@blamejs/core 0.9.12 → 0.9.15

package/lib/network.js

@@ -34,8 +34,8 @@ var byteQuota = require("./network-byte-quota");
 var ntpCheck = require("./ntp-check");
 var nts      = require("./network-nts");
 var dns      = require("./network-dns");
-var proxy    = require("./network-proxy");
-var trust    = require("./network-tls");
+var networkProxy = require("./network-proxy");
+var networkTls = require("./network-tls");
 var heartbeat = require("./network-heartbeat");
 var smtpPolicy = require("./network-smtp-policy");
 var ssrfGuard  = require("./ssrf-guard");
@@ -223,19 +223,19 @@ function bootFromEnv(opts) {
 
   if (env.HTTP_PROXY || env.http_proxy || env.HTTPS_PROXY || env.https_proxy ||
       env.NO_PROXY  || env.no_proxy  || env.ALL_PROXY    || env.all_proxy) {
-    applied.proxy = proxy.fromEnv(env);
+    applied.proxy = networkProxy.fromEnv(env);
   }
 
   if (env.BLAMEJS_EXTRA_CA_CERTS) {
-    trust.addCa(env.BLAMEJS_EXTRA_CA_CERTS, { label: "BLAMEJS_EXTRA_CA_CERTS" });
+    networkTls.addCa(env.BLAMEJS_EXTRA_CA_CERTS, { label: "BLAMEJS_EXTRA_CA_CERTS" });
     applied.tls.fileLoaded = env.BLAMEJS_EXTRA_CA_CERTS;
   }
   if (env.BLAMEJS_EXTRA_CA_CERTS_DIR) {
-    trust.addCaBundle(env.BLAMEJS_EXTRA_CA_CERTS_DIR, { label: "BLAMEJS_EXTRA_CA_CERTS_DIR" });
+    networkTls.addCaBundle(env.BLAMEJS_EXTRA_CA_CERTS_DIR, { label: "BLAMEJS_EXTRA_CA_CERTS_DIR" });
     applied.tls.dirLoaded = env.BLAMEJS_EXTRA_CA_CERTS_DIR;
   }
   if (env.BLAMEJS_USE_SYSTEM_TRUST === "1" || env.BLAMEJS_USE_SYSTEM_TRUST === "true") {
-    trust.useSystemTrust(true);
+    networkTls.useSystemTrust(true);
     applied.tls.systemTrust = true;
   }
 
@@ -287,10 +287,10 @@ function snapshot() {
       thresholds:  ntpCheck.getThresholds(),
     },
     dns: dns._stateForTest(),
-    proxy: proxy.snapshot(),
+    proxy: networkProxy.snapshot(),
     tls:  {
-      systemTrust: trust.isSystemTrustEnabled(),
-      caCount:     trust.getTrustStore().length,
+      systemTrust: networkTls.isSystemTrustEnabled(),
+      caCount:     networkTls.getTrustStore().length,
     },
     heartbeat: heartbeat.statuses(),
     socket: _socketDefaults(),
@@ -306,8 +306,8 @@ function _resetForTest() {
   ntpFacade._defaultTimeoutMs = null;
   if (typeof ntpCheck._resetThresholdsForTest === "function") ntpCheck._resetThresholdsForTest();
   dns._resetForTest();
-  proxy._resetForTest();
-  trust._resetForTest();
+  networkProxy._resetForTest();
+  networkTls._resetForTest();
   heartbeat._resetForTest();
   SOCKET_DEFAULTS.noDelay = true;
   SOCKET_DEFAULTS.keepAlive = true;
@@ -317,8 +317,8 @@ function _resetForTest() {
 module.exports = {
   ntp:        ntpFacade,
   dns:        dns,
-  proxy:      proxy,
-  tls:        trust,
+  proxy:      networkProxy,
+  tls:        networkTls,
   heartbeat:  heartbeat,
   smtp: {
     policy:    smtpPolicy,

