@blamejs/core 0.9.2 → 0.9.3

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.3 (2026-05-11) — **Audit hardening slice 3: OAuth + OID4VCI + OID4VP + CIBA + constant-time-compare migrations**. Continues the 2026-05-11 auth audit follow-through. **`b.auth.oauth.refreshAccessToken` atomic check-and-insert** — new `ropts.checkAndInsert(token, expireAtMs)` callback contract replaces the previous `ropts.seen(token)` check-then-act race. Two concurrent refresh requests on the same event-loop tick could both see `seen === false` and both POST to the token endpoint, neither flagging the replay; the new contract requires an atomic test-and-set (Redis SETNX, DB INSERT ON CONFLICT) and is the OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense surfacing the actual race window. Legacy `seen` callback continues to work for backwards-compat with operator code; the docstring documents the race + recommends migration to `checkAndInsert`. **`b.auth.oid4vci` constant-time compares** — pre-auth `tx_code` hash compare (was `!==` on sha3 hex) and proof-JWT `c_nonce` compare (was `!==` on attacker-supplied wallet payload) both route through `b.crypto.timingSafeEqual`. **`b.auth.oid4vp` per-presentation `vct` enforcement** — DCQL filters with 2+ `vct_values` entries previously bypassed vct validation entirely (the framework only set `expectedVct` when the filter pinned to a single value). Verifier now validates the presented vct against the DCQL filter list manually when length > 1; refuses with `vp_token['<id>'][<n>] vct '<presented>' is not in DCQL vct_values [...]` on over-disclosure. **`b.auth.ciba` slow_down honoring** — CIBA §11.3 requires the client to increase its polling interval by at least 5s on every `slow_down` response. Pre-v0.9.3 the framework client never bumped, leaving operators to do their own interval bookkeeping. Now `pollToken()` tracks per-`authReqId` interval state internally (Map keyed by authReqId, seeded from `startAuthentication`'s response, cleared on token issuance), bumps by `max(5s, IdP-suggested interval) <= MAX_INTERVAL_SEC` on every slow_down, and attaches the next-suggested interval to the thrown `auth-ciba/slow_down` error as `err.nextIntervalSec` so operators read a spec-correct back-off without manual bookkeeping. **`b.auth.ciba` notification-token entropy** — `clientNotificationToken` now refuses < 32 chars per CIBA §7.1.2's opaque-hard-to-guess requirement. Pre-v0.9.3 a 4-char token passed. **`b.auth.ciba.parseNotification` constant-time compare** — bearer-token hash compare migrated from `!==` to `b.crypto.timingSafeEqual` (both sides are fixed-width sha3-512 hex strings; defense-in-depth even though equal-length JS string compare is already widely understood as constant-time on V8).
 - v0.9.2 (2026-05-11) — **Audit hardening slice 2: WebAuthn + FIDO MDS3 + NIST AAL**. Continues the 2026-05-11 auth surface audit follow-through. **`b.auth.passkey.verifyAuthentication` counter-regression bypass fix** — pre-v0.9.2 the wrapper coerced `opts.credential.counter || 0`, silently zeroing an `undefined` / `null` / `NaN` counter and defeating CTAP 2.1 clone-detection on credentials whose stored counter was > 0. An operator deserializing the credential from a column that lost the counter would unknowingly accept a cloned authenticator. The wrapper now refuses `undefined` / `null` (operators MUST persist whatever the vendor returned at registration; first-time-stored credentials carry counter:0 explicitly) and rejects any non-integer / non-finite / negative value with `auth-passkey/bad-counter`. **`b.auth.passkey` multi-origin support** — `expectedOrigin` now accepts `string` OR `string[]` on both `verifyRegistration` and `verifyAuthentication`. Pre-v0.9.2 the wrapper enforced a single string only, blocking multi-origin deployments (web + admin-subdomain) from sharing one verifier; SimpleWebAuthn natively supports arrays. **`b.auth.passkey` prototype-pollution fix** — `ALLOWED_MEDIATION` lookup changed from `{...