@blamejs/core 0.14.1 → 0.14.2

package/lib/guard-cidr.js

@@ -56,30 +56,30 @@ void observability;
 
 var _err = GuardCidrError.factory;
 
-var IPV4_OCTET_MAX = 255;                                                        // allow:raw-byte-literal — RFC 791 octet ceiling
-var IPV4_MASK_MAX  = 32;                                                         // allow:raw-byte-literal — IPv4 prefix ceiling
-var IPV6_MASK_MAX  = 128;                                                        // allow:raw-byte-literal — IPv6 prefix ceiling
-var IPV4_OCTETS    = 4;                                                          // allow:raw-byte-literal — IPv4 dotted-quad count
-var IPV6_GROUPS    = 8;                                                          // allow:raw-byte-literal — IPv6 16-bit group count
+var IPV4_OCTET_MAX = 255;                                                        // RFC 791 octet ceiling
+var IPV4_MASK_MAX  = 32;                                                         // IPv4 prefix ceiling
+var IPV6_MASK_MAX  = 128;                                                        // IPv6 prefix ceiling
+var IPV4_OCTETS    = 4;                                                          // IPv4 dotted-quad count
+var IPV6_GROUPS    = 8;                                                          // IPv6 16-bit group count
 
 // ---- IPv4 reserved ranges (CIDR network, /mask) ----
 //
 // Each entry: [networkAsUint32, maskBits, label].
-function _ipv4ToUint32(o) { return ((o[0] << 24) >>> 0) + (o[1] << 16) + (o[2] << 8) + o[3]; }   // allow:raw-byte-literal — IPv4 octet shifts
+function _ipv4ToUint32(o) { return ((o[0] << 24) >>> 0) + (o[1] << 16) + (o[2] << 8) + o[3]; }   // IPv4 octet shifts
 var IPV4_RESERVED = Object.freeze([
-  { net: _ipv4ToUint32([10, 0, 0, 0]),       prefix: 8,  label: "rfc1918-private-10" },          // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([172, 16, 0, 0]),     prefix: 12, label: "rfc1918-private-172.16" },      // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([192, 168, 0, 0]),    prefix: 16, label: "rfc1918-private-192.168" },     // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([127, 0, 0, 0]),      prefix: 8,  label: "loopback" },                    // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([169, 254, 0, 0]),    prefix: 16, label: "link-local" },                  // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([224, 0, 0, 0]),      prefix: 4,  label: "multicast" },                   // allow:raw-byte-literal — IPv4 octets
+  { net: _ipv4ToUint32([10, 0, 0, 0]),       prefix: 8,  label: "rfc1918-private-10" },          // IPv4 octets
+  { net: _ipv4ToUint32([172, 16, 0, 0]),     prefix: 12, label: "rfc1918-private-172.16" },      // IPv4 octets
+  { net: _ipv4ToUint32([192, 168, 0, 0]),    prefix: 16, label: "rfc1918-private-192.168" },     // IPv4 octets
+  { net: _ipv4ToUint32([127, 0, 0, 0]),      prefix: 8,  label: "loopback" },                    // IPv4 octets
+  { net: _ipv4ToUint32([169, 254, 0, 0]),    prefix: 16, label: "link-local" },                  // IPv4 octets
+  { net: _ipv4ToUint32([224, 0, 0, 0]),      prefix: 4,  label: "multicast" },                   // IPv4 octets
   { net: _ipv4ToUint32([240, 0, 0, 0]),      prefix: 4,  label: "reserved-class-e" },            // allow:raw-byte-literal — IPv4 octets allow:raw-time-literal — 240 is an IPv4 octet not seconds
-  { net: _ipv4ToUint32([192, 0, 2, 0]),      prefix: 24, label: "documentation-test-net-1" },    // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([198, 51, 100, 0]),   prefix: 24, label: "documentation-test-net-2" },    // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([203, 0, 113, 0]),    prefix: 24, label: "documentation-test-net-3" },    // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([198, 18, 0, 0]),     prefix: 15, label: "benchmarking" },                // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([100, 64, 0, 0]),     prefix: 10, label: "cgnat" },                       // allow:raw-byte-literal — IPv4 octets
-  { net: _ipv4ToUint32([0, 0, 0, 0]),        prefix: 8,  label: "this-network" },                // allow:raw-byte-literal — IPv4 octets
+  { net: _ipv4ToUint32([192, 0, 2, 0]),      prefix: 24, label: "documentation-test-net-1" },    // IPv4 octets
+  { net: _ipv4ToUint32([198, 51, 100, 0]),   prefix: 24, label: "documentation-test-net-2" },    // IPv4 octets
+  { net: _ipv4ToUint32([203, 0, 113, 0]),    prefix: 24, label: "documentation-test-net-3" },    // IPv4 octets
+  { net: _ipv4ToUint32([198, 18, 0, 0]),     prefix: 15, label: "benchmarking" },                // IPv4 octets
+  { net: _ipv4ToUint32([100, 64, 0, 0]),     prefix: 10, label: "cgnat" },                       // IPv4 octets
+  { net: _ipv4ToUint32([0, 0, 0, 0]),        prefix: 8,  label: "this-network" },                // IPv4 octets
 ]);
 
