@blamejs/core 0.15.0 → 0.15.2

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.15.x
 
+- v0.15.2 (2026-06-12) — **Object keys with a space, +, &, or other reserved characters now sign correctly against S3-compatible stores and Google Cloud Storage.** The SigV4 request signer (and the Google Cloud Storage V4 signer that shares it) URI-encoded the object-key path a second time when building the canonical request it signs, while the request on the wire carried the path encoded once. Amazon S3 — and every S3-compatible store such as MinIO, Cloudflare R2, Wasabi, and Backblaze B2, plus GCS — signs the canonical path encoded exactly once, so any object key containing a space, a +, an &, parentheses, or a non-ASCII character was signed over a path the server never received and the request was rejected with HTTP 403 SignatureDoesNotMatch. Keys built only from unreserved characters were unaffected, which is why the regression went unnoticed. This release makes the canonical-path encoding match the service: S3 and GCS encode the path once, while the AWS services that genuinely require a second encoding (SQS, CloudWatch Logs, SNS) keep it. Object reads, writes, deletes, listings, presigned URLs, and backup or restore through the object-store adapter now succeed for keys with reserved characters. Separately, the bucket-operations key encoder now uses the AWS reserved-character set, so a key containing !, *, ', or ( is escaped to match the bytes the store signs over. **Fixed:** *SigV4 and GCS V4 sign object-key paths with the single encoding S3 and GCS expect* — A request to read, write, delete, list, or presign an object whose key contained a space, +, &, (, ), or a non-ASCII character failed with 403 SignatureDoesNotMatch against S3, every S3-compatible store, and Google Cloud Storage, because the canonical request double-encoded the path the wire carried once. The signer is now service-aware: S3 and GCS sign the path encoded once (matching the wire and the store's own canonicalization), while SQS, CloudWatch Logs, and SNS keep the second encoding the AWS spec requires for those services. No configuration change or migration is needed — object operations and presigned URLs for keys with reserved characters simply start working. Object keys made only of unreserved characters are byte-for-byte unchanged. · *Bucket-operations key encoder escapes the AWS reserved set* — The bucket-level object operations encoded key path segments with a generic URI encoder that left !, *, ', and ( unescaped. Those now route through the same AWS encoder the read and write paths use, so a key containing one of those characters is escaped consistently and signs correctly.
+
+- v0.15.1 (2026-06-11) — **Sealed-column lookups find rows written before the v0.15.0 hash change, and API-key secrets re-hash to the active algorithm on verify.** v0.15.0 changed the default derived hash — the blind index a sealed column is looked up by — from an unkeyed salted hash to a keyed MAC, and promised a transparent migration via a dual read. But no lookup path actually performed the dual read, so on a deployment that already held data, a lookup by a sealed column (a session's user id, an API key's owner, an audit actor or resource, a consent or data-subject id, a mail thread) computed only the new keyed digest and missed every row written before the upgrade. This release wires the dual read into every lookup: a sealed-column equality now matches both the active keyed digest and the legacy salted digest, so pre-upgrade rows are found again. That restores two correctness guarantees the gap had quietly broken — revoking all of a user's sessions no longer skips sessions created before the upgrade, and a subject erasure no longer leaves pre-upgrade rows behind. Separately, the framework's API-key store now re-hashes a stored secret to the active hash algorithm on the next successful verify, the transparent rotation the credential-hash primitive documented but the store had never performed. **Fixed:** *Sealed-column lookups match rows written before the v0.15.0 keyed-MAC change* — After v0.15.0 flipped the default derived-hash mode to a keyed MAC, a lookup by a sealed column computed only the new keyed digest, so rows written under the previous salted-hash default were no longer found — a silent index miss on every existing deployment. Every framework lookup path now dual-reads: `b.db.from(...).where(sealedField, value)` and the framework's own api-key, session, audit, consent, data-subject, and mail-thread lookups match the column against both the active keyed digest and the legacy salted digest (`b.db.hashCandidatesFor` exposes the candidate list for operator code). No migration or operator action is required; rows re-hash to the keyed form on read over time and the candidate set collapses back to a single value. Two correctness consequences are restored: revoking all of a user's sessions now also revokes sessions created before the upgrade, and a data-subject erasure now also deletes (and crypto-shreds) the subject's pre-upgrade rows. · *API-key secret hashes upgrade to the active algorithm on verify* — The framework's API-key store now re-hashes a stored secret to the configured hash algorithm on the next successful verify (leader-gated, best-effort, primary-match only), emitting an `apikey.secret_rehash` audit and observability event. This is the transparent rotation `b.credentialHash` documents — a key stored under an older algorithm or parameter set silently moves to the current one as it is used, with no change to the verify result or the returned record.
