@blamejs/core 0.15.2 → 0.15.3

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.15.x
 
+- v0.15.3 (2026-06-12) — **DDL hardening in b.sql, schema-confined column introspection on Postgres and MySQL, and a classical-downgrade audit on proxy-tunneled TLS.** This release hardens the data layer and closes a transport audit gap. The b.sql builder refuses an unrecognised column type that carries a statement terminator, quote, or comment marker - the one position in an otherwise quote-by-construction DDL builder where a verbatim string reached the emitted statement - and routes the finished CREATE TABLE through the same single-statement gate every other verb uses. The schema reconciler's column introspection is now confined to the schema or database the bare-named CREATE TABLE actually writes into (current_schema() on Postgres, DATABASE() on MySQL), so a same-named table in another schema no longer pollutes the column set, silently skipping an ADD COLUMN or fabricating false schema drift that refuses a regulated-posture boot. Two further builder gaps are fixed: a column-level primary key combined with a composite primaryKey now fails at build time with a clear error instead of producing invalid DDL, and a MySQL upsert read-back keyed by a cast or a server-evaluated function now renders the cast (or refuses the function) instead of binding an internal wrapper. Finally, an HTTPS request sent through a configured proxy now emits the tls.classical_downgrade audit when the handshake falls back to a classical group, the same as a direct connection. **Fixed:** *Schema reconciliation reads columns from the right schema on Postgres and MySQL* — The reconciler's column introspection queried information_schema with no schema filter, so on a Postgres instance or MySQL server hosting more than one schema/database with a same-named table, the live column set was the union across schemas. That could silently skip an ADD COLUMN the table needed, or report false drift that refuses a boot under a pinned regulated posture. Introspection is now confined to current_schema() (Postgres) / DATABASE() (MySQL) - the schema the bare-named CREATE TABLE lands in. SQLite (PRAGMA, per-file) is unchanged. · *createTable rejects a contradictory primary-key declaration at build time* — Declaring both a column-level primary key (primaryKey / autoIncrement / serial) and a composite opts.primaryKey emitted two PRIMARY KEY clauses, which every dialect rejects at the driver mid-migration. The builder now refuses the contradiction at build time with a clear error; a single column PK, or a composite primaryKey with no column-level PK, is unaffected. · *MySQL upsert read-back resolves a cast or function conflict key instead of binding a wrapper* — On MySQL, an upsert whose conflict key was a b.sql.cast(...) or b.sql.fn(...) built a read-back SELECT that bound the wrapper object, so the read-back matched no rows. A cast conflict key now renders as CAST(? AS type) binding the inner value; a server-evaluated function conflict key (which has no stable read-back identity) is refused with a clear error. Plain scalar conflict keys are unchanged. · *Proxy-tunneled TLS emits the classical-downgrade audit* — An HTTPS upstream reached through a configured proxy performed its TLS handshake without emitting the tls.classical_downgrade audit on a classical-group fallback, leaving the post-quantum-readiness inventory incomplete for proxied requests. Both the upstream handshake and the proxy-leg handshake now emit the audit on a classical fallback, matching the direct connection path. The handshake itself is unchanged (still hybrid-preferred TLSv1.3). **Security:** *b.sql refuses an injection-bearing verbatim column type and gates every CREATE TABLE* — An unrecognised column type passed to b.sql.createTable / alterTable was emitted into the DDL verbatim - the single raw-emission position in a builder that otherwise quotes every identifier and guards every constraint fragment. A type such as "text); DROP TABLE secrets; --" could therefore smuggle a stacked statement. The builder now refuses, at build time, a verbatim type carrying a statement terminator or comment marker, and routes the finished CREATE TABLE / ALTER TABLE statement through the same single-statement / NUL / unterminated-quote / unbalanced-paren gate every SELECT / INSERT / UPDATE / DELETE / UPSERT already used - so an unbalanced quote is caught there. Legitimate types are unaffected: VARCHAR(255), NUMERIC(10,2), DOUBLE PRECISION, TIMESTAMP WITH TIME ZONE, and MySQL ENUM('a','b') / SET(...) (which need balanced quotes) all still pass.
+
 - v0.15.2 (2026-06-12) — **Object keys with a space, +, &, or other reserved characters now sign correctly against S3-compatible stores and Google Cloud Storage.** The SigV4 request signer (and the Google Cloud Storage V4 signer that shares it) URI-encoded the object-key path a second time when building the canonical request it signs, while the request on the wire carried the path encoded once. Amazon S3 — and every S3-compatible store such as MinIO, Cloudflare R2, Wasabi, and Backblaze B2, plus GCS — signs the canonical path encoded exactly once, so any object key containing a space, a +, an &, parentheses, or a non-ASCII character was signed over a path the server never received and the request was rejected with HTTP 403 SignatureDoesNotMatch. Keys built only from unreserved characters were unaffected, which is why the regression went unnoticed. This release makes the canonical-path encoding match the service: S3 and GCS encode the path once, while the AWS services that genuinely require a second encoding (SQS, CloudWatch Logs, SNS) keep it. Object reads, writes, deletes, listings, presigned URLs, and backup or restore through the object-store adapter now succeed for keys with reserved characters. Separately, the bucket-operations key encoder now uses the AWS reserved-character set, so a key containing !, *, ', or ( is escaped to match the bytes the store signs over. **Fixed:** *SigV4 and GCS V4 sign object-key paths with the single encoding S3 and GCS expect* — A request to read, write, delete, list, or presign an object whose key contained a space, +, &, (, ), or a non-ASCII character failed with 403 SignatureDoesNotMatch against S3, every S3-compatible store, and Google Cloud Storage, because the canonical request double-encoded the path the wire carried once. The signer is now service-aware: S3 and GCS sign the path encoded once (matching the wire and the store's own canonicalization), while SQS, CloudWatch Logs, and SNS keep the second encoding the AWS spec requires for those services. No configuration change or migration is needed — object operations and presigned URLs for keys with reserved characters simply start working. Object keys made only of unreserved characters are byte-for-byte unchanged. · *Bucket-operations key encoder escapes the AWS reserved set* — The bucket-level object operations encoded key path segments with a generic URI encoder that left !, *, ', and ( unescaped. Those now route through the same AWS encoder the read and write paths use, so a key containing one of those characters is escaped consistently and signs correctly.
 
