@blamejs/core 0.13.15 → 0.13.16

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.16 (2026-05-27) — **`b.mail.agent` docs now describe the facade accurately, and not-yet-wired verbs point to the primitive to use.** b.mail.agent's module documentation claimed it was "the standardization contract for every mail protocol" that JMAP / IMAP / POP3 all route through — but no protocol server actually dispatches through the agent (the framework's own JMAP EmailSubmission handler composes b.mail.send.deliver directly), and the compose / send / reply / forward, sieve.list / sieve.activate, identity / vacation / mdn.* and export / job / import verbs throw mail-agent/not-implemented. The docs are corrected to describe what the agent is: a mailbox-access facade (RBAC + posture + audit + dispatch around a mail store) whose read surface plus the mailbox-mutation and Sieve-upload methods are wired, with the remaining verbs not yet routed through it. Those verbs' error message now names the underlying primitive to compose directly (b.mail.send.deliver, b.mail.sieve, b.mailMdn, …) instead of citing a version tag that had long passed. The public WIRED_AT export (a method→version map that no longer reflected reality) is replaced by COMPOSE_HINT (a method→primitive-to-compose map). No behaviour change: the same methods are wired or throw exactly as before. **Changed:** *`b.mail.agent` documentation corrected; not-implemented errors point to the primitive to compose* — The `@module` / `@card` no longer claim the agent is the universal protocol-dispatch contract — it's documented as a mailbox-access facade with a wired read + mutation + Sieve-upload surface, and the compose/send/identity/vacation/MDN/export verbs documented as not yet routed through it (compose the underlying primitive directly until a protocol server adopts the agent). The `mail-agent/not-implemented` error now names that primitive (e.g. `b.mail.send.deliver`) rather than a passed version tag. **Removed:** *`b.mail.agent.WIRED_AT` export replaced by `COMPOSE_HINT`* — The `WIRED_AT` export mapped each method to a framework version that was supposed to "light it up" — versions that have all shipped without the wiring, so the map was misleading. It is replaced by `COMPOSE_HINT`, mapping each not-yet-wired method to the primitive an operator composes directly. Operators reading `b.mail.agent.WIRED_AT` should read `b.mail.agent.COMPOSE_HINT` instead (pre-1.0: no compatibility shim).
+
 - v0.13.15 (2026-05-27) — **Corrected more source citations and made deferred/reserved options honest in their docs.** A second accuracy pass over source threat-annotations and option docs. Three citation corrections: the base64url strict-decode guard cited CVE-2022-0235 (which is actually a node-fetch cookie-leak, unrelated) — it now names the weakness class it defends (CWE-347 / CWE-1286 signature canonicalization); the glob consecutive-wildcard ReDoS cap cited the wrong library (the CVE-2026-26996 ReDoS is minimatch, not picomatch — the adjacent picomatch one is CVE-2026-33671); and CVE-2026-32178 is reframed to the CWE-138 header-injection-spoofing class the public record actually documents (and dropped from the end-of-data SMTP-smuggling list, which is a different class). Several options/statuses are now honest about not-yet-implemented surface: b.archive.read.zip.fromTrustedStream is marked experimental (its methods throw and its options aren't honored yet — the example now shows the supported buffer-then-random-access path); b.acme revokeCert's useCertKey / certPrivateKey are marked reserved (the cert-key path throws; account-key signing is the supported default); and a stale message claiming passkey break-glass factors were a future feature is removed (passkeys are a live allowed factor). No runtime behaviour changes beyond message/doc text. **Changed:** *Deferred / reserved surface now documented honestly* — `b.archive.read.zip.fromTrustedStream` is marked `experimental` — its `inspect`/`entries`/`extract` throw and its `bombPolicy`/`audit` options aren't honored yet; the documented example now shows the supported path (buffer the stream, then use the random-access reader). `b.acme` `revokeCert`'s `useCertKey` / `certPrivateKey` options are marked reserved (the cert-key-signed-revocation path throws; account-key signing, the default, covers mainstream CAs). A `b.breakGlass` policy error and comment that called passkey factors a future feature are corrected — passkeys are a live allowed factor. **Fixed:** *Corrected misattributed CVE citations in source threat-annotations* — `b.crypto.fromBase64Url`'s strict-decode guard cited CVE-2022-0235 (a node-fetch header-leak, unrelated to base64/JWT decoding); it now cites the weakness class it actually defends — CWE-347 / CWE-1286 signature canonicalization. `b.guardRegex`'s consecutive-`*` cap attributed CVE-2026-26996 to picomatch; that ReDoS is in minimatch (the picomatch ReDoS it also defends is CVE-2026-33671) — the library name is corrected. CVE-2026-32178 is reframed to the CWE-138 header-injection spoofing class the public advisory documents, and removed from the end-of-data SMTP-smuggling trio (a distinct class). No behaviour change — the defenses are unchanged.
