@marcuspuchalla/nachos 0.1.3 → 0.2.0

package/dist/{chunk-5A5T56JB.js → chunk-LWNWC2O7.js}

@@ -1,7 +1,16 @@
-import { useCborByteString, useCborTextString, DEFAULT_LIMITS, INDEFINITE_SYMBOL, ALL_ENTRIES_SYMBOL, DEFAULT_OPTIONS } from './chunk-ZDZ2B5PE.js';
+import { useCborByteString, useCborTextString, DEFAULT_LIMITS, INDEFINITE_SYMBOL, ALL_ENTRIES_SYMBOL, DEFAULT_OPTIONS } from './chunk-JESIF5IF.js';
 
 // src/parser/utils.ts
 var hexToBytes = (hex) => {
+  if (hex.length === 0) {
+    return new Uint8Array(0);
+  }
+  if (hex.length % 2 !== 0) {
+    throw new Error("Hex string must have even length");
+  }
+  if (!/^[0-9a-fA-F]+$/.test(hex)) {
+    throw new Error(`Invalid hex character in: ${hex}`);
+  }
   const bytes = hex.match(/.{1,2}/g);
   if (!bytes) return new Uint8Array(0);
   return new Uint8Array(bytes.map((byte) => parseInt(byte, 16)));
@@ -30,6 +39,9 @@ var readUint = (buffer, offset, length) => {
   for (let i = 0; i < length; i++) {
     result = result * 256 + readByte(buffer, offset + i);
   }
+  if (result > Number.MAX_SAFE_INTEGER) {
+    throw new Error(`Value at offset ${offset} (${length} bytes) exceeds MAX_SAFE_INTEGER; use readBigUint`);
+  }
   return result;
 };
 var readBigUint = (buffer, offset, length) => {
@@ -196,6 +208,23 @@ function compareBytes(a, b) {
   }
   return 0;
 }
+function compareBytesLexicographic(a, b) {
+  if (!a || !b) {
+    throw new Error("compareBytesLexicographic: arguments cannot be null or undefined");
+  }
+  const min = Math.min(a.length, b.length);
+  for (let i = 0; i < min; i++) {
+    const byteA = a[i];
+    const byteB = b[i];
+    if (byteA !== byteB) {
+      return byteA - byteB;
+    }
+  }
+  return a.length - b.length;
+}
+function compareMapKeys(a, b, order = "length-first") {
+  return order === "bytewise" ? compareBytesLexicographic(a, b) : compareBytes(a, b);
+}
 function serializeValueForComparison(value) {
   if (value === null) return "null";
   if (value === void 0) return "undefined";
@@ -233,9 +262,8 @@ function hasDuplicates(items) {
 
 // src/parser/composables/useCborInteger.ts
 function useCborInteger() {
-  const parseInteger = (hexString, options) => {
-    const buffer = hexToBytes(hexString);
-    const initialByte = readByte(buffer, 0);
+  const parseIntegerFromBuffer = (buffer, offset, options) => {
+    const initialByte = readByte(buffer, offset);
     const { majorType, additionalInfo } = extractCborHeader(initialByte);
     let rawValue;
     let bytesRead;
@@ -243,16 +271,16 @@ function useCborInteger() {
       rawValue = additionalInfo;
       bytesRead = 1;
     } else if (additionalInfo === 24) {
-      rawValue = readByte(buffer, 1);
+      rawValue = readByte(buffer, offset + 1);
       bytesRead = 2;
     } else if (additionalInfo === 25) {
-      rawValue = readUint(buffer, 1, 2);
+      rawValue = readUint(buffer, offset + 1, 2);
       bytesRead = 3;
     } else if (additionalInfo === 26) {
-      rawValue = readUint(buffer, 1, 4);
+      rawValue = readUint(buffer, offset + 1, 4);
       bytesRead = 5;
     } else if (additionalInfo === 27) {
-      const bigValue = readBigUint(buffer, 1, 8);
+      const bigValue = readBigUint(buffer, offset + 1, 8);
       if (bigValue <= BigInt(Number.MAX_SAFE_INTEGER)) {
         rawValue = Number(bigValue);
       } else {
@@ -292,8 +320,13 @@ function useCborInteger() {
       bytesRead
     };
   };
+  const parseInteger = (hexString, options) => {
+    const buffer = hexToBytes(hexString);
+    return parseIntegerFromBuffer(buffer, 0, options);
+  };
   return {
-    parseInteger
+    parseInteger,
+    parseIntegerFromBuffer
   };
 }
 
@@ -702,29 +735,34 @@ function useCborFloat() {
   return {
     parse,
     parseFloat,
-    parseSimple
+    parseSimple,
+    parseFromBuffer
   };
 }
 
 // src/parser/composables/useCborTag.ts
 function useCborTag() {
-  const { parseInteger } = useCborInteger();
+  const { parseIntegerFromBuffer } = useCborInteger();
   const { parseByteString, parseTextString } = useCborString();
-  const { parseFloat, parseSimple } = useCborFloat();
+  const { parseFromBuffer: parseFloatOrSimpleFromBuffer } = useCborFloat();
+  let parseStartTime = 0;
   const parseItem = (buffer, offset, options, tagDepth = 0, collectionDepth = 0) => {
+    if (parseStartTime > 0 && options?.limits?.maxParseTime) {
+      const elapsed = Date.now() - parseStartTime;
+      if (elapsed > options.limits.maxParseTime) {
+        throw new Error(`Parse timeout: exceeded ${options.limits.maxParseTime}ms limit`);
+      }
+    }
     if (offset >= buffer.length) {
       throw new Error(`Unexpected end of buffer at offset ${offset}`);
     }
     const initialByte = readByte(buffer, offset);
-    const { majorType, additionalInfo } = extractCborHeader(initialByte);
+    const { majorType } = extractCborHeader(initialByte);
     switch (majorType) {
       case 0:
       // Unsigned integer
-      case 1: {
-        const intHex = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-        const result = parseInteger(intHex, options);
-        return { value: result.value, bytesRead: result.bytesRead };
-      }
