@blamejs/blamejs-shop 0.3.5 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (353) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +3 -3
  4. package/lib/vendor/blamejs/CHANGELOG.md +14 -0
  5. package/lib/vendor/blamejs/api-snapshot.json +2 -2
  6. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
  7. package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
  8. package/lib/vendor/blamejs/lib/a2a.js +4 -4
  9. package/lib/vendor/blamejs/lib/acme.js +3 -3
  10. package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
  11. package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
  12. package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
  13. package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
  14. package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
  15. package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
  16. package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
  17. package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
  18. package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
  19. package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
  20. package/lib/vendor/blamejs/lib/ai-input.js +4 -4
  21. package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
  22. package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
  23. package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
  24. package/lib/vendor/blamejs/lib/archive-read.js +25 -25
  25. package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
  26. package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
  27. package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
  28. package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
  29. package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
  30. package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
  31. package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
  32. package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
  33. package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
  34. package/lib/vendor/blamejs/lib/audit.js +2 -2
  35. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
  36. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
  37. package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
  38. package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
  39. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
  40. package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
  41. package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
  42. package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
  43. package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
  44. package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
  45. package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
  46. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  47. package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
  48. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  49. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
  50. package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
  51. package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
  52. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
  53. package/lib/vendor/blamejs/lib/backup/index.js +7 -7
  54. package/lib/vendor/blamejs/lib/base32.js +8 -8
  55. package/lib/vendor/blamejs/lib/budr.js +2 -2
  56. package/lib/vendor/blamejs/lib/cache-status.js +2 -2
  57. package/lib/vendor/blamejs/lib/calendar.js +29 -29
  58. package/lib/vendor/blamejs/lib/cbor.js +12 -12
  59. package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
  60. package/lib/vendor/blamejs/lib/cert.js +5 -5
  61. package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
  62. package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
  63. package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
  64. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
  65. package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
  66. package/lib/vendor/blamejs/lib/compliance.js +29 -29
  67. package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
  68. package/lib/vendor/blamejs/lib/cookies.js +1 -1
  69. package/lib/vendor/blamejs/lib/cose.js +13 -13
  70. package/lib/vendor/blamejs/lib/cra-report.js +1 -1
  71. package/lib/vendor/blamejs/lib/crdt.js +1 -1
  72. package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
  73. package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
  74. package/lib/vendor/blamejs/lib/crypto.js +6 -6
  75. package/lib/vendor/blamejs/lib/csp.js +2 -2
  76. package/lib/vendor/blamejs/lib/cwt.js +4 -4
  77. package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
  78. package/lib/vendor/blamejs/lib/data-act.js +2 -2
  79. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
  80. package/lib/vendor/blamejs/lib/db-query.js +1 -1
  81. package/lib/vendor/blamejs/lib/db.js +6 -6
  82. package/lib/vendor/blamejs/lib/dbsc.js +13 -13
  83. package/lib/vendor/blamejs/lib/did.js +17 -17
  84. package/lib/vendor/blamejs/lib/dora.js +4 -4
  85. package/lib/vendor/blamejs/lib/dsr.js +1 -1
  86. package/lib/vendor/blamejs/lib/early-hints.js +2 -2
  87. package/lib/vendor/blamejs/lib/eat.js +4 -4
  88. package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
  89. package/lib/vendor/blamejs/lib/external-db.js +1 -1
  90. package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
  91. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
  92. package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
  93. package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
  94. package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
  95. package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
  96. package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
  97. package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
  98. package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
  99. package/lib/vendor/blamejs/lib/guard-email.js +19 -19
  100. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
  101. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
  102. package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
  103. package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
  104. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
  105. package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
  106. package/lib/vendor/blamejs/lib/guard-html.js +7 -7
  107. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
  108. package/lib/vendor/blamejs/lib/guard-image.js +4 -4
  109. package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
  110. package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
  111. package/lib/vendor/blamejs/lib/guard-json.js +12 -12
  112. package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
  113. package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
  114. package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
  115. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
  116. package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
  117. package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
  118. package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
  119. package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
  120. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
  121. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
  122. package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
  123. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
  124. package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
  125. package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
  126. package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
  127. package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
  128. package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
  129. package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
  130. package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
  131. package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
  132. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
  133. package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
  134. package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
  135. package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
  136. package/lib/vendor/blamejs/lib/guard-time.js +15 -15
  137. package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
  138. package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
  139. package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
  140. package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
  141. package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
  142. package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
  143. package/lib/vendor/blamejs/lib/http-client.js +13 -10
  144. package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
  145. package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
  146. package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
  147. package/lib/vendor/blamejs/lib/inbox.js +4 -4
  148. package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
  149. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
  150. package/lib/vendor/blamejs/lib/json-path.js +3 -3
  151. package/lib/vendor/blamejs/lib/json-schema.js +1 -1
  152. package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
  153. package/lib/vendor/blamejs/lib/jtd.js +2 -2
  154. package/lib/vendor/blamejs/lib/link-header.js +1 -1
  155. package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
  156. package/lib/vendor/blamejs/lib/log.js +8 -3
  157. package/lib/vendor/blamejs/lib/lro.js +4 -4
  158. package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
  159. package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
  160. package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
  161. package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
  162. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
  163. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
  164. package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
  165. package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
  166. package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
  167. package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
  168. package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
  169. package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
  170. package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
  171. package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
  172. package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
  173. package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
  174. package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
  175. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
  176. package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
  177. package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
  178. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
  179. package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
  180. package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
  181. package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
  182. package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
  183. package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
  184. package/lib/vendor/blamejs/lib/mail-store.js +8 -8
  185. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
  186. package/lib/vendor/blamejs/lib/mail.js +4 -4
  187. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
  188. package/lib/vendor/blamejs/lib/mcp.js +15 -15
  189. package/lib/vendor/blamejs/lib/mdoc.js +2 -2
  190. package/lib/vendor/blamejs/lib/metrics.js +8 -8
  191. package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
  192. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
  193. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
  194. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
  195. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
  196. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
  197. package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
  198. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
  199. package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
  200. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
  201. package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
  202. package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
  203. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
  204. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
  205. package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
  206. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
  207. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
  208. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
  209. package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
  210. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
  211. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
  212. package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
  213. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
  214. package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
  215. package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
  216. package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
  217. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
  218. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
  219. package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
  220. package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
  221. package/lib/vendor/blamejs/lib/network-dns.js +29 -29
  222. package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
  223. package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
  224. package/lib/vendor/blamejs/lib/network-tls.js +100 -98
  225. package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
  226. package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
  227. package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
  228. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
  229. package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
  230. package/lib/vendor/blamejs/lib/observability.js +8 -8
  231. package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
  232. package/lib/vendor/blamejs/lib/openapi.js +1 -1
  233. package/lib/vendor/blamejs/lib/outbox.js +6 -6
  234. package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
  235. package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
  236. package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
  237. package/lib/vendor/blamejs/lib/problem-details.js +5 -5
  238. package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
  239. package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
  240. package/lib/vendor/blamejs/lib/queue.js +4 -2
  241. package/lib/vendor/blamejs/lib/redact.js +2 -2
  242. package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
  243. package/lib/vendor/blamejs/lib/router.js +10 -10
  244. package/lib/vendor/blamejs/lib/safe-async.js +2 -2
  245. package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
  246. package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
  247. package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
  248. package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
  249. package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
  250. package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
  251. package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
  252. package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
  253. package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
  254. package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
  255. package/lib/vendor/blamejs/lib/safe-url.js +1 -1
  256. package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
  257. package/lib/vendor/blamejs/lib/sandbox.js +5 -5
  258. package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
  259. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
  260. package/lib/vendor/blamejs/lib/self-update.js +3 -3
  261. package/lib/vendor/blamejs/lib/server-timing.js +3 -3
  262. package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
  263. package/lib/vendor/blamejs/lib/session.js +8 -8
  264. package/lib/vendor/blamejs/lib/sse.js +12 -5
  265. package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
  266. package/lib/vendor/blamejs/lib/storage.js +2 -2
  267. package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
  268. package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
  269. package/lib/vendor/blamejs/lib/subject.js +1 -1
  270. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
  271. package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
  272. package/lib/vendor/blamejs/lib/test-harness.js +1 -1
  273. package/lib/vendor/blamejs/lib/tracing.js +1 -1
  274. package/lib/vendor/blamejs/lib/tsa.js +5 -5
  275. package/lib/vendor/blamejs/lib/uri-template.js +5 -5
  276. package/lib/vendor/blamejs/lib/vault/index.js +2 -2
  277. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
  278. package/lib/vendor/blamejs/lib/vc.js +2 -2
  279. package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
  280. package/lib/vendor/blamejs/lib/watcher.js +4 -4
  281. package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
  282. package/lib/vendor/blamejs/lib/webhook.js +2 -2
  283. package/lib/vendor/blamejs/lib/websocket.js +5 -5
  284. package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
  285. package/lib/vendor/blamejs/lib/ws-client.js +24 -24
  286. package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
  287. package/lib/vendor/blamejs/package.json +1 -1
  288. package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
  289. package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
  290. package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
  291. package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
  292. package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
  293. package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
  294. package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
  295. package/lib/vendor/blamejs/test/00-primitives.js +15 -0
  296. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
  297. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
  298. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
  299. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
  300. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
  301. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
  302. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
  303. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
  304. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
  305. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
  306. package/package.json +1 -1
  307. package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
  308. package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
  309. package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
  310. package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
  311. package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
  312. package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
  313. package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
  314. package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
  315. package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
  316. package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
  317. package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
  318. package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
  319. package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
  320. package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
  321. package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
  322. package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
  323. package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
  324. package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
  325. package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
  326. package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
  327. package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
  328. package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
  329. package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
  330. package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
  331. package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
  332. package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
  333. package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
  334. package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
  335. package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
  336. package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
  337. package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
  338. package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
  339. package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
  340. package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
  341. package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
  342. package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
  343. package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
  344. package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
  345. package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
  346. package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
  347. package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
  348. package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
  349. package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
  350. package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
  351. package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
  352. package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
  353. package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
@@ -50,7 +50,7 @@ var VALID_DATA_TYPES = Object.freeze({
50
50
  patch: true, platform: true, "test-case": true,
51
51
  });
52
52
  var ISO8601_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$/; // allow:duplicate-regex — ISO-8601 instant shape ships in three primitives (metrics text-render, content-credentials, mail-server-imap APPEND); each is bounded by its own caller and the regex itself is 50 bytes — extracting into a cross-module dep wouldn't carry its weight
53
- var BOM_REF_RE = /^[A-Za-z0-9._:/+-]{1,256}$/; // allow:raw-byte-literal — CycloneDX bom-ref string-length cap, not bytes
53
+ var BOM_REF_RE = /^[A-Za-z0-9._:/+-]{1,256}$/; // CycloneDX bom-ref string-length cap, not bytes
54
54
 
