@blamejs/blamejs-shop 0.0.128 → 0.1.0

package/lib/subscriptions.js

@@ -214,7 +214,9 @@ function _extractFromStripeObject(obj) {
   // Stripe nests current_period_start/_end at the top level when the
   // event is `customer.subscription.*`. Both are unix seconds; we
   // store epoch ms.
+  // allow:raw-time-literal — Stripe sends unix SECONDS; the * 1000 converts a runtime field to epoch ms, not a fixed duration
   var periodStart = obj && obj.current_period_start != null ? obj.current_period_start * 1000 : null;
+  // allow:raw-time-literal — Stripe sends unix SECONDS; the * 1000 converts a runtime field to epoch ms, not a fixed duration
   var periodEnd   = obj && obj.current_period_end   != null ? obj.current_period_end   * 1000 : null;
   return {
     stripe_subscription_id: obj && obj.id,

package/lib/support-tickets.js

@@ -75,10 +75,10 @@ var ALLOWED_STATUSES   = [
 // ticket is considered breached. Closed / resolved tickets never
 // breach. Drives `slaCheck()` for the scheduler.
 var SLA_MS = {
-  urgent: 1   * 3600 * 1000,
-  high:   4   * 3600 * 1000,
-  normal: 24  * 3600 * 1000,
-  low:    72  * 3600 * 1000,
+  urgent: _b().constants.TIME.hours(1),
+  high:   _b().constants.TIME.hours(4),
+  normal: _b().constants.TIME.hours(24),
+  low:    _b().constants.TIME.hours(72),
 };
 
 // FSM. Encoded as an explicit allow-list keyed by from-state. Every

package/lib/tax-cert-renewals.js

@@ -71,6 +71,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 var JURISDICTION_RE = /^[A-Z]{2}(-[A-Z0-9]{1,3})?$/;
 var SLUG_RE         = /^[a-z0-9](?:[a-z0-9._-]{0,126}[a-z0-9])?$/;
@@ -81,7 +82,7 @@ var MAX_ESCALATE_DAYS     = 365;
 var MAX_ESCALATED_TO_LEN  = 256;
 var DEFAULT_CHANNELS      = Object.freeze(["email"]);
 
-var DAY_MS = 86400000;
+var DAY_MS = C.TIME.days(1);
 
 var STATUSES = Object.freeze(["queued", "sent", "escalated", "renewed", "expired"]);
 

package/lib/tax-remittance.js

@@ -90,6 +90,7 @@ function _b() {
   if (!bShop) bShop = require("./index");
   return bShop.framework;
 }
+var C = _b().constants;
 
 // ---- constants ----------------------------------------------------------
 
@@ -107,7 +108,7 @@ var MAX_PENALTY_REASON_LEN  = 1000;
 
 var DEFAULT_DAYS_LATE_MIN   = 1;
 var MAX_DAYS_LATE_MIN       = 3650;            // ~10 years
-var MS_PER_DAY              = 24 * 60 * 60 * 1000;
+var MS_PER_DAY              = C.TIME.days(1);
 
 var CONTROL_BYTE_RE         = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;
 

package/lib/theme-assets.js

@@ -137,7 +137,7 @@ var ZERO_WIDTH_RE = new RegExp(
   "[\\u200B-\\u200F\\u202A-\\u202E\\u2060-\\u2064\\u2066-\\u2069\\uFEFF\\u061C]"
 );
 
-var MS_PER_DAY = 86400000;
+var MS_PER_DAY = _b().constants.TIME.days(1);
 
