@blamejs/core 0.14.16 → 0.14.18

package/lib/external-db.js

@@ -44,6 +44,7 @@ var lazyRequire = require("./lazy-require");
 var { boot } = require("./log");
 var safeAsync = require("./safe-async");
 var safeSql = require("./safe-sql");
+var validateOpts = require("./validate-opts");
 var { ExternalDbError } = require("./framework-error");
 
 var log = boot("external-db");
@@ -61,7 +62,13 @@ function _emitMetric(name, value, labels) {
 // the leading keyword only so an attacker-controlled trailing fragment
 // can't smuggle a false classification. Skips leading whitespace plus
 // SQL line / block comments before reading the keyword.
-var _STATEMENT_CLASS_RE = /^\s*(?:\/\*[\s\S]*?\*\/\s*|--[^\n]*\n\s*)*([A-Za-z]+)/;
+// Linear (non-backtracking) comment/whitespace skip: each iteration of
+// the outer group consumes exactly one whitespace char, one complete
+// block comment (matched with the star-not-slash form, never a lazy
+// `[\s\S]*?`), or one complete line comment — disjoint by first char,
+// so there is no ambiguous repetition for a crafted SQL string of
+// nested `/**/` or `*/--` runs to backtrack on (CWE-1333 ReDoS).
+var _STATEMENT_CLASS_RE = /^(?:\s|\/\*(?:[^*]|\*(?!\/))*\*\/|--[^\n]*\n)*([A-Za-z]+)/;
 var _STATEMENT_CLASS_MAP = Object.freeze({
   SELECT: "SELECT", WITH: "SELECT", VALUES: "SELECT", TABLE: "SELECT",
   INSERT: "DML", UPDATE: "DML", DELETE: "DML", MERGE: "DML", UPSERT: "DML",
@@ -83,6 +90,61 @@ function _classifyStatement(sql) {
   return _STATEMENT_CLASS_MAP[m[1].toUpperCase()] || "OTHER";
 }
 
