@blamejs/core 0.14.5 → 0.14.7

package/lib/network.js

@@ -108,8 +108,8 @@ function _socketDefaults() {
 }
 
 /**
- * @primitive b.network.applyToSocket
- * @signature b.network.applyToSocket(socket)
+ * @primitive b.network.socket.applyToSocket
+ * @signature b.network.socket.applyToSocket(socket)
  * @since     0.7.68
  * @related   b.network.bootFromEnv, b.network.snapshot
  *
@@ -124,7 +124,7 @@ function _socketDefaults() {
  * @example
  *   var net = require("net");
  *   var s   = new net.Socket();
- *   var ret = b.network.applyToSocket(s);
+ *   var ret = b.network.socket.applyToSocket(s);
  *   ret === s;
  *   // → true
  *   s.destroy();
@@ -164,7 +164,7 @@ var ntpFacade = {
  * @primitive b.network.bootFromEnv
  * @signature b.network.bootFromEnv(opts)
  * @since     0.7.68
- * @related   b.network.snapshot, b.network.applyToSocket
+ * @related   b.network.snapshot, b.network.socket.applyToSocket
  *
  * Read `BLAMEJS_*` environment variables once and apply the union to
  * the live network facade. Recognised keys cover NTP servers /

package/lib/outbox.js

@@ -342,7 +342,7 @@ function create(opts) {
   var stopping = false;
   var inFlight = null;
 
-  // SUBSTRATE-23 — `FOR UPDATE SKIP LOCKED` is Postgres / MySQL 8+ only.
+  // `FOR UPDATE SKIP LOCKED` is Postgres / MySQL 8+ only.
   // SQLite (single-writer at the DB level, but WAL mode lets multiple
   // processes share the file with concurrent SELECTs) doesn't support
   // SKIP LOCKED — feeding it Postgres syntax silently double-publishes

package/lib/pqc-agent.js

@@ -322,7 +322,7 @@ function _getDefaultAgent() {
  *   logger.info("pqc-agent reloaded", res);
  */
 function reload() {
-  // CRYPTO-9 — null the cached agent BEFORE calling destroy. The
+  // Null the cached agent BEFORE calling destroy. The
   // previous order let a concurrent _getDefaultAgent() see the
   // destroyed-not-null agent and hand it to a caller; the caller
   // then tries to issue a request through a torn-down keep-alive

package/lib/retention.js

@@ -569,7 +569,7 @@ function complianceFloor(posture, candidateTtlMs) {
   return candidateTtlMs > floor ? candidateTtlMs : floor;
 }
 
-// applyPosture — F-POSTURE-1 cascade hook. b.compliance.set(posture)
+// applyPosture — cascade hook. b.compliance.set(posture)
 // calls this to merge posture defaults into retention's state. The
 // retention module itself doesn't carry per-instance global defaults;
 // the cascade's job here is to surface the posture's audit-log

package/lib/retry.js

@@ -275,7 +275,7 @@ function backoffDelay(attempt, opts) {
   opts = opts || DEFAULT_RETRY;
   var base = opts.baseDelayMs * Math.pow(2, attempt - 1);
   var capped = Math.min(base, opts.maxDelayMs);
-  // CRYPTO-12 — jitter exists to spread retry storms across the
+  // Jitter exists to spread retry storms across the
   // millisecond window so N peer clients waking from the same
   // upstream outage don't all hit the recovering service at the same
   // tick. The value is observable to every client by construction

package/lib/safe-archive.js

@@ -225,7 +225,7 @@ async function extract(opts) {
         }
         inner = await archiveWrap().unwrapWithPassphrase(sealedBytes, { passphrase: opts.passphrase });
       }
-      // Codex P1 on v0.12.15 PR #166 — close the original source
+      // Close the original source
       // adapter BEFORE replacing it. When opts.source was a string
       // path, the fs adapter opened a file descriptor; overwriting
       // `source` loses the close reference and the descriptor
@@ -236,7 +236,7 @@ async function extract(opts) {
       if (typeof source.close === "function" && typeof opts.source === "string") {
         try { source.close(); } catch (_e) { /* drop-silent */ }
       }
-      // Codex P2 on v0.12.15 PR #166 — forward opts.signal to the
+      // Forward opts.signal to the
       // inner buffer adapter so abort propagation stays intact
       // across the unwrap boundary. Without it, an abort raised
       // after unwrapping would no longer cancel inner range()

