@blamejs/core 0.8.0 → 0.8.4

package/lib/mtls-ca.js

@@ -17,7 +17,7 @@
  *       caCert:         "ca.crt",
  *     },
  *     vault:            b.vault,         // optional; required when sealed
- *     caKeySealedMode:  "auto",          // "auto" | "required" | "disabled"
+ *     caKeySealedMode:  "required",      // "required" (default) | "disabled"
  *     generation:       1,               // current CA generation for OU=CAv{N}
  *     engine:           myCertEngine,    // optional — defaults to b.mtlsEngine
  *   });
@@ -27,10 +27,16 @@
  *   ca.key           CA private key (PEM, plaintext on disk)
  *   ca.key.sealed    CA private key (vault.seal of PEM bytes)
  *
- * caKeySealedMode:
- *   "auto"      load whichever exists (sealed if present, else plain)
- *   "required"  sealed file required; refuse plaintext
- *   "disabled"  plaintext required; refuse sealed
+ * caKeySealedMode (defaults to "required"):
+ *   "required"  sealed file required; refuse plaintext (default — vault
+ *               must be wired)
+ *   "disabled"  plaintext required; refuse sealed (dev-only opt-out;
+ *               operator must justify with audited reason)
+ *
+ * The legacy "auto" mode (load whichever exists, fall back to plaintext
+ * when no sealed file is present) was removed; it defaulted to writing
+ * plaintext on a fresh install, which is the inverse of the framework's
+ * security-defaults-on posture for at-rest key material.
  *
  * Generation tagging: every CA cert issued by the framework embeds a
  * "OU=CAv{N}" RDN in its subject DN. Status reads that back so an
@@ -114,7 +120,7 @@ var DEFAULT_PATHS = {
   crl:          "ca.crl",
 };
 
-var VALID_SEAL_MODES = { auto: 1, required: 1, disabled: 1 };
+var VALID_SEAL_MODES = { required: 1, disabled: 1 };
 
 function _resolvePaths(dataDir, paths) {
   var p = Object.assign({}, DEFAULT_PATHS, paths || {});
@@ -161,10 +167,11 @@ function create(opts) {
   }
   var paths = _resolvePaths(opts.dataDir, opts.paths);
   var vault = opts.vault || null;
-  var caKeySealedMode = (opts.caKeySealedMode || "auto").toLowerCase();
+  var caKeySealedMode = (opts.caKeySealedMode || "required").toLowerCase();
   if (!VALID_SEAL_MODES[caKeySealedMode]) {
     throw new MtlsCaError("mtls-ca/bad-mode",
-      "caKeySealedMode must be 'auto', 'required', or 'disabled'");
+      "caKeySealedMode must be 'required' or 'disabled' " +
+      "(legacy 'auto' was removed — it defaulted to plaintext-on-disk)");
   }
   var generation = typeof opts.generation === "number" && opts.generation >= 1
     ? Math.floor(opts.generation) : 1;
@@ -230,23 +237,10 @@ function create(opts) {
       }
       return Buffer.from(pem, "utf8");
     }
-    if (caKeySealedMode === "disabled") {
-      if (!hasPlain) {
-        throw new MtlsCaError("mtls-ca/plain-required",
-          "CA_KEY_SEALED='disabled' but " + paths.caKey + " does not exist");
-      }
-      return fs.readFileSync(paths.caKey);
-    }
-    // auto: prefer sealed if it exists (defense-in-depth default)
-    if (hasSealed) {
-      _requireVault("sealed CA key load");
-      var sealedBytesA = fs.readFileSync(paths.caKeySealed, "utf8").trim();
-      var pemA = vault.unseal(sealedBytesA);
-      if (!pemA) {
-        throw new MtlsCaError("mtls-ca/unseal-failed",
-          "vault.unseal of " + paths.caKeySealed + " returned empty");
-      }
-      return Buffer.from(pemA, "utf8");
+    // disabled: plaintext only.
+    if (!hasPlain) {
+      throw new MtlsCaError("mtls-ca/plain-required",
+        "caKeySealedMode='disabled' but " + paths.caKey + " does not exist");
     }
     return fs.readFileSync(paths.caKey);
   }
@@ -260,10 +254,10 @@ function create(opts) {
   }
 
