@blamejs/core 0.9.7 → 0.9.9

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.9 (2026-05-13) — **`b.vendorData`: replace dynamic `require(variable)` with static literal-string requires so SEA / esbuild / pkg bundling actually works**. v0.9.8 shipped `b.vendorData` to remove `__dirname`-relative `fs.readFileSync` calls and make the loader packaging-mode-invariant. The implementation looked up each `.data.js` module via `require(entry.module)` where `entry.module` was read from a frozen lookup table — a *dynamic* require, opaque to every bundler's static-analysis pass. esbuild, webpack, ncc, rollup, pkg, nexe, Bun's bundler, and Deno's bundler all trace `require("./literal")` calls; none of them trace `require(variable)`. Result: the three `.data.js` payload modules never made it into SEA / pkg / esbuild bundles, defeating the v0.9.8 promise at boot ("vendor-data/module-missing" thrown by every consumer that bundled the framework). v0.9.9 replaces the lookup with a `_MODULES` table whose three values are each a top-level `var X = require("./vendor/<name>.data")` — literal string, statically traceable. Caught by hermitstash-sync operator review post-v0.9.8 publish. Net surface change: zero (the public `b.vendorData.get` / `getAsString` / `verifyAll` / `inventory` shape is identical); the fix is internal-only. **New codebase-patterns drift detector** `testNoDynamicRequires` refuses any future `require(variable)` in `lib/`; legitimate operator-extensibility points (`b.cli`, migrations, seeders) carry an explicit `allow:dynamic-require` marker with rationale. **Operators upgrade from v0.9.8 to v0.9.9 if they bundle the framework via SEA / esbuild / pkg / Bun-compile** — direct `node` consumers were unaffected (Node's runtime require always resolves dynamic strings correctly).
+- v0.9.8 (2026-05-13) — **`b.vendorData` — packaging-mode-invariant + signed + canary-guarded loader for vendored data files**. The three plaintext vendor data files (`public-suffix-list.dat`, `common-passwords-top-10000.txt`, `bimi-trust-anchors.pem`) are now loaded via inline `Buffer.from(base64)` modules (`<name>.data.js`), eliminating the `__dirname`-relative `fs.readFileSync` paths that broke under Single Executable Application (SEA), `pkg`, `nexe`, esbuild, Bun compile, Deno compile, and AWS Lambda layer bundling. Every load runs four orthogonal integrity checks before returning a byte: SHA-256 + SHA3-512 + SLH-DSA-SHAKE-256f signature against the maintainer's pinned public key (`lib/vendor/.vendor-data-pubkey`) + in-payload canary entry that the parsed structure must surface. Tamper at any layer throws `VendorDataError` at module-load — fail-fast rather than first-request-touches-PSL surprise. **Public API**: `b.vendorData.get(name)` returns the verified Buffer; `b.vendorData.getAsString(name)` returns UTF-8 string; `b.vendorData.verifyAll()` runs all four layers across every registered vendor data file and is invoked at framework boot; `b.vendorData.inventory()` returns per-file metadata (name, source, fetchedAt, sha256, sha3_512, signedBy, canary, byteLength, description) for compliance reporting + SBOM emission. **Migrated call sites**: `b.publicSuffix` (PSL load), `b.auth.password._loadBundledCommon` (common-passwords), `b.mail.bimi` (trust anchors) now route through `b.vendorData` — removes any downstream consumer's need to patch the loader for SEA / bundler builds. **Maintainer signing infrastructure**: vendor data files signed at refresh time by a maintainer-held SLH-DSA-SHAKE-256f keypair (private key stays in `.keys/` and is never committed; public key ships in `lib/vendor/.vendor-data-pubkey` in every npm tarball). Adds a fourth orthogonal trust root alongside SSH-signed release tags + SLSA L3 npm provenance + Sigstore-keyless SBOM signatures. **MANIFEST.json**: per-vendor-data entry gains `runtime_artifact` + `integrity_layers` + dual-file `hashes` (raw `.dat/.txt/.pem` + companion `.data.js`). **New scripts**: `scripts/vendor-data-keygen.js` (one-time keypair generation), `scripts/vendor-data-gen.js` (generator invoked by `scripts/vendor-update.sh --refresh-data`).
 - v0.9.7 (2026-05-13) — **SECURITY.md: release-tag verification path documented + signed-tag invariant from v0.9.7+**. SECURITY.md gains a "Verifying release authenticity" section documenting how operators verify a release tag's authenticity independently of GitHub's UI. The maintainer Ed25519 SSH signing key fingerprint (`SHA256:5oF/XWhFpMde9TRfEX2GAHiApAq/MXOS4vti5zQbD7g`) is published alongside the public-key retrieval URL (`https://github.com/dotCooCoo.keys`) and a `git tag -v` recipe that bypasses the "Verified" badge. From v0.9.7 onward, every release tag is an annotated SSH-signed tag; the repository's `release-tags` ruleset's `required_signatures` rule refuses any unsigned or lightweight tag push at the server side. Earlier tags (v0.9.6 and prior) remain as lightweight commits and don't verify via `git tag -v`; they continue to verify via the SLSA L3 npm provenance + Sigstore-keyless SBOM signatures already attached to those releases (the `cosign verify-blob` recipe is in the same SECURITY.md section). No framework-surface changes; this release ships the documentation + invariant only.
