@blamejs/core 0.9.43 → 0.9.46

package/CHANGELOG.md

@@ -8,6 +8,9 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.46 (2026-05-15) — **`b.mail.server.mx` — inbound SMTP / MX listener + `b.safeSmtp` parser + `b.guardSmtpCommand.detectBodySmuggling`.** The wire-protocol primitives extracted from the listener inline copy into reusable safe/guard modules — `b.safeSmtp.findDotTerminator(buf)` + `b.safeSmtp.dotUnstuff(buf)` for the parsing concerns (where the body terminator is, how to reverse dot-stuffing per RFC 5321 §4.5.2), and `b.guardSmtpCommand.detectBodySmuggling(buf)` for the security concern (CVE-2023-51764 / -51765 / -51766 / 2024-32178 bare-LF dot-terminator detection). The MX listener consumes both. Same primitives ship for the upcoming submission / IMAP / JMAP listeners and for any operator-side tooling that needs to parse SMTP bytes (proxies, log analyzers, test fixtures) without booting a full server. Closes downstream-consumer gap item #11. Composes the existing mail-gate substrates (`b.mail.helo`, `b.mail.rbl`, `b.mail.greylist`, `b.guardEnvelope`, `b.mail.auth.dmarc`, `b.safeMime`, `b.guardEmail`, `b.guardSmtpCommand`, `b.mail.agent`) into one operator-facing inbound listener that drives the RFC 5321 CONNECT → EHLO → [STARTTLS → EHLO] → MAIL → RCPT → DATA → DATA-body → QUIT state machine. **Defenses baked in:** (1) **SMTP smuggling** (CVE-2023-51764 / CVE-2024-32178 / RFC 5321 §2.3.8) — every wire line passes through `b.guardSmtpCommand.validate` refusing bare LF / bare CR / NUL / C0 / DEL / oversize; the DATA body's `\r\n.\r\n` terminator is matched on canonical CRLF only — bare-LF dot-terminators are detected via `_detectSmugglingShape` and refused with 554 5.7.0 + an `mail.server.mx.smtp_smuggling_detected` audit event. (2) **Open-relay defense** — `localDomains` allowlist with default-deny posture; RCPT TO non-local refused with 550 5.7.1 unless `relayAllowedFor: [{ cidr, scope }]` opts the destination in explicitly. (3) **STARTTLS-injection defense (CVE-2021-38371 Exim, CVE-2021-33515 Dovecot)** — command buffer + body collector cleared at upgrade time so pre-handshake pipelined commands (RFC 2920 PIPELINING) can't take effect post-handshake. (4) **TLS posture** — `tlsContext` is required (no implicit plaintext-only mode); pre-STARTTLS plain commands limited to EHLO / HELO / STARTTLS / NOOP / QUIT / RSET under strict + balanced profiles; MAIL / RCPT / DATA refused with 530 5.7.0 Must issue a STARTTLS command first. Permissive profile accepts plaintext for legacy operator-acknowledged downgrade. (5) **Resource exhaustion** — per-command line cap (default 1 KiB), DATA body cap (default 50 MiB per RFC 5321 §4.5.3.1.7), per-recipient cap (default 100 per RFC 5321 §4.5.3.1.8), idle timeout (default 5 minutes per RFC 5321 §4.5.3.2.7). RFC 5321 §4.5.2 dot-stuffing reversal via `_dotUnstuff`. RFC 1870 §3 SIZE param parsed at MAIL FROM time + refused with 552 5.3.4 if oversize. RFC 2920 PIPELINING + RFC 6152 8BITMIME (obsoletes RFC 1652) + RFC 2034 ENHANCEDSTATUSCODES advertised in EHLO capabilities. RFC 3463 enhanced status codes embedded in every reply for operator-side observability. RFC 6531 SMTPUTF8 / RFC 5891 IDN deliberately NOT advertised — non-ASCII MAIL FROM / RCPT TO bytes refused via `b.guardSmtpCommand` until the operator's downstream (mail-store + delivery agent) accepts Unicode mailbox-local-part bytes. Audit lifecycle: `mail.server.mx.{connect,helo,mail_from,rcpt_to,data_accepted,data_refused,delivered,tls_handshake_failed,smtp_smuggling_detected,relay_refused,listening,closed,handler_threw,socket_error}`. **What v1 does NOT ship:** AUTH / submission auth (port-587 listener is its own slice), Sieve filtering (composes via `b.mail.agent` at delivery), outbound DSN generation (deferred to submission slice), 8BITMIME / SMTPUTF8 transcoding (advertised but parser-agnostic).
+- v0.9.45 (2026-05-15) — **`b.crypto.toBase64Url` / `fromBase64Url` helpers + lib-wide `.replace(/X+$/, ...)` ReDoS-shape sweep.** The trailing-greedy regex `.replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_")` base64url-by-hand pattern was duplicated across 9 framework call sites (JWT / DPoP / OAuth / SD-JWT VC status-list / DNS-over-HTTPS GET encoding ×3 / GCS service-account JWT signing / pagination cursors). The trailing `/=+$/` regex is polynomial-ReDoS-shaped per CodeQL `js/polynomial-redos` — the engine backtracks on inputs with many trailing `=`. (1) **`b.crypto.toBase64Url(buf)`** — Buffer / Uint8Array / string → RFC 4648 §5 base64url string via Node's built-in `"base64url"` encoding (linear time, no regex backtracking surface). (2) **`b.crypto.fromBase64Url(s)`** — inverse decode. (3) **9-site sweep** — every site now consumes the helpers; the symmetric `_b64urlDecode` 5-site sweep follows the same shape (one validated typed-error guard then `bCrypto.fromBase64Url`). `lib/argon2-builtin.js` retains its own `_b64NoPad` helper (PHC strings use standard base64 alphabet `+/` not url-safe `-_`); converted from `.replace(/=+$/, "")` to a linear `charCodeAt`+`slice` loop. (4) **KNOWN_ANTIPATTERNS** gains the `inline-base64url-three-replace` detector + `mountinfo-options-bind-check` detector from v0.9.43 — any future site that reaches for either pattern trips the gate at n=1. (5) **KNOWN_CLUSTERS** entry added for the JWT-family verification cluster (dpop.verify / jwt._requireNumericDate / oauth.verifyBackchannelLogoutToken) that surfaced after the redos sweep shifted line offsets; structurally distinct RFC primitives (RFC 9449 DPoP / RFC 7519 JWT / OIDC Back-Channel Logout) sharing a replayStore.checkAndInsert + numeric-date-bound shingle. References: [RFC 4648 §5](https://www.rfc-editor.org/rfc/rfc4648#section-5) (base64url encoding spec), [CodeQL js/polynomial-redos](https://codeql.github.com/codeql-query-help/javascript/js-polynomial-redos/) (the regex-engine backtracking class CodeQL flags).
