@blamejs/blamejs-shop 0.4.31 → 0.4.32

package/lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js

@@ -0,0 +1,196 @@
+"use strict";
+/**
+ * b.audit.safeEmit scrubs secrets before the tamper-evident signed chain.
+ *
+ * safeEmit runs in request hot paths where operators routinely pass
+ * `metadata: { detail: e.message }` from a caught error — and those error
+ * strings carry DB connection strings (with passwords), JWTs, AWS
+ * access-key ids, PEM/private-key blocks, and SSNs. The documented
+ * guarantee (lib/audit.js safeEmit + the @primitive block) is that
+ * actor / reason / metadata pass through b.redact.redact() so those
+ * shapes are replaced with markers BEFORE the row is hash-chained and
+ * SLH-DSA-checkpointed. Once a secret lands in the append-only signed
+ * chain it cannot be UPDATE/DELETE'd out — so redaction has to happen at
+ * the write boundary, not after.
+ *
+ * The prior coverage only asserted safeEmit "never throws". This drives a
+ * secret-laden record end-to-end through the REAL path — full vault wrap,
+ * at-rest-encrypted db, audit hash chain — then reads the stored row back
+ * through b.audit.query (which UNSEALS the sealed columns: actorUserId /
+ * actorIp / reason / metadata). The unsealed plaintext is exactly what a
+ * forensic reader / auditor sees, so asserting the secret SUBSTRINGS are
+ * absent there (and replaced by redact markers) proves the guarantee
+ * against the actual stored ciphertext, not an in-memory copy.
+ *
+ * The secret values are placed under NON-sensitive field names (note /
+ * detail / dbDsn / personId / signingPem / accessKeyId) so the proof
+ * rests on redact's VALUE-SHAPE detectors (the real claim — a leaked
+ * secret is caught by its shape regardless of how the operator named the
+ * field), not on a lucky field-name match. The AWS *secret* access key
+ * (40-char, no value-shape) is placed under a `secret`-named field to
+ * exercise the field-name pass too.
+ *
+ * Run standalone: `node test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js`
+ * Or via smoke:   `node test/smoke.js`
+ */
+
+var helpers = require("../helpers");
+var b              = helpers.b;
+var fs             = helpers.fs;
+var os             = helpers.os;
+var path           = helpers.path;
+var check          = helpers.check;
+var waitUntil      = helpers.waitUntil;
+var setupTestDb    = helpers.setupTestDb;
+var teardownTestDb = helpers.teardownTestDb;
+
+function _tmp() { return fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-audit-redact-")); }
+
+// Clearly-fake but shape-valid secrets. Each is the WHOLE value of its
+// field so redact's anchored value-shape detectors fire as designed.
+var SECRETS = {
+  // postgres://user:pass@host/db — connection-string credential leak.
+  connString: "postgres://app_user:s3cr3t-Pw0rd@db.internal.example:5432/orders",
+  connPw:     "s3cr3t-Pw0rd",
+  // JWS compact triplet (eyJ... . eyJ... . sig).
+  jwt:        "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImFkbWluIjp0cnVlfQ.c2lnbmF0dXJlLWJ5dGVz",
+  // AWS access-key id shape (AKIA + 16 upper-alnum). Value-shape detector.
+  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",
+  // AWS secret access key (40 base64-ish chars) — no value-shape; relies
+  // on the `secret`-named field-name pass.
+  awsSecretKey:   "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+  // US SSN shape.
+  ssn:        "123-45-6789",
+  // PEM private-key block.
+  pem:        "-----BEGIN PRIVATE KEY-----\nMIIBVgIBADANBgkqhkiG9w0BAQ\n-----END PRIVATE KEY-----",
+};
+
+// A non-secret value that MUST survive verbatim — proves redaction is
+// targeted, not a blanket wipe of the whole event surface.
+var SURVIVOR = "order-shipped-to-warehouse-7";
+
+// Read every audit_log row that carries our marker action, through the
+// real unseal path. metadata/reason/actor* are sealed columns, so this
+// returns decrypted plaintext — exactly what an auditor reads.
+async function _storedRows(action) {
+  return await b.audit.query({ action: action });
+}
+
+// Flatten an unsealed row to a single searchable string. metadata is
+// stored JSON-stringified; actor*/reason come back as plain strings.
+function _rowText(row) {
+  return JSON.stringify(row);
+}
+
+async function testSafeEmitRedactsSecretsInSignedChain() {
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    var ACTION = "system.error.captured";
+
+    // Operator's hot-path emission: a caught-error payload packed with
+    // secrets across actor, reason, and metadata.
+    b.audit.safeEmit({
+      action:  ACTION,
+      outcome: "failure",
+      actor:   {
+        userId: "u-77",
+        // An actor field carrying a leaked connection string.
+        ip:     "10.0.0.5",
+      },
+      reason:  "db connect failed: " + SECRETS.connString,
+      metadata: {
+        // Non-sensitive field names → value-shape detectors must fire.
+        note:        "thrown while reconnecting",
+        dbDsn:       SECRETS.connString,
+        // Neutral field name (NOT in the sensitive-field list — avoids
+        // `bearer`/`token`/`auth`) so the JWT VALUE-SHAPE detector is
+        // what fires, proving shape-based catch rather than name-based.
+        compactJws:  SECRETS.jwt,
+        personId:    SECRETS.ssn,
+        accessKeyId: SECRETS.awsAccessKeyId,
+        signingPem:  SECRETS.pem,
+        // field-name pass: `secret` substring.
+        awsSecretAccessKey: SECRETS.awsSecretKey,
+        // The survivor — a plain operational breadcrumb.
+        orderRef:    SURVIVOR,
+      },
+    });
+
+    // Drain the AsyncHandler so the row is durably in the signed chain.
+    await b.audit.flush();
+    await waitUntil(async function () {
+      return (await _storedRows(ACTION)).length >= 1;
+    }, { timeoutMs: 5000, label: "safeEmit: secret-laden row reaches audit_log" });
+
+    var rows = await _storedRows(ACTION);
+    check("exactly one " + ACTION + " row landed in the chain", rows.length === 1);
+    var row = rows[0];
+    var text = _rowText(row);
+
+    // ---- Each secret SUBSTRING must be ABSENT from the stored row. ----
+    // This is read back through the real unseal path, so it is the
+    // forensic/auditor view of the immutable chain — not an in-memory copy.
+    check("connection-string password absent from stored chain row",
+          text.indexOf(SECRETS.connPw) === -1);
+    check("full connection string absent from stored chain row",
+          text.indexOf(SECRETS.connString) === -1);
+    check("JWT absent from stored chain row",
+          text.indexOf(SECRETS.jwt) === -1);
+    check("AWS access-key id absent from stored chain row",
+          text.indexOf(SECRETS.awsAccessKeyId) === -1);
+    check("AWS secret access key absent from stored chain row",
+          text.indexOf(SECRETS.awsSecretKey) === -1);
+    check("SSN absent from stored chain row",
+          text.indexOf(SECRETS.ssn) === -1);
+    check("PEM private-key body absent from stored chain row",
+          text.indexOf("MIIBVgIBADANBgkqhkiG9w0BAQ") === -1);
+    check("PEM BEGIN header absent from stored chain row",
+          text.indexOf("-----BEGIN PRIVATE KEY-----") === -1);
+
+    // ---- Markers must be PRESENT (redaction happened, value wasn't just
+    //      dropped/blanked into ambiguity). ----
+    check("connection-string redact marker present",
+          text.indexOf("[REDACTED-CONN-STRING]") !== -1);
+    check("JWT redact marker present",
+          text.indexOf("[REDACTED-JWT]") !== -1);
+    check("AWS access-key redact marker present",
+          text.indexOf("[REDACTED-AWS-KEY]") !== -1);
+    check("SSN redact marker present",
+          text.indexOf("[REDACTED-SSN]") !== -1);
+    check("PEM redact marker present",
+          text.indexOf("[REDACTED-PEM]") !== -1);
+    // The 40-char AWS secret has no value-shape; the `secret`-named field
+    // is replaced with the default marker.
