@blamejs/blamejs-shop 0.4.31 → 0.4.33

package/lib/vendor/blamejs/test/layer-0-primitives/compliance.test.js

@@ -255,6 +255,221 @@ function testV0882NewPostures() {
         euP.indexOf("dsa") !== -1 && euP.indexOf("dga") !== -1 && euP.indexOf("eu-cer") !== -1);
 }
 
+// ---- Seal-envelope floor (POSTURE_DEFAULTS data + registerTable gate) ----
+
+function testSealEnvelopeFloorData() {
+  check("postureDefault(hipaa, sealEnvelopeFloor) === 'aad'",
+        b.compliance.postureDefault("hipaa", "sealEnvelopeFloor") === "aad");
+  check("postureDefault(pci-dss, sealEnvelopeFloor) === 'aad'",
+        b.compliance.postureDefault("pci-dss", "sealEnvelopeFloor") === "aad");
+  // Absent on non-regulated / unfloored postures → null (back-compat).
+  check("postureDefault(gdpr, sealEnvelopeFloor) === null",
+        b.compliance.postureDefault("gdpr", "sealEnvelopeFloor") === null);
+  check("postureDefault(soc2, sealEnvelopeFloor) === null",
+        b.compliance.postureDefault("soc2", "sealEnvelopeFloor") === null);
+  check("postureDefault(dora, sealEnvelopeFloor) === null",
+        b.compliance.postureDefault("dora", "sealEnvelopeFloor") === null);
+}
+
+function testRegisterTableFloorBackCompatUnpinned() {
+  // No posture pinned: a plain sealed table registers exactly as before.
+  _resetState();
+  b.cryptoField.clearForTest();
+  var threw = null;
+  try {
+    b.cryptoField.registerTable("ct_floor_unpinned", { sealedFields: ["x"] });
+  } catch (e) { threw = e; }
+  check("plain sealed table registers under no posture (back-compat)",
+        threw === null);
+  b.cryptoField.clearForTest();
+}
+
+function testRegisterTableFloorThrowsUnderHipaa() {
+  _resetState();
+  b.cryptoField.clearForTest();
+  b.compliance.set("hipaa");
+  var threw = null;
+  try {
+    b.cryptoField.registerTable("ct_floor_hipaa_plain", { sealedFields: ["ssn"] });
+  } catch (e) { threw = e; }
+  check("plain sealed table under hipaa throws seal-envelope-below-floor",
+        threw && threw.code === "crypto-field/seal-envelope-below-floor");
+  b.cryptoField.clearForTest();
+  _resetState();
+}
+
+function testRegisterTableFloorAadSatisfiesHipaa() {
+  _resetState();
+  b.cryptoField.clearForTest();
+  b.compliance.set("hipaa");
+  var threw = null;
+  try {
+    b.cryptoField.registerTable("ct_floor_hipaa_aad",
+      { sealedFields: ["ssn"], aad: true, rowIdField: "id" });
+  } catch (e) { threw = e; }
+  check("aad-bound sealed table satisfies hipaa floor (no throw)",
+        threw === null);
+  b.cryptoField.clearForTest();
+  _resetState();
+}
+
+function testRegisterTableFloorNoSealedFieldsPasses() {
+  _resetState();
+  b.cryptoField.clearForTest();
+  b.compliance.set("pci-dss");
+  var threw = null;
+  try {
+    // No sealed columns → no envelope to gate.
+    b.cryptoField.registerTable("ct_floor_pci_nosealed", { sealedFields: [] });
+  } catch (e) { threw = e; }
+  check("table with no sealed fields passes under pci-dss floor",
+        threw === null);
+  b.cryptoField.clearForTest();
+  _resetState();
+}
+
+function testRegisterTableFloorPerRowKeySatisfies() {
+  _resetState();
+  b.cryptoField.clearForTest();
+  b.compliance.set("hipaa");
+  // declarePerRowKey before registerTable: the table's declared envelope
+  // is per-row-key, which is ABOVE the aad floor.
+  b.cryptoField.declarePerRowKey("ct_floor_hipaa_prk", { keySize: 32 });
+  var threw = null;
+  try {
+    b.cryptoField.registerTable("ct_floor_hipaa_prk", { sealedFields: ["ssn"] });
+  } catch (e) { threw = e; }
+  check("per-row-key table satisfies hipaa floor (no throw)",
+        threw === null);
+  b.cryptoField.clearForTest();
+  _resetState();
+}
+
+function testRegisterTableFloorUnflooredPosturePasses() {
+  // gdpr is regulated but declares no sealEnvelopeFloor → plain passes.
+  _resetState();
+  b.cryptoField.clearForTest();
+  b.compliance.set("gdpr");
+  var threw = null;
+  try {
+    b.cryptoField.registerTable("ct_floor_gdpr_plain", { sealedFields: ["email"] });
+  } catch (e) { threw = e; }
+  check("plain sealed table under gdpr (no floor) passes (back-compat)",
+        threw === null);
+  b.cryptoField.clearForTest();
+  _resetState();
+}
+
+// ---- Region-tag normalization + compatibility helpers (additive) ----
+
+function testNormalizeRegionTag() {
+  check("normalizeRegionTag('EU') === normalizeRegionTag('eu')",
+        b.compliance.normalizeRegionTag("EU") === b.compliance.normalizeRegionTag("eu"));
+  check("normalizeRegionTag(' eu ') trims + lowercases",
+        b.compliance.normalizeRegionTag(" eu ") === "eu");
+  check("normalizeRegionTag('global') folds to 'unrestricted'",
+        b.compliance.normalizeRegionTag("global") === "unrestricted");
