npm - @blamejs/core - Versions diffs - 0.8.43 → 0.8.49 - Mend

@blamejs/core 0.8.43 → 0.8.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (222) hide show

package/CHANGELOG.md +92 -0
package/README.md +10 -10
package/index.js +52 -0
package/lib/a2a.js +159 -34
package/lib/acme.js +762 -0
package/lib/ai-pref.js +166 -43
package/lib/api-key.js +108 -47
package/lib/api-snapshot.js +157 -40
package/lib/app-shutdown.js +113 -77
package/lib/archive.js +337 -40
package/lib/arg-parser.js +697 -0
package/lib/asyncapi.js +99 -55
package/lib/atomic-file.js +465 -104
package/lib/audit-chain.js +123 -34
package/lib/audit-daily-review.js +389 -0
package/lib/audit-sign.js +302 -56
package/lib/audit-tools.js +412 -63
package/lib/audit.js +656 -35
package/lib/auth/jwt-external.js +17 -0
package/lib/auth/oauth.js +7 -0
package/lib/auth-bot-challenge.js +505 -0
package/lib/auth-header.js +92 -25
package/lib/backup/bundle.js +26 -0
package/lib/backup/index.js +512 -89
package/lib/backup/manifest.js +168 -7
package/lib/break-glass.js +415 -39
package/lib/budr.js +103 -30
package/lib/bundler.js +86 -66
package/lib/cache.js +192 -72
package/lib/chain-writer.js +65 -40
package/lib/circuit-breaker.js +56 -33
package/lib/cli-helpers.js +106 -75
package/lib/cli.js +6 -30
package/lib/cloud-events.js +99 -32
package/lib/cluster-storage.js +162 -37
package/lib/cluster.js +340 -49
package/lib/codepoint-class.js +66 -0
package/lib/compliance.js +424 -24
package/lib/config-drift.js +111 -46
package/lib/config.js +94 -40
package/lib/consent.js +165 -18
package/lib/constants.js +1 -0
package/lib/content-credentials.js +153 -48
package/lib/cookies.js +154 -62
package/lib/credential-hash.js +133 -61
package/lib/crypto-field.js +702 -18
package/lib/crypto-hpke.js +256 -0
package/lib/crypto.js +744 -22
package/lib/csv.js +178 -35
package/lib/daemon.js +456 -0
package/lib/dark-patterns.js +186 -55
package/lib/db-query.js +79 -2
package/lib/db.js +1431 -60
package/lib/ddl-change-control.js +523 -0
package/lib/deprecate.js +195 -40
package/lib/dev.js +82 -39
package/lib/dora.js +67 -48
package/lib/dr-runbook.js +368 -0
package/lib/dsr.js +142 -11
package/lib/dual-control.js +91 -56
package/lib/events.js +120 -41
package/lib/external-db-migrate.js +192 -2
package/lib/external-db.js +795 -50
package/lib/fapi2.js +122 -1
package/lib/fda-21cfr11.js +395 -0
package/lib/fdx.js +132 -2
package/lib/file-type.js +87 -0
package/lib/file-upload.js +93 -0
package/lib/flag.js +82 -20
package/lib/forms.js +132 -29
package/lib/framework-error.js +169 -0
package/lib/framework-schema.js +163 -35
package/lib/gate-contract.js +849 -175
package/lib/graphql-federation.js +68 -7
package/lib/guard-all.js +172 -55
package/lib/guard-archive.js +286 -124
package/lib/guard-auth.js +194 -21
package/lib/guard-cidr.js +190 -28
package/lib/guard-csv.js +397 -51
package/lib/guard-domain.js +213 -91
package/lib/guard-email.js +236 -29
package/lib/guard-filename.js +307 -75
package/lib/guard-graphql.js +263 -30
package/lib/guard-html.js +310 -116
package/lib/guard-image.js +243 -30
package/lib/guard-json.js +260 -54
package/lib/guard-jsonpath.js +235 -23
package/lib/guard-jwt.js +284 -30
package/lib/guard-markdown.js +204 -22
package/lib/guard-mime.js +190 -26
package/lib/guard-oauth.js +277 -28
package/lib/guard-pdf.js +251 -27
package/lib/guard-regex.js +226 -18
package/lib/guard-shell.js +229 -26
package/lib/guard-svg.js +177 -10
package/lib/guard-template.js +232 -21
package/lib/guard-time.js +195 -29
package/lib/guard-uuid.js +189 -30
package/lib/guard-xml.js +259 -36
package/lib/guard-yaml.js +241 -44
package/lib/honeytoken.js +63 -27
package/lib/html-balance.js +83 -0
package/lib/http-client.js +486 -59
package/lib/http-message-signature.js +582 -0
package/lib/i18n.js +102 -49
package/lib/iab-mspa.js +112 -32
package/lib/iab-tcf.js +107 -2
package/lib/inbox.js +90 -52
package/lib/keychain.js +865 -0
package/lib/legal-hold.js +374 -0
package/lib/local-db-thin.js +320 -0
package/lib/log-stream.js +281 -51
package/lib/log.js +184 -86
package/lib/mail-bounce.js +107 -62
package/lib/mail.js +295 -58
package/lib/mcp.js +108 -27
package/lib/metrics.js +98 -89
package/lib/middleware/age-gate.js +36 -0
package/lib/middleware/ai-act-disclosure.js +37 -0
package/lib/middleware/api-encrypt.js +45 -0
package/lib/middleware/assetlinks.js +40 -0
package/lib/middleware/asyncapi-serve.js +35 -0
package/lib/middleware/attach-user.js +40 -0
package/lib/middleware/bearer-auth.js +40 -0
package/lib/middleware/body-parser.js +230 -0
package/lib/middleware/bot-disclose.js +34 -0
package/lib/middleware/bot-guard.js +39 -0
package/lib/middleware/compression.js +37 -0
package/lib/middleware/cookies.js +32 -0
package/lib/middleware/cors.js +40 -0
package/lib/middleware/csp-nonce.js +40 -0
package/lib/middleware/csp-report.js +34 -0
package/lib/middleware/csrf-protect.js +43 -0
package/lib/middleware/daily-byte-quota.js +53 -85
package/lib/middleware/db-role-for.js +40 -0
package/lib/middleware/dpop.js +40 -0
package/lib/middleware/error-handler.js +37 -14
package/lib/middleware/fetch-metadata.js +39 -0
package/lib/middleware/flag-context.js +34 -0
package/lib/middleware/gpc.js +33 -0
package/lib/middleware/headers.js +35 -0
package/lib/middleware/health.js +46 -0
package/lib/middleware/host-allowlist.js +30 -0
package/lib/middleware/network-allowlist.js +38 -0
package/lib/middleware/openapi-serve.js +34 -0
package/lib/middleware/rate-limit.js +160 -18
package/lib/middleware/request-id.js +36 -18
package/lib/middleware/request-log.js +37 -0
package/lib/middleware/require-aal.js +29 -0
package/lib/middleware/require-auth.js +32 -0
package/lib/middleware/require-bound-key.js +41 -0
package/lib/middleware/require-content-type.js +32 -0
package/lib/middleware/require-methods.js +27 -0
package/lib/middleware/require-mtls.js +33 -0
package/lib/middleware/require-step-up.js +37 -0
package/lib/middleware/security-headers.js +44 -0
package/lib/middleware/security-txt.js +38 -0
package/lib/middleware/span-http-server.js +37 -0
package/lib/middleware/sse.js +36 -0
package/lib/middleware/trace-log-correlation.js +33 -0
package/lib/middleware/trace-propagate.js +32 -0
package/lib/middleware/tus-upload.js +90 -0
package/lib/middleware/web-app-manifest.js +53 -0
package/lib/mtls-ca.js +100 -70
package/lib/network-byte-quota.js +308 -0
package/lib/network-heartbeat.js +135 -0
package/lib/network-tls.js +534 -4
package/lib/network.js +103 -0
package/lib/notify.js +114 -43
package/lib/ntp-check.js +192 -51
package/lib/observability.js +145 -47
package/lib/openapi.js +90 -44
package/lib/outbox.js +99 -1
package/lib/pagination.js +168 -86
package/lib/parsers/index.js +16 -5
package/lib/permissions.js +93 -40
package/lib/pqc-agent.js +84 -8
package/lib/pqc-software.js +94 -60
package/lib/process-spawn.js +95 -21
package/lib/pubsub.js +96 -66
package/lib/queue.js +375 -54
package/lib/redact.js +793 -21
package/lib/render.js +139 -47
package/lib/request-helpers.js +485 -121
package/lib/restore-bundle.js +142 -39
package/lib/restore-rollback.js +136 -45
package/lib/retention.js +178 -50
package/lib/retry.js +116 -33
package/lib/router.js +475 -23
package/lib/safe-async.js +543 -94
package/lib/safe-buffer.js +337 -41
package/lib/safe-json.js +467 -62
package/lib/safe-jsonpath.js +285 -0
package/lib/safe-schema.js +631 -87
package/lib/safe-sql.js +221 -59
package/lib/safe-url.js +278 -46
package/lib/sandbox-worker.js +135 -0
package/lib/sandbox.js +358 -0
package/lib/scheduler.js +135 -70
package/lib/self-update.js +647 -0
package/lib/session-device-binding.js +431 -0
package/lib/session.js +259 -49
package/lib/slug.js +138 -26
package/lib/ssrf-guard.js +316 -56
package/lib/storage.js +433 -70
package/lib/subject.js +405 -23
package/lib/template.js +148 -8
package/lib/tenant-quota.js +545 -0
package/lib/testing.js +440 -53
package/lib/time.js +291 -23
package/lib/tls-exporter.js +239 -0
package/lib/tracing.js +90 -74
package/lib/uuid.js +97 -22
package/lib/vault/index.js +284 -22
package/lib/vault/seal-pem-file.js +66 -0
package/lib/watcher.js +368 -0
package/lib/webhook.js +196 -63
package/lib/websocket.js +393 -68
package/lib/wiki-concepts.js +338 -0
package/lib/worker-pool.js +464 -0
package/package.json +3 -3
package/sbom.cyclonedx.json +7 -7

package/lib/http-message-signature.js ADDED Viewed

@@ -0,0 +1,582 @@
+"use strict";
+/**
+ * b.crypto.httpSig — RFC 9421 HTTP Message Signatures.
