@blamejs/blamejs-shop 0.0.122 → 0.0.124

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.0.x
 
+- v0.0.124 (2026-05-24) — **Save for later — move cart items into a holding list and back.** Each cart line now has a "Save for later" control that moves the item out of the cart into a per-customer holding list without losing it. Saved items live on a new account page where they can be moved back to the cart or removed. Moving an item back reprices it to the current catalog price and checks stock first, so a saved item that sold out (and isn't backorderable) can't silently re-enter the cart. Login-required, since the list is scoped to one customer. **Added:** *Save-for-later control on cart lines* — Each editable cart line gets a Save-for-later control. `POST /cart/lines/:line_id/save` moves the line out of the cart into the customer's saved list (`moveFromCart`). Login-gated — a signed-out shopper is redirected to sign in. · *`/account/saved` — the holding list* — A new account page lists saved items with a thumbnail, the saved price for reference, and Move-to-cart / Remove controls. Items whose product was archived render as "no longer available" rather than breaking the list. The account dashboard links to it (alongside Wishlist). · *Move back to cart, repriced + stock-checked* — `POST /saved/:save_id/move-to-cart` returns the item to the session cart at the current catalog price (not the stale snapshot) and refuses if the SKU is out of stock and not backorderable. `POST /saved/:save_id/remove` drops a saved row.
+
+- v0.0.123 (2026-05-24) — **Wishlist — save products to your account, with social-proof counts on the product page.** Signed-in customers can now save products to a wishlist from the product page. A "N shoppers saved this" count surfaces social proof, and saved items live on a new account page where they can be removed or reopened. The save control and count render identically on the edge and container paths; the toggle is idempotent (saving twice is a no-op, toggling again removes) and login-gated, since a wishlist is scoped to one customer. **Added:** *Save to wishlist on the product page* — The PDP renders a "Save to wishlist" control and, once any customer has saved it, a "N shoppers saved this" social-proof count. Both render server-side on the edge and container paths. The count is public; the save action requires sign-in. · *`/account/wishlist` — saved items* — A new account page lists the customer's saved products with a thumbnail, a link back to the product, and a Remove control. Entries whose product was archived render as "no longer available" rather than breaking the list (wishlist rows are orphan-tolerant by design). The account dashboard links to it. · *`POST /wishlist/toggle`* — Login-required endpoint that saves the product if it isn't saved and removes it if it is. Idempotent (`INSERT OR IGNORE`). Redirects back to the product by resolving its canonical slug from the product id, or to a safe same-origin `return_to` (the account page's Remove uses it) — a forged or off-site redirect target is rejected.
+
 - v0.0.122 (2026-05-24) — **Product reviews on the storefront — verified-buyer submission, operator moderation, and rich-snippet ratings.** The product page now shows customer reviews: an average rating, a per-star distribution, and the published review list, with `AggregateRating` structured data so star ratings can surface in search results. Submission is gated to signed-in customers who have actually purchased the product — the route confirms a completed order for that product before accepting a review, and re-checks on submit. Reviews land in a pending state; operators publish or reject them through new bearer-token admin endpoints. Display and structured data are identical whether the page is served at the edge or from the container. **Added:** *Reviews on the product page* — The PDP renders an average rating, a per-star distribution bar chart, and the published reviews (newest first, verified-buyer badge, date). Products with no reviews show an invite to be the first. Rendered server-side on both the edge and container paths. · *Verified-buyer review submission* — `GET /products/:slug/review` shows the review form to a signed-in customer who has purchased the product; everyone else is redirected to sign in or told only verified buyers can review. `POST /products/:slug/review` re-checks the purchase before accepting the review, so a direct POST can't bypass the gate. Submitted reviews start pending. · *Operator review moderation* — `GET /admin/reviews?status=pending` lists the moderation queue across all products; `GET /admin/reviews/:id` reads one; `POST /admin/reviews/:id/publish` and `POST /admin/reviews/:id/reject` move it. Bearer-token-gated like the rest of the admin API. Pending and rejected reviews never appear on the storefront. · *`AggregateRating` structured data* — The product page emits Schema.org `AggregateRating` (rating value + review count) nested in the existing `Product` JSON-LD when published reviews exist, so eligible products can show star ratings in search results. Omitted entirely at zero reviews to stay valid. The container render path now emits the full `Product` + `AggregateOffer` + `BreadcrumbList` JSON-LD that the edge already did. · *`order.hasPurchasedProduct(customerId, productId)`* — Existence check — true when the customer has an order line for any variant of the product in an order that reached `paid` or later (excludes `pending` and `cancelled`). Backs the review purchase gate. · *`reviews.listByStatus(status, opts)`* — Lists reviews across all products by status, newest first, with the same opaque tuple cursor as `listForProduct`. Backs the admin moderation queue.
 
 - v0.0.121 (2026-05-24) — **Codebase-patterns detector blocks SHA3 primitives in `worker/` — prevents the regression that broke newsletter signup.** v0.0.120 fixed the newsletter signup by routing the POST to the container instead of computing `b.crypto.namespaceHash` (SHA3-512) at the edge — Workers' `nodejs_compat` doesn't expose SHA3-family digests. New `worker-uses-sha3-primitive` codebase-patterns detector flags any `b.crypto.{sha3Hash, hmacSha3, namespaceHash, shake256, shake512, hkdfSha3}(...)` call under `worker/` so the next operator can't re-introduce the substrate-mismatch bug. Catalog grows 121 → 122. Detector targets the exact SHA3-family primitive names rather than a general regex match — Worker code that legitimately uses `b.crypto.toBase64Url`, `b.crypto.timingSafeEqual`, `b.crypto.generateBytes`, `b.crypto.hmacSha256` (the Stripe webhook augment), etc. is unaffected. **Added:** *`worker-uses-sha3-primitive` detector* — Flags `b.crypto.sha3Hash(...)`, `hmacSha3(...)`, `namespaceHash(...)`, `shake256(...)`, `shake512(...)`, and `hkdfSha3(...)` in any file under `worker/`. Catches the substrate-mismatch class that broke v0.0.92's edge newsletter handler (live for 28 versions before being routed back to the container in v0.0.120). When edge code needs a stable hash: route to the container OR use `b.crypto.hmacSha256` IFF both sides read with the same SHA-256 path. Never have one substrate write SHA3 and another read SHA-256 — silent divergence breaks cross-substrate lookups (e.g. unsubscribe-by-email_hash).

