@blamejs/core 0.8.40 → 0.8.41

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.41 (2026-05-07) — **breaking envelope wire-format bump**: `b.crypto.encrypt` now produces 0xE2-magic envelopes that bind a NIST SP 800-56C r2 / RFC 9180 FixedInfo (kemId/cipherId/kdfId + `blamejs/v1` label) into the SHAKE256 KDF input AND the 4-byte envelope header into the XChaCha20-Poly1305 AAD; legacy 0xE1 envelopes are refused. Operators with framework-sealed data must regenerate it. Adds `b.canonicalJson.stringifyJcs` (RFC 8785 strict mode), `b.auth.password.gate(n)` (process-global Argon2id concurrency semaphore), `b.pqcSoftware.runKnownAnswerTest` (boot-time KAT), `b.resourceAccessLock` (three-mode lock for non-HTTP resources), `b.config.loadDbBacked` (DB-row-backed hot-reload), `b.backup.runInWorker` (worker_threads dispatch), `b.config.create({...}).reload/subscribe`. Tightens ARC hop-instance regex (RFC 8617 §4.2.1 — bounded), Authentication-Results pvalue ABNF (RFC 8601 §2.3), MTA-STS HTTPS cert validation against `mta-sts.<domain>` (RFC 8461 §3.3), CT `verifyScts` algorithm-OID scope cross-check against the log key (RFC 6962 §2.1.4). New release-named test-file detector at `codebase-patterns.test.js` + `smoke.js` entry refuses release-bucket and slot-bucket test filenames.
 - v0.8.40 (2026-05-07) — operator enhancements (2/2): `b.honeytoken.create({audit})` issues canary api-key / session / URL / row-id values that emit `honeytoken.tripped` audit on any positive lookup; `b.middleware.cspReport.create({onReport})` is a Reporting-API endpoint that ingests CSP / COEP / COOP violations as `csp.violation` audit rows; `b.auditTools.forensicSnapshot({out, since, passphrase, reason})` composes an audit-export slice + IR context manifest into one tamper-evident bundle for legal / regulator handover; `b.network.tls.pinsetDriftMonitor({intervalMs})` periodically compares the trust-store fingerprint set to the captured baseline and emits `network.tls.pinset.drifted` when CAs are added or removed. Adds the OpenSSF Scorecard CI workflow at `.github/workflows/scorecard.yml`. Defers items 11 (operator-supplied transform sandbox), 14 (chaos / fault-injection drills), and 15 (exploit replay corpus harness) with re-open conditions: surface when (a) operator demand surfaces OR (b) a CVE replay needs a vendored harness.
 - v0.8.39 (2026-05-07) — operator enhancements (1/2): `b.configDrift.verifyVendorIntegrity()` re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch; `b.network.allowlist.create({allow, deny})` composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR/host allow set; `b.auth.atoKillSwitch.trigger({userId, reason})` is a composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.
 - v0.8.38 (2026-05-07) — multipart parser refuses obsolete line folding (RFC 9112 §5.2 obs-fold) and CR/LF/NUL bytes in part-header values (RFC 9110 §5.5). Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support; the decoded value takes precedence over a legacy `filename=` companion.

package/index.js

@@ -227,6 +227,7 @@ var slug = require("./lib/slug");
 var webhook = require("./lib/webhook");
 var apiKey = require("./lib/api-key");
 var honeytoken = require("./lib/honeytoken");
+var resourceAccessLock = require("./lib/resource-access-lock");
 var credentialHash = require("./lib/credential-hash");
 var permissions = require("./lib/permissions");
 var cache = require("./lib/cache");
@@ -404,6 +405,7 @@ module.exports = {
   webhook:          webhook,
   apiKey:           apiKey,
   honeytoken:       honeytoken,
+  resourceAccessLock: resourceAccessLock,
   credentialHash:   credentialHash,
   permissions:      permissions,
   cache:            cache,

package/lib/audit.js

@@ -250,6 +250,7 @@ var FRAMEWORK_NAMESPACES = [
   "vendor",     // b.configDrift.verifyVendorIntegrity (vendor.integrity.verified / tampered)
   "honeytoken", // b.honeytoken (honeytoken.issued / tripped)
   "csp",        // b.middleware.cspReport (csp.violation)
+  "resourceaccesslock", // b.resourceAccessLock (resourceaccesslock.mode_changed / refused)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/auth/password.js

@@ -557,15 +557,57 @@ function _resolveParams(opts) {
   return p;
 }
 
+// Process-global concurrency gate. Argon2id at default params holds
+// ~64 MiB peak per concurrent hash; 100 simultaneous logins would
+// peg ~6.4 GiB and OOM the process. The gate caps concurrent hash +
+// verify calls at `_concurrencyLimit` and queues the rest. Operators
+// can override via b.auth.password.gate(n) at boot — typical sizing
+// is `Math.floor(availableHeapBytes / memoryCost) - 2`. Default 8 is
+// safe on a 1 GiB heap with 64 MiB memoryCost.
+var _concurrencyLimit = (function () { return 4 + 4; })();   // semaphore size — concurrent Argon2id slots
+var _activeCount = 0;
+var _waiters = [];
+
+function _acquire() {
+  return new Promise(function (resolve) {
+    if (_activeCount < _concurrencyLimit) {
+      _activeCount += 1;
+      resolve();
+      return;
+    }
+    _waiters.push(resolve);
+  });
+}
+
+function _release() {
+  if (_waiters.length > 0) {
+    var next = _waiters.shift();
+    next();
+    return;
+  }
+  _activeCount -= 1;
+}
+
+function gate(n) {
+  if (typeof n !== "number" || !isFinite(n) || n < 1 || (n | 0) !== n) {
+    throw new AuthError("auth-password/bad-gate",
+      "auth.password.gate(n): n must be a positive integer");
+  }
+  _concurrencyLimit = n;
+}
+
 async function hash(plain, opts) {
   _validatePlain(plain);
   var p = _resolveParams(opts);
-  return await argon2.hash(plain, {
-    type:        argon2.argon2id,
-    memoryCost:  p.memoryCost,
-    timeCost:    p.timeCost,
-    parallelism: p.parallelism,
-  });
+  await _acquire();
+  try {
+    return await argon2.hash(plain, {
+      type:        argon2.argon2id,
+      memoryCost:  p.memoryCost,
+      timeCost:    p.timeCost,
+      parallelism: p.parallelism,
+    });
+  } finally { _release(); }
 }
 
