@blamejs/blamejs-shop 0.3.5 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (353) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +3 -3
  4. package/lib/vendor/blamejs/CHANGELOG.md +14 -0
  5. package/lib/vendor/blamejs/api-snapshot.json +2 -2
  6. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
  7. package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
  8. package/lib/vendor/blamejs/lib/a2a.js +4 -4
  9. package/lib/vendor/blamejs/lib/acme.js +3 -3
  10. package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
  11. package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
  12. package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
  13. package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
  14. package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
  15. package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
  16. package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
  17. package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
  18. package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
  19. package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
  20. package/lib/vendor/blamejs/lib/ai-input.js +4 -4
  21. package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
  22. package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
  23. package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
  24. package/lib/vendor/blamejs/lib/archive-read.js +25 -25
  25. package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
  26. package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
  27. package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
  28. package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
  29. package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
  30. package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
  31. package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
  32. package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
  33. package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
  34. package/lib/vendor/blamejs/lib/audit.js +2 -2
  35. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
  36. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
  37. package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
  38. package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
  39. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
  40. package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
  41. package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
  42. package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
  43. package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
  44. package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
  45. package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
  46. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  47. package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
  48. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  49. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
  50. package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
  51. package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
  52. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
  53. package/lib/vendor/blamejs/lib/backup/index.js +7 -7
  54. package/lib/vendor/blamejs/lib/base32.js +8 -8
  55. package/lib/vendor/blamejs/lib/budr.js +2 -2
  56. package/lib/vendor/blamejs/lib/cache-status.js +2 -2
  57. package/lib/vendor/blamejs/lib/calendar.js +29 -29
  58. package/lib/vendor/blamejs/lib/cbor.js +12 -12
  59. package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
  60. package/lib/vendor/blamejs/lib/cert.js +5 -5
  61. package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
  62. package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
  63. package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
  64. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
  65. package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
  66. package/lib/vendor/blamejs/lib/compliance.js +29 -29
  67. package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
  68. package/lib/vendor/blamejs/lib/cookies.js +1 -1
  69. package/lib/vendor/blamejs/lib/cose.js +13 -13
  70. package/lib/vendor/blamejs/lib/cra-report.js +1 -1
  71. package/lib/vendor/blamejs/lib/crdt.js +1 -1
  72. package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
  73. package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
  74. package/lib/vendor/blamejs/lib/crypto.js +6 -6
  75. package/lib/vendor/blamejs/lib/csp.js +2 -2
  76. package/lib/vendor/blamejs/lib/cwt.js +4 -4
  77. package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
  78. package/lib/vendor/blamejs/lib/data-act.js +2 -2
  79. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
  80. package/lib/vendor/blamejs/lib/db-query.js +1 -1
  81. package/lib/vendor/blamejs/lib/db.js +6 -6
  82. package/lib/vendor/blamejs/lib/dbsc.js +13 -13
  83. package/lib/vendor/blamejs/lib/did.js +17 -17
  84. package/lib/vendor/blamejs/lib/dora.js +4 -4
  85. package/lib/vendor/blamejs/lib/dsr.js +1 -1
  86. package/lib/vendor/blamejs/lib/early-hints.js +2 -2
  87. package/lib/vendor/blamejs/lib/eat.js +4 -4
  88. package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
  89. package/lib/vendor/blamejs/lib/external-db.js +1 -1
  90. package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
  91. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
  92. package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
  93. package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
  94. package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
  95. package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
  96. package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
  97. package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
  98. package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
  99. package/lib/vendor/blamejs/lib/guard-email.js +19 -19
  100. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
  101. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
  102. package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
  103. package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
  104. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
  105. package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
  106. package/lib/vendor/blamejs/lib/guard-html.js +7 -7
  107. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
  108. package/lib/vendor/blamejs/lib/guard-image.js +4 -4
  109. package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
  110. package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
  111. package/lib/vendor/blamejs/lib/guard-json.js +12 -12
  112. package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
  113. package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
  114. package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
  115. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
  116. package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
  117. package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
  118. package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
  119. package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
  120. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
  121. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
  122. package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
  123. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
  124. package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
  125. package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
  126. package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
  127. package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
  128. package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
  129. package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
  130. package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
  131. package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
  132. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
  133. package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
  134. package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
  135. package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
  136. package/lib/vendor/blamejs/lib/guard-time.js +15 -15
  137. package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
  138. package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
  139. package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
  140. package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
  141. package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
  142. package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
  143. package/lib/vendor/blamejs/lib/http-client.js +13 -10
  144. package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
  145. package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
  146. package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
  147. package/lib/vendor/blamejs/lib/inbox.js +4 -4
  148. package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
  149. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
  150. package/lib/vendor/blamejs/lib/json-path.js +3 -3
  151. package/lib/vendor/blamejs/lib/json-schema.js +1 -1
  152. package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
  153. package/lib/vendor/blamejs/lib/jtd.js +2 -2
  154. package/lib/vendor/blamejs/lib/link-header.js +1 -1
  155. package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
  156. package/lib/vendor/blamejs/lib/log.js +8 -3
  157. package/lib/vendor/blamejs/lib/lro.js +4 -4
  158. package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
  159. package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
  160. package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
  161. package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
  162. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
  163. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
  164. package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
  165. package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
  166. package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
  167. package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
  168. package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
  169. package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
  170. package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
  171. package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
  172. package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
  173. package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
  174. package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
  175. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
  176. package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
  177. package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
  178. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
  179. package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
  180. package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
  181. package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
  182. package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
  183. package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
  184. package/lib/vendor/blamejs/lib/mail-store.js +8 -8
  185. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
  186. package/lib/vendor/blamejs/lib/mail.js +4 -4
  187. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
  188. package/lib/vendor/blamejs/lib/mcp.js +15 -15
  189. package/lib/vendor/blamejs/lib/mdoc.js +2 -2
  190. package/lib/vendor/blamejs/lib/metrics.js +8 -8
  191. package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
  192. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
  193. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
  194. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
  195. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
  196. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
  197. package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
  198. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
  199. package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
  200. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
  201. package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
  202. package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
  203. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
  204. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
  205. package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
  206. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
  207. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
  208. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
  209. package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
  210. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
  211. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
  212. package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
  213. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
  214. package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
  215. package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
  216. package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
  217. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
  218. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
  219. package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
  220. package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
  221. package/lib/vendor/blamejs/lib/network-dns.js +29 -29
  222. package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
  223. package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
  224. package/lib/vendor/blamejs/lib/network-tls.js +100 -98
  225. package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
  226. package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
  227. package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
  228. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
  229. package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
  230. package/lib/vendor/blamejs/lib/observability.js +8 -8
  231. package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
  232. package/lib/vendor/blamejs/lib/openapi.js +1 -1
  233. package/lib/vendor/blamejs/lib/outbox.js +6 -6
  234. package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
  235. package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
  236. package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
  237. package/lib/vendor/blamejs/lib/problem-details.js +5 -5
  238. package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
  239. package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
  240. package/lib/vendor/blamejs/lib/queue.js +4 -2
  241. package/lib/vendor/blamejs/lib/redact.js +2 -2
  242. package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
  243. package/lib/vendor/blamejs/lib/router.js +10 -10
  244. package/lib/vendor/blamejs/lib/safe-async.js +2 -2
  245. package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
  246. package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
  247. package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
  248. package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
  249. package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
  250. package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
  251. package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
  252. package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
  253. package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
  254. package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
  255. package/lib/vendor/blamejs/lib/safe-url.js +1 -1
  256. package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
  257. package/lib/vendor/blamejs/lib/sandbox.js +5 -5
  258. package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
  259. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
  260. package/lib/vendor/blamejs/lib/self-update.js +3 -3
  261. package/lib/vendor/blamejs/lib/server-timing.js +3 -3
  262. package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
  263. package/lib/vendor/blamejs/lib/session.js +8 -8
  264. package/lib/vendor/blamejs/lib/sse.js +12 -5
  265. package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
  266. package/lib/vendor/blamejs/lib/storage.js +2 -2
  267. package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
  268. package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
  269. package/lib/vendor/blamejs/lib/subject.js +1 -1
  270. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
  271. package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
  272. package/lib/vendor/blamejs/lib/test-harness.js +1 -1
  273. package/lib/vendor/blamejs/lib/tracing.js +1 -1
  274. package/lib/vendor/blamejs/lib/tsa.js +5 -5
  275. package/lib/vendor/blamejs/lib/uri-template.js +5 -5
  276. package/lib/vendor/blamejs/lib/vault/index.js +2 -2
  277. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
  278. package/lib/vendor/blamejs/lib/vc.js +2 -2
  279. package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
  280. package/lib/vendor/blamejs/lib/watcher.js +4 -4
  281. package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
  282. package/lib/vendor/blamejs/lib/webhook.js +2 -2
  283. package/lib/vendor/blamejs/lib/websocket.js +5 -5
  284. package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
  285. package/lib/vendor/blamejs/lib/ws-client.js +24 -24
  286. package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
  287. package/lib/vendor/blamejs/package.json +1 -1
  288. package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
  289. package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
  290. package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
  291. package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
  292. package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
  293. package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
  294. package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
  295. package/lib/vendor/blamejs/test/00-primitives.js +15 -0
  296. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
  297. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
  298. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
  299. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
  300. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
  301. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
  302. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
  303. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
  304. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
  305. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
  306. package/package.json +1 -1
  307. package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
  308. package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
  309. package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
  310. package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
  311. package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
  312. package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
  313. package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
  314. package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
  315. package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
  316. package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
  317. package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
  318. package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
  319. package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
  320. package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
  321. package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
  322. package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
  323. package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
  324. package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
  325. package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
  326. package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
  327. package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
  328. package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
  329. package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
  330. package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
  331. package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
  332. package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
  333. package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
  334. package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
  335. package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
  336. package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
  337. package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
  338. package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
  339. package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
  340. package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
  341. package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
  342. package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
  343. package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
  344. package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
  345. package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
  346. package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
  347. package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
  348. package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
  349. package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
  350. package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
  351. package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
  352. package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
  353. package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
@@ -592,10 +592,14 @@ function create(opts) {
592
592
  var nameId = _textContent(nameIdEl);
593
593
  var nameIdFormat = _attr(nameIdEl, "Format");
594
594
 