 var bShop;
 function _b() {

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.39",
-      "tag": "v0.12.39",
+      "version": "0.12.41",
+      "tag": "v0.12.41",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.41 (2026-05-24) — **`b.did` — W3C DID resolution (did:key + did:web) feeding the credential verifiers.** Resolve W3C Decentralized Identifiers (DID Core 1.0) to verification keys — the link that lets a credential's issuer be named by a DID rather than a raw key. Resolve the issuer DID of a b.vc / b.mdoc / b.scitt credential to a node:crypto KeyObject and hand it to the verifier. did:key encodes the public key in the identifier (multicodec + base58btc), so resolution is deterministic and offline — Ed25519, P-256, P-384, and secp256k1 round-trip; did:web places the DID document at an HTTPS URL derived from the identifier, with the network fetch left to the operator (the framework parses the operator-fetched document and extracts its verification methods, as publicKeyMultibase or publicKeyJwk). b.did.keyToDid encodes a KeyObject as a did:key (an issuer naming itself), b.did.parse splits the identifier (and returns the did:web URL to fetch), and b.did.resolve returns the document and verification keys. DID Core 1.0 is a W3C Recommendation; the method specs (did:key W3C CCG report, did:web DID method registry — EUDI-mandated) are deployed-stable. Composes node:crypto; no new runtime dependency. **Added:** *`b.did.resolve(did, opts?)` / `b.did.keyToDid(publicKey)` / `b.did.parse(did)`* — `resolve` returns `{ didDocument, verificationMethods: [{ id, controller, type, publicKey }] }` with each `publicKey` a `node:crypto` KeyObject ready for `b.vc.verify` / `b.mdoc.verifyIssuerSigned` / `b.scitt.verifyStatement`. did:key resolves deterministically and offline (base58btc + multicodec → Ed25519 raw key or EC compressed point, rebuilt via SPKI); did:web requires the operator to pass the fetched DID document as `opts.document` (the URL to GET is on `b.did.parse(did).url`) and the document `id` must match the requested DID. A publicKeyJwk in a DID document is imported only after its `kty`/`crv` is allowlisted (Ed25519 / P-256 / P-384 / secp256k1) — an unexpected key type from an untrusted document is refused, not blindly imported. `keyToDid` encodes an Ed25519 / P-256 / P-384 / secp256k1 KeyObject as a did:key; `parse` derives the did:web HTTPS URL (`host[:port][:path]` → `https://host/path/did.json`, or `/.well-known/did.json`). Unknown methods, malformed base58, unsupported multicodec codes, and unsupported key types are each refused.
+
+- v0.12.40 (2026-05-24) — **`b.mdoc` — ISO 18013-5 mdoc / mDL issuer-data verification.** Verify the issuer-signed data of an ISO/IEC 18013-5 mdoc — the credential format behind mobile driving licences (mDL) and the ISO track of the EU Digital Identity Wallet. This is the relying-party side: confirm that the data elements a holder presents were signed by the issuer and have not been altered. An mdoc's IssuerSigned carries the disclosed data elements and an issuerAuth that is a COSE_Sign1 (b.cose) over a Mobile Security Object (MSO) holding a per-element digest. b.mdoc.verifyIssuerSigned verifies the COSE signature with the issuer certificate from the COSE x5chain header, parses the MSO, enforces its validityInfo window, and recomputes each disclosed element's digest (the full Tag-24 IssuerSignedItemBytes) to match it against the MSO constant-time — the integrity check that makes selective disclosure trustworthy. An absent or mismatched digest is refused. Signing algorithms follow b.cose verification (the classical ES256/384/512 + EdDSA that real mDL issuers use; the caller names the allowlist); opts.trustAnchorsPem additionally verifies the issuer certificate chain. This completes the credential trio alongside W3C VCDM (b.vc) and IETF SD-JWT VC (b.auth.sdJwtVc). Composes b.cose + b.cbor; no new runtime dependency. **Added:** *`b.mdoc.verifyIssuerSigned(issuerSigned, opts)`* — Takes the CBOR `IssuerSigned` map (the operator extracts it from the device response / QR) and returns `{ docType, version, digestAlgorithm, validityInfo, namespaces, signerCert, alg }`. Verifies the COSE_Sign1 `issuerAuth` against the mandatory `opts.algorithms` allowlist using the issuer certificate from its `x5chain` (label 33) header; parses the Tag-24 Mobile Security Object; enforces the MSO `validityInfo` window against `opts.at` (default now; must be a valid Date; malformed dates fail closed); and recomputes the digest of every disclosed `IssuerSignedItem` (over the full Tag-24 bytes, with the MSO `digestAlgorithm` — SHA-256/384/512) to match the MSO `valueDigests` constant-time — an absent or mismatched digest is refused with `mdoc/digest-mismatch`. `opts.expectedDocType` pins the document type; `opts.trustAnchorsPem` (a PEM string or array) additionally verifies the issuer certificate chain and validity at the asserted time. A malformed `x5chain` certificate is refused with a clean `mdoc/bad-cert`. The mdoc device-authentication half (the SessionTranscript-bound holder-binding proof) is a presentation-protocol concern and is not part of issuer-data verification.
+
 - v0.12.39 (2026-05-24) — **`b.vc` — W3C Verifiable Credentials 2.0 (issue / verify, JOSE + COSE securing).** Issue and verify W3C Verifiable Credentials (VC Data Model 2.0, a W3C Recommendation) secured per Securing Verifiable Credentials using JOSE and COSE (VC-JOSE-COSE, also a W3C Recommendation, May 2025). A verifiable credential is a tamper-evident, signed set of claims an issuer makes about a subject — a diploma, a membership, a license, an age assertion. Two securing mechanisms are supported, both signing the credential itself (no JWT/CWT claims wrapper): JOSE produces a compact JWS with the vc+jwt media type, signed with ES256/384/512 or EdDSA; COSE produces a COSE_Sign1 (application/vc+cose) over b.cose, which also accepts ML-DSA-87 for PQC-forward deployments. b.vc.verify auto-detects the form from the input, requires an algorithm allowlist, always refuses the JOSE none algorithm, re-checks the VCDM 2.0 structural rules, and enforces the validFrom / validUntil window. This is the W3C credential model, distinct from the IETF SD-JWT VC already at b.auth.sdJwtVc. Composes b.cose; no new runtime dependency. **Added:** *`b.vc.issue(credential, opts)` / `b.vc.verify(secured, opts)`* — `issue` validates the credential against the VCDM 2.0 structural rules (the `credentials/v2` context first, a `VerifiableCredential` type, an issuer, a credential subject) and signs it: `securing: "jose"` returns a compact JWS string (`typ` header `vc+jwt`), `securing: "cose"` returns COSE_Sign1 bytes (`typ` header `application/vc+cose`, content type `application/vc`) via `b.cose`. The credential is the exact signed payload — no JWT/CWT claims are injected. `verify` auto-detects the securing form from the input (compact-JWS string vs. COSE_Sign1 bytes), verifies the signature against the mandatory `opts.algorithms` allowlist (the JOSE `none` algorithm is always refused), re-checks the structural rules, enforces the `validFrom` / `validUntil` window against `opts.at` (default now; must be a valid Date), and optionally matches `opts.expectedIssuer` against the credential issuer id. Returns `{ credential, securing, alg, issuer }`.
 
