feat: add seal-only mode to the seal CLI command#119
Open
hathaway wants to merge 1 commit into
Open
Conversation
Add --auth-results, --auth-results-file, --cv and --instance options to the seal CLI command. When an Authentication-Results value is provided, the message is sealed with it as-is via sealMessage() instead of being re-authenticated, performing no DNS lookups. Useful when the message was authenticated at an edge MTA and modified before sealing. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The library already supports the documented "authenticate first, modify, then seal" pattern via
sealMessage(message, { ..., authResults, cv }), but thesealCLI command always re-authenticates the message internally viaauthenticate(). That recomputed verdict is wrong when the message has been modified after the original authentication (e.g. an MTA that verified the pristine inbound message, then injected banners or rewrote MIME before relaying).This PR exposes the existing library capability on the CLI: new opt-in options let
mailauth sealembed a caller-providedAuthentication-Resultsvalue and seal without performing any authentication checks or DNS lookups.New options on
mailauth seal--auth-results <value>—Authentication-Resultsvalue to embed inARC-Authentication-Results(the part afteri=N;), used as-is--auth-results-file <path>— same, read from a file (convenient for long/folded values); conflicts with--auth-results--cv <none|pass|fail>— chain validation status for theARC-Sealcv=tag, defaults tonone--instance <n>— explicit ARC instance number; defaults to the next instance from any existing chain, or 1When either auth-results option is set, the handler calls
sealMessage()directly. The stdout contract is unchanged: the threeARC-*headers, then the message body unless--headers-onlyis set. All new flags are long-only to avoid clashing with the existing short aliases.Backward compatibility
Without the new options the command runs the existing
authenticate()-and-seal path unchanged — the new mode is strictly opt-in. No library code is touched; onlylib/commands/seal.js, the yargs builder inbin/mailauth.js, andcli.md.Tests
New CLI tests (
test/commands/seal-test.js) spawn the real binary with a preload script (test/fixtures/deny-dns.js) that intercepts everydns.promisesresolver and reports any lookup, proving the seal-only path is fully offline:ARC-Authentication-Resultsechoes the supplied value verbatim (inline and from file) with zero DNS lookupsauthenticate()with a mock resolver validates the chain asarc=passcv=pass--instanceis honored--auth-resultsand--auth-results-filetogether is rejected--dns-cache)Full suite passes (682 tests), lint clean.
🤖 Generated with Claude Code