@blamejs/core 0.9.46 → 0.10.1

package/index.js

@@ -89,6 +89,10 @@ var safeJsonPath = require("./lib/safe-jsonpath");
 var safeMime = require("./lib/safe-mime");
 var safeDns = require("./lib/safe-dns");
 var safeSmtp = require("./lib/safe-smtp");
+var safeSieve = require("./lib/safe-sieve");
+var safeIcap = require("./lib/safe-icap");
+var safeIcal = require("./lib/safe-ical");
+var safeVcard = require("./lib/safe-vcard");
 var mailStore = require("./lib/mail-store");
 var ntpCheck = require("./lib/ntp-check");
 var auditSign = require("./lib/audit-sign");
@@ -164,6 +168,10 @@ var guardSvg = require("./lib/guard-svg");
 var guardFilename = require("./lib/guard-filename");
 var guardMessageId = require("./lib/guard-message-id");
 var guardSmtpCommand = require("./lib/guard-smtp-command");
+var guardImapCommand = require("./lib/guard-imap-command");
+var guardPop3Command = require("./lib/guard-pop3-command");
+var guardManageSieveCommand = require("./lib/guard-managesieve-command");
+var guardJmap = require("./lib/guard-jmap");
 var guardEnvelope = require("./lib/guard-envelope");
 var guardDsn = require("./lib/guard-dsn");
 var guardListUnsubscribe = require("./lib/guard-list-unsubscribe");
@@ -261,8 +269,22 @@ var mail = require("./lib/mail");
 mail.rbl = require("./lib/mail-rbl");
 mail.greylist = require("./lib/mail-greylist");
 mail.helo = require("./lib/mail-helo");
+mail.deploy = require("./lib/mail-deploy");
+mail.sieve = require("./lib/mail-sieve");
+mail.journal = require("./lib/mail-journal");
+mail.scan = require("./lib/mail-scan");
+mail.spamScore = require("./lib/mail-spam-score");
+mail.crypto = require("./lib/mail-crypto");
+mail.dav = require("./lib/mail-dav");
 mail.server = mail.server || {};
 mail.server.mx = require("./lib/mail-server-mx");
+mail.server.submission = require("./lib/mail-server-submission");
+mail.server.imap = require("./lib/mail-server-imap");
+mail.server.jmap = require("./lib/mail-server-jmap");
+mail.server.pop3 = require("./lib/mail-server-pop3");
+mail.server.managesieve = require("./lib/mail-server-managesieve");
+mail.server.tls = require("./lib/mail-server-tls");
+mail.server.rateLimit = require("./lib/mail-server-rate-limit");
 var mailArf = require("./lib/mail-arf");
 var mailBounce = require("./lib/mail-bounce");
 var mailMdn = require("./lib/mail-mdn");
@@ -437,6 +459,10 @@ module.exports = {
   guardFilename:    guardFilename,
   guardMessageId:   guardMessageId,
   guardSmtpCommand: guardSmtpCommand,
+  guardImapCommand: guardImapCommand,
+  guardPop3Command: guardPop3Command,
+  guardManageSieveCommand: guardManageSieveCommand,
+  guardJmap:        guardJmap,
   guardEnvelope:    guardEnvelope,
   guardDsn:         guardDsn,
   guardListUnsubscribe: guardListUnsubscribe,
@@ -539,6 +565,10 @@ module.exports = {
   safeMime:         safeMime,
   safeDns:          safeDns,
   safeSmtp:         safeSmtp,
+  safeSieve:        safeSieve,
+  safeIcap:         safeIcap,
+  safeIcal:         safeIcal,
+  safeVcard:        safeVcard,
   mailStore:        mailStore,
   safeSchema:       safeSchema,
   pagination:       pagination,

