@blamejs/core 0.14.17 → 0.14.19

package/lib/mail-send-deliver.js

@@ -256,10 +256,10 @@ async function _applyMtaStsPolicy(domain, mxs, policyMode, auditEmit) {
 // The primitive composes the lookup; per-cert chain verification is
 // the operator's responsibility (or future b.network.smtp.policy.dane.
 // verifyChain extension).
-async function _fetchDaneTlsa(mxHost, daneMode, auditEmit) {
+async function _fetchDaneTlsa(mxHost, port, daneMode, auditEmit) {
   if (daneMode === "off") return null;
   try {
-    var tlsa = await smtpPolicy().dane.tlsa(mxHost, DEFAULT_PORT_SMTP);
+    var tlsa = await smtpPolicy().dane.tlsa(mxHost, port || DEFAULT_PORT_SMTP);
     return tlsa && tlsa.length > 0 ? tlsa : null;
   } catch (e) {
     auditEmit("mail.send.deliver.dane.skip", "warn",
@@ -281,7 +281,7 @@ async function _tryHost(envelope, mxHost, hostnameLocal, opts) {
   var factory = opts.transportFactory || mailModule().smtpTransport;
   var transport = factory({
     host:         mxHost,
-    port:         DEFAULT_PORT_SMTP,
+    port:         opts.port || DEFAULT_PORT_SMTP,
     ehloName:     hostnameLocal,
     timeoutMs:    opts.perHostTimeoutMs || DEFAULT_PER_HOST_TIMEOUT_MS,
     requireTls:   envelope.requireTls === true,
@@ -327,7 +327,7 @@ async function _deliverOne(envelope, recipient, ctx) {
     // composes directly into smtpTransport.dane); this branch carries
     // the discovery so the audit chain records the policy posture
     // applied to each delivery attempt.
-    await _fetchDaneTlsa(mx.exchange, ctx.policy.dane, ctx.auditEmit);
+    await _fetchDaneTlsa(mx.exchange, ctx.port, ctx.policy.dane, ctx.auditEmit);
     try {
       var rv = await _tryHost({
         from:       envelope.from,
@@ -396,6 +396,7 @@ async function _deliverOne(envelope, recipient, ctx) {
  *
  * @opts
  *   hostname:   string,                    // required — local hostname for HELO/EHLO + DSN Reporting-MTA
+ *   port:       number,                    // default 25 (IANA SMTP, RFC 5321) — set 587 (RFC 6409 submission) or 465 (RFC 8314 implicit-TLS) for a smarthost relay
  *   resolver:   object | null,             // optional — b.network.dns.resolver handle; falls back to node:dns when omitted
  *   policy: {
  *     mtaSts:   "enforce" | "testing" | "off",  // default "enforce" — RFC 8461 posture
@@ -438,11 +439,19 @@ function create(opts) {
     throw new DeliverError("deliver/bad-opts", "mail.send.deliver.create: opts is required");
   }
   validateOpts(opts,
-    ["hostname", "resolver", "policy", "retry", "dsn", "timeouts", "audit", "transportFactory"],
+    ["hostname", "resolver", "policy", "retry", "dsn", "timeouts", "audit", "transportFactory", "port"],
     "mail.send.deliver.create");
   validateOpts.requireNonEmptyString(opts.hostname,
     "mail.send.deliver.create: hostname (local HELO/EHLO + DSN Reporting-MTA)",
     DeliverError, "deliver/bad-hostname");
+  // Submission/smarthost relays listen on 587 (RFC 6409) or implicit-TLS
+  // 465 (RFC 8314) rather than the IANA SMTP port 25 (RFC 5321 §2.3.4)
+  // that direct MX delivery uses. Operators routing through such a relay
+  // set opts.port; the value is range-checked here (RFC 6335 §6) so a
+  // typo fails at config time, not on the first connect attempt.
+  validateOpts.optionalPort(opts.port,
+    "mail.send.deliver.create: port", DeliverError, "deliver/bad-port");
+  var port = opts.port || DEFAULT_PORT_SMTP;
 
   var policy = opts.policy || {};
   validateOpts(policy, ["mtaSts", "dane"], "mail.send.deliver.create.policy");
@@ -516,6 +525,7 @@ function create(opts) {
       resolver:           opts.resolver || null,
       policy:             { mtaSts: policyMtaSts, dane: policyDane },
       hostname:           opts.hostname,
+      port:               port,
       mxLookupTimeoutMs:  mxLookupTimeoutMs,
       perHostTimeoutMs:   perHostTimeoutMs,
       transportFactory:   opts.transportFactory || null,

package/lib/mail-sieve.js

@@ -61,6 +61,7 @@ var safeSieve = require("./safe-sieve");
 var { defineClass } = require("./framework-error");
 var numericBounds = require("./numeric-bounds");
 var validateOpts = require("./validate-opts");
+var codepointClass = require("./codepoint-class");
 
 var MailSieveError = defineClass("MailSieveError", { alwaysPermanent: true });
 
