@blamejs/blamejs-shop 0.0.128 → 0.0.129

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.0.x
 
+- v0.0.129 (2026-05-25) — **Recently viewed — a signed-in customer's browse history at /account/recently-viewed.** Signed-in customers now have a browse history. Opening a product page records the view against the customer's account, and `/account/recently-viewed` lists those products newest-first as a grid, with a one-tap Clear history control. Recording is best-effort and never blocks the product page; archived products drop out of the grid; the page is login-gated like the rest of the account area. **Added:** *Recently viewed account page* — `GET /account/recently-viewed` renders the customer's most-recently-opened products newest-first, reusing the standard product card (image, title, price, link to the PDP). A `POST /account/recently-viewed/clear` control wipes the history. Linked from the account dashboard. · *Server-side view recording* — A signed-in customer's product-page visit records the view against their account — no client script. Recording is drop-silent: a write failure never breaks the product page. The history de-dupes per product and is capped per customer.
+
 - v0.0.128 (2026-05-25) — **Collections — browse curated and smart product lists at /collections.** The storefront now has real collection pages. `/collections` lists the shop's active collections, and `/collections/:slug` shows a collection's products as a grid — resolving both operator-curated manual collections (hand-picked members) and smart collections (rule-matched against the catalog). The footer links to it from every page, so collections are a first-class browse entry point rather than a search query. Unknown or malformed collection slugs return 404, never a 500. **Added:** *Collection browse pages* — `GET /collections` renders the active collections as cards (title, description, hero); `GET /collections/:slug` renders the collection's product grid, reusing the standard product card (image, title, price, link to the PDP). Public pages — no sign-in. · *Manual + smart resolution* — Manual collections list their hand-picked members; smart collections evaluate their stored rules against the active catalog and apply the collection's sort strategy. The page resolves each product fresh, so archived products drop out of the grid. · *Footer entry point* — The footer's Shop column links to `/collections` on every storefront page (edge- and container-rendered alike), making collections a real browse path. A bad or unknown slug is a 404.
 
 - v0.0.127 (2026-05-24) — **Self-serve returns — customers request RMAs on their orders, operators approve and refund.** Signed-in customers can request a return against one of their own orders — pick the items and a reason at the order, then track status at /account/returns. Operators work the queue at /admin/returns: approve (with a refund amount), mark received, refund, or reject with a reason, following the pending → approved → received → refunded lifecycle. The customer request route loads the order and confirms it belongs to the signed-in customer before showing it, and builds the return lines from the order's own records, so a foreign or guessed order id returns 404 and a client can't return items it never bought. **Added:** *Customer return requests + status* — `/account/orders/:order_id/return` shows the order's items with a reason picker; `/account/returns` lists the customer's RMAs with status (pending / approved / received / refunded / rejected) and any rejection reason. The account dashboard links to it. Empty selection or a bad reason re-renders the form with the message. · *Operator return queue* — `GET /admin/returns?status=pending` lists the queue across all orders; `GET /admin/returns/:id` reads one; `POST /admin/returns/:id/approve` (with refund amount), `/received`, `/refund`, and `/reject` (with reason) walk the lifecycle. Bearer-token-gated; an illegal transition is a 409 and a bad id a 404, never a 500. · *`returns.listByStatus(status, opts)`* — Lists return authorizations across all orders by status, newest first, with the same opaque cursor as `listForCustomer`. Backs the operator queue.

package/README.md

@@ -68,6 +68,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/save-for-later.js`** | Per-customer cart holding list. Each cart line gets a login-gated "Save for later" control (`POST /cart/lines/:id/save` → `moveFromCart`); `/account/saved` lists items with Move-to-cart / Remove. `moveToCart` reprices to the current catalog price and stock-gates (out-of-stock + non-backorderable is refused). Composes `catalog.inventory` + `catalog.prices` + `catalog.variants`. |
 | **`lib/addresses.js`** | Per-customer address book at `/account/addresses` — add / edit / set default shipping or billing / remove. One-default-per-role invariant (promoting clears the prior). Every by-id route confirms the address belongs to the signed-in customer before acting (a guessed id returns 404). `b.guardUuid` ids, 2-char ISO country. |
 | **`lib/returns.js`** | Self-serve RMAs. Customer requests a return against their own order at `/account/orders/:id/return` (items + reason, ownership-checked, lines built from the order's own records) and tracks status at `/account/returns`. Operators work `/admin/returns` — approve (refund amount) / mark received / refund / reject — over the pending → approved → received → refunded FSM; illegal transitions are 409, bad ids 404. |
+| **`lib/recently-viewed.js`** | Signed-in customer browse history. A product-page visit records the view server-side against the customer's account (drop-silent — never blocks the page); `/account/recently-viewed` lists them newest-first as a grid with a Clear-history control. De-duped + capped per customer, archived products drop out, login-gated. Guest/session history is opt-in (a client beacon) and not shipped — the lib's `forSession` + `merge` support it. |
 | **`lib/collections.js`** | Curated + smart product groupings. `GET /collections` lists the shop's active collections; `GET /collections/:slug` renders the grid — manual collections list hand-picked members, smart collections evaluate stored rules against the active catalog and apply the collection's sort strategy. Each product resolves fresh, so archived products drop out. Public, no sign-in; a bad or unknown slug is a 404 (never a 500). Linked from the footer on every page. |
 | **`lib/subscriptions.js`** | Stripe-backed recurring billing — `subscription_plans` (interval / amount / trial) + `subscriptions` (mirrors Stripe's object byte-for-byte). `subscriptions.create` POSTs to Stripe via the payment dep, then persists the returned object locally. `handleStripeEvent` replays `customer.subscription.*` events into the local row so the shop has an authoritative view without round-tripping. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
@@ -92,6 +93,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 - `migrations-d1/0026_customer_addresses.sql` — per-customer address book (default shipping/billing flags)
 - `migrations-d1/0023_returns.sql` — return authorizations + lines (RMA lifecycle FSM)
 - `migrations-d1/0043_collections.sql` — manual + smart product collections (members + rules + sort strategy)
+- `migrations-d1/0050_recently_viewed.sql` — per-customer / per-session product browse history (dedup + per-subject cap)
 
 ### Demo seed
 

package/lib/storefront.js

@@ -1199,6 +1199,40 @@ function renderCollection(opts) {
   });
 }
 
+// Account "Recently viewed" page — a newest-first grid of products the
+// signed-in customer has opened, reusing the standard product card.
+// `opts.products` is a resolved [{ slug, title, price, image_url,
+// image_alt }] list (archived products are dropped before render, so
+// the grid is orphan-tolerant). A "Clear history" control renders only
+// when the list is non-empty.
+function renderRecentlyViewed(opts) {
+  var products = opts.products || [];
+  var cards = products.map(function (p) { return _buildProductCard(p); }).join("");
+  var grid = cards
+    ? "<div class=\"catalog-grid recently-viewed-grid\">" + cards + "</div>"
+    : "<p class=\"recently-viewed-empty\">You haven't viewed any products yet. As you browse the shop, the products you open show up here.</p>";
+  var clear = cards
+    ? "<form class=\"recently-viewed__clear\" method=\"post\" action=\"/account/recently-viewed/clear\">" +
+        "<button type=\"submit\" class=\"btn-ghost btn-ghost--sm\">Clear history</button></form>"
+    : "";
+  var body =
+    "<section class=\"account-recently-viewed\">" +
+      "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
+        "<li><a href=\"/account\">Account</a></li>" +
+        "<li aria-current=\"page\">Recently viewed</li>" +
+      "</ol></nav>" +
+      "<header class=\"account-recently-viewed__head\">" +
+        "<h1 class=\"account-recently-viewed__title\">Recently viewed</h1>" +
+        clear +
+      "</header>" +
+      grid +
+    "</section>";
+  return _wrap({
+    title: "Recently viewed", shop_name: opts.shop_name || "blamejs.shop",
+    cart_count: opts.cart_count == null ? 0 : opts.cart_count, theme_css: opts.theme_css, body: body,
+  });
+}
+
 var RETURN_REASONS = [
   ["defective", "Defective / doesn't work"],
   ["wrong-item", "Wrong item received"],
@@ -2244,6 +2278,7 @@ var ACCOUNT_DASH_PAGE =
   "    <div class=\"account-dash__actions\">\n" +
   "      <a class=\"btn-secondary\" href=\"/account/wishlist\">Wishlist</a>\n" +
   "      <a class=\"btn-secondary\" href=\"/account/saved\">Saved for later</a>\n" +
+  "      <a class=\"btn-secondary\" href=\"/account/recently-viewed\">Recently viewed</a>\n" +
   "      <a class=\"btn-secondary\" href=\"/account/addresses\">Addresses</a>\n" +
   "      <a class=\"btn-secondary\" href=\"/account/returns\">Returns</a>\n" +
   "      <form method=\"post\" action=\"/account/logout\"><button type=\"submit\" class=\"btn-ghost\">Sign out</button></form>\n" +
@@ -2380,6 +2415,45 @@ function mount(router, deps) {
     return lines.length;
   }
 
+  // The signed-in customer's sealed-cookie envelope, or null. Shared by
+  // the PDP view recorder (mounted outside the `if (deps.customers)`
+  // block) and the account routes inside it, so there's one auth-cookie
+  // reader rather than a copy per call site. A missing / malformed /
+  // expired cookie returns null — never throws.
+  function _currentCustomerEnv(req) {
+    var raw = _readCookie(req, AUTH_COOKIE_NAME);
+    if (!raw) return null;
+    var env;
+    try { env = JSON.parse(_b().vault.unseal(raw)); } catch (_e) { return null; }
+    if (!env || !env.customer_id || !env.exp || env.exp < Date.now()) return null;
+    return env;
+  }
+
+  // Resolve a product id into the { slug, title, price, image_url,
+  // image_alt } shape `_buildProductCard` expects. Returns null for an
+  // archived / missing product so it drops out of any grid (collections,
+  // recently-viewed). Shared so the decoration rule lives in one place.
+  var _cardAssetPrefix = deps.asset_prefix || "/assets/";
+  async function _decorateProductCard(pid) {
+    var product = await deps.catalog.products.get(pid);
+    if (!product || product.status !== "active") return null;
+    var priceStr = "—";
+    var variants = await deps.catalog.variants.listForProduct(pid);
+    if (variants.length) {
+      var pr = await deps.catalog.prices.current(variants[0].id, "USD");
+      if (pr) priceStr = pricing.format(pr.amount_minor, pr.currency);
+    }
+    var media = await deps.catalog.media.listForProduct(pid);
+    var hero = media.length ? media[0] : null;
+    return {
+      slug:      product.slug,
+      title:     product.title,
+      price:     priceStr,
+      image_url: hero ? (_cardAssetPrefix + hero.r2_key) : null,
+      image_alt: hero ? (hero.alt_text || product.title) : null,
+    };
+  }
+
   // Resolve the cart for this request — read session_id from the
   // sealed cookie, create one (and the cart) if absent. Returns
   // the cart row OR null when the cart was just created (caller can
@@ -2520,6 +2594,19 @@ function mount(router, deps) {
       try { wishlistCount = await deps.wishlist.countForProduct(product.id); }
       catch (_e) { wishlistCount = 0; }
     }
+    // Log the view for a signed-in customer so it surfaces on their
+    // "Recently viewed" account page. Drop-silent — a recording failure
+    // (table not migrated, write contention) must never break the PDP
+    // render. Guests aren't recorded here: their PDP is edge-cached with
+    // no per-request container hop, so session-scoped guest history is a
+    // separate opt-in (a client beacon) the storefront doesn't ship yet.
+    if (deps.recentlyViewed && deps.customers) {
+      var rvEnv = _currentCustomerEnv(req);
+      if (rvEnv) {
+        try { await deps.recentlyViewed.recordView({ customer_id: rvEnv.customer_id, product_id: product.id }); }
+        catch (_e) { /* drop-silent — recently-viewed is supplementary to the buy path */ }
+      }
+    }
     var html = renderProduct({
       product:        product,
       variants:       variants,
@@ -2539,36 +2626,11 @@ function mount(router, deps) {
   // Collections — operator-curated + smart product lists. Public browse
   // pages; mounted when the collections primitive is wired.
   if (deps.collections) {
-    var _collAssetPrefix = deps.asset_prefix || "/assets/";
-
-    // Decorate a product id into the { slug, title, price, image_url }
-    // shape _buildProductCard expects. Returns null for an archived /
-    // missing product so it drops out of the grid.
-    async function _decorateCollectionProduct(pid) {
-      var product = await deps.catalog.products.get(pid);
-      if (!product || product.status !== "active") return null;
-      var priceStr = "—";
-      var variants = await deps.catalog.variants.listForProduct(pid);
-      if (variants.length) {
-        var pr = await deps.catalog.prices.current(variants[0].id, "USD");
-        if (pr) priceStr = pricing.format(pr.amount_minor, pr.currency);
-      }
-      var media = await deps.catalog.media.listForProduct(pid);
-      var hero = media.length ? media[0] : null;
-      return {
-        slug:      product.slug,
-        title:     product.title,
-        price:     priceStr,
-        image_url: hero ? (_collAssetPrefix + hero.r2_key) : null,
-        image_alt: hero ? (hero.alt_text || product.title) : null,
-      };
-    }
-
     router.get("/collections", async function (req, res) {
       var cols = await deps.collections.list({ active_only: true });
       var cartCount = await _cartCountForReq(req);
       _send(res, 200, renderCollectionList({
-        collections: cols, shop_name: shopName, cart_count: cartCount, asset_prefix: _collAssetPrefix,
+        collections: cols, shop_name: shopName, cart_count: cartCount, asset_prefix: _cardAssetPrefix,
       }));
     });
 
@@ -2589,7 +2651,7 @@ function mount(router, deps) {
       var products = [];
       for (var i = 0; i < result.rows.length; i += 1) {
         var pid = result.rows[i].product_id || result.rows[i].id;
-        var card = await _decorateCollectionProduct(pid);
+        var card = await _decorateProductCard(pid);
         if (card) products.push(card);
       }
       var cartCount = await _cartCountForReq(req);
@@ -2820,12 +2882,7 @@ function mount(router, deps) {
     }
 
     function _currentCustomer(req) {
-      var raw = _readCookie(req, AUTH_COOKIE_NAME);
-      if (!raw) return null;
-      var env = _unsealEnvelope(raw);
-      if (!env || !env.customer_id || !env.exp) return null;
-      if (env.exp < Date.now()) return null;
-      return env;
+      return _currentCustomerEnv(req);
     }
 
     function _serviceUnavailable(res, msg) {
@@ -3553,6 +3610,50 @@ function mount(router, deps) {
       });
     }
 
+    // Recently viewed — the signed-in customer's newest-first browse
+    // history. Views are recorded server-side on the (container-rendered)
+    // PDP; this surface lets the customer review + clear that history.
+    if (deps.recentlyViewed) {
+      function _rvAuth(req, res) {
+        var auth;
+        try { auth = _currentCustomer(req); }
+        catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return null; }
+          throw e;
+        }
+        if (!auth) {
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login");
+          res.end ? res.end() : res.send("");
+          return null;
+        }
+        return auth;
+      }
+
+      router.get("/account/recently-viewed", async function (req, res) {
+        var auth = _rvAuth(req, res); if (!auth) return;
+        // A read failure (table not migrated) degrades to the empty
+        // state rather than 500-ing the account page.
+        var rows = [];
+        try { rows = await deps.recentlyViewed.forCustomer(auth.customer_id, { limit: 24 }); }
+        catch (_e) { rows = []; }
+        var products = [];
+        for (var i = 0; i < rows.length; i += 1) {
+          var card = await _decorateProductCard(rows[i].product_id);
+          if (card) products.push(card);
+        }
+        var cartCount = await _cartCountForReq(req);
+        _send(res, 200, renderRecentlyViewed({ products: products, shop_name: shopName, cart_count: cartCount }));
+      });
+
+      router.post("/account/recently-viewed/clear", async function (req, res) {
+        var auth = _rvAuth(req, res); if (!auth) return;
+        try { await deps.recentlyViewed.purgeCustomer(auth.customer_id); }
+        catch (_e) { /* drop-silent — a failed clear leaves history intact, no error surface needed */ }
+        res.status(303); res.setHeader && res.setHeader("location", "/account/recently-viewed");
+        return res.end ? res.end() : res.send("");
+      });
+    }
+
     // Product reviews — submission requires a logged-in customer AND a
     // verified purchase of the product (the gate, not just a badge).
     // Only mounts when both the reviews primitive and an order handle

