@blamejs/core 0.14.17 → 0.14.19

package/lib/archive.js

@@ -33,16 +33,20 @@
  *       null bytes, and `..` segments throw `archive/bad-name`.
  *     - No symlink emission — only regular file entries are produced.
  *     - SHA3-512 fingerprint via `digest()` for operator integrity logs.
+ *     - ZIP64 (APPNOTE 6.3.10 §4.3.14 / §4.3.15 / §4.4.8 / §4.5.3) is
+ *       emitted automatically when an archive exceeds 65535 entries or
+ *       any entry's compressed/uncompressed size or local-header offset
+ *       exceeds 4 GiB: the classic field carries the 0xFFFF/0xFFFFFFFF
+ *       sentinel, a ZIP64 extended-information extra field supplies the
+ *       64-bit value, and the ZIP64 EOCD record + locator precede the
+ *       classic EOCD. Archives below those limits stay classic
+ *       byte-for-byte. `b.archive.read.zip` reads the produced ZIP64
+ *       form transparently.
  *
  *   Out of scope (v1):
- *     - ZIP64 (>4 GiB archives, >65535 files) — `toBuffer` and
- *       `toStream` throw `archive/too-many-entries` past the limit;
- *       operators at that scale bring their own toolset.
  *     - ZIP-native password encryption (broken-by-design); operators
  *       wrap the produced bytes via `b.crypto.encryptPacked` for
  *       encryption-at-rest.
- *     - Reading / extraction — write-only; operators use yauzl or
- *       `unzip` for read paths.
  *
  * @card
  *   ZIP archive creation primitive.
@@ -61,6 +65,30 @@ var ArchiveError = defineClass("ArchiveError", { alwaysPermanent: true });
 var SIG_LFH = 0x04034b50;   // local file header
 var SIG_CFH = 0x02014b50;   // central directory file header
 var SIG_EOCD = 0x06054b50;  // end of central directory
+var SIG_EOCD64         = 0x06064b50;  // APPNOTE §4.3.14 ZIP64 EOCD record
+var SIG_EOCD64_LOCATOR = 0x07064b50;  // APPNOTE §4.3.15 ZIP64 EOCD locator
+
+// ZIP64 sentinels (APPNOTE §4.4 + §4.5.3) — a classic field set to its
+// all-ones value signals that the true value lives in the ZIP64 record /
+// extended-information extra field. 16-bit fields use 0xFFFF, 32-bit
+// fields use 0xFFFFFFFF.
+var ZIP64_U16_SENTINEL = 0xffff;
+var ZIP64_U32_SENTINEL = 0xffffffff;
+// 0xFFFFFFFF as a value boundary: any size/offset > this overflows the
+// classic 32-bit field and must be carried in the ZIP64 extra field.
+var ZIP64_U32_MAX           = 0xffffffff;
+// Classic EOCD entry-count field is 16-bit (APPNOTE §4.4.21/§4.4.22);
+// more than 65535 entries forces the ZIP64 EOCD record.
+var ZIP64_MAX_CLASSIC_ENTRIES = 65535;
+// ZIP64 "version needed to extract" — 4.5 (APPNOTE §4.4.3.2).
+var ZIP64_VERSION_NEEDED    = 45;
+// ZIP64 extended-information extra field (§4.5.3): 4-byte header
+// (id(2) + dataSize(2)) then up to four fields. Each 64-bit field is
+// 8 bytes; diskStart is a 4-byte dword.
+var ZIP64_EXTRA_HEADER_ID   = 0x0001;
+var ZIP64_EXTRA_FIELD_BYTES = 8;       // one 64-bit field (uSize / cSize / lfhOffset)
+var ZIP64_EOCD64_BYTES      = 56;      // §4.3.14 fixed-size record (no extensible-data tail)
+var ZIP64_EOCD64_LOCATOR_BYTES = 20;   // §4.3.15 fixed-size locator
 
 // Compression methods (APPNOTE 4.4.5 — protocol-fixed method IDs)
 var METHOD_STORE_ID   = 0;
@@ -101,6 +129,52 @@ function _msdosDateTime(date) {
   return { time: dosTime, date: dosDate };
 }
 
