@blamejs/core 0.14.25 → 0.14.26

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.14.x
 
+- v0.14.26 (2026-06-06) — **Break-glass IP and session pins fail closed, DSR ticket PII is sealed and erasable, and queue jobs are sealed at rest from the first write.** Break-glass grant pins (`pinIp` / `sessionPin`, documented default-ON) were enforced only when the grant had captured a binding at mint time; a grant minted without an IP or session was redeemable from anywhere, so the pin failed open exactly when it mattered. Pins now fail closed: a grant carrying no binding is refused at redemption, and the redeeming client IP falls back to `req.ip` when not threaded explicitly. The Data Subject Request ticket store kept the subject's identifiers and the raw request body in plaintext, so an erasure request could not destroy the very PII it was processing; those columns are now sealed under the vault with `(table, rowId)` additional-data binding, erasure purges the ticket on completion, and an in-place schema upgrade seals existing stores. Queue jobs were sealed at rest only after a table had been registered, which did not happen until the first explicit registration — the queue now self-registers its job table on `init`, so jobs are sealed from the first write. Rounding out the bundle: the OAuth back-channel-logout `logout_token` is parsed under a byte ceiling, the SD-JWT-VC holder key-binding JWT signs with an algorithm asserted against the holder key's type (an RSA or OKP holder no longer mints a self-invalid token), and a pushed authorization request carrying a signed request object emits `authorization_details` as a native array. **Security:** *Break-glass IP and session pins fail closed* — `b.breakGlass` grants document `pinIp` and `sessionPin` as default-ON, and grant minting captures the issuing IP and session at that time. Redemption now refuses a grant whose binding was never captured (`pinIp` on but no IP recorded, or `sessionPin` on but no session) instead of treating the absent binding as 'nothing to check' and allowing the redemption from any origin. The redeeming client IP is resolved from the redemption request and falls back to `req.ip` when the caller does not thread an explicit address. The one-time-code replay floor is keyed per `(actor, secret)` so a code consumed under one actor cannot be replayed under another, and the accepted TOTP step is reserved atomically as part of acceptance, so two concurrent grants presenting the same in-window code cannot both pass. · *DSR ticket store seals subject identifiers and request payload, and erasure purges the ticket* — `b.dsr` with the database-backed ticket store now seals the data subject's identifiers and the raw request payload via `b.cryptoField.registerTable` with `(table, rowId)` additional-data binding, so the PII a request processes is encrypted at rest and is destroyed when the ticket's row key is shredded. An erasure request purges its own ticket on completion rather than leaving the subject's identifiers behind. Existing ticket stores are upgraded in place on the next `init` — sealed columns are added via `ALTER TABLE ADD COLUMN` and the legacy `payload NOT NULL` constraint relaxes to `DEFAULT ''` so the add succeeds without data loss. Wrapped ticket keys are re-sealed under the new root on vault keypair rotation (`b.dsr.reseal`), so rotation does not strand tickets. Rows written before the upgrade (plaintext subject, no lookup hash) are backfilled on the next `init` — their hashes are computed and their subject columns sealed — so a subject lookup still finds them and an erasure request can purge them. · *Queue jobs are sealed at rest from the first write* — The local queue backend self-registers its job table for sealing on `init` rather than on first explicit registration, so a job persisted before any other code touched the seal table is encrypted at rest instead of written in plaintext. `b.cryptoField.sealRow` is a silent no-op against an unregistered table; the self-register on `init` closes that fail-open window for the queue's own rows. · *OAuth back-channel logout is bounded; SD-JWT-VC holder binding matches the holder key type* — The OAuth back-channel-logout endpoint parses the `logout_token` under an explicit byte ceiling, so an unauthenticated caller cannot exhaust memory with an oversized body. The SD-JWT-VC holder key-binding JWT now signs with an algorithm asserted against the holder key's type, so a holder presenting an RSA or OKP key no longer mints a key-binding JWT that fails its own verification. A pushed authorization request (PAR) that carries a signed request object emits `authorization_details` as a native JSON array per RFC 9396, not a JSON-encoded string. · *Vault keypair rotation writes its staging files with exclusive, no-follow create* — Every file the rotation pipeline writes into its staging directory — the re-encrypted database, the resealed vault and database keys, additional sealed files, the derived-hash material, and the transient plaintext database — is now created with exclusive, symlink-refusing semantics (`O_CREAT | O_EXCL | O_NOFOLLOW`, owner-only `0o600`), and the fsync-by-path step refuses to follow a symlink. A same-user pre-planted file or symlink swap in the staging directory is now a hard failure rather than a followed write, closing a local tamper window during rotation (CWE-377 / CWE-379 / CWE-59) on top of the directory's existing `0o700` owner-only permissions. **Detectors:** *break-glass-pin-fails-open-on-null-binding* — The pattern catalog refuses a break-glass pin comparison guarded by a `grantRow.ip != null &&` (or `sessionId`) short-circuit — a guard that skips enforcement when the captured binding is absent, which is precisely the fail-open. Pin enforcement must refuse a grant with no captured binding, not wave it through. · *dsr-ticket-store-pii-must-be-sealed* — The catalog requires the DSR database ticket store to register its seal table, so the subject identifiers and request payload it holds cannot regress to plaintext-at-rest and remain un-erasable. The queue self-register, the bounded logout parse, and the holder key-type parity are covered by their expanded request-driven tests and the existing fixed-classical-algorithm-default guard. **Migration:** *Break-glass grants now require a resolvable binding to redeem under default pins* — With `pinIp` left at its default (on), a grant is now refused at redemption unless the issuing IP was captured and the redeeming client IP can be resolved. In-tree redemption paths thread the request and resolve the IP automatically. If your redemption path does not surface a client address and you do not intend to bind to IP, set `pinIp: false` (and `sessionPin: false`) explicitly on the grant; the previous behavior silently accepted such grants from any origin. · *DSR ticket stores are sealed in place on next init* — An existing database-backed DSR ticket store gains sealed columns via `ALTER TABLE ADD COLUMN` on the next `init`, and the legacy `payload NOT NULL` constraint relaxes to `DEFAULT ''` to permit the in-place add. No data is lost; tickets written before the upgrade remain readable and become sealed as they are rewritten.
+
 - v0.14.25 (2026-06-06) — **Per-row crypto-shred is real and AAD-bound, and the idempotency fingerprint key is sealed at rest.** The per-row encryption-key feature that backs `b.subject.eraseHard` crypto-shred was both non-functional and, as documented, unsound: the per-row key (`K_row`) was derived deterministically from a salt that is stored in plaintext in the data directory, so an actor with disk access could re-derive it and decrypt 'shredded' residual ciphertext (WAL / replica / backup) — and the key was never actually materialized on insert, so no table ever used it. Per-row keys are now derived from a fresh 32-byte CSPRNG secret stored only in `_blamejs_per_row_keys`, wrapped under the vault with AEAD additional-data binding `(table, rowId)`, and materialized on insert for tables that declare them; destroying the wrapped secret now genuinely renders the row's residual ciphertext undecryptable. The same plaintext-salt class is fixed for the idempotency request-fingerprint HMAC, which now seeds off the sealed-at-rest `vault.getDerivedHashMacKey()`. There is no migration: the per-row-key table was empty in every deployment, so keyed tables are correct from their first write. **Security:** *Per-row crypto-shred: random secret, AAD-bound wrap, materialized on insert* — `b.cryptoField.declarePerRowKey` tables now get a per-row key derived from a fresh `b.crypto.generateBytes(32)` secret — never from the plaintext per-deployment salt — so the key has no input recomputable from disk. The secret is stored in `_blamejs_per_row_keys` wrapped via `b.vault.aad.seal` with additional-data bound to `(table, rowId)`, so a wrapped key copied onto another row fails its Poly1305 tag. Sealed columns are encrypted under the per-row key and tagged with a `vault.row:` envelope (`b.cryptoField.isRowSealed`); the residency-tag column is never key-sealed so the write-boundary residency gate can still read it. The key is materialized on insert (it previously never was) and re-derived once per read; `b.subject.eraseHard` and the retention sweep destroy the wrapped secret, after which the row's residual ciphertext reads as absent and cannot be recovered even if the vault root is later compromised. Wrapped keys are re-sealed under the new root on vault keypair rotation, so rotation does not strand keyed rows. · *Idempotency request-fingerprint HMAC seeds off the sealed MAC key* — The `fingerprintSeal` HMAC over the request fingerprint was keyed from the plaintext per-deployment salt, so a disk-access actor could recompute the key and brute-force the low-entropy preimage (method + URL + body) offline. It now seeds off `b.vault.getDerivedHashMacKey()`, which is sealed at rest. Fingerprints cached before the upgrade no longer match, so a replayed request re-executes once (the safe direction). **Detectors:** *kdf-key-from-plaintext-derived-hash-salt* — The pattern catalog refuses a key-derivation (`kdf(... getDerivedHashSalt() ...)`) that seeds a per-row shred key or a vault-secret-promising keyed-MAC off the plaintext-on-disk derived-hash salt. Such a key is re-derivable by anyone with the data directory, defeating the shred / secrecy it advertises; the correct sources are a CSPRNG secret or the sealed `getDerivedHashMacKey()`. The deterministic salted-SHA3 equality index is a distinct shape and is unaffected. **Migration:** *No action required* — No data migration: the per-row-key table was empty in every deployment, so tables that declare per-row keys are correct from their first write going forward. The only observable change is that the first request after upgrade matching a pre-upgrade idempotency fingerprint re-executes once.
 
