@blamejs/blamejs-shop 0.1.16 → 0.1.18

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.1.x
 
+- v0.1.18 (2026-05-25) — **Admin console — a subscription-plans screen.** Subscription plans join the admin console. `/admin/subscription-plans` lists the recurring-offer catalog — price, interval, trial, and Stripe price id — with an active / archived filter, creates a plan from a signed-in browser, and archives one. As with the other console screens, the same path serves the existing JSON API to a bearer-token client unchanged. **Added:** *Subscription-plans management screen* — `/admin/subscription-plans` renders the plan catalog (price and interval, trial length, Stripe price id, linked variant, status) with an active / archived filter, when opened in a signed-in browser; the same path serves the JSON list to a bearer-token client. A form creates a plan — Stripe price id, interval, interval count, currency, amount, trial days, and an optional variant link — and each active row archives in one submit. A bad-shape create re-renders the form with the validator's message rather than a 500, and archiving an unknown plan is a no-op notice. Archiving is terminal from the console: because a plan mirrors a Stripe price id that can go stale, a retired plan is re-offered by creating a new one against a fresh price id. **Changed:** *Console nav gains Subscriptions* — The signed-in admin nav now includes Subscriptions alongside Products, Inventory, Orders, Returns, and Reviews, shown when the subscriptions primitive is wired. The `/admin/subscription-plans` list, create, and archive endpoints content-negotiate like the other screens: a bearer-token client gets the JSON API, a signed-in browser gets HTML. A request without the bearer token returns the sign-in form on a GET and redirects on a write.
+
+- v0.1.17 (2026-05-25) — **Admin console — an inventory screen.** Inventory joins the admin console. `/admin/inventory` lists stock per SKU — on hand, held, and available — with a low-stock filter, restocks a SKU, sets or clears its per-SKU low-stock threshold, and tracks a new SKU, all from a signed-in browser. As with the other console screens, the same path serves the existing JSON API to a bearer-token client unchanged. **Added:** *Inventory management screen* — `/admin/inventory` renders the inventory table (SKU, on-hand, held, available) with a low-stock filter (`?low=1`) that surfaces SKUs at or below their threshold, when opened in a signed-in browser; the same path serves a new JSON list to a bearer-token client. Each row's form restocks (add quantity) and sets the low-stock threshold (blank clears it) in one submit, and a form below tracks a new SKU. The create / restock JSON API is unchanged for tooling; the browser forms post and redirect (PRG), and a bad SKU is a no-op notice rather than a 500. · *catalog.inventory.list* — `catalog.inventory.list({ limit, low_only })` returns inventory rows (SKU ascending), optionally only those at or below their configured low-stock threshold — the read backing the console list and the JSON endpoint. **Changed:** *Console nav gains Inventory* — The signed-in admin nav now includes Inventory alongside Products, Orders, Returns, and Reviews. The `/admin/inventory` list and the create / restock endpoints content-negotiate like the other screens: a bearer-token client gets the JSON API, a signed-in browser gets HTML. A request without the bearer token on these paths now returns the sign-in form on a GET and redirects on a write, matching the other console screens.
+
 - v0.1.16 (2026-05-25) — **PayPal express checkout — the on-page button.** PayPal checkout is now usable from the storefront. When PayPal is configured, the checkout page shows a native PayPal button (distinct from PayPal-through-Stripe): it opens a PayPal order for the current cart, the buyer approves in the PayPal popup, and the order is captured and marked paid. A verified PayPal webhook is the asynchronous backstop. This completes the native PayPal integration on top of the adapter and checkout orchestration shipped in the previous two releases. Card / Stripe checkout is unchanged. **Added:** *PayPal button + create/capture routes on the storefront* — The checkout page renders a PayPal button when `PAYPAL_CLIENT_ID` is configured. Its create step posts to `POST /checkout/paypal/create` (prices the cart, opens a PayPal order, persists the local order pending) and its approve step posts to `POST /checkout/paypal/capture` (captures and advances the order to paid, then redirects to the order page). Both validate input and never 500 on a missing cart or id. The buttons collect the same shipping fields as the card form. · *PayPal webhook endpoint* — `POST /api/webhooks/paypal` is the asynchronous backstop for captures completed or refunded out of band. The container verifies each event server-to-server through PayPal's verify-webhook-signature API (no edge HMAC pre-check, unlike Stripe), then advances the order; re-deliveries are idempotent. Point a PayPal webhook at `/api/webhooks/paypal`. **Changed:** *PayPal listed as configurable; CSP note* — The integrations status page and README document PayPal as a first-class checkout option once configured. As with the Stripe pay page's `js.stripe.com`, operators must allow `www.paypal.com` in their Content-Security-Policy `script-src` / `frame-src` for the PayPal SDK and approval popup.
 
 - v0.1.15 (2026-05-25) — **PayPal checkout orchestration.** Checkout can now run a PayPal order end to end, building on the adapter from the previous release. The orchestrator prices the cart, opens a PayPal order and persists the local order as pending, captures it after the buyer approves and advances the order to paid, and has a webhook backstop for captures completed or refunded out of band. Wired in when a PayPal app's credentials are present, and surfaced on the integrations status page. The storefront button and routes that drive this from the pay page come next; card / Stripe checkout is unchanged. **Added:** *checkout PayPal methods* — With a PayPal adapter wired (`paypal` dep), checkout gains three methods. `createPaypalOrder({ cart_id, ship_to, selected_shipping_id, customer, idempotency_key, return_url?, cancel_url? })` prices the cart, opens a PayPal Orders-v2 order, persists the local order in `pending` with the PayPal order id linked, and marks the cart converted. `capturePaypalOrder(paypalOrderId)` captures the approved order and advances the local order to `paid` (idempotent — a retry or a webhook that beat it won't double-transition). `handlePaypalEvent({ headers, rawBody })` is the asynchronous backstop: it verifies the event through PayPal, then maps `PAYMENT.CAPTURE.COMPLETED` → paid and `PAYMENT.CAPTURE.REFUNDED` → refunded, idempotent across re-deliveries. · *PayPal wired from configuration* — When `PAYPAL_CLIENT_ID` + `PAYPAL_SECRET` are set (with `PAYPAL_ENV` and `PAYPAL_WEBHOOK_ID`), the server builds the PayPal adapter and passes it to checkout; the integrations status page lists PayPal as action-needed once card checkout is also live. Off until configured; the existing checkout flow is untouched.

package/README.md

@@ -72,7 +72,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/collections.js`** | Curated + smart product groupings. `GET /collections` lists the shop's active collections; `GET /collections/:slug` renders the grid — manual collections list hand-picked members, smart collections evaluate stored rules against the active catalog and apply the collection's sort strategy. Each product resolves fresh, so archived products drop out. Public, no sign-in; a bad or unknown slug is a 404 (never a 500). Linked from the footer on every page. |
 | **`lib/subscriptions.js`** | Stripe-backed recurring billing — `subscription_plans` (interval / amount / trial) + `subscriptions` (mirrors Stripe's object byte-for-byte). `subscriptions.create` POSTs to Stripe via the payment dep, then persists the returned object locally. `handleStripeEvent` replays `customer.subscription.*` events into the local row so the shop has an authoritative view without round-tripping. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
-| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline. The Returns and Reviews links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. |
+| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores; **Inventory** (`/admin/inventory`) lists stock per SKU (on-hand / held / available) with a low-stock filter, restocks, sets per-SKU thresholds, and tracks new SKUs; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel — Refund goes through the payment provider) through the order FSM; **Returns** (`/admin/returns`) is the RMA moderation queue — filter by status, open a request's items and reason, and approve (with refund amount) → mark received → refund, or reject with a reason, over the return FSM; **Reviews** (`/admin/reviews`) is the review moderation queue — filter by status and publish, reject (with a reason), or take down each submission inline; **Subscriptions** (`/admin/subscription-plans`) is the recurring-offer catalog — filter active / archived, create a plan (Stripe price id, interval, amount, trial), and archive one, with archiving terminal because the mirrored Stripe price can go stale. The Returns, Reviews, and Subscriptions links appear only when those primitives are wired. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. |
 | **`lib/catalog-import.js`** | Bulk CSV import — `POST /admin/catalog/import` accepts a `text/csv` body, parses via `b.csv`, content-safety-filters every cell through `b.guardCsv` (formula-injection / bidi / control / dangerous-function denylist), validates exact header order, de-dupes rows by `product_slug`, returns per-row errors without aborting. Default 1 MiB / 10000 rows caps. |
 | **`lib/theme.js`** | File-backed templates with fallback chain. Operators register a named theme under `<themesDir>/<name>/*.html` and the storefront dispatches every renderer through it. `assetUrl(path)` resolves to `/assets/themes/<name>/<path>`. The shipped `default` theme is the fallback. |
 

package/lib/admin.js

@@ -225,7 +225,7 @@ function mount(router, deps) {
   // Which optional console sections are wired — gates their nav links so a
   // signed-in admin is never sent to a route that wasn't mounted. Passed
   // into every authed render call as `nav_available`.
-  var navAvailable = { returns: !!returns, reviews: !!reviews };
+  var navAvailable = { returns: !!returns, reviews: !!reviews, subscriptions: !!deps.subscriptions };
 
   try { b.audit.registerNamespace(AUDIT_NAMESPACE); } catch (_e) { /* idempotent */ }
 
@@ -400,22 +400,90 @@ function mount(router, deps) {
 
   // ---- inventory ------------------------------------------------------
 
-  router.post("/admin/inventory", W("inventory.create", async function (req, res) {
-    var body = req.body || {};
-    if (!body.sku) throw new TypeError("admin.inventory.create: body.sku required");
-    var inv = await catalog.inventory.create(body.sku, body);
-    _json(res, 201, inv);
-    return Object.assign({ id: body.sku }, inv);
-  }));
+  // Inventory list — JSON for the bearer token, HTML console for a signed-in
+  // browser. `?low=1` filters to SKUs at/below their low-stock threshold.
+  router.get("/admin/inventory", _pageOrApi(true,
+    R(async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var page = await catalog.inventory.list({ low_only: !!(url && url.searchParams.get("low")), limit: 500 });
+      _json(res, 200, page);
+    }),
+    async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var low = !!(url && url.searchParams.get("low"));
+      var page = await catalog.inventory.list({ low_only: low, limit: 500 });
+      _sendHtml(res, 200, renderAdminInventory({
+        shop_name: deps.shop_name, nav_available: navAvailable,
+        inventory: page.rows || [], low: low,
+        notice: url && url.searchParams.get("err") ? "That SKU wasn't found — nothing was changed." : null,
+        updated: !!(url && url.searchParams.get("updated")),
+        created: !!(url && url.searchParams.get("created")),
+      }));
+    },
+  ));
 
-  router.post("/admin/inventory/:sku/restock", W("inventory.restock", async function (req, res) {
-    var qty = parseInt((req.body || {}).qty, 10);
-    if (!Number.isFinite(qty)) throw new TypeError("admin.inventory.restock: body.qty required (integer)");
-    var inv = await catalog.inventory.restock(req.params.sku, qty);
-    if (!inv) return _problem(res, 404, "inventory-not-found");
-    _json(res, 200, inv);
-    return Object.assign({ id: req.params.sku }, inv);
-  }));
+  router.post("/admin/inventory", _pageOrApi(false,
+    W("inventory.create", async function (req, res) {
+      var body = req.body || {};
+      if (!body.sku) throw new TypeError("admin.inventory.create: body.sku required");
+      var inv = await catalog.inventory.create(body.sku, body);
+      _json(res, 201, inv);
+      return Object.assign({ id: body.sku }, inv);
+    }),
+    async function (req, res) {
+      var body = req.body || {};
+      try {
+        if (!body.sku) throw new TypeError("sku required");
+        await catalog.inventory.create(body.sku, { stock_on_hand: parseInt(body.stock_on_hand, 10) || 0 });
+      } catch (e) {
+        if (e instanceof TypeError || /exists|duplicate|UNIQUE/i.test(e.message || "")) {
+          var page = await catalog.inventory.list({ limit: 500 });
+          return _sendHtml(res, 400, renderAdminInventory({
+            shop_name: deps.shop_name, nav_available: navAvailable, inventory: page.rows || [],
+            notice: (e && e.message) || "Couldn't create that SKU.",
+          }));
+        }
+        throw e;
+      }
+      b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".inventory.create", outcome: "success", metadata: { sku: body.sku } });
+      _redirect(res, "/admin/inventory?created=1");
+    },
+  ));
+
+  router.post("/admin/inventory/:sku/restock", _pageOrApi(false,
+    W("inventory.restock", async function (req, res) {
+      var qty = parseInt((req.body || {}).qty, 10);
+      if (!Number.isFinite(qty)) throw new TypeError("admin.inventory.restock: body.qty required (integer)");
+      var inv = await catalog.inventory.restock(req.params.sku, qty);
+      if (!inv) return _problem(res, 404, "inventory-not-found");
+      _json(res, 200, inv);
+      return Object.assign({ id: req.params.sku }, inv);
+    }),
+    async function (req, res) {
+      // Browser row form: restock by qty (when > 0) and/or set the low-stock
+      // threshold (when the field is non-empty; blank clears it). A bad sku is
+      // a no-op notice, never a 500.
+      var body = req.body || {};
+      var sku = req.params.sku;
+      var changed = false;
+      try {
+        var qty = parseInt(body.qty, 10);
+        if (Number.isFinite(qty) && qty > 0) { if (await catalog.inventory.restock(sku, qty)) changed = true; }
+        if (Object.prototype.hasOwnProperty.call(body, "threshold")) {
+          var raw = String(body.threshold).trim();
+          var threshold = raw === "" ? null : parseInt(raw, 10);
+          if (threshold === null || (Number.isInteger(threshold) && threshold >= 0)) {
+            if (await catalog.inventory.setThreshold(sku, threshold)) changed = true;
+          }
+        }
+      } catch (e) { if (!(e instanceof TypeError)) throw e; }
+      // restock / setThreshold return null for an unknown SKU — don't report
+      // success on a stale/tampered form to a non-existent SKU.
+      if (!changed) return _redirect(res, "/admin/inventory?err=1");
+      b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".inventory.restock", outcome: "success", metadata: { sku: sku } });
+      _redirect(res, "/admin/inventory?updated=1");
+    },
+  ));
 
   // Per-SKU low-stock threshold. Body `{ threshold }` — null clears.
   router.patch("/admin/inventory/:sku/threshold", W("inventory.set_threshold", async function (req, res) {
@@ -1224,22 +1292,69 @@ function mount(router, deps) {
 
   var subscriptions = deps.subscriptions || null;
   if (subscriptions) {
-    router.post("/admin/subscription-plans", W("subscription_plan.create", async function (req, res) {
-      var p = await subscriptions.plans.create(req.body || {});
-      _json(res, 201, p);
-      return p;
-    }));
+    // Create content-negotiates: bearer → JSON (unchanged for tooling);
+    // signed-in browser form → create, then PRG back to the catalog (a
+    // bad-shape submit re-renders the form with the validator's message
+    // rather than 500-ing).
+    router.post("/admin/subscription-plans", _pageOrApi(false,
+      W("subscription_plan.create", async function (req, res) {
+        var p = await subscriptions.plans.create(req.body || {});
+        _json(res, 201, p);
+        return p;
+      }),
+      async function (req, res) {
+        var body = req.body || {};
+        var input = {
+          stripe_price_id: typeof body.stripe_price_id === "string" ? body.stripe_price_id.trim() : body.stripe_price_id,
+          interval:        body.interval,
+          currency:        typeof body.currency === "string" ? body.currency.trim().toLowerCase() : body.currency,
+        };
+        if (body.amount_minor   != null && body.amount_minor   !== "") input.amount_minor   = parseInt(body.amount_minor, 10);
+        if (body.interval_count != null && body.interval_count !== "") input.interval_count = parseInt(body.interval_count, 10);
+        if (body.trial_days     != null && body.trial_days     !== "") input.trial_days     = parseInt(body.trial_days, 10);
+        if (body.variant_id) input.variant_id = String(body.variant_id).trim();
+        try {
+          await subscriptions.plans.create(input);
+        } catch (e) {
+          if (!(e instanceof TypeError)) throw e;
+          var rows = await subscriptions.plans.list({});
+          return _sendHtml(res, 400, renderAdminSubscriptionPlans({
+            shop_name: deps.shop_name, nav_available: navAvailable, plans: rows,
+            notice: e.message.replace(/^subscriptions[.:]\s*/, ""),
+          }));
+        }
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".subscription_plan.create", outcome: "success" });
+        _redirect(res, "/admin/subscription-plans?created=1");
+      },
+    ));
 
-    router.get("/admin/subscription-plans", R(async function (req, res) {
-      var url = req.url ? new URL(req.url, "http://localhost") : null;
-      var variantId = url && url.searchParams.get("variant_id");
-      var activeS   = url && url.searchParams.get("active");
-      var filter = {};
-      if (variantId) filter.variant_id = variantId;
-      if (activeS != null) filter.active = activeS === "1" || activeS === "true";
-      var rows = await subscriptions.plans.list(filter);
-      _json(res, 200, { rows: rows });
-    }));
+    router.get("/admin/subscription-plans", _pageOrApi(true,
+      R(async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var variantId = url && url.searchParams.get("variant_id");
+        var activeS   = url && url.searchParams.get("active");
+        var filter = {};
+        if (variantId) filter.variant_id = variantId;
+        if (activeS != null) filter.active = activeS === "1" || activeS === "true";
+        var rows = await subscriptions.plans.list(filter);
+        _json(res, 200, { rows: rows });
+      }),
+      async function (req, res) {
+        var url = req.url ? new URL(req.url, "http://localhost") : null;
+        var activeS = url && url.searchParams.get("active");
+        var filter = {};
+        if (activeS === "1" || activeS === "true")  filter.active = true;
+        else if (activeS === "0" || activeS === "false") filter.active = false;
+        var rows = await subscriptions.plans.list(filter);
+        _sendHtml(res, 200, renderAdminSubscriptionPlans({
+          shop_name: deps.shop_name, nav_available: navAvailable, plans: rows,
+          active_filter: activeS,
+          created:  url && url.searchParams.get("created"),
+          archived: url && url.searchParams.get("archived"),
+          notice:   (url && url.searchParams.get("err")) ? "That action couldn't be completed for the plan." : null,
+        }));
+      },
+    ));
 
     router.get("/admin/subscription-plans/:id", R(async function (req, res) {
       var p = await subscriptions.plans.get(req.params.id);
@@ -1254,12 +1369,25 @@ function mount(router, deps) {
       return p;
     }));
 
-    router.post("/admin/subscription-plans/:id/archive", W("subscription_plan.archive", async function (req, res) {
-      var p = await subscriptions.plans.archive(req.params.id);
-      if (!p) return _problem(res, 404, "subscription-plan-not-found");
-      _json(res, 200, p);
-      return p;
-    }));
+    // Archive content-negotiates: bearer → JSON; browser form → archive,
+    // then PRG. An unknown / malformed id is a no-op notice (?err=1),
+    // never a 500.
+    router.post("/admin/subscription-plans/:id/archive", _pageOrApi(false,
+      W("subscription_plan.archive", async function (req, res) {
+        var p = await subscriptions.plans.archive(req.params.id);
+        if (!p) return _problem(res, 404, "subscription-plan-not-found");
+        _json(res, 200, p);
+        return p;
+      }),
+      async function (req, res) {
+        var p = null;
+        try { p = await subscriptions.plans.archive(req.params.id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; }
+        if (!p) return _redirect(res, "/admin/subscription-plans?err=1");
+        b.audit.safeEmit({ action: AUDIT_NAMESPACE + ".subscription_plan.archive", outcome: "success", metadata: { id: req.params.id } });
+        _redirect(res, "/admin/subscription-plans?archived=1");
+      },
+    ));
 
     router.get("/admin/subscriptions", R(async function (req, res) {
       var url = req.url ? new URL(req.url, "http://localhost") : null;
@@ -1278,13 +1406,21 @@ function mount(router, deps) {
       _json(res, 200, s);
     }));
 
-    router.post("/admin/subscriptions/:id/cancel", W("subscription.cancel", async function (req, res) {
-      var body = req.body || {};
-      var s = await subscriptions.subscriptions.cancel(req.params.id, { at_period_end: !!body.at_period_end });
-      if (!s) return _problem(res, 404, "subscription-not-found");
-      _json(res, 200, s);
-      return s;
-    }));
+    // Cancelling composes the Stripe API (payment.subscriptions.cancel),
+    // so the route only mounts when a payment handle is wired — exactly
+    // like the refund routes. Without Stripe it stays unmounted (404
+    // "feature unavailable") rather than 400-ing with internal error
+    // text when the handler dereferences a null payment. Plan CRUD and
+    // the read-only instance views above need no Stripe and always mount.
+    if (payment) {
+      router.post("/admin/subscriptions/:id/cancel", W("subscription.cancel", async function (req, res) {
+        var body = req.body || {};
+        var s = await subscriptions.subscriptions.cancel(req.params.id, { at_period_end: !!body.at_period_end });
+        if (!s) return _problem(res, 404, "subscription-not-found");
+        _json(res, 200, s);
+        return s;
+      }));
+    }
   }
 
   // ---- admin web pages (browser session + setup wizard) ---------------
@@ -1497,6 +1633,9 @@ var DASHBOARD_LAYOUT =
   "    .review-stars { color:#c9821f; letter-spacing:.1em; }\n" +
   "    .review-reject { display:inline-flex; gap:.4rem; align-items:center; }\n" +
   "    .review-reject input { padding:.45rem .6rem; border:1px solid var(--hair); border-radius:6px; font-size:.82rem; }\n" +
+  "    .inv-row-form { display:flex; gap:.4rem; align-items:center; }\n" +
+  "    .inv-row-form input { padding:.4rem .5rem; border:1px solid var(--hair); border-radius:6px; font-size:.82rem; }\n" +
+  "    tr.row--low td { background:#fff8e1; }\n" +
   "    .nav-cards { display:grid; grid-template-columns:repeat(auto-fit,minmax(14rem,1fr)); gap:1rem; }\n" +
   "    .nav-card { display:block; background:var(--paper); border:1px solid var(--hair); border-radius:8px; padding:1.4rem; text-decoration:none; color:var(--ink); }\n" +
   "    .nav-card:hover { border-color:var(--accent); box-shadow:0 8px 20px -12px rgba(0,0,0,.25); }\n" +
@@ -1677,9 +1816,11 @@ var ADMIN_NAV_ITEMS = [
   { key: "home",         href: "/admin",              label: "Home" },
   { key: "dashboard",    href: "/admin/dashboard",    label: "Dashboard" },
   { key: "products",     href: "/admin/products",     label: "Products" },
+  { key: "inventory",    href: "/admin/inventory",    label: "Inventory" },
   { key: "orders",       href: "/admin/orders",       label: "Orders" },
   { key: "returns",      href: "/admin/returns",      label: "Returns",      requires: "returns" },
   { key: "reviews",      href: "/admin/reviews",      label: "Reviews",      requires: "reviews" },
+  { key: "subscriptions", href: "/admin/subscription-plans", label: "Subscriptions", requires: "subscriptions" },
   { key: "integrations", href: "/admin/integrations", label: "Integrations" },
   { key: "setup",        href: "/admin/setup",        label: "Setup" },
 ];
@@ -2178,6 +2319,121 @@ function renderAdminReviews(opts) {
   return _renderAdminShell(opts.shop_name, "Reviews", body, "reviews", opts.nav_available);
 }
 
