@blamejs/core 0.14.6 → 0.14.8

package/lib/external-db.js

@@ -57,7 +57,7 @@ function _emitMetric(name, value, labels) {
   catch (_e) { /* hot-path observability sink — drop silent by design */ }
 }
 
-// Statement-class classifier for auth-failure forensics (D-M2). Inspects
+// Statement-class classifier for auth-failure forensics. Inspects
 // the leading keyword only so an attacker-controlled trailing fragment
 // can't smuggle a false classification. Skips leading whitespace plus
 // SQL line / block comments before reading the keyword.
@@ -83,8 +83,49 @@ function _classifyStatement(sql) {
   return _STATEMENT_CLASS_MAP[m[1].toUpperCase()] || "OTHER";
 }
 
+// Best-effort target-relation extractor for auth-failure forensics: the
+// table the denied role attempted to touch, so the audit row records
+// the OBJECT (SOC2 CC7.2 / NIST SP 800-53 AU-3 "what was accessed"),
+// not just the statement class. Defensive reader — returns null on
+// anything unparseable and NEVER throws: it runs in the live failure
+// path and must not mask the real 28000 / 42501 error. The extracted
+// identifier is captured into audit METADATA (a JSON string, never
+// re-executed as SQL), so the only sink risk is log-injection: any
+// segment carrying a control / NUL character is refused. Spaces and
+// ordinary punctuation inside a quoted identifier are kept so a
+// legitimately-quoted relation name still surfaces in the audit row.
+var _RELATION_RE = /\b(?:FROM|INTO|UPDATE|JOIN|TABLE|COPY)\s+((?:"[^"]+"|`[^`]+`|[A-Za-z_][\w$]*)(?:\.(?:"[^"]+"|`[^`]+`|[A-Za-z_][\w$]*))?)/ig;
+function _hasControlChar(s) {
+  for (var i = 0; i < s.length; i += 1) {
+    var c = s.charCodeAt(i);
+    if (c < 0x20 || c === 0x7f) return true;
+  }
+  return false;
+}
+function _extractTargetRelation(sql) {
+  if (typeof sql !== "string" || sql.length === 0) return null;
+  var clean = sql.replace(/--[^\n]*/g, " ").replace(/\/\*[\s\S]*?\*\//g, " ");
+  _RELATION_RE.lastIndex = 0;
+  var m = _RELATION_RE.exec(clean);
+  if (!m) return null;
+  var segs = m[1].split(".").map(function (s) { return s.replace(/^["`]|["`]$/g, ""); });
+  for (var i = 0; i < segs.length; i += 1) {
+    if (segs[i].length === 0 || _hasControlChar(segs[i])) return null;
+  }
+  return segs.join(".");
+}
+
+function _countTargetRelations(sql) {
+  if (typeof sql !== "string") return 0;
+  var clean = sql.replace(/--[^\n]*/g, " ").replace(/\/\*[\s\S]*?\*\//g, " ");
+  _RELATION_RE.lastIndex = 0;
+  var n = 0;
+  while (_RELATION_RE.exec(clean) !== null) n += 1;
+  return n;
+}
+
 // Postgres SQLSTATE classes that indicate authentication / authorization
-// failure at the DB level. SOC2 forensic gap (D-M2) — every match emits
+// failure at the DB level. SOC2 forensic gap — every match emits
 // db.auth.failed with the SQL identity attempted, the database, and
 // the statement class.
 var _AUTH_FAILURE_CODES = Object.freeze({
@@ -97,18 +138,24 @@ function _emitAuthFailureAudit(backend, role, sql, e) {
   if (!e || !e.code) return;
   var kind = _AUTH_FAILURE_CODES[e.code];
   if (!kind) return;
+  var attemptedTable = _extractTargetRelation(sql);
+  var relationCount  = _countTargetRelations(sql);
+  var resource = { kind: "db.backend", id: backend.name };
+  if (attemptedTable !== null) resource.attemptedTable = attemptedTable;
   audit().safeEmit({
     action:   "db.auth.failed",
     actor:    {},
-    resource: { kind: "db.backend", id: backend.name },
+    resource: resource,
     outcome:  "denied",
     reason:   kind,
     metadata: {
-      backend:        backend.name,
-      dialect:        backend.dialect,
-      sqlIdentity:    role || null,
-      sqlstate:       e.code,
-      statementClass: _classifyStatement(sql),
+      backend:               backend.name,
+      dialect:               backend.dialect,
+      sqlIdentity:           role || null,
+      sqlstate:              e.code,
+      statementClass:        _classifyStatement(sql),
+      attemptedTable:        attemptedTable,
+      attemptedRelationCount: relationCount,
     },
   });
   _emitMetric("db.auth.failed", 1, {
@@ -118,7 +165,7 @@ function _emitAuthFailureAudit(backend, role, sql, e) {
   });
 }
 