 
 - v0.13.14 (2026-05-27) — **DNSSEC chain validation now bounds KeyTrap (CVE-2023-50387) amplification with hard caps.** b.network.dns.dnssec.verifyChain tried every DNSKEY whose 16-bit key tag matched an RRSIG, with no cap on how many candidates or total signature verifications a single response could drive. A hostile zone publishing many DNSKEYs sharing one key tag (plus matching RRSIGs) could force O(keys x signatures) full public-key verifications from one query — the KeyTrap denial-of-service (CVE-2023-50387). Validation is now bounded by non-configurable caps that match the BIND / Unbound mitigations: at most 4 same-tag candidate keys are tried per RRSIG, at most 64 DNSKEYs per zone link and 16 DS records per delegation are accepted, the chain is at most 128 links deep, and the whole response is held to a signature-validation budget that scales with chain depth (so a legitimate deep delegation is never false-rejected while bounded collisions stay bounded); exceeding any of these refuses the response rather than performing the work. Separately, a domain name that encodes to more than 255 octets is now refused at canonicalization (RFC 1035 §2.3.4), which also bounds the NSEC3 closest-encloser label enumeration, and the NSEC3 iteration ceiling is lowered from 500 to 150 to match the BIND 9.16.33+ / Unbound 1.17.1 fix for the sibling CVE-2023-50868. **Security:** *`verifyChain` caps colliding-key fan-out and total signature validations (KeyTrap / CVE-2023-50387)* — A zone advertising many same-key-tag DNSKEYs and RRSIGs can no longer drive unbounded public-key verifications. New refusals: `dnssec/too-many-colliding-keys` (>4 same-tag candidates per RRSIG), `dnssec/too-many-dnskeys` (>64 DNSKEYs per zone link), `dnssec/too-many-ds` (>16 DS records per delegation), `dnssec/too-many-links` (chain deeper than 128), and `dnssec/validation-budget-exceeded` (signature validations beyond the depth-scaled budget). The caps are intentionally non-configurable — they sit well above any legitimate zone, and the budget scales with chain depth so deep delegations validate normally. · *Domain-name octet cap + lower NSEC3 iteration ceiling* — A name that canonicalizes to more than 255 octets is refused (`dnssec/bad-name`, RFC 1035 §2.3.4), which bounds the per-label NSEC3 closest-encloser enumeration (CVE-2023-50868 class). The default NSEC3 iteration ceiling drops from 500 to 150, matching the BIND 9.16.33+ / Unbound 1.17.1 post-CVE defaults (RFC 9276 recommends 0).

package/lib/mail-agent.js

@@ -7,19 +7,26 @@
  * @featured   true
  *
  * @intro
- *   The standardization contract for every mail protocol blamejs ships.
- *   JMAP (v0.9.27), IMAP (v0.9.28), POP3 (v0.9.29), ManageSieve (v0.9.30),
- *   the inbound MX listener (v0.9.24), and the submission listener
- *   (v0.9.25) all translate their protocol calls into `agent.X(args)`.
- *   The agent owns RBAC, posture enforcement, audit emission,
- *   dispatch, and worker isolation; every protocol on top is a thin
- *   shell.
+ *   A mailbox-access facade that owns RBAC, posture enforcement, audit
+ *   emission, dispatch (local / worker-pool / queue), and worker
+ *   isolation around a mail store, so a protocol server built on top
+ *   can stay a thin shell. It is designed to be the shared dispatch
+ *   layer mail-protocol servers route through; today the read surface
+ *   and the mailbox-mutation + Sieve-upload methods are wired, while the
+ *   compose/send and identity/vacation/MDN/export verbs are not yet
+ *   wired into the facade (see below).
  *
- *   `agent.create()` returns the facade. Methods backed by v0.9.19's
- *   `b.mailStore` run immediately; methods that depend on later slices
- *   throw `mail-agent/not-implemented` with a `wiredAt` tag naming the
- *   version that lights them up (defer-with-condition — operator can
- *   match against the tag to scope their integration).
+ *   `agent.create()` returns the facade. Methods backed by
+ *   `b.mailStore` (folders / fetch / search / move / flag / delete /
+ *   expunge, plus `sieve.put`) run immediately. The remaining verbs —
+ *   compose / send / reply / forward, sieve.list / sieve.activate,
+ *   identity / vacation / mdn.*, export / job / import — throw
+ *   `mail-agent/not-implemented`: they are not yet routed through the
+ *   agent. Until they are, compose the underlying primitive directly
+ *   (`b.mail.send.deliver` for outbound, `b.mail.sieve` for Sieve,
+ *   `b.mailMdn` for MDN, etc.) — which is what the framework's own JMAP
+ *   `emailSubmissionSet` handler does. They wire into the facade when a
+ *   protocol server adopts the agent as its dispatch layer.
