npm - @blamejs/core - Versions diffs - 0.8.39 → 0.8.40 - Mend

@blamejs/core 0.8.39 → 0.8.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +1 -0
package/index.js +2 -0
package/lib/audit-tools.js +69 -0
package/lib/audit.js +2 -0
package/lib/honeytoken.js +132 -0
package/lib/middleware/csp-report.js +133 -0
package/lib/middleware/index.js +2 -0
package/lib/network-tls.js +62 -0
package/package.json +1 -1
package/sbom.cyclonedx.json +6 -6

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 ## v0.8.x
+- v0.8.40 (2026-05-07) — operator enhancements (2/2): `b.honeytoken.create({audit})` issues canary api-key / session / URL / row-id values that emit `honeytoken.tripped` audit on any positive lookup; `b.middleware.cspReport.create({onReport})` is a Reporting-API endpoint that ingests CSP / COEP / COOP violations as `csp.violation` audit rows; `b.auditTools.forensicSnapshot({out, since, passphrase, reason})` composes an audit-export slice + IR context manifest into one tamper-evident bundle for legal / regulator handover; `b.network.tls.pinsetDriftMonitor({intervalMs})` periodically compares the trust-store fingerprint set to the captured baseline and emits `network.tls.pinset.drifted` when CAs are added or removed. Adds the OpenSSF Scorecard CI workflow at `.github/workflows/scorecard.yml`. Defers items 11 (operator-supplied transform sandbox), 14 (chaos / fault-injection drills), and 15 (exploit replay corpus harness) with re-open conditions: surface when (a) operator demand surfaces OR (b) a CVE replay needs a vendored harness.
 - v0.8.39 (2026-05-07) — operator enhancements (1/2): `b.configDrift.verifyVendorIntegrity()` re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch; `b.network.allowlist.create({allow, deny})` composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR/host allow set; `b.auth.atoKillSwitch.trigger({userId, reason})` is a composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.
 - v0.8.38 (2026-05-07) — multipart parser refuses obsolete line folding (RFC 9112 §5.2 obs-fold) and CR/LF/NUL bytes in part-header values (RFC 9110 §5.5). Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support; the decoded value takes precedence over a legacy `filename=` companion.

package/index.js CHANGED Viewed

@@ -226,6 +226,7 @@ var appShutdown = require("./lib/app-shutdown");
 var slug = require("./lib/slug");
 var webhook = require("./lib/webhook");
 var apiKey = require("./lib/api-key");
+var honeytoken = require("./lib/honeytoken");
 var credentialHash = require("./lib/credential-hash");
 var permissions = require("./lib/permissions");
 var cache = require("./lib/cache");
@@ -402,6 +403,7 @@ module.exports = {
   slug:             slug,
   webhook:          webhook,
   apiKey:           apiKey,
+  honeytoken:       honeytoken,
   credentialHash:   credentialHash,
   permissions:      permissions,
   cache:            cache,

