@blamejs/core 0.14.0 → 0.14.2

package/lib/network-dns.js

@@ -83,7 +83,7 @@ function _ensureSecureDefault() {
   if (override === "system") { STATE.systemResolver = true; return; }
   if (override === "dot") {
     // Cloudflare 1.1.1.1 over TLS, port 853.
-    STATE.dot = { host: "1.1.1.1", port: 853, servername: "1.1.1.1", ca: null };  // allow:raw-byte-literal — IANA-assigned DoT port
+    STATE.dot = { host: "1.1.1.1", port: 853, servername: "1.1.1.1", ca: null };  // IANA-assigned DoT port
     return;
   }
   // Default: DoH via Cloudflare.
@@ -320,7 +320,7 @@ function _encodeDnsQuery(host, qtype) {
 function _skipDnsName(buf, state) {
   var endedViaPointer = false;
   while (state.off < buf.length && buf[state.off] !== 0) {
-    if ((buf[state.off] & 0xc0) === 0xc0) {                                      // allow:raw-byte-literal — RFC 1035 name-compression pointer mask
+    if ((buf[state.off] & 0xc0) === 0xc0) {                                      // RFC 1035 name-compression pointer mask
       state.off += 2;
       endedViaPointer = true;
       break;
@@ -372,7 +372,7 @@ function _decodeDnsAnswer(buf, qtype) {
 // the chain.
 function _readAdBit(buf) {
   if (!Buffer.isBuffer(buf) || buf.length < 12) return false;
-  return (buf.readUInt8(3) & 0x20) !== 0;                                        // allow:raw-byte-literal — RFC 4035 AD-bit mask
+  return (buf.readUInt8(3) & 0x20) !== 0;                                        // RFC 4035 AD-bit mask
 }
 
 // DoH GET URL length cap. RFC 8484 §4.1 says clients MAY use POST when
@@ -453,7 +453,7 @@ async function _dohLookup(host, family) {
 // after chain validation. Internal — operators reach for
 // `resolveSecure` instead.
 async function _dohLookupSecure(host, family) {
-  var qtype = family === 6 ? 28 : 1;                                             // allow:raw-byte-literal — DNS QTYPE values for A / AAAA
+  var qtype = family === 6 ? 28 : 1;                                             // DNS QTYPE values for A / AAAA
   var enc = _encodeDnsQuery(host, qtype);
   var b64 = bCrypto.toBase64Url(enc.buf);
   var getUrl = STATE.doh.url + (STATE.doh.url.indexOf("?") === -1 ? "?" : "&") + "dns=" + b64;
@@ -463,7 +463,7 @@ async function _dohLookupSecure(host, family) {
   return new Promise(function (resolve, reject) {
     var reqOpts = {
       hostname:   u.hostname,
-      port:       u.port || 443,                                                 // allow:raw-byte-literal — HTTPS default port
+      port:       u.port || 443,                                                 // HTTPS default port
       path:       u.pathname + u.search,
       method:     usePost ? "POST" : "GET",
       headers:    { "accept": "application/dns-message" },
@@ -495,7 +495,7 @@ async function _dohLookupSecure(host, family) {
         try {
           if (pushFailed) { reject(pushFailed); return; }
           var body = collector.result();
-          if (res.statusCode !== 200) {                                          // allow:raw-byte-literal — HTTP 200 OK
+          if (res.statusCode !== 200) {                                          // HTTP 200 OK
             reject(new DnsError("dns/doh-http", "DoH HTTP " + res.statusCode + " for " + host));
             return;
           }
@@ -528,7 +528,7 @@ async function resolveSecure(host, type) {
       "resolveSecure requires DoH transport (call useDnsOverHttps " +
       "or rely on the default-on DoH posture)");
   }
-  if (typeof host !== "string" || host.length === 0 || host.length > 253) {     // allow:raw-byte-literal — RFC 1035 hostname octet ceiling
+  if (typeof host !== "string" || host.length === 0 || host.length > 253) {     // RFC 1035 hostname octet ceiling
     throw new DnsError("dns/bad-host",
       "resolveSecure host is malformed");
   }
@@ -541,7 +541,7 @@ async function resolveSecure(host, type) {
   var labels = host.split(".");
   for (var li = 0; li < labels.length; li += 1) {
     var label = labels[li];
-    if (label.length === 0 || label.length > 63) {                                            // allow:raw-byte-literal — RFC 1035 max label length
+    if (label.length === 0 || label.length > 63) {                                            // RFC 1035 max label length
       throw new DnsError("dns/bad-host",
         "resolveSecure host has invalid label (length 1..63 required, got " + label.length + ")");
     }
@@ -720,7 +720,7 @@ function _readDnsName(buf, start) {
   var off = start;
   var nextOff = -1;
   var iterations = 0;
-  var ITER_CAP = 256;                                                            // allow:raw-byte-literal — DNS name pointer-loop safeguard
+  var ITER_CAP = 256;                                                            // DNS name pointer-loop safeguard
   while (off < buf.length && iterations < ITER_CAP) {
     iterations += 1;
     var len = buf[off];
@@ -728,13 +728,13 @@ function _readDnsName(buf, start) {
       if (nextOff === -1) nextOff = off + 1;
       break;
     }
-    if ((len & 0xc0) === 0xc0) {                                                 // allow:raw-byte-literal — RFC 1035 name-compression pointer mask
+    if ((len & 0xc0) === 0xc0) {                                                 // RFC 1035 name-compression pointer mask
       if (off + 1 >= buf.length) {
         throw new DnsError("dns/svcb-malformed",
           "DNS name truncated at compression pointer");
       }
       if (nextOff === -1) nextOff = off + 2;
-      var ptr = ((len & 0x3f) << 8) | buf[off + 1];                              // allow:raw-byte-literal — RFC 1035 pointer offset mask
+      var ptr = ((len & 0x3f) << 8) | buf[off + 1];                              // RFC 1035 pointer offset mask
       if (ptr >= buf.length || ptr === off) {
         throw new DnsError("dns/svcb-malformed",
           "DNS name pointer out of bounds or self-referential");
@@ -742,7 +742,7 @@ function _readDnsName(buf, start) {
       off = ptr;
       continue;
     }
-    if ((len & 0xc0) !== 0) {                                                    // allow:raw-byte-literal — RFC 1035 reserved label-type bits
+    if ((len & 0xc0) !== 0) {                                                    // RFC 1035 reserved label-type bits
       throw new DnsError("dns/svcb-malformed",
         "DNS name has reserved label type 0x" + len.toString(HEX_RADIX));
     }
@@ -770,7 +770,7 @@ function _decodeDnsAnswerRaw(buf) {
   if (!Buffer.isBuffer(buf) || buf.length < 12) {
     throw new DnsError("dns/bad-reply", "dns reply truncated");
   }
-  var rcode = buf.readUInt8(3) & 0x0f;                                           // allow:raw-byte-literal — RFC 1035 RCODE nibble mask
+  var rcode = buf.readUInt8(3) & 0x0f;                                           // RFC 1035 RCODE nibble mask
   if (rcode !== 0) {
     throw new DnsError("dns/no-result", "dns reply rcode " + rcode);
   }
@@ -818,7 +818,7 @@ async function _dohRawQuery(host, qtype) {
   return new Promise(function (resolve, reject) {
     var reqOpts = {
       hostname:   u.hostname,
-      port:       u.port || 443,                                                 // allow:raw-byte-literal — HTTPS default port
+      port:       u.port || 443,                                                 // HTTPS default port
       path:       u.pathname + u.search,
       method:     usePost ? "POST" : "GET",
       headers:    { "accept": "application/dns-message" },
@@ -849,7 +849,7 @@ async function _dohRawQuery(host, qtype) {
       res.on("end", function () {
         try {
           if (pushFailed) { reject(pushFailed); return; }
-          if (res.statusCode !== 200) {                                          // allow:raw-byte-literal — HTTP 200 OK
+          if (res.statusCode !== 200) {                                          // HTTP 200 OK
             reject(new DnsError("dns/doh-http", "DoH HTTP " + res.statusCode + " for " + host));
             return;
           }
@@ -950,15 +950,15 @@ async function _systemRawQuery(host, qtype) {
   }
   var serverEntry = servers[0];
   var serverHost = serverEntry;
-  var serverPort = 53;                                                           // allow:raw-byte-literal — IANA-assigned DNS port
+  var serverPort = 53;                                                           // IANA-assigned DNS port
   var bracketEnd = serverEntry.lastIndexOf("]:");
   if (bracketEnd !== -1) {
     serverHost = serverEntry.slice(1, bracketEnd);
-    serverPort = parseInt(serverEntry.slice(bracketEnd + 2), 10) || 53;          // allow:raw-byte-literal — IANA-assigned DNS port
+    serverPort = parseInt(serverEntry.slice(bracketEnd + 2), 10) || 53;          // IANA-assigned DNS port
   } else if (serverEntry.indexOf(":") !== -1 && net.isIP(serverEntry) === 0) {
     var colonIdx = serverEntry.lastIndexOf(":");
     serverHost = serverEntry.slice(0, colonIdx);
-    serverPort = parseInt(serverEntry.slice(colonIdx + 1), 10) || 53;            // allow:raw-byte-literal — IANA-assigned DNS port
+    serverPort = parseInt(serverEntry.slice(colonIdx + 1), 10) || 53;            // IANA-assigned DNS port
   }
   var enc = _encodeDnsQuery(host, qtype);
   return new Promise(function (resolve, reject) {
@@ -1029,8 +1029,8 @@ async function _rawQuery(host, qtype, forceTransport) {
 
