@blamejs/core 0.8.37 → 0.8.39

package/CHANGELOG.md

@@ -8,6 +8,9 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.39 (2026-05-07) — operator enhancements (1/2): `b.configDrift.verifyVendorIntegrity()` re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch; `b.network.allowlist.create({allow, deny})` composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR/host allow set; `b.auth.atoKillSwitch.trigger({userId, reason})` is a composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.
+- v0.8.38 (2026-05-07) — multipart parser refuses obsolete line folding (RFC 9112 §5.2 obs-fold) and CR/LF/NUL bytes in part-header values (RFC 9110 §5.5). Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support; the decoded value takes precedence over a legacy `filename=` companion.
+
 - **0.8.37** (2026-05-08) — D-L family SQL/schema hygiene. **`_blamejs_audit_purge_anchor.scope` CHECK constraint** — `scope IN ('audit', 'consent')`. Pre-v0.8.37 a typo silently created a parallel anchor; the chain verifier walked the wrong anchor and missed tampering. **`personalDataCategories` vocabulary validation** — operator-supplied categories validated against the GDPR Article 9 special-category vocabulary + the framework's general categories at `db.init`. Unknown categories don't refuse (operators have legitimate custom labels) but emit a `db.personal_data_category_unknown` audit row so typos surface in regulator reviews. Allowed: `name`, `email`, `phone`, `address`, `ip`, `id-document`, `biometric`, `health`, `genetic`, `sexual-orientation`, `racial-or-ethnic-origin`, `political-opinion`, `religious-belief`, `trade-union-membership`, `criminal-record`, `financial`, `location`, `behavioral`, `device-id`, `child-data`, `education`, `employment`, `operator-defined`.
 
 - **0.8.36** (2026-05-08) — HTTP/web G-class LOW cleanup + scope-aware bearer challenge. **WS handshake (RFC 6455 §4.1)** — `Sec-WebSocket-Key` validated as base64 of 16 random bytes (`/^[A-Za-z0-9+/]{22}==$/`). Pre-v0.8.36 only the presence was checked; truncated / arbitrary-token values flowed through. **Permissions-Policy default** — `fullscreen` flipped to `()` (deny) instead of `(self)`; operators wanting fullscreen pass an explicit override. **`b.middleware.bearerAuth` insufficient_scope (RFC 6750 §3)** — new `requiredScopes: ["scope1", "scope2"]` opt enforces operator-declared scopes. Token's `user.scope` (string, space-separated) or `user.scopes` (array) is checked; missing scopes refuse with HTTP 403 + `WWW-Authenticate: Bearer error="insufficient_scope", scope="..."`. **`b.requestHelpers.parseListHeader({strictToken: true})`** — RFC 9110 §5.6.2 token-grammar enforcement. Refuses non-token entries (anything outside `!#$%&'*+-.^_\\`|~` + alnum). **Multipart boundary validation (RFC 2046 §5.1.1)** — `_parseMultipart` refuses boundaries longer than 70 chars OR violating the `bcharsnospace` grammar. Closes the quadratic-match risk on pathological boundaries.

package/index.js

@@ -162,6 +162,7 @@ var auth = {
   acr:        require("./lib/auth/acr-vocabulary"),
   authTime:   require("./lib/auth/auth-time-tracker"),
   accessLock: require("./lib/auth/access-lock"),
+  atoKillSwitch: require("./lib/auth/ato-kill-switch"),
 };
 var template = require("./lib/template");
 var render = require("./lib/render");