package/lib/audit-tools.js CHANGED Viewed

@@ -61,6 +61,7 @@ var auditSign = require("./audit-sign");
 var backupCrypto = require("./backup/crypto");
 var clusterStorage = require("./cluster-storage");
 var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
 var jsonSafe = require("./safe-json");
 var { defineClass } = require("./framework-error");
@@ -665,9 +666,77 @@ async function _defaultApplyPurge(args) {
   };
 }
+// forensicSnapshot — post-compromise composer that bundles an audit
+// archive slice, current break-glass grants, the active incident
+// report (if any), and process-runtime metadata into a single signed
+// bundle. The operator passes this to legal / regulators / the IR
+// team as one tamper-evident artifact.
+//
+//   var snap = await b.auditTools.forensicSnapshot({
+//     out:        "/forensics/2026-05-07-incident-42",
+//     since:      Date.now() - C.TIME.days(7),
+//     passphrase: process.env.AUDIT_BUNDLE_PASSPHRASE,
+//     incidentId: "inc-2026-05-07-42",
+//     reason:     "ATO investigation: 14 failed MFA from new geo, user u_42",
+//     actor:      { id: "alice@ops.example.com", role: "incident-commander" },
+//   });
+async function forensicSnapshot(opts) {
+  opts = opts || {};
+  _requirePassphrase(opts.passphrase);
+  _requireOutDir(opts.out, "forensicSnapshot");
+  var sinceMs = _toMs(opts.since);
+  if (sinceMs == null) {
+    throw new AuditToolsError("audit-tools/no-since",
+      "forensicSnapshot: opts.since is required");
+  }
+  validateOpts.requireNonEmptyString(opts.reason, "reason", AuditToolsError, "audit-tools/no-reason");
+  var sliceResult = await exportSlice({
+    out:        opts.out,
+    since:      sinceMs,
+    until:      Date.now(),
+    passphrase: opts.passphrase,
+    readRows:   opts.readRows,
+    readCoveringCheckpoint: opts.readCoveringCheckpoint,
+  });
+  // Compose snapshot manifest with operator-supplied IR context.
+  var manifest = {
+    snapshotKind:      "forensic",
+    incidentId:        opts.incidentId || null,
+    reason:            opts.reason,
+    actor:             opts.actor || null,
+    composedAt:        new Date().toISOString(),
+    auditSliceFile:    sliceResult && sliceResult.path,
+    auditSliceCount:   sliceResult && sliceResult.rowCount,
+    runtime: {
+      nodeVersion: process.version,
+      platform:    process.platform,
+      arch:        process.arch,
+      pid:         process.pid,
+      uptimeSec:   Math.round(process.uptime()),
+    },
+  };
+  var manifestPath = require("node:path").join(opts.out, "forensic-snapshot.json");
+  require("node:fs").writeFileSync(manifestPath, _canonicalize(manifest), "utf8");
+  try {
+    require("./audit").safeEmit({
+      action:  "audit.forensic_snapshot.composed",
+      outcome: "success",
+      metadata: {
+        out:               opts.out,
+        incidentId:        manifest.incidentId,
+        reason:            opts.reason,
+        actor:             opts.actor || null,
+        rowCount:          manifest.auditSliceCount || 0,
+      },
+    });
+  } catch (_e) { /* audit best-effort */ }
+  return Object.assign({}, manifest, { manifestPath: manifestPath });
+}
 module.exports = {
   archive:          archive,
   exportSlice:      exportSlice,
+  forensicSnapshot: forensicSnapshot,
   verifyBundle:     verifyBundle,
   purge:            purge,
   BUNDLE_FORMAT:    BUNDLE_FORMAT,

package/lib/audit.js CHANGED Viewed

@@ -248,6 +248,8 @@ var FRAMEWORK_NAMESPACES = [
   "tcpa10dlc",  // b.tcpa10dlc (tcpa10dlc.consent_recorded / consent_revoked)
   "iabmspa",    // b.iabMspa (iabmspa.processing_refused)
   "vendor",     // b.configDrift.verifyVendorIntegrity (vendor.integrity.verified / tampered)
+  "honeytoken", // b.honeytoken (honeytoken.issued / tripped)
+  "csp",        // b.middleware.cspReport (csp.violation)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);

