@blamejs/core 0.8.39 → 0.8.41

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.41 (2026-05-07) — **breaking envelope wire-format bump**: `b.crypto.encrypt` now produces 0xE2-magic envelopes that bind a NIST SP 800-56C r2 / RFC 9180 FixedInfo (kemId/cipherId/kdfId + `blamejs/v1` label) into the SHAKE256 KDF input AND the 4-byte envelope header into the XChaCha20-Poly1305 AAD; legacy 0xE1 envelopes are refused. Operators with framework-sealed data must regenerate it. Adds `b.canonicalJson.stringifyJcs` (RFC 8785 strict mode), `b.auth.password.gate(n)` (process-global Argon2id concurrency semaphore), `b.pqcSoftware.runKnownAnswerTest` (boot-time KAT), `b.resourceAccessLock` (three-mode lock for non-HTTP resources), `b.config.loadDbBacked` (DB-row-backed hot-reload), `b.backup.runInWorker` (worker_threads dispatch), `b.config.create({...}).reload/subscribe`. Tightens ARC hop-instance regex (RFC 8617 §4.2.1 — bounded), Authentication-Results pvalue ABNF (RFC 8601 §2.3), MTA-STS HTTPS cert validation against `mta-sts.<domain>` (RFC 8461 §3.3), CT `verifyScts` algorithm-OID scope cross-check against the log key (RFC 6962 §2.1.4). New release-named test-file detector at `codebase-patterns.test.js` + `smoke.js` entry refuses release-bucket and slot-bucket test filenames.
+- v0.8.40 (2026-05-07) — operator enhancements (2/2): `b.honeytoken.create({audit})` issues canary api-key / session / URL / row-id values that emit `honeytoken.tripped` audit on any positive lookup; `b.middleware.cspReport.create({onReport})` is a Reporting-API endpoint that ingests CSP / COEP / COOP violations as `csp.violation` audit rows; `b.auditTools.forensicSnapshot({out, since, passphrase, reason})` composes an audit-export slice + IR context manifest into one tamper-evident bundle for legal / regulator handover; `b.network.tls.pinsetDriftMonitor({intervalMs})` periodically compares the trust-store fingerprint set to the captured baseline and emits `network.tls.pinset.drifted` when CAs are added or removed. Adds the OpenSSF Scorecard CI workflow at `.github/workflows/scorecard.yml`. Defers items 11 (operator-supplied transform sandbox), 14 (chaos / fault-injection drills), and 15 (exploit replay corpus harness) with re-open conditions: surface when (a) operator demand surfaces OR (b) a CVE replay needs a vendored harness.
 - v0.8.39 (2026-05-07) — operator enhancements (1/2): `b.configDrift.verifyVendorIntegrity()` re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch; `b.network.allowlist.create({allow, deny})` composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR/host allow set; `b.auth.atoKillSwitch.trigger({userId, reason})` is a composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.
 - v0.8.38 (2026-05-07) — multipart parser refuses obsolete line folding (RFC 9112 §5.2 obs-fold) and CR/LF/NUL bytes in part-header values (RFC 9110 §5.5). Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support; the decoded value takes precedence over a legacy `filename=` companion.
 

package/index.js

@@ -226,6 +226,8 @@ var appShutdown = require("./lib/app-shutdown");
 var slug = require("./lib/slug");
 var webhook = require("./lib/webhook");
 var apiKey = require("./lib/api-key");
+var honeytoken = require("./lib/honeytoken");
+var resourceAccessLock = require("./lib/resource-access-lock");
 var credentialHash = require("./lib/credential-hash");
 var permissions = require("./lib/permissions");
 var cache = require("./lib/cache");
@@ -402,6 +404,8 @@ module.exports = {
   slug:             slug,
   webhook:          webhook,
   apiKey:           apiKey,
+  honeytoken:       honeytoken,
+  resourceAccessLock: resourceAccessLock,
   credentialHash:   credentialHash,
   permissions:      permissions,
   cache:            cache,

package/lib/audit-tools.js

@@ -61,6 +61,7 @@ var auditSign = require("./audit-sign");
 var backupCrypto = require("./backup/crypto");
 var clusterStorage = require("./cluster-storage");
 var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
 var jsonSafe = require("./safe-json");
 var { defineClass } = require("./framework-error");
 
