@blamejs/core 0.14.1 → 0.14.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (275) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/_test/crypto-fixtures.js +3 -3
  3. package/lib/a2a-tasks.js +18 -18
  4. package/lib/a2a.js +4 -4
  5. package/lib/acme.js +3 -3
  6. package/lib/agent-idempotency.js +1 -1
  7. package/lib/agent-orchestrator.js +8 -8
  8. package/lib/agent-posture-chain.js +2 -2
  9. package/lib/agent-saga.js +1 -1
  10. package/lib/agent-snapshot.js +1 -1
  11. package/lib/agent-stream.js +1 -1
  12. package/lib/agent-tenant.js +1 -1
  13. package/lib/agent-trace.js +3 -3
  14. package/lib/ai-capability.js +1 -1
  15. package/lib/ai-dp.js +4 -4
  16. package/lib/ai-input.js +3 -3
  17. package/lib/ai-model-manifest.js +7 -7
  18. package/lib/ai-pref.js +3 -3
  19. package/lib/archive-gz.js +2 -2
  20. package/lib/archive-read.js +25 -25
  21. package/lib/archive-tar-read.js +2 -2
  22. package/lib/archive-tar.js +20 -20
  23. package/lib/archive-wrap.js +10 -10
  24. package/lib/argon2-builtin.js +1 -1
  25. package/lib/asn1-der.js +34 -34
  26. package/lib/atomic-file.js +2 -2
  27. package/lib/audit-daily-review.js +3 -3
  28. package/lib/audit-sign.js +5 -5
  29. package/lib/audit-tools.js +1 -1
  30. package/lib/audit.js +2 -2
  31. package/lib/auth/acr-vocabulary.js +2 -2
  32. package/lib/auth/bot-challenge.js +3 -3
  33. package/lib/auth/ciba.js +7 -7
  34. package/lib/auth/dpop.js +3 -3
  35. package/lib/auth/fido-mds3.js +8 -8
  36. package/lib/auth/jwt-external.js +5 -5
  37. package/lib/auth/oauth.js +2 -2
  38. package/lib/auth/oid4vci.js +9 -9
  39. package/lib/auth/oid4vp.js +2 -2
  40. package/lib/auth/openid-federation.js +2 -2
  41. package/lib/auth/passkey.js +3 -3
  42. package/lib/auth/saml.js +23 -23
  43. package/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  44. package/lib/auth/sd-jwt-vc.js +4 -4
  45. package/lib/auth/status-list.js +10 -10
  46. package/lib/auth/step-up.js +1 -1
  47. package/lib/auth-bot-challenge.js +1 -1
  48. package/lib/backup/index.js +7 -7
  49. package/lib/base32.js +8 -8
  50. package/lib/budr.js +2 -2
  51. package/lib/cache-status.js +2 -2
  52. package/lib/calendar.js +23 -23
  53. package/lib/cbor.js +12 -12
  54. package/lib/cdn-cache-control.js +1 -1
  55. package/lib/cert.js +5 -5
  56. package/lib/cloud-events.js +5 -5
  57. package/lib/cms-codec.js +21 -21
  58. package/lib/codepoint-class.js +12 -12
  59. package/lib/compliance-sanctions-fuzzy.js +4 -4
  60. package/lib/compliance-sanctions.js +4 -4
  61. package/lib/compliance.js +29 -29
  62. package/lib/content-credentials.js +36 -36
  63. package/lib/cookies.js +1 -1
  64. package/lib/cose.js +13 -13
  65. package/lib/cra-report.js +1 -1
  66. package/lib/crdt.js +1 -1
  67. package/lib/crypto-field.js +2 -2
  68. package/lib/crypto-xwing.js +7 -7
  69. package/lib/crypto.js +6 -6
  70. package/lib/csp.js +2 -2
  71. package/lib/cwt.js +4 -4
  72. package/lib/dark-patterns.js +2 -2
  73. package/lib/data-act.js +2 -2
  74. package/lib/db-file-lifecycle.js +4 -4
  75. package/lib/db-query.js +1 -1
  76. package/lib/db.js +6 -6
  77. package/lib/dbsc.js +13 -13
  78. package/lib/did.js +17 -17
  79. package/lib/dora.js +4 -4
  80. package/lib/dsr.js +1 -1
  81. package/lib/early-hints.js +2 -2
  82. package/lib/eat.js +4 -4
  83. package/lib/external-db-migrate.js +1 -1
  84. package/lib/external-db.js +1 -1
  85. package/lib/flag-cache.js +1 -1
  86. package/lib/flag-evaluation-context.js +2 -2
  87. package/lib/graphql-federation.js +5 -5
  88. package/lib/guard-agent-registry.js +5 -5
  89. package/lib/guard-archive.js +24 -24
  90. package/lib/guard-cidr.js +33 -33
  91. package/lib/guard-csv.js +1 -1
  92. package/lib/guard-domain.js +10 -10
  93. package/lib/guard-dsn.js +4 -4
  94. package/lib/guard-email.js +19 -19
  95. package/lib/guard-event-bus-payload.js +4 -4
  96. package/lib/guard-event-bus-topic.js +6 -6
  97. package/lib/guard-filename.js +7 -7
  98. package/lib/guard-graphql.js +9 -9
  99. package/lib/guard-html-wcag-tagwalk.js +1 -1
  100. package/lib/guard-html-wcag.js +4 -4
  101. package/lib/guard-html.js +7 -7
  102. package/lib/guard-idempotency-key.js +6 -6
  103. package/lib/guard-image.js +4 -4
  104. package/lib/guard-imap-command.js +17 -17
  105. package/lib/guard-jmap.js +20 -20
  106. package/lib/guard-json.js +12 -12
  107. package/lib/guard-jsonpath.js +3 -3
  108. package/lib/guard-jwt.js +4 -4
  109. package/lib/guard-list-id.js +7 -7
  110. package/lib/guard-list-unsubscribe.js +8 -8
  111. package/lib/guard-mail-compose.js +4 -4
  112. package/lib/guard-mail-move.js +5 -5
  113. package/lib/guard-mail-query.js +3 -3
  114. package/lib/guard-mail-reply.js +3 -3
  115. package/lib/guard-mail-sieve.js +6 -6
  116. package/lib/guard-managesieve-command.js +25 -25
  117. package/lib/guard-markdown.js +31 -31
  118. package/lib/guard-message-id.js +5 -5
  119. package/lib/guard-mime.js +1 -1
  120. package/lib/guard-oauth.js +3 -3
  121. package/lib/guard-pdf.js +6 -6
  122. package/lib/guard-pop3-command.js +11 -11
  123. package/lib/guard-posture-chain.js +5 -5
  124. package/lib/guard-regex.js +10 -10
  125. package/lib/guard-saga-config.js +5 -5
  126. package/lib/guard-smtp-command.js +6 -6
  127. package/lib/guard-snapshot-envelope.js +3 -3
  128. package/lib/guard-stream-args.js +4 -4
  129. package/lib/guard-svg.js +11 -11
  130. package/lib/guard-tenant-id.js +5 -5
  131. package/lib/guard-time.js +15 -15
  132. package/lib/guard-trace-context.js +4 -4
  133. package/lib/guard-uuid.js +11 -11
  134. package/lib/guard-xml.js +12 -12
  135. package/lib/guard-yaml.js +16 -16
  136. package/lib/honeytoken.js +5 -5
  137. package/lib/http-client.js +1 -1
  138. package/lib/http-message-signature.js +2 -2
  139. package/lib/iab-mspa.js +3 -3
  140. package/lib/iab-tcf.js +70 -70
  141. package/lib/inbox.js +4 -4
  142. package/lib/ip-utils.js +15 -15
  143. package/lib/jose-jwe-experimental.js +2 -2
  144. package/lib/json-path.js +3 -3
  145. package/lib/json-schema.js +1 -1
  146. package/lib/jsonapi.js +3 -3
  147. package/lib/jtd.js +2 -2
  148. package/lib/link-header.js +1 -1
  149. package/lib/local-db-thin.js +1 -1
  150. package/lib/log.js +1 -1
  151. package/lib/lro.js +4 -4
  152. package/lib/mail-agent.js +1 -1
  153. package/lib/mail-arc-sign.js +6 -6
  154. package/lib/mail-auth.js +43 -43
  155. package/lib/mail-bimi.js +3 -3
  156. package/lib/mail-crypto-pgp.js +31 -31
  157. package/lib/mail-crypto-smime.js +5 -5
  158. package/lib/mail-dav.js +1 -1
  159. package/lib/mail-deploy.js +39 -39
  160. package/lib/mail-dkim.js +11 -11
  161. package/lib/mail-greylist.js +12 -12
  162. package/lib/mail-helo.js +1 -1
  163. package/lib/mail-journal.js +8 -8
  164. package/lib/mail-rbl.js +7 -7
  165. package/lib/mail-scan.js +7 -7
  166. package/lib/mail-send-deliver.js +2 -2
  167. package/lib/mail-server-imap.js +12 -12
  168. package/lib/mail-server-jmap.js +16 -16
  169. package/lib/mail-server-managesieve.js +4 -4
  170. package/lib/mail-server-mx.js +17 -17
  171. package/lib/mail-server-pop3.js +4 -4
  172. package/lib/mail-server-rate-limit.js +2 -2
  173. package/lib/mail-server-submission.js +21 -21
  174. package/lib/mail-sieve.js +2 -2
  175. package/lib/mail-spam-score.js +5 -5
  176. package/lib/mail-srs.js +12 -12
  177. package/lib/mail-store-fts.js +2 -2
  178. package/lib/mail-store.js +8 -8
  179. package/lib/mail-unsubscribe.js +4 -4
  180. package/lib/mail.js +4 -4
  181. package/lib/mcp-tool-registry.js +4 -4
  182. package/lib/mcp.js +9 -9
  183. package/lib/mdoc.js +2 -2
  184. package/lib/metrics.js +8 -8
  185. package/lib/middleware/age-gate.js +1 -1
  186. package/lib/middleware/api-encrypt.js +7 -7
  187. package/lib/middleware/assetlinks.js +2 -2
  188. package/lib/middleware/asyncapi-serve.js +2 -2
  189. package/lib/middleware/bearer-auth.js +5 -5
  190. package/lib/middleware/body-parser.js +5 -5
