@blamejs/core 0.10.2 → 0.10.4

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.10.x
 
+- v0.10.4 (2026-05-16) — **Mail-protocol hardening across the four listener primitives.** Ten refusals + two new operator-visible opts spanning `b.mail.server.{mx,submission,imap,pop3}`, `b.mail.server.rateLimit`, `b.safeMime`, `b.guardListUnsubscribe`. Layered on top of the v0.10.0 mail-stack baseline; addresses residual gaps in inbound RCPT enumeration, header-count amplification, POP3 UPDATE-state commit timeouts, list-unsubscribe URI shape, and the per-listener auth-failure / connection-rate maps. **(a) `b.mail.server.rateLimit.checkRcptAdmit(ip)` + `noteRcptFailure(ip)`** — new per-IP RCPT-failure budget (default 50/min, rolling 60s window) wired into the MX + submission listeners. RFC 5321 §3.5 enumeration class: an attacker probing `RCPT TO:` to map valid recipients now trips the budget after 50 failures and gets `421` for the next minute. Operators tune via `rateLimit.create({ rcptFailuresPerMinute, rcptWindowMs })`. **(b) `b.safeMime.parse({ maxHeaderCount })`** — new opt, default 512. Bounded header-count cap prevents `From: ...\r\nSubject: ...\r\n` × 100k header-list amplification in operator pipelines that pass full RFC 5322 messages through `safeMime.parse`. Refused with `safe-mime/too-many-headers` when exceeded. **(c) `b.mail.server.pop3.create({ commitTimeoutMs })`** — new opt, default `C.TIME.seconds(30)`. POP3 UPDATE-state commit (DELE materialization) now runs under `safeAsync.withTimeout` so a hung commit can no longer pin the connection past `idleTimeoutMs`. Past the cap, the connection gets `421` and the in-flight DELE batch is rolled back (RFC 1939 §6 — UPDATE state aborts on transport failure). **(d) `b.guardListUnsubscribe.validate`** refuses empty `<>` URI lists per RFC 2369 §3.1 (the `List-Unsubscribe` header value `<>` is a smuggled-empty class that downstream mail-renderers may interpret as an active unsubscribe link to the local-origin). **(e) `b.mail.server.rateLimit` GC sweep** — the previously asymmetric `connectionTimes` Map (filled in `noteConnection`, never explicitly cleaned) now sweeps empty arrays alongside the existing `authFailureTimes` cleanup. Closes a CWE-770 unbounded-memory class for long-running mail servers seeing transient IP fan-in. **(f) `b.mail.server.imap` `_close()` writes `state.stage = "closed"`** — the drain-loop guard was previously unreachable because the close path didn't update the state machine. Operators on the older path saw `state.stage === "authenticated"` linger after socket close; the new path resolves cleanly. **(g) `b.mail.server.imap` per-line cap before `Buffer.concat`** — closes a CWE-770 unbounded-`Buffer.concat` class on the IMAP line accumulator (the cap was applied AFTER concat, so a malicious peer could send 10 GiB of unterminated tag bytes and the listener would allocate before refusing). Per-line cap now gates the concat. **(h) `b.mail.server.pop3` `_handleApop` cleartext refusal** — APOP gets the same `!state.tls && profile !== "permissive"` refusal as USER / PASS, closing the cleartext-credentials gap symmetric to the other auth verbs (RFC 1939 §7 APOP MD5 is also cleartext in transit). **(i) `b.mail.server.pop3` RETR / TOP dot-stuffing via `safeSmtp.dotStuff(buf)`** — the prior `.replace(/^\./gm, "..")` on a JS string treats bare LF as a line boundary, so bodies containing bare-LF lines starting with `.` gained spurious stuffing that the receiver's strict-CRLF parser couldn't undo. Routes through the byte-level dot-stuffer that only recognizes canonical `\r\n` (RFC 1939 §3 / RFC 5321 §4.5.2). **(j) `b.mail.store` deletion atomicity** — sealed deletion no longer leaves partial state when the in-memory delete succeeds but the disk flush fails (CWE-707 — transactional integrity). **(k) `b.mail.server.submission` cleartext-AUTH audit** — the `auth_success` audit emit captures the `mechanism` field before nulling `authPending` (was recording `null`); operators tailing the audit log now see which SASL mechanism succeeded. **(l) Codebase-patterns** — new `family-subset` entry covering the rate-limit admit-check shape across `mail-server-{imap,mx,submission}` so the contract is enforced at every listener (every primitive that opens a peer socket on a mail port must consult the rate limiter before sending the greeting). **Operator impact:** `b.mail.server.rateLimit` consumers see a new public surface (`checkRcptAdmit` / `noteRcptFailure`); existing operators who don't wire these get the framework default (50/min). `b.safeMime.parse` callers with >512-header messages now get `safe-mime/too-many-headers` — operators with bespoke headers (DMARC aggregate reports can run into hundreds of `Authentication-Results`) opt up via `maxHeaderCount: 4096` per call. POP3 operators see a new `commitTimeoutMs` opt — default applies retroactively. References: [RFC 5321 §3.5](https://www.rfc-editor.org/rfc/rfc5321#section-3.5), [RFC 5322](https://www.rfc-editor.org/rfc/rfc5322), [RFC 1939](https://www.rfc-editor.org/rfc/rfc1939), [RFC 2369 §3.1](https://www.rfc-editor.org/rfc/rfc2369#section-3.1), [CWE-770](https://cwe.mitre.org/data/definitions/770.html), [CWE-707](https://cwe.mitre.org/data/definitions/707.html).
+- v0.10.3 (2026-05-16) — **`b.crypto` hardening — three entry-tier refusals on hot paths.** **(a) `b.crypto.timingSafeEqual` rejects non-Buffer / non-string inputs** — previous `Buffer.from(String(x))` coercion let a prototype-pollution-influenced caller (an Object whose `toString` returns attacker-chosen bytes) redirect the compare through bytes unrelated to the supplied value. Now throws `TypeError` at the entry boundary; string args use explicit `Buffer.from(s, "utf8")` instead of bare coercion. **(b) `b.crypto.hashCertFingerprint` caps PEM input at 64 KiB** — the `/-----BEGIN .+? -----END/` lazy-quantifier on this hot path (mTLS bootstrap / webhook verification / peer-cert pinning) is polynomial-ReDoS-class on multi-MB attacker-controlled input ([CodeQL js/polynomial-redos](https://codeql.github.com/codeql-query-help/javascript/js-polynomial-redos/)). 64 KiB covers a P-384 cert + full chain at ~3× margin; larger inputs throw `TypeError` before the regex runs. **(c) `b.crypto.namespaceHash` refuses CR / LF in string-typed `value`** — closes a log-injection / record-separator surface where an attacker-controlled HTTP header (e.g. `Idempotency-Key`) could smuggle line-break bytes into any consumer that logs the value verbatim before hashing (debug paths, audit envelopes, derived-column shadow logs). NUL is NOT refused — multiple internal callers (`b.agent.idempotency` / `b.mail.greylist` / `b.middleware.composePipeline`) use NUL as a composite-key separator, and NUL is not a log-injection byte in any standard logger. `Buffer` / `Uint8Array` inputs remain operator-side opaque bytes by contract — `namespaceHash` digests them as raw bytes, not as text, so the control-char gate does not apply there either. **Operator impact:** any caller passing a number / Object / boolean to `b.crypto.timingSafeEqual` now throws at the entry boundary instead of silently comparing coerced bytes — the API contract was already documented as Buffer-or-string, this enforces it. PEM strings larger than 64 KiB to `b.crypto.hashCertFingerprint` now throw — operators with bespoke multi-cert bundles split the inputs before calling. `namespaceHash` callers passing strings with embedded CR / LF now throw — operators ingesting attacker-influenced text validate / strip line-break bytes at the boundary, or hash opaque bytes via `Buffer` / `Uint8Array`. References: [OWASP Log Injection](https://owasp.org/www-community/attacks/Log_Injection), [CWE-117](https://cwe.mitre.org/data/definitions/117.html), [CWE-1333 ReDoS](https://cwe.mitre.org/data/definitions/1333.html).
 - v0.10.2 (2026-05-16) — **CVE backstops layered on top of v0.10.0.** Five additional refusals across `b.guardRegex`, `b.otelExport`, `b.guardXml`, `b.guardGraphql`, plus a host-side ingress route for `b.cli`. Every change is opt-out (refusal at every profile); no API removals. **(a) `b.guardRegex` glob-shape detectors with explicit `inputKind` gate** — new `consecutiveStarPolicy` + `nestedExtglobPolicy` (defaults `"reject"`) + `maxConsecutiveStars` (default 2) + `inputKind: "regex" | "glob"` (default `"regex"`). The glob-shape detectors fire ONLY when the caller passes `inputKind: "glob"` — ECMAScript regex syntax cannot produce `***` (SyntaxError) and the extglob heads `*(`/`+(`/`?(`/`@(`/`!(`  collide with valid `quantifier + capturing group` shapes, so applying these detectors to regex inputs is false-positive territory. Callers handling glob fragments (picomatch / micromatch-style patterns) opt in via `inputKind: "glob"` and get refusals for ≥3 consecutive `*` metacharacters ([CVE-2026-26996](https://nvd.nist.gov/vuln/detail/CVE-2026-26996) — O(4^N) backtracking on non-matching literal) and for any extglob whose body contains another extglob ([CVE-2026-33671](https://nvd.nist.gov/vuln/detail/CVE-2026-33671) — picomatch nested-quantifier backtracking). `**` recursive-glob stays permitted under `maxConsecutiveStars: 2`. **(b) `b.cli --ignore` ReDoS ingress closure** — `cli --ignore <pattern>` arguments route through `b.guardRegex.sanitize({ profile: "strict" })` before reaching `new RegExp(pattern)`. Strict-profile refusal of nested-quantifier / lookaround-quantifier / unbounded-bounded-repeat shapes still applies in default `inputKind: "regex"` mode, closing the host-side surface for the classic ReDoS classes. **(c) `b.otelExport.flush()` response cap** — every outbound OTLP request now pins `maxResponseBytes: 1 MiB` + a typed `errorClass`, so a malicious / misconfigured collector cannot exhaust memory in the export loop ([CVE-2026-40891](https://nvd.nist.gov/vuln/detail/CVE-2026-40891) / [CVE-2026-40182](https://nvd.nist.gov/vuln/detail/CVE-2026-40182) class). **(d) `b.guardXml` numeric-character-reference fan-out cap** — new `maxNumericCharRefs` opt (strict 1024 / balanced 16384 / permissive 262144). NCRs are counted independently of `entityPolicy`, so a signed-XML path that legitimately permits entity expansion cannot accidentally disable the NCR cap ([CVE-2026-26278](https://nvd.nist.gov/vuln/detail/CVE-2026-26278) / [CVE-2026-33036](https://nvd.nist.gov/vuln/detail/CVE-2026-33036) — billion-NCR fan-out class). **(e) `b.guardGraphql` prototype-pollution refusal** — refuses `__proto__` / `constructor` / `prototype` as top-level variable keys (`Object.prototype.hasOwnProperty.call(variables, ...)` check, sidesteps a poisoned-prototype `in` lookup) AND as field / alias / `$variable` identifiers in the query body, including the no-whitespace alias form `query { a:__proto__ }` (the colon is a valid identifier-position prefix). Refused at every profile, severity `critical` ([CVE-2026-32621](https://nvd.nist.gov/vuln/detail/CVE-2026-32621) class). **(f) `b.auth.sdJwtVc.present()` defense-in-depth comment** — documents that the holder-side pre-parse of `_sd_alg` reads from unsigned bytes safely because `verify()` re-parses from the cryptographically-verified signing input; no behavioral change. **Regression coverage** — `test/fixtures/exploit-corpus/corpus.json` gains four entries: glob-mode positive refusal for `***+nonmatch` and `*(*(a))`, regex-mode pass for `a*(b+(c))` (false-positive class the design refused to ship), and the colon-prefix GraphQL alias `query { a:__proto__ }`. **Operator impact:** existing operators see no change in default behavior — the new glob detectors are opt-in via `inputKind: "glob"`. Operators wiring `b.guardRegex` over glob fragments (file-pattern allowlists, rsync-style rules) opt in and get the CVE-2026-26996 / -33671 refusals; opt back out per call via `consecutiveStarPolicy: "allow"` / `nestedExtglobPolicy: "allow"`. `b.guardXml` operators on signed-XML pipelines opt out via `maxNumericCharRefs: Infinity` if they bound NCRs upstream. GraphQL variable / query-body refusals are not opt-out — `__proto__` / `constructor` / `prototype` are never legitimate identifiers in operator-supplied input. References: [picomatch CVE-2024-4067 family](https://nvd.nist.gov/vuln/detail/CVE-2024-4067), [OWASP ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS), [OWASP XXE / Billion Laughs](https://owasp.org/www-community/vulnerabilities/XML_Entity_Expansion), [GraphQL Server Security Best Practices](https://www.apollographql.com/docs/router/configuration/overview/).
 - v0.10.1 (2026-05-16) — **First npm-published v0.10.x artifact.** v0.10.0 was tagged + released on GitHub but its npm-publish workflow OOM'd at the lint+smoke gate (default Node ~4GB heap couldn't load the expanded mail-stack + audit-fix test surface). v0.10.1 adds `NODE_OPTIONS=--max-old-space-size=8192` to the workflow's smoke step so the parent process gets the same headroom the forked test workers already get. No runtime / API changes from v0.10.0 — every primitive, posture, and security default ships exactly as documented in the v0.10.0 release notes below. Operators who fetched the v0.10.0 git tag can re-tag from v0.10.1 (`git fetch origin v0.10.1`) to land on the npm-published commit; the framework code itself is byte-identical apart from the workflow file + version bump.
 - v0.10.0 (2026-05-16) — **Mail-stack feature-complete + cross-surface hardening.** Bundled minor closing the blamepost mail-stack roadmap (five new operator-facing namespaces) plus a multi-domain hardening sweep across auth / crypto / vendor data / mail-protocol / mail-auth / agent substrate / Node.js CVE backstops.

