npm - @adukiorg/anza - Versions diffs - 0.2.0 - Mend

@adukiorg/anza 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (349) hide show

package/CHANGELOG.md +137 -0
package/README.md +215 -0
package/bin/anza.js +63 -0
package/bin/create.js +150 -0
package/importmap.json +72 -0
package/package.json +100 -0
package/src/core/animations/index.js +55 -0
package/src/core/animations/play.js +111 -0
package/src/core/animations/registry.js +54 -0
package/src/core/animations/scroll.js +50 -0
package/src/core/animations/tokens.js +58 -0
package/src/core/animations/usage.md +301 -0
package/src/core/animations/waapi.js +86 -0
package/src/core/api/cache.js +120 -0
package/src/core/api/caches/glob.js +24 -0
package/src/core/api/caches/index.js +118 -0
package/src/core/api/events/index.js +75 -0
package/src/core/api/fetch.js +99 -0
package/src/core/api/index.js +158 -0
package/src/core/api/pipeline.js +98 -0
package/src/core/api/plan.md +209 -0
package/src/core/api/prefixes/index.js +66 -0
package/src/core/api/retry.js +69 -0
package/src/core/api/stream.js +127 -0
package/src/core/api/upload.js +180 -0
package/src/core/api/usage.md +206 -0
package/src/core/events/bus.js +38 -0
package/src/core/events/delegate.js +79 -0
package/src/core/events/index.js +26 -0
package/src/core/events/listen.js +50 -0
package/src/core/events/missing.md +103 -0
package/src/core/events/once.js +49 -0
package/src/core/events/plan.md +177 -0
package/src/core/events/types/index.js +34 -0
package/src/core/events/usage.md +107 -0
package/src/core/offline/bridge.js +51 -0
package/src/core/offline/clock.js +100 -0
package/src/core/offline/connectivity.js +116 -0
package/src/core/offline/index.js +41 -0
package/src/core/offline/missing.md +89 -0
package/src/core/offline/plan.md +143 -0
package/src/core/offline/queue.js +168 -0
package/src/core/offline/state.js +18 -0
package/src/core/offline/sync.js +106 -0
package/src/core/offline/usage.md +273 -0
package/src/core/platform/guard.js +104 -0
package/src/core/platform/index.js +42 -0
package/src/core/platform/missing.md +119 -0
package/src/core/platform/platform.d.ts +88 -0
package/src/core/platform/polyfills/anchor.js +79 -0
package/src/core/platform/polyfills/navigation.js +142 -0
package/src/core/platform/polyfills/popover.js +142 -0
package/src/core/platform/polyfills/scheduler.js +194 -0
package/src/core/platform/polyfills/shadow.js +35 -0
package/src/core/platform/polyfills/urlpattern.js +119 -0
package/src/core/platform/supports.js +186 -0
package/src/core/platform/usage.md +287 -0
package/src/core/router/cache.js +95 -0
package/src/core/router/container.js +146 -0
package/src/core/router/handler.js +52 -0
package/src/core/router/history.js +120 -0
package/src/core/router/index.js +158 -0
package/src/core/router/intercept.js +376 -0
package/src/core/router/match.js +145 -0
package/src/core/router/missing.md +716 -0
package/src/core/router/outlet.js +139 -0
package/src/core/router/plan.md +370 -0
package/src/core/router/sync/index.js +16 -0
package/src/core/router/sync/tab.js +115 -0
package/src/core/router/sync/transport.js +139 -0
package/src/core/router/transitions.js +59 -0
package/src/core/router/usage.md +773 -0
package/src/core/security/crypto.js +159 -0
package/src/core/security/index.js +49 -0
package/src/core/security/missing.md +97 -0
package/src/core/security/permissions.js +64 -0
package/src/core/security/sanitize.js +100 -0
package/src/core/security/usage.md +283 -0
package/src/core/state/derived.js +117 -0
package/src/core/state/index.js +23 -0
package/src/core/state/missing.md +165 -0
package/src/core/state/persist.js +284 -0
package/src/core/state/store.js +308 -0
package/src/core/state/sync.js +46 -0
package/src/core/state/usage.md +440 -0
package/src/core/storage/cache.js +83 -0