package/README.md

@@ -64,6 +64,8 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/storefront.js`** | Server-rendered HTML — utility bar + sticky header + dark hero with code-preview card + primitives marquee + featured-product callout + collections grid + framework feature band + designed catalog grid + newsletter band + four-column footer. Designed surfaces also for PDP, cart, checkout, pay, order, account login / register / dashboard, search results, `/admin` API landing, 404. Image-bearing cards on the home + search grids pull from `catalog.media`. The default theme stylesheet is external (R2-served `themes/default/assets/css/main.css`) and CSP-compliant — operators override by uploading a replacement at the same key, by passing `opts.theme_css` to renderers, or by registering a named theme through the `theme` primitive. |
 | **`lib/customers.js`** | Customer accounts — passkey-only (WebAuthn). Email is stored hash-only (`b.crypto.namespaceHash` namespace `customer-email`); the raw address never lands in D1. Passkey credentials carry CBOR-encoded public keys, transport hints, and SHA3-512-fingerprinted attestation. Account routes (`/account/login`, `/account/register`, `/account`) ship as designed cards on the storefront. |
 | **`lib/reviews.js`** | Operator-moderated product ratings. Submission requires a signed-in customer **and** a verified purchase — `/products/:slug/review` confirms a completed order for the product (via `order.hasPurchasedProduct`) before accepting, re-checked on POST; reviews land `pending`. Author identity is hash-only (`b.crypto.namespaceHash`); the raw email is never stored. The PDP renders the average, per-star distribution, and published reviews with `AggregateRating` JSON-LD. `/admin/reviews` is the moderation queue (`listByStatus` → publish / reject). |
+| **`lib/wishlist.js`** | Per-customer saved products. The PDP renders a login-gated "Save to wishlist" toggle and a "N shoppers saved this" social-proof count; `/account/wishlist` lists saved items (remove + reopen, orphan-tolerant when a product is archived). `POST /wishlist/toggle` is idempotent (`INSERT OR IGNORE`) and redirects to the canonical product slug or a safe same-origin `return_to`. UUID-shape-validated ids, `b.pagination` HMAC cursors. |
+| **`lib/save-for-later.js`** | Per-customer cart holding list. Each cart line gets a login-gated "Save for later" control (`POST /cart/lines/:id/save` → `moveFromCart`); `/account/saved` lists items with Move-to-cart / Remove. `moveToCart` reprices to the current catalog price and stock-gates (out-of-stock + non-backorderable is refused). Composes `catalog.inventory` + `catalog.prices` + `catalog.variants`. |
 | **`lib/subscriptions.js`** | Stripe-backed recurring billing — `subscription_plans` (interval / amount / trial) + `subscriptions` (mirrors Stripe's object byte-for-byte). `subscriptions.create` POSTs to Stripe via the payment dep, then persists the returned object locally. `handleStripeEvent` replays `customer.subscription.*` events into the local row so the shop has an authoritative view without round-tripping. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
 | **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. |
@@ -82,6 +84,8 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 - `migrations-d1/0009_subscriptions.sql` — subscription_plans + subscriptions (Stripe-mirrored)
 - `migrations-d1/0010_newsletter_signups.sql` — email signups with hash-based dedup
 - `migrations-d1/0011_reviews.sql` — operator-moderated product reviews (hash-only author identity)
+- `migrations-d1/0012_wishlist.sql` — per-customer saved products (unique customer + product + variant)
+- `migrations-d1/0041_save_for_later.sql` — per-customer cart holding list (price snapshot + source line)
 
 ### Demo seed
 

package/SECURITY.md

@@ -92,8 +92,8 @@ node -e "
 
 | Purpose                           | Algorithm  | Fingerprint               |
 |-----------------------------------|------------|---------------------------|
-| Maintainer commit/tag signing key | SSH-ED25519 | *(populate on first signed tag — see below)* |
-| Release-signing public key        | ML-DSA-65 (FIPS 204) | `0d9d241e23c333201911afd6d6d0b0ba9a2feb4f60bf5fdd976bb33e0678f7ff0ec3db816c3cb2d9caf50c681caf8b04939ffe8cf4652eae9e6c90c988bfb87e` (SHA3-512 of `keys/release-pqc-pub.json#publicKey`) |
+| Maintainer commit/tag signing key | SSH-ED25519 | `SHA256:5oF/XWhFpMde9TRfEX2GAHiApAq/MXOS4vti5zQbD7g` (cross-check against `https://github.com/<maintainer>.keys` — see below) |
+| Release-signing public key        | ML-DSA-65 (FIPS 204) | `d40e1e2b06a2509271cc3cf76bd34c63d2fbb093f42e1e1f6b349288900ec044509ca183b3d735cda003d80eb6cf5d80fd9181ad897889e1c1f701d61b7902c9` (SHA3-512 of `keys/release-pqc-pub.json#publicKey`) |
 
 To populate the maintainer SSH fingerprint:
 ```

package/lib/storefront.js

@@ -676,6 +676,7 @@ var PRODUCT_PAGE =
   "          </table>\n" +
   "        </div>\n" +
   "      </div>\n" +
+  "      RAW_WISHLIST_PLACEHOLDER\n" +
   "    </div>\n" +
   "  </div>\n" +
   "  RAW_REVIEWS_PLACEHOLDER\n" +
@@ -900,6 +901,158 @@ function _reviewMessagePage(opts, heading, message, cta) {
   });
 }
 
+// Remove control for a wishlist entry — a form POST back through the
+// toggle route with `return_to` so the customer lands back on the
+// account page (not the product PDP the default toggle returns to).
+function _wishlistRemoveForm(productId, esc) {
+  return "<form class=\"wishlist-item__remove\" method=\"post\" action=\"/wishlist/toggle\">" +
+           "<input type=\"hidden\" name=\"product_id\" value=\"" + esc(productId) + "\">" +
+           "<input type=\"hidden\" name=\"return_to\" value=\"/account/wishlist\">" +
+           "<button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Remove</button>" +
+         "</form>";
+}
+
+// Account "Saved items" page. `opts.items` is a resolved list:
+// { product, hero_media } for live products, or { product: null,
+// product_id } for entries whose product was archived/deleted (the
+// wishlist row is orphan-tolerant by design — render "unavailable",
+// never crash the listing).
