@blamejs/core 0.8.68 → 0.8.71

package/lib/compliance.js

@@ -84,6 +84,7 @@ var KNOWN_POSTURES = Object.freeze([
   "uk-gdpr",     // UK General Data Protection Regulation (added 2026)
   // ---- Sectoral expansions (added 2026 — v0.8.24) ----
   "fapi-2.0",        // Financial-grade API 2.0 Final (composes PAR + DPoP + OAuth 2.1 + mTLS)
+  "fapi-2.0-message-signing", // FAPI 2.0 Message Signing profile — adds JARM mandate + signed-request-object enforcement
   "cfpb-1033",       // CFPB §1033 / FDX consumer-financial-data sharing (deadline past for $250B+ banks 2026-04-01)
   "iab-tcf-v2.3",    // IAB Transparency & Consent Framework v2.3 with disclosedVendors (deadline past 2026-02-28)
   "iab-mspa",        // IAB Multi-State Privacy Agreement / Global Privacy Platform universal opt-out
@@ -104,6 +105,11 @@ var KNOWN_POSTURES = Object.freeze([
   "bsi-c5",          // Germany BSI C5
   "ens-es",          // Spain Esquema Nacional de Seguridad
   "uk-g-cloud",      // UK G-Cloud
+  // ---- v0.8.70 expansion — 2026 effective deadlines ----
+  "modpa",           // Maryland Online Data Privacy Act (effective 2026-10-01) — strict data-min
+  "nydfs-500",       // NYDFS 23 NYCRR 500 Amendment 2 — financial cybersecurity (multi-factor + asset inventory + governance)
+  "hipaa-2026",      // HHS HIPAA Security Rule 2026-Q4 final — extends hipaa with mandatory MFA + asset inventory + 72h restoration testing
+  "quebec-25",       // Quebec Law 25 final phase (effective 2026-09-22) — DPIA + automated-decision opt-out
 ]);
 
 var STATE = { posture: null, setAt: null };
@@ -457,6 +463,36 @@ var REGIME_MAP = Object.freeze({
     jurisdiction: "UK",
     domain:     "privacy",
   },
+  "fapi-2.0-message-signing": {
+    name:        "FAPI 2.0 Message Signing Profile",
+    citation:    "OpenID Foundation FAPI 2.0 Message Signing — Final",
+    jurisdiction: "INTL",
+    domain:      "financial",
+  },
+  "modpa": {
+    name:        "Maryland Online Data Privacy Act",
+    citation:    "Md. Code Ann., Com. Law §§14-4601 et seq. (effective 2026-10-01)",
+    jurisdiction: "US-MD",
+    domain:      "privacy",
+  },
+  "nydfs-500": {
+    name:        "NYDFS 23 NYCRR 500 Amendment 2",
+    citation:    "23 NYCRR Part 500 (Second Amendment, effective 2024-11-01 with rolling phase-in)",
+    jurisdiction: "US-NY",
+    domain:      "financial",
+  },
+  "hipaa-2026": {
+    name:        "HIPAA Security Rule (2026 Final)",
+    citation:    "45 CFR Parts 160, 162, 164 — HHS Final Rule (effective 2026-Q4)",
+    jurisdiction: "US",
+    domain:      "health",
+  },
+  "quebec-25": {
+    name:        "Loi 25 (Quebec — final phase)",
+    citation:    "An Act to modernize legislative provisions as regards the protection of personal information (Final phase 2026-09-22)",
+    jurisdiction: "CA-QC",
+    domain:      "privacy",
+  },
 });
 
 /**
@@ -564,6 +600,46 @@ var POSTURE_DEFAULTS = Object.freeze({
     tlsMinVersion:            "TLSv1.3",
     requireVacuumAfterErase:  true,
   }),
+  // v0.8.70 — 2026 effective deadlines
+  "modpa": Object.freeze({
+    // Maryland Online Data Privacy Act (effective 2026-10-01) —
+    // unique among US state privacy laws for its strict data-
+    // minimization standard ("reasonably necessary"). The cascade
+    // floors mirror GDPR-tier audit + at-rest encryption.
+    backupEncryptionRequired: true,
+    auditChainSignedRequired: true,
+    tlsMinVersion:            "TLSv1.3",
+    requireVacuumAfterErase:  true,
+  }),
+  "nydfs-500": Object.freeze({
+    // NYDFS 23 NYCRR 500 Amendment 2 — financial cyber. Adds
+    // mandatory MFA, annual penetration test, asset inventory,
+    // governance reporting. Floor: encrypted backups + signed
+    // audit chain (already true), TLS 1.3 minimum.
