@blamejs/core 0.14.6 → 0.14.8

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.14.x
 
+- v0.14.8 (2026-05-30) — **Source-comment and codebase-check hygiene, plus a new require-block alignment check; no API or behaviour changes.** Internal lint and comment cleanup with no operator-facing surface change. Several codebase-check comments and one stub helper name that described behaviour the check no longer has are corrected; an unused lint-suppression class and a set of stale duplicate-cluster qualifiers (functions that were since renamed or extracted) are pruned or re-pointed. Fifty-nine `// allow:` markers that named the byte-size or time-literal check on values those checks no longer flag are removed, and twenty self-negating rationales on markers the time check genuinely fires on are rewritten to say why the value coincidentally matches. A new codebase check holds top-of-file require blocks to consistent `=` column alignment, with the files that currently carry drift listed as a migration allowlist. No exported API, error code, wire format, or runtime behaviour changes. **Changed:** *Lint-suppression and codebase-check comment cleanup* — Corrected codebase-check comments that overstated their check's scope (a duplicate-code threshold described as three files when the advisory threshold is two, a narrowed byte-literal check carrying its pre-narrowing description, and a deferred-scan helper named as though it enforced a guarantee it does not yet provide). Removed an unused lint-suppression class and its one dead in-code marker, and pruned or re-pointed stale duplicate-cluster qualifiers that named functions since renamed or extracted into shared helpers. Removed fifty-nine `// allow:` markers that suppressed nothing, and rewrote twenty self-negating marker rationales (which read "not seconds" while sitting on a value the time check fires on) to explain the coincidental match. Source-comment and test hygiene only. **Detectors:** *Require-block `=` alignment check* — A new codebase check flags a top-of-file require block that mixes its `=` column alignment — a fittable line whose `=` drifts off the column the rest of the block shares. Compact single-space blocks are exempt (only blocks that declare alignment intent are checked), as are destructures and long names physically too wide to reach the column, and blank- or comment-separated tiers align independently. The files that currently carry such drift are an explicit migration allowlist, reflowed over time; new code is held to the rule.
+
+- v0.14.7 (2026-05-30) — **Storage and audit-trail hardening: queries are gated to declared columns, raw SQL refuses embedded literals, the database key is bound to its location, sealed-column lookup hashes gain a keyed mode, audit-chain purges can require dual control, and breach deadlines ship a running clock.** This release tightens the data and audit layers against a set of failure modes that were previously reachable. Database queries are now checked against the columns a table declared in its schema: a reference to an undeclared column fails closed by default instead of silently matching nothing, and the `whereRaw` escape hatch refuses an embedded string literal so values bind through placeholders. The database encryption key is sealed with its purpose, data directory, and key path as additional authenticated data, so a key file cannot be relocated to another deployment and unsealed there; an older key without that binding upgrades itself on first load. Sealed-column equality-lookup hashes can now be computed as a keyed MAC (HMAC-SHAKE256) off a per-deployment key, making the lookup hash unforgeable without that key, while the salted-SHA3 default is unchanged. Purging the tamper-evident audit chain can be placed under a two-authorizer dual-control grant so one operator cannot erase it alone, and database credential-rejection audits now record which relation the rejected credential tried to reach. Finally, breach-notification deadlines get a running clock that raises approaching and passed alerts as each regime's window elapses. One behavior change to note: the column gate defaults to reject — if a service issues queries against columns it did not declare in its schema, set `db.init({ columnGate: "warn" })` (audited, allowed) or `"off"` while the schema is reconciled. **Added:** *Column-membership gate on every query* — `b.db.from(table)` now checks each referenced column against the table's declared schema. The mode is set with `db.init({ columnGate: "reject" | "warn" | "off" })` (default `reject`), and `query.allowedColumns([...])` narrows a single query to an explicit allowlist that is always enforced. `b.db.getDeclaredColumns(table)` returns a table's declared column names (or `null` for an unknown table). This is defense in depth against typo'd or caller-influenced column names reaching the SQL layer (CWE-89). · *Keyed mode for sealed-column lookup hashes* — Equality-lookup ("derived") hashes for sealed columns can be computed as `hmac-shake256` — a keyed MAC over a per-deployment key — instead of the default `salted-sha3`. Set it per table with `cryptoField.registerTable(name, { derivedHashMode: "hmac-shake256" })` or per column with `{ from, mode: "hmac-shake256" }`. The keyed hash is unforgeable and un-correlatable without the deployment's MAC key, which raises the bar against offline lookup-table attacks on low-entropy sealed values (CWE-916). `b.vault.getDerivedHashMacKey()` exposes the 32-byte per-deployment key; it is created on first use and re-sealed across key rotation automatically. · *Dual-control gate on audit-chain purge* — `b.auditTools.purge` accepts `dualControlGrant`. When `audit_log` is placed under dual control, a verified archive and `confirm: true` are no longer sufficient: the purge additionally requires a consumed m-of-n grant whose action is bound to the purge, so a grant minted for another operation cannot be replayed and one operator cannot erase the tamper-evident chain alone (NIST SP 800-53 AU-9, separation of duties). · *Running clock for breach-notification deadlines* — `b.incident.report.createDeadlineClock({ notify, approachThresholds })` tracks open incidents and raises `deadline_approaching` and `deadline_passed` alerts as each regime's window elapses (GDPR 72h, DORA, NIS2, and the rest of the registry). Alerts are deduplicated per incident and stage, suppressed once a submission stage is acknowledged, and the clock can run on an interval or be ticked manually. **Changed:** *Queries against undeclared columns now fail closed by default* — The column gate defaults to `reject`: a query that references a column the table did not declare throws rather than silently matching nothing. A service that intentionally queries undeclared columns can set `db.init({ columnGate: "warn" })` to audit and allow, or `"off"` to disable the gate, while its schema is reconciled. Framework-declared columns (including `_id` and derived-hash columns) are always members. **Security:** *Database encryption key bound to its location* — `db.key.enc` is sealed with additional authenticated data over its purpose, resolved data directory, and resolved key path. A sealed key copied to a different deployment or path no longer unseals there — the AEAD authentication fails — which prevents silent key relocation. A legacy key sealed without this binding is detected and re-sealed in the bound format on first load, with no operator action required. · *`whereRaw` refuses embedded string literals* — `whereRaw(sql, params)` and `WhereBuilder.raw(sql, params)` reject a raw fragment containing a string literal (`'...'