@blamejs/blamejs-shop 0.3.4 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (354) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/admin.js +428 -6
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/vendor/MANIFEST.json +3 -3
  5. package/lib/vendor/blamejs/CHANGELOG.md +14 -0
  6. package/lib/vendor/blamejs/api-snapshot.json +2 -2
  7. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
  8. package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
  9. package/lib/vendor/blamejs/lib/a2a.js +4 -4
  10. package/lib/vendor/blamejs/lib/acme.js +3 -3
  11. package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
  12. package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
  13. package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
  14. package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
  15. package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
  16. package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
  17. package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
  18. package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
  19. package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
  20. package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
  21. package/lib/vendor/blamejs/lib/ai-input.js +4 -4
  22. package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
  23. package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
  24. package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
  25. package/lib/vendor/blamejs/lib/archive-read.js +25 -25
  26. package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
  27. package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
  28. package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
  29. package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
  30. package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
  31. package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
  32. package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
  33. package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
  34. package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
  35. package/lib/vendor/blamejs/lib/audit.js +2 -2
  36. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
  37. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
  38. package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
  39. package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
  40. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
  41. package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
  42. package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
  43. package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
  44. package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
  45. package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
  46. package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
  47. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  48. package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
  49. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  50. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
  51. package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
  52. package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
  53. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
  54. package/lib/vendor/blamejs/lib/backup/index.js +7 -7
  55. package/lib/vendor/blamejs/lib/base32.js +8 -8
  56. package/lib/vendor/blamejs/lib/budr.js +2 -2
  57. package/lib/vendor/blamejs/lib/cache-status.js +2 -2
  58. package/lib/vendor/blamejs/lib/calendar.js +29 -29
  59. package/lib/vendor/blamejs/lib/cbor.js +12 -12
  60. package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
  61. package/lib/vendor/blamejs/lib/cert.js +5 -5
  62. package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
  63. package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
  64. package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
  65. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
  66. package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
  67. package/lib/vendor/blamejs/lib/compliance.js +29 -29
  68. package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
  69. package/lib/vendor/blamejs/lib/cookies.js +1 -1
  70. package/lib/vendor/blamejs/lib/cose.js +13 -13
  71. package/lib/vendor/blamejs/lib/cra-report.js +1 -1
  72. package/lib/vendor/blamejs/lib/crdt.js +1 -1
  73. package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
  74. package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
  75. package/lib/vendor/blamejs/lib/crypto.js +6 -6
  76. package/lib/vendor/blamejs/lib/csp.js +2 -2
  77. package/lib/vendor/blamejs/lib/cwt.js +4 -4
  78. package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
  79. package/lib/vendor/blamejs/lib/data-act.js +2 -2
  80. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
  81. package/lib/vendor/blamejs/lib/db-query.js +1 -1
  82. package/lib/vendor/blamejs/lib/db.js +6 -6
  83. package/lib/vendor/blamejs/lib/dbsc.js +13 -13
  84. package/lib/vendor/blamejs/lib/did.js +17 -17
  85. package/lib/vendor/blamejs/lib/dora.js +4 -4
  86. package/lib/vendor/blamejs/lib/dsr.js +1 -1
  87. package/lib/vendor/blamejs/lib/early-hints.js +2 -2
  88. package/lib/vendor/blamejs/lib/eat.js +4 -4
  89. package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
  90. package/lib/vendor/blamejs/lib/external-db.js +1 -1
  91. package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
  92. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
  93. package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
  94. package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
  95. package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
  96. package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
  97. package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
  98. package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
  99. package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
  100. package/lib/vendor/blamejs/lib/guard-email.js +19 -19
  101. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
  102. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
  103. package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
  104. package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
  105. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
  106. package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
  107. package/lib/vendor/blamejs/lib/guard-html.js +7 -7
  108. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
  109. package/lib/vendor/blamejs/lib/guard-image.js +4 -4
  110. package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
  111. package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
  112. package/lib/vendor/blamejs/lib/guard-json.js +12 -12
  113. package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
  114. package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
  115. package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
  116. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
  117. package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
  118. package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
  119. package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
  120. package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
  121. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
  122. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
  123. package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
  124. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
  125. package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
  126. package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
  127. package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
  128. package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
  129. package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
  130. package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
  131. package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
  132. package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
  133. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
  134. package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
  135. package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
  136. package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
  137. package/lib/vendor/blamejs/lib/guard-time.js +15 -15
  138. package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
  139. package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
  140. package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
  141. package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
  142. package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
  143. package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
  144. package/lib/vendor/blamejs/lib/http-client.js +13 -10
  145. package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
  146. package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
  147. package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
  148. package/lib/vendor/blamejs/lib/inbox.js +4 -4
  149. package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
  150. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
  151. package/lib/vendor/blamejs/lib/json-path.js +3 -3
  152. package/lib/vendor/blamejs/lib/json-schema.js +1 -1
  153. package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
  154. package/lib/vendor/blamejs/lib/jtd.js +2 -2
  155. package/lib/vendor/blamejs/lib/link-header.js +1 -1
  156. package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
  157. package/lib/vendor/blamejs/lib/log.js +8 -3
  158. package/lib/vendor/blamejs/lib/lro.js +4 -4
  159. package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
  160. package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
  161. package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
  162. package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
  163. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
  164. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
  165. package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
  166. package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
  167. package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
  168. package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
  169. package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
  170. package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
  171. package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
  172. package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
  173. package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
  174. package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
  175. package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
  176. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
  177. package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
  178. package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
  179. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
  180. package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
  181. package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
  182. package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
  183. package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
  184. package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
  185. package/lib/vendor/blamejs/lib/mail-store.js +8 -8
  186. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
  187. package/lib/vendor/blamejs/lib/mail.js +4 -4
  188. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
  189. package/lib/vendor/blamejs/lib/mcp.js +15 -15
  190. package/lib/vendor/blamejs/lib/mdoc.js +2 -2
  191. package/lib/vendor/blamejs/lib/metrics.js +8 -8
  192. package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
  193. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
  194. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
  195. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
  196. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
  197. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
  198. package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
  199. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
  200. package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
  201. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
  202. package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
  203. package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
  204. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
  205. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
  206. package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
  207. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
  208. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
  209. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
  210. package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
  211. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
  212. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
  213. package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
  214. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
  215. package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
  216. package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
  217. package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
  218. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
  219. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
  220. package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
  221. package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
  222. package/lib/vendor/blamejs/lib/network-dns.js +29 -29
  223. package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
  224. package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
  225. package/lib/vendor/blamejs/lib/network-tls.js +100 -98
  226. package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
  227. package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
  228. package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
  229. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
  230. package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
  231. package/lib/vendor/blamejs/lib/observability.js +8 -8
  232. package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
  233. package/lib/vendor/blamejs/lib/openapi.js +1 -1
  234. package/lib/vendor/blamejs/lib/outbox.js +6 -6
  235. package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
  236. package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
  237. package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
  238. package/lib/vendor/blamejs/lib/problem-details.js +5 -5
  239. package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
  240. package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
  241. package/lib/vendor/blamejs/lib/queue.js +4 -2
  242. package/lib/vendor/blamejs/lib/redact.js +2 -2
  243. package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
  244. package/lib/vendor/blamejs/lib/router.js +10 -10
  245. package/lib/vendor/blamejs/lib/safe-async.js +2 -2
  246. package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
  247. package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
  248. package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
  249. package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
  250. package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
  251. package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
  252. package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
  253. package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
  254. package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
  255. package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
  256. package/lib/vendor/blamejs/lib/safe-url.js +1 -1
  257. package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
  258. package/lib/vendor/blamejs/lib/sandbox.js +5 -5
  259. package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
  260. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
  261. package/lib/vendor/blamejs/lib/self-update.js +3 -3
  262. package/lib/vendor/blamejs/lib/server-timing.js +3 -3
  263. package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
  264. package/lib/vendor/blamejs/lib/session.js +8 -8
  265. package/lib/vendor/blamejs/lib/sse.js +12 -5
  266. package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
  267. package/lib/vendor/blamejs/lib/storage.js +2 -2
  268. package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
  269. package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
  270. package/lib/vendor/blamejs/lib/subject.js +1 -1
  271. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
  272. package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
  273. package/lib/vendor/blamejs/lib/test-harness.js +1 -1
  274. package/lib/vendor/blamejs/lib/tracing.js +1 -1
  275. package/lib/vendor/blamejs/lib/tsa.js +5 -5
  276. package/lib/vendor/blamejs/lib/uri-template.js +5 -5
  277. package/lib/vendor/blamejs/lib/vault/index.js +2 -2
  278. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
  279. package/lib/vendor/blamejs/lib/vc.js +2 -2
  280. package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
  281. package/lib/vendor/blamejs/lib/watcher.js +4 -4
  282. package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
  283. package/lib/vendor/blamejs/lib/webhook.js +2 -2
  284. package/lib/vendor/blamejs/lib/websocket.js +5 -5
  285. package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
  286. package/lib/vendor/blamejs/lib/ws-client.js +24 -24
  287. package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
  288. package/lib/vendor/blamejs/package.json +1 -1
  289. package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
  290. package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
  291. package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
  292. package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
  293. package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
  294. package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
  295. package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
  296. package/lib/vendor/blamejs/test/00-primitives.js +15 -0
  297. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
  298. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
  299. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
  300. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
  301. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
  302. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
  303. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
  304. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
  305. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
  306. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
  307. package/package.json +1 -1
  308. package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
  309. package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
  310. package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
  311. package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
  312. package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
  313. package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
  314. package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
  315. package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
  316. package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
  317. package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
  318. package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
  319. package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
  320. package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
  321. package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
  322. package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
  323. package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
  324. package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
  325. package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
  326. package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
  327. package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
  328. package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
  329. package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
  330. package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
  331. package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
  332. package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
  333. package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
  334. package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
  335. package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
  336. package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
  337. package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
  338. package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
  339. package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
  340. package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
  341. package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
  342. package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
  343. package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
  344. package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
  345. package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
  346. package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
  347. package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
  348. package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
  349. package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
  350. package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
  351. package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
  352. package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
  353. package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
  354. package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
@@ -821,7 +821,7 @@ function _connectAndCheckOcsp(opts, requireStapled) {
821
821
  var OID_BASIC_OCSP_RESPONSE = "1.3.6.1.5.5.7.48.1.1";
822
822
  // OCSP nonce extension — id-pkix-ocsp-nonce.
823
823
  var OID_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2";
824
- var OID_SHA1 = "1.3.14.3.2.26"; // allow:raw-byte-literal — SHA-1 algorithm OID arc
824
+ var OID_SHA1 = "1.3.14.3.2.26"; // SHA-1 algorithm OID arc
825
825
  var OID_RSA_SHA256 = "1.2.840.113549.1.1.11";
826
826
  var OID_RSA_SHA384 = "1.2.840.113549.1.1.12";
827
827
  var OID_RSA_SHA512 = "1.2.840.113549.1.1.13";
@@ -834,21 +834,21 @@ function _parseTime(node) {
834
834
  // ("YYYYMMDDhhmmssZ") into ms-since-epoch.
835
835
  var s = node.value.toString("ascii");
836
836
  var year, month, day, hour, min, sec;
837
- if (s.length === 13 && s.charAt(12) === "Z") { // allow:raw-byte-literal — UTCTime length per X.690
837
+ if (s.length === 13 && s.charAt(12) === "Z") { // UTCTime length per X.690
838
838
  // UTCTime YYMMDDhhmmssZ — 50+ → 19xx, else 20xx (RFC 5280 §4.1.2.5).
839
839
  year = parseInt(s.slice(0, 2), 10);
840
- year += year >= 50 ? 1900 : 2000; // allow:raw-byte-literal allow:raw-time-literal — RFC 5280 century pivot, calendar years
840
+ year += year >= 50 ? 1900 : 2000; // allow:raw-time-literal — RFC 5280 century pivot, calendar years
841
841
  month = parseInt(s.slice(2, 4), 10);
842
842
  day = parseInt(s.slice(4, 6), 10);
843
- hour = parseInt(s.slice(6, 8), 10); // allow:raw-byte-literal — UTCTime hour-byte offsets
844
- min = parseInt(s.slice(8, 10), 10); // allow:raw-byte-literal — UTCTime minute-byte offsets
843
+ hour = parseInt(s.slice(6, 8), 10); // UTCTime hour-byte offsets
844
+ min = parseInt(s.slice(8, 10), 10); // UTCTime minute-byte offsets
845
845
  sec = parseInt(s.slice(10, 12), 10);
846
- } else if (s.length >= 15 && s.charAt(s.length - 1) === "Z") { // allow:raw-byte-literal — GeneralizedTime length per X.690
846
+ } else if (s.length >= 15 && s.charAt(s.length - 1) === "Z") { // GeneralizedTime length per X.690
847
847
  // GeneralizedTime YYYYMMDDhhmmssZ.
848
848
  year = parseInt(s.slice(0, 4), 10);
849
849
  month = parseInt(s.slice(4, 6), 10);
850
- day = parseInt(s.slice(6, 8), 10); // allow:raw-byte-literal — GeneralizedTime day-byte offsets
851
- hour = parseInt(s.slice(8, 10), 10); // allow:raw-byte-literal — GeneralizedTime hour-byte offsets
850
+ day = parseInt(s.slice(6, 8), 10); // GeneralizedTime day-byte offsets
851
+ hour = parseInt(s.slice(8, 10), 10); // GeneralizedTime hour-byte offsets
852
852
  min = parseInt(s.slice(10, 12), 10);
853
853
  sec = parseInt(s.slice(12, 14), 10);
854
854
  } else {
@@ -913,7 +913,7 @@ function parseOcspResponse(der) {
913
913
  "BasicOCSPResponse is not a SEQUENCE");
914
914
  }
915
915
  var basicChildren = asn1.readSequence(basic.value);
916
- if (basicChildren.length < 3) { // allow:raw-byte-literal — minimum BasicOCSPResponse fields (tbs + alg + sig)
916
+ if (basicChildren.length < 3) { // minimum BasicOCSPResponse fields (tbs + alg + sig)
917
917
  throw new TlsTrustError("tls/ocsp-bad-shape",
918
918
  "BasicOCSPResponse needs tbsResponseData + signatureAlgorithm + signature");
919
919
  }
@@ -994,7 +994,7 @@ function parseOcspResponse(der) {
994
994
  var responses = [];
995
995
  for (var sri = 0; sri < singleResponses.length; sri += 1) {
996
996
  var sr = asn1.readSequence(singleResponses[sri].value);
997
- if (sr.length < 3) continue; // allow:raw-byte-literal — minimum SingleResponse fields
997
+ if (sr.length < 3) continue; // minimum SingleResponse fields
998
998
  // sr[0] = certID SEQUENCE, sr[1] = certStatus CHOICE, sr[2] = thisUpdate.
999
999
  var certIdChildren = asn1.readSequence(sr[0].value);
1000
1000
  // certID = SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
@@ -1232,12 +1232,12 @@ function _extractIssuerNameDerAndKeyBitString(certDer) {
1232
1232
  var idx = 0;
1233
1233
  if (tbsKids.length > 0 &&
1234
1234
  tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
1235
- tbsKids[0].tag === 0) { // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
1235
+ tbsKids[0].tag === 0) { // X.509 [0] EXPLICIT version tag
1236
1236
  idx = 1;
1237
1237
  }
1238
1238
  // After version: serialNumber, signature, issuer, validity, subject, SPKI.
1239
- var subjectIdx = idx + 4; // allow:raw-byte-literal — X.509 TBSCertificate field count
1240
- var spkiIdx = idx + 5; // allow:raw-byte-literal — X.509 TBSCertificate field count
1239
+ var subjectIdx = idx + 4; // X.509 TBSCertificate field count
1240
+ var spkiIdx = idx + 5; // X.509 TBSCertificate field count
1241
1241
  if (spkiIdx >= tbsKids.length) {
1242
1242
  throw new TlsTrustError("tls/ocsp-bad-issuer-cert", "issuer cert lacks SPKI field");
1243
1243
  }
@@ -1245,7 +1245,7 @@ function _extractIssuerNameDerAndKeyBitString(certDer) {
1245
1245
  var spki = tbsKids[spkiIdx];
1246
1246
  // Within SPKI: SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
1247
1247
  var spkiKids = asn1.readSequence(spki.value);
1248
- if (spkiKids.length < 2) { // allow:raw-byte-literal — minimum SPKI fields
1248
+ if (spkiKids.length < 2) { // minimum SPKI fields
1249
1249
  throw new TlsTrustError("tls/ocsp-bad-issuer-cert", "SPKI missing subjectPublicKey BIT STRING");
1250
1250
  }
1251
1251
  var keyBytes = asn1.readBitString(spkiKids[1]);
@@ -1266,7 +1266,7 @@ function _extractLeafSerial(leafCertDer) {
1266
1266
  var idx = 0;
1267
1267
  if (tbsKids.length > 0 &&
1268
1268
  tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
1269
- tbsKids[0].tag === 0) { // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
1269
+ tbsKids[0].tag === 0) { // X.509 [0] EXPLICIT version tag
1270
1270
  idx = 1;
1271
1271
  }
1272
1272
  // serialNumber is the next field after the optional version.
@@ -1323,8 +1323,8 @@ function buildOcspRequest(opts) {
1323
1323
  // talking to a responder that ignores nonces opt out via nonce: false.
1324
1324
  var includeNonce = opts.nonce !== false;
1325
1325
  if (includeNonce) {
1326
- var nonceLen = typeof opts.nonceLen === "number" ? opts.nonceLen : 16; // allow:raw-byte-literal — RFC 8954 §2.1 nonce length floor
1327
- if (nonceLen < 1 || nonceLen > 32) { // allow:raw-byte-literal — RFC 8954 §2.1 nonce length ceiling
1326
+ var nonceLen = typeof opts.nonceLen === "number" ? opts.nonceLen : 16; // RFC 8954 §2.1 nonce length floor
1327
+ if (nonceLen < 1 || nonceLen > 32) { // RFC 8954 §2.1 nonce length ceiling
1328
1328
  throw new TlsTrustError("tls/ocsp-bad-nonce-len",
1329
1329
  "nonce length out of RFC 8954 range (1..32)");
1330
1330
  }
@@ -1548,7 +1548,7 @@ function _extractSctExtensionFromCert(certDer) {
1548
1548
  var extensionsNode = null;
1549
1549
  for (var i = 0; i < tbsChildren.length; i += 1) {
1550
1550
  var ch = tbsChildren[i];
1551
- if (ch.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && ch.tag === 3) { // allow:raw-byte-literal — X.509 [3] EXPLICIT extensions tag
1551
+ if (ch.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && ch.tag === 3) { // X.509 [3] EXPLICIT extensions tag
1552
1552
  extensionsNode = asn1.readNode(ch.value, 0);
1553
1553
  break;
1554
1554
  }
@@ -1605,7 +1605,7 @@ function _extractTlsFeatureExtensionFromCert(certDer) {
1605
1605
  var extensionsNode = null;
1606
1606
  for (var i = 0; i < tbsChildren.length; i += 1) {
1607
1607
  var ch = tbsChildren[i];
1608
- if (ch.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && ch.tag === 3) { // allow:raw-byte-literal — X.509 [3] EXPLICIT extensions tag
1608
+ if (ch.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && ch.tag === 3) { // X.509 [3] EXPLICIT extensions tag
1609
1609
  extensionsNode = asn1.readNode(ch.value, 0);
1610
1610
  break;
1611
1611
  }
@@ -1646,17 +1646,17 @@ function _extractTlsFeatureExtensionFromCert(certDer) {
1646
1646
  // Format: 2-byte length + concatenation of individual SCTs, each
1647
1647
  // itself prefixed by a 2-byte length.