595
- var nowSec = Math.floor((vopts.now || Date.now()) / 1000); // allow:raw-byte-literal — ms→s
595
+ var nowSec = Math.floor((vopts.now || Date.now()) / 1000); // ms→s
596
596
  var confirmations = _findAllChildren(subject, "SubjectConfirmation", SAML_NS.assertion);
597
597
  var bearerOk = false;
598
598
  var hokOk = false;
599
+ // InResponseTo of the SubjectConfirmation that actually passed bearer
600
+ // validation — captured so the returned value can't be sourced from a
601
+ // different (non-validated) confirmation when several are present.
602
+ var matchedInResponseTo = null;
599
603
  var hokFingerprint = null;
600
604
  // Holder-of-Key SubjectConfirmation per SAML 2.0 Profile §3.1
601
605
  // (urn:oasis:names:tc:SAML:2.0:cm:holder-of-key). The IdP binds
@@ -680,10 +684,10 @@ function create(opts) {
680
684
  // as Bearer (Profile §3.1 incorporates §3 by reference).
681
685
  var nbHok = _attr(scdHok, "NotBefore");
682
686
  var noaHok = _attr(scdHok, "NotOnOrAfter");
683
- if (nbHok && isFinite(Date.parse(nbHok) / 1000) && // allow:raw-byte-literal — ms→s
684
- Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue; // allow:raw-byte-literal — ms→s
685
- if (noaHok && isFinite(Date.parse(noaHok) / 1000) && // allow:raw-byte-literal — ms→s
686
- Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue; // allow:raw-byte-literal — ms→s
687
+ if (nbHok && isFinite(Date.parse(nbHok) / 1000) && // ms→s
688
+ Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue; // ms→s
689
+ if (noaHok && isFinite(Date.parse(noaHok) / 1000) && // ms→s
690
+ Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue; // ms→s
687
691
  var recipHok = _attr(scdHok, "Recipient");
688
692
  if (recipHok && recipHok !== opts.assertionConsumerServiceUrl) continue;
689
693
  hokOk = true;
@@ -694,14 +698,14 @@ function create(opts) {
694
698
  if (!scd) continue;
695
699
  var notOnOrAfter = _attr(scd, "NotOnOrAfter");
696
700
  if (notOnOrAfter) {
697
- var t = Date.parse(notOnOrAfter) / 1000; // allow:raw-byte-literal — ms→s
701
+ var t = Date.parse(notOnOrAfter) / 1000; // ms→s
698
702
  if (!isFinite(t) || t < nowSec - clockSkewSec) {
699
703
  continue; // expired confirmation — try next
700
704
  }
701
705
  }
702
706
  var notBefore = _attr(scd, "NotBefore");
703
707
  if (notBefore) {
704
- var nb = Date.parse(notBefore) / 1000; // allow:raw-byte-literal — ms→s
708
+ var nb = Date.parse(notBefore) / 1000; // ms→s
705
709
  if (isFinite(nb) && nb > nowSec + clockSkewSec) continue;
706
710
  }
707
711
  var recipient = _attr(scd, "Recipient");
@@ -721,6 +725,7 @@ function create(opts) {
721
725
  "AuthnRequest ID (replay defense)");
722
726
  }
723
727
  }
728
+ matchedInResponseTo = inResponseTo;
724
729
  bearerOk = true;
725
730
  break;
726
731
  }
@@ -736,14 +741,14 @@ function create(opts) {
736
741
  var cNotBefore = _attr(conditions, "NotBefore");
737
742
  var cNotOnOrAfter = _attr(conditions, "NotOnOrAfter");
738
743
  if (cNotBefore) {
739
- var cnb = Date.parse(cNotBefore) / 1000; // allow:raw-byte-literal — ms→s
744
+ var cnb = Date.parse(cNotBefore) / 1000; // ms→s
740
745
  if (isFinite(cnb) && cnb > nowSec + clockSkewSec) {
741
746
  throw new AuthError("auth-saml/conditions-not-yet-valid",
742
747
  "Conditions NotBefore is in the future");
743
748
  }
744
749
  }
745
750
  if (cNotOnOrAfter) {
746
- var cnoa = Date.parse(cNotOnOrAfter) / 1000; // allow:raw-byte-literal — ms→s
751
+ var cnoa = Date.parse(cNotOnOrAfter) / 1000; // ms→s
747
752
  if (isFinite(cnoa) && cnoa < nowSec - clockSkewSec) {
748
753
  throw new AuthError("auth-saml/conditions-expired",
749
754
  "Conditions NotOnOrAfter has passed");
@@ -787,8 +792,7 @@ function create(opts) {
787
792
  sessionIndex: sessionIndex,
788
793
  attributes: attributes,
789
794
  audience: audience,
790
- inResponseTo: bearerOk ? _attr(_findChild(_findChild(subject, "SubjectConfirmation", SAML_NS.assertion),
791
- "SubjectConfirmationData", SAML_NS.assertion), "InResponseTo") : null,
795
+ inResponseTo: bearerOk ? matchedInResponseTo : null,
792
796
  issuer: issuer,
793
797
  };
794
798
  }
@@ -884,7 +888,7 @@ function create(opts) {
884
888
  throw new AuthError("auth-saml/no-idp-slo",
885
889
  "buildLogoutRequest: opts.idpSloUrl (or sp.create's opts.idpSloUrl) required");
886
890
  }
887
- var id = "_" + generateToken(20); // allow:raw-byte-literal — 20-byte SAML ID token
891
