@blamejs/core 0.14.26 → 0.15.0

package/lib/redact.js

@@ -309,6 +309,7 @@ function _redact(value, depth, maxDepth, marker, parentKey) {
 function _resetForTest() {
   sensitiveFieldsSet = new Set(SENSITIVE_FIELDS);
   customDetectors = [];
+  outboundInstallCount = 0;
 }
 
 // ---- Classifier presets (for outbound DLP) ----
@@ -625,6 +626,14 @@ function classifyDefaults(opts) {
 
 var OUTBOUND_INSTALL_REGISTRY = new WeakMap();
 
+// Count of primitive instances currently wrapped by an outbound-DLP
+// interceptor. A WeakMap can't be enumerated, so this counter is the
+// cheap "is anything installed?" signal b.compliance.set reads to decide
+// whether to warn that a DLP-floor posture was pinned without wiring.
+// Incremented per primitive on install, decremented on uninstall; never
+// negative.
+var outboundInstallCount = 0;
+
 function _emitDlp(action, outcome, metadata) {
   try {
     audit().safeEmit({
@@ -740,15 +749,15 @@ function installOutboundDlp(opts) {
 
   if (opts.httpClient) {
     var u1 = _installHttpClient(opts.httpClient, classifier, opts);
-    if (u1) { uninstallers.push(u1); installed.httpClient = true; }
+    if (u1) { uninstallers.push(u1); installed.httpClient = true; outboundInstallCount += 1; }
   }
   if (opts.mail) {
     var u2 = _installMail(opts.mail, classifier, opts);
-    if (u2) { uninstallers.push(u2); installed.mail = true; }
+    if (u2) { uninstallers.push(u2); installed.mail = true; outboundInstallCount += 1; }
   }
   if (opts.webhook) {
     var u3 = _installWebhook(opts.webhook, classifier, opts);
-    if (u3) { uninstallers.push(u3); installed.webhook = true; }
+    if (u3) { uninstallers.push(u3); installed.webhook = true; outboundInstallCount += 1; }
   }
 
   _emitDlp("dlp.outbound.installed", "success", {
@@ -761,12 +770,37 @@ function installOutboundDlp(opts) {
     uninstall:  function () {
       while (uninstallers.length > 0) {
         var fn = uninstallers.pop();
-        try { fn(); } catch (_e) { /* best-effort */ }
+        try { fn(); if (outboundInstallCount > 0) outboundInstallCount -= 1; }
+        catch (_e) { /* best-effort */ }
       }
     },
   };
 }
 
+/**
+ * @primitive b.redact.isOutboundDlpInstalled
+ * @signature b.redact.isOutboundDlpInstalled()
+ * @since     0.14.27
+ * @compliance hipaa, pci-dss, gdpr, soc2, fapi2
+ * @related   b.redact.installForPosture, b.redact.installOutboundDlp
+ *
+ * Returns `true` when at least one primitive instance (httpClient /
+ * mail / webhook) currently carries an outbound-DLP interceptor.
+ * `b.compliance.set` reads this to decide whether to emit the one-time
+ * `compliance.posture.outbound_dlp_unwired` warning when a posture whose
+ * floor implies outbound DLP is pinned without any wiring. Read-only.
+ *
+ * @example
+ *   b.redact.isOutboundDlpInstalled();   // → false
+ *   var dlp = b.redact.installForPosture("hipaa", { httpClient: myHttp });
+ *   b.redact.isOutboundDlpInstalled();   // → true
+ *   dlp.uninstall();
+ *   b.redact.isOutboundDlpInstalled();   // → false
+ */
+function isOutboundDlpInstalled() {
+  return outboundInstallCount > 0;
+}
+
 function _resolvePosturePatterns(name) {
   var n = String(name).toLowerCase();
   if (n === "pci-dss" || n === "pci") {
@@ -779,6 +813,15 @@ function _resolvePosturePatterns(name) {
     return ["pan", "credit-card", "iban", "pem", "aws-access-key", "jwt", "api-key-shape"];
   }
   if (n === "soc2" || n === "gdpr") {
+    // Known fidelity collapse: soc2 and gdpr share one outbound-DLP
+    // pattern set here. They are distinct regimes — GDPR's special-
+    // category personal data (Art. 9) is broader than the SOC 2 Trust
+    // Services criteria this preset targets — but the built-in
+    // value-shape detectors don't yet distinguish them, so the same
+    // pattern list backs both. Operators needing GDPR-specific shapes
+    // pass an explicit classifier (classifyDefaults) rather than the
+    // posture preset. This is intentional, not an accidental alias —
+    // documented so it isn't mistaken for per-regime handling.
     return ["ssn", "ein", "pem", "ssh-private", "aws-access-key", "api-key-shape"];
   }
   throw new DlpError("redact-dlp/unknown-posture",
@@ -959,9 +1002,12 @@ function _summarizeHit(h) {
   return { label: h.label, action: h.action, where: h.where };
 }
 
-// Posture-coordinated install — a thin wrapper used by b.compliance.set
-// to wire DLP automatically when the posture is set. Operators using
-// b.compliance can rely on this; direct callers use installOutboundDlp.
+// Posture-coordinated install — the operator passes the primitive
+// instances to wire (httpClient / mail / webhook); the posture name
+// selects the default classifier. b.compliance.set does NOT call this:
+// it holds no httpClient / mail / webhook handles, so it cannot install
+// outbound interceptors. Operators wire DLP explicitly by calling this
+// (or installOutboundDlp) with their own primitive instances.
 /**
  * @primitive b.redact.installForPosture
  * @signature b.redact.installForPosture(posture, primitives)
@@ -970,10 +1016,20 @@ function _summarizeHit(h) {
  * @compliance hipaa, pci-dss, gdpr, soc2, fapi2
  * @related   b.redact.installOutboundDlp, b.redact.classifyDefaults
  *
- * Posture-coordinated install — a thin wrapper used by
- * `b.compliance.set` so picking a posture also wires outbound DLP
- * automatically. Direct callers usually want `installOutboundDlp`
- * because it accepts the full hook surface.
+ * Posture-coordinated install — picks the default classifier for
+ * `posture` and wraps the operator-supplied `primitives.httpClient` /
+ * `.mail` / `.webhook` so every outbound payload runs through it. A
+ * thin convenience over `installOutboundDlp`; direct callers usually
+ * want `installOutboundDlp` because it accepts the full hook surface.
+ *
+ * The operator MUST call this with the primitive instances — pinning a
+ * posture via `b.compliance.set` does NOT auto-install outbound DLP,
+ * because the compliance coordinator holds no httpClient / mail /
+ * webhook handles. When a posture whose floor implies outbound DLP
+ * (hipaa / pci-dss / gdpr / soc2 / fapi-2.0) is pinned without this
+ * call, `b.compliance.set` emits a one-time
+ * `compliance.posture.outbound_dlp_unwired` audit warning so the gap is
+ * grep-able in the audit chain.
  *
  * @example
  *   var dlp = b.redact.installForPosture("hipaa", {
@@ -999,6 +1055,7 @@ module.exports = {
   classifyDefaults:      classifyDefaults,
   installOutboundDlp:    installOutboundDlp,
   installForPosture:     installForPosture,
+  isOutboundDlpInstalled: isOutboundDlpInstalled,
   CLASSIFIER_PATTERNS:   CLASSIFIER_PATTERNS,
   MARKER:                DEFAULT_MARKER,
   SENSITIVE_FIELDS:      SENSITIVE_FIELDS,

package/lib/redis-client.js

@@ -28,7 +28,6 @@ var net = require("node:net");
 var nodeTls = require("node:tls");
 var nodeUrl = require("node:url");
 var C = require("./constants");
-var safeAsync = require("./safe-async");
 var validateOpts = require("./validate-opts");
 var ipUtils = require("./ip-utils");
 var { RedisError } = require("./framework-error");
@@ -215,11 +214,28 @@ function create(opts) {
   var connected = false;
   var connecting = false;
   var closing = false;
+  // Shared in-flight connect. Every _connect() call returns the SAME
+  // promise while a connect is in progress, so concurrent callers all
+  // observe the same resolve/reject instead of polling a flag. It is
+  // ALWAYS settled (resolve on ready, reject on socket-error / connect-
+  // timeout / AUTH-or-SELECT failure) and cleared the moment it settles
+  // so the next caller starts a fresh attempt — a connect that fails
+  // can never leave a never-settling promise behind for the next
+  // awaiter to wedge on.
+  var connectPromise = null;
   // Tracked + unref'd reconnect timer. Tracked so close() can cancel a
   // pending backoff (otherwise a reconnect scheduled before close fires
   // after it and opens a fresh socket); unref'd so a backoff window doesn't
   // by itself keep the event loop alive (the process-won't-exit class).
+  // Single-flight: a non-null reconnectTimer means a backoff is already
+  // pending — socket-error AND socket-close firing for the same failure
+  // must not stack two timers (which would burn the reconnect budget at
+  // 2x and open redundant sockets).
   var reconnectTimer = null;
+  // Set once the reconnect budget is exhausted. Makes the give-up path
+  // idempotent (drains pending+backlog exactly once) and stops a stray
+  // close/error after give-up from re-draining or racing a later success.
+  var gaveUp = false;
   var rxBuffer = Buffer.alloc(0);
   // FIFO of in-flight commands awaiting a response
   var pending = [];
@@ -239,18 +255,31 @@ function create(opts) {
 
   function _scheduleReconnect() {
     if (closing) return;
+    // Single-flight: a socket failure surfaces as both an `error` and a
+    // `close` event. Without this guard each one schedules its own timer,
+    // stacking two reconnects for one failure — the budget burns at 2x
+    // and two fresh sockets open. A pending backoff already covers the
+    // failure, so a second call is a no-op.
+    if (reconnectTimer !== null) return;
     if (maxReconnectAttempts >= 0 && reconnectAttempt >= maxReconnectAttempts) {
-      // Drain pending callbacks with a clear error
+      // Reconnect budget exhausted. Drain pending + backlog exactly once;
+      // a later stray close/error must not re-drain or race a future
+      // success path.
+      if (gaveUp) return;
+      gaveUp = true;
       var err = _err("RECONNECT_GAVE_UP",
         "redis: gave up after " + reconnectAttempt + " reconnect attempts");
       _drainPending(err);
       return;
     }
     reconnectAttempt++;
+    // Exponential backoff capped at 30s. Base 100ms is the first-retry
+    // delay (not a duration unit), so it stays a literal; the cap routes
+    // through C.TIME.
     var delay = Math.min(C.TIME.seconds(30), 100 * Math.pow(2, reconnectAttempt - 1));
     reconnectTimer = setTimeout(function () {
       reconnectTimer = null;
-      _connect().catch(function () { /* will reschedule */ });
+      _connect().catch(function () { /* failure reschedules via the teardown path */ });
     }, delay);
     if (typeof reconnectTimer.unref === "function") reconnectTimer.unref();
   }
@@ -261,7 +290,10 @@ function create(opts) {
     batch.forEach(function (p) { p.reject(err); });
     var bl = backlog.slice();
     backlog.length = 0;
-    bl.forEach(function (p) { p.reject(err); });
+    bl.forEach(function (p) {
+      if (p.timer) { clearTimeout(p.timer); p.timer = null; }
+      p.reject(err);
+    });
   }
 
   function _onData(chunk) {
@@ -312,39 +344,74 @@ function create(opts) {
     }
   }
 
-  function _onSocketError(err) {
-    var werr = _err("SOCKET", "redis socket error: " + ((err && err.message) || String(err)));
-    _drainPending(werr);
+  // Single teardown path for a lost socket. A failure surfaces as an
+  // `error` event AND a `close` event (and `error` then destroys the
+  // socket, which fires `close` again) — three callbacks for ONE lost
+  // connection. Routing all of them here, guarded by a "are we still
+  // attached to this socket" check, means pending is drained once and
+  // exactly one reconnect is scheduled (the single-flight guard in
+  // _scheduleReconnect absorbs the rest). `err` is the diagnostic to
+  // reject in-flight commands with.
+  function _teardownSocket(err) {
+    // Already torn down for this socket (the sibling event already ran).
+    if (!connected && socket === null) {
+      // Still let a stray event re-arm a reconnect if one isn't pending
+      // and we haven't been closed — but never re-drain pending.
+      if (!closing) _scheduleReconnect();
+      return;
+    }
     connected = false;
-    try { if (socket) socket.destroy(); } catch (_e) { /* best-effort socket teardown */ }
+    var dead = socket;
     socket = null;
+    if (dead) {
+      try {
+        dead.removeListener("error", _onSocketError);
+        dead.removeListener("close", _onSocketClose);
+        dead.removeListener("data", _onData);
+        dead.destroy();
+      } catch (_e) { /* best-effort socket teardown */ }
+    }
+    _drainPending(err);
     if (!closing) _scheduleReconnect();
   }
 
+  function _onSocketError(err) {
+    _teardownSocket(_err("SOCKET",
+      "redis socket error: " + ((err && err.message) || String(err))));
+  }
+
   function _onSocketClose() {
-    connected = false;
-    if (!closing) {
-      var err = _err("SOCKET_CLOSED", "redis socket closed unexpectedly");
-      _drainPending(err);
-      socket = null;
-      _scheduleReconnect();
-    }
+    _teardownSocket(_err("SOCKET_CLOSED", "redis socket closed unexpectedly"));
   }
 
-  async function _connect() {
-    // A reconnect timer scheduled before close() can still fire afterward;
-    // refuse to re-open once closing so it doesn't leak a fresh socket.
-    if (closing) return;
-    if (connected) return;
-    if (connecting) {
-      // Wait until current connect attempt resolves
-      while (connecting) await safeAsync.sleep(20);
-      return;
-    }
+  // _connect() — public entry. Returns a promise that ALWAYS settles.
+  // Concurrent callers (and the reconnect timer) share the single
+  // in-flight connectPromise rather than each starting a parallel dial,
+  // and they all observe the same resolve/reject. A previous version
+  // polled a `connecting` flag in a `while (connecting) await sleep(20)`
+  // loop; if a failure path failed to clear that flag the waiter spun
+  // forever. The shared promise removes that wedge — the promise is
+  // cleared the instant it settles, so a failed connect can never leave
+  // a never-settling promise behind.
+  function _connect() {
+    if (closing) return Promise.resolve();
+    if (connected) return Promise.resolve();
+    if (connectPromise) return connectPromise;
+    connectPromise = _doConnect();
+    // Clear the shared promise once it settles (either way) so the next
+    // _connect() starts a fresh attempt instead of re-awaiting a stale
+    // settled promise.
+    var clear = function () { connectPromise = null; };
+    connectPromise.then(clear, clear);
+    return connectPromise;
+  }
+
+  async function _doConnect() {
     connecting = true;
     rxBuffer = Buffer.alloc(0);
+    var newSocket = null;
     try {
-      socket = await new Promise(function (resolve, reject) {
+      newSocket = await new Promise(function (resolve, reject) {
         var sock;
         var timer = setTimeout(function () {
           try { if (sock) sock.destroy(); } catch (_e) { /* best-effort socket teardown */ }
@@ -371,16 +438,19 @@ function create(opts) {
         }
         sock.once("error", onErr);
       });
+      socket = newSocket;
       socket.setNoDelay(true);
       socket.on("data", _onData);
       socket.on("error", _onSocketError);
       socket.on("close", _onSocketClose);
       connected = true;
-      reconnectAttempt = 0;
 
       // Auth + select db on (re)connect — without resetting the
       // backlog of commands queued during disconnect. Send these
       // BEFORE the backlog so the server is ready when backlog flushes.
+      // A failure here (wrong password, server SELECT rejection, socket
+      // dropped mid-AUTH) must not leave connected=true on a half-open
+      // socket — the catch below tears the socket down and rethrows.
       if (password) {
         var authArgs = username ? ["AUTH", username, password] : ["AUTH", password];
         await _sendNoQueue(authArgs);
@@ -389,15 +459,47 @@ function create(opts) {
         await _sendNoQueue(["SELECT", String(db)]);
       }
 
-      // Flush backlog
+      // Connect fully succeeded — only now reset the backoff counter +
+      // the give-up latch so a future disconnect gets a fresh budget.
+      reconnectAttempt = 0;
+      gaveUp = false;
+      connecting = false;
+
+      // Flush backlog. Clear each queued entry's not-connected timeout
+      // before it goes on the wire — the in-flight command timeout in
+      // _writeAndAwait now owns its lifetime.
       var bl = backlog.slice();
       backlog.length = 0;
-      bl.forEach(function (entry) { _writeAndAwait(entry.args, entry.resolve, entry.reject); });
+      bl.forEach(function (entry) {
+        if (entry.timer) { clearTimeout(entry.timer); entry.timer = null; }
+        _writeAndAwait(entry.args, entry.resolve, entry.reject);
+      });
     } catch (err) {
       connecting = false;
+      connected = false;
+      // Tear down a half-open socket (came up, then AUTH/SELECT failed)
+      // so we never leave connected=false with a live socket whose data/
+      // error/close handlers would fire against stale state. If the
+      // socket-error handler already ran it set socket=null.
+      var dead = socket || newSocket;
+      socket = null;
+      if (dead) {
+        try {
+          dead.removeListener("error", _onSocketError);
+          dead.removeListener("close", _onSocketClose);
+          dead.removeListener("data", _onData);
+          dead.destroy();
+        } catch (_e) { /* best-effort socket teardown */ }
+      }
+      // A failed dial (reset before ready) or an AUTH/SELECT failure must keep
+      // the reconnect loop alive. The post-ready error/close handlers that
+      // normally drive reconnect are not attached yet during the dial, so
+      // without scheduling here a connection lost mid-dial rejects the connect
+      // promise and the client never reconnects. Single-flight + budget-guarded
+      // by _scheduleReconnect; the caller still observes this attempt's rejection.
+      if (!closing) _scheduleReconnect();
       throw err;
     }
-    connecting = false;
   }
 
   // Internal helper that bypasses the connect-pending backlog (used
@@ -448,7 +550,28 @@ function create(opts) {
         return;
       }
       if (!connected) {
-        backlog.push({ args: args, resolve: resolve, reject: reject });
+        // Reconnect budget exhausted and no reconnect is in flight — a
+        // backlogged command here would never be flushed (nothing will
+        // reconnect to drain it) and would wedge the caller forever.
+        // Reject immediately instead.
+        if (gaveUp && reconnectTimer === null && !connecting) {
+          reject(_err("RECONNECT_GAVE_UP",
+            "redis: client disconnected and reconnect budget exhausted"));
+          return;
+        }
+        // Queued until the next successful connect flushes the backlog.
+        // Bound it with a timeout so a connect that never completes (the
+        // backend is down for the whole window) settles the caller with
+        // a clear error instead of leaving the await pending forever.
+        var entry = { args: args, resolve: resolve, reject: reject, timer: null };
+        entry.timer = setTimeout(function () {
+          var idx = backlog.indexOf(entry);
+          if (idx !== -1) backlog.splice(idx, 1);
+          reject(_err("COMMAND_TIMEOUT",
+            "redis " + args[0] + " timed out while queued (client not connected)"));
+        }, commandTimeoutMs);
+        if (typeof entry.timer.unref === "function") entry.timer.unref();
+        backlog.push(entry);
         return;
       }
       _writeAndAwait(args, resolve, reject);
@@ -469,6 +592,9 @@ function create(opts) {
   async function close() {
     closing = true;
     if (reconnectTimer) { clearTimeout(reconnectTimer); reconnectTimer = null; }
+    // Drop the shared connect promise so a re-create after close (or a
+    // late awaiter) doesn't re-await a stale in-flight attempt.
+    connectPromise = null;
     var err = _err("CLOSED", "redis client closed");
     _drainPending(err);
     if (socket) {
@@ -492,8 +618,11 @@ function create(opts) {
     _state:     function () {
       return {
         connected: connected, closing: closing,
+        connecting: connecting,
         pending:   pending.length, backlog: backlog.length,
         reconnect: reconnectAttempt,
+        reconnectPending: reconnectTimer !== null,
+        gaveUp:    gaveUp,
         host:      host, port: port, db: db, tls: useTls,
         connectTimeoutMs:     connectTimeoutMs,
         commandTimeoutMs:     commandTimeoutMs,

package/lib/retention.js

@@ -46,6 +46,7 @@ var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var { defineClass } = require("./framework-error");
 
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -55,6 +56,25 @@ var legalHold = lazyRequire(function () { return require("./legal-hold"); });
 var RetentionError = defineClass("RetentionError", { alwaysPermanent: true });
 var _err = RetentionError.factory;
 
+// Resolve the b.sql dialect for the operator-supplied handle. The framework's
+// local b.db handle is always node:sqlite (db.js pins { dialect: "sqlite",
+// quoteName: true }) and exposes no .dialect, so this defaults to "sqlite" —
+// every sweep statement runs against that handle via .prepare(). An operator
+// handle that DOES advertise a dialect (string or () -> string) has it
+// threaded through so the emitted identifier quoting + idioms match the
+// backend the handle dispatches to. quoteName stays on for every retention
+// statement: the rule's table / ageField / softDeleteField identifiers are
+// validated then quoted by construction (no clusterStorage prefix rewrite on
+// this operator-app-schema path).
+function _handleDialect(db) {
+  if (db && typeof db.dialect === "function") {
+    try { var d = db.dialect(); return typeof d === "string" ? d : "sqlite"; }
+    catch (_e) { return "sqlite"; }
+  }
+  if (db && typeof db.dialect === "string") return db.dialect;
+  return "sqlite";
+}
+
 // Identifier-level SQLi defense: every operator-supplied table name,
 // column name, and cascade FK must pass safeSql.validateIdentifier
 // before reaching SQL string concatenation. Without this gate a
@@ -196,6 +216,11 @@ function create(opts) {
     throw _err("BAD_OPT", "create: opts.db is required (a b.db handle with .prepare(sql))");
   }
   var db = opts.db;
+  // b.sql opts for every retention statement built against this handle. The
+  // dialect tracks the handle (sqlite for the framework's local b.db); the
+  // validated operator identifiers are quoted by construction (quoteName)
+  // with no clusterStorage prefix rewrite on this path.
+  var SQL_OPTS = { dialect: _handleDialect(db), quoteName: true };
   var auditOn = opts.audit !== false && opts.audit != null;
   var auditInstance = (opts.audit && opts.audit !== true) ? opts.audit : null;
   var rules = {};
@@ -235,16 +260,24 @@ function create(opts) {
 
   function _hardDelete(table, rowId, dryRun) {
     if (dryRun) return { wouldDelete: 1 };
-    var del = db.prepare("DELETE FROM \"" + table + "\" WHERE _id = ?");
-    del.run(rowId);
+    // Operator app table — quoteName so the validated identifier emits as a
+    // quoted local name; the row id binds as a placeholder.
+    var built = sql.delete(table, SQL_OPTS)
+      .where("_id", rowId)
+      .toSql();
+    var del = db.prepare(built.sql);
+    del.run.apply(del, built.params);
     return { deleted: 1 };
   }
 
   function _softDelete(table, rowId, softField, dryRun) {
     if (dryRun) return { wouldSoftDelete: 1 };
-    var upd = db.prepare(
-      "UPDATE \"" + table + "\" SET \"" + softField + "\" = ? WHERE _id = ?");
-    upd.run(Date.now(), rowId);
+    var built = sql.update(table, SQL_OPTS)
+      .set(softField, Date.now())
+      .where("_id", rowId)
+      .toSql();
+    var upd = db.prepare(built.sql);
+    upd.run.apply(upd, built.params);
     return { softDeleted: 1 };
   }
 
@@ -261,19 +294,17 @@ function create(opts) {
       return _hardDelete(table, row._id, dryRun);
     }
     if (dryRun) return { wouldErase: 1, sealedFieldCount: sealedFields.length };
-    var setClauses = [];
-    var values = [];
-    for (var si = 0; si < sealedFields.length; si++) {
-      setClauses.push('"' + sealedFields[si] + '" = ?');
-      values.push(null);
-    }
-    for (var hi = 0; hi < hashFields.length; hi++) {
-      setClauses.push('"' + hashFields[hi] + '" = ?');
-      values.push(null);
-    }
-    values.push(row._id);
-    var upd2 = db.prepare("UPDATE \"" + table + "\" SET " + setClauses.join(", ") + " WHERE _id = ?");
-    upd2.run.apply(upd2, values);
+    // NULL every sealed column + its derived-hash sibling. b.sql binds each
+    // null as a placeholder (the set map preserves the column ordering).
+    var eraseSet = {};
+    for (var si = 0; si < sealedFields.length; si++) eraseSet[sealedFields[si]] = null;
+    for (var hi = 0; hi < hashFields.length; hi++) eraseSet[hashFields[hi]] = null;
+    var eraseBuilt = sql.update(table, SQL_OPTS)
+      .set(eraseSet)
+      .where("_id", row._id)
+      .toSql();
+    var upd2 = db.prepare(eraseBuilt.sql);
+    upd2.run.apply(upd2, eraseBuilt.params);
     // Per-row-key tables (declarePerRowKey): NULLing the sealed columns
     // is not enough — WAL / replica residuals keep the old K_row cells.
     // Destroy the row's wrapped secret so K_row is unrecoverable and the
@@ -294,15 +325,20 @@ function create(opts) {
     for (var i = 0; i < rule.cascade.length; i++) {
       var c = rule.cascade[i];
       if (dryRun) {
-        var sel = db.prepare(
-          "SELECT COUNT(*) AS n FROM \"" + c.table + "\" WHERE \"" + c.foreignKey + "\" = ?");
-        var n = sel.get(rowId);
+        var selBuilt = sql.select(c.table, SQL_OPTS)
+          .count("*", "n")
+          .where(c.foreignKey, rowId)
+          .toSql();
+        var sel = db.prepare(selBuilt.sql);
+        var n = sel.get.apply(sel, selBuilt.params);
         cascadeSummary.push({ table: c.table, foreignKey: c.foreignKey,
           wouldDelete: (n && typeof n.n === "number") ? n.n : 0 });
       } else {
-        var del = db.prepare(
-          "DELETE FROM \"" + c.table + "\" WHERE \"" + c.foreignKey + "\" = ?");
-        var result = del.run(rowId);
+        var delBuilt = sql.delete(c.table, SQL_OPTS)
+          .where(c.foreignKey, rowId)
+          .toSql();
+        var del = db.prepare(delBuilt.sql);
+        var result = del.run.apply(del, delBuilt.params);
         cascadeSummary.push({ table: c.table, foreignKey: c.foreignKey,
           deleted: result.changes || 0 });
       }
@@ -392,24 +428,31 @@ function create(opts) {
       while (moreRows) {
         var rows;
         // The candidate WHERE-clause: age + not-already-erased + not-on-legal-hold +
-        // (when soft-delete is configured) not-already-soft-deleted.
-        var whereParts = ['"' + rule.ageField + '" <= ?'];
-        var whereArgs = [cutoff];
-        if (rule.softDeleteField) {
-          whereParts.push('("' + rule.softDeleteField + '" IS NULL)');
+        // (when soft-delete is configured) not-already-soft-deleted. Built
+        // through b.sql so the operator-supplied table / ageField / softDeleteField
+        // identifiers are quoted by construction and every value binds as a
+        // placeholder (the '' empty-string compare included — no embedded literal).
+        function _candidateBase() {
+          var qb = sql.select(rule.table, SQL_OPTS)
+            .where(rule.ageField, "<=", cutoff);
+          if (rule.softDeleteField) qb.whereNull(rule.softDeleteField);
+          return qb;
         }
-        var sql = "SELECT * FROM \"" + rule.table + "\" " +
-          "WHERE " + whereParts.join(" AND ") + " " +
-          "AND (__erasedAt IS NULL OR __erasedAt = '') " +
-          "LIMIT ?";
         var selStmt;
-        try { selStmt = db.prepare(sql); rows = selStmt.all.apply(selStmt, whereArgs.concat([rule.batchSize])); }
-        catch (_eA) {
+        try {
+          var built = _candidateBase()
+            .whereGroup(function (g) {
+              g.whereNull("__erasedAt").orWhereOp("__erasedAt", "=", "");
+            })
+            .limit(rule.batchSize)
+            .toSql();
+          selStmt = db.prepare(built.sql);
+          rows = selStmt.all.apply(selStmt, built.params);
+        } catch (_eA) {
           // Fallback: tables without __erasedAt
-          var sqlPlain = "SELECT * FROM \"" + rule.table + "\" " +
-            "WHERE " + whereParts.join(" AND ") + " LIMIT ?";
-          var selPlain = db.prepare(sqlPlain);
-          rows = selPlain.all.apply(selPlain, whereArgs.concat([rule.batchSize]));
+          var plainBuilt = _candidateBase().limit(rule.batchSize).toSql();
+          var selPlain = db.prepare(plainBuilt.sql);
+          rows = selPlain.all.apply(selPlain, plainBuilt.params);
         }
         if (!rows || rows.length === 0) { moreRows = false; break; }
         summary.scanned += rows.length;