@primitivedotdev/sdk 0.2.2 → 0.2.3

package/README.md

@@ -12,7 +12,7 @@ This package ships three Node.js modules:
 
 ## Requirements
 
-- Node.js `>=20`
+- Node.js `>=22`
 
 ## Installation
 

package/dist/contract/index.d.ts

@@ -1,5 +1,5 @@
-import { EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, ParsedDataComplete, ParsedDataFailed, ParsedError, RawContentDownloadOnly, RawContentInline, WebhookAttachment } from "../types-C6M6oCRS.js";
-import { SignResult, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, signWebhookPayload$1 as signWebhookPayload } from "../index-pNcbeqPI.js";
+import { EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, ParsedDataComplete, ParsedDataFailed, ParsedError, RawContentDownloadOnly, RawContentInline, WebhookAttachment } from "../types-B5IgP-Zx.js";
+import { SignResult, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, signWebhookPayload$1 as signWebhookPayload } from "../index-BdRIHaXz.js";
 
 //#region src/contract/contract.d.ts
 /** Maximum raw email size for inline inclusion (256 KB). */
@@ -86,8 +86,8 @@ interface EmailReceivedEventInput {
  * Generate a stable event ID for webhook deduplication.
  *
  * Format: `evt_{sha256_hex}` where the hash is deterministic based on the
- * event type, endpoint ID, and email ID. The same email sent
- * to the same endpoint will always get the same event ID.
+ * event type, webhook version, endpoint ID, and email ID. The same email
+ * sent to the same endpoint will always get the same event ID.
  *
  * @param endpoint_id - Webhook endpoint ID.
  * @param email_id - Primitive email ID.

package/dist/contract/index.js

@@ -1,4 +1,4 @@
-import { WEBHOOK_VERSION, signWebhookPayload, validateEmailReceivedEvent } from "../webhook-Cz3QsQnS.js";
+import { WEBHOOK_VERSION, signWebhookPayload, validateEmailReceivedEvent } from "../webhook-Be2vM0F-.js";
 import { createHash } from "node:crypto";
 
 //#region src/contract/contract.ts
@@ -31,15 +31,15 @@ function validateTimestamp(timestamp, fieldName) {
 * Generate a stable event ID for webhook deduplication.
 *
 * Format: `evt_{sha256_hex}` where the hash is deterministic based on the
-* event type, endpoint ID, and email ID. The same email sent
-* to the same endpoint will always get the same event ID.
+* event type, webhook version, endpoint ID, and email ID. The same email
+* sent to the same endpoint will always get the same event ID.
 *
 * @param endpoint_id - Webhook endpoint ID.
 * @param email_id - Primitive email ID.
 * @returns Stable event ID with `evt_` prefix.
 */
 function generateEventId(endpoint_id, email_id) {
-	const hashInput = `email.received:${endpoint_id}:${email_id}`;
+	const hashInput = `email.received:${WEBHOOK_VERSION}:${endpoint_id}:${email_id}`;
 	const hash = createHash("sha256").update(hashInput).digest("hex");
 	return `evt_${hash}`;
 }

package/dist/{index-pNcbeqPI.d.ts → index-BdRIHaXz.d.ts}

@@ -1,4 +1,4 @@
-import { EmailAuth, EmailReceivedEvent, ValidateEmailAuthResult, WebhookEvent } from "./types-C6M6oCRS.js";
+import { EmailAuth, EmailReceivedEvent, ValidateEmailAuthResult, WebhookEvent } from "./types-B5IgP-Zx.js";
 import { ErrorObject } from "ajv";
 
 //#region src/webhook/errors.d.ts
@@ -1034,11 +1034,11 @@ declare const emailReceivedEventJsonSchema: {
         };
         readonly dmarcSpfAligned: {
           readonly type: "boolean";
-          readonly description: "Whether SPF aligned with the From: domain for DMARC purposes.\n\nTrue if the envelope sender domain matches the From: domain (per alignment mode). Optional in self-hosted environments.";
+          readonly description: "Whether SPF aligned with the From: domain for DMARC purposes.\n\nTrue if the envelope sender domain matches the From: domain (per alignment mode).";
         };
         readonly dmarcDkimAligned: {
           readonly type: "boolean";
-          readonly description: "Whether DKIM aligned with the From: domain for DMARC purposes.\n\nTrue if at least one DKIM signature's domain matches the From: domain. Optional in self-hosted environments.";
+          readonly description: "Whether DKIM aligned with the From: domain for DMARC purposes.\n\nTrue if at least one DKIM signature's domain matches the From: domain.";
         };
         readonly dmarcSpfStrict: {
           readonly type: ["boolean", "null"];
@@ -1056,7 +1056,7 @@ declare const emailReceivedEventJsonSchema: {
           readonly description: "All DKIM signatures found in the email with their verification results.\n\nMay be empty if no DKIM signatures were present.";
         };
       };
-      readonly required: ["spf", "dmarc", "dmarcPolicy", "dmarcFromDomain", "dmarcSpfStrict", "dmarcDkimStrict", "dkimSignatures"];
+      readonly required: ["spf", "dmarc", "dmarcPolicy", "dmarcFromDomain", "dmarcSpfAligned", "dmarcDkimAligned", "dmarcSpfStrict", "dmarcDkimStrict", "dkimSignatures"];
       readonly description: "Email authentication results for SPF, DKIM, and DMARC.\n\nUse `validateEmailAuth()` to compute a verdict based on these results.";
     };
     readonly SpfResult: {
@@ -1099,8 +1099,8 @@ declare const emailReceivedEventJsonSchema: {
           readonly description: "Signing algorithm (e.g., \"rsa-sha256\", \"ed25519-sha256\").\n\nOptional in self-hosted environments.";
         };
       };
-      readonly required: ["domain", "result", "aligned"];
-      readonly description: "Details about a single DKIM signature found in the email.\n\nAn email may have multiple DKIM signatures (e.g., one from the sending domain and one from the ESP). Each signature is verified independently.\n\nFields marked optional (`selector`, `keyBits`, `algo`) may be unavailable in self-hosted environments where the milter provides limited DKIM detail.";
+      readonly required: ["domain", "selector", "result", "aligned", "keyBits", "algo"];
+      readonly description: "Details about a single DKIM signature found in the email.\n\nAn email may have multiple DKIM signatures (e.g., one from the sending domain and one from the ESP). Each signature is verified independently.";
     };
     readonly DkimResult: {
       readonly type: "string";

