@blamejs/blamejs-shop 0.4.47 → 0.4.48

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.48 (2026-06-14) — **Hardening: pickup scheduling integrity, the save-for-later CSRF token, a store-credit expiry race, and gift-card ledger verification.** A batch of correctness and security hardening. A click-and-collect pickup already marked ready could be silently un-readied by re-scheduling it, which the pickup state machine has no transition for; re-scheduling in place is now restricted to a pending pickup. The pickup capacity gate counted bookings and then inserted in two steps, so two concurrent checkouts could over-book a full time slot; the cap is now enforced inside the write atomically. The authenticated Save-for-later cart action (POST /cart/lines/:line_id/save) inherited the edge cart forms' CSRF exemption by a path-prefix accident and shipped without requiring a token; it now demands the double-submit CSRF token like any other authenticated mutation, while the genuinely token-less edge cart forms stay exempt. Two concurrent store-credit expiry sweeps could over-burn still-valid credit; the sweep is now atomic and idempotent. And the gift-card ledger's chain verification accepted a populated ledger whose hash columns had all been cleared — a full-ledger rewrite read as verified; an unanchored populated chain now fails verification, while a genuinely empty ledger still passes. No migration to apply. **Fixed:** *A ready pickup can't be un-readied by re-scheduling* — Re-scheduling a click-and-collect pickup in place is now allowed only while it is still scheduled. A pickup already marked ready (its goods on the hold shelf) no longer regresses to scheduled and loses its ready timestamp when re-scheduled — the pickup state machine has no ready-to-scheduled transition, so the operator completes or escalates a ready pickup instead. · *Pickup time slots can't be over-booked under concurrency* — The pickup capacity limit is now enforced inside the booking write as a single conditional insert gated on the live count for the time slot, so two checkouts booking the same nearly-full slot at once can't both slip past the limit. Previously the count and the insert were separate steps, leaving a window where concurrent bookings over-filled a slot. · *Concurrent store-credit expiry sweeps can't over-burn valid credit* — The store-credit expiry sweep now burns expired credit atomically: the amount to expire is computed inside the write and conditioned on the credit still being unexpired, so a second sweep running at the same time finds nothing left to burn and can't dip into still-valid balance. Previously the sweep read the expirable total and then wrote in separate steps, so two concurrent sweeps could double-burn. **Security:** *The save-for-later cart action now requires its CSRF token* — POST /cart/lines/:line_id/save is a login-required cart mutation rendered only on the session-bound cart page, but it sat under the /cart/lines path prefix that exempts the cookie-less, token-less edge cart forms from CSRF — so it inherited that exemption and accepted state changes without a double-submit token. The exemption now carves this authenticated path back into CSRF protection from a single source shared by the request guard and the form renderer (so the set the guard enforces and the set the renderer tokenizes can't drift), while the legitimate edge cart forms remain exempt. · *A hash-cleared gift-card ledger no longer verifies as valid* — The gift-card ledger's chain verification reported a populated ledger whose hash-chain columns had all been nulled as verified — so an attacker who rewrote balances and cleared the chain hashes could pass verification undetected. A populated ledger with no chain anchor now fails verification; a genuinely empty ledger (no rows) still passes.
+
 - v0.4.47 (2026-06-14) — **Signing out wipes the browser's client-side state via Clear-Site-Data.** Both the storefront account sign-out and the admin sign-out now emit an RFC 9527 Clear-Site-Data response header, instructing the browser to clear its cookies, storage, cache, and execution contexts for the origin. Previously sign-out tore down the server-side session and expired the auth cookie but left the rest of the browser's client-side state in place — on a shared or public browser, the next person could find a cached authenticated page or leftover local/session storage. This is defense-in-depth on top of the existing server-side session teardown. No migration to apply. **Security:** *Sign-out clears client-side browser state* — The /account/logout and /admin/logout routes now send Clear-Site-Data with the cookies, storage, cache, and execution-context directives, so a browser drops the origin's client-side state on sign-out rather than only expiring the auth cookie. This closes the window on a shared or public machine where a cached authenticated page or leftover storage could outlive the session.
 
