@blamejs/core 0.9.39 → 0.9.41

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.41 (2026-05-15) — **Operator-friction ergonomic helpers surfaced from downstream-consumer gap audit.** Three small additive surfaces, no behavior change for existing callers. (1) **`b.storage.listBackends()`** now surfaces `rootDir` for local-protocol backends, sourced from the live backend (with config-reload propagation) so downstream path-traversal guards + scratch-dir derivation read the canonical path directly from the framework instead of re-deriving from operator-supplied opts. Remote protocols (sigv4 / gcs / azure-blob / http-put) don't carry a rootDir; the field stays absent for those. (2) **`b.problemDetails.send(res, fields)`** — bare wire-shape emit shortcut that lets routes migrate incrementally from inline `res.status(400).json({ error: ... })` to RFC 9457 problem-details without restructuring the handler around an error throw. Equivalent to `respond(res, create(fields))` in one call; same `application/problem+json` content type + `Cache-Control: no-store`. (3) **`b.mail.send` CR/LF/NUL refusal** confirmed already in place at `lib/mail.js:275` / `:309` / `:1808` per RFC 5321 §2.3.8 + RFC 5322 §3.2.5 header-injection defense — operators with inline `validateEmailAddr` wrappers can retire them. No new API, just confirmation that the existing primitive already covers the wire-protocol injection class (CVE-2026-32178 .NET System.Net.Mail header injection defended at the framework boundary).
+- v0.9.40 (2026-05-15) — **`b.guardListId` — RFC 2919 List-Id header validator.** Companion to v0.9.39 `b.guardListUnsubscribe`; gates outbound mailing-list mail so the List-Id carries a well-formed identifier downstream filters + bulk-sender pipelines reliably route on. (1) **`b.guardListId.validate(headerValue, opts?)`** — parses bracketed (`<my-list.example.com>`), phrase-prefixed (`My Newsletter <my-list.example.com>`), and bare-identifier forms per RFC 2919 §2. Returns `{ action, listId, label, namespace, phrase, reason }`. Action one of `accept` / `refuse`. (2) **RFC 2919 §3 caps + ABNF** — list-id capped at 255 octets; header value capped at RFC 5322 §2.1.1 line cap (998 bytes); per-label shape per RFC 5322 §3.2.3 dot-atom-text. (3) **Phrase-smuggling defense** — phrase MUST NOT contain `<` / `>` (would smuggle a second bracketed identifier through the parser). Trailing content after `>` refused. Nested or unmatched brackets refused. (4) **CRLF / NUL / C0 / DEL refusal** — header-injection defense per RFC 5322 §3.2.5 + CVE-2026-32178 wire-protocol surface class. (5) **`localhost` namespace handling** (RFC 2919 §3) — strict requires the recommended 32-hex random component in the label (the SHOULD becomes operator-strict for HIPAA / PCI / GDPR / SOC2 postures); balanced / permissive accept without. (6) **FQDN namespace enforcement** under strict / balanced — list-id with single-label namespace (e.g. `mylist.test`) refused unless permissive. (7) Heuristic label / namespace split — last 2 dot-segments → namespace (matches typical DNS delegation); consumers needing PSL-accurate org-domain extraction compose `b.publicSuffix.organizationalDomain`. Three profiles + posture cascade (hipaa / pci-dss / gdpr / soc2 → strict). Fuzz harness ships in `fuzz/guard-list-id.fuzz.js`. Registered as standalone guard with `KIND="list-id"`. Threat-model: List-Id forging (RFC 2919 §8 explicitly notes the identifier is NOT an authentication signal; operators wanting authentication compose b.mail.auth.dmarc / arc.verify), bulk-sender bucket-drop (Gmail 2024 keys on List-Id presence for Precedence: list / 5000+ daily-send mail).
