@marcuspuchalla/nachos 0.1.3 → 0.2.0

package/src/parser/composables/useCborParser.ts

@@ -4,9 +4,9 @@
  * Auto-detects major type and dispatches to appropriate parser
  */
 
-import type { ParseResult, ParseResultWithMap, SourceMapEntry, ParseOptions, CborContext, CborValue } from '../types'
+import type { ParseResult, ParseResultWithMap, SourceMapEntry, ParseOptions, CborContext, CborValue, TaggedValue } from '../types'
 import { DEFAULT_OPTIONS, DEFAULT_LIMITS } from '../types'
-import { hexToBytes, readByte, readUint, readBigUint, extractCborHeader } from '../utils'
+import { hexToBytes, readByte, readUint, readBigUint, extractCborHeader, serializeValueForComparison, validateCanonicalInteger } from '../utils'
 import { useCborInteger } from './useCborInteger'
 import { useCborString } from './useCborString'
 import { useCborCollection } from './useCborCollection'
@@ -47,6 +47,9 @@ export function useCborParser() {
       validateSetUniqueness: options.validateSetUniqueness ?? (options.strict ? true : DEFAULT_OPTIONS.validateSetUniqueness),
       validateTagSemantics: options.validateTagSemantics ?? (options.strict ? true : DEFAULT_OPTIONS.validateTagSemantics),
       validatePlutusSemantics: options.validatePlutusSemantics ?? (options.strict ? true : DEFAULT_OPTIONS.validatePlutusSemantics),
+      mapKeyOrder: options.mapKeyOrder ?? DEFAULT_OPTIONS.mapKeyOrder,
+      // Strict mode rejects trailing data after the top-level item (well-formedness).
+      allowTrailingData: options.allowTrailingData ?? (options.strict ? false : DEFAULT_OPTIONS.allowTrailingData),
       limits: {
         maxInputSize: options.limits?.maxInputSize ?? DEFAULT_LIMITS.maxInputSize,
         maxOutputSize: options.limits?.maxOutputSize ?? DEFAULT_LIMITS.maxOutputSize,
@@ -73,11 +76,11 @@ export function useCborParser() {
     }
   }
 
-  const { parseInteger } = useCborInteger()
-  const { parseString } = useCborString()
+  const { parseInteger, parseIntegerFromBuffer: integerFromBuffer } = useCborInteger()
+  const { parseString, parseByteString: byteStringFromBuffer, parseTextString: textStringFromBuffer } = useCborString()
   const { parseArray, parseMap } = useCborCollection()
-  const { parseTag } = useCborTag()
-  const { parse: parseFloatOrSimple } = useCborFloat()
+  const { parseTag, validateTagSemantics, decodePlutusConstructor } = useCborTag()
+  const { parse: parseFloatOrSimple, parseFromBuffer: floatOrSimpleFromBuffer } = useCborFloat()
 
   /**
    * Parses a CBOR hex string, auto-detecting the type
@@ -100,9 +103,28 @@ export function useCborParser() {
    * parse('6449455446', { strict: true })
    * ```
    */
-  const parse = (hexString: string, options?: ParseOptions): ParseResult => {
-    // Remove spaces from hex string
-    const cleanHex = hexString.replace(/\s+/g, '')
+  const parse = (input: string | Uint8Array, options?: ParseOptions): ParseResult => {
+    // Merge options with defaults
+    const mergedOptions = mergeOptions(options)
+
+    // Uint8Array fast path: skip hex conversion entirely
+    if (input instanceof Uint8Array) {
+      if (input.length === 0) {
+        throw new Error('Empty input')
+      }
+
+      // Check input size limit
+      if (mergedOptions.limits?.maxInputSize && input.length > mergedOptions.limits.maxInputSize) {
+        throw new Error(`Input size ${input.length} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`)
+      }
+
+      const bufResult = dispatchFromBuffer(input, 0, mergedOptions)
+      checkTrailingData(bufResult.bytesRead, input.length, mergedOptions)
+      return bufResult
+    }
+
+    // Hex string path
+    const cleanHex = input.replace(/\s+/g, '')
 
     // Validate hex string
     if (!cleanHex || cleanHex.length === 0) {
@@ -117,9 +139,6 @@ export function useCborParser() {
       throw new Error(`Invalid hex character in: ${cleanHex}`)
     }
 