   // Atomic commit: write .tmp + atomic rename for both key and cert.
-  // Honors caKeySealedMode — when 'required', the key is vault-sealed
-  // before the on-disk write so plaintext PEM never touches the
-  // filesystem; when 'disabled', it goes to disk as PEM. 'auto'
-  // defaults to plaintext-on-disk.
+  // Honors caKeySealedMode — when 'required' (the default), the key is
+  // vault-sealed before the on-disk write so plaintext PEM never touches
+  // the filesystem; when 'disabled', it goes to disk as PEM with the
+  // operator's audited reason on record.
   function commit(opts2) {
     if (!opts2 || typeof opts2.caKeyPem !== "string" || typeof opts2.caCertPem !== "string") {
       throw new MtlsCaError("mtls-ca/bad-commit",

package/lib/mtls-engine-default.js

@@ -134,7 +134,27 @@ async function _selectAlgorithm() {
   for (var i = 0; i < ALG_CANDIDATES.length; i++) {
     var c = ALG_CANDIDATES[i];
     var ok = await _probeCandidate(c);
-    if (ok) { _selectedAlg = c; return c; }
+    if (ok) {
+      _selectedAlg = c;
+      // Emit an audit row at first probe so operators see which
+      // algorithm landed without having to call b.mtlsCa.status().
+      // Pre-PQC ecosystems land on the ECDSA-P384 bridge silently;
+      // this puts the choice on the chain so compliance dashboards
+      // alert when an operator's deployment hasn't yet picked up the
+      // PQ-signed-cert capability the framework would otherwise
+      // prefer.
+      setImmediate(function () {
+        try {
+          var auditMod = require("./audit");                                          // allow:inline-require — circular-load defense
+          auditMod.safeEmit({
+            action:   "mtls.engine.algorithm_selected",
+            outcome:  "success",
+            metadata: { label: c.label, posture: c.posture, candidatesProbed: i + 1 },
+          });
+        } catch (_e) { /* drop-silent */ }
+      });
+      return c;
+    }
   }
   // Should never happen — ECDSA-P384-SHA384 is universal.
   throw new MtlsEngineError("mtls-engine/no-algorithm",

package/lib/network-tls.js

@@ -26,7 +26,7 @@ var STATE = {
   cas:             [],
   systemTrust:     false,
   baselineFingerprints: null,
-  tlsKeyShares:    ["X25519MLKEM768", "X25519", "secp256r1"],
+  tlsKeyShares:    ["SecP384r1MLKEM1024", "X25519MLKEM768", "X25519"],
 };
 
 function _normalizePem(pem) {
@@ -301,7 +301,7 @@ function expiryMonitor(opts) {
         try {
           audit().safeEmit({
             action:  "network.tls.ca.expiring",
-            outcome: "warn",
+            outcome: "success",
             metadata: {
               count:   rows.length,
               labels:  rows.map(function (r) { return r.label; }),
@@ -375,9 +375,9 @@ function applyToContext(opts) {
 //   resetKeyShares()                                  → restores default
 
 var DEFAULT_PQC_KEY_SHARES = Object.freeze([
-  "X25519MLKEM768",                                                              // hybrid KEM, draft-kwiatkowski-tls-ecdhe-mlkem-02
-  "X25519",                                                                      // classical fallback
-  "secp256r1",                                                                   // legacy peers
+  "SecP384r1MLKEM1024",                                                          // highest-PQC hybrid (codepoint 0x11ED, draft-kwiatkowski-tls-ecdhe-mlkem-02)
+  "X25519MLKEM768",                                                              // mid-PQC hybrid (codepoint 0x11EC, IETF/Cloudflare/Chrome interop)
+  "X25519",                                                                      // classical fallback (modern non-PQC peers)
 ]);
 