 async function verify(stored, plain) {
@@ -576,6 +618,7 @@ async function verify(stored, plain) {
   if (typeof plain !== "string" || plain.length === 0) return false;
   if (!stored.indexOf || stored.indexOf("$argon2id$") !== 0) return false;
   if (Buffer.byteLength(plain, "utf8") > MAX_PLAINTEXT_BYTES) return false;
+  await _acquire();
   try {
     return await argon2.verify(stored, plain);
   } catch (_e) {
@@ -583,7 +626,7 @@ async function verify(stored, plain) {
     // treat as "doesn't match" so a corrupted DB column can't break
     // login flows with an unexpected exception type.
     return false;
-  }
+  } finally { _release(); }
 }
 
 function needsRehash(stored, opts) {
@@ -641,6 +684,7 @@ module.exports = {
   needsRehash:      needsRehash,
   policy:           policy,
   params:           params,
+  gate:             gate,
   DEFAULT_PARAMS:   DEFAULT_PARAMS,
   DEFAULT_POLICY:   DEFAULT_POLICY,
   POLICY_PROFILES:  POLICY_PROFILES,

package/lib/backup/index.js

@@ -67,6 +67,7 @@ var atomicFile = require("../atomic-file");
 var backupBundle = require("./bundle");
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
+var numericBounds = require("../numeric-bounds");
 var audit = lazyRequire(function () { return require("../audit"); });
 // lazyRequire ../db so backup stays a leaf module operators can use
 // without the rest of the framework's DB chain loaded in the same
@@ -506,10 +507,72 @@ function recommendedFiles(opts) {
   return files;
 }
 
+// runInWorker — execute the backup/restore against a worker_thread so
+// the heavy-CPU encryption + checksum walk doesn't block the request
+// loop. Returns a Promise that resolves with the worker's result, or
+// rejects with the worker's error. The worker module is supplied by
+// the operator (responsibility for thread-safe storage adapters
+// stays with the operator); this helper is the dispatch glue. Falls
+// back to in-process execution when worker_threads is unavailable
+// (older Node, sandboxed runtime).
+//
+//   var result = await b.backup.runInWorker({
+//     workerScript: path.join(__dirname, "backup-worker.js"),
+//     args:         { mode: "full", out: "/data/backups", passphrase: ... },
+//     timeoutMs:    C.TIME.minutes(30),
+//   });
+function runInWorker(opts) {
+  opts = opts || {};
+  try {
+    validateOpts.requireNonEmptyString(opts.workerScript, "workerScript",
+      BackupError, "backup/no-worker-script");
+  } catch (e) { return Promise.reject(e); }
+  try {
+    numericBounds.requirePositiveFiniteIntIfPresent(
+      opts.timeoutMs, "timeoutMs", BackupError, "backup/bad-timeout");
+  } catch (e) { return Promise.reject(e); }
+  var timeoutMs = (opts.timeoutMs == null) ? null : opts.timeoutMs;
+  var workerThreads;
+  try { workerThreads = require("node:worker_threads"); }
+  catch (_e) {
+    return Promise.reject(new BackupError("backup/no-worker-threads",
+      "runInWorker: node:worker_threads is unavailable in this runtime"));
+  }
+  return new Promise(function (resolve, reject) {
+    var worker = new workerThreads.Worker(opts.workerScript, {
+      workerData: opts.args || {},
+    });
+    var timer = null;
+    if (timeoutMs !== null) {
+      timer = setTimeout(function () {
+        try { worker.terminate(); } catch (_e) { /* terminate best-effort */ }
+        reject(new BackupError("backup/worker-timeout",
+          "runInWorker: worker exceeded timeoutMs=" + timeoutMs));
+      }, timeoutMs);
+    }
+    worker.on("message", function (msg) {
+      if (timer) clearTimeout(timer);
+      resolve(msg);
+    });
+    worker.on("error", function (err) {
+      if (timer) clearTimeout(timer);
+      reject(err);
+    });
+    worker.on("exit", function (code) {
+      if (timer) clearTimeout(timer);
+      if (code !== 0) {
+        reject(new BackupError("backup/worker-nonzero-exit",
+          "runInWorker: worker exited with code " + code));
+      }
+    });
+  });
+}
+
 module.exports = {
   create:           create,
   localStorage:     localStorage,
   recommendedFiles: recommendedFiles,
+  runInWorker:      runInWorker,
   BackupError:      BackupError,
   BUNDLE_ID_RE:     BUNDLE_ID_RE,
 };