-    // Merge options with defaults
-    const mergedOptions = mergeOptions(options)
-
     // Check input size limit
     const inputSize = cleanHex.length / 2 // Convert hex chars to bytes
     if (mergedOptions.limits?.maxInputSize && inputSize > mergedOptions.limits.maxInputSize) {
@@ -132,30 +151,57 @@ export function useCborParser() {
     const { majorType } = extractCborHeader(initialByte)
 
     // Dispatch to appropriate parser based on major type
+    let result: ParseResult
     switch (majorType) {
       case 0: // Unsigned integer
       case 1: // Negative integer
-        return parseInteger(cleanHex, mergedOptions)
+        result = parseInteger(cleanHex, mergedOptions)
+        break
 
       case 2: // Byte string
       case 3: // Text string
-        return parseString(cleanHex, mergedOptions)
+        result = parseString(cleanHex, mergedOptions)
+        break
 
       case 4: // Array
-        return parseArray(cleanHex, mergedOptions)
+        result = parseArray(cleanHex, mergedOptions)
+        break
 
       case 5: // Map
-        return parseMap(cleanHex, mergedOptions)
+        result = parseMap(cleanHex, mergedOptions)
+        break
 
       case 6: // Tagged value
-        return parseTag(cleanHex, mergedOptions)
+        result = parseTag(cleanHex, mergedOptions)
+        break
 
       case 7: // Floating-point or simple value
-        return parseFloatOrSimple(cleanHex, mergedOptions)
+        result = parseFloatOrSimple(cleanHex, mergedOptions)
+        break
 
       default:
         throw new Error(`Unknown major type: ${majorType}`)
     }
+
+    checkTrailingData(result.bytesRead, buffer.length, mergedOptions)
+    return result
+  }
+
+  /**
+   * Rejects trailing bytes after the top-level data item when
+   * allowTrailingData is false (RFC 8949 well-formedness for a single item).
+   */
+  const checkTrailingData = (
+    bytesRead: number,
+    totalLength: number,
+    opts: Required<ParseOptions>
+  ): void => {
+    if (!opts.allowTrailingData && bytesRead < totalLength) {
+      throw new Error(
+        `Trailing data: ${totalLength - bytesRead} byte(s) remain after the top-level CBOR item ` +
+        `(bytesRead=${bytesRead}, length=${totalLength}). Use parseSequence to decode multiple items.`
+      )
+    }
   }
 
   /**
@@ -165,30 +211,46 @@ export function useCborParser() {
    * @param options - Parser options (optional)
    * @returns Parsed value, bytes read, and source map
    */
-  const parseWithSourceMap = (hexString: string, options?: ParseOptions): ParseResultWithMap => {
-    const cleanHex = hexString.replace(/\s+/g, '')
-
-    // Validate hex string
-    if (!cleanHex || cleanHex.length === 0) {
-      throw new Error('Empty hex string')
-    }
-    if (cleanHex.length % 2 !== 0) {
-      throw new Error('Hex string must have even length')
-    }
-    if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
-      throw new Error(`Invalid hex character in: ${cleanHex}`)
-    }
-
+  const parseWithSourceMap = (input: string | Uint8Array, options?: ParseOptions): ParseResultWithMap => {
     // Merge options with defaults
     const mergedOptions = mergeOptions(options)
 
-    // Check input size limit
-    const inputSize = cleanHex.length / 2
-    if (mergedOptions.limits?.maxInputSize && inputSize > mergedOptions.limits.maxInputSize) {
-      throw new Error(`Input size ${inputSize} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`)
+    let buffer: Uint8Array
+
+    if (input instanceof Uint8Array) {
+      if (input.length === 0) {
+        throw new Error('Empty input')
+      }
+
+      // Check input size limit
+      if (mergedOptions.limits?.maxInputSize && input.length > mergedOptions.limits.maxInputSize) {
+        throw new Error(`Input size ${input.length} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`)
+      }
+
+      buffer = input
+    } else {
+      const cleanHex = input.replace(/\s+/g, '')
+
+      // Validate hex string
+      if (!cleanHex || cleanHex.length === 0) {
+        throw new Error('Empty hex string')
+      }
+      if (cleanHex.length % 2 !== 0) {
+        throw new Error('Hex string must have even length')
+      }
+      if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
+        throw new Error(`Invalid hex character in: ${cleanHex}`)
+      }
+
+      // Check input size limit
+      const inputSize = cleanHex.length / 2
+      if (mergedOptions.limits?.maxInputSize && inputSize > mergedOptions.limits.maxInputSize) {
+        throw new Error(`Input size ${inputSize} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`)
+      }
+
+      buffer = hexToBytes(cleanHex)
     }
 
