@blamejs/core 0.14.27 → 0.15.0

package/lib/static.js

@@ -126,12 +126,32 @@ var DEFAULTS = Object.freeze({
   // serve event is the audit-worthy act, not a precursor.
   auditSuccess:                     true,
   auditFailures:                    true,
+  // mountType — declares what KIND of content this mount serves, so
+  // the stored-XSS-relevant defaults follow the typing instead of being
+  // hand-flipped per mount (v0.15.0):
+  //   "curated"      (default) — operator-controlled assets (CSS / JS
+  //                  bundles / fonts / images). Inline render is required
+  //                  and safe because the operator authored the bytes;
+  //                  forceAttachmentForNonText defaults OFF.
+  //   "user-content" — files written by end users / untrusted uploaders.
+  //                  A served .html / .js / .svg here is a stored-XSS
+  //                  vector, so forceAttachmentForNonText defaults ON —
+  //                  risky inline MIMEs are forced to download unless a
+  //                  sanitizer gate vouches for them (see
+  //                  `_shouldForceAttachment`). This is the conditional
+  //                  flip: a curated asset dir is never blindly forced to
+  //                  download; only a mount the operator TYPED as
+  //                  user-content gets the strict default.
+  // An explicit forceAttachmentForNonText always overrides the
+  // mountType-derived default.
+  mountType:                        "curated",
   // forceAttachmentForNonText — stored-XSS defense for user-upload
-  // directories. Default OFF because operator-curated asset dirs
-  // (CSS / JS bundles / fonts) need inline render. Opt in for
-  // user-upload-backed mounts so HTML / JS / SVG without sanitizer
-  // / PDF / archives are forced to download. See
-  // `_shouldForceAttachment` below for the safe-render allowlist.
+  // directories. Default follows mountType: OFF for "curated" mounts
+  // (operator-curated CSS / JS bundles / fonts need inline render), ON for
+  // "user-content" mounts so HTML / JS / SVG without a sanitizer / PDF /
+  // archives are forced to download. Set explicitly to override the
+  // mountType-derived default either way. See `_shouldForceAttachment`
+  // below for the safe-render allowlist.
   forceAttachmentForNonText:        false,
   // Companion knobs — when forceAttachmentForNonText is on, allow
   // image/svg+xml inline render IF an SVG sanitizer gate is wired
@@ -547,6 +567,15 @@ function _validateCreateOpts(opts) {
   validateOpts.optionalBoolean(opts.auditFailures, "staticServe.create: auditFailures", StaticServeError);
   validateOpts.optionalBoolean(opts.safeAttachmentForRiskyMimes,
     "staticServe.create: safeAttachmentForRiskyMimes", StaticServeError);
+  // mountType — config-time enum. A typo ("usercontent", "uploads")
+  // would silently fall back to the curated default and serve untrusted
+  // HTML inline, so THROW at boot rather than mis-type the mount.
+  if (opts.mountType !== undefined &&
+      opts.mountType !== "curated" && opts.mountType !== "user-content") {
+    throw _err("BAD_OPT",
+      "staticServe.create: mountType must be 'curated' (default) or " +
+      "'user-content'; got " + JSON.stringify(opts.mountType));
+  }
   validateOpts.optionalBoolean(opts.forceAttachmentForNonText,
     "staticServe.create: forceAttachmentForNonText", StaticServeError);
   validateOpts.optionalBoolean(opts.safeRenderSvg,
@@ -684,7 +713,7 @@ function create(opts) {
     "maxBytesPerActorPerWindowMs", "maxBytesAllActorsPerWindowMs",
     "bandwidthWindowMs", "maxConcurrentDownloadsPerActor", "maxIdleMs",
     "contentSafety", "contentSafetyDisabledReason",
-    "forceAttachmentForNonText", "safeRenderSvg", "safeRenderPdf",
+    "mountType", "forceAttachmentForNonText", "safeRenderSvg", "safeRenderPdf",
   ], "staticServe.create");
   _validateCreateOpts(opts);
   var cfg = validateOpts.applyDefaults(opts, DEFAULTS);
@@ -738,7 +767,16 @@ function create(opts) {
   var auditFailures   = cfg.auditFailures;
   var acceptRanges    = cfg.acceptRanges;
   var safeAttachment  = !!cfg.safeAttachmentForRiskyMimes;
-  var forceAttachmentForNonText = !!cfg.forceAttachmentForNonText;
+  // forceAttachmentForNonText default follows mountType (v0.15.0): a
+  // mount TYPED "user-content" forces risky inline MIMEs to download by
+  // default (stored-XSS defense for untrusted uploads); a "curated" mount
+  // keeps inline render. An explicit forceAttachmentForNonText overrides
+  // the mountType-derived default either way. The conditional flip never
+  // blindly force-attaches a curated asset dir.
+  var mountType       = opts.mountType || "curated";
+  var forceAttachmentForNonText = opts.forceAttachmentForNonText !== undefined
+    ? !!opts.forceAttachmentForNonText
+    : (mountType === "user-content");
   var allowSvgRender  = cfg.safeRenderSvg !== false;
   var allowPdfRender  = !!cfg.safeRenderPdf;
   var perActorCap     = cfg.maxBytesPerActorPerWindowMs;

package/lib/subject.js

@@ -40,11 +40,22 @@ var { sha3Hash } = require("./crypto");
 var cryptoField = require("./crypto-field");
 var audit = require("./audit");
 var cluster = require("./cluster");
+var safeSql = require("./safe-sql");
+var sql = require("./sql");
 var lazyRequire = require("./lazy-require");
 
 var db = lazyRequire(function () { return require("./db"); });
 var legalHold = lazyRequire(function () { return require("./legal-hold"); });
 
+// Local-SQLite framework tables for the Art. 18 restriction flag + the
+// erasure marker. These run against the b.db() handle directly, so the
+// b.sql builders carry { quoteName: true } to emit the quoted local name
+// (no clusterStorage prefix rewrite on this path). The names are literals
+// for the same reason db.js declares them as literals — they ARE the
+// canonical local table identifiers.
+var RESTRICTIONS_TABLE = "_blamejs_subject_restrictions";   // allow:hand-rolled-sql — canonical local table-name; passed to b.sql with quoteName
+var ERASURES_TABLE = "_blamejs_subject_erasures";           // allow:hand-rolled-sql — canonical local table-name; passed to b.sql with quoteName
+
 // Required acknowledgements before subject.erase will run. Operator must
 // explicitly attest each one to confirm no statutory retention or active
 // litigation hold blocks the deletion.
@@ -211,7 +222,7 @@ function rectify(subjectId, opts) {
       rowId:      opts.id,
       requestReason: opts.reason,
     });
-    throw new Error("subject.rectify: row not found in '" + opts.table + "' with _id '" + opts.id + "'");
+    throw new Error("subject.rectify: row not found in '" + opts.table + "' for _id '" + opts.id + "'");
   }
 
   var changedKeys = Object.keys(opts.changes);
@@ -478,7 +489,10 @@ function eraseHard(subjectId, opts) {
       perTable[spec.name] = deleted;
       // REINDEX the table so B-tree pages holding the deleted row's
       // index entries are rebuilt — closes the erase-vacuum residual class.
-      try { db().runSql('REINDEX "' + spec.name + '"'); }                                        // table name comes from FRAMEWORK_SCHEMA
+      // REINDEX is a sqlite maintenance verb with no b.sql builder; the
+      // table identifier is quoted through b.safeSql so the name is safe by
+      // construction (it comes from FRAMEWORK_SCHEMA / the subject-table set).
+      try { db().runSql("REINDEX " + safeSql.quoteIdentifier(spec.name, "sqlite", { allowReserved: true })); }
       catch (_e) { /* cluster mode / unsupported dialect */ }
     }
     _markErased(subjectId);
@@ -536,20 +550,31 @@ function restrict(subjectId, opts) {
   if (!opts || typeof opts.on !== "boolean") {
     throw new Error("subject.restrict requires { on: true|false }");
   }
-  var existing = db().prepare(
-    "SELECT subjectIdHash FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-  ).get(_subjectHash(subjectId));
+  var restrictSelBuilt = sql.select(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+    .columns(["subjectIdHash"])
+    .where("subjectIdHash", _subjectHash(subjectId))
+    .toSql();
+  var restrictSelStmt = db().prepare(restrictSelBuilt.sql);
+  var existing = restrictSelStmt.get.apply(restrictSelStmt, restrictSelBuilt.params);
 
   if (opts.on) {
     if (!existing) {
-      db().prepare(
-        "INSERT INTO _blamejs_subject_restrictions (subjectIdHash, since, reason) VALUES (?, ?, ?)"
-      ).run(_subjectHash(subjectId), Date.now(), opts.reason || null);
+      var restrictInsBuilt = sql.insert(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+        .values({
+          subjectIdHash: _subjectHash(subjectId),
+          since:         Date.now(),
+          reason:        opts.reason || null,
+        })
+        .toSql();
+      var restrictInsStmt = db().prepare(restrictInsBuilt.sql);
+      restrictInsStmt.run.apply(restrictInsStmt, restrictInsBuilt.params);
     }
   } else if (existing) {
-    db().prepare(
-      "DELETE FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-    ).run(_subjectHash(subjectId));
+    var restrictDelBuilt = sql.delete(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+      .where("subjectIdHash", _subjectHash(subjectId))
+      .toSql();
+    var restrictDelStmt = db().prepare(restrictDelBuilt.sql);
+    restrictDelStmt.run.apply(restrictDelStmt, restrictDelBuilt.params);
   }
 
   _writeAudit("subject.restrict", subjectId, "success", {
@@ -581,9 +606,15 @@ function restrict(subjectId, opts) {
  */
 function isRestricted(subjectId) {
   if (!subjectId) return false;
-  var row = db().prepare(
-    "SELECT 1 FROM _blamejs_subject_restrictions WHERE subjectIdHash = ?"
-  ).get(_subjectHash(subjectId));
+  // Presence check — project the PK column (b.sql columns must be real
+  // identifiers, not a `SELECT 1` literal); a matched row is truthy.
+  var built = sql.select(RESTRICTIONS_TABLE, { dialect: "sqlite", quoteName: true })
+    .columns(["subjectIdHash"])
+    .where("subjectIdHash", _subjectHash(subjectId))
+    .limit(1)
+    .toSql();
+  var stmt = db().prepare(built.sql);
+  var row = stmt.get.apply(stmt, built.params);
   return !!row;
 }
 
@@ -629,9 +660,16 @@ function recordObjection(subjectId, opts) {
 // ---- Internal helpers ----
 
 function _markErased(subjectId) {
-  db().prepare(
-    "INSERT OR REPLACE INTO _blamejs_subject_erasures (subjectIdHash, erasedAt) VALUES (?, ?)"
-  ).run(_subjectHash(subjectId), Date.now());
+  // "INSERT OR REPLACE" is the sqlite upsert idiom — express it portably as
+  // INSERT … ON CONFLICT(subjectIdHash) DO UPDATE SET erasedAt = EXCLUDED.erasedAt
+  // (the row is keyed by subjectIdHash; a re-erase just refreshes the timestamp).
+  var built = sql.upsert(ERASURES_TABLE, { dialect: "sqlite", quoteName: true })
+    .values({ subjectIdHash: _subjectHash(subjectId), erasedAt: Date.now() })
+    .onConflict(["subjectIdHash"])
+    .doUpdateFromExcluded(["erasedAt"])
+    .toSql();
+  var stmt = db().prepare(built.sql);
+  stmt.run.apply(stmt, built.params);
 }
 
 function _subjectHash(subjectId) {

package/lib/vault/index.js

@@ -71,6 +71,7 @@ var { boot } = require("../log");
 var safeBuffer = require("../safe-buffer");
 var safeJson = require("../safe-json");
 var observability = require("../observability");
+var frameworkFiles = require("../framework-files");
 var vaultPassphraseSource = require("./passphrase-source");
 var vaultWrap = require("./wrap");
 var { defineClass } = require("../framework-error");
@@ -99,8 +100,8 @@ var log = boot("vault");
 function resolvePaths(dataDir) {
   return {
     dataDir:           dataDir,
-    plaintext:         nodePath.join(dataDir, "vault.key"),
-    sealed:            nodePath.join(dataDir, "vault.key.sealed"),
+    plaintext:         nodePath.join(dataDir, frameworkFiles.fileName("vaultKey")),
+    sealed:            nodePath.join(dataDir, frameworkFiles.fileName("vaultKey") + ".sealed"),
     derivedHashSalt:   nodePath.join(dataDir, "vault.derived-hash-salt"),
     derivedHashMacKey: nodePath.join(dataDir, "vault.derived-hash-mac.sealed"),
   };

package/lib/vault/passphrase-ops.js

@@ -38,13 +38,14 @@
 var nodeFs = require("node:fs");
 var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
+var frameworkFiles = require("../framework-files");
 var vaultWrap = require("./wrap");
 var { defineClass } = require("../framework-error");
 
 var VaultPassphraseError = defineClass("VaultPassphraseError", { alwaysPermanent: true });
 
-var PLAINTEXT_NAME = "vault.key";
-var SEALED_NAME    = "vault.key.sealed";
+var PLAINTEXT_NAME = frameworkFiles.fileName("vaultKey");
+var SEALED_NAME    = frameworkFiles.fileName("vaultKey") + ".sealed";
 
 function _paths(dataDir) {
   return {

package/lib/vault/rotate.js

@@ -52,12 +52,13 @@ var nodeFs = require("node:fs");
 var nodePath = require("node:path");
 var { DatabaseSync } = require("node:sqlite");
 var atomicFile = require("../atomic-file");
-var safeSql = require("../safe-sql");
+var sql = require("../sql");
 var C = require("../constants");
 var cryptoField = require("../crypto-field");
 var bCrypto = require("../crypto");
 var vaultAad = require("../vault-aad");
 var dbSchema = require("../db-schema");
+var frameworkFiles = require("../framework-files");
 var lazyRequire = require("../lazy-require");
 var { boot } = require("../log");
 var numericBounds = require("../numeric-bounds");
@@ -97,18 +98,30 @@ var DEFAULT_DRIFT_SAMPLE_LIMIT = 100;
 var DEFAULT_VERIFY_SAMPLE_MIN  = 5;
 var DEFAULT_VERIFY_SAMPLE_FRAC = 0.01;
 
+// The catalog/PRAGMA statements all compose through b.sql's narrow audited
+// catalog sub-API (b.sql.catalog / b.sql.pragma) - the only path that emits
+// an sqlite_master reference or a PRAGMA verb, allowlisting exactly the
+// statements the key-rotation walk needs and refusing every other internal
+// identifier / PRAGMA verb. Each returns { sql, params }; the node:sqlite
+// handle takes the params positionally.
+function _all(db, built) {
+  var stmt = db.prepare(built.sql);
+  return built.params.length > 0 ? stmt.all.apply(stmt, built.params) : stmt.all();
+}
+function _get(db, built) {
+  var stmt = db.prepare(built.sql);
+  return built.params.length > 0 ? stmt.get.apply(stmt, built.params) : stmt.get();
+}
+
 function _listLiveTables(db) {
-  return db.prepare(
-    "SELECT name FROM sqlite_master " +
-    "WHERE type='table' AND name NOT LIKE 'sqlite_%'"
-  ).all().map(function (r) { return r.name; });
+  return _all(db, sql.catalog.listTables()).map(function (r) { return r.name; });
 }
 
 function _listLiveColumns(db, table) {
   // PRAGMA table_info — table name comes from sqlite_master so it's
-  // already validated as an existing identifier.
-  return db.prepare("PRAGMA table_info(\"" + table.replace(/"/g, '""') + "\")").all()
-    .map(function (c) { return c.name; });
+  // already validated as an existing identifier; b.sql.catalog.tableInfo
+  // quotes it by construction.
+  return _all(db, sql.catalog.tableInfo(table)).map(function (c) { return c.name; });
 }
 
 function _knownColumnsFor(schema, infraColumns) {
@@ -201,12 +214,13 @@ function validateSchemaMatch(db, opts) {
     }
     if (unknown.length === 0) continue;
 
-    var quotedCols = unknown.map(function (n) { return '"' + n.replace(/"/g, '""') + '"'; }).join(", ");
-    var sampleSql = "SELECT " + quotedCols +
-      " FROM \"" + table.replace(/"/g, '""') + "\" LIMIT " + sampleLimit;
+    var sampleBuilt = sql.select(table, { dialect: "sqlite", quoteName: true })
+      .columns(unknown)
+      .limit(sampleLimit)
+      .toSql();
     var sampled;
     try {
-      sampled = db.prepare(sampleSql).all();
+      sampled = _all(db, sampleBuilt);
     } catch (e) {
       warnings.push({
         kind:    "sample_failed",
@@ -312,7 +326,8 @@ function verify(opts) {
     var schema = cryptoField.getSchema(table);
     if (!schema || !Array.isArray(schema.sealedFields) || schema.sealedFields.length === 0) continue;
 
-    var totalRow = db.prepare('SELECT COUNT(*) AS n FROM "' + table.replace(/"/g, '""') + '"').get();
+    var totalRow = _get(db, sql.select(table, { dialect: "sqlite", quoteName: true })
+      .count("*", "n").toSql());
     var total = totalRow ? totalRow.n : 0;
     if (total === 0) continue;
 
@@ -320,10 +335,10 @@ function verify(opts) {
     if (sampleN > total) sampleN = total;
 
     // RANDOM() is fine for a sampler — we're picking representative rows,
-    // not building cryptographic randomness.
-    var sampled = db.prepare(
-      'SELECT * FROM "' + table.replace(/"/g, '""') + '" ORDER BY RANDOM() LIMIT ?'
-    ).all(sampleN);
+    // not building cryptographic randomness. b.sql.catalog.sampleRandom is
+    // the audited ORDER BY RANDOM() form (the general builder has no random-
+    // order clause); columns omitted -> `*`.
+    var sampled = _all(db, sql.catalog.sampleRandom(table, null, { limit: sampleN }));
 
     var foundOldFail = !oldKeys; // when no oldKeys supplied, this check is N/A
     var verifiedRows = 0;
@@ -529,15 +544,19 @@ function _walkAndReSeal(node, oldKeys, newKeys) {
   return { value: node, changed: false };
 }
 
-function _runStmt(db, sql) { db.prepare(sql).run(); }
+// Transaction-control statements only (BEGIN / COMMIT / ROLLBACK) - fixed
+// keywords, no identifier / value, so they stay verbatim rather than route
+// through b.sql (the builder has no transaction-control verb). The param is
+// named `stmtText` so it does not shadow the module-level `sql` builder.
+function _runStmt(db, stmtText) { db.prepare(stmtText).run(); }
 
 function _rotateColumn(db, table, column, schema, roots, batchSize, progress) {
-  // Identifiers reach SQL through safeSql.quoteIdentifier — runs
-  // validateIdentifier (rejects bad shape / reserved words /
-  // sqlite_-prefix) + emits the dialect-correct quoted form.
-  var qt = safeSql.quoteIdentifier(table, "sqlite");
-  var qc = safeSql.quoteIdentifier(column, "sqlite");
-  var total = db.prepare("SELECT COUNT(*) AS n FROM " + qt + " WHERE " + qc + " IS NOT NULL").get().n;
+  // Every statement composes through b.sql (sqlite dialect, quoteName so
+  // the concrete handle's table is quoted, not left bare for a cluster
+  // rewrite that does not apply here). Identifiers are validated + quoted
+  // by construction; the cursor bound (_id) + LIMIT bind as ? placeholders.
+  var total = _get(db, sql.select(table, { dialect: "sqlite", quoteName: true })
+    .count("*", "n").whereNotNull(column).toSql()).n;
   if (total === 0) return 0;
 
   // AAD-bound tables (registerTable({aad:true})) seal each cell under a
@@ -548,36 +567,54 @@ function _rotateColumn(db, table, column, schema, roots, batchSize, progress) {
   var aadMode = !!(schema && schema.aad);
   var rowIdField = aadMode ? schema.rowIdField : null;
   var needRid = aadMode && rowIdField && rowIdField !== "_id";
-  var qrid = needRid ? safeSql.quoteIdentifier(rowIdField, "sqlite") : null;
 
-  var sel = db.prepare(
-    "SELECT _id, " + qc + " AS v" + (qrid ? ", " + qrid + " AS rid" : "") + " FROM " + qt +
-    " WHERE " + qc + " IS NOT NULL AND _id > ? ORDER BY _id LIMIT ?"
-  );
-  var upd = db.prepare("UPDATE " + qt + " SET " + qc + " = ? WHERE _id = ?");
+  // Keyset-cursor page over (_id) ascending. The projected columns are read
+  // by their REAL names off the result row (no AS alias) - the column value
+  // is row[column], the row-id value is row[rowIdField]. The SQL text is
+  // constant across the loop (only the bound _id-cursor changes; LIMIT is a
+  // builder-inlined integer literal, validated non-negative), so prepare
+  // once + re-run with the fresh cursor param positionally. The SELECT
+  // carries exactly one `?` (the _id cursor); the UPDATE carries two (the
+  // resealed value + the _id).
+  var selCols = ["_id", column];
+  if (needRid) selCols.push(rowIdField);
+  var selBuilt = sql.select(table, { dialect: "sqlite", quoteName: true })
+    .columns(selCols)
+    .whereNotNull(column)
+    .whereOp("_id", ">", "")
+    .orderBy("_id")
+    .limit(batchSize)
+    .toSql();
+  var sel = db.prepare(selBuilt.sql);
+  var updBuilt = sql.update(table, { dialect: "sqlite", quoteName: true })
+    .set(column, "")
+    .where("_id", "")
+    .toSql();
+  var upd = db.prepare(updBuilt.sql);
 
   var processed = 0;
   var lastId = "";
   while (true) {
-    var rows = sel.all(lastId, batchSize);
+    var rows = sel.all(lastId);
     if (rows.length === 0) break;
 
     dbSchema.runInTransaction(db, function () {
       for (var i = 0; i < rows.length; i++) {
         var row = rows[i];
-        if (typeof row.v !== "string") continue;
-        if (aadMode && vaultAad.isAadSealed(row.v)) {
+        var cellVal = row[column];
+        if (typeof cellVal !== "string") continue;
+        if (aadMode && vaultAad.isAadSealed(cellVal)) {
           // Rebuild the exact AAD the seal side used. cryptoField._aadParts
           // reads row[schema.rowIdField]; feed it the rowIdField value we
-          // selected (rid, or _id when rowIdField IS _id).
+          // selected (row[rowIdField], or _id when rowIdField IS _id).
           var rowForAad = {};
-          rowForAad[rowIdField] = needRid ? row.rid : row._id;
+          rowForAad[rowIdField] = needRid ? row[rowIdField] : row._id;
           var aad = cryptoField._aadParts(schema, table, column, rowForAad);
-          upd.run(vaultAad.resealRoot(row.v, aad, roots.oldRootJson, roots.newRootJson), row._id);
-        } else if (row.v.indexOf(C.VAULT_PREFIX) === 0) {
+          upd.run(vaultAad.resealRoot(cellVal, aad, roots.oldRootJson, roots.newRootJson), row._id);
+        } else if (cellVal.indexOf(C.VAULT_PREFIX) === 0) {
           // Plain vault: cell (non-AAD table, or a legacy pre-AAD cell in
           // an AAD table that the next sealRow upgrades).
-          upd.run(_reSealValue(row.v, roots.oldKeys, roots.newKeys), row._id);
+          upd.run(_reSealValue(cellVal, roots.oldKeys, roots.newKeys), row._id);
         }
       }
     });
@@ -589,23 +626,33 @@ function _rotateColumn(db, table, column, schema, roots, batchSize, progress) {
 }
 
 function _rotateOverflow(db, table, oldKeys, newKeys, batchSize, progress, warnings) {
-  var qt = '"' + table.replace(/"/g, '""') + '"';
-  var cols = db.prepare("PRAGMA table_info(" + qt + ")").all();
+  var cols = _all(db, sql.catalog.tableInfo(table));
   if (!cols.some(function (c) { return c.name === "data"; })) return 0;
 
-  var total = db.prepare("SELECT COUNT(*) AS n FROM " + qt + " WHERE data IS NOT NULL").get().n;
+  var total = _get(db, sql.select(table, { dialect: "sqlite", quoteName: true })
+    .count("*", "n").whereNotNull("data").toSql()).n;
   if (total === 0) return 0;
 
-  var sel = db.prepare(
-    "SELECT _id, data FROM " + qt +
-    " WHERE data IS NOT NULL AND _id > ? ORDER BY _id LIMIT ?"
-  );
-  var upd = db.prepare("UPDATE " + qt + " SET data = ? WHERE _id = ?");
+  // Same keyset cursor as _rotateColumn over the overflow `data` JSON
+  // column: one bound `?` (the _id cursor), builder-inlined LIMIT literal.
+  var selBuilt = sql.select(table, { dialect: "sqlite", quoteName: true })
+    .columns(["_id", "data"])
+    .whereNotNull("data")
+    .whereOp("_id", ">", "")
+    .orderBy("_id")
+    .limit(batchSize)
+    .toSql();
+  var sel = db.prepare(selBuilt.sql);
+  var updBuilt = sql.update(table, { dialect: "sqlite", quoteName: true })
+    .set("data", "")
+    .where("_id", "")
+    .toSql();
+  var upd = db.prepare(updBuilt.sql);
 
   var processed = 0;
   var lastId = "";
   while (true) {
-    var rows = sel.all(lastId, batchSize);
+    var rows = sel.all(lastId);
     if (rows.length === 0) break;
 
     _runStmt(db, "BEGIN");
@@ -689,10 +736,10 @@ async function rotate(opts) {
   var progress = opts.progressCallback;
   var warnings = [];
   var paths = Object.assign({
-    encryptedDb:      "db.enc",
-    dbKeySealed:      "db.key.enc",
-    vaultKeyPlain:    "vault.key",
-    vaultKeySealed:   "vault.key.sealed",
+    encryptedDb:      frameworkFiles.fileName("dbEnc"),
+    dbKeySealed:      frameworkFiles.fileName("dbKeyEnc"),
+    vaultKeyPlain:    frameworkFiles.fileName("vaultKey"),
+    vaultKeySealed:   frameworkFiles.fileName("vaultKey") + ".sealed",
     additionalSealed: [],
     verbatimFiles:    [],
     verbatimDirs:     [],
@@ -849,18 +896,15 @@ async function rotate(opts) {
 
     var db = new DatabaseSync(tmpDbPath);
     try {
-      _runStmt(db, "PRAGMA journal_mode=WAL");
-      _runStmt(db, "PRAGMA synchronous=NORMAL");
+      db.prepare(sql.pragma("journal_mode", "WAL").sql).run();
+      db.prepare(sql.pragma("synchronous", "NORMAL").sql).run();
 
       // Walk tables. For each, re-seal every column declared sealed
       // by the field-crypto registry, plus the overflow `data` JSON
       // column if present.
       var tablesToRotate = Array.isArray(opts.tables) && opts.tables.length > 0
         ? opts.tables.slice()
-        : db.prepare(
-            "SELECT name FROM sqlite_master " +
-            "WHERE type='table' AND name NOT LIKE 'sqlite_%'"
-          ).all().map(function (r) { return r.name; });
+        : _listLiveTables(db);
 
       // Serialized roots threaded to the AAD reseal path; oldRootJson /
       // newRootJson match b.vault.getKeysJson() so rotated AAD cells unseal
@@ -869,15 +913,11 @@ async function rotate(opts) {
 
       for (var ti = 0; ti < tablesToRotate.length; ti++) {
         var table = tablesToRotate[ti];
-        var tableExists = db.prepare(
-          "SELECT name FROM sqlite_master WHERE type='table' AND name = ?"
-        ).get(table);
+        var tableExists = _get(db, sql.catalog.tableExists(table));
         if (!tableExists) continue;
 
         var schema = cryptoField.getSchema(table);
-        var liveCols = db.prepare(
-          'PRAGMA table_info("' + table.replace(/"/g, '""') + '")'
-        ).all().map(function (c) { return c.name; });
+        var liveCols = _listLiveColumns(db, table);
         var liveColSet = Object.create(null);
         for (var lc = 0; lc < liveCols.length; lc++) liveColSet[liveCols[lc]] = true;
 
@@ -894,7 +934,7 @@ async function rotate(opts) {
         if (tableRows > 0) { tablesProcessed++; totalRowsProcessed += tableRows; }
       }
 
-      _runStmt(db, "PRAGMA wal_checkpoint(TRUNCATE)");
+      db.prepare(sql.pragma("wal_checkpoint", "TRUNCATE").sql).run();
     } finally {
       db.close();
     }

package/lib/vendor-data.js

@@ -130,6 +130,7 @@ function _timingSafeHexEqual(a, b) {
 var KNOWN_VENDOR_DATA = Object.freeze({
   "public-suffix-list": {
     module: "./vendor/public-suffix-list.data",
+    // allow:hand-rolled-sql — `_blamejs_canary_*` is an in-payload tamper-canary token, not a SQL table name (no DB sink in this file)
     canary: "_blamejs_canary_v0_9_8_.local",
     // Canary parse check — operator-side `b.publicSuffix.isPublicSuffix(canary)`
     // MUST return true after the PSL parser ingests the data. The check
@@ -138,6 +139,7 @@ var KNOWN_VENDOR_DATA = Object.freeze({
   },
   "common-passwords-top-10000": {
     module: "./vendor/common-passwords-top-10000.data",
+    // allow:hand-rolled-sql — `_blamejs_canary_*` is an in-payload tamper-canary token, not a SQL table name (no DB sink in this file)
     canary: "_blamejs_canary_password_2026_05_13_blamejs_internal_",
     description: "Top-10000 most common passwords (SecLists). Used by b.auth.password to refuse known-breached credentials.",
   },

package/lib/websocket.js

@@ -971,6 +971,22 @@ class WebSocketConnection extends EventEmitter {
         self._transitionToClosed(1006, "abnormal closure", false, null);
       }
     });
+    socket.on("end", function ()        {
+      // Peer half-closed (TCP FIN) without sending a Close frame. HTTP
+      // 'upgrade' sockets default to allowHalfOpen=true, so this arrives
+      // as 'end' (readable side ended) while the writable side stays
+      // open — the 'close' handler above never fires and the connection
+      // would otherwise wedge open (ping timer running, no 'close' event,
+      // peer's socket never destroyed). RFC 6455 §7.1.1 treats a TCP
+      // close without a prior Close frame as abnormal closure: surface
+      // the lifecycle event and end our writable side so the socket
+      // actually tears down. _transitionToClosed is idempotent, so the
+      // native 'close' that follows is a no-op.
+      if (self._state !== STATE_CLOSED) {
+        self._transitionToClosed(1006, "abnormal closure", false, null);
+      }
+      try { socket.end(); } catch (_e) { /* socket already closing */ }
+    });
   }
 
   // Single state-transition method. Idempotent — repeat calls after

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.27",
+  "version": "0.15.0",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:c78c9561-3578-4ff6-99f8-a3e2a52ddc17",
+  "serialNumber": "urn:uuid:d63a172d-d92b-4a98-ae64-7dcb04e82076",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-07T00:11:04.881Z",
+    "timestamp": "2026-06-08T20:30:45.961Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.27",
+      "bom-ref": "@blamejs/core@0.15.0",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.27",
+      "version": "0.15.0",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.27",
+      "purl": "pkg:npm/%40blamejs/core@0.15.0",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.27",
+      "ref": "@blamejs/core@0.15.0",
       "dependsOn": []
     }
   ]