@blamejs/core 0.11.32 → 0.11.33

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.11.x
 
+- v0.11.33 (2026-05-21) — **IMAP QRESYNC (RFC 7162 §3.2) — VANISHED responses + SELECT delta on `b.mail.server.imap`.** Closes the v0.11.27 deferral. The IMAP listener now advertises QRESYNC in CAPABILITY, accepts `ENABLE QRESYNC` (which implicitly engages CONDSTORE per §3.2.5), and parses the `(QRESYNC (<uidvalidity> <modseq> [<knownUids>] [<knownSequenceMatchData>]))` parameter list on SELECT / EXAMINE. When the client's UIDVALIDITY matches the backend's, the listener emits a single `* VANISHED (EARLIER) <uid-set>` listing UIDs the server expunged since the client's snapshot — operators implement the actual delta computation via `mailStore.selectFolder(actor, mailbox, { qresync }) → { ..., vanishedEarlier }`. Stale-UIDVALIDITY clients fall through to a full re-SELECT. **Added:** *CAPABILITY advertises `QRESYNC`* — Sits next to the existing `CONDSTORE` advertisement. Both extensions are server-advertised; clients ENABLE before relying on the responses. RFC 7162 §3.2.5 — QRESYNC implies CONDSTORE. · *`ENABLE QRESYNC` engages both flags* — The handler flips `state.enabledQResync = true` AND `state.enabledCondStore = true` and emits `* ENABLED QRESYNC` + `OK ENABLE completed`. Already-engaged QRESYNC re-issues skip the advertisement line (only newly-engaged extensions appear). · *`SELECT mailbox (QRESYNC (<uidvalidity> <modseq> [<knownUids>] [<knownSeq>]))`* — The QRESYNC parameter list is stripped from the SELECT args before the mailbox-name validator runs and forwarded to `mailStore.selectFolder` as `opts.qresync = { uidvalidity, modseq, knownUids, knownSeq }`. Backends compute the delta and return `vanishedEarlier` (sequence-set string) in the existing select-info object. Non-finite uidvalidity / modseq values refuse with `BAD SELECT QRESYNC params must be (<uidvalidity> <modseq> ...) numerics` before the backend call. · *Implicit CONDSTORE+QRESYNC engagement on parameterised SELECT* — Per RFC 7162 §3.2.4, a client that issues `SELECT INBOX (QRESYNC (...))` without a prior `ENABLE QRESYNC` flips both flags implicitly for the session. Subsequent FETCH responses include `MODSEQ (<n>)` just as they would after explicit ENABLE. · *`* VANISHED (EARLIER) <uid-set>` emission* — The listener emits a single VANISHED untagged response between `HIGHESTMODSEQ` and the tagged OK when (a) the client supplied a QRESYNC parameter, (b) the client's UIDVALIDITY matches the backend's, AND (c) the backend supplied a non-empty `vanishedEarlier`. Mismatched UIDVALIDITY suppresses the VANISHED line so the client correctly falls through to a full re-sync (RFC 7162 §3.2.5). **Security:** *QRESYNC parameter parse is bounded* — The regex anchors on `\(\s*QRESYNC\s*\(\s*([^)]+)\)` — `[^)]*` not `.*` — so a malformed parameter list cannot consume the entire SELECT args. Both `uidvalidity` and `modseq` parse strictly as `\d+` via `parseInt(...)` + `isFinite` check; non-numeric values refuse before the backend dispatch. · *VANISHED suppressed on UIDVALIDITY mismatch* — RFC 7162 §3.2.5 — when the client's `uidvalidity` does NOT match the server's current value, the mailbox has been reset (e.g., recreated under the same name) and the client's UID cache is invalid. The listener intentionally drops the VANISHED line so the client forces a fresh full-sync instead of acting on a delta that references a different message set. **References:** [RFC 7162 §3.2 (QRESYNC — Quick Mailbox Resynchronization)](https://www.rfc-editor.org/rfc/rfc7162.html) · [RFC 9051 (IMAP4rev2)](https://www.rfc-editor.org/rfc/rfc9051.html) · [RFC 5161 (IMAP ENABLE Extension)](https://www.rfc-editor.org/rfc/rfc5161.html)
+
