@blamejs/core 0.10.13 → 0.10.15

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.10.x
 
+- v0.10.15 (2026-05-18) — **TLS-RPT receiver — RFC 8460 aggregate-report ingest.** New primitive surface under `b.mail.deploy` that closes the receive-side of TLS-RPT (the publish-side shipped v0.7.29 + v0.9.56). **(a) `b.mail.deploy.parseTlsRptReport(bytes, opts?)`** — pure parser + RFC 8460 §4.4 schema validator. Accepts `application/tlsrpt+json` (raw) and `application/tlsrpt+gzip` (auto-detected via the RFC 1952 gzip magic bytes `0x1f 0x8b` or routed when `opts.contentType` names a gzip media-type). Caps compressed payload at 4 MiB (RFC 8460 §5.2 community ceiling), decompressed at 32 MiB (operator-overridable), and refuses decompression amplification > 50:1 — defends [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725) (libcurl + zlib decompression amplification) and the broader CVE-2024-zlib bomb class. Routes through `b.guardJson.parse` for proto-pollution / depth / key-count defenses before walking the §4.4 schema. Refuses on missing required fields (`organization-name` / `contact-info` / `report-id` / `date-range.{start,end}-datetime` / `policies`) and enforces the §4.4 erratum that `policies` MUST be a non-empty array even for single-policy reports. Returns the normalized report shape plus `sessionTotals: { success, failure }` and a `wasCompressed` flag. **(b) `b.mail.deploy.tlsRptIngestHttp({...})`** — factory returning an `(req, res)` HTTPS POST handler mounted at the operator's `rua=https://<host>/<path>` endpoint per RFC 8460 §5.4. Negotiates the two IANA-registered media types ([RFC 8460 §6.4-6.5](https://www.rfc-editor.org/rfc/rfc8460.html#section-6.4)), returns 405 on non-POST, 415 on bad media-type (with `Accept:` header), 413 on size / bomb / ratio refusal, 400 on parse failure (with `Error-Type:` header naming the typed error code), 201 on accept. Optional `trustedReporters` array refuses non-trusted reporting domains (RFC 8460 §5.3-class defense extended to the HTTPS path). Body collection routes through `b.safeBuffer.boundedChunkCollector` — cap enforced at every `push()`, not after — so a hostile reporter sending a 10-GB body rejects on the chunk that overflows. Emits the `mail.tlsrpt.ingest_http` audit event with `policyDomains` set + session totals on every accept / refuse. **(c) `b.mail.deploy.tlsRptReportSchema()`** — schema descriptor (required fields, policy types, result types) for operator dashboards. Pure function. **(d) Codebase-patterns detector `gunzip-without-output-size-cap`** (lib-side) — every `zlib.gunzipSync` / `zlib.createGunzip` / `zlib.brotliDecompressSync` MUST sit in a file that also names `maxOutputLength` (Node-native cap) per the CVE-2025-0725 defense class. Companion-check `requires` field added to the lib-side runner. **Deferred from v1:** mailto: ingest (no operator demand surfaced — HTTPS POST is the de-facto deployment shape for TLS-RPT; operators wanting mailto: today compose `b.mail.server.mx` + `parseTlsRptReport`) and brotli decompression (no fielded reporter uses `Content-Encoding: br` for TLS-RPT; the RFC 8460 §6.4-6.5 IANA registry only names `+json` and `+gzip`). Each reopens with a documented condition. References: [RFC 8460 SMTP TLS Reporting](https://www.rfc-editor.org/rfc/rfc8460.html) · [RFC 8461 MTA-STS](https://www.rfc-editor.org/rfc/rfc8461.html) · [RFC 1952 gzip](https://www.rfc-editor.org/rfc/rfc1952.html) · [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725).
+- v0.10.14 (2026-05-18) — **codebase-patterns hardening — test-side catalog gains 3 new detectors + 1 migration; lib-side catalog gains 1 new detector with comment-skip preprocessing.** Closes the same class of bug that caused the v0.10.13 macOS hang (test-discipline-without-enforcement). **(a) `test-codebase-patterns.test.js` — test-side antipattern runner** now supports `matchOn: "basename"` mode and `requires` companion-content checks. **(b) M1 migration —** `testNoReleaseNamedTestFiles` moves from the lib-side catalog to the test-side catalog (the rule scans test-file basenames, not lib-source content). **(c) N1 — `Promise + setTimeout` direct sleep in tests refused.** Tests calling `await new Promise(r => setTimeout(r, N))` for synchronization MUST use `helpers.waitUntil` per CLAUDE.md rule §11b. 49 pre-existing files are allowlisted as a documented v0.10.14 migration backlog; the gate prevents new occurrences. **(d) N2 — hardcoded server bind ports refused.** Tests calling `.listen(N)` with a literal non-zero port MUST use `.listen(0)` + `server.address().port` to avoid `SMOKE_PARALLEL=64` bind races. Detector scoped to the bind path (`.listen(...)`); read-only protocol-constant references (`port: 993` / `port: 587` in autoconfig XML) don't trip. **(e) N3 — tests creating `b.db` handles without an isolation primitive refused.** Any test calling `b.db.create(` MUST also wire one of `helpers.setupTestDb` / `helpers.setupVaultOnly` / `node:fs.mkdtempSync`. Leaked per-test SQLite state corrupts subsequent tests under `SMOKE_PARALLEL=64`. **(f) N4 — raw `audit.emit(...)` outside drop-silent wrap refused (lib).** Per CLAUDE.md rule §5 hot-path audit sinks must be drop-silent. Detector found and fixed an existing violation in `lib/subject.js:_writeAudit` whose comment promised swallowing but actually let the throw escape. The lib-side runner gains a `skipCommentLines` per-entry opt so docstring `@example` lines don't trip detectors that match comment-friendly tokens. **(g) N5 deferred —** `Date.now()` vs `process.hrtime()` for elapsed-time math needs semantic distinction (elapsed-math vs row-age); regex alone is too noisy. v0.10.13's stream-throttle elapsed-clamp shipped the highest-value fix already; remaining call sites get per-file review in a later patch.
 - v0.10.13 (2026-05-18) — **`b.cms` CMS codec + `b.streamThrottle` bandwidth limiter + histogram-aware snapshot writer + Windows-safe daemonize.** **`b.cms` — RFC 5652 Cryptographic Message Syntax codec.** New crypto primitive: in-tree CMS encoder + decoder built on the existing `b.asn1Der` walker and the vendored noble-post-quantum primitives. **(a) `b.cms.encodeSignedData({ encapContent, digestAlg, signers })`** — emits a DER-encoded `ContentInfo` carrying `SignedData` per RFC 5652 §5 with PQC signers: ML-DSA-65 + ML-DSA-87 ([RFC 9909](https://www.rfc-editor.org/rfc/rfc9909.html)) and SLH-DSA-SHAKE-256f ([RFC 9881](https://www.rfc-editor.org/rfc/rfc9881.html)). Digest algorithms are SHA3-256 or SHA3-512 (PQC-first; SHA-2 family refused with `cms/bad-digest`). Signed-attributes carry `contentType` + `messageDigest` + `signingTime` in DER-canonical SET-OF ordering; the signature input re-tags the IMPLICIT `[0]` to the universal SET (`0x31`) per §5.4 paragraph 3 so signatures round-trip with any conforming verifier. Signer identifiers carry the full `issuerAndSerialNumber` extracted from the operator-supplied cert DER ([RFC 5652 §10.2.4](https://www.rfc-editor.org/rfc/rfc5652#section-10.2.4)). **(b) `b.cms.encodeEnvelopedData({ plaintext, recipients })`** — emits a DER-encoded `ContentInfo` carrying `EnvelopedData` with `KEMRecipientInfo` recipients per [RFC 9629](https://www.rfc-editor.org/rfc/rfc9629.html) and ML-KEM-1024 per [RFC 9936](https://www.rfc-editor.org/rfc/rfc9936.html). Each recipient encapsulates against the operator-supplied ML-KEM-1024 public key; the framework's SHAKE256 KDF derives a 32-byte content-encryption KEK from the KEM shared-secret bound to the literal label `cms/kemri/chacha20-poly1305` (so a key derived for this composition cannot be confused with one derived for any other framework path). Content encryption is ChaCha20-Poly1305 ([RFC 8103](https://www.rfc-editor.org/rfc/rfc8103.html) OID); the AEAD tag makes Efail-class CBC-malleability impossible by construction ([CVE-2017-17688](https://nvd.nist.gov/vuln/detail/CVE-2017-17688) / [CVE-2017-17689](https://nvd.nist.gov/vuln/detail/CVE-2017-17689)). **(c) `b.cms.decode(buf, { maxBytes? })`** — returns `{ contentType, content }` where `contentType` is the dotted-OID string and `content` is the inner `asn1-der` node. Refuses input past `maxBytes` (default 64 MiB), non-SEQUENCE top-level, missing `[0] EXPLICIT` content, and malformed OID encodings (closes the [CVE-2022-47629](https://nvd.nist.gov/vuln/detail/CVE-2022-47629) libksba class via the existing `b.asn1Der` strict-decode posture). **(d) Refusal posture documented in `lib/cms-codec.js` @intro**: only PQC signature algorithms (`cms/bad-sig-alg`), only ML-KEM-1024 recipients (`cms/bad-recipient-type`), non-empty signers / recipients required at encode (`cms/no-signers` / `cms/no-recipients`). **Operator impact:** no breaking changes; new primitive at `b.cms`. **Deferred to v0.10.14:** the on-the-wire S/MIME 4.0 layer ([RFC 8551](https://www.rfc-editor.org/rfc/rfc8551.html) `multipart/signed` framing, base64 DER body, `micalg` mapping) and OpenPGP encrypt + decrypt + WKD discovery ([RFC 9580](https://www.rfc-editor.org/rfc/rfc9580.html) §5.1 / §5.13 packets plus [draft-koch-openpgp-webkey-service](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/)) land together so the mail-crypto surface lights up coherently rather than half-on-each-side across two patches. AuthEnvelopedData ([RFC 5083](https://www.rfc-editor.org/rfc/rfc5083.html)) as a distinct `ContentInfo` shape is deferred — EnvelopedData with ChaCha20-Poly1305 is already AEAD by construction; the §5083 OID rewrap lights up alongside S/MIME for peers that refuse the EnvelopedData form. References: [RFC 5652 CMS](https://www.rfc-editor.org/rfc/rfc5652.html) · [RFC 9629 KEMRecipientInfo](https://www.rfc-editor.org/rfc/rfc9629.html) · [RFC 9909 ML-DSA in X.509+CMS](https://www.rfc-editor.org/rfc/rfc9909.html) · [RFC 9881 SLH-DSA in X.509+CMS](https://www.rfc-editor.org/rfc/rfc9881.html) · [RFC 9936 ML-KEM in CMS](https://www.rfc-editor.org/rfc/rfc9936.html) · [RFC 8103 ChaCha20-Poly1305 in CMS](https://www.rfc-editor.org/rfc/rfc8103.html). **(e) `b.streamThrottle` — token-bucket bandwidth limiter.** New primitive: `b.streamThrottle.create({ bytesPerSec, burstBytes? })` returns a shared token bucket whose `.transform()` instances each consume from the same budget. The missing primitive between per-request rate-limit and per-process worker pools: N parallel transfers share the operator-configured byte budget rather than each getting their own. Composes with `node:stream.pipeline` as a regular `stream.Transform`; chunks larger than `burstBytes` refuse with `stream-throttle/oversize-chunk` unless `transform({ allowOversize: true })`. Algorithm is the [RFC 2697 srTCM](https://www.rfc-editor.org/rfc/rfc2697.html) single-rate token-bucket shape, with lazy refill so there is no per-throttle background timer. **(f) Histogram-aware metrics snapshot writer.** `b.metrics.snapshot.startWriter` gains an opt-in `registry` field. When supplied, the JSON snapshot grows a `metrics` field carrying every registered counter / gauge / histogram in structured form — histograms include `buckets` + `observations: [{ labels, counts, sum, count }]`, so sidecar readers compose `histogram_quantile()` against the snapshot file without running a separate `/metrics` HTTP endpoint. `fileMode` default unchanged (0o640). **(g) Windows-safe daemonize.** `b.daemon.start` detached-fork mode now branches by platform. POSIX continues inheriting the parent-opened log FD via `stdio: ["ignore", logFd, logFd]` (unchanged). Windows now uses `stdio: "ignore"` + `windowsHide: true` so the child has no inherited handles that the OS invalidates on parent exit — the previously-broken Windows daemonize path now produces a survivable detached process. The child is responsible for opening its own log file (operators pass `--log` in `opts.args`). `daemon.started` audit gains `stdioMode` so operators can grep for the chosen strategy. **Closes: [#94](https://github.com/blamejs/blamejs/issues/94), [#100](https://github.com/blamejs/blamejs/issues/100), [#101](https://github.com/blamejs/blamejs/issues/101); also closes [#92](https://github.com/blamejs/blamejs/issues/92) and [#93](https://github.com/blamejs/blamejs/issues/93) (already shipped in v0.10.9 as `b.promisePool` / `b.sdNotify` — left open until now).**
 - v0.10.12 (2026-05-18) — **`b.agent.tenant` adoption across the mail-server listeners.** The v0.10.11 shared `b.mail.serverRegistry` primitive gains optional `opts.tenantScope` (a `b.agent.tenant.create()` instance) + `opts.agentTenantId` (the tenant this listener serves). When supplied, every method dispatch first gates on `tenantScope.check(state.actor, agentTenantId)` BEFORE guard validation or audit emission; cross-tenant access surfaces as the v0.9.25-typed `agent-tenant/cross-tenant-access-refused` which the listener's catch-path converts to the protocol's `BAD` / `NO` refusal reply. **(a) `b.mail.server.imap.create({ tenantScope, agentTenantId })`** — IMAP dispatch is gated for every command after AUTH. **(b) `b.mail.server.jmap.create({ tenantScope, agentTenantId })`** — JMAP per-method dispatch routes through the tenant scope alongside its existing per-`accountId` isolation. **(c) `b.mail.server.managesieve.create({ tenantScope, agentTenantId })`** — ManageSieve same pattern. **(d) `b.mail.server.submission.create({ tenantScope, agentTenantId })`** — submission listener gates at the AUTH-success boundary (before `state.actor` is committed) so cross-tenant authentication surfaces as `535 5.7.0 Authentication rejected (cross-tenant)` and the SMTP envelope never begins under the wrong tenant. **(e) `b.mail.server.pop3.create({ tenantScope, agentTenantId })`** — same AUTH-success gate; cross-tenant refusal returns `-ERR Authentication rejected (cross-tenant)`. New audit events: `mail.server.submission.cross_tenant_refused` and `mail.server.pop3.cross_tenant_refused`. **Operator impact:** no breaking changes — `tenantScope` / `agentTenantId` are optional; operators not running multi-tenant see identical behavior. Operators with multi-tenant deployments wire `b.agent.tenant.create({...})` once and pass the same scope to every per-tenant listener instance — cross-tenant isolation becomes structural rather than per-handler opt-in. **Deferred to v0.10.12.1:** per-tenant `b.mailStore` seal-key derivation via `tenantScope.derivedKey(tenantId, "seal")` and per-tenant audit namespaces via `tenantScope.auditFor(tenantId)`. Today every mail listener seals through the framework primary vault key — adequate for single-tenant and multi-tenant-trusted deployments; the v0.10.12.1 follow-up adds per-tenant key separation for compromise-isolation use cases. References: [RFC 9051 IMAP4rev2 §3 state machine](https://www.rfc-editor.org/rfc/rfc9051#section-3) · [RFC 8620 JMAP Core §1.6.2 accountId](https://www.rfc-editor.org/rfc/rfc8620#section-1.6.2) · [RFC 6409 Submission §6.1 actor-to-MAIL-FROM identity binding](https://www.rfc-editor.org/rfc/rfc6409#section-6.1) · [RFC 1939 POP3 §6 transaction state](https://www.rfc-editor.org/rfc/rfc1939#section-6) · v0.9.25 `b.agent.tenant` contract.
