@blamejs/blamejs-shop 0.0.52 → 0.0.54

package/lib/tax.js

@@ -154,8 +154,396 @@ function create(opts) {
   return operatorTable(opts);
 }
 
+// ---- VAT / GST primitives ----------------------------------------------
+//
+// Sales tax (US-style) is *added* to a displayed price: $10 + 8.75% =
+// $10.875. VAT (EU) and GST (AU / CA / IN / NZ / SG) are typically
+// *extracted* from a displayed price: a €10 line at 20% VAT means the
+// operator receives €8.33 net + €1.67 VAT, not €10 + €2. The B2B
+// "reverse charge" mechanism on intra-EU trade moves the VAT
+// obligation to the buyer (the seller invoices zero VAT and documents
+// the buyer's VAT ID); the buyer self-assesses + remits in their own
+// member state.
+//
+// These helpers are *pure functions* — they don't touch the network
+// and they don't talk to the operator-table adapter. They're the
+// math + format-validation surface the storefront / invoice
+// primitives compose against. The operator-table adapter still owns
+// jurisdiction-rule selection.
+
+// Banker's rounding (round-half-to-even) for non-negative `raw`.
+// JS Math.round is round-half-up, which biases tax totals upward
+// across many small carts; this matches the rounding mode the
+// existing operatorTable adapter uses.
+function _bankersRound(raw) {
+  var floor = Math.floor(raw);
+  var frac  = raw - floor;
+  if (frac < 0.5) return floor;
+  if (frac > 0.5) return floor + 1;
+  return (floor % 2 === 0) ? floor : floor + 1;
+}
+
+function _currency(c) {
+  if (typeof c !== "string" || !/^[A-Z]{3}$/.test(c)) {
+    throw new TypeError("tax: currency must be a 3-letter ISO 4217 code (uppercase), got " + JSON.stringify(c));
+  }
+}
+
+/**
+ * Extract VAT from a VAT-inclusive (gross) price.
+ *
+ *   tax   = round(gross * rate_bps / (10000 + rate_bps))
+ *   net   = gross - tax
+ *
+ * Returns `{ net_minor, tax_minor, gross_minor, rate_bps }`. The
+ * gross figure round-trips exactly (`net + tax === gross`) by
+ * construction — `net` is derived from `tax`, not rounded
+ * independently.
+ *
+ * Use when the storefront displays VAT-inclusive prices (the EU
+ * default for B2C). Banker's rounding to even.
+ */
+function calculateInclusive(args) {
+  if (!args || typeof args !== "object") throw new TypeError("tax.calculateInclusive: args object required");
+  _nonNegInt(args.amount_minor, "amount_minor");
+  _bps(args.rate_bps);
+  _currency(args.currency);
+  var gross = args.amount_minor;
+  var rate  = args.rate_bps;
+  var tax   = _bankersRound(gross * rate / (10000 + rate));
+  return {
+    net_minor:   gross - tax,
+    tax_minor:   tax,
+    gross_minor: gross,
+    rate_bps:    rate,
+  };
+}
+
+/**
+ * Add VAT to a VAT-exclusive (net) price.
+ *
+ *   tax   = round(net * rate_bps / 10000)
+ *   gross = net + tax
+ *
+ * Returns `{ net_minor, tax_minor, gross_minor, rate_bps }`. Use
+ * when the storefront displays VAT-exclusive prices (the standard
+ * B2B presentation, and the US-sales-tax shape). Banker's rounding
+ * to even — same convention as `operatorTable.calculate`.