+    backupEncryptionRequired: true,
+    auditChainSignedRequired: true,
+    tlsMinVersion:            "TLSv1.3",
+    requireVacuumAfterErase:  true,
+  }),
+  "hipaa-2026": Object.freeze({
+    // HHS HIPAA Security Rule final 2026-Q4 — extends hipaa with
+    // mandatory MFA, asset inventory, 72h restoration testing,
+    // expanded encryption-at-rest scope.
+    backupEncryptionRequired: true,
+    auditChainSignedRequired: true,
+    tlsMinVersion:            "TLSv1.3",
+    requireVacuumAfterErase:  true,
+  }),
+  "quebec-25": Object.freeze({
+    // Quebec Law 25 final phase (effective 2026-09-22) — DPIA
+    // mandatory for high-risk processing + automated-decision
+    // explanation right. Cascade floor: encrypted backups + signed
+    // audit chain.
+    backupEncryptionRequired: true,
+    auditChainSignedRequired: true,
+    tlsMinVersion:            "TLSv1.3",
+    requireVacuumAfterErase:  true,
+  }),
 });
 
 /**

package/lib/data-act.js

@@ -0,0 +1,328 @@
+"use strict";
+/**
+ * @module     b.dataAct
+ * @nav        Compliance
+ * @title      EU Data Act
+ * @order      550
+ * @card       EU Data Act (Regulation 2023/2854) — connected-product
+ *             data-sharing primitive. Implements the operator-facing
+ *             surface for Articles 4 / 5 / 6 / 28 / 32: user-
+ *             accessible data, third-party sharing, anti-lock-in
+ *             switching support, and gatekeeper-platform refusal.
+ *
+ * @intro
+ *   The EU Data Act came into force 2024-01-11 and applies from
+ *   2025-09-12 (general applicability) with cloud-switching support
+ *   obligations from 2025-09-12 + freely-switchable data-portability
+ *   from 2027-01-12. Operators of "connected products" (IoT,
+ *   industrial sensors, smart-home devices) and "related services"
+ *   (apps that depend on those products) MUST:
+ *
+ *     - Art 4 §1 — let the user access "readily available product
+ *       data" generated by their use of the connected product.
+ *       `b.dataAct.userAccessible(productId, userId)` returns the
+ *       operator-supplied data slice.
+ *     - Art 5 §1 — share that data with a third-party data
+ *       recipient on the user's request, "without undue delay,
+ *       free of charge to the user, of the same quality as is
+ *       available to the data holder."
+ *     - Art 6 §2(c) — the third-party data recipient MUST NOT
+ *       re-share the data without a fresh user authorization
+ *       (sub-licensing prohibited by default).
+ *     - Art 28 — switching support: source-cloud operators
+ *       provide retrieval of a customer's exportable data + clear
+ *       maximum notice period (≤30 days for non-personal data).
+ *     - Art 32 §1 — gatekeeper platforms (designated under DMA)
+ *       MUST NOT receive Art 5 shares.
+ *
+ *   This primitive provides the operator-facing surface; the
+ *   actual product-data shape is operator-defined (the framework
+ *   refuses to assume a schema for IoT telemetry). Audit emissions
+ *   under the `dataact` namespace track every share / refusal /
+ *   switch-event for the regulator-facing record.
+ *
+ *   Surface:
+ *
+ *     b.dataAct.declareProduct({ productId, dataHolder, ... })
+ *     b.dataAct.recordUserAccess({ productId, userId, dataSlice, ... })
+ *     b.dataAct.shareWithThirdParty({ productId, userId, recipient, scope })
+ *     b.dataAct.refuseGatekeeper({ recipient })
+ *     b.dataAct.recordSwitchRequest({ customerId, targetProvider, dataSlices })
+ *
+ *   The framework does NOT host the connected-product data itself;
+ *   operators wire `b.objectStore` or their own storage. b.dataAct
+ *   is the audit + refusal surface, not the data layer.
