@blamejs/core 0.9.15 → 0.9.17

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.17 (2026-05-14) — **Two new `codebase-patterns` detectors + 192-site cleanup sweep — `node:` prefix consistency + internal-binding leak prevention.** Post-v0.9.16 audit surfaced two enforceable invariants the existing detectors didn't cover. (1) **`node-builtin-prefix` detector** — every `require("<X>")` of a Node built-in (`fs`, `path`, `crypto`, `stream`, `tls`, `url`, `os`, `net`, `http`, `http2`, `https`, `zlib`, `dgram`, `events`, `child_process`, `readline`, …) must use the modern `require("node:<X>")` form. Three reasons: (a) userland packages on npm CAN be named after built-ins, so without the `node:` prefix a typo or `npm install` accident could shadow the built-in; (b) the prefix is a clearer at-a-glance signal that the dependency is on Node, not on a userland module; (c) bundler / SEA static-trace passes treat `node:` prefix as an unambiguous Node-builtin marker. Sweep: 153 `require()` rewrites across 79 framework files (2 parallel agents). The detector skips JSDoc `@example` block continuation lines (`*`-prefixed), so operator-facing examples that show `var fs = require("fs")` aren't rewritten — operators write their own bindings however they prefer. (2) **`internal-binding-in-prose` detector** — internal binding names (`nodeFs` / `nodePath` / `nodeCrypto` / `nodeStream` / `nodeTls` / `nodeUrl` / `bCrypto` / `retryHelper`) must NOT appear in operator-facing surface: JSDoc/comment continuation lines or string literals (error messages, audit metadata). Operators see the public API name (`path` / `fs` / `crypto` / `retry` / …), never the framework's internal alias. Sweep: 39 prose-leak fixes across 16 files — comments rewritten to use the operator-facing word (`nodePath` → `path`, `nodeFs.watch failed` → `fs.watch failed`, debug-log `"op": "nodeFs.unlinkSync"` → `"op": "fs.unlinkSync"`). (3) **2 follow-on require-binding canonicalizations** surfaced by the node-prefix sweep — `lib/ws-client.js` now destructures `var { EventEmitter } = require("node:events")` (was binding the entire `events` module to a class-shaped name) and `lib/process-spawn.js` renames inline `nodeChild` → `childProcess` (matches the module-level `childProcess` lazyRequire in `lib/dev.js`).
+- v0.9.16 (2026-05-14) — **Operator-facing prose cleanup + `require-binding-name` detector now covers `lazyRequire` wrappers + dbStore seal round-trip test added.** Post-v0.9.15 audit surfaced three classes of follow-up. (1) **Operator-facing prose leaks (7 sites)** — the v0.9.15 mechanical rename pattern `<OLD>.` → `<NEW>.` also caught occurrences inside JSDoc `@opts` comments and error-message string literals, so operators reading `b.keychain.create(opts)` saw `// absolute nodePath; required if file fallback may engage` instead of `// absolute path`. Fixed: `lib/db.js` (stream-limit error), `lib/keychain.js` (fallback-file error + 3 JSDoc lines), `lib/restore-bundle.js` (staging-dir error), `lib/watcher.js` (fs.watch failure error). Operators see plain English; internal binding names stay internal. (2) **`require-binding-name` detector extended to cover `lazyRequire`** — the v0.9.15 detector only matched plain `var X = require("M")` and missed the framework's `var X = lazyRequire(function () { return require("M"); })` pattern (used to break load cycles). 34 additional inconsistencies surfaced (`auditFwk` / `auditMod` / `auditModule` / `lazyAudit` → `audit`, `crypto` / `fwCrypto` → `bCrypto`, `dbMod` / `dbModule` → `db`, etc.) — every minority site renamed per the same canonical-name map. (3) **dbStore seal round-trip test** — the v0.9.15 test suite covered seal-falls-back-when-vault-not-ready and cross-process-sealed-row-preserved, but did NOT exercise the actual default-ON seal/unseal path because the test environment didn't `b.vault.init(...)`. New `testDbStoreSealRoundTripWithVault` bootstraps a plaintext vault, builds a dbStore with `seal: true`, writes a record + reads it back, and asserts (a) `headers` + `body` columns carry the `vault:` envelope on disk, (b) the round-trip restores the original values, and (c) `status_code` stays plaintext so forensic SELECTs still work without unsealing.
 - v0.9.15 (2026-05-13) — **`b.middleware.idempotencyKey.dbStore` hardening + framework-wide `require()` binding-name consistency.** Two operator-surfaced gaps closed: (1) **dbStore now hashes keys + seals body/headers by default.