+ */
+function calculateExclusive(args) {
+  if (!args || typeof args !== "object") throw new TypeError("tax.calculateExclusive: args object required");
+  _nonNegInt(args.amount_minor, "amount_minor");
+  _bps(args.rate_bps);
+  _currency(args.currency);
+  var net  = args.amount_minor;
+  var rate = args.rate_bps;
+  var tax  = _bankersRound(net * rate / 10000);
+  return {
+    net_minor:   net,
+    tax_minor:   tax,
+    gross_minor: net + tax,
+    rate_bps:    rate,
+  };
+}
+
+// ---- VAT ID format validation -------------------------------------------
+//
+// VAT IDs have country-specific formats. The well-known patterns
+// below cover the EU-27 + GB + Switzerland. These regexes validate
+// the *format* only — they do NOT confirm the VAT ID is registered
+// or active. That requires a live HTTPS call to the EU VIES service
+// (or the equivalent national registry), which this primitive
+// deliberately does NOT make:
+//
+//   - Zero npm runtime deps (composing an HTTPS+XML client here is
+//     out of scope for a math primitive).
+//   - No SSRF surface in the tax math path.
+//   - VIES is a soft availability commitment; operators that depend
+//     on it need their own retry / cache / fallback policy, which
+//     belongs in the operator's checkout pipeline, not in lib/tax.js.
+//
+// Operators are responsible for VIES live-checking before storing
+// any buyer VAT ID. This primitive only refuses obviously-malformed
+// IDs (wrong country prefix, wrong length, wrong character class).
+//
+// The format table is operator-extensible — assign to
+// `tax.VAT_FORMATS["XX"]` (a RegExp) to add or override a country.
+//
+// References: each pattern matches the published national format
+// rule; mixed alphanumeric positions (FR, ES, IE) are preserved.
+var VAT_FORMATS = {
+  AT: /^ATU[0-9]{8}$/,                                    // Austria — U + 8 digits
+  BE: /^BE[01][0-9]{9}$/,                                 // Belgium — 10 digits starting 0 or 1
+  BG: /^BG[0-9]{9,10}$/,                                  // Bulgaria — 9 or 10 digits
+  CY: /^CY[0-9]{8}[A-Z]$/,                                // Cyprus — 8 digits + letter
+  CZ: /^CZ[0-9]{8,10}$/,                                  // Czechia — 8-10 digits
+  DE: /^DE[0-9]{9}$/,                                     // Germany — 9 digits
+  DK: /^DK[0-9]{8}$/,                                     // Denmark — 8 digits
+  EE: /^EE[0-9]{9}$/,                                     // Estonia — 9 digits
+  EL: /^EL[0-9]{9}$/,                                     // Greece (EU-internal — Greece uses EL not GR)
+  GR: /^EL[0-9]{9}$/,                                     // Greece alias — operators sometimes pass GR
+  ES: /^ES[A-Z0-9][0-9]{7}[A-Z0-9]$/,                     // Spain — alpha/digit, 7 digits, alpha/digit
+  FI: /^FI[0-9]{8}$/,                                     // Finland — 8 digits
+  FR: /^FR[0-9A-HJ-NP-Z]{2}[0-9]{9}$/,                    // France — 2-char prefix (no I/O) + 9 digits
+  HR: /^HR[0-9]{11}$/,                                    // Croatia — 11 digits
+  HU: /^HU[0-9]{8}$/,                                     // Hungary — 8 digits
+  IE: /^IE[0-9][0-9A-Z*+][0-9]{5}[A-Z]{1,2}$/,            // Ireland — 9-character mixed
+  IT: /^IT[0-9]{11}$/,                                    // Italy — 11 digits
+  LT: /^LT(?:[0-9]{9}|[0-9]{12})$/,                       // Lithuania — 9 or 12 digits
+  LU: /^LU[0-9]{8}$/,                                     // Luxembourg — 8 digits
+  LV: /^LV[0-9]{11}$/,                                    // Latvia — 11 digits
+  MT: /^MT[0-9]{8}$/,                                     // Malta — 8 digits
+  NL: /^NL[0-9]{9}B[0-9]{2}$/,                            // Netherlands — 9 digits + B + 2 digits
+  PL: /^PL[0-9]{10}$/,                                    // Poland — 10 digits
+  PT: /^PT[0-9]{9}$/,                                     // Portugal — 9 digits
+  RO: /^RO[0-9]{2,10}$/,                                  // Romania — 2-10 digits
+  SE: /^SE[0-9]{12}$/,                                    // Sweden — 12 digits
+  SI: /^SI[0-9]{8}$/,                                     // Slovenia — 8 digits
+  SK: /^SK[0-9]{10}$/,                                    // Slovakia — 10 digits
+  // Non-EU, retained for the EU-adjacent operator surface:
+  GB: /^GB(?:[0-9]{9}|[0-9]{12}|GD[0-9]{3}|HA[0-9]{3})$/, // United Kingdom — 9 / 12 digits or GD/HA + 3
+  CH: /^CHE[0-9]{9}(?:MWST|TVA|IVA)?$/,                   // Switzerland — CHE + 9 digits, optional suffix
+};
+
+// EU-27 member-state country codes (for reverse-charge eligibility).
