npm - @blamejs/blamejs-shop - Versions diffs - 0.4.30 → 0.4.32 - Mend

@blamejs/blamejs-shop 0.4.30 → 0.4.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (338) hide show

package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js CHANGED Viewed

@@ -12,6 +12,13 @@ var helpers = require("../helpers");
 var b = helpers.b;
 var check = helpers.check;
 var C = b.constants;
+var fs = helpers.fs;
+var os = helpers.os;
+var path = helpers.path;
+var setupTestDb = helpers.setupTestDb;
+var teardownTestDb = helpers.teardownTestDb;
+function _tmp() { return fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-dsr-")); }
 function _makeDsr(extraOpts) {
   var sources = [
@@ -759,6 +766,209 @@ async function testReceiptSignerError() {
         receipt.signature === undefined);
 }
+// ---- dbTicketStore: at-rest sealing + erasure purge + upgrade path ----
+function _dbDsr(extraOpts) {
+  var store = b.dsr.dbTicketStore({ db: b.db });
+  return {
+    store: store,
+    dsr: b.dsr.create(Object.assign({
+      ticketStore: store,
+      posture:     "gdpr",
+      identityResolver: async function (input) {
+        if (input.email === "alice@example.com") {
+          return { subjectId: "u-1", email: "alice@example.com", phone: "+15550001111" };
+        }
+        return null;
+      },
+      sources: [{
+        name:  "users",
+        query: async function () { return [{ id: 1 }]; },
+        erase: async function () { return { deletedIds: [1] }; },
+      }],
+    }, extraOpts || {})),
+  };
+}
+async function testDbStoreSealsAtRest() {
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    var h = _dbDsr();
+    var ticket = await h.dsr.submit({
+      type:    "access",
+      subject: { email: "alice@example.com" },
+      reason:  "sealing-at-rest verification",
+    });
+    // Read the RAW row directly (bypassing the store's unseal) and assert
+    // the PII columns + payload are NOT stored in plaintext.
+    var raw = b.db.prepare(
+      "SELECT subject_email, subject_phone, subject_id, subject_email_hash, payload " +
+      "FROM dsr_tickets WHERE id = $id").all({ $id: ticket.id })[0];
+    check("dbStore: raw row exists", !!raw);
+    check("dbStore: subject_email sealed at rest (not plaintext)",
+          typeof raw.subject_email === "string" &&
+          raw.subject_email.indexOf("alice@example.com") === -1);
+    check("dbStore: subject_phone sealed at rest (not plaintext)",
+          typeof raw.subject_phone === "string" &&
+          raw.subject_phone.indexOf("+15550001111") === -1);
+    check("dbStore: payload sealed at rest (no plaintext email leak)",
+          typeof raw.payload === "string" &&
+          raw.payload.indexOf("alice@example.com") === -1);
+    check("dbStore: derived email hash populated for lookup",
+          typeof raw.subject_email_hash === "string" && raw.subject_email_hash.length > 0);
+    // The store still round-trips the cleartext ticket via get().
+    var got = await h.store.get(ticket.id);
+    check("dbStore: get() unseals payload back to cleartext",
+          got && got.subject.email === "alice@example.com");
+    // list-by-subject matches via the derived hash (sealed columns can't
+    // be matched on plaintext).
+    var listed = await h.store.list({ subject: { email: "alice@example.com" } });
+    check("dbStore: list-by-subject matches via derived hash",
+          listed.length === 1 && listed[0].id === ticket.id);
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
+async function testDbStoreErasurePurgesPriorTickets() {
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    var h = _dbDsr();
+    // Two prior access tickets for alice + a final erasure.
+    var t1 = await h.dsr.submit({ type: "access", subject: { email: "alice@example.com" }, reason: "prior access one" });
+    var t2 = await h.dsr.submit({ type: "access", subject: { email: "alice@example.com" }, reason: "prior access two" });
+    var erasure = await h.dsr.submit({
+      type: "erasure", subject: { email: "alice@example.com" },
+      reason: "right to erasure", verificationLevel: "secondary",
+    });
+    var before = await h.store.list({ subject: { email: "alice@example.com" } });
+    check("dbStore erasure: 3 tickets before completion", before.length === 3);
+    var processed = await h.dsr.process(erasure.id, { actor: "compliance@", verificationLevel: "secondary" });
+    check("dbStore erasure: erasure completed", processed.status === "completed");
+    // After completion, the subject's prior tickets are purged; the
+    // erasure ticket itself survives (audit/receipt trail).
