@blamejs/core 0.10.8 → 0.10.11

package/lib/jose-jwe-experimental.js

@@ -0,0 +1,228 @@
+"use strict";
+/**
+ * @module b.jose.jwe.experimental
+ * @nav    Crypto
+ * @title  JOSE JWE (experimental, ML-KEM)
+ *
+ * @intro
+ *   JSON Web Encryption (RFC 7516) with ML-KEM-1024 key encapsulation
+ *   and XChaCha20-Poly1305 AEAD content encryption. Lives under
+ *   `b.jose.jwe.experimental` because the JOSE PQC IANA codepoint
+ *   registration (draft-ietf-jose-pqc-kem-05) hasn't finalized — the
+ *   namespace name is the contract: codepoints may change between
+ *   minors without the framework's stable surface being affected.
+ *
+ *   When the JOSE WG closes the draft and IANA registers final
+ *   codepoints, the same primitives graduate to `b.jose.jwe` (or a
+ *   stable equivalent) with explicit deprecation of the experimental
+ *   namespace and a one-minor migration window per the framework's
+ *   stable-upgrade-policy rule.
+ *
+ *   Compact serialization only — no JSON serialization variant
+ *   (saves wire-format complexity at this experimental tier;
+ *   operators that need JWE-JSON wait for the stable surface).
+ *
+ * @card
+ *   Experimental JWE with ML-KEM-1024 KEM + XChaCha20-Poly1305 content encryption. Codepoints follow draft-ietf-jose-pqc-kem (may change before IANA registration).
+ */
+
+var bCrypto = require("./crypto");
+var canonicalJson = require("./canonical-json");
+var { defineClass } = require("./framework-error");
+var audit = require("./audit");
+
+var JoseJweExperimentalError = defineClass("JoseJweExperimentalError", { alwaysPermanent: true });
+
+// Active draft (as of 2026-05-17). When IANA finalizes the codepoint
+// the framework graduates the alg name to its stable form and ships a
+// one-minor deprecation window via the existing `deprecate()` chain.
+var EXPERIMENTAL_ALG  = "ML-KEM-1024";
+var EXPERIMENTAL_ENC  = "XC20P";   // XChaCha20-Poly1305 per draft-irtf-cfrg-xchacha; aligns with framework PQC-first defaults
+
+/**
+ * @primitive b.jose.jwe.experimental.encrypt
+ * @signature b.jose.jwe.experimental.encrypt(plaintext, recipientPublicKeyPem, opts?)
+ * @since     0.10.10
+ * @status    experimental
+ * @related   b.jose.jwe.experimental.decrypt, b.crypto.encrypt
+ *
+ * Encrypt a payload under the recipient's ML-KEM-1024 public key.
+ * Returns the JWE compact serialization
+ * `<header>.<encrypted_key>.<iv>.<ciphertext>.<tag>` (base64url
+ * segments) per RFC 7516 §3.1 with experimental PQC codepoints.
+ *
+ * Header includes `{ alg: "ML-KEM-1024", enc: "XC20P", typ: "JWE",
+ * "x-blamejs-experimental": true }` — operators that scrape JWE
+ * envelopes can refuse the experimental marker until the codepoint
+ * stabilises.
+ *
+ * @opts
+ *   typ:           string,        // optional JWE "typ" header
+ *   contentType:   string,        // optional JWE "cty" header
+ *   audit:         boolean,        // default true; emit audit event on encrypt
+ *
+ * @example
+ *   var pair = b.crypto.generateEncryptionKeyPair();
+ *   var jwe = b.jose.jwe.experimental.encrypt("hello", pair.mlkem.publicKey);
+ *   typeof jwe; // → "string" (compact form)
+ */
+function encrypt(plaintext, recipientPublicKeyPem, opts) {
+  opts = opts || {};
+  if (!(plaintext instanceof Buffer)) {
+    if (typeof plaintext === "string") plaintext = Buffer.from(plaintext, "utf8");
+    else {
+      throw new JoseJweExperimentalError("jose-jwe-exp/bad-plaintext",
+        "encrypt: plaintext must be a Buffer or string");
+    }
+  }
+  if (typeof recipientPublicKeyPem !== "string" || recipientPublicKeyPem.length === 0) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/bad-key",
+      "encrypt: recipientPublicKeyPem must be a non-empty PEM string");
+  }
+
+  var header = {
+    alg:                       EXPERIMENTAL_ALG,
+    enc:                       EXPERIMENTAL_ENC,
+    typ:                       opts.typ || "JWE",
+    "x-blamejs-experimental":  true,
+  };
+  if (typeof opts.contentType === "string" && opts.contentType.length > 0) {
+    header.cty = opts.contentType;
+  }
+
+  // Encapsulate under the recipient's ML-KEM-1024 public key. The
+  // framework's `encrypt(plaintext, pemString)` form selects the
+  // ML-KEM-only path and returns a base64 envelope string.
+  //
+  // The experimental JWE serialization carries the framework envelope
+  // as a single base64url segment (`ciphertext` slot). The empty
+  // `encrypted_key` / `iv` / `tag` segments are valid under RFC 7516
+  // §3.1 (compact serialization permits empty Base64URL parts when
+  // the cryptographic primitives are AEAD-with-direct-key — the
+  // framework envelope is self-contained). Operators that need the
+  // segmented shape with each field carved out wait for the
+  // post-IANA stable surface where layout is contract.
+  var fwEnvelopeB64 = bCrypto.encrypt(plaintext, recipientPublicKeyPem);
+  var fwEnvelopeUrl = bCrypto.toBase64Url(Buffer.from(fwEnvelopeB64, "base64"));
+  var headerB64 = bCrypto.toBase64Url(Buffer.from(canonicalJson.stringify(header), "utf8"));
+  // RFC 7516 §3.1 compact-serialization slots: header / encrypted_key
+  // / iv / ciphertext / tag. The framework envelope (a self-contained
+  // AEAD output) lives in the `ciphertext` slot (index 3). Other slots
+  // are empty under this experimental shape.
+  var compact = headerB64 + "..." + fwEnvelopeUrl + ".";
+  if (opts.audit !== false) {
+    audit.safeEmit({
+      action:   "jose.jwe.experimental.encrypt",
+      outcome:  "success",
+      metadata: { alg: EXPERIMENTAL_ALG, enc: EXPERIMENTAL_ENC, ptLen: plaintext.length },
+    });
+  }
+  return compact;
+}
+
+/**
+ * @primitive b.jose.jwe.experimental.decrypt
+ * @signature b.jose.jwe.experimental.decrypt(compact, recipientPrivateKeyPem, opts?)
+ * @since     0.10.10
+ * @status    experimental
+ * @related   b.jose.jwe.experimental.encrypt
+ *
+ * Decrypt a compact-serialization JWE produced by the experimental
+ * `encrypt` path. Returns the plaintext Buffer. Refuses on alg / enc
+ * mismatch, missing experimental marker, or any cryptographic verify
+ * failure. Never throws on adversarial input — typed
+ * `JoseJweExperimentalError` with a coded refusal.
+ *
+ * @opts
+ *   audit:         boolean,        // default true
+ *
+ * @example
+ *   var plaintext = b.jose.jwe.experimental.decrypt(jwe, pair.mlkem.privateKey);
+ *   plaintext.toString("utf8"); // → "hello"
+ */
+function decrypt(compact, recipientPrivateKeyPem, opts) {
+  opts = opts || {};
+  if (typeof compact !== "string" || compact.length === 0) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/bad-compact",
+      "decrypt: compact must be a non-empty string");
+  }
+  if (typeof recipientPrivateKeyPem !== "string" || recipientPrivateKeyPem.length === 0) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/bad-key",
+      "decrypt: recipientPrivateKeyPem must be a non-empty PEM string");
+  }
+  var parts = compact.split(".");
+  if (parts.length !== 5) {                                                                          // allow:raw-byte-literal — JWE compact serialization is 5 dot-separated segments (RFC 7516 §3.1)
+    throw new JoseJweExperimentalError("jose-jwe-exp/bad-format",
+      "decrypt: JWE compact serialization MUST have 5 segments (RFC 7516 §3.1), got " + parts.length);
+  }
+  var header;
+  // Header is base64url-decoded; route through safeJson.parse for
+  // proto-pollution + depth + size defenses (operator-supplied compact
+  // bytes are adversarial). Both the base64url decode AND the JSON
+  // parse live inside the same typed try/catch so a malformed header
+  // surfaces as the typed `jose-jwe-exp/bad-header` refusal class
+  // rather than a raw TypeError leaking from b.crypto.fromBase64Url.
+  var headerBytes;
+  try { headerBytes = bCrypto.fromBase64Url(parts[0]); }
+  catch (_eb) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/bad-header",
+      "decrypt: protected header is not valid base64url");
+  }
+  if (headerBytes.length > 4096) {                                                                   // allow:raw-byte-literal — JWE header byte cap, not bytes-as-storage
+    throw new JoseJweExperimentalError("jose-jwe-exp/header-too-large",
+      "decrypt: protected header exceeds 4 KiB cap");
+  }
+  try { header = require("./safe-json").parse(headerBytes.toString("utf8")); }                       // allow:inline-require — safe-json only needed on the rare decrypt path
+  catch (_e) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/bad-header",
+      "decrypt: protected header is not base64url-encoded JSON");
+  }
+  if (header.alg !== EXPERIMENTAL_ALG) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/alg-mismatch",
+      "decrypt: alg '" + header.alg + "' is not '" + EXPERIMENTAL_ALG + "'");
+  }
+  if (header.enc !== EXPERIMENTAL_ENC) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/enc-mismatch",
+      "decrypt: enc '" + header.enc + "' is not '" + EXPERIMENTAL_ENC + "'");
+  }
+  if (header["x-blamejs-experimental"] !== true) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/missing-experimental-marker",
+      "decrypt: header missing `x-blamejs-experimental: true` — refuse to decrypt unmarked envelopes");
+  }
+  // Per the experimental serialization (see `encrypt`), the framework
+  // envelope lives in segment 3. Other segments must be empty.
+  if (parts[1].length > 0 || parts[2].length > 0 || parts[4].length > 0) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/bad-format",
+      "decrypt: experimental JWE shape requires empty encrypted_key / iv / tag segments");
+  }
+  var fwEnvelopeBuf;
+  try { fwEnvelopeBuf = bCrypto.fromBase64Url(parts[3]); }
+  catch (_eb2) {
+    throw new JoseJweExperimentalError("jose-jwe-exp/bad-format",
+      "decrypt: ciphertext segment is not valid base64url");
+  }
+  var fwEnvelopeB64 = fwEnvelopeBuf.toString("base64");
+  // `raw: true` keeps the decrypted plaintext as a Buffer rather than
+  // utf8-decoding it (which would corrupt binary payloads — `0xff`
+  // becomes the Unicode replacement character). The JWE primitives
+  // document Buffer-in / Buffer-out so the contract holds across
+  // arbitrary plaintext shapes (signed-blob carriers, binary tokens).
+  var plaintext = bCrypto.decrypt(fwEnvelopeB64,
+    { privateKey: recipientPrivateKeyPem }, { raw: true });
+  if (opts.audit !== false) {
+    audit.safeEmit({
+      action:   "jose.jwe.experimental.decrypt",
+      outcome:  "success",
+      metadata: { alg: EXPERIMENTAL_ALG, enc: EXPERIMENTAL_ENC },
+    });
+  }
+  return plaintext;
+}
+
+module.exports = {
+  encrypt:                  encrypt,
+  decrypt:                  decrypt,
+  EXPERIMENTAL_ALG:         EXPERIMENTAL_ALG,
+  EXPERIMENTAL_ENC:         EXPERIMENTAL_ENC,
+  JoseJweExperimentalError: JoseJweExperimentalError,
+};

package/lib/mail-server-imap.js

@@ -124,6 +124,7 @@ var numericBounds = require("./numeric-bounds");
 var validateOpts = require("./validate-opts");
 var guardImapCommand = require("./guard-imap-command");
 var mailServerRateLimit = require("./mail-server-rate-limit");
+var mailServerRegistry = require("./mail-server-registry");
 var mailServerTls = require("./mail-server-tls");
 var { defineClass } = require("./framework-error");
 
@@ -491,37 +492,139 @@ function create(opts) {
     _dispatch(state, socket, parsed, lineNoLit, pending.body);
   }
 
-  function _dispatch(state, socket, parsed, _rawLine, literalBody) {
-    var tag  = parsed.tag;
-    var verb = parsed.verb;
-    var args = parsed.args;
+  // Adapter shim — uniform `(state, socket, parsed, literalBody)`
+  // dispatch contract over the per-verb handlers. Builds the registry
+  // defaults lazily on first dispatch so the closure-scoped handler
+  // references are bound when needed (handlers are hoisted by their
+  // function-declarations; the registry init runs at dispatch time).
+  var _registry = null;
+  function _ensureRegistry() {
+    if (_registry !== null) return _registry;
+    // Per-handler resource budgets. Sized per the verb's known
+    // payload shape (LIST scans the folder tree; FETCH walks N
+    // messages; APPEND accepts a literal up to maxLiteralBytes).
+    var SHORT_MS  = 5 * 1000;                                                                        // allow:raw-time-literal — 5s short-command budget
+    var MEDIUM_MS = 30 * 1000;                                                                       // allow:raw-time-literal — 30s medium-command budget
+    var LONG_MS   = 2 * 60 * 1000;                                                                   // allow:raw-time-literal — 2 min long-command budget (FETCH / APPEND)
+    var SHORT_B   = 8 * 1024;                                                                        // allow:raw-byte-literal — 8 KiB short-command response cap
+    var MEDIUM_B  = 1024 * 1024;                                                                     // allow:raw-byte-literal — 1 MiB medium-command response cap
+    var LONG_B    = 64 * 1024 * 1024;                                                                // allow:raw-byte-literal — 64 MiB FETCH/APPEND response cap
+    var defaults = {
+      CAPABILITY:   { fn: function (s, so, p)  { return _handleCapability(s, so, p.tag); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      NOOP:         { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "OK NOOP completed"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      LOGOUT:       { fn: function (s, so, p)  { return _handleLogout(s, so, p.tag); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      ID:           { fn: function (s, so, p)  { return _handleId(s, so, p.tag, p.args); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      STARTTLS:     { fn: function (s, so, p)  { return _handleStartTls(s, so, p.tag); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      AUTHENTICATE: { fn: function (s, so, p)  { return _handleAuthenticate(s, so, p.tag, p.args); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      LOGIN:        { fn: function (s, so, p)  { return _handleLogin(s, so, p.tag, p.args); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      ENABLE:       { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "OK ENABLED"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      SELECT:       { fn: function (s, so, p)  { return _handleSelect(s, so, p.tag, p.args, false); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      EXAMINE:      { fn: function (s, so, p)  { return _handleSelect(s, so, p.tag, p.args, true); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      LIST:         { fn: function (s, so, p)  { return _handleList(s, so, p.tag, p.args); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      STATUS:       { fn: function (s, so, p)  { return _handleStatus(s, so, p.tag, p.args); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      NAMESPACE:    { fn: function (s, so, p)  {
+                        _writeUntagged(so, "NAMESPACE ((\"\" \"/\")) NIL NIL");
+                        return _writeTagged(so, p.tag, "OK NAMESPACE completed");
+                      },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      APPEND:       { fn: function (s, so, p, lit) { return _handleAppend(s, so, p.tag, p.args, lit); },
+                      maxHandlerBytes: LONG_B,   maxHandlerMs: LONG_MS },
+      CHECK:        { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "OK CHECK completed"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      CLOSE:        { fn: function (s, so, p)  { return _handleClose(s, so, p.tag); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      UNSELECT:     { fn: function (s, so, p)  { return _handleClose(s, so, p.tag); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      EXPUNGE:      { fn: function (s, so, p)  { return _handleExpunge(s, so, p.tag); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      FETCH:        { fn: function (s, so, p)  { return _handleFetch(s, so, p.tag, p.args); },
+                      maxHandlerBytes: LONG_B,   maxHandlerMs: LONG_MS },
+      STORE:        { fn: function (s, so, p)  { return _handleStore(s, so, p.tag, p.args); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      UID:          { fn: function (s, so, p)  { return _handleUid(s, so, p.tag, p.args); },
+                      maxHandlerBytes: LONG_B,   maxHandlerMs: LONG_MS },
+      IDLE:         { fn: function (s, so, p)  { return _handleIdle(s, so, p.tag); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: LONG_MS },
+      DONE:         { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "BAD DONE outside IDLE"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      // Defaults for the verbs the v0.9.49 listener didn't dispatch —
+      // operators wire concrete handlers via opts.overrides.
+      SEARCH:       { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "NO SEARCH not configured"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      CREATE:       { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "NO CREATE not configured"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      DELETE:       { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "NO DELETE not configured"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      RENAME:       { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "NO RENAME not configured"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      SUBSCRIBE:    { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "NO SUBSCRIBE not configured"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      UNSUBSCRIBE:  { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "NO UNSUBSCRIBE not configured"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      COPY:         { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "NO COPY not configured"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      MOVE:         { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "NO MOVE not configured"); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+    };
+    _registry = mailServerRegistry.create({
+      protocol:        "imap",
+      defaults:        defaults,
+      overrides:       opts.overrides || {},
+      notFoundHandler: function (verb, _state, socket, parsed) {
+        return _writeTagged(socket, parsed.tag,
+          "BAD Verb '" + verb + "' not implemented in v1");
+      },
+    });
+    return _registry;
+  }
 
-    switch (verb) {
-    case "CAPABILITY": return _handleCapability(state, socket, tag);
-    case "NOOP":       return _writeTagged(socket, tag, "OK NOOP completed");
-    case "LOGOUT":     return _handleLogout(state, socket, tag);
-    case "ID":         return _handleId(state, socket, tag, args);
-    case "STARTTLS":   return _handleStartTls(state, socket, tag);
-    case "AUTHENTICATE": return _handleAuthenticate(state, socket, tag, args);
-    case "LOGIN":      return _handleLogin(state, socket, tag, args);
-    case "ENABLE":     return _writeTagged(socket, tag, "OK ENABLED");
-    case "SELECT":
-    case "EXAMINE":    return _handleSelect(state, socket, tag, args, verb === "EXAMINE");
-    case "LIST":       return _handleList(state, socket, tag, args);
-    case "STATUS":     return _handleStatus(state, socket, tag, args);
-    case "NAMESPACE":  return _writeUntagged(socket, "NAMESPACE ((\"\" \"/\")) NIL NIL"), _writeTagged(socket, tag, "OK NAMESPACE completed");
-    case "APPEND":     return _handleAppend(state, socket, tag, args, literalBody);
-    case "CHECK":      return _writeTagged(socket, tag, "OK CHECK completed");
-    case "CLOSE":
-    case "UNSELECT":   return _handleClose(state, socket, tag);
-    case "EXPUNGE":    return _handleExpunge(state, socket, tag);
-    case "FETCH":      return _handleFetch(state, socket, tag, args);
-    case "STORE":      return _handleStore(state, socket, tag, args);
-    case "UID":        return _handleUid(state, socket, tag, args);
-    case "IDLE":       return _handleIdle(state, socket, tag);
-    case "DONE":       return _writeTagged(socket, tag, "BAD DONE outside IDLE");
-    default:           return _writeTagged(socket, tag, "BAD Verb '" + verb + "' not implemented in v1");
+  function _dispatch(state, socket, parsed, _rawLine, literalBody) {
+    // Registry dispatch may return a Promise (async override handler,
+    // or a safeAsync.withTimeout-wrapped Promise). The caller's
+    // try/catch is synchronous, so a Promise rejection would surface
+    // as an unhandled rejection AND the client would never receive
+    // the tagged error reply. Attach a catch that converts the
+    // rejection into a `BAD`/`NO` tagged response + audit emit.
+    var result;
+    try {
+      result = _ensureRegistry().dispatch(parsed.verb, state, socket, parsed, literalBody);
+    } catch (err) {
+      _writeTagged(socket, parsed.tag,
+        "NO " + ((err && err.message) || "handler threw").slice(0, ERR_CLAMP));
+      _emit("mail.server.imap.handler_threw",
+        { connectionId: state.id, verb: parsed.verb,
+          error: (err && err.message) || String(err) }, "failure");
+      return;
+    }
+    if (result && typeof result.then === "function") {
+      result.then(
+        function () { /* tagged response already written by handler */ },
+        function (err) {
+          try {
+            _writeTagged(socket, parsed.tag,
+              "NO " + ((err && err.message) || "handler rejected").slice(0, ERR_CLAMP));
+          } catch (_we) { /* socket may already be gone */ }
+          try {
+            _emit("mail.server.imap.handler_rejected",
+              { connectionId: state.id, verb: parsed.verb,
+                error: (err && err.message) || String(err) }, "failure");
+          } catch (_ae) { /* drop-silent */ }
+        }
+      );
     }
+    return result;
   }
 
   function _capabilityLine(state) {

package/lib/mail-server-jmap.js

@@ -123,6 +123,7 @@ var bCrypto = require("./crypto");
 var safeJson = require("./safe-json");
 var validateOpts = require("./validate-opts");
 var guardJmap = require("./guard-jmap");
+var mailServerRegistry = require("./mail-server-registry");
 var { defineClass } = require("./framework-error");
 
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -195,7 +196,34 @@ function create(opts) {
   var profile = opts.profile || DEFAULT_PROFILE;
   var posture = opts.posture || null;
   var serverCapabilities = opts.serverCapabilities || {};
-  var methods = opts.methods;
+
+  // JMAP method registry. Wrap operator-supplied `opts.methods` map
+  // through `b.mail.serverRegistry` so per-handler resource budgets
+  // (maxHandlerBytes / maxHandlerMs) apply uniformly across the IMAP
+  // / JMAP / ManageSieve listeners. Legacy `opts.methods` callers get
+  // an auto-default budget (10 MiB / 30s) with a one-time deprecation
+  // audit event per process; new callers use `opts.overrides` with
+  // explicit budgets per the stricter-mode register contract.
+  var LEGACY_JMAP_BYTES = 10 * 1024 * 1024;                                                          // allow:raw-byte-literal — 10 MiB legacy auto-budget for JMAP methods
+  var LEGACY_JMAP_MS    = 30 * 1000;                                                                 // allow:raw-time-literal — 30s legacy auto-budget
+  var _legacyDeprecationEmitted = false;
+  var defaults = {};
+  var methodNames = Object.keys(opts.methods);
+  for (var mi = 0; mi < methodNames.length; mi += 1) {
+    var mname = methodNames[mi];
+    if (typeof opts.methods[mname] !== "function") continue;
+    defaults[mname] = {
+      fn:               opts.methods[mname],
+      maxHandlerBytes:  LEGACY_JMAP_BYTES,
+      maxHandlerMs:     LEGACY_JMAP_MS,
+      allowExperimental: true,   // legacy callers wired anything; preserve the openness
+    };
+  }
+  var registry = mailServerRegistry.create({
+    protocol:  "jmap",
+    defaults:  defaults,
+    overrides: opts.overrides || {},
+  });
   var sessionState = bCrypto.generateToken(16);                                                       // allow:raw-byte-literal — opaque session-state token length
 
   function _emit(action, metadata, outcome) {
@@ -321,18 +349,24 @@ function create(opts) {
         methodResponses.push(["error", { type: refType, description: (e && e.message) || "" }, clientId]);
         continue;
       }
-      var handler = methods[methodName];
-      if (typeof handler !== "function") {
+      if (!registry.has(methodName)) {
         methodResponses.push(["error",
           { type: "urn:ietf:params:jmap:error:unknownMethod",
             description: "Method '" + methodName + "' not implemented on this server" }, clientId]);
         continue;
       }
+      if (!_legacyDeprecationEmitted && registry.source(methodName) === "builtin") {
+        _legacyDeprecationEmitted = true;
+        _emit("mail.server.jmap.methods_opt_deprecated",
+          { note: "opts.methods is shimmed through b.mail.serverRegistry with auto-budget; " +
+                  "future minor will require opts.overrides with explicit budgets" },
+          "warning");
+      }
       try {
         // JMAP methodCalls execute sequentially by spec (RFC 8620 §3.7 —
         // back-references require strict ordering). The await-in-loop
         // pattern is intentional here.
-        var result = await handler(actor, resolvedArgs, {
+        var result = await registry.dispatch(methodName, actor, resolvedArgs, {
           using:       parsed.using,
           createdIds:  parsed.createdIds,
           methodName:  methodName,

package/lib/mail-server-managesieve.js

@@ -136,6 +136,7 @@ var validateOpts = require("./validate-opts");
 var guardManageSieveCommand = require("./guard-managesieve-command");
 var safeSieve = require("./safe-sieve");
 var mailServerRateLimit = require("./mail-server-rate-limit");
+var mailServerRegistry = require("./mail-server-registry");
 var { defineClass } = require("./framework-error");
 
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -378,7 +379,26 @@ function create(opts) {
       return;
     }
     try {
-      _dispatch(state, socket, parsed);
+      var result = _dispatch(state, socket, parsed);
+      // Registry dispatch may return a Promise (async override handler
+      // or safeAsync.withTimeout-wrapped Promise). The synchronous
+      // try/catch above only catches throw-during-dispatch; Promise
+      // rejections need an attached catch to avoid unhandled-rejection
+      // termination + missing NO reply.
+      if (result && typeof result.then === "function") {
+        result.then(
+          function () { /* OK reply already written by handler */ },
+          function (e) {
+            try {
+              _emit("mail.server.managesieve.handler_rejected",
+                { connectionId: state.id, verb: parsed && parsed.verb,
+                  error: (e && e.message) || String(e) }, "failure");
+            } catch (_ae) { /* drop-silent */ }
+            try { _writeNo(socket, "Internal error"); }
+            catch (_we) { /* socket may already be gone */ }
+          }
+        );
+      }
     } catch (e) {
       _emit("mail.server.managesieve.handler_threw",
         { connectionId: state.id, verb: parsed && parsed.verb,
@@ -387,23 +407,54 @@ function create(opts) {
     }
   }
 
+  var _registry = null;
+  function _ensureRegistry() {
+    if (_registry !== null) return _registry;
+    var SHORT_MS  = 5 * 1000;                                                                        // allow:raw-time-literal — 5s short-command budget
+    var MEDIUM_MS = 30 * 1000;                                                                       // allow:raw-time-literal — 30s medium-command budget
+    var LONG_MS   = 2 * 60 * 1000;                                                                   // allow:raw-time-literal — 2 min PUTSCRIPT / GETSCRIPT budget
+    var SHORT_B   = 8 * 1024;                                                                        // allow:raw-byte-literal — 8 KiB short-command cap
+    var MEDIUM_B  = 1024 * 1024;                                                                     // allow:raw-byte-literal — 1 MiB medium-command cap
+    var LONG_B    = 16 * 1024 * 1024;                                                                // allow:raw-byte-literal — 16 MiB PUTSCRIPT cap
+    var defaults = {
+      CAPABILITY:   { fn: function (s, so)    { return _handleCapability(s, so); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      NOOP:         { fn: function (s, so, p) { return _handleNoop(s, so, p); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      STARTTLS:     { fn: function (s, so)    { return _handleStartTls(s, so); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      LOGOUT:       { fn: function (s, so)    { return _handleLogout(s, so); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      AUTHENTICATE: { fn: function (s, so, p) { return _handleAuthenticate(s, so, p); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      HAVESPACE:    { fn: function (s, so, p) { return _handleHaveSpace(s, so, p); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      PUTSCRIPT:    { fn: function (s, so, p) { return _handlePutScript(s, so, p); },
+                      maxHandlerBytes: LONG_B,   maxHandlerMs: LONG_MS },
+      LISTSCRIPTS:  { fn: function (s, so)    { return _handleListScripts(s, so); },
+                      maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
+      SETACTIVE:    { fn: function (s, so, p) { return _handleSetActive(s, so, p); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      GETSCRIPT:    { fn: function (s, so, p) { return _handleGetScript(s, so, p); },
+                      maxHandlerBytes: LONG_B,   maxHandlerMs: LONG_MS },
+      DELETESCRIPT: { fn: function (s, so, p) { return _handleDeleteScript(s, so, p); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+      RENAMESCRIPT: { fn: function (s, so, p) { return _handleRenameScript(s, so, p); },
+                      maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
+    };
+    _registry = mailServerRegistry.create({
+      protocol:        "managesieve",
+      defaults:        defaults,
+      overrides:       opts.overrides || {},
+      notFoundHandler: function (verb, _state, socket) {
+        return _writeNo(socket, "Unknown verb '" + verb + "'");
+      },
+    });
+    return _registry;
+  }
+
   function _dispatch(state, socket, parsed) {
-    var verb = parsed.verb;
-    switch (verb) {
-    case "CAPABILITY":   return _handleCapability(state, socket);
-    case "NOOP":         return _handleNoop(state, socket, parsed);
-    case "STARTTLS":     return _handleStartTls(state, socket);
-    case "LOGOUT":       return _handleLogout(state, socket);
-    case "AUTHENTICATE": return _handleAuthenticate(state, socket, parsed);
-    case "HAVESPACE":    return _handleHaveSpace(state, socket, parsed);
-    case "PUTSCRIPT":    return _handlePutScript(state, socket, parsed);
-    case "LISTSCRIPTS":  return _handleListScripts(state, socket);
-    case "SETACTIVE":    return _handleSetActive(state, socket, parsed);
-    case "GETSCRIPT":    return _handleGetScript(state, socket, parsed);
-    case "DELETESCRIPT": return _handleDeleteScript(state, socket, parsed);
-    case "RENAMESCRIPT": return _handleRenameScript(state, socket, parsed);
-    default:             return _writeNo(socket, "Unknown verb '" + verb + "'");
-    }
+    return _ensureRegistry().dispatch(parsed.verb, state, socket, parsed);
   }
 
   // _emitCapabilityBanner — RFC 5804 §1.7 capability banner. Lines