@blamejs/core 0.8.16 → 0.8.18

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.18** (2026-05-08) — Database query-builder hardening on `b.db.from(...).where|whereRaw` and `b.safeSql`. **`Query.where(field, "LIKE", value)`** — now escapes SQL `%` and `_` wildcard metacharacters in operator-supplied values and emits `LIKE ? ESCAPE '\\'`. Closes the column-disclosure class where `q=%@%` enumerated the entire table. Operators who deliberately want LIKE wildcards bypass via `whereRaw()`. **`Query.where(field, "IN", [...])`** — now expands an array to `IN (?, ?, ?)` and binds each value separately. Pre-v0.8.18 the array bound to a single placeholder and silently matched zero rows (node:sqlite `?` doesn't support array-binding). Refuses non-array / empty-array inputs. **`Query.whereRaw(sql, params)`** — placeholder-counting now skips `?` characters inside SQL string literals (single + double quoted, including `''`-doubled escapes), line comments (`-- ...`), and block comments (`/* ... */`). Pre-v0.8.18 the naive regex counted literal-`?` and either threw on count mismatch OR let through fragments with masked missing real placeholders. **`b.safeSql.BANNED_IDENTIFIERS`** — extended to refuse `pragma` / `attach` / `detach` / `analyze` / `vacuum` / `reindex` as bare identifiers. Closes the SQLite-specific escape-the-parameterized-model surface (PRAGMAs disable security-relevant protections; ATTACH mounts external databases). **`b.db.declareTable`** — refuses any app schema name that begins with the framework's `_blamejs_` prefix (was an exact-match Set; an app schema entry like `_blamejs_audit_log_archive` slipped past the gate and could shadow / look-alike framework tables).
+
+- **0.8.17** (2026-05-08) — Email auth + DANE / TLS-RPT spec-conformance fixes (ARC / DMARC / SPF / A-R / DANE / TLS-RPT). Ten more RFC-cited gaps closed. **ARC (`b.mail.arc`)** — signer's AMS canonicalization now includes the current hop's `ARC-Authentication-Results` per RFC 8617 §5.1.1 (auto-prepends to `h=` unless operator passes `excludeAarFromAms: true`). Microsoft + Google receivers DO include AAR in `h=`; the prior framework default produced chains those receivers couldn't verify. Verifier counterpart: when reconstructing the AMS canonical input, only the CURRENT hop's AAR is kept (prior-hop AARs stripped). Verifier now enforces `t=` (signing time) + `x=` (expiration) time windows per RFC 8617 §5.2 with operator-tunable `clockSkewMs` (default 5 min) — pre-v0.8.17 the verifier parsed but never enforced. **DMARC (`b.mail.dmarc`)** — multiple `v=DMARC1` records on a domain now treated as having no DMARC record per RFC 7489 §6.6.3 (`_fetchDmarcRecord` returns null on multi-match). Subdomain `sp=` fallback wired: when `_dmarc.<from-domain>` returns no record, the verifier walks one label up to the (heuristic) organizational domain and applies its `sp=` (subdomain policy) — falls back to `p=` when `sp=` absent. Result includes `policyOriginDomain` + `orgDomainPolicyApplied: true` so operators can audit which record drove the verdict. (Heuristic only — operators with PSL needs supply their own `dnsLookup` for full Public Suffix List walk.) **SPF (`b.mail.spf`)** — initial query for the sender's SPF record no longer counts toward the 10-lookup limit per RFC 7208 §4.6.4. Pre-v0.8.17 was off-by-one — senders at the spec ceiling got false `permerror`. **A-R (`b.mail.authResults`)** — result vocabulary is now METHOD-SPECIFIC per RFC 8601 §2.7 (per-method `AR_RESULTS_BY_METHOD` map). The flat `AR_VALID_RESULTS` table previously accepted `hardfail` for DKIM (only valid for DMARC §2.7.4) and accepted `temperror` / `permerror` for methods that don't recognize them. **DANE (`b.network.smtp.dane`)** — `daneTlsa()` now REFUSES to return records unless the caller passes `opts.dnssecValidated: true` per RFC 7672 §1.3 (TLSA records that are not DNSSEC-validated MUST NOT be used). Pre-v0.8.17 silently used un-validated records — silent escalation class. `daneVerifyChain` enforces RFC 6698 §2.1.4 + RFC 7672 §3.1.1 chain-order: a DANE-TA match at chain position `i` is accepted only when its DER Subject equals the DER Issuer of cert at position `i-1` (i.e. it's actually the parent in the chain, not a random non-leaf cert that happens to hash-match). Chain-order is best-effort — synthetic test fixtures without ASN.1-parseable DER fall through with `chainOrderUnverified: true` flagged on the match. **TLS-RPT (`b.network.smtp.tlsRpt.fetchPolicy`)** — record without `rua=` now returns `null` (record ignored) per RFC 8460 §3. Pre-v0.8.17 returned `{ version: "TLSRPTv1", rua: [] }` which operators incorrectly treated as a valid record with no destinations. Bug fix only — no new operator-facing primitives.
+
 - **0.8.16** (2026-05-08) — Email auth + transport spec-conformance fixes (DKIM / SPF / MTA-STS / OCSP). Ten RFC-cited gaps closed against shipped primitives. **DKIM (`b.mail.dkim`)** — verifier now refuses any signature whose `h=` tag does not include `from` (RFC 6376 §3.5 cornerstone bypass — without From-coverage the signature does not bind to the visible sender; receivers were treating these as valid); refuses unrecognized `v=` tag values per RFC 6376 §3.5 (only `v=1` accepted); enforces empty `p=` as explicit key revocation per RFC 6376 §3.6.1 (verdict `fail`, not `permerror` — well-formed signature against a withdrawn key); enforces `k=` algorithm-family tag agreement with the signature's `a=` family (e.g. `k=rsa` paired with `a=ed25519-sha256` permerrors per RFC 6376 §3.6.1); selector validator now accepts multi-label selectors per RFC 6376 §3.1 ABNF (`sub-domain *("." sub-domain)` — common for time-rotated keys like `2024.s1`). **SPF (`b.mail.spf`)** — refuses domains that publish multiple `v=spf1` TXT records with `permerror` per RFC 7208 §4.5 (most operators don't realize multi-record SPF was always invalid; this surfaces the misconfig instead of silently picking the first); `include:` mechanism now permerrors when the included domain has no SPF record per RFC 7208 §5.2 (closes the silent-authorization class where `include:gone-domain.example` followed by `+all` would silently allow). **MTA-STS (`b.smtpPolicy.mtaSts.fetch`)** — now requires the `_mta-sts.<domain>` TXT precondition record per RFC 8461 §3.1 before fetching the HTTPS policy (closes the silent-escalation class where the framework would fetch policies for domains that never opted in, AND defeats operator-side rotation when the `id=` in the TXT changes); cache TTL is now bounded by the policy's `max_age` value per RFC 8461 §3.2 (clamped between 1 hour floor and 1 year ceiling) instead of the framework's hardcoded 60-min default. **OCSP (`b.network.tls.ocsp.evaluate`)** — `evaluateOcspResponse` now enforces the `thisUpdate` / `nextUpdate` time window per RFC 6960 §4.2.2.1, rejecting responses whose validity window has expired or hasn't started yet (with operator-tunable `clockSkewMs`, default 5 min). Pre-v0.8.16 a captured "good" response could replay forever even after the cert was revoked; this defeats `requireGood` posture. Bug fix only — no new operator-facing primitives, no surface change beyond the additional refusals.
 
 - **0.8.15** (2026-05-08) — Transport-layer CVE absorption + AI-protocol primitives. **`b.sse`** — Server-Sent Events transport with newline-injection refusal in `event:` / `id:` / `data:` fields and the `Last-Event-ID` reconnect header (CVE-2026-33128 h3, CVE-2026-29085 Hono, CVE-2026-44217 sse-channel — three CVEs published in the same vulnerability class). Channel API: `channel.send({event,id,data,retry})` validates each field, refuses LF/CR/NUL, splits multi-line `data` into per-spec multiple `data:` lines, drives a `:keepalive` heartbeat with operator-tunable interval. `b.sse.serializeEvent({...})` exposes the encoder for buffered pipelines. **`b.mcp.serverGuard`** — Model Context Protocol server-side hardening. Bearer auth required by default (CVE-2026-33032 nginx-ui auth-bypass class), `redirect_uri` exact-match allowlist enforced per OAuth 2.1 / RFC 9700 §4.1.1 (CVE-2025-6514 mcp-remote OAuth RCE class), dynamic client-registration refused unless `allowDynamicRegister: true` with operator-supplied registration allowlist (confused-deputy class), tool/resource name allowlists at the guard layer. JSON-RPC 2.0 envelope validator. **`b.graphqlFederation.guardSdl`** — refuses `_service.sdl` / `_entities` probes without a router-token Bearer + optional single-use nonce; closes the schema-leak class where operators disable introspection thinking the schema is hidden. **`b.ai.input.classify`** — pattern-based prompt-injection classifier covering OWASP LLM01:2025 + NIST COSAIS RFI shapes: instruction-override / persona-jailbreak / role-reset markers / OpenAI system-tag templates / tool-call injection / exfil-callback / encoded-bypass (base64/rot13) / markdown+HTML smuggling / BIDI/zero-width/control char density. Severity-3 hits → `verdict: "malicious"`; 2+ severity-2 hits → `"suspicious"`; otherwise `"clean"`. Inline-on-every-request perf cost — no LLM, no network. **`b.a2a`** — A2A (Linux Foundation Agentic AI Foundation) v1.x signed agent-card primitive. `signCard` produces an envelope with a detached ML-DSA-87 signature over the SHA3-512 of the canonical-JSON serialization (RFC 8785-aligned); `verifyCard` validates signature + expiry + issuer match. Endpoints HTTPS-only (or localhost) at validation time. **`b.darkPatterns`** — FTC Negative Option Rule click-to-cancel UX-parity attestation primitive. `recordSignupFlow` / `recordCancelFlow` capture operator-attested click counts, CTA contrast / font weight, channel, confirmation steps; `assertParity` returns `{ ok, breaches }` against `ftc-2024` / `ca-sb942` / `strict` postures. `middleware({lookupAttestation, resourceIdFromReq})` refuses cancel-endpoint requests with HTTP 451 if no parity attestation is on file. **WebSocket control-frame size cap** — `lib/websocket.js` `_handleFrame` refuses any control frame (opcodes ≥ 0x8: CLOSE/PING/PONG) with payload length > 125 or `fin = false` (RFC 6455 §5.5). Closes the 2× outbound-bandwidth amplification class where a 1 MiB PING was echoed verbatim as PONG. **`b.requestHelpers.safeHeadersDistinct(req)`** — defensive accessor for `req.headersDistinct` that bypasses Node's faulty getter (Node CVE-2026-21710 — reading `__proto__` on the underlying header bag throws synchronously inside the getter, escaping handler-level try/catch). Computes the same null-prototype shape directly from `req.rawHeaders`. **TLS / SNI hardening** — `router.listen()` now wraps any operator-supplied `tlsOptions.SNICallback` so synchronous throws (Node CVE-2026-21637) become a clean async `(err, null)` callback rather than crashing the listener. Inbound TLS now defaults to `minVersion: "TLSv1.3"` when the operator's `tlsOptions` doesn't pin one (closes the gap where bare `{key, cert}` inherited Node's TLSv1.2 default). **httpClient identity decoding** — `b.httpClient` now sends `Accept-Encoding: identity` by default (h1 + h2 paths) — refuses compressed responses unless the operator explicitly opts in. Closes the undici unbounded-decompression amplification class (CVE-2026-22036). Operators that need compressed responses pass an explicit `Accept-Encoding` header. **Engine pin** — `engines.node` raised from `>=24.0.0` to `>=24.4.0` to ensure the undici fix is bundled.