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.39",
-      "tag": "v0.12.39",
+      "version": "0.12.40",
+      "tag": "v0.12.40",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.40 (2026-05-24) — **`b.mdoc` — ISO 18013-5 mdoc / mDL issuer-data verification.** Verify the issuer-signed data of an ISO/IEC 18013-5 mdoc — the credential format behind mobile driving licences (mDL) and the ISO track of the EU Digital Identity Wallet. This is the relying-party side: confirm that the data elements a holder presents were signed by the issuer and have not been altered. An mdoc's IssuerSigned carries the disclosed data elements and an issuerAuth that is a COSE_Sign1 (b.cose) over a Mobile Security Object (MSO) holding a per-element digest. b.mdoc.verifyIssuerSigned verifies the COSE signature with the issuer certificate from the COSE x5chain header, parses the MSO, enforces its validityInfo window, and recomputes each disclosed element's digest (the full Tag-24 IssuerSignedItemBytes) to match it against the MSO constant-time — the integrity check that makes selective disclosure trustworthy. An absent or mismatched digest is refused. Signing algorithms follow b.cose verification (the classical ES256/384/512 + EdDSA that real mDL issuers use; the caller names the allowlist); opts.trustAnchorsPem additionally verifies the issuer certificate chain. This completes the credential trio alongside W3C VCDM (b.vc) and IETF SD-JWT VC (b.auth.sdJwtVc). Composes b.cose + b.cbor; no new runtime dependency. **Added:** *`b.mdoc.verifyIssuerSigned(issuerSigned, opts)`* — Takes the CBOR `IssuerSigned` map (the operator extracts it from the device response / QR) and returns `{ docType, version, digestAlgorithm, validityInfo, namespaces, signerCert, alg }`. Verifies the COSE_Sign1 `issuerAuth` against the mandatory `opts.algorithms` allowlist using the issuer certificate from its `x5chain` (label 33) header; parses the Tag-24 Mobile Security Object; enforces the MSO `validityInfo` window against `opts.at` (default now; must be a valid Date; malformed dates fail closed); and recomputes the digest of every disclosed `IssuerSignedItem` (over the full Tag-24 bytes, with the MSO `digestAlgorithm` — SHA-256/384/512) to match the MSO `valueDigests` constant-time — an absent or mismatched digest is refused with `mdoc/digest-mismatch`. `opts.expectedDocType` pins the document type; `opts.trustAnchorsPem` (a PEM string or array) additionally verifies the issuer certificate chain and validity at the asserted time. A malformed `x5chain` certificate is refused with a clean `mdoc/bad-cert`. The mdoc device-authentication half (the SessionTranscript-bound holder-binding proof) is a presentation-protocol concern and is not part of issuer-data verification.
+
 - v0.12.39 (2026-05-24) — **`b.vc` — W3C Verifiable Credentials 2.0 (issue / verify, JOSE + COSE securing).** Issue and verify W3C Verifiable Credentials (VC Data Model 2.0, a W3C Recommendation) secured per Securing Verifiable Credentials using JOSE and COSE (VC-JOSE-COSE, also a W3C Recommendation, May 2025). A verifiable credential is a tamper-evident, signed set of claims an issuer makes about a subject — a diploma, a membership, a license, an age assertion. Two securing mechanisms are supported, both signing the credential itself (no JWT/CWT claims wrapper): JOSE produces a compact JWS with the vc+jwt media type, signed with ES256/384/512 or EdDSA; COSE produces a COSE_Sign1 (application/vc+cose) over b.cose, which also accepts ML-DSA-87 for PQC-forward deployments. b.vc.verify auto-detects the form from the input, requires an algorithm allowlist, always refuses the JOSE none algorithm, re-checks the VCDM 2.0 structural rules, and enforces the validFrom / validUntil window. This is the W3C credential model, distinct from the IETF SD-JWT VC already at b.auth.sdJwtVc. Composes b.cose; no new runtime dependency. **Added:** *`b.vc.issue(credential, opts)` / `b.vc.verify(secured, opts)`* — `issue` validates the credential against the VCDM 2.0 structural rules (the `credentials/v2` context first, a `VerifiableCredential` type, an issuer, a credential subject) and signs it: `securing: "jose"` returns a compact JWS string (`typ` header `vc+jwt`), `securing: "cose"` returns COSE_Sign1 bytes (`typ` header `application/vc+cose`, content type `application/vc`) via `b.cose`. The credential is the exact signed payload — no JWT/CWT claims are injected. `verify` auto-detects the securing form from the input (compact-JWS string vs. COSE_Sign1 bytes), verifies the signature against the mandatory `opts.algorithms` allowlist (the JOSE `none` algorithm is always refused), re-checks the structural rules, enforces the `validFrom` / `validUntil` window against `opts.at` (default now; must be a valid Date), and optionally matches `opts.expectedIssuer` against the credential issuer id. Returns `{ credential, securing, alg, issuer }`.
 
 - v0.12.38 (2026-05-24) — **`b.tsa` — RFC 3161 trusted timestamping client (build / parse / verify).** A timestamp authority binds a hash of your data to a trusted time, producing a token that proves the data existed at that instant — timestamp a release artifact, an audit-log checkpoint, a b.scitt signed statement, or a contract. b.tsa is the requester/verifier side of RFC 3161: buildRequest produces the DER TimeStampReq (the message imprint plus an optional nonce and a cert request), parseResponse reads the TimeStampResp (PKIStatus, failure-info bits, and the token), and verifyToken checks a token against your data and returns the asserted time. Verification is done in full per §2.4.2 / §2.3: the token is a CMS SignedData (b.cms) whose eContentType must be id-ct-TSTInfo; the message imprint must equal the hash of your data (constant-time); a sent nonce must round-trip; the signer certificate's extendedKeyUsage must be a critical, sole id-kp-timeStamping; and the CMS signature over the signed attributes must verify after the messageDigest attribute is matched to the recomputed eContent digest. An optional trust-anchor set verifies the certificate chain and validity at the asserted time. The HTTP transport to the TSA is the operator's to make. Composes b.cms and the in-tree ASN.1 DER codec; no new runtime dependency. **Added:** *`b.tsa.buildRequest(data, opts?)` / `b.tsa.parseResponse(der)` / `b.tsa.verifyToken(token, opts)`* — `buildRequest` returns `{ der, nonce, hashAlg, messageImprint }`; the imprint hash defaults to SHA-512 and may be SHA-256/384/512 or SHA3-256/512, a random 64-bit nonce and a certificate request are included by default, and a pre-hashed input is accepted with `hashed: true`. `parseResponse` returns `{ granted, status, statusString, failInfo, token }`, decoding the PKIFailureInfo bits for a non-granted response rather than throwing. `verifyToken` enforces the imprint match (`opts.data` or `opts.hash`), the nonce round-trip, the critical/sole `id-kp-timeStamping` EKU, and the CMS signature, returning `{ genTime, policy, serialHex, accuracy, hashAlg, signerCertPem }`; pass `opts.trustAnchorsPem` to also verify the certificate chain and validity at the asserted time. Timestamp tokens are third-party artifacts, so verification accepts the classical RSA (PKCS#1 v1.5 and PSS) and ECDSA-over-SHA-2 signatures that public TSAs emit — the same consume-what-exists posture as `b.cose` verification, not a framework signing default.

