@blamejs/core 0.14.26 → 0.15.0

package/CHANGELOG.md

@@ -6,8 +6,14 @@ Pre-1.0 the surface is intentionally evolving — every release may
 change something operators depend on. Read each entry before
 upgrading across more than a few patches at a time.
 
+## v0.15.x
+
+- v0.15.0 (2026-06-08) — **A chainable SQL builder, MySQL as a first-class data backend, and a keyed lookup-hash default — the data layer goes tri-dialect.** This release makes the framework's data layer dialect-portable. `b.sql` is a new chainable query builder that quotes every identifier by construction, binds every value as a placeholder, and emits dialect-correct SQL for SQLite, Postgres, and MySQL; `b.guardSql` validates result rows against NUL bytes, quote-jump sequences, and per-column / total size boundaries. The entire framework data layer — the signed audit chain, cluster leadership and fencing, sessions, break-glass, the local queue, cache, scheduler, migrations, consent, and mail storage — is rebuilt on `b.sql`, which makes MySQL a supported external-database backend alongside Postgres and SQLite. Running the data layer on a real Postgres server surfaced two latent correctness bugs that only a non-SQLite backend exposes: identifiers were emitted unquoted at DDL time but read back camelCase (Postgres folds unquoted names to lowercase, silently breaking the audit chain, consent chain, cluster fencing, and vault-key consistency), and sealed columns coerced Buffer / object payloads through `String()` before encryption (corrupting non-string ciphertext); both are fixed by quoting every identifier and coercing per the column's declared type. Derived-hash columns — the blind-index lookup columns registered through `registerTable` — now default to a keyed MAC (SHAKE256 under the vault's per-deployment MAC key) instead of an unkeyed salted hash, so an exfiltrated database can no longer be brute-forced or rainbow-tabled to recover the indexed values; existing salted-hash indexes are read through a dual-read path and migrated forward, so the change is non-breaking. Audit-signing key rotation now preserves every historical checkpoint (rotation previously stranded checkpoints signed under the prior key). New cross-border data-residency postures (appi-jp, pdpa-sg, uk-gdpr) enforce a mandatory storage vacuum after erasure. Outbound TLS appends classical X25519 to its key-exchange preference so it can complete a handshake with a peer that advertises no post-quantum hybrid — previously the hybrids-only preference failed those handshakes outright — and emits a `tls.classical_downgrade` audit event whenever a connection lands on a classical group. Outbound HTTP/2 negotiation falls back to HTTP/1.1 against servers that only speak h1, the network heartbeat honors a target's permitted protocols instead of pinning cleartext targets down, a WebSocket connection closes cleanly on a peer's TCP half-close instead of wedging open, and the Azure blob backend encodes object-key path segments correctly. **Added:** *b.sql — a dialect-aware chainable SQL builder* — `b.sql` composes SELECT / INSERT / UPDATE / UPSERT / DELETE / DDL from a fluent chain. Every identifier is validated and quoted by construction (`"name"` on SQLite/Postgres, `` `name` `` on MySQL), every value binds as a placeholder rather than interpolating, and the emitted statement is validated as a single balanced, single-statement query before it leaves the builder. Pass `{ dialect: "postgres" | "mysql" | "sqlite" }` (default SQLite) to target a backend; `upsert` emits the dialect-final conflict syntax. It composes `b.safeSql` for the identifier and placeholder primitives, so a SQL string can no longer be assembled by hand inside the framework. · *b.guardSql — result-row output validation* — `b.guardSql` gates query result rows against embedded NUL bytes, quote-jump sequences, and configurable per-column and total-size boundaries, with the standard guard profiles (strict / balanced / permissive) and compliance postures (hipaa / pci-dss / gdpr / soc2). It is the output-side complement to the input-side `b.safeSql`. · *MySQL is a first-class data backend* — MySQL joins Postgres and SQLite as a supported external-database backend. The framework's schema reconciler emits MySQL DDL, and the full data layer — signed audit chain (append + verify), cluster leadership and lease fencing, sessions, break-glass, the local queue, cache, scheduler, migrations, and consent — runs against a real MySQL server. Select the backend at `b.cluster.init` / `b.externalDb` configuration via the `dialect` option; `b.clusterStorage.dialect()` exposes the configured backend dialect to composing code. · *Cross-border erasure postures: appi-jp, pdpa-sg, uk-gdpr* — Three data-residency compliance postures are added (Japan APPI, Singapore PDPA, UK GDPR). Each requires a mandatory storage vacuum after erasure (so deleted rows are reclaimed from the page store, not just tombstoned), a signed audit chain, encrypted backups, and a minimum TLS version. Pin one with `b.compliance.set`. **Fixed:** *Cross-border erasure performs the mandatory vacuum* — Erasure under the uk-gdpr, appi-jp, and pdpa-sg residency postures now runs the storage vacuum the posture mandates, reclaiming erased rows from the page store rather than leaving them recoverable as free-list tombstones. **Security:** *Lookup-hash columns default to a keyed MAC* — Derived-hash (blind-index) columns registered through `registerTable` now default to `derivedHashMode: "hmac-shake256"` — SHAKE256 keyed with the vault's per-deployment MAC key — instead of the previous unkeyed `salted-sha3`. The index value is no longer recomputable from the indexed plaintext alone, so an attacker who exfiltrates the database cannot brute-force or rainbow-table a lookup column (for example a subject-email index) without also holding the vault MAC key (CWE-916 / CWE-759). Existing `salted-sha3` indexes are read through a dual-read path and re-derived on write, so deployments upgrade without re-indexing up front. · *Postgres identifier casing no longer breaks the audit and cluster chains* — Identifiers were written unquoted in DDL but read back in camelCase. On Postgres (which folds an unquoted identifier to lowercase) this silently desynchronized the signed audit chain, the consent chain, cluster leadership and fencing, and vault-key consistency — each reads a column the server had stored under a lowercased name. Every framework identifier is now quoted at both DDL and query time so the stored and read names match on every dialect (CWE-670). SQLite deployments were unaffected and remain byte-compatible. · *Sealed columns preserve non-string payloads* — A sealed column coerced its value through `String()` before encryption, corrupting Buffer and object payloads (a Buffer became `"[object Object]"`-class garbage, an object its `toString`). Sealed values are now encoded per the column's declared type before the seal, so binary and structured payloads round-trip intact (CWE-704). · *Audit-signing key rotation preserves historical checkpoints* — Rotating the audit-signing key stranded every checkpoint signed under the prior key — `verifyCheckpoints` ignored the per-fingerprint history file the rotation writes, so post-rotation verification failed on otherwise-valid historical checkpoints. Verification now resolves each checkpoint's signing key by fingerprint (`getPublicKeyByFingerprint`) across the rotation history, so the full chain verifies after a key rotation. · *Outbound TLS reaches classical-only peers and audits the downgrade* — The framework's outbound TLS offered only ML-KEM hybrid key-exchange groups, so a handshake with a peer that does not advertise a post-quantum hybrid — most of today's internet — failed outright (`handshake_failure`), leaving outbound connections to webhooks, OAuth providers, ACME directories, object stores, and DoT/DoH/SMTP/Redis-over-TLS unable to complete. Classical X25519 is now appended to the group preference so the hybrid is still negotiated whenever the peer supports it, and the connection completes over classical X25519 when it does not. Every connection that lands on a classical group rather than the post-quantum hybrid emits a `tls.classical_downgrade` audit event (carrying the negotiated group) so operators can observe and alert on which peers are not yet post-quantum-capable. · *Transport reachability and correctness* — Outbound HTTP/2 negotiation now falls back to HTTP/1.1 when a TLS server offers only h1 (an ALPN protocol_version alert no longer fails the request). The network heartbeat honors a target's permitted protocols instead of dropping non-default ones, so a cleartext `http://` health target is no longer reported permanently down. A WebSocket connection closes cleanly when a peer half-closes its TCP socket (a bare FIN) instead of wedging the connection open. The Azure blob backend percent-encodes each object-key path segment, so a key containing reserved characters can no longer corrupt the request URL. **Migration:** *Derived-hash default change is non-breaking; MySQL is opt-in* — Lookup-hash columns default to the keyed MAC on new writes and migrate existing rows on access through the dual-read path — no upfront re-indexing, no operator action required. To pin the previous unkeyed index (for example to keep a column byte-compatible with an external system), pass `derivedHashMode: "salted-sha3"` to `registerTable`. MySQL as a data backend is opt-in: existing SQLite and Postgres deployments are unchanged unless you set `dialect: "mysql"`. The Postgres identifier-casing and sealed-column-coercion fixes change the emitted DDL and the at-rest encoding of non-string sealed values; a Postgres deployment created before this release reconciles its schema to the quoted identifiers on the next schema-ensure pass.
+
 ## v0.14.x
 
