pending-dns 1.2.5 → 1.3.0

package/.github/codeql/codeql-config.yml

@@ -0,0 +1,11 @@
+name: "PendingDNS CodeQL config"
+
+# Exclude code that is not part of the production runtime from analysis.
+# These paths generate only false-positive noise:
+#   - the test suite intentionally disables TLS verification and resolves
+#     throwaway domains
+#   - the example scripts are developer helpers, not shipped code
+paths-ignore:
+    - test
+    - '**/test/**'
+    - example

package/.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '40 17 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Skip release-please's auto-generated release PR: it only changes CHANGELOG/version,
+    # so there is no new code to scan. (Matches the guard in test.yml.)
+    if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
+    runs-on: ubuntu-latest
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/codeql/codeql-config.yml
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

package/.github/workflows/deploy.yml

@@ -5,14 +5,27 @@ on:
 
 name: Deploy instance
 
+permissions:
+    contents: read
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
 jobs:
     deploy:
         name: Deploy
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        timeout-minutes: 15
 
         steps:
             - name: Checkout
-              uses: actions/checkout@v2
+              uses: actions/checkout@v6
+
+            - name: Use Node.js 24
+              uses: actions/setup-node@v6
+              with:
+                  node-version: 24
 
             - name: Install SSH key
               uses: shimataro/ssh-key-action@v2
@@ -29,7 +42,7 @@ jobs:
               id: deploy
               run: |
                   echo $GITHUB_SHA > commit.txt
-                  npm install --production
+                  npm install --omit=dev
                   tar czf /tmp/${SERVICE_NAME}.tar.gz --exclude .git .
                   scp /tmp/${SERVICE_NAME}.tar.gz deploy@${TARGET_HOST_01}:
                   scp /tmp/${SERVICE_NAME}.tar.gz deploy@${TARGET_HOST_02}:

package/.github/workflows/release.yaml

@@ -0,0 +1,43 @@
+on:
+    push:
+        branches:
+            - master
+
+permissions:
+    contents: write
+    pull-requests: write
+    id-token: write
+
+name: Manage Release
+jobs:
+    release_please:
+        name: Create or prepare release
+        runs-on: ubuntu-24.04
+        outputs:
+            major: ${{ steps.release.outputs.major }}
+            minor: ${{ steps.release.outputs.minor }}
+            patch: ${{ steps.release.outputs.patch }}
+            release_created: ${{ steps.release.outputs.release_created }}
+        steps:
+            # Uses release-please-config.json and .release-please-manifest.json
+            # from the repository root (manifest mode).
+            - uses: googleapis/release-please-action@v4
+              id: release
+
+    publish:
+        name: Publish NPM package
+        runs-on: ubuntu-24.04
+        needs: release_please
+        if: ${{ needs.release_please.outputs.release_created }}
+        permissions:
+            contents: read
+            # Required for npm provenance / OIDC trusted publishing.
+            id-token: write
+        steps:
+            - uses: actions/checkout@v6
+            - uses: actions/setup-node@v6
+              with:
+                  node-version: 24
+                  registry-url: "https://registry.npmjs.org"
+            - run: npm ci
+            - run: npm publish --provenance --access public

package/.github/workflows/test.yml

@@ -0,0 +1,75 @@
+name: Run Tests
+
+on:
+    push:
+    pull_request:
+
+permissions:
+    contents: read
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
+jobs:
+    # Skip CI for release-please's auto-generated release PR / branch: it only bumps the
+    # version + CHANGELOG (no code change), so re-running the suite is wasted work.
+    license_check:
+        name: License Compliance Check
+        if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
+        runs-on: ubuntu-24.04
+        timeout-minutes: 10
+        steps:
+            - uses: actions/checkout@v6
+            - name: Use Node.js 24
+              uses: actions/setup-node@v6
+              with:
+                  node-version: 24
+                  cache: npm
+            - run: npm install
+            - name: Run License Checks
+              run: npm run licenses
+
+    lint:
+        name: Lint
+        if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
+        runs-on: ubuntu-24.04
+        timeout-minutes: 10
+        steps:
+            - uses: actions/checkout@v6
+            - name: Use Node.js 24
+              uses: actions/setup-node@v6
+              with:
+                  node-version: 24
+                  cache: npm
+            - run: npm install
+            - name: Run ESLint
+              run: npm run lint
+
+    unit:
+        name: Unit Tests
+        if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
+        runs-on: ubuntu-24.04
+        timeout-minutes: 10
+        services:
+            redis:
+                image: redis
+                options: >-
+                    --health-cmd "redis-cli ping"
+                    --health-interval 10s
+                    --health-timeout 5s
+                    --health-retries 5
+                ports:
+                    - 6379:6379
+        steps:
+            - uses: actions/checkout@v6
+            - name: Use Node.js 24
+              uses: actions/setup-node@v6
+              with:
+                  node-version: 24
+                  cache: npm
+            - run: npm install
+            - name: Run tests
+              run: npm test
+              env:
+                  NODE_ENV: test

