@blamejs/core 0.8.13 → 0.8.16

package/lib/mail-auth.js

@@ -109,8 +109,12 @@ function _parseSpfRecord(text) {
   return mechanisms;
 }
 
-// Fetch the SPF TXT record for a domain. Returns the joined record
-// text or null if no v=spf1 record found.
+// Fetch the SPF TXT record for a domain. Returns:
+//   { kind: "found",    record: "<text>" }  — exactly one v=spf1 record
+//   { kind: "none" }                          — zero v=spf1 records
+//   { kind: "permerror", reason: "<msg>" }    — multiple v=spf1 records
+//                                              (RFC 7208 §4.5 — domain
+//                                              MUST publish at most one)
 async function _fetchSpfRecord(domain, dnsLookup) {
   var records;
   try {
@@ -118,17 +122,24 @@ async function _fetchSpfRecord(domain, dnsLookup) {
       ? await dnsLookup(domain, "TXT")
       : await dnsPromises.resolveTxt(domain);
   } catch (e) {
-    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return null;
+    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return { kind: "none" };
     throw new MailAuthError("mail-auth/spf-lookup-failed",
       "SPF TXT lookup for " + domain + " failed: " +
       ((e && e.message) || String(e)));
   }
-  if (!Array.isArray(records)) return null;
+  if (!Array.isArray(records)) return { kind: "none" };
+  var matches = [];
   for (var i = 0; i < records.length; i += 1) {
     var rec = Array.isArray(records[i]) ? records[i].join("") : records[i];
-    if (typeof rec === "string" && rec.indexOf("v=spf1") === 0) return rec;
+    if (typeof rec === "string" && rec.indexOf("v=spf1") === 0) matches.push(rec);
   }
-  return null;
+  if (matches.length === 0) return { kind: "none" };
+  if (matches.length > 1) {
+    return { kind: "permerror",
+             reason: "domain " + domain + " publishes " + matches.length +
+                     " v=spf1 records; RFC 7208 §4.5 requires at most one" };
+  }
+  return { kind: "found", record: matches[0] };
 }
 
 // SPF verify — recursive include resolution + ip4/ip6/all/+a/+mx
@@ -166,17 +177,20 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups) {
   }
   lookups.count += 1;
 
-  var record;
-  try { record = await _fetchSpfRecord(domain, dnsLookup); }
+  var fetched;
+  try { fetched = await _fetchSpfRecord(domain, dnsLookup); }
   catch (e) {
     return { verdict: "temperror", explanation: e.message };
   }
-  if (!record) {
+  if (fetched.kind === "permerror") {
+    return { verdict: "permerror", explanation: fetched.reason };
+  }
+  if (fetched.kind === "none") {
     return { verdict: "none", explanation: "no SPF record at " + domain };
   }
 
   var mechanisms;
-  try { mechanisms = _parseSpfRecord(record); }
+  try { mechanisms = _parseSpfRecord(fetched.record); }
   catch (e) {
     return { verdict: "permerror", explanation: e.message };
   }
@@ -201,6 +215,15 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups) {
       else if (inner.verdict === "permerror" || inner.verdict === "temperror") {
         return inner;
       }
+      // RFC 7208 §5.2 — when the included domain has no SPF record at
+      // all, the include itself MUST permerror (the included policy is
+      // missing, the operator's intent is unverifiable). Without this
+      // check `include:gone-domain.example` silently authorizes whatever
+      // mechanism follows, including `+all`.
+      else if (inner.verdict === "none") {
+        return { verdict: "permerror",
+                 explanation: "include:" + m.arg + " has no SPF record (RFC 7208 §5.2)" };
+      }
     } else if (m.mechanism === "a" || m.mechanism === "mx" ||
                m.mechanism === "exists" || m.mechanism === "ptr" ||
                m.mechanism === "redirect") {

package/lib/mail-dkim.js

@@ -216,9 +216,15 @@ function create(opts) {
     throw new DkimError("dkim/bad-domain",
       "domain must be a valid DNS name (e.g. 'example.com')");
   }
-  if (typeof opts.selector !== "string" || !/^[a-z0-9_-]+$/i.test(opts.selector)) {
+  // RFC 6376 §3.1 ABNF: selector = sub-domain *("." sub-domain). Multi-
+  // label selectors like "2024.s1" are valid (and common for time-rotated
+  // keys). Each label is the LDH set; refuse leading/trailing dots and
+  // empty labels.
+  if (typeof opts.selector !== "string" ||
+      opts.selector.length === 0 || opts.selector.length > 253 ||                            // allow:raw-byte-literal — DNS label length cap (RFC 1035)
+      !/^[a-z0-9_-]+(?:\.[a-z0-9_-]+)*$/i.test(opts.selector)) {
     throw new DkimError("dkim/bad-selector",
-      "selector must be a non-empty token of [A-Za-z0-9_-]");
+      "selector must be a non-empty LDH token, optionally dot-separated (e.g. 's1', '2024.s1') (RFC 6376 §3.1)");
   }
   if (!opts.privateKey || (typeof opts.privateKey !== "string" &&
       typeof opts.privateKey !== "object")) {
@@ -566,6 +572,14 @@ function _verifySingleSignature(rfc822, parsedHeaders, sigHeader, keyTags, sigTa
   var headerNames = (sigTags.h || "").split(":").map(function (s) {
     return s.trim().toLowerCase();
   });
+  // RFC 6376 §3.5 — "from" MUST be in h=. Without From-coverage the
+  // signature does not bind to the visible sender, and the receiver's
+  // "this domain signed for that From" claim is meaningless. Cornerstone
+  // bypass class — refuse the signature outright.
+  if (headerNames.indexOf("from") === -1) {
+    return { result: "permerror",
+             errors: ["DKIM-Signature h= tag does not include 'from' (RFC 6376 §3.5)"] };
+  }
   var lcNames = parsedHeaders.map(function (h) { return h.name.toLowerCase(); });
   var canonicalizedHeaders = "";
   for (var j = 0; j < headerNames.length; j += 1) {
@@ -659,6 +673,13 @@ async function verify(rfc822, opts) {
     var d = sigTags.d;
     var s = sigTags.s;
     var alg = sigTags.a;
+    // RFC 6376 §3.5 — v= tag is REQUIRED and MUST be "1". Unrecognized
+    // version → permerror per spec; refuse rather than guess at intent.
+    if (sigTags.v !== undefined && sigTags.v !== "1") {
+      results.push({ d: d || null, s: s || null, alg: alg || null,
+        result: "permerror", errors: ["DKIM-Signature v=" + sigTags.v + " unsupported (RFC 6376 §3.5 — only v=1)"] });
+      continue;
+    }
     if (!d || !s) {
       results.push({ d: d || null, s: s || null, alg: alg || null,
         result: "permerror", errors: ["DKIM-Signature missing d= or s="] });
@@ -671,11 +692,32 @@ async function verify(rfc822, opts) {
       results.push({ d: d, s: s, alg: alg, result: verdict, errors: [e.message] });
       continue;
     }
+    if (keyTags.p === "") {
+      // RFC 6376 §3.6.1 — empty p= explicitly revokes the key. Verdict
+      // is "fail" (not "permerror") — the signature is well-formed but
+      // the key authority intentionally withdrew it.
+      results.push({ d: d, s: s, alg: alg, result: "fail",
+        errors: ["DKIM key revoked (empty p= per RFC 6376 §3.6.1)"] });
+      continue;
+    }
     if (!keyTags.p) {
       results.push({ d: d, s: s, alg: alg, result: "permerror",
         errors: ["DKIM key record missing p="] });
       continue;
     }
+    // RFC 6376 §3.6.1 — k= tag declares the key's algorithm family.
+    // Default is "rsa" when absent. If the key's k= disagrees with the
+    // signature's a= family, the operator who published the key intends
+    // a different algorithm; refuse rather than guess.
+    if (keyTags.k !== undefined) {
+      var kFamily   = String(keyTags.k).toLowerCase();
+      var sigFamily = String(alg || "").toLowerCase().split("-")[0];
+      if (kFamily !== sigFamily) {
+        results.push({ d: d, s: s, alg: alg, result: "permerror",
+          errors: ["DKIM key k=" + kFamily + " does not match signature a=" + alg + " (RFC 6376 §3.6.1)"] });
+        continue;
+      }
+    }
     var rv = _verifySingleSignature(rfc822, parsedHeaders, sigHeaders[i], keyTags, sigTags);
     results.push(Object.assign({ d: d, s: s, alg: alg }, rv));
   }

package/lib/mcp.js

@@ -0,0 +1,301 @@
+"use strict";
+/**
+ * Model Context Protocol server-guard primitive — hardens an HTTP
+ * endpoint that speaks MCP against the three CVE classes published in
+ * 2025-2026:
+ *
+ *   - CVE-2026-33032 (CVSS 9.8, nginx-ui) — auth-bypass class:
+ *     unauthenticated tool/resource invocations.
+ *   - CVE-2025-6514 (CVSS 9.6, mcp-remote) — OAuth RCE class:
+ *     consent-redirect with attacker-controlled redirect_uri.
+ *   - Confused-deputy class — static client IDs combined with
+ *     dynamic-client-registration AND opaque consent cookies.
+ *
+ * Public API:
+ *
+ *   mcp.serverGuard(opts) -> middleware(req, res, next)
+ *     opts:
+ *       requireBearer        — bool, default true.
+ *       verifyBearer         — async (token, req) -> claims | null.
+ *       redirectUriAllowlist — Array<string> exact-match URIs.
+ *       allowDynamicRegister — bool, default false.
+ *       registerClientAllowlist — function(body) -> bool.
+ *       toolAllowlist        — Array<string> | null.
+ *       resourceAllowlist    — Array<string> | null.
+ *       maxBodyBytes         — default 1 MiB.
+ *       errorClass           — McpError by default.
+ *       audit                — bool, default true.
+ *
+ *   mcp.parseRequest(body, opts) — JSON-RPC 2.0 envelope validator.
+ *   mcp.refuse(res, code, message, id) — JSON-RPC error responder.
+ *
+ * The guard is the secure-by-default front door. Every default
+ * refuses; operators opt into capabilities deliberately.
+ */
+
+var C = require("./constants");
+var nb = require("./numeric-bounds");
+var safeUrl = require("./safe-url");
+var safeJson = require("./safe-json");
+var safeBuffer = require("./safe-buffer");
+var requestHelpers = require("./request-helpers");
+var audit = require("./audit");
+var { McpError } = require("./framework-error");
+
+var TOOL_NAME_MAX     = 64;                                                                  // allow:raw-byte-literal — string-length cap, not bytes
+var RESOURCE_NAME_MAX = 256;                                                                 // allow:raw-byte-literal — string-length cap, not bytes
+var METHOD_NAME_MAX   = 256;                                                                 // allow:raw-byte-literal — string-length cap, not bytes
+// JSON-RPC 2.0 error codes (https://www.jsonrpc.org/specification#error_object).
+// Negative numerics by spec; mapped to HTTP status for the framework's
+// HTTP-shaped reply envelope.
+var JSONRPC_PARSE_ERROR     = -32700;                                                        // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
+var JSONRPC_INVALID_REQUEST = -32600;                                                        // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
+var JSONRPC_METHOD_NOT_FOUND= -32601;                                                        // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
+var JSONRPC_INVALID_PARAMS  = -32602;                                                        // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
+var JSONRPC_INTERNAL_ERROR  = -32603;                                                        // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
+var JSONRPC_AUTH_REQUIRED   = -32001;                                                        // allow:raw-byte-literal — JSON-RPC server-error reserved range / allow:raw-time-literal — not seconds
+var TOOL_NAME_RE     = /^[a-zA-Z][a-zA-Z0-9._-]{0,63}$/;
+var RESOURCE_NAME_RE = /^[a-zA-Z][a-zA-Z0-9._/-]{0,255}$/;
