@blamejs/core 0.9.49 → 0.10.2

package/lib/auth/openid-federation.js

@@ -58,8 +58,20 @@ var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var safeJson     = require("../safe-json");
 var nodeCrypto   = require("node:crypto");
+var C            = require("../constants");
+// Shared JOSE defenses (CVE-2026-22817 alg/kty cross-check +
+// CVE-2026-23552 constant-time iss compare). Top-of-file per project
+// convention §3; no circular load — jwt-external requires nothing from
+// openid-federation.
+var jwtExternal  = require("./jwt-external");
 var { AuthError } = require("../framework-error");
 
+// Default federation-statement clock-skew tolerance in seconds. OIDC
+// Federation 1.0 doesn't fix a value; 60s matches the framework-wide
+// default applied to ID tokens. Operators tune via
+// verifyEntityStatement(jwt, jwks, { maxClockSkewSec }).
+var DEFAULT_FEDERATION_CLOCK_SKEW_SEC = C.TIME.minutes(1) / C.TIME.seconds(1);
+
 var httpClient = lazyRequire(function () { return require("../http-client"); });
 var audit      = lazyRequire(function () { return require("../audit"); });
 var observability = lazyRequire(function () { return require("../observability"); });
@@ -124,7 +136,7 @@ function parseEntityStatement(jwt) {
 
 /**
  * @primitive b.auth.openidFederation.verifyEntityStatement
- * @signature b.auth.openidFederation.verifyEntityStatement(jwt, jwks)
+ * @signature b.auth.openidFederation.verifyEntityStatement(jwt, jwks, vopts)
  * @since     0.8.62
  *
  * Verify a single entity statement's JWS signature using the
@@ -132,11 +144,16 @@ function parseEntityStatement(jwt) {
  * any failure (malformed / wrong typ / unsupported alg / no
  * matching kid / bad signature / iat-future / expired).
  *
+ * @opts
+ *   maxClockSkewSec: number   // tolerance for iat / exp; default: 60
+ *   now:             number   // override Date.now() for tests
+ *
  * @example
  *   var claims = b.auth.openidFederation.verifyEntityStatement(jwt, anchorJwks);
  *   // → { iss, sub, iat, exp, jwks, metadata, authority_hints, ... }
  */
-function verifyEntityStatement(jwt, jwks) {
+function verifyEntityStatement(jwt, jwks, vopts) {
+  vopts = vopts || {};
   var parsed = parseEntityStatement(jwt);
   if (!jwks || !Array.isArray(jwks.keys) || jwks.keys.length === 0) {
     throw new AuthError("auth-openid-federation/no-keys",
@@ -147,30 +164,36 @@ function verifyEntityStatement(jwt, jwks) {
     for (var i = 0; i < jwks.keys.length; i++) {
       if (jwks.keys[i].kid === parsed.header.kid) { key = jwks.keys[i]; break; }
     }
-  } else if (jwks.keys.length === 1) {
-    key = jwks.keys[0];
-  }
-  if (!key) {
-    throw new AuthError("auth-openid-federation/no-matching-kid",
-      "verifyEntityStatement: no JWKS key matches kid \"" + parsed.header.kid + "\"");
+    if (!key) {
+      throw new AuthError("auth-openid-federation/no-matching-kid",
+        "verifyEntityStatement: no JWKS key matches kid \"" + parsed.header.kid + "\"");
+    }
+  } else {
+    // AUTH-10 — refuse kid-less entity statements unless the operator
+    // explicitly opts in. JWKS rotation creates a window where the
+    // rotated-out key is still cached but the rotated-in key is already
+    // published; a kid-less statement during that window gets the
+    // lone-key path silently. Modern federations always emit kid; the
+    // gap that oauth + jwt-external closed in v0.9.4 applies here too.
+    if (jwks.keys.length === 1 && vopts.allowKidlessJwks === true) {
+      key = jwks.keys[0];
+    } else {
+      throw new AuthError("auth-openid-federation/kid-required",
+        "verifyEntityStatement: header.kid absent — framework refuses kid-less " +
+        "entity statements to defend against JWKS-rotation key-pick attacks " +
+        "(pass vopts.allowKidlessJwks: true to opt out)");
+    }
   }
 
