@blamejs/blamejs-shop 0.1.10 → 0.1.12

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.1.x
 
+- v0.1.12 (2026-05-25) — **Card payments now finalize the order — the Stripe webhook is handled end to end.** A confirmed Stripe payment now advances the order from pending to paid. The container now serves the `POST /api/webhooks/stripe` route the edge worker forwards to: it re-verifies the event signature over the exact raw bytes, maps the event to the order's FSM transition, and is idempotent across Stripe's re-deliveries. Previously the edge verified the webhook but nothing consumed it on the container, so a paid PaymentIntent (card, Apple Pay, or Google Pay) left the order stuck in pending — no fulfillment, no paid status. Operators running checkout should upgrade and confirm their Stripe webhook points at `/api/webhooks/stripe`. **Added:** *Raw-body capture for payment webhooks* — A small middleware preserves the exact request bytes for the webhook path before the JSON body-parser runs, so signature verification (which is computed over the raw body) is reliable. It is scoped to the webhook routes and leaves every other request untouched. **Fixed:** *Stripe webhook completes the order* — `POST /api/webhooks/stripe` is now handled on the container: the event signature is re-verified against `STRIPE_WEBHOOK_SECRET` over the raw request body (a tampered or unsigned event is rejected with 400), then `payment_intent.succeeded` / `.canceled` / `charge.refunded` drive the order FSM (`mark_paid` / `cancel` / `refund`). Re-deliveries are idempotent — an event for an order already in the target state is acknowledged with 200 and skipped. A delivery for an unknown PaymentIntent is acknowledged without effect. This closes the gap where a confirmed payment never moved the order out of `pending`.
+
+- v0.1.11 (2026-05-25) — **Sign in with Apple.** Customers can now sign in with Apple, alongside passkeys and Google. A “Continue with Apple” button appears on the account login page once the operator wires the Apple credentials; the callback turns the verified Apple identity into a shop session, adopts the guest cart, and claims prior guest orders placed under the same verified email — the same way Google sign-in does. Apple's OAuth client secret is itself an ES256 JWT, which the shop mints from the team's Sign-in-with-Apple key. Sign in with Apple is off until the credentials are set, like every other integration. **Added:** *Sign in with Apple (OIDC)* — `GET /account/login/apple` starts the flow (sealed in-flight state cookie, PKCE, nonce); Apple posts the result back to `POST /account/auth/apple/callback` (response_mode=form_post). The callback verifies the state, exchanges the code, signs the customer in on `(provider=apple, subject)`, adopts the guest cart, and — when Apple reports the email as verified — claims prior guest orders under that email. The display name is captured from Apple's first-authorization `user` field (Apple sends it only once and never in the ID token). The button appears on `/account/login` only when the credentials are configured, and is listed on `/admin/integrations`. · *customers.mintAppleClientSecret* — Mints Apple's required ES256 client-secret JWT from a Services-ID `.p8` key (team id, key id, client id). This is the one signature the protocol forces to be classical ECDSA P-256 rather than the framework's post-quantum default — an external identity provider's wire format, not an application default. The secret is minted at boot with a 150-day life (inside Apple's six-month ceiling) and re-minted on each deploy. **Changed:** *Account login offers Apple when configured* — The login page shows Continue-with-Google and Continue-with-Apple buttons independently, each gated on its own credentials. Set `APPLE_TEAM_ID`, `APPLE_KEY_ID`, `APPLE_CLIENT_ID` (your Services ID), `APPLE_PRIVATE_KEY` (the `.p8` contents), and `SHOP_ORIGIN`, and add `<SHOP_ORIGIN>/account/auth/apple/callback` as a Return URL on the Services ID. Requires an Apple Developer Program membership. See the README “Optional integrations” section.
+
 - v0.1.10 (2026-05-25) — **Admin console — a review moderation screen.** Reviews join the admin console, completing the set of management screens. `/admin/reviews` is the moderation queue: filter by status (pending, published, rejected) and act on each submission inline — publish it, reject it with a reason, or take a published one back down. Reviews are short, so the queue shows each one in full (rating, title, body, verified-purchase flag) with its actions, no separate detail page. As with the other screens, every path content-negotiates: a bearer-token client gets the JSON API unchanged, a signed-in browser gets the HTML console. **Added:** *Review moderation screen* — `/admin/reviews` renders the review queue as inline cards (rating stars, title, body, verified-purchase flag, product, date) with status-filter chips, when opened in a signed-in browser; the same path serves the existing JSON list to a bearer-token client. Each card offers the actions that fit its status — a pending review can be published or rejected, a published one taken down, a rejected one published — with Reject taking a reason. Publish and reject post to their endpoints and redirect (PRG); a missing id is a no-op notice, never a 500. **Changed:** *Console nav gains Reviews; the reviews API content-negotiates* — The signed-in admin nav now includes Reviews — shown, like Returns, only when the reviews primitive is wired. The `/admin/reviews` list and the publish / reject endpoints serve the HTML console to a signed-in browser while continuing to serve the JSON API to a bearer-token client unchanged. A request without the bearer token is no longer answered with a 401 on the list path — a browser GET receives the sign-in form — matching the other console screens.
 
 - v0.1.9 (2026-05-25) — **Admin console — a returns moderation screen.** Returns join the admin console. `/admin/returns` is the RMA moderation queue: filter by status (pending, approved, received, refunded, rejected), and open a request to see its items, reason, customer notes, and linked order. From the detail page an operator works the return through its lifecycle — approve with a refund amount, mark the goods received, record the refund, or reject with a reason shown to the customer — with only the moves legal from the current status offered. An illegal move or a bad id is refused with a notice rather than an error. As with Products and Orders, every path content-negotiates: a bearer-token client gets the JSON API unchanged, a signed-in browser gets the HTML console. **Added:** *Returns moderation screen* — `/admin/returns` renders the RMA queue as a table (RMA code, order, reason, status, item count, refund amount, requested date) with status-filter chips, when opened in a signed-in browser; the same path serves the existing JSON list to a bearer-token client. Each return links to a detail page showing its line items, reason and customer notes, linked order, and refund details, with the legal next actions as forms — Approve takes a refund amount and currency, Reject takes a reason, Mark received and Refund are single-click. Each posts to its own endpoint and redirects (PRG); an unknown id renders a 404 page and an illegal or refused action redirects back with a notice, never a 500. · *returns.transitionsFrom* — `returns.transitionsFrom(status)` returns the moderation events legal from a given status as `{ on, to }`, derived from the same transition table the setters use — so the console's action buttons stay in lockstep with the return state machine. **Changed:** *Console nav gains Returns; the returns API content-negotiates* — The signed-in admin nav now includes Returns alongside Home, Dashboard, Products, Orders, Integrations, and Setup — shown only when the returns primitive is wired, so the link never points at an unmounted route. The `/admin/returns` list, detail, and approve / received / refund / reject endpoints now serve the HTML console to a signed-in browser while continuing to serve the JSON API to a bearer-token client unchanged. A request without the bearer token is no longer answered with a 401 on these paths — a browser GET receives the sign-in form and a write redirects to the console, matching the other console screens.

