@blamejs/core 0.9.16 → 0.9.18

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.18 (2026-05-14) — **18 CodeQL alerts closed across 4 rule classes + SECURITY.md hardening checklist additions for v0.9.13+ primitives + MIGRATING.md out-of-band breaking-changes section.** Post-v0.9.17 audit identified 18 pre-existing CodeQL security findings on `main` — accumulated over many releases, surfaced explicitly when v0.9.15's rename sweep changed line content. v0.9.18 closes them all. (1) **`js/file-system-race` (6 sites)** — TOCTOU between `fs.existsSync()` / `fs.statSync()` and a subsequent file op. Fixed via the framework's canonical TOCTOU-safe-read scaffold (open fd first → `fstatSync` → `readSync` loop → `closeSync` in `finally`) at `lib/atomic-file.js` (`_readSyncCore`), `lib/restore-rollback.js` (marker write switched to exclusive-create `wx` + EEXIST-tolerant), `lib/network-tls.js` (`_readPathFile` extraction with per-file ENOENT tolerance), `lib/backup/bundle.js` (open-fd-first plus required-vs-skip branch routing), `lib/static.js` (request-serve hot path narrowed to single fd). `lib/vault/seal-pem-file.js` retained as-is with a CodeQL suppression — the site has an in-line `lstat.ino === fstat.ino` inode-equality defense (line 290) that refuses with `seal-pem-file/toctou-detected` if an attacker swaps the file between `lstat` and `open`. (2) **`js/insecure-temporary-file` (6 sites)** — predictable temp paths. `lib/vault/rotate.js` now uses `mkdtempSync` for a per-rotation random scratch dir + plain filenames inside (replaces the predictable `_blamejs_rotate.tmp.db` / `_blamejs_verify.tmp.db` paths in `stagingDir`). `lib/mtls-ca.js` switched to exclusive-create `openSync(..., "wx", 0o600)` + `writeSync` + `fsyncSync` so an attacker pre-creating the path is refused at `EEXIST`. `lib/atomic-file.js` (`fsyncDir`), `lib/vault/rotate.js` (`_fsyncFileByPath`), `lib/http-client.js` (atomic tmp path) retained as-is with suppressions — `dirPath` / `p` are operator-supplied framework data paths (not `os.tmpdir`-reachable), and `tmpPath` carries 16 hex chars of crypto-random suffix (line 1802 `dest + ".tmp-" + bCrypto.generateToken(8)`). (3) **`js/path-injection` (2 sites in `lib/static.js`)** — `nodeFs.createReadStream(absPath)` in `_readMeta` (line 161) and the request-serve hot path (line 1115). Suppression comments added referencing the upstream `_resolveSafe` lexical-resolve + `startsWith(rootResolved + nodePath.sep)` + realpath escape check at lines 181-207 — `absPath` is sandbox-validated against `root` before reaching these lines. (4) **`js/remote-property-injection` (4 sites)** — `lib/websocket.js` (`ext.params: {}` → `Object.create(null)`), `lib/middleware/csrf-protect.js` (`var out = {}` → `Object.create(null)` for cookie-parse output). `lib/middleware/body-parser.js` (multipart `fields[currentField] = ...`) retained as-is with suppression — `currentField` is gated upstream at line 867 by `POISONED_KEYS = new Set(["__proto__", "constructor", "prototype"])` refusing the field BEFORE assignment with a 400 BodyParserError. **Plus: SECURITY.md hardening checklist** gains 5 lines covering `b.middleware.idempotencyKey.dbStore` (hash + seal defaults), `b.metrics.snapshot` (out-of-process metrics export), `b.selfUpdate.standaloneVerifier` (zero-dep install-pipeline verifier), `b.pqcAgent.reload` (TLS-posture refresh without restart), `b.crypto.hashFilesParallel` (parallel SBOM/integrity-sweep hashing). **Plus: MIGRATING.md** now carries an "Out-of-band breaking changes" section (the v0.9.15 dbStore schema break is the first entry); `scripts/gen-migrating.js` extended with an `OUT_OF_BAND_BREAKS` table so future schema/on-disk format breaks land in MIGRATING.md without operators needing to grep CHANGELOG.
+- v0.9.17 (2026-05-14) — **Two new `codebase-patterns` detectors + 192-site cleanup sweep — `node:` prefix consistency + internal-binding leak prevention.** Post-v0.9.16 audit surfaced two enforceable invariants the existing detectors didn't cover. (1) **`node-builtin-prefix` detector** — every `require("<X>")` of a Node built-in (`fs`, `path`, `crypto`, `stream`, `tls`, `url`, `os`, `net`, `http`, `http2`, `https`, `zlib`, `dgram`, `events`, `child_process`, `readline`, …) must use the modern `require("node:<X>")` form. Three reasons: (a) userland packages on npm CAN be named after built-ins, so without the `node:` prefix a typo or `npm install` accident could shadow the built-in; (b) the prefix is a clearer at-a-glance signal that the dependency is on Node, not on a userland module; (c) bundler / SEA static-trace passes treat `node:` prefix as an unambiguous Node-builtin marker. Sweep: 153 `require()` rewrites across 79 framework files (2 parallel agents). The detector skips JSDoc `@example` block continuation lines (`*`-prefixed), so operator-facing examples that show `var fs = require("fs")` aren't rewritten — operators write their own bindings however they prefer. (2) **`internal-binding-in-prose` detector** — internal binding names (`nodeFs` / `nodePath` / `nodeCrypto` / `nodeStream` / `nodeTls` / `nodeUrl` / `bCrypto` / `retryHelper`) must NOT appear in operator-facing surface: JSDoc/comment continuation lines or string literals (error messages, audit metadata). Operators see the public API name (`path` / `fs` / `crypto` / `retry` / …), never the framework's internal alias. Sweep: 39 prose-leak fixes across 16 files — comments rewritten to use the operator-facing word (`nodePath` → `path`, `nodeFs.watch failed` → `fs.watch failed`, debug-log `"op": "nodeFs.unlinkSync"` → `"op": "fs.unlinkSync"`). (3) **2 follow-on require-binding canonicalizations** surfaced by the node-prefix sweep — `lib/ws-client.js` now destructures `var { EventEmitter } = require("node:events")` (was binding the entire `events` module to a class-shaped name) and `lib/process-spawn.js` renames inline `nodeChild` → `childProcess` (matches the module-level `childProcess` lazyRequire in `lib/dev.js`).