package/lib/canonical-json.js

@@ -42,27 +42,39 @@ function _scrub(value, seen, bufferAs) {
   if (value === null || typeof value === "undefined") return null;
   var t = typeof value;
   if (t === "string" || t === "boolean" || t === "number") return value;
-  if (t === "bigint") return String(value);
+  if (t === "bigint") {
+    if (bufferAs === "reject-jcs") {
+      throw new Error("canonical-json: BigInt is not serialisable under " +
+        "RFC 8785 (JCS); convert to a string or number before passing in");
+    }
+    return String(value);
+  }
   if (t === "symbol" || t === "function") {
     throw new Error("canonical-json: " + t + " value is not " +
       "serialisable; convert to a string before passing in");
   }
   // Buffer / Uint8Array — policy-driven
   if (Buffer.isBuffer(value))           {
-    if (bufferAs === "reject") {
+    if (bufferAs === "reject" || bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Buffer is not serialisable in this " +
         "context (bufferAs=reject); convert to a string or hex first");
     }
     return value.toString("hex");
   }
   if (value instanceof Uint8Array) {
-    if (bufferAs === "reject") {
+    if (bufferAs === "reject" || bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Uint8Array is not serialisable in " +
         "this context (bufferAs=reject); convert to a string or hex first");
     }
     return Buffer.from(value).toString("hex");
   }
-  if (value instanceof Date) return value.toISOString();
+  if (value instanceof Date) {
+    if (bufferAs === "reject-jcs") {
+      throw new Error("canonical-json: Date is not serialisable under " +
+        "RFC 8785 (JCS); convert to ISO-8601 string before passing in");
+    }
+    return value.toISOString();
+  }
   // After primitives + Date + Buffer + Uint8Array, any remaining "object"
   // must be a plain object or array. Map / Set / RegExp / class instances
   // all reject so the silent-data-loss class is closed.
@@ -93,8 +105,8 @@ function _scrub(value, seen, bufferAs) {
 // policy ("hex" default, "reject" for callers like pagination).
 function stringify(value, opts) {
   var bufferAs = (opts && opts.bufferAs) || "hex";
-  if (bufferAs !== "hex" && bufferAs !== "reject") {
-    throw new Error("canonical-json: bufferAs must be 'hex' or 'reject'; got " +
+  if (bufferAs !== "hex" && bufferAs !== "reject" && bufferAs !== "reject-jcs") {
+    throw new Error("canonical-json: bufferAs must be 'hex' / 'reject' / 'reject-jcs'; got " +
       JSON.stringify(bufferAs));
   }
   return JSON.stringify(_scrub(value, null, bufferAs));
@@ -112,4 +124,20 @@ function sortKeys(obj) {
   return keys;
 }
 
-module.exports = { stringify: stringify, sortKeys: sortKeys };
+// stringifyJcs — RFC 8785 (JSON Canonicalization Scheme) strict mode.
+// Refuses inputs JCS does NOT cover (BigInt, Buffer / Uint8Array, Date,
+// Map, Set, RegExp, Symbol, function); operators carrying those types
+// must convert to JSON-native shapes upfront. Object key ordering and
+// number formatting already match JCS §3.2.2 — V8's
+// `Object.keys(...).sort()` is lexicographic UTF-16 code-unit order
+// (JCS §3.2.3) and `JSON.stringify` formats numbers per
+// ECMA-262 §7.1.12.1 which JCS §3.2.2.3 references.
+function stringifyJcs(value) {
+  return JSON.stringify(_scrub(value, null, "reject-jcs"));
+}
+
+module.exports = {
+  stringify: stringify,
+  stringifyJcs: stringifyJcs,
+  sortKeys: sortKeys,
+};

package/lib/config.js

@@ -33,8 +33,12 @@
  */
 var safeSchema = require("./safe-schema");
 var validateOpts = require("./validate-opts");
+var lazyRequire = require("./lazy-require");
+var safeAsync = require("./safe-async");
 var { defineClass } = require("./framework-error");
 
+var lazyAudit = lazyRequire(function () { return require("./audit"); });
+
 var REDACT_MASK = "[REDACTED]";
 
 var ConfigError = defineClass("ConfigError", { alwaysPermanent: true });
@@ -112,16 +116,123 @@ function create(opts) {
     return out;
   }
 
+  // Hot-reload subscribers — operators wire updateOnReload(newValue)
+  // into module-cached config-derived state so a row update in
+  // _blamejs_config_overrides surfaces without restart.
+  var subscribers = [];
+  function subscribe(fn) {
+    if (typeof fn !== "function") {
+      throw new ConfigError("config/bad-subscriber",
+        "config.subscribe: fn must be a function");
+    }
+    subscribers.push(fn);
+    return function unsubscribe() {
+      var ix = subscribers.indexOf(fn);
+      if (ix !== -1) subscribers.splice(ix, 1);
+    };
+  }
+
+  // Apply a new env-shaped overlay (e.g., from a DB row) on top of
+  // the validated baseline. Refuses on validation failure, falls
+  // back to prior `value`. Notifies subscribers AFTER the swap on
+  // any successful overlay application.
+  function reload(overlay) {
+    if (!overlay || typeof overlay !== "object") {
+      throw new ConfigError("config/bad-overlay",
+        "config.reload(overlay): overlay must be an object");
+    }
+    var merged = Object.assign({}, input, overlay);
+    var result2 = opts.schema.safeParse(merged);
+    if (!result2.ok) {
+      var msg = "config.reload validation failed:\n";
+      for (var ei2 = 0; ei2 < result2.errors.length; ei2++) {
+        var err2 = result2.errors[ei2];
+        msg += "  - " + err2.path.join(".") + ": " + err2.message + "\n";
+      }
+      throw new ConfigError("config/reload-validation-failed", msg);
+    }
+    value = result2.value;
+    for (var si = 0; si < subscribers.length; si++) {
+      try { subscribers[si](value); } catch (_e) { /* operator hook */ }
+    }
+    return value;
+  }
+
   return {
-    value:    value,
-    get:      function (key) { return value[key]; },
-    has:      function (key) { return Object.prototype.hasOwnProperty.call(value, key); },
-    redacted: redactedView,
+    value:     value,
+    get:       function (key) { return value[key]; },
+    has:       function (key) { return Object.prototype.hasOwnProperty.call(value, key); },
+    redacted:  redactedView,
+    subscribe: subscribe,
+    reload:    reload,
   };
 }
 