1648
1648
  function _parseSctList(sctListRaw) {
1649
- if (!Buffer.isBuffer(sctListRaw) || sctListRaw.length < 2) { // allow:raw-byte-literal — outer 2-byte length prefix
1649
+ if (!Buffer.isBuffer(sctListRaw) || sctListRaw.length < 2) { // outer 2-byte length prefix
1650
1650
  throw new TlsTrustError("tls/ct-bad-list",
1651
1651
  "SCT list shorter than the outer length prefix");
1652
1652
  }
1653
1653
  var totalLen = sctListRaw.readUInt16BE(0);
1654
- if (totalLen + 2 !== sctListRaw.length) { // allow:raw-byte-literal — outer length prefix
1654
+ if (totalLen + 2 !== sctListRaw.length) { // outer length prefix
1655
1655
  throw new TlsTrustError("tls/ct-bad-list",
1656
1656
  "SCT list outer length " + totalLen + " does not match buffer " +
1657
1657
  (sctListRaw.length - 2));
1658
1658
  }
1659
- var pos = 2; // allow:raw-byte-literal — past the outer prefix
1659
+ var pos = 2; // past the outer prefix
1660
1660
  var scts = [];
1661
1661
  while (pos < sctListRaw.length) {
1662
1662
  var sctLen = sctListRaw.readUInt16BE(pos);
@@ -1680,7 +1680,7 @@ function _parseSctList(sctListRaw) {
1680
1680
  // ct_extensions (2-byte len + N) — usually empty
1681
1681
  // signature DigitallySigned (hash + sig algo + 2-byte len + N)
1682
1682
  function _parseSct(sctBuf) {
1683
- if (sctBuf.length < 1 + 32 + 8 + 2 + 4) { // allow:raw-byte-literal — minimum SCT v1 byte total
1683
+ if (sctBuf.length < 1 + 32 + 8 + 2 + 4) { // minimum SCT v1 byte total
1684
1684
  throw new TlsTrustError("tls/ct-sct-too-short",
1685
1685
  "SCT is shorter than the minimum v1 layout (" + sctBuf.length + " bytes)");
1686
1686
  }
@@ -1689,21 +1689,21 @@ function _parseSct(sctBuf) {
1689
1689
  throw new TlsTrustError("tls/ct-sct-bad-version",
1690
1690
  "SCT version is not 0 (v1): got " + version);
1691
1691
  }
1692
- var logId = sctBuf.slice(1, 1 + 32); // allow:raw-byte-literal — RFC 6962 32-byte LogID
1693
- var timestamp = Number(sctBuf.readBigUInt64BE(1 + 32)); // allow:raw-byte-literal — past LogID
1694
- var extLen = sctBuf.readUInt16BE(1 + 32 + 8); // allow:raw-byte-literal — past LogID + timestamp
1695
- var pos = 1 + 32 + 8 + 2; // allow:raw-byte-literal — past extLen field
1692
+ var logId = sctBuf.slice(1, 1 + 32); // RFC 6962 32-byte LogID
1693
+ var timestamp = Number(sctBuf.readBigUInt64BE(1 + 32)); // past LogID
1694
+ var extLen = sctBuf.readUInt16BE(1 + 32 + 8); // past LogID + timestamp
1695
+ var pos = 1 + 32 + 8 + 2; // past extLen field
1696
1696
  var extensions = sctBuf.slice(pos, pos + extLen);
1697
1697
  pos += extLen;
1698
- if (pos + 4 > sctBuf.length) { // allow:raw-byte-literal — DigitallySigned header (hash + alg + len)
1698
+ if (pos + 4 > sctBuf.length) { // DigitallySigned header (hash + alg + len)
1699
1699
  throw new TlsTrustError("tls/ct-sct-truncated",
1700
1700
  "SCT truncated before DigitallySigned");
1701
1701
  }
1702
1702
  var hashAlgo = sctBuf[pos];
1703
1703
  var sigAlgo = sctBuf[pos + 1];
1704
- pos += 2; // allow:raw-byte-literal — past hash+alg pair
1704
+ pos += 2; // past hash+alg pair
1705
1705
  var sigLen = sctBuf.readUInt16BE(pos);
1706
- pos += 2; // allow:raw-byte-literal — past sig length
1706
+ pos += 2; // past sig length
1707
1707
  if (pos + sigLen !== sctBuf.length) {
1708
1708
  throw new TlsTrustError("tls/ct-sct-truncated",
1709
1709
  "SCT signature length " + sigLen + " does not match remaining bytes " +
@@ -1729,18 +1729,18 @@ function _parseSct(sctBuf) {
1729
1729
  // signed_entry (3-byte length || ASN.1 cert without SCT extension) ||
1730
1730
  // ct_extensions (2-byte length || N)
1731
1731
  function _buildSctSignedEntry(certWithoutSctDer, sct) {
1732
- var head = Buffer.alloc(1 + 1 + 8 + 2); // allow:raw-byte-literal — fixed-shape header bytes
1732
+ var head = Buffer.alloc(1 + 1 + 8 + 2); // fixed-shape header bytes
1733
1733
  head[0] = sct.version;
1734
1734
  head[1] = 0; // signature_type = certificate_timestamp
1735
- head.writeBigUInt64BE(BigInt(sct.timestamp), 2); // allow:raw-byte-literal — past version+sig-type
1736
- head.writeUInt16BE(0, 10); // allow:raw-byte-literal — entry_type = x509_entry (2 bytes; high byte = 0, low byte = 0)
1735
+ head.writeBigUInt64BE(BigInt(sct.timestamp), 2); // past version+sig-type
1736
+ head.writeUInt16BE(0, 10); // entry_type = x509_entry (2 bytes; high byte = 0, low byte = 0)
1737
1737
  // signed_entry: 3-byte length prefix + cert DER.
1738
- var lenBytes = Buffer.alloc(3); // allow:raw-byte-literal — RFC 6962 24-bit length prefix
1739
- lenBytes[0] = (certWithoutSctDer.length >> 16) & 0xff; // allow:raw-byte-literal — base-256 length high byte
1740
- lenBytes[1] = (certWithoutSctDer.length >> 8) & 0xff; // allow:raw-byte-literal — base-256 length mid byte
1741
- lenBytes[2] = certWithoutSctDer.length & 0xff; // allow:raw-byte-literal — base-256 length low byte
1738
+ var lenBytes = Buffer.alloc(3); // RFC 6962 24-bit length prefix
1739
+ lenBytes[0] = (certWithoutSctDer.length >> 16) & 0xff; // base-256 length high byte
1740
+ lenBytes[1] = (certWithoutSctDer.length >> 8) & 0xff; // base-256 length mid byte
1741
+ lenBytes[2] = certWithoutSctDer.length & 0xff; // base-256 length low byte
1742
1742
  // ct_extensions: 2-byte length + bytes.
1743
- var extHead = Buffer.alloc(2); // allow:raw-byte-literal — RFC 6962 2-byte ct_extensions length prefix
1743
+ var extHead = Buffer.alloc(2); // RFC 6962 2-byte ct_extensions length prefix
1744
1744
  extHead.writeUInt16BE(sct.extensions.length, 0);
1745
1745
  return Buffer.concat([head, lenBytes, certWithoutSctDer, extHead, sct.extensions]);
1746
1746
  }
@@ -1781,7 +1781,7 @@ function _stripSctExtensionFromCert(certDer) {
1781
1781
  var foundExtensions = false;
1782
1782
  for (var i = 0; i < tbsChildren.length; i += 1) {
1783
1783
  var ch = tbsChildren[i];
1784
- if (ch.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && ch.tag === 3) { // allow:raw-byte-literal — [3] EXPLICIT extensions tag
1784
+ if (ch.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && ch.tag === 3) { // [3] EXPLICIT extensions tag
1785
1785
  foundExtensions = true;
1786
1786
  // Inner SEQUENCE OF Extensions.