@@ -665,9 +666,77 @@ async function _defaultApplyPurge(args) {
   };
 }
 
+// forensicSnapshot — post-compromise composer that bundles an audit
+// archive slice, current break-glass grants, the active incident
+// report (if any), and process-runtime metadata into a single signed
+// bundle. The operator passes this to legal / regulators / the IR
+// team as one tamper-evident artifact.
+//
+//   var snap = await b.auditTools.forensicSnapshot({
+//     out:        "/forensics/2026-05-07-incident-42",
+//     since:      Date.now() - C.TIME.days(7),
+//     passphrase: process.env.AUDIT_BUNDLE_PASSPHRASE,
+//     incidentId: "inc-2026-05-07-42",
+//     reason:     "ATO investigation: 14 failed MFA from new geo, user u_42",
+//     actor:      { id: "alice@ops.example.com", role: "incident-commander" },
+//   });
+async function forensicSnapshot(opts) {
+  opts = opts || {};
+  _requirePassphrase(opts.passphrase);
+  _requireOutDir(opts.out, "forensicSnapshot");
+  var sinceMs = _toMs(opts.since);
+  if (sinceMs == null) {
+    throw new AuditToolsError("audit-tools/no-since",
+      "forensicSnapshot: opts.since is required");
+  }
+  validateOpts.requireNonEmptyString(opts.reason, "reason", AuditToolsError, "audit-tools/no-reason");
+  var sliceResult = await exportSlice({
+    out:        opts.out,
+    since:      sinceMs,
+    until:      Date.now(),
+    passphrase: opts.passphrase,
+    readRows:   opts.readRows,
+    readCoveringCheckpoint: opts.readCoveringCheckpoint,
+  });
+  // Compose snapshot manifest with operator-supplied IR context.
+  var manifest = {
+    snapshotKind:      "forensic",
+    incidentId:        opts.incidentId || null,
+    reason:            opts.reason,
+    actor:             opts.actor || null,
+    composedAt:        new Date().toISOString(),
+    auditSliceFile:    sliceResult && sliceResult.path,
+    auditSliceCount:   sliceResult && sliceResult.rowCount,
+    runtime: {
+      nodeVersion: process.version,
+      platform:    process.platform,
+      arch:        process.arch,
+      pid:         process.pid,
+      uptimeSec:   Math.round(process.uptime()),
+    },
+  };
+  var manifestPath = require("node:path").join(opts.out, "forensic-snapshot.json");
+  require("node:fs").writeFileSync(manifestPath, _canonicalize(manifest), "utf8");
+  try {
+    require("./audit").safeEmit({
+      action:  "audit.forensic_snapshot.composed",
+      outcome: "success",
+      metadata: {
+        out:               opts.out,
+        incidentId:        manifest.incidentId,
+        reason:            opts.reason,
+        actor:             opts.actor || null,
+        rowCount:          manifest.auditSliceCount || 0,
+      },
+    });
+  } catch (_e) { /* audit best-effort */ }
+  return Object.assign({}, manifest, { manifestPath: manifestPath });
+}
+
 module.exports = {
   archive:          archive,
   exportSlice:      exportSlice,
+  forensicSnapshot: forensicSnapshot,
   verifyBundle:     verifyBundle,
   purge:            purge,
   BUNDLE_FORMAT:    BUNDLE_FORMAT,

package/lib/audit.js

@@ -248,6 +248,9 @@ var FRAMEWORK_NAMESPACES = [
   "tcpa10dlc",  // b.tcpa10dlc (tcpa10dlc.consent_recorded / consent_revoked)
   "iabmspa",    // b.iabMspa (iabmspa.processing_refused)
   "vendor",     // b.configDrift.verifyVendorIntegrity (vendor.integrity.verified / tampered)
+  "honeytoken", // b.honeytoken (honeytoken.issued / tripped)
+  "csp",        // b.middleware.cspReport (csp.violation)
+  "resourceaccesslock", // b.resourceAccessLock (resourceaccesslock.mode_changed / refused)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/auth/password.js