-    const buffer = hexToBytes(cleanHex)
     const sourceMap: SourceMapEntry[] = []
 
     // Create context with tracking
@@ -391,33 +453,87 @@ export function useCborParser() {
   }
 
   /**
-   * Helper to parse integer from buffer
+   * Dispatches CBOR parsing from buffer by major type
+   * Used by parseSequence and parseValueWithMap helpers
+   *
+   * @param buffer - Data buffer
+   * @param offset - Current offset
+   * @param options - Parser options
+   * @returns Parsed value and bytes read
+   */
+  const dispatchFromBuffer = (buffer: Uint8Array, offset: number, options?: ParseOptions): ParseResult => {
+    const initialByte = readByte(buffer, offset)
+    const { majorType } = extractCborHeader(initialByte)
+
+    switch (majorType) {
+      case 0: // Unsigned integer
+      case 1: // Negative integer
+        return integerFromBuffer(buffer, offset, options)
+
+      case 2: // Byte string
+        return byteStringFromBuffer(buffer, offset, options)
+
+      case 3: // Text string
+        return textStringFromBuffer(buffer, offset, options)
+
+      case 4: // Array
+        {
+          // Use parseArray via hex for now - arrays/maps already use buffer internally
+          const hexString = Array.from(buffer.slice(offset))
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('')
+          return parseArray(hexString, options)
+        }
+
+      case 5: // Map
+        {
+          const hexString = Array.from(buffer.slice(offset))
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('')
+          return parseMap(hexString, options)
+        }
+
+      case 6: // Tag
+        {
+          const hexString = Array.from(buffer.slice(offset))
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('')
+          return parseTag(hexString, options)
+        }
+
+      case 7: // Float/Simple
+        return floatOrSimpleFromBuffer(buffer, offset, options)
+
+      default:
+        throw new Error(`Unknown major type: ${majorType}`)
+    }
+  }
+
+  /**
+   * Helper to parse integer from buffer (delegates to buffer-native implementation)
    */
   const parseIntegerFromBuffer = (buffer: Uint8Array, offset: number, options?: ParseOptions): ParseResult => {
-    const hexString = Array.from(buffer.slice(offset))
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join('')
-    return parseInteger(hexString, options)
+    return integerFromBuffer(buffer, offset, options)
   }
 
   /**
    * Helper to parse string from buffer
+   * Dispatches to byte string or text string based on major type
    */
   const parseStringFromBuffer = (buffer: Uint8Array, offset: number, options?: ParseOptions): ParseResult => {
-    const hexString = Array.from(buffer.slice(offset))
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join('')
-    return parseString(hexString, options)
+    const initialByte = readByte(buffer, offset)
+    const { majorType } = extractCborHeader(initialByte)
+    if (majorType === 2) {
+      return byteStringFromBuffer(buffer, offset, options)
+    }
+    return textStringFromBuffer(buffer, offset, options)
   }
 
   /**
-   * Helper to parse float from buffer
+   * Helper to parse float/simple from buffer (delegates to buffer-native implementation)
    */
   const parseFloatFromBuffer = (buffer: Uint8Array, offset: number, options?: ParseOptions): ParseResult => {
-    const hexString = Array.from(buffer.slice(offset))
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join('')
-    return parseFloatOrSimple(hexString, options)
+    return floatOrSimpleFromBuffer(buffer, offset, options)
   }
 