+
+function parseRequest(body, opts) {
+  opts = opts || {};
+  var errorClass = opts.errorClass || McpError;
+  var parsed;
+  try {
+    parsed = typeof body === "string" ? safeJson.parse(body, { maxBytes: C.BYTES.mib(1) }) : body;                                  // allow:JSON.parse — routed via safeJson.parse
+  } catch (_e) {
+    throw errorClass.factory("BAD_JSON",
+      "mcp.parseRequest: body is not valid JSON");
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw errorClass.factory("BAD_ENVELOPE",
+      "mcp.parseRequest: request must be a JSON-RPC object");
+  }
+  if (parsed.jsonrpc !== "2.0") {
+    throw errorClass.factory("BAD_VERSION",
+      "mcp.parseRequest: jsonrpc must be \"2.0\"");
+  }
+  if (typeof parsed.method !== "string" || parsed.method.length === 0 ||
+      parsed.method.length > METHOD_NAME_MAX) {
+    throw errorClass.factory("BAD_METHOD",
+      "mcp.parseRequest: method must be a non-empty string under 256 bytes");
+  }
+  if (parsed.id !== undefined && parsed.id !== null &&
+      typeof parsed.id !== "string" && typeof parsed.id !== "number") {
+    throw errorClass.factory("BAD_ID",
+      "mcp.parseRequest: id must be string, number, or null");
+  }
+  if (parsed.params !== undefined && parsed.params !== null &&
+      typeof parsed.params !== "object") {
+    throw errorClass.factory("BAD_PARAMS",
+      "mcp.parseRequest: params must be object or array");
+  }
+  return parsed;
+}
+
+function refuse(res, code, message, id) {
+  var body = JSON.stringify({
+    jsonrpc: "2.0",
+    error:   { code: code, message: message },
+    id:      id === undefined ? null : id,
+  });
+  if (typeof res.setHeader === "function") {
+    res.setHeader("Content-Type", "application/json");
+  }
+  // HTTP status mapping for the JSON-RPC error code we reply with.
+  res.statusCode = code === JSONRPC_PARSE_ERROR || code === JSONRPC_INVALID_REQUEST ? 400 :  // allow:raw-byte-literal — HTTP status code (RFC 9110)
+                   code === JSONRPC_METHOD_NOT_FOUND ? 404 :                                  // allow:raw-byte-literal — HTTP status code (RFC 9110)
+                   code === JSONRPC_INTERNAL_ERROR ? 500 : 400;                              // allow:raw-byte-literal — HTTP status code (RFC 9110)
+  res.end(body);
+}
+
+function _readBearer(req) {
+  var h = req.headers && req.headers.authorization;
+  if (typeof h !== "string") return null;
+  if (h.length > C.BYTES.kib(8)) return null;
+  var m = /^Bearer\s+([A-Za-z0-9._~+/=-]+)$/.exec(h.trim());
+  return m ? m[1] : null;
+}
+
+function _readBodyBuffered(req, maxBytes, errorClass) {
+  if (req.body !== undefined && req.body !== null) {
+    return Promise.resolve(req.body);
+  }
+  return new Promise(function (resolve, reject) {
+    var collector = safeBuffer.boundedChunkCollector({ maxBytes: maxBytes });
+    req.on("data", function (chunk) {
+      try { collector.push(chunk); }
+      catch (_e) {
+        req.destroy();
+        reject(errorClass.factory("BODY_TOO_LARGE",
+          "mcp: request body exceeds " + maxBytes + " bytes"));
+      }
+    });
+    req.on("end",  function () { resolve(collector.result().toString("utf8")); });
+    req.on("error", reject);
+  });
+}
+
+function _checkRedirectUri(uri, allowlist, errorClass) {
+  if (typeof uri !== "string") {
+    throw errorClass.factory("BAD_REDIRECT_URI",
+      "mcp: redirect_uri must be a string");
+  }
+  if (!Array.isArray(allowlist) || allowlist.indexOf(uri) === -1) {
