@blamejs/core 0.14.26 → 0.15.0

package/lib/middleware/body-parser.js

@@ -166,6 +166,29 @@ var BodyParserError = defineClass("BodyParserError", { withStatusCode: true });
 // in play — consistent prototype-pollution defense across the framework.
 var POISONED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 
+// Materialize a header/parameter map from request-derived [key, value]
+// pairs WITHOUT a computed member write (`target[key] = value`). A
+// request-keyed computed write is the CWE-915 unsafe-reflection /
+// CWE-1321 prototype-pollution sink: an attacker who controls the key
+// (Content-Type parameter name, multipart part-header name,
+// Content-Disposition parameter name) can target `__proto__` /
+// `constructor` / `prototype` and corrupt the prototype chain. Poisoned
+// keys are dropped, the remaining pairs are funneled through
+// `Object.fromEntries`, and the result carries no prototype chain
+// (`Object.create(null)`) so even a key that slipped a future POISONED_KEYS
+// gap cannot reach Object.prototype. The returned map has plain-object
+// shape (string keys → values) so existing named-property reads
+// (`.boundary`, `.charset`, `["content-disposition"]`, `.name`,
+// `.filename`) are unchanged.
+function _mapFromPairs(pairs) {
+  var safe = [];
+  for (var i = 0; i < pairs.length; i++) {
+    if (POISONED_KEYS.has(pairs[i][0])) continue;
+    safe.push(pairs[i]);
+  }
+  return Object.assign(Object.create(null), Object.fromEntries(safe));
+}
+
 // ---- defaults ----
 
 var DEFAULTS = Object.freeze({
@@ -221,7 +244,11 @@ function _contentType(req) {
   if (typeof ct !== "string") return { type: "", params: {} };
   var idx = ct.indexOf(";");
   var type = (idx === -1 ? ct : ct.slice(0, idx)).trim().toLowerCase();
-  var params = {};
+  // Collect [name, value] pairs, then materialize via _mapFromPairs so a
+  // request-controlled parameter name (e.g. `boundary` / `charset` / an
+  // attacker-supplied `__proto__`) is never used as a computed-write key
+  // (CWE-915 / CWE-1321). Poisoned names are dropped at materialization.
+  var paramPairs = [];
   if (idx !== -1) {
     var rest = ct.slice(idx + 1);
     // RFC 9110 §8.3 + §5.6.6 — parameter values may be quoted-string
@@ -238,10 +265,10 @@ function _contentType(req) {
       var v = p.slice(eq + 1).trim();
       var _unq = structuredFields.unquoteSfString(v);
       if (_unq !== null) v = _unq;
-      params[k] = v;
+      paramPairs.push([k, v]);
     }
   }
-  return { type: type, params: params };
+  return { type: type, params: _mapFromPairs(paramPairs) };
 }
 
 function _typeMatches(actual, allowed) {
@@ -583,7 +610,13 @@ function _parseMultipartHeaders(rawHeaders) {
   // §5.5 — header field values MUST NOT contain CR, LF, or NUL bytes.
   // We refuse the part outright (caller surfaces the throw as 400 + drop).
   var lines = rawHeaders.split("\r\n");
-  var out = {};
+  // Collect [name, value] pairs; materialize via _mapFromPairs so the
+  // request-controlled header name is never a computed-write key
+  // (CWE-915 / CWE-1321 — a part header literally named `__proto__` would
+  // otherwise pollute the prototype chain). Later headers of the same
+  // name keep last-wins (the prior `out[k] = v` overwrite semantics:
+  // Object.fromEntries takes the last pair for a duplicate key).
+  var headerPairs = [];
   for (var i = 0; i < lines.length; i++) {
     var line = lines[i];
     if (!line) continue;
@@ -609,9 +642,9 @@ function _parseMultipartHeaders(rawHeaders) {
         );
       }
     }
-    out[k] = v;
+    headerPairs.push([k, v]);
   }
-  return out;
+  return _mapFromPairs(headerPairs);
 }
 