`); values must bind through the `params` array. A static, operator-controlled literal can opt in with `{ allowLiterals: true }`. This closes a path where a value concatenated into a raw fragment would reintroduce SQL injection (CWE-89). · *Credential-rejection audits record the attempted relation* — A `db.auth.failed` audit row (SQLSTATE 28000 / 28P01 / 42501) now carries `attemptedTable`, the relation the rejected credential tried to reach, extracted defensively from the statement. Triage can scope the blast radius of a credential-abuse event without correlating back to the raw SQL log (CWE-778). **Detectors:** *Audit-purge dual-control gate* — A new check fails the build if a call to `purgeAuditChain` appears in a file that does not also route through the dual-control gate, so a future caller cannot physically delete chain rows without two-authorizer enforcement. · *Raw-SQL literal/interpolation guard* — A new check fails the build on a `whereRaw` / `.raw` call whose SQL argument is built by template interpolation or string concatenation, keeping the bound-params discipline enforceable in framework code. · *Hand-rolled lookup-hash guard* — A new check fails the build if a sealed-column lookup hash is derived from the per-deployment salt outside the canonical helper, so call sites cannot bypass the keyed-mode and per-column mode policy. · *Auth-audit attempted-relation guard* — A new check fails the build if a `db.auth.failed` audit is emitted in a file that does not name `attemptedTable`, so the forensic field cannot be dropped from a future emitter.
+
 - v0.14.6 (2026-05-30) — **Access-refusal middleware can return RFC 9457 problem+json or a custom response, and several documented-but-uncallable APIs are now reachable.** Every access-refusal middleware — the auth gates (bearer, DPoP, mTLS, AAL, bound-key), CSRF, CORS, rate-limit, bot-guard, age-gate, the host and network allowlists, and the method and content-type gates — now accepts two uniform options: `problemDetails: true` returns an RFC 9457 `application/problem+json` body, and `onDeny(req, res, info)` hands the response to the caller. With neither set the refusal is byte-for-byte what it was, so this is a drop-in change that lets a service standardize one error envelope across its API instead of working around each middleware's hardcoded body. Alongside that: `b.middleware.requireBoundKey` is now exported (it was documented and tested but never wired into the middleware surface), `b.middleware.bearerAuth` accepts `requiredScopes` (previously rejected at construction, which made its scope-enforcement path unreachable), API-key refusals send the RFC 6750 challenge code that matches the failure, two documented call paths that named a missing namespace segment are corrected, and the release flow now flags stale GitHub Actions and vendored bundles — with a ready-to-paste pin — before a dependency PR is needed. **Added:** *Uniform `onDeny` and `problemDetails` options on every access-refusal middleware* — Each request-lifecycle middleware that refuses a request now takes `problemDetails: true` to emit an RFC 9457 `application/problem+json` body (composing `b.problemDetails`) and `onDeny(req, res, info)` to take over the response entirely; `info` carries the status, a machine reason, and the middleware-specific fields. The deny-path response headers (`Allow`, `WWW-Authenticate`, `Retry-After`, `Accept`) survive every mode. When neither option is set the response is unchanged. Covers `requireAuth`, `requireAal`, `requireMethods`, `requireContentType`, `requireMtls`, `requireBoundKey`, `bearerAuth`, `dpop`, `csrfProtect`, `fetchMetadata`, `botGuard`, `ageGate`, `hostAllowlist`, `networkAllowlist`, `cors`, `rateLimit`, and `dailyByteQuota` (whose existing `onExceeded` keeps working as an alias of `onDeny`). **Fixed:** *`b.middleware.requireBoundKey` is now callable* — The Bearer-API-key middleware was documented (with examples and tests) but never exported on `b.middleware`, so `b.middleware.requireBoundKey(...)` threw `undefined is not a function`. It is now wired into the middleware surface. · *`b.middleware.bearerAuth` accepts `requiredScopes`* — The RFC 6750 scope-enforcement path read `opts.requiredScopes`, but the option was rejected at construction with `unknown option`, making the 403 `insufficient_scope` behavior unreachable. `requiredScopes` is now an accepted option. · *RFC 6750 challenge codes on API-key refusals* — `b.middleware.requireBoundKey` now sends the `WWW-Authenticate` error code that matches the failure: `insufficient_scope` on a 403 missing-scope, `invalid_token` on an unknown or revoked token, and no error code on a 401 that presented no credentials (RFC 6750 §3). It previously sent `invalid_request` for every refusal. · *Corrected two documented call paths* — The compliance and network references named a path that dropped a namespace segment: the conformity-assessment scaffold is at `b.cra.report.conformityAssessment` (not `b.cra.conformityAssessment`), and the per-socket tuning helper is at `b.network.socket.applyToSocket` (not `b.network.applyToSocket`). The documented signatures now match the callable paths. · *GitHub Actions pins refreshed* — `github/codeql-action` 4.35.5 to 4.36.0, and `docker/login-action`, `docker/setup-buildx-action`, and `docker/setup-qemu-action` to their latest releases. **Detectors:** *`@primitive` reachability gate* — A new check resolves every documented `b.X.Y` primitive against the actual public surface and fails the build when a documented path is not callable (factory-instance shorthands excluded). This is the gate that would have caught the `requireBoundKey` and call-path issues above. · *Deny-path composition gate* — A new check requires every access-refusal middleware to route its refusal through the shared deny-response writer, so a future middleware cannot reintroduce a hardcoded body that locks callers out of `onDeny` / `problemDetails`. · *Actions and vendor currency in the release flow* — The release flow now fails the cut when a SHA-pinned GitHub Action or a vendored bundle is behind its latest upstream release. The actions report prints a ready-to-paste `owner/repo@<sha>  # vX.Y.Z` pin and every file and line that uses it, so the bump is copy-paste rather than an after-the-fact dependency PR. Transient registry or API errors stay advisory so a flaky network response does not block an unrelated release.
 
