@blamejs/core 0.11.1 → 0.11.3

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.11.x
 
+- v0.11.3 (2026-05-19) — **SPF `a` and `mx` mechanism dispatch + smaller deferral-condition cleanups.** `b.mail.spf.verify` now evaluates the `a` and `mx` mechanisms per [RFC 7208 §5.3 + §5.4](https://www.rfc-editor.org/rfc/rfc7208), including the dual-cidr-length syntax (`a:foo.example/24//64`, `mx//64`). Senders publishing `v=spf1 mx -all` or `v=spf1 a -all` previously permerrored against this framework even though those are the second-most-common SPF mechanisms in fielded policies; verification now resolves the operator-supplied A / AAAA / MX records (via the existing `dnsLookup` callback contract — which is now honored for every record type, not only TXT) and matches the connecting IP under the parsed cidr. MX expansion is capped at the RFC §4.6.4 limit of 10 hosts (over-limit = permerror); each MX-host A/AAAA expansion counts toward the 10-lookup global ceiling and the 2-lookup void-lookup sub-limit. Empty digit segments in the dual-cidr-length grammar (`a/`, `a//`, `mx/`, `mx//`, `a/24//`) permerror with an explanatory message — RFC §5.3/§5.4 grammar requires `1*DIGIT` after each slash, and accepting empty would over-authorize senders publishing `v=spf1 a/ -all` (would match every IP in the /32 of every A record). The `exists` (RFC §5.7) and `ptr` (RFC §5.5) mechanisms remain deferred — `exists` needs macro-string expansion (RFC §7) to be usable in fielded policies, `ptr` is "strongly discouraged" by the RFC and rarely seen — and each now permerrors with an explanatory message naming the RFC section and a practical operator-side mitigation. `b.mail.crypto.smime` `@card` and the v1-only-emits-metadata comment in `lib/mail-crypto-smime.js` are corrected to reflect that sign + verify shipped in v0.10.16 on the `b.cms` substrate (EFAIL-class encrypt/decrypt remains the only deferred slice). `b.acme.create.revokeCert({ useCertKey: true })` and the `BAD UID <subverb>` IMAP listener response now carry explicit re-open conditions + named operator escape hatches alongside the deferral. **New codebase-patterns detector `slice1-optional-parseint-silent-default`** flags the class — any `.slice(1)` followed by an `if (X.length > 0)` guard around `parseInt(X, 10)` MUST sit in a file that also carries an explicit empty-segment refusal phrasing, so future cidr-length / prefix-length / port-range parsers inherit the discipline automatically. **References:** [RFC 7208 §5.3 a mechanism](https://www.rfc-editor.org/rfc/rfc7208#section-5.3) · [RFC 7208 §5.4 mx mechanism](https://www.rfc-editor.org/rfc/rfc7208#section-5.4) · [RFC 7208 §4.6.4 DNS-lookup limits](https://www.rfc-editor.org/rfc/rfc7208#section-4.6.4) · [RFC 8551 S/MIME 4.0](https://www.rfc-editor.org/rfc/rfc8551.html) · [RFC 9051 IMAP4rev2 §6.4.9 UID](https://www.rfc-editor.org/rfc/rfc9051#section-6.4.9).
+
+- v0.11.2 (2026-05-19) — **Node 26 floor-bump preparation.** Today's `engines.node` floor is `>=24.14.1` and the framework runs cleanly on Node 26 (which satisfies the floor). This release ships the **prep** scaffolding so the future floor-bump slice (when Node 26 promotes to Active LTS and `>=26.x` becomes the floor) is mechanical. **`b.backup.diskStorage(opts)`** is the new canonical name for the local-filesystem backup storage backend; `b.backup.localStorage(opts)` continues to work and emits a one-time deprecation warning via `b.deprecate.alias`, with removal scheduled for the next major. The rename avoids the Node 26 platform-level `localStorage` global naming collision; the deprecation path follows the framework's stable upgrade policy (one minor with deprecation warnings before removal). **New codebase-patterns detector `map-get-or-insert-pre-node-26`** flags the `if (!m.has(k)) m.set(k, factory()); m.get(k)` shape that Node 26's `Map.prototype.getOrInsertComputed(key, factory)` replaces in a single call. The detector lands as an allowlist marker — every existing call site in `lib/` is allowlisted with the spec file as the migration target; new code post-this-patch trips the gate. When the floor bumps the allowlist is walked + the detector flips to enforce. **`test/integration/pqc-pkcs8-forward-compat.test.js`** captures the ML-KEM-1024 / ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f / Ed25519 PKCS8 export-byte shape on the current Node, asserts the sign+verify / encap+decap roundtrip via a re-imported KeyObject, and embeds a Node-26-shape fixture that re-imports every run — so the forward-compat contract is testable today and the reverse-direction (Node-26-exported → Node-24-imported) test follows the floor-bump. **SECURITY.md gains a "Node 26 compatibility" section** documenting the `localStorage` global naming collision (bare references in operator handler code now resolve to a Node global rather than throwing `ReferenceError`) and the ML-KEM / ML-DSA seed-only PKCS8 export shape (Node-24-sealed material re-imports cleanly on Node 26; new material from Node 26 is seed-only — parallel Node 24 readers of the same sealed disk need a one-time migration when the writer moves). README "Requirements" line gains the matching Node 26 note. **References:** [Node.js v26 release notes](https://nodejs.org/en/blog/release/v26.0.0) · [TC39 Map.getOrInsertComputed](https://github.com/tc39/proposal-upsert) · [RFC 8032 §5.1 Ed25519 context parameter](https://www.rfc-editor.org/rfc/rfc8032.html#section-5.1).
+
 - v0.11.1 (2026-05-19) — **Integration suite hardening + live coverage for the v0.11.0 surface.** **`b.httpClient.request`** now skips the local SSRF DNS lookup when a proxy is configured AND the operator passes `allowInternal: true`. The proxy resolves the destination hostname in its own network context, so requiring local resolution refused legitimate intranet / docker-service-name targets routed through the proxy. The SSRF gate still runs when `allowInternal` is false / array-form (the proxy's freedom to reach internal IPs is not a blanket license; the explicit opt-in is still required). **`b.mtlsCa`** integration tests now compose with the `caKeySealedMode: "disabled"` opt for fixture purposes; production deployments continue to wire `opts.vault` for sealed-at-rest CA-key storage. **`b.mail.crypto.smime.verify`** return shape gains a `chainVerified: boolean` field reflecting whether `opts.trustAnchorCertsPem` was supplied and the leaf-to-root chain walk completed. **Integration coverage added for v0.11.0 primitives:** new `test/integration/mail-crypto-smime.test.js` round-trips S/MIME sign + verify with a real X.509 chain issued by `b.mtlsCa` (CA → leaf cert → ML-DSA-65 signer), exercises tamper / wrong-key / untrusted-anchor refusal paths, and validates the `chainVerified` return field. `test/integration/federation-auth.test.js` extends to cover SAML SLO (`buildLogoutRequest` against Keycloak's `/protocol/saml` SLO endpoint with the wire-format-parse assertion) and RFC 7592 Dynamic Client Registration Management (`registerClient` / `readClient` / `updateClient` / `deleteClient` against Keycloak's DCR endpoint).
 
 - v0.11.0 (2026-05-19) — **Mail-crypto sign/verify + encrypt/decrypt, SAML Single Logout (Redirect / POST / SOAP) + EncryptedAssertion + Holder-of-Key, browser identity (FedCM / DBSC / VAPID), CSP3 builder, hypermedia + observability formats, OAuth DCR management + OIDC Native SSO, sectoral compliance posture growth.** **`b.cms.parseSignedData(buf)`** walks an inbound RFC 5652 SignedData ContentInfo and returns `{ digestAlgs, encapContent, certificates, signerInfos }` so consumers verify signatures without re-implementing the SignedData walker. **`b.mail.crypto.smime.sign(opts)` + `.verify(opts)`** are now live on the `b.cms` substrate: `sign` emits an RFC 8551 `multipart/signed; protocol="application/pkcs7-signature"; micalg=sha3-{256,512}` envelope; `verify` recomputes the message digest, compares it against the signed-attrs `messageDigest` attribute, refuses tamper with `mail-crypto/smime/message-digest-mismatch`, and PQC-verifies the signature against the operator-supplied signer public key. Supports ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f signers; SHA-2 family refused at `cms/bad-digest`. **`b.mail.crypto.pgp.experimental.encrypt(opts)` + `.decrypt(opts)` + `.wkd.computeUrl(email)`** ship under the `experimental` namespace because the relevant IANA codepoint registrations are still in draft: ML-KEM-1024 KEM + ChaCha20-Poly1305 AEAD multi-recipient envelope; WKD URL computer per [draft-koch-openpgp-webkey-service](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) (SHAKE256-hash localpart + zbase32 encoding; operators supply their own HTTPS fetcher). **`b.auth.saml.sp.buildLogoutRequest({...})` + `parseLogoutRequest(b64, opts)` + `buildLogoutResponse({...})`** implement SAML 2.0 Single Logout on the HTTP-Redirect binding per SAML Bindings §3.4.4.1 with PQC-signed canonical query (ML-DSA-65 / ML-DSA-87 / Ed25519); SP metadata now emits `<md:SingleLogoutService>` bindings when `singleLogoutServiceUrl` is set; tamper / wrong-key / missing-signature each refuse as typed errors. **`b.webPush.generateVapidKeypair()` + `.buildVapidAuthHeader(opts)`** sign the RFC 8292 VAPID JWT inline (ECDSA-P256 per the spec; the framework's PQC-default JWT signer refuses ES256 by design, so `b.webPush` owns the signing rather than relaxing the broader policy). **`b.fedcm`** ships the W3C FedCM 2024 IdP-side response builders: `wellKnown({ provider_urls })` / `config({ accounts_endpoint, ... })` / `accountsResponse({ accounts })` / `idAssertionResponse({ token })`. **`b.dbsc`** implements IETF Device-Bound Session Credentials: `challenge({ secretKey })` mints an HMAC-SHA3-512-signed token requiring no server-side storage; `verifyBindingAssertion(jwt, opts)` refuses HS256 / none as algorithm-confusion, validates ES256/RS256 against the embedded JWK, and returns the RFC 7638 JWK thumbprint so operators pin the binding key to a session. **`b.importmapIntegrity.build({ modules })`** emits a WICG Import Maps + SRI integrity map (SHA-384 default) so browsers refuse module bytes that don't match. **OpenMetrics 1.0 exposition** — `b.metrics` registry `exposition({ format: "openmetrics" })` emits the counter `_total` suffix, `# UNIT` lines, exemplar trace IDs on histograms, and `# EOF` terminator per the openmetrics.io 1.0 wire format. **`b.standardWebhooks.sign + verify`** implement the standardwebhooks.com consortium spec (Stripe / Svix / Okta wire format): HMAC-SHA256, multi-version signature header, 5-minute default skew tolerance. **`b.lro`** implements AIP-151 Long-Running Operations (`create({ store }) → { submit, status, list, cancel }`) with operator-supplied storage and AbortSignal-aware cancellation. **`b.jsonApi.dataResponse(data, opts) + .errorResponse(errors)`** wraps domain payloads in the JSON:API v1.1 top-level shape; refuses missing Resource Object `type`. **`b.hal.resource(payload, { links, embedded, templates })`** builds HAL responses (draft-kelly-json-hal) with an RFC 8288 link-object normaliser. **Lib-side codebase-patterns detector `number-coerce-or-zero-on-json-source`** refuses `Number(<var>['<kebab-cased-key>']) || 0` shapes — that coercion silently accepts `Infinity`, NaN, negative values, and arbitrary strings on operator-untrusted JSON-source input. **(a) `b.cms.parseSignedData(buf)`** — RFC 5652 §5.1 SignedData walker that surfaces `digestAlgs` / `encapContent` / `certificates` / `signerInfos` as structured arrays so downstream verifiers can check signatures without re-implementing the walker. **(b) `b.mail.crypto.smime.sign(opts)` + `b.mail.crypto.smime.verify(opts)` — LIVE on the b.cms substrate.** `sign` composes `b.cms.encodeSignedData` and wraps in an RFC 8551 `multipart/signed; protocol="application/pkcs7-signature"; micalg=sha3-{256,512}` envelope. `verify` parses the CMS SignedData payload, walks signed-attributes to extract the `messageDigest` attribute, recomputes the message digest, refuses tamper with `mail-crypto/smime/message-digest-mismatch`, and PQC-verifies the signature against the operator-supplied signer public key. Supports ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f signers; SHA-2 family refused at `cms/bad-digest`. **(c) `b.mail.crypto.pgp.experimental.encrypt(opts)` + `decrypt(opts)` + `wkd.computeUrl(email)`** — PQC PGP encrypt/decrypt under `experimental` namespace (RFC 9580bis PKESK ML-KEM codepoints haven't IANA-registered yet; framework-private envelope similar to v0.10.10 `b.jose.jwe.experimental`). ML-KEM-1024 KEM + ChaCha20-Poly1305 AEAD + per-recipient KEK derived via SHAKE256 bound to the literal label `pgp/experimental/chacha20-poly1305`. Multi-recipient envelopes; tamper / wrong-key refusal as typed errors. WKD URL computer per [draft-koch-openpgp-webkey-service](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) — SHAKE256-hash localpart + zbase32 encoding; returns `{ direct, advanced }` URLs (operators supply their own HTTPS fetcher). **(d) `b.auth.saml.sp.buildLogoutRequest({...})` + `parseLogoutRequest(b64, opts)` + `buildLogoutResponse({...})`** — SAML 2.0 Single Logout on the HTTP-Redirect binding per SAML Bindings §3.4.4.1 with PQC-signed canonical query string (ML-DSA-65 / ML-DSA-87 / Ed25519). `parseLogoutRequest` inflates the operator-supplied SAMLRequest, optionally verifies the redirect-binding signature against an IdP public key, and surfaces NameID / SessionIndex / Issuer. Tamper / wrong-key / missing-signature each refuse as typed errors. Closes the largest item from the v0.10.15 SAML SLO + identity-residual queued plan. **(e) Codex P2 detector `number-coerce-or-zero-on-json-source`** (lib-side) — flags `Number(<var>['<kebab-cased-key>']) || 0` shapes that silently accept Infinity / NaN / negative on operator-untrusted JSON-source numeric input. The v0.10.15 TLS-RPT fix was a one-off; this detector forces the discipline. **Additional residual closure:** `b.auth.saml.sp.buildLogoutRequestPost` / `parseLogoutRequestPost` / `buildLogoutRequestSoap` / `parseLogoutResponseSoap` add SAML SLO HTTP-POST + SOAP synchronous back-channel bindings with embedded XMLDSig-Enveloped signatures. **SignatureMethod surface** spans the W3C XMLDSig Core 1.1 + RFC 9231 vocabulary so the framework interops with deployed IdPs out of the box: `rsa-sha256` / `rsa-sha384` / `rsa-sha512` (W3C XMLDSig Core 1.1), `ecdsa-sha256` / `ecdsa-sha384` / `ecdsa-sha512` (W3C XMLDSig Core 1.1), `ed25519` (RFC 9231). Classical keys are PEM strings or `node:crypto` KeyObject instances; PQC keys remain `Uint8Array` from `b.pqcSoftware.ml_dsa_*.keygen()`. Post-quantum `ml-dsa-65` / `ml-dsa-87` are also accepted on the same surface under clearly framework-private URIs (`urn:blamejs:experimental:saml-sig-alg:ml-dsa-65` / `:ml-dsa-87`) — no IETF/W3C XMLDSig registration exists for ML-DSA yet (LAMPS WG drafts in flight). Verification refuses `'unsupported-c14n'` (only exclusive c14n; inclusive-c14n IdPs must upgrade), alg-confusion (SignatureMethod URI must match the operator-declared `idpVerifyAlg`), signature-wrapping (Reference URI must match root ID via timing-safe digest compare), and SHA-1 digest methods (CVE-2017-7525-class). **EncryptedAssertion (SAML 2.0 §2.5)** decrypts AES-128-GCM / AES-256-GCM (W3C XMLEnc 1.1 §5.2.4) content + RSA-OAEP-MGF1P / xmlenc11 RSA-OAEP key transport (SHA-256/384/512 only — SHA-1 OAEP refused as CVE-2023-49141-class). AES-CBC content encryption is **refused** under both `xmlenc#aes128-cbc` and `xmlenc#aes256-cbc` — CVE-2011-1473 padding-oracle research makes CBC mode under XMLEnc unsuitable without a per-content MAC; operators integrating with IdPs that default to CBC (older ADFS / Azure AD / Okta / Keycloak / OneLogin) switch the IdP's content-encryption setting to AES-128-GCM or AES-256-GCM. Framework-experimental URIs `urn:blamejs:experimental:xmlenc:ml-kem-1024` (key transport) and `urn:blamejs:experimental:xmlenc:xchacha20-poly1305` (content) are accepted alongside the W3C URIs. `b.mail.crypto.smime.verify({ trustAnchorCertsPem })` now walks the SignerInfo cert chain leaf-to-root via `node:crypto.X509Certificate` with notBefore/notAfter checks and refuses `mail-crypto/smime/untrusted-chain` / `cert-expired` / `cert-not-yet-valid`; revocation is operator-wired via `b.network.tls.ocsp` when freshness is required. `b.auth.saml.sp.verifyResponse({ holderOfKey: { presentedCertPem } })` honors `urn:oasis:names:tc:SAML:2.0:cm:holder-of-key` SubjectConfirmation: SHA3-512 fingerprint of the embedded KeyInfo/X509Data certificate is compared against the operator-supplied presented mTLS / possession-proof cert via timingSafeEqual; HoK and Bearer confirmations coexist. `b.auth.oauth.readClient(uri, token)` / `updateClient(uri, token, metadata)` / `deleteClient(uri, token)` implement RFC 7592 Dynamic Client Registration Management Protocol (GET/PUT/DELETE bound to the registration_access_token returned by `registerClient`); updateClient enforces the same redirect_uris-array refusal as registerClient. `b.auth.oauth.nativeSsoExchange({ deviceSecret, idToken, audience })` convenience-wraps `exchangeToken` for OpenID Connect Native SSO 1.0 §6 with `urn:openid:params:token-type:device-secret` added to the RFC 8693 §3 token-type allowlist. **`b.csp.build(directives, opts?)` + `b.csp.nonce(byteLen?)` + `b.csp.hash(scriptBody, alg?)`** ship the CSP Level 3 builder surface: refuses `'unsafe-*'` / catch-all `*` / `https:` / `data:` in non-image directives without an explicit acknowledgement opt; auto-appends `require-trusted-types-for 'script'` plus the operator-supplied `trusted-types` policy list when any script-* directive is set; emits ≥128-bit nonces by default; computes sha256/sha384/sha512 hash sources for inline scripts. `b.middleware.securityHeaders` `coep` opt now documents the W3C CR 2024-12 `credentialless` value alongside `require-corp`. **`b.compliance` posture catalog gains 17 sectoral / cybersecurity / AI-governance regimes:** `42-cfr-part-2`, `hti-1`, `uscdi-v4`, `irs-1075`, `nist-800-172-r3`, `tlp-2.0`, `soci-au`, `nis2`, `cra`, `ffiec-cat-2`, `cri-profile-v2.0`, `m-22-09`, `m-22-18`, `nist-800-53-r5-privacy`, `nist-ai-600-1-genai`, `nist-csf-2.0`, `sb-53`, `nyc-ll144-2024`. Each posture cascade pins the regime's normative floor (backupEncryptionRequired / auditChainSignedRequired / tlsMinVersion / requireVacuumAfterErase). **References:** [RFC 5652 CMS](https://www.rfc-editor.org/rfc/rfc5652.html) · [RFC 8551 S/MIME 4.0](https://www.rfc-editor.org/rfc/rfc8551.html) · [RFC 9580 OpenPGP](https://www.rfc-editor.org/rfc/rfc9580.html) · [draft-koch-openpgp-webkey-service](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) · [SAML Bindings §3.4 HTTP-Redirect + §3.5 HTTP-POST + §3.2 SOAP](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) · [SAML 2.0 §2.5 EncryptedAssertion](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) · [W3C XML-Encryption 1.1](https://www.w3.org/TR/xmlenc-core1/) · [RFC 7592 Dynamic Client Management](https://www.rfc-editor.org/rfc/rfc7592.html) · [OpenID Connect Native SSO 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html) · [W3C CSP Level 3](https://www.w3.org/TR/CSP3/) · [W3C Trusted Types](https://www.w3.org/TR/trusted-types/).

package/MIGRATING.md

@@ -4,9 +4,16 @@ Operator-facing migration recipes per breaking change. The bulk of this file is
 
 **Out-of-band breaking changes** (schema breaks, config-shape changes, on-disk format breaks) cannot be expressed as `deprecate()` calls because there's no in-process runtime to warn from. They're hardcoded in the OUT_OF_BAND_BREAKS table inside `scripts/gen-migrating.js` so the operator sees the full upgrade path here without needing to grep CHANGELOG.
 
-## No active deprecations
+## Removed in v0.x
 
-The framework has no `deprecate()`-marked surface awaiting removal.
+### `localStorage`
+
+- **Since:** 0.11.2
+- **Removed in:** 0.12.0
+- **Defined at:** [`lib/backup/index.js`](lib/backup/index.js)
+- **Renamed to:** `diskStorage`
+
+b.backup.localStorage was renamed to b.backup.diskStorage — the Node 26 `localStorage` global doesn't clash today, but the rename keeps the operator-facing surface unambiguous. Update the call site; removal lands in the next major.
 
 ---
 

package/README.md

@@ -52,7 +52,7 @@ var b = require("@blamejs/core");
 })();
 ```
 
-**Requirements:** Node.js 24.14+ (current active LTS, fixes CVE-2026-21713 non-constant-time HMAC compare).
+**Requirements:** Node.js 24.14+ (current active LTS, fixes CVE-2026-21713 non-constant-time HMAC compare). Node 26 satisfies the floor and the framework test suite runs cleanly on it today; the floor itself will bump to `>=26.x` when Node 26 promotes to Active LTS. Two Node 26 platform changes operators integrating with blamejs should know about: the new `localStorage` global (the framework's storage backend was renamed from `b.backup.localStorage` to `b.backup.diskStorage` in v0.11.2 to avoid the ambiguity; the legacy name still works with a deprecation warning), and the seed-only ML-KEM / ML-DSA PKCS8 export shape (sealed material from Node 24 re-imports cleanly on Node 26; new material from Node 26 in the seed-only shape). See [SECURITY.md](SECURITY.md#node-26-compatibility) for the details.
 
 ## What ships in the box
 

package/lib/acme.js

@@ -822,13 +822,28 @@ function create(opts) {
     if (typeof ropts.reason === "number") payload.reason = ropts.reason;
     var signedOpts = { useJwk: false };                  // account-key signed by default
     if (ropts.useCertKey === true) {
-      // RFC 8555 §7.6 alternate: certificate's own key as signer. Operator
-      // supplies the cert's private key via ropts.certPrivateKey; we
-      // build a one-off signed-post bypassing _signedPost's state.accountUrl
-      // assumption. For minimal v1 we support account-key signing only and
-      // document the cert-key path as not-yet-implemented.
+      // RFC 8555 §7.6 alternate signer: the certificate's own private
+      // key signs the revocation JWS (bypassing the account-key
+      // requirement). Useful when the account that originally issued
+      // the cert is lost / compromised but the cert's private key is
+      // still under operator control.
+      //
+      // Re-open condition: operator surfaces a CA whose only accepted
+      // revocation path is cert-key signing (rare — Let's Encrypt /
+      // ZeroSSL / Google CA all accept account-key signing as the
+      // primary path), OR the operator's account-recovery posture
+      // demands cert-key as a break-glass route. Track via a new opt
+      // shape: `ropts.certPrivateKey: <PEM string>` would route
+      // through a dedicated signed-post that detaches from
+      // state.accountUrl.
+      //
+      // Operator escape hatch today: account-key signing covers every
+      // mainstream public CA. Operators in the rare cert-key-only
+      // scenario reach the CA directly via the CA's own revocation
+      // portal (web UI / out-of-band API) until this lights up.
       throw _err("acme/revoke-cert-key-not-implemented",
-        "revokeCert: cert-key signing path not yet implemented; use account-key signing", true);
+        "revokeCert: cert-key signing path (RFC 8555 §7.6 alternate) is deferred; " +
+        "use account-key signing (the default, omit useCertKey)", true);
     }
     var rsp = await _signedPost(state.directory.revokeCert, payload, signedOpts);
     if (rsp.statusCode !== 200) {

package/lib/backup/index.js

@@ -13,8 +13,11 @@
  *   The namespace wires `b.backupBundle.create` (encrypt + emit a bundle
  *   directory) to a pluggable storage backend, plus retention policy +
  *   audit emission. Ships with a local-filesystem backend
- *   (`b.backup.localStorage`); S3 or any custom backend drops in through
- *   the same interface.
+ *   (`b.backup.diskStorage`); S3 or any custom backend drops in through
+ *   the same interface. The legacy alias `b.backup.localStorage` still
+ *   works and routes through `b.deprecate.alias` (warns once per
+ *   process; removal scheduled for the next major). The rename avoids
+ *   the Node 26 `localStorage` global naming collision.
  *
  *   Storage backend contract:
  *
@@ -58,6 +61,7 @@ var backupManifest = require("./manifest");
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var numericBounds = require("../numeric-bounds");
+var deprecate = require("../deprecate");
 var audit = lazyRequire(function () { return require("../audit"); });
 var compliance = lazyRequire(function () { return require("../compliance"); });
 // lazyRequire ../db so backup stays a leaf module operators can use
@@ -110,9 +114,9 @@ function _dirSize(p) {
 // ---- Local filesystem storage backend (the default) ----
 
 /**
- * @primitive b.backup.localStorage
- * @signature b.backup.localStorage(opts)
- * @since     0.4.0
+ * @primitive b.backup.diskStorage
+ * @signature b.backup.diskStorage(opts)
+ * @since     0.11.2
  * @status    stable
  * @related   b.backup.create
  *
@@ -126,6 +130,12 @@ function _dirSize(p) {
  * custom backend matching the same shape; the engine never touches the
  * filesystem directly.
  *
+ * Renamed from `b.backup.localStorage` to avoid the Node 26 global
+ * `localStorage` naming collision (Node 26 adds `localStorage` as a
+ * platform-wide global). The legacy `b.backup.localStorage` alias
+ * continues to work and emits a one-time deprecation warning per
+ * `b.deprecate.alias`; removal is scheduled for the next major.
+ *
  * @opts
  *   root: string,   // required; directory under which bundle dirs land
  *
@@ -135,14 +145,14 @@ function _dirSize(p) {
  *   var os   = require("node:os");
  *   var root = fs.mkdtempSync(path.join(os.tmpdir(), "backup-root-"));
  *
- *   var storage = b.backup.localStorage({ root: root });
+ *   var storage = b.backup.diskStorage({ root: root });
  *   storage.name;                                      // → "local"
  *   typeof storage.writeBundle;                        // → "function"
  *   typeof storage.listBundles;                        // → "function"
  */
-function localStorage(opts) {
+function diskStorage(opts) {
   opts = opts || {};
-  validateOpts.requireNonEmptyString(opts.root, "localStorage: opts.root", BackupError, "backup/no-storage-root");
+  validateOpts.requireNonEmptyString(opts.root, "diskStorage: opts.root", BackupError, "backup/no-storage-root");
   var root = opts.root;
 
   function _bundlePath(bundleId) {
@@ -215,7 +225,7 @@ function localStorage(opts) {
 function _validateStorage(storage) {
   if (!storage || typeof storage !== "object") {
     throw new BackupError("backup/bad-storage",
-      "storage backend is required (use b.backup.localStorage or pass a custom one)");
+      "storage backend is required (use b.backup.diskStorage or pass a custom one)");
   }
   var required = ["writeBundle", "readBundle", "listBundles", "deleteBundle", "hasBundle"];
   for (var i = 0; i < required.length; i++) {
@@ -247,7 +257,7 @@ async function _resolveVaultKeyJson(vaultKeyJsonOpt) {
  * @since     0.4.0
  * @status    stable
  * @compliance hipaa, pci-dss, gdpr, soc2, dora
- * @related   b.backup.localStorage, b.backup.recommendedFiles, b.backup.verifyManifestSignature, b.backupBundle.create
+ * @related   b.backup.diskStorage, b.backup.recommendedFiles, b.backup.verifyManifestSignature, b.backupBundle.create
  *
  * Build a backup engine bound to a data directory, a storage backend,
  * the operator's passphrase, and an include list. Returns an object
@@ -266,7 +276,7 @@ async function _resolveVaultKeyJson(vaultKeyJsonOpt) {
  *
  * @opts
  *   dataDir:           string,                       // required; must exist on disk
- *   storage:           StorageBackend,               // required; localStorage() or custom
+ *   storage:           StorageBackend,               // required; diskStorage() or custom
  *   passphrase:        Buffer | string,              // required; KEK for per-file Argon2id wrap
  *   files:             Array<{ relativePath, kind, required }>,
  *   vaultKeyJson:      string | () => string | Promise<string>,
@@ -292,7 +302,7 @@ async function _resolveVaultKeyJson(vaultKeyJsonOpt) {
  *
  *   var engine = b.backup.create({
  *     dataDir:      dataDir,
- *     storage:      b.backup.localStorage({ root: root }),
+ *     storage:      b.backup.diskStorage({ root: root }),
  *     passphrase:   Buffer.from("operator backup passphrase"),
  *     files: [
  *       { relativePath: "db.enc",     kind: "raw", required: true },
@@ -991,7 +1001,7 @@ function runInWorker(opts) {
 
 module.exports = {
   create:                    create,
-  localStorage:              localStorage,
+  diskStorage:               diskStorage,
   recommendedFiles:          recommendedFiles,
   runInWorker:               runInWorker,
   verifyManifestSignature:   verifyManifestSignature,
@@ -999,3 +1009,17 @@ module.exports = {
   BackupError:               BackupError,
   BUNDLE_ID_RE:              BUNDLE_ID_RE,
 };
+
+// Legacy alias — `b.backup.localStorage(...)`. The Node 26 `localStorage`
+// global doesn't clash with this property-access shape inside the
+// framework, but the rename keeps operator-facing surface unambiguous
+// and avoids any future drift on the bare identifier. Removed in the
+// next major (engines.node bump to >=26 — Node 24 LTS sunset window).
+deprecate.alias(module.exports, "localStorage", "diskStorage", {
+  since:    "0.11.2",
+  removeIn: "0.12.0",
+  message:  "b.backup.localStorage was renamed to b.backup.diskStorage — " +
+            "the Node 26 `localStorage` global doesn't clash today, but the " +
+            "rename keeps the operator-facing surface unambiguous. " +
+            "Update the call site; removal lands in the next major.",
+});

package/lib/cli.js

@@ -742,7 +742,7 @@ async function _runAudit(args, ctx) {
 // inspect a specific one, do a live in-place restore (with rollback
 // preservation), and roll back to a previous restore point. Wraps the
 // restore primitive's run / inspect / list / rollback / list-rollbacks
-// surface; uses b.backup.localStorage as the storage adapter (the same
+// surface; uses b.backup.diskStorage as the storage adapter (the same
 // adapter that wrote the bundles).
 //
 // Two ways to identify a bundle for inspect / apply:
@@ -846,7 +846,7 @@ async function _runRestore(args, ctx) {
     var sel = _resolveRestoreBundleSelector(args, ctx, report, false);
     if (!sel) return 2;
     try {
-      var storage = backup.localStorage({ root: sel.storageRoot });
+      var storage = backup.diskStorage({ root: sel.storageRoot });
       var bundles = await storage.listBundles();
       if (bundles.length === 0) {
         report.write("no bundles in " + sel.storageRoot);
@@ -869,7 +869,7 @@ async function _runRestore(args, ctx) {
     var selI = _resolveRestoreBundleSelector(args, ctx, report, true);
     if (!selI) return 2;
     try {
-      var storageI = backup.localStorage({ root: selI.storageRoot });
+      var storageI = backup.diskStorage({ root: selI.storageRoot });
       // restore.create needs a passphrase + dataDir even for inspect because
       // its closure captures them; pass placeholders since inspect doesn't
       // touch them.
@@ -918,7 +918,7 @@ async function _runRestore(args, ctx) {
       return report.error("--max-pulled-files must be a positive number", 2);
     }
     try {
-      var storageA = backup.localStorage({ root: selA.storageRoot });
+      var storageA = backup.diskStorage({ root: selA.storageRoot });
       var rA = restore.create({
         dataDir:         dd,
         storage:         storageA,

package/lib/mail-auth.js

@@ -13,11 +13,21 @@
  *   b.mail.dmarc.evaluate({ from, spf, dkim, dnsLookup })  → result
  *   b.mail.arc.verify(rfc822, opts)                        → chain status
  *
- * SPF (RFC 7208) — IPv4 / IPv6 / a / mx / include / all mechanisms.
- *   Mechanism limit: 10 DNS lookups per RFC 7208 §4.6.4.
- *   Macro expansion + redirect + ptr + exists are deferred (rare in
- *   practice; the framework returns "permerror" / "neutral" for
- *   policies that require them, so operators see the diagnosis).
+ * SPF (RFC 7208) — ip4 / ip6 / a / mx / include / all / redirect=
+ *   mechanisms.
+ *   Mechanism limit: 10 DNS lookups per RFC 7208 §4.6.4 (with the
+ *   void-lookup sub-limit at 2). The `a` and `mx` arms honor RFC
+ *   §5.3 / §5.4 dual-cidr-length syntax (`a:foo.com/24//64`).
+ *
+ *   Deferred mechanisms (each carries an explicit Re-open condition
+ *   in the dispatch arm in this file):
+ *     - exists: requires macro-string expansion (§7) to be useful;
+ *               re-opens when macros land OR an operator surfaces a
+ *               real macro-less `exists:` policy.
+ *     - ptr:    "strongly discouraged" by §5.5; re-opens when an
+ *               operator surfaces a legitimate ptr-only sender.
+ *     - macro-string expansion (§7) itself — separate slice tracked
+ *               under blamejs-roadmap.md.
  *
  * DMARC (RFC 7489) — TXT record at _dmarc.<domain>; alignment check
  *   between From-header domain and DKIM-d / SPF-from-domain;
@@ -27,9 +37,9 @@
  *   List).
  *
  * ARC (RFC 8617) — chain-of-custody verification. The framework parses
- *   the existing chain headers + reports validity; full per-hop
- *   signature verification is deferred (composes the same DKIM
- *   verifier that's deferred from this patch).
+ *   the existing chain headers, recomputes the per-hop signatures, and
+ *   reports validity by composing `lib/mail-dkim.js` (which carries
+ *   the actual signature-verification surface).
  */
 
 var zlib = require("node:zlib");
@@ -76,16 +86,21 @@ var SPF_RECORD_MAX_BYTES = 450;
 // alone tripped.
 var SPF_REDIRECT_DEPTH_LIMIT = 10;                                               // allow:raw-byte-literal — same shape as RFC 7208 §4.6.4 lookup ceiling
 
-// Shared safe-DNS TXT/A/AAAA/PTR lookup. Operator-supplied
-// `dnsLookup` (legacy `[[strings]]` shape for TXT; flat `[addr, ...]`
-// for A/AAAA; flat `[name]` for PTR) takes precedence; otherwise
-// routes through `b.network.dns.resolver` (DoH by default per
-// v0.7.23). CVE-2008-1447 (Kaminsky) + CVE-2022-3204
-// (NRDelegationAttack) class — the encrypted DoH transport plus
-// b.safeDns parse caps defend transport and parse-side. Earlier
-// shape fell back to `node:dns.promises.resolveTxt` directly, which
-// sent plaintext UDP/53 to whatever the system resolver was — every
-// downstream finding inherited that exposure.
+// Shared safe-DNS TXT/A/AAAA/MX/PTR lookup. Operator-supplied
+// `dnsLookup(qname, type)` is honored for every type when present:
+//   TXT  → [[ "v=spf1 ...", ... ], ...]   (array of TXT-string-arrays)
+//   A    → [ "192.0.2.1", ... ]           (flat IPv4 string array)
+//   AAAA → [ "2001:db8::1", ... ]         (flat IPv6 string array)
+//   MX   → [ { exchange, preference }, ...]  (or [ "mx1.example.", ... ]
+//                                             when operator omits preference)
+//   PTR  → [ "host.example.", ... ]       (flat PTR-name array)
+// When no operator callback is supplied, requests route through
+// `b.network.dns.resolver` (DoH by default per v0.7.23). CVE-2008-1447
+// (Kaminsky) + CVE-2022-3204 (NRDelegationAttack) class — the encrypted
+// DoH transport plus b.safeDns parse caps defend transport and parse-
+// side. Earlier shape fell back to `node:dns.promises.resolveTxt`
+// directly, which sent plaintext UDP/53 to whatever the system
+// resolver was — every downstream finding inherited that exposure.
 var _defaultResolver = null;
 function _getDefaultResolver() {
   if (_defaultResolver) return _defaultResolver;
@@ -111,7 +126,21 @@ async function _safeResolveTxt(qname, operatorLookup) {
   return out;
 }
 
-async function _safeResolveA(qname, family /* 4|6 */) {
+async function _safeResolveA(qname, family /* 4|6 */, operatorLookup) {
+  // Pre-v0.11.3 the operatorLookup parameter wasn't threaded here, so
+  // the documented `dnsLookup` shape for A/AAAA was unhonored — SPF a/
+  // mx mechanism tests had no operator-mockable path. The function
+  // signature now matches the docstring contract above. Operator
+  // returns a flat string array of IP literals.