 - v0.9.6 (2026-05-12) — **`b.vex` (OASIS CSAF 2.1 VEX) + framework-control compliance posture sweep**. *(PR feedback: CSAF-conformance fixes folded in pre-merge — `cwes` is now a list per §3.2.3.4 instead of a singleton `cwe` field; CWE alone is no longer accepted as a vulnerability identity per §3.2.3.2 (operator supplies `cveId` or `ids[]: [{ systemName, text }]` per §3.2.3.5); TLP allowlist corrected to TLP 2.0 (FIRST 2022) per §3.2.1.12.1.1 — `CLEAR / GREEN / AMBER / AMBER+STRICT / RED` (added the previously-omitted `AMBER+STRICT` restriction tier and removed the legacy TLP 1.0 `WHITE` label, which was renamed `CLEAR` in TLP 2.0). Public opt name `cwe` is now `cweId` to mirror `cveId`; this is a v0.9.6 surface that never shipped to npm so the rename is not a breaking change.)* Closes the framework-side findings from the 2026-05-11 exceptd framework-gap-analysis (49 gaps across CVE-triage / framework-compliance / threat-modeling / AI-security / identity-assurance / crypto-posture / supply-chain / sector-specific). **`b.vex.statement({ cveId, status, productIds, justification?, impactStatement?, references?, firstReleased?, lastUpdated? })`** builds an OASIS CSAF 2.1 §3.2.3 vulnerability statement with `product_status` keyed by status enum (`known_not_affected` / `affected` / `fixed` / `under_investigation`), `flags[].label` for §3.2.2.7 justifications (`component_not_present` / `vulnerable_code_not_present` / `vulnerable_code_not_in_execute_path` / `vulnerable_code_cannot_be_controlled_by_adversary` / `inline_mitigations_already_exist`), and `notes[].text` for impact narrative. Refuses missing CVE/CWE id, malformed CVE shape, unknown status, missing productIds, and `known_not_affected` without justification. **`b.vex.document({ documentId, title, publisher, trackingId, trackingVersion, currentReleaseDate, initialReleaseDate, statements, tlp? })`** assembles the §3.2 CSAF document envelope with category `csaf_vex`, csaf_version `2.1`, publisher category `vendor`, tracking status `final`, and `distribution.tlp.label` (default `CLEAR`; refuses non-TLP labels). **`b.vex.serialize(doc)`** routes through `b.canonicalJson.stringify` for byte-stable sorted-key output then re-indents at 2 spaces for human-diffable artifacts. Exports `STATUS_VALUES` / `JUSTIFICATION_VALUES` / `TLP_LABELS` / `CSAF_VERSION` / `VexError`. **25 new compliance postures** added to `b.compliance.KNOWN_POSTURES` (with matching `POSTURE_DEFAULTS` cascade entries): `nist-800-53` (NIST SP 800-53 Rev 5 control catalog), `nist-ai-rmf-1.0` (NIST AI Risk Management Framework 1.0), `iso-42001-2023` (AI management systems), `iso-23894-2023` (AI risk management guidance), `owasp-llm-top-10-2025` (LLM application risk catalog), `owasp-asvs-v5.0` (Application Security Verification Standard v5.0), `nist-800-218-ssdf` (Secure Software Development Framework), `nist-800-82-r3` (industrial control systems), `nist-800-63b-rev4` (digital identity authenticator guidance), `iec-62443-3-3` (industrial security), `fedramp-rev5-moderate` (federal cloud baseline), `hipaa-security-rule` (45 CFR §164.302-318 administrative + technical safeguards), `hitrust-csf-v11.4` (healthcare common security framework), `nerc-cip-007-6` (bulk electric system cyber asset security), `psd2-rts-sca` (PSD2 Regulatory Technical Standards for Strong Customer Authentication), `swift-cscf-v2026` (SWIFT Customer Security Controls Framework 2026), `slsa-v1.0-build-l3` (SLSA build-track L3 provenance), `vex-csaf-2.1` (the standard `b.vex` emits), `cyclonedx-v1.6` (already shipped via `sbom.cdx.json`), `spdx-v3.0` (SPDX 3.0 software bill of materials), `owasp-wstg-v5` (Web Security Testing Guide v5), `ptes` (Penetration Testing Execution Standard), `nist-800-115` (technical guide to information security testing), `cwe-top-25-2024` (CWE most dangerous software weaknesses 2024), `cis-controls-v8` (Center for Internet Security Critical Controls v8), `cmmc-2.0-level-2` (DoD CMMC Level 2 advanced; complements the existing `cmmc-2.0` posture). Each cascade entry encodes the regime's data-tier mandate (encrypted backups + signed audit chain + TLS 1.3 minimum + vacuum-after-erase where applicable).
 - v0.9.5 (2026-05-12) — **Fix-up for v0.9.3 + v0.9.4 audit-derived primitives** (five reported reachability/contract bugs). (1) **`b.middleware.dpop` `trustForwardedHeaders` was unreachable** — the v0.9.4 X-Forwarded-* trust gate added the option to `_reconstructHtu` but the `create()` validateOpts whitelist still rejected unknown keys. Operators behind a trusted reverse proxy got `unknown-option` instead of the documented opt-in, leaving valid DPoP proofs failing htu matching. The whitelist now includes `trustForwardedHeaders`. (2) **`b.auth.jwt.verifyExternal` `allowKidlessJwks` was unreachable** — same shape, fixed the same way. (3) **OAuth `allowKidlessJwks` didn't reach token-exchange flows** — pre-v0.9.5 the opt was per-`verifyIdToken`-call, but `_normalizeTokens()` (called from `exchangeCode` / `pollDeviceCode` / `exchangeToken` / `refreshAccessToken`) passed a reduced `{ nonce, skipNonceCheck }` shape that dropped the operator opt. Surface promoted to client-level: pass `b.auth.oauth.create({ allowKidlessJwks: true })` once and it threads through every code path that lands on the verifier. The per-call `vopts.allowKidlessJwks` continues to work for direct `verifyIdToken` callers. (4) **`b.auth.oauth.refreshAccessToken` `checkAndInsert` return-value contract inverted** — pre-v0.9.5 interpreted `true` as "already seen → replay" but the framework-wide `checkAndInsert` contract (`b.nonceStore`, `b.auth.jwt`) is the opposite: `true` = unseen-and-now-inserted (first sighting), `false` = already-present (replay). Operators reusing an existing `b.nonceStore`-style backend got every first refresh attempt rejected as token theft, breaking normal refresh flows. The handler now normalizes `inserted === false` → `alreadySeen = true`, consistent with the rest of the framework. (5) **`b.auth.ciba` `_intervalState` memory leak on error paths** — pre-v0.9.5 entries were only deleted on successful token issuance; denied / expired auth requests, and ping/push delivery modes that never call `pollToken` successfully, left permanent entries causing unbounded growth in long-running processes. Now entries carry an `expireAtMs` derived from the IdP-supplied `expires_in` of the auth_req_id, and an opportunistic sweep runs on every `_registerInitialInterval` call (no separate timer needed). Terminal CIBA errors (`expired_token` / `access_denied` / `invalid_grant` / `transaction_failed`) also delete the entry immediately on the error path.

