knowless 0.2.1 → 0.2.3

package/CHANGELOG.md

@@ -15,14 +15,143 @@ Versioning is [SemVer](https://semver.org/).
 
 ## [Unreleased]
 
-- **Turnkey Docker image** (`knowless/knowless-server:0.2.x`)
-  bundling Postfix + null-route + the binary. Now meaningfully
-  smaller and faster to build because v0.2.0 dropped the native
-  compile dep.
-- Caddy forward-auth Docker integration test (TASKS.md 6.8).
-- `knowless-server --check-null-route`: CLI probe that submits a
-  test message to `shamRecipient` and confirms the local MTA
-  discarded it.
+**v0.2.3 is feature-complete.** v1.0.0 is the planned next release —
+walk-away promotion, no API changes.
+
+## [0.2.3] — 2026-04-29
+
+**Last cosmetic gap before walk-away: From: header display name
+(AF-27).** addypin's recipients saw `From: noreply@addypin.com`
+instead of `From: addypin <noreply@addypin.com>` — most clients
+render the local-part as the sender name in inbox previews, so the
+brand "addypin" was hidden behind "noreply." The library was
+conflating the bare RFC 5321 envelope sender (MAIL FROM, no display
+name allowed) with the RFC 5322 From: header (display name allowed),
+preventing adopters from working around without forking the mailer.
+
+Also: the `bodyOverride` JSDoc (AF-26) gets an extra paragraph
+calling out typographic-punctuation traps after addypin hit the
+em-dash on a live send. Pure documentation, no API change.
+
+### Added
+
+- **`fromName` factory option (AF-27).** Optional. When set, the
+  `From:` header is rendered as `${fromName} <${from}>`; envelope
+  sender stays bare. Validated at factory startup via the new
+  `validateFromName()` helper:
+  - ≤ 60 chars
+  - ASCII only (excludes em/en dashes, smart quotes, ellipses,
+    middle dots — same trap surface as `bodyOverride`)
+  - No CR / LF (header-injection defense, matches existing
+    composeRaw invariant)
+  - No `<` / `>` / `"` (would break `name <addr>` quoting)
+
+  ```js
+  knowless({
+    secret, baseUrl,
+    from: 'noreply@addypin.com',
+    fromName: 'addypin',  // recipient sees: From: addypin <noreply@addypin.com>
+  });
+  ```
+
+  Adopters who don't pass `fromName` get the existing behavior (bare
+  address in From:). No call-site changes required.
+
+- **`validateFromName(name)` re-export.** Pure validator alongside
+  the other `validate*` helpers, for ahead-of-time tests.
+
+### Changed
+
+- **`composeRaw` accepts `fromName` arg.** Internal mailer-interface
+  change: composeRaw now takes an optional `fromName` parameter
+  threaded through from `createMailer`. Adopters with a custom
+  `mailer` injection (rare) should plumb `fromName` accordingly if
+  they want the display-name behavior; otherwise the field is
+  ignored and bare-address behavior is preserved.
+
+### Documentation
+
+- **`bodyOverride` JSDoc (AF-26)** — added a typographic-punctuation
+  paragraph listing the four common traps (em/en dashes, smart
+  quotes, ellipses, middle dots) and their ASCII alternatives.
+  Adopters writing email copy reach for these out of habit; the
+  validator error message was clear, but a heads-up before the first
+  live send saves a debugging cycle. Same paragraph applies to the
+  `fromName` validator docstring (AF-27).
+
+### Internal
+
+- 12 new tests in `test/integration/from-name.test.js` covering
+  the happy path (real + sham branches), envelope stays bare,
+  whitespace passthrough, all five validation error paths, and the
+  re-exported `validateFromName` helper. Test count: 223 → 235.
+
+## [0.2.2] — 2026-04-29
+
+**One feature add at the end of v0.2.x: per-call body customization
+for `auth.startLogin` (AF-26).** Closes the last addypin gap before
+v1.0.0 promotion — adopters with multiple Mode-A flows (pin
+confirmation, login, expiry warning) can now phrase the email body
+to match per-call subjects without re-implementing token mint /
+sham-work / SMTP submit.
+
+### Added
+
+- **`bodyOverride: ({url}) => string` arg on `auth.startLogin`
+  (AF-26).** A template function called per-call after the magic-
+  link URL is composed. knowless still owns URL composition (so the
+  v0.11 POC 7bit URL-line invariant stays in knowless's control) and
+  validates the rendered output. `bodyFooter` continues to append
+  after the override; the `lastLogin` line does NOT auto-append on
+  overridden bodies — the template owns content end-to-end.
+
+  ```js
+  await auth.startLogin({
+    email,
+    subjectOverride: `Confirm your pin: ${shortcode}`,
+    bodyOverride: ({ url }) =>
+      `Confirm your pin "${shortcode}":\n\n${url}\n\n` +
+      `Link expires in 15 minutes.\n`,
+  });
+  ```
+
+- **`validateBodyOverride(body, url)` re-export.** Pure validator
+  exposed alongside the other `validate*` re-exports. Same validation
+  knowless runs internally on the override return value:
+  - Non-empty string, ≤ 2048 chars
+  - ASCII only
+  - No CR (header-injection defense)
+  - URL appears exactly once
+  - URL is on its own line (preserves the v0.11 POC 7bit URL-line
+    invariant — QP soft-breaks would break the link)
+
+  Throws on any violation. Adopters generally don't need to call this
+  directly — knowless validates the function's return value at
+  compose time — but it's exported for ahead-of-time tests.
+
+### Why this is in scope (and not a 'forum-style' rejected addition)
+
+The body has to be composed *after* the token is minted (the URL
+contains the token), so the caller can't just "send their own email"
+without re-implementing most of knowless. Bypassing knowless to send
+a custom body would mean rebuilding token mint + token-store insert
++ sham-work timing + SMTP submit — that's most of the library. The
+ASCII / URL-line / 7bit constraints are the right place to keep
+validating, and those live in knowless. Identity-layer concern,
+mechanism stays where the policy is.
+
+Contrast with the rejected items in the v0.2.1 backlog cull
+(disposable-domain, account-age, hashcash, Docker image): each of
+those passed the "could the adopter do this themselves?" test.
+Per-call body customization fails it.
+
+### Internal
+
+- 16 new tests in `test/integration/body-override.test.js` covering
+  happy path on real submissions, sham-branch parity (FR-6),
+  bodyFooter append behavior, lastLogin non-auto-append, every
+  validation error path, undefined/null pass-through, and the
+  re-exported `validateBodyOverride` helper. Test count: 207 → 223.
 