-  // Cross-check the JWK key type against the JWS `alg` header BEFORE
-  // verifying. Without this an attacker-controlled entity-config can
-  // declare `alg: "ES256"` while supplying an RSA `kty: "RSA"` JWK;
+  // CVE-2026-22817 — cross-check the JWK key type against the JWS alg
+  // BEFORE verifying. Without this an attacker-controlled entity-config
+  // can declare `alg: "ES256"` while supplying an RSA `kty: "RSA"` JWK;
   // Node will silently use the RSA key with SHA-256 and the signature
-  // verify either always-fails (if PSS) or succeeds against a payload
-  // the attacker crafted to match the wrong primitive (algorithm/key-
-  // type confusion). (Audit 2026-05-11.)
-  var expectedKty = null;
-  if (parsed.header.alg.indexOf("ES") === 0)        expectedKty = "EC";
-  else if (parsed.header.alg.indexOf("PS") === 0 || parsed.header.alg.indexOf("RS") === 0) expectedKty = "RSA";
-  else if (parsed.header.alg === "EdDSA")           expectedKty = "OKP";
-  if (expectedKty && key.kty !== expectedKty) {
-    throw new AuthError("auth-openid-federation/alg-kty-mismatch",
-      "verifyEntityStatement: JWS header alg=\"" + parsed.header.alg + "\" requires " +
-      "JWK kty=\"" + expectedKty + "\" but the resolved JWK has kty=\"" + key.kty + "\"");
-  }
+  // verify either always-fails (PSS) or succeeds against a payload the
+  // attacker crafted (alg/key-type confusion). Routed through the
+  // shared helper so every JWT verifier in the framework enforces the
+  // same check.
+  jwtExternal._assertAlgKtyMatch(parsed.header.alg, key);
 
   var keyObj;
   try { keyObj = nodeCrypto.createPublicKey({ key: key, format: "jwk" }); }
@@ -194,8 +217,12 @@ function verifyEntityStatement(jwt, jwks) {
       "verifyEntityStatement: signature verification failed");
   }
 
-  var nowSec = Math.floor(Date.now() / 1000);                                                   // allow:raw-byte-literal — ms→s
-  var skew = 60;                                                                                // allow:raw-time-literal — clock-skew tolerance 60s
+  var nowSec = Math.floor(Date.now() / C.TIME.seconds(1));
+  // AUTH-30 — operator-tunable clock skew (sibling primitives accept
+  // tunable). Default matches the prior fixed 60s.
+  var skew = (typeof vopts.maxClockSkewSec === "number" && isFinite(vopts.maxClockSkewSec) && vopts.maxClockSkewSec >= 0)
+    ? vopts.maxClockSkewSec
+    : DEFAULT_FEDERATION_CLOCK_SKEW_SEC;
   if (typeof parsed.claims.iat !== "number" || parsed.claims.iat > nowSec + skew) {
     throw new AuthError("auth-openid-federation/iat-future",
       "verifyEntityStatement: iat is in the future or missing");
@@ -409,6 +436,16 @@ async function buildTrustChain(opts) {
   var chain = [];
   var current = opts.leafEntityId;
   var depth = 0;
+  // AUTH-9 — visited-set cycle guard. The maxDepth cap alone caps the
+  // loop count but doesn't distinguish "long chain" from "cyclic
+  // chain"; a hostile authority that lists itself in authority_hints
+  // walks the verifier until depth runs out and then surfaces as
+  // chain-too-deep, masking the actual misuse pattern. Tracking
+  // visited entities + refusing on revisit surfaces the cycle as a
+  // distinct fault class so operators alerting on chain-cycle see
+  // hostile-federation probes immediately.
+  var visited = Object.create(null);
+  visited[current] = true;
   while (depth < maxDepth) {
     var entityConfigUrl = current.replace(/\/$/, "") + "/.well-known/openid-federation";
     var entityConfigJwt = await fetcher(entityConfigUrl);
@@ -476,6 +513,15 @@ async function buildTrustChain(opts) {
         chain[chain.length - 1].claims.jwks = parsedSub.claims.jwks || chain[chain.length - 1].claims.jwks;
         chain[chain.length - 1].subordinateJwt = subordinateJwt;
         chain[chain.length - 1].subordinate    = parsedSub.claims;
+        // AUTH-9 — refuse revisit. A trust anchor terminates the loop
+        // before re-entry, so a revisit here ALWAYS means a cyclic
+        // authority_hints graph.
+        if (visited[authority]) {
+          throw new AuthError("auth-openid-federation/chain-cycle",
+            "buildTrustChain: authority \"" + authority + "\" already visited — " +
+            "cyclic authority_hints graph refused");
+        }
+        visited[authority] = true;
         current = authority;
         ascended = true;
         break;

