@blamejs/core 0.14.6 → 0.14.7

package/lib/backup/index.js

@@ -81,7 +81,7 @@ var BackupError = defineClass("BackupError");
 // compliance.js); list them here so bundleAdapterStorage's
 // posture check refuses plaintext bundles under these regimes
 // alongside the long-standing HIPAA + PCI-DSS pair.
-// Codex P1 on v0.12.26 PR #177 — the legacy `ai-act` short
+// The legacy `ai-act` short
 // name MUST appear in the backup encryption-required list too,
 // otherwise a deployment pinned to `posture: "ai-act"` (the
 // stated back-compat path) bypasses the cryptoStrategy refusal
@@ -339,7 +339,7 @@ function create(opts) {
       "create: opts.vaultKeyJson is required (string or function returning string)");
   }
 
-  // Posture-enforced backup encryption (F-BUDR-4). HIPAA / PCI-DSS
+  // Posture-enforced backup encryption. HIPAA / PCI-DSS
   // operators MUST keep encryption on. The framework's backup pipeline
   // is encrypted-by-default — passphrase + per-file XChaCha20-Poly1305
   // — but operators in third-party storage backends sometimes pass
@@ -361,7 +361,7 @@ function create(opts) {
     }
   }
 
-  // F-CBT-3 — backup destination residency posture. EU-tagged primary
+  // Backup destination residency posture. EU-tagged primary
   // backing up to a US-region destination is a GDPR Article 46
   // cross-border transfer; without an explicit operator opt-in the
   // framework refuses to create the pipeline under gdpr / dpdp /
@@ -1110,7 +1110,7 @@ function bundleAdapterStorage(opts) {
   // HIPAA + PCI-DSS recipe raises the floor to 128 bits (per
   // BACKUP_ENCRYPTION_REQUIRED_POSTURES below); default 80 matches
   // OWASP "strong password" guidance for generic deployments.
-  // Codex P1 on v0.12.11 PR #162 — typeof NaN === "number" and
+  // Typeof NaN === "number" and
   // typeof Infinity === "number" both pass the typeof gate but
   // bypass downstream comparisons (NaN < 128 is false; estimated
   // < NaN is false). Use Number.isFinite + a finite integer check
@@ -1136,7 +1136,7 @@ function bundleAdapterStorage(opts) {
         "passphraseMinEntropyBits defaults to 80; HIPAA / PCI-DSS postures raise the floor to 128.");
     }
   }
-  // Codex P1 on v0.12.10 PR #161 — the wrap layers (recipient AND
+  // The wrap layers (recipient AND
   // passphrase) compose only with the tar / tar.gz writeBundle
   // branches. Pairing encryption strategy with format: "directory"
   // would silently write plaintext per-file payloads. Refuse upfront
@@ -1168,7 +1168,7 @@ function bundleAdapterStorage(opts) {
       passphraseMinEntropyBits = 128;                                                  // entropy-bits floor, not byte count
     }
   }
-  // Codex P2 on v0.12.8 PR #159 — tar mode builds the whole archive
+  // Tar mode builds the whole archive
   // in memory before adapter.writeFile because the v0.12.8 adapter
   // contract is bytes-in (no writeStream method). The OOM-prevention
   // gate is maxBundleBytes: writeBundle pre-walks the source tree,
@@ -1244,7 +1244,7 @@ function bundleAdapterStorage(opts) {
         // wire). Bundle sizes drop ~3-5× on text-heavy backups
         // (databases, JSON exports, mail spools) under tar.gz.
         //
-        // Codex P2 on v0.12.8 PR #159 — tar bytes are materialized in
+        // Tar bytes are materialized in
         // memory because the v0.12.8 adapter contract is bytes-in
         // (writeFile takes a Buffer, no writeStream method). The
         // maxBundleBytes pre-walk computes the uncompressed payload
@@ -1312,7 +1312,7 @@ function bundleAdapterStorage(opts) {
       }
       atomicFile.ensureDir(destDir);
       if (hasTarGz) {
-        // Codex P1/P2 on v0.12.9 PR #160 — propagate maxBundleBytes
+        // Propagate maxBundleBytes
         // to the gz restore path + disable the expansion-ratio cap.
         // archive.read.gz defaults (1 GiB output / 100× ratio) are
         // bomb-defense settings appropriate for adversarial input;
@@ -1386,7 +1386,7 @@ function bundleAdapterStorage(opts) {
       // writeBundle path produced (rule §2 — the format is part
       // of the storage layout, not behind a probe).
       //
-      // Codex P2 on v0.12.17 PR #168 — track WHICH suffixes a
+      // Track WHICH suffixes a
       // bundle carries (set of booleans) then apply explicit
       // precedence at the end: tar.gz > tar > directory. Matches
