@blamejs/blamejs-shop 0.4.31 → 0.4.33

Files changed (343)
  1. package/CHANGELOG.md +4 -0
  2. package/README.md +1 -1
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/vendor/MANIFEST.json +400 -282
  5. package/lib/vendor/blamejs/.github/workflows/ci.yml +34 -3
  6. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +21 -4
  7. package/lib/vendor/blamejs/.gitignore +6 -0
  8. package/lib/vendor/blamejs/CHANGELOG.md +28 -0
  9. package/lib/vendor/blamejs/MIGRATING.md +55 -0
  10. package/lib/vendor/blamejs/README.md +8 -6
  11. package/lib/vendor/blamejs/SECURITY.md +19 -3
  12. package/lib/vendor/blamejs/api-snapshot.json +2190 -664
  13. package/lib/vendor/blamejs/docker/caddy/localstack.Caddyfile +19 -0
  14. package/lib/vendor/blamejs/docker/init/generate-certs.sh +1 -1
  15. package/lib/vendor/blamejs/docker/otel/config.yaml +42 -0
  16. package/lib/vendor/blamejs/docker/otel/export/.gitkeep +0 -0
  17. package/lib/vendor/blamejs/docker/postgres/initdb/10-replication.sh +15 -0
  18. package/lib/vendor/blamejs/docker/postgres/replica-entrypoint.sh +38 -0
  19. package/lib/vendor/blamejs/docker/toxiproxy/toxiproxy.json +14 -0
  20. package/lib/vendor/blamejs/docker-compose.test.yml +209 -0
  21. package/lib/vendor/blamejs/examples/wiki/lib/page-generator.js +132 -0
  22. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +221 -61
  23. package/lib/vendor/blamejs/examples/wiki/lib/source-doc-parser.js +144 -9
  24. package/lib/vendor/blamejs/examples/wiki/test/e2e.js +99 -0
  25. package/lib/vendor/blamejs/fuzz/guard-sql.fuzz.js +36 -0
  26. package/lib/vendor/blamejs/index.js +4 -0
  27. package/lib/vendor/blamejs/lib/agent-envelope-mac.js +104 -0
  28. package/lib/vendor/blamejs/lib/agent-event-bus.js +105 -4
  29. package/lib/vendor/blamejs/lib/agent-posture-chain.js +8 -42
  30. package/lib/vendor/blamejs/lib/ai-content-detect.js +9 -10
  31. package/lib/vendor/blamejs/lib/api-key.js +158 -77
  32. package/lib/vendor/blamejs/lib/atomic-file.js +62 -4
  33. package/lib/vendor/blamejs/lib/audit-chain.js +47 -11
  34. package/lib/vendor/blamejs/lib/audit-sign.js +77 -2
  35. package/lib/vendor/blamejs/lib/audit-tools.js +79 -51
  36. package/lib/vendor/blamejs/lib/audit.js +259 -123
  37. package/lib/vendor/blamejs/lib/auth/elevation-grant.js +6 -2
  38. package/lib/vendor/blamejs/lib/auth/oauth.js +66 -9
  39. package/lib/vendor/blamejs/lib/auth/openid-federation.js +108 -47
  40. package/lib/vendor/blamejs/lib/auth/saml.js +6 -8
  41. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +36 -7
  42. package/lib/vendor/blamejs/lib/backup/index.js +45 -10
  43. package/lib/vendor/blamejs/lib/break-glass.js +355 -147
  44. package/lib/vendor/blamejs/lib/cache.js +174 -105
  45. package/lib/vendor/blamejs/lib/chain-writer.js +38 -16
  46. package/lib/vendor/blamejs/lib/cli.js +19 -14
  47. package/lib/vendor/blamejs/lib/cluster-provider-db.js +130 -104
  48. package/lib/vendor/blamejs/lib/cluster-storage.js +119 -22
  49. package/lib/vendor/blamejs/lib/cluster.js +119 -71
  50. package/lib/vendor/blamejs/lib/codepoint-class.js +23 -0
  51. package/lib/vendor/blamejs/lib/compliance.js +210 -4
  52. package/lib/vendor/blamejs/lib/consent.js +82 -29
  53. package/lib/vendor/blamejs/lib/constants.js +27 -11
  54. package/lib/vendor/blamejs/lib/credential-hash.js +9 -0
  55. package/lib/vendor/blamejs/lib/crypto-field.js +916 -156
  56. package/lib/vendor/blamejs/lib/db-declare-row-policy.js +35 -22
  57. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +3 -2
  58. package/lib/vendor/blamejs/lib/db-query.js +882 -260
  59. package/lib/vendor/blamejs/lib/db-schema.js +228 -44
  60. package/lib/vendor/blamejs/lib/db.js +249 -99
  61. package/lib/vendor/blamejs/lib/dsr.js +385 -55
  62. package/lib/vendor/blamejs/lib/error-page.js +14 -1
  63. package/lib/vendor/blamejs/lib/external-db-migrate.js +239 -137
  64. package/lib/vendor/blamejs/lib/external-db.js +549 -34
  65. package/lib/vendor/blamejs/lib/file-upload.js +52 -7
  66. package/lib/vendor/blamejs/lib/framework-error.js +20 -1
  67. package/lib/vendor/blamejs/lib/framework-files.js +73 -0
  68. package/lib/vendor/blamejs/lib/framework-schema.js +695 -394
  69. package/lib/vendor/blamejs/lib/gate-contract.js +659 -1
  70. package/lib/vendor/blamejs/lib/guard-agent-registry.js +26 -44
  71. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  72. package/lib/vendor/blamejs/lib/guard-auth.js +42 -112
  73. package/lib/vendor/blamejs/lib/guard-cidr.js +33 -154
  74. package/lib/vendor/blamejs/lib/guard-csv.js +46 -113
  75. package/lib/vendor/blamejs/lib/guard-domain.js +34 -157
  76. package/lib/vendor/blamejs/lib/guard-dsn.js +27 -43
  77. package/lib/vendor/blamejs/lib/guard-email.js +47 -69
  78. package/lib/vendor/blamejs/lib/guard-envelope.js +19 -32
  79. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +24 -42
  80. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +25 -43
  81. package/lib/vendor/blamejs/lib/guard-filename.js +42 -106
  82. package/lib/vendor/blamejs/lib/guard-graphql.js +42 -123
  83. package/lib/vendor/blamejs/lib/guard-html.js +53 -108
  84. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +24 -42
  85. package/lib/vendor/blamejs/lib/guard-image.js +46 -103
  86. package/lib/vendor/blamejs/lib/guard-imap-command.js +18 -32
  87. package/lib/vendor/blamejs/lib/guard-jmap.js +16 -30
  88. package/lib/vendor/blamejs/lib/guard-json.js +38 -108
  89. package/lib/vendor/blamejs/lib/guard-jsonpath.js +38 -171
  90. package/lib/vendor/blamejs/lib/guard-jwt.js +49 -179
  91. package/lib/vendor/blamejs/lib/guard-list-id.js +25 -41
  92. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +27 -43
  93. package/lib/vendor/blamejs/lib/guard-mail-compose.js +24 -42
  94. package/lib/vendor/blamejs/lib/guard-mail-move.js +26 -44
  95. package/lib/vendor/blamejs/lib/guard-mail-query.js +28 -46
  96. package/lib/vendor/blamejs/lib/guard-mail-reply.js +24 -42
  97. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +24 -42
  98. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +17 -31
  99. package/lib/vendor/blamejs/lib/guard-markdown.js +37 -104
  100. package/lib/vendor/blamejs/lib/guard-message-id.js +26 -45
  101. package/lib/vendor/blamejs/lib/guard-mime.js +39 -151
  102. package/lib/vendor/blamejs/lib/guard-oauth.js +54 -135
  103. package/lib/vendor/blamejs/lib/guard-pdf.js +45 -101
  104. package/lib/vendor/blamejs/lib/guard-pop3-command.js +21 -31
  105. package/lib/vendor/blamejs/lib/guard-posture-chain.js +24 -42
  106. package/lib/vendor/blamejs/lib/guard-regex.js +33 -107
  107. package/lib/vendor/blamejs/lib/guard-saga-config.js +24 -42
  108. package/lib/vendor/blamejs/lib/guard-shell.js +42 -172
  109. package/lib/vendor/blamejs/lib/guard-smtp-command.js +48 -54
  110. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +24 -42
  111. package/lib/vendor/blamejs/lib/guard-sql.js +1491 -0
  112. package/lib/vendor/blamejs/lib/guard-stream-args.js +24 -43
  113. package/lib/vendor/blamejs/lib/guard-svg.js +47 -65
  114. package/lib/vendor/blamejs/lib/guard-template.js +35 -172
  115. package/lib/vendor/blamejs/lib/guard-tenant-id.js +26 -45
  116. package/lib/vendor/blamejs/lib/guard-time.js +32 -154
  117. package/lib/vendor/blamejs/lib/guard-trace-context.js +25 -44
  118. package/lib/vendor/blamejs/lib/guard-uuid.js +32 -153
  119. package/lib/vendor/blamejs/lib/guard-xml.js +38 -113
  120. package/lib/vendor/blamejs/lib/guard-yaml.js +51 -163
  121. package/lib/vendor/blamejs/lib/http-client.js +37 -9
  122. package/lib/vendor/blamejs/lib/inbox.js +120 -107
  123. package/lib/vendor/blamejs/lib/legal-hold.js +121 -50
  124. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +47 -31
  125. package/lib/vendor/blamejs/lib/log-stream-otlp.js +32 -18
  126. package/lib/vendor/blamejs/lib/mail-auth.js +236 -0
  127. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +2 -6
  128. package/lib/vendor/blamejs/lib/mail-dkim.js +1 -0
  129. package/lib/vendor/blamejs/lib/mail-greylist.js +2 -6
  130. package/lib/vendor/blamejs/lib/mail-helo.js +2 -6
  131. package/lib/vendor/blamejs/lib/mail-journal.js +85 -64
  132. package/lib/vendor/blamejs/lib/mail-rbl.js +2 -6
  133. package/lib/vendor/blamejs/lib/mail-scan.js +2 -6
  134. package/lib/vendor/blamejs/lib/mail-server-jmap.js +117 -12
  135. package/lib/vendor/blamejs/lib/mail-server-mx.js +276 -7
  136. package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -6
  137. package/lib/vendor/blamejs/lib/mail-store.js +293 -154
  138. package/lib/vendor/blamejs/lib/mail.js +8 -4
  139. package/lib/vendor/blamejs/lib/middleware/body-parser.js +71 -25
  140. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +19 -8
  141. package/lib/vendor/blamejs/lib/middleware/dpop.js +10 -1
  142. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +17 -7
  143. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +75 -51
  144. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +102 -32
  145. package/lib/vendor/blamejs/lib/middleware/security-headers.js +21 -5
  146. package/lib/vendor/blamejs/lib/migrations.js +108 -66
  147. package/lib/vendor/blamejs/lib/network-heartbeat.js +7 -0
  148. package/lib/vendor/blamejs/lib/network-proxy.js +24 -1
  149. package/lib/vendor/blamejs/lib/nonce-store.js +31 -9
  150. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +9 -4
  151. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +57 -3
  152. package/lib/vendor/blamejs/lib/object-store/gcs.js +4 -1
  153. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +5 -2
  154. package/lib/vendor/blamejs/lib/object-store/sigv4.js +38 -6
  155. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -1
  156. package/lib/vendor/blamejs/lib/observability.js +124 -0
  157. package/lib/vendor/blamejs/lib/otel-export.js +12 -3
  158. package/lib/vendor/blamejs/lib/outbox.js +184 -83
  159. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +47 -7
  160. package/lib/vendor/blamejs/lib/pqc-agent.js +44 -0
  161. package/lib/vendor/blamejs/lib/pubsub-cluster.js +42 -20
  162. package/lib/vendor/blamejs/lib/queue-local.js +225 -140
  163. package/lib/vendor/blamejs/lib/queue-redis.js +9 -1
  164. package/lib/vendor/blamejs/lib/queue-sqs.js +6 -0
  165. package/lib/vendor/blamejs/lib/queue.js +7 -0
  166. package/lib/vendor/blamejs/lib/redact.js +68 -11
  167. package/lib/vendor/blamejs/lib/redis-client.js +160 -31
  168. package/lib/vendor/blamejs/lib/request-helpers.js +7 -0
  169. package/lib/vendor/blamejs/lib/retention.js +117 -42
  170. package/lib/vendor/blamejs/lib/router.js +212 -5
  171. package/lib/vendor/blamejs/lib/safe-dns.js +29 -45
  172. package/lib/vendor/blamejs/lib/safe-ical.js +18 -33
  173. package/lib/vendor/blamejs/lib/safe-icap.js +27 -43
  174. package/lib/vendor/blamejs/lib/safe-sieve.js +21 -40
  175. package/lib/vendor/blamejs/lib/safe-sql.js +212 -3
  176. package/lib/vendor/blamejs/lib/safe-url.js +170 -3
  177. package/lib/vendor/blamejs/lib/safe-vcard.js +18 -33
  178. package/lib/vendor/blamejs/lib/scheduler.js +47 -12
  179. package/lib/vendor/blamejs/lib/seeders.js +122 -74
  180. package/lib/vendor/blamejs/lib/session-stores.js +42 -14
  181. package/lib/vendor/blamejs/lib/session.js +175 -77
  182. package/lib/vendor/blamejs/lib/sql.js +3842 -0
  183. package/lib/vendor/blamejs/lib/sse.js +26 -0
  184. package/lib/vendor/blamejs/lib/ssrf-guard.js +169 -4
  185. package/lib/vendor/blamejs/lib/static.js +177 -34
  186. package/lib/vendor/blamejs/lib/subject.js +96 -49
  187. package/lib/vendor/blamejs/lib/vault/index.js +3 -2
  188. package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +3 -2
  189. package/lib/vendor/blamejs/lib/vault/rotate.js +168 -108
  190. package/lib/vendor/blamejs/lib/vault-aad.js +6 -0
  191. package/lib/vendor/blamejs/lib/vendor-data.js +2 -0
  192. package/lib/vendor/blamejs/lib/websocket.js +35 -5
  193. package/lib/vendor/blamejs/lib/worker-pool.js +11 -0
  194. package/lib/vendor/blamejs/package.json +2 -2
  195. package/lib/vendor/blamejs/release-notes/v0.14.x.json +1503 -0
  196. package/lib/vendor/blamejs/release-notes/v0.15.0.json +77 -0
  197. package/lib/vendor/blamejs/release-notes/v0.15.1.json +22 -0
  198. package/lib/vendor/blamejs/release-notes/v0.15.2.json +22 -0
  199. package/lib/vendor/blamejs/release-notes/v0.15.3.json +39 -0
  200. package/lib/vendor/blamejs/release-notes/v0.15.4.json +39 -0
  201. package/lib/vendor/blamejs/release-notes/v0.15.5.json +22 -0
  202. package/lib/vendor/blamejs/release-notes/v0.15.6.json +59 -0
  203. package/lib/vendor/blamejs/release-notes/v0.15.7.json +43 -0
  204. package/lib/vendor/blamejs/scripts/check-services.js +21 -0
  205. package/lib/vendor/blamejs/scripts/gen-migrating.js +67 -0
  206. package/lib/vendor/blamejs/scripts/release.js +398 -38
  207. package/lib/vendor/blamejs/test/00-primitives.js +168 -0
  208. package/lib/vendor/blamejs/test/10-state.js +140 -14
  209. package/lib/vendor/blamejs/test/20-db.js +65 -2
  210. package/lib/vendor/blamejs/test/helpers/db.js +9 -0
  211. package/lib/vendor/blamejs/test/helpers/drivers.js +27 -15
  212. package/lib/vendor/blamejs/test/helpers/services.js +21 -0
  213. package/lib/vendor/blamejs/test/integration/audit-actor-binding-pg.test.js +246 -0
  214. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +517 -0
  215. package/lib/vendor/blamejs/test/integration/audit-stack-mysql.test.js +639 -0
  216. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +832 -0
  217. package/lib/vendor/blamejs/test/integration/backup-restore-objectstore.test.js +453 -0
  218. package/lib/vendor/blamejs/test/integration/data-layer-cluster-mysql.test.js +649 -0
  219. package/lib/vendor/blamejs/test/integration/data-layer-cluster-pg.test.js +770 -0
  220. package/lib/vendor/blamejs/test/integration/data-layer-mysql-privacy.test.js +630 -0
  221. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +610 -0
  222. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +577 -0
  223. package/lib/vendor/blamejs/test/integration/data-layer-postgres.test.js +771 -0
  224. package/lib/vendor/blamejs/test/integration/db-layer-mysql.test.js +549 -0
  225. package/lib/vendor/blamejs/test/integration/db-layer-postgres.test.js +598 -0
  226. package/lib/vendor/blamejs/test/integration/distributed-scheduler-fencing-pg.test.js +602 -0
  227. package/lib/vendor/blamejs/test/integration/external-db-postgres.test.js +576 -0
  228. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +353 -0
  229. package/lib/vendor/blamejs/test/integration/log-stream-cloudwatch.test.js +224 -0
  230. package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +142 -17
  231. package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js +25 -10
  232. package/lib/vendor/blamejs/test/integration/object-store-azure.test.js +101 -0
  233. package/lib/vendor/blamejs/test/integration/object-store-gcs.test.js +239 -0
  234. package/lib/vendor/blamejs/test/integration/object-store-sigv4.test.js +35 -16
  235. package/lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js +291 -0
  236. package/lib/vendor/blamejs/test/integration/pubsub.test.js +14 -0
  237. package/lib/vendor/blamejs/test/integration/queue-sqs.test.js +322 -0
  238. package/lib/vendor/blamejs/test/integration/redis-reconnect-toxiproxy.test.js +300 -0
  239. package/lib/vendor/blamejs/test/integration/sql-fts5-catalog-sqlite.test.js +154 -0
  240. package/lib/vendor/blamejs/test/integration/tls-classical-downgrade-audit.test.js +71 -0
  241. package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +175 -12
  242. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js +216 -0
  243. package/lib/vendor/blamejs/test/layer-0-primitives/audit-checkpoint-false-rollback.test.js +203 -0
  244. package/lib/vendor/blamejs/test/layer-0-primitives/audit-query-self-log.test.js +126 -0
  245. package/lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js +196 -0
  246. package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +197 -0
  247. package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +209 -0
  248. package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-key-encoding.test.js +121 -0
  249. package/lib/vendor/blamejs/test/layer-0-primitives/backup-residency-posture.test.js +168 -0
  250. package/lib/vendor/blamejs/test/layer-0-primitives/backup-scheduletest-drill.test.js +318 -0
  251. package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +233 -7
  252. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +1196 -14
  253. package/lib/vendor/blamejs/test/layer-0-primitives/compliance.test.js +229 -0
  254. package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js +18 -0
  255. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-derived-hash.test.js +24 -7
  256. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-dual-read-migrate.test.js +165 -0
  257. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +350 -0
  258. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-unseal-rate-cap.test.js +27 -9
  259. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-upgrade-dialect.test.js +76 -0
  260. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-interop-oracles.test.js +392 -0
  261. package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +159 -0
  262. package/lib/vendor/blamejs/test/layer-0-primitives/db-column-gate.test.js +180 -1
  263. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-cross-schema.test.js +5 -2
  264. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-sealed-field-in.test.js +101 -0
  265. package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +128 -0
  266. package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-drift.test.js +38 -5
  267. package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-reconcile-emittable.test.js +127 -0
  268. package/lib/vendor/blamejs/test/layer-0-primitives/db-stream-and-payload-shape.test.js +267 -0
  269. package/lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js +150 -0
  270. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js +30 -0
  271. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js +46 -0
  272. package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +218 -0
  273. package/lib/vendor/blamejs/test/layer-0-primitives/erase-posture-vacuum.test.js +210 -0
  274. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js +4 -1
  275. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js +48 -2
  276. package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js +237 -5
  277. package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +20 -9
  278. package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js +193 -0
  279. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +90 -0
  280. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +85 -0
  281. package/lib/vendor/blamejs/test/layer-0-primitives/idempotency-key.test.js +10 -6
  282. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -4
  283. package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +146 -0
  284. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +189 -0
  285. package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +3 -1
  286. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-jmap.test.js +123 -4
  287. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-mx.test.js +207 -2
  288. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +74 -0
  289. package/lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js +43 -0
  290. package/lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js +133 -0
  291. package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +101 -0
  292. package/lib/vendor/blamejs/test/layer-0-primitives/outbox-inflight-reaper.test.js +136 -0
  293. package/lib/vendor/blamejs/test/layer-0-primitives/parsers-standalone.test.js +83 -0
  294. package/lib/vendor/blamejs/test/layer-0-primitives/passkey-real-vectors.test.js +429 -0
  295. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js +21 -11
  296. package/lib/vendor/blamejs/test/layer-0-primitives/queue-byo-db.test.js +40 -0
  297. package/lib/vendor/blamejs/test/layer-0-primitives/redact-dlp.test.js +83 -0
  298. package/lib/vendor/blamejs/test/layer-0-primitives/redis-client.test.js +113 -0
  299. package/lib/vendor/blamejs/test/layer-0-primitives/retention-dryrun-no-vacuum.test.js +99 -0
  300. package/lib/vendor/blamejs/test/layer-0-primitives/retention-floor.test.js +59 -0
  301. package/lib/vendor/blamejs/test/layer-0-primitives/router-use-path-scope.test.js +255 -0
  302. package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-canonicalize.test.js +362 -0
  303. package/lib/vendor/blamejs/test/layer-0-primitives/safe-xml.test.js +143 -0
  304. package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +287 -0
  305. package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js +71 -0
  306. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc-ecdsa-p1363.test.js +79 -0
  307. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +50 -0
  308. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +31 -4
  309. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +45 -0
  310. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js +49 -0
  311. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +595 -0
  312. package/lib/vendor/blamejs/test/layer-0-primitives/sse-backpressure.test.js +91 -0
  313. package/lib/vendor/blamejs/test/layer-0-primitives/ssrf-guard.test.js +69 -0
  314. package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +194 -2
  315. package/lib/vendor/blamejs/test/layer-0-primitives/websocket-extension-header.test.js +88 -0
  316. package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool-recycle-race.test.js +66 -0
  317. package/lib/vendor/blamejs/test/layer-1-state/api-key.test.js +84 -0
  318. package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +638 -0
  319. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +21 -0
  320. package/lib/vendor/blamejs/test/smoke.js +79 -21
  321. package/package.json +2 -2
  322. package/lib/vendor/blamejs/release-notes/v0.14.0.json +0 -43
  323. package/lib/vendor/blamejs/release-notes/v0.14.1.json +0 -60
  324. package/lib/vendor/blamejs/release-notes/v0.14.10.json +0 -54
  325. package/lib/vendor/blamejs/release-notes/v0.14.11.json +0 -72
  326. package/lib/vendor/blamejs/release-notes/v0.14.12.json +0 -95
  327. package/lib/vendor/blamejs/release-notes/v0.14.13.json +0 -52
  328. package/lib/vendor/blamejs/release-notes/v0.14.14.json +0 -31
  329. package/lib/vendor/blamejs/release-notes/v0.14.16.json +0 -45
  330. package/lib/vendor/blamejs/release-notes/v0.14.17.json +0 -57
  331. package/lib/vendor/blamejs/release-notes/v0.14.18.json +0 -127
  332. package/lib/vendor/blamejs/release-notes/v0.14.19.json +0 -61
  333. package/lib/vendor/blamejs/release-notes/v0.14.2.json +0 -18
  334. package/lib/vendor/blamejs/release-notes/v0.14.20.json +0 -73
  335. package/lib/vendor/blamejs/release-notes/v0.14.21.json +0 -98
  336. package/lib/vendor/blamejs/release-notes/v0.14.22.json +0 -91
  337. package/lib/vendor/blamejs/release-notes/v0.14.3.json +0 -18
  338. package/lib/vendor/blamejs/release-notes/v0.14.4.json +0 -18
  339. package/lib/vendor/blamejs/release-notes/v0.14.5.json +0 -18
  340. package/lib/vendor/blamejs/release-notes/v0.14.6.json +0 -60
  341. package/lib/vendor/blamejs/release-notes/v0.14.7.json +0 -77
  342. package/lib/vendor/blamejs/release-notes/v0.14.8.json +0 -27
  343. package/lib/vendor/blamejs/release-notes/v0.14.9.json +0 -40
@@ -37,10 +37,18 @@
37
37
  * swallowing the original error.
38
38
  */
39
39
  var nodePath = require("node:path");
40
+ var lazyRequire = require("./lazy-require");
40
41
  var atomicFile = require("./atomic-file");
42
+ var frameworkSchema = require("./framework-schema");
41
43
  var safeSql = require("./safe-sql");
44
+ var sql = require("./sql");
42
45
  var observability = require("./observability");
43
46
 
47
+ // Lazy to break the db-schema -> compliance -> (audit/db) load chain.
48
+ // resolveDriftMode reads the globally-pinned posture so a regulated
49
+ // deployment refuses to boot under undeclared schema drift by default.
50
+ var compliance = lazyRequire(function () { return require("./compliance"); });
51
+
44
52
  // SQLite raw-SQL helper. node:sqlite DatabaseSync exposes a method on the
45
53
  // database object that runs raw SQL without bind parameters — used for DDL,
46
54
  // BEGIN/COMMIT/ROLLBACK, and PRAGMA. Bracket notation here avoids a
@@ -92,20 +100,22 @@ function runInTransaction(db, fn, opts) {
92
100
 
93
101
  // ---- Internal migrations table ----
94
102
 
95
- var MIGRATIONS_TABLE = "_blamejs_migrations";
96
- // Pre-quoted for SQL interpolation keeps the call sites consistent
97
- // with lib/migrations.js and lib/seeders.js so an identifier rename
98
- // doesn't silently break.
99
- var Q_MIGRATIONS_TABLE = '"' + MIGRATIONS_TABLE + '"';
103
+ // Logical name; the physical name + configured prefix resolve through
104
+ // frameworkSchema.tableName, and every statement composes b.sql
105
+ // (quoteName: true) so the resolved name is quoted by construction.
106
+ var MIGRATIONS_TABLE = "_blamejs_migrations"; // allow:hand-rolled-sql logical name declaration; physical name + prefix resolve via frameworkSchema.tableName
107
+ function _migrationsTable() { return frameworkSchema.tableName(MIGRATIONS_TABLE); }
108
+ // b.sql opts for the local single-node sqlite handle this module's helpers
109
+ // run against (database.exec / database.prepare, never clusterStorage):
110
+ // "sqlite" dialect + quoteName so the resolved framework name quotes.
111
+ var _SQL_OPTS = { dialect: "sqlite", quoteName: true };
100
112
 
101
113
  function ensureMigrationsTable(database) {
102
- runSql(database,
103
- "CREATE TABLE IF NOT EXISTS " + Q_MIGRATIONS_TABLE + " (" +
104
- " name TEXT PRIMARY KEY," +
105
- " description TEXT," +
106
- " appliedAt TEXT NOT NULL" +
107
- ")"
108
- );
114
+ runSql(database, sql.createTable(_migrationsTable(), [
115
+ { name: "name", type: "text", primaryKey: true },
116
+ { name: "description", type: "text" },
117
+ { name: "appliedAt", type: "text", notNull: true },
118
+ ], _SQL_OPTS).sql);
109
119
  }
110
120
 
111
121
  // ---- Declarative reconcile ----
@@ -114,7 +124,7 @@ function ensureMigrationsTable(database) {
114
124
  // additive ALTER TABLE ADD COLUMN + CREATE INDEX IF NOT EXISTS for every
115
125
  // table in `schema`. Never drops columns or tables (data-loss safety).
116
126
  //
117
- // `opts.onDrift` adds opt-in detection of config-vs-live divergence — a
127
+ // `opts.onDrift` controls detection of config-vs-live divergence — a
118
128
  // compliance-evidence concern: the live DB should match the declared data
119
129
  // model so an auditor can trust the schema config as ground truth (the
120
130
  // change-/configuration-management control families in ISO 27001:2022
@@ -131,14 +141,24 @@ function ensureMigrationsTable(database) {
131
141
  // contract; this is detection + an operator-chosen reaction only.
132
142
  //
133
143
  // onDrift values (config-time enum; bad value throws):
134
- // "ignore" (default) pre-detection behavior, byte-for-byte; no
135
- // detection side effects. Existing deployments
136
- // with drift are not broken.
144
+ // "ignore" — no detection side effects. Existing deployments with
145
+ // benign drift are not broken.
137
146
  // "warn" — detect + emit a "db.schema.drift" observability event per
138
147
  // drifted table; never throws.
139
148
  // "refuse" — detect + THROW on the first drifted table, so a strict-
140
- // schema posture refuses to boot under divergence. The
141
- // operator's explicit posture choice.
149
+ // schema posture refuses to boot under divergence.
150
+ //
151
+ // Default (v0.15.0): "ignore" on an unpinned / non-regulated deployment
152
+ // (back-compat); "refuse" when a regulated compliance posture is
153
+ // globally pinned (b.compliance.set) and the operator did not pass an
154
+ // explicit onDrift. The live DB diverging from the declared data model
155
+ // is a change-/configuration-management finding the auditor reads as
156
+ // ground truth (ISO 27001:2022 A.8.9 + SOC 2 CC8.1 turn on "the running
157
+ // system equals the approved definition"); under a regulated posture
158
+ // the safe default is to refuse boot rather than silently serve a
159
+ // schema no one approved. Operators who knowingly run with drift under
160
+ // a regulated posture opt back to the prior behaviour with an explicit
161
+ // onDrift: "ignore" (or "warn" to keep the signal without the throw).
142
162
  //
143
163
  // Returns a { tables: [...], drifted: boolean } report.
144
164
  function reconcile(database, schema, opts) {
@@ -165,6 +185,13 @@ function reconcileTable(database, table, opts) {
165
185
  throw new Error("schema entry '" + table.name + "' missing 'columns' object");
166
186
  }
167
187
  var driftMode = resolveDriftMode(opts);
188
+ // Identifier quoting follows the handle's dialect (double-quote on
189
+ // sqlite/postgres, backtick on mysql) so the reconciler's CREATE / ALTER
190
+ // / FK DDL is portable. Reserved-word column names stay safe by being
191
+ // quoted; the operator's verbatim TYPE strings are emitted unchanged in
192
+ // type position (after a quoted identifier), never in identifier position.
193
+ var dialect = _handleDialect(database);
194
+ function q(ident) { return safeSql.quoteIdentifier(ident, dialect, { allowReserved: true }); }
168
195
 
169
196
  var name = table.name;
170
197
  validateIdent(name, "table name");
@@ -172,7 +199,7 @@ function reconcileTable(database, table, opts) {
172
199
  var colDefs = [];
173
200
  for (var col in table.columns) {
174
201
  validateIdent(col, "column name");
175
- colDefs.push('"' + col + '" ' + table.columns[col]);
202
+ colDefs.push(q(col) + " " + table.columns[col]);
176
203
  }
177
204
  if (colDefs.length === 0) {
178
205
  throw new Error("schema entry '" + name + "' has no columns");
@@ -188,7 +215,7 @@ function reconcileTable(database, table, opts) {
188
215
  throw new Error("primaryKey '" + c + "' is not declared in columns of table '" + name + "'");
189
216
  }
190
217
  });
191
- colDefs.push("PRIMARY KEY (" + pkCols.map(function (c) { return '"' + c + '"'; }).join(", ") + ")");
218
+ colDefs.push("PRIMARY KEY (" + pkCols.map(function (c) { return q(c); }).join(", ") + ")");
192
219
  }
193
220
 
194
221
  // Structured FOREIGN KEY declarations. Each entry:
@@ -217,21 +244,35 @@ function reconcileTable(database, table, opts) {
217
244
  if (localCols.length !== refCols.length) {
218
245
  throw new Error("foreignKey on '" + name + "': local-column count must match referenced-column count");
219
246
  }
220
- var clause = "FOREIGN KEY (" + localCols.map(function (c) { return '"' + c + '"'; }).join(", ") + ")" +
221
- ' REFERENCES "' + refTable + '" (' + refCols.map(function (c) { return '"' + c + '"'; }).join(", ") + ")";
247
+ var clause = "FOREIGN KEY (" + localCols.map(function (c) { return q(c); }).join(", ") + ")" +
248
+ " REFERENCES " + q(refTable) + " (" + refCols.map(function (c) { return q(c); }).join(", ") + ")";
222
249
  if (fk.onDelete) clause += " ON DELETE " + _validateAction(fk.onDelete, "ON DELETE", name);
223
250
  if (fk.onUpdate) clause += " ON UPDATE " + _validateAction(fk.onUpdate, "ON UPDATE", name);
224
251
  colDefs.push(clause);
225
252
  }
226
253
  }
227
254
 
228
- runSql(database, 'CREATE TABLE IF NOT EXISTS "' + name + '" (' + colDefs.join(", ") + ")");
255
+ // Operator-schema reconcile: colDefs carries the operator's VERBATIM
256
+ // per-column DDL strings (e.g. "TEXT PRIMARY KEY", "INTEGER NOT NULL
257
+ // DEFAULT 0") plus composite FOREIGN KEY clauses with referential
258
+ // actions — a grammar b.sql.createTable's structured { name, type,
259
+ // notNull, references } column specs cannot faithfully reproduce
260
+ // (no table-level composite-FK or arbitrary-inline-constraint slot).
261
+ // Every identifier here is validated (validateIdent) + quoted by
262
+ // construction, so quote-by-construction safety is preserved.
263
+ // allow:hand-rolled-sql — operator verbatim column DDL + composite FK clauses outside b.sql.createTable's structured API
264
+ runSql(database, safeSql.assertSingleStatement(
265
+ "CREATE TABLE IF NOT EXISTS " + q(name) + " (" + colDefs.join(", ") + ")",
266
+ { label: "schema.reconcile" }));
229
267
 
230
268
  var existingCols = listColumns(database, name);
231
269
  for (var newCol in table.columns) {
232
270
  if (!existingCols.has(newCol)) {
233
271
  try {
234
- runSql(database, 'ALTER TABLE "' + name + '" ADD COLUMN "' + newCol + '" ' + table.columns[newCol]);
272
+ // allow:hand-rolled-sql operator verbatim ADD COLUMN DDL (validated + quoted identifier); type string is operator-controlled
273
+ runSql(database, safeSql.assertSingleStatement(
274
+ "ALTER TABLE " + q(name) + " ADD COLUMN " + q(newCol) + " " + table.columns[newCol],
275
+ { label: "schema.reconcile" }));
235
276
  } catch (e) {
236
277
  throw new Error("failed to add column '" + newCol + "' to '" + name + "': " + e.message);
237
278
  }
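Review bot: `safeSql.assertSingleStatement` at the CREATE TABLE and ADD COLUMN calls bounds the statement count only, judging by its name; the verbatim `table.columns[...]` string can still carry any clause that is legal inside one statement, so this path is safe only while the schema object is operator-authored. The comment block above the CREATE TABLE call covers identifier quoting but not that limit, and I would add `// assertSingleStatement only blocks stacked statements; column DDL strings must come from operator config, never from request or tenant data.` In the ADD COLUMN path the guard runs inside the existing `try`, so a guard rejection surfaces as a generic "failed to add column" error carrying only `e.message`; hoisting the assertion above the `try` would keep the two failure kinds distinguishable. reconcileTable starts and ends outside this hunk.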
@@ -244,9 +285,10 @@ function reconcileTable(database, table, opts) {
244
285
  }
245
286
  }
246
287
 
247
- // Schema-drift detection (opt-in; default "ignore" => no-op). Compares
248
- // the live table's columns against the declared model AFTER the additive
249
- // ADD COLUMN pass so the diff reflects what reconcile could not fix:
288
+ // Schema-drift detection. Default mode is posture-driven: "refuse"
289
+ // under a regulated pinned posture, "ignore" otherwise (resolveDriftMode).
290
+ // Compares the live table's columns against the declared model AFTER the
291
+ // additive ADD COLUMN pass so the diff reflects what reconcile could not fix:
250
292
  // - extra = live-but-undeclared (out-of-band ALTER / hand-edit);
251
293
  // - missing = declared-but-still-absent (ADD COLUMN could not apply).
252
294
  // Dropped columns are never acted on — reconcile stays non-destructive.
@@ -310,17 +352,51 @@ function _validateAction(action, label, tableName) {
310
352
  return up;
311
353
  }
312
354
 
313
- // onDrift reaction modes. "ignore" preserves pre-drift-detection
314
- // behavior byte-for-byte; "warn" emits an observability signal and
315
- // reports; "refuse" throws so a strict-schema posture refuses to boot
316
- // when the live DB has diverged from the declared model.
355
+ // onDrift reaction modes. "ignore" takes no action on detected drift;
356
+ // "warn" emits an observability signal and reports; "refuse" throws so a
357
+ // strict-schema posture refuses to boot when the live DB has diverged
358
+ // from the declared model.
317
359
  var DRIFT_MODES = ["ignore", "warn", "refuse"];
318
360
 
319
- // resolveDriftMode config-time enum validation. Undefined => "ignore"
320
- // (default; existing deployments see zero behavior change). A bad value
321
- // is an operator typo at config time THROW (entry-point tier).
361
+ // Compliance postures under which schema conformance is an audit-evidence
362
+ // floor (change-/configuration-management control families: ISO 27001:2022
363
+ // A.8.9, SOC 2 CC8.1). When one of these is the globally-pinned posture
364
+ // and the operator left onDrift unset, the default flips from "ignore" to
365
+ // "refuse" so an unapproved live schema fails boot rather than serving
366
+ // silently. Membership match is exact against compliance().current().
367
+ var REGULATED_DRIFT_REFUSE = Object.freeze({
368
+ "hipaa": true, "pci-dss": true, "gdpr": true, "soc2": true,
369
+ "iso-27001-2022": true, "dora": true, "fedramp-rev5-moderate": true,
370
+ "nist-800-53": true, "nist-800-53-r5-privacy": true, "dpdp": true,
371
+ "lgpd-br": true, "pipl-cn": true, "uk-gdpr": true,
372
+ });
373
+
374
+ // _pinnedRegulatedDrift — the posture-driven default when onDrift is unset.
375
+ // Returns "refuse" when a regulated posture is globally pinned, "ignore"
376
+ // otherwise. Drop-safe: any failure resolving the posture (compliance not
377
+ // loaded, no posture pinned) yields the back-compat "ignore" — the gate
378
+ // only tightens the default when a regulated posture is provably pinned,
379
+ // never the reverse.
380
+ function _pinnedRegulatedDrift() {
381
+ try {
382
+ var pinned = compliance().current();
383
+ if (typeof pinned === "string" && REGULATED_DRIFT_REFUSE[pinned] === true) {
384
+ return "refuse";
385
+ }
386
+ } catch (_e) { /* compliance unavailable — fall through to back-compat */ }
387
+ return "ignore";
388
+ }
389
+
390
+ // resolveDriftMode — config-time enum validation. Unset => the
391
+ // posture-driven default ("refuse" under a regulated pinned posture,
392
+ // "ignore" otherwise; see REGULATED_DRIFT_REFUSE). An explicit value
393
+ // always wins, including "ignore" to opt back out under a regulated
394
+ // posture. A bad value is an operator typo at config time => THROW
395
+ // (entry-point tier).
322
396
  function resolveDriftMode(opts) {
323
- if (!opts || opts.onDrift === undefined || opts.onDrift === null) return "ignore";
397
+ if (!opts || opts.onDrift === undefined || opts.onDrift === null) {
398
+ return _pinnedRegulatedDrift();
399
+ }
324
400
  var mode = opts.onDrift;
325
401
  if (typeof mode !== "string" || DRIFT_MODES.indexOf(mode) === -1) {
326
402
  throw new TypeError(
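Review bot: The empty `catch (_e)` in `_pinnedRegulatedDrift` makes the new regulated default fail open: any exception from `compliance().current()`, expected or not, yields "ignore", so a deployment that pinned a regulated posture can boot with drift detection off and nothing records why. The comment calls this drop-safe for the back-compat case, but the code does not separate "no posture pinned" from "posture lookup broke". I would surface the swallowed error through whatever signal the "warn" drift mode already emits (not visible in this hunk) and document it, e.g. `// lookup failure is reported, then falls back to "ignore"`. resolveDriftMode's body continues past the end of this hunk.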
@@ -345,17 +421,114 @@ function reconcileIndex(database, tableName, idx) {
345
421
  }
346
422
  validateIdent(indexName, "index name");
347
423
  cols.forEach(function (c) { validateIdent(c, "indexed column"); });
348
- var quotedCols = cols.map(function (c) { return '"' + c + '"'; }).join(", ");
424
+ var dialect = _handleDialect(database);
425
+ function q(ident) { return safeSql.quoteIdentifier(ident, dialect, { allowReserved: true }); }
426
+ var quotedCols = cols.map(function (c) { return q(c); }).join(", ");
427
+ // MySQL has no CREATE INDEX IF NOT EXISTS; a re-run of a declared index
428
+ // would error "Duplicate key name". The reconciler is idempotent by
429
+ // contract, so on MySQL a duplicate-index error is swallowed (the index
430
+ // already exists, which is the desired end state). Postgres + SQLite use
431
+ // the IF NOT EXISTS form natively.
432
+ if (dialect === "mysql") {
433
+ try {
434
+ runSql(database,
435
+ "CREATE " + (unique ? "UNIQUE " : "") + "INDEX " + q(indexName) +
436
+ " ON " + q(tableName) + " (" + quotedCols + ")");
437
+ } catch (e) {
438
+ if (!/exist|duplicate/i.test((e && e.message) || "")) throw e;
439
+ }
440
+ return;
441
+ }
349
442
  runSql(database,
350
- "CREATE " + (unique ? "UNIQUE " : "") + "INDEX IF NOT EXISTS \"" + indexName + "\"" +
351
- ' ON "' + tableName + '" (' + quotedCols + ")"
443
+ "CREATE " + (unique ? "UNIQUE " : "") + "INDEX IF NOT EXISTS " + q(indexName) +
444
+ " ON " + q(tableName) + " (" + quotedCols + ")"
352
445
  );
353
446
  }
354
447
 
448
+ // The dialect of a data-layer handle. db.init / db.from drive the
449
+ // framework's local node:sqlite handle (the default). An operator who
450
+ // reconciles / migrates / seeds their OWN Postgres / MySQL handle declares
451
+ // the dialect on the handle via `handle.dialect` so the SQL matches the
452
+ // backend. Absent / unknown falls back to "sqlite" — every existing
453
+ // local-handle caller is byte-identical. Shared by db-schema's reconciler,
454
+ // migrations.js, and seeders.js (the three sync data-layer files that drive
455
+ // a handle directly), so the resolution lives in one place.
456
+ function handleDialect(database) {
457
+ var d = database && database.dialect;
458
+ if (d === "postgres" || d === "mysql" || d === "sqlite") return d;
459
+ return "sqlite";
460
+ }
461
+ // Back-compat internal alias used throughout this module.
462
+ var _handleDialect = handleDialect;
463
+
464
+ // b.sql opts for a statement run directly against `database` (db.prepare /
465
+ // runSqlOnHandle, never clusterStorage): the handle's dialect + quoteName so
466
+ // the resolved framework table name quotes by construction.
467
+ function sqlOpts(database) {
468
+ return { dialect: handleDialect(database), quoteName: true };
469
+ }
470
+
471
+ // A registry/lock PRIMARY-KEY (or composite-PK / indexed) TEXT column type.
472
+ // MySQL refuses an unbounded TEXT/BLOB in a key without a prefix length, so
473
+ // a key-participating text column is VARCHAR(191) there (utf8mb4
474
+ // index-safe); Postgres + SQLite index TEXT directly. The value is emitted
475
+ // verbatim by b.sql in type position (after a quoted identifier), never as
476
+ // an identifier.
477
+ function keyTextType(database) {
478
+ return handleDialect(database) === "mysql" ? "VARCHAR(191)" : "text";
479
+ }
480
+
481
+ // List the live column names of a table. SQLite reads `PRAGMA table_info`;
482
+ // Postgres + MySQL read information_schema.columns (PRAGMA is SQLite-only —
483
+ // it throws "syntax error at PRAGMA" on the others). The table name binds
484
+ // as a `?` parameter (never concatenated into the SQL text), so an operator
485
+ // table name with metacharacters can't break the introspection query. On
486
+ // Postgres / MySQL the introspection is confined to current_schema() /
487
+ // DATABASE() (where the bare-named CREATE TABLE lands); an operator running
488
+ // multiple schemas qualifies via the `schema.table` handle convention
489
+ // elsewhere — listColumns reconciles by bare name here, matching the
490
+ // reconciler's CREATE TABLE (which is also bare-named).
355
491
  function listColumns(database, tableName) {
356
- var rows = database.prepare('PRAGMA table_info("' + tableName + '")').all();
492
+ var dialect = _handleDialect(database);
357
493
  var set = new Set();
358
- for (var i = 0; i < rows.length; i++) set.add(rows[i].name);
494
+ if (dialect === "sqlite") {
495
+ var rows = database.prepare('PRAGMA table_info("' + tableName + '")').all();
496
+ for (var i = 0; i < rows.length; i++) set.add(rows[i].name);
497
+ return set;
498
+ }
499
+ // Postgres + MySQL: information_schema.columns is SQL-standard on both.
500
+ // The column-name column is `column_name` on both; the table name binds.
501
+ // A fixed catalog-introspection SELECT against the SQL-standard
502
+ // information_schema.columns view (a schema-qualified system table b.sql's
503
+ // verb builders don't model); the ONLY value (table name) binds as a `?`,
504
+ // every column/table reference is a static literal — no injection surface.
505
+ // The schema predicate confines introspection to the schema/database the
506
+ // reconciler's bare-named CREATE TABLE actually writes into (Postgres
507
+ // current_schema() = the first writable schema on the search_path; MySQL
508
+ // DATABASE() = the connection's default database). Without it a same-named
509
+ // table in another schema/database pollutes the column set - silently skipping
510
+ // a needed ADD COLUMN or fabricating a drift "extra" that refuses a regulated-
511
+ // posture boot. Both are zero-arg SQL functions in predicate position, so the
512
+ // table name stays the single bound parameter (no new placeholder).
513
+ // Two fully-static introspection strings, one per dialect: DATABASE() /
514
+ // current_schema() are SQL functions baked into the literal (never a
515
+ // concatenated value), so the only bound value remains the table name `?`.
516
+ // allow:hand-rolled-sql — static information_schema introspection, single bound param
517
+ var infoSql = dialect === "mysql"
518
+ ? "SELECT column_name FROM information_schema.columns " +
519
+ "WHERE table_schema = DATABASE() AND table_name = ?"
520
+ // allow:hand-rolled-sql — Postgres branch, same static-introspection shape
521
+ : "SELECT column_name FROM information_schema.columns " +
522
+ "WHERE table_schema = current_schema() AND table_name = ?";
523
+ var stmt = database.prepare(infoSql);
524
+ var irows = stmt.all.apply(stmt, [tableName]);
525
+ for (var j = 0; j < irows.length; j++) {
526
+ // node-postgres folds unquoted output column names to lowercase, so the
527
+ // result key is `column_name` on every driver; read it directly.
528
+ var name = irows[j].column_name;
529
+ if (name === undefined) name = irows[j].COLUMN_NAME; // some MySQL drivers upper-case
530
+ if (name !== undefined && name !== null) set.add(name);
531
+ }
359
532
  return set;
360
533
  }
361
534
 
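Review bot: The MySQL branch of `reconcileIndex` swallows any error whose message matches `/exist|duplicate/i`, which is wider than the duplicate-index case the comment describes: a "Table … doesn't exist" error and the "Duplicate entry …" failure raised when a UNIQUE index is built over rows that already collide would both be discarded, leaving a declared uniqueness constraint silently absent. Matching the specific condition is safer, for example `if (!(e && (e.code === "ER_DUP_KEYNAME" || e.errno === 1061))) throw e;`, with a message test on `duplicate key name` kept only as a fallback if the handle's driver does not expose those fields. Separately, the header comment on `listColumns` says the table name is never concatenated into the SQL text, but the sqlite branch still builds `'PRAGMA table_info("' + tableName + '")'` and this commit exports the function; `database.prepare("SELECT name FROM pragma_table_info(?)").all(tableName)` would bind it on that branch too. reconcileIndex starts before this hunk.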
@@ -384,7 +557,9 @@ function runMigrations(database, migrationDir) {
384
557
  }).map(function (e) { return e.name; }).sort();
385
558
 
386
559
  var appliedSet = new Set();
387
- database.prepare("SELECT name FROM " + Q_MIGRATIONS_TABLE).all().forEach(function (r) {
560
+ var namesQ = sql.select(_migrationsTable(), _SQL_OPTS).columns(["name"]).toSql();
561
+ var namesStmt = database.prepare(namesQ.sql);
562
+ namesStmt.all.apply(namesStmt, namesQ.params).forEach(function (r) {
388
563
  appliedSet.add(r.name);
389
564
  });
390
565
 
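Review bot: Both builder calls in `runMigrations` pass `_SQL_OPTS`, while this commit adds `sqlOpts(database)` in the same file so that statements run directly on a handle carry that handle's dialect and `quoteName`. `_SQL_OPTS` is defined outside the hunk; if it is a fixed constant, the migrations-table SELECT here and the INSERT in the next hunk would be quoted for the default dialect even on an operator's Postgres or MySQL handle. If that is the case I would switch both to `sql.select(_migrationsTable(), sqlOpts(database))` and `sql.insert(_migrationsTable(), sqlOpts(database))`. runMigrations starts and ends outside this hunk.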
@@ -413,9 +588,11 @@ function runMigrations(database, migrationDir) {
413
588
  try {
414
589
  runInTransaction(database, function () {
415
590
  mig.up(database);
416
- database.prepare(
417
- "INSERT INTO " + Q_MIGRATIONS_TABLE + " (name, description, appliedAt) VALUES (?, ?, ?)"
418
- ).run(file, mig.description || "", new Date().toISOString());
591
+ var insQ = sql.insert(_migrationsTable(), _SQL_OPTS)
592
+ .values({ name: file, description: mig.description || "",
593
+ appliedAt: new Date().toISOString() }).toSql();
594
+ var insStmt = database.prepare(insQ.sql);
595
+ insStmt.run.apply(insStmt, insQ.params);
419
596
  });
420
597
  } catch (e) {
421
598
  throw new Error("migration '" + file + "' failed: " + e.message);
@@ -434,6 +611,13 @@ module.exports = {
434
611
  runSql: runSql,
435
612
  runSqlOnHandle: runSqlOnHandle,
436
613
  runInTransaction: runInTransaction,
614
+ // Shared data-layer dialect resolution — composed by migrations.js +
615
+ // seeders.js so the handle-dialect / b.sql-opts / key-text-type logic
616
+ // lives in exactly one place.
617
+ handleDialect: handleDialect,
618
+ sqlOpts: sqlOpts,
619
+ keyTextType: keyTextType,
620
+ listColumns: listColumns,
437
621
  MIGRATIONS_TABLE: MIGRATIONS_TABLE,
438
622
  DRIFT_MODES: DRIFT_MODES,
439
623
  };