 - v0.11.32 (2026-05-21) — **`b.mail.crypto.pgp.encrypt` / `.decrypt` / `.wkd` promoted to stable — WKD IDN-homograph defense.** The PGP encrypt / decrypt / Web Key Directory (WKD) primitives that shipped under `b.mail.crypto.pgp.experimental.*` at v0.10.16 are promoted to top-level stable. `b.mail.crypto.pgp.encrypt` / `b.mail.crypto.pgp.decrypt` / `b.mail.crypto.pgp.wkd.fetch` / `b.mail.crypto.pgp.wkd.computeUrl` are now the canonical paths; the v0.10.16 `experimental` aliases continue to work so existing operator code keeps importing through the old path until they migrate at their own pace. WKD picks up a hard IDN-homograph refusal at `wkd.computeUrl` — Cyrillic / Greek / full-width / Han confusable domain characters refuse with `mail-crypto/pgp/bad-domain` before any HTTP fetch runs. Operators with internationalised domains MUST Punycode-encode upstream (RFC 3492 `xn--` form). **Added:** *Top-level `b.mail.crypto.pgp.encrypt` / `.decrypt` / `.wkd.{fetch,computeUrl}`* — Same function bodies that shipped under `b.mail.crypto.pgp.experimental.*` at v0.10.16 are now exported at the top of the namespace. The framework-private envelope (BJ-PGP-PQ magic + version) is unchanged; the IANA-pending RFC 9580bis ML-KEM PKESK codepoints will land as an alternate-encoding option in a follow-up slice. The `experimental` alias keeps the v0.10.16 import paths working — operator migration is opt-in. `b.mail.crypto.pgp.encrypt === b.mail.crypto.pgp.experimental.encrypt` (same reference) so a feature-detection test like `typeof b.mail.crypto.pgp.encrypt === 'function'` is the new operator-facing pattern. **Security:** *WKD IDN-homograph refusal at `wkd.computeUrl`* — `wkd.computeUrl(email)` now refuses any domain containing characters outside the LDH+dot ASCII subset (RFC 952 / RFC 1123 §2). The threat model: Cyrillic `а` (U+0430), Greek `ο` (U+03BF), full-width `Ａ` (U+FF21), and Han homographs visually impersonate Latin letters in `paypa1.com` / `gοogle.com` style phishing host strings; a naive `toLowerCase` + concat into the WKD URL would route the key fetch to the attacker's domain. Operators with legitimate internationalised domains MUST Punycode-encode upstream (the `xn--` form is plain ASCII LDH and passes). The framework's `b.httpClient` already refuses non-ASCII hostnames at the SSRF guard layer; this primitive surfaces the same refusal at the WKD entry point so the error surface is consistent. · *RFC 5321 + RFC 1035 length caps* — Email length capped at 320 octets (RFC 5321 §4.5.3.1 maximum). Domain length capped at 253 octets (RFC 1035 §2.3.4). Empty labels (`bad..example.com`), leading-dot, and trailing-dot domains refuse before any URL construction. Adversarial-length inputs cannot reach the tokenizer / hasher path. **References:** [draft-koch-openpgp-webkey-service (Web Key Directory)](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) · [RFC 9580 (OpenPGP)](https://www.rfc-editor.org/rfc/rfc9580.html) · [RFC 3492 (Punycode — IDNA `xn--` form)](https://www.rfc-editor.org/rfc/rfc3492.html) · [RFC 5891 (IDNA 2008)](https://www.rfc-editor.org/rfc/rfc5891.html) · [RFC 5321 §4.5.3.1 (SMTP — local-part + domain octet maximums)](https://www.rfc-editor.org/rfc/rfc5321.html) · [RFC 1035 §2.3.4 (domain label length)](https://www.rfc-editor.org/rfc/rfc1035.html) · [Unicode TR 39 (Security Mechanisms — confusable identifiers)](https://www.unicode.org/reports/tr39/)
 
 - v0.11.31 (2026-05-21) — **`b.calendar` — JSCalendar (RFC 8984) primitive + JMAP Calendars method catalogue.** JSCalendar is the JSON-native calendar grammar JMAP Calendars rides on. The framework now ships `b.calendar` — a thin layer over the existing `b.safeIcal.parse` (RFC 5545 bounded parser shipped earlier) that exposes validate / fromIcal / toIcal / expandRecurrence. The JMAP method catalogue at `b.mail.serverRegistry` picks up the 15 Calendar / CalendarEvent / CalendarEventNotification / ParticipantIdentity methods per the draft-ietf-jmap-calendars spec, so operators wire them through the existing `b.mail.server.jmap.create({ methods: { ... } })` dispatch path without `allowExperimental: true` escape-hatches.

