npm - @blamejs/core - Versions diffs - 0.14.1 → 0.14.2 - Mend

@blamejs/core 0.14.1 → 0.14.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (275) hide show

package/CHANGELOG.md +2 -0
package/lib/_test/crypto-fixtures.js +3 -3
package/lib/a2a-tasks.js +18 -18
package/lib/a2a.js +4 -4
package/lib/acme.js +3 -3
package/lib/agent-idempotency.js +1 -1
package/lib/agent-orchestrator.js +8 -8
package/lib/agent-posture-chain.js +2 -2
package/lib/agent-saga.js +1 -1
package/lib/agent-snapshot.js +1 -1
package/lib/agent-stream.js +1 -1
package/lib/agent-tenant.js +1 -1
package/lib/agent-trace.js +3 -3
package/lib/ai-capability.js +1 -1
package/lib/ai-dp.js +4 -4
package/lib/ai-input.js +3 -3
package/lib/ai-model-manifest.js +7 -7
package/lib/ai-pref.js +3 -3
package/lib/archive-gz.js +2 -2
package/lib/archive-read.js +25 -25
package/lib/archive-tar-read.js +2 -2
package/lib/archive-tar.js +20 -20
package/lib/archive-wrap.js +10 -10
package/lib/argon2-builtin.js +1 -1
package/lib/asn1-der.js +34 -34
package/lib/atomic-file.js +2 -2
package/lib/audit-daily-review.js +3 -3
package/lib/audit-sign.js +5 -5
package/lib/audit-tools.js +1 -1
package/lib/audit.js +2 -2
package/lib/auth/acr-vocabulary.js +2 -2
package/lib/auth/bot-challenge.js +3 -3
package/lib/auth/ciba.js +7 -7
package/lib/auth/dpop.js +3 -3
package/lib/auth/fido-mds3.js +8 -8
package/lib/auth/jwt-external.js +5 -5
package/lib/auth/oauth.js +2 -2
package/lib/auth/oid4vci.js +9 -9
package/lib/auth/oid4vp.js +2 -2
package/lib/auth/openid-federation.js +2 -2
package/lib/auth/passkey.js +3 -3
package/lib/auth/saml.js +23 -23
package/lib/auth/sd-jwt-vc-disclosure.js +1 -1
package/lib/auth/sd-jwt-vc.js +4 -4
package/lib/auth/status-list.js +10 -10
package/lib/auth/step-up.js +1 -1
package/lib/auth-bot-challenge.js +1 -1
package/lib/backup/index.js +7 -7
package/lib/base32.js +8 -8
package/lib/budr.js +2 -2
package/lib/cache-status.js +2 -2
package/lib/calendar.js +23 -23
package/lib/cbor.js +12 -12
package/lib/cdn-cache-control.js +1 -1
package/lib/cert.js +5 -5
package/lib/cloud-events.js +5 -5
package/lib/cms-codec.js +21 -21
package/lib/codepoint-class.js +12 -12
package/lib/compliance-sanctions-fuzzy.js +4 -4
package/lib/compliance-sanctions.js +4 -4
package/lib/compliance.js +29 -29
package/lib/content-credentials.js +36 -36
package/lib/cookies.js +1 -1
package/lib/cose.js +13 -13
package/lib/cra-report.js +1 -1
package/lib/crdt.js +1 -1
package/lib/crypto-field.js +2 -2
package/lib/crypto-xwing.js +7 -7
package/lib/crypto.js +6 -6
package/lib/csp.js +2 -2
package/lib/cwt.js +4 -4
package/lib/dark-patterns.js +2 -2
package/lib/data-act.js +2 -2
package/lib/db-file-lifecycle.js +4 -4
package/lib/db-query.js +1 -1
package/lib/db.js +6 -6
package/lib/dbsc.js +13 -13
package/lib/did.js +17 -17
package/lib/dora.js +4 -4
package/lib/dsr.js +1 -1
package/lib/early-hints.js +2 -2
package/lib/eat.js +4 -4
package/lib/external-db-migrate.js +1 -1
package/lib/external-db.js +1 -1
package/lib/flag-cache.js +1 -1
package/lib/flag-evaluation-context.js +2 -2
package/lib/graphql-federation.js +4 -4
package/lib/guard-agent-registry.js +5 -5
package/lib/guard-archive.js +24 -24
package/lib/guard-cidr.js +33 -33
package/lib/guard-csv.js +1 -1
package/lib/guard-domain.js +10 -10
package/lib/guard-dsn.js +4 -4
package/lib/guard-email.js +19 -19
package/lib/guard-event-bus-payload.js +4 -4
package/lib/guard-event-bus-topic.js +6 -6
package/lib/guard-filename.js +7 -7
package/lib/guard-graphql.js +9 -9
package/lib/guard-html-wcag-tagwalk.js +1 -1
package/lib/guard-html-wcag.js +4 -4
package/lib/guard-html.js +7 -7
package/lib/guard-idempotency-key.js +6 -6
package/lib/guard-image.js +4 -4
package/lib/guard-imap-command.js +17 -17
package/lib/guard-jmap.js +20 -20
package/lib/guard-json.js +12 -12
package/lib/guard-jsonpath.js +3 -3
package/lib/guard-jwt.js +4 -4
package/lib/guard-list-id.js +7 -7
package/lib/guard-list-unsubscribe.js +8 -8
package/lib/guard-mail-compose.js +4 -4
package/lib/guard-mail-move.js +5 -5
package/lib/guard-mail-query.js +3 -3
package/lib/guard-mail-reply.js +3 -3
package/lib/guard-mail-sieve.js +6 -6
package/lib/guard-managesieve-command.js +25 -25
package/lib/guard-markdown.js +31 -31
package/lib/guard-message-id.js +5 -5
package/lib/guard-mime.js +1 -1
package/lib/guard-oauth.js +3 -3
package/lib/guard-pdf.js +6 -6
package/lib/guard-pop3-command.js +11 -11
package/lib/guard-posture-chain.js +5 -5
package/lib/guard-regex.js +10 -10
package/lib/guard-saga-config.js +5 -5
package/lib/guard-smtp-command.js +6 -6
package/lib/guard-snapshot-envelope.js +3 -3
package/lib/guard-stream-args.js +4 -4
package/lib/guard-svg.js +11 -11
package/lib/guard-tenant-id.js +5 -5
package/lib/guard-time.js +15 -15
package/lib/guard-trace-context.js +4 -4
package/lib/guard-uuid.js +11 -11
package/lib/guard-xml.js +12 -12
package/lib/guard-yaml.js +16 -16
package/lib/honeytoken.js +5 -5
package/lib/http-client.js +1 -1
package/lib/http-message-signature.js +2 -2
package/lib/iab-mspa.js +3 -3
package/lib/iab-tcf.js +70 -70
package/lib/inbox.js +4 -4
package/lib/ip-utils.js +15 -15
package/lib/jose-jwe-experimental.js +2 -2
package/lib/json-path.js +3 -3
package/lib/json-schema.js +1 -1
package/lib/jsonapi.js +3 -3
package/lib/jtd.js +2 -2
package/lib/link-header.js +1 -1
package/lib/local-db-thin.js +1 -1
package/lib/log.js +1 -1
package/lib/lro.js +4 -4
package/lib/mail-agent.js +1 -1
package/lib/mail-arc-sign.js +6 -6
package/lib/mail-auth.js +43 -43
package/lib/mail-bimi.js +3 -3
package/lib/mail-crypto-pgp.js +31 -31
package/lib/mail-crypto-smime.js +5 -5
package/lib/mail-dav.js +1 -1
package/lib/mail-deploy.js +39 -39
package/lib/mail-dkim.js +11 -11
package/lib/mail-greylist.js +12 -12
package/lib/mail-helo.js +1 -1
package/lib/mail-journal.js +8 -8
package/lib/mail-rbl.js +7 -7
package/lib/mail-scan.js +7 -7
package/lib/mail-send-deliver.js +2 -2
package/lib/mail-server-imap.js +12 -12
package/lib/mail-server-jmap.js +16 -16
package/lib/mail-server-managesieve.js +4 -4
package/lib/mail-server-mx.js +17 -17
package/lib/mail-server-pop3.js +4 -4
package/lib/mail-server-rate-limit.js +2 -2
package/lib/mail-server-submission.js +21 -21
package/lib/mail-sieve.js +2 -2
package/lib/mail-spam-score.js +5 -5
package/lib/mail-srs.js +12 -12
package/lib/mail-store-fts.js +2 -2
package/lib/mail-store.js +8 -8
package/lib/mail-unsubscribe.js +4 -4
package/lib/mail.js +4 -4
package/lib/mcp-tool-registry.js +4 -4
package/lib/mcp.js +8 -8
package/lib/mdoc.js +2 -2
package/lib/metrics.js +8 -8
package/lib/middleware/age-gate.js +1 -1
package/lib/middleware/api-encrypt.js +7 -7
package/lib/middleware/assetlinks.js +2 -2
package/lib/middleware/asyncapi-serve.js +2 -2
package/lib/middleware/bearer-auth.js +5 -5
package/lib/middleware/body-parser.js +5 -5
package/lib/middleware/compose-pipeline.js +15 -15
package/lib/middleware/csp-report.js +4 -4
package/lib/middleware/daily-byte-quota.js +1 -1
package/lib/middleware/dpop.js +1 -1
package/lib/middleware/headers.js +2 -2
package/lib/middleware/host-allowlist.js +1 -1
package/lib/middleware/idempotency-key.js +12 -12
package/lib/middleware/nel.js +1 -1
package/lib/middleware/openapi-serve.js +2 -2
package/lib/middleware/protected-resource-metadata.js +2 -2
package/lib/middleware/require-aal.js +1 -1
package/lib/middleware/require-bound-key.js +2 -2
package/lib/middleware/require-content-type.js +1 -1
package/lib/middleware/require-methods.js +1 -1
package/lib/middleware/require-step-up.js +2 -2
package/lib/middleware/scim-server.js +1 -1
package/lib/middleware/security-txt.js +3 -3
package/lib/middleware/tus-upload.js +12 -12
package/lib/middleware/web-app-manifest.js +2 -2
package/lib/network-byte-quota.js +1 -1
package/lib/network-dns-resolver.js +23 -23
package/lib/network-dns.js +29 -29
package/lib/network-dnssec.js +33 -33
package/lib/network-smtp-policy.js +10 -10
package/lib/network-tls.js +87 -87
package/lib/network-tsig.js +33 -33
package/lib/nis2-report.js +1 -1
package/lib/ntp-check.js +3 -3
package/lib/observability-otlp-exporter.js +17 -17
package/lib/observability-tracer.js +6 -6
package/lib/observability.js +8 -8
package/lib/openapi-yaml.js +1 -1
package/lib/openapi.js +1 -1
package/lib/outbox.js +6 -6
package/lib/pqc-agent.js +4 -4
package/lib/pqc-software.js +1 -1
package/lib/privacy-pass.js +5 -5
package/lib/problem-details.js +5 -5
package/lib/promise-pool.js +1 -1
package/lib/protobuf-encoder.js +1 -1
package/lib/redact.js +2 -2
package/lib/request-helpers.js +1 -1
package/lib/router.js +10 -10
package/lib/safe-async.js +2 -2
package/lib/safe-dns.js +71 -71
package/lib/safe-ical.js +19 -19
package/lib/safe-icap.js +24 -24
package/lib/safe-jsonpath.js +2 -2
package/lib/safe-mime.js +10 -10
package/lib/safe-mount-info.js +3 -3
package/lib/safe-redirect.js +1 -1
package/lib/safe-sieve.js +23 -23
package/lib/safe-smtp.js +1 -1
package/lib/safe-vcard.js +14 -14
package/lib/sandbox.js +5 -5
package/lib/sec-cyber.js +1 -1
package/lib/self-update-standalone-verifier.js +3 -3
package/lib/self-update.js +3 -3
package/lib/server-timing.js +3 -3
package/lib/session-device-binding.js +7 -7
package/lib/session.js +8 -8
package/lib/standard-webhooks.js +4 -4
package/lib/storage.js +2 -2
package/lib/stream-throttle.js +1 -1
package/lib/structured-fields.js +15 -15
package/lib/subject.js +1 -1
package/lib/tcpa-10dlc.js +1 -1
package/lib/tenant-quota.js +3 -3
package/lib/test-harness.js +1 -1
package/lib/tracing.js +1 -1
package/lib/tsa.js +5 -5
package/lib/uri-template.js +5 -5
package/lib/vault/index.js +2 -2
package/lib/vault/seal-pem-file.js +4 -4
package/lib/vc.js +2 -2
package/lib/vendor-data.js +1 -1
package/lib/watcher.js +4 -4
package/lib/web-push-vapid.js +21 -21
package/lib/webhook.js +2 -2
package/lib/websocket.js +3 -3
package/lib/worker-pool.js +3 -3
package/lib/ws-client.js +24 -24
package/lib/xml-c14n.js +2 -2
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/mail-store.js CHANGED Viewed

@@ -275,7 +275,7 @@ function create(opts) {
       var f = filter || {};
       var sinceModseq = f.sinceModseq || 0;
       var limit = f.limit || 100;
-      if (limit > 1000) limit = 1000;                                                                  // allow:raw-byte-literal — query row cap, not bytes
+      if (limit > 1000) limit = 1000;                                                                  // query row cap, not bytes
       var matchClauses = [];
       function addMatch(filterKey, term) {
@@ -342,7 +342,7 @@ function create(opts) {
           "queryByModseq: folder '" + folderName + "' not found");
       }
       var sinceModseq = (queryOpts && queryOpts.sinceModseq) || 0;
-      var limit = (queryOpts && queryOpts.limit) || 1000;                                          // allow:raw-byte-literal — query row cap, not bytes
+      var limit = (queryOpts && queryOpts.limit) || 1000;                                          // query row cap, not bytes
       var rows = stmtQueryByModseq.all(folder.id, sinceModseq, limit);
       return rows.map(function (r) {
         return {
@@ -373,7 +373,7 @@ function create(opts) {
       var fo = folderOpts || {};
       var role = fo.role || null;
       var parentId = fo.parentId || null;
-      var uidvalidity = Math.floor(Date.now() / 1000);                                              // allow:raw-byte-literal — Unix timestamp, not bytes
+      var uidvalidity = Math.floor(Date.now() / 1000);                                              // Unix timestamp, not bytes
       stmtInsertFolder.run(name, role, parentId, uidvalidity);
       return stmtGetFolderByName.get(name);
     },
@@ -406,7 +406,7 @@ function create(opts) {
       });
     },
     setLegalHold:     function (objectids, holdOpts) {
-      var hold = (holdOpts && holdOpts.hold) ? 1 : 0;                                              // allow:raw-byte-literal — boolean cast for sqlite INTEGER column
+      var hold = (holdOpts && holdOpts.hold) ? 1 : 0;                                              // boolean cast for sqlite INTEGER column
       objectids.forEach(function (oid) { stmtLegalHold.run(hold, oid); });
       return { changed: objectids.length };
     },
@@ -591,7 +591,7 @@ function _appendMessage(args) {
   // token = 32-char hex = 128 bits, well above the birthday bound
   // for any plausible message corpus. The prior `.slice(0, 24)` cut
   // entropy to 96 bits; removed.
-  var objectid = "obj_" + bCrypto.generateToken(16);                                                // allow:raw-byte-literal — 16-byte token, 32-char hex JMAP objectid (RFC 8474 §1.5.1)
+  var objectid = "obj_" + bCrypto.generateToken(16);                                                // 16-byte token, 32-char hex JMAP objectid (RFC 8474 §1.5.1)
   var modseq = (folder.modseq_max || 0) + 1;
   if (!threadRootId) threadRootId = objectid;   // root of new thread
@@ -675,7 +675,7 @@ function _fetchByObjectId(args) {
     bodyText:       unsealed.body_text,
     bodyHtml:       unsealed.body_html,
     flags:          flags,
-    legalHold:      row.legal_hold === 1,                                                            // allow:raw-byte-literal — sqlite INTEGER column 0|1
+    legalHold:      row.legal_hold === 1,                                                            // sqlite INTEGER column 0|1
   };
 }
@@ -763,7 +763,7 @@ function _setFlags(args) {
     // which both leaks a prepared-statement handle per chunk and
     // doubles the SQL parse cost. Hold the stmt on a local + invoke
     // .run() directly with the bound argument list.
-    var CHUNK = 500;                                                                               // allow:raw-byte-literal — IN-clause chunk size, not bytes
+    var CHUNK = 500;                                                                               // IN-clause chunk size, not bytes
     for (var i = 0; i < args.objectids.length; i += CHUNK) {
       var chunk = args.objectids.slice(i, i + CHUNK);
       var placeholders = chunk.map(function () { return "?"; }).join(",");
@@ -915,7 +915,7 @@ function _ensureSchema(db, qMsgs, qFolders, qFlags, qQuota, qFts) {
 function _ensureDefaultFolders(db, qFolders) {
   var stmt = db.prepare("INSERT OR IGNORE INTO " + qFolders +
     " (name, role, parent_id, modseq_max, uidvalidity) VALUES (?, ?, NULL, 0, ?)");
-  var uv = Math.floor(Date.now() / 1000);                                                          // allow:raw-byte-literal — Unix timestamp, not bytes
+  var uv = Math.floor(Date.now() / 1000);                                                          // Unix timestamp, not bytes
   DEFAULT_FOLDERS.forEach(function (f) { stmt.run(f.name, f.role, uv); });
 }

package/lib/mail-unsubscribe.js CHANGED Viewed

@@ -75,7 +75,7 @@ var HEADER_VALUE_MAX_BYTES = C.BYTES.kib(2);
 function _isLdhListLabel(label) {
   if (typeof label !== "string" || label.length === 0) return false;
   // RFC 1035 §2.3.4 — labels bounded at 63 octets.
-  if (label.length > 63) return false;                                           // allow:raw-byte-literal — RFC 1035 §2.3.4 hostname-label limit
+  if (label.length > 63) return false;                                           // RFC 1035 §2.3.4 hostname-label limit
   var n = label.length;
   for (var i = 0; i < n; i += 1) {
     var c = label.charCodeAt(i);
@@ -108,7 +108,7 @@ function _validateListId(value, label) {
   if (bracket) inner = bracket[1];
   // Inner is dot-separated labels; each label LDH per RFC 2919 §3.
   var labels = inner.split(".");
-  if (labels.length < 2) {                                                                                // allow:raw-byte-literal — RFC 2919 §3 requires >= 2 labels
+  if (labels.length < 2) {                                                                                // RFC 2919 §3 requires >= 2 labels
     throw new MailUnsubscribeError("mailunsubscribe/invalid-list-header-shape",
       label + " '" + value + "' must contain at least two dot-separated labels (RFC 2919 §3)");
   }
@@ -144,13 +144,13 @@ function _validateHttpsUrl(value, label) {
   } catch (e) {
     throw new MailUnsubscribeError("mailunsubscribe/invalid-list-header-shape",
       label + " must be a valid https URL (got " +
-      JSON.stringify(value).slice(0, 200) + "): " +                                                               // allow:raw-byte-literal — diagnostic clamp characters
+      JSON.stringify(value).slice(0, 200) + "): " +                                                               // diagnostic clamp characters
       ((e && e.message) || String(e)));
   }
   if (!parsed) {
     throw new MailUnsubscribeError("mailunsubscribe/invalid-list-header-shape",
       label + " must be a valid https URL (got " +
-      JSON.stringify(value).slice(0, 200) + ")");                                                                 // allow:raw-byte-literal — diagnostic clamp characters
+      JSON.stringify(value).slice(0, 200) + ")");                                                                 // diagnostic clamp characters
   }
   return parsed.href;
 }

package/lib/mail.js CHANGED Viewed

@@ -1003,7 +1003,7 @@ function _smtpSend(message, cfg) {
     var peerSupportsSmtpUtf8 = false;     // RFC 6531 — set from EHLO response
     var peerSupportsChunking = false;     // RFC 3030 §2 CHUNKING
     var peerSupportsBinaryMime = false;   // RFC 3030 §3 BINARYMIME
-    var peerSupports8BitMime = false;     // RFC 6152 (eight-bit MIME)                                            // allow:raw-byte-literal — RFC number, not a byte literal
+    var peerSupports8BitMime = false;     // RFC 6152 (eight-bit MIME)                                            // RFC number, not a byte literal
     var peerSizeCap = -1;                 // RFC 1870 SIZE — -1 unset, 0 = no cap, >0 = byte limit
     var upgradedToTLS = false;
     var settled = false;
@@ -1688,7 +1688,7 @@ function create(opts) {
     if (country && footerHtml.indexOf(country) === -1) {
       throw new MailError("mail/bad-footer-html",
         "mail.create({ footerHtml }): override must contain the postalAddress.country '" +
-        country + "' (CAN-SPAM §7704(a)(5)). Got: " + footerHtml.slice(0, 200),                                   // allow:raw-byte-literal — diagnostic clamp characters, not bytes
+        country + "' (CAN-SPAM §7704(a)(5)). Got: " + footerHtml.slice(0, 200),                                   // diagnostic clamp characters, not bytes
         true);
     }
     if (postalCode && footerHtml.indexOf(postalCode) === -1) {
@@ -1896,7 +1896,7 @@ function feedbackId(opts) {
       throw new MailError("mail/bad-feedback-id-field",
         "feedbackId: " + f.key + " must be a non-empty string");
     }
-    if (f.value.length > 64) {                                                                     // allow:raw-byte-literal — Gmail FBL per-field cap, not byte arithmetic
+    if (f.value.length > 64) {                                                                     // Gmail FBL per-field cap, not byte arithmetic
       throw new MailError("mail/bad-feedback-id-field",
         "feedbackId: " + f.key + " exceeds 64 chars (Gmail FBL truncation threshold)");
     }
@@ -1909,7 +1909,7 @@ function feedbackId(opts) {
     // ranges in regex literals regardless of escape form.
     for (var ci = 0; ci < f.value.length; ci += 1) {
       var code = f.value.charCodeAt(ci);
-      if (code < 32 || code === 127) {                                                             // allow:raw-byte-literal — C0 + DEL codepoint range
+      if (code < 32 || code === 127) {                                                             // C0 + DEL codepoint range
         throw new MailError("mail/bad-feedback-id-field",
           "feedbackId: " + f.key + " contains control characters");
       }

package/lib/mcp-tool-registry.js CHANGED Viewed

@@ -114,7 +114,7 @@ function _validateTool(tool, where) {
       where + ": tool must be a non-null object", true);
   }
   validateOpts.requireNonEmptyString(tool.name, where + ".name", McpError, "mcp/bad-tool-name");
-  if (tool.name.length > 64 || !TOOL_NAME_RE.test(tool.name)) {                                    // allow:raw-byte-literal — MCP tool-name length cap, not byte count
+  if (tool.name.length > 64 || !TOOL_NAME_RE.test(tool.name)) {                                    // MCP tool-name length cap, not byte count
     throw new McpError("mcp/bad-tool-name",
       where + ".name '" + tool.name + "' must match " + TOOL_NAME_RE);
   }
@@ -185,7 +185,7 @@ function create(opts) {
     opts.verifyingKey, "toolRegistry.create.verifyingKey", McpError, "mcp/bad-verifying-key");
   var alg = _validateAlg(opts.alg, "toolRegistry.create.alg");
   var defaultTtlMs = opts.ttlMs !== undefined ? opts.ttlMs : C.TIME.minutes(5);
-  if (typeof defaultTtlMs !== "number" || !isFinite(defaultTtlMs) || defaultTtlMs < 1000) {        // allow:raw-byte-literal — minimum-ttl threshold (1 second), not bytes
+  if (typeof defaultTtlMs !== "number" || !isFinite(defaultTtlMs) || defaultTtlMs < 1000) {        // minimum-ttl threshold (1 second), not bytes
     throw new McpError("mcp/bad-ttl",
       "toolRegistry.create.ttlMs must be >= 1000 ms", true);
   }
@@ -303,13 +303,13 @@ function create(opts) {
         "signCall: tool '" + callOpts.toolName + "' not registered", true);
     }
     var ttlMs = callOpts.ttlMs !== undefined ? callOpts.ttlMs : defaultTtlMs;
-    if (typeof ttlMs !== "number" || !isFinite(ttlMs) || ttlMs < 1000) {                          // allow:raw-byte-literal — minimum-ttl threshold (1 second), not bytes
+    if (typeof ttlMs !== "number" || !isFinite(ttlMs) || ttlMs < 1000) {                          // minimum-ttl threshold (1 second), not bytes
       throw new McpError("mcp/bad-ttl",
         "signCall: ttlMs must be >= 1000 ms", true);
     }
     var nonce = typeof callOpts.nonce === "string" && callOpts.nonce.length > 0
       ? callOpts.nonce
-      : bCrypto().generateToken(16);                                                                // allow:raw-byte-literal — 128-bit nonce, not byte arithmetic on a payload
+      : bCrypto().generateToken(16);                                                                // 128-bit nonce, not byte arithmetic on a payload
     var iat = new Date();
     var exp = new Date(iat.getTime() + ttlMs);
     var envelope = {

package/lib/mcp.js CHANGED Viewed

@@ -39,9 +39,9 @@ var requestHelpers = require("./request-helpers");
 var audit = require("./audit");
 var { McpError } = require("./framework-error");
-var TOOL_NAME_MAX     = 64;                                                                  // allow:raw-byte-literal — string-length cap, not bytes
-var RESOURCE_NAME_MAX = 256;                                                                 // allow:raw-byte-literal — string-length cap, not bytes
-var METHOD_NAME_MAX   = 256;                                                                 // allow:raw-byte-literal — string-length cap, not bytes
+var TOOL_NAME_MAX     = 64;                                                                  // string-length cap, not bytes
+var RESOURCE_NAME_MAX = 256;                                                                 // string-length cap, not bytes
+var METHOD_NAME_MAX   = 256;                                                                 // string-length cap, not bytes
 // JSON-RPC 2.0 error codes (https://www.jsonrpc.org/specification#error_object).
 // Negative numerics by spec; mapped to HTTP status for the framework's
 // HTTP-shaped reply envelope.
@@ -143,9 +143,9 @@ function refuse(res, code, message, id) {
     res.setHeader("Content-Type", "application/json");
   }
   // HTTP status mapping for the JSON-RPC error code we reply with.
-  res.statusCode = code === JSONRPC_PARSE_ERROR || code === JSONRPC_INVALID_REQUEST ? 400 :  // allow:raw-byte-literal — HTTP status code (RFC 9110)
-                   code === JSONRPC_METHOD_NOT_FOUND ? 404 :                                  // allow:raw-byte-literal — HTTP status code (RFC 9110)
-                   code === JSONRPC_INTERNAL_ERROR ? 500 : 400;                              // allow:raw-byte-literal — HTTP status code (RFC 9110)
+  res.statusCode = code === JSONRPC_PARSE_ERROR || code === JSONRPC_INVALID_REQUEST ? 400 :  // HTTP status code (RFC 9110)
+                   code === JSONRPC_METHOD_NOT_FOUND ? 404 :                                  // HTTP status code (RFC 9110)
+                   code === JSONRPC_INTERNAL_ERROR ? 500 : 400;                              // HTTP status code (RFC 9110)
   res.end(body);
 }
@@ -617,7 +617,7 @@ function _validateValueAgainstSchema(value, schema, path) {
       // time, not request-controlled. Cap value length first per the
       // codebase-patterns regex-bound rule so a 10MB string doesn't
       // ReDoS the validator.
-      if (value.length > 4096) return path + ": value exceeds 4 KiB cap before regex test";    // allow:raw-byte-literal — 4 KiB regex-input cap
+      if (value.length > 4096) return path + ": value exceeds 4 KiB cap before regex test";    // 4 KiB regex-input cap
       try {
         var pat = new RegExp(schema.pattern);                                                    // allow:dynamic-regex — schema.pattern from registered tool author, not request input; bounded above
         if (!pat.test(value)) return path + ": does not match pattern";
@@ -752,7 +752,7 @@ function _assertProtocolVersion(req, opts) {
 var SAMPLING_DEFAULTS = {
   maxRequestsPerSession:   10,
   maxMessagesPerRequest:   20,
-  maxTokensPerRequest:     4096,                  // allow:raw-byte-literal — LLM token count, not bytes
+  maxTokensPerRequest:     4096,                  // LLM token count, not bytes
   allowedModelHint:        null,    // null = allow all
   refuseStopSequences:     false,
 };

package/lib/mdoc.js CHANGED Viewed

@@ -58,8 +58,8 @@ var { defineClass } = require("./framework-error");
 var MdocError = defineClass("MdocError", { alwaysPermanent: true });
-var HDR_X5CHAIN = 33;                                  // allow:raw-byte-literal allow:raw-time-literal — x5chain COSE header label (RFC 9360 is a spec number, not a size/duration)
-var TAG_ENCODED_CBOR = 24;                             // allow:raw-byte-literal — RFC 8949 §3.4.5.1 embedded-CBOR tag
+var HDR_X5CHAIN = 33;                                  // allow:raw-time-literal — x5chain COSE header label (RFC 9360 is a spec number, not a size/duration)
+var TAG_ENCODED_CBOR = 24;                             // RFC 8949 §3.4.5.1 embedded-CBOR tag
 // Tags ISO 18013-5 uses in issuer data: tdate(0), epoch(1), embedded
 // CBOR(24), full-date(1004, RFC 8943). Bounded — others are refused.
 var ALLOWED_TAGS = [0, 1, TAG_ENCODED_CBOR, 1004];

package/lib/metrics.js CHANGED Viewed

@@ -161,8 +161,8 @@ function _normalizeLabelArg(callLabels, value, defaultValue) {
 //     a heuristic fallback so unknown-issuer tokens still get caught
 var _CRED_PREFIX_RE = /^(?:Bearer|Basic|Negotiate|Token|Digest)\s+\S/i;
 var _CRED_ISSUER_RE = /^(?:sk-|pk-|rk-|ghp_|ghs_|gho_|github_pat_|xoxb-|xoxa-|xoxp-|xoxr-|xapp-)/;
-var _CRED_JWT_RE    = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;                   // allow:raw-byte-literal — JWT segment min length
-var _CRED_ENTROPY_RE = /^[A-Za-z0-9_+/=-]{40,}$/;                                                    // allow:raw-byte-literal — high-entropy length floor
+var _CRED_JWT_RE    = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;                   // JWT segment min length
+var _CRED_ENTROPY_RE = /^[A-Za-z0-9_+/=-]{40,}$/;                                                    // high-entropy length floor
 // CRED_MAX_SCAN — upper bound on the byte slice the credential
 // detector inspects. Operator-supplied label values longer than this
@@ -170,11 +170,11 @@ var _CRED_ENTROPY_RE = /^[A-Za-z0-9_+/=-]{40,}$/;
 // still a credential), but the regex tests run on the prefix slice so
 // a 1 GB string can't ReDoS the scanner. Counter cardinality stays
 // stable: the same long string always maps to the same prefix slice.
-var CRED_MAX_SCAN = 256;                                                                             // allow:raw-byte-literal — prefix-scan length cap
+var CRED_MAX_SCAN = 256;                                                                             // prefix-scan length cap
 function _looksLikeCredential(str) {
   if (typeof str !== "string") return false;
-  if (str.length < 8) return false;                                                                  // allow:raw-byte-literal — minimum credential length floor
+  if (str.length < 8) return false;                                                                  // minimum credential length floor
   // Clamp to the prefix slice so a hostile label value can't push the
   // regex into superlinear time. All four credential shapes have
   // signature in the first ~256 bytes; Stripe / GitHub / OpenAI tokens
@@ -185,7 +185,7 @@ function _looksLikeCredential(str) {
   // enough entropy to be real tokens; hoisted to a named constant so
   // every test() has its length floor visible at the call site
   // (testFormatValidatorLengthCap convention).
-  var CRED_MIN_LEN = 8;                                                                              // allow:raw-byte-literal — minimum credential length floor
+  var CRED_MIN_LEN = 8;                                                                              // minimum credential length floor
   if (clamped.length >= CRED_MIN_LEN && _CRED_PREFIX_RE.test(clamped)) return true;
   if (clamped.length >= CRED_MIN_LEN && _CRED_ISSUER_RE.test(clamped)) return true;
   if (clamped.length >= CRED_MIN_LEN && _CRED_JWT_RE.test(clamped)) return true;
@@ -990,7 +990,7 @@ function snapshotStartWriter(opts) {
   // (owner rw, group r, world none). Operators with a sidecar
   // reader in a different group override to 0o644; multi-tenant
   // hosts may even tighten to 0o600.
-  var fileMode = opts.fileMode !== undefined ? opts.fileMode : 0o640;                                // allow:raw-byte-literal — POSIX file mode octal
+  var fileMode = opts.fileMode !== undefined ? opts.fileMode : 0o640;                                // POSIX file mode octal
   if (typeof fileMode !== "number" || !isFinite(fileMode) ||
       fileMode < 0 || fileMode > 0o777 || Math.floor(fileMode) !== fileMode) {
     throw new MetricsError("metrics-snapshot/bad-file-mode",
@@ -1263,7 +1263,7 @@ function snapshotRender(snap, opts) {
       var kd = keys2[jd];
       var vd = fields[kd];
       if (typeof vd !== "string") continue;
-      if (vd.length > 64) continue;                                                                  // allow:raw-byte-literal — ISO 8601 max length cap, not bytes
+      if (vd.length > 64) continue;                                                                  // ISO 8601 max length cap, not bytes
       if (!ISO_DATE_RE.test(vd)) continue;                                                           // allow:regex-no-length-cap — length-bounded immediately above
       if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(kd)) continue;                                            // allow:regex-no-length-cap — field-name shape, length-bounded by snap field naming
       var ms = Date.parse(vd);
@@ -1311,7 +1311,7 @@ function snapshotRender(snap, opts) {
  *   shadow.set("queue_depth", 42);
  *   shadow.snapshot();
  */
-var SHADOW_DEFAULT_CARDINALITY = 10000;                                                              // allow:raw-byte-literal — cardinality cap, not bytes
+var SHADOW_DEFAULT_CARDINALITY = 10000;                                                              // cardinality cap, not bytes
 function shadowRegistry(opts) {
   if (!opts || typeof opts !== "object") {
     throw new MetricsError("metrics-shadow/bad-opts",

package/lib/middleware/age-gate.js CHANGED Viewed

@@ -169,7 +169,7 @@ function create(opts) {
       if (!hasConsent) {
         _emitAudit("refused", "denied", { age: age, classification: classification, requireAge: requireAge });
         if (!res.writableEnded && typeof res.writeHead === "function") {
-          res.writeHead(451, {                                                            // allow:raw-byte-literal — HTTP 451 Unavailable For Legal Reasons
+          res.writeHead(451, {                                                            // HTTP 451 Unavailable For Legal Reasons
             "Content-Type":  "application/json; charset=utf-8",
             "Cache-Control": "no-store, private",
           });

package/lib/middleware/api-encrypt.js CHANGED Viewed

@@ -855,18 +855,18 @@ function client(opts) {
 // _generateUuidV4 — UUID v4 from 16 random bytes, formatted dash-separated.
 // Used for client-side session-id generation in per-session keying.
 // Slice offsets are RFC 4122 UUID hex-byte boundaries (`xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx`)
-// — protocol-fixed values, not byte sizes. allow:raw-byte-literal
+// — protocol-fixed values, not byte sizes.
 function _generateUuidV4() {
-  var b = bCrypto.generateBytes(16);                     // allow:raw-byte-literal — UUID is exactly 16 bytes
+  var b = bCrypto.generateBytes(16);                     // UUID is exactly 16 bytes
   // Set version (4) and variant (10x) bits per RFC 4122.
   b[6] = (b[6] & 0x0f) | 0x40;
   b[8] = (b[8] & 0x3f) | 0x80;
   var hex = b.toString("hex");
-  return hex.slice(0, 8) + "-" +                        // allow:raw-byte-literal — RFC 4122 hex offsets
-         hex.slice(8, 12) + "-" +                       // allow:raw-byte-literal
-         hex.slice(12, 16) + "-" +                      // allow:raw-byte-literal
-         hex.slice(16, 20) + "-" +                      // allow:raw-byte-literal
-         hex.slice(20, 32);                             // allow:raw-byte-literal
+  return hex.slice(0, 8) + "-" +                        // RFC 4122 hex offsets
+         hex.slice(8, 12) + "-" +
+         hex.slice(12, 16) + "-" +
+         hex.slice(16, 20) + "-" +
+         hex.slice(20, 32);
 }
 // ---- Server-to-server convenience ----

package/lib/middleware/assetlinks.js CHANGED Viewed

@@ -109,7 +109,7 @@ function create(opts) {
     if (path !== "/.well-known/assetlinks.json") return next();
     if (req.method !== "GET" && req.method !== "HEAD") {
       var bodyMsg = "Method Not Allowed";
-      res.writeHead(405, {                                                       // allow:raw-byte-literal — HTTP 405 status
+      res.writeHead(405, {                                                       // HTTP 405 status
         "Allow":          "GET, HEAD",
         "Content-Type":   "text/plain; charset=utf-8",
         "Content-Length": Buffer.byteLength(bodyMsg),
@@ -117,7 +117,7 @@ function create(opts) {
       res.end(bodyMsg);
       return;
     }
-    res.writeHead(200, {                                                         // allow:raw-byte-literal — HTTP 200 status
+    res.writeHead(200, {                                                         // HTTP 200 status
       "Content-Type":     "application/json; charset=utf-8",
       "Content-Length":   bodyBuf.length,
       "Cache-Control":    "public, max-age=86400",

package/lib/middleware/asyncapi-serve.js CHANGED Viewed

@@ -107,7 +107,7 @@ function create(opts) {
   function _writeBody(req, res, body, etag, contentType) {
     var requestEtag = (req.headers && req.headers["if-none-match"]) || null;
     if (requestEtag && requestEtag === etag) {
-      res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl });           // allow:raw-byte-literal — HTTP 304
+      res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl });           // HTTP 304
       res.end();
       return;
     }
@@ -120,7 +120,7 @@ function create(opts) {
     if (accessControl === "public") {
       headers["Access-Control-Allow-Origin"] = "*";
     }
-    res.writeHead(200, headers);                                                     // allow:raw-byte-literal — HTTP 200
+    res.writeHead(200, headers);                                                     // HTTP 200
     res.end(body);
   }

package/lib/middleware/bearer-auth.js CHANGED Viewed

@@ -46,7 +46,7 @@ function _writeUnauthorized(res, scheme, message, realm) {
   if (res.headersSent) return;
   var body = JSON.stringify({ error: message });
   var challenge = scheme + (realm ? ' realm="' + realm + '"' : "");
-  res.writeHead(401, {                                                           // allow:raw-byte-literal — HTTP 401 status
+  res.writeHead(401, {                                                           // HTTP 401 status
     "Content-Type":     "application/json; charset=utf-8",
     "Content-Length":   Buffer.byteLength(body),
     "WWW-Authenticate": challenge,
@@ -146,7 +146,7 @@ function create(opts) {
     }
     for (var ri = 0; ri < realm.length; ri += 1) {
       var rcode = realm.charCodeAt(ri);
-      if (rcode < 32 || rcode === 127) {                                  // allow:raw-byte-literal — ASCII control codepoints
+      if (rcode < 32 || rcode === 127) {                                  // ASCII control codepoints
         throw new AuthError("auth-bearer/bad-realm",
           "realm contains control character at index " + ri);
       }
@@ -198,7 +198,7 @@ function create(opts) {
         var malformedChallenge = scheme + ' error="invalid_request"' +
           (realm ? ', realm="' + realm + '"' : "");
         var malformedBody = JSON.stringify({ error: errorMessage });
-        res.writeHead(401, {                                                     // allow:raw-byte-literal — HTTP 401 status
+        res.writeHead(401, {                                                     // HTTP 401 status
           "Content-Type":     "application/json; charset=utf-8",
           "Content-Length":   Buffer.byteLength(malformedBody),
           "WWW-Authenticate": malformedChallenge,
@@ -222,7 +222,7 @@ function create(opts) {
         (realm ? ', realm="' + realm + '"' : "");
       if (!res.headersSent) {
         var body = JSON.stringify({ error: errorMessage });
-        res.writeHead(401, {                                                     // allow:raw-byte-literal — HTTP 401 status
+        res.writeHead(401, {                                                     // HTTP 401 status
           "Content-Type":     "application/json; charset=utf-8",
           "Content-Length":   Buffer.byteLength(body),
           "WWW-Authenticate": challenge,
@@ -264,7 +264,7 @@ function create(opts) {
             error: "insufficient_scope",
             required: opts.requiredScopes.slice(),
           });
-          res.writeHead(403, {                                                     // allow:raw-byte-literal — HTTP 403 status
+          res.writeHead(403, {                                                     // HTTP 403 status
             "Content-Type":     "application/json; charset=utf-8",
             "Content-Length":   Buffer.byteLength(scopeBody),
             "WWW-Authenticate": scopeChallenge,

package/lib/middleware/body-parser.js CHANGED Viewed

@@ -574,7 +574,7 @@ function _parseMultipartHeaders(rawHeaders) {
     var line = lines[i];
     if (!line) continue;
     var first = line.charCodeAt(0);
-    if (first === 32 || first === 9) {                                            // allow:raw-byte-literal — SP/HTAB obs-fold sentinels
+    if (first === 32 || first === 9) {                                            // SP/HTAB obs-fold sentinels
       throw new BodyParserError(
         "body-parser/multipart-obs-fold",
         "multipart part header uses obsolete line folding (RFC 9112 §5.2)",
@@ -587,7 +587,7 @@ function _parseMultipartHeaders(rawHeaders) {
     var v = line.slice(idx + 1).trim();
     for (var j = 0; j < v.length; j++) {
       var c = v.charCodeAt(j);
-      if (c === 0 || c === 10 || c === 13) {                                      // allow:raw-byte-literal — NUL/LF/CR forbidden in field-value (RFC 9110 §5.5)
+      if (c === 0 || c === 10 || c === 13) {                                      // NUL/LF/CR forbidden in field-value (RFC 9110 §5.5)
         throw new BodyParserError(
           "body-parser/multipart-bad-header-value",
           "multipart part header `" + k + "` contains CR/LF/NUL (RFC 9110 §5.5)",
@@ -674,8 +674,8 @@ async function _parseMultipart(req, opts, ctParams) {
   // newlines) drive quadratic match cost in scanners. Refuse at
   // the parse boundary so the rest of the engine doesn't have to
   // defend against them.
-  if (boundary.length > 70 ||                                                                  // allow:raw-byte-literal — RFC 2046 §5.1.1 boundary length cap
-      !/^[A-Za-z0-9'()+_,\-./:=?]{1,70}$/.test(boundary)) {                                   // allow:raw-byte-literal — RFC 2046 §5.1.1 bchars + cap
+  if (boundary.length > 70 ||                                                                  // RFC 2046 §5.1.1 boundary length cap
+      !/^[A-Za-z0-9'()+_,\-./:=?]{1,70}$/.test(boundary)) {                                   // RFC 2046 §5.1.1 bchars + cap
     throw new BodyParserError(
       "body-parser/multipart-bad-boundary",
       "multipart boundary violates RFC 2046 §5.1.1 (1-70 chars, bcharsnospace grammar)",
@@ -1353,7 +1353,7 @@ function create(opts) {
             outcome: "denied",
             metadata: {
               code:    e.code || null,
-              message: (e && e.message) ? String(e.message).slice(0, 256) : "",                                  // allow:raw-byte-literal — diagnostic-message clamp characters, not bytes
+              message: (e && e.message) ? String(e.message).slice(0, 256) : "",                                  // diagnostic-message clamp characters, not bytes
             },
           });
         } catch (_e) { /* audit best-effort */ }

package/lib/middleware/compose-pipeline.js CHANGED Viewed

@@ -85,20 +85,20 @@ var ComposePipelineError = defineClass("ComposePipelineError", { alwaysPermanent
 //   60-89 : application handlers
 //   >= 90 : error-handler (must be last; trailing catch)
 var CANONICAL_POSITIONS = Object.freeze({
-  requestId:     5,                                                                                       // allow:raw-byte-literal — canonical position bucket
-  apiEncrypt:    10,                                                                                      // allow:raw-byte-literal — canonical position bucket
-  bodyParser:    20,                                                                                      // allow:raw-byte-literal — canonical position bucket
-  cspNonce:      22,                                                                                      // allow:raw-byte-literal — canonical position bucket
-  securityHeaders: 25,                                                                                    // allow:raw-byte-literal — canonical position bucket
-  csrf:          30,                                                                                      // allow:raw-byte-literal — canonical position bucket
-  idempotency:   30,                                                                                      // allow:raw-byte-literal — canonical position bucket (same as csrf)
-  fetchMetadata: 32,                                                                                      // allow:raw-byte-literal — canonical position bucket
-  rateLimit:     40,                                                                                      // allow:raw-byte-literal — canonical position bucket
-  botGuard:      42,                                                                                      // allow:raw-byte-literal — canonical position bucket
-  requireAuth:   50,                                                                                      // allow:raw-byte-literal — canonical position bucket
-  attachUser:    52,                                                                                      // allow:raw-byte-literal — canonical position bucket
+  requestId:     5,                                                                                       // canonical position bucket
+  apiEncrypt:    10,                                                                                      // canonical position bucket
+  bodyParser:    20,                                                                                      // canonical position bucket
+  cspNonce:      22,                                                                                      // canonical position bucket
+  securityHeaders: 25,                                                                                    // canonical position bucket
+  csrf:          30,                                                                                      // canonical position bucket
+  idempotency:   30,                                                                                      // canonical position bucket (same as csrf)
+  fetchMetadata: 32,                                                                                      // canonical position bucket
+  rateLimit:     40,                                                                                      // canonical position bucket
+  botGuard:      42,                                                                                      // canonical position bucket
+  requireAuth:   50,                                                                                      // canonical position bucket
+  attachUser:    52,                                                                                      // canonical position bucket
   handler:       60,                                                                                      // allow:raw-byte-literal — canonical position bucket // allow:raw-time-literal — pipeline position int, not seconds
-  errorHandler:  90,                                                                                      // allow:raw-byte-literal — canonical position bucket
+  errorHandler:  90,                                                                                      // canonical position bucket
 });
 /**
@@ -154,7 +154,7 @@ function composePipeline(entries, opts) {
       throw new ComposePipelineError("compose-pipeline/bad-entry",
         "composePipeline: entry at index " + i + " must be an object");
     }
-    if (typeof e.name !== "string" || e.name.length === 0 || e.name.length > 64) {                       // allow:raw-byte-literal — middleware-name cap
+    if (typeof e.name !== "string" || e.name.length === 0 || e.name.length > 64) {                       // middleware-name cap
       throw new ComposePipelineError("compose-pipeline/bad-entry",
         "composePipeline: entries[" + i + "].name must be a non-empty string ≤ 64 bytes");
     }
@@ -187,7 +187,7 @@ function composePipeline(entries, opts) {
       // natural sequential flow. Use 100 so canonical positions
       // (5..90) can interleave without colliding when an operator
       // mixes named + unnamed entries.
-      position = (i + 1) * 100;                                                                          // allow:raw-byte-literal — index→position scale; canonical-pos ceiling is 90
+      position = (i + 1) * 100;                                                                          // index→position scale; canonical-pos ceiling is 90
     }
     if (Object.prototype.hasOwnProperty.call(seenPositions, position)) {

package/lib/middleware/csp-report.js CHANGED Viewed

@@ -125,7 +125,7 @@ function create(opts) {
   return async function cspReport(req, res, _next) {
     if (req.method !== "POST") {
-      res.writeHead(405, { "Allow": "POST" });                                     // allow:raw-byte-literal — HTTP 405 status
+      res.writeHead(405, { "Allow": "POST" });                                     // HTTP 405 status
       res.end();
       return;
     }
@@ -133,14 +133,14 @@ function create(opts) {
     try {
       body = await safeBuffer.boundedChunkCollector(req, { maxBytes: maxBytes });
     } catch (_e) {
-      res.writeHead(413);                                                         // allow:raw-byte-literal — HTTP 413 status
+      res.writeHead(413);                                                         // HTTP 413 status
       res.end();
       return;
     }
     var parsed;
     try { parsed = safeJson.parse(body.toString("utf8")); }
     catch (_e) {
-      res.writeHead(400);                                                         // allow:raw-byte-literal — HTTP 400 status
+      res.writeHead(400);                                                         // HTTP 400 status
       res.end();
       return;
     }
@@ -159,7 +159,7 @@ function create(opts) {
         try { onReport(normalized); } catch (_e) { /* hook best-effort */ }
       }
     }
-    res.writeHead(204);                                                           // allow:raw-byte-literal — HTTP 204 status
+    res.writeHead(204);                                                           // HTTP 204 status
     res.end();
   };
 }

package/lib/middleware/daily-byte-quota.js CHANGED Viewed

@@ -199,7 +199,7 @@ function create(opts) {
       var keys = Object.keys(req.headers);
       for (var hi = 0; hi < keys.length; hi++) {
         var v = req.headers[keys[hi]];
-        inboundBytes += keys[hi].length + 2 + (typeof v === "string" ? v.length : 0) + 2;        // allow:raw-byte-literal — ": " + "\r\n" overhead
+        inboundBytes += keys[hi].length + 2 + (typeof v === "string" ? v.length : 0) + 2;        // ": " + "\r\n" overhead
       }
     }
     if (req.headers && req.headers["content-length"]) {

package/lib/middleware/dpop.js CHANGED Viewed

@@ -55,7 +55,7 @@ function _writeUnauthorized(res, errorCode, description, freshNonce) {
   // RFC 9449 §7 — error code is invalid_dpop_proof OR use_dpop_nonce.
   var challenge = 'DPoP error="' + errorCode + '", error_description="' +
                   description.replace(/"/g, "'") + '"';
-  var headers = {                                                                  // allow:raw-byte-literal — HTTP 401 status
+  var headers = {                                                                  // HTTP 401 status
     "Content-Type":     "application/json; charset=utf-8",
     "Content-Length":   Buffer.byteLength(body),
     "WWW-Authenticate": challenge,

package/lib/middleware/headers.js CHANGED Viewed

@@ -104,7 +104,7 @@ function _detectIssues(headers, opts) {
       }
       for (var ci = 0; ci < v.length; ci += 1) {
         var cc = v.charCodeAt(ci);
-        if (cc === 0x0D || cc === 0x0A || cc === 0x00) {                         // allow:raw-byte-literal — CR / LF / NUL forbidden in header value
+        if (cc === 0x0D || cc === 0x0A || cc === 0x00) {                         // CR / LF / NUL forbidden in header value
           issues.push({
             kind: "header-value-control-byte", severity: "high", header: name,
             snippet: "header `" + name + "` value contains CR / LF / NUL " +
@@ -200,7 +200,7 @@ function create(opts) {
   var refuseOnHigh = opts.refuseOnHigh !== false && mode === "enforce";
   var audit = opts.audit || null;
   var resolved = {
-    maxHeaderCount: opts.maxHeaderCount || 100,                                  // allow:raw-byte-literal — header count ceiling
+    maxHeaderCount: opts.maxHeaderCount || 100,                                  // header count ceiling
     maxValueBytes:  opts.maxValueBytes  || 8 * 1024,                             // allow:raw-byte-literal — header value cap (8 KiB)
     trustProxy:     !!opts.trustProxy,
   };

package/lib/middleware/host-allowlist.js CHANGED Viewed

@@ -131,7 +131,7 @@ function create(opts) {
     hosts.push(n);
   }
-  var denyStatus = (typeof opts.denyStatus === "number") ? opts.denyStatus : 421;  // allow:raw-byte-literal — HTTP 421 status
+  var denyStatus = (typeof opts.denyStatus === "number") ? opts.denyStatus : 421;  // HTTP 421 status
   var denyBody = typeof opts.denyBody === "string" ? opts.denyBody : "Misdirected Request";
   var auditOn = opts.audit !== false;