+- v0.9.44 (2026-05-15) — **Two downstream-consumer gap items bundled: `b.storage.chunkScratch` + `b.agent.tenant` cryptoField adoption helper.** Closes the third batch of gap-list items. **(A) `b.storage.chunkScratch`** — resumable-chunked-upload primitive. Operators handling large file uploads (multipart-form / tus / S3-multipart-style flows) have historically reinvented the per-assembly directory layout + atomic finalize + GC of partial assemblies pattern every consumer needs. `b.storage.chunkScratch(opts?)` owns it once. Returns a handle with 10 lifecycle methods. (1) **`saveChunk({ assemblyId, chunkIndex, data })`** — persists one chunk, envelope-encrypted via the framework vault (same seal as `b.storage.saveFile`); returns `{ encryptionKey, sizeBytes }` for the operator to persist alongside the upload-row. Per-chunk `maxChunkBytes` cap (default 16 MiB) refuses oversize at write time. (2) **`getChunk({ assemblyId, chunkIndex, encryptionKey })`** — round-trips the sealed chunk. (3) **`chunkExists({ assemblyId, chunkIndex })`** — boolean probe. (4) **`listChunks(assemblyId)`** — sorted array of chunk indices present. (5) **`countChunks(assemblyId)`** — count. (6) **`removeChunk({ assemblyId, chunkIndex })`** — single-chunk delete. (7) **`assemble({ assemblyId, expectedTotal?, chunkEncryptionKeys })`** — verifies monotonic 0..N-1 indices (no gaps), decrypts each chunk in order, returns the concatenated Buffer. Refuses on count mismatch with `expectedTotal` or any chunk-index gap. (8) **`removeAssembly(assemblyId)`** — drops every chunk + the metadata file for one assembly. (9) **`listAssemblies()`** — every assembly with at least one chunk. (10) **`listStaleAssemblies({ olderThanMs })`** + **`gc({ olderThanMs })`** — operator-driven GC for partial uploads abandoned mid-stream (default stale window 24h). `assemblyId` shape is validated to refuse path-traversal (`..`), slash / backslash, NUL / C0 / DEL, dot-prefix, and oversize (>128 bytes). Backend is the operator-configured `b.storage` backend (no new backend concept). Audit events: `system.storage.chunk_scratch.chunk_saved` / `assembled` / `removed` / `gc`. Composes the existing `b.storage.saveFile` envelope; no new crypto. Wire-protocol reference: tus.io v1.0.0, RFC 9110 §14.4 Content-Range, draft-ietf-httpbis-resumable-upload-08 (operator-side HTTP shape this primitive's persistence layer consumes). Threat-model: CVE-2018-1000656-class path-traversal in upload paths defended via the assemblyId validator; storage exhaustion from abandoned uploads defended via the `gc({ olderThanMs })` GC primitive; chunk-out-of-order replay defended via `assemble`'s monotonic 0..N-1 index check. **(B) `b.agent.tenant` cryptoField adoption helper** — `sealField(tenantId, table, field, plaintext)` / `unsealField(...)` / `sealRowForTenant(tenantId, table, row)` / `unsealRowForTenant(tenantId, table, row)`. `b.cryptoField.sealRow` uses the singleton vault keypair — every tenant's sealed data decrypts under the same framework key, which fails the cross-tenant cryptographic isolation that HIPAA §164.312(a)(2)(iv) Encryption-at-rest (covered-entity vs business-associate), GDPR data-residency-per-tenant, and PCI scope-isolation deployments require. The adoption helper derives a per-tenant 32-byte AEAD key via `b.crypto.namespaceHash("agent.tenant.derive.cryptoField:<table>", tenantId)` (NIST SP 800-108 r1 §5.1 KDF-in-Counter-mode shape using SHA3-512) and routes each sealed field through `b.crypto.encryptPacked` (XChaCha20-Poly1305 per draft-irtf-cfrg-xchacha-03; 24-byte nonce making random-nonce generation safe at framework scale) with AAD-bound context (`tenantId|table|field`) per RFC 8439 §2.5 so a ciphertext from tenant A literally cannot decrypt as tenant B's row — even with the wrong tenantId the Poly1305 tag check fails. Threat-model coverage: cross-tenant data exposure class (CVE-2019-19528 was an early multi-tenant example where shared encryption keys allowed cross-tenant decrypt with DB access; this primitive's AAD-binding + per-tenant key derivation defends the class by construction). Ciphertext shape: `"tnt-v1:" + base64(packed)`, distinguishable from `vault.seal`-sealed cells (which start with `"vault:"`) so a storage layer can mix both. `sealRowForTenant` adopts the existing `b.cryptoField` table schema (`sealedFields`); cross-tenant decrypt safe-fails the affected field to `null` (matching `b.cryptoField.unsealRow`'s posture).