+function renderWishlist(opts) {
+  var esc = _b().template.escapeHtml;
+  var items = opts.items || [];
+  var prefix = opts.asset_prefix || "/assets/";
+  var rowsHtml = "";
+  for (var i = 0; i < items.length; i += 1) {
+    var it = items[i];
+    if (!it.product) {
+      rowsHtml +=
+        "<li class=\"wishlist-item wishlist-item--gone\">" +
+          "<span class=\"wishlist-item__title\">This item is no longer available.</span>" +
+          _wishlistRemoveForm(it.product_id, esc) +
+        "</li>";
+      continue;
+    }
+    var slug = esc(it.product.slug);
+    var thumb = it.hero_media
+      ? "<img src=\"" + esc(prefix + it.hero_media.r2_key) + "\" alt=\"" + esc(it.hero_media.alt_text || it.product.title) + "\" loading=\"lazy\">"
+      : "<span class=\"wishlist-item__mark\" aria-hidden=\"true\">" + esc((it.product.title || "?").trim().charAt(0).toUpperCase() || "?") + "</span>";
+    rowsHtml +=
+      "<li class=\"wishlist-item\">" +
+        "<a class=\"wishlist-item__media\" href=\"/products/" + slug + "\">" + thumb + "</a>" +
+        "<div class=\"wishlist-item__body\">" +
+          "<a class=\"wishlist-item__title\" href=\"/products/" + slug + "\">" + esc(it.product.title) + "</a>" +
+          "<a class=\"wishlist-item__view card-link\" href=\"/products/" + slug + "\">View product →</a>" +
+        "</div>" +
+        _wishlistRemoveForm(it.product.id, esc) +
+      "</li>";
+  }
+  var inner = rowsHtml
+    ? "<ul class=\"wishlist-list\">" + rowsHtml + "</ul>"
+    : "<p class=\"wishlist-empty\">You haven't saved anything yet. Browse the shop and tap <strong>Save to wishlist</strong> on products you want to keep an eye on.</p>";
+  var body =
+    "<section class=\"account-wishlist\">" +
+      "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
+        "<li><a href=\"/account\">Account</a></li>" +
+        "<li aria-current=\"page\">Saved items</li>" +
+      "</ol></nav>" +
+      "<h1 class=\"account-wishlist__title\">Saved items</h1>" +
+      inner +
+    "</section>";
+  return _wrap({
+    title:      "Saved items",
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
+// Account "Saved for later" page. `opts.items` is a resolved list:
+// { save, product, hero_media } for live products, or { save,
+// product: null } when the variant/product behind a saved row was
+// archived (orphan-tolerant — render "no longer available").
+function renderSaved(opts) {
+  var esc = _b().template.escapeHtml;
+  var items = opts.items || [];
+  var prefix = opts.asset_prefix || "/assets/";
+  var rowsHtml = "";
+  for (var i = 0; i < items.length; i += 1) {
+    var it = items[i];
+    var save = it.save;
+    var moveForm =
+      "<form method=\"post\" action=\"/saved/" + esc(save.id) + "/move-to-cart\">" +
+        "<button type=\"submit\" class=\"btn-secondary btn-secondary--sm\">Move to cart</button></form>";
+    var removeForm =
+      "<form method=\"post\" action=\"/saved/" + esc(save.id) + "/remove\">" +
+        "<button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Remove</button></form>";
+    if (!it.product) {
+      // Archived/unavailable product — only Remove. Move-to-cart can't
+      // succeed (no current price / stock), so don't offer it.
+      rowsHtml +=
+        "<li class=\"saved-item saved-item--gone\">" +
+          "<span class=\"saved-item__title\">" + esc(save.sku) + " — no longer available</span>" +
+          "<div class=\"saved-item__actions\">" + removeForm + "</div>" +
+        "</li>";
+      continue;
+    }
+    var actions = "<div class=\"saved-item__actions\">" + moveForm + removeForm + "</div>";
+    var slug = esc(it.product.slug);
+    var thumb = it.hero_media
+      ? "<img src=\"" + esc(prefix + it.hero_media.r2_key) + "\" alt=\"" + esc(it.hero_media.alt_text || it.product.title) + "\" loading=\"lazy\">"
+      : "<span class=\"saved-item__mark\" aria-hidden=\"true\">" + esc((it.product.title || "?").trim().charAt(0).toUpperCase() || "?") + "</span>";
+    var priceStr = pricing.format(Number(save.snapshot_price_minor) || 0, "USD");
+    rowsHtml +=
+      "<li class=\"saved-item\">" +
+        "<a class=\"saved-item__media\" href=\"/products/" + slug + "\">" + thumb + "</a>" +
+        "<div class=\"saved-item__body\">" +
+          "<a class=\"saved-item__title\" href=\"/products/" + slug + "\">" + esc(it.product.title) + "</a>" +
+          "<span class=\"saved-item__meta\">Qty " + (Number(save.quantity) || 1) + " &middot; " + esc(priceStr) + " <span class=\"saved-item__snapshot\">(saved price)</span></span>" +
+        "</div>" +
+        actions +
+      "</li>";
+  }
+  var inner = rowsHtml
+    ? "<ul class=\"saved-list\">" + rowsHtml + "</ul>"
+    : "<p class=\"saved-empty\">Nothing saved for later. Use <strong>Save for later</strong> on a cart item to move it here without losing it.</p>";
+  var body =
+    "<section class=\"account-saved\">" +
+      "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
+        "<li><a href=\"/account\">Account</a></li>" +
+        "<li aria-current=\"page\">Saved for later</li>" +
+      "</ol></nav>" +
+      "<h1 class=\"account-saved__title\">Saved for later</h1>" +
+      inner +
+    "</section>";
+  return _wrap({
+    title:      "Saved for later",
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
+// Product-level "Save to wishlist" control + social-proof count.
+// Byte-compatible with the edge renderer (`worker/render/product.js`)
+// so both paths emit identical markup. Action-only label — the toggle
+// route resolves add/remove server-side against the sealed session.
