@blamejs/core 0.7.64 → 0.7.74

package/lib/middleware/security-headers.js

@@ -75,6 +75,7 @@ function create(opts) {
     "hsts", "contentTypeOptions", "frameOptions", "referrerPolicy",
     "permissionsPolicy", "coop", "coep", "corp",
     "originAgentCluster", "dnsPrefetchControl", "csp", "trustProxy",
+    "reportingEndpoints",
   ], "middleware.securityHeaders");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -89,6 +90,32 @@ function create(opts) {
   var oac   = opts.originAgentCluster === undefined ? "?1" : opts.originAgentCluster;
   var dpc   = opts.dnsPrefetchControl === undefined ? "off" : opts.dnsPrefetchControl;
   var csp   = opts.csp === undefined ? DEFAULT_CSP : opts.csp;
+  // Reporting-Endpoints (W3C Reporting API) — when operator passes a
+  // map of endpoint-name → URL, we emit `Reporting-Endpoints: name="url",
+  // name2="url2", ...` and (when default CSP is in force) append
+  // `report-to default` to the CSP so violations route to the named
+  // endpoint. Operators using a custom CSP add `report-to` to it
+  // themselves.
+  var reportingEndpoints = null;
+  if (opts.reportingEndpoints && typeof opts.reportingEndpoints === "object") {
+    var pairs = [];
+    var keys = Object.keys(opts.reportingEndpoints);
+    for (var i = 0; i < keys.length; i += 1) {
+      var k = keys[i];
+      var v = opts.reportingEndpoints[k];
+      if (typeof v !== "string" || v.length === 0) continue;
+      // Defensive — refuse CR/LF/NUL in either side (header injection).
+      if (/[\r\n\0]/.test(k) || /[\r\n\0]/.test(v)) continue;                   // allow:duplicate-regex — CR/LF/NUL header-injection rejection appears in cookies / mail / security-headers; each is the boundary primitive — extracting forces a shared module that hides the boundary check from each domain
+      pairs.push(k + '="' + v + '"');
+    }
+    if (pairs.length > 0) reportingEndpoints = pairs.join(", ");
+  }
+  // Auto-append `report-to default` to the default CSP when operator
+  // wires a `default` reporting endpoint and didn't override `csp`.
+  if (csp === DEFAULT_CSP && reportingEndpoints &&
+      opts.reportingEndpoints && opts.reportingEndpoints["default"]) {
+    csp = csp.replace(/;\s*$/, "") + "; report-to default;";
+  }
 
   return function securityHeaders(req, res, next) {
     if (typeof res.setHeader !== "function") return next();
@@ -109,7 +136,8 @@ function create(opts) {
     if (corp)       res.setHeader("Cross-Origin-Resource-Policy", corp);
     if (oac)        res.setHeader("Origin-Agent-Cluster", oac);
     if (dpc)        res.setHeader("X-DNS-Prefetch-Control", dpc);
-    if (csp)        res.setHeader("Content-Security-Policy", csp);
+    if (csp)                res.setHeader("Content-Security-Policy", csp);
+    if (reportingEndpoints) res.setHeader("Reporting-Endpoints", reportingEndpoints);
     next();
   };
 }

package/lib/network-dns.js

@@ -291,28 +291,44 @@ function _encodeDnsQuery(host, qtype) {
   return { buf: buf, id: id };
 }
 