+    var after = await h.store.list({ subject: { email: "alice@example.com" } });
+    check("dbStore erasure: only the erasure ticket remains", after.length === 1 && after[0].id === erasure.id);
+    check("dbStore erasure: prior ticket t1 gone", (await h.store.get(t1.id)) === null);
+    check("dbStore erasure: prior ticket t2 gone", (await h.store.get(t2.id)) === null);
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
+async function testDbStoreUpgradePath() {
+  // Build an OLD-shape (v0.8.0) dsr_tickets table by hand — no
+  // subject_*_hash columns — then construct the store. ensureSchema must
+  // ALTER TABLE ADD COLUMN the missing columns so the first insert
+  // succeeds rather than throwing "no such column".
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    b.db.runSql("CREATE TABLE dsr_tickets (" +
+      "id TEXT PRIMARY KEY, type TEXT NOT NULL, status TEXT NOT NULL, " +
+      "subject_id TEXT, subject_email TEXT, subject_phone TEXT, " +
+      "submitted_at INTEGER NOT NULL, deadline_at INTEGER NOT NULL, " +
+      "processed_at INTEGER, verification_level TEXT, posture TEXT, " +
+      "payload TEXT NOT NULL)");
+    // Seed a legacy plaintext row to prove the ALTER survives existing data.
+    b.db.prepare("INSERT INTO dsr_tickets (id, type, status, subject_email, submitted_at, deadline_at, payload) " +
+      "VALUES ($id, $type, $status, $email, $sa, $da, $p)").run({
+        $id: "DSR-LEGACY-1", $type: "access", $status: "pending",
+        $email: "legacy@example.com", $sa: Date.now(), $da: Date.now() + 1000,
+        $p: JSON.stringify({ id: "DSR-LEGACY-1", status: "pending", subject: { email: "legacy@example.com" } }),
+      });
+    // Constructing the store runs ensureSchema → reconciles the columns.
+    var h = _dbDsr();
+    var cols = b.db.prepare("PRAGMA table_info(dsr_tickets)").all({});
+    var names = cols.map(function (c) { return c.name; });
+    check("dbStore upgrade: subject_email_hash column added",
+          names.indexOf("subject_email_hash") !== -1);
+    check("dbStore upgrade: subject_id_hash column added",
+          names.indexOf("subject_id_hash") !== -1);
+    // A fresh insert against the upgraded table succeeds (the bug under
+    // test threw "no such column: subject_email_hash" here).
+    var ticket = await h.dsr.submit({
+      type: "access", subject: { email: "alice@example.com" }, reason: "post-upgrade insert",
+    });
+    check("dbStore upgrade: insert succeeds after schema reconcile",
+          typeof ticket.id === "string");
+    var got = await h.store.get(ticket.id);
+    check("dbStore upgrade: round-trips the new ticket", got && got.subject.email === "alice@example.com");
+    // The legacy row was seeded with a plaintext subject and NULL hash. Once a
+    // vault is present, list({ subject }) matches on the hash column, so the
+    // upgrade MUST have backfilled the legacy row's hash — otherwise it is
+    // invisible to a subject lookup and the erasure-completion purge skips it.