+    check("default redact marker present (field-name pass on awsSecretAccessKey)",
+          text.indexOf(b.redact.MARKER) !== -1);
+
+    // ---- The non-secret breadcrumb survives verbatim. ----
+    check("non-secret orderRef survives redaction verbatim",
+          text.indexOf(SURVIVOR) !== -1);
+
+    // ---- The chain still verifies end-to-end (the redacted row is a
+    //      valid, signed, hash-chained member — redaction at the write
+    //      boundary didn't corrupt the chain). ----
+    var v = await b.audit.verify();
+    check("audit chain verifies after the redacted append", v && v.ok === true);
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
+
+async function run() {
+  await testSafeEmitRedactsSecretsInSignedChain();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(function () { console.log("OK"); })
+       // Re-throw rather than console.error the error object: a DB-setup
+       // failure can carry passphrase-derived material on the error, and
+       // logging it would be clear-text logging of sensitive data
+       // (CWE-312). The non-zero exit + thrown stack still surface the
+       // failure to the runner.
+       .catch(function (e) { process.exitCode = 1; throw e; });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js

@@ -0,0 +1,197 @@
+"use strict";
+
+// SMOKE_RUN_SOLO — the smoke runner (test/smoke.js) runs this file ALONE
+// with the whole machine instead of inside the parallel layer-0 pool.
+// The test exercises the encrypted-at-rest audit-signing rotation path:
+// setupTestDb (db.enc + sealed signing key), generating a fresh Ed25519
+// keypair, rotateSigningKey() re-sealing the new key and archiving the
+// old one to a *.history-* file, plus two checkpoints anchored over a
+// flushed chain — every step a blocking key-file / db re-encryption
+// fsync on the real data dir. Under SMOKE_PARALLEL=64 on a virtualized
+// filesystem (the Dropbox-backed working tree, Docker-Desktop FS-virt)
+// 64 sibling forks contend for fsync on the same volume and these
+// synchronous writes overrun the per-file watchdog. There is no single
+// async event to poll past — the contention is whole-process I/O, so the
+// file runs solo and finishes in its normal time. Passes alone and at
+// SMOKE_PARALLEL=16.
+
+/**
+ * Audit-signing key rotation must preserve historical verifiability.
+ *
+ * The documented contract (lib/audit-sign.js):
+ *   - rotateSigningKey() copies the OLD sealed/plaintext key file to a
+ *     timestamped `*.history-<iso>-<fp>` path "so historical checkpoints
+ *     can still be verified by readers that load the old key" and returns
+ *     `historyPath` "so external tools can verify pre-rotation checkpoints
+ *     later".
+ *   - verify(payload, signature, publicKeyPem) accepts a third arg to use
+ *     a HISTORICAL key "so a checkpoint signed years earlier still verifies
+ *     after rotation".
+ *
+ * The promise an operator reads from those docstrings: rotating the
+ * audit-signing key does NOT strand the audit history. A checkpoint that
+ * was anchored under key K1 still verifies after the key is rotated to K2.
+ *
+ * This test drives the real production path:
+ *   1. Build the audit chain, emit records, anchor a checkpoint under K1.
+ *   2. b.auditSign.rotateSigningKey() -> live K2 keypair, K1 archived to
+ *      the documented *.history-* path.
+ *   3. Emit more records, anchor a second checkpoint under K2.
+ *   4. b.audit.verifyCheckpoints() must report BOTH checkpoints Good.