 // ---- SVCB / HTTPS RR (RFC 9460) --------------------------------------
 
-var DNS_QTYPE_SVCB  = 64;                                                        // allow:raw-byte-literal — RFC 9460 §14.1 SVCB record type code
-var DNS_QTYPE_HTTPS = 65;                                                        // allow:raw-byte-literal — RFC 9460 §14.1 HTTPS record type code
+var DNS_QTYPE_SVCB  = 64;                                                        // RFC 9460 §14.1 SVCB record type code
+var DNS_QTYPE_HTTPS = 65;                                                        // RFC 9460 §14.1 HTTPS record type code
 
 // SvcParamKey assignments (RFC 9460 §14.3.2 + IANA registry). Keys
 // past 7 are operator-extensible; we recognize the IETF-blessed set
@@ -1042,7 +1042,7 @@ var SVCB_KEY_PORT         = 3;
 var SVCB_KEY_IPV4HINT     = 4;
 var SVCB_KEY_ECH          = 5;
 var SVCB_KEY_IPV6HINT     = 6;
-var SVCB_KEY_DOHPATH      = 7;                                                   // allow:raw-byte-literal — RFC 9461 SvcParamKey
+var SVCB_KEY_DOHPATH      = 7;                                                   // RFC 9461 SvcParamKey
 
 function _readCharString(buf, off, end) {
   if (off >= end) {
@@ -1149,7 +1149,7 @@ function _parseSvcbRdata(msg, rdataOff, rdlen) {
 }
 
 function _validateLdh(host, primitive) {
-  if (typeof host !== "string" || host.length === 0 || host.length > 253) {     // allow:raw-byte-literal — RFC 1035 hostname octet ceiling
+  if (typeof host !== "string" || host.length === 0 || host.length > 253) {     // RFC 1035 hostname octet ceiling
     throw new DnsError("dns/bad-host",
       primitive + ": host must be a non-empty RFC 1035 LDH name (length 1..253)");
   }
@@ -1158,7 +1158,7 @@ function _validateLdh(host, primitive) {
   var labels = host.split(".");
   for (var li = 0; li < labels.length; li += 1) {
     var label = labels[li];
-    if (label.length === 0 || label.length > 63) {                                            // allow:raw-byte-literal — RFC 1035 max label length
+    if (label.length === 0 || label.length > 63) {                                            // RFC 1035 max label length
       throw new DnsError("dns/bad-host",
         primitive + ": host label length must be 1..63");
     }
@@ -1352,7 +1352,7 @@ async function discoverEncrypted(opts) {
       alpn:      alpn,
       target:    rec.target,
       port:      (rec.params && rec.params.port) ||
-                 (transportKind === "dot" ? 853 : 443),                          // allow:raw-byte-literal — IANA-assigned DoT/HTTPS ports
+                 (transportKind === "dot" ? 853 : 443),                          // IANA-assigned DoT/HTTPS ports
       dohpath:   (rec.params && rec.params.dohpath) || null,
       ipv4hint:  (rec.params && rec.params.ipv4hint) || [],
       ipv6hint:  (rec.params && rec.params.ipv6hint) || [],
@@ -1448,7 +1448,7 @@ function useDesignatedResolvers(list) {
       } else {
         useDnsOverTls({
           host:       v.host,
-          port:       v.port || 853,                                             // allow:raw-byte-literal — IANA-assigned DoT port
+          port:       v.port || 853,                                             // IANA-assigned DoT port
           servername: v.servername || v.host,
           ca:         v.ca || null,
         });
@@ -1533,7 +1533,7 @@ async function lookup(host, opts) {
     } else {
       // System resolver (operator explicit opt-out via useSystemResolver).
       var nodeOpts = { all: true };
-      if (family === 4 || family === 6) nodeOpts.family = family;                // allow:raw-byte-literal — IPv4/IPv6 family literals
+      if (family === 4 || family === 6) nodeOpts.family = family;                // IPv4/IPv6 family literals
       addrs = await _withTimeout(dnsPromises.lookup(host, nodeOpts), STATE.lookupTimeoutMs, host);
       if (!Array.isArray(addrs)) addrs = [addrs];
     }
@@ -1797,7 +1797,7 @@ var DNSKEY_ALGORITHMS = Object.freeze({
   5:   { name: "RSASHA1",            deprecated: true,  reason: "SHA-1 deprecated (RFC 9905 §3)" },
   6:   { name: "DSA-NSEC3-SHA1",     deprecated: true,  reason: "SHA-1 deprecated (RFC 9905 §3); DSA deprecated (RFC 8624 §3.1)" },
   7:   { name: "RSASHA1-NSEC3-SHA1", deprecated: true,  reason: "SHA-1 deprecated (RFC 9905 §3)" },
-  8:   { name: "RSASHA256",          deprecated: false, reason: "current — RFC 5702" },                                  // allow:raw-byte-literal — IANA DNSKEY algorithm number
+  8:   { name: "RSASHA256",          deprecated: false, reason: "current — RFC 5702" },                                  // IANA DNSKEY algorithm number
   9:   { name: "Reserved",           deprecated: true,  reason: "Reserved (RFC 5155) — not for production use" },
   10:  { name: "RSASHA512",          deprecated: false, reason: "current — RFC 5702" },
   11:  { name: "Reserved",           deprecated: true,  reason: "Reserved (RFC 5155) — not for production use" },
@@ -1805,13 +1805,13 @@ var DNSKEY_ALGORITHMS = Object.freeze({
   13:  { name: "ECDSAP256SHA256",    deprecated: false, reason: "current — RFC 6605" },
   14:  { name: "ECDSAP384SHA384",    deprecated: false, reason: "current — RFC 6605" },
   15:  { name: "ED25519",            deprecated: false, reason: "current — RFC 8080" },
-  16:  { name: "ED448",              deprecated: false, reason: "current — RFC 8080" },                                  // allow:raw-byte-literal — IANA DNSKEY algorithm number
+  16:  { name: "ED448",              deprecated: false, reason: "current — RFC 8080" },                                  // IANA DNSKEY algorithm number
   // 17-122: Unassigned per IANA. Operators that see one of these
   // get known: false from classifyDnskeyAlgorithm() — the entry
   // is not a typo against the framework table, it's a value the
   // registry hasn't allocated yet.
   // 123-251: Reserved per IANA.
-  252: { name: "INDIRECT",           deprecated: true,  reason: "Reserved indirect-keys placeholder (RFC 4034 §A.1) — not usable for signing/verification" },                                      // allow:raw-byte-literal — IANA DNSKEY algorithm number
+  252: { name: "INDIRECT",           deprecated: true,  reason: "Reserved indirect-keys placeholder (RFC 4034 §A.1) — not usable for signing/verification" },                                      // IANA DNSKEY algorithm number
   253: { name: "PRIVATEDNS",         deprecated: false, reason: "Private algorithm identified by domain name (RFC 4034 §A.1.1) — operators using this assume the private algorithm itself is acceptable" },
   254: { name: "PRIVATEOID",         deprecated: false, reason: "Private algorithm identified by OID (RFC 4034 §A.1.2) — operators using this assume the private algorithm itself is acceptable" },
   255: { name: "Reserved",           deprecated: true,  reason: "Reserved (RFC 4034 §A.1) — not for production use" },