   /**
@@ -429,6 +545,13 @@ export function useCborParser() {
     path: string,
     sourceMap: SourceMapEntry[]
   ): ParseResult => {
+    const previousDepth = ctx.currentDepth ?? 0
+    const maxDepth = ctx.options?.limits?.maxDepth
+    if (maxDepth !== undefined && previousDepth >= maxDepth) {
+      throw new Error(`Maximum nesting depth ${maxDepth} exceeded`)
+    }
+    ctx.currentDepth = previousDepth + 1
+
     const startOffset = offset
     const initialByte = readByte(ctx.buffer, offset)
     const { additionalInfo } = extractCborHeader(initialByte)
@@ -459,6 +582,10 @@ export function useCborParser() {
       length = Number(bigLength)
       currentOffset += 8
     } else if (additionalInfo === 31) {
+      const isIndefiniteAllowed = ctx.options?.allowIndefinite ?? !(ctx.options?.validateCanonical || ctx.options?.strict)
+      if (!isIndefiniteAllowed) {
+        throw new Error('Indefinite-length encoding is not allowed (strict/canonical mode)')
+      }
       isIndefinite = true
       length = 0
     } else {
@@ -480,56 +607,71 @@ export function useCborParser() {
       headerEnd
     })
 
-    // Parse array elements
-    const childPaths: string[] = []
-    if (isIndefinite) {
-      let index = 0
-      while (currentOffset < ctx.buffer.length) {
-        const nextByte = readByte(ctx.buffer, currentOffset)
-        if (nextByte === 0xff) {
-          currentOffset++
-          break
+    try {
+      // Parse array elements
+      const childPaths: string[] = []
+      if (isIndefinite) {
+        let index = 0
+        let foundBreak = false
+        while (currentOffset < ctx.buffer.length) {
+          const nextByte = readByte(ctx.buffer, currentOffset)
+          if (nextByte === 0xff) {
+            currentOffset++
+            foundBreak = true
+            break
+          }
+          if (ctx.options?.limits?.maxArrayLength && index >= ctx.options.limits.maxArrayLength) {
+            throw new Error(`Array length exceeds limit of ${ctx.options.limits.maxArrayLength}`)
+          }
+          const elementPath = `${path}[${index}]`
+          childPaths.push(elementPath)
+          const elementResult = parseValueWithMap(ctx, currentOffset, elementPath, sourceMap)
+          items.push(elementResult.value)
+          currentOffset += elementResult.bytesRead
+
+          // Mark element as child of this array
+          const elementEntry = sourceMap.find(e => e.path === elementPath)
+          if (elementEntry) {
+            elementEntry.parent = path
+          }
+
+          index++
         }
-        const elementPath = `${path}[${index}]`
-        childPaths.push(elementPath)
-        const elementResult = parseValueWithMap(ctx, currentOffset, elementPath, sourceMap)
-        items.push(elementResult.value)
-        currentOffset += elementResult.bytesRead
-
-        // Mark element as child of this array
-        const elementEntry = sourceMap.find(e => e.path === elementPath)
-        if (elementEntry) {
-          elementEntry.parent = path
+        if (!foundBreak) {
+          throw new Error('Indefinite-length array missing break code (0xFF)')
         }
-
-        index++
-      }
-    } else {
-      for (let i = 0; i < length; i++) {
-        const elementPath = `${path}[${i}]`
-        childPaths.push(elementPath)
-        const elementResult = parseValueWithMap(ctx, currentOffset, elementPath, sourceMap)
-        items.push(elementResult.value)
-        currentOffset += elementResult.bytesRead
-
-        // Mark element as child of this array
-        const elementEntry = sourceMap.find(e => e.path === elementPath)
-        if (elementEntry) {
-          elementEntry.parent = path
+      } else {
+        if (ctx.options?.limits?.maxArrayLength && length > ctx.options.limits.maxArrayLength) {
+          throw new Error(`Array length ${length} exceeds limit of ${ctx.options.limits.maxArrayLength}`)
+        }
+        for (let i = 0; i < length; i++) {
+          const elementPath = `${path}[${i}]`
+          childPaths.push(elementPath)
+          const elementResult = parseValueWithMap(ctx, currentOffset, elementPath, sourceMap)
+          items.push(elementResult.value)
+          currentOffset += elementResult.bytesRead
+
+          // Mark element as child of this array
+          const elementEntry = sourceMap.find(e => e.path === elementPath)
+          if (elementEntry) {
+            elementEntry.parent = path
+          }
         }
       }
-    }
 
-    const bytesRead = currentOffset - offset
+      const bytesRead = currentOffset - offset
 
-    // Only set children if array is non-empty
-    if (childPaths.length > 0 && sourceMap[arrayEntryIndex]) {
-      sourceMap[arrayEntryIndex].children = childPaths
-    }
+      // Only set children if array is non-empty
+      if (childPaths.length > 0 && sourceMap[arrayEntryIndex]) {
+        sourceMap[arrayEntryIndex].children = childPaths
+      }
 
-    return {
-      value: items,
-      bytesRead
+      return {
+        value: items,
+        bytesRead
+      }
+    } finally {
+      ctx.currentDepth = previousDepth
     }
   }
 
@@ -542,6 +684,13 @@ export function useCborParser() {
     path: string,
     sourceMap: SourceMapEntry[]
   ): ParseResult => {
+    const previousDepth = ctx.currentDepth ?? 0
+    const maxDepth = ctx.options?.limits?.maxDepth
+    if (maxDepth !== undefined && previousDepth >= maxDepth) {
+      throw new Error(`Maximum nesting depth ${maxDepth} exceeded`)
+    }
+    ctx.currentDepth = previousDepth + 1
+
     const startOffset = offset
     const initialByte = readByte(ctx.buffer, offset)
     const { additionalInfo } = extractCborHeader(initialByte)
@@ -572,6 +721,10 @@ export function useCborParser() {
       length = Number(bigLength)
       currentOffset += 8
     } else if (additionalInfo === 31) {
+      const isIndefiniteAllowed = ctx.options?.allowIndefinite ?? !(ctx.options?.validateCanonical || ctx.options?.strict)
+      if (!isIndefiniteAllowed) {
+        throw new Error('Indefinite-length encoding is not allowed (strict/canonical mode)')
+      }
       isIndefinite = true
       length = 0
     } else {
@@ -593,100 +746,122 @@ export function useCborParser() {
       headerEnd
     })
 
-    // Parse map entries
-    const childPaths: string[] = []
-    const seenKeys = new Set<string>()
-
-    if (isIndefinite) {
-      while (currentOffset < ctx.buffer.length) {
-        const nextByte = readByte(ctx.buffer, currentOffset)
-        if (nextByte === 0xff) {
-          currentOffset++
-          break
-        }
+    try {
+      // Parse map entries
+      const childPaths: string[] = []
+      const seenKeys = new Set<string>()
+
+      if (isIndefinite) {
+        let count = 0
+        let foundBreak = false
+        while (currentOffset < ctx.buffer.length) {
+          const nextByte = readByte(ctx.buffer, currentOffset)
+          if (nextByte === 0xff) {
+            currentOffset++
+            foundBreak = true
+            break
+          }
+          if (ctx.options?.limits?.maxMapSize && count >= ctx.options.limits.maxMapSize) {
+            throw new Error(`Map size exceeds limit of ${ctx.options.limits.maxMapSize}`)
+          }
 