** Operator-supplied idempotency keys sometimes carry PII (order numbers, emails, vendor prefixes); the `k` column previously stored them raw, leaving every DB dump as a PII surface. v0.9.15 sha3-512 namespace-hashes the key via `b.crypto.namespaceHash("idempotency-key", key)` before insert/lookup — round-trips are transparent (operators still pass raw keys), but the DB never sees the original. The schema also splits the previous single-`v` JSON-envelope column into discrete `fingerprint` / `status_code` / `headers` / `body` / `expires_at` columns; `headers` + `body` are sealed via `b.cryptoField.sealRow` (vault-managed AEAD envelope) when vault is initialized, so a DB dump leaks neither cached response bodies nor headers. Non-sealed columns (`status_code`, `fingerprint`, `expires_at`) stay forensic-queryable. Both defaults are operator-opt-out via `opts.hashKeys: false` and `opts.seal: false`; the seal path silently falls back to plaintext + emits an `idempotency.seal_skipped_no_vault` audit warning on first use when vault isn't ready, so test fixtures and boot scripts still work. **Schema migration**: v0.9.15's split columns are incompatible with v0.9.14's single-`v` column — operators with a v0.9.14 idempotency table `DROP TABLE <tableName>;` (or pick a fresh `tableName`) before upgrading. Pre-v1 framework breaks across patch versions for security correctness. (2) **New `require-binding-name` codebase-patterns detector enforces consistent `var X = require("M")` names framework-wide.** Inconsistent names (`fs` vs `nodeFs`, `crypto` vs `nodeCrypto`, `path` vs `nodePath`, `nb` vs `numericBounds`) made `grep` across the lib unreliable and let reviewers miss shadowing bugs (`var crypto = require("crypto")` collides with the framework's own `b.crypto`). The detector carries a `CANONICAL_REQUIRE_BINDINGS` map with safety-first defaults: Node built-ins get a `node<X>` prefix (`nodeFs` / `nodePath` / `nodeCrypto` / `nodeStream` / `nodeTls` / `nodeUrl`) so a local var named `fs` / `path` / `crypto` can never shadow them; the framework's own `lib/crypto.js` binds as `bCrypto` (matches the `b.crypto` public-namespace shape and doesn't shadow node:crypto). Modules without a declared canonical fall back to majority-wins (most-sites name wins, alphabetical tiebreak). Fix is rename, not allowlist — every minority site was updated. **Sweep**: 184 require-binding renames across 108 framework files in this release; primitives + tests unchanged in surface. (3) **`b.graphqlFederation` internal `_timingSafeEqual` now routes through `b.crypto.timingSafeEqual`** (was re-implementing the length-tolerant wrapper inline; the new require-binding-name detector surfaced this; same-patch fix per the audit-existing-code rule).
 - v0.9.14 (2026-05-13) — **Audit-existing-code sweep: `safeSql.quoteIdentifier` adopted across every framework primitive that interpolates SQL identifiers; new `raw-sql-identifier-interpolation` detector seals the bug class.** Codex P1 on PR #44 flagged that `dbStore.get`'s expired-row cleanup was an unconditional `DELETE WHERE k = ?` between SELECT and DELETE — in a multi-process deployment another process could upsert the same key in the race window, and the unconditional delete would erase the fresh row. Fix: scope the delete by the observed `expires_at`. While reviewing, a wider gap surfaced — every `db.prepare("CREATE TABLE " + tableName + ...)` site in the framework had been concatenating identifiers raw, sometimes with inline shape-regex validation that varied per module. The framework already shipped `b.safeSql.quoteIdentifier(name, dialect?)` for exactly this; per the audit-existing-code rule the same patch (a) routes every site through the helper (`lib/audit.js` segregation-of-duties trigger DDL, `lib/dsr.js` ticket store, `lib/inbox.js` message-receive table, `lib/middleware/idempotency-key.js` dbStore, `lib/vault/rotate.js` column-rotation DDL) and (b) adds a `raw-sql-identifier-interpolation` codebase-patterns detector so the bug class can't return. The detector skips variables whose names signal already-quoted identifiers (`q<X>` / `Q_<X>` / `quoted<X>` prefix), so future primitives that use the helper read naturally. **Plus: bounded JSON parse for two file-/DB-backed primitives.** `b.metrics.snapshot.read` and `b.middleware.idempotencyKey.dbStore.get` previously used bare `JSON.parse` with `allow:bare-json-parse` markers; both are read by processes separate from where they were written (CLI/sidecar reads daemon-written snapshot; multi-process fleet shares DB) where a hostile or misbehaving writer could plant a multi-GB value and OOM the reader. Both now route through `b.safeJson.parse(raw, { maxBytes: 4 MiB })`. **Three new primitives — `b.crypto.hashFilesParallel`, `b.pqcAgent.reload`, `b.middleware.idempotencyKey.dbStore` — plus republish of v0.9.13's surface**. v0.9.13's npm-publish workflow failed at the wiki-e2e gate (the Codex P1 fix removed the `opts` parameter from `b.selfUpdate.standaloneVerifier.verify` but the `@signature` JSDoc still declared four arguments — three vs. four arity drift). The v0.9.13 git tag + GH release reached operators but the npm tarball did not; the registry stayed at v0.9.12. v0.9.14 carries v0.9.13's entire shipped surface (circuitBreaker.create({...}) opts-object fix + `b.selfUpdate.standaloneVerifier` + `b.metrics.snapshot` + `b.retry.withBreaker`) plus three additional Tier 2 primitives surfaced by the same downstream consumer that flagged the v0.9.13 batch. (1) **`b.crypto.hashFilesParallel(filePaths, opts?)`** — parallel multi-digest hashing for many files in a single read pass per file. Worker-pool concurrency cap (default `min(8, paths.length)`, 1..256), operator-tunable `algorithms` list (default `["sha256", "sha3-512"]`), optional `onProgress(completed, total)` callback (throws swallowed). Returns rows in the same order as input. The common consumer-side reason to reach for this is SBOM regeneration / vendor-data integrity sweeps / release-asset bundling — situations where N files each need both SHA-256 (legacy compat) and SHA-3-512 (PQC-first) digests and rolling a worker pool by hand has cost a downstream consumer the same two-loop, capture-N-promises, settle-Q boilerplate every release. (2) **`b.pqcAgent.reload()`** — tear down the lazily-built default agent and reset to null so the next `b.pqcAgent.agent` access rebuilds against current TLS posture + `b.network.tls.applyToContext` output. Long-running daemons that rotate the framework's TLS posture (TLS-pinset reload, certificate-pinset refresh, `C.TLS_GROUP_PREFERENCE` update behind a feature flag) need a way to re-source the outbound `https.Agent` without forking a new process. `reload()` calls `.destroy()` on the existing default agent (Node closes idle keep-alive sockets, lets in-flight sockets complete) then nulls the cache. Agents handed out via explicit `b.pqcAgent.create()` are unaffected. Returns `{ destroyed: boolean }`. (3) **`b.middleware.idempotencyKey.dbStore({ db, tableName?, init? })`** — persistent-backed store for the `idempotencyKey` middleware. Same three-method interface as `memoryStore` (`get` / `set` / `delete`) but stores records in any sqlite-shaped database (`{ prepare(sql) → { run, get, all } }`) — the framework's internal `b.db`, an operator-supplied better-sqlite3 instance, or a custom adapter. Use this instead of `memoryStore` when (a) multiple processes share the request-handling fleet so retries can land on a different process than the original, (b) the daemon may restart between the original request and the retry (graceful rolling deploy, OOM kill), or (c) audit / compliance review needs to walk historic idempotency-cache decisions queryable via `SELECT * FROM <tableName>`. TTL is lazily enforced at read time; `set()` upserts on conflict so concurrent retries on different processes don't error. The `tableName` is validated via `b.safeSql.validateIdentifier` (ASCII identifier shape, 63-char cap, no reserved words). (4) **Internal fix**: `b.apiSnapshot.read` now passes `maxBytes: 64 MiB` to `safeJson.parse` — the framework-generated snapshot file outgrew safeJson's 1 MiB default after v0.9.13. Operators consuming `@blamejs/core` via npm jump from v0.9.12 directly to v0.9.14; v0.9.13's content is included.
 - v0.9.13 (2026-05-13) — **Two `b.circuitBreaker.create` / `b.retry` bug fixes plus three new operator-facing primitives: `b.selfUpdate.standaloneVerifier`, `b.metrics.snapshot`, `b.retry.withBreaker`**. (1) `b.circuitBreaker.create({...})` was rejecting the documented opts-object call shape with `name must be a non-empty string, got object` — every consumer following the docstring hit a hard error. The factory now reads `opts.name` (defaulting to empty string) and forwards to the internal `CircuitBreaker(name, opts)` constructor. (2) The breaker's open-circuit error code was documented as `retry/circuit-open` but the runtime threw `CIRCUIT_OPEN`. The docstring is corrected to match the runtime; an alias rename will follow with a deprecation cycle in a future minor. (3) **`b.selfUpdate.standaloneVerifier`** — zero-dep verifier for install-pipeline contexts that run BEFORE the framework is installed (Dockerfile build stages, `install.sh`, `update.sh`, SEA-bundle verification at deploy time). Surface: `verify(assetPath, sigPath, pubkeyPem, opts?)` returns `{ ok, sha3_512, sha256, alg }`. Streams the asset in 64 KiB chunks through SHA-256 + SHA-3-512 + the signature verifier in parallel — multi-GB SEA bundles don't OOM the install runner. Supports ECDSA P-384 (both IEEE-P1363 96-byte and DER encodings), Ed25519, and ML-DSA-87. Detects signature format from length so `verifier.verify(...)` runs exactly once (calling it twice returns stale state and silently passes tampered assets). Module is hermetic: `node:crypto` + `node:fs` only, no framework imports. Operators copy the file via `cp "$(node -p "require('@blamejs/core').selfUpdate.standaloneVerifier.path")" install/standalone-verifier.js` into version control on their side. (4) **`b.metrics.snapshot`** — out-of-process metrics export for long-running daemons. `startWriter({ path, intervalMs, fields })` atomically flushes a JSON snapshot (first flush synchronous so the file exists by return-time; subsequent flushes on the interval with `.unref()`; `stop()` clears + final-flushes). `read(path)` parses with shape validation (writtenAt + fields). `render(snap, { format, prefix })` produces operator-readable text or Prometheus 0.0.4 exposition (gauge metrics, prefixed; only finite numeric scalars with prom-compatible names emit; invalid-name / non-numeric / non-finite fields skipped silently). Lets a CLI process scrape a daemon's live metrics without opening an HTTP port. (5) **`b.retry.withBreaker(fn, { retry, breaker })`** — composition primitive collapsing the two-line wrapper every consumer rolls: `breaker.wrap(() => retry.withRetry(fn, opts.retry))`. One breaker call per retry loop (the retry budget is INSIDE the breaker's accounting, so a single transient burst doesn't open the breaker spuriously). Throws on non-function `fn` or breaker without `.wrap`.

package/lib/a2a-tasks.js

@@ -92,14 +92,14 @@ function _emitAudit(action, metadata, outcome) {
   } catch (_e) { /* best-effort */ }
 }
 
-var crypto = lazyRequire(function () { return require("./crypto"); });
+var bCrypto = lazyRequire(function () { return require("./crypto"); });
 
 // _newTaskId is reserved for the operator-handler path that mints
 // peer-assigned task IDs server-side. The underscore prefix already
 // satisfies the framework's unused-var policy so the helper stays
 // available without an explicit disable directive.
 function _newTaskId() {
-  return crypto().generateToken(12);                                                               // allow:raw-byte-literal — 96-bit task id, not byte arithmetic on payload
+  return bCrypto().generateToken(12);                                                               // allow:raw-byte-literal — 96-bit task id, not byte arithmetic on payload
 }
 
 function _validateTaskShape(task, where) {

package/lib/acme.js

@@ -302,8 +302,8 @@ function _findAkiKeyIdentifier(rawDer) {
  *   maxBytes:         number,                                       // default 2 MiB — response body cap
  *
  * @example
- *   var nodeCrypto = require("crypto");
- *   var pair = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+ *   var crypto = require("crypto");
+ *   var pair = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  *   var acme = b.acme.create({
  *     directory:  "https://acme-staging-v02.api.letsencrypt.org/directory",
  *     accountKey: {

package/lib/api-snapshot.js

@@ -50,7 +50,7 @@
  *   Public-API surface walker plus breaking-change detector — the framework's LTS-contract enforcement at the type level.
  */
 
-var nodeFs = require("fs");
+var nodeFs = require("node:fs");
 var numericBounds = require("./numeric-bounds");
 var safeJson = require("./safe-json");
 var { FrameworkError } = require("./framework-error");

package/lib/app-shutdown.js

@@ -449,8 +449,8 @@ function standardPhases(components) {
 // fs.openSync) which gives the same single-instance guarantee but
 // without the cross-process advisory lock — the lock file presence
 // IS the lock.
-var nodeFs   = require("fs");
-var nodePath = require("path");
+var nodeFs   = require("node:fs");
+var nodePath = require("node:path");
 
 /**
  * @primitive b.appShutdown.pidLock

package/lib/app.js

@@ -89,8 +89,8 @@
  * level tables still get the framework tables (sessions, queue jobs,
  * audit_log, consent_log).
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var appShutdown = require("./app-shutdown");
 var C = require("./constants");
 var cluster = require("./cluster");

package/lib/argon2-builtin.js

@@ -20,7 +20,7 @@
  * `needsRehash` shape this wrapper exposes.
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var bCrypto = require("./crypto");
 var C = require("./constants");
 

package/lib/atomic-file.js

@@ -11,8 +11,8 @@
  *   Every write goes through the same crash-safe sequence:
  *     1. write payload to a sibling temp file (`<filepath>.tmp-<token>`)
  *     2. fsync the file descriptor before close
- *     3. nodeFs.rename() the temp file over the destination — POSIX rename
- *        is atomic on the same filesystem; on Windows, nodeFs.rename uses
+ *     3. fs.rename() the temp file over the destination — POSIX rename
+ *        is atomic on the same filesystem; on Windows, fs.rename uses
  *        MoveFileEx with REPLACE_EXISTING for the same guarantee
  *     4. fsync the parent directory so the rename itself is durable
  *
@@ -38,8 +38,8 @@
  * @card
  *   Atomic file I/O with integrity verification, retry on transient errors, and cross-process locking.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var { generateToken, sha3Hash } = require("./crypto");
 var safeJson = require("./safe-json");
 var C = require("./constants");
@@ -114,7 +114,7 @@ async function _withRetry(fn, opts) {
  * @status    stable
  * @related   b.atomicFile.fsyncDir, b.atomicFile.write
  *
- * Best-effort nodeFs.fsyncSync wrapper. Silently swallows errors because
+ * Best-effort fs.fsyncSync wrapper. Silently swallows errors because
  * not every platform / fd type supports fsync (some FUSE mounts, some
  * device fds). Use this when you want the durability hint but don't
  * want a non-fsyncable target to crash the caller.
@@ -124,7 +124,7 @@ async function _withRetry(fn, opts) {
  *   var fd = fs.openSync("/tmp/note.txt", "w");
  *   fs.writeSync(fd, "hello\n");
  *   b.atomicFile.fsync(fd);
- *   nodeFs.closeSync(fd);
+ *   fs.closeSync(fd);
  */
 function fsync(fd) {
   try { nodeFs.fsyncSync(fd); } catch (_e) { /* not all platforms support fsync on every fd type */ }
@@ -354,7 +354,7 @@ function writeSync(filepath, data, opts) {
  * predict — only glob-by-prefix and prune by age. Operators should
  * call this at boot for every "important" filepath (vault.key.sealed,
  * audit-sign.key.sealed, db.enc, ...) BEFORE the first atomic write
- * to that nodePath. Returns the number of orphans removed.
+ * to that path. Returns the number of orphans removed.
  *
  * @opts
  *   olderThanMs: 300000,   // only prune temp files older than this many ms (default 5 minutes)
@@ -706,7 +706,7 @@ async function copy(src, dst, opts) {
  * @status    stable
  * @related   b.atomicFile.read, b.atomicFile.readSync
  *
- * Synchronous existence check. Thin wrapper over `nodeFs.existsSync` that
+ * Synchronous existence check. Thin wrapper over `fs.existsSync` that
  * normalises the answer for callers that already require this module
  * — saves an additional `require("fs")` in modules that otherwise
  * only need atomicFile.

package/lib/audit-sign.js

@@ -58,9 +58,9 @@
  * @card
  *   SLH-DSA-SHAKE-256f post-quantum signature for audit-chain checkpoints.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
-var nodeCrypto = require("crypto");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
+var nodeCrypto = require("node:crypto");
 var atomicFile = require("./atomic-file");
 var { sha3Hash } = require("./crypto");
 var { defineClass } = require("./framework-error");

package/lib/audit-tools.js

@@ -54,8 +54,8 @@
  *   Operator-side audit-chain inspection / export — verify chain integrity end-to-end, export RFC 8785 canonical-JSON slices, format rows for downstream SIEM (CADF / ISO 19395), and generate tamper-evident compliance-evidence bundles auditors can verify off-line.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var pkg = require("../package.json");
 var atomicFile = require("./atomic-file");
 var auditChain = require("./audit-chain");

package/lib/auth/dpop.js

@@ -26,7 +26,7 @@
  * Middleware: see `lib/middleware/dpop.js` (`b.middleware.dpop`).
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var bCrypto = require("../crypto");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");

package/lib/auth/elevation-grant.js

@@ -28,7 +28,7 @@
  * time entry-point); verify() returns structured errors (hot path).
  */
 
-var nodeCrypto    = require("crypto");
+var nodeCrypto    = require("node:crypto");
 var validateOpts  = require("../validate-opts");
 var lazyRequire   = require("../lazy-require");
 var safeJson      = require("../safe-json");
@@ -36,7 +36,7 @@ var C             = require("../constants");
 var { AuthError } = require("../framework-error");
 
 var audit         = lazyRequire(function () { return require("../audit"); });
-var fwCrypto      = lazyRequire(function () { return require("../crypto"); });
+var bCrypto      = lazyRequire(function () { return require("../crypto"); });
 
 var DEFAULT_TTL_SEC      = C.TIME.minutes(15) / C.TIME.seconds(1);
 var MAX_TTL_SEC          = C.TIME.hours(1)    / C.TIME.seconds(1);
@@ -82,7 +82,7 @@ function _macFor(payloadB64) {
 
 function _timingSafeEqualBuf(a, b) {
   if (!Buffer.isBuffer(a) || !Buffer.isBuffer(b)) return false;
-  return fwCrypto().timingSafeEqual(a, b);
+  return bCrypto().timingSafeEqual(a, b);
 }
 
 function create(opts) {
@@ -128,7 +128,7 @@ function create(opts) {
   }
   var nowSec = (typeof opts.now === "number" && isFinite(opts.now))
     ? opts.now : Math.floor(Date.now() / C.TIME.seconds(1));
-  var jti = fwCrypto().generateBytes(C.BYTES.bytes(16)).toString("base64url");
+  var jti = bCrypto().generateBytes(C.BYTES.bytes(16)).toString("base64url");
   var payload = {
     sub:      opts.subject,
     scope:    opts.scope,

package/lib/auth/fido-mds3.js

@@ -47,8 +47,8 @@ var _wa          = require("../vendor/simplewebauthn-server.cjs");
 var { FidoMds3Error } = require("../framework-error");
 
 var httpClient = lazyRequire(function () { return require("../http-client"); });
-var cacheFwk   = lazyRequire(function () { return require("../cache"); });
-var auditFwk   = lazyRequire(function () { return require("../audit"); });
+var cache      = lazyRequire(function () { return require("../cache"); });
+var audit      = lazyRequire(function () { return require("../audit"); });
 
 var DEFAULT_URL          = "https://mds3.fidoalliance.org/";
 var DEFAULT_TIMEOUT_MS   = C.TIME.seconds(30);
@@ -289,7 +289,7 @@ function _verifyJws(jws, leafCert) {
 var _sharedCache = null;
 function _getCache() {
   if (_sharedCache) return _sharedCache;
-  _sharedCache = cacheFwk().create({
+  _sharedCache = cache().create({
     namespace:  "auth-fido-mds3.blob",
     ttlMs:      MAX_CACHE_TTL_MS,
     maxEntries: 8,                                                                 // allow:raw-byte-literal — operator-pinned URL set
@@ -440,7 +440,7 @@ async function fetch(opts) {   // allow:raw-outbound-http — function name is f
         },
       });
     } catch (e) {
-      try { auditFwk().safeEmit({
+      try { audit().safeEmit({
         action:   "auth.fido_mds3.fetch.network",
         outcome:  "failure",
         metadata: { url: url, reason: (e && e.message) || String(e) },
@@ -482,7 +482,7 @@ async function fetch(opts) {   // allow:raw-outbound-http — function name is f
     // wrap-call's safe-minimum seed).
     try { await c.set(cacheKey, record, _ttlFromNextUpdate(nextUpdate)); }
     catch (_e) { /* cache.set best-effort */ }
-    try { auditFwk().safeEmit({
+    try { audit().safeEmit({
       action:   "auth.fido_mds3.fetch",
       outcome:  "success",
       metadata: { url: url, no: payload.no, entries: payload.entries.length,
@@ -633,7 +633,7 @@ function verifyAuthenticator(blob, registrationInfo, vopts) {
   }
   var certifiedLevel = _certifiedLevel(statusReports);
   if (refusedStatus) {
-    try { auditFwk().safeEmit({
+    try { audit().safeEmit({
       action:   "auth.fido_mds3.verify.refused",
       outcome:  "denied",
       metadata: { aaguid: registrationInfo.aaguid, status: refusedStatus },

package/lib/auth/jwt-external.js

@@ -49,7 +49,7 @@
  * can route alerts on a single class.
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
 var lazyRequire = require("../lazy-require");
@@ -59,7 +59,7 @@ var { AuthError } = require("../framework-error");
 
 var httpClient = lazyRequire(function () { return require("../http-client"); });
 var cache      = lazyRequire(function () { return require("../cache"); });
-var auditFwk   = lazyRequire(function () { return require("../audit"); });
+var audit      = lazyRequire(function () { return require("../audit"); });
 
 // ---- constants ----
 
@@ -271,7 +271,7 @@ async function verifyExternal(token, opts) {
   // outright. Operators with JWE need a separate handler wired to
   // their KMS — never a defaulted JWE path on the JWS verifier.
   if (parts.length === 5) {
-    try { auditFwk().safeEmit({
+    try { audit().safeEmit({
       action:   "jwt.jwe.refused",
       outcome:  "denied",
       metadata: { reason: "jwe-on-jws-verifier" },

package/lib/auth/jwt.js

@@ -70,7 +70,7 @@
  * codes per failure class so callers can branch (display "expired"
  * vs "not yet valid" UX, audit "bad-signature" attempts separately).
  */
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var C = require("../constants");
 var safeJson = require("../safe-json");
 var validateOpts = require("../validate-opts");

package/lib/auth/oauth.js

@@ -112,7 +112,7 @@ var { generateBytes, timingSafeEqual: cryptoTimingSafeEqual } = require("../cryp
 var httpClient = require("../http-client");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
-var { URL } = require("url");
+var { URL } = require("node:url");
 var { defineClass } = require("../framework-error");
 
 // Cap on responses parsed from upstream OAuth providers. Token /

package/lib/auth/status-list.js

@@ -44,7 +44,7 @@
  * to a few KB on the wire when most bits are zero.
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var zlib = require("node:zlib");
 var safeJson = require("../safe-json");
 var validateOpts = require("../validate-opts");

package/lib/backup/bundle.js

@@ -46,8 +46,8 @@
  * compressor (gzip, zstd) downstream of the framework primitive.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
 var bCrypto = require("./crypto");
 var backupManifest = require("./manifest");

package/lib/backup/index.js

@@ -48,9 +48,9 @@
  *   PQC-encrypted backup bundles — sealed columns + audit chain + keyring.
  */
 
-var nodeFs = require("fs");
-var os = require("os");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var os = require("node:os");
+var nodePath = require("node:path");
 var bCrypto = require("../crypto");
 var atomicFile = require("../atomic-file");
 var backupBundle = require("./bundle");
@@ -285,10 +285,10 @@ async function _resolveVaultKeyJson(vaultKeyJsonOpt) {
  *   var path   = require("node:path");
  *   var os     = require("node:os");
  *
- *   var dataDir = nodeFs.mkdtempSync(nodePath.join(os.tmpdir(), "backup-data-"));
- *   var root    = nodeFs.mkdtempSync(nodePath.join(os.tmpdir(), "backup-root-"));
- *   nodeFs.writeFileSync(nodePath.join(dataDir, "db.enc"),     Buffer.from([1, 2, 3]));
- *   nodeFs.writeFileSync(nodePath.join(dataDir, "db.key.enc"), Buffer.from([4, 5, 6]));
+ *   var dataDir = fs.mkdtempSync(path.join(os.tmpdir(), "backup-data-"));
+ *   var root    = fs.mkdtempSync(path.join(os.tmpdir(), "backup-root-"));
+ *   fs.writeFileSync(path.join(dataDir, "db.enc"),     Buffer.from([1, 2, 3]));
+ *   fs.writeFileSync(path.join(dataDir, "db.key.enc"), Buffer.from([4, 5, 6]));
  *
  *   var engine = b.backup.create({
  *     dataDir:      dataDir,

package/lib/bundler.js

@@ -26,7 +26,7 @@
  *   override via `opts.hashLen` between 4 and 64). Source maps written
  *   by an engine land as `<hashed>.<ext>.map` siblings.
  *
- *   Watch mode: `bundler.watch(callback)` arms `nodeFs.watch` on each
+ *   Watch mode: `bundler.watch(callback)` arms `fs.watch` on each
  *   entry's directory, debounces bursts via `opts.graceMs` (default
  *   100 ms), and rebuilds the entire entry set on change.
  *
@@ -43,8 +43,8 @@
  *   Client-side asset bundler — produces content-hashed `dist/<name>.<hash>.<ext>` files plus a `manifest.json` mapping logical name to hashed filename.
  */
 
-var nodePath = require("path");
-var nodeFs = require("fs");
+var nodePath = require("node:path");
+var nodeFs = require("node:fs");
 var bCrypto = require("./crypto");
 var atomicFile = require("./atomic-file");
 var logModule = require("./log");
@@ -200,7 +200,7 @@ function _validateEngine(eng) {
  * Build a content-hashed asset pipeline for a fixed set of named
  * entries. The returned object exposes `build()` (one-shot rebuild,
  * resolves to `{ outputs, manifestPath, manifest, durationMs }`),
- * `watch(callback)` (arm `nodeFs.watch` and debounce-rebuild on change),
+ * `watch(callback)` (arm `fs.watch` and debounce-rebuild on change),
  * and `close()` (drop watchers and pending timers).
  *
  * Throws `BundlerError` at config time on missing / malformed entries,

package/lib/cli.js

@@ -36,7 +36,7 @@
 
 var nodeFs = require("node:fs");
 var os = require("node:os");
-var nodePath = require("path");
+var nodePath = require("node:path");
 var apiSnapshot = require("./api-snapshot");
 var argParser = require("./arg-parser");
 var auditChain = require("./audit-chain");

package/lib/cloud-events.js

@@ -34,7 +34,7 @@
  *   Produce and consume webhook / pubsub / queue payloads in the framework-neutral CNCF CloudEvents v1.0 schema (cloudevents.io/spec/v1.0).
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
 

package/lib/compliance-sanctions.js

@@ -483,7 +483,7 @@ function create(opts) {
   // ignorable for the audit-trail use case (operators store the
   // ruleVersion + entry count alongside).
   function snapshot() {
-    var nodeCrypto = require("crypto");
+    var nodeCrypto = require("node:crypto");
     var ids = index.map(function (e) { return e.id; }).sort();
     var hash = nodeCrypto.createHash("sha3-512");
     for (var i = 0; i < ids.length; i++) hash.update(ids[i]);

package/lib/compliance.js

@@ -46,11 +46,10 @@ var sanctions = require("./compliance-sanctions");
 var aiAct     = require("./compliance-ai-act");
 var { ComplianceError } = require("./framework-error");
 
-var audit = lazyRequire(function () { return require("./audit"); });
+var audit         = lazyRequire(function () { return require("./audit"); });
 var retentionMod  = lazyRequire(function () { return require("./retention"); });
-var auditFwk      = lazyRequire(function () { return require("./audit"); });
-var dbMod         = lazyRequire(function () { return require("./db"); });
-var cryptoFieldMod = lazyRequire(function () { return require("./crypto-field"); });
+var db            = lazyRequire(function () { return require("./db"); });
+var cryptoField   = lazyRequire(function () { return require("./crypto-field"); });
 
 // Recognised posture names. Aligns with the compliance-posture
 // vocabulary every guard / retention floor / etc. accepts. Operators
@@ -371,9 +370,9 @@ function set(posture) {
 function _applyPostureCascade(posture) {
   var steps = [
     { primitive: "retention",   resolver: function () { return retentionMod(); } },
-    { primitive: "audit",       resolver: function () { return auditFwk();    } },
-    { primitive: "db",          resolver: function () { return dbMod();        } },
-    { primitive: "cryptoField", resolver: function () { return cryptoFieldMod(); } },
+    { primitive: "audit",       resolver: function () { return audit();       } },
+    { primitive: "db",          resolver: function () { return db();        } },
+    { primitive: "cryptoField", resolver: function () { return cryptoField(); } },
   ];
   for (var i = 0; i < steps.length; i += 1) {
     var step = steps[i];

package/lib/config.js

@@ -29,7 +29,7 @@ var lazyRequire = require("./lazy-require");
 var safeAsync = require("./safe-async");
 var { defineClass } = require("./framework-error");
 
-var lazyAudit = lazyRequire(function () { return require("./audit"); });
+var audit = lazyRequire(function () { return require("./audit"); });
 
 var REDACT_MASK = "[REDACTED]";
 
@@ -349,7 +349,7 @@ function loadDbBacked(opts) {
     try { rows = await opts.fetchRows(); }
     catch (e) {
       try {
-        lazyAudit().safeEmit({
+        audit().safeEmit({
           action: "config.reload.failed", outcome: "failure",
           metadata: { phase: "fetch", reason: e && e.message },
         });
@@ -367,7 +367,7 @@ function loadDbBacked(opts) {
           value = await transformValue(row);
         } catch (e) {
           try {
-            lazyAudit().safeEmit({
+            audit().safeEmit({
               action: "config.reload.failed", outcome: "failure",
               metadata: { phase: "transform", key: row.key, reason: e && e.message },
             });
@@ -376,7 +376,7 @@ function loadDbBacked(opts) {
         }
         if (typeof value !== "string") {
           try {
-            lazyAudit().safeEmit({
+            audit().safeEmit({
               action: "config.reload.failed", outcome: "failure",
               metadata: { phase: "transform", key: row.key, reason: "transformValue did not return a string" },
             });
@@ -390,7 +390,7 @@ function loadDbBacked(opts) {
     // applied its newer fetch — my overlay would clobber fresher data.
     if (mySeq <= ticksAppliedMax) {
       try {
-        lazyAudit().safeEmit({
+        audit().safeEmit({
           action: "config.reload.skipped", outcome: "success",
           metadata: { phase: "stale-tick", mySeq: mySeq, appliedMax: ticksAppliedMax },
         });
@@ -408,7 +408,7 @@ function loadDbBacked(opts) {
     }
     catch (e) {
       try {
-        lazyAudit().safeEmit({
+        audit().safeEmit({
           action: "config.reload.failed", outcome: "failure",
           metadata: { phase: "validate", reason: e && e.message },
         });

package/lib/credential-hash.js

@@ -79,7 +79,7 @@ function _shake256(secret, length) {
 
 // auth/password is required lazily because it imports the (large)
 // argon2 vendor; loading it for SHA3-only callers is wasted work.
-var passwordPrimitive = lazyRequire(function () { return require("./auth/password"); });
+var passwordModule = lazyRequire(function () { return require("./auth/password"); });
 
 class CredentialHashError extends FrameworkError {
   constructor(message, code) {
@@ -219,7 +219,7 @@ async function hash(secret, opts) {
   }
   if (algoId === C.CRED_HASH_IDS.ARGON2ID) {
     var plain = Buffer.isBuffer(secret) ? secret.toString("utf8") : secret;
-    var phc = await passwordPrimitive().hash(plain, opts && opts.params);
+    var phc = await passwordModule().hash(plain, opts && opts.params);
     var argonEnv = _envelope(algoId, Buffer.from(phc, "utf8"));
     _emitEvent("credentialHash.hash", 1, { algo: algoName });
     return argonEnv;
@@ -300,7 +300,7 @@ async function verify(secret, envelope) {
     var phc = decoded.payload.toString("utf8");
     var plain = Buffer.isBuffer(secret) ? secret.toString("utf8") : secret;
     var argOk = false;
-    try { argOk = await passwordPrimitive().verify(phc, plain); }
+    try { argOk = await passwordModule().verify(phc, plain); }
     catch (_e) { argOk = false; }
     _emitEvent("credentialHash.verify", 1,
       { outcome: argOk ? "success" : "failure", algo: algoName });
@@ -377,7 +377,7 @@ function needsRehash(envelope, opts) {
     // Defer the parameter-lag check to the password primitive's
     // own needsRehash so the threshold stays in one place.
     var phc = decoded.payload.toString("utf8");
-    try { return passwordPrimitive().needsRehash(phc, opts && opts.params); }
+    try { return passwordModule().needsRehash(phc, opts && opts.params); }
     catch (_e) { return true; }
   }
   return false;

package/lib/crypto-field.js

@@ -47,9 +47,9 @@ var vault = require("./vault");
 var { sha3Hash, kdf } = require("./crypto");
 var { HASH_PREFIX, VAULT_PREFIX, TIME } = require("./constants");
 
-var complianceMod = lazyRequire(function () { return require("./compliance"); });
-var dbMod         = lazyRequire(function () { return require("./db"); });
-var auditMod      = lazyRequire(function () { return require("./audit"); });
+var compliance    = lazyRequire(function () { return require("./compliance"); });
+var db            = lazyRequire(function () { return require("./db"); });
+var audit         = lazyRequire(function () { return require("./audit"); });
 
 // F-POSTURE-1 cascade hook + F-RTBF-2 integration. Recording the
 // posture lets eraseRow call b.db.vacuumAfterErase({ mode: "full" })
@@ -88,7 +88,7 @@ function applyPosture(posture) {
   _activePosture = posture;
   var requireVacuum = false;
   try {
-    requireVacuum = complianceMod().postureDefault(posture, "requireVacuumAfterErase") === true;
+    requireVacuum = compliance().postureDefault(posture, "requireVacuumAfterErase") === true;
   } catch (_e) { /* compliance not loaded — record posture only */ }
   return { posture: posture, requireVacuumAfterErase: requireVacuum };
 }
@@ -495,14 +495,14 @@ function eraseRow(table, row) {
   if (_activePosture) {
     var requireVacuum = false;
     try {
-      requireVacuum = complianceMod().postureDefault(
+      requireVacuum = compliance().postureDefault(
         _activePosture, "requireVacuumAfterErase") === true;
     } catch (_e) { /* compliance lookup best-effort */ }
     if (requireVacuum) {
       try {
-        var db = dbMod();
-        if (db && typeof db.vacuumAfterErase === "function") {
-          db.vacuumAfterErase({ mode: "full" });
+        var dbInst = db();
+        if (dbInst && typeof dbInst.vacuumAfterErase === "function") {
+          dbInst.vacuumAfterErase({ mode: "full" });
         }
       } catch (_vacErr) {
         // VACUUM is best-effort at the eraseRow seam — DB might not be
@@ -510,7 +510,7 @@ function eraseRow(table, row) {
         // captures the skip; operators on regulated postures wire the
         // sweep through b.retention which gates erasure on db.init().
         try {
-          auditMod().safeEmit({
+          audit().safeEmit({
             action:  "cryptofield.vacuum.skipped",
             outcome: "failure",
             metadata: {

package/lib/crypto-hpke.js

@@ -51,7 +51,7 @@
  * (recipientPubKey shape, plaintext type, missing private key on open).
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");