npm - @blamejs/blamejs-shop - Versions diffs - 0.4.31 → 0.4.32 - Mend

@blamejs/blamejs-shop 0.4.31 → 0.4.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (336) hide show

package/lib/vendor/blamejs/lib/legal-hold.js CHANGED Viewed

@@ -63,8 +63,20 @@ var bCrypto = require("./crypto");
 var lazyRequire = require("./lazy-require");
 var safeJson = require("./safe-json");
 var validateOpts = require("./validate-opts");
+var sql = require("./sql");
+var cryptoField = require("./crypto-field");
 var { defineClass } = require("./framework-error");
+// Local-SQLite framework table names. These run against the b.db() handle
+// directly (single-node legal-hold registry + the audit_log read), so the
+// b.sql builders carry { quoteName: true } to emit the quoted local name
+// (no clusterStorage prefix rewrite on this path) and bind every value as a
+// placeholder. The names are passed as literals here for the same reason
+// db.js declares them as literals — they ARE the canonical local table
+// identifiers.
+var HOLD_TABLE = "_blamejs_legal_hold";   // allow:hand-rolled-sql — canonical local table-name; passed to b.sql with quoteName
+var AUDIT_TABLE = "audit_log";
 var audit = lazyRequire(function () { return require("./audit"); });
 var LegalHoldError = defineClass("LegalHoldError", { alwaysPermanent: true });
@@ -99,6 +111,24 @@ function _hashSubject(subjectId) {
   return bCrypto.sha3Hash("bj-legal-hold:" + subjectId);
 }
+// Resolve the b.sql dialect for the operator-supplied handle. The framework's
+// local b.db handle is always node:sqlite (db.js pins { dialect: "sqlite",
+// quoteName: true }) and exposes no .dialect, so this defaults to "sqlite" —
+// the registry + the audit_log read both run against that local handle via
+// .prepare(). An operator handle that DOES advertise a dialect (string or
+// () -> string) has it threaded through so the emitted identifier quoting +
+// idioms match the backend the handle dispatches to. quoteName stays on for
+// every legal-hold statement: these are canonical local table names quoted by
+// construction (no clusterStorage prefix rewrite on this path).
+function _handleDialect(db) {
+  if (db && typeof db.dialect === "function") {
+    try { var d = db.dialect(); return typeof d === "string" ? d : "sqlite"; }
+    catch (_e) { return "sqlite"; }
+  }
+  if (db && typeof db.dialect === "string") return db.dialect;
+  return "sqlite";
+}
 function create(opts) {
   opts = opts || {};
   validateOpts(opts, ["db", "audit", "signWith"], "legalHold");
@@ -106,6 +136,11 @@ function create(opts) {
     throw _err("BAD_OPT", "create: opts.db is required (a b.db handle)");
   }
   var db = opts.db;
+  // b.sql opts for every legal-hold statement built against this handle. The
+  // dialect tracks the handle (sqlite for the framework's local b.db); the
+  // local table names are quoted by construction (quoteName) with no
+  // clusterStorage prefix rewrite on this path.
+  var SQL_OPTS = { dialect: _handleDialect(db), quoteName: true };
   var auditOn = opts.audit !== false && opts.audit != null;
   var auditInstance = (opts.audit && opts.audit !== true) ? opts.audit : null;
   // signWith is reserved for future per-event detached signatures;
@@ -135,19 +170,31 @@ function create(opts) {
     // table via FRAMEWORK_SCHEMA at boot; this guard is for the
     // external-db / cluster path where schema migrations are operator-
     // driven. Either way the IF NOT EXISTS shape is safe to re-run.
