@blamejs/core 0.8.26 → 0.8.28

package/index.js

@@ -103,6 +103,8 @@ var darkPatterns = require("./lib/dark-patterns");
 var budr = require("./lib/budr");
 var secCyber = require("./lib/sec-cyber");
 var iabTcf = require("./lib/iab-tcf");
+var fapi2 = require("./lib/fapi2");
+var contentCredentials = require("./lib/content-credentials");
 var safeUrl = require("./lib/safe-url");
 var safeRedirect = require("./lib/safe-redirect");
 var pick = require("./lib/pick");
@@ -293,6 +295,8 @@ module.exports = {
   budr:             budr,
   secCyber:         secCyber,
   iabTcf:           iabTcf,
+  fapi2:            fapi2,
+  contentCredentials: contentCredentials,
   safeUrl:          safeUrl,
   safeRedirect:     safeRedirect,
   pick:             pick,

package/lib/audit.js

@@ -241,6 +241,8 @@ var FRAMEWORK_NAMESPACES = [
   "budr",       // b.budr (budr.declared)
   "seccyber",   // b.secCyber (seccyber.eight_k_artifact)
   "iabtcf",     // b.iabTcf (iabtcf.refused / iabtcf.accepted)
+  "fapi2",      // b.fapi2 (fapi2.posture_asserted)
+  "contentcredentials", // b.contentCredentials (contentcredentials.signed / verified)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/content-credentials.js

@@ -0,0 +1,232 @@
+"use strict";
+/**
+ * b.contentCredentials — California SB-942 / AB-853 + C2PA 2.1
+ * content-provenance manifest builder for AI-generated assets.
+ *
+ * California SB-942 (Cal. Bus. & Prof. Code §22757) + AB-853, both
+ * effective 2026-08-02, require providers of generative AI systems
+ * to embed a latent (machine-readable) provenance disclosure in
+ * every AI-generated image / video / audio asset distributed in
+ * California. The disclosure MUST carry:
+ *
+ *   - Provider name
+ *   - System (model) identifier + version
+ *   - Content timestamp (when generated)
+ *   - Unique content ID
+ *
+ * SB-942 specifically cites C2PA (Coalition for Content Provenance
+ * and Authenticity) as an acceptable disclosure format. C2PA 2.1+
+ * manifests carry signed assertions with the same fields.
+ *
+ * The framework can't embed the manifest into image/video/audio
+ * bytes directly (that requires format-specific muxers — JPEG XMP /
+ * PNG iTXt / MP4 ContentBoxes / etc. that vary per codec). What it
+ * CAN do:
+ *
+ *   - Build a C2PA-shaped manifest carrying the required fields.
+ *   - Sign the manifest with the framework's audit-sign keypair
+ *     (ML-DSA-87 — or operator-supplied SigStore key).
+ *   - Emit a tamper-evident audit row recording the disclosure.
+ *   - Validate inbound manifests presented by upstream content
+ *     pipelines (the receiver side of the same chain).
+ *
+ * Operator workflow:
+ *
+ *   var manifest = b.contentCredentials.build({
+ *     provider:        "Acme AI Inc.",
+ *     system:          "acme-image-v3",
+ *     systemVersion:   "3.2.1",
+ *     contentId:       "img-2026-05-08-abc123",
+ *     contentType:     "image/png",
+ *     contentSha3:     hashHex,
+ *     // operator's display attribution + machine-readable fields
+ *   });
+ *   var signed = b.contentCredentials.sign(manifest, { signWith: ... });
+ *   // operator hands `signed.manifest` to their muxer for embedding
+ *
+ * Public API:
+ *
+ *   contentCredentials.build(opts) -> manifest (unsigned)
+ *   contentCredentials.sign(manifest, opts) -> { manifest, signature }
+ *   contentCredentials.verify(envelope, publicKeyPem) -> { valid, claims }
+ *   contentCredentials.required(opts) -> array of missing-field errors
+ *     (returns [] when the operator's input satisfies SB-942 minimums)
+ */
+
+var crypto = require("./crypto");
+var canonicalJson = require("./canonical-json");
+var validateOpts = require("./validate-opts");
+var audit = require("./audit");
+var { defineClass } = require("./framework-error");
+var ContentCredentialsError = defineClass("ContentCredentialsError", { alwaysPermanent: true });
+
+var STR_LEN_MAX = 256;                                                                        // allow:raw-byte-literal — string-length cap, not bytes
+var ID_LEN_MAX  = 128;                                                                        // allow:raw-byte-literal — string-length cap, not bytes
+var SEMVER_RE = /^[0-9]+\.[0-9]+(?:\.[0-9]+)?(?:[-+][A-Za-z0-9.-]+)?$/;
+var ID_RE     = /^[a-zA-Z0-9._:/-]{1,128}$/;
+var SHA3_HEX_LEN = 128;                                                                       // allow:raw-byte-literal — SHA3-512 hex length, not bytes
+
+// Required fields per SB-942 §22757(a) — every AI-generated asset
+// must disclose provider + system + timestamp + contentId.