package/lib/_test/crypto-fixtures.js

@@ -0,0 +1,67 @@
+"use strict";
+/**
+ * lib/_test/crypto-fixtures.js — test-only fixtures for crypto round-
+ * trip coverage. Not part of the public `b.*` surface; not loaded by
+ * `index.js`. Operator code never reaches here — the only callers are
+ * tests under `test/layer-0-primitives/crypto-*.test.js` and
+ * fuzz harnesses that exercise the legacy-envelope read path.
+ *
+ * The leading underscore in the directory name signals "internal" to
+ * downstream consumers walking the tree; the `_test` segment makes the
+ * intent explicit. `package.json#files` MUST NOT include `lib/_test/`
+ * so the published tarball doesn't ship these mints to operators.
+ */
+
+var nodeCrypto = require("node:crypto");
+var { xchacha20poly1305 } = require("../vendor/noble-ciphers.cjs");
+var C = require("../constants");
+var bCrypto = require("../crypto");
+
+/**
+ * mintLegacyEnvelope0xE1 — produce a pre-bump 0xE1-shape envelope
+ * sealing `plaintext` against `recipient = { publicKey, ecPublicKey }`.
+ * The 0xE1 wire shape matches 0xE2 except the magic byte is 0xE1 AND
+ * the KDF input concatenates only (mlkemSs || ecSs), omitting the
+ * NIST SP 800-56C r2 §4.1 FixedInfo suite-binding bytes the v0.7.16
+ * bump introduced. Used by crypto-envelope tests to round-trip a
+ * known-shape 0xE1 blob through `b.crypto.decrypt(..., { allowLegacy: true })`.
+ *
+ * Production code NEVER calls this — operators with at-rest 0xE1 data
+ * sealed those bytes pre-bump and the framework's only contract today
+ * is READING them, never producing them.
+ */
+function mintLegacyEnvelope0xE1(plaintext, recipient) {
+  var mlkemPub = nodeCrypto.createPublicKey(recipient.publicKey);
+  var kem = nodeCrypto.encapsulate(mlkemPub);
+  var ephEc = nodeCrypto.generateKeyPairSync("ec", {
+    namedCurve: "P-384",
+    publicKeyEncoding:  { type: "spki",  format: "der" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" },
+  });
+  var ecSs = nodeCrypto.diffieHellman({
+    privateKey: nodeCrypto.createPrivateKey(ephEc.privateKey),
+    publicKey:  nodeCrypto.createPublicKey(recipient.ecPublicKey),
+  });
+  // KDF input: NO FixedInfo — that's the 0xE1 → 0xE2 difference.
+  var key = bCrypto.kdf(Buffer.concat([kem.sharedKey, ecSs]), C.BYTES.bytes(32));
+  var nonce = bCrypto.generateBytes(C.BYTES.bytes(24));
+  // Legacy 0xE1 envelope header — 4 bytes: magic, kemId, cipherId, kdfId.
+  var headerAad = Buffer.from([
+    0xE1,                                                                                            // allow:raw-byte-literal — legacy 0xE1 envelope magic byte
+    C.KEM_IDS.ML_KEM_1024_P384,
+    C.CIPHER_IDS.XCHACHA20_POLY1305,
+    C.KDF_IDS.SHAKE256,
+  ]);
+  var ct = xchacha20poly1305(key, nonce, headerAad).encrypt(Buffer.from(plaintext, "utf8"));
+  var kemCtLen = Buffer.alloc(2); kemCtLen.writeUInt16BE(kem.ciphertext.length);                     // allow:raw-byte-literal — 16-bit length-prefix field
+  var ecEphDer = ephEc.publicKey;
+  var ecEphLen = Buffer.alloc(2); ecEphLen.writeUInt16BE(ecEphDer.length);                           // allow:raw-byte-literal — 16-bit length-prefix field
+  return Buffer.concat([
+    headerAad,
+    kemCtLen, kem.ciphertext, ecEphLen, ecEphDer, nonce, Buffer.from(ct),
+  ]).toString("base64");
+}
+
+module.exports = {
+  mintLegacyEnvelope0xE1: mintLegacyEnvelope0xE1,
+};

package/lib/agent-event-bus.js

@@ -111,10 +111,11 @@ function create(opts) {
   var topics      = new Map();
 