+    // DDL built through b.sql.createTable so every identifier is quoted by
+    // construction (quoteName) and the type tokens come from the framework
+    // type map.
     var fn = db.runSql || db.execRaw;
     if (typeof fn === "function") {
-      fn(
-        'CREATE TABLE IF NOT EXISTS "_blamejs_legal_hold" (' +
-        '"subjectIdHash" TEXT PRIMARY KEY,' +
-        '"placedAt" INTEGER NOT NULL,' +
-        '"placedBy" TEXT,' +
-        '"reason" TEXT NOT NULL,' +
-        '"custodian" TEXT,' +
-        '"citation" TEXT,' +
-        '"retainUntil" INTEGER' +
-        ')'
-      );
+      var ddl = sql.createTable(HOLD_TABLE, [
+        { name: "subjectIdHash", type: "text", primaryKey: true },
+        { name: "placedAt",      type: "int",  notNull: true },
+        { name: "placedBy",      type: "text" },
+        { name: "reason",        type: "text", notNull: true },
+        { name: "custodian",     type: "text" },
+        { name: "citation",      type: "text" },
+        { name: "retainUntil",   type: "int" },
+      ], SQL_OPTS);
+      fn(ddl.sql);
+    }
+    // Register the table's PII columns for at-rest sealing. The framework
+    // SQLite path also registers this via db.init() FRAMEWORK_SCHEMA, but the
+    // external-db / cluster path and a post-_resetForTest registry need this
+    // idempotent guard so sealRow/unsealRow below are never no-ops (which would
+    // store the legal-basis / custodian / citation free text in clear).
+    if (!cryptoField.getSchema(HOLD_TABLE)) {
+      cryptoField.registerTable(HOLD_TABLE, {
+        sealedFields: ["reason", "placedBy", "custodian", "citation"],
+      });
     }
   }
@@ -171,9 +218,12 @@ function create(opts) {
     }
     _ensureSchema();
     var hash = _hashSubject(sid);
-    var existing = db.prepare(
-      'SELECT placedAt FROM "_blamejs_legal_hold" WHERE subjectIdHash = ?'
-    ).get(hash);
+    var placeSelBuilt = sql.select(HOLD_TABLE, SQL_OPTS)
+      .columns(["placedAt"])
+      .where("subjectIdHash", hash)
+      .toSql();
+    var placeSelStmt = db.prepare(placeSelBuilt.sql);
+    var existing = placeSelStmt.get.apply(placeSelStmt, placeSelBuilt.params);
     if (existing) {
       _emit("legalhold.place_rejected",
         { subjectId: sid, reason: "already-held",
@@ -182,18 +232,19 @@ function create(opts) {
       return { error: "already-held", placedAt: existing.placedAt };
     }
     var nowMs = Date.now();
-    db.prepare(
-      'INSERT INTO "_blamejs_legal_hold" ' +
-      '(subjectIdHash, placedAt, placedBy, reason, custodian, citation, retainUntil) ' +
-      'VALUES (?, ?, ?, ?, ?, ?, ?)'
-    ).run(
-      hash, nowMs,
-      args.placedBy || null,
-      args.reason,
-      args.custodian || null,
-      args.citation || null,
-      args.retainUntil || null
-    );
+    var placeInsBuilt = sql.insert(HOLD_TABLE, SQL_OPTS)
+      .values(cryptoField.sealRow(HOLD_TABLE, {
+        subjectIdHash: hash,
+        placedAt:      nowMs,
+        placedBy:      args.placedBy || null,
+        reason:        args.reason,
+        custodian:     args.custodian || null,
+        citation:      args.citation || null,
+        retainUntil:   args.retainUntil || null,
+      }))
+      .toSql();
+    var placeInsStmt = db.prepare(placeInsBuilt.sql);
+    placeInsStmt.run.apply(placeInsStmt, placeInsBuilt.params);
     _emit("legalhold.placed",
       { subjectId: sid, reason: args.reason,
         custodian: args.custodian || null,
@@ -216,18 +267,24 @@ function create(opts) {
     }
     _ensureSchema();
     var hash = _hashSubject(sid);
-    var existing = db.prepare(
-      'SELECT placedAt, reason FROM "_blamejs_legal_hold" WHERE subjectIdHash = ?'