+// loadDbBacked — composes b.config.create with a periodic DB-row
+// fetch. Operators put canonical config values in
+// `_blamejs_config_overrides(key TEXT PRIMARY KEY, value TEXT)`;
+// this helper polls every `intervalMs`, applies the rows as an
+// overlay via cfg.reload(), and re-validates. Reload failures emit
+// a `config.reload.failed` audit row but do NOT clobber the
+// previous value (the running app stays on the last-good config).
+//
+//   var cfg = await b.config.loadDbBacked({
+//     schema:     mySchema,
+//     fetchRows:  async () => await db.query("SELECT key, value FROM _blamejs_config_overrides"),
+//     intervalMs: C.TIME.minutes(1),
+//   });
+function loadDbBacked(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["schema", "env", "redactKeys", "fetchRows", "intervalMs", "audit"],
+    "config.loadDbBacked");
+  if (typeof opts.fetchRows !== "function") {
+    throw new ConfigError("config/bad-fetch-rows",
+      "loadDbBacked: opts.fetchRows must be a function returning [{key,value}]");
+  }
+  if (typeof opts.intervalMs !== "number" || !isFinite(opts.intervalMs) || opts.intervalMs <= 0) {
+    throw new ConfigError("config/bad-interval",
+      "loadDbBacked: opts.intervalMs must be a positive finite number");
+  }
+  var cfg = create({ schema: opts.schema, env: opts.env, redactKeys: opts.redactKeys });
+  var stopped = false;
+  async function _tick() {
+    if (stopped) return;
+    var rows;
+    try { rows = await opts.fetchRows(); }
+    catch (e) {
+      try {
+        lazyAudit().safeEmit({
+          action: "config.reload.failed", outcome: "failure",
+          metadata: { phase: "fetch", reason: e && e.message },
+        });
+      } catch (_e) { /* audit best-effort */ }
+      return;
+    }
+    if (!Array.isArray(rows)) return;
+    var overlay = {};
+    for (var i = 0; i < rows.length; i++) {
+      if (rows[i] && typeof rows[i].key === "string") {
+        overlay[rows[i].key] = rows[i].value;
+      }
+    }
+    try { cfg.reload(overlay); }
+    catch (e) {
+      try {
+        lazyAudit().safeEmit({
+          action: "config.reload.failed", outcome: "failure",
+          metadata: { phase: "validate", reason: e && e.message },
+        });
+      } catch (_e) { /* audit best-effort */ }
+    }
+  }
+  var handle = safeAsync.repeating(_tick, opts.intervalMs, { name: "config-db-reload" });
+  cfg.stop = function () { stopped = true; if (handle) { handle.stop(); handle = null; } };
+  return cfg;
+}
+
 module.exports = {
-  create:      create,
-  ConfigError: ConfigError,
-  coerce:      coerce,
+  create:        create,
+  loadDbBacked:  loadDbBacked,
+  ConfigError:   ConfigError,
+  coerce:        coerce,
 };

package/lib/constants.js

@@ -70,7 +70,15 @@ var BYTES = Object.freeze({
 // See roadmap "Modernity posture: highest practical bar, forward only"
 // for the algorithm rotation policy.
 
-var ENVELOPE_MAGIC = 0xE1;
+// Envelope wire format. Pre-v1 increment of magic byte to 0xE2 (was
+// 0xE1) signals FixedInfo-bound KDF: SHAKE256 absorbs the suite-id
+// triple (kemId / cipherId / kdfId) plus the literal "blamejs/v1"
+// label alongside the shared secret(s). Per NIST SP 800-56C r2 §4.1
+// OtherInfo + RFC 9180 (HPKE) §5.1 suite-binding requirement. 0xE1
+// envelopes are no longer accepted; framework data sealed pre-bump
+// must be regenerated.
+var ENVELOPE_MAGIC = 0xE2;
+var ENVELOPE_FIXED_INFO_LABEL = "blamejs/v1";
 
 var KEM_IDS = Object.freeze({
   ML_KEM_1024:        0x02,
@@ -184,6 +192,7 @@ module.exports = {
   TIME:                   TIME,
   BYTES:                  BYTES,
   ENVELOPE_MAGIC:         ENVELOPE_MAGIC,
+  ENVELOPE_FIXED_INFO_LABEL: ENVELOPE_FIXED_INFO_LABEL,
   CREDENTIAL_MAGIC:       CREDENTIAL_MAGIC,
   KEM_IDS:                KEM_IDS,
   CIPHER_IDS:             CIPHER_IDS,

package/lib/crypto.js

@@ -91,6 +91,19 @@ function hmacSha3(key, data) { return hmac(key, data, "sha3-512"); }
 // ---- KDF ----
 function kdf(input, outputLength) { return hash(input, "shake256", outputLength); }
 