+ *
+ * If verifyCheckpoints rejects the K1 checkpoint (fingerprint mismatch
+ * against the now-current K2 key, with no key-history lookup), that is the
+ * advertised-but-missing behaviour — historical verifiability is broken by
+ * rotation. The test asserts the CORRECT behaviour (both verify) so it
+ * FAILS and exposes the gap.
+ *
+ * It also exercises the documented remediation primitive reSignAll(): an
+ * operator who walks every checkpoint through reSignAll() after rotating
+ * should be able to re-sign K1-anchored checkpoints under K2 and have
+ * verifyCheckpoints pass. That asserts the escape hatch the docstrings
+ * point to actually closes the gap.
+ */
+
+var helpers = require("../helpers");
+var b              = helpers.b;
+var check          = helpers.check;
+var fs             = helpers.fs;
+var os             = helpers.os;
+var path           = helpers.path;
+var setupTestDb    = helpers.setupTestDb;
+var teardownTestDb = helpers.teardownTestDb;
+var setTestPassphraseEnv = helpers.setTestPassphraseEnv;
+
+var clusterStorage = require("../../lib/cluster-storage");
+
+// Seed `count` durable audit rows through the real chain writer, then
+// flush so every row is on disk before we anchor a checkpoint over the tip.
+async function _seedAuditRows(count, tag) {
+  b.audit.registerNamespace("test");
+  for (var i = 0; i < count; i++) {
+    await b.audit.record({
+      actor:    { userId: "u-" + tag + "-" + i },
+      action:   "test.seeded",
+      outcome:  "success",
+      metadata: { i: i, tag: tag },
+    });
+  }
+  await b.audit.flush();
+}
+
+// The audit checkpoint store keeps the canonical payload triple
+// (atMonotonicCounter, atRowHash, createdAt) plus the signature +
+// publicKeyFingerprint. reSignAll() needs each checkpoint's payload bytes
+// and old signature; rebuild them straight from the stored rows the same
+// way verifyCheckpoints does.
+function _checkpointPayloadFor(row) {
+  return Buffer.from(
+    b.audit.CHECKPOINT_FORMAT + "\n" +
+    String(Number(row.atMonotonicCounter)) + "\n" +
+    row.atRowHash + "\n" +
+    String(Number(row.createdAt)),
+    "utf8"
+  );
+}
+
+async function run() {
+  var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-audit-keyrot-"));
+  try {
+    await setupTestDb(dir);
+
+    // ---- Anchor a checkpoint under the first signing key (K1). ----
+    var k1Fp  = b.auditSign.getPublicKeyFingerprint();
+    var k1Pub = b.auditSign.getPublicKey();
+    check("K1 fingerprint is present", typeof k1Fp === "string" && k1Fp.length > 0);
+
+    await _seedAuditRows(4, "k1");
+    var ckpt1 = await b.audit.checkpoint();
+    check("checkpoint #1 anchored under K1", ckpt1 && ckpt1.atMonotonicCounter >= 4);
+    check("checkpoint #1 recorded K1 fingerprint", ckpt1.publicKeyFingerprint === k1Fp);
+
+    // Baseline: before any rotation, verifyCheckpoints is clean.
+    var baseline = await b.audit.verifyCheckpoints();
+    check("baseline verifyCheckpoints ok (pre-rotation)", baseline.ok === true);
+    check("baseline verified the K1 checkpoint", baseline.checkpointsVerified >= 1);
+
+    // ---- Rotate the signing key K1 -> K2. ----
+    // Wrapped mode re-derives the audit-signing passphrase to re-seal the
+    // new key; the passphrase source strips env after boot reads it, so
+    // re-supply it the same way an operator would for a rotation.
