@blamejs/core 0.14.27 → 0.15.0

package/lib/break-glass.js

@@ -49,6 +49,7 @@ var requestHelpers = require("./request-helpers");
 var safeAsync = require("./safe-async");
 var safeJson = require("./safe-json");
 var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var totp = require("./totp");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
@@ -86,6 +87,34 @@ var DEFAULT_AUDIT_REASON    = "cleartext";
 var ALLOWED_FACTORS         = ["totp", "passkey"];
 var ALLOWED_REASON_STORAGE  = ["cleartext", "hmac", "both"];
 
+// cryptoField REGISTRY KEYS for the two break-glass framework tables. These
+// are the names db.js's FRAMEWORK_SCHEMA registered the tables under, so
+// seal / unseal / computeDerived must key off the byte-identical literal —
+// resolving them through frameworkSchema.tableName would diverge the seal-side
+// key from the registration under a custom prefix and break decryption. (SQL
+// composed via b.sql passes the SAME bare logical name so clusterStorage can
+// rewrite the table reference; these constants cover only the cryptoField
+// keying.) allow:hand-rolled-sql — cryptoField registry keys, not SQL text.
+var POLICIES_TABLE = "_blamejs_break_glass_policies";   // allow:hand-rolled-sql
+var GRANTS_TABLE   = "_blamejs_break_glass_grants";     // allow:hand-rolled-sql
+
+// b.sql opts for every statement break-glass dispatches through
+// clusterStorage. Thread the ACTIVE backend dialect (clusterStorage.dialect()
+// — "sqlite" single-node, "postgres" | "mysql" in cluster mode) so the
+// emitted identifier quoting + dialect idioms (ON CONFLICT vs ON DUPLICATE
+// KEY) match the backend the SQL dispatches to. Defaulting to "sqlite" works
+// on Postgres only by accident (both double-quote identifiers) and emits the
+// wrong quoting on MySQL. clusterStorage.execute still rewrites framework
+// table names + translates `?` placeholders at dispatch; this controls only
+// the builder-side quoting + idiom selection.
+//   _sqlOpts()    — framework tables (policies / grants); name resolved bare,
+//                   clusterStorage rewrites the prefix.
+//   _appSqlOpts() — the operator's glass-locked app table; quoteName so b.sql
+//                   quotes the (validated) identifier, and it is NOT
+//                   framework-rewritten.
+function _sqlOpts()    { return { dialect: clusterStorage.dialect() }; }
+function _appSqlOpts() { return { dialect: clusterStorage.dialect(), quoteName: true }; }
+
 // In-memory policy cache. Cluster-shared via the policies table; the
 // cache short-circuits the DB roundtrip on the unsealRow hot path.
 // Populated on first access per-table; invalidated on policy.set/delete.
@@ -157,10 +186,14 @@ async function _ensureDek(table) {
   // DEK is vault-sealed and stored in the policy row's `dekSealed`
   // column. Generated lazily on first use of cryptographic-mode for
   // the table. Cached in-memory after first read.
-  var rows = await clusterStorage.executeAll(
-    "SELECT dekSealed FROM _blamejs_break_glass_policies WHERE tableName = ?",
-    [table]
-  );
+  // The policy table is external-only; its LOGICAL name IS the
+  // `_blamejs_`-prefixed name (self-mapped in LOCAL_TO_EXTERNAL), passed
+  // bare to b.sql so clusterStorage rewrites + placeholderizes.
+  var dekReadBuilt = sql.select("_blamejs_break_glass_policies", _sqlOpts())   // allow:hand-rolled-sql
+    .columns(["dekSealed"])
+    .where("tableName", table)
+    .toSql();
+  var rows = await clusterStorage.executeAll(dekReadBuilt.sql, dekReadBuilt.params);
   if (!rows || rows.length === 0) {
     throw new BreakGlassError("breakglass/policy-not-set",
       "_ensureDek: no policy for table '" + table + "'", true);
@@ -172,10 +205,11 @@ async function _ensureDek(table) {
   } else {
     dek = generateBytes(DEK_BYTES);
     var sealedDek = vault().seal(dek.toString("base64"));
-    await clusterStorage.execute(
-      "UPDATE _blamejs_break_glass_policies SET dekSealed = ? WHERE tableName = ?",
-      [sealedDek, table]
-    );
+    var dekUpdBuilt = sql.update("_blamejs_break_glass_policies", _sqlOpts())   // allow:hand-rolled-sql
+      .set({ dekSealed: sealedDek })
+      .where("tableName", table)
+      .toSql();
+    await clusterStorage.execute(dekUpdBuilt.sql, dekUpdBuilt.params);
   }
   dekCache.set(table, dek);
   return dek;
@@ -347,14 +381,16 @@ async function migrate(table, opts) {
   var lastId = "";
   // Iterate via _id-keyset paging so we don't load the whole table into memory.
   while (true) {
-    // table is already validated as a safe identifier shape via
-    // _validatePolicySet — wrap in "..." per the framework's
-    // identifier-quoting convention.
-    var qTable = '"' + table + '"';
-    var rows = await clusterStorage.executeAll(
-      "SELECT * FROM " + qTable + " WHERE _id > ? ORDER BY _id ASC LIMIT ?",
-      [lastId, batchSize]
-    );
+    // `table` is an operator app table (already validated as a safe
+    // identifier via _validatePolicySet). quoteName:true makes b.sql quote
+    // the name (reserved-word / case-sensitive safe); it is NOT a framework
+    // table, so clusterStorage's resolveTables leaves it untouched.
+    var pageBuilt = sql.select(table, _appSqlOpts())
+      .whereOp("_id", ">", lastId)
+      .orderBy("_id", "asc")
+      .limit(batchSize)
+      .toSql();
+    var rows = await clusterStorage.executeAll(pageBuilt.sql, pageBuilt.params);
     if (!rows || rows.length === 0) break;
     for (var i = 0; i < rows.length; i++) {
       totalRows++;
@@ -378,16 +414,16 @@ async function migrate(table, opts) {
         // the cell ciphertext stays as a literal string, not double-sealed.
         var setCols = Object.keys(update).filter(function (k) { return k !== "_id"; });
         if (setCols.length > 0) {
-          // Column names came from the validated policy.columns —
-          // also wrap each in "..." for the same identifier-quoting
-          // convention.
-          var setSql = setCols.map(function (k) { return '"' + k + '" = ?'; }).join(", ");
-          var vals = setCols.map(function (k) { return update[k]; });
-          vals.push(row._id);
-          await clusterStorage.execute(
-            "UPDATE " + qTable + " SET " + setSql + " WHERE _id = ?",
-            vals
-          );
+          // Column names came from the validated policy.columns. b.sql
+          // quotes every SET target + binds every value; the operator app
+          // table is quoted (quoteName) and not framework-rewritten.
+          var setMap = {};
+          for (var sc = 0; sc < setCols.length; sc++) setMap[setCols[sc]] = update[setCols[sc]];
+          var updBuilt = sql.update(table, _appSqlOpts())
+            .set(setMap)
+            .where("_id", row._id)
+            .toSql();
+          await clusterStorage.execute(updBuilt.sql, updBuilt.params);
           migratedRows++;
         }
       } else {
@@ -662,17 +698,20 @@ async function policySet(table, opts, callerOpts) {
     auditReasonStorage:       validated.auditReasonStorage,
     updatedAt:                Date.now(),
   };
-  var sealed = cryptoField.sealRow("_blamejs_break_glass_policies", policyRow);
-  // UPSERT — both Postgres and SQLite support ON CONFLICT.
+  var sealed = cryptoField.sealRow(POLICIES_TABLE, policyRow);
+  // UPSERT via b.sql ON CONFLICT(tableName) DO UPDATE (Postgres + SQLite).
+  // BARE logical framework table — clusterStorage rewrites + placeholderizes;
+  // b.sql quotes every column + binds every sealed value. The conflict key
+  // (tableName) is excluded from the DO UPDATE set.
   var keys   = Object.keys(sealed);
-  var cols   = keys.join(", ");
-  var qs     = keys.map(function () { return "?"; }).join(", ");
-  var setSql = keys.filter(function (k) { return k !== "tableName"; })
-    .map(function (k) { return k + " = excluded." + k; }).join(", ");
-  var sql = "INSERT INTO _blamejs_break_glass_policies (" + cols + ") " +
-            "VALUES (" + qs + ") " +
-            "ON CONFLICT (tableName) DO UPDATE SET " + setSql;
-  await clusterStorage.execute(sql, keys.map(function (k) { return sealed[k]; }));
+  var setCols = keys.filter(function (k) { return k !== "tableName"; });
+  var policyBuilt = sql.upsert("_blamejs_break_glass_policies", _sqlOpts())   // allow:hand-rolled-sql
+    .columns(keys)
+    .values(sealed)
+    .onConflict(["tableName"])
+    .doUpdateFromExcluded(setCols)
+    .toSql();
+  await clusterStorage.execute(policyBuilt.sql, policyBuilt.params);
   policyCache.delete(table);
 
   audit.safeEmit({
@@ -715,15 +754,15 @@ async function policyGet(table) {
   _requireInit();
   if (typeof table !== "string" || table.length === 0) return null;
   if (policyCache.has(table)) return policyCache.get(table);
-  var rows = await clusterStorage.executeAll(
-    "SELECT * FROM _blamejs_break_glass_policies WHERE tableName = ?",
-    [table]
-  );
+  var getBuilt = sql.select("_blamejs_break_glass_policies", _sqlOpts())   // allow:hand-rolled-sql
+    .where("tableName", table)
+    .toSql();
+  var rows = await clusterStorage.executeAll(getBuilt.sql, getBuilt.params);
   if (!rows || rows.length === 0) {
     policyCache.set(table, null);
     return null;
   }
-  var unsealed = cryptoField.unsealRow("_blamejs_break_glass_policies", rows[0]);
+  var unsealed = cryptoField.unsealRow(POLICIES_TABLE, rows[0]);
   var policy = {
     table:              unsealed.tableName,
     columns:            safeJson.parse(unsealed.columnsJson, { maxBytes: C.BYTES.kib(64) }),
@@ -767,9 +806,11 @@ async function policyGet(table) {
  */
 async function policyList() {
   _requireInit();
-  var rows = await clusterStorage.executeAll(
-    "SELECT tableName FROM _blamejs_break_glass_policies ORDER BY tableName"
-  );
+  var listBuilt = sql.select("_blamejs_break_glass_policies", _sqlOpts())   // allow:hand-rolled-sql
+    .columns(["tableName"])
+    .orderBy("tableName", "asc")
+    .toSql();
+  var rows = await clusterStorage.executeAll(listBuilt.sql, listBuilt.params);
   var out = [];
   for (var i = 0; i < (rows || []).length; i++) {
     var p = await policyGet(rows[i].tableName);
@@ -801,10 +842,10 @@ async function policyDelete(table, callerOpts) {
     throw new BreakGlassError("breakglass/bad-policy",
       "policy.delete: table must be a non-empty string");
   }
-  await clusterStorage.execute(
-    "DELETE FROM _blamejs_break_glass_policies WHERE tableName = ?",
-    [table]
-  );
+  var delBuilt = sql.delete("_blamejs_break_glass_policies", _sqlOpts())   // allow:hand-rolled-sql
+    .where("tableName", table)
+    .toSql();
+  await clusterStorage.execute(delBuilt.sql, delBuilt.params);
   policyCache.delete(table);
   audit.safeEmit({
     action:   "breakglass.policy.delete",
@@ -1100,14 +1141,13 @@ async function grant(opts) {
     ip:                 ipFromReq,
     kwGrantHalf:        null,
   };
-  var sealed = cryptoField.sealRow("_blamejs_break_glass_grants", grantRow);
-  var keys = Object.keys(sealed);
-  var cols = keys.join(", ");
-  var qs   = keys.map(function () { return "?"; }).join(", ");
-  await clusterStorage.execute(
-    "INSERT INTO _blamejs_break_glass_grants (" + cols + ") VALUES (" + qs + ")",
-    keys.map(function (k) { return sealed[k]; })
-  );
+  var sealed = cryptoField.sealRow(GRANTS_TABLE, grantRow);
+  // BARE logical framework table — clusterStorage rewrites + placeholderizes;
+  // b.sql quotes every column + binds every sealed value.
+  var grantInsBuilt = sql.insert("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .values(sealed)
+    .toSql();
+  await clusterStorage.execute(grantInsBuilt.sql, grantInsBuilt.params);
 
   // Audit
   var reasonForAudit = _reasonForAudit(reason, policy.auditReasonStorage);
@@ -1273,16 +1313,16 @@ async function unsealRow(grantHandle, table, rowId, opts) {
     throw new BreakGlassError("breakglass/bad-grant-opts",
       "unsealRow: rowId is required");
   }
-  var grantRows = await clusterStorage.executeAll(
-    "SELECT * FROM _blamejs_break_glass_grants WHERE _id = ?",
-    [grantHandle.id]
-  );
+  var grantReadBuilt = sql.select("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .where("_id", grantHandle.id)
+    .toSql();
+  var grantRows = await clusterStorage.executeAll(grantReadBuilt.sql, grantReadBuilt.params);
   if (!grantRows || grantRows.length === 0) {
     throw new BreakGlassError("breakglass/grant-revoked",
       "unsealRow: grant " + grantHandle.id + " not found (deleted or never issued)", true);
   }
   var sealedGrant = grantRows[0];
-  var grantRow = cryptoField.unsealRow("_blamejs_break_glass_grants", sealedGrant);
+  var grantRow = cryptoField.unsealRow(GRANTS_TABLE, sealedGrant);
 
   // Table mismatch
   if (grantRow.scopeTable !== table) {
@@ -1343,30 +1383,41 @@ async function unsealRow(grantHandle, table, rowId, opts) {
   // grant should not be consumed. Without this ordering, a single
   // typo against `maxRowsPerGrant: 1` (the default) exhausts the
   // grant and forces the operator to re-do the step-up ceremony.
-  var rows = await clusterStorage.executeAll(
-    "SELECT * FROM " + '"' + table + '"' + " WHERE _id = ?",
-    [String(rowId)]
-  );
+  // Operator app table (validated identifier) — quoteName quotes it; it is
+  // not framework-rewritten.
+  var rowReadBuilt = sql.select(table, _appSqlOpts())
+    .where("_id", String(rowId))
+    .toSql();
+  var rows = await clusterStorage.executeAll(rowReadBuilt.sql, rowReadBuilt.params);
   if (!rows || rows.length === 0) {
     throw new BreakGlassError("breakglass/row-not-found",
       "unsealRow: " + table + "[" + rowId + "] not found", true);
   }
 
-  // Increment rowsConsumed (atomic UPDATE with WHERE rowsConsumed < cap
-  // so concurrent unseals can't both pass the runtime check above).
-  var updateRes = await clusterStorage.execute(
-    "UPDATE _blamejs_break_glass_grants " +
-    "SET rowsConsumed = rowsConsumed + 1 " +
-    "WHERE _id = ? AND rowsConsumed < maxRowsPerGrant AND " +
-    "(revokedAt IS NULL) AND expiresAt > ?",
-    [grantHandle.id, Date.now()]
-  );
+  // Increment rowsConsumed (atomic UPDATE with WHERE rowsConsumed < cap so
+  // concurrent unseals can't both pass the runtime check above). The
+  // rowsConsumed+1 RHS + the rowsConsumed<maxRowsPerGrant column comparison
+  // are guarded raw fragments (b.guardSql + placeholder/literal scan). The
+  // identifier quoting in those raw fragments is dialect-aware (backticks on
+  // MySQL, double-quotes on PG/SQLite) so the column references resolve as
+  // identifiers, not string literals, on the active backend.
+  var incDialect = clusterStorage.dialect();
+  var incBuilt = sql.update("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .setRaw("rowsConsumed", safeSql.quoteIdentifier("rowsConsumed", incDialect) + " + 1", [])
+    .where("_id", grantHandle.id)
+    .whereRaw(safeSql.quoteIdentifier("rowsConsumed", incDialect) + " < " +
+      safeSql.quoteIdentifier("maxRowsPerGrant", incDialect), [])
+    .whereNull("revokedAt")
+    .whereOp("expiresAt", ">", Date.now())
+    .toSql();
+  var updateRes = await clusterStorage.execute(incBuilt.sql, incBuilt.params);
   // executeAll-style result; some backends return rowsAffected, others a count.
   // Re-query to confirm the increment landed and get the post-increment counter.
-  var postRows = await clusterStorage.executeAll(
-    "SELECT rowsConsumed, revokedAt, expiresAt FROM _blamejs_break_glass_grants WHERE _id = ?",
-    [grantHandle.id]
-  );
+  var postReadBuilt = sql.select("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .columns(["rowsConsumed", "revokedAt", "expiresAt"])
+    .where("_id", grantHandle.id)
+    .toSql();
+  var postRows = await clusterStorage.executeAll(postReadBuilt.sql, postReadBuilt.params);
   if (!postRows || postRows.length === 0) {
     throw new BreakGlassError("breakglass/grant-revoked",
       "unsealRow: grant " + grantHandle.id + " disappeared during unseal", true);
@@ -1469,11 +1520,14 @@ async function revoke(grantId, opts) {
   }
   opts = opts || {};
   var nowMs = Date.now();
-  await clusterStorage.execute(
-    "UPDATE _blamejs_break_glass_grants SET revokedAt = ? " +
-    "WHERE _id = ? AND revokedAt IS NULL",
-    [nowMs, grantId]
-  );
+  // revokedAt IS NULL keeps the revoke idempotent (already-revoked grants
+  // keep their original timestamp).
+  var revBuilt = sql.update("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .set({ revokedAt: nowMs })
+    .where("_id", grantId)
+    .whereNull("revokedAt")
+    .toSql();
+  await clusterStorage.execute(revBuilt.sql, revBuilt.params);
   audit.safeEmit({
     action:   "breakglass.grant.revoked",
     outcome:  "success",
@@ -1516,19 +1570,25 @@ async function listActive(opts) {
   // Use cryptoField's computeDerived so the hash matches the table's
   // hashNamespace prefix — raw sha3Hash would produce a different value.
   var derived = cryptoField.computeDerived(
-    "_blamejs_break_glass_grants", "issuedToActorId", actorId
+    GRANTS_TABLE, "issuedToActorId", actorId
   );
   if (!derived) return [];
   var nowMs = Date.now();
-  var rows = await clusterStorage.executeAll(
-    "SELECT * FROM _blamejs_break_glass_grants " +
-    "WHERE issuedToActorHash = ? AND (revokedAt IS NULL) AND expiresAt > ? AND rowsConsumed < maxRowsPerGrant " +
-    "ORDER BY issuedAt DESC",
-    [derived.value, nowMs]
-  );
+  // rowsConsumed < maxRowsPerGrant is a column-to-column comparison (guarded
+  // raw fragment); every other predicate is structured.
+  var laDialect = clusterStorage.dialect();
+  var laBuilt = sql.select("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .where("issuedToActorHash", derived.value)
+    .whereNull("revokedAt")
+    .whereOp("expiresAt", ">", nowMs)
+    .whereRaw(safeSql.quoteIdentifier("rowsConsumed", laDialect) + " < " +
+      safeSql.quoteIdentifier("maxRowsPerGrant", laDialect), [])
+    .orderBy("issuedAt", "desc")
+    .toSql();
+  var rows = await clusterStorage.executeAll(laBuilt.sql, laBuilt.params);
   var out = [];
   for (var i = 0; i < (rows || []).length; i++) {
-    var u = cryptoField.unsealRow("_blamejs_break_glass_grants", rows[i]);
+    var u = cryptoField.unsealRow(GRANTS_TABLE, rows[i]);
     out.push({
       id:             u._id,
       scopeTable:     u.scopeTable,
@@ -1644,11 +1704,12 @@ async function unsealRowAsService(req, table, rowId, opts) {
   }
 
   // Fetch + unseal the row (Model A or Model B path, same as
-  // operator-initiated unsealRow).
-  var rows = await clusterStorage.executeAll(
-    "SELECT * FROM " + '"' + table + '"' + " WHERE _id = ?",
-    [String(rowId)]
-  );
+  // operator-initiated unsealRow). Operator app table — quoteName quotes it;
+  // it is not framework-rewritten.
+  var svcRowBuilt = sql.select(table, _appSqlOpts())
+    .where("_id", String(rowId))
+    .toSql();
+  var rows = await clusterStorage.executeAll(svcRowBuilt.sql, svcRowBuilt.params);
   if (!rows || rows.length === 0) {
     throw new BreakGlassError("breakglass/row-not-found",
       "unsealRowAsService: " + table + "[" + rowId + "] not found", true);
@@ -1722,24 +1783,22 @@ async function listActiveAll(opts) {
   _requireInit();
   opts = opts || {};
   var nowMs = Date.now();
-  var clauses = ["(revokedAt IS NULL)", "expiresAt > ?", "rowsConsumed < maxRowsPerGrant"];
-  var params = [nowMs];
-  if (opts.table) {
-    clauses.push("scopeTable = ?");
-    params.push(opts.table);
-  }
-  if (opts.since) {
-    clauses.push("issuedAt >= ?");
-    params.push(opts.since);
-  }
-  var rows = await clusterStorage.executeAll(
-    "SELECT * FROM _blamejs_break_glass_grants WHERE " + clauses.join(" AND ") +
-    " ORDER BY issuedAt DESC",
-    params
-  );
+  // rowsConsumed < maxRowsPerGrant is a column-to-column comparison (guarded
+  // raw fragment); the rest are structured predicates.
+  var laaDialect = clusterStorage.dialect();
+  var laaQb = sql.select("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .whereNull("revokedAt")
+    .whereOp("expiresAt", ">", nowMs)
+    .whereRaw(safeSql.quoteIdentifier("rowsConsumed", laaDialect) + " < " +
+      safeSql.quoteIdentifier("maxRowsPerGrant", laaDialect), []);
+  if (opts.table) laaQb.where("scopeTable", opts.table);
+  if (opts.since) laaQb.whereOp("issuedAt", ">=", opts.since);
+  laaQb.orderBy("issuedAt", "desc");
+  var laaBuilt = laaQb.toSql();
+  var rows = await clusterStorage.executeAll(laaBuilt.sql, laaBuilt.params);
   var out = [];
   for (var i = 0; i < (rows || []).length; i++) {
-    var u = cryptoField.unsealRow("_blamejs_break_glass_grants", rows[i]);
+    var u = cryptoField.unsealRow(GRANTS_TABLE, rows[i]);
     out.push({
       id:             u._id,
       issuedToActorId: u.issuedToActorId,
@@ -1796,31 +1855,28 @@ async function revokeAll(criteria, opts) {
       "revokeAll: at least one of { actorId, table } is required (refusing to mass-revoke without scope)");
   }
   opts = opts || {};
-  var clauses = ["revokedAt IS NULL"];
-  var params = [];
-  if (criteria.actorId) {
-    var derived = cryptoField.computeDerived(
-      "_blamejs_break_glass_grants", "issuedToActorId", criteria.actorId
-    );
-    if (derived) {
-      clauses.push("issuedToActorHash = ?");
-      params.push(derived.value);
-    }
-  }
-  if (criteria.table) {
-    clauses.push("scopeTable = ?");
-    params.push(criteria.table);
+  // The SELECT (snapshot ids) and UPDATE (apply revoke) share one predicate
+  // set; applyRevokeCriteria replays it onto either builder so the WHERE can
+  // never drift between the two.
+  var derived = criteria.actorId
+    ? cryptoField.computeDerived(GRANTS_TABLE, "issuedToActorId", criteria.actorId)
+    : null;
+  function applyRevokeCriteria(qb) {
+    qb.whereNull("revokedAt");
+    if (criteria.actorId && derived) qb.where("issuedToActorHash", derived.value);
+    if (criteria.table) qb.where("scopeTable", criteria.table);
+    return qb;
   }
   // Snapshot the to-be-revoked grant ids first so audit captures specifics.
-  var ids = await clusterStorage.executeAll(
-    "SELECT _id FROM _blamejs_break_glass_grants WHERE " + clauses.join(" AND "),
-    params
-  );
+  var idSelBuilt = applyRevokeCriteria(
+    sql.select("_blamejs_break_glass_grants", _sqlOpts()).columns(["_id"])   // allow:hand-rolled-sql
+  ).toSql();
+  var ids = await clusterStorage.executeAll(idSelBuilt.sql, idSelBuilt.params);
   var nowMs = Date.now();
-  await clusterStorage.execute(
-    "UPDATE _blamejs_break_glass_grants SET revokedAt = ? WHERE " + clauses.join(" AND "),
-    [nowMs].concat(params)
-  );
+  var revAllBuilt = applyRevokeCriteria(
+    sql.update("_blamejs_break_glass_grants", _sqlOpts()).set({ revokedAt: nowMs })   // allow:hand-rolled-sql
+  ).toSql();
+  await clusterStorage.execute(revAllBuilt.sql, revAllBuilt.params);
   audit.safeEmit({
     action:   "breakglass.admin.revokeall",
     outcome:  "success",
@@ -1841,11 +1897,12 @@ async function revokeAll(criteria, opts) {
 async function _sweepExpired(opts) {
   opts = opts || {};
   var nowMs = Date.now();
-  var expired = await clusterStorage.executeAll(
-    "SELECT _id, issuedToActorId, scopeTable, rowsConsumed FROM _blamejs_break_glass_grants " +
-    "WHERE revokedAt IS NULL AND expiresAt <= ?",
-    [nowMs]
-  );
+  var expiredBuilt = sql.select("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .columns(["_id", "issuedToActorId", "scopeTable", "rowsConsumed"])
+    .whereNull("revokedAt")
+    .whereOp("expiresAt", "<=", nowMs)
+    .toSql();
+  var expired = await clusterStorage.executeAll(expiredBuilt.sql, expiredBuilt.params);
   for (var i = 0; i < (expired || []).length; i++) {
     var row = expired[i];
     audit.safeEmit({
@@ -1855,11 +1912,12 @@ async function _sweepExpired(opts) {
       metadata: { grantId: row._id, table: row.scopeTable, rowsConsumed: Number(row.rowsConsumed) },
     });
   }
-  await clusterStorage.execute(
-    "UPDATE _blamejs_break_glass_grants SET revokedAt = ? " +
-    "WHERE revokedAt IS NULL AND expiresAt <= ?",
-    [nowMs, nowMs]
-  );
+  var sweepUpdBuilt = sql.update("_blamejs_break_glass_grants", _sqlOpts())   // allow:hand-rolled-sql
+    .set({ revokedAt: nowMs })
+    .whereNull("revokedAt")
+    .whereOp("expiresAt", "<=", nowMs)
+    .toSql();
+  await clusterStorage.execute(sweepUpdBuilt.sql, sweepUpdBuilt.params);
   return { expired: (expired || []).length };
 }