@blamejs/core 0.9.8 → 0.9.12

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.12 (2026-05-13) — **Republish of v0.9.10 / v0.9.11 — `npm audit signatures` grep widened for the npm-message variant that fires post-v0.9.11**. The publish workflow's "Verify npm registry signing chain" step treats an empty-tree result as success (the framework's zero-runtime-deps posture means `npm audit signatures --omit dev` finds nothing to audit). The exact phrasing has drifted across npm versions: older npm prints `found no installed dependencies to audit`; newer npm (the version on the GH Actions runner post-v0.9.11) prints `found no dependencies to audit that were installed from a supported registry`. The shell guard's grep only matched the older phrasing, so v0.9.11's publish failed at the audit-signatures gate even though every other step succeeded. The grep is now `no (installed )?dependencies to audit` — covers both known empty-tree variants. v0.9.10's broken-smoke fix (added `npm install` before smoke) plus v0.9.12's audit-signatures-grep fix together complete the publish-pipeline repair. v0.9.12 is functionally identical to v0.9.10's intended surface. Operators stuck at v0.9.9 (because v0.9.10 + v0.9.11 never reached the npm registry) jump directly to v0.9.12.
+- v0.9.11 (2026-05-13) — **Republish of v0.9.10 — npm-publish.yml now installs devDependencies before smoke**. v0.9.10's tag was pushed and the GitHub release published, but `npm-publish.yml`'s Framework-smoke step ran `node test/smoke.js` without first running `npm install`. The new bundler-output gate added in v0.9.10 requires `esbuild` (a devDependency) to be present, so the publish workflow failed at the smoke step before reaching the publish step — the v0.9.10 npm tarball was never published. The fix adds `npm install --no-audit --no-fund` to `.github/workflows/npm-publish.yml` directly before the smoke step (mirroring the same fix already present in `.github/workflows/ci.yml`). Operators consuming via `npm install @blamejs/core` should pull v0.9.11; functionally identical to the intended-v0.9.10 surface. Zero runtime deps invariant preserved.
+- v0.9.10 (2026-05-13) — **Bundler-output e2e gate** — `test/layer-5-integration/bundler-output.test.js`. Bundles the framework via `esbuild --bundle --platform=node` (also `--minify`), runs the bundled consumer, and asserts the four-layer vendor-data integrity surface (dual-hash + SLH-DSA signature + canary) survives bundling. The PSL canary roundtrips through `b.publicSuffix.isPublicSuffix(...)` after bundle exec — proves the `.data.js` payloads physically reached the bundle bytes, not just the runtime require shape. Plus a byte-search sentinel that grep's the produced bundle for the canary tokens directly (defense-in-depth, independent failure mode from the runtime path). Plus a SEA gate (Linux + Node >= 22 only) that runs `--experimental-sea-config` + `postject` to produce an actual single-executable binary and runs it. The whole class of bugs — dynamic-require breaks bundling, SEA `assets` map missing, esbuild static-trace failures — is now smoke-gated. Had this test existed when v0.9.8 published, it would have refused that release at smoke-time (the v0.9.8 dynamic-require defect produced bundles that exited with `vendor-data/module-missing` on first vendor-data access; this gate's `BUNDLE-OK psl=co.uk entries=3` stdout-check refuses that exit). No framework-surface changes.
+- v0.9.9 (2026-05-13) — **`b.vendorData`: replace dynamic `require(variable)` with static literal-string requires so SEA / esbuild / pkg bundling actually works**. v0.9.8 shipped `b.vendorData` to remove `__dirname`-relative `fs.readFileSync` calls and make the loader packaging-mode-invariant. The implementation looked up each `.data.js` module via `require(entry.module)` where `entry.module` was read from a frozen lookup table — a *dynamic* require, opaque to every bundler's static-analysis pass. esbuild, webpack, ncc, rollup, pkg, nexe, Bun's bundler, and Deno's bundler all trace `require("./literal")` calls; none of them trace `require(variable)`. Result: the three `.data.js` payload modules never made it into SEA / pkg / esbuild bundles, defeating the v0.9.8 promise at boot ("vendor-data/module-missing" thrown