@blamejs/core 0.14.6 → 0.14.7

package/lib/middleware/idempotency-key.js

@@ -175,7 +175,7 @@ function memoryStore(opts) {
  *     headers. Requires `b.vault.init(...)` to have run; falls back to
  *     plain-text with a one-shot audit warning when vault isn't ready,
  *     so test-fixture / boot-script callers still work.
- *   - `aad: true` (since 0.9.58 — CRYPTO-1) — sealed columns are bound
+ *   - `aad: true` (since 0.9.58) — sealed columns are bound
  *     via Additional Authenticated Data to (table, k, column,
  *     schemaVersion) so a DB-write attacker can't copy a sealed
  *     header/body cell from one row to another (which previously
@@ -184,12 +184,12 @@ function memoryStore(opts) {
  *     detects the envelope shape; lazy re-seal on next `set()` upgrades
  *     each row to AAD form. Operators wanting a one-shot migration
  *     call `b.middleware.idempotencyKey.resealMigrate(store)`.
- *   - `fingerprintSeal: true` (since 0.9.58 — CRYPTO-4) — the request
+ *   - `fingerprintSeal: true` (since 0.9.58) — the request
  *     `fingerprint` column carries an HMAC under a vault-derived
  *     secret instead of a bare SHA3-256 of method+path+body. The
  *     compare path is constant-time so the column doubles as a
  *     mismatch oracle without offline-brute-force exposure.
- *   - `bodyFingerprintFallback: "deny"` (since 0.9.58 — SUBSTRATE-13) —
+ *   - `bodyFingerprintFallback: "deny"` (since 0.9.58) —
  *     when neither `bodyFingerprint` nor `req._rawBody`/`req.body` is
  *     populated for a body-bearing method, the middleware previously
  *     silently degraded the fingerprint to method+path. Set to
@@ -228,8 +228,8 @@ function memoryStore(opts) {
  *   init?:      boolean,  // default true — run CREATE TABLE IF NOT EXISTS at construction
  *   hashKeys?:  boolean,  // default true — store sha3-512 namespace-hash of the key, not the raw key
  *   seal?:      boolean,  // default true — seal headers + body via b.cryptoField when vault is ready
- *   aad?:       boolean,  // default true — AAD-bind seal to (table,k,column) so a DB-write attacker can't cross-row swap (CRYPTO-1)
- *   fingerprintSeal?: boolean, // default true — HMAC fingerprint under a vault-derived secret instead of bare sha3-256 (CRYPTO-4)
+ *   aad?:       boolean,  // default true — AAD-bind seal to (table,k,column) so a DB-write attacker can't cross-row swap
+ *   fingerprintSeal?: boolean, // default true — HMAC fingerprint under a vault-derived secret instead of bare sha3-256
  *
  * @example
  *   // single-process daemon, framework's internal sqlite, both defaults on:
@@ -264,11 +264,11 @@ function dbStore(opts) {
   var doInit   = opts.init     !== false;
   var hashKeys = opts.hashKeys !== false;
   var sealReq  = opts.seal     !== false;
-  // CRYPTO-1 — AAD-bind sealing to (table, k, column) by default.
+  // AAD-bind sealing to (table, k, column) by default.
   // Forms a defense-in-depth pair with seal: cross-row swap fails
   // Poly1305 even when the attacker controls the DB layer.
   var aadOn    = opts.aad      !== false;
-  // CRYPTO-4 — HMAC the fingerprint under a vault-derived secret by
+  // HMAC the fingerprint under a vault-derived secret by
   // default. Bare SHA3-256 of method+path+body is offline-brute-
   // forceable for any DB-dump attacker; HMAC under a vault secret
   // forces them to break the vault first.
@@ -297,7 +297,7 @@ function dbStore(opts) {
 
   // Register the table with cryptoField. registerTable is idempotent
   // — subsequent dbStore() calls with the same tableName re-declare
-  // the same sealedFields and no-op. CRYPTO-1: when aad is on,
+  // the same sealedFields and no-op. When aad is on,
   // (table, k, column) is threaded into the AEAD AAD so a DB-write
   // attacker can't copy a sealed value between rows.
   if (sealEnabled) {
@@ -309,7 +309,7 @@ function dbStore(opts) {
     });
   }
 
