@blamejs/blamejs-shop 0.3.5 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (353) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +3 -3
  4. package/lib/vendor/blamejs/CHANGELOG.md +14 -0
  5. package/lib/vendor/blamejs/api-snapshot.json +2 -2
  6. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
  7. package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
  8. package/lib/vendor/blamejs/lib/a2a.js +4 -4
  9. package/lib/vendor/blamejs/lib/acme.js +3 -3
  10. package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
  11. package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
  12. package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
  13. package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
  14. package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
  15. package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
  16. package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
  17. package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
  18. package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
  19. package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
  20. package/lib/vendor/blamejs/lib/ai-input.js +4 -4
  21. package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
  22. package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
  23. package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
  24. package/lib/vendor/blamejs/lib/archive-read.js +25 -25
  25. package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
  26. package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
  27. package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
  28. package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
  29. package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
  30. package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
  31. package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
  32. package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
  33. package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
  34. package/lib/vendor/blamejs/lib/audit.js +2 -2
  35. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
  36. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
  37. package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
  38. package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
  39. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
  40. package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
  41. package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
  42. package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
  43. package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
  44. package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
  45. package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
  46. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  47. package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
  48. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  49. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
  50. package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
  51. package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
  52. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
  53. package/lib/vendor/blamejs/lib/backup/index.js +7 -7
  54. package/lib/vendor/blamejs/lib/base32.js +8 -8
  55. package/lib/vendor/blamejs/lib/budr.js +2 -2
  56. package/lib/vendor/blamejs/lib/cache-status.js +2 -2
  57. package/lib/vendor/blamejs/lib/calendar.js +29 -29
  58. package/lib/vendor/blamejs/lib/cbor.js +12 -12
  59. package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
  60. package/lib/vendor/blamejs/lib/cert.js +5 -5
  61. package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
  62. package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
  63. package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
  64. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
  65. package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
  66. package/lib/vendor/blamejs/lib/compliance.js +29 -29
  67. package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
  68. package/lib/vendor/blamejs/lib/cookies.js +1 -1
  69. package/lib/vendor/blamejs/lib/cose.js +13 -13
  70. package/lib/vendor/blamejs/lib/cra-report.js +1 -1
  71. package/lib/vendor/blamejs/lib/crdt.js +1 -1
  72. package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
  73. package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
  74. package/lib/vendor/blamejs/lib/crypto.js +6 -6
  75. package/lib/vendor/blamejs/lib/csp.js +2 -2
  76. package/lib/vendor/blamejs/lib/cwt.js +4 -4
  77. package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
  78. package/lib/vendor/blamejs/lib/data-act.js +2 -2
  79. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
  80. package/lib/vendor/blamejs/lib/db-query.js +1 -1
  81. package/lib/vendor/blamejs/lib/db.js +6 -6
  82. package/lib/vendor/blamejs/lib/dbsc.js +13 -13
  83. package/lib/vendor/blamejs/lib/did.js +17 -17
  84. package/lib/vendor/blamejs/lib/dora.js +4 -4
  85. package/lib/vendor/blamejs/lib/dsr.js +1 -1
  86. package/lib/vendor/blamejs/lib/early-hints.js +2 -2
  87. package/lib/vendor/blamejs/lib/eat.js +4 -4
  88. package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
  89. package/lib/vendor/blamejs/lib/external-db.js +1 -1
  90. package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
  91. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
  92. package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
  93. package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
  94. package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
  95. package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
  96. package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
  97. package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
  98. package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
  99. package/lib/vendor/blamejs/lib/guard-email.js +19 -19
  100. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
  101. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
  102. package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
  103. package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
  104. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
  105. package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
  106. package/lib/vendor/blamejs/lib/guard-html.js +7 -7
  107. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
  108. package/lib/vendor/blamejs/lib/guard-image.js +4 -4
  109. package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
  110. package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
  111. package/lib/vendor/blamejs/lib/guard-json.js +12 -12
  112. package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
  113. package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
  114. package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
  115. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
  116. package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
  117. package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
  118. package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
  119. package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
  120. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
  121. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
  122. package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
  123. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
  124. package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
  125. package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
  126. package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
  127. package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
  128. package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
  129. package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
  130. package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
  131. package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
  132. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
  133. package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
  134. package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
  135. package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
  136. package/lib/vendor/blamejs/lib/guard-time.js +15 -15
  137. package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
  138. package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
  139. package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
  140. package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
  141. package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
  142. package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
  143. package/lib/vendor/blamejs/lib/http-client.js +13 -10
  144. package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
  145. package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
  146. package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
  147. package/lib/vendor/blamejs/lib/inbox.js +4 -4
  148. package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
  149. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
  150. package/lib/vendor/blamejs/lib/json-path.js +3 -3
  151. package/lib/vendor/blamejs/lib/json-schema.js +1 -1
  152. package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
  153. package/lib/vendor/blamejs/lib/jtd.js +2 -2
  154. package/lib/vendor/blamejs/lib/link-header.js +1 -1
  155. package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
  156. package/lib/vendor/blamejs/lib/log.js +8 -3
  157. package/lib/vendor/blamejs/lib/lro.js +4 -4
  158. package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
  159. package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
  160. package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
  161. package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
  162. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
  163. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
  164. package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
  165. package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
  166. package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
  167. package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
  168. package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
  169. package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
  170. package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
  171. package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
  172. package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
  173. package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
  174. package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
  175. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
  176. package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
  177. package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
  178. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
  179. package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
  180. package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
  181. package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
  182. package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
  183. package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
  184. package/lib/vendor/blamejs/lib/mail-store.js +8 -8
  185. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
  186. package/lib/vendor/blamejs/lib/mail.js +4 -4
  187. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
  188. package/lib/vendor/blamejs/lib/mcp.js +15 -15
  189. package/lib/vendor/blamejs/lib/mdoc.js +2 -2
  190. package/lib/vendor/blamejs/lib/metrics.js +8 -8
  191. package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
  192. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
  193. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
  194. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
  195. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
  196. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
  197. package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
  198. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
  199. package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
  200. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
  201. package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
  202. package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
  203. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
  204. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
  205. package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
  206. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
  207. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
  208. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
  209. package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
  210. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
  211. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
  212. package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
  213. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
  214. package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
  215. package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
  216. package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
  217. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
  218. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
  219. package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
  220. package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
  221. package/lib/vendor/blamejs/lib/network-dns.js +29 -29
  222. package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
  223. package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
  224. package/lib/vendor/blamejs/lib/network-tls.js +100 -98
  225. package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
  226. package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
  227. package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
  228. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
  229. package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
  230. package/lib/vendor/blamejs/lib/observability.js +8 -8
  231. package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
  232. package/lib/vendor/blamejs/lib/openapi.js +1 -1
  233. package/lib/vendor/blamejs/lib/outbox.js +6 -6
  234. package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
  235. package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
  236. package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
  237. package/lib/vendor/blamejs/lib/problem-details.js +5 -5
  238. package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
  239. package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
  240. package/lib/vendor/blamejs/lib/queue.js +4 -2
  241. package/lib/vendor/blamejs/lib/redact.js +2 -2
  242. package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
  243. package/lib/vendor/blamejs/lib/router.js +10 -10
  244. package/lib/vendor/blamejs/lib/safe-async.js +2 -2
  245. package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
  246. package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
  247. package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
  248. package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
  249. package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
  250. package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
  251. package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
  252. package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
  253. package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
  254. package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
  255. package/lib/vendor/blamejs/lib/safe-url.js +1 -1
  256. package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
  257. package/lib/vendor/blamejs/lib/sandbox.js +5 -5
  258. package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
  259. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
  260. package/lib/vendor/blamejs/lib/self-update.js +3 -3
  261. package/lib/vendor/blamejs/lib/server-timing.js +3 -3
  262. package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
  263. package/lib/vendor/blamejs/lib/session.js +8 -8
  264. package/lib/vendor/blamejs/lib/sse.js +12 -5
  265. package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
  266. package/lib/vendor/blamejs/lib/storage.js +2 -2
  267. package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
  268. package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
  269. package/lib/vendor/blamejs/lib/subject.js +1 -1
  270. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
  271. package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
  272. package/lib/vendor/blamejs/lib/test-harness.js +1 -1
  273. package/lib/vendor/blamejs/lib/tracing.js +1 -1
  274. package/lib/vendor/blamejs/lib/tsa.js +5 -5
  275. package/lib/vendor/blamejs/lib/uri-template.js +5 -5
  276. package/lib/vendor/blamejs/lib/vault/index.js +2 -2
  277. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
  278. package/lib/vendor/blamejs/lib/vc.js +2 -2
  279. package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
  280. package/lib/vendor/blamejs/lib/watcher.js +4 -4
  281. package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
  282. package/lib/vendor/blamejs/lib/webhook.js +2 -2
  283. package/lib/vendor/blamejs/lib/websocket.js +5 -5
  284. package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
  285. package/lib/vendor/blamejs/lib/ws-client.js +24 -24
  286. package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
  287. package/lib/vendor/blamejs/package.json +1 -1
  288. package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
  289. package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
  290. package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
  291. package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
  292. package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
  293. package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
  294. package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
  295. package/lib/vendor/blamejs/test/00-primitives.js +15 -0
  296. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
  297. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
  298. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
  299. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
  300. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
  301. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
  302. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
  303. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
  304. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
  305. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
  306. package/package.json +1 -1
  307. package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
  308. package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
  309. package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
  310. package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
  311. package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
  312. package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
  313. package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
  314. package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
  315. package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
  316. package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
  317. package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
  318. package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
  319. package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
  320. package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
  321. package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
  322. package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
  323. package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
  324. package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
  325. package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
  326. package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
  327. package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
  328. package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
  329. package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
  330. package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
  331. package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
  332. package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
  333. package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
  334. package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
  335. package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
  336. package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
  337. package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
  338. package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
  339. package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
  340. package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
  341. package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
  342. package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
  343. package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
  344. package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
  345. package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
  346. package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
  347. package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
  348. package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
  349. package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
  350. package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
  351. package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
  352. package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
  353. package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
@@ -59,8 +59,8 @@ function _base32Encode(buf) {
59
59
  var bits = 0;
60
60
  var value = 0;
61
61
  for (var i = 0; i < buf.length; i += 1) {
62
- value = (value << 8) | buf[i]; // allow:raw-byte-literal — byte-aligned shift
63
- bits += 8; // allow:raw-byte-literal — bits-per-byte constant
62
+ value = (value << 8) | buf[i]; // byte-aligned shift
63
+ bits += 8; // bits-per-byte constant
64
64
  while (bits >= 5) {
65
65
  out += BASE32.charAt((value >>> (bits - 5)) & 31);
66
66
  bits -= 5;
@@ -72,13 +72,13 @@ function _base32Encode(buf) {
72
72
 