 ## [0.2.1] — 2026-04-29
 
@@ -110,6 +239,36 @@ accessor, hashcash, `lookupMessageId()`, `onShamHit`).
   containment, and `verifyTransport()` resolve/reject paths.
   Test count: 192 → 207.
 
+### Cut from v0.2.x backlog (kept here for the record)
+
+Three items previously listed under Unreleased were stress-tested
+against walk-away-at-v1.0.0 and cut. Rationale per item, so future
+contributors see why these aren't being re-proposed:
+
+- **`knowless-server --check-null-route` CLI probe — CUT.** Operator
+  setup-correctness check, not identity layer. The same probe is
+  three commands of `swaks` + `tail /var/log/maillog`; documented in
+  GUIDE.md Step 3. Adding a knowless CLI feature for it would carry
+  maintenance burden into walk-away for something an operator can
+  already do with a one-line shell command.
+- **Caddy forward-auth Docker integration test (TASKS 6.8) — CUT.**
+  The contract under test is two HTTP responses and one header
+  (`/verify` → 200+`X-User-Handle` or 401). Every hop is already
+  covered by `forward-auth-next.test.js` + `cli.test.js`. addypin
+  runs knowless behind Caddy in production — that is the integration
+  test, with adopter signal stronger than any docker-compose CI
+  could provide. Removed as a v1.0.0 graduation criterion;
+  PRD §6.1 updated.
+- **Turnkey Docker image (`knowless/knowless-server:0.2.x`) — CUT.**
+  Doesn't actually solve the operator problem: SPF / DKIM / PTR /
+  outbound-port-25 work is still the operator's, image only saves
+  ~5 minutes of `apt install postfix && postmap`. Cost-side is
+  permanent: Postfix is on a CVE drumbeat, and a walk-away library
+  shipping a Postfix image would commit to forever-rebuilds —
+  exactly the opposite of walk-away discipline. If a self-hoster
+  builds a community Dockerfile, OPS.md will link to it; knowless
+  itself doesn't ship one.
+
 ## [0.2.0] — 2026-04-28
 
 **No native compile. One production dep.** Drops `better-sqlite3`

package/GUIDE.md

@@ -162,6 +162,25 @@ sudo postmap /etc/postfix/transport
 sudo systemctl reload postfix
 ```
 
+**Verify the null-route is catching mail.** A misconfigured
+null-route doesn't surface until the first sham submission — by
+which point you're debugging a silent-202 from a real form post.
+One-line check, no knowless code needed:
+
+```
+sudo apt install swaks   # one-time, if not present
+swaks --to null@knowless.invalid --server localhost:25 --quit-after RCPT
+sudo journalctl -u postfix --since '1 minute ago' | grep -i 'discard'
+```
+
+A `discard:` line in the postfix log confirms `transport_maps` is
+applied. If you see `relay=` / `delivered` / a queue ID with no
+discard, re-run `postmap` + `systemctl reload postfix` and try
+again. (knowless deliberately does NOT ship a `--check-null-route`
+CLI for this — operator MTA validation is operator-side, and adding
+a wrapper for a one-line `swaks` invocation would carry maintenance
+burden into the v1.0.0 walk-away window for no real value.)
+
 Then the DNS records — set on your sending domain, **not** your
 app's primary domain (typical setup: `auth.example.com` is the
 sending domain):
@@ -240,15 +259,18 @@ the form.
 
 ### Two adoption modes (Mode A vs Mode B)
 
-knowless supports two UX flows out of the box. Pick per-action,
-not per-app — both can coexist.
+In plain English: **"sign in, then do the thing"** (Mode B) and
+**"do the thing, confirm by email"** (Mode A). knowless supports
+both out of the box; pick per-action, not per-app — they coexist.
+The Mode A/B labels are used here and in the CHANGELOG so
+discussions across the docs stay unambiguous.
 
-**Mode B — register-first (the default).** User must log in before
-performing the action. Wire `auth.login` / `auth.callback` as
-above; gate your action with `auth.handleFromRequest(req)`. Use
-when the action requires a session (account settings, paid
-features, anything you want tied to an identity at the moment of
-the action).
+**Mode B — "sign in, then do the thing" (register-first, the default).**
+User must log in before performing the action. Wire `auth.login` /
+`auth.callback` as above; gate your action with
+`auth.handleFromRequest(req)`. Use when the action requires a session
+(account settings, paid features, anything you want tied to an
+identity at the moment of the action).
 
 ```js
 app.post('/api/comments', (req, res) => {
@@ -258,12 +280,12 @@ app.post('/api/comments', (req, res) => {
 });
 ```
 
-**Mode A — use-first, claim-later.** User performs the action
-without logging in; you capture their email and trigger a magic
-link. Clicking it opens a session and your callback handler
-"promotes" the deferred resource. Use for "drop a pin," "post a
-share link," "submit a paste" — patterns where forcing a login
-*before* the action would harm the UX.
+**Mode A — "do the thing, confirm by email" (use-first, claim-later).**
+User performs the action without logging in; you capture their email
+and trigger a magic link. Clicking it opens a session and your
+callback handler "promotes" the deferred resource. Use for "drop a
+pin," "post a share link," "submit a paste" — patterns where forcing
+a login *before* the action would harm the UX.
 
 ```js
 app.post('/api/pins', async (req, res) => {
@@ -277,6 +299,14 @@ app.post('/api/pins', async (req, res) => {
     // Per-call subject so the user can tell at a glance this is a
     // pin-confirmation, not a routine login. AF-9.
     subjectOverride: `Confirm your pin: ${shortcode}`,
+    // Per-call body so subject and body agree. AF-26 (v0.2.2).
+    // knowless still composes the URL and validates the rendered
+    // output (ASCII / URL on its own line / ≤2048 chars). bodyFooter
+    // still appends; the lastLogin line does NOT auto-append on
+    // overridden bodies — the template owns the content.
+    bodyOverride: ({ url }) =>
+      `Confirm your pin "${shortcode}":\n\n${url}\n\n` +
+      `This link expires in 15 minutes. If you didn't request it, ignore.\n`,
   });
   res.status(202).end();  // "we'll email you the link"
 });
@@ -601,7 +631,8 @@ Full options table:
 |---|---|---|---|
 | `secret` | yes | — | HMAC key, ≥64 hex chars (32 bytes). FR-47, FR-48. |
 | `baseUrl` | yes | — | Base URL for magic-link construction. |
-| `from` | yes | — | Sender email address. |
+| `from` | yes | — | Bare RFC 5321 sender (envelope MAIL FROM AND default From: header). |
+| `fromName` | no | — | Optional RFC 5322 display name for the From: header (AF-27, v0.2.3+). When set, recipients see `addypin <noreply@addypin.com>` instead of bare `noreply@addypin.com` — most clients display the local-part as the sender name otherwise. ASCII, ≤60 chars, no CR/LF/<>". envelope.from stays bare always. |
 | `dbPath` | no | `./knowless.db` | SQLite file path. |
 | `cookieDomain` | no | (eTLD+1 of `baseUrl`) | Session cookie scope. |
 | `cookieName` | no | `knowless_session` | Session cookie name. |
@@ -630,6 +661,24 @@ Full options table:
 
