@blamejs/core 0.8.7 → 0.8.9

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.9** (2026-05-07) — `b.incident.report` — generic 3-stage incident-reporting primitive. The three stages mirror the deadline pattern that recurs across regulatory regimes: initial / early-warning notification (within 24h of detection), intermediate / status update (within 72h), final report (within 30d or per-regime deadline). Built-in per-regime deadlines for `gdpr` (Article 33), `nis2` (Article 23), `dora` (Article 19), `cra` (Article 14), `hipaa` (Breach Notification Rule); operators select via `regime: "gdpr"` and `opts.deadlines` can override per-stage. Each stage records a tamper-evident audit event (`incident.report.stage_recorded`) with a `late: bool` + `lateBy: ms` flag — late filings are recorded with `outcome: "late"` so regulator audits can distinguish on-time from late-but-eventually filings. Operator-supplied `persist(record)` writes to a DB / SIEM / SOAR system; `onStage(event)` fires for synchronous routing. `status()` returns aggregate counts (open / closed / late-per-stage) for dashboards.
+
+- **0.8.8** (2026-05-07) — `b.middleware.requireBoundKey` + `b.audit.rotateSigningKey` / `reSignAll` + `b.circuitBreaker` top-level surface + `b.htmlBalance.checkSafe` + permissions predicate-shape audit + FIPS 140-3 boundary docs + ESLint pin. **`b.middleware.requireBoundKey`** — Bearer-API-key middleware with three-axis binding: required scopes, bound-field equality (operator pulls values from headers / query / body via `getBoundField` getters; bound-fields registered on the key are checked with constant-time match), and peer-cert fingerprint allowlist (composes with v0.8.4's `b.crypto.hashCertFingerprint` / `isCertRevoked`). Operator-supplied async `resolver(apiKey)` returns the registered record `{ id, scopes, boundFields, peerCertFingerprints }` or `null` when revoked. Refusals carry structured reasons (`no-bearer-token`, `key-unknown-or-revoked`, `missing-scope`, `bound-field-missing`, `bound-field-mismatch`, `peer-cert-required`, `peer-cert-not-pinned`); audit chain captures the keyId + reason on every refusal. **`b.audit.rotateSigningKey`** — operator-callable rotation of the audit-signing keypair. Generates (or accepts BYO) a new keypair, copies the existing sealed file to a timestamped history path so historical signatures remain verifiable, re-seals with the operator's passphrase, and atomic-swaps the in-memory keys. Companion `reSignAll(iter)` walks an operator-supplied async iterable of `{ payload, signature, oldPublicKeyPem }` and re-signs each entry with the new key — the audit module's checkpoint store calls this to re-stamp historical checkpoints after a rotation. **`b.circuitBreaker`** — top-level re-export of `b.retry.CircuitBreaker` so operators discover it alongside `b.retry`; same state machine, same `wrap()` API, ergonomic `create(opts)` factory. **`b.htmlBalance.checkSafe(html, opts)`** — combines structural `balance()` check with a `b.guardHtml.gate` security pass under the same `{ profile, posture }` opt shape used by `b.fileUpload({ contentSafety })` / `b.staticServe({ contentSafety })`. **`b.permissions.policy(scope, predicate)`** — emits `permissions.policy_predicate_shape_warning` audit on register-time when the predicate's `.length < 2` (operators commonly forget the `context` argument and ship a predicate that's always-true on the actor parameter). **`SECURITY.md`** — new "FIPS 140-3 cryptographic boundary" section explaining the dual boundary (Node.js OpenSSL FIPS provider for classical primitives, vendored noble-* implementations for PQ algorithms — the latter implement FIPS-published algorithms but the *implementations themselves* are not CMVP-validated). Operator path for FIPS-mandated environments documented. **CI** — eslint pinned to `10.3.0` across `ci.yml` / `npm-publish.yml` / `release-container.yml`; `eslint@latest` was silently letting new rule additions break the publish gate on releases that had passed the day before. The pin moves on operator-confirmed bumps.
+
 - **0.8.7** (2026-05-06) — `b.auth.accessLock` — three-mode access-lock primitive for stop-the-world / read-only / role-restricted operator interventions. `"open"` is normal operation; `"read-only"` refuses non-idempotent methods (POST/PUT/PATCH/DELETE) with 503 + Retry-After while letting GET/HEAD/OPTIONS pass; `"locked"` refuses everything except an operator-supplied `passthroughPaths` allowlist (status / health / unlock endpoint). Operators flip modes during incident response, schema-migration windows, or break-glass review via `lock.set("locked", { actor, reason })`; the transition emits `auth.access_lock.mode_changed` audit + metric. `unlockRoles: ["sre", ...]` lets a privileged role bypass all three modes via `getRole(req)` so a break-glass operator can always reach the unlock endpoint to flip back. The boot-time mode emits `auth.access_lock.boot` so the audit chain captures the deploy posture.
 