73
73
  function _hashTag(secret, hashInput) {
74
74
  var mac = nodeCrypto.createHmac("sha256", secret).update(hashInput.toLowerCase(), "utf8").digest();
75
- return _base32Encode(mac.subarray(0, 4)).slice(0, 4); // allow:raw-byte-literal — SRS spec 4-char short-tag
75
+ return _base32Encode(mac.subarray(0, 4)).slice(0, 4); // SRS spec 4-char short-tag
76
76
  }
77
77
 
78
78
  function _dayStamp(nowMs) {
79
79
  // Days since epoch, mod 1024. Two-char base32 = 1024 possible values.
80
- var days = Math.floor(nowMs / 86400000) % 1024; // allow:raw-byte-literal — ms-per-day + mod-1024 SRS rotation
81
- return BASE32.charAt(days >>> 5) + BASE32.charAt(days & 31); // allow:raw-byte-literal — 5-bit base32 split
80
+ var days = Math.floor(nowMs / 86400000) % 1024; // ms-per-day + mod-1024 SRS rotation
81
+ return BASE32.charAt(days >>> 5) + BASE32.charAt(days & 31); // 5-bit base32 split
82
82
  }
83
83
 
84
84
  function _dayDiff(stamp, nowMs) {
@@ -86,11 +86,11 @@ function _dayDiff(stamp, nowMs) {
86
86
  var hi = BASE32.indexOf(stamp.charAt(0));
87
87
  var lo = BASE32.indexOf(stamp.charAt(1));
88
88
  if (hi < 0 || lo < 0) return Infinity;
89
- var stampVal = (hi << 5) | lo; // allow:raw-byte-literal — 5-bit base32 split
90
- var nowVal = Math.floor(nowMs / 86400000) % 1024; // allow:raw-byte-literal — ms-per-day + mod-1024 rotation
89
+ var stampVal = (hi << 5) | lo; // 5-bit base32 split
90
+ var nowVal = Math.floor(nowMs / 86400000) % 1024; // ms-per-day + mod-1024 rotation
91
91
  // Modular distance — assume positive (rewrites in the future are
92
92
  // refused via _dayDiff > 0 callers).
93
- var diff = (nowVal - stampVal + 1024) % 1024; // allow:raw-byte-literal — mod-1024 rotation
93
+ var diff = (nowVal - stampVal + 1024) % 1024; // mod-1024 rotation
94
94
  return diff;
95
95
  }
96
96
 
