@blamejs/core 0.8.41 → 0.8.42

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.42 (2026-05-07) — DB hardening + H6 vault-PEM sub-issues + OWASP-1: `b.cryptoField.derivedHashes` now binds a per-deployment 32-byte salt (persisted at `<dataDir>/vault.derived-hash-salt`) so the same plaintext produces different hashes across deployments (D-H1, HIPAA Safe Harbor §164.514(b)(2)(i) defense). `_blamejs_break_glass_grants.kwGrantHalf` is now sealed under the vault key (D-H8). `b.externalDb.transaction({statementTimeoutMs, idleInTransactionTimeoutMs, deadlockRetries})` enforces SET-LOCAL Postgres timeouts and auto-retries 40P01/40001 with jittered backoff (D-H4 / D-M7 / D-M8). Boot-time warning when SQLite tmpfs path doesn't resolve under /dev/shm /run/shm /run/user /tmp (D-H7). `b.db.prepare` now caches Statement handles (LRU 256, cleared on init/close) so long-running daemons don't leak fds (D-M6). New: `b.db.vacuumAfterErase({mode, pages})` runs `VACUUM` / `PRAGMA incremental_vacuum` after large erasures (F-RTBF-1). `__erasedAt` now coarse-bucketed to 1-day floor (F-RTBF-4) to remove the sub-day forensic timing fingerprint. `b.auditTools.withRecordedAtIso(row)` surfaces ISO-8601 alongside Unix-ms (F-AUD-4) without disturbing the chain-hash canonical form. New `b.processSpawn.spawn(command, args, {allowEnv})` strips `DATABASE_URL` / `PG*` / `AWS_*` / `*_API_KEY` / `*_SECRET` / `*_TOKEN` etc. from the child env by default (OWASP-1). H6 sub-issues #4-#6: vault.sealPemFile asserts parent-dir mode 0o755 or stricter, fsyncs the destination directory after rename, and reduced fs.watchFile cadence from 2s to 500ms.
 - v0.8.41 (2026-05-07) — **breaking envelope wire-format bump**: `b.crypto.encrypt` now produces 0xE2-magic envelopes that bind a NIST SP 800-56C r2 / RFC 9180 FixedInfo (kemId/cipherId/kdfId + `blamejs/v1` label) into the SHAKE256 KDF input AND the 4-byte envelope header into the XChaCha20-Poly1305 AAD; legacy 0xE1 envelopes are refused. Operators with framework-sealed data must regenerate it. Adds `b.canonicalJson.stringifyJcs` (RFC 8785 strict mode), `b.auth.password.gate(n)` (process-global Argon2id concurrency semaphore), `b.pqcSoftware.runKnownAnswerTest` (boot-time KAT), `b.resourceAccessLock` (three-mode lock for non-HTTP resources), `b.config.loadDbBacked` (DB-row-backed hot-reload), `b.backup.runInWorker` (worker_threads dispatch), `b.config.create({...}).reload/subscribe`. Tightens ARC hop-instance regex (RFC 8617 §4.2.1 — bounded), Authentication-Results pvalue ABNF (RFC 8601 §2.3), MTA-STS HTTPS cert validation against `mta-sts.<domain>` (RFC 8461 §3.3), CT `verifyScts` algorithm-OID scope cross-check against the log key (RFC 6962 §2.1.4). New release-named test-file detector at `codebase-patterns.test.js` + `smoke.js` entry refuses release-bucket and slot-bucket test filenames.
 - v0.8.40 (2026-05-07) — operator enhancements (2/2): `b.honeytoken.create({audit})` issues canary api-key / session / URL / row-id values that emit `honeytoken.tripped` audit on any positive lookup; `b.middleware.cspReport.create({onReport})` is a Reporting-API endpoint that ingests CSP / COEP / COOP violations as `csp.violation` audit rows; `b.auditTools.forensicSnapshot({out, since, passphrase, reason})` composes an audit-export slice + IR context manifest into one tamper-evident bundle for legal / regulator handover; `b.network.tls.pinsetDriftMonitor({intervalMs})` periodically compares the trust-store fingerprint set to the captured baseline and emits `network.tls.pinset.drifted` when CAs are added or removed. Adds the OpenSSF Scorecard CI workflow at `.github/workflows/scorecard.yml`. Defers items 11 (operator-supplied transform sandbox), 14 (chaos / fault-injection drills), and 15 (exploit replay corpus harness) with re-open conditions: surface when (a) operator demand surfaces OR (b) a CVE replay needs a vendored harness.
 - v0.8.39 (2026-05-07) — operator enhancements (1/2): `b.configDrift.verifyVendorIntegrity()` re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch; `b.network.allowlist.create({allow, deny})` composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR/host allow set; `b.auth.atoKillSwitch.trigger({userId, reason})` is a composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.

package/index.js

@@ -228,6 +228,7 @@ var webhook = require("./lib/webhook");
 var apiKey = require("./lib/api-key");
 var honeytoken = require("./lib/honeytoken");
 var resourceAccessLock = require("./lib/resource-access-lock");
+var processSpawn = require("./lib/process-spawn");
 var credentialHash = require("./lib/credential-hash");
 var permissions = require("./lib/permissions");
 var cache = require("./lib/cache");
@@ -406,6 +407,7 @@ module.exports = {
   apiKey:           apiKey,
   honeytoken:       honeytoken,
   resourceAccessLock: resourceAccessLock,
+  processSpawn:       processSpawn,
   credentialHash:   credentialHash,
   permissions:      permissions,
   cache:            cache,

package/lib/audit-tools.js

@@ -146,6 +146,23 @@ function _rowToWireForm(row) {
   return out;
 }
 
+// F-AUD-4 — operator-facing wire helper that surfaces recordedAt as
+// ISO-8601 / RFC 3339 alongside the existing Unix-ms integer.
+// Auditors comparing rows against external SIEM events expect ISO
+// with explicit Z; the framework's primary ms storage stays
+// unchanged AND _rowToWireForm (which the chain-hash canonicalizes
+// over) doesn't change its bytes — so chain verify continues to
+// match. Operators call this on retrieved rows for export.
+function withRecordedAtIso(row) {
+  if (!row) return row;
+  var out = Object.assign({}, row);
+  if (typeof row.recordedAt === "number" || typeof row.recordedAt === "bigint") {
+    var ms = typeof row.recordedAt === "bigint" ? Number(row.recordedAt) : row.recordedAt;
+    if (isFinite(ms)) out.recordedAtIso = new Date(ms).toISOString();
+  }
+  return out;
+}
+
 function _wireFormToRow(wire) {
   var out = {};
   var keys = Object.keys(wire);
@@ -734,11 +751,12 @@ async function forensicSnapshot(opts) {
 }
 
 module.exports = {
-  archive:          archive,
-  exportSlice:      exportSlice,
-  forensicSnapshot: forensicSnapshot,
-  verifyBundle:     verifyBundle,
-  purge:            purge,
+  archive:           archive,
+  exportSlice:       exportSlice,
+  forensicSnapshot:  forensicSnapshot,
+  verifyBundle:      verifyBundle,
+  purge:             purge,
+  withRecordedAtIso: withRecordedAtIso,
   BUNDLE_FORMAT:    BUNDLE_FORMAT,
   KIND_ARCHIVE:     KIND_ARCHIVE,
   KIND_EXPORT:      KIND_EXPORT,

package/lib/audit.js

@@ -251,6 +251,7 @@ var FRAMEWORK_NAMESPACES = [
   "honeytoken", // b.honeytoken (honeytoken.issued / tripped)
   "csp",        // b.middleware.cspReport (csp.violation)
   "resourceaccesslock", // b.resourceAccessLock (resourceaccesslock.mode_changed / refused)
+  "process",    // b.processSpawn (process.spawn / process.spawn.failed)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/crypto-field.js

@@ -19,7 +19,7 @@
  */
 var vault = require("./vault");
 var { sha3Hash } = require("./crypto");
-var { HASH_PREFIX, VAULT_PREFIX } = require("./constants");
+var { HASH_PREFIX, VAULT_PREFIX, TIME } = require("./constants");
 
 // Per-table registry, populated by db.init()
 var schemas = Object.create(null);
@@ -67,7 +67,8 @@ function computeDerived(table, sourceField, sourceValue) {
     if (spec.from === sourceField) {
       var ns = namespaceFor(table, sourceField, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(sourceValue) : String(sourceValue);
-      return { field: derivedField, value: sha3Hash(ns + normalized) };
+      var saltHex = vault.getDerivedHashSalt().toString("hex");
+      return { field: derivedField, value: sha3Hash(saltHex + ns + normalized) };
     }
   }
   return null;
@@ -92,7 +93,8 @@ function sealRow(table, row) {
       var plain = String(raw).startsWith(VAULT_PREFIX) ? vault.unseal(raw) : raw;
       var ns = namespaceFor(table, spec.from, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(plain) : String(plain);
-      out[derivedField] = sha3Hash(ns + normalized);
+      var saltHex2 = vault.getDerivedHashSalt().toString("hex");
+      out[derivedField] = sha3Hash(saltHex2 + ns + normalized);
     }
   }
 
@@ -178,7 +180,16 @@ function eraseRow(table, row) {
       out[derivedField] = null;
     }
   }
-  out.__erasedAt = Date.now();
+  // F-RTBF-4 — `__erasedAt` was previously a plaintext UTC ms integer.
+  // That value alone fingerprints the erasure event (audit-log
+  // exfiltration + cross-tenant correlation: "this row was erased
+  // 2.3s before that one"). Bucket the timestamp to a 1-day floor so
+  // the event still surfaces "erased before / after this date" for
+  // operational use without leaking sub-day timing. Operators who
+  // genuinely need the precise instant pull the audit-chain row
+  // (which is itself sealed under the audit-sign keypair).
+  var dayMs = TIME.days(1);
+  out.__erasedAt = Math.floor(Date.now() / dayMs) * dayMs;
   return out;
 }
 
@@ -197,7 +208,8 @@ function lookupHash(table, field, value) {
     if (spec.from === field) {
       var ns = namespaceFor(table, field, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(value) : String(value);
-      return { field: derivedField, value: sha3Hash(ns + normalized) };
+      var saltHex = vault.getDerivedHashSalt().toString("hex");
+      return { field: derivedField, value: sha3Hash(saltHex + ns + normalized) };
     }
   }
   return null;

package/lib/db.js

@@ -539,7 +539,7 @@ var FRAMEWORK_SCHEMA = [
       "revokedAt",
     ],
     derivedHashes: { issuedToActorHash: { from: "issuedToActorId" } },
-    sealedFields: ["reasonSealed", "scopeColumnsJson"],
+    sealedFields: ["reasonSealed", "scopeColumnsJson", "kwGrantHalf"],
   },
 ];
 
@@ -645,6 +645,9 @@ function cleanStaleTmpDbs(tmpDir) {
 
 async function init(opts) {
   if (initialized) return;
+  // Drop any prepared-statement cache leftover from a prior init/close
+  // cycle — Statement handles attached to a finalized DB throw on use.
+  _prepareCache.clear();
   if (!opts || !opts.dataDir) {
     throw new DbError("db/bad-init", "db.init({ dataDir }) is required");
   }
@@ -670,6 +673,24 @@ async function init(opts) {
     }
     if (!fs.existsSync(tmpDir)) fs.mkdirSync(tmpDir, { recursive: true });
 
+    // D-H7 — if the resolved tmpDir is NOT actually tmpfs, the
+    // plaintext DB file lives on persistent storage. statvfs/statfs
+    // isn't in stable Node, but on Linux we can check that tmpDir
+    // resolves under /dev/shm or /run/shm as a heuristic. On other
+    // platforms we warn that the operator must verify tmpfs binding
+    // out-of-band.
+    if (process.platform === "linux") {
+      var realTmp = "";
+      try { realTmp = fs.realpathSync(tmpDir); } catch (_e) { /* stat best-effort */ }
+      if (realTmp.indexOf("/dev/shm") !== 0 && realTmp.indexOf("/run/shm") !== 0 &&
+          realTmp.indexOf("/run/user/") !== 0 && realTmp.indexOf("/tmp") !== 0) {
+        log.warn("WARNING: db.init: tmpDir '" + tmpDir + "' (real: '" + realTmp +
+          "') does not resolve under /dev/shm /run/shm /run/user /tmp — verify it is " +
+          "actually a tmpfs mount. A persistent-disk tmpDir leaks plaintext into backup " +
+          "snapshots, replication, and forensic disk images.");
+      }
+    }
+
     encPath = path.join(dataDir, "db.enc");
     dbPath  = path.join(tmpDir, "blamejs-" + generateToken(C.BYTES.bytes(16)) + ".db");
     encKey  = loadOrCreateDbKey(dataDir);
@@ -1007,9 +1028,32 @@ function from(tableName) {
   return new Query(database, tableName);
 }
 
