@blamejs/core 0.14.0 → 0.14.2

package/lib/auth/acr-vocabulary.js

@@ -87,7 +87,7 @@ var BUILTIN_RANKS = {
   "ial2":                              30,
   "fal2":                              30,
   "aal2":                              35,
-  "urn:mace:incommon:iap:silver":      32,    // allow:raw-byte-literal — ACR rank, not bytes
+  "urn:mace:incommon:iap:silver":      32,    // ACR rank, not bytes
 
   // Phishing-resistant multi-factor (passkey UV)
   "phrh":                              60,    // allow:raw-time-literal — ACR rank, not seconds
@@ -98,7 +98,7 @@ var BUILTIN_RANKS = {
   "ial3":                              75,
   "fal3":                              75,
   "aal3":                              75,
-  "urn:mace:incommon:iap:gold":        80,    // allow:raw-byte-literal — ACR rank, not bytes
+  "urn:mace:incommon:iap:gold":        80,    // ACR rank, not bytes
 
   // In-person identity-proofed + hardware-bound
   "loa4":                              95,

package/lib/auth/bot-challenge.js

@@ -97,7 +97,7 @@ var MAX_TOKEN_BYTES   = C.BYTES.kib(4);
 // headroom; operators can override per-call but cannot drop below
 // MIN_TIMEOUT_MS without the create() factory refusing the opts.
 var DEFAULT_TIMEOUT_MS = C.TIME.seconds(5);
-var MIN_TIMEOUT_MS     = 500; // anti-misconfiguration floor              // allow:raw-byte-literal — 500ms wall-clock floor, not a byte literal
+var MIN_TIMEOUT_MS     = 500; // anti-misconfiguration floor              // 500ms wall-clock floor, not a byte literal
 
 // Response-body cap. Provider siteverify responses are small JSON
 // (well under 4 KiB); a multi-MiB response is either a redirect to
@@ -116,7 +116,7 @@ var EXPECTED_CONTENT_TYPE_PREFIX = "application/json";
 // the surfaced bytes are not the secret token (≈ 48 bits visible vs.
 // ~2 KiB total), but large enough to cluster verifications belonging
 // to the same widget render in a debug session.
-var TOKEN_PREFIX_AUDIT_CHARS = 8;                                          // allow:raw-byte-literal — debug-prefix length, not a byte literal
+var TOKEN_PREFIX_AUDIT_CHARS = 8;                                          // debug-prefix length, not a byte literal
 
 // ---- provider catalog ----
 //
@@ -440,7 +440,7 @@ function create(opts) {
         "siteverify transport failure: " + ((e && e.message) || String(e)));
     }
 
-    if (res.statusCode < 200 || res.statusCode >= 300) {                  // allow:raw-byte-literal — HTTP 2xx range bounds
+    if (res.statusCode < 200 || res.statusCode >= 300) {                  // HTTP 2xx range bounds
       _safeAudit(safeEmit, "auth.bot_challenge.verify", "failure", {
         provider: providerKey, ok: false, reason: "non-2xx",
         statusCode: res.statusCode, prefix: tokenPrefix,

package/lib/auth/ciba.js

@@ -174,7 +174,7 @@ function create(opts) {
   // 2026-05-11). CIBA §7.1.2 requires the token be opaque + hard to
   // guess; the framework's other token-shaped primitives enforce 32
   // chars minimum. A 4-char token was previously accepted; refuse.
-  if (clientNotificationToken !== null && clientNotificationToken.length < 32) {                  // allow:raw-byte-literal — RFC 9700 §7.1.2 token char-length minimum, not bytes
+  if (clientNotificationToken !== null && clientNotificationToken.length < 32) {                  // RFC 9700 §7.1.2 token char-length minimum, not bytes
     throw new AuthError("auth-ciba/notification-token-too-short",
       "auth.ciba.client.create: clientNotificationToken must be >= 32 chars " +
       "(generate via b.crypto.generateToken(32) or stronger; CIBA §7.1.2 " +
@@ -239,7 +239,7 @@ function create(opts) {
           (cc >= 0x200b && cc <= 0x200f) ||
           (cc >= 0x202a && cc <= 0x202e) ||
           (cc >= 0x2066 && cc <= 0x2069) ||
-          cc === 0xfeff) {                                                                      // allow:raw-byte-literal — codepoint constants for control / bidi / zero-width / BOM
+          cc === 0xfeff) {                                                                      // codepoint constants for control / bidi / zero-width / BOM
         throw new AuthError("auth-ciba/binding-message-control-chars",
           "ciba: bindingMessage contains control / bidi / zero-width characters");
       }
@@ -278,7 +278,7 @@ function create(opts) {
       var err;
       try { err = safeJson.parse(bodyText, { maxBytes: MAX_RESPONSE_BYTES }); } catch (_e) { /* silent-catch: non-JSON IdP error body falls through to the bodyText snippet path below */ }
       var code = (err && err.error) || ("http-" + res.statusCode);
-      var msg = (err && (err.error_description || err.error)) || bodyText.slice(0, 200);   // allow:raw-byte-literal — error-message snippet length
+      var msg = (err && (err.error_description || err.error)) || bodyText.slice(0, 200);   // error-message snippet length
       var aerr = new AuthError("auth-ciba/" + code, "ciba: " + msg);
       aerr.cibaError = err || null;
       aerr.statusCode = res.statusCode;
@@ -355,8 +355,8 @@ function create(opts) {
     if (clientAuth === "jwt") {
       var assertion = await opts.clientAssertionSigner({
         iss: opts.clientId, sub: opts.clientId, aud: endpoint,
-        iat: Math.floor(Date.now() / 1000),                                                     // allow:raw-byte-literal — ms→s
-        exp: Math.floor(Date.now() / 1000) + 300,                                               // allow:raw-byte-literal — assertion 5m TTL
+        iat: Math.floor(Date.now() / 1000),                                                     // ms→s
+        exp: Math.floor(Date.now() / 1000) + 300,                                               // assertion 5m TTL
         jti: generateToken(16),
       });
       body.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
@@ -465,8 +465,8 @@ function create(opts) {
     if (clientAuth === "jwt") {
       var assertion = await opts.clientAssertionSigner({
         iss: opts.clientId, sub: opts.clientId, aud: endpoint,
-        iat: Math.floor(Date.now() / 1000),                                                     // allow:raw-byte-literal — ms→s
-        exp: Math.floor(Date.now() / 1000) + 300,                                               // allow:raw-byte-literal — assertion 5m TTL
+        iat: Math.floor(Date.now() / 1000),                                                     // ms→s
+        exp: Math.floor(Date.now() / 1000) + 300,                                               // assertion 5m TTL
         jti: generateToken(16),
       });
       body.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");

