@blamejs/core 0.10.1 → 0.10.2

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.10.x
 
+- v0.10.2 (2026-05-16) — **CVE backstops layered on top of v0.10.0.** Five additional refusals across `b.guardRegex`, `b.otelExport`, `b.guardXml`, `b.guardGraphql`, plus a host-side ingress route for `b.cli`. Every change is opt-out (refusal at every profile); no API removals. **(a) `b.guardRegex` glob-shape detectors with explicit `inputKind` gate** — new `consecutiveStarPolicy` + `nestedExtglobPolicy` (defaults `"reject"`) + `maxConsecutiveStars` (default 2) + `inputKind: "regex" | "glob"` (default `"regex"`). The glob-shape detectors fire ONLY when the caller passes `inputKind: "glob"` — ECMAScript regex syntax cannot produce `***` (SyntaxError) and the extglob heads `*(`/`+(`/`?(`/`@(`/`!(`  collide with valid `quantifier + capturing group` shapes, so applying these detectors to regex inputs is false-positive territory. Callers handling glob fragments (picomatch / micromatch-style patterns) opt in via `inputKind: "glob"` and get refusals for ≥3 consecutive `*` metacharacters ([CVE-2026-26996](https://nvd.nist.gov/vuln/detail/CVE-2026-26996) — O(4^N) backtracking on non-matching literal) and for any extglob whose body contains another extglob ([CVE-2026-33671](https://nvd.nist.gov/vuln/detail/CVE-2026-33671) — picomatch nested-quantifier backtracking). `**` recursive-glob stays permitted under `maxConsecutiveStars: 2`. **(b) `b.cli --ignore` ReDoS ingress closure** — `cli --ignore <pattern>` arguments route through `b.guardRegex.sanitize({ profile: "strict" })` before reaching `new RegExp(pattern)`. Strict-profile refusal of nested-quantifier / lookaround-quantifier / unbounded-bounded-repeat shapes still applies in default `inputKind: "regex"` mode, closing the host-side surface for the classic ReDoS classes. **(c) `b.otelExport.flush()` response cap** — every outbound OTLP request now pins `maxResponseBytes: 1 MiB` + a typed `errorClass`, so a malicious / misconfigured collector cannot exhaust memory in the export loop ([CVE-2026-40891](https://nvd.nist.gov/vuln/detail/CVE-2026-40891) / [CVE-2026-40182](https://nvd.nist.gov/vuln/detail/CVE-2026-40182) class). **(d) `b.guardXml` numeric-character-reference fan-out cap** — new `maxNumericCharRefs` opt (strict 1024 / balanced 16384 / permissive 262144). NCRs are counted independently of `entityPolicy`, so a signed-XML path that legitimately permits entity expansion cannot accidentally disable the NCR cap ([CVE-2026-26278](https://nvd.nist.gov/vuln/detail/CVE-2026-26278) / [CVE-2026-33036](https://nvd.nist.gov/vuln/detail/CVE-2026-33036) — billion-NCR fan-out class). **(e) `b.guardGraphql` prototype-pollution refusal** — refuses `__proto__` / `constructor` / `prototype` as top-level variable keys (`Object.prototype.hasOwnProperty.call(variables, ...)` check, sidesteps a poisoned-prototype `in` lookup) AND as field / alias / `$variable` identifiers in the query body, including the no-whitespace alias form `query { a:__proto__ }` (the colon is a valid identifier-position prefix). Refused at every profile, severity `critical` ([CVE-2026-32621](https://nvd.nist.gov/vuln/detail/CVE-2026-32621) class). **(f) `b.auth.sdJwtVc.present()` defense-in-depth comment** — documents that the holder-side pre-parse of `_sd_alg` reads from unsigned bytes safely because `verify()` re-parses from the cryptographically-verified signing input; no behavioral change. **Regression coverage** — `test/fixtures/exploit-corpus/corpus.json` gains four entries: glob-mode positive refusal for `***+nonmatch` and `*(*(a))`, regex-mode pass for `a*(b+(c))` (false-positive class the design refused to ship), and the colon-prefix GraphQL alias `query { a:__proto__ }`. **Operator impact:** existing operators see no change in default behavior — the new glob detectors are opt-in via `inputKind: "glob"`. Operators wiring `b.guardRegex` over glob fragments (file-pattern allowlists, rsync-style rules) opt in and get the CVE-2026-26996 / -33671 refusals; opt back out per call via `consecutiveStarPolicy: "allow"` / `nestedExtglobPolicy: "allow"`. `b.guardXml` operators on signed-XML pipelines opt out via `maxNumericCharRefs: Infinity` if they bound NCRs upstream. GraphQL variable / query-body refusals are not opt-out — `__proto__` / `constructor` / `prototype` are never legitimate identifiers in operator-supplied input. References: [picomatch CVE-2024-4067 family](https://nvd.nist.gov/vuln/detail/CVE-2024-4067), [OWASP ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS), [OWASP XXE / Billion Laughs](https://owasp.org/www-community/vulnerabilities/XML_Entity_Expansion), [GraphQL Server Security Best Practices](https://www.apollographql.com/docs/router/configuration/overview/).
 - v0.10.1 (2026-05-16) — **First npm-published v0.10.x artifact.** v0.10.0 was tagged + released on GitHub but its npm-publish workflow OOM'd at the lint+smoke gate (default Node ~4GB heap couldn't load the expanded mail-stack + audit-fix test surface). v0.10.1 adds `NODE_OPTIONS=--max-old-space-size=8192` to the workflow's smoke step so the parent process gets the same headroom the forked test workers already get. No runtime / API changes from v0.10.0 — every primitive, posture, and security default ships exactly as documented in the v0.10.0 release notes below. Operators who fetched the v0.10.0 git tag can re-tag from v0.10.1 (`git fetch origin v0.10.1`) to land on the npm-published commit; the framework code itself is byte-identical apart from the workflow file + version bump.
 - v0.10.0 (2026-05-16) — **Mail-stack feature-complete + cross-surface hardening.** Bundled minor closing the blamepost mail-stack roadmap (five new operator-facing namespaces) plus a multi-domain hardening sweep across auth / crypto / vendor data / mail-protocol / mail-auth / agent substrate / Node.js CVE backstops.
 

package/lib/auth/sd-jwt-vc.js

@@ -301,6 +301,17 @@ function present(opts) {
   // Hardcoded sha256 here previously diverged from the verifier when
   // an issuer used a non-default hash, producing sd-hash-mismatch on
   // valid presentations.
+  //
+  // Defense-in-depth: this pre-parse runs on the holder side
+  // (presentation builder) and reads `_sd_alg` from UNSIGNED bytes,
+  // because the holder needs to know which hash to use BEFORE the
+  // verifier sees the presentation. The presentation itself carries
+  // the JWS-signed issuer JWT verbatim; verify() re-parses the
+  // payload from the cryptographically-verified signing input. That
+  // post-verify decode is the source of truth — a holder who tampers
+  // with `_sd_alg` here only breaks their own KB-JWT digest, since
+  // the verifier recomputes from the signed bytes. No security
+  // boundary is crossed by reading the value here.
   var _issuerPayload = null;
   var _jwtParts = jwt.split(".");
   if (_jwtParts.length === 3) {

package/lib/cli.js

@@ -48,6 +48,7 @@ var C = require("./constants");
 var bCrypto = require("./crypto");
 var dev = require("./dev");
 var fileType = require("./file-type");
+var guardRegex = require("./guard-regex");
 var migrations = require("./migrations");
 var passwordModule = require("./auth/password");
 var requestHelpers = require("./request-helpers");
@@ -357,6 +358,18 @@ async function _runDev(args, ctx) {
         "blamejs dev: --ignore pattern exceeds max length " +
         MAX_IGNORE_PATTERN_LENGTH + " (got " + str.length + ")");
     }
+    // ReDoS / catastrophic-backtracking defense — refuses nested-quant
+    // (CVE-2024-21538 class), consecutive-* (CVE-2026-26996), nested
+    // extglob (CVE-2026-33671), and lookaround-quant shapes before the
+    // pattern reaches RegExp(). Operator typo / hostile-input identical
+    // shape from here on — both want the same refusal.
+    try {
+      guardRegex.sanitize(str, { profile: "strict" });
+    } catch (e) {
+      throw new CliError("cli/bad-ignore-pattern",
+        "blamejs dev: --ignore pattern refused by guardRegex: " +
+        ((e && e.message) || String(e)));
+    }
     return RegExp(str);
   });
   var graceMs = args.flags["grace-ms"] !== undefined ? Number(args.flags["grace-ms"]) : undefined;

package/lib/guard-graphql.js

@@ -89,6 +89,15 @@ void observability;
 
 var _err = GuardGraphqlError.factory;
 