package/lib/audit.js

@@ -247,6 +247,7 @@ var FRAMEWORK_NAMESPACES = [
   "fdx",        // b.fdx (fdx.bound / fdx.consent_receipt_issued)
   "tcpa10dlc",  // b.tcpa10dlc (tcpa10dlc.consent_recorded / consent_revoked)
   "iabmspa",    // b.iabMspa (iabmspa.processing_refused)
+  "vendor",     // b.configDrift.verifyVendorIntegrity (vendor.integrity.verified / tampered)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/auth/ato-kill-switch.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * b.auth.atoKillSwitch — composite primitive for account-takeover
+ * incident response. Composes `b.session.destroyAllForUser` +
+ * `b.auth.lockout.lock` + (optionally) `b.auth.accessLock` mode flip
+ * into a single operator-callable workflow.
+ *
+ * Trigger conditions are operator territory (SOC alert, fraud signal,
+ * user self-report, IDS rule); this primitive is the deterministic
+ * cleanup path once the trigger fires:
+ *
+ *   1. destroy every session for the user across the cluster
+ *   2. lock the user out of new logins (b.auth.lockout)
+ *   3. emit an audit row with reason / actor for downstream forensics
+ *
+ *   await b.auth.atoKillSwitch.trigger({
+ *     userId:    "u_42",
+ *     reason:    "fraud-signal: 14 failed MFA from new geo",
+ *     actor:     { id: req.user && req.user.id, role: req.user && req.user.role },
+ *     lockout:   true,                  // default true
+ *     accessLock: "locked",             // optional — flip the global access-lock mode
+ *   });
+ *
+ * Returns `{ sessionsDestroyed, lockoutApplied, accessLockMode }`.
+ */
+
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+var session = lazyRequire(function () { return require("../session"); });
+var lockout = lazyRequire(function () { return require("./lockout"); });
+var accessLock = lazyRequire(function () { return require("./access-lock"); });
+var audit = lazyRequire(function () { return require("../audit"); });
+
+var AtoKillSwitchError = defineClass("AtoKillSwitchError", { alwaysPermanent: true });
+
+async function trigger(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "userId", "reason", "actor", "lockout", "accessLock",
+  ], "auth.atoKillSwitch.trigger");
+
+  validateOpts.requireNonEmptyString(opts.userId, "userId", AtoKillSwitchError, "auth-ato-kill-switch/missing-user-id");
+  validateOpts.requireNonEmptyString(opts.reason, "reason", AtoKillSwitchError, "auth-ato-kill-switch/missing-reason");
+  var doLockout       = opts.lockout !== false;
+  var accessLockMode  = typeof opts.accessLock === "string" ? opts.accessLock : null;
+
+  var sessionsDestroyed = 0;
+  try {
+    sessionsDestroyed = await session().destroyAllForUser(opts.userId);
+  } catch (e) {
+    audit().safeEmit({
+      action: "auth.ato_kill_switch.partial",
+      outcome: "failure",
+      metadata: {
+        userId: opts.userId,
+        step:   "destroy-sessions",
+        reason: e && e.message,
+      },
+    });
+    throw e;
+  }
+
+  var lockoutApplied = false;
+  if (doLockout) {
+    try {
+      await lockout().lock(opts.userId, {
+        reason: "ato-kill-switch:" + opts.reason,
+      });
+      lockoutApplied = true;
+    } catch (_e) { /* lockout is best-effort; sessions already destroyed */ }
+  }
+
+  var modeApplied = null;
+  if (accessLockMode !== null) {
+    try {
+      var lock = accessLock();
+      if (lock && typeof lock.set === "function") {
+        await lock.set(accessLockMode, {
+          actor:  opts.actor || null,
+          reason: "ato-kill-switch:" + opts.reason,
+        });
+        modeApplied = accessLockMode;
+      }
+    } catch (_e) { /* operator may not have wired global accessLock; fine */ }
+  }
+
+  audit().safeEmit({
+    action: "auth.ato_kill_switch.triggered",
+    outcome: "success",
+    metadata: {
+      userId:             opts.userId,
+      reason:             opts.reason,
+      actor:              opts.actor || null,
+      sessionsDestroyed:  sessionsDestroyed,
+      lockoutApplied:     lockoutApplied,
+      accessLockMode:     modeApplied,
+    },
+  });
+
+  return {
+    sessionsDestroyed: sessionsDestroyed,
+    lockoutApplied:    lockoutApplied,
+    accessLockMode:    modeApplied,
+  };
+}
+
+module.exports = {
+  trigger:              trigger,
+  AtoKillSwitchError:   AtoKillSwitchError,
+};

package/lib/config-drift.js

@@ -292,10 +292,70 @@ function create(opts) {
   };
 }
 
+// verifyVendorIntegrity — at-boot integrity check over `lib/vendor/*`.
+// MANIFEST.json carries a sha256 digest per bundled file; we re-hash
+// each one and refuse on mismatch. Catches a half-applied vendor
+// refresh, a corrupted install, or an attacker who modified a
+// vendored cjs without updating the manifest. Returns
+// `{ ok, mismatches: [{ path, expected, actual }] }` and emits
+// `vendor.integrity.{verified,tampered}` audit on each call.
+function verifyVendorIntegrity(opts) {
+  opts = opts || {};
+  var libVendorDir  = opts.libVendorDir  || path.join(process.cwd(), "lib", "vendor");
+  var manifestPath  = opts.manifestPath  || path.join(libVendorDir, "MANIFEST.json");
+  var raw;
+  try { raw = fs.readFileSync(manifestPath, "utf8"); }
+  catch (_e) {
+    throw _err("VENDOR_MANIFEST_MISSING",
+      "vendor MANIFEST.json missing at " + manifestPath, true);
+  }
+  var manifest = safeJson.parse(raw);
+  if (!manifest || typeof manifest.packages !== "object") {
+    throw _err("VENDOR_MANIFEST_SHAPE",
+      "vendor MANIFEST.json missing `packages` map", true);
+  }
+  var mismatches = [];
+  var checkedCount = 0;
+  Object.keys(manifest.packages).forEach(function (pkgName) {
+    var pkg = manifest.packages[pkgName];
+    var files = (pkg && pkg.files) || {};
+    var hashes = (pkg && pkg.hashes) || {};
+    Object.keys(files).forEach(function (kind) {
+      var rel = files[kind];
+      var expected = hashes[kind];
+      if (typeof rel !== "string" || typeof expected !== "string") return;
+      var abs = path.isAbsolute(rel) ? rel : path.join(process.cwd(), rel);
+      var actual;
+      try {
+        var bytes = fs.readFileSync(abs);
+        actual = "sha256:" + require("node:crypto")
+          .createHash("sha256").update(bytes).digest("hex");
+      } catch (_e) {
+        mismatches.push({ pkg: pkgName, kind: kind, path: rel, expected: expected, actual: "<read-failed>" });
+        return;
+      }
+      checkedCount += 1;
+      if (actual !== expected) {
+        mismatches.push({ pkg: pkgName, kind: kind, path: rel, expected: expected, actual: actual });
+      }
+    });
+  });
+  var ok = mismatches.length === 0;
+  try {
+    audit().safeEmit({
+      action: ok ? "vendor.integrity.verified" : "vendor.integrity.tampered",
+      outcome: ok ? "success" : "failure",
+      metadata: { checkedCount: checkedCount, mismatchCount: mismatches.length },
+    });
+  } catch (_e) { /* audit best-effort */ }
+  return { ok: ok, checkedCount: checkedCount, mismatches: mismatches };
+}
+
 module.exports = {
-  create:            create,
-  ConfigDriftError:  ConfigDriftError,
+  create:                  create,
+  verifyVendorIntegrity:   verifyVendorIntegrity,
+  ConfigDriftError:        ConfigDriftError,
   // Test-only export for hashing — operators don't need this directly.
-  _hashSnapshot:     _hashSnapshot,
-  _stableStringify:  _stableStringify,
+  _hashSnapshot:           _hashSnapshot,
+  _stableStringify:        _stableStringify,
 };

package/lib/middleware/body-parser.js

@@ -526,27 +526,75 @@ function _sanitizeFilename(name) {
 function _parseMultipartHeaders(rawHeaders) {
   // Each line is `Header-Name: value`. Common headers: Content-Disposition,
   // Content-Type, Content-Transfer-Encoding. Unknown headers are ignored.
+  // RFC 9112 §5.2 — line folding (obs-fold) is OBSOLETE in HTTP messages;
+  // a continuation line beginning with SP/HTAB MUST be refused. RFC 9110
+  // §5.5 — header field values MUST NOT contain CR, LF, or NUL bytes.
+  // We refuse the part outright (caller surfaces the throw as 400 + drop).
   var lines = rawHeaders.split("\r\n");
   var out = {};
   for (var i = 0; i < lines.length; i++) {
     var line = lines[i];
     if (!line) continue;
+    var first = line.charCodeAt(0);
+    if (first === 32 || first === 9) {                                            // allow:raw-byte-literal — SP/HTAB obs-fold sentinels
+      throw new BodyParserError(
+        "body-parser/multipart-obs-fold",
+        "multipart part header uses obsolete line folding (RFC 9112 §5.2)",
+        true, HTTP_STATUS.BAD_REQUEST
+      );
+    }
     var idx = line.indexOf(":");
     if (idx === -1) continue;
     var k = line.slice(0, idx).trim().toLowerCase();
     var v = line.slice(idx + 1).trim();
+    for (var j = 0; j < v.length; j++) {
+      var c = v.charCodeAt(j);
+      if (c === 0 || c === 10 || c === 13) {                                      // allow:raw-byte-literal — NUL/LF/CR forbidden in field-value (RFC 9110 §5.5)
+        throw new BodyParserError(
+          "body-parser/multipart-bad-header-value",
+          "multipart part header `" + k + "` contains CR/LF/NUL (RFC 9110 §5.5)",
+          true, HTTP_STATUS.BAD_REQUEST
+        );
+      }
+    }
     out[k] = v;
   }
   return out;
 }
 
