@blamejs/core 0.14.24 → 0.14.26

package/lib/request-helpers.js

@@ -254,6 +254,13 @@ function clientIp(req, opts) {
   }
   if (req.socket && typeof req.socket.remoteAddress === "string") return req.socket.remoteAddress;
   if (req.connection && typeof req.connection.remoteAddress === "string") return req.connection.remoteAddress;
+  // Express-shaped requests expose the resolved client address as `req.ip`
+  // (Express derives it from the socket, honoring its own trust-proxy
+  // setting) without a `socket.remoteAddress` surface. Fall back to it so a
+  // binding captured from such a request is populated rather than null —
+  // callers that pin a grant to the issuing IP otherwise capture null and
+  // could only be saved by a fail-closed guard at the consumer.
+  if (typeof req.ip === "string" && req.ip.length > 0) return req.ip;
   return null;
 }
 

package/lib/retention.js

@@ -274,8 +274,18 @@ function create(opts) {
     values.push(row._id);
     var upd2 = db.prepare("UPDATE \"" + table + "\" SET " + setClauses.join(", ") + " WHERE _id = ?");
     upd2.run.apply(upd2, values);
+    // Per-row-key tables (declarePerRowKey): NULLing the sealed columns
+    // is not enough — WAL / replica residuals keep the old K_row cells.
+    // Destroy the row's wrapped secret so K_row is unrecoverable and the
+    // residual ciphertext reads as absent (crypto-shred, GDPR Art. 17).
+    // rowId is row._id, the same identity materialize / eraseHard use.
+    var perRowKeysDestroyed = 0;
+    if (cryptoField.hasPerRowKey(table)) {
+      var dr = cryptoField.destroyPerRowKey(table, row._id, db);
+      perRowKeysDestroyed = (dr && dr.destroyed) || 0;
+    }
     void erased;
-    return { erased: 1, sealedFieldCount: sealedFields.length };
+    return { erased: 1, sealedFieldCount: sealedFields.length, perRowKeysDestroyed: perRowKeysDestroyed };
   }
 
   function _cascade(rule, rowId, dryRun) {

package/lib/vault/rotate.js

@@ -81,6 +81,11 @@ var agentSnapshotLazy = lazyRequire(function () { return require("../agent-snaps
 // rotation pipeline never walks, so archive-wrap exports the same external
 // AAD_ROTATION descriptor and must be gated here too.
 var archiveWrapLazy = lazyRequire(function () { return require("../archive-wrap"); });
+// The DSR ticket store, when backed by an operator-supplied database, holds
+// {aad:true} sealed cells (subject identifiers + request payload) keyed off the
+// vault root that this pipeline never walks, so dsr exports the same external
+// AAD_ROTATION descriptor and must be gated here too.
+var dsrLazy = lazyRequire(function () { return require("../dsr"); });
 var { defineClass } = require("../framework-error");
 
 var rotateLog = boot("vault-rotate");
@@ -439,7 +444,7 @@ var VAULT_PREFIX_LEN = C.VAULT_PREFIX.length;
 // so loading rotate.js doesn't eagerly pull the agent modules.
 var EXTERNAL_AAD_MODULE_LOADERS = [
   agentIdempotencyLazy, agentOrchestratorLazy, agentTenantLazy, agentSnapshotLazy,
-  archiveWrapLazy,
+  archiveWrapLazy, dsrLazy,
 ];
 
 function _externalAadTables() {
@@ -464,22 +469,25 @@ function _emit(cb, ev) {
   }
 }
 
-// Open a file for fsync. Different from atomicFile.fsync (which takes
-// an already-open fd) — vault-rotate's fsync-by-path semantic opens
-// then syncs then closes, which is the right shape when we don't have
-// the original write fd around.
-//
-// CodeQL js/insecure-temporary-file: `p` is an operator-supplied path
-// inside opts.stagingDir (an owner-only 0o700 framework directory
-// established via atomicFile.ensureDir at the top of rotate()). Not an
-// os.tmpdir-reachable path. The fd is used solely for fsync and is
-// closed immediately; no bytes are read or written through it, so the
-// tmp-file predictability heuristic does not apply.
-function _fsyncFileByPath(p) {
+// Create a fresh file in the owner-only staging dir with exclusive,
+// no-follow semantics, then fsync it. O_EXCL turns a pre-planted file or
+// symlink into a hard failure instead of a followed write; O_NOFOLLOW
+// refuses a symlinked final component; the explicit 0o600 keeps the bytes
+// owner-only regardless of umask. Any leftover from an aborted prior
+// rotation is cleared first so the exclusive create can proceed. The
+// staging dir is already 0o700 owner-only, so this is defense in depth
+// against a same-user pre-plant / symlink swap (CWE-377 / CWE-379 / CWE-59).
+function _writeStagedFileExclusive(p, data) {
+  try { nodeFs.unlinkSync(p); } catch (_e) { /* no stale entry to clear */ }
+  var fd = nodeFs.openSync(p,
+    nodeFs.constants.O_WRONLY | nodeFs.constants.O_CREAT |
+      nodeFs.constants.O_EXCL | (nodeFs.constants.O_NOFOLLOW || 0), 0o600);
   try {
-    var fd = nodeFs.openSync(p, "r+");
-    try { nodeFs.fsyncSync(fd); } finally { nodeFs.closeSync(fd); }
-  } catch (_e) { /* best-effort across platforms */ }
+    nodeFs.writeFileSync(fd, data);
+    nodeFs.fsyncSync(fd);
+  } finally {
+    nodeFs.closeSync(fd);
+  }
 }
 
 function _reSealValue(sealedValue, oldKeys, newKeys) {
@@ -670,7 +678,8 @@ async function rotate(opts) {
         "pipeline and would be orphaned under the retired keypair: " + externalAad.join(", ") +
         ". Re-seal each via its module hook (b.agent.idempotency.reseal / " +
         "b.agent.orchestrator.reseal / b.agent.tenant AAD_ROTATION reseal / " +
-        "b.agent.snapshot.reseal / b.archive.rewrapTenant for archive-wrap:tenant-blobs) " +
+        "b.agent.snapshot.reseal / b.archive.rewrapTenant for archive-wrap:tenant-blobs / " +
+        "b.dsr.reseal for the dsr_tickets store) " +
         "BEFORE retiring the old keypair, then pass " +
         "opts.externalAadResealed: [" + externalAad.map(function (t) { return JSON.stringify(t); }).join(", ") +
         "] to acknowledge. If you do not use these features, pass opts.externalAadResealed: true.");
@@ -709,7 +718,10 @@ async function rotate(opts) {
     }
     var dest = nodePath.join(stagingDir, entry.relativePath);
     atomicFile.ensureDir(nodePath.dirname(dest));
-    nodeFs.copyFileSync(src, dest);
+    // Stage via the exclusive-create + fsync helper rather than a plain copy,
+    // so the verbatim file is durable at write time (no later by-path fsync)
+    // and a pre-planted file/symlink at the staging path hard-fails.
+    _writeStagedFileExclusive(dest, nodeFs.readFileSync(src));
   }
   for (var vd = 0; vd < paths.verbatimDirs.length; vd++) {
     var dent = paths.verbatimDirs[vd];
@@ -737,9 +749,9 @@ async function rotate(opts) {
   var newRootJson = keysJson;
   if (mode === "wrapped") {
     var sealed = await vaultWrap().wrap(keysJson, opts.newPassphrase);
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.vaultKeySealed), sealed, { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.vaultKeySealed), sealed);
   } else {
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.vaultKeyPlain), keysJson, { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.vaultKeyPlain), keysJson);
   }
 
   // 3. re-seal db.key.enc + any operator-supplied additionalSealed files
@@ -759,14 +771,14 @@ async function rotate(opts) {
       var dbKeyB64Aad = vaultAad.unsealRoot(sealedKey, dbKeyAad, oldRootJson);
       dbKey = Buffer.from(dbKeyB64Aad, "base64");
       var resealedAad = vaultAad.sealRoot(dbKeyB64Aad, dbKeyAad, newRootJson);
-      nodeFs.writeFileSync(nodePath.join(stagingDir, paths.dbKeySealed), resealedAad, { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, paths.dbKeySealed), resealedAad);
     } else if (sealedKey.indexOf(C.VAULT_PREFIX) === 0) {
       // Legacy plain-sealed db.key.enc (pre-AAD). Re-key in place; db.init
       // read-migrates plain -> AAD on the next boot.
       var dbKeyB64 = bCrypto.decrypt(sealedKey.substring(VAULT_PREFIX_LEN), oldKeys);
       dbKey = Buffer.from(dbKeyB64, "base64");
       var resealedKey = C.VAULT_PREFIX + bCrypto.encrypt(dbKeyB64, newKeys);
-      nodeFs.writeFileSync(nodePath.join(stagingDir, paths.dbKeySealed), resealedKey, { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, paths.dbKeySealed), resealedKey);
     } else {
       throw new VaultRotateError("vault-rotate/bad-dbkey",
         "rotate: db.key.enc does not start with a vault prefix (vault: or vault.aad:)");
@@ -789,8 +801,8 @@ async function rotate(opts) {
     }
     var asDestDir = nodePath.join(stagingDir, nodePath.dirname(ase.relativePath));
     if (!nodeFs.existsSync(asDestDir)) atomicFile.ensureDir(asDestDir);
-    nodeFs.writeFileSync(nodePath.join(stagingDir, ase.relativePath),
-      _reSealValue(current, oldKeys, newKeys), { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, ase.relativePath),
+      _reSealValue(current, oldKeys, newKeys));
   }
 
   // 3b. Framework-managed crypto-field derived-hash files — always
@@ -801,14 +813,17 @@ async function rotate(opts) {
   // re-seals to the same value since the keypair is unchanged).
   var saltSrc = nodePath.join(dataDir, "vault.derived-hash-salt");
   if (nodeFs.existsSync(saltSrc)) {
-    nodeFs.copyFileSync(saltSrc, nodePath.join(stagingDir, "vault.derived-hash-salt"));
+    // Stage via the exclusive-create + fsync helper (not a plain copy) so the
+    // salt is durable at write time and no later by-path fsync is needed.
+    _writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-salt"),
+      nodeFs.readFileSync(saltSrc));
   }
   var macSrc = nodePath.join(dataDir, "vault.derived-hash-mac.sealed");
   if (nodeFs.existsSync(macSrc)) {
     var macCurrent = nodeFs.readFileSync(macSrc, "utf8").trim();
     if (macCurrent.indexOf(C.VAULT_PREFIX) === 0) {
-      nodeFs.writeFileSync(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
-        _reSealValue(macCurrent, oldKeys, newKeys), { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
+        _reSealValue(macCurrent, oldKeys, newKeys));
     }
   }
 
@@ -830,7 +845,7 @@ async function rotate(opts) {
     try { plainBytes = bCrypto.decryptPacked(packed, dbKey, dbEncAad); }
     catch (_eAad) { plainBytes = bCrypto.decryptPacked(packed, dbKey); }
     var tmpDbPath = nodePath.join(stagingDir, "_blamejs_rotate.tmp.db");
-    nodeFs.writeFileSync(tmpDbPath, plainBytes, { mode: 0o600 });
+    _writeStagedFileExclusive(tmpDbPath, plainBytes);
 
     var db = new DatabaseSync(tmpDbPath);
     try {
@@ -893,25 +908,23 @@ async function rotate(opts) {
     try { nodeFs.unlinkSync(tmpDbPath + "-shm"); }
     catch (e) { rotateLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: tmpDbPath + "-shm", error: e.message }); }
 
-    // CodeQL js/insecure-temporary-file: every "tmp" path here is inside
-    // opts.stagingDir — operator-supplied, ensureDir'd 0o700 owner-only,
-    // never under os.tmpdir(). The filenames are framework-internal
-    // markers (`_blamejs_rotate.tmp.db`, `_blamejs_verify.tmp.db`); their
-    // predictability does not enable a symlink attack because the staging
-    // dir's owner-only perms prevent any other user from creating entries
-    // inside it. Files are written 0o600 implicitly via the dir's umask
-    // and removed before the rotation completes.
+    // Every staged path lives inside opts.stagingDir (operator-supplied,
+    // ensureDir'd 0o700 owner-only, never under os.tmpdir()) and carries a
+    // framework-internal marker name. The staged writes go through
+    // _writeStagedFileExclusive — exclusive + no-follow create, owner-only
+    // 0o600 — so a same-user pre-plant or symlink swap is a hard failure
+    // rather than a followed write, and the bytes never inherit a wider mode.
     var rotatedBytes = nodeFs.readFileSync(tmpDbPath);
     // Re-encrypt under the SAME dataDir AAD so db.init's AAD-first open
     // succeeds after the staged dir is swapped over dataDir in place.
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.encryptedDb),
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.encryptedDb),
       bCrypto.encryptPacked(rotatedBytes, dbKey, dbEncAad));
     nodeFs.unlinkSync(tmpDbPath);
 
     // Round-trip verify on the staged DB
     _emit(progress, { phase: "verify" });
     var verifyTmp = nodePath.join(stagingDir, "_blamejs_verify.tmp.db");
-    nodeFs.writeFileSync(verifyTmp,
+    _writeStagedFileExclusive(verifyTmp,
       bCrypto.decryptPacked(nodeFs.readFileSync(nodePath.join(stagingDir, paths.encryptedDb)), dbKey, dbEncAad));
     var vdb = new DatabaseSync(verifyTmp);
     try {
@@ -934,19 +947,26 @@ async function rotate(opts) {
     }
   }
 
-  // 5. fsync staging for durability before caller does the swap
+  // 5. fsync staging directory entries for durability before the caller swaps.
+  // Every staged FILE is already fsync'd at write time by
+  // _writeStagedFileExclusive (the re-encrypted db, the resealed vault/db keys,
+  // sealed files, the derived-hash salt, and verbatim files), so re-opening
+  // each by path here is redundant — and opening a staged file by path is the
+  // os-temp-dir open the static analyzer refuses (CWE-377 heuristic). Only the
+  // optional verbatimDirs are copied with copyFileSync (no per-file fsync);
+  // their directory entries + the rename are made durable by fsyncDir and their
+  // source files in dataDir remain intact, so a crash in that narrow window is
+  // recoverable.
   _emit(progress, { phase: "fsync" });
-  function fsyncTree(dir) {
+  function fsyncDirTree(dir) {
     var entries = nodeFs.readdirSync(dir);
     for (var i = 0; i < entries.length; i++) {
       var p = nodePath.join(dir, entries[i]);
-      var st = nodeFs.statSync(p);
-      if (st.isFile()) _fsyncFileByPath(p);
-      else if (st.isDirectory()) fsyncTree(p);
+      if (nodeFs.statSync(p).isDirectory()) fsyncDirTree(p);
     }
     atomicFile.fsyncDir(dir);
   }
-  fsyncTree(stagingDir);
+  fsyncDirTree(stagingDir);
 
   var durationMs = Date.now() - startedAt;
   _emit(progress, {

package/lib/vault-aad.js

@@ -304,6 +304,12 @@ module.exports = {
   isAadSealed:        isAadSealed,
   buildColumnAad:     buildColumnAad,
   buildContextAad:    buildContextAad,
+  // canonicalizeAad — the length-prefixed, sorted-keys AAD-bytes
+  // encoder. Exported (internal) so a sibling primitive that runs its
+  // own AEAD (crypto-field's per-row K_row cells) threads byte-identical
+  // AAD into encryptPacked/decryptPacked as this module does for its
+  // own seal/unseal — one canonical encoder, no drift.
+  canonicalizeAad:    _canonicalize,
   AAD_PREFIX:         AAD_PREFIX,
   AAD_VERSION:        AAD_VERSION,
   VaultAadError:      VaultAadError,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.24",
+  "version": "0.14.26",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:0697fb13-faa3-47c7-8ac0-7a29c980f002",
+  "serialNumber": "urn:uuid:e0214cf9-5d77-475a-af9a-e3cedff9f6d7",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-06T15:36:19.660Z",
+    "timestamp": "2026-06-06T21:14:16.419Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.24",
+      "bom-ref": "@blamejs/core@0.14.26",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.24",
+      "version": "0.14.26",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.24",
+      "purl": "pkg:npm/%40blamejs/core@0.14.26",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.24",
+      "ref": "@blamejs/core@0.14.26",
       "dependsOn": []
     }
   ]