package/lib/honeytoken.js ADDED Viewed

@@ -0,0 +1,132 @@
+"use strict";
+/**
+ * b.honeytoken — canary credential framework. Generates decoy values
+ * (fake api-key shapes, fake admin URLs, fake DB row references) that
+ * are NEVER handed to a real client; their presence in a request,
+ * log, or DB lookup means an attacker found something they shouldn't
+ * have. The framework registers each token at issuance and refuses
+ * silently in production but always emits a `honeytoken.tripped`
+ * audit row on any positive lookup.
+ *
+ *   var honey = b.honeytoken.create({ audit: b.audit });
+ *
+ *   var token = honey.issue({
+ *     kind:     "apiKey",
+ *     metadata: { plantedAt: "GET /admin/keys/404", linkedTo: "u_42" },
+ *   });
+ *   // → { value: "bk_canary_8f3a7b2e0c…", id: "ht_<hex>" }
+ *
+ *   if (honey.lookup(req.headers["x-api-key"])) {
+ *     // attacker is using the canary; tripped event already audited
+ *     return res.status(403).end();
+ *   }
+ *
+ * Canary value shapes (`kind`):
+ *   - "apiKey"   → `bk_canary_<32 hex>` (matches b.apiKey shape)
+ *   - "session"  → `bks_canary_<48 hex>` (matches b.session shape)
+ *   - "url"      → `/admin/canary-<32 hex>` (planted as a clickable link)
+ *   - "rowId"    → `ht_canary_<32 hex>` (planted as a fake foreign key)
+ *
+ * Audit shape:
+ *   - `honeytoken.issued` — outcome=success; metadata: { id, kind }
+ *   - `honeytoken.tripped` — outcome=failure; metadata: { id, kind,
+ *     metadata, observedAt, observedActor }
+ */
+var crypto = require("./crypto");
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+var audit = lazyRequire(function () { return require("./audit"); });
+var HoneytokenError = defineClass("HoneytokenError", { alwaysPermanent: true });
+var KINDS = Object.freeze({
+  apiKey:  function () { return "bk_canary_"  + crypto.generateToken(16); },     // allow:raw-byte-literal — 16-byte (128-bit) canary entropy
+  session: function () { return "bks_canary_" + crypto.generateToken(24); },     // allow:raw-byte-literal — 24-byte (192-bit) canary entropy
+  url:     function () { return "/admin/canary-" + crypto.generateToken(16); },  // allow:raw-byte-literal — 16-byte canary entropy
+  rowId:   function () { return "ht_canary_"  + crypto.generateToken(16); },     // allow:raw-byte-literal — 16-byte canary entropy
+});
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["audit"], "honeytoken.create");
+  var registry = new Map();   // value → { id, kind, metadata, issuedAt }
+  function issue(spec) {
+    spec = spec || {};
+    validateOpts(spec, ["kind", "metadata"], "honeytoken.issue");
+    var kind = spec.kind;
+    if (typeof KINDS[kind] !== "function") {
+      throw new HoneytokenError(
+        "honeytoken/unknown-kind",
+        "honeytoken.issue: unknown kind '" + kind + "' " +
+        "(supported: " + Object.keys(KINDS).join(", ") + ")");
+    }
+    var value = KINDS[kind]();
+    var id = "ht_" + crypto.generateToken(8);                                    // allow:raw-byte-literal — 8-byte registry id
+    var record = Object.freeze({
+      id:        id,
+      kind:      kind,
+      metadata:  spec.metadata || null,
+      issuedAt:  Date.now(),
+    });
+    registry.set(value, record);
+    try {
+      audit().safeEmit({
+        action: "honeytoken.issued",
+        outcome: "success",
+        metadata: { id: id, kind: kind },
+      });
+    } catch (_e) { /* audit best-effort */ }
+    return { id: id, value: value };
+  }
+  function lookup(value, observedActor) {
+    if (typeof value !== "string" || value.length === 0) return null;
+    var record = registry.get(value);
+    if (!record) return null;
+    try {
+      audit().safeEmit({
+        action: "honeytoken.tripped",
+        outcome: "failure",
+        metadata: {
+          id:             record.id,
+          kind:           record.kind,
+          metadata:       record.metadata,
+          observedAt:     Date.now(),
+          observedActor:  observedActor || null,
+        },
+      });
+    } catch (_e) { /* audit best-effort */ }
+    return record;
+  }
+  function revoke(id) {
+    var found = false;
+    registry.forEach(function (record, value) {
+      if (record.id === id) {
+        registry.delete(value);
+        found = true;
+      }
+    });
+    return found;
+  }
+  function size() { return registry.size; }
+  return {
+    issue:   issue,
+    lookup:  lookup,
+    revoke:  revoke,
+    size:    size,
+  };
+}
+module.exports = {
+  create:           create,
+  KINDS:            Object.freeze(Object.keys(KINDS)),
+  HoneytokenError:  HoneytokenError,
+};

