npm - @blamejs/core - Versions diffs - 0.13.38 → 0.13.40 - Mend

@blamejs/core 0.13.38 → 0.13.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.13.x
+- v0.13.40 (2026-05-29) — **Redis client stops leaking a socket and blocking exit after close; DB exit-handler registers once.** Two handle-lifecycle fixes. The Redis client's reconnect backoff used an untracked, non-unref'd timer: during a backoff window it alone could keep the event loop alive (a process that won't exit), and a reconnect scheduled before close() fired afterward and opened a fresh socket because the connect path didn't re-check the closing flag. The timer is now tracked, unref'd, cancelled in close(), and the connect path refuses to re-open once closing. Separately, the encrypted database registered its process-exit final-flush handler on every init(), so repeated init/close cycles (long test runs, hot reload) accumulated 'exit' listeners toward the MaxListenersExceeded warning; it now registers once for the process lifetime. **Fixed:** *Redis client cancels its reconnect timer on close and won't re-open a closed connection* — The reconnect backoff scheduled `setTimeout(reconnect, delay)` without keeping a handle, without `unref()`, and the reconnect path checked only `connected`/`connecting` — not `closing`. So a backoff window could by itself hold the process open (it won't exit), and a reconnect scheduled before `close()` would fire afterward and open a fresh socket with listeners — a leak after explicit close. The timer is now tracked and `unref()`'d (a backoff no longer blocks exit), cancelled in `close()`, and the connect path returns early once closing so no socket is opened after close. · *Encrypted DB registers its process-exit flush handler once, not per init()* — `b.db.init()` in encrypted mode added a `process.on("exit")` final-flush handler on every call. Across repeated init/close cycles — long test suites, hot reload, embedded re-inits — these accumulated and tripped Node's MaxListenersExceeded warning (and grew memory slightly). The handler is now registered once for the process lifetime, guarded by a module flag, and still flushes whichever encrypted DB is open at exit time.
+- v0.13.39 (2026-05-29) — **Dual-control approvals are atomic — no quorum bypass or double-consume under concurrency.** The dual-control approval store read a grant, mutated it in memory, and wrote it back with an await in between — a non-atomic read-modify-write. Under concurrent calls (two approvals, or a retried one) each could act on a stale snapshot: the same approver could be appended twice and reach the M-of-N quorum with a single human, or a single-use grant could be consumed twice. approve / consume / revoke / cancel now commit through a new atomic cache.update primitive, so the check and the mutation are one indivisible step. The new b.cache.update is available to application code too — the memory backend is atomic by single-thread, and the cluster backend uses a transaction with compare-and-set so a concurrent writer on another node cannot lose an update. **Added:** *b.cache.update(key, mutatorFn, opts?) — atomic read-modify-write* — Reads the current value, calls `mutatorFn(current | null)`, and commits the result in one operation so a concurrent writer cannot clobber the change — the lost-update race that makes a plain `get` → mutate → `set` unsafe for counters, sets, and quorum state. The memory backend is atomic by single-thread; the cluster backend runs a transaction with a compare-and-set (and retries on contention) so the guarantee holds across nodes. `mutatorFn` returns `{ value }` to commit, `{ abort: data }` to leave the entry untouched and surface `data`, or `{ delete: true }` to remove it; the call resolves to `{ updated, value }`, `{ updated, deleted }`, or `{ aborted }`. **Security:** *Dual-control quorum and single-use guarantees hold under concurrent approvals* — `b.dualControl` persisted each grant through a cache read → in-memory mutate → write-back. Because the read and the write were separate awaited steps, two concurrent `approve` calls (or a retried one behind a load balancer) could each read the same pre-approval snapshot, so the duplicate-approver guard passed twice and the same approver was counted toward the M-of-N quorum twice — reaching quorum with one human. The same shape let two concurrent `consume` calls each see an unconsumed grant and both run the destructive operation. `approve` / `consume` / `revoke` / `cancel` now perform the check-and-mutate atomically via `cache.update`, so exactly one concurrent caller wins each transition.
 - v0.13.38 (2026-05-29) — **Atomic cache tag invalidation, and a clusterStorage.transaction primitive for multi-statement framework writes.** The cluster cache stored a value and its tag index with separate statements, so two concurrent writes to the same key could interleave their tag updates and leave the index out of step with the value — a later tag-based invalidation would then miss the key, letting a stale (possibly authorization-bearing) value survive a wipe. The value and tag writes now commit as one atomic unit. The enabling piece is a new b.clusterStorage.transaction primitive that runs a multi-statement read-modify-write all-or-nothing against the active backend — the external DB's pooled transaction in cluster mode, and a serialized transaction on the shared SQLite connection in single-node mode (so no concurrent statement can interleave into an open transaction). **Added:** *b.clusterStorage.transaction(fn) — atomic multi-statement framework-state writes* — Runs `fn` inside one transaction against the active backend so a multi-statement read-modify-write commits all-or-nothing. `fn` receives a transaction handle with the same `execute` / `executeOne` / `executeAll` surface, scoped to the open transaction. Cluster mode uses the external DB's pooled transaction (with its deadlock retry); single-node mode serializes against other transactions and against `execute` on the shared SQLite connection, so a concurrent statement cannot interleave into an open transaction. Use the handle's methods inside `fn` — calling the module-level `execute` from within `fn` would wait on the very transaction it is running. **Fixed:** *Cluster cache tag invalidation can no longer miss a key under concurrent writes* — The cluster cache wrote a value (`INSERT ... ON CONFLICT DO UPDATE`) and then rewrote its tag index (`DELETE` prior tags, `INSERT` new ones) as separate statements. Two concurrent `set()`s on the same key could interleave those tag statements, leaving the tag index inconsistent with the value — so a later `invalidateTag` could miss the key and a stale value would survive the wipe. The value and tag writes now run inside a single `clusterStorage.transaction`, so a concurrent writer observes either the whole prior state or the whole new state, never a mix.
 - v0.13.37 (2026-05-29) — **Encrypted-mode DB refuses writes before a full tmpfs corrupts it.** In encrypted-at-rest mode the live SQLite working copy is on a tmpfs (Docker's /dev/shm defaults to 64 MiB). If that fills — an append-only audit chain and session rows grow over time — SQLite hits ENOSPC and the working copy is corrupted. Earlier releases made that corruption self-heal on the next boot by rolling back to the last encrypted snapshot, but the rollback still loses writes since the last flush. This adds the prevention side: a periodic free-space probe refuses growth writes (INSERT / UPDATE / REPLACE) with a clear db/storage-low error once free space drops below a threshold, before the tmpfs fills. DELETE and reads stay available so retention can reclaim space and the application keeps serving, and the refusal lifts automatically once free space recovers. The threshold defaults to 16 MiB of headroom and is tunable; the guard is encrypted-mode only. **Security:** *Free-space guard refuses growth writes before the tmpfs working copy fills* — `b.db` in encrypted-at-rest mode now probes free space on the tmpfs holding the working copy and, when it falls below `minFreeBytes` (default 16 MiB), refuses `INSERT` / `UPDATE` / `REPLACE` with a clear `db/storage-low` error instead of letting the write run the mount out of space and corrupt the database. `DELETE`, reads, and DDL stay available so retention can prune and the app keeps serving; the refusal clears automatically when free space recovers. The error message points at the cause (Docker's 64 MiB `/dev/shm` default) and the fix (`shm_size` / `--shm-size`, or pruning). Set `minFreeBytes` to tune the headroom, or `0` to disable. This complements the existing boot-time recovery: prevention (fail clear, keep recent writes) ahead of recovery (roll back to the last snapshot).

package/lib/cache.js CHANGED Viewed

@@ -331,6 +331,25 @@ function _memoryBackend(cfg) {
     return true;
   }
+  // Atomic read-modify-write. Single-process V8 is single-threaded and the
+  // read + mutatorFn decision run with no `await` before the write, so no
+  // concurrent task can interleave between reading the current value and
+  // committing the new one. Same contract as the cluster backend's update.
+  async function _updateEntry(key, mutatorFn, expiresAt, meta) {
+    var now = clock();
+    var entry = entries.get(key);
+    var current = (entry && !_isExpired(entry, now)) ? entry.value : null;
+    var decision = mutatorFn(current);
+    if (decision && decision.abort !== undefined) return { aborted: decision.abort };
+    if (decision && decision.delete === true) {
+      if (entry) { _untrack(key, entry); entries.delete(key); }
+      return { updated: true, deleted: true };
+    }
+    var effExpires = (decision.expiresAt !== undefined) ? decision.expiresAt : expiresAt;
+    await set(key, decision.value, effExpires, meta);
+    return { updated: true, value: decision.value };
+  }
   async function has(key) {
     var entry = entries.get(key);
     if (!entry) return false;
@@ -420,6 +439,7 @@ function _memoryBackend(cfg) {
     name:           "memory",
     get:            get,
     set:            set,
+    update:         _updateEntry,
     del:            del,
     has:            has,
     clear:          clear,
@@ -548,6 +568,74 @@ function _clusterBackend(cfg) {
     });
   }
+  // Atomic read-modify-write. Reads the current value, calls mutatorFn,
+  // and commits the result in one transaction — with a compare-and-set
+  // (UPDATE ... WHERE valueJson = <the exact bytes we read>) so a
+  // concurrent writer on another node cannot clobber the change (lost
+  // update). On a CAS miss the whole thing retries against the fresh
+  // value. Single-node serializes via clusterStorage.transaction, so the
+  // CAS never misses there; the retry only fires in cluster mode.
+  // mutatorFn(current|null) returns { value } to commit, { abort: data }
+  // to leave the row untouched and surface `data`, or { delete: true }.
+  async function _updateRow(key, mutatorFn, expiresAt, meta) {
+    var ck = _composedKey(key);
+    var maxRetries = 5;
+    for (var attempt = 0; attempt < maxRetries; attempt++) {
+      var outcome = await clusterStorage.transaction(async function (tx) {
+        var now = clock();
+        var row = await tx.executeOne(
+          "SELECT valueJson, expiresAt FROM _blamejs_cache WHERE cacheKey = ?", [ck]);
+        var oldRaw = null;
+        var current = null;
+        if (row && row.expiresAt > now) {
+          oldRaw = row.valueJson;
+          var stored = row.valueJson;
+          if (typeof stored === "string" && stored.indexOf(CACHE_SEAL_PREFIX) === 0) {
+            stored = vault().unseal(stored.substring(CACHE_SEAL_PREFIX.length));
+          }
+          current = safeJson.parse(stored, { maxBytes: C.BYTES.mib(64) });
+        }
+        var decision = mutatorFn(current);
+        if (decision && decision.abort !== undefined) return { aborted: decision.abort };
+        if (decision && decision.delete === true) {
+          if (oldRaw !== null) {
+            await tx.execute("DELETE FROM _blamejs_cache WHERE cacheKey = ? AND valueJson = ?", [ck, oldRaw]);
+            await tx.execute("DELETE FROM _blamejs_cache_tags WHERE cacheKey = ?", [ck]);
+          }
+          return { updated: true, deleted: true };
+        }
+        var json = safeJson.stringify(decision.value);
+        if (meta && meta.seal === true) json = CACHE_SEAL_PREFIX + vault().seal(json);
+        // The mutator may pin the entry's expiry to the value's own
+        // lifetime (e.g. a grant whose expiresAt the mutator just read);
+        // otherwise the caller-resolved ttl applies.
+        var effExpires = (decision.expiresAt !== undefined) ? decision.expiresAt : expiresAt;
+        var storedExpires = (effExpires === Infinity) ? Number.MAX_SAFE_INTEGER : effExpires;
+        if (oldRaw === null) {
+          // Row was absent/expired — insert, but lose the race if another
+          // writer inserted concurrently (ON CONFLICT DO NOTHING → 0 rows).
+          var ins = await tx.execute(
+            "INSERT INTO _blamejs_cache (cacheKey, valueJson, expiresAt, updatedAt) " +
+            "VALUES (?, ?, ?, ?) ON CONFLICT (cacheKey) DO NOTHING",
+            [ck, json, storedExpires, now]);
+          if (!ins || ins.rowCount !== 1) return { conflict: true };
+        } else {
+          // CAS: only commit if the row still holds the exact bytes we read.
+          var upd = await tx.execute(
+            "UPDATE _blamejs_cache SET valueJson = ?, expiresAt = ?, updatedAt = ? " +
+            "WHERE cacheKey = ? AND valueJson = ?",
+            [json, storedExpires, now, ck, oldRaw]);
+          if (!upd || upd.rowCount !== 1) return { conflict: true };
+        }
+        return { updated: true, value: decision.value };
+      });
+      if (outcome && outcome.conflict) continue;   // value moved under us — retry
+      return outcome;
+    }
+    throw _err("UPDATE_CONTENTION",
+      "cache.update: exceeded " + maxRetries + " retries under write contention for key");
+  }
   async function del(key) {
     var ck = _composedKey(key);
     var result = await clusterStorage.execute(
@@ -681,6 +769,7 @@ function _clusterBackend(cfg) {
     name:           "cluster",
     get:            get,
     set:            set,
+    update:         _updateRow,
     del:            del,
     has:            has,
     clear:          clear,
@@ -1023,6 +1112,68 @@ function create(opts) {
     emitObs("cache.set", { namespace: namespace });
   }
+  /**
+   * @primitive b.cache.update
+   * @signature b.cache.update(key, mutatorFn, opts?)
+   * @since     0.13.39
+   * @status    stable
+   * @related   b.cache.create
+   *
+   * Atomic read-modify-write. Reads the current value, calls
+   * `mutatorFn(current | null)`, and commits the result in one operation
+   * so a concurrent writer cannot clobber the change (lost update) — the
+   * race that makes a plain `get` → mutate → `set` unsafe for counters,
+   * sets, and quorum state. The memory backend is atomic by single-thread;
+   * the cluster backend uses a transaction with compare-and-set + retry.
+   *
+   * `mutatorFn` returns one of: `{ value }` to commit the new value,
+   * `{ abort: data }` to leave the entry untouched and surface `data` to
+   * the caller, or `{ delete: true }` to remove the entry. The call
+   * resolves to `{ updated: true, value }`, `{ updated: true, deleted: true }`,
+   * or `{ aborted: data }`.
+   *
+   * @opts
+   *   ttlMs:  number | Infinity,   // lifetime of the written value; default the instance ttlMs
+   *   seal:   boolean,             // cluster backend only — seal the value at rest
+   *
+   * @example
+   *   await counters.update("hits", function (n) {
+   *     return { value: (n || 0) + 1 };
+   *   });
+   */
+  async function update(key, mutatorFn, callerOpts) {
+    _ensureOpen("update");
+    _validateKey(key, "cache.update");
+    if (typeof mutatorFn !== "function") {
+      throw _err("BAD_OPT", "cache.update: mutatorFn must be a function, got " + typeof mutatorFn);
+    }
+    if (typeof backend.update !== "function") {
+      throw _err("UNSUPPORTED",
+        "cache.update is unsupported by the '" + (backend.name || "custom") + "' backend " +
+        "(memory + cluster implement it; a custom backend must provide update for atomic RMW).");
+    }
+    var ttlMs = _resolveTtl(callerOpts, "update");
+    var expiresAt = (ttlMs === Infinity) ? Infinity : (clock() + ttlMs);
+    var seal = !!(callerOpts && callerOpts.seal === true);
+    if (seal && backend.name !== "cluster") {
+      throw _err("BAD_OPT",
+        "cache.update: seal: true is only supported on the cluster backend " +
+        "(this cache instance uses '" + (backend.name || "custom") + "').");
+    }
+    var result;
+    try { result = await backend.update(key, mutatorFn, expiresAt, { ttlMs: ttlMs, seal: seal }); }
+    catch (e) {
+      emitObs("cache.backend.failed", { namespace: namespace, op: "update" });
+      _backendFailedAudit("update", e);
+      throw e;
+    }
+    if (result && (result.updated || result.deleted)) {
+      emitObs("cache.update", { namespace: namespace });
+      if (result.deleted) { softExpiry.delete(key); _publishInvalidation({ kind: "del", key: key }); }
+    }
+    return result;
+  }
   async function del(key) {
     _ensureOpen("del");
     _validateKey(key, "cache.del");
@@ -1317,6 +1468,7 @@ function create(opts) {
   return {
     get:                    get,
     set:                    set,
+    update:                 update,
     del:                    del,
     has:                    has,
     clear:                  clear,

package/lib/db.js CHANGED Viewed

@@ -142,6 +142,12 @@ var storageProbeTimer = null;  // periodic free-space probe handle
 var writesRefused = false;     // true when free space < minFreeBytes
 var minFreeBytes  = 0;         // refuse growth writes below this (0 = guard off)
 var statfsProbe   = null;      // free-space reader (fs.statfsSync; injectable for tests)
+// The process-exit final-flush handler is registered ONCE at first
+// encrypted init. Re-registering per init() leaked an 'exit' listener on
+// every init/close cycle (MaxListenersExceeded in long test runs / hot
+// reload); the flag makes it idempotent. The handler reads live module
+// state at exit time, so a later re-init is still covered.
+var _exitHandlerRegistered = false;
 var dataDir   = null;
 var initialized = false;
 var dataResidency = null;   // operator's declared region config (validated by storage backends)
@@ -1436,10 +1442,16 @@ async function init(opts) {
     // Final encrypt on process exit. We don't try to unlink the plaintext
     // here — the SQLite handle may still be open, and the OS reclaims tmpfs
-    // on reboot anyway. close() does the orderly shutdown.
-    process.on("exit", function () {
-      try { encryptToDisk(); } catch (_e) { /* exit handler — silent */ }
-    });
+    // on reboot anyway. close() does the orderly shutdown. Registered ONCE
+    // (guarded by the module flag) — re-registering per init() leaked an
+    // 'exit' listener on every init/close cycle. The handler reads live
+    // module state, so it still flushes whatever DB is open at exit.
+    if (!_exitHandlerRegistered) {
+      _exitHandlerRegistered = true;
+      process.on("exit", function () {
+        try { if (atRest === "encrypted") encryptToDisk(); } catch (_e) { /* exit handler — silent */ }
+      });
+    }
   }
   log("ready (mode: " + atRest + ", path: " + dbPath + ")");

package/lib/dual-control.js CHANGED Viewed

@@ -301,27 +301,27 @@ function create(opts) {
   async function cancel(args) {
     if (!args || typeof args !== "object") throw _err("BAD_ARG", "cancel: args required");
-    var record = await _load(args.grantId);
-    if (!record) return { error: "grant-not-found", grantId: args.grantId };
-    if (record.consumedAt !== null) return { error: "grant-already-consumed", grantId: record.grantId };
-    if (record.revokedAt !== null)  return { error: "grant-revoked", grantId: record.grantId };
-    if (record.cancelledAt !== null) return { error: "grant-already-cancelled", grantId: record.grantId };
     var actorId = _actorIdOf(args.cancelledBy);
-    if (actorId !== record.requestedBy) {
-      // Cancellation by anyone other than the requester is a revoke,
-      // not a cancel. Surface explicitly.
-      return { error: "only-requester-can-cancel", grantId: record.grantId,
-        requestedBy: record.requestedBy };
-    }
-    record.cancelledAt = Date.now();
-    record.cancelledReason = args.reason || null;
-    var ttlRemaining = Math.max(1, record.expiresAt - Date.now());
-    await cache.set(_key(record.grantId), record, { ttlMs: ttlRemaining });
+    var outcome = await cache.update(_key(args.grantId), function (record) {
+      if (!record) return { abort: { response: { error: "grant-not-found", grantId: args.grantId } } };
+      if (record.consumedAt !== null) return { abort: { response: { error: "grant-already-consumed", grantId: record.grantId } } };
+      if (record.revokedAt !== null)  return { abort: { response: { error: "grant-revoked", grantId: record.grantId } } };
+      if (record.cancelledAt !== null) return { abort: { response: { error: "grant-already-cancelled", grantId: record.grantId } } };
+      // Cancellation by anyone other than the requester is a revoke, not a
+      // cancel — surface explicitly.
+      if (actorId !== record.requestedBy) {
+        return { abort: { response: { error: "only-requester-can-cancel", grantId: record.grantId, requestedBy: record.requestedBy } } };
+      }
+      record.cancelledAt = Date.now();
+      record.cancelledReason = args.reason || null;
+      return { value: record, expiresAt: record.expiresAt };
+    }, { ttlMs: ttlMs });
+    if (outcome.aborted) return outcome.aborted.response;
+    var rec = outcome.value;
     _emit("dual.grant.cancelled",
-      { grantId: record.grantId, action: record.action,
-        cancelledBy: actorId, reason: args.reason || null },
+      { grantId: rec.grantId, action: rec.action, cancelledBy: actorId, reason: args.reason || null },
       "success", args.req);
-    return { grantId: record.grantId, status: "cancelled" };
+    return { grantId: rec.grantId, status: "cancelled" };
   }
   async function _load(grantId) {
@@ -334,156 +334,152 @@ function create(opts) {
   async function approve(args) {
     if (!args || typeof args !== "object") throw _err("BAD_ARG", "approve: args required");
-    var record = await _load(args.grantId);
-    if (!record) {
-      return { error: "grant-not-found", grantId: args.grantId };
-    }
-    if (record.consumedAt !== null) {
-      return { error: "grant-already-consumed", grantId: record.grantId };
-    }
-    if (record.revokedAt !== null) {
-      return { error: "grant-revoked", grantId: record.grantId, revokedReason: record.revokedReason };
-    }
-    if (record.cancelledAt !== null) {
-      return { error: "grant-cancelled", grantId: record.grantId };
-    }
-    if (record.expiresAt < Date.now()) {
-      _emit("dual.grant.expired", { grantId: record.grantId, action: record.action },
-        "failure", args.req);
-      await cache.del(_key(record.grantId));
-      return { error: "grant-expired", grantId: record.grantId };
-    }
     var approverId = _actorIdOf(args.approver);
     if (!approverId) throw _err("BAD_ARG", "approve: args.approver must be an actor with a stable id");
-    if (forbidSelfApprove && approverId === record.requestedBy) {
-      _emit("dual.grant.self_approval_denied",
-        { grantId: record.grantId, action: record.action, approver: approverId },
-        "denied", args.req);
-      return { error: "self-approval-forbidden", grantId: record.grantId };
-    }
-    if (!_approverRoleOk(args.approver)) {
-      _emit("dual.grant.role_denied",
-        { grantId: record.grantId, action: record.action, approver: approverId,
-          requiredRoles: approverRoles,
-          actorRoles: (args.approver && Array.isArray(args.approver.roles)) ? args.approver.roles : [] },
-        "denied", args.req);
-      return { error: "approver-role-required", grantId: record.grantId,
-        requiredRoles: approverRoles };
-    }
-    if (record.approvedBy.indexOf(approverId) !== -1) {
-      return { error: "already-approved-by-this-actor", grantId: record.grantId,
-        approvedBy: record.approvedBy };
-    }
+    // Pre-compute the pure, record-independent checks so the mutator stays
+    // side-effect-free (it may re-run under cluster CAS contention).
+    var roleOk = _approverRoleOk(args.approver);
     var reasonProblem = _checkReason(args.reason, "approve");
-    if (reasonProblem) {
-      return Object.assign({ grantId: record.grantId }, reasonProblem);
-    }
-    record.approvedBy.push(approverId);
-    record.approvalsAt.push(Date.now());
-    record.approvalReasons.push(args.reason || null);
-    if (approverRoles && args.approver && Array.isArray(args.approver.roles)) {
-      // Record which of the required roles satisfied the approval —
-      // useful when an audit reviewer needs to confirm the actor
-      // approved as e.g. their security-officer role and not their
-      // engineer role.
-      var hits = args.approver.roles.filter(function (r) { return approverRoles.indexOf(r) !== -1; });
-      record.approverRoleHits.push(hits);
-    }
-    var status = "pending";
-    if (record.approvedBy.length >= record.minApprovers) {
-      status = "approved";
-      if (record.quorumReachedAt === null) record.quorumReachedAt = Date.now();
+    var roleHits = (approverRoles && args.approver && Array.isArray(args.approver.roles))
+      ? args.approver.roles.filter(function (r) { return approverRoles.indexOf(r) !== -1; })
+      : null;
+    // Atomic read-modify-write: the duplicate-approver guard and the
+    // approvedBy append commit together, so two concurrent approvals (or a
+    // retried one) cannot each read a stale snapshot and append the same
+    // approver twice — the quorum-bypass the get/set version allowed.
+    var outcome = await cache.update(_key(args.grantId), function (record) {
+      if (!record) return { abort: { response: { error: "grant-not-found", grantId: args.grantId } } };
+      if (record.consumedAt !== null) return { abort: { response: { error: "grant-already-consumed", grantId: record.grantId } } };
+      if (record.revokedAt !== null) return { abort: { response: { error: "grant-revoked", grantId: record.grantId, revokedReason: record.revokedReason } } };
+      if (record.cancelledAt !== null) return { abort: { response: { error: "grant-cancelled", grantId: record.grantId } } };
+      if (record.expiresAt < Date.now()) {
+        return { abort: { response: { error: "grant-expired", grantId: record.grantId },
+          event: "dual.grant.expired", meta: { grantId: record.grantId, action: record.action }, outcome: "failure" } };
+      }
+      if (forbidSelfApprove && approverId === record.requestedBy) {
+        return { abort: { response: { error: "self-approval-forbidden", grantId: record.grantId },
+          event: "dual.grant.self_approval_denied",
+          meta: { grantId: record.grantId, action: record.action, approver: approverId }, outcome: "denied" } };
+      }
+      if (!roleOk) {
+        return { abort: { response: { error: "approver-role-required", grantId: record.grantId, requiredRoles: approverRoles },
+          event: "dual.grant.role_denied",
+          meta: { grantId: record.grantId, action: record.action, approver: approverId, requiredRoles: approverRoles,
+            actorRoles: (args.approver && Array.isArray(args.approver.roles)) ? args.approver.roles : [] }, outcome: "denied" } };
+      }
+      if (record.approvedBy.indexOf(approverId) !== -1) {
+        return { abort: { response: { error: "already-approved-by-this-actor", grantId: record.grantId, approvedBy: record.approvedBy.slice() } } };
+      }
+      if (reasonProblem) return { abort: { response: Object.assign({ grantId: record.grantId }, reasonProblem) } };
+      record.approvedBy.push(approverId);
+      record.approvalsAt.push(Date.now());
+      record.approvalReasons.push(args.reason || null);
+      // Record which required role satisfied the approval — an audit
+      // reviewer can confirm the actor approved as e.g. security-officer.
+      if (roleHits) record.approverRoleHits.push(roleHits);
+      if (record.approvedBy.length >= record.minApprovers && record.quorumReachedAt === null) {
+        record.quorumReachedAt = Date.now();
+      }
+      return { value: record, expiresAt: record.expiresAt };
+    }, { ttlMs: ttlMs });
+    if (outcome.aborted) {
+      var ab = outcome.aborted;
+      if (ab.event) _emit(ab.event, ab.meta, ab.outcome, args.req);
+      return ab.response;
     }
-    var ttlRemaining = Math.max(1, record.expiresAt - Date.now());
-    await cache.set(_key(record.grantId), record, { ttlMs: ttlRemaining });
+    var rec = outcome.value;
+    var status = (rec.approvedBy.length >= rec.minApprovers) ? "approved" : "pending";
+    var consumeUnlockAt = rec.quorumReachedAt !== null ? rec.quorumReachedAt + rec.consumeLockMs : null;
     _emit("dual.grant.approved",
-      { grantId: record.grantId, action: record.action, approver: approverId,
-        approverCount: record.approvedBy.length, needs: record.minApprovers,
-        status: status, reason: args.reason || null,
-        consumeUnlockAt: record.quorumReachedAt !== null
-          ? record.quorumReachedAt + record.consumeLockMs : null },
+      { grantId: rec.grantId, action: rec.action, approver: approverId,
+        approverCount: rec.approvedBy.length, needs: rec.minApprovers,
+        status: status, reason: args.reason || null, consumeUnlockAt: consumeUnlockAt },
       "success", args.req);
     return {
-      grantId:    record.grantId,
+      grantId:    rec.grantId,
       status:     status,
-      approvedBy: record.approvedBy.slice(),
-      needs:      record.minApprovers,
-      expiresAt:  record.expiresAt,
-      consumeUnlockAt: record.quorumReachedAt !== null
-        ? record.quorumReachedAt + record.consumeLockMs : null,
+      approvedBy: rec.approvedBy.slice(),
+      needs:      rec.minApprovers,
+      expiresAt:  rec.expiresAt,
+      consumeUnlockAt: consumeUnlockAt,
     };
   }
   async function revoke(args) {
     if (!args || typeof args !== "object") throw _err("BAD_ARG", "revoke: args required");
-    var record = await _load(args.grantId);
-    if (!record) return { error: "grant-not-found", grantId: args.grantId };
-    if (record.consumedAt !== null) {
-      return { error: "grant-already-consumed", grantId: record.grantId };
-    }
-    record.revokedAt = Date.now();
-    record.revokedReason = args.reason || null;
-    var ttlRemaining = Math.max(1, record.expiresAt - Date.now());
-    await cache.set(_key(record.grantId), record, { ttlMs: ttlRemaining });
+    var revokedById = _actorIdOf(args.revokedBy);
+    var outcome = await cache.update(_key(args.grantId), function (record) {
+      if (!record) return { abort: { response: { error: "grant-not-found", grantId: args.grantId } } };
+      if (record.consumedAt !== null) return { abort: { response: { error: "grant-already-consumed", grantId: record.grantId } } };
+      record.revokedAt = Date.now();
+      record.revokedReason = args.reason || null;
+      return { value: record, expiresAt: record.expiresAt };
+    }, { ttlMs: ttlMs });
+    if (outcome.aborted) return outcome.aborted.response;
+    var rec = outcome.value;
     _emit("dual.grant.denied",
-      { grantId: record.grantId, action: record.action,
-        revokedBy: _actorIdOf(args.revokedBy), reason: args.reason || null },
+      { grantId: rec.grantId, action: rec.action, revokedBy: revokedById, reason: args.reason || null },
       "denied", args.req);
-    return { grantId: record.grantId, status: "revoked" };
+    return { grantId: rec.grantId, status: "revoked" };
   }
   async function consume(grantId, args) {
     args = args || {};
-    var record = await _load(grantId);
-    if (!record) return { ready: false, reason: "grant-not-found" };
-    if (record.revokedAt !== null) {
-      return { ready: false, reason: "revoked" };
-    }
-    if (record.cancelledAt !== null) {
-      return { ready: false, reason: "cancelled" };
-    }
-    if (record.consumedAt !== null) {
-      return { ready: false, reason: "already-consumed" };
-    }
-    if (record.expiresAt < Date.now()) {
-      _emit("dual.grant.expired", { grantId: record.grantId, action: record.action },
-        "failure", args.req);
-      await cache.del(_key(record.grantId));
-      return { ready: false, reason: "expired" };
-    }
-    if (record.approvedBy.length < record.minApprovers) {
-      return { ready: false, reason: "not-enough-approvers",
-        approvedBy: record.approvedBy.slice(), needs: record.minApprovers };
-    }
-    // Cooling-off lock: ANY approval-quorum-reached grant can't consume
-    // until consumeLockMs has passed since the final approval. Defends
-    // against rapid-burst compromise of requester+approver.
-    if ((record.consumeLockMs || 0) > 0 && record.quorumReachedAt !== null) {
-      var unlockAt = record.quorumReachedAt + record.consumeLockMs;
-      if (Date.now() < unlockAt) {
-        _emit("dual.grant.consume_locked",
-          { grantId: record.grantId, action: record.action,
-            unlockAt: unlockAt, waitMs: unlockAt - Date.now() },
-          "denied", args.req);
-        return { ready: false, reason: "consume-locked", unlockAt: unlockAt,
-          waitMs: unlockAt - Date.now() };
+    // Atomic read-modify-write: the consumedAt check and the consumedAt set
+    // commit together (compare-and-set), so two concurrent consumes cannot
+    // both observe consumedAt === null and both proceed — exactly one wins
+    // and runs the destructive operation. The get/set version let a
+    // single-use grant be consumed twice.
+    var outcome = await cache.update(_key(grantId), function (record) {
+      if (!record) return { abort: { response: { ready: false, reason: "grant-not-found" } } };
+      if (record.revokedAt !== null) return { abort: { response: { ready: false, reason: "revoked" } } };
+      if (record.cancelledAt !== null) return { abort: { response: { ready: false, reason: "cancelled" } } };
+      if (record.consumedAt !== null) return { abort: { response: { ready: false, reason: "already-consumed" } } };
+      if (record.expiresAt < Date.now()) {
+        return { abort: { response: { ready: false, reason: "expired" }, del: true,
+          event: "dual.grant.expired", meta: { grantId: record.grantId, action: record.action }, outcome: "failure" } };
       }
+      if (record.approvedBy.length < record.minApprovers) {
+        return { abort: { response: { ready: false, reason: "not-enough-approvers",
+          approvedBy: record.approvedBy.slice(), needs: record.minApprovers } } };
+      }
+      // Cooling-off lock: a quorum-reached grant can't consume until
+      // consumeLockMs has passed since the final approval — defends against
+      // rapid-burst compromise of requester + approver.
+      if ((record.consumeLockMs || 0) > 0 && record.quorumReachedAt !== null) {
+        var unlockAt = record.quorumReachedAt + record.consumeLockMs;
+        if (Date.now() < unlockAt) {
+          return { abort: { response: { ready: false, reason: "consume-locked", unlockAt: unlockAt, waitMs: unlockAt - Date.now() },
+            event: "dual.grant.consume_locked",
+            meta: { grantId: record.grantId, action: record.action, unlockAt: unlockAt, waitMs: unlockAt - Date.now() }, outcome: "denied" } };
+        }
+      }
+      record.consumedAt = Date.now();
+      return { value: record, expiresAt: record.expiresAt };
+    }, { ttlMs: ttlMs });
+    if (outcome.aborted) {
+      var ab = outcome.aborted;
+      if (ab.event) _emit(ab.event, ab.meta, ab.outcome, args.req);
+      if (ab.del) { try { await cache.del(_key(grantId)); } catch (_e) { /* sweep handles it */ } }
+      return ab.response;
     }
-    record.consumedAt = Date.now();
-    // Drop the grant from the cache after consume — single-use by design.
-    await cache.del(_key(record.grantId));
+    var rec = outcome.value;
+    // Single-use by design — drop the (now consumed) grant from the cache.
+    await cache.del(_key(rec.grantId));
     _emit("dual.grant.consumed",
-      { grantId: record.grantId, action: record.action,
-        approvedBy: record.approvedBy.slice(),
-        approvalReasons: record.approvalReasons.slice() },
+      { grantId: rec.grantId, action: rec.action,
+        approvedBy: rec.approvedBy.slice(), approvalReasons: rec.approvalReasons.slice() },
       "success", args.req);
     return {
       ready:      true,
-      grantId:    record.grantId,
-      action:     record.action,
-      resource:   record.resource,
-      approvedBy: record.approvedBy.slice(),
-      requestedBy:record.requestedBy,
+      grantId:    rec.grantId,
+      action:     rec.action,
+      resource:   rec.resource,
+      approvedBy: rec.approvedBy.slice(),
+      requestedBy:rec.requestedBy,
     };
   }

package/lib/redis-client.js CHANGED Viewed

@@ -182,6 +182,11 @@ function create(opts) {
   var connected = false;
   var connecting = false;
   var closing = false;
+  // Tracked + unref'd reconnect timer. Tracked so close() can cancel a
+  // pending backoff (otherwise a reconnect scheduled before close fires
+  // after it and opens a fresh socket); unref'd so a backoff window doesn't
+  // by itself keep the event loop alive (the process-won't-exit class).
+  var reconnectTimer = null;
   var rxBuffer = Buffer.alloc(0);
   // FIFO of in-flight commands awaiting a response
   var pending = [];
@@ -210,7 +215,11 @@ function create(opts) {
     }
     reconnectAttempt++;
     var delay = Math.min(C.TIME.seconds(30), 100 * Math.pow(2, reconnectAttempt - 1));
-    setTimeout(function () { _connect().catch(function () { /* will reschedule */ }); }, delay);
+    reconnectTimer = setTimeout(function () {
+      reconnectTimer = null;
+      _connect().catch(function () { /* will reschedule */ });
+    }, delay);
+    if (typeof reconnectTimer.unref === "function") reconnectTimer.unref();
   }
   function _drainPending(err) {
@@ -290,6 +299,9 @@ function create(opts) {
   }
   async function _connect() {
+    // A reconnect timer scheduled before close() can still fire afterward;
+    // refuse to re-open once closing so it doesn't leak a fresh socket.
+    if (closing) return;
     if (connected) return;
     if (connecting) {
       // Wait until current connect attempt resolves
@@ -423,6 +435,7 @@ function create(opts) {
   async function close() {
     closing = true;
+    if (reconnectTimer) { clearTimeout(reconnectTimer); reconnectTimer = null; }
     var err = _err("CLOSED", "redis client closed");
     _drainPending(err);
     if (socket) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.38",
+  "version": "0.13.40",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:fc7082b3-a639-421e-8e57-fac70e7ced00",
+  "serialNumber": "urn:uuid:949239a7-6f00-4f14-9e96-43c3b5935fb9",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-29T16:34:17.392Z",
+    "timestamp": "2026-05-29T17:53:59.118Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.38",
+      "bom-ref": "@blamejs/core@0.13.40",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.38",
+      "version": "0.13.40",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.38",
+      "purl": "pkg:npm/%40blamejs/core@0.13.40",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.38",
+      "ref": "@blamejs/core@0.13.40",
       "dependsOn": []
     }
   ]