-    ).get(hash);
+    var relSelBuilt = sql.select(HOLD_TABLE, SQL_OPTS)
+      .columns(["placedAt", "reason"])
+      .where("subjectIdHash", hash)
+      .toSql();
+    var relSelStmt = db.prepare(relSelBuilt.sql);
+    var existing = relSelStmt.get.apply(relSelStmt, relSelBuilt.params);
     if (!existing) {
       _emit("legalhold.release_rejected",
         { subjectId: sid, reason: "not-held" },
         "denied");
       return { error: "not-held" };
     }
-    db.prepare(
-      'DELETE FROM "_blamejs_legal_hold" WHERE subjectIdHash = ?'
-    ).run(hash);
+    existing = cryptoField.unsealRow(HOLD_TABLE, existing);
+    var relDelBuilt = sql.delete(HOLD_TABLE, SQL_OPTS)
+      .where("subjectIdHash", hash)
+      .toSql();
+    var relDelStmt = db.prepare(relDelBuilt.sql);
+    relDelStmt.run.apply(relDelStmt, relDelBuilt.params);
     _emit("legalhold.released",
       { subjectId: sid, reason: args.reason,
         approver: args.approver,
@@ -241,9 +298,12 @@ function create(opts) {
     var sid = _subjectIdString(subjectId);
     _ensureSchema();
     var hash = _hashSubject(sid);
-    var row = db.prepare(
-      'SELECT retainUntil FROM "_blamejs_legal_hold" WHERE subjectIdHash = ?'
-    ).get(hash);
+    var heldBuilt = sql.select(HOLD_TABLE, SQL_OPTS)
+      .columns(["retainUntil"])
+      .where("subjectIdHash", hash)
+      .toSql();
+    var heldStmt = db.prepare(heldBuilt.sql);
+    var row = heldStmt.get.apply(heldStmt, heldBuilt.params);
     if (!row) return false;
     // retainUntil expiry — when the operator pinned a sunset and it
     // has passed, the hold has lapsed and isHeld returns false. The
@@ -257,11 +317,14 @@ function create(opts) {
     var sid = _subjectIdString(subjectId);
     _ensureSchema();
     var hash = _hashSubject(sid);
-    var row = db.prepare(
-      'SELECT subjectIdHash, placedAt, placedBy, reason, custodian, citation, retainUntil ' +
-      'FROM "_blamejs_legal_hold" WHERE subjectIdHash = ?'
-    ).get(hash);
+    var getBuilt = sql.select(HOLD_TABLE, SQL_OPTS)
+      .columns(["subjectIdHash", "placedAt", "placedBy", "reason", "custodian", "citation", "retainUntil"])
+      .where("subjectIdHash", hash)
+      .toSql();
+    var getStmt = db.prepare(getBuilt.sql);
+    var row = getStmt.get.apply(getStmt, getBuilt.params);
     if (!row) return null;
+    row = cryptoField.unsealRow(HOLD_TABLE, row);
     return {
       subjectId:   sid,
       placedAt:    row.placedAt,
@@ -276,12 +339,15 @@ function create(opts) {
   function list() {
     _ensureSchema();
-    var rows = db.prepare(
-      'SELECT subjectIdHash, placedAt, placedBy, reason, custodian, citation, retainUntil ' +
-      'FROM "_blamejs_legal_hold" ORDER BY placedAt'
-    ).all();
+    var listBuilt = sql.select(HOLD_TABLE, SQL_OPTS)
+      .columns(["subjectIdHash", "placedAt", "placedBy", "reason", "custodian", "citation", "retainUntil"])
+      .orderBy("placedAt", "asc")
+      .toSql();
+    var listStmt = db.prepare(listBuilt.sql);
+    var rows = listStmt.all.apply(listStmt, listBuilt.params);
     var nowMs = Date.now();
     return rows.map(function (r) {
+      r = cryptoField.unsealRow(HOLD_TABLE, r);
       return {
         subjectIdHash: r.subjectIdHash,
         placedAt:      r.placedAt,
@@ -302,15 +368,20 @@ function create(opts) {
     var sid = _subjectIdString(subjectId);
     var rows = [];
     try {
-      var auditQuery = db.prepare(
-        'SELECT recordedAt, action, metadata, outcome ' +
-        'FROM audit_log ' +
-        'WHERE action LIKE ? AND resourceKind = ? ' +
-        'ORDER BY recordedAt'
-      );
+      // `action LIKE 'legalhold.%'` is a prefix match — b.sql's whereLike
+      // in prefix mode emits `"action" LIKE ? ESCAPE '~'` with the live
+      // trailing wildcard while escaping the term's own metacharacters
+      // (none here), so the wildcard stays builder-controlled.
