@blamejs/core 0.14.0 → 0.14.2

package/lib/archive-read.js

@@ -58,12 +58,12 @@ var archiveAdapters = lazyRequire(function () { return require("./archive-adapte
 // Aligned with the write-side `lib/archive.js`. APPNOTE.TXT § references
 // follow each signature so a future spec bump is mechanical.
 
-var SIG_LFH                 = 0x04034b50;       // allow:raw-byte-literal — APPNOTE §4.3.7 LFH magic dword (wire-format-fixed)
-var SIG_CFH                 = 0x02014b50;       // allow:raw-byte-literal — APPNOTE §4.3.12 CFH magic dword (wire-format-fixed)
-var SIG_EOCD                = 0x06054b50;       // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD magic dword (wire-format-fixed)
-var SIG_EOCD64              = 0x06064b50;       // allow:raw-byte-literal — APPNOTE §4.3.14 ZIP64 EOCD magic dword (wire-format-fixed)
-var SIG_EOCD64_LOCATOR      = 0x07064b50;       // allow:raw-byte-literal — APPNOTE §4.3.15 ZIP64 EOCD locator magic dword (wire-format-fixed)
-var SIG_DATA_DESCRIPTOR     = 0x08074b50;       // allow:raw-byte-literal — APPNOTE §4.3.9 data-descriptor magic dword (wire-format-fixed)
+var SIG_LFH                 = 0x04034b50;       // APPNOTE §4.3.7 LFH magic dword (wire-format-fixed)
+var SIG_CFH                 = 0x02014b50;       // APPNOTE §4.3.12 CFH magic dword (wire-format-fixed)
+var SIG_EOCD                = 0x06054b50;       // APPNOTE §4.3.16 EOCD magic dword (wire-format-fixed)
+var SIG_EOCD64              = 0x06064b50;       // APPNOTE §4.3.14 ZIP64 EOCD magic dword (wire-format-fixed)
+var SIG_EOCD64_LOCATOR      = 0x07064b50;       // APPNOTE §4.3.15 ZIP64 EOCD locator magic dword (wire-format-fixed)
+var SIG_DATA_DESCRIPTOR     = 0x08074b50;       // APPNOTE §4.3.9 data-descriptor magic dword (wire-format-fixed)
 void SIG_EOCD64; void SIG_EOCD64_LOCATOR;
 
 var METHOD_STORE_ID         = 0;
@@ -94,7 +94,7 @@ var MSDOS_EPOCH_YEAR        = 1980;
 // ---- Default zip-bomb / entry caps ---------------------------------------
 
 var DEFAULT_BOMB_POLICY = Object.freeze({
-  maxEntries:                65535,                                   // allow:raw-byte-literal — APPNOTE §4.4.21 16-bit entry-count field's max (ZIP64 deferred)
+  maxEntries:                65535,                                   // APPNOTE §4.4.21 16-bit entry-count field's max (ZIP64 deferred)
   maxEntryDecompressedBytes: C.BYTES.mib(128),                  // per-entry cap
   maxTotalDecompressedBytes: C.BYTES.gib(4),                    // archive-wide cap
   maxExpansionRatio:         100,                                     // compressed → decompressed ratio cap
@@ -193,10 +193,10 @@ async function _locateEocd(adapter) {
           eocdOffset:           scanOffset + i,
           diskNumber:           tail.readUInt16LE(i + 4),
           cdDiskNumber:         tail.readUInt16LE(i + 6),
-          entriesOnThisDisk:    tail.readUInt16LE(i + 8),            // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD field offset
-          totalEntries:         tail.readUInt16LE(i + 10),           // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD field offset
-          cdSize:               tail.readUInt32LE(i + 12),           // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD field offset
-          cdOffset:             tail.readUInt32LE(i + 16),           // allow:raw-byte-literal — APPNOTE §4.3.16 EOCD field offset
+          entriesOnThisDisk:    tail.readUInt16LE(i + 8),            // APPNOTE §4.3.16 EOCD field offset
+          totalEntries:         tail.readUInt16LE(i + 10),           // APPNOTE §4.3.16 EOCD field offset
+          cdSize:               tail.readUInt32LE(i + 12),           // APPNOTE §4.3.16 EOCD field offset
+          cdOffset:             tail.readUInt32LE(i + 16),           // APPNOTE §4.3.16 EOCD field offset
           commentLength:        commentLen,
         };
       }
@@ -234,20 +234,20 @@ async function _readCentralDirectory(adapter, eocd) {
     if (cdBytes.readUInt32LE(pos) !== SIG_CFH) {
       throw new ArchiveReadError("archive-read/bad-cd-signature",
         "central directory entry " + n + " has bad signature " +
-        "0x" + cdBytes.readUInt32LE(pos).toString(16));                    // allow:raw-byte-literal — radix=16 for hex parse, not byte count
+        "0x" + cdBytes.readUInt32LE(pos).toString(16));                    // radix=16 for hex parse, not byte count
     }
-    var generalFlags     = cdBytes.readUInt16LE(pos + 8);                  // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var method           = cdBytes.readUInt16LE(pos + 10);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var dosTime          = cdBytes.readUInt16LE(pos + 12);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var dosDate          = cdBytes.readUInt16LE(pos + 14);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var crc32            = cdBytes.readUInt32LE(pos + 16);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var compressedSize   = cdBytes.readUInt32LE(pos + 20);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var uncompressedSize = cdBytes.readUInt32LE(pos + 24);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var nameLen          = cdBytes.readUInt16LE(pos + 28);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var extraLen         = cdBytes.readUInt16LE(pos + 30);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var commentLen       = cdBytes.readUInt16LE(pos + 32);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var externalAttrs    = cdBytes.readUInt32LE(pos + 38);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
-    var lfhOffset        = cdBytes.readUInt32LE(pos + 42);                 // allow:raw-byte-literal — APPNOTE §4.3.12 CFH field offset
+    var generalFlags     = cdBytes.readUInt16LE(pos + 8);                  // APPNOTE §4.3.12 CFH field offset
+    var method           = cdBytes.readUInt16LE(pos + 10);                 // APPNOTE §4.3.12 CFH field offset
+    var dosTime          = cdBytes.readUInt16LE(pos + 12);                 // APPNOTE §4.3.12 CFH field offset
+    var dosDate          = cdBytes.readUInt16LE(pos + 14);                 // APPNOTE §4.3.12 CFH field offset
+    var crc32            = cdBytes.readUInt32LE(pos + 16);                 // APPNOTE §4.3.12 CFH field offset
+    var compressedSize   = cdBytes.readUInt32LE(pos + 20);                 // APPNOTE §4.3.12 CFH field offset
+    var uncompressedSize = cdBytes.readUInt32LE(pos + 24);                 // APPNOTE §4.3.12 CFH field offset
+    var nameLen          = cdBytes.readUInt16LE(pos + 28);                 // APPNOTE §4.3.12 CFH field offset
+    var extraLen         = cdBytes.readUInt16LE(pos + 30);                 // APPNOTE §4.3.12 CFH field offset
+    var commentLen       = cdBytes.readUInt16LE(pos + 32);                 // APPNOTE §4.3.12 CFH field offset
+    var externalAttrs    = cdBytes.readUInt32LE(pos + 38);                 // APPNOTE §4.3.12 CFH field offset
+    var lfhOffset        = cdBytes.readUInt32LE(pos + 42);                 // APPNOTE §4.3.12 CFH field offset
     var nameStart        = pos + CFH_FIXED_BYTES;
     var extraStart       = nameStart + nameLen;
     var totalLen         = CFH_FIXED_BYTES + nameLen + extraLen + commentLen;
@@ -292,7 +292,7 @@ async function _verifyLfhMatchesCd(adapter, entry) {
   if (lfhPrefix.readUInt32LE(0) !== SIG_LFH) {
     throw new ArchiveReadError("archive-read/bad-lfh-signature",
       "local file header for " + JSON.stringify(entry.name) +
-      " has bad signature 0x" + lfhPrefix.readUInt32LE(0).toString(16));                    // allow:raw-byte-literal — radix=16 for hex parse, not byte count
+      " has bad signature 0x" + lfhPrefix.readUInt32LE(0).toString(16));                    // radix=16 for hex parse, not byte count
   }
   var lfhMethod  = lfhPrefix.readUInt16LE(8);
   var lfhCrc     = lfhPrefix.readUInt32LE(14);