+- v0.14.27 (2026-06-06) — **Security-hardening sweep: exclusive temp creation, request path confinement, prototype-safe parsing, cross-tenant authentication, telemetry and error redaction, and posture enforcement floors.** A broad security-hardening release closing classes of bug across the request, storage, identity, and data-governance surfaces. Files that stage data before an atomic rename (the atomic-write substrate, the HTTP client's downloads, the static file server's cache) now create those files exclusively and refuse to follow a symlink, so a same-user pre-planted file or symlink can no longer be truncated or written through. The static file server re-confines every request-derived path to its served root at the filesystem call, and its content-safety read is anchored to a single no-follow descriptor. The request body parser, the WebSocket extension parser, and the cookie parser build their maps from key/value pairs instead of attacker-named computed writes, so a field named after an Object prototype member can neither pollute the prototype nor surface inherited members. The SSRF guard compares cloud-metadata addresses canonically; OIDC federation derives a subordinate's policy and keys from the superior-signed statement rather than self-published config; the JMAP listener rejects a cross-tenant account id with accountNotFound before dispatch; the agent event bus authenticates each envelope's tenant and posture with a vault-keyed MAC; and the audit query no longer under-logs concurrent reads. Telemetry attributes exported over OTLP and the 5xx error record written to the signed audit chain are now redacted, closing two egress paths that previously shipped secrets in plaintext. Regulated compliance postures enforce a minimum seal-envelope strength at table registration, warn when a pinned posture has no content-safety overlay or no outbound DLP wired, and expose region-tag normalization helpers. The local queue's Redis backend no longer wedges a caller on a failed connect or double-schedules reconnects, file uploads audit every content-safety skip, the Azure blob backend percent-encodes object keys, the XML parser rejects prototype-poisoning names, and router path-scoped middleware (`use(path, mw)`) works as documented instead of dropping the gate. **Security:** *Staged writes are created exclusively and refuse symlinks* — The atomic-write substrate (`b.atomicFile`), the HTTP client's download staging, and the static file server's pre-serve read now open files with `O_CREAT | O_EXCL | O_NOFOLLOW` at owner-only `0o600` (the vault-rotation pipeline adopted the same in v0.14.26). A pre-planted file or a symlink at a staging path is now a hard failure rather than a truncated or followed write (CWE-377 / CWE-379 / CWE-59). The temp+rename atomicity and download streaming semantics are unchanged. · *Static file server re-confines request paths and reads through one no-follow descriptor* — Every request-derived path is re-resolved under the served root and refused if it escapes (`startsWith(root + sep)`) at the filesystem call, not only upstream, and the content-safety gate reads size and bytes from a single `O_NOFOLLOW` descriptor so a final-component symlink swap between stat and read cannot redirect it (CWE-22 / CWE-367). Percent-encoded traversal, NUL bytes, and absolute/drive-letter paths are refused before any filesystem access. · *Body, WebSocket, and cookie parsers build maps without attacker-named writes* — The request body parser (Content-Type/Content-Disposition params, multipart headers and fields), the WebSocket `Sec-WebSocket-Extensions` parser, and the CSRF cookie parser now collect key/value pairs and materialize them via `Object.fromEntries` onto a null-prototype accumulator with prototype-poisoning keys dropped, instead of a request-keyed computed write. A field or parameter named `__proto__` / `constructor` / `prototype` can no longer pollute the prototype or surface inherited members (CWE-915 / CWE-1321). Parsed object shapes are unchanged for all legitimate input. · *Prototype-safe XML parsing* — `b.safeXml` builds its element, attribute, and grouping accumulators with `Object.create(null)` and rejects element/attribute names `__proto__` / `constructor` / `prototype` with `xml/forbidden-name` (CWE-1321), matching the TOML/YAML/INI parsers. The returned tree has a null prototype; consumers using bracket/dot access, `Object.keys`, or `JSON.stringify` are unaffected. · *SSRF guard compares cloud-metadata addresses canonically* — The SSRF guard now canonicalizes addresses before comparing against the cloud metadata endpoints, so a non-canonical encoding of a link-local / metadata address can no longer slip past the block to reach an instance metadata service (CWE-918). · *OIDC federation trusts the superior-signed statement, not self-config* — A subordinate entity's `metadata_policy` is now read from the superior's signed entity statement, and trust-chain building verifies each subordinate against attested keys in a two-phase walk rather than the subordinate's self-published JWKS, closing a trust-substitution gap (RFC 9068 / OpenID Federation). A subordinate that publishes no attested keys is refused. · *Cross-tenant authentication on the JMAP listener and agent event bus* — The JMAP listener rejects a client-supplied `accountId` outside the actor's permitted set with `accountNotFound` before any method or blob handler runs (RFC 8620 §3.6.1). The agent event bus authenticates each envelope's tenant id and posture with a vault-keyed HMAC and drops a forged or tampered envelope before routing. The audit query no longer suppresses its own `audit.read` self-log under concurrency, so concurrent reads are each recorded (PCI-DSS 10.2). · *Telemetry and error records are redacted before egress* — Span and metric attributes exported over OTLP now pass through a redactor (`b.observability.setRedactor`, defaulting to `b.redact`) before leaving the process, and the 5xx error record written to the durable, signed audit chain now uses the redacting `audit.safeEmit` rather than the raw `audit.emit` — closing two egress paths that previously shipped a secret embedded in a span attribute or an exception message/stack in plaintext (CWE-532). The error response itself is byte-identical. · *Regulated postures enforce a seal-envelope floor* — Compliance postures now carry a `sealEnvelopeFloor`; `hipaa` and `pci-dss` require at least AEAD additional-data binding. Registering a table that seals columns under a weaker envelope while such a posture is pinned is refused at configuration time, so a regulated deployment can no longer register a copy-paste-vulnerable plain-sealed table (CWE-311 / CWE-326; 45 CFR 164.312, PCI-DSS v4 Req. 3.5). · *Redis backend connect/reconnect robustness* — The local queue's Redis backend always settles its connect promise (resolve on ready, reject on error/timeout) so a caller can no longer wedge on a failed connect, schedules at most one reconnect per failure (a lost socket fires both error and close), and gives up idempotently — fixing a caller hang and a reconnect storm on a flapping backend (CWE-833 / CWE-400). · *File-upload skip auditing and Azure object-key encoding* — Every content-safety skip path in `b.fileUpload` now emits a `content_safety_skipped` audit naming why the scan was bypassed (opt-out / no gate for the extension / over the reassembly cap), so an unscanned upload is visible in the audit log (CWE-778). The Azure blob backend percent-encodes each object-key path segment before URL interpolation, so a key containing `?