package/src/core/storage/idb.js +196 -0
package/src/core/storage/index.js +373 -0
package/src/core/storage/lru.js +107 -0
package/src/core/storage/missing.md +165 -0
package/src/core/storage/opfs.js +190 -0
package/src/core/storage/plan.md +69 -0
package/src/core/storage/quota.js +69 -0
package/src/core/storage/usage.md +226 -0
package/src/core/ui/base.js +50 -0
package/src/core/ui/define/container.js +82 -0
package/src/core/ui/define/define.js +12 -0
package/src/core/ui/define/element.js +390 -0
package/src/core/ui/define/index.js +9 -0
package/src/core/ui/define/orchestrator.js +105 -0
package/src/core/ui/define/proxy.js +644 -0
package/src/core/ui/define/state.js +6 -0
package/src/core/ui/define/utils.js +134 -0
package/src/core/ui/implementation.md +170 -0
package/src/core/ui/index.js +41 -0
package/src/core/ui/observe.js +117 -0
package/src/core/ui/plan.md +510 -0
package/src/core/ui/schedule.js +60 -0
package/src/core/ui/template.js +37 -0
package/src/core/ui/transitions.js +37 -0
package/src/core/ui/ui.types.md +890 -0
package/src/core/ui/usage.md +1124 -0
package/src/core/ui/watch.md +346 -0
package/src/core/workers/broadcast.js +138 -0
package/src/core/workers/dedicated.js +153 -0
package/src/core/workers/index.js +169 -0
package/src/core/workers/locks.js +160 -0
package/src/core/workers/offscreen.js +166 -0
package/src/core/workers/plan.md +381 -0
package/src/core/workers/pool.js +267 -0
package/src/core/workers/shared.js +137 -0
package/src/core/workers/usage.md +622 -0
package/src/elements/base.js +12 -0
package/src/elements/data/card/index.html +9 -0
package/src/elements/data/card/index.js +19 -0
package/src/elements/data/card/index.tags.json +1 -0
package/src/elements/data/card/style.css +46 -0
package/src/elements/data/chart/index.html +1 -0
package/src/elements/data/chart/index.js +143 -0
package/src/elements/data/chart/index.tags.json +1 -0
package/src/elements/data/chart/style.css +13 -0
package/src/elements/data/list/index.html +3 -0
package/src/elements/data/list/index.js +19 -0
package/src/elements/data/list/index.tags.json +1 -0
package/src/elements/data/list/style.css +39 -0
package/src/elements/data/stat/index.html +9 -0
package/src/elements/data/stat/index.js +19 -0
package/src/elements/data/stat/index.tags.json +1 -0
package/src/elements/data/stat/style.css +50 -0
package/src/elements/data/table/index.html +1 -0
package/src/elements/data/table/index.js +16 -0
package/src/elements/data/table/index.tags.json +1 -0
package/src/elements/data/table/style.css +50 -0
package/src/elements/feedback/alert/index.html +11 -0
package/src/elements/feedback/alert/index.js +28 -0
package/src/elements/feedback/alert/index.tags.json +1 -0
package/src/elements/feedback/alert/style.css +75 -0
package/src/elements/feedback/empty/index.html +13 -0
package/src/elements/feedback/empty/index.js +34 -0
package/src/elements/feedback/empty/index.tags.json +1 -0
package/src/elements/feedback/empty/style.css +45 -0
package/src/elements/feedback/progress/index.html +7 -0
package/src/elements/feedback/progress/index.js +46 -0
package/src/elements/feedback/progress/index.tags.json +1 -0
package/src/elements/feedback/progress/style.css +36 -0
package/src/elements/feedback/skeleton/index.html +1 -0
package/src/elements/feedback/skeleton/index.js +78 -0
package/src/elements/feedback/skeleton/index.tags.json +1 -0
package/src/elements/feedback/skeleton/style.css +28 -0
package/src/elements/feedback/toast/index.html +3 -0
package/src/elements/feedback/toast/index.js +65 -0
package/src/elements/feedback/toast/index.tags.json +1 -0
package/src/elements/feedback/toast/style.css +36 -0
package/src/elements/forms/checkbox/index.html +7 -0
package/src/elements/forms/checkbox/index.js +104 -0