by every consumer that bundled the framework). v0.9.9 replaces the lookup with a `_MODULES` table whose three values are each a top-level `var X = require("./vendor/<name>.data")` — literal string, statically traceable. Caught by hermitstash-sync operator review post-v0.9.8 publish. Net surface change: zero (the public `b.vendorData.get` / `getAsString` / `verifyAll` / `inventory` shape is identical); the fix is internal-only. **New codebase-patterns drift detector** `testNoDynamicRequires` refuses any future `require(variable)` in `lib/`; legitimate operator-extensibility points (`b.cli`, migrations, seeders) carry an explicit `allow:dynamic-require` marker with rationale. **Operators upgrade from v0.9.8 to v0.9.9 if they bundle the framework via SEA / esbuild / pkg / Bun-compile** — direct `node` consumers were unaffected (Node's runtime require always resolves dynamic strings correctly).
 - v0.9.8 (2026-05-13) — **`b.vendorData` — packaging-mode-invariant + signed + canary-guarded loader for vendored data files**. The three plaintext vendor data files (`public-suffix-list.dat`, `common-passwords-top-10000.txt`, `bimi-trust-anchors.pem`) are now loaded via inline `Buffer.from(base64)` modules (`<name>.data.js`), eliminating the `__dirname`-relative `fs.readFileSync` paths that broke under Single Executable Application (SEA), `pkg`, `nexe`, esbuild, Bun compile, Deno compile, and AWS Lambda layer bundling. Every load runs four orthogonal integrity checks before returning a byte: SHA-256 + SHA3-512 + SLH-DSA-SHAKE-256f signature against the maintainer's pinned public key (`lib/vendor/.vendor-data-pubkey`) + in-payload canary entry that the parsed structure must surface. Tamper at any layer throws `VendorDataError` at module-load — fail-fast rather than first-request-touches-PSL surprise. **Public API**: `b.vendorData.get(name)` returns the verified Buffer; `b.vendorData.getAsString(name)` returns UTF-8 string; `b.vendorData.verifyAll()` runs all four layers across every registered vendor data file and is invoked at framework boot; `b.vendorData.inventory()` returns per-file metadata (name, source, fetchedAt, sha256, sha3_512, signedBy, canary, byteLength, description) for compliance reporting + SBOM emission. **Migrated call sites**: `b.publicSuffix` (PSL load), `b.auth.password._loadBundledCommon` (common-passwords), `b.mail.bimi` (trust anchors) now route through `b.vendorData` — removes any downstream consumer's need to patch the loader for SEA / bundler builds. **Maintainer signing infrastructure**: vendor data files signed at refresh time by a maintainer-held SLH-DSA-SHAKE-256f keypair (private key stays in `.keys/` and is never committed; public key ships in `lib/vendor/.vendor-data-pubkey` in every npm tarball). Adds a fourth orthogonal trust root alongside SSH-signed release tags + SLSA L3 npm provenance + Sigstore-keyless SBOM signatures. **MANIFEST.json**: per-vendor-data entry gains `runtime_artifact` + `integrity_layers` + dual-file `hashes` (raw `.dat/.txt/.pem` + companion `.data.js`). **New scripts**: `scripts/vendor-data-keygen.js` (one-time keypair generation), `scripts/vendor-data-gen.js` (generator invoked by `scripts/vendor-update.sh --refresh-data`).
 - v0.9.7 (2026-05-13) — **SECURITY.md: release-tag verification path documented + signed-tag invariant from v0.9.7+**. SECURITY.md gains a "Verifying release authenticity" section documenting how operators verify a release tag's authenticity independently of GitHub's UI. The maintainer Ed25519 SSH signing key fingerprint (`SHA256:5oF/XWhFpMde9TRfEX2GAHiApAq/MXOS4vti5zQbD7g`) is published alongside the public-key retrieval URL (`https://github.com/dotCooCoo.keys`) and a `git tag -v` recipe that bypasses the "Verified" badge. From v0.9.7 onward, every release tag is an annotated SSH-signed tag; the repository's `release-tags` ruleset's `required_signatures` rule refuses any unsigned or lightweight tag push at the server side. Earlier tags (v0.9.6 and prior) remain as lightweight commits and don't verify via `git tag -v`; they continue to verify via the SLSA L3 npm provenance + Sigstore-keyless SBOM signatures already attached to those releases (the `cosign verify-blob` recipe is in the same SECURITY.md section). No framework-surface changes; this release ships the documentation + invariant only.