+// ---- OpenTelemetry database-client semantic conventions ----
+//
+// db.* span / metric attributes on the query / transaction / read emit
+// paths, so dashboards built on the OTel semconv correlate external-db
+// activity without a per-framework adapter. The DDL-audit side already
+// stamps these on db.ddl.executed; this mirrors the shape on the data
+// path. Reference: OpenTelemetry semantic conventions for database
+// client calls (db.system / db.operation / db.statement / db.name).
+//
+// db.system is the OTel-registered identifier for the DBMS — it is NOT
+// the framework's dialect string (Postgres is "postgresql" in the
+// registry, not "postgres"). Unknown dialects fall through to the
+// "other_sql" registry value.
+var _OTEL_DB_SYSTEM = Object.freeze({
+  postgres: "postgresql",
+  mysql:    "mysql",
+  sqlite:   "sqlite",
+  mongodb:  "mongodb",
+  other:    "other_sql",
+});
+
+// db.operation is the leading SQL keyword (SELECT / INSERT / BEGIN /
+// ...), uppercased — the OTel-conventional operation name, distinct
+// from the coarser forensic statement CLASS (_classifyStatement).
+// Reuses the comment-skipping leading-keyword regex; defensive reader,
+// returns null on anything unparseable so the attribute is simply
+// omitted rather than carrying a partial fragment.
+function _otelOperation(sql) {
+  if (typeof sql !== "string" || sql.length === 0) return null;
+  var m = _STATEMENT_CLASS_RE.exec(sql);
+  if (!m) return null;
+  return m[1].toUpperCase();
+}
+
+// db.system / db.operation / db.name carry no statement text and are
+// always emitted. db.statement is the SQL text — bound parameter values
+// are passed out-of-band to the driver (never folded in), but a caller
+// that inlines literals can still embed PII / secrets in the statement.
+// So db.statement is gated behind the SAME opts.includeSqlInAudit
+// opt-out that governs the raw `sql` audit field: the OTel attribute
+// must never re-expose statement text the operator opted out of. When
+// included it is truncated to the framework's 256-char log length.
+function _otelDbAttributes(b, sql, includeStatement) {
+  var attrs = {
+    "db.system":    _OTEL_DB_SYSTEM[b.dialect] || "other_sql",
+    "db.name":      b.name,
+  };
+  var op = _otelOperation(sql);
+  if (op !== null) attrs["db.operation"] = op;
+  if (includeStatement) {
+    attrs["db.statement"] = String(sql == null ? "" : sql).slice(0, 256);   // log-truncation length, not bytes
+  }
+  return attrs;
+}
+
 // Best-effort target-relation extractor for auth-failure forensics: the
 // table the denied role attempted to touch, so the audit row records
 // the OBJECT (SOC2 CC7.2 / NIST SP 800-53 AU-3 "what was accessed"),
@@ -321,6 +383,16 @@ class Pool {
  * `residencyTag` in the allowed-region list — refused with
  * `RESIDENCY_VIOLATION` when not.
  *
+ * Opt-in transport posture: set `requireTls: true` on a backend to
+ * refuse it at config time (`TLS_REQUIRED`) unless its declared
+ * transport is encrypted (`tls: true`, an `ssl` object, or
+ * `sslmode: "require" | "verify-ca" | "verify-full"`). `sslmode` values
+ * that permit a plaintext fallback (`prefer` / `allow` / `disable`) are
+ * refused. The gate is OFF by default — a backend that omits
+ * `requireTls` is used exactly as supplied, with no transport check.
+ * Mandated for cardholder data by PCI-DSS v4.0 Req 4 and for ePHI by
+ * HIPAA §164.312(e).
+ *
  * @opts
  *   backends:        { [name]: BackendConfig },   // required; one or more named backends
  *   defaultBackend?: string,                      // pool used when no opts.backend / classification / role match (defaults to first)
@@ -333,6 +405,8 @@ class Pool {
  *   //   ping(client):         async → void                             (optional; default `SELECT 1`)
  *   //   beginTx / commit / rollback(client):  async → void             (optional; default `BEGIN`/`COMMIT`/`ROLLBACK`)
  *   //   dialect:              "postgres" | "mysql" | "sqlite" | "mongodb" | "other"  (default "postgres")
+ *   //   requireTls:           boolean                                  (opt-in TLS posture gate; default off — see below)
+ *   //   tls / ssl / sslmode:  transport-TLS declaration consulted by requireTls (tls:true | ssl:<obj> | sslmode:"require"|"verify-ca"|"verify-full")
  *   //   applicationName:      string ≤ 63 bytes, no CR/LF/NUL          (Postgres pg_stat_activity tag; default null)
  *   //   pool:                 { min, max, idleTimeoutMs }              (defaults: 1 / 10 / C.TIME.minutes(1))
  *   //   classifications:      string[]                                 (defaults to ["*"])
@@ -387,6 +461,8 @@ function init(opts) {
         "backend '" + name + "': dialect must be one of " +
         "'postgres' | 'mysql' | 'sqlite' | 'mongodb' | 'other', got '" + dialect + "'", true);
     }
+    // requireTls posture gate (opt-in; default OFF → no behavior change).
+    _assertConnectionTls(name, cfg);
     // OWASP-3 — application_name normalization for Postgres backends.
     // Always set on every fresh connection (not just connectAs branch)
     // so pg_stat_activity / log_line_prefix / audit log surfaces show
@@ -506,6 +582,76 @@ function init(opts) {
   initialized = true;
 }
 