package/lib/archive-tar-read.js

@@ -38,10 +38,10 @@ var TF_PAX_GLOBAL = "g";
 void TF_CHARDEV; void TF_BLOCKDEV; void TF_FIFO; void TF_CONTIGUOUS;
 
 var DEFAULT_BOMB_POLICY = Object.freeze({
-  maxEntries:                65535,                                                  // allow:raw-byte-literal — operator-friendly default ceiling
+  maxEntries:                65535,                                                  // operator-friendly default ceiling
   maxEntryDecompressedBytes: C.BYTES.mib(128),
   maxTotalDecompressedBytes: C.BYTES.gib(4),
-  maxExpansionRatio:         100,                                                    // allow:raw-byte-literal — tar has no compression-ratio concept, but keep field for orchestrator policy parity
+  maxExpansionRatio:         100,                                                    // tar has no compression-ratio concept, but keep field for orchestrator policy parity
 });
 
 var DEFAULT_ENTRY_TYPE_POLICY = Object.freeze({

package/lib/archive-tar.js

@@ -89,7 +89,7 @@ var USTAR_VERSION = "00";                 // 2 bytes
 var NAME_MAX = C.BYTES.bytes(100);        // ustar name field cap
 var PREFIX_MAX = C.BYTES.bytes(155);      // ustar prefix field cap
 var LINKNAME_MAX = C.BYTES.bytes(100);    // ustar linkname field cap
-var USTAR_SIZE_MAX = 0o77777777777;       // allow:raw-byte-literal — 11 octal digits = 8 GiB - 1 per ustar size-field width
+var USTAR_SIZE_MAX = 0o77777777777;       // 11 octal digits = 8 GiB - 1 per ustar size-field width
 
 // Header field byte offsets (POSIX.1-1988 ustar; same in POSIX.1-2001 pax)
 var H_NAME = C.BYTES.bytes(0);
@@ -146,7 +146,7 @@ function _writeOctal(buf, value, offset, width) {
   // For width=8, that's 7 octal digits + terminator. For width=12, 11
   // digits + terminator.
   var digits = width - 1;
-  var oct = value.toString(8);                                                       // allow:raw-byte-literal — radix=8 for octal stringify per ustar field format
+  var oct = value.toString(8);                                                       // radix=8 for octal stringify per ustar field format
   if (oct.length > digits) {
     throw new TarError("archive-tar/octal-overflow",
       "value " + value + " (octal " + oct + ") exceeds field width " + digits);
@@ -154,7 +154,7 @@ function _writeOctal(buf, value, offset, width) {
   // Left-pad with '0' to fill the digits.
   while (oct.length < digits) oct = "0" + oct;
   buf.write(oct, offset, digits, "ascii");
-  buf.writeUInt8(0x20, offset + digits);     // allow:raw-byte-literal — ASCII space (' ') terminator per ustar
+  buf.writeUInt8(0x20, offset + digits);     // ASCII space (' ') terminator per ustar
 }
 