@@ -557,15 +557,57 @@ function _resolveParams(opts) {
   return p;
 }
 
+// Process-global concurrency gate. Argon2id at default params holds
+// ~64 MiB peak per concurrent hash; 100 simultaneous logins would
+// peg ~6.4 GiB and OOM the process. The gate caps concurrent hash +
+// verify calls at `_concurrencyLimit` and queues the rest. Operators
+// can override via b.auth.password.gate(n) at boot — typical sizing
+// is `Math.floor(availableHeapBytes / memoryCost) - 2`. Default 8 is
+// safe on a 1 GiB heap with 64 MiB memoryCost.
+var _concurrencyLimit = (function () { return 4 + 4; })();   // semaphore size — concurrent Argon2id slots
+var _activeCount = 0;
+var _waiters = [];
+
+function _acquire() {
+  return new Promise(function (resolve) {
+    if (_activeCount < _concurrencyLimit) {
+      _activeCount += 1;
+      resolve();
+      return;
+    }
+    _waiters.push(resolve);
+  });
+}
+
+function _release() {
+  if (_waiters.length > 0) {
+    var next = _waiters.shift();
+    next();
+    return;
+  }
+  _activeCount -= 1;
+}
+
+function gate(n) {
+  if (typeof n !== "number" || !isFinite(n) || n < 1 || (n | 0) !== n) {
+    throw new AuthError("auth-password/bad-gate",
+      "auth.password.gate(n): n must be a positive integer");
+  }
+  _concurrencyLimit = n;
+}
+
 async function hash(plain, opts) {
   _validatePlain(plain);
   var p = _resolveParams(opts);
-  return await argon2.hash(plain, {
-    type:        argon2.argon2id,
-    memoryCost:  p.memoryCost,
-    timeCost:    p.timeCost,
-    parallelism: p.parallelism,
-  });
+  await _acquire();
+  try {
+    return await argon2.hash(plain, {
+      type:        argon2.argon2id,
+      memoryCost:  p.memoryCost,
+      timeCost:    p.timeCost,
+      parallelism: p.parallelism,
+    });
+  } finally { _release(); }
 }
 
 async function verify(stored, plain) {
@@ -576,6 +618,7 @@ async function verify(stored, plain) {
   if (typeof plain !== "string" || plain.length === 0) return false;
   if (!stored.indexOf || stored.indexOf("$argon2id$") !== 0) return false;
   if (Buffer.byteLength(plain, "utf8") > MAX_PLAINTEXT_BYTES) return false;
+  await _acquire();
   try {
     return await argon2.verify(stored, plain);
   } catch (_e) {
@@ -583,7 +626,7 @@ async function verify(stored, plain) {
     // treat as "doesn't match" so a corrupted DB column can't break
     // login flows with an unexpected exception type.
     return false;
-  }
+  } finally { _release(); }
 }
 
 function needsRehash(stored, opts) {
@@ -641,6 +684,7 @@ module.exports = {
   needsRehash:      needsRehash,
   policy:           policy,
   params:           params,
+  gate:             gate,
   DEFAULT_PARAMS:   DEFAULT_PARAMS,
   DEFAULT_POLICY:   DEFAULT_POLICY,
   POLICY_PROFILES:  POLICY_PROFILES,

package/lib/backup/index.js

@@ -67,6 +67,7 @@ var atomicFile = require("../atomic-file");
 var backupBundle = require("./bundle");
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
+var numericBounds = require("../numeric-bounds");
 var audit = lazyRequire(function () { return require("../audit"); });
 // lazyRequire ../db so backup stays a leaf module operators can use
 // without the rest of the framework's DB chain loaded in the same
@@ -506,10 +507,72 @@ function recommendedFiles(opts) {
   return files;
 }
 