55
55
  function _requireString(obj, key, ownerName) {
56
56
  if (typeof obj[key] !== "string" || obj[key].length === 0) {
@@ -67,7 +67,7 @@ function _validateModelComponent(c) {
67
67
  _requireString(c, "name", "build.model");
68
68
  _requireString(c, "version", "build.model");
69
69
  if (c["bom-ref"] !== undefined) {
70
- if (typeof c["bom-ref"] !== "string" || c["bom-ref"].length > 256) { // allow:raw-byte-literal — bom-ref string-length cap, not bytes
70
+ if (typeof c["bom-ref"] !== "string" || c["bom-ref"].length > 256) { // bom-ref string-length cap, not bytes
71
71
  throw new AiModelManifestError("aibom/bad-bom-ref",
72
72
  "build.model: bom-ref must be a string of length 1-256");
73
73
  }
@@ -332,12 +332,12 @@ function verify(envelope, publicKeyPem, opts) {
332
332
  // UUIDv4 via the framework's CSPRNG path. Used for `serialNumber`
333
333
  // defaults — operators may supply their own for cross-build stability.
334
334
  function _uuidUrn() {
335
- var b = bCrypto.generateBytes(16); // allow:raw-byte-literal — RFC 9562 §4.1 UUIDv4 is a 16-byte (128-bit) primitive
336
- b[6] = (b[6] & 0x0f) | 0x40; // allow:raw-byte-literal — UUIDv4 version nibble (RFC 9562 §4.4)
337
- b[8] = (b[8] & 0x3f) | 0x80; // allow:raw-byte-literal — UUIDv4 variant nibble (RFC 9562 §4.4)
335
+ var b = bCrypto.generateBytes(16); // RFC 9562 §4.1 UUIDv4 is a 16-byte (128-bit) primitive
336
+ b[6] = (b[6] & 0x0f) | 0x40; // UUIDv4 version nibble (RFC 9562 §4.4)
337
+ b[8] = (b[8] & 0x3f) | 0x80; // UUIDv4 variant nibble (RFC 9562 §4.4)
338
338
  var h = b.toString("hex");
339
- return "urn:uuid:" + h.slice(0, 8) + "-" + h.slice(8, 12) + "-" + // allow:raw-byte-literal — RFC 9562 §4 UUID text representation hex offsets (8-4-4-4-12)
340
- h.slice(12, 16) + "-" + h.slice(16, 20) + "-" + h.slice(20); // allow:raw-byte-literal — RFC 9562 §4 UUID hex offsets
339
+ return "urn:uuid:" + h.slice(0, 8) + "-" + h.slice(8, 12) + "-" + // RFC 9562 §4 UUID text representation hex offsets (8-4-4-4-12)
340
+ h.slice(12, 16) + "-" + h.slice(16, 20) + "-" + h.slice(20); // RFC 9562 §4 UUID hex offsets
341
341
  }
342
342
 