+// Walk a DNS-message name in-place and advance `state.off`. RFC 1035
+// §3.1 names terminate either with a single 0x00 byte OR with a
+// 2-byte compression pointer (high two bits 11). The pre-0.7.68
+// parser unconditionally executed `if (buf[off] === 0) off++`
+// after the loop, which consumed the high byte of the next field
+// when the loop had exited via the compression pointer — silently
+// breaking every DNS response that used name compression in the
+// answer section (which is most of them).
+function _skipDnsName(buf, state) {
+  var endedViaPointer = false;
+  while (state.off < buf.length && buf[state.off] !== 0) {
+    if ((buf[state.off] & 0xc0) === 0xc0) {                                      // allow:raw-byte-literal — RFC 1035 name-compression pointer mask
+      state.off += 2;
+      endedViaPointer = true;
+      break;
+    }
+    state.off += buf[state.off] + 1;
+  }
+  if (!endedViaPointer && state.off < buf.length && buf[state.off] === 0) {
+    state.off += 1;
+  }
+}
+
 function _decodeDnsAnswer(buf, qtype) {
   if (!Buffer.isBuffer(buf) || buf.length < 12) throw new DnsError("dns/bad-reply", "dns reply truncated");
   var rcode = buf.readUInt8(3) & 0x0f;
   if (rcode !== 0) throw new DnsError("dns/no-result", "dns reply rcode " + rcode);
   var qdcount = buf.readUInt16BE(4);
   var ancount = buf.readUInt16BE(6);
-  var off = 12;
+  var state = { off: 12 };
   for (var q = 0; q < qdcount; q++) {
-    while (off < buf.length && buf[off] !== 0) {
-      if ((buf[off] & 0xc0) === 0xc0) { off += 2; break; }
-      off += buf[off] + 1;
-    }
-    if (buf[off] === 0) off++;
-    off += 4;
+    _skipDnsName(buf, state);
+    state.off += 4;
   }
   var addrs = [];
   for (var a = 0; a < ancount; a++) {
-    while (off < buf.length && buf[off] !== 0) {
-      if ((buf[off] & 0xc0) === 0xc0) { off += 2; break; }
-      off += buf[off] + 1;
-    }
-    if (buf[off] === 0) off++;
+    _skipDnsName(buf, state);
+    var off = state.off;
     var rtype  = buf.readUInt16BE(off); off += 2;
     off += 2;
     off += 4;
@@ -327,10 +343,20 @@ function _decodeDnsAnswer(buf, qtype) {
       addrs.push(groups.join(":"));
     }
     off += rdlen;
+    state.off = off;
   }
   return addrs;
 }
 
+// Read the AD bit (Authenticated Data, RFC 4035) from a DNS reply
+// header. Byte 3 holds RA, Z, AD, CD, and rcode bits; AD is bit 5
+// (mask 0x20). Set when the upstream recursive resolver has validated
+// the chain.
+function _readAdBit(buf) {
+  if (!Buffer.isBuffer(buf) || buf.length < 12) return false;
+  return (buf.readUInt8(3) & 0x20) !== 0;                                        // allow:raw-byte-literal — RFC 4035 AD-bit mask
+}
+
 // DoH GET URL length cap. RFC 8484 §4.1 says clients MAY use POST when
 // the GET URL would exceed implementation limits. We pick 2048 bytes
 // (a conservative ceiling well below RFC 7230's recommended 8 KB) so
@@ -404,6 +430,98 @@ async function _dohLookup(host, family) {
   });
 }
 
