@blamejs/core 0.10.12 → 0.10.14

package/lib/daemon.js

@@ -237,13 +237,37 @@ function start(opts) {
       throw new DaemonError("daemon/already-running",
         "daemon.start: pidFile '" + pidFile + "' held by live PID " + existingLive);
     }
-    var logFd = logFile ? _openLogFd(logFile) : "ignore";
+    // Detached-stdio strategy diverges by platform:
+    //
+    //   POSIX: inherit the parent's open log FD via stdio so the child
+    //   writes to the operator's log file without re-opening it. POSIX
+    //   keeps the FD alive across the parent's exit; the child sees it
+    //   as fd 1 / 2 and writes normally.
+    //
+    //   Windows: passing a parent-opened FD through stdio causes the
+    //   child to die the moment the parent's handle is closed (the OS
+    //   ref-counts file handles per-process and the inherited handle
+    //   becomes invalid on parent exit). The Windows-safe pattern is
+    //   `stdio: "ignore"` + `windowsHide: true` so the child has no
+    //   inherited handles to lose, and the operator's child code opens
+    //   the log file itself once its logger initialises. The child is
+    //   responsible for `--log` parsing on Windows — pass it via
+    //   `opts.args` and let the application code handle the open.
+    var isWindows = process.platform === "win32";
+    var logFd = (!isWindows && logFile) ? _openLogFd(logFile) : null;
+    var spawnStdio;
+    if (isWindows || logFd === null) {
+      spawnStdio = "ignore";
+    } else {
+      spawnStdio = ["ignore", logFd, logFd];
+    }
     var child;
     try {
       child = processSpawn.spawn(opts.command, opts.args || [], {
-        detached: true,
-        stdio:    ["ignore", logFd, logFd],
-        cwd:      typeof opts.cwd === "string" ? opts.cwd : undefined,
+        detached:    true,
+        stdio:       spawnStdio,
+        cwd:         typeof opts.cwd === "string" ? opts.cwd : undefined,
+        windowsHide: isWindows ? true : undefined,
       });
     } catch (e) {
       try { if (typeof logFd === "number") nodeFs.closeSync(logFd); }
@@ -267,6 +291,7 @@ function start(opts) {
       logFile:     logFile,
       commandKind: "detached-fork",
       pid:         child.pid,
+      stdioMode:   isWindows ? "ignore-windows" : (logFd === null ? "ignore" : "inherit-logfd"),
     });
     log("daemon started (detached) pid=" + child.pid + " pidFile=" + pidFile);
     return { pid: child.pid, pidFile: pidFile, logFile: logFile, mode: "detached" };

package/lib/mail-crypto-pgp.js

@@ -60,15 +60,16 @@
  *   Deferred from v1 (each with the documented condition for opting in):
  *     - In-process encrypt + decrypt (Message Encrypted Session Key +
  *       Symmetrically Encrypted Integrity Protected Data packets,
- *       RFC 9580 §5.1 / §5.13). Defer condition: no operator demand
- *       surfaced for in-process encrypt-to-recipient yet. Operators
- *       wanting at-rest encrypted mail blobs compose `b.vault` +
- *       `b.cryptoField`; operators wanting wire-level encrypt-to-
- *       recipient with WKD key discovery wait for v0.9.59 once
- *       `b.publicSuffix` + WKD lookup are confirmed. Cheap escape
- *       hatch: operators wire a third-party OpenPGP library in their
- *       own consumer code and call sign() / verify() on the resulting
- *       cleartext blob.
+ *       RFC 9580 §5.1 / §5.13) and WKD key discovery (draft-koch-
+ *       openpgp-webkey-service). Defer condition: ships in v0.10.14
+ *       alongside `b.mail.crypto.smime` sign + verify — the CMS
+ *       substrate `b.cms` landed in v0.10.13 unblocked the S/MIME
+ *       side, and OpenPGP encrypt rides the same release so the
+ *       mail-crypto surface lights up coherently rather than half-
+ *       on-each-side across two patches. Cheap escape hatch (pre-
+ *       v0.10.14): operators wire a third-party OpenPGP library in
+ *       their own consumer code and call this module's sign() /
+ *       verify() on the resulting cleartext blob.
  *     - v6 signature packets (RFC 9580 §5.2.3, packet version 6 with
  *       SHA2-512 fingerprints and salted hashes). Defer condition: v6
  *       is not yet emitted by GnuPG 2.4 LTS or by Sequoia stable, so

