@blamejs/blamejs-shop 0.4.49 → 0.4.51

package/lib/vendor/blamejs/lib/storage.js

@@ -425,7 +425,7 @@ async function getFileStream(key, sealedKey, opts) {
  * @example
  *   b.storage.init({ backend: "local", uploadDir: "./data/uploads" });
  *   var saved = await b.storage.saveRaw(Buffer.from("public-bytes"), "logo.png");
- *   // → { storedPath: "logo.png", backend: "default" }
+ *   // → { storedPath: "logo.png", backend: "default", versionId: null }
  */
 async function saveRaw(buffer, key, opts) {
   _requireInit();
@@ -443,7 +443,9 @@ async function saveRaw(buffer, key, opts) {
       raw:            true,
     },
   });
-  return { storedPath: key, backend: picked.backend.name };
+  // versionId is non-null only on a versioning-enabled (S3 Object-Lock)
+  // backend; capture it to target the exact version for later erasure.
+  return { storedPath: key, backend: picked.backend.name, versionId: result.versionId || null };
 }
 
 /**
@@ -486,14 +488,24 @@ async function getRawBuffer(key, opts) {
  * Remove `key` from the routed backend. Returns `true` when the
  * object existed and was removed, `false` when it was already
  * absent. Emits `system.storage.delete` with `{ backend, key,
- * existed }` so the audit chain records GDPR right-to-erasure
+ * existed, versionId }` so the audit chain records GDPR right-to-erasure
  * flows. The sealed encryption key the caller persisted alongside
  * the row should be discarded by the caller after a successful
  * delete — without the bytes, the key has no recovery value.
  *
+ * On a versioning-enabled (S3 Object-Lock) backend an unversioned
+ * delete only writes a delete-marker — the data version survives. To
+ * erase a specific version pass `versionId` (from `saveRaw`'s return or
+ * `listVersions`); a version under an active retention is refused (the
+ * call throws), and `bypassGovernanceRetention` lifts a GOVERNANCE-mode
+ * retention for callers with the permission (COMPLIANCE stays immutable).
+ * `versionId` is S3/sigv4-only and is refused on other backends.
+ *
  * @opts
  *   classification:  string,    // route to a backend serving this classification
  *   backend:         string,    // explicit backend by name
+ *   versionId:       string,    // erase a specific object version (S3 Object-Lock)
+ *   bypassGovernanceRetention: boolean, // lift GOVERNANCE retention (not COMPLIANCE)
  *
  * @example
  *   b.storage.init({ backend: "local", uploadDir: "./data/uploads" });
@@ -507,12 +519,16 @@ async function deleteFile(key, opts) {
   _requireInit();
   opts = opts || {};
   var picked = _pickBackend(opts);
-  var result = await picked.backend.delete(key);
+  var result = await picked.backend.delete(key, {
+    versionId:                 opts.versionId,
+    bypassGovernanceRetention: opts.bypassGovernanceRetention,
+  });
   _emit("system.storage.delete", {
     metadata: {
-      backend: picked.backend.name,
-      key:     key,
-      existed: result,
+      backend:   picked.backend.name,
+      key:       key,
+      existed:   result,
+      versionId: opts.versionId || null,
     },
   });
   return result;
@@ -556,6 +572,53 @@ async function exists(key, opts) {
   }
 }
 