+    var legacyFound = await h.store.list({ subject: { email: "legacy@example.com" } });
+    check("dbStore upgrade: legacy plaintext row backfilled + found by subject",
+          legacyFound.some(function (t) { return t.id === "DSR-LEGACY-1"; }));
+    var rawLegacy = b.db.prepare(
+      "SELECT subject_email, subject_email_hash FROM dsr_tickets WHERE id = $id")
+      .all({ $id: "DSR-LEGACY-1" })[0];
+    check("dbStore upgrade: legacy subject_email_hash populated by backfill",
+          rawLegacy && typeof rawLegacy.subject_email_hash === "string" &&
+          rawLegacy.subject_email_hash.length > 0);
+    check("dbStore upgrade: legacy subject_email sealed at rest by backfill (now erasable)",
+          rawLegacy && rawLegacy.subject_email !== "legacy@example.com");
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
+// ---- AAD_ROTATION descriptor + reseal ----
+function testAadRotationDescriptor() {
+  var d = b.dsr.AAD_ROTATION;
+  check("AAD_ROTATION: exported", d && typeof d === "object");
+  check("AAD_ROTATION: table is dsr_tickets", d.table === "dsr_tickets");
+  check("AAD_ROTATION: rowIdField is id", d.rowIdField === "id");
+  check("AAD_ROTATION: backend external", d.backend === "external");
+  check("AAD_ROTATION: reseal is the fn", d.reseal === b.dsr.reseal && typeof d.reseal === "function");
+}
+async function testResealValidationAndStore() {
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    // Missing roots are rejected at entry.
+    var threw = null;
+    try { await b.dsr.reseal({ store: { listAll: function () { return []; }, putResealed: function () {} } }); }
+    catch (e) { threw = e; }
+    check("reseal: missing root snapshots refused",
+          threw && /dsr\/bad-root/.test(threw.code));
+    // Bad store shape is rejected.
+    var threw2 = null;
+    try { await b.dsr.reseal({ oldRootJson: "{}", newRootJson: "{}", store: {} }); }
+    catch (e) { threw2 = e; }
+    check("reseal: store missing listAll/putResealed refused",
+          threw2 && /dsr\/bad-reseal-store/.test(threw2.code));
+    // A store whose rows carry no AAD-sealed cells re-seals nothing
+    // (plaintext rows pass through) — exercises the row-walk + putResealed
+    // contract without needing a full keypair rotation.
+    var keys = b.vault.getKeysJson();
+    var puts = [];
+    var plainStore = {
+      listAll:     function () { return [{ id: "T1", payload: "plain-json" }]; },
+      putResealed: function (row) { puts.push(row.id); },
+    };
+    var rv = await b.dsr.reseal({ oldRootJson: keys, newRootJson: keys, store: plainStore });
+    check("reseal: returns table + resealed count", rv.table === "dsr_tickets" && rv.resealed === 0);
+    check("reseal: plaintext rows not re-persisted", puts.length === 0);
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
 // ---- Run all ----
 (async function run() {
@@ -812,4 +1022,12 @@ async function testReceiptSignerError() {
   await testReceiptNotTerminal();
   await testReceiptWithSigner();
   await testReceiptSignerError();
+  // dbTicketStore at-rest sealing + erasure purge + upgrade path
+  await testDbStoreSealsAtRest();
+  await testDbStoreErasurePurgesPriorTickets();
+  await testDbStoreUpgradePath();
+  // AAD_ROTATION descriptor + reseal
+  testAadRotationDescriptor();
+  await testResealValidationAndStore();
 })().catch(function (e) { console.error(e); process.exit(1); });

package/lib/vendor/blamejs/test/layer-0-primitives/erase-posture-vacuum.test.js ADDED Viewed

@@ -0,0 +1,210 @@
+"use strict";
+/**
+ * b.cryptoField.eraseRow posture-driven VACUUM cascade.
+ *
+ * The advertised guarantee (crypto-field.js eraseRow docstring +
+ * compliance.js POSTURE_DEFAULTS): under a regulatory posture whose
+ * requireVacuumAfterErase floor is true, calling eraseRow on a sealed-
+ * column table automatically runs b.db.vacuumAfterErase({ mode:"full" })
+ * so SQLite's freed B-tree pages don't keep sealed-column ciphertext
+ * recoverable from a forensic disk image — the residual that would
+ * defeat the right-to-erasure the regime guarantees.
+ *
+ * This drives that guarantee end-to-end on a REAL encrypted-at-rest DB
+ * (wrapped vault, sealed db.enc, signed audit chain — the production
+ * path via setupTestDb). The vacuum entry point is wrapped with a
+ * call-through spy: the real VACUUM still executes against the real
+ * tmpfs SQLite, AND the framework's own `db.vacuum_after_erase` row is
+ * read back out of the signed audit chain as the observable side
+ * effect.