@@ -122,7 +123,7 @@ function _envelopeAddresses(env, key) {
 // ---- match-type ---------------------------------------------------------
 
 function _escapeRe(s) {
-  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return codepointClass.escapeRegExp(s);
 }
 
 function _wildcardToRe(pattern, caseInsensitive) {

package/lib/middleware/ai-act-disclosure.js

@@ -19,9 +19,14 @@
  *   - "html"               — when the response Content-Type is HTML,
  *                            injects a <div role="status" ...> banner
  *                            immediately after the <body> tag plus a
- *                            <meta> tag inside <head>. Skipped when
- *                            response is already past headers OR not
- *                            text/html.
+ *                            <meta> tag inside <head>. Handles both a
+ *                            string and a Buffer body (the common server-
+ *                            render path); a Buffer is decoded under the
+ *                            response charset, injected, and re-encoded
+ *                            for utf-8 / ascii / latin1. Other charsets
+ *                            warn once and serve the original bytes (the
+ *                            disclosure headers still carry the notice).
+ *                            Skipped when the response is not text/html.
  *
  * The middleware does NOT alter the response when:
  *   - response status >= 400 (operator's error pages stay clean)
@@ -41,6 +46,24 @@ var requestHelpers = require("../request-helpers");
 
 var aiActMod  = lazyRequire(function () { return require("../compliance-ai-act"); });
 var audit     = lazyRequire(function () { return require("../audit"); });
+var logger    = lazyRequire(function () { return require("../log").boot("ai-act-disclosure"); });
+
+// Charsets whose byte<->string round-trip is lossless for the inject
+// operation: utf-8 (and its ascii / latin1 subsets, which Node decodes
+// byte-for-byte). Other charsets (utf-16le, big5, gb18030, …) are not
+// safe to decode→inject→re-encode without a transcoder we don't vendor,
+// so the Buffer path warns once and serves the original bytes untouched
+// rather than risk corrupting the page.
+var SAFE_INJECT_ENCODINGS = { "utf-8": "utf8", "utf8": "utf8", "us-ascii": "utf8", "ascii": "utf8", "latin1": "latin1", "iso-8859-1": "latin1" };
+
+// Read the charset token out of a Content-Type header, lowercased and
+// stripped of surrounding quotes. Returns "" when absent (the caller
+// treats a missing charset as the HTML default, utf-8).
+function _charsetOf(contentType) {
+  if (typeof contentType !== "string") return "";
+  var m = /;\s*charset\s*=\s*"?([^";]+)"?/i.exec(contentType);
+  return m ? m[1].trim().toLowerCase() : "";
+}
 