package/lib/notify.js

@@ -41,7 +41,7 @@
  */
 
 var lazyRequire = require("./lazy-require");
-var bootLog = require("./log");
+var logModule = require("./log");
 var numericChecks = require("./numeric-checks");
 var requestHelpers = require("./request-helpers");
 var safeAsync = require("./safe-async");
@@ -282,14 +282,14 @@ function httpJson(opts) {
 // log — fire-and-forget developer logger. Never throws; audit + obs still emit.
 function logTransport(opts) {
   opts = opts || {};
-  // bootLog.boot() returns a callable with .info / .warn / .error
+  // logModule.boot() returns a callable with .info / .warn / .error
   // attached; that shape satisfies the operator-supplied opts.logger
   // contract directly. No fallback wrapper needed.
   var logger;
   if (opts.logger && typeof opts.logger.info === "function") {
     logger = opts.logger;
   } else {
-    logger = bootLog.boot("notify.log");
+    logger = logModule.boot("notify.log");
   }
   return {
     name: opts.name || "log",

package/lib/object-store/gcs-bucket-ops.js

@@ -23,7 +23,7 @@
  * Auth: same service-account JSON / RSA-SHA256-signed JWT exchanged
  * for an OAuth2 access token as `lib/object-store/gcs.js`.
  */
-var fs = require("node:fs");
+var nodeFs = require("node:fs");
 var gcs = require("./gcs");
 var authHeader = require("../auth-header");
 var httpClient = require("../http-client");
@@ -139,7 +139,7 @@ function create(config) {
   var serviceAccount = config.serviceAccount;
   if (!serviceAccount && config.serviceAccountFile) {
     try {
-      serviceAccount = safeJson.parse(fs.readFileSync(config.serviceAccountFile));
+      serviceAccount = safeJson.parse(nodeFs.readFileSync(config.serviceAccountFile));
     } catch (e) {
       throw _err("BAD_OPT", "gcs bucketOps: failed to read serviceAccountFile '" +
         config.serviceAccountFile + "': " + ((e && e.message) || String(e)), true);

package/lib/object-store/gcs.js

@@ -22,12 +22,12 @@
  *   https://cloud.google.com/storage/docs/json_api/v1
  *   https://developers.google.com/identity/protocols/oauth2/service-account
  */
-var fs = require("fs");
+var nodeFs = require("fs");
 var nodeCrypto = require("crypto");
 var { Readable } = require("stream");
 var safeJson = require("../safe-json");
 var C = require("../constants");
-var nb = require("../numeric-bounds");
+var numericBounds = require("../numeric-bounds");
 var requestHelpers = require("../request-helpers");
 var { ObjectStoreError } = require("../framework-error");
 var safeUrl = require("../safe-url");
@@ -125,7 +125,7 @@ function create(config) {
   var serviceAccount = config.serviceAccount;
   if (!serviceAccount && config.serviceAccountFile) {
     try {
-      serviceAccount = safeJson.parse(fs.readFileSync(config.serviceAccountFile), { schema: SERVICE_ACCOUNT_SCHEMA });
+      serviceAccount = safeJson.parse(nodeFs.readFileSync(config.serviceAccountFile), { schema: SERVICE_ACCOUNT_SCHEMA });
     } catch (e) {
       throw new Error("gcs: failed to read serviceAccountFile '" + config.serviceAccountFile + "': " + e.message);
     }
@@ -421,10 +421,10 @@ function create(config) {
         "POST-form policy enforces body size via the content-length-range condition; " +
         "use presignedUploadUrl if size enforcement is not needed", true);
     }
-    if (opts.minBytes !== undefined && !nb.isNonNegativeFiniteInt(opts.minBytes)) {
+    if (opts.minBytes !== undefined && !numericBounds.isNonNegativeFiniteInt(opts.minBytes)) {
       throw _err("INVALID_MIN_BYTES",
         "presignedUploadPolicy: minBytes must be a non-negative finite integer; got " +
-        nb.shape(opts.minBytes), true);
+        numericBounds.shape(opts.minBytes), true);
     }
     var minBytes = opts.minBytes !== undefined ? opts.minBytes : 0;
     var expiresIn = opts.expiresIn != null ? opts.expiresIn : PRESIGN_DEFAULT_EXPIRES_SECONDS;

