@blamejs/core 0.9.12 → 0.9.15

package/lib/file-upload.js

@@ -184,12 +184,12 @@
  *     point. Operator wires their scanner of choice.
  */
 
-var fs = require("node:fs");
-var path = require("node:path");
-var stream = require("node:stream");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
+var nodeStream = require("node:stream");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
-var crypto = require("./crypto");
+var bCrypto = require("./crypto");
 var gateContract = require("./gate-contract");
 var lazyRequire = require("./lazy-require");
 var numericBounds = require("./numeric-bounds");
@@ -250,7 +250,7 @@ function _validateUploadId(id) {
 function _validateCreateOpts(opts) {
   validateOpts.requireObject(opts, "fileUpload.create", FileUploadError);
   validateOpts.requireNonEmptyString(opts.stagingDir, "fileUpload.create: stagingDir", FileUploadError);
-  if (!path.isAbsolute(opts.stagingDir)) {
+  if (!nodePath.isAbsolute(opts.stagingDir)) {
     throw _err("BAD_OPT", "fileUpload.create: stagingDir must be an absolute path, got " +
       JSON.stringify(opts.stagingDir));
   }
@@ -472,10 +472,10 @@ function create(opts) {
   // staging files.
   atomicFile.ensureDir(stagingDir, 0o700);
 
-  function _uploadDir(uploadId) { return path.join(stagingDir, uploadId); }
-  function _chunkPath(uploadId, index) { return path.join(_uploadDir(uploadId), String(index)); }
-  function _receivedPath(uploadId) { return path.join(_uploadDir(uploadId), "_received.json"); }
-  function _metaPath(uploadId) { return path.join(_uploadDir(uploadId), "_meta.json"); }
+  function _uploadDir(uploadId) { return nodePath.join(stagingDir, uploadId); }
+  function _chunkPath(uploadId, index) { return nodePath.join(_uploadDir(uploadId), String(index)); }
+  function _receivedPath(uploadId) { return nodePath.join(_uploadDir(uploadId), "_received.json"); }
+  function _metaPath(uploadId) { return nodePath.join(_uploadDir(uploadId), "_meta.json"); }
 
   function _checkPermission(action, actor) {
     if (!permissions) return;
@@ -491,7 +491,7 @@ function create(opts) {
 
   function _readReceivedIndices(uploadId) {
     var p = _receivedPath(uploadId);
-    if (!fs.existsSync(p)) return [];
+    if (!nodeFs.existsSync(p)) return [];
     try {
       var raw = atomicFile.readSync(p, { maxBytes: SIDECAR_MAX_BYTES });
       var parsed = safeJson.parse(raw.toString("utf8"));
@@ -504,7 +504,7 @@ function create(opts) {
 
   function _readMeta(uploadId) {
     var p = _metaPath(uploadId);
-    if (!fs.existsSync(p)) return null;
+    if (!nodeFs.existsSync(p)) return null;
     try {
       var raw = atomicFile.readSync(p, { maxBytes: SIDECAR_MAX_BYTES });
       return safeJson.parse(raw.toString("utf8"));
@@ -521,7 +521,7 @@ function create(opts) {
   }
 
   function _enumerateUploads() {
-    if (!fs.existsSync(stagingDir)) return [];
+    if (!nodeFs.existsSync(stagingDir)) return [];
     var entries;
     try { entries = atomicFile.listDir(stagingDir, { includeStat: true }); }
     catch (_e) { return []; }
@@ -578,7 +578,7 @@ function create(opts) {
     }
 
     // Refuse re-init of an existing upload (caller-side bug).
-    if (fs.existsSync(_uploadDir(uploadId))) {
+    if (nodeFs.existsSync(_uploadDir(uploadId))) {
       throw _err("UPLOAD_EXISTS",
         "fileUpload.init: upload '" + uploadId + "' already exists; cancel or finalize first");
     }
@@ -675,8 +675,8 @@ function create(opts) {
     }
 
     // Verify chunk hash matches the supplied header.
-    var actualHex = crypto.sha3Hash(body);
-    if (!crypto.timingSafeEqual(actualHex, sha3Hex)) {
+    var actualHex = bCrypto.sha3Hash(body);
+    if (!bCrypto.timingSafeEqual(actualHex, sha3Hex)) {
       _emitObs("fileUpload.chunk_hash_mismatch", 1);
       _emitAudit("fileUpload.chunk_received", {
         actor:    requestHelpers.extractActorContext(actor),
@@ -718,9 +718,9 @@ function create(opts) {
     // Idempotent re-PUT: if this index is already received with a
     // matching body, no-op. Different body = caller bug.
     var p = _chunkPath(uploadId, index);
-    if (fs.existsSync(p)) {
+    if (nodeFs.existsSync(p)) {
       var existing = atomicFile.readSync(p, { maxBytes: maxChunkBytes });
-      if (crypto.timingSafeEqual(crypto.sha3Hash(existing), sha3Hex)) {
+      if (bCrypto.timingSafeEqual(bCrypto.sha3Hash(existing), sha3Hex)) {
         return {
           received:           _readReceivedIndices(uploadId).length,
           totalBytesAccepted: meta.totalBytesAccepted,
@@ -744,8 +744,8 @@ function create(opts) {
     meta.lastChunkAt = clock();
     meta.totalBytesAccepted = (meta.totalBytesAccepted || 0) + body.length;
     if (meta.totalBytesAccepted > maxFileBytes) {
-      // Reclaim staging — the upload exceeded the cap mid-stream.
-      try { fs.rmSync(_uploadDir(uploadId), { recursive: true, force: true }); }
+      // Reclaim staging — the upload exceeded the cap mid-nodeStream.
+      try { nodeFs.rmSync(_uploadDir(uploadId), { recursive: true, force: true }); }
       catch (_e) { /* purgeIncomplete will reclaim */ }
       _emitObs("fileUpload.file_too_large", 1);
       throw _err("FILE_TOO_LARGE",
@@ -824,13 +824,13 @@ function create(opts) {
           SHA3_512_HEX_LENGTH + " chars)");
       }
       var chunkPath = _chunkPath(uploadId, ck.index);
-      if (!fs.existsSync(chunkPath)) {
+      if (!nodeFs.existsSync(chunkPath)) {
         throw _err("MISSING_CHUNK",
           "fileUpload.finalize: chunk " + ck.index + " missing from staging");
       }
       var chunkBody = atomicFile.readSync(chunkPath, { maxBytes: maxChunkBytes });
-      var actualChunkHex = crypto.sha3Hash(chunkBody);
-      if (!crypto.timingSafeEqual(actualChunkHex, ck.sha3)) {
+      var actualChunkHex = bCrypto.sha3Hash(chunkBody);
+      if (!bCrypto.timingSafeEqual(actualChunkHex, ck.sha3)) {
         throw _err("CHUNK_HASH_MISMATCH",
           "fileUpload.finalize: chunk " + ck.index +
           " on-disk SHA3-512 doesn't match manifest");
@@ -849,7 +849,7 @@ function create(opts) {
         " bytes, manifest declares " + manifest.totalBytes);
     }
     var totalHashHex = hasher.digest("hex");
-    if (!crypto.timingSafeEqual(totalHashHex, manifest.sha3)) {
+    if (!bCrypto.timingSafeEqual(totalHashHex, manifest.sha3)) {
       throw _err("MANIFEST_HASH_MISMATCH",
         "fileUpload.finalize: reassembled SHA3-512 doesn't match manifest.sha3");
     }
@@ -911,13 +911,13 @@ function create(opts) {
     // onFinalize reads through to wherever they're piping.
     async function* generate() {
       for (var i = 0; i < paths.length; i += 1) {
-        var fh = fs.createReadStream(paths[i]);
+        var fh = nodeFs.createReadStream(paths[i]);
         for await (var chunk of fh) {
           yield chunk;
         }
       }
     }
-    return stream.Readable.from(generate(), { objectMode: false });
+    return nodeStream.Readable.from(generate(), { objectMode: false });
   }
 
   async function finalize(callerOpts) {
@@ -1034,7 +1034,7 @@ function create(opts) {
       }
     }
     if (contentSafety) {
-      var safetyExt = path.extname(filename).toLowerCase();
+      var safetyExt = nodePath.extname(filename).toLowerCase();
       var safetyGate = contentSafety[safetyExt];
       if (safetyGate && typeof safetyGate.check === "function" && bodyBuffer) {
         var safetyDecision;
@@ -1109,7 +1109,7 @@ function create(opts) {
     }
 
     // Cleanup staging on success.
-    try { fs.rmSync(_uploadDir(uploadId), { recursive: true, force: true }); }
+    try { nodeFs.rmSync(_uploadDir(uploadId), { recursive: true, force: true }); }
     catch (_e) { /* best-effort */ }
 