 /**
  * @primitive b.middleware.aiActDisclosure
@@ -53,7 +76,10 @@ var audit     = lazyRequire(function () { return require("../audit"); });
  * responses. In `mode: "header"` (default) it sets `AI-Act-Notice` and
  * `AI-Act-Article` response headers — cheapest, works for both JSON
  * and HTML. In `mode: "html"` it additionally inserts a status banner
- * after `<body>` and a `<meta>` inside `<head>` for HTML responses.
+ * after `<body>` for HTML responses, handling both a string and a
+ * Buffer body (a Buffer is decoded under the response charset, injected,
+ * and re-encoded for utf-8 / ascii / latin1; other charsets warn once
+ * and serve the original bytes with the disclosure headers still set).
  * Skips error pages, redirects, requests bearing the configured
  * skip-header, and responses opted out via `res.locals.aiActSkip`.
  * Emits `compliance.aiact.disclosed` audits on success.
@@ -138,22 +164,29 @@ function create(opts) {
       res.end = function (chunk, encoding) {
         try {
           var ctype = (res.getHeader && res.getHeader("Content-Type")) || "";
-          if (typeof ctype === "string" && ctype.indexOf("text/html") !== -1 &&
-              chunk && Buffer.isBuffer(chunk) === false &&
-              typeof chunk === "string") {
-            var bannerHtml = aiActMod().transparency.htmlBanner({
-              kind: opts.kind || "ai-interaction",
-              lang: opts.lang || "en",
-            });
-            // Inject after <body> if present, else prepend.
-            var bodyOpen = chunk.indexOf("<body");
-            if (bodyOpen !== -1) {
-              var afterTag = chunk.indexOf(">", bodyOpen);
-              if (afterTag !== -1) {
-                chunk = chunk.slice(0, afterTag + 1) + bannerHtml + chunk.slice(afterTag + 1);
+          if (typeof ctype === "string" && ctype.indexOf("text/html") !== -1 && chunk) {
+            if (typeof chunk === "string") {
+              chunk = _injectBanner(chunk, opts);
+            } else if (Buffer.isBuffer(chunk)) {
+              // res.end(Buffer.from(html)) is the common server-render path
+              // (b.render serves a Buffer). Decode under the response charset,
+              // inject the Art. 50 banner, re-encode — but only for charsets
+              // whose round-trip is lossless. Unknown charsets warn once and
+              // serve the original bytes (no transcoder is vendored).
+              var charset = _charsetOf(ctype) || "utf-8";
+              var nodeEnc = SAFE_INJECT_ENCODINGS[charset];
+              if (nodeEnc) {
+                var injected = _injectBanner(chunk.toString(nodeEnc), opts);
+                chunk = Buffer.from(injected, nodeEnc);
+                // Content-Length, if the operator pre-set it, now understates
+                // the body — clear it so the runtime recomputes / chunks.
+                if (res.getHeader && res.getHeader("Content-Length") != null &&
+                    typeof res.removeHeader === "function") {
+                  res.removeHeader("Content-Length");
+                }
+              } else {
+                _warnUnsafeCharset(charset);
               }
-            } else {
-              chunk = bannerHtml + chunk;
             }
           }
         } catch (_e) { /* injection best-effort */ }
@@ -186,6 +219,42 @@ function create(opts) {
   };
 }
 
+// Insert the EU AI Act Art. 50 status banner into an HTML string. The
+// banner goes immediately after the opening <body> tag when present, else
+// it is prepended. Returns the original string unchanged on any builder
+// error (best-effort injection — the disclosure header still carries the
+// machine-readable notice).
+function _injectBanner(html, opts) {
+  var bannerHtml = aiActMod().transparency.htmlBanner({
+    kind: opts.kind || "ai-interaction",
+    lang: opts.lang || "en",
+  });
+  var bodyOpen = html.indexOf("<body");
+  if (bodyOpen !== -1) {
+    var afterTag = html.indexOf(">", bodyOpen);
+    if (afterTag !== -1) {
+      return html.slice(0, afterTag + 1) + bannerHtml + html.slice(afterTag + 1);
+    }
+  }
+  return bannerHtml + html;
+}
+
+// Warn once per process per charset that a Buffer HTML body in an
+// unsupported charset was served without the banner injected, so an
+// operator can switch the response to utf-8 (or accept the header-only
+// disclosure). Drop-silent if the logger is unavailable.
+var _warnedCharsets = Object.create(null);
+function _warnUnsafeCharset(charset) {
+  if (_warnedCharsets[charset]) return;
+  _warnedCharsets[charset] = true;
+  try {
+    logger().warn("ai-act-disclosure: HTML response body is a Buffer in charset '" +
+      charset + "'; the Art. 50 banner was not injected (no transcoder for that " +
+      "charset). The disclosure headers are still set. Serve text/html as utf-8 to " +
+      "get the in-page banner.");
+  } catch (_e) { /* drop-silent — logger optional */ }
+}
+
 function _articleFor(kind) {
   switch (kind) {
     case "ai-interaction":            return "Art. 50(1)";

package/lib/middleware/asyncapi-serve.js

@@ -22,9 +22,42 @@
 var nodeCrypto    = require("node:crypto");
 var validateOpts  = require("../validate-opts");
 var lazyRequire   = require("../lazy-require");
+var safeUrl       = require("../safe-url");
 var { defineClass } = require("../framework-error");
 var AsyncApiError = defineClass("AsyncApiError", { alwaysPermanent: true });
 