343
343
  // package.json read lives behind the call to dodge a circular-load
@@ -142,7 +142,7 @@ function parseHeader(value) {
142
142
  if (typeof value !== "string" || value.length === 0) {
143
143
  throw AiPrefError.factory("ai-pref/bad-header", "aiPref.parseHeader: value required");
144
144
  }
145
- if (value.length > 1024) { // allow:raw-byte-literal — header value cap, not bytes
145
+ if (value.length > 1024) { // header value cap, not bytes
146
146
  throw AiPrefError.factory("ai-pref/header-too-large",
147
147
  "aiPref.parseHeader: value exceeds 1024 chars");
148
148
  }
@@ -205,7 +205,7 @@ function parseHeader(value) {
205
205
  function robotsBlock(opts) {
206
206
  var v = _validate(opts);
207
207
  var ua = opts.userAgent || "*";
208
- if (typeof ua !== "string" || ua.length === 0 || ua.length > 256) { // allow:raw-byte-literal — UA-string cap, not bytes
208
+ if (typeof ua !== "string" || ua.length === 0 || ua.length > 256) { // UA-string cap, not bytes
209
209
  throw AiPrefError.factory("ai-pref/bad-user-agent",
210
210
  "aiPref.robotsBlock: userAgent must be 1-256 char string (or omit for *)");
211
211
  }
@@ -314,7 +314,7 @@ function refusePaidCrawl(req, res, opts) {
314
314
  res.setHeader("Content-Type", "application/json");
315
315
  res.setHeader("Cache-Control", "no-store");
316
316
  }
317
- res.statusCode = 402; // allow:raw-byte-literal — HTTP 402 Payment Required (RFC 9110)
317
+ res.statusCode = 402; // HTTP 402 Payment Required (RFC 9110)
318
318
  res.end(body);
319
319
  audit.safeEmit({
320
320
  action: "aipref.paid_crawl_refused",
@@ -25,8 +25,8 @@ var archiveRead = lazyRequire(function () { return require("./archive-read"); })
25
25
  var archiveTarRead = lazyRequire(function () { return require("./archive-tar-read"); });
26
26
 
27
27
  // gzip magic — RFC 1952 §2.2 ("ID1=0x1f, ID2=0x8b").
28
- var GZIP_MAGIC_0 = 0x1f; // allow:raw-byte-literal — RFC 1952 §2.2 ID1
29
- var GZIP_MAGIC_1 = 0x8b; // allow:raw-byte-literal — RFC 1952 §2.2 ID2
28
+ var GZIP_MAGIC_0 = 0x1f; // RFC 1952 §2.2 ID1
29
+ var GZIP_MAGIC_1 = 0x8b; // RFC 1952 §2.2 ID2
30
30
 
31
31
  var DEFAULT_MAX_OUTPUT_BYTES = C.BYTES.gib(1);
32
32
  var DEFAULT_MAX_RATIO = 100;
@@ -58,12 +58,12 @@ var archiveAdapters = lazyRequire(function () { return require("./archive-adapte
58
58
  // Aligned with the write-side `lib/archive.js`. APPNOTE.TXT § references
59
59
  // follow each signature so a future spec bump is mechanical.
60
60
 
61
- var SIG_LFH = 0x04034b50; // allow:raw-byte-literal — APPNOTE §4.3.7 LFH magic dword (wire-format-fixed)
62
- var SIG_CFH = 0x02014b50; // allow:raw-byte-literal — APPNOTE §4.3.12 CFH magic dword (wire-format-fixed)
63
- var SIG_EOCD = 0x06054b50; // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD magic dword (wire-format-fixed)
64
- var SIG_EOCD64 = 0x06064b50; // allow:raw-byte-literal — APPNOTE §4.3.14 ZIP64 EOCD magic dword (wire-format-fixed)
65
- var SIG_EOCD64_LOCATOR = 0x07064b50; // allow:raw-byte-literal — APPNOTE §4.3.15 ZIP64 EOCD locator magic dword (wire-format-fixed)
66
- var SIG_DATA_DESCRIPTOR = 0x08074b50; // allow:raw-byte-literal — APPNOTE §4.3.9 data-descriptor magic dword (wire-format-fixed)
61
+ var SIG_LFH = 0x04034b50; // APPNOTE §4.3.7 LFH magic dword (wire-format-fixed)
62
+ var SIG_CFH = 0x02014b50; // APPNOTE §4.3.12 CFH magic dword (wire-format-fixed)
63
+ var SIG_EOCD = 0x06054b50; // APPNOTE §4.3.16 EOCD magic dword (wire-format-fixed)
64
+ var SIG_EOCD64 = 0x06064b50; // APPNOTE §4.3.14 ZIP64 EOCD magic dword (wire-format-fixed)
65
+ var SIG_EOCD64_LOCATOR = 0x07064b50; // APPNOTE §4.3.15 ZIP64 EOCD locator magic dword (wire-format-fixed)
66
+ var SIG_DATA_DESCRIPTOR = 0x08074b50; // APPNOTE §4.3.9 data-descriptor magic dword (wire-format-fixed)
67
67
  void SIG_EOCD64; void SIG_EOCD64_LOCATOR;
68
68
 
69
69
  var METHOD_STORE_ID = 0;
@@ -94,7 +94,7 @@ var MSDOS_EPOCH_YEAR = 1980;
94
94
  // ---- Default zip-bomb / entry caps ---------------------------------------
95
95
 