+// ---- requireTls posture gate (opt-in) ----
+//
+// PCI-DSS v4.0 Requirement 4 (protect cardholder data with strong
+// cryptography during transmission over open networks) and HIPAA
+// §164.312(e)(1) (transmission security — encrypt ePHI in transit)
+// both require that the connection between the app and an external
+// database is encrypted. The framework does not open the connection
+// itself — the operator supplies the driver via connect() — so the
+// posture is declared on the backend config and enforced at config
+// time.
+//
+// Default: OFF. A backend that does not set requireTls behaves exactly
+// as before — the operator-supplied connection is used as-is with no
+// gate. When requireTls is true, init() refuses the backend unless its
+// declared transport is TLS, surfacing the misconfiguration at boot
+// rather than letting plaintext credentials/PHI ride an open network.
+//
+// TLS posture is declared via any of (mirroring libpq SSLMODE / common
+// driver shapes):
+//   - tls: true                         — explicit boolean
+//   - ssl: <truthy>                      — node-postgres / mysql2 ssl object
+//   - sslmode: "require" | "verify-ca" | "verify-full"
+//
+// libpq SSLMODE semantics: only require / verify-ca / verify-full
+// GUARANTEE an encrypted channel. "prefer" and "allow" fall back to
+// plaintext when the server declines TLS, and "disable" never
+// encrypts — none of those satisfy a "must be encrypted" posture, so
+// they are refused under requireTls.
+var _TLS_GUARANTEED_SSLMODES = Object.freeze({
+  require:       true,
+  "verify-ca":   true,
+  "verify-full": true,
+});
+var _TLS_PLAINTEXT_SSLMODES = Object.freeze({
+  disable: true,
+  allow:   true,
+  prefer:  true,
+});
+
+function _declaresTls(cfg) {
+  if (cfg.tls === true) return true;
+  if (cfg.ssl !== undefined && cfg.ssl !== null && cfg.ssl !== false) return true;
+  if (typeof cfg.sslmode === "string") {
+    return _TLS_GUARANTEED_SSLMODES[cfg.sslmode.toLowerCase()] === true;
+  }
+  return false;
+}
+
+function _assertConnectionTls(name, cfg) {
+  // Opt-in: absent requireTls → no gate, no behavior change.
+  if (cfg.requireTls === undefined || cfg.requireTls === null) return;
+  validateOpts.optionalBoolean(cfg.requireTls,
+    "backend '" + name + "': requireTls", ExternalDbError, "INVALID_CONFIG");
+  if (cfg.requireTls !== true) return;
+  if (_declaresTls(cfg)) return;
+  var declared;
+  if (typeof cfg.sslmode === "string" && _TLS_PLAINTEXT_SSLMODES[cfg.sslmode.toLowerCase()]) {
+    declared = "sslmode '" + cfg.sslmode +
+      "' permits a plaintext fallback (only 'require' / 'verify-ca' / 'verify-full' guarantee encryption)";
+  } else if (cfg.tls === false || cfg.ssl === false) {
+    declared = "transport is declared non-TLS (tls/ssl is false)";
+  } else {
+    declared = "no TLS transport is declared (set tls: true, an ssl object, or sslmode: 'require' / 'verify-ca' / 'verify-full')";
+  }
+  throw _err("TLS_REQUIRED",
+    "backend '" + name + "': requireTls is set but " + declared +
+    ". PCI-DSS v4.0 Req 4 / HIPAA §164.312(e) require an encrypted channel " +
+    "for cardholder data / ePHI in transit.", true);
+}
+
 function _validateResidency() {
   var residency;
   try { residency = db().getDataResidency(); } catch (_e) { residency = null; }
@@ -634,7 +780,7 @@ async function query(sql, params, opts) {
     }, b.retryConfig);
 
     var durationMs = Date.now() - t0;
-    _emit("system.externaldb.query", "success", {
+    _emit("system.externaldb.query", "success", Object.assign({
       backend:        b.name,
       role:           role,
       durationMs:     durationMs,
@@ -645,7 +791,7 @@ async function query(sql, params, opts) {
       // metadata pass opts.includeSqlInAudit: true (then sealed via
       // field-crypto on the audit row).
       sql:            opts.includeSqlInAudit ? sql : null,
-    });
+    }, _otelDbAttributes(b, sql, opts.includeSqlInAudit)));
     _emitMetric("externaldb.query.success", 1,
       { backend: b.name, role: role || "(none)" });
     _emitMetric("externaldb.query.duration_ms", durationMs,
@@ -654,13 +800,13 @@ async function query(sql, params, opts) {
     return result;
   } catch (e) {
     var failureMs = Date.now() - t0;
-    _emit("system.externaldb.query", "failure", {
+    _emit("system.externaldb.query", "failure", Object.assign({
       backend:        b.name,
       role:           role,
       durationMs:     failureMs,
       classification: opts.classification || null,
       errorCode:      e.code || null,
-    }, (e && e.message) || String(e));
+    }, _otelDbAttributes(b, sql, opts.includeSqlInAudit)), (e && e.message) || String(e));
     _emitMetric("externaldb.query.failure", 1,
       { backend: b.name, role: role || "(none)", errorCode: e.code || "(none)" });
     _emitSlowQuery(b.name, role, failureMs, _classifyStatement(sql));
@@ -787,10 +933,15 @@ async function transaction(fn, opts) {
           await b.commit(client);
           committed = true;
           var durationMs = Date.now() - t0;
-          _emit("system.externaldb.transaction", "success", {
+          // OTel db.* semconv on the transaction span. The body runs N
+          // statements via tx.query; the span describes the unit of work,
+          // so db.operation reads "BEGIN" (the OTel-conventional marker
+          // for a transaction-scoped span) rather than any one inner
+          // statement.
+          _emit("system.externaldb.transaction", "success", Object.assign({
             backend: b.name, role: role, durationMs: durationMs,
             classification: opts.classification || null,
-          });
+          }, _otelDbAttributes(b, "BEGIN", opts.includeSqlInAudit)));
           _emitMetric("externaldb.transaction.success", 1,
             { backend: b.name, role: role || "(none)" });
           _emitMetric("externaldb.transaction.duration_ms", durationMs,
@@ -807,11 +958,11 @@ async function transaction(fn, opts) {
             continue;
           }
           var failureMs = Date.now() - t0;
-          _emit("system.externaldb.transaction", "failure", {
+          _emit("system.externaldb.transaction", "failure", Object.assign({
             backend: b.name, role: role, durationMs: failureMs,
             classification: opts.classification || null,
             errorCode: txErr.code || null,
-          }, (txErr && txErr.message) || String(txErr));
+          }, _otelDbAttributes(b, "BEGIN", opts.includeSqlInAudit)), (txErr && txErr.message) || String(txErr));
           _emitMetric("externaldb.transaction.failure", 1,
             { backend: b.name, role: role || "(none)", errorCode: txErr.code || "(none)" });
           if (txErr && txErr.code === "42501") {
@@ -1202,13 +1353,13 @@ async function _readQuery(sql, params, opts) {
       replica.pool.release(client);
       replica.consecutiveFailures = 0;
       var durationMs = Date.now() - t0;
-      _emit("system.externaldb.read", "success", {
+      _emit("system.externaldb.read", "success", Object.assign({
         backend:    b.name,
         role:       role,
         replicaIdx: replica.index,
         durationMs: durationMs,
         rowCount:   res && res.rowCount,
-      });
+      }, _otelDbAttributes(b, sql, opts.includeSqlInAudit)));
       _emitMetric("externaldb.read.success", 1,
         { backend: b.name, role: role || "(none)", replicaIdx: replica.index });
       _emitMetric("externaldb.read.duration_ms", durationMs,
@@ -1228,13 +1379,13 @@ async function _readQuery(sql, params, opts) {
       throw e;
     }
   } catch (e) {
-    _emit("system.externaldb.read", "failure", {
+    _emit("system.externaldb.read", "failure", Object.assign({
       backend:    b.name,
       role:       role,
       replicaIdx: replica.index,
       durationMs: Date.now() - t0,
       errorCode:  e.code || null,
-    }, (e && e.message) || String(e));
+    }, _otelDbAttributes(b, sql, opts.includeSqlInAudit)), (e && e.message) || String(e));
     _emitMetric("externaldb.read.failure", 1,
       { backend: b.name, role: role || "(none)", errorCode: e.code || "(none)" });
     if (e && e.code === "42501") {