+ var id = "_" + generateToken(20); // 20-byte SAML ID token
888
892
  var issueInstant = new Date().toISOString();
889
893
  var c14n = xmlC14n();
890
894
  var nameIdFormatAttr = bopts.nameIdFormat
@@ -1085,7 +1089,7 @@ function create(opts) {
1085
1089
  validateOpts.requireNonEmptyString(bopts.inResponseTo, "inResponseTo", AuthError, "auth-saml/no-in-response-to");
1086
1090
  validateOpts.requireNonEmptyString(bopts.destination, "destination", AuthError, "auth-saml/no-destination");
1087
1091
  var statusCode = bopts.statusCode || "urn:oasis:names:tc:SAML:2.0:status:Success";
1088
- var id = "_" + generateToken(20); // allow:raw-byte-literal — 20-byte SAML ID token
1092
+ var id = "_" + generateToken(20); // 20-byte SAML ID token
1089
1093
  var issueInstant = new Date().toISOString();
1090
1094
  var c14n = xmlC14n();
1091
1095
  var xml =
@@ -1288,7 +1292,7 @@ function create(opts) {
1288
1292
  throw new AuthError("auth-saml/no-idp-slo",
1289
1293
  "buildLogoutRequestPost: opts.idpSloUrl required");
1290
1294
  }
1291
- var id = "_" + generateToken(20); // allow:raw-byte-literal — 20-byte SAML ID token
1295
+ var id = "_" + generateToken(20); // 20-byte SAML ID token
1292
1296
  var issueInstant = new Date().toISOString();
1293
1297
  var c14n = xmlC14n();
1294
1298
  var nameIdFormatAttr = bopts.nameIdFormat
@@ -1663,18 +1667,18 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
1663
1667
  var clearBytes;
1664
1668
  if (contentAlg === "http://www.w3.org/2009/xmlenc11#aes128-gcm" ||
1665
1669
  contentAlg === "http://www.w3.org/2009/xmlenc11#aes256-gcm") {
1666
- var aesBits = contentAlg.indexOf("aes128") !== -1 ? 128 : 256; // allow:raw-byte-literal — AES key size
1667
- var expectedKeyBytes = aesBits / 8; // allow:raw-byte-literal — bits→bytes
1670
+ var aesBits = contentAlg.indexOf("aes128") !== -1 ? 128 : 256; // AES key size
1671
+ var expectedKeyBytes = aesBits / 8; // bits→bytes
1668
1672
  if (cek.length !== expectedKeyBytes) {
1669
1673
  throw new AuthError("auth-saml/encrypted-wrong-cek-len",
1670
1674
  "AES-" + aesBits + "-GCM CEK length is " + cek.length + ", expected " + expectedKeyBytes);
1671
1675
  }
1672
- if (contentBlob.length < 28) { // allow:raw-byte-literal — 12 IV + 16 tag
1676
+ if (contentBlob.length < 28) { // 12 IV + 16 tag
1673
1677
  throw new AuthError("auth-saml/encrypted-content-too-short",
1674
1678
  "AES-GCM CipherValue too short to contain IV (12) + tag (16)");
1675
1679
  }
1676
- var iv = contentBlob.subarray(0, 12); // allow:raw-byte-literal — GCM IV size
1677
- var tag = contentBlob.subarray(contentBlob.length - 16); // allow:raw-byte-literal — GCM tag size
1680
+ var iv = contentBlob.subarray(0, 12); // GCM IV size
1681
+ var tag = contentBlob.subarray(contentBlob.length - 16); // GCM tag size
1678
1682
  var ct = contentBlob.subarray(12, contentBlob.length - 16);
1679
1683
  var decipher = nodeCrypto.createDecipheriv("aes-" + aesBits + "-gcm", cek, iv);
1680
1684
  decipher.setAuthTag(tag);
@@ -1684,16 +1688,16 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
1684
1688
  "AES-GCM authentication tag mismatch: " + ((eD && eD.message) || String(eD)));
1685
1689
  }
1686
1690
  } else if (contentAlg === "urn:blamejs:experimental:xmlenc:xchacha20-poly1305") {
1687
- if (cek.length !== 32) { // allow:raw-byte-literal — XChaCha20 key size
1691
+ if (cek.length !== 32) { // XChaCha20 key size
1688
1692
  throw new AuthError("auth-saml/encrypted-wrong-cek-len",
1689
1693
  "XChaCha20-Poly1305 CEK length is " + cek.length + ", expected 32");
1690
1694
  }
1691
- if (contentBlob.length < 40) { // allow:raw-byte-literal — 24 nonce + 16 tag
1695
+ if (contentBlob.length < 40) { // 24 nonce + 16 tag
1692
1696
  throw new AuthError("auth-saml/encrypted-content-too-short",
1693
1697
  "XChaCha20-Poly1305 CipherValue too short");
1694
1698
  }
1695
- var xnonce = contentBlob.subarray(0, 24); // allow:raw-byte-literal — XChaCha20 nonce size
1696
- var xtag = contentBlob.subarray(contentBlob.length - 16); // allow:raw-byte-literal — Poly1305 tag size
1699
+ var xnonce = contentBlob.subarray(0, 24); // XChaCha20 nonce size
1700
+ var xtag = contentBlob.subarray(contentBlob.length - 16); // Poly1305 tag size
1697
1701
  var xct = contentBlob.subarray(24, contentBlob.length - 16);
1698
1702
  try {
1699
1703
  clearBytes = bCrypto.aeadDecrypt({
@@ -1722,8 +1726,8 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
1722
1726
 
