@blamejs/core 0.8.89 → 0.9.0

package/lib/mail-require-tls.js

@@ -0,0 +1,198 @@
+"use strict";
+/**
+ * @module     b.mail.requireTls
+ * @nav        Mail
+ * @title      REQUIRETLS — RFC 8689
+ * @order      460
+ *
+ * @intro
+ *   RFC 8689 SMTP REQUIRETLS — per-message TLS-requirement signaling
+ *   between sender and receiver MTAs. The sender advertises that the
+ *   message MUST NOT be relayed over a cleartext (non-TLS) hop; if
+ *   no downstream MTA can deliver under TLS, the message bounces
+ *   instead of falling back to cleartext. Complements MTA-STS / DANE
+ *   (which are policy-side, domain-scoped) with a per-message
+ *   knob that overrides the policy when the operator wants
+ *   stricter-than-policy delivery.
+ *
+ *   Wire surface (RFC 8689 §3):
+ *
+ *     EHLO peer advertises:  250 REQUIRETLS
+ *     Client sends:          MAIL FROM:<sender> REQUIRETLS
+ *     Server replies:        250 OK             (or 550 if it can't honor)
+ *
+ *   Header surface (RFC 8689 §5):
+ *
+ *     TLS-Required: No       Explicit operator override; sender
+ *                            requests REQUIRETLS-style behavior be
+ *                            DISABLED for this message even if the
+ *                            policy infrastructure (MTA-STS / DANE)
+ *                            says otherwise. Use sparingly — primary
+ *                            use case is delivery to legacy peers
+ *                            during a controlled migration.
+ *
+ *   This module ships:
+ *
+ *     b.mail.requireTls.peerSupports(ehloLines) → boolean
+ *       Walks EHLO response lines and returns true when the peer
+ *       advertised the REQUIRETLS keyword.
+ *
+ *     b.mail.requireTls.mailFromExtension({ requireTls }) → string
+ *       Returns the trailing " REQUIRETLS" token (or empty string)
+ *       to append to a MAIL FROM line.
+ *
+ *     b.mail.requireTls.parseTlsRequiredHeader(headerValue) → "yes" | "no" | null
+ *       Parses the TLS-Required header field per §5. Returns "no"
+ *       only when the value is the literal token "no" (case-
+ *       insensitive); any other value returns "yes" (the conservative
+ *       default — operators must opt OUT explicitly, never default to
+ *       fall-back-to-cleartext). null when the header is absent.
+ *
+ * @card
+ *   RFC 8689 REQUIRETLS — per-message TLS-requirement signaling between MTAs (EHLO keyword + MAIL FROM extension + TLS-Required header parser).
+ */
+
+var structuredFields = require("./structured-fields");
+var validateOpts     = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var RequireTlsError = defineClass("RequireTlsError", { alwaysPermanent: true });
+
+var REQUIRETLS_TOKEN = "REQUIRETLS";
+
+/**
+ * @primitive b.mail.requireTls.peerSupports
+ * @signature b.mail.requireTls.peerSupports(ehloLines)
+ * @since     0.8.90
+ * @status    stable
+ *
+ * Walk a parsed EHLO response and return `true` when the peer
+ * advertised the `REQUIRETLS` keyword. `ehloLines` is the array of
+ * post-greeting capability lines returned by the SMTP transport
+ * (each entry is the capability token, e.g. `"SIZE 10485760"`,
+ * `"PIPELINING"`, `"REQUIRETLS"`). Case-insensitive match per RFC
+ * 5321 §2.4 (EHLO keywords are uppercase by convention but
+ * comparison is case-insensitive).
+ *
+ * Returns `false` for empty / non-array input — operators who can't
+ * parse the EHLO get a definitive "not supported" verdict rather
+ * than a throw, matching the "defensive request-shape reader"
+ * convention used elsewhere.
+ *
+ * @example
+ *   var ehlo = ["mail.example.com", "PIPELINING", "SIZE 10485760", "REQUIRETLS", "STARTTLS"];
+ *   b.mail.requireTls.peerSupports(ehlo);  // → true
+ *
+ *   b.mail.requireTls.peerSupports(["PIPELINING", "SIZE 10485760"]);  // → false
+ */
+function peerSupports(ehloLines) {
+  if (!Array.isArray(ehloLines)) return false;
+  for (var i = 0; i < ehloLines.length; i += 1) {
+    var line = ehloLines[i];
+    if (typeof line !== "string") continue;
+    // Keyword is everything up to the first space (RFC 5321 §4.1.1.1).
+    var sp = line.indexOf(" ");
+    var keyword = sp === -1 ? line : line.slice(0, sp);
+    if (keyword.toUpperCase() === REQUIRETLS_TOKEN) return true;
+  }
+  return false;
+}
+
+/**
+ * @primitive b.mail.requireTls.mailFromExtension
+ * @signature b.mail.requireTls.mailFromExtension(opts)
+ * @since     0.8.90
+ * @status    stable
+ *
+ * Build the trailing SMTP MAIL FROM extension token for REQUIRETLS.
+ * Returns `" REQUIRETLS"` (with a leading space, ready to append)
+ * when `opts.requireTls === true`; empty string otherwise. The
+ * primitive does NOT validate the operator's address — that's the
+ * SMTP transport's job. This only emits the standard-defined token
+ * suffix.
+ *
+ * Refuses non-object opts. `requireTls` must be a boolean when
+ * provided (any other type throws `mail-require-tls/bad-flag`) so
+ * a truthy-but-wrong-shape value (e.g. `"yes"`) doesn't silently
+ * succeed.
+ *
+ * @opts
+ *   requireTls: boolean,   // true to emit " REQUIRETLS"; falsy/absent → ""
+ *
+ * @example
+ *   var line = "MAIL FROM:<alice@example.com>" +
+ *              b.mail.requireTls.mailFromExtension({ requireTls: true });
+ *   // → "MAIL FROM:<alice@example.com> REQUIRETLS"
+ */
+function mailFromExtension(opts) {
+  if (!opts || typeof opts !== "object" || Array.isArray(opts)) {
+    throw new RequireTlsError("mail-require-tls/bad-opts",
+      "mailFromExtension: opts must be a non-null object", true);
+  }
+  if (opts.requireTls === undefined || opts.requireTls === false) return "";
+  if (opts.requireTls !== true) {
+    throw new RequireTlsError("mail-require-tls/bad-flag",
+      "mailFromExtension: requireTls must be a boolean (got " + typeof opts.requireTls + ")");
+  }
+  return " " + REQUIRETLS_TOKEN;
+}
+
+/**
+ * @primitive b.mail.requireTls.parseTlsRequiredHeader
+ * @signature b.mail.requireTls.parseTlsRequiredHeader(headerValue)
+ * @since     0.8.90
+ * @status    stable
+ *
+ * Parse the RFC 8689 §5 `TLS-Required` header field. Returns:
+ *
+ *   - `"no"` when the value is the literal token `no` (case-
+ *     insensitive, ignoring surrounding whitespace) — the sender
+ *     EXPLICITLY opts out of REQUIRETLS-style behavior for this
+ *     message.
+ *   - `"yes"` for any other non-empty value — conservative default
+ *     so an operator who set a typo / malformed value still gets
+ *     the strict path (RFC 8689 §5: "if a recipient receives a
+ *     message containing a TLS-Required field with any value other
+ *     than 'No', it MUST be treated as if the field had been
+ *     absent").
+ *   - `null` when the header is absent / empty / not a string —
+ *     operator code branches on null vs "yes" / "no".
+ *
+ * Refuses CR / LF / NUL in the value (header-injection-shape inputs
+ * shouldn't reach a parser that's downstream of header splitters
+ * anyway, but a defensive check here catches operator-side mistakes).
+ *
+ * @example
+ *   b.mail.requireTls.parseTlsRequiredHeader("No");      // → "no"
+ *   b.mail.requireTls.parseTlsRequiredHeader("no");      // → "no"
+ *   b.mail.requireTls.parseTlsRequiredHeader("  no  ");  // → "no"
+ *   b.mail.requireTls.parseTlsRequiredHeader("yes");     // → "yes"
+ *   b.mail.requireTls.parseTlsRequiredHeader("anything"); // → "yes" (RFC 8689 §5 default)
+ *   b.mail.requireTls.parseTlsRequiredHeader("");        // → null
+ *   b.mail.requireTls.parseTlsRequiredHeader(undefined); // → null
+ */
+function parseTlsRequiredHeader(headerValue) {
+  if (typeof headerValue !== "string") return null;
+  structuredFields.refuseControlBytes(headerValue, {
+    ErrorClass: RequireTlsError,
+    code:       "mail-require-tls/bad-header-value",
+    label:      "parseTlsRequiredHeader",
+  });
+  var trimmed = headerValue.trim();
+  if (trimmed.length === 0) return null;
+  if (trimmed.toLowerCase() === "no") return "no";
+  // RFC 8689 §5 — any other value treated as if absent (strict path).
+  return "yes";
+}
+
+module.exports = {
+  peerSupports:            peerSupports,
+  mailFromExtension:       mailFromExtension,
+  parseTlsRequiredHeader:  parseTlsRequiredHeader,
+  REQUIRETLS_TOKEN:        REQUIRETLS_TOKEN,
+  RequireTlsError:         RequireTlsError,
+};
+
+// Reserved for future field validation paths; kept in canonical
+// require ordering.
+void validateOpts;