 // ---- IPv6 reserved prefixes ----
@@ -87,15 +87,15 @@ var IPV4_RESERVED = Object.freeze([
 // Stored as a normalized "first 32 hex chars (no colons)" prefix-byte
 // string. Match by string-prefix on the first ceil(prefix/4) hex chars.
 var IPV6_RESERVED = Object.freeze([
-  { prefix: 128, hexPrefix: "00000000000000000000000000000001", label: "loopback" },             // allow:raw-byte-literal — IPv6 hex form
-  { prefix: 128, hexPrefix: "00000000000000000000000000000000", label: "unspecified" },          // allow:raw-byte-literal — IPv6 hex form
-  { prefix: 7,   hexPrefix: "fc",                                 label: "ula" },                // allow:raw-byte-literal — IPv6 hex form
-  { prefix: 10,  hexPrefix: "fe8",                                label: "link-local" },         // allow:raw-byte-literal — IPv6 hex form
-  { prefix: 8,   hexPrefix: "ff",                                 label: "multicast" },          // allow:raw-byte-literal — IPv6 hex form
-  { prefix: 96,  hexPrefix: "00000000000000000000ffff",           label: "ipv4-mapped" },        // allow:raw-byte-literal — IPv6 hex form
-  { prefix: 32,  hexPrefix: "20010db8",                           label: "documentation" },      // allow:raw-byte-literal — IPv6 hex form
-  { prefix: 32,  hexPrefix: "20010000",                           label: "teredo" },             // allow:raw-byte-literal — IPv6 hex form
-  { prefix: 16,  hexPrefix: "2002",                               label: "deprecated-6to4" },    // allow:raw-byte-literal — IPv6 hex form
+  { prefix: 128, hexPrefix: "00000000000000000000000000000001", label: "loopback" },             // IPv6 hex form
+  { prefix: 128, hexPrefix: "00000000000000000000000000000000", label: "unspecified" },          // IPv6 hex form
+  { prefix: 7,   hexPrefix: "fc",                                 label: "ula" },                // IPv6 hex form
+  { prefix: 10,  hexPrefix: "fe8",                                label: "link-local" },         // IPv6 hex form
+  { prefix: 8,   hexPrefix: "ff",                                 label: "multicast" },          // IPv6 hex form
+  { prefix: 96,  hexPrefix: "00000000000000000000ffff",           label: "ipv4-mapped" },        // IPv6 hex form
+  { prefix: 32,  hexPrefix: "20010db8",                           label: "documentation" },      // IPv6 hex form
+  { prefix: 32,  hexPrefix: "20010000",                           label: "teredo" },             // IPv6 hex form
+  { prefix: 16,  hexPrefix: "2002",                               label: "deprecated-6to4" },    // IPv6 hex form
 ]);
 
 // ---- Profile presets ----
@@ -183,7 +183,7 @@ function _parseIpv4(s) {
     var p = parts[i];
     if (!/^[0-9]+$/.test(p)) return null;
     if (p.length > 1 && p.charAt(0) === "0") return null;                        // leading-zero octal/forms refused
-    var n = parseInt(p, 10);                                                     // allow:raw-byte-literal — base-10 radix
+    var n = parseInt(p, 10);                                                     // base-10 radix
     if (n > IPV4_OCTET_MAX) return null;
     octets.push(n);
   }
@@ -221,13 +221,13 @@ function _parseIpv6(s) {
     var pad = IPV6_GROUPS - left.length - right.length;
     if (pad < 0) return null;
     var zeros = [];
-    for (var z = 0; z < pad; z += 1) zeros.push("0000");                         // allow:raw-byte-literal — IPv6 zero group
+    for (var z = 0; z < pad; z += 1) zeros.push("0000");                         // IPv6 zero group
     groups = left.concat(zeros).concat(right);
     if (groups.length !== IPV6_GROUPS) return null;
   }
   // Pad each group to 4 chars.
   for (var g = 0; g < groups.length; g += 1) {
-    while (groups[g].length < 4) groups[g] = "0" + groups[g];                    // allow:raw-byte-literal — IPv6 group width
+    while (groups[g].length < 4) groups[g] = "0" + groups[g];                    // IPv6 group width
   }
   return groups;
 }
@@ -245,8 +245,8 @@ function _hostBitsSetIpv6(groups, prefix) {
   // boundary, every remaining bit must be zero.
   var bitIdx = 0;
   for (var i = 0; i < groups.length; i += 1) {
-    var grp = parseInt(groups[i], 16);                                           // allow:raw-byte-literal — base-16 radix
-    for (var b = 15; b >= 0; b -= 1) {                                           // allow:raw-byte-literal — bits per group
+    var grp = parseInt(groups[i], 16);                                           // base-16 radix
+    for (var b = 15; b >= 0; b -= 1) {                                           // bits per group
       if (bitIdx >= prefix) {
         if ((grp >> b) & 1) return true;
       }
@@ -372,7 +372,7 @@ function _detectIssues(input, opts) {
       });
       return issues;
     }
-    prefix = parseInt(maskPart, 10);                                             // allow:raw-byte-literal — base-10 radix
+    prefix = parseInt(maskPart, 10);                                             // base-10 radix
     if (prefix > maskMax) {
       issues.push({
         kind: "mask-cap", severity: "high",

package/lib/guard-csv.js

@@ -96,7 +96,7 @@ var DANGEROUS_FUNCTIONS = Object.freeze([
 
 // ---- Codepoint helpers (proxied to lib/codepoint-class) ----
 
-var HEX_RADIX = 16;                                                 // allow:raw-byte-literal — base-16 radix, not byte size
+var HEX_RADIX = 16;                                                 // base-16 radix, not byte size
 var _hex4      = codepointClass.hex4;
 var _charClass = codepointClass.charClass;
 var _fromCp    = codepointClass.fromCp;

package/lib/guard-domain.js

@@ -67,8 +67,8 @@ var _err = GuardDomainError.factory;
 