package/README.md

@@ -62,7 +62,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/checkout.js`** | Orchestrator. `quote()` returns priced quote; `confirm()` creates PaymentIntent + persists order in pending; `handleStripeEvent()` verifies webhook + fires the FSM transition (idempotent on re-delivery). |
 | **`lib/email.js`** | Transactional templates — order receipt, ship notification, refund confirmation. Strict `{{var}}` renderer with HTML escape + refusal of unknown / unused placeholders. Composed on `b.mail` (DKIM/SPF/DMARC/BIMI upstream). |
 | **`lib/storefront.js`** | Server-rendered HTML — utility bar + sticky header + dark hero with code-preview card + primitives marquee + featured-product callout + collections grid + framework feature band + designed catalog grid + newsletter band + four-column footer. Designed surfaces also for PDP, cart, checkout, pay, order, account login / register / dashboard, search results, `/admin` API landing, 404. Image-bearing cards on the home + search grids pull from `catalog.media`. The default theme stylesheet is external (R2-served `themes/default/assets/css/main.css`) and CSP-compliant — operators override by uploading a replacement at the same key, by passing `opts.theme_css` to renderers, or by registering a named theme through the `theme` primitive. |
-| **`lib/customers.js`** | Customer accounts — passkey (WebAuthn) + **Sign in with Google** (OIDC). Email is stored hash-only (`b.crypto.namespaceHash` namespace `customer-email`); the raw address never lands in D1. Passkey credentials carry CBOR-encoded public keys, transport hints, and SHA3-512-fingerprinted attestation. `signInWithOIDC` keys federated accounts on the provider `(provider, subject)` and links an existing account only on a provider-verified email (never on an unverified one). Account routes (`/account/login`, `/account/register`, `/account`, `/account/login/google`) ship as designed cards on the storefront. |
+| **`lib/customers.js`** | Customer accounts — passkey (WebAuthn) + **Sign in with Google / Apple** (OIDC). Email is stored hash-only (`b.crypto.namespaceHash` namespace `customer-email`); the raw address never lands in D1. Passkey credentials carry CBOR-encoded public keys, transport hints, and SHA3-512-fingerprinted attestation. `signInWithOIDC` keys federated accounts on the provider `(provider, subject)` and links an existing account only on a provider-verified email (never on an unverified one). `mintAppleClientSecret` produces Apple's required ES256 client-secret JWT from a Services-ID `.p8` key (the one classical signature the protocol mandates; the PQC default doesn't apply to an external IdP's wire format). Account routes (`/account/login`, `/account/register`, `/account`, `/account/login/google`, `/account/login/apple`) ship as designed cards on the storefront. |
 | **`lib/reviews.js`** | Operator-moderated product ratings. Submission requires a signed-in customer **and** a verified purchase — `/products/:slug/review` confirms a completed order for the product (via `order.hasPurchasedProduct`) before accepting, re-checked on POST; reviews land `pending`. Author identity is hash-only (`b.crypto.namespaceHash`); the raw email is never stored. The PDP renders the average, per-star distribution, and published reviews with `AggregateRating` JSON-LD. `/admin/reviews` is the moderation queue (`listByStatus` → publish / reject). |
 | **`lib/wishlist.js`** | Per-customer saved products. The PDP renders a login-gated "Save to wishlist" toggle and a "N shoppers saved this" social-proof count; `/account/wishlist` lists saved items (remove + reopen, orphan-tolerant when a product is archived). `POST /wishlist/toggle` is idempotent (`INSERT OR IGNORE`) and redirects to the canonical product slug or a safe same-origin `return_to`. UUID-shape-validated ids, `b.pagination` HMAC cursors. |
 | **`lib/save-for-later.js`** | Per-customer cart holding list. Each cart line gets a login-gated "Save for later" control (`POST /cart/lines/:id/save` → `moveFromCart`); `/account/saved` lists items with Move-to-cart / Remove. `moveToCart` reprices to the current catalog price and stock-gates (out-of-stock + non-backorderable is refused). Composes `catalog.inventory` + `catalog.prices` + `catalog.variants`. |
@@ -162,12 +162,10 @@ variables. A signed-in operator can see the live on/off status of each at
 | **Card checkout (Stripe)** | Checkout + the Payment Element on the pay page; refunds; subscription billing. | `STRIPE_API_KEY` (`sk_…`), `STRIPE_WEBHOOK_SECRET` (`whsec_…`), `STRIPE_PUBLISHABLE_KEY` (`pk_…`) | Point your Stripe webhook at `/api/webhooks/stripe`. Without these the shop stays browsable but checkout doesn't mount. |
 | **Apple Pay & Google Pay** | One-tap wallet buttons (Express Checkout Element) on the pay page. | Stripe (above) **+** register each web domain: `POST /admin/payment-method-domains {"domain_name":"shop.example.com"}` | Stripe performs Apple merchant validation and hosts the association file — **no Apple Developer account needed**. Apex, `www`, and each subdomain register separately; a live-mode registration also covers sandbox. |
 | **Sign in with Google** | A *Continue with Google* button on `/account/login` (OIDC). | `GOOGLE_OAUTH_CLIENT_ID`, `GOOGLE_OAUTH_CLIENT_SECRET`, `SHOP_ORIGIN` (e.g. `https://shop.example.com`) | Create a Google Cloud **OAuth 2.0 Web** client; add `<SHOP_ORIGIN>/account/auth/google/callback` as an Authorized redirect URI; consent-screen scopes `openid email profile`. The button appears only when all three are set. |
+| **Sign in with Apple** | A *Continue with Apple* button on `/account/login` (OIDC). | `APPLE_TEAM_ID`, `APPLE_KEY_ID`, `APPLE_CLIENT_ID` (your **Services ID**), `APPLE_PRIVATE_KEY` (the `.p8` key contents), `SHOP_ORIGIN` | Needs an **Apple Developer Program** membership. Create a Services ID, enable Sign in with Apple, add `<SHOP_ORIGIN>/account/auth/apple/callback` as a Return URL, and create a Sign-in-with-Apple key (`.p8`). The shop mints Apple's ES256 client secret from the key at boot (re-minted each deploy, inside Apple's 6-month window). The button appears only when all five are set. |
 
 **Planned / not available:**
 
-- **Sign in with Apple** — the flow is wired in the framework, but it needs an
-  Apple Developer Program membership ($99/yr) and an ES256 client-secret minted
-  from your `.p8` key. Config-optional; shipping behind those credentials.
 - **PayPal** — a separate adapter (Orders v2 + its own webhook); planned.
 - **Shop Pay / "Sign in with Shop"** — **not available** to a self-hosted,
   non-Shopify store: the credentials only issue from a Shopify Admin and payment

package/lib/admin.js

@@ -1787,6 +1787,8 @@ var INTEGRATIONS_CATALOG = [
     set: "Configure Stripe (above), then register each domain: POST /admin/payment-method-domains {\"domain_name\":\"shop.example.com\"}. No Apple Developer account needed." },
   { key: "google_signin",    name: "Sign in with Google",     enables: "A “Continue with Google” button on the account login page.",
     set: "GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET, SHOP_ORIGIN. Add <SHOP_ORIGIN>/account/auth/google/callback as a Google OAuth redirect URI." },
+  { key: "apple_signin",     name: "Sign in with Apple",      enables: "A “Continue with Apple” button on the account login page.",
+    set: "APPLE_TEAM_ID, APPLE_KEY_ID, APPLE_CLIENT_ID (your Services ID), APPLE_PRIVATE_KEY (the .p8 key contents), SHOP_ORIGIN. Add <SHOP_ORIGIN>/account/auth/apple/callback as a Return URL on the Services ID. Requires an Apple Developer Program membership." },
 ];
 
 function renderAdminIntegrations(opts) {

package/lib/customers.js

@@ -29,6 +29,12 @@
  *       <= 4 KiB) but never tries to parse them.
  */
 
+// Apple's OAuth client secret must be an ES256 (ECDSA P-256, IEEE-P1363)
+// JWT; the PQC-first framework ships no classical ES256 signer and
+// b.crypto.sign can't select P1363 encoding. node:crypto is the only way to
+// mint it (used solely by mintAppleClientSecret below).
+var nodeCrypto = require("node:crypto");                                   // allow:non-shop-require — Apple mandates ES256/P1363; framework has no classical ES256 signer
+
 var bShop;
 function _b() {
   if (!bShop) bShop = require("./index");
@@ -413,8 +419,56 @@ function create(opts) {
   return api;
 }
 
+// "Sign in with Apple" requires the OAuth client secret to be an
+// ES256-signed JWT — Apple's protocol mandates ECDSA P-256, the one
+// signature in this codebase that is NOT the PQC default (the framework
+// ships no ES256 signer by design). It's an external-protocol constraint,
+// not an application default, exactly like a Stripe/PayPal webhook
+// signature: the remote party dictates the algorithm. Minted from the
+// team's `.p8` EC private key:
+//   header  { alg:"ES256", kid:<key_id> }
+//   payload { iss:<team_id>, iat, exp, aud:"https://appleid.apple.com", sub:<client_id> }
+// Returns the compact JWS to hand to `b.auth.oauth.create({ clientSecret })`.
+// `ttl_seconds` defaults to 150 days (inside Apple's 180-day ceiling); the
+// secret is re-minted on the next process start, so a normal deploy
+// cadence refreshes it well within the window. A config-time / entry-point
+// helper — THROWS on bad input so a misconfigured `.p8` fails at boot.
+function mintAppleClientSecret(opts) {
+  opts = opts || {};
+  var teamId        = opts.team_id;
+  var keyId         = opts.key_id;
+  var clientId      = opts.client_id;
+  var privateKeyPem = opts.private_key;   // .p8 contents (PKCS#8 PEM)
+  if (!teamId || !keyId || !clientId || !privateKeyPem) {
+    throw new TypeError("mintAppleClientSecret: team_id, key_id, client_id, private_key are all required");
+  }
+  // Apple's exp/iat are unix SECONDS, so derive the default from C.TIME
+  // (the single duration source of truth, in ms) rather than a hand-rolled
+  // literal: 150 days, inside Apple's 180-day ceiling.
+  var ttl = opts.ttl_seconds == null ? _b().constants.TIME.days(150) / 1000 : opts.ttl_seconds;
+  if (typeof ttl !== "number" || !isFinite(ttl) || ttl <= 0 || ttl > 15777000) {
+    throw new TypeError("mintAppleClientSecret: ttl_seconds must be 1..15777000 (Apple's 6-month maximum)");
+  }
+  var key;
+  try { key = nodeCrypto.createPrivateKey(privateKeyPem); }
+  catch (e) { throw new TypeError("mintAppleClientSecret: private_key is not a valid PEM key — " + (e && e.message || e)); }
+  if (key.asymmetricKeyType !== "ec") {
+    throw new TypeError("mintAppleClientSecret: private_key must be an EC P-256 (.p8) key, got " + key.asymmetricKeyType);
+  }
+  var now     = Math.floor(Date.now() / 1000);
+  var header  = { alg: "ES256", kid: keyId };
+  var payload = { iss: teamId, iat: now, exp: now + ttl, aud: "https://appleid.apple.com", sub: clientId };
+  var b64u = _b().crypto.toBase64Url;
+  var signingInput = b64u(JSON.stringify(header)) + "." + b64u(JSON.stringify(payload));
+  // ES256 = ECDSA P-256 over SHA-256, JOSE-encoded as raw r||s (IEEE
+  // P1363), not the DER node emits by default — `dsaEncoding` selects it.
+  var sig = nodeCrypto.sign("sha256", Buffer.from(signingInput), { key: key, dsaEncoding: "ieee-p1363" });
+  return signingInput + "." + b64u(sig);
+}
+
 module.exports = {
   create:                  create,
+  mintAppleClientSecret:   mintAppleClientSecret,
   EMAIL_NAMESPACE:         EMAIL_NAMESPACE,
   MAX_DISPLAY_NAME_LEN:    MAX_DISPLAY_NAME_LEN,
   MAX_CRED_FIELD_BYTES:    MAX_CRED_FIELD_BYTES,

package/lib/storefront.js

@@ -34,6 +34,34 @@ function _b() {
   return bShop.framework;
 }
 
+// Payment-webhook signatures (Stripe's HMAC, PayPal's, …) are computed over
+// the EXACT raw request bytes, but the global JSON body-parser reparses and
+// discards them. This middleware buffers the raw body for the given POST
+// paths into `req.rawBody` BEFORE the body-parser runs, and pre-sets
+// `req.body` so the parser short-circuits (its `req.body !== undefined`
+// guard) instead of re-reading an already-drained stream. Mount it ahead of
+// `b.middleware.bodyParser()`; the webhook handlers read `req.rawBody`.
+function webhookRawBodyCapture(paths) {
+  var pathSet = {};
+  (paths || []).forEach(function (p) { pathSet[p] = true; });
+  // Compose the framework's raw body-parser (req.body ← a Buffer of the
+  // exact request bytes) instead of hand-reading the stream — it already
+  // honours the router's await/next contract and the byte-limit cap.
+  // Scoped to the webhook paths and mounted ahead of the global JSON parser:
+  // payment webhooks verify the signature over the raw body, which the JSON
+  // parser would reparse + discard. The JSON parser then skips these paths
+  // via its own `req.body !== undefined` guard.
+  var rawParser = _b().middleware.bodyParser.raw({
+    limit:        _b().constants.BYTES.mib(1),
+    contentTypes: ["application/json", "application/*"],
+  });
+  return function (req, res, next) {
+    var path = String(req.url || "").split("?")[0];
+    if ((req.method || "").toUpperCase() !== "POST" || !pathSet[path]) return next();
+    return rawParser(req, res, next);
+  };
+}
+
 // Re-use the strict renderer from the email primitive (same shape,
 // same XSS guard, same unknown / unused refusal).
 var _render = emailModule._render;
@@ -2245,10 +2273,17 @@ var LOGIN_ERROR_MESSAGES = {
 
 function renderAccountLogin(opts) {
   opts = opts || {};
-  var oauthHtml = opts.google_enabled
+  var oauthButtons = "";
+  if (opts.google_enabled) {
+    oauthButtons += "<a class=\"btn-secondary auth-oauth__btn\" href=\"/account/login/google\">Continue with Google</a>";
+  }
+  if (opts.apple_enabled) {
+    oauthButtons += "<a class=\"btn-secondary auth-oauth__btn\" href=\"/account/login/apple\">Continue with Apple</a>";
+  }
+  var oauthHtml = oauthButtons
     ? "<div class=\"auth-oauth\">" +
         "<div class=\"auth-oauth__divider\"><span>or</span></div>" +
-        "<a class=\"btn-secondary auth-oauth__btn\" href=\"/account/login/google\">Continue with Google</a>" +
+        oauthButtons +
       "</div>"
     : "";
   var errHtml = (opts.error && LOGIN_ERROR_MESSAGES[opts.error])
@@ -2891,6 +2926,36 @@ function mount(router, deps) {
         theme:          theme,
       }));
     });
+
+    // Stripe webhook — the order-completion path. A PaymentIntent succeeds
+    // asynchronously (the customer may close the tab before Stripe fires),
+    // so the order's pending→paid transition lands here, not on the return
+    // page. The body is verified over the RAW bytes (captured upstream by
+    // webhookRawBodyCapture into req.rawBody); handleStripeEvent re-verifies
+    // the signature, maps the event to an FSM transition, and dedupes
+    // Stripe's re-deliveries. A bad signature is 400; a handler error is
+    // 500 so Stripe retries; otherwise 200.
+    router.post("/api/webhooks/stripe", async function (req, res) {
+      // webhookRawBodyCapture set req.body to the exact bytes as a Buffer.
+      var raw = Buffer.isBuffer(req.body) ? req.body.toString("utf8")
+        : (typeof req.body === "string" ? req.body : "");
+      try {
+        var result = await deps.checkout.handleStripeEvent({ headers: req.headers || {}, rawBody: raw });
+        res.status(200);
+        res.setHeader && res.setHeader("content-type", "application/json; charset=utf-8");
+        var payload = JSON.stringify({ ok: true, handled: !!(result && result.handled) });
+        return res.end ? res.end(payload) : res.send(payload);
+      } catch (e) {
+        if (e && e.code === "WEBHOOK_INVALID") {
+          res.status(400);
+          return res.end ? res.end("invalid signature") : res.send("");
+        }
+        // A real failure (e.g. an illegal FSM transition) — 500 so Stripe
+        // retries the delivery rather than marking it permanently failed.
+        res.status(500);
+        return res.end ? res.end("handler error") : res.send("");
+      }
+    });
   }
 
   // ---- customer accounts (passkey-only) ------------------------------
@@ -2937,6 +3002,7 @@ function mount(router, deps) {
         shop_name:      shopName,
         cart_count:     cartCount,
         google_enabled: !!deps.oauthGoogle,
+        apple_enabled:  !!deps.oauthApple,
         error:          url && url.searchParams.get("error"),
       }));
     });
@@ -3309,6 +3375,112 @@ function mount(router, deps) {
       });
     }
 
+    // Sign in with Apple (OIDC). Mounts when the operator wires an
+    // `oauthApple` adapter (b.auth.oauth, apple preset). Two differences
+    // from Google: (1) Apple uses response_mode=form_post, so the callback
+    // is a POST whose `code`/`state` arrive in the form body, not the query
+    // string; (2) Apple returns the user's name ONLY on the first
+    // authorization, in a `user` form field (JSON) — never in the ID token
+    // — so we read it from there and fall back to the (usually absent)
+    // token name. Everything after the verified identity (sealed-state
+    // check, sign-in, cart merge, guest-order reconciliation, auth cookie)
+    // mirrors the Google path.
+    if (deps.oauthApple) {
+      router.get("/account/login/apple", async function (req, res) {
+        try {
+          var a = await deps.oauthApple.authorizationUrl({});
+          // Apple returns via response_mode=form_post — a CROSS-SITE POST
+          // from appleid.apple.com back to our callback. A SameSite=Lax
+          // cookie is NOT sent on a cross-site POST navigation (Lax only
+          // covers top-level GETs), so the sealed state would be lost and
+          // every sign-in would fail. It must be SameSite=None; Secure.
+          // (Google's callback is a GET, so Lax is fine there.)
+          _cookieJar().writeSealed(res, OAUTH_COOKIE_NAME, JSON.stringify({
+            provider: "apple", state: a.state, nonce: a.nonce, verifier: a.verifier,
+          }), { expires: new Date(Date.now() + _b().constants.TIME.minutes(10)), path: "/account", sameSite: "None", secure: true });
+          res.status(302);
+          res.setHeader && res.setHeader("location", a.url);
+          return res.end ? res.end() : res.send("");
+        } catch (e) {
+          if (e && e.code === "vault/not-initialized") { _serviceUnavailable(res, "auth not configured"); return; }
+          res.status(303); res.setHeader && res.setHeader("location", "/account/login?error=oauth");
+          return res.end ? res.end() : res.send("");
+        }
+      });
+
+      router.post("/account/auth/apple/callback", async function (req, res) {
+        function _toLogin(err) {
+          res.status(303);
+          res.setHeader && res.setHeader("location", "/account/login" + (err ? "?error=" + err : ""));
+          return res.end ? res.end() : res.send("");
+        }
+        // form_post: code + state (+ the first-auth `user` blob) are in the
+        // request body, not the query string.
+        var body  = req.body || {};
+        var code  = body.code;
+        var state = body.state;
+        if (!code || !state) return _toLogin("oauth");
+
+        var saved;
+        try { var raw = _cookieJar().readSealed(req, OAUTH_COOKIE_NAME); saved = raw ? JSON.parse(raw) : null; }
+        catch (_e) { saved = null; }
+        _cookieJar().clear(res, OAUTH_COOKIE_NAME, { path: "/account" });
+        if (!saved || saved.provider !== "apple" || saved.state !== state) return _toLogin("oauth");
+
+        var claims;
+        try {
+          var tokens = await deps.oauthApple.exchangeCode({ code: code, verifier: saved.verifier, nonce: saved.nonce });
+          claims = tokens && tokens.claims;
+        } catch (_e) { return _toLogin("oauth"); }
+        if (!claims || !claims.sub) return _toLogin("oauth");
+
+        // Apple sends the display name only on first consent, as a JSON
+        // `user` form field: { name: { firstName, lastName }, email }.
+        var displayName = claims.name || null;
+        if (typeof body.user === "string" && body.user.length) {
+          try {
+            var u = JSON.parse(body.user);
+            if (u && u.name) {
+              displayName = [u.name.firstName, u.name.lastName].filter(Boolean).join(" ") || displayName;
+            }
+          } catch (_e) { /* malformed user blob — fall back to the token name */ }
+        }
+        // Apple's email_verified arrives as a boolean OR the string "true".
+        var emailVerified = claims.email_verified === true || claims.email_verified === "true";
+
+        var rv;
+        try {
+          rv = await deps.customers.signInWithOIDC({
+            provider:       "apple",
+            subject:        String(claims.sub),
+            email:          claims.email,
+            email_verified: emailVerified,
+            display_name:   displayName,
+          });
+        } catch (e) {
+          if (e && e.code === "OAUTH_EMAIL_UNVERIFIED_CONFLICT") return _toLogin("email-conflict");
+          if (e instanceof TypeError) return _toLogin("oauth");
+          throw e;
+        }
+        var sid = _readSidCookie(req);
+        if (sid) {
+          try {
+            var anonCart = await deps.cart.bySession(sid);
+            if (anonCart) await deps.cart.setCustomer(anonCart.id, rv.customer.id);
+          } catch (_e) { /* best-effort merge; sign-in itself succeeds */ }
+        }
+        if (emailVerified && claims.email && deps.order &&
+            typeof deps.order.linkGuestOrdersByEmailHash === "function") {
+          try {
+            await deps.order.linkGuestOrdersByEmailHash(rv.customer.id, deps.customers.hashEmail(claims.email));
+          } catch (_e) { /* best-effort reconciliation; sign-in succeeds regardless */ }
+        }
+        _setAuthCookie(res, { customer_id: rv.customer.id, exp: Date.now() + _b().constants.TIME.days(14) });
+        res.status(303); res.setHeader && res.setHeader("location", "/account");
+        return res.end ? res.end() : res.send("");
+      });
+    }
+
     // Wishlist — saved products scoped to the logged-in customer.
     // Mounts when the wishlist primitive is wired.
     if (deps.wishlist) {
@@ -4066,6 +4238,7 @@ function mount(router, deps) {
 
 module.exports = {
   mount:                 mount,
+  webhookRawBodyCapture: webhookRawBodyCapture,
   renderHome:            renderHome,
   renderSearch:          renderSearch,
   renderProduct:         renderProduct,

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.51",
-      "tag": "v0.12.51",
+      "version": "0.12.52",
+      "tag": "v0.12.52",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.52 (2026-05-25) — **`b.privacyPass` — Privacy Pass origin-side token verification (RFC 9577 / 9578).** Anonymous, publicly verifiable authorization: an origin issues a WWW-Authenticate: PrivateToken challenge and verifies a presented token cryptographically, without learning who the client is and without a callback to the issuer. b.privacyPass implements the publicly verifiable token type 0x0002 (Blind RSA, 2048-bit): the token's authenticator is an RSA Blind Signature (RFC 9474) checked as RSASSA-PSS (SHA-384, 48-byte salt) over token_input = token_type ‖ nonce ‖ challenge_digest ‖ token_key_id, using only the issuer's public key. The token is bound to that key (token_key_id) and, optionally, to the challenge it answers, so a token minted for another origin is refused. Blind RSA is the algorithm Privacy Pass defines on the wire — like the DNSSEC / DANE verifiers it validates an external protocol's signatures rather than introducing classical crypto as a framework default. Verified against the RFC 9578 §8.2 test vector. **Added:** *`b.privacyPass.verifyToken(opts)` / `parseToken` / `buildChallenge`* — `buildChallenge` builds a TokenChallenge (RFC 9577 §2.1) and the matching `WWW-Authenticate: PrivateToken challenge=…, token-key=…` header an origin returns to request a token, scoped to an issuer (and optionally an origin and a 32-byte redemption context). `parseToken` splits a token into its fields (type / nonce / challenge_digest / token_key_id / authenticator). `verifyToken` verifies a type 0x0002 (Blind RSA) token: it confirms the token's `token_key_id` is the SHA-256 of the supplied issuer public key, optionally that its `challenge_digest` matches `opts.challenge`, and that the authenticator is a valid RSASSA-PSS signature over the token input. Refuses unknown / privately verifiable token types (the VOPRF type 0x0001 needs the issuer secret and is an issuer-side operation), key-id and challenge mismatches, and tampered authenticators. Marked experimental while the issuance protocols see deployment.
+
 - v0.12.51 (2026-05-25) — **`b.network.dns.dane.matchCertificate` — DANE / TLSA certificate matching (RFC 6698 / 7671).** Pin a service's certificate through DNS instead of a public CA. matchCertificate checks a server certificate against a set of TLSA records: the selected data — the full certificate (selector 0) or its subjectPublicKeyInfo (selector 1) — is hashed per the matching type (exact / SHA-256 / SHA-512) and compared in constant time to the record's association data. For a DANE-EE (usage 3) record a match is self-authenticating — the TLSA pins the key, so no public-CA path is needed (the common SMTP-DANE case, RFC 7672); for the PKIX usages a match is reported as necessary-but-not-sufficient so the caller still runs PKIX. This is the payoff of the DNSSEC verifier: verify the TLSA RRset with b.network.dns.dnssec, then match the certificate. Verified against a live DNSSEC-signed TLSA record and the matching server certificate. **Added:** *`b.network.dns.dane.matchCertificate(opts)`* — Matches a leaf certificate (and optional `chain`) against a TLSA RRset (`{ usage, selector, matchingType, data }`). Selector 0 hashes the full certificate DER, selector 1 the subjectPublicKeyInfo; matching type 0 is an exact comparison, 1 SHA-256, 2 SHA-512 (SHA-1 and any other type are refused, not guessed). End-entity usages (PKIX-EE 1, DANE-EE 3) match the leaf; trust-anchor usages (PKIX-TA 0, DANE-TA 2) match the leaf or any supplied chain certificate. Returns `{ ok, matched, daneAuthenticated, trustAnchorMatch, pkixRequired, matchedCertIndex }` — `daneAuthenticated` is true only for a DANE-EE match (the key is pinned, no CA needed); `pkixRequired` flags the PKIX usages. Throws `dane/no-match` when nothing matches, and refuses unknown usage / selector / matching values and unparseable certificates. Verify the TLSA RRset with `b.network.dns.dnssec` first — an unauthenticated TLSA record proves nothing.
 