+      case 1:
+        return parseIntegerFromBuffer(buffer, offset, options);
       case 2:
         return parseByteString(buffer, offset, options);
       case 3:
@@ -735,16 +773,8 @@ function useCborTag() {
         return parseMapInternal(buffer, offset, options, collectionDepth);
       case 6:
         return parseTagFromBuffer(buffer, offset, options, tagDepth);
-      case 7: {
-        const simpleHex = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-        if (additionalInfo >= 25 && additionalInfo <= 27) {
-          const result = parseFloat(simpleHex, options);
-          return { value: result.value, bytesRead: result.bytesRead };
-        } else {
-          const result = parseSimple(simpleHex, options);
-          return { value: result.value, bytesRead: result.bytesRead };
-        }
-      }
+      case 7:
+        return parseFloatOrSimpleFromBuffer(buffer, offset, options);
       default:
         throw new Error(`Unknown major type: ${majorType}`);
     }
@@ -1008,11 +1038,11 @@ function useCborTag() {
         if (value.length !== 2) {
           throw new Error(`Tag 4 (decimal fraction) array must have exactly 2 elements [exponent, mantissa], got ${value.length}`);
         }
-        if (typeof value[0] !== "number" && typeof value[0] !== "bigint") {
-          throw new Error(`Tag 4 (decimal fraction) exponent must be an integer, got ${typeof value[0]}`);
+        if (typeof value[0] !== "number" && typeof value[0] !== "bigint" || typeof value[0] === "number" && !Number.isInteger(value[0])) {
+          throw new Error(`Tag 4 (decimal fraction) exponent must be an integer, got ${value[0]}`);
         }
-        if (typeof value[1] !== "number" && typeof value[1] !== "bigint") {
-          throw new Error(`Tag 4 (decimal fraction) mantissa must be an integer, got ${typeof value[1]}`);
+        if (typeof value[1] !== "number" && typeof value[1] !== "bigint" || typeof value[1] === "number" && !Number.isInteger(value[1])) {
+          throw new Error(`Tag 4 (decimal fraction) mantissa must be an integer, got ${value[1]}`);
         }
         break;
       case 5:
@@ -1023,11 +1053,11 @@ function useCborTag() {
         if (value.length !== 2) {
           throw new Error(`Tag 5 (bigfloat) array must have exactly 2 elements [exponent, mantissa], got ${value.length}`);
         }
-        if (typeof value[0] !== "number" && typeof value[0] !== "bigint") {
-          throw new Error(`Tag 5 (bigfloat) exponent must be an integer, got ${typeof value[0]}`);
+        if (typeof value[0] !== "number" && typeof value[0] !== "bigint" || typeof value[0] === "number" && !Number.isInteger(value[0])) {
+          throw new Error(`Tag 5 (bigfloat) exponent must be an integer, got ${value[0]}`);
         }
-        if (typeof value[1] !== "number" && typeof value[1] !== "bigint") {
-          throw new Error(`Tag 5 (bigfloat) mantissa must be an integer, got ${typeof value[1]}`);
+        if (typeof value[1] !== "number" && typeof value[1] !== "bigint" || typeof value[1] === "number" && !Number.isInteger(value[1])) {
+          throw new Error(`Tag 5 (bigfloat) mantissa must be an integer, got ${value[1]}`);
         }
         break;
       case 32:
@@ -1192,6 +1222,9 @@ function useCborTag() {
       throw new Error(`Tag nesting depth ${tagDepth} exceeds limit of ${maxTagDepth}`);
     }
     const { tagNumber, bytesConsumed } = parseTagNumber(buffer, offset + 1, additionalInfo);
+    if (options?.validateCanonical) {
+      validateCanonicalInteger(tagNumber, additionalInfo);
+    }
     let currentOffset = offset + 1 + bytesConsumed;
     if (currentOffset >= buffer.length) {
       throw new Error(`Unexpected end of buffer after tag ${tagNumber}`);
@@ -1231,12 +1264,25 @@ function useCborTag() {
   const parseTag = (hexString, options) => {
     const cleanHex = hexString.replace(/\s+/g, "");
     const buffer = hexToBytes(cleanHex);
-    return parseTagFromBuffer(buffer, 0, options);
+    const isTopLevel = parseStartTime === 0;
+    if (isTopLevel && options?.limits?.maxParseTime) {
+      parseStartTime = Date.now();
+    }
+    try {
+      return parseTagFromBuffer(buffer, 0, options);
+    } finally {
+      if (isTopLevel) {
+        parseStartTime = 0;
+      }
+    }
   };
   const parse = parseTag;
   return {
     parseTag,
-    parse
+    parse,
+    parseTagFromBuffer,
+    validateTagSemantics,
+    decodePlutusConstructor
   };
 }
 
@@ -1295,17 +1341,18 @@ var logger = {
 
 // src/parser/composables/useCborCollection.ts
 function useCborCollection() {
-  const { parseInteger } = useCborInteger();
+  const { parseIntegerFromBuffer } = useCborInteger();
   const { parseByteString, parseTextString } = useCborString();
-  const { parse: parseFloatOrSimple } = useCborFloat();
-  const { parseTag } = useCborTag();
-  const convertKeyToString = (key) => {
-    if (key instanceof Uint8Array) {
-      return bytesToHex(key);
-    }
-    return String(key);
-  };
+  const { parseFromBuffer: parseFloatOrSimpleFromBuffer } = useCborFloat();
+  const { parseTagFromBuffer } = useCborTag();
+  let parseStartTime = 0;
