@blamejs/blamejs-shop 0.3.69 → 0.3.71

package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-unseal-rate-cap.test.js

@@ -0,0 +1,176 @@
+"use strict";
+/**
+ * b.cryptoField unseal-failure rate cap (CWE-307).
+ *
+ * A DB-write attacker who can write `vault:<crafted>` / `vault.aad:<…>`
+ * payloads to sealed columns can force KEM-decapsulation / AEAD-verify on
+ * attacker-controlled bytes on every read. unsealRow already nulls the
+ * field + emits system.crypto.unseal_failed, but absent a cap the oracle
+ * can be hammered indefinitely. configureUnsealRateCap adds an opt-in
+ * per-(actor, table, column) sliding-window failure cap: past `threshold`
+ * failures inside `windowMs`, further unseal attempts for that tuple are
+ * refused for `cooldownMs` with a typed CryptoFieldRateError + a distinct
+ * system.crypto.unseal_rate_exceeded audit.
+ *
+ * Every window / cooldown assertion drives an INJECTED clock — no real
+ * sleeps — so the test is deterministic on contended runners.
+ */
+
+var helpers = require("../helpers");
+var b     = helpers.b;
+var check = helpers.check;
+var fs   = require("fs");
+var os   = require("os");
+var path = require("path");
+
+// A value that is shaped like an AAD-sealed envelope but is garbage —
+// vaultAad.unseal throws on it, driving unsealRow's catch path.
+var FORGED = "vault.aad:Zm9yZ2VkLWdhcmJhZ2U=";
+
+async function run() {
+  var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-cf-ratecap-"));
+  await b.vault.init({ mode: "plaintext", dataDir: dir });
+
+  b.cryptoField.registerTable("cf_ratecap", {
+    sealedFields: ["secret", "other"], aad: true, rowIdField: "id",
+  });
+
+  // ---- config-time validation (THROW tier) ----
+  function throws(re, fn) {
+    try { fn(); return false; } catch (e) { return re.test(e.message); }
+  }
+  check("bad threshold (0) throws",
+    throws(/threshold must be/, function () { b.cryptoField.configureUnsealRateCap({ threshold: 0 }); }));
+  check("bad threshold (Infinity) throws",
+    throws(/threshold must be/, function () { b.cryptoField.configureUnsealRateCap({ threshold: Infinity }); }));
+  check("bad threshold (float) throws",
+    throws(/threshold must be/, function () { b.cryptoField.configureUnsealRateCap({ threshold: 2.5 }); }));
+  check("bad windowMs throws",
+    throws(/windowMs must be/, function () { b.cryptoField.configureUnsealRateCap({ threshold: 3, windowMs: -1 }); }));
+  check("bad cooldownMs throws",
+    throws(/cooldownMs must be/, function () { b.cryptoField.configureUnsealRateCap({ threshold: 3, cooldownMs: 0 }); }));
+  check("bad now (not a function) throws",
+    throws(/now must be/, function () { b.cryptoField.configureUnsealRateCap({ threshold: 3, now: 5 }); }));
+  check("bad onAudit (not a function) throws",
+    throws(/onAudit must be/, function () { b.cryptoField.configureUnsealRateCap({ threshold: 3, onAudit: "x" }); }));
+  check("unknown opt key throws",
+    throws(/unknown|allowed|cryptoField.configureUnsealRateCap/i,
+      function () { b.cryptoField.configureUnsealRateCap({ threshold: 3, bogus: 1 }); }));
+
+  // ---- default OFF: unconfigured unsealRow is audit-only, never throws ----
+  b.cryptoField.clearRateCapForTest();
+  var offThrew = false;
+  for (var k = 0; k < 50; k++) {
+    try { b.cryptoField.unsealRow("cf_ratecap", { id: "r1", secret: FORGED }, "attacker"); }
+    catch (_e) { offThrew = true; }
+  }
+  check("cap default-off: 50 forged unseals never throw (back-compat)", offThrew === false);
+
+  // ---- injected clock + audit sink ----
+  var nowMs = 1000000;
+  function clock() { return nowMs; }
+  var audits = [];
+  b.cryptoField.configureUnsealRateCap({
+    threshold: 3, windowMs: 60000, cooldownMs: 300000,
+    now: clock,
+    onAudit: function (ev) { audits.push(ev); },
+  });
+
+  // The first `threshold-1` forged unseals null the field but do NOT trip.
+  var r1 = { id: "r1", secret: FORGED };
+  check("forged unseal #1 nulls field, no throw",
+    b.cryptoField.unsealRow("cf_ratecap", r1, "attacker").secret === null);
+  check("forged unseal #2 nulls field, no throw",
+    b.cryptoField.unsealRow("cf_ratecap", r1, "attacker").secret === null);
+  check("no rate audit before threshold reached", audits.length === 0);
+
+  // The 3rd failure (== threshold) trips the cap: it still returns (nulls
+  // the field) AND arms the cooldown + emits the distinct audit once.
+  var third = b.cryptoField.unsealRow("cf_ratecap", r1, "attacker");
+  check("threshold-th forged unseal still returns (field nulled)", third.secret === null);
+  check("rate-exceeded audit emitted once on the trip transition", audits.length === 1);
