Right now the way to programatically detect these tests is to look at the comment key. It'd be great if there were a flag for this.

I'll add flags.
Since the size of the flags and the size of nonce is encoded using 3 bits each in the block B0
encryption with invalid values is essentially undefined.

For what it's worth, the reason this is desired by us is that we use a different error type for bad nonce length than we do for other failures, since bad nonce length is generally a programming bug, as opposed to bad data.