@marcuspuchalla/nachos 0.1.4 → 0.2.0

package/CHANGELOG.md

@@ -5,6 +5,58 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.0] - 2026-06-14 - RFC 8949 audit remediation
+
+Resolves the findings of the June 2026 RFC 8949 conformance & security audit.
+All fixes verified empirically against the build and locked in by
+`src/__tests__/audit-fixes.test.ts`.
+
+### Fixed
+
+#### Security
+- **(H1) Source-map parse path stack overflow** - `decodeWithSourceMap()` now
+  enforces `maxTagDepth` (RUSTSEC-2019-0025). Deeply nested tags previously
+  overflowed the call stack with an uncatchable `RangeError`; they now raise a
+  clean `Error`, matching `decode()`.
+- **(M2) Encoder depth bypass via tags** - `maxDepth` is now tracked across the
+  tagged-value boundary, so deeply nested `{tag,value}` chains can no longer
+  bypass the limit and overflow the stack.
+- **(L3) `readUint` precision** - refuses values above `MAX_SAFE_INTEGER`
+  instead of silently losing precision; callers must use `readBigUint`.
+
+#### Correctness / Conformance
+- **(H2) Map key ordering is now explicit** - canonical mode defaults to
+  **length-first** ordering (Cardano CIP-21 / RFC 7049 §3.9) and accepts a new
+  `mapKeyOrder: 'length-first' | 'bytewise'` option. `'bytewise'` selects
+  RFC 8949 §4.2.1 core deterministic ordering. Applies to both encoding and
+  `validateCanonical` decoding.
+- **(M1) Trailing-data well-formedness** - new `allowTrailingData` option
+  (default `true`; auto-`false` in `strict` mode) makes `decode()` reject
+  bytes left over after the top-level item. Use `parseSequence` for multiple items.
+- **(M4) Shortest-form tag numbers** - `validateCanonical` now rejects
+  non-shortest tag number encodings (e.g. `d80100` instead of `c100`).
+- **(M5) Float16 subnormal encoding** - `canBeFloat16` lower bound corrected
+  from 2⁻¹⁴ (min normal) to 2⁻²⁴ (min subnormal). The encoder no longer emits
+  float32 for representable subnormals, so its output again passes its own
+  canonical validator.
+
+#### Behavior
+- **(M3) Duplicate map keys** - default `dupMapKeyMode` changed from `'allow'`
+  to `'warn'` so duplicates are never silently collapsed in the `Map` view.
+  Byte-perfect round-trips are still preserved via `ALL_ENTRIES_SYMBOL`.
+
+### Performance
+- **(L1) Source-map sequences** - `parseSequenceWithSourceMap` uses a zero-copy
+  `subarray` view per item instead of re-hex-encoding the buffer tail (O(N²) → O(N)).
+
+### Added
+- `MapKeyOrder` type, `mapKeyOrder` option (parser + encoder), `allowTrailingData`
+  option, and `compareBytesLexicographic` / `compareMapKeys` utilities.
+- Diagnostic notation (L5) now renders `CborByteString`/`CborTextString` wrappers,
+  unassigned simple values (`simple(N)`), and auto-detects indefinite-length
+  arrays/maps/strings.
+- 24 new audit-regression tests.