1723
1727
  // PQC SignatureMethod URIs used by the embedded XMLDSig signatures.
1724
1728
  // Standard XMLDSig vocabulary classical signing URIs (W3C XMLDSig
1725
- // Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn /
1726
- // _sigAlgFromUri. The framework adds two non-standard URNs for
1729
+ // Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn (sign
1730
+ // side) and the SUPPORTED_SIG table (verify side). The framework adds two non-standard URNs for
1727
1731
  // ML-DSA because no W3C/IETF XMLDSig URI registration exists for
1728
1732
  // post-quantum signers yet (LAMPS WG has open drafts but none final).
1729
1733
  // Operators integrating with PQC-aware IdPs that exchange those URNs
@@ -1971,7 +1975,7 @@ function _sigAlgUrn(alg) {
1971
1975
  var keyObj = (sk && typeof sk === "object" && sk.type === "private") ? sk
1972
1976
  : (typeof sk === "string" || (sk && sk.kty)) ? nodeCrypto.createPrivateKey(sk)
1973
1977
  : nodeCrypto.createPrivateKey({ key: Buffer.concat([
1974
- Buffer.from("302e020100300506032b657004220420", "hex"), // allow:raw-byte-literal — Ed25519 PKCS#8 prefix
1978
+ Buffer.from("302e020100300506032b657004220420", "hex"), // Ed25519 PKCS#8 prefix
1975
1979
  Buffer.from(sk),
1976
1980
  ]), format: "der", type: "pkcs8" });
1977
1981
  return nodeCrypto.sign(null, Buffer.from(bytes), keyObj);
@@ -1980,7 +1984,7 @@ function _sigAlgUrn(alg) {
1980
1984
  var keyObj = (pk && typeof pk === "object" && pk.type === "public") ? pk
1981
1985
  : (typeof pk === "string" || (pk && pk.kty)) ? nodeCrypto.createPublicKey(pk)
1982
1986
  : nodeCrypto.createPublicKey({ key: Buffer.concat([
1983
- Buffer.from("302a300506032b6570032100", "hex"), // allow:raw-byte-literal — Ed25519 SPKI prefix
1987
+ Buffer.from("302a300506032b6570032100", "hex"), // Ed25519 SPKI prefix
1984
1988
  Buffer.from(pk),
1985
1989
  ]), format: "der", type: "spki" });
1986
1990
  return nodeCrypto.verify(null, Buffer.from(msg), keyObj, Buffer.from(sig));
@@ -2023,22 +2027,6 @@ function _sigAlgUrn(alg) {
2023
2027
  return null;
2024
2028
  }
2025
2029
 
