@blamejs/core 0.10.3 → 0.10.5

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.10.x
 
+- v0.10.5 (2026-05-16) — **`b.mail.server.pop3` APOP cleartext refusal + `b.vendorData` constant-time digest compares.** Two small entry-tier refusals on the mail and vendor-data surfaces. **(a) `b.mail.server.pop3._handleApop`** refuses APOP when the connection is cleartext and the profile is not permissive, symmetric with the existing USER / PASS refusal. APOP transmits `MD5(timestamp+secret)` (not cleartext credentials), but an attacker who captures the digest plus the known greeting timestamp can mount an offline dictionary attack against the shared secret. RFC 1939 §7 explicitly warns about this; the wire MUST be TLS-protected to deny the offline-attack vector. Emits the same `mail.server.pop3.auth_refused_cleartext` audit event + writes `-ERR APOP refused over cleartext (use STLS first; RFC 1939 §7)`. The cleartext-refusal line was advertised in the v0.10.4 release notes but the wire-level enforcement only lands here; operators relying on v0.10.4 saw the comment but not the runtime gate. **(b) `b.vendorData.verifyAll()`** boot-time digest verifies (SHA-256 layer 1, SHA3-512 layer 2, and the SLH-DSA-SHAKE-256f pubkey-fingerprint cross-check) now compare via a length-prechecked `nodeCrypto.timingSafeEqual` instead of `!==`. The framework convention is that every digest / MAC compare is constant-time regardless of whether the value is a secret — reaching for `!==` whenever a value "isn't a secret" is the smell; the convention is the gate. Uses `nodeCrypto.timingSafeEqual` directly (not `b.crypto.timingSafeEqual`) because `b.crypto` is `lazyRequire`'d to break a circular load chain and isn't available during boot-time `verifyAll()`. **Operator impact:** APOP users on plaintext POP3 (port 110) without STLS first now get `-ERR` instead of authenticating — the operator either wires STLS, switches the listener to implicit TLS (port 995), or sets `profile: "permissive"` for the deliberately-open path. `b.vendorData` consumers see no behavioral change — the timing-safe compare returns the same boolean as `!==` for length-equal inputs. References: [RFC 1939 §7](https://www.rfc-editor.org/rfc/rfc1939#section-7), [CWE-208 timing attack](https://cwe.mitre.org/data/definitions/208.html), [NIST SP 800-38B §6.3 MAC verification](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf).
+- v0.10.4 (2026-05-16) — **Mail-protocol hardening across the four listener primitives.** Ten refusals + two new operator-visible opts spanning `b.mail.server.{mx,submission,imap,pop3}`, `b.mail.server.rateLimit`, `b.safeMime`, `b.guardListUnsubscribe`. Layered on top of the v0.10.0 mail-stack baseline; addresses residual gaps in inbound RCPT enumeration, header-count amplification, POP3 UPDATE-state commit timeouts, list-unsubscribe URI shape, and the per-listener auth-failure / connection-rate maps. **(a) `b.mail.server.rateLimit.checkRcptAdmit(ip)` + `noteRcptFailure(ip)`** — new per-IP RCPT-failure budget (default 50/min, rolling 60s window) wired into the MX + submission listeners. RFC 5321 §3.5 enumeration class: an attacker probing `RCPT TO:` to map valid recipients now trips the budget after 50 failures and gets `421` for the next minute. Operators tune via `rateLimit.create({ rcptFailuresPerMinute, rcptWindowMs })`. **(b) `b.safeMime.parse({ maxHeaderCount })`** — new opt, default 512. Bounded header-count cap prevents `From: ...\r\nSubject: ...\r\n` × 100k header-list amplification in operator pipelines that pass full RFC 5322 messages through `safeMime.parse`. Refused with `safe-mime/too-many-headers` when exceeded. **(c) `b.mail.server.pop3.create({ commitTimeoutMs })`** — new opt, default `C.TIME.seconds(30)`. POP3 UPDATE-state commit (DELE materialization) now runs under `safeAsync.withTimeout` so a hung commit can no longer pin the connection past `idleTimeoutMs`. Past the cap, the connection gets `421` and the in-flight DELE batch is rolled back (RFC 1939 §6 — UPDATE state aborts on transport failure). **(d) `b.guardListUnsubscribe.validate`** refuses empty `<>` URI lists per RFC 2369 §3.1 (the `List-Unsubscribe` header value `<>` is a smuggled-empty class that downstream mail-renderers may interpret as an active unsubscribe link to the local-origin). **(e) `b.mail.server.rateLimit` GC sweep** — the previously asymmetric `connectionTimes` Map (filled in `noteConnection`, never explicitly cleaned) now sweeps empty arrays alongside the existing `authFailureTimes` cleanup. Closes a CWE-770 unbounded-memory class for long-running mail servers seeing transient IP fan-in. **(f) `b.mail.server.imap` `_close()` writes `state.stage = "closed"`** — the drain-loop guard was previously unreachable because the close path didn't update the state machine. Operators on the older path saw `state.stage === "authenticated"` linger after socket close; the new path resolves cleanly. **(g) `b.mail.server.imap` per-line cap before `Buffer.concat`** — closes a CWE-770 unbounded-`Buffer.concat` class on the IMAP line accumulator (the cap was applied AFTER concat, so a malicious peer could send 10 GiB of unterminated tag bytes and the listener would allocate before refusing). Per-line cap now gates the concat. **(h) `b.mail.server.pop3` `_handleApop` cleartext refusal** — APOP gets the same `!state.tls && profile !== "permissive"` refusal as USER / PASS, closing the cleartext-credentials gap symmetric to the other auth verbs (RFC 1939 §7 APOP MD5 is also cleartext in transit). **(i) `b.mail.server.pop3` RETR / TOP dot-stuffing via `safeSmtp.dotStuff(buf)`** — the prior `.replace(/^\./gm, "..")` on a JS string treats bare LF as a line boundary, so bodies containing bare-LF lines starting with `.` gained spurious stuffing that the receiver's strict-CRLF parser couldn't undo. Routes through the byte-level dot-stuffer that only recognizes canonical `\r\n` (RFC 1939 §3 / RFC 5321 §4.5.2). **(j) `b.mail.store` deletion atomicity** — sealed deletion no longer leaves partial state when the in-memory delete succeeds but the disk flush fails (CWE-707 — transactional integrity). **(k) `b.mail.server.submission` cleartext-AUTH audit** — the `auth_success` audit emit captures the `mechanism` field before nulling `authPending` (was recording `null`); operators tailing the audit log now see which SASL mechanism succeeded. **(l) Codebase-patterns** — new `family-subset` entry covering the rate-limit admit-check shape across `mail-server-{imap,mx,submission}` so the contract is enforced at every listener (every primitive that opens a peer socket on a mail port must consult the rate limiter before sending the greeting). **Operator impact:** `b.mail.server.rateLimit` consumers see a new public surface (`checkRcptAdmit` / `noteRcptFailure`); existing operators who don't wire these get the framework default (50/min). `b.safeMime.parse` callers with >512-header messages now get `safe-mime/too-many-headers` — operators with bespoke headers (DMARC aggregate reports can run into hundreds of `Authentication-Results`) opt up via `maxHeaderCount: 4096` per call. POP3 operators see a new `commitTimeoutMs` opt — default applies retroactively. References: [RFC 5321 §3.5](https://www.rfc-editor.org/rfc/rfc5321#section-3.5), [RFC 5322](https://www.rfc-editor.org/rfc/rfc5322), [RFC 1939](https://www.rfc-editor.org/rfc/rfc1939), [RFC 2369 §3.1](https://www.rfc-editor.org/rfc/rfc2369#section-3.1), [CWE-770](https://cwe.mitre.org/data/definitions/770.html), [CWE-707](https://cwe.mitre.org/data/definitions/707.html).
 - v0.10.3 (2026-05-16) — **`b.crypto` hardening — three entry-tier refusals on hot paths.** **(a) `b.crypto.timingSafeEqual` rejects non-Buffer / non-string inputs** — previous `Buffer.from(String(x))` coercion let a prototype-pollution-influenced caller (an Object whose `toString` returns attacker-chosen bytes) redirect the compare through bytes unrelated to the supplied value. Now throws `TypeError` at the entry boundary; string args use explicit `Buffer.from(s, "utf8")` instead of bare coercion. **(b) `b.crypto.hashCertFingerprint` caps PEM input at 64 KiB** — the `/-----BEGIN .+? -----END/` lazy-quantifier on this hot path (mTLS bootstrap / webhook verification / peer-cert pinning) is polynomial-ReDoS-class on multi-MB attacker-controlled input ([CodeQL js/polynomial-redos](https://codeql.github.com/codeql-query-help/javascript/js-polynomial-redos/)). 64 KiB covers a P-384 cert + full chain at ~3× margin; larger inputs throw `TypeError` before the regex runs. **(c) `b.crypto.namespaceHash` refuses CR / LF in string-typed `value`** — closes a log-injection / record-separator surface where an attacker-controlled HTTP header (e.g. `Idempotency-Key`) could smuggle line-break bytes into any consumer that logs the value verbatim before hashing (debug paths, audit envelopes, derived-column shadow logs). NUL is NOT refused — multiple internal callers (`b.agent.idempotency` / `b.mail.greylist` / `b.middleware.composePipeline`) use NUL as a composite-key separator, and NUL is not a log-injection byte in any standard logger. `Buffer` / `Uint8Array` inputs remain operator-side opaque bytes by contract — `namespaceHash` digests them as raw bytes, not as text, so the control-char gate does not apply there either. **Operator impact:** any caller passing a number / Object / boolean to `b.crypto.timingSafeEqual` now throws at the entry boundary instead of silently comparing coerced bytes — the API contract was already documented as Buffer-or-string, this enforces it. PEM strings larger than 64 KiB to `b.crypto.hashCertFingerprint` now throw — operators with bespoke multi-cert bundles split the inputs before calling. `namespaceHash` callers passing strings with embedded CR / LF now throw — operators ingesting attacker-influenced text validate / strip line-break bytes at the boundary, or hash opaque bytes via `Buffer` / `Uint8Array`. References: [OWASP Log Injection](https://owasp.org/www-community/attacks/Log_Injection), [CWE-117](https://cwe.mitre.org/data/definitions/117.html), [CWE-1333 ReDoS](https://cwe.mitre.org/data/definitions/1333.html).
 - v0.10.2 (2026-05-16) — **CVE backstops layered on top of v0.10.0.** Five additional refusals across `b.guardRegex`, `b.otelExport`, `b.guardXml`, `b.guardGraphql`, plus a host-side ingress route for `b.cli`. Every change is opt-out (refusal at every profile); no API removals. **(a) `b.guardRegex` glob-shape detectors with explicit `inputKind` gate** — new `consecutiveStarPolicy` + `nestedExtglobPolicy` (defaults `"reject"`) + `maxConsecutiveStars` (default 2) + `inputKind: "regex" | "glob"` (default `"regex"`). The glob-shape detectors fire ONLY when the caller passes `inputKind: "glob"` — ECMAScript regex syntax cannot produce `***` (SyntaxError) and the extglob heads `*(`/`+(`/`?(`/`@(`/`!(`  collide with valid `quantifier + capturing group` shapes, so applying these detectors to regex inputs is false-positive territory. Callers handling glob fragments (picomatch / micromatch-style patterns) opt in via `inputKind: "glob"` and get refusals for ≥3 consecutive `*` metacharacters ([CVE-2026-26996](https://nvd.nist.gov/vuln/detail/CVE-2026-26996) — O(4^N) backtracking on non-matching literal) and for any extglob whose body contains another extglob ([CVE-2026-33671](https://nvd.nist.gov/vuln/detail/CVE-2026-33671) — picomatch nested-quantifier backtracking). `**` recursive-glob stays permitted under `maxConsecutiveStars: 2`. **(b) `b.cli --ignore` ReDoS ingress closure** — `cli --ignore <pattern>` arguments route through `b.guardRegex.sanitize({ profile: "strict" })` before reaching `new RegExp(pattern)`. Strict-profile refusal of nested-quantifier / lookaround-quantifier / unbounded-bounded-repeat shapes still applies in default `inputKind: "regex"` mode, closing the host-side surface for the classic ReDoS classes. **(c) `b.otelExport.flush()` response cap** — every outbound OTLP request now pins `maxResponseBytes: 1 MiB` + a typed `errorClass`, so a malicious / misconfigured collector cannot exhaust memory in the export loop ([CVE-2026-40891](https://nvd.nist.gov/vuln/detail/CVE-2026-40891) / [CVE-2026-40182](https://nvd.nist.gov/vuln/detail/CVE-2026-40182) class). **(d) `b.guardXml` numeric-character-reference fan-out cap** — new `maxNumericCharRefs` opt (strict 1024 / balanced 16384 / permissive 262144). NCRs are counted independently of `entityPolicy`, so a signed-XML path that legitimately permits entity expansion cannot accidentally disable the NCR cap ([CVE-2026-26278](https://nvd.nist.gov/vuln/detail/CVE-2026-26278) / [CVE-2026-33036](https://nvd.nist.gov/vuln/detail/CVE-2026-33036) — billion-NCR fan-out class). **(e) `b.guardGraphql` prototype-pollution refusal** — refuses `__proto__` / `constructor` / `prototype` as top-level variable keys (`Object.prototype.hasOwnProperty.call(variables, ...)` check, sidesteps a poisoned-prototype `in` lookup) AND as field / alias / `$variable` identifiers in the query body, including the no-whitespace alias form `query { a:__proto__ }` (the colon is a valid identifier-position prefix). Refused at every profile, severity `critical` ([CVE-2026-32621](https://nvd.nist.gov/vuln/detail/CVE-2026-32621) class). **(f) `b.auth.sdJwtVc.present()` defense-in-depth comment** — documents that the holder-side pre-parse of `_sd_alg` reads from unsigned bytes safely because `verify()` re-parses from the cryptographically-verified signing input; no behavioral change. **Regression coverage** — `test/fixtures/exploit-corpus/corpus.json` gains four entries: glob-mode positive refusal for `***+nonmatch` and `*(*(a))`, regex-mode pass for `a*(b+(c))` (false-positive class the design refused to ship), and the colon-prefix GraphQL alias `query { a:__proto__ }`. **Operator impact:** existing operators see no change in default behavior — the new glob detectors are opt-in via `inputKind: "glob"`. Operators wiring `b.guardRegex` over glob fragments (file-pattern allowlists, rsync-style rules) opt in and get the CVE-2026-26996 / -33671 refusals; opt back out per call via `consecutiveStarPolicy: "allow"` / `nestedExtglobPolicy: "allow"`. `b.guardXml` operators on signed-XML pipelines opt out via `maxNumericCharRefs: Infinity` if they bound NCRs upstream. GraphQL variable / query-body refusals are not opt-out — `__proto__` / `constructor` / `prototype` are never legitimate identifiers in operator-supplied input. References: [picomatch CVE-2024-4067 family](https://nvd.nist.gov/vuln/detail/CVE-2024-4067), [OWASP ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS), [OWASP XXE / Billion Laughs](https://owasp.org/www-community/vulnerabilities/XML_Entity_Expansion), [GraphQL Server Security Best Practices](https://www.apollographql.com/docs/router/configuration/overview/).
 - v0.10.1 (2026-05-16) — **First npm-published v0.10.x artifact.** v0.10.0 was tagged + released on GitHub but its npm-publish workflow OOM'd at the lint+smoke gate (default Node ~4GB heap couldn't load the expanded mail-stack + audit-fix test surface). v0.10.1 adds `NODE_OPTIONS=--max-old-space-size=8192` to the workflow's smoke step so the parent process gets the same headroom the forked test workers already get. No runtime / API changes from v0.10.0 — every primitive, posture, and security default ships exactly as documented in the v0.10.0 release notes below. Operators who fetched the v0.10.0 git tag can re-tag from v0.10.1 (`git fetch origin v0.10.1`) to land on the npm-published commit; the framework code itself is byte-identical apart from the workflow file + version bump.