+// _dohLookupSecure — DNSSEC-aware DoH lookup. Returns `{ rrs, ad }`
+// where `ad` is the AD bit (RFC 4035) set by the upstream resolver
+// after chain validation. Internal — operators reach for
+// `resolveSecure` instead.
+async function _dohLookupSecure(host, family) {
+  var qtype = family === 6 ? 28 : 1;                                             // allow:raw-byte-literal — DNS QTYPE values for A / AAAA
+  var enc = _encodeDnsQuery(host, qtype);
+  var b64 = enc.buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  var getUrl = STATE.doh.url + (STATE.doh.url.indexOf("?") === -1 ? "?" : "&") + "dns=" + b64;
+  var forcedMethod = STATE.doh.method;
+  var usePost = forcedMethod === "POST" || (!forcedMethod && getUrl.length > DOH_GET_URL_MAX_BYTES);
+  var u = safeUrl.parse(STATE.doh.url, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS });
+  return new Promise(function (resolve, reject) {
+    var reqOpts = {
+      hostname:   u.hostname,
+      port:       u.port || 443,                                                 // allow:raw-byte-literal — HTTPS default port
+      path:       u.pathname + u.search,
+      method:     usePost ? "POST" : "GET",
+      headers:    { "accept": "application/dns-message" },
+      minVersion: "TLSv1.3",
+      ecdhCurve:  C.TLS_GROUP_CURVE_STR,
+    };
+    if (STATE.doh.ca) reqOpts.ca = STATE.doh.ca;
+    if (usePost) {
+      reqOpts.headers["content-type"]   = "application/dns-message";
+      reqOpts.headers["content-length"] = enc.buf.length;
+    } else {
+      var parsedGet = safeUrl.parse(getUrl, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS });
+      reqOpts.path = parsedGet.pathname + parsedGet.search;
+    }
+    var req = https.request(reqOpts, function (res) {
+      var collector = safeBuffer.boundedChunkCollector({
+        maxBytes:    C.BYTES.kib(256),
+        errorClass:  DnsError,
+        sizeCode:    "dns/doh-too-large",
+        sizeMessage: "DoH response exceeds 256 KiB",
+      });
+      var pushFailed = null;
+      res.on("data", function (c) {
+        if (pushFailed) return;
+        try { collector.push(c); }
+        catch (e) { pushFailed = e; }
+      });
+      res.on("end", function () {
+        try {
+          if (pushFailed) { reject(pushFailed); return; }
+          var body = collector.result();
+          if (res.statusCode !== 200) {                                          // allow:raw-byte-literal — HTTP 200 OK
+            reject(new DnsError("dns/doh-http", "DoH HTTP " + res.statusCode + " for " + host));
+            return;
+          }
+          resolve({ rrs: _decodeDnsAnswer(body, qtype), ad: _readAdBit(body) });
+        } catch (e) { reject(e); }
+      });
+    });
+    req.on("error", function (e) { reject(new DnsError("dns/doh-failed", "DoH request failed: " + e.message)); });
+    if (usePost) req.write(enc.buf);
+    req.end();
+  });
+}
+
+// resolveSecure — DNSSEC-aware resolution. Returns `{ rrs, ad }`
+// where `ad` is the AD bit (RFC 4035) set by the upstream DoH
+// resolver after chain validation, and `rrs` is the answer-record
+// list (IPv4 / IPv6 string addresses for A / AAAA queries).
+//
+// Operators wiring DANE / TLSA validation (RFC 7672 SMTP DANE)
+// require `ad === true` to honor the DANE security claim per RFC
+// 7672 §1.3 — without DNSSEC validation the TLSA records can't be
+// authenticated and the chain check is meaningless.
+//
+// Only available over DoH transport. The system resolver and DoT
+// transports don't surface the AD bit through Node's API today.
+async function resolveSecure(host, type) {
+  type = type || "A";
+  if (!STATE.doh) {
+    throw new DnsError("dns/secure-requires-doh",
+      "resolveSecure requires DoH transport (call useDnsOverHttps " +
+      "or rely on the default-on DoH posture)");
+  }
+  if (typeof host !== "string" || host.length === 0 || host.length > 253) {     // allow:raw-byte-literal — RFC 1035 hostname octet ceiling
+    throw new DnsError("dns/bad-host",
+      "resolveSecure host is malformed");
+  }
+  var family;
+  if (type === "A")    family = 4;
+  else if (type === "AAAA") family = 6;
+  else throw new DnsError("dns/secure-unsupported-type",
+    "resolveSecure currently supports A and AAAA; got " + type);
+  return _dohLookupSecure(host, family);
+}
+
 // DoT connection pool. Per-(host:port) cached TLS socket so successive
 // lookups amortize the handshake. Sockets idle past the timeout are
 // closed and removed; first lookup after expiry rebuilds. Each socket
@@ -695,6 +813,7 @@ module.exports = {
   resolve4:          resolve4,
   resolve6:          resolve6,
   resolveAaaa:       resolveAaaa,
+  resolveSecure:     resolveSecure,
   nodeLookup:        nodeLookup,
   clearCache:        _clearCache,
   DnsError:          DnsError,

package/lib/network-smtp-policy.js

@@ -42,9 +42,13 @@
  *   - Full DANE certificate-chain verification per RFC 6698 (needs
  *     ASN.1 cert parsing). Operators today verify policy presence +
  *     match the leaf SHA-256 themselves.
- *   - DNSSEC-validated DANE lookups (node:dns doesn't expose
- *     DNSSEC ad-bit; operators pin to a DNSSEC-validating resolver
- *     externally).
+ *   - DNSSEC-validated DANE lookups: the framework now exposes the
+ *     AD bit via `b.network.dns.resolveSecure(name, type) → { rrs,
+ *     ad }`. Operators wiring strict RFC 7672 §1.3 compliance pass
+ *     a DNSSEC-aware resolver via opts and refuse the chain when
+ *     ad === false. The default `tlsa()` lookup path stays on
+ *     `node:dns` for compatibility with operators on system
+ *     resolvers.
  */
 
 var dns = require("node:dns");
@@ -56,6 +60,7 @@ var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var crypto = require("./crypto");
 var safeUrl = require("./safe-url");
+var safeJson = require("./safe-json");
 var C = require("./constants");
 var { SmtpPolicyError } = require("./framework-error");
 
@@ -531,6 +536,115 @@ async function tlsRptSubmit(report, opts) {
   return { submitted: results.length, results: results };
 }
 