 - v0.9.6 (2026-05-12) — **`b.vex` (OASIS CSAF 2.1 VEX) + framework-control compliance posture sweep**. *(PR feedback: CSAF-conformance fixes folded in pre-merge — `cwes` is now a list per §3.2.3.4 instead of a singleton `cwe` field; CWE alone is no longer accepted as a vulnerability identity per §3.2.3.2 (operator supplies `cveId` or `ids[]: [{ systemName, text }]` per §3.2.3.5); TLP allowlist corrected to TLP 2.0 (FIRST 2022) per §3.2.1.12.1.1 — `CLEAR / GREEN / AMBER / AMBER+STRICT / RED` (added the previously-omitted `AMBER+STRICT` restriction tier and removed the legacy TLP 1.0 `WHITE` label, which was renamed `CLEAR` in TLP 2.0). Public opt name `cwe` is now `cweId` to mirror `cveId`; this is a v0.9.6 surface that never shipped to npm so the rename is not a breaking change.)* Closes the framework-side findings from the 2026-05-11 exceptd framework-gap-analysis (49 gaps across CVE-triage / framework-compliance / threat-modeling / AI-security / identity-assurance / crypto-posture / supply-chain / sector-specific). **`b.vex.statement({ cveId, status, productIds, justification?, impactStatement?, references?, firstReleased?, lastUpdated? })`** builds an OASIS CSAF 2.1 §3.2.3 vulnerability statement with `product_status` keyed by status enum (`known_not_affected` / `affected` / `fixed` / `under_investigation`), `flags[].label` for §3.2.2.7 justifications (`component_not_present` / `vulnerable_code_not_present` / `vulnerable_code_not_in_execute_path` / `vulnerable_code_cannot_be_controlled_by_adversary` / `inline_mitigations_already_exist`), and `notes[].text` for impact narrative. Refuses missing CVE/CWE id, malformed CVE shape, unknown status, missing productIds, and `known_not_affected` without justification. **`b.vex.document({ documentId, title, publisher, trackingId, trackingVersion, currentReleaseDate, initialReleaseDate, statements, tlp? })`** assembles the §3.2 CSAF document envelope with category `csaf_vex`, csaf_version `2.1`, publisher category `vendor`, tracking status `final`, and `distribution.tlp.label` (default `CLEAR`; refuses non-TLP labels). **`b.vex.serialize(doc)`** routes through `b.canonicalJson.stringify` for byte-stable sorted-key output then re-indents at 2 spaces for human-diffable artifacts. Exports `STATUS_VALUES` / `JUSTIFICATION_VALUES` / `TLP_LABELS` / `CSAF_VERSION` / `VexError`. **25 new compliance postures** added to `b.compliance.KNOWN_POSTURES` (with matching `POSTURE_DEFAULTS` cascade entries): `nist-800-53` (NIST SP 800-53 Rev 5 control catalog), `nist-ai-rmf-1.0` (NIST AI Risk Management Framework 1.0), `iso-42001-2023` (AI management systems), `iso-23894-2023` (AI risk management guidance), `owasp-llm-top-10-2025` (LLM application risk catalog), `owasp-asvs-v5.0` (Application Security Verification Standard v5.0), `nist-800-218-ssdf` (Secure Software Development Framework), `nist-800-82-r3` (industrial control systems), `nist-800-63b-rev4` (digital identity authenticator guidance), `iec-62443-3-3` (industrial security), `fedramp-rev5-moderate` (federal cloud baseline), `hipaa-security-rule` (45 CFR §164.302-318 administrative + technical safeguards), `hitrust-csf-v11.4` (healthcare common security framework), `nerc-cip-007-6` (bulk electric system cyber asset security), `psd2-rts-sca` (PSD2 Regulatory Technical Standards for Strong Customer Authentication), `swift-cscf-v2026` (SWIFT Customer Security Controls Framework 2026), `slsa-v1.0-build-l3` (SLSA build-track L3 provenance), `vex-csaf-2.1` (the standard `b.vex` emits), `cyclonedx-v1.6` (already shipped via `sbom.cdx.json`), `spdx-v3.0` (SPDX 3.0 software bill of materials), `owasp-wstg-v5` (Web Security Testing Guide v5), `ptes` (Penetration Testing Execution Standard), `nist-800-115` (technical guide to information security testing), `cwe-top-25-2024` (CWE most dangerous software weaknesses 2024), `cis-controls-v8` (Center for Internet Security Critical Controls v8), `cmmc-2.0-level-2` (DoD CMMC Level 2 advanced; complements the existing `cmmc-2.0` posture). Each cascade entry encodes the regime's data-tier mandate (encrypted backups + signed audit chain + TLS 1.3 minimum + vacuum-after-erase where applicable).