package/lib/object-store/index.js

@@ -29,11 +29,11 @@
  */
 var localProto             = require("./local");
 var httpPutProto           = require("./http-put");
-var sigv4Proto             = require("./sigv4");
+var sigv4                  = require("./sigv4");
 var sigv4BucketOps         = require("./sigv4-bucket-ops");
-var gcsProto               = require("./gcs");
+var gcs                    = require("./gcs");
 var gcsBucketOps           = require("./gcs-bucket-ops");
-var azureBlobProto         = require("./azure-blob");
+var azureBlob              = require("./azure-blob");
 var azureBlobBucketOps     = require("./azure-blob-bucket-ops");
 var retryHelper            = require("../retry");
 var protocolDispatcher     = require("../protocol-dispatcher");
@@ -47,9 +47,9 @@ var dispatcher = protocolDispatcher.create({
   protocols: {
     "local":      localProto,
     "http-put":   httpPutProto,
-    "sigv4":      sigv4Proto,
-    "gcs":        gcsProto,
-    "azure-blob": azureBlobProto,
+    "sigv4":      sigv4,
+    "gcs":        gcs,
+    "azure-blob": azureBlob,
   },
   deferred:         {},
   fallbackProtocol: "local",

package/lib/object-store/local.js

@@ -4,15 +4,15 @@
  *
  * Implements the uniform protocol surface (put / get / getStream / delete /
  * head / list) against a directory tree. Streaming is via Node's native
- * fs.createReadStream / createWriteStream — no in-memory buffering of
+ * nodeFs.createReadStream / createWriteStream — no in-memory buffering of
  * full files.
  *
  * Path safety: every key resolves under the configured rootDir, with an
  * alphanumeric + `_-./` charset whitelist and explicit rejection of any
  * path that escapes rootDir after resolution.
  */
-var fs = require("fs");
-var path = require("path");
+var nodeFs = require("fs");
+var nodePath = require("path");
 var atomicFile = require("../atomic-file");
 var cluster = require("../cluster");
 var { ObjectStoreError } = require("../framework-error");
@@ -24,10 +24,10 @@ function _resolveSafe(rootDir, key) {
     throw _err("INVALID_KEY", "key must be a non-empty string", true);
   }
   if (key.includes("\0")) throw _err("INVALID_KEY", "null byte in key", true);
-  if (path.isAbsolute(key)) throw _err("INVALID_KEY", "absolute key not allowed", true);
+  if (nodePath.isAbsolute(key)) throw _err("INVALID_KEY", "absolute key not allowed", true);
   if (!SAFE_KEY.test(key)) throw _err("INVALID_KEY", "invalid characters in key", true);
-  var full = path.resolve(rootDir, key);
-  var withSep = rootDir.endsWith(path.sep) ? rootDir : rootDir + path.sep;
+  var full = nodePath.resolve(rootDir, key);
+  var withSep = rootDir.endsWith(nodePath.sep) ? rootDir : rootDir + nodePath.sep;
   if (full !== rootDir && !full.startsWith(withSep)) {
     throw _err("INVALID_KEY", "key escapes rootDir", true);
   }
@@ -40,14 +40,14 @@ function create(config) {
   if (!config || !config.rootDir) {
     throw new Error("local protocol requires { rootDir }");
   }
-  var rootDir = path.resolve(config.rootDir);
-  if (!fs.existsSync(rootDir)) fs.mkdirSync(rootDir, { recursive: true });
+  var rootDir = nodePath.resolve(config.rootDir);
+  if (!nodeFs.existsSync(rootDir)) nodeFs.mkdirSync(rootDir, { recursive: true });
 