package/lib/mail-server-imap.js

@@ -646,8 +646,11 @@ function create(opts) {
     var caps = ["IMAP4rev2"];
     if (!state.tls) caps.push("STARTTLS");
     // RFC 7162 §3 — CONDSTORE is server-advertised; clients ENABLE
-    // before relying on MODSEQ in untagged FETCH responses.
+    // before relying on MODSEQ in untagged FETCH responses. QRESYNC
+    // (§3.2) adds the VANISHED responses on SELECT + post-EXPUNGE
+    // and implicitly engages CONDSTORE per §3.2.5.
     caps.push("CONDSTORE");
+    caps.push("QRESYNC");
     // v0.11.28 — opt-in extensions (advertised so capable clients can
     // exercise them; each handler refuses gracefully when the operator
     // backend doesn't supply the corresponding hook).
@@ -690,10 +693,18 @@ function create(opts) {
           state.enabledCondStore = true;
           enabled.push("CONDSTORE");
         }
+      } else if (name === "QRESYNC") {
+        // RFC 7162 §3.2.5 — QRESYNC implicitly engages CONDSTORE.
+        // The client signals it can consume `* VANISHED (EARLIER)`
+        // responses on SELECT / EXAMINE + post-EXPUNGE; the listener
+        // flips both flags and the SELECT handler honours the
+        // QRESYNC parameter list when present.
+        if (!state.enabledQResync) {
+          state.enabledQResync   = true;
+          state.enabledCondStore = true;
+          enabled.push("QRESYNC");
+        }
       }
-      // QRESYNC (RFC 7162 §3.2.5) implies CONDSTORE — accepted only
-      // when the operator backend supplies the QRESYNC vanished /
-      // expunged-set surface; v1 of the listener stops at CONDSTORE.
     }
     _writeUntagged(socket, "ENABLED" + (enabled.length ? " " + enabled.join(" ") : ""));
     _writeTagged(socket, tag, "OK ENABLE completed");
@@ -1148,15 +1159,47 @@ function create(opts) {
 
   function _handleSelect(state, socket, tag, args, examine) {
     if (!_requireAuth(state, socket, tag)) return;
-    var name = _unquote(args.trim());
+    var trimmed = (args || "").trim();
+    // RFC 7162 §3.2.4 — `SELECT mailbox (QRESYNC (<uidvalidity>
+    // <modseq> [<knownUids>] [<knownSequenceMatchData>]))`. The
+    // QRESYNC parameter is wrapped in an outer parenthesis pair after
+    // the mailbox name. Extract it before parsing the mailbox so the
+    // mailbox-name validator sees just the name.
+    var qresyncParam = null;
+    var qresyncMatch = trimmed.match(/^(\S+|"[^"]+")\s+\(\s*QRESYNC\s*\(\s*([^)]+)\)\s*(?:\(\s*([^)]+)\)\s*)?\)\s*$/i);  // allow:regex-no-length-cap — args length already capped upstream
+    if (qresyncMatch) {
+      var inner = qresyncMatch[2].trim().split(/\s+/);
+      qresyncParam = {
+        uidvalidity: parseInt(inner[0], 10),
+        modseq:      parseInt(inner[1], 10),
+        knownUids:   inner[2] || null,
+        knownSeq:    qresyncMatch[3] || null,
+      };
+      if (!isFinite(qresyncParam.uidvalidity) || !isFinite(qresyncParam.modseq)) {
+        _writeTagged(socket, tag, "BAD SELECT QRESYNC params must be (<uidvalidity> <modseq> ...) numerics");
+        return;
+      }
+      trimmed = qresyncMatch[1];
+    }
+    var name = _unquote(trimmed);
     if (!_validateMailboxName(name, { allowLegacyMUtf7: allowLegacyMUtf7 })) {
       _writeTagged(socket, tag, "BAD Mailbox name refused");
       return;
     }
+    // QRESYNC requires CONDSTORE to be engaged; if the client sent
+    // the parameter without having issued ENABLE first, RFC 7162
+    // §3.2.4 lets the server flip the flags implicitly.
+    if (qresyncParam && !state.enabledQResync) {
+      state.enabledQResync   = true;
+      state.enabledCondStore = true;
+    }
     Promise.resolve()
       .then(function () {
         if (typeof mailStore.selectFolder === "function") {
-          return mailStore.selectFolder(state.actor, name, { readOnly: examine });
+          return mailStore.selectFolder(state.actor, name, {
+            readOnly:    examine,
+            qresync:     qresyncParam,
+          });
         }
         // RFC 9051 §2.3.1.1 — UIDVALIDITY MUST be strictly increasing
         // and 32-bit unique across the mailbox lifetime. The earlier
@@ -1183,9 +1226,26 @@ function create(opts) {
         if (info.modseq !== undefined) {
           _writeUntagged(socket, "OK [HIGHESTMODSEQ " + info.modseq + "]");
         }
+        // RFC 7162 §3.2.5 — when SELECT carried a QRESYNC parameter
+        // AND the client's UIDVALIDITY matches, emit a single
+        // `* VANISHED (EARLIER) <uid-set>` listing UIDs the server
+        // expunged since the client's snapshot. The backend supplies
+        // this via `info.vanishedEarlier` (sequence-set string) — the
+        // listener does the wire emission. Mismatched UIDVALIDITY
+        // means the client's cache is stale and MUST re-SELECT; we
+        // skip the VANISHED line in that case so the client falls
+        // through to a full re-sync. RFC 7162 §3.2.5.2 says the
+        // server MAY also include changed-since-modseq FETCH lines
+        // — those flow through the normal FETCH path with
+        // CHANGEDSINCE so we leave them to the operator.
+        if (qresyncParam && info.vanishedEarlier &&
+            info.uidvalidity === qresyncParam.uidvalidity) {
+          _writeUntagged(socket, "VANISHED (EARLIER) " + info.vanishedEarlier);
+        }
         _emit("mail.server.imap.select", {
           connectionId: state.id, mailbox: name,
           modseq: info.modseq || 0, exists: info.exists,
+          qresync: qresyncParam !== null,
         });
         _writeTagged(socket, tag, "OK [" + (examine ? "READ-ONLY" : "READ-WRITE") + "] " +
           (examine ? "EXAMINE" : "SELECT") + " completed");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.11.32",
+  "version": "0.11.33",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3c063952-23ab-48f4-9274-e30b6d7bed0d",
+  "serialNumber": "urn:uuid:10fe079a-bfcc-4ffe-84e1-55a6b5b11ccf",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-21T17:46:32.271Z",
+    "timestamp": "2026-05-21T18:47:05.672Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.11.32",
+      "bom-ref": "@blamejs/core@0.11.33",
       "type": "application",
       "name": "blamejs",
-      "version": "0.11.32",
+      "version": "0.11.33",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.11.32",
+      "purl": "pkg:npm/%40blamejs/core@0.11.33",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.11.32",
+      "ref": "@blamejs/core@0.11.33",
       "dependsOn": []
     }
   ]