+ *
+ * RFC 9421 (April 2024) standardizes message-level integrity for HTTP
+ * requests and responses. Two headers carry the signature:
+ *
+ *   Signature-Input: <label>=("@method" "@target-uri" "content-digest");
+ *                    created=1718000000;keyid="key-1";alg="ed25519"
+ *   Signature:       <label>=:<base64-of-signature>:
+ *
+ * Per RFC 9421 §2.5, the signature base is the canonicalized list of
+ * covered components plus the signature parameters; the signing
+ * algorithm runs over those bytes.
+ *
+ * Derived components implemented here (RFC 9421 §2.2):
+ *   @method, @target-uri, @authority, @scheme, @request-target,
+ *   @path, @query, @query-param
+ *
+ * Signature parameters (RFC 9421 §2.3):
+ *   created, expires, nonce, keyid, alg, tag
+ *
+ * Algorithms (RFC 9421 §3.3 + §A.2 IANA registry):
+ *   "ed25519"      — Edwards-curve digital signature, classical
+ *                    backward-compat default for non-PQC peers
+ *   "ml-dsa-65"    — FIPS 204 lattice signatures, PQC default when
+ *                    both peers PQC-aware
+ *
+ * The framework does NOT expose RSA / ECDSA-P256 / ECDSA-P384 / HMAC
+ * variants from RFC 9421 §3.3 — same crypto-policy stance as the rest
+ * of the framework (no SHA-256-only hashes, no classical-only
+ * primitives where a PQC alternative is shipping).
+ *
+ * Operator API:
+ *
+ *   var sig = b.crypto.httpSig.sign({
+ *     method:  "POST",
+ *     url:     "https://api.example.com/orders",
+ *     headers: { "content-type": "application/json", "host": "api.example.com" },
+ *     body:    bodyBuffer,                 // for content-digest header
+ *   }, {
+ *     keyid:   "service-a-2026-05",
+ *     alg:     "ed25519",                  // or "ml-dsa-65"
+ *     privateKey: privateKeyPem,
+ *     covered: ["@method", "@target-uri", "content-digest"],
+ *     created: Math.floor(Date.now()/1000),
+ *     expires: Math.floor(Date.now()/1000) + 300,
+ *     label:   "sig1",                     // optional — defaults to "sig1"
+ *   });
+ *   // → { headers: { "Signature-Input": "...", "Signature": "...",
+ *                     "Content-Digest": "..." } }
+ *
+ *   var ok = b.crypto.httpSig.verify({
+ *     method, url, headers, body
+ *   }, {
+ *     keyResolver: function (keyid, alg) { return publicKeyPem; },
+ *     toleranceMs: b.constants.TIME.minutes(5),
+ *   });
+ *   // → { valid, label, keyid, alg, covered, reason? }
+ */
+var nodeCrypto = require("crypto");
+var safeUrl = require("./safe-url");
+var safeBuffer = require("./safe-buffer");
+var C = require("./constants");
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var { HttpSigError } = require("./framework-error");
+var _err = HttpSigError.factory;
+var observability = lazyRequire(function () { return require("./observability"); });
+var SUPPORTED_ALGS = Object.freeze(["ed25519", "ml-dsa-65"]);
+// Tolerance defaults — per RFC 9421 §3.2.4 the verifier checks the
+// `expires` parameter when present and the `created` skew otherwise.
+// Match the webhook primitive's defaults (5 minutes tolerance, 1 minute
+// future skew) so an operator wiring both gets one knob shape.
