@blamejs/core 0.14.8 → 0.14.10

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.14.x
 
+- v0.14.10 (2026-05-31) — **Full-text-search token hashes move to a keyed MAC; existing mail-store search indexes rebuild automatically on upgrade.** The mail-store full-text-search index hashed its tokens with a hand-rolled salted-SHA3 derived hash. It now routes through the framework's sealed-column hashing primitive in keyed mode (HMAC-SHAKE256 off the per-deployment MAC key), so a search-index token hash is unforgeable and un-correlatable across deployments without that key — the same posture the sealed-column lookup hashes already use. Because the keyed hash changes the stored token values, a mail-store opened after upgrade detects its index as old-format and rebuilds it once from the sealed message rows. The rebuild runs under a format marker: the index is marked `rebuilding` before it is cleared and only marked current after every row is re-hashed inside an explicit transaction, and search falls back to its cursor path (rather than returning partial hits) whenever the marker is not current — so an interrupted rebuild leaves the old index intact and queryable and retries on the next open, never serving a half-built index. A new `b.cryptoField.computeNamespacedHash` primitive backs the keyed hashing for callers that hash outside the registered-column path. **Added:** *`b.cryptoField.computeNamespacedHash`* — A mode-aware namespaced hash for indexed-lookup callers that hash a value outside the registered-column derived-hash path. `computeNamespacedHash(ns, value, { mode, truncateBytes })` routes through the same engine as `computeDerived` — `salted-sha3` (default) or the keyed `hmac-shake256` — with optional hex truncation. The mail-store full-text index is the first consumer. **Changed:** *Mail-store full-text index rehashes to a keyed MAC on upgrade* — The full-text-search token hash now uses `b.cryptoField.computeNamespacedHash` in `hmac-shake256` mode instead of a hand-rolled salted-SHA3. The first time a store is opened after upgrade, its index is detected as old-format and rebuilt once from the sealed message rows; subsequent opens are no-ops. Search is unaffected once the rebuild completes. The rebuild requires the vault to be initialized and fails closed (a clear error) at construction if it is not, rather than leaving a stale searchable index. **Security:** *Keyed, un-correlatable full-text-search token hashes* — A search-index token hash is now a keyed MAC over a per-deployment key, not a static-salted digest — it cannot be forged or correlated across deployments without that key, closing the low-entropy-token correlation gap on the search index. The index remains unrecoverable from a database dump alone, as before. **Detectors:** *Hand-rolled lookup-hash check covers the split form* — The check that requires sealed-column lookup hashes to compose the framework primitive now also catches the across-lines hand-roll (`var salt = getDerivedHashSalt(); var hex = salt.toString(...); sha3(hex + ns + value)`), not only the single-expression form, so the bypass that the mail-store index used can't reappear. **Migration:** *Automatic, one-time full-text index rebuild* — No operator action is required: the rebuild runs automatically and idempotently on first open after upgrade, atomically and crash-safe (an interrupted rebuild keeps the old index and retries). The only requirement is that the vault is initialized before the mail-store is constructed. One caveat for shared stores: do not run a pre-upgrade and post-upgrade node against the same backend file concurrently across this format change — the old node would write old-format hashes the new node cannot match. Roll the deployment fully across the upgrade. This re-open condition is lifted once all nodes are on 0.14.10 or later.
+
+- v0.14.9 (2026-05-30) — **Corrects EU AI Act doc paths that named an uncallable namespace, plus source-comment hygiene and two new codebase checks.** A documentation fix and internal hygiene. The `@primitive` / `@signature` / `@example` blocks for the EU AI Act fundamental-rights-impact-assessment and GPAI training-data-summary helpers advertised `b.complianceAiAct.*`, which is undefined — the callable path is `b.compliance.aiAct.*` — so an operator copying the documented call got `undefined is not a function`. The documented paths now match the real surface. Alongside that: a duplicate parser entry in a doc block is removed, version stamps embedded in section-divider comments are stripped, and two codebase checks are added — one that fails the build when a `@primitive` block documents a wholly-unresolvable namespace (the gap that hid the AI Act paths), and one that flags a version stamp left inside a section divider. No exported API, error code, wire format, or runtime behaviour changes. **Changed:** *Source-comment hygiene* — Removed a duplicate `env` entry from the parsers `@module` doc block, and stripped internal version stamps (`vX.Y.Z`) from `// ---- ... ----` section-divider comments across several files, keeping the descriptive label. Comment-only; no behaviour change. **Fixed:** *EU AI Act helper documentation named an uncallable path* — `b.compliance.aiAct.fundamentalRightsImpactAssessment` and `b.compliance.aiAct.gpai.trainingDataSummary` were documented as `b.complianceAiAct.*` in their `@primitive` / `@signature` / `@example` blocks (and one returned reference string). `b.complianceAiAct` is undefined, so the documented call failed; the documented paths now match the callable surface. **Detectors:** *`@primitive` reachability covers wrong-namespace paths* — The reachability check previously only flagged a missing leaf on a resolved namespace; a `@primitive` whose entire dotted prefix is unresolvable (the shape that hid the AI Act doc paths) was silently skipped. It now walks each prefix segment and fails the build on any unresolvable one, while preserving the factory-instance-shorthand exemption. · *Version-stamp-in-divider check* — A new check flags a version stamp (`vX.Y.Z`) left immediately after a section divider's dashes (`// ---- vX.Y.Z ...`) — internal release vocabulary that does not belong in shipped source comments — without matching legitimate `@since` tags or prose version references.
+
 - v0.14.8 (2026-05-30) — **Source-comment and codebase-check hygiene, plus a new require-block alignment check; no API or behaviour changes.** Internal lint and comment cleanup with no operator-facing surface change. Several codebase-check comments and one stub helper name that described behaviour the check no longer has are corrected; an unused lint-suppression class and a set of stale duplicate-cluster qualifiers (functions that were since renamed or extracted) are pruned or re-pointed. Fifty-nine `// allow:` markers that named the byte-size or time-literal check on values those checks no longer flag are removed, and twenty self-negating rationales on markers the time check genuinely fires on are rewritten to say why the value coincidentally matches. A new codebase check holds top-of-file require blocks to consistent `=` column alignment, with the files that currently carry drift listed as a migration allowlist. No exported API, error code, wire format, or runtime behaviour changes. **Changed:** *Lint-suppression and codebase-check comment cleanup* — Corrected codebase-check comments that overstated their check's scope (a duplicate-code threshold described as three files when the advisory threshold is two, a narrowed byte-literal check carrying its pre-narrowing description, and a deferred-scan helper named as though it enforced a guarantee it does not yet provide). Removed an unused lint-suppression class and its one dead in-code marker, and pruned or re-pointed stale duplicate-cluster qualifiers that named functions since renamed or extracted into shared helpers. Removed fifty-nine `// allow:` markers that suppressed nothing, and rewrote twenty self-negating marker rationales (which read "not seconds" while sitting on a value the time check fires on) to explain the coincidental match. Source-comment and test hygiene only. **Detectors:** *Require-block `=` alignment check* — A new codebase check flags a top-of-file require block that mixes its `=` column alignment — a fittable line whose `=` drifts off the column the rest of the block shares. Compact single-space blocks are exempt (only blocks that declare alignment intent are checked), as are destructures and long names physically too wide to reach the column, and blank- or comment-separated tiers align independently. The files that currently carry such drift are an explicit migration allowlist, reflowed over time; new code is held to the rule.
 
 - v0.14.7 (2026-05-30) — **Storage and audit-trail hardening: queries are gated to declared columns, raw SQL refuses embedded literals, the database key is bound to its location, sealed-column lookup hashes gain a keyed mode, audit-chain purges can require dual control, and breach deadlines ship a running clock.** This release tightens the data and audit layers against a set of failure modes that were previously reachable. Database queries are now checked against the columns a table declared in its schema: a reference to an undeclared column fails closed by default instead of silently matching nothing, and the `whereRaw` escape hatch refuses an embedded string literal so values bind through placeholders. The database encryption key is sealed with its purpose, data directory, and key path as additional authenticated data, so a key file cannot be relocated to another deployment and unsealed there; an older key without that binding upgrades itself on first load. Sealed-column equality-lookup hashes can now be computed as a keyed MAC (HMAC-SHAKE256) off a per-deployment key, making the lookup hash unforgeable without that key, while the salted-SHA3 default is unchanged. Purging the tamper-evident audit chain can be placed under a two-authorizer dual-control grant so one operator cannot erase it alone, and database credential-rejection audits now record which relation the rejected credential tried to reach. Finally, breach-notification deadlines get a running clock that raises approaching and passed alerts as each regime's window elapses. One behavior change to note: the column gate defaults to reject — if a service issues queries against columns it did not declare in its schema, set `db.init({ columnGate: "warn" })` (audited, allowed) or `"off"` while the schema is reconciled. **Added:** *Column-membership gate on every query* — `b.db.from(table)` now checks each referenced column against the table's declared schema. The mode is set with `db.init({ columnGate: "reject" | "warn" | "off" })` (default `reject`), and `query.allowedColumns([...])` narrows a single query to an explicit allowlist that is always enforced. `b.db.getDeclaredColumns(table)` returns a table's declared column names (or `null` for an unknown table). This is defense in depth against typo'd or caller-influenced column names reaching the SQL layer (CWE-89). · *Keyed mode for sealed-column lookup hashes* — Equality-lookup ("derived") hashes for sealed columns can be computed as `hmac-shake256` — a keyed MAC over a per-deployment key — instead of the default `salted-sha3`. Set it per table with `cryptoField.registerTable(name, { derivedHashMode: "hmac-shake256" })` or per column with `{ from, mode: "hmac-shake256" }`. The keyed hash is unforgeable and un-correlatable without the deployment's MAC key, which raises the bar against offline lookup-table attacks on low-entropy sealed values (CWE-916). `b.vault.getDerivedHashMacKey()` exposes the 32-byte per-deployment key; it is created on first use and re-sealed across key rotation automatically. · *Dual-control gate on audit-chain purge* — `b.auditTools.purge` accepts `dualControlGrant`. When `audit_log` is placed under dual control, a verified archive and `confirm: true` are no longer sufficient: the purge additionally requires a consumed m-of-n grant whose action is bound to the purge, so a grant minted for another operation cannot be replayed and one operator cannot erase the tamper-evident chain alone (NIST SP 800-53 AU-9, separation of duties). · *Running clock for breach-notification deadlines* — `b.incident.report.createDeadlineClock({ notify, approachThresholds })` tracks open incidents and raises `deadline_approaching` and `deadline_passed` alerts as each regime's window elapses (GDPR 72h, DORA, NIS2, and the rest of the registry). Alerts are deduplicated per incident and stage, suppressed once a submission stage is acknowledged, and the clock can run on an interval or be ticked manually. **Changed:** *Queries against undeclared columns now fail closed by default* — The column gate defaults to `reject`: a query that references a column the table did not declare throws rather than silently matching nothing. A service that intentionally queries undeclared columns can set `db.init({ columnGate: "warn" })` to audit and allow, or `"off"` to disable the gate, while its schema is reconciled. Framework-declared columns (including `_id` and derived-hash columns) are always members. **Security:** *Database encryption key bound to its location* — `db.key.enc` is sealed with additional authenticated data over its purpose, resolved data directory, and resolved key path. A sealed key copied to a different deployment or path no longer unseals there — the AEAD authentication fails — which prevents silent key relocation. A legacy key sealed without this binding is detected and re-sealed in the bound format on first load, with no operator action required. · *`whereRaw` refuses embedded string literals* — `whereRaw(sql, params)` and `WhereBuilder.raw(sql, params)` reject a raw fragment containing a string literal (`'...'`); values must bind through the `params` array. A static, operator-controlled literal can opt in with `{ allowLiterals: true }`. This closes a path where a value concatenated into a raw fragment would reintroduce SQL injection (CWE-89). · *Credential-rejection audits record the attempted relation* — A `db.auth.failed` audit row (SQLSTATE 28000 / 28P01 / 42501) now carries `attemptedTable`, the relation the rejected credential tried to reach, extracted defensively from the statement. Triage can scope the blast radius of a credential-abuse event without correlating back to the raw SQL log (CWE-778). **Detectors:** *Audit-purge dual-control gate* — A new check fails the build if a call to `purgeAuditChain` appears in a file that does not also route through the dual-control gate, so a future caller cannot physically delete chain rows without two-authorizer enforcement. · *Raw-SQL literal/interpolation guard* — A new check fails the build on a `whereRaw` / `.raw` call whose SQL argument is built by template interpolation or string concatenation, keeping the bound-params discipline enforceable in framework code. · *Hand-rolled lookup-hash guard* — A new check fails the build if a sealed-column lookup hash is derived from the per-deployment salt outside the canonical helper, so call sites cannot bypass the keyed-mode and per-column mode policy. · *Auth-audit attempted-relation guard* — A new check fails the build if a `db.auth.failed` audit is emitted in a file that does not name `attemptedTable`, so the forensic field cannot be dropped from a future emitter.

package/lib/auth/saml.js

@@ -842,7 +842,7 @@ function create(opts) {
       "</md:EntityDescriptor>";
   }
 
-  // ---- v0.10.16 — Single Logout (RFC SAML Bindings §3.4 HTTP-Redirect) ----
+  // ---- Single Logout (RFC SAML Bindings §3.4 HTTP-Redirect) ----
 
   /**
    * @primitive b.auth.saml.sp.buildLogoutRequest
@@ -1250,7 +1250,7 @@ function create(opts) {
     };
   }
 
-  // ---- v0.10.16 — SLO HTTP-POST binding (SAML Bindings §3.5) ----
+  // ---- SLO HTTP-POST binding (SAML Bindings §3.5) ----
 
   /**
    * @primitive b.auth.saml.sp.buildLogoutRequestPost
@@ -1524,7 +1524,7 @@ function create(opts) {
   };
 }
 
-// ---- v0.10.16 — SAML EncryptedAssertion decrypt (XMLEnc) ----
+// ---- SAML EncryptedAssertion decrypt (XMLEnc) ----
 
 // XMLEnc Algorithm URIs we support.
 //
@@ -1722,7 +1722,7 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
   return clearBytes.toString("utf8");
 }
 
-// ---- v0.10.16 — SAML SLO XMLDSig-Enveloped (HTTP-POST/SOAP) ----
+// ---- SAML SLO XMLDSig-Enveloped (HTTP-POST/SOAP) ----
 
 // PQC SignatureMethod URIs used by the embedded XMLDSig signatures.
 // Standard XMLDSig vocabulary classical signing URIs (W3C XMLDSig
@@ -1936,7 +1936,7 @@ function _verifyEmbeddedXmlDsig(xml, idpVerifyKey, idpVerifyAlg, expectedRootLoc
   }
 }
 
-// ---- v0.10.16 SAML SLO signature-alg dispatch ----
+// ---- SAML SLO signature-alg dispatch ----
 
 function _sigAlgUrn(alg) {
   // PQC signers — framework-private experimental URIs. The `urn:`

package/lib/backup/index.js

@@ -1015,7 +1015,7 @@ module.exports = {
   BUNDLE_ID_RE:              BUNDLE_ID_RE,
 };
 
-// ---- v0.12.7: bundleAdapterStorage ---------------------------------------
+// ---- bundleAdapterStorage ---------------------------------------
 
 /**
  * @primitive b.backup.bundleAdapterStorage
@@ -2257,7 +2257,7 @@ bundleAdapterStorage.fsAdapter = function (fsOpts) {
   };
 };
 
-// ---- v0.12.13: objectStoreAdapter ----------------------------------------
+// ---- objectStoreAdapter ----------------------------------------
 
 /**
  * @primitive b.backup.bundleAdapterStorage.objectStoreAdapter
@@ -2475,7 +2475,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
   };
 };
 
-// ---- v0.12.8: migrate ----------------------------------------------------
+// ---- migrate ----------------------------------------------------
 
 /**
  * @primitive b.backup.migrate

package/lib/compliance-ai-act.js

@@ -538,8 +538,8 @@ function deployerChecklist(assessment) {
 }
 
 /**
- * @primitive b.complianceAiAct.fundamentalRightsImpactAssessment
- * @signature b.complianceAiAct.fundamentalRightsImpactAssessment(opts)
+ * @primitive b.compliance.aiAct.fundamentalRightsImpactAssessment
+ * @signature b.compliance.aiAct.fundamentalRightsImpactAssessment(opts)
  * @since     0.8.77
  *
  * EU AI Act Article 27 — Fundamental Rights Impact Assessment (FRIA).
@@ -569,7 +569,7 @@ function deployerChecklist(assessment) {
  *   }
  *
  * @example
- *   var fria = b.complianceAiAct.fundamentalRightsImpactAssessment({
+ *   var fria = b.compliance.aiAct.fundamentalRightsImpactAssessment({
  *     systemId: "credit-scoring-v3",
  *     deploymentContext: { purpose: "loan approval", sector: "financial",
  *                          geography: "EU", scale: "1M decisions/year" },
@@ -603,13 +603,13 @@ function fundamentalRightsImpactAssessment(opts) {
     notificationStatus:   "operator-must-notify",
     note:                 "Notify national market-surveillance authority before first use (Art 27(3))",
     auditHook:            "b.audit emission action='aiact.fria.completed' recommended",
-    annexIVReference:     "see b.complianceAiAct.annexIVScaffold for technical documentation",
+    annexIVReference:     "see b.compliance.aiAct.annexIVScaffold for technical documentation",
   };
 }
 
 /**
- * @primitive b.complianceAiAct.gpai.trainingDataSummary
- * @signature b.complianceAiAct.gpai.trainingDataSummary(opts)
+ * @primitive b.compliance.aiAct.gpai.trainingDataSummary
+ * @signature b.compliance.aiAct.gpai.trainingDataSummary(opts)
  * @since     0.8.77
  *
  * EU AI Act Article 53(1)(d) — GPAI training-data summary template
@@ -634,7 +634,7 @@ function fundamentalRightsImpactAssessment(opts) {
  *   contentProvenance: object,    // { synthIdEmbed, c2paManifestEmbed, watermarkProvider }
  *
  * @example
- *   var summary = b.complianceAiAct.gpai.trainingDataSummary({
+ *   var summary = b.compliance.aiAct.gpai.trainingDataSummary({
  *     modelId:        "acme-llm-7b",
  *     modelVersion:   "1.0",
  *     provider:       { name: "Acme AI", address: "1 St", contact: "ai@acme.example" },

package/lib/compliance.js

@@ -107,12 +107,12 @@ var KNOWN_POSTURES = Object.freeze([
   "bsi-c5",          // Germany BSI C5
   "ens-es",          // Spain Esquema Nacional de Seguridad
   "uk-g-cloud",      // UK G-Cloud
-  // ---- v0.8.70 expansion — 2026 effective deadlines ----
+  // ---- 2026 effective deadlines ----
   "modpa",           // Maryland Online Data Privacy Act (effective 2025-10-01) — strict data-min
   "nydfs-500",       // NYDFS 23 NYCRR 500 Amendment 2 — financial cybersecurity (multi-factor + asset inventory + governance)
   "hipaa-2026",      // HHS HIPAA Security Rule 2026-Q4 final — extends hipaa with mandatory MFA + asset inventory + 72h restoration testing
   "quebec-25",       // Quebec Law 25 final phase (effective 2026-09-22) — DPIA + automated-decision opt-out
-  // ---- v0.8.77 expansion — US state consumer-privacy postures ----
+  // ---- US state consumer-privacy postures ----
   // Each posture carries per-state cure-period, profiling opt-out
   // and minor-consent metadata via b.dsr.stateRules(state). The
   // generic DSR primitive (b.dsr.submit) covers ~80% of the surface;
@@ -139,7 +139,7 @@ var KNOWN_POSTURES = Object.freeze([
   "ct-sb3",          // Connecticut SB 3 Consumer Health Data
   "tx-cubi",         // Texas Capture or Use of Biometric Identifier
   "fl-fdbr",         // Florida Digital Bill of Rights (SB 262, effective 2024-07-01) — narrow scope ($1B+ revenue threshold)
-  // ---- v0.8.81 expansion — AI-governance postures ----
+  // ---- AI-governance postures ----
   // State + sectoral AI regulations crystallizing through 2026. Each
   // posture is a flag that operators pin alongside their base
   // privacy/sectoral posture; the floors enforce audit-chain signing
@@ -153,20 +153,20 @@ var KNOWN_POSTURES = Object.freeze([
   "ca-tfaia",        // California SB 53 — Transparency in Frontier AI Act (effective 2026-01-01)
   "kr-ai-basic",     // South Korea AI Basic Act (effective 2026-01-22)
   "cn-ai-label",     // China Measures for Labelling of AI-Generated Content (effective 2025-09-01)
-  // ---- v0.8.81 expansion — AI management cross-walks ----
+  // ---- AI management cross-walks ----
   "iso-42001",       // ISO/IEC 42001:2023 — AI Management System
   "iso-23894",       // ISO/IEC 23894:2023 — AI Risk Management Guidance
-  // ---- v0.8.81 expansion — content-credentials posture flags ----
+  // ---- content-credentials posture flags ----
   "ca-sb942",        // California SB-942 (Cal. Bus. & Prof. Code §22757) gen-AI disclosure (effective 2026-08-02)             // regulatory identifier + date, not bytes
   "ca-ab853",        // California AB-853 platform-side gen-AI detection (effective 2026-08-02)                                // regulatory identifier + date, not bytes
-  // ---- v0.8.81 expansion — substrate-to-posture cleanup ----
+  // ---- substrate-to-posture cleanup ----
   "eaa",             // EU Accessibility Act / Directive (EU) 2019/882 (effective 2025-06-28)
   "wcag-2-2",        // W3C Web Content Accessibility Guidelines 2.2 (Oct 2023 Recommendation)
   "eu-data-act",     // EU Data Act / Regulation (EU) 2023/2854 (effective 2025-09-12)
   "hitech",          // Health Information Technology for Economic and Clinical Health Act (2009)
   "ferpa",           // Family Educational Rights and Privacy Act (20 U.S.C. §1232g)
   "dpdp",            // India Digital Personal Data Protection Act 2023 (rules-pending; cascade tier exists)
-  // ---- v0.8.82 expansion — privacy 2026 sweep ----
+  // ---- privacy 2026 sweep ----
   // US federal child / financial privacy
   "coppa",           // Children's Online Privacy Protection Act (15 U.S.C. §6501)
   "coppa-2025",      // COPPA 2025 Amendment (FTC final 2025-04-22; effective 2026-06-23 — biometric expansion + knowing-collection disclosure)
@@ -203,7 +203,7 @@ var KNOWN_POSTURES = Object.freeze([
   "eu-cer",          // EU Critical Entities Resilience Directive (2022/2557; transposition 2024-10-17)
   "eu-cyber-sol",    // EU Cyber Solidarity Act (Regulation 2025/38; effective 2025-02-04)
   "eidas-2",         // eIDAS 2 / EUDI Wallet (Regulation 2024/1183; rollout 2026-2027)
-  // ---- v0.8.86 expansion — sectoral + cybersecurity directives ----
+  // ---- sectoral + cybersecurity directives ----
   "cmmc-2.0",        // US DoD Cybersecurity Maturity Model Certification 2.0 (effective 2025-Q1)
   "cjis-v6",         // FBI Criminal Justice Information Services Security Policy v6.0 (Dec 2024)
   "iso-27001-2022",  // ISO/IEC 27001:2022 — Information Security Management System
@@ -214,7 +214,7 @@ var KNOWN_POSTURES = Object.freeze([
   "nist-800-66-r2",  // NIST SP 800-66 Rev 2 — HIPAA Security Rule implementation guidance                                       // NIST publication number, not bytes
   "ehds",            // EU European Health Data Space (Regulation 2025/327; phased 2027-2029)
   "circia",          // US Cyber Incident Reporting for Critical Infrastructure Act (final rule pending)
-  // ---- v0.9.6 expansion — exceptd framework-control-gap closure ----
+  // ---- exceptd framework-control-gap closure ----
   // Postures added to recognise every framework cited in the
   // exceptd 2026-05-11 framework-control-gaps catalog. Each posture
   // either (a) maps to a framework the operator must audit against,
@@ -248,7 +248,7 @@ var KNOWN_POSTURES = Object.freeze([
   "cwe-top-25-2024",             // CWE Top 25 Most Dangerous Software Weaknesses (2024)
   "cis-controls-v8",             // CIS Controls v8
   "cmmc-2.0-level-2",            // CMMC 2.0 Level 2 (Advanced) — 110 NIST 800-171 Rev 2 controls                                                                                                          // NIST pub number / level, not bytes
-  // ---- v0.9.57 — granular CMMC level distinction ----
+  // ---- granular CMMC level distinction ----
   // CMMC 2.0 maturity levels carry distinct control-mapping
   // expectations: Level 1 = 15 controls (FAR 52.204-21), Level 2 =
   // 110 controls (NIST 800-171 Rev 2), Level 3 = additional NIST
@@ -257,7 +257,7 @@ var KNOWN_POSTURES = Object.freeze([
   // L1/L2/L3 postures are the recommended pin for new deployments.
   "cmmc-2.0-level-1",            // CMMC 2.0 Level 1 (Foundational) — 15 FAR controls; FCI-only data        // regulatory identifier, not bytes
   "cmmc-2.0-level-3",            // CMMC 2.0 Level 3 (Expert) — NIST 800-172 enhanced controls atop L2       // regulatory identifier, not bytes
-  // ---- v0.12.1 — promote POSTURE_DEFAULTS-only entries into the
+  // ---- promote POSTURE_DEFAULTS-only entries into the
   // canonical KNOWN_POSTURES surface so operators can actually
   // `b.compliance.set(...)` them. Each entry had cascade
   // configuration wired but couldn't be pinned because set()'s
@@ -757,7 +757,7 @@ var REGIME_MAP = Object.freeze({
   "ct-sb3":    { name: "Connecticut SB 3 Consumer Health Data",        citation: "Conn. P.A. 23-56 (effective 2023-07-01)", jurisdiction: "US-CT", domain: "health" },
   "tx-cubi":   { name: "Texas Capture or Use of Biometric Identifier", citation: "Tex. Bus. & Com. Code §503.001 (effective 2009-09-01)", jurisdiction: "US-TX", domain: "biometric" },
   "fl-fdbr":   { name: "Florida Digital Bill of Rights",              citation: "Fla. Stat. §501.701 et seq. SB 262 (effective 2024-07-01)", jurisdiction: "US-FL", domain: "privacy" },
-  // ---- v0.8.81 — AI governance ----
+  // ---- AI governance ----
   "co-ai":       { name: "Colorado AI Act",                            citation: "C.R.S. §6-1-1701 et seq. SB24-205 (postponed to 2026-06-30; enforcement stayed)", jurisdiction: "US-CO", domain: "ai-governance" },
   "il-hb3773":   { name: "Illinois HB 3773 — AI in Employment",        citation: "775 ILCS 5 IHRA AI amendment (effective 2026-01-01)", jurisdiction: "US-IL", domain: "ai-governance" },
   "tx-traiga":   { name: "Texas Responsible AI Governance Act",        citation: "Tex. Bus. & Com. Code Ch. 552 HB 149 (effective 2026-01-01)", jurisdiction: "US-TX", domain: "ai-governance" },
@@ -766,20 +766,20 @@ var REGIME_MAP = Object.freeze({
   "ca-tfaia":    { name: "California Transparency in Frontier AI Act",  citation: "Cal. Bus. & Prof. Code §22757.10 et seq. SB 53 (effective 2026-01-01)", jurisdiction: "US-CA", domain: "ai-governance" },
   "kr-ai-basic": { name: "South Korea AI Basic Act",                    citation: "Framework Act on Development of AI (effective 2026-01-22)", jurisdiction: "KR", domain: "ai-governance" },
   "cn-ai-label": { name: "China — Measures for Labelling AI-Generated Content", citation: "CAC + MIIT + Ministry of Public Security + NRTA Order (effective 2025-09-01)", jurisdiction: "CN", domain: "ai-governance" },
-  // ---- v0.8.81 — AI management cross-walks ----
+  // ---- AI management cross-walks ----
   "iso-42001":   { name: "ISO/IEC 42001 — AI Management System",        citation: "ISO/IEC 42001:2023", jurisdiction: "international", domain: "ai-governance" },
   "iso-23894":   { name: "ISO/IEC 23894 — AI Risk Management",          citation: "ISO/IEC 23894:2023", jurisdiction: "international", domain: "ai-governance" },
-  // ---- v0.8.81 — content-credentials posture flags ----
+  // ---- content-credentials posture flags ----
   "ca-sb942":    { name: "California Gen-AI Provenance Disclosure",     citation: "Cal. Bus. & Prof. Code §22757 SB-942 (effective 2026-08-02)", jurisdiction: "US-CA", domain: "content-credentials" },
   "ca-ab853":    { name: "California Platform Gen-AI Detection",        citation: "Cal. Bus. & Prof. Code §22757 AB-853 (effective 2026-08-02)", jurisdiction: "US-CA", domain: "content-credentials" },
-  // ---- v0.8.81 — substrate-to-posture cleanup ----
+  // ---- substrate-to-posture cleanup ----
   "eaa":         { name: "EU Accessibility Act",                        citation: "Directive (EU) 2019/882 (effective 2025-06-28)", jurisdiction: "EU", domain: "accessibility" },
   "wcag-2-2":    { name: "W3C Web Content Accessibility Guidelines 2.2", citation: "W3C Recommendation (Oct 2023)", jurisdiction: "international", domain: "accessibility" },
   "eu-data-act": { name: "EU Data Act",                                 citation: "Regulation (EU) 2023/2854 (effective 2025-09-12)", jurisdiction: "EU", domain: "data-sharing" },
   "hitech":      { name: "Health Information Technology for Economic and Clinical Health Act", citation: "Pub. L. 111-5, Title XIII, Subtitle D (2009)", jurisdiction: "US", domain: "health" },
   "ferpa":       { name: "Family Educational Rights and Privacy Act",   citation: "20 U.S.C. §1232g; 34 CFR Part 99", jurisdiction: "US", domain: "student-records" },
   "dpdp":        { name: "Digital Personal Data Protection Act 2023",   citation: "Act 22 of 2023 (India; rules pending)", jurisdiction: "IN", domain: "privacy" },
-  // ---- v0.8.82 — privacy 2026 sweep ----
+  // ---- privacy 2026 sweep ----
   // US federal
   "coppa":           { name: "Children's Online Privacy Protection Act",         citation: "15 U.S.C. §§6501-6506; 16 CFR Part 312 (effective 2000-04-21)", jurisdiction: "US", domain: "child-privacy" },
   "coppa-2025":      { name: "COPPA 2025 Amendment",                              citation: "FTC final rule (2025-04-22; effective 2026-06-23) — biometric expansion + knowing-collection-13-and-under disclosure", jurisdiction: "US", domain: "child-privacy" },
@@ -815,7 +815,7 @@ var REGIME_MAP = Object.freeze({
   "eu-cer":          { name: "EU Critical Entities Resilience Directive",        citation: "Directive (EU) 2022/2557 (transposition 2024-10-17)", jurisdiction: "EU", domain: "cybersecurity" },
   "eu-cyber-sol":    { name: "EU Cyber Solidarity Act",                          citation: "Regulation (EU) 2025/38 (effective 2025-02-04)", jurisdiction: "EU", domain: "cybersecurity" },
   "eidas-2":         { name: "eIDAS 2 / EUDI Wallet",                            citation: "Regulation (EU) 2024/1183 (rollout 2026-2027)", jurisdiction: "EU", domain: "identity" },
-  // ---- v0.8.86 — sectoral + cybersecurity directives ----
+  // ---- sectoral + cybersecurity directives ----
   "cmmc-2.0":        { name: "Cybersecurity Maturity Model Certification 2.0",   citation: "32 CFR Part 170 (DFARS rule effective 2025-Q1)", jurisdiction: "US", domain: "cybersecurity" },
   "cjis-v6":         { name: "FBI CJIS Security Policy v6.0",                    citation: "CJIS Security Policy v6.0 (effective 2024-12)", jurisdiction: "US", domain: "law-enforcement" },
   "iso-27001-2022":  { name: "ISO/IEC 27001:2022 Information Security Management System", citation: "ISO/IEC 27001:2022", jurisdiction: "international", domain: "cybersecurity" },
@@ -826,7 +826,7 @@ var REGIME_MAP = Object.freeze({
   "nist-800-66-r2":  { name: "NIST SP 800-66 Rev 2 — HIPAA Security Rule Guidance", citation: "NIST SP 800-66 Rev 2 (Feb 2024)", jurisdiction: "US", domain: "health" },
   "ehds":            { name: "European Health Data Space",                        citation: "Regulation (EU) 2025/327 (phased 2027-2029)", jurisdiction: "EU", domain: "health" },
   "circia":          { name: "Cyber Incident Reporting for Critical Infrastructure Act", citation: "6 U.S.C. §681 et seq. (final rule pending)", jurisdiction: "US", domain: "cybersecurity" },
-  // ---- v0.12.1 — REGIME_MAP backfill for KNOWN_POSTURES without
+  // ---- REGIME_MAP backfill for KNOWN_POSTURES without
   // describe() coverage. Each entry resolves `b.compliance.describe
   // (posture)` → { name, citation, jurisdiction, domain } so admin
   // UI / generated audit reports rendering "running under <name>
@@ -870,7 +870,7 @@ var REGIME_MAP = Object.freeze({
   "bsi-c5":          { name: "Germany BSI C5 — Cloud Computing Compliance Catalogue", citation: "BSI Cloud Computing Compliance Criteria Catalogue (C5:2020)", jurisdiction: "DE", domain: "cybersecurity" },
   "ens-es":          { name: "Spain Esquema Nacional de Seguridad",             citation: "Real Decreto 311/2022",                            jurisdiction: "ES", domain: "cybersecurity" },
   "uk-g-cloud":      { name: "UK G-Cloud Framework",                            citation: "UK Crown Commercial Service G-Cloud 14",          jurisdiction: "UK", domain: "cybersecurity" },
-  // ---- v0.9.6 expansion REGIME_MAP backfill (cybersecurity / AI / supply-chain frameworks) ----
+  // ---- REGIME_MAP backfill (cybersecurity / AI / supply-chain frameworks) ----
   "nist-800-53":              { name: "NIST SP 800-53 Rev 5 — Security & Privacy Controls", citation: "NIST SP 800-53 Rev 5",                jurisdiction: "US", domain: "cybersecurity" },
   "nist-ai-rmf-1.0":          { name: "NIST AI Risk Management Framework 1.0",  citation: "NIST AI 100-1 (Jan 2023)",                        jurisdiction: "US", domain: "ai" },
   "iso-42001-2023":           { name: "ISO/IEC 42001:2023 — AI Management System", citation: "ISO/IEC 42001:2023",                          jurisdiction: "international", domain: "ai" },
@@ -1176,7 +1176,7 @@ var POSTURE_DEFAULTS = Object.freeze({
   "nist-800-66-r2":  Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "ehds":            Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "circia":          Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
-  // ---- v0.9.6 — exceptd framework-control-gap closure cascade ----
+  // ---- exceptd framework-control-gap closure cascade ----
   "nist-800-53":             Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   // NIST AI-RMF MANAGE.4.3 / ISO 23894 §6.5 / ISO 42001
   // §A.6 require encrypted backups for AI system state (model
@@ -1242,7 +1242,7 @@ var POSTURE_DEFAULTS = Object.freeze({
   "cmmc-2.0-level-1":        Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "cmmc-2.0-level-2":        Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "cmmc-2.0-level-3":        Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true, fipsMode: false }),
-  // ---- v0.10.16 — sectoral catch-up ----
+  // ---- sectoral catch-up ----
   // 42 CFR Part 2 — Substance Use Disorder records confidentiality
   // (HHS final rule 2024-04-16 aligns Part 2 with HIPAA but retains
   // a stricter consent floor; encrypted backups + signed audit chain

package/lib/crypto-field.js

@@ -235,6 +235,74 @@ function _computeDerivedHash(spec, tableMode, ns, normalized) {
   return sha3Hash(vault.getDerivedHashSalt().toString("hex") + ns + normalized);
 }
 
+/**
+ * @primitive b.cryptoField.computeNamespacedHash
+ * @signature b.cryptoField.computeNamespacedHash(ns, value, opts?)
+ * @since     0.14.10
+ * @compliance gdpr, hipaa
+ * @related   b.cryptoField.computeDerived, b.cryptoField.lookupHash
+ *
+ * Computes a namespaced indexed-lookup digest of `value` for a
+ * pseudo-field that is NOT backed by a registered derived-hash column
+ * (e.g. the sealed-token FTS index in `b.mailStore.fts`). The caller
+ * supplies the full namespace string directly — there is no schema
+ * lookup — so the same keyed/salted hash machinery that protects
+ * registered derived hashes also covers ad-hoc indexed tokens. This is
+ * the canonical entry point: hand-rolling
+ * `sha3Hash(vault.getDerivedHashSalt() + ns + value)` at a call site
+ * bypasses the keyed-MAC mode (`hmac-shake256` off
+ * `vault.getDerivedHashMacKey`) and the per-deployment salt policy.
+ *
+ * `opts.mode` selects the digest:
+ *   - `"salted-sha3"` (default): SHA3-512 over `<salt-hex> + ns + value`
+ *     (deterministic per deployment; byte-identical to the legacy
+ *     hand-rolled scheme).
+ *   - `"hmac-shake256"`: SHAKE256(`<vault MAC key> || ns + value`) — a
+ *     keyed MAC so an attacker who recovers the salt alone cannot
+ *     correlate two low-entropy plaintexts.
+ *
+ * `opts.truncateBytes` truncates the hex digest to that many BYTES
+ * (the hex string is sliced to `truncateBytes * 2` characters). Throws
+ * (config-time / entry-point tier) on an unknown `mode` or a
+ * non-positive-integer `truncateBytes` so an operator catches the typo
+ * at boot rather than silently indexing under a malformed digest.
+ *
+ * @opts
+ *   mode:          string,   // "salted-sha3" (default) | "hmac-shake256"
+ *   truncateBytes: number,   // optional; positive integer byte width to slice to
+ *
+ * @example
+ *   var ns = "bj-mail_messages-body:fts:";
+ *   var h = b.cryptoField.computeNamespacedHash(ns, "kubernetes", {
+ *     mode: "hmac-shake256", truncateBytes: 8
+ *   });
+ *   /^[0-9a-f]{16}$/.test(h);   // → true
+ *
+ *   // Default mode is byte-identical to the legacy salted-sha3 hash.
+ *   b.cryptoField.computeNamespacedHash(ns, "kubernetes").length;   // → 128
+ */
+function computeNamespacedHash(ns, value, opts) {
+  opts = opts || {};
+  var mode = opts.mode || "salted-sha3";
+  if (mode !== "salted-sha3" && mode !== "hmac-shake256") {
+    throw new Error("computeNamespacedHash: opts.mode must be 'salted-sha3' " +
+      "(default) or 'hmac-shake256', got " + JSON.stringify(mode));
+  }
+  var truncateBytes = opts.truncateBytes;
+  if (truncateBytes !== undefined) {
+    if (typeof truncateBytes !== "number" || !isFinite(truncateBytes) ||
+        truncateBytes <= 0 || Math.floor(truncateBytes) !== truncateBytes) {
+      throw new Error("computeNamespacedHash: opts.truncateBytes must be a " +
+        "positive integer (bytes), got " + JSON.stringify(truncateBytes));
+    }
+  }
+  var hex = _computeDerivedHash({ mode: mode }, mode, ns, String(value));
+  if (truncateBytes !== undefined) {
+    return hex.slice(0, truncateBytes * 2);
+  }
+  return hex;
+}
+
 /**
  * @primitive b.cryptoField.getSchema
  * @signature b.cryptoField.getSchema(table)
@@ -1046,6 +1114,7 @@ module.exports = {
   applyPosture:     applyPosture,
   getActivePosture: getActivePosture,
   computeDerived:   computeDerived,
+  computeNamespacedHash: computeNamespacedHash,
   lookupHash:       lookupHash,
   clearForTest:     clearForTest,
   declareColumnResidency: declareColumnResidency,

package/lib/dsr.js

@@ -1078,7 +1078,7 @@ function dbTicketStore(opts) {
   };
 }
 
-// ---- v0.8.77 — US state-law DSR drift registry -------------------
+// ---- US state-law DSR drift registry -------------------
 //
 // Each US state consumer-privacy law expresses the same DSR core
 // (access / deletion / correction / portability) but with per-state

package/lib/guard-archive.js

@@ -905,7 +905,7 @@ module.exports = {
   tarEntryPolicy:      tarEntryPolicy,
 };
 
-// ---- v0.12.7 extensions ---------------------------------------------------
+// ---- extensions ---------------------------------------------------
 
 /**
  * @primitive b.guardArchive.inspect

package/lib/mail-crypto-pgp.js

@@ -928,7 +928,7 @@ function _audit(auditHandle, action, outcome, metadata) {
   } catch (_e) { /* drop-silent — audit failures must not crash callers */ }
 }
 
-// ---- v0.10.16 experimental encrypt/decrypt + WKD ----
+// ---- experimental encrypt/decrypt + WKD ----
 //
 // PQC PGP encrypt/decrypt for ML-KEM-1024 recipients shipped under
 // `experimental` namespace (RFC 9580bis PKESK ML-KEM codepoints

package/lib/mail-store-fts.js

@@ -54,10 +54,23 @@
  *   nothing readable; search works against ciphertext.
  */
 
-var bCrypto      = require("./crypto");
-var vault        = require("./vault");
+var cryptoField  = require("./crypto-field");
 var C            = require("./constants");
 
+// Sealed-token FTS on-disk format version. Bumped when the token-hash
+// transform changes so the mail-store reindex path can detect a stale
+// index and rebuild it from the sealed messages table. v1 was the
+// legacy salted-sha3-truncated hand-roll; v2 is the keyed
+// hmac-shake256 digest computed via cryptoField.computeNamespacedHash.
+var FTS_FORMAT_VERSION = 2;
+
+// Per-token hash width, in bytes. 8 bytes -> 16 hex chars. Full 64-char
+// SHA3 / SHAKE digest is overkill for the FTS hash space, and the
+// shorter token compresses the FTS5 row 4x without observable collision
+// risk at corpus sizes the framework targets (<= 10^9 unique tokens,
+// where 64-bit collision space leaves the birthday bound > 10^9).
+var FTS_HASH_BYTES = 8;
+
 // Stopwords are dropped before hashing — they'd dominate every row's
 // token set without adding query selectivity. Kept conservative to
 // stay locale-neutral for v1.
@@ -154,26 +167,29 @@ function tokenize(text) {
   return out;
 }
 
-// Hash one token using the same scheme cryptoField uses for derived-
-// hash mirrors: `sha3Hash(vaultSalt + namespace + token)`. The
+// Hash one token through the canonical cryptoField primitive
+// (computeNamespacedHash) so the FTS index inherits the keyed-MAC
+// digest used for derived-hash mirrors on sealed columns. The
 // namespace is per-table, per-field, per-purpose ("fts") so that
-// rotating an operator's vault salt invalidates every FTS row in
-// the same step as every sealed column. Returns a 16-char hex prefix
-// — full 64-char SHA3 is overkill for FTS hash space, and shorter
-// tokens compress the FTS5 row 4x without observable collision risk
-// at corpus sizes the framework targets (≤ 10^9 unique tokens, where
-// 64-bit collision space leaves the birthday bound > 10^9).
+// rotating an operator's vault key invalidates every FTS row in the
+// same step as every sealed column. Returns a 16-char hex prefix
+// (FTS_HASH_BYTES bytes) — full 64-char digest is overkill for the
+// FTS hash space, and shorter tokens compress the FTS5 row 4x without
+// observable collision risk at corpus sizes the framework targets
+// (<= 10^9 unique tokens, where 64-bit collision space leaves the
+// birthday bound > 10^9).
 /**
  * @primitive b.mailStore.fts.hashToken
  * @signature b.mailStore.fts.hashToken(table, field, token)
  * @since     0.11.25
  * @status    stable
  *
- * Vault-salted hash of one token under the (table, field) namespace.
- * The same scheme `b.cryptoField.computeDerived` uses for derived-
- * hash mirrors on sealed columns — rotating the vault salt
- * invalidates every FTS hash in step with every sealed-column hash.
- * Returns a 16-char hex prefix.
+ * Keyed hash of one token under the (table, field) namespace. Routes
+ * through `b.cryptoField.computeNamespacedHash` in `hmac-shake256`
+ * mode — the same keyed-MAC machinery that protects sealed-column
+ * derived hashes — so rotating the vault key invalidates every FTS
+ * hash in step with every sealed-column hash. Returns a 16-char hex
+ * prefix.
  *
  * @example
  *   var h = b.mailStore.fts.hashToken("mail_messages", "body", "kubernetes");
@@ -185,9 +201,10 @@ function hashToken(table, field, token) {
   // fields are pseudo-fields (no sealed-column registration), so the
   // canonical fallback path is always the right answer here.
   var ns = "bj-" + table + "-" + field + ":fts:";
-  var salt = vault.getDerivedHashSalt();
-  var saltHex = (salt && typeof salt.toString === "function") ? salt.toString("hex") : "";
-  return bCrypto.sha3Hash(saltHex + ns + token).slice(0, 16);                                          // 16-char hex prefix length, not bytes
+  return cryptoField.computeNamespacedHash(ns, token, {
+    mode:          "hmac-shake256",
+    truncateBytes: FTS_HASH_BYTES,
+  });
 }
 
 // Hash a token array → space-separated string suitable for FTS5
@@ -391,4 +408,9 @@ module.exports = {
   MAX_TOKEN_LEN:       MAX_TOKEN_LEN,
   MAX_TOKENS_PER_FIELD: MAX_TOKENS_PER_FIELD,
   FTS_FIELDS:          FTS_FIELDS,
+  FTS_HASH_BYTES:      FTS_HASH_BYTES,
+  // On-disk format marker — the mail-store reindex path stamps this
+  // into `<prefix>_meta` once a full rebuild completes; a stale/missing
+  // marker triggers a rebuild from the sealed messages table.
+  FTS_FORMAT_VERSION:  FTS_FORMAT_VERSION,
 };

package/lib/mail-store.js

@@ -60,6 +60,7 @@
 var C = require("./constants");
 var bCrypto = require("./crypto");
 var cryptoField = require("./crypto-field");
+var vault = require("./vault");
 var safeMime = require("./safe-mime");
 var safeSql = require("./safe-sql");
 var guardMessageId = require("./guard-message-id");
@@ -72,6 +73,14 @@ var DEFAULT_TABLE_PREFIX = "blamejs_mail";
 var DEFAULT_MAX_MESSAGE_BYTES = C.BYTES.mib(50);
 var DEFAULT_MAX_BODY_BYTES    = C.BYTES.mib(25);
 
+// `<prefix>_meta` marker key carrying the FTS on-disk format version.
+// The reindex path writes a `'rebuilding'` sentinel BEFORE clearing the
+// index and the final format-version string only AFTER every row is
+// reinserted, so a partial / interrupted rebuild is never marked
+// complete and never queried as a finished index.
+var FTS_FORMAT_META_KEY = "fts_format";
+var FTS_REBUILDING_SENTINEL = "rebuilding";
+
 // Standard IMAP4rev2 default folders + JMAP role mapping.
 var DEFAULT_FOLDERS = Object.freeze([
   { name: "INBOX",   role: "inbox" },
@@ -129,6 +138,7 @@ function create(opts) {
   var qFlags   = safeSql.quoteIdentifier(prefix + "_flags",     "sqlite");
   var qQuota   = safeSql.quoteIdentifier(prefix + "_quota",     "sqlite");
   var qFts     = safeSql.quoteIdentifier(prefix + "_messages_fts", "sqlite");
+  var qMeta    = safeSql.quoteIdentifier(prefix + "_meta",      "sqlite");
   var messagesTable = prefix + "_messages";
 
   var maxMessageBytes = opts.maxMessageBytes !== undefined ? opts.maxMessageBytes : DEFAULT_MAX_MESSAGE_BYTES;
@@ -150,7 +160,7 @@ function create(opts) {
   });
 
   if (doInit) {
-    _ensureSchema(db, qMsgs, qFolders, qFlags, qQuota, qFts);
+    _ensureSchema(db, qMsgs, qFolders, qFlags, qQuota, qFts, qMeta);
     _ensureDefaultFolders(db, qFolders);
   }
 
@@ -207,6 +217,150 @@ function create(opts) {
     "INSERT INTO " + qFts + " (objectid, subject_toks, addr_toks, body_toks) VALUES (?, ?, ?, ?)");
   var stmtDeleteFts        = db.prepare("DELETE FROM " + qFts + " WHERE objectid = ?");
 
+  // `<prefix>_meta` marker read — used by the reindex gate at create()
+  // AND by every FTS query path (search) to refuse a half-built index.
+  // Guarded behind a closure so a store opened with init:false against a
+  // pre-format-version database (no _meta table) reads as "no marker"
+  // instead of throwing.
+  function _readFtsMarker() {
+    try {
+      var row = db.prepare("SELECT value FROM " + qMeta + " WHERE key = ?")
+        .get(FTS_FORMAT_META_KEY);
+      return row ? row.value : null;
+    } catch (_e) {
+      // _meta table absent (init:false against a legacy store) — treat
+      // as no marker so the FTS query path falls back rather than
+      // querying a possibly-stale index as if it were current.
+      return null;
+    }
+  }
+  // The FTS index is queryable only when the on-disk marker equals the
+  // current format version. A `'rebuilding'` sentinel or any other
+  // value (stale format, missing marker) means the index is non-final;
+  // search() falls back to the modseq cursor rather than returning
+  // partial / mixed-scheme FTS hits.
+  var CURRENT_FTS_FMT = String(mailStoreFts.FTS_FORMAT_VERSION);
+  function _ftsIndexUsable() {
+    return _readFtsMarker() === CURRENT_FTS_FMT;
+  }
+
+  // Reindex-on-upgrade. Runs once at create() (when doInit) AFTER the
+  // schema is ensured. Rebuilds the sealed-token FTS index from the
+  // canonical (sealed) messages table whenever the on-disk format
+  // marker is missing or stale — the token-hash transform changed, so
+  // every previously-indexed row hashes to a different value and the
+  // old rows are unsearchable under the new scheme.
+  //
+  // Data-safety contract:
+  //   - A `'rebuilding'` sentinel is written BEFORE the DELETE, so an
+  //     interrupted rebuild leaves a non-final marker; search() refuses
+  //     the index until a later create() completes the rebuild.
+  //   - The DELETE + every reinsert run inside an explicit
+  //     BEGIN/COMMIT/ROLLBACK (ordinary SQLite — works on node:sqlite
+  //     and b.db alike; neither exposes a usable `.transaction(fn)()`
+  //     for this shape). A throw inside the insert loop rolls the whole
+  //     rebuild back, leaving the OLD index intact + queryable... except
+  //     the marker still reads as non-final, so search falls back until
+  //     the next successful create() — the index is never silently
+  //     half-built.
+  //   - The final format-version marker is written ONLY after every row
+  //     reinserts and the COMMIT lands.
+  function _reindexFts() {
+    var fmt = _readFtsMarker();
+    if (fmt === CURRENT_FTS_FMT) return { reindexed: false, reason: "current" };
+
+    // Count existing FTS rows AFTER the early-return so the common
+    // already-current path pays nothing for the scan.
+    var ftsCountRow = db.prepare("SELECT COUNT(*) AS n FROM " + qFts).get();
+    var ftsCount = (ftsCountRow && ftsCountRow.n) || 0;
+    var msgCountRow = db.prepare("SELECT COUNT(*) AS n FROM " + qMsgs).get();
+    var msgCount = (msgCountRow && msgCountRow.n) || 0;
+
+    // Fresh store — no marker AND nothing indexed AND no messages to
+    // index. Just stamp the current format; there is nothing to rebuild.
+    if (fmt === null && ftsCount === 0 && msgCount === 0) {
+      _writeFtsMarker(CURRENT_FTS_FMT);
+      return { reindexed: false, reason: "fresh" };
+    }
+
+    // Reindex unseals EVERY message row — a runtime dependency on the
+    // vault that a bare create() otherwise wouldn't have. Fail loud at
+    // boot (entry-point tier) rather than silently leaving a stale,
+    // wrong-scheme index searchable: an operator who constructs the
+    // store before vault.init() must see the misordering immediately.
+    if (!vault.isInitialized()) {
+      throw new MailStoreError("mail-store/fts-reindex-vault-uninitialized",
+        "mailStore.create: FTS index format is stale (marker=" +
+        JSON.stringify(fmt) + ", current=" + CURRENT_FTS_FMT + ") and a " +
+        "reindex from the sealed messages table requires the vault - call " +
+        "b.vault.init(...) BEFORE b.mailStore.create(...). Refusing to leave " +
+        "a stale, wrong-scheme search index queryable.");
+    }
+
+    // Sentinel BEFORE any destructive work — a crash between here and
+    // the final marker leaves the index marked non-final.
+    _writeFtsMarker(FTS_REBUILDING_SENTINEL);
+
+    // BEGIN IMMEDIATE takes the write lock up front so the message
+    // snapshot, the FTS delete, and the reinsert are one isolated window.
+    // The snapshot is read INSIDE the lock: a concurrent writer in another
+    // process cannot append a message between the snapshot and the delete
+    // (which would otherwise drop that row's freshly-inserted FTS entry
+    // without re-adding it, silently losing it from search).
+    var allRows;
+    db.prepare("BEGIN IMMEDIATE").run();
+    try {
+      allRows = db.prepare("SELECT * FROM " + qMsgs).all();
+      db.prepare("DELETE FROM " + qFts).run();
+      for (var i = 0; i < allRows.length; i += 1) {
+        // unsealRow returns the DB column names (subject / from_addr /
+        // to_addrs / body_text); map them into the FTS param shape
+        // (subject / from / to / body) rowFromMessage expects.
+        var clear = cryptoField.unsealRow(messagesTable, allRows[i]);
+        var ftsRow = mailStoreFts.rowFromMessage(messagesTable, {
+          objectid: clear.objectid,
+          subject:  clear.subject   || "",
+          from:     clear.from_addr || "",
+          to:       clear.to_addrs  || "",
+          body:     clear.body_text || "",
+        });
+        stmtInsertFts.run(ftsRow.objectid, ftsRow.subject_toks,
+          ftsRow.addr_toks, ftsRow.body_toks);
+      }
+      db.prepare("COMMIT").run();
+    } catch (e) {
+      // Roll the partial rebuild back — the OLD index rows are restored
+      // (the DELETE is undone), so the prior scheme stays intact and
+      // queryable. The marker still reads as the sentinel, so search()
+      // falls back until a later create() completes the rebuild: a
+      // retriable, never-silently-half-built state.
+      try { db.prepare("ROLLBACK").run(); } catch (_re) { /* best-effort */ }
+      throw new MailStoreError("mail-store/fts-reindex-failed",
+        "mailStore.create: FTS reindex from the sealed messages table " +
+        "failed and was rolled back (the prior index is intact); retry " +
+        "after resolving: " + ((e && e.message) || String(e)));
+    }
+
+    // Full rebuild committed — stamp the current format LAST so the
+    // index only reads as final once every row is present.
+    _writeFtsMarker(CURRENT_FTS_FMT);
+    return { reindexed: true, rows: allRows.length };
+  }
+
+  function _writeFtsMarker(value) {
+    db.prepare(
+      "INSERT INTO " + qMeta + " (key, value) VALUES (?, ?) " +
+      "ON CONFLICT(key) DO UPDATE SET value = excluded.value"
+    ).run(FTS_FORMAT_META_KEY, value);
+  }
+
+  // Wire the reindex into create() AFTER schema bootstrap. A fresh store
+  // (no marker, 0 FTS rows, 0 messages) just stamps the format; a store
+  // carrying an old-format index rebuilds from the sealed rows.
+  if (doInit) {
+    _reindexFts();
+  }
+
   return {
     appendMessage:    function (folderName, rawBytes, appendOpts) {
       // Wrap canonical row insert + FTS row insert in a single backend
@@ -277,6 +431,27 @@ function create(opts) {
       var limit = f.limit || 100;
       if (limit > 1000) limit = 1000;                                                                  // query row cap, not bytes
 
+      // The FTS index is queryable only when the on-disk format marker
+      // is current. A `'rebuilding'` sentinel (mid-rebuild / interrupted
+      // rebuild) or a stale/missing marker means the index is non-final
+      // — fall back to the bare modseq cursor rather than returning
+      // partial or wrong-scheme FTS hits. Returning a subset of the true
+      // matches as if it were complete is the corruption hazard the
+      // reindex sentinel exists to prevent.
+      if (!_ftsIndexUsable()) {
+        var nonFinal = stmtQueryByModseq.all(folder.id, sinceModseq, limit);
+        return {
+          rows: nonFinal.map(function (r) {
+            return {
+              objectid: r.objectid, modseq: r.modseq, sizeBytes: r.size_bytes,
+              internalDate: r.internal_date, legalHold: r.legal_hold === 1,
+            };
+          }),
+          nextModseq: nonFinal.length > 0 ? nonFinal[nonFinal.length - 1].modseq : sinceModseq,
+          ftsUnavailable: true,
+        };
+      }
+
       var matchClauses = [];
       function addMatch(filterKey, term) {
         if (!term) return;
@@ -834,7 +1009,7 @@ function _normalizeMsgId(s) {
 
 // ---- Schema bootstrap ----------------------------------------------------
 
-function _ensureSchema(db, qMsgs, qFolders, qFlags, qQuota, qFts) {
+function _ensureSchema(db, qMsgs, qFolders, qFlags, qQuota, qFts, qMeta) {
   // Folders table — created first since messages reference folder_id.
   db.prepare(
     "CREATE TABLE IF NOT EXISTS " + qFolders + " (" +
@@ -910,6 +1085,17 @@ function _ensureSchema(db, qMsgs, qFolders, qFlags, qQuota, qFts) {
   // tokens on whitespace exactly — hashes are ASCII-hex-only, so no
   // Unicode case-fold runs at MATCH time.
   db.prepare(mailStoreFts.createSql(qFts)).run();
+
+  // Per-prefix key/value metadata table. Holds the FTS on-disk format
+  // marker (`fts_format`) so the reindex path can detect a stale index
+  // and rebuild it. Scoped per table-prefix (NOT PRAGMA user_version,
+  // which is db-global and would collide across stores sharing one
+  // sqlite file).
+  db.prepare(
+    "CREATE TABLE IF NOT EXISTS " + qMeta + " (" +
+    "key TEXT PRIMARY KEY, " +
+    "value TEXT)"
+  ).run();
 }
 
 function _ensureDefaultFolders(db, qFolders) {

package/lib/parsers/index.js

@@ -36,12 +36,6 @@
  *           parsed as `country: false`). Block + flow style;
  *           literal `|` and folded `>` block scalars with chomp
  *           indicators.
- *   env  — .env file loader with size cap + schema validation;
- *           refuses to expand $VAR references; refuses to silently
- *           overwrite existing process.env values unless explicitly
- *           opted in. Dev-tooling — production secrets should still
- *           come through the operator's secrets-management; this is
- *           the local-development convenience.
  *   ini  — INI / .gitconfig / systemd-unit / php.ini / tox.ini parser.
  *           Sections (incl. [parent.child] / [parent "child"] nesting),
  *           ; or # comments (inline + leading), single + double quoting

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.8",
+  "version": "0.14.10",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:013c541c-8703-45e9-9154-89bc05b3998c",
+  "serialNumber": "urn:uuid:a284c3a3-4413-4bda-9a99-ef60b057cc3a",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T23:34:15.711Z",
+    "timestamp": "2026-05-31T11:30:02.144Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.8",
+      "bom-ref": "@blamejs/core@0.14.10",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.8",
+      "version": "0.14.10",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.8",
+      "purl": "pkg:npm/%40blamejs/core@0.14.10",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.8",
+      "ref": "@blamejs/core@0.14.10",
       "dependsOn": []
     }
   ]