 - v0.4.46 (2026-06-14) — **A refund webhook records its own amount, so refunds processed out of order can't over-count the refunded total.** The Stripe charge.refunded mirror recorded the difference between the charge's cumulative refunded figure and the order's recorded refund total. When two refunds happen close together and the second refund's webhook is processed before the first's has been recorded — including two webhooks racing on the same order — both read the same not-yet-updated recorded total, so the later one records the full cumulative difference and double-counts the earlier refund, overstating the order's refunded total (and, with the over-refund cap keyed on that total, potentially distorting later refund limits). The mirror now records each event's own refund amount — the charge lists its refunds newest-first — keyed on the refund id, so a re-delivery or the console's own mirror of the same refund is still de-duplicated. Each refund is counted exactly once regardless of the order or timing its webhooks arrive in. No migration to apply. **Fixed:** *A refund webhook records its own amount, not the cumulative difference* — The charge.refunded mirror now records the specific refund that triggered the event, taken from the charge's own refunds list, instead of the difference between the charge's cumulative refunded figure and the order's ledger. The previous difference-based approach read the recorded total once and could record a value that included an earlier refund whose webhook hadn't landed yet — so when that earlier webhook arrived, the order's refunded total over-counted. Keying each entry on the refund id keeps re-deliveries and the console's own mirror de-duplicated, so the same refund is never recorded twice and the total converges on the true figure whatever order the webhooks arrive in.

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.47",
+  "version": "0.4.48",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",

package/lib/click-and-collect.js

@@ -441,32 +441,34 @@ function create(opts) {
       // discretisation in the storefront's window picker.
       var bucketStart = Math.floor(input.scheduled_window_start / HOUR_MS) * HOUR_MS;
       var bucketEnd   = bucketStart + HOUR_MS;
-      var booked = await _capacityBookedForBucket(input.location_code, bucketStart, bucketEnd);
-      // Re-scheduling the SAME order_id within the same bucket should
-      // not consume an additional capacity slot — check whether an
-      // existing schedule for this order already lives in the bucket
-      // and exclude it from the cap.
-      var existing = await _getScheduleByOrder(orderId);
-      if (existing && existing.location_code === input.location_code &&
-          existing.scheduled_window_start >= bucketStart &&
-          existing.scheduled_window_start <  bucketEnd &&
-          (existing.status === "scheduled" || existing.status === "ready")) {
-        booked -= 1;
-      }
-      if (booked >= Number(loc.capacity_per_hour)) {
-        throw new TypeError("click-and-collect.scheduleAtLocation: location_code " +
-          JSON.stringify(input.location_code) + " is at capacity for the requested window");
-      }
+      var capacity    = Number(loc.capacity_per_hour);
 
