@blamejs/core 0.8.15 → 0.8.17

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.17** (2026-05-08) — Email auth + DANE / TLS-RPT spec-conformance fixes (ARC / DMARC / SPF / A-R / DANE / TLS-RPT). Ten more RFC-cited gaps closed. **ARC (`b.mail.arc`)** — signer's AMS canonicalization now includes the current hop's `ARC-Authentication-Results` per RFC 8617 §5.1.1 (auto-prepends to `h=` unless operator passes `excludeAarFromAms: true`). Microsoft + Google receivers DO include AAR in `h=`; the prior framework default produced chains those receivers couldn't verify. Verifier counterpart: when reconstructing the AMS canonical input, only the CURRENT hop's AAR is kept (prior-hop AARs stripped). Verifier now enforces `t=` (signing time) + `x=` (expiration) time windows per RFC 8617 §5.2 with operator-tunable `clockSkewMs` (default 5 min) — pre-v0.8.17 the verifier parsed but never enforced. **DMARC (`b.mail.dmarc`)** — multiple `v=DMARC1` records on a domain now treated as having no DMARC record per RFC 7489 §6.6.3 (`_fetchDmarcRecord` returns null on multi-match). Subdomain `sp=` fallback wired: when `_dmarc.<from-domain>` returns no record, the verifier walks one label up to the (heuristic) organizational domain and applies its `sp=` (subdomain policy) — falls back to `p=` when `sp=` absent. Result includes `policyOriginDomain` + `orgDomainPolicyApplied: true` so operators can audit which record drove the verdict. (Heuristic only — operators with PSL needs supply their own `dnsLookup` for full Public Suffix List walk.) **SPF (`b.mail.spf`)** — initial query for the sender's SPF record no longer counts toward the 10-lookup limit per RFC 7208 §4.6.4. Pre-v0.8.17 was off-by-one — senders at the spec ceiling got false `permerror`. **A-R (`b.mail.authResults`)** — result vocabulary is now METHOD-SPECIFIC per RFC 8601 §2.7 (per-method `AR_RESULTS_BY_METHOD` map). The flat `AR_VALID_RESULTS` table previously accepted `hardfail` for DKIM (only valid for DMARC §2.7.4) and accepted `temperror` / `permerror` for methods that don't recognize them. **DANE (`b.network.smtp.dane`)** — `daneTlsa()` now REFUSES to return records unless the caller passes `opts.dnssecValidated: true` per RFC 7672 §1.3 (TLSA records that are not DNSSEC-validated MUST NOT be used). Pre-v0.8.17 silently used un-validated records — silent escalation class. `daneVerifyChain` enforces RFC 6698 §2.1.4 + RFC 7672 §3.1.1 chain-order: a DANE-TA match at chain position `i` is accepted only when its DER Subject equals the DER Issuer of cert at position `i-1` (i.e. it's actually the parent in the chain, not a random non-leaf cert that happens to hash-match). Chain-order is best-effort — synthetic test fixtures without ASN.1-parseable DER fall through with `chainOrderUnverified: true` flagged on the match. **TLS-RPT (`b.network.smtp.tlsRpt.fetchPolicy`)** — record without `rua=` now returns `null` (record ignored) per RFC 8460 §3. Pre-v0.8.17 returned `{ version: "TLSRPTv1", rua: [] }` which operators incorrectly treated as a valid record with no destinations. Bug fix only — no new operator-facing primitives.
+
+- **0.8.16** (2026-05-08) — Email auth + transport spec-conformance fixes (DKIM / SPF / MTA-STS / OCSP). Ten RFC-cited gaps closed against shipped primitives. **DKIM (`b.mail.dkim`)** — verifier now refuses any signature whose `h=` tag does not include `from` (RFC 6376 §3.5 cornerstone bypass — without From-coverage the signature does not bind to the visible sender; receivers were treating these as valid); refuses unrecognized `v=` tag values per RFC 6376 §3.5 (only `v=1` accepted); enforces empty `p=` as explicit key revocation per RFC 6376 §3.6.1 (verdict `fail`, not `permerror` — well-formed signature against a withdrawn key); enforces `k=` algorithm-family tag agreement with the signature's `a=` family (e.g. `k=rsa` paired with `a=ed25519-sha256` permerrors per RFC 6376 §3.6.1); selector validator now accepts multi-label selectors per RFC 6376 §3.1 ABNF (`sub-domain *("." sub-domain)` — common for time-rotated keys like `2024.s1`). **SPF (`b.mail.spf`)** — refuses domains that publish multiple `v=spf1` TXT records with `permerror` per RFC 7208 §4.5 (most operators don't realize multi-record SPF was always invalid; this surfaces the misconfig instead of silently picking the first); `include:` mechanism now permerrors when the included domain has no SPF record per RFC 7208 §5.2 (closes the silent-authorization class where `include:gone-domain.example` followed by `+all` would silently allow). **MTA-STS (`b.smtpPolicy.mtaSts.fetch`)** — now requires the `_mta-sts.<domain>` TXT precondition record per RFC 8461 §3.1 before fetching the HTTPS policy (closes the silent-escalation class where the framework would fetch policies for domains that never opted in, AND defeats operator-side rotation when the `id=` in the TXT changes); cache TTL is now bounded by the policy's `max_age` value per RFC 8461 §3.2 (clamped between 1 hour floor and 1 year ceiling) instead of the framework's hardcoded 60-min default. **OCSP (`b.network.tls.ocsp.evaluate`)** — `evaluateOcspResponse` now enforces the `thisUpdate` / `nextUpdate` time window per RFC 6960 §4.2.2.1, rejecting responses whose validity window has expired or hasn't started yet (with operator-tunable `clockSkewMs`, default 5 min). Pre-v0.8.16 a captured "good" response could replay forever even after the cert was revoked; this defeats `requireGood` posture. Bug fix only — no new operator-facing primitives, no surface change beyond the additional refusals.
+
 - **0.8.15** (2026-05-08) — Transport-layer CVE absorption + AI-protocol primitives. **`b.sse`** — Server-Sent Events transport with newline-injection refusal in `event:` / `id:` / `data:` fields and the `Last-Event-ID` reconnect header (CVE-2026-33128 h3, CVE-2026-29085 Hono, CVE-2026-44217 sse-channel — three CVEs published in the same vulnerability class). Channel API: `channel.send({event,id,data,retry})` validates each field, refuses LF/CR/NUL, splits multi-line `data` into per-spec multiple `data:` lines, drives a `:keepalive` heartbeat with operator-tunable interval. `b.sse.serializeEvent({...})` exposes the encoder for buffered pipelines. **`b.mcp.serverGuard`** — Model Context Protocol server-side hardening. Bearer auth required by default (CVE-2026-33032 nginx-ui auth-bypass class), `redirect_uri` exact-match allowlist enforced per OAuth 2.1 / RFC 9700 §4.1.1 (CVE-2025-6514 mcp-remote OAuth RCE class), dynamic client-registration refused unless `allowDynamicRegister: true` with operator-supplied registration allowlist (confused-deputy class), tool/resource name allowlists at the guard layer. JSON-RPC 2.0 envelope validator. **`b.graphqlFederation.guardSdl`** — refuses `_service.sdl` / `_entities` probes without a router-token Bearer + optional single-use nonce; closes the schema-leak class where operators disable introspection thinking the schema is hidden. **`b.ai.input.classify`** — pattern-based prompt-injection classifier covering OWASP LLM01:2025 + NIST COSAIS RFI shapes: instruction-override / persona-jailbreak / role-reset markers / OpenAI system-tag templates / tool-call injection / exfil-callback / encoded-bypass (base64/rot13) / markdown+HTML smuggling / BIDI/zero-width/control char density. Severity-3 hits → `verdict: "malicious"`; 2+ severity-2 hits → `"suspicious"`; otherwise `"clean"`. Inline-on-every-request perf cost — no LLM, no network. **`b.a2a`** — A2A (Linux Foundation Agentic AI Foundation) v1.x signed agent-card primitive. `signCard` produces an envelope with a detached ML-DSA-87 signature over the SHA3-512 of the canonical-JSON serialization (RFC 8785-aligned); `verifyCard` validates signature + expiry + issuer match. Endpoints HTTPS-only (or localhost) at validation time. **`b.darkPatterns`** — FTC Negative Option Rule click-to-cancel UX-parity attestation primitive. `recordSignupFlow` / `recordCancelFlow` capture operator-attested click counts, CTA contrast / font weight, channel, confirmation steps; `assertParity` returns `{ ok, breaches }` against `ftc-2024` / `ca-sb942` / `strict` postures. `middleware({lookupAttestation, resourceIdFromReq})` refuses cancel-endpoint requests with HTTP 451 if no parity attestation is on file. **WebSocket control-frame size cap** — `lib/websocket.js` `_handleFrame` refuses any control frame (opcodes ≥ 0x8: CLOSE/PING/PONG) with payload length > 125 or `fin = false` (RFC 6455 §5.5). Closes the 2× outbound-bandwidth amplification class where a 1 MiB PING was echoed verbatim as PONG. **`b.requestHelpers.safeHeadersDistinct(req)`** — defensive accessor for `req.headersDistinct` that bypasses Node's faulty getter (Node CVE-2026-21710 — reading `__proto__` on the underlying header bag throws synchronously inside the getter, escaping handler-level try/catch). Computes the same null-prototype shape directly from `req.rawHeaders`. **TLS / SNI hardening** — `router.listen()` now wraps any operator-supplied `tlsOptions.SNICallback` so synchronous throws (Node CVE-2026-21637) become a clean async `(err, null)` callback rather than crashing the listener. Inbound TLS now defaults to `minVersion: "TLSv1.3"` when the operator's `tlsOptions` doesn't pin one (closes the gap where bare `{key, cert}` inherited Node's TLSv1.2 default). **httpClient identity decoding** — `b.httpClient` now sends `Accept-Encoding: identity` by default (h1 + h2 paths) — refuses compressed responses unless the operator explicitly opts in. Closes the undici unbounded-decompression amplification class (CVE-2026-22036). Operators that need compressed responses pass an explicit `Accept-Encoding` header. **Engine pin** — `engines.node` raised from `>=24.0.0` to `>=24.4.0` to ensure the undici fix is bundled.
 