 - v0.10.11 (2026-05-18) — **Mail-server per-method registration sweep.** New shared primitive `b.mail.serverRegistry` (`lib/mail-server-registry.js`) replaces the hand-rolled `switch (verb)` dispatchers in the IMAP, JMAP, and ManageSieve listener factories. Operators can now override individual command / method handlers (e.g. IMAP `FETCH`, JMAP `Email/query`, ManageSieve `PUTSCRIPT`) via `opts.overrides: { NAME: { fn, maxHandlerBytes, maxHandlerMs } }` without re-implementing wire-protocol state machines or bypassing the guard substrate. **(a) Per-handler resource budgets — required at registration.** Operators MUST supply `maxHandlerBytes` (≤ 256 MiB) and `maxHandlerMs` (≤ 5 min) on every override; the registration throws `mail-server-registry/bad-max-handler-bytes` / `bad-max-handler-ms` on missing or out-of-range budgets. Defends [CVE-2024-34055](https://nvd.nist.gov/vuln/detail/CVE-2024-34055) (Cyrus authenticated OOM) and [CVE-2026-26312](https://nvd.nist.gov/vuln/detail/CVE-2026-26312) (Stalwart malformed nested `message/rfc822` cyclical OOM) by forcing operators to declare the resource ceiling explicitly. **(b) Catalogue gate.** Per-protocol method names outside the IANA / RFC catalogue refuse registration unless `allowExperimental: true` is supplied — opting in audits the registration so operators can grep for off-spec handlers. **(c) Guard chain preserved.** The listener factories run `b.guardImapCommand` / `b.guardJmap` / `b.guardManagesieveCommand` BEFORE the registry lookup; operator overrides cannot bypass the wire-protocol validation, smuggling defenses, or rate-limit budgets. **(d) Handler timeout.** Promise-returning handlers wrap through `b.safeAsync.withTimeout(maxHandlerMs)`; a runaway override raises `mail-server-registry/handler-timeout` rather than pinning the connection. **(e) Defaults seeded.** IMAP picks up 30 verbs (CAPABILITY, NOOP, LOGOUT, ID, STARTTLS, AUTHENTICATE, LOGIN, ENABLE, SELECT, EXAMINE, LIST, STATUS, NAMESPACE, APPEND, CHECK, CLOSE, UNSELECT, EXPUNGE, FETCH, STORE, UID, IDLE, DONE — plus the previously-undispatched SEARCH / CREATE / DELETE / RENAME / SUBSCRIBE / UNSUBSCRIBE / COPY / MOVE which default to `NO not-configured` until operator overrides); ManageSieve picks up 12 verbs (CAPABILITY, NOOP, STARTTLS, LOGOUT, AUTHENTICATE, HAVESPACE, PUTSCRIPT, LISTSCRIPTS, SETACTIVE, GETSCRIPT, DELETESCRIPT, RENAMESCRIPT); JMAP wraps the existing `opts.methods` map with a one-time deprecation audit (`mail.server.jmap.methods_opt_deprecated`) and routes through the same registry — operators migrate to `opts.overrides` with explicit budgets. **(f) New audit event:** `mail.serverRegistry.method_dispatch` carries `{ protocol, name, source: "builtin" | "operator-override" }` on every dispatch; `mail.serverRegistry.experimental_registration` audits opt-in off-catalogue registrations. **Operator impact:** existing JMAP `opts.methods` callers see the deprecation audit but continue to function (legacy auto-budget = 10 MiB / 30 s); existing IMAP / ManageSieve operators have no migration burden — the listener factories continue to accept the same opts shape. Operators wiring NEW overrides MUST supply explicit budgets. References: [RFC 9051 IMAP4rev2](https://www.rfc-editor.org/rfc/rfc9051) · [RFC 8620 JMAP Core](https://www.rfc-editor.org/rfc/rfc8620) · [RFC 8621 JMAP for Mail](https://www.rfc-editor.org/rfc/rfc8621) · [RFC 5804 ManageSieve](https://www.rfc-editor.org/rfc/rfc5804) · [RFC 2971 IMAP4 ID](https://www.rfc-editor.org/rfc/rfc2971) · [RFC 2177 IMAP IDLE](https://www.rfc-editor.org/rfc/rfc2177) · [CVE-2024-34055](https://nvd.nist.gov/vuln/detail/CVE-2024-34055) · [CVE-2026-26312](https://nvd.nist.gov/vuln/detail/CVE-2026-26312).

package/README.md

@@ -97,6 +97,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`)
 - **CMS codec** — RFC 5652 Cryptographic Message Syntax encoder + decoder with PQC signers (ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f; RFC 9909 + 9881) and KEMRecipientInfo recipients (ML-KEM-1024; RFC 9629 + 9936); ChaCha20-Poly1305 content encryption (RFC 8103) so Efail-class malleability cannot apply (`b.cms`)
 - **Stream throttle** — shared token-bucket bandwidth limiter (RFC 2697 srTCM shape); N concurrent `node:stream` pipelines draw from one operator-configured `bytesPerSec` budget (`b.streamThrottle`)
+- **TLS-RPT receiver** — RFC 8460 inbound aggregate-report ingest; HTTPS POST handler + §4.4 schema parser with gzip-bomb / ratio-bomb / depth-bomb defenses (`b.mail.deploy.parseTlsRptReport` / `b.mail.deploy.tlsRptIngestHttp`)
 - **TLS / channel binding** — RFC 9266 TLS-Exporter token-to-session pinning (`b.tlsExporter`); RFC 9162 CT v2 inclusion-proof verification (`b.network.tls.ct.verifyInclusion`); RFC 8555 ACME + RFC 9773 ARI for 47-day certs with `{ jitter: true }` fleet-scheduling (`b.acme.renewIfDue`); draft-aaron-acme-profiles (`acme.listProfiles()` + `newOrder({ profile })`); draft-ietf-acme-dns-account-label (`acme.dnsAccount01ChallengeRecord(token, { identifier })`); RFC 8470 0-RTT inbound posture refuse / replay-cache (`b.router.create({tls0Rtt})`); RFC 9794 SecP256r1MLKEM768 in preferred-group order (`b.network.tls.preferredGroups`)
 - **mTLS CA** — pure-JS, issues clientAuth / serverAuth / dual-EKU certs with SAN; auto-detects highest-PQC signature alg (today ECDSA-P384-SHA384; self-upgrades to SLH-DSA / ML-DSA when X.509 ecosystem catches up); PQC TLS gates inbound + outbound (`b.mtlsCa`, `b.pqcGate`, `b.pqcAgent`)
 ### HTTP

package/lib/mail-deploy.js

@@ -46,11 +46,19 @@
  */
 
 var nodeCrypto = require("node:crypto");
+var zlib = require("node:zlib");
+var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var numericBounds = require("./numeric-bounds");
+var C = require("./constants");
+var safeJson = require("./safe-json");
+var safeBuffer = require("./safe-buffer");
+var guardJson = lazyRequire(function () { return require("./guard-json"); });
+var audit = lazyRequire(function () { return require("./audit"); });
 var { defineClass } = require("./framework-error");
 
 var MailDeployError = defineClass("MailDeployError", { alwaysPermanent: true });
+var TlsRptParseError = defineClass("TlsRptParseError", { alwaysPermanent: true });
 
 // RFC 8461 §3.2 MTA-STS policy field allowlist. Field values typed +
 // bounded — operator supplies them; we never echo arbitrary bytes
@@ -483,10 +491,629 @@ function autoDiscoverXml(opts) {
     "</Autodiscover>\n";
 }
 
+// ---- TLS-RPT receiver (RFC 8460) ----
+//
+// Inbound aggregate-report ingest for operators who publish
+// `rua=https://reports.example.com/tlsrpt` on `_smtp._tls.<domain>`.
+// Reporters POST `application/tlsrpt+json` (raw) or
+// `application/tlsrpt+gzip` (gzip-wrapped JSON) per RFC 8460 §5.4
+// + §6.4-6.5 IANA media-type registrations.
+//
+// v1 scope (this slice):
+//   - `parseTlsRptReport(bytes, opts?)` — pure parser + §4.4 schema
+//     validator. Caps decompressed size (default 32 MiB), compressed
+//     size (default 4 MiB), and compression ratio (default 50:1) to
+//     defend CVE-2025-0725 / generic decompression-amplification.
+//   - `tlsRptIngestHttp({...})` — (req, res) factory returning an
+//     RFC 8460 §5.4-compliant handler (201 on accept / 400 on bad
+//     JSON / 413 on size / 415 on bad media-type / 405 on non-POST).
+//   - `tlsRptReportSchema()` — schema descriptor for operator
+//     dashboards.
+//
+// Deferred from v1 (each with documented condition):
+//   - `mailto:` ingest via b.mail.server.mx. Defer condition: no
+//     operator demand has surfaced; HTTPS POST is the de-facto
+//     deployment shape for TLS-RPT today (reporters with `rua=mailto:`
+//     ingest are a long tail). Operators wanting mailto: ingest
+//     compose b.mail.server.mx today + call `parseTlsRptReport` on
+//     the extracted body part themselves. Reopens when an operator
+//     surfaces concrete demand AND the mail.server.mx surface stays
+//     stable across the upcoming UTA-draft revisions.
+//   - Brotli decompression. Defer condition: no fielded reporter
+//     uses `Content-Encoding: br` for TLS-RPT today; the IANA
+//     media-type registry (RFC 8460 §6.4) only registers +json and
+//     +gzip. Operators behind a brotli-encoding proxy decode at the
+//     proxy layer. Reopens when at least one fielded reporter ships
+//     brotli or the in-progress UTA-draft requires it.
+
+// Hard caps — defensive against CVE-2025-0725 (libcurl/zlib
+// integer overflow), CVE-2024-zlib decompression amplification, and
+// the §5.2 community ceiling (receivers commonly cap at 10 MiB).
+var TLSRPT_MAX_COMPRESSED_BYTES   = C.BYTES.mib(4);                                                   // allow:raw-byte-literal — 4 MiB compressed cap per §5.2 community practice
+var TLSRPT_MAX_DECOMPRESSED_BYTES = C.BYTES.mib(32);                                                  // allow:raw-byte-literal — 32 MiB decompressed cap (operators override via opts)
+var TLSRPT_MAX_RATIO              = 50;                                                               // allow:raw-byte-literal — 50:1 compression ratio refusal
+var TLSRPT_MAX_POLICIES           = 1000;                                                             // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §4.4 policy-cardinality cap
+var TLSRPT_MAX_FAILURE_DETAILS    = 10000;                                                            // allow:raw-byte-literal — per-policy failure-details cap
+var TLSRPT_GZIP_MAGIC_0           = 0x1f;                                                             // allow:raw-byte-literal — RFC 1952 gzip magic byte 0
+var TLSRPT_GZIP_MAGIC_1           = 0x8b;                                                             // allow:raw-byte-literal — RFC 1952 gzip magic byte 1
+
+// Valid RFC 8460 §4.4 result-type values for `failure-details[].result-type`.
+var TLSRPT_RESULT_TYPES = Object.freeze({
+  "starttls-not-supported":       1,
+  "certificate-host-mismatch":    1,
+  "certificate-expired":          1,
+  "certificate-not-trusted":      1,
+  "validation-failure":           1,
+  "tlsa-invalid":                 1,
+  "dnssec-invalid":               1,
+  "dane-required":                1,
+  "sts-policy-fetch-error":       1,
+  "sts-policy-invalid":           1,
+  "sts-webpki-invalid":           1,
+});
+
+// Valid RFC 8460 §4.4 policy-type values.
+var TLSRPT_POLICY_TYPES = Object.freeze({
+  sts: 1, tlsa: 1, "no-policy-found": 1,
+});
+
+/**
+ * @primitive  b.mail.deploy.parseTlsRptReport
+ * @signature  b.mail.deploy.parseTlsRptReport(input, opts?)
+ * @since      0.10.15
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.mail.deploy.tlsRptIngestHttp, b.mail.deploy.tlsRptReportSchema
+ *
+ * Parse + validate an RFC 8460 TLS-RPT aggregate report. Accepts:
+ *   - Raw `application/tlsrpt+json` bytes (Buffer or string).
+ *   - `application/tlsrpt+gzip` bytes (gzip magic auto-detected via
+ *     `0x1f 0x8b` per RFC 1952, or routed when `opts.contentType`
+ *     names a gzip media-type).
+ *
+ * Refusal posture:
+ *   - Compressed payload > `opts.maxCompressedBytes` (default 4 MiB)
+ *     → `mail-tlsrpt/oversize-compressed`.
+ *   - Decompressed payload > `opts.maxDecompressedBytes` (default
+ *     32 MiB) → `mail-tlsrpt/gunzip-bomb`.
+ *   - Compression ratio > `opts.maxRatio` (default 50:1) →
+ *     `mail-tlsrpt/ratio-bomb`.
+ *   - Malformed gzip → `mail-tlsrpt/gunzip-failed`.
+ *   - Routes through `b.guardJson.parse` for proto-pollution / depth
+ *     / key-count defenses before the §4.4 schema walk.
+ *   - Missing REQUIRED §4.4 fields → `mail-tlsrpt/bad-schema`.
+ *   - `policies` MUST be an array (RFC 8460 §4.4 erratum, even for
+ *     single-policy reports).
+ *
+ * @opts
+ *   contentType:           string,    // optional — hint for gzip routing
+ *   maxCompressedBytes:    number,    // default TLSRPT_MAX_COMPRESSED_BYTES (4 MiB)
+ *   maxDecompressedBytes:  number,    // default TLSRPT_MAX_DECOMPRESSED_BYTES (32 MiB)
+ *   maxRatio:              number,    // default 50 (compressed:decompressed cap)
+ *
+ * @example
+ *   var report = b.mail.deploy.parseTlsRptReport(reqBody, {
+ *     contentType: req.headers["content-type"],
+ *   });
+ *   // → { organization-name, date-range: {start, end}, contact-info,
+ *   //     report-id, policies: [{ policy-type, policy-domain, ... }] }
+ */
+function parseTlsRptReport(input, opts) {
+  opts = opts || {};
+  var bytes;
+  if (Buffer.isBuffer(input)) bytes = input;
+  else if (typeof input === "string") bytes = Buffer.from(input, "utf8");
+  else {
+    throw new TlsRptParseError("mail-tlsrpt/bad-input",
+      "parseTlsRptReport: input must be a Buffer or string");
+  }
+  numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
+    ["maxCompressedBytes", "maxDecompressedBytes", "maxRatio"],
+    "parseTlsRptReport", TlsRptParseError, "mail-tlsrpt/bad-opts");
+  var maxCompressed   = opts.maxCompressedBytes   || TLSRPT_MAX_COMPRESSED_BYTES;
+  var maxDecompressed = opts.maxDecompressedBytes || TLSRPT_MAX_DECOMPRESSED_BYTES;
+  var maxRatio        = opts.maxRatio             || TLSRPT_MAX_RATIO;
+  if (bytes.length > maxCompressed) {
+    throw new TlsRptParseError("mail-tlsrpt/oversize-compressed",
+      "parseTlsRptReport: compressed payload " + bytes.length +
+      " bytes exceeds maxCompressedBytes=" + maxCompressed);
+  }
+
+  // gzip auto-detect — magic 0x1f 0x8b per RFC 1952. Routes through
+  // the same defensive shape as DMARC RUA (lib/mail-auth.js): bound
+  // decompression at the cap, surface bomb-vs-malformed as distinct
+  // typed errors so audit / alert wiring can react differently.
+  var contentType = (opts.contentType || "").toLowerCase();
+  var compressedLen = bytes.length;
+  var looksGzip = bytes.length >= 2 && bytes[0] === TLSRPT_GZIP_MAGIC_0 && bytes[1] === TLSRPT_GZIP_MAGIC_1;
+  var wasCompressed = false;
+  if (contentType.indexOf("gzip") !== -1 || looksGzip) {
+    wasCompressed = true;
+    try { bytes = zlib.gunzipSync(bytes, { maxOutputLength: maxDecompressed }); }
+    catch (e) {
+      var msg = (e && e.message) || String(e);
+      var isBomb = (e && (e.code === "ERR_BUFFER_TOO_LARGE" || e.code === "ERR_OUT_OF_RANGE")) ||
+                   /output length|max(?:imum)?\s+output|exceeds?/i.test(msg);
+      if (isBomb) {
+        throw new TlsRptParseError("mail-tlsrpt/gunzip-bomb",
+          "parseTlsRptReport: gunzip output exceeded " + maxDecompressed +
+          " bytes (decompression amplification — refused per CVE-2025-0725 class)");
+      }
+      throw new TlsRptParseError("mail-tlsrpt/gunzip-failed",
+        "parseTlsRptReport: gunzip failed: " + msg);
+    }
+    if (compressedLen > 0 && bytes.length / compressedLen > maxRatio) {
+      throw new TlsRptParseError("mail-tlsrpt/ratio-bomb",
+        "parseTlsRptReport: decompression ratio " +
+        Math.round(bytes.length / compressedLen) + ":1 exceeds maxRatio=" +
+        maxRatio + ":1 (decompression amplification — refused)");
+    }
+  }
+
+  // Route through b.guardJson — proto-pollution / depth / key-count
+  // defenses on every untrusted-JSON parse path (closes v0.10.14
+  // detector class for untrusted-json-without-guardjson).
+  var raw;
+  try {
+    raw = guardJson().parse(bytes.toString("utf8"), {
+      maxBytes:  maxDecompressed,
+      maxDepth:  32,                                                                                  // allow:raw-byte-literal — JSON depth cap
+      maxKeys:   1000,                                                                                // allow:raw-byte-literal — top-level key cap
+    });
+  } catch (_e) {
+    // Fall back to b.safeJson.parse if guardJson isn't available (in
+    // certain bootstrap paths). Both refuse __proto__ / depth-bombs.
+    try { raw = safeJson.parse(bytes.toString("utf8")); }
+    catch (e2) {
+      throw new TlsRptParseError("mail-tlsrpt/bad-json",
+        "parseTlsRptReport: JSON parse failed: " + ((e2 && e2.message) || String(e2)));
+    }
+  }
+
+  return _validateTlsRptReport(raw, { wasCompressed: wasCompressed });
+}
+
+function _validateTlsRptReport(raw, ctx) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    throw new TlsRptParseError("mail-tlsrpt/bad-schema",
+      "parseTlsRptReport: top-level must be a JSON object");
+  }
+  // RFC 8460 §4.4 REQUIRED fields.
+  var orgName = raw["organization-name"];
+  var contact = raw["contact-info"];
+  var reportId = raw["report-id"];
+  var dateRange = raw["date-range"];
+  var policies = raw["policies"];
+  if (typeof orgName  !== "string" || orgName.length === 0) {
+    throw new TlsRptParseError("mail-tlsrpt/bad-schema",
+      "parseTlsRptReport: missing required string 'organization-name'");
+  }
+  if (typeof contact !== "string" || contact.length === 0) {
+    throw new TlsRptParseError("mail-tlsrpt/bad-schema",
+      "parseTlsRptReport: missing required string 'contact-info'");
+  }
+  if (typeof reportId !== "string" || reportId.length === 0) {
+    throw new TlsRptParseError("mail-tlsrpt/bad-schema",
+      "parseTlsRptReport: missing required string 'report-id'");
+  }
+  if (!dateRange || typeof dateRange !== "object" ||
+      typeof dateRange["start-datetime"] !== "string" ||
+      typeof dateRange["end-datetime"]   !== "string") {
+    throw new TlsRptParseError("mail-tlsrpt/bad-schema",
+      "parseTlsRptReport: 'date-range' must have string start-datetime + end-datetime");
+  }
+  // RFC 8460 §4.4 erratum — `policies` MUST be an array even for a
+  // single-policy report. Some legacy implementations emit a bare
+  // object; we refuse to normalize so the operator catches the
+  // upstream non-conformance.
+  if (!Array.isArray(policies)) {
+    throw new TlsRptParseError("mail-tlsrpt/bad-schema",
+      "parseTlsRptReport: 'policies' must be an array (RFC 8460 §4.4 erratum); single-policy reports still use [policy] form");
+  }
+  if (policies.length === 0) {
+    throw new TlsRptParseError("mail-tlsrpt/bad-schema",
+      "parseTlsRptReport: 'policies' must be a non-empty array");
+  }
+  if (policies.length > TLSRPT_MAX_POLICIES) {
+    throw new TlsRptParseError("mail-tlsrpt/too-many-policies",
+      "parseTlsRptReport: report has " + policies.length +
+      " policies (cap " + TLSRPT_MAX_POLICIES + ")");
+  }
+  // Codex P2 (v0.10.15) — validate summary counts as finite non-negative
+  // integers before summing. `Number(...) || 0` would accept
+  // `Infinity` (from JSON literal `1e309` or string "Infinity"),
+  // negative values, and arbitrary strings (coerced to NaN→0). Each
+  // is operator-untrusted input on an audit-emitted path.
+  var totalSuccess = 0, totalFailure = 0;
+  for (var i = 0; i < policies.length; i += 1) {
+    _validatePolicy(policies[i], i);
+    var summary = policies[i]["summary"];
+    if (summary && typeof summary === "object") {
+      var sRaw = summary["total-successful-session-count"];
+      var fRaw = summary["total-failure-session-count"];
+      if (sRaw !== undefined) {
+        if (typeof sRaw !== "number" || !isFinite(sRaw) || sRaw < 0 || Math.floor(sRaw) !== sRaw) {
+          throw new TlsRptParseError("mail-tlsrpt/bad-summary",
+            "parseTlsRptReport: policies[" + i + "].summary.total-successful-session-count must be a finite non-negative integer");
+        }
+        totalSuccess += sRaw;
+      }
+      if (fRaw !== undefined) {
+        if (typeof fRaw !== "number" || !isFinite(fRaw) || fRaw < 0 || Math.floor(fRaw) !== fRaw) {
+          throw new TlsRptParseError("mail-tlsrpt/bad-summary",
+            "parseTlsRptReport: policies[" + i + "].summary.total-failure-session-count must be a finite non-negative integer");
+        }
+        totalFailure += fRaw;
+      }
+    }
+  }
+  // Return a normalized shape — preserve every operator-readable
+  // field, plus add framework-attached metadata (sessionTotals,
+  // wasCompressed) that doesn't conflict with the RFC schema.
+  return {
+    "organization-name": orgName,
+    "contact-info":      contact,
+    "report-id":         reportId,
+    "date-range":        {
+      "start-datetime":  dateRange["start-datetime"],
+      "end-datetime":    dateRange["end-datetime"],
+    },
+    "policies":          policies,
+    sessionTotals:       {
+      success:           totalSuccess,
+      failure:           totalFailure,
+    },
+    wasCompressed:       ctx.wasCompressed === true,
+  };
+}
+
+function _validatePolicy(p, idx) {
+  if (!p || typeof p !== "object") {
+    throw new TlsRptParseError("mail-tlsrpt/bad-policy",
+      "parseTlsRptReport: policies[" + idx + "] must be an object");
+  }
+  var policy = p["policy"];
+  if (!policy || typeof policy !== "object") {
+    throw new TlsRptParseError("mail-tlsrpt/bad-policy",
+      "parseTlsRptReport: policies[" + idx + "].policy missing");
+  }
+  var pType = policy["policy-type"];
+  if (!TLSRPT_POLICY_TYPES[pType]) {
+    throw new TlsRptParseError("mail-tlsrpt/bad-policy",
+      "parseTlsRptReport: policies[" + idx + "].policy.policy-type '" + pType +
+      "' not in {sts, tlsa, no-policy-found}");
+  }
+  if (typeof policy["policy-domain"] !== "string" || policy["policy-domain"].length === 0) {
+    throw new TlsRptParseError("mail-tlsrpt/bad-policy",
+      "parseTlsRptReport: policies[" + idx + "].policy.policy-domain missing");
+  }
+  // policy-string is optional for no-policy-found, REQUIRED otherwise.
+  // We don't enforce — operators may receive partial reports from
+  // legacy reporters; we surface the field as-is.
+  var failureDetails = p["failure-details"];
+  if (failureDetails !== undefined) {
+    if (!Array.isArray(failureDetails)) {
+      throw new TlsRptParseError("mail-tlsrpt/bad-policy",
+        "parseTlsRptReport: policies[" + idx + "].failure-details must be an array");
+    }
+    if (failureDetails.length > TLSRPT_MAX_FAILURE_DETAILS) {
+      throw new TlsRptParseError("mail-tlsrpt/too-many-failures",
+        "parseTlsRptReport: policies[" + idx + "] has " + failureDetails.length +
+        " failure-details (cap " + TLSRPT_MAX_FAILURE_DETAILS + ")");
+    }
+    for (var k = 0; k < failureDetails.length; k += 1) {
+      var fd = failureDetails[k];
+      if (!fd || typeof fd !== "object") {
+        throw new TlsRptParseError("mail-tlsrpt/bad-failure-detail",
+          "parseTlsRptReport: policies[" + idx + "].failure-details[" + k + "] must be an object");
+      }
+      if (typeof fd["result-type"] === "string" && !TLSRPT_RESULT_TYPES[fd["result-type"]]) {
+        // Unknown result-type — surface as audit metadata but don't
+        // refuse; RFC 8460 §4.4 result-type registry can grow over
+        // time and we shouldn't break on new IANA entries.
+      }
+    }
+  }
+}
+
+/**
+ * @primitive  b.mail.deploy.tlsRptReportSchema
+ * @signature  b.mail.deploy.tlsRptReportSchema()
+ * @since      0.10.15
+ * @status     stable
+ * @related    b.mail.deploy.parseTlsRptReport
+ *
+ * Returns a structured RFC 8460 §4.4 schema descriptor — operator
+ * dashboards consume this to render report shape consistently.
+ * The descriptor names every required + optional field with type +
+ * cardinality + brief description. Pure function; safe to cache.
+ *
+ * @example
+ *   var schema = b.mail.deploy.tlsRptReportSchema();
+ *   schema.required.indexOf("report-id") !== -1;  // → true
+ */
+function tlsRptReportSchema() {
+  return {
+    rfc: "RFC 8460 §4.4",
+    required: [
+      "organization-name", "contact-info", "report-id", "date-range", "policies",
+    ],
+    fields: {
+      "organization-name":   { type: "string",  required: true,  description: "Reporter organisation display name." },
+      "contact-info":         { type: "string",  required: true,  description: "Email / URI for reporter contact." },
+      "report-id":            { type: "string",  required: true,  description: "Reporter-issued unique report identifier (RFC 5322 msg-id shape)." },
+      "date-range":           { type: "object",  required: true,  description: "Window the report covers; { start-datetime, end-datetime } in RFC 3339 form." },
+      "policies":             { type: "array",   required: true,  description: "Array of policy evaluations (RFC 8460 §4.4 erratum — always array, even for single-policy reports)." },
+    },
+    policyFields: {
+      "policy":               { type: "object",  required: true,  description: "{ policy-type, policy-string, policy-domain, mx-host }." },
+      "summary":              { type: "object",  required: false, description: "{ total-successful-session-count, total-failure-session-count }." },
+      "failure-details":      { type: "array",   required: false, description: "Per-failure details (result-type, sending-mta-ip, etc.)." },
+    },
+    policyTypes:  Object.keys(TLSRPT_POLICY_TYPES),
+    resultTypes:  Object.keys(TLSRPT_RESULT_TYPES),
+  };
+}
+
+/**
+ * @primitive  b.mail.deploy.tlsRptIngestHttp
+ * @signature  b.mail.deploy.tlsRptIngestHttp(opts)
+ * @since      0.10.15
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.mail.deploy.parseTlsRptReport, b.mail.deploy.tlsRptReportSchema
+ *
+ * Returns an `(req, res)` request handler mounted at the operator's
+ * `rua=https://<host>/<path>` endpoint. Implements the receive-side
+ * of RFC 8460 §5.4:
+ *
+ *   - POST only — non-POST returns 405 with Allow: POST.
+ *   - Accepts `application/tlsrpt+json` and `application/tlsrpt+gzip`
+ *     (RFC 8460 §6.4-6.5 IANA media types). 415 on others.
+ *   - Body size cap (default 4 MiB compressed) — 413 on exceed.
+ *   - Routes the bytes through `parseTlsRptReport`. 400 on parse
+ *     failure (with `Error-Type:` header naming the typed error
+ *     code). 201 on accept.
+ *   - Calls `opts.onAccept(report, req)` after successful parse.
+ *     Operator's hook decides storage (most operators journal +
+ *     emit a metric); the framework does NOT persist by default.
+ *   - Emits a `mail.tlsrpt.ingest_http` audit event with
+ *     posture-aware payload (organization-name, report-id,
+ *     policy-domain set, session totals).
+ *
+ * Authentication discipline (Codex P2 v0.10.15):
+ *   - `trustedReporters` is a CONTENT-SIDE soft filter — it compares
+ *     the reporter's self-declared `organization-name` field (the
+ *     report body, operator-untrusted) against the operator's
+ *     allowlist. A hostile sender can forge any `organization-name`
+ *     string to bypass it. This option is ADVISORY: a tripwire that
+ *     surfaces unexpected reporter-name strings in audit, not an
+ *     authentication boundary.
+ *   - For real authentication, supply `opts.authenticate(req)` — the
+ *     hook fires BEFORE parsing the body and returns truthy / falsy
+ *     (or a Promise). False / falsy refuses with 401 + the
+ *     `mail-tlsrpt/unauthenticated` audit code. Operators wire this
+ *     to their mTLS-peer-cert / IP-allowlist / signed-header /
+ *     reverse-proxy auth boundary. The framework intentionally does
+ *     NOT couple to any specific auth scheme.
+ *
+ * @opts
+ *   authenticate:            Function,  // (req) → boolean | Promise<boolean>; SHA real auth boundary
+ *   trustedReporters:        string[],  // ADVISORY content filter on report.organization-name (operator-untrusted field)
+ *   maxCompressedBytes:      number,    // default 4 MiB
+ *   maxDecompressedBytes:    number,    // default 32 MiB
+ *   maxRatio:                number,    // default 50
+ *   onAccept:                Function,  // (report, req) → void | Promise
+ *   onRefuse:                Function,  // (errCode, errMessage, req) → void
+ *   audit:                   object,    // optional b.audit handle (default: framework audit)
+ *
+ * @example
+ *   app.post("/tlsrpt", b.mail.deploy.tlsRptIngestHttp({
+ *     onAccept: function (report) {
+ *       b.journal.append({ kind: "tlsrpt", report: report });
+ *     },
+ *   }));
+ */
+function tlsRptIngestHttp(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["authenticate", "trustedReporters", "maxCompressedBytes",
+                       "maxDecompressedBytes", "maxRatio", "onAccept", "onRefuse",
+                       "audit", "compliance"],
+    "mail.deploy.tlsRptIngestHttp");
+  validateOpts.optionalFunction(opts.authenticate, "tlsRptIngestHttp: opts.authenticate",
+    MailDeployError, "mail-tlsrpt/bad-opts");
+  if (opts.trustedReporters !== undefined &&
+      (!Array.isArray(opts.trustedReporters) ||
+       opts.trustedReporters.some(function (s) { return typeof s !== "string"; }))) {
+    throw new MailDeployError("mail-tlsrpt/bad-opts",
+      "tlsRptIngestHttp: opts.trustedReporters must be an array of strings");
+  }
+  var authenticate = typeof opts.authenticate === "function" ? opts.authenticate : null;
+  var trusted = opts.trustedReporters
+    ? Object.freeze(opts.trustedReporters.reduce(function (a, s) { a[s] = 1; return a; }, {}))
+    : null;
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.maxCompressedBytes, "maxCompressedBytes", MailDeployError, "mail-tlsrpt/bad-opts");
+  var maxCompressed = opts.maxCompressedBytes || TLSRPT_MAX_COMPRESSED_BYTES;
+  // Cache the other caps so the per-request parser call sees them.
+  var parseOpts = {
+    maxCompressedBytes:   maxCompressed,
+    maxDecompressedBytes: opts.maxDecompressedBytes,
+    maxRatio:             opts.maxRatio,
+  };
+  var onAccept = typeof opts.onAccept === "function" ? opts.onAccept : null;
+  var onRefuse = typeof opts.onRefuse === "function" ? opts.onRefuse : null;
+
+  return function tlsRptHandler(req, res) {
+    if (req.method !== "POST") {
+      res.writeHead(405, { "Allow": "POST", "Content-Type": "text/plain" });                          // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+      res.end("RFC 8460 §5.4 requires POST\n");
+      return;
+    }
+    var ct = (req.headers["content-type"] || "").toLowerCase();
+    var ctRoot = ct.split(";")[0].trim();
+    if (ctRoot !== "application/tlsrpt+json" && ctRoot !== "application/tlsrpt+gzip") {
+      _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
+        reason: "bad-content-type", contentType: ctRoot,
+      });
+      if (onRefuse) try { onRefuse("mail-tlsrpt/bad-content-type", "unexpected content-type " + ctRoot, req); }
+      catch (_e) { /* drop-silent */ }
+      res.writeHead(415, { "Content-Type": "text/plain", "Accept": "application/tlsrpt+json, application/tlsrpt+gzip" });   // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+      res.end("RFC 8460 §6.4-6.5 media types required\n");
+      return;
+    }
+    // Codex P2 (v0.10.15) — real-authentication boundary BEFORE body
+    // collection. The operator-supplied `authenticate(req)` hook
+    // routes to mTLS peer-cert / IP-allowlist / signed-header /
+    // reverse-proxy header inspection. Sync-or-async; falsy → 401.
+    if (authenticate) {
+      var authPromise;
+      try { authPromise = Promise.resolve(authenticate(req)); }
+      catch (e) { authPromise = Promise.reject(e); }
+      authPromise.then(function (ok) {
+        if (!ok) {
+          _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", { reason: "unauthenticated" });
+          if (onRefuse) try { onRefuse("mail-tlsrpt/unauthenticated", "authenticate(req) returned falsy", req); }
+          catch (_e) { /* drop-silent */ }
+          res.writeHead(401, { "Content-Type": "text/plain", "Error-Type": "mail-tlsrpt/unauthenticated" });   // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+          res.end("authentication required\n");
+          return;
+        }
+        _collectAndProcess();
+      }, function (err) {
+        _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
+          reason: "auth-error", message: (err && err.message) || String(err),
+        });
+        if (onRefuse) try { onRefuse("mail-tlsrpt/auth-error", (err && err.message) || String(err), req); }
+        catch (_e) { /* drop-silent */ }
+        res.writeHead(500, { "Content-Type": "text/plain", "Error-Type": "mail-tlsrpt/auth-error" });   // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+        res.end("authenticate hook threw\n");
+      });
+      return;
+    }
+    _collectAndProcess();
+
+    function _collectAndProcess() {
+    var collector = safeBuffer.boundedChunkCollector({
+      maxBytes:   maxCompressed,
+      errorClass: MailDeployError,
+      sizeCode:   "mail-tlsrpt/oversize-compressed",
+    });
+    var aborted = false;
+    req.on("data", function (chunk) {
+      if (aborted) return;
+      try { collector.push(chunk); }
+      catch (e) {
+        aborted = true;
+        try { req.destroy(); } catch (_e) { /* best-effort */ }
+        _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
+          reason: "oversize-compressed", bytes: collector.bytesCollected(), cap: maxCompressed,
+        });
+        if (onRefuse) try { onRefuse("mail-tlsrpt/oversize-compressed", "body exceeded " + maxCompressed + " bytes", req); }
+        catch (_e) { /* drop-silent */ }
+        if (!res.headersSent) {
+          res.writeHead(413, { "Content-Type": "text/plain" });                                       // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+          res.end("RFC 8460 §5.4 — body exceeds " + maxCompressed + " bytes\n");
+        }
+        void e;   // _e shadowed by lower scope; mark intent
+      }
+    });
+    req.on("end", function () {
+      if (aborted) return;
+      var report;
+      try {
+        report = parseTlsRptReport(collector.result(), Object.assign({
+          contentType: ctRoot,
+        }, parseOpts));
+      } catch (e) {
+        var code = (e && e.code) || "mail-tlsrpt/unknown";
+        _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
+          reason: code, message: (e && e.message) || String(e),
+        });
+        if (onRefuse) try { onRefuse(code, (e && e.message) || String(e), req); }
+        catch (_e) { /* drop-silent */ }
+        var status = code === "mail-tlsrpt/oversize-compressed" ? 413
+                  : code === "mail-tlsrpt/gunzip-bomb"           ? 413
+                  : code === "mail-tlsrpt/ratio-bomb"             ? 413
+                  : code === "mail-tlsrpt/bad-content-type"       ? 415
+                  : 400;                                                                              // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+        res.writeHead(status, { "Content-Type": "text/plain", "Error-Type": code });
+        res.end("RFC 8460 §5.4 — refused: " + code + "\n");
+        return;
+      }
+      if (trusted && !trusted[report["organization-name"]]) {
+        _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
+          reason: "untrusted-reporter", reporter: report["organization-name"],
+        });
+        if (onRefuse) try { onRefuse("mail-tlsrpt/untrusted-reporter",
+          "reporter '" + report["organization-name"] + "' not in trustedReporters", req); }
+        catch (_e) { /* drop-silent */ }
+        res.writeHead(403, { "Content-Type": "text/plain", "Error-Type": "mail-tlsrpt/untrusted-reporter" });   // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+        res.end("RFC 8460 §5.3-class: untrusted reporter\n");
+        return;
+      }
+      var policyDomains = report.policies.map(function (p) {
+        return p && p.policy && p.policy["policy-domain"];
+      }).filter(Boolean);
+      _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "success", {
+        reporter:         report["organization-name"],
+        reportId:         report["report-id"],
+        policyDomains:    policyDomains,
+        sessionTotals:    report.sessionTotals,
+        policyCount:      report.policies.length,
+        wasCompressed:    report.wasCompressed,
+      });
+      if (onAccept) {
+        try {
+          var ret = onAccept(report, req);
+          if (ret && typeof ret.then === "function") {
+            ret.then(function () {
+              if (!res.headersSent) {
+                res.writeHead(201, { "Content-Type": "text/plain" });                                 // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+                res.end("RFC 8460 §5.4 — accepted\n");
+              }
+            }, function (_e) {
+              if (!res.headersSent) {
+                res.writeHead(500, { "Content-Type": "text/plain" });                                 // allow:raw-byte-literal — internal-error status
+                res.end("internal error processing report\n");
+              }
+            });
+            return;
+          }
+        } catch (_e) { /* fall through to 201 — operator hook is best-effort */ }
+      }
+      res.writeHead(201, { "Content-Type": "text/plain" });                                           // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+      res.end("RFC 8460 §5.4 — accepted\n");
+    });
+    req.on("error", function () {
+      if (aborted) return;
+      aborted = true;
+      _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", { reason: "req-error" });
+      if (!res.headersSent) {
+        res.writeHead(400, { "Content-Type": "text/plain" });                                         // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
+        res.end("malformed request\n");
+      }
+    });
+    }   // end _collectAndProcess
+  };
+}
+
+function _safeAuditEmit(handle, action, outcome, metadata) {
+  try {
+    var a = handle || audit();
+    if (a && typeof a.safeEmit === "function") {
+      a.safeEmit({ action: action, outcome: outcome, actor: {}, metadata: metadata });
+    }
+  } catch (_e) { /* drop-silent — audit failure must not block ingest */ }
+}
+
 module.exports = {
-  mtaStsPublish:    mtaStsPublish,
-  danePublish:      danePublish,
-  autoConfigXml:    autoConfigXml,
-  autoDiscoverXml:  autoDiscoverXml,
-  MailDeployError:  MailDeployError,
+  mtaStsPublish:       mtaStsPublish,
+  danePublish:         danePublish,
+  autoConfigXml:       autoConfigXml,
+  autoDiscoverXml:     autoDiscoverXml,
+  parseTlsRptReport:   parseTlsRptReport,
+  tlsRptReportSchema:  tlsRptReportSchema,
+  tlsRptIngestHttp:    tlsRptIngestHttp,
+  MailDeployError:     MailDeployError,
+  TlsRptParseError:    TlsRptParseError,
 };

package/lib/subject.js

@@ -635,16 +635,20 @@ function _subjectHash(subjectId) {
 
 function _writeAudit(action, subjectId, outcome, metadata) {
   // recordSafe — audit failure must not roll back the subject mutation
-  // that already touched the database. Best-effort emission with errors
-  // swallowed; operators see them in stderr if they fire.
-  audit.emit({
-    actor:    {},
-    action:   action,
-    resource: { kind: "subject", id: subjectId },
-    outcome:  outcome,
-    reason:   metadata && metadata.requestReason ? metadata.requestReason : null,
-    metadata: metadata || null,
-  });
+  // that already touched the database. Drop-silent per CLAUDE.md rule
+  // §5 (hot-path audit sinks): swallow any throw from audit.emit so a
+  // misconfigured sink doesn't crash a partially-committed subject
+  // mutation. Errors surface via the audit sink's own logger.
+  try {
+    audit.emit({
+      actor:    {},
+      action:   action,
+      resource: { kind: "subject", id: subjectId },
+      outcome:  outcome,
+      reason:   metadata && metadata.requestReason ? metadata.requestReason : null,
+      metadata: metadata || null,
+    });
+  } catch (_e) { /* drop-silent — audit emit failure must not block subject mutation */ }
 }
 
 function _resetForTest() { db.reset(); }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.10.13",
+  "version": "0.10.15",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:7f2411e6-1488-4a9f-954b-bef06640070c",
+  "serialNumber": "urn:uuid:3a0ed9ad-ab9e-433f-80ae-8bd6213c52d8",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-18T20:01:39.367Z",
+    "timestamp": "2026-05-19T02:11:46.591Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.10.13",
+      "bom-ref": "@blamejs/core@0.10.15",
       "type": "library",
       "name": "blamejs",
-      "version": "0.10.13",
+      "version": "0.10.15",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.10.13",
+      "purl": "pkg:npm/%40blamejs/core@0.10.15",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.10.13",
+      "ref": "@blamejs/core@0.10.15",
       "dependsOn": []
     }
   ]