+
 - v0.15.0 (2026-06-08) — **A chainable SQL builder, MySQL as a first-class data backend, and a keyed lookup-hash default — the data layer goes tri-dialect.** This release makes the framework's data layer dialect-portable. `b.sql` is a new chainable query builder that quotes every identifier by construction, binds every value as a placeholder, and emits dialect-correct SQL for SQLite, Postgres, and MySQL; `b.guardSql` validates result rows against NUL bytes, quote-jump sequences, and per-column / total size boundaries. The entire framework data layer — the signed audit chain, cluster leadership and fencing, sessions, break-glass, the local queue, cache, scheduler, migrations, consent, and mail storage — is rebuilt on `b.sql`, which makes MySQL a supported external-database backend alongside Postgres and SQLite. Running the data layer on a real Postgres server surfaced two latent correctness bugs that only a non-SQLite backend exposes: identifiers were emitted unquoted at DDL time but read back camelCase (Postgres folds unquoted names to lowercase, silently breaking the audit chain, consent chain, cluster fencing, and vault-key consistency), and sealed columns coerced Buffer / object payloads through `String()` before encryption (corrupting non-string ciphertext); both are fixed by quoting every identifier and coercing per the column's declared type. Derived-hash columns — the blind-index lookup columns registered through `registerTable` — now default to a keyed MAC (SHAKE256 under the vault's per-deployment MAC key) instead of an unkeyed salted hash, so an exfiltrated database can no longer be brute-forced or rainbow-tabled to recover the indexed values; existing salted-hash indexes are read through a dual-read path and migrated forward, so the change is non-breaking. Audit-signing key rotation now preserves every historical checkpoint (rotation previously stranded checkpoints signed under the prior key). New cross-border data-residency postures (appi-jp, pdpa-sg, uk-gdpr) enforce a mandatory storage vacuum after erasure. Outbound TLS appends classical X25519 to its key-exchange preference so it can complete a handshake with a peer that advertises no post-quantum hybrid — previously the hybrids-only preference failed those handshakes outright — and emits a `tls.classical_downgrade` audit event whenever a connection lands on a classical group. Outbound HTTP/2 negotiation falls back to HTTP/1.1 against servers that only speak h1, the network heartbeat honors a target's permitted protocols instead of pinning cleartext targets down, a WebSocket connection closes cleanly on a peer's TCP half-close instead of wedging open, and the Azure blob backend encodes object-key path segments correctly. **Added:** *b.sql — a dialect-aware chainable SQL builder* — `b.sql` composes SELECT / INSERT / UPDATE / UPSERT / DELETE / DDL from a fluent chain. Every identifier is validated and quoted by construction (`"name"` on SQLite/Postgres, `` `name` `` on MySQL), every value binds as a placeholder rather than interpolating, and the emitted statement is validated as a single balanced, single-statement query before it leaves the builder. Pass `{ dialect: "postgres" | "mysql" | "sqlite" }` (default SQLite) to target a backend; `upsert` emits the dialect-final conflict syntax. It composes `b.safeSql` for the identifier and placeholder primitives, so a SQL string can no longer be assembled by hand inside the framework. · *b.guardSql — result-row output validation* — `b.guardSql` gates query result rows against embedded NUL bytes, quote-jump sequences, and configurable per-column and total-size boundaries, with the standard guard profiles (strict / balanced / permissive) and compliance postures (hipaa / pci-dss / gdpr / soc2). It is the output-side complement to the input-side `b.safeSql`. · *MySQL is a first-class data backend* — MySQL joins Postgres and SQLite as a supported external-database backend. The framework's schema reconciler emits MySQL DDL, and the full data layer — signed audit chain (append + verify), cluster leadership and lease fencing, sessions, break-glass, the local queue, cache, scheduler, migrations, and consent — runs against a real MySQL server. Select the backend at `b.cluster.init` / `b.externalDb` configuration via the `dialect` option; `b.clusterStorage.dialect()` exposes the configured backend dialect to composing code. · *Cross-border erasure postures: appi-jp, pdpa-sg, uk-gdpr* — Three data-residency compliance postures are added (Japan APPI, Singapore PDPA, UK GDPR). Each requires a mandatory storage vacuum after erasure (so deleted rows are reclaimed from the page store, not just tombstoned), a signed audit chain, encrypted backups, and a minimum TLS version. Pin one with `b.compliance.set`. **Fixed:** *Cross-border erasure performs the mandatory vacuum* — Erasure under the uk-gdpr, appi-jp, and pdpa-sg residency postures now runs the storage vacuum the posture mandates, reclaiming erased rows from the page store rather than leaving them recoverable as free-list tombstones. **Security:** *Lookup-hash columns default to a keyed MAC* — Derived-hash (blind-index) columns registered through `registerTable` now default to `derivedHashMode: "hmac-shake256"` — SHAKE256 keyed with the vault's per-deployment MAC key — instead of the previous unkeyed `salted-sha3`. The index value is no longer recomputable from the indexed plaintext alone, so an attacker who exfiltrates the database cannot brute-force or rainbow-table a lookup column (for example a subject-email index) without also holding the vault MAC key (CWE-916 / CWE-759). Existing `salted-sha3` indexes are read through a dual-read path and re-derived on write, so deployments upgrade without re-indexing up front. · *Postgres identifier casing no longer breaks the audit and cluster chains* — Identifiers were written unquoted in DDL but read back in camelCase. On Postgres (which folds an unquoted identifier to lowercase) this silently desynchronized the signed audit chain, the consent chain, cluster leadership and fencing, and vault-key consistency — each reads a column the server had stored under a lowercased name. Every framework identifier is now quoted at both DDL and query time so the stored and read names match on every dialect (CWE-670). SQLite deployments were unaffected and remain byte-compatible. · *Sealed columns preserve non-string payloads* — A sealed column coerced its value through `String()` before encryption, corrupting Buffer and object payloads (a Buffer became `"[object Object]"`-class garbage, an object its `toString`). Sealed values are now encoded per the column's declared type before the seal, so binary and structured payloads round-trip intact (CWE-704). · *Audit-signing key rotation preserves historical checkpoints* — Rotating the audit-signing key stranded every checkpoint signed under the prior key — `verifyCheckpoints` ignored the per-fingerprint history file the rotation writes, so post-rotation verification failed on otherwise-valid historical checkpoints. Verification now resolves each checkpoint's signing key by fingerprint (`getPublicKeyByFingerprint`) across the rotation history, so the full chain verifies after a key rotation. · *Outbound TLS reaches classical-only peers and audits the downgrade* — The framework's outbound TLS offered only ML-KEM hybrid key-exchange groups, so a handshake with a peer that does not advertise a post-quantum hybrid — most of today's internet — failed outright (`handshake_failure`), leaving outbound connections to webhooks, OAuth providers, ACME directories, object stores, and DoT/DoH/SMTP/Redis-over-TLS unable to complete. Classical X25519 is now appended to the group preference so the hybrid is still negotiated whenever the peer supports it, and the connection completes over classical X25519 when it does not. Every connection that lands on a classical group rather than the post-quantum hybrid emits a `tls.classical_downgrade` audit event (carrying the negotiated group) so operators can observe and alert on which peers are not yet post-quantum-capable. · *Transport reachability and correctness* — Outbound HTTP/2 negotiation now falls back to HTTP/1.1 when a TLS server offers only h1 (an ALPN protocol_version alert no longer fails the request). The network heartbeat honors a target's permitted protocols instead of dropping non-default ones, so a cleartext `http://` health target is no longer reported permanently down. A WebSocket connection closes cleanly when a peer half-closes its TCP socket (a bare FIN) instead of wedging the connection open. The Azure blob backend percent-encodes each object-key path segment, so a key containing reserved characters can no longer corrupt the request URL. **Migration:** *Derived-hash default change is non-breaking; MySQL is opt-in* — Lookup-hash columns default to the keyed MAC on new writes and migrate existing rows on access through the dual-read path — no upfront re-indexing, no operator action required. To pin the previous unkeyed index (for example to keep a column byte-compatible with an external system), pass `derivedHashMode: "salted-sha3"` to `registerTable`. MySQL as a data backend is opt-in: existing SQLite and Postgres deployments are unchanged unless you set `dialect: "mysql"`. The Postgres identifier-casing and sealed-column-coercion fixes change the emitted DDL and the at-rest encoding of non-string sealed values; a Postgres deployment created before this release reconciles its schema to the quoted identifiers on the next schema-ensure pass.
 
 ## v0.14.x

package/lib/api-key.js

@@ -483,14 +483,55 @@ function create(opts) {
       return null;
     }
 
-    if (trackLastUsedAt && cluster.isLeader()) {
-      try {
-        var touchBuilt = sql.update(TABLE, _sqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
-          .set({ lastUsedAt: nowMs })
-          .where("id", compositeId)
-          .toSql();
-        await clusterStorage.execute(touchBuilt.sql, touchBuilt.params);
-      } catch (_e) { /* best-effort; verify success not blocked by lastUsed update */ }
+    // Leader-gated best-effort writes on a successful verify: bump
+    // lastUsedAt when tracked, and transparently re-hash the stored secret
+    // when its envelope no longer matches the active algorithm — the
+    // rotate-on-next-verify that credentialHash documents but, until now,
+    // no consumer wired. Primary match only: the secondary (graceful-
+    // rotation) slot is not the active secret, so it must not overwrite
+    // secretHash. The whole block is best-effort — the credential already
+    // verified under the stored hash and stays valid even if the write
+    // fails; the row re-upgrades on the next leader verify.
+    if (cluster.isLeader()) {
+      var touchFields = trackLastUsedAt ? { lastUsedAt: nowMs } : null;
+      var didRehash = false;
+      if (primaryMatch && credentialHash.needsRehash(row.secretHash, { algo: hashAlgo })) {
+        try {
+          var freshSecretHash = await credentialHash.hash(parsed.secretHex, { algo: hashAlgo });
+          touchFields = touchFields || {};
+          touchFields.secretHash = freshSecretHash;
+          didRehash = true;
+        } catch (_e) { /* re-hash is best-effort; verify success stands */ }
+      }
+      if (touchFields) {
+        try {
+          var touchQb = sql.update(TABLE, _sqlOpts())   // allow:hand-rolled-sql — bare logical name for clusterStorage rewrite
+            .set(touchFields)
+            .where("id", compositeId);
+          if (didRehash) {
+            // Compare-and-swap on the exact hash we verified against: only land
+            // the re-hash if the stored primary is STILL that value. A verify
+            // that races rotate()/hardRotate (which already installed a new
+            // secretHash) must not clobber the rotated secret back to the old
+            // one — the predicate then matches no rows and the upgrade no-ops,
+            // which is correct because the row is already on a fresh hash.
+            touchQb.where("secretHash", row.secretHash);
+          }
+          var touchBuilt = touchQb.toSql();
+          var touchResult = await clusterStorage.execute(touchBuilt.sql, touchBuilt.params);
+          // Only record the migration when the CAS actually swapped a row (a
+          // rowCount of 0 means a concurrent rotation won the race).
+          if (didRehash && !(touchResult && touchResult.rowCount === 0)) {
+            _emitEvent("apikey.secret_rehash", 1, { namespace: namespace, algo: hashAlgo });
+            _emit("apikey.secret_rehash", {
+              actor:    _actor(verifyOpts, rowOwnerId),
+              resource: { kind: "apikey", id: compositeId },
+              outcome:  "success",
+              metadata: { algo: hashAlgo },
+            });
+          }
+        } catch (_e) { /* best-effort; verify success not blocked by the write */ }
+      }
     }
 
     if (auditSuccess) {
@@ -620,9 +661,16 @@ function create(opts) {
       throw _err("MISCONFIGURED",
         TABLE + " schema is missing the ownerIdHash derived hash — framework misconfigured");
     }
+    // Dual-read across the keyed-MAC flip: match the active digest AND the
+    // legacy salted-sha3 digest a pre-v0.15.0 row carries (whereIn with a
+    // single value emits `IN (?)`, equivalent to `=`).
+    var ownerHashes = [lookup.value];
+    if (lookup.legacyValue != null && lookup.legacyValue !== lookup.value) {
+      ownerHashes.push(lookup.legacyValue);
+    }
     var listQb = _selectBuilder()
       .where("namespace", namespace)
-      .where("ownerIdHash", lookup.value);
+      .whereIn("ownerIdHash", ownerHashes);
     if (!includeRevoked) listQb.whereNull("revokedAt");
     if (!includeExpired) {
       var nowForExpiry = clock();

package/lib/audit.js

@@ -805,11 +805,21 @@ async function _queryCluster(criteria) {
   if (criteria.to)   qb.whereOp("recordedAt", "<=", _toMs(criteria.to));
   if (criteria.actorUserId) {
     var auh = cryptoField.lookupHash("audit_log", "actorUserId", criteria.actorUserId);
-    if (auh) qb.where(auh.field, auh.value);
+    if (auh) {
+      // Dual-read across the keyed-MAC flip so an actor query still returns
+      // audit rows written under the legacy salted-sha3 actor digest.
+      var auv = [auh.value];
+      if (auh.legacyValue != null && auh.legacyValue !== auh.value) auv.push(auh.legacyValue);
+      qb.whereIn(auh.field, auv);
+    }
   }
   if (criteria.resourceId) {
     var rh = cryptoField.lookupHash("audit_log", "resourceId", criteria.resourceId);
-    if (rh) qb.where(rh.field, rh.value);
+    if (rh) {
+      var rhv = [rh.value];
+      if (rh.legacyValue != null && rh.legacyValue !== rh.value) rhv.push(rh.legacyValue);
+      qb.whereIn(rh.field, rhv);
+    }
   }
   if (criteria.action)       qb.where("action", criteria.action);
   if (criteria.resourceKind) qb.where("resourceKind", criteria.resourceKind);

package/lib/consent.js

@@ -302,16 +302,18 @@ function isGranted(opts) {
   }
   // Find the most recent consent row for this (subjectId, purpose).
   // subjectId is sealed → look up via subjectIdHash (derived).
-  var hash = db().hashFor("consent_log", "subjectId", opts.subjectId);
-  if (!hash) {
+  var subjectCand = db().hashCandidatesFor("consent_log", "subjectId", opts.subjectId);
+  if (!subjectCand) {
     throw new Error("consent_log subjectId is missing a derived hash — schema misconfigured");
   }
   // Local db() handle: emit the LOCAL table name (consent_log) quoted so
   // the camelCase subjectIdHash / monotonicCounter columns resolve, and
-  // run the built { sql, params } against the prepared statement.
+  // run the built { sql, params } against the prepared statement. whereIn
+  // dual-reads across the keyed-MAC flip so a row written under the legacy
+  // salted-sha3 subjectIdHash is still matched.
   var isGrantedBuilt = sql.select("consent_log", { dialect: "sqlite", quoteName: true })
     .columns(["action"])
-    .where("subjectIdHash", hash)
+    .whereIn("subjectIdHash", subjectCand.values)
     .where("purpose", opts.purpose)
     .orderBy("monotonicCounter", "desc")
     .limit(1)
@@ -344,12 +346,14 @@ function isGranted(opts) {
  */
 function history(subjectId) {
   if (!subjectId) throw new Error("consent.history requires a subjectId");
-  var hash = db().hashFor("consent_log", "subjectId", subjectId);
-  if (!hash) {
+  var subjectCand = db().hashCandidatesFor("consent_log", "subjectId", subjectId);
+  if (!subjectCand) {
     throw new Error("consent_log subjectId is missing a derived hash — schema misconfigured");
   }
+  // whereIn dual-reads across the keyed-MAC flip so the subject's pre-flip
+  // (legacy salted-sha3) consent rows still appear in the access response.
   var rows = db().from("consent_log")
-    .where({ subjectIdHash: hash })
+    .whereIn(subjectCand.field, subjectCand.values)
     .orderBy("monotonicCounter", "asc")
     .all();
   return rows;

package/lib/db-query.js

@@ -359,6 +359,14 @@ class Query {
     return this._addCondition(fieldOrObj, op, value);
   }
 
+  // whereIn(field, values) — AND an `IN (...)` membership predicate. Facade
+  // over where(field, "IN", values) symmetric with b.sql's whereIn, so a
+  // caller can match a column against a value list (e.g. the dual-read
+  // derived-hash candidate set) without spelling the "IN" operator.
+  whereIn(field, values) {
+    return this.where(field, "IN", values);
+  }
+
   // Resolve a (field, op, value) predicate through the framework gates
   // (JSONB value guard, sealed-field → derived-hash rewrite, column
   // membership) and return the post-rewrite { field, op, value } that
@@ -422,7 +430,18 @@ class Query {
         );
       }
       field = lookup.field;
-      value = lookup.value;
+      if (op === "=" && lookup.legacyValue != null && lookup.legacyValue !== lookup.value) {
+        // Dual-read across the v0.15.0 keyed-MAC default flip: a row written
+        // before the flip carries the legacy salted-sha3 digest, so an
+        // equality lookup on a sealed field must match BOTH the active
+        // keyed-MAC digest and the legacy one — otherwise the flip silently
+        // drops every un-migrated row from the result. b.sql expands the
+        // IN-list to (?, ?) and binds each digest.
+        op = "IN";
+        value = [lookup.value, lookup.legacyValue];
+      } else {
+        value = lookup.value;
+      }
     }
     _validateField(field);
     // Gate the post-sealed-rewrite physical column (derived-hash

package/lib/db.js

@@ -1984,6 +1984,31 @@ function hashFor(table, field, value) {
   return lookup ? lookup.value : null;
 }
 
+/**
+ * @primitive b.db.hashCandidatesFor
+ * @signature b.db.hashCandidatesFor(table, field, value)
+ * @since     0.15.1
+ * @status    stable
+ * @related   b.db.hashFor, b.db.from
+ *
+ * Dual-read sibling of `hashFor`. Returns `{ field, values }` where `values`
+ * holds the active derived-hash digest AND — across the v0.15.0 keyed-MAC
+ * default flip — the legacy salted-sha3 digest a row written before the flip
+ * carries. A `WHERE <hashColumn> IN (...)` lookup over `values` matches both
+ * keyed-indexed and legacy-indexed rows, so the flip never silently drops an
+ * un-migrated row. Returns `null` when the field has no derived-hash
+ * declaration on the table.
+ *
+ * @example
+ *   var c = b.db.hashCandidatesFor("users", "email", "alice@example.com");
+ *   b.db.from("users").whereIn(c.field, c.values).all();
+ *   // → rows matching either the keyed-MAC or the legacy digest
+ */
+function hashCandidatesFor(table, field, value) {
+  _requireInit();
+  return cryptoField.lookupHashCandidates(table, field, value);
+}
+
 // _ddlToJsonSchemaType — best-effort SQL→JSON Schema type mapping.
 // SQLite is dynamically typed but the framework's DDL syntax pins
 // concrete types; we map them here. Operator-supplied custom types
@@ -3254,6 +3279,7 @@ module.exports = {
   ["e" + "xec"]:        execRaw,
   transaction:         transaction,
   hashFor:             hashFor,
+  hashCandidatesFor:   hashCandidatesFor,
   close:               close,
   // flushToDisk — force the live tmpfs SQLite to be re-encrypted to
   // <dataDir>/db.enc immediately. In encrypted-at-rest mode the

package/lib/mail-store.js

@@ -1081,7 +1081,13 @@ function _findThreadRoot(args) {
   for (var c = 0; c < candidates.length; c += 1) {
     var lookup = cryptoField.lookupHash(args.messagesTable, "message_id", candidates[c]);
     if (!lookup) continue;
+    // Dual-read across the keyed-MAC flip: try the active digest, then fall
+    // back to the legacy salted-sha3 digest a pre-v0.15.0 row carries, so
+    // thread-matching still finds messages indexed before the flip.
     var row = args.stmtFindThreadByMsgId.get(lookup.value);
+    if (!row && lookup.legacyValue != null && lookup.legacyValue !== lookup.value) {
+      row = args.stmtFindThreadByMsgId.get(lookup.legacyValue);
+    }
     if (row) return row.thread_root_id;
   }
   return null;

package/lib/object-store/gcs.js

@@ -364,7 +364,10 @@ function create(config) {
     // Build the canonical request — identical shape to SigV4. The
     // sigv4 export gives us the formatter so this stays in lockstep
     // with the AWS implementation.
-    var canon = sigv4.canonicalRequest(method, url, headers, "UNSIGNED-PAYLOAD");
+    // GCS's V4 signature, like S3, URI-encodes the canonical path ONCE; the key
+    // is already single-encoded into url.pathname above, so pass doubleEncodePath
+    // = false (a second encode would 403 any key with a space/+/&/unicode).
+    var canon = sigv4.canonicalRequest(method, url, headers, "UNSIGNED-PAYLOAD", false);
     var stringToSign = [
       GCS_V4_ALGORITHM,
       amzDate,

package/lib/object-store/sigv4-bucket-ops.js

@@ -514,8 +514,11 @@ function create(config) {
   function _objectUrl(name, key, query) {
     // Each key segment is encoded individually so that legitimate "/"
     // separators in the key are preserved (S3 treats keys with slashes
-    // as flat names, not directories).
-    var encKey = key.split("/").map(encodeURIComponent).join("/");
+    // as flat names, not directories). Use sigv4.awsUriEncode (not
+    // encodeURIComponent, which leaves !*'() unescaped) so the wire path
+    // matches the bytes S3 canonicalizes the signature over — same encoder
+    // _keyToUrl uses for the put/get path.
+    var encKey = key.split("/").map(function (s) { return sigv4.awsUriEncode(s, true); }).join("/");
     var uo = _internalUrl(endpoint, allowedProtocols);
     if (pathStyle) {
       uo.pathname = "/" + name + "/" + encKey;

package/lib/object-store/sigv4.js

@@ -86,9 +86,16 @@ function hmacSha256(key, data) {
 // AWS-style URI encoding: same as RFC 3986 except path '/' may be preserved.
 function awsUriEncode(str, encodeSlash) {
   var out = "";
-  for (var i = 0; i < str.length; i++) {
-    var c = str.charCodeAt(i);
-    var ch = str.charAt(i);
+  // Iterate by Unicode code point, not UTF-16 code unit. Array.from() keeps a
+  // non-BMP character's surrogate pair together (one element), so a key like
+  // "photo-<U+1F600>.jpg" encodes as a single UTF-8 sequence. Iterating by
+  // index would hand encodeURIComponent a lone surrogate, which throws
+  // "URIError: URI malformed". Output is byte-for-byte identical for the
+  // BMP/ASCII keys that are the overwhelming common case.
+  var cps = Array.from(str);
+  for (var i = 0; i < cps.length; i++) {
+    var ch = cps[i];
+    var c = ch.codePointAt(0);
     if ((c >= 0x41 && c <= 0x5A) || (c >= 0x61 && c <= 0x7A) ||
         (c >= 0x30 && c <= 0x39) ||
         ch === "-" || ch === "_" || ch === "." || ch === "~") {
@@ -137,13 +144,24 @@ function canonicalHeaders(headers) {
   return { canonical: canon, signed: signed.join(";") };
 }
 
-function canonicalRequest(method, urlObj, headers, payloadHash) {
+// AWS SigV4 canonical URI. Per the SigV4 spec, S3 (and S3-compatible stores +
+// GCS's V4) URI-encode the path EXACTLY ONCE; every other AWS service (sqs,
+// logs, sns, ...) encodes it TWICE. Callers build urlObj through the WHATWG URL
+// parser, so urlObj.pathname is ALREADY the single-encoded wire form (a key
+// "a b.txt" is "/a%20b.txt") and the request sends that pathname verbatim. So
+// for S3/GCS the canonical path MUST equal the pathname as-is: a second
+// awsUriEncode would sign "/a%2520b.txt", a path the wire never carries, giving
+// SignatureDoesNotMatch (403) for any key with a space/+/&/unicode. For the
+// double-encode services the second pass is the spec requirement. signRequest
+// derives doubleEncodePath from the service; GCS's V4 signer passes false.
+function canonicalRequest(method, urlObj, headers, payloadHash, doubleEncodePath) {
   var canonHeaders = canonicalHeaders(headers);
   var path = urlObj.pathname;
   if (!path) path = "/";
+  var canonicalPath = doubleEncodePath ? awsUriEncode(path, false) : path;
   return [
     method.toUpperCase(),
-    awsUriEncode(path, false),
+    canonicalPath,
     canonicalQueryString(urlObj.searchParams),
     canonHeaders.canonical,
     canonHeaders.signed,
@@ -204,7 +222,11 @@ function signRequest(opts) {
     headers["x-amz-security-token"] = opts.sessionToken;
   }
 
-  var canon = canonicalRequest(opts.method, url, headers, opts.payloadHash);
+  // S3 single-encodes the canonical path; every other AWS service double-encodes
+  // it (see canonicalRequest). The path itself is "/" for the non-S3 callers
+  // (cloudwatch/sqs put params in the query or body), so this only changes the
+  // wire result for S3, where it fixes the long-standing double-encode 403.
+  var canon = canonicalRequest(opts.method, url, headers, opts.payloadHash, service !== "s3");
   var credentialScope = dateStamp + "/" + opts.region + "/" + service + "/aws4_request";
   var sts = stringToSign(amzDate, credentialScope, canon);
   var signingKey = deriveSigningKey(opts.secretAccessKey, dateStamp, opts.region, service);

package/lib/session.js

@@ -751,8 +751,15 @@ async function destroyAllForUser(userId) {
       "the session table schema is missing the userIdHash derived hash — framework misconfigured",
       true);
   }
+  // Dual-read across the keyed-MAC flip: a pre-v0.15.0 session row carries
+  // the legacy salted-sha3 userIdHash, so destroy must match both digests
+  // or it leaves un-migrated sessions for the user un-revoked.
+  var userHashes = [lookup.value];
+  if (lookup.legacyValue != null && lookup.legacyValue !== lookup.value) {
+    userHashes.push(lookup.legacyValue);
+  }
   var built = sql.delete(_sessionSqlTable(), _sessionSqlOpts())
-    .where("userIdHash", lookup.value)
+    .whereIn("userIdHash", userHashes)
     .toSql();
   var result = await _currentStore().execute(built.sql, built.params);
   return result.rowCount || 0;

package/lib/subject.js

@@ -149,15 +149,13 @@ function exportData(subjectId, opts) {
 }
 
 function _findRowsForSubject(tableName, subjectField, subjectId) {
-  var hash = db().hashFor(tableName, subjectField, subjectId);
-  if (hash) {
-    // The schema has a derived hash for the subjectField — look up via that
-    var derivedFieldName = _getDerivedFieldName(tableName, subjectField);
-    if (derivedFieldName) {
-      var pred = {};
-      pred[derivedFieldName] = hash;
-      return db().from(tableName).where(pred).all();
-    }
+  var cand = db().hashCandidatesFor(tableName, subjectField, subjectId);
+  if (cand) {
+    // The schema has a derived hash for the subjectField — look up via it,
+    // dual-reading across the keyed-MAC flip (whereIn matches both the active
+    // keyed-MAC digest and the legacy salted-sha3 digest a pre-flip row
+    // carries) so the subject's pre-flip rows are not silently skipped.
+    return db().from(tableName).whereIn(cand.field, cand.values).all();
   }
   // No derived hash — assume subjectField is raw, do direct equality
   var rawPred = {};
@@ -341,19 +339,18 @@ function erase(subjectId, opts) {
 
   for (var t = 0; t < tables.length; t++) {
     var spec = tables[t];
-    var hash = db().hashFor(spec.name, spec.subjectField, subjectId);
-    var pred;
-    if (hash) {
-      var derivedField = _getDerivedFieldName(spec.name, spec.subjectField);
-      if (derivedField) {
-        pred = {}; pred[derivedField] = hash;
-      } else {
-        pred = {}; pred[spec.subjectField] = subjectId;
-      }
+    var cand = db().hashCandidatesFor(spec.name, spec.subjectField, subjectId);
+    var delQb = db().from(spec.name);
+    if (cand) {
+      // Dual-read across the keyed-MAC flip so erasure matches (and deletes)
+      // the subject's pre-flip rows carrying the legacy salted-sha3 digest —
+      // a GDPR erasure that skips un-migrated rows would leave PII behind.
+      delQb.whereIn(cand.field, cand.values);
     } else {
-      pred = {}; pred[spec.subjectField] = subjectId;
+      var delPred = {}; delPred[spec.subjectField] = subjectId;
+      delQb.where(delPred);
     }
-    var deleted = db().from(spec.name).where(pred).deleteMany();
+    var deleted = delQb.deleteMany();
     totalDeleted += deleted;
     perTable[spec.name] = deleted;
   }
@@ -461,20 +458,18 @@ function eraseHard(subjectId, opts) {
   db().transaction(function () {
     for (var t = 0; t < tables.length; t++) {
       var spec = tables[t];
-      var hash = db().hashFor(spec.name, spec.subjectField, subjectId);
-      var pred;
-      if (hash) {
-        var derivedField = _getDerivedFieldName(spec.name, spec.subjectField);
-        if (derivedField) {
-          pred = {}; pred[derivedField] = hash;
-        } else {
-          pred = {}; pred[spec.subjectField] = subjectId;
-        }
+      var cand = db().hashCandidatesFor(spec.name, spec.subjectField, subjectId);
+      var findQb = db().from(spec.name);
+      if (cand) {
+        // Dual-read across the keyed-MAC flip so per-row-key destruction +
+        // erasure covers the subject's pre-flip (legacy salted-sha3) rows too.
+        findQb.whereIn(cand.field, cand.values);
       } else {
-        pred = {}; pred[spec.subjectField] = subjectId;
+        var rawPred = {}; rawPred[spec.subjectField] = subjectId;
+        findQb.where(rawPred);
       }
       // Find rows so we can destroy their per-row keys before delete.
-      var rows = db().from(spec.name).where(pred).all();
+      var rows = findQb.all();
       if (cryptoField.hasPerRowKey(spec.name)) {
         for (var r = 0; r < rows.length; r++) {
           var rowId = rows[r]._id;
@@ -484,7 +479,14 @@ function eraseHard(subjectId, opts) {
           }
         }
       }
-      var deleted = db().from(spec.name).where(pred).deleteMany();
+      var delQb2 = db().from(spec.name);
+      if (cand) {
+        delQb2.whereIn(cand.field, cand.values);
+      } else {
+        var delPred3 = {}; delPred3[spec.subjectField] = subjectId;
+        delQb2.where(delPred3);
+      }
+      var deleted = delQb2.deleteMany();
       totalDeleted += deleted;
       perTable[spec.name] = deleted;
       // REINDEX the table so B-tree pages holding the deleted row's

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.15.0",
+  "version": "0.15.2",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:d63a172d-d92b-4a98-ae64-7dcb04e82076",
+  "serialNumber": "urn:uuid:ff927df0-9d1a-45d2-9e38-dfeac8f50738",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-08T20:30:45.961Z",
+    "timestamp": "2026-06-12T02:42:36.413Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.15.0",
+      "bom-ref": "@blamejs/core@0.15.2",
       "type": "application",
       "name": "blamejs",
-      "version": "0.15.0",
+      "version": "0.15.2",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.15.0",
+      "purl": "pkg:npm/%40blamejs/core@0.15.2",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.15.0",
+      "ref": "@blamejs/core@0.15.2",
       "dependsOn": []
     }
   ]