   function put(key, body, _opts) {
     cluster.requireLeader();
     var full = _resolveSafe(rootDir, key);
-    var dir = path.dirname(full);
-    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    var dir = nodePath.dirname(full);
+    if (!nodeFs.existsSync(dir)) nodeFs.mkdirSync(dir, { recursive: true });
 
     if (Buffer.isBuffer(body)) {
       atomicFile.writeSync(full, body);
@@ -56,7 +56,7 @@ function create(config) {
     if (body && typeof body.pipe === "function") {
       // Streaming put — pipe directly to disk
       return new Promise(function (resolve, reject) {
-        var ws = fs.createWriteStream(full);
+        var ws = nodeFs.createWriteStream(full);
         var bytes = 0;
         body.on("data", function (chunk) { bytes += chunk.length; });
         body.pipe(ws);
@@ -75,26 +75,26 @@ function create(config) {
 
   function get(key) {
     var full = _resolveSafe(rootDir, key);
-    if (!fs.existsSync(full)) {
+    if (!nodeFs.existsSync(full)) {
       return Promise.reject(_err("NOT_FOUND", "key not found: " + key, true));
     }
-    return Promise.resolve(fs.readFileSync(full));
+    return Promise.resolve(nodeFs.readFileSync(full));
   }
 
   function getStream(key) {
     var full = _resolveSafe(rootDir, key);
-    if (!fs.existsSync(full)) {
+    if (!nodeFs.existsSync(full)) {
       throw _err("NOT_FOUND", "key not found: " + key, true);
     }
-    return fs.createReadStream(full);
+    return nodeFs.createReadStream(full);
   }
 
   function head(key) {
     var full = _resolveSafe(rootDir, key);
-    if (!fs.existsSync(full)) {
+    if (!nodeFs.existsSync(full)) {
       return Promise.reject(_err("NOT_FOUND", "key not found: " + key, true));
     }
-    var stat = fs.statSync(full);
+    var stat = nodeFs.statSync(full);
     return Promise.resolve({
       size:         stat.size,
       lastModified: stat.mtimeMs,
@@ -104,8 +104,8 @@ function create(config) {
   function deleteKey(key) {
     cluster.requireLeader();
     var full = _resolveSafe(rootDir, key);
-    if (!fs.existsSync(full)) return Promise.resolve(false);
-    fs.unlinkSync(full);
+    if (!nodeFs.existsSync(full)) return Promise.resolve(false);
+    nodeFs.unlinkSync(full);
     return Promise.resolve(true);
   }
 

package/lib/object-store/sigv4.js

@@ -29,7 +29,7 @@ var { Readable } = require("stream");
 var safeXml = require("../parsers/safe-xml");
 var sharedRequest = require("./http-request");
 var C = require("../constants");
-var nb = require("../numeric-bounds");
+var numericBounds = require("../numeric-bounds");
 var requestHelpers = require("../request-helpers");
 var { ObjectStoreError } = require("../framework-error");
 var safeUrl = require("../safe-url");
@@ -821,10 +821,10 @@ function create(config) {
         "POST-form policy enforces body size via the content-length-range condition; " +
         "use presignedUploadUrl if size enforcement is not needed", true);
     }
-    if (opts.minBytes !== undefined && !nb.isNonNegativeFiniteInt(opts.minBytes)) {
+    if (opts.minBytes !== undefined && !numericBounds.isNonNegativeFiniteInt(opts.minBytes)) {
       throw _err("INVALID_MIN_BYTES",
         "presignedUploadPolicy: minBytes must be a non-negative finite integer; got " +
-        nb.shape(opts.minBytes), true);
+        numericBounds.shape(opts.minBytes), true);
     }
     var minBytes = opts.minBytes !== undefined ? opts.minBytes : 0;
     var expiresIn = opts.expiresIn != null ? opts.expiresIn : PRESIGN_DEFAULT_EXPIRES_SECONDS;

package/lib/observability-tracer.js

@@ -73,14 +73,14 @@
  */
 
 var bCrypto = require("./crypto");
-var constants = require("./constants");
+var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var safeBuffer = require("./safe-buffer");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
 
-var TRACE_ID_BYTES = constants.BYTES.bytes(16);                                    // W3C §3.2.2.3 — 128-bit trace-id
-var SPAN_ID_BYTES  = constants.BYTES.bytes(8);                                     // W3C §3.2.2.4 — 64-bit span-id
+var TRACE_ID_BYTES = C.BYTES.bytes(16);                                    // W3C §3.2.2.3 — 128-bit trace-id
+var SPAN_ID_BYTES  = C.BYTES.bytes(8);                                     // W3C §3.2.2.4 — 64-bit span-id
 
 var TracerError = defineClass("TracerError", { alwaysPermanent: true });
 
@@ -168,7 +168,7 @@ function create(opts) {
   var resource = Object.assign({
     "service.name": opts.service,
   }, opts.resource || {});
-  var scope = opts.scope || { name: "blamejs", version: constants.version || null };
+  var scope = opts.scope || { name: "blamejs", version: C.version || null };
   var maxAttributes = opts.maxAttributes || DEFAULT_MAX_ATTRIBUTES;
   var maxEvents     = opts.maxEvents     || DEFAULT_MAX_EVENTS;
   var maxAttrValLen = opts.maxAttributeValueLength || DEFAULT_MAX_ATTR_VALUE_LEN;

package/lib/otel-export.js

@@ -41,7 +41,7 @@
  */
 var C = require("./constants");
 var canonicalJson = require("./canonical-json");
-var defaultHttpClient = require("./http-client");
+var httpClient = require("./http-client");
 var safeAsync = require("./safe-async");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
@@ -110,7 +110,7 @@ function create(opts) {
     throw new OtelExportError("otel-export/bad-interval",
       "create: intervalMs must be a non-negative finite number");
   }
-  var httpClient = opts.httpClient || defaultHttpClient;
+  var effectiveHttpClient = opts.httpClient || httpClient;
   var scopeName = (opts.scope && opts.scope.name) || "blamejs";
   var scopeVersion = (opts.scope && opts.scope.version) || "0.5.x";
   var resourceAttrs = Object.assign({ "service.name": serviceName },
@@ -220,7 +220,7 @@ function create(opts) {
     if (!payload) return { sent: false, reason: "no-data" };
     var body = JSON.stringify(payload);
     try {
-      var res = await httpClient.request({
+      var res = await effectiveHttpClient.request({
         method:  "POST",
         url:     endpoint,
         headers: Object.assign({ "Content-Type": "application/json" }, headers),

package/lib/pagination.js

@@ -49,8 +49,8 @@
 var nodeCrypto = require("node:crypto");
 var C = require("./constants");
 var canonicalJson = require("./canonical-json");
-var crypto = require("./crypto");
-var nb = require("./numeric-bounds");
+var bCrypto = require("./crypto");
+var numericBounds = require("./numeric-bounds");
 var safeJson = require("./safe-json");
 var safeSql = require("./safe-sql");
 var { defineClass } = require("./framework-error");
@@ -185,7 +185,7 @@ function decodeCursor(token, secret) {
     throw new PaginationError("pagination/bad-cursor", "cursor base64 decode failed");
   }
   var expected = _tag(sb, json);
-  if (!crypto.timingSafeEqual(tag, expected)) {
+  if (!bCrypto.timingSafeEqual(tag, expected)) {
     throw new PaginationError("pagination/cursor-tag-mismatch",
       "cursor HMAC verification failed (tampered or wrong secret)");
   }
@@ -205,9 +205,9 @@ function decodeCursor(token, secret) {
 }
 
 function _resolveLimit(opts) {
-  nb.requirePositiveFiniteIntIfPresent(opts.max,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.max,
     "max", PaginationError, "pagination/bad-opt");
-  nb.requirePositiveFiniteIntIfPresent(opts.default,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.default,
     "default", PaginationError, "pagination/bad-opt");
   var max = opts.max || DEFAULT_MAX_LIMIT;
   var def = opts.default || DEFAULT_LIMIT;

package/lib/parsers/safe-xml.js

@@ -40,7 +40,7 @@
  */
 
 var C = require("../constants");
-var nb = require("../numeric-bounds");
+var numericBounds = require("../numeric-bounds");
 var safeBuffer = require("../safe-buffer");
 var { FrameworkError } = require("../framework-error");
 