+// Validate an operator-supplied accessControl.allowOrigin and return the
+// canonical `scheme://host[:port]` string for the Access-Control-Allow-
+// Origin response header. CORS (Fetch Standard §3.2.1) requires a single
+// concrete origin with no path / query / fragment; the empty-string and
+// "*" wildcard forms are spelled separately ("same-origin" / "public").
+// Parsing through safeUrl rejects header-injection bytes (CR/LF) and
+// userinfo, and confirms the value is a real http(s) origin. Throws so
+// the operator catches a typo'd allowOrigin at boot.
+function _canonicalAllowOrigin(value, label) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new AsyncApiError("asyncapi/bad-access-control",
+      label + ": accessControl.allowOrigin must be a non-empty origin string " +
+      "(e.g. \"https://docs.example.com\")");
+  }
+  var parsed;
+  try {
+    parsed = safeUrl.parse(value, { allowedProtocols: safeUrl.ALLOW_HTTP_ALL });
+  } catch (e) {
+    throw new AsyncApiError("asyncapi/bad-access-control",
+      label + ": accessControl.allowOrigin '" + value + "' is not a valid " +
+      "http(s) origin: " + ((e && e.message) || String(e)));
+  }
+  var path = parsed.pathname || "";
+  if ((path !== "" && path !== "/") || parsed.search || parsed.hash) {
+    throw new AsyncApiError("asyncapi/bad-access-control",
+      label + ": accessControl.allowOrigin must be a bare origin " +
+      "(scheme://host[:port]) with no path / query / fragment; got '" + value + "'");
+  }
+  var port = parsed.port;
+  return parsed.protocol + "//" + parsed.hostname.toLowerCase() + (port ? ":" + port : "");
+}
+
 var openapiYaml   = lazyRequire(function () { return require("../openapi-yaml"); });
 var audit         = lazyRequire(function () { return require("../audit"); });
 
@@ -38,8 +71,12 @@ var audit         = lazyRequire(function () { return require("../audit"); });
  * configurable JSON + YAML mount points. Matches `openapiServe`
  * behaviour: GET/HEAD only, SHA3-512 ETag with conditional 304,
  * operator-controlled CORS gate, falls through on unmatched paths
- * or methods. Use to publish channel + operation + message + schema
- * specs for event-driven APIs (Kafka, AMQP, MQTT, WebSocket).
+ * or methods. `accessControl: "public"` (default) emits
+ * `Access-Control-Allow-Origin: *`; `same-origin` omits the header;
+ * `{ allowOrigin: "https://docs.example.com" }` echoes one validated
+ * origin with `Vary: Origin`. Use to publish channel + operation +
+ * message + schema specs for event-driven APIs (Kafka, AMQP, MQTT,
+ * WebSocket).
  *
  * @opts
  *   {
@@ -79,6 +116,17 @@ function create(opts) {
   var cacheControl  = (typeof opts.cacheControl === "string" && opts.cacheControl.length > 0)
     ? opts.cacheControl : "public, max-age=300";
   var accessControl = opts.accessControl || "public";
+  // Resolve the Access-Control-Allow-Origin value once at config time.
+  // "public" → "*"; an { allowOrigin } object → the canonical origin
+  // (validated, throws on a bad value); "same-origin" / anything else →
+  // null (no CORS header emitted).
+  var allowOriginHeader = null;
+  if (accessControl === "public") {
+    allowOriginHeader = "*";
+  } else if (accessControl && typeof accessControl === "object" &&
+             typeof accessControl.allowOrigin === "string") {
+    allowOriginHeader = _canonicalAllowOrigin(accessControl.allowOrigin, "asyncapiServe");
+  }
   var auditOn       = opts.audit !== false;
 
   if (typeof pathJson !== "string" || pathJson.charAt(0) !== "/") {
@@ -117,8 +165,12 @@ function create(opts) {
       "Cache-Control":  cacheControl,
       "ETag":           etag,
     };
-    if (accessControl === "public") {
-      headers["Access-Control-Allow-Origin"] = "*";
+    if (allowOriginHeader !== null) {
+      headers["Access-Control-Allow-Origin"] = allowOriginHeader;
+      // A specific (non-"*") origin makes the response vary by Origin;
+      // advertise it so shared caches don't serve one operator's allowed
+      // origin to another's request (Fetch Standard §3.2.1).
+      if (allowOriginHeader !== "*") headers["Vary"] = "Origin";
     }
     res.writeHead(200, headers);                                                     // HTTP 200
     res.end(body);