-        // Parse key with path suffix to indicate it's a key
-        const keyPath = `${path}${path ? '.' : ''}#key`
-        const keyResult = parseValueWithMap(ctx, currentOffset, keyPath, sourceMap)
-        currentOffset += keyResult.bytesRead
-
-        // For duplicate detection and path generation, stringify the key
-        const keyString = keyResult.value instanceof Uint8Array
-          ? Array.from(keyResult.value).map(b => b.toString(16).padStart(2, '0')).join('')
-          : String(keyResult.value)
-
-        // Check for duplicate keys based on dupMapKeyMode
-        if (seenKeys.has(keyString)) {
-          const mode = ctx.options?.dupMapKeyMode || 'allow'
-          if (mode === 'reject') {
-            throw new Error(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`)
-          } else if (mode === 'warn') {
-            logger.warn(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`)
+          // Parse key with path suffix to indicate it's a key
+          const keyPath = `${path}${path ? '.' : ''}#key`
+          const keyResult = parseValueWithMap(ctx, currentOffset, keyPath, sourceMap)
+          currentOffset += keyResult.bytesRead
+
+          // For duplicate detection, use semantic comparison (RFC 8949 Section 5.6)
+          const keyForDupCheck = serializeValueForComparison(keyResult.value)
+          // For path generation, use display-friendly stringification
+          const keyString = keyResult.value instanceof Uint8Array
+            ? Array.from(keyResult.value).map(b => b.toString(16).padStart(2, '0')).join('')
+            : String(keyResult.value)
+
+          // Check for duplicate keys based on dupMapKeyMode
+          if (seenKeys.has(keyForDupCheck)) {
+            const mode = ctx.options?.dupMapKeyMode || 'allow'
+            if (mode === 'reject') {
+              throw new Error(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`)
+            } else if (mode === 'warn') {
+              logger.warn(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`)
+            }
           }
+          seenKeys.add(keyForDupCheck)
+
+          // Parse value
+          const valuePath = path ? `${path}.${keyString}` : `.${keyString}`
+          childPaths.push(valuePath)
+          const valueResult = parseValueWithMap(ctx, currentOffset, valuePath, sourceMap)
+          map.set(keyResult.value, valueResult.value)
+          currentOffset += valueResult.bytesRead
+
+          // Mark value entry as child of this map
+          const valueEntry = sourceMap.find(e => e.path === valuePath)
+          if (valueEntry) {
+            valueEntry.parent = path
+          }
+
+          count++
         }
-        seenKeys.add(keyString)
-
-        // Parse value
-        const valuePath = path ? `${path}.${keyString}` : `.${keyString}`
-        childPaths.push(valuePath)
-        const valueResult = parseValueWithMap(ctx, currentOffset, valuePath, sourceMap)
-        map.set(keyResult.value, valueResult.value)
-        currentOffset += valueResult.bytesRead
-
-        // Mark value entry as child of this map
-        const valueEntry = sourceMap.find(e => e.path === valuePath)
-        if (valueEntry) {
-          valueEntry.parent = path
+        if (!foundBreak) {
+          throw new Error('Indefinite-length map missing break code (0xFF)')
         }
-      }
-    } else {
-      for (let i = 0; i < length; i++) {
-        // Parse key with path suffix to indicate it's a key
-        const keyPath = `${path}${path ? '.' : ''}#key${i}`
-        const keyResult = parseValueWithMap(ctx, currentOffset, keyPath, sourceMap)
-        currentOffset += keyResult.bytesRead
-
-        // For duplicate detection and path generation, stringify the key
-        const keyString = keyResult.value instanceof Uint8Array
-          ? Array.from(keyResult.value).map(b => b.toString(16).padStart(2, '0')).join('')
-          : String(keyResult.value)
-
-        // Check for duplicate keys based on dupMapKeyMode
-        if (seenKeys.has(keyString)) {
-          const mode = ctx.options?.dupMapKeyMode || 'allow'
-          if (mode === 'reject') {
-            throw new Error(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`)
-          } else if (mode === 'warn') {
-            logger.warn(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`)
-          }
+      } else {
+        if (ctx.options?.limits?.maxMapSize && length > ctx.options.limits.maxMapSize) {
+          throw new Error(`Map size ${length} exceeds limit of ${ctx.options.limits.maxMapSize}`)
         }
-        seenKeys.add(keyString)
-
-        // Parse value
-        const valuePath = path ? `${path}.${keyString}` : `.${keyString}`
-        childPaths.push(valuePath)
-        const valueResult = parseValueWithMap(ctx, currentOffset, valuePath, sourceMap)
-        map.set(keyResult.value, valueResult.value)
-        currentOffset += valueResult.bytesRead
-
-        // Mark value entry as child of this map
-        const valueEntry = sourceMap.find(e => e.path === valuePath)
-        if (valueEntry) {
-          valueEntry.parent = path
+        for (let i = 0; i < length; i++) {
+          // Parse key with path suffix to indicate it's a key
+          const keyPath = `${path}${path ? '.' : ''}#key${i}`
+          const keyResult = parseValueWithMap(ctx, currentOffset, keyPath, sourceMap)
+          currentOffset += keyResult.bytesRead
+
+          // For duplicate detection, use semantic comparison (RFC 8949 Section 5.6)
+          const keyForDupCheck = serializeValueForComparison(keyResult.value)
+          // For path generation, use display-friendly stringification
+          const keyString = keyResult.value instanceof Uint8Array
+            ? Array.from(keyResult.value).map(b => b.toString(16).padStart(2, '0')).join('')
+            : String(keyResult.value)
+
+          // Check for duplicate keys based on dupMapKeyMode
+          if (seenKeys.has(keyForDupCheck)) {
+            const mode = ctx.options?.dupMapKeyMode || 'allow'
+            if (mode === 'reject') {
+              throw new Error(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`)
+            } else if (mode === 'warn') {
+              logger.warn(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`)
+            }
+          }
+          seenKeys.add(keyForDupCheck)
+
+          // Parse value
+          const valuePath = path ? `${path}.${keyString}` : `.${keyString}`
+          childPaths.push(valuePath)
+          const valueResult = parseValueWithMap(ctx, currentOffset, valuePath, sourceMap)
+          map.set(keyResult.value, valueResult.value)
+          currentOffset += valueResult.bytesRead
+
+          // Mark value entry as child of this map
+          const valueEntry = sourceMap.find(e => e.path === valuePath)
+          if (valueEntry) {
+            valueEntry.parent = path
+          }
         }
       }
-    }
 
-    const bytesRead = currentOffset - offset
+      const bytesRead = currentOffset - offset
 
-    // Set children for the map entry
-    if (sourceMap[mapEntryIndex]) {
-      sourceMap[mapEntryIndex].children = childPaths
-    }
+      // Set children for the map entry
+      if (sourceMap[mapEntryIndex]) {
+        sourceMap[mapEntryIndex].children = childPaths
+      }
 
-    return {
-      value: map,
-      bytesRead
+      return {
+        value: map,
+        bytesRead
+      }
+    } finally {
+      ctx.currentDepth = previousDepth
     }
   }
 
@@ -738,6 +913,17 @@ export function useCborParser() {
     path: string,
     sourceMap: SourceMapEntry[]
   ): ParseResult => {
+    // Enforce tag nesting depth (RUSTSEC-2019-0025). The source-map path
+    // previously lacked this guard, allowing a deeply nested tag chain to
+    // overflow the call stack with an uncatchable RangeError instead of a
+    // clean error — matching the decode() path's behaviour here.
+    const previousTagDepth = ctx.currentTagDepth ?? 0
+    const maxTagDepth = ctx.options?.limits?.maxTagDepth ?? DEFAULT_LIMITS.maxTagDepth
+    if (previousTagDepth >= maxTagDepth) {
+      throw new Error(`Tag nesting depth ${previousTagDepth} exceeds limit of ${maxTagDepth}`)
+    }
+    ctx.currentTagDepth = previousTagDepth + 1
+
     const startOffset = offset
     const initialByte = readByte(ctx.buffer, offset)
     const { additionalInfo } = extractCborHeader(initialByte)
@@ -749,6 +935,11 @@ export function useCborParser() {
       additionalInfo
     )
 
+    // Enforce canonical (shortest-form) tag number encoding when requested.
+    if (ctx.options?.validateCanonical) {
+      validateCanonicalInteger(tagNumber, additionalInfo)
+    }
+
     let currentOffset = offset + 1 + bytesConsumed
     const headerEnd = currentOffset
 
@@ -781,14 +972,46 @@ export function useCborParser() {
       valueEntry.parent = path
     }
 
-    // Build TaggedValue object (call parseTag to get validation and plutus decoding)
-    const hexString = Array.from(ctx.buffer.slice(startOffset, currentOffset))
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join('')
-    const tagResult = parseTag(hexString, ctx.options)
+    // Build TaggedValue directly from already-parsed value (no re-parsing)
+    // This avoids O(D^2) complexity for nested tags (Task 2-B fix)
+    let finalValue = valueResult.value
+
+    // Handle bignum conversion (tags 2 and 3) - mirrors parseTagFromBuffer logic
+    if ((tagNumber === 2 || tagNumber === 3) && finalValue instanceof Uint8Array) {
+      const maxBignumBytes = ctx.options?.limits?.maxBignumBytes ?? DEFAULT_LIMITS.maxBignumBytes
+      if (finalValue.length > maxBignumBytes) {
+        throw new Error(
+          `Bignum (tag ${tagNumber}) size ${finalValue.length} bytes exceeds limit of ${maxBignumBytes} bytes`
+        )
+      }
+
+      // Convert bytes to BigInt (big-endian)
+      let bigintValue = 0n
+      for (let i = 0; i < finalValue.length; i++) {
+        bigintValue = (bigintValue << 8n) | BigInt(finalValue[i]!)
+      }
+
+      // Tag 2: Positive bignum, Tag 3: Negative bignum (-1 - n)
+      finalValue = tagNumber === 2 ? bigintValue : -1n - bigintValue
+    }
+
+    // Validate semantic constraints for specific tags
+    validateTagSemantics(tagNumber, finalValue, ctx.options)
+
+    // Decode Plutus constructor if applicable
+    const plutusConstr = decodePlutusConstructor(tagNumber, finalValue)
+
+    const taggedValue: TaggedValue = {
+      tag: tagNumber,
+      value: finalValue,
+      ...(plutusConstr && { plutus: plutusConstr })
+    }
+
+    // Restore tag depth so sibling tags don't accumulate against the limit.
+    ctx.currentTagDepth = previousTagDepth
 
     return {
-      value: tagResult.value,
+      value: taggedValue,
       bytesRead: currentOffset - startOffset
     }
   }
@@ -824,40 +1047,58 @@ export function useCborParser() {
    * parseSequence('')              // [] - empty sequence
    * ```
    */
-  const parseSequence = (hexString: string, options?: ParseOptions): CborValue[] => {
-    const cleanHex = hexString.replace(/\s+/g, '')
+  const parseSequence = (input: string | Uint8Array, options?: ParseOptions): CborValue[] => {
+    const mergedOptions = mergeOptions(options)
+    let buffer: Uint8Array
 
-    // Empty sequence is valid
-    if (!cleanHex || cleanHex.length === 0) {
-      return []
-    }
+    if (input instanceof Uint8Array) {
+      // Empty sequence is valid
+      if (input.length === 0) {
+        return []
+      }
+      buffer = input
+    } else {
+      const cleanHex = input.replace(/\s+/g, '')
 
-    if (cleanHex.length % 2 !== 0) {
-      throw new Error('Hex string must have even length')
-    }
+      // Empty sequence is valid
+      if (!cleanHex || cleanHex.length === 0) {
+        return []
+      }
 
-    if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
-      throw new Error(`Invalid hex character in: ${cleanHex}`)
+      if (cleanHex.length % 2 !== 0) {
+        throw new Error('Hex string must have even length')
+      }
+
+      if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
+        throw new Error(`Invalid hex character in: ${cleanHex}`)
+      }
+
+      buffer = hexToBytes(cleanHex)
     }
 
-    const mergedOptions = mergeOptions(options)
-    const buffer = hexToBytes(cleanHex)
     const results: CborValue[] = []
     let offset = 0
 
+    // Track start time for timeout enforcement across the entire sequence
+    const sequenceStartTime = mergedOptions.limits?.maxParseTime ? Date.now() : 0
+
     while (offset < buffer.length) {
+      // Check timeout on each sequence item
+      if (sequenceStartTime > 0 && mergedOptions.limits?.maxParseTime) {
+        const elapsed = Date.now() - sequenceStartTime
+        if (elapsed > mergedOptions.limits.maxParseTime) {
+          throw new Error(`Parse timeout: exceeded ${mergedOptions.limits.maxParseTime}ms limit`)
+        }
+      }
+
       // Check for break code outside indefinite context (invalid in sequence)
       const byte = readByte(buffer, offset)
       if (byte === 0xff) {
         throw new Error(`Unexpected break code (0xff) at offset ${offset} - not inside indefinite-length item`)
       }
 
-      // Parse next item from remaining hex
-      const remainingHex = Array.from(buffer.slice(offset))
-        .map(b => b.toString(16).padStart(2, '0'))
-        .join('')
-
-      const result = parse(remainingHex, mergedOptions)
+      // Parse next item directly from buffer (no hex conversion)
+      const result = dispatchFromBuffer(buffer, offset, mergedOptions)
       results.push(result.value)
       offset += result.bytesRead
     }
@@ -902,11 +1143,10 @@ export function useCborParser() {
         throw new Error(`Unexpected break code (0xff) at offset ${offset}`)
       }
 
-      const remainingHex = Array.from(buffer.slice(offset))
-        .map(b => b.toString(16).padStart(2, '0'))
-        .join('')
-
-      const result = parseWithSourceMap(remainingHex, mergedOptions)
+      // Zero-copy view of the remaining bytes (parseWithSourceMap accepts
+      // Uint8Array). Avoids the previous O(N^2) per-item hex re-encode that
+      // re-stringified the whole tail of the buffer on every sequence item.
+      const result = parseWithSourceMap(buffer.subarray(offset), mergedOptions)
 
       // Adjust source map offsets to account for sequence position
       const adjustedSourceMap = result.sourceMap.map(entry => ({