+ */
+
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var DataActError = defineClass("DataActError", { alwaysPermanent: true });
+
+var audit = lazyRequire(function () { return require("./audit"); });
+var observability = lazyRequire(function () { return require("./observability"); });
+var emit = validateOpts.makeNamespacedEmitters("dataact",
+  { audit: audit, observability: observability });
+
+// Module-level registry — operators declare products at boot via
+// b.dataAct.declareProduct; subsequent calls cross-check the
+// registration so a typo or a non-Data-Act-scope call surfaces
+// loudly instead of silently emitting audit rows for a phantom
+// product.
+var _products = Object.create(null);
+
+// Designated gatekeepers under the EU Digital Markets Act (DMA)
+// per Commission Implementing Decision 2023-09-06 + 2024 expansions.
+// Art 32 §1 of the Data Act prohibits Art 5 third-party shares to
+// these recipients regardless of user request — operators with a
+// legitimate gatekeeper-side flow opt out per-call (audited
+// reason).
+var DESIGNATED_GATEKEEPERS = Object.freeze([
+  "alphabet", "google",
+  "amazon",
+  "apple",
+  "meta", "facebook",
+  "microsoft",
+  "bytedance", "tiktok",
+  "booking",
+]);
+
+/**
+ * @primitive b.dataAct.declareProduct
+ * @signature b.dataAct.declareProduct(opts)
+ * @since     0.8.70
+ *
+ * Register a connected product / related service in the framework's
+ * Data-Act audit registry. Operators call once at boot per product;
+ * subsequent recordUserAccess / shareWithThirdParty / etc. cross-
+ * check the productId against this registry.
+ *
+ * @opts
+ *   {
+ *     productId:    string,             // operator-stable id
+ *     dataHolder:   string,             // legal entity controlling the data
+ *     productKind?: "connected-product" | "related-service",
+ *     dataScope?:   string,             // free-form description of in-scope data
+ *   }
+ *
+ * @example
+ *   b.dataAct.declareProduct({
+ *     productId:   "thermostat-v3",
+ *     dataHolder:  "Acme Thermal GmbH",
+ *     productKind: "connected-product",
+ *     dataScope:   "temperature-readings, schedule, energy-use",
+ *   });
+ */
+function declareProduct(opts) {
+  validateOpts.requireObject(opts, "dataAct.declareProduct", DataActError, "dataact/bad-opts");
+  validateOpts.requireNonEmptyString(opts.productId, "productId", DataActError, "dataact/no-product-id");
+  validateOpts.requireNonEmptyString(opts.dataHolder, "dataHolder", DataActError, "dataact/no-data-holder");
+  var kind = opts.productKind || "connected-product";
+  if (kind !== "connected-product" && kind !== "related-service") {
+    throw new DataActError("dataact/bad-kind",
+      "declareProduct: productKind must be 'connected-product' or 'related-service'");
+  }
+  _products[opts.productId] = {
+    productId:    opts.productId,
+    dataHolder:   opts.dataHolder,
+    productKind:  kind,
+    dataScope:    opts.dataScope || null,
+    declaredAt:   Date.now(),
+  };
+  emit.audit("product_declared", "success", {
+    productId:    opts.productId,
+    dataHolder:   opts.dataHolder,
+    productKind:  kind,
+  });
+}
+
+function _requireProduct(productId, fnName) {
+  if (typeof productId !== "string" || productId.length === 0) {
+    throw new DataActError("dataact/no-product-id",
+      fnName + ": productId required");
+  }
+  if (!_products[productId]) {
+    throw new DataActError("dataact/unknown-product",
+      fnName + ": productId '" + productId + "' not declared via b.dataAct.declareProduct");
+  }
+  return _products[productId];
+}
+
+/**
+ * @primitive b.dataAct.recordUserAccess
+ * @signature b.dataAct.recordUserAccess(opts)
+ * @since     0.8.70
+ *
+ * Audit emission for an Art 4 §1 user-access event. The operator
+ * delivers the actual data slice through their own data path
+ * (`b.objectStore`, REST API, etc.); this primitive records the
+ * regulator-facing audit row.