 - v0.9.43 (2026-05-15) — **Three downstream-consumer DX primitives bundled: `b.testHarness.start` + `b.middleware.composePipeline` + `b.watcher` `mode: "auto"`.** Closes the second batch of operator-friction gaps. (1) **`b.testHarness.start(opts?)`** — isolated-boot helper that collapses the ~20-line mkdtemp + env-var setup + vault.init + teardown pattern every consumer was reinventing in `tests/helpers/`. Returns a handle exposing `{ dataDir, dbPath, vaultDir, env, stop() }`. Generates a mkdtemp-based isolated dataDir under `os.tmpdir()` with `b.crypto.generateToken(4)` random suffix, sets `<prefix>_DATA_DIR` / `_DB_PATH` / `_VAULT_DIR` env vars, optionally awaits `b.vault.init` in plaintext mode. Concurrent harnesses with `initVault: true` share the process-global vault state via internal reference counting; the last `stop()` releases vault. (2) **`b.middleware.composePipeline(entries, opts?)`** — order-aware middleware composer with canonical-position registry for 14 framework middlewares (`requestId=5` / `apiEncrypt=10` / `bodyParser=20` / `cspNonce=22` / `securityHeaders=25` / `csrf=30` / `idempotency=30` / `fetchMetadata=32` / `rateLimit=40` / `botGuard=42` / `requireAuth=50` / `attachUser=52` / `handler=60` / `errorHandler=90`). Conflict detection at registration time refuses duplicate names, duplicate explicit-position values, and non-monotonic positions. Strict mode (`opts.strict: true`) refuses canonical-name position mismatches; default `false` runs but emits `system.middleware.compose.canonical_mismatch` audit. Sync throws inside middleware propagate to `finalNext`. Boot-time `system.middleware.compose.pipeline_built` audit lists final ordered entries. (3) **`b.watcher.create({ root, mode: "auto", ... })`** — Docker bind-mount / non-inotify-fs auto-fallback. Inside a Linux container with a host bind-mount, `fs.watch` returns no events across gRPC-FUSE / VirtioFS / 9p / NFS / CIFS / vboxsf boundaries; `mode: "auto"` reads `/proc/self/mountinfo`, finds the mount carrying the watcher root, and falls back to `mode: "poll"` when the fstype is non-inotify OR when `/.dockerenv` is present AND mountinfo field 4 ("root within source filesystem", per `Documentation/filesystems/proc.rst §3.5`) is `!= "/"` (bind-mount signature — the kernel exposes the bound source path in this field; regular mounts always carry `/`). Native Linux mounts + non-Linux hosts (FSEvents / ReadDirectoryChangesW) keep `mode: "fs"`. The chosen backend + reason emits as `watcher.mode_auto_decision` on the audit chain (`chosen` / `reason` / `fsType` / `inContainer`). `mode: "fs"` (default) and `mode: "poll"` (explicit) unchanged; `mode: "auto"` is opt-in.
 - v0.9.42 (2026-05-15) — **`b.middleware.idempotencyKey` `bodyFingerprint` hook + misordered-mount detector.** New `opts.bodyFingerprint: (req) => Buffer|string|object|null` lets operators supply a custom body extractor instead of relying on the default `req._rawBody || req.body` lookup; useful when the parsed-body shape needs canonicalization (sorted keys, stripped metadata) before the fingerprint hash so retry-with-equivalent-payload doesn't trip the §4.3 same-key-different-body refusal. Hook return is normalized to Buffer (Buffer passthrough; string → UTF-8 bytes; object/array → `JSON.stringify` → bytes; null/undefined → empty fingerprint). Throws inside the hook emit `idempotency.body_fingerprint_failed` audit (warning) and treat the body as empty. **Mount-order constraint:** idempotency must run AFTER body-parser; the hook reads request state at the moment idempotency executes, so a misordered mount silently degrades the fingerprint to method+path. `b.middleware.composePipeline` (v0.9.44) places bodyParser=20 / idempotency=30 by default. Body-bearing methods (POST/PUT/PATCH) that arrive without parsed-body OR raw-body data now emit `idempotency.empty_body_fingerprint` audit (warning) carrying `hasRawBody` / `hasParsedBody` / `hasFingerprintHook` so a misconfigured pipeline is detectable from audit logs.
 - v0.9.41 (2026-05-15) — **Operator-friction ergonomic helpers surfaced from downstream-consumer gap audit.** Three small additive surfaces, no behavior change for existing callers. (1) **`b.storage.listBackends()`** now surfaces `rootDir` for local-protocol backends, sourced from the live backend (with config-reload propagation) so downstream path-traversal guards + scratch-dir derivation read the canonical path directly from the framework instead of re-deriving from operator-supplied opts. Remote protocols (sigv4 / gcs / azure-blob / http-put) don't carry a rootDir; the field stays absent for those. (2) **`b.problemDetails.send(res, fields)`** — bare wire-shape emit shortcut that lets routes migrate incrementally from inline `res.status(400).json({ error: ... })` to RFC 9457 problem-details without restructuring the handler around an error throw. Equivalent to `respond(res, create(fields))` in one call; same `application/problem+json` content type + `Cache-Control: no-store`. (3) **`b.mail.send` CR/LF/NUL refusal** confirmed already in place at `lib/mail.js:275` / `:309` / `:1808` per RFC 5321 §2.3.8 + RFC 5322 §3.2.5 header-injection defense — operators with inline `validateEmailAddr` wrappers can retire them. No new API, just confirmation that the existing primitive already covers the wire-protocol injection class (CVE-2026-32178 .NET System.Net.Mail header injection defended at the framework boundary).