+      var histBuilt = sql.select(AUDIT_TABLE, SQL_OPTS)
+        .columns(["recordedAt", "action", "metadata", "outcome"])
+        .whereLike("action", "legalhold.", "prefix")
+        .where("resourceKind", "legal-hold")
+        .orderBy("recordedAt", "asc")
+        .toSql();
+      var auditQuery = db.prepare(histBuilt.sql);
       // resourceId is sealed, so match on resourceKind + post-filter
       // by parsed metadata.
-      var raw = auditQuery.all("legalhold.%", "legal-hold");
+      var raw = auditQuery.all.apply(auditQuery, histBuilt.params);
       for (var i = 0; i < raw.length; i++) {
         var meta = null;
         try { meta = safeJson.parse(raw[i].metadata || "{}"); } catch (_e) { meta = null; }

package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js CHANGED Viewed

@@ -205,6 +205,10 @@ function create(config) {
   var inFlight = false;
   var closed = false;
   var sequenceToken = null;
+  // Captures the in-flight drain (the IIFE inside _flush) so close() can await
+  // the actual run before flipping `closed` — otherwise the _flush while-loop's
+  // `&& !closed` bails and buffered records are stranded at shutdown.
+  var inFlightPromise = null;
   var flushScheduler = safeAsync.makeScheduledFlush(cfg.maxBatchAgeMs, function () { return _flush(); });
   function _takeBatch() {
@@ -236,40 +240,44 @@ function create(config) {
   }
   async function _flush() {
-    if (inFlight) return;
+    if (inFlight) return inFlightPromise;
     if (buffer.length === 0) return;
     inFlight = true;
-    try {
-      try { await _ensureAutoCreated(); }
-      catch (acErr) {
-        // autoCreate failure is permanent — every subsequent batch
-        // would hit the same error. Drop the queue with the
-        // operator-supplied onDrop callback so they see exactly which
-        // events were lost AND why, then bail.
-        var allBuffered = buffer.splice(0, buffer.length);
-        dropCount += allBuffered.length;
-        _emitDrop("autocreate-failed", allBuffered, acErr);
-        return;
-      }
-      while (buffer.length > 0 && !closed) {
-        var batch = _takeBatch();
-        if (batch.length === 0) break;
-        try {
-          await retryHelper.withRetry(function () {
-            return _send(batch);
-          }, Object.assign({
-            isPermanent: _isPermanentAwsError,
-          }, cfg.retry || {}));
-        } catch (e) {
-          dropCount += batch.length;
-          _emitDrop("retry-exhausted", batch, e);
-          break;
+    inFlightPromise = (async function () {
+      try {
+        try { await _ensureAutoCreated(); }
+        catch (acErr) {
+          // autoCreate failure is permanent — every subsequent batch
+          // would hit the same error. Drop the queue with the
+          // operator-supplied onDrop callback so they see exactly which
+          // events were lost AND why, then bail.