}[opts.mediation]` to `hasOwnProperty.call(ALLOWED_MEDIATION, opts.mediation)` with a null-prototype map. Pre-v0.9.2 a caller passing `mediation: "__proto__"` / `"constructor"` truthy-matched an inherited Object.prototype property and slipped past the allowlist into `generateAuthenticationOptions`. **`b.auth.aal.fromMethods` UV requirement for AAL3** — per NIST SP 800-63-4 §5.1.7, WebAuthn / passkey satisfies AAL3 (MF-CRYPT) only when user verification was performed on the assertion. Pre-v0.9.2 `fromMethods({ webauthn: true })` returned `AAL3` unconditionally; operators using `userVerification: "preferred"` whose authenticator skipped UV landed in AAL3 despite not satisfying the spec's MF requirement. The caller now passes `uv: true` (sourced from the vendor's authData UV bit) to claim AAL3 with webauthn alone; without `uv`, webauthn alone caps at AAL2 (SF-CRYPT). Combination paths (`webauthn + password` / `webauthn + pin`) reach AAL3 regardless of UV (the memorized secret provides the second factor independently). **`b.auth.fidoMds3.verifyAuthenticator` fail-closed default + new opts** — pre-v0.9.2 unknown AAGUIDs returned `{ ok: true, reason: "aaguid-not-in-blob" }`, silently trusting any authenticator the metadata service hadn't yet listed (rogue / pre-certification / fake hardware). Now fails closed by default; operators wanting the legacy fail-open behavior (test fixtures, pre-certification pilot rollouts) pass `opts.allowUnknownAaguid: true` explicitly. **`b.auth.fidoMds3.parseBlob` stale-BLOB refusal** — refuses BLOB payloads whose `nextUpdate` is already in the past (FIDO MDS3 §3.1.7). Pre-v0.9.2 the staleness was floored to `MIN_CACHE_TTL_MS` but the BLOB was still served, letting an attacker pin operators to a revoked-authenticator-list-frozen-at-X by serving an ancient signed-but-expired BLOB. **`b.auth.fidoMds3.REFUSE_STATUS`** — added `ATTESTATION_KEY_COMPROMISE` per FIDO MDS3 §3.1.4. Pre-v0.9.2 this status was silently accepted; manufacturer batch-signing-key compromise affects every credential attested under that key.
 - v0.9.1 (2026-05-11) — **Audit hardening, slice 1 of N: federation auth + OAuth ID-token verifier**. Audit run after v0.9.0 across OAuth / SAML / OIDC federation / SD-JWT VC / WebAuthn / FIDO MDS3 / constant-time-compare surfaces; this slice closes the highest-severity SAML + OIDC + SD-JWT + OAuth findings. **SAML SP** (`b.auth.saml.sp.create({...}).buildAuthnRequest` + `.metadata`): every operator-supplied URL / ID interpolated into the emitted XML now routes through `b.xmlC14n.escapeAttrValue` / `escapeText`. Pre-v0.9.1 a `"` or `<` in `idpSsoUrl` / `assertionConsumerServiceUrl` / `entityId` / `nameIdFormat` broke out of attribute / element context and produced unsigned-XML breakout into the IdP redirect. Newly exported `b.xmlC14n.escapeAttrValue(s)` and `b.xmlC14n.escapeText(s)` — RFC 3741 §1.3.x compliant; available for any operator emitting XML alongside the framework's own SAML / canonicalization paths. **SAML SP `verifyResponse`**: digest compare on `Reference DigestValue` and `SubjectConfirmation InResponseTo` now use `b.crypto.timingSafeEqual` instead of `Buffer.compare` / `!==`. **SAML XSW defense**: refuses Response payloads that carry duplicate `<Status>`, `<StatusCode>`, `<Assertion>`, `<Subject>`, or `<NameID>` children — XML signature wrapping attacks ferry an unsigned sibling next to a signed element and exploit first-match parsers; the verifier now asserts single-child cardinality on every security-critical element via `_findAllChildren(...).length === 1`. **OIDC federation** (`b.auth.openidFederation.verifyEntityStatement`): JWK key-type cross-check against the JWS `alg` header BEFORE `nodeCrypto.createPublicKey` — an attacker-controlled entity-config declaring `alg: "ES256"` while supplying an RSA JWK would previously load through Node's silent algorithm-vs-key coercion path. Now refuses with `auth-openid-federation/alg-kty-mismatch` for any `alg=ES*` not paired with `kty=EC`, `alg=PS*`/`RS*` not paired with `RSA`, or `alg=EdDSA` not paired with `OKP`. **`b.auth.openidFederation.buildTrustChain` error-masking**: trust-chain ascent previously swallowed every per-authority failure via `catch (_e) {}` and continued to the next `authority_hint`; signature-failure errors from one authority no longer mask, the chain now refuses on cryptographic refusal (`bad-jwk`, `alg-kty-mismatch`, `bad-signature`, `signature-failed`). Network / 404 / iss-sub-mismatch errors still continue to the next hint but are collected and surfaced in the `no-ascent` failure shape. **SD-JWT VC verify** (`b.auth.sdJwtVc.verify`): three correctness fixes. (1) `_sd_alg` default switched from `sha3-512` to `sha-256` per IETF draft §4.1.1 — prior default broke verification against spec-conformant issuers when the issuer omitted `_sd_alg`. (2) Disclosure-replay defense: every disclosure digest tracked in a Set; second occurrence of the same digest refuses with `auth-sd-jwt-vc/disclosure-replay`. (3) Claim-shadowing defense: holder-supplied disclosures whose name collides with an issuer-signed top-level claim (`iss`, `sub`, `aud`, `iat`, `nbf`, `exp`, `jti`, `vct`, `cnf`, `_sd`, `_sd_alg`, `status`) refuse with `auth-sd-jwt-vc/protected-claim-shadow` instead of silently overwriting the signed value. (4) KB-JWT `sd_hash` now uses the credential's declared `_sd_alg` (was hardcoded sha256, breaking against issuers using sha3-512); `sd_hash` compare routed through `b.crypto.timingSafeEqual`. **OAuth `verifyIdToken`** (`b.auth.oauth.verifyIdToken`): three hardening fixes that bring the verifier to parity with the framework's other JWS verifiers. (1) `nodeCrypto.verify` wrapped in try/catch — previously panicked on key/sig shape mismatch (e.g. ES256 sig against an RS256 key returned by a buggy IdP with duplicate kids), bubbling a raw `Error` to the operator's handler instead of an `OAuthError`. (2) RFC 7515 §4.1.11 `crit` header refusal — every sibling verifier (`b.auth.jwt`, `b.auth.jwt.verifyExternal`, `b.auth.dpop`) refuses; verifyIdToken previously silently ignored, letting an attacker-controlled OP ship critical extensions the verifier doesn't understand. (3) `state` and `nonce` claim compares routed through `b.crypto.timingSafeEqual` — these are CSRF / replay tokens compared against attacker-controlled callback / payload data.
 - v0.9.0 (2026-05-11) — **Minor: 3 new RFC primitives + `b.structuredFields` shared substrate + full audit-derived hardening sweep + 5 new bug-class detectors**. **`b.structuredFields`** consolidates the quote-aware top-level splitter (`splitTopLevel(s, sep)`), the raw-value control-byte refusal scan (`refuseControlBytes` / `containsControlBytes`), and the sf-string unquote (`unquoteSfString`) used by every RFC 8941 / RFC 9110 / RFC 9111 / RFC 9213 / RFC 9421 / RFC 6266 / RFC 6265 / RFC 6455 parser in the framework — replaces the per-file open-coded copies that were drifting site-by-site. **8 audit-surfaced bug-class sites fixed in this same patch** (no deferred follow-up): (1) `b.middleware.bodyParser._contentType` + `_parseHeaderParams` — RFC 9110 Content-Type / RFC 6266 Content-Disposition parameters can carry quoted-string values (`boundary="foo;bar"` / `filename="weird;name.txt"`); bare `.split(";")` previously sliced through quoted semicolons and corrupted multipart boundaries. (2) `b.requestHelpers.parseListHeader({ strictToken: true })` — control-byte scan now runs on the RAW value before `.trim()` so a leading `\n<token>` no longer slips past `RFC_9110_TOKEN_RE` (same v0.8.90 bug class; used by webhook signature parsing and WS subprotocol negotiation). (3) `b.middleware.tusUpload._parseChecksumHeader` — same trim-before-validate fix. (4) `b.httpClient.cache._parseCacheControl` — quote-aware `,` splitter (RFC 9111 §5.2 + RFC 9110 §5.6.4 directive values may be quoted-string). (5) `b.httpClient.cookieJar._parseSetCookie` — quote-aware `;` splitter defends RFC 7230 quoted-string attribute values (`SameSite="Strict"` from interop-imperfect upstreams). (6) `b.websocket._parseExtensionHeader` — quote-aware `;` and `,` splitters defend RFC 6455 §9.1 + RFC 7230 token-or-quoted-string parameter values against forward-compat extensions shipping quoted params. (7) `b.aiPref.parseHeader` — control-byte refusal added on the RAW value before split + trim. (8) `b.auth.stepUp.parseChallenge` — same trim-before-validate fix (returns `null` per defensive-reader contract instead of throwing). Also: `b.logStream.init({ minLevel })` now validates the level vocabulary at config time so a typo'd `"infos"` (which previously produced `LEVEL_PRIORITY["infos"] === undefined` and silently dropped every log record) throws at boot. `b.crypto.httpSig`'s RFC 9421 Signature-Input parameter parser uses the quote-aware `;` splitter (RFC 8941 §3.1.2 sf-string parameter values). `b.security.assertProductionPosture({ minTlsVersion })` validates `minTlsVersion` against the canonical TLS vocabulary BEFORE the rank comparison (a typo previously silently passed because `indexOf` returned `-1` — same bug class as v0.8.88 `b.auth.fal.meets`). **3 new RFC primitives**: **`b.cdnCacheControl`** ships an RFC 9213 directive list builder + parser shared across `Cache-Control`, `CDN-Cache-Control`, `Surrogate-Control`, and the operator-specific `Cloudflare-` / `Vercel-` / `Fastly-` / `Akamai-` / `Netlify-CDN-Cache-Control` variants. `build({...})` emits the directive list string (numeric directives non-negative-integer-only; refuses Infinity / NaN / floats / negatives; full RFC 9111 boolean directive set; `extensions` for non-standard directives with RFC 7234 §5.2 token-shape enforcement); refuses `public + private` conflict per RFC 9111 §5.2.2.5/§5.2.2.6. `parse(headerValue)` decodes any targeted header into `{ public, private, noStore, maxAge, sMaxAge, ..., directives, fields }` with **qualified-form support** (`private="Authorization"` flag stays enabled, field-name list under `.fields[camel]` per RFC 9111 §5.2.2.4 / §5.2.2.6 — presence == enabled, the argument narrows scope), **bare `max-stale` parses as `Infinity`** per RFC 9111 §5.2.1.2 (instead of buggy `Number(true) === 1`), and a quote-aware top-level `,` splitter so a `, ` inside a quoted directive value doesn't fake-split. `isTargetedHeader(name)` + curated `TARGETED_HEADERS` allowlist. **`b.clientHints`** ships a Sec-CH-UA-* request-header family parser per W3C UA Client Hints + IETF draft-davidben-http-client-hint-reliability. `parse(req.headers)` returns `{ brands, mobile, platform, platformVersion, arch, bitness, model, fullVersionList, wow64, formFactors, raw }`; quote-aware splitters at brand-list and brand-member-parameter level (RFC 8941 §4.1.1.4 parameter values may be sf-string); refuses control characters in any Sec-CH-* value. `acceptList(hintNames)` builds `Accept-CH` with typo-defense (unknown hint name throws `client-hints/unknown-hint`); dedupes case-variant duplicates; canonicalizes to W3C mixed-case spelling. `KNOWN_HINTS` exports the well-known 22-name list. **`b.network.dns.classifyDnskeyAlgorithm(algorithm)` / `classifyDsDigestType(digestType)`** — RFC 9905 DNSSEC SHA-1 deprecation classifier. Covers every IANA-assigned DNSKEY algorithm (including PRIVATEDNS/PRIVATEOID/INDIRECT/Reserved entries) and RFC 9558 §3 DS digest types 5 (GOST R 34.11-2012) + 6 (SM3); operators auditing inbound DNSSEC chain-of-trust evidence refuse validations where `deprecated === true`. Inline `allow:bare-split-on-quoted-header` markers added across `mail-auth.js` (DKIM / DMARC / ARC tag-list grammar — token-only), `network-smtp-policy.js` (TLS-RPT — token-only), `middleware/scim-server.js` (RFC 7644 §3.9 SCIM attribute paths), `http-client-cache.js` (RFC 9110 §12.5.5 Vary field-names), `http-message-signature.js` (RFC 9421 component-id covered list), `middleware/body-parser.js` (RFC 9112 §6.1 Transfer-Encoding token-only), each citing the controlling RFC clause showing why quoted-string is not a legal value in that grammar. **5 new bug-class detectors** in `test/layer-0-primitives/codebase-patterns.test.js` so the same shapes can't drift back in: (a) `trim-before-validate` — control-byte refusal scans must run on the RAW header value BEFORE `.trim()` strips leading/trailing C0/DEL bytes; detector now catches BOTH the `charCodeAt` codepoint-loop shape AND the `<NAME>_RE.test(<trimmed>)` grammar-regex shape; (b) `enum-rank-without-validation` — `_rankFn(X) >= _rankFn(Y)` arithmetic comparisons must have a preceding `isValid*` / `KNOWN_*` membership check on both inputs (catches `b.auth.fal.meets` bug shape); (c) `bool-string-coerce-shape` — boolean directive parsing must NOT use `val === "" || val === "true"` coercion (catches `b.cdnCacheControl.parse` qualified-form bug shape); (d) `bare-split-on-quoted-header` — RFC structured-fields parsers in files that ALSO handle sf-string unquote regex must use the shared quote-aware `b.structuredFields.splitTopLevel`, not bare `.split(",") / .split(";")`; (e) `scoped-context-binding-unused` — scope-named factory bindings (`forwarderDomain` / `realm` / `origin` / `audience` / `issuer`) captured in the factory must be compared against the inbound value's embedded scope in the `verify` / `reverse` / `decode` path (catches the v0.8.89 SRS forwarder-domain bug shape). Operators upgrade `0.8.90` → `0.9.0`; v0.8.91 was never tagged (its surface is folded into v0.9.0 with the audit-derived hardening).

package/lib/auth/ciba.js

@@ -55,7 +55,7 @@ var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var safeJson     = require("../safe-json");
 var safeUrl      = require("../safe-url");
-var { generateToken, sha3Hash } = require("../crypto");
+var { generateToken, sha3Hash, timingSafeEqual } = require("../crypto");
 var { AuthError } = require("../framework-error");
 
 var httpClient    = lazyRequire(function () { return require("../http-client"); });
@@ -169,6 +169,16 @@ function create(opts) {
     throw new AuthError("auth-ciba/no-notification-token",
       "auth.ciba.client.create: clientNotificationToken required for ping/push delivery modes");
   }
+  // Minimum-entropy guard on the client_notification_token (audit
+  // 2026-05-11). CIBA §7.1.2 requires the token be opaque + hard to
+  // guess; the framework's other token-shaped primitives enforce 32
+  // chars minimum. A 4-char token was previously accepted; refuse.
+  if (clientNotificationToken !== null && clientNotificationToken.length < 32) {                  // allow:raw-byte-literal — RFC 9700 §7.1.2 token char-length minimum, not bytes
+    throw new AuthError("auth-ciba/notification-token-too-short",
+      "auth.ciba.client.create: clientNotificationToken must be >= 32 chars " +
+      "(generate via b.crypto.generateToken(32) or stronger; CIBA §7.1.2 " +
+      "requires opaque hard-to-guess token).");
+  }
 
   // Each backchannel-authentication request mints a fresh
   // `client_notification_token` per the spec? No — the RP registers
@@ -368,6 +378,10 @@ function create(opts) {
       ? rv.interval : DEFAULT_INTERVAL_SEC;
     var expiresIn = typeof rv.expires_in === "number" && rv.expires_in > 0
       ? rv.expires_in : DEFAULT_EXPIRES_SEC;
+    // Seed the per-authReqId interval tracker so pollToken's
+    // slow_down handler bumps from the IdP-supplied starting point
+    // (CIBA §11.3 minimum-5s bump on every slow_down response).
+    _registerInitialInterval(rv.auth_req_id, interval);
 
     _emitAudit("start", "success", {
       authReqIdHash: sha3Hash("auth-ciba:" + rv.auth_req_id),
@@ -399,6 +413,17 @@ function create(opts) {
    *   var tokens = await ciba.pollToken({ authReqId: ticket.authReqId });
    *   // → { accessToken, idToken, refreshToken, tokenType, scope, expiresIn, raw }
    */
+  // Per-authReqId interval tracking — CIBA §11.3 requires the client
+  // to increase its polling interval by at least 5s on every
+  // `slow_down` response. The framework client now maintains this
+  // state internally so operators reading `err.nextIntervalSec` get
+  // a spec-correct back-off without rolling their own counter.
+  var _intervalState = new Map();   // authReqId → current interval sec
+
+  function _registerInitialInterval(authReqId, intervalSec) {
+    _intervalState.set(authReqId, intervalSec);
+  }
+
   async function pollToken(popts) {
     popts = popts || {};
     if (typeof popts.authReqId !== "string" || popts.authReqId.length === 0) {
@@ -421,7 +446,33 @@ function create(opts) {
       body.set("client_id", opts.clientId);
     }
     if (clientAuth === "mtls") body.set("client_id", opts.clientId);
-    var rv = await _postForm(endpoint, body);
+    var rv;
+    try {
+      rv = await _postForm(endpoint, body);
+    } catch (err) {
+      // CIBA §11.3 — on slow_down response, increase polling
+      // interval by at least 5s. Attach the next-suggested-interval
+      // to the error so the operator's poll loop reads a spec-
+      // correct back-off without manual bookkeeping. The IdP MAY
+      // optionally return its own `interval` value in the 400 body;
+      // honor that when >= current + 5, otherwise enforce the
+      // minimum 5s bump.
+      if (err && err.code === "auth-ciba/slow_down") {
+        var current = _intervalState.get(popts.authReqId) || DEFAULT_INTERVAL_SEC;
+        var idpSuggested = err.cibaError && typeof err.cibaError.interval === "number"
+          ? err.cibaError.interval : null;
+        var next = current + 5;                                                                 // allow:raw-time-literal — §11.3 mandates +5s minimum
+        if (idpSuggested !== null && idpSuggested > next && idpSuggested <= MAX_INTERVAL_SEC) {
+          next = idpSuggested;
+        }
+        if (next > MAX_INTERVAL_SEC) next = MAX_INTERVAL_SEC;
+        _intervalState.set(popts.authReqId, next);
+        err.nextIntervalSec = next;
+      }
+      throw err;
+    }
+    // Token issued — clear interval tracking for this authReqId.
+    _intervalState.delete(popts.authReqId);
     _emitAudit("token_received", "success", {
       authReqIdHash: sha3Hash("auth-ciba:" + popts.authReqId),
     });
@@ -479,13 +530,15 @@ function create(opts) {
       throw new AuthError("auth-ciba/bad-bearer",
         "ciba.parseNotification: empty bearer or no expected token configured");
     }
-    // Constant-time compare via the framework's primitive shape —
-    // sha3-of-each + ===-of-hash is constant-time over equal-length
-    // hashes regardless of presented length, so a length-side-channel
-    // probe can't enumerate the prefix.
+    // Constant-time compare on the SHA3 hash of both tokens —
+    // matches the project-wide discipline (audit 2026-05-11). Both
+    // sides are fixed-width sha3-512 hex strings; timingSafeEqual
+    // adds explicit defense-in-depth over `!==` even though equal-
+    // length JS string compare is already broadly understood as
+    // constant-time on V8.
     var presentedHash = sha3Hash(presented);
     var expectedHash  = sha3Hash(clientNotificationToken);
-    if (presentedHash !== expectedHash) {
+    if (!timingSafeEqual(presentedHash, expectedHash)) {
       _emitAudit("notification_token_mismatch", "failure", {});
       throw new AuthError("auth-ciba/wrong-bearer",
         "ciba.parseNotification: client_notification_token does not match");

package/lib/auth/oauth.js

@@ -561,20 +561,45 @@ function create(opts) {
     // constrained confidential clients. Operators with sender-
     // constrained tokens (DPoP / mTLS) can opt out by NOT supplying
     // a seen callback.
-    if (typeof ropts.seen === "function") {
-      var alreadySeen;
+    //
+    // Atomic check-and-insert (audit 2026-05-11) — pre-v0.9.3 the
+    // check ran via `ropts.seen(token)` which was a check-then-act
+    // race: two concurrent refresh requests landed on the same
+    // event-loop tick could both see `seen === false` and both POST
+    // to the token endpoint, neither flagging the replay. The new
+    // contract is `ropts.checkAndInsert(token, expireAtMs)` which
+    // MUST atomically test-and-set: returns true if the token was
+    // ALREADY in the store (replay) and false if it just inserted
+    // the token. The legacy `seen` callback continues to work for
+    // backward compatibility but emits a deprecation warning.
+    var alreadySeen = false;
+    if (typeof ropts.checkAndInsert === "function") {
+      var nowMs = Date.now();
+      // 24h max refresh-token TTL — operators with shorter TTLs
+      // should configure their store's own expiry policy.
+      var expireAtMs = nowMs + C.TIME.hours(24);
+      try { alreadySeen = await ropts.checkAndInsert(refreshToken, expireAtMs); }
+      catch (e) {
+        throw new OAuthError("auth-oauth/seen-callback-failed",
+          "refreshAccessToken: checkAndInsert() callback threw: " + ((e && e.message) || String(e)));
+      }
+    } else if (typeof ropts.seen === "function") {
+      // Legacy non-atomic path. Documented as a check-then-act race;
+      // operators sharing a single-writer store (Redis SETNX, DB
+      // INSERT ON CONFLICT) MUST migrate to checkAndInsert. Stays
+      // here for backwards-compat with existing operator code.
       try { alreadySeen = await ropts.seen(refreshToken); }
       catch (e) {
         throw new OAuthError("auth-oauth/seen-callback-failed",
           "refreshAccessToken: seen() callback threw: " + ((e && e.message) || String(e)));
       }
-      if (alreadySeen === true) {
-        throw new OAuthError("auth-oauth/refresh-token-replay",
-          "refreshAccessToken: refresh token has been presented before — refused " +
-          "(OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense). The operator MUST " +
-          "treat this as a token-theft signal: revoke the refresh-token family + force " +
-          "the user to re-authenticate.");
-      }
+    }
+    if (alreadySeen === true) {
+      throw new OAuthError("auth-oauth/refresh-token-replay",
+        "refreshAccessToken: refresh token has been presented before — refused " +
+        "(OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense). The operator MUST " +
+        "treat this as a token-theft signal: revoke the refresh-token family + force " +
+        "the user to re-authenticate.");
     }
     var endpoint = await _resolveEndpoint("tokenEndpoint");
     var body = new URLSearchParams();

package/lib/auth/oid4vci.js

@@ -54,7 +54,7 @@ var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var safeJson     = require("../safe-json");
 var nodeCrypto   = require("node:crypto");
-var { generateToken, sha3Hash } = require("../crypto");
+var { generateToken, sha3Hash, timingSafeEqual } = require("../crypto");
 var { AuthError } = require("../framework-error");
 
 var cache       = lazyRequire(function () { return require("../cache"); });
@@ -116,9 +116,14 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
     throw new AuthError("auth-oid4vci/wrong-proof-aud",
       "credential issuance: proof JWT aud \"" + payload.aud + "\" mismatch (expected \"" + expectedAud + "\")");
   }
-  if (expectedCNonce !== null && payload.nonce !== expectedCNonce) {
-    throw new AuthError("auth-oid4vci/wrong-proof-nonce",
-      "credential issuance: proof JWT nonce mismatch (replay defense — wallet must use the c_nonce from the most recent issuer response)");
+  if (expectedCNonce !== null) {
+    // Constant-time c_nonce compare — secret-shaped value vs
+    // attacker-controlled wallet payload. (Audit 2026-05-11.)
+    if (typeof payload.nonce !== "string" ||
+        !timingSafeEqual(payload.nonce, expectedCNonce)) {
+      throw new AuthError("auth-oid4vci/wrong-proof-nonce",
+        "credential issuance: proof JWT nonce mismatch (replay defense — wallet must use the c_nonce from the most recent issuer response)");
+    }
   }
   if (typeof payload.iat !== "number") {
     throw new AuthError("auth-oid4vci/no-proof-iat",
@@ -400,8 +405,11 @@ function create(opts) {
           "exchangePreAuthorizedCode: tx_code required (offer mandates it)");
       }
       var txHash = sha3Hash("oid4vci-tx:" + eopts.txCode);
-      // Constant-time-ish compare via fixed-size sha3 hash equality.
-      if (txHash !== entry.txCodeHash) {
+      // Constant-time compare on the hashed tx_code (audit 2026-05-11
+      // — was `!==` on fixed-width sha3 hex; per CLAUDE.md rule §5
+      // every framework-internal compare against attacker-controlled
+      // input routes through timingSafeEqual).
+      if (!timingSafeEqual(txHash, entry.txCodeHash)) {
         // Don't consume on failure — wallet may be retrying. Operator
         // attaches their own attempt counter / lockout via b.auth.lockout.
         _emitAudit("tx_code_mismatch", "failure", {

package/lib/auth/oid4vp.js

@@ -452,6 +452,16 @@ function create(opts) {
           continue;
         }
         try {
+          // Per-presentation vct enforcement (audit 2026-05-11): when
+          // DCQL's `vct_values` has 1 entry, `expectedVct` pins it.
+          // With 2+ entries the verifier's expectedVct opt can't hold
+          // a list, so we verify-without-expected and then validate
+          // the actual vct against the DCQL list manually — over-
+          // disclosure defense (a holder presenting a vct outside
+          // the DCQL filter would previously slip through).
+          var dcqlVctValues = cq.meta && Array.isArray(cq.meta.vct_values) ? cq.meta.vct_values : null;
+          var expectedVct = dcqlVctValues && dcqlVctValues.length === 1
+            ? dcqlVctValues[0] : undefined;
           var verified = await sdJwtVcCore().verify(t, {
             issuerKeyResolver:      opts.issuerKeyResolver,
             audience:               audience,
@@ -459,9 +469,16 @@ function create(opts) {
             requireKeyBinding:      true,
             requireKeyAttestation:  vopts.requireKeyAttestation === true,
             keyAttestationVerifier: opts.keyAttestationVerifier || null,
-            expectedVct:            cq.meta && cq.meta.vct_values && cq.meta.vct_values.length === 1
-                                      ? cq.meta.vct_values[0] : undefined,
+            expectedVct:            expectedVct,
           });
+          if (dcqlVctValues && dcqlVctValues.length > 1) {
+            if (!verified.claims || dcqlVctValues.indexOf(verified.claims.vct) === -1) {
+              verifyErrors.push("vp_token['" + id + "'][" + ti + "] vct '" +
+                ((verified.claims && verified.claims.vct) || "<missing>") +
+                "' is not in DCQL vct_values [" + dcqlVctValues.join(", ") + "]");
+              continue;
+            }
+          }
           presentations.push({
             id:                   id,
             format:               cq.format,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.2",
+  "version": "0.9.3",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:1fccffd9-4415-43af-8e59-a1b496768581",
+  "serialNumber": "urn:uuid:f34cb19c-6c49-42cb-80d5-8727b4fb0f86",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-11T23:52:18.846Z",
+    "timestamp": "2026-05-12T00:20:11.455Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.2",
+      "bom-ref": "@blamejs/core@0.9.3",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.2",
+      "version": "0.9.3",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.2",
+      "purl": "pkg:npm/%40blamejs/core@0.9.3",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.2",
+      "ref": "@blamejs/core@0.9.3",
       "dependsOn": []
     }
   ]