-  // CRYPTO-4 — derive a per-vault HMAC secret for fingerprint sealing.
+  // Derive a per-vault HMAC secret for fingerprint sealing.
   // The vault root key is the trust root; without it the secret is
   // unrecoverable. Lazy: only derived when fpSealOn is enabled AND the
   // vault is ready, so test fixtures that haven't initialized the
@@ -349,7 +349,7 @@ function dbStore(opts) {
   // so audit/forensic SELECTs don't have to unseal-everything. The
   // `k` column is selected even when not strictly needed for read
   // because cryptoField.unsealRow uses it as the rowId in AAD when
-  // the table is AAD-bound (CRYPTO-1).
+  // the table is AAD-bound.
   var stmtGet = db.prepare(
     "SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
     qTable + " WHERE k = ?");
@@ -372,7 +372,7 @@ function dbStore(opts) {
     return bCrypto.namespaceHash("idempotency-key", rawKey);
   }
 
-  // CRYPTO-4 — emit / compare HMAC-shape fingerprints. The store
+  // Emit / compare HMAC-shape fingerprints. The store
   // round-trips the column as plain text (no transformation per-get);
   // sealing happens at MINT time (when the middleware builds the
   // fingerprint and hands it to set()). The store's responsibility is
@@ -391,7 +391,7 @@ function dbStore(opts) {
       if (sealEnabled) {
         try { liveRow = cryptoField.unsealRow(tableNameRaw, row); }
         catch (_unsealErr) {
-          // CRYPTO-13 — decryption failure used to delete the row,
+          // Decryption failure used to delete the row,
           // which let an attacker probe key presence via a "tamper +
           // observe subsequent SELECT" oracle. The fix: emit audit,
           // return null, do NOT delete. TTL sweeps stale rows out
@@ -407,7 +407,7 @@ function dbStore(opts) {
       }
       var headersObj;
       try {
-        // CRYPTO-22 — route through C.BYTES.mib(4); raw `4 * 1024 * 1024`
+        // Route through C.BYTES.mib(4); raw `4 * 1024 * 1024`
         // was a drift smell flagged by codebase-patterns. 4 MiB ceiling
         // unchanged.
         headersObj = safeJson.parse(liveRow.headers, { maxBytes: C.BYTES.mib(4) });
@@ -421,7 +421,6 @@ function dbStore(opts) {
         //      DELETING it would clobber another process's cache and
         //      turn a hit into a miss with potential side-effect re-
         //      execution. Treat as miss + LEAVE the row in place.
-        //      Per Codex P1 on PR #45.
         var lookedSealed = typeof liveRow.headers === "string" &&
           (liveRow.headers.indexOf("vault:") === 0 ||
            liveRow.headers.indexOf("vault.aad:") === 0);
@@ -456,7 +455,7 @@ function dbStore(opts) {
     delete: function (rawKey) {
       stmtDelete.run(_k(rawKey));
     },
-    // CRYPTO-4 — the middleware consults this hook to HMAC the
+    // The middleware consults this hook to HMAC the
     // method+path+body digest under a vault-derived secret before
     // insert + compare. Returns null when fpSeal is disabled OR the
     // vault wasn't ready at construction; the middleware then falls
@@ -466,7 +465,7 @@ function dbStore(opts) {
       return nodeCrypto.createHmac("sha3-256", fpHmacSecret)
         .update(preimageBytes).digest("hex");
     },
-    // CRYPTO-1 — operator helper: walk the table and reseal every row
+    // Operator helper: walk the table and reseal every row
     // under the AAD form. Existing v0.9.15-v0.9.57 rows continue to
     // read on a per-row basis (unsealRow auto-detects shape), but
     // operators wanting an explicit migration step call this once.
@@ -526,7 +525,7 @@ function _fingerprintRequest(req, bodyBytes, store) {
   // Fingerprint preimage = method + path + body. Per the draft §4.3,
   // a key+body mismatch is a client-side mistake; our preimage covers
   // method + path so a client reusing a key across different
-  // endpoints is also caught. CRYPTO-4: when the store exposes a
+  // endpoints is also caught. When the store exposes a
   // `fingerprintHmac` hook (dbStore with fingerprintSeal:true + vault
   // ready), the preimage is HMAC'd under a vault-derived secret so a
   // DB dump leaks neither the preimage nor a brute-forceable digest.
@@ -602,7 +601,7 @@ function _emitAudit(action, metadata, outcome) {
  *   requireIdempotencyKey: boolean,  // default: false — refuse missing-key
  *   bodyFingerprint:       function, // (req) => Buffer|string|object|null — operator-supplied body extractor
  *   maxBodyBytes:          number,   // default: 1 MiB — replay-cache body cap
- *   bodyFingerprintFallback: string, // default "deny" (SUBSTRATE-13) — when neither
+ *   bodyFingerprintFallback: string, // default "deny" — when neither
  *                                    // bodyFingerprint nor req._rawBody / req.body is
  *                                    // available for POST/PUT/PATCH, refuse with HTTP 400
  *                                    // idempotency/missing-body-fingerprint instead of
@@ -669,7 +668,7 @@ function create(opts) {
     opts.bodyFingerprint, "idempotencyKey.bodyFingerprint",
     IdempotencyError, "idempotency/bad-body-fingerprint"
   ) || null;
-  // SUBSTRATE-13 — default "deny" refuses body-bearing requests that
+  // Default "deny" refuses body-bearing requests that
   // arrive with neither req._rawBody / req.body NOR an operator-
   // supplied bodyFingerprint hook. The silent-degrade-to-method+path
   // path was a §4.3 violation (same key + different body returned
@@ -762,7 +761,7 @@ function create(opts) {
     // Misordered-mount detector — body-bearing method reached us
     // with neither a parsed body nor a raw-body buffer. Most likely
     // body-parser hasn't run yet, which used to silently degrade the
-    // fingerprint to method+path; SUBSTRATE-13 (v0.9.58) makes that
+    // fingerprint to method+path; v0.9.58 makes that
     // case refuse with HTTP 400 by default. The audit emit fires in
     // both fallback modes so operator review surfaces the
     // misconfiguration regardless of the chosen fallback.
@@ -929,8 +928,8 @@ function _redactKey(key) {
  * @related   b.middleware.idempotencyKey.dbStore
  *
  * One-shot operator helper that walks a dbStore's table and reseals
- * every row under the AAD-bound envelope shape introduced in v0.9.58
- * (CRYPTO-1). Existing v0.9.15-v0.9.57 rows continue to read on a
+ * every row under the AAD-bound envelope shape introduced in v0.9.58.
+ * Existing v0.9.15-v0.9.57 rows continue to read on a
  * per-row basis (unsealRow auto-detects shape) so a deploy without
  * this call is correct, but operators who want to upgrade in bulk
  * call this once after upgrading.

