@blamejs/core 0.8.38 → 0.8.40

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.40 (2026-05-07) — operator enhancements (2/2): `b.honeytoken.create({audit})` issues canary api-key / session / URL / row-id values that emit `honeytoken.tripped` audit on any positive lookup; `b.middleware.cspReport.create({onReport})` is a Reporting-API endpoint that ingests CSP / COEP / COOP violations as `csp.violation` audit rows; `b.auditTools.forensicSnapshot({out, since, passphrase, reason})` composes an audit-export slice + IR context manifest into one tamper-evident bundle for legal / regulator handover; `b.network.tls.pinsetDriftMonitor({intervalMs})` periodically compares the trust-store fingerprint set to the captured baseline and emits `network.tls.pinset.drifted` when CAs are added or removed. Adds the OpenSSF Scorecard CI workflow at `.github/workflows/scorecard.yml`. Defers items 11 (operator-supplied transform sandbox), 14 (chaos / fault-injection drills), and 15 (exploit replay corpus harness) with re-open conditions: surface when (a) operator demand surfaces OR (b) a CVE replay needs a vendored harness.
+- v0.8.39 (2026-05-07) — operator enhancements (1/2): `b.configDrift.verifyVendorIntegrity()` re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch; `b.network.allowlist.create({allow, deny})` composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR/host allow set; `b.auth.atoKillSwitch.trigger({userId, reason})` is a composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.
 - v0.8.38 (2026-05-07) — multipart parser refuses obsolete line folding (RFC 9112 §5.2 obs-fold) and CR/LF/NUL bytes in part-header values (RFC 9110 §5.5). Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support; the decoded value takes precedence over a legacy `filename=` companion.
 
 - **0.8.37** (2026-05-08) — D-L family SQL/schema hygiene. **`_blamejs_audit_purge_anchor.scope` CHECK constraint** — `scope IN ('audit', 'consent')`. Pre-v0.8.37 a typo silently created a parallel anchor; the chain verifier walked the wrong anchor and missed tampering. **`personalDataCategories` vocabulary validation** — operator-supplied categories validated against the GDPR Article 9 special-category vocabulary + the framework's general categories at `db.init`. Unknown categories don't refuse (operators have legitimate custom labels) but emit a `db.personal_data_category_unknown` audit row so typos surface in regulator reviews. Allowed: `name`, `email`, `phone`, `address`, `ip`, `id-document`, `biometric`, `health`, `genetic`, `sexual-orientation`, `racial-or-ethnic-origin`, `political-opinion`, `religious-belief`, `trade-union-membership`, `criminal-record`, `financial`, `location`, `behavioral`, `device-id`, `child-data`, `education`, `employment`, `operator-defined`.

package/index.js

@@ -162,6 +162,7 @@ var auth = {
   acr:        require("./lib/auth/acr-vocabulary"),
   authTime:   require("./lib/auth/auth-time-tracker"),
   accessLock: require("./lib/auth/access-lock"),
+  atoKillSwitch: require("./lib/auth/ato-kill-switch"),
 };
 var template = require("./lib/template");
 var render = require("./lib/render");
@@ -225,6 +226,7 @@ var appShutdown = require("./lib/app-shutdown");
 var slug = require("./lib/slug");
 var webhook = require("./lib/webhook");
 var apiKey = require("./lib/api-key");
+var honeytoken = require("./lib/honeytoken");
 var credentialHash = require("./lib/credential-hash");
 var permissions = require("./lib/permissions");
 var cache = require("./lib/cache");
@@ -401,6 +403,7 @@ module.exports = {
   slug:             slug,
   webhook:          webhook,
   apiKey:           apiKey,
+  honeytoken:       honeytoken,
   credentialHash:   credentialHash,
   permissions:      permissions,
   cache:            cache,

package/lib/audit-tools.js

@@ -61,6 +61,7 @@ var auditSign = require("./audit-sign");
 var backupCrypto = require("./backup/crypto");
 var clusterStorage = require("./cluster-storage");
 var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
 var jsonSafe = require("./safe-json");
 var { defineClass } = require("./framework-error");
 
@@ -665,9 +666,77 @@ async function _defaultApplyPurge(args) {
   };
 }
 
+// forensicSnapshot — post-compromise composer that bundles an audit
+// archive slice, current break-glass grants, the active incident
+// report (if any), and process-runtime metadata into a single signed
+// bundle. The operator passes this to legal / regulators / the IR
+// team as one tamper-evident artifact.
+//
+//   var snap = await b.auditTools.forensicSnapshot({
+//     out:        "/forensics/2026-05-07-incident-42",
+//     since:      Date.now() - C.TIME.days(7),
+//     passphrase: process.env.AUDIT_BUNDLE_PASSPHRASE,
+//     incidentId: "inc-2026-05-07-42",
+//     reason:     "ATO investigation: 14 failed MFA from new geo, user u_42",
+//     actor:      { id: "alice@ops.example.com", role: "incident-commander" },
+//   });
+async function forensicSnapshot(opts) {
+  opts = opts || {};
+  _requirePassphrase(opts.passphrase);
+  _requireOutDir(opts.out, "forensicSnapshot");
+  var sinceMs = _toMs(opts.since);
+  if (sinceMs == null) {
+    throw new AuditToolsError("audit-tools/no-since",
+      "forensicSnapshot: opts.since is required");
+  }
+  validateOpts.requireNonEmptyString(opts.reason, "reason", AuditToolsError, "audit-tools/no-reason");
+  var sliceResult = await exportSlice({
+    out:        opts.out,
+    since:      sinceMs,
+    until:      Date.now(),
+    passphrase: opts.passphrase,
+    readRows:   opts.readRows,
+    readCoveringCheckpoint: opts.readCoveringCheckpoint,
+  });
+  // Compose snapshot manifest with operator-supplied IR context.
+  var manifest = {
+    snapshotKind:      "forensic",
+    incidentId:        opts.incidentId || null,
+    reason:            opts.reason,
+    actor:             opts.actor || null,
+    composedAt:        new Date().toISOString(),
+    auditSliceFile:    sliceResult && sliceResult.path,
+    auditSliceCount:   sliceResult && sliceResult.rowCount,
+    runtime: {
+      nodeVersion: process.version,
+      platform:    process.platform,
+      arch:        process.arch,
+      pid:         process.pid,
+      uptimeSec:   Math.round(process.uptime()),
+    },
+  };
+  var manifestPath = require("node:path").join(opts.out, "forensic-snapshot.json");
+  require("node:fs").writeFileSync(manifestPath, _canonicalize(manifest), "utf8");
+  try {
+    require("./audit").safeEmit({
+      action:  "audit.forensic_snapshot.composed",
+      outcome: "success",
+      metadata: {
+        out:               opts.out,
+        incidentId:        manifest.incidentId,
+        reason:            opts.reason,
+        actor:             opts.actor || null,
+        rowCount:          manifest.auditSliceCount || 0,
+      },
+    });
+  } catch (_e) { /* audit best-effort */ }
+  return Object.assign({}, manifest, { manifestPath: manifestPath });
+}
+
 module.exports = {
   archive:          archive,
   exportSlice:      exportSlice,
+  forensicSnapshot: forensicSnapshot,
   verifyBundle:     verifyBundle,
   purge:            purge,
   BUNDLE_FORMAT:    BUNDLE_FORMAT,

