@blamejs/core 0.14.20 → 0.14.22

package/lib/auth/oauth.js

@@ -122,6 +122,11 @@ var lazyRequire = require("../lazy-require");
 // convention §3; no circular load — jwt-external requires nothing from
 // oauth.
 var jwtExternal = require("./jwt-external");
+// RFC 9101 request-object builder — composed by pushAuthorizationRequest
+// when the operator opts into sending a signed request object. Top-of-file
+// per convention §3; no circular load — jar requires jwt-external +
+// validate-opts only, nothing from oauth.
+var jar         = require("./jar");
 var audit       = lazyRequire(function () { return require("../audit"); });
 
 // Cap on responses parsed from upstream OAuth providers. Token /
@@ -517,97 +522,62 @@ var MAX_ATTESTATION_JWT_BYTES = C.BYTES.kib(16);
 var DEFAULT_POP_MAX_AGE_SEC = C.TIME.minutes(5) / C.TIME.seconds(1);
 
 // Sign/verify params keyed by alg — superset of _verifyParamsForAlg that
-// also covers EdDSA (used only on the attestation path; the ID-token
-// verifier keeps its own narrower table untouched).
+// also covers EdDSA (used only on the attestation verify path; the
+// ID-token verifier keeps its own narrower table untouched).
 function _attestationCryptoParams(alg) {
   if (alg === "EdDSA") return { hash: null };
   return _verifyParamsForAlg(alg);
 }
 
+// _toAttestationPrivateKey / _resolveAttestationAlg / _signAttestationJws —
+// thin wrappers over the classical-JWS signer that the jwt-external module
+// owns (b.auth.jws.sign internals). The attestation path keeps its own
+// `auth-oauth/attestation-*` error codes so operators routing alerts on
+// that class see no change; the signer BODIES (alg-from-key derivation,
+// compact-JWS assembly) live in exactly one place — the classical-JOSE
+// domain owner — rather than duplicated here. RFC 7518 §3.1 alg↔key
+// binding and the self-invalid-alg defenses are enforced by the composed
+// primitive.
+
 function _toAttestationPrivateKey(value, label) {
-  if (!value) {
-    throw new OAuthError("auth-oauth/attestation-no-key", label + ": privateKey is required");
-  }
-  if (value instanceof nodeCrypto.KeyObject) return value;
-  try {
-    if (typeof value === "string" || Buffer.isBuffer(value)) {
-      return nodeCrypto.createPrivateKey({ key: value, format: "pem" });
-    }
-    if (typeof value === "object" && value.kty) {
-      return nodeCrypto.createPrivateKey({ key: value, format: "jwk" });
-    }
-  } catch (e) {
-    throw new OAuthError("auth-oauth/attestation-bad-key",
-      label + ": private key parse failed: " + ((e && e.message) || String(e)));
+  try { return jwtExternal._toPrivateKey(value, label); }
+  catch (e) {
+    var code = (e && e.code) === "auth-jwt-external/sign-no-key"
+      ? "auth-oauth/attestation-no-key" : "auth-oauth/attestation-bad-key";
+    throw new OAuthError(code, (e && e.message) || String(e));
   }
-  throw new OAuthError("auth-oauth/attestation-bad-key",
-    label + ": privateKey must be a PEM string/Buffer, JWK object, or KeyObject");
 }
 