 - v0.12.38 (2026-05-24) — **`b.tsa` — RFC 3161 trusted timestamping client (build / parse / verify).** A timestamp authority binds a hash of your data to a trusted time, producing a token that proves the data existed at that instant — timestamp a release artifact, an audit-log checkpoint, a b.scitt signed statement, or a contract. b.tsa is the requester/verifier side of RFC 3161: buildRequest produces the DER TimeStampReq (the message imprint plus an optional nonce and a cert request), parseResponse reads the TimeStampResp (PKIStatus, failure-info bits, and the token), and verifyToken checks a token against your data and returns the asserted time. Verification is done in full per §2.4.2 / §2.3: the token is a CMS SignedData (b.cms) whose eContentType must be id-ct-TSTInfo; the message imprint must equal the hash of your data (constant-time); a sent nonce must round-trip; the signer certificate's extendedKeyUsage must be a critical, sole id-kp-timeStamping; and the CMS signature over the signed attributes must verify after the messageDigest attribute is matched to the recomputed eContent digest. An optional trust-anchor set verifies the certificate chain and validity at the asserted time. The HTTP transport to the TSA is the operator's to make. Composes b.cms and the in-tree ASN.1 DER codec; no new runtime dependency. **Added:** *`b.tsa.buildRequest(data, opts?)` / `b.tsa.parseResponse(der)` / `b.tsa.verifyToken(token, opts)`* — `buildRequest` returns `{ der, nonce, hashAlg, messageImprint }`; the imprint hash defaults to SHA-512 and may be SHA-256/384/512 or SHA3-256/512, a random 64-bit nonce and a certificate request are included by default, and a pre-hashed input is accepted with `hashed: true`. `parseResponse` returns `{ granted, status, statusString, failInfo, token }`, decoding the PKIFailureInfo bits for a non-granted response rather than throwing. `verifyToken` enforces the imprint match (`opts.data` or `opts.hash`), the nonce round-trip, the critical/sole `id-kp-timeStamping` EKU, and the CMS signature, returning `{ genTime, policy, serialHex, accuracy, hashAlg, signerCertPem }`; pass `opts.trustAnchorsPem` to also verify the certificate chain and validity at the asserted time. Timestamp tokens are third-party artifacts, so verification accepts the classical RSA (PKCS#1 v1.5 and PSS) and ECDSA-over-SHA-2 signatures that public TSAs emit — the same consume-what-exists posture as `b.cose` verification, not a framework signing default.

