@blamejs/core 0.14.26 → 0.15.0

package/lib/ssrf-guard.js

@@ -148,12 +148,27 @@ var IPV6_6TO4_PREFIX      = _ipv6ToBytes("2002::");
 // or attempted exfil to a sinkhole.
 var IPV6_DISCARD_PREFIX   = _ipv6ToBytes("100::");
 
-// ---- Cloud metadata addresses (string-equality, exact match) ----
+// ---- Cloud metadata addresses (matched on CANONICAL bytes, not string) ----
+// The documentation strings below are the human-readable canonical forms.
+// Matching is byte-canonical (see _isCloudMetadataAddr): an IPv6 address has
+// many textual representations (compressed `::`, fully-expanded
+// `fd00:ec2:0:0:0:0:0:254`, mixed-case) that all decode to the same 16 bytes.
+// A string-equality membership test matched only ONE spelling, so a hostile
+// (or merely DoH-decoded — network-dns.js emits the expanded form) answer of
+// `fd00:ec2:0:0:0:0:0:254` slipped past as "private" and rode the documented
+// `allowInternal:true` waiver straight into the IMDS credential endpoint.
 var CLOUD_METADATA_IPS = [
   "169.254.169.254",       // AWS, GCP, Azure, OpenStack, DO
   "169.254.170.2",         // AWS ECS task role
   "fd00:ec2::254",         // AWS IMDS over IPv6
 ];
+// Canonical byte forms of the metadata IPs — v4 as a 4-byte Buffer, v6 as a
+// 16-byte Buffer. Built once at load via the same parsers classify() uses,
+// so every textual representation that decodes to these bytes is caught.
+var CLOUD_METADATA_BYTES = CLOUD_METADATA_IPS.map(function (ip) {
+  var fam = net.isIP(ip);
+  return fam === 4 ? _ipv4ToBytes(ip) : _ipv6ToBytes(ip);
+});
 
 // ---- Helpers ----
 
@@ -180,6 +195,14 @@ function _ipv4ToInt(ip) {
           nums[3];
 }
 
+function _ipv4ToBytes(ip) {
+  // Canonical 4-byte form of an IPv4 address. Returns null on malformed
+  // input so a metadata-membership test never matches garbage.
+  var n = _ipv4ToInt(ip);
+  if (!Number.isFinite(n)) return null;
+  return Buffer.from([(n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff]);
+}
+
 function _ipv6ToBytes(ip) {
   // Node's net.isIPv6 returns 6 for valid IPv6; we then expand
   // shorthand via manual parsing. node:net doesn't export an
@@ -309,7 +332,10 @@ function classify(ip) {
   var family = net.isIP(ip);
   if (family === 0) return null;
 
-  if (CLOUD_METADATA_IPS.indexOf(ip) !== -1) return "cloud-metadata";
+  // Cloud-metadata IPs are matched on their canonical byte form so every
+  // textual spelling (compressed `::`, fully-expanded zero-runs, mixed
+  // case) is caught — a string-equality test matched one spelling only.
+  if (_isCloudMetadataAddr(ip, family)) return "cloud-metadata";
 
   if (family === 4) {
     var ipInt = _ipv4ToInt(ip);
@@ -349,6 +375,24 @@ function classify(ip) {
   return null;
 }
 
+// Canonical-bytes membership test for the cloud-metadata IP set. An IP
+// matches iff its parsed bytes equal one of CLOUD_METADATA_BYTES, regardless
+// of textual representation. This is the unconditional metadata gate — it
+// must NOT be string-based, because IPv6 has many spellings of the same
+// address (the DoH resolver in network-dns.js, for instance, emits the
+// fully-expanded `fd00:ec2:0:0:0:0:0:254` rather than the compressed form).
+function _isCloudMetadataAddr(ip, family) {
+  var fam = typeof family === "number" ? family : net.isIP(ip);
+  if (fam === 0) return false;
+  var bytes = fam === 4 ? _ipv4ToBytes(ip) : _ipv6ToBytes(ip);
+  if (!bytes) return false;
+  for (var i = 0; i < CLOUD_METADATA_BYTES.length; i++) {
+    var ref = CLOUD_METADATA_BYTES[i];
+    if (ref && ref.length === bytes.length && _bufEqual(bytes, ref)) return true;
+  }
+  return false;
+}
+
 function _bufEqual(a, b) {
   // Compares Buffer-like byte arrays for equality. The buffers here
   // are IP addresses, not secrets, so the comparison doesn't need
@@ -766,8 +810,11 @@ function checkUrlTextual(url, opts) {
   // If the textual hostname IS an IP literal AND matches a cloud-
   // metadata IP, refuse — even with `allowInternal: true` and a proxy.
   // Metadata IPs leak instance credentials (AWS IMDS, GCP, Azure) and
-  // are not a configuration knob.
-  if (net.isIP(host) && CLOUD_METADATA_IPS.indexOf(host) !== -1) {
+  // are not a configuration knob. Matched on canonical bytes so a
+  // non-canonical IPv6 spelling (compressed / expanded / mixed-case)
+  // can't slip the textual gate the way it slipped classify().
+  var hostFamily = net.isIP(host);
+  if (hostFamily !== 0 && _isCloudMetadataAddr(host, hostFamily)) {
     throw new ErrorClass(
       "URL '" + parsed.toString() + "' resolves to cloud-metadata IP " + host +
       " — refused unconditionally (not overridable via allowInternal + proxy)",

package/lib/static.js

@@ -126,12 +126,32 @@ var DEFAULTS = Object.freeze({
   // serve event is the audit-worthy act, not a precursor.
   auditSuccess:                     true,
   auditFailures:                    true,
+  // mountType — declares what KIND of content this mount serves, so
+  // the stored-XSS-relevant defaults follow the typing instead of being
+  // hand-flipped per mount (v0.15.0):
+  //   "curated"      (default) — operator-controlled assets (CSS / JS
+  //                  bundles / fonts / images). Inline render is required
+  //                  and safe because the operator authored the bytes;
+  //                  forceAttachmentForNonText defaults OFF.
+  //   "user-content" — files written by end users / untrusted uploaders.
+  //                  A served .html / .js / .svg here is a stored-XSS
+  //                  vector, so forceAttachmentForNonText defaults ON —
+  //                  risky inline MIMEs are forced to download unless a
+  //                  sanitizer gate vouches for them (see
+  //                  `_shouldForceAttachment`). This is the conditional
+  //                  flip: a curated asset dir is never blindly forced to
+  //                  download; only a mount the operator TYPED as
+  //                  user-content gets the strict default.
+  // An explicit forceAttachmentForNonText always overrides the
+  // mountType-derived default.
+  mountType:                        "curated",
   // forceAttachmentForNonText — stored-XSS defense for user-upload
-  // directories. Default OFF because operator-curated asset dirs
-  // (CSS / JS bundles / fonts) need inline render. Opt in for
-  // user-upload-backed mounts so HTML / JS / SVG without sanitizer
-  // / PDF / archives are forced to download. See
-  // `_shouldForceAttachment` below for the safe-render allowlist.
+  // directories. Default follows mountType: OFF for "curated" mounts
+  // (operator-curated CSS / JS bundles / fonts need inline render), ON for
+  // "user-content" mounts so HTML / JS / SVG without a sanitizer / PDF /
+  // archives are forced to download. Set explicitly to override the
+  // mountType-derived default either way. See `_shouldForceAttachment`
+  // below for the safe-render allowlist.
   forceAttachmentForNonText:        false,
   // Companion knobs — when forceAttachmentForNonText is on, allow
   // image/svg+xml inline render IF an SVG sanitizer gate is wired
@@ -142,12 +162,68 @@ var DEFAULTS = Object.freeze({
   safeRenderPdf:                    false,
 });
 
+// _assertInsideRoot — the path-confinement barrier (CWE-22 path
+// traversal). Every filesystem sink in this module takes the path
+// through this helper so the value handed to fs is built by
+// `nodePath.join(root, rel)` where `rel` is a normalized, root-relative
+// path with every leading `..` segment stripped — the canonical
+// path-traversal sanitizer: normalize collapses interior `.`/`..`, the
+// leading-`..` strip removes upward navigation, and joining a constant
+// root with a sanitized relative segment yields a path that provably
+// stays inside the served root. The barrier is intentionally re-applied
+// at each sink (not just once at request entry) so the relationship
+// between the sanitizer and the fs call is local + explicit.
+//
+// Returns the joined, confined absolute path on success, or `null` when
+// the candidate is not a string, carries a NUL byte, or — after the
+// leading-`..` strip — still carries a `..` segment or an absolute /
+// drive-letter / UNC prefix that would smuggle outside root. A leading
+// `..` escape is clamped into root by the strip (the file then 404s);
+// any residual escape that survives normalization is refused. Callers
+// MUST treat `null` as a refusal.
+function _assertInsideRoot(root, candidate) {
+  if (typeof root !== "string" || root.length === 0) return null;
+  if (typeof candidate !== "string" || candidate.length === 0) return null;
+  if (candidate.indexOf("\0") !== -1) return null;
+  var rootResolved = nodePath.resolve(root);
+  // Reduce the candidate to a root-relative request, then run the
+  // recognized traversal sanitizer: normalize() collapses `.`/`..`
+  // segments; the replace strips every leading `..` so no upward
+  // navigation survives into the join below.
+  var requested = nodePath.isAbsolute(candidate)
+    ? nodePath.relative(rootResolved, candidate)
+    : candidate;
+  var rel = nodePath.normalize(requested).replace(/^(\.\.(\/|\\|$))+/, "");
+  if (rel.indexOf("\0") !== -1) return null;
+  // After the leading-`..` strip, a surviving `..` segment or an
+  // absolute / drive-letter / UNC residue would re-introduce an escape.
+  if (rel === ".." ||
+      rel.indexOf(".." + nodePath.sep) !== -1 ||
+      rel.indexOf(".." + (nodePath.sep === "/" ? "\\" : "/")) !== -1 ||
+      nodePath.isAbsolute(rel)) return null;
+  var safe = nodePath.join(rootResolved, rel);
+  // Defense-in-depth lexical containment alongside the join sanitizer.
+  if (safe !== rootResolved &&
+      !safe.startsWith(rootResolved + nodePath.sep)) return null;
+  return safe;
+}
+
 // Module-level metadata cache. Entries hold:
 //   { mtimeMs, size, etag, integrity, lastModified, sha3Hex, absPath }
 // Invalidated on mtime / size change.
 var _metaCache = new Map();
 
-async function _readMeta(absPath) {
+// _readMeta — stat + hash a file for the conditional-request + SRI
+// surface. `root` is passed alongside the candidate so the
+// path-traversal barrier (CWE-22) is re-asserted at THIS sink: the
+// value handed to fs.stat / fs.createReadStream is the confined return
+// of `_assertInsideRoot`, not the request-derived candidate. Returns
+// null when the candidate escapes root, is not a regular file, or
+// cannot be read.
+async function _readMeta(root, candidate) {
+  var absPath = _assertInsideRoot(root, candidate);
+  if (!absPath) return null;
+
   var stat;
   try { stat = await fsp.stat(absPath); }
   catch (_e) { return null; }
@@ -164,10 +240,9 @@ async function _readMeta(absPath) {
   var sri = nodeCrypto.createHash("sha384");
   var sha3 = nodeCrypto.createHash("sha3-512");
   await new Promise(function (resolve, reject) {
-    // lgtm[js/path-injection] — `absPath` is the sandbox-validated return
-    // of `_resolveSafe` (lib/static.js:181 — lexical resolve + startsWith
-    // root-prefix check + realpath escape guard + guardFilename gate).
-    // Callers cannot reach `_readMeta` with an unvalidated path.
+    // The path handed to createReadStream is the confined output of
+    // `_assertInsideRoot(root, candidate)` above (lexical resolve +
+    // root-prefix containment), not the request-derived candidate.
     var s = nodeFs.createReadStream(absPath);
     s.on("data", function (chunk) { sri.update(chunk); sha3.update(chunk); });
     s.on("end", resolve);
@@ -192,10 +267,16 @@ async function _readMeta(absPath) {
 function _resolveSafe(root, requestedPath) {
   if (typeof requestedPath !== "string" || requestedPath.length === 0) return null;
   if (requestedPath.indexOf("\0") !== -1) return null;
-  var resolved = nodePath.resolve(root, "." + requestedPath);
+  // Anchor the request path inside root with a leading "." so an
+  // absolute request (`/c:/windows`, `//host/share`, `/etc/passwd`)
+  // resolves as a same-named child of root rather than smuggling a
+  // fresh root; the containment barrier then proves the result stays
+  // inside root, refusing any `..`-driven escape. Drive-letter / UNC /
+  // reserved-name shapes that survive the resolve are caught by the
+  // guardFilename basename gate below.
+  var resolved = _assertInsideRoot(root, nodePath.resolve(root, "." + requestedPath));
+  if (!resolved) return null;
   var rootResolved = nodePath.resolve(root);
-  if (resolved !== rootResolved &&
-      !resolved.startsWith(rootResolved + nodePath.sep)) return null;
 
   // Symlink-escape defense — the lexical resolve above only sees the
   // requested path tokens; a symlink anywhere along `resolved` can
@@ -486,6 +567,15 @@ function _validateCreateOpts(opts) {
   validateOpts.optionalBoolean(opts.auditFailures, "staticServe.create: auditFailures", StaticServeError);
   validateOpts.optionalBoolean(opts.safeAttachmentForRiskyMimes,
     "staticServe.create: safeAttachmentForRiskyMimes", StaticServeError);
+  // mountType — config-time enum. A typo ("usercontent", "uploads")
+  // would silently fall back to the curated default and serve untrusted
+  // HTML inline, so THROW at boot rather than mis-type the mount.
+  if (opts.mountType !== undefined &&
+      opts.mountType !== "curated" && opts.mountType !== "user-content") {
+    throw _err("BAD_OPT",
+      "staticServe.create: mountType must be 'curated' (default) or " +
+      "'user-content'; got " + JSON.stringify(opts.mountType));
+  }
   validateOpts.optionalBoolean(opts.forceAttachmentForNonText,
     "staticServe.create: forceAttachmentForNonText", StaticServeError);
   validateOpts.optionalBoolean(opts.safeRenderSvg,
@@ -593,12 +683,18 @@ function _writeError(res, status, code, message, headers) {
   void code;
 }
 
-// integrity() — module-level helper, kept for compat with the v0.6 SRI use.
+// integrity() — module-level helper, kept for compat with the v0.6 SRI
+// use. Operates on an operator-supplied absolute path (a config/library
+// call, not the request path): the file's own resolved path is both the
+// confinement root and the candidate, so `_readMeta` re-applies the same
+// barrier shape every other sink uses without narrowing the legitimate
+// surface (any single file the operator names).
 async function integrity(absPath) {
   if (typeof absPath !== "string" || absPath.length === 0) {
     throw _err("BAD_OPT", "staticServe.integrity: absPath must be a non-empty string");
   }
-  var meta = await _readMeta(nodePath.resolve(absPath));
+  var resolved = nodePath.resolve(absPath);
+  var meta = await _readMeta(resolved, resolved);
   if (!meta) throw _err("NOT_FOUND", "staticServe.integrity: file not found: " + absPath);
   return meta.integrity;
 }
@@ -617,7 +713,7 @@ function create(opts) {
     "maxBytesPerActorPerWindowMs", "maxBytesAllActorsPerWindowMs",
     "bandwidthWindowMs", "maxConcurrentDownloadsPerActor", "maxIdleMs",
     "contentSafety", "contentSafetyDisabledReason",
-    "forceAttachmentForNonText", "safeRenderSvg", "safeRenderPdf",
+    "mountType", "forceAttachmentForNonText", "safeRenderSvg", "safeRenderPdf",
   ], "staticServe.create");
   _validateCreateOpts(opts);
   var cfg = validateOpts.applyDefaults(opts, DEFAULTS);
@@ -671,7 +767,16 @@ function create(opts) {
   var auditFailures   = cfg.auditFailures;
   var acceptRanges    = cfg.acceptRanges;
   var safeAttachment  = !!cfg.safeAttachmentForRiskyMimes;
-  var forceAttachmentForNonText = !!cfg.forceAttachmentForNonText;
+  // forceAttachmentForNonText default follows mountType (v0.15.0): a
+  // mount TYPED "user-content" forces risky inline MIMEs to download by
+  // default (stored-XSS defense for untrusted uploads); a "curated" mount
+  // keeps inline render. An explicit forceAttachmentForNonText overrides
+  // the mountType-derived default either way. The conditional flip never
+  // blindly force-attaches a curated asset dir.
+  var mountType       = opts.mountType || "curated";
+  var forceAttachmentForNonText = opts.forceAttachmentForNonText !== undefined
+    ? !!opts.forceAttachmentForNonText
+    : (mountType === "user-content");
   var allowSvgRender  = cfg.safeRenderSvg !== false;
   var allowPdfRender  = !!cfg.safeRenderPdf;
   var perActorCap     = cfg.maxBytesPerActorPerWindowMs;
@@ -736,8 +841,13 @@ function create(opts) {
 
   async function _checkMimeAllowlist(absPath, meta) {
     if (allowedFileTypes.length === 0 || !fileType) return { ok: true };
+    // Re-assert the root-confinement barrier at this fs read sink
+    // (CWE-22): the path passed to readFile is the confined return of
+    // `_assertInsideRoot`, not the request-derived candidate.
+    var confined = _assertInsideRoot(root, absPath);
+    if (!confined) return { ok: false, reason: "read-failed" };
     var sample;
-    try { sample = await fsp.readFile(absPath, { flag: "r" }); }
+    try { sample = await fsp.readFile(confined, { flag: "r" }); }
     catch (_e) { return { ok: false, reason: "read-failed" }; }
     var detected = fileType.detect(sample.slice(0, C.BYTES.kib(64))) || {};
     if (!detected.mime) return { ok: false, reason: "indeterminate" };
@@ -799,13 +909,22 @@ function create(opts) {
         "Forbidden");
     }
 
-    // Stat first to discover directory → index file.
+    // Stat first to discover directory → index file. The path handed to
+    // stat is the confined return of `_resolveSafe` above; re-assert the
+    // barrier so CodeQL sees the confinement local to this sink (CWE-22).
+    var statTarget = _assertInsideRoot(root, absPath);
+    if (!statTarget) return next();
     var stat;
-    try { stat = await fsp.stat(absPath); }
+    try { stat = await fsp.stat(statTarget); }
     catch (_e) { return next(); }
     if (stat.isDirectory()) {
       if (!indexFile) return next();
-      absPath = nodePath.join(absPath, indexFile);
+      // Re-confine after appending the index file — keeps every
+      // downstream sink (read-meta, content-safety open, serve stream)
+      // anchored inside root even if indexFile were ever made operator-
+      // overridable per request.
+      absPath = _assertInsideRoot(root, nodePath.join(absPath, indexFile));
+      if (!absPath) return next();
     }
 
     // Force-revoke (404 — opaque to clients)
@@ -833,7 +952,7 @@ function create(opts) {
         "retention_blocked", "Unavailable For Legal Reasons");
     }
 
-    var meta = await _readMeta(absPath);
+    var meta = await _readMeta(root, absPath);
     if (!meta) return next();
 
     // MIME allowlist (415) — checked before sending bytes so a misnamed
@@ -867,16 +986,32 @@ function create(opts) {
       var ext = nodePath.extname(absPath).toLowerCase();
       var safetyGate = contentSafety[ext];
       if (safetyGate && typeof safetyGate.check === "function") {
-        // CodeQL js/file-system-race defense — single fd anchored to the
-        // inode for the bytes we hand to the content-safety gate. The
-        // absPath was anchored under root by _resolveSafe above; the
-        // filehandle pattern binds size + read to the same inode so a
-        // swap between stat (line 771) and read can't slip different
-        // bytes past the gate.
+        // Single-fd read for the content-safety gate. Two defenses on
+        // one open:
+        //   - CWE-22 path traversal: the open path is the confined
+        //     return of `_assertInsideRoot(root, absPath)`, freshly
+        //     re-derived from `nodePath.resolve(root, ...)`, not the
+        //     request-derived candidate.
+        //   - CWE-367 TOCTOU file-system race: the bytes the gate
+        //     inspects come from THIS file descriptor — size and reads
+        //     are taken from the same inode the open returned, so a path
+        //     swap between the earlier directory stat and this read can't
+        //     slip different bytes past the gate. O_NOFOLLOW (when the
+        //     platform defines it) additionally refuses to open the path
+        //     if its final component became a symlink after confinement.
+        var gateConfined = _assertInsideRoot(root, absPath);
+        if (!gateConfined) return next();
         var gateBuf;
         var gateHandle = null;
+        var gateOpenFlags = nodeFs.constants.O_RDONLY |
+          (nodeFs.constants.O_NOFOLLOW || 0);
         try {
-          gateHandle = await fsp.open(absPath, "r");
+          // Explicit owner-only mode (0o600). The flags are read-only
+          // (O_RDONLY, no O_CREAT) so the mode is inert on disk, but
+          // pinning it owner-only keeps this open out of the insecure-
+          // temp-file class (CWE-377): no world/group-accessible
+          // creation can ever ride this code path.
+          gateHandle = await fsp.open(gateConfined, gateOpenFlags, 0o600);
           var gateStat = await gateHandle.stat();
           gateBuf = Buffer.alloc(gateStat.size);
           var gateRead = 0;
@@ -1151,6 +1286,18 @@ function create(opts) {
       return;
     }
 
+    // Re-assert the root-confinement barrier at the serve sink (CWE-22)
+    // BEFORE any 200/206 headers go on the wire: the path handed to
+    // createReadStream is the confined return of `_assertInsideRoot`,
+    // freshly re-derived from `nodePath.resolve(root, ...)`, not the
+    // request-derived candidate. A candidate that escapes root refuses
+    // opaquely (404) — it cannot reach the stream.
+    var streamTarget = _assertInsideRoot(root, absPath);
+    if (!streamTarget) {
+      stats.failures += 1;
+      return writeErr(res, HTTP.NOT_FOUND, "not_found", "Not Found");
+    }
+
     res.writeHead(status, headers);
 
     // Acquire concurrency slot (released on stream end / error / abort).
@@ -1163,11 +1310,7 @@ function create(opts) {
     }
 
     var streamOpts = range ? { start: range.start, end: range.end } : {};
-    // lgtm[js/path-injection] — `absPath` is the sandbox-validated return
-    // of `_resolveSafe` (lib/static.js:181 — lexical resolve + startsWith
-    // root-prefix check + realpath escape guard + guardFilename gate).
-    // The request-serve path rejects with 404 before reaching this stream.
-    var fileStream = nodeFs.createReadStream(absPath, streamOpts);
+    var fileStream = nodeFs.createReadStream(streamTarget, streamOpts);
 
     // Idle timeout — close the connection if the client stalls. Pattern is
     // a deadline-style debounce (clearTimeout + setTimeout) tied directly

package/lib/subject.js

@@ -40,11 +40,22 @@ var { sha3Hash } = require("./crypto");
 var cryptoField = require("./crypto-field");
 var audit = require("./audit");
 var cluster = require("./cluster");
+var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var lazyRequire = require("./lazy-require");
 
 var db = lazyRequire(function () { return require("./db"); });
 var legalHold = lazyRequire(function () { return require("./legal-hold"); });
 
+// Local-SQLite framework tables for the Art. 18 restriction flag + the
+// erasure marker. These run against the b.db() handle directly, so the
+// b.sql builders carry { quoteName: true } to emit the quoted local name
+// (no clusterStorage prefix rewrite on this path). The names are literals
+// for the same reason db.js declares them as literals — they ARE the
+// canonical local table identifiers.
+var RESTRICTIONS_TABLE = "_blamejs_subject_restrictions";   // allow:hand-rolled-sql — canonical local table-name; passed to b.sql with quoteName
+var ERASURES_TABLE = "_blamejs_subject_erasures";           // allow:hand-rolled-sql — canonical local table-name; passed to b.sql with quoteName
+
 // Required acknowledgements before subject.erase will run. Operator must
 // explicitly attest each one to confirm no statutory retention or active
 // litigation hold blocks the deletion.
@@ -211,7 +222,7 @@ function rectify(subjectId, opts) {
       rowId:      opts.id,
       requestReason: opts.reason,
     });
-    throw new Error("subject.rectify: row not found in '" + opts.table + "' with _id '" + opts.id + "'");
+    throw new Error("subject.rectify: row not found in '" + opts.table + "' for _id '" + opts.id + "'");
   }
 
   var changedKeys = Object.keys(opts.changes);
@@ -478,7 +489,10 @@ function eraseHard(subjectId, opts) {
       perTable[spec.name] = deleted;
       // REINDEX the table so B-tree pages holding the deleted row's
       // index entries are rebuilt — closes the erase-vacuum residual class.
-      try { db().runSql('REINDEX "' + spec.name + '"'); }                                        // table name comes from FRAMEWORK_SCHEMA
+      // REINDEX is a sqlite maintenance verb with no b.sql builder; the
+      // table identifier is quoted through b.safeSql so the name is safe by
+      // construction (it comes from FRAMEWORK_SCHEMA / the subject-table set).
+      try { db().runSql("REINDEX " + safeSql.quoteIdentifier(spec.name, "sqlite", { allowReserved: true })); }
       catch (_e) { /* cluster mode / unsupported dialect */ }
     }
     _markErased(subjectId);
@@ -536,20 +550,31 @@ function restrict(subjectId, opts) {
   if (!opts || typeof opts.on !== "boolean") {
     throw new Error("subject.restrict requires { on: true|false }");
   }
-  var existing = db().prepare(
-    "SELECT subjectIdHash FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-  ).get(_subjectHash(subjectId));
+  var restrictSelBuilt = sql.select(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+    .columns(["subjectIdHash"])
+    .where("subjectIdHash", _subjectHash(subjectId))
+    .toSql();
+  var restrictSelStmt = db().prepare(restrictSelBuilt.sql);
+  var existing = restrictSelStmt.get.apply(restrictSelStmt, restrictSelBuilt.params);
 
   if (opts.on) {
     if (!existing) {
-      db().prepare(
-        "INSERT INTO _blamejs_subject_restrictions (subjectIdHash, since, reason) VALUES (?, ?, ?)"
-      ).run(_subjectHash(subjectId), Date.now(), opts.reason || null);
+      var restrictInsBuilt = sql.insert(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+        .values({
+          subjectIdHash: _subjectHash(subjectId),
+          since:         Date.now(),
+          reason:        opts.reason || null,
+        })
+        .toSql();
+      var restrictInsStmt = db().prepare(restrictInsBuilt.sql);
+      restrictInsStmt.run.apply(restrictInsStmt, restrictInsBuilt.params);
     }
   } else if (existing) {
-    db().prepare(
-      "DELETE FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-    ).run(_subjectHash(subjectId));
+    var restrictDelBuilt = sql.delete(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+      .where("subjectIdHash", _subjectHash(subjectId))
+      .toSql();
+    var restrictDelStmt = db().prepare(restrictDelBuilt.sql);
+    restrictDelStmt.run.apply(restrictDelStmt, restrictDelBuilt.params);
   }
 
   _writeAudit("subject.restrict", subjectId, "success", {
@@ -581,9 +606,15 @@ function restrict(subjectId, opts) {
  */
 function isRestricted(subjectId) {
   if (!subjectId) return false;
-  var row = db().prepare(
-    "SELECT 1 FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-  ).get(_subjectHash(subjectId));
+  // Presence check — project the PK column (b.sql columns must be real
+  // identifiers, not a `SELECT 1` literal); a matched row is truthy.
+  var built = sql.select(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+    .columns(["subjectIdHash"])
+    .where("subjectIdHash", _subjectHash(subjectId))
+    .limit(1)
+    .toSql();
+  var stmt = db().prepare(built.sql);
+  var row = stmt.get.apply(stmt, built.params);
   return !!row;
 }
 
@@ -629,9 +660,16 @@ function recordObjection(subjectId, opts) {
 // ---- Internal helpers ----
 
 function _markErased(subjectId) {
-  db().prepare(
-    "INSERT OR REPLACE INTO _blamejs_subject_erasures (subjectIdHash, erasedAt) VALUES (?, ?)"
-  ).run(_subjectHash(subjectId), Date.now());
+  // "INSERT OR REPLACE" is the sqlite upsert idiom — express it portably as
+  // INSERT … ON CONFLICT(subjectIdHash) DO UPDATE SET erasedAt = EXCLUDED.erasedAt
+  // (the row is keyed by subjectIdHash; a re-erase just refreshes the timestamp).
+  var built = sql.upsert(ERASURES_TABLE, { dialect: "sqlite", quoteName: true })
+    .values({ subjectIdHash: _subjectHash(subjectId), erasedAt: Date.now() })
+    .onConflict(["subjectIdHash"])
+    .doUpdateFromExcluded(["erasedAt"])
+    .toSql();
+  var stmt = db().prepare(built.sql);
+  stmt.run.apply(stmt, built.params);
 }
 
 function _subjectHash(subjectId) {

package/lib/vault/index.js

@@ -71,6 +71,7 @@ var { boot } = require("../log");
 var safeBuffer = require("../safe-buffer");
 var safeJson = require("../safe-json");
 var observability = require("../observability");
+var frameworkFiles = require("../framework-files");
 var vaultPassphraseSource = require("./passphrase-source");
 var vaultWrap = require("./wrap");
 var { defineClass } = require("../framework-error");
@@ -99,8 +100,8 @@ var log = boot("vault");
 function resolvePaths(dataDir) {
   return {
     dataDir:           dataDir,
-    plaintext:         nodePath.join(dataDir, "vault.key"),
-    sealed:            nodePath.join(dataDir, "vault.key.sealed"),
+    plaintext:         nodePath.join(dataDir, frameworkFiles.fileName("vaultKey")),
+    sealed:            nodePath.join(dataDir, frameworkFiles.fileName("vaultKey") + ".sealed"),
     derivedHashSalt:   nodePath.join(dataDir, "vault.derived-hash-salt"),
     derivedHashMacKey: nodePath.join(dataDir, "vault.derived-hash-mac.sealed"),
   };

package/lib/vault/passphrase-ops.js

@@ -38,13 +38,14 @@
 var nodeFs = require("node:fs");
 var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
+var frameworkFiles = require("../framework-files");
 var vaultWrap = require("./wrap");
 var { defineClass } = require("../framework-error");
 
 var VaultPassphraseError = defineClass("VaultPassphraseError", { alwaysPermanent: true });
 
-var PLAINTEXT_NAME = "vault.key";
-var SEALED_NAME    = "vault.key.sealed";
+var PLAINTEXT_NAME = frameworkFiles.fileName("vaultKey");
+var SEALED_NAME    = frameworkFiles.fileName("vaultKey") + ".sealed";
 
 function _paths(dataDir) {
   return {