 - v0.15.1 (2026-06-11) — **Sealed-column lookups find rows written before the v0.15.0 hash change, and API-key secrets re-hash to the active algorithm on verify.** v0.15.0 changed the default derived hash — the blind index a sealed column is looked up by — from an unkeyed salted hash to a keyed MAC, and promised a transparent migration via a dual read. But no lookup path actually performed the dual read, so on a deployment that already held data, a lookup by a sealed column (a session's user id, an API key's owner, an audit actor or resource, a consent or data-subject id, a mail thread) computed only the new keyed digest and missed every row written before the upgrade. This release wires the dual read into every lookup: a sealed-column equality now matches both the active keyed digest and the legacy salted digest, so pre-upgrade rows are found again. That restores two correctness guarantees the gap had quietly broken — revoking all of a user's sessions no longer skips sessions created before the upgrade, and a subject erasure no longer leaves pre-upgrade rows behind. Separately, the framework's API-key store now re-hashes a stored secret to the active hash algorithm on the next successful verify, the transparent rotation the credential-hash primitive documented but the store had never performed. **Fixed:** *Sealed-column lookups match rows written before the v0.15.0 keyed-MAC change* — After v0.15.0 flipped the default derived-hash mode to a keyed MAC, a lookup by a sealed column computed only the new keyed digest, so rows written under the previous salted-hash default were no longer found — a silent index miss on every existing deployment. Every framework lookup path now dual-reads: `b.db.from(...).where(sealedField, value)` and the framework's own api-key, session, audit, consent, data-subject, and mail-thread lookups match the column against both the active keyed digest and the legacy salted digest (`b.db.hashCandidatesFor` exposes the candidate list for operator code). No migration or operator action is required; rows re-hash to the keyed form on read over time and the candidate set collapses back to a single value. Two correctness consequences are restored: revoking all of a user's sessions now also revokes sessions created before the upgrade, and a data-subject erasure now also deletes (and crypto-shreds) the subject's pre-upgrade rows. · *API-key secret hashes upgrade to the active algorithm on verify* — The framework's API-key store now re-hashes a stored secret to the configured hash algorithm on the next successful verify (leader-gated, best-effort, primary-match only), emitting an `apikey.secret_rehash` audit and observability event. This is the transparent rotation `b.credentialHash` documents — a key stored under an older algorithm or parameter set silently moves to the current one as it is used, with no change to the verify result or the returned record.

package/lib/db-schema.js

@@ -479,8 +479,8 @@ function keyTextType(database) {
 // it throws "syntax error at PRAGMA" on the others). The table name binds
 // as a `?` parameter (never concatenated into the SQL text), so an operator
 // table name with metacharacters can't break the introspection query. On
-// Postgres the unqualified information_schema query matches the table in
-// any schema on the search_path; an operator running the same table name in
+// Postgres / MySQL the introspection is confined to current_schema() /
+// DATABASE() (where the bare-named CREATE TABLE lands); an operator running
 // multiple schemas qualifies via the `schema.table` handle convention
 // elsewhere — listColumns reconciles by bare name here, matching the
 // reconciler's CREATE TABLE (which is also bare-named).
@@ -498,9 +498,24 @@ function listColumns(database, tableName) {
   // information_schema.columns view (a schema-qualified system table b.sql's
   // verb builders don't model); the ONLY value (table name) binds as a `?`,
   // every column/table reference is a static literal — no injection surface.
+  // The schema predicate confines introspection to the schema/database the
+  // reconciler's bare-named CREATE TABLE actually writes into (Postgres
+  // current_schema() = the first writable schema on the search_path; MySQL
+  // DATABASE() = the connection's default database). Without it a same-named
+  // table in another schema/database pollutes the column set - silently skipping
+  // a needed ADD COLUMN or fabricating a drift "extra" that refuses a regulated-
+  // posture boot. Both are zero-arg SQL functions in predicate position, so the
+  // table name stays the single bound parameter (no new placeholder).
+  // Two fully-static introspection strings, one per dialect: DATABASE() /
+  // current_schema() are SQL functions baked into the literal (never a
+  // concatenated value), so the only bound value remains the table name `?`.
   // allow:hand-rolled-sql — static information_schema introspection, single bound param
-  var infoSql = "SELECT column_name FROM information_schema.columns " +
-                "WHERE table_name = ?";
+  var infoSql = dialect === "mysql"
+    ? "SELECT column_name FROM information_schema.columns " +
+      "WHERE table_schema = DATABASE() AND table_name = ?"
+    // allow:hand-rolled-sql — Postgres branch, same static-introspection shape
+    : "SELECT column_name FROM information_schema.columns " +
+      "WHERE table_schema = current_schema() AND table_name = ?";
   var stmt = database.prepare(infoSql);
   var irows = stmt.all.apply(stmt, [tableName]);
   for (var j = 0; j < irows.length; j++) {

package/lib/network-proxy.js

@@ -20,6 +20,11 @@ var DEFAULT_HTTPS_PORT   = 443;                 // RFC 9110 §4.2.2
 var DEFAULT_HTTP_PORT    = C.BYTES.bytes(80);   // RFC 9110 §4.2.1
 
 var observability = lazyRequire(function () { return require("./observability"); });
+// Lazy so pqc-agent's TLS/audit graph isn't pulled into every process that
+// imports network-proxy but never proxies an https upstream. Used only to audit
+// a classical-group fallback on a proxy-tunneled TLS handshake (the direct path
+// audits in pqc-agent.create()).
+var pqcAgent = lazyRequire(function () { return require("./pqc-agent"); });
 