package/lib/auth/dpop.js

@@ -131,9 +131,9 @@ function _signParamsForAlg(alg) {
   if (alg === "RS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
   if (alg === "RS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
   if (alg === "RS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
-  if (alg === "PS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };  // allow:raw-byte-literal — RFC 7518 PS256 salt length
-  if (alg === "PS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 };  // allow:raw-byte-literal — RFC 7518 PS384 salt length
-  if (alg === "PS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 };  // allow:raw-byte-literal — RFC 7518 PS512 salt length
+  if (alg === "PS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };  // RFC 7518 PS256 salt length
+  if (alg === "PS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 };  // RFC 7518 PS384 salt length
+  if (alg === "PS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 };  // RFC 7518 PS512 salt length
   if (alg === "ES256") return { hash: "sha256", dsaEncoding: "ieee-p1363" };
   if (alg === "ES384") return { hash: "sha384", dsaEncoding: "ieee-p1363" };
   if (alg === "ES512") return { hash: "sha512", dsaEncoding: "ieee-p1363" };

package/lib/auth/fido-mds3.js

@@ -97,7 +97,7 @@ function _b64urlDecode(s) {
 // node:crypto.X509Certificate accepts it.
 function _derToPem(b64) {
   var lines = [];
-  for (var i = 0; i < b64.length; i += 64) lines.push(b64.slice(i, i + 64));      // allow:raw-byte-literal — RFC 7468 PEM line width
+  for (var i = 0; i < b64.length; i += 64) lines.push(b64.slice(i, i + 64));      // RFC 7468 PEM line width
   return "-----BEGIN CERTIFICATE-----\n" + lines.join("\n") +
          "\n-----END CERTIFICATE-----\n";
 }
@@ -145,9 +145,9 @@ function _verifyParamsForAlg(alg) {
     case "RS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
     case "RS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
     case "RS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
-    case "PS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };  // allow:raw-byte-literal — SHA-256 hash length
-    case "PS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 };  // allow:raw-byte-literal — SHA-384 hash length
-    case "PS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 };  // allow:raw-byte-literal — SHA-512 hash length
+    case "PS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };  // SHA-256 hash length
+    case "PS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 };  // SHA-384 hash length
+    case "PS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 };  // SHA-512 hash length
     case "ES256": return { hash: "sha256", dsaEncoding: "ieee-p1363" };
     case "ES384": return { hash: "sha384", dsaEncoding: "ieee-p1363" };
     case "ES512": return { hash: "sha512", dsaEncoding: "ieee-p1363" };
@@ -292,7 +292,7 @@ function _getCache() {
   _sharedCache = cache().create({
     namespace:  "auth-fido-mds3.blob",
     ttlMs:      MAX_CACHE_TTL_MS,
-    maxEntries: 8,                                                                 // allow:raw-byte-literal — operator-pinned URL set
+    maxEntries: 8,                                                                 // operator-pinned URL set
   });
   return _sharedCache;
 }
@@ -315,7 +315,7 @@ function _ttlFromNextUpdate(nextUpdateDate) {
 // valid future timestamp and influence the cache-TTL clamp downstream.
 function _parseNextUpdate(s) {
   if (typeof s !== "string") return null;
-  var m = s.match(/^(\d{4})-(\d{2})-(\d{2})$/);                                    // allow:raw-byte-literal — ISO-8601 date components
+  var m = s.match(/^(\d{4})-(\d{2})-(\d{2})$/);                                    // ISO-8601 date components
   if (!m) return null;
   var year  = parseInt(m[1], 10);
   var month = parseInt(m[2], 10) - 1;
@@ -464,7 +464,7 @@ async function fetch(opts) {   // allow:raw-outbound-http — function name is f
       throw new FidoMds3Error("fido-mds3/network",
         "BLOB GET " + url + " failed: " + ((e && e.message) || String(e)));
     }
-    if (rsp.statusCode < 200 || rsp.statusCode >= 300) {                            // allow:raw-byte-literal — HTTP 2xx range
+    if (rsp.statusCode < 200 || rsp.statusCode >= 300) {                            // HTTP 2xx range
       throw new FidoMds3Error("fido-mds3/bad-status",
         "BLOB GET " + url + " returned " + rsp.statusCode);
     }
@@ -539,7 +539,7 @@ function lookupAaguid(blob, aaguid) {
     throw new FidoMds3Error("fido-mds3/bad-aaguid", "aaguid must be a non-empty string");
   }
   var canon = aaguid.replace(/-/g, "").toLowerCase();
-  if (!safeBuffer.isHex(canon, 32)) {  // allow:raw-byte-literal — 32 = AAGUID hex-char count, not bytes
+  if (!safeBuffer.isHex(canon, 32)) {  // 32 = AAGUID hex-char count, not bytes
     throw new FidoMds3Error("fido-mds3/bad-aaguid",
       "aaguid must be a UUID (with or without dashes)");
   }