1787
1787
  var inner = asn1.readNode(ch.value, 0);
@@ -1797,11 +1797,8 @@ function _stripSctExtensionFromCert(certDer) {
1797
1797
  if (oid === OID_CT_SCT_LIST) continue; // drop the SCT extension
1798
1798
  } catch (_e) { /* not an OID — keep the extension as-is */ }
1799
1799
  }
1800
- // Re-encode this extension verbatim (we have the original bytes).
1801
- var origExt = certDer.slice(0, 0); // placeholder; we rebuild from the parsed node below
1802
- void origExt;
1800
+ // Re-encode this extension verbatim from its parsed bytes.
1803
1801
  keptExtBytes.push(_encodeAsn1(asn1.TAG.SEQUENCE, true, extBytes));
1804
- void extBytes;
1805
1802
  }
1806
1803
  var newExtSeq = _encodeAsn1(asn1.TAG.SEQUENCE, true, Buffer.concat(keptExtBytes));
1807
1804
  var newExplicit3 = _encodeContextExplicit(3, newExtSeq);
@@ -1828,22 +1825,22 @@ function _stripSctExtensionFromCert(certDer) {
1828
1825
  // SCT extension. Tag class is universal for SEQUENCE; constructed
1829
1826
  // flag wired explicitly.
1830
1827
  function _encodeLength(len) {
1831
- if (len < 0x80) return Buffer.from([len]); // allow:raw-byte-literal — DER short-form length threshold
1828
+ if (len < 0x80) return Buffer.from([len]); // DER short-form length threshold
1832
1829
  var tmp = [];
1833
1830
  var n = len;
1834
1831
  while (n > 0) {
1835
- tmp.unshift(n & 0xff); // allow:raw-byte-literal — base-256 byte
1836
- n = n >>> 8; // allow:raw-byte-literal — byte shift
1832
+ tmp.unshift(n & 0xff); // base-256 byte
1833
+ n = n >>> 8; // byte shift
1837
1834
  }
1838
- return Buffer.concat([Buffer.from([0x80 | tmp.length]), Buffer.from(tmp)]); // allow:raw-byte-literal — DER long-form length flag
1835
+ return Buffer.concat([Buffer.from([0x80 | tmp.length]), Buffer.from(tmp)]); // DER long-form length flag
1839
1836
  }
1840
1837
  function _encodeAsn1(tag, constructed, value) {
1841
- var tagByte = (constructed ? 0x20 : 0x00) | tag; // allow:raw-byte-literal — DER constructed bit + universal tag
1838
+ var tagByte = (constructed ? 0x20 : 0x00) | tag; // DER constructed bit + universal tag
1842
1839
  return Buffer.concat([Buffer.from([tagByte]), _encodeLength(value.length), value]);
1843
1840
  }
1844
1841
  function _encodeContextExplicit(num, value) {
1845
1842
  // Context-specific class (10) + constructed (20) | tag.
1846
- var tagByte = 0xa0 | num; // allow:raw-byte-literal — DER context-specific + constructed
1843
+ var tagByte = 0xa0 | num; // DER context-specific + constructed
1847
1844
  return Buffer.concat([Buffer.from([tagByte]), _encodeLength(value.length), value]);
1848
1845
  }
1849
1846
  function _encodeAsn1FromNode(node) {
@@ -1854,10 +1851,10 @@ function _encodeAsn1FromNode(node) {
1854
1851
  // restored directly. This works for the simple shapes we walk.
1855
1852
  var tagByte;
1856
1853
  if (node.tagClass === asn1.TAG_CLASS.UNIVERSAL) {
1857
- tagByte = (node.constructed ? 0x20 : 0x00) | (node.tag & 0x1f); // allow:raw-byte-literal — DER constructed bit + universal tag
1854
+ tagByte = (node.constructed ? 0x20 : 0x00) | (node.tag & 0x1f); // DER constructed bit + universal tag
1858
1855
  } else {
1859
- var classBits = (node.tagClass & 0x03) << 6; // allow:raw-byte-literal — DER tag-class bits
1860
- tagByte = classBits | (node.constructed ? 0x20 : 0x00) | (node.tag & 0x1f); // allow:raw-byte-literal — DER constructed bit + low-tag
1856
+ var classBits = (node.tagClass & 0x03) << 6; // DER tag-class bits
1857
+ tagByte = classBits | (node.constructed ? 0x20 : 0x00) | (node.tag & 0x1f); // DER constructed bit + low-tag
1861
1858
  }
1862
1859
  return Buffer.concat([Buffer.from([tagByte]), _encodeLength(node.value.length), node.value]);
1863
1860
  }
@@ -1874,7 +1871,7 @@ function verifyScts(certDer, opts) {
1874
1871
  "verifyScts: certDer must be a Buffer");
1875
1872
  }
1876
1873
  var logKeys = opts.logKeys || {};
1877
- var minScts = typeof opts.minScts === "number" ? opts.minScts : 2; // allow:raw-byte-literal — Chrome CT policy min-2-SCTs
1874
+ var minScts = typeof opts.minScts === "number" ? opts.minScts : 2; // Chrome CT policy min-2-SCTs
1878
1875
  var ext = _extractSctExtensionFromCert(certDer);
1879
1876
  if (!ext.sctListRaw) {
1880
1877
  return { ok: false, reason: "no-sct-extension", scts: [] };
@@ -1910,9 +1907,9 @@ function verifyScts(certDer, opts) {
1910
1907
  error: (e && e.message) || String(e) });
1911
1908
  continue;
1912
1909
  }
1913
- var nodeAlgo = sct.hashAlgo === 4 ? "sha256" : // allow:raw-byte-literal — TLS 1.2 HashAlgorithm enum sha256
1914
- sct.hashAlgo === 5 ? "sha384" : // allow:raw-byte-literal — TLS 1.2 HashAlgorithm enum sha384
1915
- sct.hashAlgo === 6 ? "sha512" : // allow:raw-byte-literal — TLS 1.2 HashAlgorithm enum sha512
1910
+ var nodeAlgo = sct.hashAlgo === 4 ? "sha256" : // TLS 1.2 HashAlgorithm enum sha256
1911
+ sct.hashAlgo === 5 ? "sha384" : // TLS 1.2 HashAlgorithm enum sha384
1912
+ sct.hashAlgo === 6 ? "sha512" : // TLS 1.2 HashAlgorithm enum sha512
1916
1913
  null;
1917
1914
  if (nodeAlgo === null) {
1918
1915
  perSctResults.push({ logIdHex: sct.logIdHex, verified: false,
@@ -1934,8 +1931,8 @@ function verifyScts(certDer, opts) {
1934
1931
  // under one algorithm against a key registered under another.