 function _writeString(buf, value, offset, width) {
@@ -175,15 +175,15 @@ function _readOctal(buf, offset, width) {
   var s = "";
   for (var i = 0; i < width; i += 1) {
     var c = buf[offset + i];
-    if (c === 0x20 || c === 0) break;                                                // allow:raw-byte-literal — ASCII space (0x20) + NUL (0x00) field terminators
-    if (c < 0x30 || c > 0x37) {                                                      // allow:raw-byte-literal — ASCII '0' (0x30) .. '7' (0x37) octal digits
+    if (c === 0x20 || c === 0) break;                                                // ASCII space (0x20) + NUL (0x00) field terminators
+    if (c < 0x30 || c > 0x37) {                                                      // ASCII '0' (0x30) .. '7' (0x37) octal digits
       throw new TarError("archive-tar/bad-octal",
-        "non-octal byte 0x" + c.toString(16) + " at offset " + (offset + i));        // allow:raw-byte-literal — radix=16 for diagnostic hex format
+        "non-octal byte 0x" + c.toString(16) + " at offset " + (offset + i));        // radix=16 for diagnostic hex format
     }
     s += String.fromCharCode(c);
   }
   if (s.length === 0) return 0;
-  return parseInt(s, 8);                                                             // allow:raw-byte-literal — radix=8 for octal parse per ustar field format
+  return parseInt(s, 8);                                                             // radix=8 for octal parse per ustar field format
 }
 
 function _readString(buf, offset, width) {
@@ -203,7 +203,7 @@ function _computeChecksum(buf) {
   var sum = 0;
   for (var i = 0; i < BLOCK_SIZE; i += 1) {
     if (i >= H_CHKSUM && i < H_CHKSUM + W_CHKSUM) {
-      sum += 0x20;                                                                   // allow:raw-byte-literal — chksum field treated as 8 spaces per POSIX.1-1988
+      sum += 0x20;                                                                   // chksum field treated as 8 spaces per POSIX.1-1988
     } else {
       sum += buf[i];
     }
@@ -214,16 +214,16 @@ function _computeChecksum(buf) {
 function _writeChecksum(buf) {
   // Write 6 octal digits + NUL + space into the chksum field.
   var sum = _computeChecksum(buf);
-  var oct = sum.toString(8);                                                         // allow:raw-byte-literal — radix=8 for octal stringify per ustar chksum field format
-  while (oct.length < 6) oct = "0" + oct;                                            // allow:raw-byte-literal — chksum field is 6 octal digits per POSIX ustar
-  if (oct.length > 6) {                                                              // allow:raw-byte-literal — chksum field is 6 octal digits per POSIX ustar
+  var oct = sum.toString(8);                                                         // radix=8 for octal stringify per ustar chksum field format
+  while (oct.length < 6) oct = "0" + oct;                                            // chksum field is 6 octal digits per POSIX ustar
+  if (oct.length > 6) {                                                              // chksum field is 6 octal digits per POSIX ustar
     // Header is corrupt / oversized somewhere; surface a typed error.
     throw new TarError("archive-tar/chksum-overflow",
       "chksum " + sum + " (" + oct + ") exceeds 6 octal digits");
   }
-  buf.write(oct, H_CHKSUM, 6, "ascii");                                              // allow:raw-byte-literal — chksum field is 6 octal digits per POSIX ustar
-  buf.writeUInt8(0, H_CHKSUM + 6);                                                   // allow:raw-byte-literal — chksum field: 6 digits + NUL + space per POSIX ustar
-  buf.writeUInt8(0x20, H_CHKSUM + 7);                                                // allow:raw-byte-literal — chksum field: 6 digits + NUL + space per POSIX ustar
+  buf.write(oct, H_CHKSUM, 6, "ascii");                                              // chksum field is 6 octal digits per POSIX ustar
+  buf.writeUInt8(0, H_CHKSUM + 6);                                                   // chksum field: 6 digits + NUL + space per POSIX ustar
+  buf.writeUInt8(0x20, H_CHKSUM + 7);                                                // chksum field: 6 digits + NUL + space per POSIX ustar
 }
 