package/lib/auth/jar.js

@@ -130,6 +130,17 @@ async function parse(jar, opts) {
     audience:    opts.audience,
     clockSkewMs: opts.clockSkewMs,
   });
+  // RFC 9101 §10.8 — the request object MUST be explicitly typed so a JWT
+  // minted for another purpose (id_token / access-token / logout-token)
+  // and signed by the same client key cannot be replayed here as a request
+  // object (cross-JWT confusion). Require the registered media type, with or
+  // without the "application/" prefix; an absent or mismatched typ is refused.
+  var jarTyp = verified.header && verified.header.typ;
+  if (jarTyp !== JAR_TYP && jarTyp !== "application/" + JAR_TYP) {
+    throw new AuthJarError("auth-jar/bad-typ",
+      "jar.parse: request object header.typ must be \"" + JAR_TYP +
+      "\" (RFC 9101 §10.8 — cross-JWT-confusion defense)");
+  }
   var payload = verified.claims;
 
   // RFC 9101 §5.2 — the request object MUST carry a client_id claim,

package/lib/auth/jwt-external.js

@@ -75,9 +75,9 @@ var MAX_TOKEN_BYTES       = C.BYTES.kib(16);
 var REFUSED_ALGS = ["HS256", "HS384", "HS512", "none"];
 
 // PSS salt lengths per RFC 7518 §3.5.
-var PSS_SALT_SHA256 = 32;                                                        // allow:raw-byte-literal — RFC 7518 SHA-256 salt length
-var PSS_SALT_SHA384 = 48;                                                        // allow:raw-byte-literal — RFC 7518 SHA-384 salt length
-var PSS_SALT_SHA512 = 64;                                                        // allow:raw-byte-literal — RFC 7518 SHA-512 salt length
+var PSS_SALT_SHA256 = 32;                                                        // RFC 7518 SHA-256 salt length
+var PSS_SALT_SHA384 = 48;                                                        // RFC 7518 SHA-384 salt length
+var PSS_SALT_SHA512 = 64;                                                        // RFC 7518 SHA-512 salt length
 
 var SUPPORTED_CLASSICAL_ALGS = [
   "RS256", "RS384", "RS512",
@@ -105,7 +105,7 @@ function _b64urlDecode(s) {
     throw new AuthError("auth-jwt-external/bad-base64", "expected base64url string");
   }
   var padded = s.replace(/-/g, "+").replace(/_/g, "/");
-  while (padded.length % 4) padded += "=";                                       // allow:raw-byte-literal — base64 quartet padding
+  while (padded.length % 4) padded += "=";                                       // base64 quartet padding
   return Buffer.from(padded, "base64");
 }
 
@@ -241,7 +241,7 @@ async function _fetchJwks(uri, cacheMs) {
       maxBytes:      MAX_JWKS_BYTES,
       timeoutMs:     C.TIME.seconds(10),
     });
-    if (res.statusCode < 200 || res.statusCode >= 300) {                         // allow:raw-byte-literal — HTTP 2xx range
+    if (res.statusCode < 200 || res.statusCode >= 300) {                         // HTTP 2xx range
       throw new AuthError("auth-jwt-external/jwks-fetch-failed",
         "JWKS endpoint " + uri + " returned " + res.statusCode);
     }

