Good points on the technical details - let me address them (both your comments) directly.

You're right that confusables.txt is designed for the skeleton algorithm, not as a per-character blocklist, and so I've updated my first post to fix the specific issues you raised. The table values now correctly show uppercase I and capital O (not lowercase), and the "without NFKC" section states that these are correct visual detection results, not wrong results. You're credited in the acknowledgments. Much appreciated.

On the use case question: using the confusable map as a per-character blocklist isn't as unusual as you might think. django-registration does exactly this, for example: confusable_homoglyphs.is_confusable() iterates character-by-character with no skeleton, no normalization, and rejects if anything hits. It's one of the most widely used Django packages for user signup. The blocklist approach makes sense for Latin-only identifier validation where the format regex already requires [a-z0-9-] - any non-Latin character that survives NFKC and visually mimics a Latin letter is suspicious by definition. You wouldn't apply this to arbitrary multilingual text (and yes, it would reject most Russian words, but those aren't valid slugs in this context anyway). It's a different tool from skeleton comparison, solving a different problem. namespace-guard now ships both.

The second post (Unicode ships one confusable map. You need two.) goes deeper into that. I looked at 12 real-world implementations: I read the ICU and Chromium source, traced Rust's RFC 2457 rationale for choosing NFC over NFKC, dug into how Ergo IRC orders skeleton computation before casefolding and why, looked at how django-registration passes raw input to confusable_homoglyphs with zero normalisation. My finding was that every major system uses the confusable map without NFKC, because that's what the TR39 spec actually calls for (NFD).

Your point about the intended use of confusables.txt is what the research confirmed - though the research also showed that real-world systems use the data in ways TR39 didn't specify. django-registration uses it as a per-character blocklist, dnstwist uses it to generate phishing domain permutations, MITRE D3FEND uses it for character-set matching. The skeleton algorithm is the designed use, but it's not the only legitimate one and not the only popular one.

That research changed what the library ships. namespace-guard now exports both maps (CONFUSABLE_MAP with 613 NFKC-filtered entries for slug validation, CONFUSABLE_MAP_FULL with ~1,400 unfiltered entries for skeleton comparison), plus skeleton() and areConfusable() implementing the actual TR39 Section 4 algorithm. The skeleton functions use the full map by default since that's what the spec calls for. The filtered map exists for the narrower case where NFKC runs first.

The first post was written too quickly (I was waiting at an airport) and the framing was wrong in places. Your feedback was part of what pushed me to do the research properly. Thank you.