@blamejs/core 0.9.9 → 0.9.14

package/CHANGELOG.md

@@ -8,6 +8,11 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.14 (2026-05-13) — **Audit-existing-code sweep: `safeSql.quoteIdentifier` adopted across every framework primitive that interpolates SQL identifiers; new `raw-sql-identifier-interpolation` detector seals the bug class.** Codex P1 on PR #44 flagged that `dbStore.get`'s expired-row cleanup was an unconditional `DELETE WHERE k = ?` between SELECT and DELETE — in a multi-process deployment another process could upsert the same key in the race window, and the unconditional delete would erase the fresh row. Fix: scope the delete by the observed `expires_at`. While reviewing, a wider gap surfaced — every `db.prepare("CREATE TABLE " + tableName + ...)` site in the framework had been concatenating identifiers raw, sometimes with inline shape-regex validation that varied per module. The framework already shipped `b.safeSql.quoteIdentifier(name, dialect?)` for exactly this; per the audit-existing-code rule the same patch (a) routes every site through the helper (`lib/audit.js` segregation-of-duties trigger DDL, `lib/dsr.js` ticket store, `lib/inbox.js` message-receive table, `lib/middleware/idempotency-key.js` dbStore, `lib/vault/rotate.js` column-rotation DDL) and (b) adds a `raw-sql-identifier-interpolation` codebase-patterns detector so the bug class can't return. The detector skips variables whose names signal already-quoted identifiers (`q<X>` / `Q_<X>` / `quoted<X>` prefix), so future primitives that use the helper read naturally. **Plus: bounded JSON parse for two file-/DB-backed primitives.** `b.metrics.snapshot.read` and `b.middleware.idempotencyKey.dbStore.get` previously used bare `JSON.parse` with `allow:bare-json-parse` markers; both are read by processes separate from where they were written (CLI/sidecar reads daemon-written snapshot; multi-process fleet shares DB) where a hostile or misbehaving writer could plant a multi-GB value and OOM the reader. Both now route through `b.safeJson.parse(raw, { maxBytes: 4 MiB })`. **Three new primitives — `b.crypto.hashFilesParallel`, `b.pqcAgent.reload`, `b.middleware.idempotencyKey.dbStore` — plus republish of v0.9.13's surface**. v0.9.13's npm-publish workflow failed at the wiki-e2e gate (the Codex P1 fix removed the `opts` parameter from `b.selfUpdate.standaloneVerifier.verify` but the `@signature` JSDoc still declared four arguments — three vs. four arity drift). The v0.9.13 git tag + GH release reached operators but the npm tarball did not; the registry stayed at v0.9.12. v0.9.14 carries v0.9.13's entire shipped surface (circuitBreaker.create({...}) opts-object fix + `b.selfUpdate.standaloneVerifier` + `b.metrics.snapshot` + `b.retry.withBreaker`) plus three additional Tier 2 primitives surfaced by the same downstream consumer that flagged the v0.9.13 batch. (1) **`b.crypto.hashFilesParallel(filePaths, opts?)`** — parallel multi-digest hashing for many files in a single read pass per file. Worker-pool concurrency cap (default `min(8, paths.length)`, 1..256), operator-tunable `algorithms` list (default `["sha256", "sha3-512"]`), optional `onProgress(completed, total)` callback (throws swallowed). Returns rows in the same order as input. The common consumer-side reason to reach for this is SBOM regeneration / vendor-data integrity sweeps / release-asset bundling — situations where N files each need both SHA-256 (legacy compat) and SHA-3-512 (PQC-first) digests and rolling a worker pool by hand has cost a downstream consumer the same two-loop, capture-N-promises, settle-Q boilerplate every release. (2) **`b.pqcAgent.reload()`** — tear down the lazily-built default agent and reset to null so the next `b.pqcAgent.agent` access rebuilds against current TLS posture + `b.network.tls.applyToContext` output. Long-running daemons that rotate the framework's TLS posture (TLS-pinset reload, certificate-pinset refresh, `C.TLS_GROUP_PREFERENCE` update behind a feature flag) need a way to re-source the outbound `https.Agent` without forking a new process. `reload()` calls `.destroy()` on the existing default agent (Node closes idle keep-alive sockets, lets in-flight sockets complete) then nulls the cache. Agents handed out via explicit `b.pqcAgent.create()` are unaffected. Returns `{ destroyed: boolean }`. (3) **`b.middleware.idempotencyKey.dbStore({ db, tableName?, init? })`** — persistent-backed store for the `idempotencyKey` middleware. Same three-method interface as `memoryStore` (`get` / `set` / `delete`) but stores records in any sqlite-shaped database (`{ prepare(sql) → { run, get, all } }`) — the framework's internal `b.db`, an operator-supplied better-sqlite3 instance, or a custom adapter. Use this instead of `memoryStore` when (a) multiple processes share the request-handling fleet so retries can land on a different process than the original, (b) the daemon may restart between the original request and the retry (graceful rolling deploy, OOM kill), or (c) audit / compliance review needs to walk historic idempotency-cache decisions queryable via `SELECT * FROM <tableName>`. TTL is lazily enforced at read time; `set()` upserts on conflict so concurrent retries on different processes don't error. The `tableName` is validated via `b.safeSql.validateIdentifier` (ASCII identifier shape, 63-char cap, no reserved words). (4) **Internal fix**: `b.apiSnapshot.read` now passes `maxBytes: 64 MiB` to `safeJson.parse` — the framework-generated snapshot file outgrew safeJson's 1 MiB default after v0.9.13. Operators consuming `@blamejs/core` via npm jump from v0.9.12 directly to v0.9.14; v0.9.13's content is included.