+// GB is intentionally NOT included — Brexit removed the UK from the
+// intra-EU reverse-charge mechanism. CH was never an EU member.
+var EU_COUNTRY_CODES = [
+  "AT", "BE", "BG", "CY", "CZ", "DE", "DK", "EE", "ES", "FI",
+  "FR", "GR", "HR", "HU", "IE", "IT", "LT", "LU", "LV", "MT",
+  "NL", "PL", "PT", "RO", "SE", "SI", "SK",
+];
+var _EU_SET = EU_COUNTRY_CODES.reduce(function (acc, c) { acc[c] = true; return acc; }, {});
+
+function _isEu(cc) {
+  if (typeof cc !== "string") return false;
+  return _EU_SET[cc] === true;
+}
+
+/**
+ * Validate a VAT ID's *format* against the country's published
+ * pattern. Returns `{ ok, country, vat_number, format }`:
+ *
+ *   ok          — true when the ID matches the country's regex
+ *   country     — the country code (uppercase, normalised)
+ *   vat_number  — the ID with the country prefix stripped
+ *   format      — the regex source string, for diagnostics
+ *
+ * On a mismatch returns `{ ok: false, country, vat_number: null,
+ * format }`. On an unknown country code throws — the caller asked
+ * for validation against a country we don't have a pattern for, and
+ * silently returning `{ ok: true }` would be unsafe.
+ *
+ * IMPORTANT: this is FORMAT validation only. It does NOT confirm
+ * the VAT ID is registered, active, or assigned to the named buyer.
+ * Operators MUST cross-check against VIES (https://ec.europa.eu/
+ * taxation_customs/vies/) or the equivalent national registry
+ * before relying on a VAT ID for reverse-charge invoicing. This
+ * primitive is the cheap pre-filter, not the legal record-of-truth.
+ *
+ * Extend `tax.VAT_FORMATS["XX"] = /^XX.../` to register additional
+ * country patterns at boot time.
+ */
+function validateVatId(vat_id, country_code) {
+  if (typeof vat_id !== "string") {
+    throw new TypeError("tax.validateVatId: vat_id must be a string, got " + JSON.stringify(vat_id));
+  }
+  if (typeof country_code !== "string" || !/^[A-Z]{2}$/.test(country_code)) {
+    throw new TypeError("tax.validateVatId: country_code must be a 2-letter uppercase ISO 3166-1 code, got " + JSON.stringify(country_code));
+  }
+  var pattern = VAT_FORMATS[country_code];
+  if (!pattern) {
+    throw new TypeError("tax.validateVatId: no VAT format registered for country " + JSON.stringify(country_code) + " — extend tax.VAT_FORMATS to add one");
+  }
+  // Normalise: strip whitespace; uppercase. Many invoicing UIs let
+  // operators paste "DE 123 456 789" or "de123456789" — accept both.
+  var normalised = vat_id.replace(/\s+/g, "").toUpperCase();
+  var matched = pattern.test(normalised);
+  if (!matched) {
+    return {
+      ok:         false,
+      country:    country_code,
+      vat_number: null,
+      format:     pattern.source,
+    };
+  }
+  // The country prefix on EU/GB/CH VAT IDs is always the first 2-3
+  // chars. We strip the matching country prefix from the front and
+  // return the remainder as the bare VAT number.