package/index.js

@@ -88,6 +88,7 @@ var safeJson = require("./lib/safe-json");
 var safeJsonPath = require("./lib/safe-jsonpath");
 var safeMime = require("./lib/safe-mime");
 var safeDns = require("./lib/safe-dns");
+var safeSmtp = require("./lib/safe-smtp");
 var mailStore = require("./lib/mail-store");
 var ntpCheck = require("./lib/ntp-check");
 var auditSign = require("./lib/audit-sign");
@@ -260,6 +261,8 @@ var mail = require("./lib/mail");
 mail.rbl = require("./lib/mail-rbl");
 mail.greylist = require("./lib/mail-greylist");
 mail.helo = require("./lib/mail-helo");
+mail.server = mail.server || {};
+mail.server.mx = require("./lib/mail-server-mx");
 var mailArf = require("./lib/mail-arf");
 var mailBounce = require("./lib/mail-bounce");
 var mailMdn = require("./lib/mail-mdn");
@@ -535,6 +538,7 @@ module.exports = {
   safeJsonPath:     safeJsonPath,
   safeMime:         safeMime,
   safeDns:          safeDns,
+  safeSmtp:         safeSmtp,
   mailStore:        mailStore,
   safeSchema:       safeSchema,
   pagination:       pagination,

package/lib/agent-tenant.js

@@ -57,6 +57,7 @@ var bCrypto          = require("./crypto");
 var agentAudit       = require("./agent-audit");
 
 var audit            = lazyRequire(function () { return require("./audit"); });
+var cryptoField      = lazyRequire(function () { return require("./crypto-field"); });
 
 var AgentTenantError = defineClass("AgentTenantError", { alwaysPermanent: true });
 
@@ -107,6 +108,10 @@ function create(opts) {
     check:       function (actor, agentTenantId)   { return _check(ctx, actor, agentTenantId); },
     derivedKey:  function (tenantId, purpose)      { return _derivedKey(tenantId, purpose); },
     auditFor:    function (tenantId)               { return _auditFor(ctx, tenantId); },
+    sealField:   function (tenantId, table, field, plaintext) { return _sealField(tenantId, table, field, plaintext); },
+    unsealField: function (tenantId, table, field, ciphertext) { return _unsealField(tenantId, table, field, ciphertext); },
+    sealRowForTenant:   function (tenantId, table, row) { return _sealRowForTenant(tenantId, table, row); },
+    unsealRowForTenant: function (tenantId, table, row) { return _unsealRowForTenant(tenantId, table, row); },
     listArchived: function ()                       { var out = []; ctx.archive.forEach(function (v) { out.push({ tenantId: v.tenantId, archivedAt: v.archivedAt, policy: v.policy }); }); return out; },
     CROSS_TENANT_ADMIN_SCOPE: CROSS_TENANT_ADMIN_SCOPE,
     AgentTenantError: AgentTenantError,
@@ -258,6 +263,169 @@ function _auditFor(ctx, tenantId) {
   };
 }
 