package/lib/audit.js

@@ -247,6 +247,9 @@ var FRAMEWORK_NAMESPACES = [
   "fdx",        // b.fdx (fdx.bound / fdx.consent_receipt_issued)
   "tcpa10dlc",  // b.tcpa10dlc (tcpa10dlc.consent_recorded / consent_revoked)
   "iabmspa",    // b.iabMspa (iabmspa.processing_refused)
+  "vendor",     // b.configDrift.verifyVendorIntegrity (vendor.integrity.verified / tampered)
+  "honeytoken", // b.honeytoken (honeytoken.issued / tripped)
+  "csp",        // b.middleware.cspReport (csp.violation)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/auth/ato-kill-switch.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * b.auth.atoKillSwitch — composite primitive for account-takeover
+ * incident response. Composes `b.session.destroyAllForUser` +
+ * `b.auth.lockout.lock` + (optionally) `b.auth.accessLock` mode flip
+ * into a single operator-callable workflow.
+ *
+ * Trigger conditions are operator territory (SOC alert, fraud signal,
+ * user self-report, IDS rule); this primitive is the deterministic
+ * cleanup path once the trigger fires:
+ *
+ *   1. destroy every session for the user across the cluster
+ *   2. lock the user out of new logins (b.auth.lockout)
+ *   3. emit an audit row with reason / actor for downstream forensics
+ *
+ *   await b.auth.atoKillSwitch.trigger({
+ *     userId:    "u_42",
+ *     reason:    "fraud-signal: 14 failed MFA from new geo",
+ *     actor:     { id: req.user && req.user.id, role: req.user && req.user.role },
+ *     lockout:   true,                  // default true
+ *     accessLock: "locked",             // optional — flip the global access-lock mode
+ *   });
+ *
+ * Returns `{ sessionsDestroyed, lockoutApplied, accessLockMode }`.
+ */
+
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+var session = lazyRequire(function () { return require("../session"); });
+var lockout = lazyRequire(function () { return require("./lockout"); });
+var accessLock = lazyRequire(function () { return require("./access-lock"); });
+var audit = lazyRequire(function () { return require("../audit"); });
+
+var AtoKillSwitchError = defineClass("AtoKillSwitchError", { alwaysPermanent: true });
+
+async function trigger(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "userId", "reason", "actor", "lockout", "accessLock",
+  ], "auth.atoKillSwitch.trigger");
+
+  validateOpts.requireNonEmptyString(opts.userId, "userId", AtoKillSwitchError, "auth-ato-kill-switch/missing-user-id");
+  validateOpts.requireNonEmptyString(opts.reason, "reason", AtoKillSwitchError, "auth-ato-kill-switch/missing-reason");
+  var doLockout       = opts.lockout !== false;
+  var accessLockMode  = typeof opts.accessLock === "string" ? opts.accessLock : null;
+
+  var sessionsDestroyed = 0;
+  try {
+    sessionsDestroyed = await session().destroyAllForUser(opts.userId);
+  } catch (e) {
+    audit().safeEmit({
+      action: "auth.ato_kill_switch.partial",
+      outcome: "failure",
+      metadata: {
+        userId: opts.userId,
+        step:   "destroy-sessions",
+        reason: e && e.message,
+      },
+    });
+    throw e;
+  }
+
+  var lockoutApplied = false;
+  if (doLockout) {
+    try {
+      await lockout().lock(opts.userId, {
+        reason: "ato-kill-switch:" + opts.reason,
+      });
+      lockoutApplied = true;
+    } catch (_e) { /* lockout is best-effort; sessions already destroyed */ }
+  }
+
+  var modeApplied = null;
+  if (accessLockMode !== null) {
+    try {
+      var lock = accessLock();
+      if (lock && typeof lock.set === "function") {
+        await lock.set(accessLockMode, {
+          actor:  opts.actor || null,
+          reason: "ato-kill-switch:" + opts.reason,
+        });
+        modeApplied = accessLockMode;
+      }
+    } catch (_e) { /* operator may not have wired global accessLock; fine */ }
+  }
+
+  audit().safeEmit({
+    action: "auth.ato_kill_switch.triggered",
+    outcome: "success",
+    metadata: {
+      userId:             opts.userId,
+      reason:             opts.reason,
+      actor:              opts.actor || null,
+      sessionsDestroyed:  sessionsDestroyed,
+      lockoutApplied:     lockoutApplied,
+      accessLockMode:     modeApplied,
+    },
+  });
+
+  return {
+    sessionsDestroyed: sessionsDestroyed,
+    lockoutApplied:    lockoutApplied,
+    accessLockMode:    modeApplied,
+  };
+}
+
+module.exports = {
+  trigger:              trigger,
+  AtoKillSwitchError:   AtoKillSwitchError,
+};

