@blamejs/blamejs-shop 0.0.123 → 0.0.126

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.0.x
 
+- v0.0.126 (2026-05-24) — **Address book — saved shipping and billing addresses on the account page.** Signed-in customers can now keep a book of addresses at /account/addresses: add, edit, set a default shipping or billing address, and remove. Addresses are per-customer; every action that targets a specific address first confirms it belongs to the signed-in customer, so a guessed id can't read or change someone else's address. **Added:** *Address book at `/account/addresses`* — List, add, and edit saved addresses (recipient, company, two street lines, city, region, postal code, ISO country, phone). The account dashboard links to it. A blank product catalog isn't required — this is account surface only. · *Default shipping / billing* — Mark one address as the default shipping and one as the default billing; promoting a new default clears the previous one. Surfaced as badges on each card. · *Ownership-checked mutations* — Edit, update, set-default, and remove all resolve the address by id and verify it belongs to the signed-in customer before acting — a foreign or guessed id returns 404, never another customer's data. Add/edit re-render the form with the validation message on bad input.
+
+- v0.0.124 (2026-05-24) — **Save for later — move cart items into a holding list and back.** Each cart line now has a "Save for later" control that moves the item out of the cart into a per-customer holding list without losing it. Saved items live on a new account page where they can be moved back to the cart or removed. Moving an item back reprices it to the current catalog price and checks stock first, so a saved item that sold out (and isn't backorderable) can't silently re-enter the cart. Login-required, since the list is scoped to one customer. **Added:** *Save-for-later control on cart lines* — Each editable cart line gets a Save-for-later control. `POST /cart/lines/:line_id/save` moves the line out of the cart into the customer's saved list (`moveFromCart`). Login-gated — a signed-out shopper is redirected to sign in. · *`/account/saved` — the holding list* — A new account page lists saved items with a thumbnail, the saved price for reference, and Move-to-cart / Remove controls. Items whose product was archived render as "no longer available" rather than breaking the list. The account dashboard links to it (alongside Wishlist). · *Move back to cart, repriced + stock-checked* — `POST /saved/:save_id/move-to-cart` returns the item to the session cart at the current catalog price (not the stale snapshot) and refuses if the SKU is out of stock and not backorderable. `POST /saved/:save_id/remove` drops a saved row.
+
 - v0.0.123 (2026-05-24) — **Wishlist — save products to your account, with social-proof counts on the product page.** Signed-in customers can now save products to a wishlist from the product page. A "N shoppers saved this" count surfaces social proof, and saved items live on a new account page where they can be removed or reopened. The save control and count render identically on the edge and container paths; the toggle is idempotent (saving twice is a no-op, toggling again removes) and login-gated, since a wishlist is scoped to one customer. **Added:** *Save to wishlist on the product page* — The PDP renders a "Save to wishlist" control and, once any customer has saved it, a "N shoppers saved this" social-proof count. Both render server-side on the edge and container paths. The count is public; the save action requires sign-in. · *`/account/wishlist` — saved items* — A new account page lists the customer's saved products with a thumbnail, a link back to the product, and a Remove control. Entries whose product was archived render as "no longer available" rather than breaking the list (wishlist rows are orphan-tolerant by design). The account dashboard links to it. · *`POST /wishlist/toggle`* — Login-required endpoint that saves the product if it isn't saved and removes it if it is. Idempotent (`INSERT OR IGNORE`). Redirects back to the product by resolving its canonical slug from the product id, or to a safe same-origin `return_to` (the account page's Remove uses it) — a forged or off-site redirect target is rejected.
 
 - v0.0.122 (2026-05-24) — **Product reviews on the storefront — verified-buyer submission, operator moderation, and rich-snippet ratings.** The product page now shows customer reviews: an average rating, a per-star distribution, and the published review list, with `AggregateRating` structured data so star ratings can surface in search results. Submission is gated to signed-in customers who have actually purchased the product — the route confirms a completed order for that product before accepting a review, and re-checks on submit. Reviews land in a pending state; operators publish or reject them through new bearer-token admin endpoints. Display and structured data are identical whether the page is served at the edge or from the container. **Added:** *Reviews on the product page* — The PDP renders an average rating, a per-star distribution bar chart, and the published reviews (newest first, verified-buyer badge, date). Products with no reviews show an invite to be the first. Rendered server-side on both the edge and container paths. · *Verified-buyer review submission* — `GET /products/:slug/review` shows the review form to a signed-in customer who has purchased the product; everyone else is redirected to sign in or told only verified buyers can review. `POST /products/:slug/review` re-checks the purchase before accepting the review, so a direct POST can't bypass the gate. Submitted reviews start pending. · *Operator review moderation* — `GET /admin/reviews?status=pending` lists the moderation queue across all products; `GET /admin/reviews/:id` reads one; `POST /admin/reviews/:id/publish` and `POST /admin/reviews/:id/reject` move it. Bearer-token-gated like the rest of the admin API. Pending and rejected reviews never appear on the storefront. · *`AggregateRating` structured data* — The product page emits Schema.org `AggregateRating` (rating value + review count) nested in the existing `Product` JSON-LD when published reviews exist, so eligible products can show star ratings in search results. Omitted entirely at zero reviews to stay valid. The container render path now emits the full `Product` + `AggregateOffer` + `BreadcrumbList` JSON-LD that the edge already did. · *`order.hasPurchasedProduct(customerId, productId)`* — Existence check — true when the customer has an order line for any variant of the product in an order that reached `paid` or later (excludes `pending` and `cancelled`). Backs the review purchase gate. · *`reviews.listByStatus(status, opts)`* — Lists reviews across all products by status, newest first, with the same opaque tuple cursor as `listForProduct`. Backs the admin moderation queue.