-// Slow-query bucket emitter (D-L7). Single-shot per query — highest
+// Slow-query bucket emitter. Single-shot per query — highest
 // matched bucket wins. Operators dashboard on the `bucket` label
 // rather than separate counters per threshold.
 var _SLOW_QUERY_BUCKETS = Object.freeze([
@@ -628,7 +675,7 @@ async function query(sql, params, opts) {
       _emitMetric("db.role.denied", 1,
         { backend: b.name, role: role || "(none)" });
     }
-    // D-M2 — DB-auth audit visibility. Every 28000 / 28P01 / 42501
+    // DB-auth audit visibility. Every 28000 / 28P01 / 42501
     // surfaces an auditable db.auth.failed row tagged with the SQL
     // identity and the statement class so SOC2 reviewers can
     // reconstruct the denial timeline.
@@ -693,13 +740,13 @@ async function transaction(fn, opts) {
   var prebuiltGucs = _buildSessionGucsStatements(opts.sessionGucs);
 
   var t0 = Date.now();
-  // D-H4 — per-statement timeout. SET LOCAL statement_timeout binds
-  // the query-cancel ceiling to this transaction; D-M7 wires
+  // Per-statement timeout. SET LOCAL statement_timeout binds
+  // the query-cancel ceiling to this transaction; this wires
   // idle_in_transaction_session_timeout from the same opt. Both
   // emit at SET LOCAL scope so the next pool checkout starts clean.
   var stmtTimeoutMs = opts.statementTimeoutMs;
   var idleTimeoutMs = opts.idleInTransactionTimeoutMs;
-  // D-M8 — deadlock-retry policy. 40P01 (deadlock_detected) and 40001
+  // Deadlock-retry policy. 40P01 (deadlock_detected) and 40001
   // (serialization_failure) are transient — retry with capped attempts
   // and a small jittered backoff. Operators tune retries via opts.deadlockRetries (default 3).
   // numeric-bounds doesn't have a non-negative-int helper; use a
@@ -756,7 +803,7 @@ async function transaction(fn, opts) {
             _emitMetric("externaldb.transaction.retry", 1,
               { backend: b.name, code: txErr.code, attempt: String(attempt) });
             var jitter = bCrypto.randomInt(0, 6);                                // 0-5ms jitter
-            await safeAsync.sleep(attempt * 5 + jitter);                           // allow:raw-time-literal — sub-second backoff
+            await safeAsync.sleep(attempt * 5 + jitter);
             continue;
           }
           var failureMs = Date.now() - t0;
@@ -771,7 +818,7 @@ async function transaction(fn, opts) {
             _emitMetric("db.role.denied", 1,
               { backend: b.name, role: role || "(none)" });
           }
-          // D-M2 — DB-auth audit visibility on transaction-shaped denials.
+          // DB-auth audit visibility on transaction-shaped denials.
           // Statement class always reads as "TX" since the failure
           // surface inside a transaction body could be any statement;
           // operators correlate via the transaction's audit row.
@@ -1017,7 +1064,7 @@ function _requireInit() {
 
 var REPLICA_UNHEALTHY_COOLDOWN_MS = C.TIME.seconds(30);
 
-// F-CBT-2 — replica residency-tag compatibility.
+// Replica residency-tag compatibility.
 //
 // A primary tagged "EU" replicating to a "US" replica is a GDPR
 // Article 46 cross-border transfer; without an explicit operator
@@ -1194,7 +1241,7 @@ async function _readQuery(sql, params, opts) {
       _emitMetric("db.role.denied", 1,
         { backend: b.name, role: role || "(none)" });
     }
-    // D-M2 — DB-auth audit visibility for read-replica denials too.
+    // DB-auth audit visibility for read-replica denials too.
     _emitAuthFailureAudit(b, role, sql, e);
     // Fallback to primary on a failed replica read when allowed.
     if (b.replicaFallbackToPrimary) {
@@ -1874,4 +1921,5 @@ module.exports = {
   migrate:        externalDbMigrate,
   Pool:           Pool,
   _resetForTest:  _resetForTest,
+  _extractTargetRelation: _extractTargetRelation,
 };