 - v0.14.24 (2026-06-05) — **Per-row data residency enforced at the write boundary, and the long-advertised column-residency gate is wired.** Rows can now carry their own residency tag, and the database write paths enforce it: under a cross-border regulated posture (GDPR / UK-GDPR / DPDP / PIPL / LGPD / APPI / PDPA) a row tagged for one region is refused before it lands on a backend in another. `b.cryptoField.declarePerRowResidency` declares which column carries the tag; local SQLite writes check it against the deployment's `dataResidency` region set, and `b.externalDb.query` / `transaction` DML to a residency-tagged backend takes the tag per call via `rowResidencyTag`. The column-scoped gate (`assertColumnResidency`) — exported and documented since v0.7.27 but never composed into any write path — is now enforced on the same boundary. Unregulated deployments are unaffected: every gate passes with an advisory audit instead of a refusal, so operators can observe before adopting a posture. Note: v0.14.23 was tagged but not published to npm (its publish run timed out in validation); its changes — the MX DATA-phase SPF/DKIM/DMARC gate and the inbound mail authentication pipeline — are included in this package, and the publish-validation timeout is fixed here. **Added:** *`b.cryptoField.declarePerRowResidency` / `getPerRowResidency` — row-scoped residency tags* — Declares the plaintext column carrying each row's residency tag plus the whitelist of valid tag values (`{ residencyColumn, allowedTags }`). On INSERT to a declared table the tag is required and must be in `allowedTags`; rows tagged `global` or `unrestricted` pass any backend. The declaration registry mirrors `declareColumnResidency`, and `clearResidencyForTest` now clears both. The tag comes from application logic (the user's declared region) — the framework never infers it from request metadata. · *Local write gate on `b.db.from(...).insertOne` / `update`* — Runs on the plaintext row before sealing, so the tag column stays inspectable when sibling columns seal. Under a cross-border regulated posture, a row whose tag falls outside the deployment's region set (`dataResidency.region` plus `allowedStorageRegions`) is refused with `db-query/row-residency-local-mismatch`; a missing or out-of-whitelist tag refuses with `db-query/row-residency-tag-missing` / `-tag-invalid` regardless of posture. UPDATEs gate when the change set touches the residency column — an update that doesn't move residency is not a transfer. Refusals are typed `DbQueryError`s (new error class) and land in the audit chain (`db.residency.gate.rejected`); unregulated postures emit `db.residency.gate.advisory` and pass. · *External write gate — `rowResidencyTag` on `b.externalDb.query` / `transaction`* — External-db takes raw SQL, not row objects, so the row's tag travels as `opts.rowResidencyTag` (validated at transaction entry too). Under a regulated posture, a write to a residency-tagged backend requires the tag (`RESIDENCY_GATE_REQUIRED`) and refuses a mismatch (`RESIDENCY_TAG_MISMATCH`) before the statement reaches the wire. The gate classifies by what a statement does, not its leading keyword: it resolves the effective verb behind a `WITH` (CTE) or `EXPLAIN ANALYZE` prefix and treats `INSERT`/`UPDATE`/`DELETE`/`MERGE`/`REPLACE`, `CALL`/`EXECUTE`/`DO`, and `COPY ... FROM` as writes — only recognized pure reads (`SELECT`, `SHOW`/`DESCRIBE`/`PRAGMA`, a `COPY ... TO` export, plan-only `EXPLAIN`, and session/transaction statements) pass untagged. A statement whose class can't be resolved, or a multi-statement string that hides a trailing write behind a harmless prefix, is refused (`STATEMENT_UNRESOLVED_REFUSED` / `MULTI_STATEMENT_REFUSED`). Inside `transaction()`, the transaction-level tag applies to every statement and a per-call override on `tx.query(sql, params, opts)` wins for that statement; a refusal rolls the transaction back. Replica reads that carry a tag refuse routing to an incompatible replica (`REPLICA_RESIDENCY_INCOMPATIBLE`) unless the replica is configured `allowCrossBorder: true`, which is audited (`db.residency.replica.cross_border` at read time, `db.residency.replica.cross_border_allowed` at config time). Unrestricted backends are not gated, and the migration runner's own tracking writes are region-neutral so migrations run unaffected on a residency-tagged backend. · *`b.compliance.isCrossBorderRegulated` — shared posture vocabulary* — The cross-border regulated posture set (gdpr, uk-gdpr, dpdp, pipl-cn, lgpd-br, appi-jp, pdpa-sg) now lives on `b.compliance` (`CROSS_BORDER_REGULATED_POSTURES` + the membership helper), one source of truth shared by the local gate, the external gate, and the existing replica-topology boot check. **Fixed:** *`assertColumnResidency` is now actually enforced* — `b.cryptoField.declareColumnResidency` / `assertColumnResidency` shipped in v0.7.27 documenting a write-time gate, but no write path ever called the assertion — column tags were recorded and never checked. The local write paths now run it against the deployment region: a mismatch refuses with `db-query/column-residency-mismatch` under a regulated posture and emits an advisory otherwise. Operators tag columns with the region value their `dataResidency` declares. · *Cross-border-allowed replica audit event is now recorded* — The config-time audit event for a consciously-permitted cross-border replica used a malformed action name that the audit validator silently dropped, so a compliance reviewer saw no record of the `allowCrossBorder` decision in the audit chain. It now emits as `db.residency.replica.cross_border_allowed` and lands like every other audit row. · *Publish-validation timeout that blocked the v0.14.23 npm release* — The v0.14.23 publish run timed out in release validation — the pattern-catalog self-test crossed a per-file watchdog budget as the codebase grew, and the same self-test, which scans the whole library and runs far longer on the slower macOS CI runner, hit the same wall on this package's first CI run. The validation budgets are corrected so a genuinely stuck file still fails fast while the catalog completes. v0.14.23 exists as a signed tag; npm goes 0.14.22 → 0.14.24 carrying both releases' changes. **Detectors:** *db-query-write-without-residency-gate* — Every local write method that seals a row must run the residency gates on the plaintext first — a future write path (upsert, bulk) inherits the requirement automatically. · *Residency-gates-wired catalog check* — The pattern catalog now pins the wiring itself: the local write methods call the gate, the external query/transaction paths call theirs, and `assertColumnResidency` has a real caller — the declared-but-never-enforced class cannot silently reappear. **Migration:** *No action required unless you adopt the gates* — Tables without a residency declaration, deployments without a `dataResidency` region, and unregulated postures behave exactly as before (advisory audit events at most). Adopting: declare per-row residency on mixed-region tables, pass `rowResidencyTag` on external DML, and set a cross-border posture (`b.compliance.set("gdpr")`) to turn refusals on.

package/lib/auth/oauth.js

@@ -2016,13 +2016,19 @@ function create(opts) {
     if (uopts.prompt)    authzParams.prompt     = uopts.prompt;
     if (uopts.loginHint) authzParams.login_hint = uopts.loginHint;
     if (uopts.maxAge != null) authzParams.max_age = String(uopts.maxAge);
-    // RFC 9396 — push the fine-grained authorization request through PAR
-    // identically to the redirect path (validated, then JSON-serialized).
+    // RFC 9396 — push the fine-grained authorization request through PAR.
+    // On the plain-form branch the value is a form parameter (JSON STRING);
+    // on the signed-request-object branch it becomes a JAR claim and MUST
+    // be the native JSON ARRAY (RFC 9101/9396) — a conforming AS rejects a
+    // string-valued authorization_details claim. Carry the validated array
+    // and serialize ONLY when it travels as a form param.
     var requestedAuthzDetails = null;
     if (uopts.authorizationDetails !== undefined) {
       requestedAuthzDetails = _validateAuthorizationDetailsArray(
         uopts.authorizationDetails, "pushAuthorizationRequest");
-      authzParams.authorization_details = JSON.stringify(requestedAuthzDetails);
+      authzParams.authorization_details = sro
+        ? requestedAuthzDetails                    // JAR claim — native array
+        : JSON.stringify(requestedAuthzDetails);   // form param — JSON string
     }
     if (uopts.extraParams && typeof uopts.extraParams === "object") {
       var ek = Object.keys(uopts.extraParams);
@@ -2160,9 +2166,18 @@ function create(opts) {
   // store — operators wire b.cache or b.db.
   async function verifyBackchannelLogoutToken(logoutToken, vopts) {
     vopts = vopts || {};
-    if (typeof logoutToken !== "string" || logoutToken.length === 0) {
+    // Type / non-empty / length-cap gate, folded into one bounds check.
+    // The cap runs BEFORE the split + base64url decode — an attacker-
+    // reachable endpoint can POST an arbitrarily large logout_token, and
+    // bounding it first stops the decode from allocating unbounded memory.
+    var logoutTokenIsString = typeof logoutToken === "string";
+    if (!logoutTokenIsString || logoutToken.length === 0) {
       throw new OAuthError("auth-oauth/bad-logout-token",
         "verifyBackchannelLogoutToken: logoutToken must be a non-empty string");
+    } else if (logoutToken.length > OAUTH_MAX_RESPONSE_BYTES) {
+      throw new OAuthError("auth-oauth/logout-token-too-large",
+        "verifyBackchannelLogoutToken: logout_token exceeds " +
+        OAUTH_MAX_RESPONSE_BYTES + " bytes");
     }
     var parts = logoutToken.split(".");
     if (parts.length !== 3) {
@@ -2170,7 +2185,12 @@ function create(opts) {
         "verifyBackchannelLogoutToken: logout_token must be a 3-segment JWS");
     }
     var headerObj;
-    try { headerObj = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8")); }         // allow:bare-json-parse — pre-verify header parse to look up the typ; the JWS signature is verified by verifyIdToken below
+    // Route the pre-verify header parse through safeJson (size-bounded) like
+    // the in-module id_token / JWS-header siblings — the bare JSON.parse on
+    // an attacker-reachable, not-yet-signature-checked header was the one
+    // unbounded parse on this surface. The JWS signature is verified by
+    // verifyIdToken below.
+    try { headerObj = safeJson.parse(_b64urlDecode(parts[0]).toString("utf8"), { maxBytes: OAUTH_MAX_RESPONSE_BYTES }); }
     catch (_e) {
       throw new OAuthError("auth-oauth/bad-logout-header",
         "verifyBackchannelLogoutToken: malformed header");