package/lib/guard-email.js

@@ -6,8 +6,9 @@
  *
  * @intro
  *   RFC 822 / 5322 single-address validator + RFC 5322 message gate
- *   with header-injection defense, EAI / SMTPUTF8 support, label
- *   length caps, IP-literal denial, and sub-address handling.
+ *   with header-injection defense, domain-side IDN / Punycode
+ *   handling, mixed-script confusable detection, label length caps,
+ *   IP-literal denial, and sub-address handling.
  *
  *   Two entry shapes:
  *     - `validateAddress(addr, opts)` — single mailbox (RFC 5321
@@ -15,6 +16,20 @@
  *       domain 255 / address 320. Flags multi-`@`, IP literals,
  *       Punycode, mixed-script confusables, and codepoint-class
  *       threats (BIDI / control / null / zero-width).
+ *
+ *   Scope of Unicode handling: the DOMAIN side recognizes IDN /
+ *   Punycode (`xn--`) labels and mixed-script confusables, gated by
+ *   `allowedScripts` (RFC 5890 / RFC 5891). The LOCAL part is
+ *   ASCII atext only (RFC 5321 §4.1.2 / RFC 5322 §3.2.3) — a unicode
+ *   mailbox (RFC 6531 SMTPUTF8 / EAI) is NOT accepted and surfaces as
+ *   an `address-syntax` issue. This is deliberate: a unicode
+ *   local-part widens the homograph / confusable attack surface
+ *   beyond the domain (where registry IDN policy and Punycode
+ *   normalization apply) into the unregulated mailbox name, where no
+ *   equivalent normalization authority exists. RFC 6531 local-part
+ *   acceptance re-opens behind an explicit `allowUnicodeLocalPart`
+ *   opt-in when operator demand for genuine EAI mailboxes lands;
+ *   until then the conservative ASCII contract holds by default.
  *     - `validateMessage(rfc822, opts)` — full RFC 5322 message.
  *       Splits header section, unfolds folded headers, walks every
  *       single-line header for embedded CR/LF, drives address checks
@@ -32,7 +47,7 @@
  *   sanitization is safe.
  *
  * @card
- *   RFC 822 / 5322 single-address validator + RFC 5322 message gate with header-injection defense, EAI / SMTPUTF8 support, label length caps, IP-literal denial, and sub-address handling.
+ *   RFC 822 / 5322 single-address validator + RFC 5322 message gate with header-injection defense, domain-side IDN / Punycode and mixed-script confusable detection (ASCII-only local-part), label length caps, IP-literal denial, and sub-address handling.
  */
 