` / `#` / spaces can no longer corrupt the request or escape its container path (CWE-20). · *Router path-scoped middleware works as documented* — `router.use(pathPrefix, middleware)` — documented across the security middleware but previously unimplemented (the path string was pushed as the middleware, 500-ing every request, or the gate silently never ran) — now mounts the middleware scoped to a segment-boundary path prefix, preserving registration order and refusing a non-string prefix or non-function middleware at configuration time (CWE-670). **Detectors:** *Recurrence guards for the fixed shapes* — The pattern catalog gains detectors for the exclusive-temp-create (atomic-file, http-client, static), request-path confinement (static serve + gate), request-keyed map writes (body-parser, WebSocket), prototype-safe XML accumulators, Azure object-key encoding, file-upload skip auditing, OTLP attribute redaction, JMAP account gating, the seal-envelope floor, and the router path-scoped mount. The data-flow and timing shapes (SSRF canonicalization, federation trust-chain, audit self-log concurrency, event-bus envelope MAC, Redis reconnect scheduling, error-record redaction, posture-overlay warnings) are guarded by request-driven tests where a precise regex would false-positive. **Migration:** *Behavior changes to review* — Several hardening changes alter behavior, all fail-closed: (1) the agent event bus now requires a shared vault to authenticate envelopes and refuses to publish/deliver without one — single-process callers without a vault must pass `requireMac: false`; (2) OIDC federation subordinates must publish attested keys (a subordinate relying on self-published JWKS is refused); (3) `b.safeXml` throws `xml/forbidden-name` on element/attribute names `__proto__`/`constructor`/`prototype`; (4) registering a table that seals columns below the pinned regulated posture's seal-envelope floor throws at configuration time — add `{ aad: true }` or a per-row key; (5) OTLP telemetry attributes are now redacted by default — install a domain redactor via `b.observability.setRedactor` if you need different handling (it cannot be disabled outright); (6) `router.use(path, mw)` now path-scopes instead of applying globally or 500-ing. New advisory audit rows appear when a pinned posture has no content-safety overlay or no outbound DLP wired; `b.compliance.set` does not auto-install outbound DLP (call `b.redact.installForPosture` with your client/mail/webhook handles).
+
 - v0.14.26 (2026-06-06) — **Break-glass IP and session pins fail closed, DSR ticket PII is sealed and erasable, and queue jobs are sealed at rest from the first write.** Break-glass grant pins (`pinIp` / `sessionPin`, documented default-ON) were enforced only when the grant had captured a binding at mint time; a grant minted without an IP or session was redeemable from anywhere, so the pin failed open exactly when it mattered. Pins now fail closed: a grant carrying no binding is refused at redemption, and the redeeming client IP falls back to `req.ip` when not threaded explicitly. The Data Subject Request ticket store kept the subject's identifiers and the raw request body in plaintext, so an erasure request could not destroy the very PII it was processing; those columns are now sealed under the vault with `(table, rowId)` additional-data binding, erasure purges the ticket on completion, and an in-place schema upgrade seals existing stores. Queue jobs were sealed at rest only after a table had been registered, which did not happen until the first explicit registration — the queue now self-registers its job table on `init`, so jobs are sealed from the first write. Rounding out the bundle: the OAuth back-channel-logout `logout_token` is parsed under a byte ceiling, the SD-JWT-VC holder key-binding JWT signs with an algorithm asserted against the holder key's type (an RSA or OKP holder no longer mints a self-invalid token), and a pushed authorization request carrying a signed request object emits `authorization_details` as a native array. **Security:** *Break-glass IP and session pins fail closed* — `b.breakGlass` grants document `pinIp` and `sessionPin` as default-ON, and grant minting captures the issuing IP and session at that time. Redemption now refuses a grant whose binding was never captured (`pinIp` on but no IP recorded, or `sessionPin` on but no session) instead of treating the absent binding as 'nothing to check' and allowing the redemption from any origin. The redeeming client IP is resolved from the redemption request and falls back to `req.ip` when the caller does not thread an explicit address. The one-time-code replay floor is keyed per `(actor, secret)` so a code consumed under one actor cannot be replayed under another, and the accepted TOTP step is reserved atomically as part of acceptance, so two concurrent grants presenting the same in-window code cannot both pass. · *DSR ticket store seals subject identifiers and request payload, and erasure purges the ticket* — `b.dsr` with the database-backed ticket store now seals the data subject's identifiers and the raw request payload via `b.cryptoField.registerTable` with `(table, rowId)` additional-data binding, so the PII a request processes is encrypted at rest and is destroyed when the ticket's row key is shredded. An erasure request purges its own ticket on completion rather than leaving the subject's identifiers behind. Existing ticket stores are upgraded in place on the next `init` — sealed columns are added via `ALTER TABLE ADD COLUMN` and the legacy `payload NOT NULL` constraint relaxes to `DEFAULT ''` so the add succeeds without data loss. Wrapped ticket keys are re-sealed under the new root on vault keypair rotation (`b.dsr.reseal`), so rotation does not strand tickets. Rows written before the upgrade (plaintext subject, no lookup hash) are backfilled on the next `init` — their hashes are computed and their subject columns sealed — so a subject lookup still finds them and an erasure request can purge them. · *Queue jobs are sealed at rest from the first write* — The local queue backend self-registers its job table for sealing on `init` rather than on first explicit registration, so a job persisted before any other code touched the seal table is encrypted at rest instead of written in plaintext. `b.cryptoField.sealRow` is a silent no-op against an unregistered table; the self-register on `init` closes that fail-open window for the queue's own rows. · *OAuth back-channel logout is bounded; SD-JWT-VC holder binding matches the holder key type* — The OAuth back-channel-logout endpoint parses the `logout_token` under an explicit byte ceiling, so an unauthenticated caller cannot exhaust memory with an oversized body. The SD-JWT-VC holder key-binding JWT now signs with an algorithm asserted against the holder key's type, so a holder presenting an RSA or OKP key no longer mints a key-binding JWT that fails its own verification. A pushed authorization request (PAR) that carries a signed request object emits `authorization_details` as a native JSON array per RFC 9396, not a JSON-encoded string. · *Vault keypair rotation writes its staging files with exclusive, no-follow create* — Every file the rotation pipeline writes into its staging directory — the re-encrypted database, the resealed vault and database keys, additional sealed files, the derived-hash material, and the transient plaintext database — is now created with exclusive, symlink-refusing semantics (`O_CREAT | O_EXCL | O_NOFOLLOW`, owner-only `0o600`), and the fsync-by-path step refuses to follow a symlink. A same-user pre-planted file or symlink swap in the staging directory is now a hard failure rather than a followed write, closing a local tamper window during rotation (CWE-377 / CWE-379 / CWE-59) on top of the directory's existing `0o700` owner-only permissions. **Detectors:** *break-glass-pin-fails-open-on-null-binding* — The pattern catalog refuses a break-glass pin comparison guarded by a `grantRow.ip != null &&` (or `sessionId`) short-circuit — a guard that skips enforcement when the captured binding is absent, which is precisely the fail-open. Pin enforcement must refuse a grant with no captured binding, not wave it through. · *dsr-ticket-store-pii-must-be-sealed* — The catalog requires the DSR database ticket store to register its seal table, so the subject identifiers and request payload it holds cannot regress to plaintext-at-rest and remain un-erasable. The queue self-register, the bounded logout parse, and the holder key-type parity are covered by their expanded request-driven tests and the existing fixed-classical-algorithm-default guard. **Migration:** *Break-glass grants now require a resolvable binding to redeem under default pins* — With `pinIp` left at its default (on), a grant is now refused at redemption unless the issuing IP was captured and the redeeming client IP can be resolved. In-tree redemption paths thread the request and resolve the IP automatically. If your redemption path does not surface a client address and you do not intend to bind to IP, set `pinIp: false` (and `sessionPin: false`) explicitly on the grant; the previous behavior silently accepted such grants from any origin. · *DSR ticket stores are sealed in place on next init* — An existing database-backed DSR ticket store gains sealed columns via `ALTER TABLE ADD COLUMN` on the next `init`, and the legacy `payload NOT NULL` constraint relaxes to `DEFAULT ''` to permit the in-place add. No data is lost; tickets written before the upgrade remain readable and become sealed as they are rewritten.
 
