npm - @blamejs/blamejs-shop - Versions diffs - 0.4.30 → 0.4.32 - Mend

@blamejs/blamejs-shop 0.4.30 → 0.4.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (338) hide show

package/lib/vendor/blamejs/lib/subject.js CHANGED Viewed

@@ -40,11 +40,22 @@ var { sha3Hash } = require("./crypto");
 var cryptoField = require("./crypto-field");
 var audit = require("./audit");
 var cluster = require("./cluster");
+var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var lazyRequire = require("./lazy-require");
 var db = lazyRequire(function () { return require("./db"); });
 var legalHold = lazyRequire(function () { return require("./legal-hold"); });
+// Local-SQLite framework tables for the Art. 18 restriction flag + the
+// erasure marker. These run against the b.db() handle directly, so the
+// b.sql builders carry { quoteName: true } to emit the quoted local name
+// (no clusterStorage prefix rewrite on this path). The names are literals
+// for the same reason db.js declares them as literals — they ARE the
+// canonical local table identifiers.
+var RESTRICTIONS_TABLE = "_blamejs_subject_restrictions";   // allow:hand-rolled-sql — canonical local table-name; passed to b.sql with quoteName
+var ERASURES_TABLE = "_blamejs_subject_erasures";           // allow:hand-rolled-sql — canonical local table-name; passed to b.sql with quoteName
 // Required acknowledgements before subject.erase will run. Operator must
 // explicitly attest each one to confirm no statutory retention or active
 // litigation hold blocks the deletion.
@@ -138,15 +149,13 @@ function exportData(subjectId, opts) {
 }
 function _findRowsForSubject(tableName, subjectField, subjectId) {
-  var hash = db().hashFor(tableName, subjectField, subjectId);
-  if (hash) {
-    // The schema has a derived hash for the subjectField — look up via that
-    var derivedFieldName = _getDerivedFieldName(tableName, subjectField);
-    if (derivedFieldName) {
-      var pred = {};
-      pred[derivedFieldName] = hash;
-      return db().from(tableName).where(pred).all();
-    }
+  var cand = db().hashCandidatesFor(tableName, subjectField, subjectId);
+  if (cand) {
+    // The schema has a derived hash for the subjectField — look up via it,
+    // dual-reading across the keyed-MAC flip (whereIn matches both the active
+    // keyed-MAC digest and the legacy salted-sha3 digest a pre-flip row
+    // carries) so the subject's pre-flip rows are not silently skipped.
+    return db().from(tableName).whereIn(cand.field, cand.values).all();
   }
   // No derived hash — assume subjectField is raw, do direct equality
   var rawPred = {};
@@ -211,7 +220,7 @@ function rectify(subjectId, opts) {
       rowId:      opts.id,
       requestReason: opts.reason,
     });
-    throw new Error("subject.rectify: row not found in '" + opts.table + "' with _id '" + opts.id + "'");
+    throw new Error("subject.rectify: row not found in '" + opts.table + "' for _id '" + opts.id + "'");
   }
   var changedKeys = Object.keys(opts.changes);
@@ -330,19 +339,18 @@ function erase(subjectId, opts) {
   for (var t = 0; t < tables.length; t++) {
     var spec = tables[t];
-    var hash = db().hashFor(spec.name, spec.subjectField, subjectId);
-    var pred;
-    if (hash) {
-      var derivedField = _getDerivedFieldName(spec.name, spec.subjectField);
-      if (derivedField) {
-        pred = {}; pred[derivedField] = hash;
-      } else {
-        pred = {}; pred[spec.subjectField] = subjectId;
-      }
+    var cand = db().hashCandidatesFor(spec.name, spec.subjectField, subjectId);
+    var delQb = db().from(spec.name);
+    if (cand) {
+      // Dual-read across the keyed-MAC flip so erasure matches (and deletes)
+      // the subject's pre-flip rows carrying the legacy salted-sha3 digest —
+      // a GDPR erasure that skips un-migrated rows would leave PII behind.
+      delQb.whereIn(cand.field, cand.values);
     } else {
-      pred = {}; pred[spec.subjectField] = subjectId;
+      var delPred = {}; delPred[spec.subjectField] = subjectId;
+      delQb.where(delPred);
     }
-    var deleted = db().from(spec.name).where(pred).deleteMany();
+    var deleted = delQb.deleteMany();
     totalDeleted += deleted;
     perTable[spec.name] = deleted;
   }
@@ -450,20 +458,18 @@ function eraseHard(subjectId, opts) {
   db().transaction(function () {
     for (var t = 0; t < tables.length; t++) {
       var spec = tables[t];
-      var hash = db().hashFor(spec.name, spec.subjectField, subjectId);
-      var pred;
-      if (hash) {
-        var derivedField = _getDerivedFieldName(spec.name, spec.subjectField);
-        if (derivedField) {
-          pred = {}; pred[derivedField] = hash;
-        } else {
-          pred = {}; pred[spec.subjectField] = subjectId;
-        }
+      var cand = db().hashCandidatesFor(spec.name, spec.subjectField, subjectId);
+      var findQb = db().from(spec.name);
+      if (cand) {
+        // Dual-read across the keyed-MAC flip so per-row-key destruction +
+        // erasure covers the subject's pre-flip (legacy salted-sha3) rows too.
+        findQb.whereIn(cand.field, cand.values);
       } else {
-        pred = {}; pred[spec.subjectField] = subjectId;
+        var rawPred = {}; rawPred[spec.subjectField] = subjectId;
+        findQb.where(rawPred);
       }
       // Find rows so we can destroy their per-row keys before delete.
-      var rows = db().from(spec.name).where(pred).all();