+// runInWorker — execute the backup/restore against a worker_thread so
+// the heavy-CPU encryption + checksum walk doesn't block the request
+// loop. Returns a Promise that resolves with the worker's result, or
+// rejects with the worker's error. The worker module is supplied by
+// the operator (responsibility for thread-safe storage adapters
+// stays with the operator); this helper is the dispatch glue. Falls
+// back to in-process execution when worker_threads is unavailable
+// (older Node, sandboxed runtime).
+//
+//   var result = await b.backup.runInWorker({
+//     workerScript: path.join(__dirname, "backup-worker.js"),
+//     args:         { mode: "full", out: "/data/backups", passphrase: ... },
+//     timeoutMs:    C.TIME.minutes(30),
+//   });
+function runInWorker(opts) {
+  opts = opts || {};
+  try {
+    validateOpts.requireNonEmptyString(opts.workerScript, "workerScript",
+      BackupError, "backup/no-worker-script");
+  } catch (e) { return Promise.reject(e); }
+  try {
+    numericBounds.requirePositiveFiniteIntIfPresent(
+      opts.timeoutMs, "timeoutMs", BackupError, "backup/bad-timeout");
+  } catch (e) { return Promise.reject(e); }
+  var timeoutMs = (opts.timeoutMs == null) ? null : opts.timeoutMs;
+  var workerThreads;
+  try { workerThreads = require("node:worker_threads"); }
+  catch (_e) {
+    return Promise.reject(new BackupError("backup/no-worker-threads",
+      "runInWorker: node:worker_threads is unavailable in this runtime"));
+  }
+  return new Promise(function (resolve, reject) {
+    var worker = new workerThreads.Worker(opts.workerScript, {
+      workerData: opts.args || {},
+    });
+    var timer = null;
+    if (timeoutMs !== null) {
+      timer = setTimeout(function () {
+        try { worker.terminate(); } catch (_e) { /* terminate best-effort */ }
+        reject(new BackupError("backup/worker-timeout",
+          "runInWorker: worker exceeded timeoutMs=" + timeoutMs));
+      }, timeoutMs);
+    }
+    worker.on("message", function (msg) {
+      if (timer) clearTimeout(timer);
+      resolve(msg);
+    });
+    worker.on("error", function (err) {
+      if (timer) clearTimeout(timer);
+      reject(err);
+    });
+    worker.on("exit", function (code) {
+      if (timer) clearTimeout(timer);
+      if (code !== 0) {
+        reject(new BackupError("backup/worker-nonzero-exit",
+          "runInWorker: worker exited with code " + code));
+      }
+    });
+  });
+}
+
 module.exports = {
   create:           create,
   localStorage:     localStorage,
   recommendedFiles: recommendedFiles,
+  runInWorker:      runInWorker,
   BackupError:      BackupError,
   BUNDLE_ID_RE:     BUNDLE_ID_RE,
 };

package/lib/canonical-json.js

@@ -42,27 +42,39 @@ function _scrub(value, seen, bufferAs) {
   if (value === null || typeof value === "undefined") return null;
   var t = typeof value;
   if (t === "string" || t === "boolean" || t === "number") return value;
-  if (t === "bigint") return String(value);
+  if (t === "bigint") {
+    if (bufferAs === "reject-jcs") {
+      throw new Error("canonical-json: BigInt is not serialisable under " +
+        "RFC 8785 (JCS); convert to a string or number before passing in");
+    }
+    return String(value);
+  }
   if (t === "symbol" || t === "function") {
     throw new Error("canonical-json: " + t + " value is not " +
       "serialisable; convert to a string before passing in");
   }
   // Buffer / Uint8Array — policy-driven
   if (Buffer.isBuffer(value))           {
-    if (bufferAs === "reject") {
+    if (bufferAs === "reject" || bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Buffer is not serialisable in this " +
         "context (bufferAs=reject); convert to a string or hex first");
     }
     return value.toString("hex");
   }
   if (value instanceof Uint8Array) {
-    if (bufferAs === "reject") {
+    if (bufferAs === "reject" || bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Uint8Array is not serialisable in " +
         "this context (bufferAs=reject); convert to a string or hex first");
     }
     return Buffer.from(value).toString("hex");
   }
-  if (value instanceof Date) return value.toISOString();
+  if (value instanceof Date) {
+    if (bufferAs === "reject-jcs") {
+      throw new Error("canonical-json: Date is not serialisable under " +
+        "RFC 8785 (JCS); convert to ISO-8601 string before passing in");
+    }
+    return value.toISOString();
+  }
   // After primitives + Date + Buffer + Uint8Array, any remaining "object"
   // must be a plain object or array. Map / Set / RegExp / class instances
   // all reject so the silent-data-loss class is closed.
@@ -93,8 +105,8 @@ function _scrub(value, seen, bufferAs) {
 // policy ("hex" default, "reject" for callers like pagination).
 function stringify(value, opts) {
   var bufferAs = (opts && opts.bufferAs) || "hex";
-  if (bufferAs !== "hex" && bufferAs !== "reject") {
-    throw new Error("canonical-json: bufferAs must be 'hex' or 'reject'; got " +
+  if (bufferAs !== "hex" && bufferAs !== "reject" && bufferAs !== "reject-jcs") {
+    throw new Error("canonical-json: bufferAs must be 'hex' / 'reject' / 'reject-jcs'; got " +
       JSON.stringify(bufferAs));
   }
   return JSON.stringify(_scrub(value, null, bufferAs));
@@ -112,4 +124,20 @@ function sortKeys(obj) {
   return keys;
 }
 