+  var prefix = normalised.indexOf(country_code) === 0 ? country_code : normalised.slice(0, 3);
+  return {
+    ok:         true,
+    country:    country_code,
+    vat_number: normalised.slice(prefix.length),
+    format:     pattern.source,
+  };
+}
+
+/**
+ * Decide whether the intra-EU B2B reverse-charge mechanism applies
+ * to the current transaction. Returns one of:
+ *
+ *   { rate_bps: 0, reverse_charge: true,  reason: "eu-b2b",
+ *     seller: { country, vat_number }, buyer: { country, vat_number } }
+ *
+ *   { rate_bps: null, reverse_charge: false, reason: <why-not> }
+ *
+ * When the function returns `reverse_charge: true` the caller MUST
+ * invoice with VAT zero AND document both VAT IDs on the invoice;
+ * the buyer self-assesses + remits in their member state.
+ *
+ * Conditions (ALL must hold):
+ *   1. Seller has a VAT ID AND its country is in EU_COUNTRY_CODES.
+ *   2. Buyer has a VAT ID AND its country is in EU_COUNTRY_CODES.
+ *   3. Both VAT IDs pass format validation.
+ *   4. The buyer's billing country matches the buyer-VAT-ID country
+ *      (a mismatch is a fraud red flag — the operator should refuse
+ *      reverse charge and either charge the seller's rate or block
+ *      checkout pending VIES confirmation).
+ *
+ * The `ctx` argument is reserved for future signals (e.g. a
+ * cached VIES-confirmation flag the operator's storefront sets
+ * after a successful live check). Today only the `vat_validated_at`
+ * timestamp is honoured as an advisory field on the seller side.
+ *
+ * IMPORTANT: this primitive does NOT call VIES. The operator must
+ * confirm the buyer's VAT ID against the EU VIES service (or
+ * equivalent national registry) BEFORE relying on the
+ * `reverse_charge: true` outcome to suppress VAT on an invoice.
+ * Format-pass + VIES-fail is a fraud vector; the operator's
+ * checkout pipeline owns the live check.
+ */
+function applyReverseCharge(args) {
+  if (!args || typeof args !== "object") throw new TypeError("tax.applyReverseCharge: args object required");
+  var ctx = args.ctx || {};
+  var buyerCountry = args.buyer_country;
+  if (typeof buyerCountry !== "string" || !/^[A-Z]{2}$/.test(buyerCountry)) {
+    throw new TypeError("tax.applyReverseCharge: buyer_country must be a 2-letter uppercase ISO 3166-1 code, got " + JSON.stringify(buyerCountry));
+  }
+  var sellerVatId = args.seller_vat_id;
+  var buyerVatId  = args.buyer_vat_id;
+
+  // Both VAT IDs must be present. Missing either one means the
+  // buyer is treated as a B2C consumer — charge the seller's rate.
+  if (typeof sellerVatId !== "string" || !sellerVatId) {
+    return { rate_bps: null, reverse_charge: false, reason: "missing-seller-vat-id" };
+  }
+  if (typeof buyerVatId !== "string" || !buyerVatId) {
+    return { rate_bps: null, reverse_charge: false, reason: "missing-buyer-vat-id" };
+  }
+
+  // The seller's country prefix is the first 2 chars of the VAT ID.
+  // CH starts CHE — handle that out-of-band.
+  var sellerCountry = sellerVatId.slice(0, 2).toUpperCase();
+  if (sellerCountry === "CH") sellerCountry = "CH";
+
+  if (!_isEu(sellerCountry)) {
+    return { rate_bps: null, reverse_charge: false, reason: "seller-not-eu" };
+  }
+  if (!_isEu(buyerCountry)) {
+    return { rate_bps: null, reverse_charge: false, reason: "buyer-not-eu" };
+  }
+
+  // Both VAT IDs must format-validate.
+  var sellerCheck;
+  var buyerCheck;
+  try { sellerCheck = validateVatId(sellerVatId, sellerCountry); }
+  catch (_e) { return { rate_bps: null, reverse_charge: false, reason: "seller-vat-id-unknown-country" }; }
+  if (!sellerCheck.ok) {
+    return { rate_bps: null, reverse_charge: false, reason: "seller-vat-id-bad-format" };
+  }
+
+  // The buyer's VAT ID country prefix must match the declared
+  // buyer_country. A mismatch is a red flag — the buyer may be
+  // trying to invoice into the wrong jurisdiction.
+  var buyerVatCountry = buyerVatId.slice(0, 2).toUpperCase();
+  if (buyerVatCountry !== buyerCountry) {
+    return { rate_bps: null, reverse_charge: false, reason: "buyer-vat-id-country-mismatch" };
+  }
+  try { buyerCheck = validateVatId(buyerVatId, buyerCountry); }
+  catch (_e) { return { rate_bps: null, reverse_charge: false, reason: "buyer-vat-id-unknown-country" }; }
+  if (!buyerCheck.ok) {
+    return { rate_bps: null, reverse_charge: false, reason: "buyer-vat-id-bad-format" };
+  }
+
+  return {
+    rate_bps:       0,
+    reverse_charge: true,
+    reason:         "eu-b2b",
+    seller:         { country: sellerCountry, vat_number: sellerCheck.vat_number },
+    buyer:          { country: buyerCountry,  vat_number: buyerCheck.vat_number },
+    // Advisory: timestamp at which the operator last live-checked
+    // VIES for the buyer (if supplied via ctx). The primitive does
+    // not consume this — it's surfaced so downstream invoice
+    // rendering can show "VIES-confirmed YYYY-MM-DD".
+    vies_validated_at: typeof ctx.vies_validated_at === "string" ? ctx.vies_validated_at : null,
+  };
+}
+
+/**
+ * Render a `rate_bps` value as a human-readable percentage string,
+ * locale-aware via `Intl.NumberFormat`. Returns:
+ *
+ *   format({ rate_bps: 2000 })                     -> "20.0%"
+ *   format({ rate_bps: 550 })                      -> "5.5%"
+ *   format({ rate_bps: 0, reverse_charge: true })  -> "0% (reverse charge)"
+ *   format({ rate_bps: 2000, locale: "de-DE" })    -> "20,0 %"
+ *   format({ rate_bps: 2000, locale: "fr-FR" })    -> "20,0 %" (or NBSP variant)
+ *
+ * Locale defaults to `"en-US"`. The `reverse_charge` annotation is
+ * intentionally English-only in v1 — operator-facing accounting
+ * strings ship in English on every storefront the framework
+ * currently supports; localising the bracketed phrase lands when
+ * the storefront primitive grows a translation surface.
+ */
+function format(args) {
+  if (!args || typeof args !== "object") throw new TypeError("tax.format: args object required");
+  _bps(args.rate_bps);
+  if (args.locale !== undefined && args.locale !== null) {
+    if (typeof args.locale !== "string" || args.locale.length === 0) {
+      throw new TypeError("tax.format: locale must be a non-empty BCP 47 string");
+    }
+  }
+  var locale = args.locale || "en-US";
+  var nf;
+  try {
+    nf = new Intl.NumberFormat(locale, {
+      style:                 "percent",
+      minimumFractionDigits: 1,
+      maximumFractionDigits: 2,
+    });
+  } catch (_e) {
+    throw new TypeError("tax.format: locale " + JSON.stringify(locale) + " rejected by Intl.NumberFormat");
+  }
+  // Intl percent formatter expects a decimal fraction (0.2 → "20%").
+  var rendered = nf.format(args.rate_bps / 10000);
+  // Strip a redundant ".0" / ",0" when the rate is a whole percent
+  // AND not the zero rate — "20.0%" reads naturally; "0.0%" reads
+  // as a precision claim we don't intend. For 0% with the reverse-
+  // charge flag we always render "0%" to keep the annotation
+  // grammatical.
+  if (args.reverse_charge === true && args.rate_bps === 0) {
+    // Intl renders 0 as "0%" already in en-US but as "0 %" in de/fr;
+    // we want a stable shape with the annotation.
+    var zero = new Intl.NumberFormat(locale, {
+      style:                 "percent",
+      minimumFractionDigits: 0,
+      maximumFractionDigits: 0,
+    }).format(0);
+    return zero + " (reverse charge)";
+  }
+  return rendered;
+}
+
 module.exports = {
-  create:        create,
-  operatorTable: operatorTable,
-  MAX_BPS:       MAX_BPS,
+  create:              create,
+  operatorTable:       operatorTable,
+  MAX_BPS:             MAX_BPS,
+  calculateInclusive:  calculateInclusive,
+  calculateExclusive:  calculateExclusive,
+  validateVatId:       validateVatId,
+  applyReverseCharge:  applyReverseCharge,
+  format:              format,
+  VAT_FORMATS:         VAT_FORMATS,
+  EU_COUNTRY_CODES:    EU_COUNTRY_CODES,
 };

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.3",
-      "tag": "v0.12.3",
+      "version": "0.12.4",
+      "tag": "v0.12.4",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.4 (2026-05-22) — **`SECURITY.md` Watch list — remove stale "framework doesn't ship CMS / S/MIME" entry.** The Watch list bullet claiming `framework does not ship a CMS / S/MIME / PKCS#7 surface today` has been wrong since v0.10.13 — `b.cms.encodeSignedData` / `decode` / `encodeEnvelopedData` / `parseSignedData` shipped then, and `b.mail.crypto.smime.sign` / `verify` / `verifyAll` / `checkCert` shipped under the mail-stack. The Watch list is for CVE classes the framework deliberately doesn't ship a primitive for; CMS no longer fits that shape. Entry removed. **Fixed:** *Watch list no longer claims CMS / S/MIME are unshipped* — `b.cms` exposes RFC 5652 ContentInfo / SignedData / EnvelopedData encode + decode with PQC signer support (ML-DSA-65 per RFC 9909 §5, ML-DSA-87 per RFC 9909 §6, SLH-DSA-SHAKE-256f per RFC 9881). `b.mail.crypto.smime` builds on it for RFC 8551 S/MIME signed + enveloped mail with `checkCert` for X.509 chain validation. The SECURITY.md Watch list entry that pointed operators to external CMS libraries is gone; operators on regulated mail interop reach for the in-framework primitives instead.
+
 - v0.12.3 (2026-05-22) — **README "What ships in the box" backfill — mail-stack listeners + JSCalendar + new postures.** The README's "Communication" + "Compliance regimes" bullets lagged behind the v0.11.24-v0.12.1 ship cadence. Backfilled: `b.mail.send.deliver` (turnkey outbound delivery chain), the four mail-server listeners (mx / submission / imap / jmap), the JMAP EmailSubmission/set reference handler, mail-crypto (CMS + PGP+WKD), the mail-stack agent, `b.calendar` (RFC 8984 JSCalendar substrate with full BY*+BYSETPOS+multi-rule expansion), and the 16 newly-promoted postures from v0.12.1 (`42-cfr-part-2` / `hti-1` / `uscdi-v4` / `irs-1075` / `nist-800-172-r3` / `tlp-2.0` / `soci-au` / `ffiec-cat-2` / `cri-profile-v2.0` / `m-22-09` / `m-22-18` / `nist-800-53-r5-privacy` / `nist-ai-600-1-genai` / `nist-csf-2.0` / `sb-53` / `nyc-ll144-2024`). **Changed:** *Communication section names every mail-stack listener + delivery chain + crypto primitive* — New entries: `b.mail.send.deliver` (MX → MTA-STS → DANE → REQUIRETLS → SMTP → DSN chain), four `b.mail.server.*` listeners, JMAP EmailSubmission reference handler, `b.mail.crypto.cms` + `b.mail.crypto.pgp`, `b.mail.agent` + `b.mailStore`, and `b.calendar` (JSCalendar / iCalendar bridge for JMAP Calendars interop). · *Compliance regimes section lists the 16 v0.12.1 backfilled postures* — New rows organise the additions under three sub-bullets: AI governance adds `nyc-ll144-2024` / `sb-53` / `nist-ai-rmf-1.0` / `nist-ai-600-1-genai` alongside the existing AI-act / NYC-LL144 / Colorado / Illinois entries; a new "Federal / sectoral" row covers `42-cfr-part-2` / `hti-1` / `uscdi-v4` / `irs-1075` / `nist-csf-2.0` / `nist-800-53-r5-privacy` / `nist-800-172-r3` / `m-22-09` / `m-22-18` / `ffiec-cat-2` / `cri-profile-v2.0`; a new "Critical infrastructure / info-sharing" row covers `soci-au` / `tlp-2.0`.
 
 - v0.12.2 (2026-05-22) — **Release-process docs point at `scripts/release.js` (the orchestrator shipped in v0.12.0).** `CONTRIBUTING.md` (maintainer section) and `examples/wiki/DEPLOY.md` ("Tag-driven releases") described the old multi-step manual release flow — version bump → commit → push → tag → push tag — without mentioning the v0.12.0 orchestrator. Both docs now point at `node scripts/release.js` as the canonical release mechanism, list the eight idempotent subcommands, and call out the two pre-requisites the script enforces (release-notes JSON + signed-commit config). **Added:** *`scripts/release.js regen` — re-run artifact regeneration mid-flow* — Edits to `release-notes/v<next>.json` after `prepare` (e.g. addressing a Codex finding, fixing a leak-vocabulary refusal) previously required running `node scripts/generate-changelog-entry.js --rebuild` + `scripts/refresh-api-snapshot.js` + `scripts/check-api-snapshot.js` + `scripts/check-changelog-extract.js` manually. The new `regen` subcommand wraps all four into a single idempotent step. Safe to run any time from any branch. The `prepare` phase calls the same shared helper internally so behaviour stays consistent. **Changed:** *`CONTRIBUTING.md` maintainer section names the orchestrator* — The release-process bullet now reads `node scripts/release.js — eight idempotent subcommands (prepare → smoke → commit → push → watch → merge → tag → publish) plus all for a one-shot`. The existing DEPLOY.md link stays as a pointer for the wiki-container side of the same flow. · *`examples/wiki/DEPLOY.md` Tag-driven releases section rewritten* — Replaces the four-bullet manual flow with the orchestrator surface, including the `all` / `all --minor` one-shot, the per-phase subcommands, and the pre-requisites the script enforces (release-notes JSON present, SSH signing config in place). The downstream wiki-image deploy step on the host (pin `docker-compose.prod.yml` + `docker compose pull && up -d`) is unchanged. **Fixed:** *`scripts/release.js` signature verification uses `git verify-commit` as the canonical truth* — The v0.12.0 orchestrator's commit-signature gate parsed `git log -1 --pretty=%h %G? %GS` looking for `G` in the second column. On some platforms the `%G?` format token's `?` character can be eaten by argument resolution, returning empty stdout even when the signature is Good. The fix runs `git verify-commit HEAD` (whose exit code is the canonical signal `required_signatures` GH ruleset enforces) as the primary check; the `%G?` parse stays as a human-readable confirmation but no longer gates the script. Surfaced via dogfooding the orchestrator on this very release. · *`scripts/release.js` Docker bind-mount path handles Windows host paths with spaces* — The `push` phase's gitleaks step bind-mounted the repo root via `-v <path>:/repo`. The previous path transform produced `/C:/Users/...` on Windows, which Docker's `-v src:dst[:mode]` parser interpreted as having three colon-separated fields. Fix: transform `C:\Users\...` to `//c/Users/...` (lowercased drive letter, double-slash prefix — matches Git Bash's `$(pwd)` form Docker Desktop accepts). POSIX hosts pass through unchanged. Operators with Windows paths containing spaces, parentheses, or special characters can now run `node scripts/release.js push` without manual mount fiddling.

package/lib/vendor/blamejs/SECURITY.md

@@ -412,7 +412,6 @@ CVE classes the framework tracks but does not currently ship a primitive for —
 - **AdonisJS multipart-filename → arbitrary-write class** — the framework's `b.fileUpload` routes every multipart filename through `b.guardFilename.gate({ profile: "strict" })` by default (path traversal / null-byte / NTFS ADS / UNC / overlong UTF-8 / Windows reserved names / RTLO bidi). Operators implementing a parallel multipart receiver outside the framework's primitive must wire the same gate.
 - **fs.realpath symlink-chain Permission Model bypass class** — see "Operator territory" entry above; the framework's symlink defenses live at the application layer (`b.vault` PEM-file read-side + `b.staticServe` realpath gate); operators using Node's experimental Permission Model add it as defense-in-depth, never as the primary symlink-resolution boundary.
 - **QUIC / HTTP/3 outbound (RFC 9000 / RFC 9001)** — the framework's `b.httpClient` is HTTP/1.1 + HTTP/2 only. QUIC + HTTP/3 are deferred-with-condition: re-open when Node's `--experimental-quic` flag graduates to stable and `node:http3` ships. Until then, operators wanting outbound h3 wire their own client outside the framework (see `lib/http-client.js` header note on the future `kind: "h3"` transport shape). The framework's TLS 1.3 + h2 anti-amplification + flow-control caps remain in force on every other transport. Inbound h3 is similarly deferred; operators terminating h3 at the edge route h2 / h1 to the framework's `b.router`.
-- **CMS (RFC 5083 / RFC 5652) + SHAKE-in-CMS (RFC 8702)** — the framework does not ship a CMS / S/MIME / PKCS#7 surface today. Operators integrating S/MIME-encoded mail or PKCS#7-signed payloads route through a separately-firewalled CMS library and pin the SHAKE-256 / SHA3-512 hash identifiers from RFC 8702 §3 / §4 when they set the signing algorithm. CMS support is deferred-with-condition: re-open when operator demand surfaces for S/MIME-encoded mail receivers OR when a regulatory regime mandates CMS-shaped envelope formats. The framework's existing `b.crypto` envelope (XChaCha20-Poly1305 + ML-KEM-1024 + SLH-DSA) covers the at-rest + in-transit shapes operators need today without the CMS legacy surface.
 
 ---
 

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.3",
-  "createdAt": "2026-05-22T21:50:06.665Z",
+  "frameworkVersion": "0.12.4",
+  "createdAt": "2026-05-22T23:12:46.997Z",
   "exports": {
     "a2a": {
       "type": "object",

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.3",
+  "version": "0.12.4",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.4.json

@@ -0,0 +1,19 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.4",
+  "date": "2026-05-22",
+  "headline": "`SECURITY.md` Watch list — remove stale \"framework doesn't ship CMS / S/MIME\" entry",
+  "summary": "The Watch list bullet claiming `framework does not ship a CMS / S/MIME / PKCS#7 surface today` has been wrong since v0.10.13 — `b.cms.encodeSignedData` / `decode` / `encodeEnvelopedData` / `parseSignedData` shipped then, and `b.mail.crypto.smime.sign` / `verify` / `verifyAll` / `checkCert` shipped under the mail-stack. The Watch list is for CVE classes the framework deliberately doesn't ship a primitive for; CMS no longer fits that shape. Entry removed.",
+  "sections": [
+    {
+      "heading": "Fixed",
+      "items": [
+        {
+          "title": "Watch list no longer claims CMS / S/MIME are unshipped",
+          "body": "`b.cms` exposes RFC 5652 ContentInfo / SignedData / EnvelopedData encode + decode with PQC signer support (ML-DSA-65 per RFC 9909 §5, ML-DSA-87 per RFC 9909 §6, SLH-DSA-SHAKE-256f per RFC 9881). `b.mail.crypto.smime` builds on it for RFC 8551 S/MIME signed + enveloped mail with `checkCert` for X.509 chain validation. The SECURITY.md Watch list entry that pointed operators to external CMS libraries is gone; operators on regulated mail interop reach for the in-framework primitives instead."
+        }
+      ]
+    }
+  ],
+  "references": []
+}