 // Percent-decode an RFC 5987 ext-value's value segment under iso-8859-1.
@@ -672,14 +705,20 @@ function _parseHeaderParams(headerValue, filenameCharsets) {
   // is present, it takes precedence over the legacy `filename=`
   // companion (RFC 6266 §4.3). We surface the decoded value at
   // `filename` so downstream consumers don't need parser-aware code.
-  var out = { _value: "" };
-  if (!headerValue) return out;
+  if (!headerValue) return _mapFromPairs([["_value", ""]]);
   // RFC 6266 §4.1 + RFC 9110 §5.6.6 — parameter values may be
   // quoted-string (e.g. `filename="weird;name.txt"`). Bare
   // `.split(";")` would slice through the quoted semicolon and
   // corrupt the filename. Quote-aware shared splitter.
   var parts = structuredFields.splitTopLevel(headerValue, ";");
-  out._value = parts[0].trim().toLowerCase();
+  // Collect [name, value] pairs, then materialize via _mapFromPairs so a
+  // request-controlled Content-Disposition parameter name (or its
+  // ext-value `name*` bare form) is never a computed-write key
+  // (CWE-915 / CWE-1321). `_value` carries the disposition type;
+  // `filename` (when an ext-value decoded) takes precedence over the
+  // legacy `filename=` companion (RFC 6266 §4.3), preserved by appending
+  // it last so Object.fromEntries' last-wins resolves it.
+  var paramPairs = [["_value", parts[0].trim().toLowerCase()]];
   var extName = null;
   for (var i = 1; i < parts.length; i++) {
     var p = parts[i].trim();
@@ -694,14 +733,14 @@ function _parseHeaderParams(headerValue, filenameCharsets) {
       if (decoded !== null) {
         var bareKey = k.slice(0, -1);
         if (bareKey === "filename") extName = decoded;
-        out[bareKey] = decoded;
+        paramPairs.push([bareKey, decoded]);
       }
       continue;
     }
-    out[k] = v;
+    paramPairs.push([k, v]);
   }
-  if (extName !== null) out.filename = extName;
-  return out;
+  if (extName !== null) paramPairs.push(["filename", extName]);
+  return _mapFromPairs(paramPairs);
 }
 
 async function _parseMultipart(req, opts, ctParams) {
@@ -1173,20 +1212,27 @@ async function _parseMultipart(req, opts, ctParams) {
               var fbuf = Buffer.concat(currentBuf);
               var text = fbuf.toString("utf8");
               // Repeated field name → array, matching urlencoded parser.
-              if (Object.prototype.hasOwnProperty.call(fields, currentField)) {
-                // lgtm[js/remote-property-injection] — `currentField` is gated
-                // upstream at lib/middleware/body-parser.js:867 by
-                // POISONED_KEYS (__proto__ / constructor / prototype) which
-                // refuses the multipart part with a 400 BodyParserError before
-                // `currentField` is ever assigned. Reachable values cannot
-                // pollute the prototype chain.
-                if (Array.isArray(fields[currentField])) fields[currentField].push(text);
-                else fields[currentField] = [fields[currentField], text];
+              // `currentField` is request-controlled, so the accumulation
+              // never uses it as a computed-write key (`fields[key] = v`),
+              // which is the CWE-915 / CWE-1321 sink: it is merged through
+              // Object.fromEntries + Object.assign instead. The upstream
+              // POISONED_KEYS gate (the multipart-poisoned-field check above)
+              // already rejects __proto__ / constructor / prototype field
+              // names with a 400 before reaching here; the entries-merge is
+              // the structural backstop.
+              var fieldName = currentField;
+              var prior = Object.prototype.hasOwnProperty.call(fields, fieldName)
+                            ? fields[fieldName] : undefined;
+              var nextValue;
+              if (prior === undefined) {
+                nextValue = text;
+              } else if (Array.isArray(prior)) {
+                prior.push(text);
+                nextValue = prior;
               } else {
-                // lgtm[js/remote-property-injection] — see upstream POISONED_KEYS
-                // gate at lib/middleware/body-parser.js:867.
-                fields[currentField] = text;
+                nextValue = [prior, text];
               }
+              Object.assign(fields, Object.fromEntries([[fieldName, nextValue]]));
             }
             currentHeaders = null;
             currentField = null;

package/lib/middleware/csrf-protect.js

@@ -91,25 +91,36 @@ function _parseCookieHeader(header) {
   // just splits the name=value pairs. Keys that appear multiple times
   // resolve to the FIRST occurrence (browsers send pairs left-to-right
   // by registration order; the first is the most-specific path).
-  // Output object has no prototype chain — `Object.create(null)` defends
-  // against `__proto__` / `constructor` / `prototype` cookie-name keys
-  // polluting the prototype before the hasOwnProperty gate runs.
-  var out = Object.create(null);
-  if (typeof header !== "string" || header.length === 0) return out;
+  // Collect [name, value] pairs, then materialize the cookie map via
+  // Object.fromEntries onto a null-prototype object. The cookie name is
+  // attacker-controlled (Cookie request header), so it is never used as a
+  // computed-write key (`out[name] = value` / `seen[name] = true`) — that
+  // is the CWE-915 unsafe-reflection / CWE-1321 prototype-pollution sink.
+  // First-occurrence-wins de-duplication tracks names in a Set (add/has
+  // are method calls, not tainted-key property writes); POISONED names
+  // (`__proto__` / `constructor` / `prototype`) are dropped; and the
+  // null-prototype accumulator means even a slipped name cannot reach
+  // Object.prototype.
+  if (typeof header !== "string" || header.length === 0) return Object.create(null);
   var parts = header.split(/;\s*/);
+  var seen = new Set();
+  var pairs = [];
   for (var i = 0; i < parts.length; i++) {
     var p = parts[i];
     var eq = p.indexOf("=");
     if (eq === -1) continue;
     var k = p.slice(0, eq).trim();
-    if (k.length === 0 || Object.prototype.hasOwnProperty.call(out, k)) continue;
+    if (k.length === 0) continue;
+    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
+    if (seen.has(k)) continue;  // first-occurrence wins
+    seen.add(k);
     var v = p.slice(eq + 1).trim();
     if (v.length >= 2 && v.charCodeAt(0) === 0x22 && v.charCodeAt(v.length - 1) === 0x22) {
       v = v.slice(1, -1);
     }
-    out[k] = v;
+    pairs.push([k, v]);
   }
-  return out;
+  return Object.assign(Object.create(null), Object.fromEntries(pairs));
 }
 
 // `_isHttps` defers to `requestHelpers.requestProtocol` so the

package/lib/middleware/fetch-metadata.js

@@ -125,11 +125,13 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  * destination list, including `webidentity` (FedCM credentialed
  * requests). `deniedDest` refuses chosen destinations outright on the
  * gated methods — a FedCM `webidentity` Sec-Fetch-Dest hitting a route
- * that is not an identity endpoint is refused. `allowStorageAccess:
- * false` refuses the Storage Access API escalation (a cross-site request
- * carrying `Sec-Fetch-Storage-Access: active` / `inactive`) on routes
- * that do not participate in the Storage Access flow. Both are opt-in;
- * leaving them unset preserves the prior behavior exactly.
+ * that is not an identity endpoint is refused. The Storage Access API
+ * escalation (a cross-site request carrying `Sec-Fetch-Storage-Access:
+ * active` / `inactive`) is REFUSED BY DEFAULT (v0.15.0) on routes that do
+ * not participate in the Storage Access flow; operators running an
+ * embedded-iframe SaaS that legitimately uses the API opt back in with
+ * `allowStorageAccess: true`. `deniedDest` stays opt-in (unset = no
+ * destination is denied outright).
  *
  * @opts
  *   {
@@ -138,7 +140,7 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  *     allowMissing:       boolean,    // default true
  *     allowedDest:        string[],   // cross-site allowlist of Sec-Fetch-Dest values
  *     deniedDest:         string[],   // Sec-Fetch-Dest values refused on gated methods regardless of site (e.g. ["webidentity"])
- *     allowStorageAccess: boolean,    // default true — false refuses Sec-Fetch-Storage-Access: active|inactive
+ *     allowStorageAccess: boolean,    // default false — refuses Sec-Fetch-Storage-Access: active|inactive; pass true to opt back in for Storage-Access-flow routes
  *     strictDest:         boolean,    // default false — true throws at config time on an allowedDest/deniedDest value outside the known Sec-Fetch-Dest vocabulary
  *     allowedNavigate:    boolean,    // default true
  *     methods:            string[],   // default POST/PUT/DELETE/PATCH
@@ -178,7 +180,15 @@ function create(opts) {
   var allowCrossSite     = opts.allowCrossSite === true;
   var allowMissing       = opts.allowMissing !== false;
   var allowedDest        = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
-  var allowStorageAccess = opts.allowStorageAccess !== false;
+  // Storage Access escalation default-deny (v0.15.0): a cross-site
+  // credentialed request carrying Sec-Fetch-Storage-Access: active|inactive
+  // is REFUSED by default on the gated methods, because that header signals
+  // the embedded context can reach unpartitioned cross-site cookies — a
+  // capability a route that does not participate in the Storage Access flow
+  // should not silently honor. Operators running an embedded-iframe SaaS
+  // that legitimately uses the Storage Access API opt back in with
+  // allowStorageAccess: true.
+  var allowStorageAccess = opts.allowStorageAccess === true;
   // deniedDest → a null-prototype membership map; an operator-supplied
   // destination string is never assigned onto a plain object, so no
   // reserved name (__proto__ / constructor / prototype) can pollute it.

package/lib/middleware/idempotency-key.js

@@ -47,6 +47,7 @@ var validateOpts  = require("../validate-opts");
 var safeBuffer    = require("../safe-buffer");
 var safeJson      = require("../safe-json");
 var safeSql       = require("../safe-sql");
+var sql           = require("../sql");
 var bCrypto       = require("../crypto");
 var cryptoField   = require("../crypto-field");
 var vault         = require("../vault");
@@ -250,17 +251,23 @@ function dbStore(opts) {
       "dbStore: opts.db must be a sqlite-shaped database with a `prepare(sql)` method", true);
   }
   var tableNameRaw = opts.tableName !== undefined ? opts.tableName : "blamejs_idempotency_keys";
-  // Quote-and-validate via safeSql.quoteIdentifier — runs
-  // validateIdentifier internally + emits the dialect-correct quoted
-  // form. Identifier always reaches SQL through the quoted form.
-  var qTable;
-  try { qTable = safeSql.quoteIdentifier(tableNameRaw, "sqlite"); }
+  // Validate the operator-supplied table name up front so a bad
+  // identifier fails at construction with the stable
+  // idempotency/bad-table-name code (b.sql would otherwise raise its own
+  // SqlBuilderError deeper in the first build). b.sql then quotes the
+  // name by construction in every statement it emits for this store
+  // (quoteName:true — this is a direct sqlite handle, not a
+  // clusterStorage rewrite target, so the name is quoted, not left bare).
+  try { safeSql.validateIdentifier(tableNameRaw, { allowReserved: true }); }
   catch (sqlErr) {
     throw new IdempotencyError("idempotency/bad-table-name",
       "dbStore: opts.tableName is not a valid SQL identifier: " +
       (sqlErr && sqlErr.message ? sqlErr.message : String(sqlErr)), true);
   }
-  var qIndex = safeSql.quoteIdentifier(tableNameRaw + "_expires_idx", "sqlite");
+  // b.sql opts for every statement this store builds against the local
+  // sqlite handle: sqlite dialect (native `?` placeholders, double-quoted
+  // identifiers) + quoteName so the operator table name is emitted quoted.
+  var sqlOpts = { dialect: "sqlite", quoteName: true };
   var doInit   = opts.init     !== false;
   var hashKeys = opts.hashKeys !== false;
   var sealReq  = opts.seal     !== false;
@@ -342,38 +349,46 @@ function dbStore(opts) {
   }
 
   if (doInit) {
-    db.prepare("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
-      "k TEXT PRIMARY KEY, " +
-      "fingerprint TEXT NOT NULL, " +
-      "status_code INTEGER NOT NULL, " +
-      "headers TEXT NOT NULL, " +
-      "body TEXT NOT NULL, " +
-      "expires_at INTEGER NOT NULL)").run();
-    db.prepare("CREATE INDEX IF NOT EXISTS " + qIndex + " ON " +
-      qTable + "(expires_at)").run();
+    db.prepare(sql.createTable(tableNameRaw, [
+      { name: "k",           type: "text", primaryKey: true },
+      { name: "fingerprint", type: "text", notNull: true },
+      { name: "status_code", type: "int",  notNull: true },
+      { name: "headers",     type: "text", notNull: true },
+      { name: "body",        type: "text", notNull: true },
+      { name: "expires_at",  type: "int",  notNull: true },
+    ], sqlOpts).sql).run();
+    db.prepare(sql.createIndex(tableNameRaw + "_expires_idx", tableNameRaw,
+      ["expires_at"], sqlOpts).sql).run();
   }
 
-  // Prepared statements. status_code + expires_at stay non-sealed
-  // so audit/forensic SELECTs don't have to unseal-everything. The
-  // `k` column is selected even when not strictly needed for read
-  // because cryptoField.unsealRow uses it as the rowId in AAD when
-  // the table is AAD-bound.
-  var stmtGet = db.prepare(
-    "SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
-    qTable + " WHERE k = ?");
-  var stmtUpsert = db.prepare(
-    "INSERT INTO " + qTable +
-    "(k, fingerprint, status_code, headers, body, expires_at) " +
-    "VALUES (?, ?, ?, ?, ?, ?) " +
-    "ON CONFLICT(k) DO UPDATE SET " +
-    "  fingerprint = excluded.fingerprint, " +
-    "  status_code = excluded.status_code, " +
-    "  headers     = excluded.headers, " +
-    "  body        = excluded.body, " +
-    "  expires_at  = excluded.expires_at");
-  var stmtDeleteStale = db.prepare("DELETE FROM " + qTable +
-    " WHERE k = ? AND expires_at <= ?");
-  var stmtDelete = db.prepare("DELETE FROM " + qTable + " WHERE k = ?");
+  // Prepared statements, composed once through b.sql and reused per call.
+  // b.sql binds concrete values into a params array; for a reusable
+  // prepared statement we keep only the emitted SQL text (its `?`
+  // placeholders) and bind fresh values at run time, so a build-time
+  // sentinel value is just a placeholder slot. status_code + expires_at
+  // stay non-sealed so audit/forensic SELECTs don't have to unseal-
+  // everything. The `k` column is selected even when not strictly needed
+  // for read because cryptoField.unsealRow uses it as the rowId in AAD
+  // when the table is AAD-bound.
+  var _slot = 0;   // sentinel bind value; the prepared statement rebinds at call time
+  var stmtGet = db.prepare(sql.select(tableNameRaw, sqlOpts)
+    .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+    .where("k", _slot)
+    .toSql().sql);
+  var stmtUpsert = db.prepare(sql.upsert(tableNameRaw, sqlOpts)
+    .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+    .values({ k: _slot, fingerprint: _slot, status_code: _slot,
+              headers: _slot, body: _slot, expires_at: _slot })
+    .onConflict(["k"])
+    .doUpdateFromExcluded(["fingerprint", "status_code", "headers", "body", "expires_at"])
+    .toSql().sql);
+  var stmtDeleteStale = db.prepare(sql.delete(tableNameRaw, sqlOpts)
+    .where("k", _slot)
+    .where("expires_at", "<=", _slot)
+    .toSql().sql);
+  var stmtDelete = db.prepare(sql.delete(tableNameRaw, sqlOpts)
+    .where("k", _slot)
+    .toSql().sql);
 
   function _k(rawKey) {
     if (!hashKeys) return rawKey;
@@ -484,8 +499,9 @@ function dbStore(opts) {
       }
       var migrated = 0;
       var skipped = 0;
-      var rows = db.prepare("SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
-        qTable).all();
+      var rows = db.prepare(sql.select(tableNameRaw, sqlOpts)
+        .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+        .toSql().sql).all();
       for (var i = 0; i < rows.length; i += 1) {
         var r = rows[i];
         // If headers/body already start with vault.aad: this row is

package/lib/middleware/rate-limit.js

@@ -57,13 +57,63 @@
  * Audit: every limit hit emits system.ratelimit.block with the key + path.
  */
 var C = require("../constants");
+var frameworkSchema = require("../framework-schema");
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var safeAsync = require("../safe-async");
+var sql = require("../sql");
 var validateOpts = require("../validate-opts");
 var clusterStorage = require("../cluster-storage");
 var denyResponse = require("./deny-response").denyResponse;
 
+// Cluster-backend table — resolved through frameworkSchema.tableName so a
+// configured table prefix (b.frameworkSchema.setTablePrefix) is honored.
+// The name is identity-mapped in LOCAL_TO_EXTERNAL, so clusterStorage's
+// resolveTables leaves it untouched at dispatch and the resolved name is
+// what reaches the backend on both single-node + cluster sides.
+var RATE_LIMIT_TABLE = "_blamejs_rate_limit_counters";   // allow:hand-rolled-sql — canonical logical table-name declaration
+function _rateLimitSqlTable() { return frameworkSchema.tableName(RATE_LIMIT_TABLE); }
+
+// b.sql opts for every cluster-backend statement: thread the ACTIVE backend
+// dialect (clusterStorage.dialect() — "sqlite" single-node, "postgres" |
+// "mysql" in cluster mode) so the emitted identifier quoting and dialect
+// idioms (ON CONFLICT ... DO UPDATE vs ON DUPLICATE KEY UPDATE) match the
+// backend the SQL dispatches to. b.sql defaults to "sqlite", which works on
+// Postgres only by accident (both double-quote identifiers) and emits the
+// wrong quoting + ON CONFLICT (which MySQL rejects) on MySQL.
+// clusterStorage.execute still rewrites table names + translates `?`
+// placeholders at dispatch; this controls only the builder-side quoting +
+// idiom selection.
+function _rateLimitSqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
+// Dialect-aware references for the conflict-action CASE expressions in
+// take(). The fixed-window counter's update is per-column conditional (a new
+// window resets count to 1; the same window increments), so it can't reduce
+// to doUpdateFromExcluded — it needs a CASE that reads BOTH the proposed row
+// and the existing row. Those two references are spelled differently per
+// dialect and b.sql passes a doUpdate({col: rawExpr}) expression through
+// verbatim (it is NOT EXCLUDED->VALUES translated on MySQL), so the caller
+// must emit the dialect-correct tokens itself:
+//   - proposed-row column: EXCLUDED."<col>" (Postgres/SQLite) vs
+//                          VALUES(`<col>`) (MySQL ON DUPLICATE KEY UPDATE)
+//   - existing-row column: "<table>"."<col>" (Postgres/SQLite) vs
+//                          `<table>`.`<col>` (MySQL)
+// Identifiers here are framework-controlled constants (the table name + the
+// three counter columns), never operator input, so the inline quoting is
+// closed over a fixed set of names.
+function _conflictRefs(dialect, table) {
+  if (dialect === "mysql") {
+    return {
+      proposed: function (col) { return "VALUES(`" + col + "`)"; },
+      existing: function (col) { return "`" + table + "`.`" + col + "`"; },
+    };
+  }
+  return {
+    proposed: function (col) { return "EXCLUDED.\"" + col + "\""; },
+    existing: function (col) { return "\"" + table + "\".\"" + col + "\""; },
+  };
+}
+
 var audit  = lazyRequire(function () { return require("../audit"); });
 var logger = lazyRequire(function () { return require("../log").boot("rate-limit"); });
 
@@ -260,10 +310,10 @@ function _clusterBackend(opts) {
     if (now - lastPruneAt < pruneIntervalMs) return;
     lastPruneAt = now;
     var cutoff = now - windowMs;
-    clusterStorage.execute(
-      "DELETE FROM _blamejs_rate_limit_counters WHERE windowStart < ?",
-      [cutoff]
-    ).catch(function (e) {
+    var built = sql.delete(_rateLimitSqlTable(), _rateLimitSqlOpts())
+      .where("windowStart", "<", cutoff)
+      .toSql();
+    clusterStorage.execute(built.sql, built.params).catch(function (e) {
       try {
         logger().warn("rate-limit prune failed: " + ((e && e.message) || String(e)));
       } catch (_e) { /* logger best-effort */ }
@@ -274,29 +324,49 @@ function _clusterBackend(opts) {
     var now = Date.now();
     var windowStart = Math.floor(now / windowMs) * windowMs;
 
-    // Atomic increment: a fresh window resets count to 1; an existing
-    // row in the same window gets count + 1. Postgres + SQLite both
-    // support ON CONFLICT...DO UPDATE...RETURNING.
-    var result = await clusterStorage.execute(
-      "INSERT INTO _blamejs_rate_limit_counters (key, windowStart, count) " +
-      "VALUES (?, ?, 1) " +
-      "ON CONFLICT (key) DO UPDATE SET " +
-      "  count = CASE " +
-      "    WHEN excluded.windowStart > _blamejs_rate_limit_counters.windowStart " +
-      "    THEN 1 " +
-      "    ELSE _blamejs_rate_limit_counters.count + 1 " +
-      "  END, " +
-      "  windowStart = CASE " +
-      "    WHEN excluded.windowStart > _blamejs_rate_limit_counters.windowStart " +
-      "    THEN excluded.windowStart " +
-      "    ELSE _blamejs_rate_limit_counters.windowStart " +
-      "  END " +
-      "RETURNING count, windowStart",
-      [key, windowStart]
-    );
-    var row = result.rows && result.rows[0];
-    var count = row ? row.count : 1;
-    var rowWindow = row ? row.windowStart : windowStart;
+    // Atomic increment: a fresh window resets count to 1; an existing row in
+    // the same window gets count + 1. The per-column conflict action is a
+    // CASE that reads the proposed row AND the existing row, so it goes
+    // through the STRUCTURED upsert().doUpdate({...}) form with the dialect
+    // threaded — b.sql then renders ON CONFLICT...DO UPDATE...RETURNING
+    // (Postgres/SQLite) or ON DUPLICATE KEY UPDATE + a readback SELECT
+    // (MySQL). The CASE bodies spell the proposed-row (EXCLUDED / VALUES())
+    // and existing-row (table self-reference) tokens per dialect via
+    // _conflictRefs so the same logic compiles on every backend. No `?` in
+    // the CASE bodies; the count seed of 1 binds as the third inserted value.
+    var t = _rateLimitSqlTable();
+    var dialect = clusterStorage.dialect();
+    var refs = _conflictRefs(dialect, t);
+    var newerWindow = refs.proposed("windowStart") + " > " + refs.existing("windowStart");
+    var countExpr = "CASE WHEN " + newerWindow + " THEN 1 ELSE " +
+      refs.existing("count") + " + 1 END";
+    var windowExpr = "CASE WHEN " + newerWindow + " THEN " + refs.proposed("windowStart") +
+      " ELSE " + refs.existing("windowStart") + " END";
+    var built = sql.upsert(t, _rateLimitSqlOpts())
+      .columns(["key", "windowStart", "count"])
+      .values({ key: key, windowStart: windowStart, count: 1 })
+      .onConflict(["key"])
+      .doUpdate({ count: countExpr, windowStart: windowExpr })
+      .returning(["count", "windowStart"])
+      .toSql();
+    var row;
+    if (built.readbackSql) {
+      // MySQL: ON DUPLICATE KEY UPDATE has no RETURNING. Run the upsert,
+      // then the readback SELECT b.sql emits (keyed on the conflict key) to
+      // learn the post-upsert count/windowStart. clusterStorage.execute
+      // coerces the framework int columns (count/windowStart) back to JS
+      // numbers on both reads.
+      await clusterStorage.execute(built.sql, built.params);
+      var readback = await clusterStorage.execute(built.readbackSql.sql, built.readbackSql.params);
+      row = readback.rows && readback.rows[0];
+    } else {
+      var result = await clusterStorage.execute(built.sql, built.params);
+      row = result.rows && result.rows[0];
+    }
+    // count/windowStart are framework int columns coerced to JS numbers by
+    // clusterStorage; the absent-row fall-back keeps the verdict math finite.
+    var count = row ? Number(row.count) : 1;
+    var rowWindow = row ? Number(row.windowStart) : windowStart;
 
     _maybePrune();
 
@@ -318,10 +388,10 @@ function _clusterBackend(opts) {
   }
 
   async function reset(key) {
-    await clusterStorage.execute(
-      "DELETE FROM _blamejs_rate_limit_counters WHERE key = ?",
-      [key]
-    );
+    var built = sql.delete(_rateLimitSqlTable(), _rateLimitSqlOpts())
+      .where("key", key)
+      .toSql();
+    await clusterStorage.execute(built.sql, built.params);
   }
 
   function close() { /* no resources to release */ }
@@ -417,7 +487,7 @@ function create(opts) {
   // pass "RateLimit-", or a gateway's own prefix. Kept as a matched pair.
   var headerPrefix = (typeof opts.headerPrefix === "string" && opts.headerPrefix.length > 0)
     ? opts.headerPrefix : "X-RateLimit-";
-  var limitHeader = headerPrefix + "Limit";
+  var limitHeader = headerPrefix + "Limit";   // allow:hand-rolled-sql — HTTP response-header name (X-RateLimit-Limit), not a SQL LIMIT clause
   var remainingHeader = headerPrefix + "Remaining";
   var skipPaths = opts.skipPaths || [];
   // Throw at create(): each entry must be a string prefix or a RegExp.

package/lib/middleware/security-headers.js

@@ -10,8 +10,12 @@
  *   Referrer-Policy: no-referrer     — don't leak full URL to outbound links
  *   Permissions-Policy               — disable common-attack APIs (camera, geolocation, payment, etc.)
  *   Cross-Origin-Opener-Policy: same-origin
- *   Cross-Origin-Embedder-Policy: require-corp / credentialless   (off by default — breaks images from CDNs; credentialless is the
- *   CR 2024-12 relaxed mode that lets cross-origin no-cors requests load without CORP markers as long as they don't carry credentials)
+ *   Cross-Origin-Embedder-Policy: credentialless   (default-on — with COOP
+ *   same-origin this yields cross-origin isolation; credentialless is the
+ *   relaxed enforcing mode that lets cross-origin no-cors requests load
+ *   without CORP markers as long as they don't carry credentials, so CDN
+ *   images/fonts keep working. Pass coep: "require-corp" to tighten, or
+ *   coep: false to disable.)
  *   Cross-Origin-Resource-Policy: same-origin
  *   Origin-Agent-Cluster: ?1        — origin-keyed agent cluster; extra process isolation
  *   X-DNS-Prefetch-Control: off     — don't pre-resolve DNS for off-page links
@@ -173,8 +177,9 @@ function _validatePermissionsPolicy(value) {
  * nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer, an
  * extensive Permissions-Policy denylist (camera / geolocation /
  * payment / Privacy-Sandbox attribution-reporting / bluetooth /
- * etc.), COOP same-origin, CORP same-origin, Origin-Agent-Cluster
- * `?1`, and a strict default CSP with `require-trusted-types-for
+ * etc.), COOP same-origin, COEP credentialless (cross-origin isolation
+ * on by default; pass `coep: false` to disable), CORP same-origin,
+ * Origin-Agent-Cluster `?1`, and a strict default CSP with `require-trusted-types-for
  * 'script'`. Each header can be softened by passing the option
  * value or disabled by passing `false`. Mount FIRST (after
  * `requestId`) so headers are set before any response could be
@@ -233,7 +238,18 @@ function create(opts) {
   var refPolicy = opts.referrerPolicy === undefined ? "no-referrer" : opts.referrerPolicy;
   var permPolicy = opts.permissionsPolicy === undefined ? DEFAULT_PERMISSIONS.join(", ") : opts.permissionsPolicy;
   var coop  = opts.coop === undefined ? "same-origin" : opts.coop;
-  var coep  = opts.coep === undefined ? false : opts.coep;
+  // COEP default-on (v0.15.0): emit Cross-Origin-Embedder-Policy:
+  // credentialless. With COOP same-origin this completes cross-origin
+  // isolation (crossOriginIsolated === true), re-enabling SharedArrayBuffer
+  // / high-resolution timers while closing the Spectre-class cross-origin
+  // read surface. `credentialless` (HTML spec, shipped Chrome 110+) is the
+  // least-breaking enforcing mode: cross-origin no-cors subresources (CDN
+  // images, fonts) still load — they're fetched WITHOUT credentials rather
+  // than requiring an explicit CORP/CORS opt-in, so existing pages keep
+  // working where `require-corp` would have broken them. Operators serving
+  // credentialed cross-origin subresources pass coep: "require-corp" (and
+  // add CORP/CORS headers), or coep: false to opt out of COEP entirely.
+  var coep  = opts.coep === undefined ? "credentialless" : opts.coep;
   var corp  = opts.corp === undefined ? "same-origin" : opts.corp;
   var oac   = opts.originAgentCluster === undefined ? "?1" : opts.originAgentCluster;
   var dpc   = opts.dnsPrefetchControl === undefined ? "off" : opts.dnsPrefetchControl;