@blamejs/core 0.8.90 → 0.9.0

package/lib/client-hints.js

@@ -0,0 +1,318 @@
+"use strict";
+/**
+ * @module     b.clientHints
+ * @nav        HTTP
+ * @title      Sec-CH-UA Client Hints
+ * @order      316
+ *
+ * @intro
+ *   User-Agent Client Hints parser. Browsers replacing the
+ *   freeform `User-Agent` string send a family of `Sec-CH-UA-*`
+ *   request headers carrying structured-fields data per RFC 8941:
+ *
+ *     Sec-CH-UA: "Chromium";v="124", "Not-A.Brand";v="99", "Google Chrome";v="124"
+ *     Sec-CH-UA-Mobile: ?0
+ *     Sec-CH-UA-Platform: "Windows"
+ *     Sec-CH-UA-Platform-Version: "15.0.0"
+ *     Sec-CH-UA-Arch: "x86"
+ *     Sec-CH-UA-Bitness: "64"
+ *     Sec-CH-UA-Model: ""
+ *     Sec-CH-UA-Full-Version-List: "Chromium";v="124.0.6367.91", ...
+ *     Sec-CH-UA-WoW64: ?0
+ *     Sec-CH-UA-Form-Factors: "Desktop"
+ *
+ *   `parse(headers)` walks an HTTP request's headers map and returns
+ *   a normalized object — brand list with versions, mobile boolean,
+ *   platform / platform-version / arch / bitness / model / form-
+ *   factors strings — plus the raw RFC 8941 parsed shape for any
+ *   header the operator wants to inspect verbatim.
+ *
+ *   Operators use it to:
+ *     - Replace freeform UA-string parsing (deprecated; brittle).
+ *     - Negotiate per-platform CSS / JS bundles (Sec-CH-UA-Platform).
+ *     - Detect mobile-class clients without UA-sniffing.
+ *     - Audit fingerprinting-style header negotiation.
+ *
+ *   The primitive treats every header as defensive request-shape
+ *   input — returns `null` for absent / malformed headers, throws
+ *   only on explicit control-character / header-injection-shape
+ *   input. Operators upstream of this primitive (proxies, framework
+ *   middleware) already split CRLF; the in-string control-byte
+ *   check is a defense-in-depth layer.
+ *
+ *   `acceptList()` builds the `Accept-CH` response header so the
+ *   operator advertises which client-hint headers the page wants.
+ *
+ * @card
+ *   RFC 8941 / W3C Client Hints — parse `Sec-CH-UA*` request headers
+ *   (brand list, mobile, platform, arch, model, form-factors) and
+ *   build the `Accept-CH` response header for hint negotiation.
+ */
+
+var structuredFields = require("./structured-fields");
+var { defineClass } = require("./framework-error");
+
+var ClientHintsError = defineClass("ClientHintsError",
+  { alwaysPermanent: true });
+
+// Well-known Sec-CH-UA-* header names (W3C UA-CH spec + IETF
+// draft-davidben-http-client-hint-reliability). Operators looking up
+// the canonical name for an Accept-CH response use this constant; we
+// keep it as a frozen array so a future hint addition is one-line.
+var KNOWN_HINTS = Object.freeze([
+  "Sec-CH-UA",
+  "Sec-CH-UA-Mobile",
+  "Sec-CH-UA-Platform",
+  "Sec-CH-UA-Platform-Version",
+  "Sec-CH-UA-Arch",
+  "Sec-CH-UA-Bitness",
+  "Sec-CH-UA-Model",
+  "Sec-CH-UA-Full-Version-List",
+  "Sec-CH-UA-WoW64",
+  "Sec-CH-UA-Form-Factors",
+  "Sec-CH-Prefers-Reduced-Motion",
+  "Sec-CH-Prefers-Reduced-Transparency",
+  "Sec-CH-Prefers-Color-Scheme",
+  "Sec-CH-Prefers-Contrast",
+  "Sec-CH-Save-Data",
+  "Sec-CH-Viewport-Width",
+  "Sec-CH-Viewport-Height",
+  "Sec-CH-DPR",
+  "Sec-CH-Width",
+  "Sec-CH-Downlink",
+  "Sec-CH-RTT",