 function _validateKeyShare(name) {
@@ -990,9 +990,24 @@ function buildOcspRequest(opts) {
   var serial = _extractLeafSerial(opts.leafCertDer);
   // CertID hashes — SHA-1 per RFC 6960 §4.1.1 (the only universally
   // supported algorithm; SHA-256 in OCSP requests is RFC 6960 §4.3
-  // optional and many responders reject).
+  // optional and many responders reject). The hash isn't security-
+  // critical here — it's a name/key lookup, not an integrity check —
+  // but operator compliance dashboards alerting on "anywhere in the
+  // framework that touches SHA-1" need a signal. Emit an audit row
+  // on every OCSP request build so the algorithm choice is visible
+  // in the chain.
   var nameHash = nodeCrypto.createHash("sha1").update(iss.issuerNameDer).digest();
   var keyHash  = nodeCrypto.createHash("sha1").update(iss.issuerKey).digest();
+  setImmediate(function () {
+    try {
+      var auditMod = require("./audit");                                            // allow:inline-require — circular-load defense (audit imports network-tls)
+      auditMod.safeEmit({
+        action:   "network.tls.ocsp.certid_built",
+        outcome:  "success",
+        metadata: { hashAlgorithm: "sha1", note: "RFC 6960 §4.1.1 — non-security-critical lookup hash" },
+      });
+    } catch (_e) { /* drop-silent */ }
+  });
   // hashAlgorithm AlgorithmIdentifier ::= SEQUENCE { algorithm OID, NULL }
   var algId = asn1.writeSequence([asn1.writeOid(OID_SHA1), asn1.writeNull()]);
   var certId = asn1.writeSequence([

package/lib/object-store/sigv4-bucket-ops.js

@@ -897,6 +897,47 @@ function create(config) {
     _validateRetention(opts);
     validateOpts(opts, ["mode", "retainUntil", "bypassGovernance", "req", "actor"],
       "bucketOps.setObjectRetention");
+    // COMPLIANCE-mode defense-in-depth: refuse client-side when the
+    // operator (or attacker with the s3:PutObjectRetention permission)
+    // tries to shorten an existing COMPLIANCE retention or pass
+    // bypassGovernance against COMPLIANCE. Real S3 also refuses but
+    // MinIO and other S3-compatible backends are implementation-
+    // dependent; the framework's job is defense-in-depth, not
+    // passthrough. Adds one RTT (the GET) to every PUT — acceptable.
+    //
+    // The pre-check is a soft gate: when the backend can't surface the
+    // existing retention (parse error, no-such-object, etc.), the
+    // framework falls through to the PUT and lets the backend's own
+    // enforcement handle it. The pre-check is value-add, not
+    // load-bearing.
+    return getObjectRetention(name, key).then(function (existing) {
+      if (existing && existing.mode === "COMPLIANCE") {
+        if (opts.bypassGovernance === true) {
+          throw new ObjectStoreError("objectstore/compliance-bypass-refused",
+            "setObjectRetention: bypassGovernance refused — existing retention mode is COMPLIANCE (cannot be bypassed by anyone, including root)", true);
+        }
+        if (opts.retainUntil && existing.retainUntil &&
+            opts.retainUntil.getTime() < existing.retainUntil.getTime()) {
+          throw new ObjectStoreError("objectstore/compliance-shortening-refused",
+            "setObjectRetention: cannot shorten COMPLIANCE retention (existing=" +
+            existing.retainUntil.toISOString() + ", proposed=" +
+            opts.retainUntil.toISOString() + ")", true);
+        }
+      }
+      return _doSetRetention(name, key, opts);
+    }, function (e) {
+      // Re-throw the framework's own COMPLIANCE refusals; everything
+      // else (parse errors, transient network errors, malformed
+      // backend responses) falls through to the PUT.
+      if (e && typeof e.code === "string" &&
+          e.code.indexOf("objectstore/compliance-") === 0) {
+        throw e;
+      }
+      return _doSetRetention(name, key, opts);
+    });
+  }
+
+  function _doSetRetention(name, key, opts) {
     var bodyXml = _buildRetentionXml(opts);
     var bodyBuf = Buffer.from(bodyXml, "utf8");
     var url = _objectUrl(name, key, { retention: "" });

package/lib/observability-otlp-exporter.js

@@ -41,6 +41,33 @@ var { defineClass } = require("./framework-error");
 var OtlpExporterError = defineClass("OtlpExporterError", { alwaysPermanent: true });
 
 var observability = lazyRequire(function () { return require("./observability"); });
+var httpClient    = lazyRequire(function () { return require("./http-client"); });
+
+// Default OTLP transport — uses the framework's own b.httpClient
+// (node:https through the PQC-hybrid agent + cert-pinning + SSRF
+// guard) rather than globalThis.fetch. Operators with a sidecar
+// collector that must be addressed via fetch (Cloudflare Workers,
+// Deno, fetch-only edge runtimes) override fetchImpl explicitly.
+// Returning a fetch-shaped { ok, status } so the existing _post
+// path stays the same regardless of which transport ran.
+function _defaultFetchImpl(endpoint, init) {
+  var hc = httpClient();
+  return hc.request({
+    url:           endpoint,
+    method:        init && init.method  ? init.method  : "POST",
+    headers:       init && init.headers ? init.headers : {},
+    body:          init && init.body    ? init.body    : "",
+    timeoutMs:     0,
+    responseMode:  "always-resolve",
+    allowInternal: true,
+  }).then(function (res) {
+    var status = res && res.statusCode;
+    return {
+      ok:     status >= 200 && status < 300,                                       // allow:raw-byte-literal — HTTP status ranges
+      status: status,
+    };
+  });
+}
 
 var DEFAULT_BATCH_SIZE         = 200;                                              // allow:raw-byte-literal — OTLP recommended batch
 var DEFAULT_MAX_QUEUE_SIZE     = 4096;                                             // allow:raw-byte-literal — operator-side queue cap
@@ -206,10 +233,16 @@ function create(opts) {
   var maxAttempts = opts.maxAttempts || DEFAULT_MAX_ATTEMPTS;
   var backoffInitial = opts.backoffInitialMs || DEFAULT_BACKOFF_INITIAL_MS;
   var backoffMax     = opts.backoffMaxMs     || DEFAULT_BACKOFF_MAX_MS;
-  var fetchImpl  = opts.fetchImpl    || ((typeof globalThis.fetch === "function") ? globalThis.fetch.bind(globalThis) : null);
+  // Default transport is the framework's b.httpClient (node:https +
+  // PQC-hybrid agent + SSRF guard). globalThis.fetch was the prior
+  // default; it leaked an outbound network surface that supply-chain
+  // scanners flagged because nothing in the framework's TLS posture
+  // wired through it. Operators on fetch-only runtimes still override
+  // by passing opts.fetchImpl.
+  var fetchImpl  = opts.fetchImpl || _defaultFetchImpl;
   if (typeof fetchImpl !== "function") {
     throw new OtlpExporterError("otlp/no-fetch",
-      "otlpExporter.create: fetchImpl required (globalThis.fetch unavailable)");
+      "otlpExporter.create: opts.fetchImpl must be a function (override the framework default)");
   }
 
   var queue = [];

package/lib/outbox.js

@@ -308,7 +308,7 @@ function create(opts) {
       " SET status = 'dead', attempts = $1, last_error = $2 WHERE id = $3",
       [attempts + 1, String(errMsg).slice(0, 1024), id]                            // allow:raw-byte-literal — error-message char cap
     );
-    _emitAudit("system.outbox.deadletter", "fail", { id: id, attempts: attempts + 1 });
+    _emitAudit("system.outbox.deadletter", "failure", { id: id, attempts: attempts + 1 });
     _emitMetric("dead-letter", 1);
   }
 
@@ -353,7 +353,7 @@ function create(opts) {
         .catch(function () { /* drop-silent — see _processOnce */ })
         .finally(function () { inFlight = null; });
     }, pollIntervalMs, { name: name + "-publisher" });
-    _emitAudit("system.outbox.started", "ok", { name: name });
+    _emitAudit("system.outbox.started", "success", { name: name });
   }
 
   async function stop() {
@@ -365,7 +365,7 @@ function create(opts) {
     if (inFlight) {
       try { await inFlight; } catch (_e) { /* drop-silent */ }
     }
-    _emitAudit("system.outbox.stopped", "ok", { name: name });
+    _emitAudit("system.outbox.stopped", "success", { name: name });
   }
 
   async function pendingCount() {

package/lib/permissions.js

@@ -491,8 +491,17 @@ function create(opts) {
       }
 
       if (enforceMfa) {
+        // Window floor — when neither route nor role supplies an
+        // explicit mfaWindowMs, default to 15 minutes. Without this
+        // floor, a stolen long-lived cookie carrying an old `mfaAt`
+        // walks past every requireMfa: true gate. Operators who want
+        // an explicit no-window pass-through must say so via
+        // mfaWindowMs: Infinity (audited reason).
+        if (enforceWindowMs === null) {
+          enforceWindowMs = C.TIME.minutes(15);
+        }
         var mfaOk = actor.mfaAuthenticated === true;
-        if (mfaOk && enforceWindowMs !== null) {
+        if (mfaOk && enforceWindowMs !== null && enforceWindowMs !== Infinity) {
           var mfaAt = typeof actor.mfaAt === "number" ? actor.mfaAt : 0;
           if (Date.now() - mfaAt > enforceWindowMs) {
             mfaOk = false;

package/lib/pqc-agent.js

@@ -48,7 +48,28 @@ var DEFAULT_OPTS = {
 function _buildAgentOpts(opts) {
   opts = opts || {};
   var merged = Object.assign({}, DEFAULT_OPTS, opts);
-  merged.ecdhCurve  = C.TLS_GROUP_CURVE_STR;
+  // Caller may narrow the framework's curve preference list (drop a
+  // group, keep the remaining ones in framework-preferred order) but
+  // cannot widen it. A caller-supplied `ecdhCurve` string is parsed
+  // into groups and every group must appear in TLS_GROUP_PREFERENCE,
+  // otherwise the agent build refuses. The empty narrowing is a
+  // misconfig — TLS won't negotiate a key share — so reject too.
+  if (typeof opts.ecdhCurve === "string" && opts.ecdhCurve.length > 0) {
+    var requested = opts.ecdhCurve.split(":");
+    for (var rgi = 0; rgi < requested.length; rgi++) {
+      if (C.TLS_GROUP_PREFERENCE.indexOf(requested[rgi]) === -1) {
+        throw new TypeError(
+          "pqc-agent: opts.ecdhCurve='" + opts.ecdhCurve + "' includes '" +
+          requested[rgi] + "' which is not in the framework PQC-hybrid " +
+          "preference (" + C.TLS_GROUP_CURVE_STR + "); construct an " +
+          "https.Agent directly to negotiate weaker groups."
+        );
+      }
+    }
+    merged.ecdhCurve = requested.join(":");
+  } else {
+    merged.ecdhCurve = C.TLS_GROUP_CURVE_STR;
+  }
   merged.minVersion = "TLSv1.3";
   if (networkTls && typeof networkTls.applyToContext === "function") {
     merged = networkTls.applyToContext({ base: merged });

package/lib/pubsub.js

@@ -379,16 +379,20 @@ function create(opts) {
           ? rv.remote : 1;
       } catch (e) {
         if (auditOn) {
-          try { audit().safeEmit("system.pubsub.publish-failed", {
-            channel: channel, error: (e && e.message) || String(e),
+          try { audit().safeEmit({
+            action: "system.pubsub.publish_failed",
+            outcome: "failure",
+            metadata: { channel: channel, error: (e && e.message) || String(e) },
           }); } catch (_e) { /* */ }
         }
         throw e;
       }
     }
     if (auditOn) {
-      try { audit().safeEmit("system.pubsub.publish", {
-        channel: channel, localDispatched: local, remoteWritten: remote,
+      try { audit().safeEmit({
+        action: "system.pubsub.publish",
+        outcome: "success",
+        metadata: { channel: channel, localDispatched: local, remoteWritten: remote },
       }); } catch (_e) { /* */ }
     }
     return { local: local, remote: remote };

package/lib/redact.js

@@ -35,6 +35,14 @@ var SENSITIVE_FIELDS = [
   "card_number", "cardnumber", "cvc", "cvv", "pin",
   "privatekey", "private_key", "passphrase", "session", "sid",
   "_authtoken", "auth_token", "bearer", "cookie",
+  // Header-shaped variants of api-key — substring matching against a
+  // lowercased field name treats hyphen + underscore + dot as
+  // literal, so each header form needs its own entry.
+  "x-api-key", "x_api_key", "x-apikey", "api-key",
+  // DPoP / OAuth 2.1 / OIDC proof-of-possession + selective-disclosure
+  // fields — operator-error metadata logging often carries these.
+  "jwk", "dpop", "proof", "assertion", "client_assertion", "id_token_hint",
+  "code_verifier", "client_secret", "refresh_token", "access_token",
   // Vault-sealed values (don't log even though they're encrypted —
   // operational logs aren't a place to leak ciphertext shape either)
   // matched separately by value detector below
@@ -74,6 +82,20 @@ var VALUE_DETECTORS = [
     },
     replacement: "[REDACTED-JWT]",
   },
+  {
+    // URL with bearer-shaped query parameter — the parent field is
+    // typically `url` or `referer`, neither of which the field-name
+    // pass redacts. Replace the whole querystring after the marker
+    // so the path stays useful for log triage.
+    name:        "url-bearer-query",
+    test:        function (v) {
+      return typeof v === "string" &&
+        /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^\s]*[?&#](?:access_token|id_token|token|api_key|apikey)=/.test(v);
+    },
+    replacement: function (v) {
+      return String(v).replace(/(access_token|id_token|token|api_key|apikey)=[^&#]*/g, "$1=[REDACTED]");
+    },
+  },
   {
     name:        "pem",
     test:        function (v) { return typeof v === "string" && /-----BEGIN [A-Z ]+-----/.test(v); },
@@ -151,7 +173,10 @@ function _redactValue(value) {
   if (typeof value !== "string") return value;
   var allDetectors = VALUE_DETECTORS.concat(customDetectors);
   for (var i = 0; i < allDetectors.length; i++) {
-    if (allDetectors[i].test(value)) return allDetectors[i].replacement;
+    if (allDetectors[i].test(value)) {
+      var rep = allDetectors[i].replacement;
+      return typeof rep === "function" ? rep(value) : rep;
+    }
   }
   return value;
 }

package/lib/retention.js

@@ -58,6 +58,7 @@
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
+var safeSql = require("./safe-sql");
 var { defineClass } = require("./framework-error");
 
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -66,6 +67,21 @@ var cryptoField = require("./crypto-field");
 var RetentionError = defineClass("RetentionError", { alwaysPermanent: true });
 var _err = RetentionError.factory;
 
+// Identifier-level SQLi defense: every operator-supplied table name,
+// column name, and cascade FK must pass safeSql.validateIdentifier
+// before reaching SQL string concatenation. Without this gate a
+// rule registered with `table: 'users"; DROP TABLE audit_log;--'`
+// would break out of the quoted-identifier wrap and execute the
+// embedded statement.
+function _validateRuleIdentifier(value, label) {
+  try {
+    safeSql.validateIdentifier(value, { allowReserved: true });
+  } catch (e) {
+    throw _err("BAD_RULE",
+      label + " is not a safe SQL identifier: " + (e && e.message || String(e)));
+  }
+}
+
 function _validateRule(rule) {
   if (!rule || typeof rule !== "object") {
     throw _err("BAD_RULE", "rule must be an object");
@@ -76,9 +92,11 @@ function _validateRule(rule) {
   if (typeof rule.table !== "string" || rule.table.length === 0) {
     throw _err("BAD_RULE", "rule.table (string) is required");
   }
+  _validateRuleIdentifier(rule.table, "rule.table");
   if (typeof rule.ageField !== "string" || rule.ageField.length === 0) {
     throw _err("BAD_RULE", "rule.ageField (string) is required");
   }
+  _validateRuleIdentifier(rule.ageField, "rule.ageField");
   if (typeof rule.ttlMs !== "number" || !isFinite(rule.ttlMs) || rule.ttlMs <= 0) {
     throw _err("BAD_RULE", "rule.ttlMs must be a positive finite number");
   }
@@ -99,10 +117,16 @@ function _validateRule(rule) {
       (typeof rule.softDeleteField !== "string" || rule.softDeleteField.length === 0)) {
     throw _err("BAD_RULE", "rule.softDeleteField must be a non-empty string");
   }
+  if (rule.softDeleteField !== undefined) {
+    _validateRuleIdentifier(rule.softDeleteField, "rule.softDeleteField");
+  }
   if (rule.legalHoldField !== undefined &&
       (typeof rule.legalHoldField !== "string" || rule.legalHoldField.length === 0)) {
     throw _err("BAD_RULE", "rule.legalHoldField must be a non-empty string");
   }
+  if (rule.legalHoldField !== undefined) {
+    _validateRuleIdentifier(rule.legalHoldField, "rule.legalHoldField");
+  }
   if (rule.cascade !== undefined) {
     if (!Array.isArray(rule.cascade) || rule.cascade.length === 0) {
       throw _err("BAD_RULE", "rule.cascade must be a non-empty array of { table, foreignKey } entries");
@@ -113,6 +137,8 @@ function _validateRule(rule) {
           typeof c.foreignKey !== "string" || c.foreignKey.length === 0) {
         throw _err("BAD_RULE", "rule.cascade[" + ci + "] must be { table: string, foreignKey: string }");
       }
+      _validateRuleIdentifier(c.table, "rule.cascade[" + ci + "].table");
+      _validateRuleIdentifier(c.foreignKey, "rule.cascade[" + ci + "].foreignKey");
     }
   }
   if (rule.stages !== undefined) {

package/lib/router.js

@@ -651,6 +651,7 @@ class Router {
         maxHeaderListPairs:        100,                                            // allow:raw-byte-literal — CVE-2024-27983 CONTINUATION-flood cap
         maxSettings:               32,                                             // allow:raw-byte-literal — SETTINGS-frame entry ceiling
         peerMaxConcurrentStreams:  100,                                            // allow:raw-byte-literal — peer-side stream cap
+        maxOutstandingPings:       10,                                             // allow:raw-byte-literal — CVE-2019-9512 ping-flood cap (pin to Node default rather than letting it drift)
         unknownProtocolTimeout:    C.TIME.seconds(10),
       }, tlsOptions), requestHandler);
     } else {

package/lib/scheduler.js

@@ -682,8 +682,63 @@ function create(opts) {
     started = false;
   }
 
-  return {
+  // Shorthand for the common interval-based registration shape:
+  //   register("rotate-keys", C.TIME.minutes(5), runFn)
+  // is equivalent to schedule({ name, every: 300000, run: runFn }).
+  // Operators wanting cron expressions or job-queue dispatch keep
+  // using schedule() — register() is the every-N-ms direct-function
+  // path. Returns the scheduler instance for method chaining.
+  function register(name, intervalMs, fn) {
+    if (typeof name !== "string" || name.length === 0) {
+      throw _err("INVALID_NAME", "scheduler.register: name must be a non-empty string", true);
+    }
+    if (typeof intervalMs !== "number" || !Number.isFinite(intervalMs) || intervalMs < C.TIME.seconds(1)) {
+      throw _err("INVALID_SPEC",
+        "scheduler.register: intervalMs must be a finite number ≥ 1000", true);
+    }
+    if (typeof fn !== "function") {
+      throw _err("INVALID_SPEC", "scheduler.register: fn must be a function", true);
+    }
+    schedule({ name: name, every: intervalMs, run: fn });
+    return facade;
+  }
+
+  // Operator-facing health surface — every task with its lifecycle
+  // counters plus an aggregate. Probes / dashboards / readiness gates
+  // get a single object they can serialize. This is `list()` plus
+  // started state and aggregate stats.
+  function getStatus() {
+    var taskList = list();
+    var aggregate = {
+      total:          taskList.length,
+      running:        0,
+      withErrors:     0,
+      totalFires:     0,
+      totalMisses:    0,
+      nonLeaderSkips: 0,
+      tickClaimLost:  0,
+    };
+    for (var i = 0; i < taskList.length; i++) {
+      var t = taskList[i];
+      if (t.running)        aggregate.running        += 1;
+      if (t.lastError)      aggregate.withErrors     += 1;
+      aggregate.totalFires      += t.fires || 0;
+      aggregate.totalMisses     += t.misses || 0;
+      aggregate.nonLeaderSkips  += t.nonLeaderSkips || 0;
+      aggregate.tickClaimLost   += t.tickClaimLost || 0;
+    }
+    return {
+      started:   started,
+      isLeader:  _isLeaderHere(),
+      tasks:     taskList,
+      aggregate: aggregate,
+    };
+  }
+
+  var facade = {
     schedule:      schedule,
+    register:      register,
+    getStatus:     getStatus,
     start:         start,
     stop:          stop,
     list:          list,
@@ -695,6 +750,7 @@ function create(opts) {
     },
     _resetForTest: _resetForTest,
   };
+  return facade;
 }
 
 module.exports = {

package/lib/session.js

@@ -238,7 +238,7 @@ async function verify(token, verifyOpts) {
     if ((nowMs - lastActivity) > idleMs) {
       try {
         audit.safeEmit({
-          action: "auth.session.expired_idle", outcome: "warning",
+          action: "auth.session.expired_idle", outcome: "success",
           metadata: { idleMs: nowMs - lastActivity, threshold: idleMs },
         });
       } catch (_ignored) { /* audit best-effort */ }
@@ -253,7 +253,7 @@ async function verify(token, verifyOpts) {
     if ((nowMs - createdAt) > absMs) {
       try {
         audit.safeEmit({
-          action: "auth.session.expired_absolute", outcome: "warning",
+          action: "auth.session.expired_absolute", outcome: "success",
           metadata: { ageMs: nowMs - createdAt, threshold: absMs },
         });
       } catch (_ignored) { /* audit best-effort */ }
@@ -334,7 +334,7 @@ async function verify(token, verifyOpts) {
       try {
         audit.safeEmit({
           action:   "auth.session.fingerprint_drift",
-          outcome:  "warning",
+          outcome:  "success",
           metadata: { hasUserId: !!unsealed.userId,
             anomalyScore: fingerprintAnomalyScore },
         });

package/lib/ssrf-guard.js

@@ -140,10 +140,25 @@ var CLOUD_METADATA_IPS = [
 
 function _ipv4ToInt(ip) {
   var parts = ip.split(".");
-  return ((parts[0] | 0) << 24 >>> 0) +
-         ((parts[1] | 0) << 16) +
-         ((parts[2] | 0) << 8) +
-          (parts[3] | 0);
+  if (parts.length !== 4) return NaN;
+  var nums = [0, 0, 0, 0];
+  for (var i = 0; i < 4; i += 1) {
+    var s = parts[i];
+    // Strict octet validation: each segment must be 1-3 ASCII digits
+    // representing 0-255. The previous `parts[i] | 0` coerced
+    // anything non-numeric to 0 silently — exposed via cidrContains
+    // (network-allowlist) where a typo'd CIDR could collapse to
+    // 0.0.0.0/16 with no signal.
+    if (typeof s !== "string" || s.length === 0 || s.length > 3) return NaN;
+    if (!/^\d{1,3}$/.test(s)) return NaN;
+    var n = parseInt(s, 10);
+    if (n < 0 || n > 255) return NaN;
+    nums[i] = n;
+  }
+  return ((nums[0] << 24) >>> 0) +
+         (nums[1] << 16) +
+         (nums[2] << 8) +
+          nums[3];
 }
 
 function _ipv6ToBytes(ip) {