@@ -77,10 +77,10 @@ var BUILT_IN_ENTITIES = { lt: "<", gt: ">", amp: "&", quot: "\"", apos: "'" };
 
 function _validateAndCap(name, value, defaultValue, ceiling) {
   if (value === undefined) return defaultValue;
-  if (!nb.isPositiveFiniteInt(value)) {
+  if (!numericBounds.isPositiveFiniteInt(value)) {
     throw new SafeXmlError("xml/bad-opt",
       "xml.parse: " + name + " must be a positive finite integer; got " +
-      nb.shape(value));
+      numericBounds.shape(value));
   }
   return Math.min(value, ceiling);
 }

package/lib/pqc-agent.js

@@ -1,31 +1,29 @@
 "use strict";
 /**
- * pqc-agent — outbound HTTPS agent locked to PQC group preference.
+ * @module     b.pqcAgent
+ * @nav        Production
+ * @title      PQC Agent
+ * @order      630
  *
- * The framework's posture is "all outbound TLS is PQC-only". This is
- * the single primitive that defines what that means at the agent
- * level: TLSv1.3 minimum, ecdhCurve set to the framework's PQC hybrid
- * preference (constants.TLS_GROUP_CURVE_STR), keep-alive on.
+ * @intro
+ *   Outbound HTTPS agent locked to the framework's PQC group preference.
+ *   The framework's posture is "all outbound TLS is PQC-only"; this
+ *   primitive defines what that means at the agent level — TLSv1.3
+ *   minimum, `ecdhCurve` set to the framework's PQC hybrid preference
+ *   (`constants.TLS_GROUP_CURVE_STR`), keep-alive on.
  *
- * Two surfaces:
+ *   `b.pqcAgent.agent` is a process-wide default agent, lazy-built on
+ *   first access; `b.pqcAgent.create(opts)` builds a fresh agent with
+ *   custom pool / timeout opts (ecdhCurve and minVersion cannot be
+ *   weakened); `b.pqcAgent.reload()` tears down the default agent so
+ *   the next access rebuilds against current TLS posture.
  *
- *   1. b.pqcAgent.agent — a process-wide default agent, lazy-built on
- *      first access. Use this for one-off outbound calls that go
- *      through node:https directly:
+ *   `lib/http-client.js`'s transport cache uses `pqcAgent.create()` under
+ *   the hood, so the framework's bundled HTTP client and any operator-
+ *   direct `https.request` calls converge on the same agent posture.
  *
- *        https.request(url, { agent: b.pqcAgent.agent }, ...);
- *
- *   2. b.pqcAgent.create(opts) — build a fresh agent with custom
- *      pool / timeout opts. ecdhCurve and minVersion CANNOT be
- *      weakened via opts; operator-supplied values for those are
- *      ignored and the framework's defaults win. Operators who need
- *      a non-PQC agent for a deliberate one-off integration with a
- *      non-PQC server construct their own new https.Agent() directly,
- *      outside this primitive.
- *
- * lib/http-client.js's transport cache uses pqcAgent.create() under
- * the hood, so the framework's bundled HTTP client and any operator-
- * direct https.request calls converge on the same agent posture.
+ * @card
+ *   Outbound HTTPS agent locked to TLSv1.3 + framework PQC hybrid group preference.
  */
 
 var https = require("node:https");
@@ -152,14 +150,63 @@ function _buildAgentOpts(opts) {
   return merged;
 }
 