package/dist/index.d.ts

@@ -1,3 +1,3 @@
-import { AuthConfidence$1 as AuthConfidence, AuthVerdict$1 as AuthVerdict, DkimResult$1 as DkimResult, DkimSignature, DmarcPolicy$1 as DmarcPolicy, DmarcResult$1 as DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType$1 as EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict$1 as ForwardVerdict, ForwardVerification, KnownWebhookEvent, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus$1 as ParsedStatus, RawContent, RawContentDownloadOnly, RawContentInline, SpfResult$1 as SpfResult, UnknownEvent, ValidateEmailAuthResult, WebhookAttachment, WebhookEvent } from "./types-C6M6oCRS.js";
-import { DecodeRawEmailOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER$1 as LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER$1 as LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS$1 as PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER$1 as PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER$1 as PRIMITIVE_SIGNATURE_HEADER, PrimitiveWebhookError$1 as PrimitiveWebhookError, RAW_EMAIL_ERRORS$1 as RAW_EMAIL_ERRORS, RawEmailDecodeError$1 as RawEmailDecodeError, RawEmailDecodeErrorCode, SignResult, VERIFICATION_ERRORS$1 as VERIFICATION_ERRORS, VerifyOptions, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, WebhookErrorCode, WebhookHeaders, WebhookPayloadError$1 as WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError$1 as WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError$1 as WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders$1 as confirmedHeaders, decodeRawEmail$1 as decodeRawEmail, emailReceivedEventJsonSchema$1 as emailReceivedEventJsonSchema, getDownloadTimeRemaining$1 as getDownloadTimeRemaining, handleWebhook$1 as handleWebhook, isDownloadExpired$1 as isDownloadExpired, isEmailReceivedEvent$1 as isEmailReceivedEvent, isRawIncluded$1 as isRawIncluded, parseWebhookEvent$1 as parseWebhookEvent, safeValidateEmailReceivedEvent$1 as safeValidateEmailReceivedEvent, signWebhookPayload$1 as signWebhookPayload, validateEmailAuth$1 as validateEmailAuth, validateEmailReceivedEvent$1 as validateEmailReceivedEvent, verifyRawEmailDownload$1 as verifyRawEmailDownload, verifyWebhookSignature$1 as verifyWebhookSignature } from "./index-pNcbeqPI.js";
+import { AuthConfidence$1 as AuthConfidence, AuthVerdict$1 as AuthVerdict, DkimResult$1 as DkimResult, DkimSignature, DmarcPolicy$1 as DmarcPolicy, DmarcResult$1 as DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType$1 as EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict$1 as ForwardVerdict, ForwardVerification, KnownWebhookEvent, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus$1 as ParsedStatus, RawContent, RawContentDownloadOnly, RawContentInline, SpfResult$1 as SpfResult, UnknownEvent, ValidateEmailAuthResult, WebhookAttachment, WebhookEvent } from "./types-B5IgP-Zx.js";
+import { DecodeRawEmailOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER$1 as LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER$1 as LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS$1 as PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER$1 as PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER$1 as PRIMITIVE_SIGNATURE_HEADER, PrimitiveWebhookError$1 as PrimitiveWebhookError, RAW_EMAIL_ERRORS$1 as RAW_EMAIL_ERRORS, RawEmailDecodeError$1 as RawEmailDecodeError, RawEmailDecodeErrorCode, SignResult, VERIFICATION_ERRORS$1 as VERIFICATION_ERRORS, VerifyOptions, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, WebhookErrorCode, WebhookHeaders, WebhookPayloadError$1 as WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError$1 as WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError$1 as WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders$1 as confirmedHeaders, decodeRawEmail$1 as decodeRawEmail, emailReceivedEventJsonSchema$1 as emailReceivedEventJsonSchema, getDownloadTimeRemaining$1 as getDownloadTimeRemaining, handleWebhook$1 as handleWebhook, isDownloadExpired$1 as isDownloadExpired, isEmailReceivedEvent$1 as isEmailReceivedEvent, isRawIncluded$1 as isRawIncluded, parseWebhookEvent$1 as parseWebhookEvent, safeValidateEmailReceivedEvent$1 as safeValidateEmailReceivedEvent, signWebhookPayload$1 as signWebhookPayload, validateEmailAuth$1 as validateEmailAuth, validateEmailReceivedEvent$1 as validateEmailReceivedEvent, verifyRawEmailDownload$1 as verifyRawEmailDownload, verifyWebhookSignature$1 as verifyWebhookSignature } from "./index-BdRIHaXz.js";
 export { AuthConfidence, AuthVerdict, DecodeRawEmailOptions, DkimResult, DkimSignature, DmarcPolicy, DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict, ForwardVerification, HandleWebhookOptions, KnownWebhookEvent, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawContent, RawContentDownloadOnly, RawContentInline, RawEmailDecodeError, RawEmailDecodeErrorCode, SignResult, SpfResult, UnknownEvent, VERIFICATION_ERRORS, ValidateEmailAuthResult, VerifyOptions, WEBHOOK_VERSION, WebhookAttachment, WebhookErrorCode, WebhookEvent, WebhookHeaders, WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyWebhookSignature };

package/dist/index.js

@@ -1,3 +1,3 @@
-import { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyWebhookSignature } from "./webhook-Cz3QsQnS.js";
+import { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyWebhookSignature } from "./webhook-Be2vM0F-.js";
 
 export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyWebhookSignature };

package/dist/parser/index.d.ts

@@ -1,4 +1,4 @@
-import { EmailAddress, ParsedDataComplete, WebhookAttachment } from "../types-C6M6oCRS.js";
+import { EmailAddress, ParsedDataComplete, WebhookAttachment } from "../types-B5IgP-Zx.js";
 
 //#region src/parser/attachment-parser.d.ts
 interface ParsedAttachment {

package/dist/parser/index.js

@@ -1,12 +1,10 @@
 import { createHash } from "node:crypto";
 import { PassThrough } from "node:stream";
+import archiver from "archiver";
+import { simpleParser } from "mailparser";
 import DOMPurify from "isomorphic-dompurify";
 