+// _suiteFixedInfo — NIST SP 800-56C r2 §4.1 OtherInfo / RFC 9180
+// (HPKE) §5.1 suite_id binding. Returns the byte string that the KDF
+// MUST absorb alongside the shared-secret(s) so a key derived under
+// one suite is not silently usable under a different suite. Same
+// label is recovered on decrypt by re-reading the envelope-prefix
+// bytes (kemId / cipherId / kdfId).
+function _suiteFixedInfo(kemId, cipherId, kdfId) {
+  return Buffer.concat([
+    Buffer.from(C.ENVELOPE_FIXED_INFO_LABEL, "utf8"),
+    Buffer.from([0x00, kemId, cipherId, kdfId, 0x00]),
+  ]);
+}
+
 // ---- Random ----
 function generateBytes(byteLength) { return Buffer.from(random(byteLength)); }
 function generateToken(byteLength) { return random(byteLength || 32).toString("hex"); }
@@ -206,28 +219,38 @@ function encrypt(plaintext, publicKeys) {
     privateKey: nodeCrypto.createPrivateKey(ephEc.privateKey),
     publicKey:  nodeCrypto.createPublicKey(ecPubPem),
   });
-  var key = kdf(Buffer.concat([kem.sharedKey, ecSs]), C.BYTES.bytes(32));
+  var key = kdf(Buffer.concat([kem.sharedKey, ecSs,
+    _suiteFixedInfo(C.ACTIVE.KEM, C.ACTIVE.CIPHER, C.ACTIVE.KDF)]),
+    C.BYTES.bytes(32));
   var nonce = generateBytes(C.BYTES.bytes(24));
-  var ct = xchacha20poly1305(key, nonce).encrypt(Buffer.from(plaintext, "utf8"));
+  // Bind the 4-byte envelope header (MAGIC + kemId + cipherId + kdfId)
+  // as AAD so a tampered header (algorithm-substitution attack) fails
+  // the Poly1305 tag.
+  var headerAad = Buffer.from([C.ENVELOPE_MAGIC, C.ACTIVE.KEM, C.ACTIVE.CIPHER, C.ACTIVE.KDF]);
+  var ct = xchacha20poly1305(key, nonce, headerAad).encrypt(Buffer.from(plaintext, "utf8"));
 
   var kemCtLen = Buffer.alloc(2); kemCtLen.writeUInt16BE(kem.ciphertext.length);
   var ecEphDer = ephEc.publicKey;
   var ecEphLen = Buffer.alloc(2); ecEphLen.writeUInt16BE(ecEphDer.length);
 
   return Buffer.concat([
-    Buffer.from([C.ENVELOPE_MAGIC, C.ACTIVE.KEM, C.ACTIVE.CIPHER, C.ACTIVE.KDF]),
+    headerAad,
     kemCtLen, kem.ciphertext, ecEphLen, ecEphDer, nonce, Buffer.from(ct),
   ]).toString("base64");
 }
 
 function encryptMlkemOnly(plaintext, publicKeyPem) {
   var kem = nodeCrypto.encapsulate(nodeCrypto.createPublicKey(publicKeyPem));
-  var key = kdf(kem.sharedKey, C.BYTES.bytes(32));
+  var key = kdf(Buffer.concat([kem.sharedKey,
+    _suiteFixedInfo(C.KEM_IDS.ML_KEM_1024, C.ACTIVE.CIPHER, C.ACTIVE.KDF)]),
+    C.BYTES.bytes(32));
   var nonce = generateBytes(C.BYTES.bytes(24));
-  var ct = xchacha20poly1305(key, nonce).encrypt(Buffer.from(plaintext, "utf8"));
+  var headerAad = Buffer.from([C.ENVELOPE_MAGIC, C.KEM_IDS.ML_KEM_1024,
+    C.ACTIVE.CIPHER, C.ACTIVE.KDF]);
+  var ct = xchacha20poly1305(key, nonce, headerAad).encrypt(Buffer.from(plaintext, "utf8"));
   var kemCtLen = Buffer.alloc(2); kemCtLen.writeUInt16BE(kem.ciphertext.length);
   return Buffer.concat([
-    Buffer.from([C.ENVELOPE_MAGIC, C.KEM_IDS.ML_KEM_1024, C.ACTIVE.CIPHER, C.ACTIVE.KDF]),
+    headerAad,
     kemCtLen, kem.ciphertext, nonce, Buffer.from(ct),
   ]).toString("base64");
 }
@@ -235,6 +258,10 @@ function encryptMlkemOnly(plaintext, publicKeyPem) {
 // ---- Envelope decrypt (dispatches on envelope IDs, supports both KEM IDs) ----
 function decrypt(ciphertext, privateKeys) {
   var packed = Buffer.from(ciphertext, "base64");
+  if (packed[0] === 0xE1) {                                                       // allow:raw-byte-literal — legacy envelope magic
+    throw new Error("Invalid envelope: legacy 0xE1 format predates the FixedInfo " +
+      "KDF binding (NIST SP 800-56C r2 §4.1) — re-seal data under the current envelope");
+  }
   if (packed[0] !== C.ENVELOPE_MAGIC) {
     throw new Error("Invalid envelope: unsupported format");
   }
@@ -269,9 +296,11 @@ function decryptEnvelope(packed, privateKeys) {
       privateKey: nodeCrypto.createPrivateKey(ecPrivPem),
       publicKey:  nodeCrypto.createPublicKey({ key: ecEphDer, type: "spki", format: "der" }),
     });
-    symmetricKey = kdf(Buffer.concat([mlkemSs, ecSs]), C.BYTES.bytes(32));
+    symmetricKey = kdf(Buffer.concat([mlkemSs, ecSs,
+      _suiteFixedInfo(kemId, cipherId, kdfId)]), C.BYTES.bytes(32));
   } else if (kemId === C.KEM_IDS.ML_KEM_1024) {
-    symmetricKey = kdf(mlkemSs, C.BYTES.bytes(32));
+    symmetricKey = kdf(Buffer.concat([mlkemSs,
+      _suiteFixedInfo(kemId, cipherId, kdfId)]), C.BYTES.bytes(32));
   } else if (kemId === C.KEM_IDS.ML_KEM_768_X25519) {
     // ML-KEM-768 + X25519 hybrid envelope. The mlkemPriv must be an
     // ML-KEM-768 key (not 1024); operators are responsible for passing
@@ -286,14 +315,19 @@ function decryptEnvelope(packed, privateKeys) {
       privateKey: nodeCrypto.createPrivateKey(x25519PrivPem),
       publicKey:  nodeCrypto.createPublicKey({ key: x25519EphDer, type: "spki", format: "der" }),
     });
-    symmetricKey = kdf(Buffer.concat([mlkemSs, x25519Ss]), C.BYTES.bytes(32));
+    symmetricKey = kdf(Buffer.concat([mlkemSs, x25519Ss,
+      _suiteFixedInfo(kemId, cipherId, kdfId)]), C.BYTES.bytes(32));
   } else {
     throw new Error("Invalid envelope: unsupported KEM ID " + kemId);
   }
 
