spamscanner 6.0.0 → 6.1.0

package/dist/esm/cli.js

@@ -0,0 +1,4713 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// replacement-words.json
+var replacement_words_default;
+var init_replacement_words = __esm({
+  "replacement-words.json"() {
+    replacement_words_default = [
+      "url",
+      "email",
+      "number",
+      "currency",
+      "initialism",
+      "abbreviation",
+      "emoji",
+      "hexa",
+      "mac",
+      "phone",
+      "bitcoin",
+      "cc"
+    ];
+  }
+});
+
+// replacements.js
+var replacements_exports = {};
+__export(replacements_exports, {
+  default: () => replacements_default
+});
+import { debuglog as debuglog5 } from "node:util";
+import { readFileSync } from "node:fs";
+import cryptoRandomString from "crypto-random-string";
+var debug5, randomOptions, replacements, replacements_default;
+var init_replacements = __esm({
+  "replacements.js"() {
+    init_replacement_words();
+    debug5 = debuglog5("spamscanner");
+    randomOptions = {
+      length: 10,
+      characters: "abcdefghijklmnopqrstuvwxyz"
+    };
+    replacements = {};
+    try {
+      replacements = JSON.parse(readFileSync("./replacements.json", "utf8"));
+    } catch (error) {
+      debug5(error);
+      for (const replacement of replacement_words_default) {
+        replacements[replacement] = `${replacement}${cryptoRandomString(randomOptions)}`;
+      }
+    }
+    replacements_default = replacements;
+  }
+});
+
+// get-classifier.js
+var get_classifier_exports = {};
+__export(get_classifier_exports, {
+  default: () => get_classifier_default
+});
+import { debuglog as debuglog6 } from "node:util";
+import { readFileSync as readFileSync2 } from "node:fs";
+import NaiveBayes from "@ladjs/naivebayes";
+var debug6, classifier, get_classifier_default;
+var init_get_classifier = __esm({
+  "get-classifier.js"() {
+    debug6 = debuglog6("spamscanner");
+    classifier = new NaiveBayes().toJsonObject();
+    try {
+      classifier = JSON.parse(readFileSync2("./classifier.json", "utf8"));
+    } catch (error) {
+      debug6(error);
+    }
+    get_classifier_default = classifier;
+  }
+});
+
+// src/enhanced-idn-detector.js
+var enhanced_idn_detector_exports = {};
+__export(enhanced_idn_detector_exports, {
+  default: () => enhanced_idn_detector_default
+});
+import { createHash } from "node:crypto";
+import confusables from "confusables";
+var CONFUSABLE_CHARS, LEGITIMATE_IDN_DOMAINS, POPULAR_BRANDS, EnhancedIDNDetector, enhanced_idn_detector_default;
+var init_enhanced_idn_detector = __esm({
+  "src/enhanced-idn-detector.js"() {
+    CONFUSABLE_CHARS = /* @__PURE__ */ new Map([
+      // Cyrillic to Latin confusables
+      ["\u0430", "a"],
+      ["\u0435", "e"],
+      ["\u043E", "o"],
+      ["\u0440", "p"],
+      ["\u0441", "c"],
+      ["\u0445", "x"],
+      ["\u0443", "y"],
+      ["\u0410", "A"],
+      ["\u0412", "B"],
+      ["\u0415", "E"],
+      ["\u041A", "K"],
+      ["\u041C", "M"],
+      ["\u041D", "H"],
+      ["\u041E", "O"],
+      ["\u0420", "P"],
+      ["\u0421", "C"],
+      ["\u0422", "T"],
+      ["\u0425", "X"],
+      ["\u0423", "Y"],
+      // Greek to Latin confusables
+      ["\u03B1", "a"],
+      ["\u03BF", "o"],
+      ["\u03C1", "p"],
+      ["\u03C5", "u"],
+      ["\u03BD", "v"],
+      ["\u03B9", "i"],
+      ["\u0391", "A"],
+      ["\u0392", "B"],
+      ["\u0395", "E"],
+      ["\u0396", "Z"],
+      ["\u0397", "H"],
+      ["\u0399", "I"],
+      ["\u039A", "K"],
+      ["\u039C", "M"],
+      ["\u039D", "N"],
+      ["\u039F", "O"],
+      ["\u03A1", "P"],
+      ["\u03A4", "T"],
+      ["\u03A5", "Y"],
+      // Mathematical symbols
+      ["\u{1D41A}", "a"],
+      ["\u{1D41B}", "b"],
+      ["\u{1D41C}", "c"],
+      ["\u{1D41D}", "d"],
+      ["\u{1D41E}", "e"],
+      ["\u{1D7CE}", "0"],
+      ["\u{1D7CF}", "1"],
+      ["\u{1D7D0}", "2"],
+      ["\u{1D7D1}", "3"],
+      ["\u{1D7D2}", "4"],
+      // Other common confusables
+      ["\u212F", "e"],
+      ["\u210A", "g"],
+      ["\u210E", "h"],
+      ["\u2113", "l"],
+      ["\u2134", "o"],
+      ["\u212F", "e"],
+      ["\u2170", "i"],
+      ["\u2171", "ii"],
+      ["\u2172", "iii"],
+      ["\u2173", "iv"],
+      ["\u2174", "v"]
+    ]);
+    LEGITIMATE_IDN_DOMAINS = /* @__PURE__ */ new Set([
+      "xn--fsq.xn--0zwm56d",
+      // 中国
+      "xn--fiqs8s",
+      // 中国
+      "xn--fiqz9s",
+      // 中囯
+      "xn--j6w193g",
+      // 香港
+      "xn--55qx5d",
+      // 公司
+      "xn--io0a7i"
+      // 网络
+      // Add more legitimate domains as needed
+    ]);
+    POPULAR_BRANDS = [
+      "google",
+      "facebook",
+      "amazon",
+      "apple",
+      "microsoft",
+      "twitter",
+      "instagram",
+      "linkedin",
+      "youtube",
+      "netflix",
+      "paypal",
+      "ebay",
+      "yahoo",
+      "adobe",
+      "salesforce",
+      "oracle",
+      "ibm",
+      "cisco",
+      "intel",
+      "nvidia",
+      "tesla",
+      "citibank",
+      "bankofamerica",
+      "wellsfargo",
+      "chase",
+      "americanexpress"
+    ];
+    EnhancedIDNDetector = class {
+      constructor(options = {}) {
+        this.options = {
+          strictMode: false,
+          enableWhitelist: true,
+          enableBrandProtection: true,
+          enableContextAnalysis: true,
+          maxSimilarityThreshold: 0.8,
+          minDomainAge: 30,
+          // Days
+          ...options
+        };
+        this.cache = /* @__PURE__ */ new Map();
+      }
+      /**
+       * Main detection method with comprehensive analysis
+       */
+      detectHomographAttack(domain, context = {}) {
+        const cacheKey = this.getCacheKey(domain, context);
+        if (this.cache.has(cacheKey)) {
+          return this.cache.get(cacheKey);
+        }
+        const result = this.analyzeComprehensive(domain, context);
+        this.cache.set(cacheKey, result);
+        return result;
+      }
+      /**
+       * Comprehensive analysis combining multiple detection methods
+       */
+      analyzeComprehensive(domain, context) {
+        const analysis = {
+          domain,
+          isIDN: this.isIDNDomain(domain),
+          riskScore: 0,
+          riskFactors: [],
+          recommendations: [],
+          confidence: 0
+        };
+        if (this.options.enableWhitelist && this.isWhitelisted(domain)) {
+          analysis.riskScore = 0;
+          analysis.confidence = 1;
+          analysis.recommendations.push("Domain is whitelisted as legitimate");
+          return analysis;
+        }
+        if (analysis.isIDN) {
+          analysis.riskScore += 0.3;
+          analysis.riskFactors.push("Contains non-ASCII characters");
+        }
+        const confusableAnalysis = this.analyzeConfusableCharacters(domain);
+        analysis.riskScore += confusableAnalysis.score;
+        analysis.riskFactors.push(...confusableAnalysis.factors);
+        if (this.options.enableBrandProtection) {
+          const brandAnalysis = this.analyzeBrandSimilarity(domain);
+          analysis.riskScore += brandAnalysis.score;
+          analysis.riskFactors.push(...brandAnalysis.factors);
+        }
+        const scriptAnalysis = this.analyzeScriptMixing(domain);
+        analysis.riskScore += scriptAnalysis.score;
+        analysis.riskFactors.push(...scriptAnalysis.factors);
+        if (this.options.enableContextAnalysis && context) {
+          const contextAnalysis = this.analyzeContext(domain, context);
+          analysis.riskScore += contextAnalysis.score;
+          analysis.riskFactors.push(...contextAnalysis.factors);
+        }
+        if (domain.includes("xn--")) {
+          const punycodeAnalysis = this.analyzePunycode(domain);
+          analysis.riskScore += punycodeAnalysis.score;
+          analysis.riskFactors.push(...punycodeAnalysis.factors);
+        }
+        analysis.confidence = Math.min(analysis.riskScore, 1);
+        analysis.recommendations = this.generateRecommendations(analysis);
+        return analysis;
+      }
+      /**
+       * Detect if domain contains IDN characters
+       */
+      isIDNDomain(domain) {
+        return domain.includes("xn--") || /[^\u0000-\u007F]/.test(domain);
+      }
+      /**
+       * Check if domain is in whitelist
+       */
+      isWhitelisted(domain) {
+        const normalized = domain.toLowerCase();
+        return LEGITIMATE_IDN_DOMAINS.has(normalized);
+      }
+      /**
+       * Analyze confusable characters
+       */
+      analyzeConfusableCharacters(domain) {
+        const analysis = { score: 0, factors: [] };
+        let confusableCount = 0;
+        let totalChars = 0;
+        try {
+          const normalized = confusables(domain);
+          if (normalized !== domain) {
+            for (const char of domain) {
+              totalChars++;
+              const normalizedChar = confusables(char);
+              if (normalizedChar !== char) {
+                confusableCount++;
+                analysis.factors.push(`Confusable character: ${char} \u2192 ${normalizedChar}`);
+              }
+            }
+            if (confusableCount > 0) {
+              const ratio = confusableCount / totalChars;
+              analysis.score = Math.min(ratio * 0.8, 0.6);
+              analysis.factors.push(`${confusableCount}/${totalChars} characters are confusable`, `Normalized domain: ${normalized}`);
+            }
+          }
+        } catch {
+          for (const char of domain) {
+            totalChars++;
+            if (CONFUSABLE_CHARS.has(char)) {
+              confusableCount++;
+              analysis.factors.push(`Confusable character: ${char} \u2192 ${CONFUSABLE_CHARS.get(char)}`);
+            }
+          }
+          if (confusableCount > 0) {
+            const ratio = confusableCount / totalChars;
+            analysis.score = Math.min(ratio * 0.8, 0.6);
+            analysis.factors.push(`${confusableCount}/${totalChars} characters are confusable`);
+          }
+        }
+        return analysis;
+      }
+      /**
+       * Analyze similarity to popular brands
+       */
+      analyzeBrandSimilarity(domain) {
+        const analysis = { score: 0, factors: [] };
+        const cleanDomain = this.normalizeDomain(domain);
+        for (const brand of POPULAR_BRANDS) {
+          const similarity = this.calculateSimilarity(cleanDomain, brand);
+          if (similarity > this.options.maxSimilarityThreshold) {
+            analysis.score = Math.max(analysis.score, similarity * 0.7);
+            analysis.factors.push(`High similarity to ${brand}: ${(similarity * 100).toFixed(1)}%`);
+          }
+        }
+        return analysis;
+      }
+      /**
+       * Analyze script mixing patterns
+       */
+      analyzeScriptMixing(domain) {
+        const analysis = { score: 0, factors: [] };
+        const scripts = this.detectScripts(domain);
+        if (scripts.size > 1) {
+          const scriptList = [...scripts].join(", ");
+          analysis.factors.push(`Mixed scripts detected: ${scriptList}`);
+          if (scripts.has("Latin") && (scripts.has("Cyrillic") || scripts.has("Greek"))) {
+            analysis.score += 0.4;
+            analysis.factors.push("Suspicious Latin/Cyrillic or Latin/Greek mixing");
+          } else {
+            analysis.score += 0.2;
+          }
+        }
+        return analysis;
+      }
+      /**
+       * Analyze context (email headers, content, etc.)
+       */
+      analyzeContext(domain, context) {
+        const analysis = { score: 0, factors: [] };
+        if (context.displayText && context.displayText !== domain) {
+          analysis.score += 0.3;
+          analysis.factors.push("Display text differs from actual domain");
+        }
+        if (context.senderReputation && context.senderReputation < 0.5) {
+          analysis.score += 0.2;
+          analysis.factors.push("Low sender reputation");
+        }
+        if (context.emailContent) {
+          const suspiciousPatterns = [
+            /urgent/i,
+            /verify.*account/i,
+            /suspended/i,
+            /click.*here/i,
+            /limited.*time/i,
+            /act.*now/i,
+            /confirm.*identity/i
+          ];
+          for (const pattern of suspiciousPatterns) {
+            if (pattern.test(context.emailContent)) {
+              analysis.score += 0.1;
+              analysis.factors.push(`Suspicious email pattern: ${pattern.source}`);
+            }
+          }
+        }
+        return analysis;
+      }
+      /**
+       * Analyze punycode domains
+       */
+      analyzePunycode(domain) {
+        const analysis = { score: 0, factors: [] };
+        try {
+          const decoded = this.decodePunycode(domain);
+          analysis.factors.push(`Punycode decoded: ${decoded}`);
+          const decodedAnalysis = this.analyzeConfusableCharacters(decoded);
+          analysis.score += decodedAnalysis.score * 0.8;
+          analysis.factors.push(...decodedAnalysis.factors);
+        } catch {
+          analysis.score += 0.2;
+          analysis.factors.push("Invalid punycode encoding");
+        }
+        return analysis;
+      }
+      /**
+       * Normalize domain for comparison
+       */
+      normalizeDomain(domain) {
+        let normalized = domain.toLowerCase();
+        try {
+          normalized = confusables(normalized);
+        } catch {
+          for (const [confusable, latin] of CONFUSABLE_CHARS) {
+            normalized = normalized.replaceAll(confusable, latin);
+          }
+        }
+        normalized = normalized.replace(/\.(com|org|net|edu|gov)$/, "");
+        return normalized;
+      }
+      /**
+       * Calculate string similarity using Levenshtein distance
+       */
+      calculateSimilarity(string1, string2) {
+        const matrix = [];
+        const length1 = string1.length;
+        const length2 = string2.length;
+        for (let i = 0; i <= length2; i++) {
+          matrix[i] = [i];
+        }
+        for (let j = 0; j <= length1; j++) {
+          matrix[0][j] = j;
+        }
+        for (let i = 1; i <= length2; i++) {
+          for (let j = 1; j <= length1; j++) {
+            if (string2.charAt(i - 1) === string1.charAt(j - 1)) {
+              matrix[i][j] = matrix[i - 1][j - 1];
+            } else {
+              matrix[i][j] = Math.min(
+                matrix[i - 1][j - 1] + 1,
+                matrix[i][j - 1] + 1,
+                matrix[i - 1][j] + 1
+              );
+            }
+          }
+        }
+        const maxLength = Math.max(length1, length2);
+        return maxLength === 0 ? 1 : (maxLength - matrix[length2][length1]) / maxLength;
+      }
+      /**
+       * Detect scripts used in domain
+       */
+      detectScripts(domain) {
+        const scripts = /* @__PURE__ */ new Set();
+        for (const char of domain) {
+          const code = char.codePointAt(0);
+          if (code >= 65 && code <= 90 || code >= 97 && code <= 122) {
+            scripts.add("Latin");
+          } else if (code >= 1024 && code <= 1279) {
+            scripts.add("Cyrillic");
+          } else if (code >= 880 && code <= 1023) {
+            scripts.add("Greek");
+          } else if (code >= 19968 && code <= 40959) {
+            scripts.add("CJK");
+          } else if (code >= 1424 && code <= 1535) {
+            scripts.add("Hebrew");
+          } else if (code >= 1536 && code <= 1791) {
+            scripts.add("Arabic");
+          }
+        }
+        return scripts;
+      }
+      /**
+       * Simple punycode decoder (basic implementation)
+       */
+      decodePunycode(domain) {
+        try {
+          const url = new URL(`http://${domain}`);
+          return url.hostname;
+        } catch {
+          return domain;
+        }
+      }
+      /**
+       * Generate recommendations based on analysis
+       */
+      generateRecommendations(analysis) {
+        const recommendations = [];
+        if (analysis.riskScore > 0.8) {
+          recommendations.push("HIGH RISK: Likely homograph attack - block or quarantine");
+        } else if (analysis.riskScore > 0.6) {
+          recommendations.push("MEDIUM RISK: Suspicious domain - flag for review");
+        } else if (analysis.riskScore > 0.3) {
+          recommendations.push("LOW RISK: Monitor domain activity");
+        } else {
+          recommendations.push("SAFE: Domain appears legitimate");
+        }
+        if (analysis.isIDN) {
+          recommendations.push("Consider displaying punycode representation to users");
+        }
+        if (analysis.riskFactors.some((f) => f.includes("brand"))) {
+          recommendations.push("Verify domain authenticity through official channels");
+        }
+        return recommendations;
+      }
+      /**
+       * Generate cache key
+       */
+      getCacheKey(domain, context) {
+        const contextHash = createHash("md5").update(JSON.stringify(context)).digest("hex").slice(0, 8);
+        return `${domain}:${contextHash}`;
+      }
+    };
+    enhanced_idn_detector_default = EnhancedIDNDetector;
+  }
+});
+
+// src/cli.js
+import { Buffer as Buffer4 } from "node:buffer";
+import {
+  createReadStream,
+  readFileSync as readFileSync3,
+  writeFileSync,
+  existsSync,
+  mkdirSync
+} from "node:fs";
+import { createServer } from "node:net";
+import { homedir } from "node:os";
+import path2 from "node:path";
+import process2 from "node:process";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+
+// src/index.js
+import { Buffer as Buffer3 } from "node:buffer";
+import fs from "node:fs";
+import path from "node:path";
+import process from "node:process";
+import { createHash as createHash2 } from "node:crypto";
+import { debuglog as debuglog7 } from "node:util";
+import { fileURLToPath } from "node:url";
+import autoBind from "auto-bind";
+import AFHConvert from "ascii-fullwidth-halfwidth-convert";
+import ClamScan from "clamscan";
+import NaiveBayes2 from "@ladjs/naivebayes";
+import arrayJoinConjunction from "array-join-conjunction";
+import bitcoinRegex from "bitcoin-regex";
+import creditCardRegex from "credit-card-regex";
+import emailRegexSafe from "email-regex-safe";
+import escapeStringRegexp from "escape-string-regexp";
+import expandContractions from "@stdlib/nlp-expand-contractions";
+import fileExtension from "file-extension";
+import floatingPointRegex from "floating-point-regex";
+import lande from "lande";
+import hexaColorRegex from "hexa-color-regex";
+import { parse as parseTldts } from "tldts";
+import ipRegex from "ip-regex";
+import isBuffer from "is-buffer";
+import isSANB from "is-string-and-not-blank";
+import macRegex from "mac-regex";
+import natural from "natural";
+import normalizeUrl from "normalize-url";
+import phoneRegex from "phone-regex";
+import snowball from "node-snowball";
+import striptags from "striptags";
+import superagent from "superagent";
+import sw from "stopword";
+import urlRegexSafe from "url-regex-safe";