package/lib/auth/oauth.js

@@ -836,10 +836,10 @@ function create(opts) {
     // only in claim validation (no nonce, audience = clientId, no
     // ID-token-specific claims). We wrap verifyIdToken with the
     // skip-nonce flag and apply JARM-specific claim checks below.
+    // verifyIdToken applies the create()-level accepted algorithms / JWKS /
+    // clock-skew; only the JARM-specific skip-nonce flag is passed here.
     var verified = await verifyIdToken(responseJwt, {
       skipNonceCheck: true,
-      acceptedAlgs:   jopts.acceptedAlgs,
-      maxClockSkewMs: jopts.maxClockSkewMs,
     });
     var c = verified.claims;
     // Per JARM §4: `iss` MUST match the OP issuer; `aud` MUST contain
@@ -1297,7 +1297,7 @@ function create(opts) {
     if (!rv || typeof rv.request_uri !== "string" || rv.request_uri.length === 0) {
       throw new OAuthError("auth-oauth/par-bad-response",
         "pushAuthorizationRequest: IdP did not return a request_uri (got " +
-        JSON.stringify(rv).slice(0, 200) + ")");                                 // allow:raw-byte-literal — error-message snippet length
+        JSON.stringify(rv).slice(0, 200) + ")");                                 // error-message snippet length
     }
     // Build the browser-side redirect URL: /authorize?client_id=...&request_uri=...
     var authzEndpoint = await _resolveEndpoint("authorizationEndpoint");
@@ -1419,12 +1419,10 @@ function create(opts) {
     }
     // Reuse verifyIdToken's signature-verification path. It looks up
     // the IdP JWKS and checks the JWS — same trust anchor.
+    // verifyIdToken applies the create()-level issuer / clientId / accepted
+    // algorithms / JWKS / clock-skew — the same trust anchor as id_tokens.
+    // Only the per-call logout-token semantics are passed here.
     var verified = await verifyIdToken(logoutToken, {
-      issuer:         issuer,
-      clientId:       clientId,
-      acceptedAlgs:   vopts.acceptedAlgs,
-      jwksUri:        vopts.jwksUri,
-      maxClockSkewMs: vopts.maxClockSkewMs,
       // Logout tokens have no nonce — disable the nonce check that
       // verifyIdToken would otherwise enforce on id_tokens.
       skipNonceCheck: true,
@@ -1953,7 +1951,7 @@ function create(opts) {
       }
       // Terminal errors.
       throw new OAuthError("auth-oauth/device-" + (err || "unknown"),
-        "pollDeviceCode: " + (parsed && parsed.error_description ? parsed.error_description : text.slice(0, 200)));   // allow:raw-byte-literal — 200-char error-snippet cap, not bytes
+        "pollDeviceCode: " + (parsed && parsed.error_description ? parsed.error_description : text.slice(0, 200)));   // 200-char error-snippet cap, not bytes
     }
     throw new OAuthError("auth-oauth/device-poll-timeout",
       "pollDeviceCode: exceeded maxWaitMs " + (popts.maxWaitMs || C.TIME.minutes(10)));

package/lib/auth/oid4vci.js

@@ -98,7 +98,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
   }
   var header, payload;
   try {
-    header  = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 });                     // allow:raw-byte-literal — proof header cap
+    header  = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 });                     // proof header cap
     payload = safeJson.parse(_b64uDecodeStr(parts[1]), { maxBytes: MAX_PROOF_BYTES });
   } catch (e) {
     throw new AuthError("auth-oid4vci/bad-proof-decode",
@@ -240,7 +240,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
  *     tokenEndpoint:              string,                // public URL for /token (re-used by the pre-auth flow)
  *     sdJwtIssuer:                <b.auth.sdJwtVc.issuer instance>, // mints the SD-JWT VC
  *     supportedCredentials:       { [id]: { format, vct, claims, ... } },
- *     proofAlgorithms:            string[],              // default ["ES256", "ES384"]
+ *     proofAlgorithms:            string[],              // default ["ES256", "ES384", "EdDSA"]
  *     preAuthCodeTtlMs?:          number,                // default 5m
  *     accessTokenTtlMs?:          number,                // default 15m
  *     cNonceTtlMs?:               number,                // default 5m
@@ -367,7 +367,7 @@ function create(opts) {
           "createCredentialOffer: credentialId \"" + id + "\" not in supportedCredentials");
       }
     });
-    var preAuthCode = generateToken(32);                                                         // allow:raw-byte-literal — 256-bit single-use pre-auth code
+    var preAuthCode = generateToken(32);                                                         // 256-bit single-use pre-auth code
     var txCode = coOpts.txCode || null;
     if (txCode !== null) {
       if (typeof txCode !== "object" || typeof txCode.value !== "string") {
@@ -388,7 +388,7 @@ function create(opts) {
         "urn:ietf:params:oauth:grant-type:pre-authorized_code": {
           "pre-authorized_code": preAuthCode,
           tx_code: txCode ? {
-            length:     typeof txCode.length === "number" ? txCode.length : 4,                  // allow:raw-byte-literal — default tx-code 4 digits
+            length:     typeof txCode.length === "number" ? txCode.length : 4,                  // default tx-code 4 digits
             input_mode: txCode.input_mode || "numeric",
             description: txCode.description || undefined,
           } : undefined,
@@ -467,8 +467,8 @@ function create(opts) {
       }
     }
     await codeStore.delete(eopts.preAuthCode);
-    var accessToken = generateToken(32);                                                         // allow:raw-byte-literal — 256-bit access token
-    var cNonce = generateToken(16);                                                              // allow:raw-byte-literal — 128-bit c_nonce
+    var accessToken = generateToken(32);                                                         // 256-bit access token
+    var cNonce = generateToken(16);                                                              // 128-bit c_nonce
     var record = {
       subject:       entry.subject,
       credentialIds: entry.credentialIds,
@@ -485,9 +485,9 @@ function create(opts) {
     return {
       access_token:  accessToken,
       token_type:    "Bearer",
-      expires_in:    Math.floor(accessTokenTtl / 1000),                                          // allow:raw-byte-literal — ms→s
+      expires_in:    Math.floor(accessTokenTtl / 1000),                                          // ms→s
       c_nonce:       cNonce,
-      c_nonce_expires_in: Math.floor(cNonceTtl / 1000),                                          // allow:raw-byte-literal — ms→s
+      c_nonce_expires_in: Math.floor(cNonceTtl / 1000),                                          // ms→s
       authorization_details: entry.credentialIds.map(function (id) {
         return {
           type:                          "openid_credential",
@@ -572,7 +572,7 @@ function create(opts) {
 
