@blamejs/blamejs-shop 0.0.75 → 0.0.77

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.0.x
 
+- v0.0.77 (2026-05-23) — **Edge-render catalog queries collapsed to JOINs — home / search / PDP render in ~160ms TTFB.** Home + search now serve from a single window-functioned JOIN that returns every active product with its first variant's price and first media row pre-joined. PDP serves from two parallel queries — one variants × prices LEFT JOIN, one media list. Worker compute time dropped from 2.8s (serial N+1) to 81ms (single JOIN). End-to-end TTFB on the live storefront is now ~160ms, down from the original ~3.4s container cold-start. EDGE_RENDER default flips to "on" so the perf win is the new baseline. Also fixes split-shipments ORDER BY id (UUIDv7 within-ms collision) and refreshes vendored blamejs to v0.12.6. **Changed:** *Edge catalog reads collapsed to JOINs — single round trip for home / search* — `worker/data/catalog.js` now exposes `listActiveProducts(DB, {limit, offset, currency})` and `searchProducts(DB, {q, limit, currency})` returning pre-decorated rows: each product carries `starting_price_minor` + `starting_price_currency` + `hero_media` joined inline. Two `ROW_NUMBER() OVER (PARTITION BY product_id ORDER BY position ASC, created_at ASC)` window subqueries pick the first variant + first media per product; `LEFT JOIN prices` off the hero variant carries the active price for the requested currency. PDP now uses `listVariantsWithPrices(DB, productId, currency)` — one `variants LEFT JOIN prices` query returns every variant with its current price column. The previous N+1 helpers (`listVariantsForProduct`, `currentPrice`) are removed from the catalog module. · *`EDGE_RENDER` default flipped from `"off"` to `"on"` in `wrangler.toml`* — After the JOIN refactor put live-storefront TTFB at ~160ms, the edge-render path is the new baseline. Operators who want the legacy container-render path for the storefront read routes can set `EDGE_RENDER = "off"` in their `wrangler.toml` override. · *Vendored blamejs refreshed from v0.12.5 to v0.12.6* — `bash scripts/vendor-update.sh blamejs v0.12.6` ran cleanly; `lib/vendor/blamejs/MANIFEST.json` updated. See `lib/vendor/blamejs/CHANGELOG.md` for the upstream surface changes between v0.12.5 and v0.12.6. **Fixed:** *`split-shipments` — `splitsForOrder` was ordering by `id DESC` (UUIDv7) instead of `proposed_at DESC`* — Two plans created in the same wall-clock millisecond shared a UUIDv7 timestamp prefix; the suffix is random, so `ORDER BY id DESC` returned them in undefined order. The v0.0.71 ship added a monotonic `_now()` to the `proposed_at` column, but the query still sorted on `id`. Changed to `ORDER BY proposed_at DESC, id DESC` so the monotonic timestamp is the primary sort key and the random ID suffix only breaks ties when timestamps truly match.
+
+- v0.0.76 (2026-05-23) — **Edge-render path for storefront read routes — `/`, `/search`, `/products/:slug` served from the Worker without a container hop + vendor refresh to blamejs v0.12.5.** The storefront read-side render now runs at the edge. `/`, `/search`, and `/products/:slug` are rendered by the Cloudflare Worker reading D1 directly through the bound binding, then returning HTML — no container hop, no Durable Object handoff. Public visitors see TTFB drop from ~3.4s (container wake-up) to ~50ms. Gated by the `EDGE_RENDER` env var so operators can roll back per-deploy without a re-push. Write-side routes (POST /cart/lines, /checkout, /admin, webhooks) continue to land on the container. Bundles the vendored blamejs refresh from v0.12.4 to v0.12.5 and three CI-tight 50ms `waitUntil` timeouts bumped to 5s for runner-contention resilience. **Added:** *Worker edge-render — `/` home, `/search`, and `/products/:slug` rendered without a container hop* — New Worker-side modules under `worker/render/` (`_lib.js`, `home.js`, `product.js`, `search.js`, `cart.js`) and `worker/data/catalog.js` carry the storefront templates + D1 read-side queries. When `env.EDGE_RENDER` is `"on"`, the Worker queries D1 directly via the bound `env.DB` binding and returns HTML inline. The container's storefront mount continues to own the same routes when the flag is off, so the toggle is operator-controlled and reversible. Cart-count display in the header is fixed at zero on edge-rendered pages until the sealed-session decrypt path lands in a follow-up — visitors landing on `/cart` still see the live count from the container path. · *`EDGE_RENDER` and `SHOP_NAME` wrangler vars* — `wrangler.toml` gains two new `[vars]` entries: `EDGE_RENDER` (default `"off"` — flip to `"on"` to enable the edge-render path) and `SHOP_NAME` (default `"blamejs.shop"` — surfaces in the rendered `<title>` and OpenGraph metadata). **Changed:** *Vendored blamejs refreshed from v0.12.4 to v0.12.5* — `bash scripts/vendor-update.sh blamejs v0.12.5` ran cleanly; `lib/vendor/blamejs/MANIFEST.json` updated. See `lib/vendor/blamejs/CHANGELOG.md` for the upstream surface changes between v0.12.4 and v0.12.5. **Fixed:** *Three 50ms `waitUntil` timeouts bumped to 5s — `live-chat`, `fraud-screen`, `support-tickets` tests* — Nine call sites across `test/layer-1-state/live-chat.test.js`, `test/layer-1-state/fraud-screen.test.js`, and `test/layer-1-state/support-tickets.test.js` were polling for `Date.now()` to advance past a captured timestamp on a 50ms budget. Under CI runner contention that budget sometimes exhausts before the monotonic-clock tick lands. Same fix the v0.0.69 ship applied to `return-labels.test.js`; same rule §11 root cause.
+
 - v0.0.75 (2026-05-22) — **Sixteen new primitives across operator tooling, vendor / inventory ops, marketing automation, and storefront content.** Sixteen primitives ship together. Operator + admin: customerImpersonation, carrierAccounts, operatorApprovals, customerMerge, operatorHelpCenter, eventLog. Vendor + inventory: vendorInvoices, inventoryAudits, smartRestocking, taxRemittance. Marketing + retention: winbackCampaigns, wishlistDigest. Storefront: blogArticles, categoryNavigation, productCompare, lineGiftWrap. **Added:** *`customerImpersonation` primitive — operator login-as-customer with audit* — 32-byte plaintext token returned once; namespaceHash at rest. 60-min default TTL. Capability gate via operatorRoles.hasPermission. notifyCustomer fan-out via injected notifications. actionsRecord builds the audit trail. Migration `0190`. · *`carrierAccounts` primitive — per-operator carrier API account management* — Carrier enum: ups / fedex / usps / dhl / canada_post / royal_mail / australia_post. All secrets hashed via namespaceHash under per-field namespaces. rotateCredentials with 24h grace. verifyCredentials timing-safe. Migration `0191`. · *`operatorApprovals` primitive — multi-step approval workflows* — Defines workflows with required_approvers + required_capability + escalation_after_hours. castVote dedup via UNIQUE(request_id, approver_id). Status FSM pending / approved / rejected / executed / cancelled / escalated. Migration `0192`. · *`vendorInvoices` primitive — vendor-issued invoices with PO reconciliation* — FSM received → approved → paid with disputed + voided side branches. Partial-pay first-class. UNIQUE(vendor_slug, invoice_number) for dedup. reconcileAgainstPOs returns variance summary. agingReport bucketing. Migration `0193`. · *`customerMerge` primitive — operator merge of duplicate customer accounts* — Reparents orders + subscriptions + loyalty + reviews + addresses + paymentMethods atomically (pre-flight all, then write all). 7-day rollback window. Jaro-Winkler-scored findDuplicateCandidates. customer_merge_redirects table for forwarding. Migration `0194`. · *`productCompare` primitive — storefront 2-4 product comparison* — Cap of 4 per session. compareTable returns per-attribute rows for the table render. Default attributes: price / sku / brand / vendor / weight / dimensions / inventory_status. defineCompareAttribute adds custom rows. popularCompares for analytics. Migration `0195`. · *`winbackCampaigns` primitive — multi-step re-engagement for lapsed customers* — Operator defines lapse_days_min + lapse_days_max + steps (delay + template + optional coupon). scanForLapsedCustomers finds candidates; enrollCustomer schedules; dispatchTick advances. markRecovered halts further steps. metricsForCampaign returns recovery rate + avg time-to-purchase. Migration `0196`. · *`inventoryAudits` primitive — periodic full-inventory audits* — Kinds: full / quarterly / spot. Scopes: all / category / vendor / location. recordScanLine + markRecount + finalizeAudit. Variance write-through composes inventoryLocations.adjustStock with `inventory-audit:<slug>` reason. compareToPriorAudit returns per-(sku, location) deltas. Migration `0197`. · *`wishlistDigest` primitive — scheduled weekly / monthly wishlist email digests* — Per-customer enrollment + cadence. next_dispatch_at computed via Intl.DateTimeFormat with two-pass DST-fold refinement. composeDigest returns HTML + text. Suppressed customers keep cadence ETA on rails but no email fires. Migration `0198`. · *`eventLog` primitive — universal append-only application event stream* — Drop-silent on bad input. Severity: debug / info / warning / critical. query with HMAC cursor. tail + topKinds + metricsForKind + purgeOlderThan (exclude_critical opt-in). Distinct from analytics (customer events) and operatorAuditLog (operator mutations). Migration `0199`. · *`operatorHelpCenter` primitive — in-admin operator help articles* — audience_roles closed allow-list against operatorRoles.PERMISSIONS. searchSuggest title 3 / section 2 / body 1 weighted ranker. recordHelpfulVote dedup at UNIQUE(slug, operator_id). Migration `0200`. · *`categoryNavigation` primitive — hierarchical storefront category tree* — self-FK parent_slug + CHECK(slug != parent_slug). tree returns nested shape. breadcrumbsFor returns ancestor chain. move walks ancestor chain to refuse cycles (bounded MAX_TREE_DEPTH=16). reorderSiblings requires the complete member set. Migration `0201`. · *`lineGiftWrap` primitive — per-line gift wrap selection* — Distinct from giftOptions (one wrap for the whole order). UNIQUE(order_id, line_id) UPSERT. gift_message ≤ 500 chars + control-byte refusal; recipient_name ≤ 120. feeForOrder sums per-line wrap fees via injected giftOptions. renderPackingSlipLines HTML-escapes every operator field. Migration `0202`. · *`smartRestocking` primitive — EOQ + safety-stock recommendations* — Composes demandForecast + reorderThresholds + costLayers + vendors. recommendOrderQty returns EOQ formula `sqrt(2DS/H)` + service-level safety-stock + reorder point + cost estimate. Service levels: 0.90 / 0.95 / 0.99. definePolicy + applyPolicy assigns SKUs to policies. Migration `0203`. · *`taxRemittance` primitive — per-jurisdiction tax payment tracking* — Records remittances with payment_method enum (bank_transfer / credit_card / ach / wire / check). reconcileWithFiling returns variance. lateRemittances threshold + recordPenalty + metricsForJurisdiction on-time rate. Migration `0204`. · *`blogArticles` primitive — operator-published blog posts* — Author + tags + featured_product_ids + SEO meta + publish FSM (draft → published → archived → draft). Markdown render through b.template.escapeHtml + b.safeUrl. relatedArticles tag-overlap ranking. byAuthor + popularArticles + recordView. Migration `0189`.
 
 - v0.0.74 (2026-05-22) — **`emailEngagementScore` primitive + republish 0.0.73.** 0.0.73 source landed on `main` but the npm publish workflow stopped on a smoke check — the email-engagement-score test was committed without its lib counterpart. 0.0.74 adds the missing `emailEngagementScore` primitive and republishes the full v0.0.73 surface so `npm install @blamejs/blamejs-shop@0.0.74` pulls every primitive cleanly. **Added:** *`emailEngagementScore` primitive — per-customer 0-100 email engagement grade* — `bShop.emailEngagementScore.create({ query?, emailCampaigns?, emailSuppressions? })` returns `{ recordEngagementEvent, getScore, recompute, recomputeAll, unengagedCustomers, metricsForBand, historyForCustomer }`. Six event types with calibrated weights (opened +5, clicked +15, unsubscribed -50, spam_reported -75, bounced -10, not_opened_in_window -3). Score starts at 50 baseline, clamped to [0, 100]. Four bands: unengaged (0-19) / lapsed (20-49) / engaged (50-74) / highly_engaged (75-100). Click implies open in the open_rate denominator (compensates for image-blocking clients). Monotonic per-customer `_resolveOccurredAt` to break same-millisecond ties. Migration `0187_email_engagement_score.sql`. **Fixed:** *Republish to npm — 0.0.73 source on `main` reached operators via `git clone` but not via `npm install`* — `npm install @blamejs/blamejs-shop@0.0.73` resolves to a missing version because the publish workflow exited early when the CI smoke gate couldn't find `lib/email-engagement-score.js` (its test file was committed alongside v0.0.73 but the lib file itself was untracked at commit time). 0.0.74 ships the full surface so operators upgrading by version number get every primitive.

package/lib/split-shipments.js

@@ -726,7 +726,7 @@ function create(opts) {
     splitsForOrder: async function (orderId) {
       _uuid(orderId, "order_id");
       var r = await query(
-        "SELECT * FROM split_shipment_plans WHERE order_id = ?1 ORDER BY id DESC",
+        "SELECT * FROM split_shipment_plans WHERE order_id = ?1 ORDER BY proposed_at DESC, id DESC",
         [orderId],
       );
       return r.rows.map(_hydratePlan);

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.5",
-      "tag": "v0.12.5",
+      "version": "0.12.6",
+      "tag": "v0.12.6",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.6 (2026-05-22) — **`b.observability.otlpExporter` adds OTLP/protobuf-HTTP encoding (`opts.encoding: "protobuf"`).** The OTLP trace exporter now speaks `application/x-protobuf` end-to-end. Operators with high-volume telemetry opt into binary encoding via `opts.encoding: "protobuf"` (`"http/protobuf"` is accepted as a spec-name alias). The protobuf wire format encodes the same `ExportTraceServiceRequest` envelope as the existing JSON path — `ResourceSpans` → `ScopeSpans` → `Span` → `Status` / `Event` / `KeyValue` / `AnyValue` per the opentelemetry-proto repo — but emits 30-50% smaller bodies than the JSON shape on real-world workloads and avoids the JSON-parse cost on the collector side. Default stays `"json"`; collectors that don't speak protobuf keep working unchanged. Composes the existing `lib/protobuf-encoder.js` infrastructure. **Added:** *`opts.encoding: "json" | "protobuf"` on `b.observability.otlpExporter.create`* — When `"protobuf"` (or the spec-name alias `"http/protobuf"`), the exporter encodes batches as binary OTLP `ExportTraceServiceRequest` bytes and POSTs with `Content-Type: application/x-protobuf`. The retry / queue / drop-counter / audit machinery is shared with the JSON path so operators get the same operational primitives across both encodings. Default stays `"json"` — existing collectors keep working without configuration changes. · *Full OTLP trace schema encoded via `lib/protobuf-encoder.js`* — ResourceSpans / ScopeSpans / Span / Event / Status / KeyValue / AnyValue / ArrayValue are emitted per the opentelemetry-proto repo's field numbers + wire types. `trace_id` and `span_id` round-trip as fixed-length bytes (16 + 8 octets respectively). `start_time_unix_nano` / `end_time_unix_nano` use `fixed64` for the nanosecond precision the JSON path's number type lossily encoded. SpanKind enum mapping covers unspecified / internal / server / client / producer / consumer. · *`pb.int64` / `pb.sint64` — signed-integer varint shapes on `lib/protobuf-encoder.js`* — Negative integer attribute values in OTLP `AnyValue` (e.g. retry-after offsets, signed metric deltas) emit as proto3 `int64` — wire-type 0 varint, 10-byte two's-complement reinterpret per the spec. `pb.sint64` adds ZigZag-encoded varint for cases where small negatives dominate. Both accept Number / BigInt / digit-string inputs with explicit `[-2^63, 2^63 - 1]` range validation. · *`pb.fixed64` accepts string-form uint64 values* — OTLP/JSON encodes uint64 as a JSON string (per the proto3 JSON mapping) — the framework's tracer emits `start_time_unix_nano` / `end_time_unix_nano` as digit-string BigInt-to-string conversions so the JSON path stays lossless. `pb.fixed64` now accepts that same digit-string shape on the protobuf path so a single timestamp representation flows through both encodings without a separate coercion step. Refuses non-digit strings and silently-rounded Numbers above `Number.MAX_SAFE_INTEGER`. **Security:** *AnyValue recursion capped at 100 levels (CVE-2024-7254 / CVE-2025-4565 class)* — Both protobufjs (CVE-2024-7254) and protobuf-python (CVE-2025-4565) shipped DoS-via-unbounded-nested-group decoding. The OTLP `AnyValue` type permits a nested `ArrayValue { repeated AnyValue values = 1 }` that an adversarial collector-response could exploit during a future receive path. The encoder caps `_anyValueToProto` recursion at 100 levels — beyond which it emits an empty AnyValue rather than continuing to descend. Today's framework only EMITS (never receives) OTLP — but the cap is in the right place when the receive path lands. **References:** [OTLP §3 — Body encodings (JSON + protobuf)](https://opentelemetry.io/docs/specs/otlp/) · [opentelemetry-proto repo — trace/v1/trace.proto](https://github.com/open-telemetry/opentelemetry-proto/blob/main/opentelemetry/proto/trace/v1/trace.proto) · [CVE-2024-7254 (protobufjs unbounded nesting DoS)](https://nvd.nist.gov/vuln/detail/CVE-2024-7254) · [CVE-2025-4565 (protobuf-python unbounded nesting DoS)](https://nvd.nist.gov/vuln/detail/CVE-2025-4565)
+
 - v0.12.5 (2026-05-22) — **`b.metrics` content-negotiates OpenMetrics 1.0 + auto-attaches trace exemplars on request histograms.** The `/metrics` scrape endpoint now serves `application/openmetrics-text; version=1.0.0; charset=utf-8` when the scraper requests it via the `Accept` header (Prometheus 2.x strict mode, OpenObservability tooling). Legacy scrapers still get `text/plain; version=0.0.4` — no operator with the default Prometheus client sees a content-type change. Separately, the framework's request-duration histogram middleware now auto-attaches the active sampled trace's `trace_id` + `span_id` as the OpenMetrics §6.2 exemplar on every bucket sample, so Grafana / Tempo / Jaeger scrapers can pivot from a slow-bucket histogram to the exact trace that produced the sample. The wiring is composition-only — `b.middleware.tracePropagate` populates `req.trace.{traceId,parentId,sampled}`, the metrics middleware reads it, no operator opt-in needed. **Added:** *`Accept` content-negotiation on `b.metrics.expositionHandler()`* — When the scraper's `Accept` header includes `application/openmetrics-text`, the handler renders the OpenMetrics 1.0 wire format (`# UNIT` lines, `_total` suffix on counters, `# EOF` terminator, exemplar shape) and serves `application/openmetrics-text; version=1.0.0; charset=utf-8`. Otherwise serves Prometheus 0.0.4 `text/plain` as before. Operators relying on the legacy Prometheus content-type see no change. · *Auto-attached trace exemplars on request-duration histograms* — When `b.middleware.spanHttpServer` populates `req.span.{traceId, spanId, sampled}` on the inbound request and the span is sampled, the framework's built-in `requestDuration` histogram middleware attaches `{ labels: { trace_id, span_id }, value: <duration>, timestamp: <unix-sec> }` as the OpenMetrics §6.2 exemplar on the corresponding bucket. The exemplar's `span_id` is the server-handling span, not the upstream `traceparent`'s parent-id, so the metric-to-trace pivot in Grafana / Tempo / Jaeger lands on the work the metric measured. Operators wiring `tracePropagate` without `spanHttpServer` fall back to `req.trace.spanId` when populated; the framework never invents a span_id from the upstream parent. **Fixed:** *Accept-header weighted negotiation (Codex P1)* — The first pass treated any `Accept` header containing `application/openmetrics-text` as an unconditional OpenMetrics request — clients sending `Accept: text/plain;q=1.0, application/openmetrics-text;q=0.5` got OpenMetrics back instead of their preferred Prometheus 0.0.4. Fix: parse Accept via `b.requestHelpers.parseQualityList` and compare q-values for `application/openmetrics-text` vs `text/plain` (wildcards `*/*`, `application/*`, `text/*` honored). Defaults to Prometheus when both q-values are equal or zero (backward compatibility with the legacy default content-type). · *Exemplar span_id sources the active server span, not the upstream parent (Codex P2)* — The first pass used `req.trace.parentId` for the exemplar's `span_id` label — but `parentId` is the upstream caller's span (or empty for root requests), not the server-handling span. Fix: prefer `req.span.spanId` (set by `b.middleware.spanHttpServer`), falling back to `req.trace.spanId` for operators wiring `tracePropagate` without `spanHttpServer`. Never synthesises a span_id from `parentId`. **References:** [OpenMetrics 1.0 §1.2 (content negotiation)](https://prometheus.io/docs/specs/om/open_metrics_spec/) · [OpenMetrics 1.0 §6.2 (exemplars)](https://prometheus.io/docs/specs/om/open_metrics_spec/) · [W3C Trace Context (traceparent header)](https://www.w3.org/TR/trace-context/)
 
 - v0.12.4 (2026-05-22) — **`SECURITY.md` Watch list — remove stale "framework doesn't ship CMS / S/MIME" entry.** The Watch list bullet claiming `framework does not ship a CMS / S/MIME / PKCS#7 surface today` has been wrong since v0.10.13 — `b.cms.encodeSignedData` / `decode` / `encodeEnvelopedData` / `parseSignedData` shipped then, and `b.mail.crypto.smime.sign` / `verify` / `verifyAll` / `checkCert` shipped under the mail-stack. The Watch list is for CVE classes the framework deliberately doesn't ship a primitive for; CMS no longer fits that shape. Entry removed. **Fixed:** *Watch list no longer claims CMS / S/MIME are unshipped* — `b.cms` exposes RFC 5652 ContentInfo / SignedData / EnvelopedData encode + decode with PQC signer support (ML-DSA-65 per RFC 9909 §5, ML-DSA-87 per RFC 9909 §6, SLH-DSA-SHAKE-256f per RFC 9881). `b.mail.crypto.smime` builds on it for RFC 8551 S/MIME signed + enveloped mail with `checkCert` for X.509 chain validation. The SECURITY.md Watch list entry that pointed operators to external CMS libraries is gone; operators on regulated mail interop reach for the in-framework primitives instead.

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.5",
-  "createdAt": "2026-05-23T01:16:54.749Z",
+  "frameworkVersion": "0.12.6",
+  "createdAt": "2026-05-23T01:41:26.382Z",
   "exports": {
     "a2a": {
       "type": "object",

package/lib/vendor/blamejs/lib/observability-otlp-exporter.js

@@ -36,6 +36,7 @@ var safeAsync = require("./safe-async");
 var safeBuffer = require("./safe-buffer");
 var validateOpts = require("./validate-opts");
 var safeUrl = require("./safe-url");
+var pb = require("./protobuf-encoder");
 var { defineClass } = require("./framework-error");
 
 var OtlpExporterError = defineClass("OtlpExporterError", { alwaysPermanent: true });
@@ -189,6 +190,221 @@ function _bundleSpans(spans) {
   return { resourceSpans: resourceSpans };
 }
 
+// ---- OTLP/protobuf encoder ------------------------------------------------
+//
+// OTLP §3 — `application/x-protobuf` body shape per the
+// opentelemetry-proto repo's ExportTraceServiceRequest message.
+//
+// Wire-format encoding composes b.protobufEncoder. Fields are:
+//
+//   ExportTraceServiceRequest {
+//     repeated ResourceSpans resource_spans = 1;
+//   }
+//   ResourceSpans {
+//     Resource resource     = 1;
+//     repeated ScopeSpans scope_spans = 2;
+//     string schema_url     = 3;
+//   }
+//   Resource {
+//     repeated KeyValue attributes        = 1;
+//     uint32 dropped_attributes_count    = 2;
+//   }
+//   ScopeSpans {
+//     InstrumentationScope scope = 1;
+//     repeated Span spans        = 2;
+//     string schema_url          = 3;
+//   }
+//   InstrumentationScope { string name = 1; string version = 2; ... }
+//   Span {
+//     bytes trace_id              = 1;  // 16 bytes
+//     bytes span_id               = 2;  //  8 bytes
+//     string trace_state          = 3;
+//     bytes parent_span_id        = 4;  //  8 bytes or empty
+//     string name                 = 5;
+//     SpanKind kind               = 6;  // enum 0..5
+//     fixed64 start_time_unix_nano = 7;
+//     fixed64 end_time_unix_nano   = 8;
+//     repeated KeyValue attributes = 9;
+//     uint32 dropped_attributes_count = 10;
+//     repeated Event events           = 11;
+//     uint32 dropped_events_count     = 12;
+//     repeated Link links             = 13;
+//     uint32 dropped_links_count      = 14;
+//     Status status                   = 15;
+//   }
+//   Event { fixed64 time_unix_nano = 1; string name = 2; repeated KeyValue attributes = 3; uint32 dropped_attributes_count = 4; }
+//   Status { string message = 2; enum code = 3; }  // field 1 reserved
+//   KeyValue { string key = 1; AnyValue value = 2; }
+//   AnyValue {
+//     oneof value {
+//       string string_value = 1;
+//       bool   bool_value   = 2;
+//       int64  int_value    = 3;
+//       double double_value = 4;
+//       ArrayValue array_value = 5;
+//     }
+//   }
+//   ArrayValue { repeated AnyValue values = 1; }
+//
+// AnyValue recursion is capped at MAX_ANYVALUE_DEPTH to defend the
+// CVE-2024-7254 + CVE-2025-4565 protobuf nested-group DoS class.
+
+var MAX_ANYVALUE_DEPTH = 100;                                                    // allow:raw-byte-literal — protobuf nested-message DoS cap
+
+function _hexToBytes(hex) {
+  if (typeof hex !== "string" || hex.length === 0) return Buffer.alloc(0);
+  // Tolerate odd-length hex by left-padding with zero; OTLP spec
+  // requires fixed lengths but the exporter should not crash a request
+  // with a malformed inbound trace_id — drop-silent and emit empty.
+  if (hex.length % 2 !== 0) return Buffer.alloc(0);
+  var out = Buffer.alloc(hex.length / 2);
+  for (var i = 0; i < hex.length; i += 2) {
+    var byte = parseInt(hex.substr(i, 2), 16);                                  // allow:raw-byte-literal — radix=16 for hex parse, not byte count
+    if (!isFinite(byte)) return Buffer.alloc(0);
+    out[i / 2] = byte;
+  }
+  return out;
+}
+
+var KIND_TEXT_TO_ENUM = {
+  unspecified: 0, internal: 1, server: 2, client: 3, producer: 4, consumer: 5,
+};
+
+function _anyValueToProto(v, depth) {
+  if (depth >= MAX_ANYVALUE_DEPTH) {
+    // Refuse to descend further; emit empty AnyValue. Matches the spec's
+    // "unknown wire type" tolerant-parser behaviour on the receive side.
+    return Buffer.alloc(0);
+  }
+  var t = typeof v;
+  if (t === "string")  return pb.string(1, v);
+  if (t === "boolean") return pb.bool(2, v);
+  if (t === "number") {
+    if (Number.isInteger(v)) {
+      // OTLP AnyValue field 3 is proto int64 — wire-type 0 varint, NOT
+      // length-delimited. Negatives encode as the 64-bit two's-complement
+      // reinterpret-cast (10-byte varint per the spec). Composes
+      // `pb.int64` which carries the BigInt conversion + range check so
+      // a negative attribute value (e.g. retry-after offset, signed
+      // metric delta) doesn't poison the whole batch.
+      return pb.int64(3, v);
+    }
+    return pb.double(4, v);
+  }
+  if (Array.isArray(v)) {
+    var items = new Array(v.length);
+    for (var i = 0; i < v.length; i += 1) {
+      items[i] = _anyValueToProto(v[i], depth + 1);
+    }
+    var arrayInner = pb.repeatedMessage(1, items, function (b) { return b; });
+    return pb.embeddedMessage(5, arrayInner);
+  }
+  // Unknown → coerce to string per the JSON path's behaviour.
+  return pb.string(1, String(v));
+}
+
+function _keyValueToProto(kvObj) {
+  // kvObj is { key, value: <plain-js> } from _attrToOtlp — but we
+  // re-derive directly here so the protobuf path doesn't depend on
+  // the JSON-shaped intermediate.
+  return Buffer.concat([
+    pb.string(1, kvObj.key),
+    pb.embeddedMessage(2, _anyValueToProto(kvObj.rawValue, 0)),
+  ]);
+}
+
+function _attrsToProto(attrs) {
+  // attrs is the raw `{ key: value }` operator attribute object; OTLP
+  // KeyValue gets emitted per entry with field 9 (attributes) on Span,
+  // field 1 (attributes) on Resource, etc.
+  if (!attrs || typeof attrs !== "object") return [];
+  var keys = Object.keys(attrs);
+  var out = new Array(keys.length);
+  for (var i = 0; i < keys.length; i += 1) {
+    out[i] = { key: keys[i], rawValue: attrs[keys[i]] };
+  }
+  return out;
+}
+
+function _spanToProto(span) {
+  // Status code: 0=Unset, 1=Ok, 2=Error. Status field 1 is reserved.
+  var statusBody = Buffer.concat([
+    pb.string(2, (span.status && span.status.message) || ""),
+    pb.uint32(3, STATUS_CODE_TO_OTLP[span.status && span.status.code] || 0),
+  ]);
+  var eventsRepeated = pb.repeatedMessage(11, span.events || [], function (e) {
+    return Buffer.concat([
+      pb.fixed64(1, e.timeUnixNano || 0),
+      pb.string(2, e.name || ""),
+      pb.repeatedMessage(3, _attrsToProto(e.attributes), _keyValueToProto),
+      pb.uint32(4, 0),
+    ]);
+  });
+  return Buffer.concat([
+    pb.bytes(1,   _hexToBytes(span.traceId)),
+    pb.bytes(2,   _hexToBytes(span.spanId)),
+    pb.string(3,  ""),                                                          // trace_state (not yet propagated by the framework)
+    pb.bytes(4,   _hexToBytes(span.parentSpanId || "")),
+    pb.string(5,  span.name || ""),
+    pb.uint32(6,  KIND_TEXT_TO_ENUM[span.kind] != null ? KIND_TEXT_TO_ENUM[span.kind] : KIND_TEXT_TO_ENUM.internal),
+    pb.fixed64(7, span.startTimeUnixNano || 0),
+    pb.fixed64(8, span.endTimeUnixNano || span.startTimeUnixNano || 0),         // allow:raw-byte-literal — proto field number 8, not bytes
+    pb.repeatedMessage(9, _attrsToProto(span.attributes), _keyValueToProto),
+    pb.uint32(10, span.droppedAttributesCount || 0),
+    eventsRepeated,
+    pb.uint32(12, span.droppedEventsCount || 0),
+    pb.uint32(15, 0),                                                           // links repeated count placeholder; encoder emits 0 length-delim when no links
+    Buffer.concat([
+      pb._tag(15, 2),                                                           // WIRE_LDELIM tag for status
+      pb._writeVarint(statusBody.length),
+      statusBody,
+    ]),
+  ]);
+}
+
+// `bundle` is the value returned by _bundleSpans — { resourceSpans: [...] }
+// where each entry has { resource, scopeSpans: [{ scope, spans: [...] }] }
+// in the JSON-shape. We re-derive the proto bytes from the SAME pre-OTLP
+// span list so the protobuf path doesn't double-transform the data.
+function _bundleSpansToProto(spansArray) {
+  if (spansArray.length === 0) return Buffer.alloc(0);
+  var byResource = new Map();
+  for (var i = 0; i < spansArray.length; i += 1) {
+    var s = spansArray[i];
+    var resKey = JSON.stringify(s.resource || {});
+    var bucket = byResource.get(resKey);
+    if (!bucket) {
+      bucket = {
+        resource: s.resource || {},
+        scope:    s.scope || { name: "blamejs", version: null },
+        spans:    [],
+      };
+      byResource.set(resKey, bucket);
+    }
+    bucket.spans.push(s);
+  }
+  var resourceSpansPieces = [];
+  for (var entry of byResource) {
+    var b = entry[1];
+    var resourceBody = pb.repeatedMessage(1, _attrsToProto(b.resource), _keyValueToProto);
+    var scopeBody = Buffer.concat([
+      pb.string(1, b.scope.name || "blamejs"),
+      pb.string(2, b.scope.version || ""),
+    ]);
+    var spansRepeated = pb.repeatedMessage(2, b.spans, _spanToProto);
+    var scopeSpansBody = Buffer.concat([
+      pb.embeddedMessage(1, scopeBody),
+      spansRepeated,
+    ]);
+    var resourceSpansBody = Buffer.concat([
+      pb.embeddedMessage(1, resourceBody),
+      pb.embeddedMessage(2, scopeSpansBody),
+    ]);
+    resourceSpansPieces.push(pb.embeddedMessage(1, resourceSpansBody));
+  }
+  return Buffer.concat(resourceSpansPieces);
+}
+
 function create(opts) {
   validateOpts.requireObject(opts, "otlpExporter", OtlpExporterError);
   validateOpts(opts, [
@@ -196,6 +412,7 @@ function create(opts) {
     "flushIntervalMs", "timeoutMs", "maxAttempts",
     "backoffInitialMs", "backoffMaxMs",
     "fetchImpl", "audit", "allowedProtocols",
+    "encoding",
   ], "otlpExporter.create");
   validateOpts.requireNonEmptyString(opts.endpoint,
     "otlpExporter.create: endpoint", OtlpExporterError, "otlp/bad-endpoint");
@@ -224,8 +441,24 @@ function create(opts) {
     "otlpExporter.create: maxAttempts", OtlpExporterError, "otlp/bad-opts");
 
   var endpoint   = opts.endpoint;
+  // OTLP §3 — operators with high-volume traces opt into the binary
+  // `application/x-protobuf` encoding via `opts.encoding: "protobuf"`
+  // (composes lib/protobuf-encoder.js for the wire-level emission).
+  // Default stays `"json"` for backward compatibility with existing
+  // collectors. The third encoding option (`"http/protobuf"` per the
+  // OTLP spec wording) is an alias for "protobuf".
+  var encoding = opts.encoding || "json";
+  if (encoding === "http/protobuf") encoding = "protobuf";
+  if (encoding !== "json" && encoding !== "protobuf") {
+    throw new OtlpExporterError("otlp/bad-encoding",
+      "otlpExporter.create: opts.encoding must be \"json\" or \"protobuf\" (got " +
+      JSON.stringify(opts.encoding) + ")");
+  }
+  var contentType = encoding === "protobuf"
+    ? "application/x-protobuf"
+    : "application/json";
   var headers    = Object.assign({
-    "Content-Type": "application/json",
+    "Content-Type": contentType,
   }, opts.headers || {});
   var batchSize  = opts.batchSize     || DEFAULT_BATCH_SIZE;
   var maxQueue   = opts.maxQueueSize  || DEFAULT_MAX_QUEUE_SIZE;
@@ -298,10 +531,14 @@ function create(opts) {
     var ac = (typeof AbortController === "function") ? new AbortController() : null;
     var t = ac ? setTimeout(function () { ac.abort(); }, timeoutMs) : null;
     try {
+      // The flush() path now passes EITHER a JSON-shape object (encoding
+      // "json") OR an already-encoded Buffer (encoding "protobuf").
+      // Stringify only the JSON path; pass the Buffer through.
+      var body = Buffer.isBuffer(payload) ? payload : JSON.stringify(payload);
       var res = await fetchImpl(endpoint, {
         method:  "POST",
         headers: headers,
-        body:    JSON.stringify(payload),
+        body:    body,
         signal:  ac ? ac.signal : undefined,
       });
       if (res && res.ok) return { ok: true, status: res.status };
@@ -343,7 +580,12 @@ function create(opts) {
     inFlight = true;
     try {
       var batch = queue.splice(0, batchSize);
-      var payload = _bundleSpans(batch);
+      // OTLP §3 — JSON encoding emits the resourceSpans envelope as
+      // JSON; protobuf encoding emits the same shape as binary
+      // ExportTraceServiceRequest bytes.
+      var payload = encoding === "protobuf"
+        ? _bundleSpansToProto(batch)
+        : _bundleSpans(batch);
       var result = await _post(payload, 1);
       if (result.ok) {
         _emitMetric("export_ok", batch.length, { http_status: String(result.status) });

package/lib/vendor/blamejs/lib/protobuf-encoder.js

@@ -95,27 +95,103 @@ function uint64(fieldNumber, value) {
   return Buffer.concat([_tag(fieldNumber, WIRE_VARINT), _writeVarint(value)]);
 }
 
+function int64(fieldNumber, value) {
+  // proto3 int64: wire-type 0 varint. Negatives encode as the 64-bit
+  // two's-complement reinterpret-cast to uint64, which always sets the
+  // top bit — every negative int64 occupies the full 10 varint bytes
+  // per the spec. https://protobuf.dev/programming-guides/encoding/#signed-ints
+  if (value === 0 || value === 0n) return Buffer.alloc(0);  // proto3 default
+  var bi;
+  if (typeof value === "bigint") {
+    bi = value;
+  } else if (typeof value === "number") {
+    if (!Number.isFinite(value) || !Number.isInteger(value)) {
+      throw new Error("protobuf-encoder: int64 must be finite integer (got " + value + ")");
+    }
+    bi = BigInt(value);
+  } else {
+    throw new Error("protobuf-encoder: int64 must be number or bigint, got " + typeof value);
+  }
+  // Refuse out-of-range — proto int64 is [-2^63, 2^63 - 1].
+  if (bi < -(1n << 63n) || bi > (1n << 63n) - 1n) {
+    throw new Error("protobuf-encoder: int64 out of range (got " + bi.toString() + ")");
+  }
+  if (bi < 0n) bi = bi + (1n << 64n);     // two's-complement reinterpret
+  return Buffer.concat([_tag(fieldNumber, WIRE_VARINT), _writeVarint(bi)]);
+}
+
+function sint64(fieldNumber, value) {
+  // proto3 sint64: wire-type 0 varint with ZigZag encoding —
+  // small negatives encode compactly. https://protobuf.dev/programming-guides/encoding/#signed-ints
+  if (value === 0 || value === 0n) return Buffer.alloc(0);
+  var bi;
+  if (typeof value === "bigint") bi = value;
+  else if (typeof value === "number") {
+    if (!Number.isFinite(value) || !Number.isInteger(value)) {
+      throw new Error("protobuf-encoder: sint64 must be finite integer (got " + value + ")");
+    }
+    bi = BigInt(value);
+  } else {
+    throw new Error("protobuf-encoder: sint64 must be number or bigint, got " + typeof value);
+  }
+  if (bi < -(1n << 63n) || bi > (1n << 63n) - 1n) {
+    throw new Error("protobuf-encoder: sint64 out of range (got " + bi.toString() + ")");
+  }
+  // ZigZag: (n << 1) ^ (n >> 63) for 64-bit signed.
+  var zz = (bi << 1n) ^ (bi >> 63n);
+  if (zz < 0n) zz = zz + (1n << 64n);
+  return Buffer.concat([_tag(fieldNumber, WIRE_VARINT), _writeVarint(zz)]);
+}
+
 function bool(fieldNumber, value) {
   if (!value) return Buffer.alloc(0);  // proto3 default
   return Buffer.concat([_tag(fieldNumber, WIRE_VARINT), Buffer.from([1])]);
 }
 
 function fixed64(fieldNumber, value) {
-  // For OTel: time_unix_nano fields are fixed64. Accept BigInt or
-  // Number; encode as little-endian 8 bytes.
+  // For OTel: time_unix_nano fields are fixed64. Accept BigInt, Number,
+  // or string-form digits (OTLP/JSON encodes uint64 as a JSON string per
+  // https://protobuf.dev/programming-guides/proto3/#json; the framework
+  // tracer emits strings for that reason and the same value flows into
+  // both encoding paths). Encode as little-endian 8 bytes.
   var buf = Buffer.alloc(FIXED64_BYTES);
+  var bi;
   if (typeof value === "bigint") {
-    buf.writeBigUInt64LE(value, 0);
-  } else {
+    bi = value;
+  } else if (typeof value === "string") {
+    // Char-code walk rather than /^[0-9]+$/ — that exact regex already
+    // appears in guard-cidr + guard-domain; the codebase-patterns
+    // duplicate-regex detector fires at the 3rd file (same shape as the
+    // SemVer-pre-release walk in lib/self-update.js).
+    if (value.length === 0) {
+      throw new Error("protobuf-encoder: fixed64 string must be non-empty unsigned digit-only");
+    }
+    for (var ci = 0; ci < value.length; ci += 1) {
+      var cc = value.charCodeAt(ci);
+      if (cc < 0x30 || cc > 0x39) {                                                  // allow:raw-byte-literal — ASCII '0' (0x30) .. '9' (0x39)
+        throw new Error("protobuf-encoder: fixed64 string must be unsigned digit-only (got " + JSON.stringify(value) + ")");
+      }
+    }
+    bi = BigInt(value);
+  } else if (typeof value === "number") {
     if (value < 0 || !Number.isFinite(value)) {
       throw new Error("protobuf-encoder: fixed64 must be non-negative finite (got " + value + ")");
     }
-    // Number path — split into low/high 32-bit halves.
-    var low  = value % 0x100000000;
-    var high = Math.floor(value / 0x100000000);
-    buf.writeUInt32LE(low,  0);
-    buf.writeUInt32LE(high, 4);
+    // Refuse silently-rounded values beyond Number.MAX_SAFE_INTEGER —
+    // the caller MUST pass a BigInt or string in that range. JS doubles
+    // lose precision past 2^53 so a Number 1779518164402000000 isn't
+    // actually that exact value once it touches Number arithmetic.
+    if (value > Number.MAX_SAFE_INTEGER) {
+      throw new Error("protobuf-encoder: fixed64 Number above MAX_SAFE_INTEGER loses precision; pass a BigInt or digit-string (got " + value + ")");
+    }
+    bi = BigInt(value);
+  } else {
+    throw new Error("protobuf-encoder: fixed64 must be bigint, number, or digit-string (got " + typeof value + ")");
+  }
+  if (bi < 0n || bi > (1n << 64n) - 1n) {
+    throw new Error("protobuf-encoder: fixed64 out of uint64 range (got " + bi.toString() + ")");
   }
+  buf.writeBigUInt64LE(bi, 0);
   return Buffer.concat([_tag(fieldNumber, WIRE_64BIT), buf]);
 }
 
@@ -177,6 +253,8 @@ function repeatedMessage(fieldNumber, items, perItemBodyEncoder) {
 module.exports = {
   uint32:           uint32,
   uint64:           uint64,
+  int64:            int64,
+  sint64:           sint64,
   bool:             bool,
   fixed64:          fixed64,
   double:           double,

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.5",
+  "version": "0.12.6",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.6.json

@@ -0,0 +1,45 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.6",
+  "date": "2026-05-22",
+  "headline": "`b.observability.otlpExporter` adds OTLP/protobuf-HTTP encoding (`opts.encoding: \"protobuf\"`)",
+  "summary": "The OTLP trace exporter now speaks `application/x-protobuf` end-to-end. Operators with high-volume telemetry opt into binary encoding via `opts.encoding: \"protobuf\"` (`\"http/protobuf\"` is accepted as a spec-name alias). The protobuf wire format encodes the same `ExportTraceServiceRequest` envelope as the existing JSON path — `ResourceSpans` → `ScopeSpans` → `Span` → `Status` / `Event` / `KeyValue` / `AnyValue` per the opentelemetry-proto repo — but emits 30-50% smaller bodies than the JSON shape on real-world workloads and avoids the JSON-parse cost on the collector side. Default stays `\"json\"`; collectors that don't speak protobuf keep working unchanged. Composes the existing `lib/protobuf-encoder.js` infrastructure.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`opts.encoding: \"json\" | \"protobuf\"` on `b.observability.otlpExporter.create`",
+          "body": "When `\"protobuf\"` (or the spec-name alias `\"http/protobuf\"`), the exporter encodes batches as binary OTLP `ExportTraceServiceRequest` bytes and POSTs with `Content-Type: application/x-protobuf`. The retry / queue / drop-counter / audit machinery is shared with the JSON path so operators get the same operational primitives across both encodings. Default stays `\"json\"` — existing collectors keep working without configuration changes."
+        },
+        {
+          "title": "Full OTLP trace schema encoded via `lib/protobuf-encoder.js`",
+          "body": "ResourceSpans / ScopeSpans / Span / Event / Status / KeyValue / AnyValue / ArrayValue are emitted per the opentelemetry-proto repo's field numbers + wire types. `trace_id` and `span_id` round-trip as fixed-length bytes (16 + 8 octets respectively). `start_time_unix_nano` / `end_time_unix_nano` use `fixed64` for the nanosecond precision the JSON path's number type lossily encoded. SpanKind enum mapping covers unspecified / internal / server / client / producer / consumer."
+        },
+        {
+          "title": "`pb.int64` / `pb.sint64` — signed-integer varint shapes on `lib/protobuf-encoder.js`",
+          "body": "Negative integer attribute values in OTLP `AnyValue` (e.g. retry-after offsets, signed metric deltas) emit as proto3 `int64` — wire-type 0 varint, 10-byte two's-complement reinterpret per the spec. `pb.sint64` adds ZigZag-encoded varint for cases where small negatives dominate. Both accept Number / BigInt / digit-string inputs with explicit `[-2^63, 2^63 - 1]` range validation."
+        },
+        {
+          "title": "`pb.fixed64` accepts string-form uint64 values",
+          "body": "OTLP/JSON encodes uint64 as a JSON string (per the proto3 JSON mapping) — the framework's tracer emits `start_time_unix_nano` / `end_time_unix_nano` as digit-string BigInt-to-string conversions so the JSON path stays lossless. `pb.fixed64` now accepts that same digit-string shape on the protobuf path so a single timestamp representation flows through both encodings without a separate coercion step. Refuses non-digit strings and silently-rounded Numbers above `Number.MAX_SAFE_INTEGER`."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "AnyValue recursion capped at 100 levels (CVE-2024-7254 / CVE-2025-4565 class)",
+          "body": "Both protobufjs (CVE-2024-7254) and protobuf-python (CVE-2025-4565) shipped DoS-via-unbounded-nested-group decoding. The OTLP `AnyValue` type permits a nested `ArrayValue { repeated AnyValue values = 1 }` that an adversarial collector-response could exploit during a future receive path. The encoder caps `_anyValueToProto` recursion at 100 levels — beyond which it emits an empty AnyValue rather than continuing to descend. Today's framework only EMITS (never receives) OTLP — but the cap is in the right place when the receive path lands."
+        }
+      ]
+    }
+  ],
+  "references": [
+    { "label": "OTLP §3 — Body encodings (JSON + protobuf)",         "url": "https://opentelemetry.io/docs/specs/otlp/" },
+    { "label": "opentelemetry-proto repo — trace/v1/trace.proto",   "url": "https://github.com/open-telemetry/opentelemetry-proto/blob/main/opentelemetry/proto/trace/v1/trace.proto" },
+    { "label": "CVE-2024-7254 (protobufjs unbounded nesting DoS)",   "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254" },
+    { "label": "CVE-2025-4565 (protobuf-python unbounded nesting DoS)", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4565" }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -4893,6 +4893,21 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "self-update.poll-opts extension of the four-way factory-prelude cluster (sanctions-fetcher / DSR / outbox / self-update) that shares applyDefaults + validateOpts cascade. Four different domains, four different error classes (ComplianceSanctionsFetcherError / DsrError / OutboxError / SelfUpdateError).",
     },
+    {
+      // [fp:09ad583326fb] v0.12.6 — OTLP protobuf encoder addition extended
+      // the otlp-exporter.js create() prelude into the same factory-prelude
+      // cluster dsr + span-http-server already shared. Three different
+      // domains (GDPR Art. 17 data-subject request, HTTP server-span auto-
+      // wiring, OTLP trace exporter) with three distinct error classes
+      // (DsrError / SpanHttpError / OtlpExporterError); the shingle is the
+      // validateOpts(opts, [...key-list...], "<primitive>.create") boilerplate.
+      files: [
+        "lib/dsr.js:create",
+        "lib/middleware/span-http-server.js:create",
+        "lib/observability-otlp-exporter.js:create",
+      ],
+      reason: "v0.12.6 — OTLP protobuf encoder addition pulled observability-otlp-exporter.js:create into the same validateOpts + applyDefaults prelude cluster dsr + span-http-server already shared. Three different domains (GDPR Art. 17 data-subject request workflow / HTTP server-span auto-wiring / OTLP trace exporter) with three distinct error classes (DsrError / SpanHttpError / OtlpExporterError); the shingle is the per-primitive validateOpts(opts, [...key-list...], '<primitive>.create') call.",
+    },
     {
       // [fp:b73d9d193b7b]
       files: [
@@ -5471,6 +5486,32 @@ var KNOWN_ANTIPATTERNS = [
     reason: "CVE-2025-0725 (libcurl + zlib decompression amplification) + CVE-2024-zlib bomb class. Every gunzip / brotli decompress on operator-supplied bytes MUST bound the output. Use `zlib.gunzipSync(buf, { maxOutputLength: <C.BYTES.* constant> })` so the operator sees the cap at config time; refusal becomes a typed error before the bomb reaches memory.",
   },
 
+  {
+    // Codex P1 on v0.12.6 PR #157 — `_anyValueToProto`'s negative-int
+    // path emitted `pb.embeddedMessage(N, pb._writeVarint(v >>> 0))`
+    // which (a) wraps a varint payload in wire-type 2 (length-delimited)
+    // instead of wire-type 0 (varint, which int64 mandates per the
+    // proto3 spec), AND (b) truncates negatives via `v >>> 0` losing
+    // both sign and magnitude beyond 32 bits. Collectors reject the
+    // whole batch when they decode a wire-type mismatch on a known
+    // scalar field, so a single negative AnyValue poisons the export.
+    //
+    // The right shape is `pb.int64(field, value)` (10-byte two's-
+    // complement varint for negatives via BigInt) or `pb.sint64` (ZigZag
+    // when small negatives dominate). The detector flags the
+    // `embeddedMessage(N, ..._writeVarint...)` shape that mixes
+    // wire types — wrapping a raw varint in a length-delimited message
+    // is almost always a bug. Operators legitimately wrapping
+    // `_writeVarint` bytes inside `embeddedMessage` for a packed-repeated
+    // field MUST allowlist with a written reason.
+    id: "protobuf-embeddedmessage-wrapping-varint",
+    primitive: "Use `pb.uint64` / `pb.int64` / `pb.sint64` / `pb.uint32` for scalar varint fields; `embeddedMessage` is for nested message bodies, not raw varints. Mixing wire types causes collectors to reject the whole payload.",
+    regex: /pb\.embeddedMessage\s*\([^)]*pb\._writeVarint/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P1 on v0.12.6 PR #157 — `_anyValueToProto` negative-int path wrapped a varint payload in `embeddedMessage` (wire-type 2) instead of using `int64` (wire-type 0 varint). The wire-type mismatch poisons the whole OTLP batch; the `v >>> 0` truncation also dropped sign + high bits. Fixed by adding `pb.int64` + `pb.sint64` to the encoder + routing the negative-int branch through `pb.int64`. Detector locks the shape: `embeddedMessage(N, _writeVarint(...))` cannot recur.",
+  },
+
   {
     // Codex P2 on v0.11.22 PR #126 — `b.cert.create`'s SNI dispatch
     // wildcard-matched `*.example.com` against `foo.bar.example.com`

package/lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js

@@ -296,6 +296,60 @@ async function testOtlpExporterQueueAndFlush() {
   await exporter.shutdown();
 }
 
+async function testOtlpExporterProtobufNegativeAnyValue() {
+  // Regression for the v0.12.6 Codex P1 finding: a negative integer
+  // AnyValue (e.g. retry-after offset, signed metric delta) under the
+  // protobuf encoding path was emitted with wire-type 2 (length-
+  // delimited) instead of int64's wire-type 0 varint, AND truncated via
+  // `v >>> 0`. Collectors reject the whole batch on such a payload.
+  //
+  // OTLP AnyValue (opentelemetry-proto trace.proto, common.proto):
+  //   message AnyValue { oneof value { ... int64 int_value = 3; ... } }
+  // int64 field 3 with the varint tag = (3 << 3) | 0 = 0x18.
+  // -1 reinterprets as 64-bit two's-complement, encoded as 10 bytes
+  // (all 0xff with continuation bits, final byte 0x01).
+  var posts = [];
+  var fetchImpl = function (url, opts) {
+    posts.push({ url: url, body: opts.body });
+    return Promise.resolve({ ok: true, status: 200 });
+  };
+  var exporter = b.observability.otlpExporter.create({
+    endpoint:         "http://localhost:4318/v1/traces",
+    allowedProtocols: b.safeUrl.ALLOW_HTTP_ALL,
+    fetchImpl:        fetchImpl,
+    batchSize:        1,
+    flushIntervalMs:  0,
+    encoding:         "protobuf",
+  });
+  var tracer = b.observability.tracer.create({
+    service: "test",
+    onEnd:   exporter.queue,
+  });
+  var s = tracer.start("neg-attr");
+  s.setAttribute("retry.delta", -1);
+  s.end();
+  await helpers.waitUntil(function () { return posts.length >= 1; }, {
+    label: "otlp.exporter: protobuf batch flushed with negative AnyValue",
+  });
+  var body = posts[0] && posts[0].body;
+  check("otlp.exporter: protobuf body is a Buffer", Buffer.isBuffer(body));
+  // The marker bytes for int64 field 3 = -1 with the wrapping AnyValue
+  // embedded-message tag (field 2 in KeyValue, wire-type 2): "12 0b 18
+  // ff ff ff ff ff ff ff ff ff 01" — KeyValue.value is field 2 length-
+  // delimited (0x12), inner AnyValue is 11 bytes (0x0b), int_value tag
+  // 0x18 (field 3 wire 0), then 10 varint bytes for -1.
+  var marker = Buffer.from("120b18ffffffffffffffffff01", "hex");
+  check("otlp.exporter: negative int64 AnyValue encoded as varint (wire-type 0)",
+        body.indexOf(marker) !== -1);
+  // The OLD broken path produced "1a 05 18 ff ff ff 0f" (field 5
+  // arrayValue mis-tag + truncated 4-byte uint), so the OLD shape
+  // must NOT be present.
+  var oldBrokenMarker = Buffer.from("18ffffff0f", "hex");
+  check("otlp.exporter: pre-fix truncated-uint shape absent",
+        body.indexOf(oldBrokenMarker) === -1);
+  await exporter.shutdown();
+}
+
 function testOtlpExporterValidation() {
   var threwBadEndpoint = false;
   try {
@@ -580,6 +634,7 @@ function testTracerToJSONIsImmutable() {
   testTracerSpanToTraceparent();
   testOtlpBundleShape();
   await testOtlpExporterQueueAndFlush();
+  await testOtlpExporterProtobufNegativeAnyValue();
   testOtlpExporterValidation();
   testTracePropagateExtractsTracestate();
   testTracePropagateGeneratesWhenMissing();

package/lib/vendor/blamejs/test/layer-0-primitives/protobuf-encoder.test.js

@@ -103,6 +103,60 @@ async function testEmbeddedMessage() {
         _hex(pb.embeddedMessage(1, Buffer.alloc(0))) === "0a00");
 }
 
+async function testInt64FieldShape() {
+  // proto int64 = uint64 varint reinterpret for negatives. Reference
+  // bytes from protoc-emitted encoding:
+  //   int64 field 1 = 1   -> 08 01
+  //   int64 field 1 = -1  -> 08 ff ff ff ff ff ff ff ff ff 01
+  //   int64 field 1 = -2  -> 08 fe ff ff ff ff ff ff ff ff 01
+  //   int64 field 1 = INT64_MIN -> 08 80 80 80 80 80 80 80 80 80 01
+  //   int64 field 1 = INT64_MAX -> 08 ff ff ff ff ff ff ff ff 7f
+  check("int64(1, 1)",  _hex(pb.int64(1, 1)) === "0801");
+  check("int64(1, 0) omitted (proto3 default)", pb.int64(1, 0).length === 0);
+  check("int64(1, -1)",
+        _hex(pb.int64(1, -1)) === "08ffffffffffffffffff01");
+  check("int64(1, -2)",
+        _hex(pb.int64(1, -2)) === "08feffffffffffffffff01");
+  // INT64_MIN -- BigInt because Number can't represent -2^63 losslessly.
+  check("int64(1, INT64_MIN)",
+        _hex(pb.int64(1, -(1n << 63n))) === "0880808080808080808001");
+  check("int64(1, INT64_MAX)",
+        _hex(pb.int64(1, (1n << 63n) - 1n)) === "08ffffffffffffffff7f");
+  // Out-of-range refused.
+  var threwHigh = null;
+  try { pb.int64(1, (1n << 63n)); } catch (e) { threwHigh = e; }
+  check("int64 above INT64_MAX throws",
+        threwHigh && /out of range/.test(threwHigh.message));
+  var threwLow = null;
+  try { pb.int64(1, -(1n << 63n) - 1n); } catch (e) { threwLow = e; }
+  check("int64 below INT64_MIN throws",
+        threwLow && /out of range/.test(threwLow.message));
+  // Non-integer / non-finite refused.
+  var threwNaN = null;
+  try { pb.int64(1, NaN); } catch (e) { threwNaN = e; }
+  check("int64(NaN) throws", threwNaN && /finite integer/.test(threwNaN.message));
+  var threwFloat = null;
+  try { pb.int64(1, 1.5); } catch (e) { threwFloat = e; }
+  check("int64(1.5) throws", threwFloat && /finite integer/.test(threwFloat.message));
+}
+
+async function testSint64FieldShape() {
+  // ZigZag (n << 1) ^ (n >> 63):
+  //   0 -> 0
+  //  -1 -> 1
+  //   1 -> 2
+  //  -2 -> 3
+  //   2 -> 4
+  // Reference bytes:
+  //   sint64 field 1 = -1 -> 08 01
+  //   sint64 field 1 =  1 -> 08 02
+  //   sint64 field 1 = -2 -> 08 03
+  check("sint64(1, -1) zigzag",  _hex(pb.sint64(1, -1)) === "0801");
+  check("sint64(1, 1) zigzag",   _hex(pb.sint64(1, 1))  === "0802");
+  check("sint64(1, -2) zigzag",  _hex(pb.sint64(1, -2)) === "0803");
+  check("sint64(1, 0) omitted",  pb.sint64(1, 0).length === 0);
+}
+
 async function testRepeatedMessage() {
   // repeated message field 1 with two items: each item is a string-1
   // = "a" / "b" -> 0a 03 0a 01 61 0a 03 0a 01 62
@@ -125,6 +179,8 @@ async function run() {
   await testBoolFieldShape();
   await testBytesFieldShape();
   await testEmbeddedMessage();
+  await testInt64FieldShape();
+  await testSint64FieldShape();
   await testRepeatedMessage();
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.75",
+  "version": "0.0.77",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {