npm - @blamejs/blamejs-shop - Versions diffs - 0.1.7 → 0.1.8 - Mend

@blamejs/blamejs-shop 0.1.7 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/CHANGELOG.md +2 -0
package/README.md +1 -1
package/lib/admin.js +272 -33
package/lib/order.js +70 -12
package/lib/vendor/MANIFEST.json +2 -2
package/lib/vendor/blamejs/CHANGELOG.md +2 -0
package/lib/vendor/blamejs/README.md +1 -1
package/lib/vendor/blamejs/SECURITY.md +1 -1
package/lib/vendor/blamejs/api-snapshot.json +10 -2
package/lib/vendor/blamejs/lib/network-dnssec.js +158 -7
package/lib/vendor/blamejs/package.json +1 -1
package/lib/vendor/blamejs/release-notes/v0.12.50.json +18 -0
package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +13 -0
package/lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js +121 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 ## v0.1.x
+- v0.1.8 (2026-05-25) — **Admin console — an orders screen with full lifecycle control.** Orders join the admin console. `/admin/orders` lists recent orders newest-first with one-click status filters, and each order opens to its line items, totals, shipping address, and payment reference. From the detail page an operator drives the order through its lifecycle — mark paid, start fulfilment, mark shipped, mark delivered, cancel, refund — with only the moves that are legal from the current status offered as buttons; an illegal move is refused with a notice rather than an error. Refund moves money, so the console Refund button issues a real payment-provider refund (and only appears when a provider is wired and the order has a captured intent) before the order advances to refunded. As with Products, every path content-negotiates: a bearer-token client gets the JSON API unchanged, a signed-in browser gets the HTML console. **Added:** *Orders management screen* — `/admin/orders` renders recent orders as a table (order, status, item count, total, placed date) with status-filter chips, when opened in a signed-in browser; the same path serves a new JSON list to a bearer-token client. Each order links to a detail page showing its line items, subtotal / tax / shipping / total, shipping address, and linked payment intent, with the order's legal next transitions as action buttons that post back and redirect (PRG). The Refund button posts to the payment-refund flow — it issues the provider refund and then advances the order, so a console refund never marks an order refunded without moving the money; it appears only when a payment provider is wired and the order has a captured intent (partial refunds remain on the JSON API). A bad or unknown order id renders a 404 page, never a 500; an illegal or failed action redirects back with a notice and leaves the order unchanged. · *order.listRecent + order.transitionsFrom* — `order.listRecent({ limit, status })` returns recent orders across all customers (guest orders included), newest-first, optionally filtered to one status, with line items and shipping hydrated. `order.transitionsFrom(status)` returns the lifecycle moves legal from a given status as `{ on, to, label }` — both derived from a single order-FSM edge list, so the console actions stay in lockstep with the state machine. **Changed:** *Console nav gains Orders; dashboard orders link through* — The signed-in admin nav now includes Orders alongside Home, Dashboard, Products, Integrations, and Setup. The dashboard's recent-orders list links each row to its order detail.
 - v0.1.7 (2026-05-25) — **Admin console — persistent navigation and a products screen.** The admin is now a cohesive, navigable web console rather than a set of disconnected pages. A persistent nav (Home, Dashboard, Products, Integrations, Setup) runs across every signed-in page, and Products is the first full management screen: browse the catalog, create a product, and archive or restore one — all from the browser. The JSON API is unchanged: an endpoint serves the HTML console to a signed-in browser and JSON to a bearer-token client, so tooling keeps working exactly as before. **Added:** *Console navigation* — Every signed-in admin page shares a top nav with the current section highlighted, so the dashboard, products, integrations, and setup wizard are one console. The shell is the same brand-matched layout as the dashboard. · *Products management screen* — `/admin/products` renders the catalog as a table (title, slug, status) with Archive / Restore actions and a New-product form, when opened in a signed-in browser. The same path returns the existing JSON list to a bearer-token client; create, archive, and restore content-negotiate the same way (browser form → redirect; bad input re-renders with a notice, never a 500). The product create / archive / restore JSON API is unchanged.
 - v0.1.6 (2026-05-25) — **Claim past guest orders when a shopper signs in.** A shopper who checked out as a guest and later signs in with a provider-verified email now finds those past orders attached to their account. Checkout records a hash of the buyer's email on the order; on Google sign-in, orders placed under that same email — and not yet owned by anyone — are claimed into the account. Linking happens only on an email the identity provider verified, never on an unverified one, so it can't be used to steal another shopper's order history. **Added:** *Guest-order reconciliation on sign-in* — Orders now carry a `customer_email_hash` (migration 0206), written at checkout from the buyer's email with the same key the customers table uses. On a verified Google sign-in, `order.linkGuestOrdersByEmailHash` claims every ownerless order under that email into the account — so prior guest purchases appear in /account and satisfy customer-scoped checks (e.g. verified-buyer reviews). Only ownerless orders are touched (an order already attached to a customer is never reassigned), and only a provider-verified email triggers a link.

package/README.md CHANGED Viewed

@@ -72,7 +72,7 @@ Every primitive is composed on the vendored blamejs surface — no npm runtime d
 | **`lib/collections.js`** | Curated + smart product groupings. `GET /collections` lists the shop's active collections; `GET /collections/:slug` renders the grid — manual collections list hand-picked members, smart collections evaluate stored rules against the active catalog and apply the collection's sort strategy. Each product resolves fresh, so archived products drop out. Public, no sign-in; a bad or unknown slug is a 404 (never a 500). Linked from the footer on every page. |
 | **`lib/subscriptions.js`** | Stripe-backed recurring billing — `subscription_plans` (interval / amount / trial) + `subscriptions` (mirrors Stripe's object byte-for-byte). `subscriptions.create` POSTs to Stripe via the payment dep, then persists the returned object locally. `handleStripeEvent` replays `customer.subscription.*` events into the local row so the shop has an authoritative view without round-tripping. |
 | **`lib/newsletter.js`** | Operator-collected email broadcast list — `signup({ email, source })` composes `b.guardEmail` for shape validation, `b.crypto.namespaceHash` for the dedup key, and `INSERT OR IGNORE` for idempotency. Storefront POST `/newsletter` route renders a designed thank-you card with separate copy for the `new` vs `dedup` branches. |
-| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), a guided **setup wizard** at `/admin/setup` that writes shop identity to config, and the analytics dashboard — all reachable by the cookie or the bearer token. |
+| **`lib/admin.js`** | Bearer-token-gated CRUD over catalog + orders + refunds + bulk CSV import + subscription plans + review moderation + return moderation. Token compared via `b.crypto.timingSafeEqual`. Errors as RFC 9457 problem documents via `b.problemDetails`. Audit emission on every mutation. Also serves a **browser admin console**: sign in at `/admin` by pasting the API key (sealed `shop_admin` session cookie, SameSite=Strict, /admin-scoped), with a persistent nav across every signed-in page. A guided **setup wizard** at `/admin/setup` writes shop identity to config; **Products** (`/admin/products`) browses the catalog and creates / archives / restores; **Orders** (`/admin/orders`) lists recent orders with status filters, opens an order's items, totals, and shipping address, and drives the lifecycle (mark paid → fulfil → ship → deliver, cancel, refund) through the order FSM. Each console path content-negotiates: a bearer-token client still gets the JSON API unchanged, a signed-in browser gets HTML. Reachable by the cookie or the bearer token. |
 | **`lib/catalog-import.js`** | Bulk CSV import — `POST /admin/catalog/import` accepts a `text/csv` body, parses via `b.csv`, content-safety-filters every cell through `b.guardCsv` (formula-injection / bidi / control / dangerous-function denylist), validates exact header order, de-dupes rows by `product_slug`, returns per-row errors without aborting. Default 1 MiB / 10000 rows caps. |
 | **`lib/theme.js`** | File-backed templates with fallback chain. Operators register a named theme under `<themesDir>/<name>/*.html` and the storefront dispatches every renderer through it. `assetUrl(path)` resolves to `/assets/themes/<name>/<path>`. The shipped `default` theme is the fallback. |

package/lib/admin.js CHANGED Viewed

@@ -599,50 +599,152 @@ function mount(router, deps) {
   // ---- orders ---------------------------------------------------------
-  router.get("/admin/orders/:id", R(async function (req, res) {
-    var o = await order.get(req.params.id);
-    if (!o) return _problem(res, 404, "order-not-found");
-    _json(res, 200, o);
-  }));
-  router.post("/admin/orders/:id/transition", W("order.transition", async function (req, res) {
-    var body = req.body || {};
-    if (!body.event) throw new TypeError("admin.order.transition: body.event required");
-    var o = await order.transition(req.params.id, body.event, { reason: body.reason, metadata: body.metadata });
-    _json(res, 200, o);
-    return o;
-  }));
-  // ---- refunds --------------------------------------------------------
+  // Recent orders across all customers. Bearer → no list endpoint existed
+  // before, so this adds one (JSON); a signed-in browser gets the console.
+  router.get("/admin/orders", _pageOrApi(true,
+    R(async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var status = url && url.searchParams.get("status");
+      var limitS = url && url.searchParams.get("limit");
+      var limit  = limitS == null ? 50 : parseInt(limitS, 10);
+      var list = await order.listRecent({ status: status || undefined, limit: limit });
+      _json(res, 200, list);
+    }),
+    async function (req, res) {
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      var statusRaw = url && url.searchParams.get("status");
+      // A bad ?status= filter falls back to "all" rather than erroring the
+      // page — the operator just sees everything, which is a safe default.
+      var status = null, notice = null;
+      if (statusRaw) {
+        try { await order.listRecent({ status: statusRaw, limit: 1 }); status = statusRaw; }
+        catch (_e) { notice = "Unknown status filter — showing all orders."; }
+      }
+      var list = await order.listRecent({ status: status || undefined, limit: 100 });
+      _sendHtml(res, 200, renderAdminOrders({
+        shop_name: deps.shop_name, orders: list.rows || [],
+        status: status, notice: notice,
+      }));
+    },
+  ));
-  if (payment) {
-    router.post("/admin/orders/:id/refund", W("order.refund", async function (req, res) {
+  router.get("/admin/orders/:id", _pageOrApi(true,
+    R(async function (req, res) {
       var o = await order.get(req.params.id);
       if (!o) return _problem(res, 404, "order-not-found");
-      if (!o.payment_intent_id) return _problem(res, 422, "no-payment-intent", "Order has no linked payment intent");
+      _json(res, 200, o);
+    }),
+    async function (req, res) {
+      var o;
+      // A malformed id throws (defensive id reader) — render 404, not 500.
+      try { o = await order.get(req.params.id); }
+      catch (e) { if (!(e instanceof TypeError)) throw e; o = null; }
+      if (!o) return _sendHtml(res, 404, renderAdminOrders({
+        shop_name: deps.shop_name, orders: [], notice: "Order not found.",
+      }));
+      var url = req.url ? new URL(req.url, "http://localhost") : null;
+      _sendHtml(res, 200, renderAdminOrder({
+        shop_name:   deps.shop_name,
+        order:       o,
+        transitions: order.transitionsFrom(o.status),
+        // Refund moves money, so the console only offers it when a payment
+        // provider is wired AND the order has a captured intent to refund.
+        can_refund:  !!(payment && o.payment_intent_id),
+        moved:       url && url.searchParams.get("moved"),
+        notice:      url && url.searchParams.get("err") ? "That action couldn't be completed for this order." : null,
+      }));
+    },
+  ));
+  router.post("/admin/orders/:id/transition", _pageOrApi(false,
+    W("order.transition", async function (req, res) {
       var body = req.body || {};
-      var refundIdempotencyKey = "refund:" + o.id + ":" + (body.idempotency_suffix || _b().uuid.v7());
-      var refund;
+      if (!body.event) throw new TypeError("admin.order.transition: body.event required");
+      var o = await order.transition(req.params.id, body.event, { reason: body.reason, metadata: body.metadata });
+      _json(res, 200, o);
+      return o;
+    }),
+    async function (req, res) {
+      // Browser form → run the transition, then redirect back to the
+      // detail (PRG). A bad id (TypeError) or an FSM refusal (the move
+      // isn't legal from this status) surfaces as a notice, not a 500;
+      // any other failure propagates.
+      var id = req.params.id;
+      var event = (req.body || {}).event;
+      if (!event) return _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?err=1");
       try {
-        refund = await payment.refund({
-          payment_intent: o.payment_intent_id,
-          amount_minor:   body.amount_minor || undefined,
-          reason:         body.reason || undefined,
-          metadata:       { order_id: o.id },
-        }, refundIdempotencyKey);
+        await order.transition(id, event, { reason: "admin:console" });
       } catch (e) {
-        return _problem(res, 502, "stripe-refund-failed", (e && e.message) || String(e));
+        if (e instanceof TypeError || (e && e.code && /FSM|TRANSITION|GUARD/i.test(e.code))) {
+          return _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?err=1");
+        }
+        throw e;
       }
+      _b().audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.transition", outcome: "success", metadata: { id: id, event: event } });
+      _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?moved=1");
+    },
+  ));
+  // ---- refunds --------------------------------------------------------
+  if (payment) {
+    // Issue the actual payment-provider refund, then advance the order
+    // FSM. Shared by the JSON API and the browser console so a console
+    // "Refund" moves the money first (never a bare state change — that
+    // would mark an order refunded with the customer never paid back).
+    async function _refundOrder(o, body) {
+      var refundIdempotencyKey = "refund:" + o.id + ":" + (body.idempotency_suffix || _b().uuid.v7());
+      var refund = await payment.refund({
+        payment_intent: o.payment_intent_id,
+        amount_minor:   body.amount_minor || undefined,
+        reason:         body.reason || undefined,
+        metadata:       { order_id: o.id },
+      }, refundIdempotencyKey);
       try {
         await order.transition(o.id, "refund", {
           reason:   "admin:refund:" + (body.reason || "requested_by_customer"),
           metadata: { stripe_refund_id: refund.id, amount_minor: refund.amount },
         });
-      } catch (_e) { /* refund succeeded at Stripe; transition refusal logged, surface to operator via re-fetch */ }
-      var updated = await order.get(o.id);
-      _json(res, 200, { refund: refund, order: updated });
-      return { id: o.id };
-    }));
+      } catch (_e) { /* refund succeeded at the provider; transition refusal logged, surfaced via re-fetch */ }
+      return { refund: refund, order: await order.get(o.id) };
+    }
+    router.post("/admin/orders/:id/refund", _pageOrApi(false,
+      W("order.refund", async function (req, res) {
+        var o = await order.get(req.params.id);
+        if (!o) return _problem(res, 404, "order-not-found");
+        if (!o.payment_intent_id) return _problem(res, 422, "no-payment-intent", "Order has no linked payment intent");
+        var result;
+        try {
+          result = await _refundOrder(o, req.body || {});
+        } catch (e) {
+          return _problem(res, 502, "stripe-refund-failed", (e && e.message) || String(e));
+        }
+        _json(res, 200, result);
+        return { id: o.id };
+      }),
+      async function (req, res) {
+        // Browser console: full refund (partial refunds stay on the JSON
+        // API via amount_minor), then PRG back to the detail. A bad id or
+        // missing payment intent surfaces as a notice, never a 500.
+        var id = req.params.id;
+        var o;
+        try { o = await order.get(id); }
+        catch (e) { if (!(e instanceof TypeError)) throw e; o = null; }
+        if (!o || !o.payment_intent_id) {
+          return _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?err=1");
+        }
+        try {
+          await _refundOrder(o, { reason: "requested_by_customer" });
+        } catch (_e) {
+          // Provider refund failed — the order is untouched (the FSM
+          // transition only runs after a successful refund).
+          return _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?err=1");
+        }
+        _b().audit.safeEmit({ action: AUDIT_NAMESPACE + ".order.refund", outcome: "success", metadata: { id: id } });
+        _redirect(res, "/admin/orders/" + encodeURIComponent(id) + "?moved=1");
+      },
+    ));
   }
   // ---- reviews (moderation) -------------------------------------------
@@ -1232,6 +1334,15 @@ var DASHBOARD_LAYOUT =
   "    .btn:hover { background:var(--accent-d); border-color:var(--accent-d); }\n" +
   "    .btn--ghost { background:transparent; color:var(--ink); border-color:var(--ink); }\n" +
   "    .btn--ghost:hover { background:var(--ink); color:var(--paper); }\n" +
+  "    .btn--danger { background:transparent; color:var(--accent-d); border-color:var(--accent-d); }\n" +
+  "    .btn--danger:hover { background:var(--accent-d); color:var(--paper); }\n" +
+  "    .order-filters { display:flex; flex-wrap:wrap; gap:.5rem; margin-bottom:1.25rem; }\n" +