   const parseItem = (buffer, offset, options, depth = 0) => {
+    if (parseStartTime > 0 && options?.limits?.maxParseTime) {
+      const elapsed = Date.now() - parseStartTime;
+      if (elapsed > options.limits.maxParseTime) {
+        throw new Error(`Parse timeout: exceeded ${options.limits.maxParseTime}ms limit`);
+      }
+    }
     if (offset >= buffer.length) {
       throw new Error(`Unexpected end of buffer at offset ${offset}`);
     }
@@ -1314,11 +1361,8 @@ function useCborCollection() {
     switch (majorType) {
       case 0:
       // Unsigned integer
-      case 1: {
-        const intHex = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-        const result = parseInteger(intHex, options);
-        return { value: result.value, bytesRead: result.bytesRead };
-      }
+      case 1:
+        return parseIntegerFromBuffer(buffer, offset, options);
       case 2:
         return parseByteString(buffer, offset, options);
       case 3:
@@ -1327,16 +1371,10 @@ function useCborCollection() {
         return parseArrayFromBuffer(buffer, offset, options, depth);
       case 5:
         return parseMapFromBuffer(buffer, offset, options, depth);
-      case 6: {
-        const tagHex = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-        const result = parseTag(tagHex, options);
-        return { value: result.value, bytesRead: result.bytesRead };
-      }
-      case 7: {
-        const floatHex = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-        const result = parseFloatOrSimple(floatHex, options);
-        return { value: result.value, bytesRead: result.bytesRead };
-      }
+      case 6:
+        return parseTagFromBuffer(buffer, offset, options);
+      case 7:
+        return parseFloatOrSimpleFromBuffer(buffer, offset, options);
       default:
         throw new Error(`Unknown major type: ${majorType}`);
     }
@@ -1478,7 +1516,7 @@ function useCborCollection() {
         }
         const valueResult = parseItem(buffer, currentOffset, options, depth + 1);
         currentOffset += valueResult.bytesRead;
-        const keyString = convertKeyToString(keyResult.value);
+        const keyString = serializeValueForComparison(keyResult.value);
         if (seenKeys.has(keyString)) {
           const mode = options?.dupMapKeyMode || "allow";
           if (mode === "reject") {
@@ -1516,7 +1554,7 @@ function useCborCollection() {
         }
         const valueResult = parseItem(buffer, currentOffset, options, depth + 1);
         currentOffset += valueResult.bytesRead;
-        const keyString = convertKeyToString(keyResult.value);
+        const keyString = serializeValueForComparison(keyResult.value);
         if (seenKeys.has(keyString)) {
           const mode = options?.dupMapKeyMode || "allow";
           if (mode === "reject") {
@@ -1532,14 +1570,15 @@ function useCborCollection() {
     }
     map[ALL_ENTRIES_SYMBOL] = allEntries;
     if (options?.validateCanonical && keyBytes.length > 1) {
+      const keyOrder = options?.mapKeyOrder ?? "length-first";
       for (let i = 1; i < keyBytes.length; i++) {
         const prevKey = keyBytes[i - 1];
         const currKey = keyBytes[i];
         if (prevKey && currKey) {
-          const cmp = compareBytes(prevKey, currKey);
+          const cmp = compareMapKeys(prevKey, currKey, keyOrder);
           if (cmp > 0) {
             throw new Error(
-              `Map keys are not in canonical order: key at index ${i} should come before key at index ${i - 1}`
+              `Map keys are not in canonical order (${keyOrder}): key at index ${i} should come before key at index ${i - 1}`
             );
           }
           if (cmp === 0) {
@@ -1556,12 +1595,26 @@ function useCborCollection() {
   const parseArray = (hexString, options) => {
     const cleanHex = hexString.replace(/\s+/g, "");
     const buffer = hexToBytes(cleanHex);
-    return parseArrayFromBuffer(buffer, 0, options, 0);
+    if (options?.limits?.maxParseTime) {
+      parseStartTime = Date.now();
+    }
+    try {
+      return parseArrayFromBuffer(buffer, 0, options, 0);
+    } finally {
+      parseStartTime = 0;
+    }
   };
   const parseMap = (hexString, options) => {
     const cleanHex = hexString.replace(/\s+/g, "");
     const buffer = hexToBytes(cleanHex);
-    return parseMapFromBuffer(buffer, 0, options, 0);
+    if (options?.limits?.maxParseTime) {
+      parseStartTime = Date.now();
+    }
+    try {
+      return parseMapFromBuffer(buffer, 0, options, 0);
+    } finally {
+      parseStartTime = 0;
+    }
   };
   return {
     parseArray,
@@ -1585,6 +1638,9 @@ function useCborParser() {
       validateSetUniqueness: options.validateSetUniqueness ?? (options.strict ? true : DEFAULT_OPTIONS.validateSetUniqueness),
       validateTagSemantics: options.validateTagSemantics ?? (options.strict ? true : DEFAULT_OPTIONS.validateTagSemantics),
       validatePlutusSemantics: options.validatePlutusSemantics ?? (options.strict ? true : DEFAULT_OPTIONS.validatePlutusSemantics),
+      mapKeyOrder: options.mapKeyOrder ?? DEFAULT_OPTIONS.mapKeyOrder,
+      // Strict mode rejects trailing data after the top-level item (well-formedness).
+      allowTrailingData: options.allowTrailingData ?? (options.strict ? false : DEFAULT_OPTIONS.allowTrailingData),
       limits: {
         maxInputSize: options.limits?.maxInputSize ?? DEFAULT_LIMITS.maxInputSize,
         maxOutputSize: options.limits?.maxOutputSize ?? DEFAULT_LIMITS.maxOutputSize,
@@ -1605,13 +1661,25 @@ function useCborParser() {
       throw new Error(`Parse timeout: exceeded ${ctx.options.limits.maxParseTime}ms limit (elapsed: ${elapsed}ms)`);
     }
   };
-  const { parseInteger } = useCborInteger();
-  const { parseString } = useCborString();
+  const { parseInteger, parseIntegerFromBuffer: integerFromBuffer } = useCborInteger();
+  const { parseString, parseByteString: byteStringFromBuffer, parseTextString: textStringFromBuffer } = useCborString();
   const { parseArray, parseMap } = useCborCollection();
-  const { parseTag } = useCborTag();
-  const { parse: parseFloatOrSimple } = useCborFloat();
-  const parse = (hexString, options) => {
-    const cleanHex = hexString.replace(/\s+/g, "");
+  const { parseTag, validateTagSemantics, decodePlutusConstructor } = useCborTag();
+  const { parse: parseFloatOrSimple, parseFromBuffer: floatOrSimpleFromBuffer } = useCborFloat();
+  const parse = (input, options) => {
+    const mergedOptions = mergeOptions(options);
+    if (input instanceof Uint8Array) {
+      if (input.length === 0) {
+        throw new Error("Empty input");
+      }
+      if (mergedOptions.limits?.maxInputSize && input.length > mergedOptions.limits.maxInputSize) {
+        throw new Error(`Input size ${input.length} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`);
+      }
+      const bufResult = dispatchFromBuffer(input, 0, mergedOptions);
+      checkTrailingData(bufResult.bytesRead, input.length, mergedOptions);
+      return bufResult;
+    }
+    const cleanHex = input.replace(/\s+/g, "");
     if (!cleanHex || cleanHex.length === 0) {
       throw new Error("Empty hex string");
     }
@@ -1621,7 +1689,6 @@ function useCborParser() {
     if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
       throw new Error(`Invalid hex character in: ${cleanHex}`);
     }
-    const mergedOptions = mergeOptions(options);
     const inputSize = cleanHex.length / 2;
     if (mergedOptions.limits?.maxInputSize && inputSize > mergedOptions.limits.maxInputSize) {
       throw new Error(`Input size ${inputSize} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`);
@@ -1629,47 +1696,77 @@ function useCborParser() {
     const buffer = hexToBytes(cleanHex);
     const initialByte = readByte(buffer, 0);
     const { majorType } = extractCborHeader(initialByte);
+    let result;
     switch (majorType) {
       case 0:
       // Unsigned integer
       case 1:
-        return parseInteger(cleanHex, mergedOptions);
+        result = parseInteger(cleanHex, mergedOptions);
+        break;
       case 2:
       // Byte string
       case 3:
-        return parseString(cleanHex, mergedOptions);
+        result = parseString(cleanHex, mergedOptions);
+        break;
       case 4:
-        return parseArray(cleanHex, mergedOptions);
+        result = parseArray(cleanHex, mergedOptions);
+        break;
       case 5:
-        return parseMap(cleanHex, mergedOptions);
+        result = parseMap(cleanHex, mergedOptions);
+        break;
       case 6:
-        return parseTag(cleanHex, mergedOptions);
+        result = parseTag(cleanHex, mergedOptions);
+        break;
       case 7:
-        return parseFloatOrSimple(cleanHex, mergedOptions);
+        result = parseFloatOrSimple(cleanHex, mergedOptions);
+        break;
       default:
         throw new Error(`Unknown major type: ${majorType}`);
     }
+    checkTrailingData(result.bytesRead, buffer.length, mergedOptions);
+    return result;
   };
-  const parseWithSourceMap = (hexString, options) => {
-    const cleanHex = hexString.replace(/\s+/g, "");
-    if (!cleanHex || cleanHex.length === 0) {
-      throw new Error("Empty hex string");
-    }
-    if (cleanHex.length % 2 !== 0) {
-      throw new Error("Hex string must have even length");
-    }
-    if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
-      throw new Error(`Invalid hex character in: ${cleanHex}`);
+  const checkTrailingData = (bytesRead, totalLength, opts) => {
+    if (!opts.allowTrailingData && bytesRead < totalLength) {
+      throw new Error(
+        `Trailing data: ${totalLength - bytesRead} byte(s) remain after the top-level CBOR item (bytesRead=${bytesRead}, length=${totalLength}). Use parseSequence to decode multiple items.`
+      );
     }
+  };
+  const parseWithSourceMap = (input, options) => {
     const mergedOptions = mergeOptions(options);
-    const inputSize = cleanHex.length / 2;
-    if (mergedOptions.limits?.maxInputSize && inputSize > mergedOptions.limits.maxInputSize) {
-      throw new Error(`Input size ${inputSize} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`);
+    let buffer;
+    if (input instanceof Uint8Array) {
+      if (input.length === 0) {
+        throw new Error("Empty input");
+      }
+      if (mergedOptions.limits?.maxInputSize && input.length > mergedOptions.limits.maxInputSize) {
+        throw new Error(`Input size ${input.length} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`);
+      }
+      buffer = input;
+    } else {
+      const cleanHex = input.replace(/\s+/g, "");
+      if (!cleanHex || cleanHex.length === 0) {
+        throw new Error("Empty hex string");
+      }
+      if (cleanHex.length % 2 !== 0) {
+        throw new Error("Hex string must have even length");
+      }
+      if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
+        throw new Error(`Invalid hex character in: ${cleanHex}`);
+      }
+      const inputSize = cleanHex.length / 2;
+      if (mergedOptions.limits?.maxInputSize && inputSize > mergedOptions.limits.maxInputSize) {
+        throw new Error(`Input size ${inputSize} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`);
+      }
+      buffer = hexToBytes(cleanHex);
     }
-    const buffer = hexToBytes(cleanHex);
     const sourceMap = [];
     const ctx = {
       buffer,
+      offset: 0,
+      sourceMap,
+      currentDepth: 0,
       startTime: Date.now(),
       bytesAllocated: 0,
       options: mergedOptions
@@ -1812,19 +1909,57 @@ function useCborParser() {
     }
     return result;
   };
+  const dispatchFromBuffer = (buffer, offset, options) => {
+    const initialByte = readByte(buffer, offset);
+    const { majorType } = extractCborHeader(initialByte);
+    switch (majorType) {
+      case 0:
+      // Unsigned integer
+      case 1:
+        return integerFromBuffer(buffer, offset, options);
+      case 2:
+        return byteStringFromBuffer(buffer, offset, options);
+      case 3:
+        return textStringFromBuffer(buffer, offset, options);
+      case 4: {
+        const hexString = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
+        return parseArray(hexString, options);
+      }
+      case 5: {
+        const hexString = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
+        return parseMap(hexString, options);
+      }
+      case 6: {
+        const hexString = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
+        return parseTag(hexString, options);
+      }
+      case 7:
+        return floatOrSimpleFromBuffer(buffer, offset, options);
+      default:
+        throw new Error(`Unknown major type: ${majorType}`);
+    }
+  };
   const parseIntegerFromBuffer = (buffer, offset, options) => {
-    const hexString = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-    return parseInteger(hexString, options);
+    return integerFromBuffer(buffer, offset, options);
   };
   const parseStringFromBuffer = (buffer, offset, options) => {
-    const hexString = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-    return parseString(hexString, options);
+    const initialByte = readByte(buffer, offset);
+    const { majorType } = extractCborHeader(initialByte);
+    if (majorType === 2) {
+      return byteStringFromBuffer(buffer, offset, options);
+    }
+    return textStringFromBuffer(buffer, offset, options);
   };
   const parseFloatFromBuffer = (buffer, offset, options) => {
-    const hexString = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-    return parseFloatOrSimple(hexString, options);
+    return floatOrSimpleFromBuffer(buffer, offset, options);
   };
   const parseArrayWithMap = (ctx, offset, path, sourceMap) => {
+    const previousDepth = ctx.currentDepth ?? 0;
+    const maxDepth = ctx.options?.limits?.maxDepth;
+    if (maxDepth !== void 0 && previousDepth >= maxDepth) {
+      throw new Error(`Maximum nesting depth ${maxDepth} exceeded`);
+    }
+    ctx.currentDepth = previousDepth + 1;
     const startOffset = offset;
     const initialByte = readByte(ctx.buffer, offset);
     const { additionalInfo } = extractCborHeader(initialByte);
@@ -1851,6 +1986,10 @@ function useCborParser() {
       length = Number(bigLength);
       currentOffset += 8;
     } else if (additionalInfo === 31) {
+      const isIndefiniteAllowed = ctx.options?.allowIndefinite ?? !(ctx.options?.validateCanonical || ctx.options?.strict);
+      if (!isIndefiniteAllowed) {
+        throw new Error("Indefinite-length encoding is not allowed (strict/canonical mode)");
+      }
       isIndefinite = true;
       length = 0;
     } else {
@@ -1867,49 +2006,70 @@ function useCborParser() {
       isHeader: true,
       headerEnd
     });
-    const childPaths = [];
-    if (isIndefinite) {
-      let index = 0;
-      while (currentOffset < ctx.buffer.length) {
-        const nextByte = readByte(ctx.buffer, currentOffset);
-        if (nextByte === 255) {
-          currentOffset++;
-          break;
+    try {
+      const childPaths = [];
+      if (isIndefinite) {
+        let index = 0;
+        let foundBreak = false;
+        while (currentOffset < ctx.buffer.length) {
+          const nextByte = readByte(ctx.buffer, currentOffset);
+          if (nextByte === 255) {
+            currentOffset++;
+            foundBreak = true;
+            break;
+          }
+          if (ctx.options?.limits?.maxArrayLength && index >= ctx.options.limits.maxArrayLength) {
+            throw new Error(`Array length exceeds limit of ${ctx.options.limits.maxArrayLength}`);
+          }
+          const elementPath = `${path}[${index}]`;
+          childPaths.push(elementPath);
+          const elementResult = parseValueWithMap(ctx, currentOffset, elementPath, sourceMap);
+          items.push(elementResult.value);
+          currentOffset += elementResult.bytesRead;
+          const elementEntry = sourceMap.find((e) => e.path === elementPath);
+          if (elementEntry) {
+            elementEntry.parent = path;
+          }
+          index++;
         }
-        const elementPath = `${path}[${index}]`;
-        childPaths.push(elementPath);
-        const elementResult = parseValueWithMap(ctx, currentOffset, elementPath, sourceMap);
-        items.push(elementResult.value);
-        currentOffset += elementResult.bytesRead;
-        const elementEntry = sourceMap.find((e) => e.path === elementPath);
-        if (elementEntry) {
-          elementEntry.parent = path;
+        if (!foundBreak) {
+          throw new Error("Indefinite-length array missing break code (0xFF)");
         }
-        index++;
-      }
-    } else {
-      for (let i = 0; i < length; i++) {
-        const elementPath = `${path}[${i}]`;
-        childPaths.push(elementPath);
-        const elementResult = parseValueWithMap(ctx, currentOffset, elementPath, sourceMap);
-        items.push(elementResult.value);
-        currentOffset += elementResult.bytesRead;
-        const elementEntry = sourceMap.find((e) => e.path === elementPath);
-        if (elementEntry) {
-          elementEntry.parent = path;
+      } else {
+        if (ctx.options?.limits?.maxArrayLength && length > ctx.options.limits.maxArrayLength) {
+          throw new Error(`Array length ${length} exceeds limit of ${ctx.options.limits.maxArrayLength}`);
+        }
+        for (let i = 0; i < length; i++) {
+          const elementPath = `${path}[${i}]`;
+          childPaths.push(elementPath);
+          const elementResult = parseValueWithMap(ctx, currentOffset, elementPath, sourceMap);
+          items.push(elementResult.value);
+          currentOffset += elementResult.bytesRead;
+          const elementEntry = sourceMap.find((e) => e.path === elementPath);
+          if (elementEntry) {
+            elementEntry.parent = path;
+          }
         }
       }
+      const bytesRead = currentOffset - offset;
+      if (childPaths.length > 0 && sourceMap[arrayEntryIndex]) {
+        sourceMap[arrayEntryIndex].children = childPaths;
+      }
+      return {
+        value: items,
+        bytesRead
+      };
+    } finally {
+      ctx.currentDepth = previousDepth;
     }
-    const bytesRead = currentOffset - offset;
-    if (childPaths.length > 0 && sourceMap[arrayEntryIndex]) {
-      sourceMap[arrayEntryIndex].children = childPaths;
-    }
-    return {
-      value: items,
-      bytesRead
-    };
   };
   const parseMapWithMap = (ctx, offset, path, sourceMap) => {
+    const previousDepth = ctx.currentDepth ?? 0;
+    const maxDepth = ctx.options?.limits?.maxDepth;
+    if (maxDepth !== void 0 && previousDepth >= maxDepth) {
+      throw new Error(`Maximum nesting depth ${maxDepth} exceeded`);
+    }
+    ctx.currentDepth = previousDepth + 1;
     const startOffset = offset;
     const initialByte = readByte(ctx.buffer, offset);
     const { additionalInfo } = extractCborHeader(initialByte);
@@ -1936,6 +2096,10 @@ function useCborParser() {
       length = Number(bigLength);
       currentOffset += 8;
     } else if (additionalInfo === 31) {
+      const isIndefiniteAllowed = ctx.options?.allowIndefinite ?? !(ctx.options?.validateCanonical || ctx.options?.strict);
+      if (!isIndefiniteAllowed) {
+        throw new Error("Indefinite-length encoding is not allowed (strict/canonical mode)");
+      }
       isIndefinite = true;
       length = 0;
     } else {
@@ -1952,72 +2116,91 @@ function useCborParser() {
       isHeader: true,
       headerEnd
     });
-    const childPaths = [];
-    const seenKeys = /* @__PURE__ */ new Set();
-    if (isIndefinite) {
-      while (currentOffset < ctx.buffer.length) {
-        const nextByte = readByte(ctx.buffer, currentOffset);
-        if (nextByte === 255) {
-          currentOffset++;
-          break;
-        }
-        const keyPath = `${path}${path ? "." : ""}#key`;
-        const keyResult = parseValueWithMap(ctx, currentOffset, keyPath, sourceMap);
-        currentOffset += keyResult.bytesRead;
-        const keyString = keyResult.value instanceof Uint8Array ? Array.from(keyResult.value).map((b) => b.toString(16).padStart(2, "0")).join("") : String(keyResult.value);
-        if (seenKeys.has(keyString)) {
-          const mode = ctx.options?.dupMapKeyMode || "allow";
-          if (mode === "reject") {
-            throw new Error(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`);
-          } else if (mode === "warn") {
-            logger.warn(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`);
+    try {
+      const childPaths = [];
+      const seenKeys = /* @__PURE__ */ new Set();
+      if (isIndefinite) {
+        let count = 0;
+        let foundBreak = false;
+        while (currentOffset < ctx.buffer.length) {
+          const nextByte = readByte(ctx.buffer, currentOffset);
+          if (nextByte === 255) {
+            currentOffset++;
+            foundBreak = true;
+            break;
+          }
+          if (ctx.options?.limits?.maxMapSize && count >= ctx.options.limits.maxMapSize) {
+            throw new Error(`Map size exceeds limit of ${ctx.options.limits.maxMapSize}`);
+          }
+          const keyPath = `${path}${path ? "." : ""}#key`;
+          const keyResult = parseValueWithMap(ctx, currentOffset, keyPath, sourceMap);
+          currentOffset += keyResult.bytesRead;
+          const keyForDupCheck = serializeValueForComparison(keyResult.value);
+          const keyString = keyResult.value instanceof Uint8Array ? Array.from(keyResult.value).map((b) => b.toString(16).padStart(2, "0")).join("") : String(keyResult.value);
+          if (seenKeys.has(keyForDupCheck)) {
+            const mode = ctx.options?.dupMapKeyMode || "allow";
+            if (mode === "reject") {
+              throw new Error(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`);
+            } else if (mode === "warn") {
+              logger.warn(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`);
+            }
           }
+          seenKeys.add(keyForDupCheck);
+          const valuePath = path ? `${path}.${keyString}` : `.${keyString}`;
+          childPaths.push(valuePath);
+          const valueResult = parseValueWithMap(ctx, currentOffset, valuePath, sourceMap);
+          map.set(keyResult.value, valueResult.value);
+          currentOffset += valueResult.bytesRead;
+          const valueEntry = sourceMap.find((e) => e.path === valuePath);
+          if (valueEntry) {
+            valueEntry.parent = path;
+          }
+          count++;
         }
-        seenKeys.add(keyString);
-        const valuePath = path ? `${path}.${keyString}` : `.${keyString}`;
-        childPaths.push(valuePath);
-        const valueResult = parseValueWithMap(ctx, currentOffset, valuePath, sourceMap);
-        map.set(keyResult.value, valueResult.value);
-        currentOffset += valueResult.bytesRead;
-        const valueEntry = sourceMap.find((e) => e.path === valuePath);
-        if (valueEntry) {
-          valueEntry.parent = path;
+        if (!foundBreak) {
+          throw new Error("Indefinite-length map missing break code (0xFF)");
         }
-      }
-    } else {
-      for (let i = 0; i < length; i++) {
-        const keyPath = `${path}${path ? "." : ""}#key${i}`;
-        const keyResult = parseValueWithMap(ctx, currentOffset, keyPath, sourceMap);
-        currentOffset += keyResult.bytesRead;
-        const keyString = keyResult.value instanceof Uint8Array ? Array.from(keyResult.value).map((b) => b.toString(16).padStart(2, "0")).join("") : String(keyResult.value);
-        if (seenKeys.has(keyString)) {
-          const mode = ctx.options?.dupMapKeyMode || "allow";
-          if (mode === "reject") {
-            throw new Error(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`);
-          } else if (mode === "warn") {
-            logger.warn(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`);
+      } else {
+        if (ctx.options?.limits?.maxMapSize && length > ctx.options.limits.maxMapSize) {
+          throw new Error(`Map size ${length} exceeds limit of ${ctx.options.limits.maxMapSize}`);
+        }
+        for (let i = 0; i < length; i++) {
+          const keyPath = `${path}${path ? "." : ""}#key${i}`;
+          const keyResult = parseValueWithMap(ctx, currentOffset, keyPath, sourceMap);
+          currentOffset += keyResult.bytesRead;
+          const keyForDupCheck = serializeValueForComparison(keyResult.value);
+          const keyString = keyResult.value instanceof Uint8Array ? Array.from(keyResult.value).map((b) => b.toString(16).padStart(2, "0")).join("") : String(keyResult.value);
+          if (seenKeys.has(keyForDupCheck)) {
+            const mode = ctx.options?.dupMapKeyMode || "allow";
+            if (mode === "reject") {
+              throw new Error(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`);
+            } else if (mode === "warn") {
+              logger.warn(`Duplicate map key detected: ${keyString} at offset ${currentOffset}`);
+            }
+          }
+          seenKeys.add(keyForDupCheck);
+          const valuePath = path ? `${path}.${keyString}` : `.${keyString}`;
+          childPaths.push(valuePath);
+          const valueResult = parseValueWithMap(ctx, currentOffset, valuePath, sourceMap);
+          map.set(keyResult.value, valueResult.value);
+          currentOffset += valueResult.bytesRead;
+          const valueEntry = sourceMap.find((e) => e.path === valuePath);
+          if (valueEntry) {
+            valueEntry.parent = path;
           }
-        }
-        seenKeys.add(keyString);
-        const valuePath = path ? `${path}.${keyString}` : `.${keyString}`;
-        childPaths.push(valuePath);
-        const valueResult = parseValueWithMap(ctx, currentOffset, valuePath, sourceMap);
-        map.set(keyResult.value, valueResult.value);
-        currentOffset += valueResult.bytesRead;
-        const valueEntry = sourceMap.find((e) => e.path === valuePath);
-        if (valueEntry) {
-          valueEntry.parent = path;
         }
       }
+      const bytesRead = currentOffset - offset;
+      if (sourceMap[mapEntryIndex]) {
+        sourceMap[mapEntryIndex].children = childPaths;
+      }
+      return {
+        value: map,
+        bytesRead
+      };
+    } finally {
+      ctx.currentDepth = previousDepth;
     }
-    const bytesRead = currentOffset - offset;
-    if (sourceMap[mapEntryIndex]) {
-      sourceMap[mapEntryIndex].children = childPaths;
-    }
-    return {
-      value: map,
-      bytesRead
-    };
   };
   const parseTagNumberHelper = (buffer, offset, ai) => {
     if (ai < 24) {
@@ -2045,6 +2228,12 @@ function useCborParser() {
     }
   };
   const parseTagWithMap = (ctx, offset, path, sourceMap) => {
+    const previousTagDepth = ctx.currentTagDepth ?? 0;
+    const maxTagDepth = ctx.options?.limits?.maxTagDepth ?? DEFAULT_LIMITS.maxTagDepth;
+    if (previousTagDepth >= maxTagDepth) {
+      throw new Error(`Tag nesting depth ${previousTagDepth} exceeds limit of ${maxTagDepth}`);
+    }
+    ctx.currentTagDepth = previousTagDepth + 1;
     const startOffset = offset;
     const initialByte = readByte(ctx.buffer, offset);
     const { additionalInfo } = extractCborHeader(initialByte);
@@ -2053,6 +2242,9 @@ function useCborParser() {
       offset + 1,
       additionalInfo
     );
+    if (ctx.options?.validateCanonical) {
+      validateCanonicalInteger(tagNumber, additionalInfo);
+    }
     let currentOffset = offset + 1 + bytesConsumed;
     const headerEnd = currentOffset;
     const tagEntryIndex = sourceMap.length;
@@ -2076,10 +2268,30 @@ function useCborParser() {
     if (valueEntry) {
       valueEntry.parent = path;
     }
-    const hexString = Array.from(ctx.buffer.slice(startOffset, currentOffset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-    const tagResult = parseTag(hexString, ctx.options);
+    let finalValue = valueResult.value;
+    if ((tagNumber === 2 || tagNumber === 3) && finalValue instanceof Uint8Array) {
+      const maxBignumBytes = ctx.options?.limits?.maxBignumBytes ?? DEFAULT_LIMITS.maxBignumBytes;
+      if (finalValue.length > maxBignumBytes) {
+        throw new Error(
+          `Bignum (tag ${tagNumber}) size ${finalValue.length} bytes exceeds limit of ${maxBignumBytes} bytes`
+        );
+      }
+      let bigintValue = 0n;
+      for (let i = 0; i < finalValue.length; i++) {
+        bigintValue = bigintValue << 8n | BigInt(finalValue[i]);
+      }
+      finalValue = tagNumber === 2 ? bigintValue : -1n - bigintValue;
+    }
+    validateTagSemantics(tagNumber, finalValue, ctx.options);
+    const plutusConstr = decodePlutusConstructor(tagNumber, finalValue);
+    const taggedValue = {
+      tag: tagNumber,
+      value: finalValue,
+      ...plutusConstr && { plutus: plutusConstr }
+    };
+    ctx.currentTagDepth = previousTagDepth;
     return {
-      value: tagResult.value,
+      value: taggedValue,
       bytesRead: currentOffset - startOffset
     };
   };
@@ -2094,28 +2306,42 @@ function useCborParser() {
     if (ai < 20) return `Simple Value ${ai}`;
     return "Simple Value";
   };
-  const parseSequence = (hexString, options) => {
-    const cleanHex = hexString.replace(/\s+/g, "");
-    if (!cleanHex || cleanHex.length === 0) {
-      return [];
-    }
-    if (cleanHex.length % 2 !== 0) {
-      throw new Error("Hex string must have even length");
-    }
-    if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
-      throw new Error(`Invalid hex character in: ${cleanHex}`);
-    }
+  const parseSequence = (input, options) => {
     const mergedOptions = mergeOptions(options);
-    const buffer = hexToBytes(cleanHex);
+    let buffer;
+    if (input instanceof Uint8Array) {
+      if (input.length === 0) {
+        return [];
+      }
+      buffer = input;
+    } else {
+      const cleanHex = input.replace(/\s+/g, "");
+      if (!cleanHex || cleanHex.length === 0) {
+        return [];
+      }
+      if (cleanHex.length % 2 !== 0) {
+        throw new Error("Hex string must have even length");
+      }
+      if (!/^[0-9a-fA-F]+$/.test(cleanHex)) {
+        throw new Error(`Invalid hex character in: ${cleanHex}`);
+      }
+      buffer = hexToBytes(cleanHex);
+    }
     const results = [];
     let offset = 0;
+    const sequenceStartTime = mergedOptions.limits?.maxParseTime ? Date.now() : 0;
     while (offset < buffer.length) {
+      if (sequenceStartTime > 0 && mergedOptions.limits?.maxParseTime) {
+        const elapsed = Date.now() - sequenceStartTime;
+        if (elapsed > mergedOptions.limits.maxParseTime) {
+          throw new Error(`Parse timeout: exceeded ${mergedOptions.limits.maxParseTime}ms limit`);
+        }
+      }
       const byte = readByte(buffer, offset);
       if (byte === 255) {
         throw new Error(`Unexpected break code (0xff) at offset ${offset} - not inside indefinite-length item`);
       }
-      const remainingHex = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-      const result = parse(remainingHex, mergedOptions);
+      const result = dispatchFromBuffer(buffer, offset, mergedOptions);
       results.push(result.value);
       offset += result.bytesRead;
     }
@@ -2142,8 +2368,7 @@ function useCborParser() {
       if (byte === 255) {
         throw new Error(`Unexpected break code (0xff) at offset ${offset}`);
       }
-      const remainingHex = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-      const result = parseWithSourceMap(remainingHex, mergedOptions);
+      const result = parseWithSourceMap(buffer.subarray(offset), mergedOptions);
       const adjustedSourceMap = result.sourceMap.map((entry) => ({
         ...entry,
         start: entry.start + offset,
@@ -2164,5 +2389,5 @@ function useCborParser() {
 }
 
 export { bytesToHex, extractCborHeader, hexToBytes, readBigUint, readByte, readUint, useCborCollection, useCborFloat, useCborInteger, useCborParser, useCborString, useCborTag, validateUtf8Strict };
-//# sourceMappingURL=chunk-5A5T56JB.js.map
-//# sourceMappingURL=chunk-5A5T56JB.js.map
+//# sourceMappingURL=chunk-LWNWC2O7.js.map
+//# sourceMappingURL=chunk-LWNWC2O7.js.map