package/index.js

@@ -149,6 +149,7 @@ var cdnCacheControl = require("./lib/cdn-cache-control");
 var clientHints = require("./lib/client-hints");
 var structuredFields = require("./lib/structured-fields");
 var vex = require("./lib/vex");
+var vendorData = require("./lib/vendor-data");
 var serverTiming = require("./lib/server-timing");
 var earlyHints = require("./lib/early-hints");
 var gateContract = require("./lib/gate-contract");
@@ -385,6 +386,7 @@ module.exports = {
   clientHints:      clientHints,
   structuredFields: structuredFields,
   vex:              vex,
+  vendorData:       vendorData,
   serverTiming:     serverTiming,
   earlyHints:       earlyHints,
   gateContract:     gateContract,

package/lib/auth/password.js

@@ -207,13 +207,14 @@ var POLICY_PROFILES = Object.freeze({
 // Operators wanting deeper enforcement supply opts.forbidCommon (set
 // of additional plaintexts) and/or opts.forbidCommonExtra (operator's
 // own breach list); both layer additively on top of the bundled set.
-var path = require("node:path");
-var fs   = require("node:fs");
+var vendorData = require("../vendor-data");
 var _bundledCommonPasswords = null;
 function _loadBundledCommon() {
   if (_bundledCommonPasswords) return _bundledCommonPasswords;
-  var p = path.join(__dirname, "..", "vendor", "common-passwords-top-10000.txt");
-  var text = fs.readFileSync(p, "utf8");
+  // b.vendorData verifies the dual-hash + SLH-DSA signature + in-payload
+  // canary before returning the bytes. Packaging-mode-invariant — no
+  // __dirname-relative file lookup that breaks under SEA / pkg / bundler.
+  var text = vendorData.getAsString("common-passwords-top-10000");
   var set = new Set();
   var lines = text.split(/\r?\n/);
   for (var i = 0; i < lines.length; i++) {

package/lib/cli.js

@@ -426,14 +426,20 @@ var API_SNAPSHOT_USAGE = [
 ].join("\n");
 
