@blamejs/core 0.14.6 → 0.14.7

package/lib/external-db.js

@@ -57,7 +57,7 @@ function _emitMetric(name, value, labels) {
   catch (_e) { /* hot-path observability sink — drop silent by design */ }
 }
 
-// Statement-class classifier for auth-failure forensics (D-M2). Inspects
+// Statement-class classifier for auth-failure forensics. Inspects
 // the leading keyword only so an attacker-controlled trailing fragment
 // can't smuggle a false classification. Skips leading whitespace plus
 // SQL line / block comments before reading the keyword.
@@ -83,8 +83,49 @@ function _classifyStatement(sql) {
   return _STATEMENT_CLASS_MAP[m[1].toUpperCase()] || "OTHER";
 }
 
+// Best-effort target-relation extractor for auth-failure forensics: the
+// table the denied role attempted to touch, so the audit row records
+// the OBJECT (SOC2 CC7.2 / NIST SP 800-53 AU-3 "what was accessed"),
+// not just the statement class. Defensive reader — returns null on
+// anything unparseable and NEVER throws: it runs in the live failure
+// path and must not mask the real 28000 / 42501 error. The extracted
+// identifier is captured into audit METADATA (a JSON string, never
+// re-executed as SQL), so the only sink risk is log-injection: any
+// segment carrying a control / NUL character is refused. Spaces and
+// ordinary punctuation inside a quoted identifier are kept so a
+// legitimately-quoted relation name still surfaces in the audit row.
+var _RELATION_RE = /\b(?:FROM|INTO|UPDATE|JOIN|TABLE|COPY)\s+((?:"[^"]+"|`[^`]+`|[A-Za-z_][\w$]*)(?:\.(?:"[^"]+"|`[^`]+`|[A-Za-z_][\w$]*))?)/ig;
+function _hasControlChar(s) {
+  for (var i = 0; i < s.length; i += 1) {
+    var c = s.charCodeAt(i);
+    if (c < 0x20 || c === 0x7f) return true;
+  }
+  return false;
+}
+function _extractTargetRelation(sql) {
+  if (typeof sql !== "string" || sql.length === 0) return null;
+  var clean = sql.replace(/--[^\n]*/g, " ").replace(/\/\*[\s\S]*?\*\//g, " ");
+  _RELATION_RE.lastIndex = 0;
+  var m = _RELATION_RE.exec(clean);
+  if (!m) return null;
+  var segs = m[1].split(".").map(function (s) { return s.replace(/^["`]|["`]$/g, ""); });
+  for (var i = 0; i < segs.length; i += 1) {
+    if (segs[i].length === 0 || _hasControlChar(segs[i])) return null;
+  }
+  return segs.join(".");
+}
+
+function _countTargetRelations(sql) {
+  if (typeof sql !== "string") return 0;
+  var clean = sql.replace(/--[^\n]*/g, " ").replace(/\/\*[\s\S]*?\*\//g, " ");
+  _RELATION_RE.lastIndex = 0;
+  var n = 0;
+  while (_RELATION_RE.exec(clean) !== null) n += 1;
+  return n;
+}
+
 // Postgres SQLSTATE classes that indicate authentication / authorization
-// failure at the DB level. SOC2 forensic gap (D-M2) — every match emits
+// failure at the DB level. SOC2 forensic gap — every match emits
 // db.auth.failed with the SQL identity attempted, the database, and
 // the statement class.
 var _AUTH_FAILURE_CODES = Object.freeze({
@@ -97,18 +138,24 @@ function _emitAuthFailureAudit(backend, role, sql, e) {
   if (!e || !e.code) return;
   var kind = _AUTH_FAILURE_CODES[e.code];
   if (!kind) return;
+  var attemptedTable = _extractTargetRelation(sql);
+  var relationCount  = _countTargetRelations(sql);
+  var resource = { kind: "db.backend", id: backend.name };
+  if (attemptedTable !== null) resource.attemptedTable = attemptedTable;
   audit().safeEmit({
     action:   "db.auth.failed",
     actor:    {},
-    resource: { kind: "db.backend", id: backend.name },
+    resource: resource,
     outcome:  "denied",
     reason:   kind,
     metadata: {
-      backend:        backend.name,
-      dialect:        backend.dialect,
-      sqlIdentity:    role || null,
-      sqlstate:       e.code,
-      statementClass: _classifyStatement(sql),
+      backend:               backend.name,
+      dialect:               backend.dialect,
+      sqlIdentity:           role || null,
+      sqlstate:              e.code,
+      statementClass:        _classifyStatement(sql),
+      attemptedTable:        attemptedTable,
+      attemptedRelationCount: relationCount,
     },
   });
   _emitMetric("db.auth.failed", 1, {
@@ -118,7 +165,7 @@ function _emitAuthFailureAudit(backend, role, sql, e) {
   });
 }
 