+// RFC 5987 / 8187 — `filename*=UTF-8''percent%20encoded.txt` extended
+// parameter form for non-ASCII filenames. Charset MUST be `UTF-8`
+// (case-insensitive); we refuse other charsets to keep the decode
+// path single-encoding. Language tag (between the two `'`s) is
+// permitted but ignored.
+function _decodeRfc5987(raw) {
+  if (typeof raw !== "string") return null;
+  var firstTick  = raw.indexOf("'");
+  if (firstTick === -1) return null;
+  var secondTick = raw.indexOf("'", firstTick + 1);
+  if (secondTick === -1) return null;
+  var charset = raw.slice(0, firstTick).toLowerCase();
+  if (charset !== "utf-8") return null;       // RFC 5987 mandated charset; refuse anything else
+  var encoded = raw.slice(secondTick + 1);
+  try {
+    return decodeURIComponent(encoded);
+  } catch (_e) {
+    return null;
+  }
+}
+
 function _parseHeaderParams(headerValue) {
   // Content-Disposition: form-data; name="field"; filename="x.txt"
   // Returns { _value: "form-data", name: "field", filename: "x.txt" }
+  // RFC 5987 / 8187 — when a `filename*=UTF-8''...` extended parameter
+  // is present, it takes precedence over the legacy `filename=`
+  // companion (RFC 6266 §4.3). We surface the decoded value at
+  // `filename` so downstream consumers don't need parser-aware code.
   var out = { _value: "" };
   if (!headerValue) return out;
   var parts = headerValue.split(";");
   out._value = parts[0].trim().toLowerCase();
+  var extName = null;
   for (var i = 1; i < parts.length; i++) {
     var p = parts[i].trim();
     var eq = p.indexOf("=");
@@ -554,8 +602,18 @@ function _parseHeaderParams(headerValue) {
     var k = p.slice(0, eq).trim().toLowerCase();
     var v = p.slice(eq + 1).trim();
     if (v.length >= 2 && v[0] === '"' && v[v.length - 1] === '"') v = v.slice(1, -1);
+    if (k.charAt(k.length - 1) === "*") {
+      var decoded = _decodeRfc5987(v);
+      if (decoded !== null) {
+        var bareKey = k.slice(0, -1);
+        if (bareKey === "filename") extName = decoded;
+        out[bareKey] = decoded;
+      }
+      continue;
+    }
     out[k] = v;
   }
+  if (extName !== null) out.filename = extName;
   return out;
 }
 
@@ -751,7 +809,12 @@ async function _parseMultipart(req, opts, ctParams) {
                 true, HTTP_STATUS.PAYLOAD_TOO_LARGE));
               return;
             }
-            currentHeaders = _parseMultipartHeaders(pending.slice(0, headEnd).toString("utf8"));
+            try {
+              currentHeaders = _parseMultipartHeaders(pending.slice(0, headEnd).toString("utf8"));
+            } catch (parseErr) {
+              done(parseErr);
+              return;
+            }
             pending = pending.slice(headEnd + 4);
             // Decode Content-Disposition.
             var cd = _parseHeaderParams(currentHeaders["content-disposition"]);