 function _resolveTargetModule(modulePath, ctx) {
-  // Default: load index.js from the framework root (one level up from lib/cli.js)
+  // Default: load index.js from the framework root (one level up from lib/cli.js).
+  // Dynamic require by design — the CLI loads either the framework root index.js
+  // or an operator-supplied module path from the command line. Operator-
+  // extensibility surfaces by definition can't be statically traced by a
+  // bundler — anyone bundling this CLI surface into SEA/pkg accepts that
+  // runtime --module=<path> arguments won't resolve. Internal framework
+  // code never reaches this path.
   if (!modulePath) {
     var root = path.resolve(__dirname, "..");
-    return require(path.join(root, "index.js"));
+    return require(path.join(root, "index.js"));   // allow:dynamic-require — operator-extensibility entry point
   }
   var abs = path.isAbsolute(modulePath) ? modulePath : path.resolve(ctx.cwd, modulePath);
   delete require.cache[require.resolve(abs)];
-  return require(abs);
+  return require(abs);                              // allow:dynamic-require — operator-extensibility entry point
 }
 
 function _runApiSnapshot(args, ctx) {

package/lib/db-schema.js

@@ -283,7 +283,10 @@ function runMigrations(database, migrationDir) {
     var fullPath = path.join(migrationDir, file);
     var mig;
     try {
-      mig = require(fullPath);
+      // Operator-supplied migration file — by definition not statically
+      // require-able by a bundler. Anyone bundling this surface into SEA
+      // accepts that runtime migration loading won't resolve.
+      mig = require(fullPath);   // allow:dynamic-require — operator-supplied migration
     } catch (e) {
       throw new Error("migration '" + file + "' failed to load: " + e.message);
     }

package/lib/external-db-migrate.js

@@ -290,7 +290,10 @@ function _loadMigration(file, dir) {
   // new content. Matches lib/migrations.js semantics.
   try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }
   var mod;
-  try { mod = require(fullPath); }
+  // Operator-supplied migration file — dynamic by design, won't survive
+  // SEA / pkg bundling. External DB migration tooling is host-CLI scope,
+  // not framework-internal scope.
+  try { mod = require(fullPath); }   // allow:dynamic-require — operator-supplied migration
   catch (e) {
     throw _err("externaldb-migrate/load-failed",
       "migration '" + file + "' failed to load: " + ((e && e.message) || String(e)));

package/lib/mail-bimi.js

@@ -50,8 +50,6 @@
 var dns = require("node:dns");
 var nodeCrypto = require("node:crypto");
 var dnsPromises = dns.promises;
-var fs = require("node:fs");
-var nodePath = require("node:path");
 
 var asn1 = require("./asn1-der");
 var C = require("./constants");
@@ -112,15 +110,16 @@ var CMC_POLICY_OID = "1.3.6.1.4.1.53087.1.2";
 // RFC 3709 4.2 — the logotype extension OID.
 var ID_PE_LOGOTYPE = "1.3.6.1.5.5.7.1.12";
 
-// Vendored BIMI Group trust anchors. Read once at module load. The
-// vendor file may be empty-of-PEM in source trees (operators populate
-// via the documented refresh procedure); fetchAndVerifyMark refuses
-// to validate if both the vendored bundle is empty and the call-site
-// `trustAnchorsPem` opt is absent.
-var _vendoredTrustAnchorsPath = nodePath.join(__dirname, "vendor", "bimi-trust-anchors.pem");
+// Vendored BIMI Group trust anchors. Loaded via b.vendorData which
+// dual-hash + SLH-DSA-SHAKE-256f-signature-verifies before returning
+// the bytes. The vendor file may be empty-of-PEM in source trees
+// (operators populate via the documented refresh procedure);
+// fetchAndVerifyMark refuses to validate if both the vendored bundle
+// is empty and the call-site `trustAnchorsPem` opt is absent.
+var vendorData = require("./vendor-data");
 var _vendoredTrustAnchorsPem = "";
 try {
-  _vendoredTrustAnchorsPem = fs.readFileSync(_vendoredTrustAnchorsPath, "utf8");
+  _vendoredTrustAnchorsPem = vendorData.getAsString("bimi-trust-anchors");
 } catch (_e) {
   _vendoredTrustAnchorsPem = "";
 }

package/lib/migrations.js

@@ -241,7 +241,9 @@ function _loadMigration(file, dir) {
   // keeps test fixtures sane.
   try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }
   var mod;
-  try { mod = require(fullPath); }
+  // Operator-supplied migration — dynamic by design, can't be bundle-
+  // traced. Host-CLI scope; deploying via SEA / pkg drops this surface.
+  try { mod = require(fullPath); }   // allow:dynamic-require — operator-supplied migration
   catch (e) {
     throw new MigrationError("migrations/load-failed",
       "migration '" + file + "' failed to load: " + ((e && e.message) || String(e)),

package/lib/public-suffix.js

@@ -52,18 +52,17 @@
  *   before lookup. Bad inputs throw `PublicSuffixError`.
  */
 
-var fs       = require("node:fs");
-var nodePath = require("node:path");
-var nodeCrypto = require("node:crypto");
 var nodeUrl  = require("node:url");
+var vendorData = require("./vendor-data");
+var pslDataModule = require("./vendor/public-suffix-list.data");
 var { PublicSuffixError } = require("./framework-error");
 
