@blamejs/core 0.14.26 → 0.15.0

package/lib/mail-journal.js

@@ -72,7 +72,7 @@ var C = require("./constants");
 var validateOpts = require("./validate-opts");
 var numericBounds = require("./numeric-bounds");
 var safeJson = require("./safe-json");
-var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var { defineClass } = require("./framework-error");
 var lazyRequire = require("./lazy-require");
 
@@ -213,33 +213,40 @@ function create(opts) {
   // / `messageId` / `archivedAt` / `sizeBytes` / `regimes` / `legalHold`
   // queryable without unsealing the payload. The payload (headers +
   // body) lives in the WORM bucket sealed via b.cryptoField.sealRow.
-  // Route every identifier through safeSql.quoteIdentifier — the
-  // shared substrate validates the unquoted name AND emits the
-  // dialect-correct quoted form. Index names must be built from the
-  // unquoted base then quoted independently; appending suffixes to
-  // an already-quoted token produces invalid SQL like
-  // `"_mail_journal_x"_archived_at_idx`.
-  var rawTable    = "_mail_journal_" + namespace.replace(/-/g, "_");
-  var qTable      = safeSql.quoteIdentifier(rawTable);
-  var qIdxArchAt  = safeSql.quoteIdentifier(rawTable + "_archived_at_idx");
-  var qIdxMsgId   = safeSql.quoteIdentifier(rawTable + "_message_id_idx");
-  opts.db.runSql(
-    "CREATE TABLE IF NOT EXISTS " + qTable + " (" +
-    "journal_id TEXT PRIMARY KEY, " +
-    "direction TEXT NOT NULL, " +
-    "actor_id TEXT, " +
-    "message_id TEXT, " +
-    "archived_at INTEGER NOT NULL, " +
-    "size_bytes INTEGER NOT NULL, " +
-    "regimes TEXT NOT NULL, " +
-    "floor_until INTEGER NOT NULL, " +
-    "legal_hold INTEGER NOT NULL DEFAULT 0, " +
-    "storage_key TEXT NOT NULL UNIQUE, " +
-    "sealed_payload BLOB NOT NULL" +
-    ");" +
-    "CREATE INDEX IF NOT EXISTS " + qIdxArchAt + " ON " + qTable + " (archived_at);" +
-    "CREATE INDEX IF NOT EXISTS " + qIdxMsgId  + " ON " + qTable + " (message_id);"
-  );
+  //
+  // The journal table is an operator-namespaced local table (NOT a
+  // framework `_blamejs_` table that clusterStorage rewrites), so every
+  // statement composes b.sql with quoteName:true — b.sql validates the
+  // identifier through b.safeSql and emits the dialect-quoted form,
+  // running against opts.db (the local sqlite handle) directly. `_t()`
+  // opens each verb builder pre-bound to this table so the name resolves
+  // in exactly one place.
+  var rawTable = "_mail_journal_" + namespace.replace(/-/g, "_");
+  var TBL_OPTS = { dialect: "sqlite", quoteName: true };
+  function _t(verb) { return sql[verb](rawTable, TBL_OPTS); }
+
+  // Bootstrap DDL — CREATE TABLE + the archived_at / message_id indexes.
+  // runSql is a multi-statement helper, so the three b.sql DDL strings
+  // join with `;` into one call (each b.sql build is a single validated
+  // statement; the join is the multi-statement boundary runSql expects).
+  var ddl = [
+    sql.createTable(rawTable, [
+      { name: "journal_id",     type: "text", primaryKey: true },
+      { name: "direction",      type: "text", notNull: true },
+      { name: "actor_id",       type: "text" },
+      { name: "message_id",     type: "text" },
+      { name: "archived_at",    type: "int",  notNull: true },
+      { name: "size_bytes",     type: "int",  notNull: true },
+      { name: "regimes",        type: "text", notNull: true },
+      { name: "floor_until",    type: "int",  notNull: true },
+      { name: "legal_hold",     type: "int",  notNull: true, default: 0 },
+      { name: "storage_key",    type: "text", notNull: true, unique: true },
+      { name: "sealed_payload", type: "blob", notNull: true },
+    ], TBL_OPTS).sql,
+    sql.createIndex(rawTable + "_archived_at_idx", rawTable, ["archived_at"], TBL_OPTS).sql,
+    sql.createIndex(rawTable + "_message_id_idx",  rawTable, ["message_id"],  TBL_OPTS).sql,
+  ].join(";");
+  opts.db.runSql(ddl);
 