-// Slow-query bucket emitter (D-L7). Single-shot per query — highest
+// Slow-query bucket emitter. Single-shot per query — highest
 // matched bucket wins. Operators dashboard on the `bucket` label
 // rather than separate counters per threshold.
 var _SLOW_QUERY_BUCKETS = Object.freeze([
@@ -628,7 +675,7 @@ async function query(sql, params, opts) {
       _emitMetric("db.role.denied", 1,
         { backend: b.name, role: role || "(none)" });
     }
-    // D-M2 — DB-auth audit visibility. Every 28000 / 28P01 / 42501
+    // DB-auth audit visibility. Every 28000 / 28P01 / 42501
     // surfaces an auditable db.auth.failed row tagged with the SQL
     // identity and the statement class so SOC2 reviewers can
     // reconstruct the denial timeline.
@@ -693,13 +740,13 @@ async function transaction(fn, opts) {
   var prebuiltGucs = _buildSessionGucsStatements(opts.sessionGucs);
 
   var t0 = Date.now();
-  // D-H4 — per-statement timeout. SET LOCAL statement_timeout binds
-  // the query-cancel ceiling to this transaction; D-M7 wires
+  // Per-statement timeout. SET LOCAL statement_timeout binds
+  // the query-cancel ceiling to this transaction; this wires
   // idle_in_transaction_session_timeout from the same opt. Both
   // emit at SET LOCAL scope so the next pool checkout starts clean.
   var stmtTimeoutMs = opts.statementTimeoutMs;
   var idleTimeoutMs = opts.idleInTransactionTimeoutMs;
-  // D-M8 — deadlock-retry policy. 40P01 (deadlock_detected) and 40001
+  // Deadlock-retry policy. 40P01 (deadlock_detected) and 40001
   // (serialization_failure) are transient — retry with capped attempts
   // and a small jittered backoff. Operators tune retries via opts.deadlockRetries (default 3).
   // numeric-bounds doesn't have a non-negative-int helper; use a
@@ -771,7 +818,7 @@ async function transaction(fn, opts) {
             _emitMetric("db.role.denied", 1,
               { backend: b.name, role: role || "(none)" });
           }
-          // D-M2 — DB-auth audit visibility on transaction-shaped denials.
+          // DB-auth audit visibility on transaction-shaped denials.
           // Statement class always reads as "TX" since the failure
           // surface inside a transaction body could be any statement;
           // operators correlate via the transaction's audit row.
@@ -1017,7 +1064,7 @@ function _requireInit() {
 
 var REPLICA_UNHEALTHY_COOLDOWN_MS = C.TIME.seconds(30);
 
-// F-CBT-2 — replica residency-tag compatibility.
+// Replica residency-tag compatibility.
 //
 // A primary tagged "EU" replicating to a "US" replica is a GDPR
 // Article 46 cross-border transfer; without an explicit operator
@@ -1194,7 +1241,7 @@ async function _readQuery(sql, params, opts) {
       _emitMetric("db.role.denied", 1,
         { backend: b.name, role: role || "(none)" });
     }
-    // D-M2 — DB-auth audit visibility for read-replica denials too.
+    // DB-auth audit visibility for read-replica denials too.
     _emitAuthFailureAudit(b, role, sql, e);
     // Fallback to primary on a failed replica read when allowed.
     if (b.replicaFallbackToPrimary) {
@@ -1874,4 +1921,5 @@ module.exports = {
   migrate:        externalDbMigrate,
   Pool:           Pool,
   _resetForTest:  _resetForTest,
+  _extractTargetRelation: _extractTargetRelation,
 };