package/lib/vendor/blamejs/README.md

@@ -132,6 +132,8 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **SCITT signed statements** — `b.scitt` sign/verify a signed, attributable claim about an artifact (signed SBOM, build attestation, release approval) over `b.cose`: the issuer + subject bind in the integrity-protected CWT_Claims header (RFC 9597); verification refuses any statement missing the iss/sub binding. The issuer side, on finalized RFCs; the transparency receipt (COSE Receipts draft) opts in on publication
 - **Trusted timestamping** — `b.tsa` RFC 3161 timestamp client: `buildRequest` a TimeStampReq, `parseResponse`, and `verifyToken` against your data — the message imprint, sent nonce, critical/sole `id-kp-timeStamping` EKU, and CMS signature are all checked, with optional certificate-chain verification. Timestamp a release artifact, audit checkpoint, or signed statement against any RFC 3161 TSA. Composes `b.cms` + the in-tree ASN.1 DER codec
 - **Verifiable Credentials** — `b.vc` W3C Verifiable Credentials Data Model 2.0 (VC-JOSE-COSE): `issue` / `verify` a signed credential as a compact JWS (`vc+jwt`, ES256/384/512 + EdDSA) or a COSE_Sign1 (`vc+cose`, + ML-DSA-87) over `b.cose`. VCDM structural + `validFrom`/`validUntil` checks; the JOSE `none` algorithm is always refused. The W3C model, distinct from the IETF SD-JWT VC at `b.auth.sdJwtVc`
+- **Mobile credentials (mDL)** — `b.mdoc` ISO/IEC 18013-5 issuer-data verification: `verifyIssuerSigned` checks the COSE_Sign1 IssuerAuth (issuer cert from the `x5chain` header), the Mobile Security Object validity window, and every disclosed element's digest against the MSO `valueDigests` (the selective-disclosure integrity check), with optional issuer-chain verification. The ISO credential ecosystem alongside `b.vc` and `b.auth.sdJwtVc`. Composes `b.cose` + `b.cbor`
+- **Decentralized Identifiers** — `b.did` W3C DID resolution (DID Core 1.0): `resolve` a `did:key` (deterministic, offline — Ed25519 / P-256 / P-384 / secp256k1) or `did:web` (operator-fetched document) to `node:crypto` verification keys, so a credential's issuer DID resolves to the key that verifies it (`b.vc` / `b.mdoc` / `b.scitt`). `keyToDid` names a key as a `did:key`; document JWKs are kty/crv-allowlisted before import
 - **Document parsers** — `b.parsers` (XML / TOML / YAML / .env); `b.config` (schema-validated env)
 - **File-type detection** — `b.fileType` magic-byte content classification with deny-on-upload categories (image / document / archive / executable / etc.)
 ### Content-safety gates

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.39",
-  "createdAt": "2026-05-25T02:42:46.281Z",
+  "frameworkVersion": "0.12.41",
+  "createdAt": "2026-05-25T05:05:33.017Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -14411,6 +14411,96 @@
         }
       }
     },
+    "did": {
+      "type": "object",
+      "members": {
+        "DidError": {
+          "type": "function",
+          "arity": 4
+        },
+        "MULTICODEC": {
+          "type": "object",
+          "members": {
+            "231": {
+              "type": "object",
+              "members": {
+                "curveOid": {
+                  "type": "primitive",
+                  "valueType": "string"
+                },
+                "kind": {
+                  "type": "primitive",
+                  "valueType": "string"
+                },
+                "name": {
+                  "type": "primitive",
+                  "valueType": "string"
+                }
+              }
+            },
+            "237": {
+              "type": "object",
+              "members": {
+                "kind": {
+                  "type": "primitive",
+                  "valueType": "string"
+                },
+                "name": {
+                  "type": "primitive",
+                  "valueType": "string"
+                }
+              }
+            },
+            "4608": {
+              "type": "object",
+              "members": {
+                "curveOid": {
+                  "type": "primitive",
+                  "valueType": "string"
+                },
+                "kind": {
+                  "type": "primitive",
+                  "valueType": "string"
+                },
+                "name": {
+                  "type": "primitive",
+                  "valueType": "string"
+                }
+              }
+            },
+            "4609": {
+              "type": "object",
+              "members": {
+                "curveOid": {
+                  "type": "primitive",
+                  "valueType": "string"
+                },
+                "kind": {
+                  "type": "primitive",
+                  "valueType": "string"
+                },
+                "name": {
+                  "type": "primitive",
+                  "valueType": "string"
+                }
+              }
+            }
+          }
+        },
+        "keyToDid": {
+          "type": "function",
+          "arity": 1
+        },
+        "parse": {
+          "type": "function",
+          "arity": 1
+        },
+        "resolve": {
+          "type": "function",
+          "arity": 2
+        }
+      }
+    },
     "dora": {
       "type": "object",
       "members": {
@@ -40319,6 +40409,36 @@
         }
       }
     },
+    "mdoc": {
+      "type": "object",
+      "members": {
+        "DIGEST_ALGS": {
+          "type": "object",
+          "members": {
+            "SHA-256": {
+              "type": "primitive",
+              "valueType": "string"
+            },
+            "SHA-384": {
+              "type": "primitive",
+              "valueType": "string"
+            },
+            "SHA-512": {
+              "type": "primitive",
+              "valueType": "string"
+            }
+          }
+        },
+        "MdocError": {
+          "type": "function",
+          "arity": 4
+        },
+        "verifyIssuerSigned": {
+          "type": "function",
+          "arity": 2
+        }
+      }
+    },
     "metrics": {
       "type": "object",
       "members": {

package/lib/vendor/blamejs/index.js

@@ -462,6 +462,8 @@ module.exports = {
   scitt:            require("./lib/scitt"),
   tsa:              require("./lib/tsa"),
   vc:               require("./lib/vc"),
+  mdoc:             require("./lib/mdoc"),
+  did:              require("./lib/did"),
   queue:            queue,
   logStream:        logStream,
   redact:           redact,