2026
- // Reverse lookup — SignatureMethod URI on the inbound wire → alg
2027
- // shorthand for _sigAlgUrn dispatch. Used by _verifyEmbeddedXmlDsig
2028
- // to pick the right verifier when an IdP signs with a classical alg.
2029
- function _sigAlgFromUri(uri) {
2030
- if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-65") return "ml-dsa-65";
2031
- if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-87") return "ml-dsa-87";
2032
- if (uri === "http://www.w3.org/2021/04/xmldsig-more#ed25519") return "ed25519";
2033
- if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") return "rsa-sha256";
2034
- if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384") return "rsa-sha384";
2035
- if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512") return "rsa-sha512";
2036
- if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256") return "ecdsa-sha256";
2037
- if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384") return "ecdsa-sha384";
2038
- if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512") return "ecdsa-sha512";
2039
- return null;
2040
- }
2041
-
2042
2030
  /**
2043
2031
  * @primitive b.auth.saml.fetchMdq
2044
2032
  * @signature b.auth.saml.fetchMdq(opts)
@@ -17,7 +17,7 @@ var nodeCrypto = require("node:crypto");
17
17
  var safeJson = require("../safe-json");
18
18
  var { AuthError } = require("../framework-error");
19
19
 
20
- var DEFAULT_SALT_BYTES = 16; // allow:raw-byte-literal — 128-bit salt per spec recommendation
20
+ var DEFAULT_SALT_BYTES = 16; // 128-bit salt per spec recommendation
21
21
 
22
22
  function _newSalt(opts) {
23
23
  if (opts && opts.saltSource && typeof opts.saltSource === "function") {
@@ -239,8 +239,8 @@ function issue(opts) {
239
239
  sdDigests.sort();
240
240
 
241
241
  var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
242
- ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); // allow:raw-byte-literal — ms→s conversion factor
243
- var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60; // allow:raw-byte-literal — ms→s conversion + 30-day default in seconds
242
+ ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
243
+ var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60; // ms→s conversion + 30-day default in seconds
244
244
 
245
245
  var payload = Object.assign({}, plainClaims, {
246
246
  iss: opts.issuer,
@@ -355,7 +355,7 @@ function present(opts) {
355
355
  "present: algorithm must be one of " + SUPPORTED_ALGS.join(", "));
356
356
  }
357
357
  var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
358
- ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); // allow:raw-byte-literal — ms→s conversion factor
358
+ ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
359
359
  // The KB-JWT's hash binds it to the specific SD-JWT + presentation
360
360
  var kbHashInput = presentation; // jwt~d1~d2~ (without KB)
361
361
  // sd_hash uses the SAME hash algorithm the credential's _sd
@@ -505,7 +505,7 @@ async function verify(presentation, opts) {
505
505
 