+  "Sec-CH-ECT",
+]);
+
+var KNOWN_HINTS_LC = {};
+for (var _h = 0; _h < KNOWN_HINTS.length; _h += 1) {
+  KNOWN_HINTS_LC[KNOWN_HINTS[_h].toLowerCase()] = KNOWN_HINTS[_h];
+}
+
+function _scanControlBytes(s, headerName) {
+  structuredFields.refuseControlBytes(s, {
+    ErrorClass: ClientHintsError,
+    code:       "client-hints/bad-header-value",
+    label:      "parse: " + headerName,
+  });
+}
+
+// RFC 8941 §3.3.3 sf-string — quoted-string with backslash-escape for
+// `"` and `\`. Defensive parser that tolerates unquoted bare tokens
+// (some operators forward a header whose quote-shape was already
+// stripped by an upstream proxy).
+function _parseSfString(s) {
+  var t = s.trim();
+  if (t.length === 0) return "";
+  if (t.charAt(0) === "\"") {
+    if (t.charAt(t.length - 1) !== "\"") return null;
+    return t.slice(1, -1).replace(/\\"/g, "\"").replace(/\\\\/g, "\\");
+  }
+  return t;
+}
+
+// RFC 8941 §3.3.6 sf-boolean — `?1` (true) / `?0` (false). Returns
+// null for any other shape so callers can detect malformed values.
+function _parseSfBoolean(s) {
+  var t = s.trim();
+  if (t === "?1") return true;
+  if (t === "?0") return false;
+  return null;
+}
+
+// RFC 8941 §3.1.1 sf-list — comma-separated members, each potentially
+// carrying `;key=value;flag` parameters. For Sec-CH-UA the members are
+// sf-strings with a `;v="<version>"` parameter giving the brand
+// version. Returns `[ { brand, version, params } ]` or `null` for
+// malformed input.
+function _parseSfBrandList(s) {
+  var t = s.trim();
+  if (t.length === 0) return [];
+  // Walk via the shared quote-aware top-level `,` splitter. RFC 8941
+  // sf-list members don't allow parenthesized inner-list values in
+  // the Sec-CH-UA grammar (only sf-string + parameters), so the
+  // simple top-level comma split suffices — no `depth` tracking
+  // needed (the earlier inline shape carried defensive paren
+  // tracking left over from a generic sf-list walker prototype).
+  var pieces = structuredFields.splitTopLevel(t, ",");
+  var out = [];
+  for (var i = 0; i < pieces.length; i += 1) {
+    var piece = pieces[i].trim();
+    if (piece.length === 0) continue;
+    var parsed = _parseBrandMember(piece);
+    if (parsed !== null) out.push(parsed);
+  }
+  return out;
+}
+
+function _parseBrandMember(piece) {
+  // member ::= sf-string ( ';' parameter )*
+  // RFC 8941 §4.1.1.4 — parameter values can be sf-string. A bare
+  // `piece.split(";")` would slice through `;v="1.2; 3"` and corrupt
+  // the parameter value. Use the shared quote-aware splitter so the
+  // tracking shape stays consistent across every framework parser.
+  var params = structuredFields.splitTopLevel(piece, ";");
+  if (params.length === 0) return null;
+  var brand = _parseSfString(params[0].trim());
+  if (brand === null) return null;
+  var member = { brand: brand, version: null, params: {} };
+  for (var i = 1; i < params.length; i += 1) {
+    var kv = params[i].trim();
+    if (kv.length === 0) continue;
+    var eq = kv.indexOf("=");
+    if (eq === -1) { member.params[kv.toLowerCase()] = true; continue; }
+    var k = kv.slice(0, eq).trim().toLowerCase();
+    var v = _parseSfString(kv.slice(eq + 1));
+    member.params[k] = v;
+    if (k === "v" && v !== null) member.version = v;
