@blamejs/core 0.14.5 → 0.14.7

package/lib/archive-wrap.js

@@ -272,7 +272,7 @@ function _encryptForRecipient(bytes, opts) {
     };
   }
   if (r.publicKey) {
-    // Codex P2 on v0.12.10 PR #161 — b.crypto.encrypt falls back to
+    // B.crypto.encrypt falls back to
     // ML-KEM-only when ecPublicKey is undefined (with a one-shot
     // audit). For archive-wrap's recipient contract the hybrid leg
     // (P-384 ECDH defence-in-depth backstop on top of ML-KEM-1024)
@@ -343,7 +343,7 @@ function sniffEnvelope(bytes) {
   if (!Buffer.isBuffer(bytes) && !(bytes instanceof Uint8Array)) {
     return "none";
   }
-  // Codex P2A on v0.12.14 PR #165 — `Buffer.from(uint8Array)` copies
+  // `Buffer.from(uint8Array)` copies
   // the entire input, turning a constant-time 5-byte probe into an
   // O(n) allocation. Use the zero-copy view form so the sniff is
   // truly cheap regardless of input size.
@@ -351,7 +351,7 @@ function sniffEnvelope(bytes) {
     ? bytes
     : Buffer.from(bytes.buffer, bytes.byteOffset, bytes.byteLength);
   if (buf.length < 5) return "none";
-  // Codex P2B on v0.12.14 PR #165 — match on the 5-byte ASCII magic
+  // Match on the 5-byte ASCII magic
   // alone, NOT on the full header (which requires version + saltLen
   // bytes). A truncated envelope (`BAWRP` + nothing else) is still a
   // recipient envelope; the unwrap call surfaces the truncation with
@@ -413,7 +413,7 @@ async function wrapWithPassphrase(bytes, opts) {
   // alphabet. Operators sourcing passphrases from a random-bytes
   // generator (high entropy density) pass without issue; operators
   // typing dictionary phrases trip the gate.
-  // Codex P1 on v0.12.11 PR #162 — typeof NaN === "number" passes
+  // Typeof NaN === "number" passes
   // typeof gate but bypasses downstream comparisons. Use isFinite
   // so NaN / Infinity can't slip past the entropy gate.
   var minEntropy;
@@ -516,7 +516,7 @@ async function unwrapWithPassphrase(sealed, opts) {
 }
 
 function _estimatePassphraseEntropyBits(passphrase) {
-  // Codex P2 on v0.12.11 PR #162 — Buffer passphrases (CSPRNG-
+  // Buffer passphrases (CSPRNG-
   // generated random bytes) shouldn't be UTF-8 decoded for entropy
   // estimation; the decoding artifacts (invalid sequences, BOM,
   // surrogate pairs) make the alphabet-class measure unstable and

package/lib/audit-tools.js

@@ -75,9 +75,39 @@ var FRAMEWORK_VERSION = (pkg && pkg.version) || "unknown";
 // so importing db at audit-tools' top would close the cycle. Lazy
 // keeps the load order one-way.
 var db = lazyRequire(function () { return require("./db"); });
+var audit = lazyRequire(function () { return require("./audit"); });
 
 var AuditToolsError = defineClass("AuditToolsError", { alwaysPermanent: true });
 
