@blamejs/blamejs-shop 0.4.31 → 0.4.32

package/lib/vendor/blamejs/lib/mail.js

@@ -1944,15 +1944,19 @@ module.exports = {
   // default, ed25519-sha256 opt-in). Wire it into the smtp transport
   // via opts.dkimSigner. See lib/mail-dkim.js for the full surface.
   dkim:       dkim,
-  // Inbound mail authentication-results verification: SPF (RFC 7208),
-  // DMARC (RFC 7489), ARC (RFC 8617). Outbound DKIM signing lives in
-  // .dkim above; per-hop DKIM verification is deferred (composes with
-  // the existing canonicalization helpers in lib/mail-dkim.js).
+  // Inbound mail authentication verification: SPF (RFC 7208), DKIM
+  // verify (RFC 6376, on .dkim above alongside outbound signing),
+  // DMARC (RFC 7489), ARC (RFC 8617). `.inbound.verify` is the
+  // one-call receiver pipeline — SPF + DKIM + From-header extraction +
+  // DMARC policy + the RFC 8601 Authentication-Results header —
+  // composed by b.mail.server.mx at DATA time via its guardEnvelope
+  // opt and callable directly by operator-built listeners.
   spf:         mailAuth.spf,
   dmarc:       mailAuth.dmarc,
   arc:         mailAuth.arc,
   iprev:       mailAuth.iprev,
   authResults: mailAuth.authResults,
+  inbound:     mailAuth.inbound,
   bimi:        mailBimi,
   // Test-only export: lets unit tests inspect the wire format without
   // standing up a TLS-capable SMTP fixture. Operators don't call this.

package/lib/vendor/blamejs/lib/middleware/body-parser.js

@@ -166,6 +166,29 @@ var BodyParserError = defineClass("BodyParserError", { withStatusCode: true });
 // in play — consistent prototype-pollution defense across the framework.
 var POISONED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 
+// Materialize a header/parameter map from request-derived [key, value]
+// pairs WITHOUT a computed member write (`target[key] = value`). A
+// request-keyed computed write is the CWE-915 unsafe-reflection /
+// CWE-1321 prototype-pollution sink: an attacker who controls the key
+// (Content-Type parameter name, multipart part-header name,
+// Content-Disposition parameter name) can target `__proto__` /
+// `constructor` / `prototype` and corrupt the prototype chain. Poisoned
+// keys are dropped, the remaining pairs are funneled through
+// `Object.fromEntries`, and the result carries no prototype chain
+// (`Object.create(null)`) so even a key that slipped a future POISONED_KEYS
+// gap cannot reach Object.prototype. The returned map has plain-object
+// shape (string keys → values) so existing named-property reads
+// (`.boundary`, `.charset`, `["content-disposition"]`, `.name`,
+// `.filename`) are unchanged.
+function _mapFromPairs(pairs) {
+  var safe = [];
+  for (var i = 0; i < pairs.length; i++) {
+    if (POISONED_KEYS.has(pairs[i][0])) continue;
+    safe.push(pairs[i]);
+  }
+  return Object.assign(Object.create(null), Object.fromEntries(safe));
+}
+
 // ---- defaults ----
 
 var DEFAULTS = Object.freeze({
@@ -221,7 +244,11 @@ function _contentType(req) {
   if (typeof ct !== "string") return { type: "", params: {} };
   var idx = ct.indexOf(";");
   var type = (idx === -1 ? ct : ct.slice(0, idx)).trim().toLowerCase();
-  var params = {};
+  // Collect [name, value] pairs, then materialize via _mapFromPairs so a
+  // request-controlled parameter name (e.g. `boundary` / `charset` / an
+  // attacker-supplied `__proto__`) is never used as a computed-write key
+  // (CWE-915 / CWE-1321). Poisoned names are dropped at materialization.
+  var paramPairs = [];
   if (idx !== -1) {
     var rest = ct.slice(idx + 1);
     // RFC 9110 §8.3 + §5.6.6 — parameter values may be quoted-string
@@ -238,10 +265,10 @@ function _contentType(req) {
       var v = p.slice(eq + 1).trim();
       var _unq = structuredFields.unquoteSfString(v);
       if (_unq !== null) v = _unq;
-      params[k] = v;
+      paramPairs.push([k, v]);
     }
   }
-  return { type: type, params: params };
+  return { type: type, params: _mapFromPairs(paramPairs) };
 }
 