+var DEFAULT_TOLERANCE_MS  = C.TIME.minutes(5);
+var DEFAULT_CLOCK_SKEW_MS = C.TIME.minutes(1);
+// _sfString / _sfList / _sfDict — minimal Structured Fields (RFC 8941)
+// formatters scoped to what RFC 9421 needs. Full RFC 8941 is overkill
+// for the labels + parameters this primitive emits; we compose a
+// quoted-string + parameter list and emit verbatim.
+function _sfQuotedString(s) {
+  // RFC 8941 §3.3.3 — escape DQUOTE and backslash. Invalid bytes (any
+  // byte outside 0x20..0x7E) refuse to encode rather than silently lose
+  // information.
+  for (var i = 0; i < s.length; i++) {
+    var c = s.charCodeAt(i);
+    if (c < 0x20 || c > 0x7E) {                                                  // allow:raw-byte-literal — RFC 8941 §3.3.3 printable-ASCII range
+      throw _err("BAD_PARAM",
+        "httpSig: parameter string contains non-printable byte at offset " + i);
+    }
+  }
+  return "\"" + s.replace(/\\/g, "\\\\").replace(/"/g, "\\\"") + "\"";
+}
+// _serializeCovered — RFC 9421 §2.5 covered-components list.
+//   ("@method" "@target-uri" "x-foo" "@query-param";name="ref")
+// Per RFC 9421 §2.5: parameters that bind to a covered identifier are
+// emitted OUTSIDE the quoted bare name (the quoted string holds only
+// the bare name; parameters follow in structured-fields form).
+function _serializeCovered(covered) {
+  var parts = covered.map(function (c) {
+    var semi = c.indexOf(";");
+    if (semi === -1) return _sfQuotedString(c);
+    var bare = c.slice(0, semi);
+    var paramSuffix = c.slice(semi);
+    return _sfQuotedString(bare) + paramSuffix;
+  });
+  return "(" + parts.join(" ") + ")";
+}
+// _serializeSigParams — RFC 9421 §2.3 signature parameters.
+//   ;created=1718000000;keyid="k-1";alg="ed25519"
+function _serializeSigParams(p) {
+  var out = "";
+  if (typeof p.created === "number") out += ";created=" + p.created;
+  if (typeof p.expires === "number") out += ";expires=" + p.expires;
+  if (typeof p.nonce === "string") out += ";nonce=" + _sfQuotedString(p.nonce);
+  if (typeof p.alg === "string") out += ";alg=" + _sfQuotedString(p.alg);
+  if (typeof p.keyid === "string") out += ";keyid=" + _sfQuotedString(p.keyid);
+  if (typeof p.tag === "string") out += ";tag=" + _sfQuotedString(p.tag);
+  return out;
+}
+// _resolveDerivedComponent — RFC 9421 §2.2 derived components.
+function _resolveDerivedComponent(name, msg) {
+  var parsed = msg._parsedUrl;
+  switch (name) {
+    case "@method":         return msg.method.toUpperCase();
+    case "@target-uri":     return msg.url;
+    case "@authority":      return parsed.host;
+    case "@scheme":         return parsed.protocol.replace(/:$/, "");
+    case "@request-target": return parsed.pathname + (parsed.search || "");
+    case "@path":           return parsed.pathname;
+    case "@query":          return parsed.search || "?";
+    case "@status":
+      if (typeof msg.status !== "number") {
+        throw _err("MISSING_STATUS",
+          "httpSig: @status referenced but message has no numeric status");
+      }
+      return String(msg.status);
+    default:
+      throw _err("UNKNOWN_DERIVED",
+        "httpSig: unknown derived component " + JSON.stringify(name));
+  }
+}
+// _resolveQueryParam — RFC 9421 §2.2.8 — covered identifier of the
+// shape `"@query-param";name="k"` (the name parameter selects which
+// query-string parameter participates in the signature base).
+function _resolveQueryParam(msg, paramName) {
+  var search = (msg._parsedUrl.search || "").replace(/^\?/, "");
+  if (search.length === 0) {
+    throw _err("MISSING_QUERY",
+      "httpSig: @query-param;name=" + JSON.stringify(paramName) + " but URL has no query");
+  }
+  var pairs = search.split("&");
+  // RFC 9421 §2.2.8 — names compare without percent-decoding (server
+  // and signer must agree on the literal bytes). The framework follows
+  // the spec strictly: literal compare on encoded names.
+  var encName = encodeURIComponent(paramName);
+  for (var i = 0; i < pairs.length; i++) {
+    var eq = pairs[i].indexOf("=");
+    var rawName = eq === -1 ? pairs[i] : pairs[i].slice(0, eq);
+    if (rawName === encName || rawName === paramName) {
+      return eq === -1 ? "" : pairs[i].slice(eq + 1);
+    }
+  }
+  throw _err("MISSING_QUERY_PARAM",
+    "httpSig: @query-param;name=" + JSON.stringify(paramName) + " not present in URL");
+}
+// _resolveHeader — case-insensitive header lookup. RFC 9421 §2.1
+// requires obs-fold normalization (concat multi-values with ", ").