 var STATE = {
   http:    null,
@@ -167,6 +172,13 @@ function _connectThroughTunnel(proxyUrl, targetHost, targetPort, callback) {
   function done(err, sock) { if (settled) return; settled = true; callback(err, sock); }
   proxySocket.on("error", function (e) { done(e); });
   proxySocket.on(proxyUrl.protocol === "https:" ? "secureConnect" : "connect", function () {
+    if (proxyUrl.protocol === "https:") {
+      // The CONNECT-tunnel leg to an https proxy is itself a TLS handshake;
+      // audit a classical fallback to the proxy too, not only to the upstream.
+      pqcAgent()._auditClassicalDowngrade(proxySocket, {
+        host: proxyUrl.hostname, port: proxyPort,
+      });
+    }
     var lines = [
       "CONNECT " + targetHost + ":" + targetPort + " HTTP/1.1",
       "Host: " + targetHost + ":" + targetPort,
@@ -218,7 +230,18 @@ function agentFor(targetUrl) {
           minVersion: "TLSv1.3",
           ecdhCurve:  C.TLS_GROUP_CURVE_STR,
           ALPNProtocols: options.ALPNProtocols,
-        }, function () { cb(null, secure); });
+        }, function () {
+          // Audit a classical-group fallback on the upstream (target) handshake
+          // reached through the proxy tunnel, so the "every outbound TLS path
+          // emits tls.classical_downgrade" guarantee holds for proxied requests
+          // too (the direct path audits in pqc-agent.create). Drop-silent; the
+          // handshake itself is unchanged (still hybrid-preferred TLSv1.3).
+          pqcAgent()._auditClassicalDowngrade(secure, {
+            host: options.servername || options.host,
+            port: options.port,
+          });
+          cb(null, secure);
+        });
         secure.on("error", function (e) { cb(e); });
       });
     };

package/lib/sql.js

@@ -229,9 +229,17 @@ function _ddlType(logical, dialect) {
   if (key === "JSON") {
     return dialect === "postgres" ? "JSONB" : (dialect === "mysql" ? "JSON" : "TEXT");
   }
-  // Unrecognised: a verbatim dialect-specific type. Emitted as the
-  // operator wrote it (it follows a quoted identifier, so it is in type
-  // position, never identifier position).
+  // Unrecognised: a verbatim dialect-specific type (VARCHAR(255), GEOGRAPHY,
+  // NUMERIC(10,2), DOUBLE PRECISION, TIMESTAMP WITH TIME ZONE, MySQL
+  // ENUM('a','b') / SET(...), ...). It follows a quoted identifier so it is in
+  // type position, never identifier position. Injection safety for the type
+  // token is enforced at the statement level: createTable / alterTable route
+  // the finished DDL through _assertCatalogEmittable, whose quote-aware
+  // single-statement scan refuses a top-level ';', a comment marker, an
+  // unbalanced quote, an unbalanced paren, and a NUL - while CORRECTLY allowing
+  // those same characters when they sit inside a balanced quoted label (e.g.
+  // ENUM('needs;review')). A non-quote-aware pre-scan here would over-reject
+  // such valid labels, so the one quote-aware gate is the right place to check.
   return logical;
 }
 
@@ -2486,8 +2494,25 @@ class UpsertBuilder extends Builder {
         throw _err("upsert readback: conflict key '" + keys[i] + "' is not in the value set",
           "sql-builder/bad-conflict");
       }
-      conds.push(_quoteId(keys[i], dialect) + " = ?");
-      params.push(this._values[idx]);
+      var keyVal = this._values[idx];
+      if (keyVal instanceof SqlFunction) {
+        // A server-evaluated function (NOW() / CURRENT_TIMESTAMP / ...) as a
+        // conflict key has no stable readback identity: the row holds the value
+        // the server computed at INSERT time, which a fresh evaluation in this
+        // WHERE would never equal, so the readback would silently match zero
+        // rows. Refuse rather than return a wrong (empty) result.
+        throw _err("upsert readback: conflict key '" + keys[i] + "' is a " +
+          "server-evaluated function (b.sql.fn) with no stable readback identity " +
+          "- use a literal/cast conflict key or read the row back explicitly",
+          "sql-builder/bad-conflict");
+      }
+      // Resolve the key value through the same cell renderer the VALUES tuple
+      // uses, so a b.sql.cast(...) conflict key emits `col = CAST(? AS type)`
+      // (Postgres `col = ?::type`) binding the inner value, and a plain scalar
+      // still emits `col = ?` binding the value unchanged.
+      var cell = _renderValueCell(keyVal, dialect);
+      conds.push(_quoteId(keys[i], dialect) + " = " + cell.sql);
+      for (var cp = 0; cp < cell.params.length; cp++) params.push(cell.params[cp]);
     }
     sql += " WHERE " + conds.join(" AND ");
     return { sql: sql, params: params };
@@ -2614,6 +2639,20 @@ function createTable(name, columns, opts) {
     return def;
   });
   if (Array.isArray(opts.primaryKey) && opts.primaryKey.length > 0) {
+    // A column-level primary key (primaryKey / autoIncrement / serial) and a
+    // composite opts.primaryKey are mutually exclusive: emitting both produces
+    // two PRIMARY KEY clauses, which sqlite / Postgres / MySQL all reject at the
+    // driver. Catch the contradiction at build time with a clear error rather
+    // than a cryptic "multiple primary keys" failure mid-migration. Lives in the
+    // shared composer so defineTable is covered too.
+    var colHasPk = columns.some(function (c) {
+      return c && (c.primaryKey || c.autoIncrement || c.serial);
+    });
+    if (colHasPk) {
+      throw _err("createTable: a column-level primary key (primaryKey / " +
+        "autoIncrement / serial) and a composite opts.primaryKey are mutually " +
+        "exclusive", "sql-builder/bad-column");
+    }
     opts.primaryKey.forEach(_validateColumn);
     pieces.push("PRIMARY KEY (" + opts.primaryKey.map(function (k) {
       return _quoteId(k, dialect);
@@ -2621,7 +2660,11 @@ function createTable(name, columns, opts) {
   }
   var ifNot = opts.ifNotExists === false ? "" : "IF NOT EXISTS ";
   var sql = "CREATE TABLE " + ifNot + ref.ref(dialect) + " (" + pieces.join(", ") + ")";
-  return { sql: sql, params: [] };
+  // Route the finished DDL through the same emittable gate every SELECT /
+  // INSERT / UPDATE / DELETE verb uses: it refuses a stacked top-level ';', a
+  // NUL, an unterminated quote, and unbalanced parens - a defence-in-depth
+  // backstop behind the per-column type / constraint guards.
+  return _assertCatalogEmittable(sql, []);
 }
 
 // DDL DEFAULT renderer - numeric / boolean / null inline; a string
@@ -2767,11 +2810,11 @@ function alterTable(name, change, opts) {
     if (col.notNull) def += " NOT NULL";
     if (col.unique) def += " UNIQUE";
     if (col.default !== undefined) def += " DEFAULT " + _ddlDefault(col.default);
-    return { sql: head + "ADD COLUMN " + def, params: [] };
+    return _assertCatalogEmittable(head + "ADD COLUMN " + def, []);
   }
   if (change.dropColumn) {
     _validateColumn(change.dropColumn);
-    return { sql: head + "DROP COLUMN " + _quoteId(change.dropColumn, dialect), params: [] };
+    return _assertCatalogEmittable(head + "DROP COLUMN " + _quoteId(change.dropColumn, dialect), []);
   }
   if (change.renameColumn) {
     var rc = change.renameColumn;
@@ -2780,10 +2823,8 @@ function alterTable(name, change, opts) {
     }
     _validateColumn(rc.from);
     _validateColumn(rc.to);
-    return {
-      sql: head + "RENAME COLUMN " + _quoteId(rc.from, dialect) + " TO " + _quoteId(rc.to, dialect),
-      params: [],
-    };
+    return _assertCatalogEmittable(
+      head + "RENAME COLUMN " + _quoteId(rc.from, dialect) + " TO " + _quoteId(rc.to, dialect), []);
   }
   throw _err("alterTable change must be addColumn / dropColumn / renameColumn",
     "sql-builder/bad-alter");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.15.2",
+  "version": "0.15.3",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:ff927df0-9d1a-45d2-9e38-dfeac8f50738",
+  "serialNumber": "urn:uuid:43ee488f-aee3-40ee-8d42-ed3f547dcbe3",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-12T02:42:36.413Z",
+    "timestamp": "2026-06-12T15:44:45.267Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.15.2",
+      "bom-ref": "@blamejs/core@0.15.3",
       "type": "application",
       "name": "blamejs",
-      "version": "0.15.2",
+      "version": "0.15.3",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.15.2",
+      "purl": "pkg:npm/%40blamejs/core@0.15.3",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.15.2",
+      "ref": "@blamejs/core@0.15.3",
       "dependsOn": []
     }
   ]