  *
  *   ```js
  *   var agent = b.mail.agent.create({
@@ -58,9 +65,11 @@
  *   on every entrypoint.
  *
  * @card
- *   The standardization contract for every mail protocol — JMAP / IMAP /
- *   POP3 all translate into `agent.X(args)`. RBAC + posture + audit +
- *   dispatch owned here; protocols on top are thin shells.
+ *   Mailbox-access facade — RBAC + posture + audit + dispatch around a
+ *   mail store, so a protocol server on top stays a thin shell. Read +
+ *   mailbox-mutation + Sieve-upload methods are wired; compose/send and
+ *   identity/vacation/MDN/export verbs compose the underlying primitive
+ *   directly until a protocol server routes them through the agent.
  */
 
 var lazyRequire        = require("./lazy-require");
@@ -118,25 +127,25 @@ var SCOPE_FOR_METHOD = Object.freeze({
   import:           "mail:import",
 });
 
-// Methods deferred behind a `wiredAt` version. Operator gets a clear
-// error pointing at the slice that lights them up — defer-with-
-// condition per the v1-defensible-scope rule.
-var WIRED_AT = Object.freeze({
-  compose:          "v0.9.25",
-  send:             "v0.9.25",
-  reply:            "v0.9.25",
-  forward:          "v0.9.25",
-  "sieve.list":     "v0.9.26",
-  "sieve.put":      "v0.9.26",
-  "sieve.activate": "v0.9.26",
-  "identity.set":   "v0.9.25",
-  "vacation.set":   "v0.9.25",
-  "mdn.send":       "v0.9.25",
-  "mdn.parse":      "v0.9.25",
-  "mdn.allowList":  "v0.9.25",
-  export:           "v0.9.34a",
-  job:              "v0.9.34a",
-  import:           "v0.9.34",
+// Verbs not yet routed through the agent facade. The error points the
+// operator at the underlying primitive to compose directly (the
+// escape hatch) — defer-with-condition: these wire into the agent when
+// a protocol server adopts it as its dispatch layer.
+var COMPOSE_HINT = Object.freeze({
+  compose:          "b.mail.send.deliver",
+  send:             "b.mail.send.deliver",
+  reply:            "b.mail.send.deliver",
+  forward:          "b.mail.send.deliver",
+  "sieve.list":     "b.mail.sieve",
+  "sieve.activate": "b.mail.sieve",
+  "identity.set":   "your identity store + b.mail.sieve",
+  "vacation.set":   "b.mail.sieve (vacation extension)",
+  "mdn.send":       "b.mailMdn",
+  "mdn.parse":      "b.mailMdn",
+  "mdn.allowList":  "b.mailMdn",
+  export:           "b.mailStore / b.auditTools",
+  job:              "the dispatch queue directly",
+  import:           "b.mailStore",
 });
 
 /**
@@ -653,9 +662,10 @@ function _notImplemented(ctx, method, args) {
   // the slice lights up.
   if (ctx.posture) guardMailQuery.validateActor(args && args.actor, ctx.posture);
   _checkPermission(ctx, method, args);
-  ctx.auditEmit("mail.agent.not_implemented", args && args.actor, { method: method, wiredAt: WIRED_AT[method] });
+  ctx.auditEmit("mail.agent.not_implemented", args && args.actor, { method: method, composeDirectly: COMPOSE_HINT[method] });
   return Promise.reject(new MailAgentError("mail-agent/not-implemented",
-    "agent." + method + ": wired at " + WIRED_AT[method] + " (defer-with-condition)"));
+    "agent." + method + " is not yet routed through the agent facade — compose " +
+    COMPOSE_HINT[method] + " directly"));
 }
 
 // ---- Internals ------------------------------------------------------------
@@ -771,7 +781,7 @@ module.exports = {
   consumer:         consumer,
   MailAgentError:   MailAgentError,
   SCOPE_FOR_METHOD: SCOPE_FOR_METHOD,
-  WIRED_AT:         WIRED_AT,
+  COMPOSE_HINT:     COMPOSE_HINT,
   HEAVY_METHODS:    HEAVY_METHODS,
   // Re-export the guard family so callers can introspect without
   // separate requires.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.15",
+  "version": "0.13.16",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:f4f503eb-ba54-47ab-8286-d7c3e006249e",
+  "serialNumber": "urn:uuid:cd0375e1-7520-4024-b6eb-d8c708fc00db",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T16:53:17.354Z",
+    "timestamp": "2026-05-27T17:24:50.447Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.15",
+      "bom-ref": "@blamejs/core@0.13.16",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.15",
+      "version": "0.13.16",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.15",
+      "purl": "pkg:npm/%40blamejs/core@0.13.16",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.15",
+      "ref": "@blamejs/core@0.13.16",
       "dependsOn": []
     }
   ]