package/README.md

@@ -65,6 +65,8 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/customers.js`** | Customer accounts — passkey-only (WebAuthn). Email is stored hash-only (`b.crypto.namespaceHash` namespace `customer-email`); the raw address never lands in D1. Passkey credentials carry CBOR-encoded public keys, transport hints, and SHA3-512-fingerprinted attestation. Account routes (`/account/login`, `/account/register`, `/account`) ship as designed cards on the storefront. |
 | **`lib/reviews.js`** | Operator-moderated product ratings. Submission requires a signed-in customer **and** a verified purchase — `/products/:slug/review` confirms a completed order for the product (via `order.hasPurchasedProduct`) before accepting, re-checked on POST; reviews land `pending`. Author identity is hash-only (`b.crypto.namespaceHash`); the raw email is never stored. The PDP renders the average, per-star distribution, and published reviews with `AggregateRating` JSON-LD. `/admin/reviews` is the moderation queue (`listByStatus` → publish / reject). |
 | **`lib/wishlist.js`** | Per-customer saved products. The PDP renders a login-gated "Save to wishlist" toggle and a "N shoppers saved this" social-proof count; `/account/wishlist` lists saved items (remove + reopen, orphan-tolerant when a product is archived). `POST /wishlist/toggle` is idempotent (`INSERT OR IGNORE`) and redirects to the canonical product slug or a safe same-origin `return_to`. UUID-shape-validated ids, `b.pagination` HMAC cursors. |
+| **`lib/save-for-later.js`** | Per-customer cart holding list. Each cart line gets a login-gated "Save for later" control (`POST /cart/lines/:id/save` → `moveFromCart`); `/account/saved` lists items with Move-to-cart / Remove. `moveToCart` reprices to the current catalog price and stock-gates (out-of-stock + non-backorderable is refused). Composes `catalog.inventory` + `catalog.prices` + `catalog.variants`. |
+| **`lib/addresses.js`** | Per-customer address book at `/account/addresses` — add / edit / set default shipping or billing / remove. One-default-per-role invariant (promoting clears the prior). Every by-id route confirms the address belongs to the signed-in customer before acting (a guessed id returns 404). `b.guardUuid` ids, 2-char ISO country. |
 | **`lib/subscriptions.js`** | Stripe-backed recurring billing — `subscription_plans` (interval / amount / trial) + `subscriptions` (mirrors Stripe's object byte-for-byte). `subscriptions.create` POSTs to Stripe via the payment dep, then persists the returned object locally. `handleStripeEvent` replays `customer.subscription.*` events into the local row so the shop has an authoritative view without round-tripping. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
 | **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. |
@@ -84,6 +86,8 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 - `migrations-d1/0010_newsletter_signups.sql` — email signups with hash-based dedup
 - `migrations-d1/0011_reviews.sql` — operator-moderated product reviews (hash-only author identity)
 - `migrations-d1/0012_wishlist.sql` — per-customer saved products (unique customer + product + variant)
+- `migrations-d1/0041_save_for_later.sql` — per-customer cart holding list (price snapshot + source line)
+- `migrations-d1/0026_customer_addresses.sql` — per-customer address book (default shipping/billing flags)
 
 ### Demo seed
 

package/lib/storefront.js

@@ -967,6 +967,173 @@ function renderWishlist(opts) {
   });
 }
 
+// Account "Saved for later" page. `opts.items` is a resolved list:
+// { save, product, hero_media } for live products, or { save,
+// product: null } when the variant/product behind a saved row was
+// archived (orphan-tolerant — render "no longer available").
+function renderSaved(opts) {
+  var esc = _b().template.escapeHtml;
+  var items = opts.items || [];
+  var prefix = opts.asset_prefix || "/assets/";
+  var rowsHtml = "";
+  for (var i = 0; i < items.length; i += 1) {
+    var it = items[i];
+    var save = it.save;
+    var moveForm =
+      "<form method=\"post\" action=\"/saved/" + esc(save.id) + "/move-to-cart\">" +
+        "<button type=\"submit\" class=\"btn-secondary btn-secondary--sm\">Move to cart</button></form>";
+    var removeForm =
+      "<form method=\"post\" action=\"/saved/" + esc(save.id) + "/remove\">" +
+        "<button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Remove</button></form>";
+    if (!it.product) {
+      // Archived/unavailable product — only Remove. Move-to-cart can't
+      // succeed (no current price / stock), so don't offer it.
+      rowsHtml +=
+        "<li class=\"saved-item saved-item--gone\">" +
+          "<span class=\"saved-item__title\">" + esc(save.sku) + " — no longer available</span>" +
+          "<div class=\"saved-item__actions\">" + removeForm + "</div>" +
+        "</li>";
+      continue;
+    }
+    var actions = "<div class=\"saved-item__actions\">" + moveForm + removeForm + "</div>";
+    var slug = esc(it.product.slug);
+    var thumb = it.hero_media
+      ? "<img src=\"" + esc(prefix + it.hero_media.r2_key) + "\" alt=\"" + esc(it.hero_media.alt_text || it.product.title) + "\" loading=\"lazy\">"
+      : "<span class=\"saved-item__mark\" aria-hidden=\"true\">" + esc((it.product.title || "?").trim().charAt(0).toUpperCase() || "?") + "</span>";
+    var priceStr = pricing.format(Number(save.snapshot_price_minor) || 0, "USD");
+    rowsHtml +=
+      "<li class=\"saved-item\">" +
+        "<a class=\"saved-item__media\" href=\"/products/" + slug + "\">" + thumb + "</a>" +
+        "<div class=\"saved-item__body\">" +
+          "<a class=\"saved-item__title\" href=\"/products/" + slug + "\">" + esc(it.product.title) + "</a>" +
+          "<span class=\"saved-item__meta\">Qty " + (Number(save.quantity) || 1) + " &middot; " + esc(priceStr) + " <span class=\"saved-item__snapshot\">(saved price)</span></span>" +
+        "</div>" +
+        actions +
+      "</li>";
+  }
+  var inner = rowsHtml
+    ? "<ul class=\"saved-list\">" + rowsHtml + "</ul>"
+    : "<p class=\"saved-empty\">Nothing saved for later. Use <strong>Save for later</strong> on a cart item to move it here without losing it.</p>";
+  var body =
+    "<section class=\"account-saved\">" +
+      "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
+        "<li><a href=\"/account\">Account</a></li>" +
+        "<li aria-current=\"page\">Saved for later</li>" +
+      "</ol></nav>" +
+      "<h1 class=\"account-saved__title\">Saved for later</h1>" +
+      inner +
+    "</section>";
+  return _wrap({
+    title:      "Saved for later",
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
+// One labelled text input for the address form. `required` and other
+// attrs are passed through; `value` is pre-filled (escaped) for edit.
