npm - @blamejs/core - Versions diffs - 0.9.14 → 0.9.16 - Mend

@blamejs/core 0.9.14 → 0.9.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (127) hide show

package/CHANGELOG.md +2 -0
package/lib/a2a-tasks.js +2 -2
package/lib/a2a.js +11 -11
package/lib/acme.js +5 -5
package/lib/ai-input.js +2 -2
package/lib/api-key.js +4 -4
package/lib/api-snapshot.js +6 -6
package/lib/app-shutdown.js +2 -2
package/lib/app.js +5 -5
package/lib/archive.js +8 -8
package/lib/argon2-builtin.js +2 -2
package/lib/atomic-file.js +53 -53
package/lib/audit-sign.js +8 -8
package/lib/audit-tools.js +22 -22
package/lib/auth/dpop.js +3 -3
package/lib/auth/elevation-grant.js +3 -3
package/lib/auth/fido-mds3.js +6 -6
package/lib/auth/jwt-external.js +2 -2
package/lib/auth/sd-jwt-vc.js +2 -2
package/lib/backup/bundle.js +17 -17
package/lib/backup/index.js +36 -36
package/lib/budr.js +3 -3
package/lib/bundler.js +20 -20
package/lib/circuit-breaker.js +4 -4
package/lib/cli.js +25 -26
package/lib/cluster.js +2 -2
package/lib/compliance-sanctions.js +2 -2
package/lib/compliance.js +6 -7
package/lib/config-drift.js +15 -15
package/lib/config.js +6 -6
package/lib/content-credentials.js +4 -4
package/lib/credential-hash.js +7 -7
package/lib/crypto-field.js +9 -9
package/lib/daemon.js +19 -19
package/lib/db-file-lifecycle.js +24 -24
package/lib/db-schema.js +2 -2
package/lib/db.js +34 -34
package/lib/dev.js +10 -10
package/lib/dr-runbook.js +5 -5
package/lib/dual-control.js +2 -2
package/lib/external-db-migrate.js +17 -17
package/lib/external-db.js +2 -2
package/lib/fdx.js +2 -2
package/lib/file-upload.js +30 -30
package/lib/flag-evaluation-context.js +2 -2
package/lib/flag-providers.js +4 -4
package/lib/gate-contract.js +5 -5
package/lib/graphql-federation.js +4 -7
package/lib/honeytoken.js +6 -6
package/lib/http-client-cookie-jar.js +6 -6
package/lib/http-client.js +18 -18
package/lib/i18n.js +5 -5
package/lib/keychain.js +5 -5
package/lib/legal-hold.js +2 -2
package/lib/local-db-thin.js +9 -9
package/lib/log-stream-local.js +17 -17
package/lib/log-stream-syslog.js +2 -2
package/lib/log-stream.js +3 -3
package/lib/log.js +2 -2
package/lib/mail-bounce.js +2 -2
package/lib/mail-mdn.js +2 -2
package/lib/mail-srs.js +2 -2
package/lib/mail.js +7 -7
package/lib/mcp-tool-registry.js +6 -6
package/lib/mcp.js +2 -2
package/lib/metrics.js +2 -2
package/lib/middleware/api-encrypt.js +16 -16
package/lib/middleware/body-parser.js +18 -18
package/lib/middleware/compression.js +3 -3
package/lib/middleware/csp-nonce.js +4 -4
package/lib/middleware/health.js +7 -7
package/lib/middleware/idempotency-key.js +163 -63
package/lib/middleware/require-bound-key.js +4 -4
package/lib/middleware/require-mtls.js +4 -4
package/lib/migrations.js +5 -5
package/lib/mtls-ca.js +26 -26
package/lib/mtls-engine-default.js +5 -5
package/lib/network-byte-quota.js +2 -2
package/lib/network-dns.js +2 -2
package/lib/network-nts.js +2 -2
package/lib/network-proxy.js +3 -3
package/lib/network-smtp-policy.js +2 -2
package/lib/network-tls.js +17 -17
package/lib/network.js +25 -25
package/lib/notify.js +11 -11
package/lib/object-store/gcs-bucket-ops.js +2 -2
package/lib/object-store/gcs.js +5 -5
package/lib/object-store/index.js +6 -6
package/lib/object-store/local.js +19 -19
package/lib/object-store/sigv4.js +3 -3
package/lib/observability-tracer.js +4 -4
package/lib/otel-export.js +3 -3
package/lib/pagination.js +5 -5
package/lib/parsers/safe-env.js +3 -3
package/lib/parsers/safe-xml.js +3 -3
package/lib/pqc-gate.js +5 -5
package/lib/pubsub-redis.js +2 -2
package/lib/queue-local.js +3 -3
package/lib/queue.js +2 -2
package/lib/redis-client.js +4 -4
package/lib/restore-bundle.js +17 -17
package/lib/restore-rollback.js +34 -34
package/lib/restore.js +16 -16
package/lib/router.js +25 -25
package/lib/sandbox.js +8 -8
package/lib/sec-cyber.js +3 -3
package/lib/security-assert.js +2 -2
package/lib/seeders.js +6 -6
package/lib/self-update.js +18 -18
package/lib/session-device-binding.js +2 -2
package/lib/static.js +22 -22
package/lib/template.js +19 -19
package/lib/testing.js +9 -9
package/lib/tls-exporter.js +5 -5
package/lib/tracing.js +3 -3
package/lib/vault/index.js +11 -11
package/lib/vault/passphrase-ops.js +37 -37
package/lib/vault/passphrase-source.js +2 -2
package/lib/vault/rotate.js +64 -64
package/lib/vault/seal-pem-file.js +26 -26
package/lib/vault-aad.js +5 -5
package/lib/watcher.js +22 -22
package/lib/webhook.js +10 -10
package/lib/worker-pool.js +6 -6
package/lib/ws-client.js +6 -6
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/middleware/body-parser.js CHANGED Viewed