 - **0.8.14** (2026-05-07) — `b.vault.sealPemFile` — auto-resealing wrapper for at-rest PEM files. Operators with ACME / Let's Encrypt renewals get fresh certs every 30-60 days; the renewal writes plaintext PEM to disk, signals the application to reload, and leaves the cleartext file unencrypted between the renewal write and the next manual re-seal. `b.vault.sealPemFile({ source, destination })` closes that window: the framework reads the source, vault-seals it, atomically writes `<destination>` (`.tmp` + `fsync` + `rename` + `fsyncDir`), and registers an `fs.watchFile` poll on the source. Every mtime change triggers an automatic re-seal — the operator-visible `<destination>.rewriting` marker is created before the rename and removed after, giving crash recovery a signal: when `sealPemFile()` starts and the marker is present, it re-seals from source idempotently. Returns `{ stop, generation, lastResealedAt, lastError, watching, forceReseal }` so operators can wire the watcher into existing lifecycle hooks (`b.appShutdown.addPhase({ name: "pem-watcher", run: () => watcher.stop() })`). `pollInterval` defaults to 2s — ACME renewal cadence is days, so polling latency is irrelevant against the renewal interval; operators with sub-second requirements override. `fs.watchFile` (the polling backend) is used instead of `fs.watch` (inotify / kqueue) because watchFile is consistent across platforms — Linux fires multiple change events per rename, macOS doesn't fire on renamed-into files, and the polling cadence is acceptable here.

package/lib/mail-arc-sign.js

@@ -202,6 +202,20 @@ function sign(opts) {
     throw new MailAuthError("arc-sign/bad-headers",
       "sign: headersToSign must be a non-empty array of header names");
   }
+  // RFC 8617 §5.1.1 + Microsoft + Google receiver interop — the
+  // current hop's ARC-Authentication-Results MUST appear in the AMS
+  // h= list. Pre-v0.8.17 the framework default omitted it; receivers
+  // that include AAR in their canonicalization (M365, Gmail) failed
+  // to verify framework-signed chains. Auto-prepend if absent.
+  // Operators that explicitly want to opt out (deprecated, do not)
+  // pass `excludeAarFromAms: true`.
+  var hasAar = headersToSign.some(function (n) {
+    return String(n).toLowerCase() === "arc-authentication-results";
+  });
+  if (!hasAar && opts.excludeAarFromAms !== true) {
+    headersToSign = headersToSign.slice();
+    headersToSign.unshift("ARC-Authentication-Results");
+  }
   for (var hi = 0; hi < headersToSign.length; hi += 1) {
     if (typeof headersToSign[hi] !== "string" || headersToSign[hi].length === 0) {
       throw new MailAuthError("arc-sign/bad-headers",
@@ -263,8 +277,17 @@ function sign(opts) {
   amsTags.push("b=");
   var amsUnsigned = amsTags.join("; ");
 
