@blamejs/core 0.9.6 → 0.9.8

package/lib/vendor/vendor-data-pubkey.js

@@ -0,0 +1,16 @@
+// vendor-data-pubkey — SLH-DSA-SHAKE-256f public key inlined as a CommonJS
+// module so lib/vendor-data.js can verify .data.js signatures without
+// any fs.readFileSync call. Packaging-mode-invariant (SEA / pkg / nexe /
+// esbuild / Bun compile / Deno compile / Lambda all preserve require()
+// resolution but not __dirname-relative file lookups).
+//
+// Fingerprint (SHA-256 of the raw SPKI): dd02aaf2f700e1403172f1e57619ba6308642e107853891866ffd8589b4164d1
+//
+// Regenerated by scripts/vendor-data-keygen.js whenever the maintainer
+// vendor-data signing key rotates. The companion PEM at
+// lib/vendor/.vendor-data-pubkey is the operator-readable form; this
+// JS module is the runtime form. Both regenerate together.
+
+"use strict";
+
+module.exports = "-----BEGIN SLH-DSA-SHAKE-256F PUBLIC KEY-----\nNyFNN00fxmgkHnZwtfy1FU9SodrVbgJRihT5/S605tM7c6YAKIS1mry4y8VCKh2h\nG+oRhGOPLb1ebxNmcQZw+g==\n-----END SLH-DSA-SHAKE-256F PUBLIC KEY-----\n";

package/lib/vendor-data.js

@@ -0,0 +1,339 @@
+"use strict";
+/**
+ * @module     b.vendorData
+ * @nav        Supply Chain
+ * @title      Vendor Data — packaging-mode-invariant + signed + canary-guarded
+ * @order      710
+ *
+ * @intro
+ *   Loader for vendored data files that ship inside the framework
+ *   tarball (`lib/vendor/*`). Inline-as-JS means the data survives any
+ *   packaging mode — SEA, esbuild bundle, `pkg`, `nexe`, Bun compile,
+ *   AWS Lambda — without `__dirname`-relative `fs.readFileSync` paths
+ *   collapsing under the bundler. Every load runs four orthogonal
+ *   integrity checks before returning a byte to the caller:
+ *
+ *     1. SHA-256 of the embedded payload matches the expected constant
+ *     2. SHA3-512 of the embedded payload matches the expected constant
+ *     3. SLH-DSA-SHAKE-256f signature over the payload verifies against
+ *        the maintainer's pinned public key (`lib/vendor/.vendor-data-pubkey`)
+ *     4. The known canary entry (where applicable per data file) is
+ *        present in the parsed payload — defends against content swap
+ *        even when an attacker forges hashes + signatures
+ *
+ *   Refusal at any step throws `VendorDataError`. `verifyAll()` runs
+ *   at framework boot so a tampered vendor file is a fail-fast — not
+ *   a first-request-touches-PSL surprise.
+ *
+ *   Each vendored data file ships as a `<name>.data.js` module that
+ *   exports `{ payload, metadata, canary }`. The `.data.js` is
+ *   regenerated by `scripts/vendor-update.sh --refresh-data` whenever
+ *   the upstream source is refreshed; it is never hand-edited.
+ *
+ * @card
+ *   Signed + dual-hashed + canary-guarded loader for vendored data.
+ *   Survives SEA / pkg / bundler builds because the data is inline,
+ *   not `fs.readFileSync`-loaded.
+ */
+
+var nodeCrypto = require("crypto");
+var safeEnv = require("./parsers/safe-env");
+var { defineClass } = require("./framework-error");
+var pqcSoftware = require("./pqc-software");
+
+// Framework-pinned vendor-data public key. Inlined as a CommonJS
+// module (lib/vendor/vendor-data-pubkey.js) so the loader has zero
+// fs.readFileSync calls and survives any packaging mode that
+// preserves require() resolution (SEA, pkg, nexe, esbuild, Bun /
+// Deno compile, Lambda layers). The companion PEM at
+// lib/vendor/.vendor-data-pubkey is the operator-readable form for
+// external inspection; this JS module is the runtime trust root.
+// Both regenerate together whenever the maintainer signing key
+// rotates (scripts/vendor-data-keygen.js).
+var PUBKEY_PEM = require("./vendor/vendor-data-pubkey");
+
+var VendorDataError = defineClass("VendorDataError", { alwaysPermanent: true });
+
+// KNOWN_VENDOR_DATA — the canonical list of vendored data names. Each
+// entry maps name → `<name>.data.js` module + the canary token the
+// payload must contain after parse (where applicable). Adding a new
+// vendored data file: append to this table, ship the `.data.js`,
+// migrate the caller. The framework's drift detector
+// (codebase-patterns) refuses any `.data.js` not registered here.
