@blamejs/core 0.13.39 → 0.13.41

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.41 (2026-05-29) — **Agent registry reads can be tenant-scoped; compliance-erasure docs clarify actor is an audit field.** The agent orchestrator's registry reads (list and lookup) gated only on the flat agent-registry:read scope, so any holder could enumerate every tenant's agents and resolve a handle to one — even though the event bus already scopes subscribe and delivery by tenant. The orchestrator now mirrors that: with the new tenantScope option enabled, list returns only the actor's own tenant's agents and lookup refuses a cross-tenant name, unless the actor holds the framework cross-tenant-admin scope. Off by default, so single-tenant deployments are unaffected. Separately, the subject-erasure docs now state explicitly that the recorded actor is an audit field, not authentication — the caller must be authorized upstream. **Added:** *Tenant-scoped agent registry reads (opts.tenantScope)* — `b.agent.orchestrator.create({ tenantScope: true })` now scopes `list` and `lookup` to the calling actor's tenant: `list` filters out agents in other tenants and `lookup` returns null for a cross-tenant name, unless the actor holds the cross-tenant-admin scope (`b.agent.tenant.CROSS_TENANT_ADMIN_SCOPE`). This closes a cross-tenant metadata-enumeration and handle-acquisition path — `agent-registry:read` alone no longer exposes other tenants' agents — and mirrors the tenant scoping the event bus enforces on subscribe and delivery. The option defaults off; existing single-tenant orchestrators behave exactly as before. The `tenantId` argument to `list` remains a convenience filter, distinct from this authorization boundary. **Changed:** *Subject-erasure docs clarify the actor is an audit field, not authentication* — `b.subject.erase` and `b.subject.eraseHard` gate the deletion on operator acknowledgements and the legal-hold registry, not on caller identity. Their documentation now states explicitly that the recorded `actor` is an audit-record field, not authentication — the caller MUST be authenticated and authorized by the route before invoking. No behavior change; this removes an implicit assumption that could otherwise be read as the primitive authorizing the call.
+
+- v0.13.40 (2026-05-29) — **Redis client stops leaking a socket and blocking exit after close; DB exit-handler registers once.** Two handle-lifecycle fixes. The Redis client's reconnect backoff used an untracked, non-unref'd timer: during a backoff window it alone could keep the event loop alive (a process that won't exit), and a reconnect scheduled before close() fired afterward and opened a fresh socket because the connect path didn't re-check the closing flag. The timer is now tracked, unref'd, cancelled in close(), and the connect path refuses to re-open once closing. Separately, the encrypted database registered its process-exit final-flush handler on every init(), so repeated init/close cycles (long test runs, hot reload) accumulated 'exit' listeners toward the MaxListenersExceeded warning; it now registers once for the process lifetime. **Fixed:** *Redis client cancels its reconnect timer on close and won't re-open a closed connection* — The reconnect backoff scheduled `setTimeout(reconnect, delay)` without keeping a handle, without `unref()`, and the reconnect path checked only `connected`/`connecting` — not `closing`. So a backoff window could by itself hold the process open (it won't exit), and a reconnect scheduled before `close()` would fire afterward and open a fresh socket with listeners — a leak after explicit close. The timer is now tracked and `unref()`'d (a backoff no longer blocks exit), cancelled in `close()`, and the connect path returns early once closing so no socket is opened after close. · *Encrypted DB registers its process-exit flush handler once, not per init()* — `b.db.init()` in encrypted mode added a `process.on("exit")` final-flush handler on every call. Across repeated init/close cycles — long test suites, hot reload, embedded re-inits — these accumulated and tripped Node's MaxListenersExceeded warning (and grew memory slightly). The handler is now registered once for the process lifetime, guarded by a module flag, and still flushes whichever encrypted DB is open at exit time.
+
 - v0.13.39 (2026-05-29) — **Dual-control approvals are atomic — no quorum bypass or double-consume under concurrency.** The dual-control approval store read a grant, mutated it in memory, and wrote it back with an await in between — a non-atomic read-modify-write. Under concurrent calls (two approvals, or a retried one) each could act on a stale snapshot: the same approver could be appended twice and reach the M-of-N quorum with a single human, or a single-use grant could be consumed twice. approve / consume / revoke / cancel now commit through a new atomic cache.update primitive, so the check and the mutation are one indivisible step. The new b.cache.update is available to application code too — the memory backend is atomic by single-thread, and the cluster backend uses a transaction with compare-and-set so a concurrent writer on another node cannot lose an update. **Added:** *b.cache.update(key, mutatorFn, opts?) — atomic read-modify-write* — Reads the current value, calls `mutatorFn(current | null)`, and commits the result in one operation so a concurrent writer cannot clobber the change — the lost-update race that makes a plain `get` → mutate → `set` unsafe for counters, sets, and quorum state. The memory backend is atomic by single-thread; the cluster backend runs a transaction with a compare-and-set (and retries on contention) so the guarantee holds across nodes. `mutatorFn` returns `{ value }` to commit, `{ abort: data }` to leave the entry untouched and surface `data`, or `{ delete: true }` to remove it; the call resolves to `{ updated, value }`, `{ updated, deleted }`, or `{ aborted }`. **Security:** *Dual-control quorum and single-use guarantees hold under concurrent approvals* — `b.dualControl` persisted each grant through a cache read → in-memory mutate → write-back. Because the read and the write were separate awaited steps, two concurrent `approve` calls (or a retried one behind a load balancer) could each read the same pre-approval snapshot, so the duplicate-approver guard passed twice and the same approver was counted toward the M-of-N quorum twice — reaching quorum with one human. The same shape let two concurrent `consume` calls each see an unconsumed grant and both run the destructive operation. `approve` / `consume` / `revoke` / `cancel` now perform the check-and-mutate atomically via `cache.update`, so exactly one concurrent caller wins each transition.
 
 - v0.13.38 (2026-05-29) — **Atomic cache tag invalidation, and a clusterStorage.transaction primitive for multi-statement framework writes.** The cluster cache stored a value and its tag index with separate statements, so two concurrent writes to the same key could interleave their tag updates and leave the index out of step with the value — a later tag-based invalidation would then miss the key, letting a stale (possibly authorization-bearing) value survive a wipe. The value and tag writes now commit as one atomic unit. The enabling piece is a new b.clusterStorage.transaction primitive that runs a multi-statement read-modify-write all-or-nothing against the active backend — the external DB's pooled transaction in cluster mode, and a serialized transaction on the shared SQLite connection in single-node mode (so no concurrent statement can interleave into an open transaction). **Added:** *b.clusterStorage.transaction(fn) — atomic multi-statement framework-state writes* — Runs `fn` inside one transaction against the active backend so a multi-statement read-modify-write commits all-or-nothing. `fn` receives a transaction handle with the same `execute` / `executeOne` / `executeAll` surface, scoped to the open transaction. Cluster mode uses the external DB's pooled transaction (with its deadlock retry); single-node mode serializes against other transactions and against `execute` on the shared SQLite connection, so a concurrent statement cannot interleave into an open transaction. Use the handle's methods inside `fn` — calling the module-level `execute` from within `fn` would wait on the very transaction it is running. **Fixed:** *Cluster cache tag invalidation can no longer miss a key under concurrent writes* — The cluster cache wrote a value (`INSERT ... ON CONFLICT DO UPDATE`) and then rewrote its tag index (`DELETE` prior tags, `INSERT` new ones) as separate statements. Two concurrent `set()`s on the same key could interleave those tag statements, leaving the tag index inconsistent with the value — so a later `invalidateTag` could miss the key and a stale value would survive the wipe. The value and tag writes now run inside a single `clusterStorage.transaction`, so a concurrent writer observes either the whole prior state or the whole new state, never a mix.

package/lib/agent-orchestrator.js

@@ -64,6 +64,7 @@ var cluster           = lazyRequire(function () { return require("./cluster"); }
 var vault             = lazyRequire(function () { return require("./vault"); });
 var cryptoField       = lazyRequire(function () { return require("./crypto-field"); });
 var safeJson          = require("./safe-json");
+var agentTenant       = lazyRequire(function () { return require("./agent-tenant"); });
 
 var AgentOrchestratorError = defineClass("AgentOrchestratorError", { alwaysPermanent: true });
 
@@ -168,6 +169,12 @@ function create(opts) {
     cluster:     clusterImpl,
     audit:       auditImpl,
     permissions: permissions,
+    // When true, registry reads (list / lookup) are scoped to the actor's
+    // tenant — an actor only sees / resolves agents in its own tenant
+    // unless it holds the cross-tenant-admin scope. Mirrors the tenant
+    // scoping agent-event-bus enforces on subscribe / delivery. Off by
+    // default (single-tenant deployments are unaffected).
+    tenantScope: opts.tenantScope === true,
     spawnedConsumers: [],
     streams:     new Map(),
     elections:   new Map(),
@@ -358,6 +365,19 @@ async function _unregister(ctx, name, args) {
 async function _lookup(ctx, name, args) {
   guardAgentRegistry.validate({ kind: "lookup", name: name }, {});
   _checkPermission(ctx, args.actor, "agent-registry:read");
+  // Tenant-scope gate: the row's declared tenant gates access even to a
+  // live in-process ref, so an actor can't acquire a handle to another
+  // tenant's agent. Consult the backend row (it exists as a metadata
+  // declaration even where a live ref is hydrated).
+  if (ctx.tenantScope) {
+    var sealedRow = await ctx.backend.get(name);
+    var declRow = sealedRow ? _unsealRegistryRow(sealedRow) : null;
+    if (declRow && !_tenantAllows(ctx, args.actor, declRow.tenantId)) {
+      _safeAudit(ctx, "agent.orchestrator.lookup_denied", args.actor,
+        { name: name, reason: "cross-tenant" });
+      return null;
+    }
+  }
   // Live agent ref lives in-process; the backend row exists only as
   // a metadata declaration. In multi-process deployments each process
   // hydrates its own liveAgents map by calling register() locally.
@@ -383,6 +403,10 @@ async function _list(ctx, args) {
   return rows.filter(function (r) {
     if (args.kind && r.kind !== args.kind) return false;
     if (args.tenantId && r.tenantId !== args.tenantId) return false;
+    // Tenant-scope gate: drop rows the actor's tenant may not see, so
+    // enumeration can't disclose other tenants' agents. The args.tenantId
+    // above is a caller-supplied FILTER, not an authorization boundary.
+    if (!_tenantAllows(ctx, args.actor, r.tenantId)) return false;
     return true;
   }).map(function (r) {
     return {
@@ -753,6 +777,21 @@ function _checkPermission(ctx, actor, scope) {
   }
 }
 
+// Tenant-scope gate for registry reads. Returns true when the actor may
+// see / resolve an agent row in `rowTenantId`: scoping disabled, the actor
+// holds the cross-tenant-admin scope, or the actor's tenant matches the
+// row's. Mirrors agent-tenant's CROSS_TENANT_ADMIN_SCOPE check so registry
+// enumeration can't leak agents (or hand out live refs) across tenants.
+function _tenantAllows(ctx, actor, rowTenantId) {
+  if (!ctx.tenantScope) return true;
+  if (ctx.permissions && actor &&
+      ctx.permissions.check(actor, agentTenant().CROSS_TENANT_ADMIN_SCOPE)) {
+    return true;
+  }
+  var actorTenant = (actor && actor.tenantId) || null;
+  return actorTenant !== null && actorTenant === (rowTenantId || null);
+}
+
 function _safeAudit(ctx, action, actor, metadata) {
   agentAudit.safeAudit(ctx.audit, action, actor, metadata);
 }

package/lib/db.js

@@ -142,6 +142,12 @@ var storageProbeTimer = null;  // periodic free-space probe handle
 var writesRefused = false;     // true when free space < minFreeBytes
 var minFreeBytes  = 0;         // refuse growth writes below this (0 = guard off)
 var statfsProbe   = null;      // free-space reader (fs.statfsSync; injectable for tests)
+// The process-exit final-flush handler is registered ONCE at first
+// encrypted init. Re-registering per init() leaked an 'exit' listener on
+// every init/close cycle (MaxListenersExceeded in long test runs / hot
+// reload); the flag makes it idempotent. The handler reads live module
+// state at exit time, so a later re-init is still covered.
+var _exitHandlerRegistered = false;
 var dataDir   = null;
 var initialized = false;
 var dataResidency = null;   // operator's declared region config (validated by storage backends)
@@ -1436,10 +1442,16 @@ async function init(opts) {
 
     // Final encrypt on process exit. We don't try to unlink the plaintext
     // here — the SQLite handle may still be open, and the OS reclaims tmpfs
-    // on reboot anyway. close() does the orderly shutdown.
-    process.on("exit", function () {
-      try { encryptToDisk(); } catch (_e) { /* exit handler — silent */ }
-    });
+    // on reboot anyway. close() does the orderly shutdown. Registered ONCE
+    // (guarded by the module flag) — re-registering per init() leaked an
+    // 'exit' listener on every init/close cycle. The handler reads live
+    // module state, so it still flushes whatever DB is open at exit.
+    if (!_exitHandlerRegistered) {
+      _exitHandlerRegistered = true;
+      process.on("exit", function () {
+        try { if (atRest === "encrypted") encryptToDisk(); } catch (_e) { /* exit handler — silent */ }
+      });
+    }
   }
 
   log("ready (mode: " + atRest + ", path: " + dbPath + ")");

package/lib/redis-client.js

@@ -182,6 +182,11 @@ function create(opts) {
   var connected = false;
   var connecting = false;
   var closing = false;
+  // Tracked + unref'd reconnect timer. Tracked so close() can cancel a
+  // pending backoff (otherwise a reconnect scheduled before close fires
+  // after it and opens a fresh socket); unref'd so a backoff window doesn't
+  // by itself keep the event loop alive (the process-won't-exit class).
+  var reconnectTimer = null;
   var rxBuffer = Buffer.alloc(0);
   // FIFO of in-flight commands awaiting a response
   var pending = [];
@@ -210,7 +215,11 @@ function create(opts) {
     }
     reconnectAttempt++;
     var delay = Math.min(C.TIME.seconds(30), 100 * Math.pow(2, reconnectAttempt - 1));
-    setTimeout(function () { _connect().catch(function () { /* will reschedule */ }); }, delay);
+    reconnectTimer = setTimeout(function () {
+      reconnectTimer = null;
+      _connect().catch(function () { /* will reschedule */ });
+    }, delay);
+    if (typeof reconnectTimer.unref === "function") reconnectTimer.unref();
   }
 
   function _drainPending(err) {
@@ -290,6 +299,9 @@ function create(opts) {
   }
 
   async function _connect() {
+    // A reconnect timer scheduled before close() can still fire afterward;
+    // refuse to re-open once closing so it doesn't leak a fresh socket.
+    if (closing) return;
     if (connected) return;
     if (connecting) {
       // Wait until current connect attempt resolves
@@ -423,6 +435,7 @@ function create(opts) {
 
   async function close() {
     closing = true;
+    if (reconnectTimer) { clearTimeout(reconnectTimer); reconnectTimer = null; }
     var err = _err("CLOSED", "redis client closed");
     _drainPending(err);
     if (socket) {

package/lib/subject.js

@@ -257,6 +257,11 @@ function rectify(subjectId, opts) {
  * override an active hold (FRCP Rule 26/37(e), GDPR Art 17(3)(e),
  * SEC Rule 17a-4, HIPAA §164.530(j)(2)).
  *
+ * Security: any `actor` recorded here is an audit-record field, NOT
+ * authentication. This primitive gates the deletion on acknowledgements
+ * and the legal-hold registry, not on caller identity — the caller MUST be
+ * authenticated and authorized by your route before invoking.
+ *
  * Returns `{ rowsDeleted, perTable }`. Use `b.subject.eraseHard` when
  * residual ciphertext in WAL / replicas / backups must also be made
  * undecryptable.
@@ -383,7 +388,9 @@ function erase(subjectId, opts) {
  * Art. 17 erasure shape the framework offers.
  *
  * Same legal-hold + acknowledgement gates as `b.subject.erase`.
- * Leader-only. Returns `{ rowsDeleted, perRowKeysDestroyed, perTable }`.
+ * Security: the `actor` is an audit-record field, not authentication —
+ * authorize the caller upstream. Leader-only.
+ * Returns `{ rowsDeleted, perRowKeysDestroyed, perTable }`.
  *
  * @opts
  *   reason:           string,    // ticket reference recorded in the audit event

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.39",
+  "version": "0.13.41",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:8c1e3aad-b831-4d99-b528-7ca57a3a6ba3",
+  "serialNumber": "urn:uuid:857f3ba9-146d-4174-ba61-fed4e89f9c16",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-29T17:14:11.141Z",
+    "timestamp": "2026-05-29T18:38:58.148Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.39",
+      "bom-ref": "@blamejs/core@0.13.41",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.39",
+      "version": "0.13.41",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.39",
+      "purl": "pkg:npm/%40blamejs/core@0.13.41",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.39",
+      "ref": "@blamejs/core@0.13.41",
       "dependsOn": []
     }
   ]