+          var allBuffered = buffer.splice(0, buffer.length);
+          dropCount += allBuffered.length;
+          _emitDrop("autocreate-failed", allBuffered, acErr);
+          return;
+        }
+        while (buffer.length > 0 && !closed) {
+          var batch = _takeBatch();
+          if (batch.length === 0) break;
+          try {
+            await retryHelper.withRetry(function () {
+              return _send(batch);
+            }, Object.assign({
+              isPermanent: _isPermanentAwsError,
+            }, cfg.retry || {}));
+          } catch (e) {
+            dropCount += batch.length;
+            _emitDrop("retry-exhausted", batch, e);
+            break;
+          }
         }
+      } finally {
+        inFlight = false;
+        inFlightPromise = null;
+        if (buffer.length > 0) flushScheduler.schedule();
       }
-    } finally {
-      inFlight = false;
-      if (buffer.length > 0) flushScheduler.schedule();
-    }
+    })();
+    return inFlightPromise;
   }
   async function _send(batch) {
@@ -333,9 +341,17 @@ function create(config) {
   }
   async function close() {
-    closed = true;
+    // Drain BEFORE flipping closed=true — _flush()'s `while (... && !closed)`
+    // loop bails on !closed, so flipping the flag first strands the records the
+    // operator queued just before shutdown (the b.logStream drain contract).
+    // Stop the timer, await any in-flight drain, drain the remainder, THEN
+    // refuse new enqueues. Mirrors the webhook sink.
     flushScheduler.cancel();
+    if (inFlightPromise) {
+      try { await inFlightPromise; } catch (_e) { /* surfaced via onDrop */ }
+    }
     await _flush();
+    closed = true;
   }
   function stats() {

package/lib/vendor/blamejs/lib/log-stream-otlp.js CHANGED Viewed

@@ -210,30 +210,38 @@ function create(config) {
   var dropCount = 0;
   var inFlight = false;
   var closed = false;
+  // Captures the in-flight drain so close() awaits the real run before flipping
+  // `closed` (the _flush while-loop bails on !closed → flipping first strands
+  // buffered records at shutdown).
+  var inFlightPromise = null;
   var flushScheduler = safeAsync.makeScheduledFlush(cfg.maxBatchAgeMs, function () { return _flush(); });
   async function _flush() {
-    if (inFlight) return;
+    if (inFlight) return inFlightPromise;
     if (buffer.length === 0) return;
     inFlight = true;
-    try {
-      while (buffer.length > 0 && !closed) {
-        var batch = buffer.splice(0, cfg.batchSize);
-        var body = _serializeBatch(batch, cfg, scopeVersion);
-        try {
-          await retryHelper.withRetry(function () {
-            return _post(resolvedUrl, body, headers, cfg.timeoutMs, cfg.allowedProtocols, cfg.allowInternal);
-          }, cfg.retry);
-        } catch (e) {
-          dropCount += batch.length;
-          _emitDrop("retry-exhausted", batch, e);
-          break;
+    inFlightPromise = (async function () {
+      try {
+        while (buffer.length > 0 && !closed) {
+          var batch = buffer.splice(0, cfg.batchSize);
+          var body = _serializeBatch(batch, cfg, scopeVersion);
+          try {
+            await retryHelper.withRetry(function () {
+              return _post(resolvedUrl, body, headers, cfg.timeoutMs, cfg.allowedProtocols, cfg.allowInternal);
+            }, cfg.retry);
+          } catch (e) {
+            dropCount += batch.length;
+            _emitDrop("retry-exhausted", batch, e);
+            break;
+          }
         }
+      } finally {
+        inFlight = false;
+        inFlightPromise = null;
+        if (buffer.length > 0) flushScheduler.schedule();
       }
-    } finally {
-      inFlight = false;
-      if (buffer.length > 0) flushScheduler.schedule();
-    }
+    })();
+    return inFlightPromise;
   }
   function emit(record) {
@@ -253,9 +261,15 @@ function create(config) {
   }
   async function close() {
-    closed = true;
+    // Drain BEFORE flipping closed=true (see _flush's `&& !closed` guard) so
+    // records queued just before shutdown reach the wire. Mirrors the webhook
+    // + cloudwatch sinks.
     flushScheduler.cancel();
+    if (inFlightPromise) {
+      try { await inFlightPromise; } catch (_e) { /* surfaced via onDrop */ }
+    }
     await _flush();
+    closed = true;
   }
   function stats() {