+/**
+ * @primitive b.pqcAgent.create
+ * @signature b.pqcAgent.create(opts?)
+ * @since     0.5.0
+ * @status    stable
+ * @related   b.pqcAgent.reload
+ *
+ * Build a fresh https.Agent locked to the framework PQC hybrid group
+ * preference (TLSv1.3 minimum, ecdhCurve set to
+ * `C.TLS_GROUP_CURVE_STR`). Operator-supplied values for ecdhCurve
+ * may NARROW the framework default (drop a group) but cannot widen it
+ * unless `opts.allowOperatorGroups: true` is set; minVersion is fixed
+ * at TLSv1.3 and cannot be weakened.
+ *
+ * @opts
+ *   keepAlive?:           boolean,
+ *   keepAliveMsecs?:      number,
+ *   maxSockets?:          number,
+ *   maxFreeSockets?:      number,
+ *   scheduling?:          string,
+ *   ecdhCurve?:           string,   // colon-separated group names; must subset C.TLS_GROUP_PREFERENCE
+ *   allowOperatorGroups?: boolean,  // default false; opt in to operator-supplied groups outside the framework PQC preference
+ *
+ * @example
+ *   var agent = b.pqcAgent.create({ maxSockets: 200 });
+ *   var req = https.request("https://api.example.com/v1/x", { agent: agent });
+ *   req.end();
+ */
 function create(opts) {
   return new https.Agent(_buildAgentOpts(opts));
 }
 
-// http (cleartext) variant — same pool defaults but obviously no TLS
-// posture to enforce. Operator-side, almost no caller wants this; it
-// exists so http-client's h1 transport for cleartext origins (h2c
-// fixtures, internal services) shares the pool tuning.
+/**
+ * @primitive b.pqcAgent.createHttp
+ * @signature b.pqcAgent.createHttp(opts?)
+ * @since     0.5.0
+ * @status    stable
+ * @related   b.pqcAgent.create
+ *
+ * Build a cleartext `http.Agent` with the same pool defaults as
+ * `b.pqcAgent.create` — no TLS posture to enforce. Exists so the
+ * framework's HTTP client's h1 transport for cleartext origins (h2c
+ * fixtures, internal services on a private network) shares the same
+ * pool tuning as the encrypted path.
+ *
+ * @opts
+ *   keepAlive?:      boolean,
+ *   keepAliveMsecs?: number,
+ *   maxSockets?:     number,
+ *   maxFreeSockets?: number,
+ *   scheduling?:     string,
+ *
+ * @example
+ *   var agent = b.pqcAgent.createHttp({ maxSockets: 100 });
+ *   var req = http.request("http://internal.svc/health", { agent: agent });
+ *   req.end();
+ */
 function createHttp(opts) {
   return new http.Agent(Object.assign({}, DEFAULT_OPTS, opts || {}));
 }
@@ -173,11 +220,54 @@ function _getDefaultAgent() {
   return _defaultAgent;
 }
 