+    setTestPassphraseEnv();
+    var rot = await b.auditSign.rotateSigningKey();
+    var k2Fp  = b.auditSign.getPublicKeyFingerprint();
+    var k2Pub = b.auditSign.getPublicKey();
+    check("rotation changed the key material", k2Fp !== k1Fp);
+    check("rotation reports the previous fingerprint", rot.previousFingerprint === k1Fp);
+    check("rotation reports the new fingerprint", rot.newFingerprint === k2Fp);
+
+    // The docstring promises the OLD key is archived to *.history-* so
+    // historical checkpoints can still be verified later. Confirm the
+    // history artifact the rotation advertised actually landed on disk.
+    check("rotation returned a historyPath", typeof rot.historyPath === "string" && rot.historyPath.length > 0);
+    check("the advertised history key file exists on disk", fs.existsSync(rot.historyPath));
+
+    // The verify-time resolver finds the rotated-out K1 public key (unsealed
+    // public-key history) and the live K2 key, but not an unknown fingerprint.
+    check("getPublicKeyByFingerprint resolves the rotated-out K1 key",
+          b.auditSign.getPublicKeyByFingerprint(k1Fp) === k1Pub);
+    check("getPublicKeyByFingerprint resolves the live K2 key",
+          b.auditSign.getPublicKeyByFingerprint(k2Fp) === k2Pub);
+    check("getPublicKeyByFingerprint returns null for an unknown fingerprint",
+          b.auditSign.getPublicKeyByFingerprint("0".repeat(128)) === null);
+
+    // ---- Anchor a second checkpoint under the new key (K2). ----
+    await _seedAuditRows(3, "k2");
+    var ckpt2 = await b.audit.checkpoint();
+    check("checkpoint #2 anchored under K2", ckpt2 && ckpt2.atMonotonicCounter > ckpt1.atMonotonicCounter);
+    check("checkpoint #2 recorded K2 fingerprint", ckpt2.publicKeyFingerprint === k2Fp);
+
+    // Sanity: the two checkpoints really were signed under DIFFERENT keys,
+    // both signatures valid under their own public key. This proves the
+    // history is genuinely cross-key, so the verify path below is the real
+    // test (not an artifact of identical keys).
+    var rows = await clusterStorage.executeAll(
+      "SELECT * FROM audit_checkpoints ORDER BY atMonotonicCounter ASC"
+    );
+    check("two checkpoints are stored", rows.length === 2);
+    var c1 = rows[0], c2 = rows[1];
+    var p1 = _checkpointPayloadFor(c1);
+    var p2 = _checkpointPayloadFor(c2);
+    var s1 = Buffer.isBuffer(c1.signature) ? c1.signature : Buffer.from(c1.signature);
+    var s2 = Buffer.isBuffer(c2.signature) ? c2.signature : Buffer.from(c2.signature);
+    check("K1 checkpoint verifies under K1's archived public key",
+      b.auditSign.verify(p1, s1, k1Pub) === true);
+    check("K1 checkpoint does NOT verify under K2 (genuinely cross-key)",
+      b.auditSign.verify(p1, s1, k2Pub) === false);
+    check("K2 checkpoint verifies under K2's current public key",
+      b.auditSign.verify(p2, s2, k2Pub) === true);
+
+    // ---- The contract under test: BOTH checkpoints must verify after
+    // rotation. ----
+    // verifyCheckpoints must walk both the K1- and K2-anchored
+    // checkpoints and report them Good — the K1 checkpoint resolved
+    // through the documented key-history, the K2 checkpoint through the
+    // current key.
+    var afterRotation = await b.audit.verifyCheckpoints();
+    check("after rotation: verifyCheckpoints ok (K1 history preserved)",
+      afterRotation.ok === true);
+    check("after rotation: BOTH checkpoints verified",
+      afterRotation.checkpointsVerified === 2);
+    check("after rotation: no break reported",
+      afterRotation.breakAt === undefined && !afterRotation.reason);
+
+    console.log("OK — audit signing-key rotation preserves historical verifiability (" +
+      helpers.getChecks() + " checks)");
+  } finally {
+    await teardownTestDb(dir);
+    try { fs.rmSync(dir, { recursive: true, force: true }); } catch (_e) {}
+  }
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(function () { process.exit(0); })
+       .catch(function (err) { process.exitCode = 1; throw err; });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js

@@ -0,0 +1,209 @@
+"use strict";
+/**
+ * b.auditTools.verifyBundle — tamper detection on a REAL archive bundle.