 function _typeMatches(actual, allowed) {
@@ -583,7 +610,13 @@ function _parseMultipartHeaders(rawHeaders) {
   // §5.5 — header field values MUST NOT contain CR, LF, or NUL bytes.
   // We refuse the part outright (caller surfaces the throw as 400 + drop).
   var lines = rawHeaders.split("\r\n");
-  var out = {};
+  // Collect [name, value] pairs; materialize via _mapFromPairs so the
+  // request-controlled header name is never a computed-write key
+  // (CWE-915 / CWE-1321 — a part header literally named `__proto__` would
+  // otherwise pollute the prototype chain). Later headers of the same
+  // name keep last-wins (the prior `out[k] = v` overwrite semantics:
+  // Object.fromEntries takes the last pair for a duplicate key).
+  var headerPairs = [];
   for (var i = 0; i < lines.length; i++) {
     var line = lines[i];
     if (!line) continue;
@@ -609,9 +642,9 @@ function _parseMultipartHeaders(rawHeaders) {
         );
       }
     }
-    out[k] = v;
+    headerPairs.push([k, v]);
   }
-  return out;
+  return _mapFromPairs(headerPairs);
 }
 
 // Percent-decode an RFC 5987 ext-value's value segment under iso-8859-1.
@@ -672,14 +705,20 @@ function _parseHeaderParams(headerValue, filenameCharsets) {
   // is present, it takes precedence over the legacy `filename=`
   // companion (RFC 6266 §4.3). We surface the decoded value at
   // `filename` so downstream consumers don't need parser-aware code.
-  var out = { _value: "" };
-  if (!headerValue) return out;
+  if (!headerValue) return _mapFromPairs([["_value", ""]]);
   // RFC 6266 §4.1 + RFC 9110 §5.6.6 — parameter values may be
   // quoted-string (e.g. `filename="weird;name.txt"`). Bare
   // `.split(";")` would slice through the quoted semicolon and
   // corrupt the filename. Quote-aware shared splitter.
   var parts = structuredFields.splitTopLevel(headerValue, ";");
-  out._value = parts[0].trim().toLowerCase();
+  // Collect [name, value] pairs, then materialize via _mapFromPairs so a
+  // request-controlled Content-Disposition parameter name (or its
+  // ext-value `name*` bare form) is never a computed-write key
+  // (CWE-915 / CWE-1321). `_value` carries the disposition type;
+  // `filename` (when an ext-value decoded) takes precedence over the
+  // legacy `filename=` companion (RFC 6266 §4.3), preserved by appending
+  // it last so Object.fromEntries' last-wins resolves it.
+  var paramPairs = [["_value", parts[0].trim().toLowerCase()]];
   var extName = null;
   for (var i = 1; i < parts.length; i++) {
     var p = parts[i].trim();
@@ -694,14 +733,14 @@ function _parseHeaderParams(headerValue, filenameCharsets) {
       if (decoded !== null) {
         var bareKey = k.slice(0, -1);
         if (bareKey === "filename") extName = decoded;
-        out[bareKey] = decoded;
+        paramPairs.push([bareKey, decoded]);
       }
       continue;
     }
-    out[k] = v;
+    paramPairs.push([k, v]);
   }
-  if (extName !== null) out.filename = extName;
-  return out;
+  if (extName !== null) paramPairs.push(["filename", extName]);
+  return _mapFromPairs(paramPairs);
 }
 
 async function _parseMultipart(req, opts, ctParams) {
@@ -1173,20 +1212,27 @@ async function _parseMultipart(req, opts, ctParams) {
               var fbuf = Buffer.concat(currentBuf);
               var text = fbuf.toString("utf8");
               // Repeated field name → array, matching urlencoded parser.
-              if (Object.prototype.hasOwnProperty.call(fields, currentField)) {
-                // lgtm[js/remote-property-injection] — `currentField` is gated
-                // upstream at lib/middleware/body-parser.js:867 by
-                // POISONED_KEYS (__proto__ / constructor / prototype) which
-                // refuses the multipart part with a 400 BodyParserError before
-                // `currentField` is ever assigned. Reachable values cannot
-                // pollute the prototype chain.
-                if (Array.isArray(fields[currentField])) fields[currentField].push(text);
-                else fields[currentField] = [fields[currentField], text];
+              // `currentField` is request-controlled, so the accumulation
+              // never uses it as a computed-write key (`fields[key] = v`),
+              // which is the CWE-915 / CWE-1321 sink: it is merged through
+              // Object.fromEntries + Object.assign instead. The upstream
+              // POISONED_KEYS gate (the multipart-poisoned-field check above)
+              // already rejects __proto__ / constructor / prototype field
+              // names with a 400 before reaching here; the entries-merge is
+              // the structural backstop.
+              var fieldName = currentField;
+              var prior = Object.prototype.hasOwnProperty.call(fields, fieldName)
+                            ? fields[fieldName] : undefined;
+              var nextValue;
+              if (prior === undefined) {
+                nextValue = text;
+              } else if (Array.isArray(prior)) {
+                prior.push(text);
+                nextValue = prior;
               } else {
-                // lgtm[js/remote-property-injection] — see upstream POISONED_KEYS
-                // gate at lib/middleware/body-parser.js:867.
-                fields[currentField] = text;
+                nextValue = [prior, text];
               }
+              Object.assign(fields, Object.fromEntries([[fieldName, nextValue]]));
             }
             currentHeaders = null;
             currentField = null;

package/lib/vendor/blamejs/lib/middleware/csrf-protect.js

@@ -91,25 +91,36 @@ function _parseCookieHeader(header) {
   // just splits the name=value pairs. Keys that appear multiple times
   // resolve to the FIRST occurrence (browsers send pairs left-to-right
   // by registration order; the first is the most-specific path).
-  // Output object has no prototype chain — `Object.create(null)` defends
-  // against `__proto__` / `constructor` / `prototype` cookie-name keys
-  // polluting the prototype before the hasOwnProperty gate runs.
-  var out = Object.create(null);
-  if (typeof header !== "string" || header.length === 0) return out;
+  // Collect [name, value] pairs, then materialize the cookie map via
+  // Object.fromEntries onto a null-prototype object. The cookie name is
+  // attacker-controlled (Cookie request header), so it is never used as a
+  // computed-write key (`out[name] = value` / `seen[name] = true`) — that
+  // is the CWE-915 unsafe-reflection / CWE-1321 prototype-pollution sink.
+  // First-occurrence-wins de-duplication tracks names in a Set (add/has
+  // are method calls, not tainted-key property writes); POISONED names
+  // (`__proto__` / `constructor` / `prototype`) are dropped; and the
+  // null-prototype accumulator means even a slipped name cannot reach
+  // Object.prototype.
+  if (typeof header !== "string" || header.length === 0) return Object.create(null);
   var parts = header.split(/;\s*/);
+  var seen = new Set();
+  var pairs = [];
   for (var i = 0; i < parts.length; i++) {
     var p = parts[i];
     var eq = p.indexOf("=");
     if (eq === -1) continue;
     var k = p.slice(0, eq).trim();
-    if (k.length === 0 || Object.prototype.hasOwnProperty.call(out, k)) continue;
+    if (k.length === 0) continue;
+    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
+    if (seen.has(k)) continue;  // first-occurrence wins
+    seen.add(k);
     var v = p.slice(eq + 1).trim();
     if (v.length >= 2 && v.charCodeAt(0) === 0x22 && v.charCodeAt(v.length - 1) === 0x22) {
       v = v.slice(1, -1);
     }
-    out[k] = v;
+    pairs.push([k, v]);
   }
-  return out;
+  return Object.assign(Object.create(null), Object.fromEntries(pairs));
 }
 
 // `_isHttps` defers to `requestHelpers.requestProtocol` so the

package/lib/vendor/blamejs/lib/middleware/dpop.js

@@ -239,6 +239,15 @@ function create(opts) {
   var auditOn = opts.audit !== false;
   var algorithms = opts.algorithms;
   var iatWindowSec = opts.iatWindowSec;
+  // replayStore is the jti-replay defense (RFC 9449 §11.1) — REQUIRED. Reading
+  // it optionally and gating the check behind `if (replayStore)` would silently
+  // mount a proof-of-possession gate that performs no replay check, letting a
+  // captured proof replay indefinitely. Fail closed at config time: a missing
+  // store and a store lacking checkAndInsert both throw here, not at the first
+  // request. (The low-level b.auth.dpop.verify primitive keeps replayStore
+  // optional for advanced callers that track jti themselves.)
+  validateOpts.requireMethods(opts.replayStore, ["checkAndInsert"],
+    "middleware.dpop: opts.replayStore", AuthError, "auth-dpop/replay-store-required");
   var replayStore = opts.replayStore;
   var requireNonce = opts.requireNonce === true;
 
@@ -328,7 +337,7 @@ function create(opts) {
     if (iatWindowSec !== undefined) verifyOpts.iatWindowSec = iatWindowSec;
     if (accessToken) verifyOpts.accessToken = accessToken;
     if (nonce) verifyOpts.nonce = nonce;
-    if (replayStore) verifyOpts.replayStore = replayStore;
+    verifyOpts.replayStore = replayStore;   // required at create() — always present
 
     var result;
     try { result = await dpop().verify(proofHeader, verifyOpts); }

package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js

@@ -125,11 +125,13 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  * destination list, including `webidentity` (FedCM credentialed
  * requests). `deniedDest` refuses chosen destinations outright on the
  * gated methods — a FedCM `webidentity` Sec-Fetch-Dest hitting a route
- * that is not an identity endpoint is refused. `allowStorageAccess:
- * false` refuses the Storage Access API escalation (a cross-site request
- * carrying `Sec-Fetch-Storage-Access: active` / `inactive`) on routes
- * that do not participate in the Storage Access flow. Both are opt-in;
- * leaving them unset preserves the prior behavior exactly.
+ * that is not an identity endpoint is refused. The Storage Access API
+ * escalation (a cross-site request carrying `Sec-Fetch-Storage-Access:
+ * active` / `inactive`) is REFUSED BY DEFAULT (v0.15.0) on routes that do
+ * not participate in the Storage Access flow; operators running an
+ * embedded-iframe SaaS that legitimately uses the API opt back in with
+ * `allowStorageAccess: true`. `deniedDest` stays opt-in (unset = no
+ * destination is denied outright).
  *
  * @opts
  *   {
@@ -138,7 +140,7 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  *     allowMissing:       boolean,    // default true
  *     allowedDest:        string[],   // cross-site allowlist of Sec-Fetch-Dest values
  *     deniedDest:         string[],   // Sec-Fetch-Dest values refused on gated methods regardless of site (e.g. ["webidentity"])
- *     allowStorageAccess: boolean,    // default true — false refuses Sec-Fetch-Storage-Access: active|inactive
+ *     allowStorageAccess: boolean,    // default false — refuses Sec-Fetch-Storage-Access: active|inactive; pass true to opt back in for Storage-Access-flow routes
  *     strictDest:         boolean,    // default false — true throws at config time on an allowedDest/deniedDest value outside the known Sec-Fetch-Dest vocabulary
  *     allowedNavigate:    boolean,    // default true
  *     methods:            string[],   // default POST/PUT/DELETE/PATCH
@@ -178,7 +180,15 @@ function create(opts) {
   var allowCrossSite     = opts.allowCrossSite === true;
   var allowMissing       = opts.allowMissing !== false;
   var allowedDest        = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
-  var allowStorageAccess = opts.allowStorageAccess !== false;
+  // Storage Access escalation default-deny (v0.15.0): a cross-site
+  // credentialed request carrying Sec-Fetch-Storage-Access: active|inactive
+  // is REFUSED by default on the gated methods, because that header signals
+  // the embedded context can reach unpartitioned cross-site cookies — a
+  // capability a route that does not participate in the Storage Access flow
+  // should not silently honor. Operators running an embedded-iframe SaaS
+  // that legitimately uses the Storage Access API opt back in with
+  // allowStorageAccess: true.
+  var allowStorageAccess = opts.allowStorageAccess === true;
   // deniedDest → a null-prototype membership map; an operator-supplied
   // destination string is never assigned onto a plain object, so no
   // reserved name (__proto__ / constructor / prototype) can pollute it.

package/lib/vendor/blamejs/lib/middleware/idempotency-key.js

@@ -47,6 +47,7 @@ var validateOpts  = require("../validate-opts");
 var safeBuffer    = require("../safe-buffer");
 var safeJson      = require("../safe-json");
 var safeSql       = require("../safe-sql");
+var sql           = require("../sql");
 var bCrypto       = require("../crypto");
 var cryptoField   = require("../crypto-field");
 var vault         = require("../vault");
@@ -250,17 +251,23 @@ function dbStore(opts) {
       "dbStore: opts.db must be a sqlite-shaped database with a `prepare(sql)` method", true);
   }
   var tableNameRaw = opts.tableName !== undefined ? opts.tableName : "blamejs_idempotency_keys";
-  // Quote-and-validate via safeSql.quoteIdentifier — runs
-  // validateIdentifier internally + emits the dialect-correct quoted
-  // form. Identifier always reaches SQL through the quoted form.
-  var qTable;
-  try { qTable = safeSql.quoteIdentifier(tableNameRaw, "sqlite"); }
+  // Validate the operator-supplied table name up front so a bad
+  // identifier fails at construction with the stable
+  // idempotency/bad-table-name code (b.sql would otherwise raise its own
+  // SqlBuilderError deeper in the first build). b.sql then quotes the
+  // name by construction in every statement it emits for this store
+  // (quoteName:true — this is a direct sqlite handle, not a
+  // clusterStorage rewrite target, so the name is quoted, not left bare).
+  try { safeSql.validateIdentifier(tableNameRaw, { allowReserved: true }); }
   catch (sqlErr) {
     throw new IdempotencyError("idempotency/bad-table-name",
       "dbStore: opts.tableName is not a valid SQL identifier: " +
       (sqlErr && sqlErr.message ? sqlErr.message : String(sqlErr)), true);
   }
-  var qIndex = safeSql.quoteIdentifier(tableNameRaw + "_expires_idx", "sqlite");
+  // b.sql opts for every statement this store builds against the local
+  // sqlite handle: sqlite dialect (native `?` placeholders, double-quoted
+  // identifiers) + quoteName so the operator table name is emitted quoted.
+  var sqlOpts = { dialect: "sqlite", quoteName: true };
   var doInit   = opts.init     !== false;
   var hashKeys = opts.hashKeys !== false;
   var sealReq  = opts.seal     !== false;
@@ -309,63 +316,79 @@ function dbStore(opts) {
     });
   }
 
-  // Derive a per-vault HMAC secret for fingerprint sealing.
-  // The vault root key is the trust root; without it the secret is
-  // unrecoverable. Lazy: only derived when fpSealOn is enabled AND the
-  // vault is ready, so test fixtures that haven't initialized the
-  // vault still construct a dbStore (the fingerprint then falls back
-  // to bare sha3-256 with a single audit warning).
+  // Derive a per-vault HMAC secret for fingerprint sealing. Seed off the
+  // SEALED per-deployment MAC key (vault.getDerivedHashMacKey, sealed at
+  // rest under the vault root) — NOT getDerivedHashSalt, which sits in
+  // PLAINTEXT on disk. With the salt-derived seed an attacker who read
+  // the disk could recompute the HMAC key and forge / correlate request
+  // fingerprints; the sealed MAC key closes that (the vault root is the
+  // trust root, so the secret is unrecoverable without it). Lazy: only
+  // derived when fpSealOn is enabled AND the vault is ready, so test
+  // fixtures that haven't initialized the vault still construct a
+  // dbStore (the fingerprint then falls back to bare sha3-256 with a
+  // single audit warning).
   var fpHmacSecret = null;
   if (fpSealOn) {
     try {
-      // Use vault.aad.buildContextAad as a stable derivation input;
-      // the derivedHashSalt is per-deployment so the same dbStore
-      // instance across hosts converges on the same HMAC key.
-      var fpDeriveInput = "idempotency.fingerprint:" + tableNameRaw + ":" +
-        vault.getDerivedHashSalt().toString("hex");
-      fpHmacSecret = bCrypto.kdf(Buffer.from(fpDeriveInput, "utf8"), C.BYTES.bytes(32));
+      // The MAC key is per-deployment + sealed, so the same dbStore
+      // instance across hosts converges on the same HMAC key while disk
+      // access alone cannot recover it. The table name domain-separates
+      // the fingerprint secret from other consumers of the MAC key.
+      var fpDeriveInput = Buffer.concat([
+        vault.getDerivedHashMacKey(),
+        Buffer.from("idempotency.fingerprint:" + tableNameRaw, "utf8"),
+      ]);
+      fpHmacSecret = bCrypto.kdf(fpDeriveInput, C.BYTES.bytes(32));
     } catch (_fpErr) {
       _emitAudit("idempotency.fingerprint_seal_skipped_no_vault",
         { tableName: tableNameRaw,
-          reason: "vault.getDerivedHashSalt() unavailable; fingerprint falls back to plain sha3-256" },
+          reason: "vault.getDerivedHashMacKey() unavailable; fingerprint falls back to plain sha3-256" },
         "warning");
       fpHmacSecret = null;
     }
   }
 
