@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js

@@ -0,0 +1,147 @@
+"use strict";
+
+var fs = require("node:fs");
+var os = require("node:os");
+var path = require("node:path");
+var helpers = require("../helpers");
+var check = helpers.check;
+var b = helpers.b;
+
+async function _mintTestCert() {
+  // Use the framework's mtls engine to mint a self-signed cert. The
+  // CA shape (caCertPem + caKeyPem) is itself a valid self-signed pair
+  // that node:tls.createSecureContext accepts.
+  var ca = await b.mtlsEngine.generateCa({ generation: 1 });
+  return { certPem: ca.caCertPem, keyPem: ca.caKeyPem };
+}
+
+function _mkTmpDir(label) {
+  return fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-mail-tls-" + label + "-"));
+}
+
+function _writeFile(p, content) {
+  fs.writeFileSync(p, content);
+  return p;
+}
+
+async function run() {
+  var modSurface = b.mail.server.tls;
+  check("surface: context is fn",            typeof modSurface.context === "function");
+  check("surface: MailServerTlsError class", typeof modSurface.MailServerTlsError === "function");
+
+  // ---- happy path: plain PEM files load + return a SecureContext ----
+  var tmp1 = _mkTmpDir("happy");
+  try {
+    var pair = await _mintTestCert();
+    var certFile = _writeFile(path.join(tmp1, "cert.pem"), pair.certPem);
+    var keyFile  = _writeFile(path.join(tmp1, "key.pem"),  pair.keyPem);
+    var tlsCtx = b.mail.server.tls.context({ certFile: certFile, keyFile: keyFile });
+    check("context: returns a handle with secureContext getter",
+          tlsCtx && typeof tlsCtx.secureContext === "object" &&
+          tlsCtx.secureContext !== null);
+    check("context: reload is fn",        typeof tlsCtx.reload === "function");
+    check("context: onReload is fn",      typeof tlsCtx.onReload === "function");
+    check("context: stop is fn",          typeof tlsCtx.stop === "function");
+    tlsCtx.stop();
+  } finally {
+    fs.rmSync(tmp1, { recursive: true, force: true });
+  }
+
+  // ---- bad-input refusals ----
+  function expectThrow(label, fn, codeMatch) {
+    var threw = null;
+    try { fn(); } catch (e) { threw = e; }
+    check(label,
+      threw && threw.code && threw.code.indexOf(codeMatch) !== -1);
+  }
+  expectThrow("refuses missing opts",
+    function () { b.mail.server.tls.context(); },
+    "mail-server-tls/bad-opts");
+  expectThrow("refuses missing certFile",
+    function () { b.mail.server.tls.context({ keyFile: "/x" }); },
+    "mail-server-tls/bad-cert-file");
+  expectThrow("refuses missing keyFile",
+    function () { b.mail.server.tls.context({ certFile: "/x" }); },
+    "mail-server-tls/bad-key-file");
+  expectThrow("refuses non-vault-shaped vault",
+    function () { b.mail.server.tls.context({ certFile: "/x", keyFile: "/y", vault: {} }); },
+    "mail-server-tls/bad-vault");
+  expectThrow("refuses non-boolean watch",
+    function () { b.mail.server.tls.context({ certFile: "/x", keyFile: "/y", watch: "yes" }); },
+    "mail-server-tls/bad-watch");
+  expectThrow("refuses pollMs below 1000",
+    function () { b.mail.server.tls.context({ certFile: "/x", keyFile: "/y", pollMs: 100 }); },
+    "mail-server-tls/bad-poll-ms");
+
+  // ---- file-not-found surfaces typed error ----
+  expectThrow("refuses unreadable certFile",
+    function () { b.mail.server.tls.context({
+      certFile: "/this/path/does/not/exist.pem",
+      keyFile:  "/this/path/also/does/not/exist.pem",
+    }); },
+    "mail-server-tls/cert-unreadable");
+
+  // ---- reload() rebuilds the context + fires onReload listeners ----
+  var tmp3 = _mkTmpDir("reload");
+  try {
+    var pair1 = await _mintTestCert();
+    var certFile3 = _writeFile(path.join(tmp3, "cert.pem"), pair1.certPem);
+    var keyFile3  = _writeFile(path.join(tmp3, "key.pem"),  pair1.keyPem);
+    var tlsCtx3 = b.mail.server.tls.context({ certFile: certFile3, keyFile: keyFile3 });