+  check("normalizeRegionTag('unrestricted') === 'unrestricted'",
+        b.compliance.normalizeRegionTag("unrestricted") === "unrestricted");
+  check("normalizeRegionTag(null) === null",
+        b.compliance.normalizeRegionTag(null) === null);
+  check("normalizeRegionTag('') === null",
+        b.compliance.normalizeRegionTag("") === null);
+}
+
+function testIsRegionCompatible() {
+  check("isRegionCompatible('EU','eu') === true (case-insensitive)",
+        b.compliance.isRegionCompatible("EU", "eu") === true);
+  check("isRegionCompatible('eu','global') === true (wildcard)",
+        b.compliance.isRegionCompatible("eu", "global") === true);
+  check("isRegionCompatible('unrestricted','us') === true (wildcard)",
+        b.compliance.isRegionCompatible("unrestricted", "us") === true);
+  check("isRegionCompatible('eu','us') === false (distinct regions)",
+        b.compliance.isRegionCompatible("eu", "us") === false);
+  check("isRegionCompatible('EU',null) === true (no constraint)",
+        b.compliance.isRegionCompatible("EU", null) === true);
+}
+
+// ---- Bug C1: gate-contract unmapped-posture warning ----
+
+function _gcCfg() {
+  return {
+    profiles:           { strict: { a: 1 } },
+    compliancePostures: { hipaa: { piiPolicy: "redact" }, "pci-dss": { piiPolicy: "refuse" } },
+    defaults:           { piiPolicy: "serve" },
+    errCodePrefix:      "ct_c1",
+  };
+}
+
+function testGateContractUnmappedPostureWarns() {
+  _resetState();
+  b.gateContract._resetForTest();
+  // fedramp-rev5-moderate is a real posture with no overlay in _gcCfg.
+  b.compliance.set("fedramp-rev5-moderate");
+  var captured = [];
+  var origAudit = b.audit.safeEmit;
+  b.audit.safeEmit = function (e) { captured.push(e); };
+  var resolved;
+  try {
+    resolved = b.gateContract.resolveProfileAndPosture({}, _gcCfg());
+    // Second call same posture+guard must NOT re-warn (dedupe).
+    b.gateContract.resolveProfileAndPosture({}, _gcCfg());
+  } finally {
+    b.audit.safeEmit = origAudit;
+  }
+  var warns = captured.filter(function (e) {
+    return e.action === "gateContract.posture.unmapped";
+  });
+  check("unmapped global posture emits exactly one warning (deduped)",
+        warns.length === 1 && warns[0].metadata.posture === "fedramp-rev5-moderate");
+  check("unmapped posture keeps the safe (unposture-d) default",
+        resolved.piiPolicy === "serve");
+  b.gateContract._resetForTest();
+  _resetState();
+}
+
+function testGateContractMappedPostureNoWarn() {
+  _resetState();
+  b.gateContract._resetForTest();
+  b.compliance.set("hipaa");
+  var captured = [];
+  var origAudit = b.audit.safeEmit;
+  b.audit.safeEmit = function (e) { captured.push(e); };
+  var resolved;
+  try {
+    resolved = b.gateContract.resolveProfileAndPosture({}, _gcCfg());
+  } finally {
+    b.audit.safeEmit = origAudit;
+  }
+  var warns = captured.filter(function (e) {
+    return e.action === "gateContract.posture.unmapped";
+  });
+  check("mapped global posture does not warn", warns.length === 0);
+  check("mapped global posture applies overlay", resolved.piiPolicy === "redact");
+  b.gateContract._resetForTest();
+  _resetState();
+}
+
+function testGateContractUnpinnedNoWarn() {
+  _resetState();
+  b.gateContract._resetForTest();
+  var captured = [];
+  var origAudit = b.audit.safeEmit;
+  b.audit.safeEmit = function (e) { captured.push(e); };
+  var resolved;
+  try {
+    resolved = b.gateContract.resolveProfileAndPosture({}, _gcCfg());
+  } finally {
+    b.audit.safeEmit = origAudit;
+  }
+  var warns = captured.filter(function (e) {
+    return e.action === "gateContract.posture.unmapped";
+  });
+  check("unpinned deployment does not warn", warns.length === 0);
+  check("unpinned deployment keeps default", resolved.piiPolicy === "serve");
+  b.gateContract._resetForTest();
+}
+
 async function run() {
   testSurface();
   testSetThenCurrent();
@@ -266,7 +481,21 @@ async function run() {
   testV0870NewPostures();
   testV0881NewPostures();
   testV0882NewPostures();
+  testSealEnvelopeFloorData();
+  testRegisterTableFloorBackCompatUnpinned();
+  testRegisterTableFloorThrowsUnderHipaa();
+  testRegisterTableFloorAadSatisfiesHipaa();
+  testRegisterTableFloorNoSealedFieldsPasses();
+  testRegisterTableFloorPerRowKeySatisfies();
+  testRegisterTableFloorUnflooredPosturePasses();
+  testNormalizeRegionTag();
+  testIsRegionCompatible();
+  testGateContractUnmappedPostureWarns();
+  testGateContractMappedPostureNoWarn();
+  testGateContractUnpinnedNoWarn();
   // Reset at end so other tests don't see leaked posture.
+  b.cryptoField.clearForTest();
+  b.gateContract._resetForTest();
   _resetState();
 }
 

package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js

@@ -52,6 +52,24 @@ async function testShake256ConfigurableLength() {
   check("verify 64-byte envelope",             (await ch.verify("hi", env64)) === true);
   check("verify 192-byte envelope",            (await ch.verify("hi", env192)) === true);
   check("64 envelope can't verify against 192", env64 !== env192);
+
+  // #111 — needsRehash must drive the advertised SHAKE256 length-rotation: a
+  // digest stored at the old length must be flagged for rehash when the
+  // configured/default length is larger. needsRehash ignored payload length,
+  // so raising the output length was a silent no-op.
+  check("#111 a 64-byte digest needs rehash under the 128-byte default",
+        ch.needsRehash(env64) === true);
+  check("#111 a 64-byte digest needs rehash when the target length is raised to 192",
+        ch.needsRehash(env64, { params: { length: 192 } }) === true);
+  check("#111 a 64-byte digest does NOT need rehash when the target stays 64",
+        ch.needsRehash(env64, { params: { length: 64 } }) === false);
+  check("#111 a default-length (128) digest does not need rehash at the default",
+        ch.needsRehash(await ch.hash("hi")) === false);
+  // Upgrade-only, matching the Argon2 needsRehash convention (rehash when the
+  // stored strength is BELOW target, never to actively shorten): a 192-byte
+  // digest must NOT be rehashed down to a 128-byte target.
+  check("#111 a longer (192) digest is NOT rehashed down to a smaller target (128)",
+        ch.needsRehash(env192, { params: { length: 128 } }) === false);
 }
 
 async function testShake256BufferSecret() {

package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-derived-hash.test.js