 function _verifyChecksum(buf) {
@@ -349,11 +349,11 @@ function _buildUstarHeader(entry) {
   _writeOctal(buf, entry.mtime || 0, H_MTIME, W_MTIME);
   // chksum field — written as 8 spaces during computation, then
   // replaced with the computed value below.
-  buf.fill(0x20, H_CHKSUM, H_CHKSUM + W_CHKSUM);                                     // allow:raw-byte-literal — pre-fill chksum field with spaces per POSIX
+  buf.fill(0x20, H_CHKSUM, H_CHKSUM + W_CHKSUM);                                     // pre-fill chksum field with spaces per POSIX
   buf.write(entry.typeflag || TF_REGULAR, H_TYPEFLAG, 1, "ascii");
   if (entry.linkname) _writeString(buf, entry.linkname, H_LINKNAME, LINKNAME_MAX);
-  buf.write(USTAR_MAGIC, H_MAGIC, 6, "ascii");                                       // allow:raw-byte-literal — ustar magic is 6 bytes per POSIX
-  buf.write(USTAR_VERSION, H_VERSION, 2, "ascii");                                   // allow:raw-byte-literal — ustar version is 2 bytes per POSIX
+  buf.write(USTAR_MAGIC, H_MAGIC, 6, "ascii");                                       // ustar magic is 6 bytes per POSIX
+  buf.write(USTAR_VERSION, H_VERSION, 2, "ascii");                                   // ustar version is 2 bytes per POSIX
   if (entry.uname) _writeString(buf, entry.uname, H_UNAME, W_UNAME);
   if (entry.gname) _writeString(buf, entry.gname, H_GNAME, W_GNAME);
   if (prefix) _writeString(buf, prefix, H_PREFIX, PREFIX_MAX);
@@ -444,7 +444,7 @@ function tarBuilder() {
     }
     var pieces = [];
     if (paxRecords.length > 0) {
-      pieces.push(_buildPaxExtendedHeader(paxRecords, "PaxHeader/" + entry.name.slice(0, 80)));  // allow:raw-byte-literal — pax header name fits in ustar 100-char field with 20-char prefix budget
+      pieces.push(_buildPaxExtendedHeader(paxRecords, "PaxHeader/" + entry.name.slice(0, 80)));  // pax header name fits in ustar 100-char field with 20-char prefix budget
     }
     var hdr = _buildUstarHeader({
       name:      entry.name,
@@ -471,7 +471,7 @@ function tarBuilder() {
       pieces.push(_entryBytes(entries[i]));
     }
     // Two zero blocks terminate the archive (POSIX requirement).
-    pieces.push(Buffer.alloc(BLOCK_SIZE * 2));                                       // allow:raw-byte-literal — POSIX requires 2 trailing zero blocks
+    pieces.push(Buffer.alloc(BLOCK_SIZE * 2));                                       // POSIX requires 2 trailing zero blocks
     return Buffer.concat(pieces);
   }
 
@@ -483,7 +483,7 @@ function tarBuilder() {
     for (var i = 0; i < entries.length; i += 1) {
       await adapter.write(_entryBytes(entries[i]));
     }
-    await adapter.write(Buffer.alloc(BLOCK_SIZE * 2));                               // allow:raw-byte-literal — 2 trailing zero blocks
+    await adapter.write(Buffer.alloc(BLOCK_SIZE * 2));                               // 2 trailing zero blocks
     if (typeof adapter.end === "function") await adapter.end();
   }
 

package/lib/archive-wrap.js

@@ -36,14 +36,14 @@ var agentTenant = lazyRequire(function () { return require("./agent-tenant"); })
 // recognises. Distinct from b.crypto.encrypt's base64 envelope so
 // archive-wrap output can carry an unambiguous "this is an archive
 // wrap envelope" magic before the operator-controlled payload.
-var ARCH_WRAP_MAGIC = "BAWRP";                                                       // allow:raw-byte-literal — 5-byte ASCII archive-wrap recipient envelope magic
-var ARCH_WRAP_VERSION = 0x01;                                                        // allow:raw-byte-literal — recipient version byte (hybrid-KEM envelope)
+var ARCH_WRAP_MAGIC = "BAWRP";                                                       // 5-byte ASCII archive-wrap recipient envelope magic
+var ARCH_WRAP_VERSION = 0x01;                                                        // recipient version byte (hybrid-KEM envelope)
 // Tenant strategy uses the same BAWRP magic with a distinct version
 // byte: the body is a symmetric XChaCha20-Poly1305 packed ciphertext
 // (b.crypto.encryptPacked) keyed by the tenant's vault-derived key,
 // not a hybrid-KEM envelope. unwrap dispatches on the version byte so
 // a tenant envelope is never fed to the KEM decrypt path.
-var ARCH_WRAP_VERSION_TENANT = 0x02;                                                 // allow:raw-byte-literal — tenant symmetric-seal version byte
+var ARCH_WRAP_VERSION_TENANT = 0x02;                                                 // tenant symmetric-seal version byte
 // Purpose label for the per-tenant key derivation (domain-separates
 // the archive-wrap key from a tenant's seal / audit / session keys).
 var TENANT_KEY_PURPOSE = "archive-wrap";
@@ -53,8 +53,8 @@ var ARCH_WRAP_HEADER_BYTES = C.BYTES.bytes(6);
 // from backup-crypto encryptWithPassphrase). The salt-prefix shape
 // lets the framework rotate KDF parameters in future minors without
 // per-envelope version bumps (each envelope carries its own salt).
-var ARCH_PASSPHRASE_MAGIC = "BAWPP";                                                 // allow:raw-byte-literal — 5-byte passphrase-wrap envelope magic
-var ARCH_PASSPHRASE_VERSION = 0x01;                                                  // allow:raw-byte-literal — passphrase version byte
+var ARCH_PASSPHRASE_MAGIC = "BAWPP";                                                 // 5-byte passphrase-wrap envelope magic
+var ARCH_PASSPHRASE_VERSION = 0x01;                                                  // passphrase version byte
 var ARCH_PASSPHRASE_HEADER_BYTES = C.BYTES.bytes(7);                                  // magic(5) + version(1) + saltLen(1)
 