+function _resolveHeader(headers, name) {
+  var lower = name.toLowerCase();
+  var keys = Object.keys(headers);
+  for (var i = 0; i < keys.length; i++) {
+    if (keys[i].toLowerCase() === lower) {
+      var v = headers[keys[i]];
+      if (Array.isArray(v)) return v.map(function (s) { return String(s).trim(); }).join(", ");
+      return String(v).trim();
+    }
+  }
+  return null;
+}
+// _buildSignatureBase — RFC 9421 §2.5 signature base construction.
+//
+// One line per covered identifier, each shaped as:
+//   "<bare-identifier>": <component value>
+// terminated by:
+//   "@signature-params": (<covered>...)<params>
+function _buildSignatureBase(coveredList, params, msg) {
+  var lines = [];
+  for (var i = 0; i < coveredList.length; i++) {
+    var raw = coveredList[i];
+    // Covered identifiers may be a bare name (`"content-digest"`) or
+    // a bare name + parameters (`"@query-param";name="q"`). The
+    // canonicalization follows RFC 9421 §2.5 — quote the bare name +
+    // re-emit any parameters verbatim.
+    var semicolon = raw.indexOf(";");
+    var bare = semicolon === -1 ? raw : raw.slice(0, semicolon);
+    var paramSuffix = semicolon === -1 ? "" : raw.slice(semicolon);
+    var value;
+    if (bare === "@query-param") {
+      // Extract name= parameter; RFC 9421 §2.2.8.
+      var nameMatch = paramSuffix.match(/;name="([^"]+)"/);
+      if (!nameMatch) {
+        throw _err("BAD_QUERY_PARAM",
+          "httpSig: @query-param requires ;name=\"...\" parameter");
+      }
+      value = _resolveQueryParam(msg, nameMatch[1]);
+    } else if (bare.charAt(0) === "@") {
+      value = _resolveDerivedComponent(bare, msg);
+    } else {
+      value = _resolveHeader(msg.headers, bare);
+      if (value === null) {
+        throw _err("MISSING_HEADER",
+          "httpSig: covered header " + JSON.stringify(bare) + " not present");
+      }
+    }
+    lines.push(_sfQuotedString(bare) + paramSuffix + ": " + value);
+  }
+  // Terminator line — RFC 9421 §2.5 step 4.
+  lines.push("\"@signature-params\": " + _serializeCovered(coveredList) +
+             _serializeSigParams(params));
+  return Buffer.from(lines.join("\n"), "utf8");
+}
+// _contentDigest — RFC 9530 / RFC 9421 §B.2.5 Content-Digest header.
+// SHA3-512 only (framework's default hash family — matches every
+// other content-integrity primitive). Returns the structured-field
+// form `sha-512=:<base64>:` so operators can drop straight into the
+// Content-Digest header.
+function contentDigest(body) {
+  var buf;
+  if (Buffer.isBuffer(body)) buf = body;
+  else if (typeof body === "string") buf = Buffer.from(body, "utf8");
+  else throw _err("BAD_BODY",
+    "httpSig.contentDigest: body must be a string or Buffer");
+  // RFC 9530 lists "sha-512" (SHA-512, FIPS 180-4) — we use SHA3-512
+  // which has the same output length and is the framework's hash
+  // policy. Operators interoperating with peers expecting SHA-512
+  // pass `algorithm: "sha-512"`.
+  var h = nodeCrypto.createHash("sha3-512").update(buf).digest("base64");
+  return "sha3-512=:" + h + ":";
+}
+function _parseUrl(url) {
+  var parsed = safeUrl.parse(url, {
+    allowedProtocols: safeUrl.ALLOW_HTTP_TLS,
+    errorClass:       HttpSigError,
+  });
+  return {
+    protocol: parsed.protocol,
+    host:     parsed.host,
+    pathname: parsed.pathname || "/",
+    search:   parsed.search || "",
+  };
+}
+function _normalizeMessage(msg) {
+  validateOpts.requireObject(msg, "httpSig: message", HttpSigError);
+  validateOpts.requireNonEmptyString(msg.method,
+    "httpSig: message.method", HttpSigError, "BAD_OPT");
+  validateOpts.requireNonEmptyString(msg.url,
+    "httpSig: message.url", HttpSigError, "BAD_OPT");
+  if (!msg.headers || typeof msg.headers !== "object") {
+    throw _err("BAD_OPT", "httpSig: message.headers required");
+  }
+  return {
+    method:  msg.method,
+    url:     msg.url,
+    headers: msg.headers,
+    body:    msg.body,
+    status:  msg.status,
+    _parsedUrl: _parseUrl(msg.url),
+  };
+}
+// sign — RFC 9421 §3.1 signing flow.