@@ -131,13 +131,13 @@ function create(opts) {
131
131
  opts.secret, "srs.create.secret", SrsError, "srs/bad-secret");
132
132
  validateOpts.requireNonEmptyString(
133
133
  opts.forwarderDomain, "srs.create.forwarderDomain", SrsError, "srs/bad-forwarder");
134
- if (opts.secret.length < 16) { // allow:raw-byte-literal — minimum HMAC secret length
134
+ if (opts.secret.length < 16) { // minimum HMAC secret length
135
135
  throw new SrsError("srs/bad-secret",
136
136
  "srs.create: secret must be >= 16 chars (operator-supplied entropy floor)");
137
137
  }
138
- var expiryDays = opts.expiryDays !== undefined ? opts.expiryDays : 30; // allow:raw-byte-literal — default expiry window in days
138
+ var expiryDays = opts.expiryDays !== undefined ? opts.expiryDays : 30; // default expiry window in days
139
139
  if (typeof expiryDays !== "number" || !Number.isInteger(expiryDays) ||
140
- expiryDays < 1 || expiryDays > 1024) { // allow:raw-byte-literal — SRS rotation cycle cap
140
+ expiryDays < 1 || expiryDays > 1024) { // SRS rotation cycle cap
141
141
  throw new SrsError("srs/bad-expiry",
142
142
  "srs.create: expiryDays must be an integer 1..1024 (SRS rotation cycle)");
143
143
  }
@@ -154,7 +154,7 @@ function create(opts) {
154
154
  }
155
155
  var localPart = originalAddress.slice(0, at);
156
156
  var domain = originalAddress.slice(at + 1);
157
- if (localPart.length > 64 || domain.length > 253) { // allow:raw-byte-literal — RFC 5321 local-part / domain caps
157
+ if (localPart.length > 64 || domain.length > 253) { // RFC 5321 local-part / domain caps
158
158
  throw new SrsError("srs/bad-address",
159
159
  "srs.rewrite: localPart / domain exceeds RFC 5321 length cap");
160
160
  }
@@ -77,7 +77,7 @@ var MAX_TOKEN_LEN = 64;
77
77
  // millions of tokens; FTS5 row insert + index update must stay
78
78
  // bounded. The cap is applied AFTER stopword + length filter so the
79
79
  // surviving tokens are the highest-signal subset.
80
- var MAX_TOKENS_PER_FIELD = 8192; // allow:raw-byte-literal — token-count cap, not bytes
80
+ var MAX_TOKENS_PER_FIELD = 8192; // token-count cap, not bytes
81
81
 
82
82
  // Per-field FTS column names. Kept symmetric with the messages table
83
83
  // columns so callers can reason about which FTS column corresponds
@@ -187,7 +187,7 @@ function hashToken(table, field, token) {
187
187
  var ns = "bj-" + table + "-" + field + ":fts:";
188
188
  var salt = vault.getDerivedHashSalt();
189
189
  var saltHex = (salt && typeof salt.toString === "function") ? salt.toString("hex") : "";
190
- return bCrypto.sha3Hash(saltHex + ns + token).slice(0, 16); // allow:raw-byte-literal — 16-char hex prefix length, not bytes
190
+ return bCrypto.sha3Hash(saltHex + ns + token).slice(0, 16); // 16-char hex prefix length, not bytes
191
191
  }
192
192
 
193
193
  // Hash a token array → space-separated string suitable for FTS5
@@ -275,7 +275,7 @@ function create(opts) {
275
275
  var f = filter || {};
276
276
  var sinceModseq = f.sinceModseq || 0;
277
277
  var limit = f.limit || 100;
278
- if (limit > 1000) limit = 1000; // allow:raw-byte-literal — query row cap, not bytes
278
+ if (limit > 1000) limit = 1000; // query row cap, not bytes
279
279
 
280
280
  var matchClauses = [];
281
281
  function addMatch(filterKey, term) {
@@ -342,7 +342,7 @@ function create(opts) {
342
342
  "queryByModseq: folder '" + folderName + "' not found");
343
343
  }
344
344
  var sinceModseq = (queryOpts && queryOpts.sinceModseq) || 0;
345
- var limit = (queryOpts && queryOpts.limit) || 1000; // allow:raw-byte-literal — query row cap, not bytes
345
+ var limit = (queryOpts && queryOpts.limit) || 1000; // query row cap, not bytes
346
346
  var rows = stmtQueryByModseq.all(folder.id, sinceModseq, limit);
347
347
  return rows.map(function (r) {
348
348
  return {
@@ -373,7 +373,7 @@ function create(opts) {
373
373
  var fo = folderOpts || {};
374
374
  var role = fo.role || null;
375
375
  var parentId = fo.parentId || null;
376
- var uidvalidity = Math.floor(Date.now() / 1000); // allow:raw-byte-literal — Unix timestamp, not bytes
376
+ var uidvalidity = Math.floor(Date.now() / 1000); // Unix timestamp, not bytes
377
377
  stmtInsertFolder.run(name, role, parentId, uidvalidity);
378
378
  return stmtGetFolderByName.get(name);
379
379
  },
@@ -406,7 +406,7 @@ function create(opts) {
406
406
  });
407
407
  },
408
408
  setLegalHold: function (objectids, holdOpts) {
409
- var hold = (holdOpts && holdOpts.hold) ? 1 : 0; // allow:raw-byte-literal — boolean cast for sqlite INTEGER column
409
+ var hold = (holdOpts && holdOpts.hold) ? 1 : 0; // boolean cast for sqlite INTEGER column
410
410
  objectids.forEach(function (oid) { stmtLegalHold.run(hold, oid); });
411
411
  return { changed: objectids.length };
412
412
  },
@@ -591,7 +591,7 @@ function _appendMessage(args) {
591
591
  // token = 32-char hex = 128 bits, well above the birthday bound
592
592
  // for any plausible message corpus. The prior `.slice(0, 24)` cut
593
593
  // entropy to 96 bits; removed.
594
- var objectid = "obj_" + bCrypto.generateToken(16); // allow:raw-byte-literal — 16-byte token, 32-char hex JMAP objectid (RFC 8474 §1.5.1)
594
+ var objectid = "obj_" + bCrypto.generateToken(16); // 16-byte token, 32-char hex JMAP objectid (RFC 8474 §1.5.1)
595
595
  var modseq = (folder.modseq_max || 0) + 1;
596
596
  if (!threadRootId) threadRootId = objectid; // root of new thread
597
597
 
@@ -675,7 +675,7 @@ function _fetchByObjectId(args) {
675
675
  bodyText: unsealed.body_text,
676
676
  bodyHtml: unsealed.body_html,
677
677
  flags: flags,
678
- legalHold: row.legal_hold === 1, // allow:raw-byte-literal — sqlite INTEGER column 0|1
678
+ legalHold: row.legal_hold === 1, // sqlite INTEGER column 0|1
679
679
  };
680
680
  }
681
681
 