 ## FAQ
 
+### Is there an official knowless Docker image?
+
+No. knowless does not ship a turnkey image with Postfix + null-route
++ the binary pre-baked. The reasoning: a Docker image bundling
+Postfix wouldn't actually save the operator from the work that
+matters (SPF / DKIM / PTR records on your sending domain, outbound
+port 25 unblocked at your hosting provider, reverse DNS pointed at
+your sending hostname — all done outside the container regardless),
+and shipping a Postfix image would commit a walk-away library to a
+permanent CVE-rebuild cadence. The OPS.md walkthrough is the
+canonical install path; a fresh VPS to working forward-auth takes
+30–60 minutes of one-time setup, and then it stays put.
+
+If a community Dockerfile emerges (open invitation — knowless is
+Apache-2.0), OPS.md will link to it. Until then, run
+`knowless-server` as a systemd unit alongside Postfix as the OPS
+walkthrough lays out.
+
 ### Why doesn't knowless block disposable email domains?
 
 Disposable-domain blocking (mailinator.com, throwaway.email, etc.) is

package/README.md

@@ -7,198 +7,146 @@ that don't need to email their users for anything but the sign-in link.
 npm install knowless
 ```
 
-> v0.2.1 | Node.js >= 22.5 | **1 production dep (nodemailer)** | Apache-2.0
+> v0.2.3 | Node.js >= 22.5 | **1 production dep (nodemailer)** | Apache-2.0
 
-## Why this exists
+## Where to go next
 
-Most auth libraries (Auth0, Clerk, Magic, Firebase Auth) default to
-maximum identity collection: full email stored in plaintext, profile
-fields, recovery email, federation. Even nominally privacy-focused
-options store enough that a breach is materially harmful.
+Two docs live alongside this README. They serve different readers; pick
+the one that matches yours.
 
-knowless is the simpler answer that always worked: **magic link in,
-session cookie out, nothing else stored.** Email is HMAC-hashed at the
+| You are | Read this | What's there |
+|---|---|---|
+| **A human integrating for the first time** | [`GUIDE.md`](GUIDE.md) | Step-by-step walkthrough — install, generate the secret, set up Postfix, mount handlers, both modes worked end-to-end. Configuration reference, FAQ, troubleshooting. |
+| **An AI agent, or reading in a hurry** | [`knowless.context.md`](knowless.context.md) | Dense single-file reference. Public API table, every option with defaults, 19 gotchas, lifecycle diagrams, the sham-work pattern, threat model, "what's NOT in knowless and why." Designed to fit one context window. |
+| **Deploying to a real server** | [`OPS.md`](OPS.md) | Postfix install, SPF/DKIM/PTR/DMARC, null-route, systemd, Caddy/nginx/Traefik forward-auth, MailHog dev, fail2ban, multi-process. |
+| **Tracking what changed** | [`CHANGELOG.md`](CHANGELOG.md) | Version history. |
+
+## What it does
+
+The simpler answer that always worked: **magic link in, session
+cookie out, nothing else stored.** Email is HMAC-hashed at the
 boundary and discarded. The library refuses, by API shape, to send
 anything but the sign-in link or store anything identifying.
 
+Most auth libraries default to maximum identity collection: full email
+in plaintext, profile fields, recovery email, federation. Even
+nominally privacy-focused options store enough that a breach is
+materially harmful. knowless inverts the default.
+
 The thesis: most services have ten layers of auth tooling where they
 need two.
 
-## Two modes — pick per action
-
-Same library, two flows. They coexist in one app; choose per-endpoint
-based on whether forcing a login *before* the action would harm UX.
+## How it works
 
-### Mode B — register-first (the form)
+```
+email  →  HMAC-SHA256(secret, normalize(email))  →  opaque handle
+            |                                         |
+            v                                         v
+       magic-link token (256-bit, single-use)    sessions, tokens
+            |                                         |
+            v                                         v
+       submitted via localhost SMTP             stored as SHA-256 hashes
+            |
+            v
+       user clicks  →  handle resolved  →  signed cookie set
+```
 
-User must log in before performing the action. Standard "sign in to
-continue" flow.
+- **Plaintext email is never persisted.** Only the salted hash
+  (`HMAC-SHA256(secret, normalized_email)`).
+- **Only the magic link is ever sent.** No welcome, no digest, no
+  notification. There is no API to send anything else.
+- **All outbound mail goes via your localhost MTA.** No vendor SDKs,
+  no API tokens.
+- **Tokens are SHA-256 at rest, single-use, 15-min TTL.** Raw token
+  never persisted.
+- **Session cookies are HMAC-signed.** No JWT, no algorithm confusion.
+- **Sham work on every miss.** Unknown emails do the same work as
+  registered ones (compose, submit, log) but the SMTP recipient is a
+  null-route. Times equivalent within 1ms — measured in CI.
 
-- User hits `/login`, types email
-- Magic link arrives, click → session cookie
-- Your protected endpoints call `auth.handleFromRequest(req)` to gate
-  access
+## Two modes
 
-Use for: account settings, paid features, anything that requires an
-identified user at the moment of the action.
+Same library, two flows. They coexist in one app — pick per action.
 
-### Mode A — use-first, claim-later (programmatic)
+- **"Sign in, then do the thing"** — a normal login.
+- **"Do the thing, confirm by email"** — drop a pin, post a comment,
+  share a link without an account, and the email confirmation creates
+  the account in the background.
 
-User performs the action *without* being logged in. You capture their
-email along with the action, fire a magic link via
-`auth.startLogin({email, nextUrl, ...})`, and clicking it opens a
-session and "promotes" the deferred resource.
+The same sham-work flow runs underneath either mode, so unknown
+emails, rate-limit hits, and real sends look identical to an external
+observer.
 
-Use for: drop-a-pin / submit-a-paste / share-a-link / disposable
-resources / anywhere logging in first kills the UX.
+Worked code for both in [`GUIDE.md`](GUIDE.md).
 
-The same 12-step sham-work flow runs underneath either mode, so
-unknown emails, rate-limit hits, and real sends look identical to an
-external observer (the FR-6 timing-equivalence guarantee). Pick per
-action; the two coexist.
+## Two deployment shapes
 
-Worked code for both modes is in [`GUIDE.md`](GUIDE.md). The dense
-API reference is [`knowless.context.md`](knowless.context.md).
+| Shape | When |
+|---|---|
+| **Library mode** | Mount the five handlers (`login`, `callback`, `verify`, `logout`, `loginForm`) in your existing Node app. |
+| **Standalone server** (`npx knowless-server`) | Forward-auth gateway behind Caddy / nginx / Traefik for self-hosters gating Uptime Kuma / AdGuard / Pi-hole / Sonarr / Jellyfin / etc. One auth subdomain, SSO across services via the parent-domain cookie. |
 