package/lib/db-query.js

@@ -117,6 +117,33 @@ class Query {
       value = lookup.value;
     }
     cryptoField && _validateField(field);
+    if (op === "IN") {
+      // node:sqlite ? does not support array-binding. Pre-v0.8.18
+      // `where(field, "IN", [1,2,3])` silently bound the entire
+      // array to a single placeholder and matched zero rows.
+      // Expand to (?, ?, ?) and push each value separately.
+      if (!Array.isArray(value) || value.length === 0) {
+        throw new Error("where IN requires a non-empty array of values");
+      }
+      var placeholders = value.map(function () { return "?"; }).join(", ");
+      this._where.push('"' + field + '" IN (' + placeholders + ")");
+      for (var i = 0; i < value.length; i += 1) this._whereParams.push(value[i]);
+      return this;
+    }
+    if (op === "LIKE" && typeof value === "string") {
+      // Escape SQL LIKE metacharacters %  and _ in operator-supplied
+      // input. Without this, a single `%` in untrusted input becomes
+      // a wildcard that matches everything — a column-disclosure
+      // class (`q=%@%` enumerates entire table). Use a backslash as
+      // the escape character (uniform across SQLite + Postgres) and
+      // emit the corresponding ESCAPE clause so the engine treats it
+      // as the escape token. Operators who deliberately want LIKE
+      // wildcards in their value bypass via whereRaw().
+      var escaped = value.replace(/[\\%_]/g, "\\$&");
+      this._where.push('"' + field + '" LIKE ? ESCAPE ' + "'\\\\'");
+      this._whereParams.push(escaped);
+      return this;
+    }
     this._where.push('"' + field + '" ' + op + " ?");
     this._whereParams.push(value);
     return this;
@@ -152,7 +179,14 @@ class Query {
       throw new Error("whereRaw: sql must be a non-empty string");
     }
     var p = Array.isArray(params) ? params : (params == null ? [] : [params]);
-    var holders = (sql.match(/\?/g) || []).length;
+    // Count `?` placeholders, but skip occurrences inside string
+    // literals ('...'  or "..."), line comments (-- to EOL), and
+    // block comments (/* ... */). Pre-v0.8.18 the naive regex
+    // counted `?` inside literals (e.g. `WHERE name = 'a?b' AND id
+    // = ?`) which caused mismatched-count errors OR — worse — let
+    // through fragments where the literal-`?` placebo masked a
+    // missed real placeholder.
+    var holders = _countPlaceholders(sql);
     if (holders !== p.length) {
       throw new Error("whereRaw: " + holders + " placeholder(s) in sql but " +
         p.length + " param(s) supplied");
@@ -392,6 +426,46 @@ class Query {
   }
 }
 
+// Count `?` placeholders outside string literals + comments.
+// Tracks SQL single-quoted, double-quoted, line-comment, and block-
+// comment state to avoid counting `?` characters that are part of
+// literal text the SQL engine never interprets as a binding marker.
+function _countPlaceholders(sql) {
+  var count = 0;
+  var i = 0;
+  var len = sql.length;
+  while (i < len) {
+    var ch = sql.charAt(i);
+    var next = i + 1 < len ? sql.charAt(i + 1) : "";
+    if (ch === "'" || ch === '"') {
+      var quote = ch;
+      i += 1;
+      while (i < len) {
+        if (sql.charAt(i) === quote) {
+          // SQL doubles the quote char to escape it within a literal.
+          if (sql.charAt(i + 1) === quote) { i += 2; continue; }
+          i += 1; break;
+        }
+        i += 1;
+      }
+      continue;
+    }
+    if (ch === "-" && next === "-") {
+      while (i < len && sql.charAt(i) !== "\n") i += 1;
+      continue;
+    }
+    if (ch === "/" && next === "*") {
+      i += 2;
+      while (i < len && !(sql.charAt(i) === "*" && sql.charAt(i + 1) === "/")) i += 1;
+      i += 2;
+      continue;
+    }
+    if (ch === "?") count += 1;
+    i += 1;
+  }
+  return count;
+}
+
 function _validateField(field) {
   if (typeof field !== "string" ||
       field.length === 0 ||