+  // RFC 8617 §5.1.1 — the current hop's ARC-Authentication-Results
+  // is part of the AMS canonicalization input when h= covers it.
+  // Synthesize a virtual entry at the top of parsedHeaders so the
+  // header-name lookup below sees it; the canonicalizer reads
+  // parsedHeaders[idx] like any other header.
+  var amsParsedHeaders = [{
+    name:  "ARC-Authentication-Results",
+    value: " " + aarValue,
+  }].concat(parsedHeaders);
   var canonHeaders = "";
-  var headerNamesLc = parsedHeaders.map(function (h) { return h.name.toLowerCase(); });
+  var headerNamesLc = amsParsedHeaders.map(function (h) { return h.name.toLowerCase(); });
   for (var j = 0; j < headersToSign.length; j += 1) {
     var wantLc = headersToSign[j].toLowerCase();
     var idx = -1;
@@ -272,14 +295,12 @@ function sign(opts) {
       if (headerNamesLc[k] === wantLc) idx = k;
     }
     if (idx === -1) continue;
-    var h = parsedHeaders[idx];
+    var h = amsParsedHeaders[idx];
     canonHeaders += _canonRelaxedHeader(h.name, h.value);
   }
-  // Per RFC 8617 §5.1 — include the AAR for the current hop in the
-  // AMS canonicalization stream when h= covers it. Per AMS spec, h=
-  // typically does NOT include the AAR (it's a *prior* hop's
-  // attestation), so the canonical input is (h-listed headers) +
-  // (AMS with empty b=).
+  // RFC 8617 §5.1 — current-hop AAR is included via h= (prepended
+  // above); canonical input is (h-listed headers) + (AMS with empty
+  // b=).
   var amsCanonInput = canonHeaders +
     _canonRelaxedHeader("ARC-Message-Signature", amsUnsigned).replace(/\r\n$/, "");
 

package/lib/mail-auth.js

@@ -109,8 +109,12 @@ function _parseSpfRecord(text) {
   return mechanisms;
 }
 
-// Fetch the SPF TXT record for a domain. Returns the joined record
-// text or null if no v=spf1 record found.
+// Fetch the SPF TXT record for a domain. Returns:
+//   { kind: "found",    record: "<text>" }  — exactly one v=spf1 record
+//   { kind: "none" }                          — zero v=spf1 records
+//   { kind: "permerror", reason: "<msg>" }    — multiple v=spf1 records
+//                                              (RFC 7208 §4.5 — domain
+//                                              MUST publish at most one)
 async function _fetchSpfRecord(domain, dnsLookup) {
   var records;
   try {
@@ -118,17 +122,24 @@ async function _fetchSpfRecord(domain, dnsLookup) {
       ? await dnsLookup(domain, "TXT")
       : await dnsPromises.resolveTxt(domain);
   } catch (e) {
-    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return null;
+    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return { kind: "none" };
     throw new MailAuthError("mail-auth/spf-lookup-failed",
       "SPF TXT lookup for " + domain + " failed: " +
       ((e && e.message) || String(e)));
   }
-  if (!Array.isArray(records)) return null;
+  if (!Array.isArray(records)) return { kind: "none" };
+  var matches = [];
   for (var i = 0; i < records.length; i += 1) {
     var rec = Array.isArray(records[i]) ? records[i].join("") : records[i];
-    if (typeof rec === "string" && rec.indexOf("v=spf1") === 0) return rec;
+    if (typeof rec === "string" && rec.indexOf("v=spf1") === 0) matches.push(rec);
   }
-  return null;
+  if (matches.length === 0) return { kind: "none" };
+  if (matches.length > 1) {
+    return { kind: "permerror",
+             reason: "domain " + domain + " publishes " + matches.length +
+                     " v=spf1 records; RFC 7208 §4.5 requires at most one" };
+  }
+  return { kind: "found", record: matches[0] };
 }
 
 // SPF verify — recursive include resolution + ip4/ip6/all/+a/+mx
@@ -150,8 +161,14 @@ async function spfVerify(opts) {
   }
 
   var lookups = { count: 0, limit: SPF_DNS_LOOKUP_LIMIT };
+  // RFC 7208 §4.6.4 — the initial query for the sender domain's SPF
+  // record itself does NOT count toward the 10-lookup limit. Only
+  // include / a / mx / ptr / exists / redirect mechanisms count.
+  // Pre-v0.8.17 this was off-by-one — senders at the spec ceiling
+  // got false permerror.
   var result = await _spfEvaluateDomain(domain.toLowerCase(), opts.ip,
-                                          opts.dnsLookup, lookups);
+                                          opts.dnsLookup, lookups,
+                                          { isInitial: true });
   return {
     result: result.verdict,                                                      // pass | fail | softfail | neutral | none | temperror | permerror
     domain: domain,
@@ -160,23 +177,29 @@ async function spfVerify(opts) {
   };
 }
 
-async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups) {
+async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups, ctx) {
+  ctx = ctx || {};
   if (lookups.count > lookups.limit) {
     return { verdict: "permerror", explanation: "DNS lookup limit exceeded (RFC 7208 §4.6.4)" };
   }
-  lookups.count += 1;
+  // Initial query for the sender's SPF record doesn't count (RFC 7208
+  // §4.6.4); only include / a / mx / ptr / exists / redirect do.
+  if (!ctx.isInitial) lookups.count += 1;
 
