## Fix Summary
The fix prevents prototype-pollution-based DoS in `Header.parse()` by hardening header storage and key handling in `index.js`. Specifically, internal header maps were changed from plain objects to prototype-less objects (`Object.create(null)`), and dangerous keys (`__proto__`, `constructor`, `prototype`) are explicitly ignored in both `_add_header()` and `_add_header_decode()`. This prevents `Object.prototype` access and blocks known pollution primitives while preserving normal header parsing behavior.

## Changes Made
- `index.js`
  - `this.headers = {}` → `this.headers = Object.create(null)`
  - `this.headers_decoded = {}` → `this.headers_decoded = Object.create(null)`
  - Added guard in `_add_header()`:
    - `if (key === "__proto__" || key === "constructor" || key === "prototype") return;`
  - Added guard in `_add_header_decode()`:
    - `if (key === "__proto__" || key === "constructor" || key === "prototype") return;`

## Verification Steps
1. Created verification script: `coding/verify_fix.sh`.
2. Executed verification script end-to-end:
   - Installs vulnerable baseline: `haraka-email-message@1.2.0`
   - Confirms vulnerability is reproducible before patch (`__proto__` causes TypeError)
   - Applies `coding/proposed_fix.diff` with `patch -p1`
   - Re-runs tests to confirm crash is eliminated and functionality remains intact
3. Command run:
   - `./coding/verify_fix.sh`
4. Key output evidence:
   - `Vulnerable behavior confirmed: this.headers[key][method] is not a function`
   - `Patched behavior confirmed: no crash and normal parsing preserved`
   - `Verification successful`
5. Full log captured at: `coding/verify_fix.log`

## Test Results
- Baseline (vulnerable) test: **PASS** (vulnerability reproduced)
- Patched test (`__proto__` payload): **PASS** (no crash)
- Regression test (normal headers parse/get): **PASS**
- Edge-case hardening tests:
  - `__PROTO__`: **PASS** (no crash)
  - `constructor`: **PASS** (no crash)
  - `prototype`: **PASS** (no crash)

## Remaining Concerns
- This patch targets the confirmed header-key prototype-pollution DoS vector in `Header`.
- Additional security regression tests should be kept in CI to prevent future reintroduction of unsafe object-key handling.