 ## What's opinionated (locked by design)
 
-These are deliberate trade-offs, documented as `NO-GO` in
-[`docs/01-product/PRD.md`](docs/01-product/PRD.md) §14.
-The library refuses, by API shape, to grow into them.
+Deliberate trade-offs. The library refuses, by API shape, to grow
+into them.
 
-- **Localhost SMTP only.** No Mailgun/Postmark/SES/Resend. The
-  operator runs Postfix (or another MTA) on the same host, in
-  outbound-only mode.
-- **One mail purpose: the sign-in link.** No welcome message, no
-  digest, no notification. There is no `sendNotification()` to be
-  tempted by.
+- **Localhost SMTP only.** No Mailgun / Postmark / SES / Resend.
+- **One mail purpose: the sign-in link.** No `sendNotification()` to
+  be tempted by.
 - **Plain-text 7-bit email.** No HTML, no tracking pixels, no
   click-rewriting, no read-receipts.
 - **No OAuth / OIDC / SAML.** Different audience.
 - **No 2FA / WebAuthn / TOTP / passkeys.** Compose with a separate
   library if you need them.
 - **No admin UI.** `sqlite3 knowless.db` is the admin UI.
-- **Hardcoded login form.** No template overrides; fork or live
-  with it.
-- **No telemetry, analytics, or error reporting.** Self-hostable end
-  to end. No phone-home of any kind.
+- **Hardcoded login form.** No template overrides; fork or live with
+  it.
+- **No telemetry, analytics, or error reporting.** No phone-home of
+  any kind.
 - **Walks away at v1.0.0.** Maintenance mode after that — only
   security fixes.
 
-## What's swappable
+If any of those break your case, knowless isn't the right tool. Look
+at [Lucia](https://lucia-auth.com/), [Auth.js](https://authjs.dev/),
+or commercial offerings.
 
-Everything that *isn't* identity-shape or threat-model essential is
-config or injection.
-
-| Knob | Default | Common reasons to change |
-|---|---|---|
-| `dbPath` | `./knowless.db` | Move to `/var/lib/knowless/...` for systemd; share across processes |
-| `smtpHost`, `smtpPort` | `localhost`, `25` | Point at MailHog (`localhost:1025`) for dev mail inspection |
-| `cookieDomain` | hostname of `baseUrl` | Set to your eTLD+1 for SSO across subdomains |
-| `cookieSecure` | `true` | `false` only for `http://localhost` dev (logs a warning) |
-| `tokenTtlSeconds`, `sessionTtlSeconds` | `900`, `2592000` | Tighten for high-security uses; loosen at your peril |
-| `openRegistration` | `false` | `true` to let any new email auto-register on first link |
-| `subject` | `Sign in` | Match your brand; per-call override on `startLogin` (`subjectOverride`) |
-| `bodyFooter` | none | Append a constant brand/legal/feedback line to every magic-link mail |
-| `confirmationMessage` | (default copy) | Replace the post-submit "we'll email you" text |
-| `maxLoginRequestsPerIpPerHour`, `maxNewHandlesPerIpPerHour` | `30`, `3` | Raise for genuinely shared NATs; `0` to disable in dev |
-| `trustedProxies` | `[127.0.0.1, ::1]` | Plain IPs **and** CIDRs (`10.0.0.0/8`) for k8s/docker/cgnat |
-| `bypassRateLimit` (per-call) | `false` | Trusted CLI/cron callers via `auth.startLogin` |
-| `store` | built-in `node:sqlite` | Inject your own store (Postgres, etc.) |
-| `mailer` | built-in nodemailer | Inject your own mailer |
-| `transportOverride` | none | Pass a custom `nodemailer.createTransport` |
-| `onSweepError(err)` | none | Operator alerting hook for sweeper failures |
-| `devLogMagicLinks` | `false` | `true` in dev: print magic-link URLs (or silent-miss hints) to stderr when SMTP fails |
-
-Full table with defaults, types, and validation rules:
-[`GUIDE.md`](GUIDE.md) → "Configuration reference."
-
-## Two deployment shapes (one codebase)
-
-| Mode | Status | When |
-|---|---|---|
-| **Library mode** | shipped (v0.1.0) | Mount handlers in your existing Node app |
-| **Standalone server** (forward-auth) | shipped (v0.1.3) | Self-hosters gating Uptime Kuma / AdGuard / Pi-hole / Sonarr / etc. behind Caddy / nginx / Traefik |
-
-Library mode is the six-line example in [`GUIDE.md`](GUIDE.md).
-Standalone server is `npx knowless-server` — full Postfix + DNS +
-reverse-proxy walkthrough in [`OPS.md`](OPS.md).
+## Operator commitments
 
-## First customer: addypin
+By choosing knowless, you commit to running:
 
-[`addypin`](https://github.com/hamr0/addypin) — location-sharing
-service in the same hermit-architecture lineage — adopted knowless
-as its auth+mail layer. The integration delta:
+- **Postfix** (or another MTA) on the same host, outbound-only
+- **SPF, DKIM, PTR** records for your sending domain
+- **Outbound port 25** open (some clouds block it)
+- A **null-route** for the configured `shamRecipient` so silent-miss
+  sham mail drops, not bounces
 
-- **~1,150 lines of bespoke auth/mail code removed** (custom mailer,
-  inbound CLI, login plumbing, pin-confirmation state machine, email
-  fingerprinting helpers, the matching test files)
-- **~35 lines of knowless wiring added**
-- **~33× reduction** on the auth/mail surface
-- **One production dep** (`nodemailer` only; v0.2.0 dropped
-  `better-sqlite3` for `node:sqlite`, the stdlib SQLite driver — no
-  C++ toolchain, no native compile, ~40 transitive packages → 2)
+Step-by-step in [`OPS.md`](OPS.md).
 
-The integration round produced the audit findings AF-7 through AF-17
-that drove v0.1.5 → v0.1.10. See [`docs/01-product/PRD.md`](docs/01-product/PRD.md)
-§17 for the full backlog.
+## Threat model — one paragraph
 
-## Operator commitments
+**Defends well:** DB-only leaks (handles are HMAC-salted),
+plaintext-email exfiltration (none persisted), password reuse (no
+passwords), silent email enumeration via the login form (timing-
+equivalent + same response shape), email-bombing a target (per-handle
+token cap), naive bots (honeypot), account-creation spam (per-IP
+caps), replay attacks (atomic mark-token-used), open redirects
+(`next_url` whitelist), CSRF on POST endpoints (Origin/Referer
+whitelist).
 
-By choosing knowless, you commit to:
-
-- Running your own server with **Postfix** (or another MTA) installed
-  for outbound-only mail
-- Setting up **SPF, DKIM, and PTR** for your sending domain
-- Verifying **outbound port 25** is open (some clouds block it)
-- A **null-route entry** for the configured `shamRecipient` so
-  silent-miss sham mail is dropped, not bounced
-- Accepting that the magic link is the **only email** your service
-  ever sends
-
-Step-by-step in [`OPS.md`](OPS.md): Postfix install, null-route,
-SPF/DKIM/PTR/DMARC, systemd unit, Caddy / nginx / Traefik
-forward-auth examples, Tailscale pattern, reverse-proxy rate
-limiting, fail2ban / Turnstile, multi-process deployments, MailHog
-dev workflow, backups.
-
-## Documentation
-
-- [**`GUIDE.md`**](GUIDE.md) — start here. Adopter walkthrough,
-  install, six-line example, both modes worked end-to-end,
-  configuration reference, FAQ, troubleshooting.
-- [**`knowless.context.md`**](knowless.context.md) — dense reference
-  for AI agents and humans-in-a-hurry. Public API table, all options,
-  18 gotchas, lifecycles, the sham-work pattern, threat model
-  summary.
-- [`OPS.md`](OPS.md) — operator setup, fresh VPS to working forward-auth.
-- [`CHANGELOG.md`](CHANGELOG.md) — version history.
-- [`docs/01-product/PRD.md`](docs/01-product/PRD.md) — product
-  requirements, threat model, decisions log, NO-GO table, audit
-  findings backlog.
-- [`docs/02-design/SPEC.md`](docs/02-design/SPEC.md) — wire formats,
-  algorithms, byte layouts (reimplementation-grade).
-
-## Threat model (one-paragraph)
-
-Honest version (full detail in [PRD §12](docs/01-product/PRD.md)):
-
-**Defends well:** DB-only leaks, plaintext-email exfiltration, password
-reuse / credential stuffing, silent email enumeration (timing-
-equivalent within 1ms locally), email-bombing a target, naive bot
-traffic, account-creation spam, replay attacks, open redirects, CSRF
-on `POST /login` / `POST /logout` (Origin/Referer whitelist).
-
-**Defends partially:** HMAC-secret-only leak (allows targeted
-existence checks but not session forgery), phishing (no password to
-type into a fake site, but a phished mailbox still receives links).
+**Partially:** HMAC-secret-only leak (allows targeted existence
+checks but not session forgery), phishing (no password to type into a
+fake site, but a phished mailbox still receives links).
 
 **Does NOT defend against:** sophisticated bots that bypass the
 honeypot, distributed floods from many IPs, full server compromise,
-compromised email accounts, social engineering, insider threat at
-the operator. Layer-2 defences (Cloudflare, fail2ban, reverse-proxy
-rate-limits) belong above the library; [`OPS.md`](OPS.md) §9–§10
-covers the patterns.
+compromised email accounts, social engineering, insider threat at the
+operator. Layer-2 defences (Cloudflare, fail2ban, reverse-proxy
+rate-limits) belong above the library — patterns in
+[`OPS.md`](OPS.md).
+
+Full detail in [`knowless.context.md`](knowless.context.md) §
+"Threat model summary."
 
 ## Sibling projects
 
@@ -207,14 +155,6 @@ covers the patterns.
 - [`gitdone`](https://github.com/hamr0/gitdone) — verified email
   actions via DKIM/SPF inbound
 
-## Contributing
-
-Issues and PRs welcome at <https://github.com/hamr0/knowless>.
-
-Per the v1.0.0 walk-away framing in PRD §6.3: feature requests after
-v1.0.0 ships will be deflected to the [§14 NO-GO table](docs/01-product/PRD.md)
-or to sibling projects. The library being "done" is a feature.
-
 ## License
 
 [Apache 2.0](LICENSE) with [`NOTICE`](NOTICE) preservation. Forks

package/knowless.context.md

@@ -1,7 +1,7 @@
 # knowless -- Integration Guide
 
 > For AI assistants and developers wiring knowless into a project.
-> v0.2.1 | Node.js >= 22.5 | 1 dep (nodemailer) | Apache-2.0
+> v0.2.3 | Node.js >= 22.5 | 1 dep (nodemailer) | Apache-2.0
 
 ## What this is
 
@@ -70,7 +70,15 @@ const auth = knowless({
   // --- Required ---
   secret: '...',                      // 64-char hex; HMAC + cookie sig key
   baseUrl: 'https://app.example.com', // base for magic-link URL construction
-  from: 'auth@app.example.com',       // sender address
+  from: 'auth@app.example.com',       // bare RFC 5321 sender (envelope MAIL FROM
+                                      //   AND default From: header value)
+
+  // --- Optional sender display name (AF-27, v0.2.3) ---
+  fromName: 'addypin',                // optional. When set, From: header is
+                                      //   `<fromName> <from>` (e.g. `addypin
+                                      //   <noreply@addypin.com>`); envelope.from
+                                      //   stays bare. Validated at startup:
+                                      //   ASCII, ≤60 chars, no CR/LF, no <>".
 
   // --- Storage ---
   dbPath: './knowless.db',            // SQLite file; ':memory:' for tests
@@ -160,7 +168,7 @@ const auth = knowless({
 | `handleFromRequest` | (req) | string \| null | Programmatic session resolver for in-process middleware. Returns the handle if the cookie is valid, else null. SPEC §9.4. |
 | `deleteHandle` | (handle: string) | void | Atomic delete of handle + tokens + sessions (FR-37a, GDPR) |
 | `revokeSessions` | (handle: string) | number | Drops every session for `handle` without deleting the account ("log out everywhere"). Returns rows removed. AF-6.1. |
-| `startLogin` | ({email, nextUrl?, sourceIp?, subjectOverride?, bypassRateLimit?}) | Promise\<{handle, submitted: true}\> | Programmatic magic-link send for "use first, claim later" flows. Same 12-step sham-work as form. `subjectOverride` (AF-9) replaces `cfg.subject` per call. `bypassRateLimit: true` (AF-10) opts trusted server-side callers (CLI, cron, worker) out of IP-rate-limit accounting. SPEC §7.3a. AF-7.3. |
+| `startLogin` | ({email, nextUrl?, sourceIp?, subjectOverride?, bodyOverride?, bypassRateLimit?}) | Promise\<{handle, submitted: true}\> | Programmatic magic-link send for "use first, claim later" flows. Same 12-step sham-work as form. `subjectOverride` (AF-9) replaces `cfg.subject` per call. `bodyOverride` (AF-26, v0.2.2) is a `({url}) => string` template fn that replaces the default body — knowless still composes the URL and validates the rendered output (ASCII, URL on its own line, ≤2048 chars); `bodyFooter` still appends. `bypassRateLimit: true` (AF-10) opts trusted server-side callers (CLI, cron, worker) out of IP-rate-limit accounting. SPEC §7.3a. AF-7.3. |
 | `deriveHandle` | (email: string) | string | `HMAC-SHA256(secret, normalize(email))` using the configured secret. Normalizes input (lowercase + trim) so `Alice@X.com` and `alice@x.com` produce the same handle. Match what `startLogin` and `POST /login` compute. AF-7.4 / AF-13. |
 | `_sweep` | -- | void | Trigger one sweep tick on demand (tests, operator scripts). AF-5.3. |
 | `verifyTransport` | -- | Promise\<true\> | Probe the configured SMTP transport (v0.2.1). Resolves true on success, rejects with the underlying error. Adopters call this explicitly when they want fail-fast on misconfigured SMTP at boot — no auto-on-boot variant by design (k8s readiness probes / docker-compose ordering would fail boot for the wrong reason). AF-20. |
@@ -178,6 +186,8 @@ import {
   composeBody,      // pure: build the mail body
   validateSubject,  // pure: validate operator-supplied subject
   validateBodyFooter, // pure: validate operator-supplied footer (AF-8.2)
+  validateBodyOverride, // pure: validate per-call body override (AF-26)
+  validateFromName, // pure: validate operator-supplied From: display name (AF-27)
   renderLoginForm,  // pure: HTML5 page rendering
   normalize,        // pure: email normalization
   deriveHandle,     // pure: HMAC-SHA256(hex-decoded secret, email)
@@ -363,6 +373,21 @@ transport_maps = hash:/etc/postfix/transport
 postmap /etc/postfix/transport && systemctl reload postfix
 ```
 
+Verify the null-route is actually discarding (one-line operator
+check, no knowless code involved):
+
+```
+swaks --to null@knowless.invalid --server localhost:25 --quit-after RCPT
+journalctl -u postfix --since '1 minute ago' | grep 'discard'
+```
+
+A `discard:` line in the postfix log confirms the null-route caught
+the message. If you see `relay=` or `delivered`, the
+`transport_maps` entry isn't being applied — re-run `postmap` and
+`systemctl reload postfix`. (No `--check-null-route` CLI in
+knowless: an operator's MTA validation lives with the MTA, not
+inside a walk-away library.)
+
 ## FR-6: timing equivalence (the testable property)
 
 The library ships a CI test (`test/integration/timing.test.js`)
@@ -619,12 +644,12 @@ rate-limits) belongs above the library.
     `console.warn` if it sees `Content-Length > 0` with an empty
     body. AF-7.1.
 
-16. **Two adoption modes — Mode B (register-first) and Mode A
-    (use-first claim-later).** Mode B is the form (`auth.login`).
-    Mode A is `auth.startLogin({email, nextUrl, sourceIp})` for
-    "drop a pin, claim by email click" patterns. Both run the
-    identical 12-step sham-work flow; same FR-6 guarantee. Pick
-    per-action, not per-app.
+16. **Two adoption modes — "sign in, then do" (Mode B) and "do
+    then confirm by email" (Mode A).** Mode B is the form
+    (`auth.login`). Mode A is `auth.startLogin({email, nextUrl,
+    sourceIp})` for "drop a pin, claim by email click" patterns.
+    Both run the identical 12-step sham-work flow; same FR-6
+    guarantee. Pick per-action, not per-app.
 
 17. **Secret is hex-decoded (AF-8.1, since v0.1.6).** Pass a
     64-char lowercase hex string; knowless decodes to 32 raw bytes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "knowless",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "Small, opinionated, full-stack passwordless auth for Node.js services that don't need to email their users for anything but the sign-in link.",
   "type": "module",
   "main": "./src/index.js",

package/src/handlers.js

@@ -2,7 +2,7 @@ import crypto from 'node:crypto';
 import { normalize, deriveHandle } from './handle.js';
 import { issueToken, hashToken } from './token.js';
 import { newSid, signSession, verifySessionSignature } from './session.js';
-import { composeBody, validateSubject } from './mailer.js';
+import { composeBody, validateSubject, validateBodyOverride } from './mailer.js';
 import { renderLoginForm } from './form.js';
 import {
   buildTrustedPeers,
@@ -256,7 +256,14 @@ export function createHandlers({ store, mailer, config, events }) {
    *   handle is null only when the email failed to normalize (programmer
    *   bug for startLogin; same-shape silent for /login).
    */
-  async function runSendLink({ emailRaw, nextRaw, sourceIp, subject, bypassRateLimit = false }) {
+  async function runSendLink({
+    emailRaw,
+    nextRaw,
+    sourceIp,
+    subject,
+    bodyOverride,
+    bypassRateLimit = false,
+  }) {
     // Step 1: parse + normalize
     let emailNorm;
     try {
@@ -343,13 +350,31 @@ export function createHandlers({ store, mailer, config, events }) {
     // hammering of a single handle without per-event identity leakage.
     if (evicted > 0) ev.rateLimitHit();
 
-    const mailBody = composeBody({
-      tokenRaw: token.raw,
-      baseUrl: cfg.baseUrl,
-      linkPath: cfg.linkPath,
-      lastLoginAt,
-      bodyFooter: cfg.bodyFooter,
-    });
+    // AF-26: per-call body override for startLogin (Mode A). When
+    // provided, the adopter's template function receives the composed
+    // magic-link URL and returns the full body text. Same submit path,
+    // same sham work, same FR-6 timing equivalence — just lets adopters
+    // phrase the body to match per-call subjects (pin confirmation,
+    // login, expiry warning). bodyFooter still appends; lastLogin line
+    // does not (override is full-content replacement).
+    let mailBody;
+    if (typeof bodyOverride === 'function') {
+      const url = `${cfg.baseUrl}${cfg.linkPath}?t=${token.raw}`;
+      const rendered = bodyOverride({ url });
+      validateBodyOverride(rendered, url); // throws on invalid
+      mailBody = rendered;
+      if (cfg.bodyFooter) {
+        mailBody += `\n-- \n${cfg.bodyFooter}\n`;
+      }
+    } else {
+      mailBody = composeBody({
+        tokenRaw: token.raw,
+        baseUrl: cfg.baseUrl,
+        linkPath: cfg.linkPath,
+        lastLoginAt,
+        bodyFooter: cfg.bodyFooter,
+      });
+    }
 
     // AF-9: programmatic callers may override the subject per call
     // (addypin sends confirmation / login / expiry-warning all via
@@ -454,6 +479,7 @@ export function createHandlers({ store, mailer, config, events }) {
     nextUrl,
     sourceIp = '',
     subjectOverride,
+    bodyOverride,
     bypassRateLimit = false,
   } = {}) {
     // Programmer-error guards (AF-7.3). These DO throw; they're not
@@ -480,11 +506,20 @@ export function createHandlers({ store, mailer, config, events }) {
       validateSubject(subjectOverride); // throws on invalid
       subject = subjectOverride;
     }
+    // AF-26: per-call body override. The function is called inside
+    // runSendLink with the composed magic-link URL; its return value
+    // is validated by validateBodyOverride(). The arg-type check
+    // happens here at the API edge so a non-function bodyOverride
+    // fails fast, before any token is minted.
+    if (bodyOverride !== undefined && bodyOverride !== null && typeof bodyOverride !== 'function') {
+      throw new Error('startLogin: bodyOverride must be a function when provided');
+    }
     const { handle } = await runSendLink({
       emailRaw: email,
       nextRaw: nextUrl ?? null,
       sourceIp,
       subject,
+      bodyOverride,
       bypassRateLimit,
     });
     // Same-shape return: rate-limit / sham / real all collapse here.

package/src/index.js

@@ -34,7 +34,13 @@ function safeHook(fn, label) {
  * @typedef {Object} KnowlessOptions
  * @property {string} secret           HMAC secret, ≥64 hex chars (32 bytes). FR-47, FR-48.
  * @property {string} baseUrl          Public base URL for magic links.
- * @property {string} from             Sender email address.
+ * @property {string} from             Sender email address (bare RFC 5321
+ *   MAIL FROM and default From: header value).
+ * @property {string} [fromName]       Optional RFC 5322 display name for
+ *   the From: header (AF-27, v0.2.3). When set, recipients see
+ *   `<fromName> <from>` in the From: header (e.g. `addypin
+ *   <noreply@addypin.com>`); SMTP envelope sender stays bare.
+ *   Validated at factory startup (ASCII, ≤60 chars, no CR/LF/<>).
  * @property {string} [dbPath='./knowless.db']
  * @property {string} [cookieDomain]   Defaults to baseUrl's hostname.
  * @property {number} [tokenTtlSeconds=900]
@@ -136,6 +142,7 @@ export function knowless(options = {}) {
     options.mailer ??
     createMailer({
       from: options.from,
+      fromName: options.fromName,
       smtpHost: options.smtpHost,
       smtpPort: options.smtpPort,
       transportOverride: options.transportOverride,
@@ -273,7 +280,14 @@ export function knowless(options = {}) {
 }
 
 export { createStore } from './store.js';
-export { createMailer, composeBody, validateSubject, validateBodyFooter } from './mailer.js';
+export {
+  createMailer,
+  composeBody,
+  validateSubject,
+  validateBodyFooter,
+  validateBodyOverride,
+  validateFromName,
+} from './mailer.js';
 export { createHandlers } from './handlers.js';
 export { renderLoginForm } from './form.js';
 export { normalize, deriveHandle, secretBytes } from './handle.js';

package/src/mailer.js

@@ -12,13 +12,17 @@ const ASCII_RE = /^[\x00-\x7f]*$/;
  * the SMTP submission transport.
  *
  * @param {object} args
- * @param {string} args.from
+ * @param {string} args.from               bare RFC 5321 MAIL FROM address
+ * @param {string} [args.fromName]         optional RFC 5322 display name
+ *   (AF-27). When set, the From: header is `name <addr>`; when null/
+ *   undefined, the From: header is the bare `addr`. envelope.from
+ *   (caller-side) always uses the bare address.
  * @param {string} args.to
  * @param {string} args.subject
  * @param {string} args.body  ASCII-only plain text
  * @returns {string} RFC822 message with CRLF line endings
  */
-function composeRaw({ from, to, subject, body }) {
+function composeRaw({ from, fromName, to, subject, body }) {
   // AF-2.1: header-injection defense in depth. normalize() upstream
   // already rejects \r and \n in email addresses, but the mailer
   // shouldn't trust its callers — this is the layer that emits the
@@ -35,11 +39,19 @@ function composeRaw({ from, to, subject, body }) {
       throw new Error(`mailer: ${name} contains CR/LF — header injection blocked`);
     }
   }
+  // AF-27: defensive re-check on fromName (createMailer already validated
+  // at startup, but composeRaw owns the wire-format invariant).
+  if (fromName != null && fromName !== '') {
+    if (typeof fromName !== 'string' || /[\r\n<>"]/.test(fromName)) {
+      throw new Error('mailer: fromName contains forbidden characters');
+    }
+  }
   const fromDomain = from.includes('@') ? from.split('@').pop() : 'localhost';
   const messageId = `<${crypto.randomUUID()}@${fromDomain}>`;
   const date = new Date().toUTCString();
+  const fromHeader = fromName ? `${fromName} <${from}>` : from;
   const headers = [
-    `From: ${from}`,
+    `From: ${fromHeader}`,
     `To: ${to}`,
     `Subject: ${subject}`,
     `Date: ${date}`,
@@ -139,6 +151,111 @@ export function composeBody({ tokenRaw, baseUrl, linkPath, lastLoginAt, bodyFoot
   return body;
 }
 
+/**
+ * Validate a body produced by `startLogin`'s `bodyOverride` template
+ * function (AF-26). The override lets adopters phrase the email body
+ * to match per-call subjects (pin confirmation, login, etc.) without
+ * losing knowless's URL-composition / sham-work / 7bit invariants.
+ *
+ * Constraints (deliberately strict to preserve the v0.11 POC URL-line
+ * invariant — QP soft-breaks WILL break the magic link):
+ *   - non-empty string
+ *   - ≤ 2048 chars (operator-side overflow guard)
+ *   - ASCII only (0x00–0x7F). This excludes typographic punctuation
+ *     that adopters reach for out of habit:
+ *       em/en dashes (— –)        → use - or --
+ *       smart quotes (" " ' ')    → use " and '
+ *       ellipses (…)              → use ...
+ *       middle dots (·)           → use | or -
+ *     The constraint preserves 7bit transfer encoding; non-ASCII
+ *     would force quoted-printable, which can soft-break the URL
+ *     line and break the link.
+ *   - no CR (LF allowed; defense-in-depth header-injection guard)
+ *   - the magic-link URL appears EXACTLY ONCE
+ *   - that occurrence is on its own line (no leading or trailing
+ *     non-newline characters on the same line)
+ *
+ * Throws on any violation. Adopter is responsible for the rest of
+ * the body content (security advice, expiry hint, etc.); knowless
+ * does not enforce semantic content.
+ *
+ * @param {unknown} body
+ * @param {string} url  the magic-link URL knowless composed
+ * @returns {void} throws on invalid
+ */
+export function validateBodyOverride(body, url) {
+  if (typeof body !== 'string' || body.length === 0) {
+    throw new Error('bodyOverride must return a non-empty string');
+  }
+  if (body.length > 2048) {
+    throw new Error('bodyOverride must return ≤ 2048 chars');
+  }
+  if (!ASCII_RE.test(body)) {
+    throw new Error('bodyOverride must return ASCII');
+  }
+  if (body.includes('\r')) {
+    throw new Error('bodyOverride must not contain CR (header-injection defense)');
+  }
+  const occurrences = body.split(url).length - 1;
+  if (occurrences === 0) {
+    throw new Error('bodyOverride must include the magic-link URL exactly once');
+  }
+  if (occurrences > 1) {
+    throw new Error('bodyOverride must include the magic-link URL exactly once');
+  }
+  const lines = body.split('\n');
+  const ownLineCount = lines.filter((l) => l === url).length;
+  if (ownLineCount !== 1) {
+    throw new Error(
+      'bodyOverride must place the magic-link URL on its own line ' +
+        '(preserves the 7bit URL-line invariant; QP soft-breaks would break the link)',
+    );
+  }
+}
+
+/**
+ * Validate the operator-supplied display name for the `From:` header
+ * (AF-27, v0.2.3). knowless splits the bare envelope sender (RFC 5321
+ * MAIL FROM) from the RFC 5322 `From:` header, allowing operators to
+ * brand the inbox preview as `addypin <noreply@addypin.com>` rather
+ * than the bare `noreply@addypin.com` (which most clients display as
+ * the local-part "noreply").
+ *
+ * Constraints (deliberately strict — same trap as bodyOverride for
+ * typographic punctuation):
+ *   - ≤ 60 chars (same ballpark as Subject)
+ *   - ASCII only (0x00–0x7F). Excludes em/en dashes, smart quotes,
+ *     ellipses, middle dots. Use plain ASCII equivalents.
+ *   - No CR / LF (header-injection defense; same invariant as
+ *     composeRaw enforces on `from` / `to` / `subject`)
+ *   - No `<` / `>` / `"` (would break the `name <addr>` quoting)
+ *
+ * Returns the validated string (or `null` for null/empty input, so
+ * callers can pass through). Throws on violation.
+ *
+ * @param {unknown} name
+ * @returns {string|null}
+ */
+export function validateFromName(name) {
+  if (name == null || name === '') return null;
+  if (typeof name !== 'string') {
+    throw new Error('fromName must be a string when provided');
+  }
+  if (name.length > 60) {
+    throw new Error('fromName must be ≤ 60 chars');
+  }
+  if (!ASCII_RE.test(name)) {
+    throw new Error('fromName must be ASCII (no em-dashes, smart quotes, ellipses, etc.)');
+  }
+  if (/[\r\n]/.test(name)) {
+    throw new Error('fromName must not contain CR/LF (header-injection defense)');
+  }
+  if (/[<>"]/.test(name)) {
+    throw new Error('fromName must not contain < > or " (would break From: header quoting)');
+  }
+  return name;
+}
+
 /**
  * Validate operator-overridden subject per SPEC §12.5.
  * Throws on invalid; warns (returns warnings array) on suspicious-but-allowed.
@@ -171,18 +288,24 @@ export function validateSubject(subject) {
  * with streamTransport:true) to capture the raw bytes without an MTA.
  *
  * @param {object} cfg
- * @param {string} cfg.from           sender, e.g. 'auth@app.example.com'
+ * @param {string} cfg.from           bare RFC 5321 sender address (envelope
+ *   MAIL FROM AND default From: header value when fromName is unset)
+ * @param {string} [cfg.fromName]     AF-27 (v0.2.3). Optional RFC 5322
+ *   display name. When set, the From: header is `name <addr>`; envelope
+ *   sender stays bare. Validated by validateFromName() at startup.
  * @param {string} [cfg.smtpHost='localhost']
  * @param {number} [cfg.smtpPort=25]
  * @param {object} [cfg.transportOverride] for tests
- * @returns {{ submit(args: {to:string, subject:string, body:string}): Promise<any>, close(): void }}
+ * @returns {{ submit(args: {to:string, subject:string, body:string}): Promise<any>, verify(): Promise<true>, close(): void }}
  */
 export function createMailer(cfg) {
-  const { from, smtpHost = 'localhost', smtpPort = 25, transportOverride } = cfg;
+  const { from, fromName, smtpHost = 'localhost', smtpPort = 25, transportOverride } = cfg;
   if (typeof from !== 'string' || from.length === 0) {
     throw new Error('mailer: from is required');
   }
   if (!ASCII_RE.test(from)) throw new Error('mailer: from must be ASCII');
+  // AF-27: validate display name at startup; fail-fast.
+  const validatedFromName = validateFromName(fromName);
 
   const transport =
     transportOverride ??
@@ -215,7 +338,9 @@ export function createMailer(cfg) {
       if (!ASCII_RE.test(body)) {
         throw new Error('mailer: body must be ASCII');
       }
-      const raw = composeRaw({ from, to, subject, body });
+      // AF-27: From: header may include display name; envelope.from
+      // stays bare (RFC 5321 MAIL FROM doesn't allow display names).
+      const raw = composeRaw({ from, fromName: validatedFromName, to, subject, body });
       return transport.sendMail({
         envelope: { from, to: [to] },
         raw,