package/lib/config-drift.js

@@ -292,10 +292,70 @@ function create(opts) {
   };
 }
 
+// verifyVendorIntegrity — at-boot integrity check over `lib/vendor/*`.
+// MANIFEST.json carries a sha256 digest per bundled file; we re-hash
+// each one and refuse on mismatch. Catches a half-applied vendor
+// refresh, a corrupted install, or an attacker who modified a
+// vendored cjs without updating the manifest. Returns
+// `{ ok, mismatches: [{ path, expected, actual }] }` and emits
+// `vendor.integrity.{verified,tampered}` audit on each call.
+function verifyVendorIntegrity(opts) {
+  opts = opts || {};
+  var libVendorDir  = opts.libVendorDir  || path.join(process.cwd(), "lib", "vendor");
+  var manifestPath  = opts.manifestPath  || path.join(libVendorDir, "MANIFEST.json");
+  var raw;
+  try { raw = fs.readFileSync(manifestPath, "utf8"); }
+  catch (_e) {
+    throw _err("VENDOR_MANIFEST_MISSING",
+      "vendor MANIFEST.json missing at " + manifestPath, true);
+  }
+  var manifest = safeJson.parse(raw);
+  if (!manifest || typeof manifest.packages !== "object") {
+    throw _err("VENDOR_MANIFEST_SHAPE",
+      "vendor MANIFEST.json missing `packages` map", true);
+  }
+  var mismatches = [];
+  var checkedCount = 0;
+  Object.keys(manifest.packages).forEach(function (pkgName) {
+    var pkg = manifest.packages[pkgName];
+    var files = (pkg && pkg.files) || {};
+    var hashes = (pkg && pkg.hashes) || {};
+    Object.keys(files).forEach(function (kind) {
+      var rel = files[kind];
+      var expected = hashes[kind];
+      if (typeof rel !== "string" || typeof expected !== "string") return;
+      var abs = path.isAbsolute(rel) ? rel : path.join(process.cwd(), rel);
+      var actual;
+      try {
+        var bytes = fs.readFileSync(abs);
+        actual = "sha256:" + require("node:crypto")
+          .createHash("sha256").update(bytes).digest("hex");
+      } catch (_e) {
+        mismatches.push({ pkg: pkgName, kind: kind, path: rel, expected: expected, actual: "<read-failed>" });
+        return;
+      }
+      checkedCount += 1;
+      if (actual !== expected) {
+        mismatches.push({ pkg: pkgName, kind: kind, path: rel, expected: expected, actual: actual });
+      }
+    });
+  });
+  var ok = mismatches.length === 0;
+  try {
+    audit().safeEmit({
+      action: ok ? "vendor.integrity.verified" : "vendor.integrity.tampered",
+      outcome: ok ? "success" : "failure",
+      metadata: { checkedCount: checkedCount, mismatchCount: mismatches.length },
+    });
+  } catch (_e) { /* audit best-effort */ }
+  return { ok: ok, checkedCount: checkedCount, mismatches: mismatches };
+}
+
 module.exports = {
-  create:            create,
-  ConfigDriftError:  ConfigDriftError,
+  create:                  create,
+  verifyVendorIntegrity:   verifyVendorIntegrity,
+  ConfigDriftError:        ConfigDriftError,
   // Test-only export for hashing — operators don't need this directly.
-  _hashSnapshot:     _hashSnapshot,
-  _stableStringify:  _stableStringify,
+  _hashSnapshot:           _hashSnapshot,
+  _stableStringify:        _stableStringify,
 };

package/lib/honeytoken.js

@@ -0,0 +1,132 @@
+"use strict";
+/**
+ * b.honeytoken — canary credential framework. Generates decoy values
+ * (fake api-key shapes, fake admin URLs, fake DB row references) that
+ * are NEVER handed to a real client; their presence in a request,
+ * log, or DB lookup means an attacker found something they shouldn't
+ * have. The framework registers each token at issuance and refuses
+ * silently in production but always emits a `honeytoken.tripped`
+ * audit row on any positive lookup.
+ *
+ *   var honey = b.honeytoken.create({ audit: b.audit });
+ *
+ *   var token = honey.issue({
+ *     kind:     "apiKey",
+ *     metadata: { plantedAt: "GET /admin/keys/404", linkedTo: "u_42" },
+ *   });
+ *   // → { value: "bk_canary_8f3a7b2e0c…", id: "ht_<hex>" }
+ *
+ *   if (honey.lookup(req.headers["x-api-key"])) {
+ *     // attacker is using the canary; tripped event already audited
+ *     return res.status(403).end();
+ *   }
+ *
+ * Canary value shapes (`kind`):
+ *   - "apiKey"   → `bk_canary_<32 hex>` (matches b.apiKey shape)
+ *   - "session"  → `bks_canary_<48 hex>` (matches b.session shape)
+ *   - "url"      → `/admin/canary-<32 hex>` (planted as a clickable link)
+ *   - "rowId"    → `ht_canary_<32 hex>` (planted as a fake foreign key)
+ *
+ * Audit shape:
+ *   - `honeytoken.issued` — outcome=success; metadata: { id, kind }
+ *   - `honeytoken.tripped` — outcome=failure; metadata: { id, kind,
+ *     metadata, observedAt, observedActor }
+ */
+
+var crypto = require("./crypto");
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var HoneytokenError = defineClass("HoneytokenError", { alwaysPermanent: true });
+
+var KINDS = Object.freeze({
+  apiKey:  function () { return "bk_canary_"  + crypto.generateToken(16); },     // allow:raw-byte-literal — 16-byte (128-bit) canary entropy
+  session: function () { return "bks_canary_" + crypto.generateToken(24); },     // allow:raw-byte-literal — 24-byte (192-bit) canary entropy
+  url:     function () { return "/admin/canary-" + crypto.generateToken(16); },  // allow:raw-byte-literal — 16-byte canary entropy
+  rowId:   function () { return "ht_canary_"  + crypto.generateToken(16); },     // allow:raw-byte-literal — 16-byte canary entropy
+});
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["audit"], "honeytoken.create");
+
+  var registry = new Map();   // value → { id, kind, metadata, issuedAt }
+
+  function issue(spec) {
+    spec = spec || {};
+    validateOpts(spec, ["kind", "metadata"], "honeytoken.issue");
+    var kind = spec.kind;
+    if (typeof KINDS[kind] !== "function") {
+      throw new HoneytokenError(
+        "honeytoken/unknown-kind",
+        "honeytoken.issue: unknown kind '" + kind + "' " +
+        "(supported: " + Object.keys(KINDS).join(", ") + ")");
+    }
+    var value = KINDS[kind]();
+    var id = "ht_" + crypto.generateToken(8);                                    // allow:raw-byte-literal — 8-byte registry id
+    var record = Object.freeze({
+      id:        id,
+      kind:      kind,
+      metadata:  spec.metadata || null,
+      issuedAt:  Date.now(),
+    });
+    registry.set(value, record);
+    try {
+      audit().safeEmit({
+        action: "honeytoken.issued",
+        outcome: "success",
+        metadata: { id: id, kind: kind },
+      });
+    } catch (_e) { /* audit best-effort */ }
+    return { id: id, value: value };
+  }
+
+  function lookup(value, observedActor) {
+    if (typeof value !== "string" || value.length === 0) return null;
+    var record = registry.get(value);
+    if (!record) return null;
+    try {
+      audit().safeEmit({
+        action: "honeytoken.tripped",
+        outcome: "failure",
+        metadata: {
+          id:             record.id,
+          kind:           record.kind,
+          metadata:       record.metadata,
+          observedAt:     Date.now(),
+          observedActor:  observedActor || null,
+        },
+      });
+    } catch (_e) { /* audit best-effort */ }
+    return record;
+  }
+
+  function revoke(id) {
+    var found = false;
+    registry.forEach(function (record, value) {
+      if (record.id === id) {
+        registry.delete(value);
+        found = true;
+      }
+    });
+    return found;
+  }
+
+  function size() { return registry.size; }
+
+  return {
+    issue:   issue,
+    lookup:  lookup,
+    revoke:  revoke,
+    size:    size,
+  };
+}
+
+module.exports = {
+  create:           create,
+  KINDS:            Object.freeze(Object.keys(KINDS)),
+  HoneytokenError:  HoneytokenError,
+};