package/lib/vendor/blamejs/lib/did.js

@@ -0,0 +1,367 @@
+"use strict";
+/**
+ * @module b.did
+ * @nav    Crypto
+ * @title  Decentralized Identifiers (DID)
+ *
+ * @intro
+ *   Resolve W3C Decentralized Identifiers (DID Core 1.0, a W3C
+ *   Recommendation) to verification keys — the missing link that lets a
+ *   credential's issuer be named by a DID rather than a raw key. Resolve
+ *   the issuer DID of a <code>b.vc</code> / <code>b.mdoc</code> /
+ *   <code>b.scitt</code> credential to a <code>node:crypto</code>
+ *   KeyObject, then hand that key to the verifier.
+ *
+ *   Two methods are supported. <strong>did:key</strong> encodes a public
+ *   key directly in the identifier (multicodec + base58btc multibase),
+ *   so resolution is deterministic and offline — Ed25519, P-256, P-384,
+ *   and secp256k1 keys round-trip. <strong>did:web</strong> places the
+ *   DID document at an HTTPS URL derived from the identifier; the network
+ *   fetch is the operator's to make (the same operator-supplied-input
+ *   stance as the rest of the framework), and <code>resolve</code> takes
+ *   the fetched document and extracts its verification methods.
+ *
+ *   <code>b.did.keyToDid(publicKey)</code> produces a did:key from a
+ *   KeyObject (an issuer naming itself); <code>b.did.parse(did)</code>
+ *   splits the identifier (and, for did:web, returns the HTTPS URL to
+ *   fetch); <code>b.did.resolve(did, opts)</code> returns the DID
+ *   document and its verification methods as KeyObjects. Verification
+ *   methods expressed as <code>publicKeyMultibase</code> or
+ *   <code>publicKeyJwk</code> are both understood.
+ *
+ *   <strong>Maturity.</strong> DID Core 1.0 is a Recommendation, but the
+ *   method specs are deployed-stable rather than Recommendations:
+ *   did:key is a W3C CCG report and did:web is a registered DID method
+ *   (mandated by the EU Digital Identity Wallet). They are widely
+ *   deployed and interoperable today; pin the dependency deliberately.
+ *
+ * @card
+ *   W3C DID resolution (did:key + did:web) → verification KeyObjects for
+ *   the credential verifiers. did:key is deterministic + offline
+ *   (Ed25519 / P-256 / P-384 / secp256k1); did:web parses an
+ *   operator-fetched DID document. Composes node:crypto; no new dep.
+ */
+
+var nodeCrypto = require("node:crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var DidError = defineClass("DidError", { alwaysPermanent: true });
+
+var B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+var B58_MAP = (function () {
+  var m = {};
+  for (var i = 0; i < B58_ALPHABET.length; i += 1) m[B58_ALPHABET[i]] = i;
+  return m;
+})();
+var MAX_MULTIBASE_CHARS = 1024;                        // allow:raw-byte-literal — bounded did:key multibase length (DoS cap)
+
+// multicodec public-key codes (unsigned-varint) → curve descriptor.
+// keyLen is the multicodec payload: Ed25519 raw 32; EC compressed point.
+var MULTICODEC = {
+  0xed:   { name: "Ed25519",   kind: "okp" },                                    // ed25519-pub
+  0x1200: { name: "P-256",     kind: "ec", curveOid: "1.2.840.10045.3.1.7" },    // allow:raw-byte-literal allow:raw-time-literal — p256-pub multicodec code + OID dotted-form
+  0x1201: { name: "P-384",     kind: "ec", curveOid: "1.3.132.0.34" },           // allow:raw-byte-literal — p384-pub multicodec code
+  0xe7:   { name: "secp256k1", kind: "ec", curveOid: "1.3.132.0.10" },           // secp256k1-pub
+};
+var NAME_TO_CODE = {};
+Object.keys(MULTICODEC).forEach(function (c) { NAME_TO_CODE[MULTICODEC[c].name] = Number(c); });
+
+// ---- base58btc (bounded) ----
+
+function _b58decode(str) {
+  if (str.length > MAX_MULTIBASE_CHARS) {
+    throw new DidError("did/too-long", "did: multibase value exceeds the " + MAX_MULTIBASE_CHARS + "-char cap");
+  }
+  var bytes = [0];
+  for (var i = 0; i < str.length; i += 1) {
+    var v = B58_MAP[str[i]];
+    if (v === undefined) throw new DidError("did/bad-base58", "did: invalid base58btc character '" + str[i] + "'");
+    var carry = v;
+    for (var j = 0; j < bytes.length; j += 1) {
+      carry += bytes[j] * 58;
+      bytes[j] = carry & 0xff;
+      carry >>= 8;                                     // allow:raw-byte-literal — base-256 carry