 var codepointClass = require("./codepoint-class");
@@ -99,6 +114,15 @@ function _hasCrlfInHeaderValue(value) {
 // can produce a useful local-part-cap issue (instead of failing the
 // regex first and surfacing address-syntax). RFC 5321 cap is enforced
 // downstream via opts.maxLocalPartBytes.
+//
+// The local-part class is ASCII atext only — the printable-ASCII set
+// of RFC 5321 §4.1.2 / RFC 5322 §3.2.3. A unicode (non-ASCII)
+// local-part per RFC 6531 (SMTPUTF8 / EAI) is intentionally NOT
+// matched: it fails this regex and surfaces as an `address-syntax`
+// issue. Domain-side Unicode is handled separately (Punycode + mixed-
+// script detection, gated by allowedScripts). Keeping the local-part
+// ASCII avoids extending homograph / confusable exposure into the
+// mailbox name, which has no registry-level normalization authority.
 var _LOCAL = "[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+";
 var _LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
 var _DOMAIN = "(?:" + _LABEL + "(?:\\." + _LABEL + ")+)";
@@ -445,6 +469,15 @@ function _detectAddressIssues(input, opts) {
  * Cyrillic / Greek / Armenian / Cherokee), strict-ASCII regex shape,
  * and codepoint-class threats (BIDI / null / control / zero-width).
  *
+ * The local-part is validated as ASCII atext only (RFC 5321 §4.1.2 /
+ * RFC 5322 §3.2.3). A unicode local-part (RFC 6531 SMTPUTF8 / EAI)
+ * is rejected as an `address-syntax` issue — keeping the mailbox name
+ * ASCII bounds homograph / confusable exposure to the domain side,
+ * where Punycode normalization and `allowedScripts` gating apply.
+ * RFC 6531 local-part acceptance re-opens behind a future explicit
+ * `allowUnicodeLocalPart` opt-in on operator demand. Domain-side
+ * IDN / Punycode and mixed-script handling are already supported.
+ *
  * @opts
  *   profile:                 "strict" | "balanced" | "permissive",
  *   compliancePosture:       "hipaa" | "pci-dss" | "gdpr" | "soc2",

package/lib/http-client.js

@@ -378,6 +378,39 @@ function _isPermanentStatus(statusCode) {
   return false;
 }
 
+// Reject a streamed non-2xx response, preserving a bounded prefix of the
+// error body (problem+json / encrypted error) on err.body instead of
+// silently draining it.
+function _rejectStreamHttpError(stream, errorClass, statusCode, statusMessage, reject) {
+  var cap = C.BYTES.kib(16);
+  var collector = safeBuffer.boundedChunkCollector({ maxBytes: cap });
+  var done = false;
+  function finish() {
+    if (done) return;
+    done = true;
+    var e = _makeError(errorClass, "HTTP_ERROR",
+      "HTTP " + statusCode + (statusMessage ? " " + statusMessage : ""),
+      _isPermanentStatus(statusCode), statusCode);
+    e.body = collector.result();
+    reject(e);
+  }
+  // Collect at most `cap` bytes of the error body, slicing each chunk to the
+  // remaining room so the bounded collector never overflows. As soon as the
+  // prefix is full, reject + destroy the stream — don't leave the request
+  // promise pending while a large / slow error body drains to its close.
+  stream.on("data", function (c) {
+    if (done) return;
+    var room = cap - collector.bytesCollected();
+    if (room > 0) collector.push(c.length > room ? c.subarray(0, room) : c);
+    if (collector.bytesCollected() >= cap) {
+      if (typeof stream.destroy === "function") stream.destroy();
+      finish();
+    }
+  });
+  stream.on("end", finish);
+  stream.on("error", finish);
+}
+
 // h2 sends headers as lowercased keys plus :method / :path / :scheme /
 // :authority pseudo-headers. Convert from h1-shaped headers.
 function _toH2Headers(method, u, headers) {
@@ -1421,10 +1454,8 @@ function _requestH1(transport, u, opts) {
 