 - v0.14.5 (2026-05-30) — **Finished cleaning up the mislabeled byte-literal lint suppressions, with no API or behavior changes.** A follow-up to the byte-literal lint tightening. The remaining suppression comments that named the byte-literal check on values that are not byte sizes — JSON-RPC error codes, HTTP status codes, octet ranges, day-in-milliseconds constants — are removed, keeping their explanatory text and any correctly-named companion suppression. Every byte-literal suppression that remains is now on genuine 1024-scale byte arithmetic. Source-comment hygiene only. **Changed:** *Remaining mislabeled byte-literal suppressions removed* — The byte-literal lint was previously a check on any multiple-of-8 integer, so suppression comments naming it were scattered across non-byte values. The last of those (in a handful of files, in mixed comment formats) are now removed — their explanatory text is retained as plain comments, and any correctly-named companion suppression is kept. The only byte-literal suppressions that remain are on genuine 1024-scale byte arithmetic. No change to any exported API, error code, wire format, or runtime behavior.

package/README.md

@@ -61,7 +61,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 ### Data layer
 
 - **SQLite with sealed-by-default columns** — `b.db`, migrations, seeders, atomic-file writes
-- **Chainable query builder** — atomic `.increment(col, delta)`, closure-form `.whereGroup` / top-level `.orWhere` OR composition, `.search(fields, term)` LIKE-OR with safe `%`/`_` ESCAPE handling, `.paginate(opts)` returning `{ items, total, page, totalPages }`
+- **Chainable query builder** — atomic `.increment(col, delta)`, closure-form `.whereGroup` / top-level `.orWhere` OR composition, `.search(fields, term)` LIKE-OR with safe `%`/`_` ESCAPE handling, `.paginate(opts)` returning `{ items, total, page, totalPages }`; a column-membership gate (`db.init({ columnGate })`, default reject) fails a query closed when it names a column the table never declared, and `whereRaw` refuses an embedded string literal so values bind through placeholders
 - **Mongo-style document-store facade** — `b.db.collection(name, opts?)` with `$set` / `$inc` / `$unset` / `$eq` / `$ne` / `$gt` / `$gte` / `$lt` / `$lte` / `$in` / `$like`; schemaless-document opts via `overflow: "<col>"` (folds unknown fields into a JSON-text column; rewrites `WHERE` on virtual fields to `JSON_EXTRACT`), `jsonColumns: [...]` (auto-stringify on write + parse via `b.safeJson` on read), `sealedFields: { email: "emailHash" }` (co-locates a `b.cryptoField` sealed-column / derived-hash declaration so plaintext lookups auto-rewrite to hash-column lookups)
 - **DB lifecycle** — in-memory encrypted snapshot via `b.db.snapshot()`; standalone encrypted-DB-file lifecycle (`b.db.fileLifecycle({ dataDir, vault })` — decrypt-to-tmpfs, periodic re-encrypt flush, graceful shutdown — same envelope as `b.db`, no schema/audit-chain coupling); `db.init` opt-outs `frameworkTables: false` / `auditSigning: false` and path overrides `encryptedDbPath` / `encryptedDbName` / `dbKeyPath`
 - **External RDBMS** — bring-your-own Postgres / MySQL with pool tuning + role-aware connect + read-replica routing (`b.externalDb`); declarative role-narrowed views and Postgres row-level-security migrations (`b.db.declareView`, `b.db.declareRowPolicy`)
@@ -98,7 +98,8 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **At-rest envelope** — envelope-versioned PQC (ML-KEM-1024 + P-384 hybrid, XChaCha20-Poly1305, SHAKE256); vault sealing (`b.crypto`, `b.vault`)
 - **Power-on self-test** — `b.crypto.selfTest()` runs FIPS 140-3-style integrity checks: NIST FIPS 202 known-answer tests (SHA3-256/512, SHAKE256), AEAD round-trip + tamper-detect, and ML-KEM-1024 / ML-DSA-87 / SLH-DSA-SHAKE-256f pairwise-consistency + negative tests; fails closed (throws) on any mismatch
 - **Field-level + crypto-shred** — `b.cryptoField.eraseRow`; per-column data residency tagging + per-row keys (`K_row = HKDF(K_table, rowId)`) so erasing the per-row key makes WAL / replica residuals undecryptable (`b.cryptoField.declareColumnResidency`, `b.cryptoField.declarePerRowKey`)
-- **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`)
+- **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`). The database encryption key is sealed the same way — bound to its purpose, data directory, and key path — so a relocated key file fails to unseal; an older unbound key upgrades itself on first load
+- **Keyed lookup hashes** — sealed-column equality-lookup hashes default to salted SHA3-512 and can opt into a keyed `hmac-shake256` MAC off a per-deployment key (`cryptoField.registerTable({ derivedHashMode })`, `b.vault.getDerivedHashMacKey`), making the lookup hash unforgeable and un-correlatable across deployments
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
 - **X-Wing hybrid KEM** — `b.crypto.xwing` (draft-connolly-cfrg-xwing-kem, experimental): ML-KEM-768 + X25519 bound by SHA3-256, secure if either component holds — the conservative key-encapsulation shape for migrating off classical ECDH. `keygen` / `encapsulate` / `decapsulate` with a 1216-byte public key, 1120-byte ciphertext, and 32-byte shared secret

package/lib/a2a-tasks.js

@@ -62,17 +62,17 @@ var A2aTasksError = defineClass("A2aTasksError", { alwaysPermanent: true });
 var JSONRPC_VERSION = "2.0";
 
 // JSON-RPC 2.0 fixed error codes — A2A inherits these.
-var JSONRPC_PARSE_ERROR      = -32700;                                                             // allow:raw-time-literal — not seconds
-var JSONRPC_INVALID_REQUEST  = -32600;                                                             // allow:raw-time-literal — not seconds
-var JSONRPC_METHOD_NOT_FOUND = -32601;                                                             // allow:raw-time-literal — not seconds
-var JSONRPC_INVALID_PARAMS   = -32602;                                                             // allow:raw-time-literal — not seconds
-var JSONRPC_INTERNAL_ERROR   = -32603;                                                             // allow:raw-time-literal — not seconds
+var JSONRPC_PARSE_ERROR      = -32700;                                                             // allow:raw-time-literal — JSON-RPC error code -32700; coincidental multiple-of-60, not a time value, C.TIME N/A
+var JSONRPC_INVALID_REQUEST  = -32600;
+var JSONRPC_METHOD_NOT_FOUND = -32601;
+var JSONRPC_INVALID_PARAMS   = -32602;
+var JSONRPC_INTERNAL_ERROR   = -32603;
 