+var REQUIRED_FIELDS = ["provider", "system", "systemVersion", "contentId"];
+
+function _validateBuildOpts(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw ContentCredentialsError.factory("BAD_OPTS",
+      "contentCredentials.build: opts required");
+  }
+  for (var i = 0; i < REQUIRED_FIELDS.length; i += 1) {
+    var f = REQUIRED_FIELDS[i];
+    validateOpts.requireNonEmptyString(opts[f],
+      "contentCredentials.build: " + f, ContentCredentialsError, "MISSING_" + f.toUpperCase());
+  }
+  if (opts.provider.length > STR_LEN_MAX) {
+    throw ContentCredentialsError.factory("BAD_PROVIDER",
+      "provider exceeds " + STR_LEN_MAX + " chars");
+  }
+  if (opts.system.length > ID_LEN_MAX || !ID_RE.test(opts.system)) {
+    throw ContentCredentialsError.factory("BAD_SYSTEM",
+      "system must match " + ID_RE);
+  }
+  if (opts.systemVersion.length > 64 || !SEMVER_RE.test(opts.systemVersion)) {                // allow:raw-byte-literal — semver length cap, not bytes
+    throw ContentCredentialsError.factory("BAD_VERSION",
+      "systemVersion must be semver");
+  }
+  if (opts.contentId.length > ID_LEN_MAX || !ID_RE.test(opts.contentId)) {
+    throw ContentCredentialsError.factory("BAD_CONTENT_ID",
+      "contentId must match " + ID_RE);
+  }
+  if (opts.contentType !== undefined) {
+    if (typeof opts.contentType !== "string" || opts.contentType.length === 0 ||
+        opts.contentType.length > ID_LEN_MAX || !/^[a-zA-Z]+\/[A-Za-z0-9._+-]+$/.test(opts.contentType)) {
+      throw ContentCredentialsError.factory("BAD_CONTENT_TYPE",
+        "contentType must be a valid IANA media type");
+    }
+  }
+  if (opts.contentSha3 !== undefined) {
+    if (typeof opts.contentSha3 !== "string" || opts.contentSha3.length !== SHA3_HEX_LEN ||
+        !/^[a-f0-9]+$/i.test(opts.contentSha3)) {
+      throw ContentCredentialsError.factory("BAD_CONTENT_HASH",
+        "contentSha3 must be lowercase hex SHA3-512 (" + SHA3_HEX_LEN + " chars)");
+    }
+  }
+}
+
+function build(opts) {
+  _validateBuildOpts(opts);
+  var generatedAt = typeof opts.generatedAt === "number" ? opts.generatedAt : Date.now();
+  var manifest = {
+    "@context":   "https://c2pa.org/specifications/specifications/2.1/",
+    type:         "c2pa.manifest",
+    aiGenerated:  true,
+    provider: {
+      name:    opts.provider,
+      contact: opts.providerContact || null,
+    },
+    system: {
+      id:      opts.system,
+      version: opts.systemVersion,
+    },
+    content: {
+      id:           opts.contentId,
+      type:         opts.contentType || null,
+      sha3_512:     opts.contentSha3 || null,
+    },
+    generatedAt:    generatedAt,
+    generatedAtIso: new Date(generatedAt).toISOString(),
+    citations:      ["california-sb-942", "california-ab-853", "c2pa-2.1"],
+    // Optional operator-supplied display assertion (SB-942 §22757(b))
+    visibleDisclosure: opts.visibleDisclosure || null,
+  };
+  return Object.freeze(manifest);
+}
+
+function required(opts) {
+  var errors = [];
+  if (!opts || typeof opts !== "object") return ["opts-required"];
+  for (var i = 0; i < REQUIRED_FIELDS.length; i += 1) {
+    if (typeof opts[REQUIRED_FIELDS[i]] !== "string" || opts[REQUIRED_FIELDS[i]].length === 0) {