-// Vendored PSL data file. Per the framework's vendoring policy this
-// is checked in alongside the bundled npm-deps and tracked in
-// lib/vendor/MANIFEST.json. Loaded synchronously at module-init —
-// missing file is a packaging break operators must catch at boot,
-// not on first lookup at request time.
-var PSL_PATH = nodePath.join(__dirname, "vendor", "public-suffix-list.dat");
+// Vendored PSL data file. Loaded via b.vendorData which inlines the
+// bytes as a CommonJS module, dual-hash + SLH-DSA-SHAKE-256f-signature
+// verifies on first access, and carries an in-payload canary the
+// PSL parser must observe. Packaging-mode-invariant — survives SEA,
+// pkg, nexe, esbuild bundles, Lambda layers, Bun/Deno compile. See
+// lib/vendor-data.js for the integrity surface.
 
 function _err(code, message) {
   return new PublicSuffixError(code, message);
@@ -185,34 +184,24 @@ var _sourceMeta;
 (function _init() {
   var raw;
   try {
-    raw = fs.readFileSync(PSL_PATH);
+    raw = vendorData.get("public-suffix-list");
   } catch (e) {
     throw _err("public-suffix/not-loaded",
-      "publicSuffix: vendored PSL data file missing at " + PSL_PATH +
-      " (" + (e && e.message ? e.message : "unknown error") + ")");
+      "publicSuffix: vendored PSL data not loadable via b.vendorData " +
+      "(" + (e && e.message ? e.message : "unknown error") + ")");
   }
-  var sha256 = nodeCrypto.createHash("sha256").update(raw).digest("hex");
   var parsed = _parsePsl(raw.toString("utf8"));
   _data = parsed;
-  // Read vendoredAt from MANIFEST.json so the metadata stays in lock-
-  // step with the vendor refresh. Falls back to "unknown" if the
-  // manifest can't be read or doesn't carry the entry — the parsed
-  // sha256 still uniquely identifies the file content.
-  var vendoredAt = "unknown";
-  try {
-    var manifestPath = nodePath.join(__dirname, "vendor", "MANIFEST.json");
-    var manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));  // allow:bare-json-parse — MANIFEST.json is a framework-internal vendored file checked in alongside code; never from operator / network input
-    var entry = manifest && manifest.packages && manifest.packages["publicsuffix-list"];
-    if (entry && typeof entry.bundledAt === "string") vendoredAt = entry.bundledAt;
-  } catch (_e) {
-    // Manifest missing / malformed — continue with vendoredAt =
-    // "unknown". This is observability-only metadata; a request-path
-    // failure here would punish operators for a non-fatal drift.
-  }
+  // Provenance comes from the .data.js module's own metadata, which
+  // carries sha256 + sha3-512 + signing public-key fingerprint +
+  // upstream fetchedAt timestamp. All four were verified by
+  // vendorData.get() before the bytes reached this caller.
+  var meta = pslDataModule.metadata;
   _sourceMeta = Object.freeze({
-    vendoredAt: vendoredAt,
+    vendoredAt: meta.fetchedAt,
     entries: parsed.entries,
-    sha256: sha256,
+    sha256: meta.sha256,
+    signedBy: meta.publicKeyFingerprint,
   });
 })();
 

package/lib/seeders.js

@@ -176,7 +176,9 @@ function _loadSeed(rootDir, env, file) {
   // between calls picks it up. Production restarts the process anyway.
   try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }
   var mod;
-  try { mod = require(fullPath); }
+  // Operator-supplied seed — dynamic by design, can't be bundle-traced.
+  // Host-CLI scope; deploying via SEA / pkg drops this surface.
+  try { mod = require(fullPath); }   // allow:dynamic-require — operator-supplied seed
   catch (e) {
     throw _err("LOAD_FAILED",
       "seed '" + env + "/" + file + "' failed to load: " + ((e && e.message) || String(e)));

package/lib/vendor/.vendor-data-pubkey

@@ -0,0 +1,4 @@
+-----BEGIN SLH-DSA-SHAKE-256F PUBLIC KEY-----
+NyFNN00fxmgkHnZwtfy1FU9SodrVbgJRihT5/S605tM7c6YAKIS1mry4y8VCKh2h
+G+oRhGOPLb1ebxNmcQZw+g==
+-----END SLH-DSA-SHAKE-256F PUBLIC KEY-----