+/**
+ * @primitive b.storage.listVersions
+ * @signature b.storage.listVersions(prefix, opts?)
+ * @since     0.15.10
+ * @status    stable
+ * @compliance gdpr, sox-404, soc2
+ * @related   b.storage.deleteFile, b.storage.saveRaw, b.worm.create
+ *
+ * Enumerate every object VERSION and delete-marker under `prefix` on a
+ * versioning-enabled (S3 Object-Lock) backend. Plain reads only see the
+ * current version; right-to-erasure / crypto-shred on an Object-Lock
+ * bucket must target prior versions by `versionId`, which only this call
+ * surfaces. Each item is `{ key, versionId, isLatest, deleteMarker, size,
+ * lastModified, etag }`; `deleteMarker: true` rows are tombstones with no
+ * data. Pair with `deleteFile(key, { versionId })` to erase a version.
+ *
+ * Versioning is an S3/sigv4 feature — a backend without a version surface
+ * (filesystem, and the current Azure/GCS adapters) throws
+ * `VERSIONS_UNSUPPORTED` rather than silently returning the current view,
+ * so an erasure workflow can never mistake a single-version backend for a
+ * fully-enumerated one.
+ *
+ * @opts
+ *   classification:   string,   // route to a backend serving this classification
+ *   backend:          string,   // explicit backend by name
+ *   maxResults:       number,   // page size
+ *   keyMarker:        string,   // pagination cursor (from a prior page)
+ *   versionIdMarker:  string,   // pagination cursor (from a prior page)
+ *
+ * @example
+ *   var page = await b.storage.listVersions("filings/2026/");
+ *   for (var v of page.items) {
+ *     if (!v.isLatest) await b.storage.deleteFile(v.key, { versionId: v.versionId });
+ *   }
+ */
+async function listVersions(prefix, opts) {
+  _requireInit();
+  opts = opts || {};
+  var picked = _pickBackend(opts);
+  if (typeof picked.backend.listVersions !== "function") {
+    throw _err("VERSIONS_UNSUPPORTED",
+      "listVersions: backend '" + picked.backend.name + "' has no version surface " +
+      "(S3/sigv4 only). A filesystem / single-version backend cannot enumerate versions.", true);
+  }
+  return picked.backend.listVersions(prefix, opts);
+}
+
 /**
  * @primitive b.storage.listBackends
  * @signature b.storage.listBackends()
@@ -1266,6 +1329,7 @@ module.exports = {
   getRawBuffer:   getRawBuffer,
   deleteFile:     deleteFile,
   exists:         exists,
+  listVersions:   listVersions,
   presignedUploadUrl:    presignedUploadUrl,
   presignedDownloadUrl:  presignedDownloadUrl,
   presignedUploadPolicy: presignedUploadPolicy,

package/lib/vendor/blamejs/lib/vault/rotate.js

@@ -544,12 +544,6 @@ function _walkAndReSeal(node, oldKeys, newKeys) {
   return { value: node, changed: false };
 }
 
-// Transaction-control statements only (BEGIN / COMMIT / ROLLBACK) - fixed
-// keywords, no identifier / value, so they stay verbatim rather than route
-// through b.sql (the builder has no transaction-control verb). The param is
-// named `stmtText` so it does not shadow the module-level `sql` builder.
-function _runStmt(db, stmtText) { db.prepare(stmtText).run(); }
-
 function _rotateColumn(db, table, column, schema, roots, batchSize, progress) {
   // Every statement composes through b.sql (sqlite dialect, quoteName so
   // the concrete handle's table is quoted, not left bare for a cluster
@@ -655,8 +649,9 @@ function _rotateOverflow(db, table, oldKeys, newKeys, batchSize, progress, warni
     var rows = sel.all(lastId);
     if (rows.length === 0) break;
 
-    _runStmt(db, "BEGIN");
-    try {
+    // One transaction per page via the shared wrapper — the rotate worker
+    // no longer hand-rolls the BEGIN/COMMIT/ROLLBACK skeleton.
+    dbSchema.runInTransaction(db, function () {
       for (var i = 0; i < rows.length; i++) {
         var row = rows[i];
         var doc;
@@ -671,11 +666,7 @@ function _rotateOverflow(db, table, oldKeys, newKeys, batchSize, progress, warni
         var rv = _walkAndReSeal(doc, oldKeys, newKeys);
         if (rv.changed) upd.run(JSON.stringify(rv.value), row._id);
       }
-      _runStmt(db, "COMMIT");
-    } catch (e) {
-      _runStmt(db, "ROLLBACK");
-      throw e;
-    }
+    });
     processed += rows.length;
     lastId = rows[rows.length - 1]._id;
     _emit(progress, { phase: "rotate_overflow", table: table, rowsProcessed: processed, rowsTotal: total });

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.15.9",
+  "version": "0.15.11",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.15.10.json

@@ -0,0 +1,53 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.15.10",
+  "date": "2026-06-13",
+  "headline": "Makes S3 Object-Lock version erasure reachable through the object store, and pins the build toolchain's native binary to a reviewed hash",
+  "summary": "The object store gains the versioned-delete surface its S3 Object Lock support always needed for real erasure. An unversioned delete on a versioning-enabled (Object-Lock) bucket only writes a delete-marker — the data version survives — so the framework's own delete could report success while a record protected for compliance, or one a data subject asked to erase, stayed on disk. b.objectStore / b.storage now carry a versionId: put and saveRaw return the version they created, deleteFile(key, { versionId, bypassGovernanceRetention }) targets a specific version (refused — not silently delete-markered — when it is under an active retention), and listVersions enumerates versions and delete-markers so an erasure workflow can find them. Backends with no version surface (the filesystem backend, and the current Azure and GCS adapters) refuse a versioned delete loudly rather than silently dropping the current object. Separately, the build toolchain's native bundler binary is now verified against a reviewed SHA-256 pin so a tampered or drifted binary is caught before it bundles the framework.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "Versioned object delete + listVersions for S3 Object-Lock erasure",
+          "body": "b.storage.deleteFile and the b.objectStore sigv4 backend now accept opts.versionId to erase a specific object version, and opts.bypassGovernanceRetention to lift a GOVERNANCE-mode retention for callers with the permission (COMPLIANCE stays immutable to everyone). b.storage.saveRaw and the backend put now return the versionId they created on a versioning-enabled bucket, and a new b.storage.listVersions(prefix) / backend listVersions enumerates every version and delete-marker (key, versionId, isLatest, deleteMarker, size, lastModified, etag) so a right-to-erasure or crypto-shred workflow can target prior versions. On a backend with no version surface, listVersions throws VERSIONS_UNSUPPORTED and a versioned delete throws VERSIONID_UNSUPPORTED rather than silently acting on the current object."
+        },
+        {
+          "title": "b.localDb.thin reaches SQLite resource-limit parity (limits option)",
+          "body": "b.localDb.thin now opens its node:sqlite handle with the same parse-time statement-size cap as b.db and the CLI — a SQL statement over 1 MiB is rejected at parse time, the SQLITE_LIMIT_LENGTH floor that guards prepare()/exec() of raw SQL against an attacker-influenced megaquery (SQLite's default is 1 GB). The cap is on by default; a new limits option (e.g. { sqlLength: 2 * 1024 * 1024 } or other SQLITE_LIMIT_* keys) lets an operator raise or extend it. Previously the thin opener had no limits plumbing, so a consumer on that path could not reach parity with the rest of the framework's SQLite surface."
+        }
+      ]
+    },
+    {
+      "heading": "Fixed",
+      "items": [
+        {
+          "title": "S3 Object-Lock version erasure is reachable through the framework delete path",
+          "body": "On a versioning-enabled (Object-Lock) bucket, an unversioned DELETE only writes a delete-marker — the protected data version survives untouched — yet the framework's delete had no versionId surface, so it issued the unversioned form and reported success while the bytes the lock protects remained. A retention or legal hold could therefore look enforced to the framework caller while the operation WORM actually blocks was unreachable. The delete path now targets the exact version: deleting a version under a COMPLIANCE retention is refused (it throws, even with bypassGovernanceRetention), a no-retention version erases cleanly, and the enforcement is proven end-to-end against MinIO through the framework's own API."
+        },
+        {
+          "title": "b.configDrift.verifyVendorIntegrity is now working-directory-independent",
+          "body": "The vendored-dependency integrity check resolved each manifest file path against process.cwd(), so it only worked when run from the application root. Run from anywhere else it read-failed every entry (reporting ok:false), and under a crafted working directory that happened to contain a clean vendor tree it could hash a different tree than the one actually loaded. It now resolves each file under the framework's own vendor directory by default — the tree loaded at runtime — and honors an explicit libVendorDir for verifying a deployed tree elsewhere, so the result no longer depends on where the process was started."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "Build toolchain native binary pinned to a reviewed hash",
+          "body": "The native bundler binary the build toolchain runs (esbuild's per-platform compiler, a development dependency that never ships in the runtime) is now verified against a SHA-256 pin captured by diffing the published package tarballs and hashing the binary. The build gate fails if the on-disk binary does not match the reviewed hash for its (version, platform); for a version that has not been reviewed it notes the gap and skips rather than trusting an unverified binary. A cross-artifact check keeps the version in agreement across package.json, the CI install step, and the hash map, so the gate can never quietly test a version that was never diffed — closing a real drift where CI had been installing an older patch than package.json declared. The reviewed diff is benign: version strings plus an installer size-bound and error-message hardening, no new install hooks, files, or network paths, and no runtime-dependency impact."
+        }
+      ]
+    },
+    {
+      "heading": "Detectors",
+      "items": [
+        {
+          "title": "Object-store erasure guard, esbuild-pin agreement, + structural re-anchoring of the lint detectors",
+          "body": "A new guard locks the object-store delete path to the versioned-erasure contract: b.storage.deleteFile must thread versionId to the backend, so it can never silently revert to the WORM-blind unversioned delete. A second guard enforces that the esbuild build-tool version agrees across package.json, the CI install step, and the binary-hash map, so a future bump can't update one and leave the gate testing an unreviewed version. Separately, the framework's internal codebase-pattern lint detectors were re-anchored from fixed character spans to structural code boundaries, so they keep matching the code they guard as those functions grow rather than aging out of range; reviving them surfaced a few internal validation and transaction sites that now route through shared helpers (a required positive-integer-with-range validator and an async transaction wrapper) instead of hand-rolling the check. No public API change."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.15.11.json

@@ -0,0 +1,52 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.15.11",
+  "date": "2026-06-14",
+  "headline": "Replaces a family of quadratic-time regexes that hostile input could use to stall a worker with linear scans, refuses a relocatable sealed-cell downgrade on the read side, fails closed when enabling row-level security behind a non-native driver, and scans the vendored crypto for known CVEs on every build",
+  "summary": "Several text-handling primitives stripped trailing whitespace or extracted a mail address with a regex whose backtracking is quadratic in the input length on adversarial strings — a request body, a YAML document, a CSV cell, or a From header crafted as a long run of spaces could pin a worker's CPU. Each is now a linear character scan with identical output. The HTML-content check the MCP tool surface applies gained the vbscript: and data:text/html vectors it was missing. On the data-at-rest side, an AAD-bound (or per-row-key) column now refuses a plain, unbound vault cell on read — a relocatable envelope an attacker with write access could copy in from another row defeats the cross-row binding, so the field is nulled rather than surfaced; operators mid-migration opt back in with registerTable({ allowPlainMigration: true }). declareRowPolicy now treats row-level-security as enabled only on a value that unambiguously means true, so a non-native Postgres driver that returns the string \"f\" can no longer be read as \"already on\" and silently skip the ENABLE that protects the table's rows. Finally, because the framework's crypto is vendored rather than installed, npm audit and Dependabot never see it: every build now matches the vendored versions against the OSV vulnerability database, with a complementary Semgrep pass and workflow-file static analysis alongside.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "b.safeBuffer.indexAfterOpenTag(html, tagName)",
+          "body": "A linear helper that returns the offset just past a `<tag ...>` opening tag (case-insensitive), or -1 when absent or unterminated — the insertion point a response rewriter uses to splice content after <body> or <head> without a regex. It replaces the O(n^2) html.match(/<body[^>]*>/i) shape and is stricter than it: a real tag boundary is required after the name, so <bodyfoo> is not mistaken for <body>."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "Linear-time replacements across a family of quadratic regexes (ReDoS class)",
+          "body": "Several primitives located or stripped text with a regex whose backtracking is quadratic in V8 on adversarial input (CWE-1333): b.safeBuffer and the safe-env / safe-yaml / guard-csv parsers stripped trailing horizontal whitespace with /[ \\t]+$/; b.mail extracted the address from a `Name <addr>` header with /<([^>]+)>/; the bot-disclosure and speculation-rules response middleware found the <body> insertion point with /<body[^>]*>/i; and the BIMI certificate-chain splitter walked PEM blocks with a lazy /BEGIN[\\s\\S]*?END/ scan. A crafted field — a long run of spaces, an unterminated bracket, a body carrying many <body starts with no closing >, a chain of BEGIN markers — could drive a worker's CPU to seconds of work. Each is now a linear scan: a shared b.safeBuffer.stripTrailingHspace (backward char walk), b.safeBuffer.indexAfterOpenTag (forward indexOf walk for the tag insertion point), a forward indexOf for address extraction, and an indexOf walk for the PEM split. Output is byte-identical (the tag-find is stricter — it no longer mistakes <bodyfoo> for <body>), and 400K-character adversarial inputs that took 8–85 seconds now complete in under 2 ms."