package/lib/db.js

@@ -744,13 +744,20 @@ async function init(opts) {
     }
   }
 
-  // Refuse app schema entries that collide with framework-reserved names
+  // Refuse app schema entries that collide with framework-reserved names.
+  // Pre-v0.8.18 this was an exact-match Set; an app could ship
+  // `_blamejs_audit_log_archive` (or similar prefix-collision) and the
+  // framework would silently provision it next to the reserved
+  // namespace, allowing a row-by-row look-alike attack against audit
+  // archive tooling.
   for (var ri = 0; ri < opts.schema.length; ri++) {
-    if (RESERVED_TABLE_NAMES.has(opts.schema[ri].name)) {
+    var appName = opts.schema[ri].name;
+    if (RESERVED_TABLE_NAMES.has(appName) ||
+        (typeof appName === "string" && appName.indexOf("_blamejs_") === 0)) {
       throw new DbError("db/reserved-table-name",
-        "table name '" + opts.schema[ri].name + "' is reserved by the framework. " +
+        "table name '" + appName + "' is reserved by the framework. " +
         "Pick a different name (the framework provisions audit_log, consent_log, " +
-        "and _blamejs_* tables automatically).");
+        "and any '_blamejs_*'-prefixed tables automatically).");
     }
   }
 

package/lib/mail-arc-sign.js

@@ -202,6 +202,20 @@ function sign(opts) {
     throw new MailAuthError("arc-sign/bad-headers",
       "sign: headersToSign must be a non-empty array of header names");
   }
+  // RFC 8617 §5.1.1 + Microsoft + Google receiver interop — the
+  // current hop's ARC-Authentication-Results MUST appear in the AMS
+  // h= list. Pre-v0.8.17 the framework default omitted it; receivers
+  // that include AAR in their canonicalization (M365, Gmail) failed
+  // to verify framework-signed chains. Auto-prepend if absent.
+  // Operators that explicitly want to opt out (deprecated, do not)
+  // pass `excludeAarFromAms: true`.
+  var hasAar = headersToSign.some(function (n) {
+    return String(n).toLowerCase() === "arc-authentication-results";
+  });
+  if (!hasAar && opts.excludeAarFromAms !== true) {
+    headersToSign = headersToSign.slice();
+    headersToSign.unshift("ARC-Authentication-Results");
+  }
   for (var hi = 0; hi < headersToSign.length; hi += 1) {
     if (typeof headersToSign[hi] !== "string" || headersToSign[hi].length === 0) {
       throw new MailAuthError("arc-sign/bad-headers",
@@ -263,8 +277,17 @@ function sign(opts) {
   amsTags.push("b=");
   var amsUnsigned = amsTags.join("; ");
 
+  // RFC 8617 §5.1.1 — the current hop's ARC-Authentication-Results
+  // is part of the AMS canonicalization input when h= covers it.
+  // Synthesize a virtual entry at the top of parsedHeaders so the
+  // header-name lookup below sees it; the canonicalizer reads
+  // parsedHeaders[idx] like any other header.
+  var amsParsedHeaders = [{
+    name:  "ARC-Authentication-Results",
+    value: " " + aarValue,
+  }].concat(parsedHeaders);
   var canonHeaders = "";
-  var headerNamesLc = parsedHeaders.map(function (h) { return h.name.toLowerCase(); });
+  var headerNamesLc = amsParsedHeaders.map(function (h) { return h.name.toLowerCase(); });
   for (var j = 0; j < headersToSign.length; j += 1) {
     var wantLc = headersToSign[j].toLowerCase();
     var idx = -1;
@@ -272,14 +295,12 @@ function sign(opts) {
       if (headerNamesLc[k] === wantLc) idx = k;
     }
     if (idx === -1) continue;
-    var h = parsedHeaders[idx];
+    var h = amsParsedHeaders[idx];
     canonHeaders += _canonRelaxedHeader(h.name, h.value);
   }
-  // Per RFC 8617 §5.1 — include the AAR for the current hop in the
-  // AMS canonicalization stream when h= covers it. Per AMS spec, h=
-  // typically does NOT include the AAR (it's a *prior* hop's
-  // attestation), so the canonical input is (h-listed headers) +
-  // (AMS with empty b=).
+  // RFC 8617 §5.1 — current-hop AAR is included via h= (prepended
+  // above); canonical input is (h-listed headers) + (AMS with empty
+  // b=).
   var amsCanonInput = canonHeaders +
     _canonRelaxedHeader("ARC-Message-Signature", amsUnsigned).replace(/\r\n$/, "");
 

package/lib/mail-auth.js

@@ -161,8 +161,14 @@ async function spfVerify(opts) {
   }
 
   var lookups = { count: 0, limit: SPF_DNS_LOOKUP_LIMIT };
+  // RFC 7208 §4.6.4 — the initial query for the sender domain's SPF
+  // record itself does NOT count toward the 10-lookup limit. Only
+  // include / a / mx / ptr / exists / redirect mechanisms count.
+  // Pre-v0.8.17 this was off-by-one — senders at the spec ceiling
+  // got false permerror.
   var result = await _spfEvaluateDomain(domain.toLowerCase(), opts.ip,
-                                          opts.dnsLookup, lookups);
+                                          opts.dnsLookup, lookups,
+                                          { isInitial: true });
   return {
     result: result.verdict,                                                      // pass | fail | softfail | neutral | none | temperror | permerror
     domain: domain,
@@ -171,11 +177,14 @@ async function spfVerify(opts) {
   };
 }
 
