@blamejs/core 0.14.24 → 0.14.26

package/lib/db-query.js

@@ -509,7 +509,9 @@ class Query {
               this._whereClause() + this._orderLimitOffset() + " LIMIT 1";
     var stmt = this._db.prepare(sql);
     var row = stmt.get.apply(stmt, this._whereParams);
-    return row ? cryptoField.unsealRow(this._cryptoFieldKey(), row) : null;
+    // 4th arg (dbHandle) lets unsealRow fetch + unwrap the row-scoped
+    // K_row for vault.row: cells (declarePerRowKey tables).
+    return row ? cryptoField.unsealRow(this._cryptoFieldKey(), row, undefined, this._db) : null;
   }
 
   all() {
@@ -519,8 +521,9 @@ class Query {
     var rows = stmt.all.apply(stmt, this._whereParams);
     var out = new Array(rows.length);
     var key = this._cryptoFieldKey();
+    var dbHandle = this._db;
     for (var i = 0; i < rows.length; i++) {
-      out[i] = cryptoField.unsealRow(key, rows[i]);
+      out[i] = cryptoField.unsealRow(key, rows[i], undefined, dbHandle);
     }
     return out;
   }
@@ -549,6 +552,7 @@ class Query {
     }
     var stmt = this._db.prepare(sql);
     var key = this._cryptoFieldKey();
+    var dbHandle = this._db;
     var iter;
     try { iter = stmt.iterate.apply(stmt, this._whereParams); }
     catch (e) {
@@ -570,7 +574,7 @@ class Query {
           var step = iter.next();
           if (step.done) { this.push(null); return; }
           emitted += 1;
-          this.push(cryptoField.unsealRow(key, step.value));
+          this.push(cryptoField.unsealRow(key, step.value, undefined, dbHandle));
         } catch (e) {
           this.destroy(e);
         }
@@ -596,7 +600,19 @@ class Query {
     // Residency gates read the PLAINTEXT row (the tag column must be
     // inspectable even when sibling columns seal below).
     _assertLocalResidency(this._cryptoFieldKey(), withId, "insert");
-    var sealed = cryptoField.sealRow(this._cryptoFieldKey(), withId);
+    // Per-row-key tables (declarePerRowKey): materialize a fresh K_row
+    // BEFORE sealRow so sealed columns encrypt under the row-scoped key
+    // (vault.row: cells). rowId MUST be withId._id — the same value
+    // b.subject.eraseHard / b.retention destroy on, so a later shred
+    // makes these cells undecryptable. Materialize stores the random
+    // row-secret AAD-sealed in _blamejs_per_row_keys.
+    var sealOpts;
+    var cfKey = this._cryptoFieldKey();
+    if (cryptoField.hasPerRowKey(cfKey)) {
+      var kRow = cryptoField.materializePerRowKey(cfKey, withId._id, this._db);
+      sealOpts = { kRow: kRow, rowId: withId._id };
+    }
+    var sealed = cryptoField.sealRow(cfKey, withId, sealOpts);
     var cols = Object.keys(sealed);
     var placeholders = cols.map(function () { return "?"; }).join(", ");
     var quotedCols = cols.map(function (c) { return '"' + c + '"'; }).join(", ");
@@ -637,7 +653,16 @@ class Query {
     // touches the residency tag (or a region-bound column) is a
     // transfer and goes through the same refusal matrix as INSERT.
     _assertLocalResidency(this._cryptoFieldKey(), changes, "update");
-    var sealed = cryptoField.sealRow(this._cryptoFieldKey(), changes);
+    var cfKey = this._cryptoFieldKey();
+    // Per-row-key tables: sealed columns must re-encrypt under EACH
+    // affected row's own K_row, so a single set-based UPDATE can't seal
+    // one value across rows. Resolve the affected _id set, then seal +
+    // write each row under its row-scoped key. Idempotent materialize
+    // re-derives the existing K_row (created on INSERT).
+    if (cryptoField.hasPerRowKey(cfKey)) {
+      return this._updatePerRowKey(cfKey, changes, single);
+    }
+    var sealed = cryptoField.sealRow(cfKey, changes);
     var setKeys = Object.keys(sealed);
     if (setKeys.length === 0) {
       throw new Error("update changes object is empty");
@@ -666,6 +691,41 @@ class Query {
     return info.changes;
   }
 
+  // Per-row-key UPDATE. Sealed columns on a declarePerRowKey table are
+  // K_row cells (vault.row:), so each affected row must be re-sealed
+  // under its OWN K_row — a single set-based UPDATE can't carry per-row
+  // ciphertext. Resolve the affected _id set via the WHERE, then for
+  // each row: materialize (idempotent) its K_row, seal the change set
+  // under it (derived hashes computed from plaintext as usual), and
+  // UPDATE that single row by _id. `single` stops after the first row.
+  _updatePerRowKey(cfKey, changes, single) {
+    var whereSql = this._where.join(" AND ");
+    var qt = this._quotedTable();
+    var idStmt = this._db.prepare(
+      "SELECT _id FROM " + qt + " WHERE " + whereSql + (single ? " LIMIT 1" : ""));
+    var idRows = idStmt.all.apply(idStmt, this._whereParams);
+    var changed = 0;
+    for (var r = 0; r < idRows.length; r++) {
+      var rowId = idRows[r]._id;
+      if (rowId === undefined || rowId === null) continue;
+      var kRow = cryptoField.materializePerRowKey(cfKey, rowId, this._db);
+      var sealed = cryptoField.sealRow(cfKey, changes, { kRow: kRow, rowId: rowId });
+      var setKeys = Object.keys(sealed);
+      if (setKeys.length === 0) {
+        throw new Error("update changes object is empty");
+      }
+      setKeys.forEach(_validateField);
+      var selfUpd = this;
+      setKeys.forEach(function (k) { selfUpd._assertColumnMember(k, "update"); });
+      var setClause = setKeys.map(function (k) { return '"' + k + '" = ?'; }).join(", ");
+      var setValues = setKeys.map(function (k) { return sealed[k]; });
+      var updStmt = this._db.prepare("UPDATE " + qt + " SET " + setClause + " WHERE _id = ?");
+      var info = updStmt.run.apply(updStmt, setValues.concat([rowId]));
+      changed += (info && info.changes) || 0;
+    }
+    return changed;
+  }
+
   deleteOne() {
     return this._delete(true) > 0;
   }

package/lib/db.js

@@ -295,11 +295,21 @@ var FRAMEWORK_SCHEMA = [
   },
   {
     // Per-row crypto-erasure key registry — per-row keys.
-    // Each entry holds a sealed wrapped K_row keyed by (table,
-    // rowId). b.subject.eraseHard deletes the entry, leaving WAL /
-    // replica residuals undecryptable.
+    // Each entry holds the AAD-sealed random row-secret keyed by
+    // (tableName, rowId); the row-scoped K_row is derived from it.
+    // b.subject.eraseHard / b.retention destroy the entry, leaving WAL /
+    // replica residuals undecryptable. wrappedKey is registered as an
+    // AAD-bound sealed field (aad:true, rowIdField:"rowId") so a vault
+    // keypair rotation auto-reseals it old-root -> new-root via
+    // rotate._rotateColumn — without this a rotation would orphan every
+    // wrapped secret and brick every keyed row.
     name: "_blamejs_per_row_keys",
     columns: {
+      // _id is the rotation pipeline's keyset-pagination + UPDATE key
+      // (rotate._rotateColumn SELECTs _id and orders by it); the natural
+      // identity stays the composite (tableName, rowId). materialize
+      // populates _id with a fresh token.
+      _id:        "TEXT",
       tableName:  "TEXT NOT NULL",
       rowId:      "TEXT NOT NULL",
       wrappedKey: "BLOB NOT NULL",
@@ -307,6 +317,10 @@ var FRAMEWORK_SCHEMA = [
     },
     primaryKey: ["tableName", "rowId"],
     indexes: [],
+    sealedFields:  ["wrappedKey"],
+    aad:           true,
+    rowIdField:    "rowId",
+    schemaVersion: "1",
   },
   {
     // Operator-declared WORM (write-once-read-many) registry. Each