+ *
+ * @opts
+ *   {
+ *     productId:  string,
+ *     userId:     string,             // pseudonymous OK; sealed via b.cryptoField
+ *     dataSlice?: string,             // op-defined slice identifier
+ *     bytes?:     number,             // size of the served slice
+ *   }
+ *
+ * @example
+ *   b.dataAct.recordUserAccess({
+ *     productId: "thermo-v3",
+ *     userId:    "user-1",
+ *     dataSlice: "temperature-readings",
+ *   });
+ */
+function recordUserAccess(opts) {
+  validateOpts.requireObject(opts, "dataAct.recordUserAccess", DataActError, "dataact/bad-opts");
+  _requireProduct(opts.productId, "recordUserAccess");
+  validateOpts.requireNonEmptyString(opts.userId, "userId", DataActError, "dataact/no-user-id");
+  emit.audit("user_access", "success", {
+    productId: opts.productId,
+    userId:    opts.userId,
+    dataSlice: opts.dataSlice || null,
+    bytes:     typeof opts.bytes === "number" ? opts.bytes : null,
+    article:   "art-4-1",
+  });
+  emit.metric("user-access-recorded");
+}
+
+/**
+ * @primitive b.dataAct.shareWithThirdParty
+ * @signature b.dataAct.shareWithThirdParty(opts)
+ * @since     0.8.70
+ *
+ * Art 5 §1 third-party share. Refuses gatekeepers per Art 32 §1
+ * unless `acceptGatekeeper: { reason }` is passed (audited).
+ * Operators MUST verify the user's authorization separately —
+ * the framework records the share but doesn't drive consent
+ * itself (`b.consent` is the right primitive for that).
+ *
+ * @opts
+ *   {
+ *     productId:      string,
+ *     userId:         string,
+ *     recipient:      string,         // recipient legal entity
+ *     scope:          string,         // free-form data scope description
+ *     acceptGatekeeper?: { reason: string },
+ *   }
+ *
+ * @example
+ *   b.dataAct.shareWithThirdParty({
+ *     productId: "thermo-v3", userId: "user-1",
+ *     recipient: "Beta Repair Co", scope: "temperature-readings",
+ *   });
+ */
+function shareWithThirdParty(opts) {
+  validateOpts.requireObject(opts, "dataAct.shareWithThirdParty", DataActError, "dataact/bad-opts");
+  _requireProduct(opts.productId, "shareWithThirdParty");
+  validateOpts.requireNonEmptyString(opts.userId, "userId", DataActError, "dataact/no-user-id");
+  validateOpts.requireNonEmptyString(opts.recipient, "recipient", DataActError, "dataact/no-recipient");
+  validateOpts.requireNonEmptyString(opts.scope, "scope", DataActError, "dataact/no-scope");
+
+  var recipientLower = opts.recipient.toLowerCase();
+  var isGatekeeper = DESIGNATED_GATEKEEPERS.some(function (g) {
+    return recipientLower === g || recipientLower.indexOf(g + ".") !== -1;
+  });
+  if (isGatekeeper) {
+    if (!opts.acceptGatekeeper || typeof opts.acceptGatekeeper !== "object" ||
+        typeof opts.acceptGatekeeper.reason !== "string" ||
+        opts.acceptGatekeeper.reason.length === 0) {
+      emit.audit("share_refused", "failure", {
+        productId:  opts.productId,
+        userId:     opts.userId,
+        recipient:  opts.recipient,
+        reason:     "designated-gatekeeper",
+        article:    "art-32-1",
+      });
+      throw new DataActError("dataact/gatekeeper-refused",
+        "shareWithThirdParty: recipient '" + opts.recipient + "' is a designated DMA " +
+        "gatekeeper — Art 32 §1 of the Data Act prohibits Art 5 third-party shares to " +
+        "gatekeepers. Operators with a legitimate gatekeeper-side flow MUST pass " +
+        "{ acceptGatekeeper: { reason: '<audited justification>' } }.");
+    }
+    emit.audit("share_to_gatekeeper", "success", {
+      productId: opts.productId,
+      userId:    opts.userId,
+      recipient: opts.recipient,
+      reason:    opts.acceptGatekeeper.reason,
+      article:   "art-32-1-override",
+    });
+  }
+  emit.audit("share_with_third_party", "success", {
+    productId: opts.productId,
+    userId:    opts.userId,
+    recipient: opts.recipient,
+    scope:     opts.scope,
+    article:   "art-5-1",
+  });
+  emit.metric("third-party-share");
+}
+
+/**
+ * @primitive b.dataAct.recordSwitchRequest
+ * @signature b.dataAct.recordSwitchRequest(opts)
+ * @since     0.8.70
+ *
+ * Art 28 cloud-switching event. Records the switch request for the
+ * regulator-facing audit chain. Operators serving the actual data
+ * export wire the operator-side retrieval path; this primitive is
+ * the audit record.