package/lib/mail-crypto-smime.js

@@ -64,38 +64,22 @@
  *     packet decoder shipped in `b.mail.crypto.pgp` — but with
  *     dramatically more shape variation across implementations.
  *
- *     Defer condition: no operator demand has surfaced for in-process
- *     S/MIME verification; operators receiving S/MIME-signed mail
- *     today either (a) trust the gateway's authentication-results
- *     header (composed via `b.mail.authResults`) and treat S/MIME as
- *     a downstream concern, or (b) run S/MIME verification in their
- *     own consumer code with a vetted CMS library. Reopen this
- *     surface when ALL of the following hold:
- *       1. At least one operator surfaces concrete demand for
- *          in-process S/MIME verify (use case + sample message
- *          shape).
- *       2. A vendorable ASN.1 BER/DER decoder lands in `lib/vendor/`
- *          under the framework's vendoring discipline (MANIFEST.json
- *          + sha256 pin + no transitive deps), OR an operator
- *          provides a tested decoder we can fold in directly.
- *       3. RFC 8551 §2.5 + RFC 5652 §11 conformance test vectors are
- *          available to drive the implementation. (NIST PKITS-style
- *          test vectors exist for X.509 chain validation; equivalent
- *          coverage for CMS SignedData is sparser.)
+ *     Reopen condition: the in-tree CMS substrate (`b.cms`) shipped
+ *     in v0.10.13 — the RFC 5652 SignedData encode + decode + PQC
+ *     signer dispatch is now available. The S/MIME wire layer
+ *     (multipart/signed framing, micalg mapping, base64 DER body,
+ *     Content-Type parameters) lights up on top of `b.cms` in
+ *     v0.10.14 alongside `b.mail.crypto.pgp` encrypt + decrypt + WKD
+ *     discovery, so operators get the full mail-crypto surface in a
+ *     single release rather than half of each side.
  *
- *     Cheap escape hatch: operators wire `node-forge` / `pkijs` /
- *     openssl(1) (via child_process) in their own consumer code,
- *     extract the signed payload + signature components, and compose
- *     with `b.mail.authResults` to record the verification outcome
- *     for downstream policy. The S/MIME wire-format constants
- *     (Content-Type protocol parameter, micalg mapping, base64 DER
- *     framing) are stable and operator-side code interoperates with
- *     any inbound S/MIME-signed message regardless of this module's
- *     state.
- *
- *     v2 reopen tag: the next minor (v0.9.60+) once the conditions
- *     above are met. The deferred surface lights up sign+verify
- *     together so operators never see a half-implementation.
+ *     Cheap escape hatch (pre-v0.10.14): operators wanting in-process
+ *     S/MIME today compose `b.cms.encodeSignedData` directly with a
+ *     hand-written multipart/signed wrapper. The MIME framing is two
+ *     parts (the signed content + `application/pkcs7-signature` body
+ *     carrying the base64-encoded CMS DER from `b.cms`); the helper
+ *     in v0.10.14 collapses that into `b.mail.crypto.smime.sign({ ... })`
+ *     so the next-release path is additive, not a rewrite.
  *
  * RFC citations:
  *   - RFC 8551 (S/MIME 4.0 Message Specification, April 2019;

package/lib/metrics.js

@@ -783,23 +783,66 @@ function _resetForTest() {
  *   path:        string,    // absolute path to write the snapshot
  *   intervalMs:  number,    // milliseconds between flushes (>=100)
  *   fields:      Function,  // returns an object — written as JSON
+ *   registry:    object,    // optional `b.metrics.create()` handle — adds a
+ *                           //   structured `metrics` field carrying every
+ *                           //   registered counter / gauge / histogram (incl.
+ *                           //   bucket counts) so sidecar readers compose
+ *                           //   histogram_quantile() against the snapshot
  *   fileMode:    number,    // POSIX mode (default 0o640 — owner rw, group r)
  *
  * @example
+ *   var registry = b.metrics.create();
+ *   var latency  = registry.histogram("op_latency_seconds", { buckets: [0.01, 0.1, 1] });
  *   var stop = b.metrics.snapshot.startWriter({
  *     path:       "/run/blamejs/metrics.json",
  *     intervalMs: 5000,
- *     fields:     function () {
- *       return {
- *         uptimeMs:    process.uptime() * 1000,
- *         queueDepth:  myQueue.size,
- *         lastSyncAt:  lastSyncAt,
- *       };
- *     },
+ *     registry:   registry,
+ *     fields:     function () { return { uptimeMs: process.uptime() * 1000 }; },
  *   });
- *   // ... on SIGTERM:
+ *   // Snapshot file: { writtenAt, fields, metrics: { op_latency_seconds: { type, buckets, observations: [{ labels, counts, sum, count }] } } }
  *   stop();
  */
+function _serializeRegistry(registry) {
+  // Walk every registered metric in the registry.metrics Map and emit
+  // a JSON-friendly structured shape. Histograms get full buckets +
+  // bucket counts so downstream consumers compose
+  // `histogram_quantile()` against the snapshot without a separate
+  // exposition endpoint (issue #100).
+  var out = {};
+  var names = registry.metrics instanceof Map
+    ? Array.from(registry.metrics.keys()).sort()
+    : Object.keys(registry.metrics).sort();
+  for (var i = 0; i < names.length; i += 1) {
+    var name = names[i];
+    var m = registry.metrics instanceof Map ? registry.metrics.get(name) : registry.metrics[name];
+    if (!m) continue;
+    var entry = { type: m.type, help: m.help || "", labelNames: m.labelNames || [] };
+    if (m.type === "histogram") {
+      entry.buckets = m.buckets.slice();
+      entry.observations = [];
+      var hKeys = m.values instanceof Map ? Array.from(m.values.keys()).sort() : Object.keys(m.values).sort();
+      for (var hi = 0; hi < hKeys.length; hi += 1) {
+        var hv = m.values instanceof Map ? m.values.get(hKeys[hi]) : m.values[hKeys[hi]];
+        entry.observations.push({
+          labels: hv.labels,
+          counts: hv.counts.slice(),
+          sum:    hv.sum,
+          count:  hv.count,
+        });
+      }
+    } else {
+      entry.observations = [];
+      var vKeys = m.values instanceof Map ? Array.from(m.values.keys()).sort() : Object.keys(m.values).sort();
+      for (var vi = 0; vi < vKeys.length; vi += 1) {
+        var vv = m.values instanceof Map ? m.values.get(vKeys[vi]) : m.values[vKeys[vi]];
+        entry.observations.push({ labels: vv.labels, value: vv.value });
+      }
+    }
+    out[name] = entry;
+  }
+  return out;
+}
+
 function snapshotStartWriter(opts) {
   opts = opts || {};
   validateOpts.requireNonEmptyString(opts.path,
@@ -813,8 +856,21 @@ function snapshotStartWriter(opts) {
     throw new MetricsError("metrics-snapshot/bad-fields",
       "metrics.snapshot.startWriter: opts.fields must be a function returning the snapshot object");
   }
+  // Issue #100 — optional `registry` handle pulls every registered
+  // metric into a structured `metrics` field in the JSON snapshot:
+  // counters / gauges as `{ value }` per label set, histograms as
+  // `{ buckets, observations }` with bucket counts + sum + count.
+  // Sidecar readers compose `histogram_quantile()` against the
+  // snapshot file without running a separate /metrics endpoint.
+  if (opts.registry !== undefined && opts.registry !== null &&
+      (typeof opts.registry !== "object" || typeof opts.registry.metrics !== "object")) {
+    throw new MetricsError("metrics-snapshot/bad-registry",
+      "metrics.snapshot.startWriter: opts.registry must be a metrics registry " +
+      "(from b.metrics.create()) or omitted");
+  }
   var p          = opts.path;
   var fieldsFn   = opts.fields;
+  var registry   = opts.registry || null;
   var intervalMs = opts.intervalMs;
   // CRYPTO-6 — file mode for the atomic write. Default 0o640
   // (owner rw, group r, world none). Operators with a sidecar
@@ -844,6 +900,10 @@ function snapshotStartWriter(opts) {
       writtenAt: new Date().toISOString(),
       fields:    snap,
     };
+    if (registry) {
+      try { payload.metrics = _serializeRegistry(registry); }
+      catch (e2) { log("snapshot.metrics serialize failed: " + ((e2 && e2.message) || String(e2))); }
+    }
     try {
       // CRYPTO-6 — default 0o640 (owner rw, group r, world none) so
       // operator-supplied snapshot fields aren't world-readable on a

package/lib/stream-throttle.js

@@ -0,0 +1,235 @@
+"use strict";
+/**
+ * @module     b.streamThrottle
+ * @nav        Networking
+ * @title      Stream Throttle
+ * @order      130
+ * @slug       stream-throttle
+ *
+ * @card
+ *   Shared token-bucket bandwidth limiter for `node:stream` pipelines.
+ *   Caps aggregate bytes-per-second across N concurrent streams that
+ *   draw from the same bucket — the missing primitive between per-
+ *   request rate-limit and per-process worker pool.
+ *
+ * @intro
+ *   `b.streamThrottle.create({ bytesPerSec, burstBytes })` returns a
+ *   token bucket that hands out `transform()` instances; every
+ *   transform consumes from the same shared bucket. Operators wiring
+ *   bulk-transfer daemons (object-storage fan-out, log shippers,
+ *   replication readers) compose a single throttle and apply it
+ *   to every concurrent transfer — N parallel transforms share the
+ *   `bytesPerSec` budget rather than each getting their own.
+ *
+ *   Algorithm:
+ *
+ *   - Bucket holds up to `burstBytes` tokens (default = `bytesPerSec`,
+ *     i.e. one second of headroom). Tokens refill at `bytesPerSec`
+ *     bytes per second, capped at `burstBytes`. Refill is computed
+ *     lazily on every chunk write so there is no per-throttle timer.
+ *   - On each chunk, the transform asks the bucket for the chunk's
+ *     byte count. If enough tokens are available, the chunk passes
+ *     immediately and the tokens are decremented. If not, the
+ *     transform sleeps for `ceil((bytes - tokens) / bytesPerSec * 1000)`
+ *     ms and then retries — the chunk is forwarded as-is once the
+ *     debt is paid.
+ *
+ *   Composes with:
+ *
+ *   - `node:stream.pipeline(src, throttle.transform(), dst)` — the
+ *     transform is a regular `stream.Transform`, so backpressure
+ *     flows in both directions without operator wiring.
+ *   - `b.appShutdown` — the throttle has no background timer; once
+ *     every transform finishes its `_transform`, the bucket is
+ *     garbage-collected with the surrounding daemon.
+ *
+ *   Refusal posture:
+ *
+ *   - `bytesPerSec <= 0` / non-finite throws `stream-throttle/bad-rate`.
+ *   - `burstBytes < bytesPerSec` throws `stream-throttle/bad-burst`
+ *     (smaller burst than refill rate would stall on a single full-rate
+ *     chunk forever).
+ *   - Chunks larger than `burstBytes` would never fit in the bucket;
+ *     `transform({ allowOversize: true })` opts into splitting them
+ *     across multiple wait windows. Default refuses with a typed error
+ *     so operators catch this at config time.
+ *
+ *   RFC + reference:
+ *
+ *   - [RFC 2697 srTCM](https://www.rfc-editor.org/rfc/rfc2697.html) — single-rate
+ *     three-color marker, the canonical token-bucket shape this primitive
+ *     implements (single PIR + CBS, no committed burst tier).
+ *   - [Wikipedia: Token bucket](https://en.wikipedia.org/wiki/Token_bucket).
+ */
+
+var nodeStream = require("node:stream");
+var { defineClass } = require("./framework-error");
+
+var StreamThrottleError = defineClass("StreamThrottleError", { alwaysPermanent: true });
+
+// Milliseconds-per-second conversion factor — used for rate arithmetic
+// (bytes/sec ↔ wait-ms). This is a unit-conversion constant, not a
+// memory cap or protocol-byte literal; the framework's C.TIME / C.BYTES
+// helpers don't apply.
+var MS_PER_SECOND = 1000;                                                                             // allow:raw-byte-literal — ms/sec unit conversion // allow:raw-time-literal — ms/sec unit conversion
+var NS_PER_MS     = 1e6;                                                                              // allow:raw-byte-literal — ns/ms unit conversion
+var MS_PER_SECOND_HRTIME = 1000;                                                                      // allow:raw-byte-literal — hrtime seconds→ms // allow:raw-time-literal — hrtime seconds→ms
+
+/**
+ * @primitive b.streamThrottle.create
+ * @signature b.streamThrottle.create(opts)
+ * @since     0.10.13
+ * @status    stable
+ * @related   b.streamThrottle
+ *
+ * Create a shared token bucket. Returns `{ transform(opts?), state() }`.
+ * `transform(tOpts?)` returns a `stream.Transform` that consumes from
+ * the shared bucket; multiple transforms returned from the same
+ * bucket share the rate budget. `state()` returns
+ * `{ bytesPerSec, burstBytes, tokens, lastRefillMs }` for observation.
+ *
+ * Refill resilience: `_refill` clamps elapsed-since-last-refill to
+ * the "empty-to-full" duration (`burstBytes / bytesPerSec` seconds)
+ * so an NTP clock step or VM resume can't credit hours of pent-up
+ * tokens into the bucket in a single call.
+ *
+ * @opts
+ *   bytesPerSec:  number,    // refill rate (bytes per second; required, > 0)
+ *   burstBytes:   number,    // bucket capacity (default = bytesPerSec)
+ *
+ * `transform(tOpts)` opts:
+ *   allowOversize: boolean,  // permit chunks larger than burstBytes (default false)
+ *   maxWaitMs:     number,   // per-chunk wait ceiling — when set, any
+ *                            //   computed wait > maxWaitMs refuses the chunk
+ *                            //   with `stream-throttle/wait-exceeds-max`
+ *                            //   instead of silently pinning the pipeline.
+ *
+ * @example
+ *   var throttle = b.streamThrottle.create({ bytesPerSec: 5 * 1024 * 1024 });
+ *   await new Promise(function (resolve, reject) {
+ *     require("node:stream").pipeline(src, throttle.transform(), dst,
+ *       function (e) { return e ? reject(e) : resolve(); });
+ *   });
+ */
+function create(opts) {
+  opts = opts || {};
+  if (typeof opts.bytesPerSec !== "number" || !isFinite(opts.bytesPerSec) || opts.bytesPerSec <= 0) {
+    throw new StreamThrottleError("stream-throttle/bad-rate",
+      "streamThrottle.create: opts.bytesPerSec must be a finite number > 0, got " + opts.bytesPerSec);
+  }
+  var bytesPerSec = opts.bytesPerSec;
+  var burstBytes  = opts.burstBytes !== undefined ? opts.burstBytes : bytesPerSec;
+  if (typeof burstBytes !== "number" || !isFinite(burstBytes) || burstBytes <= 0) {
+    throw new StreamThrottleError("stream-throttle/bad-burst",
+      "streamThrottle.create: opts.burstBytes must be a finite number > 0, got " + burstBytes);
+  }
+  if (burstBytes < bytesPerSec) {
+    throw new StreamThrottleError("stream-throttle/bad-burst",
+      "streamThrottle.create: opts.burstBytes (" + burstBytes + ") must be >= bytesPerSec (" +
+      bytesPerSec + ") — a smaller burst than refill rate stalls forever on a single full-rate chunk");
+  }
+  var tokens     = burstBytes;
+  var lastRefill = _hrtimeMs();
+
+  // Cap how far elapsed-since-last-refill can stretch in one call.
+  // Without the cap, a system clock jump (NTP step / VM resume / a
+  // process suspended in a debugger) credits the bucket with enough
+  // tokens to drain hours of pent-up backlog in a single chunk —
+  // defeating the rate ceiling for the recovery window. The cap
+  // is `burstBytes / bytesPerSec` seconds — exactly the time it
+  // takes to refill an empty bucket to full at the configured rate
+  // — so legitimate idle periods recover correctly while clock
+  // skew never overshoots.
+  var maxElapsedMs = Math.ceil((burstBytes / bytesPerSec) * MS_PER_SECOND);
+
+  function _refill() {
+    var now      = _hrtimeMs();
+    var elapsed  = now - lastRefill;
+    if (elapsed > maxElapsedMs) elapsed = maxElapsedMs;
+    if (elapsed > 0) {
+      tokens     = Math.min(burstBytes, tokens + (elapsed / MS_PER_SECOND) * bytesPerSec);
+      lastRefill = now;
+    }
+  }
+
+  function _consume(bytes, allowOversize) {
+    if (bytes > burstBytes && !allowOversize) {
+      throw new StreamThrottleError("stream-throttle/oversize-chunk",
+        "chunk of " + bytes + " bytes exceeds burstBytes=" + burstBytes +
+        "; pass transform({ allowOversize: true }) to split across wait windows");
+    }
+    _refill();
+    if (tokens >= bytes) {
+      tokens -= bytes;
+      return 0;
+    }
+    // Bucket has a deficit. Deduct the full chunk's bytes — the bucket
+    // goes negative — and tell the caller to wait for the deficit to
+    // refill. Subsequent _refill() calls re-accumulate from there, so
+    // the next consume sees an accurate budget. A parallel transform
+    // hitting the same bucket while it is negative also waits.
+    var deficitBytes = bytes - tokens;
+    var waitMs       = Math.ceil((deficitBytes / bytesPerSec) * MS_PER_SECOND);
+    tokens -= bytes;
+    return waitMs;
+  }
+
+  function transform(tOpts) {
+    tOpts = tOpts || {};
+    var allowOversize = tOpts.allowOversize === true;
+    // Per-chunk wait ceiling. A misconfigured operator passing
+    // chunkBytes / bytesPerSec ratios that schedule a 10-minute
+    // single-chunk wait would otherwise pin the pipeline silently;
+    // when `maxWaitMs` is set, any computed wait > maxWaitMs refuses
+    // the chunk with `stream-throttle/wait-exceeds-max`. Defaults to
+    // omitted (no ceiling) for back-compat with operators wanting
+    // the historical "wait however long" behavior.
+    var maxWaitMs = tOpts.maxWaitMs;
+    if (maxWaitMs !== undefined &&
+        (typeof maxWaitMs !== "number" || !isFinite(maxWaitMs) || maxWaitMs <= 0)) {
+      throw new StreamThrottleError("stream-throttle/bad-max-wait",
+        "transform: maxWaitMs must be a finite number > 0, got " + maxWaitMs);
+    }
+    return new nodeStream.Transform({
+      transform: function (chunk, _enc, cb) {
+        var buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+        var bytes = buf.length;
+        var waitMs;
+        try { waitMs = _consume(bytes, allowOversize); }
+        catch (e) { cb(e); return; }
+        if (maxWaitMs !== undefined && waitMs > maxWaitMs) {
+          cb(new StreamThrottleError("stream-throttle/wait-exceeds-max",
+            "computed wait " + waitMs + "ms exceeds maxWaitMs=" + maxWaitMs +
+            " (chunk=" + bytes + " bytes, rate=" + bytesPerSec + " bytes/s) — " +
+            "reduce chunk size, increase rate, or raise maxWaitMs"));
+          return;
+        }
+        if (waitMs === 0) { cb(null, buf); return; }
+        setTimeout(function () { cb(null, buf); }, waitMs);
+      },
+    });
+  }
+
+  function state() {
+    _refill();
+    return {
+      bytesPerSec: bytesPerSec,
+      burstBytes:  burstBytes,
+      tokens:      tokens,
+      lastRefillMs: lastRefill,
+    };
+  }
+
+  return { transform: transform, state: state };
+}
+
+function _hrtimeMs() {
+  // hrtime returns [s, ns] integer pair; convert to ms float.
+  var t = process.hrtime();
+  return t[0] * MS_PER_SECOND_HRTIME + t[1] / NS_PER_MS;
+}
+
+module.exports = {
+  create:              create,
+  StreamThrottleError: StreamThrottleError,
+};

package/lib/subject.js

@@ -635,16 +635,20 @@ function _subjectHash(subjectId) {
 
 function _writeAudit(action, subjectId, outcome, metadata) {
   // recordSafe — audit failure must not roll back the subject mutation
-  // that already touched the database. Best-effort emission with errors
-  // swallowed; operators see them in stderr if they fire.
-  audit.emit({
-    actor:    {},
-    action:   action,
-    resource: { kind: "subject", id: subjectId },
-    outcome:  outcome,
-    reason:   metadata && metadata.requestReason ? metadata.requestReason : null,
-    metadata: metadata || null,
-  });
+  // that already touched the database. Drop-silent per CLAUDE.md rule
+  // §5 (hot-path audit sinks): swallow any throw from audit.emit so a
+  // misconfigured sink doesn't crash a partially-committed subject
+  // mutation. Errors surface via the audit sink's own logger.
+  try {
+    audit.emit({
+      actor:    {},
+      action:   action,
+      resource: { kind: "subject", id: subjectId },
+      outcome:  outcome,
+      reason:   metadata && metadata.requestReason ? metadata.requestReason : null,
+      metadata: metadata || null,
+    });
+  } catch (_e) { /* drop-silent — audit emit failure must not block subject mutation */ }
 }
 
 function _resetForTest() { db.reset(); }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.10.12",
+  "version": "0.10.14",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:c0157c5c-5ef3-45a3-aef2-004727f9fd8c",
+  "serialNumber": "urn:uuid:538b90b1-594c-4130-b06c-a5a105757062",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-18T06:22:30.244Z",
+    "timestamp": "2026-05-18T21:01:40.359Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.10.12",
+      "bom-ref": "@blamejs/core@0.10.14",
       "type": "library",
       "name": "blamejs",
-      "version": "0.10.12",
+      "version": "0.10.14",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.10.12",
+      "purl": "pkg:npm/%40blamejs/core@0.10.14",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.10.12",
+      "ref": "@blamejs/core@0.10.14",
       "dependsOn": []
     }
   ]