@blamejs/core 0.9.12 → 0.9.15

package/lib/db-file-lifecycle.js

@@ -57,9 +57,9 @@
  *   bun:sqlite).
  */
 
-var fs   = require("fs");
+var nodeFs   = require("fs");
 var os   = require("os");
-var path = require("path");
+var nodePath = require("path");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
 var { generateBytes, generateToken, encryptPacked, decryptPacked } = require("./crypto");
@@ -92,7 +92,7 @@ function _resolveTmpDir(operatorTmpDir, allowDiskFallback) {
   // Linux: /dev/shm is the standard tmpfs mount.
   if (process.platform === "linux") {
     try {
-      var st = fs.statSync("/dev/shm");
+      var st = nodeFs.statSync("/dev/shm");
       if (st && st.isDirectory()) return "/dev/shm";
     } catch (_e) { /* fall through */ }
   }
@@ -115,8 +115,8 @@ function _resolveTmpDir(operatorTmpDir, allowDiskFallback) {
  * Returns an encrypted-DB-file lifecycle handle. Methods:
  *
  *   - `decryptToTmp()` — decrypt the encrypted DB file to a fresh
- *     tmpfs path and return the path. Idempotent: subsequent calls
- *     return the existing path.
+ *     tmpfs path and return the nodePath. Idempotent: subsequent calls
+ *     return the existing nodePath.
  *   - `dbPath` — the resolved plaintext-tmpfs path (set after
  *     `decryptToTmp()` runs).
  *   - `startFlushTimer(db, opts?)` — start a periodic flush timer
@@ -164,15 +164,15 @@ function fileLifecycle(opts) {
   var label = opts.label || "default";
   var encName = opts.encryptedDbName || "db.enc";
   var encPath = opts.encryptedDbPath
-    ? path.resolve(opts.encryptedDbPath)
-    : path.join(opts.dataDir, encName);
+    ? nodePath.resolve(opts.encryptedDbPath)
+    : nodePath.join(opts.dataDir, encName);
   var keyPath = opts.dbKeyPath
-    ? path.resolve(opts.dbKeyPath)
-    : path.join(opts.dataDir, "db.key.enc");
+    ? nodePath.resolve(opts.dbKeyPath)
+    : nodePath.join(opts.dataDir, "db.key.enc");
   var flushIntervalMs = opts.flushIntervalMs || DEFAULT_FLUSH_INTERVAL_MS;
   var tmpDir = _resolveTmpDir(opts.tmpDir, opts.allowDiskFallback === true);
-  if (!fs.existsSync(tmpDir)) fs.mkdirSync(tmpDir, { recursive: true });
-  if (!fs.existsSync(opts.dataDir)) fs.mkdirSync(opts.dataDir, { recursive: true });
+  if (!nodeFs.existsSync(tmpDir)) nodeFs.mkdirSync(tmpDir, { recursive: true });
+  if (!nodeFs.existsSync(opts.dataDir)) nodeFs.mkdirSync(opts.dataDir, { recursive: true });
 
   var dbPath = null;
   var encKey = null;
@@ -181,8 +181,8 @@ function fileLifecycle(opts) {
 