package/lib/middleware/attach-user.js

@@ -33,18 +33,27 @@
  *
  * Options:
  *   {
- *     cookieName:  'blamejs_session'                 (cookie name to read)
- *     tokenFrom:   'both' | 'cookie' | 'header'      (default 'both')
- *     sealed:      false                             (use cookies.readSealed)
- *     vault:       b.vault                           (required when sealed)
- *     userLoader:  async (verifiedSession) => user   (REQUIRED)
- *     audit:       true                              (emit user-load audits)
+ *     cookieName:     'blamejs_session'              (cookie name to read)
+ *     tokenFrom:      'both' | 'cookie' | 'header'   (default 'both')
+ *     bearerScheme:   'Bearer'                       (Authorization scheme token; RFC 6750 §2.1)
+ *     tokenExtractor: (req) => token | null          (overrides header extraction entirely)
+ *     sealed:         false                          (use cookies.readSealed)
+ *     vault:          b.vault                        (required when sealed)
+ *     userLoader:     async (verifiedSession) => user (REQUIRED)
+ *     audit:          true                           (emit user-load audits)
  *   }
+ *
+ * The Authorization-header path matches the `Bearer` scheme by default
+ * (RFC 6750 §2.1). Operators behind a gateway that issues a different
+ * scheme (e.g. `Token`, `DPoP` per RFC 9449) set bearerScheme, or pass
+ * tokenExtractor(req) to read the credential from anywhere on the
+ * request. The scheme match is case-insensitive (RFC 9110 §11.1).
  */
 var lazyRequire = require("../lazy-require");
 var cookies = require("../cookies");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var codepointClass = require("../codepoint-class");
 var session = lazyRequire(function () { return require("../session"); });
 var audit   = lazyRequire(function () { return require("../audit"); });
 
@@ -56,10 +65,17 @@ function _readCookie(cookieHeader, name) {
   return Object.prototype.hasOwnProperty.call(jar, name) ? jar[name] : null;
 }
 
-function _readBearer(authHeader) {
+// Read the credential after an Authorization scheme token. Default scheme
+// is "Bearer" (RFC 6750 §2.1); operators fronted by a gateway that mints
+// "Token", "DPoP" (RFC 9449), or a custom scheme pass that name so the
+// header is consumed instead of silently ignored. The scheme match is
+// case-insensitive per RFC 9110 §11.1 (auth-scheme is case-insensitive).
+function _readBearer(authHeader, scheme) {
   if (!authHeader || typeof authHeader !== "string") return null;
-  // case-insensitive scheme match
-  var m = authHeader.match(/^Bearer\s+(.+)$/i);
+  var schemeTok = (typeof scheme === "string" && scheme.length > 0) ? scheme : "Bearer";
+  // allow:dynamic-regex — schemeTok is RegExp-escaped via codepointClass.escapeRegExp,
+  // so the operator-supplied scheme matches literally and cannot inject a pattern
+  var m = authHeader.match(new RegExp("^" + codepointClass.escapeRegExp(schemeTok) + "\\s+(.+)$", "i"));
   return m ? m[1].trim() : null;
 }
 
@@ -86,6 +102,8 @@ function _readBearer(authHeader) {
  *     userLoader:              async function(session): user|null,  // required
  *     cookieName:              string,    // default "blamejs_session"
  *     tokenFrom:               "both"|"cookie"|"header",  // default "both"
+ *     bearerScheme:            string,    // default "Bearer" (RFC 6750); set "Token"/"DPoP"/etc. for a gateway scheme
+ *     tokenExtractor:          function,  // (req) → token|null; fully owns header extraction when supplied
  *     sealed:                  boolean,
  *     vault:                   object,    // required when sealed
  *     requireFingerprintMatch: boolean,
@@ -108,15 +126,28 @@ function create(opts) {
   validateOpts(opts, [
     "cookieName", "tokenFrom", "sealed", "vault", "userLoader", "audit",
     "requireFingerprintMatch", "maxAnomalyScore", "scorer",
+    "bearerScheme", "tokenExtractor",
   ], "middleware.attachUser");
   if (typeof opts.userLoader !== "function") {
     throw new Error("middleware.attachUser: opts.userLoader is required " +
       "(async function (verifiedSession) → user | null)");
   }
+  validateOpts.optionalNonEmptyString(opts.bearerScheme,
+    "middleware.attachUser: opts.bearerScheme (the Authorization scheme token, " +
+    "e.g. \"Bearer\", \"Token\", \"DPoP\")");
+  validateOpts.optionalFunction(opts.tokenExtractor,
+    "middleware.attachUser: opts.tokenExtractor (req) → token | null");
   var cookieName = opts.cookieName || "blamejs_session";
   var tokenFrom  = opts.tokenFrom  || "both";
   var auditOn    = opts.audit !== false;
   var sealed     = !!opts.sealed;
+  // Authorization-header scheme token (default "Bearer", RFC 6750 §2.1).
+  // tokenExtractor, when supplied, fully owns header-token extraction so
+  // gateway-specific schemes (a forwarded JWT in a non-standard header,
+  // DPoP-bound tokens, etc.) work without the framework assuming the
+  // RFC 6750 shape.
+  var bearerScheme   = opts.bearerScheme || "Bearer";
+  var tokenExtractor = typeof opts.tokenExtractor === "function" ? opts.tokenExtractor : null;
   // Fingerprint-drift / IP-UA pin / anomaly-score opts thread through
   // session.verify so the documented session.create({ req,
   // fingerprintFields }) defenses actually engage on every verify
@@ -153,7 +184,11 @@ function create(opts) {
       // the header re-read here avoids the duplicate verify and the
       // confusing "session.verify failed" audit row that would land
       // when the bearer token is a JWT or API key, not a session ID.
-      token = _readBearer(req.headers && req.headers.authorization);
+      if (tokenExtractor) {
+        token = tokenExtractor(req) || null;
+      } else {
+        token = _readBearer(req.headers && req.headers.authorization, bearerScheme);
+      }
     }
     if (!token) return next();
 