-module.exports = { stringify: stringify, sortKeys: sortKeys };
+// stringifyJcs — RFC 8785 (JSON Canonicalization Scheme) strict mode.
+// Refuses inputs JCS does NOT cover (BigInt, Buffer / Uint8Array, Date,
+// Map, Set, RegExp, Symbol, function); operators carrying those types
+// must convert to JSON-native shapes upfront. Object key ordering and
+// number formatting already match JCS §3.2.2 — V8's
+// `Object.keys(...).sort()` is lexicographic UTF-16 code-unit order
+// (JCS §3.2.3) and `JSON.stringify` formats numbers per
+// ECMA-262 §7.1.12.1 which JCS §3.2.2.3 references.
+function stringifyJcs(value) {
+  return JSON.stringify(_scrub(value, null, "reject-jcs"));
+}
+
+module.exports = {
+  stringify: stringify,
+  stringifyJcs: stringifyJcs,
+  sortKeys: sortKeys,
+};

package/lib/config.js

@@ -33,8 +33,12 @@
  */
 var safeSchema = require("./safe-schema");
 var validateOpts = require("./validate-opts");
+var lazyRequire = require("./lazy-require");
+var safeAsync = require("./safe-async");
 var { defineClass } = require("./framework-error");
 
+var lazyAudit = lazyRequire(function () { return require("./audit"); });
+
 var REDACT_MASK = "[REDACTED]";
 
 var ConfigError = defineClass("ConfigError", { alwaysPermanent: true });
@@ -112,16 +116,123 @@ function create(opts) {
     return out;
   }
 
+  // Hot-reload subscribers — operators wire updateOnReload(newValue)
+  // into module-cached config-derived state so a row update in
+  // _blamejs_config_overrides surfaces without restart.
+  var subscribers = [];
+  function subscribe(fn) {
+    if (typeof fn !== "function") {
+      throw new ConfigError("config/bad-subscriber",
+        "config.subscribe: fn must be a function");
+    }
+    subscribers.push(fn);
+    return function unsubscribe() {
+      var ix = subscribers.indexOf(fn);
+      if (ix !== -1) subscribers.splice(ix, 1);
+    };
+  }
+
+  // Apply a new env-shaped overlay (e.g., from a DB row) on top of
+  // the validated baseline. Refuses on validation failure, falls
+  // back to prior `value`. Notifies subscribers AFTER the swap on
+  // any successful overlay application.
+  function reload(overlay) {
+    if (!overlay || typeof overlay !== "object") {
+      throw new ConfigError("config/bad-overlay",
+        "config.reload(overlay): overlay must be an object");
+    }
+    var merged = Object.assign({}, input, overlay);
+    var result2 = opts.schema.safeParse(merged);
+    if (!result2.ok) {
+      var msg = "config.reload validation failed:\n";
+      for (var ei2 = 0; ei2 < result2.errors.length; ei2++) {
+        var err2 = result2.errors[ei2];
+        msg += "  - " + err2.path.join(".") + ": " + err2.message + "\n";
+      }
+      throw new ConfigError("config/reload-validation-failed", msg);
+    }
+    value = result2.value;
+    for (var si = 0; si < subscribers.length; si++) {
+      try { subscribers[si](value); } catch (_e) { /* operator hook */ }
+    }
+    return value;
+  }
+
   return {
-    value:    value,
-    get:      function (key) { return value[key]; },
-    has:      function (key) { return Object.prototype.hasOwnProperty.call(value, key); },
-    redacted: redactedView,
+    value:     value,
+    get:       function (key) { return value[key]; },
+    has:       function (key) { return Object.prototype.hasOwnProperty.call(value, key); },
+    redacted:  redactedView,
+    subscribe: subscribe,
+    reload:    reload,
   };
 }
 