package/src/elements/forms/checkbox/index.tags.json +1 -0
package/src/elements/forms/checkbox/style.css +86 -0
package/src/elements/forms/field/index.html +13 -0
package/src/elements/forms/field/index.js +42 -0
package/src/elements/forms/field/index.tags.json +1 -0
package/src/elements/forms/field/style.css +42 -0
package/src/elements/forms/form/index.html +3 -0
package/src/elements/forms/form/index.js +122 -0
package/src/elements/forms/form/index.tags.json +1 -0
package/src/elements/forms/form/style.css +11 -0
package/src/elements/forms/input/index.html +4 -0
package/src/elements/forms/input/index.js +103 -0
package/src/elements/forms/input/index.tags.json +1 -0
package/src/elements/forms/input/style.css +39 -0
package/src/elements/forms/radio/index.html +4 -0
package/src/elements/forms/radio/index.js +109 -0
package/src/elements/forms/radio/index.tags.json +1 -0
package/src/elements/forms/radio/style.css +65 -0
package/src/elements/forms/select/index.html +9 -0
package/src/elements/forms/select/index.js +114 -0
package/src/elements/forms/select/index.tags.json +1 -0
package/src/elements/forms/select/style.css +95 -0
package/src/elements/forms/textarea/index.html +4 -0
package/src/elements/forms/textarea/index.js +115 -0
package/src/elements/forms/textarea/index.tags.json +1 -0
package/src/elements/forms/textarea/style.css +46 -0
package/src/elements/forms/toggle/index.html +4 -0
package/src/elements/forms/toggle/index.js +89 -0
package/src/elements/forms/toggle/index.tags.json +1 -0
package/src/elements/forms/toggle/style.css +63 -0
package/src/elements/forms/upload/index.html +13 -0
package/src/elements/forms/upload/index.js +120 -0
package/src/elements/forms/upload/index.tags.json +1 -0
package/src/elements/forms/upload/style.css +61 -0
package/src/elements/index.js +71 -0
package/src/elements/layout/app/index.html +7 -0
package/src/elements/layout/app/index.js +16 -0
package/src/elements/layout/app/index.tags.json +1 -0
package/src/elements/layout/app/style.css +41 -0
package/src/elements/layout/grid/index.html +3 -0
package/src/elements/layout/grid/index.js +41 -0
package/src/elements/layout/grid/index.tags.json +1 -0
package/src/elements/layout/grid/style.css +12 -0
package/src/elements/layout/header/index.html +8 -0
package/src/elements/layout/header/index.js +16 -0
package/src/elements/layout/header/index.tags.json +1 -0
package/src/elements/layout/header/style.css +28 -0
package/src/elements/layout/scroll/index.html +3 -0
package/src/elements/layout/scroll/index.js +19 -0
package/src/elements/layout/scroll/index.tags.json +1 -0
package/src/elements/layout/scroll/style.css +24 -0
package/src/elements/layout/sidebar/index.html +3 -0
package/src/elements/layout/sidebar/index.js +24 -0
package/src/elements/layout/sidebar/index.tags.json +1 -0
package/src/elements/layout/sidebar/style.css +30 -0
package/src/elements/layout/split/index.html +3 -0
package/src/elements/layout/split/index.js +18 -0
package/src/elements/layout/split/index.tags.json +1 -0
package/src/elements/layout/split/style.css +28 -0
package/src/elements/layout/stack/index.html +3 -0
package/src/elements/layout/stack/index.js +31 -0
package/src/elements/layout/stack/index.tags.json +1 -0
package/src/elements/layout/stack/style.css +15 -0
package/src/elements/layout/surface/index.html +3 -0
package/src/elements/layout/surface/index.js +19 -0
package/src/elements/layout/surface/index.tags.json +1 -0
package/src/elements/layout/surface/style.css +29 -0
package/src/elements/navigation/breadcrumb/index.html +5 -0
package/src/elements/navigation/breadcrumb/index.js +16 -0
package/src/elements/navigation/breadcrumb/index.tags.json +1 -0
package/src/elements/navigation/breadcrumb/style.css +36 -0
package/src/elements/navigation/nav/index.html +3 -0