 /**
@@ -418,7 +418,7 @@ async function wrapWithPassphrase(bytes, opts) {
   // so NaN / Infinity can't slip past the entropy gate.
   var minEntropy;
   if (opts.minEntropyBits === undefined || opts.minEntropyBits === null) {
-    minEntropy = 80;                                                                  // allow:raw-byte-literal — entropy-bits default, not byte count
+    minEntropy = 80;                                                                  // entropy-bits default, not byte count
   } else if (Number.isFinite(opts.minEntropyBits) && opts.minEntropyBits >= 0) {
     minEntropy = Math.floor(opts.minEntropyBits);
   } else {
@@ -550,10 +550,10 @@ function _estimatePassphraseEntropyBits(passphrase) {
     else hasSpecial = true;
   }
   var alphabet = 0;
-  if (hasLower) alphabet += 26;                                                       // allow:raw-byte-literal — alphabet-size term, not byte count
-  if (hasUpper) alphabet += 26;                                                       // allow:raw-byte-literal — alphabet-size term, not byte count
-  if (hasDigit) alphabet += 10;                                                       // allow:raw-byte-literal — alphabet-size term, not byte count
-  if (hasSpecial) alphabet += 32;                                                     // allow:raw-byte-literal — alphabet-size term, not byte count
+  if (hasLower) alphabet += 26;                                                       // alphabet-size term, not byte count
+  if (hasUpper) alphabet += 26;                                                       // alphabet-size term, not byte count
+  if (hasDigit) alphabet += 10;                                                       // alphabet-size term, not byte count
+  if (hasSpecial) alphabet += 32;                                                     // alphabet-size term, not byte count
   if (alphabet === 0) return 0;
   return Math.floor(s.length * Math.log2(alphabet));
 }

package/lib/argon2-builtin.js

@@ -27,7 +27,7 @@ var C = require("./constants");
 var ARGON2ID = "argon2id";
 
 // Argon2 v1.3 — the only version current implementations emit.
-var ARGON2_VERSION = 0x13;                                                       // allow:raw-byte-literal — argon2 algorithm version
+var ARGON2_VERSION = 0x13;                                                       // argon2 algorithm version
 
 var DEFAULT_HASH_LENGTH = C.BYTES.bytes(32);
 var DEFAULT_SALT_LENGTH = C.BYTES.bytes(16);

package/lib/asn1-der.js

@@ -31,10 +31,10 @@ var Asn1Error = defineClass("Asn1Error", { alwaysPermanent: true });
 
 // ASN.1 tag classes per ITU-T X.690 §8.1.2.
 var TAG_CLASS = Object.freeze({
-  UNIVERSAL:        0,                                                          // allow:raw-byte-literal — ASN.1 tag class
-  APPLICATION:      1,                                                          // allow:raw-byte-literal — ASN.1 tag class
-  CONTEXT_SPECIFIC: 2,                                                          // allow:raw-byte-literal — ASN.1 tag class
-  PRIVATE:          3,                                                          // allow:raw-byte-literal — ASN.1 tag class
+  UNIVERSAL:        0,                                                          // ASN.1 tag class
+  APPLICATION:      1,                                                          // ASN.1 tag class
+  CONTEXT_SPECIFIC: 2,                                                          // ASN.1 tag class
+  PRIVATE:          3,                                                          // ASN.1 tag class
 });
 
 // Universal tag numbers used by the framework.
@@ -70,9 +70,9 @@ function readNode(buf, offset) {
   }
 
   var b0 = buf[offset];
-  var tagClass   = (b0 >> 6) & 0x03;                                            // allow:raw-byte-literal — tag-class extraction
-  var constructed = (b0 & 0x20) !== 0;                                          // allow:raw-byte-literal — constructed bit
-  var tag         = b0 & 0x1f;                                                  // allow:raw-byte-literal — short-form tag
+  var tagClass   = (b0 >> 6) & 0x03;                                            // tag-class extraction
+  var constructed = (b0 & 0x20) !== 0;                                          // constructed bit
+  var tag         = b0 & 0x1f;                                                  // short-form tag
 
   var headerLen = 1;
   if (tag === 0x1f) {
@@ -85,8 +85,8 @@ function readNode(buf, offset) {
       }
       var byte = buf[offset + headerLen];
       headerLen += 1;
-      tag = (tag << 7) | (byte & 0x7f);                                         // allow:raw-byte-literal — base-128 tag bits
-      if ((byte & 0x80) === 0) break;                                           // allow:raw-byte-literal — continuation bit
+      tag = (tag << 7) | (byte & 0x7f);                                         // base-128 tag bits
+      if ((byte & 0x80) === 0) break;                                           // continuation bit
     }
   }
 
@@ -107,7 +107,7 @@ function readNode(buf, offset) {
       throw new Asn1Error("asn1/indefinite-length",
         "indefinite-length form is not allowed in DER");
     }
-    if (lenOctets > 4) {                                                        // allow:raw-byte-literal — DER length cap (>4 GiB)
+    if (lenOctets > 4) {                                                        // DER length cap (>4 GiB)
       throw new Asn1Error("asn1/bad-length",
         "length octets " + lenOctets + " exceeds 4 — refusing >4 GiB structure");
     }
@@ -116,7 +116,7 @@ function readNode(buf, offset) {
     }
     length = 0;
     for (var i = 0; i < lenOctets; i += 1) {
-      length = (length * 256) + buf[offset + headerLen + i];                    // allow:raw-byte-literal — base-256 length bytes
+      length = (length * 256) + buf[offset + headerLen + i];                    // base-256 length bytes
     }
     headerLen += lenOctets;
   }
@@ -162,10 +162,10 @@ function readOid(node) {
     throw new Asn1Error("asn1/oid-empty", "OID value is empty");
   }
   // First two arcs are encoded as `40*X + Y`.
-  var first = Math.floor(bytes[0] / 40);                                        // allow:raw-byte-literal — OID encoding constant
-  var second = bytes[0] % 40;                                                   // allow:raw-byte-literal — OID encoding constant
+  var first = Math.floor(bytes[0] / 40);                                        // OID encoding constant
+  var second = bytes[0] % 40;                                                   // OID encoding constant
   // Per X.690, when first byte >= 80 the first arc is 2 and second is byte-80.
-  if (first > 2) { first = 2; second = bytes[0] - 80; }                         // allow:raw-byte-literal — OID encoding constant
+  if (first > 2) { first = 2; second = bytes[0] - 80; }                         // OID encoding constant
   var arcs = [String(first), String(second)];
 
   var i = 1;
@@ -174,9 +174,9 @@ function readOid(node) {
     var j = i;
     while (j < bytes.length) {
       var b = bytes[j];
-      arc = (arc * 128) + (b & 0x7f);                                           // allow:raw-byte-literal — base-128 OID arc
+      arc = (arc * 128) + (b & 0x7f);                                           // base-128 OID arc
       j += 1;
-      if ((b & 0x80) === 0) break;                                              // allow:raw-byte-literal — continuation bit
+      if ((b & 0x80) === 0) break;                                              // continuation bit
     }
     if (j === i) {
       throw new Asn1Error("asn1/oid-malformed", "OID arc never terminated");
@@ -207,15 +207,15 @@ function readUnsignedInt(node) {
   if (bytes.length === 0) {
     throw new Asn1Error("asn1/int-empty", "INTEGER value is empty");
   }
-  if (bytes.length > 8) {                                                       // allow:raw-byte-literal — JS safe-int byte cap
+  if (bytes.length > 8) {                                                       // JS safe-int byte cap
     // Caller wanted an unsigned int — for big serials they want the raw
     // bytes instead. Surface as hex string so caller decides.
     return { hex: bytes.toString("hex") };
   }
   var n = 0;
-  var start = (bytes[0] === 0 && bytes.length > 1) ? 1 : 0;                     // allow:raw-byte-literal — DER zero-pad
+  var start = (bytes[0] === 0 && bytes.length > 1) ? 1 : 0;                     // DER zero-pad
   for (var k = start; k < bytes.length; k += 1) {
-    n = (n * 256) + bytes[k];                                                   // allow:raw-byte-literal — base-256 byte
+    n = (n * 256) + bytes[k];                                                   // base-256 byte
   }
   return n;
 }
@@ -259,13 +259,13 @@ function unwrapExplicit(node, expectedTag) {
 // All length fields use the standard X.690 short / long-form encoding.
 
 function _encodeLength(n) {
-  if (n < 128) return Buffer.from([n]);                                          // allow:raw-byte-literal — X.690 short-form length boundary
+  if (n < 128) return Buffer.from([n]);                                          // X.690 short-form length boundary
   // Long-form: first byte is 0x80 | numLengthOctets, then the length
   // big-endian.
   var bytes = [];
   while (n > 0) {
-    bytes.unshift(n & 0xff);                                                     // allow:raw-byte-literal — base-256 length encoding mask
-    n = n >>> 8;                                                                 // allow:raw-byte-literal — base-256 length encoding shift
+    bytes.unshift(n & 0xff);                                                     // base-256 length encoding mask
+    n = n >>> 8;                                                                 // base-256 length encoding shift
   }
   return Buffer.concat([Buffer.from([0x80 | bytes.length]), Buffer.from(bytes)]);
 }
@@ -276,7 +276,7 @@ function writeNode(tagByte, value) {
 
 function writeSequence(children) {
   // children: Array<Buffer> of already-encoded child nodes.
-  return writeNode(TAG.SEQUENCE | 0x20, Buffer.concat(children));                // allow:raw-byte-literal — DER constructed bit
+  return writeNode(TAG.SEQUENCE | 0x20, Buffer.concat(children));                // DER constructed bit
 }
 
 function writeOctetString(value) {
@@ -292,7 +292,7 @@ function writeInteger(buf) {
   // and the value is positive (cert serials always are here), prepend
   // 0x00 to disambiguate from a negative two's complement.
   if (buf.length === 0) return writeNode(TAG.INTEGER, Buffer.from([0]));
-  if (buf[0] & 0x80) {                                                           // allow:raw-byte-literal — sign-bit disambiguation
+  if (buf[0] & 0x80) {                                                           // sign-bit disambiguation
     return writeNode(TAG.INTEGER, Buffer.concat([Buffer.from([0]), buf]));
   }
   return writeNode(TAG.INTEGER, buf);
@@ -304,16 +304,16 @@ function writeOid(dotted) {
   if (parts.length < 2) {
     throw new Asn1Error("asn1/oid-too-short", "OID needs at least 2 arcs");
   }
-  var bytes = [parts[0] * 40 + parts[1]];                                        // allow:raw-byte-literal — OID first-arc encoding
+  var bytes = [parts[0] * 40 + parts[1]];                                        // OID first-arc encoding
   for (var i = 2; i < parts.length; i += 1) {
     var arc = parts[i];
     if (arc === 0) { bytes.push(0); continue; }
     var stack = [];
     while (arc > 0) {
-      stack.unshift(arc & 0x7f);                                                 // allow:raw-byte-literal — base-128 mask
-      arc = arc >>> 7;                                                           // allow:raw-byte-literal — base-128 shift
+      stack.unshift(arc & 0x7f);                                                 // base-128 mask
+      arc = arc >>> 7;                                                           // base-128 shift
     }
-    for (var j = 0; j < stack.length - 1; j += 1) stack[j] |= 0x80;              // allow:raw-byte-literal — continuation bit
+    for (var j = 0; j < stack.length - 1; j += 1) stack[j] |= 0x80;              // continuation bit
     for (var k = 0; k < stack.length; k += 1) bytes.push(stack[k]);
   }
   return writeNode(TAG.OID, Buffer.from(bytes));
@@ -321,7 +321,14 @@ function writeOid(dotted) {
 
 function writeContextExplicit(tagNumber, child) {
   // [N] EXPLICIT — context-specific class (0xA0 | tag) + constructed.
-  var tagByte = 0xa0 | (tagNumber & 0x1f);                                       // allow:raw-byte-literal — context-specific constructed mask
+  // Tag numbers > 30 need the multi-byte high-tag-number form, which this
+  // single-byte encoder does not emit — refuse rather than silently
+  // truncate via `& 0x1f`.
+  if (tagNumber < 0 || tagNumber > 30) {
+    throw new RangeError("asn1: context tag number " + tagNumber +
+      " out of range (0..30); high-tag-number form is not supported");
+  }
+  var tagByte = 0xa0 | (tagNumber & 0x1f);                                       // context-specific constructed mask
   return writeNode(tagByte, child);
 }
 
@@ -331,8 +338,12 @@ function writeContextImplicit(tagNumber, value, opts) {
   // wrapping a structured value (e.g. IMPLICIT [0] OCTET STRING vs
   // IMPLICIT [0] SEQUENCE OF). Value is the raw inner bytes (already
   // encoded for constructed cases).
-  var tagByte = 0x80 | (tagNumber & 0x1f);                                       // allow:raw-byte-literal — context-specific primitive mask
-  if (opts && opts.constructed) tagByte |= 0x20;                                 // allow:raw-byte-literal — constructed bit
+  if (tagNumber < 0 || tagNumber > 30) {
+    throw new RangeError("asn1: context tag number " + tagNumber +
+      " out of range (0..30); high-tag-number form is not supported");
+  }
+  var tagByte = 0x80 | (tagNumber & 0x1f);                                       // context-specific primitive mask
+  if (opts && opts.constructed) tagByte |= 0x20;                                 // constructed bit
   return writeNode(tagByte, value);
 }
 
@@ -340,7 +351,7 @@ function writeBitString(value, unusedBits) {
   // BIT STRING — first content byte is `unusedBits` (0..7), then the
   // bit string bytes. `unusedBits` is 0 for byte-aligned content
   // (RSA / ECDSA signatures, SubjectPublicKeyInfo bit strings).
-  var unused = typeof unusedBits === "number" ? (unusedBits & 0x07) : 0;         // allow:raw-byte-literal — 3-bit unused-bits count
+  var unused = typeof unusedBits === "number" ? (unusedBits & 0x07) : 0;         // 3-bit unused-bits count
   return writeNode(TAG.BIT_STRING, Buffer.concat([Buffer.from([unused]), value]));
 }
 
@@ -348,7 +359,7 @@ function writeSet(children) {
   // children: Array<Buffer> of already-encoded child nodes.
   // DER requires SET-OF children to be sorted by their encoded bytes.
   var sorted = children.slice().sort(Buffer.compare);
-  return writeNode(TAG.SET | 0x20, Buffer.concat(sorted));                       // allow:raw-byte-literal — DER constructed bit
+  return writeNode(TAG.SET | 0x20, Buffer.concat(sorted));                       // DER constructed bit
 }
 
 function writeUtf8String(s) {
@@ -383,7 +394,7 @@ function writeIa5String(s) {
 }
 
 function writeBoolean(b) {
-  return writeNode(TAG.BOOLEAN, Buffer.from([b ? 0xff : 0x00]));                 // allow:raw-byte-literal — DER true=0xff, false=0x00
+  return writeNode(TAG.BOOLEAN, Buffer.from([b ? 0xff : 0x00]));                 // DER true=0xff, false=0x00
 }
 
 // Find a child node of a SEQUENCE / SET by predicate. Returns null if

package/lib/atomic-file.js

@@ -328,7 +328,7 @@ function conflictPath(originalPath, opts) {
   }
   opts = opts || {};
   var tag = typeof opts.tag === "string" && opts.tag.length > 0 ? opts.tag : "conflict";
-  if (typeof tag !== "string" || tag.length === 0 || tag.length > 64) {                          // allow:raw-byte-literal — tag length cap, not bytes
+  if (typeof tag !== "string" || tag.length === 0 || tag.length > 64) {                          // tag length cap, not bytes
     throw new TypeError("b.atomicFile.conflictPath: tag must be a 1-64 char string");
   }
   if (!IDENT_RE.test(tag)) {                                                                     // allow:regex-no-length-cap — length-bounded immediately above
@@ -338,7 +338,7 @@ function conflictPath(originalPath, opts) {
   var suffix = "";
   if (opts.suffix !== undefined) {
     if (typeof opts.suffix !== "string" || opts.suffix.length === 0 ||
-        opts.suffix.length > 64) {                                                               // allow:raw-byte-literal — suffix length cap, not bytes
+        opts.suffix.length > 64) {                                                               // suffix length cap, not bytes
       throw new TypeError("b.atomicFile.conflictPath: suffix must be a 1-64 char string");
     }
     if (!IDENT_RE.test(opts.suffix)) {                                                           // allow:regex-no-length-cap — length-bounded immediately above

package/lib/audit-daily-review.js

@@ -181,7 +181,7 @@ function create(opts) {
 
   // lookbackHours — default 24 per PCI DSS 4.0 daily cadence. Caller can
   // pass weekly / monthly via larger numbers.
-  var lookbackHours = 24; // allow:raw-byte-literal — lookback in HOURS, not bytes
+  var lookbackHours = 24; // lookback in HOURS, not bytes
   if (opts.lookbackHours !== undefined) {
     if (typeof opts.lookbackHours !== "number" || !isFinite(opts.lookbackHours) ||
         opts.lookbackHours <= 0) {
@@ -206,8 +206,8 @@ function create(opts) {
   }
 
   var cron = opts.cron || "0 6 * * *";   // 06:00 UTC daily
-  var queryLimit = opts.queryLimit || 10000;                                    // allow:raw-byte-literal — operator-tunable result cap, count not bytes
-  var historyLimit = opts.historyLimit || 30;                                   // allow:raw-byte-literal — bounded history buffer (count, not bytes)
+  var queryLimit = opts.queryLimit || 10000;                                    // operator-tunable result cap, count not bytes
+  var historyLimit = opts.historyLimit || 30;                                   // bounded history buffer (count, not bytes)
   var classify = typeof opts.classify === "function" ? opts.classify : _defaultClassify;
   var now = typeof opts.now === "function" ? opts.now : Date.now;
   var auditMod = opts.audit;

package/lib/audit-sign.js

@@ -668,11 +668,11 @@ async function rotateSigningKey(rotOpts) {
   // small (a few KB) and signed audit checkpoints can be decades old.
   var iso = new Date().toISOString().replace(/[:.]/g, "-");
   if (currentMode === "wrapped" && paths && paths.sealed) {
-    var historyPath = paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* allow:raw-byte-literal — fingerprint hex truncation count */;
+    var historyPath = paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* fingerprint hex truncation count */;
     try { await atomicFile.copy(paths.sealed, historyPath); }
     catch (_e) { /* history copy is best-effort; the in-memory rotation still proceeds */ }
   } else if (currentMode === "plaintext" && paths && paths.plaintext) {
-    var historyPathP = paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* allow:raw-byte-literal — fingerprint hex truncation count */;
+    var historyPathP = paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* fingerprint hex truncation count */;
     try { await atomicFile.copy(paths.plaintext, historyPathP); }
     catch (_e) { /* history copy is best-effort */ }
   }
@@ -707,7 +707,7 @@ async function rotateSigningKey(rotOpts) {
     algorithm:  newAlg,
     fingerprint: newFingerprint,
   };
-  log("audit-signing keypair rotated (alg=" + newAlg + ", fp=" + newFingerprint.slice(0, 16) + "...)");                       /* allow:raw-byte-literal — fingerprint hex truncation count */
+  log("audit-signing keypair rotated (alg=" + newAlg + ", fp=" + newFingerprint.slice(0, 16) + "...)");                       /* fingerprint hex truncation count */
 
   return {
     previousFingerprint: prevFingerprint,
@@ -717,9 +717,9 @@ async function rotateSigningKey(rotOpts) {
     algorithm:           newAlg,
     rotatedAt:           new Date().toISOString(),
     historyPath:         (currentMode === "wrapped" && paths && paths.sealed)
-                          ? paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* allow:raw-byte-literal — fingerprint hex truncation count */
+                          ? paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* fingerprint hex truncation count */
                           : (currentMode === "plaintext" && paths && paths.plaintext)
-                            ? paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* allow:raw-byte-literal — fingerprint hex truncation count */
+                            ? paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16)                                       /* fingerprint hex truncation count */
                             : null,
   };
 }

package/lib/audit-tools.js

@@ -1083,7 +1083,7 @@ function _toCadfEvent(row) {
       name:    "blamejs.audit",
     },
     reason: row.reason ? {
-      reasonCode: String(row.reason).slice(0, 256),                                // allow:raw-byte-literal — reason cap
+      reasonCode: String(row.reason).slice(0, 256),                                // reason cap
       policyType: "blamejs.audit-chain",
     } : undefined,
     attachments: meta ? [{

package/lib/audit.js

@@ -304,11 +304,11 @@ var FRAMEWORK_NAMESPACES = [
   "session",    // b.sessionDeviceBinding (session.device.bound / drift / refused)
   "sandbox",    // b.sandbox (sandbox.run / sandbox.run.refused — operator-supplied transform isolation)
   "safeurl",    // b.safeUrl.parse (safeurl.idn_homograph.refused — UTS #39 mixed-script host-label refusal)
-  "http",       // b.middleware.bodyParser (http.chunked.malformed.refused — RFC 9112 §7.1 chunked-decode failure with Connection: close) // allow:raw-byte-literal — RFC number in prose
+  "http",       // b.middleware.bodyParser (http.chunked.malformed.refused — RFC 9112 §7.1 chunked-decode failure with Connection: close) // RFC number in prose
   "cryptofield", // b.cryptoField.eraseRow (cryptofield.vacuum.skipped — F-RTBF-2 vacuum-after-erase signal when DB not initialized at erase time)
   "acme",       // b.acme (acme.account.registered / order.* / cert.issued / cert.renewed / cert.renew.skipped — RFC 8555 + RFC 9773 ARI workflow)
   "cert",       // b.cert (cert.account.generated / cert.issued / cert.renewed / cert.renew-failed / cert.challenge-cleanup — turnkey cert-manager lifecycle)
-  "tls",        // b.router 0-RTT posture (tls.0rtt.refused / tls.0rtt.replayed) — RFC 8446 §8 anti-replay surface // allow:raw-byte-literal — RFC number in prose
+  "tls",        // b.router 0-RTT posture (tls.0rtt.refused / tls.0rtt.replayed) — RFC 8446 §8 anti-replay surface // RFC number in prose
   "workerpool", // b.workerPool (workerpool.created / terminated / task.completed / task.failed / task.timeout / spawn.failed — generic worker_threads pool)
   "jwt",        // b.auth.jwt-external (jwt.jwe.refused — RFC 7516 5-segment JWE refusal)
   "dr",         // b.drRunbook (dr.runbook.emitted)