fix: defense-in-depth bridge hardening

Three changes to lib/bridge.js, each independently low-risk and landing
as part of the v3.10.6 polish pass:

1. **AggregateError added to errorsList** (resolves GHSA-vwrp-x96c-mhwq
   doc drift). The result writeup and ATTACKS.md Cat 20 already listed
   AggregateError as protected, but it wasn't actually in the code's
   `errorsList`. Adding it makes the docs accurate, extends
   `protectedHostObjects` coverage to AggregateError.prototype +
   constructor, and extends `thisAddIdentityMapping` to its prototype.

2. **`nodejs.util.promisify.custom` added to symbol denylist**
   (defense-in-depth follow-up to GHSA-47x8-96vw-5wg6). Mirrors
   `nodejs.util.inspect.custom` and `nodejs.rejection`. No live exploit
   today, but the surface — host machinery invoking a sandbox-defined
   handler with host-realm arguments — is the same shape, so
   pre-emptive denial is cheap.

3. **`rebindHandlerConstructor` helper exposed** (closes
   GHSA-v37h-5mfm-c47c Layer-3 coverage gap). The original sentinel
   rebind covered the four core handler classes inside bridge.js but
   not subclasses defined in setup-sandbox.js (BufferHandler).

Author: patriksimek

lib/bridge.js

@@ -41,6 +41,7 @@ const errorsList = [
 	'EvalError',
 	'URIError',
 	'SuppressedError',
+	'AggregateError',
 	'Error',
 ];
 
@@ -162,9 +163,21 @@ const thisSymbolToStringTag = Symbol.toStringTag;
 const thisSymbolIterator = Symbol.iterator;
 const thisSymbolNodeJSUtilInspectCustom = Symbol.for('nodejs.util.inspect.custom');
 const thisSymbolNodeJSRejection = Symbol.for('nodejs.rejection');
+// SECURITY (post-GHSA-47x8 hardening): defense-in-depth — Node's util.promisify
+// uses Symbol.for('nodejs.util.promisify.custom') as a hook. If sandbox code
+// could ever provide a host-recognised version of this symbol on an object
+// passed to `util.promisify(...)`, Node would invoke the sandbox-defined
+// promisifier — likely with host-realm arguments. No live exploit today, but
+// the surface mirrors `nodejs.util.inspect.custom` closely enough that
+// pre-emptive denial is cheap.
+const thisSymbolNodeJSUtilPromisifyCustom = Symbol.for('nodejs.util.promisify.custom');
 
 function isDangerousCrossRealmSymbol(key) {
-	return key === thisSymbolNodeJSUtilInspectCustom || key === thisSymbolNodeJSRejection;
+	return (
+		key === thisSymbolNodeJSUtilInspectCustom ||
+		key === thisSymbolNodeJSRejection ||
+		key === thisSymbolNodeJSUtilPromisifyCustom
+	);
 }
 
 /**
@@ -2174,6 +2187,23 @@ function createBridge(otherInit, registerProxy) {
 		// token propagates up to BaseHandler.
 		return thisReflectConstruct(Subclass, [constructionToken, object]);
 	};
+	// SECURITY (post-GHSA-v37h hardening): expose the sentinel-rebind helper
+	// so that handler subclasses defined in setup-sandbox.js (e.g.
+	// BufferHandler) can also have their `.constructor` slot replaced with
+	// the throw-always sentinel. Without this, `Object.getPrototypeOf(handler).constructor`
+	// on a BufferHandler instance returned the real BufferHandler class (its
+	// `prototype.constructor` was the default `writable: true, configurable: true`
+	// data property) — Layer 1 (token check) compensated, but Layer 3 was
+	// narrower than advertised. This helper closes that gap.
+	result.rebindHandlerConstructor = function rebindHandlerConstructor(HandlerClass) {
+		thisReflectDefineProperty(HandlerClass.prototype, 'constructor', {
+			__proto__: null,
+			value: blockedHandlerConstructor,
+			writable: false,
+			enumerable: false,
+			configurable: false,
+		});
+	};
 	// SECURITY (GHSA-v37h-5mfm-c47c): We still expose ReadOnlyHandler as a
 	// superclass symbol so that setup-sandbox can declare
 	// `class BufferHandler extends ReadOnlyHandler`. The class reference