@marcuspuchalla/nachos 0.1.3 → 0.2.0

package/src/parser/__tests__/cbor-security-dos-protection.test.ts

@@ -10,9 +10,10 @@
  * These tests verify protections against known CBOR implementation vulnerabilities.
  */
 
-import { describe, it, expect } from 'vitest'
+import { describe, it, expect, vi, afterEach } from 'vitest'
 import { useCborTag } from '../composables/useCborTag'
 import { useCborParser } from '../composables/useCborParser'
+import type { TaggedValue } from '../types'
 import { useCborCollection } from '../composables/useCborCollection'
 
 describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
@@ -26,10 +27,10 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 1024 } })
 
-      expect(result.value.tag).toBe(2)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(2)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // 512 bytes of 0x00 = BigInt 0
-      expect(result.value.value).toBe(0n)
+      expect((result.value as TaggedValue).value).toBe(0n)
     })
 
     it('should reject tag 2 bignum exceeding size limit', () => {
@@ -64,11 +65,11 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 1024 } })
 
-      expect(result.value.tag).toBe(2)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(2)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // 1024 bytes of 0xff should be a large positive bigint
       // 2^(1024*8) - 1
-      expect(result.value.value > 0n).toBe(true)
+      expect(((result.value as TaggedValue).value as bigint) > 0n).toBe(true)
     })
 
     it('should reject tag 2 with 1 byte over limit', () => {
@@ -102,10 +103,10 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 4096 } })
 
-      expect(result.value.tag).toBe(2)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(2)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // 2048 bytes of 0xbb should be a large positive bigint
-      expect(result.value.value > 0n).toBe(true)
+      expect(((result.value as TaggedValue).value as bigint) > 0n).toBe(true)
     })
 
     it('should accept empty bignum (edge case)', () => {
@@ -116,10 +117,10 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 1024 } })
 
-      expect(result.value.tag).toBe(2)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(2)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // Empty byte string = BigInt 0
-      expect(result.value.value).toBe(0n)
+      expect((result.value as TaggedValue).value).toBe(0n)
     })
   })
 
@@ -133,11 +134,11 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(bignum, { limits: { maxBignumBytes: 1024 } })
 
-      expect(result.value.tag).toBe(3)
-      expect(typeof result.value.value).toBe('bigint')
+      expect((result.value as TaggedValue).tag).toBe(3)
+      expect(typeof (result.value as TaggedValue).value).toBe('bigint')
       // Tag 3 = -1 - n, where n is the bignum value
       // 256 bytes of 0xff should be a large negative bigint
-      expect(result.value.value < 0n).toBe(true)
+      expect(((result.value as TaggedValue).value as bigint) < 0n).toBe(true)
     })
 
     it('should reject tag 3 bignum exceeding size limit', () => {
@@ -183,8 +184,8 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(epochTag, { limits: { maxBignumBytes: 100 } })
 
-      expect(result.value.tag).toBe(1)
-      expect(result.value.value).toBe(1363896240)
+      expect((result.value as TaggedValue).tag).toBe(1)
+      expect((result.value as TaggedValue).value).toBe(1363896240)
     })
 
     it('should NOT apply bignum limit to tag 24 (embedded CBOR)', () => {
@@ -195,8 +196,8 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(embeddedCBOR, { limits: { maxBignumBytes: 2 } })
 
-      expect(result.value.tag).toBe(24)
-      expect(result.value.value).toBeInstanceOf(Uint8Array)
+      expect((result.value as TaggedValue).tag).toBe(24)
+      expect((result.value as TaggedValue).value).toBeInstanceOf(Uint8Array)
     })
 
     it('should NOT apply bignum limit to tag 258 (set)', () => {
@@ -207,8 +208,8 @@ describe('CVE-2020-28491: Bignum Memory Exhaustion Protection', () => {
 
       const result = parseTag(setTag, { limits: { maxBignumBytes: 2 } })
 
-      expect(result.value.tag).toBe(258)
-      expect(result.value.value).toBeInstanceOf(Array)
+      expect((result.value as TaggedValue).tag).toBe(258)
+      expect((result.value as TaggedValue).value).toBeInstanceOf(Array)
     })
   })
 })
@@ -223,7 +224,7 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
 
       const result = parseTag(nested, { limits: { maxTagDepth: 64 } })
 