package/lib/middleware/csp-report.js

@@ -0,0 +1,133 @@
+"use strict";
+/**
+ * b.middleware.cspReport — Reporting-API endpoint for CSP / COEP /
+ * COOP / Permissions-Policy violations.
+ *
+ * The framework's default CSP appends `report-to default;` (see
+ * lib/middleware/security-headers.js); operators wire the matching
+ * `Reporting-Endpoints: default="https://app.example.com/csp-report"`
+ * header — and mount this middleware at the configured path. Browsers
+ * POST batches of violations as `application/reports+json`.
+ *
+ *   var cspReport = b.middleware.cspReport.create({
+ *     audit:     b.audit,
+ *     onReport:  function (report) { metrics.count("csp.violation", 1, { directive: report.body.effectiveDirective }); },
+ *     maxBytes:  C.BYTES.kib(64),
+ *   });
+ *   router.post("/csp-report", cspReport);
+ *
+ * Audit shape: `csp.violation` (failure) per report; metadata carries
+ * the report.body fields (blockedURL, documentURL, effectiveDirective,
+ * sample, statusCode). Sample is truncated to 200 chars.
+ *
+ * Validation:
+ *   - Refuses non-POST methods with 405
+ *   - Refuses bodies > maxBytes (default 64 KiB) with 413
+ *   - Refuses non-JSON bodies with 400
+ *   - Accepts `application/reports+json` AND legacy `application/csp-report`
+ */
+
+var C = require("../constants");
+var lazyRequire = require("../lazy-require");
+var safeBuffer = require("../safe-buffer");
+var safeJson = require("../safe-json");
+var validateOpts = require("../validate-opts");
+
+var audit = lazyRequire(function () { return require("../audit"); });
+
+var DEFAULT_MAX_BYTES = C.BYTES.kib(64);
+var SAMPLE_TRUNCATE = 200;
+
+function _truncate(value) {
+  if (typeof value !== "string") return value;
+  if (value.length <= SAMPLE_TRUNCATE) return value;
+  return value.slice(0, SAMPLE_TRUNCATE) + "…";
+}
+
+function _normalizeOne(reportLike) {
+  // Reporting API shape: { type, age, url, user_agent, body: {...} }
+  // Legacy CSP shape:    { "csp-report": { ... } }
+  if (!reportLike || typeof reportLike !== "object") return null;
+  if (reportLike["csp-report"] && typeof reportLike["csp-report"] === "object") {
+    var legacy = reportLike["csp-report"];
+    return {
+      type: "csp-violation",
+      url:  legacy["document-uri"] || null,
+      body: {
+        documentURL:        legacy["document-uri"] || null,
+        blockedURL:         legacy["blocked-uri"] || null,
+        effectiveDirective: legacy["effective-directive"] || legacy["violated-directive"] || null,
+        statusCode:         legacy["status-code"] || null,
+        sample:             _truncate(legacy["script-sample"] || ""),
+        sourceFile:         legacy["source-file"] || null,
+        lineNumber:         legacy["line-number"] || null,
+      },
+    };
+  }
+  if (reportLike.type && reportLike.body && typeof reportLike.body === "object") {
+    return {
+      type: reportLike.type,
+      url:  reportLike.url || null,
+      body: {
+        documentURL:        reportLike.body.documentURL || null,
+        blockedURL:         reportLike.body.blockedURL || null,
+        effectiveDirective: reportLike.body.effectiveDirective || null,
+        statusCode:         reportLike.body.statusCode || null,
+        sample:             _truncate(reportLike.body.sample || ""),
+        sourceFile:         reportLike.body.sourceFile || null,
+        lineNumber:         reportLike.body.lineNumber || null,
+      },
+    };
+  }
+  return null;
+}
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["audit", "onReport", "maxBytes"], "middleware.cspReport");
+  var maxBytes = (typeof opts.maxBytes === "number" && isFinite(opts.maxBytes) && opts.maxBytes > 0)
+    ? opts.maxBytes : DEFAULT_MAX_BYTES;
+  var onReport = (typeof opts.onReport === "function") ? opts.onReport : null;
+
+  return async function cspReport(req, res, _next) {
+    if (req.method !== "POST") {
+      res.writeHead(405, { "Allow": "POST" });                                     // allow:raw-byte-literal — HTTP 405 status
+      res.end();
+      return;
+    }
+    var body;
+    try {
+      body = await safeBuffer.boundedChunkCollector(req, { maxBytes: maxBytes });
+    } catch (_e) {
+      res.writeHead(413);                                                         // allow:raw-byte-literal — HTTP 413 status
+      res.end();
+      return;
+    }
+    var parsed;
+    try { parsed = safeJson.parse(body.toString("utf8")); }
+    catch (_e) {
+      res.writeHead(400);                                                         // allow:raw-byte-literal — HTTP 400 status
+      res.end();
+      return;
+    }
+    var reports = Array.isArray(parsed) ? parsed : [parsed];
+    for (var i = 0; i < reports.length; i++) {
+      var normalized = _normalizeOne(reports[i]);
+      if (!normalized) continue;
+      try {
+        audit().safeEmit({
+          action:  "csp.violation",
+          outcome: "failure",
+          metadata: Object.assign({ type: normalized.type, url: normalized.url }, normalized.body),
+        });
+      } catch (_e) { /* audit best-effort */ }
+      if (onReport) {
+        try { onReport(normalized); } catch (_e) { /* hook best-effort */ }
+      }
+    }
+    res.writeHead(204);                                                           // allow:raw-byte-literal — HTTP 204 status
+    res.end();
+  };
+}
+
+module.exports = { create: create };