package/lib/vendor/MANIFEST.json

@@ -1,144 +1,156 @@
-{
-  "_comment": "Vendored dependencies — no npm runtime packages. Use scripts/vendor-update.sh to update.",
-  "packages": {
-    "@noble/ciphers": {
-      "version": "2.2.0",
-      "license": "MIT",
-      "author": "Paul Miller",
-      "source": "https://github.com/paulmillr/noble-ciphers",
-      "exports": [
-        "xchacha20poly1305"
-      ],
-      "files": {
-        "server": "lib/vendor/noble-ciphers.cjs"
-      },
-      "bundler": "esbuild --format=cjs --minify --platform=node",
-      "bundledAt": "2026-04-25",
-      "hashes": {
-        "server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
-      }
-    },
-    "@noble/post-quantum": {
-      "version": "0.6.1",
-      "license": "MIT",
-      "author": "Paul Miller",
-      "source": "https://github.com/paulmillr/noble-post-quantum",
-      "_about": "FIPS 203 / 204 / 205 PQC algorithms in pure JS. First-class on both server-side and client-side — interoperable with Node's built-in WebCrypto ML-KEM (a ciphertext encapsulated with Node ML-KEM-1024 decapsulates correctly with b.pqcSoftware.ml_kem_1024 and vice versa). Operators wire it server-side via `b.pqcSoftware.{ml_kem_1024,ml_dsa_87,slh_dsa_shake_256f,...}` (security-first defaults are the highest cat-5 levels), or re-bundle for browser / mobile clients shipping b.middleware.apiEncrypt.client. Older Node versions without the experimental WebCrypto ML-KEM extension can use the vendored bundle as the primary PQC path.",
-      "exports": [
-        "ml_kem512",
-        "ml_kem768",
-        "ml_kem1024",
-        "ml_dsa44",
-        "ml_dsa65",
-        "ml_dsa87",
-        "slh_dsa_sha2_128f",
-        "slh_dsa_sha2_192f",
-        "slh_dsa_sha2_256f",
-        "slh_dsa_shake_128f",
-        "slh_dsa_shake_192f",
-        "slh_dsa_shake_256f"
-      ],
-      "files": {
-        "server": "lib/vendor/noble-post-quantum.cjs"
-      },
-      "bundler": "esbuild --format=cjs --minify --platform=node",
-      "bundledAt": "2026-05-06",
-      "hashes": {
-        "server": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68"
-      }
-    },
-    "@simplewebauthn/server": {
-      "version": "13.3.0",
-      "license": "MIT",
-      "author": "Matthew Miller",
-      "source": "https://github.com/MasterKale/SimpleWebAuthn",
-      "exports": [
-        "generateRegistrationOptions",
-        "verifyRegistrationResponse",
-        "generateAuthenticationOptions",
-        "verifyAuthenticationResponse",
-        "MetadataService"
-      ],
-      "files": {
-        "server": "lib/vendor/simplewebauthn-server.cjs"
-      },
-      "bundler": "esbuild --format=cjs --minify --platform=node --external:crypto --external:node:crypto",
-      "bundledAt": "2026-04-26",
-      "hashes": {
-        "server": "sha256:a9777dca582095d67f17ca24e19a0791de29928555b6b779c2233429175eb3f0"
-      }
-    },
-    "SecLists-common-passwords-top-10000": {
-      "version": "10k-most-common (master)",
-      "license": "CC-BY-3.0",
-      "author": "Daniel Miessler / SecLists contributors",
-      "source": "https://github.com/danielmiessler/SecLists",
-      "_about": "Top 10,000 most-common passwords (breach-derived). Loaded by b.auth.password.policy() to satisfy NIST 800-63B §5.1.1.2 'previously breached' check. Operators with deeper enforcement (HIBP downloads, NCSC 100k) layer on top via opts.forbidCommon — the bundled set is additive.",
-      "files": {
-        "server": "lib/vendor/common-passwords-top-10000.txt"
-      },
-      "bundler": "curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt",
-      "bundledAt": "2026-05-02",
-      "hashes": {
-        "server": "sha256:4adb3f0afb4a10cf19ebe48d8c69a46f934bbc8d77c694c210564f9583e7f4ba"
-      }
-    },
-    "bimi-trust-anchors": {
-      "version": "operator-managed",
-      "license": "BIMI Group / per-issuer",
-      "author": "BIMI Group / DigiCert / Entrust",
-      "source": "https://bimigroup.org/",
-      "_about": "RFC 9091 BIMI Group Verified Mark trust-anchor bundle (PEM, concatenated). Loaded by lib/mail-bimi.js for VMC + CMC chain validation. Source-tree default is empty-of-PEM (operators populate via the documented refresh procedure in the file header); call-site overrides via b.mail.bimi.fetchAndVerifyMark({ trustAnchorsPem }) are supported. Refresh procedure pulls https://www.digicert.com/CACerts/DigiCertVerifiedMarkRootCA.pem + https://web.entrust.com/root-certificates/entrust_verified_mark_root_g3.cer and concatenates them into the file.",
-      "exports": [
-        "bimi-vmc-trust-anchors"
-      ],
-      "files": {
-        "server": "lib/vendor/bimi-trust-anchors.pem"
-      },
-      "bundler": "operator-managed (see file header for refresh procedure)",
-      "bundledAt": "2026-05-09",