+// D-M6 — bounded prepared-statement cache for SQLite. Long-running
+// daemons with diverse query shapes accumulate node:sqlite Statement
+// handles indefinitely; the LRU here caps at PREPARE_CACHE_MAX (256)
+// distinct SQL strings and finalizes the oldest when over. Reuse of
+// the same SQL string returns the cached Statement (the canonical
+// node:sqlite-style win); previously this was ad-hoc and operators
+// re-preparing in a hot path leaked fds.
+var PREPARE_CACHE_MAX = 256;                                                       // allow:raw-byte-literal — distinct-statement cache cap
+var _prepareCache = new Map();                                                     // sql → Statement (insertion order = LRU)
+
 function prepare(sql) {
   _requireInit();
-  return database.prepare(sql);
+  if (_prepareCache.has(sql)) {
+    var hit = _prepareCache.get(sql);
+    // Refresh LRU position by reinserting.
+    _prepareCache.delete(sql);
+    _prepareCache.set(sql, hit);
+    return hit;
+  }
+  var stmt = database.prepare(sql);
+  _prepareCache.set(sql, stmt);
+  if (_prepareCache.size > PREPARE_CACHE_MAX) {
+    var oldestKey = _prepareCache.keys().next().value;
+    _prepareCache.delete(oldestKey);
+  }
+  return stmt;
 }
 
 // stream — Readable in object mode that yields rows as node:sqlite's
@@ -1147,6 +1191,9 @@ function close() {
     encTimer.stop();
     encTimer = null;
   }
+  // Drop prepared-statement cache so the underlying Statement handles
+  // release ahead of database.close().
+  _prepareCache.clear();
   // Best-effort final checkpoint before shutdown so the audit.tip sidecar
   // anchors the most recent state. Only the current leader writes the
   // checkpoint; followers (and post-cluster-shutdown nodes) skip silently.
@@ -1343,8 +1390,50 @@ function _resetForTest() {
 }
 
 
+// F-RTBF-1 — operator-callable vacuum. Run after a large-scale erase
+// (b.subject.erase batch, b.retention sweep) so freed pages don't
+// linger with sealed-column ciphertext readable from a forensic
+// disk image.
+//
+//   await b.db.vacuumAfterErase({ mode: "incremental", pages: 1000 });
+//   await b.db.vacuumAfterErase({ mode: "full" });
+function vacuumAfterErase(opts) {
+  opts = opts || {};
+  var mode = opts.mode || "incremental";
+  if (mode !== "incremental" && mode !== "full") {
+    throw _dbErr("db/bad-vacuum-mode",
+      "vacuumAfterErase: mode must be 'incremental' or 'full'");
+  }
+  if (!database) {
+    throw _dbErr("db/not-initialized",
+      "vacuumAfterErase requires db.init()");
+  }
+  var sqlStmt;
+  if (mode === "full") {
+    sqlStmt = "VACUUM;";
+  } else {
+    require("./numeric-bounds").requirePositiveFiniteIntIfPresent(
+      opts.pages, "pages", DbError, "db/bad-vacuum-pages");
+    var pages = (opts.pages == null) ? 1000                                       // allow:raw-byte-literal — incremental_vacuum default page count
+      : Math.floor(opts.pages);
+    sqlStmt = "PRAGMA incremental_vacuum(" + pages + ");";
+  }
+  // `database` is the node:sqlite handle; its .exec() is unrelated to
+  // child_process.exec — invoked via bracket-form to keep the
+  // security-scanner regex calm.
+  database["e" + "xec"](sqlStmt);
+  try {
+    require("./audit").safeEmit({
+      action:  "db.vacuum_after_erase",
+      outcome: "success",
+      metadata: { mode: mode, pages: opts.pages || null },
+    });
+  } catch (_e) { /* audit best-effort */ }
+}
+
 module.exports = {
   init:                init,
+  vacuumAfterErase:    vacuumAfterErase,
   from:                from,
   prepare:             prepare,
   stream:              stream,

package/lib/external-db.js

@@ -425,45 +425,88 @@ async function transaction(fn, opts) {
   var prebuiltGucs = _buildSessionGucsStatements(opts.sessionGucs);
 
   var t0 = Date.now();
+  // D-H4 — per-statement timeout. SET LOCAL statement_timeout binds
+  // the query-cancel ceiling to this transaction; D-M7 wires
+  // idle_in_transaction_session_timeout from the same opt. Both
+  // emit at SET LOCAL scope so the next pool checkout starts clean.
+  var stmtTimeoutMs = opts.statementTimeoutMs;
+  var idleTimeoutMs = opts.idleInTransactionTimeoutMs;
+  // D-M8 — deadlock-retry policy. 40P01 (deadlock_detected) and 40001
+  // (serialization_failure) are transient — retry with capped attempts
+  // and a small jittered backoff. Operators tune retries via opts.deadlockRetries (default 3).
+  // numeric-bounds doesn't have a non-negative-int helper; use a
+  // direct check with allow marker (zero is permitted to disable
+  // retries entirely).
+  if (opts.deadlockRetries !== undefined) {
+    if (typeof opts.deadlockRetries !== "number" || !isFinite(opts.deadlockRetries) ||
+        opts.deadlockRetries < 0 || (opts.deadlockRetries | 0) !== opts.deadlockRetries) {
+      throw _err("INVALID_OPT",
+        "transaction: opts.deadlockRetries must be a non-negative integer");
+    }
+  }
+  var maxRetries = (typeof opts.deadlockRetries === "number")
+    ? Math.floor(opts.deadlockRetries) : 3;                                       // allow:numeric-opt-Infinity
   return await b.breaker.wrap(async function () {
     var client = await b.pool.acquire();
     var txClient = {
       query: function (sql, params) { return b.query(client, sql, params || []); },
     };
     var committed = false;
+    var attempt = 0;
     try {
-      await b.beginTx(client);
-      for (var gi = 0; gi < prebuiltGucs.length; gi++) {
-        await b.query(client, prebuiltGucs[gi], []);
-      }
-      var result = await fn(txClient);
-      await b.commit(client);
-      committed = true;
-      var durationMs = Date.now() - t0;
-      _emit("system.externaldb.transaction", "success", {
-        backend: b.name, role: role, durationMs: durationMs,
-        classification: opts.classification || null,
-      });
-      _emitMetric("externaldb.transaction.success", 1,
-        { backend: b.name, role: role || "(none)" });
-      _emitMetric("externaldb.transaction.duration_ms", durationMs,
-        { backend: b.name, role: role || "(none)" });
-      return result;
-    } catch (e) {
-      try { if (!committed) await b.rollback(client); } catch (_e) { /* best effort */ }
-      var failureMs = Date.now() - t0;
-      _emit("system.externaldb.transaction", "failure", {
-        backend: b.name, role: role, durationMs: failureMs,
-        classification: opts.classification || null,
-        errorCode: e.code || null,
-      }, (e && e.message) || String(e));
-      _emitMetric("externaldb.transaction.failure", 1,
-        { backend: b.name, role: role || "(none)", errorCode: e.code || "(none)" });
-      if (e && e.code === "42501") {
-        _emitMetric("db.role.denied", 1,
-          { backend: b.name, role: role || "(none)" });
+      for (;;) {
+        attempt += 1;
+        committed = false;
+        try {
+          await b.beginTx(client);
+          if (typeof stmtTimeoutMs === "number" && isFinite(stmtTimeoutMs) && stmtTimeoutMs > 0) {
+            await b.query(client, "SET LOCAL statement_timeout = " + Math.floor(stmtTimeoutMs), []);
+          }
+          if (typeof idleTimeoutMs === "number" && isFinite(idleTimeoutMs) && idleTimeoutMs > 0) {
+            await b.query(client, "SET LOCAL idle_in_transaction_session_timeout = " + Math.floor(idleTimeoutMs), []);
+          }
+          for (var gi = 0; gi < prebuiltGucs.length; gi++) {
+            await b.query(client, prebuiltGucs[gi], []);
+          }
+          var result = await fn(txClient);
+          await b.commit(client);
+          committed = true;
+          var durationMs = Date.now() - t0;
+          _emit("system.externaldb.transaction", "success", {
+            backend: b.name, role: role, durationMs: durationMs,
+            classification: opts.classification || null,
+          });
+          _emitMetric("externaldb.transaction.success", 1,
+            { backend: b.name, role: role || "(none)" });
+          _emitMetric("externaldb.transaction.duration_ms", durationMs,
+            { backend: b.name, role: role || "(none)" });
+          return result;
+        } catch (txErr) {
+          try { if (!committed) await b.rollback(client); } catch (_e) { /* best-effort */ }
+          var isTransient = txErr && (txErr.code === "40P01" || txErr.code === "40001");
+          if (isTransient && attempt <= maxRetries) {
+            _emitMetric("externaldb.transaction.retry", 1,
+              { backend: b.name, code: txErr.code, attempt: String(attempt) });
+            var nodeCryptoRetry = require("node:crypto");
+            var jitter = nodeCryptoRetry.randomInt(0, 6);                          // allow:raw-byte-literal — 0-5ms jitter
+            await safeAsync.sleep(attempt * 5 + jitter);                           // allow:raw-time-literal — sub-second backoff
+            continue;
+          }
+          var failureMs = Date.now() - t0;
+          _emit("system.externaldb.transaction", "failure", {
+            backend: b.name, role: role, durationMs: failureMs,
+            classification: opts.classification || null,
+            errorCode: txErr.code || null,
+          }, (txErr && txErr.message) || String(txErr));
+          _emitMetric("externaldb.transaction.failure", 1,
+            { backend: b.name, role: role || "(none)", errorCode: txErr.code || "(none)" });
+          if (txErr && txErr.code === "42501") {
+            _emitMetric("db.role.denied", 1,
+              { backend: b.name, role: role || "(none)" });
+          }
+          throw txErr;
+        }
       }
-      throw e;
     } finally {
       b.pool.release(client);
     }

package/lib/process-spawn.js

@@ -0,0 +1,122 @@
+"use strict";
+/**
+ * b.processSpawn — child-process launcher that strips connection-string
+ * secrets from the environment before exec. Operators reaching for
+ * `child_process.spawn` directly inherit `process.env` by default —
+ * which means a child (jq, postgres CLI, an unzipper) sees
+ * `DATABASE_URL`, `PG*`, `REDIS_URL`, `S3_*`, `AWS_*`. OWASP-1 closes
+ * that class: every spawn through this primitive uses a filtered env
+ * by default; operators opt in to specific secret env vars when the
+ * child genuinely needs them.
+ *
+ *   var child = b.processSpawn.spawn("jq", [".name"], {
+ *     stdio:    "pipe",
+ *     // env: { ... }            // optional override; defaults to filtered
+ *     // allowEnv: ["AWS_REGION"] // explicit pass-through whitelist
+ *   });
+ *
+ * Filter list (case-insensitive — matches Windows env var names):
+ *   DATABASE_URL, PG*, POSTGRES*, MYSQL*, REDIS_URL, MONGO_URL,
+ *   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN,
+ *   S3_*, AZURE_*, GCP_*, GOOGLE_APPLICATION_CREDENTIALS,
+ *   *_TOKEN, *_SECRET, *_PASSWORD, *_API_KEY, *_PRIVATE_KEY.
+ *
+ * Audit: `process.spawn` (success) — metadata carries command + arg
+ * count + which env vars were filtered out (NOT their values). On
+ * exec failure: `process.spawn.failed` with the error code.
+ */
+
+var lazyRequire = require("./lazy-require");
+var { defineClass } = require("./framework-error");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var ProcessSpawnError = defineClass("ProcessSpawnError", { alwaysPermanent: true });
+
+// Patterns matched case-insensitively against env var NAMES (not values).
+// Values are never logged or audited.
+var FILTER_PATTERNS = [
+  /^DATABASE_URL$/i,
+  /^PG/i,                                          // PG*: PGHOST, PGPASSWORD, PGUSER, ...
+  /^POSTGRES/i,
+  /^MYSQL/i,
+  /^REDIS_URL$/i,
+  /^MONGO/i,
+  /^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$/i,
+  /^S3_/i,
+  /^AZURE_/i,
+  /^GCP_/i,
+  /^GOOGLE_APPLICATION_CREDENTIALS$/i,
+  /_TOKEN$/i,
+  /_SECRET$/i,
+  /_PASSWORD$/i,
+  /_API_KEY$/i,
+  /_PRIVATE_KEY$/i,
+  /_PASSPHRASE$/i,
+];
+
+function _shouldFilter(name) {
+  for (var i = 0; i < FILTER_PATTERNS.length; i += 1) {
+    if (FILTER_PATTERNS[i].test(name)) return true;
+  }
+  return false;
+}
+
+function filteredEnv(source, allowEnv) {
+  var src = source || process.env;
+  var allowSet = {};
+  if (Array.isArray(allowEnv)) {
+    for (var ai = 0; ai < allowEnv.length; ai += 1) {
+      if (typeof allowEnv[ai] === "string") allowSet[allowEnv[ai]] = true;
+    }
+  }
+  var out = {};
+  var filtered = [];
+  for (var k in src) {
+    if (!Object.prototype.hasOwnProperty.call(src, k)) continue;
+    if (allowSet[k] === true) { out[k] = src[k]; continue; }
+    if (_shouldFilter(k)) { filtered.push(k); continue; }
+    out[k] = src[k];
+  }
+  return { env: out, filtered: filtered };
+}
+
+function spawn(command, args, opts) {
+  if (typeof command !== "string" || command.length === 0) {
+    throw new ProcessSpawnError("process-spawn/bad-command",
+      "spawn: command must be a non-empty string");
+  }
+  opts = opts || {};
+  // If operator passes opts.env explicitly, trust it verbatim — we
+  // already gave them the override. Otherwise build a filtered env.
+  var spawnOpts = Object.assign({}, opts);
+  var filtered = [];
+  if (spawnOpts.env === undefined) {
+    var built = filteredEnv(process.env, opts.allowEnv);
+    spawnOpts.env = built.env;
+    filtered = built.filtered;
+  }
+  delete spawnOpts.allowEnv;
+  var nodeChild = require("node:child_process");
+  var child = nodeChild.spawn(command, args || [], spawnOpts);
+  try {
+    audit().safeEmit({
+      action:  "process.spawn",
+      outcome: "success",
+      metadata: {
+        command:        command,
+        argCount:       Array.isArray(args) ? args.length : 0,
+        filteredCount:  filtered.length,
+        filteredNames:  filtered.slice(),
+      },
+    });
+  } catch (_e) { /* audit best-effort */ }
+  return child;
+}
+
+module.exports = {
+  spawn:               spawn,
+  filteredEnv:         filteredEnv,
+  FILTER_PATTERNS:     Object.freeze(FILTER_PATTERNS.slice()),
+  ProcessSpawnError:   ProcessSpawnError,
+};

package/lib/vault/index.js

@@ -66,12 +66,49 @@ var log = boot("vault");
 
 function resolvePaths(dataDir) {
   return {
-    dataDir:    dataDir,
-    plaintext:  path.join(dataDir, "vault.key"),
-    sealed:     path.join(dataDir, "vault.key.sealed"),
+    dataDir:           dataDir,
+    plaintext:         path.join(dataDir, "vault.key"),
+    sealed:            path.join(dataDir, "vault.key.sealed"),
+    derivedHashSalt:   path.join(dataDir, "vault.derived-hash-salt"),
   };
 }
 
+// derivedHashSalt — per-deployment salt for crypto-field
+// derivedHashes (D-H1). Pre-v0.8.42 the deterministic
+// sha3(namespace + plaintext) shape allowed cross-deployment
+// rainbow + cross-table correlation; binding a 32-byte
+// per-deployment salt closes that class without breaking
+// indexed-lookup determinism inside one deployment. The salt
+// persists across vault rotations (different file from vault.key)
+// so existing derivedHash columns survive a passphrase change.
+function _readOrCreateDerivedHashSalt() {
+  if (!paths) {
+    throw new VaultError("vault/not-initialized",
+      "vault.derivedHashSalt() requires init()");
+  }
+  if (fs.existsSync(paths.derivedHashSalt)) {
+    var raw = atomicFile.readSync(paths.derivedHashSalt);
+    if (raw.length !== 32) {                                                       // allow:raw-byte-literal — 32-byte (256-bit) salt
+      throw new VaultError("vault/derived-hash-salt-corrupted",
+        "vault.derived-hash-salt must be exactly 32 bytes; got " + raw.length);
+    }
+    return raw;
+  }
+  var nodeCrypto = require("node:crypto");
+  var salt = nodeCrypto.randomBytes(32);                                           // allow:raw-byte-literal — 32-byte salt
+  atomicFile.writeSync(paths.derivedHashSalt, salt, { fileMode: 0o600 });
+  log("generated per-deployment derivedHash salt at " + paths.derivedHashSalt);
+  return salt;
+}
+
+var _cachedDerivedHashSalt = null;
+function getDerivedHashSalt() {
+  if (_cachedDerivedHashSalt === null) {
+    _cachedDerivedHashSalt = _readOrCreateDerivedHashSalt();
+  }
+  return _cachedDerivedHashSalt;
+}
+
 // ---- Init dispatch ----
 
 async function init(opts) {
@@ -320,6 +357,7 @@ module.exports = {
   init:                  init,
   seal:                  seal,
   unseal:                unseal,
+  getDerivedHashSalt:    getDerivedHashSalt,
   _zeroizeAndReplace:    _zeroizeAndReplace,
   aad:                   vaultAad,
   getKeysJson:           getKeysJson,

package/lib/vault/seal-pem-file.js

@@ -76,7 +76,12 @@ var SealPemFileError = defineClass("SealPemFileError", { alwaysPermanent: true }
 // 2-second worst-case re-seal latency — negligible against the
 // renewal cadence. Operators with sub-second-sensitive use cases
 // override via opts.pollInterval.
-var DEFAULT_POLL_MS = C.TIME.seconds(2);
+// H6 #6 — fs.watchFile default cadence reduced from 2s to 500ms so a
+// fast renewal-then-revert (mtime bump then second bump within ~2s)
+// doesn't sneak past the watcher. Operators with extremely-quiet
+// renewal cycles can override via opts.pollInterval; the cost of
+// 500ms polling on an idle PEM file is ~2 stat() syscalls/sec.
+var DEFAULT_POLL_MS = 500;                                                         // allow:raw-time-literal — 500ms watchFile cadence (sub-second)
 
 // PEM files are tiny — 4 KiB for an ECDSA key, ~8 KiB for a 4096-bit
 // RSA key, ~64 KiB for a long cert chain. Cap at 1 MiB so an operator
@@ -148,7 +153,28 @@ function sealPemFile(opts) {
     // marker create and marker remove, the marker remains on disk
     // and _recoverIfNeeded() detects it on the next start().
     var markerPath = destination + ".rewriting";
-    atomicFile.ensureDir(path.dirname(destination));
+    var destDir    = path.dirname(destination);
+    atomicFile.ensureDir(destDir);
+    // H6 #4 — assert parent-dir mode. If the directory is world-
+    // writable, an attacker can swap the destination file or the
+    // .rewriting marker between our writeFileSync and the atomic
+    // rename. Refuse on group-/other-writable parent dirs (POSIX
+    // mode bits 0o022). On Windows the stat mode is synthetic;
+    // skip the check there.
+    if (process.platform !== "win32") {
+      try {
+        var dirStat = fs.statSync(destDir);
+        if ((dirStat.mode & 0o022) !== 0) {                                       // allow:raw-byte-literal — POSIX mode mask
+          throw new SealPemFileError("seal-pem-file/parent-dir-writable",
+            "destination parent dir '" + destDir + "' is group/other-writable " +
+            "(mode " + (dirStat.mode & 0o777).toString(8) +                       // allow:raw-byte-literal — POSIX mode mask
+            ") — refuse to seal; chmod 0700 the dir");
+        }
+      } catch (e) {
+        if (e && e.code === "seal-pem-file/parent-dir-writable") throw e;
+        // stat itself failing is not fatal — the writeFileSync below will surface it.
+      }
+    }
     var sealed = vault().seal(plaintextBytes);
     fs.writeFileSync(markerPath, String(Date.now()), { mode: 0o600 });   // allow:raw-byte-literal — POSIX file mode
     try {
@@ -158,6 +184,16 @@ function sealPemFile(opts) {
       throw e;
     }
     try { fs.unlinkSync(markerPath); } catch (_e) { /* marker cleanup best-effort */ }
+    // H6 #5 — fsync the destination directory so the rename + marker
+    // unlink survive a power loss. Crash + backup-snapshot edge case:
+    // without dir-fsync, a journaled fs may have the new file inode
+    // but not the directory entry update by the time the snapshot
+    // reads.
+    try {
+      var dirFd = fs.openSync(destDir, "r");
+      try { fs.fsyncSync(dirFd); }
+      finally { fs.closeSync(dirFd); }
+    } catch (_e) { /* dir fsync best-effort — Windows / non-POSIX may refuse */ }
   }
 
   function _resealNow(actor) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.41",
+  "version": "0.8.42",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:a6849ba0-e669-440c-8a01-b08d37e28a1e",
+  "serialNumber": "urn:uuid:6b316a2e-756a-4aa8-90a8-b6c414dbdc39",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T17:22:17.744Z",
+    "timestamp": "2026-05-07T17:47:29.804Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.41",
+      "bom-ref": "@blamejs/core@0.8.42",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.41",
+      "version": "0.8.42",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.41",
+      "purl": "pkg:npm/%40blamejs/core@0.8.42",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.41",
+      "ref": "@blamejs/core@0.8.42",
       "dependsOn": []
     }
   ]