   var nonce = packed.subarray(pos, pos + C.BYTES.bytes(24)); pos += C.BYTES.bytes(24);
+  // Re-derive the 4-byte envelope-header AAD from the bytes we just
+  // dispatched on. A tampered header (algorithm-substitution attack)
+  // surfaces here as a Poly1305 tag verification failure.
+  var headerAad = packed.subarray(0, 4);                                          // allow:raw-byte-literal — envelope-header byte slice
   return Buffer.from(
-    xchacha20poly1305(symmetricKey, nonce).decrypt(packed.subarray(pos))
+    xchacha20poly1305(symmetricKey, nonce, headerAad).decrypt(packed.subarray(pos))
   ).toString("utf8");
 }
 
@@ -375,17 +409,20 @@ function encryptMlkem768X25519(plaintext, recipient) {
     privateKey: nodeCrypto.createPrivateKey(ephX25519.privateKey),
     publicKey:  nodeCrypto.createPublicKey(recipient.x25519PublicKey),
   });
-  var key = kdf(Buffer.concat([kem.sharedKey, x25519Ss]), C.BYTES.bytes(32));
+  var key = kdf(Buffer.concat([kem.sharedKey, x25519Ss,
+    _suiteFixedInfo(C.KEM_IDS.ML_KEM_768_X25519, C.ACTIVE.CIPHER, C.ACTIVE.KDF)]),
+    C.BYTES.bytes(32));
   var nonce = generateBytes(C.BYTES.bytes(24));
-  var ct = xchacha20poly1305(key, nonce).encrypt(Buffer.from(plaintext, "utf8"));
+  var headerAad = Buffer.from([C.ENVELOPE_MAGIC, C.KEM_IDS.ML_KEM_768_X25519,
+    C.ACTIVE.CIPHER, C.ACTIVE.KDF]);
+  var ct = xchacha20poly1305(key, nonce, headerAad).encrypt(Buffer.from(plaintext, "utf8"));
 
   var kemCtLen = Buffer.alloc(2); kemCtLen.writeUInt16BE(kem.ciphertext.length);
   var x25519EphDer = ephX25519.publicKey;
   var x25519EphLen = Buffer.alloc(2); x25519EphLen.writeUInt16BE(x25519EphDer.length);
 
   return Buffer.concat([
-    Buffer.from([C.ENVELOPE_MAGIC, C.KEM_IDS.ML_KEM_768_X25519,
-                 C.ACTIVE.CIPHER, C.ACTIVE.KDF]),
+    headerAad,
     kemCtLen, kem.ciphertext, x25519EphLen, x25519EphDer, nonce, Buffer.from(ct),
   ]).toString("base64");
 }

package/lib/mail-auth.js

@@ -565,7 +565,11 @@ async function arcVerify(rfc822, opts) {
     var value = line.slice(colonAt + 1).trim();
     if (name !== "arc-seal" && name !== "arc-message-signature" &&
         name !== "arc-authentication-results") continue;
-    var iMatch = value.match(/(?:^|[;,\s])i=(\d+)/);                             // allow:regex-no-length-cap — header bounded by RFC 5322 998
+    // ARC hop instance per RFC 8617 §4.2.1 — bounded to 3 digits; the
+    // spec doesn't define a hard ceiling but operational use never
+    // exceeds 50 hops, and a 999-hop limit prevents pathological
+    // header values from chewing the verifier.
+    var iMatch = value.match(/(?:^|[;,\s])i=(\d{1,3})\b/);
     var inst = iMatch ? parseInt(iMatch[1], 10) : null;
     if (inst === null || !isFinite(inst) || inst < 1) continue;
     if (inst > maxInstanceSeen) maxInstanceSeen = inst;
@@ -1126,9 +1130,17 @@ function authResultsEmit(opts) {
     var propKeys = Object.keys(props);
     for (var pk = 0; pk < propKeys.length; pk += 1) {
       var k = propKeys[pk];
-      if (typeof r[k] === "string" && r[k].length > 0 && !/[\r\n\0;]/.test(r[k])) {
-        clause += " " + props[k] + "=" + r[k];
-      }
+      var rv = r[k];
+      if (typeof rv !== "string" || rv.length === 0) continue;
+      // pvalue ABNF per RFC 8601 §2.3:
+      //   pvalue = [CFWS] ((value / dot-atom-text) [CFWS]) /
+      //            (local-part "@" domain) [CFWS]
+      // For framework emit we require the printable-ASCII subset of
+      // dot-atom-text + local-part-at-domain shapes; CRLF / NUL /
+      // semicolon / SP / HTAB / quoting metacharacters are refused
+      // (operator-supplied value is structured, not free-form).
+      if (!/^[A-Za-z0-9._@\-:[\]]+$/.test(rv)) continue;                            // allow:regex-no-length-cap — bounded by header line cap
+      clause += " " + props[k] + "=" + rv;
     }
     clauses.push(clause);
   }