   if (doInit) {
-    db.prepare("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
-      "k TEXT PRIMARY KEY, " +
-      "fingerprint TEXT NOT NULL, " +
-      "status_code INTEGER NOT NULL, " +
-      "headers TEXT NOT NULL, " +
-      "body TEXT NOT NULL, " +
-      "expires_at INTEGER NOT NULL)").run();
-    db.prepare("CREATE INDEX IF NOT EXISTS " + qIndex + " ON " +
-      qTable + "(expires_at)").run();
+    db.prepare(sql.createTable(tableNameRaw, [
+      { name: "k",           type: "text", primaryKey: true },
+      { name: "fingerprint", type: "text", notNull: true },
+      { name: "status_code", type: "int",  notNull: true },
+      { name: "headers",     type: "text", notNull: true },
+      { name: "body",        type: "text", notNull: true },
+      { name: "expires_at",  type: "int",  notNull: true },
+    ], sqlOpts).sql).run();
+    db.prepare(sql.createIndex(tableNameRaw + "_expires_idx", tableNameRaw,
+      ["expires_at"], sqlOpts).sql).run();
   }
 
-  // Prepared statements. status_code + expires_at stay non-sealed
-  // so audit/forensic SELECTs don't have to unseal-everything. The
-  // `k` column is selected even when not strictly needed for read
-  // because cryptoField.unsealRow uses it as the rowId in AAD when
-  // the table is AAD-bound.
-  var stmtGet = db.prepare(
-    "SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
-    qTable + " WHERE k = ?");
-  var stmtUpsert = db.prepare(
-    "INSERT INTO " + qTable +
-    "(k, fingerprint, status_code, headers, body, expires_at) " +
-    "VALUES (?, ?, ?, ?, ?, ?) " +
-    "ON CONFLICT(k) DO UPDATE SET " +
-    "  fingerprint = excluded.fingerprint, " +
-    "  status_code = excluded.status_code, " +
-    "  headers     = excluded.headers, " +
-    "  body        = excluded.body, " +
-    "  expires_at  = excluded.expires_at");
-  var stmtDeleteStale = db.prepare("DELETE FROM " + qTable +
-    " WHERE k = ? AND expires_at <= ?");
-  var stmtDelete = db.prepare("DELETE FROM " + qTable + " WHERE k = ?");
+  // Prepared statements, composed once through b.sql and reused per call.
+  // b.sql binds concrete values into a params array; for a reusable
+  // prepared statement we keep only the emitted SQL text (its `?`
+  // placeholders) and bind fresh values at run time, so a build-time
+  // sentinel value is just a placeholder slot. status_code + expires_at
+  // stay non-sealed so audit/forensic SELECTs don't have to unseal-
+  // everything. The `k` column is selected even when not strictly needed
+  // for read because cryptoField.unsealRow uses it as the rowId in AAD
+  // when the table is AAD-bound.
+  var _slot = 0;   // sentinel bind value; the prepared statement rebinds at call time
+  var stmtGet = db.prepare(sql.select(tableNameRaw, sqlOpts)
+    .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+    .where("k", _slot)
+    .toSql().sql);
+  var stmtUpsert = db.prepare(sql.upsert(tableNameRaw, sqlOpts)
+    .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+    .values({ k: _slot, fingerprint: _slot, status_code: _slot,
+              headers: _slot, body: _slot, expires_at: _slot })
+    .onConflict(["k"])
+    .doUpdateFromExcluded(["fingerprint", "status_code", "headers", "body", "expires_at"])
+    .toSql().sql);
+  var stmtDeleteStale = db.prepare(sql.delete(tableNameRaw, sqlOpts)
+    .where("k", _slot)
+    .where("expires_at", "<=", _slot)
+    .toSql().sql);
+  var stmtDelete = db.prepare(sql.delete(tableNameRaw, sqlOpts)
+    .where("k", _slot)
+    .toSql().sql);
 
   function _k(rawKey) {
     if (!hashKeys) return rawKey;
@@ -476,8 +499,9 @@ function dbStore(opts) {
       }
       var migrated = 0;
       var skipped = 0;
-      var rows = db.prepare("SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
-        qTable).all();
+      var rows = db.prepare(sql.select(tableNameRaw, sqlOpts)
+        .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+        .toSql().sql).all();
       for (var i = 0; i < rows.length; i += 1) {
         var r = rows[i];
         // If headers/body already start with vault.aad: this row is