506
506
  // 2. Validate iss / iat / exp / vct
507
507
  var nowSec = (typeof opts.now === "number" && isFinite(opts.now))
508
- ? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000); // allow:raw-byte-literal — ms→s conversion factor
508
+ ? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
509
509
  var skew = (typeof opts.maxClockSkewSec === "number") ? opts.maxClockSkewSec : 60; // allow:raw-time-literal — default 60s clock-skew tolerance
510
510
  if (typeof jwtParsed.payload.iat === "number" && jwtParsed.payload.iat > nowSec + skew) {
511
511
  throw new AuthError("auth-sd-jwt-vc/iat-future",
@@ -597,7 +597,7 @@ async function verify(presentation, opts) {
597
597
  }
598
598
  // Verify KB-JWT signature
599
599
  var kbHeaderObj;
600
- try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); } // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies // allow:raw-byte-literal — kb-header cap (4 KB)
600
+ try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); } // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies
601
601
  catch (e) {
602
602
  throw new AuthError("auth-sd-jwt-vc/bad-kb-header",
603
603
  "verify: malformed KB-JWT header: " + e.message);
@@ -55,7 +55,7 @@ var { defineClass } = require("../framework-error");
55
55
 
56
56
  var StatusListError = defineClass("StatusListError", { alwaysPermanent: true });
57
57
 
58
- var SUPPORTED_BIT_SIZES = { 1: 1, 2: 1, 4: 1, 8: 1 }; // allow:raw-byte-literal — bit-size enum (1/2/4/8 bits per status), not bytes
58
+ var SUPPORTED_BIT_SIZES = { 1: 1, 2: 1, 4: 1, 8: 1 }; // bit-size enum (1/2/4/8 bits per status), not bytes
59
59
  var STATUS_VALID = 0;
60
60
  var STATUS_INVALID = 1;
61
61
  var STATUS_SUSPENDED = 2;
@@ -107,7 +107,7 @@ function create(opts) {
107
107
  var bits = opts.bits === undefined ? 1 : opts.bits;
108
108
  _validateBits(bits);
109
109
  // Allocate the bit-packed buffer up front. byteCount = ceil(size*bits/8).
110
- var bitBytes = Math.ceil((size * bits) / 8); // allow:raw-byte-literal — bits-per-byte conversion
110
+ var bitBytes = Math.ceil((size * bits) / 8); // bits-per-byte conversion
111
111
  var bytes = Buffer.alloc(bitBytes);
112
112
  if (opts.fill !== undefined && opts.fill !== 0) {
113
113
  _validateStatus(opts.fill, bits);
@@ -184,19 +184,19 @@ function create(opts) {
184
184
  // ---- bit-packed helpers ----
185
185
 
186
186
  function _setAt(bytes, bits, idx, status) {
187
- if (bits === 8) { bytes[idx] = status & 0xff; return; } // allow:raw-byte-literal — byte mask
187
+ if (bits === 8) { bytes[idx] = status & 0xff; return; } // byte mask
188
188
  var bitOffset = idx * bits;
189
- var byteIdx = Math.floor(bitOffset / 8); // allow:raw-byte-literal — bits-per-byte
190
- var bitInByte = bitOffset % 8; // allow:raw-byte-literal — bits-per-byte
189
+ var byteIdx = Math.floor(bitOffset / 8); // bits-per-byte
190
+ var bitInByte = bitOffset % 8; // bits-per-byte
191
191
  var mask = ((1 << bits) - 1) << bitInByte;
192
192
  bytes[byteIdx] = (bytes[byteIdx] & ~mask) | ((status << bitInByte) & mask);
193
193
  }
194
194
 
195
195
  function _getAt(bytes, bits, idx) {
196
- if (bits === 8) return bytes[idx]; // allow:raw-byte-literal — 8-bit fast path
196
+ if (bits === 8) return bytes[idx]; // 8-bit fast path
197
197
  var bitOffset = idx * bits;
198
- var byteIdx = Math.floor(bitOffset / 8); // allow:raw-byte-literal — bits-per-byte
199
- var bitInByte = bitOffset % 8; // allow:raw-byte-literal — bits-per-byte
198
+ var byteIdx = Math.floor(bitOffset / 8); // bits-per-byte
199
+ var bitInByte = bitOffset % 8; // bits-per-byte
200
200
  var mask = (1 << bits) - 1;
201
201
  return (bytes[byteIdx] >> bitInByte) & mask;
202
202
  }
@@ -238,13 +238,13 @@ async function fromJwt(token, opts) {
238
238
  "statusList.fromJwt: compressed list exceeds " + MAX_LIST_BYTES + " bytes");
239
239
  }
240
240
  var inflated;
241
- try { inflated = zlib.inflateRawSync(deflated, { maxOutputLength: MAX_LIST_BYTES * 8 }); } // allow:raw-byte-literal — 8x compression-ratio cap
241
+ try { inflated = zlib.inflateRawSync(deflated, { maxOutputLength: MAX_LIST_BYTES * 8 }); } // 8x compression-ratio cap
242
242
  catch (e) {
243
243
  throw new StatusListError("status-list/inflate-failed",
244
244
  "statusList.fromJwt: zlib inflate failed: " + ((e && e.message) || String(e)));
245
245
  }
246
246
  // Reconstruct the list object pointing at the inflated bytes.
247
- var size = (inflated.length * 8) / bits; // allow:raw-byte-literal — bits-per-byte
247
+ var size = (inflated.length * 8) / bits; // bits-per-byte
248
248
  return {
249
249
  list: {
250
250
  size: size,
@@ -86,7 +86,7 @@ function _quote(value) {
86
86
  // Reject CTLs and quote-injecting characters.
87
87
  for (var i = 0; i < value.length; i += 1) {
88
88
  var code = value.charCodeAt(i);
89
- if (code < 32 || code === 127) { // allow:raw-byte-literal — ASCII control codepoints
89
+ if (code < 32 || code === 127) { // ASCII control codepoints
90
90
  throw new AuthError("auth-step-up/bad-challenge",
91
91
  "challenge value contains control character at index " + i);
92
92
  }
@@ -270,7 +270,7 @@ function create(opts) {
270
270
  function _runBotGuardCheck(req) {
271
271
  return new Promise(function (resolve) {
272
272
  var capturedRes = {
273
- statusCode: 200, // allow:raw-byte-literal — HTTP 200 status code, not bytes
273
+ statusCode: 200, // HTTP 200 status code, not bytes
274
274
  writableEnded: false,
275
275
  writeHead: function (status) { capturedRes.statusCode = status; },
276
276
  end: function () { capturedRes.writableEnded = true; },
@@ -1118,7 +1118,7 @@ function bundleAdapterStorage(opts) {
1118
1118
  var passphraseMinEntropyBits;
1119
1119
  if (opts.passphraseMinEntropyBits === undefined ||
1120
1120
  opts.passphraseMinEntropyBits === null) {
1121
- passphraseMinEntropyBits = 80; // allow:raw-byte-literal — entropy-bits default floor, not byte count
1121
+ passphraseMinEntropyBits = 80; // entropy-bits default floor, not byte count
1122
1122
  } else if (Number.isFinite(opts.passphraseMinEntropyBits) &&
1123
1123
  opts.passphraseMinEntropyBits >= 0) {
1124
1124
  passphraseMinEntropyBits = Math.floor(opts.passphraseMinEntropyBits);
@@ -1164,8 +1164,8 @@ function bundleAdapterStorage(opts) {
1164
1164
  // v0.12.11 — passphrase strategy under HIPAA / PCI-DSS raises
1165
1165
  // the entropy floor to 128 bits (matches the framework's
1166
1166
  // existing crypto-grade-password discipline for sealed-storage).
1167
- if (cryptoStrategy === "passphrase" && passphraseMinEntropyBits < 128) { // allow:raw-byte-literal — entropy-bits floor, not byte count
1168
- passphraseMinEntropyBits = 128; // allow:raw-byte-literal — entropy-bits floor, not byte count
1167
+ if (cryptoStrategy === "passphrase" && passphraseMinEntropyBits < 128) { // entropy-bits floor, not byte count
1168
+ passphraseMinEntropyBits = 128; // entropy-bits floor, not byte count
1169
1169
  }
1170
1170
  }
1171
1171
  // Codex P2 on v0.12.8 PR #159 — tar mode builds the whole archive
@@ -1754,7 +1754,7 @@ function bundleAdapterStorage(opts) {
1754
1754
  // per-bundle rewrap.
1755
1755
  async rewrapAllBundles(opts) {
1756
1756
  opts = opts || {};
1757
- var concurrency = 4; // allow:raw-byte-literal — default fan-out, not byte count
1757
+ var concurrency = 4; // default fan-out, not byte count
1758
1758
  if (typeof opts.concurrency === "number" && Number.isFinite(opts.concurrency) &&
1759
1759
  opts.concurrency > 0) {
1760
1760
  concurrency = Math.max(1, Math.floor(opts.concurrency));
@@ -1855,7 +1855,7 @@ function bundleAdapterStorage(opts) {
1855
1855
  // a silent ok=0/failed=0 report on non-empty storage. Default
1856
1856
  // 4; minimum 1; non-finite / non-positive falls back to
1857
1857
  // default.
1858
- var concurrency = 4; // allow:raw-byte-literal — default fan-out, not byte count
1858
+ var concurrency = 4; // default fan-out, not byte count
1859
1859
  if (typeof vOpts.concurrency === "number" && Number.isFinite(vOpts.concurrency) &&
1860
1860
  vOpts.concurrency > 0) {
1861
1861
  concurrency = Math.max(1, Math.floor(vOpts.concurrency));
@@ -2096,7 +2096,7 @@ function bundleAdapterStorage(opts) {
2096
2096
  // capped 16-byte readFile via the fallback path (still
2097
2097
  // bounded; better than full payload).
2098
2098
  if (typeof adapter.readPartial === "function") {
2099
- var probe = await adapter.readPartial(payloadKey, 16); // allow:raw-byte-literal — 16-byte probe head, magic comparison
2099
+ var probe = await adapter.readPartial(payloadKey, 16); // 16-byte probe head, magic comparison
2100
2100
  envelopeKind = archiveLazy().sniffEnvelope(probe);
2101
2101
  } else {
2102
2102
  // Legacy adapter — readPartial missing. Operators using
@@ -2389,7 +2389,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
2389
2389
  // is consumed. PAGINATION_CAP guards against a runaway
2390
2390
  // server returning truncated:true forever (defense-in-depth;
2391
2391
  // shipped backends honour the contract).
2392
- var PAGINATION_CAP = 1000; // allow:raw-byte-literal — page count cap, not byte count
2392
+ var PAGINATION_CAP = 1000; // page count cap, not byte count
2393
2393
  var out = [];
2394
2394
  var token = null;
2395
2395
  var pages = 0;
@@ -42,7 +42,7 @@ Object.keys(ALPHABETS).forEach(function (v) {
42
42
  LOOKUPS[v] = map;
43
43
  });
44
44
 
45
- var GROUP = 8; // allow:raw-byte-literal — Base32 emits 8 chars per 5 input bytes (RFC 4648 §6)
45
+ var GROUP = 8; // Base32 emits 8 chars per 5 input bytes (RFC 4648 §6)
46
46
  var BITS = 5; // 5 bits per Base32 symbol
47
47
 
48
48
  function _alphabet(variant) {
@@ -82,14 +82,14 @@ function encode(input, opts) {
82
82
  var out = "";
83
83
  var value = 0, bits = 0;
84
84
  for (var i = 0; i < buf.length; i++) {
85
- value = (value << 8) | buf[i]; // allow:raw-byte-literal — shift in one input byte
86
- bits += 8; // allow:raw-byte-literal — eight bits per input byte
85
+ value = (value << 8) | buf[i]; // shift in one input byte
86
+ bits += 8; // eight bits per input byte
87
87
  while (bits >= BITS) {
88
- out += alphabet.charAt((value >>> (bits - BITS)) & 31); // allow:raw-byte-literal — low 5 bits mask (2^5 - 1)
88
+ out += alphabet.charAt((value >>> (bits - BITS)) & 31); // low 5 bits mask (2^5 - 1)
89
89
  bits -= BITS;
90
90
  }
91
91
  }
92
- if (bits > 0) out += alphabet.charAt((value << (BITS - bits)) & 31); // allow:raw-byte-literal — final partial group, low 5 bits
92
+ if (bits > 0) out += alphabet.charAt((value << (BITS - bits)) & 31); // final partial group, low 5 bits
93
93
  if (pad) while (out.length % GROUP !== 0) out += "=";
94
94
  return out;
95
95
  }
@@ -138,9 +138,9 @@ function decode(str, opts) {
138
138
  if (idx === undefined) throw new Base32Error("base32/bad-char", "base32.decode: invalid Base32 character '" + str.charAt(i) + "' at index " + i);
139
139
  value = (value << BITS) | idx;
140
140
  bits += BITS;
141
- if (bits >= 8) { // allow:raw-byte-literal — emit a full output byte
142
- bytes.push((value >>> (bits - 8)) & 0xff); // allow:raw-byte-literal — eight-bit output byte mask
143
- bits -= 8; // allow:raw-byte-literal — consumed eight bits
141
+ if (bits >= 8) { // emit a full output byte
142
+ bytes.push((value >>> (bits - 8)) & 0xff); // eight-bit output byte mask
143
+ bits -= 8; // consumed eight bits
144
144
  }
145
145
  }
146
146
  return Buffer.from(bytes);
@@ -30,8 +30,8 @@ var audit = require("./audit");
30
30
  var { defineClass } = require("./framework-error");
31
31
  var BudrError = defineClass("BudrError", { alwaysPermanent: true });
32
32
 
33
- var SERVICE_MAX = 128; // allow:raw-byte-literal — string-length cap, not bytes
34
- var SERVICE_RE = /^[a-zA-Z0-9._:/-]{1,128}$/; // allow:raw-byte-literal — string-length cap; not bytes
33
+ var SERVICE_MAX = 128; // string-length cap, not bytes
34
+ var SERVICE_RE = /^[a-zA-Z0-9._:/-]{1,128}$/; // string-length cap; not bytes
35
35
  var TIERS = ["platinum", "gold", "silver", "bronze"];
36
36
  var CRITICALITIES = ["critical", "high", "medium", "low"];
37
37
 
@@ -47,7 +47,7 @@ var CacheStatusError = defineClass("CacheStatusError", { alwaysPermanent: true }
47
47
  // per RFC 8941: starts with ALPHA or "*", continues with tchar / ":"
48
48
  // / "/". tchar excludes `, ; " \ space and all controls.
49
49
  var CACHE_NAME_RE = /^[A-Za-z*][!#$%&'*+\-.^_`|~0-9A-Za-z:/]*$/; // allow:duplicate-regex — sf-token shape per RFC 8941 §3.3.4
50
- var CACHE_NAME_MAX = 128; // allow:raw-byte-literal — cache-name length cap, not bytes
50
+ var CACHE_NAME_MAX = 128; // cache-name length cap, not bytes
51
51
  var FWD_VALUES = Object.freeze(["bypass", "method", "uri-miss", "vary-miss", "miss", "request", "stale", "partial"]);
52
52
  var BOOLEAN_PARAMS = Object.freeze(["hit", "stored", "collapsed"]);
53
53
  // Reserved parameter names per RFC 9211 §2 — the framework knows their
@@ -153,7 +153,7 @@ function entryString(entry) {
153
153
  }
154
154
  if (entry.fwdStatus !== undefined && entry.fwdStatus !== null) {
155
155
  if (typeof entry.fwdStatus !== "number" || !Number.isInteger(entry.fwdStatus) ||
156
- entry.fwdStatus < 100 || entry.fwdStatus > 599) { // allow:raw-byte-literal — HTTP status range
156
+ entry.fwdStatus < 100 || entry.fwdStatus > 599) { // HTTP status range
157
157
  throw new CacheStatusError("cache-status/bad-fwd-status",
158
158
  "entry.fwdStatus must be an integer 100..599");
159
159
  }