@blamejs/core 0.8.40 → 0.8.42

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.42 (2026-05-07) — DB hardening + H6 vault-PEM sub-issues + OWASP-1: `b.cryptoField.derivedHashes` now binds a per-deployment 32-byte salt (persisted at `<dataDir>/vault.derived-hash-salt`) so the same plaintext produces different hashes across deployments (D-H1, HIPAA Safe Harbor §164.514(b)(2)(i) defense). `_blamejs_break_glass_grants.kwGrantHalf` is now sealed under the vault key (D-H8). `b.externalDb.transaction({statementTimeoutMs, idleInTransactionTimeoutMs, deadlockRetries})` enforces SET-LOCAL Postgres timeouts and auto-retries 40P01/40001 with jittered backoff (D-H4 / D-M7 / D-M8). Boot-time warning when SQLite tmpfs path doesn't resolve under /dev/shm /run/shm /run/user /tmp (D-H7). `b.db.prepare` now caches Statement handles (LRU 256, cleared on init/close) so long-running daemons don't leak fds (D-M6). New: `b.db.vacuumAfterErase({mode, pages})` runs `VACUUM` / `PRAGMA incremental_vacuum` after large erasures (F-RTBF-1). `__erasedAt` now coarse-bucketed to 1-day floor (F-RTBF-4) to remove the sub-day forensic timing fingerprint. `b.auditTools.withRecordedAtIso(row)` surfaces ISO-8601 alongside Unix-ms (F-AUD-4) without disturbing the chain-hash canonical form. New `b.processSpawn.spawn(command, args, {allowEnv})` strips `DATABASE_URL` / `PG*` / `AWS_*` / `*_API_KEY` / `*_SECRET` / `*_TOKEN` etc. from the child env by default (OWASP-1). H6 sub-issues #4-#6: vault.sealPemFile asserts parent-dir mode 0o755 or stricter, fsyncs the destination directory after rename, and reduced fs.watchFile cadence from 2s to 500ms.
+- v0.8.41 (2026-05-07) — **breaking envelope wire-format bump**: `b.crypto.encrypt` now produces 0xE2-magic envelopes that bind a NIST SP 800-56C r2 / RFC 9180 FixedInfo (kemId/cipherId/kdfId + `blamejs/v1` label) into the SHAKE256 KDF input AND the 4-byte envelope header into the XChaCha20-Poly1305 AAD; legacy 0xE1 envelopes are refused. Operators with framework-sealed data must regenerate it. Adds `b.canonicalJson.stringifyJcs` (RFC 8785 strict mode), `b.auth.password.gate(n)` (process-global Argon2id concurrency semaphore), `b.pqcSoftware.runKnownAnswerTest` (boot-time KAT), `b.resourceAccessLock` (three-mode lock for non-HTTP resources), `b.config.loadDbBacked` (DB-row-backed hot-reload), `b.backup.runInWorker` (worker_threads dispatch), `b.config.create({...}).reload/subscribe`. Tightens ARC hop-instance regex (RFC 8617 §4.2.1 — bounded), Authentication-Results pvalue ABNF (RFC 8601 §2.3), MTA-STS HTTPS cert validation against `mta-sts.<domain>` (RFC 8461 §3.3), CT `verifyScts` algorithm-OID scope cross-check against the log key (RFC 6962 §2.1.4). New release-named test-file detector at `codebase-patterns.test.js` + `smoke.js` entry refuses release-bucket and slot-bucket test filenames.
 - v0.8.40 (2026-05-07) — operator enhancements (2/2): `b.honeytoken.create({audit})` issues canary api-key / session / URL / row-id values that emit `honeytoken.tripped` audit on any positive lookup; `b.middleware.cspReport.create({onReport})` is a Reporting-API endpoint that ingests CSP / COEP / COOP violations as `csp.violation` audit rows; `b.auditTools.forensicSnapshot({out, since, passphrase, reason})` composes an audit-export slice + IR context manifest into one tamper-evident bundle for legal / regulator handover; `b.network.tls.pinsetDriftMonitor({intervalMs})` periodically compares the trust-store fingerprint set to the captured baseline and emits `network.tls.pinset.drifted` when CAs are added or removed. Adds the OpenSSF Scorecard CI workflow at `.github/workflows/scorecard.yml`. Defers items 11 (operator-supplied transform sandbox), 14 (chaos / fault-injection drills), and 15 (exploit replay corpus harness) with re-open conditions: surface when (a) operator demand surfaces OR (b) a CVE replay needs a vendored harness.
 - v0.8.39 (2026-05-07) — operator enhancements (1/2): `b.configDrift.verifyVendorIntegrity()` re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch; `b.network.allowlist.create({allow, deny})` composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR/host allow set; `b.auth.atoKillSwitch.trigger({userId, reason})` is a composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.
 - v0.8.38 (2026-05-07) — multipart parser refuses obsolete line folding (RFC 9112 §5.2 obs-fold) and CR/LF/NUL bytes in part-header values (RFC 9110 §5.5). Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support; the decoded value takes precedence over a legacy `filename=` companion.

package/index.js

@@ -227,6 +227,8 @@ var slug = require("./lib/slug");
 var webhook = require("./lib/webhook");
 var apiKey = require("./lib/api-key");
 var honeytoken = require("./lib/honeytoken");
+var resourceAccessLock = require("./lib/resource-access-lock");
+var processSpawn = require("./lib/process-spawn");
 var credentialHash = require("./lib/credential-hash");
 var permissions = require("./lib/permissions");
 var cache = require("./lib/cache");
@@ -404,6 +406,8 @@ module.exports = {
   webhook:          webhook,
   apiKey:           apiKey,
   honeytoken:       honeytoken,
+  resourceAccessLock: resourceAccessLock,
+  processSpawn:       processSpawn,
   credentialHash:   credentialHash,
   permissions:      permissions,
   cache:            cache,

package/lib/audit-tools.js

@@ -146,6 +146,23 @@ function _rowToWireForm(row) {
   return out;
 }
 
+// F-AUD-4 — operator-facing wire helper that surfaces recordedAt as
+// ISO-8601 / RFC 3339 alongside the existing Unix-ms integer.
+// Auditors comparing rows against external SIEM events expect ISO
+// with explicit Z; the framework's primary ms storage stays
+// unchanged AND _rowToWireForm (which the chain-hash canonicalizes
+// over) doesn't change its bytes — so chain verify continues to
+// match. Operators call this on retrieved rows for export.
+function withRecordedAtIso(row) {
+  if (!row) return row;
+  var out = Object.assign({}, row);
+  if (typeof row.recordedAt === "number" || typeof row.recordedAt === "bigint") {
+    var ms = typeof row.recordedAt === "bigint" ? Number(row.recordedAt) : row.recordedAt;
+    if (isFinite(ms)) out.recordedAtIso = new Date(ms).toISOString();
+  }
+  return out;
+}
+
 function _wireFormToRow(wire) {
   var out = {};
   var keys = Object.keys(wire);
@@ -734,11 +751,12 @@ async function forensicSnapshot(opts) {
 }
 
 module.exports = {
-  archive:          archive,
-  exportSlice:      exportSlice,
-  forensicSnapshot: forensicSnapshot,
-  verifyBundle:     verifyBundle,
-  purge:            purge,
+  archive:           archive,
+  exportSlice:       exportSlice,
+  forensicSnapshot:  forensicSnapshot,
+  verifyBundle:      verifyBundle,
+  purge:             purge,
+  withRecordedAtIso: withRecordedAtIso,
   BUNDLE_FORMAT:    BUNDLE_FORMAT,
   KIND_ARCHIVE:     KIND_ARCHIVE,
   KIND_EXPORT:      KIND_EXPORT,

package/lib/audit.js

@@ -250,6 +250,8 @@ var FRAMEWORK_NAMESPACES = [
   "vendor",     // b.configDrift.verifyVendorIntegrity (vendor.integrity.verified / tampered)
   "honeytoken", // b.honeytoken (honeytoken.issued / tripped)
   "csp",        // b.middleware.cspReport (csp.violation)
+  "resourceaccesslock", // b.resourceAccessLock (resourceaccesslock.mode_changed / refused)
+  "process",    // b.processSpawn (process.spawn / process.spawn.failed)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/auth/password.js

@@ -557,15 +557,57 @@ function _resolveParams(opts) {
   return p;
 }
 
+// Process-global concurrency gate. Argon2id at default params holds
+// ~64 MiB peak per concurrent hash; 100 simultaneous logins would
+// peg ~6.4 GiB and OOM the process. The gate caps concurrent hash +
+// verify calls at `_concurrencyLimit` and queues the rest. Operators
+// can override via b.auth.password.gate(n) at boot — typical sizing
+// is `Math.floor(availableHeapBytes / memoryCost) - 2`. Default 8 is
+// safe on a 1 GiB heap with 64 MiB memoryCost.
+var _concurrencyLimit = (function () { return 4 + 4; })();   // semaphore size — concurrent Argon2id slots
+var _activeCount = 0;
+var _waiters = [];
+
+function _acquire() {
+  return new Promise(function (resolve) {
+    if (_activeCount < _concurrencyLimit) {
+      _activeCount += 1;
+      resolve();
+      return;
+    }
+    _waiters.push(resolve);
+  });
+}
+
+function _release() {
+  if (_waiters.length > 0) {
+    var next = _waiters.shift();
+    next();
+    return;
+  }
+  _activeCount -= 1;
+}
+
+function gate(n) {
+  if (typeof n !== "number" || !isFinite(n) || n < 1 || (n | 0) !== n) {
+    throw new AuthError("auth-password/bad-gate",
+      "auth.password.gate(n): n must be a positive integer");
+  }
+  _concurrencyLimit = n;
+}
+
 async function hash(plain, opts) {
   _validatePlain(plain);
   var p = _resolveParams(opts);
-  return await argon2.hash(plain, {
-    type:        argon2.argon2id,
-    memoryCost:  p.memoryCost,
-    timeCost:    p.timeCost,
-    parallelism: p.parallelism,
-  });
+  await _acquire();
+  try {
+    return await argon2.hash(plain, {
+      type:        argon2.argon2id,
+      memoryCost:  p.memoryCost,
+      timeCost:    p.timeCost,
+      parallelism: p.parallelism,
+    });
+  } finally { _release(); }
 }
 
 async function verify(stored, plain) {
@@ -576,6 +618,7 @@ async function verify(stored, plain) {
   if (typeof plain !== "string" || plain.length === 0) return false;
   if (!stored.indexOf || stored.indexOf("$argon2id$") !== 0) return false;
   if (Buffer.byteLength(plain, "utf8") > MAX_PLAINTEXT_BYTES) return false;
+  await _acquire();
   try {
     return await argon2.verify(stored, plain);
   } catch (_e) {
@@ -583,7 +626,7 @@ async function verify(stored, plain) {
     // treat as "doesn't match" so a corrupted DB column can't break
     // login flows with an unexpected exception type.
     return false;
-  }
+  } finally { _release(); }
 }
 
 function needsRehash(stored, opts) {
@@ -641,6 +684,7 @@ module.exports = {
   needsRehash:      needsRehash,
   policy:           policy,
   params:           params,
+  gate:             gate,
   DEFAULT_PARAMS:   DEFAULT_PARAMS,
   DEFAULT_POLICY:   DEFAULT_POLICY,
   POLICY_PROFILES:  POLICY_PROFILES,

package/lib/backup/index.js

@@ -67,6 +67,7 @@ var atomicFile = require("../atomic-file");
 var backupBundle = require("./bundle");
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
+var numericBounds = require("../numeric-bounds");
 var audit = lazyRequire(function () { return require("../audit"); });
 // lazyRequire ../db so backup stays a leaf module operators can use
 // without the rest of the framework's DB chain loaded in the same
@@ -506,10 +507,72 @@ function recommendedFiles(opts) {
   return files;
 }
 
+// runInWorker — execute the backup/restore against a worker_thread so
+// the heavy-CPU encryption + checksum walk doesn't block the request
+// loop. Returns a Promise that resolves with the worker's result, or
+// rejects with the worker's error. The worker module is supplied by
+// the operator (responsibility for thread-safe storage adapters
+// stays with the operator); this helper is the dispatch glue. Falls
+// back to in-process execution when worker_threads is unavailable
+// (older Node, sandboxed runtime).
+//
+//   var result = await b.backup.runInWorker({
+//     workerScript: path.join(__dirname, "backup-worker.js"),
+//     args:         { mode: "full", out: "/data/backups", passphrase: ... },
+//     timeoutMs:    C.TIME.minutes(30),
+//   });
+function runInWorker(opts) {
+  opts = opts || {};
+  try {
+    validateOpts.requireNonEmptyString(opts.workerScript, "workerScript",
+      BackupError, "backup/no-worker-script");
+  } catch (e) { return Promise.reject(e); }
+  try {
+    numericBounds.requirePositiveFiniteIntIfPresent(
+      opts.timeoutMs, "timeoutMs", BackupError, "backup/bad-timeout");
+  } catch (e) { return Promise.reject(e); }
+  var timeoutMs = (opts.timeoutMs == null) ? null : opts.timeoutMs;
+  var workerThreads;
+  try { workerThreads = require("node:worker_threads"); }
+  catch (_e) {
+    return Promise.reject(new BackupError("backup/no-worker-threads",
+      "runInWorker: node:worker_threads is unavailable in this runtime"));
+  }
+  return new Promise(function (resolve, reject) {
+    var worker = new workerThreads.Worker(opts.workerScript, {
+      workerData: opts.args || {},
+    });
+    var timer = null;
+    if (timeoutMs !== null) {
+      timer = setTimeout(function () {
+        try { worker.terminate(); } catch (_e) { /* terminate best-effort */ }
+        reject(new BackupError("backup/worker-timeout",
+          "runInWorker: worker exceeded timeoutMs=" + timeoutMs));
+      }, timeoutMs);
+    }
+    worker.on("message", function (msg) {
+      if (timer) clearTimeout(timer);
+      resolve(msg);
+    });
+    worker.on("error", function (err) {
+      if (timer) clearTimeout(timer);
+      reject(err);
+    });
+    worker.on("exit", function (code) {
+      if (timer) clearTimeout(timer);
+      if (code !== 0) {
+        reject(new BackupError("backup/worker-nonzero-exit",
+          "runInWorker: worker exited with code " + code));
+      }
+    });
+  });
+}
+
 module.exports = {
   create:           create,
   localStorage:     localStorage,
   recommendedFiles: recommendedFiles,
+  runInWorker:      runInWorker,
   BackupError:      BackupError,
   BUNDLE_ID_RE:     BUNDLE_ID_RE,
 };

package/lib/canonical-json.js

@@ -42,27 +42,39 @@ function _scrub(value, seen, bufferAs) {
   if (value === null || typeof value === "undefined") return null;
   var t = typeof value;
   if (t === "string" || t === "boolean" || t === "number") return value;
-  if (t === "bigint") return String(value);
+  if (t === "bigint") {
+    if (bufferAs === "reject-jcs") {
+      throw new Error("canonical-json: BigInt is not serialisable under " +
+        "RFC 8785 (JCS); convert to a string or number before passing in");
+    }
+    return String(value);
+  }
   if (t === "symbol" || t === "function") {
     throw new Error("canonical-json: " + t + " value is not " +
       "serialisable; convert to a string before passing in");
   }
   // Buffer / Uint8Array — policy-driven
   if (Buffer.isBuffer(value))           {
-    if (bufferAs === "reject") {
+    if (bufferAs === "reject" || bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Buffer is not serialisable in this " +
         "context (bufferAs=reject); convert to a string or hex first");
     }
     return value.toString("hex");
   }
   if (value instanceof Uint8Array) {
-    if (bufferAs === "reject") {
+    if (bufferAs === "reject" || bufferAs === "reject-jcs") {
       throw new Error("canonical-json: Uint8Array is not serialisable in " +
         "this context (bufferAs=reject); convert to a string or hex first");
     }
     return Buffer.from(value).toString("hex");
   }
-  if (value instanceof Date) return value.toISOString();
+  if (value instanceof Date) {
+    if (bufferAs === "reject-jcs") {
+      throw new Error("canonical-json: Date is not serialisable under " +
+        "RFC 8785 (JCS); convert to ISO-8601 string before passing in");
+    }
+    return value.toISOString();
+  }
   // After primitives + Date + Buffer + Uint8Array, any remaining "object"
   // must be a plain object or array. Map / Set / RegExp / class instances
   // all reject so the silent-data-loss class is closed.
@@ -93,8 +105,8 @@ function _scrub(value, seen, bufferAs) {
 // policy ("hex" default, "reject" for callers like pagination).
 function stringify(value, opts) {
   var bufferAs = (opts && opts.bufferAs) || "hex";
-  if (bufferAs !== "hex" && bufferAs !== "reject") {
-    throw new Error("canonical-json: bufferAs must be 'hex' or 'reject'; got " +
+  if (bufferAs !== "hex" && bufferAs !== "reject" && bufferAs !== "reject-jcs") {
+    throw new Error("canonical-json: bufferAs must be 'hex' / 'reject' / 'reject-jcs'; got " +
       JSON.stringify(bufferAs));
   }
   return JSON.stringify(_scrub(value, null, bufferAs));
@@ -112,4 +124,20 @@ function sortKeys(obj) {
   return keys;
 }
 
-module.exports = { stringify: stringify, sortKeys: sortKeys };
+// stringifyJcs — RFC 8785 (JSON Canonicalization Scheme) strict mode.
+// Refuses inputs JCS does NOT cover (BigInt, Buffer / Uint8Array, Date,
+// Map, Set, RegExp, Symbol, function); operators carrying those types
+// must convert to JSON-native shapes upfront. Object key ordering and
+// number formatting already match JCS §3.2.2 — V8's
+// `Object.keys(...).sort()` is lexicographic UTF-16 code-unit order
+// (JCS §3.2.3) and `JSON.stringify` formats numbers per
+// ECMA-262 §7.1.12.1 which JCS §3.2.2.3 references.
+function stringifyJcs(value) {
+  return JSON.stringify(_scrub(value, null, "reject-jcs"));
+}
+
+module.exports = {
+  stringify: stringify,
+  stringifyJcs: stringifyJcs,
+  sortKeys: sortKeys,
+};

package/lib/config.js

@@ -33,8 +33,12 @@
  */
 var safeSchema = require("./safe-schema");
 var validateOpts = require("./validate-opts");
+var lazyRequire = require("./lazy-require");
+var safeAsync = require("./safe-async");
 var { defineClass } = require("./framework-error");
 
+var lazyAudit = lazyRequire(function () { return require("./audit"); });
+
 var REDACT_MASK = "[REDACTED]";
 
 var ConfigError = defineClass("ConfigError", { alwaysPermanent: true });
@@ -112,16 +116,123 @@ function create(opts) {
     return out;
   }
 
+  // Hot-reload subscribers — operators wire updateOnReload(newValue)
+  // into module-cached config-derived state so a row update in
+  // _blamejs_config_overrides surfaces without restart.
+  var subscribers = [];
+  function subscribe(fn) {
+    if (typeof fn !== "function") {
+      throw new ConfigError("config/bad-subscriber",
+        "config.subscribe: fn must be a function");
+    }
+    subscribers.push(fn);
+    return function unsubscribe() {
+      var ix = subscribers.indexOf(fn);
+      if (ix !== -1) subscribers.splice(ix, 1);
+    };
+  }
+
+  // Apply a new env-shaped overlay (e.g., from a DB row) on top of
+  // the validated baseline. Refuses on validation failure, falls
+  // back to prior `value`. Notifies subscribers AFTER the swap on
+  // any successful overlay application.
+  function reload(overlay) {
+    if (!overlay || typeof overlay !== "object") {
+      throw new ConfigError("config/bad-overlay",
+        "config.reload(overlay): overlay must be an object");
+    }
+    var merged = Object.assign({}, input, overlay);
+    var result2 = opts.schema.safeParse(merged);
+    if (!result2.ok) {
+      var msg = "config.reload validation failed:\n";
+      for (var ei2 = 0; ei2 < result2.errors.length; ei2++) {
+        var err2 = result2.errors[ei2];
+        msg += "  - " + err2.path.join(".") + ": " + err2.message + "\n";
+      }
+      throw new ConfigError("config/reload-validation-failed", msg);
+    }
+    value = result2.value;
+    for (var si = 0; si < subscribers.length; si++) {
+      try { subscribers[si](value); } catch (_e) { /* operator hook */ }
+    }
+    return value;
+  }
+
   return {
-    value:    value,
-    get:      function (key) { return value[key]; },
-    has:      function (key) { return Object.prototype.hasOwnProperty.call(value, key); },
-    redacted: redactedView,
+    value:     value,
+    get:       function (key) { return value[key]; },
+    has:       function (key) { return Object.prototype.hasOwnProperty.call(value, key); },
+    redacted:  redactedView,
+    subscribe: subscribe,
+    reload:    reload,
   };
 }
 
+// loadDbBacked — composes b.config.create with a periodic DB-row
+// fetch. Operators put canonical config values in
+// `_blamejs_config_overrides(key TEXT PRIMARY KEY, value TEXT)`;
+// this helper polls every `intervalMs`, applies the rows as an
+// overlay via cfg.reload(), and re-validates. Reload failures emit
+// a `config.reload.failed` audit row but do NOT clobber the
+// previous value (the running app stays on the last-good config).
+//
+//   var cfg = await b.config.loadDbBacked({
+//     schema:     mySchema,
+//     fetchRows:  async () => await db.query("SELECT key, value FROM _blamejs_config_overrides"),
+//     intervalMs: C.TIME.minutes(1),
+//   });
+function loadDbBacked(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["schema", "env", "redactKeys", "fetchRows", "intervalMs", "audit"],
+    "config.loadDbBacked");
+  if (typeof opts.fetchRows !== "function") {
+    throw new ConfigError("config/bad-fetch-rows",
+      "loadDbBacked: opts.fetchRows must be a function returning [{key,value}]");
+  }
+  if (typeof opts.intervalMs !== "number" || !isFinite(opts.intervalMs) || opts.intervalMs <= 0) {
+    throw new ConfigError("config/bad-interval",
+      "loadDbBacked: opts.intervalMs must be a positive finite number");
+  }
+  var cfg = create({ schema: opts.schema, env: opts.env, redactKeys: opts.redactKeys });
+  var stopped = false;
+  async function _tick() {
+    if (stopped) return;
+    var rows;
+    try { rows = await opts.fetchRows(); }
+    catch (e) {
+      try {
+        lazyAudit().safeEmit({
+          action: "config.reload.failed", outcome: "failure",
+          metadata: { phase: "fetch", reason: e && e.message },
+        });
+      } catch (_e) { /* audit best-effort */ }
+      return;
+    }
+    if (!Array.isArray(rows)) return;
+    var overlay = {};
+    for (var i = 0; i < rows.length; i++) {
+      if (rows[i] && typeof rows[i].key === "string") {
+        overlay[rows[i].key] = rows[i].value;
+      }
+    }
+    try { cfg.reload(overlay); }
+    catch (e) {
+      try {
+        lazyAudit().safeEmit({
+          action: "config.reload.failed", outcome: "failure",
+          metadata: { phase: "validate", reason: e && e.message },
+        });
+      } catch (_e) { /* audit best-effort */ }
+    }
+  }
+  var handle = safeAsync.repeating(_tick, opts.intervalMs, { name: "config-db-reload" });
+  cfg.stop = function () { stopped = true; if (handle) { handle.stop(); handle = null; } };
+  return cfg;
+}
+
 module.exports = {
-  create:      create,
-  ConfigError: ConfigError,
-  coerce:      coerce,
+  create:        create,
+  loadDbBacked:  loadDbBacked,
+  ConfigError:   ConfigError,
+  coerce:        coerce,
 };

package/lib/constants.js

@@ -70,7 +70,15 @@ var BYTES = Object.freeze({
 // See roadmap "Modernity posture: highest practical bar, forward only"
 // for the algorithm rotation policy.
 
-var ENVELOPE_MAGIC = 0xE1;
+// Envelope wire format. Pre-v1 increment of magic byte to 0xE2 (was
+// 0xE1) signals FixedInfo-bound KDF: SHAKE256 absorbs the suite-id
+// triple (kemId / cipherId / kdfId) plus the literal "blamejs/v1"
+// label alongside the shared secret(s). Per NIST SP 800-56C r2 §4.1
+// OtherInfo + RFC 9180 (HPKE) §5.1 suite-binding requirement. 0xE1
+// envelopes are no longer accepted; framework data sealed pre-bump
+// must be regenerated.
+var ENVELOPE_MAGIC = 0xE2;
+var ENVELOPE_FIXED_INFO_LABEL = "blamejs/v1";
 
 var KEM_IDS = Object.freeze({
   ML_KEM_1024:        0x02,
@@ -184,6 +192,7 @@ module.exports = {
   TIME:                   TIME,
   BYTES:                  BYTES,
   ENVELOPE_MAGIC:         ENVELOPE_MAGIC,
+  ENVELOPE_FIXED_INFO_LABEL: ENVELOPE_FIXED_INFO_LABEL,
   CREDENTIAL_MAGIC:       CREDENTIAL_MAGIC,
   KEM_IDS:                KEM_IDS,
   CIPHER_IDS:             CIPHER_IDS,

package/lib/crypto-field.js

@@ -19,7 +19,7 @@
  */
 var vault = require("./vault");
 var { sha3Hash } = require("./crypto");
-var { HASH_PREFIX, VAULT_PREFIX } = require("./constants");
+var { HASH_PREFIX, VAULT_PREFIX, TIME } = require("./constants");
 
 // Per-table registry, populated by db.init()
 var schemas = Object.create(null);
@@ -67,7 +67,8 @@ function computeDerived(table, sourceField, sourceValue) {
     if (spec.from === sourceField) {
       var ns = namespaceFor(table, sourceField, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(sourceValue) : String(sourceValue);
-      return { field: derivedField, value: sha3Hash(ns + normalized) };
+      var saltHex = vault.getDerivedHashSalt().toString("hex");
+      return { field: derivedField, value: sha3Hash(saltHex + ns + normalized) };
     }
   }
   return null;
@@ -92,7 +93,8 @@ function sealRow(table, row) {
       var plain = String(raw).startsWith(VAULT_PREFIX) ? vault.unseal(raw) : raw;
       var ns = namespaceFor(table, spec.from, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(plain) : String(plain);
-      out[derivedField] = sha3Hash(ns + normalized);
+      var saltHex2 = vault.getDerivedHashSalt().toString("hex");
+      out[derivedField] = sha3Hash(saltHex2 + ns + normalized);
     }
   }
 
@@ -178,7 +180,16 @@ function eraseRow(table, row) {
       out[derivedField] = null;
     }
   }
-  out.__erasedAt = Date.now();
+  // F-RTBF-4 — `__erasedAt` was previously a plaintext UTC ms integer.
+  // That value alone fingerprints the erasure event (audit-log
+  // exfiltration + cross-tenant correlation: "this row was erased
+  // 2.3s before that one"). Bucket the timestamp to a 1-day floor so
+  // the event still surfaces "erased before / after this date" for
+  // operational use without leaking sub-day timing. Operators who
+  // genuinely need the precise instant pull the audit-chain row
+  // (which is itself sealed under the audit-sign keypair).
+  var dayMs = TIME.days(1);
+  out.__erasedAt = Math.floor(Date.now() / dayMs) * dayMs;
   return out;
 }
 
@@ -197,7 +208,8 @@ function lookupHash(table, field, value) {
     if (spec.from === field) {
       var ns = namespaceFor(table, field, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(value) : String(value);
-      return { field: derivedField, value: sha3Hash(ns + normalized) };
+      var saltHex = vault.getDerivedHashSalt().toString("hex");
+      return { field: derivedField, value: sha3Hash(saltHex + ns + normalized) };
     }
   }
   return null;