+    var firstCtx = tlsCtx3.secureContext;
+    var listenerCalls = 0;
+    var lastSeenCtx = null;
+    tlsCtx3.onReload(function (newCtx) { listenerCalls += 1; lastSeenCtx = newCtx; });
+
+    // Simulate cert rotation — overwrite both files with a fresh pair
+    var pair2 = await _mintTestCert();
+    fs.writeFileSync(certFile3, pair2.certPem);
+    fs.writeFileSync(keyFile3,  pair2.keyPem);
+    var reloadedCtx = tlsCtx3.reload();
+
+    check("reload: returns a fresh SecureContext",
+      reloadedCtx && reloadedCtx !== firstCtx);
+    check("reload: secureContext getter now returns the fresh one",
+      tlsCtx3.secureContext === reloadedCtx);
+    check("reload: fires onReload listeners",
+      listenerCalls === 1);
+    check("reload: listener receives the fresh context",
+      lastSeenCtx === reloadedCtx);
+    tlsCtx3.stop();
+  } finally {
+    fs.rmSync(tmp3, { recursive: true, force: true });
+  }
+
+  // ---- onReload rejects non-function ----
+  var tmp4 = _mkTmpDir("badlistener");
+  try {
+    var pair4 = await _mintTestCert();
+    var certFile4 = _writeFile(path.join(tmp4, "cert.pem"), pair4.certPem);
+    var keyFile4  = _writeFile(path.join(tmp4, "key.pem"),  pair4.keyPem);
+    var tlsCtx4 = b.mail.server.tls.context({ certFile: certFile4, keyFile: keyFile4 });
+    var threw = null;
+    try { tlsCtx4.onReload("not a fn"); } catch (e) { threw = e; }
+    check("onReload: refuses non-function",
+      threw && threw.code === "mail-server-tls/bad-listener");
+    tlsCtx4.stop();
+  } finally {
+    fs.rmSync(tmp4, { recursive: true, force: true });
+  }
+
+  // ---- MX listener's no-tls-context error message points at this primitive ----
+  var threwNoTls = null;
+  try { b.mail.server.mx.create({ }); } catch (e) { threwNoTls = e; }
+  check("MX no-tls-context error: points at b.mail.server.tls.context",
+    threwNoTls && /b\.mail\.server\.tls\.context/.test(threwNoTls.message));
+  check("MX no-tls-context error: points at b.acme for provisioning",
+    threwNoTls && /b\.acme/.test(threwNoTls.message));
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[mail-server-tls] OK"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/layer-0-primitives/mail-sieve.test.js

@@ -0,0 +1,151 @@
+"use strict";
+
+var helpers = require("../helpers");
+var b       = helpers.b;
+var check   = helpers.check;
+
+function testSurface() {
+  check("b.mail.sieve.run exists",       typeof b.mail.sieve.run === "function");
+  check("b.mail.sieve.runScript exists", typeof b.mail.sieve.runScript === "function");
+  check("b.mail.sieve.create exists",    typeof b.mail.sieve.create === "function");
+}
+
+function testImplicitKeep() {
+  var rv = b.mail.sieve.runScript('# empty script\r\n', {});
+  check("implicit keep when no action fires",
+    rv.actions.length === 1 && rv.actions[0].kind === "keep" && rv.actions[0].implicit);
+}
+
+function testFileinto() {
+  var script = 'require ["fileinto"];\r\n' +
+    'if header :contains "Subject" "[bug]" { fileinto "bugs"; }\r\n';
+  var rv = b.mail.sieve.runScript(script, {
+    headers: [{ name: "Subject", value: "Re: [bug] crash" }],
+  });
+  check("fileinto fires + cancels implicit keep",
+    rv.actions.length === 1 && rv.actions[0].kind === "fileinto" && rv.actions[0].folder === "bugs");
+}
+
+function testAddressDomain() {
+  var script = 'if address :is :domain "From" "trusted.com" { keep; }\r\n';
+  var rv1 = b.mail.sieve.runScript(script, {
+    headers: [{ name: "From", value: "alice@trusted.com" }],
+  });
+  check("address :domain match",
+    rv1.actions.length === 1 && rv1.actions[0].kind === "keep");
+  var rv2 = b.mail.sieve.runScript(script, {
+    headers: [{ name: "From", value: "alice@untrusted.com" }],
+  });
+  check("address :domain non-match → implicit keep",
+    rv2.actions[0].implicit === true);
+}
+
+function testEnvelope() {