       // readBundle's preference (which checks hasTarGz first)
@@ -1595,7 +1595,7 @@ function bundleAdapterStorage(opts) {
           "cloneBundle: dstBundleId '" + dstBundleId + "' already exists; " +
           "pass opts.overwrite=true to replace");
       }
-      // Codex P1 on v0.12.23 PR #174 — when overwrite=true, the
+      // When overwrite=true, the
       // existence guard was the only protection but it didn't
       // delete the destination's existing keys before writing
       // the source keys. Stale-format bundles (dst=tar, src=
@@ -1654,7 +1654,7 @@ function bundleAdapterStorage(opts) {
       var rwKeySuffix = info.format === "tar.gz" ? TAR_GZ_KEY_SUFFIX : TAR_KEY_SUFFIX;
       var sealed = await adapter.readFile(bundleId + rwKeySuffix);
       var envelopeKind = info.envelopeKind;
-      // Codex P2 on v0.12.21 PR #172 — when the adapter has no
+      // When the adapter has no
       // readPartial capability, bundleInfo returns envelopeKind:
       // "unknown" rather than risk a full payload load. For
       // rewrap, we already have to load the payload (to unwrap),
@@ -1705,7 +1705,7 @@ function bundleAdapterStorage(opts) {
           "rewrapBundle: opts.newPassphrase is required (string or Buffer) to re-seal");
       }
       inner = await archiveLazy().unwrapWithPassphrase(sealed, { passphrase: oldPass });
-      // Codex P1 on v0.12.21 PR #172 — preserve the storage's
+      // Preserve the storage's
       // configured entropy floor across rewrap. The
       // writeBundle path raises the floor to 128 bits under
       // HIPAA / PCI-DSS postures (per
@@ -1770,7 +1770,7 @@ function bundleAdapterStorage(opts) {
       var inflight = [];
       var aborted = false;
       function _spawn() {
-        // Codex P1 on v0.12.22 PR #173 — synchronously drain
+        // Synchronously drain
         // non-wrappable entries inside _spawn until we hit one
         // that actually needs an async rewrap (or the pending
         // queue empties). The prior implementation returned
@@ -1850,7 +1850,7 @@ function bundleAdapterStorage(opts) {
     },
     async verifyAllBundles(vOpts) {
       vOpts = vOpts || {};
-      // Codex P1 on v0.12.20 PR #171 — clamp fractional + zero
+      // Clamp fractional + zero
       // floors so a stray `0.5` doesn't spawn zero workers + return
       // a silent ok=0/failed=0 report on non-empty storage. Default
       // 4; minimum 1; non-finite / non-positive falls back to
@@ -1876,7 +1876,7 @@ function bundleAdapterStorage(opts) {
         if (aborted) return null;
         if (pending.length === 0) return null;
         var entry = pending.shift();
-        // Codex P2 on v0.12.20 PR #171 — wrap each worker so any
+        // Wrap each worker so any
         // verifyBundle rejection becomes a failed-result entry
         // rather than rejecting the whole batch. Without this, a
         // mid-walk failure (payload disappeared between listBundles
@@ -2063,7 +2063,7 @@ function bundleAdapterStorage(opts) {
       var envelopeKind = "none";
       var sizeBytes = null;
       var createdAt = null;
-      // Codex P2 on v0.12.18 PR #169 — directory-format bundles
+      // Directory-format bundles
       // leave payloadKey null but DO have a manifest.json that
       // statKey can read. For createdAt parity with
       // listBundles({ withStats }), stat the manifest in the
@@ -2085,7 +2085,7 @@ function bundleAdapterStorage(opts) {
         }
       }
       if (payloadKey !== null) {
-        // Codex P1 on v0.12.17 PR #168 — claim was a 5-byte magic
+        // Claim was a 5-byte magic
         // probe; the implementation was reading the entire bundle
         // into memory. For multi-GB bundles, an administrative
         // metadata call would allocate the whole payload and put
@@ -2381,7 +2381,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
       // prefix manually so `listKeys("")` enumerates everything
       // under the operator-supplied namespace.
       var realScoped = prefix + (keyPrefix || "");
-      // Codex P1 on v0.12.13 PR #164 — object-store backends page
+      // Object-store backends page
       // results (default 1000 keys). Without continuation, listKeys
       // silently dropped bundles past page 1 — listBundles missed
       // them, deleteBundle skipped them. Follow the

