@blamejs/core 0.13.13 → 0.13.15

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.15 (2026-05-27) — **Corrected more source citations and made deferred/reserved options honest in their docs.** A second accuracy pass over source threat-annotations and option docs. Three citation corrections: the base64url strict-decode guard cited CVE-2022-0235 (which is actually a node-fetch cookie-leak, unrelated) — it now names the weakness class it defends (CWE-347 / CWE-1286 signature canonicalization); the glob consecutive-wildcard ReDoS cap cited the wrong library (the CVE-2026-26996 ReDoS is minimatch, not picomatch — the adjacent picomatch one is CVE-2026-33671); and CVE-2026-32178 is reframed to the CWE-138 header-injection-spoofing class the public record actually documents (and dropped from the end-of-data SMTP-smuggling list, which is a different class). Several options/statuses are now honest about not-yet-implemented surface: b.archive.read.zip.fromTrustedStream is marked experimental (its methods throw and its options aren't honored yet — the example now shows the supported buffer-then-random-access path); b.acme revokeCert's useCertKey / certPrivateKey are marked reserved (the cert-key path throws; account-key signing is the supported default); and a stale message claiming passkey break-glass factors were a future feature is removed (passkeys are a live allowed factor). No runtime behaviour changes beyond message/doc text. **Changed:** *Deferred / reserved surface now documented honestly* — `b.archive.read.zip.fromTrustedStream` is marked `experimental` — its `inspect`/`entries`/`extract` throw and its `bombPolicy`/`audit` options aren't honored yet; the documented example now shows the supported path (buffer the stream, then use the random-access reader). `b.acme` `revokeCert`'s `useCertKey` / `certPrivateKey` options are marked reserved (the cert-key-signed-revocation path throws; account-key signing, the default, covers mainstream CAs). A `b.breakGlass` policy error and comment that called passkey factors a future feature are corrected — passkeys are a live allowed factor. **Fixed:** *Corrected misattributed CVE citations in source threat-annotations* — `b.crypto.fromBase64Url`'s strict-decode guard cited CVE-2022-0235 (a node-fetch header-leak, unrelated to base64/JWT decoding); it now cites the weakness class it actually defends — CWE-347 / CWE-1286 signature canonicalization. `b.guardRegex`'s consecutive-`*` cap attributed CVE-2026-26996 to picomatch; that ReDoS is in minimatch (the picomatch ReDoS it also defends is CVE-2026-33671) — the library name is corrected. CVE-2026-32178 is reframed to the CWE-138 header-injection spoofing class the public advisory documents, and removed from the end-of-data SMTP-smuggling trio (a distinct class). No behaviour change — the defenses are unchanged.
+
+- v0.13.14 (2026-05-27) — **DNSSEC chain validation now bounds KeyTrap (CVE-2023-50387) amplification with hard caps.** b.network.dns.dnssec.verifyChain tried every DNSKEY whose 16-bit key tag matched an RRSIG, with no cap on how many candidates or total signature verifications a single response could drive. A hostile zone publishing many DNSKEYs sharing one key tag (plus matching RRSIGs) could force O(keys x signatures) full public-key verifications from one query — the KeyTrap denial-of-service (CVE-2023-50387). Validation is now bounded by non-configurable caps that match the BIND / Unbound mitigations: at most 4 same-tag candidate keys are tried per RRSIG, at most 64 DNSKEYs per zone link and 16 DS records per delegation are accepted, the chain is at most 128 links deep, and the whole response is held to a signature-validation budget that scales with chain depth (so a legitimate deep delegation is never false-rejected while bounded collisions stay bounded); exceeding any of these refuses the response rather than performing the work. Separately, a domain name that encodes to more than 255 octets is now refused at canonicalization (RFC 1035 §2.3.4), which also bounds the NSEC3 closest-encloser label enumeration, and the NSEC3 iteration ceiling is lowered from 500 to 150 to match the BIND 9.16.33+ / Unbound 1.17.1 fix for the sibling CVE-2023-50868. **Security:** *`verifyChain` caps colliding-key fan-out and total signature validations (KeyTrap / CVE-2023-50387)* — A zone advertising many same-key-tag DNSKEYs and RRSIGs can no longer drive unbounded public-key verifications. New refusals: `dnssec/too-many-colliding-keys` (>4 same-tag candidates per RRSIG), `dnssec/too-many-dnskeys` (>64 DNSKEYs per zone link), `dnssec/too-many-ds` (>16 DS records per delegation), `dnssec/too-many-links` (chain deeper than 128), and `dnssec/validation-budget-exceeded` (signature validations beyond the depth-scaled budget). The caps are intentionally non-configurable — they sit well above any legitimate zone, and the budget scales with chain depth so deep delegations validate normally. · *Domain-name octet cap + lower NSEC3 iteration ceiling* — A name that canonicalizes to more than 255 octets is refused (`dnssec/bad-name`, RFC 1035 §2.3.4), which bounds the per-label NSEC3 closest-encloser enumeration (CVE-2023-50868 class). The default NSEC3 iteration ceiling drops from 500 to 150, matching the BIND 9.16.33+ / Unbound 1.17.1 post-CVE defaults (RFC 9276 recommends 0).
+
 - v0.13.13 (2026-05-27) — **Archive extraction-path verification now refuses Windows reserved names, NTFS data streams, and trailing-dot/space per segment.** b.guardFilename.verifyExtractionPath (the per-entry gate b.archive.read.zip.extract / b.safeArchive run on every extracted file) checked traversal, absolute paths, drive-letter and UNC prefixes, null bytes, PATH_MAX overflow, and realpath containment — but not the per-segment Windows write-target hazards the disk validate / sanitize paths already reject. An archive entry named CON, NUL.txt, subdir/LPT1, file.txt:hidden, or secret.txt. stayed inside the extraction root, so the containment and realpath checks passed it, yet on Windows it would resolve to a device, write a hidden NTFS stream, or (after Windows strips the trailing dot/space) overwrite a sibling file. These are now refused: any path segment that collides with a Windows reserved device name, uses NTFS alternate-data-stream syntax (name:stream), or carries a trailing dot or leading/trailing whitespace. The checks are platform-unconditional — a verifier running on Linux still refuses names that are only dangerous on the Windows host that ultimately extracts the archive — with a per-check opt-out (reservedNamePolicy / adsPolicy / leadingTrailingPolicy: "allow") for Linux-only targets. **Security:** *`verifyExtractionPath` refuses per-segment Windows extraction hazards (reserved names / NTFS ADS / trailing dot-space)* — Closes a within-root write-target-redirection gap: an extracted entry could stay inside the destination yet, on Windows, resolve to a device (`CON` / `NUL` / `COM1` / `LPT1`), write a hidden alternate data stream (`file.txt:payload`), or overwrite a sibling after Windows strips a trailing dot/space (`config.`). The verification gate now rejects all three per path segment. Refusal is platform-unconditional (the verifier may run on a different OS than the extractor); set `reservedNamePolicy` / `adsPolicy` / `leadingTrailingPolicy` to `"allow"` to opt a check out on a Linux-only target. Single-entry, name-only residuals — 8.3 short-name aliasing, case-insensitive cross-entry collisions, and archive symlink/hardlink entry-target validation — remain the extract orchestrator's responsibility (it owns the case-folded seen-set and the link-target gate).
 