@@ -763,7 +763,7 @@ function _setFlags(args) {
763
763
  // which both leaks a prepared-statement handle per chunk and
764
764
  // doubles the SQL parse cost. Hold the stmt on a local + invoke
765
765
  // .run() directly with the bound argument list.
766
- var CHUNK = 500; // allow:raw-byte-literal — IN-clause chunk size, not bytes
766
+ var CHUNK = 500; // IN-clause chunk size, not bytes
767
767
  for (var i = 0; i < args.objectids.length; i += CHUNK) {
768
768
  var chunk = args.objectids.slice(i, i + CHUNK);
769
769
  var placeholders = chunk.map(function () { return "?"; }).join(",");
@@ -915,7 +915,7 @@ function _ensureSchema(db, qMsgs, qFolders, qFlags, qQuota, qFts) {
915
915
  function _ensureDefaultFolders(db, qFolders) {
916
916
  var stmt = db.prepare("INSERT OR IGNORE INTO " + qFolders +
917
917
  " (name, role, parent_id, modseq_max, uidvalidity) VALUES (?, ?, NULL, 0, ?)");
918
- var uv = Math.floor(Date.now() / 1000); // allow:raw-byte-literal — Unix timestamp, not bytes
918
+ var uv = Math.floor(Date.now() / 1000); // Unix timestamp, not bytes
919
919
  DEFAULT_FOLDERS.forEach(function (f) { stmt.run(f.name, f.role, uv); });
920
920
  }
921
921
 
@@ -75,7 +75,7 @@ var HEADER_VALUE_MAX_BYTES = C.BYTES.kib(2);
75
75
  function _isLdhListLabel(label) {
76
76
  if (typeof label !== "string" || label.length === 0) return false;
77
77
  // RFC 1035 §2.3.4 — labels bounded at 63 octets.
78
- if (label.length > 63) return false; // allow:raw-byte-literal — RFC 1035 §2.3.4 hostname-label limit
78
+ if (label.length > 63) return false; // RFC 1035 §2.3.4 hostname-label limit
79
79
  var n = label.length;
80
80
  for (var i = 0; i < n; i += 1) {
81
81
  var c = label.charCodeAt(i);
@@ -108,7 +108,7 @@ function _validateListId(value, label) {
108
108
  if (bracket) inner = bracket[1];
109
109
  // Inner is dot-separated labels; each label LDH per RFC 2919 §3.
110
110
  var labels = inner.split(".");
111
- if (labels.length < 2) { // allow:raw-byte-literal — RFC 2919 §3 requires >= 2 labels
111
+ if (labels.length < 2) { // RFC 2919 §3 requires >= 2 labels
112
112
  throw new MailUnsubscribeError("mailunsubscribe/invalid-list-header-shape",
113
113
  label + " '" + value + "' must contain at least two dot-separated labels (RFC 2919 §3)");
114
114
  }
@@ -144,13 +144,13 @@ function _validateHttpsUrl(value, label) {
144
144
  } catch (e) {
145
145
  throw new MailUnsubscribeError("mailunsubscribe/invalid-list-header-shape",
146
146
  label + " must be a valid https URL (got " +
147
- JSON.stringify(value).slice(0, 200) + "): " + // allow:raw-byte-literal — diagnostic clamp characters
147
+ JSON.stringify(value).slice(0, 200) + "): " + // diagnostic clamp characters
148
148
  ((e && e.message) || String(e)));
149
149
  }
150
150
  if (!parsed) {
151
151
  throw new MailUnsubscribeError("mailunsubscribe/invalid-list-header-shape",
152
152
  label + " must be a valid https URL (got " +
153
- JSON.stringify(value).slice(0, 200) + ")"); // allow:raw-byte-literal — diagnostic clamp characters
153
+ JSON.stringify(value).slice(0, 200) + ")"); // diagnostic clamp characters
154
154
  }
155
155
  return parsed.href;
156
156
  }
@@ -1003,7 +1003,7 @@ function _smtpSend(message, cfg) {
1003
1003
  var peerSupportsSmtpUtf8 = false; // RFC 6531 — set from EHLO response
1004
1004
  var peerSupportsChunking = false; // RFC 3030 §2 CHUNKING
1005
1005
  var peerSupportsBinaryMime = false; // RFC 3030 §3 BINARYMIME
1006
- var peerSupports8BitMime = false; // RFC 6152 (eight-bit MIME) // allow:raw-byte-literal — RFC number, not a byte literal
1006
+ var peerSupports8BitMime = false; // RFC 6152 (eight-bit MIME) // RFC number, not a byte literal
1007
1007
  var peerSizeCap = -1; // RFC 1870 SIZE — -1 unset, 0 = no cap, >0 = byte limit
1008
1008
  var upgradedToTLS = false;
1009
1009
  var settled = false;
@@ -1688,7 +1688,7 @@ function create(opts) {
1688
1688
  if (country && footerHtml.indexOf(country) === -1) {
1689
1689
  throw new MailError("mail/bad-footer-html",
1690
1690
  "mail.create({ footerHtml }): override must contain the postalAddress.country '" +
1691
- country + "' (CAN-SPAM §7704(a)(5)). Got: " + footerHtml.slice(0, 200), // allow:raw-byte-literal — diagnostic clamp characters, not bytes
1691
+ country + "' (CAN-SPAM §7704(a)(5)). Got: " + footerHtml.slice(0, 200), // diagnostic clamp characters, not bytes
1692
1692
  true);
1693
1693
  }
1694
1694
  if (postalCode && footerHtml.indexOf(postalCode) === -1) {
@@ -1896,7 +1896,7 @@ function feedbackId(opts) {
1896
1896
  throw new MailError("mail/bad-feedback-id-field",
1897
1897
  "feedbackId: " + f.key + " must be a non-empty string");
1898
1898
  }
1899
- if (f.value.length > 64) { // allow:raw-byte-literal — Gmail FBL per-field cap, not byte arithmetic
1899
+ if (f.value.length > 64) { // Gmail FBL per-field cap, not byte arithmetic
1900
1900
  throw new MailError("mail/bad-feedback-id-field",
1901
1901
  "feedbackId: " + f.key + " exceeds 64 chars (Gmail FBL truncation threshold)");
1902
1902
  }
@@ -1909,7 +1909,7 @@ function feedbackId(opts) {
1909
1909
  // ranges in regex literals regardless of escape form.
1910
1910
  for (var ci = 0; ci < f.value.length; ci += 1) {
1911
1911
  var code = f.value.charCodeAt(ci);
1912
- if (code < 32 || code === 127) { // allow:raw-byte-literal — C0 + DEL codepoint range
1912
+ if (code < 32 || code === 127) { // C0 + DEL codepoint range
1913
1913
  throw new MailError("mail/bad-feedback-id-field",
1914
1914
  "feedbackId: " + f.key + " contains control characters");
1915
1915
  }
@@ -114,7 +114,7 @@ function _validateTool(tool, where) {
114
114
  where + ": tool must be a non-null object", true);
115
115
  }
116
116
  validateOpts.requireNonEmptyString(tool.name, where + ".name", McpError, "mcp/bad-tool-name");
117
- if (tool.name.length > 64 || !TOOL_NAME_RE.test(tool.name)) { // allow:raw-byte-literal — MCP tool-name length cap, not byte count
117
+ if (tool.name.length > 64 || !TOOL_NAME_RE.test(tool.name)) { // MCP tool-name length cap, not byte count
118
118
  throw new McpError("mcp/bad-tool-name",
119
119
  where + ".name '" + tool.name + "' must match " + TOOL_NAME_RE);
120
120
  }
@@ -185,7 +185,7 @@ function create(opts) {
185
185
  opts.verifyingKey, "toolRegistry.create.verifyingKey", McpError, "mcp/bad-verifying-key");
186
186
  var alg = _validateAlg(opts.alg, "toolRegistry.create.alg");
187
187
  var defaultTtlMs = opts.ttlMs !== undefined ? opts.ttlMs : C.TIME.minutes(5);
188
- if (typeof defaultTtlMs !== "number" || !isFinite(defaultTtlMs) || defaultTtlMs < 1000) { // allow:raw-byte-literal — minimum-ttl threshold (1 second), not bytes
188
+ if (typeof defaultTtlMs !== "number" || !isFinite(defaultTtlMs) || defaultTtlMs < 1000) { // minimum-ttl threshold (1 second), not bytes
189
189
  throw new McpError("mcp/bad-ttl",
190
190
  "toolRegistry.create.ttlMs must be >= 1000 ms", true);
191
191
  }
@@ -303,13 +303,13 @@ function create(opts) {
303
303
  "signCall: tool '" + callOpts.toolName + "' not registered", true);
304
304
  }
305
305
  var ttlMs = callOpts.ttlMs !== undefined ? callOpts.ttlMs : defaultTtlMs;
306
- if (typeof ttlMs !== "number" || !isFinite(ttlMs) || ttlMs < 1000) { // allow:raw-byte-literal — minimum-ttl threshold (1 second), not bytes
306
+ if (typeof ttlMs !== "number" || !isFinite(ttlMs) || ttlMs < 1000) { // minimum-ttl threshold (1 second), not bytes
307
307
  throw new McpError("mcp/bad-ttl",
308
308
  "signCall: ttlMs must be >= 1000 ms", true);
309
309
  }
310
310
  var nonce = typeof callOpts.nonce === "string" && callOpts.nonce.length > 0
311
311
  ? callOpts.nonce
312
- : bCrypto().generateToken(16); // allow:raw-byte-literal — 128-bit nonce, not byte arithmetic on a payload
312
+ : bCrypto().generateToken(16); // 128-bit nonce, not byte arithmetic on a payload
313
313
  var iat = new Date();
314
314
  var exp = new Date(iat.getTime() + ttlMs);
315
315
  var envelope = {
@@ -39,18 +39,18 @@ var requestHelpers = require("./request-helpers");
39
39
  var audit = require("./audit");
40
40
  var { McpError } = require("./framework-error");
41
41
 