package/lib/cli.js

@@ -426,14 +426,20 @@ var API_SNAPSHOT_USAGE = [
 ].join("\n");
 
 function _resolveTargetModule(modulePath, ctx) {
-  // Default: load index.js from the framework root (one level up from lib/cli.js)
+  // Default: load index.js from the framework root (one level up from lib/cli.js).
+  // Dynamic require by design — the CLI loads either the framework root index.js
+  // or an operator-supplied module path from the command line. Operator-
+  // extensibility surfaces by definition can't be statically traced by a
+  // bundler — anyone bundling this CLI surface into SEA/pkg accepts that
+  // runtime --module=<path> arguments won't resolve. Internal framework
+  // code never reaches this path.
   if (!modulePath) {
     var root = path.resolve(__dirname, "..");
-    return require(path.join(root, "index.js"));
+    return require(path.join(root, "index.js"));   // allow:dynamic-require — operator-extensibility entry point
   }
   var abs = path.isAbsolute(modulePath) ? modulePath : path.resolve(ctx.cwd, modulePath);
   delete require.cache[require.resolve(abs)];
-  return require(abs);
+  return require(abs);                              // allow:dynamic-require — operator-extensibility entry point
 }
 
 function _runApiSnapshot(args, ctx) {

package/lib/db-schema.js

@@ -283,7 +283,10 @@ function runMigrations(database, migrationDir) {
     var fullPath = path.join(migrationDir, file);
     var mig;
     try {
-      mig = require(fullPath);
+      // Operator-supplied migration file — by definition not statically
+      // require-able by a bundler. Anyone bundling this surface into SEA
+      // accepts that runtime migration loading won't resolve.
+      mig = require(fullPath);   // allow:dynamic-require — operator-supplied migration
     } catch (e) {
       throw new Error("migration '" + file + "' failed to load: " + e.message);
     }

package/lib/external-db-migrate.js

@@ -290,7 +290,10 @@ function _loadMigration(file, dir) {
   // new content. Matches lib/migrations.js semantics.
   try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }
   var mod;
-  try { mod = require(fullPath); }
+  // Operator-supplied migration file — dynamic by design, won't survive
+  // SEA / pkg bundling. External DB migration tooling is host-CLI scope,
+  // not framework-internal scope.
+  try { mod = require(fullPath); }   // allow:dynamic-require — operator-supplied migration
   catch (e) {
     throw _err("externaldb-migrate/load-failed",
       "migration '" + file + "' failed to load: " + ((e && e.message) || String(e)));

package/lib/migrations.js

@@ -241,7 +241,9 @@ function _loadMigration(file, dir) {
   // keeps test fixtures sane.
   try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }
   var mod;
-  try { mod = require(fullPath); }
+  // Operator-supplied migration — dynamic by design, can't be bundle-
+  // traced. Host-CLI scope; deploying via SEA / pkg drops this surface.
+  try { mod = require(fullPath); }   // allow:dynamic-require — operator-supplied migration
   catch (e) {
     throw new MigrationError("migrations/load-failed",
       "migration '" + file + "' failed to load: " + ((e && e.message) || String(e)),

package/lib/seeders.js

@@ -176,7 +176,9 @@ function _loadSeed(rootDir, env, file) {
   // between calls picks it up. Production restarts the process anyway.
   try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }
   var mod;
-  try { mod = require(fullPath); }
+  // Operator-supplied seed — dynamic by design, can't be bundle-traced.
+  // Host-CLI scope; deploying via SEA / pkg drops this surface.
+  try { mod = require(fullPath); }   // allow:dynamic-require — operator-supplied seed
   catch (e) {
     throw _err("LOAD_FAILED",
       "seed '" + env + "/" + file + "' failed to load: " + ((e && e.message) || String(e)));

package/lib/vendor-data.js

@@ -52,21 +52,46 @@ var pqcSoftware = require("./pqc-software");
 // rotates (scripts/vendor-data-keygen.js).
 var PUBKEY_PEM = require("./vendor/vendor-data-pubkey");
 
+// Static require()s — every modern bundler (esbuild, webpack, ncc,
+// rollup, Bun's bundler, Deno's bundler) traces these at bundle time
+// only when the require() argument is a STRING LITERAL. A dynamic
+// `require(variable)` is opaque to static analysis: bundlers can't
+// determine what files to include, so the .data.js payloads silently
+// fall out of the SEA / pkg / nexe / esbuild blob and the SEA-mode
+// promise of v0.9.8 is defeated at boot. Each require below sits at
+// column 0 with a literal-string argument so static analysis traces
+// them; codebase-patterns enforces this via the testNoDynamicRequires
+// + testNoInlineRequires detectors.
+var _PSL_DATA           = require("./vendor/public-suffix-list.data");
+var _COMMON_PW_DATA     = require("./vendor/common-passwords-top-10000.data");
+var _BIMI_ANCHORS_DATA  = require("./vendor/bimi-trust-anchors.data");
+
+var _MODULES = {
+  "public-suffix-list":         _PSL_DATA,
+  "common-passwords-top-10000": _COMMON_PW_DATA,
+  "bimi-trust-anchors":         _BIMI_ANCHORS_DATA,
+};
+
 var VendorDataError = defineClass("VendorDataError", { alwaysPermanent: true });
 