package/lib/auth/passkey.js

@@ -77,6 +77,50 @@ function _requireString(v, name) {
   }
 }
 
+// AUTH-28 — WebAuthn extensions allowlist. Pre-v0.9.x `opts.extensions`
+// was forwarded verbatim to the vendor, letting an operator (or a
+// caller threading user-input through opts) ship arbitrary extension
+// keys to the authenticator. Restrict to the framework-supported
+// extension surface (`prf` / `largeBlob` / `credBlob`) and route every
+// value through the matching `extensions.<name>(args)` builder so the
+// shape is validated. Operators with custom extensions opt in via
+// { allowUnknownExtensions: true } with a documented reason.
+var ALLOWED_EXTENSION_KEYS = Object.freeze({
+  prf:        1,
+  largeBlob:  1,
+  credBlob:   1,
+});
+function _validateExtensions(extensions, allowUnknown) {
+  if (extensions === undefined || extensions === null) return undefined;
+  if (typeof extensions !== "object" || Array.isArray(extensions)) {
+    throw new AuthError("auth-passkey/bad-extensions",
+      "opts.extensions must be a plain object");
+  }
+  var out = {};
+  var keys = Object.keys(extensions);
+  for (var i = 0; i < keys.length; i++) {
+    var k = keys[i];
+    if (!Object.prototype.hasOwnProperty.call(ALLOWED_EXTENSION_KEYS, k)) {
+      if (allowUnknown === true) {
+        out[k] = extensions[k];
+        continue;
+      }
+      throw new AuthError("auth-passkey/unknown-extension",
+        "opts.extensions['" + k + "'] not in the framework-supported set " +
+        "(allowed: " + Object.keys(ALLOWED_EXTENSION_KEYS).join(", ") +
+        "). Pass `allowUnknownExtensions: true` to opt out.");
+    }
+    // Route every recognised extension through its builder so the
+    // shape is validated (PRF eval salt length, largeBlob support
+    // values, credBlob ≤ 32 bytes). Builder output replaces the raw
+    // input so the wire shape is always the spec-correct one.
+    if (k === "prf")       Object.assign(out, _prfExt(extensions.prf));
+    if (k === "largeBlob") Object.assign(out, _largeBlobExt(extensions.largeBlob));
+    if (k === "credBlob")  Object.assign(out, _credBlobExt(extensions.credBlob));
+  }
+  return out;
+}
+
 // ---- Registration ----
 
 async function startRegistration(opts) {
@@ -86,6 +130,7 @@ async function startRegistration(opts) {
   _requireString(opts.userName, "userName");
 
   var sel = opts.authenticatorSelection || {};
+  var safeExtensions = _validateExtensions(opts.extensions, opts.allowUnknownExtensions === true);
   var options = await _vendor().generateRegistrationOptions({
     rpName:               opts.rpName,
     rpID:                 opts.rpId,
@@ -100,7 +145,7 @@ async function startRegistration(opts) {
       requireResidentKey:        sel.requireResidentKey,
     },
     timeout:              opts.timeout,
-    extensions:           opts.extensions,
+    extensions:           safeExtensions,
   });
   // Hint the browser to surface platform + cross-device authenticators
   // (Touch ID / Windows Hello AND 1Password / Bitwarden / phone-as-key).
@@ -202,12 +247,13 @@ async function startAuthentication(opts) {
       "mediation must be one of silent/optional/required/conditional");
   }
 
+  var safeAuthExtensions = _validateExtensions(opts.extensions, opts.allowUnknownExtensions === true);
   var options = await _vendor().generateAuthenticationOptions({
     rpID:               opts.rpId,
     userVerification:   opts.userVerification || "preferred",
     allowCredentials:   opts.allowCredentials || [],
     timeout:            opts.timeout,
-    extensions:         opts.extensions,
+    extensions:         safeAuthExtensions,
   });
   if (!opts.hints) {
     options.hints = ["client-device", "hybrid"];
@@ -230,6 +276,7 @@ async function conditionalAuthOptions(opts) {
   if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
   _requireString(opts.rpId, "rpId");
 