96
96
  var DEFAULT_BOMB_POLICY = Object.freeze({
97
- maxEntries: 65535, // allow:raw-byte-literal — APPNOTE §4.4.21 16-bit entry-count field's max (ZIP64 deferred)
97
+ maxEntries: 65535, // APPNOTE §4.4.21 16-bit entry-count field's max (ZIP64 deferred)
98
98
  maxEntryDecompressedBytes: C.BYTES.mib(128), // per-entry cap
99
99
  maxTotalDecompressedBytes: C.BYTES.gib(4), // archive-wide cap
100
100
  maxExpansionRatio: 100, // compressed → decompressed ratio cap
@@ -193,10 +193,10 @@ async function _locateEocd(adapter) {
193
193
  eocdOffset: scanOffset + i,
194
194
  diskNumber: tail.readUInt16LE(i + 4),
195
195
  cdDiskNumber: tail.readUInt16LE(i + 6),
196
- entriesOnThisDisk: tail.readUInt16LE(i + 8), // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD field offset
197
- totalEntries: tail.readUInt16LE(i + 10), // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD field offset
198
- cdSize: tail.readUInt32LE(i + 12), // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD field offset
199
- cdOffset: tail.readUInt32LE(i + 16), // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD field offset
196
+ entriesOnThisDisk: tail.readUInt16LE(i + 8), // APPNOTE §4.3.16 EOCD field offset
197
+ totalEntries: tail.readUInt16LE(i + 10), // APPNOTE §4.3.16 EOCD field offset
198
+ cdSize: tail.readUInt32LE(i + 12), // APPNOTE §4.3.16 EOCD field offset
199
+ cdOffset: tail.readUInt32LE(i + 16), // APPNOTE §4.3.16 EOCD field offset
200
200
  commentLength: commentLen,
201
201
  };
202
202
  }
@@ -234,20 +234,20 @@ async function _readCentralDirectory(adapter, eocd) {
234
234
  if (cdBytes.readUInt32LE(pos) !== SIG_CFH) {
235
235
  throw new ArchiveReadError("archive-read/bad-cd-signature",
236
236
  "central directory entry " + n + " has bad signature " +
237
- "0x" + cdBytes.readUInt32LE(pos).toString(16)); // allow:raw-byte-literal — radix=16 for hex parse, not byte count
237
+ "0x" + cdBytes.readUInt32LE(pos).toString(16)); // radix=16 for hex parse, not byte count
238
238
  }
239
- var generalFlags = cdBytes.readUInt16LE(pos + 8); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
240
- var method = cdBytes.readUInt16LE(pos + 10); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
241
- var dosTime = cdBytes.readUInt16LE(pos + 12); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
242
- var dosDate = cdBytes.readUInt16LE(pos + 14); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
243
- var crc32 = cdBytes.readUInt32LE(pos + 16); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
244
- var compressedSize = cdBytes.readUInt32LE(pos + 20); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
245
- var uncompressedSize = cdBytes.readUInt32LE(pos + 24); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
246
- var nameLen = cdBytes.readUInt16LE(pos + 28); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
247
- var extraLen = cdBytes.readUInt16LE(pos + 30); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
248
- var commentLen = cdBytes.readUInt16LE(pos + 32); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
249
- var externalAttrs = cdBytes.readUInt32LE(pos + 38); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
250
- var lfhOffset = cdBytes.readUInt32LE(pos + 42); // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
239
+ var generalFlags = cdBytes.readUInt16LE(pos + 8); // APPNOTE §4.3.12 CFH field offset
240
+ var method = cdBytes.readUInt16LE(pos + 10); // APPNOTE §4.3.12 CFH field offset
241
+ var dosTime = cdBytes.readUInt16LE(pos + 12); // APPNOTE §4.3.12 CFH field offset
242
+ var dosDate = cdBytes.readUInt16LE(pos + 14); // APPNOTE §4.3.12 CFH field offset
243
+ var crc32 = cdBytes.readUInt32LE(pos + 16); // APPNOTE §4.3.12 CFH field offset
244
+ var compressedSize = cdBytes.readUInt32LE(pos + 20); // APPNOTE §4.3.12 CFH field offset
245
+ var uncompressedSize = cdBytes.readUInt32LE(pos + 24); // APPNOTE §4.3.12 CFH field offset
246
+ var nameLen = cdBytes.readUInt16LE(pos + 28); // APPNOTE §4.3.12 CFH field offset
247
+ var extraLen = cdBytes.readUInt16LE(pos + 30); // APPNOTE §4.3.12 CFH field offset
248
+ var commentLen = cdBytes.readUInt16LE(pos + 32); // APPNOTE §4.3.12 CFH field offset
249
+ var externalAttrs = cdBytes.readUInt32LE(pos + 38); // APPNOTE §4.3.12 CFH field offset
250
+ var lfhOffset = cdBytes.readUInt32LE(pos + 42); // APPNOTE §4.3.12 CFH field offset
251
251
  var nameStart = pos + CFH_FIXED_BYTES;
252
252
  var extraStart = nameStart + nameLen;
253
253
  var totalLen = CFH_FIXED_BYTES + nameLen + extraLen + commentLen;
@@ -292,7 +292,7 @@ async function _verifyLfhMatchesCd(adapter, entry) {
292
292
  if (lfhPrefix.readUInt32LE(0) !== SIG_LFH) {
293
293
  throw new ArchiveReadError("archive-read/bad-lfh-signature",
294
294
  "local file header for " + JSON.stringify(entry.name) +
295
- " has bad signature 0x" + lfhPrefix.readUInt32LE(0).toString(16)); // allow:raw-byte-literal — radix=16 for hex parse, not byte count
295
+ " has bad signature 0x" + lfhPrefix.readUInt32LE(0).toString(16)); // radix=16 for hex parse, not byte count
296
296
  }
297
297
  var lfhMethod = lfhPrefix.readUInt16LE(8);
298
298
  var lfhCrc = lfhPrefix.readUInt32LE(14);
@@ -38,10 +38,10 @@ var TF_PAX_GLOBAL = "g";
38
38
  void TF_CHARDEV; void TF_BLOCKDEV; void TF_FIFO; void TF_CONTIGUOUS;
39
39
 
40
40
  var DEFAULT_BOMB_POLICY = Object.freeze({
41
- maxEntries: 65535, // allow:raw-byte-literal — operator-friendly default ceiling
41
+ maxEntries: 65535, // operator-friendly default ceiling
42
42
  maxEntryDecompressedBytes: C.BYTES.mib(128),
43
43
  maxTotalDecompressedBytes: C.BYTES.gib(4),
44
- maxExpansionRatio: 100, // allow:raw-byte-literal — tar has no compression-ratio concept, but keep field for orchestrator policy parity
44
+ maxExpansionRatio: 100, // tar has no compression-ratio concept, but keep field for orchestrator policy parity
45
45
  });
46
46
 
47
47
  var DEFAULT_ENTRY_TYPE_POLICY = Object.freeze({
@@ -89,7 +89,7 @@ var USTAR_VERSION = "00"; // 2 bytes
89
89
  var NAME_MAX = C.BYTES.bytes(100); // ustar name field cap
90
90
  var PREFIX_MAX = C.BYTES.bytes(155); // ustar prefix field cap
91
91
  var LINKNAME_MAX = C.BYTES.bytes(100); // ustar linkname field cap
92
- var USTAR_SIZE_MAX = 0o77777777777; // allow:raw-byte-literal — 11 octal digits = 8 GiB - 1 per ustar size-field width
92
+ var USTAR_SIZE_MAX = 0o77777777777; // 11 octal digits = 8 GiB - 1 per ustar size-field width
93
93
 
94
94
  // Header field byte offsets (POSIX.1-1988 ustar; same in POSIX.1-2001 pax)
95
95
  var H_NAME = C.BYTES.bytes(0);
@@ -146,7 +146,7 @@ function _writeOctal(buf, value, offset, width) {
146
146
  // For width=8, that's 7 octal digits + terminator. For width=12, 11
147
147
  // digits + terminator.
148
148
  var digits = width - 1;
149
- var oct = value.toString(8); // allow:raw-byte-literal — radix=8 for octal stringify per ustar field format
149
+ var oct = value.toString(8); // radix=8 for octal stringify per ustar field format
150
150
  if (oct.length > digits) {
151
151
  throw new TarError("archive-tar/octal-overflow",
152
152
  "value " + value + " (octal " + oct + ") exceeds field width " + digits);
@@ -154,7 +154,7 @@ function _writeOctal(buf, value, offset, width) {
154
154
  // Left-pad with '0' to fill the digits.
155
155
  while (oct.length < digits) oct = "0" + oct;
156
156
  buf.write(oct, offset, digits, "ascii");
157
- buf.writeUInt8(0x20, offset + digits); // allow:raw-byte-literal — ASCII space (' ') terminator per ustar
157
+ buf.writeUInt8(0x20, offset + digits); // ASCII space (' ') terminator per ustar
158
158
  }
159
159
 
160
160
  function _writeString(buf, value, offset, width) {
@@ -175,15 +175,15 @@ function _readOctal(buf, offset, width) {
175
175
  var s = "";
176
176
  for (var i = 0; i < width; i += 1) {
177
177
  var c = buf[offset + i];
178
- if (c === 0x20 || c === 0) break; // allow:raw-byte-literal — ASCII space (0x20) + NUL (0x00) field terminators
179
- if (c < 0x30 || c > 0x37) { // allow:raw-byte-literal — ASCII '0' (0x30) .. '7' (0x37) octal digits
178
+ if (c === 0x20 || c === 0) break; // ASCII space (0x20) + NUL (0x00) field terminators
179
+ if (c < 0x30 || c > 0x37) { // ASCII '0' (0x30) .. '7' (0x37) octal digits
180
180
  throw new TarError("archive-tar/bad-octal",
181
- "non-octal byte 0x" + c.toString(16) + " at offset " + (offset + i)); // allow:raw-byte-literal — radix=16 for diagnostic hex format
181
+ "non-octal byte 0x" + c.toString(16) + " at offset " + (offset + i)); // radix=16 for diagnostic hex format
182
182
  }
183
183
  s += String.fromCharCode(c);
184
184
  }
185
185
  if (s.length === 0) return 0;
186
- return parseInt(s, 8); // allow:raw-byte-literal — radix=8 for octal parse per ustar field format
186
+ return parseInt(s, 8); // radix=8 for octal parse per ustar field format
187
187
  }
188
188
 