+function _addrField(name, labelText, value, opts) {
+  var esc = _b().template.escapeHtml;
+  opts = opts || {};
+  var attrs = "";
+  if (opts.required) attrs += " required";
+  if (opts.maxlength) attrs += " maxlength=\"" + opts.maxlength + "\"";
+  if (opts.pattern) attrs += " pattern=\"" + esc(opts.pattern) + "\"";
+  if (opts.autocomplete) attrs += " autocomplete=\"" + esc(opts.autocomplete) + "\"";
+  var req = opts.required ? " <span class=\"form-field__req\" aria-hidden=\"true\">*</span>" : "";
+  return "<label class=\"form-field\">" +
+           "<span class=\"form-field__label\">" + esc(labelText) + req + "</span>" +
+           "<input type=\"text\" name=\"" + esc(name) + "\" value=\"" + esc(value == null ? "" : String(value)) + "\"" + attrs + ">" +
+         "</label>";
+}
+
+// Shared add/edit address form. `addr` pre-fills for edit (null = add).
+function _addressForm(action, addr, submitLabel) {
+  var esc = _b().template.escapeHtml;
+  addr = addr || {};
+  function _checked(v) { return Number(v) === 1 ? " checked" : ""; }
+  return "<form class=\"address-form form-stack\" method=\"post\" action=\"" + esc(action) + "\">" +
+    _addrField("recipient_name", "Recipient name", addr.recipient_name, { required: true, maxlength: 120, autocomplete: "name" }) +
+    _addrField("label", "Label (e.g. Home, Work)", addr.label, { maxlength: 60 }) +
+    _addrField("company", "Company", addr.company, { maxlength: 120, autocomplete: "organization" }) +
+    _addrField("street_line1", "Street address", addr.street_line1, { required: true, maxlength: 200, autocomplete: "address-line1" }) +
+    _addrField("street_line2", "Apt / suite / unit", addr.street_line2, { maxlength: 200, autocomplete: "address-line2" }) +
+    "<div class=\"form-row form-row--inline\">" +
+      _addrField("city", "City", addr.city, { required: true, maxlength: 120, autocomplete: "address-level2" }) +
+      _addrField("region", "State / region", addr.region, { maxlength: 120, autocomplete: "address-level1" }) +
+    "</div>" +
+    "<div class=\"form-row form-row--inline\">" +
+      _addrField("postal_code", "Postal code", addr.postal_code, { required: true, maxlength: 32, autocomplete: "postal-code" }) +
+      _addrField("country", "Country (ISO 3166-1)", addr.country || "US", { required: true, maxlength: 2, pattern: "[A-Za-z]{2}", autocomplete: "country" }) +
+    "</div>" +
+    _addrField("phone", "Phone", addr.phone, { maxlength: 40, autocomplete: "tel" }) +
+    "<label class=\"address-form__check\"><input type=\"checkbox\" name=\"is_default_shipping\" value=\"1\"" + _checked(addr.is_default_shipping) + "> Default shipping address</label>" +
+    "<label class=\"address-form__check\"><input type=\"checkbox\" name=\"is_default_billing\" value=\"1\"" + _checked(addr.is_default_billing) + "> Default billing address</label>" +
+    "<button type=\"submit\" class=\"btn-primary\">" + esc(submitLabel) + "</button>" +
+  "</form>";
+}
+
+// Account address book. `opts.addresses` is the customer's non-archived
+// rows; `opts.edit` (when set) pre-fills the form for editing that row,
+// otherwise the form is a blank "add" form.
+function renderAddresses(opts) {
+  var esc = _b().template.escapeHtml;
+  var list = opts.addresses || [];
+  var rowsHtml = "";
+  for (var i = 0; i < list.length; i += 1) {
+    var a = list[i];
+    var badges =
+      (Number(a.is_default_shipping) === 1 ? "<span class=\"address-card__badge\">Default shipping</span>" : "") +
+      (Number(a.is_default_billing) === 1 ? "<span class=\"address-card__badge\">Default billing</span>" : "");
+    var lines = [a.recipient_name, a.company, a.street_line1, a.street_line2,
+      [a.city, a.region, a.postal_code].filter(Boolean).join(", "), a.country, a.phone]
+      .filter(function (x) { return x != null && String(x).length; })
+      .map(function (x) { return "<span>" + esc(String(x)) + "</span>"; }).join("");
+    rowsHtml +=
+      "<li class=\"address-card\">" +
+        (a.label ? "<p class=\"address-card__label\">" + esc(a.label) + "</p>" : "") +
+        (badges ? "<p class=\"address-card__badges\">" + badges + "</p>" : "") +
+        "<address class=\"address-card__body\">" + lines + "</address>" +
+        "<div class=\"address-card__actions\">" +
+          "<a class=\"btn-ghost btn-ghost--sm\" href=\"/account/addresses/" + esc(a.id) + "/edit\">Edit</a>" +
+          (Number(a.is_default_shipping) === 1 ? "" : "<form method=\"post\" action=\"/account/addresses/" + esc(a.id) + "/default-shipping\"><button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Set default shipping</button></form>") +
+          (Number(a.is_default_billing) === 1 ? "" : "<form method=\"post\" action=\"/account/addresses/" + esc(a.id) + "/default-billing\"><button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Set default billing</button></form>") +
+          "<form method=\"post\" action=\"/account/addresses/" + esc(a.id) + "/archive\"><button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Remove</button></form>" +
+        "</div>" +
+      "</li>";
+  }
+  var listHtml = rowsHtml
+    ? "<ul class=\"address-list\">" + rowsHtml + "</ul>"
+    : "<p class=\"address-empty\">No saved addresses yet. Add one below to speed up checkout.</p>";
+  var notice = opts.notice
+    ? "<p class=\"form-notice form-notice--error\" role=\"alert\">" + esc(String(opts.notice)) + "</p>"
+    : "";
+  var editing = opts.edit || null;
+  var formHeading = editing ? "Edit address" : "Add an address";
+  var formAction  = editing ? ("/account/addresses/" + editing.id) : "/account/addresses";
+  var body =
+    "<section class=\"account-addresses\">" +
+      "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
+        "<li><a href=\"/account\">Account</a></li>" +
+        "<li aria-current=\"page\">Addresses</li>" +
+      "</ol></nav>" +
+      "<h1 class=\"account-addresses__title\">Addresses</h1>" +
+      listHtml +
+      "<h2 class=\"account-addresses__form-title\">" + esc(formHeading) + "</h2>" +
+      notice +
+      _addressForm(formAction, editing, editing ? "Save changes" : "Add address") +
+    "</section>";
+  return _wrap({
+    title:      "Addresses",
+    shop_name:  opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count,
+    theme_css:  opts.theme_css,
+    body:       body,
+  });
+}
+
 // Product-level "Save to wishlist" control + social-proof count.