+import { simpleParser } from "mailparser";
+import { fileTypeFromBuffer } from "file-type";
+
+// src/auth.js
+import { Buffer as Buffer2 } from "node:buffer";
+import { debuglog } from "node:util";
+import dns from "node:dns";
+var debug = debuglog("spamscanner:auth");
+var mailauth;
+var getMailauth = async () => {
+  mailauth ||= await import("mailauth");
+  return mailauth;
+};
+var createResolver = (timeout = 1e4) => {
+  const resolver = new dns.promises.Resolver();
+  resolver.setServers(["8.8.8.8", "1.1.1.1"]);
+  return async (name, type) => {
+    try {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), timeout);
+      let result;
+      switch (type) {
+        case "TXT": {
+          result = await resolver.resolveTxt(name);
+          result = result.map((r) => Array.isArray(r) ? r.join("") : r);
+          break;
+        }
+        case "MX": {
+          result = await resolver.resolveMx(name);
+          break;
+        }
+        case "A": {
+          result = await resolver.resolve4(name);
+          break;
+        }
+        case "AAAA": {
+          result = await resolver.resolve6(name);
+          break;
+        }
+        case "PTR": {
+          result = await resolver.resolvePtr(name);
+          break;
+        }
+        case "CNAME": {
+          result = await resolver.resolveCname(name);
+          break;
+        }
+        default: {
+          result = await resolver.resolve(name, type);
+        }
+      }
+      clearTimeout(timeoutId);
+      return result;
+    } catch (error) {
+      debug("DNS lookup failed for %s %s: %s", type, name, error.message);
+      throw error;
+    }
+  };
+};
+async function authenticate(message, options = {}) {
+  const {
+    ip,
+    helo,
+    mta,
+    sender,
+    resolver = createResolver(options.timeout || 1e4)
+  } = options;
+  const defaultResult = {
+    dkim: {
+      results: [],
+      status: { result: "none", comment: "No DKIM signature found" }
+    },
+    spf: {
+      status: { result: "none", comment: "SPF check not performed" },
+      domain: null
+    },
+    dmarc: {
+      status: { result: "none", comment: "DMARC check not performed" },
+      policy: null,
+      domain: null
+    },
+    arc: {
+      status: { result: "none", comment: "No ARC chain found" },
+      chain: []
+    },
+    bimi: {
+      status: { result: "none", comment: "No BIMI record found" },
+      location: null,
+      authority: null
+    },
+    receivedChain: [],
+    headers: {}
+  };
+  if (!ip) {
+    debug("No IP address provided, skipping authentication");
+    return defaultResult;
+  }
+  try {
+    const { authenticate: mailauthAuthenticate } = await getMailauth();
+    const messageBuffer = Buffer2.isBuffer(message) ? message : Buffer2.from(message);
+    const authResult = await mailauthAuthenticate(messageBuffer, {
+      ip,
+      helo: helo || "unknown",
+      mta: mta || "spamscanner",
+      sender,
+      resolver
+    });
+    debug("Authentication result: %o", authResult);
+    return {
+      dkim: normalizeResult(authResult.dkim, "dkim"),
+      spf: normalizeResult(authResult.spf, "spf"),
+      dmarc: normalizeResult(authResult.dmarc, "dmarc"),
+      arc: normalizeResult(authResult.arc, "arc"),
+      bimi: normalizeResult(authResult.bimi, "bimi"),
+      receivedChain: authResult.receivedChain || [],
+      headers: authResult.headers || {}
+    };
+  } catch (error) {
+    debug("Authentication failed: %s", error.message);
+    return defaultResult;
+  }
+}
+function normalizeResult(result, type) {
+  if (!result) {
+    return {
+      status: { result: "none", comment: `No ${type.toUpperCase()} result` }
+    };
+  }
+  switch (type) {
+    case "dkim": {
+      return {
+        results: result.results || [],
+        status: result.status || { result: "none", comment: "No DKIM signature found" }
+      };
+    }
+    case "spf": {
+      return {
+        status: result.status || { result: "none", comment: "SPF check not performed" },
+        domain: result.domain || null,
+        explanation: result.explanation || null
+      };
+    }
+    case "dmarc": {
+      return {
+        status: result.status || { result: "none", comment: "DMARC check not performed" },
+        policy: result.policy || null,
+        domain: result.domain || null,
+        p: result.p || null,
+        sp: result.sp || null,
+        pct: result.pct || null
+      };
+    }
+    case "arc": {
+      return {
+        status: result.status || { result: "none", comment: "No ARC chain found" },
+        chain: result.chain || [],
+        i: result.i || null
+      };
+    }
+    case "bimi": {
+      return {
+        status: result.status || { result: "none", comment: "No BIMI record found" },
+        location: result.location || null,
+        authority: result.authority || null,
+        selector: result.selector || null
+      };
+    }
+    default: {
+      return result;
+    }
+  }
+}
+function calculateAuthScore(authResult, weights = {}) {
+  const defaultWeights = {
+    dkimPass: -2,
+    // Reduce spam score if DKIM passes
+    dkimFail: 3,
+    // Increase spam score if DKIM fails
+    spfPass: -1,
+    spfFail: 2,
+    spfSoftfail: 1,
+    dmarcPass: -2,
+    dmarcFail: 4,
+    arcPass: -1,
+    arcFail: 1,
+    ...weights
+  };
+  let score = 0;
+  const tests = [];
+  const dkimResult = authResult.dkim?.status?.result;
+  if (dkimResult === "pass") {
+    score += defaultWeights.dkimPass;
+    tests.push(`DKIM_PASS(${defaultWeights.dkimPass})`);
+  } else if (dkimResult === "fail") {
+    score += defaultWeights.dkimFail;
+    tests.push(`DKIM_FAIL(${defaultWeights.dkimFail})`);
+  }
+  const spfResult = authResult.spf?.status?.result;
+  switch (spfResult) {
+    case "pass": {
+      score += defaultWeights.spfPass;
+      tests.push(`SPF_PASS(${defaultWeights.spfPass})`);
+      break;
+    }
+    case "fail": {
+      score += defaultWeights.spfFail;
+      tests.push(`SPF_FAIL(${defaultWeights.spfFail})`);
+      break;
+    }
+    case "softfail": {
+      score += defaultWeights.spfSoftfail;
+      tests.push(`SPF_SOFTFAIL(${defaultWeights.spfSoftfail})`);
+      break;
+    }
+  }
+  const dmarcResult = authResult.dmarc?.status?.result;
+  if (dmarcResult === "pass") {
+    score += defaultWeights.dmarcPass;
+    tests.push(`DMARC_PASS(${defaultWeights.dmarcPass})`);
+  } else if (dmarcResult === "fail") {
+    score += defaultWeights.dmarcFail;
+    tests.push(`DMARC_FAIL(${defaultWeights.dmarcFail})`);
+  }
+  const arcResult = authResult.arc?.status?.result;
+  if (arcResult === "pass") {
+    score += defaultWeights.arcPass;
+    tests.push(`ARC_PASS(${defaultWeights.arcPass})`);
+  } else if (arcResult === "fail") {
+    score += defaultWeights.arcFail;
+    tests.push(`ARC_FAIL(${defaultWeights.arcFail})`);
+  }
+  return {
+    score,
+    tests,
+    details: {
+      dkim: dkimResult || "none",
+      spf: spfResult || "none",
+      dmarc: dmarcResult || "none",
+      arc: arcResult || "none"
+    }
+  };
+}
+function formatAuthResultsHeader(authResult, hostname = "spamscanner") {
+  const parts = [hostname];
+  if (authResult.dkim?.status?.result) {
+    const dkimResult = authResult.dkim.status.result;
+    let dkimPart = `dkim=${dkimResult}`;
+    if (authResult.dkim.results?.[0]?.signingDomain) {
+      dkimPart += ` header.d=${authResult.dkim.results[0].signingDomain}`;
+    }
+    parts.push(dkimPart);
+  }
+  if (authResult.spf?.status?.result) {
+    let spfPart = `spf=${authResult.spf.status.result}`;
+    if (authResult.spf.domain) {
+      spfPart += ` smtp.mailfrom=${authResult.spf.domain}`;
+    }
+    parts.push(spfPart);
+  }
+  if (authResult.dmarc?.status?.result) {
+    let dmarcPart = `dmarc=${authResult.dmarc.status.result}`;
+    if (authResult.dmarc.domain) {
+      dmarcPart += ` header.from=${authResult.dmarc.domain}`;
+    }
+    parts.push(dmarcPart);
+  }
+  if (authResult.arc?.status?.result) {
+    parts.push(`arc=${authResult.arc.status.result}`);
+  }
+  return parts.join(";\n	");
+}
+
+// src/reputation.js
+import { debuglog as debuglog2 } from "node:util";
+var debug2 = debuglog2("spamscanner:reputation");
+var DEFAULT_API_URL = "https://api.forwardemail.net/v1/reputation";
+var cache = /* @__PURE__ */ new Map();
+var CACHE_TTL = 5 * 60 * 1e3;
+async function checkReputation(value, options = {}) {
+  const {
+    apiUrl = DEFAULT_API_URL,
+    timeout = 1e4
+  } = options;
+  if (!value || typeof value !== "string") {
+    return {
+      isTruthSource: false,
+      truthSourceValue: null,
+      isAllowlisted: false,
+      allowlistValue: null,
+      isDenylisted: false,
+      denylistValue: null
+    };
+  }
+  const cacheKey = `${apiUrl}:${value}`;
+  const cached = cache.get(cacheKey);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    debug2("Cache hit for %s", value);
+    return cached.result;
+  }
+  try {
+    const url = new URL(apiUrl);
+    url.searchParams.set("q", value);
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    const response = await fetch(url.toString(), {
+      method: "GET",
+      headers: {
+        Accept: "application/json",
+        "User-Agent": "SpamScanner/6.0"
+      },
+      signal: controller.signal
+    });
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      debug2("API returned status %d for %s", response.status, value);
+      return {
+        isTruthSource: false,
+        truthSourceValue: null,
+        isAllowlisted: false,
+        allowlistValue: null,
+        isDenylisted: false,
+        denylistValue: null
+      };
+    }
+    const result = await response.json();
+    const normalizedResult = {
+      isTruthSource: Boolean(result.isTruthSource),
+      truthSourceValue: result.truthSourceValue || null,
+      isAllowlisted: Boolean(result.isAllowlisted),
+      allowlistValue: result.allowlistValue || null,
+      isDenylisted: Boolean(result.isDenylisted),
+      denylistValue: result.denylistValue || null
+    };
+    cache.set(cacheKey, {
+      result: normalizedResult,
+      timestamp: Date.now()
+    });
+    debug2("Reputation check for %s: %o", value, normalizedResult);
+    return normalizedResult;
+  } catch (error) {
+    debug2("Reputation check failed for %s: %s", value, error.message);
+    return {
+      isTruthSource: false,
+      truthSourceValue: null,
+      isAllowlisted: false,
+      allowlistValue: null,
+      isDenylisted: false,
+      denylistValue: null
+    };
+  }
+}
+async function checkReputationBatch(values, options = {}) {
+  const uniqueValues = [...new Set(values.filter(Boolean))];
+  const results = await Promise.all(uniqueValues.map(async (value) => {
+    const result = await checkReputation(value, options);
+    return [value, result];
+  }));
+  return new Map(results);
+}
+function aggregateReputationResults(results) {
+  const aggregated = {
+    isTruthSource: false,
+    truthSourceValue: null,
+    isAllowlisted: false,
+    allowlistValue: null,
+    isDenylisted: false,
+    denylistValue: null
+  };
+  for (const result of results) {
+    if (result.isTruthSource) {
+      aggregated.isTruthSource = true;
+      aggregated.truthSourceValue ||= result.truthSourceValue;
+    }
+    if (result.isAllowlisted) {
+      aggregated.isAllowlisted = true;
+      aggregated.allowlistValue ||= result.allowlistValue;
+    }
+    if (result.isDenylisted) {
+      aggregated.isDenylisted = true;
+      aggregated.denylistValue ||= result.denylistValue;
+    }
+  }
+  return aggregated;
+}
+
+// src/is-arbitrary.js
+import { debuglog as debuglog3 } from "node:util";
+var debug3 = debuglog3("spamscanner:arbitrary");
+var BLOCKED_PHRASES_PATTERN = /cheecck y0ur acc0untt|recorded you|you've been hacked|account is hacked|personal data has leaked|private information has been stolen/im;
+var SYSADMIN_SUBJECT_PATTERN = /please moderate|mdadm monitoring|weekly report|wordfence|wordpress|wpforms|docker|graylog|digest|event notification|package update manager|event alert|system events|monit alert|ping|monitor|cron|yum|sendmail|exim|backup|logwatch|unattended-upgrades/im;
+var SPAM_PATTERNS = {
+  // Subject line patterns
+  subjectPatterns: [
+    // Urgency patterns
+    /\b(urgent|immediate|action required|act now|limited time|expires?|deadline)\b/i,
+    // Money patterns
+    /\b(free|winner|won|prize|lottery|million|billion|cash|money|investment|profit)\b/i,
+    // Phishing patterns
+    /\b(verify|confirm|update|suspend|locked|unusual activity|security alert)\b/i,
+    // Adult content
+    /\b(viagra|cialis|pharmacy|pills|medication|prescription)\b/i,
+    // Crypto spam
+    /\b(bitcoin|crypto|btc|eth|nft|blockchain|wallet)\b/i
+  ],
+  // Body patterns
+  bodyPatterns: [
+    // Nigerian prince / advance fee fraud
+    /\b(nigerian?|prince|inheritance|beneficiary|next of kin|deceased|unclaimed)\b/i,
+    // Lottery scams
+    /\b(congratulations.*won|you have been selected|claim your prize)\b/i,
+    // Phishing
+    /\b(click here to verify|confirm your identity|update your account|suspended.*account)\b/i,
+    // Urgency
+    /\b(act now|limited time offer|expires in \d+|only \d+ left)\b/i,
+    // Financial scams
+    /\b(wire transfer|western union|moneygram|bank transfer|routing number)\b/i,
+    // Adult/pharma spam
+    /\b(enlarge|enhancement|erectile|dysfunction|weight loss|diet pills)\b/i
+  ],
+  // Suspicious sender patterns
+  senderPatterns: [
+    // Random numbers in email
+    /^[a-z]+\d{4,}@/i,
+    // Very long local parts
+    /^.{30,}@/,
+    // Suspicious domains
+    /@.*(\.ru|\.cn|\.tk|\.ml|\.ga|\.cf|\.gq)$/i,
+    // Numeric domains
+    /@(?:\d+\.){3}\d+/
+  ]
+};
+var SUSPICIOUS_TLDS = /* @__PURE__ */ new Set([
+  "tk",
+  "ml",
+  "ga",
+  "cf",
+  "gq",
+  // Free TLDs often abused
+  "xyz",
+  "top",
+  "wang",
+  "win",
+  "bid",
+  "loan",
+  "click",
+  "link",
+  "work",
+  "date",
+  "racing",
+  "download",
+  "stream",
+  "trade"
+]);
+var SPAM_KEYWORDS = /* @__PURE__ */ new Map([
+  ["free", 1],
+  ["winner", 2],
+  ["prize", 2],
+  ["lottery", 3],
+  ["urgent", 1],
+  ["act now", 2],
+  ["limited time", 1],
+  ["click here", 1],
+  ["unsubscribe", -1],
+  // Legitimate emails often have this
+  ["verify your account", 2],
+  ["suspended", 2],
+  ["inheritance", 3],
+  ["million dollars", 3],
+  ["wire transfer", 3],
+  ["western union", 3],
+  ["nigerian", 3],
+  ["prince", 2],
+  ["beneficiary", 2],
+  ["congratulations", 1],
+  ["selected", 1],
+  ["viagra", 3],
+  ["cialis", 3],
+  ["pharmacy", 2],
+  ["bitcoin", 1],
+  ["crypto", 1],
+  ["investment opportunity", 2],
+  ["guaranteed", 1],
+  ["risk free", 2],
+  ["no obligation", 1],
+  ["dear friend", 2],
+  ["dear customer", 1],
+  ["dear user", 1]
+]);
+var PAYPAL_SPAM_TYPE_IDS = /* @__PURE__ */ new Set(["PPC001017", "RT000238", "RT000542", "RT002947"]);
+var MS_SPAM_CATEGORIES = {
+  // High-confidence threats (highest priority)
+  highConfidence: ["cat:malw", "cat:hphsh", "cat:hphish", "cat:hspm"],
+  // Impersonation attempts
+  impersonation: ["cat:bimp", "cat:dimp", "cat:gimp", "cat:uimp"],
+  // Phishing and spoofing
+  phishingAndSpoofing: ["cat:phsh", "cat:spoof"],
+  // Spam classifications
+  spam: ["cat:ospm", "cat:spm"]
+};
+var MS_SPAM_VERDICTS = ["sfv:spm", "sfv:skb", "sfv:sks"];
+function isArbitrary(parsed, options = {}) {
+  const {
+    threshold = 5,
+    checkSubject = true,
+    checkBody = true,
+    checkSender = true,
+    checkHeaders = true,
+    checkLinks = true,
+    checkMicrosoftHeaders = true,
+    checkVendorSpam = true,
+    checkSpoofing = true,
+    session = {}
+  } = options;
+  const reasons = [];
+  let score = 0;
+  let category = null;
+  const getHeader = (name) => {
+    if (parsed.headers?.get) {
+      return parsed.headers.get(name);
+    }
+    if (parsed.headerLines) {
+      const header = parsed.headerLines.find((h) => h.key.toLowerCase() === name.toLowerCase());
+      return header?.line?.split(":").slice(1).join(":").trim();
+    }
+    return null;
+  };
+  const subject = parsed.subject || getHeader("subject") || "";
+  const from = parsed.from?.value?.[0]?.address || parsed.from?.text || getHeader("from") || "";
+  const sessionInfo = buildSessionInfo(parsed, session, getHeader);
+  if (subject && BLOCKED_PHRASES_PATTERN.test(subject)) {
+    reasons.push("BLOCKED_PHRASE_IN_SUBJECT");
+    score += 10;
+    category = "SPAM";
+  }
+  if (checkMicrosoftHeaders) {
+    const msResult = checkMicrosoftExchangeHeaders(getHeader, sessionInfo);
+    if (msResult.blocked) {
+      reasons.push(...msResult.reasons);
+      score += msResult.score;
+      category = msResult.category || category;
+    }
+  }
+  if (checkVendorSpam) {
+    const vendorResult = checkVendorSpam_(parsed, sessionInfo, getHeader, subject, from);
+    if (vendorResult.blocked) {
+      reasons.push(...vendorResult.reasons);
+      score += vendorResult.score;
+      category = vendorResult.category || category;
+    }
+  }
+  if (checkSpoofing) {
+    const spoofResult = checkSpoofingAttacks(parsed, sessionInfo, getHeader, subject);
+    if (spoofResult.blocked) {
+      reasons.push(...spoofResult.reasons);
+      score += spoofResult.score;
+      category = spoofResult.category || category;
+    }
+  }
+  if (checkSubject && subject) {
+    const subjectResult = checkSubjectLine(subject);
+    score += subjectResult.score;
+    reasons.push(...subjectResult.reasons);
+  }
+  if (checkBody) {
+    const bodyText = parsed.text || "";
+    const bodyHtml = parsed.html || "";
+    const bodyResult = checkBodyContent(bodyText, bodyHtml);
+    score += bodyResult.score;
+    reasons.push(...bodyResult.reasons);
+  }
+  if (checkSender) {
+    const replyTo = parsed.replyTo?.value?.[0]?.address || parsed.replyTo?.text || "";
+    const senderResult = checkSenderPatterns(from, replyTo);
+    score += senderResult.score;
+    reasons.push(...senderResult.reasons);
+  }
+  if (checkHeaders) {
+    const headerResult = checkHeaderAnomalies(parsed, getHeader);
+    score += headerResult.score;
+    reasons.push(...headerResult.reasons);
+  }
+  if (checkLinks) {
+    const bodyHtml = parsed.html || parsed.text || "";
+    const linkResult = checkSuspiciousLinks(bodyHtml);
+    score += linkResult.score;
+    reasons.push(...linkResult.reasons);
+  }
+  const isArbitrarySpam = score >= threshold;
+  debug3(
+    "Arbitrary check result: score=%d, threshold=%d, isArbitrary=%s, category=%s, reasons=%o",
+    score,
+    threshold,
+    isArbitrarySpam,
+    category,
+    reasons
+  );
+  return {
+    isArbitrary: isArbitrarySpam,
+    reasons,
+    score,
+    category
+  };
+}
+function buildSessionInfo(parsed, session, getHeader) {
+  const info = { ...session };
+  const from = parsed.from?.value?.[0]?.address || parsed.from?.text || getHeader("from") || "";
+  if (from && !info.originalFromAddress) {
+    info.originalFromAddress = from.toLowerCase();