package/lib/middleware/index.js

@@ -32,6 +32,7 @@ var cookies = require("./cookies");
 var cors = require("./cors");
 var dailyByteQuota = require("./daily-byte-quota");
 var cspNonce = require("./csp-nonce");
+var cspReport = require("./csp-report");
 var csrfProtect = require("./csrf-protect");
 var dbRoleFor = require("./db-role-for");
 var dpop = require("./dpop");
@@ -88,6 +89,7 @@ module.exports = {
   compression:      compression.create,
   cookies:          cookies.create,
   cspNonce:         cspNonce.create,
+  cspReport:        cspReport.create,
   securityTxt:      securityTxt.create,
   sse:              sse.create,
   requestLog:       requestLog.create,

package/lib/network-tls.js

@@ -329,6 +329,67 @@ function captureBaselineFingerprints() {
   STATE.baselineFingerprints = STATE.cas.map(function (e) { return e.meta.fingerprint256; });
 }
 
+// pinsetDriftMonitor — periodic check that emits audit + observability
+// events when the trust-store fingerprint set drifts from the captured
+// baseline. Different intent from expiryMonitor: this fires when a
+// CA is added or removed (by operator config-flip OR by a tampered
+// MANIFEST / vendor refresh), not when an existing one approaches
+// validity expiry.
+//
+//   b.network.tls.captureBaselineFingerprints();   // at boot
+//   var mon = b.network.tls.pinsetDriftMonitor({
+//     intervalMs:  C.TIME.minutes(15),
+//     onDrift:     function (drift) { /* operator hook */ },
+//   });
+//
+// Audit emissions:
+//   network.tls.pinset.drift_check  — every check, ok / warn
+//   network.tls.pinset.drifted      — when added.length || removed.length
+function pinsetDriftMonitor(opts) {
+  opts = opts || {};
+  var intervalMs = opts.intervalMs;
+  var auditOn    = opts.audit !== false;
+  if (typeof intervalMs !== "number" || !isFinite(intervalMs) || intervalMs <= 0) {
+    throw new TlsTrustError("tls/bad-interval",
+      "tls.pinsetDriftMonitor: intervalMs must be a positive finite number");
+  }
+  function _tick() {
+    var drift;
+    try { drift = detectBaselineDrift(); }
+    catch (_e) { return; }
+    if (drift === null) return;   // baseline not captured; nothing to compare
+    if (auditOn) {
+      try {
+        audit().safeEmit({
+          action:  "network.tls.pinset.drift_check",
+          outcome: drift.drifted ? "warn" : "ok",
+          metadata: { added: drift.added.length, removed: drift.removed.length },
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
+    if (drift.drifted) {
+      try { observability().safeEvent("network.tls.pinset.drifted", 1, {}); }
+      catch (_e) { /* drop-silent */ }
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:  "network.tls.pinset.drifted",
+            outcome: "failure",
+            metadata: { added: drift.added, removed: drift.removed },
+          });
+        } catch (_e) { /* drop-silent */ }
+      }
+      if (typeof opts.onDrift === "function") {
+        try { opts.onDrift(drift); } catch (_e) { /* operator hook */ }
+      }
+    }
+  }
+  var handle = safeAsync.repeating(_tick, intervalMs, { name: "tls-pinset-drift-monitor" });
+  return {
+    stop: function () { if (handle) { handle.stop(); handle = null; } },
+  };
+}
+
 function detectBaselineDrift() {
   if (!STATE.baselineFingerprints) return null;
   var current = STATE.cas.map(function (e) { return e.meta.fingerprint256; });
@@ -1683,6 +1744,7 @@ module.exports = {
   purgeExpired:        purgeExpired,
   expiringSoon:        expiringSoon,
   expiryMonitor:       expiryMonitor,
+  pinsetDriftMonitor:  pinsetDriftMonitor,
   useSystemTrust:      useSystemTrust,
   isSystemTrustEnabled: isSystemTrustEnabled,
   getTrustStore:       getTrustStore,

