@blamejs/core 0.14.27 → 0.15.0

package/lib/retention.js

@@ -46,6 +46,7 @@ var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var { defineClass } = require("./framework-error");
 
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -55,6 +56,25 @@ var legalHold = lazyRequire(function () { return require("./legal-hold"); });
 var RetentionError = defineClass("RetentionError", { alwaysPermanent: true });
 var _err = RetentionError.factory;
 
+// Resolve the b.sql dialect for the operator-supplied handle. The framework's
+// local b.db handle is always node:sqlite (db.js pins { dialect: "sqlite",
+// quoteName: true }) and exposes no .dialect, so this defaults to "sqlite" —
+// every sweep statement runs against that handle via .prepare(). An operator
+// handle that DOES advertise a dialect (string or () -> string) has it
+// threaded through so the emitted identifier quoting + idioms match the
+// backend the handle dispatches to. quoteName stays on for every retention
+// statement: the rule's table / ageField / softDeleteField identifiers are
+// validated then quoted by construction (no clusterStorage prefix rewrite on
+// this operator-app-schema path).
+function _handleDialect(db) {
+  if (db && typeof db.dialect === "function") {
+    try { var d = db.dialect(); return typeof d === "string" ? d : "sqlite"; }
+    catch (_e) { return "sqlite"; }
+  }
+  if (db && typeof db.dialect === "string") return db.dialect;
+  return "sqlite";
+}
+
 // Identifier-level SQLi defense: every operator-supplied table name,
 // column name, and cascade FK must pass safeSql.validateIdentifier
 // before reaching SQL string concatenation. Without this gate a
@@ -196,6 +216,11 @@ function create(opts) {
     throw _err("BAD_OPT", "create: opts.db is required (a b.db handle with .prepare(sql))");
   }
   var db = opts.db;
+  // b.sql opts for every retention statement built against this handle. The
+  // dialect tracks the handle (sqlite for the framework's local b.db); the
+  // validated operator identifiers are quoted by construction (quoteName)
+  // with no clusterStorage prefix rewrite on this path.
+  var SQL_OPTS = { dialect: _handleDialect(db), quoteName: true };
   var auditOn = opts.audit !== false && opts.audit != null;
   var auditInstance = (opts.audit && opts.audit !== true) ? opts.audit : null;
   var rules = {};
@@ -235,16 +260,24 @@ function create(opts) {
 
   function _hardDelete(table, rowId, dryRun) {
     if (dryRun) return { wouldDelete: 1 };
-    var del = db.prepare("DELETE FROM \"" + table + "\" WHERE _id = ?");
-    del.run(rowId);
+    // Operator app table — quoteName so the validated identifier emits as a
+    // quoted local name; the row id binds as a placeholder.
+    var built = sql.delete(table, SQL_OPTS)
+      .where("_id", rowId)
+      .toSql();
+    var del = db.prepare(built.sql);
+    del.run.apply(del, built.params);
     return { deleted: 1 };
   }
 
   function _softDelete(table, rowId, softField, dryRun) {
     if (dryRun) return { wouldSoftDelete: 1 };
-    var upd = db.prepare(
-      "UPDATE \"" + table + "\" SET \"" + softField + "\" = ? WHERE _id = ?");
-    upd.run(Date.now(), rowId);
+    var built = sql.update(table, SQL_OPTS)
+      .set(softField, Date.now())
+      .where("_id", rowId)
+      .toSql();
+    var upd = db.prepare(built.sql);
+    upd.run.apply(upd, built.params);
     return { softDeleted: 1 };
   }
 
@@ -261,19 +294,17 @@ function create(opts) {
       return _hardDelete(table, row._id, dryRun);
     }
     if (dryRun) return { wouldErase: 1, sealedFieldCount: sealedFields.length };
-    var setClauses = [];
-    var values = [];
-    for (var si = 0; si < sealedFields.length; si++) {
-      setClauses.push('"' + sealedFields[si] + '" = ?');
-      values.push(null);
-    }
-    for (var hi = 0; hi < hashFields.length; hi++) {
-      setClauses.push('"' + hashFields[hi] + '" = ?');
-      values.push(null);
-    }
-    values.push(row._id);
-    var upd2 = db.prepare("UPDATE \"" + table + "\" SET " + setClauses.join(", ") + " WHERE _id = ?");
-    upd2.run.apply(upd2, values);
+    // NULL every sealed column + its derived-hash sibling. b.sql binds each
+    // null as a placeholder (the set map preserves the column ordering).
+    var eraseSet = {};
+    for (var si = 0; si < sealedFields.length; si++) eraseSet[sealedFields[si]] = null;
+    for (var hi = 0; hi < hashFields.length; hi++) eraseSet[hashFields[hi]] = null;
+    var eraseBuilt = sql.update(table, SQL_OPTS)
+      .set(eraseSet)
+      .where("_id", row._id)
+      .toSql();
+    var upd2 = db.prepare(eraseBuilt.sql);
+    upd2.run.apply(upd2, eraseBuilt.params);
     // Per-row-key tables (declarePerRowKey): NULLing the sealed columns
     // is not enough — WAL / replica residuals keep the old K_row cells.
     // Destroy the row's wrapped secret so K_row is unrecoverable and the
@@ -294,15 +325,20 @@ function create(opts) {
     for (var i = 0; i < rule.cascade.length; i++) {
       var c = rule.cascade[i];
       if (dryRun) {
-        var sel = db.prepare(
-          "SELECT COUNT(*) AS n FROM \"" + c.table + "\" WHERE \"" + c.foreignKey + "\" = ?");
-        var n = sel.get(rowId);
+        var selBuilt = sql.select(c.table, SQL_OPTS)
+          .count("*", "n")
+          .where(c.foreignKey, rowId)
+          .toSql();
+        var sel = db.prepare(selBuilt.sql);
+        var n = sel.get.apply(sel, selBuilt.params);
         cascadeSummary.push({ table: c.table, foreignKey: c.foreignKey,
           wouldDelete: (n && typeof n.n === "number") ? n.n : 0 });
       } else {
-        var del = db.prepare(
-          "DELETE FROM \"" + c.table + "\" WHERE \"" + c.foreignKey + "\" = ?");
-        var result = del.run(rowId);
+        var delBuilt = sql.delete(c.table, SQL_OPTS)
+          .where(c.foreignKey, rowId)
+          .toSql();
+        var del = db.prepare(delBuilt.sql);
+        var result = del.run.apply(del, delBuilt.params);
         cascadeSummary.push({ table: c.table, foreignKey: c.foreignKey,
           deleted: result.changes || 0 });
       }
@@ -392,24 +428,31 @@ function create(opts) {
       while (moreRows) {
         var rows;
         // The candidate WHERE-clause: age + not-already-erased + not-on-legal-hold +
-        // (when soft-delete is configured) not-already-soft-deleted.
-        var whereParts = ['"' + rule.ageField + '" <= ?'];
-        var whereArgs = [cutoff];
-        if (rule.softDeleteField) {
-          whereParts.push('("' + rule.softDeleteField + '" IS NULL)');
+        // (when soft-delete is configured) not-already-soft-deleted. Built
+        // through b.sql so the operator-supplied table / ageField / softDeleteField
+        // identifiers are quoted by construction and every value binds as a
+        // placeholder (the '' empty-string compare included — no embedded literal).
+        function _candidateBase() {
+          var qb = sql.select(rule.table, SQL_OPTS)
+            .where(rule.ageField, "<=", cutoff);
+          if (rule.softDeleteField) qb.whereNull(rule.softDeleteField);
+          return qb;
         }
-        var sql = "SELECT * FROM \"" + rule.table + "\" " +
-          "WHERE " + whereParts.join(" AND ") + " " +
-          "AND (__erasedAt IS NULL OR __erasedAt = '') " +
-          "LIMIT ?";
         var selStmt;
-        try { selStmt = db.prepare(sql); rows = selStmt.all.apply(selStmt, whereArgs.concat([rule.batchSize])); }
-        catch (_eA) {
+        try {
+          var built = _candidateBase()
+            .whereGroup(function (g) {
+              g.whereNull("__erasedAt").orWhereOp("__erasedAt", "=", "");
+            })
+            .limit(rule.batchSize)
+            .toSql();
+          selStmt = db.prepare(built.sql);
+          rows = selStmt.all.apply(selStmt, built.params);
+        } catch (_eA) {
           // Fallback: tables without __erasedAt
-          var sqlPlain = "SELECT * FROM \"" + rule.table + "\" " +
-            "WHERE " + whereParts.join(" AND ") + " LIMIT ?";
-          var selPlain = db.prepare(sqlPlain);
-          rows = selPlain.all.apply(selPlain, whereArgs.concat([rule.batchSize]));
+          var plainBuilt = _candidateBase().limit(rule.batchSize).toSql();
+          var selPlain = db.prepare(plainBuilt.sql);
+          rows = selPlain.all.apply(selPlain, plainBuilt.params);
         }
         if (!rows || rows.length === 0) { moreRows = false; break; }
         summary.scanned += rows.length;

package/lib/safe-dns.js

@@ -57,6 +57,7 @@
 
 var C                  = require("./constants");
 var { defineClass }    = require("./framework-error");
+var gateContract       = require("./gate-contract");
 
 var SafeDnsError = defineClass("SafeDnsError", { alwaysPermanent: true });
 
@@ -153,11 +154,15 @@ var PROFILES = Object.freeze({
   },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
+
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: SafeDnsError,
+  codePrefix: "safe-dns",
+  byObject:   true,
 });
 
 /**
@@ -349,22 +354,6 @@ function checkCnameChainDepth(depth, opts) {
   }
 }
 
-/**
- * @primitive b.safeDns.compliancePosture
- * @signature b.safeDns.compliancePosture(posture)
- * @since     0.9.31
- * @status    stable
- *
- * Return the effective profile name for a compliance posture, or
- * `null` for unknown posture names (operator typo surfaces here).
- *
- * @example
- *   b.safeDns.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
 function _readName(state, pointerDepth) {
   if (pointerDepth > state.caps.maxPointerDepth) {
     throw new SafeDnsError("safe-dns/oversize-pointer-depth",
@@ -639,27 +628,22 @@ function _decodeOpt(rr, caps) {
   };
 }
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return PROFILES[COMPLIANCE_POSTURES[opts.posture]];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new SafeDnsError("safe-dns/bad-profile",
-      "safeDns: unknown profile '" + p + "' (valid: strict / balanced / permissive)");
-  }
-  return PROFILES[p];
-}
-
-module.exports = {
-  parseResponse:        parseResponse,
-  boundEdns0:           boundEdns0,
-  checkCnameChainDepth: checkCnameChainDepth,
-  compliancePosture:    compliancePosture,
-  PROFILES:             PROFILES,
-  COMPLIANCE_POSTURES:  COMPLIANCE_POSTURES,
-  RTYPE_NAMES:          RTYPE_NAMES,
-  SafeDnsError:         SafeDnsError,
-  NAME:                 "dns",
-  KIND:                 "dns-response",
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "dns",
+  entry:      parseResponse,
+  entryName:  "parseResponse",
+  errorClass: SafeDnsError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    boundEdns0:           boundEdns0,
+    checkCnameChainDepth: checkCnameChainDepth,
+    RTYPE_NAMES:          RTYPE_NAMES,
+    NAME:                 "dns",
+    KIND:                 "dns-response",
+  },
+});

package/lib/safe-ical.js

@@ -81,6 +81,7 @@
 
 var C = require("./constants");
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var SafeIcalError = defineClass("SafeIcalError", { alwaysPermanent: true });
 
@@ -116,12 +117,7 @@ var PROFILES = Object.freeze({
   }),
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 // Property-name allowlist per RFC 5545 §8.7 (Property Registry) +
 // RFC 5546 §4.3 (iTIP additions) + RFC 7986 §5 (new calendar
@@ -273,24 +269,6 @@ function parse(text, opts) {
     : { vcalendar: vcalendars[0], vcalendars: vcalendars };
 }
 
-/**
- * @primitive b.safeIcal.compliancePosture
- * @signature b.safeIcal.compliancePosture(name)
- * @since     0.9.81
- * @status    stable
- * @related   b.safeIcal.parse
- *
- * Map a compliance-posture name to its profile. Returns the profile
- * string for a known posture, `null` for unknown names.
- *
- * @example
- *   b.safeIcal.compliancePosture("hipaa");   // → "strict"
- *   b.safeIcal.compliancePosture("loose");   // → null
- */
-function compliancePosture(name) {
-  return COMPLIANCE_POSTURES[name] || null;
-}
-
 // ---- Profile / opt resolution ----
 
 function _resolveCaps(opts) {
@@ -623,12 +601,19 @@ function _preview(s) {
   return s.length > 64 ? s.slice(0, 64) + "..." : s;                                                       // log-preview length cap
 }
 
-module.exports = {
-  parse:               parse,
-  compliancePosture:   compliancePosture,
-  PROFILES:            PROFILES,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  KNOWN_PROPERTIES:    KNOWN_PROPERTIES,
-  KNOWN_COMPONENTS:    KNOWN_COMPONENTS,
-  SafeIcalError:       SafeIcalError,
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "ical",
+  entry:      parse,
+  entryName:  "parse",
+  errorClass: SafeIcalError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    KNOWN_PROPERTIES: KNOWN_PROPERTIES,
+    KNOWN_COMPONENTS: KNOWN_COMPONENTS,
+  },
+});

package/lib/safe-icap.js

@@ -77,6 +77,7 @@
 
 var C                  = require("./constants");
 var { defineClass }    = require("./framework-error");
+var gateContract       = require("./gate-contract");
 
 var SafeIcapError = defineClass("SafeIcapError", { alwaysPermanent: true });
 
@@ -131,11 +132,15 @@ var PROFILES = Object.freeze({
   },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
+
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: SafeIcapError,
+  codePrefix: "safe-icap",
+  byObject:   true,
 });
 
 /**
@@ -257,22 +262,6 @@ function parse(buf, opts) {
   };
 }
 
-/**
- * @primitive b.safeIcap.compliancePosture
- * @signature b.safeIcap.compliancePosture(posture)
- * @since     0.9.81
- * @status    stable
- *
- * Return the effective profile name for a compliance posture, or
- * `null` for unknown posture names.
- *
- * @example
- *   b.safeIcap.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
 // ---- internals ----
 
 function _findHeaderEnd(buf, maxHeaderBytes) {
@@ -479,25 +468,20 @@ function _detectThreat(statusCode, headers) {
   return { found: found, name: name };
 }
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return PROFILES[COMPLIANCE_POSTURES[opts.posture]];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new SafeIcapError("safe-icap/bad-profile",
-      "safeIcap: unknown profile '" + p + "' (valid: strict / balanced / permissive)");
-  }
-  return PROFILES[p];
-}
-
-module.exports = {
-  parse:                parse,
-  compliancePosture:    compliancePosture,
-  PROFILES:             PROFILES,
-  COMPLIANCE_POSTURES:  COMPLIANCE_POSTURES,
-  ALLOWED_STATUS:       ALLOWED_STATUS,
-  SafeIcapError:        SafeIcapError,
-  NAME:                 "icap",
-  KIND:                 "icap-response",
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "icap",
+  entry:      parse,
+  entryName:  "parse",
+  errorClass: SafeIcapError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    ALLOWED_STATUS: ALLOWED_STATUS,
+    NAME:           "icap",
+    KIND:           "icap-response",
+  },
+});

package/lib/safe-sieve.js

@@ -49,6 +49,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var SafeSieveError = defineClass("SafeSieveError", { alwaysPermanent: true });
 
@@ -82,12 +83,7 @@ var PROFILES = Object.freeze({
   }),
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 // RFC 5228 §1.2 capability identifiers. Each entry lists whether the
 // framework's v0.9.55 interpreter implements the capability. Unknown
@@ -648,37 +644,22 @@ function validate(script, opts) {
   }
 }
 
-/**
- * @primitive  b.safeSieve.compliancePosture
- * @signature  b.safeSieve.compliancePosture(name)
- * @since      0.9.55
- * @status     stable
- * @related    b.safeSieve.parse, b.safeSieve.validate
- *
- * Look up the recommended profile name for a compliance posture
- * (`hipaa` / `pci-dss` / `gdpr` / `soc2`). Returns `"strict"` for any
- * known posture, `null` for unknown names. Operator-facing primitives
- * that thread `compliancePosture` opt through to safeSieve compose
- * this for the explicit-cast pattern when they need the name string
- * (rather than relying on `_resolveOpts` to do the lookup).
- *
- * @example
- *   b.safeSieve.compliancePosture("hipaa");            // → "strict"
- *   b.safeSieve.compliancePosture("loose");            // → null
- */
-function compliancePosture(name) {
-  return COMPLIANCE_POSTURES[name] || null;
-}
-
-module.exports = {
-  parse:              parse,
-  validate:           validate,
-  compliancePosture:  compliancePosture,
-  KNOWN_CAPABILITIES: KNOWN_CAPABILITIES,
-  PROFILES:           PROFILES,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  SafeSieveError:     SafeSieveError,
-  // Internal exports for the interpreter at lib/mail-sieve.js.
-  _tokenize:          _tokenize,
-  _resolveCaps:       _resolveCaps,
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "sieve",
+  entry:      parse,
+  entryName:  "parse",
+  errorClass: SafeSieveError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    validate:           validate,
+    KNOWN_CAPABILITIES: KNOWN_CAPABILITIES,
+    // Internal exports for the interpreter at lib/mail-sieve.js.
+    _tokenize:          _tokenize,
+    _resolveCaps:       _resolveCaps,
+  },
+});