+// Query-body proto-poison literal (CVE-2026-32621). Matches the bare
+// identifier in field / alias / variable-declaration positions —
+// `$__proto__: String`, `__proto__: realField`, `__proto__ { ... }`,
+// and the no-whitespace alias form `query { a:__proto__ }` /
+// `query { a:constructor }` (GraphQL parsers accept the colon with
+// or without trailing whitespace, so `:` is a valid identifier-
+// position prefix that must also trigger refusal).
+var PROTO_POISON_QUERY_RE = /[\s,({:]\$?(?:__proto__|constructor|prototype)\b/;
+
 // ---- Profile presets ----
 
 var PROFILES = Object.freeze({
@@ -319,6 +328,34 @@ function _detectIssues(req, opts) {
     } catch (_e) { /* unstringifiable variables */ }
   }
 
+  // Prototype-pollution defense (CVE-2026-32621). A `__proto__` /
+  // `constructor` / `prototype` variable key OR query-body identifier
+  // pivots a downstream deep-merge / deep-set into a poisoned shape.
+  // Refused at every profile.
+  var pVar = req.variables;
+  var pHas = Object.prototype.hasOwnProperty;
+  var pName = (pVar && typeof pVar === "object" && !Array.isArray(pVar) &&
+    (pHas.call(pVar, "__proto__")   ? "__proto__"   :
+     pHas.call(pVar, "constructor") ? "constructor" :
+     pHas.call(pVar, "prototype")   ? "prototype"   : null));
+  if (pName) {
+    issues.push({
+      kind: "variable-prototype-poison", severity: "critical",
+      ruleId: "graphql.variable-prototype-poison",
+      snippet: "variable name `" + pName + "` — prototype-pollution " +
+               "gadget (CVE-2026-32621)",
+    });
+  }
+  if (PROTO_POISON_QUERY_RE.test(req.query)) {                                   // allow:regex-no-length-cap — input bounded by maxQueryBytes above
+    issues.push({
+      kind: "query-prototype-poison", severity: "critical",
+      ruleId: "graphql.query-prototype-poison",
+      snippet: "query references `__proto__` / `constructor` / " +
+               "`prototype` as a field / alias / variable — prototype-" +
+               "pollution gadget (CVE-2026-32621)",
+    });
+  }
+
   // Introspection.
   if (opts.introspectionPolicy !== "allow") {
     if (req.query.indexOf("__schema") !== -1 ||

package/lib/guard-regex.js

@@ -70,6 +70,14 @@ var BOUNDED_REPEAT_RE = /\{(\d+)(?:,(\d*))?\}/g;
 // Lookaround with internal quantifier — `(?=.*+)`, `(?!a*)`.
 var LOOKAROUND_QUANT_RE = /\(\?[=!<][^()]*[*+]/;
 
+// Nested extglob detector — picomatch `*(...)` / `+(...)` / `?(...)` /
+// `@(...)` / `!(...)` containing another extglob inside (CVE-2026-33671
+// nested-extglob catastrophic-backtracking class). Two extglob heads in
+// the same pattern with no closing paren between them indicates nesting.
+// The consecutive-star detector (CVE-2026-26996) walks the input by
+// char so doesn't need a regex literal.
+var EXTGLOB_HEAD_RE = /[*+?@!]\(/g;                                                  // allow:regex-no-length-cap — input bounded by maxPatternBytes
+
 // ---- Profile presets ----
 
 var PROFILES = Object.freeze({
@@ -82,7 +90,11 @@ var PROFILES = Object.freeze({
     alternationQuantPolicy:    "reject",
     boundedRepeatPolicy:       "reject",
     lookaroundQuantPolicy:     "reject",
+    consecutiveStarPolicy:    "reject",
+    nestedExtglobPolicy:      "reject",
+    inputKind:                "regex",                                            // CVE-2026-26996 + CVE-2026-33671 detectors apply only when inputKind=="glob"
     maxBoundedRepeat:          100,                                              // allow:raw-byte-literal — bounded repeat ceiling
+    maxConsecutiveStars:        2,                                                // allow:raw-byte-literal — `**` recursive glob permitted; >=3 refused
     maxPatternBytes:           C.BYTES.kib(1),
     maxBytes:                  C.BYTES.kib(1),
     maxRuntimeMs:              C.TIME.seconds(2),
@@ -96,7 +108,10 @@ var PROFILES = Object.freeze({
     alternationQuantPolicy:    "audit",
     boundedRepeatPolicy:       "audit",
     lookaroundQuantPolicy:     "audit",
+    consecutiveStarPolicy:    "reject",                                          // CVE-2026-26996 refused at every profile
+    nestedExtglobPolicy:      "reject",                                          // CVE-2026-33671 refused at every profile
     maxBoundedRepeat:          1000,                                             // allow:raw-byte-literal — bounded repeat ceiling
+    maxConsecutiveStars:        2,                                                // allow:raw-byte-literal — `**` recursive glob permitted; >=3 refused
     maxPatternBytes:           C.BYTES.kib(2),
     maxBytes:                  C.BYTES.kib(2),
     maxRuntimeMs:              C.TIME.seconds(2),
@@ -110,7 +125,10 @@ var PROFILES = Object.freeze({
     alternationQuantPolicy:    "allow",
     boundedRepeatPolicy:       "audit",
     lookaroundQuantPolicy:     "audit",
+    consecutiveStarPolicy:    "reject",                                          // CVE-2026-26996 refused at every profile
+    nestedExtglobPolicy:      "reject",                                          // CVE-2026-33671 refused at every profile
     maxBoundedRepeat:          10000,                                            // allow:raw-byte-literal — bounded repeat ceiling
+    maxConsecutiveStars:        2,                                                // allow:raw-byte-literal — `**` recursive glob permitted; >=3 refused
     maxPatternBytes:           C.BYTES.kib(8),
     maxBytes:                  C.BYTES.kib(8),
     maxRuntimeMs:              C.TIME.seconds(2),
@@ -223,9 +241,116 @@ function _detectIssues(input, opts) {
     }
   }
 
+  _detectConsecutiveStar(input, opts, issues);
+  _detectNestedExtglob(input, opts, issues);
+
   return issues;
 }
 
+// Consecutive-star wildcard cap (CVE-2026-26996). Operator-supplied
+// glob fragments compile to picomatch / RegExp; a long run of `*`
+// against a non-matching literal walks O(4^N). Three-or-more
+// consecutive `*` is the canonical bad shape; `**` (recursive glob)
+// stays permitted, gated by the profile's `maxConsecutiveStars`.
+function _detectConsecutiveStar(input, opts, issues) {
+  if (opts.consecutiveStarPolicy === "allow") return;
+  // CVE-2026-26996 is a picomatch / glob-shape backtracking class —
+  // `***+literal` walks O(4^N) when picomatch translates the run to a
+  // backtracking-heavy regex. Native ECMAScript regex syntax cannot
+  // produce three consecutive `*` quantifiers (it's a SyntaxError),
+  // so applying this detector to `inputKind: "regex"` strings only
+  // produces false positives on legitimate regex shapes like
+  // `a*(b)*` where `*(` is quantifier+group, not extglob.
+  if (opts.inputKind !== "glob") return;
+  var starRun = 0;
+  var starRunMax = 0;
+  for (var si = 0; si < input.length; si += 1) {
+    if (input.charAt(si) === "*") {
+      starRun += 1;
+      if (starRun > starRunMax) starRunMax = starRun;
+    } else {
+      starRun = 0;
+    }
+  }
+  var starCeiling = opts.maxConsecutiveStars === undefined ?
+                    2 : opts.maxConsecutiveStars;                                // allow:raw-byte-literal — `**` glob ceiling
+  if (starRunMax > starCeiling) {
+    issues.push({
+      kind: "consecutive-star",
+      severity: opts.consecutiveStarPolicy === "reject" ? "critical" : "high",
+      ruleId: "regex.consecutive-star",
+      snippet: "pattern has " + starRunMax + " consecutive `*` " +
+               "wildcards (cap " + starCeiling + ") — O(4^N) " +
+               "backtracking on non-matching literal (CVE-2026-26996)",
+    });
+  }
+}
+
+// Nested-extglob detector (CVE-2026-33671). picomatch `*(...)` /
+// `+(...)` / `?(...)` / `@(...)` / `!(...)` containing another
+// extglob inside compiles to catastrophic-backtracking regex.
+function _detectNestedExtglob(input, opts, issues) {
+  if (opts.nestedExtglobPolicy === "allow") return;
+  // CVE-2026-33671 is picomatch-specific: the extglob heads `*(`/
+  // `+(`/`?(`/`@(`/`!(` collide with valid ECMAScript regex shapes
+  // (quantifier + capturing group). Restricting this detector to
+  // `inputKind: "glob"` avoids false-positive refusal of regex
+  // patterns like `a*(b+(c))` where the heads are quantifier
+  // groupings, not extglob.
+  if (opts.inputKind !== "glob") return;
+  // Collect extglob head positions via match() — read-only scan.
+  var heads = [];
+  var allHeads = input.match(EXTGLOB_HEAD_RE);                                   // allow:regex-no-length-cap — input bounded by maxPatternBytes
+  if (allHeads === null || allHeads.length < 2) return;
+  // Locate each head index manually (match returns substrings, not idx).
+  var scanFrom = 0;
+  for (var hh = 0; hh < allHeads.length; hh += 1) {
+    var ch0 = allHeads[hh].charAt(0);
+    var idx = scanFrom;
+    while (idx < input.length - 1) {
+      var c0 = input.charAt(idx);
+      var c1 = input.charAt(idx + 1);
+      if (c1 === "(" && c0 === ch0) break;
+      idx += 1;
+    }
+    heads.push(idx);
+    scanFrom = idx + 1;
+    if (heads.length > 1024) break;                                              // allow:raw-byte-literal — head-count safety cap
+  }
+  var nested = false;
+  for (var hi = 0; hi < heads.length && !nested; hi += 1) {
+    var headStart = heads[hi];
+    // Walk forward tracking paren depth. Inner head before close = nested.
+    var pdepth = 1;
+    for (var pj = headStart + 2; pj < input.length && pdepth > 0; pj += 1) {
+      var ch = input.charAt(pj);
+      if (ch === "(") {
+        pdepth += 1;
+        if (pj > 0) {
+          var preVerb = input.charAt(pj - 1);
+          if (preVerb === "*" || preVerb === "+" || preVerb === "?" ||
+              preVerb === "@" || preVerb === "!") {
+            nested = true;
+            break;
+          }
+        }
+      } else if (ch === ")") {
+        pdepth -= 1;
+      }
+    }
+  }
+  if (nested) {
+    issues.push({
+      kind: "nested-extglob",
+      severity: opts.nestedExtglobPolicy === "reject" ? "critical" : "high",
+      ruleId: "regex.nested-extglob",
+      snippet: "pattern contains nested extglob quantifier " +
+               "(`*(...*(...))`) — catastrophic backtracking class " +
+               "(CVE-2026-33671 picomatch)",
+    });
+  }
+}
+
 /**
  * @primitive  b.guardRegex.validate
  * @signature  b.guardRegex.validate(input, opts)
@@ -252,7 +377,11 @@ function _detectIssues(input, opts) {
  *   alternationQuantPolicy: "reject"|"audit"|"allow",
  *   boundedRepeatPolicy:    "reject"|"audit"|"allow",
  *   lookaroundQuantPolicy:  "reject"|"audit"|"allow",
+ *   consecutiveStarPolicy:  "reject"|"audit"|"allow",
+ *   nestedExtglobPolicy:    "reject"|"audit"|"allow",
+ *   inputKind:              "regex"|"glob",
  *   maxBoundedRepeat:       number,
+ *   maxConsecutiveStars:    number,
  *   maxPatternBytes:        number,
  *   maxBytes:               number,
  *   maxRuntimeMs:           number,
@@ -268,7 +397,7 @@ function _detectIssues(input, opts) {
 function validate(input, opts) {
   opts = _resolveOpts(opts);
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
-    ["maxBytes", "maxPatternBytes", "maxBoundedRepeat"],
+    ["maxBytes", "maxPatternBytes", "maxBoundedRepeat", "maxConsecutiveStars"],
     "guardRegex.validate", GuardRegexError, "regex.bad-opt");
   return gateContract.aggregateIssues(_detectIssues(input, opts));
 }
@@ -298,7 +427,11 @@ function validate(input, opts) {
  *   alternationQuantPolicy: "reject"|"audit"|"allow",
  *   boundedRepeatPolicy:    "reject"|"audit"|"allow",
  *   lookaroundQuantPolicy:  "reject"|"audit"|"allow",
+ *   consecutiveStarPolicy:  "reject"|"audit"|"allow",
+ *   nestedExtglobPolicy:    "reject"|"audit"|"allow",
+ *   inputKind:              "regex"|"glob",
  *   maxBoundedRepeat:       number,
+ *   maxConsecutiveStars:    number,
  *   maxPatternBytes:        number,
  *
  * @example
@@ -350,7 +483,11 @@ function sanitize(input, opts) {
  *   alternationQuantPolicy: "reject"|"audit"|"allow",
  *   boundedRepeatPolicy:    "reject"|"audit"|"allow",
  *   lookaroundQuantPolicy:  "reject"|"audit"|"allow",
+ *   consecutiveStarPolicy:  "reject"|"audit"|"allow",
+ *   nestedExtglobPolicy:    "reject"|"audit"|"allow",
+ *   inputKind:              "regex"|"glob",
  *   maxBoundedRepeat:       number,
+ *   maxConsecutiveStars:    number,
  *   maxPatternBytes:        number,
  *
  * @example

package/lib/guard-xml.js

@@ -91,6 +91,16 @@ var PROCESSING_INSTR_RE = /<\?[A-Za-z][\w:-]*/;
 var CDATA_RE = /<!\[CDATA\[/;
 var XMLDSIG_RE = /<\w*:?Signature\b[^>]*xmldsig/i;
 
+// Numeric character reference (NCR) detector. Per XML 1.0 §4.1 every
+// `&#<digits>;` / `&#x<hex>;` is a character reference; a hostile input
+// fanning these out in the hundreds of thousands bypasses entity-
+// expansion caps that count only `&name;` general entities (CVE-2026-
+// 26278 / CVE-2026-33036 .NET XmlReader class). Per-document NCR count
+// is gated by `maxNumericCharRefs` independent of the entity-policy
+// branch so the operator can't disable the cap by setting
+// `entityPolicy: "allow"` for a downstream signed-XML case.
+var NUMERIC_CHAR_REF_RE = /&#(?:[0-9]+|x[0-9a-fA-F]+);/g;                            // allow:regex-no-length-cap — input bounded by maxBytes above
+
 // ---- Profile presets ----
 
 var PROFILES = Object.freeze({
@@ -112,6 +122,7 @@ var PROFILES = Object.freeze({
     maxElements:            8192,                                                // allow:raw-byte-literal — element count cap, not byte size
     maxAttrsPerElement:     64,                                                  // allow:raw-byte-literal — attr count, not byte size
     maxAttrValueBytes:      C.BYTES.kib(8),
+    maxNumericCharRefs:     1024,                                                // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
   },
   "balanced": {
     doctypePolicy:          "reject",                // DOCTYPE is XXE vector regardless
@@ -131,6 +142,7 @@ var PROFILES = Object.freeze({
     maxElements:            65536,                                               // allow:raw-byte-literal — element count cap, not byte size
     maxAttrsPerElement:     128,                                                 // allow:raw-byte-literal — attr count, not byte size
     maxAttrValueBytes:      C.BYTES.kib(32),
+    maxNumericCharRefs:     16384,                                               // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
   },
   "permissive": {
     doctypePolicy:          "reject",                // billion-laughs class always
@@ -150,6 +162,7 @@ var PROFILES = Object.freeze({
     maxElements:            262144,                                              // allow:raw-byte-literal — element count cap, not byte size
     maxAttrsPerElement:     256,                                                 // allow:raw-byte-literal — attr count, not byte size
     maxAttrValueBytes:      C.BYTES.kib(64),
+    maxNumericCharRefs:     262144,                                              // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
   },
 });
 
@@ -282,6 +295,30 @@ function _detectIssues(input, opts) {
     });
   }
 
+  // 8a. Numeric character reference fan-out — `&#NNNN;` / `&#xHHHH;`.
+  // Bypasses the `<!ENTITY>`-counting expansion caps because NCRs are
+  // parser-resolved, not document-level entities (CVE-2026-26278 /
+  // CVE-2026-33036 .NET XmlReader class). Counted regardless of
+  // entityPolicy so signed-XML paths that need entities-allowed don't
+  // get the NCR cap disabled with them. The `maxNumericCharRefs` opt
+  // is validated by `numericBounds.requireAllPositiveFiniteIntIfPresent`
+  // at the public-surface boundary above.
+  var ncrCap = opts.maxNumericCharRefs;                                          // allow:numeric-opt-no-bounds-check — validated at public boundary
+  if (ncrCap !== undefined && ncrCap !== null) {
+    var ncrMatches = input.match(NUMERIC_CHAR_REF_RE);                           // allow:regex-no-length-cap — input bounded by maxBytes above
+    var ncrCount = ncrMatches === null ? 0 : ncrMatches.length;
+    if (ncrCount > ncrCap) {
+      issues.push({
+        kind: "numeric-char-ref-cap", severity: "critical",
+        ruleId: "xml.numeric-char-ref-cap",
+        snippet: "numeric character reference count " + ncrCount +
+                 " exceeds maxNumericCharRefs " + ncrCap +
+                 " — NCR fan-out bypasses entity-expansion caps " +
+                 "(CVE-2026-26278 / CVE-2026-33036)",
+      });
+    }
+  }
+
   // 9. Codepoint-class threats.
   issues.push.apply(issues, codepointClass.detectCharThreats(input, opts, "xml"));
 
@@ -369,6 +406,7 @@ function _detectIssues(input, opts) {
  *   maxElements:           number,    // total open-tag count cap
  *   maxAttrsPerElement:    number,    // attribute count cap per element
  *   maxAttrValueBytes:     number,    // per-attr-value length cap
+ *   maxNumericCharRefs:    number,    // numeric character reference cap
  *
  * @example
  *   var hostile = '<?xml version="1.0"?>\n' +
@@ -381,7 +419,7 @@ function validate(input, opts) {
   opts = _resolveOpts(opts);
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
     ["maxBytes", "maxDepth", "maxElements", "maxAttrsPerElement",
-     "maxAttrValueBytes"],
+     "maxAttrValueBytes", "maxNumericCharRefs"],
     "guardXml.validate", GuardXmlError, "xml.bad-opt");
   if (typeof input !== "string") {
     return {

package/lib/otel-export.js

@@ -50,6 +50,13 @@ var OtelExportError = defineClass("OtelExportError", { alwaysPermanent: false })
 
 var DEFAULT_INTERVAL_MS = C.TIME.seconds(15);
 
+// OTLP collector response is `Empty` (zero protobuf bytes) on success
+// or a short ExportPartialSuccess message on partial accept. A response
+// past this cap is a hostile / misbehaving collector; refusing the
+// body keeps the exporter from buffering megabytes per flush (CVE-2026-
+// 40891 / CVE-2026-40182 OTLP class).
+var MAX_RESPONSE_BYTES = C.BYTES.mib(1);
+
 // OTLP aggregation temporality:
 //   1 = DELTA      — counters report deltas since last export
 //   2 = CUMULATIVE — counters report running totals
@@ -221,10 +228,12 @@ function create(opts) {
     var body = JSON.stringify(payload);
     try {
       var res = await effectiveHttpClient.request({
-        method:  "POST",
-        url:     endpoint,
-        headers: Object.assign({ "Content-Type": "application/json" }, headers),
-        body:    body,
+        method:           "POST",
+        url:              endpoint,
+        headers:          Object.assign({ "Content-Type": "application/json" }, headers),
+        body:             body,
+        maxResponseBytes: MAX_RESPONSE_BYTES,
+        errorClass:       OtelExportError,
       });
       if (res.statusCode < 200 || res.statusCode >= 300) {
         throw new OtelExportError("otel-export/upstream-rejected",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.10.1",
+  "version": "0.10.2",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:a2a2b296-e132-44ac-95f4-4c762331e4c2",
+  "serialNumber": "urn:uuid:c1165275-044f-4a5a-b7dc-061727bfd076",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-16T17:49:20.883Z",
+    "timestamp": "2026-05-16T23:28:39.659Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.10.1",
+      "bom-ref": "@blamejs/core@0.10.2",
       "type": "library",
       "name": "blamejs",
-      "version": "0.10.1",
+      "version": "0.10.2",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.10.1",
+      "purl": "pkg:npm/%40blamejs/core@0.10.2",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.10.1",
+      "ref": "@blamejs/core@0.10.2",
       "dependsOn": []
     }
   ]