package/lib/safe-ical.js

@@ -251,9 +251,9 @@ function parse(text, opts) {
   var vcal = consumed.component;
   // RFC 5545 §3.4 — a stream may carry multiple VCALENDAR objects.
   // Walk the remainder so trailing objects are validated under the
-  // same caps + control-char + property allowlist (Codex P2 — without
+  // same caps + control-char + property allowlist; without
   // this, CalDAV ingest can pass validation on the first object while
-  // trailing malformed objects ride through untouched).
+  // trailing malformed objects ride through untouched.
   var vcalendars = [_shapeVcalendar(vcal)];
   var cursor = consumed.nextIdx;
   while (cursor < lines.length) {

package/lib/safe-mime.js

@@ -549,7 +549,7 @@ function _splitMultipart(buf, boundary) {
     // Per RFC 2046 §5.1.1 a boundary delimiter is `--<value>` preceded
     // by CRLF (or LF) — OR at the very start of the body. A boundary-
     // shaped sequence elsewhere in a part's body MUST NOT be treated
-    // as a delimiter. Per Codex P1 on PR #49.
+    // as a delimiter.
     var idx = _findBoundaryAtLineStart(buf, delimiter, pos);
     if (idx < 0) break;
     if (buf[idx + delimiter.length] === 0x2D && buf[idx + delimiter.length + 1] === 0x2D) {

package/lib/self-update-standalone-verifier.js

@@ -208,7 +208,7 @@ function verify(assetPath, signaturePath, pubkeyPem) {
   // produces. 64 KiB chunks match the framework's hash-while-streaming
   // convention elsewhere.
   //
-  // CRYPTO-2 hardening (v0.9.58): fstat the asset BEFORE the read loop
+  // Hardening (v0.9.58): fstat the asset BEFORE the read loop
   // for every alg path, clamp every readSync to (assetStat.size -
   // fullOff), and reject if the final fullOff diverges from
   // assetStat.size. A grow-during-read race (writer appends as we

package/lib/self-update.js

@@ -115,7 +115,7 @@ function _normalizeTag(tag) {
  * Missing numeric components on either side are treated as `"0"` so
  * `"1.0"` and `"1.0.0"` compare equal.
  *
- * CRYPTO-20 (v0.9.58) — pre-v0.9.58 the pre-release segment fell back
+ * Hardening (v0.9.58) — pre-v0.9.58 the pre-release segment fell back
  * to lexicographic comparison, which silently misordered `"1.0.0-alpha.10"`
  * (the strict-§11 LARGER pre-release) and `"1.0.0-alpha.9"`: as strings
  * "10" < "9" so `alpha.10 < alpha.9`, and a downstream consumer polling
@@ -294,7 +294,7 @@ function _matchAsset(name, pattern, fallback) {
  *   timeoutMs:        number,    // request timeout (default 15s)
  *   headers:          object,    // additional request headers
  *   etag:             string,    // last-seen etag for If-None-Match
- *                                  // (CRYPTO-16 — etags are RFC 9110 §13.1.1
+ *                                  // (etags are RFC 9110 §13.1.1
  *                                  // per-resource; an etag captured for
  *                                  // releasesUrl=A is meaningless against
  *                                  // releasesUrl=B. Operators rotating

package/lib/static.js

@@ -216,7 +216,7 @@ function _resolveSafe(root, requestedPath) {
   // deposited disk content: shell-exec extensions (.exe / .bin / .so /
   // legitimate `<name>.<hash>.js` bundler output) are valid here. The
   // other balanced checks still reject the traversal + smuggling
-  // surface the user surfaced.
+  // surface.
   var fname = nodePath.basename(resolved);
   var rv = guardFilename().validate(fname, {
     profile:             "balanced",

package/lib/subject.js

@@ -362,7 +362,7 @@ function erase(subjectId, opts) {
 
 // ---- Crypto-shred erase (Art. 17 + WAL/replica residual closure) ----
 //
-// F-RTBF-3 — when a table opts into per-row keying via
+// When a table opts into per-row keying via
 // b.cryptoField.declarePerRowKey, this primitive deletes the
 // per-row K_row entries from _blamejs_per_row_keys, leaving any
 // residual ciphertext in WAL / replica / backup storage
@@ -477,7 +477,7 @@ function eraseHard(subjectId, opts) {
       totalDeleted += deleted;
       perTable[spec.name] = deleted;
       // REINDEX the table so B-tree pages holding the deleted row's
-      // index entries are rebuilt — closes the F-RTBF-2 residual class.
+      // index entries are rebuilt — closes the erase-vacuum residual class.
       try { db().runSql('REINDEX "' + spec.name + '"'); }                                        // table name comes from FRAMEWORK_SCHEMA
       catch (_e) { /* cluster mode / unsupported dialect */ }
     }

package/lib/vault/index.js

@@ -102,11 +102,12 @@ function resolvePaths(dataDir) {
     plaintext:         nodePath.join(dataDir, "vault.key"),
     sealed:            nodePath.join(dataDir, "vault.key.sealed"),
     derivedHashSalt:   nodePath.join(dataDir, "vault.derived-hash-salt"),
+    derivedHashMacKey: nodePath.join(dataDir, "vault.derived-hash-mac.sealed"),
   };
 }
 
 // derivedHashSalt — per-deployment salt for crypto-field
-// derivedHashes (D-H1). Pre-v0.8.42 the deterministic
+// derivedHashes. Pre-v0.8.42 the deterministic
 // sha3(namespace + plaintext) shape allowed cross-deployment
 // rainbow + cross-table correlation; binding a 32-byte
 // per-deployment salt closes that class without breaking
@@ -175,6 +176,66 @@ function getDerivedHashSalt() {
   return _cachedDerivedHashSalt;
 }
 
+// derivedHashMacKey — per-deployment SECRET key for crypto-field's
+// keyed (hmac-shake256) derived-hash mode. Unlike the salt, this is
+// SEALED at rest (vault.derived-hash-mac.sealed), so an attacker with
+// disk access alone cannot recompute the keyed digest and correlate
+// low-entropy plaintexts. Like the salt, it is keypair-bound and
+// survives a passphrase-only rotation; an ENVELOPE rotation re-seals it
+// because it is registered in rotate's additionalSealed sweep.
+function _readOrCreateDerivedHashMacKey() {
+  if (!paths) {
+    throw new VaultError("vault/not-initialized",
+      "vault.getDerivedHashMacKey() requires init()");
+  }
+  if (nodeFs.existsSync(paths.derivedHashMacKey)) {
+    var sealed = atomicFile.readSync(paths.derivedHashMacKey, { encoding: "utf8" }).trim();
+    var b64 = unseal(sealed);
+    var key = Buffer.from(b64, "base64");
+    if (key.length !== 32) {                                                        // 32-byte (256-bit) MAC key
+      throw new VaultError("vault/derived-hash-mac-key-corrupted",
+        "vault.derived-hash-mac key must unseal to exactly 32 bytes; got " + key.length);
+    }
+    return key;
+  }
+  var nodeCrypto = require("node:crypto");
+  var raw = nodeCrypto.randomBytes(32);                                            // 32-byte MAC key
+  atomicFile.writeSync(paths.derivedHashMacKey, seal(raw.toString("base64")), { fileMode: 0o600 });
+  log("generated per-deployment derivedHash MAC key at " + paths.derivedHashMacKey);
+  return raw;
+}
+
+var _cachedDerivedHashMacKey = null;
+/**
+ * @primitive b.vault.getDerivedHashMacKey
+ * @signature b.vault.getDerivedHashMacKey()
+ * @since     0.14.7
+ * @related   b.vault.getDerivedHashSalt, b.cryptoField.registerTable
+ *
+ * Returns the 32-byte per-deployment SECRET key that backs crypto-
+ * field's keyed (`hmac-shake256`) derived-hash mode. Generated once on
+ * first use, SEALED at rest (`vault.derived-hash-mac.sealed`, mode
+ * `0o600`) so disk access alone does not expose it, and re-sealed by an
+ * envelope vault rotation. Distinct from `getDerivedHashSalt`, which is
+ * a non-secret salt stored in plaintext.
+ *
+ * Throws `VaultError("vault/not-initialized")` before `init()`, or
+ * `vault/derived-hash-mac-key-corrupted` if the sealed file does not
+ * unseal to exactly 32 bytes.
+ *
+ * @example
+ *   await b.vault.init({ dataDir: "/var/lib/blamejs", mode: "plaintext" });
+ *   var k = b.vault.getDerivedHashMacKey();
+ *   k.length;           // → 32
+ *   Buffer.isBuffer(k); // → true
+ */
+function getDerivedHashMacKey() {
+  if (_cachedDerivedHashMacKey === null) {
+    _cachedDerivedHashMacKey = _readOrCreateDerivedHashMacKey();
+  }
+  return _cachedDerivedHashMacKey;
+}
+
 // ---- Init dispatch ----
 