package/lib/vendor/blamejs/README.md

@@ -132,6 +132,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **SCITT signed statements** — `b.scitt` sign/verify a signed, attributable claim about an artifact (signed SBOM, build attestation, release approval) over `b.cose`: the issuer + subject bind in the integrity-protected CWT_Claims header (RFC 9597); verification refuses any statement missing the iss/sub binding. The issuer side, on finalized RFCs; the transparency receipt (COSE Receipts draft) opts in on publication
 - **Trusted timestamping** — `b.tsa` RFC 3161 timestamp client: `buildRequest` a TimeStampReq, `parseResponse`, and `verifyToken` against your data — the message imprint, sent nonce, critical/sole `id-kp-timeStamping` EKU, and CMS signature are all checked, with optional certificate-chain verification. Timestamp a release artifact, audit checkpoint, or signed statement against any RFC 3161 TSA. Composes `b.cms` + the in-tree ASN.1 DER codec
 - **Verifiable Credentials** — `b.vc` W3C Verifiable Credentials Data Model 2.0 (VC-JOSE-COSE): `issue` / `verify` a signed credential as a compact JWS (`vc+jwt`, ES256/384/512 + EdDSA) or a COSE_Sign1 (`vc+cose`, + ML-DSA-87) over `b.cose`. VCDM structural + `validFrom`/`validUntil` checks; the JOSE `none` algorithm is always refused. The W3C model, distinct from the IETF SD-JWT VC at `b.auth.sdJwtVc`
+- **Mobile credentials (mDL)** — `b.mdoc` ISO/IEC 18013-5 issuer-data verification: `verifyIssuerSigned` checks the COSE_Sign1 IssuerAuth (issuer cert from the `x5chain` header), the Mobile Security Object validity window, and every disclosed element's digest against the MSO `valueDigests` (the selective-disclosure integrity check), with optional issuer-chain verification. The ISO credential ecosystem alongside `b.vc` and `b.auth.sdJwtVc`. Composes `b.cose` + `b.cbor`
 - **Document parsers** — `b.parsers` (XML / TOML / YAML / .env); `b.config` (schema-validated env)
 - **File-type detection** — `b.fileType` magic-byte content classification with deny-on-upload categories (image / document / archive / executable / etc.)
 ### Content-safety gates

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.39",
-  "createdAt": "2026-05-25T02:42:46.281Z",
+  "frameworkVersion": "0.12.40",
+  "createdAt": "2026-05-25T03:52:08.305Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -40319,6 +40319,36 @@
         }
       }
     },
+    "mdoc": {
+      "type": "object",
+      "members": {
+        "DIGEST_ALGS": {
+          "type": "object",
+          "members": {
+            "SHA-256": {
+              "type": "primitive",
+              "valueType": "string"
+            },
+            "SHA-384": {
+              "type": "primitive",
+              "valueType": "string"
+            },
+            "SHA-512": {
+              "type": "primitive",
+              "valueType": "string"
+            }
+          }
+        },
+        "MdocError": {
+          "type": "function",
+          "arity": 4
+        },
+        "verifyIssuerSigned": {
+          "type": "function",
+          "arity": 2
+        }
+      }
+    },
     "metrics": {
       "type": "object",
       "members": {

package/lib/vendor/blamejs/index.js

@@ -462,6 +462,7 @@ module.exports = {
   scitt:            require("./lib/scitt"),
   tsa:              require("./lib/tsa"),
   vc:               require("./lib/vc"),
+  mdoc:             require("./lib/mdoc"),
   queue:            queue,
   logStream:        logStream,
   redact:           redact,