 // Byte-compatible with the edge renderer (`worker/render/product.js`)
 // so both paths emit identical markup. Action-only label — the toggle
@@ -1165,6 +1332,7 @@ var CART_LINE_EDITABLE =
   "  <td class=\"price\">{{unit}}</td>\n" +
   "  <td class=\"price\">{{total}}</td>\n" +
   "  <td class=\"cart-line__remove-cell\">\n" +
+  "    RAW_CART_LINE_SAVE" +
   "    <form method=\"post\" action=\"/cart/lines/{{line_id}}/remove\">\n" +
   "      <button type=\"submit\" class=\"cart-line__btn cart-line__btn--remove\" aria-label=\"Remove line\">Remove</button>\n" +
   "    </form>\n" +
@@ -1511,10 +1679,18 @@ function renderCart(opts) {
   if (rendered.length === 0) {
     body = CART_EMPTY_PAGE;
   } else {
+    var canSave = !!opts.can_save;
     var rows = rendered.map(function (l) {
       var thumb = l.image_url
         ? "<span class=\"cart-line__thumb\"><img src=\"" + _escAttr(l.image_url) + "\" alt=\"" + _escAttr(l.image_alt) + "\" loading=\"lazy\"></span>"
         : "<span class=\"cart-line__thumb cart-line__thumb--empty\" aria-hidden=\"true\"></span>";
+      // "Save for later" moves the line into the customer's saved list.
+      // Rendered only when the feature is wired (and account auth is
+      // present); the route itself enforces login, redirecting a guest
+      // to sign in.
+      var saveBtn = canSave
+        ? "<form method=\"post\" action=\"/cart/lines/" + _escAttr(l.id) + "/save\"><button type=\"submit\" class=\"cart-line__btn cart-line__btn--save\">Save for later</button></form>"
+        : "";
       return _render(CART_LINE_EDITABLE, {
         sku:            l.sku,
         qty:            l.qty,
@@ -1523,7 +1699,7 @@ function renderCart(opts) {
         line_id:        l.id,
         product_title:  l.product_title,
         product_url:    l.product_url,
-      }).replace("RAW_CART_LINE_THUMB", thumb);
+      }).replace("RAW_CART_LINE_THUMB", thumb).replace("RAW_CART_LINE_SAVE", saveBtn);
     }).join("");
     body = _render(CART_PAGE, {
       line_rows: "RAW_LINES",
@@ -1887,7 +2063,9 @@ var ACCOUNT_DASH_PAGE =
   "      <p class=\"section-head__lede\">Your orders + account controls. Every order ships from origin with a Stripe-secured receipt.</p>\n" +
   "    </div>\n" +
   "    <div class=\"account-dash__actions\">\n" +
-  "      <a class=\"btn-secondary\" href=\"/account/wishlist\">Saved items</a>\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/wishlist\">Wishlist</a>\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/saved\">Saved for later</a>\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/addresses\">Addresses</a>\n" +
   "      <form method=\"post\" action=\"/account/logout\"><button type=\"submit\" class=\"btn-ghost\">Sign out</button></form>\n" +
   "    </div>\n" +
   "  </header>\n" +
@@ -2216,6 +2394,7 @@ function mount(router, deps) {
       lines:           lines,
       totals:          totals,
       product_lookup:  productLookup,
+      can_save:        !!(deps.saveForLater && deps.customers),
       shop_name:       shopName,
       theme:           theme,
     }));
@@ -2785,6 +2964,256 @@ function mount(router, deps) {
       });
     }
 
+    // Save for later — move a cart line into a per-customer holding
+    // list and back. Login required (the list is per-customer).
+    if (deps.saveForLater) {
+      function _savedAuth(req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          res.end ? res.end() : res.send("");
+          return null;
+        }
+        return auth;
+      }
+
+      // POST /cart/lines/:line_id/save — move the line out of the cart
+      // into the customer's saved list. Redirects back to /cart.
+      router.post("/cart/lines/:line_id/save", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var sid = _readSidCookie(req);
+        var cart = sid ? await deps.cart.bySession(sid) : null;
+        if (!cart) {
+          res.status(303); res.setHeader && res.setHeader("location", "/cart");
+          return res.end ? res.end() : res.send("");
+        }
+        try {
+          await deps.saveForLater.moveFromCart({
+            customer_id: auth.customer_id,
+            cart_id:     cart.id,
+            line_id:     req.params && req.params.line_id,
+          });
+        } catch (e) {
+          res.status(e instanceof TypeError ? 400 : 500);
+          return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/cart");
+        return res.end ? res.end() : res.send("");
+      });
+
+      // GET /account/saved — the customer's saved-for-later list.