package/lib/middleware/csp-report.js ADDED Viewed

@@ -0,0 +1,133 @@
+"use strict";
+/**
+ * b.middleware.cspReport — Reporting-API endpoint for CSP / COEP /
+ * COOP / Permissions-Policy violations.
+ *
+ * The framework's default CSP appends `report-to default;` (see
+ * lib/middleware/security-headers.js); operators wire the matching
+ * `Reporting-Endpoints: default="https://app.example.com/csp-report"`
+ * header — and mount this middleware at the configured path. Browsers
+ * POST batches of violations as `application/reports+json`.
+ *
+ *   var cspReport = b.middleware.cspReport.create({
+ *     audit:     b.audit,
+ *     onReport:  function (report) { metrics.count("csp.violation", 1, { directive: report.body.effectiveDirective }); },
+ *     maxBytes:  C.BYTES.kib(64),
+ *   });
+ *   router.post("/csp-report", cspReport);
+ *
+ * Audit shape: `csp.violation` (failure) per report; metadata carries
+ * the report.body fields (blockedURL, documentURL, effectiveDirective,
+ * sample, statusCode). Sample is truncated to 200 chars.
+ *
+ * Validation:
+ *   - Refuses non-POST methods with 405
+ *   - Refuses bodies > maxBytes (default 64 KiB) with 413
+ *   - Refuses non-JSON bodies with 400
+ *   - Accepts `application/reports+json` AND legacy `application/csp-report`
+ */
+var C = require("../constants");
+var lazyRequire = require("../lazy-require");
+var safeBuffer = require("../safe-buffer");
+var safeJson = require("../safe-json");
+var validateOpts = require("../validate-opts");
+var audit = lazyRequire(function () { return require("../audit"); });
+var DEFAULT_MAX_BYTES = C.BYTES.kib(64);
+var SAMPLE_TRUNCATE = 200;
+function _truncate(value) {
+  if (typeof value !== "string") return value;
+  if (value.length <= SAMPLE_TRUNCATE) return value;
+  return value.slice(0, SAMPLE_TRUNCATE) + "…";
+}
+function _normalizeOne(reportLike) {
+  // Reporting API shape: { type, age, url, user_agent, body: {...} }
+  // Legacy CSP shape:    { "csp-report": { ... } }
+  if (!reportLike || typeof reportLike !== "object") return null;
+  if (reportLike["csp-report"] && typeof reportLike["csp-report"] === "object") {
+    var legacy = reportLike["csp-report"];
+    return {
+      type: "csp-violation",
+      url:  legacy["document-uri"] || null,
+      body: {
+        documentURL:        legacy["document-uri"] || null,
+        blockedURL:         legacy["blocked-uri"] || null,
+        effectiveDirective: legacy["effective-directive"] || legacy["violated-directive"] || null,
+        statusCode:         legacy["status-code"] || null,
+        sample:             _truncate(legacy["script-sample"] || ""),
+        sourceFile:         legacy["source-file"] || null,
+        lineNumber:         legacy["line-number"] || null,
+      },
+    };
+  }
+  if (reportLike.type && reportLike.body && typeof reportLike.body === "object") {
+    return {
+      type: reportLike.type,
+      url:  reportLike.url || null,
+      body: {
+        documentURL:        reportLike.body.documentURL || null,
+        blockedURL:         reportLike.body.blockedURL || null,
+        effectiveDirective: reportLike.body.effectiveDirective || null,
+        statusCode:         reportLike.body.statusCode || null,
+        sample:             _truncate(reportLike.body.sample || ""),
+        sourceFile:         reportLike.body.sourceFile || null,
+        lineNumber:         reportLike.body.lineNumber || null,
+      },
+    };
+  }
+  return null;
+}
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["audit", "onReport", "maxBytes"], "middleware.cspReport");
+  var maxBytes = (typeof opts.maxBytes === "number" && isFinite(opts.maxBytes) && opts.maxBytes > 0)
+    ? opts.maxBytes : DEFAULT_MAX_BYTES;
+  var onReport = (typeof opts.onReport === "function") ? opts.onReport : null;
+  return async function cspReport(req, res, _next) {
+    if (req.method !== "POST") {
+      res.writeHead(405, { "Allow": "POST" });                                     // allow:raw-byte-literal — HTTP 405 status
+      res.end();
+      return;
+    }
+    var body;
+    try {
+      body = await safeBuffer.boundedChunkCollector(req, { maxBytes: maxBytes });
+    } catch (_e) {
+      res.writeHead(413);                                                         // allow:raw-byte-literal — HTTP 413 status
+      res.end();
+      return;
+    }
+    var parsed;
+    try { parsed = safeJson.parse(body.toString("utf8")); }
+    catch (_e) {
+      res.writeHead(400);                                                         // allow:raw-byte-literal — HTTP 400 status
+      res.end();
+      return;
+    }
+    var reports = Array.isArray(parsed) ? parsed : [parsed];
+    for (var i = 0; i < reports.length; i++) {
+      var normalized = _normalizeOne(reports[i]);
+      if (!normalized) continue;
+      try {
+        audit().safeEmit({
+          action:  "csp.violation",
+          outcome: "failure",
+          metadata: Object.assign({ type: normalized.type, url: normalized.url }, normalized.body),
+        });
+      } catch (_e) { /* audit best-effort */ }
+      if (onReport) {
+        try { onReport(normalized); } catch (_e) { /* hook best-effort */ }
+      }
+    }
+    res.writeHead(204);                                                           // allow:raw-byte-literal — HTTP 204 status
+    res.end();
+  };
+}
+module.exports = { create: create };