package/lib/mail.js

@@ -1818,11 +1818,13 @@ function feedbackId(opts) {
   return parts.join(":");
 }
 
-var mailSrs = require("./mail-srs");
+var mailRequireTls = require("./mail-require-tls");
+var mailSrs        = require("./mail-srs");
 
 module.exports = {
   create:      create,
   feedbackId:  feedbackId,
+  requireTls:  mailRequireTls,
   srs:         mailSrs,
   MailError:   MailError,
   unsubscribe: mailUnsubscribe,

package/lib/middleware/body-parser.js

@@ -112,13 +112,14 @@ var fs = require("fs");
 var os = require("os");
 var path = require("path");
 var nodeCrypto = require("node:crypto");
-var atomicFile = require("../atomic-file");
-var crypto = require("../crypto");
-var lazyRequire = require("../lazy-require");
-var requestHelpers = require("../request-helpers");
-var safeBuffer = require("../safe-buffer");
-var safeJson = require("../safe-json");
-var validateOpts = require("../validate-opts");
+var atomicFile      = require("../atomic-file");
+var crypto          = require("../crypto");
+var lazyRequire     = require("../lazy-require");
+var requestHelpers  = require("../request-helpers");
+var safeBuffer      = require("../safe-buffer");
+var safeJson        = require("../safe-json");
+var structuredFields = require("../structured-fields");
+var validateOpts    = require("../validate-opts");
 var C = require("../constants");
 var { defineClass } = require("../framework-error");
 