package/lib/guard-list-unsubscribe.js

@@ -197,6 +197,15 @@ function validate(headers, opts) {
   var hasMailtoUri = false;
   for (var i = 0; i < uriParts.length; i += 1) {
     var u = uriParts[i];
+    // RFC 2369 §3.1 — the URI between `<` and `>` is REQUIRED. An
+    // empty `<>` is grammatically invalid + carries no unsubscribe
+    // semantics; the earlier shape accepted it and downstream URI-
+    // dispatch decisions treated it as a scheme-less URI rather than
+    // refusing the whole header.
+    if (u.length === 0) {
+      return _verdict("refuse", "List-Unsubscribe contains empty `<>` URI (RFC 2369 §3.1)",
+        { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });
+    }
     if (Buffer.byteLength(u, "utf8") > caps.maxUriBytes) {
       return _verdict("refuse", "URI '" + _trunc(u) + "' exceeds maxUriBytes=" + caps.maxUriBytes,
         { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });

package/lib/mail-server-imap.js

@@ -747,9 +747,17 @@ function create(opts) {
         if (typeof mailStore.selectFolder === "function") {
           return mailStore.selectFolder(state.actor, name, { readOnly: examine });
         }
-        // Fallback shape — operators without selectFolder get a minimal
-        // OK with sentinel UIDVALIDITY 1.
-        return { exists: 0, recent: 0, uidvalidity: 1, uidnext: 1, modseq: 0, flags: [] };
+        // RFC 9051 §2.3.1.1 — UIDVALIDITY MUST be strictly increasing
+        // and 32-bit unique across the mailbox lifetime. The earlier
+        // fallback returned a sentinel `uidvalidity: 1` to keep tests
+        // green when the operator hadn't wired `selectFolder`, but the
+        // sentinel value collides with any real UIDVALIDITY=1 from a
+        // legitimate backend and tricks clients into believing they
+        // have a valid synced state. Refuse SELECT instead — operators
+        // MUST wire `mailStore.selectFolder` to expose mailboxes.
+        var err = new Error("mailStore.selectFolder is not configured (RFC 9051 §2.3.1.1 requires a unique strictly-increasing UIDVALIDITY)");
+        err.code = "mail-server-imap/no-select-backend";
+        throw err;
       })
       .then(function (info) {
         state.selectedMailbox = name;
@@ -855,6 +863,37 @@ function create(opts) {
     }
     Promise.resolve()
       .then(function () {
+        // RFC 9208 — when the backend exposes a per-mailbox / per-user
+        // quota, APPEND MUST check against it BEFORE writing the
+        // message. The earlier shape called `appendMessage` directly,
+        // leaving quota enforcement entirely up to the backend; an
+        // operator wiring a bare `appendMessage` without quota plumbing
+        // could be DoS'd via unbounded APPENDs filling the mailbox
+        // beyond the advertised QUOTA limit. Honor `mailStore.quota`
+        // (RFC 9208 GETQUOTA / IMAP-QUOTA returns the same shape) and
+        // surface 5.7.4 OVERQUOTA per §5.
+        if (typeof mailStore.quota === "function") {
+          // mailStore.quota(folderName) returns
+          // { usedBytes, usedCount, capBytes, capCount } per the
+          // lib/mail-store.js contract. capBytes is null when no
+          // quota is configured for the folder; honor it only when
+          // it's a positive number.
+          return Promise.resolve(mailStore.quota(name))
+            .then(function (q) {
+              if (q && typeof q.usedBytes === "number" &&
+                  typeof q.capBytes === "number" &&
+                  q.capBytes > 0 &&
+                  q.usedBytes + literalBody.length > q.capBytes) {
+                var err = new Error("APPEND would exceed quota (used " + q.usedBytes +
+                  " + " + literalBody.length + " > cap " + q.capBytes + ")");
+                err.code = "mail-server-imap/overquota";
+                err.overquota = true;
+                err.limit = q.capBytes;
+                throw err;
+              }
+              return mailStore.appendMessage(name, literalBody, { actor: state.actor, flags: flags });
+            });
+        }
         return mailStore.appendMessage(name, literalBody, { actor: state.actor, flags: flags });
       })
       .then(function (info) {
@@ -864,6 +903,10 @@ function create(opts) {
         _writeTagged(socket, tag, "OK " + token + "APPEND completed");
       })
       .catch(function (err) {
+        if (err && err.overquota) {
+          _writeTagged(socket, tag, "NO [OVERQUOTA] Quota exceeded (RFC 9208 §5)");
+          return;
+        }
         _writeTagged(socket, tag, "NO " + ((err && err.message) || "Append failed").slice(0, ERR_CLAMP));
       });
   }

package/lib/mail-server-mx.js

@@ -660,8 +660,24 @@ function create(opts) {
           "4.5.3 Too many recipients (limit " + maxRcptsPerMsg + ")");
         return;
       }
+      // RFC 5321 §3.5 — RCPT-TO 550 vs 250 surfaces a mailbox-existence
+      // oracle. Once the per-IP recipient-failure cap is reached, the
+      // listener returns 421 + closes so the IP backs off; without this
+      // a scanner can RCPT-TO-flood the listener to enumerate every
+      // valid local recipient at the bare cost of an SMTP greeting.
+      var rcptAdmit = rateLimit.checkRcptAdmit(state.remoteAddress);
+      if (!rcptAdmit.ok) {
+        _emit("mail.server.mx.rcpt_rate_limit_refused",
+          { connectionId: state.id, remoteAddress: state.remoteAddress,
+            reason: rcptAdmit.reason }, "denied");
+        _writeReply(socket, REPLY_421_SERVICE_NOT_AVAIL,
+          "4.7.0 Too many RCPT failures from your IP");
+        _closeConnection(socket);
+        return;
+      }
       var match = line.match(RE_RCPT_TO);
       if (!match) {
+        rateLimit.noteRcptFailure(state.remoteAddress);
         _writeReply(socket, REPLY_501_BAD_ARGS, "5.5.4 Syntax: RCPT TO:<address>");
         return;
       }
@@ -675,6 +691,7 @@ function create(opts) {
       if (rcptDomain && rcptDomain[0] !== "[" && guardDomainProfile) {
         var rcptVerdict = _validateDomainHardened(rcptDomain, "rcpt_to");
         if (!rcptVerdict.ok) {
+          rateLimit.noteRcptFailure(state.remoteAddress);
           _writeReply(socket, REPLY_501_BAD_ARGS,
             "5.5.4 RCPT TO domain refused (" +
             (rcptVerdict.issues && rcptVerdict.issues[0] && rcptVerdict.issues[0].kind) + ")");
@@ -686,6 +703,7 @@ function create(opts) {
       if (localDomains.length > 0) {
         if (localDomains.indexOf(rcptDomain) === -1 &&
             !_isRelayAllowed(state.remoteAddress, rcpt)) {
+          rateLimit.noteRcptFailure(state.remoteAddress);
           _emit("mail.server.mx.relay_refused",
             { connectionId: state.id, mailFrom: state.mailFrom, rcptTo: rcpt,
               remoteAddress: state.remoteAddress }, "denied");

package/lib/mail-server-pop3.js

@@ -112,6 +112,7 @@ var guardPop3Command = require("./guard-pop3-command");
 var mailServerRateLimit = require("./mail-server-rate-limit");
 var mailServerTls = require("./mail-server-tls");
 var safeSmtp = require("./safe-smtp");
+var safeAsync = require("./safe-async");
 var { defineClass } = require("./framework-error");
 
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -120,6 +121,13 @@ var MailServerPop3Error = defineClass("MailServerPop3Error", { alwaysPermanent:
 
 var DEFAULT_MAX_LINE_BYTES   = 1024;                                                                  // allow:raw-byte-literal — RFC 2449 §4 line cap (permissive)
 var DEFAULT_IDLE_TIMEOUT_MS  = C.TIME.minutes(10);
+// RFC 1939 §6 — UPDATE-state commit (the actual delete on QUIT) is
+// the only place the backend writes; a hung commitPop3Drop leaves
+// the connection in update-state forever, defeating the idle timeout
+// (the socket is awaiting the .then(), not blocked on socket I/O).
+// Bound the commit; on timeout the connection closes with -ERR and
+// the next session re-attempts the commit.
+var DEFAULT_COMMIT_TIMEOUT_MS = C.TIME.seconds(30);
 var DEFAULT_GREETING_VENDOR  = "blamejs POP3";
 
 var ERR_CLAMP = 200;                                                                                  // allow:raw-byte-literal — protocol-reply error-message clamp
@@ -141,6 +149,7 @@ var ERR_CLAMP = 200;
  *   greeting:          string,                   // default "blamejs POP3"
  *   maxLineBytes:      number,                   // default 1024
  *   idleTimeoutMs:     number,                   // default 10 min
+ *   commitTimeoutMs:   number,                   // default 30 s (UPDATE-state mailStore.commitPop3Drop cap)
  *   profile:           "strict" | "balanced" | "permissive",
  *   auth: {
  *     mechanisms:      ["PLAIN"],                 // SASL mechs to advertise
@@ -177,12 +186,13 @@ function create(opts) {
       "getMessage/listMessages/markDelete; compose b.mailStore.create or operator-supplied backend)");
   }
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
-    ["maxLineBytes", "idleTimeoutMs"],
+    ["maxLineBytes", "idleTimeoutMs", "commitTimeoutMs"],
     "mail.server.pop3.", MailServerPop3Error, "mail-server-pop3/bad-bound");
 
   var greeting        = opts.greeting        || DEFAULT_GREETING_VENDOR;
   var maxLineBytes    = opts.maxLineBytes    || DEFAULT_MAX_LINE_BYTES;
   var idleTimeoutMs   = opts.idleTimeoutMs   || DEFAULT_IDLE_TIMEOUT_MS;
+  var commitTimeoutMs = opts.commitTimeoutMs || DEFAULT_COMMIT_TIMEOUT_MS;
   var profile         = opts.profile         || "strict";
   var authConfig      = opts.auth            || null;
   var mailStore       = opts.mailStore;
@@ -397,7 +407,7 @@ function create(opts) {
     // refuses USER over cleartext under strict at the wire boundary,
     // but balanced/permissive operators previously reached this path
     // and accepted a plaintext password. Refuse here too so a guard
-    // relax doesn't open BUG-11/MAIL-37 (cleartext credentials in
+    // relax doesn't open (cleartext credentials in
     // POP3 USER/PASS) by composition. Permissive operators opt out
     // by explicitly setting profile: "permissive".
     if (!state.tls && profile !== "permissive") {
@@ -421,7 +431,7 @@ function create(opts) {
       _writeErr(socket, "AUTH not configured on this listener");
       return;
     }
-    // BUG-11 / MAIL-37 — refuse PASS over cleartext when not permissive.
+    // refuse PASS over cleartext when not permissive.
     // USER already gated above, but this is defense-in-depth in case the
     // USER guard was bypassed by a future codepath.
     if (!state.tls && profile !== "permissive") {
@@ -485,6 +495,21 @@ function create(opts) {
       _writeErr(socket, "AUTH not configured");
       return;
     }
+    // Defense-in-depth, symmetric with USER / PASS. APOP transmits
+    // MD5(timestamp+secret), not cleartext, but an
+    // attacker who captures the digest + the known greeting timestamp
+    // can mount an offline dictionary attack against the shared secret.
+    // RFC 1939 §7 explicitly warns about this; balanced/permissive
+    // operators reach this path only when they opted in, but the
+    // wire MUST be TLS-protected to deny the offline-attack vector.
+    if (!state.tls && profile !== "permissive") {
+      _emit("mail.server.pop3.auth_refused_cleartext",
+        { connectionId: state.id, verb: "APOP", remoteAddress: state.remoteAddress },
+        "denied");
+      rateLimit.noteAuthFailure(state.remoteAddress);
+      _writeErr(socket, "APOP refused over cleartext (use STLS first; RFC 1939 §7)");
+      return;
+    }
     var authAdmit = rateLimit.checkAuthAdmit(state.remoteAddress);
     if (!authAdmit.ok) {
       _writeErr(socket, "Too many AUTH failures from your IP");
@@ -540,6 +565,13 @@ function create(opts) {
     // configuration where the gate was relaxed but the AUTH path
     // still receives traffic).
     if (!state.tls && profile === "strict") {
+      // Count cleartext-AUTH refusal against the auth-failure budget
+      // so scanners that probe for plaintext-mech tolerance hit the
+      // same per-IP cap that protects PASS / APOP. Without this, a
+      // scanner could enumerate auth mechanisms freely (the refusal
+      // itself was free) and shop for the first wire-protocol path
+      // the listener honored.
+      rateLimit.noteAuthFailure(state.remoteAddress);
       _emit("mail.server.pop3.auth_refused_cleartext",
         { connectionId: state.id, verb: "AUTH", mech: args[0] }, "denied");
       _writeErr(socket, "AUTH refused over cleartext (use STLS first; RFC 2595 §2.1)");
@@ -605,8 +637,18 @@ function create(opts) {
       return;
     }
     state.stage = "update";
-    Promise.resolve()
-      .then(function () { return mailStore.commitPop3Drop(state.actor, state.dropId); })
+    // RFC 1939 §6 — bound the UPDATE-state commit. A hung backend
+    // (DB row-lock / replica failover / sealed-row unseal stuck on a
+    // KMS call) otherwise leaves the connection in update-state past
+    // the socket idleTimeoutMs (which guards inbound bytes, not
+    // pending Promises).
+    safeAsync.withTimeout(
+      Promise.resolve().then(function () {
+        return mailStore.commitPop3Drop(state.actor, state.dropId);
+      }),
+      commitTimeoutMs,
+      { label: "mail.server.pop3.commitPop3Drop" }
+    )
       .then(function (info) {
         _emit("mail.server.pop3.update_commit",
           { connectionId: state.id, deleted: (info && info.deleted) || 0 });
@@ -614,6 +656,8 @@ function create(opts) {
         _close(socket);
       })
       .catch(function (err) {
+        _emit("mail.server.pop3.update_commit_failed",
+          { connectionId: state.id, error: (err && err.message) || String(err) }, "failure");
         _writeErr(socket, "Commit failed: " + ((err && err.message) || "backend error").slice(0, ERR_CLAMP));
         _close(socket);
       });
@@ -740,7 +784,7 @@ function create(opts) {
       .then(function (msg) {
         if (!msg) { _writeErr(socket, "no such message"); return; }
         _writeOk(socket, "headers + " + headerLines + " body lines");
-        // MAIL-15 — see _handleRetr; same byte-level CRLF-aware
+        // see _handleRetr; same byte-level CRLF-aware
         // dot-stuffing primitive for the TOP partial-body path.
         var bodyBuf = msg.rawBytes
           ? msg.rawBytes

package/lib/mail-server-rate-limit.js

@@ -99,11 +99,20 @@ var DEFAULTS = Object.freeze({
   connectionsPerIpPerMinute:     60,                                                                  // allow:raw-time-literal — connection count, not a time value
   authFailuresPerIpPer15Min:     10,
   minBytesPerSecond:             100,                                                                 // allow:raw-byte-literal — slow-loris byte-rate floor
+  // RCPT-TO recipient-failure cap defends against the 550-vs-250
+  // enumeration shape (RFC 5321 §3.5 — RCPT-TO surfaces the
+  // mailbox-exists oracle; an attacker that hammers RCPT TO can
+  // enumerate a domain's mailbox map without ever sending DATA).
+  // Per-IP, per-minute. Tuned higher than auth-failure since
+  // legitimate senders can RCPT-TO multiple recipients per message;
+  // operator overrides via `rcptFailuresPerIpPerMinute`.
+  rcptFailuresPerIpPerMinute:    50,                                                                  // allow:raw-byte-literal — RCPT enumeration bound
   disabled:                      false,
 });
 
 var CONNECTION_RATE_WINDOW_MS = C.TIME.minutes(1);
 var AUTH_FAILURE_WINDOW_MS    = C.TIME.minutes(15);
+var RCPT_FAILURE_WINDOW_MS    = C.TIME.minutes(1);
 
 /**
  * @primitive b.mail.server.rateLimit.create
@@ -124,6 +133,7 @@ var AUTH_FAILURE_WINDOW_MS    = C.TIME.minutes(15);
  *   connectionsPerIpPerMinute:     number,   // default 60
  *   authFailuresPerIpPer15Min:     number,   // default 10
  *   minBytesPerSecond:             number,   // default 100 (DATA-body slow-loris floor)
+ *   rcptFailuresPerIpPerMinute:    number,   // default 50 (RCPT 550 enumeration bound)
  *   disabled:                      boolean,  // default false — test escape hatch
  *
  * @example
@@ -145,6 +155,7 @@ function create(opts) {
     "connectionsPerIpPerMinute",
     "authFailuresPerIpPer15Min",
     "minBytesPerSecond",
+    "rcptFailuresPerIpPerMinute",
   ], "b.mail.server.rateLimit.create.", MailServerRateLimitError, "mail-server-rate-limit/bad-bound");
   validateOpts.optionalBoolean(opts.disabled,
     "b.mail.server.rateLimit.create: opts.disabled",
@@ -159,6 +170,8 @@ function create(opts) {
       ? DEFAULTS.authFailuresPerIpPer15Min : opts.authFailuresPerIpPer15Min,
     minBytesPerSecond: opts.minBytesPerSecond === undefined
       ? DEFAULTS.minBytesPerSecond : opts.minBytesPerSecond,
+    rcptFailuresPerIpPerMinute: opts.rcptFailuresPerIpPerMinute === undefined
+      ? DEFAULTS.rcptFailuresPerIpPerMinute : opts.rcptFailuresPerIpPerMinute,
     disabled: opts.disabled === true,
   };
 
@@ -170,6 +183,7 @@ function create(opts) {
   var concurrentByIp   = new Map();        // ip → integer count
   var connectionTimes  = new Map();        // ip → [timestampMs, ...]
   var authFailureTimes = new Map();        // ip → [timestampMs, ...]
+  var rcptFailureTimes = new Map();        // ip → [timestampMs, ...]
 
   function _pruneWindow(arr, windowMs) {
     var cutoff = Date.now() - windowMs;
@@ -210,7 +224,7 @@ function create(opts) {
     var concurrent = concurrentByIp.get(ip) || 0;
     if (concurrent <= 1) concurrentByIp.delete(ip);
     else concurrentByIp.set(ip, concurrent - 1);
-    // BUG-2 — CWE-400. authFailureTimes auto-deletes when its array
+    // CWE-400. authFailureTimes auto-deletes when its array
     // empties in checkAuthAdmit; connectionTimes was the asymmetric
     // case. Sweep this IP's rate-window now that it has released its
     // last concurrent slot: if the per-minute window has fully
@@ -249,6 +263,36 @@ function create(opts) {
     times.push(Date.now());
   }
 
+  // RFC 5321 §3.5 — RCPT TO 550 vs 250 responses surface a mailbox-
+  // existence oracle. An IP that issues many RCPT-TO commands receiving
+  // 550 should hit the same admit / refuse shape used for AUTH failures.
+  // checkRcptAdmit returns ok=false once the per-minute cap is reached;
+  // listeners then return a transient 421 (close + back off) instead of
+  // continuing to surface the per-recipient oracle.
+  function checkRcptAdmit(ip) {
+    if (cfg.disabled) return { ok: true };
+    var times = rcptFailureTimes.get(ip);
+    if (!times) return { ok: true };
+    _pruneWindow(times, RCPT_FAILURE_WINDOW_MS);
+    if (times.length === 0) {
+      rcptFailureTimes.delete(ip);
+      return { ok: true };
+    }
+    if (times.length >= cfg.rcptFailuresPerIpPerMinute) {
+      _audit("mail.server.rate_limit.rcpt_refused", "denied",
+        { reason: "rcpt-failures-per-ip", ip: ip, cap: cfg.rcptFailuresPerIpPerMinute });
+      return { ok: false, reason: "rcpt-failures-per-ip" };
+    }
+    return { ok: true };
+  }
+
+  function noteRcptFailure(ip) {
+    if (cfg.disabled) return;
+    var times = rcptFailureTimes.get(ip);
+    if (!times) { times = []; rcptFailureTimes.set(ip, times); }
+    times.push(Date.now());
+  }
+
   function minBytesPerSecond() { return cfg.disabled ? 0 : cfg.minBytesPerSecond; }
   function isDisabled() { return cfg.disabled; }
 
@@ -257,6 +301,8 @@ function create(opts) {
     releaseConnection:  releaseConnection,
     checkAuthAdmit:     checkAuthAdmit,
     noteAuthFailure:    noteAuthFailure,
+    checkRcptAdmit:     checkRcptAdmit,
+    noteRcptFailure:    noteRcptFailure,
     minBytesPerSecond:  minBytesPerSecond,
     isDisabled:         isDisabled,
   };

package/lib/mail-server-submission.js

@@ -726,16 +726,25 @@ function create(opts) {
       }
 
       // Identity binding — under strict profile, MAIL FROM MUST match
-      // an entry in the authenticated actor's mailbox set.
+      // an entry in the authenticated actor's mailbox set. An actor
+      // whose mailbox set is empty MUST also be refused: an empty
+      // allowlist is "no mailboxes" (account has no send-as identity
+      // assigned), NOT "all mailboxes." The earlier shape allowed any
+      // MAIL FROM when allowed.length === 0, turning a missing-config
+      // case (operator hasn't assigned mailboxes to the actor) into
+      // an open relay binding.
       if (state.authenticated && identityBinding === "strict") {
         var allowed = _actorMailboxes(state.actor);
-        if (allowed.length > 0 && allowed.indexOf(mailFrom) === -1) {
+        if (allowed.length === 0 || allowed.indexOf(mailFrom) === -1) {
           _emit("mail.server.submission.identity_mismatch", {
             connectionId: state.id, authIdentity: state.actor.id || null,
             mailFrom: mailFrom, allowed: allowed,
+            reason: allowed.length === 0 ? "actor-has-no-mailboxes" : "mail-from-not-in-actor-set",
           }, "denied");
           _writeReply(socket, REPLY_553_SENDER_REJECTED,
-            "5.7.1 Sender address rejected: not owned by authenticated identity");
+            allowed.length === 0
+              ? "5.7.1 Sender address rejected: authenticated identity has no assigned mailboxes"
+              : "5.7.1 Sender address rejected: not owned by authenticated identity");
           return;
         }
       }

package/lib/mail-store.js

@@ -322,7 +322,28 @@ function _appendMessage(args) {
     }
   }
   var inReplyTo = _extractMessageId(tree, "in-reply-to");
-  var referencesCsv = _extractReferences(tree);
+  if (inReplyTo) {
+    try { guardMessageId.validate(inReplyTo); }
+    catch (e) {
+      throw new MailStoreError("mail-store/bad-in-reply-to",
+        "appendMessage: In-Reply-To refused: " + e.message);
+    }
+  }
+  // RFC 5322 §3.6.4 — References is `1*msg-id`; each entry MUST satisfy
+  // the same msg-id grammar as Message-Id. Pre-this-patch the framework
+  // validated Message-Id but accepted any whitespace-separated token list
+  // in References / In-Reply-To, leaving an injection surface where
+  // attacker-controlled bytes reached the threading hash + JMAP
+  // `references` array. Loop the full list through the same guard.
+  var refList = _extractReferencesList(tree);
+  for (var __ri = 0; __ri < refList.length; __ri += 1) {
+    try { guardMessageId.validate(refList[__ri]); }
+    catch (e2) {
+      throw new MailStoreError("mail-store/bad-references",
+        "appendMessage: References entry refused: " + e2.message);
+    }
+  }
+  var referencesCsv = refList.join(",");
   var subject = tree.headers.get("subject") || "";
   var fromAddr = tree.headers.get("from") || "";
   var toAddrs = (tree.headers.getAll("to") || []).join(", ");
@@ -501,12 +522,19 @@ function _setFlags(args) {
   if (args.objectids.length > 0 && (setFlags.length > 0 || unsetFlags.length > 0)) {
     // Bulk-update via IN-clause. SQLite caps IN-clause at 32766 (max
     // bound parameters); chunk for very large operands.
+    // Prepare ONCE per chunk shape — the earlier shape called
+    // args.db.prepare(sql) twice in the same expression (once for the
+    // function reference, once for the `this` binding to .apply()),
+    // which both leaks a prepared-statement handle per chunk and
+    // doubles the SQL parse cost. Hold the stmt on a local + invoke
+    // .run() directly with the bound argument list.
     var CHUNK = 500;                                                                               // allow:raw-byte-literal — IN-clause chunk size, not bytes
     for (var i = 0; i < args.objectids.length; i += CHUNK) {
       var chunk = args.objectids.slice(i, i + CHUNK);
       var placeholders = chunk.map(function () { return "?"; }).join(",");
       var sql = "UPDATE " + args.qMsgs + " SET modseq = ? WHERE objectid IN (" + placeholders + ")";
-      args.db.prepare(sql).run.apply(args.db.prepare(sql), [newModseq].concat(chunk));
+      var stmt = args.db.prepare(sql);
+      stmt.run.apply(stmt, [newModseq].concat(chunk));
     }
   }
   args.stmtBumpFolderModseq.run(newModseq, args.folderName);
@@ -547,9 +575,13 @@ function _extractMessageId(tree, headerName) {
 }
 
 function _extractReferences(tree) {
+  return _extractReferencesList(tree).join(",");
+}
+
+function _extractReferencesList(tree) {
   var raw = tree.headers.get("references");
-  if (!raw) return "";
-  return String(raw).split(/\s+/).filter(function (s) { return s.length > 0; }).join(",");
+  if (!raw) return [];
+  return String(raw).split(/\s+/).filter(function (s) { return s.length > 0; });
 }
 
 function _normalizeAddr(s) {

package/lib/safe-mime.js

@@ -54,6 +54,16 @@ var DEFAULT_MAX_NESTING_DEPTH = 16;
 var DEFAULT_MAX_BOUNDARY      = 70;                          // RFC 2046 §5.1.1
 var DEFAULT_MAX_HEADER_BYTES  = C.BYTES.kib(64);
 var DEFAULT_MAX_HEADER_LINE   = 998;                         // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap
+// Per-message header-count cap. RFC 5322 places no upper bound on
+// the number of headers in a message; without one, a sender can pack
+// tens of thousands of one-byte headers into the maxHeaderBytes budget
+// and force O(N²) lookup cost across every consumer that walks the
+// header list (DKIM verify, IMAP FETCH, JMAP serializer). Mainstream
+// MTAs (Postfix `header_size_limit`, Exim `received_headers_max`,
+// Microsoft 365 `MaxRecipientEnvelopePerMessage`) cap in the low
+// hundreds; the framework picks 512 as a generous default with
+// `maxHeaderCount` exposed for operators that legitimately need more.
+var DEFAULT_MAX_HEADER_COUNT  = 512;                         // allow:raw-byte-literal — DoS bound, not bytes
 var DEFAULT_MAX_BODY_BYTES    = C.BYTES.mib(25);
 var DEFAULT_MAX_MESSAGE_BYTES = C.BYTES.mib(50);
 
@@ -87,7 +97,8 @@ var DEFAULT_TRANSFER_ENCODINGS = Object.freeze([
  *   `oversize-nesting` / `oversize-boundary` / `oversize-headers` /
  *   `oversize-header-line` / `oversize-body` / `unknown-charset` /
  *   `unknown-transfer-encoding` / `malformed-boundary` /
- *   `malformed-headers` / `control-char-in-header` / `bad-input`.
+ *   `too-many-headers` / `malformed-headers` /
+ *   `control-char-in-header` / `bad-input`.
  *
  * @opts
  *   maxParts:                 number,     // default 64
@@ -95,6 +106,7 @@ var DEFAULT_TRANSFER_ENCODINGS = Object.freeze([
  *   maxBoundary:              number,     // default 70 (RFC 2046 §5.1.1)
  *   maxHeaderBytes:           number,     // default 64 KiB
  *   maxHeaderLineBytes:       number,     // default 998 (RFC 5322 §2.1.1)
+ *   maxHeaderCount:           number,     // default 512 (DoS bound)
  *   maxBodyBytes:             number,     // default 25 MiB
  *   maxMessageBytes:          number,     // default 50 MiB
  *   charsetAllowlist:         string[],   // default UTF-8 / US-ASCII / common legacy 8-bit
@@ -113,6 +125,7 @@ function parse(bytes, opts) {
   var maxBoundary     = _intOpt(opts, "maxBoundary",     DEFAULT_MAX_BOUNDARY);
   var maxHeaderBytes  = _intOpt(opts, "maxHeaderBytes",  DEFAULT_MAX_HEADER_BYTES);
   var maxHeaderLine   = _intOpt(opts, "maxHeaderLineBytes", DEFAULT_MAX_HEADER_LINE);
+  var maxHeaderCount  = _intOpt(opts, "maxHeaderCount",  DEFAULT_MAX_HEADER_COUNT);
   var maxBodyBytes    = _intOpt(opts, "maxBodyBytes",    DEFAULT_MAX_BODY_BYTES);
   var maxMessageBytes = _intOpt(opts, "maxMessageBytes", DEFAULT_MAX_MESSAGE_BYTES);
   var charsets        = _normalizeStringSet(opts.charsetAllowlist || DEFAULT_CHARSETS);
@@ -130,6 +143,7 @@ function parse(bytes, opts) {
     maxBoundary:     maxBoundary,
     maxHeaderBytes:  maxHeaderBytes,
     maxHeaderLine:   maxHeaderLine,
+    maxHeaderCount:  maxHeaderCount,
     maxBodyBytes:    maxBodyBytes,
     charsets:        charsets,
     encodings:       encodings,
@@ -346,6 +360,15 @@ function _parsePart(buf, ctx, depth) {
         "safeMime.parse: boundary length " + boundary.length + " exceeds maxBoundary=" + ctx.maxBoundary +
         " (RFC 2046 §5.1.1)");
     }
+    // RFC 2046 §5.1.1 — boundary value MUST match the `bcharsnospace
+    // *bchars` grammar (max 70 chars, no CR/LF/NUL, no leading or
+    // trailing SP). A boundary containing newline bytes lets an
+    // attacker confuse multipart engines that re-split on different
+    // EOL forms downstream.
+    if (!_isValidMimeBoundary(boundary)) {
+      throw new SafeMimeError("safe-mime/malformed-boundary",
+        "safeMime.parse: multipart boundary does not match RFC 2046 §5.1.1 bcharsnospace *bchars grammar");
+    }
     var partBuffers = _splitMultipart(bodyBytes, boundary);
     var parts = [];
     for (var i = 0; i < partBuffers.length; i += 1) {
@@ -409,6 +432,14 @@ function _findHeaderBodySep(buf) {
 
 function _parseHeaders(buf, ctx) {
   var lines = _splitHeaderLines(buf, ctx);
+  // Per-message header-count cap (DoS bound). RFC 5322 does not bound
+  // header count; without a cap, a sender packs many short headers
+  // into the byte budget and forces quadratic walk cost downstream.
+  if (lines.length > ctx.maxHeaderCount) {
+    throw new SafeMimeError("safe-mime/too-many-headers",
+      "safeMime.parse: header count " + lines.length +
+      " exceeds maxHeaderCount=" + ctx.maxHeaderCount);
+  }
   var headerMap = Object.create(null);
   for (var i = 0; i < lines.length; i += 1) {
     var line = lines[i];
@@ -507,6 +538,11 @@ function _splitMultipart(buf, boundary) {
         var prevEnd = idx;
         if (prevEnd >= 2 && buf[prevEnd - 2] === 0x0D && buf[prevEnd - 1] === 0x0A) prevEnd -= 2;
         else if (prevEnd >= 1 && buf[prevEnd - 1] === 0x0A) prevEnd -= 1;
+        // RFC 2046 §5.1.1 — a malformed body where a final boundary
+        // immediately follows the opening of a part (no body bytes
+        // between them) MUST NOT produce a negative-length slice.
+        // Clamp to the part's start so the slice is well-formed.
+        if (prevEnd < prev.start) prevEnd = prev.start;
         parts[parts.length - 1] = buf.subarray(prev.start, prevEnd);
       }
       break;
@@ -518,6 +554,7 @@ function _splitMultipart(buf, boundary) {
       var prevEnd2 = idx;
       if (prevEnd2 >= 2 && buf[prevEnd2 - 2] === 0x0D && buf[prevEnd2 - 1] === 0x0A) prevEnd2 -= 2;
       else if (prevEnd2 >= 1 && buf[prevEnd2 - 1] === 0x0A) prevEnd2 -= 1;
+      if (prevEnd2 < prev2.start) prevEnd2 = prev2.start;
       parts[parts.length - 1] = buf.subarray(prev2.start, prevEnd2);
     }
     parts.push({ start: lineEnd });
@@ -529,6 +566,23 @@ function _splitMultipart(buf, boundary) {
   });
 }
 
+// RFC 2046 §5.1.1 — boundary param grammar is `bcharsnospace *bchars`
+// where `bcharsnospace = DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" /
+// "," / "-" / "." / "/" / ":" / "=" / "?"` and `bchars = bcharsnospace
+// / " "` (max 70 chars). Without validating against this set the
+// parser would happily accept a boundary containing CR / LF / NUL /
+// `--` which can be wielded to confuse downstream multipart engines.
+var _BOUNDARY_BCHARSNOSPACE = /^[0-9A-Za-z'()+_,./:=?-]+$/;                         // allow:regex-no-length-cap — length checked separately
+var _BOUNDARY_BCHARS_WITH_SP = /^[0-9A-Za-z'()+_,./:=? -]+$/;                       // allow:regex-no-length-cap — length checked separately
+function _isValidMimeBoundary(value) {
+  if (typeof value !== "string" || value.length === 0 || value.length > 70) return false; // allow:raw-byte-literal — RFC 2046 §5.1.1 bound
+  // First char MUST be bcharsnospace; remainder MAY be bchars (which
+  // permits SP). Last char MUST also be bcharsnospace (no trailing SP).
+  if (!_BOUNDARY_BCHARSNOSPACE.test(value.charAt(0))) return false;
+  if (!_BOUNDARY_BCHARSNOSPACE.test(value.charAt(value.length - 1))) return false;
+  return _BOUNDARY_BCHARS_WITH_SP.test(value);
+}
+
 // Find `--<boundary>` at a position preceded by CRLF, LF, or buf start.
 // Walks via indexOf scans + verifies the line-start invariant; loops
 // past non-line-start hits.
@@ -721,6 +775,7 @@ module.exports = {
     maxBoundary:               DEFAULT_MAX_BOUNDARY,
     maxHeaderBytes:            DEFAULT_MAX_HEADER_BYTES,
     maxHeaderLineBytes:        DEFAULT_MAX_HEADER_LINE,
+    maxHeaderCount:            DEFAULT_MAX_HEADER_COUNT,
     maxBodyBytes:              DEFAULT_MAX_BODY_BYTES,
     maxMessageBytes:           DEFAULT_MAX_MESSAGE_BYTES,
     charsetAllowlist:          DEFAULT_CHARSETS,

package/lib/vendor-data.js

@@ -83,6 +83,39 @@ var _MODULES = {
 
 var VendorDataError = defineClass("VendorDataError", { alwaysPermanent: true });
 
+// Boot-time-safe constant-time hex compare. Framework convention
+// is timingSafeEqual for every digest / MAC compare even
+// when the value is a public tag (a `!==` here is the smell, not
+// the secret/public distinction). b.crypto.timingSafeEqual would
+// match the convention but it's lazyRequire'd to break a circular
+// load chain and is not available during verifyAll()'s boot-time
+// pass; nodeCrypto.timingSafeEqual is the direct primitive.
+//
+// Both inputs MUST be hex strings (0-9a-fA-F only). The hex shape
+// guard sidesteps the UTF-16 / UTF-8 byte-length skew that would
+// otherwise let `Buffer.from(non-ascii-string, "utf8")` produce
+// different byte lengths for equal-string-length inputs — which
+// would make nodeCrypto.timingSafeEqual throw
+// ERR_CRYPTO_TIMING_SAFE_EQUAL_LENGTH instead of returning false,
+// surfacing an unexpected boot-time error on a tampered metadata
+// instead of the documented VendorDataError. Refuse non-hex with
+// a plain false return so the caller's `!equal` branch throws the
+// VendorDataError as designed.
+// Accept bare hex digests (Layer 1 / Layer 2 SHA outputs) and
+// `<alg>:<hex>` fingerprint shapes (Layer 3 — `sha256:abc...`). All
+// chars are ASCII so UTF-8 byte length equals string length.
+var ASCII_TAG_RE_VD = /^[0-9a-zA-Z:]+$/;
+function _timingSafeHexEqual(a, b) {
+  if (typeof a !== "string" || typeof b !== "string") return false;
+  if (a.length !== b.length) return false;
+  if (!ASCII_TAG_RE_VD.test(a) || !ASCII_TAG_RE_VD.test(b)) return false;
+  // Hex chars are ASCII; UTF-8 encode is identity, so equal string
+  // length now guarantees equal byte length.
+  var ba = Buffer.from(a, "utf8");
+  var bb = Buffer.from(b, "utf8");
+  return nodeCrypto.timingSafeEqual(ba, bb);                                    // allow:raw-timing-safe-equal — hex + length pre-check above guarantees same-length ASCII inputs; b.crypto wrapper would be circular at boot
+}
+
 // KNOWN_VENDOR_DATA — the canonical list of vendored data names. Each
 // entry carries the canary token the payload must contain after parse
 // (where applicable) and a description for the inventory surface.
@@ -159,17 +192,23 @@ function _loadAndVerify(name) {
       "File is hand-edited or corrupted; re-run vendor-update.sh --refresh-data.");
   }
 
-  // Layer 1: SHA-256 self-verify
+  // Layer 1: SHA-256 self-verify. Timing-safe compare matches the
+  // framework convention (every other digest / MAC compare uses
+  // timing-safe regardless of whether the value is a secret). The SHA
+  // is a public tag here, but reaching for `!==` whenever a value
+  // "isn't a secret" is the smell — the convention is the gate.
+  // nodeCrypto direct (not lazy bCrypto) because this runs at boot
+  // before b.crypto is initialized on the module-graph hot path.
   var actual256 = nodeCrypto.createHash("sha256").update(mod.payload).digest("hex");
-  if (actual256 !== meta.sha256) {
+  if (!_timingSafeHexEqual(actual256, meta.sha256)) {
     throw new VendorDataError("vendor-data/sha256-mismatch",
       "vendorData: '" + name + "' SHA-256 mismatch — payload tampered. " +
       "expected=" + meta.sha256.slice(0, 12) + "… got=" + actual256.slice(0, 12) + "…");
   }
 
-  // Layer 2: SHA3-512 self-verify
+  // Layer 2: SHA3-512 self-verify (timing-safe compare; see Layer 1).
   var actual3 = nodeCrypto.createHash("sha3-512").update(mod.payload).digest("hex");
-  if (actual3 !== meta.sha3_512) {
+  if (!_timingSafeHexEqual(actual3, meta.sha3_512)) {
     throw new VendorDataError("vendor-data/sha3-512-mismatch",
       "vendorData: '" + name + "' SHA3-512 mismatch — payload tampered. " +
       "expected=" + meta.sha3_512.slice(0, 12) + "… got=" + actual3.slice(0, 12) + "…");
@@ -186,7 +225,7 @@ function _loadAndVerify(name) {
   var actualPubkeyFp = _actualPubkeyFingerprint();
   if (typeof meta.publicKeyFingerprint === "string" &&
       meta.publicKeyFingerprint.length > 0 &&
-      meta.publicKeyFingerprint !== actualPubkeyFp) {
+      !_timingSafeHexEqual(meta.publicKeyFingerprint, actualPubkeyFp)) {
     throw new VendorDataError("vendor-data/pubkey-fingerprint-mismatch",
       "vendorData: '" + name + "' declared publicKeyFingerprint '" +
       meta.publicKeyFingerprint + "' does not match the inlined pubkey " +

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.10.3",
+  "version": "0.10.5",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:65836635-3daf-43b2-804d-050f9f4a4082",
+  "serialNumber": "urn:uuid:b04fba78-2d19-4469-a4dc-ecdf4677187f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-17T05:24:59.072Z",
+    "timestamp": "2026-05-17T16:21:47.795Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.10.3",
+      "bom-ref": "@blamejs/core@0.10.5",
       "type": "library",
       "name": "blamejs",
-      "version": "0.10.3",
+      "version": "0.10.5",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.10.3",
+      "purl": "pkg:npm/%40blamejs/core@0.10.5",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.10.3",
+      "ref": "@blamejs/core@0.10.5",
       "dependsOn": []
     }
   ]