package/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+    ".": "1.3.0"
+}

package/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+## [1.3.0](https://github.com/postalsys/pending-dns/compare/pending-dns-v1.2.5...pending-dns-v1.3.0) (2026-06-18)
+
+
+### Features
+
+* replace Bugsnag with self-hosted Sentry error reporting ([3b374c7](https://github.com/postalsys/pending-dns/commit/3b374c737ff0a22509f79976bee18ab9d425f8bd))

package/CLAUDE.md

@@ -0,0 +1,97 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+PendingDNS is a lightweight, API-driven **authoritative** DNS server (UDP + TCP), bundled with a REST API for managing zone records, a public HTTP/HTTPS redirect/proxy server, automatic Let's Encrypt certificate generation, and periodic health checks. All state lives in Redis.
+
+## Commands
+
+```bash
+npm start          # run the whole app (node server.js)
+npm test           # run the test suite (requires a local Redis on 127.0.0.1:6379)
+npm run lint       # ESLint 9 (flat config: eslint.config.js)
+npm run licenses   # regenerate licenses.txt (license-report)
+```
+
+Running the app or tests requires a reachable Redis and a config with a valid `acme.email` (the bootstrap in `server.js` exits otherwise). For local runs, either set it in `config/development.toml` or pass `--acme.email=you@example.com`.
+
+### Tests
+
+- Built on the Node.js built-in test runner (`node:test`). `npm test` runs `NODE_ENV=test node --test --test-force-exit --test-concurrency=1 test/*.test.js`.
+- `NODE_ENV=test` loads `config/test.toml`, which points Redis at a **dedicated database (db 15)**. `test/helpers.js#flushTestDb` wipes db 15 between cases and **refuses to run unless the Redis URL ends in `/15`** — so tests never touch dev (db 2) or prod data. Always run tests with `NODE_ENV=test`.
+- `--test-concurrency=1` is required because all test files share db 15. `--test-force-exit` is required because requiring `lib/db` opens persistent ioredis connections; every test file must also call `closeDb()` in an `after()` hook or the process hangs.
+- Some `cached-resolver`/`dns-server` tests do real DNS lookups (e.g. `one.one.one.one`); they are written to skip or tolerate missing network.
+
+Run a single file or filter by test name:
+
+```bash
+NODE_ENV=test node --test --test-force-exit test/zone-store.test.js
+NODE_ENV=test node --test --test-force-exit --test-name-pattern="wildcard" test/*.test.js
+```
+
+### Building standalone executables
+
+Executables are built with `@yao-pkg/pkg` (the maintained `pkg` fork) via the `pkg` block in `package.json`, targeting node24. The org-wide `../emailengine-api/upload.sh <repo>` script installs `@yao-pkg/pkg` globally, then runs `npm run build-source` followed by `npm run build-dist` (or `build-dist-fast` for an unsigned test build) and signs/notarizes/uploads the artifacts. Output binaries are named `pending-dns-<target>` under `ee-dist/`.
+
+Because workers are loaded through **dynamic `require()` / `worker_threads`** (see below), `pkg.scripts` must list `lib/**/*.js` and `workers/**/*.js` or the worker code is missing from the snapshot. Runtime files read via `__dirname` (`lib/lua/health.lua`, `config/*.pem`) must be in `pkg.assets`. Do **not** add `pkg.options` like `max_old_space_size`: the workers forward `argv`, and an injected V8 flag leaks in as a bogus module path and crashes every worker.
+
+## Architecture
+
+### Process model (the most important thing to understand)
+
+`server.js` is the supervisor. For each enabled subsystem (`api`, `dns`, `public`, `health`) it spawns a **worker thread** running `workers/<type>.js`, and restarts it on exit. Each `workers/<type>.js` is itself a small bootstrap that:
+
+1. installs crash handlers + optional Sentry error reporting via `lib/sentry.js#initSentry` (only when `SENTRY_DSN` / `[sentry] dsn` is set; uses Sentry's uncaught-exception / unhandled-rejection integrations so crashes are reported, then `closeProcess`'s `if (!logger.errorReportingEnabled)` lets Sentry flush+exit),
+2. uses Node `cluster` to fork `config[type].workers` processes (or runs in-thread when `workers === 1` and no user/group drop is configured),
+3. dynamically `require`s the implementation: ``require(`../lib/${type}-server.js`)`` (or `-worker.js` for `health`) and calls it,
+4. drops privileges via `config.process.user`/`group` after ports are bound.
+
+So `lib/<type>-server.js` are entry points reached **only through dynamic requires** — static analysis (and `pkg`) won't find them. The implementations are: `lib/api-server.js`, `lib/dns-server.js`, `lib/public-server.js`, `lib/health-worker.js`.
+
+### Configuration (`wild-config`)
+
+Config is loaded by `wild-config` from `config/default.toml` merged with `config/<NODE_ENV>.toml`, then overridden by CLI args (`--dns.port=53`) and `appconf_*` env vars. `NODE_CONFIG_PATH` points to an external file in production (see `systemd/pending-dns.service`). Values are coerced to the type of the default (a string env var for a numeric default becomes a number). Config is read from `process.cwd()/config`, **not** from `__dirname` — relevant for packaged binaries, which need a `config/` directory next to them.
+
+### Redis data model (`lib/zone-store.js`)
+
+This is the heart of the system and is non-obvious:
+