+- v0.9.13 (2026-05-13) — **Two `b.circuitBreaker.create` / `b.retry` bug fixes plus three new operator-facing primitives: `b.selfUpdate.standaloneVerifier`, `b.metrics.snapshot`, `b.retry.withBreaker`**. (1) `b.circuitBreaker.create({...})` was rejecting the documented opts-object call shape with `name must be a non-empty string, got object` — every consumer following the docstring hit a hard error. The factory now reads `opts.name` (defaulting to empty string) and forwards to the internal `CircuitBreaker(name, opts)` constructor. (2) The breaker's open-circuit error code was documented as `retry/circuit-open` but the runtime threw `CIRCUIT_OPEN`. The docstring is corrected to match the runtime; an alias rename will follow with a deprecation cycle in a future minor. (3) **`b.selfUpdate.standaloneVerifier`** — zero-dep verifier for install-pipeline contexts that run BEFORE the framework is installed (Dockerfile build stages, `install.sh`, `update.sh`, SEA-bundle verification at deploy time). Surface: `verify(assetPath, sigPath, pubkeyPem, opts?)` returns `{ ok, sha3_512, sha256, alg }`. Streams the asset in 64 KiB chunks through SHA-256 + SHA-3-512 + the signature verifier in parallel — multi-GB SEA bundles don't OOM the install runner. Supports ECDSA P-384 (both IEEE-P1363 96-byte and DER encodings), Ed25519, and ML-DSA-87. Detects signature format from length so `verifier.verify(...)` runs exactly once (calling it twice returns stale state and silently passes tampered assets). Module is hermetic: `node:crypto` + `node:fs` only, no framework imports. Operators copy the file via `cp "$(node -p "require('@blamejs/core').selfUpdate.standaloneVerifier.path")" install/standalone-verifier.js` into version control on their side. (4) **`b.metrics.snapshot`** — out-of-process metrics export for long-running daemons. `startWriter({ path, intervalMs, fields })` atomically flushes a JSON snapshot (first flush synchronous so the file exists by return-time; subsequent flushes on the interval with `.unref()`; `stop()` clears + final-flushes). `read(path)` parses with shape validation (writtenAt + fields). `render(snap, { format, prefix })` produces operator-readable text or Prometheus 0.0.4 exposition (gauge metrics, prefixed; only finite numeric scalars with prom-compatible names emit; invalid-name / non-numeric / non-finite fields skipped silently). Lets a CLI process scrape a daemon's live metrics without opening an HTTP port. (5) **`b.retry.withBreaker(fn, { retry, breaker })`** — composition primitive collapsing the two-line wrapper every consumer rolls: `breaker.wrap(() => retry.withRetry(fn, opts.retry))`. One breaker call per retry loop (the retry budget is INSIDE the breaker's accounting, so a single transient burst doesn't open the breaker spuriously). Throws on non-function `fn` or breaker without `.wrap`.
+- v0.9.12 (2026-05-13) — **Republish of v0.9.10 / v0.9.11 — `npm audit signatures` grep widened for the npm-message variant that fires post-v0.9.11**. The publish workflow's "Verify npm registry signing chain" step treats an empty-tree result as success (the framework's zero-runtime-deps posture means `npm audit signatures --omit dev` finds nothing to audit). The exact phrasing has drifted across npm versions: older npm prints `found no installed dependencies to audit`; newer npm (the version on the GH Actions runner post-v0.9.11) prints `found no dependencies to audit that were installed from a supported registry`. The shell guard's grep only matched the older phrasing, so v0.9.11's publish failed at the audit-signatures gate even though every other step succeeded. The grep is now `no (installed )?dependencies to audit` — covers both known empty-tree variants. v0.9.10's broken-smoke fix (added `npm install` before smoke) plus v0.9.12's audit-signatures-grep fix together complete the publish-pipeline repair. v0.9.12 is functionally identical to v0.9.10's intended surface. Operators stuck at v0.9.9 (because v0.9.10 + v0.9.11 never reached the npm registry) jump directly to v0.9.12.
+- v0.9.11 (2026-05-13) — **Republish of v0.9.10 — npm-publish.yml now installs devDependencies before smoke**. v0.9.10's tag was pushed and the GitHub release published, but `npm-publish.yml`'s Framework-smoke step ran `node test/smoke.js` without first running `npm install`. The new bundler-output gate added in v0.9.10 requires `esbuild` (a devDependency) to be present, so the publish workflow failed at the smoke step before reaching the publish step — the v0.9.10 npm tarball was never published. The fix adds `npm install --no-audit --no-fund` to `.github/workflows/npm-publish.yml` directly before the smoke step (mirroring the same fix already present in `.github/workflows/ci.yml`). Operators consuming via `npm install @blamejs/core` should pull v0.9.11; functionally identical to the intended-v0.9.10 surface. Zero runtime deps invariant preserved.
+- v0.9.10 (2026-05-13) — **Bundler-output e2e gate** — `test/layer-5-integration/bundler-output.test.js`. Bundles the framework via `esbuild --bundle --platform=node` (also `--minify`), runs the bundled consumer, and asserts the four-layer vendor-data integrity surface (dual-hash + SLH-DSA signature + canary) survives bundling. The PSL canary roundtrips through `b.publicSuffix.isPublicSuffix(...)` after bundle exec — proves the `.data.js` payloads physically reached the bundle bytes, not just the runtime require shape. Plus a byte-search sentinel that grep's the produced bundle for the canary tokens directly (defense-in-depth, independent failure mode from the runtime path). Plus a SEA gate (Linux + Node >= 22 only) that runs `--experimental-sea-config` + `postject` to produce an actual single-executable binary and runs it. The whole class of bugs — dynamic-require breaks bundling, SEA `assets` map missing, esbuild static-trace failures — is now smoke-gated. Had this test existed when v0.9.8 published, it would have refused that release at smoke-time (the v0.9.8 dynamic-require defect produced bundles that exited with `vendor-data/module-missing` on first vendor-data access; this gate's `BUNDLE-OK psl=co.uk entries=3` stdout-check refuses that exit). No framework-surface changes.