+  check("rate audit action is system.crypto.unseal_rate_exceeded",
+    audits[0].action === "system.crypto.unseal_rate_exceeded");
+  check("rate audit outcome is denied", audits[0].outcome === "denied");
+  check("rate audit carries the tuple + caps",
+    audits[0].metadata.table === "cf_ratecap" &&
+    audits[0].metadata.field === "secret" &&
+    audits[0].metadata.actor === "attacker" &&
+    audits[0].metadata.threshold === 3);
+
+  // Now in cooldown: the NEXT unseal of that tuple is REFUSED with the
+  // typed error (oracle no longer exercised), and re-emits the audit.
+  var refused = false, refusedCode = null;
+  try { b.cryptoField.unsealRow("cf_ratecap", { id: "r1", secret: FORGED }, "attacker"); }
+  catch (e) { refused = true; refusedCode = e.code; }
+  check("cooldown refuses further unseal with a throw", refused === true);
+  check("refusal is CryptoFieldRateError typed code",
+    refusedCode === "crypto-field/unseal-rate-exceeded");
+  check("refusal instanceof CryptoFieldRateError",
+    (function () {
+      try { b.cryptoField.unsealRow("cf_ratecap", { id: "r1", secret: FORGED }, "attacker"); return false; }
+      catch (e) { return e instanceof b.cryptoField.CryptoFieldRateError; }
+    })());
+  check("each cooldown refusal re-emits the rate audit", audits.length >= 3);
+
+  // ---- per-tuple isolation: a DIFFERENT column for the same actor is
+  // unaffected (its own window is independent). ----
+  var otherCol = b.cryptoField.unsealRow("cf_ratecap", { id: "r9", other: FORGED }, "attacker");
+  check("different column for same actor is not in cooldown (nulls, no throw)",
+    otherCol.other === null);
+
+  // A DIFFERENT actor on the same column is likewise independent.
+  var otherActor = b.cryptoField.unsealRow("cf_ratecap", { id: "r9", secret: FORGED }, "honest-user");
+  check("different actor on same column is not in cooldown (nulls, no throw)",
+    otherActor.secret === null);
+
+  // ---- cooldown expiry: advance the injected clock past cooldownMs;
+  // the tuple unseals normally again (a valid round-trip succeeds). ----
+  nowMs += 300000 + 1;
+  var validRow = b.cryptoField.sealRow("cf_ratecap", { id: "rok", secret: "plaintext-ok" });
+  check("after cooldown expiry a VALID unseal succeeds again",
+    b.cryptoField.unsealRow("cf_ratecap", validRow, "attacker").secret === "plaintext-ok");
+
+  // ---- sliding window: re-arm a fresh cap; two failures, then advance
+  // the clock past the window, then one more failure → still under
+  // threshold (the first two slid out), so NO trip. ----
+  audits.length = 0;
+  nowMs = 5000000;
+  b.cryptoField.configureUnsealRateCap({
+    threshold: 3, windowMs: 60000, cooldownMs: 300000,
+    now: clock,
+    onAudit: function (ev) { audits.push(ev); },
+  });
+  b.cryptoField.unsealRow("cf_ratecap", { id: "w1", secret: FORGED }, "slider");
+  b.cryptoField.unsealRow("cf_ratecap", { id: "w1", secret: FORGED }, "slider");
+  nowMs += 60000 + 1;                          // both prior failures slide out of the window
+  var afterSlide = b.cryptoField.unsealRow("cf_ratecap", { id: "w1", secret: FORGED }, "slider");
+  check("sliding window: failures older than windowMs do not count toward threshold",
+    afterSlide.secret === null && audits.length === 0);
+
+  // Two MORE failures inside the new window DO trip (1 surviving + 2 new
+  // = 3 == threshold).
+  b.cryptoField.unsealRow("cf_ratecap", { id: "w1", secret: FORGED }, "slider");
+  b.cryptoField.unsealRow("cf_ratecap", { id: "w1", secret: FORGED }, "slider");
+  check("three failures within one window trip the cap", audits.length === 1);
+
+  // ---- disable path: configureUnsealRateCap(null) restores audit-only ----
+  b.cryptoField.configureUnsealRateCap(null);
+  var afterDisable = false;
+  try { b.cryptoField.unsealRow("cf_ratecap", { id: "w1", secret: FORGED }, "slider"); }
+  catch (_e) { afterDisable = true; }
+  check("configureUnsealRateCap(null) turns the cap back off (no throw)", afterDisable === false);
+
+  b.cryptoField.clearRateCapForTest();
+  console.log("OK — crypto-field unseal-rate-cap tests");
+}
+
+module.exports = { run: run };
+if (require.main === module) {
+  // Rethrow on failure so Node surfaces the error and exits non-zero,
+  // instead of logging the caught error object (a taint analyzer would
+  // trace a logged error back to a fixture and raise a false clear-text-
+  // logging alert).
+  run().then(function () { process.exit(0); })
+       .catch(function (err) { process.exitCode = 1; throw err; });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/csp-report.test.js