+    const atIndex = from.indexOf("@");
+    if (atIndex > 0) {
+      info.originalFromAddressDomain = from.slice(atIndex + 1).toLowerCase();
+      info.originalFromAddressRootDomain = getRootDomain(info.originalFromAddressDomain);
+    }
+  }
+  if (!info.resolvedClientHostname) {
+    info.resolvedClientHostname = extractClientHostname(parsed);
+    if (info.resolvedClientHostname) {
+      info.resolvedRootClientHostname = getRootDomain(info.resolvedClientHostname);
+    }
+  }
+  info.remoteAddress ||= extractRemoteIp(parsed);
+  return info;
+}
+function checkMicrosoftExchangeHeaders(getHeader, sessionInfo) {
+  const result = {
+    blocked: false,
+    reasons: [],
+    score: 0,
+    category: null
+  };
+  const isFromMicrosoft = sessionInfo.resolvedClientHostname && sessionInfo.resolvedClientHostname.endsWith(".outbound.protection.outlook.com");
+  if (!isFromMicrosoft) {
+    return result;
+  }
+  const msAuthHeader = getHeader("x-ms-exchange-authentication-results");
+  const forefrontHeader = getHeader("x-forefront-antispam-report");
+  if (forefrontHeader) {
+    const lowerForefront = forefrontHeader.toLowerCase();
+    const sclMatch = lowerForefront.match(/scl:(\d+)/);
+    const scl = sclMatch ? Number.parseInt(sclMatch[1], 10) : null;
+    const sfvNotSpam = lowerForefront.includes("sfv:nspm");
+    const microsoftSaysNotSpam = sfvNotSpam || scl !== null && scl <= 2;
+    if (!microsoftSaysNotSpam && msAuthHeader) {
+      const lowerMsAuth = msAuthHeader.toLowerCase();
+      const spfPass = lowerMsAuth.includes("spf=pass");
+      const dkimPass = lowerMsAuth.includes("dkim=pass");
+      const dmarcPass = lowerMsAuth.includes("dmarc=pass");
+      if (!spfPass && !dkimPass && !dmarcPass) {
+        const spfFailed = lowerMsAuth.includes("spf=fail");
+        const dkimFailed = lowerMsAuth.includes("dkim=fail");
+        const dmarcFailed = lowerMsAuth.includes("dmarc=fail");
+        if (spfFailed || dkimFailed || dmarcFailed) {
+          result.blocked = true;
+          result.reasons.push("MS_EXCHANGE_AUTH_FAILURE");
+          result.score += 10;
+          result.category = "AUTHENTICATION_FAILURE";
+          return result;
+        }
+      }
+    }
+    for (const cat of MS_SPAM_CATEGORIES.highConfidence) {
+      if (lowerForefront.includes(cat)) {
+        result.blocked = true;
+        result.reasons.push(`MS_HIGH_CONFIDENCE_THREAT: ${cat.toUpperCase()}`);
+        result.score += 15;
+        result.category = cat.includes("malw") ? "MALWARE" : cat.includes("phish") || cat.includes("phsh") ? "PHISHING" : "HIGH_CONFIDENCE_SPAM";
+        return result;
+      }
+    }
+    for (const cat of MS_SPAM_CATEGORIES.impersonation) {
+      if (lowerForefront.includes(cat)) {
+        result.blocked = true;
+        result.reasons.push(`MS_IMPERSONATION: ${cat.toUpperCase()}`);
+        result.score += 12;
+        result.category = "IMPERSONATION";
+        return result;
+      }
+    }
+    for (const cat of MS_SPAM_CATEGORIES.phishingAndSpoofing) {
+      if (lowerForefront.includes(cat)) {
+        result.blocked = true;
+        result.reasons.push(`MS_PHISHING_SPOOF: ${cat.toUpperCase()}`);
+        result.score += 12;
+        result.category = cat.includes("phsh") ? "PHISHING" : "SPOOFING";
+        return result;
+      }
+    }
+    for (const verdict of MS_SPAM_VERDICTS) {
+      if (lowerForefront.includes(verdict)) {
+        result.blocked = true;
+        result.reasons.push(`MS_SPAM_VERDICT: ${verdict.toUpperCase()}`);
+        result.score += 10;
+        result.category = "SPAM";
+        return result;
+      }
+    }
+    for (const cat of MS_SPAM_CATEGORIES.spam) {
+      if (lowerForefront.includes(cat)) {
+        result.blocked = true;
+        result.reasons.push(`MS_SPAM_CATEGORY: ${cat.toUpperCase()}`);
+        result.score += 10;
+        result.category = "SPAM";
+        return result;
+      }
+    }
+    if (scl !== null && scl >= 5) {
+      result.blocked = true;
+      result.reasons.push(`MS_HIGH_SCL: ${scl}`);
+      result.score += 8;
+      result.category = "SPAM";
+      return result;
+    }
+  } else if (msAuthHeader) {
+    const lowerMsAuth = msAuthHeader.toLowerCase();
+    const spfPass = lowerMsAuth.includes("spf=pass");
+    const dkimPass = lowerMsAuth.includes("dkim=pass");
+    const dmarcPass = lowerMsAuth.includes("dmarc=pass");
+    if (!spfPass && !dkimPass && !dmarcPass) {
+      const spfFailed = lowerMsAuth.includes("spf=fail");
+      const dkimFailed = lowerMsAuth.includes("dkim=fail");
+      const dmarcFailed = lowerMsAuth.includes("dmarc=fail");
+      if (spfFailed || dkimFailed || dmarcFailed) {
+        result.blocked = true;
+        result.reasons.push("MS_EXCHANGE_AUTH_FAILURE");
+        result.score += 10;
+        result.category = "AUTHENTICATION_FAILURE";
+      }
+    }
+  }
+  return result;
+}
+function checkVendorSpam_(parsed, sessionInfo, getHeader, subject, from) {
+  const result = {
+    blocked: false,
+    reasons: [],
+    score: 0,
+    category: null
+  };
+  const fromLower = from.toLowerCase();
+  if (sessionInfo.originalFromAddressRootDomain === "paypal.com" && getHeader("x-email-type-id")) {
+    const typeId = getHeader("x-email-type-id");
+    if (PAYPAL_SPAM_TYPE_IDS.has(typeId)) {
+      result.blocked = true;
+      result.reasons.push(`PAYPAL_INVOICE_SPAM: ${typeId}`);
+      result.score += 15;
+      result.category = "VENDOR_SPAM";
+      return result;
+    }
+  }
+  if (sessionInfo.originalFromAddress === "invoice@authorize.net" && sessionInfo.resolvedRootClientHostname === "visa.com") {
+    result.blocked = true;
+    result.reasons.push("AUTHORIZE_VISA_PHISHING");
+    result.score += 15;
+    result.category = "PHISHING";
+    return result;
+  }
+  if (fromLower.includes("amazon.co.jp") && (!sessionInfo.resolvedRootClientHostname || !sessionInfo.resolvedRootClientHostname.startsWith("amazon."))) {
+    result.blocked = true;
+    result.reasons.push("AMAZON_JP_IMPERSONATION");
+    result.score += 12;
+    result.category = "IMPERSONATION";
+    return result;
+  }
+  if (subject && subject.includes("pCloud") && sessionInfo.originalFromAddressRootDomain !== "pcloud.com" && fromLower.includes("pcloud")) {
+    result.blocked = true;
+    result.reasons.push("PCLOUD_IMPERSONATION");
+    result.score += 12;
+    result.category = "IMPERSONATION";
+    return result;
+  }
+  if ((sessionInfo.originalFromAddress === "postmaster@outlook.com" || sessionInfo.resolvedClientHostname && sessionInfo.resolvedClientHostname.endsWith(".outbound.protection.outlook.com") || sessionInfo.originalFromAddress?.startsWith("postmaster@") && sessionInfo.originalFromAddress?.endsWith(".onmicrosoft.com")) && isAutoReply(getHeader) && subject && (subject.startsWith("Undeliverable: ") || subject.startsWith("No se puede entregar: "))) {
+    result.blocked = true;
+    result.reasons.push("MS_BOUNCE_SPAM");
+    result.score += 10;
+    result.category = "BOUNCE_SPAM";
+    return result;
+  }
+  if (sessionInfo.originalFromAddress === "postmaster@163.com" && subject && subject.includes("\u7CFB\u7EDF\u9000\u4FE1")) {
+    result.blocked = true;
+    result.reasons.push("163_BOUNCE_SPAM");
+    result.score += 10;
+    result.category = "BOUNCE_SPAM";
+    return result;
+  }
+  if (sessionInfo.originalFromAddress === "dse_na4@docusign.net" && sessionInfo.spf?.domain && (sessionInfo.spf.domain.endsWith(".onmicrosoft.com") || sessionInfo.spf.domain === "onmicrosoft.com")) {
+    result.blocked = true;
+    result.reasons.push("DOCUSIGN_MS_SCAM");
+    result.score += 12;
+    result.category = "PHISHING";
+    return result;
+  }
+  return result;
+}
+function checkSpoofingAttacks(parsed, sessionInfo, getHeader, subject) {
+  const result = {
+    blocked: false,
+    reasons: [],
+    score: 0,
+    category: null
+  };
+  if (sessionInfo.hadAlignedAndPassingDKIM || sessionInfo.isAllowlisted) {
+    return result;
+  }
+  if (sessionInfo.hasSameHostnameAsFrom) {
+    return result;
+  }
+  const rcptTo = sessionInfo.envelope?.rcptTo || [];
+  const fromRootDomain = sessionInfo.originalFromAddressRootDomain;
+  if (!fromRootDomain || rcptTo.length === 0) {
+    return result;
+  }
+  const hasSameRcptToAsFrom = rcptTo.some((to) => {
+    if (!to.address) {
+      return false;
+    }
+    const toRootDomain = getRootDomain(parseHostFromAddress(to.address));
+    return toRootDomain === fromRootDomain;
+  });
+  if (!hasSameRcptToAsFrom) {
+    return result;
+  }
+  const spfResult = sessionInfo.spfFromHeader?.status?.result;
+  if (spfResult === "pass") {
+    return result;
+  }
+  sessionInfo.isPotentialPhishing = true;
+  const xPhpScript = getHeader("x-php-script");
+  const xMailer = getHeader("x-mailer");
+  if (xPhpScript) {
+    return result;
+  }
+  if (xMailer) {
+    const mailerLower = xMailer.toLowerCase();
+    if (mailerLower.includes("php") || mailerLower.includes("drupal")) {
+      return result;
+    }
+  }
+  if (subject && SYSADMIN_SUBJECT_PATTERN.test(subject)) {
+    return result;
+  }
+  result.blocked = true;
+  result.reasons.push("SPOOFING_ATTACK");
+  result.score += 12;
+  result.category = "SPOOFING";
+  return result;
+}
+function isAutoReply(getHeader) {
+  const autoSubmitted = getHeader("auto-submitted");
+  if (autoSubmitted && autoSubmitted !== "no") {
+    return true;
+  }
+  const autoResponseSuppress = getHeader("x-auto-response-suppress");
+  if (autoResponseSuppress) {
+    return true;
+  }
+  const precedence = getHeader("precedence");
+  if (precedence && ["bulk", "junk", "list", "auto_reply"].includes(precedence.toLowerCase())) {
+    return true;
+  }
+  if (getHeader("list-unsubscribe")) {
+    return true;
+  }
+  return false;
+}
+function checkSubjectLine(subject) {
+  const reasons = [];
+  let score = 0;
+  for (const pattern of SPAM_PATTERNS.subjectPatterns) {
+    if (pattern.test(subject)) {
+      const match = subject.match(pattern);
+      reasons.push(`SUBJECT_SPAM_PATTERN: ${match[0]}`);
+      score += 1;
+    }
+  }
+  const upperCount = (subject.match(/[A-Z]/g) || []).length;
+  const letterCount = (subject.match(/[a-zA-Z]/g) || []).length;
+  if (letterCount > 10 && upperCount / letterCount > 0.7) {
+    reasons.push("SUBJECT_ALL_CAPS");
+    score += 2;
+  }
+  const punctCount = (subject.match(/[!?$]/g) || []).length;
+  if (punctCount >= 3) {
+    reasons.push("SUBJECT_EXCESSIVE_PUNCTUATION");
+    score += 1;
+  }
+  if (/^(re|fw|fwd):/i.test(subject) && subject.length < 20) {
+    reasons.push("SUBJECT_FAKE_REPLY");
+    score += 1;
+  }
+  return { score, reasons };
+}
+function checkBodyContent(text, html) {
+  const reasons = [];
+  let score = 0;
+  const content = text || html || "";
+  const contentLower = content.toLowerCase();
+  for (const pattern of SPAM_PATTERNS.bodyPatterns) {
+    if (pattern.test(content)) {
+      const match = content.match(pattern);
+      reasons.push(`BODY_SPAM_PATTERN: ${match[0].slice(0, 50)}`);
+      score += 1;
+    }
+  }
+  for (const [keyword, weight] of SPAM_KEYWORDS) {
+    if (contentLower.includes(keyword.toLowerCase())) {
+      reasons.push(`SPAM_KEYWORD: ${keyword}`);
+      score += weight;
+    }
+  }
+  if (html) {
+    if (/color:\s*#fff|color:\s*white|font-size:\s*[01]px/i.test(html)) {
+      reasons.push("HIDDEN_TEXT");
+      score += 3;
+    }
+    const imgCount = (html.match(/<img/gi) || []).length;
+    const textLength = (text || "").length;
+    if (imgCount > 5 && textLength < 100) {
+      reasons.push("IMAGE_HEAVY_LOW_TEXT");
+      score += 2;
+    }
+  }
+  if (/data:image\/[^;]+;base64,/i.test(html || "")) {
+    reasons.push("BASE64_IMAGES");
+    score += 1;
+  }
+  const shortenerPatterns = /\b(bit\.ly|tinyurl|goo\.gl|t\.co|ow\.ly|is\.gd|buff\.ly|adf\.ly|j\.mp)\b/i;
+  if (shortenerPatterns.test(content)) {
+    reasons.push("URL_SHORTENER");
+    score += 2;
+  }
+  return { score, reasons };
+}
+function checkSenderPatterns(from, replyTo) {
+  const reasons = [];
+  let score = 0;
+  if (!from) {
+    reasons.push("MISSING_FROM");
+    score += 2;
+    return { score, reasons };
+  }
+  for (const pattern of SPAM_PATTERNS.senderPatterns) {
+    if (pattern.test(from)) {
+      reasons.push("SUSPICIOUS_SENDER_PATTERN");
+      score += 2;
+      break;
+    }
+  }
+  const tldMatch = from.match(/@[^.]+\.([a-z]+)$/i);
+  if (tldMatch && SUSPICIOUS_TLDS.has(tldMatch[1].toLowerCase())) {
+    reasons.push(`SUSPICIOUS_TLD: ${tldMatch[1]}`);
+    score += 2;
+  }
+  if (replyTo && from) {
+    const fromDomain = from.split("@")[1]?.toLowerCase();
+    const replyDomain = replyTo.split("@")[1]?.toLowerCase();
+    if (fromDomain && replyDomain && fromDomain !== replyDomain) {
+      reasons.push("FROM_REPLY_TO_MISMATCH");
+      score += 2;
+    }
+  }
+  const spoofPatterns = /^(paypal|amazon|apple|microsoft|google|bank|security)/i;
+  if (spoofPatterns.test(from) && !/@(paypal|amazon|apple|microsoft|google)\.com$/i.test(from)) {
+    reasons.push("DISPLAY_NAME_SPOOFING");
+    score += 3;
+  }
+  return { score, reasons };
+}
+function checkHeaderAnomalies(parsed, getHeader) {
+  const reasons = [];
+  let score = 0;
+  if (!parsed.messageId && !getHeader("message-id")) {
+    reasons.push("MISSING_MESSAGE_ID");
+    score += 1;
+  }
+  if (parsed.date) {
+    const messageDate = new Date(parsed.date);
+    const now = /* @__PURE__ */ new Date();
+    if (messageDate > now) {
+      const hoursDiff = (messageDate - now) / (1e3 * 60 * 60);
+      if (hoursDiff > 24) {
+        reasons.push("FUTURE_DATE");
+        score += 2;
+      }
+    }
+    const daysDiff = (now - messageDate) / (1e3 * 60 * 60 * 24);
+    if (daysDiff > 365) {
+      reasons.push("VERY_OLD_DATE");
+      score += 1;
+    }
+  } else {
+    reasons.push("MISSING_DATE");
+    score += 1;
+  }
+  const xMailer = getHeader("x-mailer") || "";
+  if (xMailer) {
+    const suspiciousMailers = /mass mail|bulk mail|email blast/i;
+    if (suspiciousMailers.test(xMailer)) {
+      reasons.push("SUSPICIOUS_MAILER");
+      score += 1;
+    }
+  }
+  const mimeVersion = getHeader("mime-version");
+  if (!mimeVersion && (parsed.html || parsed.attachments?.length > 0)) {
+    reasons.push("MISSING_MIME_VERSION");
+    score += 1;
+  }
+  const toCount = parsed.to?.value?.length || 0;
+  const ccCount = parsed.cc?.value?.length || 0;
+  if (toCount + ccCount > 50) {
+    reasons.push("EXCESSIVE_RECIPIENTS");
+    score += 2;
+  }
+  return { score, reasons };
+}
+function checkSuspiciousLinks(content) {
+  const reasons = [];
+  let score = 0;
+  const urlPattern = /https?:\/\/[^\s<>"']+/gi;
+  const urls = content.match(urlPattern) || [];
+  if (urls.length === 0) {
+    return { score, reasons };
+  }
+  const suspiciousUrls = /* @__PURE__ */ new Set();
+  for (const url of urls) {
+    try {
+      const parsed = new URL(url);
+      const hostname = parsed.hostname.toLowerCase();
+      if (/^(?:\d+\.){3}\d+$/.test(hostname)) {
+        suspiciousUrls.add("IP_ADDRESS_URL");
+      }
+      const tld = hostname.split(".").pop();
+      if (SUSPICIOUS_TLDS.has(tld)) {
+        suspiciousUrls.add(`SUSPICIOUS_URL_TLD: ${tld}`);
+      }
+      if (parsed.port && !["80", "443", ""].includes(parsed.port)) {
+        suspiciousUrls.add("URL_WITH_PORT");
+      }
+      if (url.length > 200) {
+        suspiciousUrls.add("VERY_LONG_URL");
+      }
+      const subdomainCount = hostname.split(".").length - 2;
+      if (subdomainCount > 3) {
+        suspiciousUrls.add("EXCESSIVE_SUBDOMAINS");
+      }
+      if (/%[\da-f]{2}/i.test(url) && /%[\da-f]{2}.*%[\da-f]{2}/i.test(url)) {
+        suspiciousUrls.add("URL_OBFUSCATION");
+      }
+    } catch {
+      suspiciousUrls.add("INVALID_URL");
+    }
+  }
+  for (const reason of suspiciousUrls) {
+    reasons.push(reason);
+    score += 1;
+  }
+  const linkPattern = /<a[^>]+href=["']([^"']+)["'][^>]*>([^<]+)<\/a>/gi;
+  let match;
+  while ((match = linkPattern.exec(content)) !== null) {
+    const href = match[1];
+    const text = match[2];
+    if (/^https?:\/\//i.test(text)) {
+      try {
+        const textUrl = new URL(text);
+        const hrefUrl = new URL(href);
+        if (textUrl.hostname.toLowerCase() !== hrefUrl.hostname.toLowerCase()) {
+          reasons.push("LINK_TEXT_URL_MISMATCH");
+          score += 3;
+          break;
+        }
+      } catch {
+      }
+    }
+  }
+  return { score, reasons };
+}
+function getRootDomain(hostname) {
+  if (!hostname) {
+    return "";
+  }
+  const parts = hostname.toLowerCase().split(".");
+  if (parts.length <= 2) {
+    return hostname.toLowerCase();
+  }
+  const multiPartTlds = ["co.uk", "com.au", "co.nz", "co.jp", "com.br", "co.in"];
+  const lastTwo = parts.slice(-2).join(".");
+  if (multiPartTlds.includes(lastTwo)) {
+    return parts.slice(-3).join(".");
+  }
+  return parts.slice(-2).join(".");
+}
+function parseHostFromAddress(address) {
+  if (!address) {
+    return "";
+  }
+  const atIndex = address.indexOf("@");
+  if (atIndex === -1) {
+    return "";
+  }
+  return address.slice(atIndex + 1).toLowerCase();
+}
+function extractClientHostname(parsed) {
+  let receivedHeaders = null;
+  if (parsed.headers?.get) {
+    receivedHeaders = parsed.headers.get("received");
+  } else if (parsed.headerLines) {
+    const headers = parsed.headerLines.filter((h) => h.key.toLowerCase() === "received");
+    receivedHeaders = headers.map((h) => h.line?.split(":").slice(1).join(":").trim());
+  }
+  if (!receivedHeaders) {
+    return null;
+  }
+  const received = Array.isArray(receivedHeaders) ? receivedHeaders[0] : receivedHeaders;
+  if (!received) {
+    return null;
+  }
+  const fromMatch = received.match(/from\s+([^\s(]+)/i);
+  if (fromMatch) {
+    return fromMatch[1].toLowerCase();
+  }
+  return null;
+}
+function extractRemoteIp(parsed) {
+  let receivedHeaders = null;
+  if (parsed.headers?.get) {
+    receivedHeaders = parsed.headers.get("received");
+  } else if (parsed.headerLines) {
+    const headers = parsed.headerLines.filter((h) => h.key.toLowerCase() === "received");
+    receivedHeaders = headers.map((h) => h.line?.split(":").slice(1).join(":").trim());
+  }
+  if (!receivedHeaders) {
+    return null;
+  }
+  const received = Array.isArray(receivedHeaders) ? receivedHeaders[0] : receivedHeaders;
+  if (!received) {
+    return null;
+  }
+  const ipv4Match = received.match(/\[((?:\d+\.){3}\d+)]/);
+  if (ipv4Match) {
+    return ipv4Match[1];
+  }
+  const ipv6Match = received.match(/\[([a-f\d:]+)]/i);
+  if (ipv6Match) {
+    return ipv6Match[1];
+  }
+  return null;
+}
+
+// src/get-attributes.js
+import { debuglog as debuglog4 } from "node:util";
+var debug4 = debuglog4("spamscanner:attributes");
+function checkSRS(address) {
+  if (!address) {
+    return "";
+  }
+  const srs0Match = address.match(/^srs0=[^=]+=([^=]+)=([^=]+)=([^@]+)@/i);