+  var safeCondExtensions = _validateExtensions(opts.extensions, opts.allowUnknownExtensions === true);
   var options = await _vendor().generateAuthenticationOptions({
     rpID:               opts.rpId,
     // For conditional UI the spec mandates an empty allowCredentials
@@ -238,7 +285,7 @@ async function conditionalAuthOptions(opts) {
     allowCredentials:   [],
     userVerification:   opts.userVerification || "preferred",
     timeout:            opts.timeout,
-    extensions:         opts.extensions,
+    extensions:         safeCondExtensions,
   });
   options.mediation = "conditional";
   if (!opts.hints) {
@@ -257,22 +304,46 @@ async function conditionalAuthOptions(opts) {
 // contract. Validation tier: throw at config-time. Misuse here is a
 // coding bug, not a request-shape thing.
 
-function _b64urlExtInput(value, name) {
+// CTAP2.1 §6.5 — PRF eval inputs are 32-byte salts. Caps every
+// extension input that ships through the binary normalizer.
+var MAX_EXT_INPUT_BYTES = 32;                                                                    // allow:raw-byte-literal — CTAP2.1 §6.5 PRF salt length
+
+function _b64urlExtInput(value, name, maxBytes) {
   // Accept a base64url string OR a Buffer / Uint8Array. Normalize the
   // wire shape to base64url (the JSON descriptor ships base64url; the
   // browser turns it into an ArrayBuffer before passing to the
   // authenticator).
+  //
+  // AUTH-29 — when `maxBytes` is set, refuse decoded inputs longer than
+  // the cap. Per CTAP2.1 §6.5 PRF salts are 32 bytes; pre-v0.9.x the
+  // framework accepted arbitrary length, which is undefined behavior on
+  // authenticators that may truncate / reject / behave inconsistently.
   if (typeof value === "string") {
     if (value.length === 0 || !safeBuffer.BASE64URL_RE.test(value)) {
       throw new AuthError("auth-passkey/bad-extension-input",
         name + " must be base64url (no padding) when string");
     }
+    if (typeof maxBytes === "number") {
+      var decoded = Buffer.from(value, "base64url");
+      if (decoded.length > maxBytes) {
+        throw new AuthError("auth-passkey/extension-input-too-large",
+          name + " decoded length " + decoded.length + " exceeds " + maxBytes + " bytes");
+      }
+    }
     return value;
   }
   if (Buffer.isBuffer(value)) {
+    if (typeof maxBytes === "number" && value.length > maxBytes) {
+      throw new AuthError("auth-passkey/extension-input-too-large",
+        name + " length " + value.length + " exceeds " + maxBytes + " bytes");
+    }
     return value.toString("base64url");
   }
   if (value instanceof Uint8Array) {
+    if (typeof maxBytes === "number" && value.length > maxBytes) {
+      throw new AuthError("auth-passkey/extension-input-too-large",
+        name + " length " + value.length + " exceeds " + maxBytes + " bytes");
+    }
     return Buffer.from(value).toString("base64url");
   }
   throw new AuthError("auth-passkey/bad-extension-input",
@@ -293,9 +364,10 @@ function _prfExt(args) {
     throw new AuthError("auth-passkey/missing-prf-first",
       "extensions.prf eval.first is required");
   }
-  var out = { prf: { eval: { first: _b64urlExtInput(args.eval.first, "eval.first") } } };
+  // AUTH-29 — CTAP2.1 §6.5 caps PRF salts at 32 bytes.
+  var out = { prf: { eval: { first: _b64urlExtInput(args.eval.first, "eval.first", MAX_EXT_INPUT_BYTES) } } };
   if (args.eval.second !== undefined && args.eval.second !== null) {
-    out.prf.eval.second = _b64urlExtInput(args.eval.second, "eval.second");
+    out.prf.eval.second = _b64urlExtInput(args.eval.second, "eval.second", MAX_EXT_INPUT_BYTES);
   }
   return out;
 }
@@ -448,6 +520,66 @@ async function verifyAuthentication(opts) {
   return rv;
 }
 