+
 ## [0.1.4] - 2026-02-22
 
 ### Fixed

package/dist/{chunk-RVG2BY32.cjs → chunk-3Z45RBZP.cjs}

@@ -1,6 +1,6 @@
 'use strict';
 
-var chunkPD72MVTX_cjs = require('./chunk-PD72MVTX.cjs');
+var chunkP6A2OOIY_cjs = require('./chunk-P6A2OOIY.cjs');
 
 // src/parser/utils.ts
 var hexToBytes = (hex) => {
@@ -41,6 +41,9 @@ var readUint = (buffer, offset, length) => {
   for (let i = 0; i < length; i++) {
     result = result * 256 + readByte(buffer, offset + i);
   }
+  if (result > Number.MAX_SAFE_INTEGER) {
+    throw new Error(`Value at offset ${offset} (${length} bytes) exceeds MAX_SAFE_INTEGER; use readBigUint`);
+  }
   return result;
 };
 var readBigUint = (buffer, offset, length) => {
@@ -207,6 +210,23 @@ function compareBytes(a, b) {
   }
   return 0;
 }
+function compareBytesLexicographic(a, b) {
+  if (!a || !b) {
+    throw new Error("compareBytesLexicographic: arguments cannot be null or undefined");
+  }
+  const min = Math.min(a.length, b.length);
+  for (let i = 0; i < min; i++) {
+    const byteA = a[i];
+    const byteB = b[i];
+    if (byteA !== byteB) {
+      return byteA - byteB;
+    }
+  }
+  return a.length - b.length;
+}
+function compareMapKeys(a, b, order = "length-first") {
+  return order === "bytewise" ? compareBytesLexicographic(a, b) : compareBytes(a, b);
+}
 function serializeValueForComparison(value) {
   if (value === null) return "null";
   if (value === void 0) return "undefined";
@@ -314,8 +334,8 @@ function useCborInteger() {
 
 // src/parser/composables/useCborString.ts
 function useCborString() {
-  const { create: createByteString } = chunkPD72MVTX_cjs.useCborByteString();
-  const { create: createTextString } = chunkPD72MVTX_cjs.useCborTextString();
+  const { create: createByteString } = chunkP6A2OOIY_cjs.useCborByteString();
+  const { create: createTextString } = chunkP6A2OOIY_cjs.useCborTextString();
   const parseLength = (buffer, offset, ai, options) => {
     if (ai < 24) {
       return { length: ai, bytesConsumed: 0 };
@@ -771,7 +791,7 @@ function useCborTag() {
     if (additionalInfo === 31 && !isIndefiniteAllowed) {
       throw new Error("Indefinite-length encoding is not allowed (strict/canonical mode)");
     }
-    const maxDepth = options?.limits?.maxDepth ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxDepth;
+    const maxDepth = options?.limits?.maxDepth ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxDepth;
     if (depth >= maxDepth) {
       throw new Error(`Maximum nesting depth ${maxDepth} exceeded`);
     }
@@ -828,7 +848,7 @@ function useCborTag() {
       if (!foundBreak) {
         throw new Error("Indefinite-length array missing break code (0xFF)");
       }
-      items[chunkPD72MVTX_cjs.INDEFINITE_SYMBOL] = true;
+      items[chunkP6A2OOIY_cjs.INDEFINITE_SYMBOL] = true;
     } else {
       for (let i = 0; i < length; i++) {
         if (currentOffset >= buffer.length) {
@@ -854,7 +874,7 @@ function useCborTag() {
     if (additionalInfo === 31 && !isIndefiniteAllowed) {
       throw new Error("Indefinite-length encoding is not allowed (strict/canonical mode)");
     }
-    const maxDepth = options?.limits?.maxDepth ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxDepth;
+    const maxDepth = options?.limits?.maxDepth ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxDepth;
     if (depth >= maxDepth) {
       throw new Error(`Maximum nesting depth ${maxDepth} exceeded`);
     }
@@ -913,7 +933,7 @@ function useCborTag() {
       if (!foundBreak) {
         throw new Error("Indefinite-length map missing break code (0xFF)");
       }
-      map[chunkPD72MVTX_cjs.INDEFINITE_SYMBOL] = true;
+      map[chunkP6A2OOIY_cjs.INDEFINITE_SYMBOL] = true;
     } else {
       for (let i = 0; i < length; i++) {
         if (currentOffset >= buffer.length) {
@@ -1199,11 +1219,14 @@ function useCborTag() {
     if (majorType !== 6) {
       throw new Error(`Expected major type 6 (tag), got ${majorType}`);
     }
-    const maxTagDepth = options?.limits?.maxTagDepth ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxTagDepth;
+    const maxTagDepth = options?.limits?.maxTagDepth ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxTagDepth;
     if (tagDepth >= maxTagDepth) {
       throw new Error(`Tag nesting depth ${tagDepth} exceeds limit of ${maxTagDepth}`);
     }
     const { tagNumber, bytesConsumed } = parseTagNumber(buffer, offset + 1, additionalInfo);
+    if (options?.validateCanonical) {
+      validateCanonicalInteger(tagNumber, additionalInfo);
+    }
     let currentOffset = offset + 1 + bytesConsumed;
     if (currentOffset >= buffer.length) {
       throw new Error(`Unexpected end of buffer after tag ${tagNumber}`);
@@ -1432,7 +1455,7 @@ function useCborCollection() {