+// ZIP64 (APPNOTE 6.3.10 §4.3.14 / §4.3.15 / §4.4.8 / §4.5.3) — small
+// archives stay classic byte-for-byte; the ZIP64 trailer + per-entry
+// sentinels only appear once a size/offset overflows the classic 32-bit
+// field (or the entry count exceeds the classic 16-bit cap). The reader
+// in archive-read.js resolves these symmetrically.
+
+// True when a single size/offset overflows the classic 32-bit field.
+function _overflows32(n) { return n > ZIP64_U32_MAX; }
+
+// Does this entry need a per-record ZIP64 extra block? An entry overflows
+// when its compressed size, uncompressed size, or local-header offset
+// exceeds the 32-bit limit. `lfhOffset` is only known at central-directory
+// build time, so the local-header path passes `lfhOffset = 0` (the LFH
+// extra never carries the offset — §4.5.3).
+function _entryNeedsZip64(csize, usize, lfhOffset) {
+  return _overflows32(csize) || _overflows32(usize) || _overflows32(lfhOffset);
+}
+
+// Build the ZIP64 extended-information extra field (§4.5.3) carrying ONLY
+// the fields whose classic value overflowed, in APPNOTE order:
+// uncompressedSize, compressedSize, localHeaderOffset, diskStart. Returns
+// an empty buffer when nothing overflowed. `includeOffset` controls
+// whether localHeaderOffset is appended (the LFH variant omits it). The
+// reader keys presence off the matching classic sentinel, so a field is
+// emitted here iff the caller also writes the sentinel into the classic
+// slot. diskStart is never emitted — single-disk archives only.
+function _buildZip64Extra(csize, usize, lfhOffset, includeOffset) {
+  var needUsize  = _overflows32(usize);
+  var needCsize  = _overflows32(csize);
+  var needOffset = includeOffset && _overflows32(lfhOffset);
+  if (!needUsize && !needCsize && !needOffset) return Buffer.alloc(0);
+  var fields = 0;
+  if (needUsize)  fields += 1;
+  if (needCsize)  fields += 1;
+  if (needOffset) fields += 1;
+  var dataLen = fields * ZIP64_EXTRA_FIELD_BYTES;
+  var extra = Buffer.alloc(C.BYTES.bytes(4 + dataLen));
+  extra.writeUInt16LE(ZIP64_EXTRA_HEADER_ID, C.BYTES.bytes(0));   // §4.5.3 extra-field tag
+  extra.writeUInt16LE(dataLen, C.BYTES.bytes(2));                 // §4.5.1 data size
+  var q = 4;
+  if (needUsize)  { extra.writeBigUInt64LE(BigInt(usize),     C.BYTES.bytes(q)); q += ZIP64_EXTRA_FIELD_BYTES; }
+  if (needCsize)  { extra.writeBigUInt64LE(BigInt(csize),     C.BYTES.bytes(q)); q += ZIP64_EXTRA_FIELD_BYTES; }
+  if (needOffset) { extra.writeBigUInt64LE(BigInt(lfhOffset), C.BYTES.bytes(q)); q += ZIP64_EXTRA_FIELD_BYTES; }
+  return extra;
+}
+
 /**
  * @primitive b.archive.zip
  * @signature b.archive.zip()
@@ -223,66 +297,156 @@ function zip() {
     var nameBuf = Buffer.from(entry.name, "utf8");
     var dt = _msdosDateTime(entry.mtime);
     var flags = FLAG_UTF8_NAME | (streaming ? FLAG_DATA_DESCRIPTOR : 0);
+    // ZIP64 (§4.3.7 + §4.5.3) applies to the buffer path only — the LFH
+    // sizes are written up-front there. Streaming entries carry zeros
+    // under the data-descriptor flag (sizes unknown at header time), so
+    // they never carry an LFH ZIP64 extra; their 64-bit values ride the
+    // data descriptor + central-directory ZIP64 extra. When either size
+    // overflows the 32-bit field, the LFH carries the sentinel and a
+    // ZIP64 extra block supplies uncompressedSize + compressedSize (the
+    // offset is never in the LFH extra — §4.5.3).
+    var csize = streaming ? 0 : entry.stored.length;
+    var usize = streaming ? 0 : entry.uncompressedSize;
+    var zip64 = !streaming && _entryNeedsZip64(csize, usize, 0);
+    var zip64Extra = zip64 ? _buildZip64Extra(csize, usize, 0, false) : Buffer.alloc(0);
     // APPNOTE 4.3.7 — local file header. Offsets are byte positions
     // within the 30-byte fixed header; each route through C.BYTES.bytes
     // so the framework's byte-math discipline applies even to format-
     // fixed offsets.
     var hdr = Buffer.alloc(C.BYTES.bytes(30));
     hdr.writeUInt32LE(SIG_LFH, C.BYTES.bytes(0));
-    hdr.writeUInt16LE(20, C.BYTES.bytes(4));            // version needed
+    hdr.writeUInt16LE(zip64 ? ZIP64_VERSION_NEEDED : 20, C.BYTES.bytes(4));   // version needed
     hdr.writeUInt16LE(flags, C.BYTES.bytes(6));         // flags: bit 11 UTF-8, bit 3 data-descriptor
     hdr.writeUInt16LE(entry.method, C.BYTES.bytes(0x08));
     hdr.writeUInt16LE(dt.time, C.BYTES.bytes(10));
     hdr.writeUInt16LE(dt.date, C.BYTES.bytes(12));
     hdr.writeUInt32LE(streaming ? 0 : entry.crc, C.BYTES.bytes(14));
-    hdr.writeUInt32LE(streaming ? 0 : entry.stored.length, C.BYTES.bytes(18));
-    hdr.writeUInt32LE(streaming ? 0 : entry.uncompressedSize, C.BYTES.bytes(22));
+    hdr.writeUInt32LE(_overflows32(csize) ? ZIP64_U32_SENTINEL : csize, C.BYTES.bytes(18));
+    hdr.writeUInt32LE(_overflows32(usize) ? ZIP64_U32_SENTINEL : usize, C.BYTES.bytes(22));
     hdr.writeUInt16LE(nameBuf.length, C.BYTES.bytes(26));
-    hdr.writeUInt16LE(0, C.BYTES.bytes(28));            // extra field length
-    return Buffer.concat([hdr, nameBuf]);
+    hdr.writeUInt16LE(zip64Extra.length, C.BYTES.bytes(28));   // extra field length
+    return Buffer.concat([hdr, nameBuf, zip64Extra]);
   }
 