package/lib/middleware/protected-resource-metadata.js

@@ -94,7 +94,7 @@ function create(opts) {
       "middleware/protected-resource-metadata/no-as",
       "authorizationServers must be a non-empty array of issuer URLs");
   }
-  // AUTH-17 — RFC 9728 §3 + RFC 8414 §3.1: authorizationServers entries
+  // RFC 9728 §3 + RFC 8414 §3.1: authorizationServers entries
   // are issuer URLs and MUST be https://. Pre-v0.9.x only required
   // non-empty string, so an operator typo could ship `http://idp.test`
   // (or, worse, `javascript:` / `data:`) to clients via the well-known
@@ -156,7 +156,7 @@ function create(opts) {
   if (opts.dpopBoundAccessTokensRequired === true) doc.dpop_bound_access_tokens_required = true;
   if (opts.mtlsBoundAccessTokensRequired === true) doc.tls_client_certificate_bound_access_tokens = true;
 
-  // AUTH-18 — RFC 9728 §3.2 signed_metadata. Operators with an
+  // RFC 9728 §3.2 signed_metadata. Operators with an
   // anti-tamper requirement pass `signMetadata: { key, alg, kid }`;
   // the middleware emits `application/jwt` carrying the JWS-signed
   // metadata. Default output remains cleartext `application/json`.

package/lib/network-dns-resolver.js

@@ -126,7 +126,7 @@ var DEFAULT_MAX_TTL_MS    = C.TIME.hours(24);
 var DEFAULT_MIN_TTL_MS    = C.TIME.seconds(60);
 var DEFAULT_STALE_WINDOW  = C.TIME.hours(6);
 var DEFAULT_PROFILE       = "strict";
-// BUG-1 / MAIL-26 — CWE-400/770. Bound the cache so a hostile peer
+// CWE-400/770. Bound the cache so a hostile peer
 // that can drive query-name selection (e.g. inbound SMTP forwarding
 // DKIM `s=` / `d=` tag-controlled lookups) cannot inflate the Map to
 // OOM. Default 5000 entries: a parsed-response object ~100 bytes ×
@@ -216,7 +216,7 @@ function create(opts) {
 
   var cache = new Map();                  // key → { response, parsed, ttl, expiresAt, staleUntil }
 
-  // CWE-400/770 / BUG-1 — LRU eviction on insert when the cache is at
+  // CWE-400/770. LRU eviction on insert when the cache is at
   // capacity. v8 Map preserves insertion order; oldest key is the
   // first entry returned by Map.keys().next().
   function _evictIfFull() {

package/lib/network-dns.js

@@ -39,8 +39,7 @@ var STATE = {
   // Default-on secure DNS (DoH via Cloudflare) when neither doh nor dot
   // is operator-configured AND no opt-out env var is set. Operators
   // who explicitly want the system resolver call useSystemResolver()
-  // or set BLAMEJS_DNS_TRANSPORT=system. Default-on per Core Rule §3
-  // ("security defaults are not opt-in").
+  // or set BLAMEJS_DNS_TRANSPORT=system. Default-on (security defaults are not opt-in).
   systemResolver: false,
 };
 

package/lib/network-tls.js

@@ -1136,7 +1136,6 @@ function evaluateOcspResponse(ocspDer, opts) {
     // length inputs but fast-paths on length mismatch; not security-
     // critical here (the OCSP response is CA-signed and signature
     // already verified) but matches the project discipline.
-    // (Audit 2026-05-11.)
     if (!bCrypto.timingSafeEqual(parsed.basic.nonce, opts.expectedNonce)) {
       return { ok: false, status: parsed.status, signatureValid: true,
                errors: ["OCSP nonce mismatch — possible replay or wrong responder"] };

package/lib/outbox.js

@@ -342,7 +342,7 @@ function create(opts) {
   var stopping = false;
   var inFlight = null;
 
-  // SUBSTRATE-23 — `FOR UPDATE SKIP LOCKED` is Postgres / MySQL 8+ only.
+  // `FOR UPDATE SKIP LOCKED` is Postgres / MySQL 8+ only.
   // SQLite (single-writer at the DB level, but WAL mode lets multiple
   // processes share the file with concurrent SELECTs) doesn't support
   // SKIP LOCKED — feeding it Postgres syntax silently double-publishes

package/lib/pqc-agent.js

@@ -322,7 +322,7 @@ function _getDefaultAgent() {
  *   logger.info("pqc-agent reloaded", res);
  */
 function reload() {
-  // CRYPTO-9 — null the cached agent BEFORE calling destroy. The
+  // Null the cached agent BEFORE calling destroy. The
   // previous order let a concurrent _getDefaultAgent() see the
   // destroyed-not-null agent and hand it to a caller; the caller
   // then tries to issue a request through a torn-down keep-alive

package/lib/retention.js

@@ -569,7 +569,7 @@ function complianceFloor(posture, candidateTtlMs) {
   return candidateTtlMs > floor ? candidateTtlMs : floor;
 }
 
-// applyPosture — F-POSTURE-1 cascade hook. b.compliance.set(posture)
+// applyPosture — cascade hook. b.compliance.set(posture)
 // calls this to merge posture defaults into retention's state. The
 // retention module itself doesn't carry per-instance global defaults;
 // the cascade's job here is to surface the posture's audit-log

package/lib/retry.js

@@ -275,7 +275,7 @@ function backoffDelay(attempt, opts) {
   opts = opts || DEFAULT_RETRY;
   var base = opts.baseDelayMs * Math.pow(2, attempt - 1);
   var capped = Math.min(base, opts.maxDelayMs);
-  // CRYPTO-12 — jitter exists to spread retry storms across the
+  // Jitter exists to spread retry storms across the
   // millisecond window so N peer clients waking from the same
   // upstream outage don't all hit the recovering service at the same
   // tick. The value is observable to every client by construction

package/lib/safe-archive.js

@@ -225,7 +225,7 @@ async function extract(opts) {
         }
         inner = await archiveWrap().unwrapWithPassphrase(sealedBytes, { passphrase: opts.passphrase });
       }
-      // Codex P1 on v0.12.15 PR #166 — close the original source
+      // Close the original source
       // adapter BEFORE replacing it. When opts.source was a string
       // path, the fs adapter opened a file descriptor; overwriting
       // `source` loses the close reference and the descriptor
@@ -236,7 +236,7 @@ async function extract(opts) {
       if (typeof source.close === "function" && typeof opts.source === "string") {
         try { source.close(); } catch (_e) { /* drop-silent */ }
       }
-      // Codex P2 on v0.12.15 PR #166 — forward opts.signal to the
+      // Forward opts.signal to the
       // inner buffer adapter so abort propagation stays intact
       // across the unwrap boundary. Without it, an abort raised
       // after unwrapping would no longer cancel inner range()

package/lib/safe-ical.js

@@ -251,9 +251,9 @@ function parse(text, opts) {
   var vcal = consumed.component;
   // RFC 5545 §3.4 — a stream may carry multiple VCALENDAR objects.
   // Walk the remainder so trailing objects are validated under the
-  // same caps + control-char + property allowlist (Codex P2 — without
+  // same caps + control-char + property allowlist; without
   // this, CalDAV ingest can pass validation on the first object while
-  // trailing malformed objects ride through untouched).
+  // trailing malformed objects ride through untouched.
   var vcalendars = [_shapeVcalendar(vcal)];
   var cursor = consumed.nextIdx;
   while (cursor < lines.length) {

package/lib/safe-mime.js

@@ -549,7 +549,7 @@ function _splitMultipart(buf, boundary) {
     // Per RFC 2046 §5.1.1 a boundary delimiter is `--<value>` preceded
     // by CRLF (or LF) — OR at the very start of the body. A boundary-
     // shaped sequence elsewhere in a part's body MUST NOT be treated
-    // as a delimiter. Per Codex P1 on PR #49.
+    // as a delimiter.
     var idx = _findBoundaryAtLineStart(buf, delimiter, pos);
     if (idx < 0) break;
     if (buf[idx + delimiter.length] === 0x2D && buf[idx + delimiter.length + 1] === 0x2D) {

package/lib/self-update-standalone-verifier.js

@@ -208,7 +208,7 @@ function verify(assetPath, signaturePath, pubkeyPem) {
   // produces. 64 KiB chunks match the framework's hash-while-streaming
   // convention elsewhere.
   //
-  // CRYPTO-2 hardening (v0.9.58): fstat the asset BEFORE the read loop
+  // Hardening (v0.9.58): fstat the asset BEFORE the read loop
   // for every alg path, clamp every readSync to (assetStat.size -
   // fullOff), and reject if the final fullOff diverges from
   // assetStat.size. A grow-during-read race (writer appends as we

package/lib/self-update.js

@@ -115,7 +115,7 @@ function _normalizeTag(tag) {
  * Missing numeric components on either side are treated as `"0"` so
  * `"1.0"` and `"1.0.0"` compare equal.
  *
- * CRYPTO-20 (v0.9.58) — pre-v0.9.58 the pre-release segment fell back
+ * Hardening (v0.9.58) — pre-v0.9.58 the pre-release segment fell back
  * to lexicographic comparison, which silently misordered `"1.0.0-alpha.10"`
  * (the strict-§11 LARGER pre-release) and `"1.0.0-alpha.9"`: as strings
  * "10" < "9" so `alpha.10 < alpha.9`, and a downstream consumer polling
@@ -294,7 +294,7 @@ function _matchAsset(name, pattern, fallback) {
  *   timeoutMs:        number,    // request timeout (default 15s)
  *   headers:          object,    // additional request headers
  *   etag:             string,    // last-seen etag for If-None-Match
- *                                  // (CRYPTO-16 — etags are RFC 9110 §13.1.1
+ *                                  // (etags are RFC 9110 §13.1.1
  *                                  // per-resource; an etag captured for
  *                                  // releasesUrl=A is meaningless against
  *                                  // releasesUrl=B. Operators rotating

package/lib/static.js

@@ -216,7 +216,7 @@ function _resolveSafe(root, requestedPath) {
   // deposited disk content: shell-exec extensions (.exe / .bin / .so /
   // legitimate `<name>.<hash>.js` bundler output) are valid here. The
   // other balanced checks still reject the traversal + smuggling
-  // surface the user surfaced.
+  // surface.
   var fname = nodePath.basename(resolved);
   var rv = guardFilename().validate(fname, {
     profile:             "balanced",

package/lib/subject.js

@@ -362,7 +362,7 @@ function erase(subjectId, opts) {
 
 // ---- Crypto-shred erase (Art. 17 + WAL/replica residual closure) ----
 //
-// F-RTBF-3 — when a table opts into per-row keying via
+// When a table opts into per-row keying via
 // b.cryptoField.declarePerRowKey, this primitive deletes the
 // per-row K_row entries from _blamejs_per_row_keys, leaving any
 // residual ciphertext in WAL / replica / backup storage
@@ -477,7 +477,7 @@ function eraseHard(subjectId, opts) {
       totalDeleted += deleted;
       perTable[spec.name] = deleted;
       // REINDEX the table so B-tree pages holding the deleted row's
-      // index entries are rebuilt — closes the F-RTBF-2 residual class.
+      // index entries are rebuilt — closes the erase-vacuum residual class.
       try { db().runSql('REINDEX "' + spec.name + '"'); }                                        // table name comes from FRAMEWORK_SCHEMA
       catch (_e) { /* cluster mode / unsupported dialect */ }
     }

package/lib/vault/index.js

@@ -102,11 +102,12 @@ function resolvePaths(dataDir) {
     plaintext:         nodePath.join(dataDir, "vault.key"),
     sealed:            nodePath.join(dataDir, "vault.key.sealed"),
     derivedHashSalt:   nodePath.join(dataDir, "vault.derived-hash-salt"),
+    derivedHashMacKey: nodePath.join(dataDir, "vault.derived-hash-mac.sealed"),
   };
 }
 
 // derivedHashSalt — per-deployment salt for crypto-field
-// derivedHashes (D-H1). Pre-v0.8.42 the deterministic
+// derivedHashes. Pre-v0.8.42 the deterministic
 // sha3(namespace + plaintext) shape allowed cross-deployment
 // rainbow + cross-table correlation; binding a 32-byte
 // per-deployment salt closes that class without breaking
@@ -175,6 +176,66 @@ function getDerivedHashSalt() {
   return _cachedDerivedHashSalt;
 }
 
+// derivedHashMacKey — per-deployment SECRET key for crypto-field's
+// keyed (hmac-shake256) derived-hash mode. Unlike the salt, this is
+// SEALED at rest (vault.derived-hash-mac.sealed), so an attacker with
+// disk access alone cannot recompute the keyed digest and correlate
+// low-entropy plaintexts. Like the salt, it is keypair-bound and
+// survives a passphrase-only rotation; an ENVELOPE rotation re-seals it
+// because it is registered in rotate's additionalSealed sweep.
+function _readOrCreateDerivedHashMacKey() {
+  if (!paths) {
+    throw new VaultError("vault/not-initialized",
+      "vault.getDerivedHashMacKey() requires init()");
+  }
+  if (nodeFs.existsSync(paths.derivedHashMacKey)) {
+    var sealed = atomicFile.readSync(paths.derivedHashMacKey, { encoding: "utf8" }).trim();
+    var b64 = unseal(sealed);
+    var key = Buffer.from(b64, "base64");
+    if (key.length !== 32) {                                                        // 32-byte (256-bit) MAC key
+      throw new VaultError("vault/derived-hash-mac-key-corrupted",
+        "vault.derived-hash-mac key must unseal to exactly 32 bytes; got " + key.length);
+    }
+    return key;
+  }
+  var nodeCrypto = require("node:crypto");
+  var raw = nodeCrypto.randomBytes(32);                                            // 32-byte MAC key
+  atomicFile.writeSync(paths.derivedHashMacKey, seal(raw.toString("base64")), { fileMode: 0o600 });
+  log("generated per-deployment derivedHash MAC key at " + paths.derivedHashMacKey);
+  return raw;
+}
+
+var _cachedDerivedHashMacKey = null;
+/**
+ * @primitive b.vault.getDerivedHashMacKey
+ * @signature b.vault.getDerivedHashMacKey()
+ * @since     0.14.7
+ * @related   b.vault.getDerivedHashSalt, b.cryptoField.registerTable
+ *
+ * Returns the 32-byte per-deployment SECRET key that backs crypto-
+ * field's keyed (`hmac-shake256`) derived-hash mode. Generated once on
+ * first use, SEALED at rest (`vault.derived-hash-mac.sealed`, mode
+ * `0o600`) so disk access alone does not expose it, and re-sealed by an
+ * envelope vault rotation. Distinct from `getDerivedHashSalt`, which is
+ * a non-secret salt stored in plaintext.
+ *
+ * Throws `VaultError("vault/not-initialized")` before `init()`, or
+ * `vault/derived-hash-mac-key-corrupted` if the sealed file does not
+ * unseal to exactly 32 bytes.
+ *
+ * @example
+ *   await b.vault.init({ dataDir: "/var/lib/blamejs", mode: "plaintext" });
+ *   var k = b.vault.getDerivedHashMacKey();
+ *   k.length;           // → 32
+ *   Buffer.isBuffer(k); // → true
+ */
+function getDerivedHashMacKey() {
+  if (_cachedDerivedHashMacKey === null) {
+    _cachedDerivedHashMacKey = _readOrCreateDerivedHashMacKey();
+  }
+  return _cachedDerivedHashMacKey;
+}
+
 // ---- Init dispatch ----
 
 /**
@@ -620,6 +681,7 @@ module.exports = {
   seal:                  seal,
   unseal:                unseal,
   getDerivedHashSalt:    getDerivedHashSalt,
+  getDerivedHashMacKey:  getDerivedHashMacKey,
   _zeroizeAndReplace:    _zeroizeAndReplace,
   aad:                   vaultAad,
   getKeysJson:           getKeysJson,
@@ -633,6 +695,7 @@ module.exports = {
   _resetForTest:         function () {
     if (currentPassphrase) safeBuffer.secureZero(currentPassphrase);
     keys = null; initialized = false; currentPassphrase = null; paths = null; currentMode = null;
+    _cachedDerivedHashSalt = null; _cachedDerivedHashMacKey = null;
   },
   _getKeysForTest:       function () { return keys; },
   _getPathsForTest:      function () { return paths; },

package/lib/vault/rotate.js

@@ -651,6 +651,25 @@ async function rotate(opts) {
       _reSealValue(current, oldKeys, newKeys), { mode: 0o600 });
   }
 
+  // 3b. Framework-managed crypto-field derived-hash files — always
+  // rotated regardless of operator opts.paths, so the staging copy is
+  // complete. The plaintext salt is copied verbatim; the SEALED MAC key
+  // (keyed hmac-shake256 mode) is re-sealed under the new keypair so an
+  // envelope rotation doesn't orphan it (a passphrase-only rotation
+  // re-seals to the same value since the keypair is unchanged).
+  var saltSrc = nodePath.join(dataDir, "vault.derived-hash-salt");
+  if (nodeFs.existsSync(saltSrc)) {
+    nodeFs.copyFileSync(saltSrc, nodePath.join(stagingDir, "vault.derived-hash-salt"));
+  }
+  var macSrc = nodePath.join(dataDir, "vault.derived-hash-mac.sealed");
+  if (nodeFs.existsSync(macSrc)) {
+    var macCurrent = nodeFs.readFileSync(macSrc, "utf8").trim();
+    if (macCurrent.indexOf(C.VAULT_PREFIX) === 0) {
+      nodeFs.writeFileSync(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
+        _reSealValue(macCurrent, oldKeys, newKeys), { mode: 0o600 });
+    }
+  }
+
   // 4. decrypt + rotate + re-encrypt db.enc
   _emit(progress, { phase: "rotate_db" });
   var encDbPath = nodePath.join(dataDir, paths.encryptedDb);

package/lib/vendor-data.js

@@ -306,7 +306,7 @@ function _loadAndVerify(name) {
 // Memoized — "sha256:" + sha256(pemToRaw(PUBKEY_PEM)). Matches the
 // canonical fingerprint shape `scripts/vendor-data-gen.js` writes into
 // each .data.js's `metadata.publicKeyFingerprint`. Computed lazily on
-// first verify (also lazily by verifyAll at boot). CRYPTO-11 — every
+// first verify (also lazily by verifyAll at boot). Every
 // per-entry verify cross-checks this against the entry's declared
 // `meta.publicKeyFingerprint` so a pubkey-swap attack fails before
 // signature verify even runs.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.6",
+  "version": "0.14.7",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:ba3e9bdd-f642-4d42-a03c-794d89554a0a",
+  "serialNumber": "urn:uuid:5777b851-3edb-4e73-9a6a-0538d8e52a91",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T16:30:23.236Z",
+    "timestamp": "2026-05-30T21:03:08.883Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.6",
+      "bom-ref": "@blamejs/core@0.14.7",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.6",
+      "version": "0.14.7",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.6",
+      "purl": "pkg:npm/%40blamejs/core@0.14.7",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.6",
+      "ref": "@blamejs/core@0.14.7",
       "dependsOn": []
     }
   ]