+      var existing = await _getScheduleByOrder(orderId);
       if (existing) {
-        // Re-schedule in place. Refuses to overwrite a terminal row —
-        // a picked_up / no_show / cancelled order books a new pickup
-        // by going through the operator's cancel + re-place flow,
-        // never by mutating the original schedule.
-        if (existing.status !== "scheduled" && existing.status !== "ready") {
+        // Re-schedule in place. Only a `scheduled` row re-schedules:
+        // once goods are on the hold shelf (`ready`) the FSM does not
+        // regress to `scheduled` (that would silently un-ready a
+        // confirmed pickup and wipe ready_at) — the operator completes
+        // the pickup or escalates. A terminal row (picked_up / no_show
+        // / cancelled) books a new pickup through the operator's
+        // cancel + re-place flow, never by mutating the original.
+        if (existing.status !== "scheduled") {
           throw new TypeError("click-and-collect.scheduleAtLocation: order " + orderId +
-            " has a terminal pickup schedule (status=" + existing.status +
-            "); operator must place a new order to reschedule");
+            " has a non-rescheduleable pickup (status=" + existing.status +
+            "); only a scheduled pickup can be re-scheduled in place");
+        }
+        // A re-schedule moves a slot the order already holds, so the
+        // order's own existing row in the target bucket is not counted
+        // against the cap.
+        var booked = await _capacityBookedForBucket(input.location_code, bucketStart, bucketEnd);
+        if (existing.location_code === input.location_code &&
+            existing.scheduled_window_start >= bucketStart &&
+            existing.scheduled_window_start <  bucketEnd) {
+          booked -= 1;
+        }
+        if (booked >= capacity) {
+          throw new TypeError("click-and-collect.scheduleAtLocation: location_code " +
+            JSON.stringify(input.location_code) + " is at capacity for the requested window");
         }
         await query(
           "UPDATE pickup_schedules SET location_code = ?1, scheduled_window_start = ?2, " +
@@ -476,13 +478,25 @@ function create(opts) {
             now, orderId],
         );
       } else {
-        await query(
+        // New booking — fold the capacity check into the INSERT so a
+        // count-then-insert race can't over-book the bucket. The row
+        // only lands when the live bucket count is still below the
+        // cap; a lost race writes zero rows and refuses identically.
+        var ins = await query(
           "INSERT INTO pickup_schedules (id, order_id, location_code, " +
           "scheduled_window_start, scheduled_window_end, status, created_at, updated_at) " +
-          "VALUES (?1, ?2, ?3, ?4, ?5, 'scheduled', ?6, ?7)",
+          "SELECT ?1, ?2, ?3, ?4, ?5, 'scheduled', ?6, ?7 WHERE (" +
+          "SELECT COUNT(*) FROM pickup_schedules WHERE location_code = ?3 " +
+          "AND status IN ('scheduled', 'ready') " +
+          "AND scheduled_window_start >= ?8 AND scheduled_window_start < ?9) < ?10",
           [b.uuid.v7(), orderId, input.location_code,
-            input.scheduled_window_start, input.scheduled_window_end, now, now],
+            input.scheduled_window_start, input.scheduled_window_end, now, now,
+            bucketStart, bucketEnd, capacity],
         );
+        if (Number(ins.rowCount || 0) === 0) {
+          throw new TypeError("click-and-collect.scheduleAtLocation: location_code " +
+            JSON.stringify(input.location_code) + " is at capacity for the requested window");
+        }
       }
       return await _getScheduleByOrder(orderId);
     },

package/lib/gift-card-ledger.js

@@ -478,8 +478,11 @@ function create(opts) {
     // unverifiable legacy PREFIX and counted, but once a hashed row
     // appears every later row must link — an unhashed row after the
     // anchor, a prev_hash that doesn't name its parent, or a row_hash
-    // that doesn't recompute is a break. O(n) per card; operator-audit
-    // use, not hot-path.
+    // that doesn't recompute is a break. A populated ledger that never
+    // anchors (every row NULL-hashed — the shape a full-ledger rewrite
+    // leaves behind) fails: an all-NULL chain is unanchored, not valid.
+    // An empty ledger (zero rows) is the only no-anchor case that passes.
+    // O(n) per card; operator-audit use, not hot-path.
     verifyChain: async function (giftCardId) {
       _uuid(giftCardId, "gift_card_id");
       var r = await query(
@@ -532,6 +535,22 @@ function create(opts) {
         }
         prevHash = row.row_hash;
       }
+      // A populated ledger that never anchored has no cryptographic root to
+      // verify against — every row read as an unverifiable legacy prefix.
+      // That's the shape a full-ledger rewrite produces (clear every
+      // row_hash, then edit balances freely): an all-NULL chain is
+      // unanchored, not "valid". Only a genuinely empty ledger (zero rows)
+      // is legitimately ok with no anchor.
+      if (!anchored && rows.length > 0) {
+        return {
+          ok:             false,
+          rows_verified:  0,
+          legacy_prefix:  legacyPrefix,
+          break_at:       0,
+          break_row_id:   rows[0].id,
+          reason:         "unanchored chain (no hashed row in a populated ledger)",
+        };
+      }
       return {
         ok:            true,
         rows_verified: rows.length - legacyPrefix,

package/lib/security-middleware.js

@@ -225,6 +225,39 @@ var EDGE_POST_PATHS = [
   "/stock-alert/unsubscribe",
 ];
 
+// Authenticated, container-only POST routes that fall UNDER an EDGE_POST_PATHS
+// prefix but must NOT inherit the edge exemption. `/cart/lines` is exempt for
+// the edge-cached add / qty-update / remove forms (worker/render/*), which are
+// cookie-less and token-less. But `POST /cart/lines/:line_id/save` is a
+// login-required mutation rendered ONLY by the container (the "Save for later"
+// control on the session-bound cart page), where a session exists and the page
+// carries the per-request `_csrf` token. A bare `/cart/lines` prefix match
+// would exempt it by accident, dropping double-submit CSRF on an authenticated
+// state change. These carve-backs re-arm the token check on exactly those
+// paths while leaving every legitimate edge form exempt. Matched as exact
+// regexes (anchored, `:line_id` as a free segment) so a sibling edge path is
+// never re-captured.
+var EDGE_EXEMPT_CARVEBACKS = [
+  /^\/cart\/lines\/[^/]+\/save$/,
+];
+
+/**
+ * Is `pathname` covered by the edge-form CSRF exemption? True when it matches
+ * an EDGE_POST_PATHS prefix AND is not one of the authenticated container-only
+ * carve-backs above. The single source both the container csrfGuard and the
+ * storefront's `_csrf` form-injection consult, so the exemption set the guard
+ * skips and the set the renderer leaves token-less can never drift apart.
+ * Request-shape reader — returns a boolean for any input, never throws.
+ */
+function isEdgeExemptPath(pathname) {
+  var p = typeof pathname === "string" ? pathname : "";
+  if (!_hasPrefix(p, EDGE_POST_PATHS)) return false;
+  for (var i = 0; i < EDGE_EXEMPT_CARVEBACKS.length; i += 1) {
+    if (EDGE_EXEMPT_CARVEBACKS[i].test(p)) return false;
+  }
+  return true;
+}
+
 // The TLS-terminated public origin(s) the storefront is served on. Behind
 // the Cloudflare Worker the container socket is plain http, so the CSRF
 // origin pre-check would otherwise build `http://<host>` and refuse every
@@ -710,7 +743,7 @@ function mountRouteGuards(r) {
   r.use(function csrfGuard(req, res, next) {
     var pathname = req.pathname || req.url || "/";
     if (_hasPrefix(pathname, WEBHOOK_PATHS) || pathname === HEALTH_PATH) return next();
-    if (_hasPrefix(pathname, EDGE_POST_PATHS)) return next();
+    if (isEdgeExemptPath(pathname)) return next();
     return csrfGate(req, res, next);
   });
 
@@ -822,5 +855,7 @@ module.exports = {
   PAYPAL_WEBHOOK_BUDGET_PER_MINUTE: PAYPAL_WEBHOOK_BUDGET_PER_MINUTE,
   TIGHT_PREFIXES:       TIGHT_PREFIXES,
   EDGE_POST_PATHS:      EDGE_POST_PATHS,
+  EDGE_EXEMPT_CARVEBACKS: EDGE_EXEMPT_CARVEBACKS,
+  isEdgeExemptPath:     isEdgeExemptPath,
   PUBLIC_WELL_KNOWN_PATHS: PUBLIC_WELL_KNOWN_PATHS,
 };

package/lib/store-credit.js

@@ -183,10 +183,21 @@ function create(opts) {
   //   expire — burns MIN(amount, live), gated on live > 0 (zero rows =
   //            wallet already empty; callers degrade gracefully — by
   //            design, never a throw).
+  //   sweep  — the scheduled expiry burn. `amount` carries the
+  //            customer's expired-credit total; the still-unburned
+  //            remainder (total minus the live SUM of prior
+  //            SWEEP_SOURCE_REF expire rows) is recomputed INSIDE the
+  //            insert and capped at the live balance, so two concurrent
+  //            sweeps can't both burn the same expired pool. The second
+  //            sweep serializes behind the first's committed row, sees
+  //            zero pending, and matches no rows — never burning the
+  //            still-valid (non-expired) credit left in the wallet.
+  //            Stored as an `expire` row stamped SWEEP_SOURCE_REF.
   // Returns the written row's resolved values, or null when the guard
   // refused the write.
   async function _writeRowAtomic(kind, customerId, amount, source, sourceRef, orderId, expiresAt, requestedTs) {
     var id = b.uuid.v7();
+    var storedKind = kind === "sweep" ? "expire" : kind;
     var balSub = "COALESCE((SELECT balance_after_minor FROM store_credit_ledger " +
                  "WHERE customer_id = ?2 ORDER BY occurred_at DESC, id DESC LIMIT 1), 0)";
     var tsSub  = "COALESCE((SELECT occurred_at FROM store_credit_ledger " +
@@ -201,6 +212,17 @@ function create(opts) {
       amountExpr = "?3";
       afterExpr  = balSub + " - ?3";
       guard      = balSub + " >= ?3";
+    } else if (kind === "sweep") {
+      // `?3` is this customer's expired-credit total. Subtract the live
+      // sum of prior sweep-stamped expire rows to get the still-pending
+      // burn, then cap at the live balance — both recomputed at INSERT
+      // time so a racing second sweep sees the first's committed row.
+      var sweptSub = "COALESCE((SELECT SUM(amount_minor) FROM store_credit_ledger " +
+                     "WHERE customer_id = ?2 AND kind = 'expire' AND source_ref = ?5), 0)";
+      var pending  = "(?3 - " + sweptSub + ")";
+      amountExpr   = "CASE WHEN " + balSub + " < " + pending + " THEN " + balSub + " ELSE " + pending + " END";
+      afterExpr    = "CASE WHEN " + balSub + " < " + pending + " THEN 0 ELSE " + balSub + " - " + pending + " END";
+      guard        = pending + " > 0 AND " + balSub + " > 0";
     } else {            // expire — burn MIN(amount, live balance)
       amountExpr = "CASE WHEN " + balSub + " < ?3 THEN " + balSub + " ELSE ?3 END";
       afterExpr  = "CASE WHEN " + balSub + " < ?3 THEN 0 ELSE " + balSub + " - ?3 END";
@@ -211,7 +233,7 @@ function create(opts) {
       "(id, customer_id, kind, amount_minor, source, source_ref, order_id, balance_after_minor, expires_at, occurred_at) " +
       "SELECT ?1, ?2, ?9, " + amountExpr + ", ?4, ?5, ?6, " + afterExpr + ", ?7, " + tsExpr + " " +
       "WHERE " + guard,
-      [id, customerId, amount, source, sourceRef, orderId, expiresAt, requestedTs, kind],
+      [id, customerId, amount, source, sourceRef, orderId, expiresAt, requestedTs, storedKind],
     );
     if (Number(res.rowCount || 0) === 0) return null;
     var row = (await query(
@@ -572,17 +594,26 @@ function create(opts) {
       // per-credit-row because expire rows have no parent pointer at
       // the schema level. The idempotency key is the SWEEP's OWN prior
       // output — expire rows stamped with `SWEEP_SOURCE_REF` — NOT
-      // every expire row. Counting all expire rows here was the bug:
+      // every expire row. Counting all expire rows here was a bug:
       // an operator-initiated `expire()` (a clawback, a goodwill burn)
       // or any non-sweep expire would be subtracted from the expired-
-      // credit total, shrinking `pendingBurn` and leaving genuinely
+      // credit total, shrinking the pending burn and leaving genuinely
       // expired credit un-swept. Operator expires + debits already
-      // reduced the BALANCE; the `min(pendingBurn, balance)` cap below
-      // is what keeps the sweep from over-burning when the wallet was
+      // reduced the BALANCE; the live-balance cap inside the write is
+      // what keeps the sweep from over-burning when the wallet was
       // partly drained — so they must not also be netted out of the
-      // expired pool, or the reduction is double-counted. When the
-      // unburned remainder is zero, the sweep is a no-op for that
-      // customer (idempotent re-run produces no duplicates).
+      // expired pool, or the reduction is double-counted.
+      //
+      // The pending-burn arithmetic (expired total minus this sweep's
+      // own prior output) and the balance cap both run INSIDE the
+      // guarded insert, not from a JS-side read. A read-then-write here
+      // raced: two concurrent sweeps both read a zero prior-burn before
+      // either wrote, both computed the full expired total as pending,
+      // and the second's capped write then burned the still-valid
+      // (non-expired) credit the first sweep left behind. With the
+      // remainder recomputed at insert time, the second sweep serializes
+      // behind the first's committed row, sees zero pending, and matches
+      // no rows — an idempotent no-op that never touches valid balance.
       var expiredByCustomer = (await query(
         "SELECT customer_id, SUM(amount_minor) AS total " +
         "FROM store_credit_ledger " +
@@ -597,30 +628,18 @@ function create(opts) {
         var customerId = row.customer_id;
         var expiredTotal = row.total;
 
