@blamejs/core 0.14.1 → 0.14.3

package/lib/compliance-sanctions-fuzzy.js

@@ -104,7 +104,7 @@ function tokenize(name) {
   return n.split(" ").filter(function (t) { return t.length > 0; });
 }
 
-var MAX_INPUT_LEN = 512;                                                           // allow:raw-byte-literal — name length sanity cap (operators can override fuzzy.create)
+var MAX_INPUT_LEN = 512;                                                           // name length sanity cap (operators can override fuzzy.create)
 
 // ---- Levenshtein with cap + early-exit ----
 
@@ -155,7 +155,7 @@ function jaro(a, b) {
   if (typeof a !== "string" || typeof b !== "string") return 0;
   if (a === b) return a.length === 0 ? 0 : 1;
   if (a.length === 0 || b.length === 0) return 0;
-  var matchWindow = Math.max(0, Math.floor(Math.max(a.length, b.length) / 2) - 1);  // allow:raw-byte-literal — Jaro match-window formula
+  var matchWindow = Math.max(0, Math.floor(Math.max(a.length, b.length) / 2) - 1);  // Jaro match-window formula
   var aMatched = new Array(a.length).fill(false);
   var bMatched = new Array(b.length).fill(false);
   var matches = 0;
@@ -183,7 +183,7 @@ function jaro(a, b) {
   }
   var transpositions = t / 2;
   return (matches / a.length + matches / b.length +
-          (matches - transpositions) / matches) / 3;                                // allow:raw-byte-literal — Jaro 3-term formula
+          (matches - transpositions) / matches) / 3;                                // Jaro 3-term formula
 }
 
 function jaroWinkler(a, b, prefixWeight) {
@@ -198,7 +198,7 @@ function jaroWinkler(a, b, prefixWeight) {
   var j = jaro(a, b);
   if (j === 0) return 0;
   // Common prefix up to 4 chars (Winkler's cap)
-  var maxPrefix = 4;                                                               // allow:raw-byte-literal — Jaro-Winkler prefix cap (Winkler 1990)
+  var maxPrefix = 4;                                                               // Jaro-Winkler prefix cap (Winkler 1990)
   var prefixLen = 0;
   var max = Math.min(a.length, b.length, maxPrefix);
   for (var i = 0; i < max; i++) {

package/lib/compliance-sanctions.js

@@ -274,7 +274,7 @@ function create(opts) {
       VALID_STRATEGIES.join(", "));
   }
   var maxLevenshtein = (typeof fuzzyOpts.maxLevenshtein === "number" && isFinite(fuzzyOpts.maxLevenshtein))
-    ? fuzzyOpts.maxLevenshtein : 3;                                                // allow:raw-byte-literal — default edit-distance cap (operator-tunable)
+    ? fuzzyOpts.maxLevenshtein : 3;                                                // default edit-distance cap (operator-tunable)
   var auditOn = opts.audit !== false;
   var ruleVersion = opts.ruleVersion || ("entries:" + opts.entries.length);
 
@@ -327,10 +327,10 @@ function create(opts) {
       }
       // Substring containment scores 0.92 (high but below exact)
       if (fuzzy.substringContains(name, qNorm)) {
-        if (0.92 > bestScore) { bestScore = 0.92; bestName = name; }                // allow:raw-byte-literal — substring-match score weight
+        if (0.92 > bestScore) { bestScore = 0.92; bestName = name; }                // substring-match score weight
       }
       if (fuzzy.substringContains(qNorm, name)) {
-        if (0.92 > bestScore) { bestScore = 0.92; bestName = name; }                // allow:raw-byte-literal — substring-match score weight
+        if (0.92 > bestScore) { bestScore = 0.92; bestName = name; }                // substring-match score weight
       }
     }
     return { score: bestScore, name: bestName };
@@ -491,7 +491,7 @@ function create(opts) {
       algorithm:    algorithm,
       ruleVersion:  ruleVersion,
       entryCount:   index.length,
-      digest:       hash.digest("hex").slice(0, 32),                                // allow:raw-byte-literal — first 32 hex chars (128 bits) of SHA-3 digest, sufficient for snapshot identity
+      digest:       hash.digest("hex").slice(0, 32),                                // first 32 hex chars (128 bits) of SHA-3 digest, sufficient for snapshot identity
       digestAlg:    "sha3-512-trunc128",
       capturedAt:   Date.now(),
     };

package/lib/compliance.js

@@ -93,14 +93,14 @@ var KNOWN_POSTURES = Object.freeze([
   "tcpa-10dlc",      // TCPA 10DLC carrier-shaped consent + FCC 1:1 disclosure
   "fda-21cfr11",     // FDA 21 CFR Part 11 — audit-trail + electronic signatures (general-purpose subset)
   "fda-annex-11",    // EU GMP Annex 11 — computerized systems (Part-11 equivalent)
-  "sec-1.05",        // SEC Cybersecurity Disclosure Item 1.05 — material-incident 8-K filing                                  // allow:raw-byte-literal — regulatory identifier, not bytes
+  "sec-1.05",        // SEC Cybersecurity Disclosure Item 1.05 — material-incident 8-K filing                                  // regulatory identifier, not bytes
   // ---- US state student-data privacy (F5.1 posture group) ----
   "ny-2-d",          // NY Education Law §2-d
   "il-soppa",        // Illinois Student Online Personal Protection Act
   "ca-sopipa",       // California Student Online Personal Information Protection Act
   "ct-pa-5-2",       // Connecticut Public Act 5-2
-  "tx-hb-4504",      // Texas HB 4504                                                                                            // allow:raw-byte-literal — statute identifier, not bytes
-  "va-sb-1376",      // Virginia SB 1376                                                                                         // allow:raw-byte-literal — statute identifier, not bytes
+  "tx-hb-4504",      // Texas HB 4504                                                                                            // statute identifier, not bytes
+  "va-sb-1376",      // Virginia SB 1376                                                                                         // statute identifier, not bytes
   // ---- EU government / cloud-region ----
   "staterramp",      // StateRAMP / TX-RAMP / AZ-RAMP / GovRAMP family (FedRAMP-Moderate cross-walks)
   "irap",            // Australia IRAP / Essential Eight / ISM
@@ -149,7 +149,7 @@ var KNOWN_POSTURES = Object.freeze([
   "il-hb3773",       // Illinois HB 3773 — IHRA AI amendment (effective 2026-01-01)
   "tx-traiga",       // Texas Responsible AI Governance Act HB 149 (effective 2026-01-01)
   "ut-aipa",         // Utah AI Disclosure Act (UAIPA + 2025 amendments; sunset 2027-07-01)
-  "nyc-ll144",       // NYC Local Law 144 — Automated Employment Decision Tools (in force)                                    // allow:raw-byte-literal — regulatory identifier, not bytes
+  "nyc-ll144",       // NYC Local Law 144 — Automated Employment Decision Tools (in force)                                    // regulatory identifier, not bytes
   "ca-tfaia",        // California SB 53 — Transparency in Frontier AI Act (effective 2026-01-01)
   "kr-ai-basic",     // South Korea AI Basic Act (effective 2026-01-22)
   "cn-ai-label",     // China Measures for Labelling of AI-Generated Content (effective 2025-09-01)
@@ -157,8 +157,8 @@ var KNOWN_POSTURES = Object.freeze([
   "iso-42001",       // ISO/IEC 42001:2023 — AI Management System
   "iso-23894",       // ISO/IEC 23894:2023 — AI Risk Management Guidance
   // ---- v0.8.81 expansion — content-credentials posture flags ----
-  "ca-sb942",        // California SB-942 (Cal. Bus. & Prof. Code §22757) gen-AI disclosure (effective 2026-08-02)             // allow:raw-byte-literal — regulatory identifier + date, not bytes
-  "ca-ab853",        // California AB-853 platform-side gen-AI detection (effective 2026-08-02)                                // allow:raw-byte-literal — regulatory identifier + date, not bytes
+  "ca-sb942",        // California SB-942 (Cal. Bus. & Prof. Code §22757) gen-AI disclosure (effective 2026-08-02)             // regulatory identifier + date, not bytes
+  "ca-ab853",        // California AB-853 platform-side gen-AI detection (effective 2026-08-02)                                // regulatory identifier + date, not bytes
   // ---- v0.8.81 expansion — substrate-to-posture cleanup ----
   "eaa",             // EU Accessibility Act / Directive (EU) 2019/882 (effective 2025-06-28)
   "wcag-2-2",        // W3C Web Content Accessibility Guidelines 2.2 (Oct 2023 Recommendation)
@@ -170,7 +170,7 @@ var KNOWN_POSTURES = Object.freeze([
   // US federal child / financial privacy
   "coppa",           // Children's Online Privacy Protection Act (15 U.S.C. §6501)
   "coppa-2025",      // COPPA 2025 Amendment (FTC final 2025-04-22; effective 2026-06-23 — biometric expansion + knowing-collection disclosure)
-  "glba-safeguards", // GLBA Safeguards Rule 2024 Amendment (16 CFR Part 314 — effective 2024-05-13)                            // allow:raw-byte-literal — CFR title number, not bytes
+  "glba-safeguards", // GLBA Safeguards Rule 2024 Amendment (16 CFR Part 314 — effective 2024-05-13)                            // CFR title number, not bytes
   // UK
   "uk-duaa",         // UK Data (Use and Access) Act 2025 (Royal Assent 2025-06-19; replaces DPDI Bill)
   // Latin America
@@ -199,7 +199,7 @@ var KNOWN_POSTURES = Object.freeze([
   "nist-pf-1.1",     // NIST Privacy Framework 1.1 (final 2025-04-14)
   // EU non-personal-data + adjacent
   "dsa",             // EU Digital Services Act (Regulation 2022/2065; fully applicable 2024-02-17)
-  "dga",             // EU Data Governance Act (Regulation 2022/868; applicable 2023-09-24)                                     // allow:raw-byte-literal — calendar day, not bytes
+  "dga",             // EU Data Governance Act (Regulation 2022/868; applicable 2023-09-24)                                     // calendar day, not bytes
   "eu-cer",          // EU Critical Entities Resilience Directive (2022/2557; transposition 2024-10-17)
   "eu-cyber-sol",    // EU Cyber Solidarity Act (Regulation 2025/38; effective 2025-02-04)
   "eidas-2",         // eIDAS 2 / EUDI Wallet (Regulation 2024/1183; rollout 2026-2027)
@@ -211,7 +211,7 @@ var KNOWN_POSTURES = Object.freeze([
   "iso-27017",       // ISO/IEC 27017 — Cloud-services security controls
   "iso-27018",       // ISO/IEC 27018 — PII protection in public-cloud processors
   "iso-27701",       // ISO/IEC 27701 — Privacy Information Management System
-  "nist-800-66-r2",  // NIST SP 800-66 Rev 2 — HIPAA Security Rule implementation guidance                                       // allow:raw-byte-literal — NIST publication number, not bytes
+  "nist-800-66-r2",  // NIST SP 800-66 Rev 2 — HIPAA Security Rule implementation guidance                                       // NIST publication number, not bytes
   "ehds",            // EU European Health Data Space (Regulation 2025/327; phased 2027-2029)
   "circia",          // US Cyber Incident Reporting for Critical Infrastructure Act (final rule pending)
   // ---- v0.9.6 expansion — exceptd framework-control-gap closure ----
@@ -224,16 +224,16 @@ var KNOWN_POSTURES = Object.freeze([
   // the named regime's evidence expectations.
   "nist-800-53",                 // NIST SP 800-53 Rev 5 — full Moderate / High baseline
   "nist-ai-rmf-1.0",             // NIST AI Risk Management Framework 1.0
-  "iso-42001-2023",              // ISO/IEC 42001:2023 — AI management system (alias for v0.8.81 iso-42001 entry, kept for posture-vocabulary stability)                                              // allow:raw-byte-literal — standard publication year, not bytes
+  "iso-42001-2023",              // ISO/IEC 42001:2023 — AI management system (alias for v0.8.81 iso-42001 entry, kept for posture-vocabulary stability)                                              // standard publication year, not bytes
   "iso-23894-2023",              // ISO/IEC 23894:2023 — AI risk management guidance (alias)
   "owasp-llm-top-10-2025",       // OWASP Top 10 for LLM Applications 2025
   "owasp-asvs-v5.0",             // OWASP Application Security Verification Standard v5.0
-  "nist-800-218-ssdf",           // NIST SP 800-218 Secure Software Development Framework v1.1                                                                                                            // allow:raw-byte-literal — NIST pub number, not bytes
-  "nist-800-82-r3",              // NIST SP 800-82 Rev 3 — OT security guide                                                       // allow:raw-byte-literal — NIST pub number, not bytes
+  "nist-800-218-ssdf",           // NIST SP 800-218 Secure Software Development Framework v1.1                                                                                                            // NIST pub number, not bytes
+  "nist-800-82-r3",              // NIST SP 800-82 Rev 3 — OT security guide                                                       // NIST pub number, not bytes
   "nist-800-63b-rev4",           // NIST SP 800-63B Rev 4 — Digital Identity (AAL/IAL/FAL)
   "iec-62443-3-3",               // IEC 62443-3-3 — IACS system security
   "fedramp-rev5-moderate",       // FedRAMP Rev 5 Moderate baseline
-  "hipaa-security-rule",         // HIPAA Security Rule 45 CFR §164.312 (technical safeguards)                                     // allow:raw-byte-literal — CFR section, not bytes
+  "hipaa-security-rule",         // HIPAA Security Rule 45 CFR §164.312 (technical safeguards)                                     // CFR section, not bytes
   "hitrust-csf-v11.4",           // HITRUST CSF v11.4
   "nerc-cip-007-6",              // NERC CIP-007-6 — BES Cyber System Security Management
   "psd2-rts-sca",                // EU PSD2 RTS on Strong Customer Authentication (Commission Delegated Regulation 2018/389)
@@ -244,10 +244,10 @@ var KNOWN_POSTURES = Object.freeze([
   "spdx-v3.0",                   // SPDX v3.0 SBOM — framework ships sbom.spdx.json (v0.9.6+)
   "owasp-wstg-v5",               // OWASP Web Security Testing Guide v5
   "ptes",                        // Penetration Testing Execution Standard
-  "nist-800-115",                // NIST SP 800-115 Technical Guide to Information Security Testing                               // allow:raw-byte-literal — NIST pub number, not bytes
+  "nist-800-115",                // NIST SP 800-115 Technical Guide to Information Security Testing                               // NIST pub number, not bytes
   "cwe-top-25-2024",             // CWE Top 25 Most Dangerous Software Weaknesses (2024)
   "cis-controls-v8",             // CIS Controls v8
-  "cmmc-2.0-level-2",            // CMMC 2.0 Level 2 (Advanced) — 110 NIST 800-171 Rev 2 controls                                                                                                          // allow:raw-byte-literal — NIST pub number / level, not bytes
+  "cmmc-2.0-level-2",            // CMMC 2.0 Level 2 (Advanced) — 110 NIST 800-171 Rev 2 controls                                                                                                          // NIST pub number / level, not bytes
   // ---- v0.9.57 — granular CMMC level distinction ----
   // CMMC 2.0 maturity levels carry distinct control-mapping
   // expectations: Level 1 = 15 controls (FAR 52.204-21), Level 2 =
@@ -255,29 +255,29 @@ var KNOWN_POSTURES = Object.freeze([
   // 800-172 enhanced controls. The umbrella "cmmc-2.0" posture
   // remains for back-compat with existing operators; the explicit
   // L1/L2/L3 postures are the recommended pin for new deployments.
-  "cmmc-2.0-level-1",            // CMMC 2.0 Level 1 (Foundational) — 15 FAR controls; FCI-only data        // allow:raw-byte-literal — regulatory identifier, not bytes
-  "cmmc-2.0-level-3",            // CMMC 2.0 Level 3 (Expert) — NIST 800-172 enhanced controls atop L2       // allow:raw-byte-literal — regulatory identifier, not bytes
+  "cmmc-2.0-level-1",            // CMMC 2.0 Level 1 (Foundational) — 15 FAR controls; FCI-only data        // regulatory identifier, not bytes
+  "cmmc-2.0-level-3",            // CMMC 2.0 Level 3 (Expert) — NIST 800-172 enhanced controls atop L2       // regulatory identifier, not bytes
   // ---- v0.12.1 — promote POSTURE_DEFAULTS-only entries into the
   // canonical KNOWN_POSTURES surface so operators can actually
   // `b.compliance.set(...)` them. Each entry had cascade
   // configuration wired but couldn't be pinned because set()'s
   // KNOWN_POSTURES check refused unknown strings.
-  "42-cfr-part-2",               // 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records (HHS final rule 2024-02-08)                                                                                  // allow:raw-byte-literal — CFR section identifier, not bytes
+  "42-cfr-part-2",               // 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records (HHS final rule 2024-02-08)                                                                                  // CFR section identifier, not bytes
   "hti-1",                       // ONC HTI-1 — Health IT certification + algorithm transparency (45 CFR Part 170; effective 2024-12-31)
-  "uscdi-v4",                    // USCDI v4 — US Core Data for Interoperability v4 (ONC; 2024-01)                                          // allow:raw-byte-literal — version identifier, not bytes
-  "irs-1075",                    // IRS Publication 1075 — Tax Information Security Guidelines (Rev. 11-2023)                              // allow:raw-byte-literal — publication number, not bytes
-  "nist-800-172-r3",             // NIST SP 800-172 Rev 3 — Enhanced Security Requirements for CUI                                          // allow:raw-byte-literal — publication number, not bytes
+  "uscdi-v4",                    // USCDI v4 — US Core Data for Interoperability v4 (ONC; 2024-01)                                          // version identifier, not bytes
+  "irs-1075",                    // IRS Publication 1075 — Tax Information Security Guidelines (Rev. 11-2023)                              // publication number, not bytes
+  "nist-800-172-r3",             // NIST SP 800-172 Rev 3 — Enhanced Security Requirements for CUI                                          // publication number, not bytes
   "tlp-2.0",                     // FIRST Traffic Light Protocol 2.0 — information-sharing classifications (TLP:CLEAR / GREEN / AMBER / AMBER+STRICT / RED)
   "soci-au",                     // Australia Security of Critical Infrastructure Act (SOCI 2018) + 2022 amendments
-  "ffiec-cat-2",                 // FFIEC Cybersecurity Assessment Tool 2.0 (federal financial institution exam)                            // allow:raw-byte-literal — tool version, not bytes
-  "cri-profile-v2.0",            // Cyber Risk Institute Profile v2.0 — financial-services framework mapping (NIST CSF cross-walk)         // allow:raw-byte-literal — version identifier, not bytes
+  "ffiec-cat-2",                 // FFIEC Cybersecurity Assessment Tool 2.0 (federal financial institution exam)                            // tool version, not bytes
+  "cri-profile-v2.0",            // Cyber Risk Institute Profile v2.0 — financial-services framework mapping (NIST CSF cross-walk)         // version identifier, not bytes
   "m-22-09",                     // OMB M-22-09 — Federal Zero Trust Architecture Strategy
   "m-22-18",                     // OMB M-22-18 — Enhancing Software Supply Chain Security (SSDF attestation)
-  "nist-800-53-r5-privacy",      // NIST SP 800-53 Rev 5 — Privacy Control Family overlay                                                   // allow:raw-byte-literal — publication number, not bytes
-  "nist-ai-600-1-genai",         // NIST AI 600-1 — Generative AI Profile (companion to AI RMF 1.0)                                          // allow:raw-byte-literal — publication number, not bytes
-  "nist-csf-2.0",                // NIST Cybersecurity Framework 2.0 (Feb 2024)                                                              // allow:raw-byte-literal — framework version, not bytes
-  "sb-53",                       // California SB-53 — Transparency in Frontier AI Act (effective 2025-09-29)                                // allow:raw-byte-literal — statute identifier, not bytes
-  "nyc-ll144-2024",              // NYC Local Law 144 — Automated Employment Decision Tool bias audits (2024 enforcement update)             // allow:raw-byte-literal — statute identifier, not bytes
+  "nist-800-53-r5-privacy",      // NIST SP 800-53 Rev 5 — Privacy Control Family overlay                                                   // publication number, not bytes
+  "nist-ai-600-1-genai",         // NIST AI 600-1 — Generative AI Profile (companion to AI RMF 1.0)                                          // publication number, not bytes
+  "nist-csf-2.0",                // NIST Cybersecurity Framework 2.0 (Feb 2024)                                                              // framework version, not bytes
+  "sb-53",                       // California SB-53 — Transparency in Frontier AI Act (effective 2025-09-29)                                // statute identifier, not bytes
+  "nyc-ll144-2024",              // NYC Local Law 144 — Automated Employment Decision Tool bias audits (2024 enforcement update)             // statute identifier, not bytes
 ]);
 
 // SUPPLY-34 — Artifact standards (SBOM / VEX format families) are NOT
@@ -965,7 +965,7 @@ var POSTURE_DEFAULTS = Object.freeze({
     requireVacuumAfterErase:  false,
   }),
   "gdpr": Object.freeze({
-    backupEncryptionRequired: false,           // GDPR Art. 32 says "appropriate" — not mandatory floor // allow:protocol-constant — regulatory article number in prose
+    backupEncryptionRequired: false,           // GDPR Art. 32 says "appropriate" — not mandatory floor
     auditChainSignedRequired: true,
     tlsMinVersion:            "TLSv1.3",
     // GDPR Art. 17 — "right to erasure" includes residual indexes; B-tree

package/lib/content-credentials.js

@@ -36,11 +36,11 @@ var audit = require("./audit");
 var { defineClass } = require("./framework-error");
 var ContentCredentialsError = defineClass("ContentCredentialsError", { alwaysPermanent: true });
 
-var STR_LEN_MAX = 256;                                                                        // allow:raw-byte-literal — string-length cap, not bytes
-var ID_LEN_MAX  = 128;                                                                        // allow:raw-byte-literal — string-length cap, not bytes
+var STR_LEN_MAX = 256;                                                                        // string-length cap, not bytes
+var ID_LEN_MAX  = 128;                                                                        // string-length cap, not bytes
 var SEMVER_RE = /^[0-9]+\.[0-9]+(?:\.[0-9]+)?(?:[-+][A-Za-z0-9.-]+)?$/;
 var ID_RE     = /^[a-zA-Z0-9._:/-]{1,128}$/;
-var SHA3_HEX_LEN = 128;                                                                       // allow:raw-byte-literal — SHA3-512 hex length, not bytes
+var SHA3_HEX_LEN = 128;                                                                       // SHA3-512 hex length, not bytes
 
 // Required fields per SB-942 §22757(a) — every AI-generated asset
 // must disclose provider + system + timestamp + contentId.
@@ -64,7 +64,7 @@ function _validateBuildOpts(opts) {
     throw ContentCredentialsError.factory("content-credentials/bad-system",
       "system must match " + ID_RE);
   }
-  if (opts.systemVersion.length > 64 || !SEMVER_RE.test(opts.systemVersion)) {                // allow:raw-byte-literal — semver length cap, not bytes
+  if (opts.systemVersion.length > 64 || !SEMVER_RE.test(opts.systemVersion)) {                // semver length cap, not bytes
     throw ContentCredentialsError.factory("content-credentials/bad-version",
       "systemVersion must be semver");
   }
@@ -347,35 +347,35 @@ function verify(envelope, publicKeyPem, opts) {
 // libraries (jose-py / c2pa-rs / etc.).
 
 // COSE algorithm registry codepoints (RFC 9053 §2.1 + draft-ietf-cose-* for PQ).
-// allow:raw-byte-literal — IANA registry IDs, not byte counts.
+// IANA registry IDs, not byte counts.
 var COSE_ALGS = {
-  "ed25519":    -8,    // allow:raw-byte-literal — COSE alg id
-  "es256":      -7,    // allow:raw-byte-literal — COSE alg id
-  "es384":      -35,   // allow:raw-byte-literal — COSE alg id
-  "es512":      -36,   // allow:raw-byte-literal — COSE alg id
-  "ml-dsa-44":  -48,   // allow:raw-byte-literal — COSE alg id (draft)
-  "ml-dsa-65":  -49,   // allow:raw-byte-literal — COSE alg id (draft)
-  "ml-dsa-87":  -50,   // allow:raw-byte-literal — COSE alg id (draft)
-  "slh-dsa-sha2-128s":   -51,   // allow:raw-byte-literal — COSE alg id (draft)
-  "slh-dsa-shake-256f":  -56,   // allow:raw-byte-literal — COSE alg id (draft)
+  "ed25519":    -8,    // COSE alg id
+  "es256":      -7,    // COSE alg id
+  "es384":      -35,   // COSE alg id
+  "es512":      -36,   // COSE alg id
+  "ml-dsa-44":  -48,   // COSE alg id (draft)
+  "ml-dsa-65":  -49,   // COSE alg id (draft)
+  "ml-dsa-87":  -50,   // COSE alg id (draft)
+  "slh-dsa-sha2-128s":   -51,   // COSE alg id (draft)
+  "slh-dsa-shake-256f":  -56,   // COSE alg id (draft)
 };
 