+function _buildWishlist(productId, count) {
+  var esc = _b().template.escapeHtml;
+  var n = Number(count) || 0;
+  var countHtml = n > 0
+    ? "<span class=\"wishlist__count\">" + n + (n === 1 ? " shopper saved this" : " shoppers saved this") + "</span>"
+    : "";
+  return "<div class=\"wishlist\">" +
+           "<form class=\"wishlist__form\" method=\"post\" action=\"/wishlist/toggle\">" +
+             "<input type=\"hidden\" name=\"product_id\" value=\"" + esc(productId) + "\">" +
+             "<button type=\"submit\" class=\"btn-secondary wishlist__btn\">" +
+               "<span class=\"wishlist__heart\" aria-hidden=\"true\">♡</span> Save to wishlist" +
+             "</button>" +
+           "</form>" +
+           countHtml +
+         "</div>";
+}
+
 // Schema.org JSON-LD block. JSON.stringify covers the standard escapes;
 // the `</` → `<\/` rewrite neutralises any literal `</script>` in a
 // value. Mirrors the edge renderer's `jsonLdScript`.
@@ -933,6 +1086,7 @@ function renderProduct(opts) {
       // theme's `{{{ reviews_html }}}` raw slot. The bundled themes
       // include the slot; a custom theme opts in by adding it.
       reviews_html:   _buildReviews(opts.review_summary, opts.reviews, opts.review_cta),
+      wishlist_html:  _buildWishlist(opts.product.id, opts.wishlist_count),
       asset_css_main: opts.theme.assetUrl("css/main.css"),
     });
   }
@@ -942,6 +1096,7 @@ function renderProduct(opts) {
   if (!rows) rows = "<tr><td colspan=\"4\" class=\"empty\">No variants available.</td></tr>";
   var galleryHtml = _buildPdpGallery(opts.product, opts.media || [], opts.asset_prefix || "/assets/");
   var reviewsHtml = _buildReviews(opts.review_summary, opts.reviews, opts.review_cta);
+  var wishlistHtml = _buildWishlist(opts.product.id, opts.wishlist_count);
   var body = _render(PRODUCT_PAGE, {
     title:        opts.product.title,
     description:  description,
@@ -949,6 +1104,7 @@ function renderProduct(opts) {
   })
     .replace("RAW_GALLERY_PLACEHOLDER", galleryHtml)
     .replace("RAW_ROWS_PLACEHOLDER", rows)
+    .replace("RAW_WISHLIST_PLACEHOLDER", wishlistHtml)
     .replace("RAW_REVIEWS_PLACEHOLDER", reviewsHtml);
   // Product-specific OpenGraph + Twitter Card values so shares
   // unfurl as "Operator Tee — blamejs.shop" with the SVG hero, not
@@ -1074,6 +1230,7 @@ var CART_LINE_EDITABLE =
   "  <td class=\"price\">{{unit}}</td>\n" +
   "  <td class=\"price\">{{total}}</td>\n" +
   "  <td class=\"cart-line__remove-cell\">\n" +
+  "    RAW_CART_LINE_SAVE" +
   "    <form method=\"post\" action=\"/cart/lines/{{line_id}}/remove\">\n" +
   "      <button type=\"submit\" class=\"cart-line__btn cart-line__btn--remove\" aria-label=\"Remove line\">Remove</button>\n" +
   "    </form>\n" +
@@ -1420,10 +1577,18 @@ function renderCart(opts) {
   if (rendered.length === 0) {
     body = CART_EMPTY_PAGE;
   } else {
+    var canSave = !!opts.can_save;
     var rows = rendered.map(function (l) {
       var thumb = l.image_url
         ? "<span class=\"cart-line__thumb\"><img src=\"" + _escAttr(l.image_url) + "\" alt=\"" + _escAttr(l.image_alt) + "\" loading=\"lazy\"></span>"
         : "<span class=\"cart-line__thumb cart-line__thumb--empty\" aria-hidden=\"true\"></span>";
+      // "Save for later" moves the line into the customer's saved list.
+      // Rendered only when the feature is wired (and account auth is
+      // present); the route itself enforces login, redirecting a guest
+      // to sign in.
+      var saveBtn = canSave
+        ? "<form method=\"post\" action=\"/cart/lines/" + _escAttr(l.id) + "/save\"><button type=\"submit\" class=\"cart-line__btn cart-line__btn--save\">Save for later</button></form>"
+        : "";
       return _render(CART_LINE_EDITABLE, {
         sku:            l.sku,
         qty:            l.qty,
@@ -1432,7 +1597,7 @@ function renderCart(opts) {
         line_id:        l.id,
         product_title:  l.product_title,
         product_url:    l.product_url,
-      }).replace("RAW_CART_LINE_THUMB", thumb);
+      }).replace("RAW_CART_LINE_THUMB", thumb).replace("RAW_CART_LINE_SAVE", saveBtn);
     }).join("");
     body = _render(CART_PAGE, {
       line_rows: "RAW_LINES",
@@ -1795,7 +1960,11 @@ var ACCOUNT_DASH_PAGE =
   "      <h1 class=\"section-head__title\">Hi, {{display_name}}</h1>\n" +
   "      <p class=\"section-head__lede\">Your orders + account controls. Every order ships from origin with a Stripe-secured receipt.</p>\n" +
   "    </div>\n" +
-  "    <form method=\"post\" action=\"/account/logout\"><button type=\"submit\" class=\"btn-ghost\">Sign out</button></form>\n" +
+  "    <div class=\"account-dash__actions\">\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/wishlist\">Wishlist</a>\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/saved\">Saved for later</a>\n" +
+  "      <form method=\"post\" action=\"/account/logout\"><button type=\"submit\" class=\"btn-ghost\">Sign out</button></form>\n" +
+  "    </div>\n" +
   "  </header>\n" +
   "  <dl class=\"account-dash__stats\">\n" +
   "    <div><dt>Orders</dt><dd>{{order_count}}</dd></div>\n" +
@@ -2061,6 +2230,13 @@ function mount(router, deps) {
       reviewCta = "<a class=\"btn-secondary reviews__cta\" href=\"/products/" +
         _b().template.escapeHtml(product.slug) + "/review\">Write a review</a>";
     }
+    // Wishlist social-proof count — degrades to 0 on a read failure
+    // (e.g. table not yet migrated) rather than 500-ing the PDP.