-  var record;
-  try { record = await _fetchSpfRecord(domain, dnsLookup); }
+  var fetched;
+  try { fetched = await _fetchSpfRecord(domain, dnsLookup); }
   catch (e) {
     return { verdict: "temperror", explanation: e.message };
   }
-  if (!record) {
+  if (fetched.kind === "permerror") {
+    return { verdict: "permerror", explanation: fetched.reason };
+  }
+  if (fetched.kind === "none") {
     return { verdict: "none", explanation: "no SPF record at " + domain };
   }
 
   var mechanisms;
-  try { mechanisms = _parseSpfRecord(record); }
+  try { mechanisms = _parseSpfRecord(fetched.record); }
   catch (e) {
     return { verdict: "permerror", explanation: e.message };
   }
@@ -201,6 +224,15 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups) {
       else if (inner.verdict === "permerror" || inner.verdict === "temperror") {
         return inner;
       }
+      // RFC 7208 §5.2 — when the included domain has no SPF record at
+      // all, the include itself MUST permerror (the included policy is
+      // missing, the operator's intent is unverifiable). Without this
+      // check `include:gone-domain.example` silently authorizes whatever
+      // mechanism follows, including `+all`.
+      else if (inner.verdict === "none") {
+        return { verdict: "permerror",
+                 explanation: "include:" + m.arg + " has no SPF record (RFC 7208 §5.2)" };
+      }
     } else if (m.mechanism === "a" || m.mechanism === "mx" ||
                m.mechanism === "exists" || m.mechanism === "ptr" ||
                m.mechanism === "redirect") {
@@ -242,11 +274,16 @@ async function _fetchDmarcRecord(domain, dnsLookup) {
       ((e && e.message) || String(e)));
   }
   if (!Array.isArray(records)) return null;
+  var matches = [];
   for (var i = 0; i < records.length; i += 1) {
     var rec = Array.isArray(records[i]) ? records[i].join("") : records[i];
-    if (typeof rec === "string" && rec.indexOf("v=DMARC1") === 0) return rec;
+    if (typeof rec === "string" && rec.indexOf("v=DMARC1") === 0) matches.push(rec);
   }
-  return null;
+  if (matches.length === 0) return null;
+  // RFC 7489 §6.6.3 — when multiple v=DMARC1 records are published,
+  // the receiver MUST treat the domain as having no DMARC record.
+  if (matches.length > 1) return null;
+  return matches[0];
 }
 
 function _parseDmarcRecord(text) {
@@ -300,10 +337,40 @@ async function dmarcEvaluate(opts) {
       "dmarc.evaluate: opts.from is missing the @domain part");
   }
 
-  var policy;
-  try { var rec = await _fetchDmarcRecord(fromDomain, opts.dnsLookup);
-        policy = rec ? _parseDmarcRecord(rec) : null; }
-  catch (e) {
+  var policy = null;
+  var policyOriginDomain = null;
+  var orgDomainPolicyApplied = false;
+  try {
+    var rec = await _fetchDmarcRecord(fromDomain, opts.dnsLookup);
+    if (rec) {
+      policy = _parseDmarcRecord(rec);
+      policyOriginDomain = fromDomain;
+    } else {
+      // RFC 7489 §6.6.3 — when no DMARC record exists at the From
+      // domain, the receiver MUST walk to the organizational domain
+      // and query for a record there, then apply that record's `sp=`
+      // subdomain policy (or fall back to `p=`). Without a PSL we
+      // approximate the org domain by dropping one label at a time —
+      // covers the common one-level-subdomain case (mail.example.com
+      // → example.com) but not multi-label public suffixes (.co.uk).
+      // Operators with PSL-aware needs override `dnsLookup` and
+      // implement the full lookup themselves.
+      var labels = fromDomain.split(".");
+      if (labels.length >= 3) {
+        var parent = labels.slice(1).join(".");
+        var parentRec = await _fetchDmarcRecord(parent, opts.dnsLookup);
+        if (parentRec) {
+          var parentPolicy = _parseDmarcRecord(parentRec);
+          // Apply sp= if set, else fall back to p=. The result is the
+          // policy the receiver applies to mail from this subdomain.
+          parentPolicy.p = parentPolicy.sp || parentPolicy.p;
+          policy = parentPolicy;
+          policyOriginDomain = parent;
+          orgDomainPolicyApplied = true;
+        }
+      }
+    }
+  } catch (e) {
     return { result: "temperror", explanation: e.message,
              policy: null, alignment: { spf: false, dkim: false } };
   }
@@ -336,6 +403,8 @@ async function dmarcEvaluate(opts) {
   return {
     result:     pass ? "pass" : "fail",
     policy:     policy,
+    policyOriginDomain:    policyOriginDomain,
+    orgDomainPolicyApplied: orgDomainPolicyApplied,
     alignment:  { spf: spfAligned, dkim: dkimAligned },
     recommendedAction: recommendedAction,
     explanation: pass
@@ -479,19 +548,45 @@ async function arcVerify(rfc822, opts) {
   // 3. Per-hop AMS + AS verification.
   var perHop = [];
   var anyFail = false;
+  // RFC 8617 §5.2 — operator-tunable clock skew on t= (signing
+  // timestamp) and x= (expiration) tags. Default 5 min.
+  var arcClockSkewMs = typeof opts.clockSkewMs === "number" && opts.clockSkewMs >= 0           // allow:numeric-opt-Infinity — operator-supplied skew, default 5 min
+    ? opts.clockSkewMs : C.TIME.minutes(5);
+  var nowSec = Math.floor(Date.now() / 1000);                                                  // allow:raw-byte-literal — Unix epoch seconds divisor
 
   for (var hopIdx = 0; hopIdx < hops.length; hopIdx += 1) {
     var hop = hops[hopIdx];
 
+    // RFC 8617 §5.2 — verifier MUST reject AMS or AS with t= timestamp
+    // in the future or x= expiration in the past (with operator skew
+    // tolerance). Pre-v0.8.17 the verifier parsed t= but never
+    // enforced it.
+    var amsTags = _parseArcTagList(hop["arc-message-signature"]);
+    var asTags  = _parseArcTagList(hop["arc-seal"]);
+    var amsT = amsTags.t ? parseInt(amsTags.t, 10) : null;
+    var amsX = amsTags.x ? parseInt(amsTags.x, 10) : null;
+    var asT  = asTags.t  ? parseInt(asTags.t, 10)  : null;
+    var asX  = asTags.x  ? parseInt(asTags.x, 10)  : null;
+    var skewSec = Math.floor(arcClockSkewMs / 1000);                                          // allow:raw-byte-literal — sec divisor
+    var timeFault = null;
+    if (amsT && isFinite(amsT) && amsT - skewSec > nowSec) timeFault = "ams-t-future";
+    if (amsX && isFinite(amsX) && amsX + skewSec < nowSec) timeFault = "ams-x-expired";
+    if (asT  && isFinite(asT)  && asT  - skewSec > nowSec) timeFault = "as-t-future";
+    if (asX  && isFinite(asX)  && asX  + skewSec < nowSec) timeFault = "as-x-expired";
+
     // AMS — RFC 8617 §5.1.1. Same shape as a DKIM-Signature; reuses
     // the DKIM verifier by injecting a temporary message that has
     // the AMS as the signing header.
-    var amsResult = await _verifyArc(rfc822, hop, hops, "ams", opts.dnsLookup, dkim);
+    var amsResult = timeFault
+      ? { result: "fail", errors: ["ams: " + timeFault + " (RFC 8617 §5.2)"] }
+      : await _verifyArc(rfc822, hop, hops, "ams", opts.dnsLookup, dkim);
 