@@ -4,10 +4,12 @@
  *
  * Equality-lookup ("derived") hashes for sealed columns can be computed
  * two ways:
- *   - salted-sha3   (default) — SHA3-512 over a per-deployment salt.
- *   - hmac-shake256 (opt-in)  — keyed MAC off vault.getDerivedHashMacKey,
- *                               so the hash is unforgeable without the
- *                               per-deployment MAC key.
+ *   - hmac-shake256 (default, v0.15.0) — keyed MAC off
+ *                               vault.getDerivedHashMacKey, so an attacker
+ *                               who recovers the per-deployment salt alone
+ *                               cannot correlate low-entropy plaintexts.
+ *   - salted-sha3   (opt-out) — SHA3-512 over a per-deployment salt;
+ *                               byte-compatible with the legacy index.
  *
  * The mode is chosen per-table (derivedHashMode) or per-column
  * (spec.mode). The decision lives in _computeDerivedHash; call sites
@@ -25,17 +27,31 @@ async function run() {
   var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-cf-dh-"));
   await b.vault.init({ mode: "plaintext", dataDir: dir });
 
-  // ---- salted-sha3 is the default: SHA3-512 → 128 hex chars ----
+  // ---- DEFAULT (v0.15.0) is the keyed MAC: hmac-shake256 → 64 hex chars.
+  // A table that declares no derivedHashMode gets the keyed digest so an
+  // attacker who recovers the salt alone can't correlate plaintexts. ----
+  b.cryptoField.registerTable("cf_dh_default", {
+    sealedFields: ["email"],
+    derivedHashes: { emailHash: { from: "email" } },
+  });
+  var defaultH = b.cryptoField.lookupHash("cf_dh_default", "email", "a@b.com").value;
+  check("derivedHashMode default is keyed hmac-shake256 (64 hex)", defaultH.length === 64);
+  check("default keyed hash is deterministic",
+    defaultH === b.cryptoField.lookupHash("cf_dh_default", "email", "a@b.com").value);
+
+  // ---- documented opt-out: derivedHashMode:'salted-sha3' restores the
+  // deterministic-per-deployment SHA3-512 digest → 128 hex chars. ----
   b.cryptoField.registerTable("cf_dh_t1", {
     sealedFields: ["email"],
     derivedHashes: { emailHash: { from: "email" } },
+    derivedHashMode: "salted-sha3",
   });
   var saltedH = b.cryptoField.lookupHash("cf_dh_t1", "email", "a@b.com").value;
-  check("salted-sha3 default is 128 hex (SHA3-512)", saltedH.length === 128);
+  check("salted-sha3 opt-out is 128 hex (SHA3-512)", saltedH.length === 128);
   check("salted-sha3 is deterministic",
     saltedH === b.cryptoField.lookupHash("cf_dh_t1", "email", "a@b.com").value);
 
-  // ---- hmac-shake256 table mode: SHAKE256/32 → 64 hex chars ----
+  // ---- hmac-shake256 table mode (explicit): SHAKE256/32 → 64 hex chars ----
   b.cryptoField.registerTable("cf_dh_t2", {
     sealedFields: ["email"],
     derivedHashes: { emailHash: { from: "email" } },
@@ -46,6 +62,7 @@ async function run() {
   check("hmac-shake256 is deterministic",
     keyedH === b.cryptoField.lookupHash("cf_dh_t2", "email", "a@b.com").value);
   check("keyed hash differs from salted hash", keyedH !== saltedH);
+  check("explicit keyed mode matches the new default", keyedH === defaultH);
 
   // ---- per-column mode override on a salted-default table ----
   b.cryptoField.registerTable("cf_dh_t3", {

package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-dual-read-migrate.test.js