+    var wishlistCount = 0;
+    if (deps.wishlist) {
+      try { wishlistCount = await deps.wishlist.countForProduct(product.id); }
+      catch (_e) { wishlistCount = 0; }
+    }
     var html = renderProduct({
       product:        product,
       variants:       variants,
@@ -2069,6 +2245,7 @@ function mount(router, deps) {
       review_summary: reviewSummary,
       reviews:        reviewRows,
       review_cta:     reviewCta,
+      wishlist_count: wishlistCount,
       shop_name:      shopName,
       cart_count:     cartCount,
       theme:          theme,
@@ -2114,6 +2291,7 @@ function mount(router, deps) {
       lines:           lines,
       totals:          totals,
       product_lookup:  productLookup,
+      can_save:        !!(deps.saveForLater && deps.customers),
       shop_name:       shopName,
       theme:           theme,
     }));
@@ -2607,6 +2785,209 @@ function mount(router, deps) {
       return res.end ? res.end() : res.send("");
     });
 
+    // Wishlist — saved products scoped to the logged-in customer.
+    // Mounts when the wishlist primitive is wired.
+    if (deps.wishlist) {
+      // POST /wishlist/toggle — add the product if not saved, remove it
+      // if already saved. Login required (the wishlist is per-customer).
+      // Redirects to `return_to` when it's a safe same-origin path
+      // (the account page's Remove uses it), otherwise back to the
+      // product PDP (the canonical slug is resolved from product_id, so
+      // a forged slug can't drive an open redirect).
+      router.post("/wishlist/toggle", async function (req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          return res.end ? res.end() : res.send("");
+        }
+        var productId = (req.body || {}).product_id;
+        try {
+          var already = await deps.wishlist.isWishlisted({ customer_id: auth.customer_id, product_id: productId });
+          if (already) await deps.wishlist.remove({ customer_id: auth.customer_id, product_id: productId });
+          else         await deps.wishlist.add({ customer_id: auth.customer_id, product_id: productId });
+        } catch (e) {
+          res.status(e instanceof TypeError ? 400 : 500);
+          return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+        }
+        var rt = (req.body || {}).return_to;
+        var dest;
+        if (typeof rt === "string" && /^\/[^/]/.test(rt)) {
+          dest = rt;
+        } else {
+          var product = null;
+          try { product = await deps.catalog.products.get(productId); } catch (_e) { product = null; }
+          dest = product ? ("/products/" + encodeURIComponent(product.slug)) : "/account/wishlist";
+        }
+        res.status(303); res.setHeader && res.setHeader("location", dest);
+        return res.end ? res.end() : res.send("");
+      });
+
+      // GET /account/wishlist — the customer's saved items. Each entry
+      // resolves its product + hero image; an entry whose product was
+      // archived renders as "unavailable" (the row is orphan-tolerant).
+      router.get("/account/wishlist", async function (req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") return _serviceUnavailable(res, "auth not configured");
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          return res.end ? res.end() : res.send("");
+        }
+        var page = await deps.wishlist.listForCustomer(auth.customer_id, { limit: 50 });
+        var items = [];
+        for (var i = 0; i < page.rows.length; i += 1) {
+          var entry = page.rows[i];
+          var product = null;
+          try { product = await deps.catalog.products.get(entry.product_id); } catch (_e) { product = null; }
+          if (!product) { items.push({ product: null, product_id: entry.product_id }); continue; }
+          var media = await deps.catalog.media.listForProduct(product.id);
+          items.push({ product: product, hero_media: media.length ? media[0] : null });
+        }
+        var cartCount = await _cartCountForReq(req);
+        _send(res, 200, renderWishlist({
+          items:        items,
+          shop_name:    shopName,
+          cart_count:   cartCount,
+          asset_prefix: deps.asset_prefix || "/assets/",
+        }));
+      });
+    }
+
+    // Save for later — move a cart line into a per-customer holding
+    // list and back. Login required (the list is per-customer).
+    if (deps.saveForLater) {
+      function _savedAuth(req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          res.end ? res.end() : res.send("");
+          return null;
+        }
+        return auth;
+      }
+
+      // POST /cart/lines/:line_id/save — move the line out of the cart
+      // into the customer's saved list. Redirects back to /cart.
+      router.post("/cart/lines/:line_id/save", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var sid = _readSidCookie(req);
+        var cart = sid ? await deps.cart.bySession(sid) : null;
+        if (!cart) {
+          res.status(303); res.setHeader && res.setHeader("location", "/cart");
+          return res.end ? res.end() : res.send("");
+        }
+        try {
+          await deps.saveForLater.moveFromCart({
+            customer_id: auth.customer_id,
+            cart_id:     cart.id,
+            line_id:     req.params && req.params.line_id,
+          });
+        } catch (e) {
+          res.status(e instanceof TypeError ? 400 : 500);
+          return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/cart");
+        return res.end ? res.end() : res.send("");
+      });
+
+      // GET /account/saved — the customer's saved-for-later list.
+      router.get("/account/saved", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var page = await deps.saveForLater.listForCustomer({ customer_id: auth.customer_id, limit: 50 });
+        var items = [];
+        for (var i = 0; i < page.rows.length; i += 1) {
+          var row = page.rows[i];
+          var product = null;
+          if (row.variant_id) {
+            try {
+              var v = await deps.catalog.variants.get(row.variant_id);
+              if (v) product = await deps.catalog.products.get(v.product_id);
+            } catch (_e) { product = null; }
+          }
+          if (!product) { items.push({ save: row, product: null }); continue; }
+          var media = await deps.catalog.media.listForProduct(product.id);
+          items.push({ save: row, product: product, hero_media: media.length ? media[0] : null });
+        }
+        var cartCount = await _cartCountForReq(req);
+        _send(res, 200, renderSaved({
+          items:        items,
+          shop_name:    shopName,
+          cart_count:   cartCount,
+          asset_prefix: deps.asset_prefix || "/assets/",
+        }));
+      });
+
+      // POST /saved/:save_id/move-to-cart — move a saved row back into
+      // the session cart (created if absent). Redirects to /cart.
+      router.post("/saved/:save_id/move-to-cart", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var resolved = await _getOrCreateCart(req, res, "USD");
+        try {
+          await deps.saveForLater.moveToCart({
+            customer_id: auth.customer_id,
+            save_id:     req.params && req.params.save_id,
+            cart_id:     resolved.cart.id,
+            // Reprice to the live catalog price so the cart never carries
+            // a stale snapshot; the saved page shows the snapshot for
+            // reference only.