+- **Domain names are stored label-reversed**: `www.example.com` → `com.example.www` (`domainToName`/`nameToDomain`). This lets `resolveZone` walk *up* from a name to its registered zone by progressively dropping the most-specific label. A "zone" is any name with a `d:<name>:z` set; the shortest possible zone is the 2-label boundary (e.g. `example.com`).
+- Keys: `d:<name>:z` is a **set of record keys** belonging to that zone; `d:<name>:r:<TYPE>` is a **hash** of `hid → JSON.stringify(valueArray)`. Each record's value is a positional array whose meaning depends on type (e.g. A = `[address, healthCheckUri]`, MX = `[exchange, priority]`, CAA = `[value, tag, flags]`, URL = `[url, code, proxy]`).
+- A record's public **ID is `base64url(name \x01 TYPE \x01 hid)`** (`getFullId`/`parseFullId`); `hid` is a `nanoid()`. IDs are opaque and stable only while domain+type are unchanged (an `update` that changes either deletes and re-adds, producing a new ID).
+- **Wildcards** are single-label: a record stored under subdomain `*.foo` matches `anything.foo.<zone>` only (`resolve` retries with the last label replaced by `*`).
+- **Read/write split**: reads go to `db.redisRead`, writes to `db.redisWrite` (configurable as separate master/replica URLs). The health-check Lua script `lib/lua/health.lua` is registered as a custom command `nextHealth` on the write client.
+
+### DNS request handling (`lib/dns-handler.js` + custom servers)
+
+`lib/dns-udp-server.js` and `lib/dns-tcp-server.js` are hand-rolled servers that parse/serialize with `dns2`'s `Packet` (the project does **not** use dns2's built-in server). `lib/dns-server.js` wires them to `dnsHandler` and returns the bound server handles.
+
+`processQuestion` does more than a lookup: for an A/AAAA query it also pulls `CNAME`, `ANAME`, and `URL` records; it follows CNAME chains recursively (depth-limited); A/AAAA results are health-filtered and shuffled; MX is priority-sorted. When nothing is stored it synthesizes fallbacks — `NS` from `config.ns`, a `SOA` from `config.soa`, default Let's Encrypt `CAA` records, and `version.bind`-style CHAOS TXT answers.
+
+Two pseudo-record types: **ANAME** (apex alias) is resolved to real A/AAAA at query time via `lib/cached-resolver.js` (a Redis-cached wrapper over Node's `dns.Resolver`, with soft/hard TTLs for both hits and errors). **URL** records answer A/AAAA with the redirect server IPs from `config.public.hosts`; the actual redirect/proxy happens in `lib/public-server.js`.
+
+### Certificates & the public server
+
+`lib/certs.js` issues Let's Encrypt certs via the **dns-01** challenge, using the zone store itself as the ACME DNS provider (it writes/reads the `_acme-challenge` TXT records). Concurrent issuance is guarded with an `ioredfour` Redis lock; results and a per-domain renewal lock are cached in Redis. `lib/public-server.js` uses an SNI callback to load the right cert per hostname (falling back to a bundled self-signed cert in `config/`), then serves URL-record redirects or reverse-proxies (`proxy=true`), with TLS session tickets stored in Redis.
+
+### Testability seams
+
+Production code exposes hooks used only by tests: `lib/api-server.js` exports `createServer()` (build the Hapi server without `start()`, for `server.inject()`); `lib/dns-server.js`'s `init()` awaits binding and returns `{ udpServer, tcpServer }`; `lib/dns-handler.js` and `lib/certs.js` attach a `.testables` object to their exported function.
+
+## CI / release
+
+GitHub Actions mirror the `postalsys/emailengine` conventions and run on Node 24: `test.yml` (license check + lint + tests with a Redis service), `codeql.yml`, and `release.yaml` (release-please in manifest mode — see `release-please-config.json` + `.release-please-manifest.json`; publishes to npm via OIDC trusted publishing, which must be configured registry-side). `deploy.yml` tarballs the repo and ships it to the two name servers. Security policy lives in `SECURITY.md` + a GPG-signed `SECURITY.txt`.
+
+## Commit conventions
+
+- Use **Conventional Commits** (`feat:`, `fix:`, `chore:`, `docs:`, `refactor:`, `ci:`, etc.). release-please derives the version bump and `CHANGELOG.md` from these prefixes, so `feat:`/`fix:` commits landing on `master` are what open a release PR.
+- **Do not** add Claude (or any AI assistant) as a co-author / co-contributor in commit messages.
+- For commits that do not change runtime behaviour (docs, comments, CI/workflow tweaks, formatting), append `[skip ci]` to the commit message to avoid triggering the workflows. **Exception:** never add `[skip ci]` to a `feat:`/`fix:` commit — those must run so the release workflow fires.
+- Run `npm run lint` and `npm test` before committing (the test run needs a local Redis; see the Tests section).
+- After pushing, check the workflow runs (`gh run list --branch <branch>`) and report their status. If a run fails for an unrelated infrastructure reason (auth errors, HTTP 403, "account suspended"), check <https://www.githubstatus.com/> for an active incident before assuming the change is at fault.
+
+## Code style
+
+- No emojis in code or documentation — printable ASCII only.
+- Use a single hyphen-minus (`-`) as a dash in user-facing strings and docs; never em dashes, en dashes, or double hyphens (`--`).
+- Never swallow errors at the global `uncaughtException` / `unhandledRejection` handlers to keep a worker alive — those handlers are the last line of defence and the worker is expected to exit. Fix the error at its source (add the missing `try/catch`, `.catch()`, or `error` listener at the call site) instead.