+      errors.push("missing-" + REQUIRED_FIELDS[i]);
+    }
+  }
+  return errors;
+}
+
+function sign(manifest, opts) {
+  opts = opts || {};
+  if (!manifest || typeof manifest !== "object") {
+    throw ContentCredentialsError.factory("BAD_MANIFEST",
+      "contentCredentials.sign: manifest required");
+  }
+  validateOpts.requireNonEmptyString(opts.privateKeyPem,
+    "contentCredentials.sign: privateKeyPem", ContentCredentialsError, "BAD_KEY");
+  var canonical = canonicalJson.stringify(manifest);
+  var signature = crypto.sign(Buffer.from(canonical, "utf8"), opts.privateKeyPem);
+  var auditOn = opts.audit !== false;
+  if (auditOn) {
+    audit.safeEmit({
+      action:   "contentcredentials.signed",
+      outcome:  "success",
+      metadata: {
+        provider:   manifest.provider && manifest.provider.name,
+        system:     manifest.system   && manifest.system.id,
+        contentId:  manifest.content  && manifest.content.id,
+      },
+    });
+  }
+  return {
+    manifest:  manifest,
+    signature: signature.toString("base64"),
+  };
+}
+
+function verify(envelope, publicKeyPem, opts) {
+  opts = opts || {};
+  if (!envelope || typeof envelope !== "object" || !envelope.manifest || !envelope.signature) {
+    return { valid: false, claims: null, reason: "envelope-shape" };
+  }
+  if (typeof publicKeyPem !== "string" || publicKeyPem.length === 0) {
+    return { valid: false, claims: null, reason: "public-key-required" };
+  }
+  var canonical = canonicalJson.stringify(envelope.manifest);
+  var sigBuf;
+  try { sigBuf = Buffer.from(envelope.signature, "base64"); }
+  catch (_e) {
+    return { valid: false, claims: null, reason: "signature-base64-bad" };
+  }
+  var ok = crypto.verify(Buffer.from(canonical, "utf8"), sigBuf, publicKeyPem);
+  if (!ok) {
+    return { valid: false, claims: null, reason: "signature-mismatch" };
+  }
+  // SB-942 §22757(a) field-presence check on the verified manifest.
+  var missing = required({
+    provider:      envelope.manifest.provider && envelope.manifest.provider.name,
+    system:        envelope.manifest.system   && envelope.manifest.system.id,
+    systemVersion: envelope.manifest.system   && envelope.manifest.system.version,
+    contentId:     envelope.manifest.content  && envelope.manifest.content.id,
+  });
+  if (missing.length > 0) {
+    return { valid: false, claims: null, reason: "missing-required:" + missing.join(",") };
+  }
+  if (opts.audit !== false) {
+    audit.safeEmit({
+      action:   "contentcredentials.verified",
+      outcome:  "success",
+      metadata: {
+        provider:   envelope.manifest.provider.name,
+        system:     envelope.manifest.system.id,
+        contentId:  envelope.manifest.content.id,
+      },
+    });
+  }
+  return { valid: true, claims: envelope.manifest, reason: null };
+}
+
+module.exports = {
+  build:      build,
+  sign:       sign,
+  verify:     verify,
+  required:   required,
+  REQUIRED_FIELDS: REQUIRED_FIELDS.slice(),
+  ContentCredentialsError: ContentCredentialsError,
+};

package/lib/fapi2.js

@@ -0,0 +1,165 @@
+"use strict";
+/**
+ * b.fapi2 — Financial-grade API 2.0 Final conformance posture.