package/lib/framework-schema.js

@@ -648,8 +648,8 @@ function _breakGlassPoliciesDDL(dialect) {
 }
 
 // _blamejs_break_glass_grants — issued grants. One row per successful
-// step-up. Default maxRowsPerGrant=1 enforces row-by-row auth per the
-// operator-confirmed shape ("each row access = its own grant").
+// step-up. Default maxRowsPerGrant=1 enforces row-by-row auth
+// ("each row access = its own grant").
 function _breakGlassGrantsDDL(dialect) {
   var t = _types(dialect);
   var name = LOCAL_TO_EXTERNAL._blamejs_break_glass_grants;
@@ -766,7 +766,7 @@ async function ensureSchema(opts) {
     created.push(d.create.match(/CREATE TABLE IF NOT EXISTS\s+(\S+)/)[1]);
   }
 
-  // D-M11 — append-only WORM enforcement on audit_log / consent_log /
+  // Append-only WORM enforcement on audit_log / consent_log /
   // audit_checkpoints in cluster mode. Local-SQLite path already
   // installs CREATE TRIGGER IF NOT EXISTS via lib/db.js's
   // _installAppendOnlyTriggers; Postgres needs equivalent rules
@@ -779,7 +779,7 @@ async function ensureSchema(opts) {
   return { tables: created };
 }
 
-// D-M11 — WORM enforcement helper. Idempotent: rebuilding triggers
+// WORM enforcement helper. Idempotent: rebuilding triggers
 // per boot is cheap and any operator-applied DROP TRIGGER is restored
 // at the next ensureSchema pass.
 async function _installWormTriggers(backend, dialect) {

package/lib/guard-cidr.js

@@ -73,7 +73,7 @@ var IPV4_RESERVED = Object.freeze([
   { net: _ipv4ToUint32([127, 0, 0, 0]),      prefix: 8,  label: "loopback" },                    // IPv4 octets
   { net: _ipv4ToUint32([169, 254, 0, 0]),    prefix: 16, label: "link-local" },                  // IPv4 octets
   { net: _ipv4ToUint32([224, 0, 0, 0]),      prefix: 4,  label: "multicast" },                   // IPv4 octets
-  { net: _ipv4ToUint32([240, 0, 0, 0]),      prefix: 4,  label: "reserved-class-e" },            // allow:raw-time-literal — 240 is an IPv4 octet not seconds
+  { net: _ipv4ToUint32([240, 0, 0, 0]),      prefix: 4,  label: "reserved-class-e" },            // allow:raw-time-literal — IPv4 octet 240; coincidental multiple-of-60, not a duration, C.TIME N/A
   { net: _ipv4ToUint32([192, 0, 2, 0]),      prefix: 24, label: "documentation-test-net-1" },    // IPv4 octets
   { net: _ipv4ToUint32([198, 51, 100, 0]),   prefix: 24, label: "documentation-test-net-2" },    // IPv4 octets
   { net: _ipv4ToUint32([203, 0, 113, 0]),    prefix: 24, label: "documentation-test-net-3" },    // IPv4 octets

package/lib/guard-image.js

@@ -111,7 +111,7 @@ var PROFILES = Object.freeze({
     framesPolicy:              "reject",
     maxWidth:                  C.BYTES.bytes(8192),                              // pixel cap, repurposing bytes() for clarity
     maxHeight:                 C.BYTES.bytes(8192),
-    maxFrames:                 60,                                               // allow:raw-time-literal — animation frame count, not seconds
+    maxFrames:                 60,                                               // allow:raw-time-literal — max-frame count 60; coincidental multiple-of-60, not a duration, C.TIME N/A
     maxBytes:                  C.BYTES.mib(32),
     maxRuntimeMs:              C.TIME.seconds(5),
   },

package/lib/guard-list-id.js

@@ -203,8 +203,8 @@ function validate(headerValue, opts) {
   // recover the boundary without Public Suffix List awareness
   // (`team.example.com` could be label=team / ns=example.com OR
   // label=team.example / ns=com). The earlier last-2-segment
-  // heuristic produced empty `label` for 2-label IDs (Codex P1 on
-  // PR #64), which violates RFC 2919 §2's required label "."
+  // heuristic produced empty `label` for 2-label IDs
+  // which violates RFC 2919 §2's required label "."
   // namespace decomposition.
   //
   // Drop the heuristic split — surface only the raw `listId` (and

package/lib/guard-list-unsubscribe.js

@@ -349,8 +349,7 @@ function _extractUris(raw, maxUris) {
   // bracket pairs directly via String.matchAll so URIs containing
   // commas (legitimate, e.g. `<https://x/u?tags=a,b>`) parse
   // correctly. Earlier split(",")-based scan misclassified such
-  // URIs as "no <URI> elements" and refused legitimate mail
-  // (Codex P1 on PR #63).
+  // URIs as "no <URI> elements" and refused legitimate mail.
   var matches = raw.matchAll(/<([^<>]*)>/g);                                                             // allow:regex-no-length-cap — input length-bounded by maxBytes check upstream
   var uris = [];
   for (var m of matches) {
@@ -372,7 +371,7 @@ function _hasControlChar(s) {
 
 function _trunc(s) {
   if (s.length <= 64) return s;                                                                          // error-message truncation
-  return s.slice(0, 60) + "…";                                                                          // allow:raw-time-literal — char count for error-message truncation, not seconds
+  return s.slice(0, 60) + "…";                                                                          // allow:raw-time-literal — truncation char-count 60; coincidental multiple-of-60, not a duration, C.TIME N/A
 }
 
 function _verdict(action, reason, extra) {

package/lib/guard-time.js

@@ -254,7 +254,7 @@ function _detectIssues(input, opts) {
       snippet: "minute " + minute + " > 59",
     });
   }
-  if (second > 60) {                                                             // allow:raw-time-literal — leap-second ceiling, RFC 3339 §5.6 (not seconds-of-time)
+  if (second > 60) {                                                             // allow:raw-time-literal — leap-second ceiling literal 60 (RFC 3339 5.6); coincidental multiple-of-60, not a duration, C.TIME N/A
     issues.push({
       kind: "second-range", severity: "high",
       ruleId: "time.second-range",

package/lib/guard-xml.js

@@ -303,7 +303,7 @@ function _detectIssues(input, opts) {
   // get the NCR cap disabled with them. The `maxNumericCharRefs` opt
   // is validated by `numericBounds.requireAllPositiveFiniteIntIfPresent`
   // at the public-surface boundary above.
-  var ncrCap = opts.maxNumericCharRefs;                                          // allow:numeric-opt-no-bounds-check — validated at public boundary
+  var ncrCap = opts.maxNumericCharRefs;
   if (ncrCap !== undefined && ncrCap !== null) {
     var ncrMatches = input.match(NUMERIC_CHAR_REF_RE);                           // allow:regex-no-length-cap — input bounded by maxBytes above
     var ncrCount = ncrMatches === null ? 0 : ncrMatches.length;

package/lib/http-client-cache.js

@@ -66,7 +66,7 @@ var HEURISTIC_MAX_AGE_MS = C.TIME.hours(24);
 // Statuses RFC 9110 designates as heuristically cacheable. (Plus 200/206
 // which are universally cacheable when a freshness lifetime is given.)
 var CACHEABLE_STATUSES = new Set([
-  200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501,                                  // allow:raw-time-literal — same line, status codes not seconds
+  200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501,                                  // allow:raw-time-literal — RFC 9111 cacheable status-code set; coincidental multiple-of-60 entries, not durations, C.TIME N/A
 ]);
 
 // Headers that MUST not be forwarded when serving a 304-updated entry.

package/lib/iab-tcf.js

@@ -108,7 +108,7 @@ var TCF_V23_POLICY_VERSION = 4;
 var SEGMENT_TYPE_DISCLOSED_VENDORS = 1;                                                        // TCF segment-type marker, not bytes
 var SEGMENT_TYPE_ALLOWED_VENDORS   = 2;                                                        // TCF segment-type marker, not bytes
 var SEGMENT_TYPE_PUBLISHER_TC      = 3;                                                        // TCF segment-type marker, not bytes
-var MAX_TC_STRING_BYTES = 64 * 1024;                                                           // allow:raw-byte-literal — request-payload cap
+var MAX_TC_STRING_BYTES = 64 * 1024;
 
 // base64url decode (no padding) → Buffer.
 function _b64urlDecode(s) {
@@ -186,8 +186,8 @@ function _parseCore(buf) {
   var publisherRestrictions = _parsePublisherRestrictions(r);
   return {
     version:               version,
-    createdAt:             createdRaw * 100,                                                   // allow:raw-time-literal — TCF spec deciseconds → ms
-    lastUpdatedAt:         lastUpdatedRaw * 100,                                               // allow:raw-time-literal — TCF spec deciseconds → ms
+    createdAt:             createdRaw * 100,
+    lastUpdatedAt:         lastUpdatedRaw * 100,
     cmpId:                 cmpId,
     cmpVersion:            cmpVersion,
     consentScreen:         consentScreen,
@@ -545,7 +545,7 @@ function _idRuns(ids) {
 function _decisec(t) {
   var ms = t instanceof Date ? t.getTime() : (t == null ? Date.now() : Number(t));
   if (!isFinite(ms) || ms < 0) throw IabTcfError.factory("iab-tcf/bad-value", "iabTcf.encode: timestamp must be a Date or non-negative epoch-ms");
-  return Math.round(ms / 100);                                                                  // allow:raw-time-literal — ms → TCF deciseconds
+  return Math.round(ms / 100);
 }
 
 // Bit writer mirroring _bitReader: bits are packed high-bit-first, then the

package/lib/incident-report.js

@@ -305,8 +305,158 @@ function create(opts) {
   };
 }
 
+// Breach detection -> notification running clock. The reporter
+// (`create`) computes the static per-stage deadlines; this clock turns
+// them into a live escalation loop: it tracks open incident records and,
+// on each tick, fires "approaching" warnings as a stage's deadline nears
+// and a "passed" alert when it elapses — once per (incident, stage,
+// state) so a busy tick interval can't storm the operator. It re-uses
+// the reporter's REGIME_DEADLINES / dueBy timestamps and re-encodes no
+// jurisdiction hour-counts (GDPR Art.33 72h, NIS2 Art.23(4) 24h, DORA
+// Art.19 + RTS 2024/1772 4h, CRA Art.14, HIPAA 45 CFR 164.404/408).
+// `approachThresholds` are unitless proportions of detected-to-due.
+function createDeadlineClock(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "notify", "approachThresholds", "intervalMs", "autoStart", "now",
+  ], "incident.report.createDeadlineClock");
+
+  var auditOn = opts.audit !== false;
+  var notify  = (opts.notify && typeof opts.notify.send === "function") ? opts.notify : null;
+  var thresholds = Array.isArray(opts.approachThresholds) ? opts.approachThresholds.slice() : [0.5, 0.75, 0.9];
+  for (var ti = 0; ti < thresholds.length; ti += 1) {
+    if (typeof thresholds[ti] !== "number" || !(thresholds[ti] > 0 && thresholds[ti] < 1)) {
+      throw new IncidentReportError("incident-report/bad-threshold",
+        "createDeadlineClock: approachThresholds must be numbers strictly between 0 and 1");
+    }
+  }
+  thresholds.sort(function (a, b) { return a - b; });
+  var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
+  var intervalMs = (typeof opts.intervalMs === "number" && isFinite(opts.intervalMs) && opts.intervalMs > 0)
+    ? opts.intervalMs : C.TIME.minutes(1);
+  var autoStart = opts.autoStart !== false;
+
+  var tracked = new Map();   // incidentId -> { detectedAt, dueBy, regime, acked, fired }
+  var timer = null;
+
+  function _emit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({ action: "incident.report.clock." + action, outcome: outcome, metadata: metadata || {} });
+    } catch (_e) { /* drop-silent — by design */ }
+  }
+  function _notify(payload) {
+    if (!notify) return;
+    try {
+      var r = notify.send(payload);
+      if (r && typeof r.then === "function") r.then(null, function () {});
+    } catch (_e) { /* drop-silent — escalation is best-effort, never crashes a tick */ }
+  }
+
+  function track(record) {
+    if (!record || typeof record !== "object" || typeof record.id !== "string" || record.id.length === 0) {
+      throw new IncidentReportError("incident-report/bad-record",
+        "createDeadlineClock.track: record must be an incident.report record with a string id");
+    }
+    if (!record.dueBy || typeof record.dueBy !== "object" ||
+        typeof record.detectedAt !== "number") {
+      throw new IncidentReportError("incident-report/bad-record",
+        "createDeadlineClock.track: record must carry detectedAt + dueBy { initial, intermediate, final }");
+    }
+    tracked.set(record.id, {
+      detectedAt: record.detectedAt,
+      dueBy:      record.dueBy,
+      regime:     record.regime || null,
+      acked:      {},
+      fired:      {},
+    });
+    return record.id;
+  }
+
+  function untrack(id) { return tracked.delete(id); }
+
+  function acknowledgeSubmission(id, stage, info) {
+    if (!VALID_STAGES[stage]) {
+      throw new IncidentReportError("incident-report/bad-stage",
+        "createDeadlineClock.acknowledgeSubmission: stage must be one of " + Object.keys(VALID_STAGES).join(", "));
+    }
+    var t = tracked.get(id);
+    if (!t) {
+      throw new IncidentReportError("incident-report/unknown-incident",
+        "createDeadlineClock.acknowledgeSubmission: no tracked incident '" + id + "'");
+    }
+    t.acked[stage] = true;
+    _emit("submission_acknowledged", "success", { incidentId: id, regime: t.regime, stage: stage, info: info || null });
+    return true;
+  }
+
+  // Pure evaluation seam — operators (and tests) can pass an explicit
+  // nowMs. Each (incident, stage, state) fires AT MOST once; a stage
+  // that has been acknowledged is skipped entirely.
+  function tick(nowMsArg) {
+    var nowMs = typeof nowMsArg === "number" ? nowMsArg : now();
+    tracked.forEach(function (t, id) {
+      var stages = ["initial", "intermediate", "final"];
+      for (var si = 0; si < stages.length; si += 1) {
+        var stage = stages[si];
+        if (t.acked[stage]) continue;
+        var due = t.dueBy[stage];
+        if (typeof due !== "number") continue;
+        var span = due - t.detectedAt;
+        if (span <= 0) continue;
+        if (nowMs >= due) {
+          var pk = stage + ":passed";
+          if (!t.fired[pk]) {
+            t.fired[pk] = true;
+            _emit("deadline_passed", "failure", { incidentId: id, regime: t.regime, stage: stage, dueBy: due });
+            _notify({ kind: "deadline_passed", incidentId: id, regime: t.regime, stage: stage, dueBy: due });
+          }
+          continue;
+        }
+        var proportion = (nowMs - t.detectedAt) / span;
+        for (var thi = thresholds.length - 1; thi >= 0; thi -= 1) {
+          if (proportion >= thresholds[thi]) {
+            var ak = stage + ":approaching:" + thresholds[thi];
+            if (!t.fired[ak]) {
+              t.fired[ak] = true;
+              _emit("deadline_approaching", "warning",
+                { incidentId: id, regime: t.regime, stage: stage, dueBy: due, threshold: thresholds[thi] });
+              _notify({ kind: "deadline_approaching", incidentId: id, regime: t.regime, stage: stage, dueBy: due, threshold: thresholds[thi] });
+            }
+            break;
+          }
+        }
+      }
+    });
+  }
+
+  function start() {
+    if (timer) return;
+    timer = setInterval(function () { tick(); }, intervalMs);
+    if (timer && typeof timer.unref === "function") timer.unref();
+  }
+  function stop() {
+    if (timer) { clearInterval(timer); timer = null; }
+  }
+  function status() {
+    return { tracked: tracked.size, running: timer !== null, intervalMs: intervalMs };
+  }
+
+  if (autoStart) start();
+  return {
+    track:                 track,
+    untrack:               untrack,
+    acknowledgeSubmission: acknowledgeSubmission,
+    tick:                  tick,
+    start:                 start,
+    stop:                  stop,
+    status:                status,
+  };
+}
+
 module.exports = {
   create:                create,
+  createDeadlineClock:   createDeadlineClock,
   IncidentReportError:   IncidentReportError,
   REGIME_DEADLINES:      REGIME_DEADLINES,
   DEFAULT_DEADLINES:     DEFAULT_DEADLINES,

package/lib/json-schema.js

@@ -487,7 +487,7 @@ function _typeMatches(typeKw, instance, actual) {
 function _checkNumber(schema, n, emit) {
   if (typeof schema.multipleOf === "number") {
     var q = n / schema.multipleOf;
-    if (!isFinite(q) || Math.abs(q - Math.round(q)) > 1e-9 * Math.max(1, Math.abs(q))) {   // allow:raw-time-literal — float tolerance for multipleOf
+    if (!isFinite(q) || Math.abs(q - Math.round(q)) > 1e-9 * Math.max(1, Math.abs(q))) {
       // Exact check for integers; tolerance only bridges float error.
       if (n % schema.multipleOf !== 0) emit("multipleOf", "value is not a multiple of " + schema.multipleOf);
     }

package/lib/jtd.js

@@ -33,7 +33,7 @@ var rfc3339 = require("./rfc3339");
 
 var JtdError = defineClass("JtdError", { alwaysPermanent: true });
 
-var MAX_DEPTH = 10000;                                       // allow:raw-time-literal — recursion cap for self-referential refs
+var MAX_DEPTH = 10000;
 
 var TYPES = {
   boolean: 1, string: 1, timestamp: 1, float32: 1, float64: 1,

package/lib/mail-auth.js

@@ -1819,7 +1819,7 @@ function authResultsEmit(opts) {
 //   //   }
 
 var DMARC_RUA_MAX_REPORT_BYTES = C.BYTES.mib(8);
-var DMARC_RUA_MAX_RECORDS_PER_REPORT = 10000;                                     // allow:raw-time-literal — record cap, not seconds
+var DMARC_RUA_MAX_RECORDS_PER_REPORT = 10000;
 
 function _arrayOf(value) {
   if (value === undefined || value === null) return [];

package/lib/mail-bimi.js

@@ -444,7 +444,7 @@ function validateTinyPsSvg(svgBytes) {
         if (lname === "href" || lname === "xlink:href") {
           if (aval.length > 0 && aval.charAt(0) !== "#") {
             _vio("external-ref-forbidden",
-              "external reference in `" + aname + "='" + aval.slice(0, 60) /* allow:raw-time-literal — display truncation chars, not seconds */ + "...'` " +
+              "external reference in `" + aname + "='" + aval.slice(0, 60) /* allow:raw-time-literal — display truncation char-count 60; coincidental multiple-of-60, not a duration, C.TIME N/A */ + "...'` " +
               "is forbidden in Tiny-PS (only `#fragment` permitted)");
           }
         }

package/lib/mail-crypto-smime.js

@@ -754,7 +754,7 @@ function checkCert(opts) {
   if (pub && pub.asymmetricKeyType === "rsa") {
     var jwk = pub.export({ format: "jwk" });
     var nBytes = Buffer.from(jwk.n, "base64url");
-    var bits = nBytes.length * 8;                                                                     // allow:raw-time-literal — RFC 5280 in comment, not seconds
+    var bits = nBytes.length * 8;                                                                     // allow:raw-time-literal — byte-length*8 bit count; coincidental multiple-of-60 product, not a duration, C.TIME N/A
     if (bits < RSA_MIN_BITS) {
       throw new MailCryptoError("mail-crypto/smime/rsa-too-small",
         "cert public key is " + bits + " RSA bits; minimum is " + RSA_MIN_BITS +
@@ -763,7 +763,7 @@ function checkCert(opts) {
   }
 
   // Validity window — refuse certs outside their notBefore / notAfter
-  // window. Codex P1: checkCert's docstring promises this throws
+  // window. checkCert's docstring promises this throws
   // `mail-crypto/smime/expired-cert` but the impl was missing, letting
   // expired or not-yet-valid signing certs pass boot-time preflight
   // and fail interop later when peers verify signatures against the

package/lib/mail-deploy.js

@@ -720,7 +720,7 @@ function _validateTlsRptReport(raw, ctx) {
       "parseTlsRptReport: report has " + policies.length +
       " policies (cap " + TLSRPT_MAX_POLICIES + ")");
   }
-  // Codex P2 (v0.10.15) — validate summary counts as finite non-negative
+  // Validate summary counts as finite non-negative
   // integers before summing. `Number(...) || 0` would accept
   // `Infinity` (from JSON literal `1e309` or string "Infinity"),
   // negative values, and arbitrary strings (coerced to NaN→0). Each
@@ -882,7 +882,7 @@ function tlsRptReportSchema() {
  *     posture-aware payload (organization-name, report-id,
  *     policy-domain set, session totals).
  *
- * Authentication discipline (Codex P2 v0.10.15):
+ * Authentication discipline:
  *   - `trustedReporters` is a CONTENT-SIDE soft filter — it compares
  *     the reporter's self-declared `organization-name` field (the
  *     report body, operator-untrusted) against the operator's
@@ -962,7 +962,7 @@ function tlsRptIngestHttp(opts) {
       res.end("RFC 8460 §6.4-6.5 media types required\n");
       return;
     }
-    // Codex P2 (v0.10.15) — real-authentication boundary BEFORE body
+    // Real-authentication boundary BEFORE body
     // collection. The operator-supplied `authenticate(req)` hook
     // routes to mTLS peer-cert / IP-allowlist / signed-header /
     // reverse-proxy header inspection. Sync-or-async; falsy → 401.

package/lib/mail-server-managesieve.js

@@ -43,7 +43,7 @@
  *     `opts.auth.mechanisms`. The framework hardcodes no defaults; an
  *     operator who omits `mechanisms` gets a listener that refuses
  *     every AUTHENTICATE attempt with "mechanism not advertised"
- *     (avoids the IMAP v0.9.49 Codex P2 class — advertising AUTH=PLAIN
+ *     (otherwise advertising AUTH=PLAIN
  *     when authConfig is null sets clients up to attempt PLAIN against
  *     a listener that hasn't wired the verifier).
  *
@@ -482,7 +482,7 @@ function create(opts) {
     }
     socket.write('"SIEVE" "' + sieveCaps.join(" ") + '"\r\n');
     // Advertise SASL mechanisms — ONLY the mechs the operator wired
-    // in opts.auth.mechanisms (Codex P2 IMAP lesson: don't hardcode).
+    // in opts.auth.mechanisms (do not hardcode the advertised mechanisms).
     if (authConfig && Array.isArray(authConfig.mechanisms) && authConfig.mechanisms.length > 0) {
       var mechs = authConfig.mechanisms.map(function (m) {
         return String(m).toUpperCase();

package/lib/mail-server-mx.js

@@ -998,7 +998,7 @@ function create(opts) {
     });
     var deadline = Date.now() + timeoutMs;
     while (connections.size > 0 && Date.now() < deadline) {
-      await safeAsync.sleep(100);                                                                    // allow:raw-time-literal — close-drain poll interval (sub-second; operator-bounded by timeoutMs)
+      await safeAsync.sleep(100);
     }
     connections.forEach(function (sock) {
       try { sock.destroy(); } catch (_e) { /* best-effort */ }

package/lib/mail-server-pop3.js

@@ -368,8 +368,8 @@ function create(opts) {
     socket.write("UIDL\r\n");
     socket.write("RESP-CODES\r\n");
     if (!state.tls) socket.write("STLS\r\n");
-    // Advertise AUTH mechanisms ONLY when wired (Codex P2 IMAP lesson:
-    // don't hardcode SASL mechs in caps).
+    // Advertise AUTH mechanisms ONLY when wired
+    // (do not hardcode SASL mechs in caps).
     if (authConfig && Array.isArray(authConfig.mechanisms) && authConfig.mechanisms.length > 0) {
       var mechs = authConfig.mechanisms.map(function (m) {
         return String(m).toUpperCase();

package/lib/mail-server-rate-limit.js

@@ -96,7 +96,7 @@ var MailServerRateLimitError = defineClass("MailServerRateLimitError", { alwaysP
 
 var DEFAULTS = Object.freeze({
   maxConcurrentConnectionsPerIp: 10,
-  connectionsPerIpPerMinute:     60,                                                                  // allow:raw-time-literal — connection count, not a time value
+  connectionsPerIpPerMinute:     60,                                                                  // allow:raw-time-literal — per-minute connection rate 60; time-derived (per-minute) single source of truth, C.TIME N/A as a count
   authFailuresPerIpPer15Min:     10,
   minBytesPerSecond:             100,                                                                 // slow-loris byte-rate floor
   // RCPT-TO recipient-failure cap defends against the 550-vs-250

package/lib/mail-server-submission.js

@@ -1347,7 +1347,7 @@ function create(opts) {
     });
     var deadline = Date.now() + timeoutMs;
     while (connections.size > 0 && Date.now() < deadline) {
-      await safeAsync.sleep(100);                                                                    // allow:raw-time-literal — sub-second drain poll
+      await safeAsync.sleep(100);
     }
     connections.forEach(function (sock) {
       try { sock.destroy(); } catch (_e) { /* best-effort */ }

package/lib/mail-store.js

@@ -753,7 +753,7 @@ function _setFlags(args) {
   // Per-message modseq bump — without this, queryByModseq filters
   // `messages.modseq > sinceModseq` and misses the flag change. CONDSTORE
   // (RFC 7162) / JMAP Email/changes both depend on the per-message
-  // modseq being current. Per Codex P1 on PR #49.
+  // modseq being current.
   if (args.objectids.length > 0 && (setFlags.length > 0 || unsetFlags.length > 0)) {
     // Bulk-update via IN-clause. SQLite caps IN-clause at 32766 (max
     // bound parameters); chunk for very large operands.