+    throw errorClass.factory("REDIRECT_URI_REFUSED",
+      "mcp: redirect_uri not in allowlist (OAuth 2.1 / RFC 9700 sec 4.1.1)");
+  }
+  var parsed;
+  try { parsed = safeUrl.parse(uri); }
+  catch (_e) {
+    throw errorClass.factory("BAD_REDIRECT_URI",
+      "mcp: redirect_uri did not parse");
+  }
+  var isHttps = parsed.protocol === "https:";
+  var isLocal = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" ||
+                parsed.hostname === "::1";
+  if (!isHttps && !isLocal) {
+    throw errorClass.factory("INSECURE_REDIRECT_URI",
+      "mcp: redirect_uri must be HTTPS (or localhost; RFC 9700 sec 4.1.1)");
+  }
+}
+
+function serverGuard(opts) {
+  opts = opts || {};
+  var errorClass = opts.errorClass || McpError;
+  var requireBearer = opts.requireBearer !== false;
+  var verifyBearer  = opts.verifyBearer || null;
+  if (requireBearer && typeof verifyBearer !== "function") {
+    throw errorClass.factory("BAD_OPTS",
+      "mcp.serverGuard: verifyBearer required when requireBearer=true");
+  }
+  var redirectUriAllowlist = Array.isArray(opts.redirectUriAllowlist)
+    ? opts.redirectUriAllowlist.slice() : [];
+  var allowDynamicRegister = opts.allowDynamicRegister === true;
+  var registerClientAllowlist = typeof opts.registerClientAllowlist === "function"
+    ? opts.registerClientAllowlist : null;
+  if (allowDynamicRegister && !registerClientAllowlist) {
+    throw errorClass.factory("BAD_OPTS",
+      "mcp.serverGuard: allowDynamicRegister=true requires registerClientAllowlist function");
+  }
+  var toolAllowlist     = Array.isArray(opts.toolAllowlist)     ? opts.toolAllowlist     : null;
+  var resourceAllowlist = Array.isArray(opts.resourceAllowlist) ? opts.resourceAllowlist : null;
+  nb.requirePositiveFiniteIntIfPresent(opts.maxBodyBytes, "mcp.serverGuard: opts.maxBodyBytes", errorClass, "BAD_MAX_BYTES");
+  var maxBodyBytes = opts.maxBodyBytes || C.BYTES.mib(1);
+  var auditOn = opts.audit !== false;
+
+  function _emitDenied(req, action, reason, metadata) {
+    if (!auditOn) return;
+    audit.safeEmit({
+      action:   action,
+      outcome:  "denied",
+      reason:   reason,
+      metadata: Object.assign({
+        ip: requestHelpers.clientIp(req),
+        path: req && req.url,
+      }, metadata || {}),
+    });
+  }
+
+  return function mcpGuard(req, res, next) {
+    Promise.resolve().then(function () {
+      var token = _readBearer(req);
+      if (requireBearer) {
+        if (!token) {
+          _emitDenied(req, "mcp.auth.missing-bearer", "no bearer", {});
+          if (typeof res.setHeader === "function") {
+            res.setHeader("WWW-Authenticate",
+              "Bearer realm=\"mcp\", error=\"invalid_request\"");
+          }
+          return refuse(res, JSONRPC_AUTH_REQUIRED, "authentication required");
+        }
+      }
+      var claimsPromise = token && verifyBearer
+        ? Promise.resolve(verifyBearer(token, req))
+        : Promise.resolve(null);
+
+      return claimsPromise.then(function (claims) {
+        if (requireBearer && !claims) {
+          _emitDenied(req, "mcp.auth.invalid-bearer", "bearer rejected", {});
+          if (typeof res.setHeader === "function") {
+            res.setHeader("WWW-Authenticate",
+              "Bearer realm=\"mcp\", error=\"invalid_token\"");
+          }
+          return refuse(res, JSONRPC_AUTH_REQUIRED, "authentication failed");
+        }
+        req.mcpClaims = claims || null;
+
+        var path = String(req.url || "").split("?")[0];
+        if (path === "/register" || path.endsWith("/register")) {