-async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups) {
+async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups, ctx) {
+  ctx = ctx || {};
   if (lookups.count > lookups.limit) {
     return { verdict: "permerror", explanation: "DNS lookup limit exceeded (RFC 7208 §4.6.4)" };
   }
-  lookups.count += 1;
+  // Initial query for the sender's SPF record doesn't count (RFC 7208
+  // §4.6.4); only include / a / mx / ptr / exists / redirect do.
+  if (!ctx.isInitial) lookups.count += 1;
 
   var fetched;
   try { fetched = await _fetchSpfRecord(domain, dnsLookup); }
@@ -265,11 +274,16 @@ async function _fetchDmarcRecord(domain, dnsLookup) {
       ((e && e.message) || String(e)));
   }
   if (!Array.isArray(records)) return null;
+  var matches = [];
   for (var i = 0; i < records.length; i += 1) {
     var rec = Array.isArray(records[i]) ? records[i].join("") : records[i];
-    if (typeof rec === "string" && rec.indexOf("v=DMARC1") === 0) return rec;
+    if (typeof rec === "string" && rec.indexOf("v=DMARC1") === 0) matches.push(rec);
   }
-  return null;
+  if (matches.length === 0) return null;
+  // RFC 7489 §6.6.3 — when multiple v=DMARC1 records are published,
+  // the receiver MUST treat the domain as having no DMARC record.
+  if (matches.length > 1) return null;
+  return matches[0];
 }
 
 function _parseDmarcRecord(text) {
@@ -323,10 +337,40 @@ async function dmarcEvaluate(opts) {
       "dmarc.evaluate: opts.from is missing the @domain part");
   }
 
-  var policy;
-  try { var rec = await _fetchDmarcRecord(fromDomain, opts.dnsLookup);
-        policy = rec ? _parseDmarcRecord(rec) : null; }
-  catch (e) {
+  var policy = null;
+  var policyOriginDomain = null;
+  var orgDomainPolicyApplied = false;
+  try {
+    var rec = await _fetchDmarcRecord(fromDomain, opts.dnsLookup);
+    if (rec) {
+      policy = _parseDmarcRecord(rec);
+      policyOriginDomain = fromDomain;
+    } else {
+      // RFC 7489 §6.6.3 — when no DMARC record exists at the From
+      // domain, the receiver MUST walk to the organizational domain
+      // and query for a record there, then apply that record's `sp=`
+      // subdomain policy (or fall back to `p=`). Without a PSL we
+      // approximate the org domain by dropping one label at a time —
+      // covers the common one-level-subdomain case (mail.example.com
+      // → example.com) but not multi-label public suffixes (.co.uk).
+      // Operators with PSL-aware needs override `dnsLookup` and
+      // implement the full lookup themselves.
+      var labels = fromDomain.split(".");
+      if (labels.length >= 3) {
+        var parent = labels.slice(1).join(".");
+        var parentRec = await _fetchDmarcRecord(parent, opts.dnsLookup);
+        if (parentRec) {
+          var parentPolicy = _parseDmarcRecord(parentRec);
+          // Apply sp= if set, else fall back to p=. The result is the
+          // policy the receiver applies to mail from this subdomain.
+          parentPolicy.p = parentPolicy.sp || parentPolicy.p;
+          policy = parentPolicy;
+          policyOriginDomain = parent;
+          orgDomainPolicyApplied = true;
+        }
+      }
+    }
+  } catch (e) {
     return { result: "temperror", explanation: e.message,
              policy: null, alignment: { spf: false, dkim: false } };
   }
@@ -359,6 +403,8 @@ async function dmarcEvaluate(opts) {
   return {
     result:     pass ? "pass" : "fail",
     policy:     policy,
+    policyOriginDomain:    policyOriginDomain,
+    orgDomainPolicyApplied: orgDomainPolicyApplied,
     alignment:  { spf: spfAligned, dkim: dkimAligned },
     recommendedAction: recommendedAction,
     explanation: pass
@@ -502,19 +548,45 @@ async function arcVerify(rfc822, opts) {
   // 3. Per-hop AMS + AS verification.
   var perHop = [];
   var anyFail = false;
+  // RFC 8617 §5.2 — operator-tunable clock skew on t= (signing
+  // timestamp) and x= (expiration) tags. Default 5 min.
+  var arcClockSkewMs = typeof opts.clockSkewMs === "number" && opts.clockSkewMs >= 0           // allow:numeric-opt-Infinity — operator-supplied skew, default 5 min
+    ? opts.clockSkewMs : C.TIME.minutes(5);
+  var nowSec = Math.floor(Date.now() / 1000);                                                  // allow:raw-byte-literal — Unix epoch seconds divisor
 
   for (var hopIdx = 0; hopIdx < hops.length; hopIdx += 1) {
     var hop = hops[hopIdx];
 