+// ---- TLS-RPT receive-side report parsing (RFC 8460 §4) ----
+//
+// MTAs that publish a TLS-RPT rua endpoint receive `application/
+// tlsrpt+gzip` (or `application/json`) HTTPS POSTs from peers. The
+// receiver parses the report, attributes failures to the right policy/
+// MX-host pair, and feeds the data into the operator's observability
+// stack. This primitive is the receive-side counterpart to
+// tlsRpt.recordShape / tlsRpt.submit on the send side.
+
+var TLS_RPT_MAX_REPORT_BYTES = C.BYTES.mib(8);
+var TLS_RPT_MAX_POLICIES_PER_REPORT = 1024;                                       // allow:raw-byte-literal allow:raw-time-literal — count cap, not seconds
+
+function tlsRptParseReport(body, opts) {
+  opts = opts || {};
+  if (body === null || body === undefined) {
+    throw new SmtpPolicyError("smtp/tls-rpt-bad-input",
+      "tlsRpt.parseReport: body is required (Buffer | string)");
+  }
+  var bodyBuf;
+  if (Buffer.isBuffer(body)) bodyBuf = body;
+  else if (typeof body === "string") bodyBuf = Buffer.from(body, "utf8");
+  else {
+    throw new SmtpPolicyError("smtp/tls-rpt-bad-input",
+      "tlsRpt.parseReport: body must be a Buffer or string");
+  }
+  if (bodyBuf.length > TLS_RPT_MAX_REPORT_BYTES) {
+    throw new SmtpPolicyError("smtp/tls-rpt-too-large",
+      "tlsRpt.parseReport: report exceeds " + TLS_RPT_MAX_REPORT_BYTES + " bytes");
+  }
+
+  // Decompress if the operator passes contentType: "application/tlsrpt+gzip"
+  // OR if the body sniffs as gzip (magic 0x1f 0x8b).
+  var contentType = (opts.contentType || "").toLowerCase();
+  var looksGzip = bodyBuf.length >= 2 && bodyBuf[0] === 0x1f && bodyBuf[1] === 0x8b;
+  if (contentType.indexOf("gzip") !== -1 || looksGzip) {
+    try { bodyBuf = zlib.gunzipSync(bodyBuf, { maxOutputLength: TLS_RPT_MAX_REPORT_BYTES }); }
+    catch (e) {
+      throw new SmtpPolicyError("smtp/tls-rpt-gunzip-failed",
+        "tlsRpt.parseReport: gunzip failed: " + ((e && e.message) || String(e)));
+    }
+  }
+
+  var report;
+  try { report = safeJson.parse(bodyBuf.toString("utf8"), { maxBytes: TLS_RPT_MAX_REPORT_BYTES }); }
+  catch (e) {
+    throw new SmtpPolicyError("smtp/tls-rpt-bad-json",
+      "tlsRpt.parseReport: JSON parse failed: " + ((e && e.message) || String(e)));
+  }
+  if (!report || typeof report !== "object") {
+    throw new SmtpPolicyError("smtp/tls-rpt-bad-shape",
+      "tlsRpt.parseReport: report must be an object");
+  }
+
+  // Validate the RFC 8460 §4.4 required fields. Optional fields are
+  // surfaced as-is when present (some operators ship `contact-info`,
+  // some don't).
+  var requiredKeys = ["organization-name", "date-range", "report-id", "policies"];
+  for (var ri = 0; ri < requiredKeys.length; ri += 1) {
+    if (!Object.prototype.hasOwnProperty.call(report, requiredKeys[ri])) {
+      throw new SmtpPolicyError("smtp/tls-rpt-missing-field",
+        "tlsRpt.parseReport: report missing required field '" + requiredKeys[ri] + "' (RFC 8460 §4.4)");
+    }
+  }
+  if (!report["date-range"] ||
+      typeof report["date-range"]["start-datetime"] !== "string" ||
+      typeof report["date-range"]["end-datetime"] !== "string") {
+    throw new SmtpPolicyError("smtp/tls-rpt-bad-date-range",
+      "tlsRpt.parseReport: date-range must have start-datetime + end-datetime");
+  }
+  if (!Array.isArray(report.policies)) {
+    throw new SmtpPolicyError("smtp/tls-rpt-bad-policies",
+      "tlsRpt.parseReport: policies must be an array");
+  }
+  if (report.policies.length > TLS_RPT_MAX_POLICIES_PER_REPORT) {
+    throw new SmtpPolicyError("smtp/tls-rpt-too-many-policies",
+      "tlsRpt.parseReport: report has " + report.policies.length +
+      " policies (cap " + TLS_RPT_MAX_POLICIES_PER_REPORT + ")");
+  }
+
+  // Aggregate counters operators most commonly want surfaced.
+  var totalSuccess = 0;
+  var totalFailure = 0;
+  for (var pi = 0; pi < report.policies.length; pi += 1) {
+    var entry = report.policies[pi];
+    if (entry && entry.summary) {
+      var s = entry.summary["total-successful-session-count"];
+      var f = entry.summary["total-failure-session-count"];
+      if (typeof s === "number" && isFinite(s)) totalSuccess += s;
+      if (typeof f === "number" && isFinite(f)) totalFailure += f;
+    }
+  }
+
+  return {
+    organization:    report["organization-name"],
+    contact:         report["contact-info"] || null,
+    reportId:        report["report-id"],
+    dateRange: {
+      start: report["date-range"]["start-datetime"],
+      end:   report["date-range"]["end-datetime"],
+    },
+    policies:        report.policies,
+    totals: {
+      successful:    totalSuccess,
+      failure:       totalFailure,
+    },
+    raw:             report,
+  };
+}
+
 module.exports = {
   mtaSts: Object.freeze({
     fetch:   mtaStsFetch,
@@ -546,6 +660,7 @@ module.exports = {
     recordShape: tlsRptRecordShape,
     fetchPolicy: tlsRptFetchPolicy,
     submit:      tlsRptSubmit,
+    parseReport: tlsRptParseReport,
   }),
   SmtpPolicyError: SmtpPolicyError,
 };