+function sign(msg, opts) {
+  var m = _normalizeMessage(msg);
+  validateOpts.requireObject(opts, "httpSig.sign", HttpSigError);
+  validateOpts.requireNonEmptyString(opts.keyid,
+    "httpSig.sign: keyid", HttpSigError, "BAD_OPT");
+  if (typeof opts.alg !== "string" || SUPPORTED_ALGS.indexOf(opts.alg) === -1) {
+    throw _err("BAD_OPT",
+      "httpSig.sign: alg must be one of " + SUPPORTED_ALGS.join(", ") +
+      " (got " + JSON.stringify(opts.alg) + ")");
+  }
+  validateOpts.requireNonEmptyString(opts.privateKey,
+    "httpSig.sign: privateKey (PEM)", HttpSigError, "BAD_OPT");
+  if (!Array.isArray(opts.covered) || opts.covered.length === 0) {
+    throw _err("BAD_OPT", "httpSig.sign: covered must be a non-empty array");
+  }
+  var label = typeof opts.label === "string" && opts.label.length > 0
+    ? opts.label : "sig1";
+  var nowSec = Math.floor((opts.now ? opts.now() : Date.now()) / C.TIME.seconds(1));
+  var params = {
+    created: typeof opts.created === "number" ? opts.created : nowSec,
+    expires: typeof opts.expires === "number" ? opts.expires : undefined,
+    nonce:   typeof opts.nonce === "string" ? opts.nonce : undefined,
+    alg:     opts.alg,
+    keyid:   opts.keyid,
+    tag:     typeof opts.tag === "string" ? opts.tag : undefined,
+  };
+  var emittedHeaders = {};
+  // Auto-emit Content-Digest when "content-digest" is covered + the
+  // header isn't already supplied. Operators wanting to use the
+  // RFC 9530 "sha-512" identifier (SHA-512 instead of SHA3-512) supply
+  // the header themselves; the framework emits SHA3-512.
+  var coveredLower = opts.covered.map(function (c) { return c.split(";")[0].toLowerCase(); });
+  if (coveredLower.indexOf("content-digest") !== -1 &&
+      _resolveHeader(m.headers, "content-digest") === null) {
+    if (m.body == null) {
+      throw _err("BAD_OPT",
+        "httpSig.sign: covered includes content-digest but message.body is missing");
+    }
+    var digest = contentDigest(m.body);
+    emittedHeaders["Content-Digest"] = digest;
+    m.headers = Object.assign({}, m.headers, { "content-digest": digest });
+  }
+  var base = _buildSignatureBase(opts.covered, params, m);
+  var sig;
+  try {
+    sig = nodeCrypto.sign(null, base, opts.privateKey);
+  } catch (e) {
+    throw _err("SIGN_FAILED", "httpSig.sign: " + e.message);
+  }
+  var sigB64 = sig.toString("base64");
+  emittedHeaders["Signature-Input"] = label + "=" + _serializeCovered(opts.covered) +
+                                      _serializeSigParams(params);
+  emittedHeaders["Signature"] = label + "=:" + sigB64 + ":";
+  try { observability().safeEvent("httpSig.sign", 1, { outcome: "success", alg: opts.alg }); }
+  catch (_e) { /* drop-silent */ }
+  return {
+    headers:    emittedHeaders,
+    label:      label,
+    signature:  sigB64,
+    base:       base,
+  };
+}
+// _parseSignatureInput — minimal RFC 8941 dictionary parser scoped to
+// what RFC 9421 emits. A full RFC 8941 parser is overkill here.
+function _parseSignatureInput(headerValue) {
+  // <label>=("@a" "@b");created=...;keyid="...";alg="..."
+  // We split by "=" once on the label, then by ";" for parameters.
+  var eq = headerValue.indexOf("=");
+  if (eq === -1) {
+    throw _err("BAD_HEADER", "httpSig: Signature-Input: missing '=' separator");
+  }
+  var label = headerValue.slice(0, eq).trim();
+  var rest = headerValue.slice(eq + 1).trim();
+  if (rest.charAt(0) !== "(") {
+    throw _err("BAD_HEADER",
+      "httpSig: Signature-Input: covered list must start with '('");
+  }
+  var closeIdx = rest.indexOf(")");
+  if (closeIdx === -1) {
+    throw _err("BAD_HEADER",
+      "httpSig: Signature-Input: covered list missing ')'");
+  }
+  var coveredRaw = rest.slice(1, closeIdx).trim();
+  var paramsRaw = rest.slice(closeIdx + 1);
+  var covered = [];
+  // Hand-roll the parse — covered tokens are quoted bare names with
+  // optional structured-field parameters trailing each closing quote
+  // (e.g. `"@query-param";name="ref"`). Whitespace separates tokens.