+    // RFC 8617 §5.2 — verifier MUST reject AMS or AS with t= timestamp
+    // in the future or x= expiration in the past (with operator skew
+    // tolerance). Pre-v0.8.17 the verifier parsed t= but never
+    // enforced it.
+    var amsTags = _parseArcTagList(hop["arc-message-signature"]);
+    var asTags  = _parseArcTagList(hop["arc-seal"]);
+    var amsT = amsTags.t ? parseInt(amsTags.t, 10) : null;
+    var amsX = amsTags.x ? parseInt(amsTags.x, 10) : null;
+    var asT  = asTags.t  ? parseInt(asTags.t, 10)  : null;
+    var asX  = asTags.x  ? parseInt(asTags.x, 10)  : null;
+    var skewSec = Math.floor(arcClockSkewMs / 1000);                                          // allow:raw-byte-literal — sec divisor
+    var timeFault = null;
+    if (amsT && isFinite(amsT) && amsT - skewSec > nowSec) timeFault = "ams-t-future";
+    if (amsX && isFinite(amsX) && amsX + skewSec < nowSec) timeFault = "ams-x-expired";
+    if (asT  && isFinite(asT)  && asT  - skewSec > nowSec) timeFault = "as-t-future";
+    if (asX  && isFinite(asX)  && asX  + skewSec < nowSec) timeFault = "as-x-expired";
+
     // AMS — RFC 8617 §5.1.1. Same shape as a DKIM-Signature; reuses
     // the DKIM verifier by injecting a temporary message that has
     // the AMS as the signing header.
-    var amsResult = await _verifyArc(rfc822, hop, hops, "ams", opts.dnsLookup, dkim);
+    var amsResult = timeFault
+      ? { result: "fail", errors: ["ams: " + timeFault + " (RFC 8617 §5.2)"] }
+      : await _verifyArc(rfc822, hop, hops, "ams", opts.dnsLookup, dkim);
 
     // AS — RFC 8617 §5.1.2. Signs the catenation of all prior
     // ARC-{AAR,AMS,AS} headers plus current AAR + AMS, then the AS
     // itself with empty b=.
-    var asResult = await _verifyArc(rfc822, hop, hops, "as", opts.dnsLookup, dkim);
+    var asResult = timeFault
+      ? { result: "fail", errors: ["as: " + timeFault + " (RFC 8617 §5.2)"] }
+      : await _verifyArc(rfc822, hop, hops, "as", opts.dnsLookup, dkim);
 
     perHop.push({
       instance:                 hop.instance,
@@ -683,11 +755,17 @@ async function _verifyAmsViaDkim(rfc822, hop, sigValue, tags, dkim, dnsLookup) {
     var name = line.slice(0, colonAt).trim().toLowerCase();
     if (name === "arc-message-signature" ||
         name === "arc-seal" ||
-        name === "arc-authentication-results" ||
         name === "dkim-signature") {
-      // Drop pre-existing ARC + DKIM headers from the synthetic.
       continue;
     }
+    if (name === "arc-authentication-results") {
+      // RFC 8617 §5.1.1 — keep only the CURRENT hop's AAR (signer
+      // canonicalizes it via h=). Pre-v0.8.17 stripped every AAR
+      // unconditionally, breaking verification on chains that
+      // included AAR in h= (Microsoft + Google interop).
+      var instMatch = /\bi\s*=\s*(\d+)/.exec(line.slice(colonAt + 1));
+      if (!instMatch || parseInt(instMatch[1], 10) !== hop.instance) continue;
+    }
     rebuilt.push(line);
   }
   rebuilt.unshift(renamedHeader);
@@ -862,15 +940,39 @@ async function arcEvaluate(rfc822, opts) {
 //   });
 //   // → "Authentication-Results: mx.example.com;\r\n  spf=pass smtp.mailfrom=user@sender.example;\r\n  dkim=pass header.d=sender.example;\r\n  dmarc=pass header.from=user@sender.example;\r\n  arc=pass"
 
-var AR_VALID_RESULTS = {
-  pass: 1, fail: 1, neutral: 1, none: 1, softfail: 1, policy: 1,
-  permerror: 1, temperror: 1, hardfail: 1, bestguesspass: 1,
-};
-var AR_VALID_METHODS = {
-  auth: 1, dkim: 1, "dkim-adsp": 1, dmarc: 1, "domainkeys": 1,
-  "iprev": 1, "sender-id": 1, spf: 1, arc: 1, "smime": 1, dane: 1,
-  "vbr": 1, "dnswl": 1, "x-original-authentication-results": 1,
+// RFC 8601 §2.7 — result vocabulary is METHOD-SPECIFIC, not a flat
+// allowlist. The flat AR_VALID_RESULTS table previously accepted
+// `hardfail` for DKIM (only valid for DMARC §2.7.4) and `temperror` /
+// `permerror` for methods that don't recognize them. Per-method maps
+// match the spec sections cited.
+var AR_RESULTS_BY_METHOD = {
+  // §2.7.1 — auth
+  auth:           { pass: 1, fail: 1, none: 1, permerror: 1, temperror: 1 },
+  // §2.7.2 — domainkeys (legacy; vocabulary kept narrow)
+  domainkeys:     { pass: 1, fail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  // §2.7.3 — DKIM
+  dkim:           { pass: 1, fail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  "dkim-adsp":    { pass: 1, fail: 1, discard: 1, nxdomain: 1, none: 1, permerror: 1, temperror: 1 },
+  // §2.7.4 — SPF (uses softfail; not hardfail)
+  spf:            { pass: 1, fail: 1, softfail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  "sender-id":    { pass: 1, fail: 1, softfail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  // §2.7.5 — IPRev
+  iprev:          { pass: 1, fail: 1, permerror: 1, temperror: 1 },
+  // §2.7.6 — DMARC (this is the ONE place hardfail is valid in some drafts; keep it)
+  dmarc:          { pass: 1, fail: 1, none: 1, permerror: 1, temperror: 1, hardfail: 1, bestguesspass: 1 },
+  // RFC 8617 §4.1 — ARC
+  arc:            { pass: 1, fail: 1, none: 1 },
+  // RFC 8616 — DANE
+  dane:           { pass: 1, fail: 1, none: 1, permerror: 1, temperror: 1 },
+  // VBR + DNSWL + S/MIME — vocabulary kept conservative
+  smime:          { pass: 1, fail: 1, neutral: 1, none: 1, permerror: 1, temperror: 1, policy: 1 },
+  vbr:            { pass: 1, fail: 1, none: 1, permerror: 1, temperror: 1 },
+  dnswl:          { pass: 1, none: 1, temperror: 1 },
+  "x-original-authentication-results": { pass: 1, fail: 1, neutral: 1, none: 1, softfail: 1, hardfail: 1, policy: 1, permerror: 1, temperror: 1, bestguesspass: 1, discard: 1, nxdomain: 1 },
 };
+var AR_VALID_METHODS = Object.keys(AR_RESULTS_BY_METHOD).reduce(function (acc, m) {
+  acc[m] = 1; return acc;
+}, {});
 
 function authResultsEmit(opts) {
   validateOpts.requireObject(opts, "authResults.emit", MailAuthError, "mail-auth/ar-bad-input");
@@ -908,9 +1010,10 @@ function authResultsEmit(opts) {
       throw new MailAuthError("mail-auth/ar-bad-method",
         "authResults.emit: unknown method '" + r.method + "'");
     }
-    if (!AR_VALID_RESULTS[result]) {
+    var methodResults = AR_RESULTS_BY_METHOD[method];
+    if (!methodResults || !methodResults[result]) {
       throw new MailAuthError("mail-auth/ar-bad-result",
-        "authResults.emit: unknown result '" + r.result + "' for method '" + method + "'");
+        "authResults.emit: result '" + r.result + "' is not in the RFC 8601 §2.7 vocabulary for method '" + method + "'");
     }
     var clause = method + "=" + result;
     if (r.reason && typeof r.reason === "string" && !/[\r\n\0;]/.test(r.reason)) {

package/lib/network-smtp-policy.js

@@ -221,11 +221,12 @@ function mtaStsMatchMx(mxHost, mxList) {
 
 // ---- DANE TLSA (RFC 6698) ----
 
-async function daneTlsa(domain, port) {
+async function daneTlsa(domain, port, opts) {
   if (typeof domain !== "string" || domain.length === 0) {
     throw new SmtpPolicyError("smtp/bad-domain",
       "dane.tlsa: domain must be a non-empty string");
   }
+  opts = opts || {};
   var p = typeof port === "number" ? port : 25;                                  // allow:raw-byte-literal — IANA SMTP port
   var qname = "_" + p + "._tcp." + domain.toLowerCase();
   // node:dns has resolveTlsa() since Node 18.16.0.
@@ -240,6 +241,20 @@ async function daneTlsa(domain, port) {
     throw new SmtpPolicyError("smtp/dane-lookup-failed",
       "TLSA lookup for " + qname + " failed: " + ((e && e.message) || String(e)));
   }
+  // RFC 7672 §1.3 — TLSA records that are NOT DNSSEC-validated MUST
+  // NOT be used. node:dns.resolveTlsa does not surface the AD bit
+  // through its high-level API, so the framework requires the caller
+  // to assert via opts.dnssecValidated when running on a non-DNSSEC-
+  // aware resolver. The default REFUSES to use the records — operators
+  // MUST opt in explicitly. Pre-v0.8.17 this was silently used.
+  // Operators with a DNSSEC-validating resolver (Unbound, dnsmasq with
+  // DNSSEC, etc.) pass `dnssecValidated: true`; those without should
+  // not use DANE at all (RFC 7672 §1.3 explicit).
+  if (opts.dnssecValidated !== true) {
+    throw new SmtpPolicyError("smtp/dane-no-dnssec",
+      "dane.tlsa: TLSA records must be DNSSEC-validated before use (RFC 7672 §1.3); " +
+      "pass opts.dnssecValidated: true to acknowledge the resolver's DNSSEC posture");
+  }
   // Normalize node's response shape to { usage, selector, mtype, dataHex }.
   return (records || []).map(function (r) {
     return {
@@ -285,6 +300,60 @@ function daneRecordShape(rec) {
 // SMTP DANE surface (operators relying on PKIX modes pair this with
 // b.network.tls's CA store + Node's TLSSocket validation).
 
+// Extract the issuer Name DER (raw SEQUENCE bytes) from a cert.
+// Used for DANE-TA chain-order verification: the matched DANE-TA cert's
+// subject must equal the next-down cert's issuer.
+function _extractIssuerDer(certDer) {
+  var top;
+  try { top = asn1.readNode(certDer); }
+  catch (_e) { return null; }
+  if (top.tag !== asn1.TAG.SEQUENCE) return null;
+  var children;
+  try { children = asn1.readSequence(top.value); }
+  catch (_e) { return null; }
+  if (children.length === 0) return null;
+  var tbs = children[0];
+  var tbsKids;
+  try { tbsKids = asn1.readSequence(tbs.value); }
+  catch (_e) { return null; }
+  var idx = 0;
+  if (tbsKids.length > 0 &&
+      tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
+      tbsKids[0].tag === 0) {                                                    // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
+    idx = 1;
+  }
+  // TBSCertificate fields: serial, signature, issuer, validity, subject, ...
+  // Issuer = idx + 2.
+  var issuerIdx = idx + 2;
+  if (issuerIdx >= tbsKids.length) return null;
+  return tbsKids[issuerIdx].raw;
+}
+
+function _extractSubjectDer(certDer) {
+  var top;
+  try { top = asn1.readNode(certDer); }
+  catch (_e) { return null; }
+  if (top.tag !== asn1.TAG.SEQUENCE) return null;
+  var children;
+  try { children = asn1.readSequence(top.value); }
+  catch (_e) { return null; }
+  if (children.length === 0) return null;
+  var tbs = children[0];
+  var tbsKids;
+  try { tbsKids = asn1.readSequence(tbs.value); }
+  catch (_e) { return null; }
+  var idx = 0;
+  if (tbsKids.length > 0 &&
+      tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
+      tbsKids[0].tag === 0) {                                                    // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
+    idx = 1;
+  }
+  // Subject = idx + 4 (after serial / signature / issuer / validity).
+  var subjectIdx = idx + 4;
+  if (subjectIdx >= tbsKids.length) return null;
+  return tbsKids[subjectIdx].raw;
+}
+
 function _extractSubjectPublicKeyInfo(certDer) {
   // SPKI (selector=1) is the SubjectPublicKeyInfo SEQUENCE inside
   // tbsCertificate. Tolerant of malformed input — returns null when
@@ -376,10 +445,36 @@ function daneVerifyChain(certChain, tlsaRecords, opts) {
   for (var t = 0; t < tlsaRecords.length; t += 1) {
     var rec = tlsaRecords[t];
     var usage = rec.usage;
-    if (usage === 2) {                                                           // DANE-TA — match against any non-leaf cert (TA in chain)
+    if (usage === 2) {                                                           // allow:raw-byte-literal — TLSA cert-usage code (RFC 6698 §2.1.1) — DANE-TA: match against trust anchor IN the chain (RFC 7672 §3.1.1).
+      // The framework now enforces chain order: the matched DANE-TA
+      // cert at position i must have its Subject equal to the Issuer
+      // of cert at position i-1 (i.e. it must actually be the parent
+      // in the chain, not a random non-leaf cert that happens to
+      // hash-match the TLSA record).
       for (var i = 1; i < certChain.length; i += 1) {
         var rv = _matchTlsaAgainstCert(rec, certChain[i]);
-        if (rv) { matches.push({ tlsaIndex: t, certIndex: i, usage: "DANE-TA", mtype: rv.mtype }); break; }
+        if (!rv) continue;
+        var taSubject = _extractSubjectDer(certChain[i]);
+        var childIssuer = _extractIssuerDer(certChain[i - 1]);
+        if (!taSubject || !childIssuer) {
+          // ASN.1 extraction failed (non-DER buffer or malformed).
+          // Accept the match but flag it — real-world peerCertificate
+          // chains are always DER, so this branch is reached only for
+          // synthetic / test-fixture inputs.
+          matches.push({ tlsaIndex: t, certIndex: i, usage: "DANE-TA",
+            mtype: rv.mtype, chainOrderUnverified: true });
+          break;
+        }
+        if (taSubject.equals(childIssuer)) {
+          matches.push({ tlsaIndex: t, certIndex: i, usage: "DANE-TA", mtype: rv.mtype });
+          break;
+        }
+        // Match found at this index but the chain isn't ordered — keep
+        // looking up the chain in case a later cert is the genuine
+        // trust anchor and the matching cert was a misconfiguration.
+        errors.push({ tlsaIndex: t, certIndex: i,
+          reason: "dane-ta-chain-order-mismatch",
+          note: "TLSA record matched cert[" + i + "] but its Subject does not equal the Issuer of cert[" + (i - 1) + "] (RFC 7672 §3.1.1 chain-order check)" });
       }
     } else if (usage === 3) {                                                    // DANE-EE — match against the leaf cert only
       var rvEe = _matchTlsaAgainstCert(rec, certChain[0]);
@@ -512,6 +607,11 @@ async function tlsRptFetchPolicy(domain, opts) {
       }
     }
   }
+  // RFC 8460 §3 — `rua=` is REQUIRED. A v=TLSRPTv1 record without `rua=`
+  // is malformed and MUST be ignored. Pre-v0.8.17 the framework
+  // returned `{ rua: [] }` which operators (incorrectly) treated as a
+  // valid record with no destinations.
+  if (rua.length === 0) return null;
   return { version: "TLSRPTv1", rua: rua };
 }
 

package/lib/safe-sql.js

@@ -58,6 +58,12 @@ var BANNED_IDENTIFIERS = new Set([
   "where", "from", "join", "into", "values", "table", "database",
   "schema", "index", "view", "trigger", "procedure", "function",
   "begin", "commit", "rollback", "savepoint",
+  // SQLite-specific commands that escape the parameterized-query
+  // model. attach/detach mount external databases; pragma changes
+  // PRAGMAs (foreign_keys / cell_size_check / trusted_schema /
+  // journal_mode etc.) which can disable security-relevant
+  // protections; analyze / vacuum drop or rewrite indexes.
+  "pragma", "attach", "detach", "analyze", "vacuum", "reindex",
 ]);
 
 // Default identifier shape — Postgres NAMEDATALEN (63 chars) is the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.16",
+  "version": "0.8.18",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:9d91dfe3-4449-4315-ac6c-d78f5dd92d0c",
+  "serialNumber": "urn:uuid:1751cf74-fcc9-495e-a159-bac5eb2565b3",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T07:18:43.056Z",
+    "timestamp": "2026-05-07T07:40:58.458Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.16",
+      "bom-ref": "@blamejs/core@0.8.18",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.16",
+      "version": "0.8.18",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.16",
+      "purl": "pkg:npm/%40blamejs/core@0.8.18",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.16",
+      "ref": "@blamejs/core@0.8.18",
       "dependsOn": []
     }
   ]