+          if (!allowDynamicRegister) {
+            _emitDenied(req, "mcp.register.refused-static", "dynamic registration disabled", { path: path });
+            return refuse(res, JSONRPC_METHOD_NOT_FOUND, "dynamic client registration is not permitted");
+          }
+        }
+
+        return _readBodyBuffered(req, maxBodyBytes, errorClass).then(function (rawBody) {
+          var parsed;
+          try { parsed = parseRequest(rawBody, { errorClass: errorClass }); }
+          catch (e) {
+            _emitDenied(req, "mcp.envelope.refused", e.message, {});
+            return refuse(res, JSONRPC_PARSE_ERROR, e.message);
+          }
+          var method = parsed.method;
+          var params = parsed.params || {};
+
+          if (params && typeof params === "object" && params.redirect_uri !== undefined) {
+            try { _checkRedirectUri(params.redirect_uri, redirectUriAllowlist, errorClass); }
+            catch (e) {
+              _emitDenied(req, "mcp.redirect-uri.refused", e.message,
+                { redirectUri: params.redirect_uri });
+              return refuse(res, JSONRPC_INVALID_PARAMS, e.message, parsed.id);
+            }
+          }
+
+          if (method === "tools/call") {
+            var toolName = params && typeof params === "object" ? params.name : null;
+            if (typeof toolName !== "string" || toolName.length > TOOL_NAME_MAX || !TOOL_NAME_RE.test(toolName)) {
+              _emitDenied(req, "mcp.tool.bad-name", "tool name shape", { toolName: toolName });
+              return refuse(res, JSONRPC_INVALID_PARAMS, "tool name malformed", parsed.id);
+            }
+            if (toolAllowlist && toolAllowlist.indexOf(toolName) === -1) {
+              _emitDenied(req, "mcp.tool.refused", "not in allowlist", { toolName: toolName });
+              return refuse(res, JSONRPC_METHOD_NOT_FOUND, "tool not permitted", parsed.id);
+            }
+          }
+          if (method === "resources/read") {
+            var resourceUri = params && typeof params === "object" ? params.uri : null;
+            if (typeof resourceUri !== "string" || resourceUri.length > RESOURCE_NAME_MAX || !RESOURCE_NAME_RE.test(resourceUri)) {
+              _emitDenied(req, "mcp.resource.bad-uri", "resource uri shape", { resourceUri: resourceUri });
+              return refuse(res, JSONRPC_INVALID_PARAMS, "resource uri malformed", parsed.id);
+            }
+            if (resourceAllowlist && resourceAllowlist.indexOf(resourceUri) === -1) {
+              _emitDenied(req, "mcp.resource.refused", "not in allowlist", { resourceUri: resourceUri });
+              return refuse(res, JSONRPC_METHOD_NOT_FOUND, "resource not permitted", parsed.id);
+            }
+          }
+
+          req.mcpRequest = parsed;
+          if (auditOn) {
+            audit.safeEmit({
+              action:   "mcp.request",
+              outcome:  "success",
+              metadata: { method: method, hasClaims: !!claims },
+            });
+          }
+          if (typeof next === "function") next();
+          else if (!res.writableEnded) refuse(res, JSONRPC_METHOD_NOT_FOUND, "handler not wired");
+        });
+      });
+    }).catch(function (err) {
+      _emitDenied(req, "mcp.guard.error", err.message || "guard error", {});
+      if (!res.writableEnded) refuse(res, JSONRPC_INTERNAL_ERROR, "internal guard error");
+    });
+  };
+}
+
+module.exports = {
+  serverGuard:    serverGuard,
+  parseRequest:   parseRequest,
+  refuse:         refuse,
+};