package/lib/cache.js

@@ -85,7 +85,7 @@ var { CacheError } = require("./framework-error");
 
 var log = boot("cache");
 var observability = lazyRequire(function () { return require("./observability"); });
-// D-L5 — opt-in vault seal for cluster-backend cache values. Lazy so
+// Opt-in vault seal for cluster-backend cache values. Lazy so
 // vault-not-initialized in tests with a memory cache doesn't crash
 // at module load.
 var vault = lazyRequire(function () { return require("./vault"); });
@@ -501,7 +501,7 @@ function _clusterBackend(cfg) {
       ).catch(function () { /* best-effort */ });
     }
     var stored = row.valueJson;
-    // D-L5 — sealed-row decode. Sealed entries are prefixed at write
+    // Sealed-row decode. Sealed entries are prefixed at write
     // time so the unseal-on-read path is a strict opt-in: rows
     // written without seal:true continue parsing as before.
     if (typeof stored === "string" && stored.indexOf(CACHE_SEAL_PREFIX) === 0) {
@@ -521,7 +521,7 @@ function _clusterBackend(cfg) {
     // changed value, app code treats it as the original" — a subtle
     // freshness bug that's hard to debug.
     var json = safeJson.stringify(value);
-    // D-L5 — opt-in vault seal. When the caller passes seal: true,
+    // Opt-in vault seal. When the caller passes seal: true,
     // wrap the JSON via b.vault.seal (XChaCha20-Poly1305) before
     // landing in _blamejs_cache.valueJson. The marker prefix is what
     // get() looks for to know it must unseal on read.
@@ -1091,7 +1091,7 @@ function create(opts) {
         }
       }
     }
-    // D-L5 — opt-in vault seal. Strict-shape check: must be the literal
+    // Opt-in vault seal. Strict-shape check: must be the literal
     // boolean true, not just truthy. Backends that don't support seal
     // (memory, custom) ignore the flag transparently; cluster backend
     // wraps valueJson via b.vault.seal before INSERT.

package/lib/calendar.js

@@ -263,7 +263,7 @@ function validate(jsCal) {
         "b.calendar.validate: Group.source MUST be a string URI when present (RFC 8984 §1.4.4)");
     }
     if (jsCal.categories !== undefined) {
-      // Codex P1 — `typeof null === "object"` would let `categories:
+      // `typeof null === "object"` would let `categories:
       // null` through this check, and the subsequent Object.keys
       // throws a raw TypeError instead of a structured CalendarError.
       // Refuse null explicitly so callers depending on the
@@ -687,7 +687,7 @@ function _expandSingleRule(rule, startMs, ctx) {
       var n = parseInt(arr[i], 10);
       if (isFinite(n) && n >= lo && n <= hi) { s[n] = true; hasAny = true; }
     }
-    // Codex P2 — when every value in the BY* list is out of range,
+    // When every value in the BY* list is out of range,
     // return null instead of an empty set. An empty truthy set would
     // cause `_matchesBy` to reject every candidate (`!set[n]` is
     // true) and silently turn malformed input into a "match nothing"
@@ -728,7 +728,7 @@ function _expandSingleRule(rule, startMs, ctx) {
     if (byMonthSet && !byMonthSet[d.getUTCMonth() + 1]) return false;
     if (byMonthDaySet && !byMonthDaySet[d.getUTCDate()]) return false;
     if (byWeekNoSet) {
-      // Codex P1 — ISO week-year vs Gregorian year. 2021-01-01 is ISO
+      // ISO week-year vs Gregorian year. 2021-01-01 is ISO
       // week 53 of WEEK-YEAR 2020 (since 2021 only has 52 ISO weeks).
       // Comparing only the numeric week would let a Jan 1 2021 date
       // match a BYWEEKNO=53 rule whose implicit year is 2021. Refuse
@@ -884,7 +884,7 @@ function _expandWithBysetpos(ctx) {
     // Emit picked candidates in ascending order, gated by window +
     // untilMs + per-rule count cap.
     //
-    // Codex P1 — recurrence instances MUST NOT precede DTSTART (per
+    // Recurrence instances MUST NOT precede DTSTART (per
     // RFC 5545 §3.8.5.3). The period-boundary enumeration above
     // includes candidates BEFORE startMs when the period containing
     // startMs has earlier BY*-matching days (e.g. start = May 20
@@ -960,7 +960,7 @@ function _veventToJsCalEvent(ve) {
   if (tzid) {
     jsCal.timeZone = tzid;
   } else if (typeof dtstart === "string" && /Z$/.test(dtstart)) {
-    // Codex P1 — RFC 8984 §1.4.4: a UTC-suffix DTSTART (`...Z`) in
+    // RFC 8984 §1.4.4: a UTC-suffix DTSTART (`...Z`) in
     // iCalendar maps to a JSCalendar Event with `timeZone: "Etc/UTC"`.
     // Without this, round-tripping `fromIcal` → `toIcal` would drop
     // the UTC anchor + emit floating time, shifting the absolute