@@ -38,6 +38,92 @@ async function run() {
   testOnRejectRejectsNonFunction();
   await testValidPostReachesOnReport();
   await testOversizedPostRefused();
+  await testAuditDefaultEmitsViolationRow();
+  await testAuditFalseSuppressesViolationRow();
+  testMaxBytesGarbageThrowsAtCreate();
+}
+
+// SUCCESS path for the audit side effect: a valid POST with the default
+// audit:true emits one `csp.violation` row per normalized report, AND
+// returns 204 with the report still processed (onReport reached). The
+// @opts block documents `audit: boolean, // default true`; this asserts
+// the default actually emits.
+async function testAuditDefaultEmitsViolationRow() {
+  var rows = [];
+  var origEmit = b.audit.safeEmit;
+  b.audit.safeEmit = function (rec) {
+    if (rec && rec.action === "csp.violation") rows.push(rec);
+    return origEmit.apply(b.audit, arguments);
+  };
+  var reports = [];
+  var res = _capRes();
+  try {
+    var mw = b.middleware.cspReport({ onReport: function (r) { reports.push(r); } });
+    var payload = JSON.stringify([{
+      type: "csp-violation",
+      url:  "https://app.example.com/",
+      body: { effectiveDirective: "script-src", blockedURL: "https://evil.example/x.js" },
+    }]);
+    await mw(_bodyReq("POST", { "content-type": "application/reports+json" }, payload), res, function () {});
+  } finally {
+    b.audit.safeEmit = origEmit;
+  }
+  check("cspReport: audit default returns 204 with report processed",
+        res._sent.status === 204 && reports.length === 1);
+  check("cspReport: audit default emits one csp.violation row",
+        rows.length === 1 && rows[0].metadata.effectiveDirective === "script-src");
+}
+
+// audit:false suppresses the audit emission while the report is STILL
+// processed end-to-end: no `csp.violation` row, but onReport reached and
+// 204 returned. Operators who route violations through their own metrics
+// sink shouldn't pay for the duplicate audit row.
+async function testAuditFalseSuppressesViolationRow() {
+  var rows = [];
+  var origEmit = b.audit.safeEmit;
+  b.audit.safeEmit = function (rec) {
+    if (rec && rec.action === "csp.violation") rows.push(rec);
+    return origEmit.apply(b.audit, arguments);
+  };
+  var reports = [];
+  var res = _capRes();
+  try {
+    var mw = b.middleware.cspReport({
+      audit:    false,
+      onReport: function (r) { reports.push(r); },
+    });
+    var payload = JSON.stringify([{
+      type: "csp-violation",
+      url:  "https://app.example.com/",
+      body: { effectiveDirective: "img-src" },
+    }]);
+    await mw(_bodyReq("POST", { "content-type": "application/reports+json" }, payload), res, function () {});
+  } finally {
+    b.audit.safeEmit = origEmit;
+  }
+  check("cspReport: audit:false still returns 204 with report processed",
+        res._sent.status === 204 && reports.length === 1 &&
+        reports[0].body.effectiveDirective === "img-src");
+  check("cspReport: audit:false emits no csp.violation row",
+        rows.length === 0);
+}
+
+// maxBytes is a byte count routed through validateOpts.optionalPositiveInt
+// — garbage (string / negative / NaN / fractional) throws at create()
+// rather than silently falling back to the 64 KiB default while the
+// sibling onReject one line below would have thrown.
+function testMaxBytesGarbageThrowsAtCreate() {
+  var bad = ["nope", -1, NaN, 1.5, Infinity, 0];
+  for (var i = 0; i < bad.length; i++) {
+    var threw = false;
+    try { b.middleware.cspReport({ maxBytes: bad[i] }); }
+    catch (_e) { threw = true; }
+    check("cspReport: maxBytes garbage throws at create (" + String(bad[i]) + ")", threw);
+  }
+  // A valid positive integer is accepted; absent stays the default.
+  var ok = false;
+  try { b.middleware.cspReport({ maxBytes: 1024 }); ok = true; } catch (_e) { ok = false; }
+  check("cspReport: valid maxBytes accepted at create", ok);
 }
 
 // The SUCCESS path: a valid POST with a parseable report body must reach

package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js

@@ -144,6 +144,43 @@ function testDraftFinalReport() {
         typeof draft.lessonsLearned === "string");
 }
 
+function testReportObservabilityKnob() {
+  // The `observability` opt gates the best-effort report counter.
+  // Default (omitted) emits the dora.incident.reported event; setting
+  // observability:false suppresses it. We tap the observability sink to
+  // observe the emission.
+  var events = [];
+  b.observability.setTap(function (name) {
+    if (name === "dora.incident.reported") events.push(name);
+  });
+  try {
+    var doraDefault = b.dora.create({ audit: false });
+    doraDefault.report({
+      incidentId:     "INC-obs-default",
+      classification: "major",
+      stage:          "initial",
+      detectedAt:     Date.now(),
+      description:    "obs default path",
+    });
+    check("dora.observability default: counter emitted",
+      events.indexOf("dora.incident.reported") !== -1);
+
+    events.length = 0;
+    var doraSilent = b.dora.create({ audit: false, observability: false });
+    doraSilent.report({
+      incidentId:     "INC-obs-silent",
+      classification: "major",
+      stage:          "initial",
+      detectedAt:     Date.now(),
+      description:    "obs suppressed path",
+    });
+    check("dora.observability false: no counter emitted",
+      events.length === 0);
+  } finally {
+    b.observability.setTap(null);
+  }
+}
+
 async function run() {
   testSurface();
   testClassifyMajor();
@@ -155,6 +192,7 @@ async function run() {
   testReportFinal();
   testReportBadInput();
   testDraftFinalReport();
+  testReportObservabilityKnob();
 }
 
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js

@@ -512,6 +512,35 @@ function testCreateValidation() {
     });
   } catch (_e) { threwNoIdentity = true; }
   check("dsr.create: missing identityResolver throws", threwNoIdentity);
+
+  // De-advertised create-time keys: `observability` was never read at
+  // create (the counter always fires through the module sink) and
+  // `verifyContext` is a per-call process() opt, not a create() opt.
+  // Both removed from the create allowlist → unknown-option throw.
+  function _validBase() {
+    return {
+      ticketStore:      b.dsr.memoryTicketStore(),
+      identityResolver: async function () { return { subjectId: "u" }; },
+      sources:          [{ name: "x", query: async function () { return []; } }],
+    };
+  }
+  var threwObs = false;
+  try {
+    var oObs = _validBase(); oObs.observability = true;
+    b.dsr.create(oObs);
+  } catch (e) { threwObs = /unknown option 'observability'/.test(e.message || ""); }
+  check("dsr.create: unknown 'observability' opt rejected", threwObs);
+
+  var threwVc = false;
+  try {
+    var oVc = _validBase(); oVc.verifyContext = { mfaVerified: true };
+    b.dsr.create(oVc);
+  } catch (e) { threwVc = /unknown option 'verifyContext'/.test(e.message || ""); }
+  check("dsr.create: unknown create-time 'verifyContext' opt rejected", threwVc);
+
+  // Sanity: the valid base still constructs.
+  check("dsr.create: valid base opts construct",
+        typeof b.dsr.create(_validBase()).submit === "function");
 }
 
 // ---- Memory store ----

package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js

@@ -6,7 +6,8 @@
  *   - b.auth.openidFederation (entity statement parse + verify, metadata-policy operators)
  *   - b.auth.oid4vp        (DCQL validator + matcher)
  *   - b.auth.oid4vci       (issuer config validation, metadata, offer creation shape,
- *                           kid-only proof resolution via resolveKid)
+ *                           kid-only proof resolution via resolveKid, x5c leaf-cert
+ *                           proof binding + validateX5c hook, expired-c_nonce typed refusal)
  *   - b.auth.ciba          (client.create validation + binding-message rules)
  *   - b.auth.sdJwtVc       (key_attestation header surfaces through present)
  *   - b.session.isAnonymous + b.session.create({ anonymous: true })
@@ -22,6 +23,7 @@ var check          = helpers.check;
 var setupTestDb    = helpers.setupTestDb;
 var teardownTestDb = helpers.teardownTestDb;
 var nodeCrypto     = require("node:crypto");
+var asn1           = require("../../lib/asn1-der");
 
 // ---- xmlC14n ----------------------------------------------------------
 
@@ -236,6 +238,41 @@ function testDcqlMatch() {
   check("DCQL null at leaf misses empty array",         !_dcqlValid(["tags", null], { tags: [] }));
   // nested null wildcards recurse to arbitrary depth
   check("DCQL nested null wildcards match",             _dcqlValid(["a", null, "b", null], { a: [{ b: [1, 2] }] }));
+
+  // ---- numeric path segment = non-negative integer array index ----
+  // OpenID4VP 1.0 §7.1.1: a numeric claim-path segment is an array
+  // index and MUST be a non-negative integer. Config-time / entry-point
+  // tier — _validateDcql throws AuthError on the bad shape (driven here
+  // through the public matchDcql, which calls _validateDcql first).
+  function _segThrows(segment) {
+    var q = { credentials: [{ id: "c", format: "vc+sd-jwt",
+      claims: [{ path: ["arr", segment] }] }] };
+    var threw = null;
+    try { b.auth.oid4vp.matchDcql([], q); } catch (e) { threw = e; }
+    return threw;
+  }
+  function _segAccepted(segment) {
+    var q = { credentials: [{ id: "c", format: "vc+sd-jwt",
+      claims: [{ path: ["arr", segment] }] }] };
+    var threw = null;
+    try { b.auth.oid4vp.matchDcql([{ id: "c", format: "vc+sd-jwt", claims: { arr: [1, 2, 3] } }], q); }
+    catch (e) { threw = e; }
+    return threw === null;
+  }
+  var segNeg = _segThrows(-1);
+  check("DCQL: negative index segment throws AuthError",
+        !!segNeg && segNeg.code === "auth-oid4vp/bad-claim-segment");
+  var segFrac = _segThrows(1.5);
+  check("DCQL: fractional index segment throws AuthError",
+        !!segFrac && segFrac.code === "auth-oid4vp/bad-claim-segment");
+  var segNaN = _segThrows(NaN);
+  check("DCQL: NaN index segment throws AuthError",
+        !!segNaN && segNaN.code === "auth-oid4vp/bad-claim-segment");
+  var segInf = _segThrows(Infinity);
+  check("DCQL: Infinity index segment throws AuthError",
+        !!segInf && segInf.code === "auth-oid4vp/bad-claim-segment");
+  check("DCQL: zero index segment accepted",     _segAccepted(0));
+  check("DCQL: positive index segment accepted", _segAccepted(2));
 }
 
 // ---- OID4VCI issuer config -------------------------------------------
@@ -400,6 +437,202 @@ async function testOid4vciKidResolver() {
   check("OID4VCI: resolveKid failure is a typed AuthError", isAuthErr);
 }
 
+// ---- OID4VCI x5c proof (RFC 7515 §4.1.6 / OID4VCI §8.2.1.1) -----------
+
+// Build a self-signed P-256 EC leaf certificate (the holder cert the
+// wallet ships in `x5c`). The cert's private key signs the proof JWT;
+// the leaf SPKI is the holder key the issuer binds cnf to. Returns the
+// raw DER + the EC private key. Mirrors content-credentials.test.js's
+// in-tree DER cert minting (no openssl dependency).
+function _makeEcLeafCert(cn) {
+  var kp = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+  var spki = kp.publicKey.export({ type: "spki", format: "der" });        // full EC SubjectPublicKeyInfo (alg id + curve + point)
+  var name = asn1.writeSequence([asn1.writeSet([asn1.writeSequence([
+    asn1.writeOid("2.5.4.3"), asn1.writeUtf8String(cn)])])]);             // CN=<cn>
+  var sigAlgId = asn1.writeSequence([asn1.writeOid("1.2.840.10045.4.3.2")]); // ecdsa-with-SHA256
+  var version  = asn1.writeContextExplicit(0, asn1.writeInteger(Buffer.from([2])));
+  var serial   = asn1.writeInteger(Buffer.from([0x2c]));
+  var now = Date.now();
+  function _utc(d) { var s = d.toISOString().replace(/[-:T]/g, "").slice(2, 14) + "Z"; return asn1.writeNode(0x17, Buffer.from(s, "ascii")); }
+  var validity = asn1.writeSequence([_utc(new Date(now - 86400000)), _utc(new Date(now + 86400000 * 3650))]);
+  var tbs = asn1.writeSequence([version, serial, sigAlgId, name, validity, name, spki]);
+  var tbsSig = nodeCrypto.sign("sha256", tbs, kp.privateKey);             // ECDSA sig is DER-encoded (X509 default)
+  var certDer = asn1.writeSequence([tbs, sigAlgId, asn1.writeBitString(tbsSig, 0)]);
+  return { certDer: certDer, privateKey: kp.privateKey };
+}
+
+// Build a holder-signed openid4vci-proof+jwt carrying an `x5c` chain
+// (standard base64, leaf first) and no inline jwk/kid. ES256 over the
+// leaf cert's EC private key.
+function _signX5cProof(leafPrivKey, x5cArray, aud, nonce) {
+  var header  = { typ: "openid4vci-proof+jwt", alg: "ES256", x5c: x5cArray };
+  var payload = { aud: aud, nonce: nonce, iat: Math.floor(Date.now() / 1000) };
+  var signingInput = _b64url(JSON.stringify(header)) + "." + _b64url(JSON.stringify(payload));
+  var sig = nodeCrypto.sign("sha256", Buffer.from(signingInput, "ascii"),
+    { key: leafPrivKey, dsaEncoding: "ieee-p1363" });
+  return signingInput + "." + _b64url(sig);
+}
+
+async function testOid4vciX5cProof() {
+  var aud  = "https://issuer.example";
+  var leaf = _makeEcLeafCert("Holder Wallet Leaf");
+  var leafB64 = leaf.certDer.toString("base64");                          // standard base64 (RFC 7515 §4.1.6)
+  var leafPubJwk = nodeCrypto.createPublicKey(leaf.privateKey).export({ format: "jwk" });
+
+  // SUCCESS PATH — x5c-only proof, no operator validateX5c hook. The
+  // leaf SPKI binds at the same self-asserted trust as inline jwk; the
+  // proof signature proves the holder controls the key. End-to-end:
+  // offer → token → credential issued, cnf bound to the leaf SPKI.
+  var ok = await _runIssuanceWithProof(
+    {},
+    function (nonce) { return _signX5cProof(leaf.privateKey, [leafB64], aud, nonce); });
+  check("OID4VCI: x5c-only proof issues credential (success path)",
+        ok.rv && ok.rv.credential === "fake-sd-jwt");
+  check("OID4VCI: x5c leaf SPKI bound to cnf",
+        ok.captured.holderKey && ok.captured.holderKey.kty === "EC" &&
+        ok.captured.holderKey.x === leafPubJwk.x);
+
+  // SUCCESS PATH — operator validateX5c hook receives the leaf DER + the
+  // header and may pass. Confirms the chain buffers + header reach the hook.
+  var seen = { chainLen: 0, headerAlg: null, leafIsBuffer: false };
+  var okHook = await _runIssuanceWithProof(
+    { validateX5c: function (chainDerBuffers, header) {
+        seen.chainLen     = chainDerBuffers.length;
+        seen.headerAlg    = header.alg;
+        seen.leafIsBuffer = Buffer.isBuffer(chainDerBuffers[0]);
+      } },
+    function (nonce) { return _signX5cProof(leaf.privateKey, [leafB64], aud, nonce); });
+  check("OID4VCI: validateX5c hook passing issues credential",
+        okHook.rv && okHook.rv.credential === "fake-sd-jwt");
+  check("OID4VCI: validateX5c hook receives leaf DER buffer + header.alg",
+        seen.chainLen === 1 && seen.headerAlg === "ES256" && seen.leafIsBuffer === true);
+
+  // REFUSAL — operator validateX5c throws → typed AuthError refusal, not
+  // an unhandled rejection.
+  var threw = false, isAuthErr = false;
+  try {
+    await _runIssuanceWithProof(
+      { validateX5c: function () { throw new Error("untrusted-attestation-ca"); } },
+      function (nonce) { return _signX5cProof(leaf.privateKey, [leafB64], aud, nonce); });
+  } catch (e) {
+    threw = /x5c-rejected/.test(e.code) && /untrusted-attestation-ca/.test(e.message);
+    isAuthErr = e instanceof b.frameworkError.AuthError;
+  }
+  check("OID4VCI: validateX5c throwing yields typed x5c-rejected", threw);
+  check("OID4VCI: validateX5c refusal is a typed AuthError", isAuthErr);
+
+  // REFUSAL — wrong leaf key (proof signed by a DIFFERENT EC key than the
+  // cert carries) → signature verification fails cleanly.
+  var otherLeaf = _makeEcLeafCert("Imposter Leaf");
+  threw = false;
+  try {
+    await _runIssuanceWithProof(
+      {},
+      function (nonce) { return _signX5cProof(otherLeaf.privateKey, [leafB64], aud, nonce); });
+  } catch (e) { threw = /proof-bad-signature/.test(e.code) || /signature verification failed/.test(e.message); }
+  check("OID4VCI: x5c proof signed by non-leaf key fails signature", threw);
+
+  // MALFORMED x5c — each shape refused with a typed code (not a crash).
+  function _refusedX5c(x5cVal, label) {
+    var t = false, typed = false;
+    return _runIssuanceWithProof(
+      {},
+      function (nonce) {
+        // Build a proof whose header carries the malformed x5c; the proof
+        // never reaches signature verification — it's refused at parse.
+        var header  = { typ: "openid4vci-proof+jwt", alg: "ES256", x5c: x5cVal };
+        var payload = { aud: aud, nonce: nonce, iat: Math.floor(Date.now() / 1000) };
+        var input = _b64url(JSON.stringify(header)) + "." + _b64url(JSON.stringify(payload));
+        var sig = nodeCrypto.sign("sha256", Buffer.from(input, "ascii"),
+          { key: leaf.privateKey, dsaEncoding: "ieee-p1363" });
+        return input + "." + _b64url(sig);
+      }
+    ).then(
+      function () { check("OID4VCI: malformed x5c (" + label + ") refused", false); },
+      function (e) {
+        t = /bad-x5c/.test(e.code);
+        typed = e instanceof b.frameworkError.AuthError;
+        check("OID4VCI: malformed x5c (" + label + ") refused typed", t && typed);
+      });
+  }
+  await _refusedX5c([], "empty array");
+  await _refusedX5c([""], "empty string entry");
+  await _refusedX5c(["@@@not-base64@@@"], "non-base64 entry");
+  // base64url chars (- / _) are invalid for x5c (standard base64 only).
+  await _refusedX5c([leafB64.replace(/[+/]/, "-")], "base64url-charset entry");
+  // valid base64 but not a parseable DER certificate.
+  await _refusedX5c([Buffer.from("not a certificate").toString("base64")], "non-DER-cert entry");
+
+  // non-array x5c — header.x5c truthy-but-not-array. _parseX5cChain
+  // refuses. (header.jwk/kid absent so the x5c branch is taken.)
+  await _refusedX5c({ "0": leafB64 }, "object not array");
+}
+
+// ---- OID4VCI expired c_nonce (typed refusal, not TypeError) ----------
+
+async function testOid4vciCNonceExpired() {
+  var aud = "https://issuer.example";
+  var holderKp  = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+  var holderJwk = holderKp.publicKey.export({ format: "jwk" });
+
+  // A cNonceStore whose get() always returns undefined simulates the
+  // c_nonce TTL (5m) elapsing before /credential is called while the
+  // access token (15m) is still live — cNonceStore.get returns undefined
+  // on miss/expiry. set/del are accepted no-ops so issuance can proceed
+  // up to the proof check.
+  var expiredCNonceStore = {
+    set: async function () {},
+    get: async function () { return undefined; },
+    del: async function () {},
+  };
+
+  var iss = b.auth.oid4vci.issuer.create({
+    credentialIssuerUrl: aud,
+    credentialEndpoint:  aud + "/credential",
+    tokenEndpoint:       aud + "/token",
+    sdJwtIssuer:         { issue: async function () { return { token: "fake-sd-jwt" }; } },
+    supportedCredentials: {
+      "id-card-1": { format: "vc+sd-jwt", vct: "https://example.com/vct/identity",
+                     claims: { given_name: {} } },
+    },
+    cNonceStore: expiredCNonceStore,
+  });
+  var offer  = await iss.createCredentialOffer({ subject: "user-9", credentialIds: ["id-card-1"] });
+  var tokens = await iss.exchangePreAuthorizedCode({ preAuthCode: offer.preAuthCode });
+
+  // The proof carries SOME nonce (the wallet's last-seen c_nonce), but
+  // the store has expired the expected value → undefined. Pre-fix this
+  // crashed with a raw TypeError from timingSafeEqual(nonce, undefined);
+  // now it must refuse with the typed c-nonce-expired code. Use an
+  // inline-jwk proof so the key path succeeds and the ONLY failure is
+  // the expired c_nonce.
+  function _signJwkProof(priv, jwk, a, nonce) {
+    var header  = { typ: "openid4vci-proof+jwt", alg: "ES256", jwk: jwk };
+    var payload = { aud: a, nonce: nonce, iat: Math.floor(Date.now() / 1000) };
+    var input = _b64url(JSON.stringify(header)) + "." + _b64url(JSON.stringify(payload));
+    var sig = nodeCrypto.sign("sha256", Buffer.from(input, "ascii"), { key: priv, dsaEncoding: "ieee-p1363" });
+    return input + "." + _b64url(sig);
+  }
+  var proof = _signJwkProof(holderKp.privateKey, holderJwk, aud, "stale-nonce");
+
+  var threw = false, isAuthErr = false, isTypeError = false;
+  try {
+    await iss.issueCredential({
+      accessToken:          tokens.access_token,
+      credentialIdentifier: "id-card-1",
+      proof:                proof,
+      claims:               { given_name: "Alice" },
+    });
+  } catch (e) {
+    threw = /c-nonce-expired/.test(e.code || "");
+    isAuthErr = e instanceof b.frameworkError.AuthError;
+    isTypeError = e instanceof TypeError;
+  }
+  check("OID4VCI: expired c_nonce (store miss) refused with c-nonce-expired", threw);
+  check("OID4VCI: expired c_nonce refusal is a typed AuthError", isAuthErr);
+  check("OID4VCI: expired c_nonce does NOT throw a raw TypeError", !isTypeError);
+}
+
 // ---- CIBA client config ----------------------------------------------
 
 function testCibaConfig() {
@@ -560,6 +793,8 @@ async function run() {
   testDcqlMatch();
   testOid4vciIssuerConfig();
   await testOid4vciKidResolver();
+  await testOid4vciX5cProof();
+  await testOid4vciCNonceExpired();
   testCibaConfig();
   await testSdJwtKeyAttestationStorage();
   await testAnonymousSessions();