@blamejs/core 0.9.49 → 0.10.2

package/lib/middleware/idempotency-key.js

@@ -161,19 +161,44 @@ function memoryStore(opts) {
  *     `SELECT k, status_code, expires_at FROM <tableName>` —
  *     non-sealed columns are forensic-queryable without unsealing.
  *
- * **Defense-in-depth defaults (since 0.9.15) — both can be opted out:**
+ * **Defense-in-depth defaults — every option below ships on by default:**
  *
- *   - `hashKeys: true` — operator-supplied keys are sha3-512
- *     namespace-hashed via `b.crypto.namespaceHash("idempotency-key",
- *     key)` before insert/lookup. The `k` column carries the hash, not
- *     the raw key. Operator keys often carry PII (order numbers,
- *     emails, vendor prefixes); the DB never sees them.
- *   - `seal: true` — `headers` and `body` columns are sealed via
- *     `b.cryptoField.sealRow` (vault-managed key, AEAD envelope) so a
- *     DB dump leaks neither cached response bodies nor headers.
- *     Requires `b.vault.init(...)` to have run; falls back to plain-
- *     text with a one-shot audit warning when vault isn't ready, so
- *     test-fixture / boot-script callers still work.
+ *   - `hashKeys: true` (since 0.9.15) — operator-supplied keys are
+ *     sha3-512 namespace-hashed via
+ *     `b.crypto.namespaceHash("idempotency-key", key)` before
+ *     insert/lookup. The `k` column carries the hash, not the raw key.
+ *     Operator keys often carry PII (order numbers, emails, vendor
+ *     prefixes); the DB never sees them.
+ *   - `seal: true` (since 0.9.15) — `headers` and `body` columns are
+ *     sealed via `b.cryptoField.sealRow` (vault-managed key, AEAD
+ *     envelope) so a DB dump leaks neither cached response bodies nor
+ *     headers. Requires `b.vault.init(...)` to have run; falls back to
+ *     plain-text with a one-shot audit warning when vault isn't ready,
+ *     so test-fixture / boot-script callers still work.
+ *   - `aad: true` (since 0.9.58 — CRYPTO-1) — sealed columns are bound
+ *     via Additional Authenticated Data to (table, k, column,
+ *     schemaVersion) so a DB-write attacker can't copy a sealed
+ *     header/body cell from one row to another (which previously
+ *     decrypted cleanly under plain `vault.seal`). Existing v0.9.15-
+ *     v0.9.57 dbStore tables continue to read because unsealRow auto-
+ *     detects the envelope shape; lazy re-seal on next `set()` upgrades
+ *     each row to AAD form. Operators wanting a one-shot migration
+ *     call `b.middleware.idempotencyKey.resealMigrate(store)`.
+ *   - `fingerprintSeal: true` (since 0.9.58 — CRYPTO-4) — the request
+ *     `fingerprint` column carries an HMAC under a vault-derived
+ *     secret instead of a bare SHA3-256 of method+path+body. The
+ *     compare path is constant-time so the column doubles as a
+ *     mismatch oracle without offline-brute-force exposure.
+ *   - `bodyFingerprintFallback: "deny"` (since 0.9.58 — SUBSTRATE-13) —
+ *     when neither `bodyFingerprint` nor `req._rawBody`/`req.body` is
+ *     populated for a body-bearing method, the middleware previously
+ *     silently degraded the fingerprint to method+path. Set to
+ *     `"deny"` (the new default) and the middleware refuses the
+ *     request with HTTP 400 `idempotency/missing-body-fingerprint`
+ *     instead. Operators with a documented "no body" use case set
+ *     `bodyFingerprintFallback: "method-path-only"` to restore the
+ *     pre-0.9.58 behavior — the audit chain still emits
+ *     `idempotency.empty_body_fingerprint` so the misorder is visible.
  *
  * Lazily-expired: `get(key)` returns `null` for any row whose
  * `expires_at` has passed. The cleanup is scoped by the observed
@@ -203,6 +228,8 @@ function memoryStore(opts) {
  *   init?:      boolean,  // default true — run CREATE TABLE IF NOT EXISTS at construction
  *   hashKeys?:  boolean,  // default true — store sha3-512 namespace-hash of the key, not the raw key
  *   seal?:      boolean,  // default true — seal headers + body via b.cryptoField when vault is ready
+ *   aad?:       boolean,  // default true — AAD-bind seal to (table,k,column) so a DB-write attacker can't cross-row swap (CRYPTO-1)
+ *   fingerprintSeal?: boolean, // default true — HMAC fingerprint under a vault-derived secret instead of bare sha3-256 (CRYPTO-4)
  *
  * @example
  *   // single-process daemon, framework's internal sqlite, both defaults on:
@@ -237,6 +264,15 @@ function dbStore(opts) {
   var doInit   = opts.init     !== false;
   var hashKeys = opts.hashKeys !== false;
   var sealReq  = opts.seal     !== false;
+  // CRYPTO-1 — AAD-bind sealing to (table, k, column) by default.
+  // Forms a defense-in-depth pair with seal: cross-row swap fails
+  // Poly1305 even when the attacker controls the DB layer.
+  var aadOn    = opts.aad      !== false;
+  // CRYPTO-4 — HMAC the fingerprint under a vault-derived secret by
+  // default. Bare SHA3-256 of method+path+body is offline-brute-
+  // forceable for any DB-dump attacker; HMAC under a vault secret
+  // forces them to break the vault first.
+  var fpSealOn = opts.fingerprintSeal !== false;
   var db = opts.db;
 
   // Probe vault readiness with a sentinel seal. If vault.init() hasn't
@@ -247,6 +283,8 @@ function dbStore(opts) {
   var sealEnabled = false;
   if (sealReq) {
     try {
+      // allow:seal-without-aad — vault-readiness probe; throwaway
+      // sentinel value, not row-bound data
       vault.seal("__idempotency_seal_probe__");
       sealEnabled = true;
     } catch (_vaultErr) {
@@ -259,13 +297,42 @@ function dbStore(opts) {
 
   // Register the table with cryptoField. registerTable is idempotent
   // — subsequent dbStore() calls with the same tableName re-declare
-  // the same sealedFields and no-op.
+  // the same sealedFields and no-op. CRYPTO-1: when aad is on,
+  // (table, k, column) is threaded into the AEAD AAD so a DB-write
+  // attacker can't copy a sealed value between rows.
   if (sealEnabled) {
     cryptoField.registerTable(tableNameRaw, {
       sealedFields: ["headers", "body"],
+      aad:          aadOn,
+      rowIdField:   "k",
+      schemaVersion: "1",
     });
   }
 
+  // CRYPTO-4 — derive a per-vault HMAC secret for fingerprint sealing.
+  // The vault root key is the trust root; without it the secret is
+  // unrecoverable. Lazy: only derived when fpSealOn is enabled AND the
+  // vault is ready, so test fixtures that haven't initialized the
+  // vault still construct a dbStore (the fingerprint then falls back
+  // to bare sha3-256 with a single audit warning).
+  var fpHmacSecret = null;
+  if (fpSealOn) {
+    try {
+      // Use vault.aad.buildContextAad as a stable derivation input;
+      // the derivedHashSalt is per-deployment so the same dbStore
+      // instance across hosts converges on the same HMAC key.
+      var fpDeriveInput = "idempotency.fingerprint:" + tableNameRaw + ":" +
+        vault.getDerivedHashSalt().toString("hex");
+      fpHmacSecret = bCrypto.kdf(Buffer.from(fpDeriveInput, "utf8"), C.BYTES.bytes(32));
+    } catch (_fpErr) {
+      _emitAudit("idempotency.fingerprint_seal_skipped_no_vault",
+        { tableName: tableNameRaw,
+          reason: "vault.getDerivedHashSalt() unavailable; fingerprint falls back to plain sha3-256" },
+        "warning");
+      fpHmacSecret = null;
+    }
+  }
+
   if (doInit) {
     db.prepare("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
       "k TEXT PRIMARY KEY, " +
@@ -279,9 +346,12 @@ function dbStore(opts) {
   }
 
   // Prepared statements. status_code + expires_at stay non-sealed
-  // so audit/forensic SELECTs don't have to unseal-everything.
+  // so audit/forensic SELECTs don't have to unseal-everything. The
+  // `k` column is selected even when not strictly needed for read
+  // because cryptoField.unsealRow uses it as the rowId in AAD when
+  // the table is AAD-bound (CRYPTO-1).
   var stmtGet = db.prepare(
-    "SELECT fingerprint, status_code, headers, body, expires_at FROM " +
+    "SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
     qTable + " WHERE k = ?");
   var stmtUpsert = db.prepare(
     "INSERT INTO " + qTable +
@@ -302,6 +372,13 @@ function dbStore(opts) {
     return bCrypto.namespaceHash("idempotency-key", rawKey);
   }
 
+  // CRYPTO-4 — emit / compare HMAC-shape fingerprints. The store
+  // round-trips the column as plain text (no transformation per-get);
+  // sealing happens at MINT time (when the middleware builds the
+  // fingerprint and hands it to set()). The store's responsibility is
+  // pass-through. The middleware's `_fingerprintRequest` consults
+  // `store.fingerprintMode` to know whether to HMAC.
+
   return {
     get: function (rawKey) {
       var row = stmtGet.get(_k(rawKey));
@@ -314,16 +391,26 @@ function dbStore(opts) {
       if (sealEnabled) {
         try { liveRow = cryptoField.unsealRow(tableNameRaw, row); }
         catch (_unsealErr) {
-          // Decryption failed (key rotation gap / corrupt envelope).
-          // Treat as miss + drop the row so the handler runs fresh
-          // and we capture a re-sealable replacement.
-          stmtDeleteStale.run(_k(rawKey), row.expires_at);
+          // CRYPTO-13 — decryption failure used to delete the row,
+          // which let an attacker probe key presence via a "tamper +
+          // observe subsequent SELECT" oracle. The fix: emit audit,
+          // return null, do NOT delete. TTL sweeps stale rows out
+          // bounded by ttlMs; an out-of-band sweeper handles the
+          // corrupt-but-not-yet-expired case.
+          _emitAudit("idempotency.unseal_failed",
+            { tableName: tableNameRaw,
+              keyHash:   _hashKey(rawKey),
+              reason:    String(_unsealErr && _unsealErr.message || _unsealErr) },
+            "warning");
           return null;
         }
       }
       var headersObj;
       try {
-        headersObj = safeJson.parse(liveRow.headers, { maxBytes: 4 * 1024 * 1024 });               // allow:raw-byte-literal — 4 MiB headers ceiling
+        // CRYPTO-22 — route through C.BYTES.mib(4); raw `4 * 1024 * 1024`
+        // was a drift smell flagged by codebase-patterns. 4 MiB ceiling
+        // unchanged.
+        headersObj = safeJson.parse(liveRow.headers, { maxBytes: C.BYTES.mib(4) });
       } catch (_jsonErr) {
         // Parse failure has two distinct causes:
         //   1. Genuine corruption (truncated row, encoding mishap) — drop.
@@ -336,7 +423,8 @@ function dbStore(opts) {
         //      execution. Treat as miss + LEAVE the row in place.
         //      Per Codex P1 on PR #45.
         var lookedSealed = typeof liveRow.headers === "string" &&
-          liveRow.headers.indexOf("vault:") === 0;
+          (liveRow.headers.indexOf("vault:") === 0 ||
+           liveRow.headers.indexOf("vault.aad:") === 0);
         if (!lookedSealed) {
           stmtDeleteStale.run(_k(rawKey), row.expires_at);
         }
@@ -368,9 +456,56 @@ function dbStore(opts) {
     delete: function (rawKey) {
       stmtDelete.run(_k(rawKey));
     },
+    // CRYPTO-4 — the middleware consults this hook to HMAC the
+    // method+path+body digest under a vault-derived secret before
+    // insert + compare. Returns null when fpSeal is disabled OR the
+    // vault wasn't ready at construction; the middleware then falls
+    // back to bare sha3-256.
+    fingerprintHmac: function (preimageBytes) {
+      if (!fpSealOn || !fpHmacSecret) return null;
+      return nodeCrypto.createHmac("sha3-256", fpHmacSecret)
+        .update(preimageBytes).digest("hex");
+    },
+    // CRYPTO-1 — operator helper: walk the table and reseal every row
+    // under the AAD form. Existing v0.9.15-v0.9.57 rows continue to
+    // read on a per-row basis (unsealRow auto-detects shape), but
+    // operators wanting an explicit migration step call this once.
+    // Idempotent; rows already AAD-sealed pass through unchanged.
+    resealMigrate: function () {
+      if (!sealEnabled || !aadOn) {
+        return { migrated: 0, skipped: 0, reason: "aad-or-seal-disabled" };
+      }
+      var migrated = 0;
+      var skipped = 0;
+      var rows = db.prepare("SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
+        qTable).all();
+      for (var i = 0; i < rows.length; i += 1) {
+        var r = rows[i];
+        // If headers/body already start with vault.aad: this row is
+        // already migrated.
+        var alreadyAad = typeof r.headers === "string" &&
+          r.headers.indexOf("vault.aad:") === 0 &&
+          typeof r.body === "string" &&
+          r.body.indexOf("vault.aad:") === 0;
+        if (alreadyAad) { skipped += 1; continue; }
+        var unsealed;
+        try { unsealed = cryptoField.unsealRow(tableNameRaw, r); }
+        catch (_e) { skipped += 1; continue; }
+        var resealed = cryptoField.sealRow(tableNameRaw, unsealed);
+        stmtUpsert.run(
+          resealed.k, resealed.fingerprint, resealed.status_code,
+          resealed.headers, resealed.body, resealed.expires_at);
+        migrated += 1;
+      }
+      _emitAudit("idempotency.reseal_migrate_complete",
+        { tableName: tableNameRaw, migrated: migrated, skipped: skipped });
+      return { migrated: migrated, skipped: skipped, reason: null };
+    },
     _tableName:   tableNameRaw,
     _hashKeys:    hashKeys,
     _sealEnabled: sealEnabled,
+    _aadOn:       aadOn,
+    _fpSealOn:    fpSealOn && fpHmacSecret !== null,
   };
 }
 
@@ -387,21 +522,27 @@ function _validateStore(store, where) {
   }
 }
 
-function _fingerprintRequest(req, bodyBytes) {
-  // Fingerprint = method + path + body sha3-256. Per the draft §4.3,
-  // a key+body mismatch is a client-side mistake; our fingerprint
-  // covers method + path so a client reusing a key across different
-  // endpoints is also caught. Body hash uses SHA3-256 to match the
-  // framework's PQC-first crypto posture (SHA-256 is fine for
-  // collision-resistance here but we use SHA3 for codebase
-  // uniformity).
-  var hash = nodeCrypto.createHash("sha3-256");
-  hash.update((req.method || "GET") + "\n");
-  hash.update((req.url || "/") + "\n");
-  if (bodyBytes && bodyBytes.length > 0) {
-    hash.update(bodyBytes);
+function _fingerprintRequest(req, bodyBytes, store) {
+  // Fingerprint preimage = method + path + body. Per the draft §4.3,
+  // a key+body mismatch is a client-side mistake; our preimage covers
+  // method + path so a client reusing a key across different
+  // endpoints is also caught. CRYPTO-4: when the store exposes a
+  // `fingerprintHmac` hook (dbStore with fingerprintSeal:true + vault
+  // ready), the preimage is HMAC'd under a vault-derived secret so a
+  // DB dump leaks neither the preimage nor a brute-forceable digest.
+  // The middleware then compares the HMAC'd column directly; both
+  // sides of the compare use the same secret so the equality is
+  // exact, no key-recovery is performed on the dump side.
+  var preimage = Buffer.concat([
+    Buffer.from((req.method || "GET") + "\n", "utf8"),
+    Buffer.from((req.url || "/") + "\n", "utf8"),
+    bodyBytes && bodyBytes.length > 0 ? bodyBytes : Buffer.alloc(0),
+  ]);
+  if (store && typeof store.fingerprintHmac === "function") {
+    var hmacOut = store.fingerprintHmac(preimage);
+    if (hmacOut !== null) return hmacOut;
   }
-  return hash.digest("hex");
+  return nodeCrypto.createHash("sha3-256").update(preimage).digest("hex");
 }
 
 function _emitAudit(action, metadata, outcome) {
@@ -461,6 +602,15 @@ function _emitAudit(action, metadata, outcome) {
  *   requireIdempotencyKey: boolean,  // default: false — refuse missing-key
  *   bodyFingerprint:       function, // (req) => Buffer|string|object|null — operator-supplied body extractor
  *   maxBodyBytes:          number,   // default: 1 MiB — replay-cache body cap
+ *   bodyFingerprintFallback: string, // default "deny" (SUBSTRATE-13) — when neither
+ *                                    // bodyFingerprint nor req._rawBody / req.body is
+ *                                    // available for POST/PUT/PATCH, refuse with HTTP 400
+ *                                    // idempotency/missing-body-fingerprint instead of
+ *                                    // silently degrading the fingerprint to method+path.
+ *                                    // Set to "method-path-only" to restore the pre-0.9.58
+ *                                    // behavior (the audit chain still logs
+ *                                    // idempotency.empty_body_fingerprint so the
+ *                                    // misorder is visible in operator review).
  *
  * **Mount order — idempotency MUST run AFTER body-parser.** The hook
  * (and the default `req._rawBody||req.body` lookup) reads request
@@ -519,6 +669,22 @@ function create(opts) {
     opts.bodyFingerprint, "idempotencyKey.bodyFingerprint",
     IdempotencyError, "idempotency/bad-body-fingerprint"
   ) || null;
+  // SUBSTRATE-13 — default "deny" refuses body-bearing requests that
+  // arrive with neither req._rawBody / req.body NOR an operator-
+  // supplied bodyFingerprint hook. The silent-degrade-to-method+path
+  // path was a §4.3 violation (same key + different body returned
+  // false replays); the runtime now refuses with HTTP 400 instead.
+  // Operators with a documented "method-path-only" use case opt in.
+  var bodyFpFallback = "deny";
+  if (opts.bodyFingerprintFallback !== undefined) {
+    if (opts.bodyFingerprintFallback !== "deny" &&
+        opts.bodyFingerprintFallback !== "method-path-only") {
+      throw new IdempotencyError("idempotency/bad-body-fingerprint-fallback",
+        "idempotencyKey: opts.bodyFingerprintFallback must be \"deny\" or \"method-path-only\", got " +
+        JSON.stringify(opts.bodyFingerprintFallback), true);
+    }
+    bodyFpFallback = opts.bodyFingerprintFallback;
+  }
 
   // Per-response collector cap. Idempotency replay only makes sense
   // for response bodies that fit in memory; the cap is operator-
@@ -595,11 +761,11 @@ function create(opts) {
 
     // Misordered-mount detector — body-bearing method reached us
     // with neither a parsed body nor a raw-body buffer. Most likely
-    // body-parser hasn't run yet, which silently degrades the
-    // fingerprint to method+path. Emit a warning so the audit log
-    // surfaces the misconfiguration. (Genuinely empty POST bodies
-    // also trip this — acceptable cost; the audit field captures the
-    // distinction via `hasRawBody`/`hasParsedBody`.)
+    // body-parser hasn't run yet, which used to silently degrade the
+    // fingerprint to method+path; SUBSTRATE-13 (v0.9.58) makes that
+    // case refuse with HTTP 400 by default. The audit emit fires in
+    // both fallback modes so operator review surfaces the
+    // misconfiguration regardless of the chosen fallback.
     if (!bodyBytes && (method === "POST" || method === "PUT" || method === "PATCH")) {
       _emitAudit("idempotency.empty_body_fingerprint",
         {
@@ -608,11 +774,24 @@ function create(opts) {
           hasRawBody:      Boolean(req._rawBody),
           hasParsedBody:   req.body !== undefined && req.body !== null,
           hasFingerprintHook: Boolean(bodyFingerprintFn),
+          fallback:        bodyFpFallback,
         },
-        "warning");
+        bodyFpFallback === "deny" ? "denied" : "warning");
+      if (bodyFpFallback === "deny") {
+        var missingBody = problemDetails().create({
+          type:   problemDetails().getBase() + "/idempotency/missing-body-fingerprint",
+          title:  "Idempotency body fingerprint unavailable",
+          status: 400,                                                                               // allow:raw-byte-literal — HTTP status 400 Bad Request
+          detail: "The idempotency middleware could not derive a body fingerprint for this " +
+                  "request. Mount body-parser BEFORE the idempotency middleware, OR provide an " +
+                  "opts.bodyFingerprint(req) hook. To restore the pre-0.9.58 method+path-only " +
+                  "behavior, set opts.bodyFingerprintFallback=\"method-path-only\".",
+        });
+        return problemDetails().respond(res, missingBody);
+      }
     }
 
-    var fingerprint = _fingerprintRequest(req, bodyBytes);
+    var fingerprint = _fingerprintRequest(req, bodyBytes, opts.store);
 
     var cached = null;
     try { cached = opts.store.get(key); }
@@ -743,9 +922,43 @@ function _redactKey(key) {
   return key.slice(0, 4) + "..." + key.slice(-2) + " (len=" + key.length + ")";                    // allow:raw-byte-literal — log-redaction prefix/suffix lengths
 }
 
+/**
+ * @primitive b.middleware.idempotencyKey.resealMigrate
+ * @signature b.middleware.idempotencyKey.resealMigrate(store)
+ * @since     0.9.58
+ * @related   b.middleware.idempotencyKey.dbStore
+ *
+ * One-shot operator helper that walks a dbStore's table and reseals
+ * every row under the AAD-bound envelope shape introduced in v0.9.58
+ * (CRYPTO-1). Existing v0.9.15-v0.9.57 rows continue to read on a
+ * per-row basis (unsealRow auto-detects shape) so a deploy without
+ * this call is correct, but operators who want to upgrade in bulk
+ * call this once after upgrading.
+ *
+ * Returns `{ migrated, skipped, reason }`. `migrated` counts rows
+ * rewritten with AAD-bound ciphertext; `skipped` counts rows already
+ * AAD-shaped or that failed unseal under the current key (those rows
+ * stay in place and surface via the standard
+ * `idempotency.unseal_failed` audit on next read). `reason` is null
+ * on success; populated when the store doesn't support migration
+ * (in-memory store, custom operator-supplied store, etc.).
+ *
+ * @example
+ *   var store = b.middleware.idempotencyKey.dbStore({ db: myDb });
+ *   var info  = b.middleware.idempotencyKey.resealMigrate(store);
+ *   logger.info("idempotency migration", info);
+ */
+function resealMigrate(store) {
+  if (!store || typeof store.resealMigrate !== "function") {
+    return { migrated: 0, skipped: 0, reason: "store-does-not-support-reseal" };
+  }
+  return store.resealMigrate();
+}
+
 module.exports = create;
 module.exports.create     = create;
 module.exports.memoryStore = memoryStore;
 module.exports.dbStore     = dbStore;
+module.exports.resealMigrate = resealMigrate;
 module.exports.DEFAULT_METHODS = DEFAULT_METHODS;
 module.exports.IdempotencyError = IdempotencyError;

package/lib/middleware/protected-resource-metadata.js

@@ -26,6 +26,8 @@
 var framework_error = require("../framework-error");
 var validateOpts    = require("../validate-opts");
 var requestHelpers  = require("../request-helpers");
+var safeUrl         = require("../safe-url");
+var nodeCrypto      = require("node:crypto");
 
 var H = requestHelpers.HTTP_STATUS;
 
@@ -36,6 +38,15 @@ var ProtectedResourceMetadataError = framework_error.defineClass(
 
 var ALLOWED_BEARER_METHODS  = ["header", "body", "query"];
 var ALLOWED_DPOP_ALGS       = ["ES256", "ES384", "RS256", "PS256", "EdDSA", "ML-DSA-65", "ML-DSA-87"];
+// RFC 9728 §3.2 — signed_metadata signing algs. PQC-first per the
+// framework's hard rule §2 (ML-DSA-* preferred); classical algs
+// available for backwards-interop with relying parties without PQC
+// libraries on hand.
+var ALLOWED_SIGNED_METADATA_ALGS = ["ML-DSA-87", "ML-DSA-65", "EdDSA", "ES256", "ES384", "PS256", "PS384"];
+
+function _b64url(buf) {
+  return Buffer.from(buf).toString("base64url");
+}
 
 /**
  * @primitive b.middleware.protectedResourceMetadata
@@ -83,12 +94,30 @@ function create(opts) {
       "middleware/protected-resource-metadata/no-as",
       "authorizationServers must be a non-empty array of issuer URLs");
   }
+  // AUTH-17 — RFC 9728 §3 + RFC 8414 §3.1: authorizationServers entries
+  // are issuer URLs and MUST be https://. Pre-v0.9.x only required
+  // non-empty string, so an operator typo could ship `http://idp.test`
+  // (or, worse, `javascript:` / `data:`) to clients via the well-known
+  // document. allowHttp opts.allowHttp passes the framework's
+  // safe-url loopback exception through (matches b.auth.oauth's
+  // _validateUrl shape).
+  var allowHttp = opts.allowHttp === true;
   opts.authorizationServers.forEach(function (u, i) {
     if (typeof u !== "string" || u.length === 0) {
       throw new ProtectedResourceMetadataError(
         "middleware/protected-resource-metadata/bad-as",
         "authorizationServers[" + i + "] must be a non-empty string");
     }
+    try {
+      safeUrl.parse(u, {
+        allowedProtocols: allowHttp ? safeUrl.ALLOW_HTTP_ALL : safeUrl.ALLOW_HTTP_TLS,
+      });
+    } catch (_e) {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-as-url",
+        "authorizationServers[" + i + "] = '" + u + "' is not a valid " +
+        (allowHttp ? "http(s)" : "https") + " URL (RFC 9728 §3 / RFC 8414 §3.1)");
+    }
   });
 
   var bearerMethods = opts.bearerMethodsSupported || ["header"];
@@ -127,8 +156,73 @@ function create(opts) {
   if (opts.dpopBoundAccessTokensRequired === true) doc.dpop_bound_access_tokens_required = true;
   if (opts.mtlsBoundAccessTokensRequired === true) doc.tls_client_certificate_bound_access_tokens = true;
 
+  // AUTH-18 — RFC 9728 §3.2 signed_metadata. Operators with an
+  // anti-tamper requirement pass `signMetadata: { key, alg, kid }`;
+  // the middleware emits `application/jwt` carrying the JWS-signed
+  // metadata. Default output remains cleartext `application/json`.
+  var signedJwt = null;
+  var signedDoc = null;
+  if (opts.signMetadata) {
+    var sm = opts.signMetadata;
+    if (!sm || typeof sm !== "object") {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-sign",
+        "signMetadata must be an object { key, alg, kid? }");
+    }
+    if (!sm.alg || ALLOWED_SIGNED_METADATA_ALGS.indexOf(sm.alg) === -1) {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-sign-alg",
+        "signMetadata.alg '" + sm.alg + "' not in allowlist: " +
+        ALLOWED_SIGNED_METADATA_ALGS.join(", "));
+    }
+    if (!sm.key) {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-sign-key",
+        "signMetadata.key is required (KeyObject, PEM string/Buffer, or JWK object)");
+    }
+    var signingKey;
+    try {
+      if (sm.key instanceof nodeCrypto.KeyObject) {
+        signingKey = sm.key;
+      } else if (typeof sm.key === "string" || Buffer.isBuffer(sm.key)) {
+        signingKey = nodeCrypto.createPrivateKey({ key: sm.key, format: "pem" });
+      } else if (typeof sm.key === "object") {
+        signingKey = nodeCrypto.createPrivateKey({ key: sm.key, format: "jwk" });
+      } else {
+        throw new ProtectedResourceMetadataError(
+          "middleware/protected-resource-metadata/bad-sign-key",
+          "signMetadata.key must be KeyObject, PEM string/Buffer, or JWK object");
+      }
+    } catch (e) {
+      if (e instanceof ProtectedResourceMetadataError) throw e;
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-sign-key",
+        "signMetadata.key parse failed: " + ((e && e.message) || String(e)));
+    }
+    // RFC 9728 §3.2 — signed_metadata is a JWS carrying the same
+    // metadata claims as the cleartext document plus iss + sub
+    // (resource URI) for identification at consume-side.
+    signedDoc = Object.assign({}, doc, { iss: opts.resource, sub: opts.resource });
+    var jwsHeader = { alg: sm.alg, typ: "oauth-protected-resource+jwt" };
+    if (sm.kid) jwsHeader.kid = sm.kid;
+    var headerEnc  = _b64url(JSON.stringify(jwsHeader));
+    var payloadEnc = _b64url(JSON.stringify(signedDoc));
+    var input      = headerEnc + "." + payloadEnc;
+    // PQC algs (ML-DSA-*) + EdDSA pass null hash; ES* / PS* / RS* use
+    // their RFC 7518 hash + dsaEncoding shape.
+    var signParams = { key: signingKey };
+    var signAlgo   = null;
+    if (sm.alg === "ES256") { signAlgo = "sha256"; signParams.dsaEncoding = "ieee-p1363"; }
+    else if (sm.alg === "ES384") { signAlgo = "sha384"; signParams.dsaEncoding = "ieee-p1363"; }
+    else if (sm.alg === "PS256") { signAlgo = "sha256"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 32; }   // allow:raw-byte-literal — RFC 7518 PS256 salt
+    else if (sm.alg === "PS384") { signAlgo = "sha384"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 48; }   // allow:raw-byte-literal — RFC 7518 PS384 salt
+    var sig = nodeCrypto.sign(signAlgo, Buffer.from(input, "ascii"), signParams);
+    signedJwt = input + "." + _b64url(sig);
+  }
+
   var bodyText  = JSON.stringify(doc);
   var bodyBytes = Buffer.byteLength(bodyText, "utf8");
+  var signedBytes = signedJwt ? Buffer.byteLength(signedJwt, "utf8") : 0;
 
   function middleware(req, res, next) {
     if (req.url !== path && req.url.split("?")[0] !== path) {
@@ -143,6 +237,22 @@ function create(opts) {
       res.end();
       return;
     }
+    // RFC 9728 §3.2 — operators that wired signMetadata serve the JWS
+    // form when the client advertises Accept: application/jwt (or via
+    // the *.jwt path suffix). The cleartext document is still served
+    // on the default path / Accept: application/json.
+    var accept = (req.headers && req.headers.accept) || "";
+    var wantsSigned = signedJwt && (accept.indexOf("application/jwt") !== -1);
+    if (wantsSigned) {
+      res.writeHead(H.OK, {
+        "Content-Type":   "application/jwt",
+        "Content-Length": String(signedBytes),
+        "Cache-Control":  "public, max-age=3600",
+      });
+      if (req.method === "HEAD") { res.end(); return; }
+      res.end(signedJwt);
+      return;
+    }
     res.writeHead(H.OK, {
       "Content-Type":   "application/json",
       "Content-Length": String(bodyBytes),
@@ -152,8 +262,9 @@ function create(opts) {
     res.end(bodyText);
   }
 
-  middleware.document = doc;
-  middleware.path     = path;
+  middleware.document      = doc;
+  middleware.signedMetadata = signedJwt;
+  middleware.path          = path;
   return middleware;
 }
 
@@ -162,4 +273,5 @@ module.exports = {
   ProtectedResourceMetadataError: ProtectedResourceMetadataError,
   ALLOWED_BEARER_METHODS:        ALLOWED_BEARER_METHODS,
   ALLOWED_DPOP_ALGS:             ALLOWED_DPOP_ALGS,
+  ALLOWED_SIGNED_METADATA_ALGS:  ALLOWED_SIGNED_METADATA_ALGS,
 };

package/lib/network-dns-resolver.js

@@ -127,6 +127,13 @@ var DEFAULT_MAX_TTL_MS    = C.TIME.hours(24);
 var DEFAULT_MIN_TTL_MS    = C.TIME.seconds(60);
 var DEFAULT_STALE_WINDOW  = C.TIME.hours(6);
 var DEFAULT_PROFILE       = "strict";
+// BUG-1 / MAIL-26 — CWE-400/770. Bound the cache so a hostile peer
+// that can drive query-name selection (e.g. inbound SMTP forwarding
+// DKIM `s=` / `d=` tag-controlled lookups) cannot inflate the Map to
+// OOM. Default 5000 entries: a parsed-response object ~100 bytes ×
+// 5000 ≈ 500 KiB, several orders below operator-relevant memory
+// pressure. LRU eviction picks the oldest accessed entry on overflow.
+var DEFAULT_MAX_CACHE_ENTRIES = 5000;                                                                  // allow:raw-byte-literal — cache-entry count, not a byte/time value
 
 var QTYPE_BY_NAME = Object.freeze({
   A:      1,
@@ -200,9 +207,33 @@ function create(opts) {
     throw new ResolverError("resolver/bad-input",
       "create: serveStale must be a non-negative finite number or false");
   }
+  var maxCacheEntries = typeof opts.maxCacheEntries === "number"
+    ? opts.maxCacheEntries : DEFAULT_MAX_CACHE_ENTRIES;
+  if (!isFinite(maxCacheEntries) || maxCacheEntries < 1 ||
+      Math.floor(maxCacheEntries) !== maxCacheEntries) {
+    throw new ResolverError("resolver/bad-input",
+      "create: maxCacheEntries must be a positive integer");
+  }
 
   var cache = new Map();                  // key → { response, parsed, ttl, expiresAt, staleUntil }
 
+  // CWE-400/770 / BUG-1 — LRU eviction on insert when the cache is at
+  // capacity. v8 Map preserves insertion order; oldest key is the
+  // first entry returned by Map.keys().next().
+  function _evictIfFull() {
+    while (cache.size >= maxCacheEntries) {
+      var oldest = cache.keys().next();
+      if (oldest.done) break;
+      cache.delete(oldest.value);
+    }
+  }
+  // Touching a hit moves it to the LRU tail — delete-then-set keeps
+  // active queries hot under cache pressure.
+  function _touch(key, entry) {
+    cache.delete(key);
+    cache.set(key, entry);
+  }
+
   function _key(name, qtype) {
     return name.toLowerCase() + "|" + qtype;
   }
@@ -244,6 +275,7 @@ function create(opts) {
           "query: validate: true but cached response was AD=0 for " +
           name + "/" + qtype);
       }
+      _touch(key, hit);                     // LRU bump
       return _result(hit.parsed, hit.ttl, true, false, hit.validated);
     }
 
@@ -297,6 +329,7 @@ function create(opts) {
     var ttlMs = Math.max(minTtlMs, Math.min(maxTtlMs, rrTtl * C.TIME.seconds(1)));
     var expiresAt  = now + ttlMs;
     var staleUntil = serveStale > 0 ? expiresAt + serveStale : expiresAt;
+    _evictIfFull();
     cache.set(key, {
       parsed:     parsed,
       ttl:        ttlMs,