   function _buildDataDescriptor(crc, csize, usize) {
-    // APPNOTE 4.3.9 — 16-byte data descriptor (with optional sig dword).
-    var dd = Buffer.alloc(C.BYTES.bytes(16));
-    dd.writeUInt32LE(SIG_DATA_DESCRIPTOR, C.BYTES.bytes(0));
-    dd.writeUInt32LE(crc, C.BYTES.bytes(4));
-    dd.writeUInt32LE(csize, C.BYTES.bytes(0x08));
-    dd.writeUInt32LE(usize, C.BYTES.bytes(12));
-    return dd;
+    // APPNOTE 4.3.9 — data descriptor (with optional sig dword). The
+    // classic form carries 4-byte csize/usize; §4.3.9.2 widens both to
+    // 8 bytes when the entry is ZIP64 (either size overflows the 32-bit
+    // field). The central directory carries the authoritative sizes, so
+    // the wide form here is for external single-pass extractors.
+    var zip64 = _overflows32(csize) || _overflows32(usize);
+    if (!zip64) {
+      var dd = Buffer.alloc(C.BYTES.bytes(16));
+      dd.writeUInt32LE(SIG_DATA_DESCRIPTOR, C.BYTES.bytes(0));
+      dd.writeUInt32LE(crc, C.BYTES.bytes(4));
+      dd.writeUInt32LE(csize, C.BYTES.bytes(0x08));
+      dd.writeUInt32LE(usize, C.BYTES.bytes(12));
+      return dd;
+    }
+    var dd64 = Buffer.alloc(C.BYTES.bytes(24));
+    dd64.writeUInt32LE(SIG_DATA_DESCRIPTOR, C.BYTES.bytes(0));
+    dd64.writeUInt32LE(crc, C.BYTES.bytes(4));
+    dd64.writeBigUInt64LE(BigInt(csize), C.BYTES.bytes(0x08));
+    dd64.writeBigUInt64LE(BigInt(usize), C.BYTES.bytes(0x10));
+    return dd64;
   }
 
   function _buildCentralDirectoryEntry(entry, lfhOffset) {
     var nameBuf = Buffer.from(entry.name, "utf8");
     var dt = _msdosDateTime(entry.mtime);
     var flags = FLAG_UTF8_NAME | (entry.kind === "stream" ? FLAG_DATA_DESCRIPTOR : 0);
+    var csize = entry.stored.length;
+    var usize = entry.uncompressedSize;
+    // ZIP64 (§4.3.12 + §4.4.8 + §4.5.3): the central-directory entry
+    // carries the offset, so its ZIP64 trigger includes localHeaderOffset
+    // overflow. Each overflowed field becomes the classic sentinel and is
+    // supplied 64-bit in the extra block, in APPNOTE order.
+    var zip64 = _entryNeedsZip64(csize, usize, lfhOffset);
+    var zip64Extra = zip64 ? _buildZip64Extra(csize, usize, lfhOffset, true) : Buffer.alloc(0);
     // APPNOTE 4.3.12 — central directory file header (46-byte fixed prefix).
     var hdr = Buffer.alloc(C.BYTES.bytes(46));
     hdr.writeUInt32LE(SIG_CFH, C.BYTES.bytes(0));
     hdr.writeUInt16LE(0x033f, C.BYTES.bytes(4));        // version made by (UNIX | 6.3)
-    hdr.writeUInt16LE(20, C.BYTES.bytes(6));            // version needed
+    hdr.writeUInt16LE(zip64 ? ZIP64_VERSION_NEEDED : 20, C.BYTES.bytes(6));   // version needed
     hdr.writeUInt16LE(flags, C.BYTES.bytes(0x08));      // flags: bit 11 UTF-8, bit 3 data-descriptor (stream)
     hdr.writeUInt16LE(entry.method, C.BYTES.bytes(10));
     hdr.writeUInt16LE(dt.time, C.BYTES.bytes(12));
     hdr.writeUInt16LE(dt.date, C.BYTES.bytes(14));
     hdr.writeUInt32LE(entry.crc, C.BYTES.bytes(0x10));
-    hdr.writeUInt32LE(entry.stored.length, C.BYTES.bytes(20));
-    hdr.writeUInt32LE(entry.uncompressedSize, C.BYTES.bytes(0x18));
+    hdr.writeUInt32LE(_overflows32(csize) ? ZIP64_U32_SENTINEL : csize, C.BYTES.bytes(20));
+    hdr.writeUInt32LE(_overflows32(usize) ? ZIP64_U32_SENTINEL : usize, C.BYTES.bytes(0x18));
     hdr.writeUInt16LE(nameBuf.length, C.BYTES.bytes(28));
-    hdr.writeUInt16LE(0, C.BYTES.bytes(30));            // extra field length
+    hdr.writeUInt16LE(zip64Extra.length, C.BYTES.bytes(30));   // extra field length
     hdr.writeUInt16LE(0, C.BYTES.bytes(0x20));          // file comment length
     hdr.writeUInt16LE(0, C.BYTES.bytes(34));            // disk number start
     hdr.writeUInt16LE(0, C.BYTES.bytes(36));            // internal file attributes
     hdr.writeUInt32LE(0, C.BYTES.bytes(38));            // external file attributes
-    hdr.writeUInt32LE(lfhOffset, C.BYTES.bytes(42));
-    return Buffer.concat([hdr, nameBuf]);
+    hdr.writeUInt32LE(_overflows32(lfhOffset) ? ZIP64_U32_SENTINEL : lfhOffset, C.BYTES.bytes(42));
+    return Buffer.concat([hdr, nameBuf, zip64Extra]);
   }
 
-  function toBuffer() {
-    if (entries.length > 65535) {
-      throw new ArchiveError("archive/too-many-entries",
-        "ZIP archive cannot contain more than 65535 entries (ZIP64 unsupported in v1)");
+  // Build the end-of-central-directory trailer. Returns a Buffer that is
+  // just the classic 22-byte EOCD for archives within the classic limits,
+  // or the ZIP64 EOCD record (§4.3.14) + ZIP64 EOCD locator (§4.3.15) +
+  // the classic EOCD (with sentinels) when the entry count exceeds 65535
+  // or the central-directory size/offset exceeds the 32-bit field. The
+  // ZIP64 trailer precedes the classic EOCD exactly where the reader's
+  // locator-before-classic-EOCD walk expects it.
+  function _buildEndOfCentralDirectory(totalEntries, cdSize, cdStart) {
+    var needZip64 = totalEntries > ZIP64_MAX_CLASSIC_ENTRIES ||
+      _overflows32(cdSize) || _overflows32(cdStart);
+    if (!needZip64) {
+      // APPNOTE 4.3.16 — end of central directory record (22-byte fixed).
+      var eocdClassic = Buffer.alloc(C.BYTES.bytes(22));
+      eocdClassic.writeUInt32LE(SIG_EOCD, C.BYTES.bytes(0));
+      eocdClassic.writeUInt16LE(0, C.BYTES.bytes(4));                  // disk number
+      eocdClassic.writeUInt16LE(0, C.BYTES.bytes(6));                  // disk where CD starts
+      eocdClassic.writeUInt16LE(totalEntries, C.BYTES.bytes(0x08));    // entries on this disk
+      eocdClassic.writeUInt16LE(totalEntries, C.BYTES.bytes(10));      // total entries
+      eocdClassic.writeUInt32LE(cdSize, C.BYTES.bytes(12));            // size of central directory
+      eocdClassic.writeUInt32LE(cdStart, C.BYTES.bytes(0x10));         // offset of central directory
+      eocdClassic.writeUInt16LE(0, C.BYTES.bytes(20));                 // comment length
+      return eocdClassic;
     }
+    // ZIP64 EOCD record (§4.3.14) — fixed 56-byte form, no extensible
+    // data tail. The "size of ZIP64 EOCD record" field counts the bytes
+    // that FOLLOW it (record total minus the 12-byte sig+size prefix).
+    var eocd64 = Buffer.alloc(C.BYTES.bytes(ZIP64_EOCD64_BYTES));
+    eocd64.writeUInt32LE(SIG_EOCD64, C.BYTES.bytes(0));
+    eocd64.writeBigUInt64LE(BigInt(ZIP64_EOCD64_BYTES - 12), C.BYTES.bytes(4));
+    eocd64.writeUInt16LE(0x033f, C.BYTES.bytes(12));                   // version made by (UNIX | 6.3)
+    eocd64.writeUInt16LE(ZIP64_VERSION_NEEDED, C.BYTES.bytes(14));     // version needed
+    eocd64.writeUInt32LE(0, C.BYTES.bytes(16));                        // this disk number
+    eocd64.writeUInt32LE(0, C.BYTES.bytes(20));                        // disk with CD start
+    eocd64.writeBigUInt64LE(BigInt(totalEntries), C.BYTES.bytes(24));  // entries on this disk
+    eocd64.writeBigUInt64LE(BigInt(totalEntries), C.BYTES.bytes(32));  // total entries
+    eocd64.writeBigUInt64LE(BigInt(cdSize), C.BYTES.bytes(40));        // central directory size
+    eocd64.writeBigUInt64LE(BigInt(cdStart), C.BYTES.bytes(48));       // central directory offset
+    var eocd64Offset = cdStart + cdSize;
+    // ZIP64 EOCD locator (§4.3.15) — fixed 20 bytes.
+    var locator = Buffer.alloc(C.BYTES.bytes(ZIP64_EOCD64_LOCATOR_BYTES));
+    locator.writeUInt32LE(SIG_EOCD64_LOCATOR, C.BYTES.bytes(0));
+    locator.writeUInt32LE(0, C.BYTES.bytes(4));                        // disk with ZIP64 EOCD
+    locator.writeBigUInt64LE(BigInt(eocd64Offset), C.BYTES.bytes(0x08));
+    locator.writeUInt32LE(1, C.BYTES.bytes(16));                       // total number of disks
+    // Classic EOCD (§4.3.16) with ZIP64 sentinels for any overflowed
+    // field — readers that don't grok ZIP64 see the sentinel, ZIP64-aware
+    // readers follow the locator.
+    var eocd = Buffer.alloc(C.BYTES.bytes(22));
+    eocd.writeUInt32LE(SIG_EOCD, C.BYTES.bytes(0));
+    eocd.writeUInt16LE(0, C.BYTES.bytes(4));
+    eocd.writeUInt16LE(0, C.BYTES.bytes(6));
+    eocd.writeUInt16LE(totalEntries > ZIP64_MAX_CLASSIC_ENTRIES
+      ? ZIP64_U16_SENTINEL : totalEntries, C.BYTES.bytes(0x08));
+    eocd.writeUInt16LE(totalEntries > ZIP64_MAX_CLASSIC_ENTRIES
+      ? ZIP64_U16_SENTINEL : totalEntries, C.BYTES.bytes(10));
+    eocd.writeUInt32LE(_overflows32(cdSize) ? ZIP64_U32_SENTINEL : cdSize, C.BYTES.bytes(12));
+    eocd.writeUInt32LE(_overflows32(cdStart) ? ZIP64_U32_SENTINEL : cdStart, C.BYTES.bytes(0x10));
+    eocd.writeUInt16LE(0, C.BYTES.bytes(20));
+    return Buffer.concat([eocd64, locator, eocd]);
+  }
+
+  function toBuffer() {
     for (var k = 0; k < entries.length; k++) {
       if (entries[k].kind === "stream") {
         throw new ArchiveError("archive/streaming-entry",
@@ -307,17 +471,7 @@ function zip() {
       pieces.push(cdh);
       cdSize += cdh.length;
     }
-    // APPNOTE 4.3.16 — end of central directory record (22-byte fixed).
-    var eocd = Buffer.alloc(C.BYTES.bytes(22));
-    eocd.writeUInt32LE(SIG_EOCD, C.BYTES.bytes(0));
-    eocd.writeUInt16LE(0, C.BYTES.bytes(4));                    // disk number
-    eocd.writeUInt16LE(0, C.BYTES.bytes(6));                    // disk where CD starts
-    eocd.writeUInt16LE(entries.length, C.BYTES.bytes(0x08));    // entries on this disk
-    eocd.writeUInt16LE(entries.length, C.BYTES.bytes(10));      // total entries
-    eocd.writeUInt32LE(cdSize, C.BYTES.bytes(12));              // size of central directory
-    eocd.writeUInt32LE(cdStart, C.BYTES.bytes(0x10));           // offset of central directory
-    eocd.writeUInt16LE(0, C.BYTES.bytes(20));                   // comment length
-    pieces.push(eocd);
+    pieces.push(_buildEndOfCentralDirectory(entries.length, cdSize, cdStart));
     return Buffer.concat(pieces);
   }
 
@@ -451,11 +605,6 @@ function zip() {
         "toStream: writable must be a Writable (or omit to receive a Readable)");
     }
 
-    if (entries.length > 65535) {
-      throw new ArchiveError("archive/too-many-entries",
-        "ZIP archive cannot contain more than 65535 entries (ZIP64 unsupported in v1)");
-    }
-
     var run = (async function () {
       var offsets = [];
       var totalLocalBytes = 0;
@@ -480,15 +629,7 @@ function zip() {
           await _writeChunk(dest, cdh);
           cdSize += cdh.length;
         }
-        var eocd = Buffer.alloc(C.BYTES.bytes(22));
-        eocd.writeUInt32LE(SIG_EOCD, C.BYTES.bytes(0));
-        eocd.writeUInt16LE(0, C.BYTES.bytes(4));
-        eocd.writeUInt16LE(0, C.BYTES.bytes(6));
-        eocd.writeUInt16LE(entries.length, C.BYTES.bytes(0x08));
-        eocd.writeUInt16LE(entries.length, C.BYTES.bytes(10));
-        eocd.writeUInt32LE(cdSize, C.BYTES.bytes(12));
-        eocd.writeUInt32LE(cdStart, C.BYTES.bytes(0x10));
-        eocd.writeUInt16LE(0, C.BYTES.bytes(20));
+        var eocd = _buildEndOfCentralDirectory(entries.length, cdSize, cdStart);
         await _writeChunk(dest, eocd);
         if (typeof dest.end === "function") dest.end();
         _emitAudit(opts, "archive.zip.streamed.completed", "success", {
@@ -574,4 +715,17 @@ module.exports = {
   // Test-only export — operators don't call this; it's here for unit-testing
   // the CRC implementation against known vectors.
   _crc32ForTest: _crc32,
+  // Test-only export — exercises the per-entry ZIP64 extended-information
+  // extra-field builder (§4.5.3) at logical sizes/offsets that exceed the
+  // 32-bit field, which the buffer path can only reach with multi-GiB
+  // payloads. The entry-count and EOCD64 paths are covered by full
+  // round-trips through the random-access reader.
+  _zip64ForTest: {
+    entryNeedsZip64: _entryNeedsZip64,
+    buildExtra:      _buildZip64Extra,
+    U16_SENTINEL:    ZIP64_U16_SENTINEL,
+    U32_SENTINEL:    ZIP64_U32_SENTINEL,
+    U32_MAX:         ZIP64_U32_MAX,
+    EXTRA_HEADER_ID: ZIP64_EXTRA_HEADER_ID,
+  },
 };

package/lib/auth/oauth.js

@@ -497,6 +497,55 @@ function create(opts) {
     });
   }
 
+  // PKCE downgrade defense (RFC 9700 §4.13 / OAuth 2.1 §6.2.4 +
+  // RFC 7636). The client always sends code_challenge_method=S256 (the
+  // plain method and pkce:false are refused). A network attacker who
+  // can tamper with discovery metadata can advertise an OP that only
+  // supports the `plain` method (or omits S256), nudging a permissive
+  // client into a weaker exchange. We don't downgrade — but if the OP's
+  // published `code_challenge_methods_supported` is PRESENT and does not
+  // list "S256", the redirect we'd build sends an S256 challenge the OP
+  // claims it cannot verify, which is the signature of a stripped-S256
+  // MITM. Refuse rather than emit an authorization request the metadata
+  // says will fail.
+  //
+  // Back-compat: an OP that does not publish the field at all keeps
+  // today's behavior (S256 is still sent — RFC 7636 §4.2 lets the OP
+  // accept S256 without advertising it). The check is a non-fetching
+  // peek at the already-resolved discovery document: it never forces a
+  // network round-trip, so static-endpoint clients (no discovery) are
+  // unaffected. Config-time refusal — throw so the operator sees the
+  // mismatch instead of a silently-doomed redirect.
+  function _assertS256Supported(config) {
+    if (!config || typeof config !== "object") return;
+    var methods = config.code_challenge_methods_supported;
+    if (!Array.isArray(methods)) return;       // field absent → keep behavior
+    var hasS256 = false;
+    for (var i = 0; i < methods.length; i++) {
+      if (methods[i] === "S256") { hasS256 = true; break; }
+    }
+    if (!hasS256) {
+      throw new OAuthError("auth-oauth/pkce-downgrade",
+        "OP discovery advertises code_challenge_methods_supported " +
+        JSON.stringify(methods) + " without 'S256'. The framework sends " +
+        "S256 (RFC 7636) and refuses to emit an authorization request the " +
+        "OP claims it cannot verify — a stripped-S256 / plain-only " +
+        "discovery is the signature of a PKCE downgrade (RFC 9700 §4.13). " +
+        "Fix the OP metadata or, on a genuinely S256-incapable IdP, " +
+        "front it with a conforming gateway.");
+    }
+  }
+
+  // Peek the cached discovery document WITHOUT triggering a fetch, so
+  // the PKCE-downgrade gate only inspects metadata the client already
+  // resolved on the discovery path. Returns null when no discovery has
+  // occurred (static endpoints / non-OIDC) — back-compat preserved.
+  async function _peekDiscovery() {
+    if (!isOidc || !issuer) return null;
+    try { return (await _discoveryCache.get("config")) || null; }
+    catch (_e) { return null; }
+  }
+
   async function _resolveEndpoint(name) {
     if (staticEndpoints[name]) return staticEndpoints[name];
     var config = await _discover();
@@ -530,6 +579,11 @@ function create(opts) {
   async function authorizationUrl(uopts) {
     uopts = uopts || {};
     var endpoint = await _resolveEndpoint("authorizationEndpoint");
+    // RFC 9700 §4.13 — refuse an OP whose discovery metadata advertises
+    // code_challenge_methods_supported without S256 (PKCE downgrade /
+    // stripped-S256 MITM). _resolveEndpoint already populated the
+    // discovery cache on the OIDC path; this peek never fetches.
+    _assertS256Supported(await _peekDiscovery());
     // CVE-2026-34511 — PKCE verifier leak via state. The state token is
     // an opaque CSPRNG output; the PKCE verifier is generated separately
     // and returned in its own field for the caller to store. The
@@ -1270,6 +1324,10 @@ function create(opts) {
         "pushed_authorization_request_endpoint (set opts.pushedAuthorizationRequestEndpoint " +
         "on create() if the IdP doesn't publish it)");
     }
+    // Same PKCE-downgrade gate as authorizationUrl (RFC 9700 §4.13):
+    // PAR pushes the identical S256 challenge, so an OP advertising
+    // code_challenge_methods_supported without S256 is refused here too.
+    _assertS256Supported(await _peekDiscovery());
     // Build the same param set authorizationUrl would emit, then POST
     // it to PAR instead of putting it in the redirect URL.
     var state = uopts.state || _generateRandomToken(STATE_NONCE_BYTES);

package/lib/auth/oid4vci.js

@@ -79,14 +79,15 @@ function _b64uDecodeStr(s) {
   return Buffer.from(s, "base64url").toString("utf8");
 }
 
-function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs) {
+async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs, resolveKid) {
   // OID4VCI §7.2.1.1: the proof JWT MUST:
   //   - typ = "openid4vci-proof+jwt"
   //   - alg in supported list (issuer publishes these)
   //   - aud = credential issuer URL (this issuer's `credential_issuer`)
   //   - iat = recent
   //   - nonce = c_nonce previously issued to the wallet
-  //   - jwk OR kid in header pointing at the key to bind cnf to
+  //   - jwk (inline) OR kid (resolved via resolveKid) in the header
+  //     pointing at the holder key to bind cnf to (RFC 7515 §4.1.3/§4.1.4)
   if (typeof proofJwt !== "string" || proofJwt.length === 0 || proofJwt.length > MAX_PROOF_BYTES) {
     throw new AuthError("auth-oid4vci/bad-proof",
       "credential issuance: proof JWT is empty or exceeds " + MAX_PROOF_BYTES + " bytes");
@@ -171,29 +172,78 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
       "credential issuance: proof JWT iss does not match the access-token client_id");
   }
 
-  // Verify the JWS signature using the key embedded in the header.
+  // Resolve the holder key the proof is signed with. Two paths:
+  //   - inline `jwk` (RFC 7515 §4.1.3) — the wallet ships the public
+  //     key in the header; bind `cnf` to it directly.
+  //   - `kid` (RFC 7515 §4.1.4) without inline `jwk` — the wallet
+  //     references a key by identifier (EUDI-Wallet attested-key flow,
+  //     OID4VCI §8.2.1.1 `key_attestation` proof). The operator
+  //     supplies `resolveKid(kid, header)` to map the kid → public key.
+  //     With no resolver configured the issuer keeps the clear refusal
+  //     (back-compat): a kid-only proof can't be verified without one.
   var holderKeyJwk = header.jwk || null;
-  if (!holderKeyJwk && header.kid) {
-    // Operators with kid-only proofs supply a resolver; until then,
-    // require jwk inline. Refuse rather than silently downgrade.
-    throw new AuthError("auth-oid4vci/kid-resolver-not-supported",
-      "credential issuance: proof JWT used `kid` without inline `jwk` — supply { jwk } in the header for inline binding (kid-resolver path is operator-side)");
-  }
-  if (!holderKeyJwk) {
-    throw new AuthError("auth-oid4vci/no-jwk-in-header",
-      "credential issuance: proof JWT must carry `jwk` for inline holder-key binding");
-  }
-  // CVE-2026-22817 — cross-check alg/kty before importing the holder
-  // JWK. Without this an attacker-controlled `alg: "HS256"` against an
-  // RSA holder JWK would have node:crypto.verify treat the RSA public
-  // key as an HMAC secret. Routed through the shared helper so every
-  // JWT verifier in the framework enforces the same check.
-  jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
   var keyObj;
-  try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
-  catch (e) {
-    throw new AuthError("auth-oid4vci/bad-jwk",
-      "credential issuance: proof JWT jwk is not parseable: " + ((e && e.message) || String(e)));
+  if (!holderKeyJwk && header.kid) {
+    if (typeof resolveKid !== "function") {
+      throw new AuthError("auth-oid4vci/kid-resolver-not-supported",
+        "credential issuance: proof JWT used `kid` without inline `jwk` — supply { jwk } in the header for inline binding, or configure issuer.create({ resolveKid }) to resolve kid-referenced holder keys");
+    }
+    var resolved;
+    try {
+      resolved = await resolveKid(header.kid, header);
+    } catch (e) {
+      // Wrap a resolver exception in a stable AuthError code so the
+      // /credential handler returns a typed refusal instead of an
+      // unhandled rejection. resolveKid is operator code, so its own
+      // message is allowed through for operator-side debugging.
+      throw new AuthError("auth-oid4vci/kid-resolver-failed",
+        "credential issuance: resolveKid threw while resolving the proof JWT kid: " + ((e && e.message) || String(e)));
+    }
+    if (!resolved) {
+      throw new AuthError("auth-oid4vci/kid-unresolved",
+        "credential issuance: resolveKid returned no key for the proof JWT kid — refused");
+    }
+    // Normalize to (verify KeyObject) + (cnf JWK). A KeyObject verifies
+    // the signature directly; the cnf binding sdJwtIssuer.issue expects
+    // a JWK, so a resolved KeyObject is exported to one. A resolved JWK
+    // is used for both.
+    if (resolved instanceof nodeCrypto.KeyObject) {
+      try { holderKeyJwk = resolved.export({ format: "jwk" }); }
+      catch (e) {
+        throw new AuthError("auth-oid4vci/bad-resolved-key",
+          "credential issuance: resolveKid returned a KeyObject that does not export to JWK: " + ((e && e.message) || String(e)));
+      }
+    } else if (typeof resolved === "object" && typeof resolved.kty === "string") {
+      holderKeyJwk = resolved;
+    } else {
+      throw new AuthError("auth-oid4vci/bad-resolved-key",
+        "credential issuance: resolveKid must return a JWK object (with kty) or a node:crypto KeyObject");
+    }
+    // CVE-2026-22817 — same alg/kty cross-check the inline path applies.
+    // A resolver that returns an RSA key for a proof declaring an HMAC
+    // alg would otherwise be verified as an HMAC secret.
+    jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
+    try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-resolved-key",
+        "credential issuance: resolveKid-returned key is not importable as a public key: " + ((e && e.message) || String(e)));
+    }
+  } else {
+    if (!holderKeyJwk) {
+      throw new AuthError("auth-oid4vci/no-jwk-in-header",
+        "credential issuance: proof JWT must carry `jwk` for inline holder-key binding");
+    }
+    // CVE-2026-22817 — cross-check alg/kty before importing the holder
+    // JWK. Without this an attacker-controlled `alg: "HS256"` against an
+    // RSA holder JWK would have node:crypto.verify treat the RSA public
+    // key as an HMAC secret. Routed through the shared helper so every
+    // JWT verifier in the framework enforces the same check.
+    jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
+    try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-jwk",
+        "credential issuance: proof JWT jwk is not parseable: " + ((e && e.message) || String(e)));
+    }
   }
 
   var signingInput = parts[0] + "." + parts[1];
@@ -241,6 +291,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
  *     sdJwtIssuer:                <b.auth.sdJwtVc.issuer instance>, // mints the SD-JWT VC
  *     supportedCredentials:       { [id]: { format, vct, claims, ... } },
  *     proofAlgorithms:            string[],              // default ["ES256", "ES384", "EdDSA"]
+ *     resolveKid?:                function(kid, header), // resolve a kid-only proof's holder key (JWK | KeyObject); without it, kid-only proofs are refused
  *     preAuthCodeTtlMs?:          number,                // default 5m
  *     accessTokenTtlMs?:          number,                // default 15m
  *     cNonceTtlMs?:               number,                // default 5m
@@ -301,6 +352,12 @@ function create(opts) {
   var proofAlgs = Array.isArray(opts.proofAlgorithms) && opts.proofAlgorithms.length > 0
     ? opts.proofAlgorithms : ["ES256", "ES384", "EdDSA"];
 
+  // Optional kid-resolver for kid-only proofs (EUDI-Wallet attested-key
+  // flow). Config-time throw if supplied but not a function. Absent →
+  // kid-only proofs keep the clear refusal (back-compat).
+  var resolveKid = validateOpts.optionalFunction(opts.resolveKid,
+    "issuer.create: resolveKid", AuthError, "auth-oid4vci/bad-resolve-kid");
+
   var preAuthTtl = opts.preAuthCodeTtlMs || DEFAULT_PRE_AUTH_TTL_MS;
   var accessTokenTtl = opts.accessTokenTtlMs || DEFAULT_ACCESS_TOKEN_TTL;
   var cNonceTtl = opts.cNonceTtlMs || DEFAULT_C_NONCE_TTL_MS;
@@ -466,7 +523,7 @@ function create(opts) {
           "exchangePreAuthorizedCode: tx_code does not match");
       }
     }
-    await codeStore.delete(eopts.preAuthCode);
+    await codeStore.del(eopts.preAuthCode);
     var accessToken = generateToken(32);                                                         // 256-bit access token
     var cNonce = generateToken(16);                                                              // 128-bit c_nonce
     var record = {
@@ -555,7 +612,7 @@ function create(opts) {
     }
 
     var expectedCNonce = await cNonceStore.get(iopts.accessToken);
-    var verified = _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs);
+    var verified = await _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs, resolveKid);
 
     if (!iopts.claims || typeof iopts.claims !== "object") {
       throw new AuthError("auth-oid4vci/no-claims",
@@ -584,8 +641,8 @@ function create(opts) {
     // explicitly tightens cleanup.
     if (accessTokenSingleUse) {
       try {
-        await atStore.delete(iopts.accessToken);
-        await cNonceStore.delete(iopts.accessToken);
+        await atStore.del(iopts.accessToken);
+        await cNonceStore.del(iopts.accessToken);
       } catch (_e) { /* drop-silent — cleanup is best-effort */ }
     }