 - v0.13.12 (2026-05-27) — **Inbound MX listener now runs the connection-level gate cascade it documented — HELO identity, DNS blocklist, and greylisting.** b.mail.server.mx.create documented helo / rbl / greylist gate options, but the listener never invoked them — an operator who wired them got silent acceptance of mail those gates would have rejected. They are now wired into the live SMTP state machine: the HELO-identity gate evaluates at HELO/EHLO and refuses a spoofed or malformed identity with 550; the DNS-blocklist gate evaluates the connecting IP once per connection and refuses a listed source with 554; the greylisting gate defers a first-seen (ip, sender, recipient) tuple with a 450 tempfail so legitimate senders retry and pass. Each gate is skipped when the operator doesn't wire it. Because these gates do DNS and store lookups, the per-connection command pump was reworked to process commands asynchronously and strictly in arrival order, so pipelined commands (RFC 2920) cannot overtake a gate still resolving and the existing SMTP-smuggling and STARTTLS-stripping defenses are unchanged. The message-authentication gate (SPF/DKIM/DMARC alignment via b.guardEnvelope) needs the inbound SPF + DKIM verification results as inputs; that inbound-auth pipeline lands as a follow-up, and the documentation no longer implies that gate is active today. **Added:** *HELO-identity / RBL / greylist gates wired into `b.mail.server.mx`* — When wired, `opts.helo` (FCrDNS / HELO-shape / self-name checks) refuses a bad HELO identity at HELO/EHLO with 550; `opts.rbl` refuses a connecting IP found on a DNS blocklist with 554 (evaluated once per connection); `opts.greylist` defers a first-seen (ip, sender, recipient) tuple with 450 4.7.1. Their verdicts surface on the `rcpt_to` event (`rblListed`, `greylist`) and the `helo` event (`heloVerdict`), with dedicated `helo_gate_refused` / `rbl_refused` / `greylist_deferred` audit events. A gate the operator doesn't supply is skipped, never synthesized. **Changed:** *MX command pump processes commands asynchronously and in arrival order* — Gate evaluation involves DNS and store lookups, so the per-connection command pump now awaits each command before the next. Pipelined commands are serialized so a gate resolving cannot let a later command answer ahead of an earlier one; reply ordering, the bare-LF SMTP-smuggling refusal, and the STARTTLS-stripping defense are unchanged. No change to the listener's external behaviour when no gates are wired. **Deprecated:** *SPF/DKIM/DMARC-alignment gate documentation corrected to match what is active* — The `envelope` (SPF/DKIM/DMARC alignment) and `dmarc` gate options were documented as wireable but require inbound SPF + DKIM verification results the listener does not yet produce. They are removed from the documented option set until the inbound-authentication pipeline (composing `b.mail.spf` + `b.mail.dmarc` + DKIM verification) lands; run those checks on the delivered message via the agent handoff in the meantime.

package/lib/acme.js

@@ -1079,14 +1079,17 @@ function create(opts) {
    * the DER-encoded cert (base64url-encoded automatically) plus an
    * optional `reason` code per RFC 5280 §5.3.1 (0=unspecified,
    * 1=keyCompromise, 3=affiliationChanged, 4=superseded, 5=cessationOfOperation).
-   * Signs with the account key by default; pass `useCertKey:true`
-   * + the cert's private key to authorize via the cert's own key
-   * when the account key is unavailable.
+   * Signs with the account key — the only supported path today, and
+   * sufficient for mainstream CAs. (The cert-key-signed variant —
+   * `useCertKey` / `certPrivateKey` — is reserved and not yet
+   * implemented; passing `useCertKey:true` throws.)
    *
    * @opts
    *   reason:          number,    // RFC 5280 §5.3.1 reason code; default 0 (unspecified)
-   *   useCertKey:      boolean,   // sign with the cert's own key instead of account key
-   *   certPrivateKey:  KeyObject, // required when useCertKey:true
+   *   useCertKey:      boolean,   // RESERVED — cert-key-signed revocation is not yet
+   *                               //   implemented; account-key signing (the default)
+   *                               //   covers mainstream CAs. Passing true throws.
+   *   certPrivateKey:  KeyObject, // RESERVED — consumed only by the cert-key path above
    *
    * @example
    *   await acme.revokeCert(certDerBuffer, { reason: 4 });   // 4 = superseded

package/lib/archive-read.js

@@ -772,7 +772,7 @@ function zip(adapter, opts) {
  * @primitive b.archive.read.zip.fromTrustedStream
  * @signature b.archive.read.zip.fromTrustedStream(adapter, opts?)
  * @since     0.12.7
- * @status    stable
+ * @status    experimental
  * @related   b.archive.read.zip, b.archive.adapters.trustedStream
  *
  * Forward-scan-only ZIP reader for trusted Readable sources. No
@@ -781,20 +781,23 @@ function zip(adapter, opts) {
  * `b.archive.zip().toStream()` output back into a reader for round-trip
  * verification).
  *
- * Adversarial input MUST use the random-access entry point with an
- * `fs` / `buffer` / `objectStore` / `http` adapter.
+ * NOT YET IMPLEMENTED: the streaming LFH walker is not built —
+ * `inspect()` / `entries()` / `extract()` throw
+ * `archive-read/trusted-stream-*-deferred`, and `bombPolicy` / `audit`
+ * are accepted but not yet honored. Re-opens when a streaming
+ * consumer needs it. Until then, collect the stream into a buffer and
+ * use the random-access reader, which is the supported path for both
+ * trusted round-trip verification and adversarial input.
  *
  * @opts
- *   bombPolicy:       { maxEntries, maxEntryDecompressedBytes,
- *                       maxTotalDecompressedBytes, maxExpansionRatio },
- *   audit:            b.audit,
+ *   bombPolicy:       { ... },   // reserved — not yet honored
+ *   audit:            b.audit,   // reserved — not yet honored
  *
  * @example
- *   var produced = fs.createReadStream("./own-export.zip");
- *   var reader   = b.archive.read.zip.fromTrustedStream(
- *     b.archive.adapters.trustedStream(produced)
- *   );
- *   for await (var e of reader.entries()) console.log(e.name, e.size);
+ *   // Supported path: buffer the stream, then read random-access.
+ *   var bytes  = await someStreamToBuffer(producedZipStream);
+ *   var reader = b.archive.read.zip(b.archive.adapters.buffer(bytes));
+ *   var entries = await reader.inspect();
  */
 function fromTrustedStream(adapter, opts) {
   if (!adapter || adapter.kind !== "trusted-sequential") {
@@ -805,25 +808,26 @@ function fromTrustedStream(adapter, opts) {
   var bombPolicy = _normalizeBombPolicy(opts.bombPolicy);
   void bombPolicy;
 
-  // Trusted stream walks LFH-by-LFH. v0.12.7 ships the API surface +
-  // a basic LFH walker for round-trip verification of the framework's
-  // own emitted archives. The full feature parity (extraction via
-  // streaming inflate, data-descriptor scanning) is intentionally
-  // deferred to v0.12.8 alongside the tar reader's sequential mode.
+  // The streaming LFH walker is not built — only the API surface +
+  // adapter validation exist. Extraction via streaming inflate +
+  // data-descriptor scanning re-opens when a streaming consumer needs
+  // it; until then the supported path is to buffer the stream and use
+  // the random-access reader (which handles both trusted round-trip
+  // verification and adversarial input).
   async function inspect() {
     throw new ArchiveReadError("archive-read/trusted-stream-inspect-deferred",
-      "fromTrustedStream.inspect() is deferred to v0.12.8 — use the random-access entry " +
-      "point with b.archive.adapters.buffer(await collect(readable)) for v0.12.7");
+      "fromTrustedStream.inspect() is not implemented — collect the stream into a buffer and " +
+      "use b.archive.read.zip(b.archive.adapters.buffer(bytes))");
   }
 
   async function* entries() {
     throw new ArchiveReadError("archive-read/trusted-stream-entries-deferred",
-      "fromTrustedStream.entries() is deferred to v0.12.8 — collect into buffer for v0.12.7");
+      "fromTrustedStream.entries() is not implemented — collect into a buffer and use the random-access reader");
   }
 
   async function extract() {
     throw new ArchiveReadError("archive-read/trusted-stream-extract-deferred",
-      "fromTrustedStream.extract() is deferred to v0.12.8 — collect into buffer for v0.12.7");
+      "fromTrustedStream.extract() is not implemented — collect into a buffer and use the random-access reader");
   }
 
   return {

package/lib/break-glass.js

@@ -130,9 +130,9 @@ function _ensureFactorLockout() {
 // keys + encryption-context binding (cross-cell tampering / accidental
 // row-swap fails closed). It does NOT defend against vault-key
 // compromise alone — the DEK is still vault-recoverable. True
-// second-factor cryptographic gating ships in v0.5.2 with passkey
-// integration (the passkey private key lives on the YubiKey, not in
-// the framework, so a vault leak alone can't unwrap).
+// second-factor cryptographic gating uses passkey integration (the
+// passkey private key lives on the YubiKey, not in the framework, so a
+// vault leak alone can't unwrap).
 
 // In-memory DEK cache. Keyed by table name. Cleared on _resetForTest.
 var dekCache = new Map();
@@ -520,8 +520,7 @@ function _validatePolicySet(table, opts) {
     if (ALLOWED_FACTORS.indexOf(opts.factors[j]) === -1) {
       throw new BreakGlassError("breakglass/bad-policy",
         "policy.set: factors[" + j + "] '" + opts.factors[j] +
-        "' not in v0.5.0 allowed factors [" + ALLOWED_FACTORS.join(",") + "]" +
-        " (passkey lands in v0.5.2)");
+        "' not in allowed factors [" + ALLOWED_FACTORS.join(",") + "]");
     }
   }
   // Model B (cryptographic mode) ships in v0.5.1. When enabled,

package/lib/crypto.js

@@ -789,10 +789,12 @@ function toBase64Url(buf) {
  *
  * Strict mode (default) refuses non-canonical input — chars outside
  * the RFC 4648 §5 alphabet, length-mod-4-of-1, mixed `+/` from
- * standard base64, trailing garbage. Defends a CVE-2022-0235 class
- * footgun where Node's permissive decoder silently tolerated
- * tampered JWT signatures. Operators with a documented lossy legacy
- * payload opt out per call via `{ strict: false }`.
+ * standard base64, trailing garbage. Defends the CWE-347 /
+ * CWE-1286 signature-canonicalization footgun where a permissive
+ * base64url decoder silently tolerates a tampered JWS / JWT signature
+ * (non-canonical bytes decoding to the same buffer). Operators with a
+ * documented lossy legacy payload opt out per call via
+ * `{ strict: false }`.
  *
  * @opts
  *   strict: boolean   // default: true — refuse non-canonical input
@@ -817,7 +819,8 @@ function fromBase64Url(s, opts) {
   // OAuth `state` round-tripping) MUST reject non-canonical / malformed
   // input. The Node base64url decoder silently tolerates trailing
   // garbage, mixed `+/` from standard base64, missing padding errors,
-  // and length-mod-4 shapes — CVE-2022-0235 class footgun. Strict mode
+  // and length-mod-4 shapes — the CWE-347 / CWE-1286 signature-
+  // canonicalization footgun. Strict mode
   // (the default) refuses anything outside the RFC 4648 §5 alphabet +
   // length rules. Operators with a known-lossy legacy payload pass
   // `{ strict: false }` to opt out per call.

package/lib/guard-dsn.js

@@ -84,8 +84,9 @@
  *     generating a DSN (the existing `b.mail.bounce` primitive does
  *     this); this guard parses INBOUND DSNs and gates the parse
  *     surface bounds, not the bounce-generation policy.
- *   - **DSN header-injection class** (CVE-2026-32178 .NET
- *     System.Net.Mail at outbound; the inbound parse path here)
+ *   - **DSN header-injection class** (CVE-2026-32178 — .NET CWE-138
+ *     special-element / header-injection spoofing, the System.Net.Mail
+ *     vector per MSRC, at outbound; the inbound parse path here)
  *     — refuses CR/LF/NUL/C0 in header lines.
  *   - **CSAF / iSchedule prose tampering** — operator inspecting
  *     the prose part for the original recipient runs into the

package/lib/guard-list-id.js

@@ -37,8 +37,9 @@
  *     octets. Total header value capped at 998 bytes per RFC 5322
  *     §2.1.1 line cap.
  *   - **CRLF + control-char refusal** — header-injection defense
- *     (CVE-2026-32178 .NET System.Net.Mail class on the wire-protocol
- *     surface; this primitive's job is the SEMANTIC shape).
+ *     (CVE-2026-32178 — .NET CWE-138 header-injection spoofing, the
+ *     System.Net.Mail vector per MSRC, on the wire-protocol surface;
+ *     this primitive's job is the SEMANTIC shape).
  *   - **Phrase-injection refusal** — Operator-supplied display
  *     phrase mustn't carry CRLF / `<` / `>` outside the angle
  *     brackets (a separate Bcc/Cc header smuggled into the phrase

package/lib/guard-regex.js

@@ -248,14 +248,14 @@ function _detectIssues(input, opts) {
 }
 
 // Consecutive-star wildcard cap (CVE-2026-26996). Operator-supplied
-// glob fragments compile to picomatch / RegExp; a long run of `*`
-// against a non-matching literal walks O(4^N). Three-or-more
+// glob fragments compile to minimatch / picomatch / RegExp; a long run
+// of `*` against a non-matching literal walks O(4^N). Three-or-more
 // consecutive `*` is the canonical bad shape; `**` (recursive glob)
 // stays permitted, gated by the profile's `maxConsecutiveStars`.
 function _detectConsecutiveStar(input, opts, issues) {
   if (opts.consecutiveStarPolicy === "allow") return;
-  // CVE-2026-26996 is a picomatch / glob-shape backtracking class —
-  // `***+literal` walks O(4^N) when picomatch translates the run to a
+  // CVE-2026-26996 is a minimatch glob-shape backtracking class —
+  // `***+literal` walks O(4^N) when minimatch translates the run to a
   // backtracking-heavy regex. Native ECMAScript regex syntax cannot
   // produce three consecutive `*` quantifiers (it's a SyntaxError),
   // so applying this detector to `inputKind: "regex"` strings only

package/lib/guard-smtp-command.js

@@ -15,8 +15,7 @@
  *   ## Smuggling defense — bare-CR / bare-LF refusal
  *
  *   The SMTP smuggling class (`CVE-2023-51764` Postfix, `CVE-2023-51765`
- *   Sendmail, `CVE-2023-51766` Exim, `CVE-2026-32178` .NET
- *   `System.Net.Mail`) exploits implementations that accept the
+ *   Sendmail, `CVE-2023-51766` Exim) exploits implementations that accept the
  *   non-standard end-of-data sequence `<LF>.<LF>` or `<LF>.<CR><LF>`
  *   instead of the standard `<CR><LF>.<CR><LF>`. The introduced break-
  *   out lets a malicious peer inject a second message past SPF / DMARC

package/lib/network-dnssec.js

@@ -101,7 +101,16 @@ function _canonicalName(name) {
     parts.push(Buffer.from([lab.length]), lab);
   }
   parts.push(Buffer.from([0]));
-  return Buffer.concat(parts);
+  var wire = Buffer.concat(parts);
+  // RFC 1035 §2.3.4 — a domain name is at most 255 octets on the wire.
+  // Enforcing it here also bounds the per-label count (and thus the NSEC3
+  // closest-encloser candidate enumeration, CVE-2023-50868 class), since
+  // each label costs at least 2 octets.
+  if (wire.length > 255) {                                                               // allow:raw-byte-literal — RFC 1035 total-name octet cap
+    throw new DnssecError("dnssec/bad-name",
+      "dnssec: name '" + name + "' encodes to " + wire.length + " octets, exceeds RFC 1035 cap of 255");
+  }
+  return wire;
 }
 
 function _u16(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); }                    // allow:raw-byte-literal — 16-bit big-endian split
@@ -340,7 +349,28 @@ var BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV";          // allow:raw-byte-l
 var TYPE_DS = 43;                                            // allow:raw-byte-literal — IANA RR type DS
 var TYPE_CNAME = 5;
 var NSEC3_HASH_SHA1 = 1;                                     // RFC 5155 §5 — the only registered NSEC3 hash
-var DEFAULT_MAX_NSEC3_ITERATIONS = 500;                      // allow:raw-time-literal — DoS ceiling on iterated SHA-1 (RFC 9276 wants 0; deployed zones still use >0)
+var DEFAULT_MAX_NSEC3_ITERATIONS = 150;                      // allow:raw-time-literal — DoS ceiling on iterated SHA-1; matches BIND 9.16.33+/Unbound 1.17.1 post-CVE-2023-50868 (RFC 9276 wants 0; deployed zones still use >0)
+
+// KeyTrap (CVE-2023-50387) amplification caps. A hostile zone can publish
+// many DNSKEYs sharing one 16-bit key tag and many RRSIGs, forcing a
+// validator into O(keys x sigs) full signature verifications from a single
+// query. Bound both factors: the colliding-candidate fan-out per RRSIG, and
+// the total signature-validation work. Matches the BIND
+// `max-key-tag-collisions` + Unbound validation-budget mitigations.
+//
+// The per-response budget SCALES with declared chain depth so a legitimate
+// deep delegation isn't false-rejected: a valid N-link chain does ~2N-1
+// signature verifies (1 root DNSKEY + parent-DS + child-DNSKEY per child),
+// so the budget is links.length * MAX_VALIDATIONS_PER_LINK (= 2 RRSIGs/link
+// x MAX_COLLIDING_KEYS candidates), which always covers the legitimate work
+// while still bounding the bounded-collision amplification. Chain length
+// itself is capped (a delegation can't be deeper than a DNS name's label
+// count, RFC 1035), so the scaled budget can't be inflated arbitrarily.
+var MAX_COLLIDING_KEYS       = 4;                            // allow:raw-byte-literal — same-tag DNSKEY candidates tried per RRSIG
+var MAX_VALIDATIONS_PER_LINK = 8;                            // allow:raw-byte-literal — 2 RRSIGs/link x MAX_COLLIDING_KEYS; budget = links.length x this
+var MAX_CHAIN_LINKS          = 128;                          // allow:raw-byte-literal — max delegation depth (>= RFC 1035 max label count)
+var MAX_DNSKEYS_PER_ZONE     = 64;                           // allow:raw-byte-literal — DNSKEY RRset size cap per zone link
+var MAX_DS_RECORDS           = 16;                           // allow:raw-byte-literal — DS RRset size cap (parent-supplied)
 
 // RFC 4648 §7 base32hex decode (no padding, case-insensitive) — the
 // label encoding of an NSEC3 owner-name hash.
@@ -757,12 +787,31 @@ function _keysByTag(dnskeys, tag) {
 // returning the key that validated. A wrong colliding key yields
 // `dnssec/bad-signature` — that is not terminal, the next candidate is
 // tried; any other error (expired, alg) is terminal. RFC 4035 §5.3.1.
-function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMsg) {
+function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMsg, budget) {
   if (candidates.length === 0) throw new DnssecError(noKeyCode, noKeyMsg);
+  // KeyTrap (CVE-2023-50387): refuse an absurd same-tag fan-out outright —
+  // legitimate zones have 1-2 keys per tag; hundreds is an amplification
+  // attack, not a real collision.
+  if (candidates.length > MAX_COLLIDING_KEYS) {
+    throw new DnssecError("dnssec/too-many-colliding-keys",
+      "dnssec.verifyChain: " + candidates.length + " DNSKEYs share key tag " +
+      rrsig.keyTag + " (cap " + MAX_COLLIDING_KEYS +
+      ") — refused as a KeyTrap (CVE-2023-50387) amplification vector");
+  }
   var lastErr = null;
   for (var i = 0; i < candidates.length; i++) {
     var kp = _dnskeyParts(candidates[i]);
     if (kp.algorithm !== rrsig.algorithm) { lastErr = new DnssecError("dnssec/alg-mismatch", "dnssec.verifyChain: candidate key algorithm does not match the RRSIG"); continue; }
+    // Per-response signature-validation budget — bound the total expensive
+    // pubkey verifies across the whole chain walk, not just per RRSIG.
+    if (budget) {
+      if (budget.remaining <= 0) {
+        throw new DnssecError("dnssec/validation-budget-exceeded",
+          "dnssec.verifyChain: per-response signature-validation budget " +
+          "exhausted — refused as a KeyTrap (CVE-2023-50387) amplification vector");
+      }
+      budget.remaining -= 1;
+    }
     try {
       verifyRrset(Object.assign({}, rrsetBase, { rrsig: rrsig, dnskey: { algorithm: kp.algorithm, publicKey: kp.publicKey } }));
       return candidates[i];
@@ -795,6 +844,20 @@ function _verifyRrsetWithAnyKey(rrsetBase, rrsig, candidates, noKeyCode, noKeyMs
  * passes to <code>verifyRrset</code> / <code>verifyDenial</code> for the
  * actual answer.
  *
+ * KeyTrap (CVE-2023-50387) amplification is bounded with non-configurable
+ * caps: at most 4 same-tag DNSKEY candidates are tried per RRSIG, at most
+ * 64 DNSKEYs per zone link and 16 DS records per delegation are accepted,
+ * the chain is at most 128 links deep, and the whole response is held to a
+ * signature-validation budget that scales with chain depth (so a
+ * legitimate deep delegation always fits while bounded collisions stay
+ * bounded). A hostile zone publishing many colliding keys / signatures is
+ * refused with <code>dnssec/too-many-colliding-keys</code> /
+ * <code>dnssec/too-many-dnskeys</code> / <code>dnssec/too-many-ds</code> /
+ * <code>dnssec/too-many-links</code> /
+ * <code>dnssec/validation-budget-exceeded</code> rather than driving
+ * O(keys x sigs) verifications. (NSEC3 iteration counts are separately
+ * capped at 150 per RFC 9276 / the CVE-2023-50868 fix.)
+ *
  * @opts
  *   {
  *     links: [ {                        // ordered root-first
@@ -816,14 +879,35 @@ function verifyChain(opts) {
   validateOpts.requireObject(opts, "dnssec.verifyChain", DnssecError);
   validateOpts(opts, ["links", "trustAnchors", "at"], "dnssec.verifyChain");
   if (!Array.isArray(opts.links) || opts.links.length === 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyChain: opts.links must be a non-empty array");
+  // Cap delegation depth — a real chain can't be deeper than a DNS name's
+  // label count (RFC 1035), and the per-response validation budget below
+  // scales with this, so it must be bounded.
+  if (opts.links.length > MAX_CHAIN_LINKS) {
+    throw new DnssecError("dnssec/too-many-links",
+      "dnssec.verifyChain: " + opts.links.length + " chain links (cap " +
+      MAX_CHAIN_LINKS + ") — refused as an amplification vector");
+  }
   var anchors = opts.trustAnchors !== undefined ? opts.trustAnchors : DEFAULT_ROOT_ANCHORS;
   if (!Array.isArray(anchors) || anchors.length === 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyChain: opts.trustAnchors must be a non-empty array");
 
+  // KeyTrap budget shared across every signature-validation in this
+  // response, scaled to the declared chain depth so a legitimate deep
+  // delegation (2N-1 verifies) always fits while bounded collisions stay
+  // bounded. Chain length is capped above, so this can't be inflated.
+  var budget = { remaining: opts.links.length * MAX_VALIDATIONS_PER_LINK };
+
   var trustedKeys = null, path = [];
   for (var i = 0; i < opts.links.length; i++) {
     var link = opts.links[i];
     if (!link || typeof link.zone !== "string" || link.zone === "") throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].zone is required");
     if (!Array.isArray(link.dnskeys) || link.dnskeys.length === 0) throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].dnskeys must be a non-empty array");
+    // KeyTrap: bound the DNSKEY RRset size per zone so a giant key set
+    // can't blow up the key-tag scan / candidate fan-out.
+    if (link.dnskeys.length > MAX_DNSKEYS_PER_ZONE) {
+      throw new DnssecError("dnssec/too-many-dnskeys",
+        "dnssec.verifyChain: links[" + i + "] has " + link.dnskeys.length +
+        " DNSKEYs (cap " + MAX_DNSKEYS_PER_ZONE + ") — refused as a KeyTrap (CVE-2023-50387) amplification vector");
+    }
     if (!link.dnskeyRrsig || typeof link.dnskeyRrsig !== "object") throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "].dnskeyRrsig is required");
 
     // 1. The DNSKEY RRset is self-signed by one of its own keys (trying
@@ -832,7 +916,8 @@ function verifyChain(opts) {
       { name: link.zone, type: "DNSKEY", rdatas: link.dnskeys, at: opts.at },
       link.dnskeyRrsig,
       _keysByTag(link.dnskeys, link.dnskeyRrsig.keyTag),
-      "dnssec/chain-no-signing-key", "dnssec.verifyChain: no DNSKEY in '" + link.zone + "' verifies the DNSKEY RRSIG"
+      "dnssec/chain-no-signing-key", "dnssec.verifyChain: no DNSKEY in '" + link.zone + "' verifies the DNSKEY RRSIG",
+      budget
     );
 
     // 2. Establish trust in the signing key.
@@ -851,11 +936,19 @@ function verifyChain(opts) {
       if (!Array.isArray(link.dsRdatas) || link.dsRdatas.length === 0 || !link.dsRrsig || typeof link.dsRrsig !== "object") {
         throw new DnssecError("dnssec/bad-link", "dnssec.verifyChain: links[" + i + "] needs dsRdatas + dsRrsig (DS served by the parent)");
       }
+      // Bound the parent-supplied DS RRset — the DS-match loop below
+      // iterates it, and an oversize set is an amplification vector.
+      if (link.dsRdatas.length > MAX_DS_RECORDS) {
+        throw new DnssecError("dnssec/too-many-ds",
+          "dnssec.verifyChain: links[" + i + "] has " + link.dsRdatas.length +
+          " DS records (cap " + MAX_DS_RECORDS + ") — refused as an amplification vector");
+      }
       _verifyRrsetWithAnyKey(
         { name: link.zone, type: "DS", rdatas: link.dsRdatas, at: opts.at },
         link.dsRrsig,
         _keysByTag(trustedKeys, link.dsRrsig.keyTag),
-        "dnssec/chain-no-parent-key", "dnssec.verifyChain: no trusted parent key verifies the DS RRSIG for '" + link.zone + "'"
+        "dnssec/chain-no-parent-key", "dnssec.verifyChain: no trusted parent key verifies the DS RRSIG for '" + link.zone + "'",
+        budget
       );
       var dsMatched = false;
       for (var d = 0; d < link.dsRdatas.length; d++) {

package/lib/parsers/safe-toml.js

@@ -681,6 +681,14 @@ function parse(input, opts) {
               "toml/redefine");
           }
           t = sub[sub.length - 1];
+          // The array's last element must itself be a table to descend
+          // into. A plain VALUE array (e.g. `a = [3]` then `[a.s]`) has a
+          // scalar last element — descending would set a property on a
+          // number and throw a raw TypeError; refuse it cleanly instead.
+          if (t === null || typeof t !== "object" || Array.isArray(t)) {
+            throw _err("cannot descend into '" + seg +
+              "' — it is a value array, not an array of tables", "toml/redefine");
+          }
           continue;
         }
         if (typeof sub !== "object" || sub === null) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.13",
+  "version": "0.13.15",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:b3c8f3dc-4ada-41d3-9b05-66ce6774c125",
+  "serialNumber": "urn:uuid:f4f503eb-ba54-47ab-8286-d7c3e006249e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T12:37:28.862Z",
+    "timestamp": "2026-05-27T16:53:17.354Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.13",
+      "bom-ref": "@blamejs/core@0.13.15",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.13",
+      "version": "0.13.15",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.13",
+      "purl": "pkg:npm/%40blamejs/core@0.13.15",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.13",
+      "ref": "@blamejs/core@0.13.15",
       "dependsOn": []
     }
   ]