+  }
+  return member;
+}
+
+/**
+ * @primitive b.clientHints.parse
+ * @signature b.clientHints.parse(headers)
+ * @since     0.8.91
+ * @status    stable
+ * @related   b.clientHints.acceptList, b.clientHints.isKnownHint
+ *
+ * Parse the Sec-CH-UA-* family from an HTTP request's headers object.
+ * `headers` is the Node `req.headers` shape (header names are
+ * already lowercased per Node convention). Returns a normalized
+ * `{ brands, mobile, platform, platformVersion, arch, bitness, model,
+ *    fullVersionList, wow64, formFactors, raw }` shape:
+ *
+ *   - `brands`: `[ { brand, version, params } ]` from `Sec-CH-UA`
+ *   - `mobile`: boolean from `Sec-CH-UA-Mobile` (?1/?0) — null if absent / malformed
+ *   - `platform`: sf-string from `Sec-CH-UA-Platform`
+ *   - `platformVersion`: sf-string from `Sec-CH-UA-Platform-Version`
+ *   - `arch`: sf-string from `Sec-CH-UA-Arch`
+ *   - `bitness`: sf-string from `Sec-CH-UA-Bitness`
+ *   - `model`: sf-string from `Sec-CH-UA-Model`
+ *   - `fullVersionList`: brand-list from `Sec-CH-UA-Full-Version-List`
+ *   - `wow64`: boolean from `Sec-CH-UA-WoW64`
+ *   - `formFactors`: brand-list from `Sec-CH-UA-Form-Factors`
+ *   - `raw`: `{ "<header-name-lc>": "<raw-value>" }` for every Sec-CH-*
+ *     header in the input, so operators can audit the full set without
+ *     re-walking `req.headers`.
+ *
+ * Returns `null` when `headers` is not an object. Individual fields
+ * are `null` when the corresponding header is absent or malformed
+ * (defensive request-shape reader). Refuses control characters in
+ * any present Sec-CH-* value (header-injection defense).
+ *
+ * @example
+ *   var ch = b.clientHints.parse(req.headers);
+ *   if (ch && ch.mobile === true) renderMobilePage(req, res);
+ *   else if (ch && ch.platform === "Windows") renderWindowsPage(req, res);
+ *   else renderDefaultPage(req, res);
+ */
+function parse(headers) {
+  if (!headers || typeof headers !== "object" || Array.isArray(headers)) return null;
+  var raw = {};
+  var keys = Object.keys(headers);
+  for (var k = 0; k < keys.length; k += 1) {
+    var name = keys[k].toLowerCase();
+    if (name.indexOf("sec-ch-") !== 0) continue;
+    var val = headers[keys[k]];
+    if (val === undefined || val === null) continue;
+    if (typeof val !== "string") val = String(val);
+    _scanControlBytes(val, name);
+    raw[name] = val;
+  }
+
+  return {
+    brands:           raw["sec-ch-ua"] ? _parseSfBrandList(raw["sec-ch-ua"]) : null,
+    mobile:           raw["sec-ch-ua-mobile"] !== undefined ? _parseSfBoolean(raw["sec-ch-ua-mobile"]) : null,
+    platform:         raw["sec-ch-ua-platform"] !== undefined ? _parseSfString(raw["sec-ch-ua-platform"]) : null,
+    platformVersion:  raw["sec-ch-ua-platform-version"] !== undefined ? _parseSfString(raw["sec-ch-ua-platform-version"]) : null,
+    arch:             raw["sec-ch-ua-arch"] !== undefined ? _parseSfString(raw["sec-ch-ua-arch"]) : null,
+    bitness:          raw["sec-ch-ua-bitness"] !== undefined ? _parseSfString(raw["sec-ch-ua-bitness"]) : null,
+    model:            raw["sec-ch-ua-model"] !== undefined ? _parseSfString(raw["sec-ch-ua-model"]) : null,
+    fullVersionList:  raw["sec-ch-ua-full-version-list"] ? _parseSfBrandList(raw["sec-ch-ua-full-version-list"]) : null,