 - **0.8.6** (2026-05-06) — New primitives: `b.middleware.dailyByteQuota` + `b.appShutdown` extensions. **`b.middleware.dailyByteQuota`** — per-IP rolling 24-hour byte budget (24 hourly bins, slides per-second so a peer can't reset by waiting past midnight). Memory backend single-node by default; `opts.cache` wires `b.cache` for cluster-shared accounting. Refuses with 429 + `Retry-After` when peers exceed the quota; emits `middleware.daily_byte_quota.refused` audit + `middleware.daily_byte_quota.refused` metric. Inbound + outbound bytes counted (header bytes + content-length + outbound write/end byte counts). Fail-open on cache backend errors with audited reason — a flaky cache no longer takes the framework down. **`b.appShutdown` extensions** — `onUncaught` hook fires on `uncaughtException` / `unhandledRejection`; default is graceful-shutdown with exitCode=1, operators can wire a hook for relay to PagerDuty / observability before exit. `opts.signals` now accepts a custom signal list (defaults to `["SIGTERM","SIGINT"]`); operators add `SIGUSR2` (nodemon restart), `SIGHUP` (terminal disconnect), `SIGQUIT` (`kill -3`) without subclassing. `b.appShutdown.pidLock(lockPath)` — single-instance file lock that writes `process.pid`, refuses to acquire when another live process holds the lock, reaps stale lock files (PID gone), and releases on shutdown. **`b.observability.otlpExporter`** — new `system.observability.otlp_exporter.post_failed` audit emission distinguishes timeout / abort from generic network failure (operators can route timeout-rooted exporter degradation to a different alert channel). `stats()` now reports `droppedTotal` (queue overflow + export failed) and emits a `dropped_total` metric on every call so dashboards chart the running drop count. **`b.auth.oauth.fetchUserInfo`** — refuses on OIDC IdPs unless the caller threads `ufiOpts.idTokenSub` (the verified `sub` claim from `exchangeCode`'s `id_token`); cross-checks userinfo `sub === idTokenSub` to defend against token-substitution where a hostile IdP returns a different user's profile. Non-OIDC OAuth 2.0 deployments mis-flagged as `isOidc` opt out via `{ skipSubCheck: true }` with audited reason.

package/index.js

@@ -247,6 +247,8 @@ module.exports = {
   storage:          storage,
   objectStore:      objectStore,
   retry:            retry,
+  circuitBreaker:   require("./lib/circuit-breaker"),
+  incident:         { report: require("./lib/incident-report") },
   queue:            queue,
   logStream:        logStream,
   redact:           redact,

package/lib/audit-sign.js

@@ -326,6 +326,158 @@ function getPublicKeyFingerprint() { _requireInit(); return keys.fingerprint; }
 function getMode() { return currentMode; }
 function getAlgorithm() { _requireInit(); return keys.algorithm; }
 
+// Re-sign every payload in the operator-supplied iterable using the
+// CURRENT in-memory key. Returns { reSigned: number, skipped: number,
+// errors: number } so the caller (audit module's checkpoint store)
+// can log a summary. Each iteration is wrapped in try/catch — a
+// payload that fails to verify under the OLD key is skipped (already
+// tampered or never signed under the historical key) rather than
+// aborting the whole walk.
+//
+// The iterable yields { payload, signature, oldPublicKeyPem } so the
+// caller's storage layer doesn't need to reach into audit-sign's
+// internal key-history. The caller persists the new signature in
+// place — this primitive returns the new bytes without touching
+// storage.
+async function reSignAll(iter, opts) {
+  _requireInit();
+  opts = opts || {};
+  var summary = { reSigned: 0, skipped: 0, errors: 0 };
+  var onProgress = typeof opts.onProgress === "function" ? opts.onProgress : null;
+  for await (var entry of iter) {
+    try {
+      if (!entry || !entry.payload || !entry.signature) {
+        summary.skipped += 1;
+        continue;
+      }
+      var oldPub = entry.oldPublicKeyPem || keys.publicKey;
+      if (!verify(entry.payload, entry.signature, oldPub)) {
+        summary.skipped += 1;
+        continue;
+      }
+      var newSig = sign(entry.payload);
+      summary.reSigned += 1;
+      if (onProgress) {
+        try { onProgress({ id: entry.id, newSignature: newSig }); }
+        catch (_e) { /* operator hook, drop-silent */ }
+      }
+    } catch (_e) {
+      summary.errors += 1;
+    }
+  }
+  return summary;
+}
+
+// Rotate the in-memory + on-disk keypair. Generates a fresh keypair
+// (or accepts operator-supplied keypair via opts.privateKeyPem +
+// publicKeyPem for the BYO-key case), writes the OLD sealed file
+// to a timestamped history path so historical checkpoints can still
+// be verified, then re-seals with the new keypair.
+//
+// rotation does NOT walk and re-sign existing audit checkpoints —
+// the audit module orchestrates that via reSignAll() above so the
+// per-row storage transactions stay in one place. Operators rotating
+// the audit key in production typically:
+//   1. Read existing audit checkpoints
+//   2. Call rotateSigningKey() — gets new keys live
+//   3. Walk checkpoints through reSignAll()
+//   4. Write back the new signatures atomically
+async function rotateSigningKey(rotOpts) {
+  _requireInit();
+  rotOpts = rotOpts || {};
+  var prevFingerprint = keys.fingerprint;
+  var prevPublicKey = keys.publicKey;
+  var prevAlgorithm = keys.algorithm;
+
+  // Operator may supply the new keypair (BYO; useful for a hardware-
+  // backed signer) or let the framework generate. The algorithm
+  // defaults to the current keypair's algorithm; operators upgrading
+  // the algorithm pass the new alg explicitly.
+  var newAlg;
+  var newPair;
+  if (typeof rotOpts.privateKeyPem === "string" && typeof rotOpts.publicKeyPem === "string") {
+    newAlg  = rotOpts.algorithm || prevAlgorithm;
+    newPair = { publicKey: rotOpts.publicKeyPem, privateKey: rotOpts.privateKeyPem };
+  } else {
+    newAlg = rotOpts.algorithm || prevAlgorithm;
+    newPair = nodeCrypto.generateKeyPairSync(newAlg, {
+      publicKeyEncoding:  { type: "spki",  format: "pem" },
+      privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+  }
+  if (SUPPORTED_SIGNING_ALGS.indexOf(newAlg) === -1) {
+    throw _err("ROTATE_BAD_ALG",
+      "audit-sign.rotateSigningKey: algorithm '" + newAlg + "' is not in SUPPORTED_SIGNING_ALGS");
+  }
+
+  var newFingerprint = _computeFingerprint(newPair.publicKey);
+  if (newFingerprint === prevFingerprint) {
+    throw _err("ROTATE_NOOP",
+      "audit-sign.rotateSigningKey: new keypair has identical fingerprint to the current — refusing to write a no-op rotation");
+  }
+
+  // Move the existing sealed/plaintext file to a timestamped history
+  // path so historical checkpoints can still be verified by readers
+  // that load the old key. We keep the history forever — the file is
+  // small (a few KB) and signed audit checkpoints can be decades old.
+  var iso = new Date().toISOString().replace(/[:.]/g, "-");
+  if (currentMode === "wrapped" && paths && paths.sealed) {
+    var historyPath = paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* allow:raw-byte-literal — fingerprint hex truncation count */;
+    try { await atomicFile.copy(paths.sealed, historyPath); }
+    catch (_e) { /* history copy is best-effort; the in-memory rotation still proceeds */ }
+  } else if (currentMode === "plaintext" && paths && paths.plaintext) {
+    var historyPathP = paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* allow:raw-byte-literal — fingerprint hex truncation count */;
+    try { await atomicFile.copy(paths.plaintext, historyPathP); }
+    catch (_e) { /* history copy is best-effort */ }
+  }
+
+  // Persist the new keypair through the same path as boot — sealed
+  // mode re-wraps with the operator's passphrase; plaintext mode
+  // writes JSON. We don't accept a passphrase override here; the
+  // existing in-process passphrase derivation runs again.
+  if (currentMode === "wrapped") {
+    var passphrase = await _getPassphrase("Audit-signing passphrase (rotate): ");
+    try {
+      var sealed = await vaultWrap.wrap(
+        JSON.stringify({ algorithm: newAlg, publicKey: newPair.publicKey, privateKey: newPair.privateKey }, null, 2),
+        passphrase
+      );
+      atomicFile.writeSync(paths.sealed, sealed, { fileMode: 0o600 });
+    } finally { safeBuffer.secureZero(passphrase); }
+  } else if (currentMode === "plaintext") {
+    atomicFile.writeSync(
+      paths.plaintext,
+      JSON.stringify({ algorithm: newAlg, publicKey: newPair.publicKey, privateKey: newPair.privateKey }, null, 2),
+      { fileMode: 0o600 }
+    );
+  }
+
+  // Atomic in-memory swap last (so a write failure above doesn't
+  // leave a half-rotated state where memory has the new key but the
+  // disk has the old one).
+  keys = {
+    publicKey:  newPair.publicKey,
+    privateKey: newPair.privateKey,
+    algorithm:  newAlg,
+    fingerprint: newFingerprint,
+  };
+  log("audit-signing keypair rotated (alg=" + newAlg + ", fp=" + newFingerprint.slice(0, 16) + "...)");                       /* allow:raw-byte-literal — fingerprint hex truncation count */
+
+  return {
+    previousFingerprint: prevFingerprint,
+    previousPublicKey:   prevPublicKey,
+    newFingerprint:      newFingerprint,
+    newPublicKey:        newPair.publicKey,
+    algorithm:           newAlg,
+    rotatedAt:           new Date().toISOString(),
+    historyPath:         (currentMode === "wrapped" && paths && paths.sealed)
+                          ? paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* allow:raw-byte-literal — fingerprint hex truncation count */
+                          : (currentMode === "plaintext" && paths && paths.plaintext)
+                            ? paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* allow:raw-byte-literal — fingerprint hex truncation count */
+                            : null,
+  };
+}
+
 function _resetForTest() {
   keys = null;
   initialized = false;
@@ -338,6 +490,8 @@ module.exports = {
   init:                     init,
   sign:                     sign,
   verify:                   verify,
+  rotateSigningKey:         rotateSigningKey,
+  reSignAll:                reSignAll,
   getPublicKey:             getPublicKey,
   getPublicKeyFingerprint:  getPublicKeyFingerprint,
   getMode:                  getMode,

package/lib/circuit-breaker.js

@@ -0,0 +1,55 @@
+"use strict";
+/**
+ * b.circuitBreaker — top-level circuit-breaker primitive.
+ *
+ * Re-exports the CircuitBreaker class previously only reachable as
+ * b.retry.CircuitBreaker, plus a `create(opts)` factory that matches
+ * every other framework primitive's `create()` shape. The
+ * implementation lives in lib/retry.js to keep the retry-classifier
+ * + CircuitBreaker close to each other (they share the
+ * isRetryable / observability emit conventions). This module is the
+ * top-level surface so operators don't have to know that retry
+ * happens to be the home of the circuit-breaker class.
+ *
+ * State machine:
+ *   closed   — normal flow; failures count up to failureThreshold
+ *   open     — fast-fail every call for cooldownMs
+ *   half     — first probe succeeds → close; first probe fails → re-open
+ *
+ *   var cb = b.circuitBreaker.create({
+ *     name:                 "upstream-billing",
+ *     failureThreshold:     5,
+ *     cooldownMs:           b.constants.TIME.seconds(30),
+ *     successThreshold:     2,
+ *     audit:                b.audit,
+ *     onStateChange:        function (event) {
+ *       // event = { name, from, to, at }
+ *       log("breaker " + event.name + " " + event.from + " -> " + event.to);
+ *     },
+ *   });
+ *   await cb.wrap(function () { return upstream.callRiskyOp(); });
+ *
+ * The circuit-breaker is intended for per-target use (one instance
+ * per upstream service); operators sharing a breaker across
+ * unrelated targets defeat the failure-threshold semantic.
+ */
+
+var retry = require("./retry");
+
+// Pass-through factory — operators get the same instance shape as
+// b.retry.CircuitBreaker but with the framework's `create(opts)`
+// vocabulary. The breaker class is unchanged; this is a thin
+// surface re-export so b.circuitBreaker is operator-discoverable
+// alongside b.retry.
+function create(opts) {
+  return new retry.CircuitBreaker(opts || {});
+}
+
+module.exports = {
+  create:         create,
+  CircuitBreaker: retry.CircuitBreaker,
+  // Forward the error class so operators catching breaker rejections
+  // can `instanceof` against the framework's RetryError without
+  // requiring a separate b.retry import.
+  RetryError:     retry.RetryError,
+};