package/README.md

@@ -25,13 +25,13 @@ Lightweight API driven Authoritative DNS server.
 
 ## Requirements
 
--   **Node.js**, preferrably v12+
+-   **Node.js**, v18 or newer
 -   **Redis**, any version should do as only basic commands are used
 
 ## Usage
 
 ```
-$ npm install --production
+$ npm install --omit=dev
 $ npm start
 ```
 
@@ -45,9 +45,9 @@ As root run the following commands to set up PendingDNS:
 
 ```
 $ cd /opt
-$ git clone git://github.com/postalsys/pending-dns.git
+$ git clone https://github.com/postalsys/pending-dns.git
 $ cd pending-dns
-$ npm install --production
+$ npm install --omit=dev
 $ cp systemd/pending-dns.service /etc/systemd/system
 $ cp config/default.toml /etc/pending-dns.toml
 ```
@@ -110,6 +110,28 @@ Without proper setup domain registrars do not allow your name server domain name
 
 ![](https://cldup.com/l0U6jc5pfM.png)
 
+## Development
+
+Install all dependencies (including dev dependencies):
+
+```
+$ npm install
+```
+
+### Tests
+
+The test suite runs with the built-in Node.js test runner and needs a **local Redis** instance listening on `127.0.0.1:6379`. Tests use a dedicated database (`db 15`) which is flushed between runs, so it does not touch development or production data.
+
+```
+$ npm test
+```
+
+### Linting
+
+```
+$ npm run lint
+```
+
 ## API
 
 You can see the entire API docs from the swagger page at http://127.0.0.1:5080/docs
@@ -203,7 +225,8 @@ All record types have the following properties
 **CAA**
 
 -   **value** is the domain name of the provider, eg. `letsencrypt.org`
--   **tag** is the CAA tag, eg. `issue` or `issuewild`
+-   **tag** is the CAA tag, one of `issue`, `issuewild` or `iodef`
+-   **flags** (Number, default is `0`) is the CAA flags octet (0-255)
 
 **URL**
 

package/SECURITY.md

@@ -0,0 +1,88 @@
+# Security Policy
+
+PendingDNS is a lightweight, API-driven authoritative DNS server. It also runs a
+public HTTP/HTTPS redirect/proxy server and generates Let's Encrypt certificates
+over an ACME flow, and it stores all zone data in Redis. Because it is exposed to
+untrusted DNS and HTTP traffic and handles certificate private keys, we take
+security reports seriously and aim to respond quickly.
+
+## Supported Versions
+
+Security fixes are released only against the latest version. We do not backport
+patches to older releases - upgrading to the current release line is the
+supported way to receive security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x     | :white_check_mark: |
+| < 1.0   | :x:                |
+
+If you are on an older version, please upgrade. See the release notes at
+<https://github.com/postalsys/pending-dns/releases> before updating.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues,
+pull requests, or discussions.**
+
+Report privately through one of the following channels:
+
+1. **GitHub Security Advisories (preferred).** Open a private report at
+   <https://github.com/postalsys/pending-dns/security/advisories/new>. This keeps
+   the discussion private until a fix is published and lets us credit you.
+2. **Email.** Send details to **andris@postalsys.com** (the contact listed in
+   [`SECURITY.txt`](SECURITY.txt)). Encrypt sensitive details if possible using
+   the key referenced there.
+
+When reporting, please include as much of the following as you can:
+
+- The affected version(s) and environment (PendingDNS version, Node.js version,
+  OS, deployment method - npm or prebuilt binary).
+- The component involved (e.g. the UDP/TCP DNS server, the REST API, the public
+  HTTP/HTTPS redirect and proxy server, ACME certificate generation, health
+  checks, or the Redis-backed zone store).
+- A clear description of the issue and its impact (e.g. cache poisoning, DNS
+  amplification, request smuggling, SSRF via the URL/proxy records or health
+  checks, certificate mis-issuance, credential or private-key disclosure,
+  injection, information disclosure, denial of service).
+- A minimal proof of concept or reproduction steps.
+- Any suggested remediation, if you have one.
+
+We are a small team, so there is no guaranteed response time - sometimes reports
+are handled within hours, sometimes they take longer. Accepted issues are fixed
+in a new release and coordinated through a GitHub Security Advisory, and
+reporters who wish to be named are credited.
+
+## CVEs
+
+We track and disclose vulnerabilities through GitHub Security Advisories. We do
+not request or manage CVE identifiers ourselves. If you need a CVE assigned for a
+reported issue, please request one yourself - for example, through GitHub's own
+CVE request flow on the published advisory, or another CNA.
+
+## Scope
+
+In scope: the PendingDNS application source in this repository - the
+authoritative DNS server (UDP and TCP), the REST API for managing zone records,
+the public HTTP/HTTPS redirect and proxy server, ACME/Let's Encrypt certificate
+generation and storage, the health-check subsystem, and the Redis-backed zone
+store.
+
+Out of scope:
+
+- Vulnerabilities in your own application code or automation that integrates
+  with the PendingDNS API.
+- Misconfiguration of your deployment - for example, exposing the management API
+  to untrusted networks, an unauthenticated or publicly reachable Redis instance,
+  binding the DNS server in a way that enables open-resolver-style abuse, or
+  missing TLS on the API.
+- The inherent properties of plain DNS over UDP/TCP without DNSSEC (PendingDNS
+  does not implement DNSSEC, DoH, or DoT by design).
+- Issues that require an already-compromised host or pre-existing administrator
+  access.
+- Vulnerabilities in third-party services PendingDNS connects to (Let's Encrypt,
+  upstream resolvers, health-check targets).
+- Social-engineering reports and missing security headers without a
+  demonstrated, concrete impact.
+
+Thank you for helping keep PendingDNS and its users safe.

package/SECURITY.txt

@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Contact: https://github.com/postalsys/pending-dns/security/advisories/new
+Contact: mailto:andris@postalsys.com
+Expires: 2027-06-01T00:00:00.000Z
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/5D952A46E1D8C931F6364E01DC6C83F4D584D364
+Preferred-Languages: en, et
+Canonical: https://github.com/postalsys/pending-dns/blob/master/SECURITY.txt
+Policy: https://github.com/postalsys/pending-dns/blob/master/SECURITY.md
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCAA5FiEEXZUqRuHYyTH2Nk4B3GyD9NWE02QFAmozqqUbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJENxsg/TVhNNkUlUQAL8mZHOiH2ZVgsrJanW6
+58YQ5DTNfLL0CO5Qwo1j9XijmvF7dMwDsNTvQ2hDBV+Okz7mSfDBUaofgT6kIBQz
+Qk0yMyOp1Um+l4rF7/J2d/9ABBnsu4Le59Mu87qIgziLCu3YarheThiPCQvFzRfH
+A/vmGOu3/+gcHdF2GrlEk8xfFNdIqwdhuW8oTiR18WqUARe3S+wQdfumDX41gVRL
+y0Q8eGXb3j8jLXp9E21ePlPdxtIQC4fZSexd64IEKv7kuVp9vDpai0jdi5SQSmCA
+gOPp5f9jR0B6GCbRfCRYUHsrQlwOZPtCq46IGKCnrCd2wI7RHTeCUwtzOQsqod7n
+u+GE/YAZZuck9OI6oDZ3klGXUNAi5RO16ix80rybFfVA2MmNdCDHDwTmlysHli8E
+9FjakLcnF/5eH5NlH579IhQIx1exmE9Q+ZyCwaNQ2uGIujxy6bay3cxvXXeecrJM
+c0MMNgyh7CCfmHShoXfQ2JnFTlVycgqZetLySBxGzkgj5mczLKHviAjaoM3Hw2K6
+znct7z4aE0yY+tCItdIHTdPV5NxR319HZRE980h2yxt92aWmhZn/dW/4fAEwqzFU
+C6Ghu37qs9JwvyBZImH92fc9+27Xgx0Ahfb9RoXM/+TulXAdrQxcK+th9ye40GfJ
+otvIQGxzLN1kyCWhQCqusEJ4
+=QK6n
+-----END PGP SIGNATURE-----

package/bin/pending-dns.js

@@ -36,7 +36,7 @@ function run() {
 
         case 'version':
             // Show version
-            console.log(`EmailEngine v${packageData.version} (${packageData.license})`);
+            console.log(`PendingDNS v${packageData.version} (${packageData.license})`);
             return process.exit();
 
         default:

package/config/default.toml

@@ -2,6 +2,11 @@
 [log]
 level = "trace"
 
+[sentry]
+# Error reporting DSN for the self-hosted Sentry server. Leave empty to disable.
+# The production value is set via the SENTRY_DSN environment variable.
+dsn = ""
+
 [dbs]
 
 # By default all redis commands are sent against the same instance

package/config/test.toml

@@ -0,0 +1,25 @@
+# Configuration used by the automated test suite (NODE_ENV=test).
+# It is never loaded in production/development and keeps tests isolated
+# from real data by pointing Redis at a dedicated database that the test
+# setup is free to flush.
+
+[log]
+level = "silent"
+
+[dbs]
+# Dedicated Redis database for tests. The test bootstrap flushes this DB,
+# so it must not be shared with development (db 2) or production data.
+redis = "redis://127.0.0.1:6379/15"
+
+[acme]
+# A syntactically valid address is required for the server bootstrap check.
+email = "test@example.com"
+
+[dns]
+# Avoid clashing with a locally running instance if the DNS server is started.
+port = 15353
+host = "127.0.0.1"
+
+[api]
+port = 15080
+host = "127.0.0.1"

package/eslint.config.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const { FlatCompat } = require('@eslint/eslintrc');
+const js = require('@eslint/js');
+const prettier = require('eslint-config-prettier');
+
+const compat = new FlatCompat({
+    baseDirectory: __dirname,
+    recommendedConfig: js.configs.recommended,
+    allConfig: js.configs.all
+});
+
+module.exports = [
+    {
+        ignores: ['node_modules/', 'ee-dist/', 'coverage/', 'views/', '.prettierrc.js']
+    },
+
+    // Shared Nodemailer ESLint rules (eslintrc format, wrapped for flat config)
+    ...compat.extends('eslint-config-nodemailer'),
+
+    // Disable stylistic rules that conflict with Prettier
+    prettier,
+
+    {
+        languageOptions: {
+            ecmaVersion: 2023,
+            sourceType: 'commonjs'
+        },
+        rules: {
+            indent: 'off',
+            'no-await-in-loop': 'off',
+            'require-atomic-updates': 'off',
+            // Preserve the long-standing project convention of `catch (err) { /* ignore */ }`.
+            // ESLint 9 changed the no-unused-vars `caughtErrors` default to 'all'.
+            'no-unused-vars': ['error', { caughtErrors: 'none' }]
+        }
+    }
+];