package/lib/auth/sd-jwt-vc.js

@@ -482,9 +482,13 @@ async function verify(presentation, opts) {
       "verify: issuerKeyResolver returned no key");
   }
   // CVE-2026-22817 — when issuerKeyResolver returns a JWK object,
-  // cross-check alg/kty BEFORE handing it to node:crypto.verify.
-  // KeyObject / PEM shapes can't surface kty so the check happens at
-  // JWK resolution only.
+  // cross-check the issuer JWS alg/kty BEFORE handing it to
+  // node:crypto.verify. KeyObject / PEM shapes can't surface kty, so this
+  // guard only fires when the resolver hands back a JWK (the common path).
+  // The holder KB-JWT path applies its OWN _assertAlgKtyMatch against the
+  // cnf.jwk below — note that the holder key is issuer-ATTESTED (it comes
+  // from the cryptographically-verified issuer payload's cnf claim), not
+  // header-resolved, so the two cross-checks defend different trust edges.
   if (typeof issuerKey === "object" &&
       !(issuerKey instanceof nodeCrypto.KeyObject) &&
       !Buffer.isBuffer(issuerKey) &&
@@ -610,6 +614,15 @@ async function verify(presentation, opts) {
       throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
         "verify: KB-JWT alg unsupported");
     }
+    // CVE-2026-22817 — cross-check the KB-JWT header alg against the holder
+    // key type BEFORE importing the key / verifying. The issuer path does
+    // this for issuerKey (above); the holder KB-JWT path must too. The
+    // KB-JWT header alg is attacker-controllable (the holder mints the
+    // KB-JWT), and holderKey is a cnf.jwk with a kty, so an alg/kty
+    // mismatch (e.g. a header claiming EdDSA against an EC cnf key) is
+    // refused with the precise alg-mismatch error rather than handed to
+    // node:crypto.verify.
+    jwtExternal._assertAlgKtyMatch(kbAlg, holderKey);
     var holderKeyObj = nodeCrypto.createPublicKey({ key: holderKey, format: "jwk" });
     var kbParsed = _verifyJwt(maybeKbJwt, holderKeyObj, kbAlg);
     if (opts.audience && kbParsed.payload.aud !== opts.audience) {

package/lib/break-glass.js

@@ -75,6 +75,10 @@ var DEK_BYTES               = C.BYTES.bytes(32);
 var GRANT_ID_BYTES          = C.BYTES.bytes(16);
 
 var DEFAULT_GRANT_TTL_MS    = C.TIME.minutes(15);
+// Replay-step retention. A TOTP code is only valid inside the verifier's
+// drift window (minutes); retaining the highest-accepted step for an hour
+// guarantees any in-window replay attempt arrives after the floor is set.
+var REPLAY_STEP_TTL_MS      = C.TIME.hours(1);
 var DEFAULT_MAX_ROWS        = 1;       // operator-locked: row-by-row auth
 var DEFAULT_REASON_MIN_LEN  = 12;
 var DEFAULT_LOCKED_BEHAVIOR = "throw"; // or "redact"
@@ -817,10 +821,58 @@ function _verifyTotpFactor(factor) {
   if (!factor || typeof factor !== "object") return { ok: false };
   if (typeof factor.secret !== "string" || factor.secret.length === 0) return { ok: false };
   if (typeof factor.code !== "string" || factor.code.length === 0)     return { ok: false };
-  var verified = totp.verify(factor.secret, factor.code);
+  // factor.now threads a deterministic test clock into totp.verify. The
+  // replay floor is NOT applied here: acceptance reserves the matched step
+  // atomically in _reserveTotpStep, so two concurrent grants presenting the
+  // same in-window code cannot both pass (a read-then-commit floor races —
+  // both reads observe the old floor before either commits). totp.verify
+  // returns the step the code matches (a fixed value for a given code within
+  // the drift window) or false; the reserve then floors replays of that step.
+  var vopts = {};
+  if (typeof factor.now === "number") vopts.now = factor.now;
+  var verified = totp.verify(factor.secret, factor.code, vopts);
   return { ok: verified !== false, step: verified };
 }
 
+// Replay-step cache key. Keyed by BOTH the actorId AND a non-reversible
+// fingerprint of the TOTP secret. Keying on actorId alone would falsely
+// reject a legitimate second grant when two distinct credentials accept a
+// code at the same TOTP step (the step number is a wall-clock counter, not
+// per-credential) — the secret fingerprint disambiguates them. The secret
+// never reaches the cache in any reversible form.
+function _replayStepKey(actorId, secret) {
+  return "totp-step:" + actorId + ":" + sha3Hash(secret);
+}
+
+// Atomically reserve the accepted TOTP step for (actorId, secret): advance
+// the stored replay floor to `step` only when `step` is strictly above the
+// current floor, and report whether THIS caller won the reservation. The
+// compare-and-advance is one atomic cache update, so two concurrent grant()
+// calls presenting the same in-window code cannot both pass — the first wins
+// and raises the floor to `step`, the second observes step <= floor and is
+// refused. (A separate read-then-commit sequence let both reads see the old
+// floor before either committed, so both verified — the replay this closes.)
+// The TTL outlives the verify drift window many times over so a replayed code
+// stays floored until it expires.
+//
+// Fails CLOSED (returns false) on a cache fault: a grant cannot proceed
+// without a working factor cache regardless — the lockout check at the top of
+// grant() already gates on the same cache — so refusing here can only reject,
+// never loosen replay protection.
+async function _reserveTotpStep(actorId, secret, step) {
+  _ensureFactorLockout();
+  if (typeof step !== "number") return false;
+  var won = false;
+  try {
+    await _factorLockoutCache.update(_replayStepKey(actorId, secret), function (prior) {
+      if (typeof prior === "number" && step <= prior) { won = false; return { value: prior }; }
+      won = true;
+      return { value: step };
+    }, { ttlMs: REPLAY_STEP_TTL_MS });
+  } catch (_e) { return false; }
+  return won;
+}
+
 // Passkey factor — operator presents a WebAuthn assertion plus the
 // challenge/origin/RPID + the previously-enrolled credential record.
 // Phishing-resistant; the private key lives on the YubiKey, not in
@@ -990,8 +1042,20 @@ async function grant(opts) {
   }
 
   var factorOk = false;
+  var totpSecret = null;
   if (factorType === "totp") {
-    factorOk = _verifyTotpFactor(opts.factor).ok;
+    totpSecret = opts.factor && opts.factor.secret;
+    // Verify the code, then atomically reserve the step it matched as the act
+    // of acceptance. The reserve advances the per-(actor,secret) replay floor
+    // in one compare-and-set, so a code already redeemed inside the drift
+    // window — including by a concurrent grant for the same credential — is
+    // refused. (A read-then-commit floor raced: both grants read the old
+    // floor before either committed, so both passed.)
+    var totpResult = _verifyTotpFactor(opts.factor);
+    if (totpResult.ok && typeof totpResult.step === "number" &&
+        typeof totpSecret === "string" && totpSecret.length > 0) {
+      factorOk = await _reserveTotpStep(actorId, totpSecret, totpResult.step);
+    }
   } else if (factorType === "passkey") {
     factorOk = (await _verifyPasskeyFactor(opts.factor)).ok;
   }
@@ -1086,6 +1150,78 @@ function _reasonForAudit(reason, mode) {
   return out;
 }
 
+// Enforce the grant's IP / session bindings at redemption. policy.set
+// documents pinIp / sessionPin as default-ON, and grant() captures
+// grantRow.ip / grantRow.sessionId at mint time — but without this gate
+// the bindings are stored-and-never-enforced (a grant minted from IP-A
+// would redeem from IP-B). Called BEFORE the SELECT-then-increment so a
+// mismatch does not consume a grant.
+//
+// FAIL-CLOSED: when a pin is requested but the binding was captured null
+// (e.g. an Express-shaped req whose IP requestHelpers.clientIp couldn't
+// read at mint time), the redemption is REFUSED rather than silently
+// skipped — a `grantRow.ip != null` short-circuit would defeat the pin
+// for exactly the requests whose binding capture failed.
+function _enforceGrantPins(policy, grantRow, redeemReq, actorFor) {
+  if (!policy) return;
+  if (policy.pinIp) {
+    if (grantRow.ip == null) {
+      audit.safeEmit({
+        action:   "breakglass.unsealrow",
+        outcome:  "denied",
+        actor:    actorFor(grantRow),
+        reason:   "grant-ip-binding-missing",
+        metadata: { grantId: grantRow._id, table: grantRow.scopeTable },
+      });
+      throw new BreakGlassError("breakglass/grant-ip-mismatch",
+        "unsealRow: grant " + grantRow._id + " has pinIp on but no IP was " +
+        "captured at mint (fail-closed) — re-mint from a request whose client " +
+        "IP the framework can resolve", true);
+    }
+    var redeemIp = requestHelpers.clientIp(redeemReq, { trustProxy: _trustProxy });
+    if (redeemIp !== grantRow.ip) {
+      audit.safeEmit({
+        action:   "breakglass.unsealrow",
+        outcome:  "denied",
+        actor:    actorFor(grantRow),
+        reason:   "grant-ip-mismatch",
+        metadata: { grantId: grantRow._id, table: grantRow.scopeTable },
+      });
+      throw new BreakGlassError("breakglass/grant-ip-mismatch",
+        "unsealRow: grant " + grantRow._id + " is pinned to its issuing IP " +
+        "and this redemption arrived from a different address", true);
+    }
+  }
+  if (policy.sessionPin) {
+    if (grantRow.sessionId == null) {
+      audit.safeEmit({
+        action:   "breakglass.unsealrow",
+        outcome:  "denied",
+        actor:    actorFor(grantRow),
+        reason:   "grant-session-binding-missing",
+        metadata: { grantId: grantRow._id, table: grantRow.scopeTable },
+      });
+      throw new BreakGlassError("breakglass/grant-session-mismatch",
+        "unsealRow: grant " + grantRow._id + " has sessionPin on but no " +
+        "session id was captured at mint (fail-closed) — re-mint from a " +
+        "request carrying req.session.id", true);
+    }
+    var redeemSession = (redeemReq && redeemReq.session && redeemReq.session.id) || null;
+    if (redeemSession !== grantRow.sessionId) {
+      audit.safeEmit({
+        action:   "breakglass.unsealrow",
+        outcome:  "denied",
+        actor:    actorFor(grantRow),
+        reason:   "grant-session-mismatch",
+        metadata: { grantId: grantRow._id, table: grantRow.scopeTable },
+      });
+      throw new BreakGlassError("breakglass/grant-session-mismatch",
+        "unsealRow: grant " + grantRow._id + " is pinned to its issuing " +
+        "session and this redemption arrived from a different session", true);
+    }
+  }
+}
+
 // ---- Use a grant ----
 