package/lib/framework-schema.js

@@ -648,8 +648,8 @@ function _breakGlassPoliciesDDL(dialect) {
 }
 
 // _blamejs_break_glass_grants — issued grants. One row per successful
-// step-up. Default maxRowsPerGrant=1 enforces row-by-row auth per the
-// operator-confirmed shape ("each row access = its own grant").
+// step-up. Default maxRowsPerGrant=1 enforces row-by-row auth
+// ("each row access = its own grant").
 function _breakGlassGrantsDDL(dialect) {
   var t = _types(dialect);
   var name = LOCAL_TO_EXTERNAL._blamejs_break_glass_grants;
@@ -766,7 +766,7 @@ async function ensureSchema(opts) {
     created.push(d.create.match(/CREATE TABLE IF NOT EXISTS\s+(\S+)/)[1]);
   }
 
-  // D-M11 — append-only WORM enforcement on audit_log / consent_log /
+  // Append-only WORM enforcement on audit_log / consent_log /
   // audit_checkpoints in cluster mode. Local-SQLite path already
   // installs CREATE TRIGGER IF NOT EXISTS via lib/db.js's
   // _installAppendOnlyTriggers; Postgres needs equivalent rules
@@ -779,7 +779,7 @@ async function ensureSchema(opts) {
   return { tables: created };
 }
 
-// D-M11 — WORM enforcement helper. Idempotent: rebuilding triggers
+// WORM enforcement helper. Idempotent: rebuilding triggers
 // per boot is cheap and any operator-applied DROP TRIGGER is restored
 // at the next ensureSchema pass.
 async function _installWormTriggers(backend, dialect) {

package/lib/guard-list-id.js

@@ -203,8 +203,8 @@ function validate(headerValue, opts) {
   // recover the boundary without Public Suffix List awareness
   // (`team.example.com` could be label=team / ns=example.com OR
   // label=team.example / ns=com). The earlier last-2-segment
-  // heuristic produced empty `label` for 2-label IDs (Codex P1 on
-  // PR #64), which violates RFC 2919 §2's required label "."
+  // heuristic produced empty `label` for 2-label IDs
+  // which violates RFC 2919 §2's required label "."
   // namespace decomposition.
   //
   // Drop the heuristic split — surface only the raw `listId` (and

package/lib/guard-list-unsubscribe.js

@@ -349,8 +349,7 @@ function _extractUris(raw, maxUris) {
   // bracket pairs directly via String.matchAll so URIs containing
   // commas (legitimate, e.g. `<https://x/u?tags=a,b>`) parse
   // correctly. Earlier split(",")-based scan misclassified such
-  // URIs as "no <URI> elements" and refused legitimate mail
-  // (Codex P1 on PR #63).
+  // URIs as "no <URI> elements" and refused legitimate mail.
   var matches = raw.matchAll(/<([^<>]*)>/g);                                                             // allow:regex-no-length-cap — input length-bounded by maxBytes check upstream
   var uris = [];
   for (var m of matches) {

package/lib/incident-report.js

@@ -305,8 +305,158 @@ function create(opts) {
   };
 }
 
+// Breach detection -> notification running clock. The reporter
+// (`create`) computes the static per-stage deadlines; this clock turns
+// them into a live escalation loop: it tracks open incident records and,
+// on each tick, fires "approaching" warnings as a stage's deadline nears
+// and a "passed" alert when it elapses — once per (incident, stage,
+// state) so a busy tick interval can't storm the operator. It re-uses
+// the reporter's REGIME_DEADLINES / dueBy timestamps and re-encodes no
+// jurisdiction hour-counts (GDPR Art.33 72h, NIS2 Art.23(4) 24h, DORA
+// Art.19 + RTS 2024/1772 4h, CRA Art.14, HIPAA 45 CFR 164.404/408).
+// `approachThresholds` are unitless proportions of detected-to-due.
+function createDeadlineClock(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "notify", "approachThresholds", "intervalMs", "autoStart", "now",
+  ], "incident.report.createDeadlineClock");
+
+  var auditOn = opts.audit !== false;
+  var notify  = (opts.notify && typeof opts.notify.send === "function") ? opts.notify : null;
+  var thresholds = Array.isArray(opts.approachThresholds) ? opts.approachThresholds.slice() : [0.5, 0.75, 0.9];
+  for (var ti = 0; ti < thresholds.length; ti += 1) {
+    if (typeof thresholds[ti] !== "number" || !(thresholds[ti] > 0 && thresholds[ti] < 1)) {
+      throw new IncidentReportError("incident-report/bad-threshold",
+        "createDeadlineClock: approachThresholds must be numbers strictly between 0 and 1");
+    }
+  }
+  thresholds.sort(function (a, b) { return a - b; });
+  var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
+  var intervalMs = (typeof opts.intervalMs === "number" && isFinite(opts.intervalMs) && opts.intervalMs > 0)
+    ? opts.intervalMs : C.TIME.minutes(1);
+  var autoStart = opts.autoStart !== false;
+
+  var tracked = new Map();   // incidentId -> { detectedAt, dueBy, regime, acked, fired }
+  var timer = null;
+
+  function _emit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({ action: "incident.report.clock." + action, outcome: outcome, metadata: metadata || {} });
+    } catch (_e) { /* drop-silent — by design */ }
+  }
+  function _notify(payload) {
+    if (!notify) return;
+    try {
+      var r = notify.send(payload);
+      if (r && typeof r.then === "function") r.then(null, function () {});
+    } catch (_e) { /* drop-silent — escalation is best-effort, never crashes a tick */ }
+  }
+
+  function track(record) {
+    if (!record || typeof record !== "object" || typeof record.id !== "string" || record.id.length === 0) {
+      throw new IncidentReportError("incident-report/bad-record",
+        "createDeadlineClock.track: record must be an incident.report record with a string id");
+    }
+    if (!record.dueBy || typeof record.dueBy !== "object" ||
+        typeof record.detectedAt !== "number") {
+      throw new IncidentReportError("incident-report/bad-record",
+        "createDeadlineClock.track: record must carry detectedAt + dueBy { initial, intermediate, final }");
+    }
+    tracked.set(record.id, {
+      detectedAt: record.detectedAt,
+      dueBy:      record.dueBy,
+      regime:     record.regime || null,
+      acked:      {},
+      fired:      {},
+    });
+    return record.id;
+  }
+
+  function untrack(id) { return tracked.delete(id); }
+
+  function acknowledgeSubmission(id, stage, info) {
+    if (!VALID_STAGES[stage]) {
+      throw new IncidentReportError("incident-report/bad-stage",
+        "createDeadlineClock.acknowledgeSubmission: stage must be one of " + Object.keys(VALID_STAGES).join(", "));
+    }
+    var t = tracked.get(id);
+    if (!t) {
+      throw new IncidentReportError("incident-report/unknown-incident",
+        "createDeadlineClock.acknowledgeSubmission: no tracked incident '" + id + "'");
+    }
+    t.acked[stage] = true;
+    _emit("submission_acknowledged", "success", { incidentId: id, regime: t.regime, stage: stage, info: info || null });
+    return true;
+  }
+
+  // Pure evaluation seam — operators (and tests) can pass an explicit
+  // nowMs. Each (incident, stage, state) fires AT MOST once; a stage
+  // that has been acknowledged is skipped entirely.
+  function tick(nowMsArg) {
+    var nowMs = typeof nowMsArg === "number" ? nowMsArg : now();
+    tracked.forEach(function (t, id) {
+      var stages = ["initial", "intermediate", "final"];
+      for (var si = 0; si < stages.length; si += 1) {
+        var stage = stages[si];
+        if (t.acked[stage]) continue;
+        var due = t.dueBy[stage];
+        if (typeof due !== "number") continue;
+        var span = due - t.detectedAt;
+        if (span <= 0) continue;
+        if (nowMs >= due) {
+          var pk = stage + ":passed";
+          if (!t.fired[pk]) {
+            t.fired[pk] = true;
+            _emit("deadline_passed", "failure", { incidentId: id, regime: t.regime, stage: stage, dueBy: due });
+            _notify({ kind: "deadline_passed", incidentId: id, regime: t.regime, stage: stage, dueBy: due });
+          }
+          continue;
+        }
+        var proportion = (nowMs - t.detectedAt) / span;
+        for (var thi = thresholds.length - 1; thi >= 0; thi -= 1) {
+          if (proportion >= thresholds[thi]) {
+            var ak = stage + ":approaching:" + thresholds[thi];
+            if (!t.fired[ak]) {
+              t.fired[ak] = true;
+              _emit("deadline_approaching", "warning",
+                { incidentId: id, regime: t.regime, stage: stage, dueBy: due, threshold: thresholds[thi] });
+              _notify({ kind: "deadline_approaching", incidentId: id, regime: t.regime, stage: stage, dueBy: due, threshold: thresholds[thi] });
+            }
+            break;
+          }
+        }
+      }
+    });
+  }
+
+  function start() {
+    if (timer) return;
+    timer = setInterval(function () { tick(); }, intervalMs);
+    if (timer && typeof timer.unref === "function") timer.unref();
+  }
+  function stop() {
+    if (timer) { clearInterval(timer); timer = null; }
+  }
+  function status() {
+    return { tracked: tracked.size, running: timer !== null, intervalMs: intervalMs };
+  }
+
+  if (autoStart) start();
+  return {
+    track:                 track,
+    untrack:               untrack,
+    acknowledgeSubmission: acknowledgeSubmission,
+    tick:                  tick,
+    start:                 start,
+    stop:                  stop,
+    status:                status,
+  };
+}
+
 module.exports = {
   create:                create,
+  createDeadlineClock:   createDeadlineClock,
   IncidentReportError:   IncidentReportError,
   REGIME_DEADLINES:      REGIME_DEADLINES,
   DEFAULT_DEADLINES:     DEFAULT_DEADLINES,

package/lib/mail-crypto-smime.js

@@ -763,7 +763,7 @@ function checkCert(opts) {
   }
 
   // Validity window — refuse certs outside their notBefore / notAfter
-  // window. Codex P1: checkCert's docstring promises this throws
+  // window. checkCert's docstring promises this throws
   // `mail-crypto/smime/expired-cert` but the impl was missing, letting
   // expired or not-yet-valid signing certs pass boot-time preflight
   // and fail interop later when peers verify signatures against the

package/lib/mail-deploy.js

@@ -720,7 +720,7 @@ function _validateTlsRptReport(raw, ctx) {
       "parseTlsRptReport: report has " + policies.length +
       " policies (cap " + TLSRPT_MAX_POLICIES + ")");
   }
-  // Codex P2 (v0.10.15) — validate summary counts as finite non-negative
+  // Validate summary counts as finite non-negative
   // integers before summing. `Number(...) || 0` would accept
   // `Infinity` (from JSON literal `1e309` or string "Infinity"),
   // negative values, and arbitrary strings (coerced to NaN→0). Each
@@ -882,7 +882,7 @@ function tlsRptReportSchema() {
  *     posture-aware payload (organization-name, report-id,
  *     policy-domain set, session totals).
  *
- * Authentication discipline (Codex P2 v0.10.15):
+ * Authentication discipline:
  *   - `trustedReporters` is a CONTENT-SIDE soft filter — it compares
  *     the reporter's self-declared `organization-name` field (the
  *     report body, operator-untrusted) against the operator's
@@ -962,7 +962,7 @@ function tlsRptIngestHttp(opts) {
       res.end("RFC 8460 §6.4-6.5 media types required\n");
       return;
     }
-    // Codex P2 (v0.10.15) — real-authentication boundary BEFORE body
+    // Real-authentication boundary BEFORE body
     // collection. The operator-supplied `authenticate(req)` hook
     // routes to mTLS peer-cert / IP-allowlist / signed-header /
     // reverse-proxy header inspection. Sync-or-async; falsy → 401.

package/lib/mail-server-managesieve.js

@@ -43,7 +43,7 @@
  *     `opts.auth.mechanisms`. The framework hardcodes no defaults; an
  *     operator who omits `mechanisms` gets a listener that refuses
  *     every AUTHENTICATE attempt with "mechanism not advertised"
- *     (avoids the IMAP v0.9.49 Codex P2 class — advertising AUTH=PLAIN
+ *     (otherwise advertising AUTH=PLAIN
  *     when authConfig is null sets clients up to attempt PLAIN against
  *     a listener that hasn't wired the verifier).
  *
@@ -482,7 +482,7 @@ function create(opts) {
     }
     socket.write('"SIEVE" "' + sieveCaps.join(" ") + '"\r\n');
     // Advertise SASL mechanisms — ONLY the mechs the operator wired
-    // in opts.auth.mechanisms (Codex P2 IMAP lesson: don't hardcode).
+    // in opts.auth.mechanisms (do not hardcode the advertised mechanisms).
     if (authConfig && Array.isArray(authConfig.mechanisms) && authConfig.mechanisms.length > 0) {
       var mechs = authConfig.mechanisms.map(function (m) {
         return String(m).toUpperCase();

package/lib/mail-server-pop3.js

@@ -368,8 +368,8 @@ function create(opts) {
     socket.write("UIDL\r\n");
     socket.write("RESP-CODES\r\n");
     if (!state.tls) socket.write("STLS\r\n");
-    // Advertise AUTH mechanisms ONLY when wired (Codex P2 IMAP lesson:
-    // don't hardcode SASL mechs in caps).
+    // Advertise AUTH mechanisms ONLY when wired
+    // (do not hardcode SASL mechs in caps).
     if (authConfig && Array.isArray(authConfig.mechanisms) && authConfig.mechanisms.length > 0) {
       var mechs = authConfig.mechanisms.map(function (m) {
         return String(m).toUpperCase();

package/lib/mail-store.js

@@ -753,7 +753,7 @@ function _setFlags(args) {
   // Per-message modseq bump — without this, queryByModseq filters
   // `messages.modseq > sinceModseq` and misses the flag change. CONDSTORE
   // (RFC 7162) / JMAP Email/changes both depend on the per-message
-  // modseq being current. Per Codex P1 on PR #49.
+  // modseq being current.
   if (args.objectids.length > 0 && (setFlags.length > 0 || unsetFlags.length > 0)) {
     // Bulk-update via IN-clause. SQLite caps IN-clause at 32766 (max
     // bound parameters); chunk for very large operands.

package/lib/metrics.js

@@ -143,7 +143,7 @@ function _normalizeLabelArg(callLabels, value, defaultValue) {
   };
 }
 
-// CRYPTO-18 — credential-shape detector. Operators routinely tap their
+// Credential-shape detector. Operators routinely tap their
 // own observability with `{ token: req.headers.authorization }` or
 // `{ apiKey: req.headers["x-api-key"] }`, which then leak through the
 // /metrics scrape surface to any reader of the metrics endpoint. The
@@ -199,7 +199,7 @@ function _validateLabelValue(value) {
   // counters indexed by various input types still work.
   if (value === null || value === undefined) return "";
   var coerced = String(value);
-  // CRYPTO-18 — credential-shape detector. Operators who tap their
+  // Credential-shape detector. Operators who tap their
   // observability with raw header values leak bearer tokens / API
   // keys through /metrics to every scrape reader. Refuse the value
   // and surface a redaction marker so the metric still labels (so
@@ -642,8 +642,8 @@ function create(opts) {
       // `Accept: application/openmetrics-text; version=1.0.0`. The
       // handler returns the OpenMetrics-1.0 wire format when that
       // media type has the highest q-value among supported types;
-      // defaults to Prometheus 0.0.4 otherwise. Codex P1 v0.12.5 —
-      // honor RFC 9110 §12.5.1 weighted negotiation: a client that
+      // defaults to Prometheus 0.0.4 otherwise.
+      // Honor RFC 9110 §12.5.1 weighted negotiation: a client that
       // sends `Accept: text/plain;q=1.0, application/openmetrics-
       // text;q=0.5` (or `;q=0`) gets text/plain back, even though
       // both media types are supported.
@@ -719,7 +719,7 @@ function create(opts) {
         // (Prometheus 2.x, Grafana exemplar-renderer) can pivot
         // from a slow-request bucket to the trace that produced it.
         //
-        // Codex P2 v0.12.5 — the span_id MUST be the server-handling
+        // The span_id MUST be the server-handling
         // span (created by b.middleware.spanHttpServer + stamped on
         // req.span), not the upstream `traceparent`'s parent-id.
         // The parent-id points at the CALLER's span (or nothing for
@@ -986,7 +986,7 @@ function snapshotStartWriter(opts) {
   var fieldsFn   = opts.fields;
   var registry   = opts.registry || null;
   var intervalMs = opts.intervalMs;
-  // CRYPTO-6 — file mode for the atomic write. Default 0o640
+  // File mode for the atomic write. Default 0o640
   // (owner rw, group r, world none). Operators with a sidecar
   // reader in a different group override to 0o644; multi-tenant
   // hosts may even tighten to 0o600.
@@ -1019,7 +1019,7 @@ function snapshotStartWriter(opts) {
       catch (e2) { log("snapshot.metrics serialize failed: " + ((e2 && e2.message) || String(e2))); }
     }
     try {
-      // CRYPTO-6 — default 0o640 (owner rw, group r, world none) so
+      // Default 0o640 (owner rw, group r, world none) so
       // operator-supplied snapshot fields aren't world-readable on a
       // multi-tenant host. Operators with a sidecar reader running as
       // a different group override via opts.fileMode at startWriter
@@ -1078,7 +1078,7 @@ function snapshotRead(p) {
   // is well above the framework's expected snapshot size (~5-50 KiB)
   // and the safeJson absolute cap stays within reach.
   try {
-    // CRYPTO-21 — route through C.BYTES.mib(4); the raw byte literal
+    // Route through C.BYTES.mib(4); the raw byte literal
     // was a drift smell flagged by codebase-patterns.
     parsed = safeJson.parse(raw, { maxBytes: C.BYTES.mib(4) });
   } catch (e) {

package/lib/middleware/csrf-protect.js

@@ -316,7 +316,7 @@ function create(opts) {
   // refuse before the token check.
   //
   // Default: enabled (defense-in-depth — same shape as bot-guard /
-  // rate-limit / CSP nonce — every default ON per Core Rule §3).
+  // rate-limit / CSP nonce — every default ON).
   // Operator opt-out: opts.checkOrigin = false.
   // Operator allowlist: opts.allowedOrigins = ["https://app.example.com"].
   var checkOrigin = opts.checkOrigin !== false;

package/lib/middleware/dpop.js

@@ -119,7 +119,7 @@ function _nonceManager(rotateSec) {
       if (previous && bCrypto.timingSafeEqual(n, previous.nonce)) return true;
       return false;
     },
-    // AUTH-36 — hot-reload coexistence. Operators redeploying without
+    // Hot-reload coexistence. Operators redeploying without
     // a clean process restart need a way to drain in-flight clients
     // before swapping the middleware instance. shutdown() returns no
     // fresh nonces and refuses every presented nonce, so the
@@ -156,7 +156,7 @@ function _reconstructHtu(req, mopts) {
   //
   // Default: ignore X-Forwarded-* and derive proto/host from the
   // socket. Operators with a confirmed-trusted front proxy opt in
-  // via opts.trustForwardedHeaders: true. (Audit 2026-05-11.)
+  // via opts.trustForwardedHeaders: true.
   mopts = mopts || {};
   var trustForwarded = mopts.trustForwardedHeaders === true;
   var proto;
@@ -229,7 +229,7 @@ function create(opts) {
     "getAccessToken", "getNonce", "getHtu", "audit",
     "nonceStore", "nonceWindowSec", "nonceRotateSec", "requireNonce",
     // v0.9.4 — opt-in trust gate for X-Forwarded-Proto/Host when
-    // reconstructing htu. Default off (audit 2026-05-11); operators
+    // reconstructing htu. Default off; operators
     // with a confirmed-trusted front proxy set this to `true`.
     "trustForwardedHeaders", "onDeny", "problemDetails",
   ], "middleware.dpop");
@@ -287,7 +287,7 @@ function create(opts) {
       return _writeUnauthorized(req, res, "invalid_dpop_proof",
         "multiple DPoP headers are not allowed", null, onDeny, problemMode);
     }
-    // AUTH-15 — RFC 9449 §4.1 single-value invariant. node:http
+    // RFC 9449 §4.1 single-value invariant. node:http
     // collapses repeated headers into a comma-joined string when the
     // client ships `DPoP: proof1, DPoP: proof2`; the Array.isArray
     // check above catches the multi-value array shape but a
@@ -399,7 +399,7 @@ function create(opts) {
     return next();
   };
 
-  // AUTH-36 — surface the nonce manager's lifecycle hooks on the
+  // Surface the nonce manager's lifecycle hooks on the
   // returned middleware so hot-reload deploys can drain in-flight
   // clients before swapping instances. shutdown() refuses every
   // subsequent proof + issues no fresh nonces; revoke() rotates the