-      "hashes": {
-        "server": "sha256:81ff9f5ab3c9774132c845684e783be95cf73146f8b670d964105f0a3765b4b4"
-      }
-    },
-    "publicsuffix-list": {
-      "version": "master",
-      "license": "MPL-2.0",
-      "author": "Mozilla Foundation",
-      "source": "https://publicsuffix.org/list/public_suffix_list.dat",
-      "_about": "Mozilla Public Suffix List — canonical catalog of effective top-level domains used by b.publicSuffix to derive organizational domains for DMARCbis (psd= / np=), BIMI, cookie-scope checks, and same-site policies. Loaded at module-init from lib/vendor/public-suffix-list.dat; the file is the data, not a code bundle.",
-      "files": {
-        "server": "lib/vendor/public-suffix-list.dat"
-      },
-      "bundler": "curl https://publicsuffix.org/list/public_suffix_list.dat",
-      "bundledAt": "2026-05-09",
-      "hashes": {
-        "server": "sha256:a00855bbf027ca86cead1cf0bafc0b9b1ae904dda97f3e24b0062aa2e6e289e2"
-      }
-    },
-    "peculiar-pki": {
-      "version": "2.0.0+pkijs-3.4.0",
-      "license": "MIT",
-      "author": "Peculiar Ventures",
-      "source": "https://github.com/PeculiarVentures",
-      "_about": "Meta-bundle of @peculiar/x509 + pkijs + reflect-metadata + every transitive ASN.1 schema package. Used by lib/mtls-engine-default.js as the pure-JS CA + PKCS#12 engine wired into b.mtlsCa.",
-      "components": {
-        "@peculiar/x509": "https://github.com/PeculiarVentures/x509",
-        "pkijs": "https://github.com/PeculiarVentures/PKI.js"
-      },
-      "exports": [
-        "x509",
-        "pkijs",
-        "crypto"
-      ],
-      "files": {
-        "server": "lib/vendor/pki.cjs"
-      },
-      "bundler": "esbuild --format=cjs --minify --platform=node --external:crypto --external:node:crypto",
-      "bundledAt": "2026-04-29",
-      "hashes": {
-        "server": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77"
-      }
-    }
-  }
-}
+{
+  "_comment": "Vendored dependencies \u00e2\u20ac\u201d no npm runtime packages. Use scripts/vendor-update.sh to update.",
+  "packages": {
+    "@noble/ciphers": {
+      "version": "2.2.0",
+      "license": "MIT",
+      "author": "Paul Miller",
+      "source": "https://github.com/paulmillr/noble-ciphers",
+      "exports": [
+        "xchacha20poly1305"
+      ],
+      "files": {
+        "server": "lib/vendor/noble-ciphers.cjs"
+      },
+      "bundler": "esbuild --format=cjs --minify --platform=node",
+      "bundledAt": "2026-04-25",
+      "hashes": {
+        "server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
+      }
+    },
+    "@noble/post-quantum": {
+      "version": "0.6.1",
+      "license": "MIT",
+      "author": "Paul Miller",
+      "source": "https://github.com/paulmillr/noble-post-quantum",
+      "_about": "FIPS 203 / 204 / 205 PQC algorithms in pure JS. First-class on both server-side and client-side \u00e2\u20ac\u201d interoperable with Node's built-in WebCrypto ML-KEM (a ciphertext encapsulated with Node ML-KEM-1024 decapsulates correctly with b.pqcSoftware.ml_kem_1024 and vice versa). Operators wire it server-side via `b.pqcSoftware.{ml_kem_1024,ml_dsa_87,slh_dsa_shake_256f,...}` (security-first defaults are the highest cat-5 levels), or re-bundle for browser / mobile clients shipping b.middleware.apiEncrypt.client. Older Node versions without the experimental WebCrypto ML-KEM extension can use the vendored bundle as the primary PQC path.",
+      "exports": [
+        "ml_kem512",
+        "ml_kem768",
+        "ml_kem1024",
+        "ml_dsa44",
+        "ml_dsa65",
+        "ml_dsa87",
+        "slh_dsa_sha2_128f",
+        "slh_dsa_sha2_192f",
+        "slh_dsa_sha2_256f",
+        "slh_dsa_shake_128f",
+        "slh_dsa_shake_192f",
+        "slh_dsa_shake_256f"
+      ],
+      "files": {
+        "server": "lib/vendor/noble-post-quantum.cjs"
+      },
+      "bundler": "esbuild --format=cjs --minify --platform=node",
+      "bundledAt": "2026-05-06",
+      "hashes": {
+        "server": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68"
+      }
+    },
+    "@simplewebauthn/server": {
+      "version": "13.3.0",
+      "license": "MIT",
+      "author": "Matthew Miller",
+      "source": "https://github.com/MasterKale/SimpleWebAuthn",
+      "exports": [
+        "generateRegistrationOptions",
+        "verifyRegistrationResponse",
+        "generateAuthenticationOptions",
+        "verifyAuthenticationResponse",
+        "MetadataService"
+      ],
+      "files": {
+        "server": "lib/vendor/simplewebauthn-server.cjs"
+      },
+      "bundler": "esbuild --format=cjs --minify --platform=node --external:crypto --external:node:crypto",
+      "bundledAt": "2026-04-26",
+      "hashes": {
+        "server": "sha256:a9777dca582095d67f17ca24e19a0791de29928555b6b779c2233429175eb3f0"