+    wow64:            raw["sec-ch-ua-wow64"] !== undefined ? _parseSfBoolean(raw["sec-ch-ua-wow64"]) : null,
+    formFactors:      raw["sec-ch-ua-form-factors"] ? _parseSfBrandList(raw["sec-ch-ua-form-factors"]) : null,
+    raw:              raw,
+  };
+}
+
+/**
+ * @primitive b.clientHints.acceptList
+ * @signature b.clientHints.acceptList(hintNames)
+ * @since     0.8.91
+ * @status    stable
+ * @related   b.clientHints.parse, b.clientHints.isKnownHint
+ *
+ * Build the `Accept-CH` response header value advertising which
+ * client-hint request headers the operator wants the browser to
+ * include on subsequent requests. `hintNames` is an array of
+ * canonical Sec-CH-* header names; the primitive refuses unknown
+ * hint names (typo defense — `accept-ch: Sec-CH-UA-Plateform`
+ * silently neuters the negotiation).
+ *
+ * Operators set `Accept-CH` on the HTML document response. The
+ * browser sends the listed hints on every subsequent same-origin
+ * navigation / sub-resource request.
+ *
+ * @example
+ *   res.setHeader("Accept-CH", b.clientHints.acceptList([
+ *     "Sec-CH-UA-Platform",
+ *     "Sec-CH-UA-Platform-Version",
+ *     "Sec-CH-UA-Mobile",
+ *   ]));
+ *   // → "Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile"
+ */
+function acceptList(hintNames) {
+  if (!Array.isArray(hintNames) || hintNames.length === 0) {
+    throw new ClientHintsError("client-hints/bad-hint-list",
+      "acceptList: hintNames must be a non-empty array of Sec-CH-* names");
+  }
+  var seen = {};
+  var out = [];
+  for (var i = 0; i < hintNames.length; i += 1) {
+    var n = hintNames[i];
+    if (typeof n !== "string" || n.length === 0) {
+      throw new ClientHintsError("client-hints/bad-hint-name",
+        "acceptList: hintNames[" + i + "] must be a non-empty string");
+    }
+    var canonical = KNOWN_HINTS_LC[n.toLowerCase()];
+    if (!canonical) {
+      throw new ClientHintsError("client-hints/unknown-hint",
+        "acceptList: '" + n + "' is not a known client-hint header " +
+        "(see b.clientHints.KNOWN_HINTS for the list)");
+    }
+    if (seen[canonical]) continue;
+    seen[canonical] = true;
+    out.push(canonical);
+  }
+  return out.join(", ");
+}
+
+/**
+ * @primitive b.clientHints.isKnownHint
+ * @signature b.clientHints.isKnownHint(headerName)
+ * @since     0.8.91
+ * @status    stable
+ *
+ * Returns `true` when `headerName` matches one of the well-known
+ * Sec-CH-* hint headers (case-insensitive). Operators auditing
+ * inbound headers walk the request and call this to identify
+ * negotiation-related hints without keyword-matching.
+ *
+ * @example
+ *   b.clientHints.isKnownHint("Sec-CH-UA-Mobile");    // → true
+ *   b.clientHints.isKnownHint("sec-ch-ua-platform");  // → true
+ *   b.clientHints.isKnownHint("X-Custom");            // → false
+ */
+function isKnownHint(headerName) {
+  if (typeof headerName !== "string" || headerName.length === 0) return false;
+  return Object.prototype.hasOwnProperty.call(KNOWN_HINTS_LC, headerName.toLowerCase());
+}
+
+module.exports = {
+  parse:            parse,
+  acceptList:       acceptList,
+  isKnownHint:      isKnownHint,
+  KNOWN_HINTS:      KNOWN_HINTS,
+  ClientHintsError: ClientHintsError,
+};

package/lib/http-client-cache.js

@@ -42,10 +42,11 @@
  *   stale-while-revalidate / stale-if-error.
  */
 
-var C = require("./constants");
-var canonicalJson = require("./canonical-json");
-var safeUrl = require("./safe-url");
-var validateOpts = require("./validate-opts");
+var C                = require("./constants");
+var canonicalJson    = require("./canonical-json");
+var safeUrl          = require("./safe-url");
+var structuredFields = require("./structured-fields");
+var validateOpts     = require("./validate-opts");
 var { HttpClientError } = require("./framework-error");
 
 // ---- Tunables ----------------------------------------------------------
@@ -90,7 +91,13 @@ function _hcErr(code, message) {
 function _parseCacheControl(value) {
   var out = Object.create(null);
   if (typeof value !== "string" || value.length === 0) return out;
-  var parts = value.split(",");
+  // RFC 9111 §5.2 + RFC 9110 §5.6.4 — directive arguments may be
+  // quoted-string. A bare `value.split(",")` would slice through
+  // `no-cache="Authorization, Cookie"` and `private="set-cookie,
+  // x-foo"` and emit fake directives. Quote-aware splitter mirrors
+  // cdn-cache-control's _splitTopLevelCommas (RFC 8941 §3.3.3 with
+  // backslash-escape).
+  var parts = structuredFields.splitTopLevel(value, ",");
   for (var i = 0; i < parts.length; i++) {
     var p = parts[i].trim();
     if (!p) continue;
@@ -100,7 +107,7 @@ function _parseCacheControl(value) {
     else { k = p.slice(0, eq).trim(); v = p.slice(eq + 1).trim(); }
     // Strip surrounding quotes from value.
     if (v.length >= 2 && v.charAt(0) === '"' && v.charAt(v.length - 1) === '"') {
-      v = v.slice(1, v.length - 1);
+      v = v.slice(1, v.length - 1).replace(/\\"/g, "\"").replace(/\\\\/g, "\\");
     }
     out[k.toLowerCase()] = v;
   }
@@ -202,7 +209,7 @@ function _buildCacheKey(method, url, varyHeaderValues) {
 // uncacheable.
 function _extractVaryValues(varyHeader, requestHeaders) {
   if (typeof varyHeader !== "string" || varyHeader.length === 0) return [];
-  var names = varyHeader.split(",").map(function (s) {
+  var names = varyHeader.split(",").map(function (s) {                                          // allow:bare-split-on-quoted-header — RFC 9110 §12.5.5 Vary is a comma-list of field-names (token grammar); no quoted-string
     return s.trim().toLowerCase();
   }).filter(function (s) { return s.length > 0; });
   if (names.indexOf("*") !== -1) return null;  // sentinel: "uncacheable"
@@ -252,7 +259,7 @@ function _evaluateStorage(method, statusCode, responseHeaders, sharedCache) {
 
   // Vary: * is uncacheable per RFC 9110 §12.5.5.
   if (typeof varyHeader === "string" && varyHeader.indexOf("*") !== -1) {
-    var trimmed = varyHeader.split(",").map(function (s) { return s.trim(); });
+    var trimmed = varyHeader.split(",").map(function (s) { return s.trim(); });                  // allow:bare-split-on-quoted-header — RFC 9110 §12.5.5 Vary field-names; token grammar only
     if (trimmed.indexOf("*") !== -1) {
       return { cacheable: false, reason: "vary-star", freshnessMs: -1, directives: directives, varyHeader: varyHeader };
     }

package/lib/http-client-cookie-jar.js

@@ -62,12 +62,13 @@
 
 var fs = require("node:fs");
 var path = require("node:path");
-var C = require("./constants");
-var numericBounds = require("./numeric-bounds");
-var safeAsync = require("./safe-async");
-var safeJson = require("./safe-json");
-var safeUrl = require("./safe-url");
-var validateOpts = require("./validate-opts");
+var C                = require("./constants");
+var numericBounds    = require("./numeric-bounds");
+var safeAsync        = require("./safe-async");
+var safeJson         = require("./safe-json");
+var safeUrl          = require("./safe-url");
+var structuredFields = require("./structured-fields");
+var validateOpts     = require("./validate-opts");
 var { defineClass } = require("./framework-error");
 
 var CookieJarError = defineClass("CookieJarError", { alwaysPermanent: true });
@@ -102,7 +103,12 @@ function _parseSetCookie(line) {
   var attrs = {};
   if (semi !== -1) {
     var rest = line.slice(semi + 1);
-    var parts = rest.split(";");
+    // RFC 6265 §4.1 attribute values are token-only by spec, but
+    // interop reality is that some servers emit quoted attr values
+    // (e.g. `; SameSite="Strict"` from older middleware). Quote-aware
+    // split preserves a quoted `;` inside an attr value if anyone
+    // ever sends one — defensive, not bug-fixing.
+    var parts = structuredFields.splitTopLevel(rest, ";");
     for (var i = 0; i < parts.length; i++) {
       var p = parts[i].trim();
       if (!p) continue;
@@ -110,6 +116,11 @@ function _parseSetCookie(line) {
       var k, v;
       if (pi === -1) { k = p; v = ""; }
       else { k = p.slice(0, pi).trim(); v = p.slice(pi + 1).trim(); }
+      // Strip surrounding quotes from attribute value when present
+      // (defensive against interop). RFC 6265 §4.1 does not require
+      // this, but doesn't forbid the operator's parser absorbing it.
+      var _unq = structuredFields.unquoteSfString(v);
+      if (_unq !== null) v = _unq;
       attrs[k.toLowerCase()] = v;
     }
   }

package/lib/http-message-signature.js

@@ -59,12 +59,13 @@
  *   // → { valid, label, keyid, alg, covered, reason? }
  */
 
-var nodeCrypto = require("crypto");
-var safeUrl = require("./safe-url");
-var safeBuffer = require("./safe-buffer");
-var C = require("./constants");
-var lazyRequire = require("./lazy-require");
-var validateOpts = require("./validate-opts");
+var nodeCrypto       = require("crypto");
+var safeUrl          = require("./safe-url");
+var safeBuffer       = require("./safe-buffer");
+var C                = require("./constants");
+var lazyRequire      = require("./lazy-require");
+var structuredFields = require("./structured-fields");
+var validateOpts     = require("./validate-opts");
 var { HttpSigError } = require("./framework-error");
 
 var _err = HttpSigError.factory;
@@ -317,7 +318,7 @@ function sign(msg, opts) {
   // header isn't already supplied. Operators wanting to use the
   // RFC 9530 "sha-512" identifier (SHA-512 instead of SHA3-512) supply
   // the header themselves; the framework emits SHA3-512.
-  var coveredLower = opts.covered.map(function (c) { return c.split(";")[0].toLowerCase(); });
+  var coveredLower = opts.covered.map(function (c) { return c.split(";")[0].toLowerCase(); });  // allow:bare-split-on-quoted-header — opts.covered is operator-supplied component-id list (e.g. "content-digest;sf"); component identifiers are RFC 9421 §2.1 derived-field names with token-only grammar; no quoted-string
   if (coveredLower.indexOf("content-digest") !== -1 &&
       _resolveHeader(m.headers, "content-digest") === null) {
     if (m.body == null) {
@@ -416,7 +417,12 @@ function _parseSignatureInput(headerValue) {
 
   var params = {};
   if (paramsRaw.length > 0) {
-    var paramParts = paramsRaw.split(";");
+    // RFC 9421 §2.3 + RFC 8941 §3.1.2 — parameter values may be
+    // sf-string. A bare `paramsRaw.split(";")` would slice through a
+    // legitimate `;tag="x;y"` parameter. Quote-aware splitter
+    // mirrors cdn-cache-control._splitTopLevelCommas (RFC 8941
+    // §3.3.3 quoted-string state with backslash-escape).
+    var paramParts = structuredFields.splitTopLevel(paramsRaw, ";");
     for (var j = 0; j < paramParts.length; j++) {
       var part = paramParts[j].trim();
       if (part.length === 0) continue;
@@ -425,7 +431,8 @@ function _parseSignatureInput(headerValue) {
       var k = part.slice(0, pEq).trim();
       var vv = part.slice(pEq + 1).trim();
       if (vv.charAt(0) === "\"" && vv.charAt(vv.length - 1) === "\"") {
-        params[k] = vv.slice(1, -1);
+        var _unq = structuredFields.unquoteSfString(vv);
+        params[k] = _unq === null ? vv : _unq;
       } else {
         var num = Number(vv);
         params[k] = isFinite(num) ? num : vv;
@@ -441,7 +448,7 @@ function _parseSignature(headerValue, label) {
   if (headerValue.indexOf(prefix) !== 0) {
     // Multiple signature labels can appear; comma-separated. Find the
     // matching label.
-    var parts = headerValue.split(",");
+    var parts = headerValue.split(",");                                                        // allow:bare-split-on-quoted-header — RFC 9421 §2.4 Signature header values are `label=:b64:` form; base64 alphabet excludes `,` and the label tokens are RFC 8941 §3.3.4 sf-token (no DQUOTE in practice)
     for (var i = 0; i < parts.length; i++) {
       var p = parts[i].trim();
       if (p.indexOf(prefix) === 0) {
@@ -509,7 +516,7 @@ function verify(msg, opts) {
   // If content-digest is covered, recompute and compare. RFC 9421 §B.2.5
   // mandates that verifiers re-run the digest over the body — a stale
   // header from a proxy would otherwise verify trivially.
-  var coveredLower = parsedInput.covered.map(function (c) { return c.split(";")[0].toLowerCase(); });
+  var coveredLower = parsedInput.covered.map(function (c) { return c.split(";")[0].toLowerCase(); });  // allow:bare-split-on-quoted-header — same as sign() above: covered items are RFC 9421 §2.1 component-ids, token grammar
   if (coveredLower.indexOf("content-digest") !== -1) {
     if (m.body == null) {
       return { valid: false, reason: "content-digest-no-body" };

package/lib/log-stream.js

@@ -133,15 +133,39 @@ function init(opts) {
   if (initialized) return;
   if (!opts || !opts.sinks) throw new Error("logStream.init({ sinks }) is required");
 
+  // Validate top-level minLevel at config time so a typo (`"infos"`)
+  // doesn't silently produce `LEVEL_PRIORITY["infos"] === undefined`
+  // and drop every record at runtime (an `X >= undefined` compare
+  // is always false). Throw rather than fall back to a default —
+  // operators want a loud failure at boot, not silent log loss.
+  if (opts.minLevel !== undefined && opts.minLevel !== null) {
+    var topLevel = String(opts.minLevel).toLowerCase();
+    if (LEVELS.indexOf(topLevel) === -1) {
+      throw _err("INVALID_LEVEL",
+        "logStream.init: opts.minLevel '" + opts.minLevel +
+        "' must be one of " + LEVELS.join(", "), true);
+    }
+  }
+
   sinks = {};
   for (var name in opts.sinks) {
     var cfg = opts.sinks[name];
     var proto = dispatcher.resolve(cfg.protocol);
+    // Same gate per-sink so a misconfigured filter doesn't silently
+    // drop records from a single sink while every other sink works.
+    if (cfg.minLevel !== undefined && cfg.minLevel !== null) {
+      var sinkLvl = String(cfg.minLevel).toLowerCase();
+      if (LEVELS.indexOf(sinkLvl) === -1) {
+        throw _err("INVALID_LEVEL",
+          "logStream.init: sink '" + name + "' minLevel '" + cfg.minLevel +
+          "' must be one of " + LEVELS.join(", "), true);
+      }
+    }
     sinks[name] = {
       name:     name,
       protocol: cfg.protocol,
       raw:      proto.create(cfg),
-      levelFilter: cfg.minLevel || null,
+      levelFilter: cfg.minLevel ? String(cfg.minLevel).toLowerCase() : null,
     };
   }
 

package/lib/mail-auth.js

@@ -379,7 +379,7 @@ var DMARCBIS_VALID_PSD = { y: 1, n: 1, u: 1 };
 function _parseDmarcRecord(text) {
   var policy = { v: null, p: null, sp: null, np: null, psd: null,
                  pct: 100, adkim: "r", aspf: "r" };                              // allow:raw-byte-literal — RFC 7489 default pct
-  var pairs = text.split(";");
+  var pairs = text.split(";");                                                              // allow:bare-split-on-quoted-header — RFC 7489 §6.4 DMARC tag-list grammar: `tag-spec *( ";" tag-spec )` with tag-value = 0*( tval *( WSP / FWS ) ); NO quoted-string allowed
   for (var i = 0; i < pairs.length; i += 1) {
     var kv = pairs[i].trim();
     if (kv.length === 0) continue;
@@ -950,7 +950,8 @@ async function _verifyAmsViaDkim(rfc822, hop, sigValue, tags, dkim, dnsLookup) {
 
 function _parseArcTagList(value) {
   var tags = {};
-  var parts = String(value).split(";");
+  var parts = String(value).split(";");                                                          // allow:bare-split-on-quoted-header — allow:raw-byte-literal — RFC 8617 §4 ARC tag-list grammar (same as the DKIM RFC's): `tag-spec *( ";" tag-spec )`, tag-value contains no DQUOTE
+
   for (var i = 0; i < parts.length; i += 1) {
     var p = parts[i].trim();
     if (p.length === 0) continue;

package/lib/mail-require-tls.js

@@ -52,7 +52,8 @@
  *   RFC 8689 REQUIRETLS — per-message TLS-requirement signaling between MTAs (EHLO keyword + MAIL FROM extension + TLS-Required header parser).
  */
 
-var validateOpts = require("./validate-opts");
+var structuredFields = require("./structured-fields");
+var validateOpts     = require("./validate-opts");
 var { defineClass } = require("./framework-error");
 
 var RequireTlsError = defineClass("RequireTlsError", { alwaysPermanent: true });
@@ -172,23 +173,11 @@ function mailFromExtension(opts) {
  */
 function parseTlsRequiredHeader(headerValue) {
   if (typeof headerValue !== "string") return null;
-  // Refuse control characters defensively on the RAW value — scanning
-  // after trim() would strip leading/trailing \r\n\t etc. before the
-  // check ran, letting a header-injection-shape input like "\nno" or
-  // "no\r" slip past as the literal "no" token. Validate the original
-  // string so the contract ("control bytes are refused") holds for any
-  // position in the value.
-  for (var i = 0; i < headerValue.length; i += 1) {
-    var code = headerValue.charCodeAt(i);
-    // ASCII HT (0x09) is structural folding whitespace in HTTP/email
-    // headers — strip-equivalent at the parser layer, so the trim()
-    // below absorbs it. Everything else in C0 + DEL is rejected.
-    if (code === 9) continue;                                                                       // allow:raw-byte-literal — ASCII HT codepoint
-    if (code < 32 || code === 127) {                                                               // allow:raw-byte-literal — C0 + DEL codepoint range
-      throw new RequireTlsError("mail-require-tls/bad-header-value",
-        "parseTlsRequiredHeader: value contains control characters");
-    }
-  }
+  structuredFields.refuseControlBytes(headerValue, {
+    ErrorClass: RequireTlsError,
+    code:       "mail-require-tls/bad-header-value",
+    label:      "parseTlsRequiredHeader",
+  });
   var trimmed = headerValue.trim();
   if (trimmed.length === 0) return null;
   if (trimmed.toLowerCase() === "no") return "no";