npm - @blamejs/blamejs-shop - Versions diffs - 0.0.98 → 0.0.100 - Mend

@blamejs/blamejs-shop 0.0.98 → 0.0.100

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/CHANGELOG.md +4 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.0.x
+- v0.0.100 (2026-05-23) — **Remove the broken `worker-esbuild-parse` gate (v0.0.99 deploy blocker) + compose `b.cookies` for the session-cookie presence check.** v0.0.99's `worker-esbuild-parse` smoke gate ran `npx esbuild` inside the container's Dockerfile test stage. The test stage doesn't carry `node_modules` and the build environment has no network access at that point, so `npx esbuild` couldn't download esbuild and exited non-zero — breaking the smoke gate, breaking the auto-deploy. Gate removed. The original failure mode the gate was guarding against (a missing closing brace that Node tolerates but esbuild refuses) still surfaces in the Cloudflare Workers Builds run itself; a redesigned gate that doesn't need a network-reachable npm registry will land in a follow-up. Same patch composes `b.cookies.parseSafe` for the `_hasSessionCookie` presence check (replaces the inline regex with the framework's parser + grammar enforcement). **Changed:** *`_hasSessionCookie` composes `b.cookies.parseSafe` instead of a regex presence check* — Previous shape: `/\b(shop_sid|shop_auth)=/.test(cookieHeader)` — close enough for presence but skipped the framework's RFC 6265bis token-grammar enforcement (length cap, duplicate-key resolution, CRLF refusal). New shape: `b.cookies.parseSafe(cookieHeader)` returns `{ jar, issues }`; `jar` is a null-prototype object the presence check inspects via `hasOwnProperty` for the session cookie names. `b.cookies` joins the Worker-side primitive surface via `worker/b.js`. **Fixed:** *Remove `worker-esbuild-parse` smoke gate* — The gate ran `npx esbuild worker/index.js --bundle ...` from `test/smoke.js`. Locally + in CI it worked because `node_modules` was already populated. The container's test stage in the Dockerfile doesn't install dependencies — the smoke test runs against the source tree only — so `npx` had to download esbuild fresh, which the Cloudflare Workers Builds environment refuses (network-restricted build stage). Gate removed to unblock the auto-deploy; replacement gate (parser that doesn't need esbuild) tracked for a follow-up.
+- v0.0.99 (2026-05-23) — **`worker-esbuild-parse` smoke gate — catches the node-tolerates / esbuild-refuses syntax mismatch that broke v0.0.95 + v0.0.97 deploys.** v0.0.95 and v0.0.97 shipped `worker/index.js` with a missing closing brace on `_warmingHtml`. Node's parser tolerated the unterminated declaration; `node --check` returned OK, smoke passed, the commits merged. Wrangler's esbuild refused with `Unexpected end of file` and blocked the Cloudflare Workers Builds deploy on both versions. v0.0.98 restored the brace. This patch adds a `worker-esbuild-parse` gate to `test/smoke.js` that runs `npx esbuild worker/index.js --bundle --format=esm --platform=neutral` (with the `@cloudflare/containers` + `node:*` imports externalised so the local run doesn't need the polyfills wrangler ships at deploy time) — parse-success-only check that catches the regression class before the commit lands. **Added:** *`worker-esbuild-parse` static gate in `test/smoke.js`* — Runs `npx esbuild worker/index.js --bundle --format=esm --platform=neutral --external:@cloudflare/containers --external:node:* --log-level=error` against the Worker entrypoint. esbuild's parser is stricter than Node's at EOF — it catches unterminated function declarations, unclosed braces / parens / template literals, and similar shapes that node tolerates. The gate runs alongside the existing release-notes-rollup / changelog-in-sync / vendor-drift checks; verified by injection that an appended `function _badInject() {` trips it. The actual bundle resolution (Cloudflare Workers Builds runs `wrangler deploy` which composes the same esbuild + the nodejs_compat polyfills) stays the source of truth for runtime — this gate is parse-only, fast, and runs on every local + CI smoke.
 - v0.0.98 (2026-05-23) — **Restore the missing closing brace on `_warmingHtml` — wrangler bundle was failing at EOF.** An earlier patch trimmed too many trailing lines from `worker/index.js` while removing a detector-injection leftover, accidentally taking the closing `}` of `_warmingHtml` along with it. `node --check` parsed the file fine (Node's parser is more forgiving at EOF) but wrangler's esbuild reported `Unexpected end of file` because the function declaration was unterminated. v0.0.95 / v0.0.97 builds both failed on Cloudflare Workers Builds because of this. The brace is back. The smoke + detector gates passed at every prior ship because Node's parser tolerated the missing brace; adding a brace-balance gate to smoke is the next-shipped follow-up. **Fixed:** *`_warmingHtml`'s closing brace restored* — The function body's string-concat return statement ends on the same line as the closing brace in the source template, and an earlier `head -n -N` trim that was meant to undo a detector-injection took the brace along with the injection. Node's `node --check` accepted the unterminated declaration (its parser doesn't require the brace at EOF in the same way esbuild does) but wrangler / esbuild refused with `Unexpected end of file`. v0.0.95 and v0.0.97 Cloudflare Workers Builds deploys both failed on this — they're now unblocked.
 - v0.0.97 (2026-05-23) — **Guest `/cart` on the edge + emergency fix for stray detector-injection leftover that broke wrangler bundling on v0.0.95.** v0.0.95 shipped with a one-line leftover at the bottom of `worker/index.js` — a stray `function _testCatchReturnNull() {` from an earlier detector-verification injection that wasn't fully cleaned up. `node --check` accepted the unterminated declaration but wrangler's esbuild refused with `Unexpected end of file`, blocking the v0.0.95 auto-deploy on Cloudflare Workers Builds. This patch removes the leftover and ships v0.0.96's guest-`/cart` edge route at the same time. The release-notes/v0.0.96.json file lands in this ship too (PR #96 was closed in favour of this consolidated release). **Added:** *Guest `/cart` rendered at the edge (carried from the closed PR #96)* — GET `/cart` for visitors without a `shop_sid` / `shop_auth` cookie now renders the empty-cart page directly at the edge — same `worker/render/cart.js#renderCart` that ships in the Worker bundle, called with `lines: []` and zero totals. Cookie-bearing visitors fall through to the container path which has the framework's vault keychain and can decrypt the sealed session to look up the real cart row. Session-cookie detection reuses `_hasSessionCookie` — same predicate that's gated the edge cache since v0.0.78. **Fixed:** *Stray `function _testCatchReturnNull() {` removed from `worker/index.js`* — A detector-verification injection that should have been fully reverted left a single unterminated `function` declaration at EOF. Node's parser tolerates the shape (`node --check` returned OK) but wrangler's esbuild reports `Unexpected end of file` and refuses to build, blocking the v0.0.95 Cloudflare Workers Builds deploy. The leftover is gone.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.98",
+  "version": "0.0.100",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {