@blamejs/core 0.14.27 → 0.15.1

package/CHANGELOG.md

@@ -6,6 +6,12 @@ Pre-1.0 the surface is intentionally evolving — every release may
 change something operators depend on. Read each entry before
 upgrading across more than a few patches at a time.
 
+## v0.15.x
+
+- v0.15.1 (2026-06-11) — **Sealed-column lookups find rows written before the v0.15.0 hash change, and API-key secrets re-hash to the active algorithm on verify.** v0.15.0 changed the default derived hash — the blind index a sealed column is looked up by — from an unkeyed salted hash to a keyed MAC, and promised a transparent migration via a dual read. But no lookup path actually performed the dual read, so on a deployment that already held data, a lookup by a sealed column (a session's user id, an API key's owner, an audit actor or resource, a consent or data-subject id, a mail thread) computed only the new keyed digest and missed every row written before the upgrade. This release wires the dual read into every lookup: a sealed-column equality now matches both the active keyed digest and the legacy salted digest, so pre-upgrade rows are found again. That restores two correctness guarantees the gap had quietly broken — revoking all of a user's sessions no longer skips sessions created before the upgrade, and a subject erasure no longer leaves pre-upgrade rows behind. Separately, the framework's API-key store now re-hashes a stored secret to the active hash algorithm on the next successful verify, the transparent rotation the credential-hash primitive documented but the store had never performed. **Fixed:** *Sealed-column lookups match rows written before the v0.15.0 keyed-MAC change* — After v0.15.0 flipped the default derived-hash mode to a keyed MAC, a lookup by a sealed column computed only the new keyed digest, so rows written under the previous salted-hash default were no longer found — a silent index miss on every existing deployment. Every framework lookup path now dual-reads: `b.db.from(...).where(sealedField, value)` and the framework's own api-key, session, audit, consent, data-subject, and mail-thread lookups match the column against both the active keyed digest and the legacy salted digest (`b.db.hashCandidatesFor` exposes the candidate list for operator code). No migration or operator action is required; rows re-hash to the keyed form on read over time and the candidate set collapses back to a single value. Two correctness consequences are restored: revoking all of a user's sessions now also revokes sessions created before the upgrade, and a data-subject erasure now also deletes (and crypto-shreds) the subject's pre-upgrade rows. · *API-key secret hashes upgrade to the active algorithm on verify* — The framework's API-key store now re-hashes a stored secret to the configured hash algorithm on the next successful verify (leader-gated, best-effort, primary-match only), emitting an `apikey.secret_rehash` audit and observability event. This is the transparent rotation `b.credentialHash` documents — a key stored under an older algorithm or parameter set silently moves to the current one as it is used, with no change to the verify result or the returned record.
+
+- v0.15.0 (2026-06-08) — **A chainable SQL builder, MySQL as a first-class data backend, and a keyed lookup-hash default — the data layer goes tri-dialect.** This release makes the framework's data layer dialect-portable. `b.sql` is a new chainable query builder that quotes every identifier by construction, binds every value as a placeholder, and emits dialect-correct SQL for SQLite, Postgres, and MySQL; `b.guardSql` validates result rows against NUL bytes, quote-jump sequences, and per-column / total size boundaries. The entire framework data layer — the signed audit chain, cluster leadership and fencing, sessions, break-glass, the local queue, cache, scheduler, migrations, consent, and mail storage — is rebuilt on `b.sql`, which makes MySQL a supported external-database backend alongside Postgres and SQLite. Running the data layer on a real Postgres server surfaced two latent correctness bugs that only a non-SQLite backend exposes: identifiers were emitted unquoted at DDL time but read back camelCase (Postgres folds unquoted names to lowercase, silently breaking the audit chain, consent chain, cluster fencing, and vault-key consistency), and sealed columns coerced Buffer / object payloads through `String()` before encryption (corrupting non-string ciphertext); both are fixed by quoting every identifier and coercing per the column's declared type. Derived-hash columns — the blind-index lookup columns registered through `registerTable` — now default to a keyed MAC (SHAKE256 under the vault's per-deployment MAC key) instead of an unkeyed salted hash, so an exfiltrated database can no longer be brute-forced or rainbow-tabled to recover the indexed values; existing salted-hash indexes are read through a dual-read path and migrated forward, so the change is non-breaking. Audit-signing key rotation now preserves every historical checkpoint (rotation previously stranded checkpoints signed under the prior key). New cross-border data-residency postures (appi-jp, pdpa-sg, uk-gdpr) enforce a mandatory storage vacuum after erasure. Outbound TLS appends classical X25519 to its key-exchange preference so it can complete a handshake with a peer that advertises no post-quantum hybrid — previously the hybrids-only preference failed those handshakes outright — and emits a `tls.classical_downgrade` audit event whenever a connection lands on a classical group. Outbound HTTP/2 negotiation falls back to HTTP/1.1 against servers that only speak h1, the network heartbeat honors a target's permitted protocols instead of pinning cleartext targets down, a WebSocket connection closes cleanly on a peer's TCP half-close instead of wedging open, and the Azure blob backend encodes object-key path segments correctly. **Added:** *b.sql — a dialect-aware chainable SQL builder* — `b.sql` composes SELECT / INSERT / UPDATE / UPSERT / DELETE / DDL from a fluent chain. Every identifier is validated and quoted by construction (`"name"` on SQLite/Postgres, `` `name` `` on MySQL), every value binds as a placeholder rather than interpolating, and the emitted statement is validated as a single balanced, single-statement query before it leaves the builder. Pass `{ dialect: "postgres" | "mysql" | "sqlite" }` (default SQLite) to target a backend; `upsert` emits the dialect-final conflict syntax. It composes `b.safeSql` for the identifier and placeholder primitives, so a SQL string can no longer be assembled by hand inside the framework. · *b.guardSql — result-row output validation* — `b.guardSql` gates query result rows against embedded NUL bytes, quote-jump sequences, and configurable per-column and total-size boundaries, with the standard guard profiles (strict / balanced / permissive) and compliance postures (hipaa / pci-dss / gdpr / soc2). It is the output-side complement to the input-side `b.safeSql`. · *MySQL is a first-class data backend* — MySQL joins Postgres and SQLite as a supported external-database backend. The framework's schema reconciler emits MySQL DDL, and the full data layer — signed audit chain (append + verify), cluster leadership and lease fencing, sessions, break-glass, the local queue, cache, scheduler, migrations, and consent — runs against a real MySQL server. Select the backend at `b.cluster.init` / `b.externalDb` configuration via the `dialect` option; `b.clusterStorage.dialect()` exposes the configured backend dialect to composing code. · *Cross-border erasure postures: appi-jp, pdpa-sg, uk-gdpr* — Three data-residency compliance postures are added (Japan APPI, Singapore PDPA, UK GDPR). Each requires a mandatory storage vacuum after erasure (so deleted rows are reclaimed from the page store, not just tombstoned), a signed audit chain, encrypted backups, and a minimum TLS version. Pin one with `b.compliance.set`. **Fixed:** *Cross-border erasure performs the mandatory vacuum* — Erasure under the uk-gdpr, appi-jp, and pdpa-sg residency postures now runs the storage vacuum the posture mandates, reclaiming erased rows from the page store rather than leaving them recoverable as free-list tombstones. **Security:** *Lookup-hash columns default to a keyed MAC* — Derived-hash (blind-index) columns registered through `registerTable` now default to `derivedHashMode: "hmac-shake256"` — SHAKE256 keyed with the vault's per-deployment MAC key — instead of the previous unkeyed `salted-sha3`. The index value is no longer recomputable from the indexed plaintext alone, so an attacker who exfiltrates the database cannot brute-force or rainbow-table a lookup column (for example a subject-email index) without also holding the vault MAC key (CWE-916 / CWE-759). Existing `salted-sha3` indexes are read through a dual-read path and re-derived on write, so deployments upgrade without re-indexing up front. · *Postgres identifier casing no longer breaks the audit and cluster chains* — Identifiers were written unquoted in DDL but read back in camelCase. On Postgres (which folds an unquoted identifier to lowercase) this silently desynchronized the signed audit chain, the consent chain, cluster leadership and fencing, and vault-key consistency — each reads a column the server had stored under a lowercased name. Every framework identifier is now quoted at both DDL and query time so the stored and read names match on every dialect (CWE-670). SQLite deployments were unaffected and remain byte-compatible. · *Sealed columns preserve non-string payloads* — A sealed column coerced its value through `String()` before encryption, corrupting Buffer and object payloads (a Buffer became `"[object Object]"`-class garbage, an object its `toString`). Sealed values are now encoded per the column's declared type before the seal, so binary and structured payloads round-trip intact (CWE-704). · *Audit-signing key rotation preserves historical checkpoints* — Rotating the audit-signing key stranded every checkpoint signed under the prior key — `verifyCheckpoints` ignored the per-fingerprint history file the rotation writes, so post-rotation verification failed on otherwise-valid historical checkpoints. Verification now resolves each checkpoint's signing key by fingerprint (`getPublicKeyByFingerprint`) across the rotation history, so the full chain verifies after a key rotation. · *Outbound TLS reaches classical-only peers and audits the downgrade* — The framework's outbound TLS offered only ML-KEM hybrid key-exchange groups, so a handshake with a peer that does not advertise a post-quantum hybrid — most of today's internet — failed outright (`handshake_failure`), leaving outbound connections to webhooks, OAuth providers, ACME directories, object stores, and DoT/DoH/SMTP/Redis-over-TLS unable to complete. Classical X25519 is now appended to the group preference so the hybrid is still negotiated whenever the peer supports it, and the connection completes over classical X25519 when it does not. Every connection that lands on a classical group rather than the post-quantum hybrid emits a `tls.classical_downgrade` audit event (carrying the negotiated group) so operators can observe and alert on which peers are not yet post-quantum-capable. · *Transport reachability and correctness* — Outbound HTTP/2 negotiation now falls back to HTTP/1.1 when a TLS server offers only h1 (an ALPN protocol_version alert no longer fails the request). The network heartbeat honors a target's permitted protocols instead of dropping non-default ones, so a cleartext `http://` health target is no longer reported permanently down. A WebSocket connection closes cleanly when a peer half-closes its TCP socket (a bare FIN) instead of wedging the connection open. The Azure blob backend percent-encodes each object-key path segment, so a key containing reserved characters can no longer corrupt the request URL. **Migration:** *Derived-hash default change is non-breaking; MySQL is opt-in* — Lookup-hash columns default to the keyed MAC on new writes and migrate existing rows on access through the dual-read path — no upfront re-indexing, no operator action required. To pin the previous unkeyed index (for example to keep a column byte-compatible with an external system), pass `derivedHashMode: "salted-sha3"` to `registerTable`. MySQL as a data backend is opt-in: existing SQLite and Postgres deployments are unchanged unless you set `dialect: "mysql"`. The Postgres identifier-casing and sealed-column-coercion fixes change the emitted DDL and the at-rest encoding of non-string sealed values; a Postgres deployment created before this release reconciles its schema to the quoted identifiers on the next schema-ensure pass.
+
 ## v0.14.x
 
 - v0.14.27 (2026-06-06) — **Security-hardening sweep: exclusive temp creation, request path confinement, prototype-safe parsing, cross-tenant authentication, telemetry and error redaction, and posture enforcement floors.** A broad security-hardening release closing classes of bug across the request, storage, identity, and data-governance surfaces. Files that stage data before an atomic rename (the atomic-write substrate, the HTTP client's downloads, the static file server's cache) now create those files exclusively and refuse to follow a symlink, so a same-user pre-planted file or symlink can no longer be truncated or written through. The static file server re-confines every request-derived path to its served root at the filesystem call, and its content-safety read is anchored to a single no-follow descriptor. The request body parser, the WebSocket extension parser, and the cookie parser build their maps from key/value pairs instead of attacker-named computed writes, so a field named after an Object prototype member can neither pollute the prototype nor surface inherited members. The SSRF guard compares cloud-metadata addresses canonically; OIDC federation derives a subordinate's policy and keys from the superior-signed statement rather than self-published config; the JMAP listener rejects a cross-tenant account id with accountNotFound before dispatch; the agent event bus authenticates each envelope's tenant and posture with a vault-keyed MAC; and the audit query no longer under-logs concurrent reads. Telemetry attributes exported over OTLP and the 5xx error record written to the signed audit chain are now redacted, closing two egress paths that previously shipped secrets in plaintext. Regulated compliance postures enforce a minimum seal-envelope strength at table registration, warn when a pinned posture has no content-safety overlay or no outbound DLP wired, and expose region-tag normalization helpers. The local queue's Redis backend no longer wedges a caller on a failed connect or double-schedules reconnects, file uploads audit every content-safety skip, the Azure blob backend percent-encodes object keys, the XML parser rejects prototype-poisoning names, and router path-scoped middleware (`use(path, mw)`) works as documented instead of dropping the gate. **Security:** *Staged writes are created exclusively and refuse symlinks* — The atomic-write substrate (`b.atomicFile`), the HTTP client's download staging, and the static file server's pre-serve read now open files with `O_CREAT | O_EXCL | O_NOFOLLOW` at owner-only `0o600` (the vault-rotation pipeline adopted the same in v0.14.26). A pre-planted file or a symlink at a staging path is now a hard failure rather than a truncated or followed write (CWE-377 / CWE-379 / CWE-59). The temp+rename atomicity and download streaming semantics are unchanged. · *Static file server re-confines request paths and reads through one no-follow descriptor* — Every request-derived path is re-resolved under the served root and refused if it escapes (`startsWith(root + sep)`) at the filesystem call, not only upstream, and the content-safety gate reads size and bytes from a single `O_NOFOLLOW` descriptor so a final-component symlink swap between stat and read cannot redirect it (CWE-22 / CWE-367). Percent-encoded traversal, NUL bytes, and absolute/drive-letter paths are refused before any filesystem access. · *Body, WebSocket, and cookie parsers build maps without attacker-named writes* — The request body parser (Content-Type/Content-Disposition params, multipart headers and fields), the WebSocket `Sec-WebSocket-Extensions` parser, and the CSRF cookie parser now collect key/value pairs and materialize them via `Object.fromEntries` onto a null-prototype accumulator with prototype-poisoning keys dropped, instead of a request-keyed computed write. A field or parameter named `__proto__` / `constructor` / `prototype` can no longer pollute the prototype or surface inherited members (CWE-915 / CWE-1321). Parsed object shapes are unchanged for all legitimate input. · *Prototype-safe XML parsing* — `b.safeXml` builds its element, attribute, and grouping accumulators with `Object.create(null)` and rejects element/attribute names `__proto__` / `constructor` / `prototype` with `xml/forbidden-name` (CWE-1321), matching the TOML/YAML/INI parsers. The returned tree has a null prototype; consumers using bracket/dot access, `Object.keys`, or `JSON.stringify` are unaffected. · *SSRF guard compares cloud-metadata addresses canonically* — The SSRF guard now canonicalizes addresses before comparing against the cloud metadata endpoints, so a non-canonical encoding of a link-local / metadata address can no longer slip past the block to reach an instance metadata service (CWE-918). · *OIDC federation trusts the superior-signed statement, not self-config* — A subordinate entity's `metadata_policy` is now read from the superior's signed entity statement, and trust-chain building verifies each subordinate against attested keys in a two-phase walk rather than the subordinate's self-published JWKS, closing a trust-substitution gap (RFC 9068 / OpenID Federation). A subordinate that publishes no attested keys is refused. · *Cross-tenant authentication on the JMAP listener and agent event bus* — The JMAP listener rejects a client-supplied `accountId` outside the actor's permitted set with `accountNotFound` before any method or blob handler runs (RFC 8620 §3.6.1). The agent event bus authenticates each envelope's tenant id and posture with a vault-keyed HMAC and drops a forged or tampered envelope before routing. The audit query no longer suppresses its own `audit.read` self-log under concurrency, so concurrent reads are each recorded (PCI-DSS 10.2). · *Telemetry and error records are redacted before egress* — Span and metric attributes exported over OTLP now pass through a redactor (`b.observability.setRedactor`, defaulting to `b.redact`) before leaving the process, and the 5xx error record written to the durable, signed audit chain now uses the redacting `audit.safeEmit` rather than the raw `audit.emit` — closing two egress paths that previously shipped a secret embedded in a span attribute or an exception message/stack in plaintext (CWE-532). The error response itself is byte-identical. · *Regulated postures enforce a seal-envelope floor* — Compliance postures now carry a `sealEnvelopeFloor`; `hipaa` and `pci-dss` require at least AEAD additional-data binding. Registering a table that seals columns under a weaker envelope while such a posture is pinned is refused at configuration time, so a regulated deployment can no longer register a copy-paste-vulnerable plain-sealed table (CWE-311 / CWE-326; 45 CFR 164.312, PCI-DSS v4 Req. 3.5). · *Redis backend connect/reconnect robustness* — The local queue's Redis backend always settles its connect promise (resolve on ready, reject on error/timeout) so a caller can no longer wedge on a failed connect, schedules at most one reconnect per failure (a lost socket fires both error and close), and gives up idempotently — fixing a caller hang and a reconnect storm on a flapping backend (CWE-833 / CWE-400). · *File-upload skip auditing and Azure object-key encoding* — Every content-safety skip path in `b.fileUpload` now emits a `content_safety_skipped` audit naming why the scan was bypassed (opt-out / no gate for the extension / over the reassembly cap), so an unscanned upload is visible in the audit log (CWE-778). The Azure blob backend percent-encodes each object-key path segment before URL interpolation, so a key containing `?` / `#` / spaces can no longer corrupt the request or escape its container path (CWE-20). · *Router path-scoped middleware works as documented* — `router.use(pathPrefix, middleware)` — documented across the security middleware but previously unimplemented (the path string was pushed as the middleware, 500-ing every request, or the gate silently never ran) — now mounts the middleware scoped to a segment-boundary path prefix, preserving registration order and refusing a non-string prefix or non-function middleware at configuration time (CWE-670). **Detectors:** *Recurrence guards for the fixed shapes* — The pattern catalog gains detectors for the exclusive-temp-create (atomic-file, http-client, static), request-path confinement (static serve + gate), request-keyed map writes (body-parser, WebSocket), prototype-safe XML accumulators, Azure object-key encoding, file-upload skip auditing, OTLP attribute redaction, JMAP account gating, the seal-envelope floor, and the router path-scoped mount. The data-flow and timing shapes (SSRF canonicalization, federation trust-chain, audit self-log concurrency, event-bus envelope MAC, Redis reconnect scheduling, error-record redaction, posture-overlay warnings) are guarded by request-driven tests where a precise regex would false-positive. **Migration:** *Behavior changes to review* — Several hardening changes alter behavior, all fail-closed: (1) the agent event bus now requires a shared vault to authenticate envelopes and refuses to publish/deliver without one — single-process callers without a vault must pass `requireMac: false`; (2) OIDC federation subordinates must publish attested keys (a subordinate relying on self-published JWKS is refused); (3) `b.safeXml` throws `xml/forbidden-name` on element/attribute names `__proto__`/`constructor`/`prototype`; (4) registering a table that seals columns below the pinned regulated posture's seal-envelope floor throws at configuration time — add `{ aad: true }` or a per-row key; (5) OTLP telemetry attributes are now redacted by default — install a domain redactor via `b.observability.setRedactor` if you need different handling (it cannot be disabled outright); (6) `router.use(path, mw)` now path-scopes instead of applying globally or 500-ing. New advisory audit rows appear when a pinned posture has no content-safety overlay or no outbound DLP wired; `b.compliance.set` does not auto-install outbound DLP (call `b.redact.installForPosture` with your client/mail/webhook handles).

package/README.md

@@ -64,7 +64,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Chainable query builder** — atomic `.increment(col, delta)`, closure-form `.whereGroup` / top-level `.orWhere` OR composition, `.search(fields, term)` LIKE-OR with safe `%`/`_` ESCAPE handling, `.paginate(opts)` returning `{ items, total, page, totalPages }`; a column-membership gate (`db.init({ columnGate })`, default reject) fails a query closed when it names a column the table never declared, and `whereRaw` refuses an embedded string literal so values bind through placeholders
 - **Mongo-style document-store facade** — `b.db.collection(name, opts?)` with `$set` / `$inc` / `$unset` / `$eq` / `$ne` / `$gt` / `$gte` / `$lt` / `$lte` / `$in` / `$like`; schemaless-document opts via `overflow: "<col>"` (folds unknown fields into a JSON-text column; rewrites `WHERE` on virtual fields to `JSON_EXTRACT`), `jsonColumns: [...]` (auto-stringify on write + parse via `b.safeJson` on read), `sealedFields: { email: "emailHash" }` (co-locates a `b.cryptoField` sealed-column / derived-hash declaration so plaintext lookups auto-rewrite to hash-column lookups)
 - **DB lifecycle** — in-memory encrypted snapshot via `b.db.snapshot()`; standalone encrypted-DB-file lifecycle (`b.db.fileLifecycle({ dataDir, vault })` — decrypt-to-tmpfs, periodic re-encrypt flush, graceful shutdown — same envelope as `b.db`, no schema/audit-chain coupling); `db.init` opt-outs `frameworkTables: false` / `auditSigning: false` and path overrides `encryptedDbPath` / `encryptedDbName` / `dbKeyPath`
-- **External RDBMS** — bring-your-own Postgres / MySQL with pool tuning + role-aware connect + read-replica routing (`b.externalDb`); declarative role-narrowed views and Postgres row-level-security migrations (`b.db.declareView`, `b.db.declareRowPolicy`); an opt-in `requireTls` transport posture refuses a non-TLS backend at boot, and query / transaction / read traces carry OpenTelemetry `db.*` attributes
+- **External RDBMS** — bring-your-own Postgres / MySQL with pool tuning + role-aware connect + read-replica routing (`b.externalDb`); declarative role-narrowed views and Postgres row-level-security migrations (`b.db.declareView`, `b.db.declareRowPolicy`); an opt-in `requireTls` transport posture refuses a non-TLS backend at boot, and query / transaction / read traces carry OpenTelemetry `db.*` attributes. The framework's own data layer — the signed audit chain, cluster leadership and lease fencing, sessions, break-glass, and the local queue / cache / scheduler — is composed through the dialect-aware `b.sql` builder (every identifier quoted by construction, every value bound as a placeholder, dialect-correct SQLite / Postgres / MySQL output), so the framework's tables run on a Postgres or MySQL backend, not only local SQLite; `b.guardSql` validates result rows against NUL bytes, quote-jump sequences, and per-column / total-size boundaries
 - **Object store** — S3 / R2 / B2 / GCS / Azure with multipart upload + SSE + bucket-ops (create / delete / list / lifecycle / CORS); S3 Object Lock + per-object retention + legal hold for write-once-read-many compliance workloads (`b.storage`, `b.objectStore`)
 - **Queues + cache** — durable queue with priority + cron + flows on local SQLite, shared Redis, OR AWS SQS via SigV4 + AWSJsonProtocol_1.0 (`b.queue`, `b.jobs`) — the local backend can target an operator-supplied database / table / schema; cluster-shared cache (`b.cache`)
 ### Identity & access
@@ -97,7 +97,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 
 - **At-rest envelope** — envelope-versioned PQC (ML-KEM-1024 + P-384 hybrid, XChaCha20-Poly1305, SHAKE256); vault sealing (`b.crypto`, `b.vault`)
 - **Power-on self-test** — `b.crypto.selfTest()` runs FIPS 140-3-style integrity checks: NIST FIPS 202 known-answer tests (SHA3-256/512, SHAKE256), AEAD round-trip + tamper-detect, and ML-KEM-1024 / ML-DSA-87 / SLH-DSA-SHAKE-256f pairwise-consistency + negative tests; fails closed (throws) on any mismatch
-- **Field-level + crypto-shred** — `b.cryptoField.eraseRow`; per-column and per-row data residency tagging enforced at the write boundary (cross-border DML refused under GDPR / UK-GDPR / DPDP / PIPL / LGPD / APPI / PDPA postures) + per-row keys (`K_row = HKDF(K_table, rowId)`) so erasing the per-row key makes WAL / replica residuals undecryptable (`b.cryptoField.declareColumnResidency`, `b.cryptoField.declarePerRowResidency`, `b.cryptoField.declarePerRowKey`)
+- **Field-level + crypto-shred** — `b.cryptoField.eraseRow`; per-column and per-row data residency tagging enforced at the write boundary (cross-border DML refused under GDPR / UK-GDPR / DPDP / PIPL / LGPD / APPI / PDPA postures) + per-row keys (each row's key derives from a CSPRNG row-secret sealed under the vault root, never from an on-disk value) so destroying a row's wrapped secret leaves its WAL / replica / backup residual ciphertext undecryptable even with the vault root key (`b.cryptoField.declareColumnResidency`, `b.cryptoField.declarePerRowResidency`, `b.cryptoField.declarePerRowKey`)
 - **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`). The database encryption key is sealed the same way — bound to its purpose, data directory, and key path — so a relocated key file fails to unseal; an older unbound key upgrades itself on first load. A vault-key rotation re-seals every AAD-bound cell, the database key, and tenant archives under the new keypair and refuses rather than silently orphaning a store it cannot reach (`b.vaultRotate`, `b.vault.aad.resealRoot`, `b.archive.rewrapTenant`)
 - **Keyed lookup hashes** — sealed-column equality-lookup hashes default to salted SHA3-512 and can opt into a keyed `hmac-shake256` MAC off a per-deployment key (`cryptoField.registerTable({ derivedHashMode })`, `b.vault.getDerivedHashMacKey`), making the lookup hash unforgeable and un-correlatable across deployments
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)