+  "    .chip { display:inline-block; padding:.3rem .8rem; border-radius:999px; border:1px solid var(--hair); color:var(--ink-2); text-decoration:none; font-size:.78rem; text-transform:capitalize; }\n" +
+  "    .chip:hover { border-color:var(--accent); }\n" +
+  "    .chip--on { background:var(--ink); color:var(--paper); border-color:var(--ink); }\n" +
+  "    .order-totals { width:100%; }\n" +
+  "    .order-totals td { padding:.3rem 0; }\n" +
+  "    .order-actions { display:flex; flex-wrap:wrap; gap:.6rem; }\n" +
   "    .nav-cards { display:grid; grid-template-columns:repeat(auto-fit,minmax(14rem,1fr)); gap:1rem; }\n" +
   "    .nav-card { display:block; background:var(--paper); border:1px solid var(--hair); border-radius:8px; padding:1.4rem; text-decoration:none; color:var(--ink); }\n" +
   "    .nav-card:hover { border-color:var(--accent); box-shadow:0 8px 20px -12px rgba(0,0,0,.25); }\n" +
@@ -1364,7 +1475,7 @@ function renderDashboard(opts) {
     ? recent.map(function (o) {
         var statusClass = _htmlEscape(o.status);
         return "<tr>" +
-          "<td><span class=\"order-id\">" + _htmlEscape(o.id.slice(0, 8)) + "</span></td>" +
+          "<td><a class=\"order-id\" href=\"/admin/orders/" + _htmlEscape(o.id) + "\">" + _htmlEscape(o.id.slice(0, 8)) + "</a></td>" +
           "<td><span class=\"status-pill " + statusClass + "\">" + _htmlEscape(o.status) + "</span></td>" +
           "<td class=\"num\">" + _htmlEscape(pricing.format(o.grand_total_minor, o.currency)) + "</td>" +
           "</tr>";
@@ -1407,6 +1518,7 @@ var ADMIN_NAV_ITEMS = [
   { key: "home",         href: "/admin",              label: "Home" },
   { key: "dashboard",    href: "/admin/dashboard",    label: "Dashboard" },
   { key: "products",     href: "/admin/products",     label: "Products" },
+  { key: "orders",       href: "/admin/orders",       label: "Orders" },
   { key: "integrations", href: "/admin/integrations", label: "Integrations" },
   { key: "setup",        href: "/admin/setup",        label: "Setup" },
 ];
@@ -1580,6 +1692,131 @@ function renderAdminProducts(opts) {
   return _renderAdminShell(opts.shop_name, "Products", body, "products");
 }
+// created_at / updated_at are epoch-ms numbers (order._now()); render a
+// short, locale-neutral date. Guards against a string or a bad value so a
+// malformed row never throws inside the template.
+function _fmtDate(v) {
+  var n = typeof v === "number" ? v : Date.parse(v);
+  if (!isFinite(n)) return "—";
+  return new Date(n).toISOString().slice(0, 10);
+}
+// The status values an operator can filter the orders list by — drives the
+// filter chips. Kept in render-layer order (lifecycle, then terminal).
+var ORDER_STATUS_FILTERS = ["pending", "paid", "fulfilling", "shipped", "delivered", "refunded", "cancelled"];
+function renderAdminOrders(opts) {
+  opts = opts || {};
+  var orders = opts.orders || [];
+  var notice = opts.notice ? "<div class=\"banner banner--warn\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var active = opts.status || null;
+  var chips = "<div class=\"order-filters\">" +
+    "<a class=\"chip" + (active ? "" : " chip--on") + "\" href=\"/admin/orders\">All</a>" +
+    ORDER_STATUS_FILTERS.map(function (s) {
+      return "<a class=\"chip" + (active === s ? " chip--on" : "") + "\" href=\"/admin/orders?status=" + encodeURIComponent(s) + "\">" + _htmlEscape(s) + "</a>";
+    }).join("") +
+    "</div>";
+  var rows = orders.map(function (o) {
+    var items = (o.lines || []).reduce(function (n, l) { return n + (l.qty || 0); }, 0);
+    return "<tr>" +
+      "<td><a class=\"order-id\" href=\"/admin/orders/" + _htmlEscape(o.id) + "\">" + _htmlEscape(o.id.slice(0, 8)) + "</a></td>" +
+      "<td><span class=\"status-pill " + _htmlEscape(o.status) + "\">" + _htmlEscape(o.status) + "</span></td>" +
+      "<td class=\"num\">" + _htmlEscape(String(items)) + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(pricing.format(o.grand_total_minor, o.currency)) + "</td>" +
+      "<td>" + _htmlEscape(_fmtDate(o.created_at)) + "</td>" +
+      "</tr>";
+  }).join("");
+  var table = orders.length
+    ? "<div class=\"panel\"><table><thead><tr><th>Order</th><th>Status</th><th class=\"num\">Items</th><th class=\"num\">Total</th><th>Placed</th></tr></thead><tbody>" + rows + "</tbody></table></div>"
+    : "<p class=\"empty\">No orders" + (active ? " with status “" + _htmlEscape(active) + "”" : " yet") + ".</p>";
+  var body = "<section><h2>Orders</h2>" + notice + chips + table + "</section>";
+  return _renderAdminShell(opts.shop_name, "Orders", body, "orders");
+}
+function renderAdminOrder(opts) {
+  opts = opts || {};
+  var o = opts.order;
+  var transitions = opts.transitions || [];
+  var moved  = opts.moved  ? "<div class=\"banner banner--ok\">Order updated.</div>" : "";
+  var notice = opts.notice ? "<div class=\"banner banner--err\">" + _htmlEscape(opts.notice) + "</div>" : "";
+  var lineRows = (o.lines || []).map(function (l) {
+    return "<tr>" +
+      "<td>" + _htmlEscape(l.sku) + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(String(l.qty)) + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(pricing.format(l.unit_amount_minor, l.unit_currency)) + "</td>" +
+      "<td class=\"num\">" + _htmlEscape(pricing.format(l.line_total_minor, l.unit_currency)) + "</td>" +
+      "</tr>";
+  }).join("");
+  var linesTable = (o.lines && o.lines.length)
+    ? "<table><thead><tr><th>SKU</th><th class=\"num\">Qty</th><th class=\"num\">Unit</th><th class=\"num\">Line</th></tr></thead><tbody>" + lineRows + "</tbody></table>"
+    : "<p class=\"empty\">No line items recorded.</p>";
+  function _total(label, minor, strong) {
+    return "<tr><td>" + _htmlEscape(label) + "</td><td class=\"num\">" +
+      (strong ? "<strong>" : "") + _htmlEscape(pricing.format(minor, o.currency)) + (strong ? "</strong>" : "") +
+      "</td></tr>";
+  }
+  var totals = "<table class=\"order-totals\"><tbody>" +
+    _total("Subtotal", o.subtotal_minor, false) +
+    (o.discount_minor ? _total("Discount", -o.discount_minor, false) : "") +
+    _total("Tax", o.tax_minor, false) +
+    _total("Shipping", o.shipping_minor, false) +
+    _total("Total", o.grand_total_minor, true) +
+    "</tbody></table>";
+  var ship = o.ship_to || {};
+  var shipLines = [ship.name, ship.line1, ship.line2,
+    [ship.city, ship.region, ship.postal_code].filter(Boolean).join(", "), ship.country]
+    .filter(Boolean).map(function (s) { return _htmlEscape(String(s)); }).join("<br>");
+  // One form per legal next transition. `refund` is special: it moves
+  // money, so it posts to the payment-refund endpoint (which issues the
+  // provider refund THEN advances the FSM) rather than the bare
+  // state-transition endpoint — and only when there's a captured payment
+  // to refund. Every other move posts to /transition. A terminal status
+  // (empty list) shows a note instead of buttons.
+  var actionForms = transitions.map(function (t) {
+    if (t.on === "refund") {
+      if (!opts.can_refund) return "";  // no payment intent — nothing to refund here
+      return "<form method=\"post\" action=\"/admin/orders/" + _htmlEscape(o.id) + "/refund\" style=\"display:inline;\">" +
+        "<button class=\"btn btn--danger\" type=\"submit\">" + _htmlEscape(t.label) + "</button>" +
+        "</form>";
+    }
+    var danger = (t.on === "cancel");
+    return "<form method=\"post\" action=\"/admin/orders/" + _htmlEscape(o.id) + "/transition\" style=\"display:inline;\">" +
+      "<input type=\"hidden\" name=\"event\" value=\"" + _htmlEscape(t.on) + "\">" +
+      "<button class=\"btn" + (danger ? " btn--danger" : "") + "\" type=\"submit\">" + _htmlEscape(t.label) + "</button>" +
+      "</form>";
+  }).filter(Boolean).join(" ");
+  var actions = actionForms || "<span class=\"meta\">This order is in a final state — no further changes.</span>";
+  var body =
+    "<section style=\"max-width:48rem;\">" +
+      "<div class=\"actions-row\"><a class=\"btn btn--ghost\" href=\"/admin/orders\">&larr; Orders</a></div>" +
+      "<h2>Order <code class=\"order-id\">" + _htmlEscape(o.id.slice(0, 8)) + "</code> " +
+        "<span class=\"status-pill " + _htmlEscape(o.status) + "\">" + _htmlEscape(o.status) + "</span></h2>" +
+      "<p class=\"meta\">Placed " + _htmlEscape(_fmtDate(o.created_at)) + " · last updated " + _htmlEscape(_fmtDate(o.updated_at)) +
+        (o.payment_intent_id ? " · payment <code class=\"order-id\">" + _htmlEscape(o.payment_intent_id) + "</code>" : "") + "</p>" +
+      moved + notice +
+      "<div class=\"two-col\">" +
+        "<div class=\"panel\"><h3 style=\"font-size:.95rem; margin-bottom:.75rem;\">Items</h3>" + linesTable + "</div>" +
+        "<div class=\"panel\"><h3 style=\"font-size:.95rem; margin-bottom:.75rem;\">Ship to</h3>" +
+          (shipLines || "<span class=\"meta\">No shipping address.</span>") +
+          "<h3 style=\"font-size:.95rem; margin:1.25rem 0 .75rem;\">Totals</h3>" + totals +
+        "</div>" +
+      "</div>" +
+      "<div class=\"panel\" style=\"margin-top:1.5rem;\"><h3 style=\"font-size:.95rem; margin-bottom:.75rem;\">Actions</h3>" +
+        "<div class=\"order-actions\">" + actions + "</div>" +
+      "</div>" +
+    "</section>";
+  return _renderAdminShell(opts.shop_name, "Order " + o.id.slice(0, 8), body, "orders");
+}
 module.exports = {
   mount:           mount,
   AUDIT_NAMESPACE: AUDIT_NAMESPACE,
@@ -1589,4 +1826,6 @@ module.exports = {
   renderAdminSetup:        renderAdminSetup,
   renderAdminIntegrations: renderAdminIntegrations,
   renderAdminProducts:     renderAdminProducts,
+  renderAdminOrders:       renderAdminOrders,
+  renderAdminOrder:        renderAdminOrder,
 };

package/lib/order.js CHANGED Viewed

@@ -45,6 +45,23 @@ function _b() {
 // ---- FSM definition -----------------------------------------------------
 var _orderFsm = null;
+// The order lifecycle, as edges of the FSM. Single source of truth: the
+// FSM definition below is built from it, and the operator console derives
+// the available actions for an order from it (so a new edge here lights up
+// a button in /admin/orders with no separate map to keep in sync).
+var ORDER_TRANSITIONS = Object.freeze([
+  { from: "pending",    to: "paid",       on: "mark_paid",         label: "Mark paid" },
+  { from: "paid",       to: "fulfilling", on: "start_fulfillment", label: "Start fulfilment" },
+  { from: "fulfilling", to: "shipped",    on: "mark_shipped",      label: "Mark shipped" },
+  { from: "shipped",    to: "delivered",  on: "mark_delivered",    label: "Mark delivered" },
+  { from: "pending",    to: "cancelled",  on: "cancel",            label: "Cancel" },
+  { from: "paid",       to: "cancelled",  on: "cancel",            label: "Cancel" },
+  { from: "paid",       to: "refunded",   on: "refund",            label: "Refund" },
+  { from: "fulfilling", to: "refunded",   on: "refund",            label: "Refund" },
+  { from: "shipped",    to: "refunded",   on: "refund",            label: "Refund" },
+  { from: "delivered",  to: "refunded",   on: "refund",            label: "Refund" },
+]);
 function _getOrderFsm() {
   if (_orderFsm) return _orderFsm;
   // b.fsm emits audit events under the 'fsm' namespace —
@@ -63,24 +80,21 @@ function _getOrderFsm() {
       refunded:   {},
       cancelled:  {},
     },
-    transitions: [
-      { from: "pending",    to: "paid",       on: "mark_paid" },
-      { from: "paid",       to: "fulfilling", on: "start_fulfillment" },
-      { from: "fulfilling", to: "shipped",    on: "mark_shipped" },
-      { from: "shipped",    to: "delivered",  on: "mark_delivered" },
-      { from: "pending",    to: "cancelled",  on: "cancel" },
-      { from: "paid",       to: "cancelled",  on: "cancel" },
-      { from: "paid",       to: "refunded",   on: "refund" },
-      { from: "fulfilling", to: "refunded",   on: "refund" },
-      { from: "shipped",    to: "refunded",   on: "refund" },
-      { from: "delivered",  to: "refunded",   on: "refund" },
-    ],
+    transitions: ORDER_TRANSITIONS.map(function (t) {
+      return { from: t.from, to: t.to, on: t.on };
+    }),
   });
   return _orderFsm;
 }
 var TERMINAL_STATES = Object.freeze(["refunded", "cancelled", "delivered"]);
+// Every state the order FSM can occupy — the allowed values for the
+// `status` filter on the operator-facing recent-orders list.
+var ORDER_STATES = Object.freeze([
+  "pending", "paid", "fulfilling", "shipped", "delivered", "refunded", "cancelled",
+]);
 // Cursor key for listForCustomer — paginates by (updated_at DESC, id
 // DESC) so a newly transitioned order surfaces at the top of the
 // customer's order history without a stable-id tie-break flake.
@@ -356,6 +370,50 @@ function create(opts) {
       return { rows: rows, next_cursor: next };
     },
+    // Operator-facing recent-orders list across ALL customers (guest
+    // orders included), newest first. Unlike listForCustomer this is an
+    // admin view, so it's capped + uncursored: the console shows the most
+    // recent N, optionally filtered to one status. ship_to + lines are
+    // hydrated so the table renders without a trip per row.
+    listRecent: async function (listOpts) {
+      listOpts = listOpts || {};
+      var limit = listOpts.limit == null ? 50 : listOpts.limit;
+      if (!Number.isInteger(limit) || limit <= 0 || limit > MAX_LIST_LIMIT) {
+        throw new TypeError("order.listRecent: limit must be 1..." + MAX_LIST_LIMIT);
+      }
+      var status = listOpts.status == null ? null : listOpts.status;
+      if (status !== null) {
+        if (typeof status !== "string" || ORDER_STATES.indexOf(status) === -1) {
+          throw new TypeError("order.listRecent: status must be one of " + ORDER_STATES.join(", "));
+        }
+      }
+      var sql, params;
+      if (status) {
+        sql = "SELECT * FROM orders WHERE status = ?1 ORDER BY created_at DESC, id DESC LIMIT ?2";
+        params = [status, limit];
+      } else {
+        sql = "SELECT * FROM orders ORDER BY created_at DESC, id DESC LIMIT ?1";
+        params = [limit];
+      }
+      var rows = (await query(sql, params)).rows;
+      for (var i = 0; i < rows.length; i += 1) {
+        rows[i].ship_to = JSON.parse(rows[i].ship_to_json);
+        rows[i].lines   = (await query(
+          "SELECT * FROM order_lines WHERE order_id = ?1 ORDER BY id ASC",
+          [rows[i].id],
+        )).rows;
+      }
+      return { rows: rows };
+    },
+    // The actions available from a given status, as {on, to, label} —
+    // drives the transition buttons on the operator order-detail page.
+    // A terminal status returns []. Synchronous (pure lookup).
+    transitionsFrom: function (status) {
+      return ORDER_TRANSITIONS.filter(function (t) { return t.from === status; })
+        .map(function (t) { return { on: t.on, to: t.to, label: t.label }; });
+    },
     setPaymentIntent: async function (orderId, paymentIntentId) {
       _uuid(orderId, "order id");
       if (typeof paymentIntentId !== "string" || !paymentIntentId.length) {

package/lib/vendor/MANIFEST.json CHANGED Viewed

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.49",
-      "tag": "v0.12.49",
+      "version": "0.12.50",
+      "tag": "v0.12.50",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 ## v0.12.x
+- v0.12.50 (2026-05-25) — **`b.network.dns.dnssec.verifyChain` — validate a DNSSEC delegation chain to a pinned root anchor.** Completes local DNSSEC verification: validate a full delegation chain from the root down to a zone against a pinned trust anchor (RFC 4035 §5), instead of trusting any single resolver. For each link, the zone's DNSKEY RRset must be self-signed by one of its keys, and that key must be vouched for either by a pinned anchor (at the root) or by a DS record served + signed by the already-trusted parent — so trust flows root → TLD → zone with no gap. The IANA root KSKs (KSK-2017 tag 20326, KSK-2024 tag 38696) ship as the default anchors; override with opts.trustAnchors for a private root. verifyChain returns the leaf zone's trusted DNSKEY set, which you then hand to verifyRrset / verifyDenial for the actual answer. Composes verifyRrset + verifyDs + the key tag; verified end-to-end against a live root→org chain. **Added:** *`b.network.dns.dnssec.verifyChain(opts)`* — Walks an ordered, root-first list of `links` ({ zone, dnskeys, dnskeyRrsig, dsRdatas?, dsRrsig? }). At each link it verifies the DNSKEY RRset's self-signature (composing `verifyRrset`), then establishes trust in the signing key: at the root by matching a pinned anchor's DS digest (`verifyDs`), at every delegation by verifying the parent-served DS RRset's signature with the already-trusted parent key and confirming the signing KSK matches one of those DS records. Returns `{ ok, zone, keys, path }` with the leaf zone's trusted DNSKEY set. Refuses a root key that matches no anchor (`dnssec/chain-anchor-mismatch`), a KSK that matches no parent DS (`dnssec/chain-ds-mismatch`), and a missing parent key (`dnssec/chain-no-parent-key`). The default `DEFAULT_ROOT_ANCHORS` are the published IANA root KSK DS records; `opts.trustAnchors` overrides them for a private or test root.
 - v0.12.49 (2026-05-25) — **`b.network.dns.dnssec.verifyDenial` — NSEC / NSEC3 denial-of-existence.** Prove a DNS name does not exist, or has no records of a given type, from the signed NSEC (RFC 4034 §4) or NSEC3 (RFC 5155) records a server returns. This is the other half of local DNSSEC verification: verifyRrset proves a positive answer, verifyDenial proves a negative — so a resolver client can confirm an NXDOMAIN / NODATA itself instead of trusting the upstream resolver. NSEC3 proofs run the closest-encloser / next-closer / covering-range logic over iterated-SHA-1 hashes, with the iteration count capped (default 500) to bound the work an attacker can force, and an Opt-Out NXDOMAIN refused unless explicitly accepted (opt-out only proves 'no signed records', not non-existence). The companion b.network.dns.dnssec.nsec3Hash computes the RFC 5155 §5 hash directly. NSEC verifyRrset support is also enabled: per RFC 6840 §5.1 the NSEC Next Domain Name is not downcased, so its RDATA is verbatim-canonical. **Added:** *`b.network.dns.dnssec.verifyDenial(opts)`* — Proves NXDOMAIN or NODATA from already-verified NSEC / NSEC3 records (supply one of `opts.nsec3` or `opts.nsec`). Like `verifyDs`, it checks the denial RELATION — closest-encloser matching, covering ranges, and type-bitmap absence — not the record signatures, which the caller verifies with `verifyRrset` first. NSEC3 supports name-error proofs (matching closest encloser + covered next-closer + covered wildcard), NODATA (matching record with the type and CNAME absent from the bitmap), Opt-Out DS NODATA, and wildcard NODATA. The iterated-SHA-1 count is capped by `opts.maxIterations` (default 500); an NXDOMAIN proof that depends on an Opt-Out NSEC3 is refused unless `opts.allowOptOut` is set. NSEC supports covering-name NXDOMAIN (with the source-of-synthesis wildcard) and matching-name NODATA. Verified end-to-end against a live iana.org NXDOMAIN proof. · *`b.network.dns.dnssec.nsec3Hash(name, opts)`* — Computes the RFC 5155 §5 NSEC3 hash of a name — iterated SHA-1 over the canonical (lowercased, root-terminated) wire form with the zone salt. The base32hex encoding of the result is the NSEC3 owner label. SHA-1 is the only hash IANA registers for NSEC3, so this is a wire-protocol constant rather than a cryptographic default. Useful for checking an owner label or analyzing a zone's hashing parameters. **Changed:** *`verifyRrset` now accepts NSEC and NSEC3 RRsets* — NSEC (type 47) and NSEC3 (type 50) are no longer refused as uncanonicalizable: NSEC3's next-owner is a hash, and per RFC 6840 §5.1 the NSEC Next Domain Name field is not downcased for DNSSEC canonical form, so both RDATAs are verbatim-canonical. This lets a caller verify the signatures on the records that `verifyDenial` then reasons over.
 - v0.12.48 (2026-05-25) — **`b.network.dns.dnssec` — local DNSSEC signature verification (RFC 4035).** Verify a DNS answer's RRSIG signature yourself instead of trusting the upstream resolver's AD bit. b.network.dns.dnssec.verifyRrset reconstructs the RFC 4034 §3.1.8.1 signed data — the RRSIG RDATA without the signature, followed by the RRset in canonical form (owner names lowercased, RRs ordered by canonical RDATA, the RRSIG's Original TTL) — and checks the signature against the DNSKEY, enforcing the inception / expiration window. Supports RSA/SHA-256 (alg 8), ECDSA P-256/SHA-256 (13), ECDSA P-384/SHA-384 (14), and Ed25519 (15) — the modern deployed set. verifyDs checks a delegation-signer digest against a DNSKEY (SHA-256 / SHA-384) and keyTag computes the RFC 4034 Appendix B key tag. The verification core is what a chain-walker composes; it defends against a compromised or on-path resolver that lies about authentication. **Added:** *`b.network.dns.dnssec.verifyRrset(opts)`* — Verifies an RRSIG over a canonicalised RRset against a DNSKEY. `opts` carries the owner `name`, the RR `type`, the wire-format `rdatas`, the parsed `rrsig` (algorithm / labels / originalTtl / inception / expiration / keyTag / signerName / signature), and the `dnskey` (algorithm + raw public key). The signed data is rebuilt per RFC 4034 §3.1.8.1: the RRSIG prefix (type covered | algorithm | labels | original TTL | expiration | inception | key tag | canonical signer name) followed by each RR in canonical form (lowercased owner | type | class | original TTL | rdlen | rdata), sorted by `Buffer.compare` on the RDATA. The validity window is enforced against `opts.at` (defaults to now; an invalid Date is refused, not treated as now). An RRSIG whose algorithm disagrees with the DNSKEY is refused before any key is built. RR types that embed domain names in their RDATA (NS, CNAME, SOA, MX, SRV, …) need RDATA-internal name-lowercasing this version does not perform, so they are refused with `dnssec/uncanonicalizable-type` rather than mis-validated; the security-critical DNSKEY / DS and the name-free address / text types (A, AAAA, TXT, CAA, TLSA, …) are fully supported. · *`b.network.dns.dnssec.verifyDs(opts)` / `b.network.dns.dnssec.keyTag(dnskeyRdata)`* — `verifyDs` confirms a delegation-signer record matches a DNSKEY: it checks the key tag, then compares the DS digest (SHA-256 type 2 / SHA-384 type 4) against the digest computed over the canonical owner name and the DNSKEY RDATA, constant-time. `keyTag` computes the RFC 4034 Appendix B 16-bit key tag from a DNSKEY's full RDATA — the identifier an RRSIG or DS uses to select the signing key. Together with `verifyRrset` these are the per-RRset building blocks a recursive chain-walk (root → TLD → zone) composes; the chain-walk itself, NSEC / NSEC3 denial-of-existence, and the bundled IANA root trust anchor are not part of this core.

package/lib/vendor/blamejs/README.md CHANGED Viewed

@@ -120,7 +120,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
   - In-process CIDR fence (`b.middleware.networkAllowlist`)
   - `Cache-Control: no-store` on every 401 from `requireAuth` / `requireAal` / `requireStepUp` per RFC 9111 §5.2.2.5
 - **Outbound HTTP client** — HTTP/1.1 + HTTP/2 with SSRF gate (cloud-metadata IPs hard-denied; private / loopback / link-local overridable per call); scheme + userinfo + per-host destination allowlist; redirects, multipart, interceptors, progress, encrypted cookie jar (`b.httpClient`, `b.ssrfGuard`, `b.safeUrl`)
-- **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
+- **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling, plus `verifyChain` to validate a full root→TLD→zone delegation chain against the pinned IANA root anchors) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
 - **Error pages** — operator-rendered, no app-frame leakage (`b.errorPage`)
 ### Defensive parsers

package/lib/vendor/blamejs/SECURITY.md CHANGED Viewed

@@ -351,7 +351,7 @@ This is the minimum-viable security posture for a production deployment. The fra
 - [ ] At boot, before any outbound socket opens: call `b.network.bootFromEnv({ env: process.env, audit: b.audit })` so operator-supplied NTP / DNS / proxy / DPI-trust / TCP socket settings (`BLAMEJS_NTP_*`, `BLAMEJS_DNS_*`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`, `BLAMEJS_EXTRA_CA_CERTS`, `BLAMEJS_SOCKET_*`) apply uniformly
 - [ ] If the deployment sits behind a deep-packet-inspection proxy with its own re-signing CA: install the CA via `b.network.tls.addCa("/path/to/corp-ca.pem", { label: "corp-mitm" })` and pass `allowDpiTrust: true` to `b.security.assertProduction` — every CA addition audits with subject + fingerprint so a forensic review can reconstruct the trust path
 - [ ] For authenticated time (HIPAA / PCI / FIPS shops): use `b.network.ntp.nts.query({ host: ntsKeServer })` (RFC 8915) instead of plain SNTP; set `BLAMEJS_NTS_REQUIRE=1` to fail closed on negotiation failure
-- [ ] When a DNS answer drives a trust decision (DANE / TLSA pinning, SSHFP, CAA enforcement, OPENPGPKEY lookup) and the upstream resolver isn't itself trusted: verify the answer's DNSSEC signature with `b.network.dns.dnssec.verifyRrset(...)` rather than trusting the resolver's AD bit — an on-path or compromised resolver can set AD on a forged answer, but cannot forge the RRSIG. Validate the DNSKEY against the parent's DS with `b.network.dns.dnssec.verifyDs(...)` up the chain to a trust anchor you pin. For a negative answer that drives a fail-closed decision (an allowlist lookup, a revocation check), verify the NSEC / NSEC3 proof with `b.network.dns.dnssec.verifyDenial(...)` so a forged NXDOMAIN cannot suppress a record; keep the default Opt-Out refusal unless the zone's opt-out spans are acceptable for that decision
+- [ ] When a DNS answer drives a trust decision (DANE / TLSA pinning, SSHFP, CAA enforcement, OPENPGPKEY lookup) and the upstream resolver isn't itself trusted: verify the answer's DNSSEC signature with `b.network.dns.dnssec.verifyRrset(...)` rather than trusting the resolver's AD bit — an on-path or compromised resolver can set AD on a forged answer, but cannot forge the RRSIG. Validate the whole delegation chain root→TLD→zone with `b.network.dns.dnssec.verifyChain(...)` (default-pinned to the IANA root KSKs, or `trustAnchors` for a private root) so trust is anchored, not borrowed from the resolver. For a negative answer that drives a fail-closed decision (an allowlist lookup, a revocation check), verify the NSEC / NSEC3 proof with `b.network.dns.dnssec.verifyDenial(...)` so a forged NXDOMAIN cannot suppress a record; keep the default Opt-Out refusal unless the zone's opt-out spans are acceptable for that decision
 - [ ] At boot in production: call `await b.security.assertProduction({ vault: "wrapped", dbAtRest: "encrypted", auditSigning: "wrapped", ntpStrict: true, requireEnv: ["BLAMEJS_VAULT_PASSPHRASE"], dataDir: "./data" })` to refuse to start on weak posture instead of warning
 - [ ] At boot: call `await b.configDrift.create({ dataDir, audit }).checkpoint({ allowedOrigins, csp, vaultMode, ... })` so the next boot detects + audits any silent runtime config change
 - [ ] At boot, before any listener opens: call `b.configDrift.verifyVendorIntegrity({ manifestPath: "./lib/vendor/MANIFEST.json", audit: b.audit })` so a tampered `lib/vendor/*.cjs` artifact aborts start instead of running with a swapped crypto bundle

package/lib/vendor/blamejs/api-snapshot.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.49",
-  "createdAt": "2026-05-25T12:28:18.912Z",
+  "frameworkVersion": "0.12.50",
+  "createdAt": "2026-05-25T13:31:06.521Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -41674,6 +41674,10 @@
                     }
                   }
                 },
+                "DEFAULT_ROOT_ANCHORS": {
+                  "type": "instance",
+                  "ctorName": "Array"
+                },
                 "DnssecError": {
                   "type": "function",
                   "arity": 4
@@ -41686,6 +41690,10 @@
                   "type": "function",
                   "arity": 2
                 },
+                "verifyChain": {
+                  "type": "function",
+                  "arity": 1
+                },
                 "verifyDenial": {
                   "type": "function",
                   "arity": 1

package/lib/vendor/blamejs/lib/network-dnssec.js CHANGED Viewed

@@ -721,12 +721,163 @@ function _commonSuffixLen(a, b) {
   return n;
 }
+// ---------------------------------------------------------------------------
+// Chain validation (RFC 4035 §5) — walk a delegation chain root → … → zone,
+// anchoring at a pinned trust anchor.
+// ---------------------------------------------------------------------------
+// IANA root zone trust anchors (DS / SHA-256). KSK-2017 (tag 20326) and
+// KSK-2024 (tag 38696), published at data.iana.org/root-anchors. An
+// operator pins their own via opts.trustAnchors.
+var DEFAULT_ROOT_ANCHORS = [
+  { keyTag: 20326, algorithm: 8, digestType: 2, digest: Buffer.from("E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D", "hex") },   // allow:raw-byte-literal — IANA root KSK-2017 DS
+  { keyTag: 38696, algorithm: 8, digestType: 2, digest: Buffer.from("683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16", "hex") },   // allow:raw-byte-literal — IANA root KSK-2024 DS
+];
+function _dnskeyParts(rdata, what) {
+  var rd = _bytes(rdata, what || "dnskey rdata");
+  if (rd.length < 4) throw new DnssecError("dnssec/bad-key", "dnssec: DNSKEY RDATA too short");   // allow:raw-byte-literal — DNSKEY fixed header octets
+  return { flags: rd.readUInt16BE(0), algorithm: rd[3], publicKey: rd.slice(4) };
+}
+function _parseDsRdata(rd) {
+  if (rd.length < 5) throw new DnssecError("dnssec/bad-ds", "dnssec: DS RDATA too short");   // allow:raw-byte-literal — DS fixed header octets
+  return { keyTag: rd.readUInt16BE(0), algorithm: rd[2], digestType: rd[3], digest: rd.slice(4) };
+}
+// ALL DNSKEYs whose key tag matches — 16-bit key tags collide (RFC 4034
+// App B), so a verifier must try every candidate, not just the first.
+function _keysByTag(dnskeys, tag) {
+  var out = [];
+  for (var i = 0; i < dnskeys.length; i++) if (keyTag(dnskeys[i]) === tag) out.push(dnskeys[i]);
+  return out;
+}
+// Verify an RRset against EVERY DNSKEY whose tag matches the RRSIG,
+// returning the key that validated. A wrong colliding key yields
+// `dnssec/bad-signature` — that is not terminal, the next candidate is
+// tried; any other error (expired, alg) is terminal. RFC 4035 §5.3.1.
+function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMsg) {
+  if (candidates.length === 0) throw new DnssecError(noKeyCode, noKeyMsg);
+  var lastErr = null;
+  for (var i = 0; i < candidates.length; i++) {
+    var kp = _dnskeyParts(candidates[i]);
+    if (kp.algorithm !== rrsig.algorithm) { lastErr = new DnssecError("dnssec/alg-mismatch", "dnssec.verifyChain: candidate key algorithm does not match the RRSIG"); continue; }
+    try {
+      verifyRrset(Object.assign({}, rrsetBase, { rrsig: rrsig, dnskey: { algorithm: kp.algorithm, publicKey: kp.publicKey } }));
+      return candidates[i];
+    } catch (e) {
+      if (e && e.code === "dnssec/bad-signature") { lastErr = e; continue; }   // colliding non-signing key — try the next
+      throw e;
+    }
+  }
+  throw lastErr;
+}
+/**
+ * @primitive b.network.dns.dnssec.verifyChain
+ * @signature b.network.dns.dnssec.verifyChain(opts)
+ * @since     0.12.50
+ * @status    stable
+ * @compliance soc2
+ * @related   b.network.dns.dnssec.verifyRrset, b.network.dns.dnssec.verifyDs
+ *
+ * Validate a DNSSEC delegation chain from the root down to a zone, against
+ * a pinned trust anchor (RFC 4035 §5). For each link, the zone's DNSKEY
+ * RRset must be self-signed by one of its keys; that signing key must be
+ * vouched for either by a pinned anchor (root) or by a DS record served by
+ * the already-trusted parent. The DS RRset itself is verified against the
+ * parent's keys, so trust flows root → TLD → zone with no gap. The default
+ * anchors are the IANA root KSKs; override with <code>opts.trustAnchors</code>.
+ *
+ * This composes <code>verifyRrset</code> + <code>verifyDs</code> + the key
+ * tag; it returns the leaf zone's trusted DNSKEY set, which the caller then
+ * passes to <code>verifyRrset</code> / <code>verifyDenial</code> for the
+ * actual answer.
+ *
+ * @opts
+ *   {
+ *     links: [ {                        // ordered root-first
+ *       zone:        string,
+ *       dnskeys:     Buffer[],          // the zone's DNSKEY RRset RDATAs
+ *       dnskeyRrsig: { algorithm, labels, originalTtl, expiration, inception, keyTag, signerName, signature },
+ *       dsRdatas?:   Buffer[],          // DS RRset for this zone (served by parent; omit for root)
+ *       dsRrsig?:    { ... },           // RRSIG over the DS RRset (signed by parent; omit for root)
+ *     } ],
+ *     trustAnchors?: [ { keyTag, algorithm, digestType, digest: Buffer } ],  // default IANA root
+ *     at?:           Date,             // validity instant (default now)
+ *   }
+ *
+ * @example
+ *   var trusted = b.network.dns.dnssec.verifyChain({ links: [rootLink, orgLink] });
+ *   // → { ok: true, zone: "org.", keys: [ ...trusted org DNSKEY rdatas ] }
+ */
+function verifyChain(opts) {
+  validateOpts.requireObject(opts, "dnssec.verifyChain", DnssecError);
+  validateOpts(opts, ["links", "trustAnchors", "at"], "dnssec.verifyChain");
+  if (!Array.isArray(opts.links) || opts.links.length === 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyChain: opts.links must be a non-empty array");
+  var anchors = opts.trustAnchors !== undefined ? opts.trustAnchors : DEFAULT_ROOT_ANCHORS;
+  if (!Array.isArray(anchors) || anchors.length === 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyChain: opts.trustAnchors must be a non-empty array");
+  var trustedKeys = null, path = [];
+  for (var i = 0; i < opts.links.length; i++) {
+    var link = opts.links[i];
+    if (!link || typeof link.zone !== "string" || link.zone === "") throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].zone is required");
+    if (!Array.isArray(link.dnskeys) || link.dnskeys.length === 0) throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].dnskeys must be a non-empty array");
+    if (!link.dnskeyRrsig || typeof link.dnskeyRrsig !== "object") throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].dnskeyRrsig is required");
+    // 1. The DNSKEY RRset is self-signed by one of its own keys (trying
+    //    every key whose tag matches, since tags collide).
+    var signer = _verifyRrsetWithAnyKey(
+      { name: link.zone, type: "DNSKEY", rdatas: link.dnskeys, at: opts.at },
+      link.dnskeyRrsig,
+      _keysByTag(link.dnskeys, link.dnskeyRrsig.keyTag),
+      "dnssec/chain-no-signing-key", "dnssec.verifyChain: no DNSKEY in '" + link.zone + "' verifies the DNSKEY RRSIG"
+    );
+    // 2. Establish trust in the signing key.
+    var signerTag = keyTag(signer);
+    if (i === 0) {
+      // Root: the signing key must match a pinned anchor's DS digest.
+      var matched = false;
+      for (var a = 0; a < anchors.length; a++) {
+        if (anchors[a].keyTag !== signerTag) continue;
+        try { verifyDs({ ownerName: link.zone, dnskeyRdata: signer, ds: anchors[a] }); matched = true; break; } catch (_e) { /* try the next anchor */ }
+      }
+      if (!matched) throw new DnssecError("dnssec/chain-anchor-mismatch", "dnssec.verifyChain: root DNSKEY does not match any pinned trust anchor");
+    } else {
+      // Delegation: the parent (already trusted) signed a DS RRset for this
+      // zone, and the signing KSK matches one of those DS records.
+      if (!Array.isArray(link.dsRdatas) || link.dsRdatas.length === 0 || !link.dsRrsig || typeof link.dsRrsig !== "object") {
+        throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "] needs dsRdatas + dsRrsig (DS served by the parent)");
+      }
+      _verifyRrsetWithAnyKey(
+        { name: link.zone, type: "DS", rdatas: link.dsRdatas, at: opts.at },
+        link.dsRrsig,
+        _keysByTag(trustedKeys, link.dsRrsig.keyTag),
+        "dnssec/chain-no-parent-key", "dnssec.verifyChain: no trusted parent key verifies the DS RRSIG for '" + link.zone + "'"
+      );
+      var dsMatched = false;
+      for (var d = 0; d < link.dsRdatas.length; d++) {
+        var dsObj = _parseDsRdata(_bytes(link.dsRdatas[d], "dsRdatas[" + d + "]"));
+        if (dsObj.keyTag !== signerTag) continue;
+        try { verifyDs({ ownerName: link.zone, dnskeyRdata: signer, ds: dsObj }); dsMatched = true; break; } catch (_e) { /* try the next DS */ }
+      }
+      if (!dsMatched) throw new DnssecError("dnssec/chain-ds-mismatch", "dnssec.verifyChain: the signing KSK of '" + link.zone + "' matches no parent-signed DS");
+    }
+    trustedKeys = link.dnskeys;
+    path.push(link.zone);
+  }
+  return { ok: true, zone: opts.links[opts.links.length - 1].zone, keys: trustedKeys, path: path };
+}
 module.exports = {
-  verifyRrset:  verifyRrset,
-  verifyDs:     verifyDs,
-  verifyDenial: verifyDenial,
-  nsec3Hash:    nsec3Hash,
-  keyTag:       keyTag,
-  ALGORITHMS:   ALGS,
-  DnssecError:  DnssecError,
+  verifyRrset:        verifyRrset,
+  verifyDs:           verifyDs,
+  verifyDenial:       verifyDenial,
+  verifyChain:        verifyChain,
+  nsec3Hash:          nsec3Hash,
+  keyTag:             keyTag,
+  ALGORITHMS:         ALGS,
+  DEFAULT_ROOT_ANCHORS: DEFAULT_ROOT_ANCHORS,
+  DnssecError:        DnssecError,
 };

package/lib/vendor/blamejs/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.49",
+  "version": "0.12.50",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.50.json ADDED Viewed

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.50",
+  "date": "2026-05-25",
+  "headline": "`b.network.dns.dnssec.verifyChain` — validate a DNSSEC delegation chain to a pinned root anchor",
+  "summary": "Completes local DNSSEC verification: validate a full delegation chain from the root down to a zone against a pinned trust anchor (RFC 4035 §5), instead of trusting any single resolver. For each link, the zone's DNSKEY RRset must be self-signed by one of its keys, and that key must be vouched for either by a pinned anchor (at the root) or by a DS record served + signed by the already-trusted parent — so trust flows root → TLD → zone with no gap. The IANA root KSKs (KSK-2017 tag 20326, KSK-2024 tag 38696) ship as the default anchors; override with opts.trustAnchors for a private root. verifyChain returns the leaf zone's trusted DNSKEY set, which you then hand to verifyRrset / verifyDenial for the actual answer. Composes verifyRrset + verifyDs + the key tag; verified end-to-end against a live root→org chain.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.network.dns.dnssec.verifyChain(opts)`",
+          "body": "Walks an ordered, root-first list of `links` ({ zone, dnskeys, dnskeyRrsig, dsRdatas?, dsRrsig? }). At each link it verifies the DNSKEY RRset's self-signature (composing `verifyRrset`), then establishes trust in the signing key: at the root by matching a pinned anchor's DS digest (`verifyDs`), at every delegation by verifying the parent-served DS RRset's signature with the already-trusted parent key and confirming the signing KSK matches one of those DS records. Returns `{ ok, zone, keys, path }` with the leaf zone's trusted DNSKEY set. Refuses a root key that matches no anchor (`dnssec/chain-anchor-mismatch`), a KSK that matches no parent DS (`dnssec/chain-ds-mismatch`), and a missing parent key (`dnssec/chain-no-parent-key`). The default `DEFAULT_ROOT_ANCHORS` are the published IANA root KSK DS records; `opts.trustAnchors` overrides them for a private or test root."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js CHANGED Viewed

@@ -6277,6 +6277,19 @@ var KNOWN_ANTIPATTERNS = [
     allowlist: [],
     reason: "DNSSEC NXDOMAIN over-acceptance — for a Name Error proof the source-of-synthesis wildcard must be COVERED (proven absent). A matching wildcard owner means the wildcard exists and the query should have been answered by expansion, so a response claiming NXDOMAIN is forged. The `!findCover(x) && !findMatch(x)` gate accepts a matching wildcard as proof and must never appear; the correct gate is `!findCover(x)`. Detection is precise: only the cover-OR-match denial gate matches. Wildcard-NODATA (which legitimately needs a MATCHING wildcard with the type absent) uses `findMatch(...)` standalone with a type-bitmap check, not this gate, so it does not match.",
   },
+  {
+    // DNSSEC key selection: 16-bit key tags collide (RFC 4034 App B), so
+    // selecting a SINGLE DNSKEY by tag and verifying only against it
+    // yields a false `bad-signature` when a colliding non-signing key
+    // appears first in the RRset. A verifier must try EVERY key whose
+    // tag (and algorithm) match (RFC 4035 §5.3.1) — `_keysByTag` +
+    // `_verifyRrsetWithAnyKey`, never a `_findKeyByTag`-style single pick.
+    id: "dnssec-single-key-by-tag",
+    primitive: "_keysByTag(...) + try-every-candidate — never a single-result _findKeyByTag for signature verification",
+    regex: /_findKeyByTag\s*\(/,
+    allowlist: [],
+    reason: "DNSSEC key-tag collision false-negative — a 16-bit DNSKEY tag is not unique within an RRset (RFC 4034 Appendix B explicitly permits collisions). Picking the first key with a matching tag and verifying only against it rejects an otherwise-valid chain when a colliding non-signing key sorts earlier. RFC 4035 §5.3.1 requires trying every key whose tag and algorithm match until one validates; the framework does this via `_keysByTag` + `_verifyRrsetWithAnyKey`. The single-result `_findKeyByTag` helper must not be (re)introduced for signature key selection.",
+  },
   {
     // CVE-2026-23552 — cross-realm JWT acceptance via non-CT iss
     // compare. `payload.iss !== expectedIssuer` (or claims.iss / token.iss)

package/lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js CHANGED Viewed

@@ -59,6 +59,10 @@ function testSurface() {
   check("b.network.dns.dnssec.verifyRrset is a function", typeof b.network.dns.dnssec.verifyRrset === "function");
   check("b.network.dns.dnssec.verifyDs is a function", typeof b.network.dns.dnssec.verifyDs === "function");
   check("b.network.dns.dnssec.keyTag is a function", typeof b.network.dns.dnssec.keyTag === "function");
+  check("b.network.dns.dnssec.verifyDenial is a function", typeof b.network.dns.dnssec.verifyDenial === "function");
+  check("b.network.dns.dnssec.nsec3Hash is a function", typeof b.network.dns.dnssec.nsec3Hash === "function");
+  check("b.network.dns.dnssec.verifyChain is a function", typeof b.network.dns.dnssec.verifyChain === "function");
+  check("b.network.dns.dnssec.DEFAULT_ROOT_ANCHORS includes the IANA KSK tags", Array.isArray(b.network.dns.dnssec.DEFAULT_ROOT_ANCHORS) && b.network.dns.dnssec.DEFAULT_ROOT_ANCHORS.some(function (a) { return a.keyTag === 20326; }));
 }
 function testRealVectors() {
@@ -270,11 +274,128 @@ function testDenialArgs() {
   check("verifyDenial: nodata without qtype refused", code(function () { b.network.dns.dnssec.verifyDenial({ qname: "iana.org", proof: "nodata", zone: "iana.org", nsec3: ianaRecords() }); }) === "dnssec/bad-arg");
 }
+// --- Chain validation (verifyChain) ---
+// Real root→org DNSSEC chain captured via Cloudflare DoH: the root DNSKEY
+// RRset (signed by the IANA KSK), the org DS RRset (served + signed by the
+// root), and the org DNSKEY RRset (signed by org's KSK).
+var ROOT_DNSKEY_HEX = "123481a00001000400000001000030000100003000010000000e01080100030803010001be5d0d87dfa60009f155062f042d5973e5416b2320526d08cd34fd768a53ef259fea1f6a1dead8ac44223bf3420fa7a9dc518fef1e9ad3e77b59ad61c6c558fe10f44f839e23892cad3d474e45bb3bc66eb1bb0c37510d45ff71e745755ecef29144018a49a98351f4109320057def70ced9b89ab8a480df56fb23694aff0a31a11d6d7f972a27848c6c952f8ae1e2700128522d804ecc25a193567794f9b619841599f1171ec3e5480a098ee87e54bbf8653b74d27012d9859d66151131cdd241d7573e9a82ea2e680669ef4e985cd22847f893810866b11ed75fec0bd19f103362f1408c94eaf459d3a232b8930644c8b0912b861256ee9b206dd762596eb500003000010000000e01080101030803010001acffb409bcc939f831f7a1e5ec88f7a59255ec53040be432027390a4ce896d6f9086f3c5e177fbfe118163aaec7af1462c47945944c4e2c026be5e98bbcded25978272e1e3e079c5094d573f0e83c92f02b32d3513b1550b826929c80dd0f92cac966d17769fd5867b647c3f38029abdc48152eb8f207159ecc5d232c7c1537c79f4b7ac28ff11682f21681bf6d6aba555032bf6f9f036beb2aaa5b3778d6eebfba6bf9ea191be4ab0caea759e2f773a1f9029c73ecb8d5735b9321db085f1b8e2d8038fe2941992548cee0d67dd4547e11dd63af9c9fc1c5466fb684cf009d7197c2cf79e792ab501e6a8a1ca519af2cb9b5f6367e94c0d47502451357be1b500003000010000000e01080101030803010001af7a8deba49d995a792aefc80263e991efdbc86138a931deb2c65d5682eab5d3b03738e3dfdc89d96da64c86c0224d9ce02514d285da3068b19054e5e787b2969058e98e12566c8c808c40c0b769e1db1a24a1bd9b31e303184a31fc7bb56b85bbba8abc02cd5040a444a36d47695969849e16ad856bb58e8fac8855224400319bdab224d83fc0e66aab32ff74bfeaf0f91c454e6850a1295207bbd4cdde8f6ffb08faa9755c2e3284efa01f99393e18786cb132f1e66ebc6517318e1ce8a3b7337ebb54d035ab57d9706ecd9350d4afacd825e43c8668eece89819caf6817af62dc4fbd82f0e33f6647b2b6bda175f14607f59f4635451e6b27df282ef73d8700002e00010000000e0113003008000002a3006a29fa806a0e4b004f66003eb63aef891c6aa08533d04c2e51d08c1a6834df2a30af63d3fec27ec4ac17dfc21384c03bc1c1df400af2f1c2ab80788e20f8383a3dfd8eb01f48b8d4430d191e58baddb7fcdeec2cf381d042d094535b7595071c082aa88794db2c0d56fda210a29df0b7f456699235921050261075ecb2ab6c63e716768c0b5db2def27eb62958808a5a2dddde98a2375e2bd9ed6e89f34fea1f222fb7fa70032c1e9357dafc378ab72207826c9d7674584679a743825e68146d759c0e886a2de996daf752aa5ae00f8297842aef9eac3bd27a698ec475719f22ac9ee8345e3b07a2a67aedee0a406309744bb7907ed1de6e266bad02f9e2caa297277e7715d77ce7d2772f00002904d0000080000000";
+var ORG_DS_HEX = "123481a00001000200000001036f726700002b0001c00c002b0001000112ef0024695e08024fede294c53f438a158c41d39489cd78a86beb0d8a0aeaff14745c0d16e1de32c00c002e0001000112ef0113002b0801000151806a24fad06a13c940d4790018af430b9631a0da77f1b652ce2a45e82d045e6efb87d9b9e90e25d463a73ae86001e74a171f1c43a23115c4ab9192939cddc1a90c4405998c8d508f0ec5b345a11a64b7d9ea660b497bb629c8ed908c69ed982301cdc5b108272b06aa9626cd5174028f9ac03609d1c560fb96309b6c5166653b21b7a197a5c30678b5be18dd8e405df36414e04ca33658b7a1da402bd2f0e2a31c84c01385ca70cf6492ec2f2e6c04085308a1ac112638d6f286f66f0b726bacad46ea75f4221b173008db2d21f412cecbc085893f273110d4afc485e804ba80a96d7729ba84bddb684d502fd0041f8285306874860cb9cda0da394426b5df50debf57ef6d0f9261d8d7576300002904d0000080000000";
+var ORG_DNSKEY_HEX = "123481a00001000400000001036f72670000300001c00c003000010000013200880100030803010001b1ac5fd2e78ca6b3eeb87e59ae4826bbdbaaddc35318f337942d3f207026d95c135d8e35863309bcd365a5c46223c90a6305467dfd6c3a874eb952ae11c7a9e5f177ae31ce9c0f6eeff1b331fcad3e32683cc254f38de0d92ef8188669ea9b7f30d78e82e8e6961dd390673941d67f397df95bd00859ec2306924eee737ec62bc00c003000010000013200880100030803010001d737ce87b2f7a67133bcf13a4c21b78ea38fa07bf278dbd919161afcaeafca081b1e1e01bcfe237f0dd929f7c695dea6c5e19853935224f6034b52c9eeb255a0b797304b771bf466d28f38b0e039276e90c673d7901a3937e9a3294e4d78ce1f9c26ff722e1b68b735bc680b405221ef6cd6a4da982778ee42d0db2bfd8031f1c00c003000010000013201080101030803010001ec5927fd707f2342c4d3eb4d98b3686ed49626c684ff80ca8811e9baa3a6d2b0784804e200fc1b1450264b7e167e690a836ace69b56671282aabe6f77b8e62d6ca918403187f96ebd27ae8c48aa602324be993ff889a5e7fa5a5be68f7d97fb1fee51cc6bdef93bf7ea37a68f5259788546cdd93d4b1efe87cd0b900ad351240f231c6c17e6ad0d32687667ec9a1ba07d70849eae37bd9792fe203db2749eb35eab98b5ea0852f5f6c73aa75c27473d2bc3fa82fa47fc1e5beb73b5d152d61a24ff5cf7b67e4dce671a38b965f675e7882a331292c51063ecc32beda615a0098848f1b053aa152c2307c8c0b481413120da8097eec4b909b5e0e383aac21216fc00c002e00010000013201170030080100000e106a258d3e6a09cfae695e036f726700831ed0c4fcc15125bfdd584858c72a88c4f837d8c15e7e276976417a3de45fe6ed14418035accd04081facdc0a0091bde55164a4e820514b49857155c2163b7ab07bf6d7d41003cd7971154bbf345f10ef04e9aa88e861c727c63d3f0ac2c484916360a1efa3ebef5cead2092b7c61ed8ebfccb40a79bce9d0082892d097cbd5541256ccaa09c96117e45ccdbd4d45b46145f902a81d660441f6e28ce6ec2cc83e773508947a7892cd2b1c91f8de73ed13f4199e7f3c097cb979c97bd97a34cfd0011647037c2c23da4a865960aa0f55a1d7a1c3817f0fb2f1bb7d6380eb5da578898fb0aebd5a9383ac5a1b76d6013a1a20832c53ea46ae5c6d35a06e6cc50300002904d0000080000000";
+function _readN(buf, off) {
+  var ls = [], jumped = false, end = off, g = 0;
+  for (;;) { if (++g > 128) throw new Error("name guard"); var len = buf[off]; if (len === 0) { off++; if (!jumped) end = off; break; } if ((len & 0xc0) === 0xc0) { if (!jumped) end = off + 2; off = ((len & 0x3f) << 8) | buf[off + 1]; jumped = true; continue; } off++; ls.push(buf.slice(off, off + len).toString("ascii")); off += len; }
+  return { name: ls.join(".") + (ls.length ? "." : "."), end: end };
+}
+function parseAnswer(hex) {
+  var buf = Buffer.from(hex, "hex");
+  var qd = buf.readUInt16BE(4), an = buf.readUInt16BE(6), off = 12;
+  for (var i = 0; i < qd; i++) off = _readN(buf, off).end + 4;
+  var out = { dnskeys: [], ds: [], rrsig: {} };
+  for (var j = 0; j < an; j++) {
+    off = _readN(buf, off).end;
+    var type = buf.readUInt16BE(off), rdlen = buf.readUInt16BE(off + 8); off += 10;
+    var rd = buf.slice(off, off + rdlen); off += rdlen;
+    if (type === 48) out.dnskeys.push(rd);
+    else if (type === 43) out.ds.push(rd);
+    else if (type === 46) { var sn = _readN(rd, 18); out.rrsig[rd.readUInt16BE(0)] = { algorithm: rd[2], labels: rd[3], originalTtl: rd.readUInt32BE(4), expiration: rd.readUInt32BE(8), inception: rd.readUInt32BE(12), keyTag: rd.readUInt16BE(16), signerName: sn.name, signature: rd.slice(sn.end) }; }
+  }
+  return out;
+}
+function testVerifyChain() {
+  var root = parseAnswer(ROOT_DNSKEY_HEX), orgDs = parseAnswer(ORG_DS_HEX), orgDk = parseAnswer(ORG_DNSKEY_HEX);
+  var maxInc = Math.max(root.rrsig[48].inception, orgDs.rrsig[43].inception, orgDk.rrsig[48].inception);
+  var at = new Date((maxInc + 60) * 1000);
+  function rootLink() { return { zone: ".", dnskeys: root.dnskeys, dnskeyRrsig: root.rrsig[48] }; }
+  function orgLink() { return { zone: "org.", dnskeys: orgDk.dnskeys, dnskeyRrsig: orgDk.rrsig[48], dsRdatas: orgDs.ds, dsRrsig: orgDs.rrsig[43] }; }
+  var out = b.network.dns.dnssec.verifyChain({ links: [rootLink(), orgLink()], at: at });
+  check("verifyChain: real root→org chain validates to the pinned IANA anchor", out.ok && out.zone === "org." && out.path.join(",") === ".,org." && out.keys.length === 3);
+  // Root link alone validates against the default anchor.
+  var rootOnly = b.network.dns.dnssec.verifyChain({ links: [rootLink()], at: at });
+  check("verifyChain: root DNSKEY alone validates against the default anchor", rootOnly.ok && rootOnly.zone === ".");
+  function code(fn) { try { fn(); return "NO-THROW"; } catch (e) { return e.code; } }
+  // A bogus trust anchor breaks the chain at the root.
+  var badAnchor = [{ keyTag: 20326, algorithm: 8, digestType: 2, digest: Buffer.alloc(32, 0xff) }];
+  check("verifyChain: wrong trust anchor refused", code(function () { b.network.dns.dnssec.verifyChain({ links: [rootLink()], at: at, trustAnchors: badAnchor }); }) === "dnssec/chain-anchor-mismatch");
+  // A tampered org DS digest breaks the DS RRset signature.
+  check("verifyChain: tampered DS RRset refused", code(function () {
+    var bad = orgLink(); bad.dsRdatas = [Buffer.from(orgDs.ds[0])]; bad.dsRdatas[0][bad.dsRdatas[0].length - 1] ^= 0xff;
+    b.network.dns.dnssec.verifyChain({ links: [rootLink(), bad], at: at });
+  }) === "dnssec/bad-signature");
+  // Expired (at past every window).
+  check("verifyChain: expired link refused", code(function () { b.network.dns.dnssec.verifyChain({ links: [rootLink()], at: new Date((root.rrsig[48].expiration + 86400) * 1000) }); }) === "dnssec/expired");
+  // Empty links refused.
+  check("verifyChain: empty links refused", code(function () { b.network.dns.dnssec.verifyChain({ links: [] }); }) === "dnssec/bad-arg");
+  // Key-tag collision: two keys in the SIGNED DNSKEY RRset share a tag
+  // (16-bit tags collide, RFC 4034 App B). The non-signing one sorts
+  // first; verifyChain must try every matching key (RFC 4035 §5.3.1) and
+  // not return a false bad-signature.
+  testKeyTagCollision();
+}
+var nodeCrypto = require("node:crypto");
+function _ecDnskey(pubKey) {
+  var jwk = pubKey.export({ format: "jwk" });
+  var x = Buffer.from(jwk.x, "base64url"), y = Buffer.from(jwk.y, "base64url");
+  return Buffer.concat([Buffer.from([0x01, 0x01, 3, 13]), x, y]); // flags 257 (KSK/SEP), proto 3, alg 13 (ECDSAP256SHA256)
+}
+function _canonName(name) {
+  var n = name.replace(/\.$/, ""), parts = [];
+  if (n !== "") n.split(".").forEach(function (l) { var bb = Buffer.from(l.toLowerCase(), "ascii"); parts.push(Buffer.from([bb.length]), bb); });
+  parts.push(Buffer.from([0]));
+  return Buffer.concat(parts);
+}
+function _u16b(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); }
+function _u32b(n) { var b2 = Buffer.alloc(4); b2.writeUInt32BE(n >>> 0, 0); return b2; }
+// Build an RRSIG over a DNSKEY RRset signed by an EC P-256 key (mirrors
+// the RFC 4034 §3.1.8.1 signed-data form verifyRrset reconstructs).
+function _signDnskeyRrset(zone, rdatas, priv, signerRdata, inc, exp) {
+  var owner = _canonName(zone), ttl = _u32b(3600), labels = zone.replace(/\.$/, "") === "" ? 0 : zone.replace(/\.$/, "").split(".").length;
+  var keyTag = b.network.dns.dnssec.keyTag(signerRdata);
+  var sorted = rdatas.slice().sort(Buffer.compare);
+  var rrs = [];
+  sorted.forEach(function (rd) { rrs.push(owner, _u16b(48), _u16b(1), ttl, _u16b(rd.length), rd); });
+  var prefix = Buffer.concat([_u16b(48), Buffer.from([13, labels]), ttl, _u32b(exp), _u32b(inc), _u16b(keyTag), _canonName(zone)]);
+  var signed = Buffer.concat([prefix].concat(rrs));
+  var signature = nodeCrypto.sign("sha256", signed, { key: priv, dsaEncoding: "ieee-p1363" });
+  return { algorithm: 13, labels: labels, originalTtl: 3600, expiration: exp, inception: inc, keyTag: keyTag, signerName: zone, signature: signature };
+}
+function testKeyTagCollision() {
+  // Generate EC P-256 keypairs until two DNSKEYs collide on key tag.
+  var byTag = {}, a = null, b2 = null;
+  for (var i = 0; i < 4000 && !b2; i++) {
+    var kp = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
+    var rd = _ecDnskey(kp.publicKey);
+    var t = b.network.dns.dnssec.keyTag(rd);
+    if (byTag[t]) { a = byTag[t]; b2 = { rd: rd, priv: kp.privateKey }; } else byTag[t] = { rd: rd, priv: kp.privateKey };
+  }
+  check("test generated a key-tag collision", b2 !== null);
+  if (!b2) return;
+  // `a` is the signer; `b2` (same tag, different key) sorts into the set.
+  var rdatas = [a.rd, b2.rd];
+  var now = Math.floor(Date.now() / 1000);
+  var rrsig = _signDnskeyRrset("test.", rdatas, a.priv, a.rd, now - 60, now + 86400);
+  // Trust anchor = DS of the signer (SHA-256 over owner + DNSKEY rdata).
+  var digest = nodeCrypto.createHash("sha256").update(Buffer.concat([_canonName("test."), a.rd])).digest();
+  var anchor = { keyTag: b.network.dns.dnssec.keyTag(a.rd), algorithm: 13, digestType: 2, digest: digest };
+  // Order the set so the non-signing colliding key is tried first.
+  var ordered = (b.network.dns.dnssec.keyTag(rdatas[0]) === rrsig.keyTag && rdatas[0] !== a.rd) ? rdatas : [b2.rd, a.rd];
+  var out = b.network.dns.dnssec.verifyChain({ links: [{ zone: "test.", dnskeys: ordered, dnskeyRrsig: rrsig }], trustAnchors: [anchor], at: new Date((now) * 1000) });
+  check("verifyChain: validates despite a colliding-tag key in the signed set", out.ok === true);
+}
 async function run() {
   testSurface();
   testRealVectors();
   testRefusals();
   testVerifyDs();
+  testVerifyChain();
   testNsec3Real();
   testNsec3Caps();
   testNsec3OptOut();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {