@blamejs/core 0.14.26 → 0.15.0

package/lib/cache.js

@@ -74,15 +74,38 @@ var cacheRedis = require("./cache-redis");
 var redisClient = require("./redis-client");
 var clusterStorage = require("./cluster-storage");
 var C = require("./constants");
+var frameworkSchema = require("./framework-schema");
 var lazyRequire = require("./lazy-require");
 var { boot } = require("./log");
 var numericChecks = require("./numeric-checks");
 var requestHelpers = require("./request-helpers");
 var safeAsync = require("./safe-async");
 var safeJson = require("./safe-json");
+var sql = require("./sql");
 var validateOpts = require("./validate-opts");
 var { CacheError } = require("./framework-error");
 
+// Cluster-backend tables — resolved through frameworkSchema.tableName so a
+// configured table prefix (b.frameworkSchema.setTablePrefix) is honored.
+// Both names are identity-mapped in LOCAL_TO_EXTERNAL, so clusterStorage's
+// resolveTables leaves them untouched at dispatch and the resolved name is
+// what reaches the backend on both single-node + cluster sides.
+var CACHE_TABLE      = "_blamejs_cache";        // allow:hand-rolled-sql — canonical logical table-name declaration
+var CACHE_TAGS_TABLE = "_blamejs_cache_tags";   // allow:hand-rolled-sql — canonical logical table-name declaration
+function _cacheSqlTable() { return frameworkSchema.tableName(CACHE_TABLE); }
+function _cacheTagsSqlTable() { return frameworkSchema.tableName(CACHE_TAGS_TABLE); }
+// b.sql opts for every cluster-backend statement: thread the ACTIVE
+// backend dialect (clusterStorage.dialect() — "sqlite" single-node,
+// "postgres" | "mysql" in cluster mode) so the emitted identifier quoting
+// and dialect idioms (ON CONFLICT vs ON DUPLICATE KEY) match the backend
+// the SQL dispatches to. Defaulting to "sqlite" works on Postgres only by
+// accident (both double-quote identifiers) and emits the wrong quoting on
+// MySQL, so this is the canonical resolver the data-layer threads into
+// b.sql. clusterStorage.execute still rewrites table names + translates
+// `?` placeholders at dispatch; this controls only the builder-side
+// quoting + idiom selection.
+function _cacheSqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
 var log = boot("cache");
 var observability = lazyRequire(function () { return require("./observability"); });
 // Opt-in vault seal for cluster-backend cache values. Lazy so
@@ -471,19 +494,21 @@ function _clusterBackend(cfg) {
 
   async function get(key) {
     var now = clock();
-    var result = await clusterStorage.execute(
-      "SELECT valueJson, expiresAt FROM _blamejs_cache WHERE cacheKey = ?",
-      [_composedKey(key)]
-    );
+    var getBuilt = sql.select(_cacheSqlTable(), _cacheSqlOpts())
+      .columns(["valueJson", "expiresAt"])
+      .where("cacheKey", _composedKey(key))
+      .toSql();
+    var result = await clusterStorage.execute(getBuilt.sql, getBuilt.params);
     if (!result || !result.rows || result.rows.length === 0) return undefined;
     var row = result.rows[0];
     if (row.expiresAt <= now) {
       // Lazy purge: opportunistic delete on stale read.
       try {
-        await clusterStorage.execute(
-          "DELETE FROM _blamejs_cache WHERE cacheKey = ? AND expiresAt <= ?",
-          [_composedKey(key), now]
-        );
+        var delBuilt = sql.delete(_cacheSqlTable(), _cacheSqlOpts())
+          .where("cacheKey", _composedKey(key))
+          .where("expiresAt", "<=", now)
+          .toSql();
+        await clusterStorage.execute(delBuilt.sql, delBuilt.params);
       } catch (_e) { /* sweeper will catch it next pass */ }
       emitObs("cache.eviction.expired", { namespace: namespace });
       return undefined;
@@ -494,11 +519,13 @@ function _clusterBackend(cfg) {
     // Fire-and-forget — best-effort lifetime extension.
     if (slidingTtl && defaultTtlMs !== Infinity && typeof defaultTtlMs === "number") {
       var newExpires = now + defaultTtlMs;
-      clusterStorage.execute(
-        "UPDATE _blamejs_cache SET expiresAt = ?, updatedAt = ? " +
-        "WHERE cacheKey = ? AND expiresAt > ?",
-        [newExpires, now, _composedKey(key), now]
-      ).catch(function () { /* best-effort */ });
+      var slideBuilt = sql.update(_cacheSqlTable(), _cacheSqlOpts())
+        .set({ expiresAt: newExpires, updatedAt: now })
+        .where("cacheKey", _composedKey(key))
+        .where("expiresAt", ">", now)
+        .toSql();
+      clusterStorage.execute(slideBuilt.sql, slideBuilt.params)
+        .catch(function () { /* best-effort */ });
     }
     var stored = row.valueJson;
     // Sealed-row decode. Sealed entries are prefixed at write
@@ -541,28 +568,30 @@ function _clusterBackend(cfg) {
     // Wrapping them in a transaction makes a concurrent set see either the
     // whole prior state or the whole new state, never a mix.
     // SQLite + Postgres both honor ON CONFLICT (cacheKey) DO UPDATE.
+    var upsertBuilt = sql.upsert(_cacheSqlTable(), _cacheSqlOpts())
+      .columns(["cacheKey", "valueJson", "expiresAt", "updatedAt"])
+      .values({ cacheKey: ck, valueJson: json, expiresAt: storedExpires, updatedAt: now })
+      .onConflict(["cacheKey"])
+      .doUpdate({ valueJson: "?", expiresAt: "?", updatedAt: "?" }, [json, storedExpires, now])
+      .toSql();
+    var tagsDelBuilt = sql.delete(_cacheTagsSqlTable(), _cacheSqlOpts())
+      .where("cacheKey", ck)
+      .toSql();
     await clusterStorage.transaction(async function (tx) {
-      await tx.execute(
-        "INSERT INTO _blamejs_cache (cacheKey, valueJson, expiresAt, updatedAt) " +
-        "VALUES (?, ?, ?, ?) " +
-        "ON CONFLICT (cacheKey) DO UPDATE SET " +
-        "valueJson = ?, expiresAt = ?, updatedAt = ?",
-        [ck, json, storedExpires, now, json, storedExpires, now]
-      );
+      await tx.execute(upsertBuilt.sql, upsertBuilt.params);
       // Drop any prior tags for this key (tags can change across sets),
       // then INSERT the new ones. The PRIMARY KEY on (cacheKey, tag) makes
       // the INSERT idempotent if duplicate tags sneak in.
-      await tx.execute(
-        "DELETE FROM _blamejs_cache_tags WHERE cacheKey = ?",
-        [ck]
-      );
+      await tx.execute(tagsDelBuilt.sql, tagsDelBuilt.params);
       if (tags && tags.length > 0) {
         for (var i = 0; i < tags.length; i++) {
-          await tx.execute(
-            "INSERT INTO _blamejs_cache_tags (cacheKey, tag) VALUES (?, ?) " +
-            "ON CONFLICT (cacheKey, tag) DO NOTHING",
-            [ck, tags[i]]
-          );
+          var tagInsBuilt = sql.upsert(_cacheTagsSqlTable(), _cacheSqlOpts())
+            .columns(["cacheKey", "tag"])
+            .values({ cacheKey: ck, tag: tags[i] })
+            .onConflict(["cacheKey", "tag"])
+            .doNothing()
+            .toSql();
+          await tx.execute(tagInsBuilt.sql, tagInsBuilt.params);
         }
       }
     });
@@ -583,8 +612,11 @@ function _clusterBackend(cfg) {
     for (var attempt = 0; attempt < maxRetries; attempt++) {
       var outcome = await clusterStorage.transaction(async function (tx) {
         var now = clock();
-        var row = await tx.executeOne(
-          "SELECT valueJson, expiresAt FROM _blamejs_cache WHERE cacheKey = ?", [ck]);
+        var rowSelBuilt = sql.select(_cacheSqlTable(), _cacheSqlOpts())
+          .columns(["valueJson", "expiresAt"])
+          .where("cacheKey", ck)
+          .toSql();
+        var row = await tx.executeOne(rowSelBuilt.sql, rowSelBuilt.params);
         var oldRaw = null;
         var current = null;
         if (row && row.expiresAt > now) {
@@ -599,8 +631,15 @@ function _clusterBackend(cfg) {
         if (decision && decision.abort !== undefined) return { aborted: decision.abort };
         if (decision && decision.delete === true) {
           if (oldRaw !== null) {
-            await tx.execute("DELETE FROM _blamejs_cache WHERE cacheKey = ? AND valueJson = ?", [ck, oldRaw]);
-            await tx.execute("DELETE FROM _blamejs_cache_tags WHERE cacheKey = ?", [ck]);
+            var casDelBuilt = sql.delete(_cacheSqlTable(), _cacheSqlOpts())
+              .where("cacheKey", ck)
+              .where("valueJson", oldRaw)
+              .toSql();
+            await tx.execute(casDelBuilt.sql, casDelBuilt.params);
+            var casTagDelBuilt = sql.delete(_cacheTagsSqlTable(), _cacheSqlOpts())
+              .where("cacheKey", ck)
+              .toSql();
+            await tx.execute(casTagDelBuilt.sql, casTagDelBuilt.params);
           }
           return { updated: true, deleted: true };
         }
@@ -614,17 +653,22 @@ function _clusterBackend(cfg) {
         if (oldRaw === null) {
           // Row was absent/expired — insert, but lose the race if another
           // writer inserted concurrently (ON CONFLICT DO NOTHING → 0 rows).
-          var ins = await tx.execute(
-            "INSERT INTO _blamejs_cache (cacheKey, valueJson, expiresAt, updatedAt) " +
-            "VALUES (?, ?, ?, ?) ON CONFLICT (cacheKey) DO NOTHING",
-            [ck, json, storedExpires, now]);
+          var insBuilt = sql.upsert(_cacheSqlTable(), _cacheSqlOpts())
+            .columns(["cacheKey", "valueJson", "expiresAt", "updatedAt"])
+            .values({ cacheKey: ck, valueJson: json, expiresAt: storedExpires, updatedAt: now })
+            .onConflict(["cacheKey"])
+            .doNothing()
+            .toSql();
+          var ins = await tx.execute(insBuilt.sql, insBuilt.params);
           if (!ins || ins.rowCount !== 1) return { conflict: true };
         } else {
           // CAS: only commit if the row still holds the exact bytes we read.
-          var upd = await tx.execute(
-            "UPDATE _blamejs_cache SET valueJson = ?, expiresAt = ?, updatedAt = ? " +
-            "WHERE cacheKey = ? AND valueJson = ?",
-            [json, storedExpires, now, ck, oldRaw]);
+          var updBuilt = sql.update(_cacheSqlTable(), _cacheSqlOpts())
+            .set({ valueJson: json, expiresAt: storedExpires, updatedAt: now })
+            .where("cacheKey", ck)
+            .where("valueJson", oldRaw)
+            .toSql();
+          var upd = await tx.execute(updBuilt.sql, updBuilt.params);
           if (!upd || upd.rowCount !== 1) return { conflict: true };
         }
         return { updated: true, value: decision.value };
@@ -638,59 +682,67 @@ function _clusterBackend(cfg) {
 
   async function del(key) {
     var ck = _composedKey(key);
-    var result = await clusterStorage.execute(
-      "DELETE FROM _blamejs_cache WHERE cacheKey = ?",
-      [ck]
-    );
+    var delBuilt = sql.delete(_cacheSqlTable(), _cacheSqlOpts())
+      .where("cacheKey", ck)
+      .toSql();
+    var result = await clusterStorage.execute(delBuilt.sql, delBuilt.params);
     // Drop any matching tag rows. Best-effort: a stale tag row pointing
     // at a non-existent cacheKey is dropped on the next invalidateTag
     // sweep (by the JOIN-shape DELETE) anyway.
-    await clusterStorage.execute(
-      "DELETE FROM _blamejs_cache_tags WHERE cacheKey = ?",
-      [ck]
-    ).catch(function () { /* best-effort */ });
+    var tagDelBuilt = sql.delete(_cacheTagsSqlTable(), _cacheSqlOpts())
+      .where("cacheKey", ck)
+      .toSql();
+    await clusterStorage.execute(tagDelBuilt.sql, tagDelBuilt.params)
+      .catch(function () { /* best-effort */ });
     return !!(result && result.rowCount && result.rowCount > 0);
   }
 
   async function invalidateTag(tag) {
-    // Find every cacheKey carrying the tag (namespace-scoped via the LIKE
-    // on the composed key), delete from the cache table + the junction.
-    var like = namespace + ":%";
-    var keysResult = await clusterStorage.execute(
-      "SELECT cacheKey FROM _blamejs_cache_tags WHERE tag = ? AND cacheKey LIKE ?",
-      [tag, like]
-    );
+    // Find every cacheKey carrying the tag (namespace-scoped via a prefix
+    // LIKE on the composed "<namespace>:<key>" form), delete from the
+    // cache table + the junction. whereLike(..., "prefix") escapes the
+    // namespace's own metacharacters and appends the live wildcard, so the
+    // scope stays "this namespace's keys" without a hand-rolled LIKE.
+    var prefix = namespace + ":";
+    var keysBuilt = sql.select(_cacheTagsSqlTable(), _cacheSqlOpts())
+      .columns(["cacheKey"])
+      .where("tag", tag)
+      .whereLike("cacheKey", prefix, "prefix")
+      .toSql();
+    var keysResult = await clusterStorage.execute(keysBuilt.sql, keysBuilt.params);
     var keys = (keysResult && keysResult.rows) || [];
     if (keys.length === 0) {
       // Nothing to invalidate; still drop any orphan tag rows for
       // this tag scoped to our namespace.
-      await clusterStorage.execute(
-        "DELETE FROM _blamejs_cache_tags WHERE tag = ? AND cacheKey LIKE ?",
-        [tag, like]
-      );
+      var orphanBuilt = sql.delete(_cacheTagsSqlTable(), _cacheSqlOpts())
+        .where("tag", tag)
+        .whereLike("cacheKey", prefix, "prefix")
+        .toSql();
+      await clusterStorage.execute(orphanBuilt.sql, orphanBuilt.params);
       return 0;
     }
     var purged = 0;
     for (var i = 0; i < keys.length; i++) {
       var ck = keys[i].cacheKey;
-      var r = await clusterStorage.execute(
-        "DELETE FROM _blamejs_cache WHERE cacheKey = ?",
-        [ck]
-      );
+      var rBuilt = sql.delete(_cacheSqlTable(), _cacheSqlOpts())
+        .where("cacheKey", ck)
+        .toSql();
+      var r = await clusterStorage.execute(rBuilt.sql, rBuilt.params);
       if (r && r.rowCount > 0) purged += r.rowCount;
-      await clusterStorage.execute(
-        "DELETE FROM _blamejs_cache_tags WHERE cacheKey = ?",
-        [ck]
-      );
+      var tagDelBuilt = sql.delete(_cacheTagsSqlTable(), _cacheSqlOpts())
+        .where("cacheKey", ck)
+        .toSql();
+      await clusterStorage.execute(tagDelBuilt.sql, tagDelBuilt.params);
     }
     return purged;
   }
 
   async function getTags(key) {
-    var result = await clusterStorage.execute(
-      "SELECT tag FROM _blamejs_cache_tags WHERE cacheKey = ?",
-      [_composedKey(key)]
-    );
+    var built = sql.select(_cacheTagsSqlTable(), _cacheSqlOpts())
+      .columns(["tag"])
+      .where("cacheKey", _composedKey(key))
+      .toSql();
+    var result = await clusterStorage.execute(built.sql, built.params);
     if (!result || !result.rows) return [];
     return result.rows.map(function (r) { return r.tag; });
   }
@@ -700,60 +752,77 @@ function _clusterBackend(cfg) {
     // track LRU at all, so "without bumping" is automatic. Honors
     // expiresAt the same as get().
     var now = clock();
-    var result = await clusterStorage.execute(
-      "SELECT expiresAt FROM _blamejs_cache WHERE cacheKey = ? AND expiresAt > ?",
-      [_composedKey(key), now]
-    );
+    var built = sql.select(_cacheSqlTable(), _cacheSqlOpts())
+      .columns(["expiresAt"])
+      .where("cacheKey", _composedKey(key))
+      .where("expiresAt", ">", now)
+      .toSql();
+    var result = await clusterStorage.execute(built.sql, built.params);
     return !!(result && result.rows && result.rows.length > 0);
   }
 
   async function clear() {
     // Namespace-scoped wipe so two CacheInstance instances sharing the
-    // table don't cross-purge each other.
-    var like = namespace + ":%";
-    var result = await clusterStorage.execute(
-      "DELETE FROM _blamejs_cache WHERE cacheKey LIKE ?",
-      [like]
-    );
+    // table don't cross-purge each other. Prefix LIKE on the composed
+    // "<namespace>:<key>" form scopes the wipe to this instance.
+    var prefix = namespace + ":";
+    var clrBuilt = sql.delete(_cacheSqlTable(), _cacheSqlOpts())
+      .whereLike("cacheKey", prefix, "prefix")
+      .toSql();
+    var result = await clusterStorage.execute(clrBuilt.sql, clrBuilt.params);
     // Drop matching tag rows in the same namespace.
-    await clusterStorage.execute(
-      "DELETE FROM _blamejs_cache_tags WHERE cacheKey LIKE ?",
-      [like]
-    ).catch(function () { /* best-effort */ });
+    var tagClrBuilt = sql.delete(_cacheTagsSqlTable(), _cacheSqlOpts())
+      .whereLike("cacheKey", prefix, "prefix")
+      .toSql();
+    await clusterStorage.execute(tagClrBuilt.sql, tagClrBuilt.params)
+      .catch(function () { /* best-effort */ });
     return (result && result.rowCount) || 0;
   }
 
   async function size() {
     var now = clock();
-    var like = namespace + ":%";
-    var result = await clusterStorage.execute(
-      "SELECT COUNT(*) AS n FROM _blamejs_cache WHERE cacheKey LIKE ? AND expiresAt > ?",
-      [like, now]
-    );
+    var prefix = namespace + ":";
+    var built = sql.select(_cacheSqlTable(), _cacheSqlOpts())
+      .count("*", "n")
+      .whereLike("cacheKey", prefix, "prefix")
+      .where("expiresAt", ">", now)
+      .toSql();
+    var result = await clusterStorage.execute(built.sql, built.params);
     if (!result || !result.rows || result.rows.length === 0) return 0;
-    return result.rows[0].n || 0;
+    // COUNT(*) comes back as a BIGINT — node-postgres / mysql2 hand that
+    // back as a decimal STRING, and "5" || 0 stays the string "5". A caller
+    // comparing size() numerically (>= maxEntries, capacity math) would
+    // then compare a string and silently mis-decide. The COUNT alias `n`
+    // is not a framework-schema column, so coerceRows does not touch it —
+    // coerce it here at the read boundary.
+    var n = result.rows[0].n;
+    return Number(n) || 0;
   }
 
   async function _sweep() {
     var now = clock();
-    var like = namespace + ":%";
+    var prefix = namespace + ":";
     // Capture the to-be-purged keys first so we can drop matching tag
     // rows in the same sweep — keeps the junction table free of orphans
     // pointing at expired cacheKeys.
-    var expiredResult = await clusterStorage.execute(
-      "SELECT cacheKey FROM _blamejs_cache WHERE cacheKey LIKE ? AND expiresAt <= ?",
-      [like, now]
-    );
+    var expiredBuilt = sql.select(_cacheSqlTable(), _cacheSqlOpts())
+      .columns(["cacheKey"])
+      .whereLike("cacheKey", prefix, "prefix")
+      .where("expiresAt", "<=", now)
+      .toSql();
+    var expiredResult = await clusterStorage.execute(expiredBuilt.sql, expiredBuilt.params);
     var expiredKeys = (expiredResult && expiredResult.rows) || [];
-    await clusterStorage.execute(
-      "DELETE FROM _blamejs_cache WHERE cacheKey LIKE ? AND expiresAt <= ?",
-      [like, now]
-    );
+    var sweepDelBuilt = sql.delete(_cacheSqlTable(), _cacheSqlOpts())
+      .whereLike("cacheKey", prefix, "prefix")
+      .where("expiresAt", "<=", now)
+      .toSql();
+    await clusterStorage.execute(sweepDelBuilt.sql, sweepDelBuilt.params);
     for (var i = 0; i < expiredKeys.length; i++) {
-      await clusterStorage.execute(
-        "DELETE FROM _blamejs_cache_tags WHERE cacheKey = ?",
-        [expiredKeys[i].cacheKey]
-      ).catch(function () { /* best-effort */ });
+      var tagSweepBuilt = sql.delete(_cacheTagsSqlTable(), _cacheSqlOpts())
+        .where("cacheKey", expiredKeys[i].cacheKey)
+        .toSql();
+      await clusterStorage.execute(tagSweepBuilt.sql, tagSweepBuilt.params)
+        .catch(function () { /* best-effort */ });
     }
   }
 

package/lib/chain-writer.js

@@ -43,6 +43,7 @@ var cluster = require("./cluster");
 var clusterStorage = require("./cluster-storage");
 var safeAsync = require("./safe-async");
 var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var C = require("./constants");
 var { FrameworkError } = require("./framework-error");
 
@@ -54,6 +55,16 @@ var ALLOWED_CHAIN_TABLES = new Set(["audit_log", "consent_log"]);
 
 var FRAMEWORK_SQL_TIMEOUT_MS = C.TIME.seconds(30);
 
+// b.sql opts for every chain-table statement: thread the ACTIVE backend
+// dialect (clusterStorage.dialect() — "sqlite" single-node, "postgres" |
+// "mysql" in cluster mode) so the emitted identifier quoting + dialect
+// idioms match the backend the SQL dispatches to. Defaulting to "sqlite"
+// works on Postgres only by accident (both double-quote identifiers) and
+// emits the wrong quoting on MySQL. clusterStorage.execute still rewrites
+// table names + translates `?` placeholders at dispatch; this controls only
+// the builder-side quoting + idiom selection.
+function _sqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
 class ChainWriterError extends FrameworkError {
   constructor(message, code) {
     super(message);
@@ -140,11 +151,15 @@ function create(opts) {
   function _ensureCounterInit() {
     if (!_counterInit) {
       _counterInit = new safeAsync.Once(async function () {
+        // BARE logical table name — clusterStorage rewrites the framework
+        // name to the configured-prefix form and placeholderizes; b.sql
+        // quotes the camelCase column + emits the MAX aggregate.
+        var maxBuilt = sql.select(table, _sqlOpts())
+          .max("monotonicCounter", "m")
+          .toSql();
         var row = await safeAsync.withTimeout(
           safeAsync.asyncRetry(function () {
-            return clusterStorage.executeOne(
-              "SELECT MAX(monotonicCounter) AS m FROM " + safeSql.quoteIdentifier(table)
-            );
+            return clusterStorage.executeOne(maxBuilt.sql, maxBuilt.params);
           }),
           FRAMEWORK_SQL_TIMEOUT_MS,
           { name: table + ".readMaxCounter" }
@@ -156,12 +171,14 @@ function create(opts) {
   }
 
   async function _readChainTipRow() {
+    var tipBuilt = sql.select(table, _sqlOpts())
+      .columns(["rowHash"])
+      .orderBy("monotonicCounter", "desc")
+      .limit(1)
+      .toSql();
     return await safeAsync.withTimeout(
       safeAsync.asyncRetry(function () {
-        return clusterStorage.executeOne(
-          "SELECT rowHash FROM " + safeSql.quoteIdentifier(table) +
-          " ORDER BY monotonicCounter DESC LIMIT 1"
-        );
+        return clusterStorage.executeOne(tipBuilt.sql, tipBuilt.params);
       }),
       FRAMEWORK_SQL_TIMEOUT_MS,
       { name: table + ".readChainTip" }
@@ -169,16 +186,21 @@ function create(opts) {
   }
 
   async function _insertRow(values) {
-    // Build INSERT with quoted identifiers + ? placeholders. cluster-
-    // storage handles dialect-specific placeholder translation.
-    var quoted = columnsForInsert.map(function (c) { return safeSql.quoteIdentifier(c); }).join(", ");
-    var placeholders = columnsForInsert.map(function () { return "?"; }).join(", ");
+    // b.sql INSERT: map each column (identifier-validated at create()) to
+    // its positional value and bind as a row object — the unambiguous form
+    // (a flat value array whose first element is a Buffer/object would be
+    // misread as an array-of-rows). BARE logical table name — clusterStorage
+    // rewrites + placeholderizes per dialect.
+    var rowObj = {};
+    for (var ci = 0; ci < columnsForInsert.length; ci++) {
+      rowObj[columnsForInsert[ci]] = values[ci];
+    }
+    var insBuilt = sql.insert(table, _sqlOpts())
+      .columns(columnsForInsert)
+      .values(rowObj)
+      .toSql();
     return await safeAsync.withTimeout(
-      clusterStorage.execute(
-        "INSERT INTO " + safeSql.quoteIdentifier(table) +
-        " (" + quoted + ") VALUES (" + placeholders + ")",
-        values
-      ),
+      clusterStorage.execute(insBuilt.sql, insBuilt.params),
       FRAMEWORK_SQL_TIMEOUT_MS,
       { name: table + ".insertRow" }
     );

package/lib/cli.js

@@ -2030,7 +2030,14 @@ async function _runErase(args, ctx) {
     }
     var row;
     try {
-      row = b.db.prepare("SELECT * FROM \"" + safeTable + "\" WHERE _id = ?").get(String(rowId));
+      // Compose the lookup through b.sql so the identifier is quoted by
+      // construction and the _id binds as a placeholder. quoteName: true
+      // emits the local-sqlite `"table"` form (this runs against the
+      // bootstrapped single-node b.db handle, no clusterStorage rewrite).
+      var selBuilt = b.sql.select(safeTable, { quoteName: true })
+        .where("_id", String(rowId)).toSql();
+      var selStmt = b.db.prepare(selBuilt.sql);
+      row = selStmt.get.apply(selStmt, selBuilt.params);
     } catch (e) {
       return report.error("row lookup failed: " + ((e && e.message) || String(e)));
     }
@@ -2044,20 +2051,18 @@ async function _runErase(args, ctx) {
       return report.error("table " + safeTable + " has no sealed columns or derived hashes; " +
         "use a regular DELETE for non-sealed rows");
     }
-    var setClauses = [];
-    var values = [];
-    for (var si = 0; si < sealedFields.length; si++) {
-      setClauses.push('"' + sealedFields[si] + '" = ?');
-      values.push(null);
-    }
-    for (var di = 0; di < derivedHashes.length; di++) {
-      setClauses.push('"' + derivedHashes[di] + '" = ?');
-      values.push(null);
-    }
-    values.push(String(rowId));
+    // NULL every sealed column + derived hash. Build the SET map for
+    // b.sql.update — each column binds NULL as a placeholder, the
+    // identifiers quote by construction, and the WHERE keeps the write
+    // scoped to the single _id (b.sql refuses an unconditional update).
+    var eraseSet = {};
+    for (var si = 0; si < sealedFields.length; si++) eraseSet[sealedFields[si]] = null;
+    for (var di = 0; di < derivedHashes.length; di++) eraseSet[derivedHashes[di]] = null;
     try {
-      var upd = b.db.prepare("UPDATE \"" + safeTable + "\" SET " + setClauses.join(", ") + " WHERE _id = ?");
-      upd.run.apply(upd, values);
+      var updBuilt = b.sql.update(safeTable, { quoteName: true })
+        .set(eraseSet).where("_id", String(rowId)).toSql();
+      var upd = b.db.prepare(updBuilt.sql);
+      upd.run.apply(upd, updBuilt.params);
     } catch (e) {
       return report.error("UPDATE failed: " + ((e && e.message) || String(e)));
     }