-      expect(result.value.tag).toBe(0)
+      expect((result.value as TaggedValue).tag).toBe(0)
       // Nested structure: tag 0 -> tag 0 -> ... -> 0
     })
 
@@ -255,7 +256,7 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
 
       const result = parseTag(nested, { limits: { maxTagDepth: 10 } })
 
-      expect(result.value.tag).toBe(0)
+      expect((result.value as TaggedValue).tag).toBe(0)
     })
 
     it('should use default tag depth limit when not specified', () => {
@@ -276,7 +277,7 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
 
       const result = parseTag(nested, { limits: { maxTagDepth: 150 } })
 
-      expect(result.value.tag).toBe(0)
+      expect((result.value as TaggedValue).tag).toBe(0)
     })
 
     it('should handle nested tags with different tag numbers', () => {
@@ -287,9 +288,9 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
 
       const result = parseTag(nested, { limits: { maxTagDepth: 5 } })
 
-      expect(result.value.tag).toBe(1)
-      expect(result.value.value.tag).toBe(2)
-      expect((result.value.value as any).value).toHaveProperty('tag', 3)
+      expect((result.value as TaggedValue).tag).toBe(1)
+      expect(((result.value as TaggedValue).value as TaggedValue).tag).toBe(2)
+      expect(((result.value as TaggedValue).value as any).value).toHaveProperty('tag', 3)
     })
 
     it('should reject deeply nested mixed tags', () => {
@@ -312,8 +313,8 @@ describe('RUSTSEC-2019-0025: Tag Nesting Stack Overflow Protection', () => {
         limits: { maxTagDepth: 5, maxDepth: 5 }
       })
 
-      expect(result.value.tag).toBe(1)
-      expect(result.value.value).toEqual([1, 2, 3])
+      expect((result.value as TaggedValue).tag).toBe(1)
+      expect((result.value as TaggedValue).value).toEqual([1, 2, 3])
     })
 
     it('should prevent stack overflow with minimal input (< 1KB)', () => {
@@ -467,7 +468,7 @@ describe('Combined Security Protections', () => {
       }
     })
 
-    expect(result.value.tag).toBe(1)
+    expect((result.value as TaggedValue).tag).toBe(1)
   })
 