package/lib/crypto.js

@@ -55,6 +55,11 @@ var C = require("./constants");
 // require() inside setImmediate (top-of-file requires per rule §3).
 var lazyRequire = require("./lazy-require");
 var audit       = lazyRequire(function () { return require("./audit"); });
+// safe-buffer hosts the canonical hasCrlf(s) helper used by every
+// log-injection / CRLF-smuggling refusal in the framework. Lazy-
+// loaded because safe-buffer.js itself imports b.crypto for
+// hex-compare helpers (circular).
+var safeBuffer  = lazyRequire(function () { return require("./safe-buffer"); });
 
 // Streaming-hash algorithm allowlist. Mirrors the framework's PQC-
 // first crypto policy: SHA3 / SHAKE family is the default surface;
@@ -399,12 +404,15 @@ function generateKeyPair(algorithm, options) {
  * @since     0.1.0
  * @related   b.crypto.hmacSha3
  *
- * Constant-time equality comparison. Coerces non-Buffer inputs via
- * `Buffer.from(String(...))`, returns `false` immediately when lengths
- * differ (length itself is not a secret), then routes equal-length
- * inputs through `crypto.timingSafeEqual`. Use when comparing HMAC
- * digests, session tokens, password-reset codes, or any
- * attacker-influenced value where a timing oracle would leak bits.
+ * Constant-time equality comparison. Accepts only Buffer or string
+ * inputs — non-string non-Buffer arguments throw at the entry tier so
+ * a `Object.prototype.toString`-poisoned caller can't redirect the
+ * compare through arbitrary attacker-controlled bytes. Returns
+ * `false` immediately when lengths differ (length itself is not a
+ * secret), then routes equal-length inputs through
+ * `crypto.timingSafeEqual`. Use when comparing HMAC digests, session
+ * tokens, password-reset codes, or any attacker-influenced value
+ * where a timing oracle would leak bits.
  *
  * @example
  *   var expected = b.crypto.hmacSha3("server-key", "payload");
@@ -413,8 +421,25 @@ function generateKeyPair(algorithm, options) {
  *   // → true when bytes match, false otherwise (no early exit on mismatch)
  */
 function timingSafeEqual(a, b) {
-  var bufA = Buffer.isBuffer(a) ? a : Buffer.from(String(a));
-  var bufB = Buffer.isBuffer(b) ? b : Buffer.from(String(b));
+  // Entry-tier validation. The prior `Buffer.from(String(x))` coercion
+  // let a prototype-pollution-influenced caller (Object whose toString
+  // returns attacker-chosen bytes) redirect the compare through bytes
+  // that have nothing to do with the supplied value. Refuse any
+  // non-string non-Buffer input outright.
+  if (!Buffer.isBuffer(a) && typeof a !== "string") {
+    throw new TypeError(
+      "crypto.timingSafeEqual: argument 'a' must be a Buffer or string, got " +
+      (a === null ? "null" : typeof a)
+    );
+  }
+  if (!Buffer.isBuffer(b) && typeof b !== "string") {
+    throw new TypeError(
+      "crypto.timingSafeEqual: argument 'b' must be a Buffer or string, got " +
+      (b === null ? "null" : typeof b)
+    );
+  }
+  var bufA = Buffer.isBuffer(a) ? a : Buffer.from(a, "utf8");
+  var bufB = Buffer.isBuffer(b) ? b : Buffer.from(b, "utf8");
   if (bufA.length !== bufB.length) return false;
   return nodeCrypto.timingSafeEqual(bufA, bufB);
 }
@@ -581,8 +606,10 @@ function namespaceHash(prefix, value, opts) {
   // caller surfaces the type error explicitly rather than silently
   // hashing `[object Object]`.
   var valueStr;
+  var valueWasString = false;
   if (typeof value === "string") {
     valueStr = value;
+    valueWasString = true;
   } else if (Buffer.isBuffer(value)) {
     valueStr = value.toString("utf8");
   } else if (value instanceof Uint8Array) {
@@ -592,6 +619,25 @@ function namespaceHash(prefix, value, opts) {
       "crypto.namespaceHash: value must be a string, Buffer, or Uint8Array"
     );
   }
+  // Refuse CR / LF in string-typed values. The prior gap let an
+  // attacker-controlled string `value` (e.g. an HTTP header that
+  // becomes an Idempotency-Key) smuggle log-injection / record-
+  // separator bytes into any consumer that logs the value verbatim
+  // before hashing (debug paths, audit envelopes, derived-column
+  // shadow logs). NUL is NOT refused — multiple internal callers
+  // use NUL as a composite-key separator (`method\0actorId\0key`
+  // shape in agent-idempotency / mail-greylist / compose-pipeline),
+  // and NUL is not a log-injection byte in any standard logger. NUL
+  // in operator-supplied content is the operator-boundary
+  // responsibility. Buffer / Uint8Array inputs remain operator-side
+  // opaque bytes by contract — namespaceHash treats them as raw
+  // bytes to be digested without rendering, so the control-char
+  // gate does not apply there either.
+  if (valueWasString && safeBuffer().hasCrlf(valueStr)) {
+    throw new TypeError(
+      "crypto.namespaceHash: value (string-typed) contains CR / LF — refuse"
+    );
+  }
   return hash(prefix + ":" + valueStr, "sha3-512").toString("hex");
 }
 
@@ -1664,6 +1710,20 @@ function _pemToDer(pemOrDer) {
   if (typeof pemOrDer !== "string") {
     throw new TypeError("crypto.hashCertFingerprint: input must be a Buffer (DER) or a PEM-encoded string");
   }
+  // Bound the regex input. The /-----BEGIN .+? -----END/ pattern is
+  // lazy-quantified, which CodeQL flags as polynomial-ReDoS
+  // (js/polynomial-redos) when fed multi-MB attacker-controlled input
+  // — every backtrack step is O(n) and the pattern is on a hot path
+  // for mTLS bootstrap / webhook verification / peer-cert pinning.
+  // 64 KiB caps the largest plausible PEM (a P-384 cert + chain) at
+  // ~3× margin while refusing pathological inputs outright.
+  if (pemOrDer.length > C.BYTES.kib(64)) {
+    throw new TypeError(
+      "crypto.hashCertFingerprint: PEM input exceeds 64 KiB (" +
+      pemOrDer.length + " bytes); refuse oversized input to avoid " +
+      "polynomial-ReDoS on the BEGIN/END marker regex"
+    );
+  }
   var match = pemOrDer.match(/-----BEGIN [A-Z0-9 ]+-----([\s\S]+?)-----END [A-Z0-9 ]+-----/);
   if (!match) {
     throw new TypeError("crypto.hashCertFingerprint: PEM input lacks BEGIN/END markers");

package/lib/guard-list-unsubscribe.js

@@ -197,6 +197,15 @@ function validate(headers, opts) {
   var hasMailtoUri = false;
   for (var i = 0; i < uriParts.length; i += 1) {
     var u = uriParts[i];
+    // RFC 2369 §3.1 — the URI between `<` and `>` is REQUIRED. An
+    // empty `<>` is grammatically invalid + carries no unsubscribe
+    // semantics; the earlier shape accepted it and downstream URI-
+    // dispatch decisions treated it as a scheme-less URI rather than
+    // refusing the whole header.
+    if (u.length === 0) {
+      return _verdict("refuse", "List-Unsubscribe contains empty `<>` URI (RFC 2369 §3.1)",
+        { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });
+    }
     if (Buffer.byteLength(u, "utf8") > caps.maxUriBytes) {
       return _verdict("refuse", "URI '" + _trunc(u) + "' exceeds maxUriBytes=" + caps.maxUriBytes,
         { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });

package/lib/mail-server-imap.js

@@ -747,9 +747,17 @@ function create(opts) {
         if (typeof mailStore.selectFolder === "function") {
           return mailStore.selectFolder(state.actor, name, { readOnly: examine });
         }
-        // Fallback shape — operators without selectFolder get a minimal
-        // OK with sentinel UIDVALIDITY 1.
-        return { exists: 0, recent: 0, uidvalidity: 1, uidnext: 1, modseq: 0, flags: [] };
+        // RFC 9051 §2.3.1.1 — UIDVALIDITY MUST be strictly increasing
+        // and 32-bit unique across the mailbox lifetime. The earlier
+        // fallback returned a sentinel `uidvalidity: 1` to keep tests
+        // green when the operator hadn't wired `selectFolder`, but the
+        // sentinel value collides with any real UIDVALIDITY=1 from a
+        // legitimate backend and tricks clients into believing they
+        // have a valid synced state. Refuse SELECT instead — operators
+        // MUST wire `mailStore.selectFolder` to expose mailboxes.
+        var err = new Error("mailStore.selectFolder is not configured (RFC 9051 §2.3.1.1 requires a unique strictly-increasing UIDVALIDITY)");
+        err.code = "mail-server-imap/no-select-backend";
+        throw err;
       })
       .then(function (info) {
         state.selectedMailbox = name;
@@ -855,6 +863,37 @@ function create(opts) {
     }
     Promise.resolve()
       .then(function () {
+        // RFC 9208 — when the backend exposes a per-mailbox / per-user
+        // quota, APPEND MUST check against it BEFORE writing the
+        // message. The earlier shape called `appendMessage` directly,
+        // leaving quota enforcement entirely up to the backend; an
+        // operator wiring a bare `appendMessage` without quota plumbing
+        // could be DoS'd via unbounded APPENDs filling the mailbox
+        // beyond the advertised QUOTA limit. Honor `mailStore.quota`
+        // (RFC 9208 GETQUOTA / IMAP-QUOTA returns the same shape) and
+        // surface 5.7.4 OVERQUOTA per §5.
+        if (typeof mailStore.quota === "function") {
+          // mailStore.quota(folderName) returns
+          // { usedBytes, usedCount, capBytes, capCount } per the
+          // lib/mail-store.js contract. capBytes is null when no
+          // quota is configured for the folder; honor it only when
+          // it's a positive number.
+          return Promise.resolve(mailStore.quota(name))
+            .then(function (q) {
+              if (q && typeof q.usedBytes === "number" &&
+                  typeof q.capBytes === "number" &&
+                  q.capBytes > 0 &&
+                  q.usedBytes + literalBody.length > q.capBytes) {
+                var err = new Error("APPEND would exceed quota (used " + q.usedBytes +
+                  " + " + literalBody.length + " > cap " + q.capBytes + ")");
+                err.code = "mail-server-imap/overquota";
+                err.overquota = true;
+                err.limit = q.capBytes;
+                throw err;
+              }
+              return mailStore.appendMessage(name, literalBody, { actor: state.actor, flags: flags });
+            });
+        }
         return mailStore.appendMessage(name, literalBody, { actor: state.actor, flags: flags });
       })
       .then(function (info) {
@@ -864,6 +903,10 @@ function create(opts) {
         _writeTagged(socket, tag, "OK " + token + "APPEND completed");
       })
       .catch(function (err) {
+        if (err && err.overquota) {
+          _writeTagged(socket, tag, "NO [OVERQUOTA] Quota exceeded (RFC 9208 §5)");
+          return;
+        }
         _writeTagged(socket, tag, "NO " + ((err && err.message) || "Append failed").slice(0, ERR_CLAMP));
       });
   }

package/lib/mail-server-mx.js

@@ -660,8 +660,24 @@ function create(opts) {
           "4.5.3 Too many recipients (limit " + maxRcptsPerMsg + ")");
         return;
       }
+      // RFC 5321 §3.5 — RCPT-TO 550 vs 250 surfaces a mailbox-existence
+      // oracle. Once the per-IP recipient-failure cap is reached, the
+      // listener returns 421 + closes so the IP backs off; without this
+      // a scanner can RCPT-TO-flood the listener to enumerate every
+      // valid local recipient at the bare cost of an SMTP greeting.
+      var rcptAdmit = rateLimit.checkRcptAdmit(state.remoteAddress);
+      if (!rcptAdmit.ok) {
+        _emit("mail.server.mx.rcpt_rate_limit_refused",
+          { connectionId: state.id, remoteAddress: state.remoteAddress,
+            reason: rcptAdmit.reason }, "denied");
+        _writeReply(socket, REPLY_421_SERVICE_NOT_AVAIL,
+          "4.7.0 Too many RCPT failures from your IP");
+        _closeConnection(socket);
+        return;
+      }
       var match = line.match(RE_RCPT_TO);
       if (!match) {
+        rateLimit.noteRcptFailure(state.remoteAddress);
         _writeReply(socket, REPLY_501_BAD_ARGS, "5.5.4 Syntax: RCPT TO:<address>");
         return;
       }
@@ -675,6 +691,7 @@ function create(opts) {
       if (rcptDomain && rcptDomain[0] !== "[" && guardDomainProfile) {
         var rcptVerdict = _validateDomainHardened(rcptDomain, "rcpt_to");
         if (!rcptVerdict.ok) {
+          rateLimit.noteRcptFailure(state.remoteAddress);
           _writeReply(socket, REPLY_501_BAD_ARGS,
             "5.5.4 RCPT TO domain refused (" +
             (rcptVerdict.issues && rcptVerdict.issues[0] && rcptVerdict.issues[0].kind) + ")");
@@ -686,6 +703,7 @@ function create(opts) {
       if (localDomains.length > 0) {
         if (localDomains.indexOf(rcptDomain) === -1 &&
             !_isRelayAllowed(state.remoteAddress, rcpt)) {
+          rateLimit.noteRcptFailure(state.remoteAddress);
           _emit("mail.server.mx.relay_refused",
             { connectionId: state.id, mailFrom: state.mailFrom, rcptTo: rcpt,
               remoteAddress: state.remoteAddress }, "denied");

package/lib/mail-server-pop3.js

@@ -112,6 +112,7 @@ var guardPop3Command = require("./guard-pop3-command");
 var mailServerRateLimit = require("./mail-server-rate-limit");
 var mailServerTls = require("./mail-server-tls");
 var safeSmtp = require("./safe-smtp");
+var safeAsync = require("./safe-async");
 var { defineClass } = require("./framework-error");
 
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -120,6 +121,13 @@ var MailServerPop3Error = defineClass("MailServerPop3Error", { alwaysPermanent:
 
 var DEFAULT_MAX_LINE_BYTES   = 1024;                                                                  // allow:raw-byte-literal — RFC 2449 §4 line cap (permissive)
 var DEFAULT_IDLE_TIMEOUT_MS  = C.TIME.minutes(10);
+// RFC 1939 §6 — UPDATE-state commit (the actual delete on QUIT) is
+// the only place the backend writes; a hung commitPop3Drop leaves
+// the connection in update-state forever, defeating the idle timeout
+// (the socket is awaiting the .then(), not blocked on socket I/O).
+// Bound the commit; on timeout the connection closes with -ERR and
+// the next session re-attempts the commit.
+var DEFAULT_COMMIT_TIMEOUT_MS = C.TIME.seconds(30);
 var DEFAULT_GREETING_VENDOR  = "blamejs POP3";
 
 var ERR_CLAMP = 200;                                                                                  // allow:raw-byte-literal — protocol-reply error-message clamp
@@ -141,6 +149,7 @@ var ERR_CLAMP = 200;
  *   greeting:          string,                   // default "blamejs POP3"
  *   maxLineBytes:      number,                   // default 1024
  *   idleTimeoutMs:     number,                   // default 10 min
+ *   commitTimeoutMs:   number,                   // default 30 s (UPDATE-state mailStore.commitPop3Drop cap)
  *   profile:           "strict" | "balanced" | "permissive",
  *   auth: {
  *     mechanisms:      ["PLAIN"],                 // SASL mechs to advertise
@@ -177,12 +186,13 @@ function create(opts) {
       "getMessage/listMessages/markDelete; compose b.mailStore.create or operator-supplied backend)");
   }
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
-    ["maxLineBytes", "idleTimeoutMs"],
+    ["maxLineBytes", "idleTimeoutMs", "commitTimeoutMs"],
     "mail.server.pop3.", MailServerPop3Error, "mail-server-pop3/bad-bound");
 
   var greeting        = opts.greeting        || DEFAULT_GREETING_VENDOR;
   var maxLineBytes    = opts.maxLineBytes    || DEFAULT_MAX_LINE_BYTES;
   var idleTimeoutMs   = opts.idleTimeoutMs   || DEFAULT_IDLE_TIMEOUT_MS;
+  var commitTimeoutMs = opts.commitTimeoutMs || DEFAULT_COMMIT_TIMEOUT_MS;
   var profile         = opts.profile         || "strict";
   var authConfig      = opts.auth            || null;
   var mailStore       = opts.mailStore;
@@ -397,7 +407,7 @@ function create(opts) {
     // refuses USER over cleartext under strict at the wire boundary,
     // but balanced/permissive operators previously reached this path
     // and accepted a plaintext password. Refuse here too so a guard
-    // relax doesn't open BUG-11/MAIL-37 (cleartext credentials in
+    // relax doesn't open (cleartext credentials in
     // POP3 USER/PASS) by composition. Permissive operators opt out
     // by explicitly setting profile: "permissive".
     if (!state.tls && profile !== "permissive") {
@@ -421,7 +431,7 @@ function create(opts) {
       _writeErr(socket, "AUTH not configured on this listener");
       return;
     }
-    // BUG-11 / MAIL-37 — refuse PASS over cleartext when not permissive.
+    // refuse PASS over cleartext when not permissive.
     // USER already gated above, but this is defense-in-depth in case the
     // USER guard was bypassed by a future codepath.
     if (!state.tls && profile !== "permissive") {
@@ -540,6 +550,13 @@ function create(opts) {
     // configuration where the gate was relaxed but the AUTH path
     // still receives traffic).
     if (!state.tls && profile === "strict") {
+      // Count cleartext-AUTH refusal against the auth-failure budget
+      // so scanners that probe for plaintext-mech tolerance hit the
+      // same per-IP cap that protects PASS / APOP. Without this, a
+      // scanner could enumerate auth mechanisms freely (the refusal
+      // itself was free) and shop for the first wire-protocol path
+      // the listener honored.
+      rateLimit.noteAuthFailure(state.remoteAddress);
       _emit("mail.server.pop3.auth_refused_cleartext",
         { connectionId: state.id, verb: "AUTH", mech: args[0] }, "denied");
       _writeErr(socket, "AUTH refused over cleartext (use STLS first; RFC 2595 §2.1)");
@@ -605,8 +622,18 @@ function create(opts) {
       return;
     }
     state.stage = "update";
-    Promise.resolve()
-      .then(function () { return mailStore.commitPop3Drop(state.actor, state.dropId); })
+    // RFC 1939 §6 — bound the UPDATE-state commit. A hung backend
+    // (DB row-lock / replica failover / sealed-row unseal stuck on a
+    // KMS call) otherwise leaves the connection in update-state past
+    // the socket idleTimeoutMs (which guards inbound bytes, not
+    // pending Promises).
+    safeAsync.withTimeout(
+      Promise.resolve().then(function () {
+        return mailStore.commitPop3Drop(state.actor, state.dropId);
+      }),
+      commitTimeoutMs,
+      { label: "mail.server.pop3.commitPop3Drop" }
+    )
       .then(function (info) {
         _emit("mail.server.pop3.update_commit",
           { connectionId: state.id, deleted: (info && info.deleted) || 0 });
@@ -614,6 +641,8 @@ function create(opts) {
         _close(socket);
       })
       .catch(function (err) {
+        _emit("mail.server.pop3.update_commit_failed",
+          { connectionId: state.id, error: (err && err.message) || String(err) }, "failure");
         _writeErr(socket, "Commit failed: " + ((err && err.message) || "backend error").slice(0, ERR_CLAMP));
         _close(socket);
       });
@@ -740,7 +769,7 @@ function create(opts) {
       .then(function (msg) {
         if (!msg) { _writeErr(socket, "no such message"); return; }
         _writeOk(socket, "headers + " + headerLines + " body lines");
-        // MAIL-15 — see _handleRetr; same byte-level CRLF-aware
+        // see _handleRetr; same byte-level CRLF-aware
         // dot-stuffing primitive for the TOP partial-body path.
         var bodyBuf = msg.rawBytes
           ? msg.rawBytes

package/lib/mail-server-rate-limit.js

@@ -99,11 +99,20 @@ var DEFAULTS = Object.freeze({
   connectionsPerIpPerMinute:     60,                                                                  // allow:raw-time-literal — connection count, not a time value
   authFailuresPerIpPer15Min:     10,
   minBytesPerSecond:             100,                                                                 // allow:raw-byte-literal — slow-loris byte-rate floor
+  // RCPT-TO recipient-failure cap defends against the 550-vs-250
+  // enumeration shape (RFC 5321 §3.5 — RCPT-TO surfaces the
+  // mailbox-exists oracle; an attacker that hammers RCPT TO can
+  // enumerate a domain's mailbox map without ever sending DATA).
+  // Per-IP, per-minute. Tuned higher than auth-failure since
+  // legitimate senders can RCPT-TO multiple recipients per message;
+  // operator overrides via `rcptFailuresPerIpPerMinute`.
+  rcptFailuresPerIpPerMinute:    50,                                                                  // allow:raw-byte-literal — RCPT enumeration bound
   disabled:                      false,
 });
 
 var CONNECTION_RATE_WINDOW_MS = C.TIME.minutes(1);
 var AUTH_FAILURE_WINDOW_MS    = C.TIME.minutes(15);
+var RCPT_FAILURE_WINDOW_MS    = C.TIME.minutes(1);
 
 /**
  * @primitive b.mail.server.rateLimit.create
@@ -124,6 +133,7 @@ var AUTH_FAILURE_WINDOW_MS    = C.TIME.minutes(15);
  *   connectionsPerIpPerMinute:     number,   // default 60
  *   authFailuresPerIpPer15Min:     number,   // default 10
  *   minBytesPerSecond:             number,   // default 100 (DATA-body slow-loris floor)
+ *   rcptFailuresPerIpPerMinute:    number,   // default 50 (RCPT 550 enumeration bound)
  *   disabled:                      boolean,  // default false — test escape hatch
  *
  * @example
@@ -145,6 +155,7 @@ function create(opts) {
     "connectionsPerIpPerMinute",
     "authFailuresPerIpPer15Min",
     "minBytesPerSecond",
+    "rcptFailuresPerIpPerMinute",
   ], "b.mail.server.rateLimit.create.", MailServerRateLimitError, "mail-server-rate-limit/bad-bound");
   validateOpts.optionalBoolean(opts.disabled,
     "b.mail.server.rateLimit.create: opts.disabled",
@@ -159,6 +170,8 @@ function create(opts) {
       ? DEFAULTS.authFailuresPerIpPer15Min : opts.authFailuresPerIpPer15Min,
     minBytesPerSecond: opts.minBytesPerSecond === undefined
       ? DEFAULTS.minBytesPerSecond : opts.minBytesPerSecond,
+    rcptFailuresPerIpPerMinute: opts.rcptFailuresPerIpPerMinute === undefined
+      ? DEFAULTS.rcptFailuresPerIpPerMinute : opts.rcptFailuresPerIpPerMinute,
     disabled: opts.disabled === true,
   };
 
@@ -170,6 +183,7 @@ function create(opts) {
   var concurrentByIp   = new Map();        // ip → integer count
   var connectionTimes  = new Map();        // ip → [timestampMs, ...]
   var authFailureTimes = new Map();        // ip → [timestampMs, ...]
+  var rcptFailureTimes = new Map();        // ip → [timestampMs, ...]
 
   function _pruneWindow(arr, windowMs) {
     var cutoff = Date.now() - windowMs;
@@ -210,7 +224,7 @@ function create(opts) {
     var concurrent = concurrentByIp.get(ip) || 0;
     if (concurrent <= 1) concurrentByIp.delete(ip);
     else concurrentByIp.set(ip, concurrent - 1);
-    // BUG-2 — CWE-400. authFailureTimes auto-deletes when its array
+    // CWE-400. authFailureTimes auto-deletes when its array
     // empties in checkAuthAdmit; connectionTimes was the asymmetric
     // case. Sweep this IP's rate-window now that it has released its
     // last concurrent slot: if the per-minute window has fully
@@ -249,6 +263,36 @@ function create(opts) {
     times.push(Date.now());
   }
 
+  // RFC 5321 §3.5 — RCPT TO 550 vs 250 responses surface a mailbox-
+  // existence oracle. An IP that issues many RCPT-TO commands receiving
+  // 550 should hit the same admit / refuse shape used for AUTH failures.
+  // checkRcptAdmit returns ok=false once the per-minute cap is reached;
+  // listeners then return a transient 421 (close + back off) instead of
+  // continuing to surface the per-recipient oracle.
+  function checkRcptAdmit(ip) {
+    if (cfg.disabled) return { ok: true };
+    var times = rcptFailureTimes.get(ip);
+    if (!times) return { ok: true };
+    _pruneWindow(times, RCPT_FAILURE_WINDOW_MS);
+    if (times.length === 0) {
+      rcptFailureTimes.delete(ip);
+      return { ok: true };
+    }
+    if (times.length >= cfg.rcptFailuresPerIpPerMinute) {
+      _audit("mail.server.rate_limit.rcpt_refused", "denied",
+        { reason: "rcpt-failures-per-ip", ip: ip, cap: cfg.rcptFailuresPerIpPerMinute });
+      return { ok: false, reason: "rcpt-failures-per-ip" };
+    }
+    return { ok: true };
+  }
+
+  function noteRcptFailure(ip) {
+    if (cfg.disabled) return;
+    var times = rcptFailureTimes.get(ip);
+    if (!times) { times = []; rcptFailureTimes.set(ip, times); }
+    times.push(Date.now());
+  }
+
   function minBytesPerSecond() { return cfg.disabled ? 0 : cfg.minBytesPerSecond; }
   function isDisabled() { return cfg.disabled; }
 
@@ -257,6 +301,8 @@ function create(opts) {
     releaseConnection:  releaseConnection,
     checkAuthAdmit:     checkAuthAdmit,
     noteAuthFailure:    noteAuthFailure,
+    checkRcptAdmit:     checkRcptAdmit,
+    noteRcptFailure:    noteRcptFailure,
     minBytesPerSecond:  minBytesPerSecond,
     isDisabled:         isDisabled,
   };

package/lib/mail-server-submission.js

@@ -726,16 +726,25 @@ function create(opts) {
       }
 
       // Identity binding — under strict profile, MAIL FROM MUST match
-      // an entry in the authenticated actor's mailbox set.
+      // an entry in the authenticated actor's mailbox set. An actor
+      // whose mailbox set is empty MUST also be refused: an empty
+      // allowlist is "no mailboxes" (account has no send-as identity
+      // assigned), NOT "all mailboxes." The earlier shape allowed any
+      // MAIL FROM when allowed.length === 0, turning a missing-config
+      // case (operator hasn't assigned mailboxes to the actor) into
+      // an open relay binding.
       if (state.authenticated && identityBinding === "strict") {
         var allowed = _actorMailboxes(state.actor);
-        if (allowed.length > 0 && allowed.indexOf(mailFrom) === -1) {
+        if (allowed.length === 0 || allowed.indexOf(mailFrom) === -1) {
           _emit("mail.server.submission.identity_mismatch", {
             connectionId: state.id, authIdentity: state.actor.id || null,
             mailFrom: mailFrom, allowed: allowed,
+            reason: allowed.length === 0 ? "actor-has-no-mailboxes" : "mail-from-not-in-actor-set",
           }, "denied");
           _writeReply(socket, REPLY_553_SENDER_REJECTED,
-            "5.7.1 Sender address rejected: not owned by authenticated identity");
+            allowed.length === 0
+              ? "5.7.1 Sender address rejected: authenticated identity has no assigned mailboxes"
+              : "5.7.1 Sender address rejected: not owned by authenticated identity");
           return;
         }
       }

package/lib/mail-store.js

@@ -322,7 +322,28 @@ function _appendMessage(args) {
     }
   }
   var inReplyTo = _extractMessageId(tree, "in-reply-to");
-  var referencesCsv = _extractReferences(tree);
+  if (inReplyTo) {
+    try { guardMessageId.validate(inReplyTo); }
+    catch (e) {
+      throw new MailStoreError("mail-store/bad-in-reply-to",
+        "appendMessage: In-Reply-To refused: " + e.message);
+    }
+  }
+  // RFC 5322 §3.6.4 — References is `1*msg-id`; each entry MUST satisfy
+  // the same msg-id grammar as Message-Id. Pre-this-patch the framework
+  // validated Message-Id but accepted any whitespace-separated token list
+  // in References / In-Reply-To, leaving an injection surface where
+  // attacker-controlled bytes reached the threading hash + JMAP
+  // `references` array. Loop the full list through the same guard.
+  var refList = _extractReferencesList(tree);
+  for (var __ri = 0; __ri < refList.length; __ri += 1) {
+    try { guardMessageId.validate(refList[__ri]); }
+    catch (e2) {
+      throw new MailStoreError("mail-store/bad-references",
+        "appendMessage: References entry refused: " + e2.message);
+    }
+  }
+  var referencesCsv = refList.join(",");
   var subject = tree.headers.get("subject") || "";
   var fromAddr = tree.headers.get("from") || "";
   var toAddrs = (tree.headers.getAll("to") || []).join(", ");
@@ -501,12 +522,19 @@ function _setFlags(args) {
   if (args.objectids.length > 0 && (setFlags.length > 0 || unsetFlags.length > 0)) {
     // Bulk-update via IN-clause. SQLite caps IN-clause at 32766 (max
     // bound parameters); chunk for very large operands.
+    // Prepare ONCE per chunk shape — the earlier shape called
+    // args.db.prepare(sql) twice in the same expression (once for the
+    // function reference, once for the `this` binding to .apply()),
+    // which both leaks a prepared-statement handle per chunk and
+    // doubles the SQL parse cost. Hold the stmt on a local + invoke
+    // .run() directly with the bound argument list.
     var CHUNK = 500;                                                                               // allow:raw-byte-literal — IN-clause chunk size, not bytes
     for (var i = 0; i < args.objectids.length; i += CHUNK) {
       var chunk = args.objectids.slice(i, i + CHUNK);
       var placeholders = chunk.map(function () { return "?"; }).join(",");
       var sql = "UPDATE " + args.qMsgs + " SET modseq = ? WHERE objectid IN (" + placeholders + ")";
-      args.db.prepare(sql).run.apply(args.db.prepare(sql), [newModseq].concat(chunk));
+      var stmt = args.db.prepare(sql);
+      stmt.run.apply(stmt, [newModseq].concat(chunk));
     }
   }
   args.stmtBumpFolderModseq.run(newModseq, args.folderName);
@@ -547,9 +575,13 @@ function _extractMessageId(tree, headerName) {
 }
 
 function _extractReferences(tree) {
+  return _extractReferencesList(tree).join(",");
+}
+
+function _extractReferencesList(tree) {
   var raw = tree.headers.get("references");
-  if (!raw) return "";
-  return String(raw).split(/\s+/).filter(function (s) { return s.length > 0; }).join(",");
+  if (!raw) return [];
+  return String(raw).split(/\s+/).filter(function (s) { return s.length > 0; });
 }
 
 function _normalizeAddr(s) {

package/lib/middleware/compose-pipeline.js

@@ -244,7 +244,7 @@ function composePipeline(entries, opts) {
   }
 
   var pipelineId = bCrypto.namespaceHash("system.middleware.compose.pipeline",
-    resolved.map(function (r) { return r.name; }).join("\n"));
+    resolved.map(function (r) { return r.name; }).join("\0"));
 
   _emitAudit("system.middleware.compose.pipeline_built", {
     pipelineId:   pipelineId,

package/lib/safe-mime.js

@@ -54,6 +54,16 @@ var DEFAULT_MAX_NESTING_DEPTH = 16;
 var DEFAULT_MAX_BOUNDARY      = 70;                          // RFC 2046 §5.1.1
 var DEFAULT_MAX_HEADER_BYTES  = C.BYTES.kib(64);
 var DEFAULT_MAX_HEADER_LINE   = 998;                         // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap
+// Per-message header-count cap. RFC 5322 places no upper bound on
+// the number of headers in a message; without one, a sender can pack
+// tens of thousands of one-byte headers into the maxHeaderBytes budget
+// and force O(N²) lookup cost across every consumer that walks the
+// header list (DKIM verify, IMAP FETCH, JMAP serializer). Mainstream
+// MTAs (Postfix `header_size_limit`, Exim `received_headers_max`,
+// Microsoft 365 `MaxRecipientEnvelopePerMessage`) cap in the low
+// hundreds; the framework picks 512 as a generous default with
+// `maxHeaderCount` exposed for operators that legitimately need more.
+var DEFAULT_MAX_HEADER_COUNT  = 512;                         // allow:raw-byte-literal — DoS bound, not bytes
 var DEFAULT_MAX_BODY_BYTES    = C.BYTES.mib(25);
 var DEFAULT_MAX_MESSAGE_BYTES = C.BYTES.mib(50);
 
@@ -87,7 +97,8 @@ var DEFAULT_TRANSFER_ENCODINGS = Object.freeze([
  *   `oversize-nesting` / `oversize-boundary` / `oversize-headers` /
  *   `oversize-header-line` / `oversize-body` / `unknown-charset` /
  *   `unknown-transfer-encoding` / `malformed-boundary` /
- *   `malformed-headers` / `control-char-in-header` / `bad-input`.
+ *   `too-many-headers` / `malformed-headers` /
+ *   `control-char-in-header` / `bad-input`.
  *
  * @opts
  *   maxParts:                 number,     // default 64
@@ -95,6 +106,7 @@ var DEFAULT_TRANSFER_ENCODINGS = Object.freeze([
  *   maxBoundary:              number,     // default 70 (RFC 2046 §5.1.1)
  *   maxHeaderBytes:           number,     // default 64 KiB
  *   maxHeaderLineBytes:       number,     // default 998 (RFC 5322 §2.1.1)
+ *   maxHeaderCount:           number,     // default 512 (DoS bound)
  *   maxBodyBytes:             number,     // default 25 MiB
  *   maxMessageBytes:          number,     // default 50 MiB
  *   charsetAllowlist:         string[],   // default UTF-8 / US-ASCII / common legacy 8-bit
@@ -113,6 +125,7 @@ function parse(bytes, opts) {
   var maxBoundary     = _intOpt(opts, "maxBoundary",     DEFAULT_MAX_BOUNDARY);
   var maxHeaderBytes  = _intOpt(opts, "maxHeaderBytes",  DEFAULT_MAX_HEADER_BYTES);
   var maxHeaderLine   = _intOpt(opts, "maxHeaderLineBytes", DEFAULT_MAX_HEADER_LINE);
+  var maxHeaderCount  = _intOpt(opts, "maxHeaderCount",  DEFAULT_MAX_HEADER_COUNT);
   var maxBodyBytes    = _intOpt(opts, "maxBodyBytes",    DEFAULT_MAX_BODY_BYTES);
   var maxMessageBytes = _intOpt(opts, "maxMessageBytes", DEFAULT_MAX_MESSAGE_BYTES);
   var charsets        = _normalizeStringSet(opts.charsetAllowlist || DEFAULT_CHARSETS);
@@ -130,6 +143,7 @@ function parse(bytes, opts) {
     maxBoundary:     maxBoundary,
     maxHeaderBytes:  maxHeaderBytes,
     maxHeaderLine:   maxHeaderLine,
+    maxHeaderCount:  maxHeaderCount,
     maxBodyBytes:    maxBodyBytes,
     charsets:        charsets,
     encodings:       encodings,
@@ -346,6 +360,15 @@ function _parsePart(buf, ctx, depth) {
         "safeMime.parse: boundary length " + boundary.length + " exceeds maxBoundary=" + ctx.maxBoundary +
         " (RFC 2046 §5.1.1)");
     }
+    // RFC 2046 §5.1.1 — boundary value MUST match the `bcharsnospace
+    // *bchars` grammar (max 70 chars, no CR/LF/NUL, no leading or
+    // trailing SP). A boundary containing newline bytes lets an
+    // attacker confuse multipart engines that re-split on different
+    // EOL forms downstream.
+    if (!_isValidMimeBoundary(boundary)) {
+      throw new SafeMimeError("safe-mime/malformed-boundary",
+        "safeMime.parse: multipart boundary does not match RFC 2046 §5.1.1 bcharsnospace *bchars grammar");
+    }
     var partBuffers = _splitMultipart(bodyBytes, boundary);
     var parts = [];
     for (var i = 0; i < partBuffers.length; i += 1) {
@@ -409,6 +432,14 @@ function _findHeaderBodySep(buf) {
 
 function _parseHeaders(buf, ctx) {
   var lines = _splitHeaderLines(buf, ctx);
+  // Per-message header-count cap (DoS bound). RFC 5322 does not bound
+  // header count; without a cap, a sender packs many short headers
+  // into the byte budget and forces quadratic walk cost downstream.
+  if (lines.length > ctx.maxHeaderCount) {
+    throw new SafeMimeError("safe-mime/too-many-headers",
+      "safeMime.parse: header count " + lines.length +
+      " exceeds maxHeaderCount=" + ctx.maxHeaderCount);
+  }
   var headerMap = Object.create(null);
   for (var i = 0; i < lines.length; i += 1) {
     var line = lines[i];
@@ -507,6 +538,11 @@ function _splitMultipart(buf, boundary) {
         var prevEnd = idx;
         if (prevEnd >= 2 && buf[prevEnd - 2] === 0x0D && buf[prevEnd - 1] === 0x0A) prevEnd -= 2;
         else if (prevEnd >= 1 && buf[prevEnd - 1] === 0x0A) prevEnd -= 1;
+        // RFC 2046 §5.1.1 — a malformed body where a final boundary
+        // immediately follows the opening of a part (no body bytes
+        // between them) MUST NOT produce a negative-length slice.
+        // Clamp to the part's start so the slice is well-formed.
+        if (prevEnd < prev.start) prevEnd = prev.start;
         parts[parts.length - 1] = buf.subarray(prev.start, prevEnd);
       }
       break;
@@ -518,6 +554,7 @@ function _splitMultipart(buf, boundary) {
       var prevEnd2 = idx;
       if (prevEnd2 >= 2 && buf[prevEnd2 - 2] === 0x0D && buf[prevEnd2 - 1] === 0x0A) prevEnd2 -= 2;
       else if (prevEnd2 >= 1 && buf[prevEnd2 - 1] === 0x0A) prevEnd2 -= 1;
+      if (prevEnd2 < prev2.start) prevEnd2 = prev2.start;
       parts[parts.length - 1] = buf.subarray(prev2.start, prevEnd2);
     }
     parts.push({ start: lineEnd });
@@ -529,6 +566,23 @@ function _splitMultipart(buf, boundary) {
   });
 }
 
+// RFC 2046 §5.1.1 — boundary param grammar is `bcharsnospace *bchars`
+// where `bcharsnospace = DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" /
+// "," / "-" / "." / "/" / ":" / "=" / "?"` and `bchars = bcharsnospace
+// / " "` (max 70 chars). Without validating against this set the
+// parser would happily accept a boundary containing CR / LF / NUL /
+// `--` which can be wielded to confuse downstream multipart engines.
+var _BOUNDARY_BCHARSNOSPACE = /^[0-9A-Za-z'()+_,./:=?-]+$/;                         // allow:regex-no-length-cap — length checked separately
+var _BOUNDARY_BCHARS_WITH_SP = /^[0-9A-Za-z'()+_,./:=? -]+$/;                       // allow:regex-no-length-cap — length checked separately
+function _isValidMimeBoundary(value) {
+  if (typeof value !== "string" || value.length === 0 || value.length > 70) return false; // allow:raw-byte-literal — RFC 2046 §5.1.1 bound
+  // First char MUST be bcharsnospace; remainder MAY be bchars (which
+  // permits SP). Last char MUST also be bcharsnospace (no trailing SP).
+  if (!_BOUNDARY_BCHARSNOSPACE.test(value.charAt(0))) return false;
+  if (!_BOUNDARY_BCHARSNOSPACE.test(value.charAt(value.length - 1))) return false;
+  return _BOUNDARY_BCHARS_WITH_SP.test(value);
+}
+
 // Find `--<boundary>` at a position preceded by CRLF, LF, or buf start.
 // Walks via indexOf scans + verifies the line-start invariant; loops
 // past non-line-start hits.
@@ -721,6 +775,7 @@ module.exports = {
     maxBoundary:               DEFAULT_MAX_BOUNDARY,
     maxHeaderBytes:            DEFAULT_MAX_HEADER_BYTES,
     maxHeaderLineBytes:        DEFAULT_MAX_HEADER_LINE,
+    maxHeaderCount:            DEFAULT_MAX_HEADER_COUNT,
     maxBodyBytes:              DEFAULT_MAX_BODY_BYTES,
     maxMessageBytes:           DEFAULT_MAX_MESSAGE_BYTES,
     charsetAllowlist:          DEFAULT_CHARSETS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.10.2",
+  "version": "0.10.4",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:c1165275-044f-4a5a-b7dc-061727bfd076",
+  "serialNumber": "urn:uuid:a7f8cb0b-12df-4ba4-a501-86a191573153",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-16T23:28:39.659Z",
+    "timestamp": "2026-05-17T06:19:36.522Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.10.2",
+      "bom-ref": "@blamejs/core@0.10.4",
       "type": "library",
       "name": "blamejs",
-      "version": "0.10.2",
+      "version": "0.10.4",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.10.2",
+      "purl": "pkg:npm/%40blamejs/core@0.10.4",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.10.2",
+      "ref": "@blamejs/core@0.10.4",
       "dependsOn": []
     }
   ]