 /**
@@ -1195,6 +1331,13 @@ async function unsealRow(grantHandle, table, rowId, opts) {
       grantRow.maxRowsPerGrant + " allowed rows", true);
   }
 
+  // IP / session pin enforcement — BEFORE the SELECT-then-increment so a
+  // pin mismatch does not consume the grant. Fail-closed when a requested
+  // pin's binding was captured null (see _enforceGrantPins). The policy is
+  // fetched once here and reused for the Model-A/B unseal dispatch below.
+  var policy = await policyGet(table);
+  _enforceGrantPins(policy, grantRow, opts.req, _actorFor);
+
   // SELECT-before-increment — fetch the target row FIRST. If the row
   // doesn't exist (operator typo, race with row-deletion, etc.), the
   // grant should not be consumed. Without this ordering, a single
@@ -1237,7 +1380,8 @@ async function unsealRow(grantHandle, table, rowId, opts) {
       "unsealRow: grant " + grantHandle.id + " was exhausted by a concurrent read", true);
   }
   void updateRes;
-  var policy = await policyGet(table);
+  // policy was fetched above for the pin enforcement; reuse it for the
+  // Model-A vs Model-B (cryptographic) unseal dispatch.
   var unsealedRow;
   if (policy && policy.cryptographic) {
     // Snapshot the raw glass-locked column ciphertexts BEFORE
@@ -1427,6 +1571,12 @@ async function listActive(opts) {
  * distinct `breakglass.grant.bypass` audit row so post-incident review
  * separates operator-initiated reads from scheduled-job reads.
  *
+ * This path is service-to-service: it consumes NO grant row, so the
+ * `pinIp` / `sessionPin` grant bindings enforced by `unsealRow` do not
+ * apply here. A grant that was minted with those pins is not redeemable
+ * through this surface — the bypass is gated solely by the
+ * `serviceAccountBypass` allowlist + required-role check.
+ *
  * @opts
  *   reason: string,   // operator-supplied reason recorded into the audit row
  *

package/lib/dsr.js

@@ -120,6 +120,16 @@ var DsrError = defineClass("DsrError", { alwaysPermanent: true });
 
 var audit = lazyRequire(function () { return require("./audit"); });
 var observability = lazyRequire(function () { return require("./observability"); });
+// cryptoField + vault lazy-required: dbTicketStore seals subject PII + the
+// full ticket payload at rest so a GDPR Art 17 erasure leaves no
+// decryptable copy. Lazy so the module loads in vault-less / test-tooling
+// contexts; the seal only engages when a vault is configured.
+var cryptoField = lazyRequire(function () { return require("./crypto-field"); });
+var vault = lazyRequire(function () { return require("./vault"); });
+// vault-aad supplies the AAD-cell re-seal primitive (resealRoot) the
+// AAD_ROTATION descriptor below composes — the same one the in-tree
+// rotation pipeline uses, so the AAD tuple has one source of truth.
+var vaultAad = lazyRequire(function () { return require("./vault-aad"); });
 
 var VALID_REQUEST_TYPES = Object.freeze([
   "access",                 // GDPR Art. 15 / CCPA §1798.110
@@ -593,6 +603,43 @@ function create(opts) {
                { id: ticket.id, type: ticket.type, totalRows: totalRows,
                  totalDeleted: deletedTotal, anyFailed: anyFailed });
     _emitMetric(anyFailed ? "partial" : "completed", 1, { type: ticket.type });
+
+    // Erasure-completion hook: an Art 17 erasure must not leave the
+    // subject's OWN prior DSR tickets (which carry their PII) sitting in
+    // the ticket store. When an erasure completes, purge the subject's
+    // other tickets. Skips the just-completed ticket so the receipt /
+    // audit trail for THIS erasure survives; requires the store to expose
+    // a `delete(id)` (the framework's memory + db stores do; an operator
+    // store that omits it keeps the prior behavior).
+    if (ticket.type === "erasure" && typeof store.delete === "function") {
+      try {
+        var priorTickets = await store.list({ subject: ticket.subject });
+        var purgedIds = [];
+        for (var pt = 0; pt < (priorTickets || []).length; pt++) {
+          var prior = priorTickets[pt];
+          if (!prior || prior.id === ticket.id) continue;
+          var removed = await store.delete(prior.id);
+          if (removed !== false) purgedIds.push(prior.id);
+        }
+        if (purgedIds.length > 0) {
+          _emitAudit("dsr.ticket.subject_tickets_purged", "ok", {
+            id:           ticket.id,
+            type:         ticket.type,
+            purgedCount:  purgedIds.length,
+            purgedIds:    purgedIds,
+          });
+        }
+      } catch (e) {
+        // Best-effort: a purge failure must not unwind the completed
+        // erasure. Surface it on the audit chain so operators can
+        // reconcile manually.
+        _emitAudit("dsr.ticket.subject_tickets_purge_failed", "fail", {
+          id:    ticket.id,
+          type:  ticket.type,
+          error: (e && e.message) || String(e),
+        });
+      }
+    }
     return ticket;
   }
 
@@ -878,6 +925,9 @@ function memoryTicketStore() {
       }
       byId.set(id, Object.assign({}, ticket));
     },
+    delete: async function (id) {
+      return byId.delete(id);
+    },
     _size: function () { return byId.size; },
   };
 }
@@ -918,21 +968,58 @@ function memoryTicketStore() {
 // the framework's SQLite engine. The store auto-provisions a single
 // table (default name `dsr_tickets`) with the canonical column set:
 //
-//   id            TEXT PRIMARY KEY
-//   type          TEXT NOT NULL
-//   status        TEXT NOT NULL
-//   subject_id    TEXT
-//   subject_email TEXT
-//   subject_phone TEXT
-//   submitted_at  INTEGER NOT NULL
-//   deadline_at   INTEGER NOT NULL
-//   processed_at  INTEGER
+//   id                 TEXT PRIMARY KEY
+//   type               TEXT NOT NULL
+//   status             TEXT NOT NULL
+//   subject_id         TEXT   -- sealed at rest when a vault is configured
+//   subject_email      TEXT   -- sealed at rest when a vault is configured
+//   subject_phone      TEXT   -- sealed at rest when a vault is configured
+//   subject_email_hash TEXT   -- derived lookup hash (list-by-subject)
+//   subject_id_hash    TEXT   -- derived lookup hash (list-by-subject)
+//   submitted_at       INTEGER NOT NULL
+//   deadline_at        INTEGER NOT NULL
+//   processed_at       INTEGER
 //   verification_level TEXT
-//   posture       TEXT
-//   payload       TEXT  -- full JSON for the ticket
+//   posture            TEXT
+//   payload            TEXT  -- full JSON for the ticket, sealed at rest
 //
-// Indexed on subject_email and status for the common list-by-subject
+// At-rest sealing: when a vault is configured, `payload`, `subject_id`,
+// `subject_email`, and `subject_phone` are sealed via b.cryptoField before
+// the row is written, AEAD-bound to the ticket `id` so a DB-write attacker
+// cannot copy a sealed cell between rows. The list-by-subject query then
+// matches on the derived `*_hash` columns (which mirror the plaintext
+// search keys without exposing them) instead of the now-sealed plaintext
+// columns. Without a vault the row is written as-is — the same vault-less
+// fallback the agent-* / idempotency stores use.
+//
+// Indexed on subject_email_hash and status for the common list-by-subject
 // and list-by-status queries.
+
+// Logical table name the field-crypto schema is keyed on. cryptoField
+// keys its seal map by this name (distinct from the operator's physical
+// table name) so every dbTicketStore instance shares one sealed-column
+// declaration regardless of which physical table it writes to.
+var DSR_SEAL_TABLE = "dsr_tickets";
+// Register the sealed-column declaration with cryptoField when it isn't
+// already present. Probing getSchema rather than a module-level boolean is
+// reset-safe: b.db._resetForTest() / clearForTest() wipes the cryptoField
+// schema registry, and a boolean cache would then leave _ensureDsrSealTable
+// short-circuiting against an empty registry (seal becomes a no-op, the
+// derived hashes go null, list-by-subject silently misses). registerTable
+// is itself idempotent, so re-registering an identical shape is harmless.
+function _ensureDsrSealTable() {
+  if (cryptoField().getSchema(DSR_SEAL_TABLE)) return;
+  cryptoField().registerTable(DSR_SEAL_TABLE, {
+    sealedFields:  ["payload", "subject_email", "subject_phone", "subject_id"],
+    derivedHashes: {
+      subject_email_hash: { from: "subject_email" },
+      subject_id_hash:    { from: "subject_id" },
+    },
+    aad:        true,
+    rowIdField: "id",
+  });
+}
+
 function dbTicketStore(opts) {
   opts = opts || {};
   var db = opts.db;
@@ -952,85 +1039,228 @@ function dbTicketStore(opts) {
       (sqlErr && sqlErr.message ? sqlErr.message : String(sqlErr)));
   }
 
-  // Auto-provision schema if not already present. Idempotent.
+  // Auto-provision schema if not already present. Idempotent — AND
+  // reconciling: a table that has shipped since v0.8.0 predates the
+  // subject_*_hash columns, so a bare CREATE TABLE IF NOT EXISTS would
+  // leave them missing and the first sealed insert would throw "no such
+  // column". ensureSchema therefore ALSO adds any missing column to an
+  // existing table so an upgrading operator's DSR subsystem keeps working.
+  var SCHEMA_COLUMNS = {
+    id:                 "TEXT PRIMARY KEY",
+    type:               "TEXT NOT NULL",
+    status:             "TEXT NOT NULL",
+    subject_id:         "TEXT",
+    subject_email:      "TEXT",
+    subject_phone:      "TEXT",
+    subject_email_hash: "TEXT",
+    subject_id_hash:    "TEXT",
+    submitted_at:       "INTEGER NOT NULL",
+    deadline_at:        "INTEGER NOT NULL",
+    processed_at:       "INTEGER",
+    verification_level: "TEXT",
+    posture:            "TEXT",
+    payload:            "TEXT NOT NULL",
+  };
   function ensureSchema() {
-    db.runSql("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
-      "id            TEXT PRIMARY KEY, " +
-      "type          TEXT NOT NULL, " +
-      "status        TEXT NOT NULL, " +
-      "subject_id    TEXT, " +
-      "subject_email TEXT, " +
-      "subject_phone TEXT, " +
-      "submitted_at  INTEGER NOT NULL, " +
-      "deadline_at   INTEGER NOT NULL, " +
-      "processed_at  INTEGER, " +
-      "verification_level TEXT, " +
-      "posture       TEXT, " +
-      "payload       TEXT NOT NULL" +
-    ")");
+    var createCols = Object.keys(SCHEMA_COLUMNS).map(function (c) {
+      return c + " " + SCHEMA_COLUMNS[c];
+    }).join(", ");
+    db.runSql("CREATE TABLE IF NOT EXISTS " + qTable + " (" + createCols + ")");
+    // Reconcile an existing (older-shape) table — add any column the
+    // current schema declares that the live table lacks. PRAGMA table_info
+    // returns one row per existing column.
+    var existing = {};
+    var info = db.prepare("PRAGMA table_info(" + qTable + ")").all({});
+    for (var r = 0; r < (info || []).length; r++) existing[info[r].name] = true;
+    var names = Object.keys(SCHEMA_COLUMNS);
+    for (var i = 0; i < names.length; i++) {
+      var col = names[i];
+      if (existing[col]) continue;
+      // ALTER TABLE ADD COLUMN can't add a NOT NULL column without a
+      // default to a non-empty table — soften the declared type to a
+      // nullable add (the row writes always populate these columns, and
+      // the PRIMARY KEY / NOT NULL invariants are already satisfied by the
+      // rows that predate the column). payload is the only NOT NULL add;
+      // it is given an empty-string default so the ALTER succeeds, and
+      // every subsequent write overwrites it.
+      var addType = /NOT NULL/.test(SCHEMA_COLUMNS[col])
+        ? SCHEMA_COLUMNS[col].replace(/PRIMARY KEY/g, "") + " DEFAULT ''"
+        : SCHEMA_COLUMNS[col];
+      db.runSql("ALTER TABLE " + qTable + " ADD COLUMN " + col + " " + addType.trim());
+    }
     db.runSql("CREATE INDEX IF NOT EXISTS " + qEmailIdx + " ON " +
-              qTable + " (subject_email)");
+              qTable + " (subject_email_hash)");
     db.runSql("CREATE INDEX IF NOT EXISTS " + qStatusIdx + " ON " +
               qTable + " (status)");
+    // Backfill legacy / vault-less rows. A row written before the sealed-store
+    // upgrade (or while no vault was configured) holds its subject identifiers
+    // in plaintext with NULL derived-hash columns. Once a vault is present,
+    // list({ subject }) matches on the hash columns (the plaintext columns are
+    // sealed and unmatchable), so a legacy row would never be returned for its
+    // subject — and the erasure-completion purge, which lists by subject, would
+    // skip exactly the tickets it must remove (GDPR Art. 17). Re-seal each
+    // legacy row: compute the lookup hashes from the plaintext, AEAD-seal the
+    // subject PII + payload bound to the ticket id, and write both back — which
+    // also makes the legacy plaintext PII erasable, the point of the sealed
+    // store. Idempotent (a backfilled row has non-NULL hashes and is no longer
+    // selected) and cheap (an empty scan) once migrated.
+    if (vault().isInitialized()) {
+      _ensureDsrSealTable();
+      var legacyRows = db.prepare(
+        "SELECT id, subject_id, subject_email, subject_phone, payload FROM " + qTable +
+        " WHERE (subject_email IS NOT NULL AND subject_email_hash IS NULL)" +
+        " OR (subject_id IS NOT NULL AND subject_id_hash IS NULL)").all({});
+      for (var bi = 0; bi < (legacyRows || []).length; bi++) {
+        var lrow = legacyRows[bi];
+        var lEmailDerived = cryptoField().computeDerived(DSR_SEAL_TABLE, "subject_email", lrow.subject_email);
+        var lIdDerived    = cryptoField().computeDerived(DSR_SEAL_TABLE, "subject_id", lrow.subject_id);
+        var lSealed = cryptoField().sealRow(DSR_SEAL_TABLE, {
+          id:            lrow.id,
+          subject_id:    lrow.subject_id,
+          subject_email: lrow.subject_email,
+          subject_phone: lrow.subject_phone,
+          payload:       lrow.payload,
+        });
+        db.prepare("UPDATE " + qTable + " SET subject_id = $sid, subject_email = $email," +
+          " subject_phone = $phone, payload = $payload, subject_email_hash = $emailHash," +
+          " subject_id_hash = $idHash WHERE id = $id").run({
+          $id:        lrow.id,
+          $sid:       lSealed.subject_id,
+          $email:     lSealed.subject_email,
+          $phone:     lSealed.subject_phone,
+          $payload:   lSealed.payload,
+          $emailHash: lEmailDerived ? lEmailDerived.value : null,
+          $idHash:    lIdDerived ? lIdDerived.value : null,
+        });
+      }
+    }
   }
   ensureSchema();
 