+    }
+    while (carry > 0) { bytes.push(carry & 0xff); carry >>= 8; }   // allow:raw-byte-literal — base-256 carry
+  }
+  // Leading '1's are leading zero bytes.
+  for (var k = 0; k < str.length && str[k] === "1"; k += 1) bytes.push(0);
+  return Buffer.from(bytes.reverse());
+}
+
+function _b58encode(buf) {
+  var digits = [0];
+  for (var i = 0; i < buf.length; i += 1) {
+    var carry = buf[i];
+    for (var j = 0; j < digits.length; j += 1) {
+      carry += digits[j] << 8;                         // allow:raw-byte-literal — base-256 shift
+      digits[j] = carry % 58;
+      carry = (carry / 58) | 0;
+    }
+    while (carry > 0) { digits.push(carry % 58); carry = (carry / 58) | 0; }
+  }
+  var out = "";
+  for (var z = 0; z < buf.length && buf[z] === 0; z += 1) out += "1";
+  for (var d = digits.length - 1; d >= 0; d -= 1) out += B58_ALPHABET[digits[d]];
+  return out;
+}
+
+// Read an unsigned LEB128 varint (multicodec code). Bounded to 4 bytes.
+function _readVarint(buf) {
+  var value = 0, shift = 0, len = 0;
+  for (var i = 0; i < buf.length && i < 4; i += 1) {   // allow:raw-byte-literal — multicodec varint ≤ 4 bytes
+    var b = buf[i];
+    value |= (b & 0x7f) << shift;
+    len += 1;
+    if ((b & 0x80) === 0) return { value: value >>> 0, length: len };
+    shift += 7;                                        // allow:raw-byte-literal — 7 bits per varint byte
+  }
+  throw new DidError("did/bad-multicodec", "did: multicodec varint did not terminate");
+}
+function _encodeVarint(code) {
+  var out = [];
+  var n = code;
+  do { var b = n & 0x7f; n >>>= 7; if (n > 0) b |= 0x80; out.push(b); } while (n > 0);   // allow:raw-byte-literal — LEB128 7-bit groups
+  return Buffer.from(out);
+}
+
+// ---- key <-> bytes ----
+
+var ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");   // RFC 8410 Ed25519 SubjectPublicKeyInfo header
+
+function _keyObjectFromMulticodec(code, keyBytes) {
+  var desc = MULTICODEC[code];
+  if (!desc) throw new DidError("did/unsupported-key", "did: unsupported multicodec key code 0x" + code.toString(16));   // allow:raw-byte-literal — hex radix
+  if (desc.kind === "okp") {
+    if (keyBytes.length !== 32) {                      // allow:raw-byte-literal — Ed25519 public key is 32 bytes
+      throw new DidError("did/bad-key", "did: Ed25519 key must be 32 bytes (got " + keyBytes.length + ")");
+    }
+    return nodeCrypto.createPublicKey({ key: Buffer.concat([ED25519_SPKI_PREFIX, keyBytes]), format: "der", type: "spki" });
+  }
+  // EC: keyBytes is a compressed point (0x02/0x03 + X). Build an SPKI and
+  // let node decompress.
+  if (keyBytes.length < 2 || (keyBytes[0] !== 0x02 && keyBytes[0] !== 0x03)) {
+    throw new DidError("did/bad-key", "did: EC key must be a compressed point (0x02/0x03 prefix)");
+  }
+  var algid = _ecAlgId(desc.curveOid);
+  var bitstr = Buffer.concat([Buffer.from([0x03, keyBytes.length + 1, 0x00]), keyBytes]);
+  var body = Buffer.concat([algid, bitstr]);
+  var spki = Buffer.concat([Buffer.from([0x30, body.length]), body]);      // allow:raw-byte-literal — SEQUENCE tag; single-byte DER length holds for these curves
+  try { return nodeCrypto.createPublicKey({ key: spki, format: "der", type: "spki" }); }
+  catch (e) { throw new DidError("did/bad-key", "did: could not import EC key: " + ((e && e.message) || e)); }
+}
+
+// AlgorithmIdentifier SEQUENCE { id-ecPublicKey, namedCurve OID }.
+function _ecAlgId(curveOid) {
+  var idEcPublicKey = Buffer.from("06072a8648ce3d0201", "hex");            // allow:raw-byte-literal allow:raw-time-literal — DER OID for id-ecPublicKey
+  var curve = _oidDer(curveOid);
+  var inner = Buffer.concat([idEcPublicKey, curve]);
+  return Buffer.concat([Buffer.from([0x30, inner.length]), inner]);
+}
+function _oidDer(dotted) {
+  var parts = dotted.split(".").map(Number);
+  var bytes = [parts[0] * 40 + parts[1]];                                  // allow:raw-byte-literal — X.690 first-arc encoding
+  for (var i = 2; i < parts.length; i += 1) {
+    var arc = parts[i], stack = [];
+    do { stack.unshift(arc & 0x7f); arc >>>= 7; } while (arc > 0);        // allow:raw-byte-literal — base-128 OID arc