+  if (operatorLookup) {
+    var resp = await operatorLookup(qname, family === 6 ? "AAAA" : "A");
+    if (!Array.isArray(resp) || resp.length === 0) {
+      var aerr = new Error("no " + (family === 6 ? "AAAA" : "A") + " records for " + qname);
+      aerr.code = "ENODATA";
+      throw aerr;
+    }
+    return resp.map(function (x) { return String(x); });
+  }
   var r = await _getDefaultResolver().query(qname, family === 6 ? "AAAA" : "A");
   var out = [];
   for (var i = 0; i < r.rrs.length; i += 1) {
@@ -127,6 +156,50 @@ async function _safeResolveA(qname, family /* 4|6 */) {
   return out;
 }
 
+// RFC 1035 §3.3.9 MX record: { preference, exchange }. Returns array of
+// exchange hostnames sorted by preference (lowest first). Operator-
+// supplied dnsLookup callback may return either:
+//   - [ { exchange, preference }, ... ]  — full shape (preferred)
+//   - [ "mx1.example.", ... ]            — exchanges only (preference
+//                                           treated as 0 → first-served)
+async function _safeResolveMx(qname, operatorLookup) {
+  if (operatorLookup) {
+    var resp = await operatorLookup(qname, "MX");
+    if (!Array.isArray(resp) || resp.length === 0) {
+      var merr = new Error("no MX records for " + qname);
+      merr.code = "ENODATA";
+      throw merr;
+    }
+    var normalized = resp.map(function (entry) {
+      if (typeof entry === "string") return { exchange: entry.replace(/\.$/, ""), preference: 0 };
+      var ex = entry && entry.exchange;
+      var pref = (entry && typeof entry.preference === "number") ? entry.preference : 0;
+      return { exchange: String(ex || "").replace(/\.$/, ""), preference: pref };
+    }).filter(function (e) { return e.exchange.length > 0; });
+    normalized.sort(function (a, b) { return a.preference - b.preference; });
+    return normalized.map(function (e) { return e.exchange; });
+  }
+  var r = await _getDefaultResolver().query(qname, "MX");
+  var entries = [];
+  for (var i = 0; i < r.rrs.length; i += 1) {
+    var rr = r.rrs[i];
+    if (rr && rr.type === 15) {                                                  // allow:raw-byte-literal — IANA DNS qtype MX
+      var d = rr.decoded || {};
+      if (d.exchange) {
+        entries.push({ exchange: String(d.exchange).replace(/\.$/, ""),
+                       preference: typeof d.preference === "number" ? d.preference : 0 });
+      }
+    }
+  }
+  if (entries.length === 0) {
+    var err = new Error("no MX records for " + qname);
+    err.code = "ENODATA";
+    throw err;
+  }
+  entries.sort(function (a, b) { return a.preference - b.preference; });
+  return entries.map(function (e) { return e.exchange; });
+}
+
 async function _safeReverse(ip) {
   // PTR query against the reverse-arpa name. IPv4: a.b.c.d.in-addr.arpa
   // (reversed octets); IPv6: nibble-reversed under ip6.arpa.
@@ -273,7 +346,13 @@ function _parseSpfRecord(text) {
               ? colonAt : slashAt;
     var mech = sep === -1 ? p : p.slice(0, sep);
     var arg  = sep === -1 ? null : p.slice(sep + 1);
-    mechanisms.push({ qualifier: qualifier, mechanism: mech.toLowerCase(), arg: arg });
+    // `raw` preserves the full mechanism+arg token after qualifier-
+    // strip. The a/mx dispatch arm reparses this directly because
+    // RFC 7208 §5.3/§5.4 allow `dual-cidr-length` after the optional
+    // domain-spec (e.g. `a:example.com/24//64`); the simple `arg`
+    // field above splits on the first separator and loses the
+    // information about whether that separator was `:` or `/`.
+    mechanisms.push({ qualifier: qualifier, mechanism: mech.toLowerCase(), arg: arg, raw: p });
   }
   // Surface modifiers via a non-enumerable property so callers that
   // don't expect them don't see them in JSON-serialized records but
@@ -322,9 +401,188 @@ async function _fetchSpfRecord(domain, dnsLookup) {
   return { kind: "found", record: matches[0] };
 }
 
-// SPF verify — recursive include resolution + ip4/ip6/all/+a/+mx
-// (a / mx omit deferred — operators rarely depend on them at this
-// scope; permerror surfaces the diagnosis).
+// RFC 7208 §5.3 / §5.4 — `a [ ":" domain-spec ] [ dual-cidr-length ]`
+// and `mx [ ":" domain-spec ] [ dual-cidr-length ]`. dual-cidr-length
+// is `[ "/" ip4-cidr ] [ "//" ip6-cidr ]`. Returns the parsed target
+// domain plus per-family prefix lengths (32 / 128 when omitted).
+//
+// `raw` is the post-qualifier token (e.g. "a", "a:foo.com", "a/24",
+// "a//64", "a:foo.com/24//64"). Throws MailAuthError on bad cidr.
+function _parseADualCidr(raw, mech, defaultDomain) {
+  var rest   = raw.slice(mech.length);
+  var domain = defaultDomain;
+  var v4Mask = 32;                                                                 // allow:raw-byte-literal — IPv4 max prefix
+  var v6Mask = 128;                                                                // allow:raw-byte-literal — IPv6 max prefix
+
+  if (rest.charAt(0) === ":") {
+    rest = rest.slice(1);
+    var slashAt = rest.indexOf("/");
+    if (slashAt === -1) { domain = rest; rest = ""; }
+    else { domain = rest.slice(0, slashAt); rest = rest.slice(slashAt); }
+  }
+
+  if (rest.length > 0) {
+    // rest is now "" | "/v4" | "//v6" | "/v4//v6".
+    var dblSlash = rest.indexOf("//");
+    var v4Part = "";
+    var v6Part = "";
+    if (dblSlash !== -1) {
+      v4Part = rest.slice(0, dblSlash);                                            // "" or "/24"
+      v6Part = rest.slice(dblSlash + 2);                                           // "64"
+    } else {
+      v4Part = rest;                                                               // "/24"
+    }
+    if (v4Part.length > 0) {
+      if (v4Part.charAt(0) !== "/") {
+        throw new MailAuthError("mail-auth/spf-bad-cidr",
+          "SPF " + mech + " dual-cidr malformed: " + JSON.stringify(raw));
+      }
+      var v4Str = v4Part.slice(1);
+      // RFC 7208 §5.3 / §5.4 — `ip4-cidr-length = "/" 1*DIGIT`. An
+      // empty digit segment (`a/`, `mx/`) is malformed grammar; the
+      // receiver MUST permerror. Pre-fix this silently kept the
+      // default /32 and would authorize the connecting IP under any
+      // A record of the target, which can over-authorize senders
+      // publishing `v=spf1 a/ -all` (would match every IP in the
+      // /32 of every A record).
+      if (v4Str.length === 0) {
+        throw new MailAuthError("mail-auth/spf-bad-cidr",
+          "SPF " + mech + " v4 cidr-length is empty (RFC 7208 §5.3/§5.4 grammar requires 1*DIGIT): " +
+          JSON.stringify(raw));
+      }
+      var v4n = parseInt(v4Str, 10);
+      if (!isFinite(v4n) || v4n < 0 || v4n > 32 || String(v4n) !== v4Str) {         // allow:raw-byte-literal — IPv4 max prefix
+        throw new MailAuthError("mail-auth/spf-bad-cidr",
+          "SPF " + mech + " v4 cidr-length invalid: " + JSON.stringify(raw));
+      }
+      v4Mask = v4n;
+    }
+    // RFC 7208 §5.3 / §5.4 — `ip6-cidr-length = "/" 1*DIGIT` (after
+    // the "//" separator). When the `//` separator IS present (i.e.
+    // the raw token contained `//`) the digit segment MUST be 1*DIGIT.
+    // Empty (`a//`, `a/24//`, `mx//`) is malformed grammar; permerror.
+    if (dblSlash !== -1) {
+      if (v6Part.length === 0) {
+        throw new MailAuthError("mail-auth/spf-bad-cidr",
+          "SPF " + mech + " v6 cidr-length is empty (RFC 7208 §5.3/§5.4 grammar requires 1*DIGIT): " +
+          JSON.stringify(raw));
+      }
+      var v6n = parseInt(v6Part, 10);
+      if (!isFinite(v6n) || v6n < 0 || v6n > 128 || String(v6n) !== v6Part) {       // allow:raw-byte-literal — IPv6 max prefix
+        throw new MailAuthError("mail-auth/spf-bad-cidr",
+          "SPF " + mech + " v6 cidr-length invalid: " + JSON.stringify(raw));
+      }
+      v6Mask = v6n;
+    }
+  }
+
+  if (!domain || domain.length === 0) {
+    throw new MailAuthError("mail-auth/spf-bad-cidr",
+      "SPF " + mech + " has no target domain (current-domain unavailable)");
+  }
+  return { domain: domain.toLowerCase(), v4Mask: v4Mask, v6Mask: v6Mask };
+}
+
+// RFC 7208 §5.3 / §5.4 — `a` and `mx` mechanism evaluation. Both
+// resolve the target domain (or the current SPF-evaluating domain when
+// arg omitted) to a set of IP addresses; the connecting IP matches if
+// it falls inside any of those addresses under the parsed cidr prefix.
+//
+// Lookup accounting per §4.6.4:
+//   - `a`: the outer evaluator has already counted this as one DNS-
+//          touching mechanism. The single A/AAAA query is THAT one
+//          lookup; no additional increment here.
+//   - `mx`: the outer evaluator has counted the MX query itself.
+//          EACH MX hostname's A/AAAA expansion adds an additional
+//          lookup; total expansion is capped at 10 MX hostnames per
+//          §4.6.4 (the explicit "MX limit"). Crossing the global
+//          10-lookup ceiling at any expansion step permerrors.
+//
+// Returns one of:
+//   { match: true }                       — connecting IP matched
+//   { match: false }                      — no IP matched / record absent
+//   { error: "temperror", reason: "..." } — transient DNS failure
+//   { error: "permerror", reason: "..." } — over-limit / bad CIDR / bad MX count
+async function _spfMatchAMx(mech, raw, ip, isIpv6, defaultDomain, dnsLookup, lookups) {
+  var parsed;
+  try { parsed = _parseADualCidr(raw, mech, defaultDomain); }
+  catch (e) { return { error: "permerror", reason: e.message }; }
+
+  var mask = isIpv6 ? parsed.v6Mask : parsed.v4Mask;
+  var family = isIpv6 ? 6 : 4;                                                     // allow:raw-byte-literal — IP family marker
+
+  var targetIps = [];
+  if (mech === "a") {
+    try { targetIps = await _safeResolveA(parsed.domain, family, dnsLookup); }
+    catch (e) {
+      var code = e && e.code;
+      if (code === "ENOTFOUND" || code === "ENODATA") return { match: false };
+      return { error: "temperror",
+               reason: "SPF a:" + parsed.domain + " lookup failed: " +
+                       ((e && e.message) || String(e)) };
+    }
+  } else {                                                                          // mech === "mx"
+    var mxHosts;
+    try { mxHosts = await _safeResolveMx(parsed.domain, dnsLookup); }
+    catch (e) {
+      var mcode = e && e.code;
+      if (mcode === "ENOTFOUND" || mcode === "ENODATA") return { match: false };
+      return { error: "temperror",
+               reason: "SPF mx:" + parsed.domain + " MX lookup failed: " +
+                       ((e && e.message) || String(e)) };
+    }
+    // RFC 7208 §4.6.4 — the MX expansion is capped at 10 hostnames.
+    // Crossing this is a permerror; receivers MUST NOT silently
+    // truncate, since a misconfigured sender publishing 20 MX hosts
+    // would otherwise have only the first 10 contribute to authz.
+    if (mxHosts.length > 10) {                                                      // allow:raw-byte-literal — RFC 7208 §4.6.4 MX limit
+      return { error: "permerror",
+               reason: "SPF mx:" + parsed.domain + " resolved " + mxHosts.length +
+                       " MX hosts (RFC 7208 §4.6.4 caps at 10)" };
+    }
+    for (var mi = 0; mi < mxHosts.length; mi += 1) {
+      lookups.count += 1;
+      if (lookups.count > lookups.limit) {
+        return { error: "permerror",
+                 reason: "DNS lookup limit exceeded (RFC 7208 §4.6.4) during mx:" +
+                         parsed.domain + " expansion" };
+      }
+      try {
+        var hostIps = await _safeResolveA(mxHosts[mi], family, dnsLookup);
+        for (var hi = 0; hi < hostIps.length; hi += 1) targetIps.push(hostIps[hi]);
+      } catch (e) {
+        var hcode = e && e.code;
+        if (hcode === "ENOTFOUND" || hcode === "ENODATA") {
+          // Void lookup — counts toward §4.6.4 ceiling for the MX
+          // expansion (the MX hostname has no A/AAAA in the relevant
+          // family). Some hosts are v4-only and won't have AAAA; we
+          // skip the host but charge the void slot.
+          lookups.void = (lookups.void || 0) + 1;
+          if (lookups.void > SPF_VOID_LOOKUP_LIMIT) {
+            return { error: "permerror",
+                     reason: "SPF void-lookup limit exceeded (RFC 7208 §4.6.4) during mx expansion" };
+          }
+          continue;
+        }
+        return { error: "temperror",
+                 reason: "SPF mx host " + mxHosts[mi] + " A/AAAA lookup failed: " +
+                         ((e && e.message) || String(e)) };
+      }
+    }
+  }
+
+  for (var ti = 0; ti < targetIps.length; ti += 1) {
+    var cidr = targetIps[ti] + "/" + mask;
+    if (isIpv6) { if (_ipv6InCidr(ip, cidr)) return { match: true }; }
+    else        { if (_ipv4InCidr(ip, cidr)) return { match: true }; }
+  }
+  return { match: false };
+}
+
+// SPF verify — recursive include resolution + ip4 / ip6 / a / mx /
+// include / all / redirect=. The `exists` and `ptr` mechanisms +
+// macro-string expansion remain deferred (see the mechanism dispatch
+// arm for the Re-open condition + operator escape hatch).
 async function spfVerify(opts) {
   opts = opts || {};
   validateOpts(opts, ["ip", "mailFrom", "helo", "dnsLookup"], "mail.spf.verify");
@@ -427,15 +685,69 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups, ctx) {
         return { verdict: "permerror",
                  explanation: "include:" + m.arg + " has no SPF record (RFC 7208 §5.2)" };
       }
-    } else if (m.mechanism === "a" || m.mechanism === "mx" ||
-               m.mechanism === "exists" || m.mechanism === "ptr") {
-      // Out of scope this patch — operators with these get permerror
-      // so they know to investigate.
+    } else if (m.mechanism === "a" || m.mechanism === "mx") {
+      // RFC 7208 §5.3 / §5.4. The mechanism itself counts as one DNS
+      // lookup per §4.6.4 (already incremented by the outer loop's
+      // `lookups.count += 1` for non-initial domains; ip4/ip6/all are
+      // overcounted as a result, but only by mechanisms whose lookup
+      // budget the spec doesn't care about — they're not DNS-touching).
+      // The `a` / `mx` arms additionally expand per RFC §4.6.4 (each
+      // MX hostname adds another lookup); the helper handles that
+      // accounting.
+      lookups.count += 1;
+      if (lookups.count > lookups.limit) {
+        return { verdict: "permerror",
+                 explanation: "DNS lookup limit exceeded (RFC 7208 §4.6.4) at " +
+                              m.mechanism };
+      }
+      var amRes = await _spfMatchAMx(m.mechanism, m.raw, ip, isIpv6,
+                                      domain, dnsLookup, lookups);
+      if (amRes.error === "permerror") {
+        return { verdict: "permerror", explanation: amRes.reason };
+      }
+      if (amRes.error === "temperror") {
+        return { verdict: "temperror", explanation: amRes.reason };
+      }
+      if (amRes.match) match = true;
+    } else if (m.mechanism === "exists" || m.mechanism === "ptr") {
+      // RFC 7208 §5.7 (exists) + §5.5 (ptr) — deferred from v0.11.3.
+      //
+      // exists: requires macro-string expansion (RFC 7208 §7) to be
+      //   useful in practice; almost every published `exists:` policy
+      //   uses macros like `exists:%{l}.%{d}._spf.example.com` to do
+      //   per-recipient or per-IP lookups. A non-macro `exists:` is
+      //   technically valid but vanishingly rare in published policies.
+      //
+      // ptr:    RFC 7208 §5.5 explicitly says "use of this mechanism
+      //   is strongly discouraged" — the receiver does reverse-DNS +
+      //   forward-confirm per query, doubling DNS load and tying the
+      //   sender's authz to whoever controls their PTR zone. Despite
+      //   this discouragement, a small minority of legacy senders
+      //   still publish `+ptr -all` policies as their only SPF stance.
+      //
+      // Re-open conditions:
+      //   - exists: macro-string expansion lands in the framework (a
+      //     standalone slice; tracked under blamejs-roadmap.md), OR an
+      //     operator surfaces a real `exists:` policy without macros
+      //     and asks for the simple A-existence form.
+      //   - ptr:    an operator surfaces a legitimate sender whose
+      //     ONLY SPF stance is `ptr` and needs the framework to
+      //     evaluate it (rather than the operator's MTA already doing
+      //     iprev via `b.mail.auth.iprev`).
+      //
+      // Operator escape hatch today:
+      //   - exists: senders almost universally have a non-`exists:`
+      //     mechanism alongside; the framework returns "permerror"
+      //     here, surfacing the gap, but legitimate mail flow that
+      //     ALSO carries a passing ip4/ip6/include path is unaffected.
+      //   - ptr: operators evaluating a ptr-only sender wire
+      //     `b.mail.auth.iprev(ip)` and treat fcrdns=true the same as
+      //     SPF pass for that domain.
       return {
         verdict: "permerror",
-        explanation: "SPF mechanism '" + m.mechanism + "' is not yet implemented; " +
-                     "operator can wire b.mail.spf.verify({ dnsLookup }) with their " +
-                     "own resolver",
+        explanation: "SPF mechanism '" + m.mechanism + "' is not yet implemented (RFC 7208 §" +
+                     (m.mechanism === "exists" ? "5.7 + §7 macros" : "5.5") +
+                     "); senders typically publish ip4 / ip6 / a / mx / include alongside",
       };
     }
     if (match) {

package/lib/mail-crypto-smime.js

@@ -7,8 +7,10 @@
  * @slug       mail-crypto-smime
  *
  * @card
- *   S/MIME 4.0 signature verification per RFC 8551 + RFC 5652 CMS
- *   SignedData. v1 surface is cert preflight; sign/verify deferred.
+ *   S/MIME 4.0 sign + verify (PQC-first ML-DSA / SLH-DSA signers) on
+ *   the b.cms substrate. RFC 8551 multipart/signed with RFC 5652
+ *   SignedData; EFAIL-class encrypt/decrypt deferred until the AAD-
+ *   binding posture lands.
  *
  * @intro
  *   S/MIME 4.0 (RFC 8551, replacing RFC 5751) `multipart/signed;
@@ -110,8 +112,10 @@ var ALLOWED_HASHES = ["sha256", "sha384", "sha512"];
 var REFUSED_HASHES = ["md5", "sha1"];                                             // allow:raw-byte-literal — CVE-2017-9006-class
 
 // PROFILES + COMPLIANCE_POSTURES — the framework's standard cross-
-// primitive contract. v1 only emits the metadata; the deferred sign/
-// verify methods read them when they light up.
+// primitive contract. sign() and verify() (live since v0.10.16) read
+// these to determine which hash + RSA-bit floors apply per operator
+// posture; encrypt() / decrypt() (deferred per the @intro EFAIL note)
+// will compose the same set when they land.
 var PROFILES = ["strict", "balanced", "permissive"];
 var COMPLIANCE_POSTURES = {
   hipaa:     "strict",

package/lib/mail-server-imap.js

@@ -1251,7 +1251,29 @@ function create(opts) {
     var subArgs = sub[2];
     if (subVerb === "FETCH") return _handleFetch(state, socket, tag, subArgs, true);
     if (subVerb === "STORE") return _handleStore(state, socket, tag, subArgs, true);
-    _writeTagged(socket, tag, "BAD UID " + subVerb + " not implemented in v1");
+    // RFC 9051 §6.4.9 also defines UID SEARCH / UID COPY / UID MOVE /
+    // UID EXPUNGE; deferred from the initial listener slice.
+    //
+    //   SEARCH:  composes with the existing _handleSearch path; needs
+    //            the searchRange path threaded through `useUid: true`.
+    //   COPY:    composes with the existing _handleCopy path; needs
+    //            the mailStore.copyRange opt accepted.
+    //   MOVE:    RFC 6851; same shape as COPY plus an atomic-delete
+    //            step on the source mailbox.
+    //   EXPUNGE: RFC 4315 UIDPLUS; expunges by uid-set instead of by
+    //            \Deleted-flag scan.
+    //
+    // Re-open condition: operator surfaces a real IMAP client that
+    // refuses to fall back to seq-number variants (most modern
+    // clients — mutt / Thunderbird / Apple Mail / Outlook — already
+    // use the seq-number forms when UID variants are unavailable).
+    //
+    // Operator escape hatch today: clients that issue these UID
+    // sub-commands receive `BAD` and retry against the seq-number
+    // variant (SEARCH / COPY / MOVE / EXPUNGE) which the listener
+    // does serve.
+    _writeTagged(socket, tag, "BAD UID " + subVerb +
+                 " is not yet implemented; client may retry with the seq-number form");
   }
 
   function _handleIdle(state, socket, tag) {

package/lib/restore.js

@@ -11,7 +11,7 @@
  *
  *   var restore = b.restore.create({
  *     dataDir:      "./data",
- *     storage:      b.backup.localStorage({ root: "./backups" }),
+ *     storage:      b.backup.diskStorage({ root: "./backups" }),
  *     passphrase:   Buffer.from("operator backup passphrase"),
  *     rollbackRoot: "./data.rollbacks",   // optional; default <dataDir>.rollbacks
  *     audit:        true,
@@ -76,7 +76,7 @@ class RestoreError extends FrameworkError {
 function _validateStorage(storage) {
   if (!storage || typeof storage !== "object") {
     throw new RestoreError("restore/bad-storage",
-      "storage backend is required (use b.backup.localStorage or pass a custom one)");
+      "storage backend is required (use b.backup.diskStorage or pass a custom one)");
   }
   var required = ["readBundle", "listBundles", "hasBundle"];
   for (var i = 0; i < required.length; i++) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.11.1",
+  "version": "0.11.3",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:7fbc6c04-e867-4e6a-b8a0-d1686fdb9dc7",
+  "serialNumber": "urn:uuid:b5450662-adf2-4f43-baef-731a1c66e80f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-19T15:04:27.770Z",
+    "timestamp": "2026-05-19T17:04:46.477Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.11.1",
+      "bom-ref": "@blamejs/core@0.11.3",
       "type": "library",
       "name": "blamejs",
-      "version": "0.11.1",
+      "version": "0.11.3",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.11.1",
+      "purl": "pkg:npm/%40blamejs/core@0.11.3",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.11.1",
+      "ref": "@blamejs/core@0.11.3",
       "dependsOn": []
     }
   ]