  191. package/lib/middleware/compose-pipeline.js +15 -15
  192. package/lib/middleware/csp-report.js +4 -4
  193. package/lib/middleware/daily-byte-quota.js +1 -1
  194. package/lib/middleware/dpop.js +1 -1
  195. package/lib/middleware/headers.js +2 -2
  196. package/lib/middleware/host-allowlist.js +1 -1
  197. package/lib/middleware/idempotency-key.js +12 -12
  198. package/lib/middleware/nel.js +1 -1
  199. package/lib/middleware/openapi-serve.js +2 -2
  200. package/lib/middleware/protected-resource-metadata.js +2 -2
  201. package/lib/middleware/require-aal.js +1 -1
  202. package/lib/middleware/require-bound-key.js +2 -2
  203. package/lib/middleware/require-content-type.js +1 -1
  204. package/lib/middleware/require-methods.js +1 -1
  205. package/lib/middleware/require-step-up.js +2 -2
  206. package/lib/middleware/scim-server.js +1 -1
  207. package/lib/middleware/security-txt.js +3 -3
  208. package/lib/middleware/tus-upload.js +12 -12
  209. package/lib/middleware/web-app-manifest.js +2 -2
  210. package/lib/network-byte-quota.js +1 -1
  211. package/lib/network-dns-resolver.js +23 -23
  212. package/lib/network-dns.js +29 -29
  213. package/lib/network-dnssec.js +33 -33
  214. package/lib/network-smtp-policy.js +10 -10
  215. package/lib/network-tls.js +87 -87
  216. package/lib/network-tsig.js +33 -33
  217. package/lib/nis2-report.js +1 -1
  218. package/lib/ntp-check.js +3 -3
  219. package/lib/observability-otlp-exporter.js +17 -17
  220. package/lib/observability-tracer.js +6 -6
  221. package/lib/observability.js +8 -8
  222. package/lib/openapi-yaml.js +1 -1
  223. package/lib/openapi.js +1 -1
  224. package/lib/outbox.js +6 -6
  225. package/lib/pqc-agent.js +4 -4
  226. package/lib/pqc-software.js +1 -1
  227. package/lib/privacy-pass.js +5 -5
  228. package/lib/problem-details.js +5 -5
  229. package/lib/promise-pool.js +1 -1
  230. package/lib/protobuf-encoder.js +1 -1
  231. package/lib/redact.js +2 -2
  232. package/lib/request-helpers.js +1 -1
  233. package/lib/router.js +10 -10
  234. package/lib/safe-async.js +2 -2
  235. package/lib/safe-dns.js +71 -71
  236. package/lib/safe-ical.js +19 -19
  237. package/lib/safe-icap.js +24 -24
  238. package/lib/safe-jsonpath.js +2 -2
  239. package/lib/safe-mime.js +10 -10
  240. package/lib/safe-mount-info.js +3 -3
  241. package/lib/safe-redirect.js +1 -1
  242. package/lib/safe-sieve.js +23 -23
  243. package/lib/safe-smtp.js +1 -1
  244. package/lib/safe-vcard.js +14 -14
  245. package/lib/sandbox.js +5 -5
  246. package/lib/sec-cyber.js +1 -1
  247. package/lib/self-update-standalone-verifier.js +3 -3
  248. package/lib/self-update.js +3 -3
  249. package/lib/server-timing.js +3 -3
  250. package/lib/session-device-binding.js +7 -7
  251. package/lib/session.js +8 -8
  252. package/lib/standard-webhooks.js +4 -4
  253. package/lib/storage.js +2 -2
  254. package/lib/stream-throttle.js +1 -1
  255. package/lib/structured-fields.js +15 -15
  256. package/lib/subject.js +1 -1
  257. package/lib/tcpa-10dlc.js +1 -1
  258. package/lib/tenant-quota.js +3 -3
  259. package/lib/test-harness.js +1 -1
  260. package/lib/tracing.js +1 -1
  261. package/lib/tsa.js +5 -5
  262. package/lib/uri-template.js +5 -5
  263. package/lib/vault/index.js +2 -2
  264. package/lib/vault/seal-pem-file.js +4 -4
  265. package/lib/vc.js +2 -2
  266. package/lib/vendor-data.js +1 -1
  267. package/lib/watcher.js +4 -4
  268. package/lib/web-push-vapid.js +21 -21
  269. package/lib/webhook.js +2 -2
  270. package/lib/websocket.js +3 -3
  271. package/lib/worker-pool.js +3 -3
  272. package/lib/ws-client.js +24 -24
  273. package/lib/xml-c14n.js +2 -2
  274. package/package.json +1 -1
  275. package/sbom.cdx.json +6 -6
package/lib/guard-time.js CHANGED
@@ -57,9 +57,9 @@ var _err = GuardTimeError.factory;
57
57
  // 7: fractional incl. dot (optional) 8: offset (Z or +HH:MM/-HH:MM)
58
58
  var RFC3339_RE = /^(\d{4})-(\d{2})-(\d{2})[Tt ](\d{2}):(\d{2}):(\d{2})(\.\d+)?([Zz]|[+-]\d{2}:\d{2})?$/;
59
59
 
60
- var DEFAULT_MIN_YEAR = 1970; // allow:raw-byte-literal — Unix epoch year
61
- var DEFAULT_MAX_YEAR = 9999; // allow:raw-byte-literal — RFC 3339 4-digit year ceiling
62
- var MAX_FRACTIONAL_DIGITS = 9; // allow:raw-byte-literal — nanosecond precision cap
60
+ var DEFAULT_MIN_YEAR = 1970; // Unix epoch year
61
+ var DEFAULT_MAX_YEAR = 9999; // RFC 3339 4-digit year ceiling
62
+ var MAX_FRACTIONAL_DIGITS = 9; // nanosecond precision cap
63
63
 
64
64
  // ---- Profile presets ----
65
65
 
@@ -206,12 +206,12 @@ function _detectIssues(input, opts) {
206
206
  return issues;
207
207
  }
208
208
 
209
- var year = parseInt(match[1], 10); // allow:raw-byte-literal — base-10 radix
210
- var month = parseInt(match[2], 10); // allow:raw-byte-literal — base-10 radix
211
- var day = parseInt(match[3], 10); // allow:raw-byte-literal — base-10 radix
212
- var hour = parseInt(match[4], 10); // allow:raw-byte-literal — base-10 radix
213
- var minute = parseInt(match[5], 10); // allow:raw-byte-literal — base-10 radix
214
- var second = parseInt(match[6], 10); // allow:raw-byte-literal — base-10 radix
209
+ var year = parseInt(match[1], 10); // base-10 radix
210
+ var month = parseInt(match[2], 10); // base-10 radix
211
+ var day = parseInt(match[3], 10); // base-10 radix
212
+ var hour = parseInt(match[4], 10); // base-10 radix
213
+ var minute = parseInt(match[5], 10); // base-10 radix
214
+ var second = parseInt(match[6], 10); // base-10 radix
215
215
  var fractional = match[7] || "";
216
216
  var offset = match[8];
217
217
 
@@ -226,28 +226,28 @@ function _detectIssues(input, opts) {
226
226
  }
227
227
 
228
228
  // Month / day / hour / minute structural ranges.
229
- if (month < 1 || month > 12) { // allow:raw-byte-literal — month range
229
+ if (month < 1 || month > 12) { // month range
230
230
  issues.push({
231
231
  kind: "month-range", severity: "high",
232
232
  ruleId: "time.month-range",
233
233
  snippet: "month " + month + " outside [1, 12]",
234
234
  });
235
235
  }
236
- if (day < 1 || day > 31) { // allow:raw-byte-literal — day-of-month upper bound
236
+ if (day < 1 || day > 31) { // day-of-month upper bound
237
237
  issues.push({
238
238
  kind: "day-range", severity: "high",
239
239
  ruleId: "time.day-range",
240
240
  snippet: "day " + day + " outside [1, 31]",
241
241
  });
242
242
  }
243
- if (hour > 23) { // allow:raw-byte-literal — hour ceiling
243
+ if (hour > 23) { // hour ceiling
244
244
  issues.push({
245
245
  kind: "hour-range", severity: "high",
246
246
  ruleId: "time.hour-range",
247
247
  snippet: "hour " + hour + " > 23",
248
248
  });
249
249
  }
250
- if (minute > 59) { // allow:raw-byte-literal — minute ceiling
250
+ if (minute > 59) { // minute ceiling
251
251
  issues.push({
252
252
  kind: "minute-range", severity: "high",
253
253
  ruleId: "time.minute-range",
@@ -277,8 +277,8 @@ function _detectIssues(input, opts) {
277
277
  // Day-in-month structural sanity (light — not full Gregorian
278
278
  // rollover; the framework refuses obviously-out-of-bounds dates
279
279
  // like Feb 30 / Apr 31).
280
- var daysInMonth = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]; // allow:raw-byte-literal — Gregorian month-day table
281
- if (month >= 1 && month <= 12 && day > daysInMonth[month - 1]) { // allow:raw-byte-literal — month range
280
+ var daysInMonth = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]; // Gregorian month-day table
281
+ if (month >= 1 && month <= 12 && day > daysInMonth[month - 1]) { // month range
282
282
  issues.push({
283
283
  kind: "day-in-month", severity: "high",
284
284
  ruleId: "time.day-in-month",
package/lib/guard-trace-context.js CHANGED
@@ -33,9 +33,9 @@ var GuardTraceContextError = defineClass("GuardTraceContextError", { alwaysPerma
33
33
  var DEFAULT_PROFILE = "strict";
34
34
 