 - v0.9.16 (2026-05-14) — **Operator-facing prose cleanup + `require-binding-name` detector now covers `lazyRequire` wrappers + dbStore seal round-trip test added.** Post-v0.9.15 audit surfaced three classes of follow-up. (1) **Operator-facing prose leaks (7 sites)** — the v0.9.15 mechanical rename pattern `<OLD>.` → `<NEW>.` also caught occurrences inside JSDoc `@opts` comments and error-message string literals, so operators reading `b.keychain.create(opts)` saw `// absolute nodePath; required if file fallback may engage` instead of `// absolute path`. Fixed: `lib/db.js` (stream-limit error), `lib/keychain.js` (fallback-file error + 3 JSDoc lines), `lib/restore-bundle.js` (staging-dir error), `lib/watcher.js` (fs.watch failure error). Operators see plain English; internal binding names stay internal. (2) **`require-binding-name` detector extended to cover `lazyRequire`** — the v0.9.15 detector only matched plain `var X = require("M")` and missed the framework's `var X = lazyRequire(function () { return require("M"); })` pattern (used to break load cycles). 34 additional inconsistencies surfaced (`auditFwk` / `auditMod` / `auditModule` / `lazyAudit` → `audit`, `crypto` / `fwCrypto` → `bCrypto`, `dbMod` / `dbModule` → `db`, etc.) — every minority site renamed per the same canonical-name map. (3) **dbStore seal round-trip test** — the v0.9.15 test suite covered seal-falls-back-when-vault-not-ready and cross-process-sealed-row-preserved, but did NOT exercise the actual default-ON seal/unseal path because the test environment didn't `b.vault.init(...)`. New `testDbStoreSealRoundTripWithVault` bootstraps a plaintext vault, builds a dbStore with `seal: true`, writes a record + reads it back, and asserts (a) `headers` + `body` columns carry the `vault:` envelope on disk, (b) the round-trip restores the original values, and (c) `status_code` stays plaintext so forensic SELECTs still work without unsealing.
 - v0.9.15 (2026-05-13) — **`b.middleware.idempotencyKey.dbStore` hardening + framework-wide `require()` binding-name consistency.** Two operator-surfaced gaps closed: (1) **dbStore now hashes keys + seals body/headers by default.** Operator-supplied idempotency keys sometimes carry PII (order numbers, emails, vendor prefixes); the `k` column previously stored them raw, leaving every DB dump as a PII surface. v0.9.15 sha3-512 namespace-hashes the key via `b.crypto.namespaceHash("idempotency-key", key)` before insert/lookup — round-trips are transparent (operators still pass raw keys), but the DB never sees the original. The schema also splits the previous single-`v` JSON-envelope column into discrete `fingerprint` / `status_code` / `headers` / `body` / `expires_at` columns; `headers` + `body` are sealed via `b.cryptoField.sealRow` (vault-managed AEAD envelope) when vault is initialized, so a DB dump leaks neither cached response bodies nor headers. Non-sealed columns (`status_code`, `fingerprint`, `expires_at`) stay forensic-queryable. Both defaults are operator-opt-out via `opts.hashKeys: false` and `opts.seal: false`; the seal path silently falls back to plaintext + emits an `idempotency.seal_skipped_no_vault` audit warning on first use when vault isn't ready, so test fixtures and boot scripts still work. **Schema migration**: v0.9.15's split columns are incompatible with v0.9.14's single-`v` column — operators with a v0.9.14 idempotency table `DROP TABLE <tableName>;` (or pick a fresh `tableName`) before upgrading. Pre-v1 framework breaks across patch versions for security correctness. (2) **New `require-binding-name` codebase-patterns detector enforces consistent `var X = require("M")` names framework-wide.** Inconsistent names (`fs` vs `nodeFs`, `crypto` vs `nodeCrypto`, `path` vs `nodePath`, `nb` vs `numericBounds`) made `grep` across the lib unreliable and let reviewers miss shadowing bugs (`var crypto = require("crypto")` collides with the framework's own `b.crypto`). The detector carries a `CANONICAL_REQUIRE_BINDINGS` map with safety-first defaults: Node built-ins get a `node<X>` prefix (`nodeFs` / `nodePath` / `nodeCrypto` / `nodeStream` / `nodeTls` / `nodeUrl`) so a local var named `fs` / `path` / `crypto` can never shadow them; the framework's own `lib/crypto.js` binds as `bCrypto` (matches the `b.crypto` public-namespace shape and doesn't shadow node:crypto). Modules without a declared canonical fall back to majority-wins (most-sites name wins, alphabetical tiebreak). Fix is rename, not allowlist — every minority site was updated. **Sweep**: 184 require-binding renames across 108 framework files in this release; primitives + tests unchanged in surface. (3) **`b.graphqlFederation` internal `_timingSafeEqual` now routes through `b.crypto.timingSafeEqual`** (was re-implementing the length-tolerant wrapper inline; the new require-binding-name detector surfaced this; same-patch fix per the audit-existing-code rule).