package/lib/middleware/body-parser.js

@@ -69,6 +69,11 @@
  *         document: { maxBytes: b.constants.BYTES.mib(25) },
  *       },
  *
+ *       // RFC 5987 filename* charsets to decode. utf-8 is always
+ *       // supported (RFC 8187 §3.2); add "iso-8859-1" (RFC 5987 §3.2)
+ *       // to accept legacy senders that encode filenames in Latin-1.
+ *       filenameCharsets: ["utf-8"],
+ *
  *       // When wired, fileFilter rejections emit body-parser.multipart.file_rejected
  *       // on the audit chain with the field, filename, mime, and reason.
  *       audit: b.audit,
@@ -121,6 +126,7 @@ var safeBuffer      = require("../safe-buffer");
 var safeJson        = require("../safe-json");
 var structuredFields = require("../structured-fields");
 var validateOpts    = require("../validate-opts");
+var codepointClass  = require("../codepoint-class");
 var C = require("../constants");
 var { defineClass } = require("../framework-error");
 
@@ -196,6 +202,7 @@ var DEFAULTS = Object.freeze({
     fileFilter:    null,             // fn({ field, filename, mimeType, partHeaders }) → bool | { reject, code, message }
     fields:        null,             // per-field overrides: { name: { maxBytes?, mimeTypes? } }
     audit:         null,             // when wired, file-rejection emits an audit event
+    filenameCharsets: ["utf-8"],     // RFC 5987 filename* charsets to decode; add "iso-8859-1" to opt that legacy charset in
     contentTypes:  ["multipart/form-data"],
   },
 });
@@ -344,9 +351,16 @@ function _detectSmuggling(req) {
 function _writeError(res, status, message, code) {
   if (res.headersSent) return;
   var body = JSON.stringify({ error: message, code: code });
+  // Connection: close on a body-parse rejection (malformed JSON, poisoned
+  // key, oversize payload) so an upstream proxy can't reuse a socket whose
+  // request stream we abandoned mid-body. Pairing the 4xx with a forced
+  // socket teardown closes the desync window a partially-consumed body
+  // would otherwise leave open (RFC 9112 §9.6 — a server MAY close after
+  // an error response; doing so here prevents request-smuggling reuse).
   res.writeHead(status, {
     "Content-Type":   "application/json; charset=utf-8",
     "Content-Length": Buffer.byteLength(body),
+    "Connection":     "close",
   });
   res.end(body);
 }
@@ -600,28 +614,58 @@ function _parseMultipartHeaders(rawHeaders) {
   return out;
 }
 