     // AS — RFC 8617 §5.1.2. Signs the catenation of all prior
     // ARC-{AAR,AMS,AS} headers plus current AAR + AMS, then the AS
     // itself with empty b=.
-    var asResult = await _verifyArc(rfc822, hop, hops, "as", opts.dnsLookup, dkim);
+    var asResult = timeFault
+      ? { result: "fail", errors: ["as: " + timeFault + " (RFC 8617 §5.2)"] }
+      : await _verifyArc(rfc822, hop, hops, "as", opts.dnsLookup, dkim);
 
     perHop.push({
       instance:                 hop.instance,
@@ -660,11 +755,17 @@ async function _verifyAmsViaDkim(rfc822, hop, sigValue, tags, dkim, dnsLookup) {
     var name = line.slice(0, colonAt).trim().toLowerCase();
     if (name === "arc-message-signature" ||
         name === "arc-seal" ||
-        name === "arc-authentication-results" ||
         name === "dkim-signature") {
-      // Drop pre-existing ARC + DKIM headers from the synthetic.
       continue;
     }
+    if (name === "arc-authentication-results") {
+      // RFC 8617 §5.1.1 — keep only the CURRENT hop's AAR (signer
+      // canonicalizes it via h=). Pre-v0.8.17 stripped every AAR
+      // unconditionally, breaking verification on chains that
+      // included AAR in h= (Microsoft + Google interop).
+      var instMatch = /\bi\s*=\s*(\d+)/.exec(line.slice(colonAt + 1));
+      if (!instMatch || parseInt(instMatch[1], 10) !== hop.instance) continue;
+    }
     rebuilt.push(line);
   }
   rebuilt.unshift(renamedHeader);
@@ -839,15 +940,39 @@ async function arcEvaluate(rfc822, opts) {
 //   });
 //   // → "Authentication-Results: mx.example.com;\r\n  spf=pass smtp.mailfrom=user@sender.example;\r\n  dkim=pass header.d=sender.example;\r\n  dmarc=pass header.from=user@sender.example;\r\n  arc=pass"
 
-var AR_VALID_RESULTS = {
-  pass: 1, fail: 1, neutral: 1, none: 1, softfail: 1, policy: 1,
-  permerror: 1, temperror: 1, hardfail: 1, bestguesspass: 1,
-};
-var AR_VALID_METHODS = {
-  auth: 1, dkim: 1, "dkim-adsp": 1, dmarc: 1, "domainkeys": 1,
-  "iprev": 1, "sender-id": 1, spf: 1, arc: 1, "smime": 1, dane: 1,
-  "vbr": 1, "dnswl": 1, "x-original-authentication-results": 1,
+// RFC 8601 §2.7 — result vocabulary is METHOD-SPECIFIC, not a flat
+// allowlist. The flat AR_VALID_RESULTS table previously accepted
+// `hardfail` for DKIM (only valid for DMARC §2.7.4) and `temperror` /
+// `permerror` for methods that don't recognize them. Per-method maps
+// match the spec sections cited.
+var AR_RESULTS_BY_METHOD = {
+  // §2.7.1 — auth
+  auth:           { pass: 1, fail: 1, none: 1, permerror: 1, temperror: 1 },
+  // §2.7.2 — domainkeys (legacy; vocabulary kept narrow)
+  domainkeys:     { pass: 1, fail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  // §2.7.3 — DKIM
+  dkim:           { pass: 1, fail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  "dkim-adsp":    { pass: 1, fail: 1, discard: 1, nxdomain: 1, none: 1, permerror: 1, temperror: 1 },
+  // §2.7.4 — SPF (uses softfail; not hardfail)
+  spf:            { pass: 1, fail: 1, softfail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  "sender-id":    { pass: 1, fail: 1, softfail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  // §2.7.5 — IPRev
+  iprev:          { pass: 1, fail: 1, permerror: 1, temperror: 1 },
+  // §2.7.6 — DMARC (this is the ONE place hardfail is valid in some drafts; keep it)
+  dmarc:          { pass: 1, fail: 1, none: 1, permerror: 1, temperror: 1, hardfail: 1, bestguesspass: 1 },
+  // RFC 8617 §4.1 — ARC
+  arc:            { pass: 1, fail: 1, none: 1 },
+  // RFC 8616 — DANE
+  dane:           { pass: 1, fail: 1, none: 1, permerror: 1, temperror: 1 },
+  // VBR + DNSWL + S/MIME — vocabulary kept conservative
+  smime:          { pass: 1, fail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  vbr:            { pass: 1, fail: 1, none: 1, permerror: 1, temperror: 1 },
+  dnswl:          { pass: 1, none: 1, temperror: 1 },
+  "x-original-authentication-results": { pass: 1, fail: 1, neutral: 1, none: 1, softfail: 1, hardfail: 1, policy: 1, permerror: 1, temperror: 1, bestguesspass: 1, discard: 1, nxdomain: 1 },
 };
+var AR_VALID_METHODS = Object.keys(AR_RESULTS_BY_METHOD).reduce(function (acc, m) {
+  acc[m] = 1; return acc;
+}, {});
 
 function authResultsEmit(opts) {
   validateOpts.requireObject(opts, "authResults.emit", MailAuthError, "mail-auth/ar-bad-input");
@@ -885,9 +1010,10 @@ function authResultsEmit(opts) {
       throw new MailAuthError("mail-auth/ar-bad-method",
         "authResults.emit: unknown method '" + r.method + "'");
     }
-    if (!AR_VALID_RESULTS[result]) {
+    var methodResults = AR_RESULTS_BY_METHOD[method];
+    if (!methodResults || !methodResults[result]) {
       throw new MailAuthError("mail-auth/ar-bad-result",
-        "authResults.emit: unknown result '" + r.result + "' for method '" + method + "'");
+        "authResults.emit: result '" + r.result + "' is not in the RFC 8601 §2.7 vocabulary for method '" + method + "'");
     }
     var clause = method + "=" + result;
     if (r.reason && typeof r.reason === "string" && !/[\r\n\0;]/.test(r.reason)) {