+var KNOWN_VENDOR_DATA = Object.freeze({
+  "public-suffix-list": {
+    module: "./vendor/public-suffix-list.data",
+    canary: "_blamejs_canary_v0_9_8_.local",
+    // Canary parse check — operator-side `b.publicSuffix.isPublicSuffix(canary)` MUST return true after the PSL parser ingests
+    // the data. The check is run by `verifyAll()` at boot via the
+    // caller-supplied canaryCheck closure registered in the .data.js.
+    description: "Mozilla Public Suffix List (PSL). Used by b.publicSuffix for organizational-domain + public-suffix lookups.",
+  },
+  "common-passwords-top-10000": {
+    module: "./vendor/common-passwords-top-10000.data",
+    canary: "_blamejs_canary_password_2026_05_13_blamejs_internal_",
+    description: "Top-10000 most common passwords (SecLists). Used by b.auth.password to refuse known-breached credentials.",
+  },
+  "bimi-trust-anchors": {
+    module: "./vendor/bimi-trust-anchors.data",
+    canary: null,
+    // BIMI trust anchor file is a PEM bundle; injecting an in-payload
+    // canary would require minting a real self-signed cert against
+    // every refresh which would inflate the vendor pipeline. The
+    // dual-hash + SLH-DSA signature layers cover the threat; canary
+    // is intentionally skipped for this entry.
+    description: "BIMI Group VMC + CMC trust anchors. Used by b.mail.bimi.fetchAndVerifyMark for chain validation.",
+  },
+});
+
+// Per-name cache so verify-once-on-first-load + boot-time verifyAll
+// don't pay the SLH-DSA-SHAKE-256f verify cost twice. Cached entries
+// are payload Buffers (caller-receivable); signature verification
+// runs at module-load (in `_loadAndVerify`), not at every `get()`.
+var _payloadCache = Object.create(null);
+
+function _loadAndVerify(name) {
+  if (_payloadCache[name]) return _payloadCache[name];
+
+  var entry = KNOWN_VENDOR_DATA[name];
+  if (!entry) {
+    throw new VendorDataError("vendor-data/unknown",
+      "vendorData: '" + name + "' not in KNOWN_VENDOR_DATA. " +
+      "Registered names: " + Object.keys(KNOWN_VENDOR_DATA).join(", "));
+  }
+
+  var mod;
+  try {
+    mod = require(entry.module);
+  } catch (e) {
+    throw new VendorDataError("vendor-data/module-missing",
+      "vendorData: '" + name + "' module not loadable at " + entry.module +
+      " — has scripts/vendor-update.sh --refresh-data been run? " +
+      "(" + (e && e.message ? e.message : "unknown error") + ")");
+  }
+
+  // Module-shape gate
+  if (!mod || !Buffer.isBuffer(mod.payload) || !mod.metadata) {
+    throw new VendorDataError("vendor-data/bad-shape",
+      "vendorData: '" + name + "' .data.js missing payload Buffer or metadata. " +
+      "File is hand-edited or corrupted; re-run vendor-update.sh --refresh-data.");
+  }
+  var meta = mod.metadata;
+  if (typeof meta.sha256 !== "string" || typeof meta.sha3_512 !== "string" ||
+      typeof meta.signatureB64 !== "string") {
+    throw new VendorDataError("vendor-data/bad-metadata",
+      "vendorData: '" + name + "' metadata missing sha256 / sha3_512 / signatureB64. " +
+      "File is hand-edited or corrupted; re-run vendor-update.sh --refresh-data.");
+  }
+
+  // Layer 1: SHA-256 self-verify
+  var actual256 = nodeCrypto.createHash("sha256").update(mod.payload).digest("hex");
+  if (actual256 !== meta.sha256) {
+    throw new VendorDataError("vendor-data/sha256-mismatch",
+      "vendorData: '" + name + "' SHA-256 mismatch — payload tampered. " +
+      "expected=" + meta.sha256.slice(0, 12) + "… got=" + actual256.slice(0, 12) + "…");
+  }
+
+  // Layer 2: SHA3-512 self-verify
+  var actual3 = nodeCrypto.createHash("sha3-512").update(mod.payload).digest("hex");
+  if (actual3 !== meta.sha3_512) {
+    throw new VendorDataError("vendor-data/sha3-512-mismatch",
+      "vendorData: '" + name + "' SHA3-512 mismatch — payload tampered. " +
+      "expected=" + meta.sha3_512.slice(0, 12) + "… got=" + actual3.slice(0, 12) + "…");
