@blamejs/core 0.10.6 → 0.10.8

package/lib/external-db.js

@@ -36,6 +36,7 @@
  *   External-database integration for app data — Postgres / MySQL / SQLite / MongoDB connection pooling, retry, circuit breaker, classification routing, residency enforcement, and audit hooks.
  */
 var retryHelper = require("./retry");
+var bCrypto = require("./crypto");
 var C = require("./constants");
 var dbRoleContext = require("./db-role-context");
 var externalDbMigrate = require("./external-db-migrate");
@@ -754,8 +755,7 @@ async function transaction(fn, opts) {
           if (isTransient && attempt <= maxRetries) {
             _emitMetric("externaldb.transaction.retry", 1,
               { backend: b.name, code: txErr.code, attempt: String(attempt) });
-            var nodeCrypto = require("node:crypto");
-            var jitter = nodeCrypto.randomInt(0, 6);                          // allow:raw-byte-literal — 0-5ms jitter
+            var jitter = bCrypto.randomInt(0, 6);                                // allow:raw-byte-literal — 0-5ms jitter
             await safeAsync.sleep(attempt * 5 + jitter);                           // allow:raw-time-literal — sub-second backoff
             continue;
           }

package/lib/guard-dsn.js

@@ -279,12 +279,15 @@ function compliancePosture(posture) {
 }
 
 function _splitBlocks(text) {
-  // RFC 3464 §2.1: blank line separates per-message from
-  // per-recipient blocks; blank lines also separate consecutive
-  // per-recipient blocks.
-  // Normalize CRLF + bare-CR to LF for split.
+  // RFC 3464 §2.1.1: block separator is `CRLF CRLF` only — a "blank
+  // line" in message-syntax terms. `\n\s*\n` admits `\v` / `\f` /
+  // mixed whitespace which a hostile sender can use to bend the
+  // block boundary (folded fields drift between per-message and
+  // per-recipient blocks). Normalize CR(LF)? → LF, then split on
+  // strict `\n\n` (an LF, an empty line, an LF) — anything else is
+  // either intra-block CFWS or an intra-field continuation.
   var normalized = text.replace(/\r\n/g, "\n").replace(/\r/g, "\n");                                    // allow:regex-no-length-cap — input length already capped
-  return normalized.split(/\n\s*\n/);                                                                    // allow:regex-no-length-cap — input length already capped
+  return normalized.split("\n\n");
 }
 
 function _parseFieldBlock(block, maxHeaderLine) {

package/lib/guard-list-id.js

@@ -224,22 +224,26 @@ function validate(headerValue, opts) {
   }
   // RFC 2919 §2 requires AT LEAST one `.` (label + namespace);
   // strict/balanced ALSO require the namespace to be a FQDN, which
-  // means a minimum of 3 labels total (label + ns-label + ns-tld)
-  // OR a 2-label list-id where the namespace is `localhost`.
+  // means a minimum of 3 labels total (label + ns-label + ns-tld) OR
+  // a 2-label list-id where the namespace ends in a reserved-local
+  // TLD: `localhost` (RFC 6761 §6.3), `local` (RFC 6762 mDNS), or
+  // `lan` (IETF draft-chapin-rfc2606bis). All three are non-routable
+  // single-network labels and the FQDN floor doesn't apply.
+  var lastLabel = parts[parts.length - 1].toLowerCase();
+  var isLocalScopeTld = lastLabel === "localhost" || lastLabel === "local" || lastLabel === "lan";
   if (caps.requireFqdn) {
-    var lastLabel = parts[parts.length - 1].toLowerCase();
-    if (parts.length < 3 && lastLabel !== "localhost") {                                                 // allow:raw-byte-literal — FQDN requires ≥ 3 labels for non-localhost
-      return _refuse("list-id has < 3 labels for non-localhost namespace (FQDN required under '" +
+    if (parts.length < 3 && !isLocalScopeTld) {                                                          // allow:raw-byte-literal — FQDN requires ≥ 3 labels for non-local-scope namespace
+      return _refuse("list-id has < 3 labels for non-local-scope namespace (FQDN required under '" +
         (opts.profile || DEFAULT_PROFILE) + "')");
     }
   }
 