   async function record(req) {
     validateOpts.requireObject(req, "mail.journal.record",
@@ -292,13 +299,24 @@ function create(opts) {
 
     var regimesJson = JSON.stringify(opts.regimes);
     var floorUntil  = archivedAt + floorMs;
-    opts.db.runSql(
-      "INSERT INTO " + qTable + " (journal_id, direction, actor_id, message_id, " +
-      "archived_at, size_bytes, regimes, floor_until, legal_hold, storage_key, sealed_payload) " +
-      "VALUES (?, ?, ?, ?, ?, ?, ?, ?, 0, ?, ?);",
-      [journalId, req.direction, req.actorId, req.messageId,
-       archivedAt, sizeBytes, regimesJson, floorUntil, storageKey, sealedBlob]
-    );
+    // legal_hold is omitted from the INSERT so the column's
+    // `NOT NULL DEFAULT 0` applies (the prior inline `0` SQL literal) — b.sql
+    // binds every value it is given, so leaving the column out keeps the row
+    // unsealed-at-rest default without binding a redundant constant. b.sql
+    // quotes every column + binds every remaining value as a placeholder.
+    var insBuilt = _t("insert").values({
+      journal_id:     journalId,
+      direction:      req.direction,
+      actor_id:       req.actorId,
+      message_id:     req.messageId,
+      archived_at:    archivedAt,
+      size_bytes:     sizeBytes,
+      regimes:        regimesJson,
+      floor_until:    floorUntil,
+      storage_key:    storageKey,
+      sealed_payload: sealedBlob,
+    }).toSql();
+    opts.db.runSql(insBuilt.sql, insBuilt.params);
 
     _emit("mail.journal.record", "success", {
       journalId:  journalId,
@@ -317,11 +335,12 @@ function create(opts) {
       throw new MailJournalError("mail-journal/bad-id",
         "mail.journal.getById: journalId must be a non-empty string");
     }
-    var rows = opts.db.runSql(
-      "SELECT direction, message_id, archived_at, size_bytes, regimes, floor_until, " +
-      "legal_hold, storage_key, sealed_payload FROM " + qTable + " WHERE journal_id = ?;",
-      [journalId]
-    );
+    var gbBuilt = _t("select")
+      .columns(["direction", "message_id", "archived_at", "size_bytes", "regimes",
+                "floor_until", "legal_hold", "storage_key", "sealed_payload"])
+      .where("journal_id", journalId)
+      .toSql();
+    var rows = opts.db.runSql(gbBuilt.sql, gbBuilt.params);
     if (!rows || rows.length === 0) return null;
     var r = rows[0];
     var unsealed = safeJson.parse(opts.vault.unseal(r.sealed_payload));
@@ -344,30 +363,27 @@ function create(opts) {
 
   function list(filter) {
     filter = filter || {};
+    var limit = numericBounds.isPositiveFiniteInt(filter.limit) ? Math.min(filter.limit, 1000) : 100; // list page cap
+    // Each filter term is an optional .where() leaf (AND-composed); b.sql
+    // quotes the columns + binds the values. A diagnostic clause list is
+    // kept for the audit metadata (the prior `filter: clauses` field).
     var clauses = [];
-    var args    = [];
+    var qb = _t("select").columns(["journal_id", "direction", "actor_id", "message_id",
+      "archived_at", "size_bytes", "regimes", "floor_until", "legal_hold", "storage_key"]);
     if (filter.direction && ALLOWED_DIRECTIONS[filter.direction]) {
-      clauses.push("direction = ?");
-      args.push(filter.direction);
+      qb.where("direction", filter.direction); clauses.push("direction = ?");
     }
     if (typeof filter.since === "number" && numericBounds.isPositiveFiniteInt(filter.since)) {
-      clauses.push("archived_at >= ?");
-      args.push(filter.since);
+      qb.whereOp("archived_at", ">=", filter.since); clauses.push("archived_at >= ?");
     }
     if (typeof filter.until === "number" && numericBounds.isPositiveFiniteInt(filter.until)) {
-      clauses.push("archived_at < ?");
-      args.push(filter.until);
+      qb.whereOp("archived_at", "<", filter.until); clauses.push("archived_at < ?");
     }
     if (filter.actorId && typeof filter.actorId === "string") {
-      clauses.push("actor_id = ?");
-      args.push(filter.actorId);
+      qb.where("actor_id", filter.actorId); clauses.push("actor_id = ?");
     }
-    var limit = numericBounds.isPositiveFiniteInt(filter.limit) ? Math.min(filter.limit, 1000) : 100; // list page cap
-    var where = clauses.length > 0 ? " WHERE " + clauses.join(" AND ") : "";
-    var sql = "SELECT journal_id, direction, actor_id, message_id, archived_at, " +
-              "size_bytes, regimes, floor_until, legal_hold, storage_key FROM " +
-              qTable + where + " ORDER BY archived_at DESC LIMIT " + limit + ";";
-    var rows = opts.db.runSql(sql, args);
+    var listBuilt = qb.orderBy("archived_at", "desc").limit(limit).toSql();
+    var rows = opts.db.runSql(listBuilt.sql, listBuilt.params);
     _emit("mail.journal.list", "success", { count: rows ? rows.length : 0, filter: clauses });
     return (rows || []).map(function (r) {
       return {
@@ -387,11 +403,15 @@ function create(opts) {
 
   function expireSurface(now) {
     if (now === undefined) now = Date.now();
-    var rows = opts.db.runSql(
-      "SELECT journal_id, archived_at, floor_until, message_id, regimes FROM " +
-      qTable + " WHERE floor_until < ? AND legal_hold = 0 ORDER BY archived_at ASC LIMIT 1000;",   // expiry-surface cap
-      [now]
-    );
+    // legal_hold = 0 binds as a value (the prior inline `0` literal).
+    var esBuilt = _t("select")
+      .columns(["journal_id", "archived_at", "floor_until", "message_id", "regimes"])
+      .whereOp("floor_until", "<", now)
+      .where("legal_hold", 0)
+      .orderBy("archived_at", "asc")
+      .limit(1000)                                                                                  // expiry-surface cap
+      .toSql();
+    var rows = opts.db.runSql(esBuilt.sql, esBuilt.params);
     _emit("mail.journal.expire_surface", "success", { count: rows ? rows.length : 0, now: now });
     return (rows || []).map(function (r) {
       return {
@@ -409,10 +429,11 @@ function create(opts) {
       throw new MailJournalError("mail-journal/bad-id",
         "mail.journal.setLegalHold: journalId required");
     }
-    opts.db.runSql(
-      "UPDATE " + qTable + " SET legal_hold = ? WHERE journal_id = ?;",
-      [onHold ? 1 : 0, journalId]
-    );
+    var lhBuilt = _t("update")
+      .set("legal_hold", onHold ? 1 : 0)
+      .where("journal_id", journalId)
+      .toSql();
+    opts.db.runSql(lhBuilt.sql, lhBuilt.params);
     _emit("mail.journal.legal_hold_change", "success", { journalId: journalId, onHold: !!onHold });
   }
 

package/lib/mail-rbl.js

@@ -86,6 +86,7 @@ var C                  = require("./constants");
 var { defineClass }    = require("./framework-error");
 var lazyRequire        = require("./lazy-require");
 var ipUtils            = require("./ip-utils");
+var gateContract       = require("./gate-contract");
 
 var audit              = lazyRequire(function () { return require("./audit"); });
 
@@ -105,12 +106,7 @@ var PROFILES = Object.freeze({
   permissive: { maxConcurrent: 32, perListTimeoutMs: C.TIME.seconds(20), maxListsPerQuery: 64 },         // list-count cap
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 /**
  * @primitive b.mail.rbl.create

package/lib/mail-scan.js

@@ -85,6 +85,7 @@ var lazyRequire       = require("./lazy-require");
 var validateOpts      = require("./validate-opts");
 var numericBounds     = require("./numeric-bounds");
 var safeIcap          = require("./safe-icap");
+var gateContract = require("./gate-contract");
 
 var audit             = lazyRequire(function () { return require("./audit"); });
 var guardArchive      = lazyRequire(function () { return require("./guard-archive"); });
@@ -107,12 +108,7 @@ var PROFILES = Object.freeze({
   permissive: { timeoutMs: C.TIME.seconds(120), maxMessageBytes: C.BYTES.mib(150), maxResponseBytes: C.BYTES.mib(300) },  // operator-facing default mailbox cap
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 var ALLOWED_PROTOCOLS = Object.freeze({
   "icap":            true,

package/lib/mail-server-jmap.js

@@ -316,6 +316,33 @@ function create(opts) {
     return cur;
   }
 
+  // ---- Account authorization (RFC 8620 §3.6.1 accountNotFound) ------------
+  //
+  // The set of accountIds an actor may touch is whatever
+  // `opts.accountsFor(actor)` enumerates in its `accounts` map — the same
+  // source the session resource advertises. Resolving it ONCE per request
+  // and rejecting any client-supplied accountId outside that set is the
+  // cross-tenant authorization control: without it, a tenant's request can
+  // name another tenant's accountId and reach the operator's method/blob
+  // handler, which must then independently re-check or leak. The listener
+  // owns this gate so every account-scoped op (method dispatch + blob
+  // upload/download) is covered uniformly.
+  async function _permittedAccountIds(actor) {
+    var info = await opts.accountsFor(actor);
+    info = info || {};
+    var accounts = info.accounts || {};
+    // A Set of the accountIds the actor is enumerated for. An empty/garbage
+    // accounts map yields an empty set → every account-scoped reference is
+    // rejected (fail-closed), which is the correct posture for an actor the
+    // operator declined to grant any account.
+    var set = Object.create(null);
+    if (accounts && typeof accounts === "object") {
+      var ids = Object.keys(accounts);
+      for (var i = 0; i < ids.length; i += 1) set[ids[i]] = true;
+    }
+    return set;
+  }
+
   // ---- Dispatch ------------------------------------------------------------
   //
   // `dispatch(actor, body)` is the operator-callable form — accepts a
@@ -340,6 +367,20 @@ function create(opts) {
       return _refusalResponse(errType, (e && e.message) || "request refused");
     }
 
+    // Resolve the actor's permitted accountId set ONCE for the whole
+    // request (RFC 8620 §3.6.1). Every account-scoped method call is gated
+    // against it below, BEFORE the operator handler runs, so a client can't
+    // name another tenant's accountId and reach the backend.
+    var permittedAccounts;
+    try {
+      permittedAccounts = await _permittedAccountIds(actor);
+    } catch (e) {
+      _emit("mail.server.jmap.accounts_for_threw",
+        { error: (e && e.message) || String(e) }, "failure");
+      return _refusalResponse("urn:ietf:params:jmap:error:serverFail",
+        "account authorization unavailable");
+    }
+
     var methodResponses = [];
     var byClientId = Object.create(null);
     for (var i = 0; i < parsed.methodCalls.length; i += 1) {
@@ -361,6 +402,24 @@ function create(opts) {
             description: "Method '" + methodName + "' not implemented on this server" }, clientId]);
         continue;
       }
+      // Cross-tenant gate (RFC 8620 §3.6.1): if the call names an accountId,
+      // it MUST be one the actor is enumerated for. Rejected BEFORE the
+      // operator handler runs so a forged/foreign accountId never reaches
+      // the backend. Calls without an accountId (account-agnostic methods)
+      // pass through unchanged.
+      if (resolvedArgs && typeof resolvedArgs === "object" &&
+          resolvedArgs.accountId !== undefined && resolvedArgs.accountId !== null) {
+        var callAccountId = resolvedArgs.accountId;
+        if (typeof callAccountId !== "string" || !permittedAccounts[callAccountId]) {
+          _emit("mail.server.jmap.account_not_found",
+            { method: methodName, accountId: typeof callAccountId === "string" ? callAccountId : null,
+              clientId: clientId }, "denied");
+          methodResponses.push(["error",
+            { type: "urn:ietf:params:jmap:error:accountNotFound",
+              description: "accountId is not accessible to this actor" }, clientId]);
+          continue;
+        }
+      }
       if (!_legacyDeprecationEmitted && registry.source(methodName) === "builtin") {
         _legacyDeprecationEmitted = true;
         _emit("mail.server.jmap.methods_opt_deprecated",
@@ -813,6 +872,40 @@ function create(opts) {
       if (refused) return;
       var bytes = collector.result();
       Promise.resolve()
+        // Cross-tenant gate (RFC 8620 §3.6.1): the accountId in the upload
+        // URL must be one the actor is enumerated for, else accountNotFound
+        // — the foreign accountId never reaches uploadBlob.
+        .then(function () { return _permittedAccountIds(actor); })
+        .then(function (permitted) {
+          if (!permitted[accountId]) {
+            _emit("mail.server.jmap.account_not_found",
+              { op: "upload", accountId: accountId }, "denied");
+            res.statusCode = 404;
+            res.setHeader("Content-Type", "application/json; charset=utf-8");
+            res.end(JSON.stringify({
+              type:        "urn:ietf:params:jmap:error:accountNotFound",
+              description: "accountId is not accessible to this actor",
+            }));
+            return;
+          }
+          return _completeUpload(bytes);
+        })
+        .catch(function (err) {
+          _emit("mail.server.jmap.upload_threw",
+            { accountId: accountId, error: (err && err.message) || String(err) }, "failure");
+          if (!res.headersSent) {
+            res.statusCode = 500;
+            res.setHeader("Content-Type", "application/json; charset=utf-8");
+            res.end(JSON.stringify({
+              type:        "urn:ietf:params:jmap:error:serverFail",
+              description: "Upload failed",
+            }));
+          }
+        });
+    });
+
+    function _completeUpload(bytes) {
+      return Promise.resolve()
         .then(function () { return opts.mailStore.uploadBlob(actor, accountId, contentType, bytes); })
         .then(function (meta) {
           if (!meta || typeof meta !== "object" || typeof meta.blobId !== "string") {
@@ -827,18 +920,10 @@ function create(opts) {
             type:      meta.type || contentType,
             size:      typeof meta.size === "number" ? meta.size : bytes.length,
           }));
-        })
-        .catch(function (err) {
-          _emit("mail.server.jmap.upload_threw",
-            { accountId: accountId, error: (err && err.message) || String(err) }, "failure");
-          res.statusCode = 500;
-          res.setHeader("Content-Type", "application/json; charset=utf-8");
-          res.end(JSON.stringify({
-            type:        "urn:ietf:params:jmap:error:serverFail",
-            description: "Upload failed",
-          }));
         });
-    });
+      // Errors from uploadBlob propagate to the req.on("end") chain's
+      // .catch (single serverFail responder, headersSent-guarded).
+    }
     req.on("error", function () {
       if (!refused) {
         refused = true;
@@ -944,9 +1029,29 @@ function create(opts) {
       }));
       return;
     }
+    var downloadDenied = false;
     Promise.resolve()
-      .then(function () { return opts.mailStore.downloadBlob(actor, accountId, blobId); })
+      // Cross-tenant gate (RFC 8620 §3.6.1): the accountId in the download
+      // URL must be one the actor is enumerated for, else accountNotFound —
+      // the foreign accountId never reaches downloadBlob.
+      .then(function () { return _permittedAccountIds(actor); })
+      .then(function (permitted) {
+        if (!permitted[accountId]) {
+          downloadDenied = true;
+          _emit("mail.server.jmap.account_not_found",
+            { op: "download", accountId: accountId, blobId: blobId }, "denied");
+          res.statusCode = 404;
+          res.setHeader("Content-Type", "application/json; charset=utf-8");
+          res.end(JSON.stringify({
+            type:        "urn:ietf:params:jmap:error:accountNotFound",
+            description: "accountId is not accessible to this actor",
+          }));
+          return undefined;
+        }
+        return opts.mailStore.downloadBlob(actor, accountId, blobId);
+      })
       .then(function (result) {
+        if (downloadDenied) return;
         if (!result || (typeof result !== "object" && !Buffer.isBuffer(result))) {
           res.statusCode = 404;
           res.setHeader("Content-Type", "application/json; charset=utf-8");

package/lib/mail-spam-score.js

@@ -70,6 +70,7 @@
 var { defineClass }   = require("./framework-error");
 var lazyRequire       = require("./lazy-require");
 var validateOpts      = require("./validate-opts");
+var gateContract      = require("./gate-contract");
 
 var audit = lazyRequire(function () { return require("./audit"); });
 
@@ -90,12 +91,7 @@ var PROFILES = Object.freeze({
   permissive: { threshold: 10.0, maxReasons: MAX_REASONS, maxReasonBytes: MAX_REASON_BYTES },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 /**
  * @primitive b.mail.spamScore.create