package/lib/vendor/blamejs/lib/mdoc.js

@@ -0,0 +1,305 @@
+"use strict";
+/**
+ * @module b.mdoc
+ * @nav    Crypto
+ * @title  ISO mdoc / mDL (ISO 18013-5)
+ *
+ * @intro
+ *   Verify the issuer-signed data of an ISO/IEC 18013-5 mdoc — the
+ *   credential format behind mobile driving licences (mDL) and the ISO
+ *   track of the EU Digital Identity Wallet. This is the relying-party
+ *   side: confirm that the data elements a holder presents were signed
+ *   by the issuer and have not been altered.
+ *
+ *   An mdoc's <code>IssuerSigned</code> structure carries the disclosed
+ *   data elements (<code>nameSpaces</code>) and an <code>issuerAuth</code>
+ *   that is a COSE_Sign1 (<code>b.cose</code>) over a Mobile Security
+ *   Object (MSO). The MSO holds, per namespace, a SHA-256/384/512 digest
+ *   of every issued element. <code>b.mdoc.verifyIssuerSigned</code>
+ *   verifies the COSE signature with the issuer certificate carried in
+ *   the COSE <code>x5chain</code> (label 33), parses the MSO, enforces
+ *   its <code>validityInfo</code> window, and — the integrity check that
+ *   makes selective disclosure trustworthy — recomputes the digest of
+ *   every disclosed element (the full Tag-24 <code>IssuerSignedItemBytes</code>)
+ *   and matches it against the MSO, constant-time. A disclosed element
+ *   whose digest is absent or mismatched is refused.
+ *
+ *   Signing algorithms follow <code>b.cose</code> verification: the
+ *   classical ES256 / 384 / 512 and EdDSA that real mDL issuers use are
+ *   accepted (consume-what-exists; the caller names the allowlist).
+ *   <code>opts.trustAnchorsPem</code> additionally verifies the issuer
+ *   certificate chain and its validity at the asserted time.
+ *
+ *   <strong>Scope.</strong> This is issuer-data authentication
+ *   (ISO 18013-5 §9.1.2.4) — the data is genuine and issuer-signed. The
+ *   mdoc <em>device authentication</em> half (DeviceSigned / the
+ *   SessionTranscript-bound holder-binding proof, §9.1.3) is deferred:
+ *   it needs the live session transcript a verifier negotiates, so it is
+ *   a presentation-protocol concern rather than a credential check.
+ *   Composes <code>b.cose</code> + <code>b.cbor</code>; no new runtime
+ *   dependency. Distinct from W3C VCDM (<code>b.vc</code>) and IETF
+ *   SD-JWT VC (<code>b.auth.sdJwtVc</code>) — the three credential
+ *   ecosystems.
+ *
+ * @card
+ *   ISO 18013-5 mdoc / mDL issuer-data verification — checks the
+ *   COSE_Sign1 IssuerAuth, the MSO validity window, and every disclosed
+ *   element's digest against the Mobile Security Object. Composes
+ *   b.cose + b.cbor; device-auth holder-binding deferred.
+ */
+
+var nodeCrypto = require("node:crypto");
+var C = require("./constants");
+var cbor = require("./cbor");
+var cose = require("./cose");
+var bCrypto = require("./crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var MdocError = defineClass("MdocError", { alwaysPermanent: true });
+
+var HDR_X5CHAIN = 33;                                  // allow:raw-byte-literal allow:raw-time-literal — x5chain COSE header label (RFC 9360 is a spec number, not a size/duration)
+var TAG_ENCODED_CBOR = 24;                             // allow:raw-byte-literal — RFC 8949 §3.4.5.1 embedded-CBOR tag
+// Tags ISO 18013-5 uses in issuer data: tdate(0), epoch(1), embedded
+// CBOR(24), full-date(1004, RFC 8943). Bounded — others are refused.
+var ALLOWED_TAGS = [0, 1, TAG_ENCODED_CBOR, 1004];
+var DIGEST_ALGS = { "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512" };
+
+function _bytes(x, what) {
+  if (Buffer.isBuffer(x)) return x;
+  if (x instanceof Uint8Array) return Buffer.from(x);
+  throw new MdocError("mdoc/bad-input", "mdoc: " + what + " must be a Buffer / Uint8Array of CBOR");
+}
+
+// validityInfo dates are tdate (Tag 0, an RFC 3339 string) or epoch
+// (Tag 1). Returns epoch-ms; fails closed on a malformed value.
+function _validityMs(v, name) {
+  var raw = (v instanceof cbor.Tag) ? v.value : v;
+  if (typeof raw === "string") {
+    var ms = Date.parse(raw);
+    if (!isFinite(ms)) throw new MdocError("mdoc/bad-validity", "mdoc: validityInfo." + name + " is not a valid date: " + raw);
+    return ms;
+  }
+  if (typeof raw === "number" && isFinite(raw)) return raw * C.TIME.seconds(1);    // epoch seconds → ms
+  throw new MdocError("mdoc/bad-validity", "mdoc: validityInfo." + name + " is missing or malformed");
+}
+
+function _mapGet(m, k) { return m instanceof Map ? m.get(k) : (m ? m[k] : undefined); }
+
+/**
+ * @primitive b.mdoc.verifyIssuerSigned
+ * @signature b.mdoc.verifyIssuerSigned(issuerSigned, opts)
+ * @since     0.12.40
+ * @status    experimental
+ * @compliance gdpr, soc2
+ * @related   b.cose.verify, b.vc.verify
+ *
+ * Verify the issuer-signed data of an ISO 18013-5 mdoc and return the
+ * disclosed elements. <code>issuerSigned</code> is the CBOR
+ * <code>IssuerSigned</code> map (the operator extracts it from the
+ * device response / QR). The COSE_Sign1 <code>issuerAuth</code> is
+ * verified with the issuer certificate from its <code>x5chain</code>
+ * header against the mandatory <code>opts.algorithms</code> allowlist;
+ * the MSO <code>validityInfo</code> window is enforced; and every
+ * disclosed element's digest is matched against the Mobile Security
+ * Object (a mismatch or absence is refused). Pass
+ * <code>opts.trustAnchorsPem</code> to also verify the issuer
+ * certificate chain.
+ *
+ * @opts
+ *   {
+ *     algorithms:      string[],  // required — accepted COSE alg names (ES256/384/512, EdDSA)
+ *     trustAnchorsPem: string|string[], // optional issuer roots — enables chain + validity verification
+ *     expectedDocType: string,    // require the MSO docType to match (e.g. "org.iso.18013.5.1.mDL")
+ *     at:              Date,      // validity instant (default now); must be a valid Date
+ *     maxBytes:        number,    // forwarded to b.cbor.decode
+ *     maxDepth:        number,
+ *   }
+ *
+ * @example
+ *   var out = await b.mdoc.verifyIssuerSigned(issuerSignedBytes, {
+ *     algorithms: ["ES256"], expectedDocType: "org.iso.18013.5.1.mDL",
+ *   });
+ *   // → { docType, validityInfo, namespaces: { "org.iso.18013.5.1": { family_name, age_over_18, … } }, signerCert, alg }
+ */
+async function verifyIssuerSigned(issuerSigned, opts) {
+  validateOpts.requireObject(opts, "mdoc.verifyIssuerSigned", MdocError);
+  validateOpts(opts, ["algorithms", "trustAnchorsPem", "expectedDocType", "at", "maxBytes", "maxDepth"], "mdoc.verifyIssuerSigned");
+  if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {
+    throw new MdocError("mdoc/algorithms-required", "mdoc.verifyIssuerSigned: opts.algorithms is required");
+  }
+  var at = new Date();
+  if (opts.at !== undefined && opts.at !== null) {
+    if (!(opts.at instanceof Date) || !isFinite(opts.at.getTime())) {
+      throw new MdocError("mdoc/bad-at", "mdoc.verifyIssuerSigned: opts.at must be a valid Date");
+    }
+    at = opts.at;
+  }
+  var decodeOpts = { allowedTags: ALLOWED_TAGS, maxBytes: opts.maxBytes, maxDepth: opts.maxDepth };
+
+  var top = cbor.decode(_bytes(issuerSigned, "issuerSigned"), decodeOpts);
+  var nameSpaces = _mapGet(top, "nameSpaces");
+  var issuerAuth = _mapGet(top, "issuerAuth");
+  if (!Array.isArray(issuerAuth) || issuerAuth.length !== 4) {
+    throw new MdocError("mdoc/malformed", "mdoc.verifyIssuerSigned: issuerAuth must be a COSE_Sign1 (4-element array)");
+  }
+
+  // The signer certificate rides in the COSE x5chain (label 33): a
+  // single cert bstr or an array of bstrs, leaf first.
+  var unprotected = issuerAuth[1];
+  var x5 = _mapGet(unprotected, HDR_X5CHAIN);
+  var chain = Array.isArray(x5) ? x5 : (x5 != null ? [x5] : []);
+  if (!chain.length || !Buffer.isBuffer(chain[0])) {
+    throw new MdocError("mdoc/no-cert", "mdoc.verifyIssuerSigned: issuerAuth has no x5chain certificate (label 33)");
+  }
+  // The x5chain certificate is attacker-controlled — a malformed DER
+  // must surface as a clean error, not a raw OpenSSL throw.
+  var signerCert;
+  try { signerCert = new nodeCrypto.X509Certificate(chain[0]); }
+  catch (e) {
+    throw new MdocError("mdoc/bad-cert", "mdoc.verifyIssuerSigned: x5chain certificate is not valid DER: " + ((e && e.message) || e));
+  }
+
+  // Verify the COSE_Sign1 signature with the embedded signer key.
+  var coseBytes = cbor.encode(issuerAuth);
+  var verified = await cose.verify(coseBytes, {
+    algorithms:  opts.algorithms,
+    keyResolver: function () { return signerCert.publicKey; },
+    maxBytes:    opts.maxBytes,
+    maxDepth:    opts.maxDepth,
+  });
+
+  // payload = Tag 24 ( bstr .cbor MSO ).
+  var payloadTag = cbor.decode(verified.payload, decodeOpts);
+  var msoBytes = (payloadTag instanceof cbor.Tag && payloadTag.tag === TAG_ENCODED_CBOR) ? payloadTag.value : null;
+  if (!Buffer.isBuffer(msoBytes)) {
+    throw new MdocError("mdoc/malformed", "mdoc.verifyIssuerSigned: issuerAuth payload is not a Tag-24 MobileSecurityObject");
+  }
+  var mso = cbor.decode(msoBytes, decodeOpts);
+
+  var digestAlgName = _mapGet(mso, "digestAlgorithm");
+  var digestNode = DIGEST_ALGS[digestAlgName];
+  if (!digestNode) {
+    throw new MdocError("mdoc/bad-digest-alg", "mdoc.verifyIssuerSigned: unsupported MSO digestAlgorithm '" + digestAlgName + "'");
+  }
+  var docType = _mapGet(mso, "docType");
+  if (opts.expectedDocType !== undefined && docType !== opts.expectedDocType) {
+    throw new MdocError("mdoc/doctype-mismatch", "mdoc.verifyIssuerSigned: MSO docType '" + docType + "' does not match expectedDocType");
+  }
+
+  // validityInfo window (fail closed on malformed dates).
+  var vi = _mapGet(mso, "validityInfo");
+  if (!(vi instanceof Map) && (!vi || typeof vi !== "object")) {
+    throw new MdocError("mdoc/malformed", "mdoc.verifyIssuerSigned: MSO has no validityInfo");
+  }
+  var nowMs = at.getTime();
+  var validFromMs = _validityMs(_mapGet(vi, "validFrom"), "validFrom");
+  var validUntilMs = _validityMs(_mapGet(vi, "validUntil"), "validUntil");
+  if (nowMs < validFromMs) throw new MdocError("mdoc/not-yet-valid", "mdoc.verifyIssuerSigned: credential not yet valid");
+  if (nowMs > validUntilMs) throw new MdocError("mdoc/expired", "mdoc.verifyIssuerSigned: credential validity has passed");
+
+  // Match every disclosed element's digest against the MSO. The digest
+  // covers the full Tag-24 IssuerSignedItemBytes (ISO 18013-5 §9.1.2.5).
+  var valueDigests = _mapGet(mso, "valueDigests");
+  var out = {};
+  if (nameSpaces instanceof Map) {
+    var nsNames = Array.from(nameSpaces.keys());
+    for (var ni = 0; ni < nsNames.length; ni += 1) {
+      var ns = nsNames[ni];
+      var items = nameSpaces.get(ns);
+      var nsDigests = _mapGet(valueDigests, ns);
+      if (!Array.isArray(items) || !(nsDigests instanceof Map)) {
+        throw new MdocError("mdoc/malformed", "mdoc.verifyIssuerSigned: namespace '" + ns + "' has no matching valueDigests");
+      }
+      out[ns] = {};
+      var seen = Object.create(null);                 // dup-elementIdentifier guard (proto-safe)
+      for (var ii = 0; ii < items.length; ii += 1) {
+        var item = items[ii];
+        if (!(item instanceof cbor.Tag) || item.tag !== TAG_ENCODED_CBOR || !Buffer.isBuffer(item.value)) {
+          throw new MdocError("mdoc/malformed", "mdoc.verifyIssuerSigned: IssuerSignedItem is not a Tag-24 byte string");
+        }
+        var itemBytes = cbor.encode(new cbor.Tag(TAG_ENCODED_CBOR, item.value));
+        var digest = nodeCrypto.createHash(digestNode).update(itemBytes).digest();
+        var inner = cbor.decode(item.value, decodeOpts);
+        var digestID = _mapGet(inner, "digestID");
+        var expected = nsDigests.get(digestID);
+        if (!Buffer.isBuffer(expected) || !bCrypto.timingSafeEqual(digest, expected)) {
+          throw new MdocError("mdoc/digest-mismatch",
+            "mdoc.verifyIssuerSigned: disclosed element (digestID " + digestID + ", namespace " + ns + ") does not match the MSO");
+        }
+        // Refuse a duplicate elementIdentifier within a namespace — two
+        // signed values for one element is ambiguous; fail closed rather
+        // than silently keep the last.
+        var elementId = _mapGet(inner, "elementIdentifier");
+        if (seen[elementId]) {
+          throw new MdocError("mdoc/duplicate-element",
+            "mdoc.verifyIssuerSigned: namespace '" + ns + "' has duplicate elementIdentifier '" + elementId + "'");
+        }
+        seen[elementId] = true;
+        out[ns][elementId] = _mapGet(inner, "elementValue");
+      }
+    }
+  }
+
+  // Optional issuer chain + validity at the asserted time.
+  if (opts.trustAnchorsPem !== undefined && opts.trustAnchorsPem !== null) {
+    var anchors = typeof opts.trustAnchorsPem === "string" ? [opts.trustAnchorsPem] : opts.trustAnchorsPem;
+    if (!Array.isArray(anchors) || anchors.length === 0 ||
+        !anchors.every(function (a) { return typeof a === "string" && a.length > 0; })) {
+      throw new MdocError("mdoc/bad-trust-anchors", "mdoc.verifyIssuerSigned: trustAnchorsPem must be a non-empty PEM string or array");
+    }
+    _verifyChain(chain, anchors, at);
+  }
+
+  return {
+    docType:      docType,
+    version:      _mapGet(mso, "version"),
+    digestAlgorithm: digestAlgName,
+    validityInfo: { validFrom: new Date(validFromMs), validUntil: new Date(validUntilMs) },
+    namespaces:   out,
+    signerCert:   signerCert.toString(),
+    alg:          verified.alg,
+  };
+}
+
+// Verify the leaf (chain[0]) chains to a supplied anchor and every cert
+// is valid at `at`. Intermediates in the x5chain are consulted.
+function _verifyChain(chainDer, anchorsPem, at) {
+  var anchors = anchorsPem.map(function (p) { return new nodeCrypto.X509Certificate(p); });
+  var pool = chainDer.map(function (d) { return new nodeCrypto.X509Certificate(d); });
+  var current = pool[0];
+  var atMs = at.getTime();
+  var steps = 0;
+  while (steps <= pool.length + 1) {
+    _assertValidAt(current, atMs);
+    for (var a = 0; a < anchors.length; a += 1) {
+      if (_issued(anchors[a], current)) { _assertValidAt(anchors[a], atMs); return; }
+      if (current.fingerprint256 === anchors[a].fingerprint256) return;
+    }
+    var parent = null;
+    for (var p = 0; p < pool.length; p += 1) {
+      if (pool[p].fingerprint256 !== current.fingerprint256 && _issued(pool[p], current)) { parent = pool[p]; break; }
+    }
+    if (!parent) {
+      throw new MdocError("mdoc/untrusted-chain", "mdoc.verifyIssuerSigned: issuer certificate does not chain to a supplied trust anchor");
+    }
+    current = parent;
+    steps += 1;
+  }
+  throw new MdocError("mdoc/chain-loop", "mdoc.verifyIssuerSigned: certificate chain did not terminate");
+}
+function _issued(issuer, subject) {
+  try { return subject.checkIssued(issuer) && subject.verify(issuer.publicKey); }
+  catch (_e) { return false; }
+}
+function _assertValidAt(cert, atMs) {
+  if (atMs < cert.validFromDate.getTime() || atMs > cert.validToDate.getTime()) {
+    throw new MdocError("mdoc/cert-expired", "mdoc.verifyIssuerSigned: certificate '" + cert.subject + "' is not valid at the asserted time");
+  }
+}
+
+module.exports = {
+  verifyIssuerSigned: verifyIssuerSigned,
+  DIGEST_ALGS:        DIGEST_ALGS,
+  MdocError:          MdocError,
+};

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.39",
+  "version": "0.12.40",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.40.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.40",
+  "date": "2026-05-24",
+  "headline": "`b.mdoc` — ISO 18013-5 mdoc / mDL issuer-data verification",
+  "summary": "Verify the issuer-signed data of an ISO/IEC 18013-5 mdoc — the credential format behind mobile driving licences (mDL) and the ISO track of the EU Digital Identity Wallet. This is the relying-party side: confirm that the data elements a holder presents were signed by the issuer and have not been altered. An mdoc's IssuerSigned carries the disclosed data elements and an issuerAuth that is a COSE_Sign1 (b.cose) over a Mobile Security Object (MSO) holding a per-element digest. b.mdoc.verifyIssuerSigned verifies the COSE signature with the issuer certificate from the COSE x5chain header, parses the MSO, enforces its validityInfo window, and recomputes each disclosed element's digest (the full Tag-24 IssuerSignedItemBytes) to match it against the MSO constant-time — the integrity check that makes selective disclosure trustworthy. An absent or mismatched digest is refused. Signing algorithms follow b.cose verification (the classical ES256/384/512 + EdDSA that real mDL issuers use; the caller names the allowlist); opts.trustAnchorsPem additionally verifies the issuer certificate chain. This completes the credential trio alongside W3C VCDM (b.vc) and IETF SD-JWT VC (b.auth.sdJwtVc). Composes b.cose + b.cbor; no new runtime dependency.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.mdoc.verifyIssuerSigned(issuerSigned, opts)`",
+          "body": "Takes the CBOR `IssuerSigned` map (the operator extracts it from the device response / QR) and returns `{ docType, version, digestAlgorithm, validityInfo, namespaces, signerCert, alg }`. Verifies the COSE_Sign1 `issuerAuth` against the mandatory `opts.algorithms` allowlist using the issuer certificate from its `x5chain` (label 33) header; parses the Tag-24 Mobile Security Object; enforces the MSO `validityInfo` window against `opts.at` (default now; must be a valid Date; malformed dates fail closed); and recomputes the digest of every disclosed `IssuerSignedItem` (over the full Tag-24 bytes, with the MSO `digestAlgorithm` — SHA-256/384/512) to match the MSO `valueDigests` constant-time — an absent or mismatched digest is refused with `mdoc/digest-mismatch`. `opts.expectedDocType` pins the document type; `opts.trustAnchorsPem` (a PEM string or array) additionally verifies the issuer certificate chain and validity at the asserted time. A malformed `x5chain` certificate is refused with a clean `mdoc/bad-cert`. The mdoc device-authentication half (the SessionTranscript-bound holder-binding proof) is a presentation-protocol concern and is not part of issuer-data verification."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -2252,6 +2252,24 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "v0.12.33 — opts / structure validation prelude (`validateOpts(allowedKeys) + chained required-field + typeof guards + typed-error throw`). cose.verify validates a COSE_Sign1 opts blob + decoded structure (RFC 9052); the peers each validate a distinct spec's shape (SD-JWT-VC issuer opts / break-glass policy set / JSCalendar object / DDL dual-control declaration / DSR request / FedCM well-known manifest / Android Asset Links / heartbeat config). Each throws a primitive-specific typed error; the shingle is the validateOpts-then-guard idiom, not behaviour. Same family as the v0.12.29 input-shape-validation cluster.",
     },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/mdoc.js:verifyIssuerSigned",
+        "lib/tsa.js:verifyToken",
+        "lib/vc.js:verify",
+      ],
+      reason: "v0.12.40 — signature-verify entry preamble shared by three credential / token verifiers: `validateOpts(allowedKeys) + mandatory algorithms-allowlist check + opts.at valid-Date guard + publicKey/keyResolver presence check`, then divergent domain logic. tsa.verifyToken verifies an RFC 3161 timestamp token (CMS SignedData + message-imprint + EKU); vc.verify verifies a W3C VC-JOSE-COSE credential (JWS/COSE + VCDM structural + validity window); mdoc.verifyIssuerSigned verifies an ISO 18013-5 mdoc (COSE_Sign1 IssuerAuth + MSO valueDigests matching). Each consumes a different wire format, returns a different shape, and throws a primitive-specific typed error — the shingle is the validate-then-guard preamble, not behaviour. Same family as the v0.12.33 cose.verify cluster.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/dual-control.js:create",
+        "lib/mdoc.js:verifyIssuerSigned",
+        "lib/tsa.js:verifyToken",
+      ],
+      reason: "v0.12.40 — validateOpts-then-guard prelude shared between a create-style validator (dual-control.create builds a two-person-rule grant after validating its opts) and the timestamp / mdoc verifiers. The common shingle is the `validateOpts(allowedKeys) + chained guard + typed-error` idiom; the bodies diverge entirely (dual-control persists a control record; tsa/mdoc verify cryptographic structures). Same validate-then-guard family as the v0.12.29 / v0.12.33 clusters.",
+    },
     {
       mode:  "family-subset",
       files: [

package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js

@@ -0,0 +1,230 @@
+"use strict";
+/**
+ * Layer 0 — b.mdoc (ISO 18013-5 mdoc / mDL issuer-data verification).
+ * A pure-node mock issuer builds an IssuerSigned structure (COSE_Sign1
+ * IssuerAuth over a Tag-24 MobileSecurityObject, with the signer cert in
+ * the x5chain header) so the verifier's full path is exercised: COSE
+ * signature, MSO validity window, per-element digest matching against
+ * the MSO, selective disclosure, and the tamper / expiry / docType /
+ * malformed-validity refusal paths. The trust core (COSE_Sign1 + CBOR)
+ * is the framework's tested b.cose / b.cbor substrate.
+ */
+
+var b = require("../../index");
+var helpers = require("../helpers");
+var check = helpers.check;
+var asn1 = require("../../lib/asn1-der");
+var cbor = b.cbor;
+var nodeCrypto = require("node:crypto");
+
+var NS = "org.iso.18013.5.1";
+var DOCTYPE = "org.iso.18013.5.1.mDL";
+
+function _algId(oid, withNull) {
+  return withNull ? asn1.writeSequence([asn1.writeOid(oid), asn1.writeNull()]) : asn1.writeSequence([asn1.writeOid(oid)]);
+}
+function _name(cn) {
+  return asn1.writeSequence([asn1.writeSet([asn1.writeSequence([asn1.writeOid("2.5.4.3"), asn1.writeUtf8String(cn)])])]);
+}
+function _utc(d) { return asn1.writeNode(0x17, Buffer.from(d.toISOString().replace(/[-:T]/g, "").slice(2, 14) + "Z", "ascii")); }
+
+// Minimal self-signed EC cert (mdoc issuer-data verify reads the key,
+// not an EKU). Returns { certDer, key, pem }.
+function _makeCert(cn) {
+  var kp = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+  var spki = kp.publicKey.export({ type: "spki", format: "der" });
+  var sa = _algId("1.2.840.10045.4.3.2", false);
+  var nm = _name(cn || "mDL Issuer");
+  var now = Date.now();
+  var tbs = asn1.writeSequence([
+    asn1.writeContextExplicit(0, asn1.writeInteger(Buffer.from([2]))),
+    asn1.writeInteger(Buffer.from([0x2a])), sa, nm,
+    asn1.writeSequence([_utc(new Date(now - 86400000)), _utc(new Date(now + 86400000 * 3650))]),
+    nm, spki,
+  ]);
+  var certDer = asn1.writeSequence([tbs, sa, asn1.writeBitString(nodeCrypto.sign("sha256", tbs, kp.privateKey), 0)]);
+  return { certDer: certDer, key: kp.privateKey, pem: new nodeCrypto.X509Certificate(certDer).toString() };
+}
+
+// Build an IssuerSigned (CBOR bytes). opts: { elements, validFrom,
+// validUntil, docType, digestAlg } — defaults are a valid mDL.
+async function _makeMdoc(cert, opts) {
+  opts = opts || {};
+  var elements = opts.elements || [["family_name", "Doe"], ["age_over_18", true], ["given_name", "Jane"]];
+  var digestNode = opts.digestNode || "sha256";
+  var digestAlg = opts.digestAlg || "SHA-256";
+  var now = Date.now();
+  var items = [];
+  var digests = new Map();
+  elements.forEach(function (el, i) {
+    var inner = cbor.encode(new Map([
+      ["digestID", i], ["random", nodeCrypto.randomBytes(32)],
+      ["elementIdentifier", el[0]], ["elementValue", el[1]],
+    ]));
+    items.push(new cbor.Tag(24, inner));
+    digests.set(i, nodeCrypto.createHash(digestNode).update(cbor.encode(new cbor.Tag(24, inner))).digest());
+  });
+  var validFromMs = opts.validFrom != null ? opts.validFrom : now - 86400000;
+  var validUntilMs = opts.validUntil != null ? opts.validUntil : now + 86400000 * 3650;
+  var validUntilTag = opts.validUntilRaw !== undefined ? opts.validUntilRaw : new cbor.Tag(0, new Date(validUntilMs).toISOString());
+  var mso = new Map([
+    ["version", "1.0"], ["digestAlgorithm", digestAlg], ["docType", opts.docType || DOCTYPE],
+    ["valueDigests", new Map([[NS, digests]])],
+    ["validityInfo", new Map([
+      ["signed", new cbor.Tag(0, new Date(now).toISOString())],
+      ["validFrom", new cbor.Tag(0, new Date(validFromMs).toISOString())],
+      ["validUntil", validUntilTag],
+    ])],
+  ]);
+  var payload = cbor.encode(new cbor.Tag(24, cbor.encode(mso)));
+  var signed = await b.cose.sign(payload, { alg: opts.alg || "ES256", privateKey: cert.key, unprotectedHeaders: { 33: cert.certDer } });
+  var issuerAuth = cbor.decode(signed, { allowedTags: [18, 24] }).value;
+  return cbor.encode(new Map([["nameSpaces", new Map([[NS, items]])], ["issuerAuth", issuerAuth]]));
+}
+
+function testSurface() {
+  check("b.mdoc.verifyIssuerSigned is a function", typeof b.mdoc.verifyIssuerSigned === "function");
+  check("b.mdoc.DIGEST_ALGS has SHA-256", b.mdoc.DIGEST_ALGS["SHA-256"] === "sha256");
+  check("b.mdoc.MdocError is a class", typeof b.mdoc.MdocError === "function");
+}
+
+async function testRoundTrip() {
+  var cert = _makeCert();
+  var mdoc = await _makeMdoc(cert);
+  var out = await b.mdoc.verifyIssuerSigned(mdoc, { algorithms: ["ES256"], expectedDocType: DOCTYPE });
+  check("verify: docType", out.docType === DOCTYPE);
+  check("verify: alg reported", out.alg === "ES256");
+  check("verify: digestAlgorithm", out.digestAlgorithm === "SHA-256");
+  check("verify: disclosed elements extracted", out.namespaces[NS].family_name === "Doe" && out.namespaces[NS].age_over_18 === true && out.namespaces[NS].given_name === "Jane");
+  check("verify: validityInfo dates returned", out.validityInfo.validUntil instanceof Date);
+  check("verify: signerCert PEM returned", /BEGIN CERTIFICATE/.test(out.signerCert));
+
+  // chain verify against the self-signed issuer as anchor
+  var ok = await b.mdoc.verifyIssuerSigned(mdoc, { algorithms: ["ES256"], trustAnchorsPem: cert.pem });
+  check("verify: chain to issuer anchor (string)", ok.docType === DOCTYPE);
+}
+
+async function testDigestAndSignatureRefusals() {
+  var cert = _makeCert();
+  var mdoc = await _makeMdoc(cert);
+
+  // Tamper a disclosed element's value: re-pack one IssuerSignedItem
+  // with a changed value but keep the MSO digest → digest mismatch.
+  var top = cbor.decode(mdoc, { allowedTags: [0, 1, 24, 1004] });
+  var items = top.get("nameSpaces").get(NS);
+  var inner0 = cbor.decode(items[0].value, { allowedTags: [0, 1, 24, 1004] });
+  inner0.set("elementValue", "Tampered");
+  items[0] = new cbor.Tag(24, cbor.encode(inner0));
+  var tampered = cbor.encode(top);
+  var e1 = null;
+  try { await b.mdoc.verifyIssuerSigned(tampered, { algorithms: ["ES256"] }); } catch (e) { e1 = e; }
+  check("verify: tampered element refused (digest-mismatch)", e1 && e1.code === "mdoc/digest-mismatch");
+
+  // Tamper the COSE signature deterministically (flip a byte in the
+  // issuerAuth signature element) → bad-signature.
+  var top2 = cbor.decode(mdoc, { allowedTags: [0, 1, 24, 1004] });
+  var ia = top2.get("issuerAuth");
+  ia[3] = Buffer.from(ia[3]); ia[3][0] ^= 0xff;
+  var bad = cbor.encode(top2);
+  var e2 = null;
+  try { await b.mdoc.verifyIssuerSigned(bad, { algorithms: ["ES256"] }); } catch (e) { e2 = e; }
+  check("verify: tampered COSE signature refused", e2 && e2.code === "cose/bad-signature");
+
+  // A malformed x5chain certificate surfaces a clean error (not raw OpenSSL).
+  var top3 = cbor.decode(mdoc, { allowedTags: [0, 1, 24, 1004] });
+  top3.get("issuerAuth")[1].set(33, Buffer.from([0x30, 0x03, 0x02, 0x01, 0x01]));
+  var e6 = null;
+  try { await b.mdoc.verifyIssuerSigned(cbor.encode(top3), { algorithms: ["ES256"] }); } catch (e) { e6 = e; }
+  check("verify: malformed x5chain cert refused cleanly", e6 && e6.code === "mdoc/bad-cert");
+
+  // alg outside allowlist
+  var e3 = null;
+  try { await b.mdoc.verifyIssuerSigned(mdoc, { algorithms: ["EdDSA"] }); } catch (e) { e3 = e; }
+  check("verify: alg outside allowlist refused", e3 && (e3.code === "cose/alg-not-allowed"));
+}
+
+async function testValidityAndDocType() {
+  var cert = _makeCert();
+
+  // expired (valid window 10 days ago .. 1 day ago)
+  var expired = await _makeMdoc(cert, { validFrom: Date.now() - 86400000 * 10, validUntil: Date.now() - 86400000 });
+  var e1 = null;
+  try { await b.mdoc.verifyIssuerSigned(expired, { algorithms: ["ES256"] }); } catch (e) { e1 = e; }
+  check("verify: expired credential refused", e1 && e1.code === "mdoc/expired");
+
+  // not yet valid
+  var future = await _makeMdoc(cert, { validFrom: Date.now() + 86400000 * 30 });
+  var e2 = null;
+  try { await b.mdoc.verifyIssuerSigned(future, { algorithms: ["ES256"] }); } catch (e) { e2 = e; }
+  check("verify: not-yet-valid credential refused", e2 && e2.code === "mdoc/not-yet-valid");
+
+  // opts.at within window accepts an otherwise-expired credential
+  var ok = await b.mdoc.verifyIssuerSigned(expired, { algorithms: ["ES256"], at: new Date(Date.now() - 86400000 * 2) });
+  check("verify: opts.at within window accepts", ok.docType === DOCTYPE);
+
+  // docType mismatch
+  var e3 = null;
+  try { await b.mdoc.verifyIssuerSigned(await _makeMdoc(cert), { algorithms: ["ES256"], expectedDocType: "org.iso.18013.5.1.photoID" }); } catch (e) { e3 = e; }
+  check("verify: docType mismatch refused", e3 && e3.code === "mdoc/doctype-mismatch");
+
+  // malformed validUntil (a non-date) fails closed
+  var badValidity = await _makeMdoc(cert, { validUntilRaw: new cbor.Tag(0, "not-a-date") });
+  var e4 = null;
+  try { await b.mdoc.verifyIssuerSigned(badValidity, { algorithms: ["ES256"] }); } catch (e) { e4 = e; }
+  check("verify: malformed validUntil refused (fail closed)", e4 && e4.code === "mdoc/bad-validity");
+
+  // invalid opts.at refused (lesson carried from b.tsa / b.vc)
+  var e5 = null;
+  try { await b.mdoc.verifyIssuerSigned(await _makeMdoc(cert), { algorithms: ["ES256"], at: new Date("nope") }); } catch (e) { e5 = e; }
+  check("verify: invalid opts.at refused", e5 && e5.code === "mdoc/bad-at");
+
+  // Two signed IssuerSignedItems with the same elementIdentifier (each
+  // with a valid MSO digest) is ambiguous → fail closed, not last-wins.
+  var dup = await _makeMdoc(cert, { elements: [["family_name", "Doe"], ["family_name", "Roe"]] });
+  var e6 = null;
+  try { await b.mdoc.verifyIssuerSigned(dup, { algorithms: ["ES256"] }); } catch (e) { e6 = e; }
+  check("verify: duplicate elementIdentifier refused", e6 && e6.code === "mdoc/duplicate-element");
+}
+
+async function testChainAndInputGuards() {
+  var cert = _makeCert();
+  var mdoc = await _makeMdoc(cert);
+
+  // unrelated anchor → untrusted
+  var other = _makeCert("Unrelated Root");
+  var e1 = null;
+  try { await b.mdoc.verifyIssuerSigned(mdoc, { algorithms: ["ES256"], trustAnchorsPem: [other.pem] }); } catch (e) { e1 = e; }
+  check("verify: unrelated anchor refused", e1 && e1.code === "mdoc/untrusted-chain");
+
+  // empty trust-anchor shape refused (no fail-open)
+  var e2 = null;
+  try { await b.mdoc.verifyIssuerSigned(mdoc, { algorithms: ["ES256"], trustAnchorsPem: [] }); } catch (e) { e2 = e; }
+  check("verify: empty trustAnchorsPem refused", e2 && e2.code === "mdoc/bad-trust-anchors");
+
+  // garbage input → not CBOR / malformed
+  var e3 = null;
+  try { await b.mdoc.verifyIssuerSigned(Buffer.from([0x00, 0x01]), { algorithms: ["ES256"] }); } catch (e) { e3 = e; }
+  check("verify: garbage input refused", e3 && (e3.code === "mdoc/malformed" || e3.code === "mdoc/bad-input" || /cbor/.test(e3.code || "")));
+
+  // missing algorithms
+  var e4 = null;
+  try { await b.mdoc.verifyIssuerSigned(mdoc, {}); } catch (e) { e4 = e; }
+  check("verify: missing algorithms refused", e4 && e4.code === "mdoc/algorithms-required");
+}
+
+async function run() {
+  testSurface();
+  await testRoundTrip();
+  await testDigestAndSignatureRefusals();
+  await testValidityAndDocType();
+  await testChainAndInputGuards();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[mdoc] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.128",
+  "version": "0.0.129",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {