@blamejs/core 0.11.26 → 0.11.27

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.11.x
 
+- v0.11.27 (2026-05-20) — **IMAP CONDSTORE (RFC 7162) — modseq-aware FETCH + STORE on `b.mail.server.imap`.** The IMAP listener advertises and honours the CONDSTORE extension. Clients that issue `ENABLE CONDSTORE` get MODSEQ attributes in every untagged FETCH response; FETCH parses the `(CHANGEDSINCE <modseq>)` modifier and forwards it to the operator's backend so the backend can prune unchanged rows server-side; STORE parses the `(UNCHANGEDSINCE <modseq>)` conditional-update modifier and surfaces the backend's MODIFIED conflict set in the tagged OK response (`OK [MODIFIED <set>] STORE completed`). The backend interface picks up four new opts on the existing `fetchRange` / `storeFlags` calls: `changedSince`, `includeVanished`, `includeModseq`, `unchangedSince`. Backends MAY return modseq on each row; the listener injects `MODSEQ (<n>)` into the payload when present and CONDSTORE is enabled. QRESYNC (RFC 7162 §3.2) is deferred — accepted in ENABLE but no vanished-set surface is exposed yet. **Added:** *CAPABILITY advertises `CONDSTORE` unconditionally* — Per RFC 7162 §3 servers advertise CONDSTORE; clients ENABLE before relying on MODSEQ in untagged FETCH responses. The advertisement is unconditional (state-independent) so clients that issue CAPABILITY pre-LOGIN see CONDSTORE in the same untagged-response shape they'll see post-LOGIN. The old SELECT-side `HIGHESTMODSEQ` emission keeps working. · *`ENABLE CONDSTORE` handler flips `state.enabledCondStore`* — Replaces the no-op `OK ENABLED` shortcut with a real handler that parses the requested capability set, flips `state.enabledCondStore = true` on CONDSTORE, and replies with `ENABLED CONDSTORE` + `OK ENABLE completed`. Unknown extensions are silently ignored per RFC 5161 §3.1. QRESYNC is recognised but accepted only when a v1+ backend exposes the vanished-set surface. · *FETCH parses `(CHANGEDSINCE <modseq>)` + injects MODSEQ in responses* — When the FETCH args carry a trailing `(CHANGEDSINCE <n>)` modifier (RFC 7162 §3.1.4) the listener strips it from the fetch-att spec and forwards `opts.changedSince` to `mailStore.fetchRange`. The backend can prune unchanged messages server-side. When CONDSTORE is enabled (or the client explicitly requested MODSEQ as a fetch-att), each untagged FETCH response includes `MODSEQ (<n>)` — synthesised from `row.modseq` if the backend supplies it and the payload doesn't already contain it. Also recognises the QRESYNC `VANISHED` modifier (flag forwarded as `opts.includeVanished`); the vanished-set emission is the backend's responsibility for now. · *STORE parses `(UNCHANGEDSINCE <modseq>)` + emits `[MODIFIED <set>]` on conflict* — Per RFC 7162 §3.1.3 the conditional STORE refuses to update messages whose modseq advanced past `unchangedSince` since the client last fetched. The listener parses the modifier between the seq-set and the FLAGS op, forwards `opts.unchangedSince` to `mailStore.storeFlags`, and accepts either the legacy `rows: [...]` shape or a structured `{ rows, modified }` shape. When `modified` is non-empty, the tagged response carries `OK [MODIFIED <set>] STORE completed` so the client knows which messages need re-fetching before retry. Untagged FETCH responses also include `MODSEQ (<n>)` when STORE accepted updates under CONDSTORE. **Security:** *Modifier parsing is bounded + non-greedy* — The CHANGEDSINCE / UNCHANGEDSINCE matchers use `[^)]*` rather than `.*` so a malformed modifier can't consume the entire fetch-att spec. Both modifiers parse `\d+` only — non-integer / negative / Infinity values are silently dropped (the modifier becomes a no-op), so a client cannot ride the modifier to inject arbitrary fragments into the backend opts. · *Modseq attribute is opt-in* — MODSEQ injection into untagged FETCH responses ONLY happens when (a) CONDSTORE is enabled OR (b) the client's fetch-att spec contains the `MODSEQ` keyword. Pre-CONDSTORE clients see exactly the responses they saw before this release. The IMAP wire-format compatibility line is unchanged for the IMAP4rev1 / IMAP4rev2 cohorts that never issue `ENABLE CONDSTORE`. **References:** [RFC 7162 (IMAP4 CONDSTORE / QRESYNC)](https://www.rfc-editor.org/rfc/rfc7162.html) · [RFC 9051 (IMAP4rev2)](https://www.rfc-editor.org/rfc/rfc9051.html) · [RFC 5161 (IMAP ENABLE Extension)](https://www.rfc-editor.org/rfc/rfc5161.html) · [RFC 4315 (IMAP UIDPLUS Extension)](https://www.rfc-editor.org/rfc/rfc4315.html)
+
 - v0.11.26 (2026-05-20) — **`b.mail.server.submission` — CHUNKING / BDAT (RFC 3030).** The outbound submission listener now advertises and accepts the RFC 3030 BDAT (binary data) command, the chunked-upload alternative to DATA. Operators with large outbound payloads (attachments, MIME multipart bodies, encoded HTML) no longer pay the dot-stuffing cost of DATA; clients can stream chunks of arbitrary size and finalise with a `BDAT 0 LAST` (or `BDAT N LAST` for the final chunk). Mixing DATA + BDAT within one transaction is refused per RFC 3030 §3. Same `agent.handoff` contract — the body bytes arrive at the agent layer in their canonical SMTP form, no dot-stuffing applied (BDAT payloads are opaque). **Added:** *EHLO advertises `CHUNKING` + new `BDAT <chunk-size> [LAST]` command* — The EHLO 250-line list now includes `CHUNKING` (RFC 3030 §2.1). A new `BDAT` command handler accepts `BDAT <chunk-size> [LAST]` after MAIL FROM + RCPT TO; the server reads exactly `<chunk-size>` bytes from the socket — no dot-stuffing, no end-of-data marker — and acknowledges with `250 2.0.0 <octets> octets received`. Multiple BDAT chunks accumulate into the message body; the final chunk carries the `LAST` keyword and triggers the same agent-handoff path as DATA. A `BDAT 0 LAST` finalises an empty trailer when the last chunk's byte count is unknown in advance. · *Cumulative size cap honoured up-front* — `BDAT <large-size>` is refused with `552 5.3.4 BDAT cumulative size <total> exceeds maxMessageBytes (<cap>)` BEFORE the server begins reading bytes off the wire. A misconfigured client that pipelines `BDAT 999999999 LAST` and 1 GB of body is rejected at the command line, not after the byte stream lands. The collector bound on the receive side enforces the same cap as a backstop. · *Mid-segment payload drainage* — When `BDAT N LAST\r\n<payload>` arrives in one TCP segment (typical for pipelined small messages), the line-loop drains the post-`\r\n` bytes from the command buffer straight into the BDAT collector before returning. Any tail bytes after the BDAT chunk completes get re-fed as the next command. Operators get pipelining + chunking with no extra round-trip cost. **Security:** *BDAT state cleared on every STARTTLS upgrade* — Same threat model as CVE-2021-38371 (Exim) / CVE-2021-33515 (Dovecot): pre-handshake bytes a malicious peer pipelined MUST NOT reach the post-TLS state machine. The STARTTLS handler clears `inBdatChunk` / `bdatRemaining` / `bdatCollector` / `bdatTotalBytes` alongside the existing line-buffer + DATA-collector reset, so a smuggled `BDAT <n>` + body that lands before the TLS upgrade can't bleed into the encrypted transaction. · *Refusal on BDAT outside transaction* — BDAT before MAIL FROM / with zero RCPT returns `503 5.5.1` and does not enter chunk-collection mode. A misbehaving client that issues BDAT eagerly cannot leak state into the next transaction; the RSET reset path also clears all BDAT-side state. · *Pipelining race gate mirrors DATA* — If the operator's `recipientPolicy` is async and not all RCPT verdicts have resolved, BDAT returns `451 4.5.0 RCPT TO verdicts pending; reissue BDAT after recipient replies` — same shape as the DATA pipelining-race gate. The transaction never commits with a partially-resolved recipient set. **References:** [RFC 3030 (SMTP Service Extensions — CHUNKING / BDAT / BINARYMIME)](https://www.rfc-editor.org/rfc/rfc3030.html) · [RFC 5321 (SMTP)](https://www.rfc-editor.org/rfc/rfc5321.html) · [RFC 6409 (Message Submission for Mail)](https://www.rfc-editor.org/rfc/rfc6409.html) · [RFC 8314 (Cleartext considered obsolete — submission ports)](https://www.rfc-editor.org/rfc/rfc8314.html) · [CVE-2021-38371 (Exim STARTTLS injection)](https://nvd.nist.gov/vuln/detail/CVE-2021-38371) · [CVE-2021-33515 (Dovecot STARTTLS pre-handshake state leak)](https://nvd.nist.gov/vuln/detail/CVE-2021-33515)
 
 - v0.11.25 (2026-05-20) — **Five new primitives: sealed-token mail FTS + Stripe HMAC-SHA256 webhook verify + `b.money` + `b.fsm` + `b.auth.botChallenge`.** Five additive primitives in one release. Every consumer building on the framework — mail UIs, billing pipelines, e-commerce backends, multi-step business workflows, public web endpoints — now finds the substrate in-tree instead of reimplementing it. None of these replaces a default; every primitive is opt-in at the call site. Mail full-text search hashes tokens with the per-deployment vault salt before any byte hits the SQLite FTS5 index, so the index is searchable but a database dump leaks nothing readable. The Stripe-shaped HMAC-SHA-256 verifier sits next to the existing PQC and SHA3-512 webhook signers; the `whsec_` prefix stays in the key bytes per Stripe's spec; signatures are constant-time-compared and replay-defended via an operator-supplied nonce store. `b.money` arithmetic is BigInt-only across 40 ISO 4217 currencies with largest-remainder allocation and banker's-rounding FX conversion. `b.fsm` is the in-process sibling of `b.agent.saga` — declarative state + transition definition, guards, async on-enter/on-exit, drop-silent audit on every transition, with a transition-serialisation lock that makes concurrent `.transition()` calls deterministic. `b.auth.botChallenge` composes `b.httpClient` for siteverify against Cloudflare Turnstile (default), hCaptcha, and reCAPTCHA-v3 — the secret bytes never appear in any audit metadata. **Added:** *`b.mailStore.fts` — sealed-token full-text index + `b.mailStore.create().search(folder, filter)`* — Every `appendMessage` now inserts a row into a SQLite FTS5 virtual table whose subject / address / body columns hold space-separated 16-char hex hashes — vault-salted SHA3 over each NFC-normalised token. The salt is the same `b.vault.getDerivedHashSalt()` `b.cryptoField` uses for sealed-column derived hashes, so rotating the vault salt invalidates the FTS index in step with every other sealed-row hash. Query terms go through the same tokenize → hash transform on the search path and issue FTS5 MATCH against the hash-token rows — the index is fully searchable without ever materialising the plaintext on disk. `b.mail.agent.search({ folder, filter })` now accepts `text` / `subject` / `body` / `from` / `to` filter keys; the agent layer hands them to the store. `hardExpunge` deletes the FTS row inside the same transaction as the canonical message row so the two cannot drift. Limits: 8192 tokens / row / field, 2..64 codepoint length band, 8 MiB input cap per field. Exact-token only (no prefix wildcard, no stemmer) — the cost of sealed-at-rest. · *`b.webhook.verify({ alg: 'hmac-sha256-stripe', secret, header, body, toleranceMs?, nonceStore? })` + `b.webhook.sign(...)`* — Stripe-spec inbound webhook signature verifier (Paddle + Shopify use the same shape). Parses `Stripe-Signature: t=<unix>,v1=<hex>[,v1=<hex>...]`, validates the timestamp is within the tolerance window (default 5 min; refuses below 30s), HMAC-SHA-256s `<t>.<body>` with the `whsec_...` secret bytes verbatim (the prefix IS the key — `b.webhook.verify` never strips it), and walks the v1 entries with `b.crypto.timingSafeEqual` so a rotation grace window doesn't leak which entry matched. `b.webhook.sign` is the round-trip companion for outbound Stripe-shaped emission and round-trip tests. Optional `nonceStore: { has(k), set(k, ttlMs) }` records the accepted signature so a replay within the tolerance window refuses. The header value is hard-capped at 4096 bytes and per-`v1` hex at 256 chars (anti-DoS). · *`b.money` — decimal-safe money + 40-currency ISO 4217 catalog* — BigInt minor units throughout — Number is refused at construction. Currency exponents covering 0 (JPY/KRW), 2 (USD/EUR/GBP/…), 3 (KWD/BHD/JOD/OMR/TND), 4 (CLF) are pre-populated. Surface: `b.money.of(amount, code)` / `b.money.fromMinorUnits(bigint, code)` / `b.money.parse('12.50 USD')` / `b.money.zero(code)` plus instance methods `.add` / `.subtract` / `.multiply` / `.allocate(weights[])` / `.negate` / `.abs` / `.equals` / comparison family / `.toMinorUnits()` / `.toString()` / `.toJSON()` / `.format(locale?)`. `b.money.convert(money, toCurrency, fxRateProvider)` rounds half-to-even (banker's rounding) by default. Cross-currency arithmetic throws; `0.10 + 0.20 === 0.30` exactly. Allocation uses largest-remainder so $10 / 3 = [$3.34, $3.33, $3.33] with sum preserved. · *`b.fsm` — in-process state machine (sibling of `b.agent.saga`)* — `b.fsm.define({ name, initial, states, transitions })` returns a frozen machine factory. `Machine.create({ initialContext })` returns an instance with `.state` / `.context` / `.history` / `.allowed()` / `.can(name)` / `.transition(name, opts)` / `.toJSON()`. Transitions carry an optional guard (predicate; refusal throws `fsm/guard-refused`) and trigger per-state `onEnter` / `onExit` side-effects (sync or returned-Promise — `.transition` awaits). Every transition emits a `fsm.<machineName>.transition` audit event via `b.audit.safeEmit` (drop-silent on hot path), including the actor + metadata the caller passed in. A transition lock serialises concurrent `.transition()` calls — the test suite exercises five parallel transitions and verifies only the legal path runs. State + transition names are identifier-shape only (`safeSql.DEFAULT_IDENTIFIER_RE`) so a name never lands in SQL / HTML un-validated. `Machine.restore(snapshot)` rebuilds an instance from a prior `.toJSON()` snapshot — state + history + context survive a process restart. · *`b.auth.botChallenge.create({ secret, provider?, ... }) → { verify(token, opts?) }`* — Server-side challenge-response verifier for Cloudflare Turnstile (default), hCaptcha, and reCAPTCHA-v3. Composes `b.httpClient` for the outbound `/siteverify` POST — every request rides the framework's SSRF guard + DNS pinning + retry policy; the operator's secret never appears in a URL or any audit metadata field. Body encoding is `application/x-www-form-urlencoded` per the provider specs. Returns `{ ok, provider, hostname, action, challengeTs, score?, raw }` on success; throws `BotChallengeError` with structured codes (`invalid-token`, `timeout`, `hostname-mismatch`, `action-mismatch`, `provider-error`) on failure, with the upstream `error-codes` array exposed at `err.errorCodes`. Per-factory `allowedHostnames` + `allowedActions` allowlists; per-call `expectedHostname` + `expectedAction` overrides. Tokens are refused at the factory boundary if empty / non-string / > 4096 bytes, before any outbound call. **Security:** *Mail FTS index leaks zero plaintext (sealed-at-rest invariant extended)* — Pre-v0.11.25, the only operator-facing search path on `b.mail.agent` was a modseq cursor + post-fetch unseal — fast for cursoring but useless for text content discovery. Plaintext-FTS would have broken the sealed-at-rest invariant. The new index hashes every indexed token with the per-deployment vault salt before insert; a `sqlite3 .dump` produces ASCII-hex tokens indistinguishable from random. The same vault salt protects every `b.cryptoField`-sealed column, so adding the FTS index does NOT widen the cryptographic trust boundary. · *Stripe verifier defends the documented attack surface* — Constant-time HMAC compare (timing-safe across the v1 rotation list — operators don't leak which entry matched). Per-`v1` 256-hex anti-DoS cap. Tolerance-window minimum 30s — refuses operator misconfiguration that would accept hour-old signatures. The `whsec_` prefix preservation is encoded as a `codebase-patterns` detector (`stripe-hmac-sha256-no-strip-whsec-prefix`) so re-introducing the strip-bug is impossible without tripping a release gate. · *Bot-challenge secret never reaches audit / logs* — `b.auth.botChallenge` audit emits `{ provider, hostname, ok, errorCodes }` — the operator's secret bytes never appear in any metadata key. A `codebase-patterns` detector (`bot-challenge-secret-not-in-audit`) scans `lib/auth/bot-challenge.js` for any `audit.*emit` window that references `secret` so a future refactor cannot regress. **Detectors:** *Five new `codebase-patterns` detectors encode the shape-specific bug classes* — `stripe-hmac-sha256-no-strip-whsec-prefix` flags `secret.replace(/^whsec_/, '')` / `secret.slice(6)` near an HMAC call (the `whsec_` prefix IS the key). `no-number-money-arithmetic` flags `b.money.of(<Number>, ...)` and Number / Money arithmetic (precision lost; only BigInt / string OK at construction). `fsm-transition-without-await` flags `<fsm>.transition(...)` without `await` or `.then` in `lib/` (the transition is async; sync misuse swallows errors). `bot-challenge-secret-not-in-audit` is file-scoped to `lib/auth/bot-challenge.js` and flags any `audit.*emit` window or `metadata: { ... }` object literal referencing `secret`. Each detector is wired into `codebase-patterns.test.js`'s `run()` so every future commit re-checks the shape. **References:** [RFC 2104 (HMAC)](https://www.rfc-editor.org/rfc/rfc2104.html) · [RFC 6234 (US Secure Hash Algorithms — SHA-256)](https://www.rfc-editor.org/rfc/rfc6234.html) · [Stripe webhook signature spec](https://docs.stripe.com/webhooks/signature) · [Paddle webhook signature verification](https://developer.paddle.com/webhooks/signature-verification) · [Shopify webhooks — HMAC verification](https://shopify.dev/docs/apps/webhooks/configuration/https) · [ISO 4217 (Currency codes + minor unit catalog)](https://www.iso.org/iso-4217-currency-codes.html) · [IEEE 754 (the float-precision problem `b.money` avoids)](https://standards.ieee.org/standard/754-2019.html) · [Cloudflare Turnstile — server-side validation](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/) · [hCaptcha — verify the user response server-side](https://docs.hcaptcha.com/) · [reCAPTCHA-v3 — server-side verification](https://developers.google.com/recaptcha/docs/v3) · [OWASP ASVS v5 §11.5 — bot defense controls](https://owasp.org/www-project-application-security-verification-standard/) · [RFC 9051 (IMAP4rev2 — SEARCH semantics)](https://www.rfc-editor.org/rfc/rfc9051.html) · [RFC 8621 (JMAP Mail — Email/query)](https://www.rfc-editor.org/rfc/rfc8621.html) · [SQLite FTS5](https://www.sqlite.org/fts5.html) · [UML State Machine (OMG UML 2.5.1 §14)](https://www.omg.org/spec/UML/2.5.1)

package/lib/mail-server-imap.js

@@ -524,7 +524,7 @@ function create(opts) {
                       maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
       LOGIN:        { fn: function (s, so, p)  { return _handleLogin(s, so, p.tag, p.args); },
                       maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
-      ENABLE:       { fn: function (s, so, p)  { return _writeTagged(so, p.tag, "OK ENABLED"); },
+      ENABLE:       { fn: function (s, so, p)  { return _handleEnable(s, so, p.tag, p.args); },
                       maxHandlerBytes: SHORT_B,  maxHandlerMs: SHORT_MS },
       SELECT:       { fn: function (s, so, p)  { return _handleSelect(s, so, p.tag, p.args, false); },
                       maxHandlerBytes: MEDIUM_B, maxHandlerMs: MEDIUM_MS },
@@ -638,6 +638,9 @@ function create(opts) {
   function _capabilityLine(state) {
     var caps = ["IMAP4rev2"];
     if (!state.tls) caps.push("STARTTLS");
+    // RFC 7162 §3 — CONDSTORE is server-advertised; clients ENABLE
+    // before relying on MODSEQ in untagged FETCH responses.
+    caps.push("CONDSTORE");
     // Advertise AUTH=<mech> ONLY for mechanisms the operator wired
     // in opts.auth.mechanisms. RFC 9051 §7.2 — clients pick from the
     // advertised list; advertising AUTH=PLAIN when authConfig is null
@@ -653,6 +656,31 @@ function create(opts) {
     return caps.join(" ");
   }
 
+  // RFC 7162 §3.1 — ENABLE CONDSTORE flips the per-state flag that
+  // makes subsequent untagged FETCH responses include the MODSEQ
+  // attribute and lets STORE / FETCH carry CHANGEDSINCE /
+  // UNCHANGEDSINCE modifiers. Unknown ENABLE arguments are silently
+  // ignored per RFC 5161 §3.1 — the server lists in `ENABLED <name>`
+  // only the extensions it actually turned on.
+  function _handleEnable(state, socket, tag, args) {
+    var requested = (args || "").split(/\s+/).filter(Boolean);
+    var enabled = [];
+    for (var i = 0; i < requested.length; i += 1) {
+      var name = requested[i].toUpperCase();
+      if (name === "CONDSTORE") {
+        if (!state.enabledCondStore) {
+          state.enabledCondStore = true;
+          enabled.push("CONDSTORE");
+        }
+      }
+      // QRESYNC (RFC 7162 §3.2.5) implies CONDSTORE — accepted only
+      // when the operator backend supplies the QRESYNC vanished /
+      // expunged-set surface; v1 of the listener stops at CONDSTORE.
+    }
+    _writeUntagged(socket, "ENABLED" + (enabled.length ? " " + enabled.join(" ") : ""));
+    _writeTagged(socket, tag, "OK ENABLE completed");
+  }
+
   function _handleCapability(state, socket, tag) {
     _writeUntagged(socket, "CAPABILITY " + _capabilityLine(state));
     _writeTagged(socket, tag, "OK CAPABILITY completed");
@@ -1162,23 +1190,57 @@ function create(opts) {
     }
     var seqSet = match[1];
     var partsSpec = match[2];
+    // RFC 7162 §3.1.4 — FETCH may carry a CHANGEDSINCE modifier in a
+    // trailing parenthesised list:
+    //   FETCH 1:* (FLAGS) (CHANGEDSINCE 12345)
+    // and/or VANISHED (QRESYNC) which is deferred to a later slice.
+    // The modifier list is parsed off the END of partsSpec; what
+    // remains is handed to the backend as the fetch-att spec.
+    var changedSince = null;
+    var includeVanished = false;
+    var modMatch = partsSpec.match(/\s*\(([^)]*)\)\s*$/);                                              // allow:regex-no-length-cap — partsSpec already bounded upstream
+    if (modMatch && /\b(CHANGEDSINCE|VANISHED)\b/i.test(modMatch[1])) {
+      var modBody = modMatch[1];
+      var changedMatch = modBody.match(/CHANGEDSINCE\s+(\d+)/i);                                       // allow:regex-no-length-cap — modBody already bounded
+      if (changedMatch) {
+        var csN = parseInt(changedMatch[1], 10);
+        if (isFinite(csN) && csN >= 0) changedSince = csN;
+      }
+      includeVanished = /\bVANISHED\b/i.test(modBody);
+      partsSpec = partsSpec.slice(0, partsSpec.length - modMatch[0].length).trim();
+    }
+    // RFC 7162 §3.1.2 — any FETCH that uses CHANGEDSINCE implicitly
+    // engages CONDSTORE for the session; the client expects MODSEQ
+    // in responses even without a prior `ENABLE CONDSTORE`. RFC 7162
+    // §3.1.4.1 — when CONDSTORE is engaged (explicit ENABLE OR
+    // implicit via CHANGEDSINCE) OR the client requested MODSEQ as a
+    // fetch-att, every untagged FETCH response includes the MODSEQ
+    // attribute. Engaging CONDSTORE via CHANGEDSINCE also sticks for
+    // the rest of the session.