package/lib/network-smtp-policy.js

@@ -164,13 +164,20 @@ async function mtaStsFetch(domain, opts) {
   return await _getStsCache().wrap(cacheKey, async function () {
     var url = "https://mta-sts." + lcDomain + "/.well-known/mta-sts.txt";
     safeUrl.parse(url, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS });
+    // RFC 8461 §3.3 — the HTTPS cert MUST validate against
+    // mta-sts.<domain> with the standard public-CA chain. We pass
+    // checkServerIdentity:default + rejectUnauthorized:true (the
+    // framework default) and pin servername to the expected host
+    // so a permissive httpClient default can't be flipped on.
     var res;
     try {
       res = await httpClient().request({
-        method:    "GET",
-        url:       url,
-        maxBytes:  MAX_POLICY_BYTES,
-        timeoutMs: C.TIME.seconds(10),
+        method:             "GET",
+        url:                url,
+        maxBytes:           MAX_POLICY_BYTES,
+        timeoutMs:          C.TIME.seconds(10),
+        servername:         "mta-sts." + lcDomain,
+        rejectUnauthorized: true,
       });
     } catch (_e) {
       return null;

package/lib/network-tls.js

@@ -1650,6 +1650,21 @@ function verifyScts(certDer, opts) {
         error: (e && e.message) || String(e) });
       continue;
     }
+    // RFC 6962 §2.1.4 — log-key SignatureAndHashAlgorithm pair must
+    // match the SCT's signatureAlgorithm. signatureAlgo enum 1=RSA,
+    // 3=ECDSA. Cross-check against the actual log-key type so a
+    // malformed log-keys map can't silently accept SCTs signed
+    // under one algorithm against a key registered under another.
+    var keyType = keyObj.asymmetricKeyType;
+    var sctSigAlgo = sct.signatureAlgo;
+    var algoOk = (sctSigAlgo === 1 && keyType === "rsa") ||                       // allow:raw-byte-literal — TLS 1.2 SignatureAlgorithm rsa
+                 (sctSigAlgo === 3 && (keyType === "ec" || keyType === "ecdsa")); // allow:raw-byte-literal — TLS 1.2 SignatureAlgorithm ecdsa
+    if (!algoOk) {
+      perSctResults.push({ logIdHex: sct.logIdHex, verified: false,
+        reason: "log-key-algo-mismatch",
+        sctSignatureAlgo: sctSigAlgo, logKeyType: keyType });
+      continue;
+    }
     var verified;
     try { verified = nodeCrypto.verify(nodeAlgo, signedEntry, keyObj, sct.signature); }
     catch (e) {

package/lib/pqc-software.js

@@ -57,6 +57,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var bCrypto = require("./crypto");
 var PqcError = defineClass("PqcError", { alwaysPermanent: true });
 
 var _vendoredOnce = null;
@@ -192,4 +193,45 @@ Object.defineProperty(pqc, "DEFAULT_HASH_SIG", {
   get: function () { return _accessor("slh_dsa_shake_256f"); },
 });
 
+// runKnownAnswerTest — round-trip the vendored ML-KEM-1024 against
+// itself with a self-generated keypair. This is NOT the FIPS 203
+// Appendix A KAT vector (those are 800 KB of test data the framework
+// chooses not to vendor); it's a self-consistency check that the
+// vendored bundle's keygen / encapsulate / decapsulate survives a
+// full cycle and produces a 32-byte shared secret. The fallback
+// path becomes load-bearing if Node strips the WebCrypto ML-KEM
+// extension; this gate fails fast at boot rather than mid-request.
+//
+//   var result = b.pqcSoftware.runKnownAnswerTest();
+//   if (!result.ok) throw new Error("PQC KAT failed: " + result.reason);
+function runKnownAnswerTest() {
+  if (!isAvailable()) {
+    return { ok: false, reason: "vendored @noble/post-quantum bundle not loadable" };
+  }
+  try {
+    var kem = _accessor("ml_kem1024");
+    var kp = kem.keygen();
+    var enc = kem.encapsulate(kp.publicKey);
+    var ssAlice = enc.sharedSecret;
+    var ssBob = kem.decapsulate(enc.cipherText, kp.secretKey);
+    if (!ssAlice || !ssBob) {
+      return { ok: false, reason: "keygen/encapsulate/decapsulate returned falsy" };
+    }
+    if (ssAlice.length !== 32 || ssBob.length !== 32) {                            // allow:raw-byte-literal — FIPS 203 §1 K_size = 32 bytes
+      return { ok: false, reason: "shared-secret length mismatch (expected 32 bytes)" };
+    }
+    // Constant-time compare via the framework wrapper. The KAT runs
+    // at boot only, but using the timing-safe path keeps the wider
+    // pattern-detector signal clean.
+    if (!bCrypto.timingSafeEqual(Buffer.from(ssAlice), Buffer.from(ssBob))) {
+      return { ok: false, reason: "shared-secret bytes diverge" };
+    }
+    return { ok: true, sharedSecretLength: ssAlice.length };
+  } catch (e) {
+    return { ok: false, reason: "exception: " + (e && e.message) };
+  }
+}
+
+pqc.runKnownAnswerTest = runKnownAnswerTest;
+
 module.exports = pqc;