 // KNOWN_VENDOR_DATA — the canonical list of vendored data names. Each
-// entry maps name → `<name>.data.js` module + the canary token the
-// payload must contain after parse (where applicable). Adding a new
-// vendored data file: append to this table, ship the `.data.js`,
-// migrate the caller. The framework's drift detector
-// (codebase-patterns) refuses any `.data.js` not registered here.
+// entry carries the canary token the payload must contain after parse
+// (where applicable) and a description for the inventory surface.
+//
+// The `module` string is documentation-only as of v0.9.9 — the runtime
+// uses the `_MODULES` table above (static literal-string requires) so
+// bundlers can statically trace the .data.js dependency. The `module`
+// field stays exported for downstream tooling that inspects
+// `b.vendorData.KNOWN_VENDOR_DATA[name].module` for diagnostics or
+// vendor-refresh tooling. NEVER call `require(entry.module)` — dynamic
+// require(variable) breaks SEA / esbuild / pkg bundling.
 var KNOWN_VENDOR_DATA = Object.freeze({
   "public-suffix-list": {
     module: "./vendor/public-suffix-list.data",
     canary: "_blamejs_canary_v0_9_8_.local",
-    // Canary parse check — operator-side `b.publicSuffix.isPublicSuffix(canary)` MUST return true after the PSL parser ingests
-    // the data. The check is run by `verifyAll()` at boot via the
-    // caller-supplied canaryCheck closure registered in the .data.js.
+    // Canary parse check — operator-side `b.publicSuffix.isPublicSuffix(canary)`
+    // MUST return true after the PSL parser ingests the data. The check
+    // is run by every `get()` via the .data.js's canaryCheck closure.
     description: "Mozilla Public Suffix List (PSL). Used by b.publicSuffix for organizational-domain + public-suffix lookups.",
   },
   "common-passwords-top-10000": {
@@ -102,14 +127,13 @@ function _loadAndVerify(name) {
       "Registered names: " + Object.keys(KNOWN_VENDOR_DATA).join(", "));
   }
 
-  var mod;
-  try {
-    mod = require(entry.module);
-  } catch (e) {
+  var mod = _MODULES[name];
+  if (!mod) {
     throw new VendorDataError("vendor-data/module-missing",
-      "vendorData: '" + name + "' module not loadable at " + entry.module +
-      " — has scripts/vendor-update.sh --refresh-data been run? " +
-      "(" + (e && e.message ? e.message : "unknown error") + ")");
+      "vendorData: '" + name + "' .data.js module not statically " +
+      "require'd by lib/vendor-data.js. Add the literal-string require " +
+      "to the _MODULES table at the top of the file — dynamic " +    // allow:dynamic-require — diagnostic message text
+      "require(variable) breaks SEA / esbuild bundling.");           // allow:dynamic-require — diagnostic message text
   }
 
   // Module-shape gate
@@ -298,7 +322,7 @@ function inventory() {
     var name = names[i];
     var entry = KNOWN_VENDOR_DATA[name];
     _loadAndVerify(name);
-    var mod = require(entry.module);
+    var mod = _MODULES[name];
     var meta = mod.metadata;
     out.push({
       name:        name,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.8",
+  "version": "0.9.12",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",
@@ -74,6 +74,8 @@
     "prepack": "node scripts/check-pack-against-gitignore.js",
     "check:vendor-currency": "node scripts/check-vendor-currency.js"
   },
-  "dependencies": {},
-  "devDependencies": {}
+  "devDependencies": {
+    "esbuild": "0.28.0",
+    "postject": "1.0.0-alpha.6"
+  }
 }

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:b2d344e9-ce35-4d60-9617-51bdb1f2c4a4",
+  "serialNumber": "urn:uuid:d4b77800-e22b-4c36-be2e-cecdcb0c34da",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-13T13:08:39.464Z",
+    "timestamp": "2026-05-13T16:54:10.092Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.8",
+      "bom-ref": "@blamejs/core@0.9.12",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.8",
+      "version": "0.9.12",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.8",
+      "purl": "pkg:npm/%40blamejs/core@0.9.12",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.8",
+      "ref": "@blamejs/core@0.9.12",
       "dependsOn": []
     }
   ]