@blamejs/core 0.10.6 → 0.10.7

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.10.x
 
+- v0.10.7 (2026-05-17) — **Mail-stack P3 / P4 hardening sweep.** Twenty-plus refusals + observability additions across the four mail listeners, the DKIM verifier, ARC signer, MIME parser, and the DNS / DSN / List-* guards. No new public primitives; one substrate addition (`b.crypto.randomInt`); two new operator-visible opts on the submission listener. **(a) `b.crypto.randomInt(min, max)`** — substrate wrapper that routes every framework integer draw through one greppable primitive. Migrates the inline `nodeCrypto.randomInt` sites in `b.network.dns` / `b.network.dns.resolver` (DNS query-ID), `b.mail.auth` (DMARC `pct` sampling), and `b.externalDb` (transaction-retry jitter) so the audit trail is uniform and future detectors see one shape. **(b) `b.mail.server.submission.create({ requireDkim, dkimRequireMode })`** — outbound DKIM-required gate per Yahoo / Google 2024 bulk-sender alignment. `requireDkim` defaults `true` under `strict` profile (`false` under `balanced` / `permissive`). `dkimRequireMode` is `"self"` (signer's `d=` must match authenticated identity's domain), `"any"` (any signer present), or `"off"` (no gate). Default `"any"`. Submission listener that doesn't carry a `DKIM-Signature:` header at DATA-end refuses with `5.7.20`. **(c) `b.mail.server.{mx,submission}.create({ allowSmtpUtf8 })`** — single per-listener SMTPUTF8 (RFC 6531) switch threaded end-to-end into `guardSmtpCommand.validate`. Default `false`. Operators that accept EAI envelopes flip to `true` and the toggle reaches every wire-line guard call. **(d) DKIM verifier signature-count cap.** `b.mail.dkim.verify` now refuses (`policy` verdict) rather than silently truncating when a message carries more `DKIM-Signature` headers than `maxSignatures` (default 8). The opt is range-checked at config time against a ceiling of 16; out-of-range throws `dkim/bad-max-signatures`. Closes a verifier-fan-out DoS shape per RFC 6376 §6.1. Emits `dkim.verify.signature_count_cap` audit on the refusal so postmasters see DoS attempts in the authentication-results stream. **(e) MX listener size-overrun + observability.** `MAIL FROM SIZE=` is now reconciled against the actual DATA byte count after dot-stuffing reversal — senders that understate `SIZE=` to probe `maxMessageBytes` get `552 5.3.4` rather than silently accepted, with `mail.server.mx.size_overrun` audit. Refused-recipient list (bounded at 32 per transaction) now surfaces in the `data_accepted` / `delivered` audit metadata. Write-backpressure on every reply attaches a once-per-socket `mail.server.mx.write_backpressure` audit so operators see stalled connections without flooding on every reply. **(f) IMAP refinements.** `APPEND mailbox [flags] [date-time] {literal}` now honors the optional RFC 9051 §6.3.12 date-time argument (parsed into `internalDate` ms-epoch, refused with `BAD` rather than silently falling back to `Date.now()`). `FETCH` / `STORE` outside of Selected state now respond `BAD` (RFC 9051 §6.4.5 / §6.4.6 — protocol-context violation, not policy refusal). `LOGIN` quoted-string args honor `\"` / `\\` escape pairs per the RFC 9051 §5.1 grammar (the prior shape terminated at the first `"`, letting a hostile client smuggle `LOGIN "alice\"@example.com" "pw"` past the username binding). **(g) ARC signer hop-count ceiling.** `b.mail.arc.sign` extracts prior hops with the RFC 8617 §5 50-hop cap; an inbound chain claiming >50 hops or an out-of-range `i=` tag is refused rather than enumerated. **(h) MIME parser charset + observability.** `b.safeMime.parse` now decodes `utf-16` (RFC 2781 §3.3 BOM detection + BE default), `utf-16be`, and `utf-16le` end-to-end — the prior shape advertised `utf-16` / `utf-16be` in the allowlist but only decoded `utf-16le`. `binary` Content-Transfer-Encoding is removed from the default allowlist (RFC 3030 §3 — `binary` requires explicit BINARYMIME negotiation; operators that wire BINARYMIME opt back in via `transferEncodingAllowlist: [..., "binary"]`). Control-character refusal errors now report the BYTE offset (via `Buffer.byteLength` on the JS string prefix) rather than the UTF-16 code-unit index, so audit lines align with wire-level inspection. **(i) DKIM / DMARC / ARC / iPrev / DSN tightening.** `b.guardDsn` splits the RFC 3464 §2.1.1 block separator on literal `\r\n\r\n` only (the prior `\n\s*\n` accepted `\v` / `\f` whitespace as a block boundary, letting a hostile sender bend the per-message vs per-recipient boundary). `b.guardMessageId` now validates id-left + id-right against RFC 5322 §3.2.3 dot-atom-text shape under `strict` profile; `b.guardListId` extends the localhost FQDN exception to `.local` (RFC 6762) and `.lan` (draft-chapin-rfc2606bis). **(j) `b.guardListUnsubscribe` SSRF defense.** HTTPS one-click URIs now refuse IP-literal hosts (v4 + v6), reserved-local hostnames (`localhost` / `localhost.localdomain` / `ip6-localhost` / `ip6-loopback`), and reserved-local TLD suffixes (`.local` / `.lan` / `.internal`). New optional `allowedHosts` opt provides a domain allowlist — when supplied, every HTTPS host (or any ancestor) must be on the list. **(k) `b.mailStore` JMAP objectid bump to 128 bits.** RFC 8474 §1.5.1 — the prior 24-char hex prefix cut entropy to 96 bits; full 32-char hex restores 128 bits. **Operator impact:** Submission listeners on `strict` profile WITHOUT operator-side DKIM signing (`b.mail.dkim.sign` pre-relay) now refuse outbound DATA — operators in this state either wire DKIM signing, opt to `dkimRequireMode: "off"`, or step down to `balanced`. `b.mail.dkim.verify` callers passing `maxSignatures > 16` now throw at config time — clamp via the opt or rely on the framework default. `b.safeMime.parse` callers that legitimately receive `binary` Content-Transfer-Encoding (BINARYMIME-aware downstream pipelines) opt back in via `transferEncodingAllowlist`. `b.guardListUnsubscribe.validate` callers that legitimately rely on IP-literal one-click URIs (test harnesses, internal-network operators) opt in via `allowedHosts: ["10.0.0.0/8"]` style ancestor matches. **Deferred to v0.10.8 / v0.10.12:** per-tenant pepper on `b.mailStore` derived hashes (`from_hash` / `message_id_hash`) ships in v0.10.12 alongside the `b.agent.tenant` adoption refactor; the schema migration is too invasive to fold into this patch. `b.mailStore` forensic-recovery columns (original Content-Transfer-Encoding + charset preserved alongside decoded body) defer to v0.10.8 — the schema change carries its own backwards-compatibility surface. References: [RFC 9051 IMAP4rev2](https://www.rfc-editor.org/rfc/rfc9051), [RFC 6376 DKIM §6.1](https://www.rfc-editor.org/rfc/rfc6376#section-6.1), [RFC 6531 SMTPUTF8](https://www.rfc-editor.org/rfc/rfc6531), [RFC 3030 BINARYMIME](https://www.rfc-editor.org/rfc/rfc3030), [RFC 2781 UTF-16 BOM](https://www.rfc-editor.org/rfc/rfc2781), [RFC 1870 SMTP SIZE](https://www.rfc-editor.org/rfc/rfc1870), [RFC 8474 JMAP objectid](https://www.rfc-editor.org/rfc/rfc8474), [RFC 8617 ARC §5](https://www.rfc-editor.org/rfc/rfc8617#section-5), [RFC 3464 DSN §2.1.1](https://www.rfc-editor.org/rfc/rfc3464#section-2.1.1), [RFC 5322 Message Format §3.2.3](https://www.rfc-editor.org/rfc/rfc5322#section-3.2.3), [RFC 6761 Reserved Domain Names](https://www.rfc-editor.org/rfc/rfc6761), [Yahoo / Gmail bulk-sender 2024](https://blog.google/products/gmail/gmail-security-authentication-spam-protection/).
 - v0.10.6 (2026-05-17) — **Vendored-SBOM CycloneDX 1.6 conformance + cosign verification recipe pin.** Build-side + verification-side improvements; no runtime changes. **(a) `scripts/build-vendored-sbom.js` per-component `cpe` field** — every vendored bundle gets a CPE 2.3 string (`cpe:2.3:a:<vendor>:<product>:<version>:*:*:*:*:*:*:*`). CISA / NVD CVE-matching tools (Dependency-Track, OWASP Dependency-Check, Snyk SBOM Monitor) match CVE advisories against components by CPE; the prior emit had no CPE field, so vendored bundles were invisible to operator-side CVE scanners. **(b) Per-component `supplier` block** — `metadata.supplier` (framework-level) was already populated; each vendored bundle now also carries its own `components[].supplier` with the upstream maintainer / org per [SLSA v1.0 provenance requirements](https://slsa.dev/spec/v1.0/provenance) — operators auditing the SBOM see both the framework supplier (blamejs) AND the vendored bundle's upstream supplier (noble-curves, noble-ciphers, etc.) at the component level. **(c) `metadata.lifecycles[].externalReferences[]`** — CycloneDX 1.6 §4.4.2 requires `lifecycles` entries to carry build-provenance references (workflow URL, run ID); the npm-publish workflow now populates these so the SBOM points back at the SLSA-attesting workflow run that produced the tarball. **(d) Sub-component `dependsOn` graph** — when a vendored bundle exposes sub-components (e.g. `noble-ciphers` exports `xchacha20poly1305` + `aes-gcm` as named sub-modules), each sub-component now emits its own SBOM entry with a `dependencies` edge pointing to its parent (CycloneDX 1.6 §4.7). Operators get the full transitive graph instead of just the top-level vendored bundle. **(e) `_licenseFor()` inline-path fix** — the path-resolution branch that handles vendored bundles whose `package.json` is under `lib/vendor/<name>/package.json` now correctly returns the SPDX `license.id` (was returning `null` for that branch, causing CycloneDX-validator warnings). **(f) `SECURITY.md` cosign verification recipe pinned to workflow path + tag-ref** — the operator-side recipe now constrains `cosign verify-blob --certificate-identity-regexp` to the specific workflow file (`.github/workflows/npm-publish.yml`) + tag-ref shape (`refs/tags/v[0-9]+\.[0-9]+\.[0-9]+`), refusing certificates issued for any other workflow or ref class. Also documents `--rekor-url` for operators running on an air-gapped network with a local transparency log + offline TUF root path for `cosign initialize --root <local-root.json>`. **(g) `.github/workflows/npm-publish.yml` recipe comment** synchronized to match the SECURITY.md recipe so operators copy-pasting from either source see identical verification steps. **Operator impact:** SBOM consumers that previously saw vendored bundles as opaque now see CPE-matched components with proper supplier attribution + transitive sub-component graph. The Sigstore-keyless verification recipe is more restrictive (rejects certificates issued for non-`npm-publish.yml` workflows on this repo) — operators already verifying against the prior recipe see the same successful verification with the tighter identity match. References: [CycloneDX 1.6 §4](https://cyclonedx.org/docs/1.6/json/), [CPE 2.3 spec](https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf), [SLSA v1.0 provenance](https://slsa.dev/spec/v1.0/provenance), [Sigstore cosign verify-blob](https://docs.sigstore.dev/cosign/verifying/verify/), [TUF specification](https://theupdateframework.github.io/specification/latest/).
 - v0.10.5 (2026-05-16) — **`b.mail.server.pop3` APOP cleartext refusal + `b.vendorData` constant-time digest compares.** Two small entry-tier refusals on the mail and vendor-data surfaces. **(a) `b.mail.server.pop3._handleApop`** refuses APOP when the connection is cleartext and the profile is not permissive, symmetric with the existing USER / PASS refusal. APOP transmits `MD5(timestamp+secret)` (not cleartext credentials), but an attacker who captures the digest plus the known greeting timestamp can mount an offline dictionary attack against the shared secret. RFC 1939 §7 explicitly warns about this; the wire MUST be TLS-protected to deny the offline-attack vector. Emits the same `mail.server.pop3.auth_refused_cleartext` audit event + writes `-ERR APOP refused over cleartext (use STLS first; RFC 1939 §7)`. The cleartext-refusal line was advertised in the v0.10.4 release notes but the wire-level enforcement only lands here; operators relying on v0.10.4 saw the comment but not the runtime gate. **(b) `b.vendorData.verifyAll()`** boot-time digest verifies (SHA-256 layer 1, SHA3-512 layer 2, and the SLH-DSA-SHAKE-256f pubkey-fingerprint cross-check) now compare via a length-prechecked `nodeCrypto.timingSafeEqual` instead of `!==`. The framework convention is that every digest / MAC compare is constant-time regardless of whether the value is a secret — reaching for `!==` whenever a value "isn't a secret" is the smell; the convention is the gate. Uses `nodeCrypto.timingSafeEqual` directly (not `b.crypto.timingSafeEqual`) because `b.crypto` is `lazyRequire`'d to break a circular load chain and isn't available during boot-time `verifyAll()`. **Operator impact:** APOP users on plaintext POP3 (port 110) without STLS first now get `-ERR` instead of authenticating — the operator either wires STLS, switches the listener to implicit TLS (port 995), or sets `profile: "permissive"` for the deliberately-open path. `b.vendorData` consumers see no behavioral change — the timing-safe compare returns the same boolean as `!==` for length-equal inputs. References: [RFC 1939 §7](https://www.rfc-editor.org/rfc/rfc1939#section-7), [CWE-208 timing attack](https://cwe.mitre.org/data/definitions/208.html), [NIST SP 800-38B §6.3 MAC verification](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf).
 - v0.10.4 (2026-05-16) — **Mail-protocol hardening across the four listener primitives.** Ten refusals + two new operator-visible opts spanning `b.mail.server.{mx,submission,imap,pop3}`, `b.mail.server.rateLimit`, `b.safeMime`, `b.guardListUnsubscribe`. Layered on top of the v0.10.0 mail-stack baseline; addresses residual gaps in inbound RCPT enumeration, header-count amplification, POP3 UPDATE-state commit timeouts, list-unsubscribe URI shape, and the per-listener auth-failure / connection-rate maps. **(a) `b.mail.server.rateLimit.checkRcptAdmit(ip)` + `noteRcptFailure(ip)`** — new per-IP RCPT-failure budget (default 50/min, rolling 60s window) wired into the MX + submission listeners. RFC 5321 §3.5 enumeration class: an attacker probing `RCPT TO:` to map valid recipients now trips the budget after 50 failures and gets `421` for the next minute. Operators tune via `rateLimit.create({ rcptFailuresPerMinute, rcptWindowMs })`. **(b) `b.safeMime.parse({ maxHeaderCount })`** — new opt, default 512. Bounded header-count cap prevents `From: ...\r\nSubject: ...\r\n` × 100k header-list amplification in operator pipelines that pass full RFC 5322 messages through `safeMime.parse`. Refused with `safe-mime/too-many-headers` when exceeded. **(c) `b.mail.server.pop3.create({ commitTimeoutMs })`** — new opt, default `C.TIME.seconds(30)`. POP3 UPDATE-state commit (DELE materialization) now runs under `safeAsync.withTimeout` so a hung commit can no longer pin the connection past `idleTimeoutMs`. Past the cap, the connection gets `421` and the in-flight DELE batch is rolled back (RFC 1939 §6 — UPDATE state aborts on transport failure). **(d) `b.guardListUnsubscribe.validate`** refuses empty `<>` URI lists per RFC 2369 §3.1 (the `List-Unsubscribe` header value `<>` is a smuggled-empty class that downstream mail-renderers may interpret as an active unsubscribe link to the local-origin). **(e) `b.mail.server.rateLimit` GC sweep** — the previously asymmetric `connectionTimes` Map (filled in `noteConnection`, never explicitly cleaned) now sweeps empty arrays alongside the existing `authFailureTimes` cleanup. Closes a CWE-770 unbounded-memory class for long-running mail servers seeing transient IP fan-in. **(f) `b.mail.server.imap` `_close()` writes `state.stage = "closed"`** — the drain-loop guard was previously unreachable because the close path didn't update the state machine. Operators on the older path saw `state.stage === "authenticated"` linger after socket close; the new path resolves cleanly. **(g) `b.mail.server.imap` per-line cap before `Buffer.concat`** — closes a CWE-770 unbounded-`Buffer.concat` class on the IMAP line accumulator (the cap was applied AFTER concat, so a malicious peer could send 10 GiB of unterminated tag bytes and the listener would allocate before refusing). Per-line cap now gates the concat. **(h) `b.mail.server.pop3` `_handleApop` cleartext refusal** — APOP gets the same `!state.tls && profile !== "permissive"` refusal as USER / PASS, closing the cleartext-credentials gap symmetric to the other auth verbs (RFC 1939 §7 APOP MD5 is also cleartext in transit). **(i) `b.mail.server.pop3` RETR / TOP dot-stuffing via `safeSmtp.dotStuff(buf)`** — the prior `.replace(/^\./gm, "..")` on a JS string treats bare LF as a line boundary, so bodies containing bare-LF lines starting with `.` gained spurious stuffing that the receiver's strict-CRLF parser couldn't undo. Routes through the byte-level dot-stuffer that only recognizes canonical `\r\n` (RFC 1939 §3 / RFC 5321 §4.5.2). **(j) `b.mail.store` deletion atomicity** — sealed deletion no longer leaves partial state when the in-memory delete succeeds but the disk flush fails (CWE-707 — transactional integrity). **(k) `b.mail.server.submission` cleartext-AUTH audit** — the `auth_success` audit emit captures the `mechanism` field before nulling `authPending` (was recording `null`); operators tailing the audit log now see which SASL mechanism succeeded. **(l) Codebase-patterns** — new `family-subset` entry covering the rate-limit admit-check shape across `mail-server-{imap,mx,submission}` so the contract is enforced at every listener (every primitive that opens a peer socket on a mail port must consult the rate limiter before sending the greeting). **Operator impact:** `b.mail.server.rateLimit` consumers see a new public surface (`checkRcptAdmit` / `noteRcptFailure`); existing operators who don't wire these get the framework default (50/min). `b.safeMime.parse` callers with >512-header messages now get `safe-mime/too-many-headers` — operators with bespoke headers (DMARC aggregate reports can run into hundreds of `Authentication-Results`) opt up via `maxHeaderCount: 4096` per call. POP3 operators see a new `commitTimeoutMs` opt — default applies retroactively. References: [RFC 5321 §3.5](https://www.rfc-editor.org/rfc/rfc5321#section-3.5), [RFC 5322](https://www.rfc-editor.org/rfc/rfc5322), [RFC 1939](https://www.rfc-editor.org/rfc/rfc1939), [RFC 2369 §3.1](https://www.rfc-editor.org/rfc/rfc2369#section-3.1), [CWE-770](https://cwe.mitre.org/data/definitions/770.html), [CWE-707](https://cwe.mitre.org/data/definitions/707.html).

