@blamejs/core 0.14.26 → 0.15.0

package/lib/vault/rotate.js

@@ -52,12 +52,13 @@ var nodeFs = require("node:fs");
 var nodePath = require("node:path");
 var { DatabaseSync } = require("node:sqlite");
 var atomicFile = require("../atomic-file");
-var safeSql = require("../safe-sql");
+var sql = require("../sql");
 var C = require("../constants");
 var cryptoField = require("../crypto-field");
 var bCrypto = require("../crypto");
 var vaultAad = require("../vault-aad");
 var dbSchema = require("../db-schema");
+var frameworkFiles = require("../framework-files");
 var lazyRequire = require("../lazy-require");
 var { boot } = require("../log");
 var numericBounds = require("../numeric-bounds");
@@ -97,18 +98,30 @@ var DEFAULT_DRIFT_SAMPLE_LIMIT = 100;
 var DEFAULT_VERIFY_SAMPLE_MIN  = 5;
 var DEFAULT_VERIFY_SAMPLE_FRAC = 0.01;
 
+// The catalog/PRAGMA statements all compose through b.sql's narrow audited
+// catalog sub-API (b.sql.catalog / b.sql.pragma) - the only path that emits
+// an sqlite_master reference or a PRAGMA verb, allowlisting exactly the
+// statements the key-rotation walk needs and refusing every other internal
+// identifier / PRAGMA verb. Each returns { sql, params }; the node:sqlite
+// handle takes the params positionally.
+function _all(db, built) {
+  var stmt = db.prepare(built.sql);
+  return built.params.length > 0 ? stmt.all.apply(stmt, built.params) : stmt.all();
+}
+function _get(db, built) {
+  var stmt = db.prepare(built.sql);
+  return built.params.length > 0 ? stmt.get.apply(stmt, built.params) : stmt.get();
+}
+
 function _listLiveTables(db) {
-  return db.prepare(
-    "SELECT name FROM sqlite_master " +
-    "WHERE type='table' AND name NOT LIKE 'sqlite_%'"
-  ).all().map(function (r) { return r.name; });
+  return _all(db, sql.catalog.listTables()).map(function (r) { return r.name; });
 }
 
 function _listLiveColumns(db, table) {
   // PRAGMA table_info — table name comes from sqlite_master so it's
-  // already validated as an existing identifier.
-  return db.prepare("PRAGMA table_info(\"" + table.replace(/"/g, '""') + "\")").all()
-    .map(function (c) { return c.name; });
+  // already validated as an existing identifier; b.sql.catalog.tableInfo
+  // quotes it by construction.
+  return _all(db, sql.catalog.tableInfo(table)).map(function (c) { return c.name; });
 }
 
 function _knownColumnsFor(schema, infraColumns) {
@@ -201,12 +214,13 @@ function validateSchemaMatch(db, opts) {
     }
     if (unknown.length === 0) continue;
 
-    var quotedCols = unknown.map(function (n) { return '"' + n.replace(/"/g, '""') + '"'; }).join(", ");
-    var sampleSql = "SELECT " + quotedCols +
-      " FROM \"" + table.replace(/"/g, '""') + "\" LIMIT " + sampleLimit;
+    var sampleBuilt = sql.select(table, { dialect: "sqlite", quoteName: true })
+      .columns(unknown)
+      .limit(sampleLimit)
+      .toSql();
     var sampled;
     try {
-      sampled = db.prepare(sampleSql).all();
+      sampled = _all(db, sampleBuilt);
     } catch (e) {
       warnings.push({
         kind:    "sample_failed",
@@ -312,7 +326,8 @@ function verify(opts) {
     var schema = cryptoField.getSchema(table);
     if (!schema || !Array.isArray(schema.sealedFields) || schema.sealedFields.length === 0) continue;
 
-    var totalRow = db.prepare('SELECT COUNT(*) AS n FROM "' + table.replace(/"/g, '""') + '"').get();
+    var totalRow = _get(db, sql.select(table, { dialect: "sqlite", quoteName: true })
+      .count("*", "n").toSql());
     var total = totalRow ? totalRow.n : 0;
     if (total === 0) continue;
 
@@ -320,10 +335,10 @@ function verify(opts) {
     if (sampleN > total) sampleN = total;
 
     // RANDOM() is fine for a sampler — we're picking representative rows,
-    // not building cryptographic randomness.
-    var sampled = db.prepare(
-      'SELECT * FROM "' + table.replace(/"/g, '""') + '" ORDER BY RANDOM() LIMIT ?'
-    ).all(sampleN);
+    // not building cryptographic randomness. b.sql.catalog.sampleRandom is
+    // the audited ORDER BY RANDOM() form (the general builder has no random-
+    // order clause); columns omitted -> `*`.
+    var sampled = _all(db, sql.catalog.sampleRandom(table, null, { limit: sampleN }));
 
     var foundOldFail = !oldKeys; // when no oldKeys supplied, this check is N/A
     var verifiedRows = 0;
@@ -529,15 +544,19 @@ function _walkAndReSeal(node, oldKeys, newKeys) {
   return { value: node, changed: false };
 }
 
-function _runStmt(db, sql) { db.prepare(sql).run(); }
+// Transaction-control statements only (BEGIN / COMMIT / ROLLBACK) - fixed
+// keywords, no identifier / value, so they stay verbatim rather than route
+// through b.sql (the builder has no transaction-control verb). The param is
+// named `stmtText` so it does not shadow the module-level `sql` builder.
+function _runStmt(db, stmtText) { db.prepare(stmtText).run(); }
 
 function _rotateColumn(db, table, column, schema, roots, batchSize, progress) {
-  // Identifiers reach SQL through safeSql.quoteIdentifier — runs
-  // validateIdentifier (rejects bad shape / reserved words /
-  // sqlite_-prefix) + emits the dialect-correct quoted form.
-  var qt = safeSql.quoteIdentifier(table, "sqlite");
-  var qc = safeSql.quoteIdentifier(column, "sqlite");
-  var total = db.prepare("SELECT COUNT(*) AS n FROM " + qt + " WHERE " + qc + " IS NOT NULL").get().n;
+  // Every statement composes through b.sql (sqlite dialect, quoteName so
+  // the concrete handle's table is quoted, not left bare for a cluster
+  // rewrite that does not apply here). Identifiers are validated + quoted
+  // by construction; the cursor bound (_id) + LIMIT bind as ? placeholders.
+  var total = _get(db, sql.select(table, { dialect: "sqlite", quoteName: true })
+    .count("*", "n").whereNotNull(column).toSql()).n;
   if (total === 0) return 0;
 
   // AAD-bound tables (registerTable({aad:true})) seal each cell under a
@@ -548,36 +567,54 @@ function _rotateColumn(db, table, column, schema, roots, batchSize, progress) {
   var aadMode = !!(schema && schema.aad);
   var rowIdField = aadMode ? schema.rowIdField : null;
   var needRid = aadMode && rowIdField && rowIdField !== "_id";
-  var qrid = needRid ? safeSql.quoteIdentifier(rowIdField, "sqlite") : null;
 
-  var sel = db.prepare(
-    "SELECT _id, " + qc + " AS v" + (qrid ? ", " + qrid + " AS rid" : "") + " FROM " + qt +
-    " WHERE " + qc + " IS NOT NULL AND _id > ? ORDER BY _id LIMIT ?"
-  );
-  var upd = db.prepare("UPDATE " + qt + " SET " + qc + " = ? WHERE _id = ?");
+  // Keyset-cursor page over (_id) ascending. The projected columns are read
+  // by their REAL names off the result row (no AS alias) - the column value
+  // is row[column], the row-id value is row[rowIdField]. The SQL text is
+  // constant across the loop (only the bound _id-cursor changes; LIMIT is a
+  // builder-inlined integer literal, validated non-negative), so prepare
+  // once + re-run with the fresh cursor param positionally. The SELECT
+  // carries exactly one `?` (the _id cursor); the UPDATE carries two (the
+  // resealed value + the _id).
+  var selCols = ["_id", column];
+  if (needRid) selCols.push(rowIdField);
+  var selBuilt = sql.select(table, { dialect: "sqlite", quoteName: true })
+    .columns(selCols)
+    .whereNotNull(column)
+    .whereOp("_id", ">", "")
+    .orderBy("_id")
+    .limit(batchSize)
+    .toSql();
+  var sel = db.prepare(selBuilt.sql);
+  var updBuilt = sql.update(table, { dialect: "sqlite", quoteName: true })
+    .set(column, "")
+    .where("_id", "")
+    .toSql();
+  var upd = db.prepare(updBuilt.sql);
 
   var processed = 0;
   var lastId = "";
   while (true) {
-    var rows = sel.all(lastId, batchSize);
+    var rows = sel.all(lastId);
     if (rows.length === 0) break;
 
     dbSchema.runInTransaction(db, function () {
       for (var i = 0; i < rows.length; i++) {
         var row = rows[i];
-        if (typeof row.v !== "string") continue;
-        if (aadMode && vaultAad.isAadSealed(row.v)) {
+        var cellVal = row[column];
+        if (typeof cellVal !== "string") continue;
+        if (aadMode && vaultAad.isAadSealed(cellVal)) {
           // Rebuild the exact AAD the seal side used. cryptoField._aadParts
           // reads row[schema.rowIdField]; feed it the rowIdField value we
-          // selected (rid, or _id when rowIdField IS _id).
+          // selected (row[rowIdField], or _id when rowIdField IS _id).
           var rowForAad = {};
-          rowForAad[rowIdField] = needRid ? row.rid : row._id;
+          rowForAad[rowIdField] = needRid ? row[rowIdField] : row._id;
           var aad = cryptoField._aadParts(schema, table, column, rowForAad);
-          upd.run(vaultAad.resealRoot(row.v, aad, roots.oldRootJson, roots.newRootJson), row._id);
-        } else if (row.v.indexOf(C.VAULT_PREFIX) === 0) {
+          upd.run(vaultAad.resealRoot(cellVal, aad, roots.oldRootJson, roots.newRootJson), row._id);
+        } else if (cellVal.indexOf(C.VAULT_PREFIX) === 0) {
           // Plain vault: cell (non-AAD table, or a legacy pre-AAD cell in
           // an AAD table that the next sealRow upgrades).
-          upd.run(_reSealValue(row.v, roots.oldKeys, roots.newKeys), row._id);
+          upd.run(_reSealValue(cellVal, roots.oldKeys, roots.newKeys), row._id);
         }
       }
     });
@@ -589,23 +626,33 @@ function _rotateColumn(db, table, column, schema, roots, batchSize, progress) {
 }
 
 function _rotateOverflow(db, table, oldKeys, newKeys, batchSize, progress, warnings) {
-  var qt = '"' + table.replace(/"/g, '""') + '"';
-  var cols = db.prepare("PRAGMA table_info(" + qt + ")").all();
+  var cols = _all(db, sql.catalog.tableInfo(table));
   if (!cols.some(function (c) { return c.name === "data"; })) return 0;
 
-  var total = db.prepare("SELECT COUNT(*) AS n FROM " + qt + " WHERE data IS NOT NULL").get().n;
+  var total = _get(db, sql.select(table, { dialect: "sqlite", quoteName: true })
+    .count("*", "n").whereNotNull("data").toSql()).n;
   if (total === 0) return 0;
 
-  var sel = db.prepare(
-    "SELECT _id, data FROM " + qt +
-    " WHERE data IS NOT NULL AND _id > ? ORDER BY _id LIMIT ?"
-  );
-  var upd = db.prepare("UPDATE " + qt + " SET data = ? WHERE _id = ?");
+  // Same keyset cursor as _rotateColumn over the overflow `data` JSON
+  // column: one bound `?` (the _id cursor), builder-inlined LIMIT literal.
+  var selBuilt = sql.select(table, { dialect: "sqlite", quoteName: true })
+    .columns(["_id", "data"])
+    .whereNotNull("data")
+    .whereOp("_id", ">", "")
+    .orderBy("_id")
+    .limit(batchSize)
+    .toSql();
+  var sel = db.prepare(selBuilt.sql);
+  var updBuilt = sql.update(table, { dialect: "sqlite", quoteName: true })
+    .set("data", "")
+    .where("_id", "")
+    .toSql();
+  var upd = db.prepare(updBuilt.sql);
 
   var processed = 0;
   var lastId = "";
   while (true) {
-    var rows = sel.all(lastId, batchSize);
+    var rows = sel.all(lastId);
     if (rows.length === 0) break;
 
     _runStmt(db, "BEGIN");
@@ -689,10 +736,10 @@ async function rotate(opts) {
   var progress = opts.progressCallback;
   var warnings = [];
   var paths = Object.assign({
-    encryptedDb:      "db.enc",
-    dbKeySealed:      "db.key.enc",
-    vaultKeyPlain:    "vault.key",
-    vaultKeySealed:   "vault.key.sealed",
+    encryptedDb:      frameworkFiles.fileName("dbEnc"),
+    dbKeySealed:      frameworkFiles.fileName("dbKeyEnc"),
+    vaultKeyPlain:    frameworkFiles.fileName("vaultKey"),
+    vaultKeySealed:   frameworkFiles.fileName("vaultKey") + ".sealed",
     additionalSealed: [],
     verbatimFiles:    [],
     verbatimDirs:     [],
@@ -849,18 +896,15 @@ async function rotate(opts) {
 
     var db = new DatabaseSync(tmpDbPath);
     try {
-      _runStmt(db, "PRAGMA journal_mode=WAL");
-      _runStmt(db, "PRAGMA synchronous=NORMAL");
+      db.prepare(sql.pragma("journal_mode", "WAL").sql).run();
+      db.prepare(sql.pragma("synchronous", "NORMAL").sql).run();
 
       // Walk tables. For each, re-seal every column declared sealed
       // by the field-crypto registry, plus the overflow `data` JSON
       // column if present.
       var tablesToRotate = Array.isArray(opts.tables) && opts.tables.length > 0
         ? opts.tables.slice()
-        : db.prepare(
-            "SELECT name FROM sqlite_master " +
-            "WHERE type='table' AND name NOT LIKE 'sqlite_%'"
-          ).all().map(function (r) { return r.name; });
+        : _listLiveTables(db);
 
       // Serialized roots threaded to the AAD reseal path; oldRootJson /
       // newRootJson match b.vault.getKeysJson() so rotated AAD cells unseal
@@ -869,15 +913,11 @@ async function rotate(opts) {
 
       for (var ti = 0; ti < tablesToRotate.length; ti++) {
         var table = tablesToRotate[ti];
-        var tableExists = db.prepare(
-          "SELECT name FROM sqlite_master WHERE type='table' AND name = ?"
-        ).get(table);
+        var tableExists = _get(db, sql.catalog.tableExists(table));
         if (!tableExists) continue;
 
         var schema = cryptoField.getSchema(table);
-        var liveCols = db.prepare(
-          'PRAGMA table_info("' + table.replace(/"/g, '""') + '")'
-        ).all().map(function (c) { return c.name; });
+        var liveCols = _listLiveColumns(db, table);
         var liveColSet = Object.create(null);
         for (var lc = 0; lc < liveCols.length; lc++) liveColSet[liveCols[lc]] = true;
 
@@ -894,7 +934,7 @@ async function rotate(opts) {
         if (tableRows > 0) { tablesProcessed++; totalRowsProcessed += tableRows; }
       }
 
-      _runStmt(db, "PRAGMA wal_checkpoint(TRUNCATE)");
+      db.prepare(sql.pragma("wal_checkpoint", "TRUNCATE").sql).run();
     } finally {
       db.close();
     }

package/lib/vendor-data.js

@@ -130,6 +130,7 @@ function _timingSafeHexEqual(a, b) {
 var KNOWN_VENDOR_DATA = Object.freeze({
   "public-suffix-list": {
     module: "./vendor/public-suffix-list.data",
+    // allow:hand-rolled-sql — `_blamejs_canary_*` is an in-payload tamper-canary token, not a SQL table name (no DB sink in this file)
     canary: "_blamejs_canary_v0_9_8_.local",
     // Canary parse check — operator-side `b.publicSuffix.isPublicSuffix(canary)`
     // MUST return true after the PSL parser ingests the data. The check
@@ -138,6 +139,7 @@ var KNOWN_VENDOR_DATA = Object.freeze({
   },
   "common-passwords-top-10000": {
     module: "./vendor/common-passwords-top-10000.data",
+    // allow:hand-rolled-sql — `_blamejs_canary_*` is an in-payload tamper-canary token, not a SQL table name (no DB sink in this file)
     canary: "_blamejs_canary_password_2026_05_13_blamejs_internal_",
     description: "Top-10000 most common passwords (SecLists). Used by b.auth.password to refuse known-breached credentials.",
   },

package/lib/websocket.js

@@ -530,22 +530,32 @@ function _parseExtensionHeader(header) {
   for (var i = 0; i < entries.length; i++) {
     var parts = structuredFields.splitTopLevel(entries[i], ";").map(function (s) { return s.trim(); });
     if (!parts[0]) continue;
-    // `params` has no prototype chain — `Object.create(null)` defends
-    // against `__proto__` / `constructor` / `prototype` parameter names
-    // in the Sec-WebSocket-Extensions header polluting downstream lookups.
-    var ext = { name: parts[0].toLowerCase(), params: Object.create(null) };
+    // Collect [name, value] pairs, then materialize the params map via
+    // Object.fromEntries onto a null-prototype object. The extension-
+    // parameter name is taken from the client-supplied Sec-WebSocket-
+    // Extensions header, so it is never used as a computed-write key
+    // (`params[name] = value`) — that is the CWE-915 unsafe-reflection /
+    // CWE-1321 prototype-pollution sink. POISONED params (`__proto__` /
+    // `constructor` / `prototype`) are dropped, and the null-prototype
+    // accumulator means even a slipped name cannot reach Object.prototype.
+    var paramPairs = [];
     for (var j = 1; j < parts.length; j++) {
       var kv = parts[j].split("=");
       var k = kv[0].trim().toLowerCase();
       if (!k) continue;
+      if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
       var v = kv.length > 1 ? kv.slice(1).join("=").trim() : true;
       // Strip surrounding quotes per the token-or-quoted-string grammar.
       if (typeof v === "string") {
         var _unq = structuredFields.unquoteSfString(v);
         if (_unq !== null) v = _unq;
       }
-      ext.params[k] = v;
+      paramPairs.push([k, v]);
     }
+    var ext = {
+      name:   parts[0].toLowerCase(),
+      params: Object.assign(Object.create(null), Object.fromEntries(paramPairs)),
+    };
     out.push(ext);
   }
   return out;
@@ -961,6 +971,22 @@ class WebSocketConnection extends EventEmitter {
         self._transitionToClosed(1006, "abnormal closure", false, null);
       }
     });
+    socket.on("end", function ()        {
+      // Peer half-closed (TCP FIN) without sending a Close frame. HTTP
+      // 'upgrade' sockets default to allowHalfOpen=true, so this arrives
+      // as 'end' (readable side ended) while the writable side stays
+      // open — the 'close' handler above never fires and the connection
+      // would otherwise wedge open (ping timer running, no 'close' event,
+      // peer's socket never destroyed). RFC 6455 §7.1.1 treats a TCP
+      // close without a prior Close frame as abnormal closure: surface
+      // the lifecycle event and end our writable side so the socket
+      // actually tears down. _transitionToClosed is idempotent, so the
+      // native 'close' that follows is a no-op.
+      if (self._state !== STATE_CLOSED) {
+        self._transitionToClosed(1006, "abnormal closure", false, null);
+      }
+      try { socket.end(); } catch (_e) { /* socket already closing */ }
+    });
   }
 
   // Single state-transition method. Idempotent — repeat calls after
@@ -1541,6 +1567,10 @@ module.exports = {
   // Server-side entrypoints
   handleUpgrade:           handleUpgrade,           // h1 — RFC 6455 HTTP upgrade
   handleExtendedConnect:   handleExtendedConnect,   // h2 — RFC 8441 Extended CONNECT
+  // Internal helper exposed for tests — the Sec-WebSocket-Extensions
+  // parser (RFC 7692 negotiation feeds off this). Underscore-prefixed so
+  // it is not part of the public primitive surface.
+  _parseExtensionHeader:   _parseExtensionHeader,
   // Constants
   GUID:                    GUID,
   REFUSED_AUTH_QUERY_PARAMS: REFUSED_AUTH_QUERY_PARAMS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.26",
+  "version": "0.15.0",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:e0214cf9-5d77-475a-af9a-e3cedff9f6d7",
+  "serialNumber": "urn:uuid:d63a172d-d92b-4a98-ae64-7dcb04e82076",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-06T21:14:16.419Z",
+    "timestamp": "2026-06-08T20:30:45.961Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.26",
+      "bom-ref": "@blamejs/core@0.15.0",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.26",
+      "version": "0.15.0",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.26",
+      "purl": "pkg:npm/%40blamejs/core@0.15.0",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.26",
+      "ref": "@blamejs/core@0.15.0",
       "dependsOn": []
     }
   ]