@blamejs/core 0.13.40 → 0.13.41

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.41 (2026-05-29) — **Agent registry reads can be tenant-scoped; compliance-erasure docs clarify actor is an audit field.** The agent orchestrator's registry reads (list and lookup) gated only on the flat agent-registry:read scope, so any holder could enumerate every tenant's agents and resolve a handle to one — even though the event bus already scopes subscribe and delivery by tenant. The orchestrator now mirrors that: with the new tenantScope option enabled, list returns only the actor's own tenant's agents and lookup refuses a cross-tenant name, unless the actor holds the framework cross-tenant-admin scope. Off by default, so single-tenant deployments are unaffected. Separately, the subject-erasure docs now state explicitly that the recorded actor is an audit field, not authentication — the caller must be authorized upstream. **Added:** *Tenant-scoped agent registry reads (opts.tenantScope)* — `b.agent.orchestrator.create({ tenantScope: true })` now scopes `list` and `lookup` to the calling actor's tenant: `list` filters out agents in other tenants and `lookup` returns null for a cross-tenant name, unless the actor holds the cross-tenant-admin scope (`b.agent.tenant.CROSS_TENANT_ADMIN_SCOPE`). This closes a cross-tenant metadata-enumeration and handle-acquisition path — `agent-registry:read` alone no longer exposes other tenants' agents — and mirrors the tenant scoping the event bus enforces on subscribe and delivery. The option defaults off; existing single-tenant orchestrators behave exactly as before. The `tenantId` argument to `list` remains a convenience filter, distinct from this authorization boundary. **Changed:** *Subject-erasure docs clarify the actor is an audit field, not authentication* — `b.subject.erase` and `b.subject.eraseHard` gate the deletion on operator acknowledgements and the legal-hold registry, not on caller identity. Their documentation now states explicitly that the recorded `actor` is an audit-record field, not authentication — the caller MUST be authenticated and authorized by the route before invoking. No behavior change; this removes an implicit assumption that could otherwise be read as the primitive authorizing the call.
+
 - v0.13.40 (2026-05-29) — **Redis client stops leaking a socket and blocking exit after close; DB exit-handler registers once.** Two handle-lifecycle fixes. The Redis client's reconnect backoff used an untracked, non-unref'd timer: during a backoff window it alone could keep the event loop alive (a process that won't exit), and a reconnect scheduled before close() fired afterward and opened a fresh socket because the connect path didn't re-check the closing flag. The timer is now tracked, unref'd, cancelled in close(), and the connect path refuses to re-open once closing. Separately, the encrypted database registered its process-exit final-flush handler on every init(), so repeated init/close cycles (long test runs, hot reload) accumulated 'exit' listeners toward the MaxListenersExceeded warning; it now registers once for the process lifetime. **Fixed:** *Redis client cancels its reconnect timer on close and won't re-open a closed connection* — The reconnect backoff scheduled `setTimeout(reconnect, delay)` without keeping a handle, without `unref()`, and the reconnect path checked only `connected`/`connecting` — not `closing`. So a backoff window could by itself hold the process open (it won't exit), and a reconnect scheduled before `close()` would fire afterward and open a fresh socket with listeners — a leak after explicit close. The timer is now tracked and `unref()`'d (a backoff no longer blocks exit), cancelled in `close()`, and the connect path returns early once closing so no socket is opened after close. · *Encrypted DB registers its process-exit flush handler once, not per init()* — `b.db.init()` in encrypted mode added a `process.on("exit")` final-flush handler on every call. Across repeated init/close cycles — long test suites, hot reload, embedded re-inits — these accumulated and tripped Node's MaxListenersExceeded warning (and grew memory slightly). The handler is now registered once for the process lifetime, guarded by a module flag, and still flushes whichever encrypted DB is open at exit time.
 