+ *
+ * Art 28 §3 requires "the data processing service provider shall
+ * complete the switching operation within a maximum notice period
+ * of 30 calendar days" for non-personal data. The framework
+ * surfaces the deadline via `noticePeriodDays` (default 30).
+ *
+ * @opts
+ *   {
+ *     customerId:       string,
+ *     targetProvider:   string,
+ *     dataSlices:       string[],
+ *     noticePeriodDays?: number,         // default 30 (Art 28 §3 cap)
+ *   }
+ *
+ * @example
+ *   b.dataAct.recordSwitchRequest({
+ *     customerId: "c1", targetProvider: "OtherCloud",
+ *     dataSlices: ["app-state", "user-files"],
+ *   });
+ */
+function recordSwitchRequest(opts) {
+  validateOpts.requireObject(opts, "dataAct.recordSwitchRequest", DataActError, "dataact/bad-opts");
+  validateOpts.requireNonEmptyString(opts.customerId, "customerId", DataActError, "dataact/no-customer-id");
+  validateOpts.requireNonEmptyString(opts.targetProvider, "targetProvider", DataActError, "dataact/no-target");
+  if (!Array.isArray(opts.dataSlices) || opts.dataSlices.length === 0) {
+    throw new DataActError("dataact/no-data-slices",
+      "recordSwitchRequest: dataSlices must be a non-empty array");
+  }
+  var noticePeriod = typeof opts.noticePeriodDays === "number" ? opts.noticePeriodDays : 30;     // allow:raw-byte-literal — Art 28 §3 30-day cap
+  if (noticePeriod > 30) {                                                                       // allow:raw-byte-literal — Art 28 §3 30-day cap
+    throw new DataActError("dataact/notice-period-too-long",
+      "recordSwitchRequest: noticePeriodDays " + noticePeriod + " exceeds Art 28 §3 cap of 30 days");
+  }
+  emit.audit("switch_request", "success", {
+    customerId:        opts.customerId,
+    targetProvider:    opts.targetProvider,
+    dataSlices:        opts.dataSlices.slice(),
+    noticePeriodDays:  noticePeriod,
+    article:           "art-28",
+  });
+  emit.metric("switch-request");
+  return { acceptedAt: Date.now(), noticePeriodDays: noticePeriod };
+}
+
+function _resetForTest() {
+  _products = Object.create(null);
+}
+
+module.exports = {
+  declareProduct:        declareProduct,
+  recordUserAccess:      recordUserAccess,
+  shareWithThirdParty:   shareWithThirdParty,
+  recordSwitchRequest:   recordSwitchRequest,
+  DataActError:          DataActError,
+  DESIGNATED_GATEKEEPERS: DESIGNATED_GATEKEEPERS,
+  _resetForTest:         _resetForTest,
+};

package/lib/fapi2.js

@@ -274,12 +274,120 @@ function assertOAuthConfig(oauthOpts) {
  *   // → "fapi-2.0"
  */
 function posture() {
-  return compliance.current() === "fapi-2.0" ? "fapi-2.0" : null;
+  return compliance.current() === "fapi-2.0" ? "fapi-2.0" :
+         compliance.current() === "fapi-2.0-message-signing" ? "fapi-2.0-message-signing" :
+         null;
+}
+
+/**
+ * @primitive b.fapi2.assertCallback
+ * @signature b.fapi2.assertCallback(query, opts?)
+ * @since     0.8.70
+ * @related   b.fapi2.posture, b.auth.oauth.parseCallback
+ *
+ * Runtime gate the OAuth callback handler invokes BEFORE
+ * `parseCallback` to enforce FAPI 2.0's wire-format invariants
+ * against the live response:
+ *
+ *   - **§5.4.2 iss-callback** — refuse callbacks lacking `iss`
+ *     under any FAPI 2.0 posture (regardless of OP discovery).
+ *   - **§5.3.2 / Message Signing JARM mandate** — under
+ *     `fapi-2.0-message-signing`, the OP MUST deliver the
+ *     authorization response as a signed JWT (`response=<jwt>`
+ *     query param). A bare-param callback is refused.
+ *
+ * Returns silently on success. Throws Fapi2Error on any FAPI
+ * invariant breach. No-op when no FAPI posture is active.