 //#region src/parser/attachment-bundler.ts
-async function loadArchiver() {
-	const module = await import("archiver");
-	return module.default;
-}
 /**
 * Bundle downloadable attachments into a tar.gz archive.
 *
@@ -20,7 +18,6 @@ async function loadArchiver() {
 async function bundleAttachments(attachments) {
 	const downloadable = attachments.filter((att) => att.isDownloadable);
 	if (downloadable.length === 0) return null;
-	const archiver = await loadArchiver();
 	const archive = archiver("tar", {
 		gzip: true,
 		gzipOptions: { level: 6 }
@@ -181,51 +178,49 @@ const ALLOWED_ATTRS = [
 	"size",
 	"face"
 ];
-const ALLOWED_URI_REGEXP = /^(data:|mailto:|#)/i;
+const ALLOWED_URI_REGEXP = /^(https?:|data:image\/(?!svg\+xml)[a-z0-9][a-z0-9+.-]*[;,]|mailto:|cid:|#)/i;
+const SVG_DATA_URI_RE = /^data:image\/svg\+xml/i;
+DOMPurify.addHook("uponSanitizeAttribute", (_node, data) => {
+	if (data.attrName.startsWith("on")) data.keepAttr = false;
+	if (data.attrName === "style") data.keepAttr = false;
+	if ((data.attrName === "src" || data.attrName === "href") && SVG_DATA_URI_RE.test(data.attrValue)) data.keepAttr = false;
+});
+DOMPurify.addHook("afterSanitizeAttributes", (node) => {
+	if (node.tagName === "A") {
+		const target = node.getAttribute("target");
+		if (target === "_blank") node.setAttribute("rel", "noopener noreferrer");
+	}
+});
+const SANITIZE_OPTIONS = {
+	ALLOWED_TAGS,
+	ALLOWED_ATTR: ALLOWED_ATTRS,
+	ALLOW_DATA_ATTR: false,
+	ALLOW_UNKNOWN_PROTOCOLS: false,
+	ALLOWED_URI_REGEXP,
+	FORBID_TAGS: [
+		"style",
+		"script",
+		"iframe",
+		"object",
+		"embed",
+		"form",
+		"input",
+		"button",
+		"select",
+		"textarea",
+		"link",
+		"meta",
+		"base",
+		"svg",
+		"math"
+	]
+};
 function sanitizeHtml(html) {
-	DOMPurify.addHook("uponSanitizeAttribute", (_node, data) => {
-		if (data.attrName.startsWith("on")) data.keepAttr = false;
-		if (data.attrName === "style") data.keepAttr = false;
-	});
-	DOMPurify.addHook("afterSanitizeAttributes", (node) => {
-		if (node.tagName === "A") {
-			const target = node.getAttribute("target");
-			if (target === "_blank") node.setAttribute("rel", "noopener noreferrer");
-		}
-	});
-	const result = DOMPurify.sanitize(html, {
-		ALLOWED_TAGS,
-		ALLOWED_ATTR: ALLOWED_ATTRS,
-		ALLOW_DATA_ATTR: false,
-		ALLOW_UNKNOWN_PROTOCOLS: false,
-		ALLOWED_URI_REGEXP,
-		FORBID_TAGS: [
-			"style",
-			"script",
-			"iframe",
-			"object",
-			"embed",
-			"form",
-			"input",
-			"button",
-			"select",
-			"textarea",
-			"link",
-			"meta",
-			"base",
-			"svg",
-			"math"
-		]
-	});
-	DOMPurify.removeAllHooks();
-	return result;
+	return DOMPurify.sanitize(html, SANITIZE_OPTIONS);
 }
 
 //#endregion
 //#region src/parser/attachment-parser.ts
-async function loadMailparser$1() {
-	return import("mailparser");
-}
 const SIGNATURE_ARTIFACTS = new Set([
 	"application/pkcs7-signature",
 	"application/x-pkcs7-signature",
@@ -251,7 +246,6 @@ const SAFE_INLINE_TYPES = new Set([
 */
 async function parseEmailWithAttachments(emlBuffer, options) {
 	const generateId = options?.generateAttachmentId ?? (() => crypto.randomUUID());
-	const { simpleParser } = await loadMailparser$1();
 	const parsed = await simpleParser(emlBuffer);
 	const attachments = [];
 	for (let i = 0; i < (parsed.attachments?.length ?? 0); i++) {
@@ -399,15 +393,11 @@ function sanitizeFilename(filename, partIndex) {
 
 //#endregion
 //#region src/parser/email-parser.ts
-async function loadMailparser() {
-	return import("mailparser");
-}
 /**
 * Parse a raw .eml file into structured data
 * Uses mailparser library for robust email parsing
 */
 async function parseEmail(emlRaw) {
-	const { simpleParser } = await loadMailparser();
 	const parsed = await simpleParser(emlRaw);
 	const headers = {};
 	parsed.headers.forEach((value, key) => {

package/dist/{types-C6M6oCRS.d.ts → types-B5IgP-Zx.d.ts}

@@ -614,15 +614,15 @@ interface EmailAuth$1 {
   /**
    * Whether SPF aligned with the From: domain for DMARC purposes.
    *
-   * True if the envelope sender domain matches the From: domain (per alignment mode). Optional in self-hosted environments.
+   * True if the envelope sender domain matches the From: domain (per alignment mode).
    */
-  dmarcSpfAligned?: boolean;
+  dmarcSpfAligned: boolean;
   /**
    * Whether DKIM aligned with the From: domain for DMARC purposes.
    *
-   * True if at least one DKIM signature's domain matches the From: domain. Optional in self-hosted environments.
+   * True if at least one DKIM signature's domain matches the From: domain.
    */
-  dmarcDkimAligned?: boolean;
+  dmarcDkimAligned: boolean;
   /**
    * Whether DMARC SPF alignment mode is strict.
    *
@@ -651,8 +651,6 @@ interface EmailAuth$1 {
  *
  * An email may have multiple DKIM signatures (e.g., one from the sending domain and one from the ESP). Each signature is verified independently.
  *
- * Fields marked optional (`selector`, `keyBits`, `algo`) may be unavailable in self-hosted environments where the milter provides limited DKIM detail.
- *
  * This interface was referenced by `EmailReceivedEvent`'s JSON-Schema
  * via the `definition` "DkimSignature".
  */
@@ -666,7 +664,7 @@ interface DkimSignature$1 {
    *
    * Optional in self-hosted environments where the milter may not provide selector info.
    */
-  selector?: (string | null);
+  selector: (string | null);
   /**
    * Verification result for this specific signature.
    */
@@ -684,13 +682,13 @@ interface DkimSignature$1 {
    *
    * Optional in self-hosted environments.
    */
-  keyBits?: (number | null);
+  keyBits: (number | null);
   /**
    * Signing algorithm (e.g., "rsa-sha256", "ed25519-sha256").
    *
    * Optional in self-hosted environments.
    */
-  algo?: (string | null);
+  algo: (string | null);
 } //#endregion
 //#region src/types.d.ts
 