package/lib/mail-dkim.js

@@ -216,9 +216,15 @@ function create(opts) {
     throw new DkimError("dkim/bad-domain",
       "domain must be a valid DNS name (e.g. 'example.com')");
   }
-  if (typeof opts.selector !== "string" || !/^[a-z0-9_-]+$/i.test(opts.selector)) {
+  // RFC 6376 §3.1 ABNF: selector = sub-domain *("." sub-domain). Multi-
+  // label selectors like "2024.s1" are valid (and common for time-rotated
+  // keys). Each label is the LDH set; refuse leading/trailing dots and
+  // empty labels.
+  if (typeof opts.selector !== "string" ||
+      opts.selector.length === 0 || opts.selector.length > 253 ||                            // allow:raw-byte-literal — DNS label length cap (RFC 1035)
+      !/^[a-z0-9_-]+(?:\.[a-z0-9_-]+)*$/i.test(opts.selector)) {
     throw new DkimError("dkim/bad-selector",
-      "selector must be a non-empty token of [A-Za-z0-9_-]");
+      "selector must be a non-empty LDH token, optionally dot-separated (e.g. 's1', '2024.s1') (RFC 6376 §3.1)");
   }
   if (!opts.privateKey || (typeof opts.privateKey !== "string" &&
       typeof opts.privateKey !== "object")) {
@@ -566,6 +572,14 @@ function _verifySingleSignature(rfc822, parsedHeaders, sigHeader, keyTags, sigTa
   var headerNames = (sigTags.h || "").split(":").map(function (s) {
     return s.trim().toLowerCase();
   });
+  // RFC 6376 §3.5 — "from" MUST be in h=. Without From-coverage the
+  // signature does not bind to the visible sender, and the receiver's
+  // "this domain signed for that From" claim is meaningless. Cornerstone
+  // bypass class — refuse the signature outright.
+  if (headerNames.indexOf("from") === -1) {
+    return { result: "permerror",
+             errors: ["DKIM-Signature h= tag does not include 'from' (RFC 6376 §3.5)"] };
+  }
   var lcNames = parsedHeaders.map(function (h) { return h.name.toLowerCase(); });
   var canonicalizedHeaders = "";
   for (var j = 0; j < headerNames.length; j += 1) {
@@ -659,6 +673,13 @@ async function verify(rfc822, opts) {
     var d = sigTags.d;
     var s = sigTags.s;
     var alg = sigTags.a;
+    // RFC 6376 §3.5 — v= tag is REQUIRED and MUST be "1". Unrecognized
+    // version → permerror per spec; refuse rather than guess at intent.
+    if (sigTags.v !== undefined && sigTags.v !== "1") {
+      results.push({ d: d || null, s: s || null, alg: alg || null,
+        result: "permerror", errors: ["DKIM-Signature v=" + sigTags.v + " unsupported (RFC 6376 §3.5 — only v=1)"] });
+      continue;
+    }
     if (!d || !s) {
       results.push({ d: d || null, s: s || null, alg: alg || null,
         result: "permerror", errors: ["DKIM-Signature missing d= or s="] });
@@ -671,11 +692,32 @@ async function verify(rfc822, opts) {
       results.push({ d: d, s: s, alg: alg, result: verdict, errors: [e.message] });
       continue;
     }
+    if (keyTags.p === "") {
+      // RFC 6376 §3.6.1 — empty p= explicitly revokes the key. Verdict
+      // is "fail" (not "permerror") — the signature is well-formed but
+      // the key authority intentionally withdrew it.
+      results.push({ d: d, s: s, alg: alg, result: "fail",
+        errors: ["DKIM key revoked (empty p= per RFC 6376 §3.6.1)"] });
+      continue;
+    }
     if (!keyTags.p) {
       results.push({ d: d, s: s, alg: alg, result: "permerror",
         errors: ["DKIM key record missing p="] });
       continue;
     }
+    // RFC 6376 §3.6.1 — k= tag declares the key's algorithm family.
+    // Default is "rsa" when absent. If the key's k= disagrees with the
+    // signature's a= family, the operator who published the key intends
+    // a different algorithm; refuse rather than guess.
+    if (keyTags.k !== undefined) {
+      var kFamily   = String(keyTags.k).toLowerCase();
+      var sigFamily = String(alg || "").toLowerCase().split("-")[0];
+      if (kFamily !== sigFamily) {
+        results.push({ d: d, s: s, alg: alg, result: "permerror",
+          errors: ["DKIM key k=" + kFamily + " does not match signature a=" + alg + " (RFC 6376 §3.6.1)"] });
+        continue;
+      }
+    }
     var rv = _verifySingleSignature(rfc822, parsedHeaders, sigHeaders[i], keyTags, sigTags);
     results.push(Object.assign({ d: d, s: s, alg: alg }, rv));
   }