 /**
@@ -620,6 +681,7 @@ module.exports = {
   seal:                  seal,
   unseal:                unseal,
   getDerivedHashSalt:    getDerivedHashSalt,
+  getDerivedHashMacKey:  getDerivedHashMacKey,
   _zeroizeAndReplace:    _zeroizeAndReplace,
   aad:                   vaultAad,
   getKeysJson:           getKeysJson,
@@ -633,6 +695,7 @@ module.exports = {
   _resetForTest:         function () {
     if (currentPassphrase) safeBuffer.secureZero(currentPassphrase);
     keys = null; initialized = false; currentPassphrase = null; paths = null; currentMode = null;
+    _cachedDerivedHashSalt = null; _cachedDerivedHashMacKey = null;
   },
   _getKeysForTest:       function () { return keys; },
   _getPathsForTest:      function () { return paths; },

package/lib/vault/rotate.js

@@ -651,6 +651,25 @@ async function rotate(opts) {
       _reSealValue(current, oldKeys, newKeys), { mode: 0o600 });
   }
 
+  // 3b. Framework-managed crypto-field derived-hash files — always
+  // rotated regardless of operator opts.paths, so the staging copy is
+  // complete. The plaintext salt is copied verbatim; the SEALED MAC key
+  // (keyed hmac-shake256 mode) is re-sealed under the new keypair so an
+  // envelope rotation doesn't orphan it (a passphrase-only rotation
+  // re-seals to the same value since the keypair is unchanged).
+  var saltSrc = nodePath.join(dataDir, "vault.derived-hash-salt");
+  if (nodeFs.existsSync(saltSrc)) {
+    nodeFs.copyFileSync(saltSrc, nodePath.join(stagingDir, "vault.derived-hash-salt"));
+  }
+  var macSrc = nodePath.join(dataDir, "vault.derived-hash-mac.sealed");
+  if (nodeFs.existsSync(macSrc)) {
+    var macCurrent = nodeFs.readFileSync(macSrc, "utf8").trim();
+    if (macCurrent.indexOf(C.VAULT_PREFIX) === 0) {
+      nodeFs.writeFileSync(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
+        _reSealValue(macCurrent, oldKeys, newKeys), { mode: 0o600 });
+    }
+  }
+
   // 4. decrypt + rotate + re-encrypt db.enc
   _emit(progress, { phase: "rotate_db" });
   var encDbPath = nodePath.join(dataDir, paths.encryptedDb);

package/lib/vendor-data.js

@@ -306,7 +306,7 @@ function _loadAndVerify(name) {
 // Memoized — "sha256:" + sha256(pemToRaw(PUBKEY_PEM)). Matches the
 // canonical fingerprint shape `scripts/vendor-data-gen.js` writes into
 // each .data.js's `metadata.publicKeyFingerprint`. Computed lazily on
-// first verify (also lazily by verifyAll at boot). CRYPTO-11 — every
+// first verify (also lazily by verifyAll at boot). Every
 // per-entry verify cross-checks this against the entry's declared
 // `meta.publicKeyFingerprint` so a pubkey-swap attack fails before
 // signature verify even runs.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.5",
+  "version": "0.14.7",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:5c0853e1-1ea7-4fb1-8fb6-58b2ae51671f",
+  "serialNumber": "urn:uuid:5777b851-3edb-4e73-9a6a-0538d8e52a91",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T15:10:40.322Z",
+    "timestamp": "2026-05-30T21:03:08.883Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.5",
+      "bom-ref": "@blamejs/core@0.14.7",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.5",
+      "version": "0.14.7",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.5",
+      "purl": "pkg:npm/%40blamejs/core@0.14.7",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.5",
+      "ref": "@blamejs/core@0.14.7",
       "dependsOn": []
     }
   ]