189
189
  function _readString(buf, offset, width) {
@@ -203,7 +203,7 @@ function _computeChecksum(buf) {
203
203
  var sum = 0;
204
204
  for (var i = 0; i < BLOCK_SIZE; i += 1) {
205
205
  if (i >= H_CHKSUM && i < H_CHKSUM + W_CHKSUM) {
206
- sum += 0x20; // allow:raw-byte-literal — chksum field treated as 8 spaces per POSIX.1-1988
206
+ sum += 0x20; // chksum field treated as 8 spaces per POSIX.1-1988
207
207
  } else {
208
208
  sum += buf[i];
209
209
  }
@@ -214,16 +214,16 @@ function _computeChecksum(buf) {
214
214
  function _writeChecksum(buf) {
215
215
  // Write 6 octal digits + NUL + space into the chksum field.
216
216
  var sum = _computeChecksum(buf);
217
- var oct = sum.toString(8); // allow:raw-byte-literal — radix=8 for octal stringify per ustar chksum field format
218
- while (oct.length < 6) oct = "0" + oct; // allow:raw-byte-literal — chksum field is 6 octal digits per POSIX ustar
219
- if (oct.length > 6) { // allow:raw-byte-literal — chksum field is 6 octal digits per POSIX ustar
217
+ var oct = sum.toString(8); // radix=8 for octal stringify per ustar chksum field format
218
+ while (oct.length < 6) oct = "0" + oct; // chksum field is 6 octal digits per POSIX ustar
219
+ if (oct.length > 6) { // chksum field is 6 octal digits per POSIX ustar
220
220
  // Header is corrupt / oversized somewhere; surface a typed error.
221
221
  throw new TarError("archive-tar/chksum-overflow",
222
222
  "chksum " + sum + " (" + oct + ") exceeds 6 octal digits");
223
223
  }
224
- buf.write(oct, H_CHKSUM, 6, "ascii"); // allow:raw-byte-literal — chksum field is 6 octal digits per POSIX ustar
225
- buf.writeUInt8(0, H_CHKSUM + 6); // allow:raw-byte-literal — chksum field: 6 digits + NUL + space per POSIX ustar
226
- buf.writeUInt8(0x20, H_CHKSUM + 7); // allow:raw-byte-literal — chksum field: 6 digits + NUL + space per POSIX ustar
224
+ buf.write(oct, H_CHKSUM, 6, "ascii"); // chksum field is 6 octal digits per POSIX ustar
225
+ buf.writeUInt8(0, H_CHKSUM + 6); // chksum field: 6 digits + NUL + space per POSIX ustar
226
+ buf.writeUInt8(0x20, H_CHKSUM + 7); // chksum field: 6 digits + NUL + space per POSIX ustar
227
227
  }
228
228
 
229
229
  function _verifyChecksum(buf) {
@@ -349,11 +349,11 @@ function _buildUstarHeader(entry) {
349
349
  _writeOctal(buf, entry.mtime || 0, H_MTIME, W_MTIME);
350
350
  // chksum field — written as 8 spaces during computation, then
351
351
  // replaced with the computed value below.
352
- buf.fill(0x20, H_CHKSUM, H_CHKSUM + W_CHKSUM); // allow:raw-byte-literal — pre-fill chksum field with spaces per POSIX
352
+ buf.fill(0x20, H_CHKSUM, H_CHKSUM + W_CHKSUM); // pre-fill chksum field with spaces per POSIX
353
353
  buf.write(entry.typeflag || TF_REGULAR, H_TYPEFLAG, 1, "ascii");
354
354
  if (entry.linkname) _writeString(buf, entry.linkname, H_LINKNAME, LINKNAME_MAX);
355
- buf.write(USTAR_MAGIC, H_MAGIC, 6, "ascii"); // allow:raw-byte-literal — ustar magic is 6 bytes per POSIX
356
- buf.write(USTAR_VERSION, H_VERSION, 2, "ascii"); // allow:raw-byte-literal — ustar version is 2 bytes per POSIX
355
+ buf.write(USTAR_MAGIC, H_MAGIC, 6, "ascii"); // ustar magic is 6 bytes per POSIX
356
+ buf.write(USTAR_VERSION, H_VERSION, 2, "ascii"); // ustar version is 2 bytes per POSIX
357
357
  if (entry.uname) _writeString(buf, entry.uname, H_UNAME, W_UNAME);
358
358
  if (entry.gname) _writeString(buf, entry.gname, H_GNAME, W_GNAME);
359
359
  if (prefix) _writeString(buf, prefix, H_PREFIX, PREFIX_MAX);
@@ -444,7 +444,7 @@ function tarBuilder() {
444
444
  }
445
445
  var pieces = [];
446
446
  if (paxRecords.length > 0) {
447
- pieces.push(_buildPaxExtendedHeader(paxRecords, "PaxHeader/" + entry.name.slice(0, 80))); // allow:raw-byte-literal — pax header name fits in ustar 100-char field with 20-char prefix budget
447
+ pieces.push(_buildPaxExtendedHeader(paxRecords, "PaxHeader/" + entry.name.slice(0, 80))); // pax header name fits in ustar 100-char field with 20-char prefix budget
448
448
  }
449
449
  var hdr = _buildUstarHeader({
450
450
  name: entry.name,
@@ -471,7 +471,7 @@ function tarBuilder() {
471
471
  pieces.push(_entryBytes(entries[i]));
472
472
  }
473
473
  // Two zero blocks terminate the archive (POSIX requirement).
474
- pieces.push(Buffer.alloc(BLOCK_SIZE * 2)); // allow:raw-byte-literal — POSIX requires 2 trailing zero blocks
474
+ pieces.push(Buffer.alloc(BLOCK_SIZE * 2)); // POSIX requires 2 trailing zero blocks
475
475
  return Buffer.concat(pieces);
476
476
  }
477
477
 
@@ -483,7 +483,7 @@ function tarBuilder() {
483
483
  for (var i = 0; i < entries.length; i += 1) {
484
484
  await adapter.write(_entryBytes(entries[i]));
485
485
  }
486
- await adapter.write(Buffer.alloc(BLOCK_SIZE * 2)); // allow:raw-byte-literal — 2 trailing zero blocks
486
+ await adapter.write(Buffer.alloc(BLOCK_SIZE * 2)); // 2 trailing zero blocks
487
487
  if (typeof adapter.end === "function") await adapter.end();
488
488
  }
489
489
 
@@ -36,14 +36,14 @@ var agentTenant = lazyRequire(function () { return require("./agent-tenant"); })
36
36
  // recognises. Distinct from b.crypto.encrypt's base64 envelope so
37
37
  // archive-wrap output can carry an unambiguous "this is an archive
38
38
  // wrap envelope" magic before the operator-controlled payload.
39
- var ARCH_WRAP_MAGIC = "BAWRP"; // allow:raw-byte-literal — 5-byte ASCII archive-wrap recipient envelope magic
40
- var ARCH_WRAP_VERSION = 0x01; // allow:raw-byte-literal — recipient version byte (hybrid-KEM envelope)
39
+ var ARCH_WRAP_MAGIC = "BAWRP"; // 5-byte ASCII archive-wrap recipient envelope magic
40
+ var ARCH_WRAP_VERSION = 0x01; // recipient version byte (hybrid-KEM envelope)
41
41
  // Tenant strategy uses the same BAWRP magic with a distinct version
42
42
  // byte: the body is a symmetric XChaCha20-Poly1305 packed ciphertext
43
43
  // (b.crypto.encryptPacked) keyed by the tenant's vault-derived key,
44
44
  // not a hybrid-KEM envelope. unwrap dispatches on the version byte so
45
45
  // a tenant envelope is never fed to the KEM decrypt path.
46
- var ARCH_WRAP_VERSION_TENANT = 0x02; // allow:raw-byte-literal — tenant symmetric-seal version byte
46
+ var ARCH_WRAP_VERSION_TENANT = 0x02; // tenant symmetric-seal version byte
47
47
  // Purpose label for the per-tenant key derivation (domain-separates
48
48
  // the archive-wrap key from a tenant's seal / audit / session keys).
49
49
  var TENANT_KEY_PURPOSE = "archive-wrap";
@@ -53,8 +53,8 @@ var ARCH_WRAP_HEADER_BYTES = C.BYTES.bytes(6);
53
53
  // from backup-crypto encryptWithPassphrase). The salt-prefix shape
54
54
  // lets the framework rotate KDF parameters in future minors without
55
55
  // per-envelope version bumps (each envelope carries its own salt).
56
- var ARCH_PASSPHRASE_MAGIC = "BAWPP"; // allow:raw-byte-literal — 5-byte passphrase-wrap envelope magic
57
- var ARCH_PASSPHRASE_VERSION = 0x01; // allow:raw-byte-literal — passphrase version byte
56
+ var ARCH_PASSPHRASE_MAGIC = "BAWPP"; // 5-byte passphrase-wrap envelope magic
57
+ var ARCH_PASSPHRASE_VERSION = 0x01; // passphrase version byte
58
58
  var ARCH_PASSPHRASE_HEADER_BYTES = C.BYTES.bytes(7); // magic(5) + version(1) + saltLen(1)
59
59
 
60
60
  /**
@@ -418,7 +418,7 @@ async function wrapWithPassphrase(bytes, opts) {
418
418
  // so NaN / Infinity can't slip past the entropy gate.
419
419
  var minEntropy;
420
420
  if (opts.minEntropyBits === undefined || opts.minEntropyBits === null) {
421
- minEntropy = 80; // allow:raw-byte-literal — entropy-bits default, not byte count
421
+ minEntropy = 80; // entropy-bits default, not byte count
422
422
  } else if (Number.isFinite(opts.minEntropyBits) && opts.minEntropyBits >= 0) {
423
423
  minEntropy = Math.floor(opts.minEntropyBits);
424
424
  } else {
@@ -550,10 +550,10 @@ function _estimatePassphraseEntropyBits(passphrase) {
550
550
  else hasSpecial = true;
551
551
  }
552
552
  var alphabet = 0;
553
- if (hasLower) alphabet += 26; // allow:raw-byte-literal — alphabet-size term, not byte count
554
- if (hasUpper) alphabet += 26; // allow:raw-byte-literal — alphabet-size term, not byte count
555
- if (hasDigit) alphabet += 10; // allow:raw-byte-literal — alphabet-size term, not byte count
556
- if (hasSpecial) alphabet += 32; // allow:raw-byte-literal — alphabet-size term, not byte count
553
+ if (hasLower) alphabet += 26; // alphabet-size term, not byte count
554
+ if (hasUpper) alphabet += 26; // alphabet-size term, not byte count
555
+ if (hasDigit) alphabet += 10; // alphabet-size term, not byte count
556
+ if (hasSpecial) alphabet += 32; // alphabet-size term, not byte count
557
557
  if (alphabet === 0) return 0;
558
558
  return Math.floor(s.length * Math.log2(alphabet));
559
559
  }
@@ -27,7 +27,7 @@ var C = require("./constants");
27
27
  var ARGON2ID = "argon2id";
28
28
 
29
29
  // Argon2 v1.3 — the only version current implementations emit.
30
- var ARGON2_VERSION = 0x13; // allow:raw-byte-literal — argon2 algorithm version
30
+ var ARGON2_VERSION = 0x13; // argon2 algorithm version
31
31
 
32
32
  var DEFAULT_HASH_LENGTH = C.BYTES.bytes(32);
33
33
  var DEFAULT_SALT_LENGTH = C.BYTES.bytes(16);
@@ -31,10 +31,10 @@ var Asn1Error = defineClass("Asn1Error", { alwaysPermanent: true });
31
31
 
32
32
  // ASN.1 tag classes per ITU-T X.690 §8.1.2.
33
33
  var TAG_CLASS = Object.freeze({
34
- UNIVERSAL: 0, // allow:raw-byte-literal — ASN.1 tag class
35
- APPLICATION: 1, // allow:raw-byte-literal — ASN.1 tag class
36
- CONTEXT_SPECIFIC: 2, // allow:raw-byte-literal — ASN.1 tag class
37
- PRIVATE: 3, // allow:raw-byte-literal — ASN.1 tag class
34
+ UNIVERSAL: 0, // ASN.1 tag class
35
+ APPLICATION: 1, // ASN.1 tag class
36
+ CONTEXT_SPECIFIC: 2, // ASN.1 tag class
37
+ PRIVATE: 3, // ASN.1 tag class
38
38
  });
39
39
 
40
40
  // Universal tag numbers used by the framework.
@@ -70,9 +70,9 @@ function readNode(buf, offset) {
70
70
  }
71
71
 
72
72
  var b0 = buf[offset];
73
- var tagClass = (b0 >> 6) & 0x03; // allow:raw-byte-literal — tag-class extraction
74
- var constructed = (b0 & 0x20) !== 0; // allow:raw-byte-literal — constructed bit
75
- var tag = b0 & 0x1f; // allow:raw-byte-literal — short-form tag
73
+ var tagClass = (b0 >> 6) & 0x03; // tag-class extraction
74
+ var constructed = (b0 & 0x20) !== 0; // constructed bit
75
+ var tag = b0 & 0x1f; // short-form tag
76
76
 
77
77
  var headerLen = 1;
78
78
  if (tag === 0x1f) {
@@ -85,8 +85,8 @@ function readNode(buf, offset) {
85
85
  }
86
86
  var byte = buf[offset + headerLen];
87
87
  headerLen += 1;
88
- tag = (tag << 7) | (byte & 0x7f); // allow:raw-byte-literal — base-128 tag bits
89
- if ((byte & 0x80) === 0) break; // allow:raw-byte-literal — continuation bit
88
+ tag = (tag << 7) | (byte & 0x7f); // base-128 tag bits
89
+ if ((byte & 0x80) === 0) break; // continuation bit
90
90
  }
91
91
  }
92
92
 
@@ -107,7 +107,7 @@ function readNode(buf, offset) {
107
107
  throw new Asn1Error("asn1/indefinite-length",
108
108
  "indefinite-length form is not allowed in DER");
109
109
  }
110
- if (lenOctets > 4) { // allow:raw-byte-literal — DER length cap (>4 GiB)
110
+ if (lenOctets > 4) { // DER length cap (>4 GiB)
111
111
  throw new Asn1Error("asn1/bad-length",
112
112
  "length octets " + lenOctets + " exceeds 4 — refusing >4 GiB structure");
113
113
  }
@@ -116,7 +116,7 @@ function readNode(buf, offset) {
116
116
  }
117
117
  length = 0;
118
118
  for (var i = 0; i < lenOctets; i += 1) {
119
- length = (length * 256) + buf[offset + headerLen + i]; // allow:raw-byte-literal — base-256 length bytes
119
+ length = (length * 256) + buf[offset + headerLen + i]; // base-256 length bytes
120
120
  }
121
121
  headerLen += lenOctets;
122
122
  }
@@ -162,10 +162,10 @@ function readOid(node) {
162
162
  throw new Asn1Error("asn1/oid-empty", "OID value is empty");
163
163
  }
164
164
  // First two arcs are encoded as `40*X + Y`.
165
- var first = Math.floor(bytes[0] / 40); // allow:raw-byte-literal — OID encoding constant
166
- var second = bytes[0] % 40; // allow:raw-byte-literal — OID encoding constant
165
+ var first = Math.floor(bytes[0] / 40); // OID encoding constant
166
+ var second = bytes[0] % 40; // OID encoding constant
167
167
  // Per X.690, when first byte >= 80 the first arc is 2 and second is byte-80.
168
- if (first > 2) { first = 2; second = bytes[0] - 80; } // allow:raw-byte-literal — OID encoding constant
168
+ if (first > 2) { first = 2; second = bytes[0] - 80; } // OID encoding constant
169
169
  var arcs = [String(first), String(second)];
170
170
 
171
171
  var i = 1;
@@ -174,9 +174,9 @@ function readOid(node) {
174
174
  var j = i;
175
175
  while (j < bytes.length) {
176
176
  var b = bytes[j];
177
- arc = (arc * 128) + (b & 0x7f); // allow:raw-byte-literal — base-128 OID arc
177
+ arc = (arc * 128) + (b & 0x7f); // base-128 OID arc
178
178
  j += 1;
179
- if ((b & 0x80) === 0) break; // allow:raw-byte-literal — continuation bit
179
+ if ((b & 0x80) === 0) break; // continuation bit
180
180
  }
181
181
  if (j === i) {
182
182
  throw new Asn1Error("asn1/oid-malformed", "OID arc never terminated");
@@ -207,15 +207,15 @@ function readUnsignedInt(node) {
207
207
  if (bytes.length === 0) {
208
208
  throw new Asn1Error("asn1/int-empty", "INTEGER value is empty");
209
209
  }
210
- if (bytes.length > 8) { // allow:raw-byte-literal — JS safe-int byte cap
210
+ if (bytes.length > 8) { // JS safe-int byte cap
211
211
  // Caller wanted an unsigned int — for big serials they want the raw
212
212
  // bytes instead. Surface as hex string so caller decides.
213
213
  return { hex: bytes.toString("hex") };
214
214
  }
215
215
  var n = 0;
216
- var start = (bytes[0] === 0 && bytes.length > 1) ? 1 : 0; // allow:raw-byte-literal — DER zero-pad
216
+ var start = (bytes[0] === 0 && bytes.length > 1) ? 1 : 0; // DER zero-pad
217
217
  for (var k = start; k < bytes.length; k += 1) {
218
- n = (n * 256) + bytes[k]; // allow:raw-byte-literal — base-256 byte
218
+ n = (n * 256) + bytes[k]; // base-256 byte
219
219
  }
220
220
  return n;
221
221
  }
@@ -259,13 +259,13 @@ function unwrapExplicit(node, expectedTag) {
259
259
  // All length fields use the standard X.690 short / long-form encoding.
260
260
 
261
261
  function _encodeLength(n) {
262
- if (n < 128) return Buffer.from([n]); // allow:raw-byte-literal — X.690 short-form length boundary
262
+ if (n < 128) return Buffer.from([n]); // X.690 short-form length boundary
263
263
  // Long-form: first byte is 0x80 | numLengthOctets, then the length
264
264
  // big-endian.
265
265
  var bytes = [];
266
266
  while (n > 0) {
267
- bytes.unshift(n & 0xff); // allow:raw-byte-literal — base-256 length encoding mask
268
- n = n >>> 8; // allow:raw-byte-literal — base-256 length encoding shift
267
+ bytes.unshift(n & 0xff); // base-256 length encoding mask
268
+ n = n >>> 8; // base-256 length encoding shift
269
269
  }
270
270
  return Buffer.concat([Buffer.from([0x80 | bytes.length]), Buffer.from(bytes)]);
271
271
  }
@@ -276,7 +276,7 @@ function writeNode(tagByte, value) {
276
276
 
277
277
  function writeSequence(children) {
278
278
  // children: Array<Buffer> of already-encoded child nodes.
279
- return writeNode(TAG.SEQUENCE | 0x20, Buffer.concat(children)); // allow:raw-byte-literal — DER constructed bit
279
+ return writeNode(TAG.SEQUENCE | 0x20, Buffer.concat(children)); // DER constructed bit
280
280
  }
281
281
 
282
282
  function writeOctetString(value) {
@@ -292,7 +292,7 @@ function writeInteger(buf) {
292
292
  // and the value is positive (cert serials always are here), prepend
293
293
  // 0x00 to disambiguate from a negative two's complement.
294
294
  if (buf.length === 0) return writeNode(TAG.INTEGER, Buffer.from([0]));
295
- if (buf[0] & 0x80) { // allow:raw-byte-literal — sign-bit disambiguation
295
+ if (buf[0] & 0x80) { // sign-bit disambiguation
296
296
  return writeNode(TAG.INTEGER, Buffer.concat([Buffer.from([0]), buf]));
297
297
  }
298
298
  return writeNode(TAG.INTEGER, buf);
@@ -304,16 +304,16 @@ function writeOid(dotted) {
304
304
  if (parts.length < 2) {
305
305
  throw new Asn1Error("asn1/oid-too-short", "OID needs at least 2 arcs");
306
306
  }
307
- var bytes = [parts[0] * 40 + parts[1]]; // allow:raw-byte-literal — OID first-arc encoding
307
+ var bytes = [parts[0] * 40 + parts[1]]; // OID first-arc encoding
308
308
  for (var i = 2; i < parts.length; i += 1) {
309
309
  var arc = parts[i];
310
310
  if (arc === 0) { bytes.push(0); continue; }
311
311
  var stack = [];
312
312
  while (arc > 0) {
313
- stack.unshift(arc & 0x7f); // allow:raw-byte-literal — base-128 mask
314
- arc = arc >>> 7; // allow:raw-byte-literal — base-128 shift
313
+ stack.unshift(arc & 0x7f); // base-128 mask
314
+ arc = arc >>> 7; // base-128 shift
315
315
  }
316
- for (var j = 0; j < stack.length - 1; j += 1) stack[j] |= 0x80; // allow:raw-byte-literal — continuation bit
316
+ for (var j = 0; j < stack.length - 1; j += 1) stack[j] |= 0x80; // continuation bit
317
317
  for (var k = 0; k < stack.length; k += 1) bytes.push(stack[k]);
318
318
  }
319
319
  return writeNode(TAG.OID, Buffer.from(bytes));
@@ -321,7 +321,14 @@ function writeOid(dotted) {
321
321
 
322
322
  function writeContextExplicit(tagNumber, child) {
323
323
  // [N] EXPLICIT — context-specific class (0xA0 | tag) + constructed.
324
- var tagByte = 0xa0 | (tagNumber & 0x1f); // allow:raw-byte-literal context-specific constructed mask
324
+ // Tag numbers > 30 need the multi-byte high-tag-number form, which this
325
+ // single-byte encoder does not emit — refuse rather than silently
326
+ // truncate via `& 0x1f`.
327
+ if (tagNumber < 0 || tagNumber > 30) {
328
+ throw new RangeError("asn1: context tag number " + tagNumber +
329
+ " out of range (0..30); high-tag-number form is not supported");
330
+ }
331
+ var tagByte = 0xa0 | (tagNumber & 0x1f); // context-specific constructed mask
325
332
  return writeNode(tagByte, child);
326
333
  }
327
334
 
@@ -331,8 +338,12 @@ function writeContextImplicit(tagNumber, value, opts) {
331
338
  // wrapping a structured value (e.g. IMPLICIT [0] OCTET STRING vs
332
339
  // IMPLICIT [0] SEQUENCE OF). Value is the raw inner bytes (already
333
340
  // encoded for constructed cases).
334
- var tagByte = 0x80 | (tagNumber & 0x1f); // allow:raw-byte-literal — context-specific primitive mask
335
- if (opts && opts.constructed) tagByte |= 0x20; // allow:raw-byte-literal — constructed bit
341
+ if (tagNumber < 0 || tagNumber > 30) {
342
+ throw new RangeError("asn1: context tag number " + tagNumber +
343
+ " out of range (0..30); high-tag-number form is not supported");
344
+ }
345
+ var tagByte = 0x80 | (tagNumber & 0x1f); // context-specific primitive mask
346
+ if (opts && opts.constructed) tagByte |= 0x20; // constructed bit
336
347
  return writeNode(tagByte, value);
337
348
  }
338
349
 
@@ -340,7 +351,7 @@ function writeBitString(value, unusedBits) {
340
351
  // BIT STRING — first content byte is `unusedBits` (0..7), then the
341
352
  // bit string bytes. `unusedBits` is 0 for byte-aligned content
342
353
  // (RSA / ECDSA signatures, SubjectPublicKeyInfo bit strings).
343
- var unused = typeof unusedBits === "number" ? (unusedBits & 0x07) : 0; // allow:raw-byte-literal — 3-bit unused-bits count
354
+ var unused = typeof unusedBits === "number" ? (unusedBits & 0x07) : 0; // 3-bit unused-bits count
344
355
  return writeNode(TAG.BIT_STRING, Buffer.concat([Buffer.from([unused]), value]));
345
356
  }
346
357
 
@@ -348,7 +359,7 @@ function writeSet(children) {
348
359
  // children: Array<Buffer> of already-encoded child nodes.
349
360
  // DER requires SET-OF children to be sorted by their encoded bytes.
350
361
  var sorted = children.slice().sort(Buffer.compare);
351
- return writeNode(TAG.SET | 0x20, Buffer.concat(sorted)); // allow:raw-byte-literal — DER constructed bit
362
+ return writeNode(TAG.SET | 0x20, Buffer.concat(sorted)); // DER constructed bit
352
363
  }
353
364
 
354
365
  function writeUtf8String(s) {
@@ -383,7 +394,7 @@ function writeIa5String(s) {
383
394
  }
384
395
 
385
396
  function writeBoolean(b) {
386
- return writeNode(TAG.BOOLEAN, Buffer.from([b ? 0xff : 0x00])); // allow:raw-byte-literal — DER true=0xff, false=0x00
397
+ return writeNode(TAG.BOOLEAN, Buffer.from([b ? 0xff : 0x00])); // DER true=0xff, false=0x00
387
398
  }
388
399
 
389
400
  // Find a child node of a SEQUENCE / SET by predicate. Returns null if
@@ -328,7 +328,7 @@ function conflictPath(originalPath, opts) {
328
328
  }
329
329
  opts = opts || {};
330
330
  var tag = typeof opts.tag === "string" && opts.tag.length > 0 ? opts.tag : "conflict";
331
- if (typeof tag !== "string" || tag.length === 0 || tag.length > 64) { // allow:raw-byte-literal — tag length cap, not bytes
331
+ if (typeof tag !== "string" || tag.length === 0 || tag.length > 64) { // tag length cap, not bytes
332
332
  throw new TypeError("b.atomicFile.conflictPath: tag must be a 1-64 char string");
333
333
  }
334
334
  if (!IDENT_RE.test(tag)) { // allow:regex-no-length-cap — length-bounded immediately above
@@ -338,7 +338,7 @@ function conflictPath(originalPath, opts) {
338
338
  var suffix = "";
339
339
  if (opts.suffix !== undefined) {
340
340
  if (typeof opts.suffix !== "string" || opts.suffix.length === 0 ||
341
- opts.suffix.length > 64) { // allow:raw-byte-literal — suffix length cap, not bytes
341
+ opts.suffix.length > 64) { // suffix length cap, not bytes
342
342
  throw new TypeError("b.atomicFile.conflictPath: suffix must be a 1-64 char string");
343
343
  }
344
344
  if (!IDENT_RE.test(opts.suffix)) { // allow:regex-no-length-cap — length-bounded immediately above
@@ -181,7 +181,7 @@ function create(opts) {
181
181
 
182
182
  // lookbackHours — default 24 per PCI DSS 4.0 daily cadence. Caller can
183
183
  // pass weekly / monthly via larger numbers.
184
- var lookbackHours = 24; // allow:raw-byte-literal — lookback in HOURS, not bytes
184
+ var lookbackHours = 24; // lookback in HOURS, not bytes
185
185
  if (opts.lookbackHours !== undefined) {
186
186
  if (typeof opts.lookbackHours !== "number" || !isFinite(opts.lookbackHours) ||
187
187
  opts.lookbackHours <= 0) {
@@ -206,8 +206,8 @@ function create(opts) {
206
206
  }
207
207
 
208
208
  var cron = opts.cron || "0 6 * * *"; // 06:00 UTC daily
209
- var queryLimit = opts.queryLimit || 10000; // allow:raw-byte-literal — operator-tunable result cap, count not bytes
210
- var historyLimit = opts.historyLimit || 30; // allow:raw-byte-literal — bounded history buffer (count, not bytes)
209
+ var queryLimit = opts.queryLimit || 10000; // operator-tunable result cap, count not bytes
210
+ var historyLimit = opts.historyLimit || 30; // bounded history buffer (count, not bytes)
211
211
  var classify = typeof opts.classify === "function" ? opts.classify : _defaultClassify;
212
212
  var now = typeof opts.now === "function" ? opts.now : Date.now;
213
213
  var auditMod = opts.audit;