 // A2A-specific error codes per the spec's task-error vocabulary.
 // A2A_TASK_NOT_FOUND (-32002) + A2A_TASK_NOT_CANCELABLE (-32003) are
 // raised by operator handlers — they're reserved here for documentation
 // purposes only.
-var A2A_SCOPE_DENIED         = -32001;                                                             // allow:raw-time-literal — not seconds
+var A2A_SCOPE_DENIED         = -32001;
 
 var ALLOWED_METHODS = Object.freeze(["tasks/send", "tasks/get", "tasks/cancel"]);
 

package/lib/agent-event-bus.js

@@ -136,7 +136,7 @@ function _registerTopic(topics, name, topicOpts, auditImpl) {
     throw new AgentEventBusError("agent-event-bus/bad-schema",
       "registerTopic: schema required (flat key→type map)");
   }
-  // BUG-12 — `kind` is now captured on register so listTopics's kind
+  // `kind` is now captured on register so listTopics's kind
   // filter actually matches. Prior shape never set entry.kind, so the
   // filter at args.kind was dead. Default value derives from the
   // dotted topic name's first segment ("mail.scan.x" → "mail"), giving
@@ -164,7 +164,7 @@ function _registerTopic(topics, name, topicOpts, auditImpl) {
   });
 }
 
-// SUBSTRATE-22 — operators reloading a module (test runners between
+// Operators reloading a module (test runners between
 // runs, hot-reload tools, multi-tenant onboarding flows that
 // register-deregister topics) need a clean unregister path; without
 // it the second register throws topic-duplicate and the operator is
@@ -183,7 +183,7 @@ function _unregisterTopic(topics, name, auditImpl) {
 function _listTopics(topics, args, permissions) {
   // Permission gate: list-topics requires no special scope by default;
   // operator can wrap with their own permissions instance for stricter.
-  // BUG-12 — kind filter now matches because register captures kind.
+  // Kind filter now matches because register captures kind.
   var out = [];
   topics.forEach(function (entry) {
     if (args.kind && entry.kind !== args.kind) return;
@@ -229,7 +229,7 @@ async function _publish(topics, pubsub, name, payload, pOpts, permissions, audit
   }
   // Schema validation.
   guardEventBusPayload.validate(payload, entry.schema);
-  // SUBSTRATE-6 — when a topic is tenant-scoped, require the publisher
+  // When a topic is tenant-scoped, require the publisher
   // to declare a tenantId BEFORE the event reaches the durable bus
   // backend. Prior shape allowed `wrapped._tenantId: null` to land on
   // the bus, and the receive-side drop only fired AFTER persistence —

package/lib/agent-idempotency.js

@@ -158,7 +158,7 @@ function create(opts) {
   return {
     get:        function (method, actorId, key)                       { return _get(store, method, actorId, key, auditImpl, ttlMs, maxResultBytes); },
     put:        function (method, actorId, key, result, putOpts)      { return _put(store, method, actorId, key, result, putOpts || {}, ttlMs, maxResultBytes, fingerprintArgs, auditImpl); },
-    // SUBSTRATE-4 — putIfAbsent gates concurrent retries at the cache
+    // putIfAbsent gates concurrent retries at the cache
     // boundary so only one consumer runs the handler. Operator wraps:
     //   var claim = await idem.putIfAbsent(method, actor, key, args);
     //   if (claim.alreadyClaimed) return claim.result; // another retry won
@@ -173,7 +173,7 @@ function create(opts) {
   };
 }
 
-// SUBSTRATE-4 — atomic claim/check/run pattern. Returns one of:
+// Atomic claim/check/run pattern. Returns one of:
 //   { alreadyClaimed: false, fingerprint }          — caller runs the handler
 //   { alreadyClaimed: true,  pending: true }        — another in-flight claim holds the slot
 //   { alreadyClaimed: true,  result: <cached> }     — prior handler completed; cached result
@@ -299,7 +299,7 @@ async function _get(store, method, actorId, key, auditImpl, ttlMs, maxResultByte
     throw new AgentIdempotencyError("agent-idempotency/corrupt-result",
       "get: cached result failed to parse — " + (e && e.message ? e.message : String(e)));
   }
-  // SUBSTRATE-12 — atomic replayCount increment. The prior shape
+  // Atomic replayCount increment. The prior shape
   // (read row → mutate → put row) raced two concurrent retries: each
   // saw replayCount=N, both wrote replayCount=N+1, so the counter
   // missed bumps and the put-with-fresh-result race-clobbered prior
@@ -439,7 +439,7 @@ function _fingerprintArgs(args) {
   // unique fingerprint and defeat the args-mismatch defense. Strip
   // _traceContext (varies per-hop, doesn't change result).
   //
-  // SUBSTRATE-11 — DO NOT strip _postureChain. The prior shape ignored
+  // DO NOT strip _postureChain. The prior shape ignored
   // _postureChain.postureSet, so a request made under
   // postureSet:["hipaa","pci-dss"] cached the same result that a
   // downgrade attempt under postureSet:["pci-dss"] would replay
@@ -493,7 +493,7 @@ function _inMemoryBackend(maxEntries) {
       map.set(_k(method, actorId, hash), row);
       return Promise.resolve();
     },
-    // SUBSTRATE-4 — atomic insert. Map.set is synchronous so the
+    // Atomic insert. Map.set is synchronous so the
     // get+set pair below is naturally race-free within the in-memory
     // backend (V8 single-threaded). Returns true when inserted, false
     // when the row already exists.
@@ -503,7 +503,7 @@ function _inMemoryBackend(maxEntries) {
       map.set(k, row);
       return Promise.resolve(true);
     },
-    // SUBSTRATE-12 — atomic replayCount increment. Operators wiring
+    // Atomic replayCount increment. Operators wiring
     // a SQL backend implement this with `UPDATE ... SET
     // replay_count = replay_count + 1 WHERE keyHash = $1 RETURNING *`
     // — read-modify-write race-free. In-memory backend is naturally

package/lib/agent-orchestrator.js

@@ -119,7 +119,7 @@ function _unsealRegistryRow(row) {
 var DEFAULT_DRAIN_TIMEOUT_MS = C.TIME.minutes(2);
 var STREAM_ID_RAND_BYTES     = 8;                                                                     // stream-id random-suffix byte length, not a size cap
 var DEFAULT_PER_CONSUMER_STOP_MS = C.TIME.seconds(5);
-// SUBSTRATE-20 — FNV-1a offset basis salted with the first 32 bits of
+// FNV-1a offset basis salted with the first 32 bits of
 // SHA3-512(vault master). Attackers who don't have read access to the
 // vault keypair can't compute the salt, so they can't engineer
 // tenantIds that all map to one shard. Cached per-process; rotation
@@ -183,7 +183,7 @@ function create(opts) {
     // operator-supplied metadata (kind / tenantId / posture / ...);
     // every consuming process holds its own runtime map of name → agent.
     liveAgents:  new Map(),
-    // SUBSTRATE-8 — drain quiesce wiring. Operator passes
+    // Drain quiesce wiring. Operator passes
     // { outbox, sagaInFlightCount, pubsubFlush } via create() so the
     // drain phase can quiesce real in-flight work, not just stop
     // consumers. Optional — operators with no outbox / saga / pubsub
@@ -192,7 +192,7 @@ function create(opts) {
     sagaInFlightCount: typeof opts.sagaInFlightCount === "function" ? opts.sagaInFlightCount : null,
     pubsubFlush:      typeof opts.pubsubFlush === "function" ? opts.pubsubFlush : null,
     perConsumerStopMs: typeof opts.perConsumerStopMs === "number" ? opts.perConsumerStopMs : DEFAULT_PER_CONSUMER_STOP_MS,
-    // SUBSTRATE-9 — onTransition handler invalidates election cache
+    // onTransition handler invalidates election cache
     // on lease-lost / acquired / released. Operator opts out via
     // { cacheElections: false } to always re-query b.cluster.
     cacheElections:   opts.cacheElections !== false,
@@ -205,7 +205,7 @@ function create(opts) {
     });
   }
 
-  // SUBSTRATE-9 — subscribe to cluster lease transitions so cached
+  // Subscribe to cluster lease transitions so cached
   // election state can't go stale after a partition. b.cluster
   // .onTransition fires for every lease-acquired / lease-lost / lease-
   // released event; we invalidate the affected resource's cached
@@ -254,7 +254,7 @@ function create(opts) {
  * @status    stable
  * @related   b.agent.orchestrator.create
  *
- * SUBSTRATE-3 — attach an in-process live agent reference to a row
+ * Attach an in-process live agent reference to a row
  * that already exists in the persistent registry backend. The
  * canonical boot-phase contract: the *first* process to start a new
  * agent calls `register()` (writes the backend row + holds the live
@@ -499,7 +499,7 @@ function _spawnSingleConsumer(ctx, agent, queue, topic, maxConcurrency) {
  *   // → integer in [0, 8)
  */
 function _saltedFnvBasis() {
-  // SUBSTRATE-20 — salt FNV-1a offset basis with the vault master so
+  // Salt FNV-1a offset basis with the vault master so
   // an attacker can't engineer tenantIds that all hash to one shard.
   // Vault-less path (single-process tests / dev) falls back to the
   // standard FNV offset basis; production deployments with vault
@@ -561,7 +561,7 @@ async function _elect(ctx, args) {
     });
     return elec;
   }
-  // SUBSTRATE-9 — cluster mode: ALWAYS query truth from b.cluster.
+  // Cluster mode: ALWAYS query truth from b.cluster.
   // The onTransition handler installed in create() invalidates the
   // cache on every lease event, so a cache hit here is safe (it
   // means no lease event has fired since the last query). But the
@@ -600,10 +600,10 @@ async function _drain(ctx, args) {
   var drained = 0;
   var startedAt = Date.now();
   var perConsumerMs = ctx.perConsumerStopMs;
-  // SUBSTRATE-8 — drain phases:
+  // Drain phases:
   //   1. set ctx.draining so streams emit drain-markers + new task
   //      dispatches refuse (consumers re-check on every envelope).
-  //   2. stop each consumer with BUG-6 per-consumer timeout race —
+  //   2. stop each consumer with a per-consumer timeout race —
   //      one hung consumer can't block the full drain budget.
   //   3. quiesce in-flight: poll outbox.pendingCount + sagaInFlightCount
   //      until 0 OR remaining-budget-ms elapses.

package/lib/agent-posture-chain.js

@@ -65,7 +65,7 @@ var AgentPostureChainError = defineClass("AgentPostureChainError", { alwaysPerma
 
 var BUILTIN_REGIMES = Object.freeze(["hipaa", "pci-dss", "gdpr", "soc2"]);
 
-// SUBSTRATE-10 — envelope MAC vocabulary. Cross-process envelope
+// Envelope MAC vocabulary. Cross-process envelope
 // integrity: an attacker with queue / event-bus write access who
 // strips postureSet to [] and re-sends a saga / sub-agent envelope
 // can bypass the downgrade refusal in _validate (which only checks
@@ -73,7 +73,7 @@ var BUILTIN_REGIMES = Object.freeze(["hipaa", "pci-dss", "gdpr", "soc2"]);
 // envelope bytes, computed at appendHop and verified at validate.
 var ENVELOPE_MAC_LABEL = "blamejs.agent.postureChain/v1";
 var ENVELOPE_MAC_KEY_BYTES = 32;                                                                        // HMAC-SHA3-512 keyed bytes
-// SUBSTRATE-21 — hop count cap defends infinite recursion across
+// Hop count cap defends infinite recursion across
 // agent delegation. 16 is the spec default; operators can lower via
 // opts.maxHopCount but never raise (audit fan-out without a cap is a
 // DoS class).
@@ -111,7 +111,7 @@ function _resolveMacKey() {
 
 function _envelopeMacBytes(envelope) {
   // Sign every field that downstream consumers verify off the wire,
-  // except the `_mac` field itself. SUBSTRATE-21 — also includes
+  // except the `_mac` field itself. Also includes
   // hopCount + chainTrail so a hostile rewriter can't roll back the
   // trail to evade the cap.
   var payload = {
@@ -163,8 +163,8 @@ function create(opts) {
                     opts.maxHopCount <= DEFAULT_MAX_HOP_COUNT
                       ? Math.floor(opts.maxHopCount)
                       : DEFAULT_MAX_HOP_COUNT;
-  // SUBSTRATE-10 escape hatch — only operator-confirmed single-process
-  // unit tests should opt out of envelope MAC. Production / multi-
+  // Escape hatch — only single-process unit tests should opt out of
+  // envelope MAC. Production / multi-
   // process / queue-spanning deployments leave the default on; the
   // gate audit-emits when bypassed so the posture is visible.
   var requireMac = opts.requireMac !== false;
@@ -257,7 +257,7 @@ function _appendHop(ctx, envelope, hopName) {
       "appendHop: hopName must be a non-empty string");
   }
   var trail = Array.isArray(envelope.chainTrail) ? envelope.chainTrail.slice() : [];
-  // SUBSTRATE-21 — cap enforced BEFORE the push so the hop-cap throw
+  // Cap enforced BEFORE the push so the hop-cap throw
   // fires consistently regardless of whether the operator inspects
   // trail.length first. Cap is a hard refusal (no truncation) because
   // a silently-dropped hop loses audit provenance for the call.
@@ -279,8 +279,8 @@ function _appendHop(ctx, envelope, hopName) {
     hopCount:   trail.length,
   });
   guardPostureChain.validate(newEnvelope);
-  // SUBSTRATE-10 — sign at every hop. Verify-side enforces requireMac.
-  // ctx.requireMac=false (operator-confirmed test escape hatch) skips
+  // Sign at every hop. Verify-side enforces requireMac.
+  // ctx.requireMac=false (test escape hatch) skips
   // the sign so a vault-less test path still works.
   if (ctx.requireMac) {
     try {
@@ -301,7 +301,7 @@ function _appendHop(ctx, envelope, hopName) {
 
 function _validate(ctx, envelope, agentPostureSet) {
   guardPostureChain.validate(envelope);
-  // SUBSTRATE-10 — MAC verification BEFORE any field-based decision so
+  // MAC verification BEFORE any field-based decision so
   // the wire-rewrite attack (postureSet:[] downgrade with valid SHAPE
   // but no integrity binding) is refused. ctx.requireMac=false skips
   // verification and emits an audit so the bypass is visible.
@@ -326,7 +326,7 @@ function _validate(ctx, envelope, agentPostureSet) {
       chainTrail: envelope.chainTrail,
     });
   }
-  // SUBSTRATE-21 — hop cap also enforced at validate-time. A hostile
+  // Hop cap also enforced at validate-time. A hostile
   // envelope might arrive with hopCount > cap if a prior hop's
   // requireMac was off; refuse here regardless.
   if (Array.isArray(envelope.chainTrail) && envelope.chainTrail.length > ctx.maxHopCount) {

package/lib/agent-saga.js

@@ -58,8 +58,7 @@
  *
  *   ## No saga-level retry
  *
- *   Per the substrate playbook decision (operator-confirmed
- *   2026-05-14): saga's value-add is compensation, not retry. If a
+ *   Saga's value-add is compensation, not retry. If a
  *   step needs retry-with-backoff, the operator wraps `step.run`
  *   with `b.retry` inside the step body. With v0.9.22 idempotency
  *   available, internal retry inside step.run is side-effect-safe.
@@ -109,7 +108,7 @@ var SAGA_ID_RAND_BYTES = 8;
 function create(config) {
   guardSagaConfig.validate(config);
   var auditImpl = config.audit || audit();
-  // SUBSTRATE-7 — operator wires a stateStore for crash-safe resume.
+  // Operator wires a stateStore for crash-safe resume.
   // Interface: { saveStep, loadResumePoint, markCompleted, markFailed }.
   // saveStep({sagaId, stepIndex, stepName, state, status}) commits
   // after each step.run; loadResumePoint(sagaId) returns the resume
@@ -189,7 +188,7 @@ async function _runFrom(config, auditImpl, stateStore, ctx, state, opts, sagaId,
       });
       await step.run(ctx, state);
       completedSteps.push({ step: step, index: i });
-      // SUBSTRATE-7 — checkpoint after the step.run returns. saveStep
+      // Checkpoint after the step.run returns. saveStep
       // commits the post-step state so a crash before the NEXT step
       // resumes from i+1. The audit chain records the checkpoint
       // independently of the operator's stateStore — operator can
@@ -232,7 +231,7 @@ async function _runFrom(config, auditImpl, stateStore, ctx, state, opts, sagaId,
         message: (stepErr && stepErr.message) || String(stepErr),
       });
       var compensationError = null;
-      // BUG-5 — capture the compensation step that ACTUALLY failed,
+      // Capture the compensation step that ACTUALLY failed,
       // not "completedSteps[completedSteps.length-1].name" which
       // names the last-COMPLETED step regardless of which compensation
       // threw. CWE-209-adjacent (information disclosure via wrong
@@ -278,7 +277,7 @@ async function _runFrom(config, auditImpl, stateStore, ctx, state, opts, sagaId,
           });
         } catch (_e) { /* drop-silent — audit already records */ }
       }
-      // SUBSTRATE-15 — attach cause:stepErr so the original step
+      // Attach cause:stepErr so the original step
       // error stack survives. ES2022 Error.cause is the standard
       // mechanism; the framework's defineClass-built AgentSagaError
       // accepts cause via the third arg.
@@ -290,7 +289,7 @@ async function _runFrom(config, auditImpl, stateStore, ctx, state, opts, sagaId,
                      ((compensationError.message) || String(compensationError));
       }
       var sagaErr = new AgentSagaError("agent-saga/failed", detailMsg);
-      // SUBSTRATE-15 — ES2022 Error.cause attaches the originating
+      // ES2022 Error.cause attaches the originating
       // stepErr so operator stack-trace tooling can walk the chain.
       // defineClass({alwaysPermanent:true}) doesn't accept cause in
       // its constructor signature; the property assignment after

package/lib/agent-snapshot.js

@@ -60,7 +60,7 @@ var vault                 = lazyRequire(function () { return require("./vault");
 
 var AgentSnapshotError = defineClass("AgentSnapshotError", { alwaysPermanent: true });
 
-// SUBSTRATE-2 — sealed envelopes start with this prefix on disk; the
+// Sealed envelopes start with this prefix on disk; the
 // loader sniffs it and routes through unseal before guardSnapshotEnvelope
 // validation. Compatible with operator backends that store the value
 // as a string (JSON DBs, k/v stores) or wrap it in `{ value: "..." }`.
@@ -113,19 +113,19 @@ function create(opts) {
   var snapshotIntervalMs = typeof policy.snapshotIntervalMs === "number" ? policy.snapshotIntervalMs : DEFAULT_SNAPSHOT_INTERVAL_MS;
   var maxSnapshotBytes   = typeof policy.maxSnapshotBytes === "number" ? policy.maxSnapshotBytes : DEFAULT_MAX_SNAPSHOT_BYTES;
   var auditImpl = opts.audit || audit();
-  // SUBSTRATE-1 — operator may inject `signer` (interface
+  // Operator may inject `signer` (interface
   // `{ sign(bytes) → Buffer, verify(bytes, sig, pubKey?) → boolean }`)
   // for testing / alternate key custody. Default = b.auditSign when
   // initialized at boot; refuses persist() with a clear error if
   // neither is wired so secure-by-default holds.
   var signer = opts.signer || null;
-  // SUBSTRATE-2 — operator may inject `sealer` (interface
+  // Operator may inject `sealer` (interface
   // `{ seal(plaintext, aadParts) → string, unseal(value, aadParts) → string }`)
   // for alternate KMS integration. Default = b.vault.aad. Refused if
   // neither is wired AND opts.allowPlaintext is not explicitly true
   // (operator-justified dev / single-tenant deployments only).
   var sealer = opts.sealer || null;
-  // SUBSTRATE-18 — operator-supplied restoreHandlers walk the
+  // Operator-supplied restoreHandlers walk the
   // snapshot inFlight + idempotencyCache + orchestratorState segments
   // and hydrate the corresponding consumer module. Map shape:
   //   { streams, sagas, outboxJobs, busSubscribers, pendingDeliveries,
@@ -300,7 +300,7 @@ async function _takeSnapshot(ctx, snapshotOpts) {
 
 async function _persist(ctx, snap) {
   guardSnapshotEnvelope.validate(snap);
-  // SUBSTRATE-1 — sign first so a backend that mutates on put() (very
+  // Sign first so a backend that mutates on put() (very
   // common for k/v stores adding metadata) doesn't poison the signed
   // bytes downstream readers verify.
   var signer = _resolveSigner(ctx);
@@ -314,7 +314,7 @@ async function _persist(ctx, snap) {
   // pubkey at verify time).
   snap.sigPubKey = (typeof signer.getPublicKey === "function" && signer.getPublicKey()) || null;
 
-  // SUBSTRATE-2 — seal the entire envelope under AAD that pins
+  // Seal the entire envelope under AAD that pins
   // snapshotId + schemaVersion + tenantId. AAD mismatch on unseal (a
   // copy-paste attack from one snapshotId's row into another) fails
   // the Poly1305 tag check; tampered bytes also fail. The sealed
@@ -405,7 +405,7 @@ async function _unwrapAndVerify(ctx, raw, expectedId) {
     throw new AgentSnapshotError("agent-snapshot/snapshot-id-mismatch",
       "load: wrapper snapshotId='" + expectedId + "' does not match envelope='" + snap.snapshotId + "'");
   }
-  // SUBSTRATE-1 — verify the signature before returning the envelope
+  // Verify the signature before returning the envelope
   // to the caller. Restore-side trust derives from this gate. The
   // allowPlaintext escape hatch (operator-acknowledged dev mode)
   // also waives signature verification because there's no key custody
@@ -496,7 +496,7 @@ async function _restore(ctx, snap, restoreOpts) {
       affectedStreams:       (snap.inFlight && snap.inFlight.streams || []).length,
     });
   }
-  // SUBSTRATE-18 — invoke operator-supplied restoreHandlers across
+  // Invoke operator-supplied restoreHandlers across
   // every segment the snapshot envelope carries. Handlers are
   // declared at create() time; the snapshot primitive owns ordering
   // (orchestratorState first so live agents register before consumers

package/lib/agent-stream.js

@@ -138,7 +138,7 @@ function _makeIterator(ctx) {
   var done       = false;
   var closed     = false;
   var drained    = false;
-  // SUBSTRATE-14 — track the cursor of the LAST row actually yielded
+  // Track the cursor of the LAST row actually yielded
   // to the consumer. The prior shape called cursor.lastSeenCursor()
   // at drain-marker emit, which returned the position of the last
   // FETCHED batch — clients resuming from that cursor SKIPPED every
@@ -167,7 +167,7 @@ function _makeIterator(ctx) {
       try {
         if (buffer.length > 0) {
           var row = buffer.shift();
-          // SUBSTRATE-14 — record the cursor for this yielded row so a
+          // Record the cursor for this yielded row so a
           // drain that fires BETWEEN buffered yields emits a marker
           // whose lastSeenCursor matches what the client actually
           // received. The cursor extraction shape mirrors the
@@ -248,7 +248,7 @@ function _safeAudit(auditImpl, action, actor, metadata) {
   agentAudit.safeAudit(auditImpl, action, actor, metadata);
 }
 
-// SUBSTRATE-14 — resolve the resume cursor for a row about to be
+// Resolve the resume cursor for a row about to be
 // yielded. Operators may attach the cursor per-row (`row._cursor` /
 // `row.cursor`) OR rely on the cursor's own per-row tracker
 // (`cursor.cursorForRow(row)`) — both shapes supported.

package/lib/agent-tenant.js

@@ -222,7 +222,7 @@ async function _unregister(ctx, tenantId, args) {
   }
   // Archive default — retain the key + metadata for retention-mandated
   // restoration. Operator's compliance regime drives archivePolicy.
-  // SUBSTRATE-19 — persist as a `status: "archived"` row in the same
+  // Persist as a `status: "archived"` row in the same
   // backend rather than only the process-local Map. GDPR Art. 17 +
   // HIPAA §164.530(j) require the archived state to survive process
   // restart (auditor pulls a deleted tenant's archival record years
@@ -373,7 +373,7 @@ function _check(ctx, actor, agentTenantId) {
 
 // ---- Per-tenant derived key -----------------------------------------------
 //
-// SUBSTRATE-5 — `namespaceHash(label, tenantId)` is a PUBLIC function
+// `namespaceHash(label, tenantId)` is a PUBLIC function
 // over PUBLIC inputs; an attacker who learns `tenantId` (an account id
 // surfaced in URLs / API responses) reconstructs every per-tenant key
 // without any secret material. The defense the docstring promises —
@@ -555,7 +555,7 @@ var TENANT_FIELD_PREFIX = "tnt-v1:";
 function _tenantFieldKey(tenantId, table) {
   // 32-byte symmetric key for XChaCha20-Poly1305. _deriveTenantKeyBytes
   // returns the raw key bound to the vault master + tenantId + purpose
-  // — see SUBSTRATE-5 commentary above _derivedKey for the threat
+  // — see the commentary above _derivedKey for the threat
   // model that drove this away from public-input-only derivation.
   return _deriveTenantKeyBytes(tenantId, "cryptoField:" + table);
 }
@@ -646,7 +646,7 @@ function _unsealRowForTenant(ctx, tenantId, table, row) {
     if (out[f] !== undefined && out[f] !== null) {
       try { out[f] = _unsealField(tenantId, table, f, out[f]); }
       catch (e) {
-        // BUG-4 — null-on-decrypt-failure was silent; the docstring
+        // Null-on-decrypt-failure was silent; the docstring
         // promised "audit chain surfaces the failure" but no emit ever
         // ran. Cross-tenant ciphertext replay / tampered row / wrong-
         // prefix all hit this path; operator audit pipelines need the

package/lib/agent-trace.js

@@ -70,7 +70,7 @@ var audit              = lazyRequire(function () { return require("./audit"); })
 
 var AgentTraceError = defineClass("AgentTraceError", { alwaysPermanent: true });
 
-// SUBSTRATE-24 — once-per-process audit emit on the first tracer
+// Once-per-process audit emit on the first tracer
 // failure each install fires. Operators get the signal even when
 // individual span calls are best-effort suppressed.
 var _failureAuditEmittedFor = Object.create(null);
@@ -122,7 +122,7 @@ function create(opts) {
     injectIntoEnvelope:  function (envelope, span)          { return _injectIntoEnvelope(opts.tracing, envelope, span); },
     extractFromEnvelope: function (envelope)                { return _extractFromEnvelope(envelope); },
     recordResult:        function (span, result, error)     { return _recordResult(span, result, error, auditImpl); },
-    // SUBSTRATE-17 — `shouldSample` now takes a traceId so the same
+    // `shouldSample` now takes a traceId so the same
     // trace gets the same decision across hops. Operator-supplied
     // traceId comes from the W3C `traceparent` header at request-
     // entry; absent that, falls back to Math.random (start of trace).
@@ -150,7 +150,7 @@ function _startSpan(tracing, name, sopts, auditImpl) {
       return tracing.startSpan(name, sopts);
     }
   } catch (e) {
-    // SUBSTRATE-24 — tracer failures should not crash the agent's
+    // Tracer failures should not crash the agent's
     // method call; surface the first failure to the audit chain
     // (rate-limited) so operators get the signal.
     _emitFirstFailureAudit(auditImpl, "startSpan", e && e.message);
@@ -206,7 +206,7 @@ function _extractFromEnvelope(envelope) {
 
 function _recordResult(span, result, error, auditImpl) {
   if (!span || typeof span !== "object") return;
-  // SUBSTRATE-24 — surface first occurrence of each span-op failure
+  // Surface first occurrence of each span-op failure
   // via audit so the operator gets the signal. Subsequent failures
   // stay silent (best-effort) per the operational spec.
   if (error) {
@@ -228,7 +228,7 @@ function _recordResult(span, result, error, auditImpl) {
   }
 }
 
-// SUBSTRATE-17 — deterministic sampling per W3C Trace Context §3.2.3.1.
+// Deterministic sampling per W3C Trace Context §3.2.3.1.
 // `Math.random` makes child-vs-parent sampling decisions non-coherent:
 // a parent span sampled OUT can still have child spans sampled IN,
 // producing orphaned spans operators can't correlate. Hashing the

package/lib/ai-disclosure.js

@@ -133,7 +133,7 @@ function chatbot(session, opts) {
   var text = typeof opts.text === "string" && opts.text.length > 0
     ? opts.text
     : DEFAULT_CHATBOT_TEXT;
-  // Codex P1A on v0.12.12 PR #163 — "on-request" placement gates on
+  // "on-request" placement gates on
   // the operator's explicit `opts.requested: true` signal. Without
   // it, "on-request" collapsed into "always" semantics and emitted
   // every call. The operator wires this from an explicit user
@@ -155,7 +155,7 @@ function chatbot(session, opts) {
     regulation:     "Regulation (EU) 2024/1689",
   };
   if (shouldEmit) {
-    // Codex P1B on v0.12.12 PR #163 — mark the session so subsequent
+    // Mark the session so subsequent
     // calls with the same session under "first-message" placement
     // see `aiDisclosureEmitted: true` and return shouldEmit=false.
     // Without this mutation operators had to remember to flip the
@@ -385,7 +385,7 @@ function applyAll(scenario) {
       "applyAll: scenario.kinds must be a non-empty array of " +
       "\"chatbot\" / \"deepfake\" / \"emotion\"");
   }
-  // Codex P1 on v0.12.25 PR #176 — validate every kind +
+  // Validate every kind +
   // per-kind required field UP FRONT, before any emission.
   // Previously a later-kind failure (e.g. deepfake missing
   // contentType, unknown trailing kind) ran AFTER earlier kinds

package/lib/ai-input.js

@@ -26,7 +26,7 @@ var audit = require("./audit");
 var { AiInputError } = require("./framework-error");
 
 var SAMPLE_TRUNC = 80;                                                                       // sample truncation length, not bytes
-var CONFIDENCE_BASE = 60;                                                                    // allow:raw-time-literal — not seconds
+var CONFIDENCE_BASE = 60;                                                                    // allow:raw-time-literal — confidence-score base 60; coincidental multiple-of-60, not a duration, C.TIME N/A
 
 var PATTERNS = [
   { id: "ignore-prior-instructions", severity: 3, re:

package/lib/app.js

@@ -113,7 +113,7 @@ function _resolveMiddlewareOpt(value, allowDefault, name) {
   if (value === false) {
     // Operator explicitly disabled this middleware. When it's one of the
     // security-on-by-default layers (allowDefault), leave an audit trace
-    // so the weakened posture is visible — Core Rule §3 security defaults
+    // so the weakened posture is visible — security defaults
     // shouldn't be silently opt-out-able. Drop-silent observability sink.
     if (allowDefault && name) {
       try {
@@ -227,7 +227,7 @@ async function createApp(opts) {
   var rateLimitOpts = _resolveMiddlewareOpt(mwConfig.rateLimit, false, "rateLimit");
   if (rateLimitOpts) router.use(middleware.rateLimit(rateLimitOpts));
 
-  // Security middleware wired ON by default (Core Rule §3). Each reads its
+  // Security middleware wired ON by default. Each reads its
   // config from opts.middleware.<name>: pass `false` to opt out (audited
   // via _resolveMiddlewareOpt), or an object to customize — operator cookie
   // / field names flow straight through, nothing static is baked in.