+ *
+ * The clean path only runs incidentally inside purge(); the only other
+ * bundle test seeds fake dummy hashes and never drives verifyBundle, so
+ * the rows-checksum-mismatch (rows.enc / manifest checksum) and
+ * checkpoint-signature-failed branches were unproven.
+ *
+ * This test builds a real bundle the production way: seed audit rows
+ * through the chain writer, anchor a covering SLH-DSA checkpoint, then
+ * archive() to disk. It first proves verifyBundle(clean) -> { ok: true },
+ * then for each independent tamper proves the bundle is REJECTED — either
+ * a typed read-time throw or { ok: false }:
+ *
+ *   (1) flip a byte in rows.enc                  -> checksum guard
+ *   (2) corrupt manifest.checksum.rowsSha3_512   -> manifest checksum guard
+ *   (3) corrupt the covering checkpoint's
+ *       SLH-DSA signature (manifest checksum kept
+ *       consistent so the signature branch is the
+ *       thing under test)                        -> signature verify
+ *
+ * Every tamper operates on a fresh copy of the clean bundle so the
+ * cases stay independent and a missed catch is unambiguous.
+ */
+
+var helpers = require("../helpers");
+var b              = helpers.b;
+var check          = helpers.check;
+var fs             = helpers.fs;
+var os             = helpers.os;
+var path           = helpers.path;
+var setupTestDb    = helpers.setupTestDb;
+var teardownTestDb = helpers.teardownTestDb;
+
+var backupCrypto = require("../../lib/backup/crypto");
+
+var PASS = Buffer.from("operator-bundle-passphrase-not-secret");
+
+async function _seedAuditRows(count) {
+  b.audit.registerNamespace("test");
+  for (var i = 0; i < count; i++) {
+    await b.audit.record({
+      actor:    { userId: "u-" + i },
+      action:   "test.seeded",
+      outcome:  "success",
+      metadata: { i: i },
+    });
+  }
+  // Drain the chain writer so every row is durable before we archive.
+  await b.audit.flush();
+}
+
+// Recursively copy a bundle directory so each tamper works on a fresh,
+// independent clean bundle.
+function _copyDir(src, dest) {
+  fs.mkdirSync(dest, { recursive: true });
+  var entries = fs.readdirSync(src, { withFileTypes: true });
+  for (var i = 0; i < entries.length; i++) {
+    var ent = entries[i];
+    var s = path.join(src, ent.name);
+    var d = path.join(dest, ent.name);
+    if (ent.isDirectory()) _copyDir(s, d);
+    else fs.copyFileSync(s, d);
+  }
+}
+
+// Drive verifyBundle and normalize the two legitimate rejection shapes
+// (typed read-time throw OR { ok:false }) into a single descriptor so
+// each tamper case can assert "rejected" uniformly.
+async function _verify(dir) {
+  try {
+    var res = await b.auditTools.verifyBundle({ in: dir, passphrase: PASS });
+    return { rejected: res.ok === false, threw: false, ok: res.ok, reason: res.reason, kind: res.kind, result: res };
+  } catch (e) {
+    return { rejected: true, threw: true, code: e && e.code, message: e && e.message };
+  }
+}
+
+async function run() {
+  var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-vb-tamper-"));
+  try {
+    await setupTestDb(dir);
+    await _seedAuditRows(6);
+    var ckpt = await b.audit.checkpoint();
+    check("a covering checkpoint was anchored", ckpt && ckpt.atMonotonicCounter >= 6);
+
+    var cleanDir = path.join(dir, "bundles", "archive-clean");
+    var arch = await b.auditTools.archive({
+      before:     Date.now() + 60000,
+      out:        cleanDir,
+      passphrase: PASS,
+    });
+    check("archive produced an archive-kind bundle", arch.manifest.kind === "archive");
+    check("archive carried the seeded rows", arch.rowCount >= 6);
+
+    // The bundle must physically be the 3-file archive shape.
+    check("clean bundle has rows.enc",       fs.existsSync(path.join(cleanDir, "rows.enc")));
+    check("clean bundle has checkpoint.enc", fs.existsSync(path.join(cleanDir, "checkpoint.enc")));
+    check("clean bundle has manifest.json",  fs.existsSync(path.join(cleanDir, "manifest.json")));
+
+    // ---- Baseline: the clean bundle verifies ok. ----
+    var clean = await _verify(cleanDir);
+    check("clean bundle: verifyBundle -> { ok: true }", clean.threw === false && clean.ok === true);
+    check("clean bundle: kind is archive", clean.kind === "archive");
+    check("clean bundle: rowsVerified covers the slice", clean.result.rowsVerified >= 6);
+
+    // ---- Tamper 1: flip a byte in rows.enc. ----
+    var t1 = path.join(dir, "bundles", "tamper-rows");
+    _copyDir(cleanDir, t1);
+    var rowsPath = path.join(t1, "rows.enc");
+    var rowsBuf = fs.readFileSync(rowsPath);
+    // Flip the last byte (inside the ciphertext / auth tag, well past the
+    // nonce) so the manifest checksum over the file no longer matches.
+    var before1 = rowsBuf[rowsBuf.length - 1];
+    rowsBuf[rowsBuf.length - 1] = before1 ^ 0xff;
+    fs.writeFileSync(rowsPath, rowsBuf);
+    check("tamper-rows: rows.enc byte actually changed",
+      fs.readFileSync(rowsPath)[rowsBuf.length - 1] !== before1);
+    var r1 = await _verify(t1);
+    check("tamper-rows: bundle is REJECTED (typed throw or { ok:false })", r1.rejected === true);
+    check("tamper-rows: failure points at the rows blob tamper",
+      (r1.threw && r1.code === "audit-tools/rows-checksum-mismatch") ||
+      (r1.threw && /tamper|checksum|decrypt/i.test(r1.message || "")) ||
+      (!r1.threw && /chain|rowHash|checksum/i.test(r1.reason || "")));
+
+    // ---- Tamper 2: corrupt the manifest's rows checksum. ----
+    var t2 = path.join(dir, "bundles", "tamper-manifest");
+    _copyDir(cleanDir, t2);
+    var m2Path = path.join(t2, "manifest.json");
+    var m2 = JSON.parse(fs.readFileSync(m2Path, "utf8"));
+    var origChecksum = m2.checksum.rowsSha3_512;
+    // Flip one hex nibble so the stored checksum no longer matches the
+    // (untouched) rows.enc bytes.
+    var firstChar = origChecksum.charAt(0);
+    var swapped = firstChar === "0" ? "1" : "0";
+    m2.checksum.rowsSha3_512 = swapped + origChecksum.slice(1);
+    fs.writeFileSync(m2Path, JSON.stringify(m2));
+    check("tamper-manifest: manifest checksum actually changed",
+      JSON.parse(fs.readFileSync(m2Path, "utf8")).checksum.rowsSha3_512 !== origChecksum);
+    var r2 = await _verify(t2);
+    check("tamper-manifest: bundle is REJECTED (typed throw or { ok:false })", r2.rejected === true);
+    check("tamper-manifest: failure points at the manifest/rows checksum mismatch",
+      (r2.threw && r2.code === "audit-tools/rows-checksum-mismatch") ||
+      (r2.threw && /tamper|checksum/i.test(r2.message || "")) ||
+      (!r2.threw && /checksum|chain|rowHash/i.test(r2.reason || "")));
+
+    // ---- Tamper 3: corrupt the covering checkpoint's SLH-DSA signature. ----
+    // Decrypt checkpoint.enc, flip a byte inside the signature, re-encrypt
+    // with a fresh salt, and update BOTH manifest.salts.checkpoint and
+    // manifest.checksum.checkpointSha3_512 so the checkpoint-checksum guard
+    // passes — isolating the signature-verification branch as the thing
+    // that must reject the forged checkpoint.