package/lib/network.js

@@ -7,6 +7,7 @@ var proxy    = require("./network-proxy");
 var trust    = require("./network-tls");
 var heartbeat = require("./network-heartbeat");
 var smtpPolicy = require("./network-smtp-policy");
+var ssrfGuard  = require("./ssrf-guard");
 
 var validateOpts = require("./validate-opts");
 var lazyRequire = require("./lazy-require");
@@ -226,6 +227,7 @@ module.exports = {
     dane:      smtpPolicy.dane,
     tlsRpt:    smtpPolicy.tlsRpt,
   },
+  allowlist:  { create: ssrfGuard.createAllowlist },
   socket: {
     setDefaultNoDelay:   _setSocketNoDelay,
     setDefaultKeepAlive: _setSocketKeepAlive,

package/lib/ssrf-guard.js

@@ -403,10 +403,65 @@ async function checkUrl(url, opts) {
   return { url: parsed, ips: ips };
 }
 
+// b.network.allowlist — contextual per-call egress allowlist composing
+// on ssrfGuard. Operators describe an allowed CIDR set + denylist;
+// the resulting `assert(url)` either resolves to the validated IP set
+// or throws SsrfError. Distinct from `ssrfGuard.checkUrl` (which uses
+// the framework's hard-coded private/cloud-metadata ban list) — this
+// is for cases where the operator's deployment has SPECIFIC outbound
+// targets and everything else should be refused.
+//
+//   var egress = b.network.allowlist.create({
+//     allow: ["api.partner.example.com", "192.0.2.0/24"],
+//     deny:  ["api.partner.example.com/admin"],
+//   });
+//   await egress.assert("https://api.partner.example.com/v1/x");
+function createAllowlist(opts) {
+  opts = opts || {};
+  var allowList = Array.isArray(opts.allow) ? opts.allow.slice() : [];
+  var denyList  = Array.isArray(opts.deny)  ? opts.deny.slice()  : [];
+  if (allowList.length === 0) {
+    throw new SsrfError(
+      "network.allowlist.create requires at least one entry in `allow`",
+      "ssrf-guard/empty-allowlist", {});
+  }
+  function _matches(list, hostOrIp) {
+    for (var i = 0; i < list.length; i++) {
+      var entry = list[i];
+      if (entry === hostOrIp) return true;
+      if (entry.indexOf("/") !== -1) {
+        try { if (cidrContains(entry, hostOrIp)) return true; } catch (_e) { /* ignore */ }
+      }
+    }
+    return false;
+  }
+  async function assertUrl(url) {
+    var parsed;
+    try { parsed = new URL(url); }                                                 // allow:raw-new-url — local URL parse for hostname extraction
+    catch (_e) {
+      throw new SsrfError("invalid URL", "ssrf-guard/bad-url", { url: url });
+    }
+    var host = parsed.hostname;
+    if (!_matches(allowList, host)) {
+      throw new SsrfError(
+        "URL host '" + host + "' not on the operator allowlist",
+        "ssrf-guard/not-on-allowlist", { url: url, host: host });
+    }
+    if (_matches(denyList, host)) {
+      throw new SsrfError(
+        "URL host '" + host + "' on the operator denylist",
+        "ssrf-guard/on-denylist", { url: url, host: host });
+    }
+    return checkUrl(parsed.toString(), { allowInternal: true });
+  }
+  return { assert: assertUrl };
+}
+
 module.exports = {
   classify:        classify,
   cidrContains:    cidrContains,
   checkUrl:        checkUrl,
+  createAllowlist: createAllowlist,
   isPrivate:       function (ip) { return classify(ip) === "private"; },
   isLoopback:      function (ip) { return classify(ip) === "loopback"; },
   isLinkLocal:     function (ip) { return classify(ip) === "link-local"; },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.38",
+  "version": "0.8.40",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:33e4b58d-3cab-4ba0-b54a-4fd4a9b62e38",
+  "serialNumber": "urn:uuid:7c951f5a-156e-49be-91c0-8a5a420faf2c",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T16:03:53.948Z",
+    "timestamp": "2026-05-07T16:35:12.500Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.38",
+      "bom-ref": "@blamejs/core@0.8.40",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.38",
+      "version": "0.8.40",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.38",
+      "purl": "pkg:npm/%40blamejs/core@0.8.40",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.38",
+      "ref": "@blamejs/core@0.8.40",
       "dependsOn": []
     }
   ]