package/lib/circuit-breaker.js

@@ -82,7 +82,7 @@ function create(opts) {
   // split the name out of opts before invoking the constructor.
   // Caught by hermitstash-sync operator review against v0.9.12.
   //
-  // CRYPTO-19 — the previous empty-string fallback was unreachable
+  // The previous empty-string fallback was unreachable
   // (retryHelper.CircuitBreaker validator throws on "" first) AND
   // produced a confusing error message ("name must be a non-empty
   // string, got string \"\"") that obscured the real opt-shape

package/lib/cms-codec.js

@@ -367,7 +367,7 @@ function decode(buf, opts) {
 
 // OIDs whose AlgorithmIdentifier specifies ABSENT parameters per their
 // publishing RFC — emitting NULL here would make the CMS structure
-// non-conformant for strict validators (Codex P1 finding on PR #102).
+// non-conformant for strict validators.
 // ML-DSA per RFC 9909 §3, SLH-DSA per RFC 9881 §3, ML-KEM per
 // RFC 9936 §3. SHAKE-family per FIPS 202 (NIST registry — absent params).
 var ABSENT_PARAM_OIDS = new Set([
@@ -407,7 +407,7 @@ function _writeImplicitPrimitive(tagNumber, value) {
   // [N] IMPLICIT context-specific PRIMITIVE — for wrapping primitive
   // ASN.1 types (OCTET STRING / INTEGER / OID) that have been IMPLICIT-
   // tagged. The constructed bit MUST NOT be set or strict CMS parsers
-  // reject the structure (Codex P1 finding on PR #102 — RecipientIdentifier
+  // reject the structure (RecipientIdentifier
   // CHOICE's SubjectKeyIdentifier alternative is `[0] IMPLICIT OCTET STRING`,
   // a primitive type).
   var tagByte = 0x80 | (tagNumber & 0x1f);                                                            // context-specific primitive mask

package/lib/compliance.js

@@ -280,7 +280,7 @@ var KNOWN_POSTURES = Object.freeze([
   "nyc-ll144-2024",              // NYC Local Law 144 — Automated Employment Decision Tool bias audits (2024 enforcement update)             // statute identifier, not bytes
 ]);
 
-// SUPPLY-34 — Artifact standards (SBOM / VEX format families) are NOT
+// Artifact standards (SBOM / VEX format families) are NOT
 // regulatory regimes. Pinning a posture like `cyclonedx-v1.6` to
 // cascade audit + TLS floors conflates the act of EMITTING a SBOM
 // format with the regulatory floor an operator needs. Operators who
@@ -385,7 +385,7 @@ function set(posture) {
   STATE.setAt   = Date.now();
   _emitAudit("compliance.posture.set", { posture: posture });
 
-  // SUPPLY-34 — emit a `format_as_regime` audit warning when an
+  // Emit a `format_as_regime` audit warning when an
   // operator pins an artifact-standard format (cyclonedx-v1.6 /
   // spdx-v3.0 / vex-csaf-2.1) as the regulatory posture. These names
   // remain in KNOWN_POSTURES for back-compat but pinning them as the
@@ -400,7 +400,7 @@ function set(posture) {
       "warning");
   }
 
-  // SUPPLY-21 — emit `fips_conflict` audit warning when posture is
+  // Emit `fips_conflict` audit warning when posture is
   // FedRAMP / CMMC L3 AND the framework's PQC-first crypto defaults
   // are active without an explicit fipsMode opt-in. Operators see
   // this in the audit chain and either (a) document the deviation
@@ -417,7 +417,7 @@ function set(posture) {
       "warning");
   }
 