@@ -100,7 +100,7 @@
  *     dots collapsed, control characters stripped, length capped at 255.
  *     Tmp file path is generated by the framework, never derived from
  *     the operator-supplied filename — so a malicious filename can't
- *     collide with a sensitive path.
+ *     collide with a sensitive nodePath.
  *   - Multipart parser refuses fields whose `name` is in POISONED_KEYS
  *     (consistent with the JSON path).
  *   - Tmp files set with mode 0o600, parent dir created with 0o700.
@@ -108,12 +108,12 @@
  *     error) so a crashing handler doesn't leak files.
  */
-var fs = require("fs");
+var nodeFs = require("fs");
 var os = require("os");
-var path = require("path");
+var nodePath = require("path");
 var nodeCrypto = require("node:crypto");
 var atomicFile      = require("../atomic-file");
-var crypto          = require("../crypto");
+var bCrypto         = require("../crypto");
 var lazyRequire     = require("../lazy-require");
 var requestHelpers  = require("../request-helpers");
 var safeBuffer      = require("../safe-buffer");
@@ -123,7 +123,7 @@ var validateOpts    = require("../validate-opts");
 var C = require("../constants");
 var { defineClass } = require("../framework-error");
-var auditFwk = lazyRequire(function () { return require("../audit"); });
+var audit = lazyRequire(function () { return require("../audit"); });
 // Node's HTTP parser surfaces malformed chunked-transfer-encoding via a
 // stable family of HPE_* codes. RFC 9112 §7.1 — when a server rejects a
@@ -682,7 +682,7 @@ async function _parseMultipart(req, opts, ctParams) {
   }
   // Resolve tmpDir per-request so directory-creation failure surfaces as a
   // structured error rather than a deferred fs throw.
-  var tmpDir = opts.tmpDir || path.join(os.tmpdir(), "blamejs-uploads");
+  var tmpDir = opts.tmpDir || nodePath.join(os.tmpdir(), "blamejs-uploads");
   try { atomicFile.ensureDir(tmpDir, 0o700); }
   catch (e) {
     throw new BodyParserError(
@@ -733,7 +733,7 @@ async function _parseMultipart(req, opts, ctParams) {
     currentFilename = null;
     currentMime = null;
     currentTmpPath = null;
-    if (currentFd !== null) { try { fs.closeSync(currentFd); } catch (_e) { /* fd already closed */ } currentFd = null; }
+    if (currentFd !== null) { try { nodeFs.closeSync(currentFd); } catch (_e) { /* fd already closed */ } currentFd = null; }
     currentSize = 0;
     currentHash = null;
     currentBuf = null;
@@ -762,10 +762,10 @@ async function _parseMultipart(req, opts, ctParams) {
   }
   function _cleanup() {
-    if (currentFd !== null) { try { fs.closeSync(currentFd); } catch (_e) { /* fd already closed */ } currentFd = null; }
-    if (currentTmpPath) { try { fs.unlinkSync(currentTmpPath); } catch (_e) { /* tmp file already removed */ } }
+    if (currentFd !== null) { try { nodeFs.closeSync(currentFd); } catch (_e) { /* fd already closed */ } currentFd = null; }
+    if (currentTmpPath) { try { nodeFs.unlinkSync(currentTmpPath); } catch (_e) { /* tmp file already removed */ } }
     for (var i = 0; i < files.length; i++) {
-      try { fs.unlinkSync(files[i].path); } catch (_e) { /* tmp file already removed */ }
+      try { nodeFs.unlinkSync(files[i].path); } catch (_e) { /* tmp file already removed */ }
     }
   }
@@ -945,10 +945,10 @@ async function _parseMultipart(req, opts, ctParams) {
               // Generate the tmp path — never derived from the
               // operator-supplied filename.
-              var unique = crypto.generateToken(C.BYTES.bytes(16));
-              currentTmpPath = path.join(tmpDir, "blamejs-up-" + unique);
+              var unique = bCrypto.generateToken(C.BYTES.bytes(16));
+              currentTmpPath = nodePath.join(tmpDir, "blamejs-up-" + unique);
               try {
-                currentFd = fs.openSync(currentTmpPath, "wx", 0o600);
+                currentFd = nodeFs.openSync(currentTmpPath, "wx", 0o600);
               } catch (e) {
                 done(new BodyParserError("body-parser/multipart-tmp-open",
                   "could not open multipart tmp file: " + ((e && e.message) || String(e)),
@@ -1027,7 +1027,7 @@ async function _parseMultipart(req, opts, ctParams) {
                 try {
                   var written = 0;
                   while (written < bodyChunk.length) {
-                    written += fs.writeSync(currentFd, bodyChunk, written, bodyChunk.length - written);
+                    written += nodeFs.writeSync(currentFd, bodyChunk, written, bodyChunk.length - written);
                   }
                 } catch (e) {
                   done(new BodyParserError("body-parser/multipart-tmp-write",
@@ -1068,7 +1068,7 @@ async function _parseMultipart(req, opts, ctParams) {
               // fileFilter rejected — already recorded in filesRejected; no
               // tmp file was opened, nothing to clean up here.
             } else if (currentFd !== null) {
-              try { fs.closeSync(currentFd); } catch (_e) { /* fd already closed */ }
+              try { nodeFs.closeSync(currentFd); } catch (_e) { /* fd already closed */ }
               currentFd = null;
               files.push({
                 field:    currentField,
@@ -1247,7 +1247,7 @@ function create(opts) {
           if (cleanedUp) return;
           cleanedUp = true;
           for (var i = 0; i < mpResult.files.length; i++) {
-            try { fs.unlinkSync(mpResult.files[i].path); } catch (_e) { /* tmp file already removed */ }
+            try { nodeFs.unlinkSync(mpResult.files[i].path); } catch (_e) { /* tmp file already removed */ }
           }
         }
         res.on("finish", cleanup);
@@ -1294,7 +1294,7 @@ function create(opts) {
           ? "http.chunked.extension.refused"
           : "http.chunked.malformed.refused";
         try {
-          auditFwk().safeEmit({
+          audit().safeEmit({
             action:  chunkAction,
             outcome: "denied",
             metadata: {
@@ -1500,7 +1500,7 @@ module.exports = {
   BodyParserError:  BodyParserError,
   // Standalone async helpers — surfaced via b.parsers.{json,multipart}.
   // The middleware composes these so the request-handling pipeline and
-  // the operator-callable surface share one parsing path.
+  // the operator-callable surface share one parsing nodePath.
   parseJson:        parseJsonStandalone,
   parseMultipart:   parseMultipartStandalone,
   // Internal helpers exposed for tests + the csrf-protect refactor.

package/lib/middleware/compression.js CHANGED Viewed

@@ -90,7 +90,7 @@
 var zlib = require("node:zlib");
 var C = require("../constants");
-var nb = require("../numeric-bounds");
+var numericBounds = require("../numeric-bounds");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
 var { defineClass } = require("../framework-error");
@@ -271,12 +271,12 @@ function create(opts) {
   var threshold;
   if (opts.threshold === undefined) {
     threshold = DEFAULT_OPTS.threshold;
-  } else if (nb.isNonNegativeFiniteInt(opts.threshold)) {
+  } else if (numericBounds.isNonNegativeFiniteInt(opts.threshold)) {
     threshold = opts.threshold;
   } else {
     throw new CompressionError("compression/bad-opt",
       "middleware.compression: threshold must be a non-negative finite integer; got " +
-        nb.shape(opts.threshold));
+        numericBounds.shape(opts.threshold));
   }
   var encodings     = Array.isArray(opts.encodings) && opts.encodings.length > 0
                         ? opts.encodings.slice() : DEFAULT_OPTS.encodings.slice();

package/lib/middleware/csp-nonce.js CHANGED Viewed

@@ -113,7 +113,7 @@
  */
 var C = require("../constants");
-var crypto = require("../crypto");
+var bCrypto = require("../crypto");
 var numericBounds = require("../numeric-bounds");
 var validateOpts = require("../validate-opts");
 var { defineClass } = require("../framework-error");
@@ -283,7 +283,7 @@ function create(opts) {
   // Pre-fix the typeof-only check accepted Infinity / NaN — both
   // bypassed the `< MIN_NONCE_BYTES` guard (NaN < N is always false,
   // Infinity < N is always false), then crashed per-request when
-  // `crypto.generateBytes(Infinity)` hit ERR_OUT_OF_RANGE. Route through
+  // `bCrypto.generateBytes(Infinity)` hit ERR_OUT_OF_RANGE. Route through
   // shared numeric-bounds (positive finite int) before the lower-bound
   // check so the typo / coercion is caught at create() time.
   if (!numericBounds.isPositiveFiniteInt(nonceBytes)) {
@@ -322,7 +322,7 @@ function create(opts) {
   if (opts.placeholder === undefined) {
     // OS-RNG → SHAKE256 → hex via the framework random helper.
     placeholder = PLACEHOLDER_PREFIX +
-                  crypto.generateToken(PLACEHOLDER_RAND_BYTES) +
+                  bCrypto.generateToken(PLACEHOLDER_RAND_BYTES) +
                   PLACEHOLDER_SUFFIX;
   } else if (typeof opts.placeholder !== "string" || opts.placeholder.length === 0) {
     throw new CspNonceError("csp-nonce/bad-placeholder",
@@ -336,7 +336,7 @@ function create(opts) {
     // Generate the nonce. Cheap (16 bytes from getrandom → SHAKE256 →
     // base64 encode); do it always for consistency unless `always:
     // false` was set explicitly.
-    var nonce = crypto.generateBytes(nonceBytes).toString("base64");
+    var nonce = bCrypto.generateBytes(nonceBytes).toString("base64");
     // Attach to req for handler access.
     req[property] = nonce;

package/lib/middleware/health.js CHANGED Viewed

@@ -100,7 +100,7 @@
  */
 var C = require("../constants");
-var nb = require("../numeric-bounds");
+var numericBounds = require("../numeric-bounds");
 var requestHelpers = require("../request-helpers");
 var safeAsync = require("../safe-async");
 var validateOpts = require("../validate-opts");
@@ -179,22 +179,22 @@ function create(opts) {
   var defaultTimeoutMs;
   if (opts.defaultTimeoutMs === undefined) {
     defaultTimeoutMs = DEFAULT_TIMEOUT_MS;
-  } else if (nb.isPositiveFiniteInt(opts.defaultTimeoutMs)) {
+  } else if (numericBounds.isPositiveFiniteInt(opts.defaultTimeoutMs)) {
     defaultTimeoutMs = opts.defaultTimeoutMs;
   } else {
     throw new HealthError("health/bad-opt",
       "defaultTimeoutMs must be a positive finite integer; got " +
-        nb.shape(opts.defaultTimeoutMs));
+        numericBounds.shape(opts.defaultTimeoutMs));
   }
   var cacheMs;
   if (opts.cacheMs === undefined) {
     cacheMs = 0;
-  } else if (nb.isNonNegativeFiniteInt(opts.cacheMs)) {
+  } else if (numericBounds.isNonNegativeFiniteInt(opts.cacheMs)) {
     cacheMs = opts.cacheMs;
   } else {
     throw new HealthError("health/bad-opt",
       "cacheMs must be a non-negative finite integer; got " +
-        nb.shape(opts.cacheMs));
+        numericBounds.shape(opts.cacheMs));
   }
   var includeMeta = opts.includeMeta !== false;
   var version = opts.version || null;
@@ -237,12 +237,12 @@ function create(opts) {
     var timeoutMs;
     if (copts.timeoutMs === undefined) {
       timeoutMs = defaultTimeoutMs;
-    } else if (nb.isPositiveFiniteInt(copts.timeoutMs)) {
+    } else if (numericBounds.isPositiveFiniteInt(copts.timeoutMs)) {
       timeoutMs = copts.timeoutMs;
     } else {
       throw new HealthError("health/bad-opt",
         "registerCheck: timeoutMs must be a positive finite integer; got " +
-          nb.shape(copts.timeoutMs));
+          numericBounds.shape(copts.timeoutMs));
     }
     checks.push({
       name:      name,

package/lib/middleware/idempotency-key.js CHANGED Viewed

@@ -46,6 +46,9 @@ var numericBounds = require("../numeric-bounds");
 var safeBuffer    = require("../safe-buffer");
 var safeJson      = require("../safe-json");
 var safeSql       = require("../safe-sql");
+var bCrypto       = require("../crypto");
+var cryptoField   = require("../crypto-field");
+var vault         = require("../vault");
 var { defineClass } = require("../framework-error");
 var audit          = lazyRequire(function () { return require("../audit"); });
@@ -136,7 +139,7 @@ function memoryStore(opts) {
  * @signature b.middleware.idempotencyKey.dbStore(opts)
  * @since     0.9.14
  * @status    stable
- * @related   b.middleware.idempotencyKey, b.middleware.idempotencyKey.memoryStore, b.db
+ * @related   b.middleware.idempotencyKey, b.middleware.idempotencyKey.memoryStore, b.db, b.cryptoField
  *
  * Persistent-backed store for `idempotencyKey` middleware. Implements
  * the same three-method interface as `memoryStore` (`get` / `set` /
@@ -148,30 +151,62 @@ function memoryStore(opts) {
  *
  *   - multiple processes share the request-handling fleet (forks
  *     behind a load balancer, multi-instance K8s deployment) and a
- *     retry can land on a different process than the original
- *     request — only a shared store satisfies the §2 replay
- *     semantics across the fleet;
+ *     retry can land on a different process than the original;
  *   - the daemon may restart between the original request and the
  *     retry (graceful rolling deploy, OOM kill, planned reboot) —
  *     `memoryStore` is volatile, `dbStore` survives the restart;
  *   - audit / compliance review needs to walk historic
- *     idempotency cache decisions — `dbStore` is queryable with
- *     `SELECT * FROM <tableName>`, `memoryStore` is opaque.
+ *     idempotency cache decisions queryable with
+ *     `SELECT k, status_code, expires_at FROM <tableName>` —
+ *     non-sealed columns are forensic-queryable without unsealing.
+ *
+ * **Defense-in-depth defaults (since 0.9.15) — both can be opted out:**
+ *
+ *   - `hashKeys: true` — operator-supplied keys are sha3-512
+ *     namespace-hashed via `b.crypto.namespaceHash("idempotency-key",
+ *     key)` before insert/lookup. The `k` column carries the hash, not
+ *     the raw key. Operator keys often carry PII (order numbers,
+ *     emails, vendor prefixes); the DB never sees them.
+ *   - `seal: true` — `headers` and `body` columns are sealed via
+ *     `b.cryptoField.sealRow` (vault-managed key, AEAD envelope) so a
+ *     DB dump leaks neither cached response bodies nor headers.
+ *     Requires `b.vault.init(...)` to have run; falls back to plain-
+ *     text with a one-shot audit warning when vault isn't ready, so
+ *     test-fixture / boot-script callers still work.
  *
  * Lazily-expired: `get(key)` returns `null` for any row whose
- * `expires_at` has passed (the row is deleted on the same call).
- * `set(key, value, ttlMs)` upserts on conflict so a concurrent retry
- * landing on a different process doesn't error out. `delete(key)` is
- * idempotent (no-op when absent).
+ * `expires_at` has passed. The cleanup is scoped by the observed
+ * `expires_at` so a concurrent upsert from a sibling process isn't
+ * clobbered.
+ *
+ * **Schema (v0.9.15, split columns):**
+ *
+ * ```
+ *   k             TEXT PRIMARY KEY   -- hashed key when hashKeys=true
+ *   fingerprint   TEXT NOT NULL      -- request method+path+body digest
+ *   status_code   INTEGER NOT NULL   -- forensic-queryable
+ *   headers       TEXT NOT NULL      -- JSON, sealed when seal=true
+ *   body          TEXT NOT NULL      -- base64, sealed when seal=true
+ *   expires_at    INTEGER NOT NULL
+ * ```
+ *
+ * **Migration note**: v0.9.14 used a single `v` JSON envelope column.
+ * Operators with a v0.9.14 table must `DROP TABLE <tableName>;` (or
+ * pick a fresh `tableName`) before upgrading — `CREATE TABLE IF NOT
+ * EXISTS` won't migrate column layout. Pre-v1 the framework breaks
+ * across patch versions for security correctness.
  *
  * @opts
  *   db:         object,   // required — sqlite-shaped: { prepare(sql) → { run, get, all } }
  *   tableName?: string,   // default "blamejs_idempotency_keys"; validated via b.safeSql.validateIdentifier
  *   init?:      boolean,  // default true — run CREATE TABLE IF NOT EXISTS at construction
+ *   hashKeys?:  boolean,  // default true — store sha3-512 namespace-hash of the key, not the raw key
+ *   seal?:      boolean,  // default true — seal headers + body via b.cryptoField when vault is ready
  *
  * @example
- *   // single-process daemon, framework's internal sqlite:
+ *   // single-process daemon, framework's internal sqlite, both defaults on:
  *   var b = require("blamejs");
+ *   await b.vault.init({ dataDir: "/var/lib/myapp" });
  *   await b.db.init({ dataDir: "/var/lib/myapp", schema: [] });
  *   var store = b.middleware.idempotencyKey.dbStore({ db: b.db });
  *   var mw = b.middleware.idempotencyKey({
@@ -179,16 +214,6 @@ function memoryStore(opts) {
  *     ttlMs: b.constants.TIME.hours(24),
  *   });
  *   app.use(mw);
- *
- * @example
- *   // multi-process fleet, shared better-sqlite3 instance over WAL:
- *   var Database = require("better-sqlite3");
- *   var db = new Database("/var/lib/myapp/idempotency.db", { fileMustExist: false });
- *   db.pragma("journal_mode = WAL");
- *   var store = b.middleware.idempotencyKey.dbStore({
- *     db:        db,
- *     tableName: "request_idempotency",
- *   });
  */
 function dbStore(opts) {
   opts = opts || {};
@@ -197,12 +222,9 @@ function dbStore(opts) {
       "dbStore: opts.db must be a sqlite-shaped database with a `prepare(sql)` method", true);
   }
   var tableNameRaw = opts.tableName !== undefined ? opts.tableName : "blamejs_idempotency_keys";
-  // Quote-and-validate in one step. safeSql.quoteIdentifier runs
-  // validateIdentifier internally (rejects bad shape / reserved
-  // words / sqlite_-prefixed names) and emits the dialect-correct
-  // double-quoted form. Identifier ALWAYS reaches SQL through the
-  // quoted form — defense-in-depth so a future shape-regex bypass
-  // can't reach raw concatenation. Per PR #44 review.
+  // Quote-and-validate via safeSql.quoteIdentifier — runs
+  // validateIdentifier internally + emits the dialect-correct quoted
+  // form. Identifier always reaches SQL through the quoted form.
   var qTable;
   try { qTable = safeSql.quoteIdentifier(tableNameRaw, "sqlite"); }
   catch (sqlErr) {
@@ -211,65 +233,143 @@ function dbStore(opts) {
       (sqlErr && sqlErr.message ? sqlErr.message : String(sqlErr)), true);
   }
   var qIndex = safeSql.quoteIdentifier(tableNameRaw + "_expires_idx", "sqlite");
-  var doInit = opts.init !== false;
+  var doInit   = opts.init     !== false;
+  var hashKeys = opts.hashKeys !== false;
+  var sealReq  = opts.seal     !== false;
   var db = opts.db;
+  // Probe vault readiness with a sentinel seal. If vault.init() hasn't
+  // run (test fixture / boot-script / operator simply hasn't wired the
+  // posture yet) sealing falls back to plaintext for the lifetime of
+  // this dbStore instance and a single audit warning emits so the
+  // posture gap is visible in the chain.
+  var sealEnabled = false;
+  if (sealReq) {
+    try {
+      vault.seal("__idempotency_seal_probe__");
+      sealEnabled = true;
+    } catch (_vaultErr) {
+      _emitAudit("idempotency.seal_skipped_no_vault",
+        { tableName: tableNameRaw,
+          reason: "vault.init() has not run; sealing falls back to plaintext" },
+        "warning");
+    }
+  }
+  // Register the table with cryptoField. registerTable is idempotent
+  // — subsequent dbStore() calls with the same tableName re-declare
+  // the same sealedFields and no-op.
+  if (sealEnabled) {
+    cryptoField.registerTable(tableNameRaw, {
+      sealedFields: ["headers", "body"],
+    });
+  }
   if (doInit) {
     db.prepare("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
       "k TEXT PRIMARY KEY, " +
-      "v TEXT NOT NULL, " +
+      "fingerprint TEXT NOT NULL, " +
+      "status_code INTEGER NOT NULL, " +
+      "headers TEXT NOT NULL, " +
+      "body TEXT NOT NULL, " +
       "expires_at INTEGER NOT NULL)").run();
     db.prepare("CREATE INDEX IF NOT EXISTS " + qIndex + " ON " +
       qTable + "(expires_at)").run();
   }
-  // Prepare once; reused on every store call. Statements cache to the
-  // framework's bounded prepare-cache automatically when db = b.db.
-  var stmtGet         = db.prepare("SELECT v, expires_at FROM " + qTable + " WHERE k = ?");
-  var stmtUpsert      = db.prepare("INSERT INTO " + qTable + "(k, v, expires_at) VALUES (?, ?, ?) " +
-    "ON CONFLICT(k) DO UPDATE SET v = excluded.v, expires_at = excluded.expires_at");
-  var stmtDelete      = db.prepare("DELETE FROM " + qTable + " WHERE k = ?");
-  // Conditional delete — only removes the row when expires_at still
-  // matches the version we observed. In a multi-process deployment
-  // another process can upsert the same key between our SELECT and
-  // DELETE; an unconditional `DELETE WHERE k = ?` would erase the
-  // FRESH replacement and turn a valid cached response into a miss
-  // (idempotency replay broken under concurrent retries). Per Codex
-  // P1 on PR #44.
+  // Prepared statements. status_code + expires_at stay non-sealed
+  // so audit/forensic SELECTs don't have to unseal-everything.
+  var stmtGet = db.prepare(
+    "SELECT fingerprint, status_code, headers, body, expires_at FROM " +
+    qTable + " WHERE k = ?");
+  var stmtUpsert = db.prepare(
+    "INSERT INTO " + qTable +
+    "(k, fingerprint, status_code, headers, body, expires_at) " +
+    "VALUES (?, ?, ?, ?, ?, ?) " +
+    "ON CONFLICT(k) DO UPDATE SET " +
+    "  fingerprint = excluded.fingerprint, " +
+    "  status_code = excluded.status_code, " +
+    "  headers     = excluded.headers, " +
+    "  body        = excluded.body, " +
+    "  expires_at  = excluded.expires_at");
   var stmtDeleteStale = db.prepare("DELETE FROM " + qTable +
     " WHERE k = ? AND expires_at <= ?");
+  var stmtDelete = db.prepare("DELETE FROM " + qTable + " WHERE k = ?");
+  function _k(rawKey) {
+    if (!hashKeys) return rawKey;
+    return bCrypto.namespaceHash("idempotency-key", rawKey);
+  }
   return {
-    get: function (key) {
-      var row = stmtGet.get(key);
+    get: function (rawKey) {
+      var row = stmtGet.get(_k(rawKey));
       if (!row) return null;
       if (row.expires_at < Date.now()) {
-        // Scoped delete by the observed expires_at so a concurrent
-        // upsert that wrote a fresher row isn't clobbered.
-        stmtDeleteStale.run(key, row.expires_at);
+        stmtDeleteStale.run(_k(rawKey), row.expires_at);
         return null;
       }
-      // safeJson.parse with bounded maxBytes — even though row.v is
-      // written by our own .set() below, a multi-process deployment
-      // shares the table across processes; a misbehaving sibling
-      // could write a huge value that OOMs the reader. The default
-      // maxBodyBytes (1 MiB) bounds what the middleware captures, so
-      // a 4 MiB ceiling here gives headroom for JSON-envelope overhead.
-      try { return safeJson.parse(row.v, { maxBytes: 4 * 1024 * 1024 }); }                           // allow:raw-byte-literal — 4 MiB row-value ceiling
-      catch (_e) {
-        // Corrupt row — scope the delete by the observed expires_at so
-        // a concurrent upsert of valid bytes survives.
-        stmtDeleteStale.run(key, row.expires_at);
+      var liveRow = row;
+      if (sealEnabled) {
+        try { liveRow = cryptoField.unsealRow(tableNameRaw, row); }
+        catch (_unsealErr) {
+          // Decryption failed (key rotation gap / corrupt envelope).
+          // Treat as miss + drop the row so the handler runs fresh
+          // and we capture a re-sealable replacement.
+          stmtDeleteStale.run(_k(rawKey), row.expires_at);
+          return null;
+        }
+      }
+      var headersObj;
+      try {
+        headersObj = safeJson.parse(liveRow.headers, { maxBytes: 4 * 1024 * 1024 });               // allow:raw-byte-literal — 4 MiB headers ceiling
+      } catch (_jsonErr) {
+        // Parse failure has two distinct causes:
+        //   1. Genuine corruption (truncated row, encoding mishap) — drop.
+        //   2. The row was sealed by a sibling process (vault: prefix
+        //      present) but THIS process has sealEnabled=false (vault
+        //      not initialized OR opts.seal=false). The row is valid
+        //      cross-process state we just can't read locally;
+        //      DELETING it would clobber another process's cache and
+        //      turn a hit into a miss with potential side-effect re-
+        //      execution. Treat as miss + LEAVE the row in place.
+        //      Per Codex P1 on PR #45.
+        var lookedSealed = typeof liveRow.headers === "string" &&
+          liveRow.headers.indexOf("vault:") === 0;
+        if (!lookedSealed) {
+          stmtDeleteStale.run(_k(rawKey), row.expires_at);
+        }
         return null;
       }
+      return {
+        fingerprint: liveRow.fingerprint,
+        statusCode:  liveRow.status_code,
+        headers:     headersObj,
+        body:        liveRow.body,
+      };
     },
-    set: function (key, value, ttlMs) {
-      stmtUpsert.run(key, JSON.stringify(value), Date.now() + ttlMs);
+    set: function (rawKey, value, ttlMs) {
+      var rowOut = {
+        k:           _k(rawKey),
+        fingerprint: value.fingerprint,
+        status_code: value.statusCode,
+        headers:     JSON.stringify(value.headers || {}),
+        body:        value.body || "",
+        expires_at:  Date.now() + ttlMs,
+      };
+      if (sealEnabled) {
+        rowOut = cryptoField.sealRow(tableNameRaw, rowOut);
+      }
+      stmtUpsert.run(
+        rowOut.k, rowOut.fingerprint, rowOut.status_code,
+        rowOut.headers, rowOut.body, rowOut.expires_at);
     },
-    delete: function (key) {
-      stmtDelete.run(key);
+    delete: function (rawKey) {
+      stmtDelete.run(_k(rawKey));
     },
-    _tableName: tableNameRaw,
+    _tableName:   tableNameRaw,
+    _hashKeys:    hashKeys,
+    _sealEnabled: sealEnabled,
   };
 }

package/lib/middleware/require-bound-key.js CHANGED Viewed

@@ -52,7 +52,7 @@ var defineClass = require("../framework-error").defineClass;
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
-var crypto = lazyRequire(function () { return require("../crypto"); });
+var bCrypto = lazyRequire(function () { return require("../crypto"); });
 var audit  = lazyRequire(function () { return require("../audit"); });
 var RequireBoundKeyError = defineClass("RequireBoundKeyError", { alwaysPermanent: true });
@@ -67,7 +67,7 @@ function _parseBearer(req) {
 function _timingSafeStringEqual(a, b) {
   if (typeof a !== "string" || typeof b !== "string") return false;
   if (a.length !== b.length) return false;
-  return crypto().timingSafeEqual(Buffer.from(a), Buffer.from(b));
+  return bCrypto().timingSafeEqual(Buffer.from(a), Buffer.from(b));
 }
 /**
@@ -243,7 +243,7 @@ function create(opts) {
       var fpColon = req.peerFingerprint && req.peerFingerprint.colon;
       if (!fpHex && req.peerCert && req.peerCert.raw) {
         try {
-          var fp = crypto().hashCertFingerprint(req.peerCert.raw);
+          var fp = bCrypto().hashCertFingerprint(req.peerCert.raw);
           fpHex = fp.hex; fpColon = fp.colon;
         } catch (_e) { /* fall through to refused below */ }
       }
@@ -256,7 +256,7 @@ function create(opts) {
             keyId: record.id || null,
           });
         }
-      } else if (!crypto().isCertRevoked(req.peerCert.raw, pinned)) {
+      } else if (!bCrypto().isCertRevoked(req.peerCert.raw, pinned)) {
         // isCertRevoked returns true on MATCH against the deny-list
         // shape; we use it here as a fingerprint-set membership test
         // because it does the same constant-time hex/colon comparison

package/lib/middleware/require-mtls.js CHANGED Viewed

@@ -49,7 +49,7 @@ var defineClass = require("../framework-error").defineClass;
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
-var crypto = lazyRequire(function () { return require("../crypto"); });
+var bCrypto = lazyRequire(function () { return require("../crypto"); });
 var audit  = lazyRequire(function () { return require("../audit"); });
 var RequireMtlsError = defineClass("RequireMtlsError", { alwaysPermanent: true });
@@ -169,18 +169,18 @@ function create(opts) {
     // allow/deny matching.
     var fp;
     try {
-      fp = crypto().hashCertFingerprint(peerCert.raw);
+      fp = bCrypto().hashCertFingerprint(peerCert.raw);
     } catch (e) {
       return _refuse(res, "fingerprint-failed", { error: (e && e.message) || String(e) });
     }
-    if (denyList.length > 0 && crypto().isCertRevoked(peerCert.raw, denyList)) {
+    if (denyList.length > 0 && bCrypto().isCertRevoked(peerCert.raw, denyList)) {
       return _refuse(res, "fingerprint-on-deny-list", {
         fingerprint: fp.colon,
         subject:     (peerCert.subject && peerCert.subject.CN) || null,
       });
     }
-    if (allowList && allowList.length > 0 && !crypto().isCertRevoked(peerCert.raw, allowList)) {
+    if (allowList && allowList.length > 0 && !bCrypto().isCertRevoked(peerCert.raw, allowList)) {
       return _refuse(res, "fingerprint-not-allowed", {
         fingerprint: fp.colon,
         subject:     (peerCert.subject && peerCert.subject.CN) || null,

package/lib/migrations.js CHANGED Viewed

@@ -38,14 +38,14 @@
  * down() succeeds.
  */
-var path = require("path");
+var nodePath = require("path");
 var atomicFile = require("./atomic-file");
 var dbSchema = require("./db-schema");
 var lazyRequire = require("./lazy-require");
 var { boot } = require("./log");
 var migrationFiles = require("./migration-files");
 var numericBounds = require("./numeric-bounds");
-var dbModule = lazyRequire(function () { return require("./db"); });
+var db = lazyRequire(function () { return require("./db"); });
 var validateOpts = require("./validate-opts");
 var { FrameworkError } = require("./framework-error");
@@ -200,7 +200,7 @@ function _acquireLock(db, opts) {
 function _releaseLock(db, holder) {
   // Only release our own lock — a process whose deploy was killed
   // shouldn't have its lock cleared by an unrelated next deploy unless
-  // the operator explicitly used the staleAfterMs path.
+  // the operator explicitly used the staleAfterMs nodePath.
   try {
     db.prepare(
       "DELETE FROM " + Q_LOCK_TABLE + " WHERE scope = 'lock' AND lockedBy = ?"
@@ -224,7 +224,7 @@ function _resolveDb(opts) {
   if (opts && opts.db && typeof opts.db.prepare === "function") return opts.db;
   // Fall back to the framework's singleton db when one isn't passed —
   // operator-side wiring usually does `b.migrations.create({ dir })`.
-  var d = dbModule();
+  var d = db();
   if (typeof d.prepare !== "function") {
     throw new MigrationError("migrations/no-db",
       "no db handle: pass opts.db or initialize b.db before create()",
@@ -234,7 +234,7 @@ function _resolveDb(opts) {
 }
 function _loadMigration(file, dir) {
-  var fullPath = path.join(dir, file);
+  var fullPath = nodePath.join(dir, file);
   // Drop the require cache for this path before loading so a test that
   // changes a migration file between calls picks up the new content.
   // Production deployments would always restart the process, but this