package/index.js

@@ -120,6 +120,7 @@ var clusterStorage = require("./lib/cluster-storage");
 var safeAsync = require("./lib/safe-async");
 var handlers = require("./lib/handlers");
 var safeSql = require("./lib/safe-sql");
+var sql = require("./lib/sql");
 var chainWriter = require("./lib/chain-writer");
 var safeBuffer = require("./lib/safe-buffer");
 var safeDecompress = require("./lib/safe-decompress").safeDecompress;
@@ -181,6 +182,7 @@ var guardSvg = require("./lib/guard-svg");
 var guardFilename = require("./lib/guard-filename");
 var guardMessageId = require("./lib/guard-message-id");
 var guardSmtpCommand = require("./lib/guard-smtp-command");
+var guardSql = require("./lib/guard-sql");
 var guardImapCommand = require("./lib/guard-imap-command");
 var guardPop3Command = require("./lib/guard-pop3-command");
 var guardManageSieveCommand = require("./lib/guard-managesieve-command");
@@ -520,6 +522,7 @@ module.exports = {
   safeAsync:        safeAsync,
   handlers:         handlers,
   safeSql:          safeSql,
+  sql:              sql,
   chainWriter:      chainWriter,
   safeBuffer:       safeBuffer,
   safeDecompress:   safeDecompress,
@@ -569,6 +572,7 @@ module.exports = {
   guardFilename:    guardFilename,
   guardMessageId:   guardMessageId,
   guardSmtpCommand: guardSmtpCommand,
+  guardSql:         guardSql,
   guardImapCommand: guardImapCommand,
   guardPop3Command: guardPop3Command,
   guardManageSieveCommand: guardManageSieveCommand,

package/lib/ai-content-detect.js

@@ -43,6 +43,7 @@ var lazyRequire = require("./lazy-require");
 var contentCredentials = lazyRequire(function () { return require("./content-credentials"); });
 var audit = require("./audit");
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var AiContentDetectError = defineClass("AiContentDetectError", { alwaysPermanent: true });
 
@@ -64,16 +65,14 @@ var COMPLIANCE_POSTURES = Object.freeze({
   "nist-ai-rmf":        "balanced",
 });
 
-function _resolveProfile(opts) {
-  if (opts && typeof opts.posture === "string") {
-    var profile = COMPLIANCE_POSTURES[opts.posture];
-    if (profile) return PROFILES[profile];
-  }
-  if (opts && typeof opts.profile === "string" && PROFILES[opts.profile]) {
-    return PROFILES[opts.profile];
-  }
-  return PROFILES[DEFAULT_PROFILE];
-}
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: AiContentDetectError,
+  codePrefix: "ai-content-detect",
+  byObject:   true,
+});
 
 /**
  * @primitive b.ai.aiContentDetect.report

package/lib/api-key.js

@@ -43,6 +43,7 @@ var cluster = require("./cluster");
 var cryptoField = require("./crypto-field");
 var requestHelpers = require("./request-helpers");
 var validateOpts = require("./validate-opts");
+var sql = require("./sql");
 var C = require("./constants");
 var numericChecks = require("./numeric-checks");
 var { ApiKeyError } = require("./framework-error");
@@ -53,16 +54,28 @@ function _emitEvent(n, v, l) { observability().safeEvent(n, v, l || {}); }
 
 var _err = ApiKeyError.factory;
 
-var TABLE   = "_blamejs_api_keys";
-// Pre-quoted form for SQL interpolation. Defense-in-depth: even though
-// our constant is bare-identifier-shaped, every interpolation site uses
-// the wrapped form so a future rename to a reserved-word or
-// whitespace-bearing name would still resolve correctly.
-var Q_TABLE = '"' + TABLE + '"';
-
-// Column order used for INSERT — kept as a constant so the placeholders
-// list and the values list stay in sync. Must match _blamejs_api_keys'
-// schema in db.js (single-node) and framework-schema.js (cluster mode).
+// Logical framework table name. Self-mapped in LOCAL_TO_EXTERNAL, so it is
+// passed BARE to b.sql: clusterStorage.execute rewrites it to the configured
+// prefix and placeholderizes the `?` markers, so one query text runs against
+// the local SQLite single-node backend and the operator's external DB in
+// cluster mode.
+var TABLE   = "_blamejs_api_keys";   // allow:hand-rolled-sql — bare logical name, passed to b.sql for clusterStorage rewrite
+
+// b.sql opts for every _blamejs_api_keys statement: thread the ACTIVE backend
+// dialect (clusterStorage.dialect() — "sqlite" single-node, "postgres" |
+// "mysql" in cluster mode) so the emitted identifier quoting + dialect idioms
+// match the backend the SQL dispatches to. Defaulting to "sqlite" works on
+// Postgres only by accident (both double-quote identifiers) and emits the
+// wrong quoting on MySQL, so this is the canonical resolver threaded into
+// b.sql. clusterStorage.execute still rewrites the bare table name +
+// translates `?` placeholders at dispatch; this controls only the builder-
+// side quoting + idiom selection. The table name stays BARE (no quoteName)
+// so clusterStorage's prefix rewrite still fires.
+function _sqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
+// Column order used for INSERT — kept as a constant so the column list and
+// the row object stay in sync. Must match _blamejs_api_keys' schema in
+// db.js (single-node) and framework-schema.js (cluster mode).
 var COLS = [
   "id", "namespace", "ownerId", "ownerIdHash", "secretHash",
   "secondarySecretHash", "secondaryExpiresAt",
@@ -305,10 +318,11 @@ function create(opts) {
     );
   }
 
-  function _selectAll() {
-    return "SELECT id, namespace, ownerId, ownerIdHash, secretHash, " +
-           "secondarySecretHash, secondaryExpiresAt, " +
-           "scopes, metadata, createdAt, expiresAt, revokedAt, lastUsedAt, prefix FROM " + Q_TABLE;
+  // Fresh SELECT builder over the full column set. BARE logical table name
+  // (_blamejs_api_keys) — clusterStorage rewrites it to the configured
+  // prefix and placeholderizes. Callers chain the WHERE family + .toSql().
+  function _selectBuilder() {
+    return sql.select(TABLE, _sqlOpts()).columns(COLS);   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
   }
 
   function _scrubRecord(row) {
@@ -369,14 +383,13 @@ function create(opts) {
       lastUsedAt:          null,
       prefix:              prefix,
     });
-    var values = COLS.map(function (c) { return sealed[c]; });
-    var placeholders = COLS.map(function () { return "?"; }).join(", ");
-    var quoted = COLS.map(function (c) { return '"' + c + '"'; }).join(", ");
-
-    await clusterStorage.execute(
-      "INSERT INTO " + Q_TABLE + " (" + quoted + ") VALUES (" + placeholders + ")",
-      values
-    );
+    var insertRow = {};
+    for (var ci = 0; ci < COLS.length; ci++) insertRow[COLS[ci]] = sealed[COLS[ci]];
+    var insertBuilt = sql.insert(TABLE, _sqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+      .columns(COLS)
+      .values(insertRow)
+      .toSql();
+    await clusterStorage.execute(insertBuilt.sql, insertBuilt.params);
 
     _emit("apikey.issue", {
       actor:    _actor(issueOpts, issueOpts.ownerId),
@@ -402,10 +415,8 @@ function create(opts) {
     if (parsed.prefix !== prefix || parsed.namespace !== namespace) return null;
 
     var compositeId = _composedId(namespace, parsed.idHex);
-    var row = await clusterStorage.executeOne(
-      _selectAll() + " WHERE id = ?",
-      [compositeId]
-    );
+    var verifyBuilt = _selectBuilder().where("id", compositeId).toSql();
+    var row = await clusterStorage.executeOne(verifyBuilt.sql, verifyBuilt.params);
     if (!row) {
       if (auditFailures) {
         _emit("apikey.verify", {
@@ -472,13 +483,55 @@ function create(opts) {
       return null;
     }
 
-    if (trackLastUsedAt && cluster.isLeader()) {
-      try {
-        await clusterStorage.execute(
-          "UPDATE " + Q_TABLE + " SET lastUsedAt = ? WHERE id = ?",
-          [nowMs, compositeId]
-        );
-      } catch (_e) { /* best-effort; verify success not blocked by lastUsed update */ }
+    // Leader-gated best-effort writes on a successful verify: bump
+    // lastUsedAt when tracked, and transparently re-hash the stored secret
+    // when its envelope no longer matches the active algorithm — the
+    // rotate-on-next-verify that credentialHash documents but, until now,
+    // no consumer wired. Primary match only: the secondary (graceful-
+    // rotation) slot is not the active secret, so it must not overwrite
+    // secretHash. The whole block is best-effort — the credential already
+    // verified under the stored hash and stays valid even if the write
+    // fails; the row re-upgrades on the next leader verify.
+    if (cluster.isLeader()) {
+      var touchFields = trackLastUsedAt ? { lastUsedAt: nowMs } : null;
+      var didRehash = false;
+      if (primaryMatch && credentialHash.needsRehash(row.secretHash, { algo: hashAlgo })) {
+        try {
+          var freshSecretHash = await credentialHash.hash(parsed.secretHex, { algo: hashAlgo });
+          touchFields = touchFields || {};
+          touchFields.secretHash = freshSecretHash;
+          didRehash = true;
+        } catch (_e) { /* re-hash is best-effort; verify success stands */ }
+      }
+      if (touchFields) {
+        try {
+          var touchQb = sql.update(TABLE, _sqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+            .set(touchFields)
+            .where("id", compositeId);
+          if (didRehash) {
+            // Compare-and-swap on the exact hash we verified against: only land
+            // the re-hash if the stored primary is STILL that value. A verify
+            // that races rotate()/hardRotate (which already installed a new
+            // secretHash) must not clobber the rotated secret back to the old
+            // one — the predicate then matches no rows and the upgrade no-ops,
+            // which is correct because the row is already on a fresh hash.
+            touchQb.where("secretHash", row.secretHash);
+          }
+          var touchBuilt = touchQb.toSql();
+          var touchResult = await clusterStorage.execute(touchBuilt.sql, touchBuilt.params);
+          // Only record the migration when the CAS actually swapped a row (a
+          // rowCount of 0 means a concurrent rotation won the race).
+          if (didRehash && !(touchResult && touchResult.rowCount === 0)) {
+            _emitEvent("apikey.secret_rehash", 1, { namespace: namespace, algo: hashAlgo });
+            _emit("apikey.secret_rehash", {
+              actor:    _actor(verifyOpts, rowOwnerId),
+              resource: { kind: "apikey", id: compositeId },
+              outcome:  "success",
+              metadata: { algo: hashAlgo },
+            });
+          }
+        } catch (_e) { /* best-effort; verify success not blocked by the write */ }
+      }
     }
 
     if (auditSuccess) {
@@ -501,10 +554,12 @@ function create(opts) {
     if (typeof idHex !== "string" || idHex.length === 0) return false;
     var compositeId = _composedId(namespace, idHex);
     var nowMs = clock();
-    var result = await clusterStorage.execute(
-      "UPDATE " + Q_TABLE + " SET revokedAt = ? WHERE id = ? AND revokedAt IS NULL",
-      [nowMs, compositeId]
-    );
+    var revokeBuilt = sql.update(TABLE, _sqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+      .set({ revokedAt: nowMs })
+      .where("id", compositeId)
+      .whereNull("revokedAt")
+      .toSql();
+    var result = await clusterStorage.execute(revokeBuilt.sql, revokeBuilt.params);
     var changed = (result.rowCount || 0) > 0;
     if (changed) {
       _emit("apikey.revoke", {
@@ -542,10 +597,8 @@ function create(opts) {
     }
 
     var compositeId = _composedId(namespace, idHex);
-    var existing = await clusterStorage.executeOne(
-      _selectAll() + " WHERE id = ?",
-      [compositeId]
-    );
+    var rotateSelBuilt = _selectBuilder().where("id", compositeId).toSql();
+    var existing = await clusterStorage.executeOne(rotateSelBuilt.sql, rotateSelBuilt.params);
     if (!existing) {
       throw _err("NOT_FOUND", "apiKey.rotate: id '" + idHex + "' not found in namespace '" + namespace + "'");
     }
@@ -558,19 +611,27 @@ function create(opts) {
 
     if (gracePeriodMs > 0) {
       // Move current hash → secondary slot, install new hash as primary.
-      await clusterStorage.execute(
-        "UPDATE " + Q_TABLE + " SET secretHash = ?, " +
-        "secondarySecretHash = ?, secondaryExpiresAt = ? WHERE id = ?",
-        [newHash, existing.secretHash, nowMs + gracePeriodMs, compositeId]
-      );
+      var graceBuilt = sql.update(TABLE, _sqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+        .set({
+          secretHash:          newHash,
+          secondarySecretHash: existing.secretHash,
+          secondaryExpiresAt:  nowMs + gracePeriodMs,
+        })
+        .where("id", compositeId)
+        .toSql();
+      await clusterStorage.execute(graceBuilt.sql, graceBuilt.params);
     } else {
       // Hard cutover — old secret stops working immediately. Clears
-      // any prior secondary slot too.
-      await clusterStorage.execute(
-        "UPDATE " + Q_TABLE + " SET secretHash = ?, " +
-        "secondarySecretHash = NULL, secondaryExpiresAt = NULL WHERE id = ?",
-        [newHash, compositeId]
-      );
+      // any prior secondary slot too (bound NULL via the set map).
+      var cutoverBuilt = sql.update(TABLE, _sqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+        .set({
+          secretHash:          newHash,
+          secondarySecretHash: null,
+          secondaryExpiresAt:  null,
+        })
+        .where("id", compositeId)
+        .toSql();
+      await clusterStorage.execute(cutoverBuilt.sql, cutoverBuilt.params);
     }
 
     _emit("apikey.rotate", {
@@ -598,17 +659,30 @@ function create(opts) {
     var lookup = cryptoField.lookupHash(TABLE, "ownerId", ownerId);
     if (!lookup) {
       throw _err("MISCONFIGURED",
-        "_blamejs_api_keys schema is missing the ownerIdHash derived hash — framework misconfigured");
+        TABLE + " schema is missing the ownerIdHash derived hash — framework misconfigured");
     }
-    var sql = _selectAll() + " WHERE namespace = ? AND ownerIdHash = ?";
-    var params = [namespace, lookup.value];
-    if (!includeRevoked) sql += " AND revokedAt IS NULL";
+    // Dual-read across the keyed-MAC flip: match the active digest AND the
+    // legacy salted-sha3 digest a pre-v0.15.0 row carries (whereIn with a
+    // single value emits `IN (?)`, equivalent to `=`).
+    var ownerHashes = [lookup.value];
+    if (lookup.legacyValue != null && lookup.legacyValue !== lookup.value) {
+      ownerHashes.push(lookup.legacyValue);
+    }
+    var listQb = _selectBuilder()
+      .where("namespace", namespace)
+      .whereIn("ownerIdHash", ownerHashes);
+    if (!includeRevoked) listQb.whereNull("revokedAt");
     if (!includeExpired) {
-      sql += " AND (expiresAt IS NULL OR expiresAt >= ?)";
-      params.push(clock());
+      var nowForExpiry = clock();
+      // (expiresAt IS NULL OR expiresAt >= now) — an OR group ANDed onto
+      // the chain so the optional clause keeps its own precedence.
+      listQb.whereGroup(function (g) {
+        g.whereNull("expiresAt").orWhereOp("expiresAt", ">=", nowForExpiry);
+      });
     }
-    sql += " ORDER BY createdAt DESC";
-    var rows = await clusterStorage.execute(sql, params);
+    listQb.orderBy("createdAt", "desc");
+    var listBuilt = listQb.toSql();
+    var rows = await clusterStorage.execute(listBuilt.sql, listBuilt.params);
     var list = (rows.rows || []).map(_scrubRecord);
     _emitEvent("apikey.list", 1, { namespace: namespace, count: list.length });
     // Read-access audit: "who listed whose keys at time T" — gated by
@@ -635,10 +709,8 @@ function create(opts) {
   async function getById(idHex, getOpts) {
     if (typeof idHex !== "string" || idHex.length === 0) return null;
     var compositeId = _composedId(namespace, idHex);
-    var row = await clusterStorage.executeOne(
-      _selectAll() + " WHERE id = ?",
-      [compositeId]
-    );
+    var getBuilt = _selectBuilder().where("id", compositeId).toSql();
+    var row = await clusterStorage.executeOne(getBuilt.sql, getBuilt.params);
     var record = _scrubRecord(row);
     _emitEvent("apikey.get", 1,
       { namespace: namespace, found: record !== null });
@@ -659,13 +731,24 @@ function create(opts) {
     // Compliance auditors expect "key X was purged at time T" — a count-
     // only audit is too coarse for forensic reconstruction. Cost is one
     // extra round-trip per purge call which runs on a schedule (not
-    // request-rate), so the cost is irrelevant.
-    var idRows = await clusterStorage.execute(
-      "SELECT id FROM " + Q_TABLE + " WHERE namespace = ? AND " +
-      "((revokedAt IS NOT NULL AND revokedAt < ?) OR " +
-      " (expiresAt IS NOT NULL AND expiresAt < ?))",
-      [namespace, threshold, threshold]
-    );
+    // request-rate), so the cost is irrelevant. The purge predicate
+    // (namespace match + an OR of the two "past-threshold" age groups) is
+    // applied identically to the SELECT and the DELETE via _applyPurgeWhere.
+    function _applyPurgeWhere(qb) {
+      return qb
+        .where("namespace", namespace)
+        .whereGroup(function (g) {
+          g.whereGroup(function (a) {
+            a.whereNotNull("revokedAt").where("revokedAt", "<", threshold);
+          }).orWhereGroup(function (b2) {
+            b2.whereNotNull("expiresAt").where("expiresAt", "<", threshold);
+          });
+        });
+    }
+    var purgeSelBuilt = _applyPurgeWhere(
+      sql.select(TABLE, _sqlOpts()).columns(["id"])   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+    ).toSql();
+    var idRows = await clusterStorage.execute(purgeSelBuilt.sql, purgeSelBuilt.params);
     var purgedCompositeIds = (idRows.rows || []).map(function (r) { return r.id; });
 
     if (purgedCompositeIds.length === 0) {
@@ -673,12 +756,10 @@ function create(opts) {
       return 0;
     }
 
-    var result = await clusterStorage.execute(
-      "DELETE FROM " + Q_TABLE + " WHERE namespace = ? AND " +
-      "((revokedAt IS NOT NULL AND revokedAt < ?) OR " +
-      " (expiresAt IS NOT NULL AND expiresAt < ?))",
-      [namespace, threshold, threshold]
-    );
+    var purgeDelBuilt = _applyPurgeWhere(
+      sql.delete(TABLE, _sqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+    ).toSql();
+    var result = await clusterStorage.execute(purgeDelBuilt.sql, purgeDelBuilt.params);
     var count = result.rowCount || purgedCompositeIds.length;
 
     _emit("apikey.purge", {

package/lib/atomic-file.js

@@ -416,6 +416,34 @@ function conflictPath(originalPath, opts) {
  *   );
  *   // → { bytesWritten: 7, hash: "<sha3-512 hex>" }
  */
+// Synchronous bounded sleep (writeSync is a sync primitive, so no await).
+// Uses Atomics.wait on a throwaway shared buffer; falls back to a short spin
+// if SharedArrayBuffer is unavailable.
+function _sleepSync(ms) {
+  try { Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms); return; }
+  catch (_e) { /* fall through to spin */ }
+  var end = Date.now() + ms;
+  while (Date.now() < end) { /* spin */ }
+}
+
+// Atomic rename with a bounded retry on Windows-transient lock errors. On
+// Windows a rename target is briefly held by AV / the search indexer / a
+// file-sync client (Dropbox, OneDrive), surfacing as EPERM / EACCES / EBUSY
+// even though the freshly-written temp file is fine; the lock clears in a few
+// ms. POSIX rename is atomic and never hits this, so the first attempt
+// succeeds there. Surface the error if it is not transient or persists.
+function _renameWithRetry(from, to) {
+  var delays = [0, 5, 15, 40, 100];
+  for (var i = 0; i < delays.length; i += 1) {
+    if (delays[i] > 0) _sleepSync(delays[i]);
+    try { nodeFs.renameSync(from, to); return; }
+    catch (e) {
+      var transient = e && (e.code === "EPERM" || e.code === "EACCES" || e.code === "EBUSY");
+      if (!transient || i === delays.length - 1) throw e;
+    }
+  }
+}
+
 function writeSync(filepath, data, opts) {
   opts = Object.assign({}, DEFAULTS, opts || {});
   var buf = safeBuffer.toBuffer(data, {
@@ -440,7 +468,7 @@ function writeSync(filepath, data, opts) {
     } finally {
       try { nodeFs.closeSync(fd); } catch (_e) { /* already closed? */ }
     }
-    nodeFs.renameSync(tmpPath, filepath);
+    _renameWithRetry(tmpPath, filepath);
     renamed = true;
     _fsyncDir(dir);
   } finally {

package/lib/audit-chain.js

@@ -35,8 +35,23 @@
  */
 var canonicalJson = require("./canonical-json");
 var C = require("./constants");
+var clusterStorage = require("./cluster-storage");
+var frameworkSchema = require("./framework-schema");
+var sql = require("./sql");
 var { sha3Hash } = require("./crypto");
 
+// b.sql opts for the chain read SQL these primitives compose. The reader
+// (queryAllAsync / queryOneAsync, normally clusterStorage.execute*) rewrites
+// the bare framework table name + translates `?` placeholders at dispatch,
+// but the IDENTIFIER QUOTING + ORDER-BY column reference are baked into the
+// b.sql output at build time — so they must carry the ACTIVE backend dialect
+// (clusterStorage.dialect() — "sqlite" single-node, "postgres" | "mysql" in
+// cluster mode). Defaulting to "sqlite" double-quotes `monotonicCounter`,
+// which MySQL reads as a STRING LITERAL: `ORDER BY '<constant>'` imposes no
+// ordering, so verifyChain walks the rows out of order and falsely reports a
+// chain break. Backtick-quoting on MySQL makes it an identifier again.
+function _sqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
 // SHA3-512 outputs 64 bytes; routed through C.BYTES so the file's byte
 // arithmetic has one source of truth. Hex-encoded width is twice the
 // byte count.
@@ -140,11 +155,20 @@ function computeRowHash(prevHash, rowFields, nonce) {
  *   // → { prevHash: "<128-char hex>", counter: 4217 }
  */
 async function getChainTip(queryOneAsync, tableName) {
-  var row = await queryOneAsync(
-    'SELECT rowHash, monotonicCounter FROM "' + tableName + '" ' +
-    "ORDER BY monotonicCounter DESC LIMIT 1"
-  );
+  // Emit a BARE logical table name — the operator-supplied reader routes
+  // through clusterStorage, which rewrites bare framework names to the
+  // configured-prefix form and placeholderizes. b.sql quotes the camelCase
+  // columns + runs the output validator.
+  var built = sql.select(tableName, _sqlOpts())
+    .columns(["rowHash", "monotonicCounter"])
+    .orderBy("monotonicCounter", "desc")
+    .limit(1)
+    .toSql();
+  var row = await queryOneAsync(built.sql, built.params);
   if (!row) return { prevHash: ZERO_HASH, counter: 0 };
+  // Normalize driver shape (Postgres returns BIGINT monotonicCounter as a
+  // string) so callers get a numeric counter on every backend.
+  frameworkSchema.coerceRow(row);
   return { prevHash: row.rowHash, counter: row.monotonicCounter };
 }
 
@@ -186,10 +210,15 @@ async function verifyChain(queryAllAsync, tableName, opts) {
   if (tableName === "audit_log") {
     var anchor;
     try {
-      anchor = await queryAllAsync(
-        "SELECT lastPurgedCounter, lastPurgedRowHash FROM _blamejs_audit_purge_anchor " +
-        "WHERE scope = 'audit'"
-      );
+      // External-only table whose LOGICAL name IS the `_blamejs_`-prefixed
+      // name (self-mapped in LOCAL_TO_EXTERNAL), passed bare so the reader's
+      // clusterStorage rewrites it; the 'audit' scope binds as a ? param.
+      // allow:hand-rolled-sql — bare logical key.
+      var anchorBuilt = sql.select("_blamejs_audit_purge_anchor", _sqlOpts())   // allow:hand-rolled-sql
+        .columns(["lastPurgedCounter", "lastPurgedRowHash"])
+        .where("scope", "audit")
+        .toSql();
+      anchor = await queryAllAsync(anchorBuilt.sql, anchorBuilt.params);
     } catch (_e) {
       // Anchor table may not exist on a deployment that has never been
       // through a purge. Treat as no anchor.
@@ -201,9 +230,16 @@ async function verifyChain(queryAllAsync, tableName, opts) {
     }
   }
 
-  var rows = await queryAllAsync(
-    'SELECT * FROM "' + tableName + '" ORDER BY monotonicCounter ASC'
-  );
+  var rowsBuilt = sql.select(tableName, _sqlOpts())
+    .orderBy("monotonicCounter", "asc")
+    .toSql();
+  var rows = await queryAllAsync(rowsBuilt.sql, rowsBuilt.params);
+  // Normalize driver shape before hashing: node-postgres returns BIGINT
+  // columns (recordedAt / monotonicCounter) as strings, which would hash
+  // differently from the numbers the chain-writer signed — the chain only
+  // verified on SQLite without this. coerceRow makes the recompute
+  // type-stable across backends (no-op on already-numeric SQLite rows).
+  rows = frameworkSchema.coerceRows(rows);
   if (skipBeforeCounter > 0) {
     rows = rows.filter(function (r) {
       return Number(r.monotonicCounter) > skipBeforeCounter;