+      router.get("/account/saved", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var page = await deps.saveForLater.listForCustomer({ customer_id: auth.customer_id, limit: 50 });
+        var items = [];
+        for (var i = 0; i < page.rows.length; i += 1) {
+          var row = page.rows[i];
+          var product = null;
+          if (row.variant_id) {
+            try {
+              var v = await deps.catalog.variants.get(row.variant_id);
+              if (v) product = await deps.catalog.products.get(v.product_id);
+            } catch (_e) { product = null; }
+          }
+          if (!product) { items.push({ save: row, product: null }); continue; }
+          var media = await deps.catalog.media.listForProduct(product.id);
+          items.push({ save: row, product: product, hero_media: media.length ? media[0] : null });
+        }
+        var cartCount = await _cartCountForReq(req);
+        _send(res, 200, renderSaved({
+          items:        items,
+          shop_name:    shopName,
+          cart_count:   cartCount,
+          asset_prefix: deps.asset_prefix || "/assets/",
+        }));
+      });
+
+      // POST /saved/:save_id/move-to-cart — move a saved row back into
+      // the session cart (created if absent). Redirects to /cart.
+      router.post("/saved/:save_id/move-to-cart", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        var resolved = await _getOrCreateCart(req, res, "USD");
+        try {
+          await deps.saveForLater.moveToCart({
+            customer_id: auth.customer_id,
+            save_id:     req.params && req.params.save_id,
+            cart_id:     resolved.cart.id,
+            // Reprice to the live catalog price so the cart never carries
+            // a stale snapshot; the saved page shows the snapshot for
+            // reference only.
+            use_price:   "current",
+          });
+        } catch (e) {
+          if (e instanceof TypeError) {
+            res.status(400);
+            return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+          }
+          // The cart enforces one line per (cart_id, variant_id). If the
+          // shopper re-added this variant before moving the saved copy,
+          // moveToCart's INSERT collides — but the end state they want
+          // (variant in the cart) already holds. Drop the saved row and
+          // treat it as success instead of surfacing a 500. The lib
+          // leaves the save row intact on collision, so removing it here
+          // is what completes the "move".
+          if (/unique|constraint/i.test((e && e.message) || "")) {
+            try {
+              await deps.saveForLater.remove({ customer_id: auth.customer_id, save_id: req.params && req.params.save_id });
+            } catch (_e) { /* drop-silent — the move is already effectively done */ }
+            res.status(303); res.setHeader && res.setHeader("location", "/cart");
+            return res.end ? res.end() : res.send("");
+          }
+          throw e;
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/cart");
+        return res.end ? res.end() : res.send("");
+      });
+
+      // POST /saved/:save_id/remove — drop a saved row.
+      router.post("/saved/:save_id/remove", async function (req, res) {
+        var auth = _savedAuth(req, res);
+        if (!auth) return;
+        try {
+          await deps.saveForLater.remove({ customer_id: auth.customer_id, save_id: req.params && req.params.save_id });
+        } catch (e) {
+          res.status(e instanceof TypeError ? 400 : 500);
+          return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/account/saved");
+        return res.end ? res.end() : res.send("");
+      });
+    }
+
+    // Address book — per-customer saved addresses. Every by-id route
+    // verifies the address belongs to the authed customer before acting
+    // (the primitive operates by id alone, so ownership is enforced here
+    // to prevent cross-customer access via a guessed id).
+    if (deps.addresses) {
+      function _addrAuth(req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          res.end ? res.end() : res.send("");
+          return null;
+        }
+        return auth;
+      }
+      async function _ownedAddress(req, res, auth) {
+        var addr;
+        try {
+          addr = await deps.addresses.get(req.params && req.params.id);
+        } catch (e) {
+          // `get` throws TypeError on a non-UUID id — a malformed path
+          // segment is a 404, not a 500.
+          if (e instanceof TypeError) { _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme })); return null; }
+          throw e;
+        }
+        if (!addr || addr.customer_id !== auth.customer_id || Number(addr.is_archived) === 1) {
+          _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
+          return null;
+        }
+        return addr;
+      }
+      async function _renderAddrPage(req, res, auth, editAddr, notice, code) {
+        var rows = await deps.addresses.listForCustomer(auth.customer_id, { limit: 50 });
+        var cartCount = await _cartCountForReq(req);
+        _send(res, code || 200, renderAddresses({
+          addresses:  rows,
+          edit:       editAddr || null,
+          notice:     notice || null,
+          shop_name:  shopName,
+          cart_count: cartCount,
+        }));
+      }
+      function _addrInput(body, customerId) {
+        return {
+          customer_id:         customerId,
+          label:               body.label,
+          recipient_name:      body.recipient_name,
+          company:             body.company,
+          street_line1:        body.street_line1,
+          street_line2:        body.street_line2,
+          city:                body.city,
+          region:              body.region,
+          postal_code:         body.postal_code,
+          country:             body.country,
+          phone:               body.phone,
+          // Checkboxes arrive as "1" when ticked, absent otherwise — the
+          // primitive's _bool wants an integer, so coerce here.