+  // A regex that handles every nesting case isn't worth the
+  // ambiguity; the linear walk below is precise.
+  var i2 = 0;
+  while (i2 < coveredRaw.length) {
+    while (i2 < coveredRaw.length && /\s/.test(coveredRaw.charAt(i2))) i2++;
+    if (i2 >= coveredRaw.length) break;
+    if (coveredRaw.charAt(i2) !== "\"") {
+      // Tolerate bare unquoted tokens for forward-compat with peers.
+      var endTok = i2;
+      while (endTok < coveredRaw.length && !/[\s]/.test(coveredRaw.charAt(endTok))) endTok++;
+      covered.push(coveredRaw.slice(i2, endTok));
+      i2 = endTok;
+      continue;
+    }
+    // Quoted bare name. Find the matching closing quote, accounting
+    // for backslash-escapes per RFC 8941.
+    var qStart = i2 + 1;
+    var qEnd = qStart;
+    while (qEnd < coveredRaw.length && coveredRaw.charAt(qEnd) !== "\"") {
+      if (coveredRaw.charAt(qEnd) === "\\" && qEnd + 1 < coveredRaw.length) qEnd += 2;
+      else qEnd++;
+    }
+    if (qEnd >= coveredRaw.length) {
+      throw _err("BAD_HEADER",
+        "httpSig: Signature-Input: unterminated quoted token");
+    }
+    var bareName = coveredRaw.slice(qStart, qEnd).replace(/\\\\/g, "\\").replace(/\\"/g, "\"");
+    i2 = qEnd + 1;
+    // Optional ;param=value;param=... suffix immediately following.
+    var suffixStart = i2;
+    while (i2 < coveredRaw.length && /[^\s]/.test(coveredRaw.charAt(i2))) i2++;
+    var suffix = coveredRaw.slice(suffixStart, i2);
+    covered.push(bareName + suffix);
+  }
+  var params = {};
+  if (paramsRaw.length > 0) {
+    var paramParts = paramsRaw.split(";");
+    for (var j = 0; j < paramParts.length; j++) {
+      var part = paramParts[j].trim();
+      if (part.length === 0) continue;
+      var pEq = part.indexOf("=");
+      if (pEq === -1) continue;
+      var k = part.slice(0, pEq).trim();
+      var vv = part.slice(pEq + 1).trim();
+      if (vv.charAt(0) === "\"" && vv.charAt(vv.length - 1) === "\"") {
+        params[k] = vv.slice(1, -1);
+      } else {
+        var num = Number(vv);
+        params[k] = isFinite(num) ? num : vv;
+      }
+    }
+  }
+  return { label: label, covered: covered, params: params };
+}
+function _parseSignature(headerValue, label) {
+  // <label>=:<base64>:
+  var prefix = label + "=:";
+  if (headerValue.indexOf(prefix) !== 0) {
+    // Multiple signature labels can appear; comma-separated. Find the
+    // matching label.
+    var parts = headerValue.split(",");
+    for (var i = 0; i < parts.length; i++) {
+      var p = parts[i].trim();
+      if (p.indexOf(prefix) === 0) {
+        return p.slice(prefix.length).replace(/:$/, "");
+      }
+    }
+    throw _err("BAD_HEADER",
+      "httpSig: Signature header has no entry for label " + JSON.stringify(label));
+  }
+  return headerValue.slice(prefix.length).replace(/:$/, "");
+}
+// verify — RFC 9421 §3.2 verification flow.