@@ -0,0 +1,165 @@
+"use strict";
+/**
+ * b.cryptoField derived-hash dual-read + upgrade-on-read auto-migrate.
+ *
+ * The derived-hash default flipped from salted-sha3 (128 hex) to the keyed
+ * MAC hmac-shake256 (64 hex) in v0.15.0. The mode is resolved at
+ * registerTable from the current default and is NOT persisted, so on upgrade
+ * a row written under the OLD default still carries the salted-sha3 digest in
+ * its lookup column while new lookups compute the keyed-MAC digest — a silent
+ * index miss (find-by-email / destroyAllForUser would skip the legacy row).
+ *
+ * This proves the non-breaking landing:
+ *   1. lookupHashCandidates returns BOTH the keyed-MAC and the legacy
+ *      salted-sha3 digest, so a match-EITHER query finds the legacy row.
+ *   2. unsealRow upgrade-on-read re-hashes a row whose derived-hash column
+ *      holds the legacy salted digest to the keyed-MAC form (in the returned
+ *      row AND, with a writable db handle, durably on disk), so the candidate
+ *      set collapses back to a single value over time.
+ */
+
+var helpers = require("../helpers");
+var b     = helpers.b;
+var check = helpers.check;
+var fs   = require("fs");
+var os   = require("os");
+var path = require("path");
+var { setupTestDb, teardownTestDb } = require("../helpers/db");
+
+async function run() {
+  var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-cf-dual-"));
+  try {
+    // The default users fixture: sealedFields ["email","name"],
+    // derivedHashes { emailHash: { from: "email", normalize: lowercase } },
+    // keyed-MAC default mode.
+    await setupTestDb(dir);
+
+    var email = "Alice@Example.com";   // mixed-case → normalize lowercases it
+
+    // ---- 1. dual-read: lookupHashCandidates names both digests ----
+    var keyed = b.cryptoField.lookupHash("users", "email", email);
+    check("active lookup hash is the keyed MAC (64 hex)",
+      keyed && keyed.value.length === 64);
+    check("lookupHash surfaces the legacy salted digest as legacyValue (128 hex)",
+      typeof keyed.legacyValue === "string" && keyed.legacyValue.length === 128);
+
+    // The legacy digest the lib computes is the byte-form a pre-v0.15.0 row
+    // carries; treat it as ground truth for the forged legacy row below.
+    var legacyHash = keyed.legacyValue;
+    check("legacy digest is the salted-sha3 SHA3-512 width (128 hex), distinct from the keyed MAC",
+      legacyHash.length === 128 && legacyHash !== keyed.value);
+
+    var cands = b.cryptoField.lookupHashCandidates("users", "email", email);
+    check("lookupHashCandidates returns the derived field name",
+      cands && cands.field === "emailHash");
+    check("candidates list carries BOTH the keyed and legacy digests (match-either)",
+      cands.values.length === 2 &&
+      cands.values.indexOf(keyed.value) !== -1 &&
+      cands.values.indexOf(legacyHash) !== -1);
+
+    // ---- 2. forge a LEGACY-indexed row on disk ----
+    // Seal the email under the live envelope but OVERWRITE the derived-hash
+    // column with the legacy salted digest, mimicking a row written before
+    // the default flipped. Insert via the raw handle so the framework's
+    // write boundary doesn't recompute emailHash to the keyed form.
+    var sealed = b.cryptoField.sealRow("users", { _id: "u-legacy", email: email, name: "Alice" });
+    sealed.emailHash = legacyHash;   // pin the LEGACY digest, not the keyed one
+    b.db.prepare(
+      'INSERT INTO "users" ("_id","email","emailHash","name") VALUES (?,?,?,?)'
+    ).run(sealed._id, sealed.email, sealed.emailHash, sealed.name);
+
+    var onDiskBefore = b.db.prepare('SELECT "emailHash" AS h FROM "users" WHERE _id = ?').get("u-legacy");
+    check("forged row stores the legacy salted-sha3 emailHash on disk",
+      onDiskBefore.h === legacyHash && onDiskBefore.h.length === 128);
+
+    // A match-either query (the candidate list) FINDS the legacy row even
+    // though the keyed-only lookup would have missed it.
+    var foundLegacy = b.db.prepare(
+      'SELECT _id FROM "users" WHERE "emailHash" = ?'
+    ).get(legacyHash);
+    check("legacy-indexed row is found via the legacy candidate hash",
+      foundLegacy && foundLegacy._id === "u-legacy");
+    var missedByKeyed = b.db.prepare(
+      'SELECT _id FROM "users" WHERE "emailHash" = ?'
+    ).get(keyed.value);
+    check("keyed-only lookup MISSES the legacy row (why dual-read is needed)",
+      missedByKeyed === undefined || missedByKeyed === null);
+
+    // ---- 3. upgrade-on-read: unsealRow re-hashes to the keyed MAC ----