+  if (srs0Match) {
+    return `${srs0Match[3]}@${srs0Match[2]}`;
+  }
+  const srs1Match = address.match(/^srs1=[^=]+=[^=]+==[^=]+=([^=]+)=([^=]+)=([^@]+)@/i);
+  if (srs1Match) {
+    return `${srs1Match[3]}@${srs1Match[2]}`;
+  }
+  return address;
+}
+function parseHostFromDomainOrAddress(addressOrDomain) {
+  if (!addressOrDomain) {
+    return "";
+  }
+  const atIndex = addressOrDomain.indexOf("@");
+  if (atIndex !== -1) {
+    return addressOrDomain.slice(atIndex + 1).toLowerCase();
+  }
+  return addressOrDomain.toLowerCase();
+}
+function parseRootDomain(hostname) {
+  if (!hostname) {
+    return "";
+  }
+  const parts = hostname.toLowerCase().split(".");
+  if (parts.length <= 2) {
+    return hostname.toLowerCase();
+  }
+  const multiPartTlds = /* @__PURE__ */ new Set([
+    "co.uk",
+    "com.au",
+    "co.nz",
+    "co.jp",
+    "com.br",
+    "co.in",
+    "org.uk",
+    "net.au",
+    "com.mx",
+    "com.cn",
+    "com.tw",
+    "com.hk",
+    "co.za",
+    "com.sg"
+  ]);
+  const lastTwo = parts.slice(-2).join(".");
+  if (multiPartTlds.has(lastTwo)) {
+    return parts.slice(-3).join(".");
+  }
+  return parts.slice(-2).join(".");
+}
+function parseAddresses(headerValue) {
+  if (!headerValue) {
+    return [];
+  }
+  if (Array.isArray(headerValue)) {
+    return headerValue.flatMap((item) => {
+      if (typeof item === "string") {
+        return item;
+      }
+      if (item.address) {
+        return item.address;
+      }
+      if (item.value && Array.isArray(item.value)) {
+        return item.value.map((v) => v.address).filter(Boolean);
+      }
+      return null;
+    }).filter(Boolean);
+  }
+  if (headerValue.value && Array.isArray(headerValue.value)) {
+    return headerValue.value.map((v) => v.address).filter(Boolean);
+  }
+  if (typeof headerValue === "string") {
+    const emailPattern = /[\w.+-]+@[\w.-]+\.[a-z]{2,}/gi;
+    return headerValue.match(emailPattern) || [];
+  }
+  return [];
+}
+function getHeaders(headers, name) {
+  if (!headers) {
+    return null;
+  }
+  if (headers.get) {
+    const value = headers.get(name);
+    if (value) {
+      if (typeof value === "string") {
+        return value;
+      }
+      if (value.text) {
+        return value.text;
+      }
+      if (value.value && Array.isArray(value.value)) {
+        return value.value.map((v) => v.address || v.text || v).join(", ");
+      }
+    }
+    return null;
+  }
+  if (headers.headerLines) {
+    const header = headers.headerLines.find((h) => h.key.toLowerCase() === name.toLowerCase());
+    if (header) {
+      return header.line?.split(":").slice(1).join(":").trim();
+    }
+  }
+  if (typeof headers === "object") {
+    const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
+    if (key) {
+      const value = headers[key];
+      if (typeof value === "string") {
+        return value;
+      }
+      if (Array.isArray(value)) {
+        return value[0];
+      }
+    }
+  }
+  return null;
+}
+async function getAttributes(parsed, session = {}, options = {}) {
+  const { isAligned = false, authResults = null } = options;
+  const headers = parsed.headers || parsed;
+  const replyToHeader = getHeaders(headers, "reply-to");
+  const replyToAddresses = parseAddresses(parsed.replyTo || (replyToHeader ? { value: [{ address: replyToHeader }] } : null));
+  const array = [
+    session.resolvedClientHostname,
+    session.resolvedRootClientHostname,
+    session.remoteAddress
+  ];
+  const from = [
+    session.originalFromAddress,
+    session.originalFromAddressDomain,
+    session.originalFromAddressRootDomain
+  ];
+  const replyTo = [];
+  for (const addr of replyToAddresses) {
+    const checked = checkSRS(addr);
+    replyTo.push(
+      checked.toLowerCase(),
+      parseHostFromDomainOrAddress(checked),
+      parseRootDomain(parseHostFromDomainOrAddress(checked))
+    );
+  }
+  const mailFrom = [];
+  const mailFromAddress = session.envelope?.mailFrom?.address;
+  if (mailFromAddress) {
+    const checked = checkSRS(mailFromAddress);
+    mailFrom.push(
+      checked.toLowerCase(),
+      parseHostFromDomainOrAddress(checked),
+      parseRootDomain(parseHostFromDomainOrAddress(checked))
+    );
+  }
+  if (isAligned) {
+    const signingDomains = session.signingDomains || /* @__PURE__ */ new Set();
+    const spfResult = session.spfFromHeader?.status?.result;
+    const fromHasSpfPass = spfResult === "pass";
+    const fromHasDkimAlignment = signingDomains.size > 0 && (signingDomains.has(session.originalFromAddressDomain) || signingDomains.has(session.originalFromAddressRootDomain));
+    if (fromHasSpfPass || fromHasDkimAlignment) {
+      array.push(...from);
+    }
+    let hasAlignedReplyTo = false;
+    for (const addr of replyToAddresses) {
+      const checked = checkSRS(addr);
+      const domain = parseHostFromDomainOrAddress(checked);
+      const rootDomain = parseRootDomain(domain);
+      if (signingDomains.size > 0 && (signingDomains.has(domain) || signingDomains.has(rootDomain))) {
+        hasAlignedReplyTo = true;
+        break;
+      }
+      if (authResults?.spf) {
+        const spfForReplyTo = authResults.spf.find((r) => r.domain === domain || r.domain === rootDomain);
+        if (spfForReplyTo?.result === "pass") {
+          hasAlignedReplyTo = true;
+          break;
+        }
+      }
+    }
+    if (hasAlignedReplyTo) {
+      array.push(...replyTo);
+    }
+    if (mailFromAddress) {
+      const checked = checkSRS(mailFromAddress);
+      const domain = parseHostFromDomainOrAddress(checked);
+      const rootDomain = parseRootDomain(domain);
+      const mailFromHasDkimAlignment = signingDomains.size > 0 && (signingDomains.has(domain) || signingDomains.has(rootDomain));
+      let mailFromHasSpfPass = false;
+      if (authResults?.spf) {
+        const spfForMailFrom = authResults.spf.find((r) => r.domain === domain || r.domain === rootDomain);
+        mailFromHasSpfPass = spfForMailFrom?.result === "pass";
+      }
+      if (mailFromHasDkimAlignment || mailFromHasSpfPass) {
+        array.push(...mailFrom);
+      }
+    }
+  } else {
+    array.push(...from, ...replyTo, ...mailFrom);
+  }
+  const normalized = array.filter((string_) => typeof string_ === "string" && string_.length > 0).map((string_) => {
+    try {
+      return string_.toLowerCase().trim();
+    } catch {
+      return string_.toLowerCase().trim();
+    }
+  });
+  const unique = [...new Set(normalized)];
+  debug4("Extracted %d unique attributes (isAligned=%s): %o", unique.length, isAligned, unique);
+  return unique;
+}
+function buildSessionFromParsed(parsed, existingSession = {}) {
+  const session = { ...existingSession };
+  const headers = parsed.headers || parsed;
+  const fromHeader = getHeaders(headers, "from");
+  const fromAddresses = parseAddresses(parsed.from || fromHeader);
+  const fromAddress = fromAddresses[0];
+  if (fromAddress && !session.originalFromAddress) {
+    session.originalFromAddress = checkSRS(fromAddress).toLowerCase();
+    session.originalFromAddressDomain = parseHostFromDomainOrAddress(session.originalFromAddress);
+    session.originalFromAddressRootDomain = parseRootDomain(session.originalFromAddressDomain);
+  }
+  if (!session.resolvedClientHostname) {
+    const receivedHeader = getHeaders(headers, "received");
+    if (receivedHeader) {
+      const received = Array.isArray(receivedHeader) ? receivedHeader[0] : receivedHeader;
+      const fromMatch = received?.match(/from\s+([^\s(]+)/i);
+      if (fromMatch) {
+        session.resolvedClientHostname = fromMatch[1].toLowerCase();
+        session.resolvedRootClientHostname = parseRootDomain(session.resolvedClientHostname);
+      }
+    }
+  }
+  if (!session.remoteAddress) {
+    const receivedHeader = getHeaders(headers, "received");
+    if (receivedHeader) {
+      const received = Array.isArray(receivedHeader) ? receivedHeader[0] : receivedHeader;
+      const ipv4Match = received?.match(/\[((?:\d+\.){3}\d+)]/);
+      if (ipv4Match) {
+        session.remoteAddress = ipv4Match[1];
+      } else {
+        const ipv6Match = received?.match(/\[([a-f\d:]+)]/i);
+        if (ipv6Match) {
+          session.remoteAddress = ipv6Match[1];
+        }
+      }
+    }
+  }
+  if (!session.envelope) {
+    session.envelope = {
+      mailFrom: { address: session.originalFromAddress || "" },
+      rcptTo: []
+    };
+    const toAddresses = parseAddresses(parsed.to || getHeaders(headers, "to"));
+    const ccAddresses = parseAddresses(parsed.cc || getHeaders(headers, "cc"));
+    for (const addr of [...toAddresses, ...ccAddresses]) {
+      if (addr) {
+        session.envelope.rcptTo.push({ address: addr });
+      }
+    }
+  }
+  return session;
+}
+async function extractAttributes(parsed, options = {}) {
+  const { isAligned = false, senderIp, senderHostname, authResults } = options;
+  const session = buildSessionFromParsed(parsed, {
+    remoteAddress: senderIp,
+    resolvedClientHostname: senderHostname,
+    resolvedRootClientHostname: senderHostname ? parseRootDomain(senderHostname) : void 0
+  });
+  if (authResults?.dkim) {
+    session.signingDomains = /* @__PURE__ */ new Set();
+    for (const dkimResult of authResults.dkim) {
+      if (dkimResult.result === "pass" && dkimResult.domain) {
+        session.signingDomains.add(dkimResult.domain);
+        session.signingDomains.add(parseRootDomain(dkimResult.domain));
+      }
+    }
+    session.hadAlignedAndPassingDKIM = session.signingDomains.has(session.originalFromAddressDomain) || session.signingDomains.has(session.originalFromAddressRootDomain);
+  }
+  if (authResults?.spf) {
+    const spfForFrom = authResults.spf.find((r) => r.domain === session.originalFromAddressDomain || r.domain === session.originalFromAddressRootDomain);
+    if (spfForFrom) {
+      session.spfFromHeader = {
+        status: { result: spfForFrom.result }
+      };
+    }
+  }
+  const attributes = await getAttributes(parsed, session, { isAligned, authResults });
+  return { attributes, session };
+}
+
+// src/index.js
+var __filename = import.meta.url ? fileURLToPath(import.meta.url) : "";
+var __dirname = __filename ? path.dirname(__filename) : process.cwd();
+var findPackageRoot = (startDir) => {
+  let dir = startDir;
+  while (dir !== path.dirname(dir)) {
+    if (fs.existsSync(path.join(dir, "package.json"))) {
+      return dir;
+    }
+    dir = path.dirname(dir);
+  }
+  return startDir;
+};
+var packageRoot = findPackageRoot(__dirname);
+var executablesData = JSON.parse(fs.readFileSync(path.join(packageRoot, "executables.json"), "utf8"));
+var EXECUTABLES = new Set(executablesData);
+var getReplacements = async () => {
+  const { default: replacements2 } = await Promise.resolve().then(() => (init_replacements(), replacements_exports));
+  return replacements2;
+};
+var getClassifier = async () => {
+  const { default: classifier2 } = await Promise.resolve().then(() => (init_get_classifier(), get_classifier_exports));
+  return classifier2;
+};
+var debug7 = debuglog7("spamscanner");
+var GENERIC_TOKENIZER = /[^a-zá-úÁ-Úà-úÀ-Úñü\dа-яёæøåàáảãạăắằẳẵặâấầẩẫậéèẻẽẹêếềểễệíìỉĩịóòỏõọôốồổỗộơớờởỡợúùủũụưứừửữựýỳỷỹỵđäöëïîûœçążśźęćńł-]+/i;
+var converter = new AFHConvert();
+var chineseTokenizer = { tokenize: (text) => text.split(/\s+/) };
+var stopwordsMap = /* @__PURE__ */ new Map([
+  ["ar", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.ar || []])],
+  ["bg", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.bg || []])],
+  ["bn", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.bn || []])],
+  ["ca", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.ca || []])],
+  ["cs", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.cs || []])],
+  ["da", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.da || []])],
+  ["de", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.de || []])],
+  ["el", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.el || []])],
+  ["en", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.en || []])],
+  ["es", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.es || []])],
+  ["fa", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.fa || []])],
+  ["fi", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.fi || []])],
+  ["fr", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.fr || []])],
+  ["ga", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.ga || []])],
+  ["gl", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.gl || []])],
+  ["gu", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.gu || []])],
+  ["he", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.he || []])],
+  ["hi", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.hi || []])],
+  ["hr", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.hr || []])],
+  ["hu", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.hu || []])],
+  ["hy", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.hy || []])],
+  ["it", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.it || []])],
+  ["ja", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.ja || []])],
+  ["ko", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.ko || []])],
+  ["la", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.la || []])],
+  ["lt", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.lt || []])],
+  ["lv", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.lv || []])],
+  ["mr", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.mr || []])],
+  ["nl", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.nl || []])],
+  ["no", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.nob || []])],
+  ["pl", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.pl || []])],
+  ["pt", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.pt || []])],
+  ["ro", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.ro || []])],
+  ["ru", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.ru || []])],
+  ["sk", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.sk || []])],
+  ["sl", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.sl || []])],
+  ["sv", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.sv || []])],
+  ["th", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.th || []])],
+  ["tr", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.tr || []])],
+  ["uk", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.uk || []])],
+  ["vi", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.vi || []])],
+  ["zh", /* @__PURE__ */ new Set([...natural.stopwords || [], ...sw.zh || []])]
+]);
+var URL_ENDING_RESERVED_CHARS = /[).,;!?]+$/;
+var DATE_PATTERNS = [
+  /\b(?:\d{1,2}[/-]){2}\d{2,4}\b/g,
+  // MM/DD/YYYY or DD/MM/YYYY
+  /\b\d{4}(?:[/-]\d{1,2}){2}\b/g,
+  // YYYY/MM/DD
+  /\b\d{1,2}\s+(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s+\d{2,4}\b/gi,
+  // DD MMM YYYY
+  /\b(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s+\d{1,2},?\s+\d{2,4}\b/gi
+  // MMM DD, YYYY
+];
+var FILE_PATH_PATTERNS = [
+  /[a-z]:\\\\[^\\s<>:"|?*]+/gi,
+  // Windows paths
+  /\/[^\\s<>:"|?*]+/g,
+  // Unix paths
+  /~\/[^\\s<>:"|?*]+/g
+  // Home directory paths
+];
+var CREDIT_CARD_PATTERN = creditCardRegex({ exact: false });
+var PHONE_PATTERN = phoneRegex({ exact: false });
+var EMAIL_PATTERN = emailRegexSafe({ exact: false });
+var IP_PATTERN = ipRegex({ exact: false });
+var URL_PATTERN = urlRegexSafe({ exact: false });
+var BITCOIN_PATTERN = bitcoinRegex({ exact: false });
+var MAC_PATTERN = macRegex({ exact: false });
+var HEX_COLOR_PATTERN = hexaColorRegex({ exact: false });
+var FLOATING_POINT_PATTERN = floatingPointRegex;
+var SpamScanner = class {
+  constructor(options = {}) {
+    this.config = {
+      // Enhanced configuration options
+      enableMacroDetection: true,
+      enablePerformanceMetrics: false,
+      timeout: 3e4,
+      supportedLanguages: ["en"],
+      enableMixedLanguageDetection: false,
+      enableAdvancedPatternRecognition: true,
+      // Authentication options (mailauth)
+      enableAuthentication: false,
+      authOptions: {
+        ip: null,
+        // Remote IP address (required for auth)
+        helo: null,
+        // HELO/EHLO hostname
+        mta: "spamscanner",
+        // MTA hostname
+        sender: null,
+        // Envelope sender (MAIL FROM)
+        timeout: 1e4
+        // DNS lookup timeout
+      },
+      authScoreWeights: {
+        dkimPass: -2,
+        dkimFail: 3,
+        spfPass: -1,
+        spfFail: 2,
+        spfSoftfail: 1,
+        dmarcPass: -2,
+        dmarcFail: 4,
+        arcPass: -1,
+        arcFail: 1
+      },
+      // Reputation API options (Forward Email)
+      enableReputation: false,
+      reputationOptions: {
+        apiUrl: "https://api.forwardemail.net/v1/reputation",
+        timeout: 1e4,
+        onlyAligned: true
+      },
+      // Arbitrary spam detection options
+      enableArbitraryDetection: true,
+      arbitraryThreshold: 5,
+      // Existing options
+      debug: false,
+      logger: console,
+      clamscan: {
+        removeInfected: false,
+        quarantineInfected: false,
+        scanLog: null,
+        debugMode: false,
+        fileList: null,
+        scanRecursively: true,
+        clamscanPath: "/usr/bin/clamscan",
+        clamdscanPath: "/usr/bin/clamdscan",
+        preference: "clamdscan"
+      },
+      classifier: null,
+      replacements: null,
+      ...options
+    };
+    this.classifier = null;
+    this.clamscan = null;
+    this.isInitialized = false;
+    this.replacements = /* @__PURE__ */ new Map();
+    this.metrics = {
+      totalScans: 0,
+      averageTime: 0,
+      lastScanTime: 0
+    };
+    autoBind(this);
+  }
+  async initializeClassifier() {
+    if (this.classifier) {
+      return;
+    }
+    try {
+      if (this.config.classifier) {
+        this.classifier = new NaiveBayes2(this.config.classifier);
+      } else {
+        const classifierData = await getClassifier();
+        this.classifier = new NaiveBayes2(classifierData);
+      }
+      this.classifier.tokenizer = function(tokens) {
+        if (typeof tokens === "string") {
+          return tokens.split(/\s+/);
+        }
+        return Array.isArray(tokens) ? tokens : [];
+      };
+    } catch (error) {
+      debug7("Failed to initialize classifier:", error);
+      this.classifier = new NaiveBayes2();
+    }
+  }
+  // Initialize replacements
+  async initializeReplacements() {
+    if (this.replacements && this.replacements.size > 0) {
+      return;
+    }
+    try {
+      const replacements2 = this.config.replacements || await getReplacements();
+      if (replacements2 instanceof Map) {
+        this.replacements = replacements2;
+      } else if (typeof replacements2 === "object" && replacements2 !== null) {
+        this.replacements = new Map(Object.entries(replacements2));
+      } else {
+        throw new Error("Invalid replacements format");
+      }
+    } catch (error) {