+function verify(msg, opts) {
+  var m = _normalizeMessage(msg);
+  opts = opts || {};
+  if (typeof opts.keyResolver !== "function") {
+    throw _err("BAD_OPT",
+      "httpSig.verify: keyResolver(keyid, alg) → publicKeyPem required");
+  }
+  var toleranceMs = typeof opts.toleranceMs === "number" ? opts.toleranceMs : DEFAULT_TOLERANCE_MS;
+  var clockSkewMs = typeof opts.clockSkewMs === "number" ? opts.clockSkewMs : DEFAULT_CLOCK_SKEW_MS;
+  var nowMs = opts.now ? opts.now() : Date.now();
+  var sigInput = _resolveHeader(m.headers, "signature-input");
+  var sig = _resolveHeader(m.headers, "signature");
+  if (!sigInput) {
+    return { valid: false, reason: "missing-signature-input" };
+  }
+  if (!sig) {
+    return { valid: false, reason: "missing-signature" };
+  }
+  var parsedInput;
+  try { parsedInput = _parseSignatureInput(sigInput); }
+  catch (e) { return { valid: false, reason: "bad-signature-input", error: e.message }; }
+  var p = parsedInput.params;
+  if (typeof p.alg !== "string" || SUPPORTED_ALGS.indexOf(p.alg) === -1) {
+    return { valid: false, reason: "unsupported-alg", alg: p.alg };
+  }
+  if (typeof p.keyid !== "string" || p.keyid.length === 0) {
+    return { valid: false, reason: "missing-keyid" };
+  }
+  if (typeof p.created === "number") {
+    var ageMs = nowMs - p.created * C.TIME.seconds(1);
+    if (ageMs > toleranceMs) {
+      return { valid: false, reason: "expired", ageMs: ageMs };
+    }
+    if (-ageMs > clockSkewMs) {
+      return { valid: false, reason: "future", skewMs: -ageMs };
+    }
+  }
+  if (typeof p.expires === "number" && nowMs > p.expires * C.TIME.seconds(1)) {
+    return { valid: false, reason: "expires-passed" };
+  }
+  var publicKeyPem;
+  try { publicKeyPem = opts.keyResolver(p.keyid, p.alg); }
+  catch (e) { return { valid: false, reason: "key-resolver-threw", error: e.message }; }
+  if (typeof publicKeyPem !== "string" || publicKeyPem.length === 0) {
+    return { valid: false, reason: "unknown-keyid", keyid: p.keyid };
+  }
+  // If content-digest is covered, recompute and compare. RFC 9421 §B.2.5
+  // mandates that verifiers re-run the digest over the body — a stale
+  // header from a proxy would otherwise verify trivially.
+  var coveredLower = parsedInput.covered.map(function (c) { return c.split(";")[0].toLowerCase(); });
+  if (coveredLower.indexOf("content-digest") !== -1) {
+    if (m.body == null) {
+      return { valid: false, reason: "content-digest-no-body" };
+    }
+    var presented = _resolveHeader(m.headers, "content-digest");
+    if (!presented) {
+      return { valid: false, reason: "content-digest-header-missing" };
+    }
+    var actual = contentDigest(m.body);
+    // RFC 9530 allows multiple algorithms in one header (sha-512=...,
+    // sha-256=...). For SHA3-512 specifically — exact substring match
+    // against the presented header. For peer-supplied SHA-512 / SHA-256
+    // identifiers the operator is responsible for re-validating; this
+    // primitive only auto-checks SHA3-512.
+    if (presented.indexOf(actual.replace(/^sha3-512=/, "sha3-512=")) === -1) {
+      return { valid: false, reason: "content-digest-mismatch" };
+    }
+  }
+  var sigB64;
+  try { sigB64 = _parseSignature(sig, parsedInput.label); }
+  catch (e) { return { valid: false, reason: "bad-signature-header", error: e.message }; }
+  if (!safeBuffer.BASE64URL_RE && typeof sigB64 !== "string") {                  // allow:raw-byte-literal — defensive base64 shape check
+    return { valid: false, reason: "bad-signature-encoding" };
+  }
+  var sigBuf;
+  try { sigBuf = Buffer.from(sigB64, "base64"); }
+  catch (_e) { return { valid: false, reason: "bad-signature-encoding" }; }
+  var paramsForBase = {
+    created: p.created,
+    expires: p.expires,
+    nonce:   p.nonce,
+    alg:     p.alg,
+    keyid:   p.keyid,
+    tag:     p.tag,
+  };
+  var base;
+  try { base = _buildSignatureBase(parsedInput.covered, paramsForBase, m); }
+  catch (e) { return { valid: false, reason: "build-base-failed", error: e.message }; }
+  var ok;
+  try { ok = nodeCrypto.verify(null, base, publicKeyPem, sigBuf); }
+  catch (e) { return { valid: false, reason: "verify-threw", error: e.message }; }
+  try { observability().safeEvent("httpSig.verify", 1, { outcome: ok ? "success" : "failure", alg: p.alg }); }
+  catch (_e) { /* drop-silent */ }
+  if (!ok) {
+    return { valid: false, reason: "bad-signature", keyid: p.keyid, alg: p.alg };
+  }
+  return {
+    valid:   true,
+    label:   parsedInput.label,
+    keyid:   p.keyid,
+    alg:     p.alg,
+    covered: parsedInput.covered,
+    created: p.created,
+    expires: p.expires,
+    nonce:   p.nonce,
+  };
+}
+module.exports = {
+  sign:           sign,
+  verify:         verify,
+  contentDigest:  contentDigest,
+  SUPPORTED_ALGS: SUPPORTED_ALGS,
+  HttpSigError:   HttpSigError,
+};