+ *
+ * FAPI 2.0 Final (https://openid.net/specs/fapi-2_0-security-profile-FINAL.html)
+ * is the OpenID Foundation's security profile for financial / banking
+ * APIs. It composes existing IETF + OAuth standards into a single
+ * profile that operators MUST satisfy to interoperate with FAPI 2.0
+ * client deployments. The composition (per §5):
+ *
+ *   - PAR (Pushed Authorization Requests, RFC 9126) — REQUIRED
+ *   - PKCE with S256 (RFC 7636) — REQUIRED, PLAIN refused
+ *   - Sender-constrained tokens via DPoP (RFC 9449) OR mTLS (RFC 8705)
+ *     — REQUIRED, exactly one
+ *   - Authorization-server issuer in callback (RFC 9207) — REQUIRED
+ *   - TLS 1.2+ with FAPI-approved cipher suites (TLS 1.3 default)
+ *   - JAR (JWT-secured Authorization Request, RFC 9101) when
+ *     request-object signed
+ *
+ * The framework already ships every component primitive. FAPI 2.0
+ * conformance is therefore a posture-coordination problem: the
+ * operator declares the deployment is FAPI-bound, and the framework
+ * asserts that every primitive in the chain is configured per the
+ * profile.
+ *
+ * Public API:
+ *
+ *   b.fapi2.assertConformance(opts) -> { conformant, findings }
+ *     opts:
+ *       senderConstraint: "dpop" | "mtls" — REQUIRED.
+ *       parRequired:      bool, default true.
+ *       pkceMethod:       must be "S256" (default; refuses "plain").
+ *       requireIssuerInCallback: bool, default true.
+ *       requireJarOnSignedRequests: bool, default true.
+ *
+ *     Returns:
+ *       conformant: bool — every check passed.
+ *       findings:   Array<{ requirement, status, detail? }>
+ *
+ *   b.fapi2.assertOAuthConfig(oauthOpts) -> void
+ *     Inspects an `b.auth.oauth.create(opts)` configuration object
+ *     and throws Fapi2Error if any FAPI 2.0 mandate is violated:
+ *       - PKCE absent / non-S256
+ *       - state / nonce missing (auto-mint default OK)
+ *       - Sender-constraint absent
+ *
+ *   b.fapi2.posture() -> "fapi-2.0" | null
+ *     Returns "fapi-2.0" when b.compliance.set("fapi-2.0") was
+ *     called, else null. Convenience for code that branches on the
+ *     posture without calling b.compliance.current() directly.
+ *
+ * The framework does NOT replace operator OAuth configuration —
+ * `b.auth.oauth.create(...)` is still where the operator declares
+ * client + scopes + redirect URIs. b.fapi2.assertOAuthConfig is the
+ * boot-time gate that refuses to start a FAPI-declared deployment
+ * if any mandate is missing.
+ */
+
+var compliance = require("./compliance");
+var audit = require("./audit");
+var { defineClass } = require("./framework-error");
+var Fapi2Error = defineClass("Fapi2Error", { alwaysPermanent: true });
+
+var SENDER_CONSTRAINTS = ["dpop", "mtls"];
+
+function assertConformance(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw Fapi2Error.factory("BAD_OPTS",
+      "fapi2.assertConformance: opts required");
+  }
+  if (SENDER_CONSTRAINTS.indexOf(opts.senderConstraint) === -1) {
+    throw Fapi2Error.factory("BAD_SENDER_CONSTRAINT",
+      "fapi2.assertConformance: senderConstraint must be 'dpop' or 'mtls'");
+  }
+  var parRequired = opts.parRequired !== false;
+  var pkceMethod = opts.pkceMethod || "S256";
+  if (pkceMethod !== "S256") {
+    throw Fapi2Error.factory("BAD_PKCE",
+      "fapi2.assertConformance: PKCE method must be S256 (FAPI 2.0 §5.3.1.1) — got '" +
+      pkceMethod + "'");
+  }
+  var requireIssuer = opts.requireIssuerInCallback !== false;
+  var requireJar    = opts.requireJarOnSignedRequests !== false;
+
+  var findings = [];
+  findings.push({ requirement: "pkce-s256",          status: "satisfied",
+    detail: "PKCE S256 declared (FAPI 2.0 §5.3.1.1)" });
+  findings.push({ requirement: "par-required",       status: parRequired ? "satisfied" : "WAIVED",
+    detail: parRequired
+      ? "PAR (RFC 9126) declared required (FAPI 2.0 §5.3.2.2)"