+  var script = 'if envelope :is "from" "boss@example.com" { fileinto "Boss"; }\r\n';
+  var rv = b.mail.sieve.runScript(script, {
+    envelope: { from: "boss@example.com", to: "me@example.com" },
+    headers:  [],
+  });
+  check("envelope test reads env.envelope",
+    rv.actions[0].kind === "fileinto" && rv.actions[0].folder === "Boss");
+}
+
+function testSize() {
+  var script = 'if size :over 1K { discard; }\r\n';
+  var big = b.mail.sieve.runScript(script, { sizeBytes: 2048 });
+  check("size :over fires on 2KB",
+    big.actions[0].kind === "discard");
+  var small = b.mail.sieve.runScript(script, { sizeBytes: 512 });
+  check("size :over below threshold → implicit keep",
+    small.actions[0].implicit === true);
+}
+
+function testWildcardMatches() {
+  var script = 'if header :matches "Subject" "[bug]*" { fileinto "bugs"; }\r\n';
+  var rv = b.mail.sieve.runScript('require ["fileinto"];\r\n' + script, {
+    headers: [{ name: "Subject", value: "[bug] tracker #42" }],
+  });
+  check("`:matches` wildcard fires",
+    rv.actions[0].kind === "fileinto");
+}
+
+function testAnyofAllof() {
+  var script =
+    'if anyof(header :is "X-Spam" "yes", header :contains "Subject" "viagra") {\r\n' +
+    '  discard;\r\n' +
+    '}\r\n';
+  var rv = b.mail.sieve.runScript(script, {
+    headers: [{ name: "Subject", value: "buy viagra now" }],
+  });
+  check("anyof matches second branch", rv.actions[0].kind === "discard");
+}
+
+function testRedirect() {
+  var script = 'if header :is "From" "alerts@example.com" { redirect "ops@example.com"; }\r\n';
+  var rv = b.mail.sieve.runScript(script, {
+    headers: [{ name: "From", value: "alerts@example.com" }],
+  });
+  check("redirect captures address",
+    rv.actions[0].kind === "redirect" && rv.actions[0].address === "ops@example.com");
+}
+
+function testStop() {
+  var script =
+    'if header :is "From" "ignore@x.com" { stop; }\r\n' +
+    'keep;\r\n';
+  var rv = b.mail.sieve.runScript(script, {
+    headers: [{ name: "From", value: "ignore@x.com" }],
+  });
+  check("stop halts further commands → implicit keep applies (no explicit keep ran)",
+    rv.stopped === true);
+}
+
+function testGasExhaustion() {
+  // Wide allof to consume gas without nesting.
+  var subs = []; for (var i = 0; i < 20; i++) subs.push("true");
+  var script = "if allof(" + subs.join(", ") + ") { keep; }\r\n";
+  var threw = null;
+  try { b.mail.sieve.runScript(script, {}, { maxGas: 3 }); } catch (e) { threw = e; }
+  check("gas exhaustion throws",
+    threw && threw.code === "mail-sieve/gas-exhausted");
+}
+
+function testBadAst() {
+  var threw = null;
+  try { b.mail.sieve.run({ notAnAst: true }, {}); } catch (e) { threw = e; }
+  check("non-script ast refused",
+    threw && threw.code === "mail-sieve/bad-ast");
+}
+
+function testCreateHandle() {
+  var sieve = b.mail.sieve.create({ maxGas: 100 });
+  var rv = sieve.runScript('require ["fileinto"];\r\nfileinto "Test";\r\n', { headers: [] });
+  check("handle runScript returns action",
+    rv.actions[0].kind === "fileinto" && rv.actions[0].folder === "Test");
+  var v = sieve.validateScript('require ["nonsense"];\nkeep;\n');
+  check("handle validateScript surfaces unknown cap",
+    !v.ok && v.issues[0].ruleId === "safe-sieve/unknown-capability");
+}
+
+function run() {
+  testSurface();
+  testImplicitKeep();
+  testFileinto();
+  testAddressDomain();
+  testEnvelope();
+  testSize();
+  testWildcardMatches();
+  testAnyofAllof();
+  testRedirect();
+  testStop();
+  testGasExhaustion();
+  testBadAst();
+  testCreateHandle();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  try { run(); console.log("[mail-sieve] OK"); }
+  catch (e) { process.stderr.write("FAIL: " + (e && e.stack || e) + "\n"); process.exit(1); }
+}

package/lib/vendor/blamejs/test/layer-0-primitives/mail-spam-score.test.js

@@ -0,0 +1,204 @@
+"use strict";
+/**
+ * b.mail.spamScore — operator-supplied spam-scorer facade.
+ */
+
+var helpers = require("../helpers");
+var check   = helpers.check;
+var mailSpamScore = require("../../lib/mail-spam-score");
+
+function _fakeAudit() {
+  var emitted = [];
+  return {
+    emitted: emitted,
+    safeEmit: function (rec) { emitted.push(rec); },
+  };
+}
+
+function _scorer(score, reasons) {
+  return function (_ctx) {
+    return Promise.resolve({ score: score, reasons: reasons || [] });
+  };
+}
+
+function testSurface() {
+  check("create is fn",                   typeof mailSpamScore.create === "function");
+  check("compliancePosture is fn",        typeof mailSpamScore.compliancePosture === "function");
+  check("MailSpamScoreError is fn",       typeof mailSpamScore.MailSpamScoreError === "function");
+  check("PROFILES.strict threshold 5.0",  mailSpamScore.PROFILES.strict.threshold === 5.0);
+  check("PROFILES.balanced threshold 7.5", mailSpamScore.PROFILES.balanced.threshold === 7.5);
+  check("PROFILES.permissive threshold 10.0",
+    mailSpamScore.PROFILES.permissive.threshold === 10.0);
+  check("posture hipaa → strict", mailSpamScore.compliancePosture("hipaa") === "strict");
+}
+
+function expectThrow(label, fn, expectedCodePrefix) {
+  var threw = null;
+  try { fn(); } catch (e) { threw = e; }
+  check(label, threw && typeof threw.code === "string" &&
+    threw.code.indexOf(expectedCodePrefix) === 0);
+}
+
+function testRefuseMissingScorer() {
+  expectThrow("refuses missing scorer",
+    function () { mailSpamScore.create({}); },
+    "mail-spam-score/bad-scorer");
+}
+
+function testRefuseBadScorerType() {
+  expectThrow("refuses scorer not-a-fn",
+    function () { mailSpamScore.create({ scorer: "not-a-fn" }); },
+    "mail-spam-score/bad-scorer");
+}
+
+function testRefuseBadProfile() {
+  expectThrow("refuses unknown profile",
+    function () { mailSpamScore.create({ scorer: _scorer(0), profile: "loose" }); },
+    "mail-spam-score/bad-profile");
+}
+
+function testRefuseBadThreshold() {
+  expectThrow("refuses non-finite threshold",
+    function () { mailSpamScore.create({ scorer: _scorer(0), threshold: Infinity }); },
+    "mail-spam-score/bad-threshold");
+  expectThrow("refuses NaN threshold",
+    function () { mailSpamScore.create({ scorer: _scorer(0), threshold: NaN }); },
+    "mail-spam-score/bad-threshold");
+  expectThrow("refuses string threshold",
+    function () { mailSpamScore.create({ scorer: _scorer(0), threshold: "5" }); },
+    "mail-spam-score/bad-threshold");
+}
+
+function testRefuseUnknownOpt() {
+  var threw = null;
+  try { mailSpamScore.create({ scorer: _scorer(0), bogus: 1 }); }
+  catch (e) { threw = e; }
+  check("refuses unknown opt", threw && /unknown option/i.test(threw.message || ""));
+}
+
+function testHandleSurface() {
+  var h = mailSpamScore.create({ scorer: _scorer(0) });
+  check("handle.score is fn",       typeof h.score === "function");
+  check("handle.threshold 5.0",     h.threshold === 5.0);
+  check("handle.profile strict",    h.profile === "strict");
+}
+
+async function testScoreBelowThresholdAccepts() {
+  var audit = _fakeAudit();
+  var h = mailSpamScore.create({ scorer: _scorer(3.2, ["BAYES_50"]), audit: audit });
+  var rv = await h.score({ rawBytes: Buffer.from("body") });
+  check("score 3.2 below 5.0 → accept", rv.verdict === "accept");
+  check("score value preserved",         rv.score === 3.2);
+  check("reasons preserved",             rv.reasons[0] === "BAYES_50");
+  var seen = audit.emitted.map(function (e) { return e.action; });
+  check("audit emitted mail.spam_score.score",
+    seen.indexOf("mail.spam_score.score") !== -1);
+  check("audit emitted mail.spam_score.accept",
+    seen.indexOf("mail.spam_score.accept") !== -1);
+}
+
+async function testScoreEqualsThresholdScoreTags() {
+  // strict threshold = 5.0; exact match should be "score-tag" verdict.
+  var audit = _fakeAudit();
+  var h = mailSpamScore.create({ scorer: _scorer(5.0, ["EXACT_MATCH"]), audit: audit });
+  var rv = await h.score({ rawBytes: Buffer.from("body") });
+  check("score === threshold → score-tag",  rv.verdict === "score-tag");
+  var seen = audit.emitted.map(function (e) { return e.action; });
+  check("audit emitted mail.spam_score.score_tag",
+    seen.indexOf("mail.spam_score.score_tag") !== -1);
+}
+
+async function testScoreAboveThresholdRefuses() {
+  var audit = _fakeAudit();
+  var h = mailSpamScore.create({ scorer: _scorer(8.7, ["BAYES_99", "URIBL_RED"]), audit: audit });
+  var rv = await h.score({ rawBytes: Buffer.from("body") });
+  check("score 8.7 above 5.0 → refuse", rv.verdict === "refuse");
+  var seen = audit.emitted.map(function (e) { return e.action; });
+  check("audit emitted mail.spam_score.refuse",
+    seen.indexOf("mail.spam_score.refuse") !== -1);
+}
+
+async function testScorerReturnsNanScoreRefused() {
+  var h = mailSpamScore.create({ scorer: _scorer(NaN) });
+  var threw = null;
+  try { await h.score({ rawBytes: Buffer.from("body") }); } catch (e) { threw = e; }
+  check("scorer NaN score → refused", threw && threw.code === "mail-spam-score/bad-score");
+}
+
+async function testScorerThrowsBubblesError() {
+  var audit = _fakeAudit();
+  var h = mailSpamScore.create({
+    scorer: function () { throw new Error("scorer down"); },
+    audit:  audit,
+  });
+  var threw = null;
+  try { await h.score({ rawBytes: Buffer.from("body") }); } catch (e) { threw = e; }
+  check("scorer throw → wrapped as mail-spam-score/scorer-threw",
+    threw && threw.code === "mail-spam-score/scorer-threw");
+  var seen = audit.emitted.map(function (e) { return e.action; });
+  check("audit emitted mail.spam_score.error",
+    seen.indexOf("mail.spam_score.error") !== -1);
+}
+
+async function testRefuseControlByteInReason() {
+  // Compromised scorer tries to smuggle CRLF into a reason tag.
+  var h = mailSpamScore.create({ scorer: _scorer(3.0, ["GOOD\r\nX-Inject: bad"]) });
+  var threw = null;
+  try { await h.score({ rawBytes: Buffer.from("body") }); } catch (e) { threw = e; }
+  check("CRLF in reason refused",
+    threw && threw.code === "mail-spam-score/control-byte");
+}
+
+async function testRefuseOversizeReason() {
+  var huge = new Array(300).join("X");                                                             // 299 chars > 256-byte cap
+  var h = mailSpamScore.create({ scorer: _scorer(3.0, [huge]) });
+  var threw = null;
+  try { await h.score({ rawBytes: Buffer.from("body") }); } catch (e) { threw = e; }
+  check("oversize reason refused",
+    threw && threw.code === "mail-spam-score/oversize-reason");
+}
+
+async function testRefuseTooManyReasons() {
+  var many = [];
+  for (var i = 0; i < 50; i += 1) many.push("R" + i);
+  var h = mailSpamScore.create({ scorer: _scorer(3.0, many) });
+  var threw = null;
+  try { await h.score({ rawBytes: Buffer.from("body") }); } catch (e) { threw = e; }
+  check("too-many reasons refused",
+    threw && threw.code === "mail-spam-score/too-many-reasons");
+}
+
+async function testCustomThresholdHonored() {
+  var h = mailSpamScore.create({ scorer: _scorer(3.0), threshold: 1.5 });
+  var rv = await h.score({ rawBytes: Buffer.from("body") });
+  check("score 3.0 above custom 1.5 → refuse", rv.verdict === "refuse");
+  check("handle.threshold reflects custom",     h.threshold === 1.5);
+}
+
+function run() {
+  testSurface();
+  testRefuseMissingScorer();
+  testRefuseBadScorerType();
+  testRefuseBadProfile();
+  testRefuseBadThreshold();
+  testRefuseUnknownOpt();
+  testHandleSurface();
+
+  return Promise.resolve()
+    .then(testScoreBelowThresholdAccepts)
+    .then(testScoreEqualsThresholdScoreTags)
+    .then(testScoreAboveThresholdRefuses)
+    .then(testScorerReturnsNanScoreRefused)
+    .then(testScorerThrowsBubblesError)
+    .then(testRefuseControlByteInReason)
+    .then(testRefuseOversizeReason)
+    .then(testRefuseTooManyReasons)
+    .then(testCustomThresholdHonored);
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(function () { console.log("[mail-spam-score] OK"); },
+    function (e) { process.stderr.write("FAIL: " + (e && e.stack || e) + "\n"); process.exit(1); });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/mail-srs.test.js

@@ -0,0 +1,152 @@
+"use strict";
+/**
+ * b.mail.srs — Sender Rewriting Scheme (SRS0).
+ */
+
+var helpers = require("../helpers");
+var b       = helpers.b;
+var check   = helpers.check;
+
+function _newSrs(opts) {
+  return b.mail.srs.create(Object.assign({
+    secret:          b.crypto.generateToken(32),
+    forwarderDomain: "forwarder.example",
+  }, opts || {}));
+}
+
+function testSurface() {
+  check("mail.srs.create is fn", typeof b.mail.srs.create === "function");
+  check("mail.srs.SrsError is a constructor",
+        typeof b.mail.srs.SrsError === "function");
+}
+
+function testRoundTrip() {
+  var srs = _newSrs();
+  var rw = srs.rewrite("alice@bob.com");
+  check("rewrite: starts with SRS0=", rw.startsWith("SRS0="));
+  check("rewrite: ends with @forwarder.example",
+        rw.endsWith("@forwarder.example"));
+  check("reverse: round-trip recovers original",
+        srs.reverse(rw) === "alice@bob.com");
+}
+
+function testTagTampering() {
+  var srs = _newSrs();
+  var rw = srs.rewrite("alice@bob.com");
+  // Tamper the 4-char tag immediately after "SRS0=" — flip a char.
+  var tampered = "SRS0=ZZZZ=" + rw.slice(10);
+  var threw = null;
+  try { srs.reverse(tampered); } catch (e) { threw = e; }
+  check("reverse: tampered tag refused",
+        threw && /srs\/bad-tag/.test(threw.code || ""));
+}
+
+function testSecretDivergence() {
+  var srs1 = _newSrs();
+  var srs2 = _newSrs();  // different secret
+  var rw = srs1.rewrite("alice@bob.com");
+  var threw = null;
+  try { srs2.reverse(rw); } catch (e) { threw = e; }
+  check("reverse: different secret refuses",
+        threw && /srs\/bad-tag/.test(threw.code || ""));
+}
+
+function testExpiry() {
+  var srs = b.mail.srs.create({
+    secret:          b.crypto.generateToken(32),
+    forwarderDomain: "forwarder.example",
+    expiryDays:      30,
+  });
+  var pastMs = Date.now() - (40 * 86400000);                                                       // 40 days ago
+  var rw = srs.rewrite("alice@bob.com", pastMs);
+  var threw = null;
+  try { srs.reverse(rw); } catch (e) { threw = e; }
+  check("reverse: rewrites older than expiry refused",
+        threw && /srs\/expired/.test(threw.code || ""));
+}
+
+function testBadShape() {
+  function expectCode(label, fn, code) {
+    var threw = null;
+    try { fn(); } catch (e) { threw = e; }
+    check(label, threw && (threw.code || "").indexOf(code) !== -1);
+  }
+  expectCode("create: missing opts",
+             function () { b.mail.srs.create(); }, "srs/bad-opts");
+  expectCode("create: short secret",
+             function () { b.mail.srs.create({ secret: "abc", forwarderDomain: "x.com" }); }, "srs/bad-secret");
+  expectCode("create: bad expiryDays",
+             function () { b.mail.srs.create({ secret: b.crypto.generateToken(32), forwarderDomain: "x.com", expiryDays: 0 }); }, "srs/bad-expiry");
+
+  var srs = _newSrs();
+  expectCode("rewrite: empty address",
+             function () { srs.rewrite(""); }, "srs/bad-address");
+  expectCode("rewrite: no @",
+             function () { srs.rewrite("notanemail"); }, "srs/bad-address");
+  expectCode("rewrite: already SRS-encoded",
+             function () { srs.rewrite("SRS0=abc=de=bob.com=alice@forwarder.example"); }, "srs/already-rewritten");
+  expectCode("reverse: not SRS0",
+             function () { srs.reverse("plain@example.com"); }, "srs/not-srs0");
+  expectCode("reverse: malformed",
+             function () { srs.reverse("SRS0=abc@forwarder.example"); }, "srs/malformed");
+}
+
+function testForwarderDomainBinding() {
+  // create({ forwarderDomain }) binds the rewriter to a specific
+  // forwarder. reverse() must refuse bounces addressed to a
+  // DIFFERENT domain even when the SRS0 local-part is otherwise
+  // signed by the same secret — otherwise multi-domain handlers
+  // can mis-deliver bounces.
+  var secret = b.crypto.generateToken(32);
+  var srs1 = b.mail.srs.create({ secret: secret, forwarderDomain: "fwd1.example" });
+  var srs2 = b.mail.srs.create({ secret: secret, forwarderDomain: "fwd2.example" });
+
+  var rw1 = srs1.rewrite("alice@bob.com");
+  check("rewrite: ends with bound forwarder domain",
+        rw1.endsWith("@fwd1.example"));
+
+  // Use the same secret on srs2 — same HMAC tag verifies.
+  var threw = null;
+  try { srs2.reverse(rw1); } catch (e) { threw = e; }
+  check("reverse: bounce addressed to wrong forwarder refused",
+        threw && /srs\/wrong-forwarder/.test(threw.code || ""));
+
+  // Same forwarder, different case — RFC 5321 §2.3.5 says domains
+  // are case-insensitive, so reverse() must accept the bounce.
+  var srsUpper = b.mail.srs.create({ secret: secret, forwarderDomain: "FWD1.example" });
+  check("reverse: case-insensitive domain match",
+        srsUpper.reverse(rw1) === "alice@bob.com");
+
+  // Empty local-part / no domain refused.
+  var threw2 = null;
+  try { srs1.reverse("SRS0=abc=de=bob.com=alice@"); } catch (e) { threw2 = e; }
+  check("reverse: empty domain refused",
+        threw2 && /srs\/bad-address/.test(threw2.code || ""));
+}
+
+function testLocalPartWithEquals() {
+  // Some local-parts can contain "=" in RFC 5321; SRS reverse should
+  // recover the full original local-part by re-joining slice(3).
+  var srs = _newSrs();
+  var rw = srs.rewrite("foo=bar@bob.com");
+  check("reverse: local-part with '=' survives round-trip",
+        srs.reverse(rw) === "foo=bar@bob.com");
+}
+
+async function run() {
+  testSurface();
+  testRoundTrip();
+  testTagTampering();
+  testSecretDivergence();
+  testExpiry();
+  testBadShape();
+  testForwarderDomainBinding();
+  testLocalPartWithEquals();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(function () { console.log("OK"); })
+       .catch(function (e) { console.error(e); process.exit(1); });
+}