+// Dual-control gate constants for the audit_log physical purge. The
+// purge erases signed audit history, so when an operator has declared
+// audit_log under b.db.declareRequireDualControl the deletion requires
+// a consumed m-of-n grant whose action matches AUDIT_LOG_PURGE_ACTION —
+// the same separation-of-duties control b.db.eraseHard enforces (NIST
+// SP 800-53 AU-9 + AC-5, HIPAA 45 CFR 164.312(b), PCI-DSS v4.0 10.5.1 /
+// 10.7, SEC 17a-4(f), CWE-778).
+var AUDIT_LOG_GATE_TABLE   = "audit_log";
+var AUDIT_LOG_PURGE_ACTION = "auditTools.purge";
+
+function _resolveDualControlGate(opts) {
+  var checker = typeof opts.checkDualControlGate === "function"
+    ? opts.checkDualControlGate
+    : function (t) { return db()._checkDualControlGate(t); };
+  try { return checker(AUDIT_LOG_GATE_TABLE); }
+  catch (_e) { return null; }
+}
+
+function _emitPurgeDenied(gate, reason) {
+  try {
+    audit().safeEmit({
+      action:   "auditTools.purge.denied",
+      outcome:  "denied",
+      reason:   reason,
+      metadata: { table: AUDIT_LOG_GATE_TABLE, m: gate.m, n: gate.n, posture: gate.posture || null },
+    });
+  } catch (_e) { /* drop-silent — denial audit is best-effort */ }
+}
+
 var BUNDLE_FORMAT  = "blamejs-audit-bundle-v1";
 var KIND_ARCHIVE   = "archive";
 var KIND_EXPORT    = "export";
@@ -149,7 +179,7 @@ function _rowToWireForm(row) {
   return out;
 }
 
-// F-AUD-4 — operator-facing wire helper that surfaces recordedAt as
+// Operator-facing wire helper that surfaces recordedAt as
 // ISO-8601 / RFC 3339 alongside the existing Unix-ms integer.
 // Auditors comparing rows against external SIEM events expect ISO
 // with explicit Z; the framework's primary ms storage stays
@@ -806,10 +836,11 @@ function _defaultVerifyCheckpointSignature(checkpoint) {
  * `lastPurgedRowHash` becomes the new chain origin.
  *
  * @opts
- *   confirm:         true,                // exact `true` required
- *   archive:         string,              // path to a verified archive bundle
- *   passphrase:      Buffer|string,       // bundle decryption passphrase
- *   verifySignature: function(checkpoint),// auditor pubkey override
+ *   confirm:          true,               // exact `true` required
+ *   archive:          string,             // path to a verified archive bundle
+ *   passphrase:       Buffer|string,      // bundle decryption passphrase
+ *   verifySignature:  function(checkpoint),// auditor pubkey override
+ *   dualControlGrant: object,             // required when audit_log is declared under b.db.declareRequireDualControl — from b.dualControl.consume({ action: "auditTools.purge" })
  *
  * @example
  *   var result = await b.auditTools.purge({
@@ -846,6 +877,34 @@ async function purge(opts) {
       "purge: bundle kind is '" + v.kind + "', must be 'archive'");
   }
 
+  // Dual-control gate. When audit_log is declared under
+  // b.db.declareRequireDualControl, the physical purge requires a
+  // consumed m-of-n grant — confirm:true alone is not enough. Mirrors
+  // b.db.eraseHard, and additionally binds the grant's action so a
+  // grant minted for a different operation can't be replayed here.
+  var dcGate = _resolveDualControlGate(opts);
+  if (dcGate) {
+    var grant = opts.dualControlGrant;
+    if (!grant) {
+      _emitPurgeDenied(dcGate, "no-grant");
+      throw new AuditToolsError("audit-tools/dual-control-required",
+        "purge: audit_log is under dual control (m=" + dcGate.m + ", n=" + dcGate.n +
+        "); pass opts.dualControlGrant from b.dualControl.consume({ action: \"" +
+        AUDIT_LOG_PURGE_ACTION + "\" }).");
+    }
+    if (grant.ready !== true) {
+      _emitPurgeDenied(dcGate, "grant-not-ready");
+      throw new AuditToolsError("audit-tools/dual-control-grant-not-ready",
+        "purge: opts.dualControlGrant.ready must be true (a consumed m-of-n grant)");
+    }
+    if (grant.action !== AUDIT_LOG_PURGE_ACTION) {
+      _emitPurgeDenied(dcGate, "grant-action-mismatch");
+      throw new AuditToolsError("audit-tools/dual-control-grant-mismatch",
+        "purge: dualControlGrant.action is '" + grant.action + "', must be '" +
+        AUDIT_LOG_PURGE_ACTION + "'");
+    }
+  }
+
   // 2. Refuse if the archive doesn't start at the next purge point. Keeps
   // the chain anchor monotonic — operators can't jump-purge a middle range.
   var readAnchor = opts.readAnchor || _defaultReadPurgeAnchor;
@@ -881,6 +940,7 @@ async function purge(opts) {
     lastPurgedCounter:    Number(v.range.lastCounter),
     lastPurgedRowHash:    v.range.lastRowHash,
     archiveBundleId:      result.archiveBundleId,
+    dualControlConsumed:  !!dcGate,
   };
 }
 

package/lib/audit.js

@@ -305,7 +305,7 @@ var FRAMEWORK_NAMESPACES = [
   "sandbox",    // b.sandbox (sandbox.run / sandbox.run.refused — operator-supplied transform isolation)
   "safeurl",    // b.safeUrl.parse (safeurl.idn_homograph.refused — UTS #39 mixed-script host-label refusal)
   "http",       // b.middleware.bodyParser (http.chunked.malformed.refused — RFC 9112 §7.1 chunked-decode failure with Connection: close) // RFC number in prose
-  "cryptofield", // b.cryptoField.eraseRow (cryptofield.vacuum.skipped — F-RTBF-2 vacuum-after-erase signal when DB not initialized at erase time)
+  "cryptofield", // b.cryptoField.eraseRow (cryptofield.vacuum.skipped — vacuum-after-erase signal when DB not initialized at erase time)
   "acme",       // b.acme (acme.account.registered / order.* / cert.issued / cert.renewed / cert.renew.skipped — RFC 8555 + RFC 9773 ARI workflow)
   "cert",       // b.cert (cert.account.generated / cert.issued / cert.renewed / cert.renew-failed / cert.challenge-cleanup — turnkey cert-manager lifecycle)
   "tls",        // b.router 0-RTT posture (tls.0rtt.refused / tls.0rtt.replayed) — RFC 8446 §8 anti-replay surface // RFC number in prose
@@ -1620,7 +1620,7 @@ async function assertSegregation(opts) {
   return { ok: ok, missing: missing };
 }
 
-// applyPosture — F-POSTURE-1 cascade hook. b.compliance.set(posture)
+// applyPosture — cascade hook. b.compliance.set(posture)
 // calls this to record the active posture so audit emissions can
 // surface the regulatory regime in metadata where downstream tooling
 // (forensic export, SIEM correlation) needs it. The chain itself is

package/lib/auth/ciba.js

@@ -577,7 +577,7 @@ function create(opts) {
         "ciba.parseNotification: empty bearer or no expected token configured");
     }
     // Constant-time compare on the SHA3 hash of both tokens —
-    // matches the project-wide discipline (audit 2026-05-11). Both
+    // matches the project-wide discipline. Both
     // sides are fixed-width sha3-512 hex strings; timingSafeEqual
     // adds explicit defense-in-depth over `!==` even though equal-
     // length JS string compare is already broadly understood as

package/lib/auth/dpop.js

@@ -437,7 +437,7 @@ async function verify(proof, opts) {
   }
 
   // nonce — when caller supplies expected nonce, payload MUST match.
-  // Constant-time compare (audit 2026-05-15): the nonce is a server-
+  // Constant-time compare: the nonce is a server-
   // issued secret-shaped value matched against attacker-controlled
   // payload bytes. RFC 9449 §8 mandates the value be unpredictable;
   // a leaking compare reveals prefix bytes over many attempts. ath

package/lib/auth/fal.js

@@ -179,7 +179,7 @@ function fromAssertion(opts) {
     return FAL3;
   }
 
-  // AUTH-19 — FAL2 per NIST SP 800-63C-4 §5.2 requires "injection
+  // FAL2 per NIST SP 800-63C-4 §5.2 requires "injection
   // protection" on the back-channel: either the back-channel itself is
   // encrypted-and-authenticated (mTLS / signed transport) OR the
   // assertion is encrypted to the RP. A plain HTTP back-channel with

package/lib/auth/fido-mds3.js

@@ -73,7 +73,7 @@ var REFUSE_STATUS = {
   // FIDO MDS3 §3.1.4 — attestation-key compromise means the
   // manufacturer's batch-signing key is suspect; every credential
   // attested under that key MUST be refused. Pre-v0.9.2 this token
-  // was missing from the refuse-list (audit 2026-05-11).
+  // was missing from the refuse-list.
   ATTESTATION_KEY_COMPROMISE:    1,
 };
 
@@ -362,7 +362,6 @@ function _verifyAndParseBlob(token) {
   // cache; an attacker serving an ancient signed-but-expired BLOB
   // could keep operators on a revoked-authenticator-list-frozen-at-X.
   // Refuse at parse time so neither fetch nor cache lookup honors it.
-  // (Audit 2026-05-11.)
   if (nextUpdate.getTime() < Date.now()) {
     throw new FidoMds3Error("fido-mds3/blob-stale",
       "BLOB payload nextUpdate \"" + payload.nextUpdate +
@@ -619,7 +618,7 @@ function verifyAuthenticator(blob, registrationInfo, vopts) {
   }
   var entry = lookupAaguid(blob, registrationInfo.aaguid);
   if (!entry) {
-    // Fail-CLOSED default for unknown AAGUIDs (audit 2026-05-11).
+    // Fail-CLOSED default for unknown AAGUIDs.
     // Pre-v0.9.2 default was `ok: true, reason: "aaguid-not-in-blob"`
     // — an attacker registering a credential with an AAGUID not in
     // the BLOB (rogue authenticator, fake hardware) silently passed.

package/lib/auth/jwt-external.js

@@ -271,7 +271,7 @@ function _selectKey(keys, header, vopts) {
     throw new AuthError("auth-jwt-external/no-matching-kid",
       "no JWKS key matches header.kid='" + header.kid + "'");
   }
-  // Refuse kid-less tokens by default (audit 2026-05-11). JWKS
+  // Refuse kid-less tokens by default. JWKS
   // rotation creates a window where the rotated-out key is still
   // cached but the rotated-in key is already published; an
   // attacker shipping a kid-less token gets the lone-key path
@@ -301,7 +301,7 @@ async function verifyExternal(token, opts) {
     "audience", "issuer", "subject", "clockSkewMs",
     // v0.9.4 — opt-out for the kid-less-token JWKS-of-one refusal
     // (default refuses; non-conforming IdPs that emit kid-less tokens
-    // set this true). Audit 2026-05-11.
+    // set this true).
     "allowKidlessJwks",
   ], "auth.jwt.verifyExternal");
 

package/lib/auth/oauth.js

@@ -621,7 +621,7 @@ function create(opts) {
     // constrained tokens (DPoP / mTLS) can opt out by NOT supplying
     // a seen callback.
     //
-    // Atomic check-and-insert (audit 2026-05-11) — pre-v0.9.3 the
+    // Atomic check-and-insert — pre-v0.9.3 the
     // check ran via `ropts.seen(token)` which was a check-then-act
     // race: two concurrent refresh requests landed on the same
     // event-loop tick could both see `seen === false` and both POST
@@ -648,7 +648,7 @@ function create(opts) {
       // Spec contract: inserted===true → first sighting (OK);
       // inserted===false → replay. v0.9.3 had this inverted, which
       // broke every first refresh attempt for operators reusing an
-      // existing b.nonceStore-style backend. (Reported 2026-05-12.)
+      // existing b.nonceStore-style backend.
       alreadySeen = inserted === false;
     } else if (typeof ropts.seen === "function") {
       // Legacy non-atomic path. Documented as a check-then-act race;
@@ -773,7 +773,7 @@ function create(opts) {
       // Constant-time compare on the CSRF state token. Project
       // discipline (auth/dpop.js, mail-srs.js, webhook.js) is
       // timingSafeEqual for any secret-shaped value compared
-      // against attacker-controlled input. (Audit 2026-05-11.)
+      // against attacker-controlled input.
       if (typeof query.state !== "string" ||
           !cryptoTimingSafeEqual(query.state, popts.expectedState)) {
         throw new OAuthError("auth-oauth/state-mismatch",
@@ -971,7 +971,7 @@ function create(opts) {
       // surface as `["admin", "read"]` and the operator's scope
       // allowlist saw two distinct scopes. Spec-strict split on
       // single-space + reject scope tokens that contain non-token
-      // chars. (Audit 2026-05-11.)
+      // chars.
       scope:        raw.scope ? raw.scope.split(" ").filter(function (s) { return s.length > 0; }) : scope.slice(),
       raw:          raw,
     };
@@ -1052,7 +1052,7 @@ function create(opts) {
     // verifier in the framework (jwt.js, jwt-external.js, dpop.js)
     // refuses; verifyIdToken previously silently ignored, letting an
     // attacker-controlled OP ship critical extensions the verifier
-    // doesn't understand. (Audit 2026-05-11.)
+    // doesn't understand.
     if (header.crit !== undefined && header.crit !== null) {
       throw new OAuthError("auth-oauth/crit-not-supported",
         "ID token JWS header carries 'crit' extension list; this verifier does not " +
@@ -1072,7 +1072,7 @@ function create(opts) {
     // key was still cached at the IdP but the rotated-in key is
     // already published. Refuse kid-less tokens unconditionally —
     // every modern IdP includes kid; absent kid is a spec smell.
-    // (Audit 2026-05-11.) Operators with non-conforming IdPs that
+    // Operators with non-conforming IdPs that
     // genuinely emit kid-less tokens can opt out via
     // vopts.allowKidlessJwks = true with a logged warning.
     if (!match) {
@@ -1117,7 +1117,7 @@ function create(opts) {
     // ES256 signature attempted against an RS256 key returned by a
     // hostile or buggy IdP with duplicate kids). Wrap so the panic
     // becomes a typed AuthError, matching the discipline in
-    // jwt-external.js + dpop.js. (Audit 2026-05-11.)
+    // jwt-external.js + dpop.js.
     var verified;
     try {
       verified = nodeCrypto.verify(params.hash, Buffer.from(signingInput, "ascii"), verifyOpts, sig);
@@ -1179,7 +1179,7 @@ function create(opts) {
     }
     if (vopts.nonce && !vopts.skipNonceCheck) {
       // Constant-time nonce compare — secret-shaped value matched
-      // against attacker-controlled payload. (Audit 2026-05-11.)
+      // against attacker-controlled payload.
       if (typeof payload.nonce !== "string" ||
           !cryptoTimingSafeEqual(payload.nonce, vopts.nonce)) {
         throw new OAuthError("auth-oauth/nonce-mismatch",
@@ -1212,7 +1212,7 @@ function create(opts) {
       // supplied; an operator typo could ship `http://` or
       // `javascript:`. Route through the framework's URL gate before
       // emitting so the URL is validated the same way as every other
-      // operator-supplied OAuth URL (audit 2026-05-15).
+      // operator-supplied OAuth URL.
       _validateUrl(uopts.postLogoutRedirectUri, allowHttp, "postLogoutRedirectUri");
       params.set("post_logout_redirect_uri", uopts.postLogoutRedirectUri);
     }

package/lib/auth/oid4vci.js

@@ -117,7 +117,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
       "credential issuance: proof JWT alg \"" + header.alg + "\" not in issuer-supported set " +
       "(alg-allowlist gate — refused before key lookup)");
   }
-  // AUTH-5 / RFC 7515 §4.1.11 — refuse non-empty `crit`. Pre-v0.9.x
+  // RFC 7515 §4.1.11 — refuse non-empty `crit`. Pre-v0.9.x
   // silently ignored, letting an attacker-controlled wallet declare
   // critical extensions the verifier doesn't understand.
   if (header.crit !== undefined && header.crit !== null) {
@@ -136,7 +136,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
   }
   if (expectedCNonce !== null) {
     // Constant-time c_nonce compare — secret-shaped value vs
-    // attacker-controlled wallet payload. (Audit 2026-05-11.)
+    // attacker-controlled wallet payload.
     if (typeof payload.nonce !== "string" ||
         !timingSafeEqual(payload.nonce, expectedCNonce)) {
       throw new AuthError("auth-oid4vci/wrong-proof-nonce",
@@ -148,14 +148,14 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
       "credential issuance: proof JWT must include iat");
   }
   var nowSec = Math.floor(Date.now() / C.TIME.seconds(1));
-  // AUTH-34 — use C.TIME for the 60s skew tolerance rather than a bare
+  // Use C.TIME for the 60s skew tolerance rather than a bare
   // 60 literal; matches the framework's constants discipline.
   var iatSkewSec = C.TIME.seconds(60) / C.TIME.seconds(1);
   if (payload.iat > nowSec + iatSkewSec) {
     throw new AuthError("auth-oid4vci/proof-iat-future",
       "credential issuance: proof JWT iat is in the future");
   }
-  // AUTH-26 — operator-tunable proof max-age. Default 10 minutes per
+  // Operator-tunable proof max-age. Default 10 minutes per
   // OID4VCI §7.2.1.1; operators with longer-lived wallet flows raise.
   var effectiveMaxAgeMs = (typeof proofMaxAgeMs === "number" && isFinite(proofMaxAgeMs) && proofMaxAgeMs > 0)
     ? proofMaxAgeMs
@@ -304,12 +304,12 @@ function create(opts) {
   var preAuthTtl = opts.preAuthCodeTtlMs || DEFAULT_PRE_AUTH_TTL_MS;
   var accessTokenTtl = opts.accessTokenTtlMs || DEFAULT_ACCESS_TOKEN_TTL;
   var cNonceTtl = opts.cNonceTtlMs || DEFAULT_C_NONCE_TTL_MS;
-  // AUTH-26 — operator-tunable proof iat-too-old window. Default 10
+  // Operator-tunable proof iat-too-old window. Default 10
   // minutes per OID4VCI §7.2.1.1.
   var proofMaxAgeMs = (typeof opts.proofMaxAgeMs === "number" && isFinite(opts.proofMaxAgeMs) && opts.proofMaxAgeMs > 0)
     ? opts.proofMaxAgeMs
     : C.TIME.minutes(10);
-  // AUTH-6 — access-token single-use. OID4VCI §7's credential endpoint
+  // Access-token single-use. OID4VCI §7's credential endpoint
   // does NOT inherently make the access token single-use; pre-v0.9.x
   // c_nonce rotation alone defended against proof replay, but a stolen
   // access token combined with a fresh proof could re-mint
@@ -575,7 +575,7 @@ function create(opts) {
     var newCNonce = generateToken(16);                                                           // 128-bit c_nonce
     await cNonceStore.set(iopts.accessToken, newCNonce);
 
-    // AUTH-6 — when single-use is on (default), DELETE the access token
+    // When single-use is on (default), DELETE the access token
     // after successful credential mint. A stolen access token paired
     // with a fresh proof would otherwise re-mint credentials; the
     // c_nonce rotation alone defends against proof replay but not

package/lib/auth/oid4vp.js

@@ -452,7 +452,7 @@ function create(opts) {
           continue;
         }
         try {
-          // Per-presentation vct enforcement (audit 2026-05-11): when
+          // Per-presentation vct enforcement: when
           // DCQL's `vct_values` has 1 entry, `expectedVct` pins it.
           // With 2+ entries the verifier's expectedVct opt can't hold
           // a list, so we verify-without-expected and then validate

package/lib/auth/openid-federation.js

@@ -169,7 +169,7 @@ function verifyEntityStatement(jwt, jwks, vopts) {
         "verifyEntityStatement: no JWKS key matches kid \"" + parsed.header.kid + "\"");
     }
   } else {
-    // AUTH-10 — refuse kid-less entity statements unless the operator
+    // Refuse kid-less entity statements unless the operator
     // explicitly opts in. JWKS rotation creates a window where the
     // rotated-out key is still cached but the rotated-in key is already
     // published; a kid-less statement during that window gets the
@@ -218,7 +218,7 @@ function verifyEntityStatement(jwt, jwks, vopts) {
   }
 
   var nowSec = Math.floor(Date.now() / C.TIME.seconds(1));
-  // AUTH-30 — operator-tunable clock skew (sibling primitives accept
+  // Operator-tunable clock skew (sibling primitives accept
   // tunable). Default matches the prior fixed 60s.
   var skew = (typeof vopts.maxClockSkewSec === "number" && isFinite(vopts.maxClockSkewSec) && vopts.maxClockSkewSec >= 0)
     ? vopts.maxClockSkewSec
@@ -436,7 +436,7 @@ async function buildTrustChain(opts) {
   var chain = [];
   var current = opts.leafEntityId;
   var depth = 0;
-  // AUTH-9 — visited-set cycle guard. The maxDepth cap alone caps the
+  // Visited-set cycle guard. The maxDepth cap alone caps the
   // loop count but doesn't distinguish "long chain" from "cyclic
   // chain"; a hostile authority that lists itself in authority_hints
   // walks the verifier until depth runs out and then surfaces as
@@ -486,7 +486,7 @@ async function buildTrustChain(opts) {
     // operators with multiple federations usually have one anchor
     // active; we walk in order and pick the first success.
     // Track every per-authority failure reason and surface them on
-    // `no-ascent` rather than masking. Audit 2026-05-11 — silently
+    // `no-ascent` rather than masking — silently
     // swallowing `catch (_e) {}` lets a hostile intermediate that
     // serves a malformed-then-valid pair shape-walk the verifier.
     // We continue past 404 / fetch errors but refuse on
@@ -513,7 +513,7 @@ async function buildTrustChain(opts) {
         chain[chain.length - 1].claims.jwks = parsedSub.claims.jwks || chain[chain.length - 1].claims.jwks;
         chain[chain.length - 1].subordinateJwt = subordinateJwt;
         chain[chain.length - 1].subordinate    = parsedSub.claims;
-        // AUTH-9 — refuse revisit. A trust anchor terminates the loop
+        // Refuse revisit. A trust anchor terminates the loop
         // before re-entry, so a revisit here ALWAYS means a cyclic
         // authority_hints graph.
         if (visited[authority]) {

package/lib/auth/passkey.js

@@ -77,7 +77,7 @@ function _requireString(v, name) {
   }
 }
 
-// AUTH-28 — WebAuthn extensions allowlist. Pre-v0.9.x `opts.extensions`
+// WebAuthn extensions allowlist. Pre-v0.9.x `opts.extensions`
 // was forwarded verbatim to the vendor, letting an operator (or a
 // caller threading user-input through opts) ship arbitrary extension
 // keys to the authenticator. Restrict to the framework-supported
@@ -234,7 +234,7 @@ async function verifyRegistration(opts) {
 // <input autocomplete="webauthn">.
 // Null-prototype map so `opts.mediation === "__proto__"` /
 // `"constructor"` can't truthy-match an inherited property and slip
-// past the allowlist (audit 2026-05-11).
+// past the allowlist.
 var ALLOWED_MEDIATION = Object.assign(Object.create(null),
   { silent: 1, optional: 1, required: 1, conditional: 1 });
 
@@ -314,7 +314,7 @@ function _b64urlExtInput(value, name, maxBytes) {
   // browser turns it into an ArrayBuffer before passing to the
   // authenticator).
   //
-  // AUTH-29 — when `maxBytes` is set, refuse decoded inputs longer than
+  // When `maxBytes` is set, refuse decoded inputs longer than
   // the cap. Per CTAP2.1 §6.5 PRF salts are 32 bytes; pre-v0.9.x the
   // framework accepted arbitrary length, which is undefined behavior on
   // authenticators that may truncate / reject / behave inconsistently.
@@ -364,7 +364,7 @@ function _prfExt(args) {
     throw new AuthError("auth-passkey/missing-prf-first",
       "extensions.prf eval.first is required");
   }
-  // AUTH-29 — CTAP2.1 §6.5 caps PRF salts at 32 bytes.
+  // CTAP2.1 §6.5 caps PRF salts at 32 bytes.
   var out = { prf: { eval: { first: _b64urlExtInput(args.eval.first, "eval.first", MAX_EXT_INPUT_BYTES) } } };
   if (args.eval.second !== undefined && args.eval.second !== null) {
     out.prf.eval.second = _b64urlExtInput(args.eval.second, "eval.second", MAX_EXT_INPUT_BYTES);
@@ -461,7 +461,7 @@ async function verifyAuthentication(opts) {
     throw new AuthError("auth-passkey/missing-credential",
       "opts.credential { id, publicKey, counter? } is required");
   }
-  // Counter regression bypass fix (audit 2026-05-11) — pre-v0.9.2
+  // Counter regression bypass fix — pre-v0.9.2
   // shape `opts.credential.counter || 0` silently zeroed an
   // undefined / null / NaN counter, defeating CTAP 2.1 clone-
   // detection on credentials whose stored counter is > 0. An
@@ -525,7 +525,7 @@ async function verifyAuthentication(opts) {
  * @signature b.auth.passkey.compareBackupState(prev, current)
  * @since     0.9.57
  *
- * AUTH-27 — WebAuthn L3 §6.1.3. Inspect the credential's persisted BE
+ * WebAuthn L3 §6.1.3. Inspect the credential's persisted BE
  * (backupEligible) + BS (backupState) flags against the values
  * surfaced on a fresh assertion. Returns a normalized verdict the
  * operator routes into audit / step-up decisions:

package/lib/auth/saml.js

@@ -717,7 +717,7 @@ function create(opts) {
         // Constant-time compare against the AuthnRequest ID the
         // operator stored — protects against timing-based InResponseTo
         // probing. timingSafeEqual returns false for missing /
-        // length-mismatch without leaking. (Audit 2026-05-11.)
+        // length-mismatch without leaking.
         if (inResponseTo === null || inResponseTo === undefined ||
             !timingSafeEqual(inResponseTo, vopts.expectedInResponseTo)) {
           throw new AuthError("auth-saml/bad-in-response-to",

package/lib/auth/sd-jwt-vc.js

@@ -492,7 +492,7 @@ async function verify(presentation, opts) {
     jwtExternal._assertAlgKtyMatch(alg, issuerKey);
   }
   var jwtParsed = _verifyJwt(jwt, issuerKey, alg);
-  // AUTH-25 — post-verify header compare. Pre-verify we parsed the
+  // Post-verify header compare. Pre-verify we parsed the
   // header bytes to look up the key; _verifyJwt parses again from the
   // cryptographically-verified signing input. Both decodes MUST yield
   // the same JSON; a mismatch indicates a JWS-canonicalization or
@@ -538,7 +538,6 @@ async function verify(presentation, opts) {
   // selective-disclosure-jwt §4.1.1). Earlier the framework defaulted
   // to its own DEFAULT_HASH_ALG (`sha3-512`) which broke verification
   // against spec-conformant issuers when `_sd_alg` was omitted.
-  // (Audit 2026-05-11.)
   var hashAlg = jwtParsed.payload._sd_alg || "sha-256";
   if (!SUPPORTED_HASH_ALGS[hashAlg]) {
     throw new AuthError("auth-sd-jwt-vc/bad-hash",
@@ -566,7 +565,7 @@ async function verify(presentation, opts) {
     // Disclosure-replay defense — a holder presenting the same _sd
     // digest twice (with the same or different values) is malformed
     // per spec and is the shape of a partial-disclosure smuggling
-    // attack. Refuse on duplicate digest. (Audit 2026-05-11.)
+    // attack. Refuse on duplicate digest.
     if (seenDigests[digest]) {
       throw new AuthError("auth-sd-jwt-vc/disclosure-replay",
         "verify: disclosure digest \"" + digest.slice(0, 12) +
@@ -622,9 +621,7 @@ async function verify(presentation, opts) {
         "verify: KB-JWT nonce mismatch (replay defense)");
     }
     // Validate KB-JWT sd_hash matches the presentation, using the
-    // credential's declared `_sd_alg` (audit 2026-05-11 — was
-    // hardcoded sha256 regardless of issuer's choice, breaking
-    // verification when issuer used sha3-512).
+    // credential's declared `_sd_alg`.
     var kbHashInput = jwt + "~";
     if (disclosureParts.length > 0) kbHashInput += disclosureParts.join("~") + "~";
     var kbNodeHash = SUPPORTED_HASH_ALGS[hashAlg];