package/lib/vendor/MANIFEST.json

@@ -13,7 +13,10 @@
         "server": "lib/vendor/noble-ciphers.cjs"
       },
       "bundler": "esbuild --format=cjs --minify --platform=node",
-      "bundledAt": "2026-04-25"
+      "bundledAt": "2026-04-25",
+      "hashes": {
+        "server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
+      }
     },
     "argon2": {
       "version": "0.44.0",
@@ -39,7 +42,11 @@
         "win32-x64"
       ],
       "bundler": "esbuild --format=cjs --platform=node (inlines @phc/format + node-gyp-build)",
-      "bundledAt": "2026-04-25"
+      "bundledAt": "2026-04-25",
+      "hashes": {
+        "server": "sha256:93b8d2fb7f24dc1b3304dc9420844d5e1afc199c41ab1f9a90c8de48cc7c2359",
+        "prebuilds": "sha256-tree:65921b7cf331e0a9430a1b52440da8f26cdf9d215a4cd490edbc4804dd713df3"
+      }
     },
     "@simplewebauthn/server": {
       "version": "13.3.0",
@@ -57,7 +64,10 @@
         "server": "lib/vendor/simplewebauthn-server.cjs"
       },
       "bundler": "esbuild --format=cjs --minify --platform=node --external:crypto --external:node:crypto",
-      "bundledAt": "2026-04-26"
+      "bundledAt": "2026-04-26",
+      "hashes": {
+        "server": "sha256:a9777dca582095d67f17ca24e19a0791de29928555b6b779c2233429175eb3f0"
+      }
     },
     "SecLists-common-passwords-top-10000": {
       "version": "10k-most-common (master)",
@@ -69,7 +79,10 @@
         "server": "lib/vendor/common-passwords-top-10000.txt"
       },
       "bundler": "curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt",
-      "bundledAt": "2026-05-02"
+      "bundledAt": "2026-05-02",
+      "hashes": {
+        "server": "sha256:4adb3f0afb4a10cf19ebe48d8c69a46f934bbc8d77c694c210564f9583e7f4ba"
+      }
     },
     "peculiar-pki": {
       "version": "2.0.0+pkijs-3.4.0",
@@ -90,7 +103,10 @@
         "server": "lib/vendor/pki.cjs"
       },
       "bundler": "esbuild --format=cjs --minify --platform=node --external:crypto --external:node:crypto",
-      "bundledAt": "2026-04-29"
+      "bundledAt": "2026-04-29",
+      "hashes": {
+        "server": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77"
+      }
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.64",
+  "version": "0.7.74",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:186ac1cf-f222-4ea2-81b9-ad8a89f1849e",
+  "serialNumber": "urn:uuid:a82c1893-13c0-448e-a951-71bc3d182da3",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T00:58:07.750Z",
+    "timestamp": "2026-05-06T03:56:40.534Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.64",
+      "bom-ref": "@blamejs/core@0.7.74",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.64",
+      "version": "0.7.74",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.64",
+      "purl": "pkg:npm/%40blamejs/core@0.7.74",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.64",
+      "ref": "@blamejs/core@0.7.74",
       "dependsOn": []
     }
   ]