package/lib/network-dnssec.js

@@ -53,9 +53,9 @@ var DnssecError = defineClass("DnssecError", { alwaysPermanent: true });
 
 // DNSSEC algorithm numbers (IANA DNSSEC Algorithm Numbers) → verify params.
 var ALGS = {
-  8:  { name: "RSASHA256",        kind: "rsa",   hash: "sha256" },                          // allow:raw-byte-literal — IANA DNSSEC algorithm number
-  13: { name: "ECDSAP256SHA256",  kind: "ec",    hash: "sha256", crv: "P-256", coord: 32 },   // allow:raw-byte-literal — P-256 coordinate size
-  14: { name: "ECDSAP384SHA384",  kind: "ec",    hash: "sha384", crv: "P-384", coord: 48 },   // allow:raw-byte-literal — P-384 coordinate size
+  8:  { name: "RSASHA256",        kind: "rsa",   hash: "sha256" },                          // IANA DNSSEC algorithm number
+  13: { name: "ECDSAP256SHA256",  kind: "ec",    hash: "sha256", crv: "P-256", coord: 32 },   // P-256 coordinate size
+  14: { name: "ECDSAP384SHA384",  kind: "ec",    hash: "sha384", crv: "P-384", coord: 48 },   // P-384 coordinate size
   15: { name: "ED25519",          kind: "okp",   hash: null,     crv: "Ed25519" },
 };
 
