@blamejs/core 0.14.26 → 0.15.0

package/lib/otel-export.js

@@ -42,6 +42,7 @@
 var C = require("./constants");
 var canonicalJson = require("./canonical-json");
 var httpClient = require("./http-client");
+var observability = require("./observability");
 var safeAsync = require("./safe-async");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
@@ -64,6 +65,28 @@ var MAX_RESPONSE_BYTES = C.BYTES.mib(1);
 // receiving backend handles the running sum.
 var TEMPORALITY_DELTA = 1;
 
+// Run a single attribute value through the active telemetry redactor.
+// Telemetry is a first-class EGRESS sink — an attribute value holding a
+// user email, bearer token, or vault-sealed ciphertext would otherwise
+// be serialized verbatim onto the OTLP wire (CWE-532: insertion of
+// sensitive information into an externally-shipped sink). The redactor is
+// resolved per-call from b.observability so an operator-installed
+// override (setRedactor) takes effect without re-creating the exporter.
+//
+// Drop-silent by design: this runs on the export hot path, where a throw
+// from the redactor must never crash the request that produced the span.
+// On a throw we DROP the attribute (signalled by the `_DROP` sentinel)
+// rather than fall through to the raw value — failing toward dropping,
+// not leaking.
+var _DROP = {};
+function _redactAttrValue(key, value) {
+  try {
+    return observability.getRedactor()(value, key);
+  } catch (_e) {
+    return _DROP;   // redactor threw — drop the attribute, never export raw
+  }
+}
+
 // ---- attribute encoding ----
 // OTLP attributes are KeyValue with typed `value` fields:
 //   { key, value: { stringValue | intValue | doubleValue | boolValue } }
@@ -72,7 +95,8 @@ function _attrsToOtlp(attrs) {
   var out = [];
   for (var k in attrs) {
     if (!Object.prototype.hasOwnProperty.call(attrs, k)) continue;
-    var v = attrs[k];
+    var v = _redactAttrValue(k, attrs[k]);
+    if (v === _DROP) continue;                // redactor threw — drop, don't leak
     var kv;
     if (typeof v === "string")  kv = { stringValue: v };
     else if (typeof v === "number") {

package/lib/outbox.js

@@ -70,6 +70,7 @@ var lazyRequire = require("./lazy-require");
 var safeAsync = require("./safe-async");
 var safeJson = require("./safe-json");
 var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
 
@@ -93,6 +94,15 @@ function _validateTableName(name) {
   return safeSql.quoteIdentifier(name);
 }
 
+// Map the operator backend's dialect tag to the b.sql dialect vocabulary.
+// b.sql's terminal toExternalSql() then emits $1..$N for postgres and `?`
+// for sqlite / mysql, matching what the operator-supplied driver expects.
+function _sqlDialect(externalDb) {
+  var d = externalDb && externalDb.dialect;
+  if (d === "postgres" || d === "mysql") return d;
+  return "sqlite";
+}
+
 function _utcNowExpr(externalDb) {
   // The framework's externalDb backends wrap Postgres + SQLite. Both
   // accept a parameterized timestamp via JS Date → ISO string for
@@ -198,7 +208,10 @@ function create(opts) {
   }
   validateOpts.requireNonEmptyString(opts.table,
     "outbox.create: table", OutboxError, "outbox/bad-table");
-  var quotedTable = _validateTableName(opts.table);
+  // Validate the table identifier at create-time so a bad name throws at
+  // boot, not at first query. b.sql re-quotes the name by construction on
+  // every emitted statement (the builder owns identifier quoting now).
+  _validateTableName(opts.table);
 
   if (typeof opts.publisher !== "function") {
     throw new OutboxError("outbox/bad-publisher",
@@ -302,38 +315,57 @@ function create(opts) {
         "outbox.enqueue: payload/headers must be JSON-serializable: " + e.message);
     }
 
-    var sql = "INSERT INTO " + quotedTable +
-      " (topic, payload, key, headers, enqueued_at, next_attempt_at, attempts, status)" +
-      " VALUES ($1, $2, $3, $4, $5, $5, 0, 'pending')";
     var now = _utcNowExpr(externalDb);
-    await txn.query(sql, [
-      event.topic, payloadJson, event.key || null, headersJson, now,
-    ]);
+    // enqueued_at and next_attempt_at both take the same publisher-clock
+    // moment; b.sql binds it as two separate `?` so the placeholder/param
+    // parity gate holds (no $5-reused-twice shorthand).
+    var stmt = sql.insert(opts.table, { dialect: _sqlDialect(externalDb) })
+      .values({
+        topic:           event.topic,
+        payload:         payloadJson,
+        key:             event.key || null,
+        headers:         headersJson,
+        enqueued_at:     now,
+        next_attempt_at: now,
+        attempts:        0,
+        status:          "pending",
+      })
+      .toExternalSql(_sqlDialect(externalDb));
+    await txn.query(stmt.sql, stmt.params);
     _emitMetric("enqueued", 1);
   }
 
   async function declareSchema(xdb) {
     var target = xdb || externalDb;
-    var ddl =
-      "CREATE TABLE IF NOT EXISTS " + quotedTable + " (" +
-        "id BIGSERIAL PRIMARY KEY, " +
-        "topic VARCHAR(255) NOT NULL, " +
-        "payload TEXT NOT NULL, " +
-        "key VARCHAR(255), " +
-        "headers TEXT, " +
-        "enqueued_at TIMESTAMPTZ NOT NULL, " +
-        "next_attempt_at TIMESTAMPTZ NOT NULL, " +
-        "published_at TIMESTAMPTZ, " +
-        "attempts INTEGER NOT NULL DEFAULT 0, " +
-        "last_error TEXT, " +
-        "status VARCHAR(16) NOT NULL DEFAULT 'pending'" +
-      ")";
-    var idxName = _validateTableName(opts.table + "_pending_idx");
-    var idx =
-      "CREATE INDEX IF NOT EXISTS " + idxName + " ON " + quotedTable +
-      " (next_attempt_at) WHERE status = 'pending'";
-    await target.query(ddl, []);
-    await target.query(idx, []);
+    var dialect = _sqlDialect(target);
+    // The identity PK renders dialect-correct (BIGSERIAL on postgres,
+    // INTEGER PRIMARY KEY AUTOINCREMENT on sqlite, BIGINT AUTO_INCREMENT
+    // on mysql) - the prior hand-rolled DDL hardcoded Postgres BIGSERIAL /
+    // TIMESTAMPTZ even on a sqlite backend, which the dialect-aware type
+    // map now corrects. A varchar-with-length / timestamp-with-zone is
+    // passed verbatim by the type map (it sits in type position after a
+    // quoted column name, so no identifier injection is possible).
+    var tsType = dialect === "postgres" ? "TIMESTAMPTZ" : "TIMESTAMP";
+    var ddl = sql.toExternalSql(sql.createTable(opts.table, [
+      { name: "id",              serial: true },
+      { name: "topic",           type: "VARCHAR(255)", notNull: true },
+      { name: "payload",         type: "TEXT",         notNull: true },
+      { name: "key",             type: "VARCHAR(255)" },
+      { name: "headers",         type: "TEXT" },
+      { name: "enqueued_at",     type: tsType,         notNull: true },
+      { name: "next_attempt_at", type: tsType,         notNull: true },
+      { name: "published_at",    type: tsType },
+      { name: "attempts",        type: "INTEGER",      notNull: true, default: 0 },
+      { name: "last_error",      type: "TEXT" },
+      { name: "status",          type: "VARCHAR(16)",  notNull: true, default: "pending" },
+    ], { dialect: dialect }), dialect);
+    // Partial index on the pending pool (the publisher's claim path scans
+    // status='pending' ORDER BY next_attempt_at). The 'pending' literal is
+    // a builder-emitted static predicate, opted in via allowLiterals.
+    var idx = sql.toExternalSql(sql.createIndex(opts.table + "_pending_idx", opts.table,
+      ["next_attempt_at"], { dialect: dialect, where: "status = 'pending'" }), dialect);
+    await target.query(ddl.sql, ddl.params);
+    await target.query(idx.sql, idx.params);
   }
 
   // ---- Publisher worker ----
@@ -363,18 +395,24 @@ function create(opts) {
 
   async function _claimBatch() {
     var supportsSkipLocked = _supportsForUpdateSkipLocked();
+    var dialect = _sqlDialect(externalDb);
+    var CLAIM_COLS = ["id", "topic", "payload", "key", "headers", "attempts"];
     return await externalDb.transaction(async function (xdb) {
       var nowExpr = _utcNowExpr(externalDb);
-      var selectSql =
-        "SELECT id, topic, payload, key, headers, attempts" +
-        " FROM " + quotedTable +
-        " WHERE status = 'pending' AND next_attempt_at <= $1" +
-        " ORDER BY next_attempt_at" +
-        " LIMIT $2";
-      if (supportsSkipLocked) {
-        selectSql += " FOR UPDATE SKIP LOCKED";
-      }
-      var rows = await xdb.query(selectSql, [nowExpr, batchSize]);
+      // status='pending' is a builder-emitted static predicate (opted in
+      // via allowLiterals); next_attempt_at <= ? + the LIMIT both bind.
+      var selectBuilder = sql.select(opts.table, { dialect: dialect })
+        .columns(CLAIM_COLS)
+        .whereRaw("status = 'pending'", [], { allowLiterals: true })
+        .whereRaw("next_attempt_at <= ?", [nowExpr])
+        .orderBy("next_attempt_at")
+        .limit(batchSize);
+      // FOR UPDATE SKIP LOCKED on postgres / mysql; sqlite is a single
+      // writer with no row lock, so the claim there is the conservative
+      // mark-then-reselect path below (b.sql refuses forUpdate on sqlite).
+      if (supportsSkipLocked) selectBuilder.forUpdate({ skipLocked: true });
+      var selectSql = selectBuilder.toExternalSql(dialect);
+      var rows = await xdb.query(selectSql.sql, selectSql.params);
       if (!rows || !rows.rows || rows.rows.length === 0) return [];
       var ids = rows.rows.map(function (r) { return r.id; });
       // Atomic claim: when the dialect lacks SKIP LOCKED, the UPDATE
@@ -386,30 +424,33 @@ function create(opts) {
       // way Postgres does).
       var actuallyClaimed;
       if (supportsSkipLocked) {
-        // Postgres/MySQL: row lock held; ANY($1) update is safe.
-        await xdb.query(
-          "UPDATE " + quotedTable + " SET status = 'in-flight' WHERE id = ANY($1)",
-          [ids]
-        );
+        // Postgres/MySQL: row lock held; whereInArray emits `id = ANY(?)`
+        // on postgres (the whole id set as one bound array) / expanded
+        // `IN (?, ?, ...)` on mysql.
+        var claimUpdate = sql.update(opts.table, { dialect: dialect })
+          .set({ status: "in-flight" })
+          .whereInArray("id", ids)
+          .toExternalSql(dialect);
+        await xdb.query(claimUpdate.sql, claimUpdate.params);
         actuallyClaimed = rows.rows;
       } else {
         // SQLite (or "other") path: emit a portable UPDATE that
         // refuses overlap by gating on status='pending'. After the
         // update we re-read the in-flight rows we own; rows that
-        // another publisher beat us to are skipped.
-        // Use placeholders so the SQL stays parameterized regardless
-        // of dialect array semantics.
-        var placeholders = ids.map(function (_, i) { return "$" + (i + 1); }).join(",");
-        await xdb.query(
-          "UPDATE " + quotedTable +
-          " SET status = 'in-flight' WHERE status = 'pending' AND id IN (" + placeholders + ")",
-          ids
-        );
-        var afterRows = await xdb.query(
-          "SELECT id, topic, payload, key, headers, attempts FROM " + quotedTable +
-          " WHERE status = 'in-flight' AND id IN (" + placeholders + ")",
-          ids
-        );
+        // another publisher beat us to are skipped. whereInArray expands
+        // to an `IN (?, ?, ...)` placeholder list on sqlite.
+        var markUpdate = sql.update(opts.table, { dialect: dialect })
+          .set({ status: "in-flight" })
+          .whereRaw("status = 'pending'", [], { allowLiterals: true })
+          .whereInArray("id", ids)
+          .toExternalSql(dialect);
+        await xdb.query(markUpdate.sql, markUpdate.params);
+        var afterSelect = sql.select(opts.table, { dialect: dialect })
+          .columns(CLAIM_COLS)
+          .whereRaw("status = 'in-flight'", [], { allowLiterals: true })
+          .whereInArray("id", ids)
+          .toExternalSql(dialect);
+        var afterRows = await xdb.query(afterSelect.sql, afterSelect.params);
         actuallyClaimed = (afterRows && afterRows.rows) || [];
       }
       return actuallyClaimed.map(function (r) {
@@ -426,29 +467,40 @@ function create(opts) {
   }
 
   async function _markPublished(id) {
-    await externalDb.query(
-      "UPDATE " + quotedTable +
-      " SET status = 'published', published_at = $1 WHERE id = $2",
-      [_utcNowExpr(externalDb), id]
-    );
+    var dialect = _sqlDialect(externalDb);
+    var stmt = sql.update(opts.table, { dialect: dialect })
+      .set({ status: "published", published_at: _utcNowExpr(externalDb) })
+      .where("id", id)
+      .toExternalSql(dialect);
+    await externalDb.query(stmt.sql, stmt.params);
   }
 
   async function _markRetry(id, attempts, errMsg) {
+    var dialect = _sqlDialect(externalDb);
     var nextAt = new Date(Date.now() + _backoffMs(attempts + 1));
-    await externalDb.query(
-      "UPDATE " + quotedTable +
-      " SET status = 'pending', attempts = $1, last_error = $2, next_attempt_at = $3" +
-      " WHERE id = $4",
-      [attempts + 1, String(errMsg).slice(0, 1024), nextAt, id]                    // error-message char cap
-    );
+    var stmt = sql.update(opts.table, { dialect: dialect })
+      .set({
+        status:          "pending",
+        attempts:        attempts + 1,
+        last_error:      String(errMsg).slice(0, 1024),                            // error-message char cap
+        next_attempt_at: nextAt,
+      })
+      .where("id", id)
+      .toExternalSql(dialect);
+    await externalDb.query(stmt.sql, stmt.params);
   }
 
   async function _markDead(id, attempts, errMsg) {
-    await externalDb.query(
-      "UPDATE " + quotedTable +
-      " SET status = 'dead', attempts = $1, last_error = $2 WHERE id = $3",
-      [attempts + 1, String(errMsg).slice(0, 1024), id]                            // error-message char cap
-    );
+    var dialect = _sqlDialect(externalDb);
+    var stmt = sql.update(opts.table, { dialect: dialect })
+      .set({
+        status:     "dead",
+        attempts:   attempts + 1,
+        last_error: String(errMsg).slice(0, 1024),                                // error-message char cap
+      })
+      .where("id", id)
+      .toExternalSql(dialect);
+    await externalDb.query(stmt.sql, stmt.params);
     _emitAudit("system.outbox.deadletter", "failure", { id: id, attempts: attempts + 1 });
     _emitMetric("dead-letter", 1);
   }
@@ -516,19 +568,21 @@ function create(opts) {
     _emitAudit("system.outbox.stopped", "success", { name: name });
   }
 
-  async function pendingCount() {
-    var res = await externalDb.query(
-      "SELECT COUNT(*) AS n FROM " + quotedTable + " WHERE status = 'pending'", []
-    );
+  async function _statusCount(status) {
+    var dialect = _sqlDialect(externalDb);
+    // status is a fixed builder-internal literal ('pending' / 'dead'),
+    // never operator input; opted in via allowLiterals. COUNT(*) AS n is
+    // the count aggregate with an alias.
+    var stmt = sql.select(opts.table, { dialect: dialect })
+      .count("*", "n")
+      .whereRaw("status = '" + status + "'", [], { allowLiterals: true })
+      .toExternalSql(dialect);
+    var res = await externalDb.query(stmt.sql, stmt.params);
     return Number((res && res.rows && res.rows[0] && res.rows[0].n) || 0);
   }
 
-  async function deadCount() {
-    var res = await externalDb.query(
-      "SELECT COUNT(*) AS n FROM " + quotedTable + " WHERE status = 'dead'", []
-    );
-    return Number((res && res.rows && res.rows[0] && res.rows[0].n) || 0);
-  }
+  async function pendingCount() { return await _statusCount("pending"); }
+  async function deadCount() { return await _statusCount("dead"); }
 
   return {
     enqueue:       enqueue,

package/lib/parsers/safe-xml.js

@@ -13,10 +13,18 @@
  *   - Processing instructions referencing external resources
  *   - Unbounded recursion / element count / attribute count
  *   - CDATA sections of arbitrary length
+ *   - Prototype pollution: an element or attribute named __proto__,
+ *     constructor, or prototype landing as a key in the result tree
+ *     (CWE-1321 / OWASP prototype-pollution)
  *
  * This parser closes all of them by default. DOCTYPE, external entities,
  * and processing instructions other than '<?xml ?>' are REJECTED — apps
- * that need them are using the wrong parser.
+ * that need them are using the wrong parser. Element and attribute names
+ * equal to __proto__ / constructor / prototype are REJECTED with
+ * xml/forbidden-name so they can never collide with an inherited member
+ * or reassign an accumulator's prototype; the result tree and every
+ * nested object it contains have a null prototype, so a consumer reading
+ * an absent key sees undefined rather than an inherited Object member.
  *
  * Output: a plain JS object. Element with attributes + children:
  *   <root id="x"><child>text</child></root>
@@ -75,6 +83,18 @@ var ABSOLUTE_MAX_ATTRIBUTES = 1_000;
 // XML built-in entities (the ONLY entities allowed)
 var BUILT_IN_ENTITIES = { lt: "<", gt: ">", amp: "&", quot: "\"", apos: "'" };
 
+// Names that must never become a key in the result tree. A plain object
+// inherits these from Object.prototype; an element/attribute named after
+// one of them would otherwise collide with the inherited member (a
+// consumer sees a function/object instead of undefined) or — for a
+// computed-member write of an object value — reassign the accumulator's
+// prototype (CWE-1321 / OWASP prototype-pollution). The accumulators are
+// built with a null prototype, and these names are rejected outright so
+// the result is always a clean key→value map. Mirrors the
+// __proto__/constructor/prototype rejection the toml / yaml / ini
+// parsers in this family already apply.
+var FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+
 function _validateAndCap(name, value, defaultValue, ceiling) {
   if (value === undefined) return defaultValue;
   if (!numericBounds.isPositiveFiniteInt(value)) {
@@ -178,7 +198,12 @@ function parse(input, opts) {
       } else break;
     }
     if (pos === start) throw _err("expected name", "xml/bad-name");
-    return input.substring(start, pos);
+    var parsed = input.substring(start, pos);
+    if (FORBIDDEN_KEYS.has(parsed)) {
+      throw _err("element/attribute name '" + parsed +
+        "' is reserved (prototype-pollution defense)", "xml/forbidden-name");
+    }
+    return parsed;
   }
 
   // Parse an attribute value (single- or double-quoted)
@@ -267,7 +292,12 @@ function parse(input, opts) {
 
     expectChar("<");
     var name = parseName();
-    var attrs = {};
+    // Null-prototype accumulator keyed by attacker-influenced attribute
+    // names — no inherited Object member can shadow a missing key, and the
+    // duplicate-attribute check below can't be fooled by an inherited
+    // function (CWE-1321). Forbidden names are already rejected in
+    // parseName.
+    var attrs = Object.create(null);
     var attrCount = 0;
 
     while (pos < len) {
@@ -351,10 +381,15 @@ function parse(input, opts) {
       // Pure-text element → string
       return _make(name, textParts.join("").trim() === "" ? textParts.join("") : textParts.join(""));
     }
-    // Mixed / attributed element → object
-    var obj = {};
+    // Mixed / attributed element → object. Both accumulators carry a null
+    // prototype: `grouped` is keyed by attacker-influenced child element
+    // names and `obj` receives them via Object.assign, so neither may
+    // expose an inherited Object member or be prototype-poisoned by a
+    // computed-member write (CWE-1321). Forbidden child names were already
+    // rejected in parseName.
+    var obj = Object.create(null);
     if (hasAttrs) obj["@attrs"] = attrs;
-    var grouped = {};
+    var grouped = Object.create(null);
     for (var i = 0; i < elementChildren.length; i++) {
       var childWrap = elementChildren[i].value;
       var childName = Object.keys(childWrap)[0];
@@ -374,7 +409,12 @@ function parse(input, opts) {
   }
 
   function _make(name, value) {
-    var out = {};
+    // Null-prototype wrapper keyed by the element name (parser-controlled,
+    // attacker-influenced). `out[name] = value` with a forbidden name
+    // would otherwise reassign the wrapper's prototype when value is an
+    // object; the name is already rejected in parseName and the null
+    // prototype removes the inherited-member surface entirely (CWE-1321).
+    var out = Object.create(null);
     out[name] = value;
     return out;
   }

package/lib/pqc-agent.js

@@ -41,6 +41,33 @@ var PqcAgentError = defineClass("PqcAgentError", { alwaysPermanent: true });
 // cycles when pqc-agent is required during framework bootstrap.
 var audit = lazyRequire(function () { return require("./audit"); });
 
+// Observe an outbound socket's negotiated TLS key-exchange group and audit a
+// classical (non-PQC) downgrade. node:tls reports getEphemeralKeyInfo() as
+// { type:"ECDH", name:"X25519", ... } for a classical group and as {} for an
+// ML-KEM hybrid (it doesn't model the hybrid as ECDH). So a NON-empty name
+// that doesn't carry "MLKEM" means the peer offered no hybrid and the
+// handshake fell back to classical X25519 (the framework's last-resort
+// group) — emit the downgrade so operators can see which dependencies are
+// not yet PQC-ready. Best-effort + drop-silent: an audit failure must never
+// break the request that triggered it.
+function auditClassicalDowngrade(socket, meta) {
+  try {
+    if (!socket || typeof socket.getEphemeralKeyInfo !== "function") return;
+    var info = socket.getEphemeralKeyInfo() || {};
+    var group = info.name;
+    if (!group || /MLKEM/i.test(group)) return;   // hybrid (or unreported) — not a downgrade
+    audit().safeEmit({
+      action:   "tls.classical_downgrade",
+      outcome:  "success",
+      metadata: {
+        group: group,
+        host:  (meta && (meta.host || meta.servername)) || null,
+        port:  (meta && meta.port) || null,
+      },
+    });
+  } catch (_e) { /* drop-silent — audit is best-effort; never break TLS */ }
+}
+
 // IANA TLS Supported Groups Registry — every named-group identifier
 // the framework knows by name. Operators with `allowOperatorGroups:
 // true` may pass any entry from this registry; entries outside it
@@ -186,6 +213,19 @@ function create(opts) {
   var built = _buildAgentOpts(opts);
   var agent = new https.Agent(built);
   agent._builtOpts = built;
+  // Observe each NEW outbound socket's negotiated group (createConnection
+  // runs per fresh connection, not per keep-alive reuse). A classical
+  // negotiation means the peer offered no ML-KEM hybrid — audit the
+  // downgrade. Hybrid stays preferred on every handshake; this only fires on
+  // the classical fallback.
+  var _origCreateConnection = agent.createConnection.bind(agent);
+  agent.createConnection = function (options, cb) {
+    var socket = _origCreateConnection(options, cb);
+    if (socket && typeof socket.once === "function") {
+      socket.once("secureConnect", function () { auditClassicalDowngrade(socket, options); });
+    }
+    return socket;
+  };
   // Per-instance cert rotation. The pre-v0.10.9 path required process
   // restart for cert rotation on agents built via explicit `create()`
   // (only the framework's lazy default had `b.pqcAgent.reload()`).
@@ -345,6 +385,10 @@ module.exports = {
   create:      create,
   createHttp:  createHttp,
   reload:      reload,
+  // Internal — shared with lib/http-client.js's h2 transport, which connects
+  // via node:http2 (not this agent) and so needs the same downgrade
+  // observation. Underscore-prefixed: not a public operator primitive.
+  _auditClassicalDowngrade: auditClassicalDowngrade,
   DEFAULT_OPTS: DEFAULT_OPTS,
   KNOWN_TLS_GROUPS: KNOWN_TLS_GROUPS,
   enforced:    true,

package/lib/pubsub-cluster.js

@@ -22,6 +22,8 @@
  * publishedBy)`. Created by `lib/cluster-storage.js` migrations.
  */
 var clusterStorage = require("./cluster-storage");
+var frameworkSchema = require("./framework-schema");
+var sql = require("./sql");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
@@ -31,6 +33,24 @@ var logger = lazyRequire(function () { return require("./log").boot("pubsub-clus
 
 var PubsubError = defineClass("PubsubError");
 
+// Resolved once: the fan-out table's concrete name, honoring the
+// configurable framework-table prefix. clusterStorage.execute leaves
+// this self-prefixed name unrewritten (its rewrite map is identity-
+// filtered for already-prefixed tables) and translates `?` to `$N` for
+// Postgres, so b.sql emits the bare resolved name + `?` placeholders.
+var MESSAGES_TABLE = frameworkSchema.tableName("_blamejs_pubsub_messages");   // allow:hand-rolled-sql — single canonical logical-name reference
+
+// b.sql opts for every fan-out statement: thread the ACTIVE backend
+// dialect (clusterStorage.dialect() — "sqlite" single-node, "postgres" |
+// "mysql" in cluster mode) so the emitted identifier quoting matches the
+// backend the SQL dispatches to. Without it b.sql defaults to "sqlite"
+// and double-quotes identifiers — correct on Postgres (both double-quote)
+// but read as STRING LITERALS by MySQL (no ANSI_QUOTES), turning the
+// INSERT/SELECT/DELETE into syntax errors. clusterStorage.execute still
+// rewrites table names + translates `?` placeholders at dispatch; this
+// controls only the builder-side identifier quoting.
+function _sqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
 var DEFAULT_POLL_INTERVAL_MS = 100;
 var DEFAULT_RETENTION_MS     = C.TIME.minutes(1);
 var DEFAULT_PRUNE_EVERY_MS   = C.TIME.minutes(5);
@@ -65,11 +85,13 @@ function create(opts) {
 
   async function publishRemote(scopedChannel, payload) {
     var serialized = JSON.stringify(payload);
-    await clusterStorage.execute(
-      "INSERT INTO _blamejs_pubsub_messages " +
-      "(topic, payload, publishedAt, publishedBy) VALUES (?, ?, ?, ?)",
-      [scopedChannel, serialized, Date.now(), _nodeId()]
-    );
+    var built = sql.insert(MESSAGES_TABLE, _sqlOpts()).values({
+      topic:       scopedChannel,
+      payload:     serialized,
+      publishedAt: Date.now(),
+      publishedBy: _nodeId(),
+    }).toSql();
+    await clusterStorage.execute(built.sql, built.params);
     return { remote: 1 };
   }
 
@@ -78,24 +100,25 @@ function create(opts) {
     var nodeId = _nodeId();
     try {
       // First poll: prime lastSeenId to the current MAX so we don't
-      // re-dispatch every historical row on startup.
+      // re-dispatch every historical row on startup. MAX(id) is NULL on
+      // an empty table; Number(null) || 0 below maps that to 0 (the same
+      // result the prior COALESCE(MAX(id), 0) produced).
       if (!primed) {
-        var primer = await clusterStorage.execute(
-          "SELECT COALESCE(MAX(id), 0) AS maxId FROM _blamejs_pubsub_messages",
-          []
-        );
+        var primerBuilt = sql.select(MESSAGES_TABLE, _sqlOpts()).max("id", "maxId").toSql();
+        var primer = await clusterStorage.execute(primerBuilt.sql, primerBuilt.params);
         if (primer.rows && primer.rows[0]) {
           lastSeenId = Number(primer.rows[0].maxId) || 0;
         }
         primed = true;
         return;
       }
-      var result = await clusterStorage.execute(
-        "SELECT id, topic, payload, publishedAt, publishedBy " +
-        "FROM _blamejs_pubsub_messages " +
-        "WHERE id > ? AND publishedBy <> ? ORDER BY id ASC",
-        [lastSeenId, nodeId]
-      );
+      var pollBuilt = sql.select(MESSAGES_TABLE, _sqlOpts())
+        .columns(["id", "topic", "payload", "publishedAt", "publishedBy"])
+        .where("id", ">", lastSeenId)
+        .where("publishedBy", "<>", nodeId)
+        .orderBy("id", "asc")
+        .toSql();
+      var result = await clusterStorage.execute(pollBuilt.sql, pollBuilt.params);
       var rows = result.rows || [];
       for (var i = 0; i < rows.length; i++) {
         var row = rows[i];
@@ -116,10 +139,9 @@ function create(opts) {
       var now = Date.now();
       if (now - lastPruneAt >= pruneEveryMs) {
         lastPruneAt = now;
-        await clusterStorage.execute(
-          "DELETE FROM _blamejs_pubsub_messages WHERE publishedAt < ?",
-          [now - retentionMs]
-        );
+        var pruneBuilt = sql.delete(MESSAGES_TABLE, _sqlOpts())
+          .where("publishedAt", "<", now - retentionMs).toSql();
+        await clusterStorage.execute(pruneBuilt.sql, pruneBuilt.params);
       }
     } catch (e) {
       try { logger().warn("pubsub-cluster poll failed: " +