       if (!foundBreak) {
         throw new Error("Indefinite-length array missing break code (0xFF)");
       }
-      items[chunkPD72MVTX_cjs.INDEFINITE_SYMBOL] = true;
+      items[chunkP6A2OOIY_cjs.INDEFINITE_SYMBOL] = true;
     } else {
       if (options?.limits?.maxArrayLength && length > options.limits.maxArrayLength) {
         throw new Error(`Array length ${length} exceeds limit of ${options.limits.maxArrayLength}`);
@@ -1512,7 +1535,7 @@ function useCborCollection() {
       if (!foundBreak) {
         throw new Error("Indefinite-length map missing break code (0xFF)");
       }
-      map[chunkPD72MVTX_cjs.INDEFINITE_SYMBOL] = true;
+      map[chunkP6A2OOIY_cjs.INDEFINITE_SYMBOL] = true;
     } else {
       if (options?.limits?.maxMapSize && length > options.limits.maxMapSize) {
         throw new Error(`Map size ${length} exceeds limit of ${options.limits.maxMapSize}`);
@@ -1547,16 +1570,17 @@ function useCborCollection() {
         allEntries.push([keyResult.value, valueResult.value]);
       }
     }
-    map[chunkPD72MVTX_cjs.ALL_ENTRIES_SYMBOL] = allEntries;
+    map[chunkP6A2OOIY_cjs.ALL_ENTRIES_SYMBOL] = allEntries;
     if (options?.validateCanonical && keyBytes.length > 1) {
+      const keyOrder = options?.mapKeyOrder ?? "length-first";
       for (let i = 1; i < keyBytes.length; i++) {
         const prevKey = keyBytes[i - 1];
         const currKey = keyBytes[i];
         if (prevKey && currKey) {
-          const cmp = compareBytes(prevKey, currKey);
+          const cmp = compareMapKeys(prevKey, currKey, keyOrder);
           if (cmp > 0) {
             throw new Error(
-              `Map keys are not in canonical order: key at index ${i} should come before key at index ${i - 1}`
+              `Map keys are not in canonical order (${keyOrder}): key at index ${i} should come before key at index ${i - 1}`
             );
           }
           if (cmp === 0) {
@@ -1603,29 +1627,32 @@ function useCborCollection() {
 // src/parser/composables/useCborParser.ts
 function useCborParser() {
   const mergeOptions = (options) => {
-    if (!options) return chunkPD72MVTX_cjs.DEFAULT_OPTIONS;
+    if (!options) return chunkP6A2OOIY_cjs.DEFAULT_OPTIONS;
     const isCanonical = options.validateCanonical ?? (options.strict ? true : false);
     return {
-      strict: options.strict ?? chunkPD72MVTX_cjs.DEFAULT_OPTIONS.strict,
+      strict: options.strict ?? chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.strict,
       validateCanonical: isCanonical,
       // RFC 8949 Section 4.2: Deterministic encoding MUST NOT use indefinite-length
-      allowIndefinite: options.allowIndefinite ?? (isCanonical || options.strict ? false : chunkPD72MVTX_cjs.DEFAULT_OPTIONS.allowIndefinite),
+      allowIndefinite: options.allowIndefinite ?? (isCanonical || options.strict ? false : chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.allowIndefinite),
       // Auto-enable duplicate key rejection for canonical or strict mode
-      dupMapKeyMode: options.dupMapKeyMode ?? (isCanonical || options.strict ? "reject" : chunkPD72MVTX_cjs.DEFAULT_OPTIONS.dupMapKeyMode),
-      validateUtf8Strict: options.validateUtf8Strict ?? (options.strict ? true : chunkPD72MVTX_cjs.DEFAULT_OPTIONS.validateUtf8Strict),
-      validateSetUniqueness: options.validateSetUniqueness ?? (options.strict ? true : chunkPD72MVTX_cjs.DEFAULT_OPTIONS.validateSetUniqueness),
-      validateTagSemantics: options.validateTagSemantics ?? (options.strict ? true : chunkPD72MVTX_cjs.DEFAULT_OPTIONS.validateTagSemantics),
-      validatePlutusSemantics: options.validatePlutusSemantics ?? (options.strict ? true : chunkPD72MVTX_cjs.DEFAULT_OPTIONS.validatePlutusSemantics),
+      dupMapKeyMode: options.dupMapKeyMode ?? (isCanonical || options.strict ? "reject" : chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.dupMapKeyMode),
+      validateUtf8Strict: options.validateUtf8Strict ?? (options.strict ? true : chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.validateUtf8Strict),
+      validateSetUniqueness: options.validateSetUniqueness ?? (options.strict ? true : chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.validateSetUniqueness),
+      validateTagSemantics: options.validateTagSemantics ?? (options.strict ? true : chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.validateTagSemantics),
+      validatePlutusSemantics: options.validatePlutusSemantics ?? (options.strict ? true : chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.validatePlutusSemantics),
+      mapKeyOrder: options.mapKeyOrder ?? chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.mapKeyOrder,
+      // Strict mode rejects trailing data after the top-level item (well-formedness).