   it('should reject when any single limit is exceeded', () => {
@@ -501,3 +502,135 @@ describe('Combined Security Protections', () => {
       .toThrow(/duplicate/i)
   })
 })
+
+describe('maxParseTime Timeout Protection for Standard decode() Path', () => {
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  describe('useCborCollection: parseItem timeout', () => {
+    it('should enforce maxParseTime when parsing deeply nested arrays via standard path', () => {
+      // Mock Date.now: first call returns start time, subsequent calls simulate time passing
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        // First call sets parseStartTime, subsequent calls check elapsed
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseArray } = useCborCollection()
+
+      // Build a deeply nested array: [[[[...]]]]
+      // 10 levels of nesting, innermost value is 0x00 (integer 0)
+      const nested = '81'.repeat(10) + '00'
+
+      // maxParseTime=50ms, but mocked time shows 100ms elapsed
+      expect(() => parseArray(nested, { limits: { maxParseTime: 50, maxDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+
+    it('should enforce maxParseTime when parsing deeply nested maps via standard path', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseMap } = useCborCollection()
+
+      // Build nested map: {"a": {"a": ... 0 }}
+      const nested = 'a16161'.repeat(10) + '00'
+
+      expect(() => parseMap(nested, { limits: { maxParseTime: 50, maxDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+
+    it('should enforce maxParseTime via the top-level decode() function', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parse } = useCborParser()
+
+      // Nested arrays through the standard parse() path
+      const nested = '81'.repeat(10) + '00'
+
+      expect(() => parse(nested, { limits: { maxParseTime: 50, maxDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+
+    it('should NOT timeout when parsing completes quickly with generous maxParseTime', () => {
+      // Mock Date.now to always return same value (no time passes)
+      vi.spyOn(Date, 'now').mockReturnValue(1000)
+
+      const { parse } = useCborParser()
+
+      // Simple array [1, 2, 3]
+      const result = parse('83010203', { limits: { maxParseTime: 5000 } })
+      expect(result.value).toEqual([1, 2, 3])
+    })
+
+    it('should NOT timeout for simple values when maxParseTime is set', () => {
+      vi.spyOn(Date, 'now').mockReturnValue(1000)
+
+      const { parse } = useCborParser()
+
+      const result = parse('1864', { limits: { maxParseTime: 5000 } })
+      expect(result.value).toBe(100)
+    })
+  })
+
+  describe('useCborTag: parseItem timeout', () => {
+    it('should enforce maxParseTime when parsing tags containing deeply nested structures', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseTag } = useCborTag()
+
+      // Tag 1 wrapping deeply nested arrays
+      const nested = 'c1' + '81'.repeat(10) + '00'
+
+      expect(() => parseTag(nested, { limits: { maxParseTime: 50, maxDepth: 200, maxTagDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+
+    it('should enforce maxParseTime for deeply nested tags', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseTag } = useCborTag()
+
+      // 10 nested tags wrapping an integer
+      const nested = 'c0'.repeat(10) + '00'
+
+      expect(() => parseTag(nested, { limits: { maxParseTime: 50, maxTagDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+  })
+
+  describe('parseSequence timeout', () => {
+    it('should enforce maxParseTime when parsing a CBOR sequence', () => {
+      let callCount = 0
+      vi.spyOn(Date, 'now').mockImplementation(() => {
+        callCount++
+        return callCount <= 1 ? 1000 : 1100
+      })
+
+      const { parseSequence } = useCborParser()
+
+      // Sequence of nested arrays
+      const nested = '81'.repeat(10) + '00'
+
+      expect(() => parseSequence(nested, { limits: { maxParseTime: 50, maxDepth: 200 } }))
+        .toThrow(/parse timeout/i)
+    })
+  })
+})

package/src/parser/__tests__/cbor-standard-tags.test.ts

@@ -20,11 +20,9 @@
 
 import { describe, it, expect } from 'vitest'
 import { useCborParser } from '../composables/useCborParser'
-import { useCborTag } from '../composables/useCborTag'
 
 describe('CBOR Standard Tags (RFC 8949)', () => {
   const { parse } = useCborParser()
-  const { parseTag } = useCborTag()
 
   describe('Tag 0: Date/Time String (RFC 3339)', () => {
     it('should parse valid ISO 8601 date/time string', () => {
@@ -149,17 +147,57 @@ describe('CBOR Standard Tags (RFC 8949)', () => {
     })
 
     it('should reject non-integer exponent in strict mode', () => {
-      // Tag 4 + [3.14, 500] (invalid - exponent must be integer)
+      // Tag 4 + [3.14, 500] (invalid - exponent must be integer per RFC 8949)
       // fb 40091eb851eb851f = float64 3.14
       // 1901f4 = uint 500
       const hex = 'c482fb40091eb851eb851f1901f4' // [3.14, 500]
 
-      // Note: The parser validates that exponent is number|bigint, and 3.14 is a number
-      // So this passes parsing but semantically the exponent should be integer
-      // The current implementation accepts floats as exponents, which is RFC-compliant
-      // (RFC says "integer" but implementations often accept any number)
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/exponent must be an integer/)
+    })
+
+    it('should reject non-integer mantissa in strict mode', () => {
+      // Tag 4 + [-2, 3.14] (invalid - mantissa must be integer per RFC 8949)
+      // 21 = -2
+      // fb 40091eb851eb851f = float64 3.14
+      const hex = 'c48221fb40091eb851eb851f' // [-2, 3.14]
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/mantissa must be an integer/)
+    })
+
+    it('should accept integer exponent and mantissa values', () => {
+      // Tag 4 + [0, 42]
+      // 00 = 0, 1829 = 42 (wrong, 182a = 42)
+      // Actually: 00 = 0, 18 2a = 42
+      const hex = 'c48200182a' // [0, 42]
+      const result = parse(hex, { strict: true, validateTagSemantics: true })
+      expect(result.value).toMatchObject({ tag: 4 })
+      const arr = (result.value as any).value as number[]
+      expect(arr[0]).toBe(0)
+      expect(arr[1]).toBe(42)
+    })
+
+    it('should accept negative integer exponent', () => {
+      // Tag 4 + [-1, 500]
+      // 20 = -1, 1901f4 = 500
+      const hex = 'c482201901f4' // [-1, 500]
+      const result = parse(hex, { strict: true, validateTagSemantics: true })
+      expect(result.value).toMatchObject({ tag: 4 })
+      const arr = (result.value as any).value as number[]
+      expect(arr[0]).toBe(-1)
+      expect(arr[1]).toBe(500)
+    })
+
+    it('should accept zero exponent and large mantissa', () => {
+      // Tag 4 + [0, 12345]
+      // 00 = 0, 193039 = 12345
+      const hex = 'c48200193039'
       const result = parse(hex, { strict: true, validateTagSemantics: true })
       expect(result.value).toMatchObject({ tag: 4 })
+      const arr = (result.value as any).value as number[]
+      expect(arr[0]).toBe(0)
+      expect(arr[1]).toBe(12345)
     })
   })
 