       if (responseMode === "stream") {
         if (res.statusCode >= 400 && responseMode !== "always-resolve") {
-          res.resume();
-          return _reject(_makeError(opts.errorClass, "HTTP_ERROR",
-            "HTTP " + res.statusCode + " " + (res.statusMessage || ""),
-            _isPermanentStatus(res.statusCode), res.statusCode));
+          _rejectStreamHttpError(res, opts.errorClass, res.statusCode, res.statusMessage || "", _reject);
+          return;
         }
         if (onDownloadProgress || onChunk) {
           // Wrap the stream so chunks emit progress + onChunk to the
@@ -1639,9 +1670,8 @@ function _requestH2(transport, u, opts) {
 
       if (responseMode === "stream") {
         if (statusCode >= 400 && responseMode !== "always-resolve") {
-          stream.resume();
-          return _reject(_makeError(opts.errorClass, "HTTP_ERROR",
-            "HTTP " + statusCode, _isPermanentStatus(statusCode), statusCode));
+          _rejectStreamHttpError(stream, opts.errorClass, statusCode, "", _reject);
+          return;
         }
         if (onChunkH2) {
           var passthroughH2 = new nodeStream.PassThrough();

package/lib/mail-send-deliver.js

@@ -256,10 +256,10 @@ async function _applyMtaStsPolicy(domain, mxs, policyMode, auditEmit) {
 // The primitive composes the lookup; per-cert chain verification is
 // the operator's responsibility (or future b.network.smtp.policy.dane.
 // verifyChain extension).
-async function _fetchDaneTlsa(mxHost, daneMode, auditEmit) {
+async function _fetchDaneTlsa(mxHost, port, daneMode, auditEmit) {
   if (daneMode === "off") return null;
   try {
-    var tlsa = await smtpPolicy().dane.tlsa(mxHost, DEFAULT_PORT_SMTP);
+    var tlsa = await smtpPolicy().dane.tlsa(mxHost, port || DEFAULT_PORT_SMTP);
     return tlsa && tlsa.length > 0 ? tlsa : null;
   } catch (e) {
     auditEmit("mail.send.deliver.dane.skip", "warn",
@@ -281,7 +281,7 @@ async function _tryHost(envelope, mxHost, hostnameLocal, opts) {
   var factory = opts.transportFactory || mailModule().smtpTransport;
   var transport = factory({
     host:         mxHost,
-    port:         DEFAULT_PORT_SMTP,
+    port:         opts.port || DEFAULT_PORT_SMTP,
     ehloName:     hostnameLocal,
     timeoutMs:    opts.perHostTimeoutMs || DEFAULT_PER_HOST_TIMEOUT_MS,
     requireTls:   envelope.requireTls === true,
@@ -327,7 +327,7 @@ async function _deliverOne(envelope, recipient, ctx) {
     // composes directly into smtpTransport.dane); this branch carries
     // the discovery so the audit chain records the policy posture
     // applied to each delivery attempt.
-    await _fetchDaneTlsa(mx.exchange, ctx.policy.dane, ctx.auditEmit);
+    await _fetchDaneTlsa(mx.exchange, ctx.port, ctx.policy.dane, ctx.auditEmit);
     try {
       var rv = await _tryHost({
         from:       envelope.from,
@@ -396,6 +396,7 @@ async function _deliverOne(envelope, recipient, ctx) {
  *
  * @opts
  *   hostname:   string,                    // required — local hostname for HELO/EHLO + DSN Reporting-MTA
+ *   port:       number,                    // default 25 (IANA SMTP, RFC 5321) — set 587 (RFC 6409 submission) or 465 (RFC 8314 implicit-TLS) for a smarthost relay
  *   resolver:   object | null,             // optional — b.network.dns.resolver handle; falls back to node:dns when omitted
  *   policy: {
  *     mtaSts:   "enforce" | "testing" | "off",  // default "enforce" — RFC 8461 posture
@@ -438,11 +439,19 @@ function create(opts) {
     throw new DeliverError("deliver/bad-opts", "mail.send.deliver.create: opts is required");
   }
   validateOpts(opts,
-    ["hostname", "resolver", "policy", "retry", "dsn", "timeouts", "audit", "transportFactory"],
+    ["hostname", "resolver", "policy", "retry", "dsn", "timeouts", "audit", "transportFactory", "port"],
     "mail.send.deliver.create");
   validateOpts.requireNonEmptyString(opts.hostname,
     "mail.send.deliver.create: hostname (local HELO/EHLO + DSN Reporting-MTA)",
     DeliverError, "deliver/bad-hostname");
+  // Submission/smarthost relays listen on 587 (RFC 6409) or implicit-TLS
+  // 465 (RFC 8314) rather than the IANA SMTP port 25 (RFC 5321 §2.3.4)
+  // that direct MX delivery uses. Operators routing through such a relay
+  // set opts.port; the value is range-checked here (RFC 6335 §6) so a
+  // typo fails at config time, not on the first connect attempt.
+  validateOpts.optionalPort(opts.port,
+    "mail.send.deliver.create: port", DeliverError, "deliver/bad-port");
+  var port = opts.port || DEFAULT_PORT_SMTP;
 