package/lib/middleware/sse.js

@@ -38,32 +38,30 @@
 var C = require("../constants");
 var requestHelpers = require("../request-helpers");
 var safeBuffer = require("../safe-buffer");
+var sse = require("../sse");
 var validateOpts = require("../validate-opts");
 
 var DEFAULT_HEARTBEAT_MS = C.TIME.seconds(15);
 
+// _formatEvent — REFUSES on CRLF/NUL injection in event/id (CVE-2026-
+// 33128 / 29085 / 44217 class). Pre-v0.8.15 this stripped CRLF
+// silently; the strip-instead-of-refuse behavior was the
+// vulnerability. The framework now refuses at the source, returning
+// the operator a clear error code so the caller knows the event was
+// rejected. Validation routes through b.sse.serializeEvent so the
+// middleware surface and the low-level surface share one policy.
 function _formatEvent(msg) {
-  // RFC 6455... wait, that's WebSocket. SSE: WHATWG HTML §9.2.5.
-  // Lines: "id: <n>\n", "event: <name>\n", "data: <line>\n" (multi-line
-  // data is multiple "data: " lines), "retry: <ms>\n", blank line ends.
-  var out = "";
-  if (msg.id !== undefined && msg.id !== null) out += "id: " + safeBuffer.stripCrlf(String(msg.id)) + "\n";
-  if (msg.event)                                out += "event: " + safeBuffer.stripCrlf(String(msg.event)) + "\n";
-  if (msg.retry !== undefined && msg.retry !== null) {
-    if (typeof msg.retry !== "number" || !isFinite(msg.retry) || msg.retry < 0) {
-      throw new Error("sse: retry must be a non-negative finite number of milliseconds");
-    }
-    out += "retry: " + Math.floor(msg.retry) + "\n";
-  }
+  var coerced = msg || {};
   var dataStr;
-  if (msg.data === undefined || msg.data === null) dataStr = "";
-  else if (typeof msg.data === "string")           dataStr = msg.data;
-  else                                              dataStr = JSON.stringify(msg.data);
-  // Multi-line data → one `data:` line per source line (per spec).
-  var lines = dataStr.split(/\r?\n/);
-  for (var i = 0; i < lines.length; i++) out += "data: " + lines[i] + "\n";
-  out += "\n";  // dispatch
-  return out;
+  if (coerced.data === undefined || coerced.data === null) dataStr = "";
+  else if (typeof coerced.data === "string")               dataStr = coerced.data;
+  else                                                      dataStr = JSON.stringify(coerced.data);
+  return sse.serializeEvent({
+    id:    coerced.id !== undefined && coerced.id !== null ? String(coerced.id) : undefined,
+    event: coerced.event !== undefined && coerced.event !== null ? String(coerced.event) : undefined,
+    retry: coerced.retry,
+    data:  dataStr,
+  });
 }
 