 - v0.14.25 (2026-06-06) — **Per-row crypto-shred is real and AAD-bound, and the idempotency fingerprint key is sealed at rest.** The per-row encryption-key feature that backs `b.subject.eraseHard` crypto-shred was both non-functional and, as documented, unsound: the per-row key (`K_row`) was derived deterministically from a salt that is stored in plaintext in the data directory, so an actor with disk access could re-derive it and decrypt 'shredded' residual ciphertext (WAL / replica / backup) — and the key was never actually materialized on insert, so no table ever used it. Per-row keys are now derived from a fresh 32-byte CSPRNG secret stored only in `_blamejs_per_row_keys`, wrapped under the vault with AEAD additional-data binding `(table, rowId)`, and materialized on insert for tables that declare them; destroying the wrapped secret now genuinely renders the row's residual ciphertext undecryptable. The same plaintext-salt class is fixed for the idempotency request-fingerprint HMAC, which now seeds off the sealed-at-rest `vault.getDerivedHashMacKey()`. There is no migration: the per-row-key table was empty in every deployment, so keyed tables are correct from their first write. **Security:** *Per-row crypto-shred: random secret, AAD-bound wrap, materialized on insert* — `b.cryptoField.declarePerRowKey` tables now get a per-row key derived from a fresh `b.crypto.generateBytes(32)` secret — never from the plaintext per-deployment salt — so the key has no input recomputable from disk. The secret is stored in `_blamejs_per_row_keys` wrapped via `b.vault.aad.seal` with additional-data bound to `(table, rowId)`, so a wrapped key copied onto another row fails its Poly1305 tag. Sealed columns are encrypted under the per-row key and tagged with a `vault.row:` envelope (`b.cryptoField.isRowSealed`); the residency-tag column is never key-sealed so the write-boundary residency gate can still read it. The key is materialized on insert (it previously never was) and re-derived once per read; `b.subject.eraseHard` and the retention sweep destroy the wrapped secret, after which the row's residual ciphertext reads as absent and cannot be recovered even if the vault root is later compromised. Wrapped keys are re-sealed under the new root on vault keypair rotation, so rotation does not strand keyed rows. · *Idempotency request-fingerprint HMAC seeds off the sealed MAC key* — The `fingerprintSeal` HMAC over the request fingerprint was keyed from the plaintext per-deployment salt, so a disk-access actor could recompute the key and brute-force the low-entropy preimage (method + URL + body) offline. It now seeds off `b.vault.getDerivedHashMacKey()`, which is sealed at rest. Fingerprints cached before the upgrade no longer match, so a replayed request re-executes once (the safe direction). **Detectors:** *kdf-key-from-plaintext-derived-hash-salt* — The pattern catalog refuses a key-derivation (`kdf(... getDerivedHashSalt() ...)`) that seeds a per-row shred key or a vault-secret-promising keyed-MAC off the plaintext-on-disk derived-hash salt. Such a key is re-derivable by anyone with the data directory, defeating the shred / secrecy it advertises; the correct sources are a CSPRNG secret or the sealed `getDerivedHashMacKey()`. The deterministic salted-SHA3 equality index is a distinct shape and is unaffected. **Migration:** *No action required* — No data migration: the per-row-key table was empty in every deployment, so tables that declare per-row keys are correct from their first write going forward. The only observable change is that the first request after upgrade matching a pre-upgrade idempotency fingerprint re-executes once.

package/README.md

@@ -64,7 +64,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Chainable query builder** — atomic `.increment(col, delta)`, closure-form `.whereGroup` / top-level `.orWhere` OR composition, `.search(fields, term)` LIKE-OR with safe `%`/`_` ESCAPE handling, `.paginate(opts)` returning `{ items, total, page, totalPages }`; a column-membership gate (`db.init({ columnGate })`, default reject) fails a query closed when it names a column the table never declared, and `whereRaw` refuses an embedded string literal so values bind through placeholders
 - **Mongo-style document-store facade** — `b.db.collection(name, opts?)` with `$set` / `$inc` / `$unset` / `$eq` / `$ne` / `$gt` / `$gte` / `$lt` / `$lte` / `$in` / `$like`; schemaless-document opts via `overflow: "<col>"` (folds unknown fields into a JSON-text column; rewrites `WHERE` on virtual fields to `JSON_EXTRACT`), `jsonColumns: [...]` (auto-stringify on write + parse via `b.safeJson` on read), `sealedFields: { email: "emailHash" }` (co-locates a `b.cryptoField` sealed-column / derived-hash declaration so plaintext lookups auto-rewrite to hash-column lookups)
 - **DB lifecycle** — in-memory encrypted snapshot via `b.db.snapshot()`; standalone encrypted-DB-file lifecycle (`b.db.fileLifecycle({ dataDir, vault })` — decrypt-to-tmpfs, periodic re-encrypt flush, graceful shutdown — same envelope as `b.db`, no schema/audit-chain coupling); `db.init` opt-outs `frameworkTables: false` / `auditSigning: false` and path overrides `encryptedDbPath` / `encryptedDbName` / `dbKeyPath`
-- **External RDBMS** — bring-your-own Postgres / MySQL with pool tuning + role-aware connect + read-replica routing (`b.externalDb`); declarative role-narrowed views and Postgres row-level-security migrations (`b.db.declareView`, `b.db.declareRowPolicy`); an opt-in `requireTls` transport posture refuses a non-TLS backend at boot, and query / transaction / read traces carry OpenTelemetry `db.*` attributes
+- **External RDBMS** — bring-your-own Postgres / MySQL with pool tuning + role-aware connect + read-replica routing (`b.externalDb`); declarative role-narrowed views and Postgres row-level-security migrations (`b.db.declareView`, `b.db.declareRowPolicy`); an opt-in `requireTls` transport posture refuses a non-TLS backend at boot, and query / transaction / read traces carry OpenTelemetry `db.*` attributes. The framework's own data layer — the signed audit chain, cluster leadership and lease fencing, sessions, break-glass, and the local queue / cache / scheduler — is composed through the dialect-aware `b.sql` builder (every identifier quoted by construction, every value bound as a placeholder, dialect-correct SQLite / Postgres / MySQL output), so the framework's tables run on a Postgres or MySQL backend, not only local SQLite; `b.guardSql` validates result rows against NUL bytes, quote-jump sequences, and per-column / total-size boundaries
 - **Object store** — S3 / R2 / B2 / GCS / Azure with multipart upload + SSE + bucket-ops (create / delete / list / lifecycle / CORS); S3 Object Lock + per-object retention + legal hold for write-once-read-many compliance workloads (`b.storage`, `b.objectStore`)
 - **Queues + cache** — durable queue with priority + cron + flows on local SQLite, shared Redis, OR AWS SQS via SigV4 + AWSJsonProtocol_1.0 (`b.queue`, `b.jobs`) — the local backend can target an operator-supplied database / table / schema; cluster-shared cache (`b.cache`)
 ### Identity & access
@@ -97,7 +97,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 
 - **At-rest envelope** — envelope-versioned PQC (ML-KEM-1024 + P-384 hybrid, XChaCha20-Poly1305, SHAKE256); vault sealing (`b.crypto`, `b.vault`)
 - **Power-on self-test** — `b.crypto.selfTest()` runs FIPS 140-3-style integrity checks: NIST FIPS 202 known-answer tests (SHA3-256/512, SHAKE256), AEAD round-trip + tamper-detect, and ML-KEM-1024 / ML-DSA-87 / SLH-DSA-SHAKE-256f pairwise-consistency + negative tests; fails closed (throws) on any mismatch
-- **Field-level + crypto-shred** — `b.cryptoField.eraseRow`; per-column and per-row data residency tagging enforced at the write boundary (cross-border DML refused under GDPR / UK-GDPR / DPDP / PIPL / LGPD / APPI / PDPA postures) + per-row keys (`K_row = HKDF(K_table, rowId)`) so erasing the per-row key makes WAL / replica residuals undecryptable (`b.cryptoField.declareColumnResidency`, `b.cryptoField.declarePerRowResidency`, `b.cryptoField.declarePerRowKey`)
+- **Field-level + crypto-shred** — `b.cryptoField.eraseRow`; per-column and per-row data residency tagging enforced at the write boundary (cross-border DML refused under GDPR / UK-GDPR / DPDP / PIPL / LGPD / APPI / PDPA postures) + per-row keys (each row's key derives from a CSPRNG row-secret sealed under the vault root, never from an on-disk value) so destroying a row's wrapped secret leaves its WAL / replica / backup residual ciphertext undecryptable even with the vault root key (`b.cryptoField.declareColumnResidency`, `b.cryptoField.declarePerRowResidency`, `b.cryptoField.declarePerRowKey`)
 - **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`). The database encryption key is sealed the same way — bound to its purpose, data directory, and key path — so a relocated key file fails to unseal; an older unbound key upgrades itself on first load. A vault-key rotation re-seals every AAD-bound cell, the database key, and tenant archives under the new keypair and refuses rather than silently orphaning a store it cannot reach (`b.vaultRotate`, `b.vault.aad.resealRoot`, `b.archive.rewrapTenant`)
 - **Keyed lookup hashes** — sealed-column equality-lookup hashes default to salted SHA3-512 and can opt into a keyed `hmac-shake256` MAC off a per-deployment key (`cryptoField.registerTable({ derivedHashMode })`, `b.vault.getDerivedHashMacKey`), making the lookup hash unforgeable and un-correlatable across deployments
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)

package/index.js

@@ -120,6 +120,7 @@ var clusterStorage = require("./lib/cluster-storage");
 var safeAsync = require("./lib/safe-async");
 var handlers = require("./lib/handlers");
 var safeSql = require("./lib/safe-sql");
+var sql = require("./lib/sql");
 var chainWriter = require("./lib/chain-writer");
 var safeBuffer = require("./lib/safe-buffer");
 var safeDecompress = require("./lib/safe-decompress").safeDecompress;
@@ -181,6 +182,7 @@ var guardSvg = require("./lib/guard-svg");
 var guardFilename = require("./lib/guard-filename");
 var guardMessageId = require("./lib/guard-message-id");
 var guardSmtpCommand = require("./lib/guard-smtp-command");
+var guardSql = require("./lib/guard-sql");
 var guardImapCommand = require("./lib/guard-imap-command");
 var guardPop3Command = require("./lib/guard-pop3-command");
 var guardManageSieveCommand = require("./lib/guard-managesieve-command");
@@ -520,6 +522,7 @@ module.exports = {
   safeAsync:        safeAsync,
   handlers:         handlers,
   safeSql:          safeSql,
+  sql:              sql,
   chainWriter:      chainWriter,
   safeBuffer:       safeBuffer,
   safeDecompress:   safeDecompress,
@@ -569,6 +572,7 @@ module.exports = {
   guardFilename:    guardFilename,
   guardMessageId:   guardMessageId,
   guardSmtpCommand: guardSmtpCommand,
+  guardSql:         guardSql,
   guardImapCommand: guardImapCommand,
   guardPop3Command: guardPop3Command,
   guardManageSieveCommand: guardManageSieveCommand,