 // CBOR encoder (RFC 8949 §3). The integer thresholds 24/256/65536/4294967296
 // are CBOR-spec length-encoding boundaries — not byte counts.
-// allow:raw-byte-literal — CBOR encoding thresholds, not byte counts.
+// CBOR encoding thresholds, not byte counts.
 function _cborUint(n) {
-  if (n < 24)         return Buffer.from([n]);                                                                                                // allow:raw-byte-literal — CBOR threshold
-  if (n < 256)        return Buffer.from([0x18, n]);                                                                                          // allow:raw-byte-literal — CBOR threshold
-  if (n < 65536)      return Buffer.from([0x19, (n >> 8) & 0xFF, n & 0xFF]);                                                                  // allow:raw-byte-literal — CBOR threshold
-  if (n < 4294967296) return Buffer.from([0x1A, (n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF]);                              // allow:raw-byte-literal — CBOR threshold
+  if (n < 24)         return Buffer.from([n]);                                                                                                // CBOR threshold
+  if (n < 256)        return Buffer.from([0x18, n]);                                                                                          // CBOR threshold
+  if (n < 65536)      return Buffer.from([0x19, (n >> 8) & 0xFF, n & 0xFF]);                                                                  // CBOR threshold
+  if (n < 4294967296) return Buffer.from([0x1A, (n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF]);                              // CBOR threshold
   throw ContentCredentialsError.factory("content-credentials/cbor-overflow", "cbor uint too large: " + n);
 }
 
 function _cborNint(n) {
   var v = -1 - n;
-  if (v < 24)    return Buffer.from([0x20 | v]);                                                                                              // allow:raw-byte-literal — CBOR threshold
-  if (v < 256)   return Buffer.from([0x38, v]);                                                                                               // allow:raw-byte-literal — CBOR threshold
-  if (v < 65536) return Buffer.from([0x39, (v >> 8) & 0xFF, v & 0xFF]);                                                                       // allow:raw-byte-literal — CBOR threshold
+  if (v < 24)    return Buffer.from([0x20 | v]);                                                                                              // CBOR threshold
+  if (v < 256)   return Buffer.from([0x38, v]);                                                                                               // CBOR threshold
+  if (v < 65536) return Buffer.from([0x39, (v >> 8) & 0xFF, v & 0xFF]);                                                                       // CBOR threshold
   return Buffer.from([0x3A, (v >> 24) & 0xFF, (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF]);
 }
 
@@ -386,30 +386,30 @@ function _cborInt(n) {
 function _cborBytes(buf) {
   var n = buf.length;
   var head;
-  if (n < 24)         head = Buffer.from([0x40 | n]);                                                                                          // allow:raw-byte-literal — CBOR threshold
-  else if (n < 256)   head = Buffer.from([0x58, n]);                                                                                           // allow:raw-byte-literal — CBOR threshold
-  else if (n < 65536) head = Buffer.from([0x59, (n >> 8) & 0xFF, n & 0xFF]);                                                                   // allow:raw-byte-literal — CBOR threshold
+  if (n < 24)         head = Buffer.from([0x40 | n]);                                                                                          // CBOR threshold
+  else if (n < 256)   head = Buffer.from([0x58, n]);                                                                                           // CBOR threshold
+  else if (n < 65536) head = Buffer.from([0x59, (n >> 8) & 0xFF, n & 0xFF]);                                                                   // CBOR threshold
   else                head = Buffer.from([0x5A, (n >>> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF]);
   return Buffer.concat([head, buf]);
 }
 
 function _cborArrayHeader(n) {
-  if (n < 24)    return Buffer.from([0x80 | n]);                                                                                               // allow:raw-byte-literal — CBOR threshold
-  if (n < 256)   return Buffer.from([0x98, n]);                                                                                                // allow:raw-byte-literal — CBOR threshold
-  if (n < 65536) return Buffer.from([0x99, (n >> 8) & 0xFF, n & 0xFF]);                                                                        // allow:raw-byte-literal — CBOR threshold
+  if (n < 24)    return Buffer.from([0x80 | n]);                                                                                               // CBOR threshold
+  if (n < 256)   return Buffer.from([0x98, n]);                                                                                                // CBOR threshold
+  if (n < 65536) return Buffer.from([0x99, (n >> 8) & 0xFF, n & 0xFF]);                                                                        // CBOR threshold
   throw ContentCredentialsError.factory("content-credentials/cbor-overflow", "cbor array too large: " + n);
 }
 
 function _cborMapHeader(n) {
-  if (n < 24)    return Buffer.from([0xA0 | n]);                                                                                               // allow:raw-byte-literal — CBOR threshold
-  if (n < 256)   return Buffer.from([0xB8, n]);                                                                                                // allow:raw-byte-literal — CBOR threshold
+  if (n < 24)    return Buffer.from([0xA0 | n]);                                                                                               // CBOR threshold
+  if (n < 256)   return Buffer.from([0xB8, n]);                                                                                                // CBOR threshold
   throw ContentCredentialsError.factory("content-credentials/cbor-overflow", "cbor map too large: " + n);
 }
 
 function _cborTag(tag) {
-  if (tag < 24)         return Buffer.from([0xC0 | tag]);                                                                                      // allow:raw-byte-literal — CBOR threshold
-  if (tag < 256)        return Buffer.from([0xD8, tag]);                                                                                       // allow:raw-byte-literal — CBOR threshold
-  if (tag < 65536)      return Buffer.from([0xD9, (tag >> 8) & 0xFF, tag & 0xFF]);                                                             // allow:raw-byte-literal — CBOR threshold
+  if (tag < 24)         return Buffer.from([0xC0 | tag]);                                                                                      // CBOR threshold
+  if (tag < 256)        return Buffer.from([0xD8, tag]);                                                                                       // CBOR threshold
+  if (tag < 65536)      return Buffer.from([0xD9, (tag >> 8) & 0xFF, tag & 0xFF]);                                                             // CBOR threshold
   return Buffer.from([0xDA, (tag >> 24) & 0xFF, (tag >> 16) & 0xFF, (tag >> 8) & 0xFF, tag & 0xFF]);
 }
 
@@ -492,7 +492,7 @@ function signCose(manifest, opts) {
     }
     unprotectedHdr = Buffer.concat([
       _cborMapHeader(1),
-      _cborInt(33),             // allow:raw-byte-literal allow:raw-time-literal — RFC 9360 x5chain header label, not a duration
+      _cborInt(33),             // allow:raw-time-literal — RFC 9360 x5chain header label, not a duration
       chainArray,
     ]);
   } else {
@@ -514,7 +514,7 @@ function signCose(manifest, opts) {
   // First entry is the text string "Signature1" — major-type 3
   var sigText = Buffer.from("Signature1", "utf8");
   var sigTextBstr;
-  if (sigText.length < 24)      sigTextBstr = Buffer.concat([Buffer.from([0x60 | sigText.length]), sigText]);                                 // allow:raw-byte-literal — CBOR text-string threshold
+  if (sigText.length < 24)      sigTextBstr = Buffer.concat([Buffer.from([0x60 | sigText.length]), sigText]);                                 // CBOR text-string threshold
   else                          sigTextBstr = Buffer.concat([Buffer.from([0x78, sigText.length]), sigText]);
   sigStructureBufs[1] = sigTextBstr;
   var toBeSigned = Buffer.concat(sigStructureBufs);
@@ -612,7 +612,7 @@ function cacImplicitLabel(opts) {
       "(统一社会信用代码 per GB 32100-2015 / GB 45438-2025)");
   }
   if (typeof opts.contentId !== "string" || opts.contentId.length === 0 ||
-      opts.contentId.length > 128) {                                                             // allow:raw-byte-literal — contentId char cap, not bytes
+      opts.contentId.length > 128) {                                                             // contentId char cap, not bytes
     throw new ContentCredentialsError("cac-implicit-label/bad-content-id",
       "cacImplicitLabel: contentId must be 1-128 chars");
   }

package/lib/cookies.js

@@ -485,7 +485,7 @@ function parseSafe(cookieHeader, opts) {
   }
   for (var hi = 0; hi < cookieHeader.length; hi += 1) {
     var ch = cookieHeader.charCodeAt(hi);
-    if (ch === 0x0D || ch === 0x0A || ch === 0x00) {                             // allow:raw-byte-literal — CR / LF / NUL forbidden in cookie header
+    if (ch === 0x0D || ch === 0x0A || ch === 0x00) {                             // CR / LF / NUL forbidden in cookie header
       issues.push({
         kind: "header-control-byte", severity: "high",
         snippet: "Cookie header contains CR / LF / NUL — proxy-side " +

package/lib/cose.js

@@ -60,12 +60,12 @@ var { defineClass } = require("./framework-error");
 
 var CoseError = defineClass("CoseError", { alwaysPermanent: true });
 
-var COSE_SIGN1_TAG = 18;                                                               // allow:raw-byte-literal — RFC 9052 COSE_Sign1 CBOR tag
+var COSE_SIGN1_TAG = 18;                                                               // RFC 9052 COSE_Sign1 CBOR tag
 var HDR_ALG = 1;                                                                       // RFC 9052 §3.1 header label: alg
 var HDR_CRIT = 2;                                                                      // header label: crit
 var HDR_CONTENT_TYPE = 3;                                                              // header label: content type
 var HDR_KID = 4;                                                                       // header label: kid
-var HDR_CWT_CLAIMS = 15;                                                               // allow:raw-byte-literal — RFC 9597 CWT Claims header label (carries SCITT iss/sub)
+var HDR_CWT_CLAIMS = 15;                                                               // RFC 9597 CWT Claims header label (carries SCITT iss/sub)
 
 // COSE algorithm identifiers. ML-DSA-87 is a NON-FINAL requested
 // assignment (draft-ietf-cose-dilithium) — pinned deliberately, re-open
@@ -73,7 +73,7 @@ var HDR_CWT_CLAIMS = 15;
 // (RFC 9053). SLH-DSA is intentionally absent (no registered COSE id).
 var ALG_NAME_TO_ID = {
   "ML-DSA-87": -50,
-  "ES256": -7, "ES384": -35, "ES512": -36, "EdDSA": -8,                                // allow:raw-byte-literal — COSE algorithm identifiers (RFC 9053), not byte sizes
+  "ES256": -7, "ES384": -35, "ES512": -36, "EdDSA": -8,                                // COSE algorithm identifiers (RFC 9053), not byte sizes
 };
 var ALG_ID_TO_NAME = {};
 Object.keys(ALG_NAME_TO_ID).forEach(function (k) { ALG_ID_TO_NAME[ALG_NAME_TO_ID[k]] = k; });
@@ -100,7 +100,7 @@ function _toKeyObject(key, kind) {
 function _algParamsFor(algId) {
   switch (algId) {
     case -50: return { nodeAlg: null };                                                // ML-DSA-87 (KeyObject specifies the hash)
-    case -8:  return { nodeAlg: null };                                                // allow:raw-byte-literal — EdDSA COSE alg id (RFC 9053), not a size
+    case -8:  return { nodeAlg: null };                                                // EdDSA COSE alg id (RFC 9053), not a size
     case -7:  return { nodeAlg: "sha256", dsaEncoding: "ieee-p1363" };                 // ES256
     case -35: return { nodeAlg: "sha384", dsaEncoding: "ieee-p1363" };                 // ES384
     case -36: return { nodeAlg: "sha512", dsaEncoding: "ieee-p1363" };                 // ES512
@@ -374,22 +374,22 @@ async function verify(coseSign1, opts) {
 
 // ---- COSE_Encrypt0 (RFC 9052 §5.2) — single-recipient AEAD ----
 
-var COSE_ENCRYPT0_TAG = 16;                                                            // allow:raw-byte-literal — RFC 9052 COSE_Encrypt0 CBOR tag
+var COSE_ENCRYPT0_TAG = 16;                                                            // RFC 9052 COSE_Encrypt0 CBOR tag
 var HDR_IV = 5;                                                                        // RFC 9052 §3.1 unprotected header label: IV
-var AEAD_TAG_LEN = 16;                                                                 // allow:raw-byte-literal — AEAD authentication tag length (bytes)
+var AEAD_TAG_LEN = 16;                                                                 // AEAD authentication tag length (bytes)
 
 // AEAD algorithm: COSE id → node cipher + key / IV sizes. ChaCha20/
 // Poly1305 (24) is the default; AES-GCM is opt-in (project hard-rule
 // #2 forbids AES-GCM as a default).
-var AEAD_NAME_TO_ID = { "ChaCha20-Poly1305": 24, "A256GCM": 3, "A128GCM": 1 };         // allow:raw-byte-literal — COSE AEAD algorithm identifiers (RFC 9053), not sizes
+var AEAD_NAME_TO_ID = { "ChaCha20-Poly1305": 24, "A256GCM": 3, "A128GCM": 1 };         // COSE AEAD algorithm identifiers (RFC 9053), not sizes
 var AEAD_ID_TO_NAME = {};
 Object.keys(AEAD_NAME_TO_ID).forEach(function (k) { AEAD_ID_TO_NAME[AEAD_NAME_TO_ID[k]] = k; });
 
 function _aeadParams(algId) {
   switch (algId) {
-    case 24: return { cipher: "chacha20-poly1305", keyLen: 32, ivLen: 12 };            // allow:raw-byte-literal — ChaCha20/Poly1305 key+IV sizes
-    case 3:  return { cipher: "aes-256-gcm",      keyLen: 32, ivLen: 12 };             // allow:raw-byte-literal — AES-256-GCM key+IV sizes
-    case 1:  return { cipher: "aes-128-gcm",      keyLen: 16, ivLen: 12 };             // allow:raw-byte-literal — AES-128-GCM key+IV sizes
+    case 24: return { cipher: "chacha20-poly1305", keyLen: 32, ivLen: 12 };            // ChaCha20/Poly1305 key+IV sizes
+    case 3:  return { cipher: "aes-256-gcm",      keyLen: 32, ivLen: 12 };             // AES-256-GCM key+IV sizes
+    case 1:  return { cipher: "aes-128-gcm",      keyLen: 16, ivLen: 12 };             // AES-128-GCM key+IV sizes
     default:
       throw new CoseError("cose/unknown-alg", "cose: unrecognized AEAD COSE alg id " + algId);
   }
@@ -552,11 +552,11 @@ function decrypt0(coseEncrypt0, opts) {
 
 // ---- COSE_Mac0 (RFC 9052 §6.2) — single shared-key MAC ----
 
-var COSE_MAC0_TAG = 17;                                                       // allow:raw-byte-literal — RFC 9052 COSE_Mac0 CBOR tag
+var COSE_MAC0_TAG = 17;                                                       // RFC 9052 COSE_Mac0 CBOR tag
 // HMAC algorithms (RFC 9053 §3.1). Only the full-length tags are offered —
 // the truncated HMAC 256/64 (id 4) is omitted. HMAC is symmetric, so its
 // post-quantum strength is fine; these are the COSE-standard MAC algs.
-var HMAC_NAME_TO_ID = { "HMAC-256/256": 5, "HMAC-384/384": 6, "HMAC-512/512": 7 };   // allow:raw-byte-literal — COSE HMAC algorithm ids (RFC 9053)
+var HMAC_NAME_TO_ID = { "HMAC-256/256": 5, "HMAC-384/384": 6, "HMAC-512/512": 7 };   // COSE HMAC algorithm ids (RFC 9053)
 var HMAC_ID_TO_NAME = {};
 Object.keys(HMAC_NAME_TO_ID).forEach(function (k) { HMAC_ID_TO_NAME[HMAC_NAME_TO_ID[k]] = k; });
 function _hmacHash(algId) {
@@ -747,7 +747,7 @@ var COSE_EC2_CRV = { 1: "P-256", 2: "P-384", 3: "P-521" };
 var COSE_EC2_CRV_ID = { "P-256": 1, "P-384": 2, "P-521": 3 };
 var COSE_KTY_OKP = 1;
 var COSE_KTY_EC2 = 2;
-var COSE_OKP_ED25519 = 6;                                                    // allow:raw-byte-literal — COSE OKP Ed25519 crv id (RFC 9053)
+var COSE_OKP_ED25519 = 6;                                                    // COSE OKP Ed25519 crv id (RFC 9053)
 // COSE_Key common-parameter labels (RFC 9052 §7.1): 1=kty, 2=kid, 3=alg.
 var COSE_KEY_LABEL_KTY = 1;
 var COSE_KEY_LABEL_KID = 2;

package/lib/cra-report.js

@@ -113,7 +113,7 @@ function create(opts) {
         body:          Buffer.from(JSON.stringify(payload), "utf8"),
         responseMode:  "always-resolve",
       });
-      var ok = res.statusCode >= 200 && res.statusCode < 300;                        // allow:raw-byte-literal — HTTP status range
+      var ok = res.statusCode >= 200 && res.statusCode < 300;                        // HTTP status range
       _emitAudit("submitted", ok ? "success" : "failure", {
         statusCode: res.statusCode, productId: productId,
       });

package/lib/crdt.js

@@ -47,7 +47,7 @@ var CrdtError = defineClass("CrdtError", { alwaysPermanent: true });
 
 function _replicaId(opts) {
   var id = opts && opts.replicaId;
-  if (id == null) return bCrypto.generateToken(8);   // allow:raw-byte-literal — random replica-id token length
+  if (id == null) return bCrypto.generateToken(8);   // random replica-id token length
   if (typeof id !== "string" || id.length === 0) throw new CrdtError("crdt/bad-replica-id", "crdt: replicaId must be a non-empty string");
   return id;
 }

package/lib/crypto-field.js

@@ -841,9 +841,9 @@ function declarePerRowKey(table, opts) {
     throw new Error("declarePerRowKey: table must be a non-empty string");
   }
   opts = opts || {};
-  var keySize = opts.keySize === undefined ? 32 : opts.keySize; // allow:raw-byte-literal — XChaCha20-Poly1305 key length in bytes
+  var keySize = opts.keySize === undefined ? 32 : opts.keySize; // XChaCha20-Poly1305 key length in bytes
   if (typeof keySize !== "number" || !isFinite(keySize) ||
-      keySize < 16 || Math.floor(keySize) !== keySize) { // allow:raw-byte-literal — minimum AES-128 key length in bytes
+      keySize < 16 || Math.floor(keySize) !== keySize) { // minimum AES-128 key length in bytes
     throw new Error("declarePerRowKey: opts.keySize must be an integer >= 16 (bytes)");
   }
   var info = opts.info || ("blamejs-per-row-key:" + table);

package/lib/crypto-xwing.js

@@ -47,15 +47,15 @@ var XWING_LABEL = Buffer.from("5c2e2f2f5e5c", "hex");
 
 // Component + composite sizes (bytes), fixed by the draft — protocol wire
 // widths, not buffer-capacity tunables.
-var ML_KEM_PK = 1184;                  // allow:raw-byte-literal — ML-KEM-768 public key
-var ML_KEM_CT = 1088;                  // allow:raw-byte-literal — ML-KEM-768 ciphertext
-var X25519_LEN = 32;                   // allow:raw-byte-literal — X25519 key/share length
-var SEED_LEN = 32;                     // allow:raw-byte-literal — X-Wing seed length
-var SS_LEN = 32;                       // allow:raw-byte-literal — shared-secret length
+var ML_KEM_PK = 1184;                  // ML-KEM-768 public key
+var ML_KEM_CT = 1088;                  // ML-KEM-768 ciphertext
+var X25519_LEN = 32;                   // X25519 key/share length
+var SEED_LEN = 32;                     // X-Wing seed length
+var SS_LEN = 32;                       // shared-secret length
 var PK_LEN = ML_KEM_PK + X25519_LEN;   // 1216
 var CT_LEN = ML_KEM_CT + X25519_LEN;   // 1120
-var MLKEM_SEED = 64;                   // allow:raw-byte-literal — d ‖ z for ML-KEM KeyGen_internal
-var EXPAND_LEN = 96;                   // allow:raw-byte-literal — SHAKE256(seed) → d ‖ z ‖ sk_X
+var MLKEM_SEED = 64;                   // d ‖ z for ML-KEM KeyGen_internal
+var EXPAND_LEN = 96;                   // SHAKE256(seed) → d ‖ z ‖ sk_X
 
 // X25519 raw-scalar helpers via fixed PKCS8 / SPKI DER prefixes (OID
 // 1.3.101.110). Node clamps the scalar per RFC 7748 on use, matching X-Wing.

package/lib/crypto.js

@@ -319,9 +319,9 @@ function hashFilesParallel(filePaths, opts) {
   }
   var concurrency = opts.concurrency !== undefined
     ? opts.concurrency
-    : Math.min(8, Math.max(1, filePaths.length));                                                  // allow:raw-byte-literal — worker fan-out cap, not bytes
+    : Math.min(8, Math.max(1, filePaths.length));                                                  // worker fan-out cap, not bytes
   if (typeof concurrency !== "number" || !isFinite(concurrency) ||
-      concurrency < 1 || concurrency > 256 ||                                                       // allow:raw-byte-literal — concurrency upper cap
+      concurrency < 1 || concurrency > 256 ||                                                       // concurrency upper cap
       Math.floor(concurrency) !== concurrency) {
     return Promise.reject(new TypeError(
       "crypto.hashFilesParallel: opts.concurrency must be an integer in [1, 256], got " + concurrency
@@ -830,7 +830,7 @@ function fromBase64Url(s, opts) {
     // `/=+$/` CodeQL flags, where `=+` can backtrack on long input
     // ending in many `=`. Walking from end is O(n) worst-case.
     var trimEnd = s.length;
-    while (trimEnd > 0 && s.charCodeAt(trimEnd - 1) === 0x3D) trimEnd -= 1;          // allow:raw-byte-literal — '=' codepoint
+    while (trimEnd > 0 && s.charCodeAt(trimEnd - 1) === 0x3D) trimEnd -= 1;          // '=' codepoint
     var unpadded = s.slice(0, trimEnd);
     if (!_BASE64URL_STRICT_RE.test(s)) {
       throw new TypeError(
@@ -838,7 +838,7 @@ function fromBase64Url(s, opts) {
         "base64url alphabet (A-Z a-z 0-9 - _ =) — pass {strict:false} to allow non-canonical input"
       );
     }
-    if (unpadded.length % 4 === 1) {                                                                 // allow:raw-byte-literal — base64 group length, not bytes
+    if (unpadded.length % 4 === 1) {                                                                 // base64 group length, not bytes
       throw new TypeError(
         "crypto.fromBase64Url: input length %% 4 === 1 is not a valid base64url encoding " +
         "(every conforming encoder produces 0 / 2 / 3 remainder; got " + unpadded.length + " chars)"
@@ -1194,7 +1194,7 @@ function encryptMlkemOnly(plaintext, publicKeyPem) {
  */
 function decrypt(ciphertext, privateKeys, opts) {
   var packed = Buffer.from(ciphertext, "base64");
-  if (packed[0] === 0xE1) {                                                       // allow:raw-byte-literal — legacy envelope magic
+  if (packed[0] === 0xE1) {                                                       // legacy envelope magic
     if (!opts || !opts.allowLegacy) {
       throw new Error("Invalid envelope: legacy 0xE1 format predates the FixedInfo " +
         "KDF binding (NIST SP 800-56C r2 §4.1) — re-seal data under the current envelope, " +
@@ -1303,7 +1303,7 @@ function decryptEnvelope(packed, privateKeys, internalOpts) {
   // Re-derive the 4-byte envelope-header AAD from the bytes we just
   // dispatched on. A tampered header (algorithm-substitution attack)
   // surfaces here as a Poly1305 tag verification failure.
-  var headerAad = packed.subarray(0, 4);                                          // allow:raw-byte-literal — envelope-header byte slice
+  var headerAad = packed.subarray(0, 4);                                          // envelope-header byte slice
   var plainBuf = Buffer.from(
     xchacha20poly1305(symmetricKey, nonce, headerAad).decrypt(packed.subarray(pos))
   );

package/lib/csp.js

@@ -222,8 +222,8 @@ function build(directives, opts) {
  *     b.csp.build({ "script-src": ["'self'", "'nonce-" + req.cspNonce + "'"] }));
  */
 function nonce(byteLen) {
-  var n = typeof byteLen === "number" ? byteLen : 32;                                              // allow:raw-byte-literal — 256-bit nonce default
-  if (!isFinite(n) || n < 16 || n > 64) {                                                          // allow:raw-byte-literal — CSP3 §6.2.x nonce bounds
+  var n = typeof byteLen === "number" ? byteLen : 32;                                              // 256-bit nonce default
+  if (!isFinite(n) || n < 16 || n > 64) {                                                          // CSP3 §6.2.x nonce bounds
     throw new CspError("csp/bad-nonce-len",
       "csp.nonce: byteLen must be 16-64 (CSP3 §6.2 recommends ≥16 bytes)");
   }