@@ -214,14 +215,20 @@ function _contentType(req) {
   var params = {};
   if (idx !== -1) {
     var rest = ct.slice(idx + 1);
-    var parts = rest.split(";");
+    // RFC 9110 §8.3 + §5.6.6 — parameter values may be quoted-string
+    // (e.g. `boundary="foo;bar"`, `charset="x;y"`). Bare `.split(";")`
+    // would slice through quoted commas/semicolons and corrupt the
+    // multipart boundary. Use the shared quote-aware splitter that
+    // tracks RFC 8941 §3.3.3 quoted-string state with backslash-escape.
+    var parts = structuredFields.splitTopLevel(rest, ";");
     for (var i = 0; i < parts.length; i++) {
       var p = parts[i].trim();
       var eq = p.indexOf("=");
       if (eq === -1) continue;
       var k = p.slice(0, eq).trim().toLowerCase();
       var v = p.slice(eq + 1).trim();
-      if (v.length >= 2 && v[0] === '"' && v[v.length - 1] === '"') v = v.slice(1, -1);
+      var _unq = structuredFields.unquoteSfString(v);
+      if (_unq !== null) v = _unq;
       params[k] = v;
     }
   }
@@ -305,7 +312,7 @@ function _detectSmuggling(req) {
   //    (RFC 9112 §6.1). Anything else is a smuggling vector or
   //    server-side decode error.
   if (typeof te === "string" && te.length > 0) {
-    var tokens = te.toLowerCase().split(",").map(function (t) { return t.trim(); });
+    var tokens = te.toLowerCase().split(",").map(function (t) { return t.trim(); });               // allow:bare-split-on-quoted-header — RFC 9112 §6.1 Transfer-Encoding values (chunked / gzip / deflate / identity) are token-only; no quoted-string in the grammar
     var last = tokens[tokens.length - 1];
     if (last !== "chunked") {
       return {
@@ -621,7 +628,11 @@ function _parseHeaderParams(headerValue) {
   // `filename` so downstream consumers don't need parser-aware code.
   var out = { _value: "" };
   if (!headerValue) return out;
-  var parts = headerValue.split(";");
+  // RFC 6266 §4.1 + RFC 9110 §5.6.6 — parameter values may be
+  // quoted-string (e.g. `filename="weird;name.txt"`). Bare
+  // `.split(";")` would slice through the quoted semicolon and
+  // corrupt the filename. Quote-aware shared splitter.
+  var parts = structuredFields.splitTopLevel(headerValue, ";");
   out._value = parts[0].trim().toLowerCase();
   var extName = null;
   for (var i = 1; i < parts.length; i++) {
@@ -630,7 +641,8 @@ function _parseHeaderParams(headerValue) {
     if (eq === -1) continue;
     var k = p.slice(0, eq).trim().toLowerCase();
     var v = p.slice(eq + 1).trim();
-    if (v.length >= 2 && v[0] === '"' && v[v.length - 1] === '"') v = v.slice(1, -1);
+    var _unq = structuredFields.unquoteSfString(v);
+    if (_unq !== null) v = _unq;
     if (k.charAt(k.length - 1) === "*") {
       var decoded = _decodeRfc5987(v);
       if (decoded !== null) {

package/lib/middleware/scim-server.js

@@ -177,8 +177,8 @@ async function _dispatch(req, res, basePath, bearer, opts, maxPageSize) {
       count:              pageSize,
       sortBy:             query.sortBy || null,
       sortOrder:          query.sortOrder || null,
-      attributes:         query.attributes ? query.attributes.split(",") : null,
-      excludedAttributes: query.excludedAttributes ? query.excludedAttributes.split(",") : null,
+      attributes:         query.attributes ? query.attributes.split(",") : null,                  // allow:bare-split-on-quoted-header — RFC 7644 §3.9 attributes/excludedAttributes are SCIM attribute paths (URN-ish identifiers); grammar excludes DQUOTE
+      excludedAttributes: query.excludedAttributes ? query.excludedAttributes.split(",") : null,    // allow:bare-split-on-quoted-header — same SCIM attribute-name grammar
     }, ctx);
     _writeJson(res, H.OK, {
       schemas:      [SCIM_MESSAGE_LIST],

package/lib/middleware/tus-upload.js

@@ -40,13 +40,14 @@
  * cannot satisfy.
  */
 
-var nodeCrypto = require("crypto");                                                // for createHash() in checksum extension
-var C = require("../constants");
-var bCrypto = require("../crypto");
-var lazyRequire = require("../lazy-require");
-var safeAsync = require("../safe-async");
-var safeBuffer = require("../safe-buffer");
-var validateOpts = require("../validate-opts");
+var nodeCrypto       = require("crypto");                                          // for createHash() in checksum extension
+var C                = require("../constants");
+var bCrypto          = require("../crypto");
+var lazyRequire      = require("../lazy-require");
+var safeAsync        = require("../safe-async");
+var safeBuffer       = require("../safe-buffer");
+var structuredFields = require("../structured-fields");
+var validateOpts     = require("../validate-opts");
 var { defineClass } = require("../framework-error");
 