 // ---- RFC 1035 §2.3.4 length caps ----
 
-var LIMIT_LABEL_OCTETS = 63;                                                     // allow:raw-byte-literal — RFC 1035 §2.3.4
-var LIMIT_DOMAIN_OCTETS = 253;                                                   // allow:raw-byte-literal — RFC 1035 §2.3.4 (255 wire minus length prefixes)
+var LIMIT_LABEL_OCTETS = 63;                                                     // RFC 1035 §2.3.4
+var LIMIT_DOMAIN_OCTETS = 253;                                                   // RFC 1035 §2.3.4 (255 wire minus length prefixes)
 
 // ---- Static patterns (built from explicit codepoint tables) ----
 
@@ -108,7 +108,7 @@ function _looksLikeIpv4Permissive(s) {
     return s.length > 0 && !/^[0-9]+$/.test(s) ? true :
            // Pure long-decimal — at least 8 digits to count as IPv4
            // representation, otherwise it's a port-shaped number.
-           s.length >= 8;                                                        // allow:raw-byte-literal — minimum digits to recognize long-decimal IPv4
+           s.length >= 8;                                                        // minimum digits to recognize long-decimal IPv4
   }
   if (s.indexOf(".") === -1) return false;
   var parts = s.split(".");
@@ -193,8 +193,8 @@ var PROFILES = Object.freeze({
     trailingDotPolicy:    "normalize",
     dgaPolicy:            "reject",
     allowedScripts:       ["latin"],
-    dgaEntropyThreshold:  3.8,                                                   // allow:raw-byte-literal — Shannon entropy bits/char threshold (DGA heuristic)
-    dgaMinLabelLen:       12,                                                    // allow:raw-byte-literal — DGA heuristic floor
+    dgaEntropyThreshold:  3.8,                                                   // Shannon entropy bits/char threshold (DGA heuristic)
+    dgaMinLabelLen:       12,                                                    // DGA heuristic floor
     maxLabelOctets:       LIMIT_LABEL_OCTETS,
     maxDomainOctets:      LIMIT_DOMAIN_OCTETS,
     maxBytes:             C.BYTES.bytes(2048),
@@ -217,8 +217,8 @@ var PROFILES = Object.freeze({
     dgaPolicy:            "audit",
     allowedScripts:       ["latin", "cyrillic", "greek", "han", "hiragana",
                            "katakana", "hangul"],
-    dgaEntropyThreshold:  3.8,                                                   // allow:raw-byte-literal — Shannon entropy bits/char threshold (DGA heuristic)
-    dgaMinLabelLen:       12,                                                    // allow:raw-byte-literal — DGA heuristic floor
+    dgaEntropyThreshold:  3.8,                                                   // Shannon entropy bits/char threshold (DGA heuristic)
+    dgaMinLabelLen:       12,                                                    // DGA heuristic floor
     maxLabelOctets:       LIMIT_LABEL_OCTETS,
     maxDomainOctets:      LIMIT_DOMAIN_OCTETS,
     maxBytes:             C.BYTES.bytes(2048),
@@ -240,8 +240,8 @@ var PROFILES = Object.freeze({
     trailingDotPolicy:    "normalize",
     dgaPolicy:            "allow",
     allowedScripts:       null,
-    dgaEntropyThreshold:  3.8,                                                   // allow:raw-byte-literal — Shannon entropy bits/char threshold (DGA heuristic)
-    dgaMinLabelLen:       12,                                                    // allow:raw-byte-literal — DGA heuristic floor
+    dgaEntropyThreshold:  3.8,                                                   // Shannon entropy bits/char threshold (DGA heuristic)
+    dgaMinLabelLen:       12,                                                    // DGA heuristic floor
     maxLabelOctets:       LIMIT_LABEL_OCTETS,
     maxDomainOctets:      LIMIT_DOMAIN_OCTETS,
     maxBytes:             C.BYTES.bytes(2048),
@@ -477,7 +477,7 @@ function _detectIssues(input, opts) {
     // ASCII LDH or Unicode label.
     var allAscii = true;
     for (var ai = 0; ai < label.length; ai += 1) {
-      if (label.charCodeAt(ai) > 0x7F) { allAscii = false; break; }              // allow:raw-byte-literal — ASCII boundary codepoint
+      if (label.charCodeAt(ai) > 0x7F) { allAscii = false; break; }              // ASCII boundary codepoint
     }
 
     if (allAscii) {

package/lib/guard-dsn.js

@@ -107,9 +107,9 @@ var GuardDsnError = defineClass("GuardDsnError", { alwaysPermanent: true });
 var DEFAULT_PROFILE = "strict";
 