+    if (changedSince !== null && !state.enabledCondStore) {
+      state.enabledCondStore = true;
+    }
+    var includeModseq = state.enabledCondStore === true ||
+                        changedSince !== null ||
+                        /\bMODSEQ\b/i.test(partsSpec);
     Promise.resolve()
       .then(function () {
-        // useUid: true tells the backend to interpret seqSet as UIDs
-        // per RFC 9051 §6.4.9 — distinct from message-sequence-numbers
-        // under the SELECT context. UID FETCH responses MUST include
-        // the UID in the parts list per §6.4.9 ("the server SHOULD also
-        // include UID information in its response").
         return mailStore.fetchRange(state.actor, state.selectedMailbox, seqSet, partsSpec,
-          { useUid: useUid === true });
+          { useUid: useUid === true, changedSince: changedSince, includeVanished: includeVanished,
+            includeModseq: includeModseq });
       })
       .then(function (rows) {
         var rs = rows || [];
         _emit("mail.server.imap.fetch_bulk",
-          { connectionId: state.id, mailbox: state.selectedMailbox, count: rs.length });
+          { connectionId: state.id, mailbox: state.selectedMailbox, count: rs.length,
+            changedSince: changedSince, condStore: state.enabledCondStore === true });
         for (var i = 0; i < rs.length; i += 1) {
           var r = rs[i];
-          _writeUntagged(socket, r.seq + " FETCH (" + (r.payload || "") + ")");
+          var payload = r.payload || "";
+          if (includeModseq && r.modseq !== undefined && !/MODSEQ\s*\(/.test(payload)) {
+            payload = (payload ? payload + " " : "") + "MODSEQ (" + r.modseq + ")";
+          }
+          _writeUntagged(socket, r.seq + " FETCH (" + payload + ")");
         }
         _writeTagged(socket, tag, "OK FETCH completed");
       })
@@ -1204,6 +1266,20 @@ function create(opts) {
       _writeTagged(socket, tag, "BAD STORE backend not configured");
       return;
     }
+    // RFC 7162 §3.1.3 — STORE may carry a parenthesised UNCHANGEDSINCE
+    // modifier between the sequence-set and the FLAGS op:
+    //   STORE 1:* (UNCHANGEDSINCE 12345) +FLAGS (\Deleted)
+    // The backend's response shape is { rows, modified } — `modified`
+    // is the seq-set string of message ids whose modseq advanced past
+    // unchangedSince before this STORE ran. We surface those via
+    // [MODIFIED <set>] OK response (RFC 7162 §3.1.3).
+    var unchangedSince = null;
+    var unchangedMatch = args.match(/^(\S+)\s+\(UNCHANGEDSINCE\s+(\d+)\)\s+(.+)$/i);                   // allow:regex-no-length-cap — args length already capped upstream
+    if (unchangedMatch) {
+      var usN = parseInt(unchangedMatch[2], 10);
+      if (isFinite(usN) && usN >= 0) unchangedSince = usN;
+      args = unchangedMatch[1] + " " + unchangedMatch[3];
+    }
     var match = args.match(/^(\S+)\s+([+-]?FLAGS(?:\.SILENT)?)\s+\(([^)]*)\)$/i);                     // allow:regex-no-length-cap — args length already capped upstream
     if (!match) {
       _writeTagged(socket, tag, "BAD STORE expects seq-set FLAGS (...)");
@@ -1214,20 +1290,61 @@ function create(opts) {
     var flagsArr = match[3].split(/\s+/).filter(Boolean);
     var silent = /\.SILENT$/i.test(op);
     var mode = op[0] === "+" ? "add" : op[0] === "-" ? "remove" : "replace";
+    // RFC 7162 §3.1.2 — UNCHANGEDSINCE in STORE engages CONDSTORE for
+    // the session (same implicit-enable rule as FETCH CHANGEDSINCE).