-  // F-POSTURE-1 — cascade the posture into every primitive that owns a
+  // Cascade the posture into every primitive that owns a
   // posture-conditioned default. Each primitive exposes an
   // `applyPosture(name)` that merges the POSTURE_DEFAULTS entry for the
   // posture into its own state and emits
@@ -429,7 +429,7 @@ function set(posture) {
   // skipped rows surface in the audit chain so a forensic review can
   // reconstruct the boot order.
   _applyPostureCascade(posture);
-  // F-AUD-5 — TZ awareness. Auditors expect timestamps in UTC.
+  // TZ awareness. Auditors expect timestamps in UTC.
   // process.env.TZ controls Node's local-time conversion for any
   // operator code that uses non-UTC formatters; under regulated
   // postures (hipaa / pci-dss / sox / gdpr / soc2) emit a boot
@@ -447,7 +447,7 @@ function set(posture) {
   }
 }
 
-// _applyPostureCascade — F-POSTURE-1. Walks every primitive that
+// _applyPostureCascade — walks every primitive that
 // participates in posture-conditioned defaults and asks it to merge
 // the named posture into its state. Each step is best-effort at the
 // audit-emission level (a primitive that isn't loaded yet emits
@@ -936,11 +936,11 @@ function describe(posture) {
 // floors.
 //
 // Keys per posture:
-//   backupEncryptionRequired  — backup.create refuses encrypt:false (F-BUDR-4)
+//   backupEncryptionRequired  — backup.create refuses encrypt:false
 //   auditChainSignedRequired  — audit emissions MUST be ML-DSA-87 chain-signed
 //   tlsMinVersion             — minimum TLS version (string e.g. "TLSv1.3")
 //   sessionAbsoluteTimeoutMs  — hard session expiry ceiling
-//   requireVacuumAfterErase   — F-RTBF-2: cryptoField.eraseRow must call
+//   requireVacuumAfterErase   — cryptoField.eraseRow must call
 //                               b.db.vacuumAfterErase({ mode: "full" })
 //                               so freed B-tree index pages don't linger
 //                               with sealed-column ciphertext readable
@@ -1178,7 +1178,7 @@ var POSTURE_DEFAULTS = Object.freeze({
   "circia":          Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   // ---- v0.9.6 — exceptd framework-control-gap closure cascade ----
   "nist-800-53":             Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
-  // SUPPLY-18 — NIST AI-RMF MANAGE.4.3 / ISO 23894 §6.5 / ISO 42001
+  // NIST AI-RMF MANAGE.4.3 / ISO 23894 §6.5 / ISO 42001
   // §A.6 require encrypted backups for AI system state (model
   // weights, training data, prompt logs all contain regulated
   // payload). All AI-domain postures now enforce backupEncryption.
@@ -1186,7 +1186,7 @@ var POSTURE_DEFAULTS = Object.freeze({
   "iso-42001-2023":          Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "iso-23894-2023":          Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "owasp-llm-top-10-2025":   Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
-  // SUPPLY-19 — OWASP ASVS v5.0 §8.3.4 (sensitive-data deletion)
+  // OWASP ASVS v5.0 §8.3.4 (sensitive-data deletion)
   // requires post-delete storage reclamation. Set requireVacuumAfterErase
   // so operators pinning ASVS v5.0 inherit the proper floor.
   "owasp-asvs-v5.0":         Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
@@ -1194,7 +1194,7 @@ var POSTURE_DEFAULTS = Object.freeze({
   "nist-800-82-r3":          Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "nist-800-63b-rev4":       Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "iec-62443-3-3":           Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
-  // SUPPLY-21 — FedRAMP Rev 5 Moderate baseline references FIPS 140-3
+  // FedRAMP Rev 5 Moderate baseline references FIPS 140-3
   // validated cryptography for protect-against-disclosure controls
   // (SC-13, SC-28). The framework's PQC-first defaults (ML-KEM-1024,
   // XChaCha20-Poly1305, SHA3-512) are NOT FIPS-140-3 validated as of
@@ -1230,7 +1230,7 @@ var POSTURE_DEFAULTS = Object.freeze({
   "nist-800-115":            Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "cwe-top-25-2024":         Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "cis-controls-v8":         Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
-  // SUPPLY-20 — CMMC 2.0 levels differ in control mapping:
+  // CMMC 2.0 levels differ in control mapping:
   //   L1 (Foundational, 15 FAR controls, FCI data only) — encrypted
   //       backups NOT mandated; audit-chain encouraged.
   //   L2 (Advanced, 110 NIST 800-171 Rev 2 controls, CUI data) —
@@ -1325,7 +1325,7 @@ var POSTURE_DEFAULTS = Object.freeze({
   // erased from a system's storage, the residual EXIF / metadata
   // entries pointing at the model must be cleared too.
   "eu-ai-act":               Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
-  // Codex P1 on v0.12.26 PR #177 — the legacy `ai-act` short
+  // The legacy `ai-act` short
   // name carries the SAME cascade as `eu-ai-act` so deployments
   // pinned to the legacy alias get the new encryption / audit /
   // TLS / vacuum floors instead of falling through to null. The
@@ -1526,7 +1526,7 @@ function list() {
  * Return the set of SBOM / VEX artifact standards the framework can
  * emit. These are FORMAT FAMILIES, not regulatory regimes — pinning
  * one of these names as the deployment's compliance posture conflates
- * "format I emit" with "regulatory floor I meet" (SUPPLY-34). Pin
+ * "format I emit" with "regulatory floor I meet". Pin
  * the regulatory regime (FedRAMP / SSDF / HIPAA / etc.) via
  * `b.compliance.set()` and surface the emitted artifact standards via
  * this read-only catalog.

package/lib/crypto-field.js

@@ -52,7 +52,7 @@ var compliance    = lazyRequire(function () { return require("./compliance"); })
 var db            = lazyRequire(function () { return require("./db"); });
 var audit         = lazyRequire(function () { return require("./audit"); });
 
-// F-POSTURE-1 cascade hook + F-RTBF-2 integration. Recording the
+// Posture cascade hook + erase-vacuum integration. Recording the
 // posture lets eraseRow call b.db.vacuumAfterErase({ mode: "full" })
 // automatically under postures whose POSTURE_DEFAULTS sets
 // requireVacuumAfterErase: true (gdpr / dpdp / pipl-cn / lgpd-br /
@@ -113,7 +113,7 @@ function getActivePosture() { return _activePosture; }
 // Per-table registry, populated by db.init()
 var schemas = Object.create(null);
 
-// F-CBT-1 — per-COLUMN data residency registry. Real GDPR / DPDP
+// Per-COLUMN data residency registry. Real GDPR / DPDP
 // deployments have row-level mixed residency: a `users.name` column
 // may be global, but `users.addressLine1` must stay in EU storage.
 // db.init({ schema }) carries the operator's residency declaration
@@ -123,7 +123,7 @@ var schemas = Object.create(null);
 //   { tableName: { columnName: "eu" | "us" | "global" | <tag> } }
 var columnResidency = Object.create(null);
 
-// F-RTBF-3 — per-row key declaration registry. For tables that opt
+// Per-row key declaration registry. For tables that opt
 // into per-row keying, b.subject.eraseHard deletes the wrapped K_row
 // from _blamejs_per_row_keys, leaving WAL/replica residual ciphertext
 // undecryptable.
@@ -152,7 +152,7 @@ var perRowKeyTables = Object.create(null);
  *                                          // b.vault.aad — AEAD-binds the ciphertext
  *                                          // to (table, rowIdField=primary key, column)
  *                                          // so a DB-write attacker can't copy a
- *                                          // sealed value between rows. CRYPTO-1.
+ *                                          // sealed value between rows.
  *   rowIdField:     string,                // when aad=true, the column name carrying
  *                                          // the row identity. Default "id". The row
  *                                          // passed to sealRow MUST already have this
@@ -173,7 +173,7 @@ var perRowKeyTables = Object.create(null);
  *   });
  *   b.cryptoField.getSealedFields("patients");   // → ["ssn", "diagnosis"]
  *
- *   // AAD-bound table (recommended for new schemas — CRYPTO-1).
+ *   // AAD-bound table (recommended for new schemas).
  *   b.cryptoField.registerTable("idempotency_keys", {
  *     sealedFields: ["headers", "body"],
  *     aad:          true,
@@ -185,16 +185,56 @@ function registerTable(name, opts) {
   var rowIdField = typeof opts.rowIdField === "string" && opts.rowIdField.length > 0
     ? opts.rowIdField : "id";
   var schemaVersion = opts.schemaVersion != null ? String(opts.schemaVersion) : "1";
+  var derivedHashMode = opts.derivedHashMode || "salted-sha3";
+  if (derivedHashMode !== "salted-sha3" && derivedHashMode !== "hmac-shake256") {
+    throw new Error("registerTable: derivedHashMode must be 'salted-sha3' (default) or " +
+      "'hmac-shake256', got " + JSON.stringify(derivedHashMode));
+  }
+  var derivedHashes = Object.assign({}, opts.derivedHashes || {});
+  for (var col in derivedHashes) {
+    if (!Object.prototype.hasOwnProperty.call(derivedHashes, col)) continue;
+    var colMode = derivedHashes[col] && derivedHashes[col].mode;
+    if (colMode !== undefined && colMode !== "salted-sha3" && colMode !== "hmac-shake256") {
+      throw new Error("registerTable: derivedHashes." + col + ".mode must be " +
+        "'salted-sha3' or 'hmac-shake256', got " + JSON.stringify(colMode));
+    }
+  }
   schemas[name] = {
-    sealedFields:   Array.isArray(opts.sealedFields)   ? opts.sealedFields.slice()   : [],
-    derivedHashes:  Object.assign({}, opts.derivedHashes || {}),
-    hashNamespaces: Object.assign({}, opts.hashNamespaces || {}),
-    aad:            aadOn,
-    rowIdField:     rowIdField,
-    schemaVersion:  schemaVersion,
+    sealedFields:    Array.isArray(opts.sealedFields)   ? opts.sealedFields.slice()   : [],
+    derivedHashes:   derivedHashes,
+    hashNamespaces:  Object.assign({}, opts.hashNamespaces || {}),
+    aad:             aadOn,
+    rowIdField:      rowIdField,
+    schemaVersion:   schemaVersion,
+    derivedHashMode: derivedHashMode,
   };
 }
 
+// Derived-hash digest width for the keyed (hmac-shake256) mode: 32
+// bytes -> 64 hex chars.
+var DERIVED_HASH_BYTES = 32;
+
+// Compute the indexed-lookup digest for a derived-hash column.
+//   - "salted-sha3" (default): SHA3-512 over <per-deployment salt> + ns
+//     + value (128 hex). Deterministic per deployment.
+//   - "hmac-shake256": SHAKE256(<vault-sealed MAC key> || ns + value)
+//     truncated to 32 bytes (64 hex). The key is a vault-derived secret,
+//     NOT a static salt, so an attacker who recovers the salt alone
+//     can't correlate two low-entropy plaintexts; the sponge has no
+//     length-extension weakness. (b.crypto.hmacSha3 (HMAC-SHA3-512) was
+//     considered; SHAKE256(key||msg) is chosen for the fixed-width keyed
+//     digest with the same MAC-grade guarantee.) FIPS 202; NIST SP
+//     800-185; GDPR Art. 4(5) pseudonymisation; HIPAA 45 CFR 164.514(b).
+function _computeDerivedHash(spec, tableMode, ns, normalized) {
+  var mode = (spec && spec.mode) || tableMode || "salted-sha3";
+  if (mode === "hmac-shake256") {
+    var macKey = vault.getDerivedHashMacKey();
+    return kdf(Buffer.concat([macKey, Buffer.from(ns + normalized, "utf8")]),
+      DERIVED_HASH_BYTES).toString("hex");
+  }
+  return sha3Hash(vault.getDerivedHashSalt().toString("hex") + ns + normalized);
+}
+
 /**
  * @primitive b.cryptoField.getSchema
  * @signature b.cryptoField.getSchema(table)
@@ -308,8 +348,7 @@ function computeDerived(table, sourceField, sourceValue) {
     if (spec.from === sourceField) {
       var ns = namespaceFor(table, sourceField, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(sourceValue) : String(sourceValue);
-      var saltHex = vault.getDerivedHashSalt().toString("hex");
-      return { field: derivedField, value: sha3Hash(saltHex + ns + normalized) };
+      return { field: derivedField, value: _computeDerivedHash(spec, s.derivedHashMode, ns, normalized) };
     }
   }
   return null;
@@ -367,12 +406,11 @@ function sealRow(table, row) {
       }
       var ns = namespaceFor(table, spec.from, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(plain) : String(plain);
-      var saltHex2 = vault.getDerivedHashSalt().toString("hex");
-      out[derivedField] = sha3Hash(saltHex2 + ns + normalized);
+      out[derivedField] = _computeDerivedHash(spec, s.derivedHashMode, ns, normalized);
     }
   }
 
-  // CRYPTO-1 — AAD-bound table requires the row's identity column to
+  // AAD-bound table requires the row's identity column to
   // be populated BEFORE sealRow runs. Sealing under a placeholder /
   // missing rowId produces ciphertext that no later unseal can open
   // because the AAD on read is computed against the row's actual id.
@@ -390,7 +428,7 @@ function sealRow(table, row) {
   // Seal fields. Plain mode: vault.seal (idempotent — already-sealed
   // values pass through). AAD mode: vault.aad.seal binds the AEAD tag
   // to (table, rowId, column, schemaVersion) — cross-row copy of a
-  // ciphertext fails Poly1305 on read. CRYPTO-1.
+  // ciphertext fails Poly1305 on read.
   for (var i = 0; i < s.sealedFields.length; i++) {
     var field = s.sealedFields[i];
     if (out[field] !== undefined && out[field] !== null) {
@@ -573,7 +611,7 @@ function eraseRow(table, row) {
       out[derivedField] = null;
     }
   }
-  // F-RTBF-4 — `__erasedAt` was previously a plaintext UTC ms integer.
+  // `__erasedAt` was previously a plaintext UTC ms integer.
   // That value alone fingerprints the erasure event (audit-log
   // exfiltration + cross-tenant correlation: "this row was erased
   // 2.3s before that one"). Bucket the timestamp to a 1-day floor so
@@ -584,7 +622,7 @@ function eraseRow(table, row) {
   var dayMs = TIME.days(1);
   out.__erasedAt = Math.floor(Date.now() / dayMs) * dayMs;
 
-  // F-RTBF-2 — under regulatory postures whose POSTURE_DEFAULTS sets
+  // Under regulatory postures whose POSTURE_DEFAULTS sets
   // requireVacuumAfterErase: true (gdpr / dpdp / pipl-cn / lgpd-br /
   // hipaa), the B-tree index pages freed by the upcoming UPDATE/DELETE
   // would otherwise linger with sealed-column ciphertext readable
@@ -662,8 +700,7 @@ function lookupHash(table, field, value) {
     if (spec.from === field) {
       var ns = namespaceFor(table, field, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(value) : String(value);
-      var saltHex = vault.getDerivedHashSalt().toString("hex");
-      return { field: derivedField, value: sha3Hash(saltHex + ns + normalized) };
+      return { field: derivedField, value: _computeDerivedHash(spec, s.derivedHashMode, ns, normalized) };
     }
   }
   return null;

package/lib/crypto.js

@@ -168,7 +168,7 @@ function hashFile(filePath, algorithm) {
 // `algorithms` entry. Used by hashFilesParallel below; not exported
 // directly because the common case is the parallel-many shape.
 //
-// CRYPTO-5 hardening (v0.9.58):
+// Hardening (v0.9.58):
 //   - lstat-then-stat so symlinks are detected before open; refused
 //     unless opts.followSymlinks === true (default false — a symlink-
 //     in-input-list attack lets a write-restricted caller hash files
@@ -269,9 +269,8 @@ function _hashFileMulti(filePath, algorithms, opts) {
  * SBOM regeneration / vendor-data integrity sweeps / release-asset
  * bundling — situations where N files each need both SHA-256 (legacy
  * compat) and SHA-3-512 (PQC-first) digests and rolling a worker
- * pool by hand has cost a downstream consumer (`hermitstash-sync`
- * 2026-05-13) the same two-loop, capture-N-promises, settle-Q boilerplate
- * every release.
+ * pool by hand means the same two-loop, capture-N-promises, settle-Q
+ * boilerplate every release.
  *
  * @opts
  *   algorithms?:     string[], // default ["sha256", "sha3-512"]; any node:crypto-known digest
@@ -333,7 +332,7 @@ function hashFilesParallel(filePaths, opts) {
       "crypto.hashFilesParallel: opts.onProgress must be a function when supplied"
     ));
   }
-  // CRYPTO-5 — DoS cap. Default 1 GiB per file; operators with larger
+  // DoS cap. Default 1 GiB per file; operators with larger
   // legitimate hashing workloads (firmware images, vendor packs)
   // override per-call.
   var maxBytesPerFile = opts.maxBytesPerFile !== undefined
@@ -1202,7 +1201,7 @@ function decrypt(ciphertext, privateKeys, opts) {
     }
     // Audit-emit every legacy decrypt so the migration window is
     // visible. Emit success ONLY on actual decrypt success; emit
-    // failure on throw. Codex P2 PR #74 — pre-fix the audit fired
+    // failure on throw. Before this fix, the audit fired
     // before decryptEnvelope() ran, so corrupted 0xE1 blobs / wrong
     // private keys / unsupported KEMs got logged as successful legacy
     // decrypts when the call actually threw, inflating real success