-// EC curve → the one ES* alg whose hash matches it (RFC 7518 §3.4).
-var _EC_CURVE_ALG = { prime256v1: "ES256", secp384r1: "ES384", secp521r1: "ES512" };
-
 // Resolve the JWS alg for an attestation / PoP signature. When the caller
-// gives no `algorithm`, infer the default that matches the key type so a
-// non-EC attester key (RSA, Ed25519) yields a self-consistent JWS — header
-// alg ⇄ signature key — instead of a fixed `ES256` header signed with the
-// real key, which `verifyClientAttestation`'s alg/kty cross-check would
-// then reject. An explicit alg incompatible with the key is refused BEFORE
-// signing rather than producing a self-invalid attestation.
+// gives no `algorithm`, the composed signer infers the default that matches
+// the key type so a non-EC attester key (RSA, Ed25519) yields a
+// self-consistent JWS — header alg ⇄ signature key — instead of a fixed
+// `ES256` header signed with the real key, which `verifyClientAttestation`'s
+// alg/kty cross-check would then reject. An explicit alg incompatible with
+// the key is refused BEFORE signing. The draft additionally floors the
+// accepted set to ATTESTATION_ALGS (no HMAC / none); the composed resolver
+// already refuses those, surfaced here as the attestation-specific code.
 function _resolveAttestationAlg(explicitAlg, privateKey, label) {
-  var kty = privateKey.asymmetricKeyType;
-  var defaultAlg, compatible;
-  if (kty === "ec") {
-    var curve = (privateKey.asymmetricKeyDetails && privateKey.asymmetricKeyDetails.namedCurve) || "";
-    defaultAlg = _EC_CURVE_ALG[curve];
-    if (!defaultAlg) {
-      throw new OAuthError("auth-oauth/attestation-key-unsupported",
-        label + ": EC curve '" + curve + "' has no attestation JWS alg (use P-256 / P-384 / P-521)");
-    }
-    compatible = [defaultAlg];                       // an EC curve pins exactly one ES alg
-  } else if (kty === "rsa") {
-    defaultAlg = "RS256";
-    compatible = ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"];
-  } else if (kty === "rsa-pss") {
-    defaultAlg = "PS256";
-    compatible = ["PS256", "PS384", "PS512"];        // an RSA-PSS key cannot produce an RS* signature
-  } else if (kty === "ed25519" || kty === "ed448") {
-    defaultAlg = "EdDSA";
-    compatible = ["EdDSA"];
-  } else {
-    throw new OAuthError("auth-oauth/attestation-key-unsupported",
-      label + ": key type '" + String(kty) + "' is not a supported attestation key (EC / RSA / Ed25519 / Ed448)");
-  }
-  if (explicitAlg === undefined || explicitAlg === null) return defaultAlg;
-  if (ATTESTATION_ALGS.indexOf(explicitAlg) === -1) {
-    throw new OAuthError("auth-oauth/attestation-alg-not-accepted",
-      label + ": alg '" + explicitAlg + "' is not an accepted attestation algorithm");
-  }
-  if (compatible.indexOf(explicitAlg) === -1) {
-    throw new OAuthError("auth-oauth/attestation-alg-key-mismatch",
-      label + ": alg '" + explicitAlg + "' is incompatible with the " + kty +
-      " key (compatible: " + compatible.join(", ") + ")");
+  try {
+    return jwtExternal._resolveSignAlg(explicitAlg, privateKey, label);
+  } catch (e) {
+    var ec = (e && e.code) || "";
+    if (ec === "auth-jwt-external/sign-alg-key-mismatch") {
+      throw new OAuthError("auth-oauth/attestation-alg-key-mismatch", (e && e.message) || String(e));
+    }
+    if (ec === "auth-jwt-external/sign-alg-refused" || ec === "auth-jwt-external/sign-alg-unsupported") {
+      throw new OAuthError("auth-oauth/attestation-alg-not-accepted",
+        label + ": alg '" + explicitAlg + "' is not an accepted attestation algorithm");
+    }
+    if (ec === "auth-jwt-external/sign-key-unsupported") {
+      throw new OAuthError("auth-oauth/attestation-key-unsupported", (e && e.message) || String(e));
+    }
+    throw new OAuthError("auth-oauth/attestation-bad-key", (e && e.message) || String(e));
   }
-  return explicitAlg;
 }
 
 function _signAttestationJws(header, payload, privateKey, alg) {
-  var params = _attestationCryptoParams(alg);
-  var headerB64  = _b64urlEncode(Buffer.from(JSON.stringify(header), "utf8"));
-  var payloadB64 = _b64urlEncode(Buffer.from(JSON.stringify(payload), "utf8"));
-  var signingInput = headerB64 + "." + payloadB64;
-  var sig;
-  var input = Buffer.from(signingInput, "ascii");
-  if (params.hash === null) {
-    sig = nodeCrypto.sign(null, input, privateKey);     // EdDSA — no prehash
-  } else {
-    var keyParam = { key: privateKey };
-    if (params.padding !== undefined)     keyParam.padding     = params.padding;
-    if (params.saltLength !== undefined)  keyParam.saltLength  = params.saltLength;
-    if (params.dsaEncoding !== undefined) keyParam.dsaEncoding = params.dsaEncoding;
-    sig = nodeCrypto.sign(params.hash, input, keyParam);
-  }
-  return signingInput + "." + _b64urlEncode(sig);
+  return jwtExternal._signCompactJws(header, payload, privateKey, alg);
 }
 