 - v0.9.14 (2026-05-13) — **Audit-existing-code sweep: `safeSql.quoteIdentifier` adopted across every framework primitive that interpolates SQL identifiers; new `raw-sql-identifier-interpolation` detector seals the bug class.** Codex P1 on PR #44 flagged that `dbStore.get`'s expired-row cleanup was an unconditional `DELETE WHERE k = ?` between SELECT and DELETE — in a multi-process deployment another process could upsert the same key in the race window, and the unconditional delete would erase the fresh row. Fix: scope the delete by the observed `expires_at`. While reviewing, a wider gap surfaced — every `db.prepare("CREATE TABLE " + tableName + ...)` site in the framework had been concatenating identifiers raw, sometimes with inline shape-regex validation that varied per module. The framework already shipped `b.safeSql.quoteIdentifier(name, dialect?)` for exactly this; per the audit-existing-code rule the same patch (a) routes every site through the helper (`lib/audit.js` segregation-of-duties trigger DDL, `lib/dsr.js` ticket store, `lib/inbox.js` message-receive table, `lib/middleware/idempotency-key.js` dbStore, `lib/vault/rotate.js` column-rotation DDL) and (b) adds a `raw-sql-identifier-interpolation` codebase-patterns detector so the bug class can't return. The detector skips variables whose names signal already-quoted identifiers (`q<X>` / `Q_<X>` / `quoted<X>` prefix), so future primitives that use the helper read naturally. **Plus: bounded JSON parse for two file-/DB-backed primitives.** `b.metrics.snapshot.read` and `b.middleware.idempotencyKey.dbStore.get` previously used bare `JSON.parse` with `allow:bare-json-parse` markers; both are read by processes separate from where they were written (CLI/sidecar reads daemon-written snapshot; multi-process fleet shares DB) where a hostile or misbehaving writer could plant a multi-GB value and OOM the reader. Both now route through `b.safeJson.parse(raw, { maxBytes: 4 MiB })`. **Three new primitives — `b.crypto.hashFilesParallel`, `b.pqcAgent.reload`, `b.middleware.idempotencyKey.dbStore` — plus republish of v0.9.13's surface**. v0.9.13's npm-publish workflow failed at the wiki-e2e gate (the Codex P1 fix removed the `opts` parameter from `b.selfUpdate.standaloneVerifier.verify` but the `@signature` JSDoc still declared four arguments — three vs. four arity drift). The v0.9.13 git tag + GH release reached operators but the npm tarball did not; the registry stayed at v0.9.12. v0.9.14 carries v0.9.13's entire shipped surface (circuitBreaker.create({...}) opts-object fix + `b.selfUpdate.standaloneVerifier` + `b.metrics.snapshot` + `b.retry.withBreaker`) plus three additional Tier 2 primitives surfaced by the same downstream consumer that flagged the v0.9.13 batch. (1) **`b.crypto.hashFilesParallel(filePaths, opts?)`** — parallel multi-digest hashing for many files in a single read pass per file. Worker-pool concurrency cap (default `min(8, paths.length)`, 1..256), operator-tunable `algorithms` list (default `["sha256", "sha3-512"]`), optional `onProgress(completed, total)` callback (throws swallowed). Returns rows in the same order as input. The common consumer-side reason to reach for this is SBOM regeneration / vendor-data integrity sweeps / release-asset bundling — situations where N files each need both SHA-256 (legacy compat) and SHA-3-512 (PQC-first) digests and rolling a worker pool by hand has cost a downstream consumer the same two-loop, capture-N-promises, settle-Q boilerplate every release. (2) **`b.pqcAgent.reload()`** — tear down the lazily-built default agent and reset to null so the next `b.pqcAgent.agent` access rebuilds against current TLS posture + `b.network.tls.applyToContext` output. Long-running daemons that rotate the framework's TLS posture (TLS-pinset reload, certificate-pinset refresh, `C.TLS_GROUP_PREFERENCE` update behind a feature flag) need a way to re-source the outbound `https.Agent` without forking a new process. `reload()` calls `.destroy()` on the existing default agent (Node closes idle keep-alive sockets, lets in-flight sockets complete) then nulls the cache. Agents handed out via explicit `b.pqcAgent.create()` are unaffected. Returns `{ destroyed: boolean }`. (3) **`b.middleware.idempotencyKey.dbStore({ db, tableName?, init? })`** — persistent-backed store for the `idempotencyKey` middleware. Same three-method interface as `memoryStore` (`get` / `set` / `delete`) but stores records in any sqlite-shaped database (`{ prepare(sql) → { run, get, all } }`) — the framework's internal `b.db`, an operator-supplied better-sqlite3 instance, or a custom adapter. Use this instead of `memoryStore` when (a) multiple processes share the request-handling fleet so retries can land on a different process than the original, (b) the daemon may restart between the original request and the retry (graceful rolling deploy, OOM kill), or (c) audit / compliance review needs to walk historic idempotency-cache decisions queryable via `SELECT * FROM <tableName>`. TTL is lazily enforced at read time; `set()` upserts on conflict so concurrent retries on different processes don't error. The `tableName` is validated via `b.safeSql.validateIdentifier` (ASCII identifier shape, 63-char cap, no reserved words). (4) **Internal fix**: `b.apiSnapshot.read` now passes `maxBytes: 64 MiB` to `safeJson.parse` — the framework-generated snapshot file outgrew safeJson's 1 MiB default after v0.9.13. Operators consuming `@blamejs/core` via npm jump from v0.9.12 directly to v0.9.14; v0.9.13's content is included.

package/MIGRATING.md

@@ -1,7 +1,29 @@
 # Migrating
 
-Operator-facing migration recipes per breaking change. Each entry below is a `deprecate()`-marked surface in the framework — the running app will warn about it (with `BLAMEJS_DEPRECATIONS=warn` set, or by default outside production) before the noted removal version. Re-run `node scripts/gen-migrating.js` before each release; the file is committed so operators can diff it against the prior tag.
+Operator-facing migration recipes per breaking change. The bulk of this file is auto-generated from `deprecate()`-marked surface in the framework — the running app warns about each (with `BLAMEJS_DEPRECATIONS=warn` set, or by default outside production) before the noted removal version. Re-run `node scripts/gen-migrating.js` before each release; the file is committed so operators can diff it against the prior tag.
+
+**Out-of-band breaking changes** (schema breaks, config-shape changes, on-disk format breaks) cannot be expressed as `deprecate()` calls because there's no in-process runtime to warn from. They're hardcoded in the OUT_OF_BAND_BREAKS table inside `scripts/gen-migrating.js` so the operator sees the full upgrade path here without needing to grep CHANGELOG.
 
 ## No active deprecations
 
 The framework has no `deprecate()`-marked surface awaiting removal.
+
+---
+
+## Out-of-band breaking changes
+
+Listed newest-first.
+
+### v0.9.15 — `b.middleware.idempotencyKey.dbStore — table schema`
+
+Single `v` JSON-envelope column split into discrete `fingerprint` / `status_code` / `headers` / `body` / `expires_at` columns; `headers` + `body` are sealed via `b.cryptoField.sealRow` when vault is initialized; `k` column carries the sha3-512 namespace-hash of the operator-supplied key.
+
+Operators with a v0.9.14 (or earlier) idempotency table on disk:
+
+```sql
+DROP TABLE <tableName>;   -- default: blamejs_idempotency_keys
+```
+
+Or pick a fresh `tableName` in v0.9.15+ `dbStore({ tableName: "..." })`. The init step (`init: true`, default) creates the new split-column schema. `CREATE TABLE IF NOT EXISTS` does NOT migrate column layout on an existing table, so the drop-and-recreate is required.
+
+Cached records in the existing table are not recoverable across the schema break — operators who care about replay continuity warm the new table by retrying the in-flight requests under the new dbStore.

package/lib/acme.js

@@ -302,8 +302,8 @@ function _findAkiKeyIdentifier(rawDer) {
  *   maxBytes:         number,                                       // default 2 MiB — response body cap
  *
  * @example
- *   var nodeCrypto = require("crypto");
- *   var pair = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+ *   var crypto = require("crypto");
+ *   var pair = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  *   var acme = b.acme.create({
  *     directory:  "https://acme-staging-v02.api.letsencrypt.org/directory",
  *     accountKey: {

package/lib/api-snapshot.js

@@ -50,7 +50,7 @@
  *   Public-API surface walker plus breaking-change detector — the framework's LTS-contract enforcement at the type level.
  */
 
-var nodeFs = require("fs");
+var nodeFs = require("node:fs");
 var numericBounds = require("./numeric-bounds");
 var safeJson = require("./safe-json");
 var { FrameworkError } = require("./framework-error");

package/lib/app-shutdown.js

@@ -449,8 +449,8 @@ function standardPhases(components) {
 // fs.openSync) which gives the same single-instance guarantee but
 // without the cross-process advisory lock — the lock file presence
 // IS the lock.
-var nodeFs   = require("fs");
-var nodePath = require("path");
+var nodeFs   = require("node:fs");
+var nodePath = require("node:path");
 
 /**
  * @primitive b.appShutdown.pidLock

package/lib/app.js

@@ -89,8 +89,8 @@
  * level tables still get the framework tables (sessions, queue jobs,
  * audit_log, consent_log).
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var appShutdown = require("./app-shutdown");
 var C = require("./constants");
 var cluster = require("./cluster");

package/lib/argon2-builtin.js

@@ -20,7 +20,7 @@
  * `needsRehash` shape this wrapper exposes.
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var bCrypto = require("./crypto");
 var C = require("./constants");
 

package/lib/atomic-file.js

@@ -11,8 +11,8 @@
  *   Every write goes through the same crash-safe sequence:
  *     1. write payload to a sibling temp file (`<filepath>.tmp-<token>`)
  *     2. fsync the file descriptor before close
- *     3. nodeFs.rename() the temp file over the destination — POSIX rename
- *        is atomic on the same filesystem; on Windows, nodeFs.rename uses
+ *     3. fs.rename() the temp file over the destination — POSIX rename
+ *        is atomic on the same filesystem; on Windows, fs.rename uses
  *        MoveFileEx with REPLACE_EXISTING for the same guarantee
  *     4. fsync the parent directory so the rename itself is durable
  *
@@ -38,8 +38,8 @@
  * @card
  *   Atomic file I/O with integrity verification, retry on transient errors, and cross-process locking.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var { generateToken, sha3Hash } = require("./crypto");
 var safeJson = require("./safe-json");
 var C = require("./constants");
@@ -114,7 +114,7 @@ async function _withRetry(fn, opts) {
  * @status    stable
  * @related   b.atomicFile.fsyncDir, b.atomicFile.write
  *
- * Best-effort nodeFs.fsyncSync wrapper. Silently swallows errors because
+ * Best-effort fs.fsyncSync wrapper. Silently swallows errors because
  * not every platform / fd type supports fsync (some FUSE mounts, some
  * device fds). Use this when you want the durability hint but don't
  * want a non-fsyncable target to crash the caller.
@@ -124,7 +124,7 @@ async function _withRetry(fn, opts) {
  *   var fd = fs.openSync("/tmp/note.txt", "w");
  *   fs.writeSync(fd, "hello\n");
  *   b.atomicFile.fsync(fd);
- *   nodeFs.closeSync(fd);
+ *   fs.closeSync(fd);
  */
 function fsync(fd) {
   try { nodeFs.fsyncSync(fd); } catch (_e) { /* not all platforms support fsync on every fd type */ }
@@ -354,7 +354,7 @@ function writeSync(filepath, data, opts) {
  * predict — only glob-by-prefix and prune by age. Operators should
  * call this at boot for every "important" filepath (vault.key.sealed,
  * audit-sign.key.sealed, db.enc, ...) BEFORE the first atomic write
- * to that nodePath. Returns the number of orphans removed.
+ * to that path. Returns the number of orphans removed.
  *
  * @opts
  *   olderThanMs: 300000,   // only prune temp files older than this many ms (default 5 minutes)
@@ -706,7 +706,7 @@ async function copy(src, dst, opts) {
  * @status    stable
  * @related   b.atomicFile.read, b.atomicFile.readSync
  *
- * Synchronous existence check. Thin wrapper over `nodeFs.existsSync` that
+ * Synchronous existence check. Thin wrapper over `fs.existsSync` that
  * normalises the answer for callers that already require this module
  * — saves an additional `require("fs")` in modules that otherwise
  * only need atomicFile.

package/lib/audit-sign.js

@@ -58,9 +58,9 @@
  * @card
  *   SLH-DSA-SHAKE-256f post-quantum signature for audit-chain checkpoints.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
-var nodeCrypto = require("crypto");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
+var nodeCrypto = require("node:crypto");
 var atomicFile = require("./atomic-file");
 var { sha3Hash } = require("./crypto");
 var { defineClass } = require("./framework-error");

package/lib/audit-tools.js

@@ -54,8 +54,8 @@
  *   Operator-side audit-chain inspection / export — verify chain integrity end-to-end, export RFC 8785 canonical-JSON slices, format rows for downstream SIEM (CADF / ISO 19395), and generate tamper-evident compliance-evidence bundles auditors can verify off-line.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var pkg = require("../package.json");
 var atomicFile = require("./atomic-file");
 var auditChain = require("./audit-chain");

package/lib/auth/dpop.js

@@ -26,7 +26,7 @@
  * Middleware: see `lib/middleware/dpop.js` (`b.middleware.dpop`).
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var bCrypto = require("../crypto");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");

package/lib/auth/elevation-grant.js

@@ -28,7 +28,7 @@
  * time entry-point); verify() returns structured errors (hot path).
  */
 
-var nodeCrypto    = require("crypto");
+var nodeCrypto    = require("node:crypto");
 var validateOpts  = require("../validate-opts");
 var lazyRequire   = require("../lazy-require");
 var safeJson      = require("../safe-json");

package/lib/auth/jwt-external.js

@@ -49,7 +49,7 @@
  * can route alerts on a single class.
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
 var lazyRequire = require("../lazy-require");

package/lib/auth/jwt.js

@@ -70,7 +70,7 @@
  * codes per failure class so callers can branch (display "expired"
  * vs "not yet valid" UX, audit "bad-signature" attempts separately).
  */
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var C = require("../constants");
 var safeJson = require("../safe-json");
 var validateOpts = require("../validate-opts");

package/lib/auth/oauth.js

@@ -112,7 +112,7 @@ var { generateBytes, timingSafeEqual: cryptoTimingSafeEqual } = require("../cryp
 var httpClient = require("../http-client");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
-var { URL } = require("url");
+var { URL } = require("node:url");
 var { defineClass } = require("../framework-error");
 
 // Cap on responses parsed from upstream OAuth providers. Token /

package/lib/auth/status-list.js

@@ -44,7 +44,7 @@
  * to a few KB on the wire when most bits are zero.
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var zlib = require("node:zlib");
 var safeJson = require("../safe-json");
 var validateOpts = require("../validate-opts");

package/lib/backup/bundle.js

@@ -46,8 +46,8 @@
  * compressor (gzip, zstd) downstream of the framework primitive.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
 var bCrypto = require("./crypto");
 var backupManifest = require("./manifest");

package/lib/backup/index.js

@@ -48,9 +48,9 @@
  *   PQC-encrypted backup bundles — sealed columns + audit chain + keyring.
  */
 
-var nodeFs = require("fs");
-var os = require("os");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var os = require("node:os");
+var nodePath = require("node:path");
 var bCrypto = require("../crypto");
 var atomicFile = require("../atomic-file");
 var backupBundle = require("./bundle");
@@ -285,10 +285,10 @@ async function _resolveVaultKeyJson(vaultKeyJsonOpt) {
  *   var path   = require("node:path");
  *   var os     = require("node:os");
  *
- *   var dataDir = nodeFs.mkdtempSync(nodePath.join(os.tmpdir(), "backup-data-"));
- *   var root    = nodeFs.mkdtempSync(nodePath.join(os.tmpdir(), "backup-root-"));
- *   nodeFs.writeFileSync(nodePath.join(dataDir, "db.enc"),     Buffer.from([1, 2, 3]));
- *   nodeFs.writeFileSync(nodePath.join(dataDir, "db.key.enc"), Buffer.from([4, 5, 6]));
+ *   var dataDir = fs.mkdtempSync(path.join(os.tmpdir(), "backup-data-"));
+ *   var root    = fs.mkdtempSync(path.join(os.tmpdir(), "backup-root-"));
+ *   fs.writeFileSync(path.join(dataDir, "db.enc"),     Buffer.from([1, 2, 3]));
+ *   fs.writeFileSync(path.join(dataDir, "db.key.enc"), Buffer.from([4, 5, 6]));
  *
  *   var engine = b.backup.create({
  *     dataDir:      dataDir,

package/lib/bundler.js

@@ -26,7 +26,7 @@
  *   override via `opts.hashLen` between 4 and 64). Source maps written
  *   by an engine land as `<hashed>.<ext>.map` siblings.
  *
- *   Watch mode: `bundler.watch(callback)` arms `nodeFs.watch` on each
+ *   Watch mode: `bundler.watch(callback)` arms `fs.watch` on each
  *   entry's directory, debounces bursts via `opts.graceMs` (default
  *   100 ms), and rebuilds the entire entry set on change.
  *
@@ -43,8 +43,8 @@
  *   Client-side asset bundler — produces content-hashed `dist/<name>.<hash>.<ext>` files plus a `manifest.json` mapping logical name to hashed filename.
  */
 
-var nodePath = require("path");
-var nodeFs = require("fs");
+var nodePath = require("node:path");
+var nodeFs = require("node:fs");
 var bCrypto = require("./crypto");
 var atomicFile = require("./atomic-file");
 var logModule = require("./log");
@@ -200,7 +200,7 @@ function _validateEngine(eng) {
  * Build a content-hashed asset pipeline for a fixed set of named
  * entries. The returned object exposes `build()` (one-shot rebuild,
  * resolves to `{ outputs, manifestPath, manifest, durationMs }`),
- * `watch(callback)` (arm `nodeFs.watch` and debounce-rebuild on change),
+ * `watch(callback)` (arm `fs.watch` and debounce-rebuild on change),
  * and `close()` (drop watchers and pending timers).
  *
  * Throws `BundlerError` at config time on missing / malformed entries,

package/lib/cli.js

@@ -36,7 +36,7 @@
 
 var nodeFs = require("node:fs");
 var os = require("node:os");
-var nodePath = require("path");
+var nodePath = require("node:path");
 var apiSnapshot = require("./api-snapshot");
 var argParser = require("./arg-parser");
 var auditChain = require("./audit-chain");

package/lib/cloud-events.js

@@ -34,7 +34,7 @@
  *   Produce and consume webhook / pubsub / queue payloads in the framework-neutral CNCF CloudEvents v1.0 schema (cloudevents.io/spec/v1.0).
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
 

package/lib/compliance-sanctions.js

@@ -483,7 +483,7 @@ function create(opts) {
   // ignorable for the audit-trail use case (operators store the
   // ruleVersion + entry count alongside).
   function snapshot() {
-    var nodeCrypto = require("crypto");
+    var nodeCrypto = require("node:crypto");
     var ids = index.map(function (e) { return e.id; }).sort();
     var hash = nodeCrypto.createHash("sha3-512");
     for (var i = 0; i < ids.length; i++) hash.update(ids[i]);

package/lib/crypto-hpke.js

@@ -51,7 +51,7 @@
  * (recipientPubKey shape, plaintext type, missing private key on open).
  */
 
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");

package/lib/crypto.js

@@ -44,9 +44,9 @@
  * @card
  *   The framework's PQC-first cryptography surface.
  */
-var nodeCrypto = require("crypto");
-var nodeFs = require("fs");
-var { pipeline } = require("stream/promises");
+var nodeCrypto = require("node:crypto");
+var nodeFs = require("node:fs");
+var { pipeline } = require("node:stream/promises");
 var { xchacha20poly1305 } = require("./vendor/noble-ciphers.cjs");
 var C = require("./constants");
 

package/lib/daemon.js

@@ -37,8 +37,8 @@
  *   Long-running process orchestration — supervisor wiring around `b.appShutdown`, foreground signal handling, detached-fork spawn via `b.processSpawn`, PID-file health probes, and a SIGTERM-then-SIGKILL restart policy on stop.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var numericBounds = require("./numeric-bounds");
 var appShutdown = require("./app-shutdown");
 var processSpawn = require("./process-spawn");

package/lib/db-file-lifecycle.js

@@ -57,9 +57,9 @@
  *   bun:sqlite).
  */
 
-var nodeFs   = require("fs");
-var os   = require("os");
-var nodePath = require("path");
+var nodeFs   = require("node:fs");
+var os   = require("node:os");
+var nodePath = require("node:path");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
 var { generateBytes, generateToken, encryptPacked, decryptPacked } = require("./crypto");
@@ -115,8 +115,8 @@ function _resolveTmpDir(operatorTmpDir, allowDiskFallback) {
  * Returns an encrypted-DB-file lifecycle handle. Methods:
  *
  *   - `decryptToTmp()` — decrypt the encrypted DB file to a fresh
- *     tmpfs path and return the nodePath. Idempotent: subsequent calls
- *     return the existing nodePath.
+ *     tmpfs path and return the path. Idempotent: subsequent calls
+ *     return the existing path.
  *   - `dbPath` — the resolved plaintext-tmpfs path (set after
  *     `decryptToTmp()` runs).
  *   - `startFlushTimer(db, opts?)` — start a periodic flush timer

package/lib/db-schema.js

@@ -36,7 +36,7 @@
  *                             surfaces a rollback throw without
  *                             swallowing the original error.
  */
-var nodePath = require("path");
+var nodePath = require("node:path");
 var atomicFile = require("./atomic-file");
 var safeSql = require("./safe-sql");
 

package/lib/db.js

@@ -41,8 +41,8 @@
  * @card
  *   Database core — SQLite (node:sqlite) wrapped in encrypted-at-rest storage, sealed-column field-level crypto, append-only audit-chain integration, declarative schema reconcile, and run-once migrations.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var { DatabaseSync } = require("node:sqlite");
 var { Readable } = require("node:stream");
 var atomicFile = require("./atomic-file");

package/lib/dev.js

@@ -11,7 +11,7 @@
  *   spawned app's logs unchanged.
  *
  *   The hot-reload loop spawns the app as a child process, watches the
- *   source directories with `nodeFs.watch({ recursive: true })`, and
+ *   source directories with `fs.watch({ recursive: true })`, and
  *   restarts the child when an unignored file changes. On-disk state
  *   (vault keys, encrypted DB, sealed cookies) survives the restart
  *   because the child re-opens the files; only in-process state is
@@ -41,15 +41,15 @@
  *
  *   Test seams: `opts._spawn(cmd, args, sopts)` and
  *   `opts._watch(dir, wopts, listener)` default to `child_process.spawn`
- *   and `nodeFs.watch`; unit tests pass fakes to drive the engine without
+ *   and `fs.watch`; unit tests pass fakes to drive the engine without
  *   real subprocesses.
  *
  * @card
  *   Dev-mode helpers — hot-reload signal (file watch + child-process restart), route-list dump exposed via `dev.stats()`, and a request inspector courtesy of `stdio: 'inherit'` so the operator sees the spawned app's logs unchanged.
  */
 
-var nodePath = require("path");
-var nodeFs = require("fs");
+var nodePath = require("node:path");
+var nodeFs = require("node:fs");
 var lazyRequire = require("./lazy-require");
 var logModule = require("./log");
 var numericBounds = require("./numeric-bounds");
@@ -65,7 +65,7 @@ var { FrameworkError } = require("./framework-error");
 // inspecting a deployed bundle don't see it as a top-level dep of an
 // otherwise hermetic framework. Production deployments additionally
 // refuse to construct dev.create() — see _refuseInProduction below.
-var childProcess = lazyRequire(function () { return require("child_process"); });
+var childProcess = lazyRequire(function () { return require("node:child_process"); });
 
 class DevError extends FrameworkError {
   constructor(code, message) {

package/lib/dr-runbook.js

@@ -42,8 +42,8 @@
  *   Disaster-recovery runbook executor — composes pre-recorded regulatory steps, operator confirmation gates, and the framework's audit chain into a posture-appropriate Markdown runbook a regulator can read alongside `b.audit`.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var C = require("./constants");
 var atomicFile = require("./atomic-file");
 var lazyRequire = require("./lazy-require");

package/lib/external-db-migrate.js

@@ -48,7 +48,7 @@
  *   - externaldb.migrate.lock.acquired   { holder }
  *   - externaldb.migrate.lock.released   { holder }
  */
-var nodePath = require("path");
+var nodePath = require("node:path");
 var atomicFile = require("./atomic-file");
 var canonicalJson = require("./canonical-json");
 var { sha3Hash } = require("./crypto");

package/lib/flag-evaluation-context.js

@@ -16,7 +16,7 @@
  * then evaluate.
  */
 
-var nodeCrypto    = require("crypto");
+var nodeCrypto    = require("node:crypto");
 var validateOpts  = require("./validate-opts");
 var lazyRequire   = require("./lazy-require");
 var { defineClass } = require("./framework-error");

package/lib/flag-providers.js

@@ -36,7 +36,7 @@
  *   provider.kind   -> "local-file" | "memory" | "environment" | <operator-defined>
  */
 
-var nodeFs = require("fs");
+var nodeFs = require("node:fs");
 var validateOpts   = require("./validate-opts");
 var lazyRequire    = require("./lazy-require");
 var safeJson       = require("./safe-json");

package/lib/http-client.js

@@ -35,15 +35,15 @@
  *   Outbound HTTP client with SSRF gate, retry, circuit breaker, wall-clock + idle timeouts, AbortSignal propagation, connection pooling, streaming, and ALPN-negotiated HTTP/2.
  */
 
-var nodeFs = require("fs");
-var http  = require("http");
-var https = require("https");
-var http2 = require("http2");
-var nodeCrypto = require("crypto");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var http  = require("node:http");
+var https = require("node:https");
+var http2 = require("node:http2");
+var nodeCrypto = require("node:crypto");
+var nodePath = require("node:path");
 var nodeStream = require("node:stream");
 var streamPromises = require("node:stream/promises");
-var { URL } = require("url");
+var { URL } = require("node:url");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
 var bCrypto = require("./crypto");
@@ -476,9 +476,9 @@ function _attachJarCookie(headers, jar, url) {
 function _buildMultipartBody(spec) {
   var boundary = "----blamejs-mp-" + bCrypto.generateToken(C.BYTES.bytes(16));
   var CRLF = "\r\n";
-  var nodeFs = require("fs");                                             // allow:inline-require — only on multipart paths that touch the filesystem
-  var path = require("path");                                         // allow:inline-require — same
-  var nodeStream = require("stream");                                 // allow:inline-require — Readable subclass only when streaming
+  var nodeFs = require("node:fs");                                             // allow:inline-require — only on multipart paths that touch the filesystem
+  var path = require("node:path");                                         // allow:inline-require — same
+  var nodeStream = require("node:stream");                                 // allow:inline-require — Readable subclass only when streaming
 
   // Each entry is { headerBytes, source } where source is one of:
   //   { kind: "buffer", buf: Buffer }
@@ -1959,7 +1959,7 @@ function _validateUploadOpts(opts) {
  *
  * POSTs a file body via `multipart/form-data` without buffering the
  * file in memory. Streams from disk through the request body using
- * `nodeFs.createReadStream` + `node:stream/promises` pipeline. Throws
+ * `fs.createReadStream` + `node:stream/promises` pipeline. Throws
  * `httpclient/missing-file` when `opts.file.path` doesn't exist or
  * isn't a regular file. Composes through `request()` so SSRF gating,
  * proxy routing, and the per-origin transport cache apply unchanged.

package/lib/http-message-signature.js

@@ -59,7 +59,7 @@
  *   // → { valid, label, keyid, alg, covered, reason? }
  */
 
-var nodeCrypto       = require("crypto");
+var nodeCrypto       = require("node:crypto");
 var safeUrl          = require("./safe-url");
 var safeBuffer       = require("./safe-buffer");
 var C                = require("./constants");

package/lib/keychain.js

@@ -43,8 +43,8 @@
  *   OS keychain abstraction with encrypted-file fallback — stores / retrieves / removes a `(service, account) -> password` binding via the host operating system's native credential store.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 
 var atomicFile = require("./atomic-file");
 var C = require("./constants");

package/lib/local-db-thin.js

@@ -53,8 +53,8 @@
  *   localdb.thin.closed     { file }
  */
 
-var nodeFs   = require("fs");
-var nodePath = require("path");
+var nodeFs   = require("node:fs");
+var nodePath = require("node:path");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var safeSql = require("./safe-sql");