-  // RFC 2919 §3: `localhost` namespace SHOULD carry 32-hex
-  // randomness in the label.
-  var isLocalhost = parts[parts.length - 1].toLowerCase() === "localhost";
-  if (isLocalhost) {
+  // RFC 2919 §3: `localhost`-class namespaces SHOULD carry 32-hex
+  // randomness in the label so cross-host listserv operators can't
+  // collide. Applies to all three reserved-local TLDs.
+  if (isLocalScopeTld) {
     if (caps.requireRandomForLocalhost && !RANDOM_HEX_RE.test(listId)) {                                 // allow:regex-no-length-cap — listId length-bounded above
-      return _refuse("localhost namespace requires 32-hex random component per RFC 2919 §3 SHOULD");
+      return _refuse("local-scope namespace requires 32-hex random component per RFC 2919 §3 SHOULD");
     }
   }
 

package/lib/guard-list-unsubscribe.js

@@ -134,6 +134,59 @@ var DANGEROUS_SCHEMES = Object.freeze({
   "blob:":       true,
 });
 
+// IP-literal + reserved-hostname refusal for HTTPS one-click URIs.
+// One-click receivers POST to the URI without further operator gate;
+// an attacker-supplied List-Unsubscribe URI pointing at `127.0.0.1`
+// / `169.254.169.254` (cloud metadata) / `[::1]` / `localhost` lets
+// the mailbox provider's auto-fetcher target the operator's own
+// infrastructure — classic SSRF. The check is wholly host-name-shape
+// based (no DNS resolution); DNS-rebinding defense is left to the
+// fetcher (which should pin the IP across resolution + request).
+var IPV4_LITERAL_RE = /^\d+\.\d+\.\d+\.\d+$/;                                                            // allow:regex-no-length-cap — anchored shape, hostname length bounded by URL parser
+var IPV6_LITERAL_RE = /^\[[0-9A-Fa-f:.]+\]$/;                                                            // allow:regex-no-length-cap — anchored shape, hostname length bounded by URL parser
+var RESERVED_LOCAL_HOSTS = Object.freeze({
+  "localhost":          true,
+  "localhost.localdomain": true,
+  "ip6-localhost":      true,
+  "ip6-loopback":       true,
+});
+
+function _isRefusedAutoFetchHost(hostname, allowedHosts) {
+  if (typeof hostname !== "string" || hostname.length === 0) return "missing-host";
+  // Normalize the trailing root-zone dot BEFORE comparison — RFC 1034
+  // §3.1: `foo.` is the absolute form of `foo` (both resolve to the
+  // same target). A naive byte-equality check against `localhost`
+  // would let an attacker bypass the gate by appending the dot. Same
+  // for any reserved-local suffix family. Multiple trailing dots are
+  // not valid DNS but we strip them anyway to keep the gate robust
+  // against any URL parser that leaves them in `hostname`.
+  var lower = hostname.toLowerCase();
+  while (lower.length > 0 && lower.charAt(lower.length - 1) === ".") {
+    lower = lower.slice(0, -1);
+  }
+  if (lower.length === 0) return "missing-host";
+  if (IPV4_LITERAL_RE.test(lower) || IPV6_LITERAL_RE.test(lower)) return "ip-literal";
+  if (RESERVED_LOCAL_HOSTS[lower]) return "reserved-local-host";
+  // Hostname suffix refusal — RFC 6761 reserved / mDNS / single-network.
+  if (lower === "local" || lower.endsWith(".local")) return "reserved-local-suffix";
+  if (lower === "lan" || lower.endsWith(".lan")) return "reserved-local-suffix";
+  if (lower === "internal" || lower.endsWith(".internal")) return "reserved-local-suffix";
+  // Optional operator allowlist — when supplied, hostname (or any
+  // ancestor domain) MUST be present.
+  if (Array.isArray(allowedHosts) && allowedHosts.length > 0) {
+    var matched = false;
+    for (var i = 0; i < allowedHosts.length; i += 1) {
+      var allowed = String(allowedHosts[i]).toLowerCase();
+      if (lower === allowed || lower.endsWith("." + allowed)) {
+        matched = true;
+        break;
+      }
+    }
+    if (!matched) return "not-on-allowlist";
+  }
+  return null;
+}
+
 /**
  * @primitive b.guardListUnsubscribe.validate
  * @signature b.guardListUnsubscribe.validate(headers, opts?)
@@ -225,12 +278,25 @@ function validate(headers, opts) {
         { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });
     }
     if (scheme === "https:") {
+      var parsed;
       try {
-        safeUrl.parse(u, { allowedProtocols: safeUrl.ALLOW_HTTPS });
+        parsed = safeUrl.parse(u, { allowedProtocols: safeUrl.ALLOW_HTTPS });
       } catch (e) {
         return _verdict("refuse", "HTTPS URI '" + _trunc(u) + "' failed safeUrl parse: " + (e && e.message || String(e)),
           { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });
       }
+      // SSRF defense — refuse IP-literal hosts, loopback names,
+      // reserved-local TLDs, and (when operator supplied
+      // `allowedHosts`) anything outside the allowlist. The mailbox
+      // provider's auto-fetcher POSTs without our involvement; the
+      // header is the only place this can be stopped.
+      var refusedHostReason = _isRefusedAutoFetchHost(parsed.hostname, opts.allowedHosts);
+      if (refusedHostReason) {
+        return _verdict("refuse",
+          "HTTPS URI '" + _trunc(u) + "' host '" + parsed.hostname +
+          "' refused (" + refusedHostReason + "; auto-fetch SSRF defense)",
+          { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: false });
+      }
       hasHttpsUri = true;
     } else if (scheme === "mailto:") {
       hasMailtoUri = true;

package/lib/guard-message-id.js

@@ -74,6 +74,13 @@ var COMPLIANCE_POSTURES = Object.freeze({
 // CVE-2021-42574 RTLO class in mail header context).
 var BIDI_RE = /[؜‎‏‪-‮⁦-⁩]/;
 
+// RFC 5322 §3.2.3 dot-atom-text — used at strict profile to validate
+// the id-left and id-right shape inside the bracketed Message-Id.
+// `atext` = ALPHA / DIGIT / "!#$%&'*+-/=?^_`{|}~"; `dot-atom-text` is
+// 1*atext *("." 1*atext). Length-bounded by the maxBytes cap above so
+// the regex CPU is amortised; pattern is single-pass linear.
+var DOT_ATOM_TEXT_RE = /^[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+(?:\.[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+)*$/;
+
 /**
  * @primitive b.guardMessageId.validate
  * @signature b.guardMessageId.validate(value, opts?)
@@ -154,6 +161,25 @@ function validate(value, opts) {
       throw new GuardMessageIdError("message-id/nested-brackets",
         "guardMessageId.validate: nested angle brackets refused");
     }
+    // RFC 5322 §3.6.4: id-left and id-right MUST conform to
+    // dot-atom-text shape (§3.2.3). A second `@` inside id-left or
+    // id-right falls out of dot-atom-text and is refused here. The
+    // last `@` is the local/domain separator — `lastIndexOf` rather
+    // than `indexOf` handles `a@b@c` correctly: id-left would be
+    // `a@b` which fails dot-atom-text on the `@` character.
+    var atLast = inner.lastIndexOf("@");
+    var idLeft = inner.slice(0, atLast);
+    var idRight = inner.slice(atLast + 1);
+    if (!DOT_ATOM_TEXT_RE.test(idLeft)) {                                                            // allow:regex-no-length-cap — idLeft length-bounded by maxBytes above
+      throw new GuardMessageIdError("message-id/id-left-shape",
+        "guardMessageId.validate: id-left '" + idLeft +
+        "' not dot-atom-text shape (RFC 5322 §3.2.3 / §3.6.4)");
+    }
+    if (!DOT_ATOM_TEXT_RE.test(idRight)) {                                                           // allow:regex-no-length-cap — idRight length-bounded by maxBytes above
+      throw new GuardMessageIdError("message-id/id-right-shape",
+        "guardMessageId.validate: id-right '" + idRight +
+        "' not dot-atom-text shape (RFC 5322 §3.2.3 / §3.6.4)");
+    }
   }
 
   return value;

package/lib/mail-arc-sign.js

@@ -128,10 +128,19 @@ function _bodyHashB64(body, algorithm) {
   return nodeCrypto.createHash(hashAlgo).update(canonical).digest("base64");
 }
 
+// RFC 8617 §5 — ARC chains MUST NOT exceed 50 hops. The verifier
+// caps in `mail-auth.js` (`ARC_MAX_HOPS`); the signer's prior-hop
+// extractor needs the same ceiling so a message arriving with a
+// hostile chain (51+ instances) doesn't expand the per-hop walk to
+// unbounded work before the signer's own validation catches up.
+var ARC_MAX_HOPS_FOR_EXTRACT = 50;                                                      // allow:raw-byte-literal — RFC 8617 §5 chain bound
+
 function _arcExtractPriorHops(parsedHeaders) {
   // Walk parsedHeaders; for each ARC-Authentication-Results /
   // ARC-Message-Signature / ARC-Seal entry, extract instance via i=N
-  // and group by hop.
+  // and group by hop. The `i=` value is bounded against the RFC's
+  // 50-hop ceiling before being used as a map key, so an attacker-
+  // chosen `i=999999` can't allocate a sparse map.
   var hopMap = {};
   for (var i = 0; i < parsedHeaders.length; i += 1) {
     var h = parsedHeaders[i];
@@ -142,11 +151,22 @@ function _arcExtractPriorHops(parsedHeaders) {
     var iMatch = h.value.match(/(?:^|[;,\s])i=(\d+)/);                                  // allow:regex-no-length-cap — ARC header bounded by RFC 5322 §2.1.1
     if (!iMatch) continue;
     var instance = parseInt(iMatch[1], 10);
+    if (!isFinite(instance) || instance < 1 || instance > ARC_MAX_HOPS_FOR_EXTRACT) {
+      // Out-of-spec instance number — refuse to consider it. Upstream
+      // `sign` will see `priorHops.length !== opts.instance - 1` and
+      // refuse the message.
+      continue;
+    }
     if (!hopMap[instance]) hopMap[instance] = { instance: instance };
     hopMap[instance][lcName] = h.value;
   }
   var hops = [];
   var keys = Object.keys(hopMap).sort(function (a, b) { return Number(a) - Number(b); });
+  if (keys.length > ARC_MAX_HOPS_FOR_EXTRACT) {
+    throw new MailAuthError("arc-sign/chain-too-long",
+      "_arcExtractPriorHops: chain has " + keys.length +
+      " hops, exceeds RFC 8617 §5 ceiling of " + ARC_MAX_HOPS_FOR_EXTRACT);
+  }
   for (var k = 0; k < keys.length; k += 1) hops.push(hopMap[keys[k]]);
   return hops;
 }

package/lib/mail-auth.js

@@ -37,6 +37,7 @@ var net = require("node:net");
 var nodeCrypto = require("node:crypto");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
+var bCrypto = require("./crypto");
 var C = require("./constants");
 var dkim = require("./mail-dkim");
 var safeXml = require("./parsers/safe-xml");
@@ -722,7 +723,7 @@ async function dmarcEvaluate(opts) {
     var u32 = (hash[0] << 24 >>> 0) + (hash[1] << 16) + (hash[2] << 8) + hash[3];               // allow:raw-byte-literal — uint32 bit assembly
     sampleRoll = u32 % 100;                                                                     // allow:raw-byte-literal — pct sample roll
   } else {
-    sampleRoll = nodeCrypto.randomInt(0, 100);                                                  // allow:raw-byte-literal — pct sample roll
+    sampleRoll = bCrypto.randomInt(0, 100);                                                     // allow:raw-byte-literal — pct sample roll
   }
   var sampled = !pass && pct < 100 && sampleRoll >= pct;
   var recommendedAction = pass ? "deliver" :

package/lib/mail-dkim.js

@@ -525,6 +525,11 @@ var DKIM_KEY_CACHE_MAX_ENTRIES = 1024;
 // receivers cap at 5–8. Operators that legitimately accept more
 // override via verify({ maxSignatures }).
 var DKIM_MAX_SIGNATURES_PER_MESSAGE = 8;                                         // allow:raw-byte-literal — receiver-fan-out DoS bound
+// Operator-supplied `maxSignatures` opt is range-checked against this
+// ceiling. RFC 6376 §6.1 sets no upper bound; 16 is generous headroom
+// for legitimate relay chains with hop signatures while keeping the
+// verify-fan-out within a CPU-DoS envelope.
+var DKIM_MAX_SIGNATURES_PER_MESSAGE_CEILING = 16;                                // allow:raw-byte-literal — operator-opt range ceiling
 
 function _cacheGet(qname) {
   var ent = DKIM_KEY_CACHE.get(qname);
@@ -836,6 +841,7 @@ async function verify(rfc822, opts) {
   opts = opts || {};
   validateOpts(opts, ["dnsLookup", "audit", "clockSkewMs", "maxSignatures",
                        "minRsaBits"], "mail.dkim.verify");
+  var auditOn = opts.audit !== false;
 
   // Bounded clock skew: refuse non-numeric / negative / infinite /
   // beyond-ceiling. Throwing on bad config-time input per the
@@ -855,10 +861,27 @@ async function verify(rfc822, opts) {
     clockSkewMs = Math.floor(opts.clockSkewMs);
   }
 
-  var maxSignatures = (typeof opts.maxSignatures === "number" &&
-                        isFinite(opts.maxSignatures) && opts.maxSignatures >= 1)
-                       ? Math.floor(opts.maxSignatures)
-                       : DKIM_MAX_SIGNATURES_PER_MESSAGE;
+  // RFC 6376 §6.1 — verifier MUST handle multiple signatures but the
+  // RFC sets no count cap. An unbounded count is a CPU-DoS surface
+  // (each sig forces a DNS fetch + cryptographic verify). Range 1-16
+  // — mainstream receivers (Gmail/Yahoo/MS 2024 bulk-sender guidance)
+  // cite 2-3 valid signatures per message as the operational ceiling;
+  // 16 is generous headroom for relay chains with hop signatures. The
+  // operator opt is range-checked at config time — values < 1 or > 16
+  // throw rather than silently clamp so an over-large config doesn't
+  // re-introduce the DoS surface.
+  var maxSignatures = DKIM_MAX_SIGNATURES_PER_MESSAGE;
+  if (opts.maxSignatures !== undefined) {
+    if (typeof opts.maxSignatures !== "number" ||
+        !isFinite(opts.maxSignatures) ||
+        opts.maxSignatures < 1 ||
+        opts.maxSignatures > DKIM_MAX_SIGNATURES_PER_MESSAGE_CEILING) {
+      throw new DkimError("dkim/bad-max-signatures",
+        "verify: maxSignatures must be an integer in [1, " +
+        DKIM_MAX_SIGNATURES_PER_MESSAGE_CEILING + "] (got " + opts.maxSignatures + ")");
+    }
+    maxSignatures = Math.floor(opts.maxSignatures);
+  }
   var verifyOpts = { minRsaBits: opts.minRsaBits };
 
   var split = _splitHeadersBody(rfc822);
@@ -867,12 +890,30 @@ async function verify(rfc822, opts) {
   if (sigHeaders.length === 0) {
     return [{ result: "none", errors: ["no DKIM-Signature headers"] }];
   }
-  // RFC 6376 §6.1 — verifier MUST handle multiple signatures but the
-  // RFC sets no count cap. An unbounded count is a CPU-DoS surface
-  // (each sig forces a DNS fetch + cryptographic verify). Cap and
-  // surface the truncation in the result for operator visibility.
+  // When the message carries more signatures than the cap allows,
+  // surface a `policy` verdict before any cryptographic work runs.
+  // The prior `slice(0, maxSignatures)` shape silently truncated; an
+  // operator-visible refusal lets postmasters see DoS attempts in
+  // their authentication-results stream.
   if (sigHeaders.length > maxSignatures) {
-    sigHeaders = sigHeaders.slice(0, maxSignatures);
+    if (auditOn) {
+      try {
+        audit().safeEmit({
+          action:  "dkim.verify.signature_count_cap",
+          outcome: "denied",
+          actor:   null,
+          metadata: {
+            sigCount:      sigHeaders.length,
+            maxSignatures: maxSignatures,
+            severity:      "warning",
+          },
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
+    return [{ result: "policy",
+              errors: ["DKIM-Signature count " + sigHeaders.length +
+                       " exceeds maxSignatures=" + maxSignatures +
+                       " (RFC 6376 §6.1; verifier DoS cap)"] }];
   }
 
   var results = [];

package/lib/mail-server-imap.js

@@ -144,6 +144,51 @@ var pkgVersion = require("../package.json").version;
 var ERR_CLAMP = 200;                                                                                  // allow:raw-byte-literal — protocol-reply error-message clamp
 var LINE_PREVIEW = 80;                                                                                // allow:raw-byte-literal — audit-line preview clamp
 
+// RFC 9051 §6.3.12 + RFC 5322 §3.3 date-time parser for IMAP APPEND.
+// Format: `DD-Mon-YYYY HH:MM:SS ±HHMM` where Mon is the 3-letter
+// English month abbreviation (case-insensitive on parse, but the IMAP
+// spec emits canonical mixed-case `Jan`/`Feb`/...). Returns the
+// millisecond epoch, or null on any parse failure — the caller emits
+// `BAD` rather than silently using `Date.now()`.
+var IMAP_MONTHS = Object.freeze({
+  jan: 0, feb: 1, mar: 2, apr: 3, may: 4, jun: 5,                                                         // allow:raw-byte-literal — month-index table (0-5)
+  jul: 6, aug: 7, sep: 8, oct: 9, nov: 10, dec: 11,                                                       // allow:raw-byte-literal — month-index table (6-11)
+});
+var IMAP_DT_RE = /^\s*(\d{1,2})-([A-Za-z]{3})-(\d{4})\s+(\d{2}):(\d{2}):(\d{2})\s+([+-])(\d{2})(\d{2})\s*$/;
+function _parseImapDateTime(s) {
+  if (typeof s !== "string") return null;
+  var m = s.match(IMAP_DT_RE);                                                                            // allow:regex-no-length-cap — input bounded by IMAP literal cap
+  if (!m) return null;
+  var day = parseInt(m[1], 10);
+  var month = IMAP_MONTHS[m[2].toLowerCase()];
+  if (month === undefined) return null;
+  var year = parseInt(m[3], 10);
+  var hour = parseInt(m[4], 10);
+  var min  = parseInt(m[5], 10);
+  var sec  = parseInt(m[6], 10);
+  var sign = m[7] === "-" ? -1 : 1;
+  var tzH  = parseInt(m[8], 10);
+  var tzM  = parseInt(m[9], 10);
+  if (day < 1 || day > 31 || hour > 23 || min > 59 || sec > 59 || tzH > 23 || tzM > 59) return null;
+  var utcMs = Date.UTC(year, month, day, hour, min, sec);
+  if (!isFinite(utcMs)) return null;
+  // RFC 5322 §3.3 — date-time MUST be a real calendar date. `Date.UTC`
+  // silently normalises impossible inputs (`Feb 31 2026` → `Mar 3 2026`);
+  // round-trip via the calendar fields and refuse any drift so a
+  // hostile client can't smuggle a different internalDate than the
+  // wire suggests.
+  var probe = new Date(utcMs);
+  if (probe.getUTCFullYear() !== year ||
+      probe.getUTCMonth()    !== month ||
+      probe.getUTCDate()     !== day ||
+      probe.getUTCHours()    !== hour ||
+      probe.getUTCMinutes()  !== min ||
+      probe.getUTCSeconds()  !== sec) {
+    return null;
+  }
+  return utcMs - sign * (tzH * C.TIME.hours(1) + tzM * C.TIME.minutes(1));
+}
+
 // Mailbox name validator. RFC 9051 §5.1 — UTF-8 hierarchy. Refuse
 // path-traversal (`..`), NUL, C0 controls, leading/trailing slash,
 // oversize.
@@ -707,15 +752,39 @@ function create(opts) {
 
   function _parseLoginArgs(args) {
     if (typeof args !== "string") return null;
-    // Quoted or atom — simple parser sufficient for happy path.
+    // Quoted or atom — RFC 9051 §5.1 quoted ABNF. Inside a quoted
+    // string `\"` and `\\` are escape sequences for `"` and `\`
+    // respectively; any other `\<chr>` is invalid. The earlier shape
+    // terminated the quoted string at the first `"`, so a hostile
+    // client passing `LOGIN "alice\"@example.com" "pw"` would have
+    // its username truncated at `alice` and the rest of the line
+    // reparsed as the password / literal — wrong identity bound to
+    // the AUTH state.
     var rest = args.trim();
     function _take() {
       if (rest[0] === "\"") {
-        var end = rest.indexOf("\"", 1);
-        if (end === -1) return null;
-        var v = rest.slice(1, end);
-        rest = rest.slice(end + 1).trim();
-        return v;
+        // Walk the quoted-string body, accumulating into `out` while
+        // honoring the `\"` / `\\` escape pairs. A bare `\` followed
+        // by any other character is refused (parse fails → null).
+        var out = "";
+        var i = 1;
+        while (i < rest.length) {
+          var ch = rest.charAt(i);
+          if (ch === "\\") {
+            var esc = rest.charAt(i + 1);
+            if (esc !== "\"" && esc !== "\\") return null;
+            out += esc;
+            i += 2;
+            continue;
+          }
+          if (ch === "\"") {
+            rest = rest.slice(i + 1).trim();
+            return out;
+          }
+          out += ch;
+          i += 1;
+        }
+        return null;   // unterminated quoted string
       }
       var sp = rest.indexOf(" ");
       var v2 = sp === -1 ? rest : rest.slice(0, sp);
@@ -857,6 +926,22 @@ function create(opts) {
     }
     var name = _unquote(match[1]);
     var flags = match[2] ? match[2].split(/\s+/).filter(Boolean) : [];
+    // RFC 9051 §6.3.12 — optional date-time argument sets INTERNALDATE
+    // on the appended message. Earlier shape captured the token but
+    // never threaded it; backends now receive it as `internalDate`
+    // (ms-since-epoch) and the mail-store applies it instead of the
+    // append-time clock. Refused as syntax error when the date-time
+    // can't be parsed (rather than silently using the clock).
+    var dateTimeArg = match[3] ? _unquote(match[3]) : null;
+    var internalDate = null;
+    if (dateTimeArg) {
+      internalDate = _parseImapDateTime(dateTimeArg);
+      if (internalDate === null) {
+        _writeTagged(socket, tag, "BAD APPEND date-time '" + dateTimeArg +
+          "' not in RFC 9051 §6.3.12 / RFC 5322 §3.3 date-time grammar");
+        return;
+      }
+    }
     if (!_validateMailboxName(name, { allowLegacyMUtf7: allowLegacyMUtf7 })) {
       _writeTagged(socket, tag, "BAD Mailbox name refused");
       return;
@@ -891,10 +976,12 @@ function create(opts) {
                 err.limit = q.capBytes;
                 throw err;
               }
-              return mailStore.appendMessage(name, literalBody, { actor: state.actor, flags: flags });
+              return mailStore.appendMessage(name, literalBody, {
+                actor: state.actor, flags: flags, internalDate: internalDate });
             });
         }
-        return mailStore.appendMessage(name, literalBody, { actor: state.actor, flags: flags });
+        return mailStore.appendMessage(name, literalBody, {
+          actor: state.actor, flags: flags, internalDate: internalDate });
       })
       .then(function (info) {
         _emit("mail.server.imap.append",
@@ -947,7 +1034,10 @@ function create(opts) {
 
   function _handleFetch(state, socket, tag, args, useUid) {
     if (!state.selectedMailbox) {
-      _writeTagged(socket, tag, "NO No mailbox selected");
+      // RFC 9051 §6.4.5 — FETCH outside of Selected state is a
+      // protocol-context violation, not a server-policy refusal.
+      // BAD signals the client to fix its dialog rather than retry.
+      _writeTagged(socket, tag, "BAD FETCH only valid in Selected state (RFC 9051 §6.4.5)");
       return;
     }
     if (typeof mailStore.fetchRange !== "function") {
@@ -988,7 +1078,11 @@ function create(opts) {
 
   function _handleStore(state, socket, tag, args, useUid) {
     if (!state.selectedMailbox) {
-      _writeTagged(socket, tag, "NO No mailbox selected");
+      // RFC 9051 §6.4.6 — STORE outside of Selected state is a
+      // protocol-context violation. BAD (not NO) is the correct
+      // response per the IMAP grammar; UID STORE has the same rule
+      // since the verb is just a `UID` prefix on STORE.
+      _writeTagged(socket, tag, "BAD STORE only valid in Selected state (RFC 9051 §6.4.6)");
       return;
     }
     if (state.selectedReadOnly) {