 - v0.9.39 (2026-05-15) — **`b.guardListUnsubscribe` — RFC 2369 + RFC 8058 List-Unsubscribe / List-Unsubscribe-Post validator.** Gates the outbound submission path so messages carrying a List-Id (or any mailing-list shape) emit headers Gmail / Yahoo / Outlook one-click unsubscribe machinery actually accepts. (1) **`b.guardListUnsubscribe.validate({ listUnsubscribe, listUnsubscribePost }, opts?)`** — returns `{ action, reason, uris, hasHttpsUri, hasMailtoUri, postHeaderOk, oneClickReady }`. (2) **Gmail / Yahoo bulk-sender 2024 enforcement** — under strict requires at least one `https://` URI in the header (mailto: alone refused) + the paired `List-Unsubscribe-Post: List-Unsubscribe=One-Click` value EXACTLY (case-sensitive — Gmail silently fails one-click on mixed-case variants). (3) **Always-refused schemes** — `javascript:` / `data:` / `file:` / `vbscript:` / `blob:` refused regardless of profile (XSS / file-read class in mail-client rendering). (4) **`http://` refused under strict / balanced** — one-click endpoint MUST be TLS per RFC 8058 §2. Permissive accepts http for audit-only legacy use. (5) **Header-injection defense** — CRLF, NUL, C0 controls, DEL refused at validate time (RFC 5322 §3.2.5). (6) **Bounded surface** — per-URI byte cap (2 KiB strict / 4 KiB permissive), URI-count cap (4 / 8 / 16), header total byte cap (4 / 4 / 8 KiB). RFC 3986 §3.1 scheme shape; RFC 2369 §3.1 angle-bracket URI list. HTTPS URIs validated through `b.safeUrl.parse` with the framework's HTTPS allowlist. Three profiles + posture cascade (hipaa / pci-dss / gdpr / soc2 → strict). Fuzz harness ships in `fuzz/guard-list-unsubscribe.fuzz.js`. Registered as a standalone guard with KIND="list-unsubscribe". Threat-model coverage: unsubscribe-link injection via AI-generated newsletter templates, open-redirect via List-Unsubscribe (operator validates target host downstream via own safeRedirect allowlist), mail-client mishandling (Outlook's mailto: auto-fetch history).
 - v0.9.38 (2026-05-15) — **Re-publish bundle: prefix npm tarball path with `./` so npm doesn't mis-classify it as a git spec.** v0.9.30 and v0.9.37 publish workflow runs both failed at exit 128 — npm 10+ interprets a relative tarball path containing `/` (`dist/blamejs-core-0.9.X.tgz`) as a git spec and attempts `git ls-remote ssh://git@github.com/dist/...tgz`, which the runner's SSH credentials can't auth against. v0.9.29-v0.9.37 never reached npm as a result; v0.9.28 remained the latest published version on the registry. v0.9.38 ships only the workflow path fix (no operator-facing primitive change vs v0.9.37) — operators upgrading from v0.9.28 see the full bundled surface delivered by v0.9.29-v0.9.37: agent.trace + agent.snapshot (v0.9.29 / v0.9.30), safeDns + network.dns.resolver (v0.9.31), guardSmtpCommand (v0.9.32), mail.rbl (v0.9.33), mail.greylist + lib/ip-utils (v0.9.34), mail.helo (v0.9.35), guardEnvelope (v0.9.36), guardDsn (v0.9.37).