package/lib/network-smtp-policy.js

@@ -117,13 +117,51 @@ function _parseStsPolicy(text) {
   return policy;
 }
 
-async function mtaStsFetch(domain) {
+// RFC 8461 §3.1 precondition. The TXT record at _mta-sts.<domain> is
+// the rotation signal: receivers re-fetch the HTTPS policy when the
+// `id=` value changes. Without it the fetcher would re-pull the same
+// cached policy forever (defeating operator rotation), and would also
+// fetch policies from domains that don't publish one.
+async function _fetchStsTxt(domain, dnsLookup) {
+  var records;
+  try {
+    records = dnsLookup
+      ? await dnsLookup("_mta-sts." + domain, "TXT")
+      : await dnsPromises.resolveTxt("_mta-sts." + domain);
+  } catch (e) {
+    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return null;
+    throw new SmtpPolicyError("smtp/mta-sts-txt-lookup-failed",
+      "_mta-sts." + domain + " TXT lookup failed: " +
+      ((e && e.message) || String(e)));
+  }
+  if (!Array.isArray(records)) return null;
+  for (var i = 0; i < records.length; i += 1) {
+    var rec = Array.isArray(records[i]) ? records[i].join("") : records[i];
+    if (typeof rec !== "string") continue;
+    if (rec.indexOf("v=STSv1") === -1) continue;
+    var idMatch = /\bid=([A-Za-z0-9]{1,32})/.exec(rec);
+    return { record: rec, id: idMatch ? idMatch[1] : null };
+  }
+  return null;
+}
+
+async function mtaStsFetch(domain, opts) {
   if (typeof domain !== "string" || domain.length === 0) {
     throw new SmtpPolicyError("smtp/bad-domain",
       "mtaSts.fetch: domain must be a non-empty string");
   }
+  opts = opts || {};
   var lcDomain = domain.toLowerCase();
-  return await _getStsCache().wrap(lcDomain, async function () {
+  // RFC 8461 §3.1 — refuse to fetch the HTTPS policy if the
+  // _mta-sts TXT record is absent. Closes the silent-escalation
+  // class.
+  var txt = await _fetchStsTxt(lcDomain, opts.dnsLookup);
+  if (!txt) return null;
+
+  // Cache key includes the policy id so operator-side rotations (id
+  // changes) invalidate the cached policy without operator action.
+  var cacheKey = lcDomain + "|" + (txt.id || "noid");
+  return await _getStsCache().wrap(cacheKey, async function () {
     var url = "https://mta-sts." + lcDomain + "/.well-known/mta-sts.txt";
     safeUrl.parse(url, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS });
     var res;
@@ -135,8 +173,6 @@ async function mtaStsFetch(domain) {
         timeoutMs: C.TIME.seconds(10),
       });
     } catch (_e) {
-      // Domain doesn't publish MTA-STS — return null (not an error;
-      // operators decide policy via their own gate).
       return null;
     }
     if (res.statusCode === 404) return null;                                     // allow:raw-byte-literal — HTTP 404
@@ -144,7 +180,23 @@ async function mtaStsFetch(domain) {
       throw new SmtpPolicyError("smtp/mta-sts-fetch-failed",
         "MTA-STS fetch returned " + res.statusCode + " for " + url);
     }
-    return _parseStsPolicy(res.body.toString("utf8"));
+    var parsed = _parseStsPolicy(res.body.toString("utf8"));
+    parsed.id = txt.id || null;
+    parsed.fetchedAt = Date.now();
+    // RFC 8461 §3.2 — max_age caps the cache TTL. Bound between 1 hour
+    // (floor — operators using shorter values are below the spec
+    // recommended floor) and 31557600 seconds (RFC 8461 ceiling). When
+    // max_age is missing, fall back to the framework default.
+    var maxAgeSec = parsed.max_age;
+    if (typeof maxAgeSec === "number" && isFinite(maxAgeSec) && maxAgeSec > 0) {
+      var hourSec = C.TIME.hours(1) / C.TIME.seconds(1);
+      var ceilingSec = C.TIME.weeks(52) / C.TIME.seconds(1);                                   // RFC 8461 §3.2 — ~1 year ceiling
+      var clamped = Math.max(hourSec, Math.min(ceilingSec, maxAgeSec));
+      parsed._cacheTtlMs = clamped * C.TIME.seconds(1);
+    } else {
+      parsed._cacheTtlMs = DEFAULT_POLICY_CACHE_MS;
+    }
+    return parsed;
   });
 }
 
@@ -169,11 +221,12 @@ function mtaStsMatchMx(mxHost, mxList) {
 
 // ---- DANE TLSA (RFC 6698) ----
 
-async function daneTlsa(domain, port) {
+async function daneTlsa(domain, port, opts) {
   if (typeof domain !== "string" || domain.length === 0) {
     throw new SmtpPolicyError("smtp/bad-domain",
       "dane.tlsa: domain must be a non-empty string");
   }
+  opts = opts || {};
   var p = typeof port === "number" ? port : 25;                                  // allow:raw-byte-literal — IANA SMTP port
   var qname = "_" + p + "._tcp." + domain.toLowerCase();
   // node:dns has resolveTlsa() since Node 18.16.0.
@@ -188,6 +241,20 @@ async function daneTlsa(domain, port) {
     throw new SmtpPolicyError("smtp/dane-lookup-failed",
       "TLSA lookup for " + qname + " failed: " + ((e && e.message) || String(e)));
   }
+  // RFC 7672 §1.3 — TLSA records that are NOT DNSSEC-validated MUST
+  // NOT be used. node:dns.resolveTlsa does not surface the AD bit
+  // through its high-level API, so the framework requires the caller
+  // to assert via opts.dnssecValidated when running on a non-DNSSEC-
+  // aware resolver. The default REFUSES to use the records — operators
+  // MUST opt in explicitly. Pre-v0.8.17 this was silently used.
+  // Operators with a DNSSEC-validating resolver (Unbound, dnsmasq with
+  // DNSSEC, etc.) pass `dnssecValidated: true`; those without should
+  // not use DANE at all (RFC 7672 §1.3 explicit).
+  if (opts.dnssecValidated !== true) {
+    throw new SmtpPolicyError("smtp/dane-no-dnssec",
+      "dane.tlsa: TLSA records must be DNSSEC-validated before use (RFC 7672 §1.3); " +
+      "pass opts.dnssecValidated: true to acknowledge the resolver's DNSSEC posture");
+  }
   // Normalize node's response shape to { usage, selector, mtype, dataHex }.
   return (records || []).map(function (r) {
     return {
@@ -233,6 +300,60 @@ function daneRecordShape(rec) {
 // SMTP DANE surface (operators relying on PKIX modes pair this with
 // b.network.tls's CA store + Node's TLSSocket validation).
 
+// Extract the issuer Name DER (raw SEQUENCE bytes) from a cert.
+// Used for DANE-TA chain-order verification: the matched DANE-TA cert's
+// subject must equal the next-down cert's issuer.
+function _extractIssuerDer(certDer) {
+  var top;
+  try { top = asn1.readNode(certDer); }
+  catch (_e) { return null; }
+  if (top.tag !== asn1.TAG.SEQUENCE) return null;
+  var children;
+  try { children = asn1.readSequence(top.value); }
+  catch (_e) { return null; }
+  if (children.length === 0) return null;
+  var tbs = children[0];
+  var tbsKids;
+  try { tbsKids = asn1.readSequence(tbs.value); }
+  catch (_e) { return null; }
+  var idx = 0;
+  if (tbsKids.length > 0 &&
+      tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
+      tbsKids[0].tag === 0) {                                                    // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
+    idx = 1;
+  }
+  // TBSCertificate fields: serial, signature, issuer, validity, subject, ...
+  // Issuer = idx + 2.
+  var issuerIdx = idx + 2;
+  if (issuerIdx >= tbsKids.length) return null;
+  return tbsKids[issuerIdx].raw;
+}
+
+function _extractSubjectDer(certDer) {
+  var top;
+  try { top = asn1.readNode(certDer); }
+  catch (_e) { return null; }
+  if (top.tag !== asn1.TAG.SEQUENCE) return null;
+  var children;
+  try { children = asn1.readSequence(top.value); }
+  catch (_e) { return null; }
+  if (children.length === 0) return null;
+  var tbs = children[0];
+  var tbsKids;
+  try { tbsKids = asn1.readSequence(tbs.value); }
+  catch (_e) { return null; }
+  var idx = 0;
+  if (tbsKids.length > 0 &&
+      tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
+      tbsKids[0].tag === 0) {                                                    // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
+    idx = 1;
+  }
+  // Subject = idx + 4 (after serial / signature / issuer / validity).
+  var subjectIdx = idx + 4;
+  if (subjectIdx >= tbsKids.length) return null;
+  return tbsKids[subjectIdx].raw;
+}
+
 function _extractSubjectPublicKeyInfo(certDer) {
   // SPKI (selector=1) is the SubjectPublicKeyInfo SEQUENCE inside
   // tbsCertificate. Tolerant of malformed input — returns null when
@@ -324,10 +445,36 @@ function daneVerifyChain(certChain, tlsaRecords, opts) {
   for (var t = 0; t < tlsaRecords.length; t += 1) {
     var rec = tlsaRecords[t];
     var usage = rec.usage;
-    if (usage === 2) {                                                           // DANE-TA — match against any non-leaf cert (TA in chain)
+    if (usage === 2) {                                                           // allow:raw-byte-literal — TLSA cert-usage code (RFC 6698 §2.1.1) — DANE-TA: match against trust anchor IN the chain (RFC 7672 §3.1.1).
+      // The framework now enforces chain order: the matched DANE-TA
+      // cert at position i must have its Subject equal to the Issuer
+      // of cert at position i-1 (i.e. it must actually be the parent
+      // in the chain, not a random non-leaf cert that happens to
+      // hash-match the TLSA record).
       for (var i = 1; i < certChain.length; i += 1) {
         var rv = _matchTlsaAgainstCert(rec, certChain[i]);
-        if (rv) { matches.push({ tlsaIndex: t, certIndex: i, usage: "DANE-TA", mtype: rv.mtype }); break; }
+        if (!rv) continue;
+        var taSubject = _extractSubjectDer(certChain[i]);
+        var childIssuer = _extractIssuerDer(certChain[i - 1]);
+        if (!taSubject || !childIssuer) {
+          // ASN.1 extraction failed (non-DER buffer or malformed).
+          // Accept the match but flag it — real-world peerCertificate
+          // chains are always DER, so this branch is reached only for
+          // synthetic / test-fixture inputs.
+          matches.push({ tlsaIndex: t, certIndex: i, usage: "DANE-TA",
+            mtype: rv.mtype, chainOrderUnverified: true });
+          break;
+        }
+        if (taSubject.equals(childIssuer)) {
+          matches.push({ tlsaIndex: t, certIndex: i, usage: "DANE-TA", mtype: rv.mtype });
+          break;
+        }
+        // Match found at this index but the chain isn't ordered — keep
+        // looking up the chain in case a later cert is the genuine
+        // trust anchor and the matching cert was a misconfiguration.
+        errors.push({ tlsaIndex: t, certIndex: i,
+          reason: "dane-ta-chain-order-mismatch",
+          note: "TLSA record matched cert[" + i + "] but its Subject does not equal the Issuer of cert[" + (i - 1) + "] (RFC 7672 §3.1.1 chain-order check)" });
       }
     } else if (usage === 3) {                                                    // DANE-EE — match against the leaf cert only
       var rvEe = _matchTlsaAgainstCert(rec, certChain[0]);
@@ -460,6 +607,11 @@ async function tlsRptFetchPolicy(domain, opts) {
       }
     }
   }
+  // RFC 8460 §3 — `rua=` is REQUIRED. A v=TLSRPTv1 record without `rua=`
+  // is malformed and MUST be ignored. Pre-v0.8.17 the framework
+  // returned `{ rua: [] }` which operators (incorrectly) treated as a
+  // valid record with no destinations.
+  if (rua.length === 0) return null;
   return { version: "TLSRPTv1", rua: rua };
 }
 

package/lib/network-tls.js

@@ -882,6 +882,39 @@ function evaluateOcspResponse(ocspDer, opts) {
   } else if (parsed.basic.nonce) {
     nonceCheck = "present-not-checked";
   }
+  // RFC 6960 §4.2.2.1 — time-window enforcement. A "good" response is
+  // valid only between thisUpdate and nextUpdate (with operator-tunable
+  // skew). Without this check a stapled response is replayable forever:
+  // an attacker captures a pre-revocation "good" reply, the cert later
+  // gets revoked, the attacker keeps presenting the cached "good" and
+  // the framework keeps accepting it. requireGood postures depend on
+  // freshness — reject expired or future-dated responses outright.
+  var clockSkewMs = typeof opts.clockSkewMs === "number" && opts.clockSkewMs >= 0           // allow:numeric-opt-Infinity — operator-supplied skew, default 5 min if absent or invalid
+    ? opts.clockSkewMs : C.TIME.minutes(5);
+  var now = typeof opts.now === "number" ? opts.now : Date.now();
+  var thisUpdateMs = match.thisUpdate ? Date.parse(match.thisUpdate) : NaN;
+  var nextUpdateMs = match.nextUpdate ? Date.parse(match.nextUpdate) : NaN;
+  if (!isFinite(thisUpdateMs)) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP response missing thisUpdate (RFC 6960 §4.2.2.1)"] };
+  }
+  if (thisUpdateMs - clockSkewMs > now) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP thisUpdate is in the future (RFC 6960 §4.2.2.1 — possible clock skew or response replay)"] };
+  }
+  if (isFinite(nextUpdateMs) && nextUpdateMs + clockSkewMs < now) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP response is past nextUpdate (RFC 6960 §4.2.2.1 — stale response, possible replay)"] };
+  }
   return {
     ok:             match.certStatus === "good",
     status:         parsed.status,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.15",
+  "version": "0.8.17",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:4f393a0e-4209-4c8e-8e7b-be64de2e522f",
+  "serialNumber": "urn:uuid:d988e730-a00b-4cd0-990a-763f21f74dd3",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T07:06:37.437Z",
+    "timestamp": "2026-05-07T07:32:59.512Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.15",
+      "bom-ref": "@blamejs/core@0.8.17",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.15",
+      "version": "0.8.17",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.15",
+      "purl": "pkg:npm/%40blamejs/core@0.8.17",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.15",
+      "ref": "@blamejs/core@0.8.17",
       "dependsOn": []
     }
   ]