   function _loadOrGenerateKey() {
     if (encKey) return encKey;
-    if (fs.existsSync(keyPath)) {
-      var sealedKey = fs.readFileSync(keyPath, "utf8");
+    if (nodeFs.existsSync(keyPath)) {
+      var sealedKey = nodeFs.readFileSync(keyPath, "utf8");
       var keyB64;
       try { keyB64 = opts.vault.unseal(sealedKey); }
       catch (e) {
@@ -208,10 +208,10 @@ function fileLifecycle(opts) {
   function decryptToTmp() {
     if (decrypted) return dbPath;
     _loadOrGenerateKey();
-    dbPath = path.join(tmpDir, "blamejs-fl-" + label + "-" +
+    dbPath = nodePath.join(tmpDir, "blamejs-fl-" + label + "-" +
       generateToken(TMP_NAME_BYTES) + ".db");
-    if (fs.existsSync(encPath)) {
-      var packed = fs.readFileSync(encPath);
+    if (nodeFs.existsSync(encPath)) {
+      var packed = nodeFs.readFileSync(encPath);
       if (packed.length < 26) {                                                                  // allow:raw-byte-literal — minimum envelope length
         throw new DbFileLifecycleError("db-file-lifecycle/short-envelope",
           "fileLifecycle: " + encPath + " too short to be a valid envelope (" + packed.length + " bytes)");
@@ -231,7 +231,7 @@ function fileLifecycle(opts) {
       label:    label,
       encPath:  encPath,
       dbPath:   dbPath,
-      isEmpty:  !fs.existsSync(encPath),
+      isEmpty:  !nodeFs.existsSync(encPath),
     });
     _emitMetric("decrypted");
     return dbPath;
@@ -246,8 +246,8 @@ function fileLifecycle(opts) {
       try { db.prepare("PRAGMA wal_checkpoint(TRUNCATE)").run(); }
       catch (_e) { /* best-effort — operators on read-only handles or pre-init still flush */ }
     }
-    if (!fs.existsSync(dbPath)) return null;
-    var plain = fs.readFileSync(dbPath);
+    if (!nodeFs.existsSync(dbPath)) return null;
+    var plain = nodeFs.readFileSync(dbPath);
     var packed = encryptPacked(plain, encKey, _aad(opts.dataDir, label));
     atomicFile.writeSync(encPath, packed);
     _emitAudit("flushed", "success", { label: label, bytes: plain.length });
@@ -264,11 +264,11 @@ function fileLifecycle(opts) {
       try { db.prepare("PRAGMA wal_checkpoint(TRUNCATE)").run(); }
       catch (_e) { /* best-effort */ }
     }
-    if (!fs.existsSync(dbPath)) {
+    if (!nodeFs.existsSync(dbPath)) {
       throw new DbFileLifecycleError("db-file-lifecycle/no-source",
         "fileLifecycle.snapshot: " + dbPath + " is missing");
     }
-    var plain = fs.readFileSync(dbPath);
+    var plain = nodeFs.readFileSync(dbPath);
     return encryptPacked(plain, encKey, _aad(opts.dataDir, label));
   }
 
@@ -308,9 +308,9 @@ function fileLifecycle(opts) {
       try { db.close(); } catch (_e) { /* best-effort */ }
     }
     if (fopts.removePlaintext === true && dbPath) {
-      try { fs.unlinkSync(dbPath); } catch (_e) { /* best-effort */ }
-      try { fs.unlinkSync(dbPath + "-wal"); } catch (_e) { /* best-effort */ }
-      try { fs.unlinkSync(dbPath + "-shm"); } catch (_e) { /* best-effort */ }
+      try { nodeFs.unlinkSync(dbPath); } catch (_e) { /* best-effort */ }
+      try { nodeFs.unlinkSync(dbPath + "-wal"); } catch (_e) { /* best-effort */ }
+      try { nodeFs.unlinkSync(dbPath + "-shm"); } catch (_e) { /* best-effort */ }
     }
     _emitAudit("shutdown", "success", { label: label });
   }

package/lib/db-schema.js

@@ -36,7 +36,7 @@
  *                             surfaces a rollback throw without
  *                             swallowing the original error.
  */
-var path = require("path");
+var nodePath = require("path");
 var atomicFile = require("./atomic-file");
 var safeSql = require("./safe-sql");
 
@@ -280,7 +280,7 @@ function runMigrations(database, migrationDir) {
       skipped.push(file);
       continue;
     }
-    var fullPath = path.join(migrationDir, file);
+    var fullPath = nodePath.join(migrationDir, file);
     var mig;
     try {
       // Operator-supplied migration file — by definition not statically

package/lib/db.js

@@ -41,8 +41,8 @@
  * @card
  *   Database core — SQLite (node:sqlite) wrapped in encrypted-at-rest storage, sealed-column field-level crypto, append-only audit-chain integration, declarative schema reconcile, and run-once migrations.
  */
-var fs = require("fs");
-var path = require("path");
+var nodeFs = require("fs");
+var nodePath = require("path");
 var { DatabaseSync } = require("node:sqlite");
 var { Readable } = require("node:stream");
 var atomicFile = require("./atomic-file");
@@ -92,7 +92,7 @@ var _dbErr = DbError.factory;
 
 // Lazy: cluster-storage's _localDb pulls db back in, so eager require
 // would deadlock the load order. cluster-storage is only used on the
-// purge-audit-chain external-db path, which always runs after init.
+// purge-audit-chain external-db nodePath, which always runs after init.
 var clusterStorage = lazyRequire(function () { return require("./cluster-storage"); });
 
 // Lazy refs for the test-reset cascade. Each module requires db.js
@@ -639,7 +639,7 @@ function resolveTmpDir(optsTmpDir) {
   if (optsTmpDir) return optsTmpDir;
   var envTmp = safeEnv.readVar("BLAMEJS_TMPDIR");
   if (envTmp) return envTmp;
-  if (fs.existsSync("/dev/shm")) return "/dev/shm";
+  if (nodeFs.existsSync("/dev/shm")) return "/dev/shm";
   return null;
 }
 
@@ -650,8 +650,8 @@ function loadOrCreateDbKey(dataDirPath, keyPathOverride) {
   // needs to live outside `dataDir` (e.g. a separate volume mounted
   // from a KMS-fronted secret store). Default places it next to the
   // encrypted DB so backup capture is one-tarball.
-  var keyPath = keyPathOverride || path.join(dataDirPath, "db.key.enc");
-  if (fs.existsSync(keyPath)) {
+  var keyPath = keyPathOverride || nodePath.join(dataDirPath, "db.key.enc");
+  if (nodeFs.existsSync(keyPath)) {
     var sealed = atomicFile.readSync(keyPath, { encoding: "utf8" }).trim();
     var b64 = vault.unseal(sealed);
     if (!b64) {
@@ -669,18 +669,18 @@ function loadOrCreateDbKey(dataDirPath, keyPathOverride) {
 }
 
 function decryptToTmp() {
-  if (!encPath || !fs.existsSync(encPath)) return;
+  if (!encPath || !nodeFs.existsSync(encPath)) return;
   // If a plaintext file already exists in tmpfs from a prior process, prefer
   // the newer mtime (crash recovery — operator's most recent state wins).
-  if (fs.existsSync(dbPath)) {
-    var plainStat = fs.statSync(dbPath);
-    var encStat = fs.statSync(encPath);
+  if (nodeFs.existsSync(dbPath)) {
+    var plainStat = nodeFs.statSync(dbPath);
+    var encStat = nodeFs.statSync(encPath);
     if (plainStat.mtimeMs > encStat.mtimeMs && plainStat.size > 0) {
       log("plaintext is newer than encrypted — keeping plaintext (crash recovery)");
       return;
     }
   }
-  var packed = fs.readFileSync(encPath);
+  var packed = nodeFs.readFileSync(encPath);
   if (packed.length < 26) return; // too short to be a valid envelope
   // AAD binds the envelope to this deployment's data dir so two
   // installs sharing the same operator passphrase can't swap each
@@ -703,8 +703,8 @@ function encryptToDisk() {
   if (!encPath) return;
   // Force WAL checkpoint so the .db file holds all committed transactions.
   try { runSql(database, "PRAGMA wal_checkpoint(TRUNCATE)"); } catch (_e) { /* best effort */ }
-  if (!fs.existsSync(dbPath)) return;
-  atomicFile.writeSync(encPath, encryptPacked(fs.readFileSync(dbPath), encKey, _dbEncAad(dataDir)));
+  if (!nodeFs.existsSync(dbPath)) return;
+  atomicFile.writeSync(encPath, encryptPacked(nodeFs.readFileSync(dbPath), encKey, _dbEncAad(dataDir)));
 }
 
 /**
@@ -737,11 +737,11 @@ function snapshot() {
   // so the snapshot reflects the current logical state, not just the
   // pre-WAL pages.
   try { runSql(database, "PRAGMA wal_checkpoint(TRUNCATE)"); } catch (_e) { /* best effort */ }
-  if (!fs.existsSync(dbPath)) {
+  if (!nodeFs.existsSync(dbPath)) {
     throw _dbErr("db/snapshot-no-source",
       "snapshot: plaintext DB at " + dbPath + " is missing — did init complete?");
   }
-  var plain = fs.readFileSync(dbPath);
+  var plain = nodeFs.readFileSync(dbPath);
   if (!encPath || !encKey) {
     // atRest: 'plain' — return the raw bytes. Operators wanting an
     // encrypted snapshot under plain mode wrap with their own
@@ -756,9 +756,9 @@ function snapshot() {
 // database.close().
 function removePlaintextFiles() {
   if (!dbPath) return;
-  try { fs.unlinkSync(dbPath); } catch (_e) { /* cleanup */ }
-  try { fs.unlinkSync(dbPath + "-wal"); } catch (_e) { /* cleanup */ }
-  try { fs.unlinkSync(dbPath + "-shm"); } catch (_e) { /* cleanup */ }
+  try { nodeFs.unlinkSync(dbPath); } catch (_e) { /* cleanup */ }
+  try { nodeFs.unlinkSync(dbPath + "-wal"); } catch (_e) { /* cleanup */ }
+  try { nodeFs.unlinkSync(dbPath + "-shm"); } catch (_e) { /* cleanup */ }
 }
 
 // Clean up stale plaintext DB files left by previously-crashed processes.
@@ -771,9 +771,9 @@ function cleanStaleTmpDbs(tmpDir) {
   for (var i = 0; i < entries.length; i++) {
     var full = entries[i].fullPath;
     if (full === dbPath) continue;
-    try { fs.unlinkSync(full); } catch (_e) { /* concurrent cleanup */ }
-    try { fs.unlinkSync(full + "-wal"); } catch (_e) { /* may not exist */ }
-    try { fs.unlinkSync(full + "-shm"); } catch (_e) { /* may not exist */ }
+    try { nodeFs.unlinkSync(full); } catch (_e) { /* concurrent cleanup */ }
+    try { nodeFs.unlinkSync(full + "-wal"); } catch (_e) { /* may not exist */ }
+    try { nodeFs.unlinkSync(full + "-shm"); } catch (_e) { /* may not exist */ }
   }
 }
 
@@ -865,7 +865,7 @@ async function init(opts) {
     streamLimit = opts.streamLimit;
   }
   dataDir = opts.dataDir;
-  if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
+  if (!nodeFs.existsSync(dataDir)) nodeFs.mkdirSync(dataDir, { recursive: true });
 
   if (atRest === "encrypted") {
     var tmpDir = resolveTmpDir(opts.tmpDir);
@@ -874,7 +874,7 @@ async function init(opts) {
         "FATAL: atRest: 'encrypted' (default) requires tmpfs but none was found. " +
         "Provide opts.tmpDir or set BLAMEJS_TMPDIR, or pass atRest: 'plain' (with warning).");
     }
-    if (!fs.existsSync(tmpDir)) fs.mkdirSync(tmpDir, { recursive: true });
+    if (!nodeFs.existsSync(tmpDir)) nodeFs.mkdirSync(tmpDir, { recursive: true });
 
     // D-H7 — if the resolved tmpDir is NOT actually tmpfs, the
     // plaintext DB file lives on persistent storage. statvfs/statfs
@@ -884,7 +884,7 @@ async function init(opts) {
     // out-of-band.
     if (process.platform === "linux") {
       var realTmp = "";
-      try { realTmp = fs.realpathSync(tmpDir); } catch (_e) { /* stat best-effort */ }
+      try { realTmp = nodeFs.realpathSync(tmpDir); } catch (_e) { /* stat best-effort */ }
       if (realTmp.indexOf("/dev/shm") !== 0 && realTmp.indexOf("/run/shm") !== 0 &&
           realTmp.indexOf("/run/user/") !== 0 && realTmp.indexOf("/tmp") !== 0) {
         log.warn("WARNING: db.init: tmpDir '" + tmpDir + "' (real: '" + realTmp +
@@ -894,13 +894,13 @@ async function init(opts) {
       }
     }
 
-    // Operator overrides for the encrypted-DB on-disk path. `opts.encryptedDbPath`
-    // takes a fully-qualified path; `opts.encryptedDbName` overrides
+    // Operator overrides for the encrypted-DB on-disk nodePath. `opts.encryptedDbPath`
+    // takes a fully-qualified nodePath; `opts.encryptedDbName` overrides
     // just the basename under `dataDir` (default "db.enc"). Helps when
     // multiple framework-shaped instances share a dataDir.
     encPath = opts.encryptedDbPath ||
-              path.join(dataDir, opts.encryptedDbName || "db.enc");
-    dbPath  = path.join(tmpDir, "blamejs-" + generateToken(C.BYTES.bytes(16)) + ".db");
+              nodePath.join(dataDir, opts.encryptedDbName || "db.enc");
+    dbPath  = nodePath.join(tmpDir, "blamejs-" + generateToken(C.BYTES.bytes(16)) + ".db");
     encKey  = loadOrCreateDbKey(dataDir, opts.dbKeyPath);
 
     cleanStaleTmpDbs(tmpDir);
@@ -910,7 +910,7 @@ async function init(opts) {
     log.warn("WARNING: atRest: 'plain' — DB structure and row counts visible on disk.");
     log.warn("         Field-level encryption (sealedFields) still protects sealed columns,");
     log.warn("         but the simpler at-rest model is opt-out only. Default is 'encrypted'.");
-    dbPath = path.join(dataDir, "blamejs.db");
+    dbPath = nodePath.join(dataDir, "blamejs.db");
     encPath = null;
     encKey = null;
   }
@@ -1479,7 +1479,7 @@ function stream(sql) {
           this.destroy(new DbError("db/stream-limit-exceeded",
             "db.stream: emitted " + emitted + " rows, exceeding streamLimit " +
             perCallLimit + ". Pass opts.streamLimit higher OR raise via " +
-            "db.init({ streamLimit }) after auditing the export path."));
+            "db.init({ streamLimit }) after auditing the export nodePath."));
           return;
         }
         var step = iter.next();
@@ -1499,7 +1499,7 @@ function stream(sql) {
 // review can reconstruct schema evolution from the chain alone (D-M1).
 var DDL_RE = /^\s*(CREATE|DROP|ALTER|TRUNCATE|RENAME|ATTACH|DETACH|REINDEX)\b/i;
 
-// D-L7 — slow-query observability buckets for the local SQLite path.
+// D-L7 — slow-query observability buckets for the local SQLite nodePath.
 // Highest matched bucket wins so the per-query emit is single-shot;
 // operators dashboard on the `bucket` label.
 var _SLOW_QUERY_BUCKETS_LOCAL = Object.freeze([
@@ -1907,7 +1907,7 @@ function exportCsv(opts) {
  * cluster leader, re-encrypts the live tmpfs database back to
  * `<dataDir>/db.enc`, closes the SQLite handle (releasing the file
  * lock on Windows), then unlinks the plaintext sidecar files in
- * tmpfs. Safe to call multiple times — no-ops after the first
+ * tmpnodeFs. Safe to call multiple times — no-ops after the first
  * successful close.
  *
  * @example
@@ -2327,8 +2327,8 @@ function eraseHard(tableName, rowId, opts) {
 // Read the audit.tip sidecar file in dataDir and compare to the current
 // audit_log MAX(monotonicCounter). Refuse boot on rollback (current < tip).
 function _checkRollback(dataDirPath) {
-  var tipPath = path.join(dataDirPath, "audit.tip");
-  if (!fs.existsSync(tipPath)) {
+  var tipPath = nodePath.join(dataDirPath, "audit.tip");
+  if (!nodeFs.existsSync(tipPath)) {
     log("no audit.tip sidecar — skipping rollback check (first boot or operator-cleared)");
     return;
   }
@@ -3104,7 +3104,7 @@ module.exports = {
   // Helper for audit.checkpoint to write the rollback-detection sidecar
   _writeAuditTip: function (tip) {
     if (!dataDir) return;
-    var tipPath = path.join(dataDir, "audit.tip");
+    var tipPath = nodePath.join(dataDir, "audit.tip");
     atomicFile.writeSync(tipPath, JSON.stringify(tip, null, 2), { fileMode: 0o600 });
   },
 };

package/lib/dev.js

@@ -11,7 +11,7 @@
  *   spawned app's logs unchanged.
  *
  *   The hot-reload loop spawns the app as a child process, watches the
- *   source directories with `fs.watch({ recursive: true })`, and
+ *   source directories with `nodeFs.watch({ recursive: true })`, and
  *   restarts the child when an unignored file changes. On-disk state
  *   (vault keys, encrypted DB, sealed cookies) survives the restart
  *   because the child re-opens the files; only in-process state is
@@ -41,18 +41,18 @@
  *
  *   Test seams: `opts._spawn(cmd, args, sopts)` and
  *   `opts._watch(dir, wopts, listener)` default to `child_process.spawn`
- *   and `fs.watch`; unit tests pass fakes to drive the engine without
+ *   and `nodeFs.watch`; unit tests pass fakes to drive the engine without
  *   real subprocesses.
  *
  * @card
  *   Dev-mode helpers — hot-reload signal (file watch + child-process restart), route-list dump exposed via `dev.stats()`, and a request inspector courtesy of `stdio: 'inherit'` so the operator sees the spawned app's logs unchanged.
  */
 
-var path = require("path");
-var fs = require("fs");
+var nodePath = require("path");
+var nodeFs = require("fs");
 var lazyRequire = require("./lazy-require");
 var logModule = require("./log");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var safeEnv = require("./parsers/safe-env");
 var validateOpts = require("./validate-opts");
 var { FrameworkError } = require("./framework-error");
@@ -166,11 +166,11 @@ function create(opts) {
   var ignore       = Array.isArray(opts.ignore)
     ? DEFAULT_IGNORE.concat(opts.ignore)
     : DEFAULT_IGNORE.slice();
-  nb.requireNonNegativeFiniteIntIfPresent(opts.graceMs,
+  numericBounds.requireNonNegativeFiniteIntIfPresent(opts.graceMs,
     "dev.create: opts.graceMs", DevError, "dev/bad-grace-ms");
   var graceMs = opts.graceMs !== undefined ? opts.graceMs : DEFAULT_GRACE_MS;
   var killSignal   = typeof opts.killSignal === "string" ? opts.killSignal : DEFAULT_KILL_SIGNAL;
-  nb.requireNonNegativeFiniteIntIfPresent(opts.killTimeoutMs,
+  numericBounds.requireNonNegativeFiniteIntIfPresent(opts.killTimeoutMs,
     "dev.create: opts.killTimeoutMs", DevError, "dev/bad-kill-timeout-ms");
   var killTimeoutMs = opts.killTimeoutMs !== undefined ? opts.killTimeoutMs : DEFAULT_KILL_TIMEOUT_MS;
   var log          = opts.log || null;
@@ -198,7 +198,7 @@ function create(opts) {
     return childProcess().spawn(cmd, sargs, sopts);
   };
   var watchFn = opts._watch || function (dir, wopts, listener) {
-    return fs.watch(dir, wopts, listener);
+    return nodeFs.watch(dir, wopts, listener);
   };
   var setTimeoutFn  = opts._setTimeout  || setTimeout;
   var clearTimeoutFn = opts._clearTimeout || clearTimeout;
@@ -313,7 +313,7 @@ function create(opts) {
   function _onWatchEvent(dir, eventType, filename) {
     if (!filename) return;
     var rel = String(filename);
-    var full = path.join(dir, rel);
+    var full = nodePath.join(dir, rel);
     if (_matchesAny(ignore, rel) || _matchesAny(ignore, full)) return;
     _scheduleRestart(eventType + ":" + rel);
   }
@@ -321,7 +321,7 @@ function create(opts) {
   function _armWatchers() {
     for (var i = 0; i < watch.length; i++) {
       (function (dir) {
-        var resolved = path.isAbsolute(dir) ? dir : path.resolve(cwd, dir);
+        var resolved = nodePath.isAbsolute(dir) ? dir : nodePath.resolve(cwd, dir);
         var w;
         try {
           w = watchFn(resolved, { recursive: true, persistent: false }, function (eventType, filename) {

package/lib/dr-runbook.js

@@ -42,8 +42,8 @@
  *   Disaster-recovery runbook executor — composes pre-recorded regulatory steps, operator confirmation gates, and the framework's audit chain into a posture-appropriate Markdown runbook a regulator can read alongside `b.audit`.
  */
 
-var fs = require("fs");
-var path = require("path");
+var nodeFs = require("fs");
+var nodePath = require("path");
 var C = require("./constants");
 var atomicFile = require("./atomic-file");
 var lazyRequire = require("./lazy-require");
@@ -333,11 +333,11 @@ async function emit(opts) {
   var body = sections.join("\n");
 
   // Ensure outDir exists.
-  if (!fs.existsSync(opts.outDir)) {
-    fs.mkdirSync(opts.outDir, { recursive: true });
+  if (!nodeFs.existsSync(opts.outDir)) {
+    nodeFs.mkdirSync(opts.outDir, { recursive: true });
   }
   var filename = opts.filename || ("runbook-" + opts.posture + ".md");
-  var outPath = path.join(opts.outDir, filename);
+  var outPath = nodePath.join(opts.outDir, filename);
   atomicFile.writeSync(outPath, body, { fileMode: 0o644 });
 
   if (auditOn) {

package/lib/dsr.js

@@ -113,6 +113,7 @@ var C = require("./constants");
 var bCrypto = require("./crypto");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
+var safeSql = require("./safe-sql");
 var { defineClass } = require("./framework-error");
 
 var DsrError = defineClass("DsrError", { alwaysPermanent: true });
@@ -939,15 +940,21 @@ function dbTicketStore(opts) {
     throw new DsrError("dsr/bad-db",
       "dbTicketStore: opts.db must be a b.db-shaped handle (with runSql + prepare)");
   }
-  var table = opts.table || "dsr_tickets";
-  if (typeof table !== "string" || !/^[A-Za-z][A-Za-z0-9_]*$/.test(table)) {
+  var tableRaw = opts.table || "dsr_tickets";
+  var qTable, qEmailIdx, qStatusIdx;
+  try {
+    qTable     = safeSql.quoteIdentifier(tableRaw, "sqlite");
+    qEmailIdx  = safeSql.quoteIdentifier(tableRaw + "_email_idx", "sqlite");
+    qStatusIdx = safeSql.quoteIdentifier(tableRaw + "_status_idx", "sqlite");
+  } catch (sqlErr) {
     throw new DsrError("dsr/bad-table",
-      "dbTicketStore: table must be a SQL identifier ([A-Za-z][A-Za-z0-9_]*)");
+      "dbTicketStore: table must be a valid SQL identifier: " +
+      (sqlErr && sqlErr.message ? sqlErr.message : String(sqlErr)));
   }
 
   // Auto-provision schema if not already present. Idempotent.
   function ensureSchema() {
-    db.runSql("CREATE TABLE IF NOT EXISTS " + table + " (" +
+    db.runSql("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
       "id            TEXT PRIMARY KEY, " +
       "type          TEXT NOT NULL, " +
       "status        TEXT NOT NULL, " +
@@ -961,16 +968,16 @@ function dbTicketStore(opts) {
       "posture       TEXT, " +
       "payload       TEXT NOT NULL" +
     ")");
-    db.runSql("CREATE INDEX IF NOT EXISTS " + table + "_email_idx ON " +
-              table + " (subject_email)");
-    db.runSql("CREATE INDEX IF NOT EXISTS " + table + "_status_idx ON " +
-              table + " (status)");
+    db.runSql("CREATE INDEX IF NOT EXISTS " + qEmailIdx + " ON " +
+              qTable + " (subject_email)");
+    db.runSql("CREATE INDEX IF NOT EXISTS " + qStatusIdx + " ON " +
+              qTable + " (status)");
   }
   ensureSchema();
 
   return {
     insert: async function (ticket) {
-      var stmt = db.prepare("INSERT INTO " + table +
+      var stmt = db.prepare("INSERT INTO " + qTable +
         " (id, type, status, subject_id, subject_email, subject_phone, " +
         "  submitted_at, deadline_at, processed_at, verification_level, posture, payload) " +
         " VALUES ($id, $type, $status, $sid, $email, $phone, $submittedAt, " +
@@ -991,14 +998,14 @@ function dbTicketStore(opts) {
       });
     },
     get: async function (id) {
-      var rows = db.prepare("SELECT payload FROM " + table + " WHERE id = $id")
+      var rows = db.prepare("SELECT payload FROM " + qTable + " WHERE id = $id")
                    .all({ $id: id });
       if (!rows || rows.length === 0) return null;
       return JSON.parse(rows[0].payload);                                          // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
     },
     list: async function (filter) {
       filter = filter || {};
-      var sql = "SELECT payload FROM " + table;
+      var sql = "SELECT payload FROM " + qTable;
       var conds = [];
       var params = {};
       if (filter.status) {
@@ -1021,7 +1028,7 @@ function dbTicketStore(opts) {
       return rows.map(function (r) { return JSON.parse(r.payload); });             // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
     },
     update: async function (id, ticket) {
-      var stmt = db.prepare("UPDATE " + table + " SET " +
+      var stmt = db.prepare("UPDATE " + qTable + " SET " +
         " type = $type, status = $status, subject_id = $sid, " +
         " subject_email = $email, subject_phone = $phone, " +
         " submitted_at = $submittedAt, deadline_at = $deadlineAt, " +
@@ -1051,10 +1058,10 @@ function dbTicketStore(opts) {
       // Bulk-delete tickets in terminal states whose retentionUntil
       // is in the past. Returns the number of rows removed.
       var asOf = (typeof asOfMs === "number" && isFinite(asOfMs)) ? asOfMs : Date.now();
-      var rows = db.prepare("SELECT id, payload FROM " + table +
+      var rows = db.prepare("SELECT id, payload FROM " + qTable +
                             " WHERE status IN ('completed','partially_completed','cancelled','rejected','expired')").all({});
       var purged = 0;
-      var del = db.prepare("DELETE FROM " + table + " WHERE id = $id");
+      var del = db.prepare("DELETE FROM " + qTable + " WHERE id = $id");
       for (var i = 0; i < rows.length; i++) {
         try {
           var t = JSON.parse(rows[i].payload);                                      // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
@@ -1066,7 +1073,7 @@ function dbTicketStore(opts) {
       }
       return purged;
     },
-    _table:    table,
+    _table:    tableRaw,
     _ensureSchema: ensureSchema,
   };
 }

package/lib/dual-control.js

@@ -31,7 +31,7 @@
  *   M-of-N approval workflow for destructive operations (eraseHard, key rotation, etc.).
  */
 var lazyRequire = require("./lazy-require");
-var crypto = require("./crypto");
+var bCrypto = require("./crypto");
 var requestHelpers = require("./request-helpers");
 var validateOpts = require("./validate-opts");
 var C = require("./constants");
@@ -261,7 +261,7 @@ function create(opts) {
     if (reasonProblem) {
       return Object.assign({ grantId: null }, reasonProblem);
     }
-    var grantId = "dc-" + crypto.generateToken(C.BYTES.bytes(8));
+    var grantId = "dc-" + bCrypto.generateToken(C.BYTES.bytes(8));
     var nowMs = Date.now();
     var record = {
       grantId:        grantId,

package/lib/external-db-migrate.js

@@ -48,7 +48,7 @@
  *   - externaldb.migrate.lock.acquired   { holder }
  *   - externaldb.migrate.lock.released   { holder }
  */
-var path = require("path");
+var nodePath = require("path");
 var atomicFile = require("./atomic-file");
 var canonicalJson = require("./canonical-json");
 var { sha3Hash } = require("./crypto");
@@ -285,7 +285,7 @@ function _list(dir) {
 }
 
 function _loadMigration(file, dir) {
-  var fullPath = path.join(dir, file);
+  var fullPath = nodePath.join(dir, file);
   // Drop the require cache so a test/dev that edits a file picks up the
   // new content. Matches lib/migrations.js semantics.
   try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }

package/lib/external-db.js

@@ -754,8 +754,8 @@ async function transaction(fn, opts) {
           if (isTransient && attempt <= maxRetries) {
             _emitMetric("externaldb.transaction.retry", 1,
               { backend: b.name, code: txErr.code, attempt: String(attempt) });
-            var nodeCryptoRetry = require("node:crypto");
-            var jitter = nodeCryptoRetry.randomInt(0, 6);                          // allow:raw-byte-literal — 0-5ms jitter
+            var nodeCrypto = require("node:crypto");
+            var jitter = nodeCrypto.randomInt(0, 6);                          // allow:raw-byte-literal — 0-5ms jitter
             await safeAsync.sleep(attempt * 5 + jitter);                           // allow:raw-time-literal — sub-second backoff
             continue;
           }

package/lib/fdx.js

@@ -85,7 +85,7 @@ var fapi2 = require("./fapi2");
 var C = require("./constants");
 var audit = require("./audit");
 var validateOpts = require("./validate-opts");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var { defineClass } = require("./framework-error");
 var FdxError = defineClass("FdxError", { alwaysPermanent: true });
 
@@ -327,7 +327,7 @@ function consentReceipt(opts) {
     throw FdxError.factory("BAD_SCOPES",
       "fdx.consentReceipt: scopes must be a non-empty array");
   }
-  nb.requirePositiveFiniteIntIfPresent(opts.durationMs,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.durationMs,
     "fdx.consentReceipt: durationMs", FdxError, "BAD_DURATION");
 
   var issuedAt = Date.now();