   var policy = opts.policy || {};
   validateOpts(policy, ["mtaSts", "dane"], "mail.send.deliver.create.policy");
@@ -516,6 +525,7 @@ function create(opts) {
       resolver:           opts.resolver || null,
       policy:             { mtaSts: policyMtaSts, dane: policyDane },
       hostname:           opts.hostname,
+      port:               port,
       mxLookupTimeoutMs:  mxLookupTimeoutMs,
       perHostTimeoutMs:   perHostTimeoutMs,
       transportFactory:   opts.transportFactory || null,

package/lib/mail-sieve.js

@@ -61,6 +61,7 @@ var safeSieve = require("./safe-sieve");
 var { defineClass } = require("./framework-error");
 var numericBounds = require("./numeric-bounds");
 var validateOpts = require("./validate-opts");
+var codepointClass = require("./codepoint-class");
 
 var MailSieveError = defineClass("MailSieveError", { alwaysPermanent: true });
 
@@ -122,7 +123,7 @@ function _envelopeAddresses(env, key) {
 // ---- match-type ---------------------------------------------------------
 
 function _escapeRe(s) {
-  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return codepointClass.escapeRegExp(s);
 }
 
 function _wildcardToRe(pattern, caseInsensitive) {

package/lib/middleware/ai-act-disclosure.js

@@ -19,9 +19,14 @@
  *   - "html"               — when the response Content-Type is HTML,
  *                            injects a <div role="status" ...> banner
  *                            immediately after the <body> tag plus a
- *                            <meta> tag inside <head>. Skipped when
- *                            response is already past headers OR not
- *                            text/html.
+ *                            <meta> tag inside <head>. Handles both a
+ *                            string and a Buffer body (the common server-
+ *                            render path); a Buffer is decoded under the
+ *                            response charset, injected, and re-encoded
+ *                            for utf-8 / ascii / latin1. Other charsets
+ *                            warn once and serve the original bytes (the
+ *                            disclosure headers still carry the notice).
+ *                            Skipped when the response is not text/html.
  *
  * The middleware does NOT alter the response when:
  *   - response status >= 400 (operator's error pages stay clean)
@@ -41,6 +46,24 @@ var requestHelpers = require("../request-helpers");
 
 var aiActMod  = lazyRequire(function () { return require("../compliance-ai-act"); });
 var audit     = lazyRequire(function () { return require("../audit"); });
+var logger    = lazyRequire(function () { return require("../log").boot("ai-act-disclosure"); });
+
+// Charsets whose byte<->string round-trip is lossless for the inject
+// operation: utf-8 (and its ascii / latin1 subsets, which Node decodes
+// byte-for-byte). Other charsets (utf-16le, big5, gb18030, …) are not
+// safe to decode→inject→re-encode without a transcoder we don't vendor,
+// so the Buffer path warns once and serves the original bytes untouched
+// rather than risk corrupting the page.
+var SAFE_INJECT_ENCODINGS = { "utf-8": "utf8", "utf8": "utf8", "us-ascii": "utf8", "ascii": "utf8", "latin1": "latin1", "iso-8859-1": "latin1" };
+
+// Read the charset token out of a Content-Type header, lowercased and
+// stripped of surrounding quotes. Returns "" when absent (the caller
+// treats a missing charset as the HTML default, utf-8).
+function _charsetOf(contentType) {
+  if (typeof contentType !== "string") return "";
+  var m = /;\s*charset\s*=\s*"?([^";]+)"?/i.exec(contentType);
+  return m ? m[1].trim().toLowerCase() : "";
+}
 
 /**
  * @primitive b.middleware.aiActDisclosure
@@ -53,7 +76,10 @@ var audit     = lazyRequire(function () { return require("../audit"); });
  * responses. In `mode: "header"` (default) it sets `AI-Act-Notice` and
  * `AI-Act-Article` response headers — cheapest, works for both JSON
  * and HTML. In `mode: "html"` it additionally inserts a status banner
- * after `<body>` and a `<meta>` inside `<head>` for HTML responses.
+ * after `<body>` for HTML responses, handling both a string and a
+ * Buffer body (a Buffer is decoded under the response charset, injected,
+ * and re-encoded for utf-8 / ascii / latin1; other charsets warn once
+ * and serve the original bytes with the disclosure headers still set).
  * Skips error pages, redirects, requests bearing the configured
  * skip-header, and responses opted out via `res.locals.aiActSkip`.
  * Emits `compliance.aiact.disclosed` audits on success.
@@ -138,22 +164,29 @@ function create(opts) {
       res.end = function (chunk, encoding) {
         try {
           var ctype = (res.getHeader && res.getHeader("Content-Type")) || "";
-          if (typeof ctype === "string" && ctype.indexOf("text/html") !== -1 &&
-              chunk && Buffer.isBuffer(chunk) === false &&
-              typeof chunk === "string") {
-            var bannerHtml = aiActMod().transparency.htmlBanner({
-              kind: opts.kind || "ai-interaction",
-              lang: opts.lang || "en",
-            });
-            // Inject after <body> if present, else prepend.
-            var bodyOpen = chunk.indexOf("<body");
-            if (bodyOpen !== -1) {
-              var afterTag = chunk.indexOf(">", bodyOpen);
-              if (afterTag !== -1) {
-                chunk = chunk.slice(0, afterTag + 1) + bannerHtml + chunk.slice(afterTag + 1);
+          if (typeof ctype === "string" && ctype.indexOf("text/html") !== -1 && chunk) {
+            if (typeof chunk === "string") {
+              chunk = _injectBanner(chunk, opts);
+            } else if (Buffer.isBuffer(chunk)) {
+              // res.end(Buffer.from(html)) is the common server-render path
+              // (b.render serves a Buffer). Decode under the response charset,
+              // inject the Art. 50 banner, re-encode — but only for charsets
+              // whose round-trip is lossless. Unknown charsets warn once and
+              // serve the original bytes (no transcoder is vendored).
+              var charset = _charsetOf(ctype) || "utf-8";
+              var nodeEnc = SAFE_INJECT_ENCODINGS[charset];
+              if (nodeEnc) {
+                var injected = _injectBanner(chunk.toString(nodeEnc), opts);
+                chunk = Buffer.from(injected, nodeEnc);
+                // Content-Length, if the operator pre-set it, now understates
+                // the body — clear it so the runtime recomputes / chunks.
+                if (res.getHeader && res.getHeader("Content-Length") != null &&
+                    typeof res.removeHeader === "function") {
+                  res.removeHeader("Content-Length");
+                }
+              } else {
+                _warnUnsafeCharset(charset);
               }
-            } else {
-              chunk = bannerHtml + chunk;
             }
           }
         } catch (_e) { /* injection best-effort */ }
@@ -186,6 +219,42 @@ function create(opts) {
   };
 }
 
+// Insert the EU AI Act Art. 50 status banner into an HTML string. The
+// banner goes immediately after the opening <body> tag when present, else
+// it is prepended. Returns the original string unchanged on any builder
+// error (best-effort injection — the disclosure header still carries the
+// machine-readable notice).
+function _injectBanner(html, opts) {
+  var bannerHtml = aiActMod().transparency.htmlBanner({
+    kind: opts.kind || "ai-interaction",
+    lang: opts.lang || "en",
+  });
+  var bodyOpen = html.indexOf("<body");
+  if (bodyOpen !== -1) {
+    var afterTag = html.indexOf(">", bodyOpen);
+    if (afterTag !== -1) {
+      return html.slice(0, afterTag + 1) + bannerHtml + html.slice(afterTag + 1);
+    }
+  }
+  return bannerHtml + html;
+}
+
+// Warn once per process per charset that a Buffer HTML body in an
+// unsupported charset was served without the banner injected, so an
+// operator can switch the response to utf-8 (or accept the header-only
+// disclosure). Drop-silent if the logger is unavailable.
+var _warnedCharsets = Object.create(null);
+function _warnUnsafeCharset(charset) {
+  if (_warnedCharsets[charset]) return;
+  _warnedCharsets[charset] = true;
+  try {
+    logger().warn("ai-act-disclosure: HTML response body is a Buffer in charset '" +
+      charset + "'; the Art. 50 banner was not injected (no transcoder for that " +
+      "charset). The disclosure headers are still set. Serve text/html as utf-8 to " +
+      "get the in-page banner.");
+  } catch (_e) { /* drop-silent — logger optional */ }
+}
+
 function _articleFor(kind) {
   switch (kind) {
     case "ai-interaction":            return "Art. 50(1)";