@blamejs/blamejs-shop 0.0.66 → 0.0.72

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.4",
-      "tag": "v0.12.4",
+      "version": "0.12.5",
+      "tag": "v0.12.5",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.5 (2026-05-22) — **`b.metrics` content-negotiates OpenMetrics 1.0 + auto-attaches trace exemplars on request histograms.** The `/metrics` scrape endpoint now serves `application/openmetrics-text; version=1.0.0; charset=utf-8` when the scraper requests it via the `Accept` header (Prometheus 2.x strict mode, OpenObservability tooling). Legacy scrapers still get `text/plain; version=0.0.4` — no operator with the default Prometheus client sees a content-type change. Separately, the framework's request-duration histogram middleware now auto-attaches the active sampled trace's `trace_id` + `span_id` as the OpenMetrics §6.2 exemplar on every bucket sample, so Grafana / Tempo / Jaeger scrapers can pivot from a slow-bucket histogram to the exact trace that produced the sample. The wiring is composition-only — `b.middleware.tracePropagate` populates `req.trace.{traceId,parentId,sampled}`, the metrics middleware reads it, no operator opt-in needed. **Added:** *`Accept` content-negotiation on `b.metrics.expositionHandler()`* — When the scraper's `Accept` header includes `application/openmetrics-text`, the handler renders the OpenMetrics 1.0 wire format (`# UNIT` lines, `_total` suffix on counters, `# EOF` terminator, exemplar shape) and serves `application/openmetrics-text; version=1.0.0; charset=utf-8`. Otherwise serves Prometheus 0.0.4 `text/plain` as before. Operators relying on the legacy Prometheus content-type see no change. · *Auto-attached trace exemplars on request-duration histograms* — When `b.middleware.spanHttpServer` populates `req.span.{traceId, spanId, sampled}` on the inbound request and the span is sampled, the framework's built-in `requestDuration` histogram middleware attaches `{ labels: { trace_id, span_id }, value: <duration>, timestamp: <unix-sec> }` as the OpenMetrics §6.2 exemplar on the corresponding bucket. The exemplar's `span_id` is the server-handling span, not the upstream `traceparent`'s parent-id, so the metric-to-trace pivot in Grafana / Tempo / Jaeger lands on the work the metric measured. Operators wiring `tracePropagate` without `spanHttpServer` fall back to `req.trace.spanId` when populated; the framework never invents a span_id from the upstream parent. **Fixed:** *Accept-header weighted negotiation (Codex P1)* — The first pass treated any `Accept` header containing `application/openmetrics-text` as an unconditional OpenMetrics request — clients sending `Accept: text/plain;q=1.0, application/openmetrics-text;q=0.5` got OpenMetrics back instead of their preferred Prometheus 0.0.4. Fix: parse Accept via `b.requestHelpers.parseQualityList` and compare q-values for `application/openmetrics-text` vs `text/plain` (wildcards `*/*`, `application/*`, `text/*` honored). Defaults to Prometheus when both q-values are equal or zero (backward compatibility with the legacy default content-type). · *Exemplar span_id sources the active server span, not the upstream parent (Codex P2)* — The first pass used `req.trace.parentId` for the exemplar's `span_id` label — but `parentId` is the upstream caller's span (or empty for root requests), not the server-handling span. Fix: prefer `req.span.spanId` (set by `b.middleware.spanHttpServer`), falling back to `req.trace.spanId` for operators wiring `tracePropagate` without `spanHttpServer`. Never synthesises a span_id from `parentId`. **References:** [OpenMetrics 1.0 §1.2 (content negotiation)](https://prometheus.io/docs/specs/om/open_metrics_spec/) · [OpenMetrics 1.0 §6.2 (exemplars)](https://prometheus.io/docs/specs/om/open_metrics_spec/) · [W3C Trace Context (traceparent header)](https://www.w3.org/TR/trace-context/)
+
 - v0.12.4 (2026-05-22) — **`SECURITY.md` Watch list — remove stale "framework doesn't ship CMS / S/MIME" entry.** The Watch list bullet claiming `framework does not ship a CMS / S/MIME / PKCS#7 surface today` has been wrong since v0.10.13 — `b.cms.encodeSignedData` / `decode` / `encodeEnvelopedData` / `parseSignedData` shipped then, and `b.mail.crypto.smime.sign` / `verify` / `verifyAll` / `checkCert` shipped under the mail-stack. The Watch list is for CVE classes the framework deliberately doesn't ship a primitive for; CMS no longer fits that shape. Entry removed. **Fixed:** *Watch list no longer claims CMS / S/MIME are unshipped* — `b.cms` exposes RFC 5652 ContentInfo / SignedData / EnvelopedData encode + decode with PQC signer support (ML-DSA-65 per RFC 9909 §5, ML-DSA-87 per RFC 9909 §6, SLH-DSA-SHAKE-256f per RFC 9881). `b.mail.crypto.smime` builds on it for RFC 8551 S/MIME signed + enveloped mail with `checkCert` for X.509 chain validation. The SECURITY.md Watch list entry that pointed operators to external CMS libraries is gone; operators on regulated mail interop reach for the in-framework primitives instead.
 
 - v0.12.3 (2026-05-22) — **README "What ships in the box" backfill — mail-stack listeners + JSCalendar + new postures.** The README's "Communication" + "Compliance regimes" bullets lagged behind the v0.11.24-v0.12.1 ship cadence. Backfilled: `b.mail.send.deliver` (turnkey outbound delivery chain), the four mail-server listeners (mx / submission / imap / jmap), the JMAP EmailSubmission/set reference handler, mail-crypto (CMS + PGP+WKD), the mail-stack agent, `b.calendar` (RFC 8984 JSCalendar substrate with full BY*+BYSETPOS+multi-rule expansion), and the 16 newly-promoted postures from v0.12.1 (`42-cfr-part-2` / `hti-1` / `uscdi-v4` / `irs-1075` / `nist-800-172-r3` / `tlp-2.0` / `soci-au` / `ffiec-cat-2` / `cri-profile-v2.0` / `m-22-09` / `m-22-18` / `nist-800-53-r5-privacy` / `nist-ai-600-1-genai` / `nist-csf-2.0` / `sb-53` / `nyc-ll144-2024`). **Changed:** *Communication section names every mail-stack listener + delivery chain + crypto primitive* — New entries: `b.mail.send.deliver` (MX → MTA-STS → DANE → REQUIRETLS → SMTP → DSN chain), four `b.mail.server.*` listeners, JMAP EmailSubmission reference handler, `b.mail.crypto.cms` + `b.mail.crypto.pgp`, `b.mail.agent` + `b.mailStore`, and `b.calendar` (JSCalendar / iCalendar bridge for JMAP Calendars interop). · *Compliance regimes section lists the 16 v0.12.1 backfilled postures* — New rows organise the additions under three sub-bullets: AI governance adds `nyc-ll144-2024` / `sb-53` / `nist-ai-rmf-1.0` / `nist-ai-600-1-genai` alongside the existing AI-act / NYC-LL144 / Colorado / Illinois entries; a new "Federal / sectoral" row covers `42-cfr-part-2` / `hti-1` / `uscdi-v4` / `irs-1075` / `nist-csf-2.0` / `nist-800-53-r5-privacy` / `nist-800-172-r3` / `m-22-09` / `m-22-18` / `ffiec-cat-2` / `cri-profile-v2.0`; a new "Critical infrastructure / info-sharing" row covers `soci-au` / `tlp-2.0`.

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.4",
-  "createdAt": "2026-05-22T23:12:46.997Z",
+  "frameworkVersion": "0.12.5",
+  "createdAt": "2026-05-23T01:16:54.749Z",
   "exports": {
     "a2a": {
       "type": "object",

package/lib/vendor/blamejs/lib/metrics.js

@@ -45,7 +45,8 @@ var safeJson = require("./safe-json");
 var { defineClass } = require("./framework-error");
 var { boot } = require("./log");
 var numericBounds = require("./numeric-bounds");
-var { resolveRoute, captureResponseStatus, HTTP_STATUS } = require("./request-helpers");
+var requestHelpers = require("./request-helpers");
+var { resolveRoute, captureResponseStatus, HTTP_STATUS } = requestHelpers;
 var validateOpts = require("./validate-opts");
 
 var MetricsError = defineClass("MetricsError", { alwaysPermanent: true });
@@ -635,9 +636,42 @@ function create(opts) {
 
   function expositionHandler() {
     return function metricsHandler(req, res) {
-      var body = exposition();
+      // OpenMetrics §1.2 content-negotiation. Operators with
+      // OpenMetrics-strict scrapers (Prometheus 2.x with strict mode,
+      // OpenObservability tooling) send
+      // `Accept: application/openmetrics-text; version=1.0.0`. The
+      // handler returns the OpenMetrics-1.0 wire format when that
+      // media type has the highest q-value among supported types;
+      // defaults to Prometheus 0.0.4 otherwise. Codex P1 v0.12.5 —
+      // honor RFC 9110 §12.5.1 weighted negotiation: a client that
+      // sends `Accept: text/plain;q=1.0, application/openmetrics-
+      // text;q=0.5` (or `;q=0`) gets text/plain back, even though
+      // both media types are supported.
+      var acceptHeader = req && req.headers ? String(req.headers.accept || "") : "";
+      var entries = requestHelpers.parseQualityList(acceptHeader);
+      var openMetricsQ = 0;
+      var prometheusQ = 0;
+      var sawAccept = entries.length > 0;
+      for (var i = 0; i < entries.length; i += 1) {
+        var v = entries[i].value;
+        var q = entries[i].q;
+        if (v === "application/openmetrics-text" || v === "*/*" || v === "application/*") {
+          if (q > openMetricsQ) openMetricsQ = q;
+        }
+        if (v === "text/plain" || v === "*/*" || v === "text/*") {
+          if (q > prometheusQ) prometheusQ = q;
+        }
+      }
+      // Default Prometheus when client sent no Accept header or both
+      // q-values are zero. Tie-break favours Prometheus for
+      // backward-compatibility with legacy scrapers.
+      var wantOpenMetrics = sawAccept && openMetricsQ > prometheusQ && openMetricsQ > 0;
+      var body = exposition(wantOpenMetrics ? { format: "openmetrics" } : undefined);
+      var contentType = wantOpenMetrics
+        ? "application/openmetrics-text; version=1.0.0; charset=utf-8"
+        : "text/plain; version=0.0.4; charset=utf-8";
       res.writeHead(HTTP_STATUS.OK, {
-        "Content-Type":   "text/plain; version=0.0.4; charset=utf-8",
+        "Content-Type":   contentType,
         "Content-Length": Buffer.byteLength(body),
         "Cache-Control":  "no-store",
       });
@@ -679,7 +713,37 @@ function create(opts) {
         // the rest of the framework's diagnostics.
         try { requestsTotal.inc(labels); }
         catch (e) { log.warn("metrics/request-counter-failed: " + e.message); }
-        try { requestDuration.observe(durLabels, elapsedSec); }
+        // OpenMetrics §6.2 — when a sampled trace context is active
+        // on the request, attach the trace + active SERVER-span id
+        // as the histogram bucket's exemplar so downstream scrapers
+        // (Prometheus 2.x, Grafana exemplar-renderer) can pivot
+        // from a slow-request bucket to the trace that produced it.
+        //
+        // Codex P2 v0.12.5 — the span_id MUST be the server-handling
+        // span (created by b.middleware.spanHttpServer + stamped on
+        // req.span), not the upstream `traceparent`'s parent-id.
+        // The parent-id points at the CALLER's span (or nothing for
+        // root requests); using it would mis-pivot the exemplar.
+        var exemplar = null;
+        if (req.span && req.span.traceId && req.span.spanId && req.span.sampled !== false) {
+          exemplar = {
+            labels:    { trace_id: req.span.traceId, span_id: req.span.spanId },
+            value:     elapsedSec,
+            timestamp: Date.now() / 1000,                                         // allow:raw-time-literal — OpenMetrics §6.2 unix epoch seconds with subsecond fraction
+          };
+        } else if (req.trace && req.trace.sampled && req.trace.traceId && req.trace.spanId) {
+          // Operators wiring traceparent directly without
+          // spanHttpServer surface the inbound span as
+          // req.trace.spanId. Fall back to it; refuse to invent a
+          // span_id from parentId since that points at the upstream
+          // caller, not the work the metric measures.
+          exemplar = {
+            labels:    { trace_id: req.trace.traceId, span_id: req.trace.spanId },
+            value:     elapsedSec,
+            timestamp: Date.now() / 1000,                                         // allow:raw-time-literal — OpenMetrics §6.2 unix epoch seconds with subsecond fraction
+          };
+        }
+        try { requestDuration.observe(durLabels, elapsedSec, exemplar); }
         catch (e) { log.warn("metrics/request-duration-failed: " + e.message); }
       });
       return next();

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.4",
+  "version": "0.12.5",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.5.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.5",
+  "date": "2026-05-22",
+  "headline": "`b.metrics` content-negotiates OpenMetrics 1.0 + auto-attaches trace exemplars on request histograms",
+  "summary": "The `/metrics` scrape endpoint now serves `application/openmetrics-text; version=1.0.0; charset=utf-8` when the scraper requests it via the `Accept` header (Prometheus 2.x strict mode, OpenObservability tooling). Legacy scrapers still get `text/plain; version=0.0.4` — no operator with the default Prometheus client sees a content-type change. Separately, the framework's request-duration histogram middleware now auto-attaches the active sampled trace's `trace_id` + `span_id` as the OpenMetrics §6.2 exemplar on every bucket sample, so Grafana / Tempo / Jaeger scrapers can pivot from a slow-bucket histogram to the exact trace that produced the sample. The wiring is composition-only — `b.middleware.tracePropagate` populates `req.trace.{traceId,parentId,sampled}`, the metrics middleware reads it, no operator opt-in needed.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`Accept` content-negotiation on `b.metrics.expositionHandler()`",
+          "body": "When the scraper's `Accept` header includes `application/openmetrics-text`, the handler renders the OpenMetrics 1.0 wire format (`# UNIT` lines, `_total` suffix on counters, `# EOF` terminator, exemplar shape) and serves `application/openmetrics-text; version=1.0.0; charset=utf-8`. Otherwise serves Prometheus 0.0.4 `text/plain` as before. Operators relying on the legacy Prometheus content-type see no change."
+        },
+        {
+          "title": "Auto-attached trace exemplars on request-duration histograms",
+          "body": "When `b.middleware.spanHttpServer` populates `req.span.{traceId, spanId, sampled}` on the inbound request and the span is sampled, the framework's built-in `requestDuration` histogram middleware attaches `{ labels: { trace_id, span_id }, value: <duration>, timestamp: <unix-sec> }` as the OpenMetrics §6.2 exemplar on the corresponding bucket. The exemplar's `span_id` is the server-handling span, not the upstream `traceparent`'s parent-id, so the metric-to-trace pivot in Grafana / Tempo / Jaeger lands on the work the metric measured. Operators wiring `tracePropagate` without `spanHttpServer` fall back to `req.trace.spanId` when populated; the framework never invents a span_id from the upstream parent."
+        }
+      ]
+    },
+    {
+      "heading": "Fixed",
+      "items": [
+        {
+          "title": "Accept-header weighted negotiation (Codex P1)",
+          "body": "The first pass treated any `Accept` header containing `application/openmetrics-text` as an unconditional OpenMetrics request — clients sending `Accept: text/plain;q=1.0, application/openmetrics-text;q=0.5` got OpenMetrics back instead of their preferred Prometheus 0.0.4. Fix: parse Accept via `b.requestHelpers.parseQualityList` and compare q-values for `application/openmetrics-text` vs `text/plain` (wildcards `*/*`, `application/*`, `text/*` honored). Defaults to Prometheus when both q-values are equal or zero (backward compatibility with the legacy default content-type)."
+        },
+        {
+          "title": "Exemplar span_id sources the active server span, not the upstream parent (Codex P2)",
+          "body": "The first pass used `req.trace.parentId` for the exemplar's `span_id` label — but `parentId` is the upstream caller's span (or empty for root requests), not the server-handling span. Fix: prefer `req.span.spanId` (set by `b.middleware.spanHttpServer`), falling back to `req.trace.spanId` for operators wiring `tracePropagate` without `spanHttpServer`. Never synthesises a span_id from `parentId`."
+        }
+      ]
+    }
+  ],
+  "references": [
+    { "label": "OpenMetrics 1.0 §1.2 (content negotiation)",  "url": "https://prometheus.io/docs/specs/om/open_metrics_spec/" },
+    { "label": "OpenMetrics 1.0 §6.2 (exemplars)",            "url": "https://prometheus.io/docs/specs/om/open_metrics_spec/" },
+    { "label": "W3C Trace Context (traceparent header)",      "url": "https://www.w3.org/TR/trace-context/" }
+  ]
+}