     _emitObs("fileUpload.finalize_success", 1);
@@ -1175,7 +1175,7 @@ function create(opts) {
     _checkPermission("cancel", callerOpts.actor);
     var meta = _readMeta(uploadId);
     if (!meta) return { ok: false, uploadId: uploadId, reason: "not-found" };
-    try { fs.rmSync(_uploadDir(uploadId), { recursive: true, force: true }); }
+    try { nodeFs.rmSync(_uploadDir(uploadId), { recursive: true, force: true }); }
     catch (_e) { /* best-effort */ }
     _emitObs("fileUpload.cancelled", 1);
     _emitAudit("fileUpload.cancelled", {
@@ -1190,7 +1190,7 @@ function create(opts) {
   // ---- purgeIncomplete ----
 
   function purgeIncomplete() {
-    if (!fs.existsSync(stagingDir)) return { purged: 0, ids: [] };
+    if (!nodeFs.existsSync(stagingDir)) return { purged: 0, ids: [] };
     var now = clock();
     var entries;
     try { entries = atomicFile.listDir(stagingDir, { includeStat: true }); }
@@ -1211,7 +1211,7 @@ function create(opts) {
       }
       if (!purgeReason) continue;
       try {
-        fs.rmSync(e.fullPath, { recursive: true, force: true });
+        nodeFs.rmSync(e.fullPath, { recursive: true, force: true });
         purged.push({ id: e.name, reason: purgeReason });
       } catch (_e2) { /* best-effort; will retry */ }
     }

package/lib/flag-providers.js

@@ -36,7 +36,7 @@
  *   provider.kind   -> "local-file" | "memory" | "environment" | <operator-defined>
  */
 
-var fs = require("fs");
+var nodeFs = require("fs");
 var validateOpts   = require("./validate-opts");
 var lazyRequire    = require("./lazy-require");
 var safeJson       = require("./safe-json");
@@ -128,7 +128,7 @@ function localFile(opts) {
   validateOpts.requireNonEmptyString(opts.path,
     "providers.localFile: path", FlagError, "flag/bad-provider");
   var raw;
-  try { raw = fs.readFileSync(opts.path, "utf8"); }
+  try { raw = nodeFs.readFileSync(opts.path, "utf8"); }
   catch (e) {
     throw new FlagError("flag/bad-provider",
       "providers.localFile: cannot read file " + JSON.stringify(opts.path) +
@@ -152,9 +152,9 @@ function localFile(opts) {
   provider._path = opts.path;
   if (opts.watch === true) {
     try {
-      fs.watch(opts.path, { persistent: false }, function () {
+      nodeFs.watch(opts.path, { persistent: false }, function () {
         try {
-          var nextRaw = fs.readFileSync(opts.path, "utf8");
+          var nextRaw = nodeFs.readFileSync(opts.path, "utf8");
           var nextParsed = safeJson.parse(nextRaw, { maxBytes: C.BYTES.mib(1) });
           if (nextParsed && nextParsed.flags) {
             for (var k in nextParsed.flags) {

package/lib/gate-contract.js

@@ -46,7 +46,7 @@
  */
 
 var C = require("./constants");
-var crypto = require("./crypto");
+var bCrypto = require("./crypto");
 var lazyRequire = require("./lazy-require");
 var safeAsync = require("./safe-async");
 var validateOpts = require("./validate-opts");
@@ -341,13 +341,13 @@ function defineGate(opts) {
   async function check(ctx) {
     var startedAt = Date.now();
     ctx = ctx || {};
-    if (!ctx.forensicId) ctx.forensicId = crypto.generateToken(FORENSIC_ID_BYTES);
+    if (!ctx.forensicId) ctx.forensicId = bCrypto.generateToken(FORENSIC_ID_BYTES);
 
     // Decision cache lookup (memoize per-forensicHash).
     var bytes = ctx.bytes;
     var forensicHash = bytes && Buffer.isBuffer(bytes)
-      ? crypto.sha3Hash(bytes, "hex")
-      : (typeof bytes === "string" ? crypto.sha3Hash(Buffer.from(bytes, "utf8"), "hex") : null);
+      ? bCrypto.sha3Hash(bytes, "hex")
+      : (typeof bytes === "string" ? bCrypto.sha3Hash(Buffer.from(bytes, "utf8"), "hex") : null);
     var cacheKey = forensicHash ? (opts.name + ":" + ruleHash + ":" + forensicHash) : null;
     if (decisionCache && cacheKey) {
       try {
@@ -555,7 +555,7 @@ function _build(partial) {
 }
 
 function _hashFingerprint(obj) {
-  return crypto.sha3Hash(JSON.stringify(obj), "hex").slice(0, FINGERPRINT_HEX_LENGTH);
+  return bCrypto.sha3Hash(JSON.stringify(obj), "hex").slice(0, FINGERPRINT_HEX_LENGTH);
 }
 
 // ---- Host-side helpers ----

package/lib/graphql-federation.js

@@ -21,9 +21,9 @@
  *   GraphQL federation gateway with SDL trust boundary, sub-graph health, subgraph SDL signing, query plan caps.
  */
 
-var crypto = require("crypto");
+var bCrypto = require("./crypto");
 var C = require("./constants");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var safeJson = require("./safe-json");
 var safeBuffer = require("./safe-buffer");
 var requestHelpers = require("./request-helpers");
@@ -73,10 +73,7 @@ function _readBearer(req) {
 
 function _timingSafeEqual(a, b) {
   if (typeof a !== "string" || typeof b !== "string") return false;
-  var ab = Buffer.from(a, "utf8");
-  var bb = Buffer.from(b, "utf8");
-  if (ab.length !== bb.length) return false;
-  return crypto.timingSafeEqual(ab, bb);
+  return bCrypto.timingSafeEqual(a, b);
 }
 
 function _readBody(req, errorClass) {
@@ -141,7 +138,7 @@ function guardSdl(opts) {
   }
   var nonceStore = opts.nonceStore && typeof opts.nonceStore.has === "function" &&
                    typeof opts.nonceStore.remember === "function" ? opts.nonceStore : null;
-  nb.requirePositiveFiniteIntIfPresent(opts.nonceTtlMs, "graphqlFederation.guardSdl: opts.nonceTtlMs", errorClass, "BAD_TTL");
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.nonceTtlMs, "graphqlFederation.guardSdl: opts.nonceTtlMs", errorClass, "BAD_TTL");
   var nonceTtlMs = opts.nonceTtlMs || C.TIME.minutes(5);
   var auditOn = opts.audit !== false;
 

package/lib/honeytoken.js

@@ -30,7 +30,7 @@
  *   Framework-seeded canary records that trigger an audit alert on read; integrates with sealed columns.
  */
 
-var crypto = require("./crypto");
+var bCrypto = require("./crypto");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
@@ -40,10 +40,10 @@ var audit = lazyRequire(function () { return require("./audit"); });
 var HoneytokenError = defineClass("HoneytokenError", { alwaysPermanent: true });
 
 var KINDS = Object.freeze({
-  apiKey:  function () { return "bk_canary_"  + crypto.generateToken(16); },     // allow:raw-byte-literal — 16-byte (128-bit) canary entropy
-  session: function () { return "bks_canary_" + crypto.generateToken(24); },     // allow:raw-byte-literal — 24-byte (192-bit) canary entropy
-  url:     function () { return "/admin/canary-" + crypto.generateToken(16); },  // allow:raw-byte-literal — 16-byte canary entropy
-  rowId:   function () { return "ht_canary_"  + crypto.generateToken(16); },     // allow:raw-byte-literal — 16-byte canary entropy
+  apiKey:  function () { return "bk_canary_"  + bCrypto.generateToken(16); },     // allow:raw-byte-literal — 16-byte (128-bit) canary entropy
+  session: function () { return "bks_canary_" + bCrypto.generateToken(24); },     // allow:raw-byte-literal — 24-byte (192-bit) canary entropy
+  url:     function () { return "/admin/canary-" + bCrypto.generateToken(16); },  // allow:raw-byte-literal — 16-byte canary entropy
+  rowId:   function () { return "ht_canary_"  + bCrypto.generateToken(16); },     // allow:raw-byte-literal — 16-byte canary entropy
 });
 
 /**
@@ -102,7 +102,7 @@ function create(opts) {
         "(supported: " + Object.keys(KINDS).join(", ") + ")");
     }
     var value = KINDS[kind]();
-    var id = "ht_" + crypto.generateToken(8);                                    // allow:raw-byte-literal — 8-byte registry id
+    var id = "ht_" + bCrypto.generateToken(8);                                    // allow:raw-byte-literal — 8-byte registry id
     var record = Object.freeze({
       id:        id,
       kind:      kind,

package/lib/http-client-cookie-jar.js

@@ -60,8 +60,8 @@
  *   }
  */
 
-var fs = require("node:fs");
-var path = require("node:path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var C                = require("./constants");
 var numericBounds    = require("./numeric-bounds");
 var safeAsync        = require("./safe-async");
@@ -181,7 +181,7 @@ function create(opts) {
     filePath = opts.file;
     // Refuse relative paths so a process running in a different cwd
     // doesn't accidentally serialize to a sibling directory.
-    if (!path.isAbsolute(filePath)) {
+    if (!nodePath.isAbsolute(filePath)) {
       throw _err("BAD_OPT",
         "cookieJar.create: opts.file must be an absolute path, got " + JSON.stringify(filePath));
     }
@@ -441,7 +441,7 @@ function create(opts) {
     var rows = getAll();
     var serialized = JSON.stringify(rows);
     var blob = vault ? vault.seal(serialized) : serialized;
-    fs.writeFileSync(filePath, blob);
+    nodeFs.writeFileSync(filePath, blob);
   }
   var flushScheduler = safeAsync.makeScheduledFlush(flushDebounceMs, function () {
     if (!filePath) return;
@@ -477,9 +477,9 @@ function create(opts) {
   // Persist file may be operator-tampered (or vault-sealed) — route through
   // safeJson with an explicit byte cap so a maliciously-large file can't
   // OOM the process before the parse fails.
-  if (filePath && fs.existsSync(filePath)) {
+  if (filePath && nodeFs.existsSync(filePath)) {
     try {
-      var raw = fs.readFileSync(filePath, "utf8");
+      var raw = nodeFs.readFileSync(filePath, "utf8");
       var serialized = vault ? vault.unseal(raw) : raw;
       if (serialized && serialized.length > 0) {
         var rows = safeJson.parse(serialized, { maxBytes: C.BYTES.mib(16) });

package/lib/http-client.js

@@ -35,7 +35,7 @@
  *   Outbound HTTP client with SSRF gate, retry, circuit breaker, wall-clock + idle timeouts, AbortSignal propagation, connection pooling, streaming, and ALPN-negotiated HTTP/2.
  */
 
-var fs = require("fs");
+var nodeFs = require("fs");
 var http  = require("http");
 var https = require("https");
 var http2 = require("http2");
@@ -46,7 +46,7 @@ var streamPromises = require("node:stream/promises");
 var { URL } = require("url");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
-var crypto = require("./crypto");
+var bCrypto = require("./crypto");
 var pqcAgent = require("./pqc-agent");
 var safeAsync = require("./safe-async");
 var safeBuffer = require("./safe-buffer");
@@ -461,7 +461,7 @@ function _attachJarCookie(headers, jar, url) {
 //       emits boundary headers + content + CRLF in order. Avoids the
 //       Buffer.concat() OOM class on large uploads. contentLength is
 //       a finite number when every source's size is statically
-//       resolvable (Buffer length, fs.statSync().size, opts.size on
+//       resolvable (Buffer length, nodeFs.statSync().size, opts.size on
 //       a stream entry); null otherwise — caller falls back to
 //       chunked transfer.
 //
@@ -474,9 +474,9 @@ function _attachJarCookie(headers, jar, url) {
 // `filename` and `contentType` apply to all three shapes; for
 // `filePath` entries, `filename` defaults to path.basename(filePath).
 function _buildMultipartBody(spec) {
-  var boundary = "----blamejs-mp-" + crypto.generateToken(C.BYTES.bytes(16));
+  var boundary = "----blamejs-mp-" + bCrypto.generateToken(C.BYTES.bytes(16));
   var CRLF = "\r\n";
-  var fs = require("fs");                                             // allow:inline-require — only on multipart paths that touch the filesystem
+  var nodeFs = require("fs");                                             // allow:inline-require — only on multipart paths that touch the filesystem
   var path = require("path");                                         // allow:inline-require — same
   var nodeStream = require("stream");                                 // allow:inline-require — Readable subclass only when streaming
 
@@ -558,7 +558,7 @@ function _buildMultipartBody(spec) {
     } else if (hasFilePath) {
       anyStreaming = true;
       var st;
-      try { st = fs.statSync(file.filePath); }
+      try { st = nodeFs.statSync(file.filePath); }
       catch (e) { throw new Error("multipart: file.filePath not readable: " + e.message); }
       if (!st.isFile()) throw new Error("multipart: file.filePath is not a regular file");
       _addEntry(head, { kind: "filePath", filePath: file.filePath, size: st.size });
@@ -613,7 +613,7 @@ function _buildMultipartBody(spec) {
       if (entry.source.kind === "buffer") {
         yield entry.source.buf;
       } else if (entry.source.kind === "filePath") {
-        var rs = fs.createReadStream(entry.source.filePath);
+        var rs = nodeFs.createReadStream(entry.source.filePath);
         try {
           for await (var chunk of rs) yield chunk;
         } finally {
@@ -1699,7 +1699,7 @@ function _requestH2(transport, u, opts) {
 //
 // uploadMultipartStream — POST a file body via multipart/form-data
 // without buffering. Streams from disk through the request body using
-// `fs.createReadStream` + `node:stream/promises` pipeline.
+// `nodeFs.createReadStream` + `node:stream/promises` pipeline.
 //
 // Both compose through `request()` (responseMode: "stream") so safeUrl,
 // ssrfGuard, allowedHosts, network-proxy, audit-on-host-deny, and the
@@ -1799,7 +1799,7 @@ async function downloadStream(opts) {
   _validateDownloadOpts(opts);
   var alg     = opts.hash || DEFAULT_DOWNLOAD_HASH_ALG;
   var dest    = opts.dest;
-  var tmpPath = dest + ".tmp-" + crypto.generateToken(C.BYTES.bytes(8));
+  var tmpPath = dest + ".tmp-" + bCrypto.generateToken(C.BYTES.bytes(8));
   var dir     = nodePath.dirname(dest);
 
   atomicFile.ensureDir(dir);
@@ -1857,13 +1857,13 @@ async function downloadStream(opts) {
   });
   counter.bytesWritten = 0;
 
-  var fileStream = fs.createWriteStream(tmpPath, { mode: DEFAULT_DOWNLOAD_FILE_MODE, flags: "w" });
+  var fileStream = nodeFs.createWriteStream(tmpPath, { mode: DEFAULT_DOWNLOAD_FILE_MODE, flags: "w" });
 
   try {
     await streamPromises.pipeline(res.body, counter, fileStream);
   } catch (e) {
     // Pipeline failure → tmp may be partially written. Remove + audit.
-    try { fs.unlinkSync(tmpPath); } catch (_u) { /* best-effort cleanup */ }
+    try { nodeFs.unlinkSync(tmpPath); } catch (_u) { /* best-effort cleanup */ }
     _emitAudit(opts, "system.httpclient.download_stream.refused", "denied", {
       reason: "pipeline-failed", message: e.message, code: e.code,
     });
@@ -1876,15 +1876,15 @@ async function downloadStream(opts) {
   // across platforms but matches the discipline of the rest of the
   // framework's atomic-write paths.
   try {
-    var fd = fs.openSync(tmpPath, "r+");
-    try { atomicFile.fsync(fd); } finally { try { fs.closeSync(fd); } catch (_c) { /* best-effort fd close */ } }
+    var fd = nodeFs.openSync(tmpPath, "r+");
+    try { atomicFile.fsync(fd); } finally { try { nodeFs.closeSync(fd); } catch (_c) { /* best-effort fd close */ } }
   } catch (_fe) { /* fsync best-effort */ }
 
   var actualHex = hasher.digest("hex");
   if (typeof opts.expected === "string" && opts.expected.length > 0) {
     var expected = opts.expected.toLowerCase();
     if (actualHex.toLowerCase() !== expected) {
-      try { fs.unlinkSync(tmpPath); } catch (_u) { /* best-effort cleanup */ }
+      try { nodeFs.unlinkSync(tmpPath); } catch (_u) { /* best-effort cleanup */ }
       _emitAudit(opts, "system.httpclient.download_stream.refused", "denied", {
         reason: "hash-mismatch", alg: alg, expected: expected, actual: actualHex,
         statusCode: res.statusCode, bytesWritten: counter.bytesWritten,
@@ -1897,10 +1897,10 @@ async function downloadStream(opts) {
 
   // Atomic rename + dir fsync.
   try {
-    fs.renameSync(tmpPath, dest);
+    nodeFs.renameSync(tmpPath, dest);
     atomicFile.fsyncDir(dir);
   } catch (e) {
-    try { fs.unlinkSync(tmpPath); } catch (_u) { /* best-effort cleanup */ }
+    try { nodeFs.unlinkSync(tmpPath); } catch (_u) { /* best-effort cleanup */ }
     _emitAudit(opts, "system.httpclient.download_stream.refused", "denied", {
       reason: "rename-failed", message: e.message,
     });
@@ -1959,7 +1959,7 @@ function _validateUploadOpts(opts) {
  *
  * POSTs a file body via `multipart/form-data` without buffering the
  * file in memory. Streams from disk through the request body using
- * `fs.createReadStream` + `node:stream/promises` pipeline. Throws
+ * `nodeFs.createReadStream` + `node:stream/promises` pipeline. Throws
  * `httpclient/missing-file` when `opts.file.path` doesn't exist or
  * isn't a regular file. Composes through `request()` so SSRF gating,
  * proxy routing, and the per-origin transport cache apply unchanged.
@@ -1989,7 +1989,7 @@ async function uploadMultipartStream(opts) {
 
   var filePath = opts.file.path;
   var st;
-  try { st = fs.statSync(filePath); }
+  try { st = nodeFs.statSync(filePath); }
   catch (e) {
     _emitAudit(opts, "system.httpclient.upload_stream.refused", "denied", {
       reason: "missing-file", path: filePath, message: e.message,

package/lib/i18n.js

@@ -57,8 +57,8 @@
  *   ICU MessageFormat + CLDR Plural Rules + locale-aware Intl formatters with translation lookup.
  */
 
-var fs = require("node:fs");
-var path = require("node:path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var lazyRequire = require("./lazy-require");
 var requestHelpers = require("./request-helpers");
 var safeJson = require("./safe-json");
@@ -227,13 +227,13 @@ function _loadFromDir(dir, locales) {
   var out = {};
   for (var i = 0; i < locales.length; i++) {
     var locale = locales[i];
-    var filePath = path.join(dir, locale + ".json");
-    if (!fs.existsSync(filePath)) {
+    var filePath = nodePath.join(dir, locale + ".json");
+    if (!nodeFs.existsSync(filePath)) {
       throw _err("LOAD_FAILED",
         "i18n: translations file not found for locale '" + locale + "': " + filePath);
     }
     var raw;
-    try { raw = fs.readFileSync(filePath, "utf8"); }
+    try { raw = nodeFs.readFileSync(filePath, "utf8"); }
     catch (e) {
       throw _err("LOAD_FAILED",
         "i18n: failed to read '" + filePath + "': " + ((e && e.message) || String(e)));

package/lib/inbox.js

@@ -143,7 +143,13 @@ function create(opts) {
   _validateTableName(opts.table);
 
   var externalDb     = opts.externalDb;
-  var table          = opts.table;
+  var tableRaw       = opts.table;
+  // Identifiers reach SQL through safeSql.quoteIdentifier — runs
+  // validateIdentifier internally + emits the dialect-correct quoted
+  // form. sqlite + postgres both use the double-quote dialect (per
+  // lib/safe-sql.js), so one quoted form serves both inbox paths.
+  var qTable         = safeSql.quoteIdentifier(tableRaw, "sqlite");
+  var qIndex         = safeSql.quoteIdentifier(tableRaw + "_received_at_idx", "sqlite");
   var retentionDays  = (typeof opts.retentionDays === "number" && opts.retentionDays > 0)        // allow:numeric-opt-Infinity
     ? opts.retentionDays : 30;                                                                   // allow:raw-byte-literal — default retention days
   var auditOn        = opts.audit !== false;
@@ -226,7 +232,7 @@ function create(opts) {
 
     if (dialect === "postgres") {
       var rs = await txn.query(
-        "INSERT INTO " + table +
+        "INSERT INTO " + qTable +
         " (message_id, source, received_at, metadata_json) " +
         " VALUES ($1, $2, " + nowExpr + ", $3::jsonb) " +
         " ON CONFLICT (source, message_id) DO NOTHING " +
@@ -248,7 +254,7 @@ function create(opts) {
     // that the framework can't prevent. RETURNING 1 collapses both
     // round-trips into one and removes the changes() dependency.
     var sqlInsert = await txn.query(
-      "INSERT OR IGNORE INTO " + table +
+      "INSERT OR IGNORE INTO " + qTable +
       " (message_id, source, received_at, metadata_json) " +
       " VALUES (?, ?, " + nowExpr + ", ?) RETURNING 1",
       [receiveOpts.messageId, receiveOpts.source, metaJson]);
@@ -268,7 +274,7 @@ function create(opts) {
     _validateReceiveOpts(receiveOpts, "markProcessed");
     var nowExpr = _utcNowExpr(externalDb);
     var dialect = (externalDb.dialect === "postgres") ? "postgres" : "sqlite";
-    var sql = "UPDATE " + table +
+    var sql = "UPDATE " + qTable +
               " SET processed_at = " + nowExpr +
               " WHERE source = " + (dialect === "postgres" ? "$1" : "?") +
               " AND message_id = " + (dialect === "postgres" ? "$2" : "?");
@@ -318,7 +324,7 @@ function create(opts) {
     var dialect = (xdb && xdb.dialect === "postgres") ? "postgres" : "sqlite";
     if (dialect === "postgres") {
       await xdb.query(
-        "CREATE TABLE IF NOT EXISTS " + table + " (" +
+        "CREATE TABLE IF NOT EXISTS " + qTable + " (" +
         "  message_id   TEXT NOT NULL," +
         "  source       TEXT NOT NULL," +
         "  received_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()," +
@@ -327,11 +333,11 @@ function create(opts) {
         "  PRIMARY KEY (source, message_id)" +
         ")");
       await xdb.query(
-        "CREATE INDEX IF NOT EXISTS " + table + "_received_at_idx " +
-        "ON " + table + " (received_at)");
+        "CREATE INDEX IF NOT EXISTS " + qIndex + " " +
+        "ON " + qTable + " (received_at)");
     } else {
       await xdb.query(
-        "CREATE TABLE IF NOT EXISTS " + table + " (" +
+        "CREATE TABLE IF NOT EXISTS " + qTable + " (" +
         "  message_id   TEXT NOT NULL," +
         "  source       TEXT NOT NULL," +
         "  received_at  TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP," +
@@ -340,8 +346,8 @@ function create(opts) {
         "  PRIMARY KEY (source, message_id)" +
         ")");
       await xdb.query(
-        "CREATE INDEX IF NOT EXISTS " + table + "_received_at_idx " +
-        "ON " + table + " (received_at)");
+        "CREATE INDEX IF NOT EXISTS " + qIndex + " " +
+        "ON " + qTable + " (received_at)");
     }
   }
 
@@ -351,7 +357,7 @@ function create(opts) {
     await externalDb.transaction(async function (xdb) {
       if (dialect === "postgres") {
         var rs = await xdb.query(
-          "DELETE FROM " + table +
+          "DELETE FROM " + qTable +
           " WHERE received_at < NOW() - $1::interval " +
           " AND (processed_at IS NOT NULL OR received_at < NOW() - $2::interval)",
           [retentionDays + " days", (retentionDays * 2) + " days"]);
@@ -360,7 +366,7 @@ function create(opts) {
         var staleDate = new Date(Date.now() - retentionDays * C.TIME.days(1)).toISOString();
         var unprocStaleDate = new Date(Date.now() - retentionDays * 2 * C.TIME.days(1)).toISOString();
         await xdb.query(
-          "DELETE FROM " + table +
+          "DELETE FROM " + qTable +
           " WHERE received_at < ? " +
           " AND (processed_at IS NOT NULL OR received_at < ?)",
           [staleDate, unprocStaleDate]);
@@ -378,7 +384,7 @@ function create(opts) {
   async function isFresh(receiveOpts) {
     _validateReceiveOpts(receiveOpts, "isFresh");
     var dialect = (externalDb.dialect === "postgres") ? "postgres" : "sqlite";
-    var sql = "SELECT 1 FROM " + table +
+    var sql = "SELECT 1 FROM " + qTable +
               " WHERE source = " + (dialect === "postgres" ? "$1" : "?") +
               " AND message_id = " + (dialect === "postgres" ? "$2" : "?");
     var rs = await externalDb.transaction(async function (xdb) {
@@ -395,7 +401,7 @@ function create(opts) {
     var stats = await externalDb.transaction(async function (xdb) {
       var sql = "SELECT COUNT(*) AS total," +
                 "       COUNT(processed_at) AS processed " +
-                "  FROM " + table +
+                "  FROM " + qTable +
                 (sourceFilter ? " WHERE source = " +
                   (dialect === "postgres" ? "$1" : "?") : "");
       var args = sourceFilter ? [sourceFilter] : [];
@@ -418,7 +424,7 @@ function create(opts) {
     sweep:          sweep,
     isFresh:        isFresh,
     getStats:       getReceiveStats,
-    table:          table,
+    table:          tableRaw,
     retentionDays:  retentionDays,
   };
 }