+function renderAdminInventory(opts) {
+  opts = opts || {};
+  var rows = opts.inventory || [];
+  var created = opts.created ? "<div class=\"banner banner--ok\">SKU created.</div>" : "";
+  var updated = opts.updated ? "<div class=\"banner banner--ok\">Inventory updated.</div>" : "";
+  var notice  = opts.notice  ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+
+  var chips = "<div class=\"order-filters\">" +
+    "<a class=\"chip" + (opts.low ? "" : " chip--on") + "\" href=\"/admin/inventory\">All</a>" +
+    "<a class=\"chip" + (opts.low ? " chip--on" : "") + "\" href=\"/admin/inventory?low=1\">Low stock</a>" +
+    "</div>";
+
+  var body = rows.map(function (r) {
+    var available = (r.stock_on_hand || 0) - (r.stock_held || 0);
+    var th = r.low_stock_threshold;
+    var isLow = th != null && available <= th;
+    var thVal = th == null ? "" : String(th);
+    return "<tr" + (isLow ? " class=\"row--low\"" : "") + ">" +
+      "<td><code class=\"order-id\">" + _htmlEscape(r.sku) + "</code>" + (isLow ? " <span class=\"status-pill pending\">low</span>" : "") + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(String(r.stock_on_hand)) + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(String(r.stock_held)) + "</td>" +
+      "<td class=\"num\"><strong>" + _htmlEscape(String(available)) + "</strong></td>" +
+      "<td>" +
+        "<form method=\"post\" action=\"/admin/inventory/" + _htmlEscape(r.sku) + "/restock\" class=\"inv-row-form\">" +
+          "<input type=\"number\" name=\"qty\" min=\"1\" placeholder=\"+ qty\" style=\"width:6rem;\">" +
+          "<input type=\"number\" name=\"threshold\" min=\"0\" value=\"" + _htmlEscape(thVal) + "\" placeholder=\"alert ≤\" title=\"low-stock threshold (blank clears)\" style=\"width:6rem;\">" +
+          "<button class=\"btn btn--ghost\" type=\"submit\">Save</button>" +
+        "</form>" +
+      "</td></tr>";
+  }).join("");
+
+  var table = rows.length
+    ? "<div class=\"panel\"><table><thead><tr><th>SKU</th><th class=\"num\">On hand</th><th class=\"num\">Held</th><th class=\"num\">Available</th><th>Restock / threshold</th></tr></thead><tbody>" + body + "</tbody></table></div>"
+    : "<p class=\"empty\">No inventory rows" + (opts.low ? " below threshold" : " yet") + ".</p>";
+
+  var createForm =
+    "<div class=\"panel\" style=\"margin-top:1.5rem; max-width:34rem;\">" +
+      "<h3 style=\"font-size:.95rem; margin-bottom:.75rem;\">Track a new SKU</h3>" +
+      "<form method=\"post\" action=\"/admin/inventory\">" +
+        _setupField("SKU", "sku", "", "text", "Must match a variant SKU.", " maxlength=\"128\" required") +
+        _setupField("Starting stock on hand", "stock_on_hand", "0", "number", "", " min=\"0\"") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Track SKU</button></div>" +
+      "</form>" +
+    "</div>";
+
+  var bodyHtml = "<section><h2>Inventory</h2>" + created + updated + notice + chips + table + createForm + "</section>";
+  return _renderAdminShell(opts.shop_name, "Inventory", bodyHtml, "inventory", opts.nav_available);
+}
+
+function renderAdminSubscriptionPlans(opts) {
+  opts = opts || {};
+  var rows = opts.plans || [];
+  var created  = opts.created  ? "<div class=\"banner banner--ok\">Plan created.</div>" : "";
+  var archived = opts.archived ? "<div class=\"banner banner--ok\">Plan archived.</div>" : "";
+  var notice   = opts.notice   ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+
+  var af = opts.active_filter;
+  var chips = "<div class=\"order-filters\">" +
+    "<a class=\"chip" + (af == null ? " chip--on" : "") + "\" href=\"/admin/subscription-plans\">All</a>" +
+    "<a class=\"chip" + (af === "1" ? " chip--on" : "") + "\" href=\"/admin/subscription-plans?active=1\">Active</a>" +
+    "<a class=\"chip" + (af === "0" ? " chip--on" : "") + "\" href=\"/admin/subscription-plans?active=0\">Archived</a>" +
+    "</div>";
+
+  // Each plan mirrors a recurring Stripe Price (Stripe stays the pricing
+  // source of truth). Archiving is terminal from the console — because the
+  // mirrored Stripe price id may go stale, a retired plan is re-offered by
+  // creating a new one against a fresh price id, never reactivated in place.
+  var bodyRows = rows.map(function (p) {
+    var every = p.interval_count > 1 ? p.interval_count + " " + p.interval + "s" : p.interval;
+    // Plans store currency lowercase (the subscriptions validator's form);
+    // pricing.format wants the uppercase ISO 4217 code.
+    var price = pricing.format(p.amount_minor, String(p.currency || "").toUpperCase()) + " / " + every;
+    var isActive = p.active === 1 || p.active === true;
+    var archiveCell = isActive
+      ? "<form method=\"post\" action=\"/admin/subscription-plans/" + _htmlEscape(p.id) + "/archive\" style=\"display:inline;\">" +
+          "<button class=\"btn btn--ghost\" type=\"submit\">Archive</button></form>"
+      : "<span class=\"meta\">—</span>";
+    return "<tr>" +
+      "<td><strong>" + _htmlEscape(price) + "</strong>" +
+        (p.trial_days ? " <span class=\"status-pill pending\">" + _htmlEscape(String(p.trial_days)) + "d trial</span>" : "") + "</td>" +
+      "<td><code class=\"order-id\">" + _htmlEscape(p.stripe_price_id) + "</code></td>" +
+      "<td>" + (p.variant_id ? "<code class=\"order-id\">" + _htmlEscape(String(p.variant_id).slice(0, 8)) + "</code>" : "<span class=\"meta\">standalone</span>") + "</td>" +
+      "<td><span class=\"status-pill " + (isActive ? "paid" : "cancelled") + "\">" + (isActive ? "active" : "archived") + "</span></td>" +
+      "<td>" + archiveCell + "</td>" +
+    "</tr>";
+  }).join("");
+
+  var table = rows.length
+    ? "<div class=\"panel\"><table><thead><tr><th>Price / interval</th><th>Stripe price</th><th>Variant</th><th>Status</th><th>Actions</th></tr></thead><tbody>" + bodyRows + "</tbody></table></div>"
+    : "<p class=\"empty\">No subscription plans" + (af === "0" ? " archived" : af === "1" ? " active" : " yet") + ".</p>";
+
+  var intervalOpts = ["month", "year", "week", "day"].map(function (iv) {
+    return "<option value=\"" + iv + "\">" + iv + "</option>";
+  }).join("");
+
+  var createForm =
+    "<div class=\"panel\" style=\"margin-top:1.5rem; max-width:34rem;\">" +
+      "<h3 style=\"font-size:.95rem; margin-bottom:.75rem;\">Create a plan</h3>" +
+      "<p class=\"meta\">Pre-create the recurring Price in Stripe, then mirror it here so the storefront can render the plan without a network hop.</p>" +
+      "<form method=\"post\" action=\"/admin/subscription-plans\">" +
+        _setupField("Stripe price id", "stripe_price_id", "", "text", "The recurring Price id from your Stripe dashboard (e.g. price_…).", " maxlength=\"255\" required") +
+        "<label class=\"form-field\"><span>Billing interval</span><select name=\"interval\">" + intervalOpts + "</select></label>" +
+        _setupField("Interval count", "interval_count", "1", "number", "Bill every N intervals (1–12).", " min=\"1\" max=\"12\"") +
+        _setupField("Currency", "currency", "", "text", "3-letter ISO 4217 (e.g. USD).", " maxlength=\"3\" required") +
+        _setupField("Amount (minor units)", "amount_minor", "", "number", "In the currency's smallest unit — e.g. 1999 = $19.99.", " min=\"1\" required") +
+        _setupField("Trial days", "trial_days", "0", "number", "Free trial length before the first charge (0–730).", " min=\"0\" max=\"730\"") +
+        _setupField("Variant id (optional)", "variant_id", "", "text", "Link to a storefront variant, or leave blank for a standalone tier.", " maxlength=\"64\"") +
+        "<div class=\"actions-row\"><button class=\"btn\" type=\"submit\">Create plan</button></div>" +
+      "</form>" +
+    "</div>";
+
+  var bodyHtml = "<section><h2>Subscription plans</h2>" + created + archived + notice + chips + table + createForm + "</section>";
+  return _renderAdminShell(opts.shop_name, "Subscription plans", bodyHtml, "subscriptions", opts.nav_available);
+}
+
 module.exports = {
   mount:           mount,
   AUDIT_NAMESPACE: AUDIT_NAMESPACE,
@@ -2187,6 +2443,7 @@ module.exports = {
   renderAdminSetup:        renderAdminSetup,
   renderAdminIntegrations: renderAdminIntegrations,
   renderAdminProducts:     renderAdminProducts,
+  renderAdminInventory:    renderAdminInventory,
   renderAdminOrders:       renderAdminOrders,
   renderAdminOrder:        renderAdminOrder,
   renderAdminReturns:      renderAdminReturns,

package/lib/catalog.js

@@ -629,6 +629,22 @@ function _inventoryModule(query, opts) {
       return r.rows[0] || null;
     },
 
+    // Operator-facing inventory list (sku ASC), optionally only the SKUs at
+    // or below their configured low-stock threshold. Capped + uncursored —
+    // it backs the admin inventory console, not a hot path.
+    list: async function (listOpts) {
+      listOpts = listOpts || {};
+      var limit = listOpts.limit == null ? 200 : listOpts.limit;
+      if (!Number.isInteger(limit) || limit <= 0 || limit > 1000) {
+        throw new TypeError("catalog.inventory.list: limit must be 1..1000");
+      }
+      var sql = listOpts.low_only
+        ? "SELECT * FROM inventory WHERE low_stock_threshold IS NOT NULL AND " +
+          "(stock_on_hand - stock_held) <= low_stock_threshold ORDER BY sku ASC LIMIT ?1"
+        : "SELECT * FROM inventory ORDER BY sku ASC LIMIT ?1";
+      return { rows: (await query(sql, [limit])).rows };
+    },
+
     // Hot-path decrement happens via the Worker's InventoryLock
     // Durable Object — this primitive is for admin restock / release
     // operations that don't need the DO serialization. Concurrent

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.55",
-      "tag": "v0.12.55",
+      "version": "0.12.56",
+      "tag": "v0.12.56",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.56 (2026-05-25) — **`b.canonicalJson` — RFC 8785 JSON Canonicalization Scheme, now a public primitive.** The deterministic JSON serializer the framework uses internally for audit-chain and config-drift fingerprints is now an operator-facing primitive, for signing your own JSON (custom credentials, receipts, deterministic request signing). b.canonicalJson.stringifyJcs is strict RFC 8785: keys sorted in UTF-16 code-unit order at every depth, numbers in the ECMAScript format JCS references, and types JCS does not define (BigInt / Buffer / Date / Map / Set / circular references) refused rather than silently lost. b.canonicalJson.stringify is a lenient variant that also serializes Buffers (hex), Dates (ISO-8601), and BigInts. Exposing it surfaced and fixed a latent ordering bug: the serializer built a sorted-key object and let JSON.stringify emit it, but V8 hoists integer-like keys ("1", "10") to the front — so canonical output was wrong for objects with integer-like string keys. Members are now written in sorted order directly. Validated against the official cyberphone/json-canonicalization conformance vectors. **Added:** *`b.canonicalJson.stringifyJcs(value)` / `stringify(value, opts?)` / `sortKeys(obj)`* — `stringifyJcs` produces strict RFC 8785 canonical JSON — the byte-for-byte stable form to hash or sign — with UTF-16 code-unit key sorting and ECMAScript number formatting, refusing BigInt / Buffer / Date / Map / Set / RegExp / Symbol / function / circular references. `stringify` is the lenient framework variant (Buffers → hex, Dates → ISO-8601, BigInts → decimal; `opts.bufferAs: "reject"` to forbid binary). `sortKeys` returns an object's own keys in the canonical UTF-16 ordering. These were framework-internal; they are now documented public API. **Fixed:** *Canonical JSON now emits integer-like keys in sorted order* — The canonical serializer built a sorted-key object and serialized it with JSON.stringify, which hoists integer-like string keys ("1", "10") to the front per V8 own-property ordering — producing non-canonical output for objects containing such keys (a violation of RFC 8785 §3.2.3). Members are now written in sorted-key order directly. Real-world consumers (audit-chain, config-drift) use named fields and are unaffected; only objects with integer-like string keys change, and the new output is the correct canonical form.
+
 - v0.12.55 (2026-05-25) — **`b.structuredFields` — RFC 9651 Date and Display String types.** Brings the Structured Fields codec up to RFC 9651, which obsoletes RFC 8941 by adding two bare-item types. A Date (`@1659578233`) is an Integer number of seconds since the Unix epoch; a Display String (`%"f%c3%bc%c3%bc"`) is a Unicode string conveyed as percent-escaped UTF-8. parse returns them as distinct SfDate / SfDisplayString values, and serialize emits them canonically — a Date as `@` + integer, a Display String as `%"`-wrapped lowercase-percent-escaped UTF-8 that escapes only what RFC 9651 requires. Parsing is strict: a Date rejects a decimal / out-of-range value, and a Display String rejects uppercase escapes, raw non-ASCII, bad hex, and invalid UTF-8. Validated against the official httpwg structured-field-tests date and display-string vectors. **Added:** *RFC 9651 Date (`@…`) and Display String (`%"…"`) in `b.structuredFields`* — `parse` now reads the two RFC 9651 types: `@` + an Integer yields an `SfDate` (rejecting a decimal `@1.5`, an empty `@`, a sign-only `@-`, and out-of-range values), and `%"…"` yields an `SfDisplayString` (decoding lowercase `%XX` escapes as UTF-8, rejecting uppercase escapes, raw non-ASCII or control characters, malformed hex, and invalid UTF-8). `serialize` is the inverse — a Date as `@` + the integer, a Display String percent-escaping only non-printable / non-ASCII bytes plus `%` and `"`. The new `b.structuredFields.Date` and `b.structuredFields.DisplayString` wrappers construct these values. The module now tracks RFC 9651 (which obsoletes RFC 8941); the existing Item / List / Dictionary parsing is unchanged.
 
 - v0.12.54 (2026-05-25) — **`b.structuredFields.parse` / `serialize` — full RFC 8941 Structured Fields codec.** The structured-fields module gains a complete RFC 8941 parser and serializer alongside its existing quote-aware helpers. b.structuredFields.parse reads an Item, List, or Dictionary into a typed value model — items are { value, params }, lists are arrays of items / inner lists, dictionaries are Maps — with Tokens and byte sequences returned as distinct SfToken / SfByteSequence instances. It enforces the grammar strictly: integer and decimal digit caps, printable-ASCII strings, canonical base64 byte sequences, valid token and key grammar, and no trailing characters. b.structuredFields.serialize is the exact inverse. This is the real parser the framework's Content-Digest, Client Hints, Web Push, and HTTP Message Signature surfaces can build on instead of open-coding each field. Validated against the official httpwg structured-field-tests conformance vectors. **Added:** *`b.structuredFields.parse(input, type, opts?)` / `serialize(value, type, opts?)` / `Token` / `ByteSequence`* — `parse` accepts `type` of `"item"`, `"list"`, or `"dictionary"` and returns the value model (items as `{ value, params }` with a `Map` of parameters; lists as arrays of items or inner lists; dictionaries as `Map`s). Bare items are JS numbers (Integer / Decimal), strings, booleans, `SfToken`, or `SfByteSequence`. Malformed input is rejected — out-of-range integers, over-long decimals, non-printable string bytes, non-canonical base64, invalid tokens / keys, and any trailing characters — and `opts.ErrorClass` yields a typed error. `serialize` is the inverse, rounding decimals to three fractional digits and refusing values outside the RFC's ranges or grammar. `b.structuredFields.Token` and `b.structuredFields.ByteSequence` wrap those bare-item types for serialization. The existing `splitTopLevel` / `refuseControlBytes` / `unquoteSfString` helpers are unchanged.

package/lib/vendor/blamejs/README.md

@@ -98,6 +98,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`)
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
+- **Canonical JSON** — RFC 8785 JSON Canonicalization Scheme (`b.canonicalJson.stringifyJcs`): the deterministic, sorted-key byte form to hash or sign (custom credentials, receipts, deterministic request signing); UTF-16 key ordering + ECMAScript number formatting, with a lenient `stringify` variant for Buffers / Dates / BigInts
 - **Structured Fields** — full RFC 9651 codec (`b.structuredFields.parse` / `serialize`): Items / Lists / Dictionaries, Inner Lists, Parameters, and every bare-item type (Integer / Decimal / String / Token / Byte Sequence / Boolean / Date / Display String) with strict grammar + range enforcement — the parser behind Content-Digest, Client Hints, and HTTP Message Signatures
 - **CMS codec** — RFC 5652 Cryptographic Message Syntax encoder + decoder with PQC signers (ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f; RFC 9909 + 9881) and KEMRecipientInfo recipients (ML-KEM-1024; RFC 9629 + 9936); ChaCha20-Poly1305 content encryption (RFC 8103) so Efail-class malleability cannot apply (`b.cms`)
 - **Stream throttle** — shared token-bucket bandwidth limiter (RFC 2697 srTCM shape); N concurrent `node:stream` pipelines draw from one operator-configured `bytesPerSec` budget (`b.streamThrottle`)

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.55",
-  "createdAt": "2026-05-25T19:45:48.985Z",
+  "frameworkVersion": "0.12.56",
+  "createdAt": "2026-05-25T21:09:07.457Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -6005,6 +6005,23 @@
         }
       }
     },
+    "canonicalJson": {
+      "type": "object",
+      "members": {
+        "sortKeys": {
+          "type": "function",
+          "arity": 1
+        },
+        "stringify": {
+          "type": "function",
+          "arity": 2
+        },
+        "stringifyJcs": {
+          "type": "function",
+          "arity": 1
+        }
+      }
+    },
     "cbor": {
       "type": "object",
       "members": {

package/lib/vendor/blamejs/index.js

@@ -396,6 +396,7 @@ var dbsc = require("./lib/dbsc");
 var importmapIntegrity = require("./lib/importmap-integrity");
 var privacyPass = require("./lib/privacy-pass");
 var contentDigest = require("./lib/content-digest");
+var canonicalJson = require("./lib/canonical-json");
 var standardWebhooks = require("./lib/standard-webhooks");
 var lro = require("./lib/lro");
 var jsonApi = require("./lib/jsonapi");
@@ -413,6 +414,7 @@ module.exports = {
   importmapIntegrity: importmapIntegrity,
   privacyPass:      privacyPass,
   contentDigest:    contentDigest,
+  canonicalJson:    canonicalJson,
   standardWebhooks: standardWebhooks,
   lro:              lro,
   jsonApi:          jsonApi,

package/lib/vendor/blamejs/lib/canonical-json.js

@@ -1,79 +1,83 @@
 "use strict";
 /**
- * Canonical JSON — deterministic stringify with sorted keys at every depth.
+ * @module b.canonicalJson
+ * @nav    Data
+ * @title  Canonical JSON
  *
- * Replaces the four near-identical implementations that grew up across
- * `lib/audit-chain.js`, `lib/audit-tools.js`, `lib/config-drift.js`, and
- * `lib/pagination.js`. They all walked `typeof === "object"` with
- * `Object.keys(...).sort()` and silently round-tripped Date as `{}`,
- * Buffer as `{"0":97,"1":98,…}`, Map / Set / RegExp as `{}`, Symbol /
- * function as missing keys, and BigInt as a thrown
- * `Do not know how to serialize a BigInt` mid-emit. Circular references
- * stack-overflowed instead of producing a clean framework error.
+ * @intro
+ *   Deterministic JSON serialization with keys sorted at every depth —
+ *   the byte-for-byte stable form you hash or sign so two parties that
+ *   build the same data produce the same bytes. <code>stringifyJcs</code>
+ *   is strict RFC 8785 (JSON Canonicalization Scheme); <code>stringify</code>
+ *   is a lenient variant that additionally serializes Buffers (as hex),
+ *   Dates (ISO-8601), and BigInts (decimal) for the framework's own audit
+ *   / config-drift fingerprints.
  *
- * The walk:
+ *   Both walks close the silent-data-loss class that ad-hoc
+ *   <code>Object.keys(...).sort()</code> serializers fall into: Map /
+ *   Set / RegExp / class instances, Symbols, functions, and circular
+ *   references all throw a clean error rather than emitting <code>{}</code>
+ *   or stack-overflowing. RFC 8785 strict mode additionally refuses
+ *   BigInt / Buffer / Date (types JCS does not define) so the operator
+ *   converts them to JSON-native shapes before signing.
  *
- *   primitives + null + undefined → JSON.stringify (undefined → "null")
- *   bigint                        → decimal string  ("123" not 123n)
- *   Date                          → ISO string
- *   Buffer / Uint8Array           → hex (when bufferAs = "hex", default)
- *                                   throw     (when bufferAs = "reject")
- *   Map / Set / RegExp            → throw with constructor name
- *   symbol / function             → throw with type name
- *   circular reference            → throw via WeakSet detection
- *   plain array                   → recurse, preserve order
- *   plain object                  → recurse with sorted keys
+ *   Key ordering is V8's <code>Object.keys(...).sort()</code> —
+ *   lexicographic UTF-16 code-unit order, which is exactly RFC 8785
+ *   §3.2.3 — and numbers are formatted by <code>JSON.stringify</code>,
+ *   whose output is the ECMA-262 Number-to-string algorithm that RFC
+ *   8785 §3.2.2.3 references.
  *
- * Two consumer policies on Buffer / Uint8Array are documented because
- * the framework historically chose differently per call site:
- *
- *   bufferAs: "hex"     audit-chain / audit-tools / config-drift —
- *                        binary data is legitimate (cert PEMs, key
- *                        material, hash bytes); preserve as hex so the
- *                        canonical output is reversible.
- *   bufferAs: "reject"  pagination — cursor state is operator-supplied
- *                        primitive data; binary in a cursor is almost
- *                        always a bug; reject loudly.
- *
- * Operators don't call this directly — it's a framework-internal walker.
+ * @card
+ *   Canonical JSON (RFC 8785 JCS) — the deterministic, sorted-key byte
+ *   form you sign or hash. Strict <code>stringifyJcs</code> for
+ *   interop, plus a lenient framework variant that serializes Buffers /
+ *   Dates / BigInts. Lossy ad-hoc serializers (Map / Set / circular →
+ *   <code>{}</code>) are refused.
  */
 
-function _scrub(value, seen, bufferAs) {
-  if (value === null || typeof value === "undefined") return null;
+// Emit the canonical JSON STRING in one ordered pass. Object members are
+// written in sorted-key order directly — building a plain object and
+// relying on JSON.stringify would silently hoist integer-like keys
+// ("1", "10") to the front (V8 own-property ordering), breaking the
+// RFC 8785 §3.2.3 sort. Primitives, strings, and numbers use
+// JSON.stringify, whose escaping (§3.2.2.2) and ECMAScript number format
+// (§3.2.2.3) are exactly what JCS references.
+function _emit(value, seen, bufferAs) {
+  if (value === null || typeof value === "undefined") return "null";
   var t = typeof value;
-  if (t === "string" || t === "boolean" || t === "number") return value;
+  if (t === "number" || t === "string" || t === "boolean") return JSON.stringify(value);
   if (t === "bigint") {
     if (bufferAs === "reject-jcs") {
       throw new Error("canonical-json: BigInt is not serialisable under " +
         "RFC 8785 (JCS); convert to a string or number before passing in");
     }
-    return String(value);
+    return JSON.stringify(String(value));
   }
   if (t === "symbol" || t === "function") {
     throw new Error("canonical-json: " + t + " value is not " +
       "serialisable; convert to a string before passing in");
   }
   // Buffer / Uint8Array — policy-driven
-  if (Buffer.isBuffer(value))           {
+  if (Buffer.isBuffer(value)) {
     if (bufferAs === "reject" || bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Buffer is not serialisable in this " +
         "context (bufferAs=reject); convert to a string or hex first");
     }
-    return value.toString("hex");
+    return JSON.stringify(value.toString("hex"));
   }
   if (value instanceof Uint8Array) {
     if (bufferAs === "reject" || bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Uint8Array is not serialisable in " +
         "this context (bufferAs=reject); convert to a string or hex first");
     }
-    return Buffer.from(value).toString("hex");
+    return JSON.stringify(Buffer.from(value).toString("hex"));
   }
   if (value instanceof Date) {
     if (bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Date is not serialisable under " +
         "RFC 8785 (JCS); convert to ISO-8601 string before passing in");
     }
-    return value.toISOString();
+    return JSON.stringify(value.toISOString());
   }
   // After primitives + Date + Buffer + Uint8Array, any remaining "object"
   // must be a plain object or array. Map / Set / RegExp / class instances
@@ -88,35 +92,73 @@ function _scrub(value, seen, bufferAs) {
   }
   seen.add(value);
   if (Array.isArray(value)) {
-    return value.map(function (v) { return _scrub(v, seen, bufferAs); });
+    // Index loop, not .map(): map() skips holes in a sparse array,
+    // which join() would then render as invalid elisions ([,1]). A hole
+    // reads as undefined → _emit returns "null" (matching JSON.stringify).
+    var items = [];
+    for (var ai = 0; ai < value.length; ai += 1) {
+      items.push(_emit(value[ai], seen, bufferAs));
+    }
+    return "[" + items.join(",") + "]";
   }
   // Canonical-json IS the destination for sorted-keys walks across the
   // codebase; the keys-then-sort here is the canonical primitive itself.
   var keys = Object.keys(value);
   keys.sort();
-  var out = {};
+  var parts = [];
   for (var i = 0; i < keys.length; i++) {
-    out[keys[i]] = _scrub(value[keys[i]], seen, bufferAs);
+    parts.push(JSON.stringify(keys[i]) + ":" + _emit(value[keys[i]], seen, bufferAs));
   }
-  return out;
+  return "{" + parts.join(",") + "}";
 }
 
-// Return the deterministic JSON string. opts.bufferAs picks the Buffer
-// policy ("hex" default, "reject" for callers like pagination).
+/**
+ * @primitive b.canonicalJson.stringify
+ * @signature b.canonicalJson.stringify(value, opts?)
+ * @since     0.5.0
+ * @status    stable
+ * @related   b.canonicalJson.stringifyJcs, b.canonicalJson.sortKeys
+ *
+ * Deterministic JSON with keys sorted at every depth — the lenient
+ * framework variant. Beyond JSON-native values it serializes Buffers /
+ * Uint8Arrays (hex), Dates (ISO-8601), and BigInts (decimal string); Map
+ * / Set / RegExp / class instances, Symbols, functions, and circular
+ * references throw rather than silently emitting <code>{}</code>. Use
+ * <code>stringifyJcs</code> for strict RFC 8785 interop.
+ *
+ * @opts
+ *   bufferAs: string,   // "hex" (default) | "reject" — Buffer / Uint8Array policy
+ *
+ * @example
+ *   b.canonicalJson.stringify({ b: 1, a: 2 });
+ *   // → '{"a":2,"b":1}'
+ */
 function stringify(value, opts) {
   var bufferAs = (opts && opts.bufferAs) || "hex";
   if (bufferAs !== "hex" && bufferAs !== "reject" && bufferAs !== "reject-jcs") {
     throw new Error("canonical-json: bufferAs must be 'hex' / 'reject' / 'reject-jcs'; got " +
       JSON.stringify(bufferAs));
   }
-  return JSON.stringify(_scrub(value, null, bufferAs));
+  return _emit(value, null, bufferAs);
 }
 
-// Stable key ordering for an object — same lexicographic sort used by
-// the canonical-json walker. Exposed so call sites that need a sorted
-// key list (CLI report ordering, fingerprint inputs) route through
-// the framework's single source-of-truth ordering rule rather than
-// re-implementing the keys-then-sort dance inline.
+/**
+ * @primitive b.canonicalJson.sortKeys
+ * @signature b.canonicalJson.sortKeys(obj)
+ * @since     0.5.0
+ * @status    stable
+ * @related   b.canonicalJson.stringify
+ *
+ * The object's own keys in the framework's single canonical ordering —
+ * lexicographic UTF-16 code-unit sort (the same ordering the canonical
+ * serializers use). Returns an empty array for a non-object. Route
+ * fingerprint / report ordering through this rather than re-implementing
+ * the keys-then-sort dance inline.
+ *
+ * @example
+ *   b.canonicalJson.sortKeys({ b: 1, a: 2, c: 3 });
+ *   // → ["a", "b", "c"]
+ */
 function sortKeys(obj) {
   if (!obj || typeof obj !== "object") return [];
   var keys = Object.keys(obj);
@@ -124,16 +166,30 @@ function sortKeys(obj) {
   return keys;
 }
 
-// stringifyJcs — RFC 8785 (JSON Canonicalization Scheme) strict mode.
-// Refuses inputs JCS does NOT cover (BigInt, Buffer / Uint8Array, Date,
-// Map, Set, RegExp, Symbol, function); operators carrying those types
-// must convert to JSON-native shapes upfront. Object key ordering and
-// number formatting already match JCS §3.2.2 — V8's
-// `Object.keys(...).sort()` is lexicographic UTF-16 code-unit order
-// (JCS §3.2.3) and `JSON.stringify` formats numbers per
-// ECMA-262 §7.1.12.1 which JCS §3.2.2.3 references.
+/**
+ * @primitive b.canonicalJson.stringifyJcs
+ * @signature b.canonicalJson.stringifyJcs(value)
+ * @since     0.12.56
+ * @status    stable
+ * @compliance soc2
+ * @related   b.canonicalJson.stringify, b.vc.issue, b.scitt.signStatement
+ *
+ * Strict RFC 8785 JSON Canonicalization Scheme — the deterministic byte
+ * form to hash or sign when two parties must agree on the exact bytes
+ * (signed JSON credentials, receipts, deterministic request signing).
+ * Keys are sorted in UTF-16 code-unit order at every depth (§3.2.3) and
+ * numbers use the ECMAScript Number-to-string formatting §3.2.2.3
+ * references. Inputs JCS does not define — BigInt, Buffer / Uint8Array,
+ * Date, Map, Set, RegExp, Symbol, function, and circular references —
+ * are refused, so the operator converts them to JSON-native shapes
+ * before signing rather than getting a silently lossy result.
+ *
+ * @example
+ *   b.canonicalJson.stringifyJcs({ "€": 1, "$": 2 });
+ *   // → '{"$":2,"€":1}'   (keys sorted by UTF-16 code unit)
+ */
 function stringifyJcs(value) {
-  return JSON.stringify(_scrub(value, null, "reject-jcs"));
+  return _emit(value, null, "reject-jcs");
 }
 
 module.exports = {

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.55",
+  "version": "0.12.56",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.56.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.56",
+  "date": "2026-05-25",
+  "headline": "`b.canonicalJson` — RFC 8785 JSON Canonicalization Scheme, now a public primitive",
+  "summary": "The deterministic JSON serializer the framework uses internally for audit-chain and config-drift fingerprints is now an operator-facing primitive, for signing your own JSON (custom credentials, receipts, deterministic request signing). b.canonicalJson.stringifyJcs is strict RFC 8785: keys sorted in UTF-16 code-unit order at every depth, numbers in the ECMAScript format JCS references, and types JCS does not define (BigInt / Buffer / Date / Map / Set / circular references) refused rather than silently lost. b.canonicalJson.stringify is a lenient variant that also serializes Buffers (hex), Dates (ISO-8601), and BigInts. Exposing it surfaced and fixed a latent ordering bug: the serializer built a sorted-key object and let JSON.stringify emit it, but V8 hoists integer-like keys (\"1\", \"10\") to the front — so canonical output was wrong for objects with integer-like string keys. Members are now written in sorted order directly. Validated against the official cyberphone/json-canonicalization conformance vectors.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.canonicalJson.stringifyJcs(value)` / `stringify(value, opts?)` / `sortKeys(obj)`",
+          "body": "`stringifyJcs` produces strict RFC 8785 canonical JSON — the byte-for-byte stable form to hash or sign — with UTF-16 code-unit key sorting and ECMAScript number formatting, refusing BigInt / Buffer / Date / Map / Set / RegExp / Symbol / function / circular references. `stringify` is the lenient framework variant (Buffers → hex, Dates → ISO-8601, BigInts → decimal; `opts.bufferAs: \"reject\"` to forbid binary). `sortKeys` returns an object's own keys in the canonical UTF-16 ordering. These were framework-internal; they are now documented public API."
+        }
+      ]
+    },
+    {
+      "heading": "Fixed",
+      "items": [
+        {
+          "title": "Canonical JSON now emits integer-like keys in sorted order",
+          "body": "The canonical serializer built a sorted-key object and serialized it with JSON.stringify, which hoists integer-like string keys (\"1\", \"10\") to the front per V8 own-property ordering — producing non-canonical output for objects containing such keys (a violation of RFC 8785 §3.2.3). Members are now written in sorted-key order directly. Real-world consumers (audit-chain, config-drift) use named fields and are unaffected; only objects with integer-like string keys change, and the new output is the correct canonical form."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json.test.js

@@ -0,0 +1,84 @@
+"use strict";
+/**
+ * Layer 0 — b.canonicalJson (RFC 8785 JSON Canonicalization Scheme).
+ * The oracle is the official cyberphone/json-canonicalization conformance
+ * suite: the structures / french / values vectors (nested key sort,
+ * locale-independent UTF-16 ordering, and the ECMAScript number format)
+ * must serialize byte-for-byte to the published output.
+ */
+
+var b = require("../../index");
+var helpers = require("../helpers");
+var check = helpers.check;
+var cj = b.canonicalJson;
+function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code || e.message; } }
+
+function testSurface() {
+  check("b.canonicalJson.stringifyJcs is a function", typeof cj.stringifyJcs === "function");
+  check("b.canonicalJson.stringify is a function", typeof cj.stringify === "function");
+  check("b.canonicalJson.sortKeys returns the UTF-16 sorted keys", cj.sortKeys({ b: 1, a: 2, c: 3 }).join() === "a,b,c");
+}
+
+function testJcsConformance() {
+  // cyberphone/json-canonicalization testdata — "structures": nested
+  // key sort at every depth, 56.0 → 56.
+  var structures = { "1": { "f": { "f": "hi", "F": 5 }, "\n": 56.0 }, "10": {}, "": "empty", "a": {}, "111": [{ "e": "yes", "E": "no" }], "A": {} };
+  check("JCS: nested structures vector", cj.stringifyJcs(structures) === '{"":"empty","1":{"\\n":56,"f":{"F":5,"f":"hi"}},"10":{},"111":[{"E":"no","e":"yes"}],"A":{},"a":{}}');
+
+  // "french": sorting ignores locale (UTF-16 code-unit order).
+  var french = { "peach": "This sorting order", "péché": "is wrong according to French", "pêche": "but canonicalization MUST", "sin": "ignore locale" };
+  check("JCS: locale-independent french vector", cj.stringifyJcs(french) === '{"peach":"This sorting order","péché":"is wrong according to French","pêche":"but canonicalization MUST","sin":"ignore locale"}');
+
+  // "values" numbers: the ECMAScript Number-to-string format JCS §3.2.2.3 references.
+  // Number("…") avoids a loss-of-precision lint on the deliberately
+  // over-precise vector value (333333333.33333329 → 333333333.3333333).
+  check("JCS: number formatting vector", cj.stringifyJcs([Number("333333333.33333329"), 1e30, 4.50, 2e-3, Number("0.000000000000000000000000001")]) === "[333333333.3333333,1e+30,4.5,0.002,1e-27]");
+
+  // Astral key sorts by UTF-16 code unit: "$"(U+0024) < "€"(U+20AC) <
+  // "😂"(lead surrogate U+D83D).
+  check("JCS: astral key UTF-16 ordering", cj.stringifyJcs({ "€": 1, "$": 2, "😂": 3 }) === '{"$":2,"€":1,"😂":3}');
+
+  // Unnormalized Unicode is preserved, NOT normalized (A + combining ring
+  // stays two code points).
+  check("JCS: no Unicode normalization", cj.stringifyJcs({ k: "Å" }) === '{"k":"Å"}');
+}
+
+function testSparseArrays() {
+  // Sparse-array holes serialize as null, not invalid JSON elisions ([,1]).
+  var sparse = [1, , 3]; // eslint-disable-line no-sparse-arrays
+  check("JCS: sparse array holes → null", cj.stringifyJcs(sparse) === "[1,null,3]");
+  check("JCS: explicit undefined in array → null", cj.stringifyJcs([1, undefined, 3]) === "[1,null,3]");
+}
+
+function testStrictRefusals() {
+  check("JCS: BigInt refused", /BigInt/.test(code(function () { cj.stringifyJcs({ n: 1n }); })));
+  check("JCS: Buffer refused", /Buffer/.test(code(function () { cj.stringifyJcs({ b: Buffer.from("x") }); })));
+  check("JCS: Date refused", /Date/.test(code(function () { cj.stringifyJcs({ d: new Date() }); })));
+  check("JCS: Map refused", /Map/.test(code(function () { cj.stringifyJcs({ m: new Map() }); })));
+  check("JCS: circular reference refused", /circular/.test(code(function () { var o = {}; o.self = o; cj.stringifyJcs(o); })));
+}
+
+function testLenientStringify() {
+  // The lenient framework variant serializes Buffers (hex), Dates (ISO),
+  // and BigInts (decimal) while still sorting keys.
+  check("stringify: sorts keys", cj.stringify({ b: 1, a: 2 }) === '{"a":2,"b":1}');
+  check("stringify: Buffer → hex", cj.stringify({ k: Buffer.from("ab") }) === '{"k":"6162"}');
+  check("stringify: bufferAs reject throws", /reject/.test(code(function () { cj.stringify({ k: Buffer.from("x") }, { bufferAs: "reject" }); })));
+}
+
+async function run() {
+  testSurface();
+  testJcsConformance();
+  testSparseArrays();
+  testStrictRefusals();
+  testLenientStringify();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[canonical-json] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.1.16",
+  "version": "0.1.18",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {