@blamejs/core 0.10.11 → 0.10.13

package/lib/daemon.js

@@ -237,13 +237,37 @@ function start(opts) {
       throw new DaemonError("daemon/already-running",
         "daemon.start: pidFile '" + pidFile + "' held by live PID " + existingLive);
     }
-    var logFd = logFile ? _openLogFd(logFile) : "ignore";
+    // Detached-stdio strategy diverges by platform:
+    //
+    //   POSIX: inherit the parent's open log FD via stdio so the child
+    //   writes to the operator's log file without re-opening it. POSIX
+    //   keeps the FD alive across the parent's exit; the child sees it
+    //   as fd 1 / 2 and writes normally.
+    //
+    //   Windows: passing a parent-opened FD through stdio causes the
+    //   child to die the moment the parent's handle is closed (the OS
+    //   ref-counts file handles per-process and the inherited handle
+    //   becomes invalid on parent exit). The Windows-safe pattern is
+    //   `stdio: "ignore"` + `windowsHide: true` so the child has no
+    //   inherited handles to lose, and the operator's child code opens
+    //   the log file itself once its logger initialises. The child is
+    //   responsible for `--log` parsing on Windows — pass it via
+    //   `opts.args` and let the application code handle the open.
+    var isWindows = process.platform === "win32";
+    var logFd = (!isWindows && logFile) ? _openLogFd(logFile) : null;
+    var spawnStdio;
+    if (isWindows || logFd === null) {
+      spawnStdio = "ignore";
+    } else {
+      spawnStdio = ["ignore", logFd, logFd];
+    }
     var child;
     try {
       child = processSpawn.spawn(opts.command, opts.args || [], {
-        detached: true,
-        stdio:    ["ignore", logFd, logFd],
-        cwd:      typeof opts.cwd === "string" ? opts.cwd : undefined,
+        detached:    true,
+        stdio:       spawnStdio,
+        cwd:         typeof opts.cwd === "string" ? opts.cwd : undefined,
+        windowsHide: isWindows ? true : undefined,
       });
     } catch (e) {
       try { if (typeof logFd === "number") nodeFs.closeSync(logFd); }
@@ -267,6 +291,7 @@ function start(opts) {
       logFile:     logFile,
       commandKind: "detached-fork",
       pid:         child.pid,
+      stdioMode:   isWindows ? "ignore-windows" : (logFd === null ? "ignore" : "inherit-logfd"),
     });
     log("daemon started (detached) pid=" + child.pid + " pidFile=" + pidFile);
     return { pid: child.pid, pidFile: pidFile, logFile: logFile, mode: "detached" };

package/lib/mail-crypto-pgp.js

@@ -60,15 +60,16 @@
  *   Deferred from v1 (each with the documented condition for opting in):
  *     - In-process encrypt + decrypt (Message Encrypted Session Key +
  *       Symmetrically Encrypted Integrity Protected Data packets,
- *       RFC 9580 §5.1 / §5.13). Defer condition: no operator demand
- *       surfaced for in-process encrypt-to-recipient yet. Operators
- *       wanting at-rest encrypted mail blobs compose `b.vault` +
- *       `b.cryptoField`; operators wanting wire-level encrypt-to-
- *       recipient with WKD key discovery wait for v0.9.59 once
- *       `b.publicSuffix` + WKD lookup are confirmed. Cheap escape
- *       hatch: operators wire a third-party OpenPGP library in their
- *       own consumer code and call sign() / verify() on the resulting
- *       cleartext blob.
+ *       RFC 9580 §5.1 / §5.13) and WKD key discovery (draft-koch-
+ *       openpgp-webkey-service). Defer condition: ships in v0.10.14
+ *       alongside `b.mail.crypto.smime` sign + verify — the CMS
+ *       substrate `b.cms` landed in v0.10.13 unblocked the S/MIME
+ *       side, and OpenPGP encrypt rides the same release so the
+ *       mail-crypto surface lights up coherently rather than half-
+ *       on-each-side across two patches. Cheap escape hatch (pre-
+ *       v0.10.14): operators wire a third-party OpenPGP library in
+ *       their own consumer code and call this module's sign() /
+ *       verify() on the resulting cleartext blob.
  *     - v6 signature packets (RFC 9580 §5.2.3, packet version 6 with
  *       SHA2-512 fingerprints and salted hashes). Defer condition: v6
  *       is not yet emitted by GnuPG 2.4 LTS or by Sequoia stable, so

package/lib/mail-crypto-smime.js

@@ -64,38 +64,22 @@
  *     packet decoder shipped in `b.mail.crypto.pgp` — but with
  *     dramatically more shape variation across implementations.
  *
- *     Defer condition: no operator demand has surfaced for in-process
- *     S/MIME verification; operators receiving S/MIME-signed mail
- *     today either (a) trust the gateway's authentication-results
- *     header (composed via `b.mail.authResults`) and treat S/MIME as
- *     a downstream concern, or (b) run S/MIME verification in their
- *     own consumer code with a vetted CMS library. Reopen this
- *     surface when ALL of the following hold:
- *       1. At least one operator surfaces concrete demand for
- *          in-process S/MIME verify (use case + sample message
- *          shape).
- *       2. A vendorable ASN.1 BER/DER decoder lands in `lib/vendor/`
- *          under the framework's vendoring discipline (MANIFEST.json
- *          + sha256 pin + no transitive deps), OR an operator
- *          provides a tested decoder we can fold in directly.
- *       3. RFC 8551 §2.5 + RFC 5652 §11 conformance test vectors are
- *          available to drive the implementation. (NIST PKITS-style
- *          test vectors exist for X.509 chain validation; equivalent
- *          coverage for CMS SignedData is sparser.)
+ *     Reopen condition: the in-tree CMS substrate (`b.cms`) shipped
+ *     in v0.10.13 — the RFC 5652 SignedData encode + decode + PQC
+ *     signer dispatch is now available. The S/MIME wire layer
+ *     (multipart/signed framing, micalg mapping, base64 DER body,
+ *     Content-Type parameters) lights up on top of `b.cms` in
+ *     v0.10.14 alongside `b.mail.crypto.pgp` encrypt + decrypt + WKD
+ *     discovery, so operators get the full mail-crypto surface in a
+ *     single release rather than half of each side.
  *
- *     Cheap escape hatch: operators wire `node-forge` / `pkijs` /
- *     openssl(1) (via child_process) in their own consumer code,
- *     extract the signed payload + signature components, and compose
- *     with `b.mail.authResults` to record the verification outcome
- *     for downstream policy. The S/MIME wire-format constants
- *     (Content-Type protocol parameter, micalg mapping, base64 DER
- *     framing) are stable and operator-side code interoperates with
- *     any inbound S/MIME-signed message regardless of this module's
- *     state.
- *
- *     v2 reopen tag: the next minor (v0.9.60+) once the conditions
- *     above are met. The deferred surface lights up sign+verify
- *     together so operators never see a half-implementation.
+ *     Cheap escape hatch (pre-v0.10.14): operators wanting in-process
+ *     S/MIME today compose `b.cms.encodeSignedData` directly with a
+ *     hand-written multipart/signed wrapper. The MIME framing is two
+ *     parts (the signed content + `application/pkcs7-signature` body
+ *     carrying the base64-encoded CMS DER from `b.cms`); the helper
+ *     in v0.10.14 collapses that into `b.mail.crypto.smime.sign({ ... })`
+ *     so the next-release path is additive, not a rewrite.
  *
  * RFC citations:
  *   - RFC 8551 (S/MIME 4.0 Message Specification, April 2019;

package/lib/mail-server-imap.js

@@ -582,6 +582,14 @@ function create(opts) {
       protocol:        "imap",
       defaults:        defaults,
       overrides:       opts.overrides || {},
+      // b.agent.tenant adoption (v0.10.12). Operators wiring multi-
+      // tenant IMAP deployments pass `tenantScope` from
+      // `b.agent.tenant.create({...})` plus the per-listener tenant id.
+      // The registry then gates every dispatch on
+      // `tenantScope.check(state.actor, agentTenantId)` before guard
+      // validation or audit emission.
+      tenantScope:     opts.tenantScope    || null,
+      agentTenantId:   opts.agentTenantId  || null,
       notFoundHandler: function (verb, _state, socket, parsed) {
         return _writeTagged(socket, parsed.tag,
           "BAD Verb '" + verb + "' not implemented in v1");

package/lib/mail-server-jmap.js

@@ -220,9 +220,15 @@ function create(opts) {
     };
   }
   var registry = mailServerRegistry.create({
-    protocol:  "jmap",
-    defaults:  defaults,
-    overrides: opts.overrides || {},
+    protocol:      "jmap",
+    defaults:      defaults,
+    overrides:     opts.overrides || {},
+    // b.agent.tenant adoption (v0.10.12). When `opts.tenantScope` is
+    // supplied, every method dispatch first gates on
+    // `tenantScope.check(state.actor, agentTenantId)` — JMAP's
+    // accountId scoping continues to apply inside operator handlers.
+    tenantScope:   opts.tenantScope   || null,
+    agentTenantId: opts.agentTenantId || null,
   });
   var sessionState = bCrypto.generateToken(16);                                                       // allow:raw-byte-literal — opaque session-state token length
 

package/lib/mail-server-managesieve.js

@@ -446,6 +446,10 @@ function create(opts) {
       protocol:        "managesieve",
       defaults:        defaults,
       overrides:       opts.overrides || {},
+      // b.agent.tenant adoption (v0.10.12) — see imap factory for the
+      // shape.
+      tenantScope:     opts.tenantScope    || null,
+      agentTenantId:   opts.agentTenantId  || null,
       notFoundHandler: function (verb, _state, socket) {
         return _writeNo(socket, "Unknown verb '" + verb + "'");
       },

package/lib/mail-server-pop3.js

@@ -196,6 +196,38 @@ function create(opts) {
   var profile         = opts.profile         || "strict";
   var authConfig      = opts.auth            || null;
   var mailStore       = opts.mailStore;
+  // b.agent.tenant adoption (v0.10.12) — cross-tenant authentication
+  // is refused at the AUTH-success boundary BEFORE the listener
+  // accepts the actor into transaction state. The scope's `.check`
+  // method is validated at create() time so a malformed scope object
+  // surfaces as a configuration error rather than rejecting every
+  // otherwise-valid auth as "cross-tenant".
+  var tenantScope     = opts.tenantScope     || null;
+  var agentTenantId   = opts.agentTenantId   || null;
+  if (tenantScope && typeof tenantScope.check !== "function") {
+    throw new MailServerPop3Error("mail-server-pop3/bad-tenant-scope",
+      "create: opts.tenantScope must be a b.agent.tenant.create() instance " +
+      "(missing .check); a malformed scope would refuse every auth as cross-tenant");
+  }
+  if (tenantScope && !agentTenantId) {
+    throw new MailServerPop3Error("mail-server-pop3/no-agent-tenant-id",
+      "create: opts.tenantScope requires opts.agentTenantId");
+  }
+
+  function _assertTenantOrRefuse(state, socket, result) {
+    if (!tenantScope || !agentTenantId) return true;
+    try { tenantScope.check(result.actor, agentTenantId); return true; }
+    catch (tenantErr) {
+      _emit("mail.server.pop3.cross_tenant_refused",
+        { connectionId: state.id,
+          actorTenant:  (result.actor && result.actor.tenantId) || null,
+          agentTenant:  agentTenantId,
+          code:         (tenantErr && tenantErr.code) || null },
+        "denied");
+      _writeErr(socket, "Authentication rejected (cross-tenant)");
+      return false;
+    }
+  }
 
   var rateLimit;
   if (opts.rateLimit === false) {
@@ -467,6 +499,7 @@ function create(opts) {
       })
       .then(function (result) {
         if (result && result.ok && result.actor) {
+          if (!_assertTenantOrRefuse(state, socket, result)) return;
           state.actor = result.actor;
           _enterTransaction(state, socket, "PASS");
           return;
@@ -527,6 +560,7 @@ function create(opts) {
       })
       .then(function (result) {
         if (result && result.ok && result.actor) {
+          if (!_assertTenantOrRefuse(state, socket, result)) return;
           state.actor = result.actor;
           _enterTransaction(state, socket, "APOP");
           return;
@@ -595,6 +629,7 @@ function create(opts) {
       })
       .then(function (result) {
         if (result && result.ok && result.actor) {
+          if (!_assertTenantOrRefuse(state, socket, result)) return;
           state.actor = result.actor;
           _enterTransaction(state, socket, "AUTH/" + mech);
           return;

package/lib/mail-server-registry.js

@@ -131,6 +131,27 @@ function create(opts) {
     throw new MailServerRegistryError("mail-server-registry/unknown-protocol",
       "create: protocol must be 'imap', 'jmap', or 'managesieve' (got '" + opts.protocol + "')");
   }
+  // Tenant scope (v0.10.12 — b.agent.tenant adoption).
+  // When `opts.tenantScope` is supplied alongside `opts.agentTenantId`,
+  // every dispatch first gates on `tenantScope.check(actor,
+  // agentTenantId)`. Actor without matching tenantId surfaces as a
+  // typed `agent-tenant/cross-tenant-access-refused` per the v0.9.25
+  // contract — the listener's catch path converts that into the
+  // protocol's `BAD AUTH` / `NO not authorized` reply.
+  //
+  // Optional: when omitted, dispatch behaves identically to v0.10.11
+  // (no per-tenant gate; operators that don't run multi-tenant don't
+  // pay the check cost).
+  var tenantScope    = opts.tenantScope    || null;
+  var agentTenantId  = opts.agentTenantId  || null;
+  if (tenantScope && typeof tenantScope.check !== "function") {
+    throw new MailServerRegistryError("mail-server-registry/bad-tenant-scope",
+      "create: opts.tenantScope must be a b.agent.tenant.create() instance (missing .check)");
+  }
+  if (tenantScope && !agentTenantId) {
+    throw new MailServerRegistryError("mail-server-registry/no-agent-tenant-id",
+      "create: opts.tenantScope requires opts.agentTenantId (the tenant this listener serves)");
+  }
   var catalogue = CATALOGUE[opts.protocol];
   var entries = Object.create(null);
 
@@ -251,6 +272,30 @@ function create(opts) {
    */
   function dispatch(name) {
     var argsArr = Array.prototype.slice.call(arguments, 1);
+    // Tenant scope check — pre-dispatch, pre-guard, pre-audit.
+    //
+    // Two argument shapes occur across the three listeners:
+    //   - IMAP / ManageSieve dispatch with `(state, socket, parsed)` —
+    //     state.actor is the actor.
+    //   - JMAP dispatches with `(actor, resolvedArgs, ctx)` — the
+    //     first argument IS the actor object directly.
+    //
+    // Detect both shapes: if argsArr[0].actor exists, use it; else if
+    // argsArr[0] itself carries a `tenantId` field, treat it as the
+    // actor. The dispatch shapes are documented at the listener
+    // factory layer; the registry's job here is uniform enforcement.
+    if (tenantScope && argsArr.length > 0 && argsArr[0]) {
+      var actor = argsArr[0].actor ||
+                  (typeof argsArr[0] === "object" && argsArr[0] !== null &&
+                   Object.prototype.hasOwnProperty.call(argsArr[0], "tenantId")
+                     ? argsArr[0] : null);
+      if (actor) {
+        // tenantScope.check throws AgentTenantError on cross-tenant;
+        // we let the typed error propagate so the listener's
+        // catch-path converts it to the protocol's refusal reply.
+        tenantScope.check(actor, agentTenantId);
+      }
+    }
     var entry = entries[name];
     if (!entry) {
       if (typeof opts.notFoundHandler === "function") {

package/lib/mail-server-submission.js

@@ -266,6 +266,18 @@ function create(opts) {
     throw new MailServerSubmissionError("mail-server-submission/no-tls-context",
       "mail.server.submission.create: tlsContext is required");
   }
+  // b.agent.tenant shape validation at create() time — a malformed
+  // scope object would refuse every auth as cross-tenant, masking the
+  // configuration error as an auth outage.
+  if (opts.tenantScope && typeof opts.tenantScope.check !== "function") {
+    throw new MailServerSubmissionError("mail-server-submission/bad-tenant-scope",
+      "create: opts.tenantScope must be a b.agent.tenant.create() instance " +
+      "(missing .check); a malformed scope would refuse every auth as cross-tenant");
+  }
+  if (opts.tenantScope && !opts.agentTenantId) {
+    throw new MailServerSubmissionError("mail-server-submission/no-agent-tenant-id",
+      "create: opts.tenantScope requires opts.agentTenantId");
+  }
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
     ["maxLineBytes", "maxMessageBytes", "maxRcptsPerMessage", "idleTimeoutMs"],
     "mail.server.submission.", MailServerSubmissionError, "mail-server-submission/bad-bound");
@@ -742,6 +754,27 @@ function create(opts) {
             // successful verify, not whatever state.authPending happens
             // to be at the post-null read (which is always null).
             var successfulMechanism = state.authPending && state.authPending.mechanism;
+            // b.agent.tenant gate (v0.10.12). When the listener is
+            // wired with `opts.tenantScope` + `opts.agentTenantId`,
+            // every authenticated actor must belong to the listener's
+            // tenant. Cross-tenant authentication surfaces here as a
+            // `535 5.7.0` refusal — the actor never reaches authenticated
+            // state, mail submission never begins under the wrong tenant.
+            if (opts.tenantScope && opts.agentTenantId) {
+              try { opts.tenantScope.check(result.actor, opts.agentTenantId); }
+              catch (tenantErr) {
+                state.authPending = null;
+                _emit("mail.server.submission.cross_tenant_refused",
+                  { connectionId: state.id,
+                    actorTenant:  (result.actor && result.actor.tenantId) || null,
+                    agentTenant:  opts.agentTenantId,
+                    code:         (tenantErr && tenantErr.code) || null },
+                  "denied");
+                _writeReply(socket, REPLY_535_AUTH_FAILED,
+                  "5.7.0 Authentication rejected (cross-tenant)");
+                return;
+              }
+            }
             state.authenticated = true;
             state.actor         = result.actor;
             state.authPending   = null;

package/lib/metrics.js

@@ -783,23 +783,66 @@ function _resetForTest() {
  *   path:        string,    // absolute path to write the snapshot
  *   intervalMs:  number,    // milliseconds between flushes (>=100)
  *   fields:      Function,  // returns an object — written as JSON
+ *   registry:    object,    // optional `b.metrics.create()` handle — adds a
+ *                           //   structured `metrics` field carrying every
+ *                           //   registered counter / gauge / histogram (incl.
+ *                           //   bucket counts) so sidecar readers compose
+ *                           //   histogram_quantile() against the snapshot
  *   fileMode:    number,    // POSIX mode (default 0o640 — owner rw, group r)
  *
  * @example
+ *   var registry = b.metrics.create();
+ *   var latency  = registry.histogram("op_latency_seconds", { buckets: [0.01, 0.1, 1] });
  *   var stop = b.metrics.snapshot.startWriter({
  *     path:       "/run/blamejs/metrics.json",
  *     intervalMs: 5000,
- *     fields:     function () {
- *       return {
- *         uptimeMs:    process.uptime() * 1000,
- *         queueDepth:  myQueue.size,
- *         lastSyncAt:  lastSyncAt,
- *       };
- *     },
+ *     registry:   registry,
+ *     fields:     function () { return { uptimeMs: process.uptime() * 1000 }; },
  *   });
- *   // ... on SIGTERM:
+ *   // Snapshot file: { writtenAt, fields, metrics: { op_latency_seconds: { type, buckets, observations: [{ labels, counts, sum, count }] } } }
  *   stop();
  */
+function _serializeRegistry(registry) {
+  // Walk every registered metric in the registry.metrics Map and emit
+  // a JSON-friendly structured shape. Histograms get full buckets +
+  // bucket counts so downstream consumers compose
+  // `histogram_quantile()` against the snapshot without a separate
+  // exposition endpoint (issue #100).
+  var out = {};
+  var names = registry.metrics instanceof Map
+    ? Array.from(registry.metrics.keys()).sort()
+    : Object.keys(registry.metrics).sort();
+  for (var i = 0; i < names.length; i += 1) {
+    var name = names[i];
+    var m = registry.metrics instanceof Map ? registry.metrics.get(name) : registry.metrics[name];
+    if (!m) continue;
+    var entry = { type: m.type, help: m.help || "", labelNames: m.labelNames || [] };
+    if (m.type === "histogram") {
+      entry.buckets = m.buckets.slice();
+      entry.observations = [];
+      var hKeys = m.values instanceof Map ? Array.from(m.values.keys()).sort() : Object.keys(m.values).sort();
+      for (var hi = 0; hi < hKeys.length; hi += 1) {
+        var hv = m.values instanceof Map ? m.values.get(hKeys[hi]) : m.values[hKeys[hi]];
+        entry.observations.push({
+          labels: hv.labels,
+          counts: hv.counts.slice(),
+          sum:    hv.sum,
+          count:  hv.count,
+        });
+      }
+    } else {
+      entry.observations = [];
+      var vKeys = m.values instanceof Map ? Array.from(m.values.keys()).sort() : Object.keys(m.values).sort();
+      for (var vi = 0; vi < vKeys.length; vi += 1) {
+        var vv = m.values instanceof Map ? m.values.get(vKeys[vi]) : m.values[vKeys[vi]];
+        entry.observations.push({ labels: vv.labels, value: vv.value });
+      }
+    }
+    out[name] = entry;
+  }
+  return out;
+}
+
 function snapshotStartWriter(opts) {
   opts = opts || {};
   validateOpts.requireNonEmptyString(opts.path,
@@ -813,8 +856,21 @@ function snapshotStartWriter(opts) {
     throw new MetricsError("metrics-snapshot/bad-fields",
       "metrics.snapshot.startWriter: opts.fields must be a function returning the snapshot object");
   }
+  // Issue #100 — optional `registry` handle pulls every registered
+  // metric into a structured `metrics` field in the JSON snapshot:
+  // counters / gauges as `{ value }` per label set, histograms as
+  // `{ buckets, observations }` with bucket counts + sum + count.
+  // Sidecar readers compose `histogram_quantile()` against the
+  // snapshot file without running a separate /metrics endpoint.
+  if (opts.registry !== undefined && opts.registry !== null &&
+      (typeof opts.registry !== "object" || typeof opts.registry.metrics !== "object")) {
+    throw new MetricsError("metrics-snapshot/bad-registry",
+      "metrics.snapshot.startWriter: opts.registry must be a metrics registry " +
+      "(from b.metrics.create()) or omitted");
+  }
   var p          = opts.path;
   var fieldsFn   = opts.fields;
+  var registry   = opts.registry || null;
   var intervalMs = opts.intervalMs;
   // CRYPTO-6 — file mode for the atomic write. Default 0o640
   // (owner rw, group r, world none). Operators with a sidecar
@@ -844,6 +900,10 @@ function snapshotStartWriter(opts) {
       writtenAt: new Date().toISOString(),
       fields:    snap,
     };
+    if (registry) {
+      try { payload.metrics = _serializeRegistry(registry); }
+      catch (e2) { log("snapshot.metrics serialize failed: " + ((e2 && e2.message) || String(e2))); }
+    }
     try {
       // CRYPTO-6 — default 0o640 (owner rw, group r, world none) so
       // operator-supplied snapshot fields aren't world-readable on a