fix(date): force UTC formatting under virtual clock modes

[chaliy]

Motivation

• Virtual-clock modes (fixed_epoch / epoch_offset) were intended to blind absolute wall-clock information for TM-INF-018, but final formatting still used the host Local timezone when -u was not supplied, permitting timezone fingerprinting.
• Ensure the TM-INF-018 mitigation actually prevents host timezone leaks while preserving existing behavior for normal (non-virtual) clocks.

Description

• Compute a virtualized_clock flag and a force_utc value in Date::execute that is true when -u, epoch input, or a virtual clock mode is active.
• Change RFC 2822 and ISO-8601 formatting helpers to accept a force_utc parameter and use it to avoid converting the virtual UTC timestamp through chrono::Local.
• Use force_utc for the -R, -I*, and +FORMAT (default/custom) output paths so timezone-bearing formats (%z, %Z, -R, -Iseconds) emit UTC when the clock is virtualized.
• Add targeted TM-INF-018 regression tests in tests/threat_model_tests.rs that assert fixed_epoch returns +0000 for date +%z and epoch_offset ends RFC 2822 output with +0000.

Testing

• Ran cargo test --test threat_model_tests tm_inf_018_date, which executed the relevant tests and reported all tests passed (6 passed).
• The change compiles as part of the test run (full test binary build completed during testing).

---

Codex Task

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	bashkit	4f18b49	Commit Preview URL	May 19 2026, 09:12 AM