 function create(handler, opts) {

package/lib/network-smtp-policy.js

@@ -117,13 +117,51 @@ function _parseStsPolicy(text) {
   return policy;
 }
 
-async function mtaStsFetch(domain) {
+// RFC 8461 §3.1 precondition. The TXT record at _mta-sts.<domain> is
+// the rotation signal: receivers re-fetch the HTTPS policy when the
+// `id=` value changes. Without it the fetcher would re-pull the same
+// cached policy forever (defeating operator rotation), and would also
+// fetch policies from domains that don't publish one.
+async function _fetchStsTxt(domain, dnsLookup) {
+  var records;
+  try {
+    records = dnsLookup
+      ? await dnsLookup("_mta-sts." + domain, "TXT")
+      : await dnsPromises.resolveTxt("_mta-sts." + domain);
+  } catch (e) {
+    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return null;
+    throw new SmtpPolicyError("smtp/mta-sts-txt-lookup-failed",
+      "_mta-sts." + domain + " TXT lookup failed: " +
+      ((e && e.message) || String(e)));
+  }
+  if (!Array.isArray(records)) return null;
+  for (var i = 0; i < records.length; i += 1) {
+    var rec = Array.isArray(records[i]) ? records[i].join("") : records[i];
+    if (typeof rec !== "string") continue;
+    if (rec.indexOf("v=STSv1") === -1) continue;
+    var idMatch = /\bid=([A-Za-z0-9]{1,32})/.exec(rec);
+    return { record: rec, id: idMatch ? idMatch[1] : null };
+  }
+  return null;
+}
+
+async function mtaStsFetch(domain, opts) {
   if (typeof domain !== "string" || domain.length === 0) {
     throw new SmtpPolicyError("smtp/bad-domain",
       "mtaSts.fetch: domain must be a non-empty string");
   }
+  opts = opts || {};
   var lcDomain = domain.toLowerCase();
-  return await _getStsCache().wrap(lcDomain, async function () {
+  // RFC 8461 §3.1 — refuse to fetch the HTTPS policy if the
+  // _mta-sts TXT record is absent. Closes the silent-escalation
+  // class.
+  var txt = await _fetchStsTxt(lcDomain, opts.dnsLookup);
+  if (!txt) return null;
+
+  // Cache key includes the policy id so operator-side rotations (id
+  // changes) invalidate the cached policy without operator action.
+  var cacheKey = lcDomain + "|" + (txt.id || "noid");
+  return await _getStsCache().wrap(cacheKey, async function () {
     var url = "https://mta-sts." + lcDomain + "/.well-known/mta-sts.txt";
     safeUrl.parse(url, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS });
     var res;
@@ -135,8 +173,6 @@ async function mtaStsFetch(domain) {
         timeoutMs: C.TIME.seconds(10),
       });
     } catch (_e) {
-      // Domain doesn't publish MTA-STS — return null (not an error;
-      // operators decide policy via their own gate).
       return null;
     }
     if (res.statusCode === 404) return null;                                     // allow:raw-byte-literal — HTTP 404
@@ -144,7 +180,23 @@ async function mtaStsFetch(domain) {
       throw new SmtpPolicyError("smtp/mta-sts-fetch-failed",
         "MTA-STS fetch returned " + res.statusCode + " for " + url);
     }
-    return _parseStsPolicy(res.body.toString("utf8"));
+    var parsed = _parseStsPolicy(res.body.toString("utf8"));
+    parsed.id = txt.id || null;
+    parsed.fetchedAt = Date.now();
+    // RFC 8461 §3.2 — max_age caps the cache TTL. Bound between 1 hour
+    // (floor — operators using shorter values are below the spec
+    // recommended floor) and 31557600 seconds (RFC 8461 ceiling). When
+    // max_age is missing, fall back to the framework default.
+    var maxAgeSec = parsed.max_age;
+    if (typeof maxAgeSec === "number" && isFinite(maxAgeSec) && maxAgeSec > 0) {
+      var hourSec = C.TIME.hours(1) / C.TIME.seconds(1);
+      var ceilingSec = C.TIME.weeks(52) / C.TIME.seconds(1);                                   // RFC 8461 §3.2 — ~1 year ceiling
+      var clamped = Math.max(hourSec, Math.min(ceilingSec, maxAgeSec));
+      parsed._cacheTtlMs = clamped * C.TIME.seconds(1);
+    } else {
+      parsed._cacheTtlMs = DEFAULT_POLICY_CACHE_MS;
+    }
+    return parsed;
   });
 }
 

package/lib/network-tls.js

@@ -882,6 +882,39 @@ function evaluateOcspResponse(ocspDer, opts) {
   } else if (parsed.basic.nonce) {
     nonceCheck = "present-not-checked";
   }
+  // RFC 6960 §4.2.2.1 — time-window enforcement. A "good" response is
+  // valid only between thisUpdate and nextUpdate (with operator-tunable
+  // skew). Without this check a stapled response is replayable forever:
+  // an attacker captures a pre-revocation "good" reply, the cert later
+  // gets revoked, the attacker keeps presenting the cached "good" and
+  // the framework keeps accepting it. requireGood postures depend on
+  // freshness — reject expired or future-dated responses outright.
+  var clockSkewMs = typeof opts.clockSkewMs === "number" && opts.clockSkewMs >= 0           // allow:numeric-opt-Infinity — operator-supplied skew, default 5 min if absent or invalid
+    ? opts.clockSkewMs : C.TIME.minutes(5);
+  var now = typeof opts.now === "number" ? opts.now : Date.now();
+  var thisUpdateMs = match.thisUpdate ? Date.parse(match.thisUpdate) : NaN;
+  var nextUpdateMs = match.nextUpdate ? Date.parse(match.nextUpdate) : NaN;
+  if (!isFinite(thisUpdateMs)) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP response missing thisUpdate (RFC 6960 §4.2.2.1)"] };
+  }
+  if (thisUpdateMs - clockSkewMs > now) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP thisUpdate is in the future (RFC 6960 §4.2.2.1 — possible clock skew or response replay)"] };
+  }
+  if (isFinite(nextUpdateMs) && nextUpdateMs + clockSkewMs < now) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP response is past nextUpdate (RFC 6960 §4.2.2.1 — stale response, possible replay)"] };
+  }
   return {
     ok:             match.certStatus === "good",
     status:         parsed.status,