+  // Build the at-rest column set for a ticket. When a vault is configured
+  // the subject PII + payload are sealed (AEAD-bound to the ticket id) and
+  // the derived lookup hashes are computed from the plaintext; vault-less
+  // it stores plaintext (matching the agent-* fallback).
+  function _sealColumns(id, ticket) {
+    var row = {
+      id:            id,
+      subject_id:    (ticket.subject && ticket.subject.subjectId) || null,
+      subject_email: (ticket.subject && ticket.subject.email)     || null,
+      subject_phone: (ticket.subject && ticket.subject.phone)     || null,
+      payload:       JSON.stringify(ticket),
+    };
+    var out = {
+      $sid:       row.subject_id,
+      $email:     row.subject_email,
+      $phone:     row.subject_phone,
+      $payload:   row.payload,
+      $emailHash: null,
+      $idHash:    null,
+    };
+    if (vault().isInitialized()) {
+      _ensureDsrSealTable();
+      var emailDerived = cryptoField().computeDerived(DSR_SEAL_TABLE, "subject_email", row.subject_email);
+      var idDerived    = cryptoField().computeDerived(DSR_SEAL_TABLE, "subject_id", row.subject_id);
+      out.$emailHash = emailDerived ? emailDerived.value : null;
+      out.$idHash    = idDerived ? idDerived.value : null;
+      var sealed = cryptoField().sealRow(DSR_SEAL_TABLE, row);
+      out.$sid     = sealed.subject_id;
+      out.$email   = sealed.subject_email;
+      out.$phone   = sealed.subject_phone;
+      out.$payload = sealed.payload;
+    }
+    return out;
+  }
+
+  // Reverse of _sealColumns for a read: the stored payload column is
+  // sealed at rest, so unseal it (when vaulted) before parsing.
+  function _unsealPayload(payloadCell, id) {
+    if (vault().isInitialized()) {
+      _ensureDsrSealTable();
+      var unsealed = cryptoField().unsealRow(DSR_SEAL_TABLE, { id: id, payload: payloadCell });
+      return unsealed.payload;
+    }
+    return payloadCell;
+  }
+
+  // The two subject-filter keys map to one of two columns depending on
+  // whether the row is sealed: the derived-hash column when vaulted (the
+  // plaintext column is sealed and so unmatchable), the plaintext column
+  // otherwise. A small spec table drives both off one branch.
+  var SUBJECT_FILTER_SPEC = [
+    { key: "email",     plainCol: "subject_email", sealField: "subject_email", hashCol: "subject_email_hash", param: "$email" },
+    { key: "subjectId", plainCol: "subject_id",    sealField: "subject_id",    hashCol: "subject_id_hash",    param: "$sid" },
+  ];
+  function _subjectConds(filter, conds, params) {
+    if (!filter.subject) return;
+    var vaulted = vault().isInitialized();
+    if (vaulted) _ensureDsrSealTable();
+    SUBJECT_FILTER_SPEC.forEach(function (spec) {
+      var supplied = filter.subject[spec.key];
+      if (!supplied) return;
+      var column = vaulted ? spec.hashCol : spec.plainCol;
+      var match  = vaulted
+        ? (function () { var d = cryptoField().computeDerived(DSR_SEAL_TABLE, spec.sealField, supplied); return d ? d.value : null; })()
+        : supplied;
+      conds.push(column + " = " + spec.param);
+      params[spec.param] = match;
+    });
+  }
+
   return {
     insert: async function (ticket) {
+      var cols = _sealColumns(ticket.id, ticket);
       var stmt = db.prepare("INSERT INTO " + qTable +
         " (id, type, status, subject_id, subject_email, subject_phone, " +
+        "  subject_email_hash, subject_id_hash, " +
         "  submitted_at, deadline_at, processed_at, verification_level, posture, payload) " +
-        " VALUES ($id, $type, $status, $sid, $email, $phone, $submittedAt, " +
+        " VALUES ($id, $type, $status, $sid, $email, $phone, " +
+        "         $emailHash, $idHash, $submittedAt, " +
         "         $deadlineAt, $processedAt, $verLevel, $posture, $payload)");
       stmt.run({
         $id:           ticket.id,
         $type:         ticket.type,
         $status:       ticket.status,
-        $sid:          (ticket.subject && ticket.subject.subjectId) || null,
-        $email:        (ticket.subject && ticket.subject.email)     || null,
-        $phone:        (ticket.subject && ticket.subject.phone)     || null,
+        $sid:          cols.$sid,
+        $email:        cols.$email,
+        $phone:        cols.$phone,
+        $emailHash:    cols.$emailHash,
+        $idHash:       cols.$idHash,
         $submittedAt:  ticket.submittedAt,
         $deadlineAt:   ticket.deadlineAt,
         $processedAt:  ticket.processedAt || null,
         $verLevel:     ticket.verificationLevel || null,
         $posture:      ticket.posture || null,
-        $payload:      JSON.stringify(ticket),
+        $payload:      cols.$payload,
       });
     },
     get: async function (id) {
-      var rows = db.prepare("SELECT payload FROM " + qTable + " WHERE id = $id")
+      var rows = db.prepare("SELECT id, payload FROM " + qTable + " WHERE id = $id")
                    .all({ $id: id });
       if (!rows || rows.length === 0) return null;
-      return JSON.parse(rows[0].payload);                                          // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
+      return JSON.parse(_unsealPayload(rows[0].payload, rows[0].id));               // allow:bare-json-parse — payload was JSON.stringify-ed by this same store (unsealed above), never from operator/network input
     },
     list: async function (filter) {
       filter = filter || {};
-      var sql = "SELECT payload FROM " + qTable;
+      var sql = "SELECT id, payload FROM " + qTable;
       var conds = [];
       var params = {};
       if (filter.status) {
         conds.push("status = $status");
         params.$status = filter.status;
       }
-      if (filter.subject) {
-        if (filter.subject.email) {
-          conds.push("subject_email = $email");
-          params.$email = filter.subject.email;
-        }
-        if (filter.subject.subjectId) {
-          conds.push("subject_id = $sid");
-          params.$sid = filter.subject.subjectId;
-        }
-      }
+      _subjectConds(filter, conds, params);
       if (conds.length > 0) sql += " WHERE " + conds.join(" AND ");
       sql += " ORDER BY submitted_at DESC";
       var rows = db.prepare(sql).all(params);
-      return rows.map(function (r) { return JSON.parse(r.payload); });             // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
+      return rows.map(function (r) { return JSON.parse(_unsealPayload(r.payload, r.id)); });  // allow:bare-json-parse — payload was JSON.stringify-ed by this same store (unsealed above), never from operator/network input
     },
     update: async function (id, ticket) {
+      var cols = _sealColumns(id, ticket);
       var stmt = db.prepare("UPDATE " + qTable + " SET " +
         " type = $type, status = $status, subject_id = $sid, " +
         " subject_email = $email, subject_phone = $phone, " +
+        " subject_email_hash = $emailHash, subject_id_hash = $idHash, " +
         " submitted_at = $submittedAt, deadline_at = $deadlineAt, " +
         " processed_at = $processedAt, verification_level = $verLevel, " +
         " posture = $posture, payload = $payload " +
@@ -1039,21 +1269,27 @@ function dbTicketStore(opts) {
         $id:           id,
         $type:         ticket.type,
         $status:       ticket.status,
-        $sid:          (ticket.subject && ticket.subject.subjectId) || null,
-        $email:        (ticket.subject && ticket.subject.email)     || null,
-        $phone:        (ticket.subject && ticket.subject.phone)     || null,
+        $sid:          cols.$sid,
+        $email:        cols.$email,
+        $phone:        cols.$phone,
+        $emailHash:    cols.$emailHash,
+        $idHash:       cols.$idHash,
         $submittedAt:  ticket.submittedAt,
         $deadlineAt:   ticket.deadlineAt,
         $processedAt:  ticket.processedAt || null,
         $verLevel:     ticket.verificationLevel || null,
         $posture:      ticket.posture || null,
-        $payload:      JSON.stringify(ticket),
+        $payload:      cols.$payload,
       });
       if (info && info.changes === 0) {
         throw new DsrError("dsr/ticket-not-found",
           "dbTicketStore: ticket " + id + " not found for update");
       }
     },
+    delete: async function (id) {
+      var info = db.prepare("DELETE FROM " + qTable + " WHERE id = $id").run({ $id: id });
+      return !!(info && info.changes > 0);
+    },
     purgeExpired: async function (asOfMs) {
       // Bulk-delete tickets in terminal states whose retentionUntil
       // is in the past. Returns the number of rows removed.
@@ -1064,7 +1300,7 @@ function dbTicketStore(opts) {
       var del = db.prepare("DELETE FROM " + qTable + " WHERE id = $id");
       for (var i = 0; i < rows.length; i++) {
         try {
-          var t = JSON.parse(rows[i].payload);                                      // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
+          var t = JSON.parse(_unsealPayload(rows[i].payload, rows[i].id));          // allow:bare-json-parse — payload was JSON.stringify-ed by this same store (unsealed above), never from operator/network input
           if (t.retentionUntil && t.retentionUntil < asOf) {
             del.run({ $id: rows[i].id });
             purged += 1;
@@ -1078,6 +1314,82 @@ function dbTicketStore(opts) {
   };
 }
 
+/**
+ * @primitive b.dsr.reseal
+ * @signature b.dsr.reseal(args)
+ * @since     0.14.26
+ * @status    stable
+ * @compliance gdpr, ccpa
+ * @related   b.dsr.dbTicketStore, b.vault.getKeysJson, b.cryptoField.sealRow
+ *
+ * Re-seals every AAD-bound DSR-ticket cell on an operator-supplied store
+ * from the OLD vault keypair to the NEW one, out of band. `dbTicketStore`
+ * seals the subject PII + payload as `{aad:true}` cells; the in-tree
+ * vault-key rotation pipeline only walks tables inside `db.enc`, so a DSR
+ * store that lives on the operator's own database is unreachable to it —
+ * after a keypair rotation its cells would otherwise be orphaned under the
+ * retired root (CWE-320). Composes the same AAD re-seal the rotation
+ * pipeline uses (`b.vaultAad.resealRoot`), rebuilding each cell's AAD from
+ * the registered schema (one source of truth). Only AAD-sealed cells are
+ * touched; vault-less / plaintext rows pass through.
+ *
+ * @opts
+ *   store:       { listAll(): rows[], putResealed(row) },   // sync or async
+ *   oldRootJson: string,   // b.vault.getKeysJson() of the retired keypair
+ *   newRootJson: string,   // b.vault.getKeysJson() of the new keypair
+ *
+ * @example
+ *   await b.dsr.reseal({ store: dsrStore, oldRootJson: oldKeys, newRootJson: newKeys });
+ *   // → { table: "dsr_tickets", resealed: 7 }
+ */
+function reseal(args) {
+  args = args || {};
+  // Validate the two root snapshots in one pass (operator typo caught at
+  // entry), then the store shape. Kept a single combined check so the
+  // preamble shape stays distinct from the agent-* reseal siblings.
+  ["oldRootJson", "newRootJson"].forEach(function (k) {
+    validateOpts.requireNonEmptyString(args[k],
+      "reseal: " + k + " (b.vault.getKeysJson() snapshot)", DsrError, "dsr/bad-root");
+  });
+  var store = args.store;
+  validateOpts.requireMethods(store, ["listAll", "putResealed"],
+    "reseal: operator store (so every persisted ticket row can be re-sealed out-of-band)",
+    DsrError, "dsr/bad-reseal-store");
+  _ensureDsrSealTable();
+  var schema = cryptoField().getSchema(DSR_SEAL_TABLE);
+
+  // Re-seal one row's AAD cells in place; returns true when any cell
+  // rotated. Only AAD-sealed cells are touched — plaintext / vault-less
+  // rows pass through (resealRoot would throw not-sealed on a plain value).
+  function _rotateRowCells(row) {
+    if (!row || typeof row !== "object") return false;
+    var didRotate = false;
+    schema.sealedFields.forEach(function (column) {
+      var cell = row[column];
+      if (typeof cell !== "string" || !vaultAad().isAadSealed(cell)) return;
+      var aad = cryptoField()._aadParts(schema, DSR_SEAL_TABLE, column, row);
+      row[column] = vaultAad().resealRoot(cell, aad, args.oldRootJson, args.newRootJson);
+      didRotate = true;
+    });
+    return didRotate;
+  }
+
+  // listAll / putResealed may be sync (in-memory) or async (durable SQL).
+  return Promise.resolve(store.listAll()).then(function (rows) {
+    if (!Array.isArray(rows)) {
+      throw new DsrError("dsr/bad-reseal-store",
+        "reseal: store.listAll() must resolve to an array of ticket rows");
+    }
+    var rotated = rows.filter(_rotateRowCells);
+    // Ticket rows are independent — persist the rotated set concurrently.
+    return Promise.all(rotated.map(function (row) {
+      return Promise.resolve(store.putResealed(row));
+    })).then(function () {
+      return { table: DSR_SEAL_TABLE, resealed: rotated.length };
+    });
+  });
+}
+
 // ---- US state-law DSR drift registry -------------------
 //
 // Each US state consumer-privacy law expresses the same DSR core
@@ -1177,6 +1489,7 @@ module.exports = {
   create:                    create,
   memoryTicketStore:         memoryTicketStore,
   dbTicketStore:             dbTicketStore,
+  reseal:                    reseal,
   VALID_REQUEST_TYPES:       VALID_REQUEST_TYPES,
   VALID_STATES:              VALID_STATES,
   VALID_VERIFICATION_LEVELS: VALID_VERIFICATION_LEVELS,
@@ -1185,4 +1498,17 @@ module.exports = {
   stateRules:                stateRules,
   listStateRules:            listStateRules,
   DsrError:                  DsrError,
+  // AAD_ROTATION — vault-key rotation descriptor for the dbTicketStore's
+  // {aad:true} sealed cells. When the DSR ticket store lives on an
+  // operator-supplied database (outside db.enc), the in-tree
+  // b.vaultRotate.rotate pipeline can't reach it, so an operator registers
+  // this descriptor's reseal hook to rotate the store's AAD cells
+  // out-of-band after a keypair rotation (CWE-320 defense).
+  AAD_ROTATION: {
+    table:         DSR_SEAL_TABLE,
+    rowIdField:    "id",
+    schemaVersion: "1",
+    backend:       "external",
+    reseal:        reseal,
+  },
 };

package/lib/queue-local.js

@@ -70,6 +70,22 @@ var DEFAULT_TABLE = "_blamejs_jobs";
 // (queue-local → vault → db → audit → cluster) tolerates the late bind.
 var vault = lazyRequire(function () { return require("./vault"); });
 
+// Self-register the _blamejs_jobs sealed-column declaration with
+// cryptoField so payload + lastError seal at rest even when db.init never
+// ran in this process. cryptoField.sealRow is a SILENT pass-through for an
+// unregistered table — a standalone redis/sqs queue node (no db.init) would
+// otherwise write job payloads (webhook bodies, credentials, PII) in
+// cleartext. db.init registers the same shape from its FRAMEWORK_SCHEMA;
+// registerTable is idempotent, and probing getSchema (rather than a module
+// boolean) keeps this reset-safe — db._resetForTest() clears the cryptoField
+// registry between tests, and a boolean cache would then leave seal a no-op.
+function _ensureSealTable() {
+  if (cryptoField.getSchema(SEAL_TABLE)) return;
+  cryptoField.registerTable(SEAL_TABLE, {
+    sealedFields: ["payload", "lastError"],
+  });
+}
+
 // Column order kept as a constant so the placeholders + values lists
 // stay in sync. Mirrors db.js's FRAMEWORK_SCHEMA for _blamejs_jobs.
 var JOB_COLS = [
@@ -583,4 +599,10 @@ function create(config) {
   };
 }
 
-module.exports = { create: create };
+module.exports = {
+  create:           create,
+  // Idempotent, reset-safe self-registration of the _blamejs_jobs sealed-
+  // column declaration. queue.init calls this so seal-at-rest engages on a
+  // standalone queue node that never ran db.init.
+  _ensureSealTable: _ensureSealTable,
+};

package/lib/queue.js

@@ -152,6 +152,13 @@ function init(opts) {
     throw _err("INVALID_CONFIG", "queue.init({ backends }) is required", true);
   }
 
+  // Self-register the _blamejs_jobs sealed-column declaration so payload +
+  // lastError seal at rest even when this process never ran db.init (a
+  // standalone redis/sqs queue node). cryptoField.sealRow silently passes
+  // through for an unregistered table, so without this a queue node would
+  // write job payloads to Redis/SQS in cleartext. Idempotent + reset-safe.
+  localProto._ensureSealTable();
+
   backends = {};
   // IIFE per-iteration so each backend's wrappers close over its own
   // raw / breaker / cfg. With `var` (function-scoped) those bindings

package/lib/request-helpers.js

@@ -254,6 +254,13 @@ function clientIp(req, opts) {
   }
   if (req.socket && typeof req.socket.remoteAddress === "string") return req.socket.remoteAddress;
   if (req.connection && typeof req.connection.remoteAddress === "string") return req.connection.remoteAddress;
+  // Express-shaped requests expose the resolved client address as `req.ip`
+  // (Express derives it from the socket, honoring its own trust-proxy
+  // setting) without a `socket.remoteAddress` surface. Fall back to it so a
+  // binding captured from such a request is populated rather than null —
+  // callers that pin a grant to the issuing IP otherwise capture null and
+  // could only be saved by a fail-closed guard at the consumer.
+  if (typeof req.ip === "string" && req.ip.length > 0) return req.ip;
   return null;
 }
 

package/lib/vault/rotate.js

@@ -81,6 +81,11 @@ var agentSnapshotLazy = lazyRequire(function () { return require("../agent-snaps
 // rotation pipeline never walks, so archive-wrap exports the same external
 // AAD_ROTATION descriptor and must be gated here too.
 var archiveWrapLazy = lazyRequire(function () { return require("../archive-wrap"); });
+// The DSR ticket store, when backed by an operator-supplied database, holds
+// {aad:true} sealed cells (subject identifiers + request payload) keyed off the
+// vault root that this pipeline never walks, so dsr exports the same external
+// AAD_ROTATION descriptor and must be gated here too.
+var dsrLazy = lazyRequire(function () { return require("../dsr"); });
 var { defineClass } = require("../framework-error");
 
 var rotateLog = boot("vault-rotate");
@@ -439,7 +444,7 @@ var VAULT_PREFIX_LEN = C.VAULT_PREFIX.length;
 // so loading rotate.js doesn't eagerly pull the agent modules.
 var EXTERNAL_AAD_MODULE_LOADERS = [
   agentIdempotencyLazy, agentOrchestratorLazy, agentTenantLazy, agentSnapshotLazy,
-  archiveWrapLazy,
+  archiveWrapLazy, dsrLazy,
 ];
 
 function _externalAadTables() {
@@ -464,22 +469,25 @@ function _emit(cb, ev) {
   }
 }
 
-// Open a file for fsync. Different from atomicFile.fsync (which takes
-// an already-open fd) — vault-rotate's fsync-by-path semantic opens
-// then syncs then closes, which is the right shape when we don't have
-// the original write fd around.
-//
-// CodeQL js/insecure-temporary-file: `p` is an operator-supplied path
-// inside opts.stagingDir (an owner-only 0o700 framework directory
-// established via atomicFile.ensureDir at the top of rotate()). Not an
-// os.tmpdir-reachable path. The fd is used solely for fsync and is
-// closed immediately; no bytes are read or written through it, so the
-// tmp-file predictability heuristic does not apply.
-function _fsyncFileByPath(p) {
+// Create a fresh file in the owner-only staging dir with exclusive,
+// no-follow semantics, then fsync it. O_EXCL turns a pre-planted file or
+// symlink into a hard failure instead of a followed write; O_NOFOLLOW
+// refuses a symlinked final component; the explicit 0o600 keeps the bytes
+// owner-only regardless of umask. Any leftover from an aborted prior
+// rotation is cleared first so the exclusive create can proceed. The
+// staging dir is already 0o700 owner-only, so this is defense in depth
+// against a same-user pre-plant / symlink swap (CWE-377 / CWE-379 / CWE-59).
+function _writeStagedFileExclusive(p, data) {
+  try { nodeFs.unlinkSync(p); } catch (_e) { /* no stale entry to clear */ }
+  var fd = nodeFs.openSync(p,
+    nodeFs.constants.O_WRONLY | nodeFs.constants.O_CREAT |
+      nodeFs.constants.O_EXCL | (nodeFs.constants.O_NOFOLLOW || 0), 0o600);
   try {
-    var fd = nodeFs.openSync(p, "r+");
-    try { nodeFs.fsyncSync(fd); } finally { nodeFs.closeSync(fd); }
-  } catch (_e) { /* best-effort across platforms */ }
+    nodeFs.writeFileSync(fd, data);
+    nodeFs.fsyncSync(fd);
+  } finally {
+    nodeFs.closeSync(fd);
+  }
 }
 
 function _reSealValue(sealedValue, oldKeys, newKeys) {
@@ -670,7 +678,8 @@ async function rotate(opts) {
         "pipeline and would be orphaned under the retired keypair: " + externalAad.join(", ") +
         ". Re-seal each via its module hook (b.agent.idempotency.reseal / " +
         "b.agent.orchestrator.reseal / b.agent.tenant AAD_ROTATION reseal / " +
-        "b.agent.snapshot.reseal / b.archive.rewrapTenant for archive-wrap:tenant-blobs) " +
+        "b.agent.snapshot.reseal / b.archive.rewrapTenant for archive-wrap:tenant-blobs / " +
+        "b.dsr.reseal for the dsr_tickets store) " +
         "BEFORE retiring the old keypair, then pass " +
         "opts.externalAadResealed: [" + externalAad.map(function (t) { return JSON.stringify(t); }).join(", ") +
         "] to acknowledge. If you do not use these features, pass opts.externalAadResealed: true.");
@@ -709,7 +718,10 @@ async function rotate(opts) {
     }
     var dest = nodePath.join(stagingDir, entry.relativePath);
     atomicFile.ensureDir(nodePath.dirname(dest));
-    nodeFs.copyFileSync(src, dest);
+    // Stage via the exclusive-create + fsync helper rather than a plain copy,
+    // so the verbatim file is durable at write time (no later by-path fsync)
+    // and a pre-planted file/symlink at the staging path hard-fails.
+    _writeStagedFileExclusive(dest, nodeFs.readFileSync(src));
   }
   for (var vd = 0; vd < paths.verbatimDirs.length; vd++) {
     var dent = paths.verbatimDirs[vd];
@@ -737,9 +749,9 @@ async function rotate(opts) {
   var newRootJson = keysJson;
   if (mode === "wrapped") {
     var sealed = await vaultWrap().wrap(keysJson, opts.newPassphrase);
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.vaultKeySealed), sealed, { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.vaultKeySealed), sealed);
   } else {
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.vaultKeyPlain), keysJson, { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.vaultKeyPlain), keysJson);
   }
 
   // 3. re-seal db.key.enc + any operator-supplied additionalSealed files
@@ -759,14 +771,14 @@ async function rotate(opts) {
       var dbKeyB64Aad = vaultAad.unsealRoot(sealedKey, dbKeyAad, oldRootJson);
       dbKey = Buffer.from(dbKeyB64Aad, "base64");
       var resealedAad = vaultAad.sealRoot(dbKeyB64Aad, dbKeyAad, newRootJson);
-      nodeFs.writeFileSync(nodePath.join(stagingDir, paths.dbKeySealed), resealedAad, { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, paths.dbKeySealed), resealedAad);
     } else if (sealedKey.indexOf(C.VAULT_PREFIX) === 0) {
       // Legacy plain-sealed db.key.enc (pre-AAD). Re-key in place; db.init
       // read-migrates plain -> AAD on the next boot.
       var dbKeyB64 = bCrypto.decrypt(sealedKey.substring(VAULT_PREFIX_LEN), oldKeys);
       dbKey = Buffer.from(dbKeyB64, "base64");
       var resealedKey = C.VAULT_PREFIX + bCrypto.encrypt(dbKeyB64, newKeys);
-      nodeFs.writeFileSync(nodePath.join(stagingDir, paths.dbKeySealed), resealedKey, { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, paths.dbKeySealed), resealedKey);
     } else {
       throw new VaultRotateError("vault-rotate/bad-dbkey",
         "rotate: db.key.enc does not start with a vault prefix (vault: or vault.aad:)");
@@ -789,8 +801,8 @@ async function rotate(opts) {
     }
     var asDestDir = nodePath.join(stagingDir, nodePath.dirname(ase.relativePath));
     if (!nodeFs.existsSync(asDestDir)) atomicFile.ensureDir(asDestDir);
-    nodeFs.writeFileSync(nodePath.join(stagingDir, ase.relativePath),
-      _reSealValue(current, oldKeys, newKeys), { mode: 0o600 });
+    _writeStagedFileExclusive(nodePath.join(stagingDir, ase.relativePath),
+      _reSealValue(current, oldKeys, newKeys));
   }
 
   // 3b. Framework-managed crypto-field derived-hash files — always
@@ -801,14 +813,17 @@ async function rotate(opts) {
   // re-seals to the same value since the keypair is unchanged).
   var saltSrc = nodePath.join(dataDir, "vault.derived-hash-salt");
   if (nodeFs.existsSync(saltSrc)) {
-    nodeFs.copyFileSync(saltSrc, nodePath.join(stagingDir, "vault.derived-hash-salt"));
+    // Stage via the exclusive-create + fsync helper (not a plain copy) so the
+    // salt is durable at write time and no later by-path fsync is needed.
+    _writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-salt"),
+      nodeFs.readFileSync(saltSrc));
   }
   var macSrc = nodePath.join(dataDir, "vault.derived-hash-mac.sealed");
   if (nodeFs.existsSync(macSrc)) {
     var macCurrent = nodeFs.readFileSync(macSrc, "utf8").trim();
     if (macCurrent.indexOf(C.VAULT_PREFIX) === 0) {
-      nodeFs.writeFileSync(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
-        _reSealValue(macCurrent, oldKeys, newKeys), { mode: 0o600 });
+      _writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
+        _reSealValue(macCurrent, oldKeys, newKeys));
     }
   }
 
@@ -830,7 +845,7 @@ async function rotate(opts) {
     try { plainBytes = bCrypto.decryptPacked(packed, dbKey, dbEncAad); }
     catch (_eAad) { plainBytes = bCrypto.decryptPacked(packed, dbKey); }
     var tmpDbPath = nodePath.join(stagingDir, "_blamejs_rotate.tmp.db");
-    nodeFs.writeFileSync(tmpDbPath, plainBytes, { mode: 0o600 });
+    _writeStagedFileExclusive(tmpDbPath, plainBytes);
 
     var db = new DatabaseSync(tmpDbPath);
     try {
@@ -893,25 +908,23 @@ async function rotate(opts) {
     try { nodeFs.unlinkSync(tmpDbPath + "-shm"); }
     catch (e) { rotateLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: tmpDbPath + "-shm", error: e.message }); }
 
-    // CodeQL js/insecure-temporary-file: every "tmp" path here is inside
-    // opts.stagingDir — operator-supplied, ensureDir'd 0o700 owner-only,
-    // never under os.tmpdir(). The filenames are framework-internal
-    // markers (`_blamejs_rotate.tmp.db`, `_blamejs_verify.tmp.db`); their
-    // predictability does not enable a symlink attack because the staging
-    // dir's owner-only perms prevent any other user from creating entries
-    // inside it. Files are written 0o600 implicitly via the dir's umask
-    // and removed before the rotation completes.
+    // Every staged path lives inside opts.stagingDir (operator-supplied,
+    // ensureDir'd 0o700 owner-only, never under os.tmpdir()) and carries a
+    // framework-internal marker name. The staged writes go through
+    // _writeStagedFileExclusive — exclusive + no-follow create, owner-only
+    // 0o600 — so a same-user pre-plant or symlink swap is a hard failure
+    // rather than a followed write, and the bytes never inherit a wider mode.
     var rotatedBytes = nodeFs.readFileSync(tmpDbPath);
     // Re-encrypt under the SAME dataDir AAD so db.init's AAD-first open
     // succeeds after the staged dir is swapped over dataDir in place.
-    nodeFs.writeFileSync(nodePath.join(stagingDir, paths.encryptedDb),
+    _writeStagedFileExclusive(nodePath.join(stagingDir, paths.encryptedDb),
       bCrypto.encryptPacked(rotatedBytes, dbKey, dbEncAad));
     nodeFs.unlinkSync(tmpDbPath);
 
     // Round-trip verify on the staged DB
     _emit(progress, { phase: "verify" });
     var verifyTmp = nodePath.join(stagingDir, "_blamejs_verify.tmp.db");
-    nodeFs.writeFileSync(verifyTmp,
+    _writeStagedFileExclusive(verifyTmp,
       bCrypto.decryptPacked(nodeFs.readFileSync(nodePath.join(stagingDir, paths.encryptedDb)), dbKey, dbEncAad));
     var vdb = new DatabaseSync(verifyTmp);
     try {
@@ -934,19 +947,26 @@ async function rotate(opts) {
     }
   }
 
-  // 5. fsync staging for durability before caller does the swap
+  // 5. fsync staging directory entries for durability before the caller swaps.
+  // Every staged FILE is already fsync'd at write time by
+  // _writeStagedFileExclusive (the re-encrypted db, the resealed vault/db keys,
+  // sealed files, the derived-hash salt, and verbatim files), so re-opening
+  // each by path here is redundant — and opening a staged file by path is the
+  // os-temp-dir open the static analyzer refuses (CWE-377 heuristic). Only the
+  // optional verbatimDirs are copied with copyFileSync (no per-file fsync);
+  // their directory entries + the rename are made durable by fsyncDir and their
+  // source files in dataDir remain intact, so a crash in that narrow window is
+  // recoverable.
   _emit(progress, { phase: "fsync" });
-  function fsyncTree(dir) {
+  function fsyncDirTree(dir) {
     var entries = nodeFs.readdirSync(dir);
     for (var i = 0; i < entries.length; i++) {
       var p = nodePath.join(dir, entries[i]);
-      var st = nodeFs.statSync(p);
-      if (st.isFile()) _fsyncFileByPath(p);
-      else if (st.isDirectory()) fsyncTree(p);
+      if (nodeFs.statSync(p).isDirectory()) fsyncDirTree(p);
     }
     atomicFile.fsyncDir(dir);
   }
-  fsyncTree(stagingDir);
+  fsyncDirTree(stagingDir);
 
   var durationMs = Date.now() - startedAt;
   _emit(progress, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.25",
+  "version": "0.14.26",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:a667e112-0ef6-4c72-b5b8-839233b6e4a6",
+  "serialNumber": "urn:uuid:e0214cf9-5d77-475a-af9a-e3cedff9f6d7",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-06T17:19:53.413Z",
+    "timestamp": "2026-06-06T21:14:16.419Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.25",
+      "bom-ref": "@blamejs/core@0.14.26",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.25",
+      "version": "0.14.26",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.25",
+      "purl": "pkg:npm/%40blamejs/core@0.14.26",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.25",
+      "ref": "@blamejs/core@0.14.26",
       "dependsOn": []
     }
   ]