-        var burnRow = (await query(
-          "SELECT COALESCE(SUM(amount_minor), 0) AS total " +
-          "FROM store_credit_ledger " +
-          "WHERE customer_id = ?1 AND kind = 'expire' AND source_ref = ?2",
-          [customerId, SWEEP_SOURCE_REF],
-        )).rows[0];
-        var alreadyBurned = burnRow ? burnRow.total : 0;
-        var pendingBurn   = expiredTotal - alreadyBurned;
-
-        if (pendingBurn <= 0) {
-          // The sweep already burned this customer's expired credit on
-          // a prior run. Idempotent skip.
-          continue;
-        }
-
-        // The burn caps at the wallet's current balance INSIDE the
-        // guarded insert. Debits between the credit and the sweep may
-        // have spent the expired amount already; the write never drives
-        // the balance negative, and a wallet already at zero refuses the
-        // write entirely (no CHECK > 0 violation; operator reconciles
-        // via history). The expired credits were "first-out" from the
-        // operator's POV — the schema doesn't track FIFO at row level,
-        // so the audit trail reflects what was actually burned.
-        var w = await _writeRowAtomic("expire", customerId, pendingBurn, null, SWEEP_SOURCE_REF, null, null, now);
+        // The burn amount = (expired total − sweep's own prior burn),
+        // capped at the wallet's current balance — all computed INSIDE
+        // the guarded insert. Debits between the credit and the sweep
+        // may have spent the expired amount already; the write never
+        // drives the balance negative, and a wallet already at zero (or
+        // a fully-swept expired pool) refuses the write entirely. A
+        // refused write is the idempotent skip — no duplicate row, no
+        // CHECK > 0 violation; the operator reconciles via history. The
+        // expired credits are "first-out" from the operator's POV — the
+        // schema doesn't track FIFO at row level, so the audit trail
+        // reflects what was actually burned.
+        var w = await _writeRowAtomic("sweep", customerId, expiredTotal, null, SWEEP_SOURCE_REF, null, null, now);
         if (!w) continue;
         processed.push({
           id:                  w.id,

package/lib/storefront.js

@@ -145,20 +145,23 @@ function _spliceRaw(html, token, fragment) {
 // byte-identical to the edge copy (the render-parity gate). They keep their
 // SameSite + fetch-metadata defense and are exempt from the token check, so
 // tokening only the container copy would both break parity and 403 a no-JS
-// edge submission. The exempt list is the SAME prefix set the guard exempts,
-// imported from lib/security-middleware so the two never drift.
-var _EDGE_POST_PATHS = securityMiddleware.EDGE_POST_PATHS;
+// edge submission. The exempt decision is the SAME one the guard makes —
+// `securityMiddleware.isEdgeExemptPath` — so the set skipped and the set left
+// token-less never drift.
 
 // The escaper the storefront uses for every attribute interpolation
 // (b.template.escapeHtml — attribute-safe; escapes & < > " '). Aliased so the
 // rewrite reads as "escape this attribute value".
 var _escAttr = b.template.escapeHtml;
 
+// Delegate the edge-exempt decision to lib/security-middleware so the set the
+// csrfGuard skips and the set this renderer leaves token-less are ONE source.
+// That helper applies the EDGE_POST_PATHS prefixes minus the authenticated
+// container-only carve-backs (e.g. `/cart/lines/:line_id/save`), so a form
+// under an edge prefix that the guard DOES protect (and therefore needs the
+// token) gets `_csrf` injected here instead of shipping token-less.
 function _actionIsEdgeExempt(action) {
-  for (var i = 0; i < _EDGE_POST_PATHS.length; i += 1) {
-    if (action.indexOf(_EDGE_POST_PATHS[i]) === 0) return true;
-  }
-  return false;
+  return securityMiddleware.isEdgeExemptPath(action);
 }
 
 // Inject a hidden `_csrf` field into every container POST form in `html`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.47",
+  "version": "0.4.48",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {