@blamejs/core 0.9.14 → 0.9.16

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.16 (2026-05-14) — **Operator-facing prose cleanup + `require-binding-name` detector now covers `lazyRequire` wrappers + dbStore seal round-trip test added.** Post-v0.9.15 audit surfaced three classes of follow-up. (1) **Operator-facing prose leaks (7 sites)** — the v0.9.15 mechanical rename pattern `<OLD>.` → `<NEW>.` also caught occurrences inside JSDoc `@opts` comments and error-message string literals, so operators reading `b.keychain.create(opts)` saw `// absolute nodePath; required if file fallback may engage` instead of `// absolute path`. Fixed: `lib/db.js` (stream-limit error), `lib/keychain.js` (fallback-file error + 3 JSDoc lines), `lib/restore-bundle.js` (staging-dir error), `lib/watcher.js` (fs.watch failure error). Operators see plain English; internal binding names stay internal. (2) **`require-binding-name` detector extended to cover `lazyRequire`** — the v0.9.15 detector only matched plain `var X = require("M")` and missed the framework's `var X = lazyRequire(function () { return require("M"); })` pattern (used to break load cycles). 34 additional inconsistencies surfaced (`auditFwk` / `auditMod` / `auditModule` / `lazyAudit` → `audit`, `crypto` / `fwCrypto` → `bCrypto`, `dbMod` / `dbModule` → `db`, etc.) — every minority site renamed per the same canonical-name map. (3) **dbStore seal round-trip test** — the v0.9.15 test suite covered seal-falls-back-when-vault-not-ready and cross-process-sealed-row-preserved, but did NOT exercise the actual default-ON seal/unseal path because the test environment didn't `b.vault.init(...)`. New `testDbStoreSealRoundTripWithVault` bootstraps a plaintext vault, builds a dbStore with `seal: true`, writes a record + reads it back, and asserts (a) `headers` + `body` columns carry the `vault:` envelope on disk, (b) the round-trip restores the original values, and (c) `status_code` stays plaintext so forensic SELECTs still work without unsealing.
+- v0.9.15 (2026-05-13) — **`b.middleware.idempotencyKey.dbStore` hardening + framework-wide `require()` binding-name consistency.** Two operator-surfaced gaps closed: (1) **dbStore now hashes keys + seals body/headers by default.** Operator-supplied idempotency keys sometimes carry PII (order numbers, emails, vendor prefixes); the `k` column previously stored them raw, leaving every DB dump as a PII surface. v0.9.15 sha3-512 namespace-hashes the key via `b.crypto.namespaceHash("idempotency-key", key)` before insert/lookup — round-trips are transparent (operators still pass raw keys), but the DB never sees the original. The schema also splits the previous single-`v` JSON-envelope column into discrete `fingerprint` / `status_code` / `headers` / `body` / `expires_at` columns; `headers` + `body` are sealed via `b.cryptoField.sealRow` (vault-managed AEAD envelope) when vault is initialized, so a DB dump leaks neither cached response bodies nor headers. Non-sealed columns (`status_code`, `fingerprint`, `expires_at`) stay forensic-queryable. Both defaults are operator-opt-out via `opts.hashKeys: false` and `opts.seal: false`; the seal path silently falls back to plaintext + emits an `idempotency.seal_skipped_no_vault` audit warning on first use when vault isn't ready, so test fixtures and boot scripts still work. **Schema migration**: v0.9.15's split columns are incompatible with v0.9.14's single-`v` column — operators with a v0.9.14 idempotency table `DROP TABLE <tableName>;` (or pick a fresh `tableName`) before upgrading. Pre-v1 framework breaks across patch versions for security correctness. (2) **New `require-binding-name` codebase-patterns detector enforces consistent `var X = require("M")` names framework-wide.