 - v0.9.37 (2026-05-15) — **`b.guardDsn` — RFC 3464 Delivery Status Notification parser.** Reads the `message/delivery-status` MIME-part body bounces / delayed-delivery notices / successful-delivery confirmations carry and surfaces the per-recipient action + RFC 3463 enhanced status code so operator-side delivery-failure routing (`b.mail.bounce` retry curve, address-book invalidation, mailing-list cleanup, transactional-mail dead-letter) reads one shape regardless of MTA wording. (1) **`b.guardDsn.parse(deliveryStatusBody, opts?)`** — returns `{ perMessage: { reportingMta, originalEnvelopeId?, arrivalDate?, receivedFromMta? }, perRecipients: [{ finalRecipient, action, status, statusClass, diagnosticCode? }, ...], worstStatusClass, action }`. (2) **RFC 3464 mandatory-field enforcement** — Reporting-MTA required per §2.2.2; per-recipient Final-Recipient (§2.3.2), Action (§2.3.3) from `{ failed | delayed | delivered | relayed | expanded }` vocabulary, and Status (§2.3.4) in RFC 3463 `D.D.D` form all required. Missing-field → typed error (`guard-dsn/missing-{reporting-mta|final-recipient|action|status}`). (3) **RFC 3463 status-class verdict** — first digit drives routing: `2.x.y` → success / deliver; `4.x.y` → temporary / retry; `5.x.y` → permanent / invalidate. Worst class across recipients wins so a single permanent failure in a multi-recipient bounce flips `action: invalidate`. (4) **Defenses** — bounded body cap (256 KiB strict / 1 MiB balanced / 4 MiB permissive), per-DSN recipient cap (256 / 1024 / 4096), RFC 5322 §2.1.1 header-line cap (998 bytes), CRLF / NUL / C0 / DEL refusal for header-injection defense (CVE-2026-32178 .NET System.Net.Mail class on the inbound parse path). (5) **RFC 5322 §2.2 continuation lines** — values can wrap onto subsequent lines starting with whitespace; parser folds correctly. (6) **`rfc822;` address-type prefix** stripped per RFC 3464 §2.3.2 so consumers see canonical mailbox form. Three profiles + posture cascade (hipaa / pci-dss / gdpr / soc2 → strict). Fuzz harness ships in `fuzz/guard-dsn.fuzz.js`.

package/index.js

@@ -165,6 +165,7 @@ var guardSmtpCommand = require("./lib/guard-smtp-command");
 var guardEnvelope = require("./lib/guard-envelope");
 var guardDsn = require("./lib/guard-dsn");
 var guardListUnsubscribe = require("./lib/guard-list-unsubscribe");
+var guardListId = require("./lib/guard-list-id");
 var guardMailQuery = require("./lib/guard-mail-query");
 var guardMailCompose = require("./lib/guard-mail-compose");
 var guardMailReply = require("./lib/guard-mail-reply");
@@ -434,6 +435,7 @@ module.exports = {
   guardEnvelope:    guardEnvelope,
   guardDsn:         guardDsn,
   guardListUnsubscribe: guardListUnsubscribe,
+  guardListId:      guardListId,
   guardMailQuery:   guardMailQuery,
   guardMailCompose: guardMailCompose,
   guardMailReply:   guardMailReply,

package/lib/guard-list-id.js

@@ -0,0 +1,309 @@
+"use strict";
+/**
+ * @module     b.guardListId
+ * @nav        Guards
+ * @title      Guard List-Id
+ * @order      466
+ *
+ * @intro
+ *   RFC 2919 `List-Id` header validator. Companion to
+ *   `b.guardListUnsubscribe`; gates the outbound submission path so
+ *   mailing-list mail carries a well-formed list identifier that
+ *   downstream mail-client filters + bulk-sender pipelines can
+ *   reliably route on.
+ *
+ *   ## RFC 2919 §2 ABNF
+ *
+ *   ```
+ *   list-id           = list-label "." list-id-namespace
+ *   list-label        = dot-atom-text       (RFC 5322)
+ *   list-id-namespace = domain-name / "localhost"
+ *   ```
+ *
+ *   Headers MAY surround the identifier in angle brackets and
+ *   prepend a phrase + comment:
+ *
+ *   ```
+ *   List-Id: My Newsletter <my-newsletter.example.com>
+ *   List-Id: (Comment text) <list-12345.example.com>
+ *   ```
+ *
+ *   This validator parses both bare-identifier and bracketed forms,
+ *   refusing the address-list-injection class.
+ *
+ *   ## Defenses
+ *
+ *   - **Length cap** — RFC 2919 §3 caps the list identifier at 255
+ *     octets. Total header value capped at 998 bytes per RFC 5322
+ *     §2.1.1 line cap.
+ *   - **CRLF + control-char refusal** — header-injection defense
+ *     (CVE-2026-32178 .NET System.Net.Mail class on the wire-protocol
+ *     surface; this primitive's job is the SEMANTIC shape).
