fix: align security limits across all languages, correct license declarations

- Tighten JS parse.ts limits to match all other impls: depth 256→128,
  collection 10M→1M, string 500MB→10MB
- Raise Python parse.py depth from 100→128 (was 28 levels stricter than
  every other implementation, causing cross-language desync)
- Update depth overflow tests to use 129 (exceeds new canonical limit)
- Fix Rust Cargo.toml and C README license: MIT→Apache-2.0 (project is Apache-2.0)
- Fix bare except: in demo-server.py (swallowed KeyboardInterrupt)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: phenomenon0

c/glyph-codec/README.md

@@ -160,4 +160,4 @@ char *glyph = glyph_canonicalize_loose(v);
 
 ## License
 
-MIT
+Apache-2.0

demo-server.py

@@ -265,7 +265,7 @@ def do_GET(self):
 
         try:
             return super().do_GET()
-        except:
+        except Exception:
             self.send_response(404)
             self.end_headers()
 

js/src/parse.ts

@@ -21,9 +21,9 @@ export function parsePacked(input: string, schema: Schema): GValue {
   return parser.parse();
 }
 
-const MAX_PARSE_DEPTH = 256;
-const MAX_COLLECTION_LEN = 10_000_000;  // 10M elements
-const MAX_STRING_LEN = 500_000_000;     // 500MB
+const MAX_PARSE_DEPTH = 128;              // aligned with loose.ts, C, Python
+const MAX_COLLECTION_LEN = 1_000_000;     // 1M elements (aligned across all impls)
+const MAX_STRING_LEN = 10 * 1024 * 1024;  // 10MB (aligned across all impls)
 
 class PackedParser {
   private input: string;

py/glyph/parse.py

@@ -49,7 +49,7 @@ class Token:
     pos: int
 
 
-DEFAULT_MAX_DEPTH = 100
+DEFAULT_MAX_DEPTH = 128  # aligned with Go, JS, C, Rust
 MAX_COLLECTION_LEN = 1_000_000  # 1M elements
 MAX_STRING_LEN = 10 * 1024 * 1024  # 10MB
 

py/tests/test_glyph.py

@@ -289,7 +289,7 @@ def test_rejects_non_finite_and_overflow_float_literals(self, text):
             parse(text)
 
     def test_limits_nesting_depth(self):
-        deeply_nested = "[" * 101 + "0" + "]" * 101
+        deeply_nested = "[" * 129 + "0" + "]" * 129
         with pytest.raises(ValueError, match="maximum nesting depth"):
             parse(deeply_nested)
 
@@ -613,17 +613,17 @@ def test_nesting_depth_map(self):
         # Should work at depth 50
         v = parse(text)
         # Now try exceeding
-        deep = "{a=" * 101 + "1" + "}" * 101
+        deep = "{a=" * 129 + "1" + "}" * 129
         with pytest.raises(ValueError, match="maximum nesting depth"):
             parse(deep)
 
     def test_nesting_depth_struct(self):
-        deep = "S{x=" * 101 + "1" + "}" * 101
+        deep = "S{x=" * 129 + "1" + "}" * 129
         with pytest.raises(ValueError, match="maximum nesting depth"):
             parse(deep)
 
     def test_nesting_depth_sum(self):
-        deep = "T(" * 101 + "1" + ")" * 101
+        deep = "T(" * 129 + "1" + ")" * 129
         with pytest.raises(ValueError, match="maximum nesting depth"):
             parse(deep)
 

rust/glyph-codec/Cargo.toml

@@ -3,7 +3,7 @@ name = "glyph-rs"
 version = "1.0.0"
 edition = "2021"
 description = "GLYPH codec - token-efficient serialization for AI agents"
-license = "MIT"
+license = "Apache-2.0"
 repository = "https://github.com/Neumenon/glyph"
 keywords = ["serialization", "codec", "llm", "ai", "json"]
 categories = ["encoding", "parser-implementations"]