 - v0.12.50 (2026-05-25) — **`b.network.dns.dnssec.verifyChain` — validate a DNSSEC delegation chain to a pinned root anchor.** Completes local DNSSEC verification: validate a full delegation chain from the root down to a zone against a pinned trust anchor (RFC 4035 §5), instead of trusting any single resolver. For each link, the zone's DNSKEY RRset must be self-signed by one of its keys, and that key must be vouched for either by a pinned anchor (at the root) or by a DS record served + signed by the already-trusted parent — so trust flows root → TLD → zone with no gap. The IANA root KSKs (KSK-2017 tag 20326, KSK-2024 tag 38696) ship as the default anchors; override with opts.trustAnchors for a private root. verifyChain returns the leaf zone's trusted DNSKEY set, which you then hand to verifyRrset / verifyDenial for the actual answer. Composes verifyRrset + verifyDs + the key tag; verified end-to-end against a live root→org chain. **Added:** *`b.network.dns.dnssec.verifyChain(opts)`* — Walks an ordered, root-first list of `links` ({ zone, dnskeys, dnskeyRrsig, dsRdatas?, dsRrsig? }). At each link it verifies the DNSKEY RRset's self-signature (composing `verifyRrset`), then establishes trust in the signing key: at the root by matching a pinned anchor's DS digest (`verifyDs`), at every delegation by verifying the parent-served DS RRset's signature with the already-trusted parent key and confirming the signing KSK matches one of those DS records. Returns `{ ok, zone, keys, path }` with the leaf zone's trusted DNSKEY set. Refuses a root key that matches no anchor (`dnssec/chain-anchor-mismatch`), a KSK that matches no parent DS (`dnssec/chain-ds-mismatch`), and a missing parent key (`dnssec/chain-no-parent-key`). The default `DEFAULT_ROOT_ANCHORS` are the published IANA root KSK DS records; `opts.trustAnchors` overrides them for a private or test root.

package/lib/vendor/blamejs/README.md

@@ -89,6 +89,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Financial / Open Banking** — FAPI 2.0 Final composite posture (PAR + PKCE-S256 + DPoP-or-mTLS + RFC 9207); runtime enforcement helpers `b.fapi2.assertCallback` (refuses missing iss + bare-param under message-signing) and `b.fapi2.assertAuthzRequest` (refuses non-JAR); CFPB §1033 / FDX 6.0 consumer-financial-data-sharing wrapper (`b.fdx`)
 - **Data-subject coordination** — cross-table export / rectify / erase / restrict / objection (`b.subject`, `b.subject.eraseHard`); subject-level legal-hold registry consulted by erase + retention paths (FRCP Rule 26/37(e), GDPR Art 17(3)(e), SEC Rule 17a-4, HIPAA §164.530(j)(2)) (`b.legalHold`)
 - **Account safety** — adaptive bot-challenge staircase (`b.authBotChallenge`); session-to-device-posture binding with fail-closed verify (`b.sessionDeviceBinding`)
+- **Anonymous authorization** — Privacy Pass origin side (RFC 9577/9578 — `b.privacyPass`): issue a `WWW-Authenticate: PrivateToken` challenge and verify a presented Blind-RSA (type 0x0002) token against the issuer public key, with no issuer callback and no client identity
 ### Crypto
 
 - **At-rest envelope** — envelope-versioned PQC (ML-KEM-1024 + P-384 hybrid, XChaCha20-Poly1305, SHAKE256); vault sealing (`b.crypto`, `b.vault`)

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.51",
-  "createdAt": "2026-05-25T14:53:56.538Z",
+  "frameworkVersion": "0.12.52",
+  "createdAt": "2026-05-25T16:02:59.536Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -44979,6 +44979,31 @@
         }
       }
     },
+    "privacyPass": {
+      "type": "object",
+      "members": {
+        "PrivacyPassError": {
+          "type": "function",
+          "arity": 4
+        },
+        "TOKEN_TYPE_BLIND_RSA": {
+          "type": "primitive",
+          "valueType": "number"
+        },
+        "buildChallenge": {
+          "type": "function",
+          "arity": 1
+        },
+        "parseToken": {
+          "type": "function",
+          "arity": 1
+        },
+        "verifyToken": {
+          "type": "function",
+          "arity": 1
+        }
+      }
+    },
     "problemDetails": {
       "type": "object",
       "members": {

package/lib/vendor/blamejs/index.js

@@ -394,6 +394,7 @@ var webPush = require("./lib/web-push-vapid");
 var fedcm = require("./lib/fedcm");
 var dbsc = require("./lib/dbsc");
 var importmapIntegrity = require("./lib/importmap-integrity");
+var privacyPass = require("./lib/privacy-pass");
 var standardWebhooks = require("./lib/standard-webhooks");
 var lro = require("./lib/lro");
 var jsonApi = require("./lib/jsonapi");
@@ -409,6 +410,7 @@ module.exports = {
   fedcm:            fedcm,
   dbsc:             dbsc,
   importmapIntegrity: importmapIntegrity,
+  privacyPass:      privacyPass,
   standardWebhooks: standardWebhooks,
   lro:              lro,
   jsonApi:          jsonApi,

package/lib/vendor/blamejs/lib/privacy-pass.js

@@ -0,0 +1,267 @@
+"use strict";
+/**
+ * @module b.privacyPass
+ * @nav    Identity
+ * @title  Privacy Pass
+ *
+ * @intro
+ *   Origin / relying-party side of Privacy Pass (RFC 9577 HTTP
+ *   authentication scheme, RFC 9578 issuance protocols) — issue a token
+ *   challenge and verify a presented token without learning who the
+ *   client is. An origin asks for a token with a
+ *   <code>WWW-Authenticate: PrivateToken</code> challenge; the client
+ *   obtains a token from an issuer and presents it; the origin verifies
+ *   it cryptographically.
+ *
+ *   This implements the publicly verifiable token type
+ *   <strong>0x0002 (Blind RSA, 2048-bit)</strong>: the token's
+ *   authenticator is an RSA Blind Signature (RFC 9474) that any party
+ *   holding the issuer's public key can verify with RSASSA-PSS — so the
+ *   origin verifies tokens itself, with no issuer secret and no callback.
+ *   The privately verifiable VOPRF type (0x0001) requires the issuer's
+ *   secret key and is an issuer-side operation, not implemented here.
+ *
+ *   Blind RSA is the algorithm Privacy Pass defines on the wire; like
+ *   the framework's DNSSEC / DANE verifiers it validates an external
+ *   protocol's signatures (RSASSA-PSS, SHA-384) rather than introducing
+ *   classical crypto as a framework default.
+ *
+ * @card
+ *   Privacy Pass origin side (RFC 9577 / 9578). Issue a
+ *   <code>WWW-Authenticate: PrivateToken</code> challenge and verify a
+ *   presented Blind-RSA (type 0x0002) token against the issuer public
+ *   key — anonymous, publicly verifiable authorization with no issuer
+ *   callback.
+ */
+
+var nodeCrypto = require("node:crypto");
+var bCrypto = require("./crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var PrivacyPassError = defineClass("PrivacyPassError", { alwaysPermanent: true });
+
+var TOKEN_TYPE_BLIND_RSA = 0x0002;
+// RFC 9578 §5.3 token type 0x0002: RSABSSA-SHA384-PSS, salt length 48.
+var PSS_HASH = "sha384";
+var PSS_SALT_LEN = 48;                                        // allow:raw-byte-literal — RFC 9578 §5.3 PSS salt length (= SHA-384 digest size)
+// Fixed-size token fields (RFC 9577 §2.2): type(2) nonce(32)
+// challenge_digest(32) token_key_id(32), then the authenticator.
+var TOKEN_PREFIX_LEN = 98;                                    // allow:raw-byte-literal — 2 + 32 + 32 + 32 (token_input length)
+
+// RFC 9577 §2.1 sends the challenge / token-key auth-params as base64url
+// WITH padding; Node's "base64url" output is unpadded, so pad to a
+// multiple of 4 so strict clients / proxies accept the header.
+function _b64urlPadded(buf) {
+  var s = Buffer.from(buf).toString("base64url");
+  while (s.length % 4 !== 0) s += "=";                        // allow:raw-byte-literal — base64 quantum is 4 chars
+  return s;
+}
+
+function _bytes(x, what) {
+  if (Buffer.isBuffer(x)) return x;
+  if (x instanceof Uint8Array) return Buffer.from(x);
+  if (typeof x === "string") return Buffer.from(x, "base64");
+  throw new PrivacyPassError("privacy-pass/bad-bytes", "privacyPass: " + what + " must be a Buffer / Uint8Array / base64 string");
+}
+
+// Import the issuer public key and capture the SubjectPublicKeyInfo
+// bytes used to derive token_key_id. When the caller supplies the
+// published SPKI DER directly, hash THOSE bytes — re-exporting an
+// rsa-pss KeyObject can re-encode the AlgorithmIdentifier and change the
+// digest. token_key_id is SHA-256 of the issuer's distributed key
+// (RFC 9577 §2.2), which is the SPKI as published.
+function _importIssuerKey(k) {
+  if (k && typeof k === "object" && typeof k.export === "function" && k.type === "public") {
+    return { key: k, spki: k.export({ format: "der", type: "spki" }) };
+  }
+  try {
+    if (Buffer.isBuffer(k) || k instanceof Uint8Array) {
+      var der = Buffer.from(k);
+      return { key: nodeCrypto.createPublicKey({ key: der, format: "der", type: "spki" }), spki: der };
+    }
+    // A "PUBLIC KEY" PEM body IS the SubjectPublicKeyInfo DER — decode it
+    // directly so token_key_id is SHA-256 of the issuer's exact bytes,
+    // not a re-encoding (Node can re-emit rsa-pss AlgorithmIdentifier
+    // parameters differently on export).
+    if (typeof k === "string" && /-----BEGIN PUBLIC KEY-----/.test(k)) {
+      var body = k.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s+/g, "");
+      var pemDer = Buffer.from(body, "base64");
+      return { key: nodeCrypto.createPublicKey(k), spki: pemDer };
+    }
+    var key = nodeCrypto.createPublicKey(k);                  // other key spec (best-effort SPKI export)
+    return { key: key, spki: key.export({ format: "der", type: "spki" }) };
+  } catch (e) {
+    throw new PrivacyPassError("privacy-pass/bad-key", "privacyPass: could not import issuerPublicKey: " + ((e && e.message) || e));
+  }
+}
+
+/**
+ * @primitive b.privacyPass.parseToken
+ * @signature b.privacyPass.parseToken(token)
+ * @since     0.12.52
+ * @status    experimental
+ * @related   b.privacyPass.verifyToken, b.privacyPass.buildChallenge
+ *
+ * Parse a Privacy Pass token (RFC 9577 §2.2) into its fields: the
+ * <code>tokenType</code>, the client <code>nonce</code>, the
+ * <code>challengeDigest</code> (SHA-256 of the TokenChallenge the token
+ * answers), the <code>tokenKeyId</code> (SHA-256 of the issuer public
+ * key), and the <code>authenticator</code>. Structural only — call
+ * <code>verifyToken</code> to check the signature.
+ *
+ * @example
+ *   var t = b.privacyPass.parseToken(tokenBytes);
+ *   // → { tokenType: 2, nonce, challengeDigest, tokenKeyId, authenticator }
+ */
+function parseToken(token) {
+  var b = _bytes(token, "token");
+  if (b.length < TOKEN_PREFIX_LEN + 1) throw new PrivacyPassError("privacy-pass/bad-token", "privacyPass.parseToken: token too short");
+  return {
+    tokenType:       b.readUInt16BE(0),
+    nonce:           b.slice(2, 34),
+    challengeDigest: b.slice(34, 66),
+    tokenKeyId:      b.slice(66, 98),
+    authenticator:   b.slice(98),
+    tokenInput:      b.slice(0, TOKEN_PREFIX_LEN),
+  };
+}
+
+/**
+ * @primitive b.privacyPass.verifyToken
+ * @signature b.privacyPass.verifyToken(opts)
+ * @since     0.12.52
+ * @status    experimental
+ * @compliance soc2
+ * @related   b.privacyPass.buildChallenge, b.privacyPass.parseToken
+ *
+ * Verify a publicly verifiable Privacy Pass token (type 0x0002, Blind
+ * RSA — RFC 9578 §8.2). The authenticator is checked as an RSASSA-PSS
+ * (SHA-384, MGF1-SHA-384, 48-byte salt) signature over
+ * <code>token_input = token_type ‖ nonce ‖ challenge_digest ‖
+ * token_key_id</code> using the issuer's public key. The token is bound
+ * to that key — its <code>token_key_id</code> must equal the SHA-256 of
+ * the supplied key's SubjectPublicKeyInfo — and, when
+ * <code>opts.challenge</code> is given, to that challenge (its SHA-256
+ * must equal the token's <code>challenge_digest</code>), so a token
+ * minted for a different origin's challenge is refused.
+ *
+ * @opts
+ *   {
+ *     token:            Buffer|base64,   // the presented token
+ *     issuerPublicKey:  KeyObject|Buffer(SPKI DER)|PEM,
+ *     challenge?:       Buffer|base64,   // the TokenChallenge this token must answer
+ *   }
+ *
+ * @example
+ *   var r = b.privacyPass.verifyToken({ token: tok, issuerPublicKey: issuerSpki });
+ *   // → { ok: true, tokenType: 2, nonce, challengeDigest, tokenKeyId }
+ */
+function verifyToken(opts) {
+  validateOpts.requireObject(opts, "privacyPass.verifyToken", PrivacyPassError);
+  validateOpts(opts, ["token", "issuerPublicKey", "challenge"], "privacyPass.verifyToken");
+  if (opts.issuerPublicKey === undefined || opts.issuerPublicKey === null) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.verifyToken: opts.issuerPublicKey is required");
+
+  var parsed = parseToken(opts.token);
+  if (parsed.tokenType !== TOKEN_TYPE_BLIND_RSA) {
+    throw new PrivacyPassError("privacy-pass/unsupported-token-type", "privacyPass.verifyToken: only token type 0x0002 (Blind RSA) is verifiable by the origin; got 0x" + parsed.tokenType.toString(16).padStart(4, "0"));  // allow:raw-byte-literal — base-16 radix + 4-hex-digit pad, not a size
+  }
+
+  var imported = _importIssuerKey(opts.issuerPublicKey);
+  var key = imported.key;
+  if (key.asymmetricKeyType !== "rsa" && key.asymmetricKeyType !== "rsa-pss") {
+    throw new PrivacyPassError("privacy-pass/bad-key", "privacyPass.verifyToken: issuerPublicKey must be an RSA key for token type 0x0002");
+  }
+
+  // Bind the token to the issuer key: token_key_id = SHA-256(SPKI).
+  var keyId = nodeCrypto.createHash("sha256").update(imported.spki).digest();
+  if (!bCrypto.timingSafeEqual(keyId, parsed.tokenKeyId)) {
+    throw new PrivacyPassError("privacy-pass/key-id-mismatch", "privacyPass.verifyToken: token_key_id does not match the issuer public key");
+  }
+
+  // Bind the token to the challenge, when supplied.
+  if (opts.challenge !== undefined && opts.challenge !== null) {
+    var cd = nodeCrypto.createHash("sha256").update(_bytes(opts.challenge, "challenge")).digest();
+    if (!bCrypto.timingSafeEqual(cd, parsed.challengeDigest)) {
+      throw new PrivacyPassError("privacy-pass/challenge-mismatch", "privacyPass.verifyToken: challenge_digest does not match opts.challenge");
+    }
+  }
+
+  var ok;
+  try {
+    ok = nodeCrypto.verify(PSS_HASH, parsed.tokenInput, { key: key, padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: PSS_SALT_LEN }, parsed.authenticator);
+  } catch (e) {
+    throw new PrivacyPassError("privacy-pass/verify-threw", "privacyPass.verifyToken: signature verification threw: " + ((e && e.message) || e));
+  }
+  if (!ok) throw new PrivacyPassError("privacy-pass/bad-authenticator", "privacyPass.verifyToken: token authenticator did not verify");
+  return { ok: true, tokenType: parsed.tokenType, nonce: parsed.nonce, challengeDigest: parsed.challengeDigest, tokenKeyId: parsed.tokenKeyId };
+}
+
+/**
+ * @primitive b.privacyPass.buildChallenge
+ * @signature b.privacyPass.buildChallenge(opts)
+ * @since     0.12.52
+ * @status    experimental
+ * @related   b.privacyPass.verifyToken
+ *
+ * Build a TokenChallenge (RFC 9577 §2.1) and the matching
+ * <code>WWW-Authenticate: PrivateToken</code> header value an origin
+ * returns to ask a client for a token. The challenge binds the token to
+ * this issuer (and optionally this origin and a redemption context);
+ * its SHA-256 is the <code>challenge_digest</code> that
+ * <code>verifyToken</code> checks.
+ *
+ * @opts
+ *   {
+ *     issuerName:        string,   // the token issuer's name
+ *     tokenType?:        number,   // default 0x0002 (Blind RSA)
+ *     originInfo?:       string,   // origin name(s) the token is scoped to (default: any)
+ *     redemptionContext?: Buffer,  // 0 or 32 bytes (default: empty)
+ *     tokenKey?:         Buffer|KeyObject,  // issuer SPKI, included as token-key= when given
+ *   }
+ *
+ * @example
+ *   var c = b.privacyPass.buildChallenge({ issuerName: "issuer.example", originInfo: "origin.example" });
+ *   res.setHeader("WWW-Authenticate", c.wwwAuthenticate);
+ */
+function buildChallenge(opts) {
+  validateOpts.requireObject(opts, "privacyPass.buildChallenge", PrivacyPassError);
+  validateOpts(opts, ["issuerName", "tokenType", "originInfo", "redemptionContext", "tokenKey"], "privacyPass.buildChallenge");
+  if (typeof opts.issuerName !== "string" || opts.issuerName === "") throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: opts.issuerName is required");
+  var tokenType = opts.tokenType === undefined ? TOKEN_TYPE_BLIND_RSA : opts.tokenType;
+  if (typeof tokenType !== "number" || !Number.isInteger(tokenType) || tokenType < 0 || tokenType > 0xffff) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: tokenType must be a uint16");
+
+  var issuer = Buffer.from(opts.issuerName, "utf8");
+  if (issuer.length > 0xffff) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: issuerName too long");
+  var origin = Buffer.alloc(0);
+  if (opts.originInfo !== undefined && opts.originInfo !== null) {
+    if (typeof opts.originInfo !== "string") throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: originInfo must be a string");
+    origin = Buffer.from(opts.originInfo, "utf8");
+    if (origin.length > 0xffff) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: originInfo too long");
+  }
+  var rc = opts.redemptionContext !== undefined && opts.redemptionContext !== null ? _bytes(opts.redemptionContext, "redemptionContext") : Buffer.alloc(0);
+  if (rc.length !== 0 && rc.length !== 32) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: redemptionContext must be empty or 32 bytes");  // allow:raw-byte-literal — RFC 9577 redemption_context is 0 or 32 bytes
+
+  var u16 = function (n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); };
+  var challenge = Buffer.concat([
+    u16(tokenType),
+    u16(issuer.length), issuer,
+    Buffer.from([rc.length]), rc,
+    u16(origin.length), origin,
+  ]);
+
+  var parts = ['PrivateToken challenge="' + _b64urlPadded(challenge) + '"'];
+  if (opts.tokenKey !== undefined && opts.tokenKey !== null) {
+    var spki = (opts.tokenKey && typeof opts.tokenKey.export === "function") ? opts.tokenKey.export({ format: "der", type: "spki" }) : _bytes(opts.tokenKey, "tokenKey");
+    parts.push('token-key="' + _b64urlPadded(spki) + '"');
+  }
+  return { challenge: challenge, wwwAuthenticate: parts.join(", ") };
+}
+
+module.exports = {
+  parseToken:     parseToken,
+  verifyToken:    verifyToken,
+  buildChallenge: buildChallenge,
+  TOKEN_TYPE_BLIND_RSA: TOKEN_TYPE_BLIND_RSA,
+  PrivacyPassError: PrivacyPassError,
+};

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.51",
+  "version": "0.12.52",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.52.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.52",
+  "date": "2026-05-25",
+  "headline": "`b.privacyPass` — Privacy Pass origin-side token verification (RFC 9577 / 9578)",
+  "summary": "Anonymous, publicly verifiable authorization: an origin issues a WWW-Authenticate: PrivateToken challenge and verifies a presented token cryptographically, without learning who the client is and without a callback to the issuer. b.privacyPass implements the publicly verifiable token type 0x0002 (Blind RSA, 2048-bit): the token's authenticator is an RSA Blind Signature (RFC 9474) checked as RSASSA-PSS (SHA-384, 48-byte salt) over token_input = token_type ‖ nonce ‖ challenge_digest ‖ token_key_id, using only the issuer's public key. The token is bound to that key (token_key_id) and, optionally, to the challenge it answers, so a token minted for another origin is refused. Blind RSA is the algorithm Privacy Pass defines on the wire — like the DNSSEC / DANE verifiers it validates an external protocol's signatures rather than introducing classical crypto as a framework default. Verified against the RFC 9578 §8.2 test vector.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.privacyPass.verifyToken(opts)` / `parseToken` / `buildChallenge`",
+          "body": "`buildChallenge` builds a TokenChallenge (RFC 9577 §2.1) and the matching `WWW-Authenticate: PrivateToken challenge=…, token-key=…` header an origin returns to request a token, scoped to an issuer (and optionally an origin and a 32-byte redemption context). `parseToken` splits a token into its fields (type / nonce / challenge_digest / token_key_id / authenticator). `verifyToken` verifies a type 0x0002 (Blind RSA) token: it confirms the token's `token_key_id` is the SHA-256 of the supplied issuer public key, optionally that its `challenge_digest` matches `opts.challenge`, and that the authenticator is a valid RSASSA-PSS signature over the token input. Refuses unknown / privately verifiable token types (the VOPRF type 0x0001 needs the issuer secret and is an issuer-side operation), key-id and challenge mismatches, and tampered authenticators. Marked experimental while the issuance protocols see deployment."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -2271,9 +2271,10 @@ async function testNoDuplicateCodeBlocks() {
         "lib/mdoc.js:_bytes",
         "lib/network-dnssec.js:_bytes",
         "lib/network-dane.js:_bytes",
+        "lib/privacy-pass.js:_bytes",
         "lib/tsa.js:_bytes",
       ],
-      reason: "v0.12.48 / v0.12.51 — Buffer-coercion guard (`if (Buffer.isBuffer(x)) return x; if (x instanceof Uint8Array) return Buffer.from(x); throw <Error>`) repeats across byte-string-consuming primitives. Each throws a MODULE-LOCAL typed error code (cose/bad-cose-key, mdoc/bad-input, dnssec/bad-bytes, dane/bad-bytes, tsa/bad-input) naming the local argument; network-dane additionally coerces a hex string. The duplicated three-line shape is the symptom, the cause is that JS can't throw a caller-namespaced ErrorClass without the local closure. Same documented exception as the v0.12.7 require-non-empty-string cluster — the typed-error CODE is the divergence the dup detector can't see.",
+      reason: "v0.12.48 / v0.12.51 / v0.12.52 — Buffer-coercion guard (`if (Buffer.isBuffer(x)) return x; if (x instanceof Uint8Array) return Buffer.from(x); throw <Error>`) repeats across byte-string-consuming primitives. Each throws a MODULE-LOCAL typed error code (cose/bad-cose-key, mdoc/bad-input, dnssec/bad-bytes, dane/bad-bytes, tsa/bad-input) naming the local argument; network-dane additionally coerces a hex string. The duplicated three-line shape is the symptom, the cause is that JS can't throw a caller-namespaced ErrorClass without the local closure. Same documented exception as the v0.12.7 require-non-empty-string cluster — the typed-error CODE is the divergence the dup detector can't see.",
     },
     {
       mode:  "family-subset",

package/lib/vendor/blamejs/test/layer-0-primitives/privacy-pass.test.js

@@ -0,0 +1,120 @@
+"use strict";
+/**
+ * Layer 0 — b.privacyPass (Privacy Pass origin side, RFC 9577 / 9578).
+ * The oracle is the published RFC 9578 §8.2 test vector for token type
+ * 0x0002 (Blind RSA): the issuer public key, the TokenChallenge, and the
+ * issued token. A wrong token_input layout or PSS parameter would fail
+ * the real RSASSA-PSS verification, and the build-then-digest round trip
+ * reproduces the vector's challenge_digest byte-for-byte.
+ */
+
+var b = require("../../index");
+var helpers = require("../helpers");
+var check = helpers.check;
+var crypto = require("node:crypto");
+
+// RFC 9578 §8.2, test vector 1 (token type 0x0002, Blind RSA 2048).
+var PKI_SPKI_HEX = "30820152303d06092a864886f70d01010a3030a00d300b0609608648016503040202a11a301806092a864886f70d010108300b0609608648016503040202a2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c500a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce453b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c732db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073fe49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9babd612d03cad02db134b7e225a5f0203010001";
+var TOKEN_CHALLENGE_HEX = "0002000e6973737565722e6578616d706c65208e7acc900e393381e8810b7c9e4a68b5163f1f880ab6688a6ffe780923609e88000e6f726967696e2e6578616d706c65";
+var TOKEN_HEX = "0002aa72019d1f951df197021ce63876fe8b0a02dc1c31a12b0a2dd1508d07827f055969f643b4cfda5196d4aa86aeb5368834f4f06de46950ed435b3b81bd036d44ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708bc6a21b533d07294b5e900faf5537dd3eb33cee4e08c9670d1e5358fd184b0e00c637174f5206b14c7bb0e724ebf6b56271e5aa2ed94c051c4a433d302b23bc52460810d489fb050f9de5c868c6c1b06e3849fd087629f704cc724bc0d0984d5c339686fcdd75f9a9cdd25f37f855f6f4c584d84f716864f546b696d620c5bd41a811498de84ff9740ba3003ba2422d26b91eb745c084758974642a42078201543246ddb58030ea8e722376aa82484dca9610a8fb7e018e396165462e17a03e40ea7e128c090a911ecc708066cb201833010c1ebd4e910fc8e27a1be467f78671836a508257123a45e4e0ae2180a434bd1037713466347a8ebe46439d3da1970";
+
+function spki() { return Buffer.from(PKI_SPKI_HEX, "hex"); }
+function token() { return Buffer.from(TOKEN_HEX, "hex"); }
+function challenge() { return Buffer.from(TOKEN_CHALLENGE_HEX, "hex"); }
+function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
+
+function testSurface() {
+  check("b.privacyPass.verifyToken is a function", typeof b.privacyPass.verifyToken === "function");
+  check("b.privacyPass.parseToken is a function", typeof b.privacyPass.parseToken === "function");
+  check("b.privacyPass.buildChallenge is a function", typeof b.privacyPass.buildChallenge === "function");
+  check("b.privacyPass.TOKEN_TYPE_BLIND_RSA is 0x0002", b.privacyPass.TOKEN_TYPE_BLIND_RSA === 0x0002);
+  check("b.privacyPass.PrivacyPassError is the typed error class", typeof b.privacyPass.PrivacyPassError === "function" && code(function () { b.privacyPass.parseToken(Buffer.alloc(2)); }) === "privacy-pass/bad-token");
+  var threw = null; try { b.privacyPass.parseToken(Buffer.alloc(2)); } catch (e) { threw = e; }
+  check("PrivacyPassError instances are thrown", threw instanceof b.privacyPass.PrivacyPassError);
+}
+
+function testParse() {
+  var t = b.privacyPass.parseToken(token());
+  check("parseToken: token type 0x0002", t.tokenType === 0x0002);
+  check("parseToken: 32-byte nonce / digest / key-id", t.nonce.length === 32 && t.challengeDigest.length === 32 && t.tokenKeyId.length === 32);
+  check("parseToken: 256-byte authenticator (RSA-2048)", t.authenticator.length === 256);
+  // The embedded token_key_id is SHA-256 of the issuer SPKI.
+  var keyId = crypto.createHash("sha256").update(spki()).digest();
+  check("parseToken: token_key_id == SHA-256(issuer SPKI)", Buffer.compare(keyId, t.tokenKeyId) === 0);
+}
+
+function testRealVector() {
+  var out = b.privacyPass.verifyToken({ token: token(), issuerPublicKey: spki() });
+  check("verifyToken: real RFC 9578 §8.2 Blind RSA token verifies", out.ok && out.tokenType === 0x0002);
+  // Bound to the challenge it answers.
+  var out2 = b.privacyPass.verifyToken({ token: token(), issuerPublicKey: spki(), challenge: challenge() });
+  check("verifyToken: verifies when bound to the matching challenge", out2.ok === true);
+}
+
+function testBuildChallengeRoundTrip() {
+  // Rebuilding the vector's TokenChallenge reproduces it byte-for-byte,
+  // and its SHA-256 is the challenge_digest embedded in the token.
+  var rc = challenge().slice(19, 51); // the 32-byte redemption_context (after the 1-byte length at offset 18)
+  var c = b.privacyPass.buildChallenge({ issuerName: "issuer.example", originInfo: "origin.example", redemptionContext: rc });
+  check("buildChallenge: reproduces the RFC TokenChallenge bytes", Buffer.compare(c.challenge, challenge()) === 0);
+  var digest = crypto.createHash("sha256").update(c.challenge).digest();
+  var t = b.privacyPass.parseToken(token());
+  check("buildChallenge: SHA-256(challenge) == token challenge_digest", Buffer.compare(digest, t.challengeDigest) === 0);
+  check("buildChallenge: emits a PrivateToken WWW-Authenticate header", /^PrivateToken challenge="/.test(c.wwwAuthenticate));
+  // RFC 9577 §2.1: auth-param values are padded base64url.
+  var cv = c.wwwAuthenticate.match(/challenge="([^"]+)"/)[1];
+  check("buildChallenge: challenge value is base64url with padding (len % 4 === 0)", cv.length % 4 === 0 && !/[+/]/.test(cv));
+  var ck = b.privacyPass.buildChallenge({ issuerName: "issuer.example", tokenKey: spki() });
+  check("buildChallenge: token-key value is padded base64url", /token-key="([^"]+)"/.test(ck.wwwAuthenticate) && ck.wwwAuthenticate.match(/token-key="([^"]+)"/)[1].length % 4 === 0);
+}
+
+function testPemKeyId() {
+  // A PEM-encoded issuer key must derive the same token_key_id as the raw
+  // SPKI bytes (Node can re-encode an rsa-pss AlgorithmIdentifier on
+  // export, so the PEM body bytes — not a re-export — must be hashed).
+  var pem = "-----BEGIN PUBLIC KEY-----\n" + spki().toString("base64").replace(/(.{64})/g, "$1\n").replace(/\n$/, "") + "\n-----END PUBLIC KEY-----\n";
+  var out = b.privacyPass.verifyToken({ token: token(), issuerPublicKey: pem });
+  check("verifyToken: real token verifies with a PEM issuer key", out.ok === true);
+}
+
+function testRefusals() {
+  // Tampered authenticator fails.
+  check("verifyToken: tampered authenticator refused", code(function () {
+    var bad = token(); bad[bad.length - 1] ^= 0xff;
+    b.privacyPass.verifyToken({ token: bad, issuerPublicKey: spki() });
+  }) === "privacy-pass/bad-authenticator");
+  // Wrong issuer key → token_key_id mismatch (caught before signature).
+  check("verifyToken: wrong issuer key refused (key-id mismatch)", code(function () {
+    var otherKey = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 }).publicKey.export({ format: "der", type: "spki" });
+    b.privacyPass.verifyToken({ token: token(), issuerPublicKey: otherKey });
+  }) === "privacy-pass/key-id-mismatch");
+  // Wrong challenge → challenge_digest mismatch.
+  check("verifyToken: mismatched challenge refused", code(function () {
+    b.privacyPass.verifyToken({ token: token(), issuerPublicKey: spki(), challenge: Buffer.from("not the challenge") });
+  }) === "privacy-pass/challenge-mismatch");
+  // Privately verifiable VOPRF (0x0001) is not an origin-verify operation.
+  check("verifyToken: token type 0x0001 (VOPRF) refused", code(function () {
+    var t = token(); t.writeUInt16BE(0x0001, 0);
+    b.privacyPass.verifyToken({ token: t, issuerPublicKey: spki() });
+  }) === "privacy-pass/unsupported-token-type");
+  // Truncated token refused.
+  check("parseToken: short token refused", code(function () { b.privacyPass.parseToken(Buffer.alloc(40)); }) === "privacy-pass/bad-token");
+}
+
+async function run() {
+  testSurface();
+  testParse();
+  testRealVector();
+  testBuildChallengeRoundTrip();
+  testPemKeyId();
+  testRefusals();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[privacy-pass] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.1.10",
+  "version": "0.1.12",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {