@blamejs/core 0.14.0 → 0.14.2

Files changed (277) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/_test/crypto-fixtures.js +3 -3
  3. package/lib/a2a-tasks.js +18 -18
  4. package/lib/a2a.js +4 -4
  5. package/lib/acme.js +3 -3
  6. package/lib/agent-idempotency.js +1 -1
  7. package/lib/agent-orchestrator.js +8 -8
  8. package/lib/agent-posture-chain.js +2 -2
  9. package/lib/agent-saga.js +1 -1
  10. package/lib/agent-snapshot.js +1 -1
  11. package/lib/agent-stream.js +1 -1
  12. package/lib/agent-tenant.js +1 -1
  13. package/lib/agent-trace.js +3 -3
  14. package/lib/ai-capability.js +1 -1
  15. package/lib/ai-dp.js +4 -4
  16. package/lib/ai-input.js +3 -3
  17. package/lib/ai-model-manifest.js +7 -7
  18. package/lib/ai-pref.js +3 -3
  19. package/lib/archive-gz.js +2 -2
  20. package/lib/archive-read.js +25 -25
  21. package/lib/archive-tar-read.js +2 -2
  22. package/lib/archive-tar.js +20 -20
  23. package/lib/archive-wrap.js +10 -10
  24. package/lib/argon2-builtin.js +1 -1
  25. package/lib/asn1-der.js +45 -34
  26. package/lib/atomic-file.js +2 -2
  27. package/lib/audit-daily-review.js +3 -3
  28. package/lib/audit-sign.js +5 -5
  29. package/lib/audit-tools.js +1 -1
  30. package/lib/audit.js +2 -2
  31. package/lib/auth/acr-vocabulary.js +2 -2
  32. package/lib/auth/bot-challenge.js +3 -3
  33. package/lib/auth/ciba.js +7 -7
  34. package/lib/auth/dpop.js +3 -3
  35. package/lib/auth/fido-mds3.js +8 -8
  36. package/lib/auth/jar.js +11 -0
  37. package/lib/auth/jwt-external.js +5 -5
  38. package/lib/auth/oauth.js +7 -9
  39. package/lib/auth/oid4vci.js +10 -10
  40. package/lib/auth/oid4vp.js +2 -2
  41. package/lib/auth/openid-federation.js +2 -2
  42. package/lib/auth/passkey.js +3 -3
  43. package/lib/auth/saml.js +29 -25
  44. package/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  45. package/lib/auth/sd-jwt-vc.js +4 -4
  46. package/lib/auth/status-list.js +10 -10
  47. package/lib/auth/step-up.js +1 -1
  48. package/lib/auth-bot-challenge.js +1 -1
  49. package/lib/backup/index.js +7 -7
  50. package/lib/base32.js +8 -8
  51. package/lib/budr.js +2 -2
  52. package/lib/cache-status.js +2 -2
  53. package/lib/calendar.js +23 -23
  54. package/lib/cbor.js +12 -12
  55. package/lib/cdn-cache-control.js +1 -1
  56. package/lib/cert.js +5 -5
  57. package/lib/cloud-events.js +5 -5
  58. package/lib/cms-codec.js +21 -21
  59. package/lib/codepoint-class.js +12 -12
  60. package/lib/compliance-sanctions-fuzzy.js +4 -4
  61. package/lib/compliance-sanctions.js +4 -4
  62. package/lib/compliance.js +29 -29
  63. package/lib/content-credentials.js +36 -36
  64. package/lib/cookies.js +1 -1
  65. package/lib/cose.js +13 -13
  66. package/lib/cra-report.js +1 -1
  67. package/lib/crdt.js +1 -1
  68. package/lib/crypto-field.js +2 -2
  69. package/lib/crypto-xwing.js +7 -7
  70. package/lib/crypto.js +6 -6
  71. package/lib/csp.js +2 -2
  72. package/lib/cwt.js +4 -4
  73. package/lib/dark-patterns.js +2 -2
  74. package/lib/data-act.js +2 -2
  75. package/lib/db-file-lifecycle.js +4 -4
  76. package/lib/db-query.js +1 -1
  77. package/lib/db.js +6 -6
  78. package/lib/dbsc.js +13 -13
  79. package/lib/did.js +17 -17
  80. package/lib/dora.js +4 -4
  81. package/lib/dsr.js +1 -1
  82. package/lib/early-hints.js +2 -2
  83. package/lib/eat.js +4 -4
  84. package/lib/external-db-migrate.js +1 -1
  85. package/lib/external-db.js +1 -1
  86. package/lib/flag-cache.js +1 -1
  87. package/lib/flag-evaluation-context.js +2 -2
  88. package/lib/graphql-federation.js +4 -4
  89. package/lib/guard-agent-registry.js +5 -5
  90. package/lib/guard-archive.js +24 -24
  91. package/lib/guard-cidr.js +33 -33
  92. package/lib/guard-csv.js +1 -1
  93. package/lib/guard-domain.js +10 -10
  94. package/lib/guard-dsn.js +4 -4
  95. package/lib/guard-email.js +19 -19
  96. package/lib/guard-event-bus-payload.js +4 -4
  97. package/lib/guard-event-bus-topic.js +6 -6
  98. package/lib/guard-filename.js +7 -7
  99. package/lib/guard-graphql.js +9 -9
  100. package/lib/guard-html-wcag-tagwalk.js +1 -1
  101. package/lib/guard-html-wcag.js +4 -4
  102. package/lib/guard-html.js +7 -7
  103. package/lib/guard-idempotency-key.js +6 -6
  104. package/lib/guard-image.js +4 -4
  105. package/lib/guard-imap-command.js +17 -17
  106. package/lib/guard-jmap.js +20 -20
  107. package/lib/guard-json.js +12 -12
  108. package/lib/guard-jsonpath.js +3 -3
  109. package/lib/guard-jwt.js +4 -4
  110. package/lib/guard-list-id.js +7 -7
  111. package/lib/guard-list-unsubscribe.js +8 -8
  112. package/lib/guard-mail-compose.js +4 -4
  113. package/lib/guard-mail-move.js +5 -5
  114. package/lib/guard-mail-query.js +3 -3
  115. package/lib/guard-mail-reply.js +3 -3
  116. package/lib/guard-mail-sieve.js +6 -6
  117. package/lib/guard-managesieve-command.js +25 -25
  118. package/lib/guard-markdown.js +31 -31
  119. package/lib/guard-message-id.js +5 -5
  120. package/lib/guard-mime.js +1 -1
  121. package/lib/guard-oauth.js +3 -3
  122. package/lib/guard-pdf.js +6 -6
  123. package/lib/guard-pop3-command.js +11 -11
  124. package/lib/guard-posture-chain.js +5 -5
  125. package/lib/guard-regex.js +10 -10
  126. package/lib/guard-saga-config.js +5 -5
  127. package/lib/guard-smtp-command.js +6 -6
  128. package/lib/guard-snapshot-envelope.js +3 -3
  129. package/lib/guard-stream-args.js +4 -4
  130. package/lib/guard-svg.js +11 -11
  131. package/lib/guard-tenant-id.js +5 -5
  132. package/lib/guard-time.js +15 -15
  133. package/lib/guard-trace-context.js +4 -4
  134. package/lib/guard-uuid.js +11 -11
  135. package/lib/guard-xml.js +12 -12
  136. package/lib/guard-yaml.js +16 -16
  137. package/lib/honeytoken.js +5 -5
  138. package/lib/http-client.js +1 -1
  139. package/lib/http-message-signature.js +2 -2
  140. package/lib/iab-mspa.js +3 -3
  141. package/lib/iab-tcf.js +70 -70
  142. package/lib/inbox.js +4 -4
  143. package/lib/ip-utils.js +15 -15
  144. package/lib/jose-jwe-experimental.js +2 -2
  145. package/lib/json-path.js +3 -3
  146. package/lib/json-schema.js +1 -1
  147. package/lib/jsonapi.js +3 -3
  148. package/lib/jtd.js +2 -2
  149. package/lib/link-header.js +1 -1
  150. package/lib/local-db-thin.js +1 -1
  151. package/lib/log.js +1 -1
  152. package/lib/lro.js +4 -4
  153. package/lib/mail-agent.js +1 -1
  154. package/lib/mail-arc-sign.js +6 -6
  155. package/lib/mail-auth.js +43 -43
  156. package/lib/mail-bimi.js +3 -3
  157. package/lib/mail-crypto-pgp.js +53 -45
  158. package/lib/mail-crypto-smime.js +5 -5
  159. package/lib/mail-dav.js +1 -1
  160. package/lib/mail-deploy.js +39 -39
  161. package/lib/mail-dkim.js +11 -11
  162. package/lib/mail-greylist.js +12 -12
  163. package/lib/mail-helo.js +1 -1
  164. package/lib/mail-journal.js +8 -8
  165. package/lib/mail-rbl.js +7 -7
  166. package/lib/mail-scan.js +7 -7
  167. package/lib/mail-send-deliver.js +2 -2
  168. package/lib/mail-server-imap.js +12 -12
  169. package/lib/mail-server-jmap.js +16 -16
  170. package/lib/mail-server-managesieve.js +4 -4
  171. package/lib/mail-server-mx.js +17 -17
  172. package/lib/mail-server-pop3.js +4 -4
  173. package/lib/mail-server-rate-limit.js +2 -2
  174. package/lib/mail-server-submission.js +21 -21
  175. package/lib/mail-sieve.js +2 -2
  176. package/lib/mail-spam-score.js +5 -5
  177. package/lib/mail-srs.js +12 -12
  178. package/lib/mail-store-fts.js +2 -2
  179. package/lib/mail-store.js +8 -8
  180. package/lib/mail-unsubscribe.js +4 -4
  181. package/lib/mail.js +4 -4
  182. package/lib/mcp-tool-registry.js +4 -4
  183. package/lib/mcp.js +8 -8
  184. package/lib/mdoc.js +2 -2
  185. package/lib/metrics.js +8 -8
  186. package/lib/middleware/age-gate.js +1 -1
  187. package/lib/middleware/api-encrypt.js +7 -7
  188. package/lib/middleware/assetlinks.js +2 -2
  189. package/lib/middleware/asyncapi-serve.js +2 -2
  190. package/lib/middleware/bearer-auth.js +5 -5
  191. package/lib/middleware/body-parser.js +5 -5
  192. package/lib/middleware/compose-pipeline.js +15 -15
  193. package/lib/middleware/csp-report.js +4 -4
  194. package/lib/middleware/daily-byte-quota.js +1 -1
  195. package/lib/middleware/dpop.js +1 -1
  196. package/lib/middleware/headers.js +2 -2
  197. package/lib/middleware/host-allowlist.js +1 -1
  198. package/lib/middleware/idempotency-key.js +12 -12
  199. package/lib/middleware/nel.js +1 -1
  200. package/lib/middleware/openapi-serve.js +2 -2
  201. package/lib/middleware/protected-resource-metadata.js +2 -2
  202. package/lib/middleware/require-aal.js +1 -1
  203. package/lib/middleware/require-bound-key.js +2 -2
  204. package/lib/middleware/require-content-type.js +1 -1
  205. package/lib/middleware/require-methods.js +1 -1
  206. package/lib/middleware/require-step-up.js +2 -2
  207. package/lib/middleware/scim-server.js +1 -1
  208. package/lib/middleware/security-txt.js +3 -3
  209. package/lib/middleware/tus-upload.js +12 -12
  210. package/lib/middleware/web-app-manifest.js +2 -2
  211. package/lib/network-byte-quota.js +1 -1
  212. package/lib/network-dns-resolver.js +23 -23
  213. package/lib/network-dns.js +29 -29
  214. package/lib/network-dnssec.js +33 -33
  215. package/lib/network-smtp-policy.js +10 -10
  216. package/lib/network-tls.js +99 -94
  217. package/lib/network-tsig.js +33 -33
  218. package/lib/nis2-report.js +1 -1
  219. package/lib/ntp-check.js +3 -3
  220. package/lib/observability-otlp-exporter.js +17 -17
  221. package/lib/observability-tracer.js +6 -6
  222. package/lib/observability.js +8 -8
  223. package/lib/openapi-yaml.js +1 -1
  224. package/lib/openapi.js +1 -1
  225. package/lib/outbox.js +6 -6
  226. package/lib/pqc-agent.js +4 -4
  227. package/lib/pqc-software.js +1 -1
  228. package/lib/privacy-pass.js +5 -5
  229. package/lib/problem-details.js +5 -5
  230. package/lib/promise-pool.js +1 -1
  231. package/lib/protobuf-encoder.js +9 -1
  232. package/lib/queue.js +4 -2
  233. package/lib/redact.js +2 -2
  234. package/lib/request-helpers.js +1 -1
  235. package/lib/router.js +10 -10
  236. package/lib/safe-async.js +2 -2
  237. package/lib/safe-dns.js +71 -71
  238. package/lib/safe-ical.js +19 -19
  239. package/lib/safe-icap.js +24 -24
  240. package/lib/safe-jsonpath.js +2 -2
  241. package/lib/safe-mime.js +10 -10
  242. package/lib/safe-mount-info.js +3 -3
  243. package/lib/safe-redirect.js +1 -1
  244. package/lib/safe-sieve.js +23 -23
  245. package/lib/safe-smtp.js +1 -1
  246. package/lib/safe-vcard.js +14 -14
  247. package/lib/sandbox.js +5 -5
  248. package/lib/sec-cyber.js +1 -1
  249. package/lib/self-update-standalone-verifier.js +3 -3
  250. package/lib/self-update.js +3 -3
  251. package/lib/server-timing.js +3 -3
  252. package/lib/session-device-binding.js +7 -7
  253. package/lib/session.js +8 -8
  254. package/lib/standard-webhooks.js +4 -4
  255. package/lib/storage.js +2 -2
  256. package/lib/stream-throttle.js +1 -1
  257. package/lib/structured-fields.js +15 -15
  258. package/lib/subject.js +1 -1
  259. package/lib/tcpa-10dlc.js +1 -1
  260. package/lib/tenant-quota.js +3 -3
  261. package/lib/test-harness.js +1 -1
  262. package/lib/tracing.js +1 -1
  263. package/lib/tsa.js +5 -5
  264. package/lib/uri-template.js +5 -5
  265. package/lib/vault/index.js +2 -2
  266. package/lib/vault/seal-pem-file.js +4 -4
  267. package/lib/vc.js +2 -2
  268. package/lib/vendor-data.js +1 -1
  269. package/lib/watcher.js +4 -4
  270. package/lib/web-push-vapid.js +21 -21
  271. package/lib/webhook.js +2 -2
  272. package/lib/websocket.js +3 -3
  273. package/lib/worker-pool.js +3 -3
  274. package/lib/ws-client.js +24 -24
  275. package/lib/xml-c14n.js +2 -2
  276. package/package.json +1 -1
  277. package/sbom.cdx.json +6 -6
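--- a/package/lib/cms-codec.js
+++ b/package/lib/cms-codec.js
@@ -107,14 +107,14 @@ var OID = Object.freeze({
  });
 
  // Refusal ceilings.
- var MAX_DEPTH = 32; // allow:raw-byte-literal — ASN.1 recursion ceiling
+ var MAX_DEPTH = 32; // ASN.1 recursion ceiling
  var DEFAULT_MAX_LEN = 64 * 1024 * 1024; // allow:raw-byte-literal — 64 MiB default decode cap
 
  // Universal-tag bytes used in encode helpers.
- var TAG_SEQUENCE = 0x30; // allow:raw-byte-literal — ASN.1 SEQUENCE constructed
- var TAG_SET = 0x31; // allow:raw-byte-literal — ASN.1 SET constructed
- var TAG_UTCTIME = 0x17; // allow:raw-byte-literal — UTCTime universal
- var TAG_GENTIME = 0x18; // allow:raw-byte-literal — GeneralizedTime universal
+ var TAG_SEQUENCE = 0x30; // ASN.1 SEQUENCE constructed
+ var TAG_SET = 0x31; // ASN.1 SET constructed
+ var TAG_UTCTIME = 0x17; // UTCTime universal
+ var TAG_GENTIME = 0x18; // GeneralizedTime universal
 
  /**
  * @primitive b.cms.encodeSignedData
@@ -197,7 +197,7 @@ function encodeSignedData(opts) {
 
  // SignedData SEQUENCE per §5.1.
  var signedDataSeq = asn1.writeNode(TAG_SEQUENCE, Buffer.concat([
- asn1.writeInteger(Buffer.from([1])), // allow:raw-byte-literal — CMSVersion 1 per §5.1
+ asn1.writeInteger(Buffer.from([1])), // CMSVersion 1 per §5.1
  digestAlgs,
  encapInfo,
  certsBlock,
@@ -258,7 +258,7 @@ function encodeEnvelopedData(opts) {
  "encodeEnvelopedData: opts.recipients must be a non-empty array");
  }
  // Fresh ChaCha20-Poly1305 content key.
- var contentKey = bCrypto.generateBytes(32); // allow:raw-byte-literal — 256-bit ChaCha20 key
+ var contentKey = bCrypto.generateBytes(32); // 256-bit ChaCha20 key
 
  // recipientInfos SET — one KEMRecipientInfo per recipient.
  var ris = opts.recipients.map(function (r) {
@@ -272,7 +272,7 @@ function encodeEnvelopedData(opts) {
  // EnvelopedData SEQUENCE per §6.1. CMSVersion 4 (RFC 9629 §3 — when
  // any RecipientInfo is OtherRecipientInfo, here KEMRecipientInfo).
  var envelopedSeq = asn1.writeNode(TAG_SEQUENCE, Buffer.concat([
- asn1.writeInteger(Buffer.from([4])), // allow:raw-byte-literal — CMSVersion 4 per RFC 9629 §3
+ asn1.writeInteger(Buffer.from([4])), // CMSVersion 4 per RFC 9629 §3
  recipientInfosSet,
  encContent,
  ]));
@@ -334,7 +334,7 @@ function decode(buf, opts) {
  }
  if (!(node.tag === asn1.TAG.SEQUENCE && node.constructed)) {
  throw new CmsCodecError("cms/bad-content-info",
- "decode: top-level must be SEQUENCE (got tag 0x" + node.tag.toString(16) + ")"); // allow:raw-byte-literal — hex radix for error-message formatting
+ "decode: top-level must be SEQUENCE (got tag 0x" + node.tag.toString(16) + ")"); // hex radix for error-message formatting
  }
  // ContentInfo SEQUENCE children: { contentType OID, [0] EXPLICIT ANY }.
  var children;
@@ -399,7 +399,7 @@ function _writeImplicitConstructed(tagNumber, payload) {
  // [N] IMPLICIT context-specific CONSTRUCTED — for wrapping SEQUENCE /
  // SET payloads (e.g. certificates [0], crls [1], OtherRecipientInfo
  // value).
- var tagByte = 0xa0 | (tagNumber & 0x1f); // allow:raw-byte-literal — context-specific constructed mask
+ var tagByte = 0xa0 | (tagNumber & 0x1f); // context-specific constructed mask
  return asn1.writeNode(tagByte, payload);
  }
 
@@ -410,7 +410,7 @@ function _writeImplicitPrimitive(tagNumber, value) {
  // reject the structure (Codex P1 finding on PR #102 — RecipientIdentifier
  // CHOICE's SubjectKeyIdentifier alternative is `[0] IMPLICIT OCTET STRING`,
  // a primitive type).
- var tagByte = 0x80 | (tagNumber & 0x1f); // allow:raw-byte-literal — context-specific primitive mask
+ var tagByte = 0x80 | (tagNumber & 0x1f); // context-specific primitive mask
  return asn1.writeNode(tagByte, value);
  }
 
@@ -459,7 +459,7 @@ function _signerInfo(signer, msgDigest, digestOid) {
  // SignerInfo, and use the original `31 LL VV...` form as the signature
  // input.
  var signatureInput = signedAttrs;
- var signedAttrsImplicit = Buffer.concat([Buffer.from([0xa0]), // allow:raw-byte-literal — IMPLICIT [0] tag per RFC 5652 §5.3
+ var signedAttrsImplicit = Buffer.concat([Buffer.from([0xa0]), // IMPLICIT [0] tag per RFC 5652 §5.3
  signedAttrs.slice(1)]);
 
  var signature;
@@ -474,7 +474,7 @@ function _signerInfo(signer, msgDigest, digestOid) {
 
  // SignerInfo SEQUENCE per §5.3 (issuerAndSerialNumber variant — CMSVersion 1).
  return asn1.writeNode(TAG_SEQUENCE, Buffer.concat([
- asn1.writeInteger(Buffer.from([1])), // allow:raw-byte-literal — CMSVersion 1 for issuerAndSerialNumber
+ asn1.writeInteger(Buffer.from([1])), // CMSVersion 1 for issuerAndSerialNumber
  _issuerAndSerialNumber(signer.certificate),
  _algorithmIdentifier(digestOid),
  signedAttrsImplicit,
@@ -576,9 +576,9 @@ function _reEncodeNode(node) {
  // TLV. writeNode rebuilds canonical DER from the original tag byte +
  // value bytes; the tag byte is reconstructed from tagClass + constructed +
  // tag number.
- var classBits = (node.tagClass & 0x03) << 6; // allow:raw-byte-literal — tag-class shift
- var consBit = node.constructed ? 0x20 : 0x00; // allow:raw-byte-literal — constructed bit
- var tagBits = node.tag & 0x1f; // allow:raw-byte-literal — short-form tag
+ var classBits = (node.tagClass & 0x03) << 6; // tag-class shift
+ var consBit = node.constructed ? 0x20 : 0x00; // constructed bit
+ var tagBits = node.tag & 0x1f; // short-form tag
  var tagByte = classBits | consBit | tagBits;
  return asn1.writeNode(tagByte, node.value);
  }
@@ -620,7 +620,7 @@ function _recipientInfo(recipient, contentKey) {
  // composition path.
  var infoLabel = Buffer.from("cms/kemri/chacha20-poly1305", "ascii");
  var kdfInput = Buffer.concat([Buffer.from(encap.sharedSecret), infoLabel]);
- var kek = bCrypto.kdf(kdfInput, 32); // allow:raw-byte-literal — 256-bit KEK
+ var kek = bCrypto.kdf(kdfInput, 32); // 256-bit KEK
  // Wrap the content key under the KEK using ChaCha20-Poly1305.
  var wrapped;
  try { wrapped = bCrypto.encryptPacked(contentKey, kek); }
@@ -631,7 +631,7 @@ function _recipientInfo(recipient, contentKey) {
  // KEMRecipientInfo SEQUENCE.
  // Simplified ordering, version 0 per RFC 9629 §3.
  var kemRi = asn1.writeNode(TAG_SEQUENCE, Buffer.concat([
- asn1.writeInteger(Buffer.from([0])), // allow:raw-byte-literal — KEMRecipientInfo version 0
+ asn1.writeInteger(Buffer.from([0])), // KEMRecipientInfo version 0
  // rid CHOICE per RFC 9629 §3: this module ships the [0] IMPLICIT
  // SubjectKeyIdentifier alternative — SKI is `[0] IMPLICIT OCTET
  // STRING` (PRIMITIVE per RFC 5652 §10.2.4). The constructed form
@@ -642,7 +642,7 @@ function _recipientInfo(recipient, contentKey) {
  _algorithmIdentifier(OID.mlkem1024), // kem
  asn1.writeOctetString(Buffer.from(encap.cipherText)), // kemct
  _algorithmIdentifier(OID.shake256), // kdf
- asn1.writeInteger(Buffer.from([32])), // allow:raw-byte-literal — kekLength = 32 bytes
+ asn1.writeInteger(Buffer.from([32])), // kekLength = 32 bytes
  _algorithmIdentifier(OID.chacha20Poly1305), // wrap (also used as content-encryption AlgId; same OID)
  asn1.writeOctetString(wrapped), // encryptedKey
  ]));
@@ -653,7 +653,7 @@ function _recipientInfo(recipient, contentKey) {
  asn1.writeOid(OID.kemri),
  kemRi,
  ]);
- return asn1.writeNode(0xa4, oriValue); // allow:raw-byte-literal — [4] IMPLICIT context-specific constructed (ori CHOICE)
+ return asn1.writeNode(0xa4, oriValue); // [4] IMPLICIT context-specific constructed (ori CHOICE)
  }
 
  function _encryptedContentInfo(plaintext, contentKey) {
@@ -797,7 +797,7 @@ function _readSignerInfo(siNode) {
  var signedAttrsRaw = null;
  if (c[idx] && c[idx].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && c[idx].tag === 0) {
  var implicitRaw = _reEncodeNode(c[idx]);
- signedAttrsRaw = Buffer.concat([Buffer.from([0x31]), implicitRaw.slice(1)]); // allow:raw-byte-literal — universal SET tag per RFC 5652 §5.4
+ signedAttrsRaw = Buffer.concat([Buffer.from([0x31]), implicitRaw.slice(1)]); // universal SET tag per RFC 5652 §5.4
  idx += 1;
  }
  var sigAlgOid = _readAlgIdOid(c[idx]); idx += 1;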
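Review bot: `_writeImplicitConstructed` and `_writeImplicitPrimitive` build the tag byte with `tagNumber & 0x1f`, so a tag number above 30 is silently aliased instead of refused: 32 encodes as [0], and 31 produces the 0x1f bit pattern that DER reserves for the multi-byte high-tag-number form. `_reEncodeNode` applies the same mask to `node.tag`; its caller in `_readSignerInfo` checks `c[idx].tag === 0` first, but any other callers are outside these hunks. A guard ahead of the mask, `if (tagNumber < 0 || tagNumber > 30)` followed by a thrown `CmsCodecError`, would make the short-form assumption explicit and keep a malformed tag from being written as a different, valid one. The helper bodies begin outside the hunks shown.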
@@ -50,7 +50,7 @@
50
50
  * WJ U+2060 BOM U+FEFF
51
51
  */
52
52
 
53
- var HEX_RADIX = 16; // allow:raw-byte-literal — base-16 radix, not byte size
53
+ var HEX_RADIX = 16; // base-16 radix, not byte size
54
54
 
55
55
  function hex4(cp) {
56
56
  var s = cp.toString(HEX_RADIX).toUpperCase();
@@ -94,17 +94,17 @@ var BOM_CHAR = fromCp(0xFEFF);
94
94
  // is a single edit.
95
95
  var SCRIPT_RANGES = {
96
96
  latin: [[0x0041, 0x005A], [0x0061, 0x007A],
97
- [0x00C0, 0x024F], [0x1E00, 0x1EFF]], // allow:raw-byte-literal — Unicode script ranges
98
- cyrillic: [[0x0400, 0x04FF], [0x0500, 0x052F]], // allow:raw-byte-literal — Unicode Cyrillic + Cyrillic Supplement
99
- greek: [[0x0370, 0x03FF], [0x1F00, 0x1FFF]], // allow:raw-byte-literal — Unicode Greek + Greek Extended
100
- armenian: [[0x0530, 0x058F]], // allow:raw-byte-literal — Unicode Armenian
101
- cherokee: [[0x13A0, 0x13FF], [0xAB70, 0xABBF]], // allow:raw-byte-literal — Unicode Cherokee + Cherokee Supplement
102
- han: [[0x4E00, 0x9FFF]], // allow:raw-byte-literal — CJK Unified Ideographs
103
- hiragana: [[0x3040, 0x309F]], // allow:raw-byte-literal — Hiragana
104
- katakana: [[0x30A0, 0x30FF]], // allow:raw-byte-literal — Katakana
105
- hangul: [[0xAC00, 0xD7AF]], // allow:raw-byte-literal — Hangul Syllables
106
- arabic: [[0x0600, 0x06FF]], // allow:raw-byte-literal — Arabic
107
- hebrew: [[0x0590, 0x05FF]], // allow:raw-byte-literal — Hebrew
97
+ [0x00C0, 0x024F], [0x1E00, 0x1EFF]], // Unicode script ranges
98
+ cyrillic: [[0x0400, 0x04FF], [0x0500, 0x052F]], // Unicode Cyrillic + Cyrillic Supplement
99
+ greek: [[0x0370, 0x03FF], [0x1F00, 0x1FFF]], // Unicode Greek + Greek Extended
100
+ armenian: [[0x0530, 0x058F]], // Unicode Armenian
101
+ cherokee: [[0x13A0, 0x13FF], [0xAB70, 0xABBF]], // Unicode Cherokee + Cherokee Supplement
102
+ han: [[0x4E00, 0x9FFF]], // CJK Unified Ideographs
103
+ hiragana: [[0x3040, 0x309F]], // Hiragana
104
+ katakana: [[0x30A0, 0x30FF]], // Katakana
105
+ hangul: [[0xAC00, 0xD7AF]], // Hangul Syllables
106
+ arabic: [[0x0600, 0x06FF]], // Arabic
107
+ hebrew: [[0x0590, 0x05FF]], // Hebrew
108
108
  };
109
109
 
110
110
  // scriptFor(cp) — returns the script-name string for a codepoint, or
@@ -104,7 +104,7 @@ function tokenize(name) {
104
104
  return n.split(" ").filter(function (t) { return t.length > 0; });
105
105
  }
106
106
 
107
- var MAX_INPUT_LEN = 512; // allow:raw-byte-literal — name length sanity cap (operators can override fuzzy.create)
107
+ var MAX_INPUT_LEN = 512; // name length sanity cap (operators can override fuzzy.create)
108
108
 
109
109
  // ---- Levenshtein with cap + early-exit ----
110
110
 
@@ -155,7 +155,7 @@ function jaro(a, b) {
155
155
  if (typeof a !== "string" || typeof b !== "string") return 0;
156
156
  if (a === b) return a.length === 0 ? 0 : 1;
157
157
  if (a.length === 0 || b.length === 0) return 0;
158
- var matchWindow = Math.max(0, Math.floor(Math.max(a.length, b.length) / 2) - 1); // allow:raw-byte-literal — Jaro match-window formula
158
+ var matchWindow = Math.max(0, Math.floor(Math.max(a.length, b.length) / 2) - 1); // Jaro match-window formula
159
159
  var aMatched = new Array(a.length).fill(false);
160
160
  var bMatched = new Array(b.length).fill(false);
161
161
  var matches = 0;
@@ -183,7 +183,7 @@ function jaro(a, b) {
183
183
  }
184
184
  var transpositions = t / 2;
185
185
  return (matches / a.length + matches / b.length +
186
- (matches - transpositions) / matches) / 3; // allow:raw-byte-literal — Jaro 3-term formula
186
+ (matches - transpositions) / matches) / 3; // Jaro 3-term formula
187
187
  }
188
188
 
189
189
  function jaroWinkler(a, b, prefixWeight) {
@@ -198,7 +198,7 @@ function jaroWinkler(a, b, prefixWeight) {
198
198
  var j = jaro(a, b);
199
199
  if (j === 0) return 0;
200
200
  // Common prefix up to 4 chars (Winkler's cap)
201
- var maxPrefix = 4; // allow:raw-byte-literal — Jaro-Winkler prefix cap (Winkler 1990)
201
+ var maxPrefix = 4; // Jaro-Winkler prefix cap (Winkler 1990)
202
202
  var prefixLen = 0;
203
203
  var max = Math.min(a.length, b.length, maxPrefix);
204
204
  for (var i = 0; i < max; i++) {
@@ -274,7 +274,7 @@ function create(opts) {
274
274
  VALID_STRATEGIES.join(", "));
275
275
  }
276
276
  var maxLevenshtein = (typeof fuzzyOpts.maxLevenshtein === "number" && isFinite(fuzzyOpts.maxLevenshtein))
277
- ? fuzzyOpts.maxLevenshtein : 3; // allow:raw-byte-literal — default edit-distance cap (operator-tunable)
277
+ ? fuzzyOpts.maxLevenshtein : 3; // default edit-distance cap (operator-tunable)
278
278
  var auditOn = opts.audit !== false;
279
279
  var ruleVersion = opts.ruleVersion || ("entries:" + opts.entries.length);
280
280
 
@@ -327,10 +327,10 @@ function create(opts) {
327
327
  }
328
328
  // Substring containment scores 0.92 (high but below exact)
329
329
  if (fuzzy.substringContains(name, qNorm)) {
330
- if (0.92 > bestScore) { bestScore = 0.92; bestName = name; } // allow:raw-byte-literal — substring-match score weight
330
+ if (0.92 > bestScore) { bestScore = 0.92; bestName = name; } // substring-match score weight
331
331
  }
332
332
  if (fuzzy.substringContains(qNorm, name)) {
333
- if (0.92 > bestScore) { bestScore = 0.92; bestName = name; } // allow:raw-byte-literal — substring-match score weight
333
+ if (0.92 > bestScore) { bestScore = 0.92; bestName = name; } // substring-match score weight
334
334
  }
335
335
  }
336
336
  return { score: bestScore, name: bestName };
@@ -491,7 +491,7 @@ function create(opts) {
491
491
  algorithm: algorithm,
492
492
  ruleVersion: ruleVersion,
493
493
  entryCount: index.length,
494
- digest: hash.digest("hex").slice(0, 32), // allow:raw-byte-literal — first 32 hex chars (128 bits) of SHA-3 digest, sufficient for snapshot identity
494
+ digest: hash.digest("hex").slice(0, 32), // first 32 hex chars (128 bits) of SHA-3 digest, sufficient for snapshot identity
495
495
  digestAlg: "sha3-512-trunc128",
496
496
  capturedAt: Date.now(),
497
497
  };
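Review bot: `digest: hash.digest("hex").slice(0, 32)` keeps 128 bits of the SHA-3 output, which leaves roughly 64 bits of collision resistance. That is ample for detecting accidental change, but if the snapshot serves as audit evidence of which entry set was screened against, a deliberately constructed collision is far cheaper than against the full digest. Consider emitting the full hex digest, or at least 64 hex characters, with the `digestAlg` label adjusted to match; stored `sha3-512-trunc128` values would then need a compatibility note. `create` starts and ends outside this hunk, so how the snapshot is consumed is not visible here.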
package/lib/compliance.js CHANGED
@@ -93,14 +93,14 @@ var KNOWN_POSTURES = Object.freeze([
93
93
  "tcpa-10dlc", // TCPA 10DLC carrier-shaped consent + FCC 1:1 disclosure
94
94
  "fda-21cfr11", // FDA 21 CFR Part 11 — audit-trail + electronic signatures (general-purpose subset)
95
95
  "fda-annex-11", // EU GMP Annex 11 — computerized systems (Part-11 equivalent)
96
- "sec-1.05", // SEC Cybersecurity Disclosure Item 1.05 — material-incident 8-K filing // allow:raw-byte-literal — regulatory identifier, not bytes
96
+ "sec-1.05", // SEC Cybersecurity Disclosure Item 1.05 — material-incident 8-K filing // regulatory identifier, not bytes
97
97
  // ---- US state student-data privacy (F5.1 posture group) ----
98
98
  "ny-2-d", // NY Education Law §2-d
99
99
  "il-soppa", // Illinois Student Online Personal Protection Act
100
100
  "ca-sopipa", // California Student Online Personal Information Protection Act
101
101
  "ct-pa-5-2", // Connecticut Public Act 5-2
102
- "tx-hb-4504", // Texas HB 4504 // allow:raw-byte-literal — statute identifier, not bytes
103
- "va-sb-1376", // Virginia SB 1376 // allow:raw-byte-literal — statute identifier, not bytes
102
+ "tx-hb-4504", // Texas HB 4504 // statute identifier, not bytes
103
+ "va-sb-1376", // Virginia SB 1376 // statute identifier, not bytes
104
104
  // ---- EU government / cloud-region ----
105
105
  "staterramp", // StateRAMP / TX-RAMP / AZ-RAMP / GovRAMP family (FedRAMP-Moderate cross-walks)
106
106
  "irap", // Australia IRAP / Essential Eight / ISM
@@ -149,7 +149,7 @@ var KNOWN_POSTURES = Object.freeze([
149
149
  "il-hb3773", // Illinois HB 3773 — IHRA AI amendment (effective 2026-01-01)
150
150
  "tx-traiga", // Texas Responsible AI Governance Act HB 149 (effective 2026-01-01)
151
151
  "ut-aipa", // Utah AI Disclosure Act (UAIPA + 2025 amendments; sunset 2027-07-01)
152
- "nyc-ll144", // NYC Local Law 144 — Automated Employment Decision Tools (in force) // allow:raw-byte-literal — regulatory identifier, not bytes
152
+ "nyc-ll144", // NYC Local Law 144 — Automated Employment Decision Tools (in force) // regulatory identifier, not bytes
153
153
  "ca-tfaia", // California SB 53 — Transparency in Frontier AI Act (effective 2026-01-01)
154
154
  "kr-ai-basic", // South Korea AI Basic Act (effective 2026-01-22)
155
155
  "cn-ai-label", // China Measures for Labelling of AI-Generated Content (effective 2025-09-01)
@@ -157,8 +157,8 @@ var KNOWN_POSTURES = Object.freeze([
157
157
  "iso-42001", // ISO/IEC 42001:2023 — AI Management System
158
158
  "iso-23894", // ISO/IEC 23894:2023 — AI Risk Management Guidance
159
159
  // ---- v0.8.81 expansion — content-credentials posture flags ----
160
- "ca-sb942", // California SB-942 (Cal. Bus. & Prof. Code §22757) gen-AI disclosure (effective 2026-08-02) // allow:raw-byte-literal — regulatory identifier + date, not bytes
161
- "ca-ab853", // California AB-853 platform-side gen-AI detection (effective 2026-08-02) // allow:raw-byte-literal — regulatory identifier + date, not bytes
160
+ "ca-sb942", // California SB-942 (Cal. Bus. & Prof. Code §22757) gen-AI disclosure (effective 2026-08-02) // regulatory identifier + date, not bytes
161
+ "ca-ab853", // California AB-853 platform-side gen-AI detection (effective 2026-08-02) // regulatory identifier + date, not bytes
162
162
  // ---- v0.8.81 expansion — substrate-to-posture cleanup ----
163
163
  "eaa", // EU Accessibility Act / Directive (EU) 2019/882 (effective 2025-06-28)
164
164
  "wcag-2-2", // W3C Web Content Accessibility Guidelines 2.2 (Oct 2023 Recommendation)
@@ -170,7 +170,7 @@ var KNOWN_POSTURES = Object.freeze([
170
170
  // US federal child / financial privacy
171
171
  "coppa", // Children's Online Privacy Protection Act (15 U.S.C. §6501)
172
172
  "coppa-2025", // COPPA 2025 Amendment (FTC final 2025-04-22; effective 2026-06-23 — biometric expansion + knowing-collection disclosure)
173
- "glba-safeguards", // GLBA Safeguards Rule 2024 Amendment (16 CFR Part 314 — effective 2024-05-13) // allow:raw-byte-literal — CFR title number, not bytes
173
+ "glba-safeguards", // GLBA Safeguards Rule 2024 Amendment (16 CFR Part 314 — effective 2024-05-13) // CFR title number, not bytes
174
174
  // UK
175
175
  "uk-duaa", // UK Data (Use and Access) Act 2025 (Royal Assent 2025-06-19; replaces DPDI Bill)
176
176
  // Latin America
@@ -199,7 +199,7 @@ var KNOWN_POSTURES = Object.freeze([
199
199
  "nist-pf-1.1", // NIST Privacy Framework 1.1 (final 2025-04-14)
200
200
  // EU non-personal-data + adjacent
201
201
  "dsa", // EU Digital Services Act (Regulation 2022/2065; fully applicable 2024-02-17)
202
- "dga", // EU Data Governance Act (Regulation 2022/868; applicable 2023-09-24) // allow:raw-byte-literal — calendar day, not bytes
202
+ "dga", // EU Data Governance Act (Regulation 2022/868; applicable 2023-09-24) // calendar day, not bytes
203
203
  "eu-cer", // EU Critical Entities Resilience Directive (2022/2557; transposition 2024-10-17)
204
204
  "eu-cyber-sol", // EU Cyber Solidarity Act (Regulation 2025/38; effective 2025-02-04)
205
205
  "eidas-2", // eIDAS 2 / EUDI Wallet (Regulation 2024/1183; rollout 2026-2027)
@@ -211,7 +211,7 @@ var KNOWN_POSTURES = Object.freeze([
211
211
  "iso-27017", // ISO/IEC 27017 — Cloud-services security controls
212
212
  "iso-27018", // ISO/IEC 27018 — PII protection in public-cloud processors
213
213
  "iso-27701", // ISO/IEC 27701 — Privacy Information Management System
214
- "nist-800-66-r2", // NIST SP 800-66 Rev 2 — HIPAA Security Rule implementation guidance // allow:raw-byte-literal — NIST publication number, not bytes
214
+ "nist-800-66-r2", // NIST SP 800-66 Rev 2 — HIPAA Security Rule implementation guidance // NIST publication number, not bytes
215
215
  "ehds", // EU European Health Data Space (Regulation 2025/327; phased 2027-2029)
216
216
  "circia", // US Cyber Incident Reporting for Critical Infrastructure Act (final rule pending)
217
217
  // ---- v0.9.6 expansion — exceptd framework-control-gap closure ----
@@ -224,16 +224,16 @@ var KNOWN_POSTURES = Object.freeze([
224
224
  // the named regime's evidence expectations.
225
225
  "nist-800-53", // NIST SP 800-53 Rev 5 — full Moderate / High baseline
226
226
  "nist-ai-rmf-1.0", // NIST AI Risk Management Framework 1.0
227
- "iso-42001-2023", // ISO/IEC 42001:2023 — AI management system (alias for v0.8.81 iso-42001 entry, kept for posture-vocabulary stability) // allow:raw-byte-literal — standard publication year, not bytes
227
+ "iso-42001-2023", // ISO/IEC 42001:2023 — AI management system (alias for v0.8.81 iso-42001 entry, kept for posture-vocabulary stability) // standard publication year, not bytes
228
228
  "iso-23894-2023", // ISO/IEC 23894:2023 — AI risk management guidance (alias)
229
229
  "owasp-llm-top-10-2025", // OWASP Top 10 for LLM Applications 2025
230
230
  "owasp-asvs-v5.0", // OWASP Application Security Verification Standard v5.0
231
- "nist-800-218-ssdf", // NIST SP 800-218 Secure Software Development Framework v1.1 // allow:raw-byte-literal — NIST pub number, not bytes
232
- "nist-800-82-r3", // NIST SP 800-82 Rev 3 — OT security guide // allow:raw-byte-literal — NIST pub number, not bytes
231
+ "nist-800-218-ssdf", // NIST SP 800-218 Secure Software Development Framework v1.1 // NIST pub number, not bytes
232
+ "nist-800-82-r3", // NIST SP 800-82 Rev 3 — OT security guide // NIST pub number, not bytes
233
233
  "nist-800-63b-rev4", // NIST SP 800-63B Rev 4 — Digital Identity (AAL/IAL/FAL)
234
234
  "iec-62443-3-3", // IEC 62443-3-3 — IACS system security
235
235
  "fedramp-rev5-moderate", // FedRAMP Rev 5 Moderate baseline
236
- "hipaa-security-rule", // HIPAA Security Rule 45 CFR §164.312 (technical safeguards) // allow:raw-byte-literal — CFR section, not bytes
236
+ "hipaa-security-rule", // HIPAA Security Rule 45 CFR §164.312 (technical safeguards) // CFR section, not bytes
237
237
  "hitrust-csf-v11.4", // HITRUST CSF v11.4
238
238
  "nerc-cip-007-6", // NERC CIP-007-6 — BES Cyber System Security Management
239
239
  "psd2-rts-sca", // EU PSD2 RTS on Strong Customer Authentication (Commission Delegated Regulation 2018/389)
@@ -244,10 +244,10 @@ var KNOWN_POSTURES = Object.freeze([
244
244
  "spdx-v3.0", // SPDX v3.0 SBOM — framework ships sbom.spdx.json (v0.9.6+)
245
245
  "owasp-wstg-v5", // OWASP Web Security Testing Guide v5
246
246
  "ptes", // Penetration Testing Execution Standard
247
- "nist-800-115", // NIST SP 800-115 Technical Guide to Information Security Testing // allow:raw-byte-literal — NIST pub number, not bytes
247
+ "nist-800-115", // NIST SP 800-115 Technical Guide to Information Security Testing // NIST pub number, not bytes
248
248
  "cwe-top-25-2024", // CWE Top 25 Most Dangerous Software Weaknesses (2024)
249
249
  "cis-controls-v8", // CIS Controls v8
250
- "cmmc-2.0-level-2", // CMMC 2.0 Level 2 (Advanced) — 110 NIST 800-171 Rev 2 controls // allow:raw-byte-literal — NIST pub number / level, not bytes
250
+ "cmmc-2.0-level-2", // CMMC 2.0 Level 2 (Advanced) — 110 NIST 800-171 Rev 2 controls // NIST pub number / level, not bytes
251
251
  // ---- v0.9.57 — granular CMMC level distinction ----
252
252
  // CMMC 2.0 maturity levels carry distinct control-mapping
253
253
  // expectations: Level 1 = 15 controls (FAR 52.204-21), Level 2 =
@@ -255,29 +255,29 @@ var KNOWN_POSTURES = Object.freeze([
255
255
  // 800-172 enhanced controls. The umbrella "cmmc-2.0" posture
256
256
  // remains for back-compat with existing operators; the explicit
257
257
  // L1/L2/L3 postures are the recommended pin for new deployments.
258
- "cmmc-2.0-level-1", // CMMC 2.0 Level 1 (Foundational) — 15 FAR controls; FCI-only data // allow:raw-byte-literal — regulatory identifier, not bytes
259
- "cmmc-2.0-level-3", // CMMC 2.0 Level 3 (Expert) — NIST 800-172 enhanced controls atop L2 // allow:raw-byte-literal — regulatory identifier, not bytes
258
+ "cmmc-2.0-level-1", // CMMC 2.0 Level 1 (Foundational) — 15 FAR controls; FCI-only data // regulatory identifier, not bytes
259
+ "cmmc-2.0-level-3", // CMMC 2.0 Level 3 (Expert) — NIST 800-172 enhanced controls atop L2 // regulatory identifier, not bytes
260
260
  // ---- v0.12.1 — promote POSTURE_DEFAULTS-only entries into the
261
261
  // canonical KNOWN_POSTURES surface so operators can actually
262
262
  // `b.compliance.set(...)` them. Each entry had cascade
263
263
  // configuration wired but couldn't be pinned because set()'s
264
264
  // KNOWN_POSTURES check refused unknown strings.
265
- "42-cfr-part-2", // 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records (HHS final rule 2024-02-08) // allow:raw-byte-literal — CFR section identifier, not bytes
265
+ "42-cfr-part-2", // 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records (HHS final rule 2024-02-08) // CFR section identifier, not bytes
266
266
  "hti-1", // ONC HTI-1 — Health IT certification + algorithm transparency (45 CFR Part 170; effective 2024-12-31)
267
- "uscdi-v4", // USCDI v4 — US Core Data for Interoperability v4 (ONC; 2024-01) // allow:raw-byte-literal — version identifier, not bytes
268
- "irs-1075", // IRS Publication 1075 — Tax Information Security Guidelines (Rev. 11-2023) // allow:raw-byte-literal — publication number, not bytes
269
- "nist-800-172-r3", // NIST SP 800-172 Rev 3 — Enhanced Security Requirements for CUI // allow:raw-byte-literal — publication number, not bytes
267
+ "uscdi-v4", // USCDI v4 — US Core Data for Interoperability v4 (ONC; 2024-01) // version identifier, not bytes
268
+ "irs-1075", // IRS Publication 1075 — Tax Information Security Guidelines (Rev. 11-2023) // publication number, not bytes
269
+ "nist-800-172-r3", // NIST SP 800-172 Rev 3 — Enhanced Security Requirements for CUI // publication number, not bytes
270
270
  "tlp-2.0", // FIRST Traffic Light Protocol 2.0 — information-sharing classifications (TLP:CLEAR / GREEN / AMBER / AMBER+STRICT / RED)
271
271
  "soci-au", // Australia Security of Critical Infrastructure Act (SOCI 2018) + 2022 amendments
272
- "ffiec-cat-2", // FFIEC Cybersecurity Assessment Tool 2.0 (federal financial institution exam) // allow:raw-byte-literal — tool version, not bytes
273
- "cri-profile-v2.0", // Cyber Risk Institute Profile v2.0 — financial-services framework mapping (NIST CSF cross-walk) // allow:raw-byte-literal — version identifier, not bytes
272
+ "ffiec-cat-2", // FFIEC Cybersecurity Assessment Tool 2.0 (federal financial institution exam) // tool version, not bytes
273
+ "cri-profile-v2.0", // Cyber Risk Institute Profile v2.0 — financial-services framework mapping (NIST CSF cross-walk) // version identifier, not bytes
274
274
  "m-22-09", // OMB M-22-09 — Federal Zero Trust Architecture Strategy
275
275
  "m-22-18", // OMB M-22-18 — Enhancing Software Supply Chain Security (SSDF attestation)
276
- "nist-800-53-r5-privacy", // NIST SP 800-53 Rev 5 — Privacy Control Family overlay // allow:raw-byte-literal — publication number, not bytes
277
- "nist-ai-600-1-genai", // NIST AI 600-1 — Generative AI Profile (companion to AI RMF 1.0) // allow:raw-byte-literal — publication number, not bytes
278
- "nist-csf-2.0", // NIST Cybersecurity Framework 2.0 (Feb 2024) // allow:raw-byte-literal — framework version, not bytes
279
- "sb-53", // California SB-53 — Transparency in Frontier AI Act (effective 2025-09-29) // allow:raw-byte-literal — statute identifier, not bytes
280
- "nyc-ll144-2024", // NYC Local Law 144 — Automated Employment Decision Tool bias audits (2024 enforcement update) // allow:raw-byte-literal — statute identifier, not bytes
276
+ "nist-800-53-r5-privacy", // NIST SP 800-53 Rev 5 — Privacy Control Family overlay // publication number, not bytes
277
+ "nist-ai-600-1-genai", // NIST AI 600-1 — Generative AI Profile (companion to AI RMF 1.0) // publication number, not bytes
278
+ "nist-csf-2.0", // NIST Cybersecurity Framework 2.0 (Feb 2024) // framework version, not bytes
279
+ "sb-53", // California SB-53 — Transparency in Frontier AI Act (effective 2025-09-29) // statute identifier, not bytes
280
+ "nyc-ll144-2024", // NYC Local Law 144 — Automated Employment Decision Tool bias audits (2024 enforcement update) // statute identifier, not bytes
281
281
  ]);
282
282
 
283
283
  // SUPPLY-34 — Artifact standards (SBOM / VEX format families) are NOT
@@ -965,7 +965,7 @@ var POSTURE_DEFAULTS = Object.freeze({
965
965
  requireVacuumAfterErase: false,
966
966
  }),
967
967
  "gdpr": Object.freeze({
968
- backupEncryptionRequired: false, // GDPR Art. 32 says "appropriate" — not mandatory floor // allow:protocol-constant — regulatory article number in prose
968
+ backupEncryptionRequired: false, // GDPR Art. 32 says "appropriate" — not mandatory floor
969
969
  auditChainSignedRequired: true,
970
970
  tlsMinVersion: "TLSv1.3",
971
971
  // GDPR Art. 17 — "right to erasure" includes residual indexes; B-tree
@@ -36,11 +36,11 @@ var audit = require("./audit");
36
36
  var { defineClass } = require("./framework-error");
37
37
  var ContentCredentialsError = defineClass("ContentCredentialsError", { alwaysPermanent: true });
38
38
 
39
- var STR_LEN_MAX = 256; // allow:raw-byte-literal — string-length cap, not bytes
40
- var ID_LEN_MAX = 128; // allow:raw-byte-literal — string-length cap, not bytes
39
+ var STR_LEN_MAX = 256; // string-length cap, not bytes
40
+ var ID_LEN_MAX = 128; // string-length cap, not bytes
41
41
  var SEMVER_RE = /^[0-9]+\.[0-9]+(?:\.[0-9]+)?(?:[-+][A-Za-z0-9.-]+)?$/;
42
42
  var ID_RE = /^[a-zA-Z0-9._:/-]{1,128}$/;
43
- var SHA3_HEX_LEN = 128; // allow:raw-byte-literal — SHA3-512 hex length, not bytes
43
+ var SHA3_HEX_LEN = 128; // SHA3-512 hex length, not bytes
44
44
 
45
45
  // Required fields per SB-942 §22757(a) — every AI-generated asset
46
46
  // must disclose provider + system + timestamp + contentId.
@@ -64,7 +64,7 @@ function _validateBuildOpts(opts) {
64
64
  throw ContentCredentialsError.factory("content-credentials/bad-system",
65
65
  "system must match " + ID_RE);
66
66
  }
67
- if (opts.systemVersion.length > 64 || !SEMVER_RE.test(opts.systemVersion)) { // allow:raw-byte-literal — semver length cap, not bytes
67
+ if (opts.systemVersion.length > 64 || !SEMVER_RE.test(opts.systemVersion)) { // semver length cap, not bytes
68
68
  throw ContentCredentialsError.factory("content-credentials/bad-version",
69
69
  "systemVersion must be semver");
70
70
  }
@@ -347,35 +347,35 @@ function verify(envelope, publicKeyPem, opts) {
347
347
  // libraries (jose-py / c2pa-rs / etc.).
348
348
 
349
349
  // COSE algorithm registry codepoints (RFC 9053 §2.1 + draft-ietf-cose-* for PQ).
350
- // allow:raw-byte-literal — IANA registry IDs, not byte counts.
350
+ // IANA registry IDs, not byte counts.
351
351
  var COSE_ALGS = {
352
- "ed25519": -8, // allow:raw-byte-literal — COSE alg id
353
- "es256": -7, // allow:raw-byte-literal — COSE alg id
354
- "es384": -35, // allow:raw-byte-literal — COSE alg id
355
- "es512": -36, // allow:raw-byte-literal — COSE alg id
356
- "ml-dsa-44": -48, // allow:raw-byte-literal — COSE alg id (draft)
357
- "ml-dsa-65": -49, // allow:raw-byte-literal — COSE alg id (draft)
358
- "ml-dsa-87": -50, // allow:raw-byte-literal — COSE alg id (draft)
359
- "slh-dsa-sha2-128s": -51, // allow:raw-byte-literal — COSE alg id (draft)
360
- "slh-dsa-shake-256f": -56, // allow:raw-byte-literal — COSE alg id (draft)
352
+ "ed25519": -8, // COSE alg id
353
+ "es256": -7, // COSE alg id
354
+ "es384": -35, // COSE alg id
355
+ "es512": -36, // COSE alg id
356
+ "ml-dsa-44": -48, // COSE alg id (draft)
357
+ "ml-dsa-65": -49, // COSE alg id (draft)
358
+ "ml-dsa-87": -50, // COSE alg id (draft)
359
+ "slh-dsa-sha2-128s": -51, // COSE alg id (draft)
360
+ "slh-dsa-shake-256f": -56, // COSE alg id (draft)
361
361
  };
362
362
 
363
363
  // CBOR encoder (RFC 8949 §3). The integer thresholds 24/256/65536/4294967296
364
364
  // are CBOR-spec length-encoding boundaries — not byte counts.
365
- // allow:raw-byte-literal — CBOR encoding thresholds, not byte counts.
365
+ // CBOR encoding thresholds, not byte counts.
366
366
  function _cborUint(n) {
367
- if (n < 24) return Buffer.from([n]); // allow:raw-byte-literal — CBOR threshold
368
- if (n < 256) return Buffer.from([0x18, n]); // allow:raw-byte-literal — CBOR threshold
369
- if (n < 65536) return Buffer.from([0x19, (n >> 8) & 0xFF, n & 0xFF]); // allow:raw-byte-literal — CBOR threshold
370
- if (n < 4294967296) return Buffer.from([0x1A, (n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF]); // allow:raw-byte-literal — CBOR threshold
367
+ if (n < 24) return Buffer.from([n]); // CBOR threshold
368
+ if (n < 256) return Buffer.from([0x18, n]); // CBOR threshold
369
+ if (n < 65536) return Buffer.from([0x19, (n >> 8) & 0xFF, n & 0xFF]); // CBOR threshold
370
+ if (n < 4294967296) return Buffer.from([0x1A, (n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF]); // CBOR threshold
371
371
  throw ContentCredentialsError.factory("content-credentials/cbor-overflow", "cbor uint too large: " + n);
372
372
  }
373
373
 
374
374
  function _cborNint(n) {
375
375
  var v = -1 - n;
376
- if (v < 24) return Buffer.from([0x20 | v]); // allow:raw-byte-literal — CBOR threshold
377
- if (v < 256) return Buffer.from([0x38, v]); // allow:raw-byte-literal — CBOR threshold
378
- if (v < 65536) return Buffer.from([0x39, (v >> 8) & 0xFF, v & 0xFF]); // allow:raw-byte-literal — CBOR threshold
376
+ if (v < 24) return Buffer.from([0x20 | v]); // CBOR threshold
377
+ if (v < 256) return Buffer.from([0x38, v]); // CBOR threshold
378
+ if (v < 65536) return Buffer.from([0x39, (v >> 8) & 0xFF, v & 0xFF]); // CBOR threshold
379
379
  return Buffer.from([0x3A, (v >> 24) & 0xFF, (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF]);
380
380
  }
381
381
 
@@ -386,30 +386,30 @@ function _cborInt(n) {
386
386
  function _cborBytes(buf) {
387
387
  var n = buf.length;
388
388
  var head;
389
- if (n < 24) head = Buffer.from([0x40 | n]); // allow:raw-byte-literal — CBOR threshold
390
- else if (n < 256) head = Buffer.from([0x58, n]); // allow:raw-byte-literal — CBOR threshold
391
- else if (n < 65536) head = Buffer.from([0x59, (n >> 8) & 0xFF, n & 0xFF]); // allow:raw-byte-literal — CBOR threshold
389
+ if (n < 24) head = Buffer.from([0x40 | n]); // CBOR threshold
390
+ else if (n < 256) head = Buffer.from([0x58, n]); // CBOR threshold
391
+ else if (n < 65536) head = Buffer.from([0x59, (n >> 8) & 0xFF, n & 0xFF]); // CBOR threshold
392
392
  else head = Buffer.from([0x5A, (n >>> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF]);
393
393
  return Buffer.concat([head, buf]);
394
394
  }
395
395
 
396
396
  function _cborArrayHeader(n) {
397
- if (n < 24) return Buffer.from([0x80 | n]); // allow:raw-byte-literal — CBOR threshold
398
- if (n < 256) return Buffer.from([0x98, n]); // allow:raw-byte-literal — CBOR threshold
399
- if (n < 65536) return Buffer.from([0x99, (n >> 8) & 0xFF, n & 0xFF]); // allow:raw-byte-literal — CBOR threshold
397
+ if (n < 24) return Buffer.from([0x80 | n]); // CBOR threshold
398
+ if (n < 256) return Buffer.from([0x98, n]); // CBOR threshold
399
+ if (n < 65536) return Buffer.from([0x99, (n >> 8) & 0xFF, n & 0xFF]); // CBOR threshold
400
400
  throw ContentCredentialsError.factory("content-credentials/cbor-overflow", "cbor array too large: " + n);
401
401
  }
402
402
 
403
403
  function _cborMapHeader(n) {
404
- if (n < 24) return Buffer.from([0xA0 | n]); // allow:raw-byte-literal — CBOR threshold
405
- if (n < 256) return Buffer.from([0xB8, n]); // allow:raw-byte-literal — CBOR threshold
404
+ if (n < 24) return Buffer.from([0xA0 | n]); // CBOR threshold
405
+ if (n < 256) return Buffer.from([0xB8, n]); // CBOR threshold
406
406
  throw ContentCredentialsError.factory("content-credentials/cbor-overflow", "cbor map too large: " + n);
407
407
  }
408
408
 
409
409
  function _cborTag(tag) {
410
- if (tag < 24) return Buffer.from([0xC0 | tag]); // allow:raw-byte-literal — CBOR threshold
411
- if (tag < 256) return Buffer.from([0xD8, tag]); // allow:raw-byte-literal — CBOR threshold
412
- if (tag < 65536) return Buffer.from([0xD9, (tag >> 8) & 0xFF, tag & 0xFF]); // allow:raw-byte-literal — CBOR threshold
410
+ if (tag < 24) return Buffer.from([0xC0 | tag]); // CBOR threshold
411
+ if (tag < 256) return Buffer.from([0xD8, tag]); // CBOR threshold
412
+ if (tag < 65536) return Buffer.from([0xD9, (tag >> 8) & 0xFF, tag & 0xFF]); // CBOR threshold
413
413
  return Buffer.from([0xDA, (tag >> 24) & 0xFF, (tag >> 16) & 0xFF, (tag >> 8) & 0xFF, tag & 0xFF]);
414
414
  }
415
415
 
@@ -492,7 +492,7 @@ function signCose(manifest, opts) {
492
492
  }
493
493
  unprotectedHdr = Buffer.concat([
494
494
  _cborMapHeader(1),
495
- _cborInt(33), // allow:raw-byte-literal allow:raw-time-literal — RFC 9360 x5chain header label, not a duration
495
+ _cborInt(33), // allow:raw-time-literal — RFC 9360 x5chain header label, not a duration
496
496
  chainArray,
497
497
  ]);
498
498
  } else {
@@ -514,7 +514,7 @@ function signCose(manifest, opts) {
514
514
  // First entry is the text string "Signature1" — major-type 3
515
515
  var sigText = Buffer.from("Signature1", "utf8");
516
516
  var sigTextBstr;
517
- if (sigText.length < 24) sigTextBstr = Buffer.concat([Buffer.from([0x60 | sigText.length]), sigText]); // allow:raw-byte-literal — CBOR text-string threshold
517
+ if (sigText.length < 24) sigTextBstr = Buffer.concat([Buffer.from([0x60 | sigText.length]), sigText]); // CBOR text-string threshold
518
518
  else sigTextBstr = Buffer.concat([Buffer.from([0x78, sigText.length]), sigText]);
519
519
  sigStructureBufs[1] = sigTextBstr;
520
520
  var toBeSigned = Buffer.concat(sigStructureBufs);
@@ -612,7 +612,7 @@ function cacImplicitLabel(opts) {
612
612
  "(统一社会信用代码 per GB 32100-2015 / GB 45438-2025)");
613
613
  }
614
614
  if (typeof opts.contentId !== "string" || opts.contentId.length === 0 ||
615
- opts.contentId.length > 128) { // allow:raw-byte-literal — contentId char cap, not bytes
615
+ opts.contentId.length > 128) { // contentId char cap, not bytes
616
616
  throw new ContentCredentialsError("cac-implicit-label/bad-content-id",
617
617
  "cacImplicitLabel: contentId must be 1-128 chars");
618
618
  }
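Review bot: `_cborNint` (hunk `@@ -347,35 +347,35 @@`) falls through to the 4-byte `0x3A` form for every `v` of 65536 or more, so a value at or above 2^32 is truncated by the 32-bit shifts and encoded as a different integer, whereas `_cborUint` just above it throws `content-credentials/cbor-overflow` at that same boundary. `_cborTag` ends with the same unguarded `0xDA` return, and `_cborBytes` with an unguarded `0x5A` head. These encoders presumably feed the structure that `signCose` signs, so I would fail closed before the final return, e.g. `if (v >= 4294967296) throw ContentCredentialsError.factory("content-credentials/cbor-overflow", "cbor nint too large: " + n);`, with the matching check in `_cborTag`. The call sites visible on this page pass small constants (`_cborInt(33)`, the `COSE_ALGS` ids), so this reads as hardening of a signed encoding rather than a bug shown to be reachable.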
package/lib/cookies.js CHANGED
@@ -485,7 +485,7 @@ function parseSafe(cookieHeader, opts) {
485
485
  }
486
486
  for (var hi = 0; hi < cookieHeader.length; hi += 1) {
487
487
  var ch = cookieHeader.charCodeAt(hi);
488
- if (ch === 0x0D || ch === 0x0A || ch === 0x00) { // allow:raw-byte-literal — CR / LF / NUL forbidden in cookie header
488
+ if (ch === 0x0D || ch === 0x0A || ch === 0x00) { // CR / LF / NUL forbidden in cookie header
489
489
  issues.push({
490
490
  kind: "header-control-byte", severity: "high",
491
491
  snippet: "Cookie header contains CR / LF / NUL — proxy-side " +