+        },
+        {
+          "title": "MCP HTML-content check covers vbscript: and data:text/html",
+          "body": "The dangerous-markup check applied to text/html tool content matched <script>/<iframe>/<object>/<embed> and javascript: URLs but not the vbscript: scheme or data:text/html payloads. Both are now refused; data: URLs carrying non-HTML media (data:image/png and similar) are unaffected."
+        },
+        {
+          "title": "AAD-bound columns refuse a plain sealed cell on read",
+          "body": "b.cryptoField.unsealRow now refuses a plain, unbound vault: envelope found on an AAD-bound (or per-row-key) column and nulls the field instead of returning it. A plain envelope carries no per-cell binding, so a writer who could place one — copied from anywhere under the same vault root — would otherwise relocate a value across rows or columns and defeat the copy-protection the AAD binding advertises. Operators migrating pre-AAD rows up to bound ciphertext opt into a bounded acceptance window with registerTable({ allowPlainMigration: true }) and clear it when migration completes."
+        },
+        {
+          "title": "Row-level-security enablement fails closed on non-native drivers",
+          "body": "b.db.declareRowPolicy read pg_class.relrowsecurity to skip a redundant ENABLE ROW LEVEL SECURITY, but tested it with a bare truthiness check. A native pg driver returns a JS boolean; a proxy or ORM may return the string \"f\" for a disabled table — and \"f\" is truthy, so the check read it as already-enabled and silently skipped the ENABLE, leaving every row in the table unprotected while the migration reported success. RLS now counts as enabled only on a value that unambiguously means true (true, 1, or \"t\"/\"true\"/\"1\"/\"on\"/\"yes\"); every other shape re-issues ENABLE, a harmless no-op on an already-enabled table."
+        },
+        {
+          "title": "Vendored-crypto CVE scanning, complementary SAST, and workflow static analysis in CI",
+          "body": "The framework ships zero npm runtime dependencies — its crypto (the noble suite, the WebAuthn server, the PKI layer) is vendored under lib/vendor/, where npm audit, Dependabot, and Socket cannot see it. Every build now generates a CycloneDX SBOM of the vendored tree (each library carrying an npm purl) and runs it through OSV-Scanner, matching the exact pinned version against the OSV vulnerability database; a published CVE or GHSA affecting a vendored version fails the build so the copy is refreshed before merge. A Semgrep pass (registry security-audit + javascript packs at ERROR severity) runs alongside CodeQL as complementary SAST, and actionlint statically checks the workflow files. All three install the OSS tool from its upstream release, matching the existing secret-scan gate's posture."
+        }
+      ]
+    },
+    {
+      "heading": "Detectors",
+      "items": [
+        {
+          "title": "Quadratic trailing-whitespace and tag-find regex detectors",
+          "body": "Two codebase-pattern detectors refuse reintroduction of the quadratic shapes: the /[ \\t]+$/ trailing-whitespace strip (as .replace, .test, or via the named TRAILING_HSPACE_RE export) outside the linear helper that owns it, and the str.match(/<tag[^>]*>/) document-tag find that the response middleware must route through b.safeBuffer.indexAfterOpenTag. Each is proven to fire on the removed shape and stay silent on the linear replacement, so the ReDoS class cannot creep back into a new parser, guard, or response rewriter."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js