package/lib/resource-access-lock.js

@@ -0,0 +1,116 @@
+"use strict";
+/**
+ * b.resourceAccessLock — three-mode access-lock for arbitrary
+ * resources (data exports, scheduled jobs, file paths, queue
+ * partitions). Different from b.auth.accessLock — that one gates
+ * HTTP request flow; this one gates non-HTTP-shaped operator
+ * actions. Both share the open / read-only / locked vocabulary.
+ *
+ *   var exportLock = b.resourceAccessLock.create({
+ *     resource:     "data-export-jobs",
+ *     startMode:    "open",
+ *     audit:        b.audit,
+ *   });
+ *
+ *   if (!exportLock.permits("write")) {
+ *     throw new b.resourceAccessLock.ResourceAccessLockError(
+ *       "resource-access-lock/refused",
+ *       "data export refused: lock mode is " + exportLock.mode());
+ *   }
+ *   await runExportJob();
+ *
+ *   exportLock.set("locked", { actor: "alice", reason: "incident-42 freeze" });
+ *
+ * Mode semantics:
+ *   open       — every action permitted
+ *   read-only  — actions tagged "read" permitted; "write" refused
+ *   locked     — every action refused
+ *
+ * Audit shape:
+ *   resourceaccesslock.mode_changed — {resource, from, to, actor, reason}
+ *   resourceaccesslock.refused      — {resource, action, mode, actor}
+ */
+
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var ResourceAccessLockError = defineClass("ResourceAccessLockError",
+  { alwaysPermanent: true });
+
+var VALID_MODES = Object.freeze({ open: 1, "read-only": 1, locked: 1 });
+var READ_ACTIONS = Object.freeze({ read: 1, list: 1, get: 1, query: 1, "read-only": 1 });
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["resource", "startMode", "audit"], "resourceAccessLock.create");
+  validateOpts.requireNonEmptyString(opts.resource, "resource",
+    ResourceAccessLockError, "resource-access-lock/no-resource");
+  var startMode = opts.startMode || "open";
+  if (!VALID_MODES[startMode]) {
+    throw new ResourceAccessLockError(
+      "resource-access-lock/bad-start-mode",
+      "startMode must be one of: " + Object.keys(VALID_MODES).join(" / "));
+  }
+  var auditOn = opts.audit !== false;
+  var resource = opts.resource;
+  var mode = startMode;
+
+  function _emit(action, outcome, meta) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action: action, outcome: outcome,
+        metadata: Object.assign({ resource: resource }, meta || {}),
+      });
+    } catch (_e) { /* audit best-effort */ }
+  }
+
+  function permits(action) {
+    if (mode === "open") return true;
+    if (mode === "locked") return false;
+    return !!READ_ACTIONS[action];
+  }
+
+  function set(newMode, ctx) {
+    ctx = ctx || {};
+    if (!VALID_MODES[newMode]) {
+      throw new ResourceAccessLockError(
+        "resource-access-lock/bad-mode",
+        "set: mode must be one of: " + Object.keys(VALID_MODES).join(" / "));
+    }
+    var prev = mode;
+    mode = newMode;
+    _emit("resourceaccesslock.mode_changed", "success", {
+      from: prev, to: newMode,
+      actor: ctx.actor || null, reason: ctx.reason || null,
+    });
+  }
+
+  function assertPermits(action, ctx) {
+    if (permits(action)) return;
+    _emit("resourceaccesslock.refused", "failure", {
+      action: action, mode: mode,
+      actor: (ctx && ctx.actor) || null,
+    });
+    throw new ResourceAccessLockError(
+      "resource-access-lock/refused",
+      resource + " refuses '" + action + "': lock mode is '" + mode + "'");
+  }
+
+  return {
+    resource:      resource,
+    mode:          function () { return mode; },
+    set:           set,
+    permits:       permits,
+    assertPermits: assertPermits,
+  };
+}
+
+module.exports = {
+  create:                   create,
+  VALID_MODES:              Object.freeze(Object.keys(VALID_MODES)),
+  ResourceAccessLockError:  ResourceAccessLockError,
+};

package/lib/vault/index.js

@@ -294,10 +294,33 @@ var vaultAad = require("../vault-aad");
 
 var sealPemFileModule = require("./seal-pem-file");
 
+// _zeroizeAndReplace — best-effort secureZero of prior in-memory keys
+// before a swap. V8 strings can't be reliably overwritten (string
+// interning + GC managed), so the pre-swap pass converts each PEM
+// string to a Buffer, secureZeros the Buffer, and rebinds the
+// property to "ZEROED" before the new keys land. The string copy
+// inside V8 may still linger until GC; this just removes the
+// largest-window heap copy (the ones held by `keys`).
+function _zeroizeAndReplace(replacement) {
+  if (!keys) { keys = replacement; return; }
+  Object.keys(keys).forEach(function (k) {
+    var v = keys[k];
+    if (typeof v === "string" && v.length > 0) {
+      try {
+        var buf = Buffer.from(v, "utf8");
+        safeBuffer.secureZero(buf);
+      } catch (_e) { /* best-effort */ }
+      keys[k] = "ZEROED";
+    }
+  });
+  keys = replacement;
+}
+
 module.exports = {
   init:                  init,
   seal:                  seal,
   unseal:                unseal,
+  _zeroizeAndReplace:    _zeroizeAndReplace,
   aad:                   vaultAad,
   getKeysJson:           getKeysJson,
   getCurrentPassphrase:  getCurrentPassphrase,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.40",
+  "version": "0.8.41",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:7c951f5a-156e-49be-91c0-8a5a420faf2c",
+  "serialNumber": "urn:uuid:a6849ba0-e669-440c-8a01-b08d37e28a1e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T16:35:12.500Z",
+    "timestamp": "2026-05-07T17:22:17.744Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.40",
+      "bom-ref": "@blamejs/core@0.8.41",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.40",
+      "version": "0.8.41",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.40",
+      "purl": "pkg:npm/%40blamejs/core@0.8.41",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.40",
+      "ref": "@blamejs/core@0.8.41",
       "dependsOn": []
     }
   ]