} else {
        "scheduled after ${formatDuration(executeNanoTime - now)}"
      }
    }

    // Insert in chronological order. Always compare deltas because nanoTime() is permitted to wrap.
    var insertAt = futureTasks.indexOfFirst { it.nextExecuteNanoTime - now > delayNanos }
    if (insertAt == -1) insertAt = futureTasks.size
    futureTasks.add(insertAt, task)

   * FeatureSpecificTestSuiteBuilder.suppressing()}.
   */
  /*
   * TODO(cpovirk): or we could make HOLES_FORBIDDEN a feature. Or we could declare that
   * implementations are permitted to throw IAE if a hole is requested, and we could update
   * test*Hole to permit IAE. (But might this ignore genuine bugs?) But see the TODO above
   * testLower, which could make this all unnecessary
   */

  static final String URL_PATH_OTHER_SAFE_CHARS_LACKING_PLUS =
      "-._~" // Unreserved characters.
          + "!$'()*,;&=" // The subdelim characters (excluding '+').
          + "@:"; // The gendelim characters permitted in paths.

  /**
   * Returns an {@link Escaper} instance that escapes strings so they can be safely included in <a
   * href="https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set">URL

   *
   * <ul>
   *   <li>Any part containing non-ASCII characters is considered valid.
   *   <li>Underscores ('_') are permitted wherever dashes ('-') are permitted.
   *   <li>Parts other than the final part may start with a digit, as mandated by <a
   *       href="https://tools.ietf.org/html/rfc1123#section-2">RFC 1123</a>.
   * </ul>
   *

// governance bypass headers are set and user has governance bypass permissions.
// Objects in compliance mode can be overwritten only if retention date is being extended. No mode change is permitted.
func enforceRetentionBypassForPut(ctx context.Context, r *http.Request, oi ObjectInfo, objRetention *objectlock.ObjectRetention, cred auth.Credentials, owner bool) error {

      }

    // Read the length.
    val length0 = source.readByte().toInt() and 0xff
    val length =
      when {
        length0 == 0b1000_0000 -> {
          throw ProtocolException("indefinite length not permitted for DER")
        }
        (length0 and 0b1000_0000) == 0b1000_0000 -> {
          // Length specified over multiple bytes.
          val lengthBytes = length0 and 0b0111_1111
          if (lengthBytes > 8) {

      }

      val host = route.address.url.host
      if (!Platform.get().isCleartextTrafficPermitted(host)) {
        throw UnknownServiceException(
          "CLEARTEXT communication to $host not permitted by network security policy",
        )
      }
    } else {
      if (Protocol.H2_PRIOR_KNOWLEDGE in route.address.protocols) {
        throw UnknownServiceException("H2_PRIOR_KNOWLEDGE cannot be used with HTTPS")

   * are permitted.
   */
  var file: RandomAccessFile?,
  /**
   * Null once the file has a complete copy of the upstream bytes. Only the [upstreamReader] thread
   * may access this source.
   */
  var upstream: Source?,
  /** The number of bytes consumed from [upstream]. Guarded by this. */
  var upstreamPos: Long,
  /** User-supplied additional data persisted with the source data. */

used for authentication for any user listed in the certificate's principals list. 

Note that certificates that lack a list of principals will not be permitted for authentication using trusted-user-ca-key.

 * CompactLinkedHashSet is an implementation of a Set, which a predictable iteration order that
 * matches the insertion order. All optional operations (adding and removing) are supported. All
 * elements, including {@code null}, are permitted.
 *
 * <p>{@code contains(x)}, {@code add(x)} and {@code remove(x)}, are all (expected and amortized)
 * constant time operations. Expected in the hashtable sense (depends on the hash function doing a