 var PROFILES = Object.freeze({
-  strict:     { maxBytes: C.BYTES.kib(256), maxRecipients: 256, maxHeaderLine: 998 },                    // allow:raw-byte-literal — RFC 5322 §2.1.1 header line cap; RFC 3464 recipient count
-  balanced:   { maxBytes: C.BYTES.mib(1),   maxRecipients: 1024, maxHeaderLine: 998 },                   // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap; mailing-list blast bounces
-  permissive: { maxBytes: C.BYTES.mib(4),   maxRecipients: 4096, maxHeaderLine: 998 },                   // allow:raw-byte-literal — RFC 5322 §2.1.1 line cap; large-blast bounce class
+  strict:     { maxBytes: C.BYTES.kib(256), maxRecipients: 256, maxHeaderLine: 998 },                    // RFC 5322 §2.1.1 header line cap; RFC 3464 recipient count
+  balanced:   { maxBytes: C.BYTES.mib(1),   maxRecipients: 1024, maxHeaderLine: 998 },                   // RFC 5322 §2.1.1 line cap; mailing-list blast bounces
+  permissive: { maxBytes: C.BYTES.mib(4),   maxRecipients: 4096, maxHeaderLine: 998 },                   // RFC 5322 §2.1.1 line cap; large-blast bounce class
 });
 
 var COMPLIANCE_POSTURES = Object.freeze({
@@ -334,7 +334,7 @@ function _checkControlChars(line) {
   // split (e.g. backslash + literal sequence).
   for (var i = 0; i < line.length; i += 1) {
     var c = line.charCodeAt(i);
-    if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) {                                          // allow:raw-byte-literal — RFC 5322 control char + TAB allow
+    if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) {                                          // RFC 5322 control char + TAB allow
       throw new GuardDsnError("guard-dsn/control-char",
         "parse: control char 0x" + c.toString(16) + " in field line refused (header-injection defense)");
     }

package/lib/guard-email.js

@@ -49,10 +49,10 @@ var _err = GuardEmailError.factory;
 
 // ---- RFC 5321 / 5322 limits ----
 
-var LIMIT_LOCAL_PART = 64;                                                       // allow:raw-byte-literal — RFC 5321 §4.5.3.1.1
-var LIMIT_DOMAIN     = 255;                                                      // allow:raw-byte-literal — RFC 5321 §4.5.3.1.2
-var LIMIT_ADDRESS    = 320;                                                      // allow:raw-byte-literal — RFC 5321 sum (64 + 1 + 255)
-var LIMIT_LINE       = 998;                                                      // allow:raw-byte-literal — RFC 5322 §2.1.1 maximum line length
+var LIMIT_LOCAL_PART = 64;                                                       // RFC 5321 §4.5.3.1.1
+var LIMIT_DOMAIN     = 255;                                                      // RFC 5321 §4.5.3.1.2
+var LIMIT_ADDRESS    = 320;                                                      // RFC 5321 sum (64 + 1 + 255)
+var LIMIT_LINE       = 998;                                                      // RFC 5322 §2.1.1 maximum line length
 
 // ---- Source-level threat detectors ----
 
@@ -65,12 +65,12 @@ function _scanBareLineEndings(input) {
   var bareLf = false;
   for (var i = 0; i < input.length; i += 1) {
     var c = input.charCodeAt(i);
-    if (c === 13) {                                                              // allow:raw-byte-literal — CR
+    if (c === 13) {                                                              // CR
       var next = i + 1 < input.length ? input.charCodeAt(i + 1) : -1;
-      if (next !== 10) bareCr = true;                                            // allow:raw-byte-literal — LF
-    } else if (c === 10) {                                                       // allow:raw-byte-literal — LF
+      if (next !== 10) bareCr = true;                                            // LF
+    } else if (c === 10) {                                                       // LF
       var prev = i > 0 ? input.charCodeAt(i - 1) : -1;
-      if (prev !== 13) bareLf = true;                                            // allow:raw-byte-literal — CR
+      if (prev !== 13) bareLf = true;                                            // CR
     }
     if (bareCr && bareLf) break;
   }
@@ -85,7 +85,7 @@ var SMUGGLED_VERB_RE = /(?:\r(?!\n)|(?<!\r)\n)\.?\s*(?:MAIL FROM|RCPT TO|DATA|EH
 function _hasCrlfInHeaderValue(value) {
   for (var i = 0; i < value.length; i += 1) {
     var c = value.charCodeAt(i);
-    if (c === 13 || c === 10) return true;                                       // allow:raw-byte-literal — CR or LF in header value
+    if (c === 13 || c === 10) return true;                                       // CR or LF in header value
   }
   return false;
 }
@@ -125,11 +125,11 @@ var PUNYCODE_LABEL_RE = /(?:^|\.)xn--/i;
 // class.js conventions — keep numeric, no literal characters).
 var SCRIPT_RANGES = {
   latin:    [[0x0041, 0x005a], [0x0061, 0x007a],
-             [0x00c0, 0x024f], [0x1e00, 0x1eff]],                                // allow:raw-byte-literal — Unicode script ranges
-  cyrillic: [[0x0400, 0x04ff], [0x0500, 0x052f]],                                // allow:raw-byte-literal — Unicode Cyrillic + Cyrillic Supplement
-  greek:    [[0x0370, 0x03ff], [0x1f00, 0x1fff]],                                // allow:raw-byte-literal — Unicode Greek + Greek Extended
-  armenian: [[0x0530, 0x058f]],                                                  // allow:raw-byte-literal — Unicode Armenian
-  cherokee: [[0x13a0, 0x13ff], [0xab70, 0xabbf]],                                // allow:raw-byte-literal — Unicode Cherokee + Cherokee Supplement
+             [0x00c0, 0x024f], [0x1e00, 0x1eff]],                                // Unicode script ranges
+  cyrillic: [[0x0400, 0x04ff], [0x0500, 0x052f]],                                // Unicode Cyrillic + Cyrillic Supplement
+  greek:    [[0x0370, 0x03ff], [0x1f00, 0x1fff]],                                // Unicode Greek + Greek Extended
+  armenian: [[0x0530, 0x058f]],                                                  // Unicode Armenian
+  cherokee: [[0x13a0, 0x13ff], [0xab70, 0xabbf]],                                // Unicode Cherokee + Cherokee Supplement
 };
 