   return {
-    registerTopic: function (name, topicOpts)    { return _registerTopic(topics, name, topicOpts || {}, auditImpl); },
-    publish:       function (name, payload, pOpts) { return _publish(topics, opts.pubsub, name, payload, pOpts || {}, permissions, auditImpl); },
-    subscribe:     function (name, handler, sOpts) { return _subscribe(topics, opts.pubsub, name, handler, sOpts || {}, permissions, auditImpl); },
-    listTopics:    function (args)                { return _listTopics(topics, args || {}, permissions); },
+    registerTopic:   function (name, topicOpts)    { return _registerTopic(topics, name, topicOpts || {}, auditImpl); },
+    unregisterTopic: function (name)               { return _unregisterTopic(topics, name, auditImpl); },
+    publish:         function (name, payload, pOpts) { return _publish(topics, opts.pubsub, name, payload, pOpts || {}, permissions, auditImpl); },
+    subscribe:       function (name, handler, sOpts) { return _subscribe(topics, opts.pubsub, name, handler, sOpts || {}, permissions, auditImpl); },
+    listTopics:      function (args)                { return _listTopics(topics, args || {}, permissions); },
     AgentEventBusError: AgentEventBusError,
     guards: {
       topic:   guardEventBusTopic,
@@ -135,8 +136,17 @@ function _registerTopic(topics, name, topicOpts, auditImpl) {
     throw new AgentEventBusError("agent-event-bus/bad-schema",
       "registerTopic: schema required (flat key→type map)");
   }
+  // BUG-12 — `kind` is now captured on register so listTopics's kind
+  // filter actually matches. Prior shape never set entry.kind, so the
+  // filter at args.kind was dead. Default value derives from the
+  // dotted topic name's first segment ("mail.scan.x" → "mail"), giving
+  // operators a free-by-default grouping without explicit annotation.
+  var kind = typeof topicOpts.kind === "string" && topicOpts.kind.length > 0
+    ? topicOpts.kind
+    : (name.indexOf(".") > 0 ? name.split(".")[0] : name);
   var entry = {
     name:        name,
+    kind:        kind,
     schema:      Object.freeze(Object.assign({}, topicOpts.schema)),
     posture:     topicOpts.posture || null,
     tenantScope: topicOpts.tenantScope === true,
@@ -150,18 +160,36 @@ function _registerTopic(topics, name, topicOpts, auditImpl) {
   };
   topics.set(name, entry);
   _safeAudit(auditImpl, "agent.event_bus.topic_registered", null, {
-    name: name, posture: entry.posture, tenantScope: entry.tenantScope,
+    name: name, kind: kind, posture: entry.posture, tenantScope: entry.tenantScope,
   });
 }
 
+// SUBSTRATE-22 — operators reloading a module (test runners between
+// runs, hot-reload tools, multi-tenant onboarding flows that
+// register-deregister topics) need a clean unregister path; without
+// it the second register throws topic-duplicate and the operator is
+// stuck. The reverse audit emit pairs with topic_registered for
+// lifecycle traceability.
+function _unregisterTopic(topics, name, auditImpl) {
+  guardEventBusTopic.validate(name);
+  if (!topics.has(name)) {
+    throw new AgentEventBusError("agent-event-bus/unknown-topic",
+      "unregisterTopic: '" + name + "' not registered");
+  }
+  topics.delete(name);
+  _safeAudit(auditImpl, "agent.event_bus.topic_unregistered", null, { name: name });
+}
+
 function _listTopics(topics, args, permissions) {
   // Permission gate: list-topics requires no special scope by default;
   // operator can wrap with their own permissions instance for stricter.
+  // BUG-12 — kind filter now matches because register captures kind.
   var out = [];
   topics.forEach(function (entry) {
-    if (args.kind && entry.kind && entry.kind !== args.kind) return;
+    if (args.kind && entry.kind !== args.kind) return;
     out.push({
       name:        entry.name,
+      kind:        entry.kind,
       schema:      entry.schema,
       posture:     entry.posture,
       tenantScope: entry.tenantScope,
@@ -201,6 +229,24 @@ async function _publish(topics, pubsub, name, payload, pOpts, permissions, audit
   }
   // Schema validation.
   guardEventBusPayload.validate(payload, entry.schema);
+  // SUBSTRATE-6 — when a topic is tenant-scoped, require the publisher
+  // to declare a tenantId BEFORE the event reaches the durable bus
+  // backend. Prior shape allowed `wrapped._tenantId: null` to land on
+  // the bus, and the receive-side drop only fired AFTER persistence —
+  // every tenant's queue / topic / Kafka log accumulated entries from
+  // unknown-tenant publishers. Refuse here so the durable record is
+  // always tagged with a real tenant.
+  if (entry.tenantScope) {
+    if (!pOpts.actor || !pOpts.actor.tenantId) {
+      _safeAudit(auditImpl, "agent.event_bus.publish_denied", pOpts.actor || null, {
+        topic: name, reason: "tenant-scoped-topic-requires-publisher-tenant-id",
+      });
+      throw new AgentEventBusError("agent-event-bus/publish-denied",
+        "publish: tenant-scoped topic '" + name +
+        "' requires actor.tenantId at publish time — refusing to write " +
+        "untenanted entries to a durable backend");
+    }
+  }
   // Wrap the payload with topic metadata so subscribers can see the
   // posture + tenantScope at delivery (re-validation).
   var wrapped = {