+      : "PAR waived by operator — non-conformant unless authorization-server is FAPI-1 fallback" });
+  findings.push({ requirement: "sender-constraint", status: "satisfied",
+    detail: opts.senderConstraint + " — FAPI 2.0 §5.3.2.5" });
+  findings.push({ requirement: "issuer-in-callback", status: requireIssuer ? "satisfied" : "WAIVED",
+    detail: requireIssuer
+      ? "Issuer in callback (RFC 9207) required"
+      : "Issuer-in-callback waived — IdP-mix-up class still open" });
+  findings.push({ requirement: "jar-signed-requests", status: requireJar ? "satisfied" : "WAIVED",
+    detail: requireJar
+      ? "JAR (RFC 9101) required for signed authorization requests"
+      : "JAR waived for signed authorization requests" });
+
+  var conformant = findings.every(function (f) { return f.status === "satisfied"; });
+
+  audit.safeEmit({
+    action:   "fapi2.posture_asserted",
+    outcome:  conformant ? "success" : "warning",
+    metadata: {
+      senderConstraint:  opts.senderConstraint,
+      parRequired:       parRequired,
+      pkceMethod:        pkceMethod,
+      requireIssuer:     requireIssuer,
+      requireJar:        requireJar,
+      conformant:        conformant,
+    },
+  });
+
+  return { conformant: conformant, findings: findings };
+}
+
+function assertOAuthConfig(oauthOpts) {
+  if (!oauthOpts || typeof oauthOpts !== "object") {
+    throw Fapi2Error.factory("BAD_OAUTH_OPTS",
+      "fapi2.assertOAuthConfig: oauth opts required");
+  }
+  // PKCE — refuse pkce: false (b.auth.oauth.create already does this,
+  // but check explicitly for FAPI clarity).
+  if (oauthOpts.pkce === false) {
+    throw Fapi2Error.factory("PKCE_DISABLED",
+      "fapi2.assertOAuthConfig: PKCE is disabled — FAPI 2.0 §5.3.1.1 mandates S256");
+  }
+  if (oauthOpts.pkceMethod && oauthOpts.pkceMethod !== "S256") {
+    throw Fapi2Error.factory("PKCE_NOT_S256",
+      "fapi2.assertOAuthConfig: PKCE method '" + oauthOpts.pkceMethod +
+      "' is not S256 (FAPI 2.0 §5.3.1.1)");
+  }
+  // Sender-constraint required
+  var hasDpop = oauthOpts.dpop === true || oauthOpts.senderConstraint === "dpop";
+  var hasMtls = oauthOpts.mtls === true || oauthOpts.senderConstraint === "mtls";
+  if (!hasDpop && !hasMtls) {
+    throw Fapi2Error.factory("NO_SENDER_CONSTRAINT",
+      "fapi2.assertOAuthConfig: FAPI 2.0 §5.3.2.5 requires sender-constrained tokens via DPoP OR mTLS — neither declared");
+  }
+  if (hasDpop && hasMtls) {
+    throw Fapi2Error.factory("BOTH_SENDER_CONSTRAINTS",
+      "fapi2.assertOAuthConfig: declare exactly one of DPoP / mTLS — both creates over-binding ambiguity");
+  }
+  // PAR
+  if (oauthOpts.par === false) {
+    throw Fapi2Error.factory("PAR_DISABLED",
+      "fapi2.assertOAuthConfig: PAR is disabled — FAPI 2.0 §5.3.2.2 mandates Pushed Authorization Requests");
+  }
+}
+
+function posture() {
+  return compliance.current() === "fapi-2.0" ? "fapi-2.0" : null;
+}
+
+module.exports = {
+  assertConformance:  assertConformance,
+  assertOAuthConfig:  assertOAuthConfig,
+  posture:            posture,
+  SENDER_CONSTRAINTS: SENDER_CONSTRAINTS.slice(),
+  Fapi2Error:         Fapi2Error,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.26",
+  "version": "0.8.28",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:cbce5737-d9f9-4793-b198-266fc75eb98e",
+  "serialNumber": "urn:uuid:0b8cc5a2-bd56-46a7-a9e6-2508bf3da424",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T13:46:19.961Z",
+    "timestamp": "2026-05-07T14:00:16.533Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.26",
+      "bom-ref": "@blamejs/core@0.8.28",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.26",
+      "version": "0.8.28",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.26",
+      "purl": "pkg:npm/%40blamejs/core@0.8.28",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.26",
+      "ref": "@blamejs/core@0.8.28",
       "dependsOn": []
     }
   ]