+ *
+ * gdpr / hipaa MUST trigger the vacuum (positive control).
+ *
+ * uk-gdpr / appi-jp / pdpa-sg are all in
+ * b.compliance.CROSS_BORDER_REGULATED_POSTURES — the same cross-border
+ * privacy regimes whose Art. 17-equivalent right-to-erasure applies
+ * identically (uk-gdpr is literally "retained EU GDPR"), so they MUST
+ * trigger the same mandatory residue VACUUM. An invariant below asserts
+ * that EVERY cross-border regulated posture carries the
+ * requireVacuumAfterErase floor, so a newly-added regime can never
+ * silently drop the residue cleanup the right-to-erasure depends on.
+ */
+var fs   = require("node:fs");
+var os   = require("node:os");
+var path = require("node:path");
+var helpers = require("../helpers");
+var b       = helpers.b;
+var check   = helpers.check;
+var setupTestDb    = require("../helpers/db").setupTestDb;
+var teardownTestDb = require("../helpers/db").teardownTestDb;
+var SEALED_SCHEMA = [
+  {
+    name: "patients",
+    columns: {
+      _id:     "TEXT PRIMARY KEY",
+      ssn:     "TEXT",
+      ssnHash: "TEXT",
+      name:    "TEXT",
+    },
+    indexes: ["ssnHash"],
+    sealedFields:  ["ssn", "name"],
+    derivedHashes: { ssnHash: { from: "ssn" } },
+    // AAD-bound envelope so the table satisfies the HIPAA
+    // sealEnvelopeFloor:"aad" gate as well as the no-floor postures.
+    aad:        true,
+    rowIdField: "_id",
+  },
+];
+// Drive the full erase under one posture against a real encrypted DB
+// and report whether the posture-cascade actually fired the VACUUM.
+// Returns { vacuumCalled, modeFull, auditRowSeen }.
+async function eraseUnderPosture(posture) {
+  var dataDir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-erasevac-"));
+  await setupTestDb(dataDir, SEALED_SCHEMA);
+  // Pin the posture. The cascade calls cryptoField.applyPosture(posture)
+  // (records _activePosture) + db.applyPosture(posture). This is the
+  // exact boot wiring an operator running under `posture` gets.
+  b.compliance._resetForTest();
+  b.compliance.set(posture);
+  check("compliance.current cascaded -> " + posture,
+        b.compliance.current() === posture);
+  check("cryptoField active posture cascaded -> " + posture,
+        b.cryptoField.getActivePosture() === posture);
+  // The sealed table is already in the field-crypto registry —
+  // setupTestDb's db.init registered it from the schema (sealedFields /
+  // derivedHashes / aad) — so eraseRow has a schema to tombstone against.
+  // Persist a real row through the real field-crypto + db path
+  // (insertOne seals the sealed columns itself), then delete it so the
+  // upcoming erase + vacuum has freed B-tree pages to reclaim. The
+  // residue the VACUUM clears is exactly those freed pages — they still
+  // hold the sealed-column ciphertext until a full rewrite.
+  var inserted = b.db.from("patients").insertOne({
+    ssn:  "123-45-6789",
+    name: "Alice Patient",
+  });
+  b.db.from("patients").where({ _id: inserted._id }).deleteOne();
+  // A sealed-shaped in-memory row for eraseRow to tombstone (eraseRow
+  // operates on a row object, NULLing its sealed + derived columns).
+  var sealed = b.cryptoField.sealRow("patients", {
+    _id:  inserted._id,
+    ssn:  "123-45-6789",
+    name: "Alice Patient",
+  });
+  // Wrap the real vacuum entry point with a call-through spy. eraseRow
+  // reaches it via require("./db").vacuumAfterErase, which is the same
+  // object as b.db — so the wrapper is what eraseRow invokes, and the
+  // real VACUUM still runs against the encrypted tmpfs SQLite.
+  var realVacuum = b.db.vacuumAfterErase;
+  var spy = { called: false, mode: null, threw: null };
+  b.db.vacuumAfterErase = function (opts) {
+    spy.called = true;
+    spy.mode   = opts && opts.mode;
+    try {
+      return realVacuum.call(b.db, opts);   // real VACUUM executes
+    } catch (e) {
+      spy.threw = e;
+      throw e;
+    }
+  };
+  var auditRowSeen = false;
+  try {
+    var sinceMs = Date.now();
+    // The advertised cascade: erasing a sealed row under a vacuum-floor
+    // posture auto-runs b.db.vacuumAfterErase({ mode:"full" }).
+    var erased = b.cryptoField.eraseRow("patients", sealed);
+    check("eraseRow NULLed the sealed ssn (" + posture + ")", erased.ssn === null);
+    check("eraseRow NULLed the derived ssnHash (" + posture + ")", erased.ssnHash === null);
+    // Real side effect: the framework's own audit row for the vacuum
+    // must be present in the signed chain when (and only when) the
+    // posture actually triggered it.
+    await b.audit.flush();
+    var rows = await b.audit.query({
+      action: "db.vacuum_after_erase",
+      from:   sinceMs - 1000,
+      limit:  50,
+    });
+    // The audit chain stores metadata as a JSON string column; parse
+    // it back to confirm the vacuum row carried mode:"full".
+    auditRowSeen = Array.isArray(rows) && rows.some(function (r) {
+      if (!r || r.metadata == null) return false;
+      var md = r.metadata;
+      if (typeof md === "string") { try { md = JSON.parse(md); } catch (_e) { return false; } }
+      return md && md.mode === "full";
+    });
+  } finally {
+    b.db.vacuumAfterErase = realVacuum;
+    await teardownTestDb(dataDir);
+    b.compliance._resetForTest();
+  }
+  return {
+    vacuumCalled: spy.called,
+    modeFull:     spy.mode === "full",
+    vacuumThrew:  spy.threw,
+    auditRowSeen: auditRowSeen,
+  };
+}
+async function run() {
+  // ---- Positive control: gdpr + hipaa MUST trigger the full VACUUM,
+  // the real VACUUM must execute, and the audit row must land. This is
+  // the genuine end-to-end proof of the advertised guarantee.
+  var gdpr = await eraseUnderPosture("gdpr");
+  check("gdpr eraseRow TRIGGERED vacuumAfterErase", gdpr.vacuumCalled === true);
+  check("gdpr vacuum ran with mode:'full'", gdpr.modeFull === true);
+  check("gdpr real VACUUM executed without throwing", gdpr.vacuumThrew === null);
+  check("gdpr db.vacuum_after_erase landed in the signed audit chain",
+        gdpr.auditRowSeen === true);
+  var hipaa = await eraseUnderPosture("hipaa");
+  check("hipaa eraseRow TRIGGERED vacuumAfterErase", hipaa.vacuumCalled === true);
+  check("hipaa vacuum ran with mode:'full'", hipaa.modeFull === true);
+  check("hipaa real VACUUM executed without throwing", hipaa.vacuumThrew === null);
+  check("hipaa db.vacuum_after_erase landed in the signed audit chain",
+        hipaa.auditRowSeen === true);
+  // ---- Invariant (recurrence guard): EVERY cross-border regulated posture
+  // must carry the requireVacuumAfterErase floor. A regime added to
+  // CROSS_BORDER_REGULATED_POSTURES without a POSTURE_DEFAULTS entry would
+  // silently skip the mandatory residue cleanup — this catches that drift.
+  var crossBorder = b.compliance.CROSS_BORDER_REGULATED_POSTURES.slice();
+  check("there is at least one cross-border regulated posture to check",
+        crossBorder.length > 0);
+  for (var k = 0; k < crossBorder.length; k += 1) {
+    check(crossBorder[k] + " carries the requireVacuumAfterErase floor",
+          b.compliance.postureDefault(crossBorder[k], "requireVacuumAfterErase") === true);
+  }
+  // ---- End-to-end: erasing under each cross-border posture triggers the
+  // same mandatory residue VACUUM the positive controls (gdpr/hipaa) do.