 function _scriptFor(cp) {
@@ -200,7 +200,7 @@ var PROFILES = Object.freeze({
     maxDomainBytes:               LIMIT_DOMAIN,
     maxAddressBytes:              LIMIT_ADDRESS,
     maxHeaderLineBytes:           LIMIT_LINE,
-    maxHeaders:                   128,                                           // allow:raw-byte-literal — header count cap
+    maxHeaders:                   128,                                           // header count cap
     maxBytes:                     C.BYTES.mib(8),
   },
   "balanced": {
@@ -224,7 +224,7 @@ var PROFILES = Object.freeze({
     maxDomainBytes:               LIMIT_DOMAIN,
     maxAddressBytes:              LIMIT_ADDRESS,
     maxHeaderLineBytes:           LIMIT_LINE,
-    maxHeaders:                   512,                                           // allow:raw-byte-literal — header count cap
+    maxHeaders:                   512,                                           // header count cap
     maxBytes:                     C.BYTES.mib(32),
   },
   "permissive": {
@@ -248,7 +248,7 @@ var PROFILES = Object.freeze({
     maxDomainBytes:               LIMIT_DOMAIN,
     maxAddressBytes:              LIMIT_ADDRESS,
     maxHeaderLineBytes:           LIMIT_LINE,
-    maxHeaders:                   2048,                                          // allow:raw-byte-literal — header count cap
+    maxHeaders:                   2048,                                          // header count cap
     maxBytes:                     C.BYTES.mib(128),
   },
 });
@@ -503,7 +503,7 @@ function _detectMessageIssues(input, opts) {
 
   // BOM at start of message — header-injection prelude.
   if (opts.bomPolicy !== "allow") {
-    if (input.charCodeAt(0) === 0xfeff) {                                        // allow:raw-byte-literal — Unicode BOM
+    if (input.charCodeAt(0) === 0xfeff) {                                        // Unicode BOM
       issues.push({
         kind: "bom",
         severity: opts.bomPolicy === "reject" ? "high" : "warn",
@@ -671,7 +671,7 @@ function _checkAddressHeaderValue(value, opts, headerName) {
           severity: opts.displayNameSpoofPolicy === "reject" ? "critical" : "high",
           ruleId: "email.display-name-spoof",
           snippet: headerName + ": display name `" +
-                   parsed.display.slice(0, 64) + "` includes an @-address that " + // allow:raw-byte-literal — snippet truncation
+                   parsed.display.slice(0, 64) + "` includes an @-address that " + // snippet truncation
                    "doesn't match the envelope domain `" + envDomain + "`",
         });
       }

package/lib/guard-event-bus-payload.js

@@ -46,9 +46,9 @@ var GuardEventBusPayloadError = defineClass("GuardEventBusPayloadError", { alway
 var DEFAULT_PROFILE = "strict";
 
 var PROFILES = Object.freeze({
-  strict:     { maxBytes: 65536 },                                                                    // allow:raw-byte-literal — 64 KiB metadata cap
-  balanced:   { maxBytes: 262144 },                                                                   // allow:raw-byte-literal — 256 KiB
-  permissive: { maxBytes: 1048576 },                                                                  // allow:raw-byte-literal — 1 MiB
+  strict:     { maxBytes: 65536 },                                                                    // 64 KiB metadata cap
+  balanced:   { maxBytes: 262144 },                                                                   // 256 KiB
+  permissive: { maxBytes: 1048576 },                                                                  // 1 MiB
 });
 
 var COMPLIANCE_POSTURES = Object.freeze({
@@ -175,7 +175,7 @@ function _checkType(value, type, fieldName) {
     // burn regex-engine CPU. RFC 3339 ISO-8601 dateTime is bounded by
     // ~40 chars even with fractional seconds + numeric offset; cap at 64
     // for safety. The payload-level maxBytes cap also bounds the field.
-    if (typeof value !== "string" || value.length > 64 || !ISO_DATETIME_RE.test(value)) {             // allow:raw-byte-literal — ISO-8601 dateTime max length
+    if (typeof value !== "string" || value.length > 64 || !ISO_DATETIME_RE.test(value)) {             // ISO-8601 dateTime max length
       throw new GuardEventBusPayloadError("event-bus-payload/type-mismatch",
         "field '" + fieldName + "' expected ISO-8601 dateTime string");
     }

package/lib/guard-event-bus-topic.js

@@ -31,9 +31,9 @@ var GuardEventBusTopicError = defineClass("GuardEventBusTopicError", { alwaysPer
 var DEFAULT_PROFILE = "strict";
 
 var PROFILES = Object.freeze({
-  strict:     { maxBytes: 128, minDots: 2 },                                                          // allow:raw-byte-literal
-  balanced:   { maxBytes: 256, minDots: 2 },                                                          // allow:raw-byte-literal
-  permissive: { maxBytes: 512, minDots: 1 },                                                          // allow:raw-byte-literal
+  strict:     { maxBytes: 128, minDots: 2 },
+  balanced:   { maxBytes: 256, minDots: 2 },
+  permissive: { maxBytes: 512, minDots: 1 },
 });
 
 var COMPLIANCE_POSTURES = Object.freeze({
@@ -75,7 +75,7 @@ function validate(name, opts) {
   }
   // Dot-count check — `<domain>.<source>.<event>` shape.
   var dots = 0;
-  for (var d = 0; d < name.length; d += 1) if (name.charCodeAt(d) === 0x2E) dots += 1;                // allow:raw-byte-literal — '.' codepoint
+  for (var d = 0; d < name.length; d += 1) if (name.charCodeAt(d) === 0x2E) dots += 1;                // '.' codepoint
   if (dots < profile.minDots) {
     throw new GuardEventBusTopicError("event-bus-topic/insufficient-dots",
       "guardEventBusTopic.validate: name '" + name + "' has " + dots +
@@ -97,11 +97,11 @@ function validate(name, opts) {
   // C0 / DEL / slash / non-ASCII refusal.
   for (var i = 0; i < name.length; i += 1) {
     var c = name.charCodeAt(i);
-    if (c > 0x7F) {                                                                                   // allow:raw-byte-literal — ASCII-only cap
+    if (c > 0x7F) {                                                                                   // ASCII-only cap
       throw new GuardEventBusTopicError("event-bus-topic/non-ascii",
         "guardEventBusTopic.validate: name contains non-ASCII codepoint at offset " + i);
     }
-    if (c < 0x20 || c === 0x7F || c === 0x2F || c === 0x5C) {                                         // allow:raw-byte-literal — C0/DEL/slash/backslash
+    if (c < 0x20 || c === 0x7F || c === 0x2F || c === 0x5C) {                                         // C0/DEL/slash/backslash
       throw new GuardEventBusTopicError("event-bus-topic/bad-char",
         "guardEventBusTopic.validate: forbidden char 0x" + c.toString(16) + " at offset " + i);
     }

package/lib/guard-filename.js

@@ -121,7 +121,7 @@ var SHELL_EXEC_EXTS = Object.freeze([
   ".reg", ".cpl", ".inf", ".hta", ".chm", ".scf",
 ]);
 
-var HEX_RADIX = 16;                                                 // allow:raw-byte-literal — base-16 radix, not byte size
+var HEX_RADIX = 16;                                                 // base-16 radix, not byte size
 
 // Visual-confusable letter ranges that homoglyph against ASCII —
 // Cyrillic / Greek / fullwidth Latin. Only flagged when mixed with
@@ -149,8 +149,8 @@ var PROFILES = Object.freeze({
     requireAscii:         true,
     extensionAllowlist:   null,             // null = any single extension
     requireSingleDot:     true,             // ".tar.gz" not allowed
-    maxBytes:             64,               // allow:raw-byte-literal — leaf-name byte cap, not byte size
-    maxComponents:        1,                // allow:raw-byte-literal — single leaf only, not bytes
+    maxBytes:             64,               // leaf-name byte cap, not byte size
+    maxComponents:        1,                // single leaf only, not bytes
   },
   "balanced": {
     bidiPolicy:           "reject",
@@ -169,8 +169,8 @@ var PROFILES = Object.freeze({
     requireAscii:         false,
     extensionAllowlist:   null,
     requireSingleDot:     false,            // ".tar.gz" allowed
-    maxBytes:             255,              // allow:raw-byte-literal — POSIX max-component, not byte size
-    maxComponents:        1,                // allow:raw-byte-literal — single leaf only, not bytes
+    maxBytes:             255,              // POSIX max-component, not byte size
+    maxComponents:        1,                // single leaf only, not bytes
   },
   "permissive": {
     bidiPolicy:           "reject",
@@ -189,8 +189,8 @@ var PROFILES = Object.freeze({
     requireAscii:         false,
     extensionAllowlist:   null,
     requireSingleDot:     false,
-    maxBytes:             255,              // allow:raw-byte-literal — POSIX max-component, not byte size
-    maxComponents:        16,               // allow:raw-byte-literal — multi-component path cap, not bytes
+    maxBytes:             255,              // POSIX max-component, not byte size
+    maxComponents:        16,               // multi-component path cap, not bytes
   },
 });
 

package/lib/guard-graphql.js

@@ -113,9 +113,9 @@ var PROFILES = Object.freeze({
     aliasBombPolicy:            "reject",
     depthPolicy:                "reject",
     variableShapePolicy:        "reject",
-    maxDepth:                   8,                                               // allow:raw-byte-literal — selection-set depth ceiling
-    maxAliasesPerSelection:     8,                                               // allow:raw-byte-literal — alias breadth ceiling
-    maxBatchSize:               1,                                               // allow:raw-byte-literal — strict refuses batch
+    maxDepth:                   8,                                               // selection-set depth ceiling
+    maxAliasesPerSelection:     8,                                               // alias breadth ceiling
+    maxBatchSize:               1,                                               // strict refuses batch
     maxQueryBytes:              C.BYTES.kib(8),
     maxVariableBytes:           C.BYTES.kib(8),
     maxBytes:                   C.BYTES.kib(32),
@@ -133,9 +133,9 @@ var PROFILES = Object.freeze({
     aliasBombPolicy:            "audit",
     depthPolicy:                "audit",
     variableShapePolicy:        "audit",
-    maxDepth:                   12,                                              // allow:raw-byte-literal — selection-set depth ceiling
-    maxAliasesPerSelection:     16,                                              // allow:raw-byte-literal — alias breadth ceiling
-    maxBatchSize:               10,                                              // allow:raw-byte-literal — batch size ceiling
+    maxDepth:                   12,                                              // selection-set depth ceiling
+    maxAliasesPerSelection:     16,                                              // alias breadth ceiling
+    maxBatchSize:               10,                                              // batch size ceiling
     maxQueryBytes:              C.BYTES.kib(16),
     maxVariableBytes:           C.BYTES.kib(16),
     maxBytes:                   C.BYTES.kib(64),
@@ -153,9 +153,9 @@ var PROFILES = Object.freeze({
     aliasBombPolicy:            "audit",
     depthPolicy:                "audit",
     variableShapePolicy:        "audit",
-    maxDepth:                   24,                                              // allow:raw-byte-literal — selection-set depth ceiling
-    maxAliasesPerSelection:     32,                                              // allow:raw-byte-literal — alias breadth ceiling
-    maxBatchSize:               50,                                              // allow:raw-byte-literal — batch size ceiling
+    maxDepth:                   24,                                              // selection-set depth ceiling
+    maxAliasesPerSelection:     32,                                              // alias breadth ceiling
+    maxBatchSize:               50,                                              // batch size ceiling
     maxQueryBytes:              C.BYTES.kib(64),
     maxVariableBytes:           C.BYTES.kib(64),
     maxBytes:                   C.BYTES.kib(256),

package/lib/guard-html-wcag-tagwalk.js

@@ -31,7 +31,7 @@ function lineColAt(html, offset) {
   var line = 1;
   var lastNl = -1;
   for (var i = 0; i < offset; i++) {
-    if (html.charCodeAt(i) === 10) { line += 1; lastNl = i; }                      // allow:raw-byte-literal — ASCII LF
+    if (html.charCodeAt(i) === 10) { line += 1; lastNl = i; }                      // ASCII LF
   }
   return { line: line, column: offset - lastNl };
 }

package/lib/guard-html-wcag.js

@@ -181,7 +181,7 @@ function _checkButtonText(html, tagOpenEnd, attrs, offset, report, opts) {
 function _checkHeadingOrder(html, attrs, tagName, offset, report, opts, ctx) {
   if (!/^h[1-6]$/.test(tagName)) return;
   if (opts.ignore.indexOf("1.3.1") !== -1) return;
-  var level = parseInt(tagName.charAt(1), 10);                                     // allow:raw-byte-literal — base-10 parse radix
+  var level = parseInt(tagName.charAt(1), 10);                                     // base-10 parse radix
   if (ctx.headingLevels.length === 0) {
     if (level !== 1) {
       var pos = _lineColAt(html, offset);
@@ -447,9 +447,9 @@ function audit(html, opts) {
   }
 
   // Heuristic score: 1 - weighted-violations / heuristic-max
-  var weighted = report.summary.error * 3 + report.summary.warning * 1.5 +        // allow:raw-byte-literal — severity weights for heuristic score
-                 report.summary.info * 0.5;                                        // allow:raw-byte-literal — severity weights for heuristic score
-  var maxFor = Math.max(50, weighted * 2);                                         // allow:raw-byte-literal — heuristic-score floor
+  var weighted = report.summary.error * 3 + report.summary.warning * 1.5 +        // severity weights for heuristic score
+                 report.summary.info * 0.5;                                        // severity weights for heuristic score
+  var maxFor = Math.max(50, weighted * 2);                                         // heuristic-score floor
   report.score = Math.max(0, 1 - weighted / maxFor);
 
   try { observability().safeEvent("guard-html.wcag.audited", 1, {

package/lib/guard-html.js

@@ -105,7 +105,7 @@ var observability = lazyRequire(function () { return require("./observability");
 void observability;
 
 var _err = GuardHtmlError.factory;
-var HEX_RADIX = 16;                                                 // allow:raw-byte-literal — base-16 radix, not byte size
+var HEX_RADIX = 16;                                                 // base-16 radix, not byte size
 
 // ---- Codepoint catalog (shared via lib/codepoint-class) ----
 
@@ -242,8 +242,8 @@ var PROFILES = Object.freeze({
     mxssHintPolicy:     "reject",
     maxBytes:           C.BYTES.mib(2),
     maxAttrValueBytes:  C.BYTES.kib(8),
-    maxTagDepth:        128,                                          // allow:raw-byte-literal — tag-nesting depth count, not bytes
-    maxAttrsPerTag:     64,                                           // allow:raw-byte-literal — attribute count per tag, not bytes
+    maxTagDepth:        128,                                          // tag-nesting depth count, not bytes
+    maxAttrsPerTag:     64,                                           // attribute count per tag, not bytes
   },
   "balanced": {
     allowedTags:        BALANCED_ALLOWED_TAGS,
@@ -264,8 +264,8 @@ var PROFILES = Object.freeze({
     mxssHintPolicy:     "audit",
     maxBytes:           C.BYTES.mib(8),
     maxAttrValueBytes:  C.BYTES.kib(32),
-    maxTagDepth:        256,                                          // allow:raw-byte-literal — tag-nesting depth count, not bytes
-    maxAttrsPerTag:     128,                                          // allow:raw-byte-literal — attribute count per tag, not bytes
+    maxTagDepth:        256,                                          // tag-nesting depth count, not bytes
+    maxAttrsPerTag:     128,                                          // attribute count per tag, not bytes
   },
   "permissive": {
     allowedTags:        PERMISSIVE_ALLOWED_TAGS,
@@ -286,8 +286,8 @@ var PROFILES = Object.freeze({
     mxssHintPolicy:     "audit",
     maxBytes:           C.BYTES.mib(32),
     maxAttrValueBytes:  C.BYTES.kib(64),
-    maxTagDepth:        512,                                          // allow:raw-byte-literal — tag-nesting depth count, not bytes
-    maxAttrsPerTag:     256,                                          // allow:raw-byte-literal — attribute count per tag, not bytes
+    maxTagDepth:        512,                                          // tag-nesting depth count, not bytes
+    maxAttrsPerTag:     256,                                          // attribute count per tag, not bytes
   },
 });
 

package/lib/guard-idempotency-key.js

@@ -36,9 +36,9 @@ var GuardIdempotencyKeyError = defineClass("GuardIdempotencyKeyError", { alwaysP
 var DEFAULT_PROFILE = "strict";
 
 var PROFILES = Object.freeze({
-  strict:     { maxBytes: 256,  asciiOnly: true  },                                                   // allow:raw-byte-literal
-  balanced:   { maxBytes: 512,  asciiOnly: true  },                                                   // allow:raw-byte-literal
-  permissive: { maxBytes: 2048, asciiOnly: false },                                                   // allow:raw-byte-literal
+  strict:     { maxBytes: 256,  asciiOnly: true  },
+  balanced:   { maxBytes: 512,  asciiOnly: true  },
+  permissive: { maxBytes: 2048, asciiOnly: false },
 });
 
 var COMPLIANCE_POSTURES = Object.freeze({
@@ -94,15 +94,15 @@ function validate(value, opts) {
   // C0 / DEL / slash refusal.
   for (var i = 0; i < value.length; i += 1) {
     var c = value.charCodeAt(i);
-    if (c < 0x20 || c === 0x7F) {                                                                     // allow:raw-byte-literal — C0 + DEL refusal
+    if (c < 0x20 || c === 0x7F) {                                                                     // C0 + DEL refusal
       throw new GuardIdempotencyKeyError("idempotency-key/control-char",
         "guardIdempotencyKey.validate: control char 0x" + c.toString(16) + " at offset " + i);
     }
-    if (c === 0x2F || c === 0x5C) {                                                                   // allow:raw-byte-literal — / and \ refusal
+    if (c === 0x2F || c === 0x5C) {                                                                   // / and \ refusal
       throw new GuardIdempotencyKeyError("idempotency-key/slash",
         "guardIdempotencyKey.validate: key contains '/' or '\\' at offset " + i);
     }
-    if (profile.asciiOnly && c > 0x7F) {                                                              // allow:raw-byte-literal — ASCII-only cap
+    if (profile.asciiOnly && c > 0x7F) {                                                              // ASCII-only cap
       throw new GuardIdempotencyKeyError("idempotency-key/non-ascii",
         "guardIdempotencyKey.validate: non-ASCII codepoint at offset " + i +
         " (use profile='permissive' to allow)");

package/lib/guard-image.js

@@ -82,7 +82,7 @@ var MAGIC_BYTES = Object.freeze([
   { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] },
   { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] },
   // WebP: RIFF????WEBP — check at offsets 0..3 + 8..11.
-  { mime: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46], tail: [0x57, 0x45, 0x42, 0x50], tailOffset: 8 }, // allow:raw-byte-literal — RIFF + WEBP magic-byte tail offset
+  { mime: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46], tail: [0x57, 0x45, 0x42, 0x50], tailOffset: 8 }, // RIFF + WEBP magic-byte tail offset
   // BMP: 42 4D
   { mime: "image/bmp", bytes: [0x42, 0x4D] },
   // ICO: 00 00 01 00
@@ -124,7 +124,7 @@ var PROFILES = Object.freeze({
     framesPolicy:              "audit",
     maxWidth:                  C.BYTES.bytes(16384),
     maxHeight:                 C.BYTES.bytes(16384),
-    maxFrames:                 200,                                              // allow:raw-byte-literal — animation frame ceiling
+    maxFrames:                 200,                                              // animation frame ceiling
     maxBytes:                  C.BYTES.mib(64),
     maxRuntimeMs:              C.TIME.seconds(5),
   },
@@ -137,7 +137,7 @@ var PROFILES = Object.freeze({
     framesPolicy:              "audit",
     maxWidth:                  C.BYTES.bytes(65536),
     maxHeight:                 C.BYTES.bytes(65536),
-    maxFrames:                 1000,                                             // allow:raw-byte-literal — animation frame ceiling
+    maxFrames:                 1000,                                             // animation frame ceiling
     maxBytes:                  C.BYTES.mib(256),
     maxRuntimeMs:              C.TIME.seconds(5),
   },
@@ -562,7 +562,7 @@ module.exports = {
     benignMetadata: {
       bytes: Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
       declaredMime: "image/png",
-      width: 100, height: 100, frames: 1,                                        // allow:raw-byte-literal — pixel + frame count fixture
+      width: 100, height: 100, frames: 1,                                        // pixel + frame count fixture
     },
     hostileMetadata: {
       bytes: Buffer.from([0xFF, 0xD8, 0xFF]),