+      allowTrailingData: options.allowTrailingData ?? (options.strict ? false : chunkP6A2OOIY_cjs.DEFAULT_OPTIONS.allowTrailingData),
       limits: {
-        maxInputSize: options.limits?.maxInputSize ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxInputSize,
-        maxOutputSize: options.limits?.maxOutputSize ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxOutputSize,
-        maxStringLength: options.limits?.maxStringLength ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxStringLength,
-        maxArrayLength: options.limits?.maxArrayLength ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxArrayLength,
-        maxMapSize: options.limits?.maxMapSize ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxMapSize,
-        maxDepth: options.limits?.maxDepth ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxDepth,
-        maxTagDepth: options.limits?.maxTagDepth ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxTagDepth,
-        maxBignumBytes: options.limits?.maxBignumBytes ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxBignumBytes,
-        maxParseTime: options.limits?.maxParseTime ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxParseTime
+        maxInputSize: options.limits?.maxInputSize ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxInputSize,
+        maxOutputSize: options.limits?.maxOutputSize ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxOutputSize,
+        maxStringLength: options.limits?.maxStringLength ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxStringLength,
+        maxArrayLength: options.limits?.maxArrayLength ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxArrayLength,
+        maxMapSize: options.limits?.maxMapSize ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxMapSize,
+        maxDepth: options.limits?.maxDepth ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxDepth,
+        maxTagDepth: options.limits?.maxTagDepth ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxTagDepth,
+        maxBignumBytes: options.limits?.maxBignumBytes ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxBignumBytes,
+        maxParseTime: options.limits?.maxParseTime ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxParseTime
       }
     };
   };
@@ -1650,7 +1677,9 @@ function useCborParser() {
       if (mergedOptions.limits?.maxInputSize && input.length > mergedOptions.limits.maxInputSize) {
         throw new Error(`Input size ${input.length} bytes exceeds limit of ${mergedOptions.limits.maxInputSize} bytes`);
       }
-      return dispatchFromBuffer(input, 0, mergedOptions);
+      const bufResult = dispatchFromBuffer(input, 0, mergedOptions);
+      checkTrailingData(bufResult.bytesRead, input.length, mergedOptions);
+      return bufResult;
     }
     const cleanHex = input.replace(/\s+/g, "");
     if (!cleanHex || cleanHex.length === 0) {
@@ -1669,26 +1698,42 @@ function useCborParser() {
     const buffer = hexToBytes(cleanHex);
     const initialByte = readByte(buffer, 0);
     const { majorType } = extractCborHeader(initialByte);
+    let result;
     switch (majorType) {
       case 0:
       // Unsigned integer
       case 1:
-        return parseInteger(cleanHex, mergedOptions);
+        result = parseInteger(cleanHex, mergedOptions);
+        break;
       case 2:
       // Byte string
       case 3:
-        return parseString(cleanHex, mergedOptions);
+        result = parseString(cleanHex, mergedOptions);
+        break;
       case 4:
-        return parseArray(cleanHex, mergedOptions);
+        result = parseArray(cleanHex, mergedOptions);
+        break;
       case 5:
-        return parseMap(cleanHex, mergedOptions);
+        result = parseMap(cleanHex, mergedOptions);
+        break;
       case 6:
-        return parseTag(cleanHex, mergedOptions);
+        result = parseTag(cleanHex, mergedOptions);
+        break;
       case 7:
-        return parseFloatOrSimple(cleanHex, mergedOptions);
+        result = parseFloatOrSimple(cleanHex, mergedOptions);
+        break;
       default:
         throw new Error(`Unknown major type: ${majorType}`);
     }
+    checkTrailingData(result.bytesRead, buffer.length, mergedOptions);
+    return result;
+  };
+  const checkTrailingData = (bytesRead, totalLength, opts) => {
+    if (!opts.allowTrailingData && bytesRead < totalLength) {
+      throw new Error(
+        `Trailing data: ${totalLength - bytesRead} byte(s) remain after the top-level CBOR item (bytesRead=${bytesRead}, length=${totalLength}). Use parseSequence to decode multiple items.`
+      );
+    }
   };
   const parseWithSourceMap = (input, options) => {
     const mergedOptions = mergeOptions(options);
@@ -2185,6 +2230,12 @@ function useCborParser() {
     }
   };
   const parseTagWithMap = (ctx, offset, path, sourceMap) => {
+    const previousTagDepth = ctx.currentTagDepth ?? 0;
+    const maxTagDepth = ctx.options?.limits?.maxTagDepth ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxTagDepth;
+    if (previousTagDepth >= maxTagDepth) {
+      throw new Error(`Tag nesting depth ${previousTagDepth} exceeds limit of ${maxTagDepth}`);
+    }
+    ctx.currentTagDepth = previousTagDepth + 1;
     const startOffset = offset;
     const initialByte = readByte(ctx.buffer, offset);
     const { additionalInfo } = extractCborHeader(initialByte);
@@ -2193,6 +2244,9 @@ function useCborParser() {
       offset + 1,
       additionalInfo
     );
+    if (ctx.options?.validateCanonical) {
+      validateCanonicalInteger(tagNumber, additionalInfo);
+    }
     let currentOffset = offset + 1 + bytesConsumed;
     const headerEnd = currentOffset;
     const tagEntryIndex = sourceMap.length;
@@ -2218,7 +2272,7 @@ function useCborParser() {
     }
     let finalValue = valueResult.value;
     if ((tagNumber === 2 || tagNumber === 3) && finalValue instanceof Uint8Array) {
-      const maxBignumBytes = ctx.options?.limits?.maxBignumBytes ?? chunkPD72MVTX_cjs.DEFAULT_LIMITS.maxBignumBytes;
+      const maxBignumBytes = ctx.options?.limits?.maxBignumBytes ?? chunkP6A2OOIY_cjs.DEFAULT_LIMITS.maxBignumBytes;
       if (finalValue.length > maxBignumBytes) {
         throw new Error(
           `Bignum (tag ${tagNumber}) size ${finalValue.length} bytes exceeds limit of ${maxBignumBytes} bytes`
@@ -2237,6 +2291,7 @@ function useCborParser() {
       value: finalValue,
       ...plutusConstr && { plutus: plutusConstr }
     };
+    ctx.currentTagDepth = previousTagDepth;
     return {
       value: taggedValue,
       bytesRead: currentOffset - startOffset
@@ -2315,8 +2370,7 @@ function useCborParser() {
       if (byte === 255) {
         throw new Error(`Unexpected break code (0xff) at offset ${offset}`);
       }
-      const remainingHex = Array.from(buffer.slice(offset)).map((b) => b.toString(16).padStart(2, "0")).join("");
-      const result = parseWithSourceMap(remainingHex, mergedOptions);
+      const result = parseWithSourceMap(buffer.subarray(offset), mergedOptions);
       const adjustedSourceMap = result.sourceMap.map((entry) => ({
         ...entry,
         start: entry.start + offset,
@@ -2349,5 +2403,5 @@ exports.useCborParser = useCborParser;
 exports.useCborString = useCborString;
 exports.useCborTag = useCborTag;
 exports.validateUtf8Strict = validateUtf8Strict;
-//# sourceMappingURL=chunk-RVG2BY32.cjs.map
-//# sourceMappingURL=chunk-RVG2BY32.cjs.map
+//# sourceMappingURL=chunk-3Z45RBZP.cjs.map
+//# sourceMappingURL=chunk-3Z45RBZP.cjs.map