package/lib/html-balance.js

@@ -224,4 +224,41 @@ function check(html) {
   return null;
 }
 
-module.exports = { check: check };
+// Optional content-safety pass for HTML rendered through the framework.
+// Mirrors the same opt shape as b.fileUpload({ contentSafety }) /
+// b.staticServe({ contentSafety }) so operators wiring guards across
+// the stack pass a single { profile, posture } object — the pass-
+// through to b.guardHtml.gate validates the HTML against the same
+// strict / balanced / permissive vocabulary, plus the configured
+// compliance posture.
+//
+//   var safe = b.htmlBalance.checkSafe(html, { profile: "strict" });
+//   if (safe.issues.length) refuseRequest();
+//
+// checkSafe runs balance() first (cheap structural well-formedness),
+// then guardHtml.gate({ profile }) for the security-class checks. The
+// returned shape is { balanceIssue, guardIssues } so callers can
+// distinguish a structural problem from a content-safety reject.
+var lazyRequire = require("./lazy-require");
+var _guardHtml = lazyRequire(function () { return require("./guard-html"); });
+
+function checkSafe(html, opts) {
+  opts = opts || {};
+  var balanceIssue = check(html);
+  var guardIssues = [];
+  if (opts.profile || opts.contentSafety) {
+    var profile = opts.profile || (opts.contentSafety && opts.contentSafety.profile) || "strict";
+    var posture = opts.posture || (opts.contentSafety && opts.contentSafety.posture) || null;
+    var validateOpts = { profile: profile };
+    if (posture) validateOpts.compliancePosture = posture;
+    var rv = _guardHtml().validate(html, validateOpts);
+    if (rv && Array.isArray(rv.issues)) guardIssues = rv.issues;
+  }
+  return {
+    balanceIssue: balanceIssue,
+    guardIssues:  guardIssues,
+    ok:           !balanceIssue && guardIssues.length === 0,
+  };
+}
+
+module.exports = { check: check, checkSafe: checkSafe };

package/lib/incident-report.js

@@ -0,0 +1,314 @@
+"use strict";
+/**
+ * b.incident.report — generic 3-stage incident-reporting primitive.
+ *
+ * The three stages mirror the deadline pattern that recurs across
+ * regulatory regimes (GDPR Article 33 / NIS2 Article 23 / DORA
+ * Article 19 / CRA Article 14 / HIPAA Breach Notification Rule):
+ *
+ *   1. Initial / early-warning notification — within 24 hours of
+ *      detection. Operators report what they know: scope, suspected
+ *      cause, immediate-mitigation plan.
+ *   2. Intermediate / status update — within 72 hours of detection.
+ *      Updated impact assessment, root-cause analysis progress,
+ *      operator's response posture.
+ *   3. Final report — within 30 days of detection (or per-regime
+ *      deadline). Full incident narrative, affected-data-subject
+ *      count, remediation, lessons learned.
+ *
+ *   var ir = b.incident.report.create({
+ *     audit:    b.audit,
+ *     persist:  async function (record) { await db.run("INSERT ..."); },
+ *     onStage:  function (event) {
+ *       // event = { incidentId, stage: "initial"|"intermediate"|"final",
+ *       //           dueBy, regime, fields }
+ *     },
+ *     deadlines: {                                  // operator-overridable per regime
+ *       initial:      C.TIME.hours(24),
+ *       intermediate: C.TIME.hours(72),
+ *       final:        C.TIME.days(30),
+ *     },
+ *   });
+ *   var incident = await ir.open({
+ *     regime:       "gdpr",                         // identifies the regulatory regime
+ *     detectedAt:   Date.now(),
+ *     scope:        "data-confidentiality-breach",
+ *     summary:      "...",
+ *     impact:       { dataSubjects: 1200, categories: ["pii", "phi"] },
+ *   });
+ *   await ir.recordInitial(incident.id, { ... });
+ *   await ir.recordIntermediate(incident.id, { ... });
+ *   await ir.recordFinal(incident.id, { ... });
+ *
+ * Each stage records a tamper-evident audit event with the regime,
+ * incident ID, stage, due-by timestamp, and operator-supplied
+ * payload. The `persist` hook writes to the operator's incident
+ * registry (DB / SIEM / SOAR system); audits give regulator-friendly
+ * proof-of-process when the primitive is queried later.
+ *
+ * Late-stage detection (filing past the due-by) is recorded with a
+ * `lateBy` field on the audit metadata and `outcome: "late"`, so
+ * regulator audits can distinguish "filed on time" from "filed late
+ * but eventually". Refusing to record at all would lose the data;
+ * the framework's posture is "always record, always flag late".
+ */
+
+var C = require("./constants");
+var defineClass = require("./framework-error").defineClass;
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+var observability = lazyRequire(function () { return require("./observability"); });
+
+var IncidentReportError = defineClass("IncidentReportError", { alwaysPermanent: true });
+
+var DEFAULT_DEADLINES = Object.freeze({
+  initial:      C.TIME.hours(24),
+  intermediate: C.TIME.hours(72),
+  final:        C.TIME.days(30),
+});
+
+var VALID_STAGES = Object.freeze({ initial: 1, intermediate: 1, final: 1 });
+
+// Regime defaults — operators select these via opts.regime so the
+// per-regime deadline shape is the framework default, not something
+// the operator has to redefine each time. Operators with mixed
+// regimes per incident pick the shortest deadline (the "first wall
+// to hit" rule). Per-regime overrides go on opts.deadlines and
+// override the regime defaults.
+var REGIME_DEADLINES = Object.freeze({
+  // GDPR Article 33 §1: notify within 72 hours of awareness.
+  // No formal "initial" stage — the framework adds an internal
+  // 24-hour initial-warning checkpoint as a practical posture.
+  gdpr: Object.freeze({
+    initial:      C.TIME.hours(24),
+    intermediate: C.TIME.hours(72),
+    final:        C.TIME.days(30),
+  }),
+  // NIS2 Directive Article 23 §4: early warning within 24h, full
+  // notification within 72h, final report within 1 month.
+  nis2: Object.freeze({
+    initial:      C.TIME.hours(24),
+    intermediate: C.TIME.hours(72),
+    final:        C.TIME.days(30),
+  }),
+  // DORA (EU Digital Operational Resilience Act) Article 19: initial
+  // within 4h of classification, intermediate within 24h, final
+  // within 1 month.
+  dora: Object.freeze({
+    initial:      C.TIME.hours(4),
+    intermediate: C.TIME.hours(24),
+    final:        C.TIME.days(30),
+  }),
+  // CRA (EU Cyber Resilience Act) Article 14: early warning within
+  // 24h, vulnerability/incident notification within 72h, final
+  // report within 14 days.
+  cra: Object.freeze({
+    initial:      C.TIME.hours(24),
+    intermediate: C.TIME.hours(72),
+    final:        C.TIME.days(14),
+  }),
+  // HIPAA Breach Notification Rule (45 CFR §164.404 etc.): notify
+  // affected individuals within 60 days; HHS within 60 days for
+  // breaches affecting 500+ individuals (annually otherwise). The
+  // initial / intermediate stages have no statutory deadline; we
+  // adopt the EU 24/72-hour internal checkpoints as good operator
+  // practice.
+  hipaa: Object.freeze({
+    initial:      C.TIME.hours(24),
+    intermediate: C.TIME.hours(72),
+    final:        C.TIME.days(60),
+  }),
+});
+
+function _resolveDeadlines(regime, override) {
+  var base = (regime && REGIME_DEADLINES[regime]) || DEFAULT_DEADLINES;
+  if (!override || typeof override !== "object") return base;
+  return Object.freeze({
+    initial:      typeof override.initial      === "number" ? override.initial      : base.initial,
+    intermediate: typeof override.intermediate === "number" ? override.intermediate : base.intermediate,
+    final:        typeof override.final        === "number" ? override.final        : base.final,
+  });
+}
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "persist", "onStage", "deadlines", "now",
+  ], "incident.report");
+
+  var auditOn = opts.audit !== false;
+  var persist = typeof opts.persist === "function" ? opts.persist : null;
+  var onStage = typeof opts.onStage === "function" ? opts.onStage : null;
+  var deadlinesOverride = opts.deadlines || null;
+  var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
+
+  // In-memory registry — operators wire `persist` for durable
+  // storage. The in-memory map is for unit tests + small operator
+  // deployments that don't yet wire a DB-backed registry.