+/**
+ * @primitive b.pqcAgent.reload
+ * @signature b.pqcAgent.reload()
+ * @since     0.9.14
+ * @status    stable
+ * @related   b.pqcAgent.create
+ *
+ * Tear down the lazily-built default agent and reset to null so the
+ * next `b.pqcAgent.agent` access rebuilds against current TLS posture
+ * + network-tls applyToContext output.
+ *
+ * Long-running daemons that rotate the framework's TLS posture (via
+ * `b.network.tls` config refresh, certificate-pinset reload, or a
+ * `C.TLS_GROUP_PREFERENCE` update behind a feature flag) need a way
+ * to re-source the outbound https.Agent without forking a new
+ * process. `reload()` calls `.destroy()` on the existing default
+ * agent — Node closes idle keep-alive sockets and lets in-flight
+ * sockets complete naturally — then nulls the cache so the next
+ * `agent` access builds fresh. Agents handed out via explicit
+ * `b.pqcAgent.create()` are unaffected; only the framework's lazy
+ * default is recycled.
+ *
+ * Returns `{ destroyed: boolean }` — `destroyed: true` when an agent
+ * was actually torn down, `false` when no default had been built
+ * (no callers yet asked for it).
+ *
+ * @example
+ *   // operator's daemon picked up a refreshed TLS-pinset config:
+ *   b.network.tls.reload();
+ *   var res = b.pqcAgent.reload();
+ *   logger.info("pqc-agent reloaded", res);
+ */
+function reload() {
+  var hadAgent = _defaultAgent !== null;
+  if (hadAgent) {
+    try { _defaultAgent.destroy(); }
+    catch (_e) { /* destroy is best-effort */ }
+    _defaultAgent = null;
+  }
+  return { destroyed: hadAgent };
+}
+
 module.exports = {
   // Read property — getter so the agent is built on first access.
   get agent()  { return _getDefaultAgent(); },
   create:      create,
   createHttp:  createHttp,
+  reload:      reload,
   DEFAULT_OPTS: DEFAULT_OPTS,
   KNOWN_TLS_GROUPS: KNOWN_TLS_GROUPS,
   enforced:    true,

package/lib/pqc-gate.js

@@ -39,7 +39,7 @@
 var net = require("node:net");
 var C = require("./constants");
 var { PQC_GROUPS } = require("./constants");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var validateOpts = require("./validate-opts");
 var { boot } = require("./log");
 
@@ -155,14 +155,14 @@ function create(opts) {
   }
   var internalHost = typeof opts.internalHost === "string" ? opts.internalHost : "127.0.0.1";
   var bypass       = Array.isArray(opts.bypass) ? opts.bypass.slice() : DEFAULT_BYPASS.slice();
-  if (opts.clientHelloTimeoutMs !== undefined && !nb.isPositiveFiniteInt(opts.clientHelloTimeoutMs)) {
+  if (opts.clientHelloTimeoutMs !== undefined && !numericBounds.isPositiveFiniteInt(opts.clientHelloTimeoutMs)) {
     throw new Error("pqc-gate: clientHelloTimeoutMs must be a positive finite integer; got " +
-      nb.shape(opts.clientHelloTimeoutMs));
+      numericBounds.shape(opts.clientHelloTimeoutMs));
   }
   var clientHelloTimeoutMs = opts.clientHelloTimeoutMs || DEFAULT_CLIENTHELLO_TIMEOUT_MS;
-  if (opts.maxClientHelloBytes !== undefined && !nb.isPositiveFiniteInt(opts.maxClientHelloBytes)) {
+  if (opts.maxClientHelloBytes !== undefined && !numericBounds.isPositiveFiniteInt(opts.maxClientHelloBytes)) {
     throw new Error("pqc-gate: maxClientHelloBytes must be a positive finite integer; got " +
-      nb.shape(opts.maxClientHelloBytes));
+      numericBounds.shape(opts.maxClientHelloBytes));
   }
   var maxClientHelloBytes  = opts.maxClientHelloBytes || DEFAULT_MAX_CLIENTHELLO_BYTES;
   var log = opts.log || null;

package/lib/pubsub-redis.js

@@ -22,7 +22,7 @@
  * conventions of its own.
  */
 var C = require("./constants");
-var fwCrypto = require("./crypto");
+var bCrypto = require("./crypto");
 var lazyRequire = require("./lazy-require");
 var redisClient = require("./redis-client");
 var safeJson = require("./safe-json");
@@ -39,7 +39,7 @@ function create(opts) {
   // the local dispatch synchronously before awaiting the remote
   // write — without this filter every same-instance publish would
   // double-fire local handlers).
-  var instanceNonce = fwCrypto.generateToken(C.BYTES.bytes(8));
+  var instanceNonce = bCrypto.generateToken(C.BYTES.bytes(8));
 
   var clientOpts = redisClient.pickClientOpts(opts, "redis");