+/**
+ * @primitive b.auth.passkey.compareBackupState
+ * @signature b.auth.passkey.compareBackupState(prev, current)
+ * @since     0.9.57
+ *
+ * AUTH-27 — WebAuthn L3 §6.1.3. Inspect the credential's persisted BE
+ * (backupEligible) + BS (backupState) flags against the values
+ * surfaced on a fresh assertion. Returns a normalized verdict the
+ * operator routes into audit / step-up decisions:
+ *
+ *   - `ok` — flags unchanged
+ *   - `be-flipped-on` — credential newly backup-eligible (the
+ *     authenticator manufacturer enabled cloud-backup on a previously
+ *     single-device credential; suspicious — operator surfaces
+ *     step-up)
+ *   - `be-flipped-off` — credential lost backup eligibility (rare;
+ *     authenticator firmware downgrade or vendor policy change)
+ *   - `bs-flipped-on` — credential is now backed up (user enrolled
+ *     in cloud-sync after initial registration; legitimate but
+ *     audit-worthy)
+ *   - `bs-flipped-off` — credential no longer backed up (user
+ *     disabled cloud-sync; legitimate but audit-worthy)
+ *
+ * Operators wire this against the credential row's persisted
+ * `backupEligible` / `backupState` fields and the corresponding
+ * fields on `verifyAuthentication`'s return value.
+ *
+ * @example
+ *   var rv   = await b.auth.passkey.verifyAuthentication(opts);
+ *   var diff = b.auth.passkey.compareBackupState(stored, rv);
+ *   if (diff.verdict !== "ok") {
+ *     await audit.emit({ event: "passkey.backup-state-changed", metadata: diff });
+ *     if (diff.verdict === "be-flipped-on") { requireStepUp(); }
+ *   }
+ */
+function compareBackupState(prev, current) {
+  if (!prev || typeof prev !== "object") {
+    throw new AuthError("auth-passkey/bad-compare-backup",
+      "compareBackupState: prev must be an object with { backupEligible, backupState }");
+  }
+  if (!current || typeof current !== "object") {
+    throw new AuthError("auth-passkey/bad-compare-backup",
+      "compareBackupState: current must be an object with { backupEligible, backupState }");
+  }
+  var pBE = prev.backupEligible === true;
+  var pBS = prev.backupState    === true;
+  var cBE = current.backupEligible === true;
+  var cBS = current.backupState    === true;
+  var verdict = "ok";
+  if (pBE !== cBE) verdict = cBE ? "be-flipped-on"  : "be-flipped-off";
+  else if (pBS !== cBS) verdict = cBS ? "bs-flipped-on" : "bs-flipped-off";
+  return {
+    verdict:                verdict,
+    prevBackupEligible:     pBE,
+    prevBackupState:        pBS,
+    currentBackupEligible:  cBE,
+    currentBackupState:     cBS,
+  };
+}
+
 // ---- WebAuthn Signal API (W3C draft, 2024) ----
 //
 // The signal* methods build the JSON descriptor that the operator
@@ -539,4 +671,6 @@ module.exports = {
   signalUnknownCredential:      signalUnknownCredential,
   signalAllAcceptedCredentials: signalAllAcceptedCredentials,
   signalCurrentUserDetails:     signalCurrentUserDetails,
+  compareBackupState:           compareBackupState,
+  ALLOWED_EXTENSION_KEYS:       ALLOWED_EXTENSION_KEYS,
 };

package/lib/auth/sd-jwt-vc.js

@@ -73,6 +73,11 @@ function _timingSafeEqStr(a, b) {
 var disclosure = require("./sd-jwt-vc-disclosure");
 var sdJwtVcIssuer = require("./sd-jwt-vc-issuer");
 var sdJwtVcHolder = require("./sd-jwt-vc-holder");
+// Shared JOSE defenses (CVE-2026-22817 alg/kty cross-check +
+// CVE-2026-23552 constant-time iss compare). Top-of-file per project
+// convention §3; no circular load — jwt-external requires nothing from
+// sd-jwt-vc.
+var jwtExternal = require("./jwt-external");
 var { AuthError } = require("../framework-error");
 
 var SUPPORTED_ALGS = Object.freeze([
@@ -296,6 +301,17 @@ function present(opts) {
   // Hardcoded sha256 here previously diverged from the verifier when
   // an issuer used a non-default hash, producing sd-hash-mismatch on
   // valid presentations.
+  //
+  // Defense-in-depth: this pre-parse runs on the holder side
+  // (presentation builder) and reads `_sd_alg` from UNSIGNED bytes,
+  // because the holder needs to know which hash to use BEFORE the
+  // verifier sees the presentation. The presentation itself carries
+  // the JWS-signed issuer JWT verbatim; verify() re-parses the
+  // payload from the cryptographically-verified signing input. That
+  // post-verify decode is the source of truth — a holder who tampers
+  // with `_sd_alg` here only breaks their own KB-JWT digest, since
+  // the verifier recomputes from the signed bytes. No security
+  // boundary is crossed by reading the value here.
   var _issuerPayload = null;
   var _jwtParts = jwt.split(".");
   if (_jwtParts.length === 3) {
@@ -425,14 +441,39 @@ async function verify(presentation, opts) {
       "verify: malformed JWT header: " + e.message);
   }
   var alg = headerObj.alg;
-  if (SUPPORTED_ALGS.indexOf(alg) === -1) {
+  // CVE-2026-23993 — refuse unknown / unsupported alg BEFORE any key
+  // resolution. The shared `_assertAlgKtyMatch` helper repeats this
+  // check after the issuer key is resolved; doing it here too closes
+  // the gap where an issuerKeyResolver with side effects (network
+  // fetch, audit emit) would run even when the alg is unsupported.
+  if (typeof alg !== "string" || SUPPORTED_ALGS.indexOf(alg) === -1) {
     throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
-      "verify: header alg \"" + alg + "\" not in supported set");
-  }
+      "verify: header alg \"" + alg + "\" not in supported set " +
+      "(CVE-2026-23993 — refused before key lookup)");
+  }
+  // draft-ietf-oauth-sd-jwt-vc §3.1 — typ MUST be `vc+sd-jwt` (or
+  // `dc+sd-jwt` for digital-credential profile). Pre-v0.9.x the absent-
+  // typ short-circuit accepted any token without typ, contradicting
+  // the spec MUST. Refuse absent typ; drop the legacy JWT allowance —
+  // verifyExternal handles generic JWT, sd-jwt-vc handles only the
+  // typ'd shape.
   var typ = headerObj.typ;
-  if (typ && typ !== "vc+sd-jwt" && typ !== "JWT") {
+  if (typeof typ !== "string" || (typ !== "vc+sd-jwt" && typ !== "dc+sd-jwt")) {
     throw new AuthError("auth-sd-jwt-vc/bad-typ",
-      "verify: header typ must be \"vc+sd-jwt\" (got \"" + typ + "\")");
+      "verify: header typ must be \"vc+sd-jwt\" or \"dc+sd-jwt\" (got " +
+      (typ === undefined ? "<absent>" : "\"" + typ + "\"") +
+      ") — draft-ietf-oauth-sd-jwt-vc §3.1 MUST");
+  }
+  // RFC 7515 §4.1.11 — refuse non-empty `crit` header. Every other
+  // verifier in the framework refuses critical extensions; sd-jwt-vc
+  // previously silently ignored, letting an attacker-controlled issuer
+  // declare critical extensions the verifier doesn't understand.
+  if (headerObj.crit !== undefined && headerObj.crit !== null) {
+    if (!Array.isArray(headerObj.crit) || headerObj.crit.length > 0) {
+      throw new AuthError("auth-sd-jwt-vc/unknown-crit",
+        "verify: header carries 'crit' extension list — sd-jwt-vc does not " +
+        "support any critical extensions and refuses per RFC 7515 §4.1.11");
+    }
   }
 
   var issuerKey = await opts.issuerKeyResolver(headerObj);
@@ -440,7 +481,27 @@ async function verify(presentation, opts) {
     throw new AuthError("auth-sd-jwt-vc/key-not-found",
       "verify: issuerKeyResolver returned no key");
   }
+  // CVE-2026-22817 — when issuerKeyResolver returns a JWK object,
+  // cross-check alg/kty BEFORE handing it to node:crypto.verify.
+  // KeyObject / PEM shapes can't surface kty so the check happens at
+  // JWK resolution only.
+  if (typeof issuerKey === "object" &&
+      !(issuerKey instanceof nodeCrypto.KeyObject) &&
+      !Buffer.isBuffer(issuerKey) &&
+      typeof issuerKey.kty === "string") {
+    jwtExternal._assertAlgKtyMatch(alg, issuerKey);
+  }
   var jwtParsed = _verifyJwt(jwt, issuerKey, alg);
+  // AUTH-25 — post-verify header compare. Pre-verify we parsed the
+  // header bytes to look up the key; _verifyJwt parses again from the
+  // cryptographically-verified signing input. Both decodes MUST yield
+  // the same JSON; a mismatch indicates a JWS-canonicalization or
+  // duplicate-key issue and refuses defense-in-depth.
+  if (safeJson.stringify(headerObj) !== safeJson.stringify(jwtParsed.header)) {
+    throw new AuthError("auth-sd-jwt-vc/header-roundtrip-mismatch",
+      "verify: pre-verify header bytes do not round-trip equal to post-verify " +
+      "header bytes — refusing potential JWS canonicalization smuggle");
+  }
 
   // 2. Validate iss / iat / exp / vct
   var nowSec = (typeof opts.now === "number" && isFinite(opts.now))
@@ -459,6 +520,18 @@ async function verify(presentation, opts) {
       "verify: vct mismatch (got \"" + jwtParsed.payload.vct +
       "\", expected \"" + opts.expectedVct + "\")");
   }
+  // CVE-2026-23552 — optional explicit iss check with constant-time
+  // compare. Operators with a known-issuer trust scope pass
+  // `opts.expectedIssuer`; absence preserves the existing
+  // issuerKeyResolver-only trust model.
+  if (opts.expectedIssuer) {
+    if (typeof jwtParsed.payload.iss !== "string" ||
+        !jwtExternal._issuerMatches(jwtParsed.payload.iss, opts.expectedIssuer)) {
+      throw new AuthError("auth-sd-jwt-vc/iss-mismatch",
+        "verify: iss '" + jwtParsed.payload.iss + "' does not match expected '" +
+        opts.expectedIssuer + "' (CVE-2026-23552 — cross-realm refused)");
+    }
+  }
 
   // 3. Reconstruct disclosed claims from disclosures
   // IETF SD-JWT default `_sd_alg` is `sha-256` (draft-ietf-oauth-

package/lib/circuit-breaker.js

@@ -78,9 +78,17 @@ function create(opts) {
   // The factory's documented shape is `create({ name, ...opts })`;
   // split the name out of opts before invoking the constructor.
   // Caught by hermitstash-sync operator review against v0.9.12.
+  //
+  // CRYPTO-19 — the previous empty-string fallback was unreachable
+  // (retryHelper.CircuitBreaker validator throws on "" first) AND
+  // produced a confusing error message ("name must be a non-empty
+  // string, got string \"\"") that obscured the real opt-shape
+  // problem. Pass opts.name through directly so the validator's
+  // error message reports the exact opt-shape error (missing name,
+  // non-string name, etc.) — the operator can act on it without
+  // tracing through the factory.
   opts = opts || {};
-  var name = (opts && typeof opts.name === "string") ? opts.name : "";
-  return new retryHelper.CircuitBreaker(name, opts);
+  return new retryHelper.CircuitBreaker(opts.name, opts);
 }
 
 module.exports = {

package/lib/cli.js

@@ -48,6 +48,7 @@ var C = require("./constants");
 var bCrypto = require("./crypto");
 var dev = require("./dev");
 var fileType = require("./file-type");
+var guardRegex = require("./guard-regex");
 var migrations = require("./migrations");
 var passwordModule = require("./auth/password");
 var requestHelpers = require("./request-helpers");
@@ -357,6 +358,18 @@ async function _runDev(args, ctx) {
         "blamejs dev: --ignore pattern exceeds max length " +
         MAX_IGNORE_PATTERN_LENGTH + " (got " + str.length + ")");
     }
+    // ReDoS / catastrophic-backtracking defense — refuses nested-quant
+    // (CVE-2024-21538 class), consecutive-* (CVE-2026-26996), nested
+    // extglob (CVE-2026-33671), and lookaround-quant shapes before the
+    // pattern reaches RegExp(). Operator typo / hostile-input identical
+    // shape from here on — both want the same refusal.
+    try {
+      guardRegex.sanitize(str, { profile: "strict" });
+    } catch (e) {
+      throw new CliError("cli/bad-ignore-pattern",
+        "blamejs dev: --ignore pattern refused by guardRegex: " +
+        ((e && e.message) || String(e)));
+    }
     return RegExp(str);
   });
   var graceMs = args.flags["grace-ms"] !== undefined ? Number(args.flags["grace-ms"]) : undefined;