1935
1932
  var keyType = keyObj.asymmetricKeyType;
1936
1933
  var sctSigAlgo = sct.signatureAlgo;
1937
- var algoOk = (sctSigAlgo === 1 && keyType === "rsa") || // allow:raw-byte-literal — TLS 1.2 SignatureAlgorithm rsa
1938
- (sctSigAlgo === 3 && (keyType === "ec" || keyType === "ecdsa")); // allow:raw-byte-literal — TLS 1.2 SignatureAlgorithm ecdsa
1934
+ var algoOk = (sctSigAlgo === 1 && keyType === "rsa") || // TLS 1.2 SignatureAlgorithm rsa
1935
+ (sctSigAlgo === 3 && (keyType === "ec" || keyType === "ecdsa")); // TLS 1.2 SignatureAlgorithm ecdsa
1939
1936
  if (!algoOk) {
1940
1937
  perSctResults.push({ logIdHex: sct.logIdHex, verified: false,
1941
1938
  reason: "log-key-algo-mismatch",
@@ -2025,7 +2022,7 @@ function _ctLargestPowerOf2LessThan(n) {
2025
2022
  // returns: Buffer (32 bytes) — computed root hash to compare
2026
2023
  // throws: TlsTrustError on shape errors
2027
2024
  function _ctVerifyInclusionPath(leafHash, leafIndex, treeSize, auditPath) {
2028
- if (!Buffer.isBuffer(leafHash) || leafHash.length !== 32) { // allow:raw-byte-literal — RFC 9162 SHA-256 digest length
2025
+ if (!Buffer.isBuffer(leafHash) || leafHash.length !== 32) { // RFC 9162 SHA-256 digest length
2029
2026
  throw new TlsTrustError("tls/ct-bad-leaf-hash",
2030
2027
  "ct.verifyInclusion: leafHash must be a 32-byte Buffer");
2031
2028
  }
@@ -2056,7 +2053,7 @@ function _ctVerifyInclusionPath(leafHash, leafIndex, treeSize, auditPath) {
2056
2053
  "ct.verifyInclusion: audit path exhausted before tree root reached");
2057
2054
  }
2058
2055
  var sibling = auditPath[pathPos++];
2059
- if (!Buffer.isBuffer(sibling) || sibling.length !== 32) { // allow:raw-byte-literal — RFC 9162 SHA-256 digest length
2056
+ if (!Buffer.isBuffer(sibling) || sibling.length !== 32) { // RFC 9162 SHA-256 digest length
2060
2057
  throw new TlsTrustError("tls/ct-bad-audit-path",
2061
2058
  "ct.verifyInclusion: audit path entry " + (pathPos - 1) + " is not a 32-byte Buffer");
2062
2059
  }
@@ -2092,7 +2089,7 @@ function _ctVerifyConsistencyPath(m, n, consistencyProof, firstHash) {
2092
2089
  throw new TlsTrustError("tls/ct-bad-second-size",
2093
2090
  "ct.verifyConsistency: n (second tree size) must be an integer >= m");
2094
2091
  }
2095
- if (!Buffer.isBuffer(firstHash) || firstHash.length !== 32) { // allow:raw-byte-literal — RFC 9162 SHA-256 digest length
2092
+ if (!Buffer.isBuffer(firstHash) || firstHash.length !== 32) { // RFC 9162 SHA-256 digest length
2096
2093
  throw new TlsTrustError("tls/ct-bad-first-hash",
2097
2094
  "ct.verifyConsistency: firstHash must be a 32-byte Buffer");
2098
2095
  }
@@ -2127,7 +2124,7 @@ function _ctVerifyConsistencyPath(m, n, consistencyProof, firstHash) {
2127
2124
  "ct.verifyConsistency: consistency proof exhausted before second-tree root");
2128
2125
  }
2129
2126
  var sibling = path.shift();
2130
- if (!Buffer.isBuffer(sibling) || sibling.length !== 32) { // allow:raw-byte-literal — RFC 9162 SHA-256 digest length
2127
+ if (!Buffer.isBuffer(sibling) || sibling.length !== 32) { // RFC 9162 SHA-256 digest length
2131
2128
  throw new TlsTrustError("tls/ct-bad-consistency-entry",
2132
2129
  "ct.verifyConsistency: consistency-proof entry is not a 32-byte Buffer");
2133
2130
  }
@@ -2249,13 +2246,13 @@ var ct = Object.freeze({
2249
2246
  if (typeof ts !== "number" && typeof ts !== "bigint") {
2250
2247
  return { valid: false, reason: "bad-sct-timestamp" };
2251
2248
  }
2252
- var tsBuf = Buffer.alloc(8); // allow:raw-byte-literal — TLS uint64 width
2249
+ var tsBuf = Buffer.alloc(8); // TLS uint64 width
2253
2250
  var tsBig = typeof ts === "bigint" ? ts : BigInt(Math.floor(ts));
2254
2251
  tsBuf.writeBigUInt64BE(tsBig);
2255
2252
  var entryTypeBuf = Buffer.from([0x00, 0x00]);
2256
- var lenBuf = Buffer.alloc(3); // allow:raw-byte-literal — TLS uint24 length prefix
2253
+ var lenBuf = Buffer.alloc(3); // TLS uint24 length prefix
2257
2254
  lenBuf.writeUIntBE(signedEntryDer.length, 0, 3);
2258
- var extensionsBuf = Buffer.from([0x00, 0x00]); // allow:raw-byte-literal — empty extensions vector
2255
+ var extensionsBuf = Buffer.from([0x00, 0x00]); // empty extensions vector
2259
2256
  var leafBytes = Buffer.concat([
2260
2257
  Buffer.from([0x00]), // version v1
2261
2258
  Buffer.from([0x00]), // leaf_type timestamped_entry
@@ -2281,7 +2278,7 @@ var ct = Object.freeze({
2281
2278
  try { sthRoot = Buffer.from(sthRoot, "hex"); }
2282
2279
  catch (_e) { return { valid: false, reason: "bad-sth-root-encoding" }; }
2283
2280
  }
2284
- if (!Buffer.isBuffer(sthRoot) || sthRoot.length !== 32) { // allow:raw-byte-literal — RFC 9162 SHA-256 digest length
2281
+ if (!Buffer.isBuffer(sthRoot) || sthRoot.length !== 32) { // RFC 9162 SHA-256 digest length
2285
2282
  return { valid: false, reason: "bad-sth-root" };
2286
2283
  }
2287
2284
  if (!bCrypto.timingSafeEqual(computedRoot, sthRoot)) {
@@ -2344,10 +2341,10 @@ var ct = Object.freeze({
2344
2341
  try { secondRoot = Buffer.from(secondRoot, "hex"); }
2345
2342
  catch (_e) { return { valid: false, reason: "bad-second-root-encoding" }; }
2346
2343
  }
2347
- if (!Buffer.isBuffer(firstRoot) || firstRoot.length !== 32) { // allow:raw-byte-literal — RFC 9162 SHA-256 digest length
2344
+ if (!Buffer.isBuffer(firstRoot) || firstRoot.length !== 32) { // RFC 9162 SHA-256 digest length
2348
2345
  return { valid: false, reason: "bad-first-root" };
2349
2346
  }
2350
- if (!Buffer.isBuffer(secondRoot) || secondRoot.length !== 32) { // allow:raw-byte-literal — RFC 9162 SHA-256 digest length
2347
+ if (!Buffer.isBuffer(secondRoot) || secondRoot.length !== 32) { // RFC 9162 SHA-256 digest length
2351
2348
  return { valid: false, reason: "bad-second-root" };
2352
2349
  }
2353
2350
  var computed;
@@ -2416,7 +2413,7 @@ var ct = Object.freeze({
2416
2413
  // each (uint16 kdf_id, uint16
2417
2414
  // aead_id) — 4 bytes apiece)
2418
2415
 
2419
- var ECH_CONFIG_VERSION_DRAFT_22 = 0xfe0d; // allow:raw-byte-literal — draft-ietf-tls-esni-22 ECH version codepoint
2416
+ var ECH_CONFIG_VERSION_DRAFT_22 = 0xfe0d; // draft-ietf-tls-esni-22 ECH version codepoint
2420
2417
 
2421
2418
  function _echReadU8(buf, off) {
2422
2419
  if (off + 1 > buf.length) {
@@ -2426,7 +2423,7 @@ function _echReadU8(buf, off) {
2426
2423
  return buf[off];
2427
2424
  }
2428
2425
  function _echReadU16(buf, off) {
2429
- if (off + 2 > buf.length) { // allow:raw-byte-literal — uint16 width
2426
+ if (off + 2 > buf.length) { // uint16 width
2430
2427
  throw new NetworkTlsError("tls/ech-config-malformed",
2431
2428
  "ECHConfigList: truncated reading uint16 at offset " + off);
2432
2429
  }
@@ -2434,7 +2431,7 @@ function _echReadU16(buf, off) {
2434
2431
  }
2435
2432
  function _echReadVarOpaqueU16(buf, off) {
2436
2433
  var len = _echReadU16(buf, off);
2437
- off += 2; // allow:raw-byte-literal — uint16 length-prefix width
2434
+ off += 2; // uint16 length-prefix width
2438
2435
  if (off + len > buf.length) {
2439
2436
  throw new NetworkTlsError("tls/ech-config-malformed",
2440
2437
  "ECHConfigList: opaque vector overflows buffer (declared " + len +
@@ -2500,20 +2497,20 @@ function parseEchConfigList(raw) {
2500
2497
  throw new NetworkTlsError("tls/ech-config-malformed",
2501
2498
  "parseEchConfigList: input must be a non-empty Buffer or base64 string");
2502
2499
  }
2503
- if (raw.length < 2) { // allow:raw-byte-literal — uint16 outer length prefix
2500
+ if (raw.length < 2) { // uint16 outer length prefix
2504
2501
  throw new NetworkTlsError("tls/ech-config-malformed",
2505
2502
  "ECHConfigList: too short for outer length prefix");
2506
2503
  }
2507
2504
  var totalLen = raw.readUInt16BE(0);
2508
- if (2 + totalLen !== raw.length) { // allow:raw-byte-literal — uint16 prefix width
2505
+ if (2 + totalLen !== raw.length) { // uint16 prefix width
2509
2506
  throw new NetworkTlsError("tls/ech-config-malformed",
2510
2507
  "ECHConfigList: outer length " + totalLen + " does not match buffer " +
2511
2508
  "tail length " + (raw.length - 2));
2512
2509
  }
2513
- var off = 2; // allow:raw-byte-literal — uint16 prefix width
2510
+ var off = 2; // uint16 prefix width
2514
2511
  var configs = [];
2515
2512
  while (off < raw.length) {
2516
- if (off + 4 > raw.length) { // allow:raw-byte-literal — uint16 ver + uint16 len
2513
+ if (off + 4 > raw.length) { // uint16 ver + uint16 len
2517
2514
  throw new NetworkTlsError("tls/ech-config-malformed",
2518
2515
  "ECHConfig: truncated header at offset " + off);
2519
2516
  }
@@ -2530,19 +2527,19 @@ function parseEchConfigList(raw) {
2530
2527
  var p = bodyOff;
2531
2528
  // HpkeKeyConfig
2532
2529
  var configId = _echReadU8(raw, p); p += 1;
2533
- var kemId = _echReadU16(raw, p); p += 2; // allow:raw-byte-literal — uint16 KEM id width
2530
+ var kemId = _echReadU16(raw, p); p += 2; // uint16 KEM id width
2534
2531
  var pkOpaque = _echReadVarOpaqueU16(raw, p); p = pkOpaque.nextOff;
2535
- var suitesLen = _echReadU16(raw, p); p += 2; // allow:raw-byte-literal — uint16 length prefix width
2532
+ var suitesLen = _echReadU16(raw, p); p += 2; // uint16 length prefix width
2536
2533
  if (p + suitesLen > bodyEnd) {
2537
2534
  throw new NetworkTlsError("tls/ech-config-malformed",
2538
2535
  "ECHConfig: cipher_suites vector overflows config body");
2539
2536
  }
2540
- if (suitesLen % 4 !== 0 || suitesLen < 4) { // allow:raw-byte-literal — kdf+aead = 4 bytes per suite
2537
+ if (suitesLen % 4 !== 0 || suitesLen < 4) { // kdf+aead = 4 bytes per suite
2541
2538
  throw new NetworkTlsError("tls/ech-config-malformed",
2542
2539
  "ECHConfig: cipher_suites length must be a positive multiple of 4");
2543
2540
  }
2544
2541
  var suites = [];
2545
- for (var sp = p; sp < p + suitesLen; sp += 4) { // allow:raw-byte-literal — 4-byte cipher suite stride
2542
+ for (var sp = p; sp < p + suitesLen; sp += 4) { // 4-byte cipher suite stride
2546
2543
  suites.push({
2547
2544
  kdfId: raw.readUInt16BE(sp),
2548
2545
  aeadId: raw.readUInt16BE(sp + 2),
@@ -2552,7 +2549,7 @@ function parseEchConfigList(raw) {
2552
2549
  // remainder of contents
2553
2550
  var maxNameLen = _echReadU8(raw, p); p += 1;
2554
2551
  var publicName = _echReadVarOpaqueU8(raw, p); p = publicName.nextOff;
2555
- var extLen = _echReadU16(raw, p); p += 2; // allow:raw-byte-literal — uint16 length prefix width
2552
+ var extLen = _echReadU16(raw, p); p += 2; // uint16 length prefix width
2556
2553
  if (p + extLen !== bodyEnd) {
2557
2554
  throw new NetworkTlsError("tls/ech-config-malformed",
2558
2555
  "ECHConfig: extensions vector does not consume remaining body " +
@@ -2561,7 +2558,7 @@ function parseEchConfigList(raw) {
2561
2558
  var extensions = [];
2562
2559
  var extEnd = p + extLen;
2563
2560
  while (p < extEnd) {
2564
- var extType = _echReadU16(raw, p); p += 2; // allow:raw-byte-literal — uint16 ext type
2561
+ var extType = _echReadU16(raw, p); p += 2; // uint16 ext type
2565
2562
  var extData = _echReadVarOpaqueU16(raw, p); p = extData.nextOff;
2566
2563
  extensions.push({ type: extType, data: extData.value });
2567
2564
  }
@@ -2685,9 +2682,9 @@ function connectWithEch(opts) {
2685
2682
  "network.tls.connectWithEch");
2686
2683
  validateOpts.requireNonEmptyString(opts.host, "connectWithEch: host",
2687
2684
  NetworkTlsError, "tls/ech-bad-opts");
2688
- var port = opts.port === undefined ? 443 : opts.port; // allow:raw-byte-literal — HTTPS default port
2685
+ var port = opts.port === undefined ? 443 : opts.port; // HTTPS default port
2689
2686
  if (typeof port !== "number" || !isFinite(port) ||
2690
- port <= 0 || port > 65535 || Math.floor(port) !== port) { // allow:raw-byte-literal — TCP port range
2687
+ port <= 0 || port > 65535 || Math.floor(port) !== port) { // TCP port range
2691
2688
  throw new NetworkTlsError("tls/ech-bad-opts",
2692
2689
  "connectWithEch: port must be an integer in 1..65535");
2693
2690
  }
@@ -2874,7 +2871,7 @@ function _normalizeAsciiHost(host) {
2874
2871
  if (typeof host !== "string" || host.length === 0) return null;
2875
2872
  for (var i = 0; i < host.length; i += 1) {
2876
2873
  var cc = host.charCodeAt(i);
2877
- if (cc > 0x7f) return null; // allow:raw-byte-literal — ASCII upper bound codepoint
2874
+ if (cc > 0x7f) return null; // ASCII upper bound codepoint
2878
2875
  }
2879
2876
  // Strip a trailing dot (FQDN absolute form) for matching.
2880
2877
  var h = host.toLowerCase();
@@ -2975,17 +2972,17 @@ function _ipv6ToBytes(addr) {
2975
2972
  ];
2976
2973
  }
2977
2974
  var left = halves[0], right = halves[1];
2978
- var fillCount = 8 - (left.length + right.length); // allow:raw-byte-literal — IPv6 has 8 hextets
2975
+ var fillCount = 8 - (left.length + right.length); // IPv6 has 8 hextets
2979
2976
  if (fillCount < 0) return null;
2980
2977
  var hextets = left.concat(new Array(fillCount).fill("0")).concat(right);
2981
- if (hextets.length !== 8) return null; // allow:raw-byte-literal — IPv6 hextet count
2982
- var bytes = Buffer.alloc(16); // allow:raw-byte-literal — IPv6 = 16 bytes
2983
- for (var i = 0; i < 8; i += 1) { // allow:raw-byte-literal — IPv6 hextet count
2978
+ if (hextets.length !== 8) return null; // IPv6 hextet count
2979
+ var bytes = Buffer.alloc(16); // IPv6 = 16 bytes
2980
+ for (var i = 0; i < 8; i += 1) { // IPv6 hextet count
2984
2981
  var h = hextets[i];
2985
2982
  if (!safeBuffer.IPV6_HEXTET_RE.test(h)) return null;
2986
- var v = parseInt(h, 16); // allow:raw-byte-literal — hex radix
2987
- bytes[i * 2] = (v >> 8) & 0xff; // allow:raw-byte-literal — uint8 mask + uint16-half shift
2988
- bytes[i * 2 + 1] = v & 0xff; // allow:raw-byte-literal — uint8 mask
2983
+ var v = parseInt(h, 16); // hex radix
2984
+ bytes[i * 2] = (v >> 8) & 0xff; // uint8 mask + uint16-half shift
2985
+ bytes[i * 2 + 1] = v & 0xff; // uint8 mask
2989
2986
  }
2990
2987
  return bytes;
2991
2988
  }
@@ -3066,9 +3063,13 @@ function checkServerIdentity9525(host, cert) {
3066
3063
  }
3067
3064
  var rawSan = cert.subjectaltname;
3068
3065
  if (typeof rawSan !== "string" || rawSan.length === 0) {
3069
- // RFC 9525 §6.4.4 forbids CN fallback. If there's no SAN we refuse,
3070
- // never inspect cert.subject.CN a CN-only cert violates the
3071
- // modern PKIX baseline and the operator chose the strict checker.
3066
+ // RFC 9525 §6.4.4 forbids CN fallback. A CN-only legacy cert (CN
3067
+ // present, no SAN) surfaces the distinct `tls/pkix-cn-fallback-refused`
3068
+ // code so audit logs can tell it apart from a cert carrying neither;
3069
+ // a cert with no SAN and no CN falls through to `tls/pkix-san-required`.
3070
+ // Both refuse — we never fall back to matching on the Common Name.
3071
+ var cnRefusal = _refuseCnFallback(host, cert);
3072
+ if (cnRefusal) return cnRefusal;
3072
3073
  return new NetworkTlsError("tls/pkix-san-required",
3073
3074
  "checkServerIdentity9525: certificate has no subjectAltName " +
3074
3075
  "extension (RFC 9525 §6.4.4 forbids Common Name fallback)");
@@ -3117,10 +3118,11 @@ function _refuseCnFallback(host, cert) {
3117
3118
  return null;
3118
3119
  }
3119
3120
 
3120
- // Public combined verifier applies both the SAN-required check and
3121
- // the CN-fallback explicit refusal so operators get the more specific
3122
- // of the two error codes when applicable. checkServerIdentity9525 is
3123
- // the drop-in name; this internal helper is what `connect` wires in.
3121
+ // Explicit combined verifier kept for tests + callers that want the
3122
+ // CN-fallback / SAN-required split spelled out. The exported drop-in
3123
+ // `checkServerIdentity9525` already performs the CN-fallback refusal in
3124
+ // its no-SAN branch, so the `_refuseCnFallback` call here is a redundant
3125
+ // (idempotent) belt-and-suspenders; the more specific code wins either way.
3124
3126
  function _checkServerIdentityStrict(host, cert) {
3125
3127
  var cnRefusal = _refuseCnFallback(host, cert);
3126
3128
  if (cnRefusal) return cnRefusal;