+  var incidents = new Map();
+  var seq = 0;
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "incident.report." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+  function _emitMetric(verb, n, labels) {
+    try { observability().safeEvent("incident.report." + verb, n || 1, labels || {}); }
+    catch (_e) { /* drop-silent */ }
+  }
+
+  function _genIncidentId(regime, detectedAt) {
+    seq += 1;
+    var ts = new Date(detectedAt).toISOString().replace(/[:.]/g, "-");
+    return "incident-" + (regime || "generic") + "-" + ts + "-" + seq;
+  }
+
+  async function open(spec) {
+    if (!spec || typeof spec !== "object") {
+      throw new IncidentReportError("incident-report/bad-spec",
+        "incident.report.open: spec must be an object with { regime, detectedAt, scope, summary, impact }");
+    }
+    if (typeof spec.regime !== "string" || spec.regime.length === 0) {
+      throw new IncidentReportError("incident-report/bad-regime",
+        "incident.report.open: spec.regime must be a non-empty string (gdpr / nis2 / dora / cra / hipaa or operator-defined)");
+    }
+    if (typeof spec.detectedAt !== "number" || !isFinite(spec.detectedAt)) {
+      throw new IncidentReportError("incident-report/bad-detected-at",
+        "incident.report.open: spec.detectedAt must be a finite Unix-ms timestamp");
+    }
+    var deadlines = _resolveDeadlines(spec.regime, deadlinesOverride);
+    var id = _genIncidentId(spec.regime, spec.detectedAt);
+    var record = {
+      id:           id,
+      regime:       spec.regime,
+      detectedAt:   spec.detectedAt,
+      scope:        spec.scope || null,
+      summary:      spec.summary || null,
+      impact:       spec.impact || null,
+      deadlines:    deadlines,
+      dueBy: {
+        initial:      spec.detectedAt + deadlines.initial,
+        intermediate: spec.detectedAt + deadlines.intermediate,
+        final:        spec.detectedAt + deadlines.final,
+      },
+      stages:       {},                                                                  // populated by recordInitial / recordIntermediate / recordFinal
+      openedAt:     now(),
+      closedAt:     null,
+    };
+    incidents.set(id, record);
+    _emitAudit("opened", "success", {
+      incidentId: id, regime: spec.regime, detectedAt: spec.detectedAt,
+      dueByInitial:      record.dueBy.initial,
+      dueByIntermediate: record.dueBy.intermediate,
+      dueByFinal:        record.dueBy.final,
+    });
+    _emitMetric("opened", 1, { regime: spec.regime });
+    if (persist) {
+      try { await persist(record); }
+      catch (e) { _emitAudit("persist_failed", "failure", { incidentId: id, error: (e && e.message) || String(e) }); }
+    }
+    return record;
+  }
+
+  async function _recordStage(incidentId, stage, payload) {
+    if (!VALID_STAGES[stage]) {
+      throw new IncidentReportError("incident-report/bad-stage",
+        "incident.report._recordStage: stage must be one of " + Object.keys(VALID_STAGES).join(", "));
+    }
+    var rec = incidents.get(incidentId);
+    if (!rec) {
+      throw new IncidentReportError("incident-report/unknown-incident",
+        "incident.report: no incident with id '" + incidentId + "'");
+    }
+    if (rec.stages[stage]) {
+      throw new IncidentReportError("incident-report/stage-already-filed",
+        "incident.report: incident '" + incidentId + "' already has a '" + stage + "' stage filing");
+    }
+    var nowMs = now();
+    var dueBy = rec.dueBy[stage];
+    var late = nowMs > dueBy;
+    var lateBy = late ? (nowMs - dueBy) : 0;
+    rec.stages[stage] = {
+      filedAt:  nowMs,
+      dueBy:    dueBy,
+      late:     late,
+      lateBy:   lateBy,
+      payload:  payload || {},
+    };
+    if (stage === "final") rec.closedAt = nowMs;
+
+    _emitAudit("stage_recorded", late ? "late" : "success", {
+      incidentId: incidentId, regime: rec.regime, stage: stage,
+      dueBy: dueBy, filedAt: nowMs, late: late, lateBy: lateBy,
+    });
+    _emitMetric("stage_recorded", 1, { regime: rec.regime, stage: stage, late: String(late) });
+    if (onStage) {
+      try { onStage({ incidentId: incidentId, stage: stage, dueBy: dueBy, late: late, regime: rec.regime, fields: payload }); }
+      catch (_e) { /* drop-silent — operator hook */ }
+    }
+    if (persist) {
+      try { await persist(rec); }
+      catch (e) { _emitAudit("persist_failed", "failure", { incidentId: incidentId, stage: stage, error: (e && e.message) || String(e) }); }
+    }
+    return rec;
+  }
+
+  function recordInitial(incidentId, payload)      { return _recordStage(incidentId, "initial",      payload); }
+  function recordIntermediate(incidentId, payload) { return _recordStage(incidentId, "intermediate", payload); }
+  function recordFinal(incidentId, payload)        { return _recordStage(incidentId, "final",        payload); }
+
+  function get(incidentId) { return incidents.get(incidentId) || null; }
+  function list() {
+    var out = [];
+    incidents.forEach(function (rec) { out.push(rec); });
+    return out;
+  }
+
+  // Operator-facing summary for dashboards / regulator-prep — counts
+  // open / late / closed across all tracked regimes.
+  function status() {
+    var nowMs = now();
+    var summary = {
+      total:  incidents.size,
+      open:   0,
+      closed: 0,
+      late:   { initial: 0, intermediate: 0, final: 0 },
+    };
+    incidents.forEach(function (rec) {
+      if (rec.closedAt) summary.closed += 1; else summary.open += 1;
+      ["initial", "intermediate", "final"].forEach(function (s) {
+        if (!rec.stages[s] && nowMs > rec.dueBy[s]) summary.late[s] += 1;
+        else if (rec.stages[s] && rec.stages[s].late) summary.late[s] += 1;
+      });
+    });
+    return summary;
+  }
+
+  return {
+    open:               open,
+    recordInitial:      recordInitial,
+    recordIntermediate: recordIntermediate,
+    recordFinal:        recordFinal,
+    get:                get,
+    list:               list,
+    status:             status,
+    REGIME_DEADLINES:   REGIME_DEADLINES,
+    DEFAULT_DEADLINES:  DEFAULT_DEADLINES,
+  };
+}
+
+module.exports = {
+  create:                create,
+  IncidentReportError:   IncidentReportError,
+  REGIME_DEADLINES:      REGIME_DEADLINES,
+  DEFAULT_DEADLINES:     DEFAULT_DEADLINES,
+  VALID_STAGES:          Object.keys(VALID_STAGES),
+};