+  }
+
+  // Layer 3: SLH-DSA-SHAKE-256f signature verify against maintainer pubkey
+  var sigBytes = Buffer.from(meta.signatureB64, "base64");
+  var pubkeyBytes = _pemToRaw(PUBKEY_PEM);
+  var slh = pqcSoftware.slh_dsa_shake_256f;
+  var sigOk = false;
+  try {
+    // noble API: verify(signature, message, publicKey)
+    sigOk = slh.verify(sigBytes, mod.payload, pubkeyBytes);
+  } catch (e) {
+    throw new VendorDataError("vendor-data/signature-verify-error",
+      "vendorData: '" + name + "' SLH-DSA-SHAKE-256f verify threw: " +
+      (e && e.message ? e.message : "unknown error"));
+  }
+  if (!sigOk) {
+    throw new VendorDataError("vendor-data/signature-invalid",
+      "vendorData: '" + name + "' SLH-DSA-SHAKE-256f signature INVALID — " +
+      "payload not signed by maintainer pubkey (fingerprint " +
+      meta.publicKeyFingerprint + "). An attacker has swapped content + " +
+      "forged hashes but cannot forge the signature without the maintainer " +
+      "private key. Stop the framework and audit the install path immediately.");
+  }
+
+  // Layer 4: canary check (always-on, runs per get() not only at verifyAll).
+  // For entries with a registered canary, the .data.js exports a
+  // canaryCheck closure that scans the raw payload for the expected
+  // token. Refuses to return the bytes if the canary is absent.
+  if (entry.canary !== null) {
+    if (typeof mod.canaryCheck !== "function" || mod.canaryCheck() !== true) {
+      throw new VendorDataError("vendor-data/canary-absent",
+        "vendorData: '" + name + "' canary '" + entry.canary +
+        "' NOT FOUND in payload. An attacker has swapped data bytes with " +
+        "correctly-forged hashes + signatures but failed to preserve the " +
+        "canary token the framework expects.");
+    }
+  }
+
+  _payloadCache[name] = mod.payload;
+  return mod.payload;
+}
+
+// _pemToRaw — extract the raw SPKI bytes from a PEM-wrapped public key.
+// The .vendor-data-pubkey file ships as PEM (BEGIN PUBLIC KEY ... END
+// PUBLIC KEY); the SLH-DSA verifier expects raw bytes. We strip the
+// header/footer + decode base64. Defensive — refuses anything that
+// doesn't look like the expected PEM shape.
+function _pemToRaw(pem) {
+  var lines = pem.replace(/\r/g, "").split("\n");
+  if (lines[0].indexOf("-----BEGIN ") !== 0) {
+    throw new VendorDataError("vendor-data/pubkey-bad-pem",
+      "vendorData: inlined pubkey module is not PEM-shaped (lib/vendor/vendor-data-pubkey.js corrupted; re-run scripts/vendor-data-keygen.js)");
+  }
+  var body = "";
+  for (var i = 1; i < lines.length; i++) {
+    if (lines[i].indexOf("-----END ") === 0) break;
+    body += lines[i];
+  }
+  return Buffer.from(body, "base64");
+}
+
+/**
+ * @primitive  b.vendorData.get
+ * @signature  b.vendorData.get(name)
+ * @since      0.9.8
+ * @status     stable
+ * @related    b.vendorData.verifyAll, b.vendorData.inventory
+ *
+ * Return the verified payload Buffer for the named vendored data file.
+ * First call per name runs all integrity layers (dual-hash + SLH-DSA
+ * signature); subsequent calls return from cache. The canary-in-payload
+ * check is run by `verifyAll()` at framework boot; `get()` skips it on
+ * the hot path because the canary's parse-side semantics are caller-
+ * specific (PSL parser vs password-set lookup vs PEM chain).
+ *
+ * @example
+ *   var pslBytes = b.vendorData.get("public-suffix-list");
+ *   var psl = pslBytes.toString("utf8");
+ */
+function get(name) {
+  return _loadAndVerify(name);
+}
+
+/**
+ * @primitive  b.vendorData.getAsString
+ * @signature  b.vendorData.getAsString(name)
+ * @since      0.9.8
+ * @status     stable
+ * @related    b.vendorData.get
+ *
+ * Convenience wrapper around `get(name)` that returns the payload
+ * decoded as UTF-8. Use when the caller wants a string directly; the
+ * underlying Buffer caches once so repeated calls don't re-decode.