+ *   - **Phrase-injection refusal** — Operator-supplied display
+ *     phrase mustn't carry CRLF / `<` / `>` outside the angle
+ *     brackets (a separate Bcc/Cc header smuggled into the phrase
+ *     fails the parse).
+ *   - **Domain shape** — dot-atom-text per RFC 5322 §3.2.3; LDH
+ *     labels per RFC 5321 §2.3.5; at least one `.` separator
+ *     (rejects bare `mylist` claims).
+ *   - **`localhost` namespace** — RFC 2919 §3 permits, but operator
+ *     MUST also carry the recommended 32-hex random component when
+ *     using `localhost`. Strict refuses unmanaged identifiers
+ *     missing the randomness suffix (`SHOULD` semantics).
+ *
+ *   ## CVE / threat model
+ *
+ *   - **List-Id forging** — RFC 2919 §8 explicitly notes the
+ *     identifier is NOT an authentication signal; this primitive
+ *     refuses the SHAPE-injection class (mailing-list pipelines
+ *     that crash or mis-route on malformed List-Id). Operators
+ *     wanting authentication compose b.mail.auth.dmarc.evaluate /
+ *     b.mail.auth.arc.verify on top.
+ *   - **Bulk-sender bucket-drop** — Gmail's 2024 bulk-sender
+ *     requirements key on List-Id presence for messages with
+ *     `Precedence: list` or 5000+ daily sends; malformed List-Id
+ *     drops the message into spam. This primitive surfaces the
+ *     refuse-at-submit verdict so operators see the issue at
+ *     send-time, not at delivery.
+ *
+ * @card
+ *   RFC 2919 List-Id validator. Parses bare + bracketed + phrase-prefixed forms; refuses CRLF / control-char / phrase-injection / non-LDH domain / >255-octet identifier / bare-host claim. Companion to b.guardListUnsubscribe for outbound mailing-list compliance.
+ */
+
+var C                  = require("./constants");
+var { defineClass }    = require("./framework-error");
+
+var GuardListIdError = defineClass("GuardListIdError", { alwaysPermanent: true });
+
+var DEFAULT_PROFILE = "strict";
+
+var PROFILES = Object.freeze({
+  strict: {
+    maxBytes:           998,                                                                             // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap
+    maxListIdBytes:     255,                                                                             // allow:raw-byte-literal — RFC 2919 §3 cap
+    requireFqdn:        true,
+    requireRandomForLocalhost: true,
+    allowPhrase:        true,
+  },
+  balanced: {
+    maxBytes:           998,                                                                             // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap
+    maxListIdBytes:     255,                                                                             // allow:raw-byte-literal — RFC 2919 §3 cap
+    requireFqdn:        true,
+    requireRandomForLocalhost: false,
+    allowPhrase:        true,
+  },
+  permissive: {
+    maxBytes:           C.BYTES.kib(4),
+    maxListIdBytes:     512,                                                                             // allow:raw-byte-literal — permissive max
+    requireFqdn:        false,
+    requireRandomForLocalhost: false,
+    allowPhrase:        true,
+  },
+});
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  hipaa:     "strict",
+  "pci-dss": "strict",
+  gdpr:      "strict",
+  soc2:      "strict",
+});
+
+// RFC 5322 §3.2.3 dot-atom-text shape — alphanumeric + select
+// printable specials. We don't allow the full atext set because
+// the relaxed forms (`!`, `#`, `$`, etc.) almost never appear in
+// real-world list IDs and the strictness defends parser drift in
+// downstream consumers.
+var DOT_ATOM_LABEL_RE = /^[A-Za-z0-9](?:[A-Za-z0-9_-]*[A-Za-z0-9])?$/;                                  // allow:regex-no-length-cap — per-label repeat-cap matches RFC 5321 §2.3.5
+// 32-hex-char random component RFC 2919 §3 recommends for
+// `localhost` namespace identifiers. We test for AT LEAST 32 hex
+// chars somewhere in the list-label part.
+var RANDOM_HEX_RE = /[0-9a-fA-F]{32}/;                                                                  // allow:regex-no-length-cap — anchored repeat-cap
+
+/**
+ * @primitive b.guardListId.validate
+ * @signature b.guardListId.validate(headerValue, opts?)