package/lib/agent-envelope-mac.js

@@ -0,0 +1,104 @@
+"use strict";
+/**
+ * b.agent._envelopeMac — internal shared keyed-MAC mechanism for
+ * authenticating agent cross-process envelopes (`b.agent.postureChain`
+ * delegation envelopes, `b.agent.eventBus` wire envelopes, and any
+ * future agent boundary that carries security-relevant fields over a
+ * shared transport).
+ *
+ * The threat is uniform across these boundaries: an attacker with write
+ * access to the shared transport (queue / pubsub) can forge or tamper an
+ * envelope's authority-bearing fields — posture set, tenant id, topic —
+ * because schema/shape validation alone proves nothing about
+ * authenticity. The defense is a keyed MAC (HMAC-SHA3-512) over the
+ * canonical bytes of exactly those fields, keyed off the vault master so
+ * an attacker without the vault key cannot forge it and a vault rotation
+ * invalidates every in-flight MAC.
+ *
+ * Each calling domain supplies a stable `label` (domain separation) and
+ * the canonical bytes of the fields it protects; the key derivation,
+ * HMAC construction, and constant-time comparison live here so there is
+ * a single mechanism to audit, not one per agent module.
+ *
+ * Internal — operator-facing surface is each primitive's envelope
+ * sign/verify behaviour; this is the implementation detail.
+ */
+
+var nodeCrypto = require("node:crypto");
+var lazyRequire = require("./lazy-require");
+var { defineClass } = require("./framework-error");
+var bCrypto = require("./crypto");
+
+var vault = lazyRequire(function () { return require("./vault"); });
+
+var AgentEnvelopeMacError = defineClass("AgentEnvelopeMacError", { alwaysPermanent: true });
+
+var ENVELOPE_MAC_KEY_BYTES = 32;                                                                        // HMAC-SHA3-512 keyed bytes
+
+// Per-label memoized keys — each domain-separation label derives its own
+// sub-key from the vault master so a MAC minted for one boundary can
+// never validate on another. Memoization is process-local; a vault
+// rotation implies an operator restart (which clears the cache).
+var _macKeyCache = Object.create(null);
+
+// Resolve (and memoize) the MAC sub-key for a domain-separation `label`,
+// derived from the vault master. Throws when the vault is not
+// initialized — there is no key to authenticate with, so callers MUST
+// treat that as fail-closed for any cross-tenant / authority decision
+// rather than proceeding unauthenticated.
+function resolveKey(label) {
+  if (typeof label !== "string" || label.length === 0) {
+    throw new AgentEnvelopeMacError("agent-envelope-mac/bad-label",
+      "resolveKey: label must be a non-empty string");
+  }
+  if (_macKeyCache[label]) return _macKeyCache[label];
+  var v;
+  try { v = vault(); } catch (_e) { v = null; }
+  if (!v || typeof v.getKeysJson !== "function") {
+    throw new AgentEnvelopeMacError("agent-envelope-mac/vault-not-initialized",
+      "envelope MAC: vault must be initialized before agent envelopes can be authenticated " +
+      "(operator wires b.vault.init() at boot)");
+  }
+  var keysJson;
+  try { keysJson = v.getKeysJson(); }
+  catch (e) {
+    throw new AgentEnvelopeMacError("agent-envelope-mac/vault-not-initialized",
+      "envelope MAC: vault.getKeysJson threw — " + (e && e.message ? e.message : String(e)));
+  }
+  var rootBytes = Buffer.from(bCrypto.sha3Hash(keysJson), "hex");
+  var input = Buffer.concat([
+    Buffer.from(label, "utf8"),
+    Buffer.from([0x00]),
+    rootBytes,
+  ]);
+  _macKeyCache[label] = bCrypto.kdf(input, ENVELOPE_MAC_KEY_BYTES);
+  return _macKeyCache[label];
+}
+
+// Compute the base64 HMAC-SHA3-512 of `canonicalBytes` under the
+// `label`'s vault-derived sub-key.
+function sign(label, canonicalBytes) {
+  var key = resolveKey(label);
+  return nodeCrypto.createHmac("sha3-512", key).update(canonicalBytes).digest().toString("base64");
+}
+
+// Constant-time verify that `mac` (base64) is the correct HMAC for
+// `canonicalBytes` under the `label`'s sub-key. Returns false for a
+// missing / malformed `mac`; propagates AgentEnvelopeMacError from
+// resolveKey when the vault is absent so the caller fails closed rather
+// than treating a missing key as a verification pass.
+function verify(label, canonicalBytes, mac) {
+  if (typeof mac !== "string" || mac.length === 0) return false;
+  var expected = sign(label, canonicalBytes);
+  return bCrypto.timingSafeEqual(mac, expected);
+}
+
+module.exports = {
+  resolveKey:             resolveKey,
+  sign:                   sign,
+  verify:                 verify,
+  AgentEnvelopeMacError:  AgentEnvelopeMacError,
+  ENVELOPE_MAC_KEY_BYTES: ENVELOPE_MAC_KEY_BYTES,
+  // Test-only — flush the memoized per-label MAC keys after a vault reset.
+  _resetForTest:          function () { _macKeyCache = Object.create(null); },
+};

package/lib/agent-event-bus.js

@@ -67,11 +67,25 @@ var { defineClass }       = require("./framework-error");
 var guardEventBusTopic    = require("./guard-event-bus-topic");
 var guardEventBusPayload  = require("./guard-event-bus-payload");
 var agentAudit            = require("./agent-audit");
+var envelopeMac           = require("./agent-envelope-mac");
+var safeJson              = require("./safe-json");
+var bCrypto               = require("./crypto");
 
 var audit                 = lazyRequire(function () { return require("./audit"); });
 
 var AgentEventBusError = defineClass("AgentEventBusError", { alwaysPermanent: true });
 
+// Wire-envelope authentication. An attacker with pubsub write access can
+// set _tenantId to a victim subscriber's tenant + a schema-valid payload
+// and forge a cross-tenant event; the tenant/posture/schema checks at the
+// consumer prove SHAPE, not authenticity. Defense is a keyed MAC over the
+// envelope's authority-bearing fields, minted at publish and verified at
+// the consumer BEFORE the tenant/schema checks. The key derivation +
+// HMAC live in the shared b.agent.envelopeMac mechanism (one keyed-MAC
+// mechanism for every agent boundary); this label domain-separates the
+// event-bus MAC from the posture-chain MAC.
+var ENVELOPE_MAC_LABEL = "blamejs.agent.eventBus/v1";
+
 /**
  * @primitive b.agent.eventBus.create
  * @signature b.agent.eventBus.create(opts)
@@ -88,6 +102,7 @@ var AgentEventBusError = defineClass("AgentEventBusError", { alwaysPermanent: tr
  *   pubsub:       { publish, subscribe, unsubscribe },   // required
  *   audit:        b.audit namespace,                      // optional
  *   permissions:  b.permissions instance,                  // optional
+ *   requireMac:   boolean,                                 // default: true — keyed-MAC envelope auth; false only for single-process unit tests with no vault
  *
  * @example
  *   var bus = b.agent.eventBus.create({ pubsub: myPubsub });
@@ -109,12 +124,18 @@ function create(opts) {
   var auditImpl   = opts.audit || audit();
   var permissions = opts.permissions || null;
   var topics      = new Map();
+  // Envelope MAC (M6): default ON. Only single-process unit tests with no
+  // vault should opt out. When off, the cross-tenant MAC gate is bypassed
+  // and that is audit-visible at publish + delivery; production /
+  // multi-process / queue-spanning deployments leave the default so a
+  // pubsub-write attacker can't forge a cross-tenant event.
+  var requireMac  = opts.requireMac !== false;
 
   return {
     registerTopic:   function (name, topicOpts)    { return _registerTopic(topics, name, topicOpts || {}, auditImpl); },
     unregisterTopic: function (name)               { return _unregisterTopic(topics, name, auditImpl); },
-    publish:         function (name, payload, pOpts) { return _publish(topics, opts.pubsub, name, payload, pOpts || {}, permissions, auditImpl); },
-    subscribe:       function (name, handler, sOpts) { return _subscribe(topics, opts.pubsub, name, handler, sOpts || {}, permissions, auditImpl); },
+    publish:         function (name, payload, pOpts) { return _publish(topics, opts.pubsub, name, payload, pOpts || {}, permissions, auditImpl, requireMac); },
+    subscribe:       function (name, handler, sOpts) { return _subscribe(topics, opts.pubsub, name, handler, sOpts || {}, permissions, auditImpl, requireMac); },
     listTopics:      function (args)                { return _listTopics(topics, args || {}, permissions); },
     AgentEventBusError: AgentEventBusError,
     guards: {
@@ -201,7 +222,30 @@ function _listTopics(topics, args, permissions) {
 
 // ---- Publish --------------------------------------------------------------
 
-async function _publish(topics, pubsub, name, payload, pOpts, permissions, auditImpl) {
+// Canonical bytes the MAC covers: _topic, _tenantId, _posture,
+// _publishedAt, and a hash of the payload (so the payload can't be
+// swapped without invalidating the MAC, without copying the whole
+// payload into the signed preimage). Field set matches the consumer's
+// authority decision inputs. Built as an ordered [key,value] tuple list
+// so the canonical preimage is stable regardless of source key order.
+function _macField(value, kind) {
+  if (kind === "string") return typeof value === "string" ? value : null;
+  if (kind === "number") return typeof value === "number" ? value : null;
+  return value === undefined ? null : value;   // pass-through (posture)
+}
+function _envelopeMacBytes(wrapped) {
+  var payloadForHash = wrapped.payload === undefined ? null : wrapped.payload;
+  var tuples = [
+    ["_topic",       _macField(wrapped._topic, "string")],
+    ["_tenantId",    _macField(wrapped._tenantId, "string")],
+    ["_posture",     _macField(wrapped._posture, "any")],
+    ["_publishedAt", _macField(wrapped._publishedAt, "number")],
+    ["payloadHash",  bCrypto.sha3Hash(safeJson.canonical(payloadForHash))],
+  ];
+  return Buffer.from(safeJson.canonical(tuples), "utf8");
+}
+
+async function _publish(topics, pubsub, name, payload, pOpts, permissions, auditImpl, requireMac) {
   guardEventBusTopic.validate(name);
   var entry = topics.get(name);
   if (!entry) {
@@ -256,6 +300,32 @@ async function _publish(topics, pubsub, name, payload, pOpts, permissions, audit
     _publishedAt: Date.now(),
     payload:      payload,
   };
+  // Authenticate the envelope's authority-bearing fields with a keyed MAC
+  // (M6). The consumer verifies this BEFORE the tenant/schema checks, so a
+  // pubsub-write attacker can't forge a cross-tenant event. If the vault
+  // isn't initialized there's no key to mint with — fail closed at publish
+  // (requireMac default) rather than emit an unauthenticatable envelope
+  // onto the bus. requireMac:false is the single-process unit-test escape
+  // hatch and is audit-visible.
+  try {
+    wrapped._mac = envelopeMac.sign(ENVELOPE_MAC_LABEL, _envelopeMacBytes(wrapped));
+  } catch (e) {
+    if (requireMac) {
+      _safeAudit(auditImpl, "agent.event_bus.publish_denied", pOpts.actor || null, {
+        topic: name, reason: "envelope-mac-unavailable",
+      });
+      throw new AgentEventBusError("agent-event-bus/envelope-mac-unavailable",
+        "publish: cannot authenticate the event envelope — " +
+        ((e && e.message) || String(e)) +
+        " (vault must be initialized so the bus MAC key is derivable, or " +
+        "set requireMac:false for single-process unit tests)");
+    }
+    // Escape hatch: no key + requireMac disabled → emit unauthenticated.
+    wrapped._mac = null;
+    _safeAudit(auditImpl, "agent.event_bus.mac_bypassed", pOpts.actor || null, {
+      topic: name, reason: "require-mac-disabled", phase: "publish",
+    });
+  }
   await pubsub.publish(name, wrapped);
   _safeAudit(auditImpl, "agent.event_bus.published", pOpts.actor, {
     topic: name, posture: entry.posture,
@@ -265,7 +335,7 @@ async function _publish(topics, pubsub, name, payload, pOpts, permissions, audit
 
 // ---- Subscribe ------------------------------------------------------------
 
-async function _subscribe(topics, pubsub, name, handler, sOpts, permissions, auditImpl) {
+async function _subscribe(topics, pubsub, name, handler, sOpts, permissions, auditImpl, requireMac) {
   guardEventBusTopic.validate(name);
   var entry = topics.get(name);
   if (!entry) {
@@ -320,6 +390,37 @@ async function _subscribe(topics, pubsub, name, handler, sOpts, permissions, aud
         { topic: name, reason: "malformed-envelope" });
       return;
     }
+    // Envelope authentication FIRST (M6): verify the keyed MAC over the
+    // authority-bearing fields (_topic / _tenantId / _posture /
+    // _publishedAt / payload-hash) BEFORE trusting _tenantId / _posture
+    // for any routing or schema decision. A pubsub-write attacker who
+    // forges _tenantId (cross-tenant routing) or tampers _posture / the
+    // payload produces a MAC mismatch and the delivery drops. If the
+    // vault key is unavailable, verify() throws — we fail CLOSED (drop),
+    // never deliver an unauthenticatable envelope cross-tenant.
+    // requireMac:false is the single-process unit-test escape hatch and
+    // is audit-visible.
+    if (requireMac) {
+      var macOk = false;
+      try {
+        macOk = envelopeMac.verify(ENVELOPE_MAC_LABEL, _envelopeMacBytes(wrapped), wrapped._mac);
+      } catch (_e) {
+        macOk = false;
+      }
+      if (!macOk) {
+        _safeAudit(auditImpl, "agent.event_bus.cross_tenant_drop", sOpts.actor, {
+          topic: name,
+          publisherTenant:  typeof wrapped._tenantId === "string" ? wrapped._tenantId : null,
+          subscriberTenant: subscriberTenant,
+          reason: "envelope-mac-invalid",
+        });
+        return;
+      }
+    } else {
+      _safeAudit(auditImpl, "agent.event_bus.mac_bypassed", sOpts.actor, {
+        topic: name, reason: "require-mac-disabled", phase: "delivery",
+      });
+    }
     // Tenant-scope check: subscriber's tenantId must match the
     // publisher's tenantId from the wire envelope. If the envelope
     // lacks _tenantId (publisher omitted), that's a tampered or

package/lib/agent-posture-chain.js

@@ -51,15 +51,13 @@
  */
 
 var lazyRequire             = require("./lazy-require");
-var nodeCrypto              = require("node:crypto");
 var { defineClass }         = require("./framework-error");
 var guardPostureChain       = require("./guard-posture-chain");
 var agentAudit              = require("./agent-audit");
 var safeJson                = require("./safe-json");
-var bCrypto                 = require("./crypto");
+var envelopeMac             = require("./agent-envelope-mac");
 
 var audit                   = lazyRequire(function () { return require("./audit"); });
-var vault                   = lazyRequire(function () { return require("./vault"); });
 
 var AgentPostureChainError = defineClass("AgentPostureChainError", { alwaysPermanent: true });
 
@@ -70,44 +68,16 @@ var BUILTIN_REGIMES = Object.freeze(["hipaa", "pci-dss", "gdpr", "soc2"]);
 // strips postureSet to [] and re-sends a saga / sub-agent envelope
 // can bypass the downgrade refusal in _validate (which only checks
 // SHAPE, not authenticity). Defense is a keyed MAC over the canonical
-// envelope bytes, computed at appendHop and verified at validate.
+// envelope bytes, computed at appendHop and verified at validate. The
+// key derivation + HMAC construction live in the shared
+// b.agent.envelopeMac mechanism (one keyed-MAC mechanism for every
+// agent boundary); this label domain-separates the posture-chain MAC.
 var ENVELOPE_MAC_LABEL = "blamejs.agent.postureChain/v1";
-var ENVELOPE_MAC_KEY_BYTES = 32;                                                                        // HMAC-SHA3-512 keyed bytes
 // Hop count cap defends infinite recursion across
 // agent delegation. 16 is the spec default; operators can lower via
 // opts.maxHopCount but never raise (audit fan-out without a cap is a
 // DoS class).
 var DEFAULT_MAX_HOP_COUNT = 16;                                                                         // hop count cap
-var _macKeyCache = null;                                                                                // memoized per-vault-master key
-
-function _resolveMacKey() {
-  // Lazy derivation keyed off the vault master. Operator rotating
-  // vault keys invalidates every in-flight MAC — desired property.
-  // Memoization is process-local; if vault rotates within the same
-  // process the operator restarts (vault rotation already implies it).
-  if (_macKeyCache) return _macKeyCache;
-  var v;
-  try { v = vault(); } catch (_e) { v = null; }
-  if (!v || typeof v.getKeysJson !== "function") {
-    throw new AgentPostureChainError("agent-posture-chain/vault-not-initialized",
-      "envelope MAC: vault must be initialized before posture-chain envelopes can be authenticated " +
-      "(operator wires b.vault.init() at boot)");
-  }
-  var keysJson;
-  try { keysJson = v.getKeysJson(); }
-  catch (e) {
-    throw new AgentPostureChainError("agent-posture-chain/vault-not-initialized",
-      "envelope MAC: vault.getKeysJson threw — " + (e && e.message ? e.message : String(e)));
-  }
-  var rootBytes = Buffer.from(bCrypto.sha3Hash(keysJson), "hex");
-  var input = Buffer.concat([
-    Buffer.from(ENVELOPE_MAC_LABEL, "utf8"),
-    Buffer.from([0x00]),
-    rootBytes,
-  ]);
-  _macKeyCache = bCrypto.kdf(input, ENVELOPE_MAC_KEY_BYTES);
-  return _macKeyCache;
-}
 
 function _envelopeMacBytes(envelope) {
   // Sign every field that downstream consumers verify off the wire,
@@ -124,15 +94,11 @@ function _envelopeMacBytes(envelope) {
 }
 
 function _signEnvelope(envelope) {
-  var key = _resolveMacKey();
-  var mac = nodeCrypto.createHmac("sha3-512", key).update(_envelopeMacBytes(envelope)).digest();
-  return mac.toString("base64");
+  return envelopeMac.sign(ENVELOPE_MAC_LABEL, _envelopeMacBytes(envelope));
 }
 
 function _verifyEnvelopeMac(envelope) {
-  if (typeof envelope._mac !== "string" || envelope._mac.length === 0) return false;
-  var expected = _signEnvelope(envelope);
-  return bCrypto.timingSafeEqual(envelope._mac, expected);
+  return envelopeMac.verify(ENVELOPE_MAC_LABEL, _envelopeMacBytes(envelope), envelope._mac);
 }
 
 /**
@@ -362,5 +328,5 @@ module.exports = {
     chain: guardPostureChain,
   },
   // Test-only — flush the memoized MAC key after a vault reset.
-  _resetForTest: function () { _macKeyCache = null; },
+  _resetForTest: function () { envelopeMac._resetForTest(); },
 };

package/lib/ai-content-detect.js

@@ -43,6 +43,7 @@ var lazyRequire = require("./lazy-require");
 var contentCredentials = lazyRequire(function () { return require("./content-credentials"); });
 var audit = require("./audit");
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var AiContentDetectError = defineClass("AiContentDetectError", { alwaysPermanent: true });
 
@@ -64,16 +65,14 @@ var COMPLIANCE_POSTURES = Object.freeze({
   "nist-ai-rmf":        "balanced",
 });
 
-function _resolveProfile(opts) {
-  if (opts && typeof opts.posture === "string") {
-    var profile = COMPLIANCE_POSTURES[opts.posture];
-    if (profile) return PROFILES[profile];
-  }
-  if (opts && typeof opts.profile === "string" && PROFILES[opts.profile]) {
-    return PROFILES[opts.profile];
-  }
-  return PROFILES[DEFAULT_PROFILE];
-}
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: AiContentDetectError,
+  codePrefix: "ai-content-detect",
+  byObject:   true,
+});
 
 /**
  * @primitive b.ai.aiContentDetect.report