+    if (unchangedSince !== null && !state.enabledCondStore) {
+      state.enabledCondStore = true;
+    }
+    var includeModseqStore = state.enabledCondStore === true || unchangedSince !== null;
     Promise.resolve()
       .then(function () {
         return mailStore.storeFlags(state.actor, state.selectedMailbox, seqSet, mode, flagsArr,
-          { useUid: useUid === true });
+          { useUid: useUid === true, unchangedSince: unchangedSince, includeModseq: includeModseqStore });
       })
-      .then(function (rows) {
-        if (!silent) {
-          var rs = rows || [];
+      .then(function (result) {
+        // Backend may return either an array of rows (legacy shape)
+        // OR an object `{ rows, modified }`. Normalise.
+        var rs, modifiedSet;
+        if (Array.isArray(result)) { rs = result; modifiedSet = null; }
+        else if (result && typeof result === "object") {
+          rs = result.rows || [];
+          modifiedSet = result.modified || null;
+        } else { rs = []; modifiedSet = null; }
+        // RFC 7162 §3.1.3 — under CONDSTORE / UNCHANGEDSINCE, the
+        // server MUST emit a FETCH response carrying the new MODSEQ
+        // for every successfully-updated message EVEN UNDER .SILENT.
+        // Without it, CONDSTORE clients cannot refresh their local
+        // modseq state and drift out of sync. Under non-CONDSTORE
+        // .SILENT, the legacy behaviour stays (no untagged FETCH).
+        var emitFlags = !silent;
+        var emitModseqOnly = silent && includeModseqStore;
+        if (emitFlags || emitModseqOnly) {
           for (var i = 0; i < rs.length; i += 1) {
             var r = rs[i];
-            _writeUntagged(socket, r.seq + " FETCH (FLAGS (" + (r.flags || []).join(" ") + "))");
+            var payload;
+            if (emitFlags) {
+              payload = "FLAGS (" + (r.flags || []).join(" ") + ")";
+              if (includeModseqStore && r.modseq !== undefined) {
+                payload = payload + " MODSEQ (" + r.modseq + ")";
+              }
+            } else if (r.modseq !== undefined) {
+              // SILENT + CONDSTORE — emit MODSEQ alone (no FLAGS).
+              payload = "MODSEQ (" + r.modseq + ")";
+            } else {
+              continue;
+            }
+            _writeUntagged(socket, r.seq + " FETCH (" + payload + ")");
           }
         }
-        _writeTagged(socket, tag, "OK STORE completed");
+        var okTag = "OK STORE completed";
+        // RFC 7162 §3.1.3 — MODIFIED carries the set of ids the
+        // conditional STORE refused to update because their modseq
+        // advanced past unchangedSince. Clients re-issue FETCH against
+        // the set to refresh state before retry.
+        if (modifiedSet && String(modifiedSet).length > 0) {
+          okTag = "OK [MODIFIED " + modifiedSet + "] STORE completed";
+        }
+        _writeTagged(socket, tag, okTag);
       })
       .catch(function (err) {
         _writeTagged(socket, tag, "NO " + ((err && err.message) || "Store failed").slice(0, ERR_CLAMP));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.11.26",
+  "version": "0.11.27",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3dcc0cb1-fcfe-4b62-b09b-3c1ab41e0b08",
+  "serialNumber": "urn:uuid:15b60ad9-cf33-4ad4-a874-947682ac8125",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-21T06:48:21.305Z",
+    "timestamp": "2026-05-21T13:46:21.069Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.11.26",
+      "bom-ref": "@blamejs/core@0.11.27",
       "type": "application",
       "name": "blamejs",
-      "version": "0.11.26",
+      "version": "0.11.27",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.11.26",
+      "purl": "pkg:npm/%40blamejs/core@0.11.27",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.11.26",
+      "ref": "@blamejs/core@0.11.27",
       "dependsOn": []
     }
   ]