+// Percent-decode an RFC 5987 ext-value's value segment under iso-8859-1.
+// RFC 5987 §3.2 / RFC 2231 §7 define iso-8859-1 (Latin-1) as the only
+// non-utf-8 charset a recipient is expected to understand: each decoded
+// byte is itself the Latin-1 code point, so a byte b maps directly to
+// U+00bb. We percent-unescape to raw bytes, then map each byte to its
+// code point. Returns null on a malformed `%`-escape.
+function _percentDecodeLatin1(encoded) {
+  var out = "";
+  for (var i = 0; i < encoded.length; i += 1) {
+    var ch = encoded.charAt(i);
+    if (ch === "%") {
+      var hex = encoded.substr(i + 1, 2);
+      if (hex.length !== 2 || !codepointClass.HEX_PAIR_RE.test(hex)) return null;
+      out += String.fromCharCode(parseInt(hex, 16));
+      i += 2;
+    } else {
+      out += ch;
+    }
+  }
+  return out;
+}
+
 // RFC 5987 / 8187 — `filename*=UTF-8''percent%20encoded.txt` extended
-// parameter form for non-ASCII filenames. Charset MUST be `UTF-8`
-// (case-insensitive); we refuse other charsets to keep the decode
-// path single-encoding. Language tag (between the two `'`s) is
-// permitted but ignored.
-function _decodeRfc5987(raw) {
+// parameter form for non-ASCII filenames. utf-8 is always accepted
+// (RFC 8187 §3.2 mandates support); iso-8859-1 (RFC 5987 §3.2 / RFC 2231
+// §7) decodes only when the operator opts it in via
+// `multipart.filenameCharsets`. Any other charset is refused to keep the
+// decode path bounded to the two RFC-defined encodings. The language tag
+// (between the two `'`s) is permitted but ignored. `allowed` is a
+// lower-cased charset allowlist; it always includes "utf-8".
+function _decodeRfc5987(raw, allowed) {
   if (typeof raw !== "string") return null;
   var firstTick  = raw.indexOf("'");
   if (firstTick === -1) return null;
   var secondTick = raw.indexOf("'", firstTick + 1);
   if (secondTick === -1) return null;
   var charset = raw.slice(0, firstTick).toLowerCase();
-  if (charset !== "utf-8") return null;       // RFC 5987 mandated charset; refuse anything else
   var encoded = raw.slice(secondTick + 1);
-  try {
-    return decodeURIComponent(encoded);
-  } catch (_e) {
-    return null;
+  if (charset === "utf-8") {
+    try {
+      return decodeURIComponent(encoded);
+    } catch (_e) {
+      return null;
+    }
   }
+  if (charset === "iso-8859-1" && allowed && allowed.indexOf("iso-8859-1") !== -1) {
+    return _percentDecodeLatin1(encoded);
+  }
+  return null;                                // charset not enabled — refuse
 }
 
-function _parseHeaderParams(headerValue) {
+function _parseHeaderParams(headerValue, filenameCharsets) {
   // Content-Disposition: form-data; name="field"; filename="x.txt"
   // Returns { _value: "form-data", name: "field", filename: "x.txt" }
   // RFC 5987 / 8187 — when a `filename*=UTF-8''...` extended parameter
@@ -646,7 +690,7 @@ function _parseHeaderParams(headerValue) {
     var _unq = structuredFields.unquoteSfString(v);
     if (_unq !== null) v = _unq;
     if (k.charAt(k.length - 1) === "*") {
-      var decoded = _decodeRfc5987(v);
+      var decoded = _decodeRfc5987(v, filenameCharsets);
       if (decoded !== null) {
         var bareKey = k.slice(0, -1);
         if (bareKey === "filename") extName = decoded;
@@ -682,6 +726,17 @@ async function _parseMultipart(req, opts, ctParams) {
       true, HTTP_STATUS.BAD_REQUEST
     );
   }
+  // RFC 5987 filename* charsets the operator opts into decoding. utf-8 is
+  // always present (RFC 8187 §3.2 mandates it); operators add "iso-8859-1"
+  // for legacy senders. Lower-cased once here so the per-part decode does
+  // a plain membership check.
+  var filenameCharsets = ["utf-8"];
+  if (Array.isArray(opts.filenameCharsets)) {
+    filenameCharsets = opts.filenameCharsets.map(function (c) {
+      return String(c).toLowerCase();
+    });
+    if (filenameCharsets.indexOf("utf-8") === -1) filenameCharsets.push("utf-8");
+  }
   // storage: "memory" buffers file parts in RAM (capped by fileSize ×
   // fileCount, the same DoS bound as disk mode) and exposes each file as
   // req.files[].buffer with no filesystem touch — the read-only /
@@ -870,7 +925,7 @@ async function _parseMultipart(req, opts, ctParams) {
             }
             pending = pending.slice(headEnd + 4);
             // Decode Content-Disposition.
-            var cd = _parseHeaderParams(currentHeaders["content-disposition"]);
+            var cd = _parseHeaderParams(currentHeaders["content-disposition"], filenameCharsets);
             if (cd._value !== "form-data" || typeof cd.name !== "string" || cd.name.length === 0) {
               done(new BodyParserError("body-parser/multipart-bad-disposition",
                 "multipart part missing form-data Content-Disposition", true, HTTP_STATUS.BAD_REQUEST));
@@ -1211,7 +1266,8 @@ async function _parseMultipart(req, opts, ctParams) {
  *     raw:         false | { limit, contentTypes },
  *     multipart:   false | {
  *       storage, tmpDir, fileSize, totalSize, fileCount, fieldCount,
- *       fieldSize, mimeAllowlist, fileFilter, fields, audit, contentTypes,
+ *       fieldSize, mimeAllowlist, fileFilter, fields, audit,
+ *       filenameCharsets, contentTypes,
  *     },
  *     keepRawBody: boolean,    // expose req.bodyRaw for webhook signing
  *   }