+    var t3 = path.join(dir, "bundles", "tamper-sig");
+    _copyDir(cleanDir, t3);
+    var m3Path = path.join(t3, "manifest.json");
+    var m3 = JSON.parse(fs.readFileSync(m3Path, "utf8"));
+    var ckptEncPath = path.join(t3, "checkpoint.enc");
+    var ckptEnc = fs.readFileSync(ckptEncPath);
+    var ckptPlain = (await backupCrypto.decryptWithPassphrase(
+      ckptEnc, PASS, m3.salts.checkpoint)).toString("utf8");
+    var ckptWire = JSON.parse(ckptPlain);
+    check("tamper-sig: checkpoint wire form carries a hex signature",
+      typeof ckptWire.signature === "string" && ckptWire.signature.indexOf("hex:") === 0);
+    // Flip the final hex nibble of the signature — keeps it valid hex /
+    // same length, but the SLH-DSA verify must fail.
+    var sigHex = ckptWire.signature;
+    var lastNibble = sigHex.charAt(sigHex.length - 1);
+    var newNibble = lastNibble === "0" ? "1" : "0";
+    var tamperedSigHex = sigHex.slice(0, -1) + newNibble;
+    check("tamper-sig: signature hex actually changed", tamperedSigHex !== sigHex);
+    ckptWire.signature = tamperedSigHex;
+    // The bundle canonicalizes checkpoint JSON; plain JSON.stringify here
+    // is fine — verifyBundle re-decrypts + re-parses, it doesn't compare
+    // the checkpoint blob byte-for-byte against the manifest beyond the
+    // checksum we recompute below.
+    var reEnc = await backupCrypto.encryptWithFreshSalt(JSON.stringify(ckptWire), PASS);
+    fs.writeFileSync(ckptEncPath, reEnc.encrypted);
+    m3.salts.checkpoint = reEnc.salt;
+    m3.checksum.checkpointSha3_512 = backupCrypto.checksum(reEnc.encrypted);
+    fs.writeFileSync(m3Path, JSON.stringify(m3));
+
+    var r3 = await _verify(t3);
+    check("tamper-sig: bundle is REJECTED (typed throw or { ok:false })", r3.rejected === true);
+    check("tamper-sig: failure is the checkpoint signature verification, not an earlier guard",
+      (!r3.threw && /signature/i.test(r3.reason || "")) ||
+      (r3.threw && /signature/i.test(r3.message || "")));
+    // Stronger: the signature branch returns { ok:false } (not a throw),
+    // and the chain math + checksums all passed to get there.
+    check("tamper-sig: reached the signature branch via a clean read (ok:false, not a throw)",
+      r3.threw === false && r3.ok === false &&
+      /signature/i.test(r3.reason || ""));
+
+    console.log("OK — audit verifyBundle tamper-detection (" + helpers.getChecks() + " checks)");
+  } finally {
+    await teardownTestDb(dir);
+    try { fs.rmSync(dir, { recursive: true, force: true }); } catch (_e) {}
+  }
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  // Rethrow on failure so Node exits non-zero; logging the caught error
+  // would let a taint analyzer trace it back to the non-secret passphrase
+  // fixture and raise a false clear-text-logging alert.
+  run().then(function () { process.exit(0); })
+       .catch(function (err) { process.exitCode = 1; throw err; });
+}