package/lib/middleware/require-bound-key.js

@@ -0,0 +1,249 @@
+"use strict";
+/**
+ * requireBoundKey middleware — Bearer-API-key auth with scope + bound-
+ * fields + cert-fingerprint binding.
+ *
+ * The framework's bearer-auth + dpop + requireMtls cover JWT, DPoP, and
+ * mTLS. requireBoundKey covers the API-key-with-binding case that
+ * shows up on internal service-to-service endpoints, partner API
+ * webhook receivers, and CI runners shipping events to a hosted
+ * blamejs deployment:
+ *
+ *   - Authorization: Bearer <api-key>
+ *   - the API key is registered in an operator-supplied resolver
+ *     with: { scopes: [...], boundFields: { ... }, peerCertFingerprints: [...] }
+ *   - the request must present a peer cert whose fingerprint is in
+ *     peerCertFingerprints (when set)
+ *   - the request must include the boundFields with the registered
+ *     values (e.g. { tenantId: "acme", region: "us-east-1" }) — bound
+ *     fields are pulled from headers / query / body via getter
+ *   - the request must hold one of the operator-required scopes
+ *
+ * Failure mode: 401 / 403 with a structured JSON body identifying
+ * which check failed (operator audit trail). Audits emit
+ * `auth.require_bound_key.allowed` / `auth.require_bound_key.refused`
+ * with the api-key-id (not the secret) + reason metadata.
+ *
+ *   var keys = b.middleware.requireBoundKey({
+ *     resolver: async function (apiKey) {
+ *       // operator-supplied — usually a DB lookup with timing-safe
+ *       // compare. Returns { id, scopes, boundFields, peerCertFingerprints }
+ *       // or null when the key is unknown / revoked.
+ *       return await keyDb.findByKey(apiKey);
+ *     },
+ *     requiredScopes:    ["webhook.ingest"],
+ *     getBoundField:     {
+ *       tenantId: function (req) { return req.headers["x-tenant-id"]; },
+ *       region:   function (req) { return req.query.region; },
+ *     },
+ *     audit:             b.audit,
+ *   });
+ *   router.post("/webhook/ingest", keys, ingestHandler);
+ *
+ * Composition with other middleware:
+ *   - b.middleware.requireMtls runs FIRST (so req.peerCert is set)
+ *   - b.middleware.requireBoundKey reads req.peerCert and cross-checks
+ *
+ * Defaults to fail-closed on every check; resolver throws / returns
+ * undefined → refused with reason "resolver-unavailable".
+ */
+
+var defineClass = require("../framework-error").defineClass;
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+
+var crypto = lazyRequire(function () { return require("../crypto"); });
+var audit  = lazyRequire(function () { return require("../audit"); });
+
+var RequireBoundKeyError = defineClass("RequireBoundKeyError", { alwaysPermanent: true });
+
+function _parseBearer(req) {
+  var h = req.headers && (req.headers.authorization || req.headers.Authorization);
+  if (typeof h !== "string" || h.length === 0) return null;
+  var m = h.match(/^Bearer\s+([\x21-\x7e]+)$/);                                          // RFC 6750 token68
+  return m ? m[1] : null;
+}
+
+function _timingSafeStringEqual(a, b) {
+  if (typeof a !== "string" || typeof b !== "string") return false;
+  if (a.length !== b.length) return false;
+  return crypto().timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "resolver", "requiredScopes", "getBoundField",
+    "audit", "auditAction", "errorMessage",
+    "tolerateMissingPeerCert",
+  ], "middleware.requireBoundKey");
+
+  if (typeof opts.resolver !== "function") {
+    throw new RequireBoundKeyError("require-bound-key/bad-resolver",
+      "middleware.requireBoundKey: opts.resolver must be an async function (apiKey) -> {id, scopes, boundFields, peerCertFingerprints} | null");
+  }
+  var resolver = opts.resolver;
+  var requiredScopes = Array.isArray(opts.requiredScopes) ? opts.requiredScopes.slice() : [];
+  for (var rs = 0; rs < requiredScopes.length; rs++) {
+    if (typeof requiredScopes[rs] !== "string" || requiredScopes[rs].length === 0) {
+      throw new RequireBoundKeyError("require-bound-key/bad-scope",
+        "middleware.requireBoundKey: requiredScopes[" + rs + "] must be a non-empty string");
+    }
+  }
+  var getBoundField = (opts.getBoundField && typeof opts.getBoundField === "object")
+    ? opts.getBoundField : {};
+  var boundFieldNames = Object.keys(getBoundField);
+  for (var bf = 0; bf < boundFieldNames.length; bf++) {
+    if (typeof getBoundField[boundFieldNames[bf]] !== "function") {
+      throw new RequireBoundKeyError("require-bound-key/bad-bound-field-getter",
+        "middleware.requireBoundKey: getBoundField." + boundFieldNames[bf] + " must be a function (req) -> string");
+    }
+  }
+  var auditOn = opts.audit !== false;
+  var actionBase = typeof opts.auditAction === "string" && opts.auditAction.length > 0
+    ? opts.auditAction : "auth.require_bound_key";
+  var errorMessage = typeof opts.errorMessage === "string" && opts.errorMessage.length > 0
+    ? opts.errorMessage : "api key required";
+  // For operator-side fixtures and dev environments without an mTLS
+  // termination layer, allow disabling the peer-cert cross-check
+  // even when peerCertFingerprints is set on the registered key.
+  // Production deployments leave this at default false.
+  var tolerateMissingPeerCert = !!opts.tolerateMissingPeerCert;
+
+  function _emitAudit(outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   actionBase + (outcome === "success" ? ".allowed" : ".refused"),
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  function _refuse(res, status, reason, metadata) {
+    _emitAudit("denied", Object.assign({ reason: reason }, metadata || {}));
+    if (res.writableEnded || typeof res.writeHead !== "function") return;
+    res.writeHead(status, {
+      "Content-Type":     "application/json; charset=utf-8",
+      "WWW-Authenticate": 'Bearer realm="api", error="invalid_request"',
+      "Cache-Control":    "no-store",
+    });
+    res.end(JSON.stringify({ error: errorMessage, reason: reason }));
+  }
+
+  return async function requireBoundKeyMiddleware(req, res, next) {
+    var apiKey = _parseBearer(req);
+    if (!apiKey) return _refuse(res, 401, "no-bearer-token", {});
+
+    var record;
+    try { record = await resolver(apiKey); }
+    catch (e) {
+      return _refuse(res, 503, "resolver-unavailable", {
+        error: (e && e.message) || String(e),
+      });
+    }
+    if (!record || typeof record !== "object") {
+      return _refuse(res, 401, "key-unknown-or-revoked", {});
+    }
+
+    // Required-scope check — operator-supplied requiredScopes must be
+    // a subset of the registered key's scopes.
+    var keyScopes = Array.isArray(record.scopes) ? record.scopes : [];
+    for (var rsi = 0; rsi < requiredScopes.length; rsi++) {
+      if (keyScopes.indexOf(requiredScopes[rsi]) === -1) {
+        return _refuse(res, 403, "missing-scope", {
+          requiredScope: requiredScopes[rsi], keyId: record.id || null,
+        });
+      }
+    }
+
+    // Bound-field check — every key in the registered boundFields map
+    // must be present on the request and match. The operator's
+    // getBoundField extracts each value from headers / query / body.
+    var registered = (record.boundFields && typeof record.boundFields === "object") ? record.boundFields : {};
+    var registeredKeys = Object.keys(registered);
+    for (var bfi = 0; bfi < registeredKeys.length; bfi++) {
+      var fieldName = registeredKeys[bfi];
+      var getter = getBoundField[fieldName];
+      if (!getter) {
+        return _refuse(res, 500, "bound-field-no-getter", {
+          field: fieldName, keyId: record.id || null,
+        });
+      }
+      var presented;
+      try { presented = getter(req); }
+      catch (e) {
+        return _refuse(res, 400, "bound-field-getter-threw", {                            // allow:raw-byte-literal — HTTP 400
+          field: fieldName, error: (e && e.message) || String(e),
+        });
+      }
+      if (typeof presented !== "string" || presented.length === 0) {
+        return _refuse(res, 400, "bound-field-missing", {                                 // allow:raw-byte-literal — HTTP 400
+          field: fieldName, keyId: record.id || null,
+        });
+      }
+      var expected = String(registered[fieldName]);
+      if (!_timingSafeStringEqual(presented, expected)) {
+        return _refuse(res, 403, "bound-field-mismatch", {
+          field: fieldName, keyId: record.id || null,
+        });
+      }
+    }
+
+    // Peer-cert fingerprint check — if the registered key pins peer
+    // certs, the request must come over mTLS with a fingerprint on
+    // the allowlist. b.middleware.requireMtls running upstream
+    // attaches req.peerCert / req.peerFingerprint; we re-derive when
+    // a downstream middleware order leaves them unset.
+    var pinned = Array.isArray(record.peerCertFingerprints) ? record.peerCertFingerprints : [];
+    if (pinned.length > 0) {
+      var fpHex = req.peerFingerprint && req.peerFingerprint.hex;
+      var fpColon = req.peerFingerprint && req.peerFingerprint.colon;
+      if (!fpHex && req.peerCert && req.peerCert.raw) {
+        try {
+          var fp = crypto().hashCertFingerprint(req.peerCert.raw);
+          fpHex = fp.hex; fpColon = fp.colon;
+        } catch (_e) { /* fall through to refused below */ }
+      }
+      if (!fpHex) {
+        if (tolerateMissingPeerCert) {
+          // Audited bypass for dev fixtures.
+          _emitAudit("denied", { reason: "peer-cert-bypass-tolerated", keyId: record.id });
+        } else {
+          return _refuse(res, 401, "peer-cert-required", {
+            keyId: record.id || null,
+          });
+        }
+      } else if (!crypto().isCertRevoked(req.peerCert.raw, pinned)) {
+        // isCertRevoked returns true on MATCH against the deny-list
+        // shape; we use it here as a fingerprint-set membership test
+        // because it does the same constant-time hex/colon comparison
+        // we want for an allow-list. A future refactor can rename to
+        // isCertFingerprintInSet — semantically identical.
+        return _refuse(res, 403, "peer-cert-not-pinned", {
+          fingerprint: fpColon, keyId: record.id || null,
+        });
+      }
+    }
+
+    // All checks passed. Attach the resolved record to req.apiKey for
+    // downstream handlers (without the secret — the resolver returned
+    // a normalized record, the middleware never re-exposes the bearer).
+    req.apiKey = {
+      id:           record.id || null,
+      scopes:       keyScopes.slice(),
+      boundFields:  Object.assign({}, registered),
+    };
+    _emitAudit("success", {
+      keyId:         record.id || null,
+      scopesGranted: keyScopes,
+    });
+    return next();
+  };
+}
+
+module.exports = {
+  create:               create,
+  RequireBoundKeyError: RequireBoundKeyError,
+};