** Inconsistent names (`fs` vs `nodeFs`, `crypto` vs `nodeCrypto`, `path` vs `nodePath`, `nb` vs `numericBounds`) made `grep` across the lib unreliable and let reviewers miss shadowing bugs (`var crypto = require("crypto")` collides with the framework's own `b.crypto`). The detector carries a `CANONICAL_REQUIRE_BINDINGS` map with safety-first defaults: Node built-ins get a `node<X>` prefix (`nodeFs` / `nodePath` / `nodeCrypto` / `nodeStream` / `nodeTls` / `nodeUrl`) so a local var named `fs` / `path` / `crypto` can never shadow them; the framework's own `lib/crypto.js` binds as `bCrypto` (matches the `b.crypto` public-namespace shape and doesn't shadow node:crypto). Modules without a declared canonical fall back to majority-wins (most-sites name wins, alphabetical tiebreak). Fix is rename, not allowlist — every minority site was updated. **Sweep**: 184 require-binding renames across 108 framework files in this release; primitives + tests unchanged in surface. (3) **`b.graphqlFederation` internal `_timingSafeEqual` now routes through `b.crypto.timingSafeEqual`** (was re-implementing the length-tolerant wrapper inline; the new require-binding-name detector surfaced this; same-patch fix per the audit-existing-code rule).
 - v0.9.14 (2026-05-13) — **Audit-existing-code sweep: `safeSql.quoteIdentifier` adopted across every framework primitive that interpolates SQL identifiers; new `raw-sql-identifier-interpolation` detector seals the bug class.** Codex P1 on PR #44 flagged that `dbStore.get`'s expired-row cleanup was an unconditional `DELETE WHERE k = ?` between SELECT and DELETE — in a multi-process deployment another process could upsert the same key in the race window, and the unconditional delete would erase the fresh row. Fix: scope the delete by the observed `expires_at`. While reviewing, a wider gap surfaced — every `db.prepare("CREATE TABLE " + tableName + ...)` site in the framework had been concatenating identifiers raw, sometimes with inline shape-regex validation that varied per module. The framework already shipped `b.safeSql.quoteIdentifier(name, dialect?)` for exactly this; per the audit-existing-code rule the same patch (a) routes every site through the helper (`lib/audit.js` segregation-of-duties trigger DDL, `lib/dsr.js` ticket store, `lib/inbox.js` message-receive table, `lib/middleware/idempotency-key.js` dbStore, `lib/vault/rotate.js` column-rotation DDL) and (b) adds a `raw-sql-identifier-interpolation` codebase-patterns detector so the bug class can't return. The detector skips variables whose names signal already-quoted identifiers (`q<X>` / `Q_<X>` / `quoted<X>` prefix), so future primitives that use the helper read naturally. **Plus: bounded JSON parse for two file-/DB-backed primitives.** `b.metrics.snapshot.read` and `b.middleware.idempotencyKey.dbStore.get` previously used bare `JSON.parse` with `allow:bare-json-parse` markers; both are read by processes separate from where they were written (CLI/sidecar reads daemon-written snapshot; multi-process fleet shares DB) where a hostile or misbehaving writer could plant a multi-GB value and OOM the reader. Both now route through `b.safeJson.parse(raw, { maxBytes: 4 MiB })`. **Three new primitives — `b.crypto.hashFilesParallel`, `b.pqcAgent.reload`, `b.middleware.idempotencyKey.dbStore` — plus republish of v0.9.13's surface**. v0.9.13's npm-publish workflow failed at the wiki-e2e gate (the Codex P1 fix removed the `opts` parameter from `b.selfUpdate.standaloneVerifier.verify` but the `@signature` JSDoc still declared four arguments — three vs. four arity drift). The v0.9.13 git tag + GH release reached operators but the npm tarball did not; the registry stayed at v0.9.12. v0.9.14 carries v0.9.13's entire shipped surface (circuitBreaker.create({...}) opts-object fix + `b.selfUpdate.standaloneVerifier` + `b.metrics.snapshot` + `b.retry.withBreaker`) plus three additional Tier 2 primitives surfaced by the same downstream consumer that flagged the v0.9.13 batch. (1) **`b.crypto.hashFilesParallel(filePaths, opts?)`** — parallel multi-digest hashing for many files in a single read pass per file. Worker-pool concurrency cap (default `min(8, paths.length)`, 1..256), operator-tunable `algorithms` list (default `["sha256", "sha3-512"]`), optional `onProgress(completed, total)` callback (throws swallowed). Returns rows in the same order as input. The common consumer-side reason to reach for this is SBOM regeneration / vendor-data integrity sweeps / release-asset bundling — situations where N files each need both SHA-256 (legacy compat) and SHA-3-512 (PQC-first) digests and rolling a worker pool by hand has cost a downstream consumer the same two-loop, capture-N-promises, settle-Q boilerplate every release. (2) **`b.pqcAgent.reload()`** — tear down the lazily-built default agent and reset to null so the next `b.pqcAgent.agent` access rebuilds against current TLS posture + `b.network.tls.applyToContext` output. Long-running daemons that rotate the framework's TLS posture (TLS-pinset reload, certificate-pinset refresh, `C.TLS_GROUP_PREFERENCE` update behind a feature flag) need a way to re-source the outbound `https.Agent` without forking a new process. `reload()` calls `.destroy()` on the existing default agent (Node closes idle keep-alive sockets, lets in-flight sockets complete) then nulls the cache. Agents handed out via explicit `b.pqcAgent.create()` are unaffected. Returns `{ destroyed: boolean }`. (3) **`b.middleware.idempotencyKey.dbStore({ db, tableName?, init? })`** — persistent-backed store for the `idempotencyKey` middleware. Same three-method interface as `memoryStore` (`get` / `set` / `delete`) but stores records in any sqlite-shaped database (`{ prepare(sql) → { run, get, all } }`) — the framework's internal `b.db`, an operator-supplied better-sqlite3 instance, or a custom adapter. Use this instead of `memoryStore` when (a) multiple processes share the request-handling fleet so retries can land on a different process than the original, (b) the daemon may restart between the original request and the retry (graceful rolling deploy, OOM kill), or (c) audit / compliance review needs to walk historic idempotency-cache decisions queryable via `SELECT * FROM <tableName>`. TTL is lazily enforced at read time; `set()` upserts on conflict so concurrent retries on different processes don't error. The `tableName` is validated via `b.safeSql.validateIdentifier` (ASCII identifier shape, 63-char cap, no reserved words). (4) **Internal fix**: `b.apiSnapshot.read` now passes `maxBytes: 64 MiB` to `safeJson.parse` — the framework-generated snapshot file outgrew safeJson's 1 MiB default after v0.9.13. Operators consuming `@blamejs/core` via npm jump from v0.9.12 directly to v0.9.14; v0.9.13's content is included.
 - v0.9.13 (2026-05-13) — **Two `b.circuitBreaker.create` / `b.retry` bug fixes plus three new operator-facing primitives: `b.selfUpdate.standaloneVerifier`, `b.metrics.snapshot`, `b.retry.withBreaker`**. (1) `b.circuitBreaker.create({...})` was rejecting the documented opts-object call shape with `name must be a non-empty string, got object` — every consumer following the docstring hit a hard error. The factory now reads `opts.name` (defaulting to empty string) and forwards to the internal `CircuitBreaker(name, opts)` constructor. (2) The breaker's open-circuit error code was documented as `retry/circuit-open` but the runtime threw `CIRCUIT_OPEN`. The docstring is corrected to match the runtime; an alias rename will follow with a deprecation cycle in a future minor. (3) **`b.selfUpdate.standaloneVerifier`** — zero-dep verifier for install-pipeline contexts that run BEFORE the framework is installed (Dockerfile build stages, `install.sh`, `update.sh`, SEA-bundle verification at deploy time). Surface: `verify(assetPath, sigPath, pubkeyPem, opts?)` returns `{ ok, sha3_512, sha256, alg }`. Streams the asset in 64 KiB chunks through SHA-256 + SHA-3-512 + the signature verifier in parallel — multi-GB SEA bundles don't OOM the install runner. Supports ECDSA P-384 (both IEEE-P1363 96-byte and DER encodings), Ed25519, and ML-DSA-87. Detects signature format from length so `verifier.verify(...)` runs exactly once (calling it twice returns stale state and silently passes tampered assets). Module is hermetic: `node:crypto` + `node:fs` only, no framework imports. Operators copy the file via `cp "$(node -p "require('@blamejs/core').selfUpdate.standaloneVerifier.path")" install/standalone-verifier.js` into version control on their side. (4) **`b.metrics.snapshot`** — out-of-process metrics export for long-running daemons. `startWriter({ path, intervalMs, fields })` atomically flushes a JSON snapshot (first flush synchronous so the file exists by return-time; subsequent flushes on the interval with `.unref()`; `stop()` clears + final-flushes). `read(path)` parses with shape validation (writtenAt + fields). `render(snap, { format, prefix })` produces operator-readable text or Prometheus 0.0.4 exposition (gauge metrics, prefixed; only finite numeric scalars with prom-compatible names emit; invalid-name / non-numeric / non-finite fields skipped silently). Lets a CLI process scrape a daemon's live metrics without opening an HTTP port. (5) **`b.retry.withBreaker(fn, { retry, breaker })`** — composition primitive collapsing the two-line wrapper every consumer rolls: `breaker.wrap(() => retry.withRetry(fn, opts.retry))`. One breaker call per retry loop (the retry budget is INSIDE the breaker's accounting, so a single transient burst doesn't open the breaker spuriously). Throws on non-function `fn` or breaker without `.wrap`.
 - v0.9.12 (2026-05-13) — **Republish of v0.9.10 / v0.9.11 — `npm audit signatures` grep widened for the npm-message variant that fires post-v0.9.11**. The publish workflow's "Verify npm registry signing chain" step treats an empty-tree result as success (the framework's zero-runtime-deps posture means `npm audit signatures --omit dev` finds nothing to audit). The exact phrasing has drifted across npm versions: older npm prints `found no installed dependencies to audit`; newer npm (the version on the GH Actions runner post-v0.9.11) prints `found no dependencies to audit that were installed from a supported registry`. The shell guard's grep only matched the older phrasing, so v0.9.11's publish failed at the audit-signatures gate even though every other step succeeded. The grep is now `no (installed )?dependencies to audit` — covers both known empty-tree variants. v0.9.10's broken-smoke fix (added `npm install` before smoke) plus v0.9.12's audit-signatures-grep fix together complete the publish-pipeline repair. v0.9.12 is functionally identical to v0.9.10's intended surface. Operators stuck at v0.9.9 (because v0.9.10 + v0.9.11 never reached the npm registry) jump directly to v0.9.12.

package/lib/a2a-tasks.js

@@ -92,14 +92,14 @@ function _emitAudit(action, metadata, outcome) {
   } catch (_e) { /* best-effort */ }
 }
 
-var crypto = lazyRequire(function () { return require("./crypto"); });
+var bCrypto = lazyRequire(function () { return require("./crypto"); });
 
 // _newTaskId is reserved for the operator-handler path that mints
 // peer-assigned task IDs server-side. The underscore prefix already
 // satisfies the framework's unused-var policy so the helper stays
 // available without an explicit disable directive.
 function _newTaskId() {
-  return crypto().generateToken(12);                                                               // allow:raw-byte-literal — 96-bit task id, not byte arithmetic on payload
+  return bCrypto().generateToken(12);                                                               // allow:raw-byte-literal — 96-bit task id, not byte arithmetic on payload
 }
 
 function _validateTaskShape(task, where) {

package/lib/a2a.js

@@ -31,10 +31,10 @@
  *   Linux Foundation A2A (Agent-to-Agent) standard — agents advertise identity, declared capabilities, endpoints, and policies via a signed "agent card" that a peer agent fetches before initiating collaboration.
  */
 
-var crypto = require("./crypto");
+var bCrypto = require("./crypto");
 var canonicalJson = require("./canonical-json");
 var C = require("./constants");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var audit = require("./audit");
 var { A2aError } = require("./framework-error");
 
@@ -230,7 +230,7 @@ function signCard(card, privateKeyPem, opts) {
       "a2a.signCard: privateKeyPem required");
   }
 
-  nb.requirePositiveFiniteIntIfPresent(opts.ttlMs, "a2a.signCard: opts.ttlMs", errorClass, "BAD_TTL");
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.ttlMs, "a2a.signCard: opts.ttlMs", errorClass, "BAD_TTL");
   var ttlMs = opts.ttlMs || C.TIME.hours(24);
   var signedAt = Date.now();
   var expiresAt = signedAt + ttlMs;
@@ -241,11 +241,11 @@ function signCard(card, privateKeyPem, opts) {
     expiresAt: expiresAt,
   };
   var canonical = canonicalize(envelopePayload);
-  var digest = crypto.shake256
-    ? crypto.shake256(Buffer.from(canonical, "utf8"), SHAKE256_BYTES)
+  var digest = bCrypto.shake256
+    ? bCrypto.shake256(Buffer.from(canonical, "utf8"), SHAKE256_BYTES)
     : null;
   var dataToSign = digest ? digest : Buffer.from(canonical, "utf8");
-  var signature = crypto.sign(dataToSign, privateKeyPem);
+  var signature = bCrypto.sign(dataToSign, privateKeyPem);
 
   if (auditOn) {
     audit.safeEmit({
@@ -300,8 +300,8 @@ function signCard(card, privateKeyPem, opts) {
 function verifyCard(envelope, publicKeyPem, opts) {
   opts = opts || {};
   var errorClass = opts.errorClass || A2aError;
-  nb.requirePositiveFiniteIntIfPresent(opts.maxBytes, "a2a.verifyCard: opts.maxBytes", errorClass, "BAD_MAX_BYTES");
-  nb.requireNonNegativeFiniteIntIfPresent(opts.clockSkewMs, "a2a.verifyCard: opts.clockSkewMs", errorClass, "BAD_SKEW");
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.maxBytes, "a2a.verifyCard: opts.maxBytes", errorClass, "BAD_MAX_BYTES");
+  numericBounds.requireNonNegativeFiniteIntIfPresent(opts.clockSkewMs, "a2a.verifyCard: opts.clockSkewMs", errorClass, "BAD_SKEW");
   var maxBytes = opts.maxBytes || C.BYTES.kib(64);
   var clockSkewMs = opts.clockSkewMs !== undefined ? opts.clockSkewMs : C.TIME.minutes(5);
   var expectedIssuer = typeof opts.expectedIssuer === "string" ? opts.expectedIssuer : null;
@@ -354,8 +354,8 @@ function verifyCard(envelope, publicKeyPem, opts) {
   if (Buffer.byteLength(canonical, "utf8") > maxBytes) {
     return { valid: false, claims: null, reason: "card-too-large" };
   }
-  var digest = crypto.shake256
-    ? crypto.shake256(Buffer.from(canonical, "utf8"), SHAKE256_BYTES)
+  var digest = bCrypto.shake256
+    ? bCrypto.shake256(Buffer.from(canonical, "utf8"), SHAKE256_BYTES)
     : null;
   var dataToVerify = digest ? digest : Buffer.from(canonical, "utf8");
   var sigBuf;
@@ -363,7 +363,7 @@ function verifyCard(envelope, publicKeyPem, opts) {
   catch (_e) {
     return { valid: false, claims: null, reason: "signature-base64-bad" };
   }
-  var ok = crypto.verify(dataToVerify, sigBuf, publicKeyPem);
+  var ok = bCrypto.verify(dataToVerify, sigBuf, publicKeyPem);
   if (!ok) {
     if (auditOn) {
       audit.safeEmit({

package/lib/acme.js

@@ -940,8 +940,8 @@ function create(opts) {
       throw _err("acme/bad-token", "tlsAlpn01KeyAuthorization: token must be a non-empty string", true);
     }
     var keyAuth = token + "." + _jwkThumbprint(publicJwk);
-    var crypto  = require("node:crypto");
-    return crypto.createHash("sha256").update(keyAuth, "utf8").digest();
+    var nodeCrypto  = require("node:crypto");
+    return nodeCrypto.createHash("sha256").update(keyAuth, "utf8").digest();
   }
 
   /**
@@ -1041,14 +1041,14 @@ function create(opts) {
       throw _err("acme/bad-ttl",
         "dnsAccount01ChallengeRecord: ttl must be a positive integer <= 86400 seconds", true);
     }
-    var crypto = require("node:crypto");
+    var nodeCrypto = require("node:crypto");
     // Account label: lowercase base32 of first 10 bytes of SHA-256(accountUrl)
     // (per draft-ietf-acme-dns-account-label §3.1 — 80-bit truncated label).
-    var hash = crypto.createHash("sha256").update(state.accountUrl, "utf8").digest();
+    var hash = nodeCrypto.createHash("sha256").update(state.accountUrl, "utf8").digest();
     var label = _base32lc(hash.subarray(0, 10));
     // Record value: same key-authorization digest shape as dns-01.
     var keyAuth = token + "." + _jwkThumbprint(publicJwk);
-    var digest  = crypto.createHash("sha256").update(keyAuth, "utf8").digest();
+    var digest  = nodeCrypto.createHash("sha256").update(keyAuth, "utf8").digest();
     return {
       name:  "_" + label + "._acme-challenge." + opts2.identifier,
       value: _b64u(digest),

package/lib/ai-input.js

@@ -13,7 +13,7 @@
  */
 
 var C = require("./constants");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var audit = require("./audit");
 var { AiInputError } = require("./framework-error");
 
@@ -70,7 +70,7 @@ function _featuresOf(input) {
 function classify(input, opts) {
   opts = opts || {};
   var errorClass = opts.errorClass || AiInputError;
-  nb.requirePositiveFiniteIntIfPresent(opts.maxBytes, "aiInput.classify: opts.maxBytes", errorClass, "BAD_MAX_BYTES");
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.maxBytes, "aiInput.classify: opts.maxBytes", errorClass, "BAD_MAX_BYTES");
   var maxBytes = opts.maxBytes || C.BYTES.kib(64);
   var auditOn = opts.audit !== false;
 

package/lib/api-key.js

@@ -34,7 +34,7 @@
  *   Long-lived API token primitives — generate / verify / revoke / rotate; sealed at rest; per-key scope + rate-limit.
  */
 
-var crypto = require("./crypto");
+var bCrypto = require("./crypto");
 var credentialHash = require("./credential-hash");
 var safeJson = require("./safe-json");
 var lazyRequire = require("./lazy-require");
@@ -345,8 +345,8 @@ function create(opts) {
   async function issue(issueOpts) {
     cluster.requireLeader();
     _validateIssueOpts(issueOpts);
-    var idHex     = crypto.generateToken(idBytes);
-    var secretHex = crypto.generateToken(secretBytes);
+    var idHex     = bCrypto.generateToken(idBytes);
+    var secretHex = bCrypto.generateToken(secretBytes);
     var compositeId = _composedId(namespace, idHex);
     var nowMs     = clock();
     var scopes    = issueOpts.scopes || [];
@@ -552,7 +552,7 @@ function create(opts) {
     if (existing.revokedAt != null) {
       throw _err("REVOKED", "apiKey.rotate: id '" + idHex + "' is revoked");
     }
-    var newSecretHex = crypto.generateToken(secretBytes);
+    var newSecretHex = bCrypto.generateToken(secretBytes);
     var newHash = await credentialHash.hash(newSecretHex, { algo: hashAlgo });
     var nowMs = clock();
 

package/lib/api-snapshot.js

@@ -50,8 +50,8 @@
  *   Public-API surface walker plus breaking-change detector — the framework's LTS-contract enforcement at the type level.
  */
 
-var fs = require("fs");
-var nb = require("./numeric-bounds");
+var nodeFs = require("fs");
+var numericBounds = require("./numeric-bounds");
 var safeJson = require("./safe-json");
 var { FrameworkError } = require("./framework-error");
 
@@ -147,7 +147,7 @@ function capture(target, opts) {
     throw new ApiSnapshotError("api-snapshot/bad-target",
       "capture: target must be a module's exports object");
   }
-  var maxDepth = nb.isPositiveFiniteInt(opts.maxDepth) ? opts.maxDepth : DEFAULT_MAX_DEPTH;
+  var maxDepth = numericBounds.isPositiveFiniteInt(opts.maxDepth) ? opts.maxDepth : DEFAULT_MAX_DEPTH;
   var skipUnderscore = opts.skipUnderscore !== false;
   var snapshot = _walkNode(target, 0, maxDepth, new Set(), skipUnderscore);
   if (snapshot.type !== "object") {
@@ -199,7 +199,7 @@ function write(snapshot, filePath) {
     createdAt:        snapshot.createdAt,
     exports:          snapshot.exports,
   };
-  fs.writeFileSync(filePath, JSON.stringify(canonical, null, 2) + "\n", { mode: 0o644 });
+  nodeFs.writeFileSync(filePath, JSON.stringify(canonical, null, 2) + "\n", { mode: 0o644 });
   return filePath;
 }
 
@@ -230,12 +230,12 @@ function read(filePath) {
     throw new ApiSnapshotError("api-snapshot/bad-path",
       "read: filePath is required");
   }
-  if (!fs.existsSync(filePath)) {
+  if (!nodeFs.existsSync(filePath)) {
     throw new ApiSnapshotError("api-snapshot/missing",
       "read: snapshot file not found at " + filePath);
   }
   var raw;
-  try { raw = fs.readFileSync(filePath, "utf8"); }
+  try { raw = nodeFs.readFileSync(filePath, "utf8"); }
   catch (e) {
     throw new ApiSnapshotError("api-snapshot/read-failed",
       "read: cannot read " + filePath + ": " + ((e && e.message) || String(e)));

package/lib/app-shutdown.js

@@ -42,7 +42,7 @@
  */
 
 var safeAsync = require("./safe-async");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var tracing = null;
 try { tracing = require("./tracing"); } catch (_e) { /* tracing optional */ }
 var { defineClass } = require("./framework-error");
@@ -91,7 +91,7 @@ var DEFAULT_GRACE_MS = C.TIME.seconds(30);
  */
 function create(opts) {
   opts = opts || {};
-  nb.requirePositiveFiniteIntIfPresent(opts.graceMs,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.graceMs,
     "app-shutdown.create: opts.graceMs", AppShutdownError, "app-shutdown/bad-grace-ms");
   var graceMs = opts.graceMs !== undefined ? opts.graceMs : DEFAULT_GRACE_MS;
   var phases = Array.isArray(opts.phases) ? opts.phases.slice() : [];

package/lib/app.js

@@ -89,8 +89,8 @@
  * level tables still get the framework tables (sessions, queue jobs,
  * audit_log, consent_log).
  */
-var fs = require("fs");
-var path = require("path");
+var nodeFs = require("fs");
+var nodePath = require("path");
 var appShutdown = require("./app-shutdown");
 var C = require("./constants");
 var cluster = require("./cluster");
@@ -123,9 +123,9 @@ async function createApp(opts) {
   if (!opts.dataDir || typeof opts.dataDir !== "string") {
     throw new Error("createApp: opts.dataDir is required");
   }
-  var dataDir = path.resolve(opts.dataDir);
-  if (!fs.existsSync(dataDir)) {
-    fs.mkdirSync(dataDir, { recursive: true });
+  var dataDir = nodePath.resolve(opts.dataDir);
+  if (!nodeFs.existsSync(dataDir)) {
+    nodeFs.mkdirSync(dataDir, { recursive: true });
   }
 
   // ---- 1. Vault ----

package/lib/archive.js

@@ -48,9 +48,9 @@
  *   ZIP archive creation primitive.
  */
 var zlib = require("node:zlib");
-var fs   = require("node:fs");
+var nodeFs   = require("node:fs");
 var nodeCrypto = require("node:crypto");
-var stream = require("node:stream");
+var nodeStream = require("node:stream");
 var streamPromises = require("node:stream/promises");
 var C = require("./constants");
 var { defineClass } = require("./framework-error");
@@ -159,7 +159,7 @@ function zip() {
     // Duck-type: Readable instance or any object exposing .pipe + .on +
     // a `readable` flag / readableState. Avoids importing every consumer's
     // stream class; matches Node's own stream-detection pattern.
-    return !!o && (o instanceof stream.Readable ||
+    return !!o && (o instanceof nodeStream.Readable ||
       (typeof o.pipe === "function" && typeof o.on === "function"));
   }
 
@@ -323,7 +323,7 @@ function zip() {
 
   function writeTo(filepath) {
     var buf = toBuffer();
-    fs.writeFileSync(filepath, buf);
+    nodeFs.writeFileSync(filepath, buf);
     return buf.length;
   }
 
@@ -379,7 +379,7 @@ function zip() {
     // CRC tap — a passthrough Transform that observes uncompressed bytes
     // and updates usize / CRC before forwarding to the next stage. Avoids
     // consuming the source twice via parallel listeners.
-    var crcTap = new stream.Transform({
+    var crcTap = new nodeStream.Transform({
       transform: function (chunk, enc, cb) {
         usize += chunk.length;
         _crcChunk(chunk);
@@ -395,7 +395,7 @@ function zip() {
       // may leak to dest on failure, but no EOCD is ever written, so
       // consumers see a broken stream rather than a half-archive that
       // pretends to be complete.
-      var sinkWritable = new stream.Writable({
+      var sinkWritable = new nodeStream.Writable({
         write: function (chunk, enc, cb) {
           csize += chunk.length;
           var ok = writable.write(chunk);
@@ -411,7 +411,7 @@ function zip() {
       }
     } else {
       // STORE: pipe source -> crcTap -> writable. csize === usize.
-      var storeCollect = new stream.Writable({
+      var storeCollect = new nodeStream.Writable({
         write: function (chunk, enc, cb) {
           csize += chunk.length;
           var ok = writable.write(chunk);
@@ -445,7 +445,7 @@ function zip() {
     var returnReadable = !writable;
     var dest = writable;
     if (returnReadable) {
-      dest = new stream.PassThrough();
+      dest = new nodeStream.PassThrough();
     } else if (typeof writable.write !== "function") {
       throw new ArchiveError("archive/bad-writable",
         "toStream: writable must be a Writable (or omit to receive a Readable)");

package/lib/argon2-builtin.js

@@ -21,7 +21,7 @@
  */
 
 var nodeCrypto = require("crypto");
-var blamejsCrypto = require("./crypto");
+var bCrypto = require("./crypto");
 var C = require("./constants");
 
 var ARGON2ID = "argon2id";
@@ -137,7 +137,7 @@ async function verify(stored, plain) {
   var actual;
   try { actual = await _runArgon2(message, dec.salt, dec.params, dec.hash.length); }
   catch (_e) { return false; }
-  return blamejsCrypto.timingSafeEqual(actual, dec.hash);
+  return bCrypto.timingSafeEqual(actual, dec.hash);
 }
 
 function needsRehash(stored, opts) {