package/dist/webhook/index.d.ts

@@ -1,3 +1,3 @@
-import { AuthConfidence$1 as AuthConfidence, AuthVerdict$1 as AuthVerdict, DkimResult$1 as DkimResult, DkimSignature, DmarcPolicy$1 as DmarcPolicy, DmarcResult$1 as DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType$1 as EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict$1 as ForwardVerdict, ForwardVerification, KnownWebhookEvent, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus$1 as ParsedStatus, RawContent, RawContentDownloadOnly, RawContentInline, SpfResult$1 as SpfResult, UnknownEvent, ValidateEmailAuthResult, WebhookAttachment, WebhookEvent } from "../types-C6M6oCRS.js";
-import { DecodeRawEmailOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER$1 as LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER$1 as LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS$1 as PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER$1 as PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER$1 as PRIMITIVE_SIGNATURE_HEADER, PrimitiveWebhookError$1 as PrimitiveWebhookError, RAW_EMAIL_ERRORS$1 as RAW_EMAIL_ERRORS, RawEmailDecodeError$1 as RawEmailDecodeError, RawEmailDecodeErrorCode, SignResult, VERIFICATION_ERRORS$1 as VERIFICATION_ERRORS, VerifyOptions, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, WebhookErrorCode, WebhookHeaders, WebhookPayloadError$1 as WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError$1 as WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError$1 as WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders$1 as confirmedHeaders, decodeRawEmail$1 as decodeRawEmail, emailReceivedEventJsonSchema$1 as emailReceivedEventJsonSchema, getDownloadTimeRemaining$1 as getDownloadTimeRemaining, handleWebhook$1 as handleWebhook, isDownloadExpired$1 as isDownloadExpired, isEmailReceivedEvent$1 as isEmailReceivedEvent, isRawIncluded$1 as isRawIncluded, parseWebhookEvent$1 as parseWebhookEvent, safeValidateEmailReceivedEvent$1 as safeValidateEmailReceivedEvent, signWebhookPayload$1 as signWebhookPayload, validateEmailAuth$1 as validateEmailAuth, validateEmailReceivedEvent$1 as validateEmailReceivedEvent, verifyRawEmailDownload$1 as verifyRawEmailDownload, verifyWebhookSignature$1 as verifyWebhookSignature } from "../index-pNcbeqPI.js";
+import { AuthConfidence$1 as AuthConfidence, AuthVerdict$1 as AuthVerdict, DkimResult$1 as DkimResult, DkimSignature, DmarcPolicy$1 as DmarcPolicy, DmarcResult$1 as DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType$1 as EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict$1 as ForwardVerdict, ForwardVerification, KnownWebhookEvent, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus$1 as ParsedStatus, RawContent, RawContentDownloadOnly, RawContentInline, SpfResult$1 as SpfResult, UnknownEvent, ValidateEmailAuthResult, WebhookAttachment, WebhookEvent } from "../types-B5IgP-Zx.js";
+import { DecodeRawEmailOptions, HandleWebhookOptions, LEGACY_CONFIRMED_HEADER$1 as LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER$1 as LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS$1 as PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER$1 as PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER$1 as PRIMITIVE_SIGNATURE_HEADER, PrimitiveWebhookError$1 as PrimitiveWebhookError, RAW_EMAIL_ERRORS$1 as RAW_EMAIL_ERRORS, RawEmailDecodeError$1 as RawEmailDecodeError, RawEmailDecodeErrorCode, SignResult, VERIFICATION_ERRORS$1 as VERIFICATION_ERRORS, VerifyOptions, WEBHOOK_VERSION$1 as WEBHOOK_VERSION, WebhookErrorCode, WebhookHeaders, WebhookPayloadError$1 as WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError$1 as WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError$1 as WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders$1 as confirmedHeaders, decodeRawEmail$1 as decodeRawEmail, emailReceivedEventJsonSchema$1 as emailReceivedEventJsonSchema, getDownloadTimeRemaining$1 as getDownloadTimeRemaining, handleWebhook$1 as handleWebhook, isDownloadExpired$1 as isDownloadExpired, isEmailReceivedEvent$1 as isEmailReceivedEvent, isRawIncluded$1 as isRawIncluded, parseWebhookEvent$1 as parseWebhookEvent, safeValidateEmailReceivedEvent$1 as safeValidateEmailReceivedEvent, signWebhookPayload$1 as signWebhookPayload, validateEmailAuth$1 as validateEmailAuth, validateEmailReceivedEvent$1 as validateEmailReceivedEvent, verifyRawEmailDownload$1 as verifyRawEmailDownload, verifyWebhookSignature$1 as verifyWebhookSignature } from "../index-BdRIHaXz.js";
 export { AuthConfidence, AuthVerdict, DecodeRawEmailOptions, DkimResult, DkimSignature, DmarcPolicy, DmarcResult, EmailAddress, EmailAnalysis, EmailAuth, EmailReceivedEvent, EventType, ForwardAnalysis, ForwardOriginalSender, ForwardResult, ForwardResultAttachmentAnalyzed, ForwardResultAttachmentSkipped, ForwardResultInline, ForwardVerdict, ForwardVerification, HandleWebhookOptions, KnownWebhookEvent, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedData, ParsedDataComplete, ParsedDataFailed, ParsedError, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawContent, RawContentDownloadOnly, RawContentInline, RawEmailDecodeError, RawEmailDecodeErrorCode, SignResult, SpfResult, UnknownEvent, VERIFICATION_ERRORS, ValidateEmailAuthResult, VerifyOptions, WEBHOOK_VERSION, WebhookAttachment, WebhookErrorCode, WebhookEvent, WebhookHeaders, WebhookPayloadError, WebhookPayloadErrorCode, WebhookValidationError, WebhookValidationErrorCode, WebhookVerificationError, WebhookVerificationErrorCode, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyWebhookSignature };

package/dist/webhook/index.js

@@ -1,3 +1,3 @@
-import { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyWebhookSignature } from "../webhook-Cz3QsQnS.js";
+import { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyWebhookSignature } from "../webhook-Be2vM0F-.js";
 
 export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyRawEmailDownload, verifyWebhookSignature };

package/dist/{webhook-Cz3QsQnS.js → webhook-Be2vM0F-.js}

@@ -4042,11 +4042,11 @@ const schema38 = {
 		},
 		"dmarcSpfAligned": {
 			"type": "boolean",
-			"description": "Whether SPF aligned with the From: domain for DMARC purposes.\n\nTrue if the envelope sender domain matches the From: domain (per alignment mode). Optional in self-hosted environments."
+			"description": "Whether SPF aligned with the From: domain for DMARC purposes.\n\nTrue if the envelope sender domain matches the From: domain (per alignment mode)."
 		},
 		"dmarcDkimAligned": {
 			"type": "boolean",
-			"description": "Whether DKIM aligned with the From: domain for DMARC purposes.\n\nTrue if at least one DKIM signature's domain matches the From: domain. Optional in self-hosted environments."
+			"description": "Whether DKIM aligned with the From: domain for DMARC purposes.\n\nTrue if at least one DKIM signature's domain matches the From: domain."
 		},
 		"dmarcSpfStrict": {
 			"type": ["boolean", "null"],
@@ -4067,6 +4067,8 @@ const schema38 = {
 		"dmarc",
 		"dmarcPolicy",
 		"dmarcFromDomain",
+		"dmarcSpfAligned",
+		"dmarcDkimAligned",
 		"dmarcSpfStrict",
 		"dmarcDkimStrict",
 		"dkimSignatures"
@@ -4129,10 +4131,13 @@ const schema42 = {
 	},
 	"required": [
 		"domain",
+		"selector",
 		"result",
-		"aligned"
+		"aligned",
+		"keyBits",
+		"algo"
 	],
-	"description": "Details about a single DKIM signature found in the email.\n\nAn email may have multiple DKIM signatures (e.g., one from the sending domain and one from the ESP). Each signature is verified independently.\n\nFields marked optional (`selector`, `keyBits`, `algo`) may be unavailable in self-hosted environments where the milter provides limited DKIM detail."
+	"description": "Details about a single DKIM signature found in the email.\n\nAn email may have multiple DKIM signatures (e.g., one from the sending domain and one from the ESP). Each signature is verified independently."
 };
 const schema43 = {
 	"type": "string",
@@ -4160,117 +4165,153 @@ function validate34(data, { instancePath = "", parentData, parentDataProperty, r
 			else vErrors.push(err0);
 			errors++;
 		}
-		if (data.result === void 0) {
+		if (data.selector === void 0) {
 			const err1 = {
 				instancePath,
 				schemaPath: "#/required",
 				keyword: "required",
-				params: { missingProperty: "result" },
-				message: "must have required property 'result'"
+				params: { missingProperty: "selector" },
+				message: "must have required property 'selector'"
 			};
 			if (vErrors === null) vErrors = [err1];
 			else vErrors.push(err1);
 			errors++;
 		}
-		if (data.aligned === void 0) {
+		if (data.result === void 0) {
 			const err2 = {
 				instancePath,
 				schemaPath: "#/required",
 				keyword: "required",
-				params: { missingProperty: "aligned" },
-				message: "must have required property 'aligned'"
+				params: { missingProperty: "result" },
+				message: "must have required property 'result'"
 			};
 			if (vErrors === null) vErrors = [err2];
 			else vErrors.push(err2);
 			errors++;
 		}
+		if (data.aligned === void 0) {
+			const err3 = {
+				instancePath,
+				schemaPath: "#/required",
+				keyword: "required",
+				params: { missingProperty: "aligned" },
+				message: "must have required property 'aligned'"
+			};
+			if (vErrors === null) vErrors = [err3];
+			else vErrors.push(err3);
+			errors++;
+		}
+		if (data.keyBits === void 0) {
+			const err4 = {
+				instancePath,
+				schemaPath: "#/required",
+				keyword: "required",
+				params: { missingProperty: "keyBits" },
+				message: "must have required property 'keyBits'"
+			};
+			if (vErrors === null) vErrors = [err4];
+			else vErrors.push(err4);
+			errors++;
+		}
+		if (data.algo === void 0) {
+			const err5 = {
+				instancePath,
+				schemaPath: "#/required",
+				keyword: "required",
+				params: { missingProperty: "algo" },
+				message: "must have required property 'algo'"
+			};
+			if (vErrors === null) vErrors = [err5];
+			else vErrors.push(err5);
+			errors++;
+		}
 		if (data.domain !== void 0) {
 			if (typeof data.domain !== "string") {
-				const err3 = {
+				const err6 = {
 					instancePath: instancePath + "/domain",
 					schemaPath: "#/properties/domain/type",
 					keyword: "type",
 					params: { type: "string" },
 					message: "must be string"
 				};
-				if (vErrors === null) vErrors = [err3];
-				else vErrors.push(err3);
+				if (vErrors === null) vErrors = [err6];
+				else vErrors.push(err6);
 				errors++;
 			}
 		}
 		if (data.selector !== void 0) {
 			let data1 = data.selector;
 			if (typeof data1 !== "string" && data1 !== null) {
-				const err4 = {
+				const err7 = {
 					instancePath: instancePath + "/selector",
 					schemaPath: "#/properties/selector/type",
 					keyword: "type",
 					params: { type: schema42.properties.selector.type },
 					message: "must be string,null"
 				};
-				if (vErrors === null) vErrors = [err4];
-				else vErrors.push(err4);
+				if (vErrors === null) vErrors = [err7];
+				else vErrors.push(err7);
 				errors++;
 			}
 		}
 		if (data.result !== void 0) {
 			let data2 = data.result;
 			if (typeof data2 !== "string") {
-				const err5 = {
+				const err8 = {
 					instancePath: instancePath + "/result",
 					schemaPath: "#/definitions/DkimResult/type",
 					keyword: "type",
 					params: { type: "string" },
 					message: "must be string"
 				};
-				if (vErrors === null) vErrors = [err5];
-				else vErrors.push(err5);
+				if (vErrors === null) vErrors = [err8];
+				else vErrors.push(err8);
 				errors++;
 			}
 			if (!(data2 === "pass" || data2 === "fail" || data2 === "temperror" || data2 === "permerror")) {
-				const err6 = {
+				const err9 = {
 					instancePath: instancePath + "/result",
 					schemaPath: "#/definitions/DkimResult/enum",
 					keyword: "enum",
 					params: { allowedValues: schema43.enum },
 					message: "must be equal to one of the allowed values"
 				};
-				if (vErrors === null) vErrors = [err6];
-				else vErrors.push(err6);
+				if (vErrors === null) vErrors = [err9];
+				else vErrors.push(err9);
 				errors++;
 			}
 		}
 		if (data.aligned !== void 0) {
 			if (typeof data.aligned !== "boolean") {
-				const err7 = {
+				const err10 = {
 					instancePath: instancePath + "/aligned",
 					schemaPath: "#/properties/aligned/type",
 					keyword: "type",
 					params: { type: "boolean" },
 					message: "must be boolean"
 				};
-				if (vErrors === null) vErrors = [err7];
-				else vErrors.push(err7);
+				if (vErrors === null) vErrors = [err10];
+				else vErrors.push(err10);
 				errors++;
 			}
 		}
 		if (data.keyBits !== void 0) {
 			let data4 = data.keyBits;
 			if (!(typeof data4 == "number" && !(data4 % 1) && !isNaN(data4)) && data4 !== null) {
-				const err8 = {
+				const err11 = {
 					instancePath: instancePath + "/keyBits",
 					schemaPath: "#/properties/keyBits/type",
 					keyword: "type",
 					params: { type: schema42.properties.keyBits.type },
 					message: "must be integer,null"
 				};
-				if (vErrors === null) vErrors = [err8];
-				else vErrors.push(err8);
+				if (vErrors === null) vErrors = [err11];
+				else vErrors.push(err11);
 				errors++;
 			}
 			if (typeof data4 == "number") {
 				if (data4 > 16384 || isNaN(data4)) {
-					const err9 = {
+					const err12 = {
 						instancePath: instancePath + "/keyBits",
 						schemaPath: "#/properties/keyBits/maximum",
 						keyword: "maximum",
@@ -4280,12 +4321,12 @@ function validate34(data, { instancePath = "", parentData, parentDataProperty, r
 						},
 						message: "must be <= 16384"
 					};
-					if (vErrors === null) vErrors = [err9];
-					else vErrors.push(err9);
+					if (vErrors === null) vErrors = [err12];
+					else vErrors.push(err12);
 					errors++;
 				}
 				if (data4 < 1 || isNaN(data4)) {
-					const err10 = {
+					const err13 = {
 						instancePath: instancePath + "/keyBits",
 						schemaPath: "#/properties/keyBits/minimum",
 						keyword: "minimum",
@@ -4295,8 +4336,8 @@ function validate34(data, { instancePath = "", parentData, parentDataProperty, r
 						},
 						message: "must be >= 1"
 					};
-					if (vErrors === null) vErrors = [err10];
-					else vErrors.push(err10);
+					if (vErrors === null) vErrors = [err13];
+					else vErrors.push(err13);
 					errors++;
 				}
 			}
@@ -4304,28 +4345,28 @@ function validate34(data, { instancePath = "", parentData, parentDataProperty, r
 		if (data.algo !== void 0) {
 			let data5 = data.algo;
 			if (typeof data5 !== "string" && data5 !== null) {
-				const err11 = {
+				const err14 = {
 					instancePath: instancePath + "/algo",
 					schemaPath: "#/properties/algo/type",
 					keyword: "type",
 					params: { type: schema42.properties.algo.type },
 					message: "must be string,null"
 				};
-				if (vErrors === null) vErrors = [err11];
-				else vErrors.push(err11);
+				if (vErrors === null) vErrors = [err14];
+				else vErrors.push(err14);
 				errors++;
 			}
 		}
 	} else {
-		const err12 = {
+		const err15 = {
 			instancePath,
 			schemaPath: "#/type",
 			keyword: "type",
 			params: { type: "object" },
 			message: "must be object"
 		};
-		if (vErrors === null) vErrors = [err12];
-		else vErrors.push(err12);
+		if (vErrors === null) vErrors = [err15];
+		else vErrors.push(err15);
 		errors++;
 	}
 	validate34.errors = vErrors;
@@ -4383,193 +4424,217 @@ function validate33(data, { instancePath = "", parentData, parentDataProperty, r
 			else vErrors.push(err3);
 			errors++;
 		}
-		if (data.dmarcSpfStrict === void 0) {
+		if (data.dmarcSpfAligned === void 0) {
 			const err4 = {
 				instancePath,
 				schemaPath: "#/required",
 				keyword: "required",
-				params: { missingProperty: "dmarcSpfStrict" },
-				message: "must have required property 'dmarcSpfStrict'"
+				params: { missingProperty: "dmarcSpfAligned" },
+				message: "must have required property 'dmarcSpfAligned'"
 			};
 			if (vErrors === null) vErrors = [err4];
 			else vErrors.push(err4);
 			errors++;
 		}
-		if (data.dmarcDkimStrict === void 0) {
+		if (data.dmarcDkimAligned === void 0) {
 			const err5 = {
 				instancePath,
 				schemaPath: "#/required",
 				keyword: "required",
-				params: { missingProperty: "dmarcDkimStrict" },
-				message: "must have required property 'dmarcDkimStrict'"
+				params: { missingProperty: "dmarcDkimAligned" },
+				message: "must have required property 'dmarcDkimAligned'"
 			};
 			if (vErrors === null) vErrors = [err5];
 			else vErrors.push(err5);
 			errors++;
 		}
-		if (data.dkimSignatures === void 0) {
+		if (data.dmarcSpfStrict === void 0) {
 			const err6 = {
 				instancePath,
 				schemaPath: "#/required",
 				keyword: "required",
-				params: { missingProperty: "dkimSignatures" },
-				message: "must have required property 'dkimSignatures'"
+				params: { missingProperty: "dmarcSpfStrict" },
+				message: "must have required property 'dmarcSpfStrict'"
 			};
 			if (vErrors === null) vErrors = [err6];
 			else vErrors.push(err6);
 			errors++;
 		}
+		if (data.dmarcDkimStrict === void 0) {
+			const err7 = {
+				instancePath,
+				schemaPath: "#/required",
+				keyword: "required",
+				params: { missingProperty: "dmarcDkimStrict" },
+				message: "must have required property 'dmarcDkimStrict'"
+			};
+			if (vErrors === null) vErrors = [err7];
+			else vErrors.push(err7);
+			errors++;
+		}
+		if (data.dkimSignatures === void 0) {
+			const err8 = {
+				instancePath,
+				schemaPath: "#/required",
+				keyword: "required",
+				params: { missingProperty: "dkimSignatures" },
+				message: "must have required property 'dkimSignatures'"
+			};
+			if (vErrors === null) vErrors = [err8];
+			else vErrors.push(err8);
+			errors++;
+		}
 		if (data.spf !== void 0) {
 			let data0 = data.spf;
 			if (typeof data0 !== "string") {
-				const err7 = {
+				const err9 = {
 					instancePath: instancePath + "/spf",
 					schemaPath: "#/definitions/SpfResult/type",
 					keyword: "type",
 					params: { type: "string" },
 					message: "must be string"
 				};
-				if (vErrors === null) vErrors = [err7];
-				else vErrors.push(err7);
+				if (vErrors === null) vErrors = [err9];
+				else vErrors.push(err9);
 				errors++;
 			}
 			if (!(data0 === "pass" || data0 === "fail" || data0 === "softfail" || data0 === "neutral" || data0 === "none" || data0 === "temperror" || data0 === "permerror")) {
-				const err8 = {
+				const err10 = {
 					instancePath: instancePath + "/spf",
 					schemaPath: "#/definitions/SpfResult/enum",
 					keyword: "enum",
 					params: { allowedValues: schema39.enum },
 					message: "must be equal to one of the allowed values"
 				};
-				if (vErrors === null) vErrors = [err8];
-				else vErrors.push(err8);
+				if (vErrors === null) vErrors = [err10];
+				else vErrors.push(err10);
 				errors++;
 			}
 		}
 		if (data.dmarc !== void 0) {
 			let data1 = data.dmarc;
 			if (typeof data1 !== "string") {
-				const err9 = {
+				const err11 = {
 					instancePath: instancePath + "/dmarc",
 					schemaPath: "#/definitions/DmarcResult/type",
 					keyword: "type",
 					params: { type: "string" },
 					message: "must be string"
 				};
-				if (vErrors === null) vErrors = [err9];
-				else vErrors.push(err9);
+				if (vErrors === null) vErrors = [err11];
+				else vErrors.push(err11);
 				errors++;
 			}
 			if (!(data1 === "pass" || data1 === "fail" || data1 === "none" || data1 === "temperror" || data1 === "permerror")) {
-				const err10 = {
+				const err12 = {
 					instancePath: instancePath + "/dmarc",
 					schemaPath: "#/definitions/DmarcResult/enum",
 					keyword: "enum",
 					params: { allowedValues: schema40.enum },
 					message: "must be equal to one of the allowed values"
 				};
-				if (vErrors === null) vErrors = [err10];
-				else vErrors.push(err10);
+				if (vErrors === null) vErrors = [err12];
+				else vErrors.push(err12);
 				errors++;
 			}
 		}
 		if (data.dmarcPolicy !== void 0) {
 			let data2 = data.dmarcPolicy;
 			if (typeof data2 !== "string" && data2 !== null) {
-				const err11 = {
+				const err13 = {
 					instancePath: instancePath + "/dmarcPolicy",
 					schemaPath: "#/definitions/DmarcPolicy/type",
 					keyword: "type",
 					params: { type: schema34.type },
 					message: "must be string,null"
 				};
-				if (vErrors === null) vErrors = [err11];
-				else vErrors.push(err11);
+				if (vErrors === null) vErrors = [err13];
+				else vErrors.push(err13);
 				errors++;
 			}
 			if (!(data2 === "reject" || data2 === "quarantine" || data2 === "none" || data2 === null)) {
-				const err12 = {
+				const err14 = {
 					instancePath: instancePath + "/dmarcPolicy",
 					schemaPath: "#/definitions/DmarcPolicy/enum",
 					keyword: "enum",
 					params: { allowedValues: schema34.enum },
 					message: "must be equal to one of the allowed values"
 				};
-				if (vErrors === null) vErrors = [err12];
-				else vErrors.push(err12);
+				if (vErrors === null) vErrors = [err14];
+				else vErrors.push(err14);
 				errors++;
 			}
 		}
 		if (data.dmarcFromDomain !== void 0) {
 			let data3 = data.dmarcFromDomain;
 			if (typeof data3 !== "string" && data3 !== null) {
-				const err13 = {
+				const err15 = {
 					instancePath: instancePath + "/dmarcFromDomain",
 					schemaPath: "#/properties/dmarcFromDomain/type",
 					keyword: "type",
 					params: { type: schema38.properties.dmarcFromDomain.type },
 					message: "must be string,null"
 				};
-				if (vErrors === null) vErrors = [err13];
-				else vErrors.push(err13);
+				if (vErrors === null) vErrors = [err15];
+				else vErrors.push(err15);
 				errors++;
 			}
 		}
 		if (data.dmarcSpfAligned !== void 0) {
 			if (typeof data.dmarcSpfAligned !== "boolean") {
-				const err14 = {
+				const err16 = {
 					instancePath: instancePath + "/dmarcSpfAligned",
 					schemaPath: "#/properties/dmarcSpfAligned/type",
 					keyword: "type",
 					params: { type: "boolean" },
 					message: "must be boolean"
 				};
-				if (vErrors === null) vErrors = [err14];
-				else vErrors.push(err14);
+				if (vErrors === null) vErrors = [err16];
+				else vErrors.push(err16);
 				errors++;
 			}
 		}
 		if (data.dmarcDkimAligned !== void 0) {
 			if (typeof data.dmarcDkimAligned !== "boolean") {
-				const err15 = {
+				const err17 = {
 					instancePath: instancePath + "/dmarcDkimAligned",
 					schemaPath: "#/properties/dmarcDkimAligned/type",
 					keyword: "type",
 					params: { type: "boolean" },
 					message: "must be boolean"
 				};
-				if (vErrors === null) vErrors = [err15];
-				else vErrors.push(err15);
+				if (vErrors === null) vErrors = [err17];
+				else vErrors.push(err17);
 				errors++;
 			}
 		}
 		if (data.dmarcSpfStrict !== void 0) {
 			let data6 = data.dmarcSpfStrict;
 			if (typeof data6 !== "boolean" && data6 !== null) {
-				const err16 = {
+				const err18 = {
 					instancePath: instancePath + "/dmarcSpfStrict",
 					schemaPath: "#/properties/dmarcSpfStrict/type",
 					keyword: "type",
 					params: { type: schema38.properties.dmarcSpfStrict.type },
 					message: "must be boolean,null"
 				};
-				if (vErrors === null) vErrors = [err16];
-				else vErrors.push(err16);
+				if (vErrors === null) vErrors = [err18];
+				else vErrors.push(err18);
 				errors++;
 			}
 		}
 		if (data.dmarcDkimStrict !== void 0) {
 			let data7 = data.dmarcDkimStrict;
 			if (typeof data7 !== "boolean" && data7 !== null) {
-				const err17 = {
+				const err19 = {
 					instancePath: instancePath + "/dmarcDkimStrict",
 					schemaPath: "#/properties/dmarcDkimStrict/type",
 					keyword: "type",
 					params: { type: schema38.properties.dmarcDkimStrict.type },
 					message: "must be boolean,null"
 				};
-				if (vErrors === null) vErrors = [err17];
-				else vErrors.push(err17);
+				if (vErrors === null) vErrors = [err19];
+				else vErrors.push(err19);
 				errors++;
 			}
 		}
@@ -4587,28 +4652,28 @@ function validate33(data, { instancePath = "", parentData, parentDataProperty, r
 					errors = vErrors.length;
 				}
 			} else {
-				const err18 = {
+				const err20 = {
 					instancePath: instancePath + "/dkimSignatures",
 					schemaPath: "#/properties/dkimSignatures/type",
 					keyword: "type",
 					params: { type: "array" },
 					message: "must be array"
 				};
-				if (vErrors === null) vErrors = [err18];
-				else vErrors.push(err18);
+				if (vErrors === null) vErrors = [err20];
+				else vErrors.push(err20);
 				errors++;
 			}
 		}
 	} else {
-		const err19 = {
+		const err21 = {
 			instancePath,
 			schemaPath: "#/type",
 			keyword: "type",
 			params: { type: "object" },
 			message: "must be object"
 		};
-		if (vErrors === null) vErrors = [err19];
-		else vErrors.push(err19);
+		if (vErrors === null) vErrors = [err21];
+		else vErrors.push(err21);
 		errors++;
 	}
 	validate33.errors = vErrors;
@@ -6956,11 +7021,11 @@ const emailReceivedEventJsonSchema = {
 				},
 				"dmarcSpfAligned": {
 					"type": "boolean",
-					"description": "Whether SPF aligned with the From: domain for DMARC purposes.\n\nTrue if the envelope sender domain matches the From: domain (per alignment mode). Optional in self-hosted environments."
+					"description": "Whether SPF aligned with the From: domain for DMARC purposes.\n\nTrue if the envelope sender domain matches the From: domain (per alignment mode)."
 				},
 				"dmarcDkimAligned": {
 					"type": "boolean",
-					"description": "Whether DKIM aligned with the From: domain for DMARC purposes.\n\nTrue if at least one DKIM signature's domain matches the From: domain. Optional in self-hosted environments."
+					"description": "Whether DKIM aligned with the From: domain for DMARC purposes.\n\nTrue if at least one DKIM signature's domain matches the From: domain."
 				},
 				"dmarcSpfStrict": {
 					"type": ["boolean", "null"],
@@ -6981,6 +7046,8 @@ const emailReceivedEventJsonSchema = {
 				"dmarc",
 				"dmarcPolicy",
 				"dmarcFromDomain",
+				"dmarcSpfAligned",
+				"dmarcDkimAligned",
 				"dmarcSpfStrict",
 				"dmarcDkimStrict",
 				"dkimSignatures"
@@ -7043,10 +7110,13 @@ const emailReceivedEventJsonSchema = {
 			},
 			"required": [
 				"domain",
+				"selector",
 				"result",
-				"aligned"
+				"aligned",
+				"keyBits",
+				"algo"
 			],
-			"description": "Details about a single DKIM signature found in the email.\n\nAn email may have multiple DKIM signatures (e.g., one from the sending domain and one from the ESP). Each signature is verified independently.\n\nFields marked optional (`selector`, `keyBits`, `algo`) may be unavailable in self-hosted environments where the milter provides limited DKIM detail."
+			"description": "Details about a single DKIM signature found in the email.\n\nAn email may have multiple DKIM signatures (e.g., one from the sending domain and one from the ESP). Each signature is verified independently."
 		},
 		"DkimResult": {
 			"type": "string",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/sdk",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Official Primitive Node.js SDK — webhook, contract, and parser modules",
   "type": "module",
   "module": "./dist/index.js",
@@ -66,7 +66,6 @@
   },
   "dependencies": {
     "ajv": "^8.17.1",
-    "ajv-formats": "^3.0.1",
     "archiver": "^7.0.1",
     "isomorphic-dompurify": "^3.8.0",
     "mailparser": "^3.9.0"