@@ -187,6 +225,36 @@ describe('CBOR Standard Tags (RFC 8949)', () => {
       expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
         .toThrow(/exactly 2 elements/i)
     })
+
+    it('should reject non-integer exponent in strict mode', () => {
+      // Tag 5 + [3.14, 500] (invalid - exponent must be integer per RFC 8949)
+      // fb 40091eb851eb851f = float64 3.14
+      // 1901f4 = uint 500
+      const hex = 'c582fb40091eb851eb851f1901f4' // [3.14, 500]
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/exponent must be an integer/)
+    })
+
+    it('should reject non-integer mantissa in strict mode', () => {
+      // Tag 5 + [-2, 3.14] (invalid - mantissa must be integer per RFC 8949)
+      // 21 = -2
+      // fb 40091eb851eb851f = float64 3.14
+      const hex = 'c58221fb40091eb851eb851f' // [-2, 3.14]
+
+      expect(() => parse(hex, { strict: true, validateTagSemantics: true }))
+        .toThrow(/mantissa must be an integer/)
+    })
+
+    it('should accept integer exponent and mantissa values', () => {
+      // Tag 5 + [-2, 500]
+      const hex = 'c5822119 01f4'.replace(/\s/g, '')
+      const result = parse(hex, { strict: true, validateTagSemantics: true })
+      expect(result.value).toMatchObject({ tag: 5 })
+      const arr = (result.value as any).value as number[]
+      expect(arr[0]).toBe(-2)
+      expect(arr[1]).toBe(500)
+    })
   })
 
   describe('Tags 21-23: Expected Encoding', () => {

package/src/parser/__tests__/cbor-tag-reparse-fix.test.ts

@@ -0,0 +1,268 @@
+/**
+ * Tests for eliminating exponential re-parsing in source-map tag handling
+ * Task 2-B: parseTagWithMap should NOT re-parse the entire tag subtree
+ *
+ * The fix ensures that parseTagWithMap uses already-parsed values plus
+ * direct calls to validateTagSemantics and decodePlutusConstructor,
+ * instead of calling parseTag(hexString) which re-parses everything.
+ */
+
+import { describe, it, expect, vi } from 'vitest'
+import { useCborParser } from '../composables/useCborParser'
+import { useCborTag } from '../composables/useCborTag'
+
+describe('Tag Source Map Re-parse Elimination (Task 2-B)', () => {
+  describe('Correctness: parseWithSourceMap still produces correct values', () => {
+    it('should correctly decode tag 121 with array', () => {
+      const { parseWithSourceMap } = useCborParser()
+      const result = parseWithSourceMap('d87983010203') // Tag 121, [1, 2, 3]
+
+      expect(result.value).toEqual({
+        tag: 121,
+        value: [1, 2, 3],
+        plutus: { constructor: 0, fields: [1, 2, 3] }
+      })
+    })
+
+    it('should correctly decode tag 122 with array', () => {
+      const { parseWithSourceMap } = useCborParser()
+      const result = parseWithSourceMap('d87a81182a') // Tag 122, [42]
+
+      expect(result.value).toEqual({
+        tag: 122,
+        value: [42],
+        plutus: { constructor: 1, fields: [42] }
+      })
+    })
+
+    it('should correctly decode tag 102 alternative constructor', () => {
+      const { parseWithSourceMap } = useCborParser()
+      const result = parseWithSourceMap('d8668218c8811863') // Tag 102, [200, [99]]
+
+      expect(result.value).toEqual({
+        tag: 102,
+        value: [200, [99]],
+        plutus: { constructor: 200, fields: [99] }
+      })
+    })
+
+    it('should correctly decode extended constructor tag 1283', () => {
+      const { parseWithSourceMap } = useCborParser()
+      const result = parseWithSourceMap('d9050383010203') // Tag 1283, [1, 2, 3]
+
+      expect(result.value).toEqual({
+        tag: 1283,
+        value: [1, 2, 3],
+        plutus: { constructor: 10, fields: [1, 2, 3] }
+      })
+    })
+
+    it('should correctly decode bignum tag 2 (positive)', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 2, byte string 0x01 0x00 (= 256)
+      const result = parseWithSourceMap('c2420100')
+
+      expect(result.value).toEqual({
+        tag: 2,
+        value: 256n
+      })
+    })
+
+    it('should correctly decode bignum tag 3 (negative)', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 3, byte string 0x01 0x00 (= -1 - 256 = -257)
+      const result = parseWithSourceMap('c3420100')
+
+      expect(result.value).toEqual({
+        tag: 3,
+        value: -257n
+      })
+    })
+
+    it('should correctly handle tag 0 (date/time string)', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 0 containing "2013-03-21T20:04:00Z"
+      const result = parseWithSourceMap('c074323031332d30332d32315432303a30343a30305a')
+
+      const value = result.value as any
+      expect(value.tag).toBe(0)
+      expect(value.value).toBe('2013-03-21T20:04:00Z')
+    })
+
+    it('should correctly handle tag 1 (epoch time)', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 1 containing 1363896240
+      const result = parseWithSourceMap('c11a514b67b0')
+
+      expect(result.value).toEqual({
+        tag: 1,
+        value: 1363896240
+      })
+    })
+
+    it('should correctly handle nested tags', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 121 -> [Tag 121 -> []]
+      const result = parseWithSourceMap('d87981d87980')
+
+      const outer = result.value as any
+      expect(outer.tag).toBe(121)
+      expect(outer.plutus).toEqual({ constructor: 0, fields: [{ tag: 121, value: [], plutus: { constructor: 0, fields: [] } }] })
+    })
+
+    it('should correctly handle tag 121 with empty array', () => {
+      const { parseWithSourceMap } = useCborParser()
+      const result = parseWithSourceMap('d87980')
+
+      expect(result.value).toEqual({
+        tag: 121,
+        value: [],
+        plutus: { constructor: 0, fields: [] }
+      })
+    })
+
+    it('should correctly handle self-describe tag 55799', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 55799 wrapping integer 42
+      const result = parseWithSourceMap('d9d9f7182a')
+
+      expect(result.value).toEqual({
+        tag: 55799,
+        value: 42
+      })
+    })
+
+    it('should correctly handle non-Plutus tag with non-array value', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 1 containing 0
+      const result = parseWithSourceMap('c100')
+
+      expect(result.value).toEqual({
+        tag: 1,
+        value: 0
+      })
+    })
+  })
+
+  describe('Correctness: source maps remain identical', () => {
+    it('should produce same source map for simple tagged value', () => {
+      const { parseWithSourceMap } = useCborParser()
+      const result = parseWithSourceMap('d879182a') // Tag 121, 42
+
+      expect(result.sourceMap).toHaveLength(2)
+      expect(result.sourceMap[0]).toMatchObject({
+        path: '',
+        majorType: 6,
+        type: 'tag(121)',
+        children: ['.value']
+      })
+      expect(result.sourceMap[1]).toMatchObject({
+        path: '.value',
+        majorType: 0,
+        parent: ''
+      })
+    })
+
+    it('should produce same source map for nested tags', () => {
+      const { parseWithSourceMap } = useCborParser()
+      const result = parseWithSourceMap('d87981d87980')
+
+      const outerTag = result.sourceMap.find(e => e.path === '')
+      expect(outerTag?.majorType).toBe(6)
+      expect(outerTag?.children).toEqual(['.value'])
+
+      const array = result.sourceMap.find(e => e.path === '.value')
+      expect(array?.majorType).toBe(4)
+      expect(array?.parent).toBe('')
+
+      const innerTag = result.sourceMap.find(e => e.path === '.value[0]')
+      expect(innerTag?.majorType).toBe(6)
+      expect(innerTag?.parent).toBe('.value')
+    })
+  })
+
+  describe('Validation still works through source-map path', () => {
+    it('should validate tag 2/3 bignum byte limit', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 2 with a byte string exceeding the limit
+      // Create a very long byte string (> default 1024 bytes)
+      const longByteString = '59' + '0401' + 'ff'.repeat(1025)
+      const hex = 'c2' + longByteString
+
+      expect(() => parseWithSourceMap(hex)).toThrow(/bignum/i)
+    })
+
+    it('should validate tag semantics in strict mode', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 0 (date/time) with integer value (should be text string)
+      // c0 00 = tag(0) + integer(0)
+      expect(() => parseWithSourceMap('c000', { strict: true })).toThrow(/tag 0/i)
+    })
+
+    it('should validate Plutus semantics in strict mode', () => {
+      const { parseWithSourceMap } = useCborParser()
+      // Tag 121 with non-array value (should be array)
+      // d8 79 00 = tag(121) + integer(0)
+      expect(() => parseWithSourceMap('d87900', { strict: true })).toThrow(/Plutus/i)
+    })
+  })
+
+  describe('Performance: no exponential re-parsing', () => {
+    it('should parse deeply nested tags in linear time', () => {
+      const { parseWithSourceMap } = useCborParser()
+
+      // Build a deeply nested tag: tag(121) -> [tag(121) -> [tag(121) -> ... -> []]]
+      // At depth D, the old code would do O(D^2) work due to re-parsing.
+      // With the fix, it should be O(D).
+      const buildNestedTagHex = (depth: number): string => {
+        // Each level: d8 79 81 (tag 121, 1-element array)
+        // Innermost: d8 79 80 (tag 121, empty array)
+        let hex = ''
+        for (let i = 0; i < depth - 1; i++) {
+          hex += 'd87981' // tag(121), array(1)
+        }
+        hex += 'd87980' // tag(121), array(0)
+        return hex
+      }
+
+      // Time a moderate depth (20 levels)
+      const hex20 = buildNestedTagHex(20)
+      const start20 = performance.now()
+      const result20 = parseWithSourceMap(hex20)
+      const time20 = performance.now() - start20
+
+      // Time a deeper nesting (40 levels)
+      const hex40 = buildNestedTagHex(40)
+      const start40 = performance.now()
+      const result40 = parseWithSourceMap(hex40)
+      const time40 = performance.now() - start40
+
+      // With O(D^2), doubling depth quadruples time: time40/time20 ~ 4
+      // With O(D), doubling depth doubles time: time40/time20 ~ 2
+      // Use a generous bound: if fixed, ratio should be < 3
+      // If unfixed (quadratic), ratio tends toward 4+
+      //
+      // Note: for small absolute times, jitter can dominate.
+      // The real test is that 40-deep should still complete quickly (< 100ms).
+      expect(time40).toBeLessThan(100) // Should be very fast with fix
+
+      // Both should parse successfully
+      expect((result20.value as any).tag).toBe(121)
+      expect((result40.value as any).tag).toBe(121)
+    })
+  })
+
+  describe('useCborTag exports', () => {
+    it('should export validateTagSemantics function', () => {
+      const tag = useCborTag()
+      expect(tag.validateTagSemantics).toBeDefined()
+      expect(typeof tag.validateTagSemantics).toBe('function')
+    })
+
+    it('should export decodePlutusConstructor function', () => {
+      const tag = useCborTag()
+      expect(tag.decodePlutusConstructor).toBeDefined()
+      expect(typeof tag.decodePlutusConstructor).toBe('function')
+    })
+  })
+})