@blamejs/blamejs-shop 0.1.1 → 0.1.4

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.1.x
 
+- v0.1.4 (2026-05-25) — **Sign in with Google.** Customers can sign in with Google alongside passkeys. The account login page gains a Continue with Google button; the OIDC authorization-code flow (PKCE, state, nonce, ID-token verification) runs through the framework's OAuth adapter, and the verified identity becomes a shop session. Accounts are keyed on the provider's stable subject, and an existing account is only ever linked on an email the provider has verified — an unverified email that collides with an existing account is refused rather than linked. A cart built before signing in is adopted into the account, so checkout attaches the order to the customer. **Added:** *Google sign-in* — Mounts `/account/login/google` + `/account/auth/google/callback` when the operator sets `GOOGLE_OAUTH_CLIENT_ID`, `GOOGLE_OAUTH_CLIENT_SECRET`, and `SHOP_ORIGIN`. The in-flight state (CSRF state + nonce + PKCE verifier) rides a sealed, /account-scoped, SameSite=Lax cookie; the callback verifies the state before exchanging the code. A forged or stale callback is dropped to the login page. On success the guest session cart is adopted into the account (`cart.setCustomer`), matching the passkey path. · *Federated identity model + safe account linking* — `customers.signInWithOIDC` resolves a verified sign-in to a customer: an existing `(provider, subject)` link, else — only on a provider-verified email — an existing account with that email, else a new account. It never links to an existing account on an unverified email (account-takeover defense). New `customer_oauth_identities` table (migration 0205) + `customers.byOAuthIdentity`.
+
+- v0.1.2 (2026-05-25) — **Apple Pay and Google Pay express checkout.** The pay page now offers one-tap wallet checkout. Stripe's Express Checkout Element renders Apple Pay and Google Pay buttons above the card form on eligible devices, confirming the same PaymentIntent as the card path — so the webhook and order flow are unchanged. To turn the wallets on, the operator registers the shop's web domain with Stripe once via the admin API; Stripe performs Apple merchant validation and hosts the domain-association file, so no Apple Developer account is needed. **Added:** *Wallet buttons on the pay page* — The Stripe Express Checkout Element mounts above the card form and auto-renders Apple Pay / Google Pay (and Link) when the device and the shop's registered domain make them available. It stays hidden until Stripe reports an available wallet, and confirms the existing per-order PaymentIntent — the payment-completion path (webhook → order FSM) is identical to the card flow. · *Payment-method domain registration* — `POST /admin/payment-method-domains` (with `{ "domain_name": "shop.example.com" }`) registers a domain with Stripe to enable the wallets; `GET /admin/payment-method-domains` lists registered domains and their per-method status. The payment adapter gains `registerPaymentMethodDomain` + `listPaymentMethodDomains`. Apex, www, and each subdomain register separately; a live-mode registration also covers sandbox.
+
 - v0.1.1 (2026-05-25) — **Admin setup wizard + a browser-accessible admin console.** The admin is now reachable from a browser, not just the bearer-token JSON API. Sign in once at /admin by pasting the ADMIN_API_KEY and a sealed, /admin-scoped session cookie carries you through the guided setup wizard (shop name, contact email, default currency, support URL — saved to shop config) and the analytics dashboard. The shop name set in the wizard drives the storefront header, page titles, and the admin header. **Added:** *Browser admin sign-in* — `/admin` renders a sign-in form; pasting the ADMIN_API_KEY sets a sealed `shop_admin` session cookie (SameSite=Strict, scoped to /admin) so the rendered admin pages are reachable from a browser. The JSON API stays bearer-only; the dashboard accepts either the cookie or the bearer token. · *Setup wizard* — `/admin/setup` is a guided form for the shop's core identity — name, contact email, default currency, support URL — validated (ISO-4217 currency, RFC-shaped email, http(s) support URL) and saved to shop config. The landing nags until setup is complete; the shop name then drives the storefront and admin headers.
 
 - v0.1.0 (2026-05-25) — **Responsive cart + storefront cookie handling moved onto the framework primitive.** A storefront polish pass. The cart, order-confirmation, and account-history tables now reflow into stacked, labelled cards on phones and fit their column on wider screens — no more inner horizontal scroll. The quantity field reads clearly and accepts up to 99,999. The line actions (Update / Save for later / Remove) are compact with a clear hierarchy. Under the hood, all storefront cookie handling now composes the framework's cookie primitive (RFC 6265 parse/serialize plus vault-sealed read/write) instead of hand-built headers, and a malformed session cookie can no longer turn the cart — or any page that shows the cart count — into a 500. **Changed:** *Quantity field is readable and accepts up to 99,999* — The cart quantity input is wide enough to read a five-digit quantity, and the per-line maximum is raised to 99,999 (enforced on the server). · *Compact, clearly-ranked line actions* — Update is a small accent button, Save for later a quiet secondary, Remove a danger-tinted secondary — so the primary checkout call stays dominant. · *Cookie handling composes the framework primitive* — Session, authentication, WebAuthn-challenge, and payment cookies are all parsed and written through the framework cookie primitive (sealed read/write for the authenticated-session cookie), replacing hand-built Set-Cookie strings and manual header parsing. Cookie lifetimes are expressed through the framework's duration constants. **Fixed:** *Cart tables no longer scroll sideways* — The cart, order-confirmation, and account order-history tables reflow into one labelled card per row below 48rem and are sized to fit their column on wider layouts, so content is never trapped behind an inner horizontal scrollbar. · *Malformed session cookie no longer 500s the storefront* — A `shop_sid` cookie carrying a value that isn't a well-formed session id now reads as "no session" instead of reaching the cart lookup (which rejected it and surfaced a 500 on every page that renders the cart count). · *Account dashboard controls wrap on narrow screens* — The row of account actions (Wishlist / Saved for later / Recently viewed / Addresses / Returns / Sign out) now wraps instead of overflowing the viewport on a phone.

package/README.md

@@ -57,12 +57,12 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/pricing.js`** | Pure-function money math — `lineTotal`, `subtotal`, `totals`, `format`. Multi-currency refused, banker's-style rounding, locale-aware via `Intl.NumberFormat`. |
 | **`lib/tax.js`** | Operator-table adapter. Country / state / postal_prefix → rate_bps. Most-specific-first match, banker's rounding. Pluggable adapter shape for future Stripe Tax / TaxJar / Avalara. |
 | **`lib/shipping.js`** | Operator-table adapter. Services with zones (flat or per-gram + base + min/max), free-over-threshold, `digital_only` flag. |
-| **`lib/payment.js`** | Stripe adapter — verify webhook (HMAC-SHA256 via upstream `b.webhook.verify` alg `hmac-sha256-stripe`), create / retrieve / confirm / cancel PaymentIntent, refund. No `stripe` npm dep — outbound through `b.httpClient` (SSRF-gated, retried, circuit-broken). |
+| **`lib/payment.js`** | Stripe adapter — verify webhook (HMAC-SHA256 via upstream `b.webhook.verify` alg `hmac-sha256-stripe`), create / retrieve / confirm / cancel PaymentIntent, refund, register / list payment-method domains (Apple Pay + Google Pay enablement for the Express Checkout Element). No `stripe` npm dep — outbound through `b.httpClient` (SSRF-gated, retried, circuit-broken). |
 | **`lib/order.js`** | FSM-driven post-checkout record via upstream `b.fsm`. States: pending → paid → fulfilling → shipped → delivered (+ refunded / cancelled). Every transition appends to `order_transitions`. |
 | **`lib/checkout.js`** | Orchestrator. `quote()` returns priced quote; `confirm()` creates PaymentIntent + persists order in pending; `handleStripeEvent()` verifies webhook + fires the FSM transition (idempotent on re-delivery). |
 | **`lib/email.js`** | Transactional templates — order receipt, ship notification, refund confirmation. Strict `{{var}}` renderer with HTML escape + refusal of unknown / unused placeholders. Composed on `b.mail` (DKIM/SPF/DMARC/BIMI upstream). |
 | **`lib/storefront.js`** | Server-rendered HTML — utility bar + sticky header + dark hero with code-preview card + primitives marquee + featured-product callout + collections grid + framework feature band + designed catalog grid + newsletter band + four-column footer. Designed surfaces also for PDP, cart, checkout, pay, order, account login / register / dashboard, search results, `/admin` API landing, 404. Image-bearing cards on the home + search grids pull from `catalog.media`. The default theme stylesheet is external (R2-served `themes/default/assets/css/main.css`) and CSP-compliant — operators override by uploading a replacement at the same key, by passing `opts.theme_css` to renderers, or by registering a named theme through the `theme` primitive. |
-| **`lib/customers.js`** | Customer accounts — passkey-only (WebAuthn). Email is stored hash-only (`b.crypto.namespaceHash` namespace `customer-email`); the raw address never lands in D1. Passkey credentials carry CBOR-encoded public keys, transport hints, and SHA3-512-fingerprinted attestation. Account routes (`/account/login`, `/account/register`, `/account`) ship as designed cards on the storefront. |
+| **`lib/customers.js`** | Customer accounts — passkey (WebAuthn) + **Sign in with Google** (OIDC). Email is stored hash-only (`b.crypto.namespaceHash` namespace `customer-email`); the raw address never lands in D1. Passkey credentials carry CBOR-encoded public keys, transport hints, and SHA3-512-fingerprinted attestation. `signInWithOIDC` keys federated accounts on the provider `(provider, subject)` and links an existing account only on a provider-verified email (never on an unverified one). Account routes (`/account/login`, `/account/register`, `/account`, `/account/login/google`) ship as designed cards on the storefront. |
 | **`lib/reviews.js`** | Operator-moderated product ratings. Submission requires a signed-in customer **and** a verified purchase — `/products/:slug/review` confirms a completed order for the product (via `order.hasPurchasedProduct`) before accepting, re-checked on POST; reviews land `pending`. Author identity is hash-only (`b.crypto.namespaceHash`); the raw email is never stored. The PDP renders the average, per-star distribution, and published reviews with `AggregateRating` JSON-LD. `/admin/reviews` is the moderation queue (`listByStatus` → publish / reject). |
 | **`lib/wishlist.js`** | Per-customer saved products. The PDP renders a login-gated "Save to wishlist" toggle and a "N shoppers saved this" social-proof count; `/account/wishlist` lists saved items (remove + reopen, orphan-tolerant when a product is archived). `POST /wishlist/toggle` is idempotent (`INSERT OR IGNORE`) and redirects to the canonical product slug or a safe same-origin `return_to`. UUID-shape-validated ids, `b.pagination` HMAC cursors. |
 | **`lib/save-for-later.js`** | Per-customer cart holding list. Each cart line gets a login-gated "Save for later" control (`POST /cart/lines/:id/save` → `moveFromCart`); `/account/saved` lists items with Move-to-cart / Remove. `moveToCart` reprices to the current catalog price and stock-gates (out-of-stock + non-backorderable is refused). Composes `catalog.inventory` + `catalog.prices` + `catalog.variants`. |
@@ -92,6 +92,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 - `migrations-d1/0041_save_for_later.sql` — per-customer cart holding list (price snapshot + source line)
 - `migrations-d1/0026_customer_addresses.sql` — per-customer address book (default shipping/billing flags)
 - `migrations-d1/0023_returns.sql` — return authorizations + lines (RMA lifecycle FSM)
+- `migrations-d1/0205_customer_oauth_identities.sql` — federated sign-in identities (provider + subject, verified-email gating)
 - `migrations-d1/0043_collections.sql` — manual + smart product collections (members + rules + sort strategy)
 - `migrations-d1/0050_recently_viewed.sql` — per-customer / per-session product browse history (dedup + per-subject cap)
 

package/lib/admin.js

@@ -789,6 +789,31 @@ function mount(router, deps) {
     }));
   }
 
+  // ---- payment-method domains (Apple Pay / Google Pay enablement) -----
+  //
+  // Registering the shop's web domain with Stripe enables the wallet
+  // methods for the Express Checkout Element on the pay page. Stripe
+  // performs Apple merchant validation + hosts the association file, so
+  // there's no Apple Developer account to wire — this is the operator's
+  // one-shot action. Disabled when the payment dep is absent.
+  if (payment) {
+    router.post("/admin/payment-method-domains", W("payment_domain.register", async function (req, res) {
+      var body = req.body || {};
+      var domainName = body.domain_name;
+      var result = await payment.registerPaymentMethodDomain(domainName);
+      _json(res, 201, result);
+      return { id: (result && result.id) || domainName };
+    }));
+
+    router.get("/admin/payment-method-domains", R(async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var domainName = url && url.searchParams.get("domain_name");
+      var filter = domainName ? { domain_name: domainName } : {};
+      var result = await payment.listPaymentMethodDomains(filter);
+      _json(res, 200, result);
+    }));
+  }
+
   // ---- webhooks -------------------------------------------------------
 
   var webhooks = deps.webhooks || null;

package/lib/customers.js

@@ -36,6 +36,8 @@ function _b() {
 }
 
 var EMAIL_NAMESPACE = "customer-email";
+// Federated identity providers the OIDC sign-in path accepts.
+var OAUTH_PROVIDERS = ["google", "apple"];
 var MAX_DISPLAY_NAME_LEN  = 128;
 var MAX_CRED_FIELD_BYTES  = 4096;
 var TRANSPORTS_RE = /^[a-z]+(?:,[a-z]+)*$/;
@@ -144,7 +146,7 @@ function create(opts) {
     return _b().crypto.namespaceHash(EMAIL_NAMESPACE, email);
   }
 
-  return {
+  var api = {
     EMAIL_NAMESPACE: EMAIL_NAMESPACE,
 
     // Hash an email without writing — useful for login lookups
@@ -202,6 +204,102 @@ function create(opts) {
       return r.rows[0] || null;
     },
 
+    // ---- federated (OAuth / OIDC) sign-in -------------------------------
+
+    // The customer linked to an external (provider, subject) identity, or
+    // null. `subject` is the IdP `sub` claim — the durable account key.
+    byOAuthIdentity: async function (provider, subject) {
+      if (OAUTH_PROVIDERS.indexOf(provider) === -1) {
+        throw new TypeError("customers.byOAuthIdentity: unknown provider " + JSON.stringify(provider));
+      }
+      if (typeof subject !== "string" || !subject.length || subject.length > 255) {
+        throw new TypeError("customers.byOAuthIdentity: subject must be a non-empty string ≤ 255 chars");
+      }
+      var r = await query(
+        "SELECT c.* FROM customers c " +
+        "JOIN customer_oauth_identities i ON i.customer_id = c.id " +
+        "WHERE i.provider = ?1 AND i.subject = ?2 LIMIT 1",
+        [provider, subject],
+      );
+      return r.rows[0] || null;
+    },
+
+    // Resolve (or create) the customer for a verified OIDC sign-in.
+    // Resolution order, per standard federated-identity discipline:
+    //   1. an existing (provider, subject) link → that customer (the
+    //      durable key; email changes don't break it);
+    //   2. else, ONLY when the IdP verified the email, an existing
+    //      customer with that email_hash → link the identity to it;
+    //   3. else register a new customer + link.
+    // Never links to an existing account on an UNVERIFIED email (that
+    // would be account takeover). Returns { customer, created,
+    // linked_via }.
+    signInWithOIDC: async function (input) {
+      if (!input || typeof input !== "object") {
+        throw new TypeError("customers.signInWithOIDC: input object required");
+      }
+      var provider = input.provider;
+      if (OAUTH_PROVIDERS.indexOf(provider) === -1) {
+        throw new TypeError("customers.signInWithOIDC: unknown provider " + JSON.stringify(provider));
+      }
+      var subject = input.subject;
+      if (typeof subject !== "string" || !subject.length || subject.length > 255) {
+        throw new TypeError("customers.signInWithOIDC: subject must be a non-empty string ≤ 255 chars");
+      }
+      var emailVerified  = input.email_verified === true;
+      var canonicalEmail = input.email ? _normalizeEmail(input.email) : null;
+      var ts = _now();
+
+      // (1) Existing federated link — refresh the captured email + flag.
+      var existing = await api.byOAuthIdentity(provider, subject);
+      if (existing) {
+        await query(
+          "UPDATE customer_oauth_identities SET email = ?1, email_verified = ?2, updated_at = ?3 " +
+          "WHERE provider = ?4 AND subject = ?5",
+          [canonicalEmail, emailVerified ? 1 : 0, ts, provider, subject],
+        );
+        return { customer: existing, created: false, linked_via: "oauth-subject" };
+      }
+
+      // (2) Link to an existing customer — verified email only.
+      var customer = null, linkedVia = null, created = false;
+      if (emailVerified && canonicalEmail) {
+        customer = await api.byEmailHash(_hashEmail(canonicalEmail));
+        if (customer) linkedVia = "verified-email";
+      }
+
+      // (3) New account. Reaching here with a duplicate email means the
+      // address already belongs to an account but step (2) declined to
+      // link it — i.e. the IdP did NOT verify the email. Refuse rather
+      // than link (account takeover) or create a colliding row.
+      if (!customer) {
+        if (!canonicalEmail) {
+          throw new TypeError("customers.signInWithOIDC: an email is required to create a new account");
+        }
+        var displayName = input.display_name || canonicalEmail.split("@")[0] || "Customer";
+        try {
+          customer = await api.register({ email: canonicalEmail, display_name: displayName });
+        } catch (e) {
+          if (e && e.code === "CUSTOMER_DUPLICATE") {
+            var conflict = new Error("customers.signInWithOIDC: that email is registered to another account and " + provider + " has not verified it — sign in with your existing method or verify the email first");
+            conflict.code = "OAUTH_EMAIL_UNVERIFIED_CONFLICT";
+            throw conflict;
+          }
+          throw e;
+        }
+        linkedVia = "new";
+        created   = true;
+      }
+
+      await query(
+        "INSERT INTO customer_oauth_identities " +
+        "(id, customer_id, provider, subject, email, email_verified, created_at, updated_at) " +
+        "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?7)",
+        [_b().uuid.v7(), customer.id, provider, subject, canonicalEmail, emailVerified ? 1 : 0, ts],
+      );
+      return { customer: customer, created: created, linked_via: linkedVia };
+    },
+
     listPasskeys: async function (customerId) {
       _uuid(customerId, "customer id");
       var r = await query(
@@ -312,6 +410,7 @@ function create(opts) {
       return true;
     },
   };
+  return api;
 }
 
 module.exports = {

package/lib/payment.js

@@ -370,6 +370,33 @@ function stripe(opts) {
                           {}, idempotencyKey);
     },
 
+    // Register a web domain so Stripe enables the wallet methods (Apple
+    // Pay / Google Pay / Link / PayPal) for the Express Checkout Element
+    // served from it. Stripe performs Apple merchant validation + hosts
+    // the domain-association file — the operator does not need an Apple
+    // Developer account. Registering in live mode also registers
+    // sandbox. One-shot operator action (admin endpoint). `domainName`
+    // is a bare hostname — apex, www, and subdomains register separately.
+    registerPaymentMethodDomain: function (domainName, idempotencyKey) {
+      if (typeof domainName !== "string" ||
+          !/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i.test(domainName)) {
+        throw new TypeError("payment.registerPaymentMethodDomain: domainName must be a bare hostname (no scheme / path / port)");
+      }
+      return _stripeCall(opts, "POST", "/payment_method_domains", { domain_name: domainName }, idempotencyKey);
+    },
+
+    // List registered payment-method domains (optionally filtered to one
+    // hostname) with each method's enablement status. Read-only.
+    listPaymentMethodDomains: function (filter) {
+      filter = filter || {};
+      var path = "/payment_method_domains";
+      if (filter.domain_name) {
+        if (typeof filter.domain_name !== "string") throw new TypeError("payment.listPaymentMethodDomains: domain_name must be a string");
+        path += "?domain_name=" + encodeURIComponent(filter.domain_name);
+      }
+      return _stripeCall(opts, "GET", path, null, null);
+    },
+
     refund: function (input, idempotencyKey) {
       if (!input || typeof input !== "object") throw new TypeError("payment.refund: input object required");
       _assertSecret(input.payment_intent, "refund.payment_intent");

package/lib/storefront.js

@@ -1617,6 +1617,10 @@ var PAY_PAGE =
   "    <p class=\"section-head__lede\">Order <code class=\"inline-code\">{{order_id}}</code> · the Stripe Payment Element is mounted below in a same-origin form.</p>\n" +
   "  </header>\n" +
   "  <div class=\"pay-card\">\n" +
+  "    <div id=\"express-checkout\" class=\"pay-card__express\" hidden>\n" +
+  "      <div id=\"express-checkout-element\"></div>\n" +
+  "      <div class=\"pay-card__divider\"><span>or pay with card</span></div>\n" +
+  "    </div>\n" +
   "    <div id=\"payment-element\" class=\"pay-card__element\"></div>\n" +
   "    <button id=\"submit\" type=\"button\" class=\"btn-primary pay-card__submit\">Pay {{grand_total}}</button>\n" +
   "    <p id=\"payment-message\" class=\"pay-card__message\"></p>\n" +
@@ -1626,14 +1630,29 @@ var PAY_PAGE =
   "    (function () {\n" +
   "      var stripe = Stripe({{pk_json}});\n" +
   "      var elements = stripe.elements({ clientSecret: {{client_secret_json}}, appearance: { theme: \"stripe\" } });\n" +
-  "      var paymentElement = elements.create(\"payment\");\n" +
-  "      paymentElement.mount(\"#payment-element\");\n" +
-  "      document.getElementById(\"submit\").addEventListener(\"click\", function () {\n" +
-  "        document.getElementById(\"payment-message\").textContent = \"Processing...\";\n" +
-  "        stripe.confirmPayment({ elements: elements, confirmParams: { return_url: window.location.origin + \"/orders/{{order_id}}\" } }).then(function (result) {\n" +
-  "          if (result.error) { document.getElementById(\"payment-message\").textContent = result.error.message || \"Payment failed.\"; }\n" +
+  "      var returnUrl = window.location.origin + \"/orders/{{order_id}}\";\n" +
+  "      var message = document.getElementById(\"payment-message\");\n" +
+  "      function confirm() {\n" +
+  "        message.textContent = \"Processing...\";\n" +
+  "        return stripe.confirmPayment({ elements: elements, confirmParams: { return_url: returnUrl } }).then(function (result) {\n" +
+  "          if (result.error) { message.textContent = result.error.message || \"Payment failed.\"; }\n" +
   "        });\n" +
+  "      }\n" +
+  "      // Express Checkout Element — renders Apple Pay / Google Pay /\n" +
+  "      // Link wallet buttons when the device + the shop's registered\n" +
+  "      // payment-method domain make them available. It confirms the\n" +
+  "      // same PaymentIntent as the card form, so the webhook + order\n" +
+  "      // FSM are identical. Hidden until Stripe reports an available\n" +
+  "      // wallet so the divider never sits over an empty box.\n" +
+  "      var ece = elements.create(\"expressCheckout\");\n" +
+  "      ece.on(\"ready\", function (ev) {\n" +
+  "        if (ev && ev.availablePaymentMethods) { document.getElementById(\"express-checkout\").hidden = false; }\n" +
   "      });\n" +
+  "      ece.on(\"confirm\", function () { confirm(); });\n" +
+  "      ece.mount(\"#express-checkout-element\");\n" +
+  "      var paymentElement = elements.create(\"payment\");\n" +
+  "      paymentElement.mount(\"#payment-element\");\n" +
+  "      document.getElementById(\"submit\").addEventListener(\"click\", function () { confirm(); });\n" +
   "    })();\n" +
   "  </script>\n" +
   "</section>\n";
@@ -2103,6 +2122,12 @@ var CHALLENGE_COOKIE_NAME = "shop_auth_chal";
 // SameSite=Strict so it's only ever sent to the pay route.
 var PAY_COOKIE_NAME = "shop_pay";
 
+// Short-lived sealed cookie holding the in-flight OIDC sign-in state
+// (provider + CSRF state + nonce + PKCE verifier) between the redirect
+// to the identity provider and the callback. Path-scoped to /account;
+// SameSite=Lax so it survives the provider's top-level GET redirect back.
+var OAUTH_COOKIE_NAME = "shop_oauth";
+
 // Shape of a valid session id — mirrors cart.js's SESSION_ID_RE.
 var SID_SHAPE_RE = /^[A-Za-z0-9_-]{16,64}$/;
 
@@ -2180,11 +2205,13 @@ var ACCOUNT_LOGIN_PAGE =
   "    <p class=\"eyebrow\">Sign in</p>\n" +
   "    <h1 class=\"auth-card__title\">Welcome back</h1>\n" +
   "    <p class=\"auth-card__lede\">Enter your email and authenticate with your passkey. No password to type, no recovery email to click.</p>\n" +
+  "    RAW_LOGIN_ERROR\n" +
   "    <form id=\"login-form\" method=\"post\" class=\"form-stack auth-form\">\n" +
   "      <div class=\"form-row\"><label class=\"form-field\"><span class=\"form-field__label\">Email</span><input type=\"email\" name=\"email\" id=\"email\" required autocomplete=\"email\" autofocus></label></div>\n" +
   "      <div class=\"form-actions\"><button type=\"submit\" class=\"btn-primary auth-form__submit\">Sign in with passkey</button></div>\n" +
   "      <p id=\"login-message\" class=\"auth-form__message\"></p>\n" +
   "    </form>\n" +
+  "    RAW_LOGIN_OAUTH\n" +
   "    <p class=\"auth-card__alt\">New here? <a href=\"/account/register\">Create an account →</a></p>\n" +
   "  </div>\n" +
   "  <script>\n" +
@@ -2211,14 +2238,31 @@ var ACCOUNT_LOGIN_PAGE =
   "  </script>\n" +
   "</section>\n";
 
+var LOGIN_ERROR_MESSAGES = {
+  oauth:           "We couldn't complete that sign-in. Please try again.",
+  "email-conflict": "That email already has an account — sign in with your passkey instead.",
+};
+
 function renderAccountLogin(opts) {
   opts = opts || {};
+  var oauthHtml = opts.google_enabled
+    ? "<div class=\"auth-oauth\">" +
+        "<div class=\"auth-oauth__divider\"><span>or</span></div>" +
+        "<a class=\"btn-secondary auth-oauth__btn\" href=\"/account/login/google\">Continue with Google</a>" +
+      "</div>"
+    : "";
+  var errHtml = (opts.error && LOGIN_ERROR_MESSAGES[opts.error])
+    ? "<p class=\"auth-form__message auth-form__message--err\">" + _b().template.escapeHtml(LOGIN_ERROR_MESSAGES[opts.error]) + "</p>"
+    : "";
+  var body = ACCOUNT_LOGIN_PAGE
+    .replace("RAW_LOGIN_OAUTH", oauthHtml)
+    .replace("RAW_LOGIN_ERROR", errHtml);
   return _wrap({
     title:      "Sign in",
     shop_name:  opts.shop_name || "blamejs.shop",
     cart_count: opts.cart_count,
     theme_css: opts.theme_css,
-    body:       ACCOUNT_LOGIN_PAGE,
+    body:       body,
   });
 }
 
@@ -2888,7 +2932,13 @@ function mount(router, deps) {
 
     router.get("/account/login", async function (req, res) {
       var cartCount = await _cartCountForReq(req);
-      _send(res, 200, renderAccountLogin({ shop_name: shopName, cart_count: cartCount }));
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      _send(res, 200, renderAccountLogin({
+        shop_name:      shopName,
+        cart_count:     cartCount,
+        google_enabled: !!deps.oauthGoogle,
+        error:          url && url.searchParams.get("error"),
+      }));
     });
 
     router.get("/account/register", async function (req, res) {
@@ -3169,6 +3219,87 @@ function mount(router, deps) {
       return res.end ? res.end() : res.send("");
     });
 
+    // Sign in with Google (OIDC). Mounts when the operator wires an
+    // `oauthGoogle` adapter (b.auth.oauth, google preset). The framework
+    // adapter owns discovery + PKCE + ID-token verification (signature,
+    // iss, aud, exp, nonce); this layer manages the sealed in-flight
+    // state cookie and turns the verified identity into a shop session
+    // via customers.signInWithOIDC (which gates account linking on a
+    // verified email).
+    if (deps.oauthGoogle) {
+      router.get("/account/login/google", async function (req, res) {
+        try {
+          var a = await deps.oauthGoogle.authorizationUrl({ prompt: "select_account" });
+          _cookieJar().writeSealed(res, OAUTH_COOKIE_NAME, JSON.stringify({
+            provider: "google", state: a.state, nonce: a.nonce, verifier: a.verifier,
+          }), { expires: new Date(Date.now() + _b().constants.TIME.minutes(10)), path: "/account", sameSite: "Lax" });
+          res.status(302);
+          res.setHeader && res.setHeader("location", a.url);
+          return res.end ? res.end() : res.send("");
+        } catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return; }
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login?error=oauth");
+          return res.end ? res.end() : res.send("");
+        }
+      });
+
+      router.get("/account/auth/google/callback", async function (req, res) {
+        function _toLogin(err) {
+          res.status(303);
+          res.setHeader && res.setHeader("location", "/account/login" + (err ? "?error=" + err : ""));
+          return res.end ? res.end() : res.send("");
+        }
+        var url   = req.url ? new URL(req.url, "http://localhost") : null;
+        var code  = url && url.searchParams.get("code");
+        var state = url && url.searchParams.get("state");
+        if (!code || !state) return _toLogin("oauth");
+
+        // Recover + clear the sealed sign-in state; the CSRF state must
+        // match the value we issued (a forged callback is dropped here).
+        var saved;
+        try { var raw = _cookieJar().readSealed(req, OAUTH_COOKIE_NAME); saved = raw ? JSON.parse(raw) : null; }
+        catch (_e) { saved = null; }
+        _cookieJar().clear(res, OAUTH_COOKIE_NAME, { path: "/account" });
+        if (!saved || saved.provider !== "google" || saved.state !== state) return _toLogin("oauth");
+
+        var claims;
+        try {
+          var tokens = await deps.oauthGoogle.exchangeCode({ code: code, verifier: saved.verifier, nonce: saved.nonce });
+          claims = tokens && tokens.claims;
+        } catch (_e) { return _toLogin("oauth"); }
+        if (!claims || !claims.sub) return _toLogin("oauth");
+
+        var rv;
+        try {
+          rv = await deps.customers.signInWithOIDC({
+            provider:       "google",
+            subject:        String(claims.sub),
+            email:          claims.email,
+            email_verified: claims.email_verified === true,
+            display_name:   claims.name,
+          });
+        } catch (e) {
+          if (e && e.code === "OAUTH_EMAIL_UNVERIFIED_CONFLICT") return _toLogin("email-conflict");
+          if (e instanceof TypeError) return _toLogin("oauth");
+          throw e;
+        }
+        // Adopt the guest cart into the now-authenticated account so a
+        // cart built before sign-in isn't lost — and so checkout.confirm
+        // (which derives order.customer_id from cart.customer_id) attaches
+        // the order to the customer. Mirrors the passkey login path.
+        var sid = _readSidCookie(req);
+        if (sid) {
+          try {
+            var anonCart = await deps.cart.bySession(sid);
+            if (anonCart) await deps.cart.setCustomer(anonCart.id, rv.customer.id);
+          } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
+        }
+        _setAuthCookie(res, { customer_id: rv.customer.id, exp: Date.now() + _b().constants.TIME.days(14) });
+        res.status(303); res.setHeader && res.setHeader("location", "/account");
+        return res.end ? res.end() : res.send("");
+      });
+    }
+
     // Wishlist — saved products scoped to the logged-in customer.
     // Mounts when the wishlist primitive is wired.
     if (deps.wishlist) {

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.48",
-      "tag": "v0.12.48",
+      "version": "0.12.49",
+      "tag": "v0.12.49",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.49 (2026-05-25) — **`b.network.dns.dnssec.verifyDenial` — NSEC / NSEC3 denial-of-existence.** Prove a DNS name does not exist, or has no records of a given type, from the signed NSEC (RFC 4034 §4) or NSEC3 (RFC 5155) records a server returns. This is the other half of local DNSSEC verification: verifyRrset proves a positive answer, verifyDenial proves a negative — so a resolver client can confirm an NXDOMAIN / NODATA itself instead of trusting the upstream resolver. NSEC3 proofs run the closest-encloser / next-closer / covering-range logic over iterated-SHA-1 hashes, with the iteration count capped (default 500) to bound the work an attacker can force, and an Opt-Out NXDOMAIN refused unless explicitly accepted (opt-out only proves 'no signed records', not non-existence). The companion b.network.dns.dnssec.nsec3Hash computes the RFC 5155 §5 hash directly. NSEC verifyRrset support is also enabled: per RFC 6840 §5.1 the NSEC Next Domain Name is not downcased, so its RDATA is verbatim-canonical. **Added:** *`b.network.dns.dnssec.verifyDenial(opts)`* — Proves NXDOMAIN or NODATA from already-verified NSEC / NSEC3 records (supply one of `opts.nsec3` or `opts.nsec`). Like `verifyDs`, it checks the denial RELATION — closest-encloser matching, covering ranges, and type-bitmap absence — not the record signatures, which the caller verifies with `verifyRrset` first. NSEC3 supports name-error proofs (matching closest encloser + covered next-closer + covered wildcard), NODATA (matching record with the type and CNAME absent from the bitmap), Opt-Out DS NODATA, and wildcard NODATA. The iterated-SHA-1 count is capped by `opts.maxIterations` (default 500); an NXDOMAIN proof that depends on an Opt-Out NSEC3 is refused unless `opts.allowOptOut` is set. NSEC supports covering-name NXDOMAIN (with the source-of-synthesis wildcard) and matching-name NODATA. Verified end-to-end against a live iana.org NXDOMAIN proof. · *`b.network.dns.dnssec.nsec3Hash(name, opts)`* — Computes the RFC 5155 §5 NSEC3 hash of a name — iterated SHA-1 over the canonical (lowercased, root-terminated) wire form with the zone salt. The base32hex encoding of the result is the NSEC3 owner label. SHA-1 is the only hash IANA registers for NSEC3, so this is a wire-protocol constant rather than a cryptographic default. Useful for checking an owner label or analyzing a zone's hashing parameters. **Changed:** *`verifyRrset` now accepts NSEC and NSEC3 RRsets* — NSEC (type 47) and NSEC3 (type 50) are no longer refused as uncanonicalizable: NSEC3's next-owner is a hash, and per RFC 6840 §5.1 the NSEC Next Domain Name field is not downcased for DNSSEC canonical form, so both RDATAs are verbatim-canonical. This lets a caller verify the signatures on the records that `verifyDenial` then reasons over.
+
 - v0.12.48 (2026-05-25) — **`b.network.dns.dnssec` — local DNSSEC signature verification (RFC 4035).** Verify a DNS answer's RRSIG signature yourself instead of trusting the upstream resolver's AD bit. b.network.dns.dnssec.verifyRrset reconstructs the RFC 4034 §3.1.8.1 signed data — the RRSIG RDATA without the signature, followed by the RRset in canonical form (owner names lowercased, RRs ordered by canonical RDATA, the RRSIG's Original TTL) — and checks the signature against the DNSKEY, enforcing the inception / expiration window. Supports RSA/SHA-256 (alg 8), ECDSA P-256/SHA-256 (13), ECDSA P-384/SHA-384 (14), and Ed25519 (15) — the modern deployed set. verifyDs checks a delegation-signer digest against a DNSKEY (SHA-256 / SHA-384) and keyTag computes the RFC 4034 Appendix B key tag. The verification core is what a chain-walker composes; it defends against a compromised or on-path resolver that lies about authentication. **Added:** *`b.network.dns.dnssec.verifyRrset(opts)`* — Verifies an RRSIG over a canonicalised RRset against a DNSKEY. `opts` carries the owner `name`, the RR `type`, the wire-format `rdatas`, the parsed `rrsig` (algorithm / labels / originalTtl / inception / expiration / keyTag / signerName / signature), and the `dnskey` (algorithm + raw public key). The signed data is rebuilt per RFC 4034 §3.1.8.1: the RRSIG prefix (type covered | algorithm | labels | original TTL | expiration | inception | key tag | canonical signer name) followed by each RR in canonical form (lowercased owner | type | class | original TTL | rdlen | rdata), sorted by `Buffer.compare` on the RDATA. The validity window is enforced against `opts.at` (defaults to now; an invalid Date is refused, not treated as now). An RRSIG whose algorithm disagrees with the DNSKEY is refused before any key is built. RR types that embed domain names in their RDATA (NS, CNAME, SOA, MX, SRV, …) need RDATA-internal name-lowercasing this version does not perform, so they are refused with `dnssec/uncanonicalizable-type` rather than mis-validated; the security-critical DNSKEY / DS and the name-free address / text types (A, AAAA, TXT, CAA, TLSA, …) are fully supported. · *`b.network.dns.dnssec.verifyDs(opts)` / `b.network.dns.dnssec.keyTag(dnskeyRdata)`* — `verifyDs` confirms a delegation-signer record matches a DNSKEY: it checks the key tag, then compares the DS digest (SHA-256 type 2 / SHA-384 type 4) against the digest computed over the canonical owner name and the DNSKEY RDATA, constant-time. `keyTag` computes the RFC 4034 Appendix B 16-bit key tag from a DNSKEY's full RDATA — the identifier an RRSIG or DS uses to select the signing key. Together with `verifyRrset` these are the per-RRset building blocks a recursive chain-walk (root → TLD → zone) composes; the chain-walk itself, NSEC / NSEC3 denial-of-existence, and the bundled IANA root trust anchor are not part of this core.
 
 - v0.12.47 (2026-05-25) — **`b.cose.mac0` / `b.cose.macVerify0` — COSE_Mac0 (RFC 9052 §6.2).** Completes the COSE message-type set (COSE_Sign1 / COSE_Encrypt0 / COSE_Mac0) with single shared-key MACs. b.cose.mac0 produces a tagged COSE_Mac0 over a payload using HMAC-SHA-256/384/512 (the COSE-standard MAC algorithms; HMAC is symmetric, so its post-quantum strength is preserved). b.cose.macVerify0 recomputes the tag over the MAC_structure and compares it in constant time, with a mandatory algorithm allowlist. Use when both parties hold a shared key — e.g. an ECDH-derived key — and a non-repudiable signature is not wanted; detached payloads are supported (the proximity mdoc device-MAC variant and MACed CWTs are the consumers). Composes b.cbor + the framework's constant-time compare; no new runtime dependency. **Added:** *`b.cose.mac0(payload, opts)` / `b.cose.macVerify0(coseMac0, opts)`* — `mac0` emits a tagged COSE_Mac0 (tag 17) with `alg` (`HMAC-256/256` | `HMAC-384/384` | `HMAC-512/512`) in the protected header and the HMAC tag computed over the MAC_structure `["MAC0", protected, external_aad, payload]`; `detached: true` emits a nil payload. `macVerify0` reads the algorithm from the protected header (must be in the required `opts.algorithms` allowlist), recomputes the tag, and compares it constant-time — a wrong key, tampered tag, or `external_aad` mismatch is refused with `cose/bad-tag`; a detached payload is supplied via `opts.externalPayload`. `external_aad` binds context into the tag.

package/lib/vendor/blamejs/README.md

@@ -120,7 +120,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
   - In-process CIDR fence (`b.middleware.networkAllowlist`)
   - `Cache-Control: no-store` on every 401 from `requireAuth` / `requireAal` / `requireStepUp` per RFC 9111 §5.2.2.5
 - **Outbound HTTP client** — HTTP/1.1 + HTTP/2 with SSRF gate (cloud-metadata IPs hard-denied; private / loopback / link-local overridable per call); scheme + userinfo + per-host destination allowlist; redirects, multipart, interceptors, progress, encrypted cookie jar (`b.httpClient`, `b.ssrfGuard`, `b.safeUrl`)
-- **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag) so a resolver client can verify an answer instead of trusting the upstream AD bit; outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
+- **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
 - **Error pages** — operator-rendered, no app-frame leakage (`b.errorPage`)
 ### Defensive parsers
 

package/lib/vendor/blamejs/SECURITY.md

@@ -351,7 +351,7 @@ This is the minimum-viable security posture for a production deployment. The fra
 - [ ] At boot, before any outbound socket opens: call `b.network.bootFromEnv({ env: process.env, audit: b.audit })` so operator-supplied NTP / DNS / proxy / DPI-trust / TCP socket settings (`BLAMEJS_NTP_*`, `BLAMEJS_DNS_*`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`, `BLAMEJS_EXTRA_CA_CERTS`, `BLAMEJS_SOCKET_*`) apply uniformly
 - [ ] If the deployment sits behind a deep-packet-inspection proxy with its own re-signing CA: install the CA via `b.network.tls.addCa("/path/to/corp-ca.pem", { label: "corp-mitm" })` and pass `allowDpiTrust: true` to `b.security.assertProduction` — every CA addition audits with subject + fingerprint so a forensic review can reconstruct the trust path
 - [ ] For authenticated time (HIPAA / PCI / FIPS shops): use `b.network.ntp.nts.query({ host: ntsKeServer })` (RFC 8915) instead of plain SNTP; set `BLAMEJS_NTS_REQUIRE=1` to fail closed on negotiation failure
-- [ ] When a DNS answer drives a trust decision (DANE / TLSA pinning, SSHFP, CAA enforcement, OPENPGPKEY lookup) and the upstream resolver isn't itself trusted: verify the answer's DNSSEC signature with `b.network.dns.dnssec.verifyRrset(...)` rather than trusting the resolver's AD bit — an on-path or compromised resolver can set AD on a forged answer, but cannot forge the RRSIG. Validate the DNSKEY against the parent's DS with `b.network.dns.dnssec.verifyDs(...)` up the chain to a trust anchor you pin
+- [ ] When a DNS answer drives a trust decision (DANE / TLSA pinning, SSHFP, CAA enforcement, OPENPGPKEY lookup) and the upstream resolver isn't itself trusted: verify the answer's DNSSEC signature with `b.network.dns.dnssec.verifyRrset(...)` rather than trusting the resolver's AD bit — an on-path or compromised resolver can set AD on a forged answer, but cannot forge the RRSIG. Validate the DNSKEY against the parent's DS with `b.network.dns.dnssec.verifyDs(...)` up the chain to a trust anchor you pin. For a negative answer that drives a fail-closed decision (an allowlist lookup, a revocation check), verify the NSEC / NSEC3 proof with `b.network.dns.dnssec.verifyDenial(...)` so a forged NXDOMAIN cannot suppress a record; keep the default Opt-Out refusal unless the zone's opt-out spans are acceptable for that decision
 - [ ] At boot in production: call `await b.security.assertProduction({ vault: "wrapped", dbAtRest: "encrypted", auditSigning: "wrapped", ntpStrict: true, requireEnv: ["BLAMEJS_VAULT_PASSPHRASE"], dataDir: "./data" })` to refuse to start on weak posture instead of warning
 - [ ] At boot: call `await b.configDrift.create({ dataDir, audit }).checkpoint({ allowedOrigins, csp, vaultMode, ... })` so the next boot detects + audits any silent runtime config change
 - [ ] At boot, before any listener opens: call `b.configDrift.verifyVendorIntegrity({ manifestPath: "./lib/vendor/MANIFEST.json", audit: b.audit })` so a tampered `lib/vendor/*.cjs` artifact aborts start instead of running with a swapped crypto bundle

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.48",
-  "createdAt": "2026-05-25T11:29:28.593Z",
+  "frameworkVersion": "0.12.49",
+  "createdAt": "2026-05-25T12:28:18.912Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -41682,6 +41682,14 @@
                   "type": "function",
                   "arity": 1
                 },
+                "nsec3Hash": {
+                  "type": "function",
+                  "arity": 2
+                },
+                "verifyDenial": {
+                  "type": "function",
+                  "arity": 1
+                },
                 "verifyDs": {
                   "type": "function",
                   "arity": 1

package/lib/vendor/blamejs/lib/network-dnssec.js

@@ -60,16 +60,21 @@ var ALGS = {
 // DS digest algorithms (IANA) → node hash.
 var DS_DIGESTS = { 2: "sha256", 4: "sha384" };
 
-// RR types whose RDATA contains NO embedded domain name, so the wire
-// RDATA is already in canonical form (RFC 4034 §6.2 needs no rewrite).
-// Name-bearing types are refused rather than silently mis-canonicalised.
+// RR types whose RDATA contains NO embedded domain name that needs
+// downcasing, so the wire RDATA is already in canonical form (RFC 4034
+// §6.2 needs no rewrite). Name-bearing types are refused rather than
+// silently mis-canonicalised. NSEC (47) is included because RFC 6840
+// §5.1 corrected RFC 4034 §6.2: the NSEC Next Domain Name field is NOT
+// downcased for DNSSEC canonical form, so its uncompressed RDATA is
+// verbatim-canonical. NSEC3 (50) carries a hashed next-owner, not a name.
 // (type numbers IANA): A 1, AAAA 28, TXT 16, DNSKEY 48, DS 43, CAA 257,
-// TLSA 52, SSHFP 44, HINFO 13, CDS 59, CDNSKEY 60, OPENPGPKEY 61, SMIMEA 53.
-var NAME_FREE_TYPE_NUMS = [1, 28, 16, 48, 43, 257, 52, 44, 13, 59, 60, 61, 53];          // allow:raw-byte-literal allow:raw-time-literal — IANA DNS type numbers (no embedded names)
+// TLSA 52, SSHFP 44, HINFO 13, CDS 59, CDNSKEY 60, OPENPGPKEY 61, SMIMEA
+// 53, NSEC 47, NSEC3 50.
+var NAME_FREE_TYPE_NUMS = [1, 28, 16, 48, 43, 257, 52, 44, 13, 59, 60, 61, 53, 47, 50];  // allow:raw-byte-literal allow:raw-time-literal — IANA DNS type numbers (no downcased embedded names)
 var TYPE_NUM = {
   A: 1, NS: 2, CNAME: 5, SOA: 6, PTR: 12, MX: 15, TXT: 16, AAAA: 28, SRV: 33,
-  DS: 43, SSHFP: 44, RRSIG: 46, DNSKEY: 48, TLSA: 52, SMIMEA: 53, CDS: 59, CDNSKEY: 60, // allow:raw-byte-literal allow:raw-time-literal — IANA DNS type numbers
-  OPENPGPKEY: 61, CAA: 257, HINFO: 13,
+  DS: 43, SSHFP: 44, RRSIG: 46, NSEC: 47, DNSKEY: 48, NSEC3: 50, TLSA: 52,            // allow:raw-byte-literal allow:raw-time-literal — IANA DNS type numbers
+  SMIMEA: 53, CDS: 59, CDNSKEY: 60, OPENPGPKEY: 61, CAA: 257, HINFO: 13,
 };
 
 function _bytes(x, what) {
@@ -319,10 +324,409 @@ function verifyRrset(opts) {
   return { ok: true, algorithm: alg.name, keyTag: rrsig.keyTag, signerName: rrsig.signerName };
 }
 
+// ---------------------------------------------------------------------------
+// Denial of existence (RFC 4034 §4 NSEC, RFC 5155 NSEC3).
+//
+// These helpers prove a name (or a name+type) DOES NOT EXIST from the
+// signed NSEC / NSEC3 records a server returns in the Authority section.
+// They operate on records the caller has ALREADY verified with
+// verifyRrset — like verifyDs, this is the relation check, not the
+// signature check. Passing unverified records proves nothing.
+// ---------------------------------------------------------------------------
+
+var BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV";          // allow:raw-byte-literal — RFC 4648 §7 extended-hex alphabet (RFC number in comment)
+var TYPE_DS = 43;                                            // allow:raw-byte-literal — IANA RR type DS
+var TYPE_CNAME = 5;
+var NSEC3_HASH_SHA1 = 1;                                     // RFC 5155 §5 — the only registered NSEC3 hash
+var DEFAULT_MAX_NSEC3_ITERATIONS = 500;                      // allow:raw-time-literal — DoS ceiling on iterated SHA-1 (RFC 9276 wants 0; deployed zones still use >0)
+
+// RFC 4648 §7 base32hex decode (no padding, case-insensitive) — the
+// label encoding of an NSEC3 owner-name hash.
+function _base32hexDecode(s, label) {
+  var up = String(s).toUpperCase();
+  var bits = 0, value = 0, out = [];
+  for (var i = 0; i < up.length; i++) {
+    var idx = BASE32HEX.indexOf(up[i]);
+    if (idx === -1) throw new DnssecError("dnssec/bad-nsec3", "dnssec: " + label + " is not valid base32hex");
+    value = (value << 5) | idx;                              // allow:raw-byte-literal — base32 5-bit group
+    bits += 5;                                               // allow:raw-byte-literal — base32 5-bit group
+    if (bits >= 8) { bits -= 8; out.push((value >> bits) & 0xff); }   // allow:raw-byte-literal — emit a full octet
+  }
+  return Buffer.from(out);
+}
+
+// RFC 4034 §4.1.2 / RFC 5155 §3.2.1 type bitmap → Set of type numbers.
+function _parseTypeBitmaps(buf, off, end) {
+  var types = new Set();
+  var i = off;
+  while (i + 2 <= end) {
+    var win = buf[i], len = buf[i + 1];
+    i += 2;
+    if (len < 1 || len > 32 || i + len > end) {              // allow:raw-byte-literal — bitmap window ≤ 256 bits = 32 octets (RFC 4034 §4.1.2)
+      throw new DnssecError("dnssec/bad-bitmap", "dnssec: malformed NSEC type bitmap");
+    }
+    for (var j = 0; j < len; j++) {
+      var octet = buf[i + j];
+      for (var bit = 0; bit < 8; bit++) {                    // allow:raw-byte-literal — 8 bits per octet
+        if (octet & (0x80 >> bit)) types.add(win * 256 + j * 8 + bit);   // allow:raw-byte-literal — bit→type-number (window*256 + octet*8 + bit)
+      }
+    }
+    i += len;
+  }
+  return types;
+}
+
+// Read an uncompressed wire-format domain name (compression pointers are
+// illegal in signed RDATA). Returns { name, end }.
+function _readWireName(buf, off) {
+  var labels = [];
+  var i = off;
+  for (;;) {
+    if (i >= buf.length) throw new DnssecError("dnssec/bad-name", "dnssec: truncated name in RDATA");
+    var len = buf[i];
+    if (len === 0) { i++; break; }
+    if ((len & 0xc0) !== 0) throw new DnssecError("dnssec/bad-name", "dnssec: compression pointer in signed RDATA");   // allow:raw-byte-literal — RFC 1035 label-length top-two-bits flag
+    i++;
+    labels.push(buf.slice(i, i + len).toString("ascii"));
+    i += len;
+  }
+  return { name: labels.length ? labels.join(".") + "." : ".", end: i };
+}
+
+function _parseNsec3Rdata(rd) {
+  if (rd.length < 6) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 RDATA too short");   // allow:raw-byte-literal — fixed NSEC3 header octets
+  var hashAlg = rd[0], flags = rd[1], iterations = rd.readUInt16BE(2), saltLen = rd[4];
+  var off = 5 + saltLen;
+  if (off + 1 > rd.length) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 salt overruns RDATA");
+  var salt = rd.slice(5, 5 + saltLen);
+  var hashLen = rd[off]; off += 1;
+  if (off + hashLen > rd.length) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 next-hashed-owner overruns RDATA");
+  var nextHashed = rd.slice(off, off + hashLen);
+  return { hashAlg: hashAlg, flags: flags, iterations: iterations, salt: salt, nextHashed: nextHashed, types: _parseTypeBitmaps(rd, off + hashLen, rd.length) };
+}
+
+function _parseNsecRdata(rd) {
+  var n = _readWireName(rd, 0);
+  return { nextName: n.name, types: _parseTypeBitmaps(rd, n.end, rd.length) };
+}
+
+// RFC 5155 §5 iterated hash: IH(salt, x, 0)=SHA-1(x‖salt);
+// IH(salt, x, k)=SHA-1(IH(salt,x,k-1)‖salt). SHA-1 is the only NSEC3
+// hash IANA defines — a wire-protocol constant, not a framework default.
+function _nsec3HashWire(nameWire, salt, iterations) {
+  var h = nodeCrypto.createHash("sha1").update(Buffer.concat([nameWire, salt])).digest();
+  for (var k = 0; k < iterations; k++) {
+    h = nodeCrypto.createHash("sha1").update(Buffer.concat([h, salt])).digest();
+  }
+  return h;
+}
+
+function _nameLabels(name) {
+  var n = String(name).replace(/\.$/, "");
+  return n === "" ? [] : n.split(".");
+}
+
+// RFC 4034 §6.1 canonical name ordering: compare label sequences from
+// the least-significant (rightmost) label, octets lowercased.
+function _canonicalNameCompare(a, b) {
+  var la = _nameLabels(a).reverse(), lb = _nameLabels(b).reverse();
+  var min = Math.min(la.length, lb.length);
+  for (var i = 0; i < min; i++) {
+    var c = Buffer.compare(Buffer.from(la[i].toLowerCase(), "ascii"), Buffer.from(lb[i].toLowerCase(), "ascii"));
+    if (c !== 0) return c;
+  }
+  return la.length - lb.length;
+}
+
+// Closest-encloser candidates: proper suffixes of qname from longest
+// (qname minus one label) down to the zone apex, longest first.
+function _closestEncloserCandidates(qname, zone) {
+  var ql = _nameLabels(qname), zl = _nameLabels(zone);
+  var out = [];
+  for (var k = ql.length - 1; k >= zl.length; k--) {
+    out.push(ql.slice(ql.length - k).join(".") + ".");
+  }
+  return out;
+}
+
+// The "next closer" name: the closest encloser with one more label of
+// qname prepended (RFC 5155 §1.3).
+function _nextCloser(qname, ce) {
+  var ql = _nameLabels(qname), n = _nameLabels(ce).length + 1;
+  return ql.slice(ql.length - n).join(".") + ".";
+}
+
+/**
+ * @primitive b.network.dns.dnssec.nsec3Hash
+ * @signature b.network.dns.dnssec.nsec3Hash(name, opts)
+ * @since     0.12.49
+ * @status    stable
+ * @related   b.network.dns.dnssec.verifyDenial
+ *
+ * Compute the RFC 5155 §5 NSEC3 hash of a name — iterated SHA-1 over the
+ * canonical (lowercased, root-terminated) wire form with the zone's salt.
+ * The result is the unencoded hash; the NSEC3 owner label is its
+ * base32hex encoding. SHA-1 is the only hash IANA registers for NSEC3,
+ * so this is a wire-protocol constant, not a cryptographic default.
+ *
+ * @opts
+ *   {
+ *     salt:        Buffer,  // zone NSEC3 salt (may be empty)
+ *     iterations:  number,  // additional hash iterations (>= 0)
+ *   }
+ *
+ * @example
+ *   var h = b.network.dns.dnssec.nsec3Hash("a.example.com", { salt: salt, iterations: 0 });
+ */
+function nsec3Hash(name, opts) {
+  validateOpts.requireObject(opts, "dnssec.nsec3Hash", DnssecError);
+  validateOpts(opts, ["salt", "iterations"], "dnssec.nsec3Hash");
+  var salt = _bytes(opts.salt, "salt");
+  var iters = opts.iterations;
+  if (typeof iters !== "number" || !isFinite(iters) || iters < 0 || Math.floor(iters) !== iters) {
+    throw new DnssecError("dnssec/bad-iterations", "dnssec.nsec3Hash: iterations must be a non-negative integer");
+  }
+  return _nsec3HashWire(_canonicalName(name), salt, iters);
+}
+
+/**
+ * @primitive b.network.dns.dnssec.verifyDenial
+ * @signature b.network.dns.dnssec.verifyDenial(opts)
+ * @since     0.12.49
+ * @status    stable
+ * @compliance soc2
+ * @related   b.network.dns.dnssec.verifyRrset, b.network.dns.dnssec.nsec3Hash
+ *
+ * Prove that a name does not exist (NXDOMAIN) or that a name has no
+ * records of a given type (NODATA) from the signed NSEC (RFC 4034 §4) or
+ * NSEC3 (RFC 5155) records in a response's Authority section. This is the
+ * other half of "verify the answer yourself": <code>verifyRrset</code>
+ * proves a positive answer, <code>verifyDenial</code> proves a negative.
+ *
+ * The records MUST already be verified with <code>verifyRrset</code> —
+ * this checks the denial RELATION (closest-encloser, covering ranges,
+ * type-bitmap absence), not the signatures. For NSEC3, the iterated-hash
+ * count is capped (<code>opts.maxIterations</code>, default 500) to bound
+ * the SHA-1 work an attacker can force. An NXDOMAIN proof that relies on
+ * an Opt-Out NSEC3 (RFC 5155 §6) is refused unless
+ * <code>opts.allowOptOut</code> — opt-out only proves "no signed records",
+ * not non-existence.
+ *
+ * @opts
+ *   {
+ *     qname:   string,        // the queried name
+ *     qtype:   string|number, // queried type (required for proof "nodata")
+ *     proof:   string,        // "nxdomain" | "nodata"
+ *     zone:    string,        // the signer zone apex (a suffix of qname)
+ *     nsec3?:  [ { owner: string, rdata: Buffer } ],  // NSEC3 records (owner = base32hex-label.zone)
+ *     nsec?:   [ { owner: string, rdata: Buffer } ],  // NSEC records
+ *     maxIterations?: number, // NSEC3 iteration cap (default 500)
+ *     allowOptOut?:   boolean, // accept an Opt-Out NXDOMAIN proof (default false)
+ *   }
+ *
+ * @example
+ *   b.network.dns.dnssec.verifyDenial({
+ *     qname: "nope.example.com", proof: "nxdomain", zone: "example.com", nsec3: records,
+ *   });
+ */
+function verifyDenial(opts) {
+  validateOpts.requireObject(opts, "dnssec.verifyDenial", DnssecError);
+  validateOpts(opts, ["qname", "qtype", "proof", "zone", "nsec3", "nsec", "maxIterations", "allowOptOut"], "dnssec.verifyDenial");
+  if (typeof opts.qname !== "string" || opts.qname === "") throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.qname is required");
+  if (typeof opts.zone !== "string" || opts.zone === "") throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.zone is required");
+  if (opts.proof !== "nxdomain" && opts.proof !== "nodata") throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.proof must be 'nxdomain' or 'nodata'");
+  var zl = _nameLabels(opts.zone), ql = _nameLabels(opts.qname);
+  if (zl.length > ql.length || zl.join(".").toLowerCase() !== ql.slice(ql.length - zl.length).join(".").toLowerCase()) {
+    throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.zone must be a suffix of opts.qname");
+  }
+  var qtypeNum;
+  if (opts.proof === "nodata") {
+    if (opts.qtype === undefined || opts.qtype === null) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.qtype is required for a nodata proof");
+    qtypeNum = _typeNumber(opts.qtype);
+  } else if (opts.qtype !== undefined && opts.qtype !== null) {
+    qtypeNum = _typeNumber(opts.qtype);
+  }
+
+  var hasNsec3 = Array.isArray(opts.nsec3) && opts.nsec3.length > 0;
+  var hasNsec = Array.isArray(opts.nsec) && opts.nsec.length > 0;
+  if (hasNsec3 === hasNsec) {
+    throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: supply exactly one of opts.nsec3 or opts.nsec");
+  }
+  return hasNsec3 ? _verifyNsec3Denial(opts, qtypeNum) : _verifyNsecDenial(opts, qtypeNum);
+}
+
+function _verifyNsec3Denial(opts, qtypeNum) {
+  var maxIter = typeof opts.maxIterations === "number" ? opts.maxIterations : DEFAULT_MAX_NSEC3_ITERATIONS;
+  if (typeof maxIter !== "number" || !isFinite(maxIter) || maxIter < 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: maxIterations must be a non-negative number");
+
+  // Parse + sanity-check every NSEC3 record; the chain shares one salt /
+  // iteration / hash-algorithm tuple.
+  var recs = opts.nsec3.map(function (r, i) {
+    if (!r || typeof r.owner !== "string") throw new DnssecError("dnssec/bad-nsec3", "dnssec.verifyDenial: nsec3[" + i + "].owner must be a string");
+    var rd = _bytes(r.rdata, "nsec3[" + i + "].rdata");
+    var p = _parseNsec3Rdata(rd);
+    if (p.hashAlg !== NSEC3_HASH_SHA1) throw new DnssecError("dnssec/unsupported-nsec3-hash", "dnssec.verifyDenial: NSEC3 hash algorithm " + p.hashAlg + " is not supported (only SHA-1 / 1 is defined)");
+    if (p.iterations > maxIter) throw new DnssecError("dnssec/nsec3-iterations-excessive", "dnssec.verifyDenial: NSEC3 iterations " + p.iterations + " exceed the cap " + maxIter);
+    var firstLabel = _nameLabels(r.owner)[0];
+    if (!firstLabel) throw new DnssecError("dnssec/bad-nsec3", "dnssec.verifyDenial: nsec3[" + i + "].owner has no hash label");
+    return { ownerHash: _base32hexDecode(firstLabel, "nsec3[" + i + "].owner"), p: p };
+  });
+  var salt = recs[0].p.salt, iterations = recs[0].p.iterations;
+  for (var s = 1; s < recs.length; s++) {
+    if (recs[s].p.iterations !== iterations || Buffer.compare(recs[s].p.salt, salt) !== 0) {
+      throw new DnssecError("dnssec/nsec3-param-mismatch", "dnssec.verifyDenial: NSEC3 records disagree on salt / iterations");
+    }
+  }
+
+  function hashOf(name) { return _nsec3HashWire(_canonicalName(name), salt, iterations); }
+  function findMatch(name) {
+    var h = hashOf(name);
+    for (var i = 0; i < recs.length; i++) if (Buffer.compare(recs[i].ownerHash, h) === 0) return recs[i];
+    return null;
+  }
+  function findCover(name) {
+    var h = hashOf(name);
+    for (var i = 0; i < recs.length; i++) {
+      var owner = recs[i].ownerHash, next = recs[i].p.nextHashed;
+      var oc = Buffer.compare(owner, next);
+      var covered = oc < 0
+        ? (Buffer.compare(owner, h) < 0 && Buffer.compare(h, next) < 0)
+        : (Buffer.compare(owner, h) < 0 || Buffer.compare(h, next) < 0);   // last NSEC3 wraps past the apex
+      if (covered) return recs[i];
+    }
+    return null;
+  }
+
+  if (opts.proof === "nodata") {
+    // RFC 5155 §8.5 — a matching NSEC3 with the type (and CNAME) absent.
+    var m = findMatch(opts.qname);
+    if (m) {
+      if (qtypeNum === TYPE_DS) {
+        if (m.p.types.has(TYPE_DS)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: DS is present in the matching NSEC3 bitmap");
+        return { ok: true, proof: "nodata", mechanism: "nsec3", matched: true };
+      }
+      if (m.p.types.has(qtypeNum)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: type " + qtypeNum + " is present in the matching NSEC3 bitmap");
+      if (m.p.types.has(TYPE_CNAME)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: name is a CNAME (query should have been redirected)");
+      return { ok: true, proof: "nodata", mechanism: "nsec3", matched: true };
+    }
+    // RFC 5155 §8.6 — Opt-Out DS NODATA: a covering NSEC3 with Opt-Out set
+    // proves an insecure delegation has no DS.
+    if (qtypeNum === TYPE_DS) {
+      var ce = _nsec3ClosestEncloser(opts, recs, findMatch);
+      if (ce) {
+        var nc = _nextCloser(opts.qname, ce);
+        var cov = findCover(nc);
+        if (cov && (cov.p.flags & 1) === 1) return { ok: true, proof: "nodata", mechanism: "nsec3", matched: false, optOut: true };
+      }
+    }
+    // RFC 5155 §8.7 — wildcard NODATA: closest encloser proof + a matching
+    // wildcard NSEC3 with the type absent.
+    var ce2 = _nsec3ClosestEncloser(opts, recs, findMatch);
+    if (ce2) {
+      var wc = findMatch("*." + ce2);
+      if (wc && !wc.p.types.has(qtypeNum) && !wc.p.types.has(TYPE_CNAME)) {
+        return { ok: true, proof: "nodata", mechanism: "nsec3", matched: false, wildcard: true, closestEncloser: ce2 };
+      }
+    }
+    throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: no matching NSEC3 proves NODATA for the queried type");
+  }
+
+  // NXDOMAIN (RFC 5155 §8.4): matching closest encloser + covered next
+  // closer + covered wildcard. Opt-Out on the next-closer cover only
+  // proves "no signed records", so it is refused unless allowOptOut.
+  var ceName = _nsec3ClosestEncloser(opts, recs, findMatch);
+  if (!ceName) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: no NSEC3 matches any closest-encloser candidate");
+  var nextCloser = _nextCloser(opts.qname, ceName);
+  var ncCover = findCover(nextCloser);
+  if (!ncCover) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: the next-closer name is not covered by any NSEC3");
+  var optOut = (ncCover.p.flags & 1) === 1;
+  if (optOut && !opts.allowOptOut) throw new DnssecError("dnssec/denial-opt-out", "dnssec.verifyDenial: NXDOMAIN relies on an Opt-Out NSEC3 (set allowOptOut to accept it as 'no signed records')");
+  // The wildcard at the closest encloser must be proven NON-EXISTENT
+  // (covered). A MATCHING wildcard means it exists, so the name should
+  // have been wildcard-synthesised and NXDOMAIN would be a forgery.
+  if (!findCover("*." + ceName)) {
+    throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: the wildcard at the closest encloser is not covered (a matching wildcard would mean the name should have been synthesised)");
+  }
+  return { ok: true, proof: "nxdomain", mechanism: "nsec3", closestEncloser: ceName, optOut: optOut };
+}
+
+function _nsec3ClosestEncloser(opts, recs, findMatch) {
+  var cands = _closestEncloserCandidates(opts.qname, opts.zone);
+  for (var i = 0; i < cands.length; i++) if (findMatch(cands[i])) return cands[i];
+  return null;
+}
+
+function _verifyNsecDenial(opts, qtypeNum) {
+  var recs = opts.nsec.map(function (r, i) {
+    if (!r || typeof r.owner !== "string") throw new DnssecError("dnssec/bad-nsec", "dnssec.verifyDenial: nsec[" + i + "].owner must be a string");
+    return { owner: r.owner, p: _parseNsecRdata(_bytes(r.rdata, "nsec[" + i + "].rdata")) };
+  });
+  function findMatch(name) {
+    for (var i = 0; i < recs.length; i++) if (_canonicalNameCompare(recs[i].owner, name) === 0) return recs[i];
+    return null;
+  }
+  function findCover(name) {
+    for (var i = 0; i < recs.length; i++) {
+      var owner = recs[i].owner, next = recs[i].p.nextName;
+      var oc = _canonicalNameCompare(owner, next);
+      var afterOwner = _canonicalNameCompare(owner, name) < 0;
+      var covered = oc < 0
+        ? (afterOwner && _canonicalNameCompare(name, next) < 0)
+        : afterOwner;   // last NSEC (next wraps to apex): any name after owner
+      if (covered) return recs[i];
+    }
+    return null;
+  }
+
+  if (opts.proof === "nodata") {
+    var m = findMatch(opts.qname);
+    if (!m) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: no NSEC matches the queried name");
+    if (m.p.types.has(qtypeNum)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: type " + qtypeNum + " is present in the matching NSEC bitmap");
+    if (qtypeNum !== TYPE_CNAME && m.p.types.has(TYPE_CNAME)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: name is a CNAME (query should have been redirected)");
+    return { ok: true, proof: "nodata", mechanism: "nsec", matched: true };
+  }
+
+  // NXDOMAIN (RFC 4035 §5.4): an NSEC covering qname AND an NSEC proving
+  // the source-of-synthesis wildcard does not exist.
+  var cover = findCover(opts.qname);
+  if (!cover) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: no NSEC covers the queried name");
+  // The closest encloser is the longest common ancestor of qname and the
+  // covering NSEC's owner/next; the wildcard sits one label below it.
+  var ce = _nsecClosestEncloser(opts.qname, cover);
+  // The source-of-synthesis wildcard must be proven NON-EXISTENT
+  // (covered). A MATCHING wildcard owner means it exists, so the query
+  // should have been answered by wildcard expansion, not NXDOMAIN.
+  var wildcard = "*." + ce;
+  if (!findCover(wildcard)) {
+    throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: the wildcard at the closest encloser is not covered (a matching wildcard would mean the name should have been synthesised)");
+  }
+  return { ok: true, proof: "nxdomain", mechanism: "nsec", closestEncloser: ce };
+}
+
+// The closest encloser for an NSEC NXDOMAIN proof is the longest name
+// that is a suffix of qname and an ancestor of both the covering NSEC's
+// owner and its next name (RFC 4035 §5.3.4 / §5.4).
+function _nsecClosestEncloser(qname, cover) {
+  var ql = _nameLabels(qname);
+  var a = _commonSuffixLen(qname, cover.owner);
+  var b = _commonSuffixLen(qname, cover.p.nextName);
+  var ceLen = Math.max(a, b);
+  return ql.slice(ql.length - ceLen).join(".") + ".";
+}
+
+function _commonSuffixLen(a, b) {
+  var la = _nameLabels(a).reverse(), lb = _nameLabels(b).reverse();
+  var n = 0, min = Math.min(la.length, lb.length);
+  while (n < min && la[n].toLowerCase() === lb[n].toLowerCase()) n++;
+  return n;
+}
+
 module.exports = {
-  verifyRrset: verifyRrset,
-  verifyDs:    verifyDs,
-  keyTag:      keyTag,
-  ALGORITHMS:  ALGS,
-  DnssecError: DnssecError,
+  verifyRrset:  verifyRrset,
+  verifyDs:     verifyDs,
+  verifyDenial: verifyDenial,
+  nsec3Hash:    nsec3Hash,
+  keyTag:       keyTag,
+  ALGORITHMS:   ALGS,
+  DnssecError:  DnssecError,
 };

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.48",
+  "version": "0.12.49",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.49.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.49",
+  "date": "2026-05-25",
+  "headline": "`b.network.dns.dnssec.verifyDenial` — NSEC / NSEC3 denial-of-existence",
+  "summary": "Prove a DNS name does not exist, or has no records of a given type, from the signed NSEC (RFC 4034 §4) or NSEC3 (RFC 5155) records a server returns. This is the other half of local DNSSEC verification: verifyRrset proves a positive answer, verifyDenial proves a negative — so a resolver client can confirm an NXDOMAIN / NODATA itself instead of trusting the upstream resolver. NSEC3 proofs run the closest-encloser / next-closer / covering-range logic over iterated-SHA-1 hashes, with the iteration count capped (default 500) to bound the work an attacker can force, and an Opt-Out NXDOMAIN refused unless explicitly accepted (opt-out only proves 'no signed records', not non-existence). The companion b.network.dns.dnssec.nsec3Hash computes the RFC 5155 §5 hash directly. NSEC verifyRrset support is also enabled: per RFC 6840 §5.1 the NSEC Next Domain Name is not downcased, so its RDATA is verbatim-canonical.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.network.dns.dnssec.verifyDenial(opts)`",
+          "body": "Proves NXDOMAIN or NODATA from already-verified NSEC / NSEC3 records (supply one of `opts.nsec3` or `opts.nsec`). Like `verifyDs`, it checks the denial RELATION — closest-encloser matching, covering ranges, and type-bitmap absence — not the record signatures, which the caller verifies with `verifyRrset` first. NSEC3 supports name-error proofs (matching closest encloser + covered next-closer + covered wildcard), NODATA (matching record with the type and CNAME absent from the bitmap), Opt-Out DS NODATA, and wildcard NODATA. The iterated-SHA-1 count is capped by `opts.maxIterations` (default 500); an NXDOMAIN proof that depends on an Opt-Out NSEC3 is refused unless `opts.allowOptOut` is set. NSEC supports covering-name NXDOMAIN (with the source-of-synthesis wildcard) and matching-name NODATA. Verified end-to-end against a live iana.org NXDOMAIN proof."
+        },
+        {
+          "title": "`b.network.dns.dnssec.nsec3Hash(name, opts)`",
+          "body": "Computes the RFC 5155 §5 NSEC3 hash of a name — iterated SHA-1 over the canonical (lowercased, root-terminated) wire form with the zone salt. The base32hex encoding of the result is the NSEC3 owner label. SHA-1 is the only hash IANA registers for NSEC3, so this is a wire-protocol constant rather than a cryptographic default. Useful for checking an owner label or analyzing a zone's hashing parameters."
+        }
+      ]
+    },
+    {
+      "heading": "Changed",
+      "items": [
+        {
+          "title": "`verifyRrset` now accepts NSEC and NSEC3 RRsets",
+          "body": "NSEC (type 47) and NSEC3 (type 50) are no longer refused as uncanonicalizable: NSEC3's next-owner is a hash, and per RFC 6840 §5.1 the NSEC Next Domain Name field is not downcased for DNSSEC canonical form, so both RDATAs are verbatim-canonical. This lets a caller verify the signatures on the records that `verifyDenial` then reasons over."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -6263,6 +6263,20 @@ var KNOWN_ANTIPATTERNS = [
     ],
     reason: "CVE-2026-22817 — every JWT verifier that resolves a JWK BY ATTACKER-CONTROLLED HEADER (kid / x5t) must cross-check the declared alg against the JWK's kty (and crv for EC) BEFORE handing the key to node:crypto.verify. Imports that skip the check are exactly the confused-deputy shape (RS256→HS256 family). The shared helper `jwtExternal._assertAlgKtyMatch(alg, jwk)` is the single point of enforcement; new code routes through it. Allowlist entries are sign-side / pinned-cert paths where the JWK is not attacker-supplied, or (did.js) where a kty/crv allowlist stands in for alg/kty because the format carries no verification alg.",
   },
+  {
+    // DNSSEC denial-of-existence: a wildcard at the closest encloser in
+    // an NXDOMAIN (Name Error) proof must be proven NON-EXISTENT
+    // (covered). Accepting a MATCHING wildcard owner as proof lets a
+    // forged NXDOMAIN suppress data that wildcard expansion should have
+    // synthesised (RFC 4035 §5.4, RFC 5155 §8.4). The bug shape is a
+    // boolean gate that treats "covered OR matched" as acceptable:
+    // `!findCover(x) && !findMatch(x)`. The fix requires cover alone.
+    id: "nsec-wildcard-cover-or-match-accepted",
+    primitive: "wildcard non-existence in an NXDOMAIN proof requires findCover() alone — never `!findCover(x) && !findMatch(x)`",
+    regex: /!\s*findCover\s*\([^)]*\)\s*&&\s*!\s*findMatch\s*\(/,
+    allowlist: [],
+    reason: "DNSSEC NXDOMAIN over-acceptance — for a Name Error proof the source-of-synthesis wildcard must be COVERED (proven absent). A matching wildcard owner means the wildcard exists and the query should have been answered by expansion, so a response claiming NXDOMAIN is forged. The `!findCover(x) && !findMatch(x)` gate accepts a matching wildcard as proof and must never appear; the correct gate is `!findCover(x)`. Detection is precise: only the cover-OR-match denial gate matches. Wildcard-NODATA (which legitimately needs a MATCHING wildcard with the type absent) uses `findMatch(...)` standalone with a type-bitmap check, not this gate, so it does not match.",
+  },
   {
     // CVE-2026-23552 — cross-realm JWT acceptance via non-CT iss
     // compare. `payload.iss !== expectedIssuer` (or claims.iss / token.iss)

package/lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js

@@ -113,11 +113,174 @@ function testVerifyDs() {
   check("verifyDs: key-tag mismatch refused", code(function () { b.network.dns.dnssec.verifyDs({ ownerName: "cloudflare.com", dnskeyRdata: cf.ksk.rdata, ds: Object.assign({}, ds, { keyTag: (tag + 1) & 0xffff }) }); }) === "dnssec/keytag-mismatch");
 }
 
+// --- Denial of existence (NSEC / NSEC3) ---
+
+var B32H = "0123456789ABCDEFGHIJKLMNOPQRSTUV";
+function b32hDecode(s) {
+  s = s.toUpperCase();
+  var bits = 0, val = 0, out = [];
+  for (var i = 0; i < s.length; i++) { val = (val << 5) | B32H.indexOf(s[i]); bits += 5; if (bits >= 8) { bits -= 8; out.push((val >> bits) & 0xff); } }
+  return Buffer.from(out);
+}
+var TY = { A: 1, NS: 2, CNAME: 5, SOA: 6, MX: 15, TXT: 16, AAAA: 28, RRSIG: 46, DNSKEY: 48, NSEC3PARAM: 51, CAA: 257, SRV: 33, DS: 43 };
+function encodeBitmap(names) {
+  if (!names.length) return Buffer.alloc(0);
+  var byWin = {};
+  names.forEach(function (nm) { var t = TY[nm]; (byWin[t >> 8] = byWin[t >> 8] || {})[t & 0xff] = 1; });
+  var parts = [];
+  Object.keys(byWin).map(Number).sort(function (a, c) { return a - c; }).forEach(function (w) {
+    var bitsSet = Object.keys(byWin[w]).map(Number);
+    var len = (Math.max.apply(null, bitsSet) >> 3) + 1, bm = Buffer.alloc(len);
+    bitsSet.forEach(function (bit) { bm[bit >> 3] |= 0x80 >> (bit & 7); });
+    parts.push(Buffer.from([w, len]), bm);
+  });
+  return Buffer.concat(parts);
+}
+function nsec3Rdata(opts) {
+  var salt = opts.salt || Buffer.alloc(0);
+  var next = Buffer.isBuffer(opts.next) ? opts.next : b32hDecode(opts.next);
+  return Buffer.concat([
+    Buffer.from([opts.hashAlg === undefined ? 1 : opts.hashAlg, opts.flags || 0, (opts.iterations >> 8) & 0xff, opts.iterations & 0xff, salt.length]),
+    salt, Buffer.from([next.length]), next, encodeBitmap(opts.types || []),
+  ]);
+}
+function nsecRdata(nextName, types) {
+  var labels = nextName.replace(/\.$/, "").split(".");
+  var parts = [];
+  labels.forEach(function (l) { var bb = Buffer.from(l, "ascii"); parts.push(Buffer.from([bb.length]), bb); });
+  parts.push(Buffer.from([0]));
+  return Buffer.concat(parts.concat([encodeBitmap(types)]));
+}
+function bufInc(buf, delta) { var b2 = Buffer.from(buf); b2[b2.length - 1] = (b2[b2.length - 1] + delta) & 0xff; return b2; }
+
+// Real `iana.org` NXDOMAIN proof (NSEC3, SHA-1, 0 iterations, empty salt),
+// captured via Cloudflare DoH for nonexistent-blamejs-test-xyz.iana.org.
+var IANA_NSEC3 = [
+  { owner: "uqk2hjod270o42j2v1hoi7qtr945lhmb.iana.org", next: "VAVBTBDJ8O7H3CJCP1HL1CDPRTFQP46L", types: [] },
+  { owner: "mvnqhoigoa305s1i78hp6cdv5n7lcutc.iana.org", next: "NGJOKE6KAKN5BC83M0IAPQVRBAJKQI3M", types: ["A", "NS", "SOA", "MX", "TXT", "AAAA", "RRSIG", "DNSKEY", "NSEC3PARAM", "CAA"] },
+  { owner: "0d5cbi611aogl6kk8jjsopfic6dcb42t.iana.org", next: "26CS5JG5RASD1SS5VNTJ9PSC7FDVQIEO", types: ["CNAME", "RRSIG"] },
+];
+function ianaRecords() {
+  return IANA_NSEC3.map(function (r) { return { owner: r.owner, rdata: nsec3Rdata({ iterations: 0, next: r.next, types: r.types }) }; });
+}
+
+function testNsec3Real() {
+  // The NSEC3 hash of the apex equals the real apex owner label byte-exact.
+  var h = b.network.dns.dnssec.nsec3Hash("iana.org", { salt: Buffer.alloc(0), iterations: 0 });
+  check("nsec3Hash: matches the real iana.org apex owner label", Buffer.compare(h, b32hDecode("MVNQHOIGOA305S1I78HP6CDV5N7LCUTC")) === 0);
+
+  var out = b.network.dns.dnssec.verifyDenial({ qname: "nonexistent-blamejs-test-xyz.iana.org", proof: "nxdomain", zone: "iana.org", nsec3: ianaRecords() });
+  check("verifyDenial: real iana.org NXDOMAIN proven (NSEC3)", out.ok && out.proof === "nxdomain" && out.mechanism === "nsec3" && out.closestEncloser === "iana.org." && out.optOut === false);
+
+  // Apex NODATA: the apex NSEC3 matches iana.org; a type absent from its
+  // bitmap is proven NODATA, a type present is refused.
+  var nodata = b.network.dns.dnssec.verifyDenial({ qname: "iana.org", qtype: "SRV", proof: "nodata", zone: "iana.org", nsec3: ianaRecords() });
+  check("verifyDenial: real iana.org NODATA for absent type proven", nodata.ok && nodata.proof === "nodata" && nodata.matched === true);
+
+  function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
+  check("verifyDenial: NODATA refused when type IS present", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "iana.org", qtype: "A", proof: "nodata", zone: "iana.org", nsec3: ianaRecords() }); }) === "dnssec/denial-not-proven");
+  // Removing the next-closer cover breaks the NXDOMAIN proof.
+  check("verifyDenial: NXDOMAIN refused without a covering NSEC3", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "nonexistent-blamejs-test-xyz.iana.org", proof: "nxdomain", zone: "iana.org", nsec3: [ianaRecords()[1]] }); }) === "dnssec/denial-not-proven");
+}
+
+function testNsec3Caps() {
+  function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
+  // Iterations beyond the cap are refused (iterated-SHA-1 DoS bound).
+  var heavy = [{ owner: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.x", rdata: nsec3Rdata({ iterations: 9999, next: b32hDecode("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB") }) }];
+  check("verifyDenial: excessive NSEC3 iterations refused", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "q.x", proof: "nxdomain", zone: "x", nsec3: heavy }); }) === "dnssec/nsec3-iterations-excessive");
+  // Unsupported hash algorithm refused.
+  var badHash = [{ owner: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.x", rdata: nsec3Rdata({ hashAlg: 2, iterations: 0, next: b32hDecode("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB") }) }];
+  check("verifyDenial: unsupported NSEC3 hash algorithm refused", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "q.x", proof: "nxdomain", zone: "x", nsec3: badHash }); }) === "dnssec/unsupported-nsec3-hash");
+}
+
+function testNsec3OptOut() {
+  // Construct an Opt-Out NXDOMAIN: matching apex + opt-out next-closer
+  // cover + covered wildcard, using real hashes of chosen names.
+  var salt = Buffer.alloc(0);
+  function H(n) { return b.network.dns.dnssec.nsec3Hash(n, { salt: salt, iterations: 0 }); }
+  var hT = H("test"), hX = H("x.test"), hW = H("*.test");
+  function b32hEncode(buf) {
+    var bits = 0, val = 0, out = "";
+    for (var i = 0; i < buf.length; i++) { val = (val << 8) | buf[i]; bits += 8; while (bits >= 5) { bits -= 5; out += B32H[(val >> bits) & 31]; } }
+    if (bits > 0) out += B32H[(val << (5 - bits)) & 31];
+    return out;
+  }
+  var recs = [
+    { owner: b32hEncode(hT) + ".test", rdata: nsec3Rdata({ flags: 0, iterations: 0, next: bufInc(hT, 1), types: ["NS", "SOA"] }) },
+    { owner: b32hEncode(bufInc(hX, -1)) + ".test", rdata: nsec3Rdata({ flags: 1, iterations: 0, next: bufInc(hX, 1) }) },
+    { owner: b32hEncode(bufInc(hW, -1)) + ".test", rdata: nsec3Rdata({ flags: 0, iterations: 0, next: bufInc(hW, 1) }) },
+  ];
+  function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
+  check("verifyDenial: Opt-Out NXDOMAIN refused by default", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "x.test", proof: "nxdomain", zone: "test", nsec3: recs }); }) === "dnssec/denial-opt-out");
+  var out = b.network.dns.dnssec.verifyDenial({ qname: "x.test", proof: "nxdomain", zone: "test", nsec3: recs, allowOptOut: true });
+  check("verifyDenial: Opt-Out NXDOMAIN accepted with allowOptOut", out.ok && out.optOut === true);
+}
+
+function testWildcardMatchRejected() {
+  // NXDOMAIN must NOT be accepted when the wildcard at the closest
+  // encloser EXISTS (matches). A forged NXDOMAIN could otherwise suppress
+  // data that wildcard expansion should have synthesised.
+  function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
+  var salt = Buffer.alloc(0);
+  function H(n) { return b.network.dns.dnssec.nsec3Hash(n, { salt: salt, iterations: 0 }); }
+  function enc(buf) {
+    var bits = 0, val = 0, out = "";
+    for (var i = 0; i < buf.length; i++) { val = (val << 8) | buf[i]; bits += 8; while (bits >= 5) { bits -= 5; out += B32H[(val >> bits) & 31]; } }
+    if (bits > 0) out += B32H[(val << (5 - bits)) & 31];
+    return out;
+  }
+  var hT = H("test"), hX = H("x.test"), hW = H("*.test");
+  var recs = [
+    { owner: enc(hT) + ".test", rdata: nsec3Rdata({ iterations: 0, next: bufInc(hT, 1), types: ["NS", "SOA"] }) },
+    { owner: enc(bufInc(hX, -1)) + ".test", rdata: nsec3Rdata({ iterations: 0, next: bufInc(hX, 1) }) },
+    { owner: enc(hW) + ".test", rdata: nsec3Rdata({ iterations: 0, next: bufInc(hW, 1), types: ["A"] }) }, // wildcard EXISTS (matches)
+  ];
+  check("verifyDenial: NSEC3 NXDOMAIN refused when wildcard matches (exists)", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "x.test", proof: "nxdomain", zone: "test", nsec3: recs }); }) === "dnssec/denial-not-proven");
+
+  // NSEC equivalent: the wildcard owner exists in the chain.
+  var nsec = [
+    { owner: "example.com", rdata: nsecRdata("*.example.com", ["A", "NS", "SOA", "RRSIG", "DNSKEY"]) },
+    { owner: "*.example.com", rdata: nsecRdata("a.example.com", ["A", "RRSIG"]) },
+    { owner: "a.example.com", rdata: nsecRdata("example.com", ["A", "RRSIG"]) },
+  ];
+  check("verifyDenial: NSEC NXDOMAIN refused when wildcard owner exists", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "b.example.com", proof: "nxdomain", zone: "example.com", nsec: nsec }); }) === "dnssec/denial-not-proven");
+}
+
+function testNsec() {
+  // Synthetic NSEC zone: apex + one name, both with bitmaps.
+  var recs = [
+    { owner: "example.com", rdata: nsecRdata("a.example.com", ["A", "NS", "SOA", "RRSIG", "DNSKEY"]) },
+    { owner: "a.example.com", rdata: nsecRdata("example.com", ["A", "RRSIG"]) },
+  ];
+  var nx = b.network.dns.dnssec.verifyDenial({ qname: "b.example.com", proof: "nxdomain", zone: "example.com", nsec: recs });
+  check("verifyDenial: NSEC NXDOMAIN proven (covering + wildcard)", nx.ok && nx.mechanism === "nsec" && nx.closestEncloser === "example.com.");
+
+  var nd = b.network.dns.dnssec.verifyDenial({ qname: "example.com", qtype: "MX", proof: "nodata", zone: "example.com", nsec: recs });
+  check("verifyDenial: NSEC NODATA proven for absent type", nd.ok && nd.matched === true);
+
+  function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
+  check("verifyDenial: NSEC NODATA refused when type present", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "example.com", qtype: "A", proof: "nodata", zone: "example.com", nsec: recs }); }) === "dnssec/denial-not-proven");
+}
+
+function testDenialArgs() {
+  function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
+  check("verifyDenial: bad proof value refused", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "x.iana.org", proof: "maybe", zone: "iana.org", nsec3: ianaRecords() }); }) === "dnssec/bad-arg");
+  check("verifyDenial: zone not a suffix of qname refused", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "x.example.org", proof: "nxdomain", zone: "iana.org", nsec3: ianaRecords() }); }) === "dnssec/bad-arg");
+  check("verifyDenial: both nsec and nsec3 supplied refused", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "x.iana.org", proof: "nxdomain", zone: "iana.org", nsec3: ianaRecords(), nsec: [{ owner: "iana.org", rdata: nsecRdata("a.iana.org", []) }] }); }) === "dnssec/bad-arg");
+  check("verifyDenial: nodata without qtype refused", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "iana.org", proof: "nodata", zone: "iana.org", nsec3: ianaRecords() }); }) === "dnssec/bad-arg");
+}
+
 async function run() {
   testSurface();
   testRealVectors();
   testRefusals();
   testVerifyDs();
+  testNsec3Real();
+  testNsec3Caps();
+  testNsec3OptOut();
+  testWildcardMatchRejected();
+  testNsec();
+  testDenialArgs();
 }
 
 module.exports = { run: run };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.1.1",
+  "version": "0.1.4",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {