@blamejs/core 0.14.11 → 0.14.13

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.14.x
 
+- v0.14.13 (2026-05-31) — **Close advertised-but-missing surface: SRS1 chained forwarding, DCQL array-wildcard claim paths, and in-memory safe-archive extraction.** Three primitives advertised a capability in their documentation or card but refused or omitted it at runtime; this release implements each. b.mail.srs gains srs1Rewrite for the SRS1 double-forward (and multi-hop) case — previously the @intro described SRS1 and create() threw, pointing at a function that was never exported. b.safeArchive gains extractToMemory, the in-memory counterpart to extract for read-only / serverless filesystems — previously the card advertised in-memory extraction but the orchestrator required a destination directory. b.auth.oid4vp.matchDcql now honours a null claims-path segment as the array wildcard the OpenID4VP DCQL spec defines, rather than refusing it as unsupported while the card advertised DCQL. A stale version-pinned wording in a safe-archive error message is corrected. Every change is additive or message-only — no existing caller changes behaviour. **Added:** *`b.mail.srs` SRS1 chained forwarding — `srs1Rewrite`* — `b.mail.srs.create(...)` now returns `srs1Rewrite` alongside `rewrite` / `reverse`. `srs1Rewrite(srsAddress)` chains an already-SRS0 (or SRS1) envelope-from for a further forwarding hop: it keeps the original SRS0 body verbatim, prepends the SRS0 originator's domain, and binds the pair with this forwarder's own HMAC-SHA-256 tag — no new timestamp, no repeated original local-part — emitting `SRS1=tag=originator==<SRS0-body>@thisForwarder`. `reverse()` now detects an SRS1 address, verifies this hop's tag and forwarder-domain binding, and unwraps exactly one hop back to the originator's SRS0 so a multi-hop bounce routes straight to the forwarder that can recover the original sender. Typed failure modes: `srs/not-srs0` (input not SRS-encoded), `srs/malformed` (missing the `==` separator), `srs/bad-tag` (tampered), `srs/too-long` (chain exceeds the RFC 5321 256-octet path limit). Implements the Sender Rewriting Scheme SRS1 wire format; the second-hop SPF rationale is RFC 7208 §2.4. · *`b.safeArchive.extractToMemory` — in-memory safe extraction* — An async generator counterpart to `b.safeArchive.extract` for read-only / serverless filesystems: it resolves the source, sniffs the format, auto-unwraps recipient (`BAWRP`) / passphrase (`BAWPP`) envelopes, and dispatches to the zip / tar / tar.gz reader's in-memory `extractEntries()`, yielding `{ name, bytes, size }` per regular-file entry without ever writing to disk. It takes no `destination`. Every defense the disk path runs applies unchanged: the zip-bomb caps (entry-count / per-entry / total / expansion-ratio), the `b.guardArchive` metadata cascade (Zip-Slip / path-traversal / symlink-escape / encrypted-entry refusal, CVE-2025-3445 class), and the entry-type policy. The disk-only realpath-agreement check (CVE-2025-4517 PATH_MAX TOCTOU defense) is intentionally absent — there is no extraction root — so the archive-level name refusals carry containment. Trusted-stream sources are refused upfront (the adversarial-safe central-directory walk needs random access). gzip magic per RFC 1952 §2.3.1. **Fixed:** *OID4VP DCQL `null` claim-path segment now resolves the array wildcard* — `b.auth.oid4vp.matchDcql` previously threw `auth-oid4vp/null-path-segment-not-supported` for a `null` claims-path segment while the namespace card advertised DCQL — under-disclosing a legitimate presentation (CWE-863). Per OpenID4VP 1.0 §7.1.1 a `null` segment selects all elements of the array at that depth; the matcher now recurses over array elements with existence semantics (with DCQL value-matching applied to any selected leaf), composed to arbitrary depth. A `null` segment on a non-array node — like an integer index into a non-array, or a string key into an array — is a clean non-match, not a thrown error, because the matcher walks holder credential data rather than operator config. String and integer claim paths are byte-identical to before; only queries that previously threw now succeed or fail cleanly. · *safe-archive trusted-stream refusal message no longer cites a stale version* — The thrown `safe-archive/trusted-stream-unsupported` message and its comment claimed trusted-stream extraction was "deferred to v0.12.8 / when the v0.12.8 sequential extract path lands." That path shipped long ago — `b.archive.read.zip.fromTrustedStream` and the tar sequential mode exist — so the message now points at them as present capabilities and drops the version-pinned wording. The error code is unchanged. **Detectors:** *A primitive may not advertise a capability and then throw an unimplemented stub* — A new check flags a bare `not yet supported` / `operator demand TBD` / `not supported in v1` refusal in a lib throw string (comments excluded). A defer is only complete with a written re-open condition; the SRS1 and DCQL stubs that this release implements both carried this bare-defer shape, and the detector keeps it from re-entering. · *DCQL `null` path segments must recurse, never refuse* — A new check flags the `null path segment not supported` refusal shape in `lib/auth/oid4vp.js`, so the spec-mandated array wildcard cannot be re-stubbed. · *`extractToMemory` must stay disk-free* — A new check flags any `writeFileSync` / `renameSync` / `mkdirSync` / `createWriteStream` inside the `extractToMemory` generator body, so the read-only / serverless contract cannot regress into a disk write.
+
+- v0.14.12 (2026-05-31) — **Vault key rotation re-seals AAD-bound storage under the new root instead of silently orphaning it.** Every AAD-sealed cell derives its key from the live vault root, so rotating the vault keypair changes those keys. `b.vaultRotate.rotate` previously re-sealed only legacy `vault:`-prefixed cells in `db.enc` and skipped `vault.aad:` cells, AAD-bound at-rest files, and operator-supplied AAD stores — leaving them encrypted under the retired keypair while still returning a success result and a passing round-trip verify, so the loss was invisible until the old keypair was discarded and the cells became permanently undecryptable. Rotation now re-seals `db.enc` (preserving its dataDir-bound AAD), `db.key.enc` (location-bound), every `{ aad: true }` table column, and the overflow store under the new root; refuses up front with a fail-closed error when operator-supplied AAD stores (agent idempotency / orchestrator / tenant / snapshot) are reachable unless each has been re-sealed via its module hook and explicitly acknowledged; and the round-trip verify now decrypts AAD-sealed cells under the new root and treats any cell that still opens under the old root as a regression. New explicit-root `b.vault.aad` seal / unseal / reseal primitives carry a cell from the old root to the new one while preserving its AAD tuple; `b.archive.rewrapTenant` re-wraps tenant-scoped archive envelopes; and `b.cluster` can adopt a rotated vault-key fingerprint instead of partitioning the membership during a rolling rotation. **Added:** *`b.vault.aad.sealRoot` / `unsealRoot` / `resealRoot`* — Explicit-root variants of the AAD seal / unseal that take a root-keypair JSON (`b.vault.getKeysJson()` output) instead of reading the live vault singleton. `resealRoot(value, aadParts, oldRootJson, newRootJson)` opens a cell under the old root and re-seals it under the new one while preserving the same AAD tuple (`table` / `rowId` / `column` / `schemaVersion`), which is what lets a rotation worker move AAD-bound state across a keypair change without altering the bound context. The default-root `b.vault.aad.seal` / `unseal` behaviour is unchanged. · *Per-store AAD re-seal hooks on the agent primitives* — `b.agent.idempotency.reseal`, `b.agent.orchestrator.reseal`, `b.agent.snapshot.reseal`, and the `b.agent.tenant` registry / tenant-cell reseal paths re-seal that module's AAD-bound rows from an old root to a new root over the operator's own store. Each module also exposes an `AAD_ROTATION` descriptor naming the store the rotation pipeline cannot reach on its own, so an operator can enumerate exactly what to re-seal before a rotation. · *`b.archive.rewrapTenant`* — Re-wraps a `recipient: "tenant"` archive envelope from an old vault root to a new one for a given `tenantId`, so a keypair rotation does not strand tenant-scoped archives. Opens the blob under the old root + tenantId, refuses a blob that is not a tenant-recipient envelope or that does not open under the supplied old root, and emits a fresh envelope bound to the new root. This is offered alongside the documented re-export path (decrypt with the old keypair, re-archive with the new one) for operators who hold the envelope but not the source. · *Cluster vault-key rotation acceptance* — A vault-key rotation changes the public-key fingerprint recorded in the canonical cluster-state row, which a peer would otherwise report as `VAULT_KEY_DRIFT`. `b.cluster` configuration gains `acceptVaultKeyRotation: true` to declare the change legitimate — the node adopts the rotated fingerprint and bumps a rotation epoch instead of refusing — and an optional `expectedVaultKeyFp` that narrows acceptance to a single blessed post-rotation fingerprint. The drift guard stays in force whenever a rotation is not declared; supplying `expectedVaultKeyFp` without `acceptVaultKeyRotation` is rejected at configuration time as a misconfiguration. **Changed:** *`b.vaultRotate.rotate` refuses when reachable AAD stores are not acknowledged* — Because the rotation pipeline walks only `db.enc` and cannot introspect an operator's own AAD-backed stores, it now detects which AAD-store modules are loadable and throws `vault-rotate/external-aad-unresealed` unless `opts.externalAadResealed` is either `true` (you do not use those features) or an array naming every detected store (you have re-sealed each via its hook). This converts a path that previously discarded data and reported success into a fail-closed gate. The error names each store and the hook to call. **Fixed:** *Rotation re-seals `vault.aad:` cells and AAD-bound at-rest files* — `db.enc` is re-written bound to its dataDir-scoped AAD (it was previously re-written un-bound, silently stripping the at-rest AAD binding on every rotation), `db.key.enc` retains its location-bound AAD, and every `{ aad: true }` table column plus the overflow store is re-sealed under the new root. Previously only `vault:`-prefixed cells were carried across, so AAD-sealed data was left encrypted under the retired keypair and lost once it was discarded. · *Round-trip verify no longer reports a false success* — `b.vaultRotate.verify` now samples and decrypts AAD-sealed cells under the new root and treats any cell that still decrypts under the old root as a regression, so an incomplete rotation fails verification instead of passing it. The prior verify checked only `vault:` cells and therefore reported `ok` even when AAD-sealed cells had been orphaned. **Security:** *A vault key rotation can no longer silently destroy encrypted data* — The orphaning path lost agent idempotency / orchestrator / tenant / snapshot state, `{ aad: true }` columns, and tenant archives with no error and a passing verify; the data became unrecoverable the moment the old keypair was retired. Rotation is now fail-closed end to end: it re-seals what it can reach, refuses to proceed past what it cannot until you acknowledge it, and verifies the result under the new root. If you performed a rotation on v0.14.11 or earlier and still hold the retired keypair, re-seal the affected cells under the current root with the explicit-root primitives before discarding it. **Detectors:** *AAD-backed store modules must expose a rotation reseal path* — A new check flags a module that registers an external `{ aad: true }` store but does not expose an `AAD_ROTATION` descriptor and reseal hook, which would leave its state unreachable by the rotation pipeline. · *A root-keyed seal family must ship its reseal* — A new check flags adding a `sealRoot` / `unsealRoot` pair without the matching `resealRoot`, since without it a rotated cell cannot be carried from the old root to the new one. · *Live-root AAD seals need a reseal path* — A new check flags a primitive that AAD-seals under the live vault root without a way to re-seal that state under a new root during rotation. · *Tenant archive re-wrapping must compose `b.archive.rewrapTenant`* — A new check flags tenant-scoped archive re-wrapping that opens and re-seals a tenant envelope by hand instead of routing through `b.archive.rewrapTenant`. · *Cluster vault-key drift needs the rotation-epoch accept gate* — A new check flags a cluster vault-key fingerprint comparison that hard-rejects a mismatch without honouring the `acceptVaultKeyRotation` epoch window. **Migration:** *Re-seal operator AAD stores before rotating* — Before calling `b.vaultRotate.rotate`, re-seal each AAD-backed store you use via its hook (`b.agent.idempotency.reseal`, `b.agent.orchestrator.reseal`, `b.agent.snapshot.reseal`, the `b.agent.tenant` `AAD_ROTATION` reseal paths) with the old and new root JSON, re-wrap tenant archives with `b.archive.rewrapTenant`, then pass `opts.externalAadResealed` as an array naming each re-sealed store. If you use none of these features, pass `opts.externalAadResealed: true`. Declare the rotation to each cluster node with `acceptVaultKeyRotation: true` so the membership adopts the new fingerprint rather than reporting drift.
+
 - v0.14.11 (2026-05-31) — **Defensive LLM model-I/O primitives, C2PA timestamp countersignatures with CAWG identity assertions, and signed EU AI Act GPAI adherence declarations.** Closes the output side of the LLM trust boundary and hardens content provenance and AI-Act attestation. b.ai.output.sanitize treats model output as untrusted and neutralizes XSS, gates every markdown-image / link and HTML src/href URL against SSRF (the EchoLeak zero-click exfiltration class, CVE-2025-32711), and flags SQL- and command-shaped fragments; b.ai.output.redact strips PII and secret disclosures. b.ai.input.classifyWithSources classifies a prompt together with its retrieval-augmented sources under a stricter, trust-tier-relative threshold, and the new b.ai.prompt namespace assembles prompts with escape-by-default boundaries — untrusted context / user segments are fenced in a per-render crypto-nonce delimiter the content cannot forge and stripped of bidi, control, zero-width, and Unicode-Tags smuggling characters. b.contentCredentials COSE signatures now carry an RFC 3161 timestamp countersignature (C2PA sigTst2, RFC 9921) verified entirely through b.tsa, so a signed manifest stays verifiable after its signing certificate expires, plus a CAWG identity assertion with trust-anchored verification. b.compliance.aiAct.gpai.declareAdherence emits a tamper-evident, ML-DSA-87-signed GPAI Code-of-Practice adherence declaration whose obligation set is derived from the regulation rather than operator-asserted. **Added:** *`b.ai.output.sanitize` and `b.ai.output.redact`* — A new `b.ai.output` namespace that treats LLM output as untrusted before it reaches a browser, a downstream fetcher, a SQL / command sink, or a log. `sanitize(text, opts)` neutralizes active markup via `b.guardHtml`, gates every markdown image / link and HTML `src` / `href` URL through `b.safeUrl.parse` (scheme + credential) and `b.ssrfGuard.classify` (internal / loopback / link-local / cloud-metadata IP-range) so auto-fetch URLs to attacker or internal hosts are neutralized, and flags SQL- and command-shaped fragments rather than silently repairing them. `redact(text, opts)` strips PII and secret disclosures via `b.redact` plus an entity-selectable pass (`pan` / `ssn` / `ein` / `iban` / `jwt` / `aws` / `phi` / `email` / `phone`). Defends OWASP LLM05:2025 Improper Output Handling and LLM02:2025 Sensitive Information Disclosure; the markdown-image URL gate closes the EchoLeak zero-click exfiltration class (CVE-2025-32711, CVSS 9.3). · *`b.ai.input.classifyWithSources`* — Classifies a prompt together with its retrieval-augmented (RAG) sources, applying a stricter, trust-tier-relative threshold to retrieved data. Each source is `{ id, text, trust? }` with `trust` of `trusted` / `internal` / `untrusted` (unset defaults to `untrusted`, fail-closed); untrusted and internal sources escalate to `suspicious` on a single severity-2 signal and to `malicious` on any severity-3, where the direct prompt keeps the baseline threshold. The aggregate verdict is the worst across the prompt and all sources, and every malicious source is reported in `taintedSources`. Defends indirect prompt injection from poisoned context (OWASP LLM01:2025; NIST AI 600-1). · *`b.ai.prompt.template`* — A new `b.ai.prompt` namespace for assembling LLM prompts with escape-by-default boundaries. The `system` segment is operator-trusted; `context` and `user` segments are treated as untrusted (no global opt-out — mark a segment `{ text, trusted: true }` individually). Untrusted segments are wrapped in a per-render, high-entropy delimiter nonce the content cannot forge, with any forged boundary stripped before wrapping (spotlighting / datamarking, Microsoft 2024; NIST AI 100-2e2025), and stripped of bidi overrides (CVE-2021-42574 Trojan Source), C0 controls, zero-width characters, null bytes, and Unicode Tags (U+E0000..U+E007F ASCII-smuggling). Run `b.ai.input.refuseIfMalicious` on the untrusted content as defense in depth. · *C2PA RFC 3161 timestamp countersignature and CAWG identity assertion* — `b.contentCredentials.signCose` attaches an RFC 3161 timestamp countersignature (C2PA `sigTst2`, RFC 9921) and `b.contentCredentials.verifyCose` verifies it. Pass `timestamp:{ token }` to embed a TimeStampToken, or `timestamp:{}` to get back the DER `application/timestamp-query` to POST to a timestamp authority. `b.contentCredentials.attachIdentityAssertion` / `verifyIdentityAssertion` add the CAWG Identity Assertion v1.2: a signed creator / organization identity hash-bound to a manifest's referenced assertions, where the `x509` binding reports `verified:true` only when an identity trust anchor is supplied and the leaf chain verifies, and the `identity-claims-aggregator` and self-asserted paths stay `verified:false`. · *`b.compliance.aiAct.gpai.declareAdherence` / `verifyAdherence`* — Signed, tamper-evident GPAI Code-of-Practice adherence declarations (Regulation (EU) 2024/1689 Art. 53(1)(a-d); Art. 55 for systemic-risk models under Art. 51(2)). The in-scope obligation set is derived from the classifier, never operator-asserted — a model at or above the 10^25-FLOP systemic-risk threshold that omits the Art. 55 chapter is refused. Each commitment's evidence reference must be a SHA3-512 digest; a malformed hash is rejected so a hollow attestation cannot bind. The declaration ships inside an ML-DSA-87-signed CycloneDX 1.6 ML-BOM via `b.ai.modelManifest`; verify re-canonicalizes before trusting any field and rejects a declaration past its validity window. Cites the GPAI Code of Practice (10 July 2025), Annex XI/XII, and Directive (EU) 2019/790 Art. 4(3). **Security:** *Model output is now an untrusted channel by default* — When feeding retrieved documents into an LLM, classify them with `b.ai.input.classifyWithSources` (untrusted sources escalate on a single signal) rather than trusting model input; assemble prompts with `b.ai.prompt.template` so untrusted context / user text is fenced in a per-render crypto-nonce boundary it cannot forge; and pass model output through `b.ai.output.sanitize` / `b.ai.output.redact` before it is rendered, fetched, or logged. Each primitive is on by default and fail-closed — no opt-in flag enables the protection. · *Timestamp verification routes only through `b.tsa.verifyToken`* — C2PA `sigTst2` verification performs the full RFC 3161 check (CMS signature over the signed attributes, messageDigest recompute, critical sole `id-kp-timeStamping` EKU) — never a chain-only shortcut — closing the timestamp-validation-bypass class (CVE-2025-52556, CWE-347). Supply `timestampTrustAnchorsPem` to `verifyCose` to check the timestamp certificate chain; `verifyCose` returns `{ valid, reason, claims, alg, timestamp }` and never throws. **Detectors:** *LLM output URLs must keep the SSRF gate* — A new check requires the output sanitizer to gate every extracted URL through both `b.safeUrl.parse` and `b.ssrfGuard.classify`, so the markdown-image SSRF gate (the EchoLeak class) cannot be silently dropped. · *RAG sources must compose `classifyWithSources`* — A new check flags any code that maps `b.ai.input.classify` over a sources array by hand, which would lose the trust-tier-relative threshold for retrieved data. · *Prompt boundaries must use a per-render nonce* — A new check flags prompt-assembly that wraps untrusted content in a fixed, guessable literal fence (`<user_input>`, `[DATA]`) instead of a per-render high-entropy delimiter the content cannot forge. · *C2PA timestamp verification must route through `b.tsa`* — A new check flags any bespoke certificate-chain-only walk on a timestamp token in place of `b.tsa.verifyToken`, preventing a re-introduction of the timestamp-validation-bypass class. · *GPAI adherence declarations must be signed* — A new check flags any code that emits the GPAI Code-of-Practice adherence property without routing it through the `b.ai.modelManifest` signed envelope, keeping the declaration tamper-evident.
 
 - v0.14.10 (2026-05-31) — **Full-text-search token hashes move to a keyed MAC; existing mail-store search indexes rebuild automatically on upgrade.** The mail-store full-text-search index hashed its tokens with a hand-rolled salted-SHA3 derived hash. It now routes through the framework's sealed-column hashing primitive in keyed mode (HMAC-SHAKE256 off the per-deployment MAC key), so a search-index token hash is unforgeable and un-correlatable across deployments without that key — the same posture the sealed-column lookup hashes already use. Because the keyed hash changes the stored token values, a mail-store opened after upgrade detects its index as old-format and rebuilds it once from the sealed message rows. The rebuild runs under a format marker: the index is marked `rebuilding` before it is cleared and only marked current after every row is re-hashed inside an explicit transaction, and search falls back to its cursor path (rather than returning partial hits) whenever the marker is not current — so an interrupted rebuild leaves the old index intact and queryable and retries on the next open, never serving a half-built index. A new `b.cryptoField.computeNamespacedHash` primitive backs the keyed hashing for callers that hash outside the registered-column path. **Added:** *`b.cryptoField.computeNamespacedHash`* — A mode-aware namespaced hash for indexed-lookup callers that hash a value outside the registered-column derived-hash path. `computeNamespacedHash(ns, value, { mode, truncateBytes })` routes through the same engine as `computeDerived` — `salted-sha3` (default) or the keyed `hmac-shake256` — with optional hex truncation. The mail-store full-text index is the first consumer. **Changed:** *Mail-store full-text index rehashes to a keyed MAC on upgrade* — The full-text-search token hash now uses `b.cryptoField.computeNamespacedHash` in `hmac-shake256` mode instead of a hand-rolled salted-SHA3. The first time a store is opened after upgrade, its index is detected as old-format and rebuilt once from the sealed message rows; subsequent opens are no-ops. Search is unaffected once the rebuild completes. The rebuild requires the vault to be initialized and fails closed (a clear error) at construction if it is not, rather than leaving a stale searchable index. **Security:** *Keyed, un-correlatable full-text-search token hashes* — A search-index token hash is now a keyed MAC over a per-deployment key, not a static-salted digest — it cannot be forged or correlated across deployments without that key, closing the low-entropy-token correlation gap on the search index. The index remains unrecoverable from a database dump alone, as before. **Detectors:** *Hand-rolled lookup-hash check covers the split form* — The check that requires sealed-column lookup hashes to compose the framework primitive now also catches the across-lines hand-roll (`var salt = getDerivedHashSalt(); var hex = salt.toString(...); sha3(hex + ns + value)`), not only the single-expression form, so the bypass that the mail-store index used can't reappear. **Migration:** *Automatic, one-time full-text index rebuild* — No operator action is required: the rebuild runs automatically and idempotently on first open after upgrade, atomically and crash-safe (an interrupted rebuild keeps the old index and retries). The only requirement is that the vault is initialized before the mail-store is constructed. One caveat for shared stores: do not run a pre-upgrade and post-upgrade node against the same backend file concurrently across this format change — the old node would write old-format hashes the new node cannot match. Roll the deployment fully across the upgrade. This re-open condition is lifted once all nodes are on 0.14.10 or later.

package/README.md

@@ -98,7 +98,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **At-rest envelope** — envelope-versioned PQC (ML-KEM-1024 + P-384 hybrid, XChaCha20-Poly1305, SHAKE256); vault sealing (`b.crypto`, `b.vault`)
 - **Power-on self-test** — `b.crypto.selfTest()` runs FIPS 140-3-style integrity checks: NIST FIPS 202 known-answer tests (SHA3-256/512, SHAKE256), AEAD round-trip + tamper-detect, and ML-KEM-1024 / ML-DSA-87 / SLH-DSA-SHAKE-256f pairwise-consistency + negative tests; fails closed (throws) on any mismatch
 - **Field-level + crypto-shred** — `b.cryptoField.eraseRow`; per-column data residency tagging + per-row keys (`K_row = HKDF(K_table, rowId)`) so erasing the per-row key makes WAL / replica residuals undecryptable (`b.cryptoField.declareColumnResidency`, `b.cryptoField.declarePerRowKey`)
-- **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`). The database encryption key is sealed the same way — bound to its purpose, data directory, and key path — so a relocated key file fails to unseal; an older unbound key upgrades itself on first load
+- **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`). The database encryption key is sealed the same way — bound to its purpose, data directory, and key path — so a relocated key file fails to unseal; an older unbound key upgrades itself on first load. A vault-key rotation re-seals every AAD-bound cell, the database key, and tenant archives under the new keypair and refuses rather than silently orphaning a store it cannot reach (`b.vaultRotate`, `b.vault.aad.resealRoot`, `b.archive.rewrapTenant`)
 - **Keyed lookup hashes** — sealed-column equality-lookup hashes default to salted SHA3-512 and can opt into a keyed `hmac-shake256` MAC off a per-deployment key (`cryptoField.registerTable({ derivedHashMode })`, `b.vault.getDerivedHashMacKey`), making the lookup hash unforgeable and un-correlatable across deployments
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
@@ -230,7 +230,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **i18n** — CLDR plural rules, Accept-Language negotiation, Intl formatters, RTL (`b.i18n`)
 - **CSV** — RFC 4180 with Excel formula-injection prevention (`b.csv`)
 - **IDs + slugs** — RFC 9562 UUID v4 + v7 (`b.uuid`); URL-safe slugs (`b.slug`)
-- **Time + archive** — TZ-aware datetime (`b.time`); ZIP creation + adversarial-safe read with bomb caps + path-traversal + LFH/CD-skew defense (`b.archive` + `b.archive.read.zip`); one-liner quarantine extraction (`b.safeArchive.extract`); in-memory extraction with no disk write for read-only / serverless filesystems (`b.archive.read.zip(...).extractEntries()` / `.tar`); fs / objectStore / http / buffer / trusted-stream adapter contract (`b.archive.adapters`); recipient-sealed envelopes — hybrid-PQC key-pair, peer certificate, or per-tenant key with no key-pair to manage (`b.archive.wrap({ recipient: "tenant", tenantId })`)
+- **Time + archive** — TZ-aware datetime (`b.time`); ZIP creation + adversarial-safe read with bomb caps + path-traversal + LFH/CD-skew defense (`b.archive` + `b.archive.read.zip`); one-liner quarantine extraction (`b.safeArchive.extract`); one-liner in-memory extraction with no disk write for read-only / serverless filesystems (`b.safeArchive.extractToMemory`, or the low-level `b.archive.read.zip(...).extractEntries()` / `.tar`); fs / objectStore / http / buffer / trusted-stream adapter contract (`b.archive.adapters`); recipient-sealed envelopes — hybrid-PQC key-pair, peer certificate, or per-tenant key with no key-pair to manage (`b.archive.wrap({ recipient: "tenant", tenantId })`)
 - **Pagination + forms** — HMAC-signed cursor pagination (`b.pagination`); HTML form rendering + validation + CSRF (`b.forms`)
 
 ### Production

package/lib/agent-idempotency.js

@@ -69,6 +69,8 @@ var safeJson          = require("./safe-json");
 var guardIdempotencyKey = require("./guard-idempotency-key");
 var agentAudit        = require("./agent-audit");
 var { boundedMap }    = require("./bounded-map");
+var vaultAad          = require("./vault-aad");
+var validateOpts      = require("./validate-opts");
 
 // The default in-memory backend is keyed on (method, actorId, keyHash) —
 // the key hash comes from request-supplied idempotency keys, so a flood of
@@ -540,10 +542,121 @@ function _safeAudit(auditImpl, action, actor, metadata) {
   agentAudit.safeAudit(auditImpl, action, actor, metadata);
 }
 
+// ---- Vault-key rotation: out-of-band reseal hook -------------------------
+//
+// The cached-result column is AAD-sealed on an OPERATOR-SUPPLIED backing
+// store (opts.store / the in-memory default), NOT in the framework's db.enc.
+// The vault-key rotation pipeline (b.vaultRotate.rotate) only walks tables
+// that live inside db.enc, so it cannot reach this store — the rows would be
+// ORPHANED under the old vault root after a rotation (CWE-320 cryptographic-
+// key-management failure: ciphertext stranded under a retired key, then
+// unreadable once the old keypair is destroyed). This reseal hook lets an
+// operator rotate the store out-of-band, composing the SAME explicit-root
+// primitive the in-tree pipeline uses (vaultAad.resealRoot) and the SAME
+// AAD builder the seal path used (cryptoField._aadParts) so the re-sealed
+// AAD tuple is byte-identical — one source of truth, no drift.
+//
+// Reseal store contract (the durable SQL / Redis backend the operator
+// already wired for opts.store also exposes):
+//   - listAll()        → array of every stored row (each row carries the
+//                        sealed `resultBlob` column + its keyHash identity).
+//   - putResealed(row) → write the row back, addressed by its own stored
+//                        identity (keyHash). Distinct from the per-request
+//                        put(method, actorId, key) because reseal addresses
+//                        a row by the row identity already on disk, not by
+//                        the raw idempotency key (which is never stored —
+//                        only its namespaced keyHash is).
+/**
+ * @primitive b.agent.idempotency.reseal
+ * @signature b.agent.idempotency.reseal(opts)
+ * @since      0.14.12
+ * @status     stable
+ * @compliance gdpr, soc2
+ * @related    b.vault.getKeysJson, b.cryptoField.sealRow
+ *
+ * Re-seals every AAD-bound cached-result cell on an operator-supplied
+ * store from the OLD vault keypair to the NEW one, out-of-band. The
+ * in-tree vault-key rotation pipeline only walks tables inside `db.enc`,
+ * so an operator-supplied idempotency store is unreachable to it — after a
+ * keypair rotation its cells would otherwise be orphaned under the retired
+ * root (CWE-320). Composes the same AAD-cell re-seal the rotation pipeline
+ * uses, rebuilding each cell's AAD from the registered schema (one source
+ * of truth). Only AAD-sealed cells are touched; plain rows pass through.
+ *
+ * @opts
+ *   store:       Object,   // { listAll(): rows[], putResealed(row) } (sync or async)
+ *   oldRootJson: string,   // b.vault.getKeysJson() of the retired keypair
+ *   newRootJson: string,   // b.vault.getKeysJson() of the new keypair
+ *
+ * @example
+ *   await b.agent.idempotency.reseal({ store: durableStore, oldRootJson: oldKeys, newRootJson: newKeys });
+ *   // → { table: "agent_idempotency", resealed: 12 }
+ */
+function reseal(args) {
+  args = args || {};
+  validateOpts.requireNonEmptyString(args.oldRootJson,
+    "reseal: oldRootJson (b.vault.getKeysJson() of the OLD keypair)",
+    AgentIdempotencyError, "agent-idempotency/bad-root");
+  validateOpts.requireNonEmptyString(args.newRootJson,
+    "reseal: newRootJson (b.vault.getKeysJson() of the NEW keypair)",
+    AgentIdempotencyError, "agent-idempotency/bad-root");
+  var store = args.store;
+  validateOpts.requireMethods(store, ["listAll", "putResealed"],
+    "reseal: operator store (so every persisted row can be re-sealed out-of-band)",
+    AgentIdempotencyError, "agent-idempotency/bad-reseal-store");
+  _ensureSealTable();
+  var schema = cryptoField().getSchema(SEAL_TABLE);
+  // listAll / putResealed may be sync (in-memory) or async (durable SQL /
+  // Redis). Thread both through Promise.resolve so either shape works.
+  return Promise.resolve(store.listAll()).then(function (rows) {
+    if (!Array.isArray(rows)) {
+      throw new AgentIdempotencyError("agent-idempotency/bad-reseal-store",
+        "reseal: store.listAll() must resolve to an array of rows");
+    }
+    var chain = Promise.resolve();
+    var resealed = 0;
+    rows.forEach(function (row) {
+      if (!row || typeof row !== "object") return;
+      var changed = false;
+      for (var f = 0; f < schema.sealedFields.length; f += 1) {
+        var column = schema.sealedFields[f];
+        var value = row[column];
+        // Only AAD-sealed cells need rotating. Vault-less / pre-sealing rows
+        // carry plain JSON; a plain `vault:` cell would have been written by
+        // a non-AAD path that doesn't exist for this table — leave both
+        // untouched (resealRoot would throw not-sealed on a plain value).
+        if (typeof value !== "string" || !vaultAad.isAadSealed(value)) continue;
+        var aadParts = cryptoField()._aadParts(schema, SEAL_TABLE, column, row);
+        row[column] = vaultAad.resealRoot(value, aadParts, args.oldRootJson, args.newRootJson);
+        changed = true;
+      }
+      if (changed) {
+        resealed += 1;
+        chain = chain.then(function () { return store.putResealed(row); });
+      }
+    });
+    return chain.then(function () { return { table: SEAL_TABLE, resealed: resealed }; });
+  });
+}
+
 module.exports = {
   create:                 create,
+  reseal:                 reseal,
   AgentIdempotencyError:  AgentIdempotencyError,
   guards: {
     key: guardIdempotencyKey,
   },
+  // AAD_ROTATION — the vault-key rotation descriptor every framework module
+  // that seals an {aad:true} table on an OPERATOR-SUPPLIED store (outside
+  // db.enc) exports, so an operator can register it with a rotation eager-
+  // sweep and the codebase-patterns detect-and-refuse gate can confirm no
+  // such external-store table is silently orphaned. `backend: "external"`
+  // flags that the in-tree b.vaultRotate.rotate pipeline cannot reach it.
+  AAD_ROTATION: {
+    table:         SEAL_TABLE,
+    rowIdField:    "keyHash",
+    schemaVersion: "1",
+    backend:       "external",
+    reseal:        reseal,
+  },
 };

package/lib/agent-orchestrator.js

@@ -58,6 +58,8 @@ var { defineClass }   = require("./framework-error");
 var guardAgentRegistry = require("./guard-agent-registry");
 var bCrypto           = require("./crypto");
 var agentAudit        = require("./agent-audit");
+var vaultAad          = require("./vault-aad");
+var validateOpts      = require("./validate-opts");
 
 var audit             = lazyRequire(function () { return require("./audit"); });
 var cluster           = lazyRequire(function () { return require("./cluster"); });
@@ -796,13 +798,119 @@ function _safeAudit(ctx, action, actor, metadata) {
   agentAudit.safeAudit(ctx.audit, action, actor, metadata);
 }
 
+// ---- Vault-key rotation: out-of-band reseal hook -------------------------
+//
+// Registry rows are AAD-sealed on an OPERATOR-SUPPLIED backend (opts.backend /
+// the in-memory default), NOT in the framework's db.enc. The vault-key
+// rotation pipeline (b.vaultRotate.rotate) only walks tables inside db.enc,
+// so it cannot reach this backend — sealed tenantId + metadata cells would be
+// ORPHANED under the old vault root after a rotation (CWE-320 cryptographic-
+// key-management failure: ciphertext stranded under a retired key, then
+// unreadable once the old keypair is destroyed). This reseal hook rotates the
+// backend out-of-band, composing the SAME explicit-root primitive the in-tree
+// pipeline uses (vaultAad.resealRoot) and the SAME AAD builder the seal path
+// used (cryptoField._aadParts) so the re-sealed AAD tuple is byte-identical —
+// one source of truth, no drift.
+//
+// Reseal store contract: the durable backend the operator wired for
+// opts.backend already exposes list() (enumerate every row) + set(name, row)
+// (write by name). The row identity column `name` is the AAD anchor and is
+// never sealed, so it is always present in plaintext for the write-back.
+// `tenantId` is a plain sealed string; `metadata` is a sealed JSON string —
+// both are AAD-sealed cells, so each is re-sealed in place under the same AAD
+// without unwrapping the metadata JSON.
+/**
+ * @primitive b.agent.orchestrator.reseal
+ * @signature b.agent.orchestrator.reseal(opts)
+ * @since      0.14.12
+ * @status     stable
+ * @compliance gdpr, soc2
+ * @related    b.vault.getKeysJson, b.cryptoField.sealRow
+ *
+ * Re-seals every AAD-bound registry cell (tenantId / metadata) on an
+ * operator-supplied backend from the OLD vault keypair to the NEW one,
+ * out-of-band. The in-tree vault-key rotation pipeline only walks tables
+ * inside `db.enc`, so an operator-supplied orchestrator backend is
+ * unreachable to it — after a keypair rotation its cells would otherwise be
+ * orphaned under the retired root (CWE-320). Rebuilds each cell's AAD from
+ * the registered schema (one source of truth); only AAD-sealed cells are
+ * touched. The `name` row-identity column is the AAD anchor and is never
+ * sealed, so it is always present for the write-back.
+ *
+ * @opts
+ *   store:       Object,   // { list(): rows[], set(name, row) } (the create() backend contract)
+ *   oldRootJson: string,   // b.vault.getKeysJson() of the retired keypair
+ *   newRootJson: string,   // b.vault.getKeysJson() of the new keypair
+ *
+ * @example
+ *   await b.agent.orchestrator.reseal({ store: backend, oldRootJson: oldKeys, newRootJson: newKeys });
+ *   // → { table: "agent_orchestrator_registry", resealed: 4 }
+ */
+function reseal(args) {
+  args = args || {};
+  validateOpts.requireNonEmptyString(args.oldRootJson,
+    "reseal: oldRootJson (b.vault.getKeysJson() of the OLD keypair)",
+    AgentOrchestratorError, "agent-orchestrator/bad-root");
+  validateOpts.requireNonEmptyString(args.newRootJson,
+    "reseal: newRootJson (b.vault.getKeysJson() of the NEW keypair)",
+    AgentOrchestratorError, "agent-orchestrator/bad-root");
+  var store = args.store;
+  validateOpts.requireMethods(store, ["list", "set"],
+    "reseal: operator store (same backend contract as create({ backend }))",
+    AgentOrchestratorError, "agent-orchestrator/bad-reseal-store");
+  _ensureSealTable();
+  var schema = cryptoField().getSchema(SEAL_TABLE);
+  return Promise.resolve(store.list()).then(function (rows) {
+    if (!Array.isArray(rows)) {
+      throw new AgentOrchestratorError("agent-orchestrator/bad-reseal-store",
+        "reseal: store.list() must resolve to an array of rows");
+    }
+    var chain = Promise.resolve();
+    var resealed = 0;
+    rows.forEach(function (row) {
+      if (!row || typeof row !== "object") return;
+      var changed = false;
+      for (var f = 0; f < schema.sealedFields.length; f += 1) {
+        var column = schema.sealedFields[f];
+        var value = row[column];
+        // Only AAD-sealed cells need rotating. Vault-less / pre-sealing rows
+        // carry plain values (sealRow leaves them untouched when vault-less);
+        // resealRoot would throw not-sealed on a plain value, so skip.
+        if (typeof value !== "string" || !vaultAad.isAadSealed(value)) continue;
+        var aadParts = cryptoField()._aadParts(schema, SEAL_TABLE, column, row);
+        row[column] = vaultAad.resealRoot(value, aadParts, args.oldRootJson, args.newRootJson);
+        changed = true;
+      }
+      if (changed) {
+        resealed += 1;
+        chain = chain.then(function () { return store.set(row.name, row); });
+      }
+    });
+    return chain.then(function () { return { table: SEAL_TABLE, resealed: resealed }; });
+  });
+}
+
 module.exports = {
   create:                   create,
   shardFor:                 shardFor,
+  reseal:                   reseal,
   AgentOrchestratorError:   AgentOrchestratorError,
   guards: {
     registry: guardAgentRegistry,
   },
+  // AAD_ROTATION — the vault-key rotation descriptor every framework module
+  // that seals an {aad:true} table on an OPERATOR-SUPPLIED backend (outside
+  // db.enc) exports, so an operator can register it with a rotation eager-
+  // sweep and the codebase-patterns detect-and-refuse gate can confirm no
+  // such external-store table is silently orphaned. `backend: "external"`
+  // flags that the in-tree b.vaultRotate.rotate pipeline cannot reach it.
+  AAD_ROTATION: {
+    table:         SEAL_TABLE,
+    rowIdField:    "name",
+    schemaVersion: "1",
+    backend:       "external",
+    reseal:        reseal,
+  },
   // Test-only — flush the salted FNV basis cache so a vault reset
   // between tests forces re-derivation.
   _resetForTest: function () { _saltedFnvBasisCache = null; },

package/lib/agent-snapshot.js

@@ -53,6 +53,8 @@ var bCrypto               = require("./crypto");
 var guardSnapshotEnvelope = require("./guard-snapshot-envelope");
 var agentAudit            = require("./agent-audit");
 var safeJson              = require("./safe-json");
+var vaultAad              = require("./vault-aad");
+var validateOpts          = require("./validate-opts");
 
 var audit                 = lazyRequire(function () { return require("./audit"); });
 var auditSign             = lazyRequire(function () { return require("./audit-sign"); });
@@ -163,6 +165,117 @@ function create(opts) {
   };
 }
 
+// ---- Wrapped-AAD root re-seal (vault-key rotation pipeline) ----------------
+
+/**
+ * @primitive b.agent.snapshot.reseal
+ * @signature b.agent.snapshot.reseal(opts)
+ * @since     0.14.12
+ * @status    stable
+ * @related   b.agent.snapshot.create, b.vault.getKeysJson
+ *
+ * Re-seal every persisted snapshot envelope from the OLD vault root to
+ * the NEW vault root under the SAME column-shaped AAD, for a vault-key
+ * rotation. The snapshot seal is a `vault.aad:` ciphertext hidden behind
+ * the `snap-sealed-v1:` wrapper prefix and written to an operator
+ * backend, so a `db.enc` scan for the bare `vault.aad:` prefix can
+ * neither detect nor reach it — the rotation pipeline drives the re-key
+ * through this explicit backend walk. Each row is unsealed under the old
+ * root and re-sealed under the new root in memory (composing
+ * `b.vault.aad.resealRoot`); the plaintext envelope is never written to
+ * operator-readable storage. The decorative wrapper fields the backend's
+ * `list()` filters on (`snapshotId` / `takenAt` / `tenantId`) are
+ * preserved, so the index is untouched.
+ *
+ * `allowPlaintext` envelopes (no `sealed` wrapper) carry no AAD-sealed
+ * blob to re-key and are skipped; the returned `resealed` count reflects
+ * only re-sealed rows. A row sealed by a non-default KMS sealer (the
+ * inner blob is not a `vault.aad:` value) is refused — re-key it through
+ * the operator's own KMS, not this path.
+ *
+ * @opts
+ *   backend:     { put, get, list },  // the same backend create() was wired with
+ *   oldRootJson: string,              // b.vault.getKeysJson() of the OLD keypair
+ *   newRootJson: string,              // b.vault.getKeysJson() of the NEW keypair
+ *
+ * @example
+ *   var result = await b.agent.snapshot.reseal({
+ *     backend:     operatorBackend,
+ *     oldRootJson: oldKeysJson,
+ *     newRootJson: newKeysJson,
+ *   });
+ *   result.table;      // → "agent.snapshot"
+ *   result.resealed;   // → <count of re-keyed snapshots>
+ */
+async function reseal(opts) {
+  opts = opts || {};
+  var backend = opts.backend;
+  validateOpts.requireMethods(backend, ["put", "get", "list"],
+    "reseal: opts.backend (same backend create() was wired with)",
+    AgentSnapshotError, "agent-snapshot/bad-backend");
+  validateOpts.requireNonEmptyString(opts.oldRootJson,
+    "reseal: opts.oldRootJson (b.vault.getKeysJson() of the OLD keypair)",
+    AgentSnapshotError, "agent-snapshot/bad-root");
+  validateOpts.requireNonEmptyString(opts.newRootJson,
+    "reseal: opts.newRootJson (b.vault.getKeysJson() of the NEW keypair)",
+    AgentSnapshotError, "agent-snapshot/bad-root");
+
+  var entries = await backend.list();
+  if (!Array.isArray(entries)) return { table: SNAPSHOT_TABLE, resealed: 0 };
+  var resealed = 0;
+  for (var i = 0; i < entries.length; i += 1) {
+    var snapshotId = entries[i] && entries[i].snapshotId;
+    if (typeof snapshotId !== "string" || snapshotId.length === 0) continue;
+    var raw = await backend.get(snapshotId);
+    if (!raw) continue;
+    // Only the sealed-wrapper shape carries a re-keyable blob. The
+    // allowPlaintext path stores the bare envelope (no `sealed`) — skip.
+    if (!raw.sealed || typeof raw.sealed !== "string" ||
+        raw.sealed.indexOf(SEALED_PREFIX) !== 0) {
+      continue;
+    }
+    var innerBlob = raw.sealed.slice(SEALED_PREFIX.length);
+    // The inner blob is a vault.aad: ciphertext (when sealed by the
+    // default b.vault.aad sealer — the only sealer resealRoot can
+    // re-key). A custom KMS sealer's blob isn't a vault.aad: value, so
+    // refuse rather than silently no-op: the operator must drive the
+    // re-key through their own KMS.
+    if (!vaultAad.isAadSealed(innerBlob)) {
+      throw new AgentSnapshotError("agent-snapshot/not-vault-sealed",
+        "reseal: snapshot " + snapshotId + " was sealed by a non-vault sealer " +
+        "(no " + JSON.stringify(vaultAad.AAD_PREFIX) + " prefix on the inner blob); " +
+        "re-key it through the KMS the operator wired as opts.sealer at create() time");
+    }
+    // Rebuild the EXACT AAD the envelope was sealed under via the
+    // module's own _snapshotAad builder — single source of truth with
+    // the seal (_persist) + unseal (_unwrapAndVerify) paths. The wrapper
+    // carries snapshotId; schemaVersion mirrors the unseal path's
+    // `raw.schemaVersion || SCHEMA_VERSION` fallback so an envelope
+    // written under an older SCHEMA_VERSION re-keys under its original
+    // AAD, not the current one.
+    var aad = _snapshotAad({
+      snapshotId:    snapshotId,
+      schemaVersion: raw.schemaVersion != null ? raw.schemaVersion : SCHEMA_VERSION,
+    });
+    var rekeyed;
+    try {
+      rekeyed = vaultAad.resealRoot(innerBlob, aad, opts.oldRootJson, opts.newRootJson);
+    } catch (e) {
+      throw new AgentSnapshotError("agent-snapshot/reseal-failed",
+        "reseal: snapshot " + snapshotId + " failed to re-key — the value may not have " +
+        "been sealed under oldRootJson + this AAD, or the bytes are tampered (" +
+        ((e && e.message) || String(e)) + ")");
+    }
+    // Re-apply the prefix + preserve every decorative wrapper field
+    // (snapshotId / takenAt / tenantId the backend's list() filters on)
+    // so the rotation leaves the index untouched.
+    var rewritten = Object.assign({}, raw, { sealed: SEALED_PREFIX + rekeyed });
+    await backend.put(snapshotId, rewritten);
+    resealed += 1;
+  }
+  return { table: SNAPSHOT_TABLE, resealed: resealed };
+}
+
 // ---- Signer + sealer resolution -------------------------------------------
 
 function _resolveSigner(ctx) {
@@ -666,11 +779,35 @@ function _frameworkVersion() {
   catch (_e) { return "unknown"; }
 }
 
+// AAD_ROTATION — the eager-register descriptor the vault-key rotation
+// pipeline consumes. backend "external" because snapshot envelopes live
+// in an operator-supplied backend (not the framework db.enc store), so a
+// `db.enc` scan for the bare "vault.aad:" prefix can't reach them — the
+// pipeline drives the re-key through `reseal` against the same backend.
+// The descriptor's `reseal({ store, oldRootJson, newRootJson })` maps the
+// pipeline's generic `store` term onto this module's `backend` (the
+// snapshot backing store), then defers to the module's own reseal.
 module.exports = {
   create:               create,
+  reseal:               reseal,
   SCHEMA_VERSION:       SCHEMA_VERSION,
+  SEALED_PREFIX:        SEALED_PREFIX,
   AgentSnapshotError:   AgentSnapshotError,
   guards: {
     envelope: guardSnapshotEnvelope,
   },
+  AAD_ROTATION: {
+    table:         SNAPSHOT_TABLE,
+    rowIdField:    "snapshotId",
+    schemaVersion: String(SCHEMA_VERSION),
+    backend:       "external",
+    reseal: function (rotationOpts) {
+      rotationOpts = rotationOpts || {};
+      return reseal({
+        backend:     rotationOpts.store || rotationOpts.backend,
+        oldRootJson: rotationOpts.oldRootJson,
+        newRootJson: rotationOpts.newRootJson,
+      });
+    },
+  },
 };