@blamejs/core 0.13.33 → 0.13.35

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.35 (2026-05-29) — **In-memory replay, idempotency, DNS, and i18n stores gain entry-count ceilings.** Several framework caches keyed on request-influenced input grew without an upper bound between their periodic sweeps, so a flood of unique keys could exhaust process memory faster than the sweep reclaimed it. Each now enforces a hard entry ceiling. The replay-protection nonce store is the security-sensitive one: rather than evict a live nonce to admit a new one — which would reopen a replay window for the evicted nonce — it purges expired entries and then fails closed at capacity, refusing the unrecordable request instead of admitting it unprotected. The idempotency, DNS, and i18n caches hold re-derivable values, so they evict the oldest entry instead (the worst case is a recomputed value or a single re-executed retry under flood). Ceilings are generous defaults that normal traffic never reaches; the nonce store and the agent idempotency in-memory backend expose options to tune them. **Fixed:** *Agent idempotency in-memory backend no longer grows without bound* — The default in-memory backend for `b.agent.idempotency` is keyed on the request-supplied idempotency key, and its garbage collector only reclaims expired rows when an operator wires a scheduler to call it — so a flood of distinct keys could grow it until the process ran out of memory. It now caps its entry count and evicts oldest-first; a dropped record just means that one key re-executes on a later retry, never a crash. A new `maxInMemoryEntries` option tunes the ceiling (default 100,000); deployments needing a hard guarantee at scale still supply a durable `store`. · *DNS resolver cache is bounded* — The positive and negative resolver caches in `b.network.dns` reclaimed an expired entry only when the same hostname was looked up again, so entries for never-requeried hostnames persisted — and hostnames reaching the resolver are request-influenced (outbound request targets, mail MX lookups). Both caches now cap their entry count and evict oldest-first; DNS simply re-resolves on the next miss. · *i18n formatter cache is bounded* — Per-instance `Intl` formatter caches in `b.i18n` are keyed on the locale plus a hash of the format options. The format-options shape is open-ended and caller-supplied, so the key space was request-influenced and uncapped. The cache now enforces an entry ceiling and evicts oldest-first — a formatter is pure-derived and re-created on the next miss. **Security:** *Replay-nonce store bounds memory and fails closed under a nonce flood* — The in-memory `b.nonceStore` backend recorded every request-supplied nonce until a periodic sweep ran, so a stream of unique nonces could exhaust memory between sweeps (a memory-amplification denial of service). It now caps its entry count. Because a replay-protection store must never evict a live nonce to make room — doing so would reopen a replay window for the evicted nonce — it instead purges expired entries inline and, if still at capacity with live nonces, fails closed: the new request is refused rather than admitted without replay protection. A new `maxEntries` option tunes the ceiling (default 1,000,000).
+
+- v0.13.34 (2026-05-29) — **Corrupt TLS certs self-heal at boot, and graceful shutdown no longer loses the final DB flush.** Two failure-mode fixes in the same family as the encrypted-DB recovery in 0.13.33. The cert manager treated a corrupt sealed cert or key worse than a missing one: a missing file re-issues via ACME, but a corrupt one let a raw decrypt error escape out of start(), so the same bad file was read on every boot — an unrecoverable crash loop. A corrupt sealed cert/key is now treated like an absent one and re-issued, and a corrupt derived meta.json is re-derived rather than fatal; the ACME account key (which binds order history) instead fails with an actionable error rather than a raw throw. On the shutdown side, an encrypted database that failed its final re-encrypt used to delete its plaintext working copy anyway, discarding every write since the last periodic flush; it now keeps the working copy so the next boot recovers it. The shutdown orchestrator also gains a hard-deadline watchdog: when the operator delegates signal handling to it, a phase that never settles can no longer hold the process open until the supervisor SIGKILLs it (which would skip the final DB re-encrypt) — the watchdog forces a clean exit, so exit handlers still flush. The wiki production and base compose files set a stop_grace_period above that budget so a docker stop or rolling redeploy lets the re-encrypt finish. **Changed:** *Shutdown watchdog forces a clean, DB-flushing exit if a phase hangs* — The graceful-shutdown orchestrator uses soft per-phase timeouts — on expiry the underlying work keeps running — so a phase that never settles could hold the event loop open past the grace window, after which a container supervisor SIGKILLs the process and skips the final DB re-encrypt. When the operator opts into signal handling, a watchdog now forces `process.exit` `graceMs + forceExitMarginMs` after the signal; exit runs the registered handlers (the DB re-encrypt), so the last flush still happens. A new `forceExitMarginMs` option (default 5000) tunes the headroom; set the container stop grace above `graceMs + forceExitMarginMs`. · *Wiki compose sets stop_grace_period above the shutdown budget* — `examples/wiki/docker-compose.yml` and `docker-compose.prod.yml` now set `stop_grace_period: 40s`. Docker's 10s default would SIGKILL the container before the 30s shutdown budget reaches the DB re-encrypt phase, losing the final flush on a `docker stop` or rolling redeploy. The production note also reminds PaaS platforms that regenerate the compose (Coolify, Dokku, CapRover) to set the stop grace via the platform UI alongside the persistent-storage mount and `--shm-size`. **Fixed:** *A corrupt sealed TLS cert or key re-issues instead of crash-looping at boot* — `b.cert`'s start path read the sealed `cert.pem`/`key.pem` and let a raw unseal/decrypt error escape if the file was truncated or corrupt, so a managed restart read the same bad file on every boot — a crash loop, and worse handling than an absent file (which already re-issues). A corrupt sealed cert/key is now treated like a missing one: it is logged, an audit event is emitted, and the certificate is re-issued via ACME. A corrupt derived `meta.json` is likewise re-derived rather than throwing `cert/bad-meta`. · *Unreadable ACME account key fails with an actionable error, not a raw decrypt throw* — Unlike a re-issuable certificate, the ACME account key binds existing order and authorization history, so it is not silently regenerated on corruption. An unreadable `account/jwk.json.sealed` now raises `cert/account-key-unreadable` naming the file and the recovery (restore from backup, or delete to register a fresh account) instead of letting a raw decrypt/parse error escape out of start(). · *Encrypted DB keeps its working copy when the final shutdown re-encrypt fails* — `db.close()` re-encrypts the tmpfs working copy to `db.enc`, then deletes the working copy. If that final re-encrypt failed (a full `/dev/shm`, a full disk), the delete still ran, discarding every write since the last periodic flush and leaving only the older `db.enc`. The working copy is now kept whenever the re-encrypt fails, so the next boot's integrity-probed recovery picks up the latest writes (and still falls back to `db.enc` if the working copy is itself corrupt). `db.enc` is never modified by this path. **Detectors:** *Cross-artifact guard that stop_grace_period covers the shutdown budget* — A new codebase check fails if either wiki compose file omits `stop_grace_period` or sets it below the orchestrator's `graceMs` plus the watchdog margin read from `lib/app-shutdown.js`, so raising the shutdown budget without bumping the compose — or dropping the setting — cannot silently reopen the SIGKILL-before-re-encrypt data-loss window.
+
 - v0.13.33 (2026-05-28) — **Encrypted-mode DB recovers from a corrupt tmpfs working copy instead of crash-looping.** In encrypted-at-rest mode the live SQLite copy is decrypted into a tmpfs working file and re-encrypted to db.enc periodically. If that working copy was corrupted (an unclean shutdown, or a full tmpfs — Docker's /dev/shm defaults to 64 MiB), the boot path trusted it because its mtime was newer than db.enc, so db.init failed its integrity gate with "database disk image is malformed" identically on every boot — an unrecoverable crash loop. db now integrity-probes the newer working copy before trusting it: if it is unreadable, the working copy is discarded and db.enc (the last-good encrypted snapshot) is re-decrypted, so the next boot self-heals. db.enc is never modified by this path, and a genuinely-corrupt db.enc still fails loudly rather than wiping data. The boot error on an unreadable database is now actionable (it names the tmpfs-size cause and the recovery). The wiki production compose also gains the storage settings encrypted mode needs. **Fixed:** *Corrupt tmpfs working copy no longer causes a boot crash loop (encrypted-at-rest mode)* — `db.init`'s crash-recovery path preferred a newer tmpfs working copy over `db.enc` unconditionally. When that copy was corrupt (truncated by an unclean shutdown or a full `/dev/shm`), every boot trusted it and failed the integrity gate the same way — an unrecoverable loop. The newer working copy is now integrity-probed (`PRAGMA quick_check`); if it is unreadable it is discarded and `db.enc` — the last-good encrypted snapshot — is re-decrypted, so boot self-heals. `db.enc` is never modified, so this only ever rolls back to the persistent copy; if `db.enc` is also corrupt, boot still fails loudly (no silent data loss). A regression test pins the recovery. · *Actionable boot error when the database is unreadable* — When SQLite reports a database too corrupt to even run an integrity check, the boot error now names the likely cause and recovery instead of surfacing the raw "database disk image is malformed": in encrypted mode it points at the tmpfs working copy and the most common operational cause (Docker's 64 MiB `/dev/shm` default — raise it via `shm_size` / `--shm-size`), or restoring `db.enc` / the DB file from backup. · *Wiki production compose ships the storage encrypted mode needs* — `examples/wiki/docker-compose.prod.yml` now sets `shm_size: '512m'` (so the encrypted-mode tmpfs working copy has headroom above Docker's 64 MiB default) and mounts a persistent `wiki-data` volume at `/data` (so `db.enc` + sealed keys survive container recreate, host reboot, and image redeploys, and give a restore point). A note flags that PaaS platforms which regenerate the compose on deploy (Coolify, Dokku, CapRover, …) must set both via the platform UI — a persistent-storage mount for `/data` and a `--shm-size 512m` custom option.
 
 - v0.13.32 (2026-05-28) — **`b.auditDailyReview` enforces notify under the sox-404 posture; compliance doc corrections.** b.auditDailyReview documented `sox-404` (SOX §404 ICFR — the internal-controls regime this primitive serves) as one of the postures that make a `notify` callback mandatory at construction, but the enforcement set used only `sox`, so pinning `posture: "sox-404"` without a notify channel was silently accepted. `sox-404` is now in the mandatory-notify set, so the advertised guarantee holds (a regression test pins it). The rest are documentation corrections with no behavior change: b.compliance.posturesByDomain / posturesByJurisdiction examples showed small fixed arrays where the functions return every matching posture (the catalog has grown); b.dataAct's surface list named two methods that do not exist (the real surface is declareProduct / recordUserAccess / shareWithThirdParty / recordSwitchRequest, with gatekeeper refusal folded into shareWithThirdParty); b.secCyber.eightKArtifact's documented return key `audit` is actually `deadlineBusinessDays`; and b.compliance.aiAct.transparency's helper summary named `cspMetaTag` / a `watermark({ kind })` argument that are really `metaTags` / `watermark({ mediaKind })`. **Fixed:** *`b.auditDailyReview` requires a notify channel under the `sox-404` posture* — The docs listed `sox-404` among the postures that make a `notify` callback mandatory at create-time, but the enforcement set contained only `sox` — so `posture: "sox-404"` without `notify` was accepted instead of refused. `sox-404` (SOX §404 ICFR) is now in the mandatory-notify set, matching the documented guarantee; constructing without a notify channel under it throws `auditDailyReview/notify-required-under-posture`. · *`b.compliance` jurisdiction/domain lister examples no longer enumerate a stale fixed set* — `posturesByDomain` and `posturesByJurisdiction` return every posture matching the domain/jurisdiction, but their `@example`s showed small fixed arrays from before the posture catalog grew. The examples now show a representative prefix with `...` and note they return the full matching set. · *`b.dataAct` surface list matches the real methods* — The module surface listed `userAccessible(...)` and `refuseGatekeeper(...)`, neither of which exists. The real surface is `declareProduct` / `recordUserAccess` / `shareWithThirdParty` / `recordSwitchRequest`, and DMA-gatekeeper refusal (Art 32 §1) is enforced inside `shareWithThirdParty`. The doc now reflects that. · *`b.secCyber.eightKArtifact` documented return shape corrected* — The signature line showed `{ artifact, deadline, audit }`; the function returns `{ artifact, deadline, deadlineBusinessDays }` (there is no `audit` key). The doc now matches. · *`b.compliance.aiAct.transparency` helper names corrected* — The helper summary named a `cspMetaTag(...)` function and a `watermark({ kind })` argument; the real names are `metaTags(...)` and `watermark({ mediaKind })`. Calling the documented names threw. Also corrected: a `b.aiAdverseDecision` illustration showed an ECOA `statutoryDeadlines` shape that didn't match the regime's actual deadlines.

package/lib/agent-idempotency.js

@@ -68,6 +68,16 @@ var bCrypto           = require("./crypto");
 var safeJson          = require("./safe-json");
 var guardIdempotencyKey = require("./guard-idempotency-key");
 var agentAudit        = require("./agent-audit");
+var { boundedMap }    = require("./bounded-map");
+
+// The default in-memory backend is keyed on (method, actorId, keyHash) —
+// the key hash comes from request-supplied idempotency keys, so a flood of
+// distinct keys would grow the Map without bound (gc only reclaims EXPIRED
+// rows, and only if the operator wires a scheduler to call it). Cap it.
+// Evict-oldest degrades gracefully under flood: the worst case is a dropped
+// dedup record, so a retry of that one key re-executes — never an OOM.
+// Operators who need a hard guarantee at scale supply a durable `opts.store`.
+var DEFAULT_IN_MEMORY_MAX_ENTRIES = 100000;
 
 var audit             = lazyRequire(function () { return require("./audit"); });
 var cryptoField       = lazyRequire(function () { return require("./crypto-field"); });
@@ -130,7 +140,7 @@ function _ensureSealTable() {
  */
 function create(opts) {
   opts = opts || {};
-  var store = opts.store || _inMemoryBackend();
+  var store = opts.store || _inMemoryBackend(opts.maxInMemoryEntries);
   if (typeof store.get !== "function" || typeof store.put !== "function" ||
       typeof store.delete !== "function") {
     throw new AgentIdempotencyError("agent-idempotency/bad-store",
@@ -470,8 +480,10 @@ function _checkArgs(method, actorId, key) {
   // key is validated separately via guardIdempotencyKey.validate.
 }
 
-function _inMemoryBackend() {
-  var map = new Map();
+function _inMemoryBackend(maxEntries) {
+  // boundedMap validates maxEntries (throws bounded-map/bad-max-entries on a
+  // non-positive-int); undefined falls back to the default ceiling.
+  var map = boundedMap({ maxEntries: maxEntries || DEFAULT_IN_MEMORY_MAX_ENTRIES, policy: "evict-oldest" });
   function _k(method, actorId, hash) { return method + "\0" + actorId + "\0" + hash; }
   return {
     get:    function (method, actorId, hash) {

package/lib/app-shutdown.js

@@ -53,6 +53,10 @@ var AppShutdownError = defineClass("AppShutdownError", { alwaysPermanent: true }
 var log = boot("app-shutdown");
 
 var DEFAULT_GRACE_MS = C.TIME.seconds(30);
+// Headroom between the shutdown grace budget and the hard forced-exit
+// watchdog, so the watchdog fires before a container supervisor's own
+// stop-grace SIGKILL (set stop_grace_period > graceMs + this margin).
+var FORCE_EXIT_MARGIN_MS = C.TIME.seconds(5);
 
 /**
  * @primitive b.appShutdown.create
@@ -71,6 +75,7 @@ var DEFAULT_GRACE_MS = C.TIME.seconds(30);
  *
  * @opts
  *   graceMs:               number,    // total budget across all phases (default 30000)
+ *   forceExitMarginMs:     number,    // headroom after graceMs before the signal-handler watchdog forces exit (default 5000); set the container stop grace above graceMs + this
  *   phases:                array,     // [{ name, run: async fn, timeoutMs? }]
  *   installSignalHandlers: boolean,   // wire SIGTERM/SIGINT (default false)
  *   signals:               array,     // signal names (default ["SIGTERM","SIGINT"])
@@ -94,6 +99,9 @@ function create(opts) {
   numericBounds.requirePositiveFiniteIntIfPresent(opts.graceMs,
     "app-shutdown.create: opts.graceMs", AppShutdownError, "app-shutdown/bad-grace-ms");
   var graceMs = opts.graceMs !== undefined ? opts.graceMs : DEFAULT_GRACE_MS;
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.forceExitMarginMs,
+    "app-shutdown.create: opts.forceExitMarginMs", AppShutdownError, "app-shutdown/bad-force-exit-margin-ms");
+  var forceExitMarginMs = opts.forceExitMarginMs !== undefined ? opts.forceExitMarginMs : FORCE_EXIT_MARGIN_MS;
   var phases = Array.isArray(opts.phases) ? opts.phases.slice() : [];
   var installSignalHandlers = !!opts.installSignalHandlers;
   for (var i = 0; i < phases.length; i++) {
@@ -224,6 +232,30 @@ function create(opts) {
   function _signalCallback(sig) {
     return function () {
       log("received " + sig + " — initiating graceful shutdown");
+      // Hard-deadline safety net. Per-phase budgets use a SOFT timeout
+      // (withTimeout lets the underlying work keep running on expiry), so
+      // shutdown() RESOLVING does not guarantee the process EXITS: a hung
+      // phase's leaked handle (a socket that won't close, a timer that keeps
+      // firing) can hold the event loop alive past the grace window, after
+      // which the supervisor SIGKILLs us and the final DB re-encrypt is lost.
+      // Arm an unref'd watchdog that forces a clean exit at the deadline.
+      // It is deliberately NOT cleared when shutdown() resolves — the whole
+      // point is to catch the case where the orchestration finished but the
+      // process won't die. unref() so it never itself keeps us alive: a clean
+      // shutdown with no leaked handles exits naturally well before it fires.
+      // process.exit() runs the registered exit handlers (db re-encrypts
+      // there), so the last flush still happens.
+      var watchdog = setTimeout(function () {
+        log.error("shutdown exceeded " + (graceMs + forceExitMarginMs) +
+          "ms without the process exiting — forcing exit (exit handlers run " +
+          "the final DB flush) before the supervisor SIGKILLs");
+        // Bounded forced exit after the grace deadline, armed ONLY inside the
+        // signal handler (operator opted into installSignalHandlers,
+        // delegating process lifecycle to the orchestrator).
+        // allow:process-exit — operator-delegated lifecycle, watchdog only
+        process.exit(process.exitCode || 1);
+      }, graceMs + forceExitMarginMs);
+      if (typeof watchdog.unref === "function") watchdog.unref();
       shutdown().then(function (result) {
         if (process.exitCode === undefined || process.exitCode === 0) {
           process.exitCode = result.ok ? 0 : 1;

package/lib/bounded-map.js

@@ -0,0 +1,102 @@
+"use strict";
+/**
+ * bounded-map — a Map facade that caps its entry count.
+ *
+ * Defends the unbounded-in-bounded resource-exhaustion class: an in-memory
+ * store keyed on request-derived input (a locale, a hostname, an
+ * idempotency key, a replay nonce) grows without limit between sweeps
+ * unless something enforces a ceiling. A periodic TTL sweep alone does not
+ * bound peak memory — a flood of unique keys arrives faster than the sweep
+ * interval. This adds the missing ceiling.
+ *
+ * Two policies for what happens on `set` when already at `maxEntries`:
+ *
+ *   "evict-oldest" (default) — drop the oldest entry (insertion order)
+ *     to make room, then store the new one. For caches whose entries are
+ *     re-derivable on demand (Intl formatters, DNS results, idempotency
+ *     records) eviction is cheap — the worst case is a recomputed value or
+ *     a missed dedup under active flood, never a correctness or security
+ *     hole. `set` always stores and returns true.
+ *
+ *   "reject" — refuse the new entry (do NOT evict a live one) and return
+ *     false. For stores where evicting an unexpired entry would be unsafe:
+ *     a replay-protection nonce store must not drop a live nonce to admit a
+ *     new one, because that reopens a replay window for the dropped nonce.
+ *     The caller fails closed on a false return (treats the request as
+ *     un-recordable → reject it). Callers should purge expired entries
+ *     before relying on this so the ceiling is hit only under genuine flood.
+ *
+ * This is deliberately NOT `b.cache` — that is an operator-facing primitive
+ * with TTL, LRU-touch, observability, and pluggable backends. This is the
+ * minimal internal ceiling the framework's own request-keyed Maps need, and
+ * leaves TTL/expiry semantics to the caller (which already owns them).
+ *
+ * `onEvict(key, value)` (optional) fires when an entry is dropped to make
+ * room under "evict-oldest" — for an observability counter, say. It never
+ * fires under "reject" (nothing is evicted; the new entry is dropped).
+ */
+
+var numericBounds = require("./numeric-bounds");
+var { defineClass } = require("./framework-error");
+
+var BoundedMapError = defineClass("BoundedMapError");
+
+/**
+ * @param {object} opts
+ * @param {number} opts.maxEntries    - hard ceiling; throws if not a positive finite int
+ * @param {string} [opts.policy]      - "evict-oldest" (default) | "reject"
+ * @param {function} [opts.onEvict]   - (key, value) called on eviction under "evict-oldest"
+ * @returns Map-like facade: get/has/set/delete/clear, size getter, keys/values/entries/forEach, [Symbol.iterator]
+ */
+function boundedMap(opts) {
+  opts = opts || {};
+  if (!numericBounds.isPositiveFiniteInt(opts.maxEntries)) {
+    throw new BoundedMapError("bounded-map/bad-max-entries",
+      "boundedMap: opts.maxEntries must be a positive finite integer, got " + JSON.stringify(opts.maxEntries));
+  }
+  var maxEntries = opts.maxEntries;
+  var policy = opts.policy || "evict-oldest";
+  if (policy !== "evict-oldest" && policy !== "reject") {
+    throw new BoundedMapError("bounded-map/bad-policy",
+      "boundedMap: opts.policy must be 'evict-oldest' | 'reject', got " + JSON.stringify(policy));
+  }
+  var onEvict = typeof opts.onEvict === "function" ? opts.onEvict : null;
+  var inner = new Map();
+
+  function set(key, value) {
+    // Updating an existing key never grows the map — always allowed.
+    if (inner.has(key)) { inner.set(key, value); return true; }
+    if (inner.size >= maxEntries) {
+      if (policy === "reject") return false;
+      // evict-oldest: the first key in insertion order is the oldest.
+      var oldest = inner.keys().next().value;
+      if (oldest !== undefined || inner.has(oldest)) {
+        var evictedVal = inner.get(oldest);
+        inner.delete(oldest);
+        if (onEvict) { try { onEvict(oldest, evictedVal); } catch (_e) { /* obs hook — drop-silent */ } }
+      }
+    }
+    inner.set(key, value);
+    return true;
+  }
+
+  return {
+    get:    function (k) { return inner.get(k); },
+    has:    function (k) { return inner.has(k); },
+    set:    set,
+    delete: function (k) { return inner.delete(k); },
+    clear:  function () { inner.clear(); },
+    keys:   function () { return inner.keys(); },
+    values: function () { return inner.values(); },
+    entries: function () { return inner.entries(); },
+    forEach: function (fn, thisArg) { return inner.forEach(fn, thisArg); },
+    get size() { return inner.size; },
+    get maxEntries() { return maxEntries; },
+    get policy() { return policy; },
+    // Iterable like a Map, so `for (var e of bmap)` yields [key, value]
+    // entries — callers that iterate a plain Map keep working unchanged.
+    [Symbol.iterator]: function () { return inner[Symbol.iterator](); },
+  };
+}
+
+module.exports = { boundedMap: boundedMap, BoundedMapError: BoundedMapError };

package/lib/cert.js

@@ -54,6 +54,7 @@ var atomicFile    = require("./atomic-file");
 var safeJson      = require("./safe-json");
 var { defineClass } = require("./framework-error");
 var C             = require("./constants");
+var { boot }      = require("./log");
 
 var acme          = lazyRequire(function () { return require("./acme"); });
 var vault         = lazyRequire(function () { return require("./vault"); });
@@ -62,6 +63,7 @@ var networkTls    = lazyRequire(function () { return require("./network-tls"); }
 var bCrypto       = lazyRequire(function () { return require("./crypto"); });
 
 var CertError = defineClass("CertError");
+var log = boot("cert");
 
 var DEFAULT_RENEW_INTERVAL_MS    = C.TIME.hours(6);
 var DEFAULT_MIN_DAYS_BEFORE_EXPIRY = 14;
@@ -140,8 +142,13 @@ function _createSealedDiskStorage(opts) {
       if (!nodeFs.existsSync(p)) return null;
       try { return safeJson.parse(nodeFs.readFileSync(p, "utf8"), { maxBytes: C.BYTES.kib(16) }); }
       catch (e) {
-        throw new CertError("cert/bad-meta",
-          "cert: meta.json for '" + certName + "' is corrupt: " + e.message);
+        // meta.json is a derived index (expiry + fingerprint), not a
+        // source of truth — the sealed cert is. A corrupt meta must not
+        // block renewal: treat it as absent so _ensureCert re-derives it
+        // from a fresh issue rather than throwing out of start().
+        log.warn("cert: meta.json for '" + certName + "' unreadable (" +
+          e.message + ") — treating as absent, will re-derive");
+        return null;
       }
     },
 
@@ -413,8 +420,21 @@ function create(opts) {
       ? nodeFs.readFileSync(nodePath.join(storage.rootDir, "account/jwk.json.sealed"))
       : null;
     if (sealedBuf) {
-      var plain = (opts.storage.vault || vault().getDefaultStore()).unseal(sealedBuf);
-      var jwk = safeJson.parse(plain.toString("utf8"), { maxBytes: C.BYTES.kib(64) });
+      var jwk;
+      try {
+        var plain = (opts.storage.vault || vault().getDefaultStore()).unseal(sealedBuf);
+        jwk = safeJson.parse(plain.toString("utf8"), { maxBytes: C.BYTES.kib(64) });
+      } catch (e) {
+        // The ACME account key binds existing order + authorization
+        // history, so it is NOT auto-regenerated on corruption (unlike a
+        // re-issuable cert) — that would silently abandon the account.
+        // Fail with an actionable error naming the file + recovery instead
+        // of letting a raw decrypt/parse error escape out of start().
+        throw new CertError("cert/account-key-unreadable",
+          "cert: ACME account key 'account/jwk.json.sealed' is unreadable (" +
+          e.message + "). Restore it from backup, or delete it to register " +
+          "a fresh ACME account (this abandons prior order history).");
+      }
       return _accountKeyFromJwk(jwk);
     }
     var pair = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
@@ -555,10 +575,29 @@ function create(opts) {
   // for emergency reissue / key rollover when the existing cert is
   // structurally fine but operationally compromised (suspected key
   // disclosure, CA misissuance investigation, posture-driven rotation).
+  // A corrupt sealed cert/key is RECOVERABLE state — the CA re-issues on
+  // demand. Treat an unreadable sealed file like a missing one (log +
+  // re-issue) rather than letting a raw unseal/decrypt error escape out of
+  // start(): on a managed restart the same corrupt file is read on every
+  // boot, so throwing here is an unrecoverable crash loop, and a corrupt
+  // file must never be handled worse than an absent one (which already
+  // falls through to issue). The ACME account key is the one piece NOT
+  // auto-recovered this way — see _loadOrGenerateAccountKey.
+  async function _readSealedOrReissue(relPath, certName) {
+    try {
+      return await storage.readSealed(relPath);
+    } catch (e) {
+      log.warn("cert: sealed '" + relPath + "' unreadable (" + e.message +
+        ") — re-issuing as if absent");
+      _emitAudit("cert.sealed.corrupt", "recovered", { path: relPath, name: certName });
+      return null;
+    }
+  }
+
   async function _ensureCert(certManifest, forceIssue) {
     var meta = await storage.readMeta(certManifest.name);
-    var certBuf = await storage.readSealed(certManifest.name + "/cert.pem");
-    var keyBuf  = await storage.readSealed(certManifest.name + "/key.pem");
+    var certBuf = await _readSealedOrReissue(certManifest.name + "/cert.pem", certManifest.name);
+    var keyBuf  = await _readSealedOrReissue(certManifest.name + "/key.pem", certManifest.name);
     if (!forceIssue && meta && certBuf && keyBuf &&
         meta.expiresAt > Date.now() + minDaysBeforeExpiry * C.TIME.days(1)) {
       // Cached, not due for renewal yet.

package/lib/db.js

@@ -1997,11 +1997,19 @@ function close() {
   // Order: encrypt while the DB is still open (so the file is consistent),
   // then close the SQLite handle (releases the file lock on Windows),
   // THEN unlink the plaintext sidecar files.
-  try { encryptToDisk(); } catch (e) {
-    log.error("close: final encrypt failed: " + e.message);
+  var encryptOk = false;
+  try { encryptToDisk(); encryptOk = true; } catch (e) {
+    log.error("close: final encrypt failed: " + e.message +
+      " — keeping the plaintext working copy so the next boot can recover " +
+      "the latest writes (db.enc still holds the prior snapshot)");
   }
   try { database.close(); } catch (_e) { /* already closed */ }
-  if (atRest === "encrypted") removePlaintextFiles();
+  // Only discard the plaintext working copy once it has been safely
+  // re-encrypted. If the final encrypt failed (full /dev/shm, disk-full),
+  // the working copy is the ONLY carrier of writes since the last periodic
+  // flush — keep it so decryptToTmp's newer-mtime recovery picks it up next
+  // boot (integrity-probed, falling back to db.enc if it is itself corrupt).
+  if (atRest === "encrypted" && encryptOk) removePlaintextFiles();
   database = null;
   initialized = false;
 }

package/lib/i18n.js

@@ -64,6 +64,15 @@ var requestHelpers = require("./request-helpers");
 var safeJson = require("./safe-json");
 var validateOpts = require("./validate-opts");
 var { I18nError } = require("./framework-error");
+var { boundedMap } = require("./bounded-map");
+
+// Per-instance formatter caches are keyed on (locale, JSON.stringify
+// formatOpts). A fixed `locales` set bounds the locale axis, but operators
+// can pass fresh formatOpts shapes per call (and `Intl` options are open-
+// ended), so the key space is request-influenced — cap it so it can't grow
+// without limit. Evict-oldest is free here: a formatter is pure-derived and
+// re-created on the next miss.
+var FORMATTER_CACHE_MAX_ENTRIES = 512;
 
 var observability = lazyRequire(function () { return require("./observability"); });
 
@@ -353,7 +362,7 @@ function _interpolate(template, vars, interpolation) {
 // only with operators handing in fresh literals every call (they
 // usually pass the same shape).
 function _makeFormatterCache(make, kind, emitObs) {
-  var cache = new Map();
+  var cache = boundedMap({ maxEntries: FORMATTER_CACHE_MAX_ENTRIES, policy: "evict-oldest" });
   return function getFormatter(locale, formatOpts) {
     var optsKey = formatOpts ? JSON.stringify(formatOpts) : "";
     var cacheKey = locale + "\x1f" + optsKey;

package/lib/network-dns.js

@@ -13,6 +13,7 @@ var safeBuffer = require("./safe-buffer");
 var safeUrl = require("./safe-url");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
+var { boundedMap } = require("./bounded-map");
 
 var DnsError = defineClass("DnsError", { alwaysPermanent: false });
 
@@ -89,8 +90,15 @@ function _ensureSecureDefault() {
   STATE.doh = { url: DEFAULT_DOH_URL, method: null, ca: null };
 }
 
-var POSITIVE_CACHE = new Map();
-var NEGATIVE_CACHE = new Map();
+// Resolver caches are keyed on (hostname, family). Hostnames reaching the
+// resolver are request-influenced (outbound HTTP targets, mail MX lookups,
+// operator-supplied URLs), and expired entries are only reclaimed lazily on
+// a re-query of the SAME key — so a stream of unique hostnames would grow
+// these without bound. Cap them; evict-oldest is free (DNS re-resolves on
+// the next miss). The cap bounds peak memory even with no periodic sweep.
+var DNS_CACHE_MAX_ENTRIES = 4096;
+var POSITIVE_CACHE = boundedMap({ maxEntries: DNS_CACHE_MAX_ENTRIES, policy: "evict-oldest" });
+var NEGATIVE_CACHE = boundedMap({ maxEntries: DNS_CACHE_MAX_ENTRIES, policy: "evict-oldest" });
 
 function _now() { return Date.now(); }
 

package/lib/nonce-store.js

@@ -45,10 +45,18 @@ var clusterStorage = require("./cluster-storage");
 var C = require("./constants");
 var safeAsync = require("./safe-async");
 var { defineClass } = require("./framework-error");
+var { boundedMap } = require("./bounded-map");
 
 var NonceStoreError = defineClass("NonceStoreError");
 
 var DEFAULT_SWEEP_INTERVAL_MS = C.TIME.minutes(5);
+// Memory-backend ceiling. Each request carries an attacker-choosable unique
+// nonce, so between sweeps the store would otherwise grow without bound (a
+// memory-amplification DoS). Capped — but a replay-protection store must
+// NOT evict a live nonce to admit a new one (that reopens a replay window
+// for the evicted nonce), so the cap uses the "reject" policy and the
+// backend fails CLOSED at capacity (see checkAndInsert).
+var DEFAULT_MAX_ENTRIES = 1000000;
 
 function _err(code, message) {
   return new NonceStoreError(code, message, true);
@@ -58,14 +66,22 @@ function _err(code, message) {
 
 function _memoryBackend(opts) {
   var sweepIntervalMs = opts.sweepIntervalMs || DEFAULT_SWEEP_INTERVAL_MS;
-  var seen = new Map();   // nonce -> expireAt
+  var maxEntries = opts.maxEntries || DEFAULT_MAX_ENTRIES;
+  // policy "reject" — never evict a live nonce (that would reopen a replay
+  // window for the dropped one). At capacity the backend fails closed.
+  var seen = boundedMap({ maxEntries: maxEntries, policy: "reject" });
+  var capacityRejects = 0;
 
-  var sweepTimer = safeAsync.repeating(function () {
+  function _purgeExpiredSync() {
     var now = Date.now();
+    var removed = 0;
     for (var entry of seen) {
-      if (entry[1] <= now) seen.delete(entry[0]);
+      if (entry[1] <= now) { seen.delete(entry[0]); removed++; }
     }
-  }, sweepIntervalMs, { name: "nonce-sweep" });
+    return removed;
+  }
+
+  var sweepTimer = safeAsync.repeating(_purgeExpiredSync, sweepIntervalMs, { name: "nonce-sweep" });
 
   function checkAndInsert(nonce, expireAt) {
     if (typeof nonce !== "string" || nonce.length === 0) {
@@ -78,17 +94,26 @@ function _memoryBackend(opts) {
     if (existing !== undefined && existing > Date.now()) {
       return Promise.resolve(false);   // replay
     }
-    seen.set(nonce, expireAt);
+    var stored = seen.set(nonce, expireAt);
+    if (!stored) {
+      // At capacity. Reclaim expired entries inline, then retry once.
+      _purgeExpiredSync();
+      stored = seen.set(nonce, expireAt);
+    }
+    if (!stored) {
+      // Still full of LIVE nonces — a genuine flood. FAIL CLOSED: we
+      // cannot record this nonce, so we cannot prove it is first-seen.
+      // Refuse it (report as "seen") rather than admit an unprotected
+      // request. Evicting a live nonce to make room would reopen a replay
+      // window, so we never evict — the request is rejected instead.
+      capacityRejects += 1;
+      return Promise.resolve(false);
+    }
     return Promise.resolve(true);
   }
 
   function purgeExpired() {
-    var now = Date.now();
-    var removed = 0;
-    for (var entry of seen) {
-      if (entry[1] <= now) { seen.delete(entry[0]); removed++; }
-    }
-    return Promise.resolve(removed);
+    return Promise.resolve(_purgeExpiredSync());
   }
 
   function close() {
@@ -101,8 +126,10 @@ function _memoryBackend(opts) {
     checkAndInsert:  checkAndInsert,
     purgeExpired:    purgeExpired,
     close:           close,
-    // Test hook — direct read of the underlying Map size
+    // Test hooks — underlying entry count + count of capacity fail-closed
+    // rejections (a nonce flood that hit the ceiling).
     _size:           function () { return seen.size; },
+    _capacityRejects: function () { return capacityRejects; },
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.33",
+  "version": "0.13.35",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:b63cfcae-7595-4c46-9fd5-8d4a36ad0b85",
+  "serialNumber": "urn:uuid:6028bee9-9cbe-4913-ac29-c3b458c70b55",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-29T04:39:40.351Z",
+    "timestamp": "2026-05-29T13:13:34.221Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.33",
+      "bom-ref": "@blamejs/core@0.13.35",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.33",
+      "version": "0.13.35",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.33",
+      "purl": "pkg:npm/%40blamejs/core@0.13.35",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.33",
+      "ref": "@blamejs/core@0.13.35",
       "dependsOn": []
     }
   ]