+            use_price:   "current",
+          });
+        } catch (e) {
+          if (e instanceof TypeError) {
+            res.status(400);
+            return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+          }
+          // The cart enforces one line per (cart_id, variant_id). If the
+          // shopper re-added this variant before moving the saved copy,
+          // moveToCart's INSERT collides — but the end state they want
+          // (variant in the cart) already holds. Drop the saved row and
+          // treat it as success instead of surfacing a 500. The lib
+          // leaves the save row intact on collision, so removing it here
+          // is what completes the "move".
+          if (/unique|constraint/i.test((e && e.message) || "")) {
+            try {
+              await deps.saveForLater.remove({ customer_id: auth.customer_id, save_id: req.params && req.params.save_id });
+            } catch (_e) { /* drop-silent — the move is already effectively done */ }
+            res.status(303); res.setHeader && res.setHeader("location", "/cart");
+            return res.end ? res.end() : res.send("");
+          }
+          throw e;
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/cart");
+        return res.end ? res.end() : res.send("");
+      });
+
+      // POST /saved/:save_id/remove — drop a saved row.
+      router.post("/saved/:save_id/remove", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        try {
+          await deps.saveForLater.remove({ customer_id: auth.customer_id, save_id: req.params && req.params.save_id });
+        } catch (e) {
+          res.status(e instanceof TypeError ? 400 : 500);
+          return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/account/saved");
+        return res.end ? res.end() : res.send("");
+      });
+    }
+
     // Product reviews — submission requires a logged-in customer AND a
     // verified purchase of the product (the gate, not just a badge).
     // Only mounts when both the reviews primitive and an order handle

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.28",
-      "tag": "v0.12.28",
+      "version": "0.12.29",
+      "tag": "v0.12.29",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.29 (2026-05-24) — **`b.ai.dp` — float-safe differential privacy: snapping-mechanism Laplace + discrete Gaussian + Rényi-DP budgets.** Differential privacy adds calibrated noise so an aggregate is provably insensitive to any single record — but the guarantee is fragile: Mironov (2012) showed that a Laplace mechanism sampled with naive double-precision floats lets an attacker distinguish neighbouring datasets with > 35% probability from a single output, silently destroying the promise. `b.ai.dp` ships only mechanisms whose sampling is hardened against that attack class: Laplace via the snapping mechanism (clamp + CSPRNG sign + full-mantissa uniform + power-of-two-grid rounding) and the discrete Gaussian (Canonne–Kamath–Steinke 2020) via integer-exact rejection sampling built from Bernoulli(exp(−γ)) over exact rationals — no floating-point noise at all. All randomness comes from `b.crypto.generateBytes` (SHAKE256 over the OS CSPRNG), never `Math.random`. `b.ai.dp.budget({ scope, epsilon, delta })` tracks a privacy budget per scope and refuses a `consume` that would exceed it, accounting composition either by basic summation (default) or a Rényi-DP accountant (Mironov 2017) for a much tighter bound under repeated Gaussian releases. NIST SP 800-226 (2025) is the evaluation standard; Dwork & Roth is the canonical reference. The exponential and sparse-vector mechanisms are deferred-with-condition — their float-safe constructions (base-2 / permute-and-flip; snapped SVT) re-open on operator demand, since shipping them float-unsafe would defeat the module's purpose. **Added:** *`b.ai.dp.mechanism({ type, sensitivity, epsilon, ... })` — float-safe noise mechanisms* — `type: "laplace"` is the snapping mechanism (pure ε-DP, real-valued, requires a clamp `bound` the guarantee depends on); `type: "gaussian"` is the discrete Gaussian (integer-valued, (ε, δ)-DP, requires `delta`). The Gaussian uses the classic calibration σ = √(2 ln(1.25/δ))·Δ/ε, proven for ε ≤ 1 — larger ε is refused with a pointer to splitting the release under an rdp budget. Descriptors are validated + frozen at construction so a malformed parameter fails fast. · *`b.ai.dp.budget({ scope, epsilon, delta, accounting })` — per-scope privacy budget* — Returns `{ consume, remaining, spent, reset }`. `consume(mechanism, value)` adds the mechanism's noise, charges the accountant, and throws `aiDp/budget-exhausted` if the release would push the scope past its (ε, δ). `accounting: "basic"` (default) sums per-release ε and δ; `accounting: "rdp"` runs a Rényi-DP accountant across a grid of orders and converts to (ε, δ) at the scope's δ for a tight composition bound under repeated Gaussian releases (requires `delta > 0`). The scope budget is enforced on both ε and δ independently. **Security:** *`b.crypto.generateBytes` uniformity fix at 1-byte length* — Node's SHAKE256 XOF is non-uniform at `outputLength: 1` — the byte values 0x00 and 0xff never occur and the low bit skews to ~0.54. `b.crypto.generateBytes(1)` (and the underlying `random(1)`) now draws at least 2 bytes and slices, so a single-byte CSPRNG request is uniform. Surfaced by `b.ai.dp` per-byte noise sampling; any per-byte consumer of `generateBytes` inherits the fix. A regression test asserts 0x00 / 0xff occur and the low bit is balanced.
+
 - v0.12.28 (2026-05-24) — **`b.ai.capability` — model-capability registry + cheapest-satisfying-model router.** `b.ai.capability.create({ models })` turns a fleet of AI model descriptors into a routing decision: given a set of requirements (context window, input/output modalities, tool use, structured output, reasoning tier, citation support, prompt-caching size), it picks the cheapest model that satisfies all of them. NIST AI RMF (AI 100-1) MAP 2.x requires documenting each model's capabilities and limitations; the Model Cards convention (Mitchell et al., 2019) formalizes that descriptor — this primitive makes the descriptor actionable. Routing to the cheapest sufficient model is a front-line defense against over-provisioning spend and composes directly with `b.ai.quota`'s `cost-usd` dimension (the chosen descriptor's rate feeds the budget charge); refusing to route a request to a model that cannot satisfy it (missing modality, too-small context window, no tool use) catches a capability mismatch before the inference call burns tokens on a guaranteed-bad result. Cost ranking uses a supplied `costBasis` (`{ inputTokens, outputTokens }`) for real per-call spend, else the sum of the per-1k rates; ties break by model id so the choice is deterministic across calls and nodes. **Added:** *`b.ai.capability.create({ models })` — capability registry + router* — Returns `{ describe, list, register, satisfies, route }`. A descriptor carries `maxContextTokens`, `maxOutputTokens`, `modalitiesIn` / `modalitiesOut` (arrays), `toolUse`, `structuredOutput`, `fineTunable`, `reasoningTier` (`none` / `basic` / `standard` / `advanced`, ordered), `citationSupport`, `promptCachingMaxTokens`, and the cost rates `costPer1kInputTokens` / `costPer1kOutputTokens`. Descriptors are validated + frozen at registration so a typo (negative cost, unknown reasoning tier, non-array modality list) surfaces at config time rather than as a silent mis-route. `describe(modelId)` returns the frozen descriptor; `register(modelId, descriptor)` adds or replaces one at runtime. · *`route({ requirements, fallback?, costBasis? })` — cheapest-satisfying selection* — Collects every model whose descriptor satisfies all requirements, then returns the cheapest (`{ modelId, descriptor, estimatedCost, reason }`). Requirements: `minContextTokens`, `minOutputTokens`, `modalitiesIn` / `modalitiesOut` (model must support every listed modality), `toolUse`, `structuredOutput`, `fineTunable`, `minReasoningTier` (tier ordering — `standard` is met by `standard` or `advanced`), `citationSupport`, `minPromptCachingTokens`. When no model matches, `fallback` (a registered model id) is returned with `reason: "fallback"`, or the call refuses with `aiCapability/no-candidate` if no fallback was supplied. Routing decisions emit `ai/capability-routed` / `ai/capability-fallback` / `ai/capability-no-candidate` through the drop-silent audit chain. · *`satisfies(modelId, requirements)` — precise capability-mismatch reasons* — Returns `{ ok, failures }` where each failure names the `requirement`, the `need`, and what the model `have`s — so a caller surfaces a precise reason (e.g. `minReasoningTier need advanced have basic`) instead of a bare boolean. Use it to explain a routing miss or to gate a request against a specific model before calling it.
 
 - v0.12.27 (2026-05-24) — **`b.ai.quota` — per-tenant, per-model AI usage budgets with atomic consume-and-check.** `b.ai.quota.create(opts)` builds an enforcer that caps AI inference usage per `(tenant, model, dimension, period)` and defends OWASP LLM Top 10 2025 LLM10 (Unbounded Consumption) — the class that includes denial-of-wallet, where an attacker drives a high volume of pay-per-use inferences until the bill itself is the attack. Meter by `tokens`, `requests`, `cost-usd`, or `compute-hours` over a calendar-aligned UTC window (`second` through `month`). `consume(tenant, model, amount)` is a single atomic check-and-charge: under the default `hard` enforcement it reserves the amount only if it fits under the ceiling, otherwise it refuses without charging — the limit test and the charge are one indivisible operation, so there is no charge-then-refund window for a concurrent call to observe. The in-memory counter is per-process; multi-node deployments supply an `opts.store` adapter whose `reserve` (an atomic conditional test-and-charge — a Redis Lua script, a SQL `UPDATE ... WHERE used + :amt <= :limit RETURNING used`) and `add` are atomic on the shared backend to enforce one aggregate ceiling across the cluster without false denials under contention. Limit resolution is most-specific-first: `perTenantModel` over `perTenant` over `perModel` over the default `limit`; tenant and model identifiers are percent-encoded into the counter key so a hostile tenant name cannot collide with another tenant's budget. **Added:** *`b.ai.quota.create(opts)` — per-tenant AI usage-budget enforcer* — Returns `{ consume, check, snapshot, reset }` scoped to one `dimension` (`tokens` / `requests` / `cost-usd` / `compute-hours`) and one `period` (`second` / `minute` / `hour` / `day` / `week` (Monday-aligned) / `month` (1st-of-month), all UTC-aligned). `consume(tenant, model, amount, opts?)` returns `{ used, limit, remaining, allowed, exceeded, windowStart, resetsAt, ... }`. `check(tenant, model)` is the read-only snapshot. Spin up one enforcer per dimension you meter — a monthly `cost-usd` budget and a per-minute `tokens` burst cap coexist as two `create()` calls sharing one store. Defends OWASP LLM10:2025 Unbounded Consumption / denial-of-wallet; maps to NIST AI RMF (AI 100-1) MANAGE 2.x and EU AI Act Art. 15 (robustness / resource-exhaustion resilience). · *`hard` / `soft` / `warn` enforcement* — `hard` (default) refuses the over-budget call and throws `aiQuota/exceeded` without charging — the rejected reservation is refunded so the counter is untouched. `soft` admits the charge but reports `allowed: false` so the caller decides whether to honor it. `warn` admits and allows (advisory), flagging `exceeded: true`. A per-call `consume(..., { enforcement })` override lets one endpoint soften the mode for a trusted internal caller without a second enforcer. Every over-budget event emits `ai/quota-exceeded` through the drop-silent audit chain (`ai/quota-applied` on success), tagged with the active cluster node id for attribution. · *Cross-node aggregate budgets via `opts.store`* — The default counter is in-memory (per-process). Supply `opts.store` exposing atomic `reserve` / `add` / `get` / `reset` (a Redis Lua script, a shared SQL row) and the ceiling is enforced on the cluster-wide aggregate. `hard` mode goes through `reserve`, an atomic conditional test-and-charge that adds the amount only if it fits — so a concurrent over-budget call cannot transiently inflate the counter and falsely deny a smaller call that should fit. Per-tenant and per-model limit overrides (`perTenant` / `perModel` / `perTenantModel`) are validated at config time so a malformed cap surfaces at boot, not as a silent fall-through to the default.

package/lib/vendor/blamejs/README.md

@@ -182,6 +182,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Audit + segregation** — 21 CFR Part 11 §11.10(e) audit-content gate + §11.50(b) electronicSignature (`b.fda21cfr11`); PCI DSS 4.0 Req 10.4.1.1 daily-review automation (`b.auditDailyReview`); SOX §404 + SOC 2 CC1.3 segregation-of-duties via Postgres trigger DDL (`b.audit.bindActor`, `b.audit.assertSegregation`)
 - **Change control + WORM** — m-of-n approver DDL change-control with maintenance-window + ML-DSA-87 signed proposals (`b.ddlChangeControl`); row-level WORM triggers boot-asserted under `sec-17a-4` / `finra-4511` / `fda-21cfr11` (`b.db.declareWorm`); dual-control physical delete + crypto-erase + REINDEX in one transaction (`b.db.declareRequireDualControl`, `b.db.eraseHard`)
 - **Consumer-protection** — FTC click-to-cancel UX-parity attestation (`ftc-2024` / `ca-sb942` / `strict`) (`b.darkPatterns`)
+- **Differential privacy** — float-safe DP for aggregate releases: snapping-mechanism Laplace (Mironov 2012) + discrete Gaussian (Canonne–Kamath–Steinke 2020), CSPRNG noise, per-scope ε/δ budgets with basic + Rényi-DP accounting; defends the floating-point distinguishing attack that breaks naive Laplace samplers (NIST SP 800-226) (`b.ai.dp`)
 - **Privacy / DSR** — GDPR Articles 15–22 / CCPA / CPRA / LGPD / PIPEDA data-subject-rights workflow (`b.dsr`); IAB TCF v2.3 consent-string parser + `disclosedVendors` validator (`b.iabTcf`); IAB MSPA / GPP universal-opt-out (USNAT / USCA / USVA / USCO / USCT / USUT) + GPC mirror (`b.iabMspa`); generic consent capture + withdrawal (`b.consent`)
 - **Incident reporters** — EU DORA Article 17 ICT-incident workflow per Commission Delegated Regulation 2024/1772 (`b.dora`); EU NIS2 (`b.nis2`); EU Cyber Resilience Act SBOM + secure-software-attestation (`b.cra`); SEC Form 8-K Item 1.05 cybersecurity-incident materiality-disclosure (`b.secCyber`); incident lifecycle coordinator (`b.incident`)
 - **Outbound DLP** — interceptor-installed on httpClient + mail + webhook with built-in detectors for PAN (Luhn), SSN, EIN, IBAN (mod-97), api-key shapes, PEM, SSH private keys, JWTs, AWS access keys, PHI composite; refuse / redact / audit-only verdicts under pci-dss / hipaa / fapi2 / soc2 / gdpr presets (`b.redact.installOutboundDlp`)

package/lib/vendor/blamejs/SECURITY.md

@@ -342,6 +342,7 @@ This is the minimum-viable security posture for a production deployment. The fra
 - [ ] For OAuth / OIDC RP callbacks: call `b.auth.oauth.parseCallback(query, opts?)` BEFORE consuming `code` — validates RFC 9207 AS Issuer Identifier (refuses iss-mismatch + OP `error=` redirects + state-mismatch CSRF). For FAPI 2.0 deployments add `b.fapi2.assertCallback(query)` (refuses missing iss; refuses bare-param under `fapi-2.0-message-signing` posture, requiring JARM `response`) and `b.fapi2.assertAuthzRequest(authzParams)` BEFORE issuing the redirect (refuses non-JAR authorization requests). For refresh-token flows, pass `seen({ jti, iss })` to `b.auth.oauth.refreshAccessToken` so reuse of an already-rotated token refuses BEFORE the HTTP exchange (RFC 9700 §4.13 / OAuth 2.1 §6.1)
 - [ ] For Model Context Protocol servers exposing tools to LLM agents: wire `b.mcp.toolResult.sanitize(result, { posture: "refuse" })` over EVERY tool output before returning it to the model — defends OWASP LLM07 (sensitive tool output / prompt-injection echo back into the agent loop), refuses dangerous-HTML + off-allowlist URLs. Wrap each tool's input handler with `b.mcp.validateToolInput(toolName, input, schema)` (JSON Schema 2020-12 subset — `type` / `properties` / `required` / `enum` / `const` / length + range caps) so an LLM-supplied argument shape that doesn't match refuses BEFORE the tool runs. Define each tool's required scopes via `b.mcp.capability.create(scopes)` and gate execution on `cap.satisfiedBy(grantedScopes)` (LLM08 least-privilege)
 - [ ] For AI inference endpoints (especially pay-per-use provider models): wire `b.ai.quota.create({ dimension, period, limit, enforcement: "hard" })` and call `quota.consume(tenant, model, amount)` BEFORE every inference — caps tokens / requests / cost-usd / compute-hours per tenant per window so one tenant cannot run up an unbounded bill (OWASP LLM10:2025 unbounded consumption / denial-of-wallet). For multi-node deployments supply an `opts.store` whose `reserve` (atomic conditional test-and-charge) + `add` are atomic on the shared backend (Redis Lua / a SQL `UPDATE ... WHERE used + :amt <= :limit`) so the ceiling is enforced on the cluster-wide aggregate, not per-process
+- [ ] For endpoints returning aggregate statistics over personal data (counts / sums / means / histograms): add calibrated noise with `b.ai.dp` and gate spend with `b.ai.dp.budget({ scope, epsilon, delta })` — use `type: "laplace"` (snapping mechanism) or `type: "gaussian"` (discrete Gaussian), NEVER a hand-rolled `Math.random`-based noise generator: a naive double-precision Laplace sampler lets an attacker distinguish neighbouring datasets from a single output (Mironov 2012), silently breaking the guarantee. Track the per-scope ε/δ budget so repeated queries can't be averaged to cancel the noise
 - [ ] For data with a TTL (GDPR Art. 17, PCI 3.1, retention windows): declare retention rules via `b.retention.create({ db, audit }).declare({ name, table, ageField, ttlMs, action: "erase" })` and run on a `b.scheduler` cadence; honour legal-hold via `legalHoldField`
 - [ ] For write-once-read-many object archives (SEC 17a-4, FINRA, HIPAA-shaped retention): create the bucket with `b.objectStore.bucketOps.create(name, { objectLockEnabled: true })` (Object Lock can ONLY be flipped at create time), apply a default retention via `setObjectLockConfiguration(name, { mode: "COMPLIANCE", years })`, and pin individual objects with `setObjectRetention(name, key, { mode, retainUntil })` or `setObjectLegalHold(name, key, "ON")` — `COMPLIANCE` cannot be shortened or bypassed by anyone (including root); pick deliberately
 - [ ] At boot, before any outbound socket opens: call `b.network.bootFromEnv({ env: process.env, audit: b.audit })` so operator-supplied NTP / DNS / proxy / DPI-trust / TCP socket settings (`BLAMEJS_NTP_*`, `BLAMEJS_DNS_*`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`, `BLAMEJS_EXTRA_CA_CERTS`, `BLAMEJS_SOCKET_*`) apply uniformly