package/lib/permissions.js

@@ -300,6 +300,29 @@ function create(opts) {
     if (policies[scope]) {
       throw _err("DUPLICATE_POLICY", "permissions.policy: '" + scope + "' is already registered");
     }
+    // Predicate-shape sanity check — predicate(actor, context) is the
+    // documented contract. Operator-supplied 0-arg or 1-arg predicates
+    // typically indicate the operator forgot the context parameter
+    // and is silently always-true for any actor (the predicate
+    // returns based on closure state instead of inspecting the
+    // actor / context). Emit a one-time audit warning at register-
+    // time so operator-side tooling sees the misconfiguration.
+    if (predicate.length < 2) {
+      try {
+        if (audit && typeof audit.safeEmit === "function") {
+          audit.safeEmit({
+            action:   "permissions.policy_predicate_shape_warning",
+            outcome:  "warning",
+            metadata: {
+              scope:    scope,
+              arity:    predicate.length,
+              expected: "predicate(actor, context) -> bool",
+              hint:     "predicate has " + predicate.length + " formal arg(s); the framework calls it as predicate(actor, context). Confirm the predicate inspects both args.",
+            },
+          });
+        }
+      } catch (_e) { /* drop-silent — audit is best-effort */ }
+    }
     policies[scope] = predicate;
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.7",
+  "version": "0.8.9",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:c89193b4-c13d-4dd9-882f-4581a77a92d9",
+  "serialNumber": "urn:uuid:b2addb57-b40a-4a44-9c34-7f7bd7d741c3",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T01:02:55.563Z",
+    "timestamp": "2026-05-07T02:18:24.599Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.7",
+      "bom-ref": "@blamejs/core@0.8.9",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.7",
+      "version": "0.8.9",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.7",
+      "purl": "pkg:npm/%40blamejs/core@0.8.9",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.7",
+      "ref": "@blamejs/core@0.8.9",
       "dependsOn": []
     }
   ]