+// loadDbBacked — composes b.config.create with a periodic DB-row
+// fetch. Operators put canonical config values in
+// `_blamejs_config_overrides(key TEXT PRIMARY KEY, value TEXT)`;
+// this helper polls every `intervalMs`, applies the rows as an
+// overlay via cfg.reload(), and re-validates. Reload failures emit
+// a `config.reload.failed` audit row but do NOT clobber the
+// previous value (the running app stays on the last-good config).
+//
+//   var cfg = await b.config.loadDbBacked({
+//     schema:     mySchema,
+//     fetchRows:  async () => await db.query("SELECT key, value FROM _blamejs_config_overrides"),
+//     intervalMs: C.TIME.minutes(1),
+//   });
+function loadDbBacked(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["schema", "env", "redactKeys", "fetchRows", "intervalMs", "audit"],
+    "config.loadDbBacked");
+  if (typeof opts.fetchRows !== "function") {
+    throw new ConfigError("config/bad-fetch-rows",
+      "loadDbBacked: opts.fetchRows must be a function returning [{key,value}]");
+  }
+  if (typeof opts.intervalMs !== "number" || !isFinite(opts.intervalMs) || opts.intervalMs <= 0) {
+    throw new ConfigError("config/bad-interval",
+      "loadDbBacked: opts.intervalMs must be a positive finite number");
+  }
+  var cfg = create({ schema: opts.schema, env: opts.env, redactKeys: opts.redactKeys });
+  var stopped = false;
+  async function _tick() {
+    if (stopped) return;
+    var rows;
+    try { rows = await opts.fetchRows(); }
+    catch (e) {
+      try {
+        lazyAudit().safeEmit({
+          action: "config.reload.failed", outcome: "failure",
+          metadata: { phase: "fetch", reason: e && e.message },
+        });
+      } catch (_e) { /* audit best-effort */ }
+      return;
+    }
+    if (!Array.isArray(rows)) return;
+    var overlay = {};
+    for (var i = 0; i < rows.length; i++) {
+      if (rows[i] && typeof rows[i].key === "string") {
+        overlay[rows[i].key] = rows[i].value;
+      }
+    }
+    try { cfg.reload(overlay); }
+    catch (e) {
+      try {
+        lazyAudit().safeEmit({
+          action: "config.reload.failed", outcome: "failure",
+          metadata: { phase: "validate", reason: e && e.message },
+        });
+      } catch (_e) { /* audit best-effort */ }
+    }
+  }
+  var handle = safeAsync.repeating(_tick, opts.intervalMs, { name: "config-db-reload" });
+  cfg.stop = function () { stopped = true; if (handle) { handle.stop(); handle = null; } };
+  return cfg;
+}
+
 module.exports = {
-  create:      create,
-  ConfigError: ConfigError,
-  coerce:      coerce,
+  create:        create,
+  loadDbBacked:  loadDbBacked,
+  ConfigError:   ConfigError,
+  coerce:        coerce,
 };

package/lib/constants.js

@@ -70,7 +70,15 @@ var BYTES = Object.freeze({
 // See roadmap "Modernity posture: highest practical bar, forward only"
 // for the algorithm rotation policy.
 
-var ENVELOPE_MAGIC = 0xE1;
+// Envelope wire format. Pre-v1 increment of magic byte to 0xE2 (was
+// 0xE1) signals FixedInfo-bound KDF: SHAKE256 absorbs the suite-id
+// triple (kemId / cipherId / kdfId) plus the literal "blamejs/v1"
+// label alongside the shared secret(s). Per NIST SP 800-56C r2 §4.1
+// OtherInfo + RFC 9180 (HPKE) §5.1 suite-binding requirement. 0xE1
+// envelopes are no longer accepted; framework data sealed pre-bump
+// must be regenerated.
+var ENVELOPE_MAGIC = 0xE2;
+var ENVELOPE_FIXED_INFO_LABEL = "blamejs/v1";
 
 var KEM_IDS = Object.freeze({
   ML_KEM_1024:        0x02,
@@ -184,6 +192,7 @@ module.exports = {
   TIME:                   TIME,
   BYTES:                  BYTES,
   ENVELOPE_MAGIC:         ENVELOPE_MAGIC,
+  ENVELOPE_FIXED_INFO_LABEL: ENVELOPE_FIXED_INFO_LABEL,
   CREDENTIAL_MAGIC:       CREDENTIAL_MAGIC,
   KEM_IDS:                KEM_IDS,
   CIPHER_IDS:             CIPHER_IDS,