+    for (var j = 0; j < stack.length - 1; j += 1) stack[j] |= 0x80;       // allow:raw-byte-literal — continuation bit
+    bytes = bytes.concat(stack);
+  }
+  return Buffer.concat([Buffer.from([0x06, bytes.length]), Buffer.from(bytes)]);
+}
+
+// Compressed point + curve name from an EC KeyObject's JWK.
+function _compressedPoint(jwk) {
+  var x = Buffer.from(jwk.x, "base64url");
+  var y = Buffer.from(jwk.y, "base64url");
+  return Buffer.concat([Buffer.from([(y[y.length - 1] & 1) ? 0x03 : 0x02]), x]);
+}
+
+/**
+ * @primitive b.did.parse
+ * @signature b.did.parse(did)
+ * @since     0.12.41
+ * @status    experimental
+ * @related   b.did.resolve, b.did.keyToDid
+ *
+ * Split a DID string into its method and method-specific id. For
+ * <code>did:web</code> the HTTPS URL of the DID document is also
+ * returned (host[:port][:path] → <code>https://host/path/did.json</code>,
+ * or <code>/.well-known/did.json</code> with no path).
+ *
+ * @example
+ *   b.did.parse("did:web:example.com:issuers:42");
+ *   // → { method: "web", id: "example.com:issuers:42", url: "https://example.com/issuers/42/did.json" }
+ */
+function parse(did) {
+  if (typeof did !== "string" || did.indexOf("did:") !== 0) {
+    throw new DidError("did/bad-did", "did.parse: not a DID (must start with 'did:')");
+  }
+  var rest = did.slice(4);
+  var colon = rest.indexOf(":");
+  if (colon <= 0) throw new DidError("did/bad-did", "did.parse: DID is missing a method-specific id");
+  var method = rest.slice(0, colon);
+  var id = rest.slice(colon + 1);
+  var out = { method: method, id: id };
+  if (method === "web") out.url = _didWebUrl(id);
+  return out;
+}
+
+function _didWebUrl(id) {
+  // did-method-web §read: ':' separates segments (→ '/'); only the host
+  // may carry a percent-encoded port (%3A → ':'). Path segments are kept
+  // verbatim — NOT percent-decoded — so an escaped reserved char (e.g.
+  // %3F) stays path data rather than becoming URL control syntax, and a
+  // malformed escape never throws a raw URIError.
+  var segs = id.split(":");
+  var host = segs[0].replace(/%3[Aa]/g, ":");
+  if (!host) throw new DidError("did/bad-did", "did:web: missing host");
+  var path = segs.slice(1);
+  var base = "https://" + host;
+  return path.length ? base + "/" + path.join("/") + "/did.json" : base + "/.well-known/did.json";
+}
+
+/**
+ * @primitive b.did.keyToDid
+ * @signature b.did.keyToDid(publicKey)
+ * @since     0.12.41
+ * @status    experimental
+ * @related   b.did.resolve
+ *
+ * Encode a public key (a <code>node:crypto</code> KeyObject or PEM) as a
+ * <code>did:key</code> — the inverse of resolution, for an issuer that
+ * names itself by its key. Ed25519, P-256, P-384, and secp256k1 are
+ * supported.
+ *
+ * @example
+ *   var did = b.did.keyToDid(issuerPublicKey);   // → "did:key:z6Mk…"
+ */
+function keyToDid(publicKey) {
+  var key = (publicKey && typeof publicKey === "object" && publicKey.asymmetricKeyType)
+    ? publicKey : nodeCrypto.createPublicKey(publicKey);
+  var jwk = key.export({ format: "jwk" });
+  var code, payload;
+  if (jwk.kty === "OKP" && jwk.crv === "Ed25519") {
+    code = NAME_TO_CODE["Ed25519"];
+    payload = Buffer.from(jwk.x, "base64url");
+  } else if (jwk.kty === "EC") {
+    var name = jwk.crv === "P-256" ? "P-256" : jwk.crv === "P-384" ? "P-384" : jwk.crv === "secp256k1" ? "secp256k1" : null;
+    if (!name) throw new DidError("did/unsupported-key", "did.keyToDid: unsupported EC curve '" + jwk.crv + "'");
+    code = NAME_TO_CODE[name];
+    payload = _compressedPoint(jwk);
+  } else {
+    throw new DidError("did/unsupported-key", "did.keyToDid: unsupported key type '" + jwk.kty + "/" + jwk.crv + "'");
+  }
+  return "did:key:z" + _b58encode(Buffer.concat([_encodeVarint(code), payload]));
+}
+
+/**
+ * @primitive b.did.resolve
+ * @signature b.did.resolve(did, opts?)
+ * @since     0.12.41
+ * @status    experimental
+ * @compliance soc2
+ * @related   b.did.parse, b.vc.verify, b.mdoc.verifyIssuerSigned
+ *
+ * Resolve a DID to its document and verification methods (each with a
+ * <code>node:crypto</code> public KeyObject ready for a verifier).
+ * <code>did:key</code> resolves deterministically and offline.
+ * <code>did:web</code> requires the operator to supply the fetched DID
+ * document as <code>opts.document</code> (the network fetch is the
+ * operator's; the URL to fetch is on <code>b.did.parse(did).url</code>).
+ *
+ * @opts
+ *   {
+ *     document: object,   // did:web — the fetched did.json (required for did:web)
+ *   }
+ *
+ * @example
+ *   var r = b.did.resolve("did:key:z6Mk…");
+ *   var key = r.verificationMethods[0].publicKey;   // → KeyObject for b.vc.verify / b.mdoc / b.scitt
+ */
+function resolve(did, opts) {
+  opts = opts || {};
+  validateOpts.requireObject(opts, "did.resolve", DidError);
+  validateOpts(opts, ["document"], "did.resolve");
+  var parsed = parse(did);
+
+  if (parsed.method === "key") {
+    if (parsed.id[0] !== "z") {
+      throw new DidError("did/bad-did", "did:key: method-specific id must be base58btc multibase (start with 'z')");
+    }
+    var raw = _b58decode(parsed.id.slice(1));
+    var vh = _readVarint(raw);
+    var key = _keyObjectFromMulticodec(vh.value, raw.slice(vh.length));
+    var vmId = did + "#" + parsed.id;
+    var vm = { id: vmId, controller: did, type: MULTICODEC[vh.value].name, publicKey: key };
+    var doc = {
+      "@context": ["https://www.w3.org/ns/did/v1"],
+      id: did,
+      verificationMethod: [{ id: vmId, controller: did, type: "Multikey", publicKeyMultibase: parsed.id }],
+      assertionMethod: [vmId], authentication: [vmId],
+    };
+    return { didDocument: doc, verificationMethods: [vm] };
+  }
+
+  if (parsed.method === "web") {
+    if (!opts.document || typeof opts.document !== "object") {
+      throw new DidError("did/document-required",
+        "did:web: the DID document must be fetched by the operator and passed as opts.document (GET " + parsed.url + ")");
+    }
+    var docW = opts.document;
+    if (docW.id !== did) {
+      throw new DidError("did/document-mismatch", "did:web: document id '" + docW.id + "' does not match the requested DID");
+    }
+    return { didDocument: docW, verificationMethods: _extractVerificationMethods(docW) };
+  }
+
+  throw new DidError("did/unsupported-method", "did.resolve: unsupported DID method '" + parsed.method + "' (did:key and did:web only)");
+}
+
+// Import a publicKeyJwk after allowlisting its kty/crv — a DID document
+// is untrusted input, so an unexpected key type (RSA / oct / unknown
+// curve) is refused before it reaches node:crypto rather than blindly
+// imported (the DID-context equivalent of the JWT alg/kty cross-check;
+// there is no single verification `alg` in a DID document).
+function _jwkToKey(jwk) {
+  var ok = (jwk.kty === "OKP" && jwk.crv === "Ed25519") ||
+    (jwk.kty === "EC" && (jwk.crv === "P-256" || jwk.crv === "P-384" || jwk.crv === "secp256k1"));
+  if (!ok) {
+    throw new DidError("did/unsupported-key",
+      "did: verificationMethod publicKeyJwk has unsupported kty/crv (" + jwk.kty + "/" + jwk.crv + ")");
+  }
+  try { return nodeCrypto.createPublicKey({ key: jwk, format: "jwk" }); }
+  catch (e) { throw new DidError("did/bad-key", "did: verificationMethod publicKeyJwk is invalid: " + ((e && e.message) || e)); }
+}
+
+// Extract verification methods from a DID document → KeyObjects.
+function _extractVerificationMethods(doc) {
+  var vms = Array.isArray(doc.verificationMethod) ? doc.verificationMethod : [];
+  var out = [];
+  for (var i = 0; i < vms.length; i += 1) {
+    var vm = vms[i];
+    if (!vm || typeof vm !== "object") continue;
+    var key = null;
+    if (typeof vm.publicKeyMultibase === "string" && vm.publicKeyMultibase[0] === "z") {
+      var raw = _b58decode(vm.publicKeyMultibase.slice(1));
+      var vh = _readVarint(raw);
+      key = _keyObjectFromMulticodec(vh.value, raw.slice(vh.length));
+    } else if (vm.publicKeyJwk && typeof vm.publicKeyJwk === "object") {
+      key = _jwkToKey(vm.publicKeyJwk);
+    } else {
+      continue;   // unknown key encoding — skip rather than guess
+    }
+    out.push({ id: vm.id, controller: vm.controller, type: vm.type, publicKey: key });
+  }
+  if (!out.length) throw new DidError("did/no-keys", "did: document has no resolvable verification methods");
+  return out;
+}
+
+module.exports = {
+  parse:       parse,
+  keyToDid:    keyToDid,
+  resolve:     resolve,
+  MULTICODEC:  MULTICODEC,
+  DidError:    DidError,
+};