package/lib/crypto.js

@@ -390,6 +390,35 @@ function random(byteLength) {
     .digest();
 }
 
+/**
+ * @primitive b.crypto.randomInt
+ * @signature b.crypto.randomInt(min, max)
+ * @since     0.10.7
+ * @status    stable
+ *
+ * Cryptographically-secure uniform integer in `[min, max)`. Substrate
+ * wrapper that routes every framework integer draw (DNS query-ID,
+ * DMARC `pct` sampling, retry jitter) through one greppable primitive.
+ * Both bounds must be safe integers, `max > min`, and the half-open
+ * span must not exceed 2^48 (the underlying runtime's hard cap).
+ *
+ * @example
+ *   var n = b.crypto.randomInt(0, 100);
+ *   // → integer in [0, 100)
+ */
+function randomInt(min, max) {
+  if (typeof min !== "number" || !Number.isInteger(min)) {
+    throw new TypeError("b.crypto.randomInt: min must be an integer");
+  }
+  if (typeof max !== "number" || !Number.isInteger(max)) {
+    throw new TypeError("b.crypto.randomInt: max must be an integer");
+  }
+  if (max <= min) {
+    throw new RangeError("b.crypto.randomInt: max must be greater than min");
+  }
+  return nodeCrypto.randomInt(min, max);
+}
+
 function generateKeyPair(algorithm, options) {
   var pair = nodeCrypto.generateKeyPairSync(algorithm, Object.assign({
     publicKeyEncoding: { type: "spki", format: "pem" },
@@ -1845,6 +1874,7 @@ module.exports = {
   // Random
   generateBytes:               generateBytes,
   generateToken:               generateToken,
+  randomInt:                   randomInt,
   toBase64Url:                 toBase64Url,
   fromBase64Url:               fromBase64Url,
   // Keys

package/lib/external-db.js

@@ -36,6 +36,7 @@
  *   External-database integration for app data — Postgres / MySQL / SQLite / MongoDB connection pooling, retry, circuit breaker, classification routing, residency enforcement, and audit hooks.
  */
 var retryHelper = require("./retry");
+var bCrypto = require("./crypto");
 var C = require("./constants");
 var dbRoleContext = require("./db-role-context");
 var externalDbMigrate = require("./external-db-migrate");
@@ -754,8 +755,7 @@ async function transaction(fn, opts) {
           if (isTransient && attempt <= maxRetries) {
             _emitMetric("externaldb.transaction.retry", 1,
               { backend: b.name, code: txErr.code, attempt: String(attempt) });
-            var nodeCrypto = require("node:crypto");
-            var jitter = nodeCrypto.randomInt(0, 6);                          // allow:raw-byte-literal — 0-5ms jitter
+            var jitter = bCrypto.randomInt(0, 6);                                // allow:raw-byte-literal — 0-5ms jitter
             await safeAsync.sleep(attempt * 5 + jitter);                           // allow:raw-time-literal — sub-second backoff
             continue;
           }

package/lib/guard-dsn.js

@@ -279,12 +279,15 @@ function compliancePosture(posture) {
 }
 
 function _splitBlocks(text) {
-  // RFC 3464 §2.1: blank line separates per-message from
-  // per-recipient blocks; blank lines also separate consecutive
-  // per-recipient blocks.
-  // Normalize CRLF + bare-CR to LF for split.
+  // RFC 3464 §2.1.1: block separator is `CRLF CRLF` only — a "blank
+  // line" in message-syntax terms. `\n\s*\n` admits `\v` / `\f` /
+  // mixed whitespace which a hostile sender can use to bend the
+  // block boundary (folded fields drift between per-message and
+  // per-recipient blocks). Normalize CR(LF)? → LF, then split on
+  // strict `\n\n` (an LF, an empty line, an LF) — anything else is
+  // either intra-block CFWS or an intra-field continuation.
   var normalized = text.replace(/\r\n/g, "\n").replace(/\r/g, "\n");                                    // allow:regex-no-length-cap — input length already capped
-  return normalized.split(/\n\s*\n/);                                                                    // allow:regex-no-length-cap — input length already capped
+  return normalized.split("\n\n");
 }
 
 function _parseFieldBlock(block, maxHeaderLine) {

package/lib/guard-list-id.js

@@ -224,22 +224,26 @@ function validate(headerValue, opts) {
   }
   // RFC 2919 §2 requires AT LEAST one `.` (label + namespace);
   // strict/balanced ALSO require the namespace to be a FQDN, which
-  // means a minimum of 3 labels total (label + ns-label + ns-tld)
-  // OR a 2-label list-id where the namespace is `localhost`.
+  // means a minimum of 3 labels total (label + ns-label + ns-tld) OR
+  // a 2-label list-id where the namespace ends in a reserved-local
+  // TLD: `localhost` (RFC 6761 §6.3), `local` (RFC 6762 mDNS), or
+  // `lan` (IETF draft-chapin-rfc2606bis). All three are non-routable
+  // single-network labels and the FQDN floor doesn't apply.
+  var lastLabel = parts[parts.length - 1].toLowerCase();
+  var isLocalScopeTld = lastLabel === "localhost" || lastLabel === "local" || lastLabel === "lan";
   if (caps.requireFqdn) {
-    var lastLabel = parts[parts.length - 1].toLowerCase();
-    if (parts.length < 3 && lastLabel !== "localhost") {                                                 // allow:raw-byte-literal — FQDN requires ≥ 3 labels for non-localhost
-      return _refuse("list-id has < 3 labels for non-localhost namespace (FQDN required under '" +
+    if (parts.length < 3 && !isLocalScopeTld) {                                                          // allow:raw-byte-literal — FQDN requires ≥ 3 labels for non-local-scope namespace
+      return _refuse("list-id has < 3 labels for non-local-scope namespace (FQDN required under '" +
         (opts.profile || DEFAULT_PROFILE) + "')");
     }
   }
 
-  // RFC 2919 §3: `localhost` namespace SHOULD carry 32-hex
-  // randomness in the label.
-  var isLocalhost = parts[parts.length - 1].toLowerCase() === "localhost";
-  if (isLocalhost) {
+  // RFC 2919 §3: `localhost`-class namespaces SHOULD carry 32-hex
+  // randomness in the label so cross-host listserv operators can't
+  // collide. Applies to all three reserved-local TLDs.
+  if (isLocalScopeTld) {
     if (caps.requireRandomForLocalhost && !RANDOM_HEX_RE.test(listId)) {                                 // allow:regex-no-length-cap — listId length-bounded above
-      return _refuse("localhost namespace requires 32-hex random component per RFC 2919 §3 SHOULD");
+      return _refuse("local-scope namespace requires 32-hex random component per RFC 2919 §3 SHOULD");
     }
   }
 

package/lib/guard-list-unsubscribe.js

@@ -134,6 +134,59 @@ var DANGEROUS_SCHEMES = Object.freeze({
   "blob:":       true,
 });
 
+// IP-literal + reserved-hostname refusal for HTTPS one-click URIs.
+// One-click receivers POST to the URI without further operator gate;
+// an attacker-supplied List-Unsubscribe URI pointing at `127.0.0.1`
+// / `169.254.169.254` (cloud metadata) / `[::1]` / `localhost` lets
+// the mailbox provider's auto-fetcher target the operator's own
+// infrastructure — classic SSRF. The check is wholly host-name-shape
+// based (no DNS resolution); DNS-rebinding defense is left to the
+// fetcher (which should pin the IP across resolution + request).
+var IPV4_LITERAL_RE = /^\d+\.\d+\.\d+\.\d+$/;                                                            // allow:regex-no-length-cap — anchored shape, hostname length bounded by URL parser
+var IPV6_LITERAL_RE = /^\[[0-9A-Fa-f:.]+\]$/;                                                            // allow:regex-no-length-cap — anchored shape, hostname length bounded by URL parser
+var RESERVED_LOCAL_HOSTS = Object.freeze({
+  "localhost":          true,
+  "localhost.localdomain": true,
+  "ip6-localhost":      true,
+  "ip6-loopback":       true,
+});
+
+function _isRefusedAutoFetchHost(hostname, allowedHosts) {
+  if (typeof hostname !== "string" || hostname.length === 0) return "missing-host";
+  // Normalize the trailing root-zone dot BEFORE comparison — RFC 1034
+  // §3.1: `foo.` is the absolute form of `foo` (both resolve to the
+  // same target). A naive byte-equality check against `localhost`
+  // would let an attacker bypass the gate by appending the dot. Same
+  // for any reserved-local suffix family. Multiple trailing dots are
+  // not valid DNS but we strip them anyway to keep the gate robust
+  // against any URL parser that leaves them in `hostname`.
+  var lower = hostname.toLowerCase();
+  while (lower.length > 0 && lower.charAt(lower.length - 1) === ".") {
+    lower = lower.slice(0, -1);
+  }
+  if (lower.length === 0) return "missing-host";
+  if (IPV4_LITERAL_RE.test(lower) || IPV6_LITERAL_RE.test(lower)) return "ip-literal";
+  if (RESERVED_LOCAL_HOSTS[lower]) return "reserved-local-host";
+  // Hostname suffix refusal — RFC 6761 reserved / mDNS / single-network.
+  if (lower === "local" || lower.endsWith(".local")) return "reserved-local-suffix";
+  if (lower === "lan" || lower.endsWith(".lan")) return "reserved-local-suffix";
+  if (lower === "internal" || lower.endsWith(".internal")) return "reserved-local-suffix";
+  // Optional operator allowlist — when supplied, hostname (or any
+  // ancestor domain) MUST be present.
+  if (Array.isArray(allowedHosts) && allowedHosts.length > 0) {
+    var matched = false;
+    for (var i = 0; i < allowedHosts.length; i += 1) {
+      var allowed = String(allowedHosts[i]).toLowerCase();
+      if (lower === allowed || lower.endsWith("." + allowed)) {
+        matched = true;
+        break;
+      }
+    }
+    if (!matched) return "not-on-allowlist";
+  }
+  return null;
+}
+
 /**
  * @primitive b.guardListUnsubscribe.validate
  * @signature b.guardListUnsubscribe.validate(headers, opts?)
@@ -225,12 +278,25 @@ function validate(headers, opts) {
         { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });
     }
     if (scheme === "https:") {
+      var parsed;
       try {
-        safeUrl.parse(u, { allowedProtocols: safeUrl.ALLOW_HTTPS });
+        parsed = safeUrl.parse(u, { allowedProtocols: safeUrl.ALLOW_HTTPS });
       } catch (e) {
         return _verdict("refuse", "HTTPS URI '" + _trunc(u) + "' failed safeUrl parse: " + (e && e.message || String(e)),
           { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });
       }
+      // SSRF defense — refuse IP-literal hosts, loopback names,
+      // reserved-local TLDs, and (when operator supplied
+      // `allowedHosts`) anything outside the allowlist. The mailbox
+      // provider's auto-fetcher POSTs without our involvement; the
+      // header is the only place this can be stopped.
+      var refusedHostReason = _isRefusedAutoFetchHost(parsed.hostname, opts.allowedHosts);
+      if (refusedHostReason) {
+        return _verdict("refuse",
+          "HTTPS URI '" + _trunc(u) + "' host '" + parsed.hostname +
+          "' refused (" + refusedHostReason + "; auto-fetch SSRF defense)",
+          { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });
+      }
       hasHttpsUri = true;
     } else if (scheme === "mailto:") {
       hasMailtoUri = true;

package/lib/guard-message-id.js

@@ -74,6 +74,13 @@ var COMPLIANCE_POSTURES = Object.freeze({
 // CVE-2021-42574 RTLO class in mail header context).
 var BIDI_RE = /[؜‎‏‪-‮⁦-⁩]/;
 
+// RFC 5322 §3.2.3 dot-atom-text — used at strict profile to validate
+// the id-left and id-right shape inside the bracketed Message-Id.
+// `atext` = ALPHA / DIGIT / "!#$%&'*+-/=?^_`{|}~"; `dot-atom-text` is
+// 1*atext *("." 1*atext). Length-bounded by the maxBytes cap above so
+// the regex CPU is amortised; pattern is single-pass linear.
+var DOT_ATOM_TEXT_RE = /^[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+(?:\.[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+)*$/;
+
 /**
  * @primitive b.guardMessageId.validate
  * @signature b.guardMessageId.validate(value, opts?)
@@ -154,6 +161,25 @@ function validate(value, opts) {
       throw new GuardMessageIdError("message-id/nested-brackets",
         "guardMessageId.validate: nested angle brackets refused");
     }
+    // RFC 5322 §3.6.4: id-left and id-right MUST conform to
+    // dot-atom-text shape (§3.2.3). A second `@` inside id-left or
+    // id-right falls out of dot-atom-text and is refused here. The
+    // last `@` is the local/domain separator — `lastIndexOf` rather
+    // than `indexOf` handles `a@b@c` correctly: id-left would be
+    // `a@b` which fails dot-atom-text on the `@` character.
+    var atLast = inner.lastIndexOf("@");
+    var idLeft = inner.slice(0, atLast);
+    var idRight = inner.slice(atLast + 1);
+    if (!DOT_ATOM_TEXT_RE.test(idLeft)) {                                                            // allow:regex-no-length-cap — idLeft length-bounded by maxBytes above
+      throw new GuardMessageIdError("message-id/id-left-shape",
+        "guardMessageId.validate: id-left '" + idLeft +
+        "' not dot-atom-text shape (RFC 5322 §3.2.3 / §3.6.4)");
+    }
+    if (!DOT_ATOM_TEXT_RE.test(idRight)) {                                                           // allow:regex-no-length-cap — idRight length-bounded by maxBytes above
+      throw new GuardMessageIdError("message-id/id-right-shape",
+        "guardMessageId.validate: id-right '" + idRight +
+        "' not dot-atom-text shape (RFC 5322 §3.2.3 / §3.6.4)");
+    }
   }
 
   return value;

package/lib/mail-arc-sign.js

@@ -128,10 +128,19 @@ function _bodyHashB64(body, algorithm) {
   return nodeCrypto.createHash(hashAlgo).update(canonical).digest("base64");
 }
 
+// RFC 8617 §5 — ARC chains MUST NOT exceed 50 hops. The verifier
+// caps in `mail-auth.js` (`ARC_MAX_HOPS`); the signer's prior-hop
+// extractor needs the same ceiling so a message arriving with a
+// hostile chain (51+ instances) doesn't expand the per-hop walk to
+// unbounded work before the signer's own validation catches up.
+var ARC_MAX_HOPS_FOR_EXTRACT = 50;                                                      // allow:raw-byte-literal — RFC 8617 §5 chain bound
+
 function _arcExtractPriorHops(parsedHeaders) {
   // Walk parsedHeaders; for each ARC-Authentication-Results /
   // ARC-Message-Signature / ARC-Seal entry, extract instance via i=N
-  // and group by hop.
+  // and group by hop. The `i=` value is bounded against the RFC's
+  // 50-hop ceiling before being used as a map key, so an attacker-
+  // chosen `i=999999` can't allocate a sparse map.
   var hopMap = {};
   for (var i = 0; i < parsedHeaders.length; i += 1) {
     var h = parsedHeaders[i];
@@ -142,11 +151,22 @@ function _arcExtractPriorHops(parsedHeaders) {
     var iMatch = h.value.match(/(?:^|[;,\s])i=(\d+)/);                                  // allow:regex-no-length-cap — ARC header bounded by RFC 5322 §2.1.1
     if (!iMatch) continue;
     var instance = parseInt(iMatch[1], 10);
+    if (!isFinite(instance) || instance < 1 || instance > ARC_MAX_HOPS_FOR_EXTRACT) {
+      // Out-of-spec instance number — refuse to consider it. Upstream
+      // `sign` will see `priorHops.length !== opts.instance - 1` and
+      // refuse the message.
+      continue;
+    }
     if (!hopMap[instance]) hopMap[instance] = { instance: instance };
     hopMap[instance][lcName] = h.value;
   }
   var hops = [];
   var keys = Object.keys(hopMap).sort(function (a, b) { return Number(a) - Number(b); });
+  if (keys.length > ARC_MAX_HOPS_FOR_EXTRACT) {
+    throw new MailAuthError("arc-sign/chain-too-long",
+      "_arcExtractPriorHops: chain has " + keys.length +
+      " hops, exceeds RFC 8617 §5 ceiling of " + ARC_MAX_HOPS_FOR_EXTRACT);
+  }
   for (var k = 0; k < keys.length; k += 1) hops.push(hopMap[keys[k]]);
   return hops;
 }

package/lib/mail-auth.js

@@ -37,6 +37,7 @@ var net = require("node:net");
 var nodeCrypto = require("node:crypto");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
+var bCrypto = require("./crypto");
 var C = require("./constants");
 var dkim = require("./mail-dkim");
 var safeXml = require("./parsers/safe-xml");
@@ -722,7 +723,7 @@ async function dmarcEvaluate(opts) {
     var u32 = (hash[0] << 24 >>> 0) + (hash[1] << 16) + (hash[2] << 8) + hash[3];               // allow:raw-byte-literal — uint32 bit assembly
     sampleRoll = u32 % 100;                                                                     // allow:raw-byte-literal — pct sample roll
   } else {
-    sampleRoll = nodeCrypto.randomInt(0, 100);                                                  // allow:raw-byte-literal — pct sample roll
+    sampleRoll = bCrypto.randomInt(0, 100);                                                     // allow:raw-byte-literal — pct sample roll
   }
   var sampled = !pass && pct < 100 && sampleRoll >= pct;
   var recommendedAction = pass ? "deliver" :

package/lib/mail-dkim.js

@@ -525,6 +525,11 @@ var DKIM_KEY_CACHE_MAX_ENTRIES = 1024;
 // receivers cap at 5–8. Operators that legitimately accept more
 // override via verify({ maxSignatures }).
 var DKIM_MAX_SIGNATURES_PER_MESSAGE = 8;                                         // allow:raw-byte-literal — receiver-fan-out DoS bound
+// Operator-supplied `maxSignatures` opt is range-checked against this
+// ceiling. RFC 6376 §6.1 sets no upper bound; 16 is generous headroom
+// for legitimate relay chains with hop signatures while keeping the
+// verify-fan-out within a CPU-DoS envelope.
+var DKIM_MAX_SIGNATURES_PER_MESSAGE_CEILING = 16;                                // allow:raw-byte-literal — operator-opt range ceiling
 
 function _cacheGet(qname) {
   var ent = DKIM_KEY_CACHE.get(qname);
@@ -836,6 +841,7 @@ async function verify(rfc822, opts) {
   opts = opts || {};
   validateOpts(opts, ["dnsLookup", "audit", "clockSkewMs", "maxSignatures",
                        "minRsaBits"], "mail.dkim.verify");
+  var auditOn = opts.audit !== false;
 
   // Bounded clock skew: refuse non-numeric / negative / infinite /
   // beyond-ceiling. Throwing on bad config-time input per the
@@ -855,10 +861,27 @@ async function verify(rfc822, opts) {
     clockSkewMs = Math.floor(opts.clockSkewMs);
   }
 
-  var maxSignatures = (typeof opts.maxSignatures === "number" &&
-                        isFinite(opts.maxSignatures) && opts.maxSignatures >= 1)
-                       ? Math.floor(opts.maxSignatures)
-                       : DKIM_MAX_SIGNATURES_PER_MESSAGE;
+  // RFC 6376 §6.1 — verifier MUST handle multiple signatures but the
+  // RFC sets no count cap. An unbounded count is a CPU-DoS surface
+  // (each sig forces a DNS fetch + cryptographic verify). Range 1-16
+  // — mainstream receivers (Gmail/Yahoo/MS 2024 bulk-sender guidance)
+  // cite 2-3 valid signatures per message as the operational ceiling;
+  // 16 is generous headroom for relay chains with hop signatures. The
+  // operator opt is range-checked at config time — values < 1 or > 16
+  // throw rather than silently clamp so an over-large config doesn't
+  // re-introduce the DoS surface.
+  var maxSignatures = DKIM_MAX_SIGNATURES_PER_MESSAGE;
+  if (opts.maxSignatures !== undefined) {
+    if (typeof opts.maxSignatures !== "number" ||
+        !isFinite(opts.maxSignatures) ||
+        opts.maxSignatures < 1 ||
+        opts.maxSignatures > DKIM_MAX_SIGNATURES_PER_MESSAGE_CEILING) {
+      throw new DkimError("dkim/bad-max-signatures",
+        "verify: maxSignatures must be an integer in [1, " +
+        DKIM_MAX_SIGNATURES_PER_MESSAGE_CEILING + "] (got " + opts.maxSignatures + ")");
+    }
+    maxSignatures = Math.floor(opts.maxSignatures);
+  }
   var verifyOpts = { minRsaBits: opts.minRsaBits };
 
   var split = _splitHeadersBody(rfc822);
@@ -867,12 +890,30 @@ async function verify(rfc822, opts) {
   if (sigHeaders.length === 0) {
     return [{ result: "none", errors: ["no DKIM-Signature headers"] }];
   }
-  // RFC 6376 §6.1 — verifier MUST handle multiple signatures but the
-  // RFC sets no count cap. An unbounded count is a CPU-DoS surface
-  // (each sig forces a DNS fetch + cryptographic verify). Cap and
-  // surface the truncation in the result for operator visibility.
+  // When the message carries more signatures than the cap allows,
+  // surface a `policy` verdict before any cryptographic work runs.
+  // The prior `slice(0, maxSignatures)` shape silently truncated; an
+  // operator-visible refusal lets postmasters see DoS attempts in
+  // their authentication-results stream.
   if (sigHeaders.length > maxSignatures) {
-    sigHeaders = sigHeaders.slice(0, maxSignatures);
+    if (auditOn) {
+      try {
+        audit().safeEmit({
+          action:  "dkim.verify.signature_count_cap",
+          outcome: "denied",
+          actor:   null,
+          metadata: {
+            sigCount:      sigHeaders.length,
+            maxSignatures: maxSignatures,
+            severity:      "warning",
+          },
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
+    return [{ result: "policy",
+              errors: ["DKIM-Signature count " + sigHeaders.length +
+                       " exceeds maxSignatures=" + maxSignatures +
+                       " (RFC 6376 §6.1; verifier DoS cap)"] }];
   }
 
   var results = [];

package/lib/mail-server-imap.js

@@ -144,6 +144,51 @@ var pkgVersion = require("../package.json").version;
 var ERR_CLAMP = 200;                                                                                  // allow:raw-byte-literal — protocol-reply error-message clamp
 var LINE_PREVIEW = 80;                                                                                // allow:raw-byte-literal — audit-line preview clamp
 
+// RFC 9051 §6.3.12 + RFC 5322 §3.3 date-time parser for IMAP APPEND.
+// Format: `DD-Mon-YYYY HH:MM:SS ±HHMM` where Mon is the 3-letter
+// English month abbreviation (case-insensitive on parse, but the IMAP
+// spec emits canonical mixed-case `Jan`/`Feb`/...). Returns the
+// millisecond epoch, or null on any parse failure — the caller emits
+// `BAD` rather than silently using `Date.now()`.
+var IMAP_MONTHS = Object.freeze({
+  jan: 0, feb: 1, mar: 2, apr: 3, may: 4, jun: 5,                                                         // allow:raw-byte-literal — month-index table (0-5)
+  jul: 6, aug: 7, sep: 8, oct: 9, nov: 10, dec: 11,                                                       // allow:raw-byte-literal — month-index table (6-11)
+});
+var IMAP_DT_RE = /^\s*(\d{1,2})-([A-Za-z]{3})-(\d{4})\s+(\d{2}):(\d{2}):(\d{2})\s+([+-])(\d{2})(\d{2})\s*$/;
+function _parseImapDateTime(s) {
+  if (typeof s !== "string") return null;
+  var m = s.match(IMAP_DT_RE);                                                                            // allow:regex-no-length-cap — input bounded by IMAP literal cap
+  if (!m) return null;
+  var day = parseInt(m[1], 10);
+  var month = IMAP_MONTHS[m[2].toLowerCase()];
+  if (month === undefined) return null;
+  var year = parseInt(m[3], 10);
+  var hour = parseInt(m[4], 10);
+  var min  = parseInt(m[5], 10);
+  var sec  = parseInt(m[6], 10);
+  var sign = m[7] === "-" ? -1 : 1;
+  var tzH  = parseInt(m[8], 10);
+  var tzM  = parseInt(m[9], 10);
+  if (day < 1 || day > 31 || hour > 23 || min > 59 || sec > 59 || tzH > 23 || tzM > 59) return null;
+  var utcMs = Date.UTC(year, month, day, hour, min, sec);
+  if (!isFinite(utcMs)) return null;
+  // RFC 5322 §3.3 — date-time MUST be a real calendar date. `Date.UTC`
+  // silently normalises impossible inputs (`Feb 31 2026` → `Mar 3 2026`);
+  // round-trip via the calendar fields and refuse any drift so a
+  // hostile client can't smuggle a different internalDate than the
+  // wire suggests.
+  var probe = new Date(utcMs);
+  if (probe.getUTCFullYear() !== year ||
+      probe.getUTCMonth()    !== month ||
+      probe.getUTCDate()     !== day ||
+      probe.getUTCHours()    !== hour ||
+      probe.getUTCMinutes()  !== min ||
+      probe.getUTCSeconds()  !== sec) {
+    return null;
+  }
+  return utcMs - sign * (tzH * C.TIME.hours(1) + tzM * C.TIME.minutes(1));
+}
+
 // Mailbox name validator. RFC 9051 §5.1 — UTF-8 hierarchy. Refuse
 // path-traversal (`..`), NUL, C0 controls, leading/trailing slash,
 // oversize.
@@ -707,15 +752,39 @@ function create(opts) {
 
   function _parseLoginArgs(args) {
     if (typeof args !== "string") return null;
-    // Quoted or atom — simple parser sufficient for happy path.
+    // Quoted or atom — RFC 9051 §5.1 quoted ABNF. Inside a quoted
+    // string `\"` and `\\` are escape sequences for `"` and `\`
+    // respectively; any other `\<chr>` is invalid. The earlier shape
+    // terminated the quoted string at the first `"`, so a hostile
+    // client passing `LOGIN "alice\"@example.com" "pw"` would have
+    // its username truncated at `alice` and the rest of the line
+    // reparsed as the password / literal — wrong identity bound to
+    // the AUTH state.
     var rest = args.trim();
     function _take() {
       if (rest[0] === "\"") {
-        var end = rest.indexOf("\"", 1);
-        if (end === -1) return null;
-        var v = rest.slice(1, end);
-        rest = rest.slice(end + 1).trim();
-        return v;
+        // Walk the quoted-string body, accumulating into `out` while
+        // honoring the `\"` / `\\` escape pairs. A bare `\` followed
+        // by any other character is refused (parse fails → null).
+        var out = "";
+        var i = 1;
+        while (i < rest.length) {
+          var ch = rest.charAt(i);
+          if (ch === "\\") {
+            var esc = rest.charAt(i + 1);
+            if (esc !== "\"" && esc !== "\\") return null;
+            out += esc;
+            i += 2;
+            continue;
+          }
+          if (ch === "\"") {
+            rest = rest.slice(i + 1).trim();
+            return out;
+          }
+          out += ch;
+          i += 1;
+        }
+        return null;   // unterminated quoted string
       }
       var sp = rest.indexOf(" ");
       var v2 = sp === -1 ? rest : rest.slice(0, sp);
@@ -857,6 +926,22 @@ function create(opts) {
     }
     var name = _unquote(match[1]);
     var flags = match[2] ? match[2].split(/\s+/).filter(Boolean) : [];
+    // RFC 9051 §6.3.12 — optional date-time argument sets INTERNALDATE
+    // on the appended message. Earlier shape captured the token but
+    // never threaded it; backends now receive it as `internalDate`
+    // (ms-since-epoch) and the mail-store applies it instead of the
+    // append-time clock. Refused as syntax error when the date-time
+    // can't be parsed (rather than silently using the clock).
+    var dateTimeArg = match[3] ? _unquote(match[3]) : null;
+    var internalDate = null;
+    if (dateTimeArg) {
+      internalDate = _parseImapDateTime(dateTimeArg);
+      if (internalDate === null) {
+        _writeTagged(socket, tag, "BAD APPEND date-time '" + dateTimeArg +
+          "' not in RFC 9051 §6.3.12 / RFC 5322 §3.3 date-time grammar");
+        return;
+      }
+    }
     if (!_validateMailboxName(name, { allowLegacyMUtf7: allowLegacyMUtf7 })) {
       _writeTagged(socket, tag, "BAD Mailbox name refused");
       return;
@@ -891,10 +976,12 @@ function create(opts) {
                 err.limit = q.capBytes;
                 throw err;
               }
-              return mailStore.appendMessage(name, literalBody, { actor: state.actor, flags: flags });
+              return mailStore.appendMessage(name, literalBody, {
+                actor: state.actor, flags: flags, internalDate: internalDate });
             });
         }
-        return mailStore.appendMessage(name, literalBody, { actor: state.actor, flags: flags });
+        return mailStore.appendMessage(name, literalBody, {
+          actor: state.actor, flags: flags, internalDate: internalDate });
       })
       .then(function (info) {
         _emit("mail.server.imap.append",
@@ -947,7 +1034,10 @@ function create(opts) {
 
   function _handleFetch(state, socket, tag, args, useUid) {
     if (!state.selectedMailbox) {
-      _writeTagged(socket, tag, "NO No mailbox selected");
+      // RFC 9051 §6.4.5 — FETCH outside of Selected state is a
+      // protocol-context violation, not a server-policy refusal.
+      // BAD signals the client to fix its dialog rather than retry.
+      _writeTagged(socket, tag, "BAD FETCH only valid in Selected state (RFC 9051 §6.4.5)");
       return;
     }
     if (typeof mailStore.fetchRange !== "function") {
@@ -988,7 +1078,11 @@ function create(opts) {
 
   function _handleStore(state, socket, tag, args, useUid) {
     if (!state.selectedMailbox) {
-      _writeTagged(socket, tag, "NO No mailbox selected");
+      // RFC 9051 §6.4.6 — STORE outside of Selected state is a
+      // protocol-context violation. BAD (not NO) is the correct
+      // response per the IMAP grammar; UID STORE has the same rule
+      // since the verb is just a `UID` prefix on STORE.
+      _writeTagged(socket, tag, "BAD STORE only valid in Selected state (RFC 9051 §6.4.6)");
       return;
     }
     if (state.selectedReadOnly) {

package/lib/mail-server-mx.js

@@ -236,6 +236,13 @@ function create(opts) {
   var localDomains      = (opts.localDomains || []).map(function (d) { return String(d).toLowerCase(); });
   var relayAllowedFor   = opts.relayAllowedFor || [];
   var profile           = opts.profile || "strict";
+  // SMTPUTF8 (RFC 6531) — single switch threaded end-to-end. The MX
+  // listener doesn't advertise SMTPUTF8 to the peer regardless, so
+  // this defaults `false` (refuse non-ASCII bytes in every command
+  // line). Operators that want to accept SMTPUTF8 for downstream
+  // relay flip this `true` and the same switch reaches every
+  // `guardSmtpCommand.validate` call.
+  var allowSmtpUtf8     = opts.allowSmtpUtf8 === true;
 
   // Default-on per-IP rate limit. Operators pass `rateLimit: false` to
   // disable (only for tests / closed networks), pass a rate-limit
@@ -331,6 +338,15 @@ function create(opts) {
     var connectionId = "mxconn-" + bCrypto.generateToken(8);                                          // allow:raw-byte-literal — connection-id length
     connections.add(socket);
 
+    // Backpressure observer — `_writeReply` flips `_bpEmitted` after
+    // the first audit emission per socket to bound the audit volume.
+    socket._bpEmit = function () {
+      _emit("mail.server.mx.write_backpressure",
+        { connectionId: connectionId, remoteAddress: remoteAddress,
+          stage: state && state.stage, bufferedBytes: socket.writableLength || 0 },
+        "warning");
+    };
+
     var state = {
       id:            connectionId,
       remoteAddress: remoteAddress,
@@ -452,7 +468,11 @@ function create(opts) {
       // Per-line guard — refuse bare LF / NUL / C0 / DEL / oversize
       // BEFORE state-machine dispatch.
       try {
-        guardSmtpCommand.validate(line, { profile: profile, maxLineBytes: maxLineBytes });
+        guardSmtpCommand.validate(line, {
+          profile:        profile,
+          maxLineBytes:   maxLineBytes,
+          allowSmtpUtf8:  allowSmtpUtf8,
+        });
       } catch (err) {
         if (err.code === "guard-smtp-command/bare-lf" ||
             err.code === "guard-smtp-command/bare-cr" ||
@@ -633,17 +653,19 @@ function create(opts) {
       }
       var paramStr = match[2] || "";
       var sizeMatch = paramStr.match(RE_SIZE);
+      var declaredSize = null;
       if (sizeMatch) {
-        var declaredSize = parseInt(sizeMatch[1], 10);
+        declaredSize = parseInt(sizeMatch[1], 10);
         if (declaredSize > maxMessageBytes) {
           _writeReply(socket, REPLY_552_SIZE_EXCEEDED,
             "5.3.4 Message size exceeds fixed maximum (" + maxMessageBytes + " bytes)");
           return;
         }
       }
-      state.mailFrom = mailFrom;
-      state.stage    = "rcpt";
-      state.rcpts    = [];
+      state.mailFrom    = mailFrom;
+      state.declaredSize = declaredSize;
+      state.stage       = "rcpt";
+      state.rcpts       = [];
       _emit("mail.server.mx.mail_from",
         { connectionId: state.id, mailFrom: mailFrom });
       _writeReply(socket, REPLY_250_OK, "2.1.0 Sender OK");
@@ -692,6 +714,7 @@ function create(opts) {
         var rcptVerdict = _validateDomainHardened(rcptDomain, "rcpt_to");
         if (!rcptVerdict.ok) {
           rateLimit.noteRcptFailure(state.remoteAddress);
+          _trackRefusedRcpt(state, rcpt, "domain-refused");
           _writeReply(socket, REPLY_501_BAD_ARGS,
             "5.5.4 RCPT TO domain refused (" +
             (rcptVerdict.issues && rcptVerdict.issues[0] && rcptVerdict.issues[0].kind) + ")");
@@ -704,6 +727,7 @@ function create(opts) {
         if (localDomains.indexOf(rcptDomain) === -1 &&
             !_isRelayAllowed(state.remoteAddress, rcpt)) {
           rateLimit.noteRcptFailure(state.remoteAddress);
+          _trackRefusedRcpt(state, rcpt, "relay-denied");
           _emit("mail.server.mx.relay_refused",
             { connectionId: state.id, mailFrom: state.mailFrom, rcptTo: rcpt,
               remoteAddress: state.remoteAddress }, "denied");
@@ -739,9 +763,32 @@ function create(opts) {
       // body is the raw bytes BEFORE dot-stuffing reversal. RFC 5321
       // §4.5.2 — a single leading "." is doubled on the wire; undo.
       var dedotted = safeSmtp.dotUnstuff(body);
+      // RFC 1870 §6.3 — reconcile MAIL FROM SIZE= against the actual
+      // DATA byte count. The pre-DATA reservation at MAIL FROM time
+      // (above) is advisory; the sender's declared size is a HINT,
+      // not a guarantee. If the actual unstuffed body exceeds the
+      // declared SIZE= (with a small slack to absorb header lines the
+      // sender didn't count), refuse with 552 — defends against
+      // senders that probe maxMessageBytes by understating SIZE.
+      if (typeof state.declaredSize === "number" && isFinite(state.declaredSize)) {
+        if (dedotted.length > state.declaredSize) {
+          _emit("mail.server.mx.size_overrun", {
+            connectionId: state.id,
+            mailFrom:     state.mailFrom,
+            declaredSize: state.declaredSize,
+            actualSize:   dedotted.length,
+          }, "denied");
+          _writeReply(socket, REPLY_552_SIZE_EXCEEDED,
+            "5.3.4 Message exceeds declared SIZE=" + state.declaredSize +
+            " bytes (got " + dedotted.length + "; RFC 1870 §6.3)");
+          _resetTransaction(state);
+          return;
+        }
+      }
       // operator-supplied agent handoff — when wired, persist via
       // agent + write the 250 reply. When not wired, accept-and-drop
       // (audit-only mode useful for staging deployments).
+      var refusedSnapshot = Array.isArray(state.refusedRcpts) ? state.refusedRcpts.slice() : [];
       if (opts.agent && typeof opts.agent.handoff === "function") {
         opts.agent.handoff({
           mailFrom: state.mailFrom,
@@ -753,7 +800,8 @@ function create(opts) {
           connectionId: state.id,
         }).then(function (ack) {
           _emit("mail.server.mx.delivered",
-            { connectionId: state.id, messageId: ack && ack.messageId, sizeBytes: dedotted.length });
+            { connectionId: state.id, messageId: ack && ack.messageId,
+              sizeBytes: dedotted.length, refusedRcpts: refusedSnapshot });
           _writeReply(socket, REPLY_250_OK,
             "2.6.0 Message accepted" + (ack && ack.messageId ? " <" + ack.messageId + ">" : ""));
           _resetTransaction(state);
@@ -769,18 +817,32 @@ function create(opts) {
       }
       _emit("mail.server.mx.data_accepted",
         { connectionId: state.id, mailFrom: state.mailFrom, rcptCount: state.rcpts.length,
-          sizeBytes: dedotted.length });
+          sizeBytes: dedotted.length, refusedRcpts: refusedSnapshot });
       _writeReply(socket, REPLY_250_OK, "2.6.0 Message queued (audit-only)");
       _resetTransaction(state);
     }
 
     function _resetTransaction(state) {
-      state.mailFrom = null;
-      state.rcpts    = [];
-      state.stage    = "ehlo";
+      state.mailFrom     = null;
+      state.declaredSize = null;
+      state.rcpts        = [];
+      state.refusedRcpts = [];
+      state.stage        = "ehlo";
       state.messageBytes = 0;
     }
 
+    // Track up to MAX_REFUSED_RCPTS_PER_TXN refused recipients so the
+    // `data_accepted` / `delivered` audit can surface the bounded list
+    // for observability. Bounded to keep the audit metadata size
+    // predictable; the per-IP recipient-failure rate-limit elsewhere
+    // bounds long-run scanner damage.
+    var MAX_REFUSED_RCPTS_PER_TXN = 32;                                                                   // allow:raw-byte-literal — bounded audit-metadata list cap
+    function _trackRefusedRcpt(state, rcpt, reason) {
+      if (!Array.isArray(state.refusedRcpts)) state.refusedRcpts = [];
+      if (state.refusedRcpts.length >= MAX_REFUSED_RCPTS_PER_TXN) return;
+      state.refusedRcpts.push({ rcptTo: rcpt, reason: reason });
+    }
+
     function _requiresStartTls() {
       // Strict / balanced require STARTTLS before MAIL FROM.
       // Permissive accepts plaintext — operator-acknowledged downgrade
@@ -857,10 +919,26 @@ function create(opts) {
 
 // ---- Wire-protocol helpers --------------------------------------------------
 
+// Write back-pressure observability — when `socket.write()` returns
+// false the kernel send-buffer is full and the server is dropping
+// behind the network. Listeners attach a `_bpEmit` function to the
+// socket; we invoke it once per socket-lifetime on the first
+// backpressure event so the audit log surfaces stalled connections
+// without flooding on every reply.
+function _observeBackpressure(socket, ok) {
+  if (ok) return;
+  if (typeof socket._bpEmit !== "function") return;
+  if (socket._bpEmitted) return;
+  socket._bpEmitted = true;
+  try { socket._bpEmit(socket); } catch (_e) { /* drop-silent */ }
+}
+
 function _writeReply(socket, code, text) {
   // Single-line reply per RFC 5321 §4.2 — code SP text CRLF.
-  try { socket.write(code + " " + text + "\r\n"); }
-  catch (_e) { /* socket already closed */ }
+  try {
+    var ok = socket.write(code + " " + text + "\r\n");
+    _observeBackpressure(socket, ok);
+  } catch (_e) { /* socket already closed */ }
 }
 
 function _writeMultiline(socket, code, lines) {
@@ -868,8 +946,10 @@ function _writeMultiline(socket, code, lines) {
   // continuation, code SP text CRLF for the final line.
   for (var i = 0; i < lines.length; i += 1) {
     var sep = i === lines.length - 1 ? " " : "-";
-    try { socket.write(code + sep + lines[i] + "\r\n"); }
-    catch (_e) { /* socket already closed */ }
+    try {
+      var ok = socket.write(code + sep + lines[i] + "\r\n");
+      _observeBackpressure(socket, ok);
+    } catch (_e) { /* socket already closed */ }
   }
 }
 

package/lib/mail-server-submission.js

@@ -153,6 +153,69 @@ var RE_RCPT_TO   = /^RCPT\s+TO:\s*<([^>]+)>(?:\s+.*)?$/i;
 var RE_SIZE      = /SIZE=(\d+)/i;
 var RE_AUTH      = /^AUTH\s+([A-Za-z0-9_-]{1,32})(?:\s+(.*))?$/i;
 
+// Header/body boundary scanner. RFC 5322 §2.1 — header section ends
+// at the first empty line (CRLF CRLF). `Buffer#indexOf` runs a
+// SIMD-accelerated needle scan over the haystack without an
+// interpreter-level char-by-char walk, and the 4-byte literal
+// `_CRLF_CRLF` is a module-level singleton so the JIT folds it.
+var _CRLF_CRLF = Buffer.from([0x0d, 0x0a, 0x0d, 0x0a]);                                                 // allow:raw-byte-literal — RFC 5322 §2.1 header/body separator
+function _findHeaderEnd(buf) {
+  return buf.indexOf(_CRLF_CRLF);
+}
+
+// Walk a header block and return every unfolded `DKIM-Signature:`
+// value. RFC 5322 §2.2.3 / RFC 6376 §3.5 — DKIM signatures are
+// permitted to fold and a message MAY carry multiple signatures.
+function _extractDkimSignatures(headerBlock) {
+  var lines = headerBlock.replace(/\r\n/g, "\n").split("\n");                                           // allow:regex-no-length-cap — headerBlock length bounded by maxMessageBytes
+  var result = [];
+  var current = null;
+  for (var i = 0; i < lines.length; i += 1) {
+    var line = lines[i];
+    if (line.length === 0) break;   // end of header block
+    if (line.charAt(0) === " " || line.charAt(0) === "\t") {
+      if (current !== null) current += " " + line.replace(/^[ \t]+/, "");                                // allow:regex-no-length-cap — line length bounded by maxLineBytes // allow:duplicate-regex — RFC 5322 header continuation trim
+      continue;
+    }
+    if (current !== null) {
+      result.push(current);
+      current = null;
+    }
+    if (/^DKIM-Signature\s*:/i.test(line)) {                                                            // allow:regex-no-length-cap — line length bounded by maxLineBytes
+      current = line.slice(line.indexOf(":") + 1).replace(/^\s+/, "");                                  // allow:regex-no-length-cap — line length bounded by maxLineBytes // allow:duplicate-regex — leading-WS trim
+    }
+  }
+  if (current !== null) result.push(current);
+  return result;
+}
+
+// Pull the `d=` (signing domain) tag out of a DKIM-Signature value.
+// RFC 6376 §3.5 — tag-list `tag=value` separated by `;`. Returns
+// null if not present.
+function _extractDkimDTag(sigValue) {
+  var tags = sigValue.split(";");
+  for (var i = 0; i < tags.length; i += 1) {
+    var t = tags[i].replace(/^\s+|\s+$/g, "");                                                          // allow:regex-no-length-cap — tag length bounded by header line cap // allow:duplicate-regex — trim shape
+    if (t.length > 2 && t.charAt(0) === "d" && t.charAt(1) === "=") {
+      return t.slice(2).replace(/\s+/g, "");                                                            // allow:regex-no-length-cap — value length bounded by tag length // allow:duplicate-regex — internal-WS strip
+    }
+  }
+  return null;
+}
+
+// Domain part of the authenticated identity, falling back to the
+// envelope-sender domain when the actor doesn't carry one.
+function _actorDomain(actor, mailFrom) {
+  if (actor && typeof actor.domain === "string" && actor.domain.length > 0) return actor.domain;
+  if (actor && typeof actor.id === "string" && actor.id.indexOf("@") !== -1) {
+    return actor.id.slice(actor.id.lastIndexOf("@") + 1);
+  }
+  if (typeof mailFrom === "string" && mailFrom.indexOf("@") !== -1) {
+    return mailFrom.slice(mailFrom.lastIndexOf("@") + 1);
+  }
+  return null;
+}
+
 /**
  * @primitive b.mail.server.submission.create
  * @signature b.mail.server.submission.create(opts)
@@ -208,6 +271,30 @@ function create(opts) {
     "mail.server.submission.", MailServerSubmissionError, "mail-server-submission/bad-bound");
 
   var profile = opts.profile || "strict";
+  // SMTPUTF8 (RFC 6531) — single switch threaded end-to-end into
+  // `guardSmtpCommand.validate`. Defaults `false`; submission
+  // operators that accept EAI envelopes flip this `true`.
+  var allowSmtpUtf8 = opts.allowSmtpUtf8 === true;
+
+  // Outbound DKIM-required gate (Yahoo / Google 2024 bulk-sender
+  // alignment + RFC 6376 §1). Under `strict` profile the listener
+  // refuses outbound DATA that doesn't carry at least one
+  // `DKIM-Signature:` header; `dkimRequireMode` chooses whether the
+  // signer must match the authenticated identity's domain (`self`)
+  // or just be present (`any`). Operators that act as a smarthost
+  // relay for downstream MTAs that DKIM-sign themselves want `any`;
+  // primary senders want `self`. Default-off outside strict so
+  // unauthenticated `permissive` profiles don't break.
+  var requireDkim = opts.requireDkim === undefined
+    ? (profile === "strict")
+    : opts.requireDkim === true;
+  var dkimRequireMode = opts.dkimRequireMode || "any";
+  if (dkimRequireMode !== "self" && dkimRequireMode !== "any" && dkimRequireMode !== "off") {
+    throw new MailServerSubmissionError("mail-server-submission/bad-dkim-require-mode",
+      "mail.server.submission.create: dkimRequireMode must be 'self', 'any', or 'off' (got '" +
+      dkimRequireMode + "')");
+  }
+  if (dkimRequireMode === "off") requireDkim = false;
 
   if (profile !== "permissive" && !opts.auth) {
     throw new MailServerSubmissionError("mail-server-submission/no-auth",
@@ -424,7 +511,11 @@ function create(opts) {
 
       // guardSmtpCommand check (smuggling + shape).
       try {
-        guardSmtpCommand.validate(line, { profile: profile, maxLineBytes: maxLineBytes });
+        guardSmtpCommand.validate(line, {
+          profile:        profile,
+          maxLineBytes:   maxLineBytes,
+          allowSmtpUtf8:  allowSmtpUtf8,
+        });
       } catch (err) {
         if (err.code === "guard-smtp-command/bare-lf" ||
             err.code === "guard-smtp-command/bare-cr" ||
@@ -911,6 +1002,49 @@ function create(opts) {
 
     function _finalizeDataBody(state, socket, body) {
       var dedotted = safeSmtp.dotUnstuff(body);
+
+      // Outbound DKIM-required gate. Scan the header block for a
+      // `DKIM-Signature:` line; under `self` mode also require at
+      // least one signature whose `d=` tag matches the authenticated
+      // identity's domain part.
+      if (requireDkim) {
+        var headerEnd = _findHeaderEnd(dedotted);
+        var headerBlock = headerEnd === -1
+          ? dedotted.toString("utf8")
+          : dedotted.subarray(0, headerEnd).toString("utf8");
+        var dkimSigs = _extractDkimSignatures(headerBlock);
+        var dkimOk = false;
+        if (dkimSigs.length > 0) {
+          if (dkimRequireMode === "any") {
+            dkimOk = true;
+          } else if (dkimRequireMode === "self") {
+            var actorDomain = _actorDomain(state.actor, state.mailFrom);
+            for (var i = 0; i < dkimSigs.length; i += 1) {
+              var d = _extractDkimDTag(dkimSigs[i]);
+              if (d && actorDomain && d.toLowerCase() === actorDomain.toLowerCase()) {
+                dkimOk = true;
+                break;
+              }
+            }
+          }
+        }
+        if (!dkimOk) {
+          _emit("mail.server.submission.data_refused", {
+            connectionId:    state.id,
+            reason:          "dkim-required",
+            dkimRequireMode: dkimRequireMode,
+            mailFrom:        state.mailFrom,
+            sigCount:        dkimSigs.length,
+            actor:           state.actor && state.actor.id,
+          }, "denied");
+          _writeReply(socket, REPLY_550_MAILBOX_UNAVAIL,
+            "5.7.20 DKIM-Signature required on outbound submission " +
+            "(dkimRequireMode='" + dkimRequireMode + "'; RFC 6376; bulk-sender 2024)");
+          _resetTransaction(state);
+          return;
+        }
+      }
+
       if (opts.agent && typeof opts.agent.handoff === "function") {
         opts.agent.handoff({
           mailFrom: state.mailFrom,

package/lib/mail-store.js

@@ -368,7 +368,12 @@ function _appendMessage(args) {
   });
 
   // Allocate objectid + modseq atomically.
-  var objectid = "obj_" + bCrypto.generateToken(16).slice(0, 24);                                  // allow:raw-byte-literal — 16-byte token, 24-char hex prefix as JMAP objectid (RFC 8474)
+  // RFC 8474 §1.5.1: objectid SHOULD be sufficiently long to make
+  // collision improbable across the lifetime of the account. 16-byte
+  // token = 32-char hex = 128 bits, well above the birthday bound
+  // for any plausible message corpus. The prior `.slice(0, 24)` cut
+  // entropy to 96 bits; removed.
+  var objectid = "obj_" + bCrypto.generateToken(16);                                                // allow:raw-byte-literal — 16-byte token, 32-char hex JMAP objectid (RFC 8474 §1.5.1)
   var modseq = (folder.modseq_max || 0) + 1;
   if (!threadRootId) threadRootId = objectid;   // root of new thread
 

package/lib/network-dns-resolver.js

@@ -106,7 +106,6 @@
 
 var C                  = require("./constants");
 var https              = require("node:https");
-var nodeCrypto         = require("node:crypto");
 var bCrypto            = require("./crypto");
 var { defineClass }    = require("./framework-error");
 var networkDns         = require("./network-dns");
@@ -499,7 +498,7 @@ function _encodeWireQuery(name, qtype) {
   var nameLen = 1;
   for (var i = 0; i < parts.length; i += 1) nameLen += 1 + Buffer.byteLength(parts[i], "ascii");
   var buf = Buffer.alloc(12 + nameLen + 4);                                                              // allow:raw-byte-literal — RFC 1035 §4.1.1 header (12) + question tail (4) + name
-  var id = nodeCrypto.randomInt(0, 0x10000);
+  var id = bCrypto.randomInt(0, 0x10000);                                                              // allow:raw-byte-literal — RFC 1035 §4.1.1 16-bit query ID space
   buf.writeUInt16BE(id, 0);
   buf.writeUInt16BE(0x0100, 2);                                                                          // allow:raw-byte-literal — RFC 1035 §4.1.1 RD=1 flags
   buf.writeUInt16BE(1, 4);                                                                               // allow:raw-byte-literal — RFC 1035 §4.1.1 qdcount

package/lib/network-dns.js

@@ -2,7 +2,6 @@
 
 var dns = require("node:dns");
 var net = require("node:net");
-var nodeCrypto = require("node:crypto");
 var https = require("node:https");
 var nodeTls = require("node:tls");
 var dnsPromises = dns.promises;
@@ -274,9 +273,10 @@ function _encodeDnsQuery(host, qtype) {
   for (var i = 0; i < parts.length; i++) nameLen += 1 + Buffer.byteLength(parts[i], "ascii");
   var buf = Buffer.alloc(12 + nameLen + 4);
   // Cryptographic RNG for the 16-bit DNS query ID — frustrates poisoning
-  // attempts that guess the transaction ID. Math.random would be technically
-  // acceptable (id is non-secret) but we prefer the framework's RNG path.
-  var id = nodeCrypto.randomInt(0, 0x10000);
+  // attempts that guess the transaction ID. Routes through `b.crypto.randomInt`
+  // (which wraps nodeCrypto.randomInt) so every framework random-int draw
+  // is greppable through one substrate.
+  var id = bCrypto.randomInt(0, 0x10000);
   buf.writeUInt16BE(id, 0);
   buf.writeUInt16BE(0x0100, 2);
   buf.writeUInt16BE(1, 4);

package/lib/safe-mime.js

@@ -53,7 +53,15 @@ var DEFAULT_MAX_PARTS         = 64;                          // allow:raw-byte-l
 var DEFAULT_MAX_NESTING_DEPTH = 16;
 var DEFAULT_MAX_BOUNDARY      = 70;                          // RFC 2046 §5.1.1
 var DEFAULT_MAX_HEADER_BYTES  = C.BYTES.kib(64);
-var DEFAULT_MAX_HEADER_LINE   = 998;                         // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap
+// RFC 5322 §2.1.1 line cap. The spec defines TWO limits: a SHOULD of
+// 78 bytes (the readability target) and a MUST of 998 bytes (the
+// hard ceiling). The 78-byte SHOULD is intentionally NOT enforced
+// here — modern senders routinely emit header lines longer than 78
+// bytes (long URLs in List-Unsubscribe, EAI display names) and a
+// strict 78-byte refusal would reject legitimate mail. We enforce
+// only the 998-byte MUST. Future drift attempting to "fix" this to
+// 78 would be a regression and should fail the audit gate.
+var DEFAULT_MAX_HEADER_LINE   = 998;                         // allow:raw-byte-literal — RFC 5322 §2.1.1 MUST (998); the SHOULD (78) is by design not enforced
 // Per-message header-count cap. RFC 5322 places no upper bound on
 // the number of headers in a message; without one, a sender can pack
 // tens of thousands of one-byte headers into the maxHeaderBytes budget
@@ -77,8 +85,15 @@ var DEFAULT_CHARSETS = Object.freeze([
   "euc-kr", "euc-jp",
 ]);
 
+// RFC 3030 §3 — `binary` CTE on receive REQUIRES the receiving MTA
+// to have advertised BINARYMIME during ESMTP negotiation. Inbound
+// flows without explicit BINARYMIME wiring must refuse `binary`
+// because consumers downstream (DKIM canonicalization, message
+// rewriting) assume CRLF line structure that `binary` doesn't
+// guarantee. Operators that wire BINARYMIME end-to-end opt back in
+// via `transferEncodingAllowlist: ["7bit", ..., "binary"]`.
 var DEFAULT_TRANSFER_ENCODINGS = Object.freeze([
-  "7bit", "8bit", "binary", "quoted-printable", "base64",
+  "7bit", "8bit", "quoted-printable", "base64",
 ]);
 
 /**
@@ -453,12 +468,18 @@ function _parseHeaders(buf, ctx) {
     // Refuse NUL, CR, LF, and other C0 control chars in header values.
     // Tab (0x09) is allowed (header folding). C1 control range
     // (0x80-0x9F) NOT refused — legitimate non-ASCII via EAI/RFC 2047
-    // decoded-words can produce bytes in that range.
+    // decoded-words can produce bytes in that range. Error metadata
+    // surfaces the BYTE offset (via `Buffer.byteLength` on the JS
+    // string prefix) rather than the UTF-16 code-unit index, so the
+    // operator audit log lines up with the wire-level byte stream
+    // they're inspecting.
     for (var hci = 0; hci < value.length; hci += 1) {
       var hcc = value.charCodeAt(hci);
       if ((hcc < 0x20 && hcc !== 0x09) || hcc === 0x7F) {                                          // allow:raw-byte-literal — C0 control char + DEL refusal
+        var byteOffset = Buffer.byteLength(value.slice(0, hci), "utf8");
         throw new SafeMimeError("safe-mime/control-char-in-header",
-          "safeMime.parse: header '" + name + "' contains control char 0x" + hcc.toString(16));
+          "safeMime.parse: header '" + name + "' contains control char 0x" +
+          hcc.toString(16) + " at byte offset " + byteOffset);                                            // allow:raw-byte-literal — toString radix 16 hex, not bytes
       }
     }
     value = _decodeRfc2047Words(value);
@@ -673,9 +694,35 @@ function _decodeBufferAs(buf, charset) {
   if (c === "us-ascii" || c === "ascii") return buf.toString("ascii");
   if (c === "iso-8859-1" || c === "latin1") return buf.toString("latin1");
   if (c === "utf-16le") return buf.toString("utf16le");
+  if (c === "utf-16be") return _decodeUtf16BE(buf);
+  if (c === "utf-16") {
+    // RFC 2781 §3.3 — `utf-16` with a leading BOM (FE FF = BE, FF FE
+    // = LE). When no BOM is present the spec defaults to BE; Node
+    // doesn't speak BE natively so we transcode either way.
+    if (buf.length >= 2 && buf[0] === 0xff && buf[1] === 0xfe) {
+      return buf.subarray(2).toString("utf16le");
+    }
+    if (buf.length >= 2 && buf[0] === 0xfe && buf[1] === 0xff) {
+      return _decodeUtf16BE(buf.subarray(2));
+    }
+    return _decodeUtf16BE(buf);   // RFC 2781 §3.3 BE default with no BOM
+  }
   return buf.toString("utf8");
 }
 
+// utf-16be → utf-16le swap (Node has no direct utf-16be decoder).
+// Byte-pair endian flip into a temporary buffer, then decode as
+// utf-16le. Allocates a single buffer (no per-character churn).
+function _decodeUtf16BE(buf) {
+  var n = buf.length & ~1;                                                                                // allow:raw-byte-literal — pair alignment mask
+  var swapped = Buffer.alloc(n);
+  for (var i = 0; i < n; i += 2) {
+    swapped[i]     = buf[i + 1];
+    swapped[i + 1] = buf[i];
+  }
+  return swapped.toString("utf16le");
+}
+
 function _materializeText(part) {
   return {
     contentType: part.leaf.contentType,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.10.6",
+  "version": "0.10.7",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:eeaab12e-3641-448e-8bad-29a2842f802b",
+  "serialNumber": "urn:uuid:62b21ffc-fcde-4782-a950-d9b2db933f5c",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-17T18:41:38.896Z",
+    "timestamp": "2026-05-17T20:52:27.570Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.10.6",
+      "bom-ref": "@blamejs/core@0.10.7",
       "type": "library",
       "name": "blamejs",
-      "version": "0.10.6",
+      "version": "0.10.7",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.10.6",
+      "purl": "pkg:npm/%40blamejs/core@0.10.7",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.10.6",
+      "ref": "@blamejs/core@0.10.7",
       "dependsOn": []
     }
   ]