package/lib/network.js

@@ -7,6 +7,7 @@ var proxy    = require("./network-proxy");
 var trust    = require("./network-tls");
 var heartbeat = require("./network-heartbeat");
 var smtpPolicy = require("./network-smtp-policy");
+var ssrfGuard  = require("./ssrf-guard");
 
 var validateOpts = require("./validate-opts");
 var lazyRequire = require("./lazy-require");
@@ -226,6 +227,7 @@ module.exports = {
     dane:      smtpPolicy.dane,
     tlsRpt:    smtpPolicy.tlsRpt,
   },
+  allowlist:  { create: ssrfGuard.createAllowlist },
   socket: {
     setDefaultNoDelay:   _setSocketNoDelay,
     setDefaultKeepAlive: _setSocketKeepAlive,

package/lib/ssrf-guard.js

@@ -403,10 +403,65 @@ async function checkUrl(url, opts) {
   return { url: parsed, ips: ips };
 }
 
+// b.network.allowlist — contextual per-call egress allowlist composing
+// on ssrfGuard. Operators describe an allowed CIDR set + denylist;
+// the resulting `assert(url)` either resolves to the validated IP set
+// or throws SsrfError. Distinct from `ssrfGuard.checkUrl` (which uses
+// the framework's hard-coded private/cloud-metadata ban list) — this
+// is for cases where the operator's deployment has SPECIFIC outbound
+// targets and everything else should be refused.
+//
+//   var egress = b.network.allowlist.create({
+//     allow: ["api.partner.example.com", "192.0.2.0/24"],
+//     deny:  ["api.partner.example.com/admin"],
+//   });
+//   await egress.assert("https://api.partner.example.com/v1/x");
+function createAllowlist(opts) {
+  opts = opts || {};
+  var allowList = Array.isArray(opts.allow) ? opts.allow.slice() : [];
+  var denyList  = Array.isArray(opts.deny)  ? opts.deny.slice()  : [];
+  if (allowList.length === 0) {
+    throw new SsrfError(
+      "network.allowlist.create requires at least one entry in `allow`",
+      "ssrf-guard/empty-allowlist", {});
+  }
+  function _matches(list, hostOrIp) {
+    for (var i = 0; i < list.length; i++) {
+      var entry = list[i];
+      if (entry === hostOrIp) return true;
+      if (entry.indexOf("/") !== -1) {
+        try { if (cidrContains(entry, hostOrIp)) return true; } catch (_e) { /* ignore */ }
+      }
+    }
+    return false;
+  }
+  async function assertUrl(url) {
+    var parsed;
+    try { parsed = new URL(url); }                                                 // allow:raw-new-url — local URL parse for hostname extraction
+    catch (_e) {
+      throw new SsrfError("invalid URL", "ssrf-guard/bad-url", { url: url });
+    }
+    var host = parsed.hostname;
+    if (!_matches(allowList, host)) {
+      throw new SsrfError(
+        "URL host '" + host + "' not on the operator allowlist",
+        "ssrf-guard/not-on-allowlist", { url: url, host: host });
+    }
+    if (_matches(denyList, host)) {
+      throw new SsrfError(
+        "URL host '" + host + "' on the operator denylist",
+        "ssrf-guard/on-denylist", { url: url, host: host });
+    }
+    return checkUrl(parsed.toString(), { allowInternal: true });
+  }
+  return { assert: assertUrl };
+}
+
 module.exports = {
   classify:        classify,
   cidrContains:    cidrContains,
   checkUrl:        checkUrl,
+  createAllowlist: createAllowlist,
   isPrivate:       function (ip) { return classify(ip) === "private"; },
   isLoopback:      function (ip) { return classify(ip) === "loopback"; },
   isLinkLocal:     function (ip) { return classify(ip) === "link-local"; },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.37",
+  "version": "0.8.39",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:2a183a44-815b-479c-8f1f-f705a55d7749",
+  "serialNumber": "urn:uuid:319bfdfd-c9b3-4f86-a42e-c3441466295e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T15:51:51.404Z",
+    "timestamp": "2026-05-07T16:17:54.954Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.37",
+      "bom-ref": "@blamejs/core@0.8.39",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.37",
+      "version": "0.8.39",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.37",
+      "purl": "pkg:npm/%40blamejs/core@0.8.39",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.37",
+      "ref": "@blamejs/core@0.8.39",
       "dependsOn": []
     }
   ]