@blamejs/core 0.14.0 → 0.14.2

Files changed (277)
  1. package/CHANGELOG.md +4 -0
  2. package/lib/_test/crypto-fixtures.js +3 -3
  3. package/lib/a2a-tasks.js +18 -18
  4. package/lib/a2a.js +4 -4
  5. package/lib/acme.js +3 -3
  6. package/lib/agent-idempotency.js +1 -1
  7. package/lib/agent-orchestrator.js +8 -8
  8. package/lib/agent-posture-chain.js +2 -2
  9. package/lib/agent-saga.js +1 -1
  10. package/lib/agent-snapshot.js +1 -1
  11. package/lib/agent-stream.js +1 -1
  12. package/lib/agent-tenant.js +1 -1
  13. package/lib/agent-trace.js +3 -3
  14. package/lib/ai-capability.js +1 -1
  15. package/lib/ai-dp.js +4 -4
  16. package/lib/ai-input.js +3 -3
  17. package/lib/ai-model-manifest.js +7 -7
  18. package/lib/ai-pref.js +3 -3
  19. package/lib/archive-gz.js +2 -2
  20. package/lib/archive-read.js +25 -25
  21. package/lib/archive-tar-read.js +2 -2
  22. package/lib/archive-tar.js +20 -20
  23. package/lib/archive-wrap.js +10 -10
  24. package/lib/argon2-builtin.js +1 -1
  25. package/lib/asn1-der.js +45 -34
  26. package/lib/atomic-file.js +2 -2
  27. package/lib/audit-daily-review.js +3 -3
  28. package/lib/audit-sign.js +5 -5
  29. package/lib/audit-tools.js +1 -1
  30. package/lib/audit.js +2 -2
  31. package/lib/auth/acr-vocabulary.js +2 -2
  32. package/lib/auth/bot-challenge.js +3 -3
  33. package/lib/auth/ciba.js +7 -7
  34. package/lib/auth/dpop.js +3 -3
  35. package/lib/auth/fido-mds3.js +8 -8
  36. package/lib/auth/jar.js +11 -0
  37. package/lib/auth/jwt-external.js +5 -5
  38. package/lib/auth/oauth.js +7 -9
  39. package/lib/auth/oid4vci.js +10 -10
  40. package/lib/auth/oid4vp.js +2 -2
  41. package/lib/auth/openid-federation.js +2 -2
  42. package/lib/auth/passkey.js +3 -3
  43. package/lib/auth/saml.js +29 -25
  44. package/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  45. package/lib/auth/sd-jwt-vc.js +4 -4
  46. package/lib/auth/status-list.js +10 -10
  47. package/lib/auth/step-up.js +1 -1
  48. package/lib/auth-bot-challenge.js +1 -1
  49. package/lib/backup/index.js +7 -7
  50. package/lib/base32.js +8 -8
  51. package/lib/budr.js +2 -2
  52. package/lib/cache-status.js +2 -2
  53. package/lib/calendar.js +23 -23
  54. package/lib/cbor.js +12 -12
  55. package/lib/cdn-cache-control.js +1 -1
  56. package/lib/cert.js +5 -5
  57. package/lib/cloud-events.js +5 -5
  58. package/lib/cms-codec.js +21 -21
  59. package/lib/codepoint-class.js +12 -12
  60. package/lib/compliance-sanctions-fuzzy.js +4 -4
  61. package/lib/compliance-sanctions.js +4 -4
  62. package/lib/compliance.js +29 -29
  63. package/lib/content-credentials.js +36 -36
  64. package/lib/cookies.js +1 -1
  65. package/lib/cose.js +13 -13
  66. package/lib/cra-report.js +1 -1
  67. package/lib/crdt.js +1 -1
  68. package/lib/crypto-field.js +2 -2
  69. package/lib/crypto-xwing.js +7 -7
  70. package/lib/crypto.js +6 -6
  71. package/lib/csp.js +2 -2
  72. package/lib/cwt.js +4 -4
  73. package/lib/dark-patterns.js +2 -2
  74. package/lib/data-act.js +2 -2
  75. package/lib/db-file-lifecycle.js +4 -4
  76. package/lib/db-query.js +1 -1
  77. package/lib/db.js +6 -6
  78. package/lib/dbsc.js +13 -13
  79. package/lib/did.js +17 -17
  80. package/lib/dora.js +4 -4
  81. package/lib/dsr.js +1 -1
  82. package/lib/early-hints.js +2 -2
  83. package/lib/eat.js +4 -4
  84. package/lib/external-db-migrate.js +1 -1
  85. package/lib/external-db.js +1 -1
  86. package/lib/flag-cache.js +1 -1
  87. package/lib/flag-evaluation-context.js +2 -2
  88. package/lib/graphql-federation.js +4 -4
  89. package/lib/guard-agent-registry.js +5 -5
  90. package/lib/guard-archive.js +24 -24
  91. package/lib/guard-cidr.js +33 -33
  92. package/lib/guard-csv.js +1 -1
  93. package/lib/guard-domain.js +10 -10
  94. package/lib/guard-dsn.js +4 -4
  95. package/lib/guard-email.js +19 -19
  96. package/lib/guard-event-bus-payload.js +4 -4
  97. package/lib/guard-event-bus-topic.js +6 -6
  98. package/lib/guard-filename.js +7 -7
  99. package/lib/guard-graphql.js +9 -9
  100. package/lib/guard-html-wcag-tagwalk.js +1 -1
  101. package/lib/guard-html-wcag.js +4 -4
  102. package/lib/guard-html.js +7 -7
  103. package/lib/guard-idempotency-key.js +6 -6
  104. package/lib/guard-image.js +4 -4
  105. package/lib/guard-imap-command.js +17 -17
  106. package/lib/guard-jmap.js +20 -20
  107. package/lib/guard-json.js +12 -12
  108. package/lib/guard-jsonpath.js +3 -3
  109. package/lib/guard-jwt.js +4 -4
  110. package/lib/guard-list-id.js +7 -7
  111. package/lib/guard-list-unsubscribe.js +8 -8
  112. package/lib/guard-mail-compose.js +4 -4
  113. package/lib/guard-mail-move.js +5 -5
  114. package/lib/guard-mail-query.js +3 -3
  115. package/lib/guard-mail-reply.js +3 -3
  116. package/lib/guard-mail-sieve.js +6 -6
  117. package/lib/guard-managesieve-command.js +25 -25
  118. package/lib/guard-markdown.js +31 -31
  119. package/lib/guard-message-id.js +5 -5
  120. package/lib/guard-mime.js +1 -1
  121. package/lib/guard-oauth.js +3 -3
  122. package/lib/guard-pdf.js +6 -6
  123. package/lib/guard-pop3-command.js +11 -11
  124. package/lib/guard-posture-chain.js +5 -5
  125. package/lib/guard-regex.js +10 -10
  126. package/lib/guard-saga-config.js +5 -5
  127. package/lib/guard-smtp-command.js +6 -6
  128. package/lib/guard-snapshot-envelope.js +3 -3
  129. package/lib/guard-stream-args.js +4 -4
  130. package/lib/guard-svg.js +11 -11
  131. package/lib/guard-tenant-id.js +5 -5
  132. package/lib/guard-time.js +15 -15
  133. package/lib/guard-trace-context.js +4 -4
  134. package/lib/guard-uuid.js +11 -11
  135. package/lib/guard-xml.js +12 -12
  136. package/lib/guard-yaml.js +16 -16
  137. package/lib/honeytoken.js +5 -5
  138. package/lib/http-client.js +1 -1
  139. package/lib/http-message-signature.js +2 -2
  140. package/lib/iab-mspa.js +3 -3
  141. package/lib/iab-tcf.js +70 -70
  142. package/lib/inbox.js +4 -4
  143. package/lib/ip-utils.js +15 -15
  144. package/lib/jose-jwe-experimental.js +2 -2
  145. package/lib/json-path.js +3 -3
  146. package/lib/json-schema.js +1 -1
  147. package/lib/jsonapi.js +3 -3
  148. package/lib/jtd.js +2 -2
  149. package/lib/link-header.js +1 -1
  150. package/lib/local-db-thin.js +1 -1
  151. package/lib/log.js +1 -1
  152. package/lib/lro.js +4 -4
  153. package/lib/mail-agent.js +1 -1
  154. package/lib/mail-arc-sign.js +6 -6
  155. package/lib/mail-auth.js +43 -43
  156. package/lib/mail-bimi.js +3 -3
  157. package/lib/mail-crypto-pgp.js +53 -45
  158. package/lib/mail-crypto-smime.js +5 -5
  159. package/lib/mail-dav.js +1 -1
  160. package/lib/mail-deploy.js +39 -39
  161. package/lib/mail-dkim.js +11 -11
  162. package/lib/mail-greylist.js +12 -12
  163. package/lib/mail-helo.js +1 -1
  164. package/lib/mail-journal.js +8 -8
  165. package/lib/mail-rbl.js +7 -7
  166. package/lib/mail-scan.js +7 -7
  167. package/lib/mail-send-deliver.js +2 -2
  168. package/lib/mail-server-imap.js +12 -12
  169. package/lib/mail-server-jmap.js +16 -16
  170. package/lib/mail-server-managesieve.js +4 -4
  171. package/lib/mail-server-mx.js +17 -17
  172. package/lib/mail-server-pop3.js +4 -4
  173. package/lib/mail-server-rate-limit.js +2 -2
  174. package/lib/mail-server-submission.js +21 -21
  175. package/lib/mail-sieve.js +2 -2
  176. package/lib/mail-spam-score.js +5 -5
  177. package/lib/mail-srs.js +12 -12
  178. package/lib/mail-store-fts.js +2 -2
  179. package/lib/mail-store.js +8 -8
  180. package/lib/mail-unsubscribe.js +4 -4
  181. package/lib/mail.js +4 -4
  182. package/lib/mcp-tool-registry.js +4 -4
  183. package/lib/mcp.js +8 -8
  184. package/lib/mdoc.js +2 -2
  185. package/lib/metrics.js +8 -8
  186. package/lib/middleware/age-gate.js +1 -1
  187. package/lib/middleware/api-encrypt.js +7 -7
  188. package/lib/middleware/assetlinks.js +2 -2
  189. package/lib/middleware/asyncapi-serve.js +2 -2
  190. package/lib/middleware/bearer-auth.js +5 -5
  191. package/lib/middleware/body-parser.js +5 -5
  192. package/lib/middleware/compose-pipeline.js +15 -15
  193. package/lib/middleware/csp-report.js +4 -4
  194. package/lib/middleware/daily-byte-quota.js +1 -1
  195. package/lib/middleware/dpop.js +1 -1
  196. package/lib/middleware/headers.js +2 -2
  197. package/lib/middleware/host-allowlist.js +1 -1
  198. package/lib/middleware/idempotency-key.js +12 -12
  199. package/lib/middleware/nel.js +1 -1
  200. package/lib/middleware/openapi-serve.js +2 -2
  201. package/lib/middleware/protected-resource-metadata.js +2 -2
  202. package/lib/middleware/require-aal.js +1 -1
  203. package/lib/middleware/require-bound-key.js +2 -2
  204. package/lib/middleware/require-content-type.js +1 -1
  205. package/lib/middleware/require-methods.js +1 -1
  206. package/lib/middleware/require-step-up.js +2 -2
  207. package/lib/middleware/scim-server.js +1 -1
  208. package/lib/middleware/security-txt.js +3 -3
  209. package/lib/middleware/tus-upload.js +12 -12
  210. package/lib/middleware/web-app-manifest.js +2 -2
  211. package/lib/network-byte-quota.js +1 -1
  212. package/lib/network-dns-resolver.js +23 -23
  213. package/lib/network-dns.js +29 -29
  214. package/lib/network-dnssec.js +33 -33
  215. package/lib/network-smtp-policy.js +10 -10
  216. package/lib/network-tls.js +99 -94
  217. package/lib/network-tsig.js +33 -33
  218. package/lib/nis2-report.js +1 -1
  219. package/lib/ntp-check.js +3 -3
  220. package/lib/observability-otlp-exporter.js +17 -17
  221. package/lib/observability-tracer.js +6 -6
  222. package/lib/observability.js +8 -8
  223. package/lib/openapi-yaml.js +1 -1
  224. package/lib/openapi.js +1 -1
  225. package/lib/outbox.js +6 -6
  226. package/lib/pqc-agent.js +4 -4
  227. package/lib/pqc-software.js +1 -1
  228. package/lib/privacy-pass.js +5 -5
  229. package/lib/problem-details.js +5 -5
  230. package/lib/promise-pool.js +1 -1
  231. package/lib/protobuf-encoder.js +9 -1
  232. package/lib/queue.js +4 -2
  233. package/lib/redact.js +2 -2
  234. package/lib/request-helpers.js +1 -1
  235. package/lib/router.js +10 -10
  236. package/lib/safe-async.js +2 -2
  237. package/lib/safe-dns.js +71 -71
  238. package/lib/safe-ical.js +19 -19
  239. package/lib/safe-icap.js +24 -24
  240. package/lib/safe-jsonpath.js +2 -2
  241. package/lib/safe-mime.js +10 -10
  242. package/lib/safe-mount-info.js +3 -3
  243. package/lib/safe-redirect.js +1 -1
  244. package/lib/safe-sieve.js +23 -23
  245. package/lib/safe-smtp.js +1 -1
  246. package/lib/safe-vcard.js +14 -14
  247. package/lib/sandbox.js +5 -5
  248. package/lib/sec-cyber.js +1 -1
  249. package/lib/self-update-standalone-verifier.js +3 -3
  250. package/lib/self-update.js +3 -3
  251. package/lib/server-timing.js +3 -3
  252. package/lib/session-device-binding.js +7 -7
  253. package/lib/session.js +8 -8
  254. package/lib/standard-webhooks.js +4 -4
  255. package/lib/storage.js +2 -2
  256. package/lib/stream-throttle.js +1 -1
  257. package/lib/structured-fields.js +15 -15
  258. package/lib/subject.js +1 -1
  259. package/lib/tcpa-10dlc.js +1 -1
  260. package/lib/tenant-quota.js +3 -3
  261. package/lib/test-harness.js +1 -1
  262. package/lib/tracing.js +1 -1
  263. package/lib/tsa.js +5 -5
  264. package/lib/uri-template.js +5 -5
  265. package/lib/vault/index.js +2 -2
  266. package/lib/vault/seal-pem-file.js +4 -4
  267. package/lib/vc.js +2 -2
  268. package/lib/vendor-data.js +1 -1
  269. package/lib/watcher.js +4 -4
  270. package/lib/web-push-vapid.js +21 -21
  271. package/lib/webhook.js +2 -2
  272. package/lib/websocket.js +3 -3
  273. package/lib/worker-pool.js +3 -3
  274. package/lib/ws-client.js +24 -24
  275. package/lib/xml-c14n.js +2 -2
  276. package/package.json +1 -1
  277. package/sbom.cdx.json +6 -6
@@ -113,9 +113,9 @@ var PROFILES = Object.freeze({
113
113
  aliasBombPolicy: "reject",
114
114
  depthPolicy: "reject",
115
115
  variableShapePolicy: "reject",
116
- maxDepth: 8, // allow:raw-byte-literal — selection-set depth ceiling
117
- maxAliasesPerSelection: 8, // allow:raw-byte-literal — alias breadth ceiling
118
- maxBatchSize: 1, // allow:raw-byte-literal — strict refuses batch
116
+ maxDepth: 8, // selection-set depth ceiling
117
+ maxAliasesPerSelection: 8, // alias breadth ceiling
118
+ maxBatchSize: 1, // strict refuses batch
119
119
  maxQueryBytes: C.BYTES.kib(8),
120
120
  maxVariableBytes: C.BYTES.kib(8),
121
121
  maxBytes: C.BYTES.kib(32),
@@ -133,9 +133,9 @@ var PROFILES = Object.freeze({
133
133
  aliasBombPolicy: "audit",
134
134
  depthPolicy: "audit",
135
135
  variableShapePolicy: "audit",
136
- maxDepth: 12, // allow:raw-byte-literal — selection-set depth ceiling
137
- maxAliasesPerSelection: 16, // allow:raw-byte-literal — alias breadth ceiling
138
- maxBatchSize: 10, // allow:raw-byte-literal — batch size ceiling
136
+ maxDepth: 12, // selection-set depth ceiling
137
+ maxAliasesPerSelection: 16, // alias breadth ceiling
138
+ maxBatchSize: 10, // batch size ceiling
139
139
  maxQueryBytes: C.BYTES.kib(16),
140
140
  maxVariableBytes: C.BYTES.kib(16),
141
141
  maxBytes: C.BYTES.kib(64),
@@ -153,9 +153,9 @@ var PROFILES = Object.freeze({
153
153
  aliasBombPolicy: "audit",
154
154
  depthPolicy: "audit",
155
155
  variableShapePolicy: "audit",
156
- maxDepth: 24, // allow:raw-byte-literal — selection-set depth ceiling
157
- maxAliasesPerSelection: 32, // allow:raw-byte-literal — alias breadth ceiling
158
- maxBatchSize: 50, // allow:raw-byte-literal — batch size ceiling
156
+ maxDepth: 24, // selection-set depth ceiling
157
+ maxAliasesPerSelection: 32, // alias breadth ceiling
158
+ maxBatchSize: 50, // batch size ceiling
159
159
  maxQueryBytes: C.BYTES.kib(64),
160
160
  maxVariableBytes: C.BYTES.kib(64),
161
161
  maxBytes: C.BYTES.kib(256),
@@ -31,7 +31,7 @@ function lineColAt(html, offset) {
31
31
  var line = 1;
32
32
  var lastNl = -1;
33
33
  for (var i = 0; i < offset; i++) {
34
- if (html.charCodeAt(i) === 10) { line += 1; lastNl = i; } // allow:raw-byte-literal — ASCII LF
34
+ if (html.charCodeAt(i) === 10) { line += 1; lastNl = i; } // ASCII LF
35
35
  }
36
36
  return { line: line, column: offset - lastNl };
37
37
  }
@@ -181,7 +181,7 @@ function _checkButtonText(html, tagOpenEnd, attrs, offset, report, opts) {
181
181
  function _checkHeadingOrder(html, attrs, tagName, offset, report, opts, ctx) {
182
182
  if (!/^h[1-6]$/.test(tagName)) return;
183
183
  if (opts.ignore.indexOf("1.3.1") !== -1) return;
184
- var level = parseInt(tagName.charAt(1), 10); // allow:raw-byte-literal — base-10 parse radix
184
+ var level = parseInt(tagName.charAt(1), 10); // base-10 parse radix
185
185
  if (ctx.headingLevels.length === 0) {
186
186
  if (level !== 1) {
187
187
  var pos = _lineColAt(html, offset);
@@ -447,9 +447,9 @@ function audit(html, opts) {
447
447
  }
448
448
 
449
449
  // Heuristic score: 1 - weighted-violations / heuristic-max
450
- var weighted = report.summary.error * 3 + report.summary.warning * 1.5 + // allow:raw-byte-literal — severity weights for heuristic score
451
- report.summary.info * 0.5; // allow:raw-byte-literal — severity weights for heuristic score
452
- var maxFor = Math.max(50, weighted * 2); // allow:raw-byte-literal — heuristic-score floor
450
+ var weighted = report.summary.error * 3 + report.summary.warning * 1.5 + // severity weights for heuristic score
451
+ report.summary.info * 0.5; // severity weights for heuristic score
452
+ var maxFor = Math.max(50, weighted * 2); // heuristic-score floor
453
453
  report.score = Math.max(0, 1 - weighted / maxFor);
454
454
 
455
455
  try { observability().safeEvent("guard-html.wcag.audited", 1, {
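Review bot: `report.score` cannot fall below 0.5 with the denominator computed as `Math.max(50, weighted * 2)`: once `weighted` exceeds 25, `maxFor` is `weighted * 2` and the quotient is pinned at 0.5, so the `Math.max(0, …)` clamp on the next line never engages. If the score is meant to span 0..1, a fixed denominator would do it, e.g. `var maxFor = 50;` with the existing clamp kept. If the 0.5 floor is intended, the comment above the computation should say so, e.g. `// Heuristic score in [0.5, 1]: 1 - weighted-violations / heuristic-max`. `audit()` starts and continues outside this hunk, so how callers consume the score is not visible here.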
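--- a/package/lib/guard-html.js
+++ b/package/lib/guard-html.js
@@ -105,7 +105,7 @@ var observability = lazyRequire(function () { return require("./observability");
  void observability;
 
  var _err = GuardHtmlError.factory;
- var HEX_RADIX = 16; // allow:raw-byte-literal — base-16 radix, not byte size
+ var HEX_RADIX = 16; // base-16 radix, not byte size
 
  // ---- Codepoint catalog (shared via lib/codepoint-class) ----
 
@@ -242,8 +242,8 @@ var PROFILES = Object.freeze({
  mxssHintPolicy: "reject",
  maxBytes: C.BYTES.mib(2),
  maxAttrValueBytes: C.BYTES.kib(8),
- maxTagDepth: 128, // allow:raw-byte-literal — tag-nesting depth count, not bytes
- maxAttrsPerTag: 64, // allow:raw-byte-literal — attribute count per tag, not bytes
+ maxTagDepth: 128, // tag-nesting depth count, not bytes
+ maxAttrsPerTag: 64, // attribute count per tag, not bytes
  },
  "balanced": {
  allowedTags: BALANCED_ALLOWED_TAGS,
@@ -264,8 +264,8 @@ var PROFILES = Object.freeze({
  mxssHintPolicy: "audit",
  maxBytes: C.BYTES.mib(8),
  maxAttrValueBytes: C.BYTES.kib(32),
- maxTagDepth: 256, // allow:raw-byte-literal — tag-nesting depth count, not bytes
- maxAttrsPerTag: 128, // allow:raw-byte-literal — attribute count per tag, not bytes
+ maxTagDepth: 256, // tag-nesting depth count, not bytes
+ maxAttrsPerTag: 128, // attribute count per tag, not bytes
  },
  "permissive": {
  allowedTags: PERMISSIVE_ALLOWED_TAGS,
@@ -286,8 +286,8 @@ var PROFILES = Object.freeze({
  mxssHintPolicy: "audit",
  maxBytes: C.BYTES.mib(32),
  maxAttrValueBytes: C.BYTES.kib(64),
- maxTagDepth: 512, // allow:raw-byte-literal — tag-nesting depth count, not bytes
- maxAttrsPerTag: 256, // allow:raw-byte-literal — attribute count per tag, not bytes
+ maxTagDepth: 512, // tag-nesting depth count, not bytes
+ maxAttrsPerTag: 256, // attribute count per tag, not bytes
  },
  });
 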
@@ -36,9 +36,9 @@ var GuardIdempotencyKeyError = defineClass("GuardIdempotencyKeyError", { alwaysP
36
36
  var DEFAULT_PROFILE = "strict";
37
37
 
38
38
  var PROFILES = Object.freeze({
39
- strict: { maxBytes: 256, asciiOnly: true }, // allow:raw-byte-literal
40
- balanced: { maxBytes: 512, asciiOnly: true }, // allow:raw-byte-literal
41
- permissive: { maxBytes: 2048, asciiOnly: false }, // allow:raw-byte-literal
39
+ strict: { maxBytes: 256, asciiOnly: true },
40
+ balanced: { maxBytes: 512, asciiOnly: true },
41
+ permissive: { maxBytes: 2048, asciiOnly: false },
42
42
  });
43
43
 
44
44
  var COMPLIANCE_POSTURES = Object.freeze({
@@ -94,15 +94,15 @@ function validate(value, opts) {
94
94
  // C0 / DEL / slash refusal.
95
95
  for (var i = 0; i < value.length; i += 1) {
96
96
  var c = value.charCodeAt(i);
97
- if (c < 0x20 || c === 0x7F) { // allow:raw-byte-literal — C0 + DEL refusal
97
+ if (c < 0x20 || c === 0x7F) { // C0 + DEL refusal
98
98
  throw new GuardIdempotencyKeyError("idempotency-key/control-char",
99
99
  "guardIdempotencyKey.validate: control char 0x" + c.toString(16) + " at offset " + i);
100
100
  }
101
- if (c === 0x2F || c === 0x5C) { // allow:raw-byte-literal — / and \ refusal
101
+ if (c === 0x2F || c === 0x5C) { // / and \ refusal
102
102
  throw new GuardIdempotencyKeyError("idempotency-key/slash",
103
103
  "guardIdempotencyKey.validate: key contains '/' or '\\' at offset " + i);
104
104
  }
105
- if (profile.asciiOnly && c > 0x7F) { // allow:raw-byte-literal — ASCII-only cap
105
+ if (profile.asciiOnly && c > 0x7F) { // ASCII-only cap
106
106
  throw new GuardIdempotencyKeyError("idempotency-key/non-ascii",
107
107
  "guardIdempotencyKey.validate: non-ASCII codepoint at offset " + i +
108
108
  " (use profile='permissive' to allow)");
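Review bot: In the `permissive` profile (`asciiOnly: false`) the control-character test `c < 0x20 || c === 0x7F` covers only C0 and DEL, so C1 controls (0x80–0x9F) pass every check visible in this loop. If idempotency keys end up in logs, response headers or storage keys, consider widening the test to `if (c < 0x20 || (c >= 0x7F && c <= 0x9F)) {` and changing its comment to `// C0 + DEL + C1 refusal`. `validate()` begins and continues outside the hunk, so a later check may already cover this.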
@@ -82,7 +82,7 @@ var MAGIC_BYTES = Object.freeze([
82
82
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] },
83
83
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] },
84
84
  // WebP: RIFF????WEBP — check at offsets 0..3 + 8..11.
85
- { mime: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46], tail: [0x57, 0x45, 0x42, 0x50], tailOffset: 8 }, // allow:raw-byte-literal — RIFF + WEBP magic-byte tail offset
85
+ { mime: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46], tail: [0x57, 0x45, 0x42, 0x50], tailOffset: 8 }, // RIFF + WEBP magic-byte tail offset
86
86
  // BMP: 42 4D
87
87
  { mime: "image/bmp", bytes: [0x42, 0x4D] },
88
88
  // ICO: 00 00 01 00
@@ -124,7 +124,7 @@ var PROFILES = Object.freeze({
124
124
  framesPolicy: "audit",
125
125
  maxWidth: C.BYTES.bytes(16384),
126
126
  maxHeight: C.BYTES.bytes(16384),
127
- maxFrames: 200, // allow:raw-byte-literal — animation frame ceiling
127
+ maxFrames: 200, // animation frame ceiling
128
128
  maxBytes: C.BYTES.mib(64),
129
129
  maxRuntimeMs: C.TIME.seconds(5),
130
130
  },
@@ -137,7 +137,7 @@ var PROFILES = Object.freeze({
137
137
  framesPolicy: "audit",
138
138
  maxWidth: C.BYTES.bytes(65536),
139
139
  maxHeight: C.BYTES.bytes(65536),
140
- maxFrames: 1000, // allow:raw-byte-literal — animation frame ceiling
140
+ maxFrames: 1000, // animation frame ceiling
141
141
  maxBytes: C.BYTES.mib(256),
142
142
  maxRuntimeMs: C.TIME.seconds(5),
143
143
  },
@@ -562,7 +562,7 @@ module.exports = {
562
562
  benignMetadata: {
563
563
  bytes: Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
564
564
  declaredMime: "image/png",
565
- width: 100, height: 100, frames: 1, // allow:raw-byte-literal — pixel + frame count fixture
565
+ width: 100, height: 100, frames: 1, // pixel + frame count fixture
566
566
  },
567
567
  hostileMetadata: {
568
568
  bytes: Buffer.from([0xFF, 0xD8, 0xFF]),
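Review bot: `maxWidth` and `maxHeight` in both profile hunks are wrapped in `C.BYTES.bytes(...)` although they appear to be pixel dimensions (the fixture comment calls width/height a pixel count), while `maxFrames` next to them is a plain number with a plain comment. Writing them the same way, e.g. `maxWidth: 16384, // pixel ceiling, not bytes`, would stop readers from taking them for byte sizes. This assumes `C.BYTES.bytes` does nothing beyond returning its argument, which is not visible here. The `PROFILES` object starts and ends outside these hunks.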
@@ -89,31 +89,31 @@ var DEFAULT_PROFILE = "strict";
89
89
 
90
90
  var PROFILES = Object.freeze({
91
91
  strict: {
92
- maxLineBytes: 8192, // allow:raw-byte-literal — 8 KiB command-line cap
93
- maxLiteralBytes: 67108864, // allow:raw-byte-literal — 64 MiB per-literal cap
94
- maxMailboxBytes: 1024, // allow:raw-byte-literal — RFC 9051 §5.1 mailbox cap
95
- maxSequenceSetItems: 10000, // allow:raw-byte-literal — FETCH/STORE sequence-set element cap
96
- maxSearchDepth: 32, // allow:raw-byte-literal — SEARCH AND/OR/NOT nesting cap
92
+ maxLineBytes: 8192, // 8 KiB command-line cap
93
+ maxLiteralBytes: 67108864, // 64 MiB per-literal cap
94
+ maxMailboxBytes: 1024, // RFC 9051 §5.1 mailbox cap
95
+ maxSequenceSetItems: 10000, // FETCH/STORE sequence-set element cap
96
+ maxSearchDepth: 32, // SEARCH AND/OR/NOT nesting cap
97
97
  allowBareLf: false,
98
98
  allowLiteralPlus: false, // LITERAL+ (RFC 7888) only post-AUTH; the listener flips this
99
99
  allowLegacyMUtf7: false, // RFC 3501 §5.1.3 modified-UTF7 mailbox names — legacy MUA escape hatch
100
100
  },
101
101
  balanced: {
102
- maxLineBytes: 16384, // allow:raw-byte-literal — 16 KiB command-line cap
103
- maxLiteralBytes: 134217728, // allow:raw-byte-literal — 128 MiB per-literal cap
104
- maxMailboxBytes: 2048, // allow:raw-byte-literal — balanced mailbox cap
105
- maxSequenceSetItems: 50000, // allow:raw-byte-literal — balanced sequence-set cap
106
- maxSearchDepth: 48, // allow:raw-byte-literal — balanced SEARCH-depth cap
102
+ maxLineBytes: 16384, // 16 KiB command-line cap
103
+ maxLiteralBytes: 134217728, // 128 MiB per-literal cap
104
+ maxMailboxBytes: 2048, // balanced mailbox cap
105
+ maxSequenceSetItems: 50000, // balanced sequence-set cap
106
+ maxSearchDepth: 48, // balanced SEARCH-depth cap
107
107
  allowBareLf: false,
108
108
  allowLiteralPlus: true,
109
109
  allowLegacyMUtf7: true,
110
110
  },
111
111
  permissive: {
112
- maxLineBytes: 65536, // allow:raw-byte-literal — 64 KiB command-line cap (legacy peers)
113
- maxLiteralBytes: 268435456, // allow:raw-byte-literal — 256 MiB per-literal cap
114
- maxMailboxBytes: 4096, // allow:raw-byte-literal — permissive mailbox cap
115
- maxSequenceSetItems: 100000, // allow:raw-byte-literal — permissive sequence-set cap
116
- maxSearchDepth: 64, // allow:raw-byte-literal — permissive SEARCH-depth cap
112
+ maxLineBytes: 65536, // 64 KiB command-line cap (legacy peers)
113
+ maxLiteralBytes: 268435456, // 256 MiB per-literal cap
114
+ maxMailboxBytes: 4096, // permissive mailbox cap
115
+ maxSequenceSetItems: 100000, // permissive sequence-set cap
116
+ maxSearchDepth: 64, // permissive SEARCH-depth cap
117
117
  allowBareLf: true,
118
118
  allowLiteralPlus: true,
119
119
  allowLegacyMUtf7: true,
@@ -224,10 +224,10 @@ function validate(line, opts) {
224
224
  // shape.
225
225
  for (var i = 0; i < line.length; i += 1) {
226
226
  var c = line.charCodeAt(i);
227
- if (c === 0x00 || c === 0x7F || (c < 0x20 && c !== 0x09)) { // allow:raw-byte-literal — control-byte refusal
227
+ if (c === 0x00 || c === 0x7F || (c < 0x20 && c !== 0x09)) { // control-byte refusal
228
228
  if (c === 0x0A && caps.allowBareLf) continue;
229
229
  throw new GuardImapCommandError("guard-imap-command/bad-byte",
230
- "guardImapCommand.validate: control byte 0x" + c.toString(16) + " at offset " + i); // allow:raw-byte-literal — hex format literal in error message
230
+ "guardImapCommand.validate: control byte 0x" + c.toString(16) + " at offset " + i); // hex format literal in error message
231
231
  }
232
232
  }
233
233
 
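Review bot: With `allowBareLf` set (the `permissive` profile in the first hunk), the `if (c === 0x0A && caps.allowBareLf) continue;` branch accepts a bare LF at any offset of `line`, not only as the terminator. A consumer further down that splits on LF could then treat one validated line as several commands, so the exemption would be safer limited to the final position: `if (c === 0x0A && caps.allowBareLf && i === line.length - 1) continue;`. If embedded LF is intentional, a comment such as `// caller passes exactly one already-split command line` should state that assumption. `validate()` starts and ends outside the hunk, so earlier handling of embedded line breaks may exist.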
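--- a/package/lib/guard-jmap.js
+++ b/package/lib/guard-jmap.js
@@ -66,28 +66,28 @@ var DEFAULT_PROFILE = "strict";
 
  var PROFILES = Object.freeze({
  strict: {
- maxCallsInRequest: 32, // allow:raw-byte-literal — RFC 8620 §3.6 default
- maxObjectsInGet: 500, // allow:raw-byte-literal — RFC 8620 §3.6 default
- maxObjectsInSet: 500, // allow:raw-byte-literal — RFC 8620 §3.6 default
- maxSizeRequest: 10485760, // allow:raw-byte-literal — 10 MiB request body cap
+ maxCallsInRequest: 32, // RFC 8620 §3.6 default
+ maxObjectsInGet: 500, // RFC 8620 §3.6 default
+ maxObjectsInSet: 500, // RFC 8620 §3.6 default
+ maxSizeRequest: 10485760, // 10 MiB request body cap
  maxBackRefDepth: 8,
- maxUsingCapabilities: 32, // allow:raw-byte-literal — `using` array length cap
+ maxUsingCapabilities: 32, // `using` array length cap
  },
  balanced: {
- maxCallsInRequest: 128, // allow:raw-byte-literal — balanced call cap
- maxObjectsInGet: 1000, // allow:raw-byte-literal — balanced object cap
- maxObjectsInSet: 1000, // allow:raw-byte-literal — balanced object cap
- maxSizeRequest: 52428800, // allow:raw-byte-literal — 50 MiB balanced
- maxBackRefDepth: 16, // allow:raw-byte-literal — balanced depth
- maxUsingCapabilities: 64, // allow:raw-byte-literal — balanced using cap
+ maxCallsInRequest: 128, // balanced call cap
+ maxObjectsInGet: 1000, // balanced object cap
+ maxObjectsInSet: 1000, // balanced object cap
+ maxSizeRequest: 52428800, // 50 MiB balanced
+ maxBackRefDepth: 16, // balanced depth
+ maxUsingCapabilities: 64, // balanced using cap
  },
  permissive: {
- maxCallsInRequest: 512, // allow:raw-byte-literal — permissive call cap
- maxObjectsInGet: 5000, // allow:raw-byte-literal — permissive object cap
- maxObjectsInSet: 5000, // allow:raw-byte-literal — permissive object cap
- maxSizeRequest: 104857600, // allow:raw-byte-literal — 100 MiB permissive
- maxBackRefDepth: 32, // allow:raw-byte-literal — permissive depth
- maxUsingCapabilities: 128, // allow:raw-byte-literal — permissive using cap
+ maxCallsInRequest: 512, // permissive call cap
+ maxObjectsInGet: 5000, // permissive object cap
+ maxObjectsInSet: 5000, // permissive object cap
+ maxSizeRequest: 104857600, // 100 MiB permissive
+ maxBackRefDepth: 32, // permissive depth
+ maxUsingCapabilities: 128, // permissive using cap
  },
  });
 
@@ -239,7 +239,7 @@ function validate(rawBody, opts) {
  throw new GuardJmapError("urn:ietf:params:jmap:error:invalidArguments",
  "guardJmap.validate: methodCalls[" + ci + "][2] (clientId) must be a string");
  }
- if (call[2].length === 0 || call[2].length > 256) { // allow:raw-byte-literal — clientId length cap
+ if (call[2].length === 0 || call[2].length > 256) { // clientId length cap
  throw new GuardJmapError("urn:ietf:params:jmap:error:invalidArguments",
  "guardJmap.validate: methodCalls[" + ci + "][2] (clientId) length must be 1..256");
  }
@@ -283,11 +283,11 @@ function _countBackRefs(node, depth, maxDepth) {
  return maxA;
  }
  var keys = Object.keys(node);
- if (keys.length > 1000) return -1; // allow:raw-byte-literal — per-object key cap
+ if (keys.length > 1000) return -1; // per-object key cap
  var maxO = depth;
  for (var k = 0; k < keys.length; k += 1) {
  var key = keys[k];
- var inc = (key === "resultOf" || key.charCodeAt(0) === 0x23) ? 1 : 0; // allow:raw-byte-literal — `#` (0x23) is the JMAP back-ref prefix
+ var inc = (key === "resultOf" || key.charCodeAt(0) === 0x23) ? 1 : 0; // `#` (0x23) is the JMAP back-ref prefix
  var d2 = _countBackRefs(node[key], depth + inc, maxDepth);
  if (d2 === -1) return -1;
  if (d2 > maxO) maxO = d2;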
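Review bot: `_countBackRefs` raises `depth` only for `resultOf` or `#`-prefixed keys (the `inc` line), so on the visible lines `maxDepth` bounds back-reference chains but not how deep the recursion itself goes on plainly nested arguments. If nothing upstream caps structural nesting, a deeply nested request body could exhaust the stack before the back-ref limit is reached. Either track nesting separately or document the dependency next to the recursive call, e.g. `// depth counts back-ref levels only; structural nesting must be capped by the caller`. The function's opening lines are outside the hunk, so such a cap may already be there.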
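--- a/package/lib/guard-json.js
+++ b/package/lib/guard-json.js
@@ -140,11 +140,11 @@ var PROFILES = Object.freeze({
  requireTopLevelKeyAllowlist: false, // operator opts in via topLevelKeyAllowlist
  topLevelKeyAllowlist: null,
  maxBytes: C.BYTES.mib(2),
- maxDepth: 8, // allow:raw-byte-literal — recursion depth, not byte size
- maxKeysPerObject: 256, // allow:raw-byte-literal — key count cap, not byte size
- maxArrayLength: 1024, // allow:raw-byte-literal — array length cap, not byte size
+ maxDepth: 8, // recursion depth, not byte size
+ maxKeysPerObject: 256, // key count cap, not byte size
+ maxArrayLength: 1024, // array length cap, not byte size
  maxStringLength: C.BYTES.kib(8),
- maxTotalNodes: 0x2000, // allow:raw-byte-literal — node count cap, not byte size
+ maxTotalNodes: 0x2000, // node count cap, not byte size
  },
  "balanced": {
  pollutionPolicy: "strip", // remove __proto__ keys silently
@@ -162,11 +162,11 @@ var PROFILES = Object.freeze({
  requireTopLevelKeyAllowlist: false,
  topLevelKeyAllowlist: null,
  maxBytes: C.BYTES.mib(8),
- maxDepth: 32, // allow:raw-byte-literal — recursion depth, not byte size
- maxKeysPerObject: 4096, // allow:raw-byte-literal — key count cap, not byte size
- maxArrayLength: 65536, // allow:raw-byte-literal — array length cap, not byte size
+ maxDepth: 32, // recursion depth, not byte size
+ maxKeysPerObject: 4096, // key count cap, not byte size
+ maxArrayLength: 65536, // array length cap, not byte size
  maxStringLength: C.BYTES.kib(64),
- maxTotalNodes: 0x10000, // allow:raw-byte-literal — node count cap, not byte size
+ maxTotalNodes: 0x10000, // node count cap, not byte size
  },
  "permissive": {
  pollutionPolicy: "audit",
@@ -184,11 +184,11 @@ var PROFILES = Object.freeze({
  requireTopLevelKeyAllowlist: false,
  topLevelKeyAllowlist: null,
  maxBytes: C.BYTES.mib(64),
- maxDepth: 64, // allow:raw-byte-literal — recursion depth, not byte size
- maxKeysPerObject: 65536, // allow:raw-byte-literal — key count cap, not byte size
- maxArrayLength: 1048576, // allow:raw-byte-literal — array length cap, not byte size
+ maxDepth: 64, // recursion depth, not byte size
+ maxKeysPerObject: 65536, // key count cap, not byte size
+ maxArrayLength: 1048576, // array length cap, not byte size
  maxStringLength: C.BYTES.kib(256),
- maxTotalNodes: 0x40000, // allow:raw-byte-literal — node count cap, not byte size
+ maxTotalNodes: 0x40000, // node count cap, not byte size
  },
  });
 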
@@ -90,7 +90,7 @@ var PROFILES = Object.freeze({
90
90
  dynamicHintPolicy: "reject",
91
91
  bracketNestingPolicy: "reject",
92
92
  recursiveDescentPolicy: "reject",
93
- maxRecursiveDescents: 2, // allow:raw-byte-literal — recursion depth ceiling
93
+ maxRecursiveDescents: 2, // recursion depth ceiling
94
94
  maxPatternBytes: C.BYTES.kib(1),
95
95
  maxBytes: C.BYTES.kib(1),
96
96
  maxRuntimeMs: C.TIME.seconds(2),
@@ -105,7 +105,7 @@ var PROFILES = Object.freeze({
105
105
  dynamicHintPolicy: "reject", // RCE class — refused at every profile
106
106
  bracketNestingPolicy: "audit",
107
107
  recursiveDescentPolicy: "audit",
108
- maxRecursiveDescents: 4, // allow:raw-byte-literal — recursion depth ceiling
108
+ maxRecursiveDescents: 4, // recursion depth ceiling
109
109
  maxPatternBytes: C.BYTES.kib(2),
110
110
  maxBytes: C.BYTES.kib(2),
111
111
  maxRuntimeMs: C.TIME.seconds(2),
@@ -120,7 +120,7 @@ var PROFILES = Object.freeze({
120
120
  dynamicHintPolicy: "reject", // RCE class refused at every profile
121
121
  bracketNestingPolicy: "audit",
122
122
  recursiveDescentPolicy: "allow",
123
- maxRecursiveDescents: 16, // allow:raw-byte-literal — recursion depth ceiling
123
+ maxRecursiveDescents: 16, // recursion depth ceiling
124
124
  maxPatternBytes: C.BYTES.kib(8),
125
125
  maxBytes: C.BYTES.kib(8),
126
126
  maxRuntimeMs: C.TIME.seconds(2),
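--- a/package/lib/guard-jwt.js
+++ b/package/lib/guard-jwt.js
@@ -368,7 +368,7 @@ function _detectIssues(input, opts) {
  // Payload claim sanity (only if payload is decodable).
  var payload = _b64urlDecodeJson(payloadSeg);
  if (payload && typeof payload === "object") {
- var nowSec = Math.floor(Date.now() / 1000); // allow:raw-byte-literal — seconds-per-millisecond conversion
+ var nowSec = Math.floor(Date.now() / 1000); // seconds-per-millisecond conversion
 
  // exp in the past.
  if (typeof payload.exp === "number" &&
@@ -387,7 +387,7 @@ function _detectIssues(input, opts) {
  // nbf far-future.
  if (typeof payload.nbf === "number" &&
  opts.nbfSanityPolicy !== "allow") {
- var nbfSlackSec = Math.floor(opts.nbfFutureSlackMs / 1000); // allow:raw-byte-literal — seconds-per-millisecond conversion
+ var nbfSlackSec = Math.floor(opts.nbfFutureSlackMs / 1000); // seconds-per-millisecond conversion
  if (payload.nbf > nowSec + nbfSlackSec) {
  issues.push({
  kind: "nbf-far-future",
@@ -402,7 +402,7 @@ function _detectIssues(input, opts) {
  // iat far-future.
  if (typeof payload.iat === "number" &&
  opts.iatSanityPolicy !== "allow") {
- var iatSlackSec = Math.floor(opts.iatFutureSlackMs / 1000); // allow:raw-byte-literal — seconds-per-millisecond conversion
+ var iatSlackSec = Math.floor(opts.iatFutureSlackMs / 1000); // seconds-per-millisecond conversion
  if (payload.iat > nowSec + iatSlackSec) {
  issues.push({
  kind: "iat-far-future",
@@ -727,7 +727,7 @@ function kidSafe(kid) {
  }
  for (var i = 0; i < kid.length; i += 1) {
  var cc = kid.charCodeAt(i);
- if (cc < 0x20 || cc === 0x7F) { // allow:raw-byte-literal — control-byte boundary check
+ if (cc < 0x20 || cc === 0x7F) { // control-byte boundary check
  throw _err("jwt.kid-control",
  "kid contains control byte at index " + i);
  }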
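Review bot: The nbf far-future check at line 390 fails open when `opts.nbfFutureSlackMs` is missing or not a finite number: `Math.floor(undefined / 1000)` is NaN, and `payload.nbf > nowSec + nbfSlackSec` is then always false, so no `nbf-far-future` issue is pushed. The iat check at line 405 has the same shape with `opts.iatFutureSlackMs`. `_detectIssues` begins outside these hunks, so the options may already be defaulted before this point; if they are not, a guard such as `if (!Number.isFinite(nbfSlackSec)) nbfSlackSec = 0;` (and the same for `iatSlackSec`) keeps the check strict. Separately, the retained comment says "seconds-per-millisecond conversion" although the division converts milliseconds to seconds; `// ms → s` would be accurate.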
@@ -80,22 +80,22 @@ var DEFAULT_PROFILE = "strict";
80
80
 
81
81
  var PROFILES = Object.freeze({
82
82
  strict: {
83
- maxBytes: 998, // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap
84
- maxListIdBytes: 255, // allow:raw-byte-literal — RFC 2919 §3 cap
83
+ maxBytes: 998, // RFC 5322 §2.1.1 line cap
84
+ maxListIdBytes: 255, // RFC 2919 §3 cap
85
85
  requireFqdn: true,
86
86
  requireRandomForLocalhost: true,
87
87
  allowPhrase: true,
88
88
  },
89
89
  balanced: {
90
- maxBytes: 998, // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap
91
- maxListIdBytes: 255, // allow:raw-byte-literal — RFC 2919 §3 cap
90
+ maxBytes: 998, // RFC 5322 §2.1.1 line cap
91
+ maxListIdBytes: 255, // RFC 2919 §3 cap
92
92
  requireFqdn: true,
93
93
  requireRandomForLocalhost: false,
94
94
  allowPhrase: true,
95
95
  },
96
96
  permissive: {
97
97
  maxBytes: C.BYTES.kib(4),
98
- maxListIdBytes: 512, // allow:raw-byte-literal — permissive max
98
+ maxListIdBytes: 512, // permissive max
99
99
  requireFqdn: false,
100
100
  requireRandomForLocalhost: false,
101
101
  allowPhrase: true,
@@ -238,7 +238,7 @@ function validate(headerValue, opts) {
238
238
  // grammar). No trailing-dot bypass surface here.
239
239
  var isLocalScopeTld = lastLabel === "localhost" || lastLabel === "local" || lastLabel === "lan"; // allow:hostname-compare-trailing-dot — see comment above; List-Id parts already split on `.` so trailing-dot label is empty and refused upstream
240
240
  if (caps.requireFqdn) {
241
- if (parts.length < 3 && !isLocalScopeTld) { // allow:raw-byte-literal — FQDN requires ≥ 3 labels for non-local-scope namespace
241
+ if (parts.length < 3 && !isLocalScopeTld) { // FQDN requires ≥ 3 labels for non-local-scope namespace
242
242
  return _refuse("list-id has < 3 labels for non-local-scope namespace (FQDN required under '" +
243
243
  (opts.profile || DEFAULT_PROFILE) + "')");
244
244
  }
@@ -280,7 +280,7 @@ function compliancePosture(posture) {
280
280
  function _hasControlChar(s) {
281
281
  for (var i = 0; i < s.length; i += 1) {
282
282
  var c = s.charCodeAt(i);
283
- if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) { // allow:raw-byte-literal — RFC 5322 control + TAB allow
283
+ if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) { // RFC 5322 control + TAB allow
284
284
  return true;
285
285
  }
286
286
  }
@@ -87,24 +87,24 @@ var DEFAULT_PROFILE = "strict";
87
87
  var PROFILES = Object.freeze({
88
88
  strict: {
89
89
  maxBytes: C.BYTES.kib(4),
90
- maxUris: 4, // allow:raw-byte-literal — URI-count cap
91
- maxUriBytes: 2048, // allow:raw-byte-literal — per-URI byte cap
90
+ maxUris: 4, // URI-count cap
91
+ maxUriBytes: 2048, // per-URI byte cap
92
92
  requireHttpsUri: true,
93
93
  requirePostHeader: true,
94
94
  refuseHttp: true,
95
95
  },
96
96
  balanced: {
97
97
  maxBytes: C.BYTES.kib(4),
98
- maxUris: 8, // allow:raw-byte-literal — URI-count cap
99
- maxUriBytes: 2048, // allow:raw-byte-literal — per-URI byte cap
98
+ maxUris: 8, // URI-count cap
99
+ maxUriBytes: 2048, // per-URI byte cap
100
100
  requireHttpsUri: false,
101
101
  requirePostHeader: false,
102
102
  refuseHttp: true,
103
103
  },
104
104
  permissive: {
105
105
  maxBytes: C.BYTES.kib(8),
106
- maxUris: 16, // allow:raw-byte-literal — URI-count cap
107
- maxUriBytes: 4096, // allow:raw-byte-literal — per-URI byte cap
106
+ maxUris: 16, // URI-count cap
107
+ maxUriBytes: 4096, // per-URI byte cap
108
108
  requireHttpsUri: false,
109
109
  requirePostHeader: false,
110
110
  refuseHttp: false,
@@ -363,7 +363,7 @@ function _extractUris(raw, maxUris) {
363
363
  function _hasControlChar(s) {
364
364
  for (var i = 0; i < s.length; i += 1) {
365
365
  var c = s.charCodeAt(i);
366
- if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) { // allow:raw-byte-literal — RFC 5322 control + TAB allow
366
+ if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) { // RFC 5322 control + TAB allow
367
367
  return true;
368
368
  }
369
369
  }
@@ -371,7 +371,7 @@ function _hasControlChar(s) {
371
371
  }
372
372
 
373
373
  function _trunc(s) {
374
- if (s.length <= 64) return s; // allow:raw-byte-literal — error-message truncation
374
+ if (s.length <= 64) return s; // error-message truncation
375
375
  return s.slice(0, 60) + "…"; // allow:raw-time-literal — char count for error-message truncation, not seconds
376
376
  }
377
377
 
@@ -42,9 +42,9 @@ var GuardMailComposeError = defineClass("GuardMailComposeError", { alwaysPermane
42
42
  var DEFAULT_PROFILE = "strict";
43
43
 
44
44
  var PROFILES = Object.freeze({
45
- strict: { maxRecipients: 100, maxAttachmentBytes: 26214400, maxSubjectBytes: 998 }, // allow:raw-byte-literal — 25 MiB, RFC 5322 §2.1.1 line cap
46
- balanced: { maxRecipients: 500, maxAttachmentBytes: 52428800, maxSubjectBytes: 998 }, // allow:raw-byte-literal — 50 MiB
47
- permissive: { maxRecipients: 2000, maxAttachmentBytes: 104857600, maxSubjectBytes: 998 }, // allow:raw-byte-literal — 100 MiB
45
+ strict: { maxRecipients: 100, maxAttachmentBytes: 26214400, maxSubjectBytes: 998 }, // 25 MiB, RFC 5322 §2.1.1 line cap
46
+ balanced: { maxRecipients: 500, maxAttachmentBytes: 52428800, maxSubjectBytes: 998 }, // 50 MiB
47
+ permissive: { maxRecipients: 2000, maxAttachmentBytes: 104857600, maxSubjectBytes: 998 }, // 100 MiB
48
48
  });
49
49
 
50
50
  var COMPLIANCE_POSTURES = Object.freeze({
@@ -239,7 +239,7 @@ function _checkBody(body, profile, allowAlt) {
239
239
  function _checkHeaderValue(v, label) {
240
240
  for (var i = 0; i < v.length; i += 1) {
241
241
  var c = v.charCodeAt(i);
242
- if ((c < 0x20 && c !== 0x09) || c === 0x7F) { // allow:raw-byte-literal — C0 + DEL refusal in header
242
+ if ((c < 0x20 && c !== 0x09) || c === 0x7F) { // C0 + DEL refusal in header
243
243
  throw new GuardMailComposeError("mail-compose/control-char-in-header",
244
244
  "guardMailCompose.validate: control char 0x" + c.toString(16) + " in " + label);
245
245
  }
@@ -40,9 +40,9 @@ var GuardMailMoveError = defineClass("GuardMailMoveError", { alwaysPermanent: tr
40
40
  var DEFAULT_PROFILE = "strict";
41
41
 
42
42
  var PROFILES = Object.freeze({
43
- strict: { maxObjectIds: 1000, maxFolderNameBytes: 255 }, // allow:raw-byte-literal
44
- balanced: { maxObjectIds: 5000, maxFolderNameBytes: 255 }, // allow:raw-byte-literal
45
- permissive: { maxObjectIds: 50000, maxFolderNameBytes: 1024 }, // allow:raw-byte-literal
43
+ strict: { maxObjectIds: 1000, maxFolderNameBytes: 255 },
44
+ balanced: { maxObjectIds: 5000, maxFolderNameBytes: 255 },
45
+ permissive: { maxObjectIds: 50000, maxFolderNameBytes: 1024 },
46
46
  });
47
47
 
48
48
  var COMPLIANCE_POSTURES = Object.freeze({
@@ -167,11 +167,11 @@ function _checkFolderName(name, label, profile) {
167
167
  }
168
168
  for (var i = 0; i < name.length; i += 1) {
169
169
  var c = name.charCodeAt(i);
170
- if (c < 0x20 || c === 0x7F) { // allow:raw-byte-literal — C0 + DEL refusal
170
+ if (c < 0x20 || c === 0x7F) { // C0 + DEL refusal
171
171
  throw new GuardMailMoveError("mail-move/control-char-in-name",
172
172
  "guardMailMove.validate: " + label + " contains control char 0x" + c.toString(16));
173
173
  }
174
- if (c === 0x2F) { // allow:raw-byte-literal — '/' refusal
174
+ if (c === 0x2F) { // '/' refusal
175
175
  throw new GuardMailMoveError("mail-move/slash-in-name",
176
176
  "guardMailMove.validate: " + label + " contains '/' (use IMAP '.' hierarchy separator)");
177
177
  }
@@ -33,9 +33,9 @@ var GuardMailQueryError = defineClass("GuardMailQueryError", { alwaysPermanent:
33
33
  var DEFAULT_PROFILE = "strict";
34
34
 
35
35
  var PROFILES = Object.freeze({
36
- strict: { maxDepth: 8, maxKeys: 64, maxStringBytes: 8192, maxArrayLen: 256 }, // allow:raw-byte-literal — caps for filter spec
37
- balanced: { maxDepth: 16, maxKeys: 128, maxStringBytes: 16384, maxArrayLen: 1024 }, // allow:raw-byte-literal
38
- permissive: { maxDepth: 24, maxKeys: 512, maxStringBytes: 65536, maxArrayLen: 4096 }, // allow:raw-byte-literal
36
+ strict: { maxDepth: 8, maxKeys: 64, maxStringBytes: 8192, maxArrayLen: 256 }, // caps for filter spec
37
+ balanced: { maxDepth: 16, maxKeys: 128, maxStringBytes: 16384, maxArrayLen: 1024 },
38
+ permissive: { maxDepth: 24, maxKeys: 512, maxStringBytes: 65536, maxArrayLen: 4096 },
39
39
  });
40
40
 
41
41
  var COMPLIANCE_POSTURES = Object.freeze({
@@ -36,9 +36,9 @@ var GuardMailReplyError = defineClass("GuardMailReplyError", { alwaysPermanent:
36
36
  var DEFAULT_PROFILE = "strict";
37
37
 
38
38
  var PROFILES = Object.freeze({
39
- strict: { maxChainLength: 100, maxQuotedBytes: 524288, maxForwardedAttachments: 32 }, // allow:raw-byte-literal — chain count + 512 KiB
40
- balanced: { maxChainLength: 500, maxQuotedBytes: 2097152, maxForwardedAttachments: 128 }, // allow:raw-byte-literal — chain count + 2 MiB
41
- permissive: { maxChainLength: 2000, maxQuotedBytes: 10485760, maxForwardedAttachments: 512 }, // allow:raw-byte-literal — chain count + 10 MiB
39
+ strict: { maxChainLength: 100, maxQuotedBytes: 524288, maxForwardedAttachments: 32 }, // chain count + 512 KiB
40
+ balanced: { maxChainLength: 500, maxQuotedBytes: 2097152, maxForwardedAttachments: 128 }, // chain count + 2 MiB
41
+ permissive: { maxChainLength: 2000, maxQuotedBytes: 10485760, maxForwardedAttachments: 512 }, // chain count + 10 MiB
42
42
  });
43
43
 
44
44
  var COMPLIANCE_POSTURES = Object.freeze({