+      }
+    },
+    "SecLists-common-passwords-top-10000": {
+      "version": "10k-most-common (master)",
+      "license": "CC-BY-3.0",
+      "author": "Daniel Miessler / SecLists contributors",
+      "source": "https://github.com/danielmiessler/SecLists",
+      "_about": "Top 10,000 most-common passwords (breach-derived). Loaded by b.auth.password.policy() to satisfy NIST 800-63B \u00c2\u00a75.1.1.2 'previously breached' check. Operators with deeper enforcement (HIBP downloads, NCSC 100k) layer on top via opts.forbidCommon \u00e2\u20ac\u201d the bundled set is additive.",
+      "files": {
+        "server": "lib/vendor/common-passwords-top-10000.txt",
+        "data_js": "lib/vendor/common-passwords-top-10000.data.js"
+      },
+      "bundler": "curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt",
+      "bundledAt": "2026-05-13",
+      "hashes": {
+        "server": "sha256:3c04e3cec775a7d0e21e544d33810dd434cccdb02e98903ba12e506dd9cd01bd",
+        "data_js": "sha256:87b223beca89f33d2c2c32a2cfda0bc187e58061de40e7127bb5ffc4258c6e2a"
+      },
+      "runtime_artifact": "lib/vendor/common-passwords-top-10000.data.js",
+      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)"
+    },
+    "bimi-trust-anchors": {
+      "version": "operator-managed",
+      "license": "BIMI Group / per-issuer",
+      "author": "BIMI Group / DigiCert / Entrust",
+      "source": "https://bimigroup.org/",
+      "_about": "RFC 9091 BIMI Group Verified Mark trust-anchor bundle (PEM, concatenated). Loaded by lib/mail-bimi.js for VMC + CMC chain validation. Source-tree default is empty-of-PEM (operators populate via the documented refresh procedure in the file header); call-site overrides via b.mail.bimi.fetchAndVerifyMark({ trustAnchorsPem }) are supported. Refresh procedure pulls https://www.digicert.com/CACerts/DigiCertVerifiedMarkRootCA.pem + https://web.entrust.com/root-certificates/entrust_verified_mark_root_g3.cer and concatenates them into the file.",
+      "exports": [
+        "bimi-vmc-trust-anchors"
+      ],
+      "files": {
+        "server": "lib/vendor/bimi-trust-anchors.pem",
+        "data_js": "lib/vendor/bimi-trust-anchors.data.js"
+      },
+      "bundler": "operator-managed (see file header for refresh procedure)",
+      "bundledAt": "2026-05-13",
+      "hashes": {
+        "server": "sha256:81ff9f5ab3c9774132c845684e783be95cf73146f8b670d964105f0a3765b4b4",
+        "data_js": "sha256:aa7a4d33b65a68422a2a2c1670177689f66fdcaa08bd2514d78798b827bd1608"
+      },
+      "runtime_artifact": "lib/vendor/bimi-trust-anchors.data.js",
+      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)"
+    },
+    "publicsuffix-list": {
+      "version": "master",
+      "license": "MPL-2.0",
+      "author": "Mozilla Foundation",
+      "source": "https://publicsuffix.org/list/public_suffix_list.dat",
+      "_about": "Mozilla Public Suffix List \u00e2\u20ac\u201d canonical catalog of effective top-level domains used by b.publicSuffix to derive organizational domains for DMARCbis (psd= / np=), BIMI, cookie-scope checks, and same-site policies. Loaded at module-init from lib/vendor/public-suffix-list.dat; the file is the data, not a code bundle.",
+      "files": {
+        "server": "lib/vendor/public-suffix-list.dat",
+        "data_js": "lib/vendor/public-suffix-list.data.js"
+      },
+      "bundler": "curl https://publicsuffix.org/list/public_suffix_list.dat",
+      "bundledAt": "2026-05-13",
+      "hashes": {
+        "server": "sha256:f15642cea028662c39d380caa9ddfbe36c81466e3a82f8f4b10703d83760295c",
+        "data_js": "sha256:b4b6ae76fdacbfe07683c4ea62761326f42894c2ccf4359f253bbcab9826ed04"
+      },
+      "runtime_artifact": "lib/vendor/public-suffix-list.data.js",
+      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)"
+    },
+    "peculiar-pki": {
+      "version": "2.0.0+pkijs-3.4.0",
+      "license": "MIT",
+      "author": "Peculiar Ventures",
+      "source": "https://github.com/PeculiarVentures",
+      "_about": "Meta-bundle of @peculiar/x509 + pkijs + reflect-metadata + every transitive ASN.1 schema package. Used by lib/mtls-engine-default.js as the pure-JS CA + PKCS#12 engine wired into b.mtlsCa.",
+      "components": {
+        "@peculiar/x509": "https://github.com/PeculiarVentures/x509",
+        "pkijs": "https://github.com/PeculiarVentures/PKI.js"
+      },
+      "exports": [
+        "x509",
+        "pkijs",
+        "crypto"
+      ],
+      "files": {
+        "server": "lib/vendor/pki.cjs"
+      },
+      "bundler": "esbuild --format=cjs --minify --platform=node --external:crypto --external:node:crypto",
+      "bundledAt": "2026-04-29",
+      "hashes": {
+        "server": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77"
+      }
+    }
+  }
+}