+ * @since     0.9.40
+ * @status    stable
+ * @related   b.guardListUnsubscribe.validate, b.guardEmail.validateMessage
+ *
+ * Validate an RFC 2919 `List-Id` header value. Accepts:
+ *
+ *   - `<my-list.example.com>` (bracketed bare-identifier form)
+ *   - `My Newsletter <my-list.example.com>` (phrase + bracketed)
+ *   - `my-list.example.com` (bare, no brackets — RFC 2919 allows)
+ *
+ * Returns `{ action, listId, namespace, phrase?, reason }`.
+ * Action one of `"accept"` / `"refuse"`.
+ *
+ * @opts
+ *   profile:   "strict" | "balanced" | "permissive",
+ *   posture:   "hipaa" | "pci-dss" | "gdpr" | "soc2",
+ *
+ * @example
+ *   var v = b.guardListId.validate("My Newsletter <newsletter.example.com>");
+ *   if (v.action === "accept") emit("List-Id: " + v.raw);
+ */
+function validate(headerValue, opts) {
+  opts = opts || {};
+  var caps = _resolveProfile(opts);
+  if (typeof headerValue !== "string") {
+    throw new GuardListIdError("guard-list-id/bad-input",
+      "validate: headerValue must be a string");
+  }
+  if (headerValue.length === 0) {
+    return _refuse("empty List-Id header value");
+  }
+  if (Buffer.byteLength(headerValue, "utf8") > caps.maxBytes) {
+    return _refuse("List-Id header exceeds maxBytes=" + caps.maxBytes + " (RFC 5322 §2.1.1)");
+  }
+  if (_hasControlChar(headerValue) || headerValue.indexOf("\r") !== -1 || headerValue.indexOf("\n") !== -1) {
+    return _refuse("header contains CRLF / NUL / C0 / DEL (header-injection defense)");
+  }
+
+  // Extract optional phrase + bracketed identifier OR bare identifier.
+  var trimmed = headerValue.trim();
+  var phrase  = null;
+  var listId  = null;
+  var lt = trimmed.indexOf("<");
+  if (lt !== -1) {
+    var gt = trimmed.indexOf(">", lt + 1);
+    if (gt === -1 || trimmed.indexOf("<", lt + 1) !== -1) {
+      return _refuse("malformed angle brackets in List-Id");
+    }
+    if (gt !== trimmed.length - 1) {
+      return _refuse("trailing content after '>' in List-Id");
+    }
+    phrase = trimmed.slice(0, lt).trim();
+    listId = trimmed.slice(lt + 1, gt).trim();
+    if (phrase.length > 0) {
+      if (!caps.allowPhrase) {
+        return _refuse("phrase before <list-id> refused by profile");
+      }
+      // Phrase-injection defense — phrase MUST NOT carry `<` / `>`
+      // (would smuggle a second bracketed identifier).
+      if (phrase.indexOf("<") !== -1 || phrase.indexOf(">") !== -1) {
+        return _refuse("phrase contains '<' or '>' (List-Id smuggling defense)");
+      }
+    }
+  } else {
+    // Bare identifier — RFC 2919 §3 allows.
+    listId = trimmed;
+  }
+
+  if (listId.length === 0) {
+    return _refuse("empty list-id (RFC 2919 §3)");
+  }
+  if (Buffer.byteLength(listId, "utf8") > caps.maxListIdBytes) {
+    return _refuse("list-id exceeds RFC 2919 §3 cap=" + caps.maxListIdBytes);
+  }
+
+  // RFC 2919 §2: `list-id = list-label "." list-id-namespace`.
+  // Both sides are dot-atom-text, so string parsing alone can't
+  // recover the boundary without Public Suffix List awareness
+  // (`team.example.com` could be label=team / ns=example.com OR
+  // label=team.example / ns=com). The earlier last-2-segment
+  // heuristic produced empty `label` for 2-label IDs (Codex P1 on
+  // PR #64), which violates RFC 2919 §2's required label "."