+  var sample = ["uk-gdpr", "appi-jp", "pdpa-sg"];
+  for (var i = 0; i < sample.length; i += 1) {
+    var p = sample[i];
+    var r = await eraseUnderPosture(p);
+    check(p + " eraseRow TRIGGERED the mandatory residue VACUUM",
+          r.vacuumCalled === true);
+    check(p + " vacuum ran with mode:'full'", r.modeFull === true);
+    check(p + " db.vacuum_after_erase landed in the signed audit chain",
+          r.auditRowSeen === true);
+  }
+}
+module.exports = { run: run };
+if (require.main === module) {
+  run().then(
+    function () { console.log("[erase-posture-vacuum] OK"); },
+    function (e) { console.error(e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js CHANGED Viewed

@@ -26,7 +26,10 @@ function _instrumentingDriver(opts) {
         opts.failOnce = null;
         throw e;
       }
-      if (/^SELECT rolname FROM pg_roles/i.test(sql)) {
+      // assertRoleHardening composes the pg_roles scan through b.sql, which
+      // quotes the projected identifier (`SELECT "rolname" FROM pg_roles
+      // ORDER BY "rolname" ASC`). Match the quoted-or-bare form.
+      if (/^SELECT\s+"?rolname"?\s+FROM\s+pg_roles\b/i.test(sql)) {
         return { rows: rolesRow.map(function (n) { return { rolname: n }; }), rowCount: rolesRow.length };
       }
       if (/^SELECT 1$/i.test(sql)) return { rows: [{ n: 1 }], rowCount: 1 };

package/lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js CHANGED Viewed

@@ -172,12 +172,58 @@ async function run() {
     async function () { await migrate.up(); },
     /externaldb-migrate\/missing-up/);
-  // ---------- Cleanup ----------
   driver._close();
   b.externalDb._resetForTest();
   fs.rmSync(dataDir, { recursive: true, force: true });
   fs.rmSync(migDir,  { recursive: true, force: true });
+  // ---------- Residency: framework tracking writes survive a
+  // residency-tagged backend under a cross-border regulated posture ----
+  // The migrate runner's own tracking / history / lock INSERTs are
+  // region-neutral metadata and carry the "unrestricted" tag; without
+  // that exemption the per-row residency write gate would refuse every
+  // migration with RESIDENCY_GATE_REQUIRED on an eu-tagged backend
+  // under gdpr.
+  var resDataDir = _tempDir("blamejs-xmig-res-data");
+  var resMigDir  = _tempDir("blamejs-xmig-res-mig");
+  var resDriver  = _makeSqliteDriver(path.join(resDataDir, "fake-pg.db"));
+  b.externalDb._resetForTest();
+  b.externalDb.init({
+    backends: {
+      main: {
+        connect: resDriver.connect, query: resDriver.query,
+        close: resDriver.close, dialect: "postgres", residencyTag: "eu",
+      },
+    },
+  });
+  // DDL-only migration — the only DML in the transaction is the
+  // framework's tracking + history INSERTs (operator DML would itself
+  // be gated, which is correct, so the migration body stays DDL).
+  _writeMigration(resMigDir, "0001-ddl-only.js",
+    'module.exports = {\n' +
+    '  description: "create widget",\n' +
+    '  up:   async function (xdb) { await xdb.query("CREATE TABLE widget (id INTEGER PRIMARY KEY)", []); },\n' +
+    '  down: async function (xdb) { await xdb.query("DROP TABLE widget", []); },\n' +
+    '};\n');
+  var resMigrate = b.externalDb.migrate.create({ dir: resMigDir });
+  b.compliance.clear();
+  b.compliance.set("gdpr");
+  try {
+    var resR = await resMigrate.up();
+    check("migrate up() succeeds on eu backend under gdpr (framework writes exempt)",
+      resR.applied.length === 1 && resR.applied[0] === "0001-ddl-only.js");
+    // The tracking row landed — re-running is idempotent (proves the
+    // framework INSERT into the tracking table actually committed).
+    var resR2 = await resMigrate.up();
+    check("migrate is idempotent after the tracked apply (tracking INSERT committed)",
+      resR2.applied.length === 0 && resR2.skipped.length === 1);
+  } finally {
+    b.compliance.clear();
+    resDriver._close();
+    b.externalDb._resetForTest();
+    fs.rmSync(resDataDir, { recursive: true, force: true });
+    fs.rmSync(resMigDir,  { recursive: true, force: true });
+  }
 }
 module.exports = { run: run };