package/lib/middleware/index.js CHANGED Viewed

@@ -32,6 +32,7 @@ var cookies = require("./cookies");
 var cors = require("./cors");
 var dailyByteQuota = require("./daily-byte-quota");
 var cspNonce = require("./csp-nonce");
+var cspReport = require("./csp-report");
 var csrfProtect = require("./csrf-protect");
 var dbRoleFor = require("./db-role-for");
 var dpop = require("./dpop");
@@ -88,6 +89,7 @@ module.exports = {
   compression:      compression.create,
   cookies:          cookies.create,
   cspNonce:         cspNonce.create,
+  cspReport:        cspReport.create,
   securityTxt:      securityTxt.create,
   sse:              sse.create,
   requestLog:       requestLog.create,

package/lib/network-tls.js CHANGED Viewed

@@ -329,6 +329,67 @@ function captureBaselineFingerprints() {
   STATE.baselineFingerprints = STATE.cas.map(function (e) { return e.meta.fingerprint256; });
 }
+// pinsetDriftMonitor — periodic check that emits audit + observability
+// events when the trust-store fingerprint set drifts from the captured
+// baseline. Different intent from expiryMonitor: this fires when a
+// CA is added or removed (by operator config-flip OR by a tampered
+// MANIFEST / vendor refresh), not when an existing one approaches
+// validity expiry.
+//
+//   b.network.tls.captureBaselineFingerprints();   // at boot
+//   var mon = b.network.tls.pinsetDriftMonitor({
+//     intervalMs:  C.TIME.minutes(15),
+//     onDrift:     function (drift) { /* operator hook */ },
+//   });
+//
+// Audit emissions:
+//   network.tls.pinset.drift_check  — every check, ok / warn
+//   network.tls.pinset.drifted      — when added.length || removed.length
+function pinsetDriftMonitor(opts) {
+  opts = opts || {};
+  var intervalMs = opts.intervalMs;
+  var auditOn    = opts.audit !== false;
+  if (typeof intervalMs !== "number" || !isFinite(intervalMs) || intervalMs <= 0) {
+    throw new TlsTrustError("tls/bad-interval",
+      "tls.pinsetDriftMonitor: intervalMs must be a positive finite number");
+  }
+  function _tick() {
+    var drift;
+    try { drift = detectBaselineDrift(); }
+    catch (_e) { return; }
+    if (drift === null) return;   // baseline not captured; nothing to compare
+    if (auditOn) {
+      try {
+        audit().safeEmit({
+          action:  "network.tls.pinset.drift_check",
+          outcome: drift.drifted ? "warn" : "ok",
+          metadata: { added: drift.added.length, removed: drift.removed.length },
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
+    if (drift.drifted) {
+      try { observability().safeEvent("network.tls.pinset.drifted", 1, {}); }
+      catch (_e) { /* drop-silent */ }
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:  "network.tls.pinset.drifted",
+            outcome: "failure",
+            metadata: { added: drift.added, removed: drift.removed },
+          });
+        } catch (_e) { /* drop-silent */ }
+      }
+      if (typeof opts.onDrift === "function") {
+        try { opts.onDrift(drift); } catch (_e) { /* operator hook */ }
+      }
+    }
+  }
+  var handle = safeAsync.repeating(_tick, intervalMs, { name: "tls-pinset-drift-monitor" });
+  return {
+    stop: function () { if (handle) { handle.stop(); handle = null; } },
+  };
+}
 function detectBaselineDrift() {
   if (!STATE.baselineFingerprints) return null;
   var current = STATE.cas.map(function (e) { return e.meta.fingerprint256; });
@@ -1683,6 +1744,7 @@ module.exports = {
   purgeExpired:        purgeExpired,
   expiringSoon:        expiringSoon,
   expiryMonitor:       expiryMonitor,
+  pinsetDriftMonitor:  pinsetDriftMonitor,
   useSystemTrust:      useSystemTrust,
   isSystemTrustEnabled: isSystemTrustEnabled,
   getTrustStore:       getTrustStore,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.39",
+  "version": "0.8.40",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:319bfdfd-c9b3-4f86-a42e-c3441466295e",
+  "serialNumber": "urn:uuid:7c951f5a-156e-49be-91c0-8a5a420faf2c",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T16:17:54.954Z",
+    "timestamp": "2026-05-07T16:35:12.500Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.39",
+      "bom-ref": "@blamejs/core@0.8.40",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.39",
+      "version": "0.8.40",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.39",
+      "purl": "pkg:npm/%40blamejs/core@0.8.40",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.39",
+      "ref": "@blamejs/core@0.8.40",
       "dependsOn": []
     }
   ]