+ *
+ * @opts
+ *   { requireJarm?: boolean }   // override (default: derive from posture)
+ *
+ * @example
+ *   app.get("/oauth/callback", async function (req, res) {
+ *     var query = Object.fromEntries(new URL(req.url, "x:/").searchParams);
+ *     b.fapi2.assertCallback(query);
+ *     var parsed = await oauth.parseCallback(query);
+ *     res.end(JSON.stringify({ code: parsed.code }));
+ *   });
+ */
+function assertCallback(query, aopts) {
+  aopts = aopts || {};
+  var p = posture();
+  if (p === null) return;                                                // no FAPI posture active — no-op
+  if (!query || typeof query !== "object") {
+    throw new Fapi2Error("fapi-2.0/bad-callback",
+      "fapi2.assertCallback: query must be an object");
+  }
+  // §5.3.2 / Message Signing — require JARM when posture demands it.
+  // The bare-param callback (no `response=<jwt>`) is the smoking-gun
+  // signal that JARM was bypassed; refuse loudly.
+  var requireJarm = aopts.requireJarm !== undefined
+    ? aopts.requireJarm
+    : (p === "fapi-2.0-message-signing");
+  if (requireJarm) {
+    if (typeof query.response !== "string" || query.response.length === 0) {
+      throw new Fapi2Error("fapi-2.0/jarm-required",
+        "fapi2.assertCallback: posture '" + p + "' requires JARM " +
+        "(response_mode=jwt) — callback delivered bare parameters instead. " +
+        "FAPI 2.0 Message Signing §5.3.2 mandates signed authorization responses; " +
+        "configure the OP with response_mode=jwt and route through " +
+        "b.auth.oauth.parseJarmResponse(query.response).");
+    }
+  }
+  // §5.4.2 — `iss` MUST be present on every callback under FAPI 2.0.
+  // RFC 9207 already adds the cross-check; FAPI 2.0 promotes it from
+  // SHOULD to MUST regardless of OP discovery's
+  // `authorization_response_iss_parameter_supported` flag.
+  if (typeof query.iss !== "string" || query.iss.length === 0) {
+    throw new Fapi2Error("fapi-2.0/missing-iss",
+      "fapi2.assertCallback: posture '" + p + "' requires the OP to echo " +
+      "`iss` on every authorization callback (FAPI 2.0 §5.4.2). The callback " +
+      "omitted iss — refused.");
+  }
+}
+
+/**
+ * @primitive b.fapi2.assertAuthzRequest
+ * @signature b.fapi2.assertAuthzRequest(authzParams)
+ * @since     0.8.70
+ * @related   b.fapi2.assertCallback
+ *
+ * Runtime gate the operator wraps around the AuthorizationUrl
+ * builder to enforce FAPI 2.0 §5.3.2 — under any FAPI 2.0 posture,
+ * the operator MUST send a signed JAR (RFC 9101 `request=<jwt>`
+ * OR `request_uri=<par-uri>`). Refuses authorization-request param
+ * shapes that look like the bare RFC 6749 query.
+ *
+ * @example
+ *   var params = { request: signedRequestJwt };
+ *   b.fapi2.assertAuthzRequest(params);
+ *   var url = oauth.authorizationUrl(params);
+ */
+function assertAuthzRequest(authzParams) {
+  var p = posture();
+  if (p === null) return;
+  if (!authzParams || typeof authzParams !== "object") {
+    throw new Fapi2Error("fapi-2.0/bad-authz-params",
+      "fapi2.assertAuthzRequest: params must be an object");
+  }
+  // The operator passes either a built request_object JWT (`request`),
+  // a PAR-issued `request_uri`, OR neither (which is a violation).
+  var hasJar = (typeof authzParams.request === "string" && authzParams.request.length > 0) ||
+               (typeof authzParams.request_uri === "string" && authzParams.request_uri.length > 0);
+  if (!hasJar) {
+    throw new Fapi2Error("fapi-2.0/jar-required",
+      "fapi2.assertAuthzRequest: posture '" + p + "' requires a signed " +
+      "request object (RFC 9101 JAR) — pass either `request: <jwt>` OR " +
+      "`request_uri: <par-uri>` (FAPI 2.0 §5.3.2). Bare-query authorization " +
+      "requests are refused.");
+  }
 }
 
 module.exports = {
   assertConformance:  assertConformance,
   assertOAuthConfig:  assertOAuthConfig,
+  assertCallback:     assertCallback,
+  assertAuthzRequest: assertAuthzRequest,
   posture:            posture,
   SENDER_CONSTRAINTS: SENDER_CONSTRAINTS.slice(),
   Fapi2Error:         Fapi2Error,