+ *
+ * @example
+ *   var passwordList = b.vendorData.getAsString("common-passwords-top-10000");
+ *   var lines = passwordList.split(/\r?\n/);
+ */
+function getAsString(name) {
+  return _loadAndVerify(name).toString("utf8");
+}
+
+/**
+ * @primitive  b.vendorData.verifyAll
+ * @signature  b.vendorData.verifyAll()
+ * @since      0.9.8
+ * @status     stable
+ * @related    b.vendorData.get, b.vendorData.inventory
+ *
+ * Run all four integrity layers across every registered vendored data
+ * file — including the in-payload canary check via the caller-supplied
+ * canaryCheck closure each `.data.js` exports. Returns the inventory
+ * of names verified. Throws on any failure. Operators wire this into
+ * framework boot so a tampered install fails fast.
+ *
+ * @example
+ *   b.vendorData.verifyAll();   // throws VendorDataError on any tamper
+ */
+function verifyAll() {
+  var names = Object.keys(KNOWN_VENDOR_DATA);
+  for (var i = 0; i < names.length; i++) {
+    // _loadAndVerify runs all four layers (sha256 + sha3-512 +
+    // SLH-DSA signature + canary). verifyAll() now just forces
+    // eager-load of every registered entry — useful in tests and
+    // for operators wanting "verify everything upfront at boot"
+    // semantics even before any caller touches a specific entry.
+    _loadAndVerify(names[i]);
+  }
+  return names.slice();
+}
+
+/**
+ * @primitive  b.vendorData.inventory
+ * @signature  b.vendorData.inventory()
+ * @since      0.9.8
+ * @status     stable
+ * @related    b.vendorData.verifyAll
+ *
+ * Return per-vendor-data metadata for compliance reporting. Each
+ * entry: `{ name, source, fetchedAt, sha256, sha3_512, signedBy,
+ * canary, byteLength }`. Pipes directly into SBOM emission +
+ * b.compliance posture rendering.
+ *
+ * @example
+ *   var inv = b.vendorData.inventory();
+ *   inv.forEach(function (entry) {
+ *     console.log(entry.name + " (" + entry.byteLength + " bytes) " +
+ *                 "fetched " + entry.fetchedAt + " from " + entry.source +
+ *                 " — signed by " + entry.signedBy);
+ *   });
+ */
+function inventory() {
+  var out = [];
+  var names = Object.keys(KNOWN_VENDOR_DATA);
+  for (var i = 0; i < names.length; i++) {
+    var name = names[i];
+    var entry = KNOWN_VENDOR_DATA[name];
+    _loadAndVerify(name);
+    var mod = require(entry.module);
+    var meta = mod.metadata;
+    out.push({
+      name:        name,
+      source:      meta.source,
+      fetchedAt:   meta.fetchedAt,
+      license:     meta.license,
+      sha256:      meta.sha256,
+      sha3_512:    meta.sha3_512,
+      signedBy:    meta.publicKeyFingerprint,
+      canary:      entry.canary,
+      byteLength:  mod.payload.length,
+      description: entry.description,
+    });
+  }
+  return out;
+}
+
+// Eager verification at module-load. The first time anything
+// require()s b.vendorData (e.g. lib/public-suffix.js, lib/auth/
+// password.js, lib/mail-bimi.js — all of which load early in any
+// framework consumer's import graph), every registered vendor data
+// file is dual-hash + signature + canary-verified before any caller
+// gets the chance to call get(). Tamper = fail-fast at boot, not at
+// first-request-touches-PSL surprise. Operators wanting to defer
+// verification (e.g. test rigs that mock require() resolution) set
+// BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY=1 in the environment.
+if (safeEnv.readVar("BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY", { default: "" }) !== "1") {
+  verifyAll();
+}
+
+module.exports = {
+  get:                get,
+  getAsString:        getAsString,
+  verifyAll:          verifyAll,
+  inventory:          inventory,
+  KNOWN_VENDOR_DATA:  KNOWN_VENDOR_DATA,
+  VendorDataError:    VendorDataError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.6",
+  "version": "0.9.8",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:1564ed32-1ca1-46e6-be60-6ea469f08940",
+  "serialNumber": "urn:uuid:b2d344e9-ce35-4d60-9617-51bdb1f2c4a4",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T13:18:41.980Z",
+    "timestamp": "2026-05-13T13:08:39.464Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.6",
+      "bom-ref": "@blamejs/core@0.9.8",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.6",
+      "version": "0.9.8",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.6",
+      "purl": "pkg:npm/%40blamejs/core@0.9.8",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.6",
+      "ref": "@blamejs/core@0.9.8",
       "dependsOn": []
     }
   ]