 // Observability metric prefix for the TUS middleware. The framework
@@ -145,6 +146,10 @@ function _serializeMetadata(metaObj) {
 function _parseChecksumHeader(headerValue, allowedSet) {
   // tus.io 1.0.0 §3.5: `Upload-Checksum: <algo> <base64-digest>`.
   if (typeof headerValue !== "string") return null;
+  // The tus.io grammar implicitly excludes C0 / DEL (token + base64
+  // alphabet); refuse those on the RAW value BEFORE the slice/trim
+  // normalisation (same v0.8.90 trim-before-validate bug class).
+  if (structuredFields.containsControlBytes(headerValue)) return { error: "malformed" };
   var sp = headerValue.indexOf(" ");
   if (sp === -1) return { error: "malformed" };
   var algo = headerValue.slice(0, sp).trim().toLowerCase();

package/lib/network-dns.js

@@ -1708,9 +1708,187 @@ function isNullMx(mxRecords) {
   return only.exchange === "" || only.exchange === ".";
 }
 
+// RFC 9905 — Deprecating DNSSEC SHA-1 Usage. The IANA DNSSEC Algorithm
+// Numbers registry classifies SHA-1-based DNSKEY algorithms (5
+// RSASHA1, 7 RSASHA1-NSEC3-SHA1, 10 RSASHA512-using-SHA1-NSEC3) and
+// SHA-1 DS digest type 1 as "MUST NOT be used" / "MUST NOT be
+// supported". Operators auditing inbound DNSSEC chain-of-trust data
+// classify a record's algorithm number to decide whether to refuse
+// the validation as deprecated.
+//
+// Returns the classification verdict object:
+//   {
+//     deprecated:  boolean,  // true when SHA-1 family per RFC 9905 §3-§4
+//     algorithm:   number,   // echo of input
+//     name:        string,   // human-readable label
+//     reason:      string,   // citation
+//   }
+// for any IANA DNSKEY algorithm number, or null for unknown / non-
+// numeric input. Defensive request-shape reader — never throws.
+
+/**
+ * @primitive b.network.dns.classifyDnskeyAlgorithm
+ * @signature b.network.dns.classifyDnskeyAlgorithm(algorithm)
+ * @since     0.8.91
+ * @status    stable
+ * @related   b.network.dns.classifyDsDigestType, b.network.dns.isNullMx
+ *
+ * Classify a DNSKEY / RRSIG algorithm number against the IANA DNS
+ * Security Algorithm Numbers registry, flagging SHA-1-based and
+ * other deprecated algorithms per RFC 9905 (Deprecating DNSSEC
+ * SHA-1 Usage), RFC 8624 (Algorithm Implementation Requirements),
+ * and RFC 6944 / RFC 6725 (RSAMD5 deprecation).
+ *
+ * Returns `{ algorithm, name, deprecated, reason, known }` for any
+ * IANA-assigned number; `known: false` for unassigned numbers
+ * (operators decide whether unassigned == deprecated for their
+ * threat model). Returns `null` for non-integer / non-finite input.
+ *
+ * Operators auditing inbound DNSSEC chain-of-trust evidence call
+ * this on each link's algorithm number and refuse the validation
+ * when `deprecated === true`. Defensive request-shape reader —
+ * never throws.
+ *
+ * @example
+ *   var v = b.network.dns.classifyDnskeyAlgorithm(5);
+ *   // → { algorithm: 5, name: "RSASHA1", deprecated: true,
+ *   //     reason: "SHA-1 deprecated (RFC 9905 §3)", known: true }
+ *   if (v && v.deprecated) throw new Error("refuse DNSSEC algo " + v.name);
+ *
+ *   b.network.dns.classifyDnskeyAlgorithm(13);
+ *   // → { algorithm: 13, name: "ECDSAP256SHA256", deprecated: false, ... }
+ */
+
+// Canonical DNSKEY algorithm vocabulary (IANA DNS Security Algorithm
+// Numbers registry — https://www.iana.org/assignments/dns-sec-alg-numbers).
+// Operators looking up the human-readable label or computing whether
+// the framework's own DNSSEC paths use a deprecated algorithm walk
+// this table. Every IANA-assigned number gets an entry (including
+// Reserved / Private-use values) so `classifyDnskeyAlgorithm()`
+// returns `known: true` for the full assigned space; the "Unassigned"
+// range (17-122, 124-251) is the only set that surfaces as
+// `known: false`. Marked-deprecated entries cite the controlling
+// RFC; Reserved / Private-use entries are flagged so operators
+// auditing DNSSEC chain-of-trust evidence know they cannot validate
+// the entry against a public algorithm registry.
+var DNSKEY_ALGORITHMS = Object.freeze({
+  1:   { name: "RSAMD5",             deprecated: true,  reason: "MD5 broken (RFC 6944 §2.1, RFC 6725)" },
+  2:   { name: "DH",                 deprecated: true,  reason: "Diffie-Hellman key (RFC 2539) — never widely deployed; superseded by signature algorithms" },
+  3:   { name: "DSA",                deprecated: true,  reason: "DSA deprecated (RFC 8624 §3.1)" },
+  4:   { name: "Reserved",           deprecated: true,  reason: "Reserved (RFC 4034 §A.1) — not for production use" },
+  5:   { name: "RSASHA1",            deprecated: true,  reason: "SHA-1 deprecated (RFC 9905 §3)" },
+  6:   { name: "DSA-NSEC3-SHA1",     deprecated: true,  reason: "SHA-1 deprecated (RFC 9905 §3); DSA deprecated (RFC 8624 §3.1)" },
+  7:   { name: "RSASHA1-NSEC3-SHA1", deprecated: true,  reason: "SHA-1 deprecated (RFC 9905 §3)" },
+  8:   { name: "RSASHA256",          deprecated: false, reason: "current — RFC 5702" },                                  // allow:raw-byte-literal — IANA DNSKEY algorithm number
+  9:   { name: "Reserved",           deprecated: true,  reason: "Reserved (RFC 5155) — not for production use" },
+  10:  { name: "RSASHA512",          deprecated: false, reason: "current — RFC 5702" },
+  11:  { name: "Reserved",           deprecated: true,  reason: "Reserved (RFC 5155) — not for production use" },
+  12:  { name: "ECC-GOST",           deprecated: true,  reason: "deprecated (RFC 8624 §3.1)" },
+  13:  { name: "ECDSAP256SHA256",    deprecated: false, reason: "current — RFC 6605" },
+  14:  { name: "ECDSAP384SHA384",    deprecated: false, reason: "current — RFC 6605" },
+  15:  { name: "ED25519",            deprecated: false, reason: "current — RFC 8080" },
+  16:  { name: "ED448",              deprecated: false, reason: "current — RFC 8080" },                                  // allow:raw-byte-literal — IANA DNSKEY algorithm number
+  // 17-122: Unassigned per IANA. Operators that see one of these
+  // get known: false from classifyDnskeyAlgorithm() — the entry
+  // is not a typo against the framework table, it's a value the
+  // registry hasn't allocated yet.
+  // 123-251: Reserved per IANA.
+  252: { name: "INDIRECT",           deprecated: true,  reason: "Reserved indirect-keys placeholder (RFC 4034 §A.1) — not usable for signing/verification" },                                      // allow:raw-byte-literal — IANA DNSKEY algorithm number
+  253: { name: "PRIVATEDNS",         deprecated: false, reason: "Private algorithm identified by domain name (RFC 4034 §A.1.1) — operators using this assume the private algorithm itself is acceptable" },
+  254: { name: "PRIVATEOID",         deprecated: false, reason: "Private algorithm identified by OID (RFC 4034 §A.1.2) — operators using this assume the private algorithm itself is acceptable" },
+  255: { name: "Reserved",           deprecated: true,  reason: "Reserved (RFC 4034 §A.1) — not for production use" },
+});
+
+/**
+ * @primitive b.network.dns.classifyDsDigestType
+ * @signature b.network.dns.classifyDsDigestType(digestType)
+ * @since     0.8.91
+ * @status    stable
+ * @related   b.network.dns.classifyDnskeyAlgorithm, b.network.dns.isNullMx
+ *
+ * Classify a DS-record digest type against the IANA DNSSEC Delegation
+ * Signer (DS) Resource Record (RR) Type Digest Algorithms registry,
+ * flagging SHA-1 (digest type 1) as deprecated per RFC 9905 §4.
+ *
+ * Returns `{ digestType, name, deprecated, reason, known }` for any
+ * IANA-assigned number; `null` for non-integer input.
+ *
+ * @example
+ *   var v = b.network.dns.classifyDsDigestType(1);
+ *   // → { digestType: 1, name: "SHA-1", deprecated: true,
+ *   //     reason: "SHA-1 deprecated (RFC 9905 §4)", known: true }
+ *
+ *   b.network.dns.classifyDsDigestType(2);
+ *   // → { digestType: 2, name: "SHA-256", deprecated: false, ... }
+ */
+
+// DS digest-type vocabulary (RFC 4034 §5.1 + RFC 6605 §6 + RFC 8624
+// §3.2 + RFC 9558). Digest type 1 = SHA-1 is deprecated per RFC 9905
+// §4. Digest types 5 (GOST R 34.11-2012) and 6 (SM3) added by RFC
+// 9558. Reserved value 0 surfaced for completeness.
+var DS_DIGEST_TYPES = Object.freeze({
+  0: { name: "Reserved",            deprecated: true,  reason: "Reserved (RFC 3658) — not for production use" },
+  1: { name: "SHA-1",               deprecated: true,  reason: "SHA-1 deprecated (RFC 9905 §4)" },
+  2: { name: "SHA-256",             deprecated: false, reason: "current — RFC 4509" },
+  3: { name: "GOST R 34.11-94",     deprecated: true,  reason: "deprecated (RFC 8624 §3.2; superseded by GOST 2012 in RFC 9558)" },
+  4: { name: "SHA-384",             deprecated: false, reason: "current — RFC 6605 §6" },
+  5: { name: "GOST R 34.11-2012",   deprecated: false, reason: "current — RFC 9558 §3" },
+  6: { name: "SM3",                 deprecated: false, reason: "current — RFC 9558 §3 (Chinese national standard)" },
+});
+
+function classifyDnskeyAlgorithm(algorithm) {
+  if (typeof algorithm !== "number" || !isFinite(algorithm) || Math.floor(algorithm) !== algorithm) {
+    return null;
+  }
+  var row = DNSKEY_ALGORITHMS[algorithm];
+  if (!row) {
+    return {
+      algorithm:  algorithm,
+      name:       "unassigned",
+      deprecated: false,
+      reason:     "no IANA assignment for algorithm " + algorithm,
+      known:      false,
+    };
+  }
+  return {
+    algorithm:  algorithm,
+    name:       row.name,
+    deprecated: row.deprecated,
+    reason:     row.reason,
+    known:      true,
+  };
+}
+
+function classifyDsDigestType(digestType) {
+  if (typeof digestType !== "number" || !isFinite(digestType) || Math.floor(digestType) !== digestType) {
+    return null;
+  }
+  var row = DS_DIGEST_TYPES[digestType];
+  if (!row) {
+    return {
+      digestType: digestType,
+      name:       "unassigned",
+      deprecated: false,
+      reason:     "no IANA assignment for digest type " + digestType,
+      known:      false,
+    };
+  }
+  return {
+    digestType: digestType,
+    name:       row.name,
+    deprecated: row.deprecated,
+    reason:     row.reason,
+    known:      true,
+  };
+}
+
 module.exports = {
   setServers:                  setServers,
   isNullMx:                    isNullMx,
+  classifyDnskeyAlgorithm:     classifyDnskeyAlgorithm,
+  classifyDsDigestType:        classifyDsDigestType,
+  DNSKEY_ALGORITHMS:           DNSKEY_ALGORITHMS,
+  DS_DIGEST_TYPES:             DS_DIGEST_TYPES,
   getServers:                  getServers,
   setResultOrder:              setResultOrder,
   setFamily:                   setFamily,

package/lib/network-smtp-policy.js

@@ -598,7 +598,7 @@ async function tlsRptFetchPolicy(domain, opts) {
     if (/^v=TLSRPTv1\b/i.test(s)) { joined = s; break; }
   }
   if (joined.length === 0) return null;
-  var parts = joined.split(";");
+  var parts = joined.split(";");                                                              // allow:bare-split-on-quoted-header — allow:raw-time-literal — TLS-RPT record grammar (RFC 8460 §3): `tlsrpt-record = "v=TLSRPTv1;" *(WSP) tlsrpt-rua` with token-only values; no quoted-string
   var rua = [];
   for (var p = 0; p < parts.length; p += 1) {
     var t = parts[p].trim();
@@ -607,7 +607,7 @@ async function tlsRptFetchPolicy(domain, opts) {
     var k = t.slice(0, eq).trim().toLowerCase();
     var v = t.slice(eq + 1).trim();
     if (k === "rua") {
-      var uris = v.split(",");
+      var uris = v.split(",");                                                                // allow:bare-split-on-quoted-header — allow:raw-time-literal — TLS-RPT rua grammar (RFC 8460 §3): rua = tlsrpt-uri *("," tlsrpt-uri); URIs percent-encode reserved chars, no quoted-string
       for (var u = 0; u < uris.length; u += 1) {
         var uri = uris[u].trim();
         if (uri.length > 0) rua.push(uri);

package/lib/request-helpers.js

@@ -41,6 +41,8 @@
 // values (RFC 9110), not byte sizes. Names are RFC 9110 reason phrases;
 // every consumer reads HTTP_STATUS.<NAME> rather than the underlying
 // integer, so the hex form is purely an internal storage detail.
+var structuredFields = require("./structured-fields");
+
 var HTTP_STATUS = Object.freeze({
   OK:                            0xC8,
   PARTIAL_CONTENT:               0xCE,
@@ -354,6 +356,19 @@ function parseListHeader(value, opts) {
   opts = opts || {};
   var s = typeof value === "string" ? value : String(value);
   if (s.length === 0) return [];
+  if (opts.strictToken) {
+    // RFC 9110 §5.6.2 token grammar excludes C0 / DEL. Scan the RAW
+    // value BEFORE the comma split + trim so a leading/trailing
+    // `\r\n\t` byte can't slip through (the trim() below would strip
+    // it before RFC_9110_TOKEN_RE saw it, matching the v0.8.90
+    // `parseTlsRequiredHeader` bug class).
+    structuredFields.refuseControlBytes(s, {
+      ErrorClass:     TypeError,
+      code:           "parseListHeader/control-character",
+      label:          "parseListHeader",
+      useNativeError: true,
+    });
+  }
   var parts = s.split(",");
   var out = [];
   for (var i = 0; i < parts.length; i++) {

package/lib/security-assert.js

@@ -202,7 +202,29 @@ async function assertProduction(opts) {
       var want = opts.minTlsVersion;
       // Compare TLSv1.3 > TLSv1.2 > TLSv1.1 > TLSv1.0 by string.
       var order = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"];
-      if (order.indexOf(got) < order.indexOf(want)) {
+      // Validate BOTH the operator-supplied required version AND the
+      // currently-active version against the known-vocabulary BEFORE
+      // the rank compare. A typo'd `want` (e.g. "TLS1.3" or "TLSv1.4")
+      // maps to indexOf === -1; without this check, the comparison
+      // `3 < -1 === false` silently passes even though the operator
+      // asked for a version the framework doesn't recognize.
+      // Throw at config time — this is a production-posture entry
+      // point and operator typos must be loud at boot, not deferred
+      // to per-request audit.
+      if (order.indexOf(want) === -1) {
+        throw new TypeError(
+          "assertProductionPosture: opts.minTlsVersion '" + want +
+          "' is not one of " + order.join(" / "));
+      }
+      if (order.indexOf(got) === -1) {
+        // Node's DEFAULT_MIN_VERSION shouldn't ever drift outside the
+        // canonical 4-value vocabulary, but if it does (future Node
+        // version, monkey-patched runtime), surface the failure
+        // rather than silently treating it as "below required".
+        failures.push({ ok: false, code: "security/tls-min-version",
+          message: "Node TLS DEFAULT_MIN_VERSION is an unrecognized value '" + got +
+            "' (expected one of " + order.join(" / ") + "); required '" + want + "'" });
+      } else if (order.indexOf(got) < order.indexOf(want)) {
         failures.push({ ok: false, code: "security/tls-min-version",
           message: "Node TLS DEFAULT_MIN_VERSION is '" + got + "', required '" + want + "'" });
       }