 - v0.9.9 (2026-05-13) — **`b.vendorData`: replace dynamic `require(variable)` with static literal-string requires so SEA / esbuild / pkg bundling actually works**. v0.9.8 shipped `b.vendorData` to remove `__dirname`-relative `fs.readFileSync` calls and make the loader packaging-mode-invariant. The implementation looked up each `.data.js` module via `require(entry.module)` where `entry.module` was read from a frozen lookup table — a *dynamic* require, opaque to every bundler's static-analysis pass. esbuild, webpack, ncc, rollup, pkg, nexe, Bun's bundler, and Deno's bundler all trace `require("./literal")` calls; none of them trace `require(variable)`. Result: the three `.data.js` payload modules never made it into SEA / pkg / esbuild bundles, defeating the v0.9.8 promise at boot ("vendor-data/module-missing" thrown by every consumer that bundled the framework). v0.9.9 replaces the lookup with a `_MODULES` table whose three values are each a top-level `var X = require("./vendor/<name>.data")` — literal string, statically traceable. Caught by hermitstash-sync operator review post-v0.9.8 publish. Net surface change: zero (the public `b.vendorData.get` / `getAsString` / `verifyAll` / `inventory` shape is identical); the fix is internal-only. **New codebase-patterns drift detector** `testNoDynamicRequires` refuses any future `require(variable)` in `lib/`; legitimate operator-extensibility points (`b.cli`, migrations, seeders) carry an explicit `allow:dynamic-require` marker with rationale. **Operators upgrade from v0.9.8 to v0.9.9 if they bundle the framework via SEA / esbuild / pkg / Bun-compile** — direct `node` consumers were unaffected (Node's runtime require always resolves dynamic strings correctly).
 - v0.9.8 (2026-05-13) — **`b.vendorData` — packaging-mode-invariant + signed + canary-guarded loader for vendored data files**. The three plaintext vendor data files (`public-suffix-list.dat`, `common-passwords-top-10000.txt`, `bimi-trust-anchors.pem`) are now loaded via inline `Buffer.from(base64)` modules (`<name>.data.js`), eliminating the `__dirname`-relative `fs.readFileSync` paths that broke under Single Executable Application (SEA), `pkg`, `nexe`, esbuild, Bun compile, Deno compile, and AWS Lambda layer bundling. Every load runs four orthogonal integrity checks before returning a byte: SHA-256 + SHA3-512 + SLH-DSA-SHAKE-256f signature against the maintainer's pinned public key (`lib/vendor/.vendor-data-pubkey`) + in-payload canary entry that the parsed structure must surface. Tamper at any layer throws `VendorDataError` at module-load — fail-fast rather than first-request-touches-PSL surprise. **Public API**: `b.vendorData.get(name)` returns the verified Buffer; `b.vendorData.getAsString(name)` returns UTF-8 string; `b.vendorData.verifyAll()` runs all four layers across every registered vendor data file and is invoked at framework boot; `b.vendorData.inventory()` returns per-file metadata (name, source, fetchedAt, sha256, sha3_512, signedBy, canary, byteLength, description) for compliance reporting + SBOM emission. **Migrated call sites**: `b.publicSuffix` (PSL load), `b.auth.password._loadBundledCommon` (common-passwords), `b.mail.bimi` (trust anchors) now route through `b.vendorData` — removes any downstream consumer's need to patch the loader for SEA / bundler builds. **Maintainer signing infrastructure**: vendor data files signed at refresh time by a maintainer-held SLH-DSA-SHAKE-256f keypair (private key stays in `.keys/` and is never committed; public key ships in `lib/vendor/.vendor-data-pubkey` in every npm tarball). Adds a fourth orthogonal trust root alongside SSH-signed release tags + SLSA L3 npm provenance + Sigstore-keyless SBOM signatures. **MANIFEST.json**: per-vendor-data entry gains `runtime_artifact` + `integrity_layers` + dual-file `hashes` (raw `.dat/.txt/.pem` + companion `.data.js`). **New scripts**: `scripts/vendor-data-keygen.js` (one-time keypair generation), `scripts/vendor-data-gen.js` (generator invoked by `scripts/vendor-update.sh --refresh-data`).
 - v0.9.7 (2026-05-13) — **SECURITY.md: release-tag verification path documented + signed-tag invariant from v0.9.7+**. SECURITY.md gains a "Verifying release authenticity" section documenting how operators verify a release tag's authenticity independently of GitHub's UI. The maintainer Ed25519 SSH signing key fingerprint (`SHA256:5oF/XWhFpMde9TRfEX2GAHiApAq/MXOS4vti5zQbD7g`) is published alongside the public-key retrieval URL (`https://github.com/dotCooCoo.keys`) and a `git tag -v` recipe that bypasses the "Verified" badge. From v0.9.7 onward, every release tag is an annotated SSH-signed tag; the repository's `release-tags` ruleset's `required_signatures` rule refuses any unsigned or lightweight tag push at the server side. Earlier tags (v0.9.6 and prior) remain as lightweight commits and don't verify via `git tag -v`; they continue to verify via the SLSA L3 npm provenance + Sigstore-keyless SBOM signatures already attached to those releases (the `cosign verify-blob` recipe is in the same SECURITY.md section). No framework-surface changes; this release ships the documentation + invariant only.

package/lib/api-snapshot.js

@@ -241,7 +241,10 @@ function read(filePath) {
       "read: cannot read " + filePath + ": " + ((e && e.message) || String(e)));
   }
   var parsed;
-  try { parsed = safeJson.parse(raw); }
+  // api-snapshot is framework-generated, not operator-supplied; grow
+  // the safeJson cap so wide-surface releases don't hit the 1 MiB
+  // default. Cap at the safeJson absolute max (64 MiB).
+  try { parsed = safeJson.parse(raw, { maxBytes: 64 * 1024 * 1024 }); }    // allow:raw-byte-literal — internal-file maxBytes ceiling
   catch (e) {
     throw new ApiSnapshotError("api-snapshot/bad-json",
       "read: not valid JSON: " + ((e && e.message) || String(e)));

package/lib/audit.js

@@ -55,6 +55,7 @@ var cluster = require("./cluster");
 var clusterStorage = require("./cluster-storage");
 var { generateToken } = require("./crypto");
 var cryptoField = require("./crypto-field");
+var safeSql = require("./safe-sql");
 var dbRoleContext = require("./db-role-context");
 var handlers = require("./handlers");
 var { boot } = require("./log");
@@ -1334,37 +1335,48 @@ function bindActor(actorId, opts) {
  */
 function generateActorBindingTriggerSql(opts) {
   opts = opts || {};
-  var column = opts.column || "actorUserId";
-  var tableName = opts.tableName || "_blamejs_audit_log";
-  var allowRoles = Array.isArray(opts.allowRoles) ? opts.allowRoles : [];
-  var fnName = "_blamejs_audit_actor_binding_check";
-  var trigName = "_blamejs_audit_actor_binding_trig";
+  var columnRaw    = opts.column || "actorUserId";
+  var tableNameRaw = opts.tableName || "_blamejs_audit_log";
+  var allowRoles   = Array.isArray(opts.allowRoles) ? opts.allowRoles : [];
+  var fnNameRaw    = "_blamejs_audit_actor_binding_check";
+  var trigNameRaw  = "_blamejs_audit_actor_binding_trig";
+  // Quote-and-validate every identifier through safeSql.quoteIdentifier
+  // so operator-supplied opts.column / opts.tableName / opts.roleMappingFn
+  // can't reach raw concatenation. PostgreSQL + SQLite both use the
+  // double-quote dialect.
+  var qColumn   = safeSql.quoteIdentifier(columnRaw, "postgres");
+  var qTable    = safeSql.quoteIdentifier(tableNameRaw, "postgres");
+  var qFn       = safeSql.quoteIdentifier(fnNameRaw, "postgres");
+  var qTrig     = safeSql.quoteIdentifier(trigNameRaw, "postgres");
+  var qRoleMapFn = opts.roleMappingFn
+    ? safeSql.quoteIdentifier(opts.roleMappingFn, "postgres")
+    : null;
   var allowList = allowRoles.length === 0 ? "" :
     "  IF current_user IN (" +
     allowRoles.map(function (r) { return "'" + r.replace(/'/g, "''") + "'"; }).join(", ") +
     ") THEN RETURN NEW; END IF;\n";
-  var roleMatch = opts.roleMappingFn
-    ? "  IF " + opts.roleMappingFn + "(NEW.\"" + column + "\") IS DISTINCT FROM current_user THEN\n"
-    : "  IF NEW.\"" + column + "\" IS DISTINCT FROM current_user THEN\n";
+  var roleMatch = qRoleMapFn
+    ? "  IF " + qRoleMapFn + "(NEW." + qColumn + ") IS DISTINCT FROM current_user THEN\n"
+    : "  IF NEW." + qColumn + " IS DISTINCT FROM current_user THEN\n";
   var up =
-    "CREATE OR REPLACE FUNCTION " + fnName + "() RETURNS trigger AS $$\n" +
+    "CREATE OR REPLACE FUNCTION " + qFn + "() RETURNS trigger AS $$\n" +
     "BEGIN\n" +
     allowList +
     roleMatch +
-    "    RAISE EXCEPTION 'segregation-of-duties violation: actor=% does not match current_user=%', NEW.\"" + column + "\", current_user\n" +
+    "    RAISE EXCEPTION 'segregation-of-duties violation: actor=% does not match current_user=%', NEW." + qColumn + ", current_user\n" +
     "      USING ERRCODE = 'P0001';\n" +
     "  END IF;\n" +
     "  RETURN NEW;\n" +
     "END;\n" +
     "$$ LANGUAGE plpgsql;\n" +
-    "DROP TRIGGER IF EXISTS " + trigName + " ON " + tableName + ";\n" +
-    "CREATE TRIGGER " + trigName + "\n" +
-    "  BEFORE INSERT ON " + tableName + "\n" +
-    "  FOR EACH ROW EXECUTE FUNCTION " + fnName + "();\n";
+    "DROP TRIGGER IF EXISTS " + qTrig + " ON " + qTable + ";\n" +
+    "CREATE TRIGGER " + qTrig + "\n" +
+    "  BEFORE INSERT ON " + qTable + "\n" +
+    "  FOR EACH ROW EXECUTE FUNCTION " + qFn + "();\n";
   var down =
-    "DROP TRIGGER IF EXISTS " + trigName + " ON " + tableName + ";\n" +
-    "DROP FUNCTION IF EXISTS " + fnName + "();\n";
-  return { up: up, down: down, functionName: fnName, triggerName: trigName };
+    "DROP TRIGGER IF EXISTS " + qTrig + " ON " + qTable + ";\n" +
+    "DROP FUNCTION IF EXISTS " + qFn + "();\n";
+  return { up: up, down: down, functionName: fnNameRaw, triggerName: trigNameRaw };
 }
 
 // Boot-time check operators wire under sox-404 / soc2 posture. Verifies

package/lib/circuit-breaker.js

@@ -34,11 +34,18 @@ var retry = require("./retry");
  * @related   b.retry, b.httpClient
  *
  * Build a circuit-breaker. Returns a CircuitBreaker instance with
- * `wrap(fn)` (executes `fn` if the breaker is closed; throws RetryError
- * with `code: "retry/circuit-open"` when open), `state()`, `reset()`,
- * and `onStateChange(handler)` listener registration. Pass-through
- * factory: identical instance shape to `b.retry.CircuitBreaker`, with
- * the framework's `create(opts)` vocabulary.
+ * `wrap(fn)` (executes `fn` if the breaker is closed; throws an
+ * `Error` with `code: "CIRCUIT_OPEN"` + `isObjectStoreError: true` +
+ * `permanent: false` when open), `state()`, `reset()`, and
+ * `onStateChange(handler)` listener registration. Pass-through
+ * factory: identical instance shape to `b.retry.CircuitBreaker`,
+ * with the framework's `create(opts)` vocabulary.
+ *
+ * The `CIRCUIT_OPEN` error code is a pre-v1 artifact — every other
+ * framework error class uses namespaced codes (`retry/...`). The
+ * rename is deferred to v0.10 with a deprecation cycle so existing
+ * operators who match `err.code === "CIRCUIT_OPEN"` aren't broken
+ * in a patch.
  *
  * @opts
  *   name:             string,    // identifier used in audit + state-change events
@@ -65,7 +72,15 @@ var retry = require("./retry");
  *   result.value;     // → 42
  */
 function create(opts) {
-  return new retry.CircuitBreaker(opts || {});
+  // The CircuitBreaker class constructor is `(name, opts)` — passing a
+  // single opts object lands it in the positional `name` slot, and the
+  // validator throws "name must be a non-empty string, got object."
+  // The factory's documented shape is `create({ name, ...opts })`;
+  // split the name out of opts before invoking the constructor.
+  // Caught by hermitstash-sync operator review against v0.9.12.
+  opts = opts || {};
+  var name = (opts && typeof opts.name === "string") ? opts.name : "";
+  return new retry.CircuitBreaker(name, opts);
 }
 
 module.exports = {

package/lib/crypto.js

@@ -147,6 +147,150 @@ function hashFile(filePath, algorithm) {
   return hashStream(nodeFs.createReadStream(filePath), algorithm);
 }
 
+// _hashFileMulti — single-pass stream of a file through N hashers in
+// parallel. Returns { path, byteLength, <alg>: hex } for every
+// `algorithms` entry. Used by hashFilesParallel below; not exported
+// directly because the common case is the parallel-many shape.
+function _hashFileMulti(filePath, algorithms) {
+  return new Promise(function (resolve, reject) {
+    var hashers = new Array(algorithms.length);
+    for (var i = 0; i < algorithms.length; i += 1) {
+      try { hashers[i] = nodeCrypto.createHash(algorithms[i]); }
+      catch (e) {
+        reject(new Error("crypto.hashFilesParallel: unknown algorithm '" +
+          algorithms[i] + "': " + (e && e.message ? e.message : String(e))));
+        return;
+      }
+    }
+    var byteLength = 0;
+    var stream = nodeFs.createReadStream(filePath);
+    stream.on("error", reject);
+    stream.on("data", function (chunk) {
+      byteLength += chunk.length;
+      for (var j = 0; j < hashers.length; j += 1) hashers[j].update(chunk);
+    });
+    stream.on("end", function () {
+      var out = { path: filePath, byteLength: byteLength };
+      for (var k = 0; k < hashers.length; k += 1) {
+        // Field name = algorithm with `-` → `_` so "sha3-512" surfaces
+        // as `out.sha3_512` (matches the standalone-verifier shape).
+        out[algorithms[k].replace(/-/g, "_")] = hashers[k].digest("hex");
+      }
+      resolve(out);
+    });
+  });
+}
+
+/**
+ * @primitive b.crypto.hashFilesParallel
+ * @signature b.crypto.hashFilesParallel(filePaths, opts?)
+ * @since     0.9.14
+ * @status    stable
+ * @related   b.crypto.hashFile, b.crypto.hashStream
+ *
+ * Hash many files in parallel, streaming each one through one or
+ * more digest algorithms in a single read pass. Returns an array of
+ * `{ path, byteLength, sha256, sha3_512, ... }` records in the same
+ * order as `filePaths`. Concurrency is operator-tunable; the default
+ * (`min(8, filePaths.length)`) matches the framework's
+ * hash-while-streaming convention elsewhere without saturating the
+ * fs read queue on spinning-disk hosts.
+ *
+ * The common consumer-side reason to reach for this primitive is
+ * SBOM regeneration / vendor-data integrity sweeps / release-asset
+ * bundling — situations where N files each need both SHA-256 (legacy
+ * compat) and SHA-3-512 (PQC-first) digests and rolling a worker
+ * pool by hand has cost a downstream consumer (`hermitstash-sync`
+ * 2026-05-13) the same two-loop, capture-N-promises, settle-Q boilerplate
+ * every release.
+ *
+ * @opts
+ *   algorithms?:  string[], // default ["sha256", "sha3-512"]; any node:crypto-known digest
+ *   concurrency?: number,   // default min(8, filePaths.length); 1..256
+ *   onProgress?:  function (completed, total) // best-effort; thrown errors swallowed
+ *
+ * @example
+ *   var rows = await b.crypto.hashFilesParallel(
+ *     ["/var/lib/blamejs/asset-a.bin",
+ *      "/var/lib/blamejs/asset-b.bin"],
+ *     { algorithms: ["sha256", "sha3-512"], concurrency: 4 }
+ *   );
+ *   // rows[0] → { path: "...asset-a.bin", byteLength: 4096,
+ *   //            sha256: "...", sha3_512: "..." }
+ */
+function hashFilesParallel(filePaths, opts) {
+  if (!Array.isArray(filePaths)) {
+    return Promise.reject(new TypeError(
+      "crypto.hashFilesParallel: filePaths must be an array of non-empty strings"
+    ));
+  }
+  for (var i = 0; i < filePaths.length; i += 1) {
+    if (typeof filePaths[i] !== "string" || filePaths[i].length === 0) {
+      return Promise.reject(new TypeError(
+        "crypto.hashFilesParallel: filePaths[" + i + "] must be a non-empty string"
+      ));
+    }
+  }
+  opts = opts || {};
+  var algorithms = opts.algorithms !== undefined
+    ? opts.algorithms : ["sha256", "sha3-512"];
+  if (!Array.isArray(algorithms) || algorithms.length === 0) {
+    return Promise.reject(new TypeError(
+      "crypto.hashFilesParallel: opts.algorithms must be a non-empty array"
+    ));
+  }
+  for (var ai = 0; ai < algorithms.length; ai += 1) {
+    if (typeof algorithms[ai] !== "string" || algorithms[ai].length === 0) {
+      return Promise.reject(new TypeError(
+        "crypto.hashFilesParallel: opts.algorithms[" + ai + "] must be a non-empty string"
+      ));
+    }
+  }
+  var concurrency = opts.concurrency !== undefined
+    ? opts.concurrency
+    : Math.min(8, Math.max(1, filePaths.length));                                                  // allow:raw-byte-literal — worker fan-out cap, not bytes
+  if (typeof concurrency !== "number" || !isFinite(concurrency) ||
+      concurrency < 1 || concurrency > 256 ||                                                       // allow:raw-byte-literal — concurrency upper cap
+      Math.floor(concurrency) !== concurrency) {
+    return Promise.reject(new TypeError(
+      "crypto.hashFilesParallel: opts.concurrency must be an integer in [1, 256], got " + concurrency
+    ));
+  }
+  var onProgress = opts.onProgress;
+  if (onProgress !== undefined && typeof onProgress !== "function") {
+    return Promise.reject(new TypeError(
+      "crypto.hashFilesParallel: opts.onProgress must be a function when supplied"
+    ));
+  }
+  if (filePaths.length === 0) return Promise.resolve([]);
+
+  var results = new Array(filePaths.length);
+  var nextIdx = 0;
+  var completed = 0;
+  var total = filePaths.length;
+  function _worker() {
+    function _step() {
+      var idx = nextIdx;
+      nextIdx += 1;
+      if (idx >= total) return Promise.resolve();
+      return _hashFileMulti(filePaths[idx], algorithms).then(function (rec) {
+        results[idx] = rec;
+        completed += 1;
+        if (onProgress) {
+          try { onProgress(completed, total); }
+          catch (_e) { /* progress callback errors are not fatal */ }
+        }
+        return _step();
+      });
+    }
+    return _step();
+  }
+  var workerCount = Math.min(concurrency, total);
+  var workers = new Array(workerCount);
+  for (var w = 0; w < workerCount; w += 1) workers[w] = _worker();
+  return Promise.all(workers).then(function () { return results; });
+}
+
 function random(byteLength) {
   var n = byteLength || 32;
   // SHAKE256 over OS-RNG bytes. The OS RNG (nodeCrypto.randomBytes) is
@@ -1374,6 +1518,7 @@ module.exports = {
   sha3Hash:                    sha3Hash,
   hmacSha3:                    hmacSha3,
   hashFile:                    hashFile,
+  hashFilesParallel:           hashFilesParallel,
   hashStream:                  hashStream,
   namespaceHash:               namespaceHash,
   kdf:                         kdf,

package/lib/dsr.js

@@ -113,6 +113,7 @@ var C = require("./constants");
 var bCrypto = require("./crypto");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
+var safeSql = require("./safe-sql");
 var { defineClass } = require("./framework-error");
 
 var DsrError = defineClass("DsrError", { alwaysPermanent: true });
@@ -939,15 +940,21 @@ function dbTicketStore(opts) {
     throw new DsrError("dsr/bad-db",
       "dbTicketStore: opts.db must be a b.db-shaped handle (with runSql + prepare)");
   }
-  var table = opts.table || "dsr_tickets";
-  if (typeof table !== "string" || !/^[A-Za-z][A-Za-z0-9_]*$/.test(table)) {
+  var tableRaw = opts.table || "dsr_tickets";
+  var qTable, qEmailIdx, qStatusIdx;
+  try {
+    qTable     = safeSql.quoteIdentifier(tableRaw, "sqlite");
+    qEmailIdx  = safeSql.quoteIdentifier(tableRaw + "_email_idx", "sqlite");
+    qStatusIdx = safeSql.quoteIdentifier(tableRaw + "_status_idx", "sqlite");
+  } catch (sqlErr) {
     throw new DsrError("dsr/bad-table",
-      "dbTicketStore: table must be a SQL identifier ([A-Za-z][A-Za-z0-9_]*)");
+      "dbTicketStore: table must be a valid SQL identifier: " +
+      (sqlErr && sqlErr.message ? sqlErr.message : String(sqlErr)));
   }
 
   // Auto-provision schema if not already present. Idempotent.
   function ensureSchema() {
-    db.runSql("CREATE TABLE IF NOT EXISTS " + table + " (" +
+    db.runSql("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
       "id            TEXT PRIMARY KEY, " +
       "type          TEXT NOT NULL, " +
       "status        TEXT NOT NULL, " +
@@ -961,16 +968,16 @@ function dbTicketStore(opts) {
       "posture       TEXT, " +
       "payload       TEXT NOT NULL" +
     ")");
-    db.runSql("CREATE INDEX IF NOT EXISTS " + table + "_email_idx ON " +
-              table + " (subject_email)");
-    db.runSql("CREATE INDEX IF NOT EXISTS " + table + "_status_idx ON " +
-              table + " (status)");
+    db.runSql("CREATE INDEX IF NOT EXISTS " + qEmailIdx + " ON " +
+              qTable + " (subject_email)");
+    db.runSql("CREATE INDEX IF NOT EXISTS " + qStatusIdx + " ON " +
+              qTable + " (status)");
   }
   ensureSchema();
 
   return {
     insert: async function (ticket) {
-      var stmt = db.prepare("INSERT INTO " + table +
+      var stmt = db.prepare("INSERT INTO " + qTable +
         " (id, type, status, subject_id, subject_email, subject_phone, " +
         "  submitted_at, deadline_at, processed_at, verification_level, posture, payload) " +
         " VALUES ($id, $type, $status, $sid, $email, $phone, $submittedAt, " +
@@ -991,14 +998,14 @@ function dbTicketStore(opts) {
       });
     },
     get: async function (id) {
-      var rows = db.prepare("SELECT payload FROM " + table + " WHERE id = $id")
+      var rows = db.prepare("SELECT payload FROM " + qTable + " WHERE id = $id")
                    .all({ $id: id });
       if (!rows || rows.length === 0) return null;
       return JSON.parse(rows[0].payload);                                          // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
     },
     list: async function (filter) {
       filter = filter || {};
-      var sql = "SELECT payload FROM " + table;
+      var sql = "SELECT payload FROM " + qTable;
       var conds = [];
       var params = {};
       if (filter.status) {
@@ -1021,7 +1028,7 @@ function dbTicketStore(opts) {
       return rows.map(function (r) { return JSON.parse(r.payload); });             // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
     },
     update: async function (id, ticket) {
-      var stmt = db.prepare("UPDATE " + table + " SET " +
+      var stmt = db.prepare("UPDATE " + qTable + " SET " +
         " type = $type, status = $status, subject_id = $sid, " +
         " subject_email = $email, subject_phone = $phone, " +
         " submitted_at = $submittedAt, deadline_at = $deadlineAt, " +
@@ -1051,10 +1058,10 @@ function dbTicketStore(opts) {
       // Bulk-delete tickets in terminal states whose retentionUntil
       // is in the past. Returns the number of rows removed.
       var asOf = (typeof asOfMs === "number" && isFinite(asOfMs)) ? asOfMs : Date.now();
-      var rows = db.prepare("SELECT id, payload FROM " + table +
+      var rows = db.prepare("SELECT id, payload FROM " + qTable +
                             " WHERE status IN ('completed','partially_completed','cancelled','rejected','expired')").all({});
       var purged = 0;
-      var del = db.prepare("DELETE FROM " + table + " WHERE id = $id");
+      var del = db.prepare("DELETE FROM " + qTable + " WHERE id = $id");
       for (var i = 0; i < rows.length; i++) {
         try {
           var t = JSON.parse(rows[i].payload);                                      // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
@@ -1066,7 +1073,7 @@ function dbTicketStore(opts) {
       }
       return purged;
     },
-    _table:    table,
+    _table:    tableRaw,
     _ensureSchema: ensureSchema,
   };
 }

package/lib/inbox.js

@@ -143,7 +143,13 @@ function create(opts) {
   _validateTableName(opts.table);
 
   var externalDb     = opts.externalDb;
-  var table          = opts.table;
+  var tableRaw       = opts.table;
+  // Identifiers reach SQL through safeSql.quoteIdentifier — runs
+  // validateIdentifier internally + emits the dialect-correct quoted
+  // form. sqlite + postgres both use the double-quote dialect (per
+  // lib/safe-sql.js), so one quoted form serves both inbox paths.
+  var qTable         = safeSql.quoteIdentifier(tableRaw, "sqlite");
+  var qIndex         = safeSql.quoteIdentifier(tableRaw + "_received_at_idx", "sqlite");
   var retentionDays  = (typeof opts.retentionDays === "number" && opts.retentionDays > 0)        // allow:numeric-opt-Infinity
     ? opts.retentionDays : 30;                                                                   // allow:raw-byte-literal — default retention days
   var auditOn        = opts.audit !== false;
@@ -226,7 +232,7 @@ function create(opts) {
 
     if (dialect === "postgres") {
       var rs = await txn.query(
-        "INSERT INTO " + table +
+        "INSERT INTO " + qTable +
         " (message_id, source, received_at, metadata_json) " +
         " VALUES ($1, $2, " + nowExpr + ", $3::jsonb) " +
         " ON CONFLICT (source, message_id) DO NOTHING " +
@@ -248,7 +254,7 @@ function create(opts) {
     // that the framework can't prevent. RETURNING 1 collapses both
     // round-trips into one and removes the changes() dependency.
     var sqlInsert = await txn.query(
-      "INSERT OR IGNORE INTO " + table +
+      "INSERT OR IGNORE INTO " + qTable +
       " (message_id, source, received_at, metadata_json) " +
       " VALUES (?, ?, " + nowExpr + ", ?) RETURNING 1",
       [receiveOpts.messageId, receiveOpts.source, metaJson]);
@@ -268,7 +274,7 @@ function create(opts) {
     _validateReceiveOpts(receiveOpts, "markProcessed");
     var nowExpr = _utcNowExpr(externalDb);
     var dialect = (externalDb.dialect === "postgres") ? "postgres" : "sqlite";
-    var sql = "UPDATE " + table +
+    var sql = "UPDATE " + qTable +
               " SET processed_at = " + nowExpr +
               " WHERE source = " + (dialect === "postgres" ? "$1" : "?") +
               " AND message_id = " + (dialect === "postgres" ? "$2" : "?");
@@ -318,7 +324,7 @@ function create(opts) {
     var dialect = (xdb && xdb.dialect === "postgres") ? "postgres" : "sqlite";
     if (dialect === "postgres") {
       await xdb.query(
-        "CREATE TABLE IF NOT EXISTS " + table + " (" +
+        "CREATE TABLE IF NOT EXISTS " + qTable + " (" +
         "  message_id   TEXT NOT NULL," +
         "  source       TEXT NOT NULL," +
         "  received_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()," +
@@ -327,11 +333,11 @@ function create(opts) {
         "  PRIMARY KEY (source, message_id)" +
         ")");
       await xdb.query(
-        "CREATE INDEX IF NOT EXISTS " + table + "_received_at_idx " +
-        "ON " + table + " (received_at)");
+        "CREATE INDEX IF NOT EXISTS " + qIndex + " " +
+        "ON " + qTable + " (received_at)");
     } else {
       await xdb.query(
-        "CREATE TABLE IF NOT EXISTS " + table + " (" +
+        "CREATE TABLE IF NOT EXISTS " + qTable + " (" +
         "  message_id   TEXT NOT NULL," +
         "  source       TEXT NOT NULL," +
         "  received_at  TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP," +
@@ -340,8 +346,8 @@ function create(opts) {
         "  PRIMARY KEY (source, message_id)" +
         ")");
       await xdb.query(
-        "CREATE INDEX IF NOT EXISTS " + table + "_received_at_idx " +
-        "ON " + table + " (received_at)");
+        "CREATE INDEX IF NOT EXISTS " + qIndex + " " +
+        "ON " + qTable + " (received_at)");
     }
   }
 
@@ -351,7 +357,7 @@ function create(opts) {
     await externalDb.transaction(async function (xdb) {
       if (dialect === "postgres") {
         var rs = await xdb.query(
-          "DELETE FROM " + table +
+          "DELETE FROM " + qTable +
           " WHERE received_at < NOW() - $1::interval " +
           " AND (processed_at IS NOT NULL OR received_at < NOW() - $2::interval)",
           [retentionDays + " days", (retentionDays * 2) + " days"]);
@@ -360,7 +366,7 @@ function create(opts) {
         var staleDate = new Date(Date.now() - retentionDays * C.TIME.days(1)).toISOString();
         var unprocStaleDate = new Date(Date.now() - retentionDays * 2 * C.TIME.days(1)).toISOString();
         await xdb.query(
-          "DELETE FROM " + table +
+          "DELETE FROM " + qTable +
           " WHERE received_at < ? " +
           " AND (processed_at IS NOT NULL OR received_at < ?)",
           [staleDate, unprocStaleDate]);
@@ -378,7 +384,7 @@ function create(opts) {
   async function isFresh(receiveOpts) {
     _validateReceiveOpts(receiveOpts, "isFresh");
     var dialect = (externalDb.dialect === "postgres") ? "postgres" : "sqlite";
-    var sql = "SELECT 1 FROM " + table +
+    var sql = "SELECT 1 FROM " + qTable +
               " WHERE source = " + (dialect === "postgres" ? "$1" : "?") +
               " AND message_id = " + (dialect === "postgres" ? "$2" : "?");
     var rs = await externalDb.transaction(async function (xdb) {
@@ -395,7 +401,7 @@ function create(opts) {
     var stats = await externalDb.transaction(async function (xdb) {
       var sql = "SELECT COUNT(*) AS total," +
                 "       COUNT(processed_at) AS processed " +
-                "  FROM " + table +
+                "  FROM " + qTable +
                 (sourceFilter ? " WHERE source = " +
                   (dialect === "postgres" ? "$1" : "?") : "");
       var args = sourceFilter ? [sourceFilter] : [];
@@ -418,7 +424,7 @@ function create(opts) {
     sweep:          sweep,
     isFresh:        isFresh,
     getStats:       getReceiveStats,
-    table:          table,
+    table:          tableRaw,
     retentionDays:  retentionDays,
   };
 }