35
35
  var PROFILES = Object.freeze({
36
- strict: { allowedVersions: ["00"], maxTracestateEntries: 32, maxTracestateBytes: 512 }, // allow:raw-byte-literal
37
- balanced: { allowedVersions: ["00", "01"], maxTracestateEntries: 32, maxTracestateBytes: 512 }, // allow:raw-byte-literal
38
- permissive: { allowedVersions: ["*"], maxTracestateEntries: 64, maxTracestateBytes: 1024 }, // allow:raw-byte-literal
36
+ strict: { allowedVersions: ["00"], maxTracestateEntries: 32, maxTracestateBytes: 512 },
37
+ balanced: { allowedVersions: ["00", "01"], maxTracestateEntries: 32, maxTracestateBytes: 512 },
38
+ permissive: { allowedVersions: ["*"], maxTracestateEntries: 64, maxTracestateBytes: 1024 },
39
39
  });
40
40
 
41
41
  var COMPLIANCE_POSTURES = Object.freeze({
@@ -79,7 +79,7 @@ function validate(ctx, opts) {
79
79
  }
80
80
  // Length bound BEFORE regex test so a hostile input can't burn
81
81
  // regex-engine CPU. W3C section 3.2.1: exactly 55 chars.
82
- if (ctx.traceparent.length !== 55) { // allow:raw-byte-literal — W3C fixed length
82
+ if (ctx.traceparent.length !== 55) { // W3C fixed length
83
83
  throw new GuardTraceContextError("trace-context/bad-traceparent-length",
84
84
  "guardTraceContext.validate: traceparent must be exactly 55 chars (got " +
85
85
  ctx.traceparent.length + ")");
package/lib/guard-uuid.js CHANGED
@@ -77,7 +77,7 @@ var PROFILES = Object.freeze({
77
77
  maxPolicy: "reject",
78
78
  urnPolicy: "reject",
79
79
  bracedPolicy: "reject",
80
- allowedVersions: [1, 2, 3, 4, 5, 6, 7, 8], // allow:raw-byte-literal — UUID version digits
80
+ allowedVersions: [1, 2, 3, 4, 5, 6, 7, 8], // UUID version digits
81
81
  maxBytes: C.BYTES.bytes(64),
82
82
  maxRuntimeMs: C.TIME.seconds(2),
83
83
  },
@@ -93,7 +93,7 @@ var PROFILES = Object.freeze({
93
93
  maxPolicy: "audit",
94
94
  urnPolicy: "audit",
95
95
  bracedPolicy: "audit",
96
- allowedVersions: [1, 2, 3, 4, 5, 6, 7, 8], // allow:raw-byte-literal — UUID version digits
96
+ allowedVersions: [1, 2, 3, 4, 5, 6, 7, 8], // UUID version digits
97
97
  maxBytes: C.BYTES.bytes(64),
98
98
  maxRuntimeMs: C.TIME.seconds(2),
99
99
  },
@@ -155,8 +155,8 @@ function _classifyForm(input) {
155
155
  function _toCanonicalHex(input, form) {
156
156
  // Strips dashes / braces / urn prefix, returns 32-char lowercase hex.
157
157
  var s = input.toLowerCase();
158
- if (form === "urn") s = s.slice("urn:uuid:".length); // allow:raw-byte-literal — string-length offset
159
- if (form === "braced") s = s.slice(1, -1); // allow:raw-byte-literal — string-length offset
158
+ if (form === "urn") s = s.slice("urn:uuid:".length); // string-length offset
159
+ if (form === "braced") s = s.slice(1, -1); // string-length offset
160
160
  return s.replace(/-/g, "");
161
161
  }
162
162
 
@@ -253,8 +253,8 @@ function _detectIssues(input, opts) {
253
253
  // Version + variant inspection (skip for nil / max — those bypass the
254
254
  // version-bits check by definition).
255
255
  if (hex !== NIL_HEX && hex !== MAX_HEX) {
256
- var versionDigit = parseInt(hex.charAt(12), 16); // allow:raw-byte-literal — hex digit position 12
257
- var variantNibble = parseInt(hex.charAt(16), 16); // allow:raw-byte-literal — hex digit position 16
256
+ var versionDigit = parseInt(hex.charAt(12), 16); // hex digit position 12
257
+ var variantNibble = parseInt(hex.charAt(16), 16); // hex digit position 16
258
258
 
259
259
  if (opts.versionPolicy !== "allow") {
260
260
  var allowed = opts.allowedVersions;
@@ -274,13 +274,13 @@ function _detectIssues(input, opts) {
274
274
  if (opts.variantPolicy !== "allow") {
275
275
  // RFC 4122 / 9562 variant: high two bits of the variant nibble are
276
276
  // 10xx (i.e. nibble in 8/9/a/b).
277
- var isRfcVariant = (variantNibble & 0xC) === 0x8; // allow:raw-byte-literal — variant-bit mask
277
+ var isRfcVariant = (variantNibble & 0xC) === 0x8; // variant-bit mask
278
278
  if (!isRfcVariant) {
279
279
  issues.push({
280
280
  kind: "variant-non-rfc",
281
281
  severity: opts.variantPolicy === "reject-non-rfc" ? "high" : "warn",
282
282
  ruleId: "uuid.variant-non-rfc",
283
- snippet: "uuid variant nibble `" + hex.charAt(16) + "` is not " + // allow:raw-byte-literal — hex digit position 16
283
+ snippet: "uuid variant nibble `" + hex.charAt(16) + "` is not " + // hex digit position 16
284
284
  "the RFC 4122 / 9562 variant (10xx — nibble 8-b)",
285
285
  });
286
286
  }
@@ -393,9 +393,9 @@ function sanitize(input, opts) {
393
393
  var form = _classifyForm(input);
394
394
  if (!form) return input;
395
395
  var hex = _toCanonicalHex(input, form);
396
- return hex.slice(0, 8) + "-" + hex.slice(8, 12) + "-" + // allow:raw-byte-literal — UUID hex slice positions
397
- hex.slice(12, 16) + "-" + hex.slice(16, 20) + "-" + // allow:raw-byte-literal — UUID hex slice positions
398
- hex.slice(20); // allow:raw-byte-literal — UUID hex slice positions
396
+ return hex.slice(0, 8) + "-" + hex.slice(8, 12) + "-" + // UUID hex slice positions
397
+ hex.slice(12, 16) + "-" + hex.slice(16, 20) + "-" + // UUID hex slice positions
398
+ hex.slice(20); // UUID hex slice positions
399
399
  }
400
400
 
401
401
  /**
package/lib/guard-xml.js CHANGED
@@ -118,11 +118,11 @@ var PROFILES = Object.freeze({
118
118
  nullBytePolicy: "reject",
119
119
  zeroWidthPolicy: "reject",
120
120
  maxBytes: C.BYTES.mib(2),
121
- maxDepth: 64, // allow:raw-byte-literal — recursion depth, not byte size
122
- maxElements: 8192, // allow:raw-byte-literal — element count cap, not byte size
123
- maxAttrsPerElement: 64, // allow:raw-byte-literal — attr count, not byte size
121
+ maxDepth: 64, // recursion depth, not byte size
122
+ maxElements: 8192, // element count cap, not byte size
123
+ maxAttrsPerElement: 64, // attr count, not byte size
124
124
  maxAttrValueBytes: C.BYTES.kib(8),
125
- maxNumericCharRefs: 1024, // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
125
+ maxNumericCharRefs: 1024, // NCR fan-out cap (CVE-2026-26278)
126
126
  },
127
127
  "balanced": {
128
128
  doctypePolicy: "reject", // DOCTYPE is XXE vector regardless
@@ -138,11 +138,11 @@ var PROFILES = Object.freeze({
138
138
  nullBytePolicy: "strip",
139
139
  zeroWidthPolicy: "strip",
140
140
  maxBytes: C.BYTES.mib(8),
141
- maxDepth: 256, // allow:raw-byte-literal — recursion depth, not byte size
142
- maxElements: 65536, // allow:raw-byte-literal — element count cap, not byte size
143
- maxAttrsPerElement: 128, // allow:raw-byte-literal — attr count, not byte size
141
+ maxDepth: 256, // recursion depth, not byte size
142
+ maxElements: 65536, // element count cap, not byte size
143
+ maxAttrsPerElement: 128, // attr count, not byte size
144
144
  maxAttrValueBytes: C.BYTES.kib(32),
145
- maxNumericCharRefs: 16384, // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
145
+ maxNumericCharRefs: 16384, // NCR fan-out cap (CVE-2026-26278)
146
146
  },
147
147
  "permissive": {
148
148
  doctypePolicy: "reject", // billion-laughs class always
@@ -158,11 +158,11 @@ var PROFILES = Object.freeze({
158
158
  nullBytePolicy: "reject",
159
159
  zeroWidthPolicy: "strip",
160
160
  maxBytes: C.BYTES.mib(64),
161
- maxDepth: 1024, // allow:raw-byte-literal — recursion depth, not byte size
162
- maxElements: 262144, // allow:raw-byte-literal — element count cap, not byte size
163
- maxAttrsPerElement: 256, // allow:raw-byte-literal — attr count, not byte size
161
+ maxDepth: 1024, // recursion depth, not byte size
162
+ maxElements: 262144, // element count cap, not byte size
163
+ maxAttrsPerElement: 256, // attr count, not byte size
164
164
  maxAttrValueBytes: C.BYTES.kib(64),
165
- maxNumericCharRefs: 262144, // allow:raw-byte-literal — NCR fan-out cap (CVE-2026-26278)
165
+ maxNumericCharRefs: 262144, // NCR fan-out cap (CVE-2026-26278)
166
166
  },
167
167
  });
168
168
 
package/lib/guard-yaml.js CHANGED
@@ -126,11 +126,11 @@ var PROFILES = Object.freeze({
126
126
  zeroWidthPolicy: "reject",
127
127
  safeCoreTagsAllowed: false,
128
128
  maxBytes: C.BYTES.mib(2),
129
- maxDepth: 8, // allow:raw-byte-literal — recursion depth, not byte size
130
- maxAnchors: 16, // allow:raw-byte-literal — anchor count cap, not byte size
131
- maxAliasDepth: 1, // allow:raw-byte-literal — alias chain cap, not byte size
132
- maxDocuments: 1, // allow:raw-byte-literal — doc count cap, not byte size
133
- maxNodes: 1024, // allow:raw-byte-literal — node count cap, not byte size
129
+ maxDepth: 8, // recursion depth, not byte size
130
+ maxAnchors: 16, // anchor count cap, not byte size
131
+ maxAliasDepth: 1, // alias chain cap, not byte size
132
+ maxDocuments: 1, // doc count cap, not byte size
133
+ maxNodes: 1024, // node count cap, not byte size
134
134
  maxScalarLength: C.BYTES.kib(8),
135
135
  },
136
136
  "balanced": {
@@ -147,11 +147,11 @@ var PROFILES = Object.freeze({
147
147
  zeroWidthPolicy: "strip",
148
148
  safeCoreTagsAllowed: true,
149
149
  maxBytes: C.BYTES.mib(8),
150
- maxDepth: 32, // allow:raw-byte-literal — recursion depth, not byte size
151
- maxAnchors: 64, // allow:raw-byte-literal — anchor count cap, not byte size
152
- maxAliasDepth: 3, // allow:raw-byte-literal — alias chain cap, not byte size
153
- maxDocuments: 16, // allow:raw-byte-literal — doc count cap, not byte size
154
- maxNodes: 16384, // allow:raw-byte-literal — node count cap, not byte size
150
+ maxDepth: 32, // recursion depth, not byte size
151
+ maxAnchors: 64, // anchor count cap, not byte size
152
+ maxAliasDepth: 3, // alias chain cap, not byte size
153
+ maxDocuments: 16, // doc count cap, not byte size
154
+ maxNodes: 16384, // node count cap, not byte size
155
155
  maxScalarLength: C.BYTES.kib(64),
156
156
  },
157
157
  "permissive": {
@@ -168,11 +168,11 @@ var PROFILES = Object.freeze({
168
168
  zeroWidthPolicy: "strip",
169
169
  safeCoreTagsAllowed: true,
170
170
  maxBytes: C.BYTES.mib(64),
171
- maxDepth: 64, // allow:raw-byte-literal — recursion depth, not byte size
172
- maxAnchors: 1024, // allow:raw-byte-literal — anchor count cap, not byte size
173
- maxAliasDepth: 8, // allow:raw-byte-literal — alias chain cap, not byte size
174
- maxDocuments: 256, // allow:raw-byte-literal — doc count cap, not byte size
175
- maxNodes: 65536, // allow:raw-byte-literal — node count cap, not byte size
171
+ maxDepth: 64, // recursion depth, not byte size
172
+ maxAnchors: 1024, // anchor count cap, not byte size
173
+ maxAliasDepth: 8, // alias chain cap, not byte size
174
+ maxDocuments: 256, // doc count cap, not byte size
175
+ maxNodes: 65536, // node count cap, not byte size
176
176
  maxScalarLength: C.BYTES.kib(256),
177
177
  },
178
178
  });
@@ -314,7 +314,7 @@ function _detectIssues(input, opts) {
314
314
  // is ratio >= 8. Independent of maxAnchors absolute cap (which is
315
315
  // about overall load); ratio is about exponential expansion shape.
316
316
  var ampRatio = aliases.length / Math.max(anchors.length, 1);
317
- if (anchors.length >= 1 && ampRatio >= 8) { // allow:raw-byte-literal — multiplier ratio, not byte size
317
+ if (anchors.length >= 1 && ampRatio >= 8) { // multiplier ratio, not byte size
318
318
  issues.push({
319
319
  kind: "alias-explosion", severity: "critical",
320
320
  ruleId: "yaml.alias-explosion",
package/lib/honeytoken.js CHANGED
@@ -40,10 +40,10 @@ var audit = lazyRequire(function () { return require("./audit"); });
40
40
  var HoneytokenError = defineClass("HoneytokenError", { alwaysPermanent: true });
41
41
 
42
42
  var KINDS = Object.freeze({
43
- apiKey: function () { return "bk_canary_" + bCrypto.generateToken(16); }, // allow:raw-byte-literal — 16-byte (128-bit) canary entropy
44
- session: function () { return "bks_canary_" + bCrypto.generateToken(24); }, // allow:raw-byte-literal — 24-byte (192-bit) canary entropy
45
- url: function () { return "/admin/canary-" + bCrypto.generateToken(16); }, // allow:raw-byte-literal — 16-byte canary entropy
46
- rowId: function () { return "ht_canary_" + bCrypto.generateToken(16); }, // allow:raw-byte-literal — 16-byte canary entropy
43
+ apiKey: function () { return "bk_canary_" + bCrypto.generateToken(16); }, // 16-byte (128-bit) canary entropy
44
+ session: function () { return "bks_canary_" + bCrypto.generateToken(24); }, // 24-byte (192-bit) canary entropy
45
+ url: function () { return "/admin/canary-" + bCrypto.generateToken(16); }, // 16-byte canary entropy
46
+ rowId: function () { return "ht_canary_" + bCrypto.generateToken(16); }, // 16-byte canary entropy
47
47
  });
48
48
 
49
49
  /**
@@ -102,7 +102,7 @@ function create(opts) {
102
102
  "(supported: " + Object.keys(KINDS).join(", ") + ")");
103
103
  }
104
104
  var value = KINDS[kind]();
105
- var id = "ht_" + bCrypto.generateToken(8); // allow:raw-byte-literal — 8-byte registry id
105
+ var id = "ht_" + bCrypto.generateToken(8); // 8-byte registry id
106
106
  var record = Object.freeze({
107
107
  id: id,
108
108
  kind: kind,
package/lib/http-client.js CHANGED
@@ -1035,7 +1035,7 @@ function _revalidate(cache, method, opts, entry, requestHeaders) {
1035
1035
 
1036
1036
  return p.then(function (boxed) {
1037
1037
  var res = boxed.res;
1038
- if (res.statusCode === 304) { // allow:raw-byte-literal — HTTP 304 Not Modified status code, not bytes
1038
+ if (res.statusCode === 304) { // HTTP 304 Not Modified status code, not bytes
1039
1039
  // Merge 304 headers into the stored entry.
1040
1040
  var refreshed;
1041
1041
  try { refreshed = cache._refreshFrom304(entry, res.headers); }
package/lib/http-message-signature.js CHANGED
@@ -91,7 +91,7 @@ function _sfQuotedString(s) {
91
91
  // information.
92
92
  for (var i = 0; i < s.length; i++) {
93
93
  var c = s.charCodeAt(i);
94
- if (c < 0x20 || c > 0x7E) { // allow:raw-byte-literal — RFC 8941 §3.3.3 printable-ASCII range
94
+ if (c < 0x20 || c > 0x7E) { // RFC 8941 §3.3.3 printable-ASCII range
95
95
  throw _err("BAD_PARAM",
96
96
  "httpSig: parameter string contains non-printable byte at offset " + i);
97
97
  }
@@ -539,7 +539,7 @@ function verify(msg, opts) {
539
539
  var sigB64;
540
540
  try { sigB64 = _parseSignature(sig, parsedInput.label); }
541
541
  catch (e) { return { valid: false, reason: "bad-signature-header", error: e.message }; }
542
- if (!safeBuffer.BASE64URL_RE && typeof sigB64 !== "string") { // allow:raw-byte-literal — defensive base64 shape check
542
+ if (!safeBuffer.BASE64URL_RE && typeof sigB64 !== "string") { // defensive base64 shape check
543
543
  return { valid: false, reason: "bad-signature-encoding" };
544
544
  }
545
545
  var sigBuf;
package/lib/iab-mspa.js CHANGED
@@ -35,7 +35,7 @@ var IabMspaError = defineClass("IabMspaError", { alwaysPermanent: true });
35
35
  // https://iabtechlab.com/standards/global-privacy-platform/sections).
36
36
  var SECTION_IDS = {
37
37
  7: "usnat", // US National Privacy
38
- 8: "usca", // California (CCPA / CPRA) // allow:raw-byte-literal — IAB GPP section ID, not bytes
38
+ 8: "usca", // California (CCPA / CPRA) // IAB GPP section ID, not bytes
39
39
  9: "usva", // Virginia
40
40
  10: "usco", // Colorado
41
41
  11: "usut", // Utah
@@ -43,7 +43,7 @@ var SECTION_IDS = {
43
43
  13: "usnv", // Nevada
44
44
  14: "usia", // Iowa
45
45
  15: "usde", // Delaware
46
- 16: "usnj", // New Jersey // allow:raw-byte-literal — IAB GPP section ID, not bytes
46
+ 16: "usnj", // New Jersey // IAB GPP section ID, not bytes
47
47
  17: "ustx", // Texas (TDPSA)
48
48
  18: "usor", // Oregon
49
49
  19: "usmt", // Montana
@@ -77,7 +77,7 @@ function parseGpp(gppString) {
77
77
  throw IabMspaError.factory("iab-mspa/bad-input",
78
78
  "iabMspa.parseGpp: gppString required");
79
79
  }
80
- if (gppString.length > 8192) { // allow:raw-byte-literal — GPP string cap, not bytes
80
+ if (gppString.length > 8192) { // GPP string cap, not bytes
81
81
  throw IabMspaError.factory("iab-mspa/input-too-large",
82
82
  "iabMspa.parseGpp: gppString exceeds 8192 chars");
83
83
  }