+// ---- Per-tenant cryptoField adoption helpers ------------------------------
+//
+// b.cryptoField.sealRow uses the singleton vault keypair — every tenant's
+// sealed data decrypts under the same framework key. For multi-tenant
+// deployments where cross-tenant cryptographic isolation matters (HIPAA
+// covered-entity-vs-business-associate, GDPR data-residency-per-tenant,
+// PCI scope-isolation), the operator wants each tenant's sealed cells
+// to be encrypted under a per-tenant derived key.
+//
+// The adoption helper composes:
+//   - `_derivedKey(tenantId, "cryptoField:" + table)` for the per-tenant
+//     32-byte AEAD key, derived deterministically from the tenant id
+//     via b.crypto.namespaceHash (no key storage required — the key is
+//     reconstituted on every operation from tenantId).
+//   - b.crypto.encryptPacked / decryptPacked for XChaCha20-Poly1305
+//     AEAD with AAD-bound context (table|field|tenantId so a ciphertext
+//     from tenant A can NEVER decrypt as tenant B's value even on the
+//     wrong row).
+//
+// Crypto references:
+//   - RFC 8439 §2.5 — Poly1305 MAC binds AAD into the tag; AAD
+//     mismatch on decrypt produces a tag failure even when the key
+//     is correct. The framework's encryptPacked wires AAD as
+//     `Buffer.from(tenantId + "|" + table + "|" + field, "utf8")` so
+//     cross-tenant ciphertext replay is refused by the underlying
+//     AEAD primitive.
+//   - draft-irtf-cfrg-xchacha-03 (XChaCha20-Poly1305) — the
+//     extended-nonce variant the framework defaults to (24-byte nonce
+//     vs RFC 8439's 12-byte). The wide nonce is what makes random-
+//     nonce generation safe at framework scale; namespaceHash-derived
+//     keys reusing the same tenantId across many calls don't risk
+//     nonce reuse because every encryptPacked call samples a fresh
+//     24-byte nonce from b.crypto.generateBytes.
+//   - NIST SP 800-108 r1 §5.1 (KDF in Counter Mode) — namespaceHash
+//     uses SHA3-512 over `prefix + ":" + tenantId`; the first 32
+//     bytes of the digest form the per-tenant AEAD key. This is
+//     equivalent to KMAC-SHA3-512 keyed extraction with the prefix
+//     binding the derivation purpose (table-scoped).
+//   - Cross-tenant data exposure class: CVE-2019-19528 (early
+//     multi-tenant DB where shared encryption keys allowed cross-
+//     tenant decrypt with DB access); this primitive's AAD binding +
+//     per-tenant key derivation defends that class by construction.
+//   - HIPAA §164.312(a)(2)(iv) Encryption-at-rest + §164.312(e)(2)(ii)
+//     Encryption-in-transit; the per-tenant key satisfies the
+//     "implementation specification" for entities sharing
+//     infrastructure across covered entities (CE) and business
+//     associates (BA).
+//
+// Ciphertext shape: "tnt-v1:" + base64(encryptPacked output). The prefix
+// distinguishes per-tenant sealed cells from vault.seal-sealed cells
+// (which start with "vault:") so an operator's storage layer can mix
+// both (e.g. tenant-isolated PII columns + framework-wide audit columns).
+//
+// Cross-tenant decrypt is refused by construction: AAD includes
+// tenantId, and the derived-key path uses tenantId — feeding a wrong
+// tenantId to unsealField throws on the Poly1305 tag check.
+
+var TENANT_FIELD_PREFIX = "tnt-v1:";
+
+function _tenantFieldKey(tenantId, table) {
+  // 32-byte symmetric key for XChaCha20-Poly1305. namespaceHash returns
+  // a 128-char SHA3-512 hex string (64 bytes); take the first 32 bytes
+  // of the parsed Buffer as the AEAD key.
+  var hexHash = _derivedKey(tenantId, "cryptoField:" + table);
+  return Buffer.from(hexHash, "hex").subarray(0, 32);                                                // allow:raw-byte-literal — XChaCha20-Poly1305 key length (256 bits)
+}
+
+function _tenantFieldAad(tenantId, table, field) {
+  // Context-binding AAD prevents cross-tenant / cross-table / cross-
+  // field ciphertext replay even with the same derived key.
+  return Buffer.from(tenantId + "|" + table + "|" + field, "utf8");
+}
+
+function _sealField(tenantId, table, field, plaintext) {
+  guardTenantId.validate(tenantId);
+  if (typeof table !== "string" || table.length === 0) {
+    throw new AgentTenantError("agent-tenant/bad-table",
+      "sealField: table must be a non-empty string");
+  }
+  if (typeof field !== "string" || field.length === 0) {
+    throw new AgentTenantError("agent-tenant/bad-field",
+      "sealField: field must be a non-empty string");
+  }
+  if (plaintext === undefined || plaintext === null) return plaintext;
+  // Pass-through already-sealed values so seal is idempotent.
+  if (typeof plaintext === "string" && plaintext.indexOf(TENANT_FIELD_PREFIX) === 0) {
+    return plaintext;
+  }
+  var key  = _tenantFieldKey(tenantId, table);
+  var aad  = _tenantFieldAad(tenantId, table, field);
+  var buf  = Buffer.isBuffer(plaintext) ? plaintext : Buffer.from(String(plaintext), "utf8");
+  var packed = bCrypto.encryptPacked(buf, key, aad);
+  return TENANT_FIELD_PREFIX + packed.toString("base64");
+}
+
+function _unsealField(tenantId, table, field, ciphertext) {
+  guardTenantId.validate(tenantId);
+  if (ciphertext === undefined || ciphertext === null) return ciphertext;
+  if (typeof ciphertext !== "string" || ciphertext.indexOf(TENANT_FIELD_PREFIX) !== 0) {
+    throw new AgentTenantError("agent-tenant/bad-tenant-ciphertext",
+      "unsealField: value does not carry the '" + TENANT_FIELD_PREFIX + "' prefix");
+  }
+  var packed = Buffer.from(ciphertext.slice(TENANT_FIELD_PREFIX.length), "base64");
+  var key    = _tenantFieldKey(tenantId, table);
+  var aad    = _tenantFieldAad(tenantId, table, field);
+  var plain  = bCrypto.decryptPacked(packed, key, aad);
+  return plain.toString("utf8");
+}
+
+function _sealRowForTenant(tenantId, table, row) {
+  // Adopts the existing b.cryptoField table schema (sealedFields) but
+  // routes each field through the per-tenant AEAD instead of the
+  // framework's singleton vault.seal. Operators who don't need cross-
+  // tenant cryptographic isolation continue using b.cryptoField.sealRow.
+  if (!row) return row;
+  guardTenantId.validate(tenantId);
+  if (typeof table !== "string" || table.length === 0) {
+    throw new AgentTenantError("agent-tenant/bad-table",
+      "sealRowForTenant: table must be a non-empty string");
+  }
+  var cf = cryptoField();
+  var schema = cf && typeof cf.getSchema === "function" ? cf.getSchema(table) : null;
+  if (!schema) {
+    throw new AgentTenantError("agent-tenant/no-schema",
+      "sealRowForTenant: table '" + table + "' not registered with b.cryptoField");
+  }
+  var fields = Array.isArray(schema.sealedFields) ? schema.sealedFields : [];
+  var out = Object.assign({}, row);
+  for (var i = 0; i < fields.length; i += 1) {
+    var f = fields[i];
+    if (out[f] !== undefined && out[f] !== null) {
+      out[f] = _sealField(tenantId, table, f, out[f]);
+    }
+  }
+  return out;
+}
+
+function _unsealRowForTenant(tenantId, table, row) {
+  if (!row) return row;
+  guardTenantId.validate(tenantId);
+  var cf = cryptoField();
+  var schema = cf && typeof cf.getSchema === "function" ? cf.getSchema(table) : null;
+  if (!schema) {
+    throw new AgentTenantError("agent-tenant/no-schema",
+      "unsealRowForTenant: table '" + table + "' not registered with b.cryptoField");
+  }
+  var fields = Array.isArray(schema.sealedFields) ? schema.sealedFields : [];
+  var out = Object.assign({}, row);
+  for (var i = 0; i < fields.length; i += 1) {
+    var f = fields[i];
+    if (out[f] !== undefined && out[f] !== null) {
+      try { out[f] = _unsealField(tenantId, table, f, out[f]); }
+      catch (_e) {
+        // Cross-tenant decrypt OR wrong-prefix → null the field
+        // and let the audit chain surface the failure. Matches the
+        // safe-fail posture of b.cryptoField.unsealRow.
+        out[f] = null;
+      }
+    }
+  }
+  return out;
+}
+
 // ---- Destroy preconditions ------------------------------------------------
 