+    var rawRow = b.db.prepare('SELECT * FROM "users" WHERE _id = ?').get("u-legacy");
+    // Pass the writable local db handle so the durable rewrite fires.
+    var unsealed = b.cryptoField.unsealRow("users", rawRow, "actor-1", b.db);
+    check("unsealRow decrypted the sealed email back to plaintext",
+      unsealed.email === email);
+    check("upgrade-on-read: returned row's emailHash is now the keyed MAC",
+      unsealed.emailHash === keyed.value && unsealed.emailHash.length === 64);
+
+    var onDiskAfter = b.db.prepare('SELECT "emailHash" AS h FROM "users" WHERE _id = ?').get("u-legacy");
+    check("upgrade-on-read: the row's emailHash was durably re-written to the keyed MAC",
+      onDiskAfter.h === keyed.value && onDiskAfter.h.length === 64);
+
+    // After the upgrade, the keyed-only lookup now finds the row directly.
+    var foundKeyed = b.db.prepare(
+      'SELECT _id FROM "users" WHERE "emailHash" = ?'
+    ).get(keyed.value);
+    check("post-migrate: keyed-only lookup now finds the upgraded row",
+      foundKeyed && foundKeyed._id === "u-legacy");
+
+    // ---- 4. idempotence: a row already keyed is left untouched ----
+    var rawRow2 = b.db.prepare('SELECT * FROM "users" WHERE _id = ?').get("u-legacy");
+    var unsealed2 = b.cryptoField.unsealRow("users", rawRow2, "actor-1", b.db);
+    check("re-reading an already-keyed row leaves its emailHash unchanged",
+      unsealed2.emailHash === keyed.value);
+
+    // ---- 5. no-handle read resolves the framework db for the rewrite ----
+    // Re-forge a legacy row, unseal WITHOUT an explicit dbHandle: unsealRow
+    // resolves the framework's local db itself (the same fallback the K_row
+    // read path uses), so the returned row carries the keyed hash AND the
+    // durable rewrite still lands — keyed reads must work on every path.
+    var sealed3 = b.cryptoField.sealRow("users", { _id: "u-legacy-2", email: email, name: "Bob" });
+    sealed3.emailHash = legacyHash;
+    b.db.prepare(
+      'INSERT INTO "users" ("_id","email","emailHash","name") VALUES (?,?,?,?)'
+    ).run(sealed3._id, sealed3.email, sealed3.emailHash, sealed3.name);
+    var raw3 = b.db.prepare('SELECT * FROM "users" WHERE _id = ?').get("u-legacy-2");
+    var unsealedNoHandle = b.cryptoField.unsealRow("users", raw3);   // no explicit dbHandle
+    check("no-handle unseal surfaces the keyed hash on the returned row",
+      unsealedNoHandle.emailHash === keyed.value);
+    var disk3 = b.db.prepare('SELECT "emailHash" AS h FROM "users" WHERE _id = ?').get("u-legacy-2");
+    check("no-handle unseal still durably upgrades via the resolved framework db",
+      disk3.h === keyed.value);
+
+    // ---- 6. THE REAL CONSUMER PATH: b.db.from().where on a sealed field ----
+    // Operators — and the framework's own api-key / session / audit / mail
+    // stores — find a row by a sealed field through the equality rewrite,
+    // which MUST dual-read across the keyed-MAC flip or it silently drops
+    // un-migrated rows (the keyed-only lookup misses the legacy digest).
+    // Forge a FRESH legacy row (not yet upgraded) and find it via the real
+    // query path — this is the path the primitive-only test above never
+    // exercised.
+    var sealed6 = b.cryptoField.sealRow("users", { _id: "u-legacy-q", email: email, name: "Dave" });
+    sealed6.emailHash = legacyHash;
+    b.db.prepare(
+      'INSERT INTO "users" ("_id","email","emailHash","name") VALUES (?,?,?,?)'
+    ).run(sealed6._id, sealed6.email, sealed6.emailHash, sealed6.name);
+    var viaQuery = await b.db.from("users").where("email", email).all();
+    check("real consumer path (b.db.from().where on a sealed field) finds the un-migrated legacy row",
+      Array.isArray(viaQuery) && viaQuery.some(function (r) { return r._id === "u-legacy-q"; }));
+
+    // b.db.hashCandidatesFor — the db-level dual-read helper the framework's
+    // bespoke stores (consent/subject) compose for whereIn lookups.
+    var dbCands = b.db.hashCandidatesFor("users", "email", email);
+    check("b.db.hashCandidatesFor returns both the keyed and legacy digests",
+      dbCands && dbCands.field === "emailHash" && dbCands.values.length === 2);
+
+    console.log("OK — crypto-field dual-read + auto-migrate tests");
+  } finally {
+    await teardownTestDb(dir);
+  }
+}
+
+module.exports = { run: run };
+if (require.main === module) {
+  run().then(function () { process.exit(0); })
+       .catch(function (err) { process.exitCode = 1; throw err; });
+}