package/lib/agent-idempotency.js

@@ -121,6 +121,13 @@ function create(opts) {
   return {
     get:        function (method, actorId, key)                       { return _get(store, method, actorId, key, auditImpl, ttlMs, maxResultBytes); },
     put:        function (method, actorId, key, result, putOpts)      { return _put(store, method, actorId, key, result, putOpts || {}, ttlMs, maxResultBytes, fingerprintArgs, auditImpl); },
+    // SUBSTRATE-4 — putIfAbsent gates concurrent retries at the cache
+    // boundary so only one consumer runs the handler. Operator wraps:
+    //   var claim = await idem.putIfAbsent(method, actor, key, args);
+    //   if (claim.alreadyClaimed) return claim.result; // another retry won
+    //   var result = await agent[method](args);
+    //   await idem.put(method, actor, key, result, { args });
+    putIfAbsent: function (method, actorId, key, putOpts)             { return _putIfAbsent(store, method, actorId, key, putOpts || {}, ttlMs, maxResultBytes, fingerprintArgs, auditImpl); },
     invalidate: function (method, actorId, key)                       { return _invalidate(store, method, actorId, key, auditImpl); },
     gc:         function (gcOpts)                                     { return _gc(store, gcOpts || {}, auditImpl); },
     fingerprintArgs: _fingerprintArgs,
@@ -129,6 +136,97 @@ function create(opts) {
   };
 }
 
+// SUBSTRATE-4 — atomic claim/check/run pattern. Returns one of:
+//   { alreadyClaimed: false, fingerprint }          — caller runs the handler
+//   { alreadyClaimed: true,  pending: true }        — another in-flight claim holds the slot
+//   { alreadyClaimed: true,  result: <cached> }     — prior handler completed; cached result
+//
+// Per JMAP §3.7 + draft-ietf-httpapi-idempotency-key §5, exactly-once
+// semantics require an atomic claim BEFORE running the handler — the
+// prior get→put pattern raced when two consumers picked the same
+// envelope off the queue at the same instant. Operators with a SQL/
+// Redis backend implement `store.putIfAbsent(key, value) → boolean`
+// (true on insert, false on existing row); the in-memory fallback
+// emulates via a synchronous Map check.
+async function _putIfAbsent(store, method, actorId, key, putOpts, ttlMs, maxResultBytes, fingerprintArgs, auditImpl) {
+  _checkArgs(method, actorId, key);
+  guardIdempotencyKey.validate(key);
+  var hash = _keyHash(method, actorId, key);
+  var requestFingerprint = putOpts.requestFingerprint ||
+    (fingerprintArgs && putOpts.args ? _fingerprintArgs(putOpts.args) : null);
+  var now = Date.now();
+  var pendingRow = {
+    method:             method,
+    actorIdHash:        _actorIdHash(actorId),
+    keyHash:            hash,
+    requestFingerprint: requestFingerprint,
+    resultBlob:         null,
+    firstAt:            now,
+    lastWrittenAt:      now,
+    replayCount:        0,
+    expiresAt:          now + ttlMs,
+    status:             "pending",
+  };
+  // Operator-supplied putIfAbsent path. Returns truthy when the row
+  // was inserted (we won the claim); falsy when the row already
+  // existed (another retry won OR a completed result is cached).
+  var inserted = false;
+  if (typeof store.putIfAbsent === "function") {
+    inserted = await store.putIfAbsent(method, actorId, hash, pendingRow);
+  } else {
+    // Backends without atomic putIfAbsent fall back to optimistic-
+    // get-then-put. The race window is narrow but real; operators
+    // with strict exactly-once requirements wire the atomic store.
+    var existing0 = await store.get(method, actorId, hash);
+    if (!existing0) {
+      await store.put(method, actorId, hash, pendingRow);
+      inserted = true;
+    }
+  }
+  if (inserted) {
+    _safeAudit(auditImpl, "agent.idempotency.claimed", null, {
+      method: method, actorIdHash: _truncHash(pendingRow.actorIdHash),
+    });
+    return { alreadyClaimed: false, fingerprint: requestFingerprint };
+  }
+  // We lost the claim — load the existing row.
+  var existing = await store.get(method, actorId, hash);
+  if (!existing) {
+    // Race: insert+immediate-delete. Tell the caller it's safe to
+    // retry; the caller's retry policy decides whether to back off.
+    return { alreadyClaimed: false, fingerprint: requestFingerprint };
+  }
+  // Defense-in-depth: caller's args must match. Operator MAY pass a
+  // different result type than originally cached only if the
+  // fingerprint matches — protects against logic-bug downgrade.
+  if (existing.requestFingerprint && requestFingerprint &&
+      existing.requestFingerprint !== requestFingerprint) {
+    _safeAudit(auditImpl, "agent.idempotency.key_reuse_different_args", null, {
+      method: method, actorIdHash: _truncHash(existing.actorIdHash),
+    });
+    throw new AgentIdempotencyError("agent-idempotency/key-reuse-different-args",
+      "putIfAbsent: key '" + key + "' reused with different args for method '" + method +
+      "' — refused per JMAP §3.7 semantics");
+  }
+  if (existing.status === "pending") {
+    return { alreadyClaimed: true, pending: true, firstAt: existing.firstAt };
+  }
+  // Completed cached result.
+  var result;
+  try { result = safeJson.parse(existing.resultBlob, { maxBytes: maxResultBytes }); }
+  catch (e) {
+    throw new AgentIdempotencyError("agent-idempotency/corrupt-result",
+      "putIfAbsent: cached result failed to parse — " + (e && e.message ? e.message : String(e)));
+  }
+  return {
+    alreadyClaimed: true,
+    pending:        false,
+    result:         result,
+    firstAt:        existing.firstAt,
+    replayCount:    existing.replayCount || 0,
+  };
+}
+
 // ---- Core API -------------------------------------------------------------
 
 async function _get(store, method, actorId, key, auditImpl, ttlMs, maxResultBytes) {
@@ -144,11 +242,6 @@ async function _get(store, method, actorId, key, auditImpl, ttlMs, maxResultByte
       { method: method, actorIdHash: _truncHash(_actorIdHash(actorId)) });
     return null;
   }
-  var nextReplayCount = (row.replayCount || 0) + 1;
-  _safeAudit(auditImpl, "agent.idempotency.replay", null, {
-    method: method, actorIdHash: _truncHash(_actorIdHash(actorId)),
-    firstAt: row.firstAt, replayCount: nextReplayCount,
-  });
   // Deserialize the sealed result blob. v0.9.22 ships a simple
   // safeJson re-parse since the result was JSON-stringified at put().
   // v0.9.25 tenant integration will swap this for per-tenant sealRow
@@ -164,17 +257,38 @@ async function _get(store, method, actorId, key, auditImpl, ttlMs, maxResultByte
     throw new AgentIdempotencyError("agent-idempotency/corrupt-result",
       "get: cached result failed to parse — " + (e && e.message ? e.message : String(e)));
   }
-  // Persist the incremented replayCount + lastReplayedAt so subsequent
-  // gets see the updated state. Operator audit pipelines rely on
-  // replayCount to surface retry storms.
-  row.replayCount    = nextReplayCount;
-  row.lastReplayedAt = Date.now();
-  await store.put(method, actorId, hash, row);
+  // SUBSTRATE-12 — atomic replayCount increment. The prior shape
+  // (read row → mutate → put row) raced two concurrent retries: each
+  // saw replayCount=N, both wrote replayCount=N+1, so the counter
+  // missed bumps and the put-with-fresh-result race-clobbered prior
+  // increments. Operators wire `store.incrementReplayCount` with
+  // `UPDATE ... SET replay_count = replay_count + 1 RETURNING *`
+  // (atomic at the DB layer); in-memory backend is naturally atomic.
+  // When the store doesn't expose the helper, fall back to read-
+  // modify-write with an audit emit so operators know the posture.
+  var updatedReplayCount;
+  if (typeof store.incrementReplayCount === "function") {
+    var updated = await store.incrementReplayCount(method, actorId, hash);
+    updatedReplayCount = updated && updated.replayCount ? updated.replayCount : (row.replayCount || 0) + 1;
+  } else {
+    _safeAudit(auditImpl, "agent.idempotency.non_atomic_increment", null, {
+      method: method, actorIdHash: _truncHash(_actorIdHash(actorId)),
+      warning: "store lacks incrementReplayCount — counter may race under concurrent retries",
+    });
+    updatedReplayCount = (row.replayCount || 0) + 1;
+    row.replayCount    = updatedReplayCount;
+    row.lastReplayedAt = Date.now();
+    await store.put(method, actorId, hash, row);
+  }
+  _safeAudit(auditImpl, "agent.idempotency.replay", null, {
+    method: method, actorIdHash: _truncHash(_actorIdHash(actorId)),
+    firstAt: row.firstAt, replayCount: updatedReplayCount,
+  });
   return {
     result:               result,
     firstAt:              row.firstAt,
-    lastReplayedAt:       row.lastReplayedAt,
-    replayCount:          nextReplayCount,
+    lastReplayedAt:       row.lastReplayedAt || Date.now(),
+    replayCount:          updatedReplayCount,
     requestFingerprint:   row.requestFingerprint,
   };
 }
@@ -272,12 +386,26 @@ function _truncHash(hash) {
 function _fingerprintArgs(args) {
   // Strip the idempotencyKey itself out of fingerprint computation —
   // the key IS the cache lookup; including it would make every key a
-  // unique fingerprint and defeat the args-mismatch defense. Also
-  // strip framework-internal cross-cutting fields that vary per-hop.
+  // unique fingerprint and defeat the args-mismatch defense. Strip
+  // _traceContext (varies per-hop, doesn't change result).
+  //
+  // SUBSTRATE-11 — DO NOT strip _postureChain. The prior shape ignored
+  // _postureChain.postureSet, so a request made under
+  // postureSet:["hipaa","pci-dss"] cached the same result that a
+  // downgrade attempt under postureSet:["pci-dss"] would replay
+  // (elevated-posture cached output returned to a less-privileged
+  // caller). Including the sorted postureSet in the fingerprint binds
+  // the cached result to its compliance context — defense-in-depth
+  // alongside the boundary-time downgrade refusal in
+  // b.agent.postureChain._validate.
   var argsClone = Object.assign({}, args);
   delete argsClone.idempotencyKey;
-  delete argsClone._postureChain;
   delete argsClone._traceContext;
+  if (argsClone._postureChain && typeof argsClone._postureChain === "object" &&
+      Array.isArray(argsClone._postureChain.postureSet)) {
+    argsClone._postureSet = argsClone._postureChain.postureSet.slice().sort();
+  }
+  delete argsClone._postureChain;                                                                        // chainTrail + enteredAt vary per-hop; postureSet binds via _postureSet
   // Canonicalize via RFC 8785 JCS (key-sorted) so two semantically
   // identical args objects with different key insertion order produce
   // the same fingerprint. Cross-producer / cross-runtime retries (JMAP
@@ -313,6 +441,31 @@ function _inMemoryBackend() {
       map.set(_k(method, actorId, hash), row);
       return Promise.resolve();
     },
+    // SUBSTRATE-4 — atomic insert. Map.set is synchronous so the
+    // get+set pair below is naturally race-free within the in-memory
+    // backend (V8 single-threaded). Returns true when inserted, false
+    // when the row already exists.
+    putIfAbsent: function (method, actorId, hash, row) {
+      var k = _k(method, actorId, hash);
+      if (map.has(k)) return Promise.resolve(false);
+      map.set(k, row);
+      return Promise.resolve(true);
+    },
+    // SUBSTRATE-12 — atomic replayCount increment. Operators wiring
+    // a SQL backend implement this with `UPDATE ... SET
+    // replay_count = replay_count + 1 WHERE keyHash = $1 RETURNING *`
+    // — read-modify-write race-free. In-memory backend is naturally
+    // race-free; returns a SNAPSHOT of the row at the moment of
+    // increment so two concurrent callers each see their own
+    // replayCount (operator's SQL backend RETURNING * does the same).
+    incrementReplayCount: function (method, actorId, hash) {
+      var k = _k(method, actorId, hash);
+      var row = map.get(k);
+      if (!row) return Promise.resolve(null);
+      row.replayCount    = (row.replayCount || 0) + 1;
+      row.lastReplayedAt = Date.now();
+      return Promise.resolve(Object.assign({}, row));
+    },
     delete: function (method, actorId, hash) {
       map.delete(_k(method, actorId, hash));
       return Promise.resolve();