@blamejs/core 0.14.0 → 0.14.2

package/lib/cose.js

@@ -60,12 +60,12 @@ var { defineClass } = require("./framework-error");
 
 var CoseError = defineClass("CoseError", { alwaysPermanent: true });
 
-var COSE_SIGN1_TAG = 18;                                                               // allow:raw-byte-literal — RFC 9052 COSE_Sign1 CBOR tag
+var COSE_SIGN1_TAG = 18;                                                               // RFC 9052 COSE_Sign1 CBOR tag
 var HDR_ALG = 1;                                                                       // RFC 9052 §3.1 header label: alg
 var HDR_CRIT = 2;                                                                      // header label: crit
 var HDR_CONTENT_TYPE = 3;                                                              // header label: content type
 var HDR_KID = 4;                                                                       // header label: kid
-var HDR_CWT_CLAIMS = 15;                                                               // allow:raw-byte-literal — RFC 9597 CWT Claims header label (carries SCITT iss/sub)
+var HDR_CWT_CLAIMS = 15;                                                               // RFC 9597 CWT Claims header label (carries SCITT iss/sub)
 
 // COSE algorithm identifiers. ML-DSA-87 is a NON-FINAL requested
 // assignment (draft-ietf-cose-dilithium) — pinned deliberately, re-open
@@ -73,7 +73,7 @@ var HDR_CWT_CLAIMS = 15;
 // (RFC 9053). SLH-DSA is intentionally absent (no registered COSE id).
 var ALG_NAME_TO_ID = {
   "ML-DSA-87": -50,
-  "ES256": -7, "ES384": -35, "ES512": -36, "EdDSA": -8,                                // allow:raw-byte-literal — COSE algorithm identifiers (RFC 9053), not byte sizes
+  "ES256": -7, "ES384": -35, "ES512": -36, "EdDSA": -8,                                // COSE algorithm identifiers (RFC 9053), not byte sizes
 };
 var ALG_ID_TO_NAME = {};
 Object.keys(ALG_NAME_TO_ID).forEach(function (k) { ALG_ID_TO_NAME[ALG_NAME_TO_ID[k]] = k; });
@@ -100,7 +100,7 @@ function _toKeyObject(key, kind) {
 function _algParamsFor(algId) {
   switch (algId) {
     case -50: return { nodeAlg: null };                                                // ML-DSA-87 (KeyObject specifies the hash)
-    case -8:  return { nodeAlg: null };                                                // allow:raw-byte-literal — EdDSA COSE alg id (RFC 9053), not a size
+    case -8:  return { nodeAlg: null };                                                // EdDSA COSE alg id (RFC 9053), not a size
     case -7:  return { nodeAlg: "sha256", dsaEncoding: "ieee-p1363" };                 // ES256
     case -35: return { nodeAlg: "sha384", dsaEncoding: "ieee-p1363" };                 // ES384
     case -36: return { nodeAlg: "sha512", dsaEncoding: "ieee-p1363" };                 // ES512
@@ -374,22 +374,22 @@ async function verify(coseSign1, opts) {
 
 // ---- COSE_Encrypt0 (RFC 9052 §5.2) — single-recipient AEAD ----
 
-var COSE_ENCRYPT0_TAG = 16;                                                            // allow:raw-byte-literal — RFC 9052 COSE_Encrypt0 CBOR tag
+var COSE_ENCRYPT0_TAG = 16;                                                            // RFC 9052 COSE_Encrypt0 CBOR tag
 var HDR_IV = 5;                                                                        // RFC 9052 §3.1 unprotected header label: IV
-var AEAD_TAG_LEN = 16;                                                                 // allow:raw-byte-literal — AEAD authentication tag length (bytes)
+var AEAD_TAG_LEN = 16;                                                                 // AEAD authentication tag length (bytes)
 
 // AEAD algorithm: COSE id → node cipher + key / IV sizes. ChaCha20/
 // Poly1305 (24) is the default; AES-GCM is opt-in (project hard-rule
 // #2 forbids AES-GCM as a default).
-var AEAD_NAME_TO_ID = { "ChaCha20-Poly1305": 24, "A256GCM": 3, "A128GCM": 1 };         // allow:raw-byte-literal — COSE AEAD algorithm identifiers (RFC 9053), not sizes
+var AEAD_NAME_TO_ID = { "ChaCha20-Poly1305": 24, "A256GCM": 3, "A128GCM": 1 };         // COSE AEAD algorithm identifiers (RFC 9053), not sizes
 var AEAD_ID_TO_NAME = {};
 Object.keys(AEAD_NAME_TO_ID).forEach(function (k) { AEAD_ID_TO_NAME[AEAD_NAME_TO_ID[k]] = k; });
 
 function _aeadParams(algId) {
   switch (algId) {
-    case 24: return { cipher: "chacha20-poly1305", keyLen: 32, ivLen: 12 };            // allow:raw-byte-literal — ChaCha20/Poly1305 key+IV sizes
-    case 3:  return { cipher: "aes-256-gcm",      keyLen: 32, ivLen: 12 };             // allow:raw-byte-literal — AES-256-GCM key+IV sizes
-    case 1:  return { cipher: "aes-128-gcm",      keyLen: 16, ivLen: 12 };             // allow:raw-byte-literal — AES-128-GCM key+IV sizes
+    case 24: return { cipher: "chacha20-poly1305", keyLen: 32, ivLen: 12 };            // ChaCha20/Poly1305 key+IV sizes
+    case 3:  return { cipher: "aes-256-gcm",      keyLen: 32, ivLen: 12 };             // AES-256-GCM key+IV sizes
+    case 1:  return { cipher: "aes-128-gcm",      keyLen: 16, ivLen: 12 };             // AES-128-GCM key+IV sizes
     default:
       throw new CoseError("cose/unknown-alg", "cose: unrecognized AEAD COSE alg id " + algId);
   }
@@ -552,11 +552,11 @@ function decrypt0(coseEncrypt0, opts) {
 
 // ---- COSE_Mac0 (RFC 9052 §6.2) — single shared-key MAC ----
 
-var COSE_MAC0_TAG = 17;                                                       // allow:raw-byte-literal — RFC 9052 COSE_Mac0 CBOR tag
+var COSE_MAC0_TAG = 17;                                                       // RFC 9052 COSE_Mac0 CBOR tag
 // HMAC algorithms (RFC 9053 §3.1). Only the full-length tags are offered —
 // the truncated HMAC 256/64 (id 4) is omitted. HMAC is symmetric, so its
 // post-quantum strength is fine; these are the COSE-standard MAC algs.
-var HMAC_NAME_TO_ID = { "HMAC-256/256": 5, "HMAC-384/384": 6, "HMAC-512/512": 7 };   // allow:raw-byte-literal — COSE HMAC algorithm ids (RFC 9053)
+var HMAC_NAME_TO_ID = { "HMAC-256/256": 5, "HMAC-384/384": 6, "HMAC-512/512": 7 };   // COSE HMAC algorithm ids (RFC 9053)
 var HMAC_ID_TO_NAME = {};
 Object.keys(HMAC_NAME_TO_ID).forEach(function (k) { HMAC_ID_TO_NAME[HMAC_NAME_TO_ID[k]] = k; });
 function _hmacHash(algId) {
@@ -747,7 +747,7 @@ var COSE_EC2_CRV = { 1: "P-256", 2: "P-384", 3: "P-521" };
 var COSE_EC2_CRV_ID = { "P-256": 1, "P-384": 2, "P-521": 3 };
 var COSE_KTY_OKP = 1;
 var COSE_KTY_EC2 = 2;
-var COSE_OKP_ED25519 = 6;                                                    // allow:raw-byte-literal — COSE OKP Ed25519 crv id (RFC 9053)
+var COSE_OKP_ED25519 = 6;                                                    // COSE OKP Ed25519 crv id (RFC 9053)
 // COSE_Key common-parameter labels (RFC 9052 §7.1): 1=kty, 2=kid, 3=alg.
 var COSE_KEY_LABEL_KTY = 1;
 var COSE_KEY_LABEL_KID = 2;

package/lib/cra-report.js

@@ -113,7 +113,7 @@ function create(opts) {
         body:          Buffer.from(JSON.stringify(payload), "utf8"),
         responseMode:  "always-resolve",
       });
-      var ok = res.statusCode >= 200 && res.statusCode < 300;                        // allow:raw-byte-literal — HTTP status range
+      var ok = res.statusCode >= 200 && res.statusCode < 300;                        // HTTP status range
       _emitAudit("submitted", ok ? "success" : "failure", {
         statusCode: res.statusCode, productId: productId,
       });

package/lib/crdt.js

@@ -47,7 +47,7 @@ var CrdtError = defineClass("CrdtError", { alwaysPermanent: true });
 
 function _replicaId(opts) {
   var id = opts && opts.replicaId;
-  if (id == null) return bCrypto.generateToken(8);   // allow:raw-byte-literal — random replica-id token length
+  if (id == null) return bCrypto.generateToken(8);   // random replica-id token length
   if (typeof id !== "string" || id.length === 0) throw new CrdtError("crdt/bad-replica-id", "crdt: replicaId must be a non-empty string");
   return id;
 }

package/lib/crypto-field.js

@@ -841,9 +841,9 @@ function declarePerRowKey(table, opts) {
     throw new Error("declarePerRowKey: table must be a non-empty string");
   }
   opts = opts || {};
-  var keySize = opts.keySize === undefined ? 32 : opts.keySize; // allow:raw-byte-literal — XChaCha20-Poly1305 key length in bytes
+  var keySize = opts.keySize === undefined ? 32 : opts.keySize; // XChaCha20-Poly1305 key length in bytes
   if (typeof keySize !== "number" || !isFinite(keySize) ||
-      keySize < 16 || Math.floor(keySize) !== keySize) { // allow:raw-byte-literal — minimum AES-128 key length in bytes
+      keySize < 16 || Math.floor(keySize) !== keySize) { // minimum AES-128 key length in bytes
     throw new Error("declarePerRowKey: opts.keySize must be an integer >= 16 (bytes)");
   }
   var info = opts.info || ("blamejs-per-row-key:" + table);

package/lib/crypto-xwing.js

@@ -47,15 +47,15 @@ var XWING_LABEL = Buffer.from("5c2e2f2f5e5c", "hex");
 
 // Component + composite sizes (bytes), fixed by the draft — protocol wire
 // widths, not buffer-capacity tunables.
-var ML_KEM_PK = 1184;                  // allow:raw-byte-literal — ML-KEM-768 public key
-var ML_KEM_CT = 1088;                  // allow:raw-byte-literal — ML-KEM-768 ciphertext
-var X25519_LEN = 32;                   // allow:raw-byte-literal — X25519 key/share length
-var SEED_LEN = 32;                     // allow:raw-byte-literal — X-Wing seed length
-var SS_LEN = 32;                       // allow:raw-byte-literal — shared-secret length
+var ML_KEM_PK = 1184;                  // ML-KEM-768 public key
+var ML_KEM_CT = 1088;                  // ML-KEM-768 ciphertext
+var X25519_LEN = 32;                   // X25519 key/share length
+var SEED_LEN = 32;                     // X-Wing seed length
+var SS_LEN = 32;                       // shared-secret length
 var PK_LEN = ML_KEM_PK + X25519_LEN;   // 1216
 var CT_LEN = ML_KEM_CT + X25519_LEN;   // 1120
-var MLKEM_SEED = 64;                   // allow:raw-byte-literal — d ‖ z for ML-KEM KeyGen_internal
-var EXPAND_LEN = 96;                   // allow:raw-byte-literal — SHAKE256(seed) → d ‖ z ‖ sk_X
+var MLKEM_SEED = 64;                   // d ‖ z for ML-KEM KeyGen_internal
+var EXPAND_LEN = 96;                   // SHAKE256(seed) → d ‖ z ‖ sk_X
 
 // X25519 raw-scalar helpers via fixed PKCS8 / SPKI DER prefixes (OID
 // 1.3.101.110). Node clamps the scalar per RFC 7748 on use, matching X-Wing.

package/lib/crypto.js

@@ -319,9 +319,9 @@ function hashFilesParallel(filePaths, opts) {
   }
   var concurrency = opts.concurrency !== undefined
     ? opts.concurrency
-    : Math.min(8, Math.max(1, filePaths.length));                                                  // allow:raw-byte-literal — worker fan-out cap, not bytes
+    : Math.min(8, Math.max(1, filePaths.length));                                                  // worker fan-out cap, not bytes
   if (typeof concurrency !== "number" || !isFinite(concurrency) ||
-      concurrency < 1 || concurrency > 256 ||                                                       // allow:raw-byte-literal — concurrency upper cap
+      concurrency < 1 || concurrency > 256 ||                                                       // concurrency upper cap
       Math.floor(concurrency) !== concurrency) {
     return Promise.reject(new TypeError(
       "crypto.hashFilesParallel: opts.concurrency must be an integer in [1, 256], got " + concurrency
@@ -830,7 +830,7 @@ function fromBase64Url(s, opts) {
     // `/=+$/` CodeQL flags, where `=+` can backtrack on long input
     // ending in many `=`. Walking from end is O(n) worst-case.
     var trimEnd = s.length;
-    while (trimEnd > 0 && s.charCodeAt(trimEnd - 1) === 0x3D) trimEnd -= 1;          // allow:raw-byte-literal — '=' codepoint
+    while (trimEnd > 0 && s.charCodeAt(trimEnd - 1) === 0x3D) trimEnd -= 1;          // '=' codepoint
     var unpadded = s.slice(0, trimEnd);
     if (!_BASE64URL_STRICT_RE.test(s)) {
       throw new TypeError(
@@ -838,7 +838,7 @@ function fromBase64Url(s, opts) {
         "base64url alphabet (A-Z a-z 0-9 - _ =) — pass {strict:false} to allow non-canonical input"
       );
     }
-    if (unpadded.length % 4 === 1) {                                                                 // allow:raw-byte-literal — base64 group length, not bytes
+    if (unpadded.length % 4 === 1) {                                                                 // base64 group length, not bytes
       throw new TypeError(
         "crypto.fromBase64Url: input length %% 4 === 1 is not a valid base64url encoding " +
         "(every conforming encoder produces 0 / 2 / 3 remainder; got " + unpadded.length + " chars)"
@@ -1194,7 +1194,7 @@ function encryptMlkemOnly(plaintext, publicKeyPem) {
  */
 function decrypt(ciphertext, privateKeys, opts) {
   var packed = Buffer.from(ciphertext, "base64");
-  if (packed[0] === 0xE1) {                                                       // allow:raw-byte-literal — legacy envelope magic
+  if (packed[0] === 0xE1) {                                                       // legacy envelope magic
     if (!opts || !opts.allowLegacy) {
       throw new Error("Invalid envelope: legacy 0xE1 format predates the FixedInfo " +
         "KDF binding (NIST SP 800-56C r2 §4.1) — re-seal data under the current envelope, " +
@@ -1303,7 +1303,7 @@ function decryptEnvelope(packed, privateKeys, internalOpts) {
   // Re-derive the 4-byte envelope-header AAD from the bytes we just
   // dispatched on. A tampered header (algorithm-substitution attack)
   // surfaces here as a Poly1305 tag verification failure.
-  var headerAad = packed.subarray(0, 4);                                          // allow:raw-byte-literal — envelope-header byte slice
+  var headerAad = packed.subarray(0, 4);                                          // envelope-header byte slice
   var plainBuf = Buffer.from(
     xchacha20poly1305(symmetricKey, nonce, headerAad).decrypt(packed.subarray(pos))
   );

package/lib/csp.js

@@ -222,8 +222,8 @@ function build(directives, opts) {
  *     b.csp.build({ "script-src": ["'self'", "'nonce-" + req.cspNonce + "'"] }));
  */
 function nonce(byteLen) {
-  var n = typeof byteLen === "number" ? byteLen : 32;                                              // allow:raw-byte-literal — 256-bit nonce default
-  if (!isFinite(n) || n < 16 || n > 64) {                                                          // allow:raw-byte-literal — CSP3 §6.2.x nonce bounds
+  var n = typeof byteLen === "number" ? byteLen : 32;                                              // 256-bit nonce default
+  if (!isFinite(n) || n < 16 || n > 64) {                                                          // CSP3 §6.2.x nonce bounds
     throw new CspError("csp/bad-nonce-len",
       "csp.nonce: byteLen must be 16-64 (CSP3 §6.2 recommends ≥16 bytes)");
   }

package/lib/cwt.js

@@ -52,7 +52,7 @@ Object.keys(STD).forEach(function (k) { STD_BY_LABEL[STD[k]] = k; });
 var NUMERIC_DATE_CLAIMS = { exp: true, nbf: true, iat: true };
 
 // CWT CBOR tag (RFC 8392 §6) — 61, encoded as the 2-byte head 0xd8 0x3d.
-var CWT_TAG_PREFIX = Buffer.from([0xd8, 0x3d]);                                        // allow:raw-byte-literal — CBOR tag-61 head (0xd8=tag 1-byte arg, 0x3d=61)
+var CWT_TAG_PREFIX = Buffer.from([0xd8, 0x3d]);                                        // CBOR tag-61 head (0xd8=tag 1-byte arg, 0x3d=61)
 
 function _nowSec(opts) {
   var ms = (opts && typeof opts.now === "number") ? opts.now : Date.now();
@@ -62,10 +62,10 @@ function _nowSec(opts) {
 // Read a leading CBOR tag head (major type 6) in any of its encodings;
 // returns { tag, len } or null if the buffer doesn't start with a tag.
 function _readTagHead(buf) {
-  if (buf.length < 1 || (buf[0] >> 5) !== 6) return null;                               // allow:raw-byte-literal — CBOR major-type 6 (tag) shift
+  if (buf.length < 1 || (buf[0] >> 5) !== 6) return null;                               // CBOR major-type 6 (tag) shift
   var ai = buf[0] & 0x1f;
   if (ai < 24) return { tag: ai, len: 1 };
-  if (ai === 24) return buf.length >= 2 ? { tag: buf[1], len: 2 } : null;               // allow:raw-byte-literal — CBOR additional-info threshold (RFC 8949 §3), not a size
+  if (ai === 24) return buf.length >= 2 ? { tag: buf[1], len: 2 } : null;               // CBOR additional-info threshold (RFC 8949 §3), not a size
   if (ai === 25) return buf.length >= 3 ? { tag: buf.readUInt16BE(1), len: 3 } : null;
   if (ai === 26) return buf.length >= 5 ? { tag: buf.readUInt32BE(1), len: 5 } : null;
   if (ai === 27) return buf.length >= 9 ? { tag: Number(buf.readBigUInt64BE(1)), len: 9 } : null;
@@ -178,7 +178,7 @@ async function verify(cwt, opts) {
   // an external CBOR encoder may emit a non-minimal but valid tag 61.
   var coseBytes = Buffer.from(cwt);
   var head = _readTagHead(coseBytes);
-  if (head && head.tag === 61) coseBytes = coseBytes.subarray(head.len);                // allow:raw-byte-literal — CWT CBOR tag number (RFC 8392 §6)
+  if (head && head.tag === 61) coseBytes = coseBytes.subarray(head.len);                // CWT CBOR tag number (RFC 8392 §6)
 
   var verified = await cose.verify(coseBytes, {
     algorithms: opts.algorithms, publicKey: opts.publicKey,

package/lib/dark-patterns.js

@@ -28,8 +28,8 @@
 var audit = require("./audit");
 var { defineClass } = require("./framework-error");
 
-var STR_LEN_MAX     = 256;                                                                  // allow:raw-byte-literal — string-length cap, not bytes
-var FONT_WEIGHT_MAX = 1000;                                                                 // allow:raw-byte-literal — CSS font-weight ceiling (CSS Fonts L4)
+var STR_LEN_MAX     = 256;                                                                  // string-length cap, not bytes
+var FONT_WEIGHT_MAX = 1000;                                                                 // CSS font-weight ceiling (CSS Fonts L4)
 var DarkPatternsError = defineClass("DarkPatternsError", { alwaysPermanent: true });
 
 var CHANNELS = ["web", "mobile", "phone", "email", "in-person", "mail"];

package/lib/data-act.js

@@ -298,8 +298,8 @@ function recordSwitchRequest(opts) {
     throw new DataActError("dataact/no-data-slices",
       "recordSwitchRequest: dataSlices must be a non-empty array");
   }
-  var noticePeriod = typeof opts.noticePeriodDays === "number" ? opts.noticePeriodDays : 30;     // allow:raw-byte-literal — Art 28 §3 30-day cap
-  if (noticePeriod > 30) {                                                                       // allow:raw-byte-literal — Art 28 §3 30-day cap
+  var noticePeriod = typeof opts.noticePeriodDays === "number" ? opts.noticePeriodDays : 30;     // Art 28 §3 30-day cap
+  if (noticePeriod > 30) {                                                                       // Art 28 §3 30-day cap
     throw new DataActError("dataact/notice-period-too-long",
       "recordSwitchRequest: noticePeriodDays " + noticePeriod + " exceeds Art 28 §3 cap of 30 days");
   }

package/lib/db-file-lifecycle.js

@@ -74,8 +74,8 @@ var emit = validateOpts.makeNamespacedEmitters("db.fileLifecycle", { audit: audi
 var DbFileLifecycleError = defineClass("DbFileLifecycleError", { alwaysPermanent: true });
 
 var DEFAULT_FLUSH_INTERVAL_MS = C.TIME.minutes(5);
-var DB_ENC_KEY_BYTES = 32;                                                                       // allow:raw-byte-literal — 256-bit symmetric key
-var TMP_NAME_BYTES   = 16;                                                                       // allow:raw-byte-literal — random suffix
+var DB_ENC_KEY_BYTES = 32;                                                                       // 256-bit symmetric key
+var TMP_NAME_BYTES   = 16;                                                                       // random suffix
 
 var _emitAudit  = emit.audit;
 var _emitMetric = emit.metric;
@@ -212,7 +212,7 @@ function fileLifecycle(opts) {
       generateToken(TMP_NAME_BYTES) + ".db");
     if (nodeFs.existsSync(encPath)) {
       var packed = nodeFs.readFileSync(encPath);
-      if (packed.length < 26) {                                                                  // allow:raw-byte-literal — minimum envelope length
+      if (packed.length < 26) {                                                                  // minimum envelope length
         throw new DbFileLifecycleError("db-file-lifecycle/short-envelope",
           "fileLifecycle: " + encPath + " too short to be a valid envelope (" + packed.length + " bytes)");
       }
@@ -279,7 +279,7 @@ function fileLifecycle(opts) {
         "fileLifecycle.startFlushTimer: timer already running — call stop() first");
     }
     var interval = sopts.intervalMs || flushIntervalMs;
-    encTimer = setInterval(function () {                                                          // allow:setinterval-unref — .unref() called immediately below; timer doesn't pin the event loop
+    encTimer = setInterval(function () {                                                          // allow:timer-no-unref — .unref() called immediately below; timer doesn't pin the event loop
       try { flushNow(db); }
       catch (e) {
         _emitAudit("flush_failed", "failure", {

package/lib/db-query.js

@@ -629,7 +629,7 @@ class Query {
     opts = opts || {};
     var limit = opts.limit === undefined ? 25 : opts.limit;
     var offset = opts.offset === undefined ? 0 : opts.offset;
-    if (!Number.isInteger(limit) || limit <= 0 || limit > 1000) {                          // allow:raw-byte-literal — paginate page-size cap, not bytes
+    if (!Number.isInteger(limit) || limit <= 0 || limit > 1000) {                          // paginate page-size cap, not bytes
       throw new Error("paginate: limit must be a positive integer ≤ 1000 (default 25)");
     }
     if (!Number.isInteger(offset) || offset < 0) {

package/lib/db.js

@@ -158,7 +158,7 @@ var tableMetadata = {};     // table name → metadata snapshot (PK/FK/sealed/de
 // generous-but-bounded 1M rows so an accidentally-unbounded export
 // surfaces a thrown error instead of OOM. v0.7.67's maxRowsPerQuery
 // bounds .all() / .first() — this is its streaming counterpart.
-var streamLimit = C.BYTES.bytes(1000000);                                                              // allow:raw-byte-literal — row-count ceiling, not bytes
+var streamLimit = C.BYTES.bytes(1000000);                                                              // row-count ceiling, not bytes
 
 // ---- Framework-baked tables ----
 //
@@ -1501,7 +1501,7 @@ function from(tableName) {
 // the same SQL string returns the cached Statement (the canonical
 // node:sqlite-style win); previously this was ad-hoc and operators
 // re-preparing in a hot path leaked fds.
-var PREPARE_CACHE_MAX = 256;                                                       // allow:raw-byte-literal — distinct-statement cache cap
+var PREPARE_CACHE_MAX = 256;                                                       // distinct-statement cache cap
 var _prepareCache = new Map();                                                     // sql → Statement (insertion order = LRU)
 
 /**
@@ -1688,7 +1688,7 @@ function _reportSlowSqlite(durationMs, statement) {
           backend:        "sqlite",
           bucket:         bucket.label,
           statementClass: _classifyStatementLocal(statement),
-          "db.statement": String(statement || "").slice(0, 256),                                       // allow:raw-byte-literal — log-truncation length, not bytes
+          "db.statement": String(statement || "").slice(0, 256),                                       // log-truncation length, not bytes
         });
       } catch (_e) { /* hot-path observability sink — drop-silent by design */ }
       return;
@@ -1717,7 +1717,7 @@ function execRaw(sql) {
           // OTel can correlate without an adapter.
           "db.system":     "sqlite",
           "db.operation":  String(sql).match(DDL_RE)[1].toUpperCase(),
-          "db.statement":  String(sql).slice(0, 256),                                          // allow:raw-byte-literal — log-truncation length, not bytes
+          "db.statement":  String(sql).slice(0, 256),                                          // log-truncation length, not bytes
           durationMs:      durationMs,
         },
       });
@@ -1734,7 +1734,7 @@ function execRaw(sql) {
         metadata: {
           "db.system":     "sqlite",
           "db.operation":  String(sql).match(DDL_RE)[1].toUpperCase(),
-          "db.statement":  String(sql).slice(0, 256),                                          // allow:raw-byte-literal — log-truncation length, not bytes
+          "db.statement":  String(sql).slice(0, 256),                                          // log-truncation length, not bytes
           durationMs:      failureMs,
         },
       });
@@ -2684,7 +2684,7 @@ function vacuumAfterErase(opts) {
   } else {
     require("./numeric-bounds").requirePositiveFiniteIntIfPresent(
       opts.pages, "pages", DbError, "db/bad-vacuum-pages");
-    var pages = (opts.pages == null) ? 1000                                       // allow:raw-byte-literal — incremental_vacuum default page count
+    var pages = (opts.pages == null) ? 1000                                       // incremental_vacuum default page count
       : Math.floor(opts.pages);
     sqlStmt = "PRAGMA incremental_vacuum(" + pages + ");";
   }

package/lib/dbsc.js

@@ -69,14 +69,14 @@ var DEFAULT_CHALLENGE_TTL_MS = C.TIME.minutes(5);
 function challenge(opts) {
   opts = validateOpts.requireObject(opts, "dbsc.challenge", DbscError, "dbsc/bad-opts");
   validateOpts(opts, ["secretKey", "ttlMs", "nonce"], "dbsc.challenge");
-  if (!Buffer.isBuffer(opts.secretKey) || opts.secretKey.length < 32) {                               // allow:raw-byte-literal — 32-byte HMAC secret floor
+  if (!Buffer.isBuffer(opts.secretKey) || opts.secretKey.length < 32) {                               // 32-byte HMAC secret floor
     throw new DbscError("dbsc/bad-secret",
       "challenge: opts.secretKey must be a Buffer (>= 32 bytes)");
   }
   validateOpts.optionalPositiveFinite(opts.ttlMs, "dbsc.challenge: ttlMs",
     DbscError, "dbsc/bad-ttl");
   var ttlMs     = opts.ttlMs || DEFAULT_CHALLENGE_TTL_MS;
-  var nonceBuf  = opts.nonce ? Buffer.from(String(opts.nonce), "utf8") : bCrypto.generateBytes(32);   // allow:raw-byte-literal — 32-byte nonce
+  var nonceBuf  = opts.nonce ? Buffer.from(String(opts.nonce), "utf8") : bCrypto.generateBytes(32);   // 32-byte nonce
   var expiresAt = Date.now() + ttlMs;
   var msg = nonceBuf.toString("base64") + "." + expiresAt;
   var mac = nodeCrypto.createHmac("sha3-512", opts.secretKey).update(msg).digest("base64");
@@ -110,7 +110,7 @@ function verifyChallenge(challengeStr, opts) {
     throw new DbscError("dbsc/bad-challenge",
       "verifyChallenge: challenge must be a string");
   }
-  if (!Buffer.isBuffer(opts.secretKey) || opts.secretKey.length < 32) {                               // allow:raw-byte-literal — 32-byte HMAC secret floor
+  if (!Buffer.isBuffer(opts.secretKey) || opts.secretKey.length < 32) {                               // 32-byte HMAC secret floor
     throw new DbscError("dbsc/bad-secret",
       "verifyChallenge: opts.secretKey must be a Buffer (>= 32 bytes)");
   }
@@ -209,7 +209,7 @@ function verifyBindingAssertion(assertion, opts) {
   var ok;
   if (headerJson.alg === "ES256") {
     // JWT raw r||s → DER for nodeCrypto.verify.
-    if (sigBytes.length !== 64) {                                                                     // allow:raw-byte-literal — P-256 r||s shape
+    if (sigBytes.length !== 64) {                                                                     // P-256 r||s shape
       throw new DbscError("dbsc/bad-sig", "ES256 signature must be 64 bytes raw");
     }
     var derSig = _ecdsaRawToDer(sigBytes);
@@ -237,8 +237,8 @@ function verifyBindingAssertion(assertion, opts) {
       "or 'challenge' (server-nonce-bound); without freshness material the " +
       "assertion replays indefinitely");
   }
-  var maxAge = (opts.maxAgeSec || 300) * 1000;                                                        // allow:raw-byte-literal allow:raw-time-literal — 5min default
-  if (typeof payloadJson.iat === "number" && Date.now() - payloadJson.iat * 1000 > maxAge) {          // allow:raw-byte-literal allow:raw-time-literal — sec→ms
+  var maxAge = (opts.maxAgeSec || 300) * 1000;                                                        // allow:raw-time-literal — 5min default
+  if (typeof payloadJson.iat === "number" && Date.now() - payloadJson.iat * 1000 > maxAge) {          // allow:raw-time-literal — sec→ms
     throw new DbscError("dbsc/stale",
       "verifyBindingAssertion: iat is more than " + opts.maxAgeSec + "s old");
   }
@@ -252,23 +252,23 @@ function verifyBindingAssertion(assertion, opts) {
 }
 
 function _ecdsaRawToDer(raw) {
-  if (raw.length !== 64) throw new DbscError("dbsc/bad-sig", "raw r||s must be 64 bytes");            // allow:raw-byte-literal — P-256 r||s shape
-  var r = _trimLeadingZeros(raw.slice(0, 32));                                                        // allow:raw-byte-literal — 32-byte r
-  var s = _trimLeadingZeros(raw.slice(32));                                                           // allow:raw-byte-literal — 32-byte s offset
+  if (raw.length !== 64) throw new DbscError("dbsc/bad-sig", "raw r||s must be 64 bytes");            // P-256 r||s shape
+  var r = _trimLeadingZeros(raw.slice(0, 32));                                                        // 32-byte r
+  var s = _trimLeadingZeros(raw.slice(32));                                                           // 32-byte s offset
   function _intDer(buf) {
     // Prepend 0x00 if high bit set (positive INTEGER per DER).
-    if (buf[0] & 0x80) buf = Buffer.concat([Buffer.from([0x00]), buf]);                               // allow:raw-byte-literal — DER sign-bit pad
-    return Buffer.concat([Buffer.from([0x02, buf.length]), buf]);                                      // allow:raw-byte-literal — ASN.1 INTEGER tag
+    if (buf[0] & 0x80) buf = Buffer.concat([Buffer.from([0x00]), buf]);                               // DER sign-bit pad
+    return Buffer.concat([Buffer.from([0x02, buf.length]), buf]);                                      // ASN.1 INTEGER tag
   }
   var rDer = _intDer(r);
   var sDer = _intDer(s);
   var seqBody = Buffer.concat([rDer, sDer]);
-  return Buffer.concat([Buffer.from([0x30, seqBody.length]), seqBody]);                               // allow:raw-byte-literal — ASN.1 SEQUENCE tag
+  return Buffer.concat([Buffer.from([0x30, seqBody.length]), seqBody]);                               // ASN.1 SEQUENCE tag
 }
 
 function _trimLeadingZeros(buf) {
   var i = 0;
-  while (i < buf.length - 1 && buf[i] === 0x00) i += 1;                                                // allow:raw-byte-literal — leading zero byte
+  while (i < buf.length - 1 && buf[i] === 0x00) i += 1;                                                // leading zero byte
   return buf.slice(i);
 }
 

package/lib/did.js

@@ -58,15 +58,15 @@ var B58_MAP = (function () {
   for (var i = 0; i < B58_ALPHABET.length; i += 1) m[B58_ALPHABET[i]] = i;
   return m;
 })();
-var MAX_MULTIBASE_CHARS = 1024;                        // allow:raw-byte-literal — bounded did:key multibase length (DoS cap)
-var MAX_JWK_B64_CHARS = 8192;                          // allow:raw-byte-literal — bounded did:jwk encoded-JWK length (DoS cap)
+var MAX_MULTIBASE_CHARS = 1024;                        // bounded did:key multibase length (DoS cap)
+var MAX_JWK_B64_CHARS = 8192;                          // bounded did:jwk encoded-JWK length (DoS cap)
 
 // multicodec public-key codes (unsigned-varint) → curve descriptor.
 // keyLen is the multicodec payload: Ed25519 raw 32; EC compressed point.
 var MULTICODEC = {
   0xed:   { name: "Ed25519",   kind: "okp" },                                    // ed25519-pub
-  0x1200: { name: "P-256",     kind: "ec", curveOid: "1.2.840.10045.3.1.7" },    // allow:raw-byte-literal allow:raw-time-literal — p256-pub multicodec code + OID dotted-form
-  0x1201: { name: "P-384",     kind: "ec", curveOid: "1.3.132.0.34" },           // allow:raw-byte-literal — p384-pub multicodec code
+  0x1200: { name: "P-256",     kind: "ec", curveOid: "1.2.840.10045.3.1.7" },    // allow:raw-time-literal — p256-pub multicodec code + OID dotted-form
+  0x1201: { name: "P-384",     kind: "ec", curveOid: "1.3.132.0.34" },           // p384-pub multicodec code
   0xe7:   { name: "secp256k1", kind: "ec", curveOid: "1.3.132.0.10" },           // secp256k1-pub
 };
 var NAME_TO_CODE = {};
@@ -86,9 +86,9 @@ function _b58decode(str) {
     for (var j = 0; j < bytes.length; j += 1) {
       carry += bytes[j] * 58;
       bytes[j] = carry & 0xff;
-      carry >>= 8;                                     // allow:raw-byte-literal — base-256 carry
+      carry >>= 8;                                     // base-256 carry
     }
-    while (carry > 0) { bytes.push(carry & 0xff); carry >>= 8; }   // allow:raw-byte-literal — base-256 carry
+    while (carry > 0) { bytes.push(carry & 0xff); carry >>= 8; }   // base-256 carry
   }
   // Leading '1's are leading zero bytes.
   for (var k = 0; k < str.length && str[k] === "1"; k += 1) bytes.push(0);
@@ -100,7 +100,7 @@ function _b58encode(buf) {
   for (var i = 0; i < buf.length; i += 1) {
     var carry = buf[i];
     for (var j = 0; j < digits.length; j += 1) {
-      carry += digits[j] << 8;                         // allow:raw-byte-literal — base-256 shift
+      carry += digits[j] << 8;                         // base-256 shift
       digits[j] = carry % 58;
       carry = (carry / 58) | 0;
     }
@@ -115,19 +115,19 @@ function _b58encode(buf) {
 // Read an unsigned LEB128 varint (multicodec code). Bounded to 4 bytes.
 function _readVarint(buf) {
   var value = 0, shift = 0, len = 0;
-  for (var i = 0; i < buf.length && i < 4; i += 1) {   // allow:raw-byte-literal — multicodec varint ≤ 4 bytes
+  for (var i = 0; i < buf.length && i < 4; i += 1) {   // multicodec varint ≤ 4 bytes
     var b = buf[i];
     value |= (b & 0x7f) << shift;
     len += 1;
     if ((b & 0x80) === 0) return { value: value >>> 0, length: len };
-    shift += 7;                                        // allow:raw-byte-literal — 7 bits per varint byte
+    shift += 7;                                        // 7 bits per varint byte
   }
   throw new DidError("did/bad-multicodec", "did: multicodec varint did not terminate");
 }
 function _encodeVarint(code) {
   var out = [];
   var n = code;
-  do { var b = n & 0x7f; n >>>= 7; if (n > 0) b |= 0x80; out.push(b); } while (n > 0);   // allow:raw-byte-literal — LEB128 7-bit groups
+  do { var b = n & 0x7f; n >>>= 7; if (n > 0) b |= 0x80; out.push(b); } while (n > 0);   // LEB128 7-bit groups
   return Buffer.from(out);
 }
 
@@ -137,9 +137,9 @@ var ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");   // R
 
 function _keyObjectFromMulticodec(code, keyBytes) {
   var desc = MULTICODEC[code];
-  if (!desc) throw new DidError("did/unsupported-key", "did: unsupported multicodec key code 0x" + code.toString(16));   // allow:raw-byte-literal — hex radix
+  if (!desc) throw new DidError("did/unsupported-key", "did: unsupported multicodec key code 0x" + code.toString(16));   // hex radix
   if (desc.kind === "okp") {
-    if (keyBytes.length !== 32) {                      // allow:raw-byte-literal — Ed25519 public key is 32 bytes
+    if (keyBytes.length !== 32) {                      // Ed25519 public key is 32 bytes
       throw new DidError("did/bad-key", "did: Ed25519 key must be 32 bytes (got " + keyBytes.length + ")");
     }
     return nodeCrypto.createPublicKey({ key: Buffer.concat([ED25519_SPKI_PREFIX, keyBytes]), format: "der", type: "spki" });
@@ -152,25 +152,25 @@ function _keyObjectFromMulticodec(code, keyBytes) {
   var algid = _ecAlgId(desc.curveOid);
   var bitstr = Buffer.concat([Buffer.from([0x03, keyBytes.length + 1, 0x00]), keyBytes]);
   var body = Buffer.concat([algid, bitstr]);
-  var spki = Buffer.concat([Buffer.from([0x30, body.length]), body]);      // allow:raw-byte-literal — SEQUENCE tag; single-byte DER length holds for these curves
+  var spki = Buffer.concat([Buffer.from([0x30, body.length]), body]);      // SEQUENCE tag; single-byte DER length holds for these curves
   try { return nodeCrypto.createPublicKey({ key: spki, format: "der", type: "spki" }); }
   catch (e) { throw new DidError("did/bad-key", "did: could not import EC key: " + ((e && e.message) || e)); }
 }
 
 // AlgorithmIdentifier SEQUENCE { id-ecPublicKey, namedCurve OID }.
 function _ecAlgId(curveOid) {
-  var idEcPublicKey = Buffer.from("06072a8648ce3d0201", "hex");            // allow:raw-byte-literal allow:raw-time-literal — DER OID for id-ecPublicKey
+  var idEcPublicKey = Buffer.from("06072a8648ce3d0201", "hex");            // allow:raw-time-literal — DER OID for id-ecPublicKey
   var curve = _oidDer(curveOid);
   var inner = Buffer.concat([idEcPublicKey, curve]);
   return Buffer.concat([Buffer.from([0x30, inner.length]), inner]);
 }
 function _oidDer(dotted) {
   var parts = dotted.split(".").map(Number);
-  var bytes = [parts[0] * 40 + parts[1]];                                  // allow:raw-byte-literal — X.690 first-arc encoding
+  var bytes = [parts[0] * 40 + parts[1]];                                  // X.690 first-arc encoding
   for (var i = 2; i < parts.length; i += 1) {
     var arc = parts[i], stack = [];
-    do { stack.unshift(arc & 0x7f); arc >>>= 7; } while (arc > 0);        // allow:raw-byte-literal — base-128 OID arc
-    for (var j = 0; j < stack.length - 1; j += 1) stack[j] |= 0x80;       // allow:raw-byte-literal — continuation bit
+    do { stack.unshift(arc & 0x7f); arc >>>= 7; } while (arc > 0);        // base-128 OID arc
+    for (var j = 0; j < stack.length - 1; j += 1) stack[j] |= 0x80;       // continuation bit
     bytes = bytes.concat(stack);
   }
   return Buffer.concat([Buffer.from([0x06, bytes.length]), Buffer.from(bytes)]);

package/lib/dora.js

@@ -46,9 +46,9 @@ var observability = lazyRequire(function () { return require("./observability");
 //   - Critical-process disruption >= 8h
 //   - Reputational impact (media coverage)
 var MAJOR_INCIDENT_THRESHOLDS = Object.freeze({
-  affectedClientsAbsolute:      100000,                                          // allow:raw-byte-literal — RTS 2024/1772 Art. 1(1)(a) regulator-fixed cap (100k clients)
+  affectedClientsAbsolute:      100000,                                          // RTS 2024/1772 Art. 1(1)(a) regulator-fixed cap (100k clients)
   affectedClientsPercentile:    0.10,                                            // RTS Art. 1(1)(a) — 10% client base
-  economicImpactEur:            100000,                                          // allow:raw-byte-literal — RTS 2024/1772 Art. 1(1)(c) regulator-fixed cap (100k EUR)
+  economicImpactEur:            100000,                                          // RTS 2024/1772 Art. 1(1)(c) regulator-fixed cap (100k EUR)
   geographicMemberStates:       2,                                               // RTS Art. 1(1)(d) — 2+ member states
   durationCriticalProcessMs:    C.TIME.hours(8),                                 // RTS Art. 1(1)(e) — 8h
 });
@@ -56,9 +56,9 @@ var MAJOR_INCIDENT_THRESHOLDS = Object.freeze({
 // Article 8 — significant incident (one threshold below major).
 // Default threshold values per ESA guidelines.
 var SIGNIFICANT_INCIDENT_THRESHOLDS = Object.freeze({
-  affectedClientsAbsolute:      10000,                                           // allow:raw-byte-literal — ESA-guideline regulator-fixed cap (10k clients)
+  affectedClientsAbsolute:      10000,                                           // ESA-guideline regulator-fixed cap (10k clients)
   affectedClientsPercentile:    0.01,                                            // 1% client base
-  economicImpactEur:            10000,                                           // allow:raw-byte-literal — ESA-guideline regulator-fixed cap (10k EUR)
+  economicImpactEur:            10000,                                           // ESA-guideline regulator-fixed cap (10k EUR)
   durationCriticalProcessMs:    C.TIME.hours(2),                                 // 2h
 });
 

package/lib/dsr.js

@@ -368,7 +368,7 @@ function create(opts) {
   }
 
   function _newTicketId() {
-    var ts = String(Date.now()).slice(-7);                                         // allow:raw-byte-literal — last 7 chars of unix-ms timestamp; collision-resistant when paired with the random suffix
+    var ts = String(Date.now()).slice(-7);                                         // last 7 chars of unix-ms timestamp; collision-resistant when paired with the random suffix
     var rnd = bCrypto.generateBytes(C.BYTES.bytes(6)).toString("hex").toUpperCase();
     return "DSR-" + ts + "-" + rnd;
   }

package/lib/early-hints.js

@@ -67,7 +67,7 @@ var REFUSED_HEADERS = Object.freeze([
 ]);
 
 var LINK_RELATION_RE = /^(preload|preconnect|prefetch|dns-prefetch|modulepreload|prerender|next|prev)$/i;
-var LINK_MAX_BYTES = 4096;                                                                         // allow:raw-byte-literal — per-link length cap, not bytes
+var LINK_MAX_BYTES = 4096;                                                                         // per-link length cap, not bytes
 
 /**
  * @primitive b.earlyHints.send
@@ -194,7 +194,7 @@ function _validateLink(linkValue, idx) {
     throw new EarlyHintsError("early-hints/bad-link",
       "link[" + idx + "] missing rel= parameter (RFC 8288)");
   }
-  if (relMatch[1].length > 32 || !LINK_RELATION_RE.test(relMatch[1])) {                            // allow:raw-byte-literal — rel-token length cap, not bytes
+  if (relMatch[1].length > 32 || !LINK_RELATION_RE.test(relMatch[1])) {                            // rel-token length cap, not bytes
     throw new EarlyHintsError("early-hints/bad-link",
       "link[" + idx + "].rel '" + relMatch[1] + "' must be one of: " +
       "preload, preconnect, prefetch, dns-prefetch, modulepreload, prerender, next, prev");

package/lib/eat.js

@@ -54,10 +54,10 @@ var { defineClass } = require("./framework-error");
 var EatError = defineClass("EatError", { alwaysPermanent: true });
 
 // RFC 9711 / IANA CWT Claims registry claim keys.
-var EAT = {                                                                            // allow:raw-byte-literal — RFC 9711 / IANA CWT claim-key labels, not byte sizes
-  nonce: 10, ueid: 256, sueids: 257, oemid: 258, hwmodel: 259, hwversion: 260,         // allow:raw-byte-literal — CWT claim keys
-  uptime: 261, oemboot: 262, dbgstat: 263, location: 264, eat_profile: 265,            // allow:raw-byte-literal — CWT claim keys
-  submods: 266, swname: 270, swversion: 271, manifests: 272, measurements: 273,        // allow:raw-byte-literal — CWT claim keys
+var EAT = {                                                                            // RFC 9711 / IANA CWT claim-key labels, not byte sizes
+  nonce: 10, ueid: 256, sueids: 257, oemid: 258, hwmodel: 259, hwversion: 260,         // CWT claim keys
+  uptime: 261, oemboot: 262, dbgstat: 263, location: 264, eat_profile: 265,            // CWT claim keys
+  submods: 266, swname: 270, swversion: 271, manifests: 272, measurements: 273,        // CWT claim keys
 };
 var EAT_BY_LABEL = {};
 Object.keys(EAT).forEach(function (k) { EAT_BY_LABEL[EAT[k]] = k; });