+      var rows = findQb.all();
       if (cryptoField.hasPerRowKey(spec.name)) {
         for (var r = 0; r < rows.length; r++) {
           var rowId = rows[r]._id;
@@ -473,12 +479,22 @@ function eraseHard(subjectId, opts) {
           }
         }
       }
-      var deleted = db().from(spec.name).where(pred).deleteMany();
+      var delQb2 = db().from(spec.name);
+      if (cand) {
+        delQb2.whereIn(cand.field, cand.values);
+      } else {
+        var delPred3 = {}; delPred3[spec.subjectField] = subjectId;
+        delQb2.where(delPred3);
+      }
+      var deleted = delQb2.deleteMany();
       totalDeleted += deleted;
       perTable[spec.name] = deleted;
       // REINDEX the table so B-tree pages holding the deleted row's
       // index entries are rebuilt — closes the erase-vacuum residual class.
-      try { db().runSql('REINDEX "' + spec.name + '"'); }                                        // table name comes from FRAMEWORK_SCHEMA
+      // REINDEX is a sqlite maintenance verb with no b.sql builder; the
+      // table identifier is quoted through b.safeSql so the name is safe by
+      // construction (it comes from FRAMEWORK_SCHEMA / the subject-table set).
+      try { db().runSql("REINDEX " + safeSql.quoteIdentifier(spec.name, "sqlite", { allowReserved: true })); }
       catch (_e) { /* cluster mode / unsupported dialect */ }
     }
     _markErased(subjectId);
@@ -536,20 +552,38 @@ function restrict(subjectId, opts) {
   if (!opts || typeof opts.on !== "boolean") {
     throw new Error("subject.restrict requires { on: true|false }");
   }
-  var existing = db().prepare(
-    "SELECT subjectIdHash FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-  ).get(_subjectHash(subjectId));
+  var restrictSelBuilt = sql.select(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+    .columns(["subjectIdHash"])
+    .where("subjectIdHash", _subjectHash(subjectId))
+    .toSql();
+  var restrictSelStmt = db().prepare(restrictSelBuilt.sql);
+  var existing = restrictSelStmt.get.apply(restrictSelStmt, restrictSelBuilt.params);
   if (opts.on) {
     if (!existing) {
-      db().prepare(
-        "INSERT INTO _blamejs_subject_restrictions (subjectIdHash, since, reason) VALUES (?, ?, ?)"
-      ).run(_subjectHash(subjectId), Date.now(), opts.reason || null);
+      // The restriction `reason` is a ticket reference / legal basis — PII at
+      // rest. db.js declares sealedFields:["reason"] on this table, but the raw
+      // write path bypasses the structured builder's auto-seal, so seal here
+      // explicitly (idempotent registration guard covers a reset registry).
+      if (!cryptoField.getSchema(RESTRICTIONS_TABLE)) {
+        cryptoField.registerTable(RESTRICTIONS_TABLE, { sealedFields: ["reason"] });
+      }
+      var restrictInsBuilt = sql.insert(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+        .values(cryptoField.sealRow(RESTRICTIONS_TABLE, {
+          subjectIdHash: _subjectHash(subjectId),
+          since:         Date.now(),
+          reason:        opts.reason || null,
+        }))
+        .toSql();
+      var restrictInsStmt = db().prepare(restrictInsBuilt.sql);
+      restrictInsStmt.run.apply(restrictInsStmt, restrictInsBuilt.params);
     }
   } else if (existing) {
-    db().prepare(
-      "DELETE FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-    ).run(_subjectHash(subjectId));
+    var restrictDelBuilt = sql.delete(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+      .where("subjectIdHash", _subjectHash(subjectId))
+      .toSql();
+    var restrictDelStmt = db().prepare(restrictDelBuilt.sql);
+    restrictDelStmt.run.apply(restrictDelStmt, restrictDelBuilt.params);
   }
   _writeAudit("subject.restrict", subjectId, "success", {
@@ -581,9 +615,15 @@ function restrict(subjectId, opts) {
  */
 function isRestricted(subjectId) {
   if (!subjectId) return false;
-  var row = db().prepare(
-    "SELECT 1 FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-  ).get(_subjectHash(subjectId));
+  // Presence check — project the PK column (b.sql columns must be real
+  // identifiers, not a `SELECT 1` literal); a matched row is truthy.
+  var built = sql.select(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+    .columns(["subjectIdHash"])
+    .where("subjectIdHash", _subjectHash(subjectId))
+    .limit(1)
+    .toSql();
+  var stmt = db().prepare(built.sql);
+  var row = stmt.get.apply(stmt, built.params);
   return !!row;
 }
@@ -629,9 +669,16 @@ function recordObjection(subjectId, opts) {
 // ---- Internal helpers ----
 function _markErased(subjectId) {
-  db().prepare(
-    "INSERT OR REPLACE INTO _blamejs_subject_erasures (subjectIdHash, erasedAt) VALUES (?, ?)"
-  ).run(_subjectHash(subjectId), Date.now());
+  // "INSERT OR REPLACE" is the sqlite upsert idiom — express it portably as
+  // INSERT … ON CONFLICT(subjectIdHash) DO UPDATE SET erasedAt = EXCLUDED.erasedAt
+  // (the row is keyed by subjectIdHash; a re-erase just refreshes the timestamp).
+  var built = sql.upsert(ERASURES_TABLE, { dialect: "sqlite", quoteName: true })
+    .values({ subjectIdHash: _subjectHash(subjectId), erasedAt: Date.now() })
+    .onConflict(["subjectIdHash"])
+    .doUpdateFromExcluded(["erasedAt"])
+    .toSql();
+  var stmt = db().prepare(built.sql);
+  stmt.run.apply(stmt, built.params);
 }
 function _subjectHash(subjectId) {

package/lib/vendor/blamejs/lib/vault/index.js CHANGED Viewed

@@ -71,6 +71,7 @@ var { boot } = require("../log");
 var safeBuffer = require("../safe-buffer");
 var safeJson = require("../safe-json");
 var observability = require("../observability");
+var frameworkFiles = require("../framework-files");
 var vaultPassphraseSource = require("./passphrase-source");
 var vaultWrap = require("./wrap");
 var { defineClass } = require("../framework-error");
@@ -99,8 +100,8 @@ var log = boot("vault");
 function resolvePaths(dataDir) {
   return {
     dataDir:           dataDir,
-    plaintext:         nodePath.join(dataDir, "vault.key"),
-    sealed:            nodePath.join(dataDir, "vault.key.sealed"),
+    plaintext:         nodePath.join(dataDir, frameworkFiles.fileName("vaultKey")),
+    sealed:            nodePath.join(dataDir, frameworkFiles.fileName("vaultKey") + ".sealed"),
     derivedHashSalt:   nodePath.join(dataDir, "vault.derived-hash-salt"),
     derivedHashMacKey: nodePath.join(dataDir, "vault.derived-hash-mac.sealed"),
   };

package/lib/vendor/blamejs/lib/vault/passphrase-ops.js CHANGED Viewed

@@ -38,13 +38,14 @@
 var nodeFs = require("node:fs");
 var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
+var frameworkFiles = require("../framework-files");
 var vaultWrap = require("./wrap");
 var { defineClass } = require("../framework-error");
 var VaultPassphraseError = defineClass("VaultPassphraseError", { alwaysPermanent: true });
-var PLAINTEXT_NAME = "vault.key";
-var SEALED_NAME    = "vault.key.sealed";
+var PLAINTEXT_NAME = frameworkFiles.fileName("vaultKey");
+var SEALED_NAME    = frameworkFiles.fileName("vaultKey") + ".sealed";
 function _paths(dataDir) {
   return {