package/lib/middleware/csp-report.js

@@ -99,9 +99,21 @@ function _normalizeOne(reportLike) {
  * `csp.violation`, and forwarded to the operator's `onReport`
  * callback for metrics or alerting.
  *
+ * The rejection paths (405 / 413 / 400) are otherwise empty-bodied —
+ * the spec'd Reporting API (W3C Reporting API §3.1) ignores the
+ * response body, so there's nothing for the browser to read. `onReject`
+ * surfaces these refusals to the operator for the same metrics /
+ * alerting use as `onReport`: a flood of 413s signals a misconfigured
+ * `Reporting-Endpoints` URL or a report-bomb. It receives
+ * `(req, res, { status, reason })` where `reason` is one of
+ * `method-not-allowed` / `payload-too-large` / `invalid-json`. Invoked
+ * after the rejection response is written; a throwing hook is swallowed
+ * so a broken metrics sink can't crash the endpoint.
+ *
  * @opts
  *   {
  *     onReport: function(report): void,
+ *     onReject: function(req, res, { status, reason }): void,
  *     maxBytes: number,    // default 64 KiB
  *     audit:    boolean,   // default true
  *   }
@@ -118,23 +130,38 @@ function _normalizeOne(reportLike) {
  */
 function create(opts) {
   opts = opts || {};
-  validateOpts(opts, ["audit", "onReport", "maxBytes"], "middleware.cspReport");
+  validateOpts(opts, ["audit", "onReport", "onReject", "maxBytes"], "middleware.cspReport");
+  if (opts.onReject !== undefined && opts.onReject !== null &&
+      typeof opts.onReject !== "function") {
+    throw new TypeError("middleware.cspReport: opts.onReject must be a function");
+  }
   var maxBytes = (typeof opts.maxBytes === "number" && isFinite(opts.maxBytes) && opts.maxBytes > 0)
     ? opts.maxBytes : DEFAULT_MAX_BYTES;
   var onReport = (typeof opts.onReport === "function") ? opts.onReport : null;
+  var onReject = (typeof opts.onReject === "function") ? opts.onReject : null;
+
+  // Drop-silent observability sink — the rejection response is already
+  // on the wire; a throwing metrics hook must not crash the endpoint.
+  function _emitReject(req, res, status, reason) {
+    if (!onReject) return;
+    try { onReject(req, res, { status: status, reason: reason }); }
+    catch (_e) { /* hook best-effort */ }
+  }
 
   return async function cspReport(req, res, _next) {
     if (req.method !== "POST") {
       res.writeHead(405, { "Allow": "POST" });                                     // HTTP 405 status
       res.end();
+      _emitReject(req, res, 405, "method-not-allowed");
       return;
     }
     var body;
     try {
-      body = await safeBuffer.boundedChunkCollector(req, { maxBytes: maxBytes });
+      body = await safeBuffer.collectStream(req, { maxBytes: maxBytes });
     } catch (_e) {
       res.writeHead(413);                                                         // HTTP 413 status
       res.end();
+      _emitReject(req, res, 413, "payload-too-large");
       return;
     }
     var parsed;
@@ -142,6 +169,7 @@ function create(opts) {
     catch (_e) {
       res.writeHead(400);                                                         // HTTP 400 status
       res.end();
+      _emitReject(req, res, 400, "invalid-json");
       return;
     }
     var reports = Array.isArray(parsed) ? parsed : [parsed];