@@ -72,10 +72,10 @@ var DS_DIGESTS = { 2: "sha256", 4: "sha384" };
 // (type numbers IANA): A 1, AAAA 28, TXT 16, DNSKEY 48, DS 43, CAA 257,
 // TLSA 52, SSHFP 44, HINFO 13, CDS 59, CDNSKEY 60, OPENPGPKEY 61, SMIMEA
 // 53, NSEC 47, NSEC3 50.
-var NAME_FREE_TYPE_NUMS = [1, 28, 16, 48, 43, 257, 52, 44, 13, 59, 60, 61, 53, 47, 50];  // allow:raw-byte-literal allow:raw-time-literal — IANA DNS type numbers (no downcased embedded names)
+var NAME_FREE_TYPE_NUMS = [1, 28, 16, 48, 43, 257, 52, 44, 13, 59, 60, 61, 53, 47, 50];  // allow:raw-time-literal — IANA DNS type numbers (no downcased embedded names)
 var TYPE_NUM = {
   A: 1, NS: 2, CNAME: 5, SOA: 6, PTR: 12, MX: 15, TXT: 16, AAAA: 28, SRV: 33,
-  DS: 43, SSHFP: 44, RRSIG: 46, NSEC: 47, DNSKEY: 48, NSEC3: 50, TLSA: 52,            // allow:raw-byte-literal allow:raw-time-literal — IANA DNS type numbers
+  DS: 43, SSHFP: 44, RRSIG: 46, NSEC: 47, DNSKEY: 48, NSEC3: 50, TLSA: 52,            // allow:raw-time-literal — IANA DNS type numbers
   SMIMEA: 53, CDS: 59, CDNSKEY: 60, OPENPGPKEY: 61, CAA: 257, HINFO: 13,
 };
 
@@ -95,7 +95,7 @@ function _canonicalName(name) {
   var parts = [];
   for (var i = 0; i < labels.length; i++) {
     var lab = Buffer.from(labels[i].toLowerCase(), "ascii");
-    if (lab.length === 0 || lab.length > 63) {                                          // allow:raw-byte-literal — DNS label length cap (RFC 1035)
+    if (lab.length === 0 || lab.length > 63) {                                          // DNS label length cap (RFC 1035)
       throw new DnssecError("dnssec/bad-name", "dnssec: invalid label in '" + name + "'");
     }
     parts.push(Buffer.from([lab.length]), lab);
@@ -106,14 +106,14 @@ function _canonicalName(name) {
   // Enforcing it here also bounds the per-label count (and thus the NSEC3
   // closest-encloser candidate enumeration, CVE-2023-50868 class), since
   // each label costs at least 2 octets.
-  if (wire.length > 255) {                                                               // allow:raw-byte-literal — RFC 1035 total-name octet cap
+  if (wire.length > 255) {                                                               // RFC 1035 total-name octet cap
     throw new DnssecError("dnssec/bad-name",
       "dnssec: name '" + name + "' encodes to " + wire.length + " octets, exceeds RFC 1035 cap of 255");
   }
   return wire;
 }
 
-function _u16(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); }                    // allow:raw-byte-literal — 16-bit big-endian split
+function _u16(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); }                    // 16-bit big-endian split
 function _u32(n) {
   var b = Buffer.alloc(4);
   b.writeUInt32BE(n >>> 0, 0);
@@ -138,7 +138,7 @@ function _dnskeyToKey(algId, publicKey) {
     // next 2 bytes; then exponent, then modulus.
     var off = 0, explen = pk[0];
     off = 1;
-    if (explen === 0) { explen = (pk[1] << 8) | pk[2]; off = 3; }                        // allow:raw-byte-literal — RFC 3110 3-byte exponent length
+    if (explen === 0) { explen = (pk[1] << 8) | pk[2]; off = 3; }                        // RFC 3110 3-byte exponent length
     if (explen === 0 || off + explen >= pk.length) {
       throw new DnssecError("dnssec/bad-key", "dnssec: malformed RSA DNSKEY public key");
     }
@@ -153,7 +153,7 @@ function _dnskeyToKey(algId, publicKey) {
     return _jwkKey({ kty: "EC", crv: alg.crv, x: pk.slice(0, alg.coord).toString("base64url"), y: pk.slice(alg.coord).toString("base64url") });
   }
   // Ed25519
-  if (pk.length !== 32) throw new DnssecError("dnssec/bad-key", "dnssec: Ed25519 key must be 32 bytes");   // allow:raw-byte-literal — Ed25519 key size
+  if (pk.length !== 32) throw new DnssecError("dnssec/bad-key", "dnssec: Ed25519 key must be 32 bytes");   // Ed25519 key size
   return _jwkKey({ kty: "OKP", crv: "Ed25519", x: pk.toString("base64url") });
 }
 function _jwkKey(jwk) {
@@ -179,10 +179,10 @@ function keyTag(dnskeyRdata) {
   var rd = _bytes(dnskeyRdata, "dnskeyRdata");
   var acc = 0;
   for (var i = 0; i < rd.length; i++) {
-    acc += (i & 1) ? rd[i] : (rd[i] << 8);                                               // allow:raw-byte-literal — RFC 4034 App B key-tag accumulation
+    acc += (i & 1) ? rd[i] : (rd[i] << 8);                                               // RFC 4034 App B key-tag accumulation
   }
-  acc += (acc >> 16) & 0xffff;                                                           // allow:raw-byte-literal — App B fold
-  return acc & 0xffff;                                                                   // allow:raw-byte-literal — App B 16-bit tag
+  acc += (acc >> 16) & 0xffff;                                                           // App B fold
+  return acc & 0xffff;                                                                   // App B 16-bit tag
 }
 
 /**
@@ -311,7 +311,7 @@ function verifyRrset(opts) {
 
   // RRSIG RDATA without the signature (RFC 4034 §3.1.8.1).
   var rrsigPrefix = Buffer.concat([
-    _u16(typeNum), Buffer.from([rrsig.algorithm & 0xff, rrsig.labels & 0xff]),           // allow:raw-byte-literal — single-octet alg + labels fields
+    _u16(typeNum), Buffer.from([rrsig.algorithm & 0xff, rrsig.labels & 0xff]),           // single-octet alg + labels fields
     _u32(rrsig.originalTtl), _u32(rrsig.expiration), _u32(rrsig.inception),
     _u16(rrsig.keyTag), _canonicalName(rrsig.signerName),
   ]);
@@ -345,8 +345,8 @@ function verifyRrset(opts) {
 // signature check. Passing unverified records proves nothing.
 // ---------------------------------------------------------------------------
 
-var BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV";          // allow:raw-byte-literal — RFC 4648 §7 extended-hex alphabet (RFC number in comment)
-var TYPE_DS = 43;                                            // allow:raw-byte-literal — IANA RR type DS
+var BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV";          // RFC 4648 §7 extended-hex alphabet (RFC number in comment)
+var TYPE_DS = 43;                                            // IANA RR type DS
 var TYPE_CNAME = 5;
 var NSEC3_HASH_SHA1 = 1;                                     // RFC 5155 §5 — the only registered NSEC3 hash
 var DEFAULT_MAX_NSEC3_ITERATIONS = 150;                      // allow:raw-time-literal — DoS ceiling on iterated SHA-1; matches BIND 9.16.33+/Unbound 1.17.1 post-CVE-2023-50868 (RFC 9276 wants 0; deployed zones still use >0)
@@ -366,11 +366,11 @@ var DEFAULT_MAX_NSEC3_ITERATIONS = 150;                      // allow:raw-time-l
 // while still bounding the bounded-collision amplification. Chain length
 // itself is capped (a delegation can't be deeper than a DNS name's label
 // count, RFC 1035), so the scaled budget can't be inflated arbitrarily.
-var MAX_COLLIDING_KEYS       = 4;                            // allow:raw-byte-literal — same-tag DNSKEY candidates tried per RRSIG
-var MAX_VALIDATIONS_PER_LINK = 8;                            // allow:raw-byte-literal — 2 RRSIGs/link x MAX_COLLIDING_KEYS; budget = links.length x this
-var MAX_CHAIN_LINKS          = 128;                          // allow:raw-byte-literal — max delegation depth (>= RFC 1035 max label count)
-var MAX_DNSKEYS_PER_ZONE     = 64;                           // allow:raw-byte-literal — DNSKEY RRset size cap per zone link
-var MAX_DS_RECORDS           = 16;                           // allow:raw-byte-literal — DS RRset size cap (parent-supplied)
+var MAX_COLLIDING_KEYS       = 4;                            // same-tag DNSKEY candidates tried per RRSIG
+var MAX_VALIDATIONS_PER_LINK = 8;                            // 2 RRSIGs/link x MAX_COLLIDING_KEYS; budget = links.length x this
+var MAX_CHAIN_LINKS          = 128;                          // max delegation depth (>= RFC 1035 max label count)
+var MAX_DNSKEYS_PER_ZONE     = 64;                           // DNSKEY RRset size cap per zone link
+var MAX_DS_RECORDS           = 16;                           // DS RRset size cap (parent-supplied)
 
 // RFC 4648 §7 base32hex decode (no padding, case-insensitive) — the
 // label encoding of an NSEC3 owner-name hash.
@@ -380,9 +380,9 @@ function _base32hexDecode(s, label) {
   for (var i = 0; i < up.length; i++) {
     var idx = BASE32HEX.indexOf(up[i]);
     if (idx === -1) throw new DnssecError("dnssec/bad-nsec3", "dnssec: " + label + " is not valid base32hex");
-    value = (value << 5) | idx;                              // allow:raw-byte-literal — base32 5-bit group
-    bits += 5;                                               // allow:raw-byte-literal — base32 5-bit group
-    if (bits >= 8) { bits -= 8; out.push((value >> bits) & 0xff); }   // allow:raw-byte-literal — emit a full octet
+    value = (value << 5) | idx;                              // base32 5-bit group
+    bits += 5;                                               // base32 5-bit group
+    if (bits >= 8) { bits -= 8; out.push((value >> bits) & 0xff); }   // emit a full octet
   }
   return Buffer.from(out);
 }
@@ -394,13 +394,13 @@ function _parseTypeBitmaps(buf, off, end) {
   while (i + 2 <= end) {
     var win = buf[i], len = buf[i + 1];
     i += 2;
-    if (len < 1 || len > 32 || i + len > end) {              // allow:raw-byte-literal — bitmap window ≤ 256 bits = 32 octets (RFC 4034 §4.1.2)
+    if (len < 1 || len > 32 || i + len > end) {              // bitmap window ≤ 256 bits = 32 octets (RFC 4034 §4.1.2)
       throw new DnssecError("dnssec/bad-bitmap", "dnssec: malformed NSEC type bitmap");
     }
     for (var j = 0; j < len; j++) {
       var octet = buf[i + j];
-      for (var bit = 0; bit < 8; bit++) {                    // allow:raw-byte-literal — 8 bits per octet
-        if (octet & (0x80 >> bit)) types.add(win * 256 + j * 8 + bit);   // allow:raw-byte-literal — bit→type-number (window*256 + octet*8 + bit)
+      for (var bit = 0; bit < 8; bit++) {                    // 8 bits per octet
+        if (octet & (0x80 >> bit)) types.add(win * 256 + j * 8 + bit);   // bit→type-number (window*256 + octet*8 + bit)
       }
     }
     i += len;
@@ -417,7 +417,7 @@ function _readWireName(buf, off) {
     if (i >= buf.length) throw new DnssecError("dnssec/bad-name", "dnssec: truncated name in RDATA");
     var len = buf[i];
     if (len === 0) { i++; break; }
-    if ((len & 0xc0) !== 0) throw new DnssecError("dnssec/bad-name", "dnssec: compression pointer in signed RDATA");   // allow:raw-byte-literal — RFC 1035 label-length top-two-bits flag
+    if ((len & 0xc0) !== 0) throw new DnssecError("dnssec/bad-name", "dnssec: compression pointer in signed RDATA");   // RFC 1035 label-length top-two-bits flag
     i++;
     labels.push(buf.slice(i, i + len).toString("ascii"));
     i += len;
@@ -426,7 +426,7 @@ function _readWireName(buf, off) {
 }
 
 function _parseNsec3Rdata(rd) {
-  if (rd.length < 6) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 RDATA too short");   // allow:raw-byte-literal — fixed NSEC3 header octets
+  if (rd.length < 6) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 RDATA too short");   // fixed NSEC3 header octets
   var hashAlg = rd[0], flags = rd[1], iterations = rd.readUInt16BE(2), saltLen = rd[4];
   var off = 5 + saltLen;
   if (off + 1 > rd.length) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 salt overruns RDATA");
@@ -762,17 +762,17 @@ function _commonSuffixLen(a, b) {
 // KSK-2024 (tag 38696), published at data.iana.org/root-anchors. An
 // operator pins their own via opts.trustAnchors.
 var DEFAULT_ROOT_ANCHORS = [
-  { keyTag: 20326, algorithm: 8, digestType: 2, digest: Buffer.from("E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D", "hex") },   // allow:raw-byte-literal — IANA root KSK-2017 DS
-  { keyTag: 38696, algorithm: 8, digestType: 2, digest: Buffer.from("683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16", "hex") },   // allow:raw-byte-literal — IANA root KSK-2024 DS
+  { keyTag: 20326, algorithm: 8, digestType: 2, digest: Buffer.from("E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D", "hex") },   // IANA root KSK-2017 DS
+  { keyTag: 38696, algorithm: 8, digestType: 2, digest: Buffer.from("683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16", "hex") },   // IANA root KSK-2024 DS
 ];
 
 function _dnskeyParts(rdata, what) {
   var rd = _bytes(rdata, what || "dnskey rdata");
-  if (rd.length < 4) throw new DnssecError("dnssec/bad-key", "dnssec: DNSKEY RDATA too short");   // allow:raw-byte-literal — DNSKEY fixed header octets
+  if (rd.length < 4) throw new DnssecError("dnssec/bad-key", "dnssec: DNSKEY RDATA too short");   // DNSKEY fixed header octets
   return { flags: rd.readUInt16BE(0), algorithm: rd[3], publicKey: rd.slice(4) };
 }
 function _parseDsRdata(rd) {
-  if (rd.length < 5) throw new DnssecError("dnssec/bad-ds", "dnssec: DS RDATA too short");   // allow:raw-byte-literal — DS fixed header octets
+  if (rd.length < 5) throw new DnssecError("dnssec/bad-ds", "dnssec: DS RDATA too short");   // DS fixed header octets
   return { keyTag: rd.readUInt16BE(0), algorithm: rd[2], digestType: rd[3], digest: rd.slice(4) };
 }
 // ALL DNSKEYs whose key tag matches — 16-bit key tags collide (RFC 4034

package/lib/network-smtp-policy.js

@@ -182,8 +182,8 @@ async function mtaStsFetch(domain, opts) {
     } catch (_e) {
       return null;
     }
-    if (res.statusCode === 404) return null;                                     // allow:raw-byte-literal — HTTP 404
-    if (res.statusCode < 200 || res.statusCode >= 300) {                         // allow:raw-byte-literal — HTTP 2xx range
+    if (res.statusCode === 404) return null;                                     // HTTP 404
+    if (res.statusCode < 200 || res.statusCode >= 300) {                         // HTTP 2xx range
       throw new SmtpPolicyError("smtp/mta-sts-fetch-failed",
         "MTA-STS fetch returned " + res.statusCode + " for " + url);
     }
@@ -234,7 +234,7 @@ async function daneTlsa(domain, port, opts) {
       "dane.tlsa: domain must be a non-empty string");
   }
   opts = opts || {};
-  var p = typeof port === "number" ? port : 25;                                  // allow:raw-byte-literal — IANA SMTP port
+  var p = typeof port === "number" ? port : 25;                                  // IANA SMTP port
   var qname = "_" + p + "._tcp." + domain.toLowerCase();
   // node:dns has resolveTlsa() since Node 18.16.0.
   if (typeof dnsPromises.resolveTlsa !== "function") {
@@ -326,7 +326,7 @@ function _extractIssuerDer(certDer) {
   var idx = 0;
   if (tbsKids.length > 0 &&
       tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
-      tbsKids[0].tag === 0) {                                                    // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
+      tbsKids[0].tag === 0) {                                                    // X.509 [0] EXPLICIT version tag
     idx = 1;
   }
   // TBSCertificate fields: serial, signature, issuer, validity, subject, ...
@@ -352,7 +352,7 @@ function _extractSubjectDer(certDer) {
   var idx = 0;
   if (tbsKids.length > 0 &&
       tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
-      tbsKids[0].tag === 0) {                                                    // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
+      tbsKids[0].tag === 0) {                                                    // X.509 [0] EXPLICIT version tag
     idx = 1;
   }
   // Subject = idx + 4 (after serial / signature / issuer / validity).
@@ -386,11 +386,11 @@ function _extractSubjectPublicKeyInfo(certDer) {
   var idx = 0;
   if (tbsKids.length > 0 &&
       tbsKids[0].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC &&
-      tbsKids[0].tag === 0) {                                                    // allow:raw-byte-literal — X.509 [0] EXPLICIT version tag
+      tbsKids[0].tag === 0) {                                                    // X.509 [0] EXPLICIT version tag
     idx = 1;
   }
   // Skip serialNumber / signature / issuer / validity / subject — five fields.
-  var spkiIdx = idx + 5;                                                         // allow:raw-byte-literal — X.509 TBSCertificate field count
+  var spkiIdx = idx + 5;                                                         // X.509 TBSCertificate field count
   if (spkiIdx >= tbsKids.length) return null;
   var spki = tbsKids[spkiIdx];
   if (spki.tag !== asn1.TAG.SEQUENCE) return null;
@@ -452,7 +452,7 @@ function daneVerifyChain(certChain, tlsaRecords, opts) {
   for (var t = 0; t < tlsaRecords.length; t += 1) {
     var rec = tlsaRecords[t];
     var usage = rec.usage;
-    if (usage === 2) {                                                           // allow:raw-byte-literal — TLSA cert-usage code (RFC 6698 §2.1.1) — DANE-TA: match against trust anchor IN the chain (RFC 7672 §3.1.1).
+    if (usage === 2) {                                                           // TLSA cert-usage code (RFC 6698 §2.1.1) — DANE-TA: match against trust anchor IN the chain (RFC 7672 §3.1.1).
       // The framework now enforces chain order: the matched DANE-TA
       // cert at position i must have its Subject equal to the Issuer
       // of cert at position i-1 (i.e. it must actually be the parent
@@ -668,7 +668,7 @@ async function tlsRptSubmit(report, opts) {
           timeoutMs: timeoutMs,
         });
         entry.status = rv && rv.status;
-        entry.ok = entry.status >= 200 && entry.status < 300;                  // allow:raw-byte-literal — HTTP 2xx range
+        entry.ok = entry.status >= 200 && entry.status < 300;                  // HTTP 2xx range
         if (!entry.ok) entry.error = "HTTP " + entry.status;
       } else if (/^mailto:/i.test(uri)) {
         // Operator-side transport. Surface the prepared body so the
@@ -716,7 +716,7 @@ async function tlsRptSubmit(report, opts) {
 // tlsRpt.recordShape / tlsRpt.submit on the send side.
 
 var TLS_RPT_MAX_REPORT_BYTES = C.BYTES.mib(8);
-var TLS_RPT_MAX_POLICIES_PER_REPORT = 1024;                                       // allow:raw-byte-literal allow:raw-time-literal — count cap, not seconds
+var TLS_RPT_MAX_POLICIES_PER_REPORT = 1024;                                       // allow:raw-time-literal — count cap, not seconds
 
 function tlsRptParseReport(body, opts) {
   opts = opts || {};