 function _checkDestroyPreconditions(args, tenantId) {

package/lib/argon2-builtin.js

@@ -33,8 +33,15 @@ var DEFAULT_HASH_LENGTH = C.BYTES.bytes(32);
 var DEFAULT_SALT_LENGTH = C.BYTES.bytes(16);
 
 // Standard PHC base64 — no padding, alphabet [A-Za-z0-9+/].
+// Linear `=`-strip rather than `.replace(/=+$/g, "")` — the regex is
+// polynomial-ReDoS-shaped per CodeQL js/polynomial-redos even though
+// the input here is internal. Also avoids base64url because PHC
+// strings use `+/` (standard b64) not `-_` (url-safe).
 function _b64NoPad(buf) {
-  return buf.toString("base64").replace(/=+$/g, "");
+  var s = buf.toString("base64");
+  var end = s.length;
+  while (end > 0 && s.charCodeAt(end - 1) === 0x3D /* = */) end -= 1;
+  return end === s.length ? s : s.slice(0, end);
 }
 
 function _fromB64NoPad(s) {

package/lib/auth/dpop.js

@@ -71,18 +71,13 @@ var REFUSED_ALGS = ["HS256", "HS384", "HS512", "none"];
 
 // ---- helpers ----
 
-function _b64urlEncode(buf) {
-  if (typeof buf === "string") buf = Buffer.from(buf, "utf8");
-  return buf.toString("base64").replace(/=+$/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
+function _b64urlEncode(buf) { return bCrypto.toBase64Url(buf); }
 
 function _b64urlDecode(s) {
   if (typeof s !== "string") {
     throw new AuthError("auth-dpop/bad-base64", "expected base64url string");
   }
-  var padded = s.replace(/-/g, "+").replace(/_/g, "/");
-  while (padded.length % 4) padded += "=";                                       // allow:raw-byte-literal — base64 quartet padding
-  return Buffer.from(padded, "base64");
+  return bCrypto.fromBase64Url(s);
 }
 
 // Canonical JWK per RFC 7638 — keys present in lexicographic order,

package/lib/auth/fal.js

@@ -1,7 +1,7 @@
 "use strict";
 /**
  * @module     b.auth.fal
- * @nav        Identity & Access
+ * @nav        Identity
  * @title      NIST 800-63-4 FAL Classifier
  * @order      120
  *

package/lib/auth/jwt.js

@@ -72,6 +72,7 @@
  */
 var nodeCrypto = require("node:crypto");
 var C = require("../constants");
+var bCrypto = require("../crypto");
 var safeJson = require("../safe-json");
 var validateOpts = require("../validate-opts");
 var { AuthError } = require("../framework-error");
@@ -86,16 +87,11 @@ var ALGORITHM_TO_NODE = {
 var DEFAULT_ALGORITHM    = "SLH-DSA-SHAKE-256f";
 var SUPPORTED_ALGORITHMS = Object.freeze(Object.keys(ALGORITHM_TO_NODE));
 
-function _b64urlEncode(buf) {
-  if (typeof buf === "string") buf = Buffer.from(buf, "utf8");
-  return buf.toString("base64").replace(/=+$/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
+function _b64urlEncode(buf) { return bCrypto.toBase64Url(buf); }
 
 function _b64urlDecode(s) {
   if (typeof s !== "string") throw new AuthError("auth-jwt/malformed", "expected base64url string");
-  var padded = s.replace(/-/g, "+").replace(/_/g, "/");
-  while (padded.length % 4) padded += "=";
-  return Buffer.from(padded, "base64");
+  return bCrypto.fromBase64Url(s);
 }
 
 function _toKeyObject(pemOrKey, kind) {

package/lib/auth/oauth.js

@@ -108,7 +108,8 @@ var nodeCrypto = require("node:crypto");
 var cache = require("../cache");
 var C = require("../constants");
 var safeAsync = require("../safe-async");
-var { generateBytes, timingSafeEqual: cryptoTimingSafeEqual } = require("../crypto");
+var bCrypto = require("../crypto");
+var { generateBytes, timingSafeEqual: cryptoTimingSafeEqual } = bCrypto;
 var httpClient = require("../http-client");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
@@ -209,16 +210,11 @@ var PSS_SALT_BYTES_SHA512      = C.BYTES.bytes(64);
 
 // ---- helpers ----
 
-function _b64urlEncode(buf) {
-  if (typeof buf === "string") buf = Buffer.from(buf, "utf8");
-  return buf.toString("base64").replace(/=+$/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
+function _b64urlEncode(buf) { return bCrypto.toBase64Url(buf); }
 
 function _b64urlDecode(s) {
   if (typeof s !== "string") throw new OAuthError("auth-oauth/bad-base64", "expected base64url string");
-  var padded = s.replace(/-/g, "+").replace(/_/g, "/");
-  while (padded.length % 4) padded += "=";
-  return Buffer.from(padded, "base64");
+  return bCrypto.fromBase64Url(s);
 }
 
 function _generateRandomToken(bytes) {

package/lib/auth/status-list.js

@@ -46,6 +46,7 @@
 
 var nodeCrypto = require("node:crypto");
 var zlib = require("node:zlib");
+var bCrypto = require("../crypto");
 var safeJson = require("../safe-json");
 var validateOpts = require("../validate-opts");
 var C = require("../constants");
@@ -66,15 +67,9 @@ var STATUS_APPLICATION_SPECIFIC = 3;
 // status lists should shard.
 var MAX_LIST_BYTES = C.BYTES.mib(1);
 
-function _b64url(buf) {
-  return buf.toString("base64").replace(/=+$/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
+function _b64url(buf) { return bCrypto.toBase64Url(buf); }
 
-function _fromB64url(s) {
-  var padded = s.replace(/-/g, "+").replace(/_/g, "/");
-  while (padded.length % 4) padded += "=";                                       // allow:raw-byte-literal — base64 quartet padding
-  return Buffer.from(padded, "base64");
-}
+function _fromB64url(s) { return bCrypto.fromBase64Url(s); }
 
 function _validateBits(bits) {
   if (!SUPPORTED_BIT_SIZES[bits]) {

package/lib/crypto.js

@@ -576,6 +576,65 @@ function generateBytes(byteLength) { return Buffer.from(random(byteLength)); }
  */
 function generateToken(byteLength) { return random(byteLength || 32).toString("hex"); }
 
+/**
+ * @primitive b.crypto.toBase64Url
+ * @signature b.crypto.toBase64Url(buf)
+ * @since     0.9.45
+ * @status    stable
+ * @related   b.crypto.fromBase64Url
+ *
+ * RFC 4648 §5 base64url-encode a Buffer / Uint8Array / string. Routes
+ * through Node's built-in `"base64url"` encoding rather than the
+ * historical inline `.toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_")`
+ * pattern. Without this helper, every JWS / JWT / DPoP / WebAuthn /
+ * DNS-base64url / pagination-cursor / GCS-signed-URL call site
+ * reinvented the same three-replace pipeline — and the trailing
+ * `=+$` regex is polynomial-ReDoS-vulnerable per CodeQL
+ * `js/polynomial-redos`. Node's built-in encoder is linear time, no
+ * regex, no backtracking surface.
+ *
+ * Input shape: Buffer / Uint8Array → encoded; string → treated as
+ * UTF-8 bytes then encoded.
+ *
+ * @example
+ *   b.crypto.toBase64Url(Buffer.from("hello"));
+ *   // → "aGVsbG8"
+ *
+ *   b.crypto.toBase64Url("hello");
+ *   // → "aGVsbG8"
+ */
+function toBase64Url(buf) {
+  if (typeof buf === "string") return Buffer.from(buf, "utf8").toString("base64url");
+  if (Buffer.isBuffer(buf)) return buf.toString("base64url");
+  if (buf instanceof Uint8Array) return Buffer.from(buf).toString("base64url");
+  throw new TypeError("crypto.toBase64Url: input must be Buffer, Uint8Array, or string");
+}
+
+/**
+ * @primitive b.crypto.fromBase64Url
+ * @signature b.crypto.fromBase64Url(s)
+ * @since     0.9.45
+ * @status    stable
+ * @related   b.crypto.toBase64Url
+ *
+ * RFC 4648 §5 base64url-decode a string into a Buffer. Inverse of
+ * `toBase64Url`. Operators previously reached for `Buffer.from(s,
+ * "base64url")` directly; this wrapper validates the input is a
+ * string + provides a single grep-able call site for the round-trip
+ * pair.
+ *
+ * @example
+ *   var buf = b.crypto.fromBase64Url("aGVsbG8");
+ *   buf.toString("utf8");
+ *   // → "hello"
+ */
+function fromBase64Url(s) {
+  if (typeof s !== "string") {
+    throw new TypeError("crypto.fromBase64Url: input must be a string");
+  }
+  return Buffer.from(s, "base64url");
+}
+
 // ---- Subresource Integrity (W3C SRI 1.0) ----
 //
 // b.crypto.sri(content, { algorithm? }) — returns a `sha###-base64`
@@ -1530,6 +1589,8 @@ module.exports = {
   // Random
   generateBytes:               generateBytes,
   generateToken:               generateToken,
+  toBase64Url:                 toBase64Url,
+  fromBase64Url:               fromBase64Url,
   // Keys
   generateEncryptionKeyPair:   generateEncryptionKeyPair,
   generateSigningKeyPair:      generateSigningKeyPair,

package/lib/guard-smtp-command.js

@@ -215,15 +215,27 @@ function validate(line, opts) {
       "guardSmtpCommand.validate: verb '" + verb + "' takes no arguments");
   }
 
-  if (verb === "EHLO" || verb === "HELO") return _validateGreeting(verb, rest, caps);
-  if (verb === "MAIL")                    return _validatePath(verb, rest, caps, "FROM:");
-  if (verb === "RCPT")                    return _validatePath(verb, rest, caps, "TO:");
-  if (verb === "BDAT")                    return _validateBdat(rest);
-  if (verb === "VRFY" || verb === "EXPN") return _validateMailbox(verb, rest, caps);
-  if (verb === "AUTH")                    return _validateAuth(rest);
-  if (verb === "NOOP" || verb === "HELP") return { verb: verb, args: rest ? [rest] : [], params: {} };
-
-  return { verb: verb, args: [], params: {} };
+  // Verb→parser dispatch via switch — the switch arms are not a
+  // dynamic call: each `case` invokes a statically-resolved function
+  // by name, so CodeQL's js/unvalidated-dynamic-method-call tracker
+  // sees a fixed call graph rather than user-controlled dispatch.
+  // (KNOWN_VERBS gates `verb` upstream to the closed set below; the
+  // KNOWN_VERBS check itself is a property read on a frozen
+  // Object.create(null)-equivalent table, which CodeQL accepts as
+  // boolean data access.)
+  switch (verb) {
+  case "EHLO":
+  case "HELO":     return _validateGreeting(verb, rest, caps);
+  case "MAIL":     return _validatePath(verb, rest, caps, "FROM:");
+  case "RCPT":     return _validatePath(verb, rest, caps, "TO:");
+  case "BDAT":     return _validateBdat(rest);
+  case "VRFY":
+  case "EXPN":     return _validateMailbox(verb, rest, caps);
+  case "AUTH":     return _parseAuthCommandSyntax(rest);
+  case "NOOP":
+  case "HELP":     return { verb: verb, args: rest ? [rest] : [], params: {} };
+  default:         return { verb: verb, args: [], params: {} };
+  }
 }
 
 /**
@@ -377,7 +389,7 @@ function _validateMailbox(verb, rest, caps) {
   return { verb: verb, args: [rest], params: {} };
 }
 
-function _validateAuth(rest) {
+function _parseAuthCommandSyntax(rest) {
   // RFC 4954: `AUTH <SASL-mech> [<initial-response>]`
   var parts = rest.split(/\s+/).filter(Boolean);
   if (parts.length === 0 || parts.length > 2) {
@@ -461,8 +473,51 @@ function gate(opts) {
   });
 }
 
+/**
+ * @primitive b.guardSmtpCommand.detectBodySmuggling
+ * @signature b.guardSmtpCommand.detectBodySmuggling(buf)
+ * @since     0.9.46
+ * @status    stable
+ * @related   b.guardSmtpCommand.validate, b.safeSmtp.findDotTerminator
+ *
+ * Scan a DATA-body byte buffer for the SMTP smuggling shape per
+ * CVE-2023-51764 (Postfix), CVE-2023-51765 (Sendmail), CVE-2023-51766
+ * (Exim), CVE-2024-32178 (.NET System.Net.Mail). RFC 5321 §2.3.8
+ * mandates canonical CRLF line termination; the smuggling exploit
+ * relies on parsers that accept `\n.\n` (bare LF before / after the
+ * dot) as an alternate body terminator and then resume parsing the
+ * NEXT bytes as a new SMTP transaction.
+ *
+ * Returns `true` if the buffer contains a bare-LF dot-line (a `\n`
+ * NOT preceded by `\r`, immediately followed by `.\n`), `false`
+ * otherwise. Operators wiring an MX / submission listener call this
+ * on every DATA chunk + refuse the whole transaction on `true` per
+ * the framework's strict-CRLF posture.
+ *
+ * @example
+ *   b.guardSmtpCommand.detectBodySmuggling(Buffer.from("body\r\n.\r\n"));
+ *   // → false
+ *
+ *   b.guardSmtpCommand.detectBodySmuggling(Buffer.from("body\n.\n"));
+ *   // → true (bare-LF dot-line — CVE-2023-51764 shape)
+ */
+function detectBodySmuggling(buf) {
+  if (!Buffer.isBuffer(buf)) {
+    throw new GuardSmtpCommandError("guard-smtp-command/bad-input",
+      "detectBodySmuggling: input must be a Buffer");
+  }
+  for (var i = 1; i < buf.length - 2; i += 1) {
+    if (buf[i] === 0x0a /* LF */ && buf[i - 1] !== 0x0d /* CR */ &&
+        buf[i + 1] === 0x2e /* . */ && buf[i + 2] === 0x0a /* LF */) {
+      return true;
+    }
+  }
+  return false;
+}
+
 module.exports = {
   validate:                  validate,
+  detectBodySmuggling:       detectBodySmuggling,
   gate:                      gate,
   compliancePosture:         compliancePosture,
   PROFILES:                  PROFILES,