42
- var TOOL_NAME_MAX = 64; // allow:raw-byte-literal — string-length cap, not bytes
43
- var RESOURCE_NAME_MAX = 256; // allow:raw-byte-literal — string-length cap, not bytes
44
- var METHOD_NAME_MAX = 256; // allow:raw-byte-literal — string-length cap, not bytes
42
+ var TOOL_NAME_MAX = 64; // string-length cap, not bytes
43
+ var RESOURCE_NAME_MAX = 256; // string-length cap, not bytes
44
+ var METHOD_NAME_MAX = 256; // string-length cap, not bytes
45
45
  // JSON-RPC 2.0 error codes (https://www.jsonrpc.org/specification#error_object).
46
46
  // Negative numerics by spec; mapped to HTTP status for the framework's
47
47
  // HTTP-shaped reply envelope.
48
- var JSONRPC_PARSE_ERROR = -32700; // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
49
- var JSONRPC_INVALID_REQUEST = -32600; // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
50
- var JSONRPC_METHOD_NOT_FOUND= -32601; // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
51
- var JSONRPC_INVALID_PARAMS = -32602; // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
52
- var JSONRPC_INTERNAL_ERROR = -32603; // allow:raw-byte-literal — JSON-RPC 2.0 fixed error code / allow:raw-time-literal — not seconds
53
- var JSONRPC_AUTH_REQUIRED = -32001; // allow:raw-byte-literal — JSON-RPC server-error reserved range / allow:raw-time-literal — not seconds
48
+ var JSONRPC_PARSE_ERROR = -32700; // allow:raw-time-literal — not seconds
49
+ var JSONRPC_INVALID_REQUEST = -32600; // allow:raw-time-literal — not seconds
50
+ var JSONRPC_METHOD_NOT_FOUND= -32601; // allow:raw-time-literal — not seconds
51
+ var JSONRPC_INVALID_PARAMS = -32602; // allow:raw-time-literal — not seconds
52
+ var JSONRPC_INTERNAL_ERROR = -32603; // allow:raw-time-literal — not seconds
53
+ var JSONRPC_AUTH_REQUIRED = -32001; // allow:raw-time-literal — not seconds
54
54
  var TOOL_NAME_RE = /^[a-zA-Z][a-zA-Z0-9._-]{0,63}$/;
55
55
  var RESOURCE_NAME_RE = /^[a-zA-Z][a-zA-Z0-9._/-]{0,255}$/;
56
56
 
@@ -79,7 +79,7 @@ function parseRequest(body, opts) {
79
79
  var errorClass = opts.errorClass || McpError;
80
80
  var parsed;
81
81
  try {
82
- parsed = typeof body === "string" ? safeJson.parse(body, { maxBytes: C.BYTES.mib(1) }) : body; // allow:JSON.parse — routed via safeJson.parse
82
+ parsed = typeof body === "string" ? safeJson.parse(body, { maxBytes: C.BYTES.mib(1) }) : body; // routed via safeJson.parse
83
83
  } catch (_e) {
84
84
  throw errorClass.factory("mcp/bad-json",
85
85
  "mcp.parseRequest: body is not valid JSON");
@@ -143,9 +143,9 @@ function refuse(res, code, message, id) {
143
143
  res.setHeader("Content-Type", "application/json");
144
144
  }
145
145
  // HTTP status mapping for the JSON-RPC error code we reply with.
146
- res.statusCode = code === JSONRPC_PARSE_ERROR || code === JSONRPC_INVALID_REQUEST ? 400 : // allow:raw-byte-literal — HTTP status code (RFC 9110)
147
- code === JSONRPC_METHOD_NOT_FOUND ? 404 : // allow:raw-byte-literal — HTTP status code (RFC 9110)
148
- code === JSONRPC_INTERNAL_ERROR ? 500 : 400; // allow:raw-byte-literal — HTTP status code (RFC 9110)
146
+ res.statusCode = code === JSONRPC_PARSE_ERROR || code === JSONRPC_INVALID_REQUEST ? 400 : // HTTP status code (RFC 9110)
147
+ code === JSONRPC_METHOD_NOT_FOUND ? 404 : // HTTP status code (RFC 9110)
148
+ code === JSONRPC_INTERNAL_ERROR ? 500 : 400; // HTTP status code (RFC 9110)
149
149
  res.end(body);
150
150
  }
151
151
 
@@ -617,7 +617,7 @@ function _validateValueAgainstSchema(value, schema, path) {
617
617
  // time, not request-controlled. Cap value length first per the
618
618
  // codebase-patterns regex-bound rule so a 10MB string doesn't
619
619
  // ReDoS the validator.
620
- if (value.length > 4096) return path + ": value exceeds 4 KiB cap before regex test"; // allow:raw-byte-literal — 4 KiB regex-input cap
620
+ if (value.length > 4096) return path + ": value exceeds 4 KiB cap before regex test"; // 4 KiB regex-input cap
621
621
  try {
622
622
  var pat = new RegExp(schema.pattern); // allow:dynamic-regex — schema.pattern from registered tool author, not request input; bounded above
623
623
  if (!pat.test(value)) return path + ": does not match pattern";
@@ -752,7 +752,7 @@ function _assertProtocolVersion(req, opts) {
752
752
  var SAMPLING_DEFAULTS = {
753
753
  maxRequestsPerSession: 10,
754
754
  maxMessagesPerRequest: 20,
755
- maxTokensPerRequest: 4096, // allow:raw-byte-literal — LLM token count, not bytes
755
+ maxTokensPerRequest: 4096, // LLM token count, not bytes
756
756
  allowedModelHint: null, // null = allow all
757
757
  refuseStopSequences: false,
758
758
  };
@@ -58,8 +58,8 @@ var { defineClass } = require("./framework-error");
58
58
 
59
59
  var MdocError = defineClass("MdocError", { alwaysPermanent: true });
60
60
 
61
- var HDR_X5CHAIN = 33; // allow:raw-byte-literal allow:raw-time-literal — x5chain COSE header label (RFC 9360 is a spec number, not a size/duration)
62
- var TAG_ENCODED_CBOR = 24; // allow:raw-byte-literal — RFC 8949 §3.4.5.1 embedded-CBOR tag
61
+ var HDR_X5CHAIN = 33; // allow:raw-time-literal — x5chain COSE header label (RFC 9360 is a spec number, not a size/duration)
62
+ var TAG_ENCODED_CBOR = 24; // RFC 8949 §3.4.5.1 embedded-CBOR tag
63
63
  // Tags ISO 18013-5 uses in issuer data: tdate(0), epoch(1), embedded
64
64
  // CBOR(24), full-date(1004, RFC 8943). Bounded — others are refused.
65
65
  var ALLOWED_TAGS = [0, 1, TAG_ENCODED_CBOR, 1004];
@@ -161,8 +161,8 @@ function _normalizeLabelArg(callLabels, value, defaultValue) {
161
161
  // a heuristic fallback so unknown-issuer tokens still get caught
162
162
  var _CRED_PREFIX_RE = /^(?:Bearer|Basic|Negotiate|Token|Digest)\s+\S/i;
163
163
  var _CRED_ISSUER_RE = /^(?:sk-|pk-|rk-|ghp_|ghs_|gho_|github_pat_|xoxb-|xoxa-|xoxp-|xoxr-|xapp-)/;
164
- var _CRED_JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/; // allow:raw-byte-literal — JWT segment min length
165
- var _CRED_ENTROPY_RE = /^[A-Za-z0-9_+/=-]{40,}$/; // allow:raw-byte-literal — high-entropy length floor
164
+ var _CRED_JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/; // JWT segment min length
165
+ var _CRED_ENTROPY_RE = /^[A-Za-z0-9_+/=-]{40,}$/; // high-entropy length floor
166
166
 
167
167
  // CRED_MAX_SCAN — upper bound on the byte slice the credential
168
168
  // detector inspects. Operator-supplied label values longer than this
@@ -170,11 +170,11 @@ var _CRED_ENTROPY_RE = /^[A-Za-z0-9_+/=-]{40,}$/;
170
170
  // still a credential), but the regex tests run on the prefix slice so
171
171
  // a 1 GB string can't ReDoS the scanner. Counter cardinality stays
172
172
  // stable: the same long string always maps to the same prefix slice.
173
- var CRED_MAX_SCAN = 256; // allow:raw-byte-literal — prefix-scan length cap
173
+ var CRED_MAX_SCAN = 256; // prefix-scan length cap
174
174
 
175
175
  function _looksLikeCredential(str) {
176
176
  if (typeof str !== "string") return false;
177
- if (str.length < 8) return false; // allow:raw-byte-literal — minimum credential length floor
177
+ if (str.length < 8) return false; // minimum credential length floor
178
178
  // Clamp to the prefix slice so a hostile label value can't push the
179
179
  // regex into superlinear time. All four credential shapes have
180
180
  // signature in the first ~256 bytes; Stripe / GitHub / OpenAI tokens
@@ -185,7 +185,7 @@ function _looksLikeCredential(str) {
185
185
  // enough entropy to be real tokens; hoisted to a named constant so
186
186
  // every test() has its length floor visible at the call site
187
187
  // (testFormatValidatorLengthCap convention).
188
- var CRED_MIN_LEN = 8; // allow:raw-byte-literal — minimum credential length floor
188
+ var CRED_MIN_LEN = 8; // minimum credential length floor
189
189
  if (clamped.length >= CRED_MIN_LEN && _CRED_PREFIX_RE.test(clamped)) return true;
190
190
  if (clamped.length >= CRED_MIN_LEN && _CRED_ISSUER_RE.test(clamped)) return true;
191
191
  if (clamped.length >= CRED_MIN_LEN && _CRED_JWT_RE.test(clamped)) return true;
@@ -990,7 +990,7 @@ function snapshotStartWriter(opts) {
990
990
  // (owner rw, group r, world none). Operators with a sidecar
991
991
  // reader in a different group override to 0o644; multi-tenant
992
992
  // hosts may even tighten to 0o600.
993
- var fileMode = opts.fileMode !== undefined ? opts.fileMode : 0o640; // allow:raw-byte-literal — POSIX file mode octal
993
+ var fileMode = opts.fileMode !== undefined ? opts.fileMode : 0o640; // POSIX file mode octal
994
994
  if (typeof fileMode !== "number" || !isFinite(fileMode) ||
995
995
  fileMode < 0 || fileMode > 0o777 || Math.floor(fileMode) !== fileMode) {
996
996
  throw new MetricsError("metrics-snapshot/bad-file-mode",
@@ -1263,7 +1263,7 @@ function snapshotRender(snap, opts) {
1263
1263
  var kd = keys2[jd];
1264
1264
  var vd = fields[kd];
1265
1265
  if (typeof vd !== "string") continue;
1266
- if (vd.length > 64) continue; // allow:raw-byte-literal — ISO 8601 max length cap, not bytes
1266
+ if (vd.length > 64) continue; // ISO 8601 max length cap, not bytes
1267
1267
  if (!ISO_DATE_RE.test(vd)) continue; // allow:regex-no-length-cap — length-bounded immediately above
1268
1268
  if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(kd)) continue; // allow:regex-no-length-cap — field-name shape, length-bounded by snap field naming
1269
1269
  var ms = Date.parse(vd);
@@ -1311,7 +1311,7 @@ function snapshotRender(snap, opts) {
1311
1311
  * shadow.set("queue_depth", 42);
1312
1312
  * shadow.snapshot();
1313
1313
  */
1314
- var SHADOW_DEFAULT_CARDINALITY = 10000; // allow:raw-byte-literal — cardinality cap, not bytes
1314
+ var SHADOW_DEFAULT_CARDINALITY = 10000; // cardinality cap, not bytes
1315
1315
  function shadowRegistry(opts) {
1316
1316
  if (!opts || typeof opts !== "object") {
1317
1317
  throw new MetricsError("metrics-shadow/bad-opts",
@@ -70,6 +70,7 @@ var AgeGateError = defineClass("AgeGateError", { alwaysPermanent: true });
70
70
  * hasParentalConsent: function(req): boolean,
71
71
  * skipPaths: string[],
72
72
  * errorMessage: string,
73
+ * privacyPostureHeader: string, // default "X-Privacy-Posture"; null/false to suppress
73
74
  * audit: boolean, // default true
74
75
  * }
75
76
  *
@@ -87,7 +88,7 @@ function create(opts) {
87
88
  opts = opts || {};
88
89
  validateOpts(opts, [
89
90
  "audit", "getAge", "requireAge", "consentRequired",
90
- "hasParentalConsent", "skipPaths", "errorMessage",
91
+ "hasParentalConsent", "skipPaths", "errorMessage", "privacyPostureHeader",
91
92
  ], "middleware.ageGate");
92
93
 
93
94
  if (typeof opts.getAge !== "function") {
@@ -104,6 +105,17 @@ function create(opts) {
104
105
  var auditOn = opts.audit !== false;
105
106
  var errorMessage = typeof opts.errorMessage === "string" && opts.errorMessage.length > 0
106
107
  ? opts.errorMessage : "service unavailable without parental consent";
108
+ // privacyPostureHeader (default "X-Privacy-Posture") names the response
109
+ // header carrying the below-threshold classification. Pass null/false to
110
+ // suppress it, or a string to rename it for a downstream convention.
111
+ var privacyPostureHeader;
112
+ if (opts.privacyPostureHeader === null || opts.privacyPostureHeader === false) {
113
+ privacyPostureHeader = null;
114
+ } else if (typeof opts.privacyPostureHeader === "string" && opts.privacyPostureHeader.length > 0) {
115
+ privacyPostureHeader = opts.privacyPostureHeader;
116
+ } else {
117
+ privacyPostureHeader = "X-Privacy-Posture";
118
+ }
107
119
 
108
120
  function _shouldSkip(req) {
109
121
  if (skipPaths.length === 0) return false;
@@ -148,7 +160,7 @@ function create(opts) {
148
160
  if (typeof res.setHeader === "function") {
149
161
  res.setHeader("Cache-Control", "private, no-store");
150
162
  res.setHeader("Referrer-Policy", "no-referrer");
151
- res.setHeader("X-Privacy-Posture", classification);
163
+ if (privacyPostureHeader) res.setHeader(privacyPostureHeader, classification);
152
164
  }
153
165
  }
154
166
 
@@ -157,7 +169,7 @@ function create(opts) {
157
169
  if (!hasConsent) {
158
170
  _emitAudit("refused", "denied", { age: age, classification: classification, requireAge: requireAge });
159
171
  if (!res.writableEnded && typeof res.writeHead === "function") {
160
- res.writeHead(451, { // allow:raw-byte-literal — HTTP 451 Unavailable For Legal Reasons
172
+ res.writeHead(451, { // HTTP 451 Unavailable For Legal Reasons
161
173
  "Content-Type": "application/json; charset=utf-8",
162
174
  "Cache-Control": "no-store, private",
163
175
  });
@@ -66,6 +66,7 @@ var audit = lazyRequire(function () { return require("../audit"); });
66
66
  * mode: "header"|"html", // default "header"
67
67
  * lang: string, // default "en"
68
68
  * skipHeader: string, // default "x-skip-ai-act"
69
+ * headerPrefix: string, // default "AI-Act-" — prefixes the Notice/Article/Policy disclosure headers
69
70
  * audit: boolean, // default true
70
71
  * }
71
72
  *
@@ -83,7 +84,7 @@ function create(opts) {
83
84
  opts = opts || {};
84
85
  validateOpts(opts, [
85
86
  "kind", "deployerName", "policyUri", "mode",
86
- "audit", "lang", "skipHeader",
87
+ "audit", "lang", "skipHeader", "headerPrefix",
87
88
  ], "middleware.aiActDisclosure");
88
89
 
89
90
  var mode = (opts.mode === "html") ? "html" : "header";
@@ -99,6 +100,12 @@ function create(opts) {
99
100
  var skipHeader = (typeof opts.skipHeader === "string" && opts.skipHeader.length > 0)
100
101
  ? opts.skipHeader.toLowerCase()
101
102
  : "x-skip-ai-act";
103
+ // headerPrefix (default "AI-Act-") names the emitted disclosure headers as
104
+ // <prefix>Notice / <prefix>Article / <prefix>Policy. The EU AI Act mandates
105
+ // the disclosure, not the HTTP spelling — operators matching a downstream
106
+ // convention pass their own prefix (e.g. "X-AI-").
107
+ var headerPrefix = (typeof opts.headerPrefix === "string" && opts.headerPrefix.length > 0)
108
+ ? opts.headerPrefix : "AI-Act-";
102
109
 
103
110
  return function aiActDisclosureMiddleware(req, res, next) {
104
111
  var headers = req.headers || {};
@@ -118,10 +125,10 @@ function create(opts) {
118
125
  return origWriteHead.apply(res, arguments);
119
126
  }
120
127
  var article = _articleFor(opts.kind || "ai-interaction");
121
- _setHeader(res, "AI-Act-Notice", opts.kind || "ai-interaction");
122
- _setHeader(res, "AI-Act-Article", article);
128
+ _setHeader(res, headerPrefix + "Notice", opts.kind || "ai-interaction");
129
+ _setHeader(res, headerPrefix + "Article", article);
123
130
  if (typeof opts.policyUri === "string" && opts.policyUri.length > 0) {
124
- _setHeader(res, "AI-Act-Policy", opts.policyUri);
131
+ _setHeader(res, headerPrefix + "Policy", opts.policyUri);
125
132
  }
126
133
  injected = true;
127
134
  return origWriteHead.apply(res, arguments);
@@ -855,18 +855,18 @@ function client(opts) {
855
855
  // _generateUuidV4 — UUID v4 from 16 random bytes, formatted dash-separated.
856
856
  // Used for client-side session-id generation in per-session keying.
857
857
  // Slice offsets are RFC 4122 UUID hex-byte boundaries (`xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx`)
858
- // — protocol-fixed values, not byte sizes. allow:raw-byte-literal
858
+ // — protocol-fixed values, not byte sizes.
859
859
  function _generateUuidV4() {
860
- var b = bCrypto.generateBytes(16); // allow:raw-byte-literal — UUID is exactly 16 bytes
860
+ var b = bCrypto.generateBytes(16); // UUID is exactly 16 bytes
861
861
  // Set version (4) and variant (10x) bits per RFC 4122.
862
862
  b[6] = (b[6] & 0x0f) | 0x40;
863
863
  b[8] = (b[8] & 0x3f) | 0x80;
864
864
  var hex = b.toString("hex");
865
- return hex.slice(0, 8) + "-" + // allow:raw-byte-literal — RFC 4122 hex offsets
866
- hex.slice(8, 12) + "-" + // allow:raw-byte-literal
867
- hex.slice(12, 16) + "-" + // allow:raw-byte-literal
868
- hex.slice(16, 20) + "-" + // allow:raw-byte-literal
869
- hex.slice(20, 32); // allow:raw-byte-literal
865
+ return hex.slice(0, 8) + "-" + // RFC 4122 hex offsets
866
+ hex.slice(8, 12) + "-" +
867
+ hex.slice(12, 16) + "-" +
868
+ hex.slice(16, 20) + "-" +
869
+ hex.slice(20, 32);
870
870
  }
871
871
 
872
872
  // ---- Server-to-server convenience ----
@@ -109,7 +109,7 @@ function create(opts) {
109
109
  if (path !== "/.well-known/assetlinks.json") return next();
110
110
  if (req.method !== "GET" && req.method !== "HEAD") {
111
111
  var bodyMsg = "Method Not Allowed";
112
- res.writeHead(405, { // allow:raw-byte-literal — HTTP 405 status
112
+ res.writeHead(405, { // HTTP 405 status
113
113
  "Allow": "GET, HEAD",
114
114
  "Content-Type": "text/plain; charset=utf-8",
115
115
  "Content-Length": Buffer.byteLength(bodyMsg),
@@ -117,7 +117,7 @@ function create(opts) {
117
117
  res.end(bodyMsg);
118
118
  return;
119
119
  }
120
- res.writeHead(200, { // allow:raw-byte-literal — HTTP 200 status
120
+ res.writeHead(200, { // HTTP 200 status
121
121
  "Content-Type": "application/json; charset=utf-8",
122
122
  "Content-Length": bodyBuf.length,
123
123
  "Cache-Control": "public, max-age=86400",
@@ -107,7 +107,7 @@ function create(opts) {
107
107
  function _writeBody(req, res, body, etag, contentType) {
108
108
  var requestEtag = (req.headers && req.headers["if-none-match"]) || null;
109
109
  if (requestEtag && requestEtag === etag) {
110
- res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl }); // allow:raw-byte-literal — HTTP 304
110
+ res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl }); // HTTP 304
111
111
  res.end();
112
112
  return;
113
113
  }
@@ -120,7 +120,7 @@ function create(opts) {
120
120
  if (accessControl === "public") {
121
121
  headers["Access-Control-Allow-Origin"] = "*";
122
122
  }
123
- res.writeHead(200, headers); // allow:raw-byte-literal — HTTP 200
123
+ res.writeHead(200, headers); // HTTP 200
124
124
  res.end(body);
125
125
  }
126
126
 
@@ -46,7 +46,7 @@ function _writeUnauthorized(res, scheme, message, realm) {
46
46
  if (res.headersSent) return;
47
47
  var body = JSON.stringify({ error: message });
48
48
  var challenge = scheme + (realm ? ' realm="' + realm + '"' : "");
49
- res.writeHead(401, { // allow:raw-byte-literal — HTTP 401 status
49
+ res.writeHead(401, { // HTTP 401 status
50
50
  "Content-Type": "application/json; charset=utf-8",
51
51
  "Content-Length": Buffer.byteLength(body),
52
52
  "WWW-Authenticate": challenge,
@@ -146,7 +146,7 @@ function create(opts) {
146
146
  }
147
147
  for (var ri = 0; ri < realm.length; ri += 1) {
148
148
  var rcode = realm.charCodeAt(ri);
149
- if (rcode < 32 || rcode === 127) { // allow:raw-byte-literal — ASCII control codepoints
149
+ if (rcode < 32 || rcode === 127) { // ASCII control codepoints
150
150
  throw new AuthError("auth-bearer/bad-realm",
151
151
  "realm contains control character at index " + ri);
152
152
  }
@@ -198,7 +198,7 @@ function create(opts) {
198
198
  var malformedChallenge = scheme + ' error="invalid_request"' +
199
199
  (realm ? ', realm="' + realm + '"' : "");
200
200
  var malformedBody = JSON.stringify({ error: errorMessage });
201
- res.writeHead(401, { // allow:raw-byte-literal — HTTP 401 status
201
+ res.writeHead(401, { // HTTP 401 status
202
202
  "Content-Type": "application/json; charset=utf-8",
203
203
  "Content-Length": Buffer.byteLength(malformedBody),
204
204
  "WWW-Authenticate": malformedChallenge,
@@ -222,7 +222,7 @@ function create(opts) {
222
222
  (realm ? ', realm="' + realm + '"' : "");
223
223
  if (!res.headersSent) {
224
224
  var body = JSON.stringify({ error: errorMessage });
225
- res.writeHead(401, { // allow:raw-byte-literal — HTTP 401 status
225
+ res.writeHead(401, { // HTTP 401 status
226
226
  "Content-Type": "application/json; charset=utf-8",
227
227
  "Content-Length": Buffer.byteLength(body),
228
228
  "WWW-Authenticate": challenge,
@@ -264,7 +264,7 @@ function create(opts) {
264
264
  error: "insufficient_scope",
265
265
  required: opts.requiredScopes.slice(),
266
266
  });
267
- res.writeHead(403, { // allow:raw-byte-literal — HTTP 403 status
267
+ res.writeHead(403, { // HTTP 403 status
268
268
  "Content-Type": "application/json; charset=utf-8",
269
269
  "Content-Length": Buffer.byteLength(scopeBody),
270
270
  "WWW-Authenticate": scopeChallenge,