+  // namespace decomposition.
+  //
+  // Drop the heuristic split — surface only the raw `listId` (and
+  // the parsed `phrase`). Consumers that need an org-domain split
+  // compose `b.publicSuffix.organizationalDomain(listId)` directly,
+  // which is PSL-accurate (handles `.co.uk`, `.com.au`, etc.).
+  if (listId.indexOf(".") === -1) {
+    return _refuse("list-id missing '.' separator (RFC 2919 §2; bare-host '" + listId + "')");
+  }
+  var parts = listId.split(".");
+  for (var i = 0; i < parts.length; i += 1) {
+    if (parts[i].length === 0) {
+      return _refuse("empty label in list-id '" + listId + "' (RFC 5322 dot-atom-text)");
+    }
+    if (!DOT_ATOM_LABEL_RE.test(parts[i])) {                                                             // allow:regex-no-length-cap — label length-bounded by maxListIdBytes
+      return _refuse("label '" + parts[i] + "' not dot-atom-text shape (RFC 5322 §3.2.3)");
+    }
+  }
+  // RFC 2919 §2 requires AT LEAST one `.` (label + namespace);
+  // strict/balanced ALSO require the namespace to be a FQDN, which
+  // means a minimum of 3 labels total (label + ns-label + ns-tld)
+  // OR a 2-label list-id where the namespace is `localhost`.
+  if (caps.requireFqdn) {
+    var lastLabel = parts[parts.length - 1].toLowerCase();
+    if (parts.length < 3 && lastLabel !== "localhost") {                                                 // allow:raw-byte-literal — FQDN requires ≥ 3 labels for non-localhost
+      return _refuse("list-id has < 3 labels for non-localhost namespace (FQDN required under '" +
+        (opts.profile || DEFAULT_PROFILE) + "')");
+    }
+  }
+
+  // RFC 2919 §3: `localhost` namespace SHOULD carry 32-hex
+  // randomness in the label.
+  var isLocalhost = parts[parts.length - 1].toLowerCase() === "localhost";
+  if (isLocalhost) {
+    if (caps.requireRandomForLocalhost && !RANDOM_HEX_RE.test(listId)) {                                 // allow:regex-no-length-cap — listId length-bounded above
+      return _refuse("localhost namespace requires 32-hex random component per RFC 2919 §3 SHOULD");
+    }
+  }
+
+  return {
+    action:    "accept",
+    listId:    listId,
+    phrase:    phrase,
+    reason:    "List-Id compliant with RFC 2919 §2",
+  };
+}
+
+/**
+ * @primitive b.guardListId.compliancePosture
+ * @signature b.guardListId.compliancePosture(posture)
+ * @since     0.9.40
+ * @status    stable
+ *
+ * Return the effective profile name for a compliance posture, or
+ * `null` for unknown posture names.
+ *
+ * @example
+ *   b.guardListId.compliancePosture("hipaa");   // → "strict"
+ */
+function compliancePosture(posture) {
+  return COMPLIANCE_POSTURES[posture] || null;
+}
+
+function _hasControlChar(s) {
+  for (var i = 0; i < s.length; i += 1) {
+    var c = s.charCodeAt(i);
+    if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) {                                          // allow:raw-byte-literal — RFC 5322 control + TAB allow
+      return true;
+    }
+  }
+  return false;
+}
+
+function _refuse(reason) {
+  return {
+    action:    "refuse",
+    listId:    null,
+    phrase:    null,
+    reason:    reason,
+  };
+}
+
+function _resolveProfile(opts) {
+  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
+    return PROFILES[COMPLIANCE_POSTURES[opts.posture]];
+  }
+  var p = opts.profile || DEFAULT_PROFILE;
+  if (!PROFILES[p]) {
+    throw new GuardListIdError("guard-list-id/bad-profile",
+      "guardListId: unknown profile '" + p + "'");
+  }
+  return PROFILES[p];
+}
+
+module.exports = {
+  validate:               validate,
+  compliancePosture:      compliancePosture,
+  PROFILES:               PROFILES,
+  COMPLIANCE_POSTURES:    COMPLIANCE_POSTURES,
+  GuardListIdError:       GuardListIdError,
+  NAME:                   "listId",
+  KIND:                   "list-id",
+};

package/lib/problem-details.js

@@ -358,6 +358,48 @@ function respond(res, problem) {
   res.end(body);
 }
 
+/**
+ * @primitive b.problemDetails.send
+ * @signature b.problemDetails.send(res, fields)
+ * @since     0.9.41
+ * @status    stable
+ * @related   b.problemDetails.create, b.problemDetails.respond
+ *
+ * Build + emit a problem-details response in one call. Equivalent
+ * to `respond(res, create(fields))` but lets routes migrate
+ * incrementally from inline `res.status(400).json({ error: "..." })`
+ * shapes without restructuring the handler around an error throw.
+ *
+ * The same RFC 9457 §3 `application/problem+json` content type +
+ * `Cache-Control: no-store` are written; status code defaults to
+ * 500 when omitted.
+ *
+ * @opts
+ *   status:    number,           // HTTP status code (100..599); default 500
+ *   title:     string,           // operator-supplied short title
+ *   detail:    string,           // operator-supplied human-readable explanation
+ *   type:      string,           // problem-type URI (defaults to "about:blank")
+ *   instance:  string,           // optional per-occurrence URI
+ *   extensions: object,          // operator-specific extension fields
+ *
+ * @example
+ *   // Migrating from inline JSON-error shape:
+ *   //   res.status(400).json({ error: "Missing 'name' field" });
+ *   // to RFC 9457 problem-details:
+ *   b.problemDetails.send(res, {
+ *     status: 400,
+ *     title:  "Missing required field",
+ *     detail: "Body field 'name' is required",
+ *   });
+ */
+function send(res, fields) {
+  if (!fields || typeof fields !== "object" || Array.isArray(fields)) {
+    throw new ProblemDetailsError("problem-details/bad-fields",
+      "send: fields must be a non-null object", true);
+  }
+  return respond(res, create(fields));
+}
+
 /**
  * @primitive b.problemDetails.validate
  * @signature b.problemDetails.validate(doc)
@@ -431,6 +473,7 @@ module.exports = {
   create:     create,
   fromError:  fromError,
   respond:    respond,
+  send:       send,
   validate:   validate,
   RESERVED_FIELDS:     RESERVED_FIELDS,
   ProblemDetailsError: ProblemDetailsError,

package/lib/storage.js

@@ -577,13 +577,23 @@ function listBackends() {
   _requireInit();
   var out = [];
   for (var name in backends) {
-    out.push({
+    var entry = {
       name:            name,
       protocol:        backends[name].protocol,
       classifications: backends[name].classifications.slice(),
       residencyTag:    backends[name].residencyTag,
       breakerState:    backends[name].breaker.getState(),
-    });
+    };
+    // Surface the resolved local rootDir so downstream operators
+    // building path-traversal guards or scratch-dir layouts read the
+    // live path (with config-reload propagation) directly from the
+    // backend rather than re-deriving from operator-supplied opts.
+    // Remote protocols (sigv4 / gcs / azure-blob / http-put) don't
+    // have a rootDir; the field stays absent for those.
+    if (backends[name].protocol === "local" && backends[name].raw && typeof backends[name].raw.rootDir === "string") {
+      entry.rootDir = backends[name].raw.rootDir;
+    }
+    out.push(entry);
   }
   return out;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.39",
+  "version": "0.9.41",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:d55cbdf2-6290-49a7-8fa5-692b14276458",
+  "serialNumber": "urn:uuid:2ba814f6-24ab-4017-914e-f9ddba6c50ef",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-15T10:14:41.717Z",
+    "timestamp": "2026-05-15T14:40:55.638Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.39",
+      "bom-ref": "@blamejs/core@0.9.41",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.39",
+      "version": "0.9.41",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.39",
+      "purl": "pkg:npm/%40blamejs/core@0.9.41",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.39",
+      "ref": "@blamejs/core@0.9.41",
       "dependsOn": []
     }
   ]