     // Rotate c_nonce so a replayed proof-JWT for a follow-up
     // batch_credential request is rejected.
-    var newCNonce = generateToken(16);                                                           // allow:raw-byte-literal — 128-bit c_nonce
+    var newCNonce = generateToken(16);                                                           // 128-bit c_nonce
     await cNonceStore.set(iopts.accessToken, newCNonce);
 
     // AUTH-6 — when single-use is on (default), DELETE the access token
@@ -600,7 +600,7 @@ function create(opts) {
       format:      spec.format,
       credential:  sdJwtToken.token,
       c_nonce:     newCNonce,
-      c_nonce_expires_in: Math.floor(cNonceTtl / 1000),                                          // allow:raw-byte-literal — ms→s
+      c_nonce_expires_in: Math.floor(cNonceTtl / 1000),                                          // ms→s
     };
   }
 

package/lib/auth/oid4vp.js

@@ -348,8 +348,8 @@ function create(opts) {
         "createRequest: dcql is required");
     }
     _validateDcql(ropts.dcql);
-    var nonce = ropts.nonce || generateToken(16);                                                // allow:raw-byte-literal — 128-bit nonce
-    var state = ropts.state || generateToken(16);                                                // allow:raw-byte-literal — 128-bit state
+    var nonce = ropts.nonce || generateToken(16);                                                // 128-bit nonce
+    var state = ropts.state || generateToken(16);                                                // 128-bit state
     var request = {
       response_type:     "vp_token",
       response_mode:     ropts.responseMode || "direct_post",

package/lib/auth/openid-federation.js

@@ -82,7 +82,7 @@ var _emitMetric = emit.metric;
 
 var SUPPORTED_ALGS = ["ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "EdDSA"];
 var MAX_STATEMENT_BYTES = 64 * 1024;                                                            // allow:raw-byte-literal — entity-statement size cap
-var MAX_CHAIN_DEPTH = 10;                                                                       // allow:raw-byte-literal — federation chain depth ceiling
+var MAX_CHAIN_DEPTH = 10;                                                                       // federation chain depth ceiling
 
 function _b64uDecodeStr(s) { return Buffer.from(s, "base64url").toString("utf8"); }
 
@@ -117,7 +117,7 @@ function parseEntityStatement(jwt) {
   }
   var header, payload;
   try {
-    header  = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 });                     // allow:raw-byte-literal — header cap
+    header  = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 });                     // header cap
     payload = safeJson.parse(_b64uDecodeStr(parts[1]), { maxBytes: MAX_STATEMENT_BYTES });
   } catch (e) {
     throw new AuthError("auth-openid-federation/bad-decode",

package/lib/auth/passkey.js

@@ -64,7 +64,7 @@ var { AuthError } = require("../framework-error");
 // W3C WebAuthn name field cap — same as the rpName/userName ceiling in
 // the spec's CredentialUserEntity / PublicKeyCredentialEntity dictionaries
 // (no normative limit but RPs broadly cap at 256 to defeat DOM cost).
-var MAX_NAME_LEN = 256;                                                            // allow:raw-byte-literal — UTF-16 codepoint count, not bytes
+var MAX_NAME_LEN = 256;                                                            // UTF-16 codepoint count, not bytes
 
 function _vendor() {
   return _wa;
@@ -306,7 +306,7 @@ async function conditionalAuthOptions(opts) {
 
 // CTAP2.1 §6.5 — PRF eval inputs are 32-byte salts. Caps every
 // extension input that ships through the binary normalizer.
-var MAX_EXT_INPUT_BYTES = 32;                                                                    // allow:raw-byte-literal — CTAP2.1 §6.5 PRF salt length
+var MAX_EXT_INPUT_BYTES = 32;                                                                    // CTAP2.1 §6.5 PRF salt length
 
 function _b64urlExtInput(value, name, maxBytes) {
   // Accept a base64url string OR a Buffer / Uint8Array. Normalize the
@@ -436,7 +436,7 @@ function _credBlobExt(args) {
     throw new AuthError("auth-passkey/bad-credblob",
       "extensions.credBlob blob must be a Uint8Array / Buffer");
   }
-  if (buf.length === 0 || buf.length > 32) {                                       // allow:raw-byte-literal — CTAP2.1 §11.1 credBlob max
+  if (buf.length === 0 || buf.length > 32) {                                       // CTAP2.1 §11.1 credBlob max
     throw new AuthError("auth-passkey/credblob-bad-length",
       "extensions.credBlob blob must be 1-32 bytes (CTAP2.1 §11.1)");
   }

package/lib/auth/saml.js

@@ -592,10 +592,14 @@ function create(opts) {
     var nameId = _textContent(nameIdEl);
     var nameIdFormat = _attr(nameIdEl, "Format");
 
-    var nowSec = Math.floor((vopts.now || Date.now()) / 1000);                                  // allow:raw-byte-literal — ms→s
+    var nowSec = Math.floor((vopts.now || Date.now()) / 1000);                                  // ms→s
     var confirmations = _findAllChildren(subject, "SubjectConfirmation", SAML_NS.assertion);
     var bearerOk = false;
     var hokOk = false;
+    // InResponseTo of the SubjectConfirmation that actually passed bearer
+    // validation — captured so the returned value can't be sourced from a
+    // different (non-validated) confirmation when several are present.
+    var matchedInResponseTo = null;
     var hokFingerprint = null;
     // Holder-of-Key SubjectConfirmation per SAML 2.0 Profile §3.1
     // (urn:oasis:names:tc:SAML:2.0:cm:holder-of-key). The IdP binds
@@ -680,10 +684,10 @@ function create(opts) {
         // as Bearer (Profile §3.1 incorporates §3 by reference).
         var nbHok = _attr(scdHok, "NotBefore");
         var noaHok = _attr(scdHok, "NotOnOrAfter");
-        if (nbHok && isFinite(Date.parse(nbHok) / 1000) &&                                          // allow:raw-byte-literal — ms→s
-            Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue;                             // allow:raw-byte-literal — ms→s
-        if (noaHok && isFinite(Date.parse(noaHok) / 1000) &&                                        // allow:raw-byte-literal — ms→s
-            Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue;                            // allow:raw-byte-literal — ms→s
+        if (nbHok && isFinite(Date.parse(nbHok) / 1000) &&                                          // ms→s
+            Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue;                             // ms→s
+        if (noaHok && isFinite(Date.parse(noaHok) / 1000) &&                                        // ms→s
+            Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue;                            // ms→s
         var recipHok = _attr(scdHok, "Recipient");
         if (recipHok && recipHok !== opts.assertionConsumerServiceUrl) continue;
         hokOk = true;
@@ -694,14 +698,14 @@ function create(opts) {
       if (!scd) continue;
       var notOnOrAfter = _attr(scd, "NotOnOrAfter");
       if (notOnOrAfter) {
-        var t = Date.parse(notOnOrAfter) / 1000;                                                // allow:raw-byte-literal — ms→s
+        var t = Date.parse(notOnOrAfter) / 1000;                                                // ms→s
         if (!isFinite(t) || t < nowSec - clockSkewSec) {
           continue; // expired confirmation — try next
         }
       }
       var notBefore = _attr(scd, "NotBefore");
       if (notBefore) {
-        var nb = Date.parse(notBefore) / 1000;                                                  // allow:raw-byte-literal — ms→s
+        var nb = Date.parse(notBefore) / 1000;                                                  // ms→s
         if (isFinite(nb) && nb > nowSec + clockSkewSec) continue;
       }
       var recipient = _attr(scd, "Recipient");
@@ -721,6 +725,7 @@ function create(opts) {
             "AuthnRequest ID (replay defense)");
         }
       }
+      matchedInResponseTo = inResponseTo;
       bearerOk = true;
       break;
     }
@@ -736,14 +741,14 @@ function create(opts) {
       var cNotBefore = _attr(conditions, "NotBefore");
       var cNotOnOrAfter = _attr(conditions, "NotOnOrAfter");
       if (cNotBefore) {
-        var cnb = Date.parse(cNotBefore) / 1000;                                                // allow:raw-byte-literal — ms→s
+        var cnb = Date.parse(cNotBefore) / 1000;                                                // ms→s
         if (isFinite(cnb) && cnb > nowSec + clockSkewSec) {
           throw new AuthError("auth-saml/conditions-not-yet-valid",
             "Conditions NotBefore is in the future");
         }
       }
       if (cNotOnOrAfter) {
-        var cnoa = Date.parse(cNotOnOrAfter) / 1000;                                            // allow:raw-byte-literal — ms→s
+        var cnoa = Date.parse(cNotOnOrAfter) / 1000;                                            // ms→s
         if (isFinite(cnoa) && cnoa < nowSec - clockSkewSec) {
           throw new AuthError("auth-saml/conditions-expired",
             "Conditions NotOnOrAfter has passed");
@@ -787,8 +792,7 @@ function create(opts) {
       sessionIndex:    sessionIndex,
       attributes:      attributes,
       audience:        audience,
-      inResponseTo:    bearerOk ? _attr(_findChild(_findChild(subject, "SubjectConfirmation", SAML_NS.assertion),
-                                       "SubjectConfirmationData", SAML_NS.assertion), "InResponseTo") : null,
+      inResponseTo:    bearerOk ? matchedInResponseTo : null,
       issuer:          issuer,
     };
   }
@@ -884,7 +888,7 @@ function create(opts) {
       throw new AuthError("auth-saml/no-idp-slo",
         "buildLogoutRequest: opts.idpSloUrl (or sp.create's opts.idpSloUrl) required");
     }
-    var id = "_" + generateToken(20);                                                                 // allow:raw-byte-literal — 20-byte SAML ID token
+    var id = "_" + generateToken(20);                                                                 // 20-byte SAML ID token
     var issueInstant = new Date().toISOString();
     var c14n = xmlC14n();
     var nameIdFormatAttr = bopts.nameIdFormat
@@ -1085,7 +1089,7 @@ function create(opts) {
     validateOpts.requireNonEmptyString(bopts.inResponseTo, "inResponseTo", AuthError, "auth-saml/no-in-response-to");
     validateOpts.requireNonEmptyString(bopts.destination, "destination", AuthError, "auth-saml/no-destination");
     var statusCode = bopts.statusCode || "urn:oasis:names:tc:SAML:2.0:status:Success";
-    var id = "_" + generateToken(20);                                                                 // allow:raw-byte-literal — 20-byte SAML ID token
+    var id = "_" + generateToken(20);                                                                 // 20-byte SAML ID token
     var issueInstant = new Date().toISOString();
     var c14n = xmlC14n();
     var xml =
@@ -1288,7 +1292,7 @@ function create(opts) {
       throw new AuthError("auth-saml/no-idp-slo",
         "buildLogoutRequestPost: opts.idpSloUrl required");
     }
-    var id = "_" + generateToken(20);                                                                 // allow:raw-byte-literal — 20-byte SAML ID token
+    var id = "_" + generateToken(20);                                                                 // 20-byte SAML ID token
     var issueInstant = new Date().toISOString();
     var c14n = xmlC14n();
     var nameIdFormatAttr = bopts.nameIdFormat
@@ -1663,18 +1667,18 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
   var clearBytes;
   if (contentAlg === "http://www.w3.org/2009/xmlenc11#aes128-gcm" ||
       contentAlg === "http://www.w3.org/2009/xmlenc11#aes256-gcm") {
-    var aesBits = contentAlg.indexOf("aes128") !== -1 ? 128 : 256;                                // allow:raw-byte-literal — AES key size
-    var expectedKeyBytes = aesBits / 8;                                                            // allow:raw-byte-literal — bits→bytes
+    var aesBits = contentAlg.indexOf("aes128") !== -1 ? 128 : 256;                                // AES key size
+    var expectedKeyBytes = aesBits / 8;                                                            // bits→bytes
     if (cek.length !== expectedKeyBytes) {
       throw new AuthError("auth-saml/encrypted-wrong-cek-len",
         "AES-" + aesBits + "-GCM CEK length is " + cek.length + ", expected " + expectedKeyBytes);
     }
-    if (contentBlob.length < 28) {                                                                 // allow:raw-byte-literal — 12 IV + 16 tag
+    if (contentBlob.length < 28) {                                                                 // 12 IV + 16 tag
       throw new AuthError("auth-saml/encrypted-content-too-short",
         "AES-GCM CipherValue too short to contain IV (12) + tag (16)");
     }
-    var iv  = contentBlob.subarray(0, 12);                                                          // allow:raw-byte-literal — GCM IV size
-    var tag = contentBlob.subarray(contentBlob.length - 16);                                       // allow:raw-byte-literal — GCM tag size
+    var iv  = contentBlob.subarray(0, 12);                                                          // GCM IV size
+    var tag = contentBlob.subarray(contentBlob.length - 16);                                       // GCM tag size
     var ct  = contentBlob.subarray(12, contentBlob.length - 16);
     var decipher = nodeCrypto.createDecipheriv("aes-" + aesBits + "-gcm", cek, iv);
     decipher.setAuthTag(tag);
@@ -1684,16 +1688,16 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
         "AES-GCM authentication tag mismatch: " + ((eD && eD.message) || String(eD)));
     }
   } else if (contentAlg === "urn:blamejs:experimental:xmlenc:xchacha20-poly1305") {
-    if (cek.length !== 32) {                                                                       // allow:raw-byte-literal — XChaCha20 key size
+    if (cek.length !== 32) {                                                                       // XChaCha20 key size
       throw new AuthError("auth-saml/encrypted-wrong-cek-len",
         "XChaCha20-Poly1305 CEK length is " + cek.length + ", expected 32");
     }
-    if (contentBlob.length < 40) {                                                                 // allow:raw-byte-literal — 24 nonce + 16 tag
+    if (contentBlob.length < 40) {                                                                 // 24 nonce + 16 tag
       throw new AuthError("auth-saml/encrypted-content-too-short",
         "XChaCha20-Poly1305 CipherValue too short");
     }
-    var xnonce = contentBlob.subarray(0, 24);                                                       // allow:raw-byte-literal — XChaCha20 nonce size
-    var xtag   = contentBlob.subarray(contentBlob.length - 16);                                    // allow:raw-byte-literal — Poly1305 tag size
+    var xnonce = contentBlob.subarray(0, 24);                                                       // XChaCha20 nonce size
+    var xtag   = contentBlob.subarray(contentBlob.length - 16);                                    // Poly1305 tag size
     var xct    = contentBlob.subarray(24, contentBlob.length - 16);
     try {
       clearBytes = bCrypto.aeadDecrypt({
@@ -1971,7 +1975,7 @@ function _sigAlgUrn(alg) {
         var keyObj = (sk && typeof sk === "object" && sk.type === "private") ? sk
           : (typeof sk === "string" || (sk && sk.kty)) ? nodeCrypto.createPrivateKey(sk)
           : nodeCrypto.createPrivateKey({ key: Buffer.concat([
-              Buffer.from("302e020100300506032b657004220420", "hex"),                                 // allow:raw-byte-literal — Ed25519 PKCS#8 prefix
+              Buffer.from("302e020100300506032b657004220420", "hex"),                                 // Ed25519 PKCS#8 prefix
               Buffer.from(sk),
             ]), format: "der", type: "pkcs8" });
         return nodeCrypto.sign(null, Buffer.from(bytes), keyObj);
@@ -1980,7 +1984,7 @@ function _sigAlgUrn(alg) {
         var keyObj = (pk && typeof pk === "object" && pk.type === "public") ? pk
           : (typeof pk === "string" || (pk && pk.kty)) ? nodeCrypto.createPublicKey(pk)
           : nodeCrypto.createPublicKey({ key: Buffer.concat([
-              Buffer.from("302a300506032b6570032100", "hex"),                                         // allow:raw-byte-literal — Ed25519 SPKI prefix
+              Buffer.from("302a300506032b6570032100", "hex"),                                         // Ed25519 SPKI prefix
               Buffer.from(pk),
             ]), format: "der", type: "spki" });
         return nodeCrypto.verify(null, Buffer.from(msg), keyObj, Buffer.from(sig));

package/lib/auth/sd-jwt-vc-disclosure.js

@@ -17,7 +17,7 @@ var nodeCrypto = require("node:crypto");
 var safeJson = require("../safe-json");
 var { AuthError } = require("../framework-error");
 
-var DEFAULT_SALT_BYTES = 16;          // allow:raw-byte-literal — 128-bit salt per spec recommendation
+var DEFAULT_SALT_BYTES = 16;          // 128-bit salt per spec recommendation
 
 function _newSalt(opts) {
   if (opts && opts.saltSource && typeof opts.saltSource === "function") {

package/lib/auth/sd-jwt-vc.js

@@ -239,8 +239,8 @@ function issue(opts) {
   sdDigests.sort();
 
   var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
-    ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000);             // allow:raw-byte-literal — ms→s conversion factor
-  var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60;       // allow:raw-byte-literal — ms→s conversion + 30-day default in seconds
+    ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000);             // ms→s conversion factor
+  var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60;       // ms→s conversion + 30-day default in seconds
 
   var payload = Object.assign({}, plainClaims, {
     iss:       opts.issuer,
@@ -355,7 +355,7 @@ function present(opts) {
         "present: algorithm must be one of " + SUPPORTED_ALGS.join(", "));
     }
     var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
-      ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000);           // allow:raw-byte-literal — ms→s conversion factor
+      ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000);           // ms→s conversion factor
     // The KB-JWT's hash binds it to the specific SD-JWT + presentation
     var kbHashInput = presentation;     // jwt~d1~d2~ (without KB)
     // sd_hash uses the SAME hash algorithm the credential's _sd
@@ -505,7 +505,7 @@ async function verify(presentation, opts) {
 
   // 2. Validate iss / iat / exp / vct
   var nowSec = (typeof opts.now === "number" && isFinite(opts.now))
-    ? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000);                  // allow:raw-byte-literal — ms→s conversion factor
+    ? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000);                  // ms→s conversion factor
   var skew = (typeof opts.maxClockSkewSec === "number") ? opts.maxClockSkewSec : 60; // allow:raw-time-literal — default 60s clock-skew tolerance
   if (typeof jwtParsed.payload.iat === "number" && jwtParsed.payload.iat > nowSec + skew) {
     throw new AuthError("auth-sd-jwt-vc/iat-future",