+      debug7("Failed to initialize replacements:", error);
+      this.replacements = /* @__PURE__ */ new Map();
+      const basicReplacements = {
+        u: "you",
+        ur: "your",
+        r: "are",
+        n: "and",
+        "w/": "with",
+        b4: "before",
+        2: "to",
+        4: "for"
+      };
+      for (const [word, replacement] of Object.entries(basicReplacements)) {
+        this.replacements.set(word, replacement);
+      }
+    }
+  }
+  // Initialize regex helpers
+  initializeRegex() {
+    this.regexCache = /* @__PURE__ */ new Map();
+    this.urlCache = /* @__PURE__ */ new Map();
+  }
+  // Enhanced virus scanning with timeout protection
+  async getVirusResults(mail) {
+    if (!this.clamscan) {
+      try {
+        this.clamscan = await new ClamScan().init(this.config.clamscan);
+      } catch (error) {
+        debug7("ClamScan initialization failed:", error);
+        return [];
+      }
+    }
+    const results = [];
+    const attachments = mail.attachments || [];
+    for (const attachment of attachments) {
+      try {
+        if (attachment.content && isBuffer(attachment.content)) {
+          const scanResult = await Promise.race([
+            this.clamscan.scanBuffer(attachment.content),
+            new Promise((_resolve, reject) => {
+              setTimeout(() => reject(new Error("Virus scan timeout")), this.config.timeout);
+            })
+          ]);
+          if (scanResult.isInfected) {
+            results.push({
+              filename: attachment.filename || "unknown",
+              virus: scanResult.viruses || ["Unknown virus"],
+              type: "virus"
+            });
+          }
+        }
+      } catch (error) {
+        debug7("Virus scan error:", error);
+      }
+    }
+    return results;
+  }
+  // Macro detection (DONE)
+  async getMacroResults(mail) {
+    const results = [];
+    const attachments = mail.attachments || [];
+    const textContent = mail.text || "";
+    const htmlContent = mail.html || "";
+    const vbaPatterns = [
+      /sub\s+\w+\s*\(/gi,
+      /function\s+\w+\s*\(/gi,
+      /dim\s+\w+\s+as\s+\w+/gi,
+      /application\.run/gi,
+      /shell\s*\(/gi
+    ];
+    const powershellPatterns = [
+      /powershell/gi,
+      /invoke-expression/gi,
+      /iex\s*\(/gi,
+      /start-process/gi,
+      /new-object\s+system\./gi
+    ];
+    const jsPatterns = [
+      /eval\s*\(/gi,
+      /document\.write/gi,
+      /activexobject/gi,
+      /wscript\./gi,
+      /new\s+activexobject/gi
+    ];
+    const batchPatterns = [/@echo\s+off/gi, /cmd\s*\/c/gi, /start\s+\/b/gi, /for\s+\/[lrf]/gi];
+    let allContent = textContent + " " + htmlContent;
+    if (mail.headerLines && Array.isArray(mail.headerLines)) {
+      for (const headerLine of mail.headerLines) {
+        if (headerLine.line) {
+          allContent += " " + headerLine.line;
+        }
+      }
+    }
+    for (const pattern of vbaPatterns) {
+      if (pattern.test(allContent)) {
+        results.push({
+          type: "macro",
+          subtype: "vba",
+          description: "VBA macro detected"
+        });
+        break;
+      }
+    }
+    for (const pattern of powershellPatterns) {
+      if (pattern.test(allContent)) {
+        results.push({
+          type: "macro",
+          subtype: "powershell",
+          description: "PowerShell script detected"
+        });
+        break;
+      }
+    }
+    for (const pattern of jsPatterns) {
+      if (pattern.test(allContent)) {
+        results.push({
+          type: "macro",
+          subtype: "javascript",
+          description: "JavaScript macro detected"
+        });
+        break;
+      }
+    }
+    for (const pattern of batchPatterns) {
+      if (pattern.test(allContent)) {
+        results.push({
+          type: "macro",
+          subtype: "batch",
+          description: "Batch script detected"
+        });
+        break;
+      }
+    }
+    for (const attachment of attachments) {
+      if (attachment.filename) {
+        const extension = fileExtension(attachment.filename).toLowerCase();
+        const macroExtensions = ["vbs", "vba", "ps1", "bat", "cmd", "scr", "pif"];
+        const officeMacroExtensions = ["docm", "xlsm", "pptm", "xlam", "dotm", "xltm", "potm"];
+        const legacyOfficeExtensions = ["doc", "xls", "ppt", "dot", "xlt", "pot", "xla", "ppa"];
+        if (macroExtensions.includes(extension)) {
+          results.push({
+            type: "macro",
+            subtype: "script",
+            filename: attachment.filename,
+            description: `Macro script attachment detected: ${extension}`
+          });
+        } else if (officeMacroExtensions.includes(extension)) {
+          results.push({
+            type: "macro",
+            subtype: "office_document",
+            filename: attachment.filename,
+            description: `Office document with macro capability: ${extension}`
+          });
+        } else if (legacyOfficeExtensions.includes(extension)) {
+          results.push({
+            type: "macro",
+            subtype: "legacy_office",
+            filename: attachment.filename,
+            description: `Legacy Office document (macro-capable): ${extension}`,
+            risk: "high"
+          });
+        }
+        if (extension === "pdf" && attachment.content && isBuffer(attachment.content)) {
+          try {
+            const pdfContent = attachment.content.toString("latin1");
+            if (pdfContent.includes("/JavaScript") || pdfContent.includes("/JS")) {
+              results.push({
+                type: "macro",
+                subtype: "pdf_javascript",
+                filename: attachment.filename,
+                description: "PDF with embedded JavaScript detected",
+                risk: "medium"
+              });
+            }
+          } catch (error) {
+            debug7("PDF JavaScript detection error:", error);
+          }
+        }
+      }
+    }
+    return results;
+  }
+  // File path detection (DONE)
+  async getFilePathResults(mail) {
+    const results = [];
+    const textContent = mail.text || "";
+    const htmlContent = mail.html || "";
+    const allContent = textContent + " " + htmlContent;
+    for (const pattern of FILE_PATH_PATTERNS) {
+      const matches = allContent.match(pattern);
+      if (matches) {
+        for (const match of matches) {
+          if (this.isValidFilePath(match)) {
+            results.push({
+              type: "file_path",
+              path: match,
+              description: "Suspicious file path detected"
+            });
+          }
+        }
+      }
+    }
+    return results;
+  }
+  // Check if a path is a valid file path (not HTML tag or false positive)
+  isValidFilePath(path3) {
+    const htmlTags = [
+      "a",
+      "abbr",
+      "address",
+      "area",
+      "article",
+      "aside",
+      "audio",
+      "b",
+      "base",
+      "bdi",
+      "bdo",
+      "blockquote",
+      "body",
+      "br",
+      "button",
+      "canvas",
+      "caption",
+      "cite",
+      "code",
+      "col",
+      "colgroup",
+      "data",
+      "datalist",
+      "dd",
+      "del",
+      "details",
+      "dfn",
+      "dialog",
+      "div",
+      "dl",
+      "dt",
+      "em",
+      "embed",
+      "fieldset",
+      "figcaption",
+      "figure",
+      "footer",
+      "form",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "head",
+      "header",
+      "hr",
+      "html",
+      "i",
+      "iframe",
+      "img",
+      "input",
+      "ins",
+      "kbd",
+      "label",
+      "legend",
+      "li",
+      "link",
+      "main",
+      "map",
+      "mark",
+      "meta",
+      "meter",
+      "nav",
+      "noscript",
+      "object",
+      "ol",
+      "optgroup",
+      "option",
+      "output",
+      "p",
+      "param",
+      "picture",
+      "pre",
+      "progress",
+      "q",
+      "rp",
+      "rt",
+      "ruby",
+      "s",
+      "samp",
+      "script",
+      "section",
+      "select",
+      "small",
+      "source",
+      "span",
+      "strong",
+      "style",
+      "sub",
+      "summary",
+      "sup",
+      "svg",
+      "table",
+      "tbody",
+      "td",
+      "template",
+      "textarea",
+      "tfoot",
+      "th",
+      "thead",
+      "time",
+      "title",
+      "tr",
+      "track",
+      "u",
+      "ul",
+      "var",
+      "video",
+      "wbr"
+    ];
+    const tagMatch = path3.match(/^\/([a-z\d]+)$/i);
+    if (tagMatch && htmlTags.includes(tagMatch[1].toLowerCase())) {
+      return false;
+    }
+    if (path3.length < 4) {
+      return false;
+    }
+    if (/^\/\/[a-z\d.-]+$/i.test(path3)) {
+      return false;
+    }
+    if (!path3.includes(".") && !path3.includes("/")) {
+      return false;
+    }
+    return true;
+  }
+  // Optimize URL parsing with timeout protection (DONE)
+  async optimizeUrlParsing(url) {
+    try {
+      return await Promise.race([
+        normalizeUrl(url, {
+          stripHash: true,
+          stripWWW: false,
+          removeQueryParameters: false
+        }),
+        new Promise((_resolve, reject) => {
+          setTimeout(() => reject(new Error("URL parsing timeout")), 5e3);
+        })
+      ]);
+    } catch {
+      return url;
+    }
+  }
+  // Enhanced Cloudflare blocked domain checking with timeout
+  async isCloudflareBlocked(hostname) {
+    try {
+      const response = await Promise.race([
+        superagent.get(`https://1.1.1.3/dns-query?name=${hostname}&type=A`).set("Accept", "application/dns-json").timeout(5e3),
+        new Promise((_resolve, reject) => {
+          setTimeout(() => reject(new Error("DNS timeout")), 5e3);
+        })
+      ]);
+      return response.body?.Status === 3;
+    } catch {
+      return false;
+    }
+  }
+  // Extract URLs from all possible sources
+  extractAllUrls(mail, originalSource) {
+    let allText = "";
+    allText += (mail.text || "") + " " + (mail.html || "");
+    if (mail.headerLines && Array.isArray(mail.headerLines)) {
+      for (const headerLine of mail.headerLines) {
+        if (headerLine.line) {
+          allText += " " + headerLine.line;
+        }
+      }
+    }
+    if (typeof originalSource === "string") {
+      allText += " " + originalSource;
+    }
+    return this.getUrls(allText);
+  }
+  // Enhanced URL extraction with improved parsing using tldts
+  getUrls(string_) {
+    if (!isSANB(string_)) {
+      return [];
+    }
+    const urls = [];
+    const matches = string_.match(URL_PATTERN);
+    if (matches) {
+      for (let url of matches) {
+        url = url.replace(URL_ENDING_RESERVED_CHARS, "");
+        try {
+          const normalizedUrl = normalizeUrl(url, {
+            stripHash: false,
+            stripWWW: false
+          });
+          urls.push(normalizedUrl);
+        } catch {
+          urls.push(url);
+        }
+      }
+    }
+    return [...new Set(urls)];
+  }
+  // Parse URL using tldts for accurate domain extraction
+  parseUrlWithTldts(url) {
+    try {
+      const parsed = parseTldts(url, { allowPrivateDomains: true });
+      return {
+        domain: parsed.domain,
+        domainWithoutSuffix: parsed.domainWithoutSuffix,
+        hostname: parsed.hostname,
+        publicSuffix: parsed.publicSuffix,
+        subdomain: parsed.subdomain,
+        isIp: parsed.isIp,
+        isIcann: parsed.isIcann,
+        isPrivate: parsed.isPrivate
+      };
+    } catch (error) {
+      debug7("tldts parsing error:", error);
+      return null;
+    }
+  }
+  // Enhanced tokenization with language detection
+  async getTokens(string_, locale = "en", isHtml = false) {
+    if (!isSANB(string_)) {
+      return [];
+    }
+    let text = string_;
+    if (isHtml) {
+      text = striptags(text);
+    }
+    if (!locale || this.config.enableMixedLanguageDetection) {
+      try {
+        const detected = lande(text);
+        if (detected && detected.length > 0) {
+          locale = detected[0][0];
+        }
+      } catch {
+        locale ||= "en";
+      }
+    }
+    locale = this.parseLocale(locale);
+    text = converter.toHalfWidth(text);
+    try {
+      text = expandContractions(text);
+    } catch {
+    }
+    let tokens = [];
+    if (locale === "ja") {
+      try {
+        tokens = chineseTokenizer.tokenize(text);
+      } catch {
+        tokens = text.split(GENERIC_TOKENIZER);
+      }
+    } else if (locale === "zh") {
+      try {
+        tokens = chineseTokenizer.tokenize(text);
+      } catch {
+        tokens = text.split(GENERIC_TOKENIZER);
+      }
+    } else {
+      tokens = text.split(GENERIC_TOKENIZER);
+    }
+    let processedTokens = tokens.map((token) => token.toLowerCase().trim()).filter((token) => token.length > 0 && token.length <= 50);
+    const stopwordSet = stopwordsMap.get(locale) || stopwordsMap.get("en");
+    if (stopwordSet) {
+      processedTokens = processedTokens.filter((token) => !stopwordSet.has(token));
+    }
+    try {
+      if (["en", "es", "fr", "de", "it", "pt", "ru"].includes(locale)) {
+        processedTokens = processedTokens.map((token) => {
+          try {
+            return snowball.stemword(token, locale);
+          } catch {
+            return token;
+          }
+        });
+      }
+    } catch {
+    }
+    if (this.config.hashTokens) {
+      processedTokens = processedTokens.map((token) => createHash2("sha256").update(token).digest("hex").slice(0, 16));
+    }
+    return processedTokens;
+  }
+  // Enhanced text preprocessing with pattern recognition
+  async preprocessText(string_) {
+    if (!isSANB(string_)) {
+      return "";
+    }
+    let text = string_;
+    if (this.replacements) {
+      for (const [original, replacement] of this.replacements) {
+        text = text.replaceAll(new RegExp(escapeStringRegexp(original), "gi"), replacement);
+      }
+    }
+    if (this.config.enableAdvancedPatternRecognition) {
+      text = text.replaceAll(DATE_PATTERNS[0], " DATE_PATTERN ");
+      text = text.replace(CREDIT_CARD_PATTERN, " CREDIT_CARD ");
+      text = text.replace(PHONE_PATTERN, " PHONE_NUMBER ");
+      text = text.replace(EMAIL_PATTERN, " EMAIL_ADDRESS ");
+      text = text.replace(IP_PATTERN, " IP_ADDRESS ");
+      text = text.replace(URL_PATTERN, " URL_LINK ");
+      text = text.replace(BITCOIN_PATTERN, " BITCOIN_ADDRESS ");
+      text = text.replace(MAC_PATTERN, " MAC_ADDRESS ");
+      text = text.replace(HEX_COLOR_PATTERN, " HEX_COLOR ");
+      text = text.replace(FLOATING_POINT_PATTERN, " FLOATING_POINT ");
+    }
+    return text;
+  }
+  // Main scan method - enhanced with performance metrics, auth, and reputation
+  async scan(source, scanOptions = {}) {
+    const startTime = Date.now();
+    try {
+      await this.initializeClassifier();
+      await this.initializeReplacements();
+      const { tokens, mail } = await this.getTokensAndMailFromSource(source);
+      const authOptions = { ...this.config.authOptions, ...scanOptions.authOptions };
+      const reputationOptions = { ...this.config.reputationOptions, ...scanOptions.reputationOptions };
+      const detectionPromises = [
+        this.getClassification(tokens),
+        this.getPhishingResults(mail),
+        this.getExecutableResults(mail),
+        this.config.enableMacroDetection ? this.getMacroResults(mail) : [],
+        this.config.enableArbitraryDetection ? this.getArbitraryResults(mail, { remoteAddress: authOptions.ip, resolvedClientHostname: authOptions.hostname }) : [],
+        this.getVirusResults(mail),
+        this.getPatternResults(mail),
+        this.getIDNHomographResults(mail),
+        this.getToxicityResults(mail),
+        this.getNSFWResults(mail)
+      ];
+      const enableAuth = scanOptions.enableAuthentication ?? this.config.enableAuthentication;
+      if (enableAuth && authOptions.ip) {
+        detectionPromises.push(this.getAuthenticationResults(source, mail, authOptions));
+      } else {
+        detectionPromises.push(Promise.resolve(null));
+      }
+      const enableReputation = scanOptions.enableReputation ?? this.config.enableReputation;
+      if (enableReputation) {
+        detectionPromises.push(this.getReputationResults(mail, authOptions, reputationOptions));
+      } else {
+        detectionPromises.push(Promise.resolve(null));
+      }
+      const [
+        classification,
+        phishing,
+        executables,
+        macros,
+        arbitrary,
+        viruses,
+        patterns,
+        idnHomographAttack,
+        toxicity,
+        nsfw,
+        authResult,
+        reputationResult
+      ] = await Promise.all(detectionPromises);
+      let isSpam = classification.category === "spam" || phishing.length > 0 || executables.length > 0 || macros.length > 0 || arbitrary.length > 0 || viruses.length > 0 || patterns.length > 0 || idnHomographAttack && idnHomographAttack.detected || toxicity.length > 0 || nsfw.length > 0;
+      if (reputationResult && reputationResult.isDenylisted) {
+        isSpam = true;
+      }
+      let message = "Ham";
+      if (isSpam) {
+        const reasons = [];
+        if (classification.category === "spam") {
+          reasons.push("spam classification");
+        }
+        if (phishing.length > 0) {
+          reasons.push("phishing detected");
+        }
+        if (executables.length > 0) {
+          reasons.push("executable content");
+        }
+        if (macros.length > 0) {
+          reasons.push("macro detected");
+        }
+        if (arbitrary.length > 0) {
+          reasons.push("arbitrary patterns");
+        }
+        if (viruses.length > 0) {
+          reasons.push("virus detected");
+        }
+        if (patterns.length > 0) {
+          reasons.push("suspicious patterns");
+        }
+        if (idnHomographAttack && idnHomographAttack.detected) {
+          reasons.push("IDN homograph attack");
+        }
+        if (toxicity.length > 0) {
+          reasons.push("toxic content");
+        }
+        if (nsfw.length > 0) {
+          reasons.push("NSFW content");
+        }
+        if (reputationResult?.isDenylisted) {
+          reasons.push("denylisted sender");
+        }
+        message = `Spam (${arrayJoinConjunction(reasons)})`;
+      } else if (reputationResult?.isTruthSource) {
+        message = "Ham (truth source)";
+      } else if (reputationResult?.isAllowlisted) {
+        message = "Ham (allowlisted)";
+      }
+      const endTime = Date.now();
+      const processingTime = endTime - startTime;
+      this.metrics.totalScans++;
+      this.metrics.lastScanTime = processingTime;
+      this.metrics.averageTime = (this.metrics.averageTime * (this.metrics.totalScans - 1) + processingTime) / this.metrics.totalScans;
+      const result = {
+        isSpam,
+        message,
+        results: {
+          classification,
+          phishing,
+          executables,
+          macros,
+          arbitrary,
+          viruses,
+          patterns,
+          idnHomographAttack,
+          toxicity,
+          nsfw,
+          authentication: authResult,
+          reputation: reputationResult
+        },
+        links: this.extractAllUrls(mail, source),
+        tokens,
+        mail
+      };
+      if (this.config.enablePerformanceMetrics) {
+        result.metrics = {
+          totalTime: processingTime,
+          classificationTime: 0,
+          // Would need to measure individually
+          phishingTime: 0,
+          executableTime: 0,
+          macroTime: 0,
+          virusTime: 0,
+          patternTime: 0,
+          idnTime: 0,
+          memoryUsage: process.memoryUsage()
+        };
+      }
+      return result;
+    } catch (error) {
+      debug7("Scan error:", error);
+      throw error;
+    }
+  }
+  // Get authentication results using mailauth
+  async getAuthenticationResults(source, mail, options = {}) {
+    try {
+      const messageBuffer = typeof source === "string" ? Buffer3.from(source) : source;
+      const sender = options.sender || mail.from?.value?.[0]?.address || mail.from?.text;
+      const authResult = await authenticate(messageBuffer, {
+        ip: options.ip,
+        helo: options.helo,
+        mta: options.mta || "spamscanner",
+        sender,
+        timeout: options.timeout || 1e4
+      });
+      const scoreResult = calculateAuthScore(authResult, this.config.authScoreWeights);
+      return {
+        ...authResult,
+        score: scoreResult,
+        authResultsHeader: formatAuthResultsHeader(authResult, options.mta || "spamscanner")
+      };
+    } catch (error) {
+      debug7("Authentication error:", error);
+      return null;
+    }
+  }
+  // Get reputation results from Forward Email API
+  // Uses get-attributes module to extract comprehensive attributes for checking
+  async getReputationResults(mail, authOptions = {}, reputationOptions = {}) {
+    try {
+      const { attributes, session } = await extractAttributes(mail, {
+        isAligned: reputationOptions.onlyAligned ?? true,
+        senderIp: authOptions.ip,
+        senderHostname: authOptions.hostname,
+        authResults: authOptions.authResults
+      });
+      const valuesToCheck = [...attributes];
+      if (authOptions.sender) {
+        const senderLower = authOptions.sender.toLowerCase();
+        if (!valuesToCheck.includes(senderLower)) {
+          valuesToCheck.push(senderLower);
+        }
+        const envelopeDomain = senderLower.split("@")[1];
+        if (envelopeDomain && !valuesToCheck.includes(envelopeDomain)) {
+          valuesToCheck.push(envelopeDomain);
+        }
+      }
+      const replyTo = mail.replyTo?.value || [];
+      for (const addr of replyTo) {
+        if (addr.address) {
+          const addrLower = addr.address.toLowerCase();
+          if (!valuesToCheck.includes(addrLower)) {
+            valuesToCheck.push(addrLower);
+          }
+          const domain = addrLower.split("@")[1];
+          if (domain && !valuesToCheck.includes(domain)) {
+            valuesToCheck.push(domain);
+          }
+        }
+      }
+      if (valuesToCheck.length === 0) {
+        return null;
+      }
+      debug7("Checking reputation for %d attributes: %o", valuesToCheck.length, valuesToCheck);
+      const resultsMap = await checkReputationBatch(valuesToCheck, reputationOptions);
+      const aggregated = aggregateReputationResults([...resultsMap.values()]);
+      return {
+        ...aggregated,
+        checkedValues: valuesToCheck,
+        details: Object.fromEntries(resultsMap),
+        session
+        // Include session info for debugging
+      };
+    } catch (error) {
+      debug7("Reputation check error:", error);
+      return null;
+    }
+  }
+  // Get pattern recognition results
+  async getPatternResults(mail) {
+    const results = [];
+    const textContent = mail.text || "";
+    const htmlContent = mail.html || "";
+    const allContent = textContent + " " + htmlContent;
+    for (const pattern of DATE_PATTERNS) {
+      const matches = allContent.match(pattern);
+      if (matches && matches.length > 5) {
+        results.push({
+          type: "pattern",
+          subtype: "date_spam",
+          count: matches.length,
+          description: "Excessive date patterns detected"
+        });
+      }
+    }
+    const filePathResults = await this.getFilePathResults(mail);
+    results.push(...filePathResults);
+    return results;
+  }
+  // Enhanced mail parsing with better error handling
+  async getTokensAndMailFromSource(source) {
+    let mail;
+    if (typeof source === "string" && fs.existsSync(source)) {
+      source = fs.readFileSync(source);
+    }
+    if (isBuffer(source)) {
+      source = source.toString();
+    }
+    if (!source || typeof source !== "string") {
+      source = "";
+    }
+    try {
+      mail = await simpleParser(source);
+    } catch (error) {
+      debug7("Mail parsing error:", error);
+      mail = {
+        text: source,
+        html: "",
+        subject: "",
+        from: {},
+        to: [],
+        attachments: []
+      };
+    }
+    const textContent = await this.preprocessText(mail.text || "");
+    const htmlContent = await this.preprocessText(striptags(mail.html || ""));
+    const subjectContent = await this.preprocessText(mail.subject || "");
+    const allContent = [textContent, htmlContent, subjectContent].join(" ");
+    const tokens = await this.getTokens(allContent, "en");
+    return { tokens, mail };
+  }
+  // Enhanced classification with better error handling
+  async getClassification(tokens) {
+    if (!this.classifier) {
+      await this.initializeClassifier();
+    }
+    try {
+      const text = Array.isArray(tokens) ? tokens.join(" ") : String(tokens);
+      const result = this.classifier.categorize(text);
+      return {
+        category: result,
+        probability: 0.5
+        // Default probability
+      };
+    } catch (error) {
+      debug7("Classification error:", error);
+      return {
+        category: "ham",
+        probability: 0.5
+      };
+    }
+  }
+  // Enhanced phishing detection
+  async getPhishingResults(mail) {
+    const results = [];
+    const links = this.getUrls(mail.text || "");
+    for (const url of links) {
+      try {
+        const normalizedUrl = await this.optimizeUrlParsing(url);
+        const parsed = new URL(normalizedUrl);
+        const isBlocked = await this.isCloudflareBlocked(parsed.hostname);
+        if (isBlocked) {
+          results.push({
+            type: "phishing",
+            url: normalizedUrl,
+            description: "Blocked by security filters"
+          });
+        }
+        const idnDetector = await this.getIDNDetector();
+        if (idnDetector && parsed.hostname) {
+          const context = {
+            emailContent: mail.text || mail.html || "",
+            displayText: url === normalizedUrl ? null : url,
+            senderReputation: 0.5
+            // Default neutral reputation
+          };
+          const idnAnalysis = idnDetector.detectHomographAttack(parsed.hostname, context);
+          if (idnAnalysis.riskScore > 0.6) {
+            results.push({
+              type: "phishing",
+              url: normalizedUrl,
+              description: `IDN homograph attack detected (risk: ${(idnAnalysis.riskScore * 100).toFixed(1)}%)`,
+              details: {
+                riskFactors: idnAnalysis.riskFactors,
+                recommendations: idnAnalysis.recommendations,
+                confidence: idnAnalysis.confidence
+              }
+            });
+          } else if (idnAnalysis.riskScore > 0.3) {
+            results.push({
+              type: "suspicious",
+              url: normalizedUrl,
+              description: `Suspicious IDN domain (risk: ${(idnAnalysis.riskScore * 100).toFixed(1)}%)`,
+              details: {
+                riskFactors: idnAnalysis.riskFactors,
+                recommendations: idnAnalysis.recommendations
+              }
+            });
+          }
+        }
+      } catch (error) {
+        debug7("Phishing check error:", error);
+      }
+    }
+    return results;
+  }
+  // Enhanced executable detection
+  async getExecutableResults(mail) {
+    const results = [];
+    const attachments = mail.attachments || [];
+    for (const attachment of attachments) {
+      if (attachment.filename) {
+        const extension = fileExtension(attachment.filename).toLowerCase();
+        if (EXECUTABLES.has(extension)) {
+          results.push({
+            type: "executable",
+            filename: attachment.filename,
+            extension,
+            description: "Executable file attachment"
+          });
+        }
+        const archiveExtensions = ["zip", "rar", "7z", "tar", "gz", "bz2", "xz", "arj", "cab", "lzh", "ace", "iso"];
+        if (archiveExtensions.includes(extension)) {
+          results.push({
+            type: "archive",
+            filename: attachment.filename,
+            extension,
+            description: "Archive attachment (contents not scanned)",
+            risk: "medium",
+            warning: "Archive contents should be extracted and scanned separately"
+          });
+        }
+      }
+      if (attachment.content && isBuffer(attachment.content)) {
+        try {
+          const fileType = await fileTypeFromBuffer(attachment.content);
+          if (fileType && EXECUTABLES.has(fileType.ext)) {
+            results.push({
+              type: "executable",
+              filename: attachment.filename || "unknown",
+              detectedType: fileType.ext,
+              description: "Executable content detected"
+            });
+          }
+        } catch (error) {
+          debug7("File type detection error:", error);
+        }
+      }
+    }
+    return results;
+  }
+  // Arbitrary results (GTUBE, spam patterns, etc.)
+  // Updated to use session info for Microsoft Exchange spam detection
+  async getArbitraryResults(mail, sessionInfo = {}) {
+    const results = [];
+    let content = (mail.text || "") + (mail.html || "");
+    if (mail.headerLines && Array.isArray(mail.headerLines)) {
+      for (const headerLine of mail.headerLines) {
+        if (headerLine.line) {
+          content += " " + headerLine.line;
+        }
+      }
+    }
+    if (content.includes("XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X")) {
+      results.push({
+        type: "arbitrary",
+        subtype: "gtube",
+        description: "GTUBE spam test pattern detected",
+        score: 100
+      });
+    }
+    try {
+      const session = buildSessionInfo(mail, sessionInfo);
+      const arbitraryResult = isArbitrary(mail, {
+        threshold: this.config.arbitraryThreshold || 5,
+        checkSubject: true,
+        checkBody: true,
+        checkSender: true,
+        checkHeaders: true,
+        checkLinks: true,
+        checkMicrosoftHeaders: true,
+        // Enable Microsoft Exchange spam detection
+        checkVendorSpam: true,
+        // Enable vendor-specific spam detection
+        checkSpoofing: true,
+        // Enable spoofing attack detection
+        session
+        // Pass session info for advanced checks
+      });
+      if (arbitraryResult.isArbitrary) {
+        results.push({
+          type: "arbitrary",
+          subtype: arbitraryResult.category ? arbitraryResult.category.toLowerCase() : "pattern",
+          description: `Arbitrary spam patterns detected (score: ${arbitraryResult.score})`,
+          score: arbitraryResult.score,
+          reasons: arbitraryResult.reasons,
+          category: arbitraryResult.category
+        });
+      }
+    } catch (error) {
+      debug7("Arbitrary detection error:", error);
+    }
+    return results;
+  }
+  // Parse and normalize locale
+  parseLocale(locale) {
+    if (!locale || typeof locale !== "string") {
+      return "en";
+    }
+    const normalized = locale.toLowerCase().split("-")[0];
+    const localeMap = {
+      nb: "no",
+      // Norwegian Bokmål
+      nn: "no",
+      // Norwegian Nynorsk
+      "zh-cn": "zh",
+      "zh-tw": "zh"
+    };
+    return localeMap[normalized] || normalized;
+  }
+  // Get IDN homograph attack results
+  async getIDNHomographResults(mail) {
+    const result = {
+      detected: false,
+      domains: [],
+      riskScore: 0,
+      details: []
+    };
+    try {
+      const idnDetector = await this.getIDNDetector();
+      if (!idnDetector) {
+        return result;
+      }
+      const textContent = mail.text || "";
+      const htmlContent = mail.html || "";
+      const allContent = textContent + " " + htmlContent;
+      const urls = this.getUrls(allContent);
+      for (const url of urls) {
+        try {
+          const normalizedUrl = await this.optimizeUrlParsing(url);
+          const parsed = new URL(normalizedUrl);
+          const domain = parsed.hostname;
+          if (!domain) {
+            continue;
+          }
+          const context = {
+            emailContent: allContent,
+            displayText: url === normalizedUrl ? null : url,
+            senderReputation: 0.5,
+            // Default neutral reputation
+            emailHeaders: mail.headers || {}
+          };
+          const analysis = idnDetector.detectHomographAttack(domain, context);
+          if (analysis.riskScore > 0.3) {
+            result.detected = true;
+            result.domains.push({
+              domain,
+              originalUrl: url,
+              normalizedUrl,
+              riskScore: analysis.riskScore,
+              riskFactors: analysis.riskFactors,
+              recommendations: analysis.recommendations,
+              confidence: analysis.confidence
+            });
+            result.riskScore = Math.max(result.riskScore, analysis.riskScore);
+          }
+        } catch (error) {
+          debug7("IDN analysis error for URL:", url, error);
+        }
+      }
+      if (result.detected) {
+        result.details.push(
+          `Found ${result.domains.length} suspicious domain(s)`,
+          `Highest risk score: ${(result.riskScore * 100).toFixed(1)}%`
+        );
+        const allRiskFactors = /* @__PURE__ */ new Set();
+        for (const domain of result.domains) {
+          for (const factor of domain.riskFactors) {
+            allRiskFactors.add(factor);
+          }
+        }
+        result.details.push(...allRiskFactors);
+      }
+    } catch (error) {
+      debug7("IDN homograph detection error:", error);
+    }
+    return result;
+  }
+  // Get IDN detector instance
+  async getIDNDetector() {
+    if (!this.idnDetector) {
+      try {
+        const { default: EnhancedIDNDetector2 } = await Promise.resolve().then(() => (init_enhanced_idn_detector(), enhanced_idn_detector_exports));
+        this.idnDetector = new EnhancedIDNDetector2({
+          strictMode: this.config.strictIDNDetection || false,
+          enableWhitelist: true,
+          enableBrandProtection: true,
+          enableContextAnalysis: true
+        });
+      } catch (error) {
+        debug7("Failed to load IDN detector:", error);
+        return null;
+      }
+    }
+    return this.idnDetector;
+  }
+  // Hybrid language detection using both lande and franc
+  async detectLanguageHybrid(text) {
+    if (!text || typeof text !== "string" || text.length < 3) {
+      return "en";
+    }
+    const cleanText = text.trim();
+    if (!cleanText || /^[\d\s\W]+$/.test(cleanText)) {
+      return "en";
+    }
+    try {
+      if (text.length < 50) {
+        const landeResult = lande(text);
+        if (landeResult && landeResult.length > 0) {
+          const detected2 = landeResult[0][0];
+          const normalized = this.normalizeLanguageCode(detected2);
+          if (this.isValidShortTextDetection(text, normalized)) {
+            if (this.config.supportedLanguages && this.config.supportedLanguages.length > 0) {
+              if (this.config.supportedLanguages.includes(normalized)) {
+                return normalized;
+              }
+              return this.config.supportedLanguages[0];
+            }
+            return normalized;
+          }
+          return "en";
+        }
+        return "en";
+      }
+      const { franc } = await import("franc");
+      const francResult = franc(text);
+      if (francResult === "und") {
+        const landeResult = lande(text);
+        if (landeResult && landeResult.length > 0) {
+          return this.normalizeLanguageCode(landeResult[0][0]);
+        }
+        return "en";
+      }
+      const detected = this.normalizeLanguageCode(francResult);
+      if (this.config.supportedLanguages && this.config.supportedLanguages.length > 0) {
+        if (this.config.supportedLanguages.includes(detected)) {
+          return detected;
+        }
+        return this.config.supportedLanguages[0];
+      }
+      return detected;
+    } catch (error) {
+      debug7("Language detection error:", error);
+      try {
+        const landeResult = lande(text);
+        if (landeResult && landeResult.length > 0) {
+          return this.normalizeLanguageCode(landeResult[0][0]);
+        }
+        return "en";
+      } catch {
+        return "en";
+      }
+    }
+  }
+  // Validate short text language detection
+  isValidShortTextDetection(text, detectedLang) {
+    const hasNonLatin = /[^\u0000-\u024F\u1E00-\u1EFF]/.test(text);
+    if (hasNonLatin) {
+      return true;
+    }
+    if (text.length < 7 && detectedLang !== "en") {
+      return false;
+    }
+    return true;
+  }
+  // Get toxicity detection results
+  async getToxicityResults(mail) {
+    const results = [];
+    try {
+      if (!this.toxicityModel) {
+        const _tf = await import("@tensorflow/tfjs-node");
+        const toxicity = await import("@tensorflow-models/toxicity");
+        const threshold = this.config.toxicityThreshold || 0.7;
+        this.toxicityModel = await toxicity.load(threshold);
+      }
+      const textContent = mail.text || "";
+      const htmlContent = striptags(mail.html || "");
+      const subjectContent = mail.subject || "";
+      const allContent = [subjectContent, textContent, htmlContent].filter((text) => text && text.trim().length > 0).join(" ").slice(0, 5e3);
+      if (!allContent || allContent.trim().length < 10) {
+        return results;
+      }
+      const predictions = await Promise.race([
+        this.toxicityModel.classify([allContent]),
+        new Promise((_resolve, reject) => {
+          setTimeout(() => reject(new Error("Toxicity detection timeout")), this.config.timeout);
+        })
+      ]);
+      for (const prediction of predictions) {
+        const { label } = prediction;
+        const matches = prediction.results[0].match;
+        if (matches) {
+          const { probabilities } = prediction.results[0];
+          const toxicProbability = probabilities[1];
+          results.push({
+            type: "toxicity",
+            category: label,
+            probability: toxicProbability,
+            description: `Toxic content detected: ${label} (${(toxicProbability * 100).toFixed(1)}%)`
+          });
+        }
+      }
+    } catch (error) {
+      debug7("Toxicity detection error:", error);
+    }
+    return results;
+  }
+  // Get NSFW image detection results
+  async getNSFWResults(mail) {
+    const results = [];
+    try {
+      if (!this.nsfwModel) {
+        const _tf = await import("@tensorflow/tfjs-node");
+        const nsfw = await import("nsfwjs");
+        this.nsfwModel = await nsfw.load();
+      }
+      const attachments = mail.attachments || [];
+      for (const attachment of attachments) {
+        try {
+          if (!attachment.content || !isBuffer(attachment.content)) {
+            continue;
+          }
+          const fileType = await fileTypeFromBuffer(attachment.content);
+          if (!fileType || !fileType.mime.startsWith("image/")) {
+            continue;
+          }
+          const sharp = (await import("sharp")).default;
+          const processedImage = await sharp(attachment.content).resize(224, 224).raw().toBuffer();
+          const _tf = await import("@tensorflow/tfjs-node");
+          const imageTensor = _tf.tensor3d(
+            new Uint8Array(processedImage),
+            [224, 224, 3]
+          );
+          const predictions = await Promise.race([
+            this.nsfwModel.classify(imageTensor),
+            new Promise((_resolve, reject) => {
+              setTimeout(() => reject(new Error("NSFW detection timeout")), this.config.timeout);
+            })
+          ]);
+          imageTensor.dispose();
+          const nsfwThreshold = this.config.nsfwThreshold || 0.6;
+          for (const prediction of predictions) {
+            if ((prediction.className === "Porn" || prediction.className === "Hentai" || prediction.className === "Sexy") && prediction.probability > nsfwThreshold) {
+              results.push({
+                type: "nsfw",
+                filename: attachment.filename || "unknown",
+                category: prediction.className,
+                probability: prediction.probability,
+                description: `NSFW image detected: ${prediction.className} (${(prediction.probability * 100).toFixed(1)}%)`
+              });
+            }
+          }
+        } catch (error) {
+          debug7("NSFW detection error for attachment:", attachment.filename, error);
+        }
+      }
+    } catch (error) {
+      debug7("NSFW detection error:", error);
+    }
+    return results;
+  }
+  // Normalize language codes from 3-letter to 2-letter format
+  normalizeLanguageCode(code) {
+    if (!code || typeof code !== "string") {
+      return "en";
+    }
+    if (code.length === 2) {
+      return code.toLowerCase();
+    }
+    const codeMap = {
+      // Common language mappings
+      eng: "en",
+      // English
+      fra: "fr",
+      // French
+      fre: "fr",
+      // French (alternative)
+      spa: "es",
+      // Spanish
+      deu: "de",
+      // German
+      ger: "de",
+      // German (alternative)
+      ita: "it",
+      // Italian
+      por: "pt",
+      // Portuguese
+      rus: "ru",
+      // Russian
+      jpn: "ja",
+      // Japanese
+      kor: "ko",
+      // Korean
+      cmn: "zh",
+      // Chinese (Mandarin)
+      zho: "zh",
+      // Chinese
+      chi: "zh",
+      // Chinese (alternative)
+      ara: "ar",
+      // Arabic
+      hin: "hi",
+      // Hindi
+      ben: "bn",
+      // Bengali
+      urd: "ur",
+      // Urdu
+      tur: "tr",
+      // Turkish
+      pol: "pl",
+      // Polish
+      nld: "nl",
+      // Dutch
+      dut: "nl",
+      // Dutch (alternative)
+      swe: "sv",
+      // Swedish
+      nor: "no",
+      // Norwegian
+      dan: "da",
+      // Danish
+      fin: "fi",
+      // Finnish
+      hun: "hu",
+      // Hungarian
+      ces: "cs",
+      // Czech
+      cze: "cs",
+      // Czech (alternative)
+      slk: "sk",
+      // Slovak
+      slo: "sk",
+      // Slovak (alternative)
+      slv: "sl",
+      // Slovenian
+      hrv: "hr",
+      // Croatian
+      srp: "sr",
+      // Serbian
+      bul: "bg",
+      // Bulgarian
+      ron: "ro",
+      // Romanian
+      rum: "ro",
+      // Romanian (alternative)
+      ell: "el",
+      // Greek
+      gre: "el",
+      // Greek (alternative)
+      heb: "he",
+      // Hebrew
+      tha: "th",
+      // Thai
+      vie: "vi",
+      // Vietnamese
+      ind: "id",
+      // Indonesian
+      msa: "ms",
+      // Malay
+      may: "ms",
+      // Malay (alternative)
+      tgl: "tl",
+      // Tagalog
+      ukr: "uk",
+      // Ukrainian
+      bel: "be",
+      // Belarusian
+      lit: "lt",
+      // Lithuanian
+      lav: "lv",
+      // Latvian
+      est: "et",
+      // Estonian
+      cat: "ca",
+      // Catalan
+      eus: "eu",
+      // Basque
+      baq: "eu",
+      // Basque (alternative)
+      glg: "gl",
+      // Galician
+      gle: "ga",
+      // Irish
+      gla: "gd",
+      // Scottish Gaelic
+      cym: "cy",
+      // Welsh
+      wel: "cy",
+      // Welsh (alternative)
+      isl: "is",
+      // Icelandic
+      ice: "is",
+      // Icelandic (alternative)
+      mlt: "mt",
+      // Maltese
+      afr: "af",
+      // Afrikaans
+      swa: "sw",
+      // Swahili
+      amh: "am",
+      // Amharic
+      hau: "ha",
+      // Hausa
+      yor: "yo",
+      // Yoruba
+      ibo: "ig",
+      // Igbo
+      som: "so",
+      // Somali
+      orm: "om",
+      // Oromo
+      tig: "ti",
+      // Tigrinya
+      mlg: "mg",
+      // Malagasy
+      nya: "ny",
+      // Chichewa
+      sna: "sn",
+      // Shona
+      xho: "xh",
+      // Xhosa
+      zul: "zu",
+      // Zulu
+      nso: "nso",
+      // Northern Sotho
+      sot: "st",
+      // Southern Sotho
+      tsn: "tn",
+      // Tswana
+      ven: "ve",
+      // Venda
+      tso: "ts",
+      // Tsonga
+      ssw: "ss",
+      // Swati
+      nde: "nr",
+      // Southern Ndebele
+      nbl: "nd"
+      // Northern Ndebele
+    };
+    const normalized = code.toLowerCase();
+    return codeMap[normalized] || "en";
+  }
+};
+var index_default = SpamScanner;
+
+// src/cli.js
+var __filename2 = fileURLToPath2(import.meta.url);
+var __dirname2 = path2.dirname(__filename2);
+var SUPPORTED_LANGUAGES = {
+  en: "English",
+  fr: "French",
+  es: "Spanish",
+  de: "German",
+  it: "Italian",
+  pt: "Portuguese",
+  ru: "Russian",
+  ja: "Japanese",
+  ko: "Korean",
+  zh: "Chinese",
+  ar: "Arabic",
+  hi: "Hindi",
+  bn: "Bengali",
+  ur: "Urdu",
+  tr: "Turkish",
+  pl: "Polish",
+  nl: "Dutch",
+  sv: "Swedish",
+  no: "Norwegian",
+  da: "Danish",
+  fi: "Finnish",
+  hu: "Hungarian",
+  cs: "Czech",
+  sk: "Slovak",
+  sl: "Slovenian",
+  hr: "Croatian",
+  sr: "Serbian",
+  bg: "Bulgarian",
+  ro: "Romanian",
+  el: "Greek",
+  he: "Hebrew",
+  th: "Thai",
+  vi: "Vietnamese",
+  id: "Indonesian",
+  ms: "Malay",
+  tl: "Tagalog",
+  uk: "Ukrainian",
+  be: "Belarusian",
+  lt: "Lithuanian",
+  lv: "Latvian",
+  et: "Estonian",
+  ca: "Catalan",
+  eu: "Basque",
+  gl: "Galician",
+  ga: "Irish",
+  gd: "Scottish Gaelic",
+  cy: "Welsh",
+  is: "Icelandic",
+  mt: "Maltese",
+  af: "Afrikaans",
+  sw: "Swahili",
+  am: "Amharic",
+  ha: "Hausa",
+  yo: "Yoruba",
+  ig: "Igbo",
+  so: "Somali",
+  om: "Oromo",
+  ti: "Tigrinya",
+  mg: "Malagasy",
+  ny: "Chichewa",
+  sn: "Shona",
+  xh: "Xhosa",
+  zu: "Zulu",
+  st: "Southern Sotho",
+  tn: "Tswana"
+};
+var DEFAULT_SCORES = {
+  classifier: 5,
+  // Base score when classifier says spam
+  phishing: 5,
+  // Per phishing issue detected
+  executable: 10,
+  // Per dangerous executable detected
+  macro: 5,
+  // Per macro detected
+  virus: 100,
+  // Per virus detected
+  nsfw: 3,
+  // Per NSFW content detected
+  toxicity: 3
+  // Per toxic content detected
+};
+var UPDATE_CACHE_DIR = path2.join(homedir(), ".spamscanner");
+var UPDATE_CACHE_FILE = path2.join(UPDATE_CACHE_DIR, "update-check.json");
+var UPDATE_CHECK_INTERVAL = 24 * 60 * 60 * 1e3;
+function getVersion() {
+  const possiblePaths = [
+    path2.join(__dirname2, "..", "package.json"),
+    path2.join(__dirname2, "..", "..", "package.json"),
+    path2.join(__dirname2, "..", "..", "..", "package.json")
+  ];
+  for (const pkgPath of possiblePaths) {
+    try {
+      const content = readFileSync3(pkgPath, "utf8");
+      const pkg = JSON.parse(content);
+      if (pkg.name === "spamscanner" && pkg.version) {
+        return pkg.version;
+      }
+    } catch {
+    }
+  }
+  return "unknown";
+}
+var VERSION = getVersion();
+function compareVersions(v1, v2) {
+  const parts1 = v1.replace(/^v/, "").split(".").map(Number);
+  const parts2 = v2.replace(/^v/, "").split(".").map(Number);
+  for (let i = 0; i < Math.max(parts1.length, parts2.length); i++) {
+    const p1 = parts1[i] || 0;
+    const p2 = parts2[i] || 0;
+    if (p1 < p2) {
+      return -1;
+    }
+    if (p1 > p2) {
+      return 1;
+    }
+  }
+  return 0;
+}
+function getBinaryName() {
+  const { platform } = process2;
+  const { arch } = process2;
+  if (platform === "win32") {
+    return "spamscanner-win-x64.exe";
+  }
+  if (platform === "darwin") {
+    return arch === "arm64" ? "spamscanner-darwin-arm64" : "spamscanner-darwin-x64";
+  }
+  return "spamscanner-linux-x64";
+}
+async function checkForUpdates(force = false) {
+  try {
+    if (!force && existsSync(UPDATE_CACHE_FILE)) {
+      const cache2 = JSON.parse(readFileSync3(UPDATE_CACHE_FILE, "utf8"));
+      const age = Date.now() - cache2.timestamp;
+      if (age < UPDATE_CHECK_INTERVAL) {
+        if (cache2.latestVersion && compareVersions(cache2.latestVersion, VERSION) > 0) {
+          return {
+            currentVersion: VERSION,
+            latestVersion: cache2.latestVersion,
+            releaseUrl: cache2.releaseUrl,
+            downloadUrl: cache2.downloadUrl,
+            cached: true
+          };
+        }
+        return null;
+      }
+    }
+    const response = await fetch("https://api.github.com/repos/spamscanner/spamscanner/releases/latest", {
+      headers: {
+        Accept: "application/vnd.github.v3+json",
+        "User-Agent": `spamscanner-cli/${VERSION}`
+      }
+    });
+    if (!response.ok) {
+      return null;
+    }
+    const release = await response.json();
+    const latestVersion = release.tag_name.replace(/^v/, "");
+    const binaryName = getBinaryName();
+    const asset = release.assets.find((a) => a.name === binaryName);
+    const downloadUrl = asset?.browser_download_url;
+    const cacheData = {
+      timestamp: Date.now(),
+      latestVersion,
+      releaseUrl: release.html_url,
+      downloadUrl
+    };
+    try {
+      if (!existsSync(UPDATE_CACHE_DIR)) {
+        mkdirSync(UPDATE_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(UPDATE_CACHE_FILE, JSON.stringify(cacheData, null, 2));
+    } catch {
+    }
+    if (compareVersions(latestVersion, VERSION) > 0) {
+      return {
+        currentVersion: VERSION,
+        latestVersion,
+        releaseUrl: release.html_url,
+        downloadUrl,
+        cached: false
+      };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function printUpdateNotification(force = false) {
+  const update = await checkForUpdates(force);
+  if (update) {
+    const { platform } = process2;
+    console.error("");
+    console.error("\u256D\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256E");
+    console.error(`\u2502  Update available: ${update.currentVersion} \u2192 ${update.latestVersion.padEnd(37)}\u2502`);
+    console.error("\u2502                                                             \u2502");
+    if (update.downloadUrl) {
+      console.error("\u2502  To update, run one of:                                     \u2502");
+      if (platform === "darwin") {
+        console.error("\u2502    curl -fsSL https://spamscanner.net/install.sh | sh      \u2502");
+      } else if (platform === "win32") {
+        console.error("\u2502    irm https://spamscanner.net/install.ps1 | iex           \u2502");
+      } else {
+        console.error("\u2502    curl -fsSL https://spamscanner.net/install.sh | sh      \u2502");
+      }
+      console.error("\u2502                                                             \u2502");
+      console.error("\u2502  Or download manually from:                                 \u2502");
+    } else {
+      console.error("\u2502  Download from:                                             \u2502");
+    }
+    console.error("\u2502    https://github.com/spamscanner/spamscanner/releases      \u2502");
+    console.error("\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256F");
+    console.error("");
+  }
+}
+function formatLanguageList() {
+  const entries = Object.entries(SUPPORTED_LANGUAGES);
+  const lines = [];
+  for (let i = 0; i < entries.length; i += 4) {
+    const chunk = entries.slice(i, i + 4);
+    const formatted = chunk.map(([code, name]) => `${code} (${name})`).join(", ");
+    lines.push(`    ${formatted}`);
+  }
+  return lines.join("\n");
+}
+var HELP_TEXT = `
+SpamScanner CLI v${VERSION}
+
+Usage:
+  spamscanner <command> [options]
+
+Commands:
+  scan <file>     Scan an email file for spam
+  scan -          Scan email from stdin
+  server          Start TCP server mode
+  update          Check for updates
+  help            Show this help message
+  version         Show version number
+
+General Options:
+  -h, --help      Show help
+  -v, --version   Show version
+  -j, --json      Output results as JSON
+  --verbose       Show detailed output
+  --debug         Enable debug mode
+  --timeout <ms>  Scan timeout in milliseconds (default: 30000)
+  --no-update-check  Disable automatic update check
+
+Spam Detection Options:
+  --threshold <score>     Spam score threshold (default: 5.0)
+  --check-classifier      Include Bayesian classifier in scoring (default: true)
+  --check-phishing        Include phishing detection in scoring (default: true)
+  --check-executables     Include executable detection in scoring (default: true)
+  --check-macros          Include macro detection in scoring (default: true)
+  --check-virus           Include virus detection in scoring (default: true)
+  --check-nsfw            Include NSFW detection in scoring (default: false)
+  --check-toxicity        Include toxicity detection in scoring (default: false)
+  --no-classifier         Disable Bayesian classifier scoring
+  --no-phishing           Disable phishing scoring
+  --no-executables        Disable executable scoring
+  --no-macros             Disable macro scoring
+  --no-virus              Disable virus scoring
+
+Score Weights (customize scoring):
+  --score-classifier <n>  Classifier spam score weight (default: 5.0)
+  --score-phishing <n>    Phishing score per issue (default: 5.0)
+  --score-executable <n>  Executable score per file (default: 10.0)
+  --score-macro <n>       Macro score per detection (default: 5.0)
+  --score-virus <n>       Virus score per detection (default: 100.0)
+  --score-nsfw <n>        NSFW score per detection (default: 3.0)
+  --score-toxicity <n>    Toxicity score per detection (default: 3.0)
+
+Scanner Configuration Options:
+  --languages <list>      Comma-separated list of supported language codes (default: all)
+                          Use empty string or 'all' for all languages
+  --mixed-language        Enable mixed language detection in emails
+  --no-macro-detection    Disable macro detection in attachments
+  --no-pattern-recognition  Disable advanced pattern recognition
+  --strict-idn            Enable strict IDN/homograph detection
+  --nsfw-threshold <n>    NSFW detection threshold 0.0-1.0 (default: 0.6)
+  --toxicity-threshold <n>  Toxicity detection threshold 0.0-1.0 (default: 0.7)
+  --clamscan-path <path>  Path to clamscan binary (default: /usr/bin/clamscan)
+  --clamdscan-path <path> Path to clamdscan binary (default: /usr/bin/clamdscan)
+
+Authentication Options (mailauth):
+  --enable-auth           Enable DKIM/SPF/ARC/DMARC/BIMI authentication
+  --sender-ip <ip>        Remote IP address of the sender (required for auth)
+  --sender-hostname <host>  Resolved hostname of the sender (from reverse DNS)
+  --helo <hostname>       HELO/EHLO hostname
+  --sender <email>        Envelope sender (MAIL FROM)
+  --mta <hostname>        MTA hostname for auth headers (default: spamscanner)
+  --auth-timeout <ms>     DNS lookup timeout for auth (default: 10000)
+
+Reputation Options (Forward Email API):
+  --enable-reputation     Enable Forward Email reputation checking
+  --reputation-url <url>  Custom reputation API URL
+  --reputation-timeout <ms>  Reputation API timeout (default: 10000)
+  --only-aligned          Only check aligned/authenticated attributes for reputation (default: true)
+  --no-only-aligned       Check all attributes regardless of alignment
+
+Header Options:
+  --add-headers           Add X-Spam-* headers to output (for mail server integration)
+  --add-auth-headers      Add Authentication-Results header to output
+  --prepend-subject       Prepend [SPAM] to subject if spam detected
+  --subject-tag <tag>     Custom subject tag (default: [SPAM])
+
+Server Options:
+  --port <port>   TCP server port (default: 7830)
+  --host <host>   TCP server host (default: 127.0.0.1)
+
+Supported Languages (use ISO 639-1 codes with --languages):
+${formatLanguageList()}
+
+Examples:
+  # Scan a file
+  spamscanner scan email.eml
+
+  # Scan from stdin (for Postfix integration)
+  cat email.eml | spamscanner scan -
+
+  # Scan with JSON output
+  spamscanner scan email.eml --json
+
+  # Scan with custom threshold
+  spamscanner scan email.eml --threshold 3.0
+
+  # Scan with only classifier and phishing checks
+  spamscanner scan email.eml --no-executables --no-macros --no-virus
+
+  # Scan and add spam headers (for mail server integration)
+  spamscanner scan email.eml --add-headers --prepend-subject
+
+  # Scan with specific language support
+  spamscanner scan email.eml --languages en,es,fr
+
+  # Scan with mixed language detection
+  spamscanner scan email.eml --mixed-language
+
+  # Start TCP server
+  spamscanner server --port 7830
+
+  # Scan with authentication (DKIM/SPF/DMARC)
+  spamscanner scan email.eml --enable-auth --sender-ip 192.168.1.1 --sender user@example.com
+
+  # Scan with reputation checking
+  spamscanner scan email.eml --enable-reputation
+
+  # Full mail server integration
+  spamscanner scan email.eml --enable-auth --enable-reputation --sender-ip 192.168.1.1 --add-headers --add-auth-headers
+
+  # Check for updates
+  spamscanner update
+
+Exit Codes:
+  0 - Clean (not spam)
+  1 - Spam detected
+  2 - Error occurred
+
+X-Spam Headers (when --add-headers is used):
+  X-Spam-Status: Yes/No, score=X.X required=Y.Y tests=TEST1,TEST2,...
+  X-Spam-Score: X.X
+  X-Spam-Flag: YES/NO
+  X-Spam-Tests: Comma-separated list of triggered tests
+`;
+function parseArgs(args) {
+  const result = {
+    command: null,
+    file: null,
+    json: false,
+    verbose: false,
+    debug: false,
+    port: 7830,
+    host: "127.0.0.1",
+    timeout: 3e4,
+    help: false,
+    version: false,
+    noUpdateCheck: false,
+    // Spam detection options
+    threshold: 5,
+    checkClassifier: true,
+    checkPhishing: true,
+    checkExecutables: true,
+    checkMacros: true,
+    checkVirus: true,
+    checkNsfw: false,
+    checkToxicity: false,
+    // Score weights
+    scores: { ...DEFAULT_SCORES },
+    // Header options
+    addHeaders: false,
+    prependSubject: false,
+    subjectTag: "[SPAM]",
+    // Scanner configuration options
+    supportedLanguages: [],
+    // Empty = all languages
+    enableMixedLanguageDetection: false,
+    enableMacroDetection: true,
+    enableAdvancedPatternRecognition: true,
+    strictIdnDetection: false,
+    nsfwThreshold: 0.6,
+    toxicityThreshold: 0.7,
+    clamscanPath: "/usr/bin/clamscan",
+    clamdscanPath: "/usr/bin/clamdscan",
+    // Authentication options
+    enableAuth: false,
+    senderIp: null,
+    senderHostname: null,
+    helo: null,
+    sender: null,
+    mta: "spamscanner",
+    authTimeout: 1e4,
+    // Reputation options
+    enableReputation: false,
+    reputationUrl: "https://api.forwardemail.net/v1/reputation",
+    reputationTimeout: 1e4,
+    onlyAligned: true,
+    // Additional header options
+    addAuthHeaders: false
+  };
+  for (let index = 0; index < args.length; index++) {
+    const arg = args[index];
+    switch (arg) {
+      case "scan":
+      case "server":
+      case "help":
+      case "version":
+      case "update": {
+        result.command = arg;
+        break;
+      }
+      case "-h":
+      case "--help": {
+        result.help = true;
+        break;
+      }
+      case "-v":
+      case "--version": {
+        result.version = true;
+        break;
+      }
+      case "-j":
+      case "--json": {
+        result.json = true;
+        break;
+      }
+      case "--verbose": {
+        result.verbose = true;
+        break;
+      }
+      case "--debug": {
+        result.debug = true;
+        break;
+      }
+      case "--no-update-check": {
+        result.noUpdateCheck = true;
+        break;
+      }
+      case "--port": {
+        result.port = Number.parseInt(args[++index], 10);
+        break;
+      }
+      case "--host": {
+        result.host = args[++index];
+        break;
+      }
+      case "--timeout": {
+        result.timeout = Number.parseInt(args[++index], 10);
+        break;
+      }
+      // Spam detection options
+      case "--threshold": {
+        result.threshold = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--check-classifier": {
+        result.checkClassifier = true;
+        break;
+      }
+      case "--check-phishing": {
+        result.checkPhishing = true;
+        break;
+      }
+      case "--check-executables": {
+        result.checkExecutables = true;
+        break;
+      }
+      case "--check-macros": {
+        result.checkMacros = true;
+        break;
+      }
+      case "--check-virus": {
+        result.checkVirus = true;
+        break;
+      }
+      case "--check-nsfw": {
+        result.checkNsfw = true;
+        break;
+      }
+      case "--check-toxicity": {
+        result.checkToxicity = true;
+        break;
+      }
+      case "--no-classifier": {
+        result.checkClassifier = false;
+        break;
+      }
+      case "--no-phishing": {
+        result.checkPhishing = false;
+        break;
+      }
+      case "--no-executables": {
+        result.checkExecutables = false;
+        break;
+      }
+      case "--no-macros": {
+        result.checkMacros = false;
+        break;
+      }
+      case "--no-virus": {
+        result.checkVirus = false;
+        break;
+      }
+      // Score weights
+      case "--score-classifier": {
+        result.scores.classifier = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--score-phishing": {
+        result.scores.phishing = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--score-executable": {
+        result.scores.executable = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--score-macro": {
+        result.scores.macro = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--score-virus": {
+        result.scores.virus = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--score-nsfw": {
+        result.scores.nsfw = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--score-toxicity": {
+        result.scores.toxicity = Number.parseFloat(args[++index]);
+        break;
+      }
+      // Header options
+      case "--add-headers": {
+        result.addHeaders = true;
+        break;
+      }
+      case "--prepend-subject": {
+        result.prependSubject = true;
+        break;
+      }
+      case "--subject-tag": {
+        result.subjectTag = args[++index];
+        break;
+      }
+      // Scanner configuration options
+      case "--languages": {
+        const langArg = args[++index];
+        result.supportedLanguages = langArg && langArg !== "all" && langArg !== "" ? langArg.split(",").map((l) => l.trim().toLowerCase()) : [];
+        break;
+      }
+      case "--mixed-language": {
+        result.enableMixedLanguageDetection = true;
+        break;
+      }
+      case "--no-macro-detection": {
+        result.enableMacroDetection = false;
+        break;
+      }
+      case "--no-pattern-recognition": {
+        result.enableAdvancedPatternRecognition = false;
+        break;
+      }
+      case "--strict-idn": {
+        result.strictIdnDetection = true;
+        break;
+      }
+      case "--nsfw-threshold": {
+        result.nsfwThreshold = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--toxicity-threshold": {
+        result.toxicityThreshold = Number.parseFloat(args[++index]);
+        break;
+      }
+      case "--clamscan-path": {
+        result.clamscanPath = args[++index];
+        break;
+      }
+      case "--clamdscan-path": {
+        result.clamdscanPath = args[++index];
+        break;
+      }
+      // Authentication options
+      case "--enable-auth": {
+        result.enableAuth = true;
+        break;
+      }
+      case "--sender-ip": {
+        result.senderIp = args[++index];
+        break;
+      }
+      case "--sender-hostname": {
+        result.senderHostname = args[++index];
+        break;
+      }
+      case "--helo": {
+        result.helo = args[++index];
+        break;
+      }
+      case "--sender": {
+        result.sender = args[++index];
+        break;
+      }
+      case "--mta": {
+        result.mta = args[++index];
+        break;
+      }
+      case "--auth-timeout": {
+        result.authTimeout = Number.parseInt(args[++index], 10);
+        break;
+      }
+      // Reputation options
+      case "--enable-reputation": {
+        result.enableReputation = true;
+        break;
+      }
+      case "--reputation-url": {
+        result.reputationUrl = args[++index];
+        break;
+      }
+      case "--reputation-timeout": {
+        result.reputationTimeout = Number.parseInt(args[++index], 10);
+        break;
+      }
+      case "--only-aligned": {
+        result.onlyAligned = true;
+        break;
+      }
+      case "--no-only-aligned": {
+        result.onlyAligned = false;
+        break;
+      }
+      // Additional header options
+      case "--add-auth-headers": {
+        result.addAuthHeaders = true;
+        break;
+      }
+      default: {
+        if (!result.file && result.command === "scan" && (arg === "-" || !arg.startsWith("-"))) {
+          result.file = arg;
+        }
+      }
+    }
+  }
+  return result;
+}
+async function readEmail(file) {
+  if (file === "-") {
+    const chunks2 = [];
+    for await (const chunk of process2.stdin) {
+      chunks2.push(chunk);
+    }
+    return Buffer4.concat(chunks2);
+  }
+  const chunks = [];
+  const stream = createReadStream(file);
+  for await (const chunk of stream) {
+    chunks.push(chunk);
+  }
+  return Buffer4.concat(chunks);
+}
+function calculateScore(result, options) {
+  const { scores } = options;
+  const tests = [];
+  let totalScore = 0;
+  if (options.checkClassifier && result.results?.classification) {
+    const { category, probability } = result.results.classification;
+    if (category === "spam") {
+      const scaledScore = scores.classifier * Math.max(0, (probability - 0.5) * 2);
+      totalScore += scaledScore;
+      tests.push(`BAYES_SPAM(${scaledScore.toFixed(1)})`);
+    } else if (category === "ham" && probability > 0.8) {
+      const hamBonus = -1 * (probability - 0.8) * 5;
+      totalScore += hamBonus;
+      tests.push(`BAYES_HAM(${hamBonus.toFixed(1)})`);
+    }
+  }
+  if (options.checkPhishing && result.results?.phishing?.length > 0) {
+    const phishingScore = result.results.phishing.length * scores.phishing;
+    totalScore += phishingScore;
+    tests.push(`PHISHING_DETECTED(${phishingScore.toFixed(1)})`);
+  }
+  if (options.checkExecutables && result.results?.executables?.length > 0) {
+    const execScore = result.results.executables.length * scores.executable;
+    totalScore += execScore;
+    tests.push(`EXECUTABLE_ATTACHMENT(${execScore.toFixed(1)})`);
+  }
+  if (options.checkMacros && result.results?.macros?.length > 0) {
+    const macroScore = result.results.macros.length * scores.macro;
+    totalScore += macroScore;
+    tests.push(`MACRO_DETECTED(${macroScore.toFixed(1)})`);
+  }
+  if (options.checkVirus && result.results?.viruses?.length > 0) {
+    const virusScore = result.results.viruses.length * scores.virus;
+    totalScore += virusScore;
+    tests.push(`VIRUS_DETECTED(${virusScore.toFixed(1)})`);
+  }
+  if (options.checkNsfw && result.results?.nsfw?.length > 0) {
+    const nsfwScore = result.results.nsfw.length * scores.nsfw;
+    totalScore += nsfwScore;
+    tests.push(`NSFW_CONTENT(${nsfwScore.toFixed(1)})`);
+  }
+  if (options.checkToxicity && result.results?.toxicity?.length > 0) {
+    const toxicScore = result.results.toxicity.length * scores.toxicity;
+    totalScore += toxicScore;
+    tests.push(`TOXIC_CONTENT(${toxicScore.toFixed(1)})`);
+  }
+  if (result.results?.authentication?.score) {
+    const authScore = result.results.authentication.score;
+    totalScore += authScore.score;
+    tests.push(...authScore.tests);
+  }
+  if (result.results?.reputation) {
+    const rep = result.results.reputation;
+    if (rep.isDenylisted) {
+      totalScore += 10;
+      tests.push("DENYLISTED(10.0)");
+    }
+    if (rep.isTruthSource) {
+      totalScore -= 5;
+      tests.push("TRUTH_SOURCE(-5.0)");
+    } else if (rep.isAllowlisted) {
+      totalScore -= 3;
+      tests.push("ALLOWLISTED(-3.0)");
+    }
+  }
+  let isSpam = totalScore >= options.threshold;
+  if (result.results?.reputation) {
+    const rep = result.results.reputation;
+    if (rep.isDenylisted) {
+      isSpam = true;
+    } else if ((rep.isTruthSource || rep.isAllowlisted) && !result.results?.viruses?.length && !result.results?.executables?.length) {
+      isSpam = false;
+    }
+  }
+  return {
+    score: totalScore,
+    threshold: options.threshold,
+    isSpam,
+    tests
+  };
+}
+function generateSpamHeaders(scoreDetails) {
+  const { score, threshold, isSpam, tests } = scoreDetails;
+  const status = isSpam ? "Yes" : "No";
+  const flag = isSpam ? "YES" : "NO";
+  return {
+    "X-Spam-Status": `${status}, score=${score.toFixed(1)} required=${threshold.toFixed(1)} tests=${tests.join(",")} version=${VERSION}`,
+    "X-Spam-Score": score.toFixed(1),
+    "X-Spam-Flag": flag,
+    "X-Spam-Tests": tests.join(", ")
+  };
+}
+function modifyEmail(emailContent, options, scoreDetails, authResultsHeader = null) {
+  const emailString = emailContent.toString("utf8");
+  const headers = generateSpamHeaders(scoreDetails);
+  if (options.addAuthHeaders && authResultsHeader) {
+    headers["Authentication-Results"] = authResultsHeader;
+  }
+  const headerEndMatch = emailString.match(/\r?\n\r?\n/);
+  if (!headerEndMatch) {
+    return emailString + "\r\n" + Object.entries(headers).map(([key, value]) => `${key}: ${value}`).join("\r\n");
+  }
+  const headerEndIndex = headerEndMatch.index;
+  const lineEnding = headerEndMatch[0].startsWith("\r\n") ? "\r\n" : "\n";
+  const headerPart = emailString.slice(0, headerEndIndex);
+  const bodyPart = emailString.slice(headerEndIndex);
+  let newHeaders = headerPart;
+  if (options.addHeaders) {
+    const headerLines = Object.entries(headers).map(([key, value]) => `${key}: ${value}`).join(lineEnding);
+    newHeaders = headerPart + lineEnding + headerLines;
+  }
+  if (options.prependSubject && scoreDetails.isSpam) {
+    const subjectMatch = newHeaders.match(/^(subject:\s*)(.*)$/im);
+    if (subjectMatch) {
+      const [fullMatch, prefix, subject] = subjectMatch;
+      if (!subject.startsWith(options.subjectTag)) {
+        const newSubject = `${prefix}${options.subjectTag} ${subject}`;
+        newHeaders = newHeaders.replace(fullMatch, newSubject);
+      }
+    }
+  }
+  return newHeaders + bodyPart;
+}
+function formatResult(result, scoreDetails, verbose) {
+  const lines = [];
+  const { score, threshold, isSpam, tests } = scoreDetails;
+  if (isSpam) {
+    lines.push(`SPAM DETECTED (score: ${score.toFixed(1)}, threshold: ${threshold.toFixed(1)})`);
+  } else {
+    lines.push(`Clean (score: ${score.toFixed(1)}, threshold: ${threshold.toFixed(1)})`);
+  }
+  if (tests.length > 0) {
+    lines.push(`Tests: ${tests.join(", ")}`);
+  }
+  if (verbose) {
+    lines.push("", "Details:");
+    if (result.results?.classification) {
+      const prob = (result.results.classification.probability * 100).toFixed(1);
+      lines.push(`  Classification: ${result.results.classification.category} (${prob}%)`);
+    }
+    if (result.results?.phishing?.length > 0) {
+      lines.push(`  Phishing: ${result.results.phishing.length} issue(s) detected`);
+      for (const issue of result.results.phishing) {
+        lines.push(`    - ${issue.type}: ${issue.description || issue.message || "N/A"}`);
+      }
+    }
+    if (result.results?.executables?.length > 0) {
+      lines.push(`  Executables: ${result.results.executables.length} dangerous file(s) detected`);
+      for (const exec of result.results.executables) {
+        lines.push(`    - ${exec.filename || exec.extension || "Unknown"}`);
+      }
+    }
+    if (result.results?.viruses?.length > 0) {
+      lines.push(`  Viruses: ${result.results.viruses.length} virus(es) detected`);
+      for (const virus of result.results.viruses) {
+        lines.push(`    - ${virus.name || virus.message || "Unknown"}`);
+      }
+    }
+    if (result.results?.macros?.length > 0) {
+      lines.push(`  Macros: ${result.results.macros.length} macro(s) detected`);
+    }
+    if (result.results?.toxicity?.length > 0) {
+      lines.push(`  Toxicity: ${result.results.toxicity.length} toxic content detected`);
+    }
+    if (result.results?.nsfw?.length > 0) {
+      lines.push(`  NSFW: ${result.results.nsfw.length} NSFW content detected`);
+    }
+    if (result.results?.authentication) {
+      const auth = result.results.authentication;
+      lines.push("", "  Authentication:");
+      if (auth.dkim?.status?.result) {
+        lines.push(`    DKIM: ${auth.dkim.status.result}`);
+      }
+      if (auth.spf?.status?.result) {
+        lines.push(`    SPF: ${auth.spf.status.result}`);
+      }
+      if (auth.dmarc?.status?.result) {
+        lines.push(`    DMARC: ${auth.dmarc.status.result}`);
+      }
+      if (auth.arc?.status?.result) {
+        lines.push(`    ARC: ${auth.arc.status.result}`);
+      }
+    }
+    if (result.results?.reputation) {
+      const rep = result.results.reputation;
+      lines.push("", "  Reputation:");
+      if (rep.isTruthSource) {
+        lines.push("    Status: Truth Source");
+      } else if (rep.isAllowlisted) {
+        lines.push(`    Status: Allowlisted (${rep.allowlistValue || "N/A"})`);
+      } else if (rep.isDenylisted) {
+        lines.push(`    Status: DENYLISTED (${rep.denylistValue || "N/A"})`);
+      } else {
+        lines.push("    Status: Unknown");
+      }
+      if (rep.checkedValues?.length > 0) {
+        lines.push(`    Checked: ${rep.checkedValues.join(", ")}`);
+      }
+    }
+  }
+  return lines.join("\n");
+}
+function buildScannerConfig(options) {
+  return {
+    debug: options.debug,
+    timeout: options.timeout,
+    supportedLanguages: options.supportedLanguages,
+    enableMixedLanguageDetection: options.enableMixedLanguageDetection,
+    enableMacroDetection: options.enableMacroDetection,
+    enableAdvancedPatternRecognition: options.enableAdvancedPatternRecognition,
+    strictIDNDetection: options.strictIdnDetection,
+    nsfwThreshold: options.nsfwThreshold,
+    toxicityThreshold: options.toxicityThreshold,
+    clamscan: {
+      clamscanPath: options.clamscanPath,
+      clamdscanPath: options.clamdscanPath
+    },
+    // Authentication options
+    enableAuthentication: options.enableAuth,
+    authOptions: {
+      ip: options.senderIp,
+      hostname: options.senderHostname,
+      helo: options.helo,
+      mta: options.mta,
+      sender: options.sender,
+      timeout: options.authTimeout
+    },
+    // Reputation options
+    enableReputation: options.enableReputation,
+    reputationOptions: {
+      apiUrl: options.reputationUrl,
+      timeout: options.reputationTimeout,
+      onlyAligned: options.onlyAligned
+    }
+  };
+}
+async function scanCommand(options) {
+  const { file, json, verbose, addHeaders, prependSubject } = options;
+  if (!file) {
+    console.error('Error: No file specified. Use "spamscanner scan <file>" or "spamscanner scan -" for stdin.');
+    process2.exit(2);
+  }
+  try {
+    if (file !== "-") {
+      try {
+        readFileSync3(file);
+      } catch {
+        console.error(`Error: File not found: ${file}`);
+        process2.exit(2);
+      }
+    }
+    const scannerConfig = buildScannerConfig(options);
+    const scanner = new index_default(scannerConfig);
+    const emailContent = await readEmail(file);
+    const result = await scanner.scan(emailContent);
+    const scoreDetails = calculateScore(result, options);
+    const output = {
+      isSpam: scoreDetails.isSpam,
+      score: scoreDetails.score,
+      threshold: scoreDetails.threshold,
+      tests: scoreDetails.tests,
+      message: result.message,
+      results: result.results,
+      links: result.links,
+      tokens: result.tokens,
+      mail: result.mail
+    };
+    if (addHeaders || prependSubject || options.addAuthHeaders) {
+      output.headers = generateSpamHeaders(scoreDetails);
+      const authResultsHeader = result.results?.authentication?.authResultsHeader || null;
+      output.modifiedEmail = modifyEmail(emailContent, options, scoreDetails, authResultsHeader);
+    }
+    if (json) {
+      console.log(JSON.stringify(output, null, 2));
+    } else if (addHeaders || prependSubject || options.addAuthHeaders) {
+      console.log(output.modifiedEmail);
+    } else {
+      console.log(formatResult(result, scoreDetails, verbose));
+    }
+    process2.exit(scoreDetails.isSpam ? 1 : 0);
+  } catch (error) {
+    console.error(`Error scanning email: ${error.message}`);
+    if (options.debug) {
+      console.error(error.stack);
+    }
+    process2.exit(2);
+  }
+}
+async function serverCommand(options) {
+  const { port, host, json, verbose, debug: debug8 } = options;
+  const scannerConfig = buildScannerConfig(options);
+  const scanner = new index_default(scannerConfig);
+  const server = createServer((socket) => {
+    const chunks = [];
+    socket.on("data", (chunk) => {
+      chunks.push(chunk);
+    });
+    socket.on("end", async () => {
+      try {
+        const emailContent = Buffer4.concat(chunks);
+        const result = await scanner.scan(emailContent);
+        const scoreDetails = calculateScore(result, options);
+        const output = {
+          isSpam: scoreDetails.isSpam,
+          score: scoreDetails.score,
+          threshold: scoreDetails.threshold,
+          tests: scoreDetails.tests,
+          message: result.message
+        };
+        if (options.addHeaders) {
+          output.headers = generateSpamHeaders(scoreDetails);
+        }
+        if (json) {
+          socket.write(JSON.stringify(output));
+        } else {
+          socket.write(formatResult(result, scoreDetails, verbose));
+        }
+      } catch (error) {
+        const errorResponse = json ? JSON.stringify({ error: error.message }) : `Error: ${error.message}`;
+        socket.write(errorResponse);
+        if (debug8) {
+          console.error(error.stack);
+        }
+      }
+      socket.end();
+    });
+    socket.on("error", (error) => {
+      console.error(`Socket error: ${error.message}`);
+    });
+  });
+  server.listen(port, host, () => {
+    console.log(`SpamScanner TCP server listening on ${host}:${port}`);
+    console.log("Send email content to scan, close connection to receive results.");
+    console.log("Press Ctrl+C to stop.");
+  });
+  server.on("error", (error) => {
+    console.error(`Server error: ${error.message}`);
+    process2.exit(2);
+  });
+}
+async function main() {
+  const args = process2.argv.slice(2);
+  const options = parseArgs(args);
+  if (options.help) {
+    console.log(HELP_TEXT);
+    process2.exit(0);
+  }
+  if (options.version) {
+    console.log(`SpamScanner v${VERSION}`);
+    process2.exit(0);
+  }
+  if (!options.noUpdateCheck && options.command !== "update") {
+    void printUpdateNotification().catch(() => {
+    });
+  }
+  switch (options.command) {
+    case "scan": {
+      await scanCommand(options);
+      break;
+    }
+    case "server": {
+      await serverCommand(options);
+      break;
+    }
+    case "update": {
+      console.log(`SpamScanner v${VERSION}`);
+      console.log("Checking for updates...");
+      const update = await checkForUpdates(true);
+      if (update) {
+        console.log(`New version available: ${update.latestVersion}`);
+        console.log(`Download from: ${update.releaseUrl}`);
+        if (update.downloadUrl) {
+          console.log(`Direct download: ${update.downloadUrl}`);
+        }
+      } else {
+        console.log("You are running the latest version.");
+      }
+      process2.exit(0);
+      break;
+    }
+    case "help": {
+      console.log(HELP_TEXT);
+      process2.exit(0);
+      break;
+    }
+    case "version": {
+      console.log(`SpamScanner v${VERSION}`);
+      process2.exit(0);
+      break;
+    }
+    default: {
+      console.error('Unknown command. Use "spamscanner help" for usage information.');
+      process2.exit(2);
+    }
+  }
+}
+main().catch((error) => {
+  console.error(`Fatal error: ${error.message}`);
+  process2.exit(2);
+});
+//# sourceMappingURL=cli.js.map