+          is_default_shipping: body.is_default_shipping === "1" ? 1 : 0,
+          is_default_billing:  body.is_default_billing === "1" ? 1 : 0,
+        };
+      }
+
+      router.get("/account/addresses", async function (req, res) {
+        var auth = _addrAuth(req, res); if (!auth) return;
+        await _renderAddrPage(req, res, auth, null);
+      });
+
+      router.get("/account/addresses/:id/edit", async function (req, res) {
+        var auth = _addrAuth(req, res); if (!auth) return;
+        var addr = await _ownedAddress(req, res, auth); if (!addr) return;
+        await _renderAddrPage(req, res, auth, addr);
+      });
+
+      router.post("/account/addresses", async function (req, res) {
+        var auth = _addrAuth(req, res); if (!auth) return;
+        try {
+          await deps.addresses.add(_addrInput(req.body || {}, auth.customer_id));
+        } catch (e) {
+          if (e instanceof TypeError) return _renderAddrPage(req, res, auth, null, (e && e.message) || "Please check the address.", 400);
+          throw e;
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/account/addresses");
+        return res.end ? res.end() : res.send("");
+      });
+
+      router.post("/account/addresses/:id", async function (req, res) {
+        var auth = _addrAuth(req, res); if (!auth) return;
+        var addr = await _ownedAddress(req, res, auth); if (!addr) return;
+        try {
+          await deps.addresses.update(addr.id, _addrInput(req.body || {}, auth.customer_id));
+        } catch (e) {
+          if (e instanceof TypeError) {
+            var merged = Object.assign({}, addr, _addrInput(req.body || {}, auth.customer_id));
+            return _renderAddrPage(req, res, auth, merged, (e && e.message) || "Please check the address.", 400);
+          }
+          throw e;
+        }
+        res.status(303); res.setHeader && res.setHeader("location", "/account/addresses");
+        return res.end ? res.end() : res.send("");
+      });
+
+      function _addrAction(verb, fn) {
+        router.post("/account/addresses/:id/" + verb, async function (req, res) {
+          var auth = _addrAuth(req, res); if (!auth) return;
+          var addr = await _ownedAddress(req, res, auth); if (!addr) return;
+          try { await fn(addr.id); }
+          catch (e) {
+            res.status(e instanceof TypeError ? 400 : 500);
+            return res.end ? res.end((e && e.message) || "Error") : res.send((e && e.message) || "Error");
+          }
+          res.status(303); res.setHeader && res.setHeader("location", "/account/addresses");
+          return res.end ? res.end() : res.send("");
+        });
+      }
+      _addrAction("default-shipping", function (id) { return deps.addresses.setDefaultShipping(id); });
+      _addrAction("default-billing",  function (id) { return deps.addresses.setDefaultBilling(id); });
+      _addrAction("archive",          function (id) { return deps.addresses.archive(id); });
+    }
+
     // Product reviews — submission requires a logged-in customer AND a
     // verified purchase of the product (the gate, not just a badge).
     // Only mounts when both the reviews primitive and an order handle

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.29",
-      "tag": "v0.12.29",
+      "version": "0.12.32",
+      "tag": "v0.12.32",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,12 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.32 (2026-05-24) — **`b.cbor` — bounded, deterministic in-tree CBOR codec (RFC 8949).** CBOR is the binary serialization underneath COSE (RFC 9052), CWT, SCITT, and WebAuthn attestation — a foundational substrate the framework needs in-tree to build signed-statement primitives without a third-party parser. `b.cbor` is that codec, bounded by default like every parser the framework ships: a binary decoder is attack surface, so the defaults refuse the shapes a hostile encoder uses to exhaust memory or stack. The encoder emits Deterministically Encoded CBOR (RFC 8949 §4.2) — shortest-form heads, definite lengths, map keys sorted by encoded bytes, no indefinite-length items — so two semantically-equal values encode to byte-identical output, the property COSE signatures and SCITT receipts depend on. **Added:** *`b.cbor.encode(value, opts?)` / `b.cbor.decode(buffer, opts?)` / `b.cbor.Tag`* — `encode` produces deterministic CBOR from numbers (integers + float64), bigint (64-bit range), strings, `Buffer` / `Uint8Array`, arrays, `Map` or plain objects, `b.cbor.Tag`, and the simple values. `decode` returns the value with maps decoded to a `Map` (CBOR keys may be integers — COSE header labels are) and byte strings to `Buffer`. `b.cbor.Tag(tag, value)` carries a major-type-6 tagged item. `decode(buf, { requireDeterministic: true })` additionally asserts the input was itself canonically encoded (decode → re-encode → byte-compare), refusing a non-canonical re-encoding on a signature-verify path where it would be a malleability vector. **Security:** *Bounded-by-default decoder* — `maxDepth` (default 64, ceiling 256) caps nesting against stack exhaustion; `maxBytes` (default 16 MiB, ceiling 64 MiB) caps total input, and a declared string / array / map length exceeding the remaining bytes is refused before any allocation (no length-prefix memory bomb). Indefinite-length items (additional-info 31) are refused — a streaming-complexity / DoS vector forbidden by deterministic encoding. Reserved additional-info (28–30) is refused. Tags are refused unless allowlisted via `allowedTags` (a tag triggers semantic reprocessing — an un-vetted tag is a confused-deputy vector). Duplicate map keys (RFC 8949 §5.6) and trailing bytes after the data item are refused.
+
+- v0.12.31 (2026-05-24) — **`b.auth.jar.parse` — verify RFC 9101 JWT-Secured Authorization Requests (server side).** A plain OAuth authorization request carries its parameters in the URL query string, where a browser, proxy, or referer log can tamper with or leak them. RFC 9101 JAR packs those parameters into a JWT the client signs — the request object — so the authorization server can confirm they arrived exactly as sent. `b.auth.jar.parse(jar, opts)` is the server-side verifier and the request-side counterpart to the existing JARM response handling (`b.auth.oauth.parseJarmResponse`). It delegates the signature check to `b.auth.jwt.verifyExternal` — which already enforces a mandatory `algorithms` allowlist and refuses the alg-confusion (`alg: "none"`, HMAC-vs-RSA) and JWE-on-a-JWS-verifier shapes against a JWKS public-key trust source — then pins `iss` and the `client_id` claim to the expected client, pins `aud` to this server's issuer identifier, refuses a nested `request` / `request_uri` (RFC 9101 §6.3 recursion / confused-deputy vector), and returns the authorization parameters with the JWT envelope claims stripped. **Added:** *`b.auth.jar.parse(jar, opts)` — request-object verification* — `opts.clientId` (the expected client — pins `iss` + the `client_id` claim), `opts.audience` (this server's issuer identifier — pins `aud`), `opts.algorithms` (required signature allowlist — no defaults, the alg-confusion defense), and one of `opts.jwks` / `opts.jwksUri` / `opts.keyResolver` (the client's verification key). Returns `{ params, claims }` where `params` is the authorization parameters (`response_type`, `redirect_uri`, `scope`, `state`, `nonce`, …) with the JWT envelope claims (`iss`, `aud`, `exp`, `iat`, `nbf`, `jti`) removed. A request object whose `client_id` claim disagrees with `opts.clientId`, or that nests a `request` / `request_uri`, is refused. Emitting a request object (the client side) is deferred-with-condition: it requires signing with the client's key under a classical JWS algorithm, and the framework's own JWT signer is PQC-only for the tokens it issues — a PQC-signed request object would not interoperate with a standard authorization server; client-side emission re-opens when a classical JWS signer lands or operators surface the need. Until then clients sign request objects with their existing JOSE tooling.
+
+- v0.12.30 (2026-05-24) — **`bundleAdapterStorage.keyRotation(opts)` — verified whole-repository envelope key rotation.** Rotating the key that wraps a backup repository is only safe if you can prove every bundle still reads under the new key — a rotation that silently corrupts one bundle is a time-bomb the operator discovers at restore time, exactly when they can least afford it. `storage.keyRotation(opts)` rotates every bundle's envelope from the old key to the new key (composing `rewrapAllBundles`) and then re-reads every bundle under the NEW key (composing `verifyAllBundles`), so a bad rotation surfaces as `verifyFailed > 0` immediately instead of at restore. It emits a `backup/key-rotated` audit event with the rotation id + per-status counts — a key-rotation event is a compliance record (SOC 2 CC6.1, PCI DSS 3.6.4) operators wire into their signed audit chain. Works for both `recipient` (hybrid PQC envelope) and `passphrase` (Argon2id) storage; refused cleanly on plaintext (`cryptoStrategy: "none"`) storage and when the new key is missing. **Added:** *`bundleAdapterStorage.keyRotation(opts)` — rotate then prove* — `opts.newRecipient` / `opts.newPassphrase` is the key bundles rotate TO (matched to the storage's `cryptoStrategy`); `opts.oldRecipient` / `opts.oldPassphrase` unwraps the current envelope when it differs from the configured key. Returns `{ rotationId, rotatedAt, total, rotated, skipped, failed, verified, verifyFailed, rotateResults, verifyResults }`. `opts.verify` (default true) runs the post-rotation read-back under the new key; `opts.concurrency` / `opts.stopOnFirstFailure` forward to the batch passes. Plaintext bundles + non-wrappable formats are skipped cleanly; a rotation that leaves any bundle unreadable reports `verifyFailed > 0` and emits the audit event with `outcome: "failure"`. A true overlap window where BOTH the old and new key decrypt a bundle (`dualWrap: true`) is refused with `backup/dual-wrap-unsupported` — it needs multi-recipient archive envelopes `b.archive.wrap` does not yet emit, and re-opens when the wrap layer gains them; until then stage a rotation by keeping the old key available to readers until `keyRotation` reports `failed: 0` + `verifyFailed: 0`, then retire it.
+
 - v0.12.29 (2026-05-24) — **`b.ai.dp` — float-safe differential privacy: snapping-mechanism Laplace + discrete Gaussian + Rényi-DP budgets.** Differential privacy adds calibrated noise so an aggregate is provably insensitive to any single record — but the guarantee is fragile: Mironov (2012) showed that a Laplace mechanism sampled with naive double-precision floats lets an attacker distinguish neighbouring datasets with > 35% probability from a single output, silently destroying the promise. `b.ai.dp` ships only mechanisms whose sampling is hardened against that attack class: Laplace via the snapping mechanism (clamp + CSPRNG sign + full-mantissa uniform + power-of-two-grid rounding) and the discrete Gaussian (Canonne–Kamath–Steinke 2020) via integer-exact rejection sampling built from Bernoulli(exp(−γ)) over exact rationals — no floating-point noise at all. All randomness comes from `b.crypto.generateBytes` (SHAKE256 over the OS CSPRNG), never `Math.random`. `b.ai.dp.budget({ scope, epsilon, delta })` tracks a privacy budget per scope and refuses a `consume` that would exceed it, accounting composition either by basic summation (default) or a Rényi-DP accountant (Mironov 2017) for a much tighter bound under repeated Gaussian releases. NIST SP 800-226 (2025) is the evaluation standard; Dwork & Roth is the canonical reference. The exponential and sparse-vector mechanisms are deferred-with-condition — their float-safe constructions (base-2 / permute-and-flip; snapped SVT) re-open on operator demand, since shipping them float-unsafe would defeat the module's purpose. **Added:** *`b.ai.dp.mechanism({ type, sensitivity, epsilon, ... })` — float-safe noise mechanisms* — `type: "laplace"` is the snapping mechanism (pure ε-DP, real-valued, requires a clamp `bound` the guarantee depends on); `type: "gaussian"` is the discrete Gaussian (integer-valued, (ε, δ)-DP, requires `delta`). The Gaussian uses the classic calibration σ = √(2 ln(1.25/δ))·Δ/ε, proven for ε ≤ 1 — larger ε is refused with a pointer to splitting the release under an rdp budget. Descriptors are validated + frozen at construction so a malformed parameter fails fast. · *`b.ai.dp.budget({ scope, epsilon, delta, accounting })` — per-scope privacy budget* — Returns `{ consume, remaining, spent, reset }`. `consume(mechanism, value)` adds the mechanism's noise, charges the accountant, and throws `aiDp/budget-exhausted` if the release would push the scope past its (ε, δ). `accounting: "basic"` (default) sums per-release ε and δ; `accounting: "rdp"` runs a Rényi-DP accountant across a grid of orders and converts to (ε, δ) at the scope's δ for a tight composition bound under repeated Gaussian releases (requires `delta > 0`). The scope budget is enforced on both ε and δ independently. **Security:** *`b.crypto.generateBytes` uniformity fix at 1-byte length* — Node's SHAKE256 XOF is non-uniform at `outputLength: 1` — the byte values 0x00 and 0xff never occur and the low bit skews to ~0.54. `b.crypto.generateBytes(1)` (and the underlying `random(1)`) now draws at least 2 bytes and slices, so a single-byte CSPRNG request is uniform. Surfaced by `b.ai.dp` per-byte noise sampling; any per-byte consumer of `generateBytes` inherits the fix. A regression test asserts 0x00 / 0xff occur and the low bit is balanced.
 
 - v0.12.28 (2026-05-24) — **`b.ai.capability` — model-capability registry + cheapest-satisfying-model router.** `b.ai.capability.create({ models })` turns a fleet of AI model descriptors into a routing decision: given a set of requirements (context window, input/output modalities, tool use, structured output, reasoning tier, citation support, prompt-caching size), it picks the cheapest model that satisfies all of them. NIST AI RMF (AI 100-1) MAP 2.x requires documenting each model's capabilities and limitations; the Model Cards convention (Mitchell et al., 2019) formalizes that descriptor — this primitive makes the descriptor actionable. Routing to the cheapest sufficient model is a front-line defense against over-provisioning spend and composes directly with `b.ai.quota`'s `cost-usd` dimension (the chosen descriptor's rate feeds the budget charge); refusing to route a request to a model that cannot satisfy it (missing modality, too-small context window, no tool use) catches a capability mismatch before the inference call burns tokens on a guaranteed-bad result. Cost ranking uses a supplied `costBasis` (`{ inputTokens, outputTokens }`) for real per-call spend, else the sum of the per-1k rates; ties break by model id so the choice is deterministic across calls and nodes. **Added:** *`b.ai.capability.create({ models })` — capability registry + router* — Returns `{ describe, list, register, satisfies, route }`. A descriptor carries `maxContextTokens`, `maxOutputTokens`, `modalitiesIn` / `modalitiesOut` (arrays), `toolUse`, `structuredOutput`, `fineTunable`, `reasoningTier` (`none` / `basic` / `standard` / `advanced`, ordered), `citationSupport`, `promptCachingMaxTokens`, and the cost rates `costPer1kInputTokens` / `costPer1kOutputTokens`. Descriptors are validated + frozen at registration so a typo (negative cost, unknown reasoning tier, non-array modality list) surfaces at config time rather than as a silent mis-route. `describe(modelId)` returns the frozen descriptor; `register(modelId, descriptor)` adds or replaces one at runtime. · *`route({ requirements, fallback?, costBasis? })` — cheapest-satisfying selection* — Collects every model whose descriptor satisfies all requirements, then returns the cheapest (`{ modelId, descriptor, estimatedCost, reason }`). Requirements: `minContextTokens`, `minOutputTokens`, `modalitiesIn` / `modalitiesOut` (model must support every listed modality), `toolUse`, `structuredOutput`, `fineTunable`, `minReasoningTier` (tier ordering — `standard` is met by `standard` or `advanced`), `citationSupport`, `minPromptCachingTokens`. When no model matches, `fallback` (a registered model id) is returned with `reason: "fallback"`, or the call refuses with `aiCapability/no-candidate` if no fallback was supplied. Routing decisions emit `ai/capability-routed` / `ai/capability-fallback` / `ai/capability-no-candidate` through the drop-silent audit chain. · *`satisfies(modelId, requirements)` — precise capability-mismatch reasons* — Returns `{ ok, failures }` where each failure names the `requirement`, the `need`, and what the model `have`s — so a caller surfaces a precise reason (e.g. `minReasoningTier need advanced have basic`) instead of a bare boolean. Use it to explain a routing miss or to gate a request against a specific model before calling it.

package/lib/vendor/blamejs/README.md

@@ -75,6 +75,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
   - RP-Initiated / Front-Channel / Back-Channel Logout 1.0 (`parseFrontchannelLogoutRequest` + `verifyBackchannelLogoutToken` with jti-replay defense)
   - RFC 9207 AS Issuer Identifier validation on callbacks (`parseCallback` — refuses iss mismatch + OP `error=` redirect)
   - OAuth 2.0 JARM signed-response decode (`parseJarmResponse`)
+  - RFC 9101 JWT-Secured Authorization Request verification — server-side request-object parse with mandatory alg allowlist + iss/client_id/aud binding + anti-nesting (`b.auth.jar.parse`)
   - One-time-use refresh-token rotation with operator-supplied replay-defense callback (RFC 9700 §4.13 / OAuth 2.1 §6.1 — `refreshAccessToken({ seen })`)
 - **Federation / VC** — CIBA Core 1.0 (`b.auth.ciba`, poll/ping/push); OpenID Federation 1.0 trust chain + metadata_policy (`b.auth.openidFederation`); SAML 2.0 SP with XMLDSig signature-wrapping defense + RFC 9525 server-identity (`b.auth.saml`); OpenID4VCI 1.0 issuer (`b.auth.oid4vci`); OpenID4VP 1.0 verifier with DCQL (`b.auth.oid4vp`); SD-JWT VC with `key_attestation` extension (`b.auth.sdJwtVc`)
 - **Sessions** — `b.session`
@@ -124,6 +125,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 
 - **JSON / SQL / schema** — `b.safeJson` (with `maxKeys` cap defending CVE-2026-21717 V8 HashDoS), `b.safeBuffer`, `b.safeSql`, `b.safeSchema`
 - **URL + path** — `b.safeUrl` (IDN mixed-script / homograph refuse); `b.safeJsonPath` (refuses filter `?(...)`, deep-scan `$..`, script-shape `(@.x)` for safe Postgres JSONB ops)
+- **Binary codec** — `b.cbor` bounded deterministic CBOR (RFC 8949 §4.2): depth/size caps, indefinite-length + reserved-info + tag + duplicate-key refusal, `requireDeterministic` canonical-form check; the in-tree substrate under COSE / CWT / SCITT / WebAuthn attestation
 - **Document parsers** — `b.parsers` (XML / TOML / YAML / .env); `b.config` (schema-validated env)
 - **File-type detection** — `b.fileType` magic-byte content classification with deny-on-upload categories (image / document / archive / executable / etc.)
 ### Content-safety gates