@@ -18,24 +18,32 @@
  * has its version deleted successfully, proving the refusal is the lock
  * and not a blanket failure.
  *
- * Why the versioned delete matters — and what it exposes about the
- * framework: WORM protects a specific object VERSION. An unversioned
- * `DELETE /key` on a versioned bucket always succeeds (it writes a
- * delete-marker; the protected version survives untouched). The
- * framework's object-store delete (`backend.delete(key)` /
- * `bucketOps.delete`) issues ONLY the unversioned form — there is no
- * versionId surface anywhere in lib/object-store. So:
+ * Why the versioned delete matters: WORM protects a specific object
+ * VERSION. An unversioned `DELETE /key` on a versioned bucket always
+ * succeeds (it writes a delete-marker; the protected version survives
+ * untouched). To actually erase — or be refused on — a protected version
+ * the request must carry `?versionId=<v>`.
  *
- *   (a) the framework's own delete() on a retained object SUCCEEDS and
- *       returns a clean result, masking the fact that the data version
- *       is still there — the framework delete path is not WORM-aware;
- *   (b) the operation WORM actually blocks (delete the protected version)
- *       can only be issued by hand-signing `DELETE /key?versionId=<v>`.
+ * The framework now exposes that surface: `backend.put()` returns the
+ * `versionId` it created, `backend.delete(key, { versionId })` targets a
+ * specific version (with `bypassGovernanceRetention` for GOVERNANCE mode),
+ * and `backend.listVersions(prefix)` enumerates versions + delete-markers
+ * so an erasure workflow can find them. This test proves WORM enforcement
+ * two ways:
  *
- * This test hand-signs that versioned delete with the framework's OWN
- * SigV4 signer (lib/object-store/sigv4.signRequest) so the proof is that
- * MinIO enforces the lock under a request the framework signed correctly
- * — no security bypass, real handshake, real signature.
+ *   (a) the SHIPPED consumer path — `backend.put` / `backend.delete({
+ *       versionId })` / `backend.listVersions` — reaches the lock: a
+ *       versioned delete of a COMPLIANCE version THROWS (refused), even
+ *       with bypassGovernanceRetention, while a no-retention version
+ *       erases cleanly;
+ *   (b) an independent hand-signed control with the framework's OWN SigV4
+ *       signer (lib/object-store/sigv4.signRequest), establishing MinIO's
+ *       ground-truth refusal under a correctly-signed request — no bypass,
+ *       real handshake, real signature.
+ *
+ * An unversioned `backend.delete(key)` still writes a delete-marker (the
+ * data version survives); that remains asserted so the delete-marker vs
+ * version-erasure distinction is not silently lost.
  *
  * Observed MinIO behaviour (ground truth, captured live): the versioned
  * delete of a COMPLIANCE-retained version is refused with HTTP 400
@@ -224,6 +232,72 @@ async function _runWormOnEndpoint(label, endpoint, extraConfig) {
         afterRefuse.statusCode === 200 &&
         Buffer.compare(Buffer.from(afterRefuse.body || []), payload) === 0);
 
+  // ============================================================
+  // FRAMEWORK API — the shipped versionId surface reaches the lock
+  // ============================================================
+  // Everything above is hand-signed ground truth. This block drives the
+  // SHIPPED consumer path (backend.put / backend.delete({versionId}) /
+  // backend.listVersions) to prove the framework itself now reaches WORM
+  // enforcement — no hand-signing.
+  var fwKey = "fw-worm-" + Math.floor(Math.random() * 1e6) + ".txt";
+  var fwPayload = Buffer.from("framework-immutable " + new Date().toISOString(), "utf8");
+
+  // put() now RETURNS the versionId it used to discard.
+  var fwPut = await backend.put(fwKey, fwPayload, { multipart: false });
+  check("[" + label + "] framework put() returns a versionId (was discarded before this fix)",
+        typeof fwPut.versionId === "string" && fwPut.versionId.length > 0);
+
+  await ops.setObjectRetention(bucket, fwKey, {
+    mode:        "COMPLIANCE",
+    retainUntil: new Date(Date.now() + b.constants.TIME.hours(1)),
+  });
+
+  // listVersions() enumerates the version so an erasure workflow can find it.
+  var listed = await backend.listVersions(fwKey);
+  var foundFw = listed.items.filter(function (it) {
+    return it.key === fwKey && it.versionId === fwPut.versionId;
+  });
+  check("[" + label + "] framework listVersions() enumerates the protected version " +
+        "(isLatest, not a delete-marker)",
+        foundFw.length === 1 && foundFw[0].isLatest === true && foundFw[0].deleteMarker === false);
+
+  // An UNVERSIONED framework delete still writes a delete-marker — the data
+  // version survives. Asserted so the delete-marker vs version-erasure
+  // distinction is never silently lost.
+  var fwMarkerDel = await backend.delete(fwKey);
+  check("[" + label + "] framework delete(key) without versionId still succeeds (delete-marker)",
+        fwMarkerDel === true);
+  var fwSurvived = await backend.get(fwKey, { versionId: fwPut.versionId });
+  check("[" + label + "] protected version survives the unversioned framework delete",
+        Buffer.compare(Buffer.from(fwSurvived || []), fwPayload) === 0);
+
+  // delete({ versionId }) targets the protected version → WORM refuses → the
+  // framework call THROWS (no longer a silent delete-marker success).
+  var fwRefused = false;
+  try {
+    await backend.delete(fwKey, { versionId: fwPut.versionId });
+  } catch (_e) { fwRefused = true; }
+  check("[" + label + "] framework delete({versionId}) on a COMPLIANCE version is REFUSED (throws)",
+        fwRefused === true);
+
+  // bypassGovernanceRetention via the framework does NOT defeat COMPLIANCE.
+  var fwBypassRefused = false;
+  try {
+    await backend.delete(fwKey, { versionId: fwPut.versionId, bypassGovernanceRetention: true });
+  } catch (_e) { fwBypassRefused = true; }
+  check("[" + label + "] framework delete({versionId, bypassGovernanceRetention}) STILL refused — " +
+        "COMPLIANCE is immutable to everyone",
+        fwBypassRefused === true);
+
+  // Control via the framework: a no-retention version erases through
+  // delete({ versionId }) → true. Proves the refusal above is the lock, not
+  // a blanket failure of the framework versioned-delete path.
+  var fwCtlKey = "fw-control-" + Math.floor(Math.random() * 1e6) + ".txt";
+  var fwCtlPut = await backend.put(fwCtlKey, Buffer.from("fw-disposable"), { multipart: false });
+  var fwCtlErased = await backend.delete(fwCtlKey, { versionId: fwCtlPut.versionId });
+  check("[" + label + "] framework delete({versionId}) erases a no-retention version (true)",
+        fwCtlErased === true);
+
   // ============================================================
   // CONTROL — no retention: the version deletes fine
   // ============================================================