 - v0.13.39 (2026-05-29) — **Dual-control approvals are atomic — no quorum bypass or double-consume under concurrency.** The dual-control approval store read a grant, mutated it in memory, and wrote it back with an await in between — a non-atomic read-modify-write. Under concurrent calls (two approvals, or a retried one) each could act on a stale snapshot: the same approver could be appended twice and reach the M-of-N quorum with a single human, or a single-use grant could be consumed twice. approve / consume / revoke / cancel now commit through a new atomic cache.update primitive, so the check and the mutation are one indivisible step. The new b.cache.update is available to application code too — the memory backend is atomic by single-thread, and the cluster backend uses a transaction with compare-and-set so a concurrent writer on another node cannot lose an update. **Added:** *b.cache.update(key, mutatorFn, opts?) — atomic read-modify-write* — Reads the current value, calls `mutatorFn(current | null)`, and commits the result in one operation so a concurrent writer cannot clobber the change — the lost-update race that makes a plain `get` → mutate → `set` unsafe for counters, sets, and quorum state. The memory backend is atomic by single-thread; the cluster backend runs a transaction with a compare-and-set (and retries on contention) so the guarantee holds across nodes. `mutatorFn` returns `{ value }` to commit, `{ abort: data }` to leave the entry untouched and surface `data`, or `{ delete: true }` to remove it; the call resolves to `{ updated, value }`, `{ updated, deleted }`, or `{ aborted }`. **Security:** *Dual-control quorum and single-use guarantees hold under concurrent approvals* — `b.dualControl` persisted each grant through a cache read → in-memory mutate → write-back. Because the read and the write were separate awaited steps, two concurrent `approve` calls (or a retried one behind a load balancer) could each read the same pre-approval snapshot, so the duplicate-approver guard passed twice and the same approver was counted toward the M-of-N quorum twice — reaching quorum with one human. The same shape let two concurrent `consume` calls each see an unconsumed grant and both run the destructive operation. `approve` / `consume` / `revoke` / `cancel` now perform the check-and-mutate atomically via `cache.update`, so exactly one concurrent caller wins each transition.

package/lib/agent-orchestrator.js

@@ -64,6 +64,7 @@ var cluster           = lazyRequire(function () { return require("./cluster"); }
 var vault             = lazyRequire(function () { return require("./vault"); });
 var cryptoField       = lazyRequire(function () { return require("./crypto-field"); });
 var safeJson          = require("./safe-json");
+var agentTenant       = lazyRequire(function () { return require("./agent-tenant"); });
 
 var AgentOrchestratorError = defineClass("AgentOrchestratorError", { alwaysPermanent: true });
 
@@ -168,6 +169,12 @@ function create(opts) {
     cluster:     clusterImpl,
     audit:       auditImpl,
     permissions: permissions,
+    // When true, registry reads (list / lookup) are scoped to the actor's
+    // tenant — an actor only sees / resolves agents in its own tenant
+    // unless it holds the cross-tenant-admin scope. Mirrors the tenant
+    // scoping agent-event-bus enforces on subscribe / delivery. Off by
+    // default (single-tenant deployments are unaffected).
+    tenantScope: opts.tenantScope === true,
     spawnedConsumers: [],
     streams:     new Map(),
     elections:   new Map(),
@@ -358,6 +365,19 @@ async function _unregister(ctx, name, args) {
 async function _lookup(ctx, name, args) {
   guardAgentRegistry.validate({ kind: "lookup", name: name }, {});
   _checkPermission(ctx, args.actor, "agent-registry:read");
+  // Tenant-scope gate: the row's declared tenant gates access even to a
+  // live in-process ref, so an actor can't acquire a handle to another
+  // tenant's agent. Consult the backend row (it exists as a metadata
+  // declaration even where a live ref is hydrated).
+  if (ctx.tenantScope) {
+    var sealedRow = await ctx.backend.get(name);
+    var declRow = sealedRow ? _unsealRegistryRow(sealedRow) : null;
+    if (declRow && !_tenantAllows(ctx, args.actor, declRow.tenantId)) {
+      _safeAudit(ctx, "agent.orchestrator.lookup_denied", args.actor,
+        { name: name, reason: "cross-tenant" });
+      return null;
+    }
+  }
   // Live agent ref lives in-process; the backend row exists only as
   // a metadata declaration. In multi-process deployments each process
   // hydrates its own liveAgents map by calling register() locally.
@@ -383,6 +403,10 @@ async function _list(ctx, args) {
   return rows.filter(function (r) {
     if (args.kind && r.kind !== args.kind) return false;
     if (args.tenantId && r.tenantId !== args.tenantId) return false;
+    // Tenant-scope gate: drop rows the actor's tenant may not see, so
+    // enumeration can't disclose other tenants' agents. The args.tenantId
+    // above is a caller-supplied FILTER, not an authorization boundary.
+    if (!_tenantAllows(ctx, args.actor, r.tenantId)) return false;
     return true;
   }).map(function (r) {
     return {
@@ -753,6 +777,21 @@ function _checkPermission(ctx, actor, scope) {
   }
 }
 
+// Tenant-scope gate for registry reads. Returns true when the actor may
+// see / resolve an agent row in `rowTenantId`: scoping disabled, the actor
+// holds the cross-tenant-admin scope, or the actor's tenant matches the
+// row's. Mirrors agent-tenant's CROSS_TENANT_ADMIN_SCOPE check so registry
+// enumeration can't leak agents (or hand out live refs) across tenants.
+function _tenantAllows(ctx, actor, rowTenantId) {
+  if (!ctx.tenantScope) return true;
+  if (ctx.permissions && actor &&
+      ctx.permissions.check(actor, agentTenant().CROSS_TENANT_ADMIN_SCOPE)) {
+    return true;
+  }
+  var actorTenant = (actor && actor.tenantId) || null;
+  return actorTenant !== null && actorTenant === (rowTenantId || null);
+}
+
 function _safeAudit(ctx, action, actor, metadata) {
   agentAudit.safeAudit(ctx.audit, action, actor, metadata);
 }

package/lib/subject.js

@@ -257,6 +257,11 @@ function rectify(subjectId, opts) {
  * override an active hold (FRCP Rule 26/37(e), GDPR Art 17(3)(e),
  * SEC Rule 17a-4, HIPAA §164.530(j)(2)).
  *
+ * Security: any `actor` recorded here is an audit-record field, NOT
+ * authentication. This primitive gates the deletion on acknowledgements
+ * and the legal-hold registry, not on caller identity — the caller MUST be
+ * authenticated and authorized by your route before invoking.
+ *
  * Returns `{ rowsDeleted, perTable }`. Use `b.subject.eraseHard` when
  * residual ciphertext in WAL / replicas / backups must also be made
  * undecryptable.
@@ -383,7 +388,9 @@ function erase(subjectId, opts) {
  * Art. 17 erasure shape the framework offers.
  *
  * Same legal-hold + acknowledgement gates as `b.subject.erase`.
- * Leader-only. Returns `{ rowsDeleted, perRowKeysDestroyed, perTable }`.
+ * Security: the `actor` is an audit-record field, not authentication —
+ * authorize the caller upstream. Leader-only.
+ * Returns `{ rowsDeleted, perRowKeysDestroyed, perTable }`.
  *
  * @opts
  *   reason:           string,    // ticket reference recorded in the audit event

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.40",
+  "version": "0.13.41",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:949239a7-6f00-4f14-9e96-43c3b5935fb9",
+  "serialNumber": "urn:uuid:857f3ba9-146d-4174-ba61-fed4e89f9c16",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-29T17:53:59.118Z",
+    "timestamp": "2026-05-29T18:38:58.148Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.40",
+      "bom-ref": "@blamejs/core@0.13.41",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.40",
+      "version": "0.13.41",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.40",
+      "purl": "pkg:npm/%40blamejs/core@0.13.41",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.40",
+      "ref": "@blamejs/core@0.13.41",
       "dependsOn": []
     }
   ]