 // Verify a compact JWS against an already-imported public KeyObject. The
@@ -751,16 +721,9 @@ function buildClientAttestation(aopts) {
   };
   if (typeof aopts.nbf === "number") payload.nbf = aopts.nbf;
   // Operator extra claims merged WITHOUT overriding the spec-required
-  // fields (no prototype-pollution: only own enumerable keys, reserved
-  // names rejected).
+  // fields (proto-pollution sentinels skipped, the spec keys reserved).
   if (aopts.extraClaims && typeof aopts.extraClaims === "object" && !Array.isArray(aopts.extraClaims)) {
-    var ck = Object.keys(aopts.extraClaims);
-    for (var i = 0; i < ck.length; i += 1) {
-      var k = ck[i];
-      if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-      if (Object.prototype.hasOwnProperty.call(payload, k)) continue;   // never override spec fields
-      payload[k] = aopts.extraClaims[k];
-    }
+    validateOpts.assignOwnEnumerable(payload, aopts.extraClaims, Object.keys(payload));
   }
   return _signAttestationJws(
     { typ: "oauth-client-attestation+jwt", alg: alg }, payload, key, alg);
@@ -1996,6 +1959,13 @@ function create(opts) {
   // browser-side redirect to /authorize. Defends against parameter
   // tampering by an MITM at the user-agent + against URL-length
   // overflow on long authorization requests.
+  //
+  // RFC 9101 signed request object: pass `signedRequestObject: { key,
+  // alg?, kid?, audience?, expiresInMs? }` to push a JAR request object
+  // instead of plain form params. The authorization parameters then
+  // travel as signed claims (RFC 9126 §3 — form body carries only
+  // `request` + client auth), so the PAR endpoint can verify they
+  // arrived exactly as the client signed them. Absent → plain-form PAR.
   async function pushAuthorizationRequest(uopts) {
     uopts = uopts || {};
     var endpoint;
@@ -2006,6 +1976,20 @@ function create(opts) {
         "pushed_authorization_request_endpoint (set opts.pushedAuthorizationRequestEndpoint " +
         "on create() if the IdP doesn't publish it)");
     }
+    // RFC 9101 signed-request-object opt: when the operator supplies
+    // `signedRequestObject` (a config object carrying the client's signing
+    // key), the authorization parameters travel as claims of a JAR request
+    // object rather than as bare form params. Validated config-time; absent
+    // → the existing plain-form path sends the same key/value set
+    // (form-encoded params are unordered per the media type).
+    var sro = uopts.signedRequestObject || null;
+    if (sro) {
+      validateOpts.optionalPlainObject(sro, "pushAuthorizationRequest: signedRequestObject",
+        OAuthError, "auth-oauth/par-bad-request-object-opt",
+        "must be an object { key, alg?, kid?, audience?, expiresInMs? }");
+      validateOpts(sro, ["key", "alg", "kid", "audience", "expiresInMs"],
+        "pushAuthorizationRequest.signedRequestObject");
+    }
     // Same PKCE-downgrade gate as authorizationUrl (RFC 9700 §4.13):
     // PAR pushes the identical S256 challenge, so an OP advertising
     // code_challenge_methods_supported without S256 is refused here too.
@@ -2015,31 +1999,60 @@ function create(opts) {
     var state = uopts.state || _generateRandomToken(STATE_NONCE_BYTES);
     var nonce = uopts.nonce || (isOidc ? _generateRandomToken(STATE_NONCE_BYTES) : null);
     var pkceVals = _generatePkce();
-    var body = new URLSearchParams();
-    body.set("response_type", "code");
-    body.set("client_id",     clientId);
-    body.set("redirect_uri",  redirectUri);
-    body.set("scope",         scope.join(" "));
-    body.set("state",         state);
-    if (nonce) body.set("nonce", nonce);
-    body.set("code_challenge",        pkceVals.challenge);
-    body.set("code_challenge_method", "S256");
-    if (responseMode) body.set("response_mode", responseMode);
-    if (uopts.prompt)    body.set("prompt", uopts.prompt);
-    if (uopts.loginHint) body.set("login_hint", uopts.loginHint);
-    if (uopts.maxAge != null) body.set("max_age", String(uopts.maxAge));
-    if (clientSecret) body.set("client_secret", clientSecret);
+    // The authorization-request parameters. On the plain path these are set
+    // on the form body directly; on the JAR path they become request-object
+    // claims and the form body carries only `request` + client auth.
+    var authzParams = {
+      response_type:        "code",
+      client_id:            clientId,
+      redirect_uri:         redirectUri,
+      scope:                scope.join(" "),
+      state:                state,
+      code_challenge:        pkceVals.challenge,
+      code_challenge_method: "S256",
+    };
+    if (nonce)        authzParams.nonce         = nonce;
+    if (responseMode) authzParams.response_mode = responseMode;
+    if (uopts.prompt)    authzParams.prompt     = uopts.prompt;
+    if (uopts.loginHint) authzParams.login_hint = uopts.loginHint;
+    if (uopts.maxAge != null) authzParams.max_age = String(uopts.maxAge);
     // RFC 9396 — push the fine-grained authorization request through PAR
     // identically to the redirect path (validated, then JSON-serialized).
     var requestedAuthzDetails = null;
     if (uopts.authorizationDetails !== undefined) {
       requestedAuthzDetails = _validateAuthorizationDetailsArray(
         uopts.authorizationDetails, "pushAuthorizationRequest");
-      body.set("authorization_details", JSON.stringify(requestedAuthzDetails));
+      authzParams.authorization_details = JSON.stringify(requestedAuthzDetails);
     }
     if (uopts.extraParams && typeof uopts.extraParams === "object") {
       var ek = Object.keys(uopts.extraParams);
-      for (var i = 0; i < ek.length; i++) body.set(ek[i], String(uopts.extraParams[ek[i]]));
+      for (var i = 0; i < ek.length; i++) authzParams[ek[i]] = String(uopts.extraParams[ek[i]]);
+    }
+
+    var body = new URLSearchParams();
+    if (sro) {
+      // RFC 9126 §3 — when a signed request object is pushed, the
+      // authorization parameters MUST appear ONLY as claims of the JWT;
+      // the form body carries `request` plus the parameters a client
+      // authentication method requires (client_id, and client_secret for
+      // the secret-based methods) and nothing else. The JAR `aud` is the
+      // AS issuer identifier (RFC 9101 §5) — the operator may override but
+      // it defaults to the configured `issuer`.
+      var requestJwt = jar.build(authzParams, {
+        clientId:    clientId,
+        audience:    sro.audience || issuer,
+        key:         sro.key,
+        alg:         sro.alg,
+        kid:         sro.kid,
+        expiresInMs: sro.expiresInMs,
+      });
+      body.set("request",   requestJwt);
+      body.set("client_id", clientId);                 // RFC 9126 §3 — client identification
+      if (clientSecret) body.set("client_secret", clientSecret);
+    } else {
+      var ak = Object.keys(authzParams);
+      for (var ap = 0; ap < ak.length; ap++) body.set(ak[ap], authzParams[ak[ap]]);
+      if (clientSecret) body.set("client_secret", clientSecret);
     }
     var rv = await _postForm(endpoint, body);
     if (!rv || typeof rv.request_uri !== "string" || rv.request_uri.length === 0) {
@@ -2062,6 +2075,7 @@ function create(opts) {
       requestUri:  rv.request_uri,
       expiresIn:   typeof rv.expires_in === "number" ? rv.expires_in : null,
       authorizationDetails: requestedAuthzDetails,
+      requestObjectSent:    !!sro,
     };
   }
 

package/lib/auth/oid4vci.js

@@ -79,15 +79,68 @@ function _b64uDecodeStr(s) {
   return Buffer.from(s, "base64url").toString("utf8");
 }
 
-async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs, resolveKid) {
+// Linear trailing-`=` strip (charCodeAt + slice) — a regex-based
+// padding strip is polynomial-ReDoS-shaped per CodeQL
+// js/polynomial-redos; mirrors lib/argon2-builtin.js. The comparison
+// below is standard base64 (RFC 7515 §4.1.6), so b.crypto.toBase64Url
+// would produce the wrong alphabet.
+function _stripBase64Pad(s) {
+  var end = s.length;
+  while (end > 0 && s.charCodeAt(end - 1) === 61) end--;                           // 61 = "="
+  return s.slice(0, end);
+}
+
+// RFC 7515 §4.1.6 — x5c is an array of base64 (NOT base64url) DER
+// certificate strings, leaf first. Parse + shape-validate the chain into
+// node:crypto X509Certificate objects; refuse a malformed array (empty,
+// non-string entries, non-base64, or a leaf that won't parse) with a
+// typed AuthError matching the module error style.
+function _parseX5cChain(x5c) {
+  if (!Array.isArray(x5c) || x5c.length === 0) {
+    throw new AuthError("auth-oid4vci/bad-x5c",
+      "credential issuance: proof JWT `x5c` must be a non-empty array of base64 DER certificate strings (RFC 7515 §4.1.6)");
+  }
+  var derBuffers = [];
+  var certs = [];
+  for (var i = 0; i < x5c.length; i++) {
+    var entry = x5c[i];
+    if (typeof entry !== "string" || entry.length === 0) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c[" + i + "]` must be a non-empty base64 string");
+    }
+    // Standard base64 (not base64url) per RFC 7515 §4.1.6. Reject
+    // entries carrying base64url-only chars or that don't round-trip.
+    if (/[^A-Za-z0-9+/=]/.test(entry)) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c[" + i + "]` is not valid base64 (RFC 7515 §4.1.6 mandates standard base64, not base64url)");
+    }
+    var der = Buffer.from(entry, "base64");
+    if (der.length === 0 || _stripBase64Pad(der.toString("base64")) !== _stripBase64Pad(entry)) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c[" + i + "]` is not valid base64 (RFC 7515 §4.1.6)");
+    }
+    var cert;
+    try { cert = new nodeCrypto.X509Certificate(der); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c[" + i + "]` is not a parseable DER certificate: " + ((e && e.message) || String(e)));
+    }
+    derBuffers.push(der);
+    certs.push(cert);
+  }
+  return { derBuffers: derBuffers, certs: certs };
+}
+
+async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs, resolveKid, validateX5c) {
   // OID4VCI §7.2.1.1: the proof JWT MUST:
   //   - typ = "openid4vci-proof+jwt"
   //   - alg in supported list (issuer publishes these)
   //   - aud = credential issuer URL (this issuer's `credential_issuer`)
   //   - iat = recent
   //   - nonce = c_nonce previously issued to the wallet
-  //   - jwk (inline) OR kid (resolved via resolveKid) in the header
-  //     pointing at the holder key to bind cnf to (RFC 7515 §4.1.3/§4.1.4)
+  //   - jwk (inline), kid (resolved via resolveKid), OR x5c (leaf-cert
+  //     SPKI) in the header pointing at the holder key to bind cnf to
+  //     (RFC 7515 §4.1.3 / §4.1.4 / §4.1.6; OID4VCI §8.2.1.1)
   if (typeof proofJwt !== "string" || proofJwt.length === 0 || proofJwt.length > MAX_PROOF_BYTES) {
     throw new AuthError("auth-oid4vci/bad-proof",
       "credential issuance: proof JWT is empty or exceeds " + MAX_PROOF_BYTES + " bytes");
@@ -135,6 +188,18 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
     throw new AuthError("auth-oid4vci/wrong-proof-aud",
       "credential issuance: proof JWT aud \"" + payload.aud + "\" mismatch (expected \"" + expectedAud + "\")");
   }
+  // c_nonce expectation has three states the caller distinguishes:
+  //   null      → no nonce check expected (caller deliberately skips it).
+  //   string    → the c_nonce the wallet must echo (compared below).
+  //   undefined → a nonce WAS expected but the store missed/expired it
+  //               (cNonceStore.get returns undefined on miss/expiry, and
+  //               the c_nonce TTL is shorter than the access token's).
+  //               Refuse with a typed code — comparing against undefined
+  //               would otherwise throw a raw TypeError from timingSafeEqual.
+  if (expectedCNonce === undefined) {
+    throw new AuthError("auth-oid4vci/c-nonce-expired",
+      "credential issuance: c_nonce expected but missing/expired — wallet must request a fresh c_nonce (the /token response's c_nonce TTL elapsed before /credential was called)");
+  }
   if (expectedCNonce !== null) {
     // Constant-time c_nonce compare — secret-shaped value vs
     // attacker-controlled wallet payload.
@@ -172,7 +237,7 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
       "credential issuance: proof JWT iss does not match the access-token client_id");
   }
 
-  // Resolve the holder key the proof is signed with. Two paths:
+  // Resolve the holder key the proof is signed with. Three paths:
   //   - inline `jwk` (RFC 7515 §4.1.3) — the wallet ships the public
   //     key in the header; bind `cnf` to it directly.
   //   - `kid` (RFC 7515 §4.1.4) without inline `jwk` — the wallet
@@ -181,6 +246,15 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
   //     supplies `resolveKid(kid, header)` to map the kid → public key.
   //     With no resolver configured the issuer keeps the clear refusal
   //     (back-compat): a kid-only proof can't be verified without one.
+  //   - `x5c` (RFC 7515 §4.1.6) without inline `jwk`/`kid` — the wallet
+  //     ships a base64 DER certificate chain; the LEAF cert's SPKI is
+  //     the holder key (OID4VCI §8.2.1.1). Like inline `jwk`, the chain
+  //     is self-asserted, so leaf-SPKI extraction at the same trust
+  //     level is the correct parity — the proof signature check binds
+  //     the key. Chain trust beyond that is operator policy: an optional
+  //     `validateX5c(chainDerBuffers, header)` callback may throw to
+  //     refuse (PKI anchoring, EKU checks, revocation, attestation-CA
+  //     allowlist) before the SPKI is trusted.
   var holderKeyJwk = header.jwk || null;
   var keyObj;
   if (!holderKeyJwk && header.kid) {
@@ -228,6 +302,42 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
       throw new AuthError("auth-oid4vci/bad-resolved-key",
         "credential issuance: resolveKid-returned key is not importable as a public key: " + ((e && e.message) || String(e)));
     }
+  } else if (!holderKeyJwk && header.x5c) {
+    // RFC 7515 §4.1.6 / OID4VCI §8.2.1.1 — the wallet ships a base64 DER
+    // certificate chain; the LEAF (first) cert's SPKI is the holder key.
+    var chain = _parseX5cChain(header.x5c);
+    // Operator chain-trust policy runs BEFORE the SPKI is trusted. A
+    // throw refuses the proof (wrapped in a stable AuthError code so the
+    // /credential handler returns a typed refusal rather than an
+    // unhandled rejection; the callback is operator code, so its own
+    // message is allowed through for operator-side debugging).
+    if (typeof validateX5c === "function") {
+      try {
+        await validateX5c(chain.derBuffers.slice(), header);
+      } catch (e) {
+        if (e instanceof AuthError) throw e;
+        throw new AuthError("auth-oid4vci/x5c-rejected",
+          "credential issuance: validateX5c rejected the proof JWT certificate chain: " + ((e && e.message) || String(e)));
+      }
+    }
+    // Extract the leaf SPKI as a JWK to use as the holder key, exactly
+    // parallel to the inline-jwk path. publicKey is a node:crypto
+    // KeyObject; export to JWK for the cnf binding sdJwtIssuer.issue
+    // expects.
+    try { holderKeyJwk = chain.certs[0].publicKey.export({ format: "jwk" }); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c` leaf certificate public key does not export to JWK: " + ((e && e.message) || String(e)));
+    }
+    // CVE-2026-22817 — same alg/kty cross-check the inline path applies.
+    // A leaf cert holding an RSA key against a proof declaring an HMAC
+    // alg would otherwise be verified as an HMAC secret.
+    jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
+    try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c` leaf public key is not importable: " + ((e && e.message) || String(e)));
+    }
   } else {
     if (!holderKeyJwk) {
       throw new AuthError("auth-oid4vci/no-jwk-in-header",
@@ -292,6 +402,7 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
  *     supportedCredentials:       { [id]: { format, vct, claims, ... } },
  *     proofAlgorithms:            string[],              // default ["ES256", "ES384", "EdDSA"]
  *     resolveKid?:                function(kid, header), // resolve a kid-only proof's holder key (JWK | KeyObject); without it, kid-only proofs are refused
+ *     validateX5c?:               function(chainDerBuffers, header), // x5c (RFC 7515 §4.1.6) chain-trust policy; throw to refuse. Absent → leaf-cert SPKI binds at the same self-asserted trust as inline `jwk`
  *     preAuthCodeTtlMs?:          number,                // default 5m
  *     accessTokenTtlMs?:          number,                // default 15m
  *     cNonceTtlMs?:               number,                // default 5m
@@ -358,6 +469,14 @@ function create(opts) {
   var resolveKid = validateOpts.optionalFunction(opts.resolveKid,
     "issuer.create: resolveKid", AuthError, "auth-oid4vci/bad-resolve-kid");
 
+  // Optional x5c chain-trust policy for x5c proofs (RFC 7515 §4.1.6 /
+  // OID4VCI §8.2.1.1). Config-time throw if supplied but not a function.
+  // Absent → the leaf-cert SPKI binds at the same self-asserted trust
+  // level as an inline `jwk` (the proof signature binds the key); chain
+  // anchoring beyond that is the operator's to enforce via this callback.
+  var validateX5c = validateOpts.optionalFunction(opts.validateX5c,
+    "issuer.create: validateX5c", AuthError, "auth-oid4vci/bad-validate-x5c");
+
   var preAuthTtl = opts.preAuthCodeTtlMs || DEFAULT_PRE_AUTH_TTL_MS;
   var accessTokenTtl = opts.accessTokenTtlMs || DEFAULT_ACCESS_TOKEN_TTL;
   var cNonceTtl = opts.cNonceTtlMs || DEFAULT_C_NONCE_TTL_MS;
@@ -612,7 +731,7 @@ function create(opts) {
     }
 
     var expectedCNonce = await cNonceStore.get(iopts.accessToken);
-    var verified = await _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs, resolveKid);
+    var verified = await _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs, resolveKid, validateX5c);
 
     if (!iopts.claims || typeof iopts.claims !== "object") {
       throw new AuthError("auth-oid4vci/no-claims",

package/lib/auth/oid4vp.js

@@ -65,10 +65,11 @@ var _emitMetric = emit.metric;
 
 /**
  * Validate a DCQL query against the spec shape. Refuses unknown
- * top-level keys, missing credential id, missing claim paths, or
- * malformed credential_sets options. Throws AuthError on first
- * failure (config-time validation — the verifier author is the one
- * who needs to see the error).
+ * top-level keys, missing credential id, missing claim paths,
+ * numeric claim-path segments that are not non-negative integer
+ * array indices (OpenID4VP 1.0 §7.1.1), or malformed credential_sets
+ * options. Throws AuthError on first failure (config-time validation
+ * — the verifier author is the one who needs to see the error).
  */
 function _validateDcql(dcql) {
   if (!dcql || typeof dcql !== "object" || Array.isArray(dcql)) {
@@ -113,6 +114,15 @@ function _validateDcql(dcql) {
             throw new AuthError("auth-oid4vp/bad-claim-segment",
               "DCQL: claim path segments must be string|number|null");
           }
+          // OpenID4VP 1.0 §7.1.1 — a numeric segment is an array index;
+          // it MUST be a non-negative integer. Reject -1 / 1.5 / NaN /
+          // Infinity here (config-time / entry-point tier) so the
+          // verifier author sees the typo at build, not a silent
+          // non-match at verify time.
+          if (typeof segment === "number" && (!Number.isInteger(segment) || segment < 0)) {
+            throw new AuthError("auth-oid4vp/bad-claim-segment",
+              "DCQL: numeric claim path segment must be a non-negative integer (OpenID4VP 1.0 §7.1.1)");
+          }
         });
         if (claim.values !== undefined && !Array.isArray(claim.values)) {
           throw new AuthError("auth-oid4vp/bad-claim-values",

package/lib/break-glass.js

@@ -425,7 +425,6 @@ async function migrate(table, opts) {
  * has run.
  *
  * @opts
- *   now:        number,    // testing-only override of Date.now (fixtures)
  *   trustProxy: boolean,   // honor X-Forwarded-For when populating grant.ip (default false)
  *
  * @example
@@ -434,7 +433,7 @@ async function migrate(table, opts) {
  */
 function init(opts) {
   opts = opts || {};
-  validateOpts(opts, ["now", "trustProxy"], "breakGlass.init");
+  validateOpts(opts, ["trustProxy"], "breakGlass.init");
   initialized = true;
   policyCache.clear();
   _factorLockout = null;

package/lib/config.js

@@ -258,7 +258,8 @@ function create(opts) {
  *                   Rows whose transform throws or returns a non-string
  *                   are skipped with a `config.reload.failed` audit so a
  *                   single bad row never crashes the poller),
- *   audit:          boolean  (default true; reserved for future per-poll audit),
+ *   audit:          boolean  (default true; set false to silence the
+ *                   per-poll config.reload.* audit emissions),
  *
  * @example
  *   var s = b.safeSchema;
@@ -322,6 +323,12 @@ function loadDbBacked(opts) {
   var transformValue = validateOpts.optionalFunction(
     opts.transformValue, "loadDbBacked: opts.transformValue",
     ConfigError, "config/bad-transform-value") || null;
+  var auditOn = opts.audit !== false;
+  function _emitReloadAudit(record) {
+    if (!auditOn) return;
+    try { audit().safeEmit(record); }
+    catch (_e) { /* audit best-effort */ }
+  }
   var cfg = create({ schema: opts.schema, env: opts.env, redactKeys: opts.redactKeys });
   var stopped = false;
   // Concurrency guard. _tick() runs `await opts.fetchRows()` + per-row
@@ -348,12 +355,10 @@ function loadDbBacked(opts) {
     var rows;
     try { rows = await opts.fetchRows(); }
     catch (e) {
-      try {
-        audit().safeEmit({
-          action: "config.reload.failed", outcome: "failure",
-          metadata: { phase: "fetch", reason: e && e.message },
-        });
-      } catch (_e) { /* audit best-effort */ }
+      _emitReloadAudit({
+        action: "config.reload.failed", outcome: "failure",
+        metadata: { phase: "fetch", reason: e && e.message },
+      });
       return;
     }
     if (!Array.isArray(rows)) return;
@@ -366,21 +371,17 @@ function loadDbBacked(opts) {
         try {
           value = await transformValue(row);
         } catch (e) {
-          try {
-            audit().safeEmit({
-              action: "config.reload.failed", outcome: "failure",
-              metadata: { phase: "transform", key: row.key, reason: e && e.message },
-            });
-          } catch (_e) { /* audit best-effort */ }
+          _emitReloadAudit({
+            action: "config.reload.failed", outcome: "failure",
+            metadata: { phase: "transform", key: row.key, reason: e && e.message },
+          });
           continue;
         }
         if (typeof value !== "string") {
-          try {
-            audit().safeEmit({
-              action: "config.reload.failed", outcome: "failure",
-              metadata: { phase: "transform", key: row.key, reason: "transformValue did not return a string" },
-            });
-          } catch (_e) { /* audit best-effort */ }
+          _emitReloadAudit({
+            action: "config.reload.failed", outcome: "failure",
+            metadata: { phase: "transform", key: row.key, reason: "transformValue did not return a string" },
+          });
           continue;
         }
       }
@@ -389,12 +390,10 @@ function loadDbBacked(opts) {
     // Drop-stale: a tick that started after me has already finished and
     // applied its newer fetch — my overlay would clobber fresher data.
     if (mySeq <= ticksAppliedMax) {
-      try {
-        audit().safeEmit({
-          action: "config.reload.skipped", outcome: "success",
-          metadata: { phase: "stale-tick", mySeq: mySeq, appliedMax: ticksAppliedMax },
-        });
-      } catch (_e) { /* audit best-effort */ }
+      _emitReloadAudit({
+        action: "config.reload.skipped", outcome: "success",
+        metadata: { phase: "stale-tick", mySeq: mySeq, appliedMax: ticksAppliedMax },
+      });
       return;
     }
     // Advance the watermark ONLY after a successful reload. A newer
@@ -407,12 +406,10 @@ function loadDbBacked(opts) {
       ticksAppliedMax = mySeq;
     }
     catch (e) {
-      try {
-        audit().safeEmit({
-          action: "config.reload.failed", outcome: "failure",
-          metadata: { phase: "validate", reason: e && e.message },
-        });
-      } catch (_e) { /* audit best-effort */ }
+      _emitReloadAudit({
+        action: "config.reload.failed", outcome: "failure",
+        metadata: { phase: "validate", reason: e && e.message },
+      });
     }
   }
   // Fire one immediate hydration before the interval kicks in so