package/src/elements/navigation/nav/index.js +24 -0
package/src/elements/navigation/nav/index.tags.json +1 -0
package/src/elements/navigation/nav/style.css +38 -0
package/src/elements/navigation/pagination/index.html +3 -0
package/src/elements/navigation/pagination/index.js +94 -0
package/src/elements/navigation/pagination/index.tags.json +1 -0
package/src/elements/navigation/pagination/style.css +39 -0
package/src/elements/navigation/steps/index.html +6 -0
package/src/elements/navigation/steps/index.js +64 -0
package/src/elements/navigation/steps/index.tags.json +1 -0
package/src/elements/navigation/steps/style.css +78 -0
package/src/elements/navigation/tabs/index.html +6 -0
package/src/elements/navigation/tabs/index.js +132 -0
package/src/elements/navigation/tabs/index.tags.json +1 -0
package/src/elements/navigation/tabs/style.css +52 -0
package/src/elements/overlay/dialog/index.html +5 -0
package/src/elements/overlay/dialog/index.js +57 -0
package/src/elements/overlay/dialog/index.tags.json +1 -0
package/src/elements/overlay/dialog/style.css +31 -0
package/src/elements/overlay/drawer/index.html +3 -0
package/src/elements/overlay/drawer/index.js +56 -0
package/src/elements/overlay/drawer/index.tags.json +1 -0
package/src/elements/overlay/drawer/style.css +48 -0
package/src/elements/overlay/menu/index.html +3 -0
package/src/elements/overlay/menu/index.js +107 -0
package/src/elements/overlay/menu/index.tags.json +1 -0
package/src/elements/overlay/menu/style.css +43 -0
package/src/elements/overlay/popover/index.html +3 -0
package/src/elements/overlay/popover/index.js +44 -0
package/src/elements/overlay/popover/index.tags.json +1 -0
package/src/elements/overlay/popover/style.css +21 -0
package/src/elements/overlay/sheet/index.html +8 -0
package/src/elements/overlay/sheet/index.js +105 -0
package/src/elements/overlay/sheet/index.tags.json +1 -0
package/src/elements/overlay/sheet/style.css +64 -0
package/src/elements/overlay/tooltip/index.html +6 -0
package/src/elements/overlay/tooltip/index.js +16 -0
package/src/elements/overlay/tooltip/index.tags.json +1 -0
package/src/elements/overlay/tooltip/style.css +41 -0
package/src/elements/primitives/avatar/index.html +2 -0
package/src/elements/primitives/avatar/index.js +79 -0
package/src/elements/primitives/avatar/index.tags.json +1 -0
package/src/elements/primitives/avatar/style.css +36 -0
package/src/elements/primitives/badge/index.html +3 -0
package/src/elements/primitives/badge/index.js +20 -0
package/src/elements/primitives/badge/index.tags.json +1 -0
package/src/elements/primitives/badge/style.css +67 -0
package/src/elements/primitives/button/index.html +3 -0
package/src/elements/primitives/button/index.js +61 -0
package/src/elements/primitives/button/index.tags.json +1 -0
package/src/elements/primitives/button/style.css +66 -0
package/src/elements/primitives/divider/index.html +1 -0
package/src/elements/primitives/divider/index.js +43 -0
package/src/elements/primitives/divider/index.tags.json +1 -0
package/src/elements/primitives/divider/style.css +39 -0
package/src/elements/primitives/icon/index.html +3 -0
package/src/elements/primitives/icon/index.js +66 -0
package/src/elements/primitives/icon/index.tags.json +1 -0
package/src/elements/primitives/icon/style.css +20 -0
package/src/elements/primitives/link/index.html +3 -0
package/src/elements/primitives/link/index.js +129 -0
package/src/elements/primitives/link/index.tags.json +1 -0
package/src/elements/primitives/link/style.css +40 -0
package/src/elements/primitives/spinner/index.html +1 -0
package/src/elements/primitives/spinner/index.js +62 -0
package/src/elements/primitives/spinner/index.tags.json +1 -0
package/src/elements/primitives/spinner/style.css +20 -0
package/src/elements/primitives/text/index.html +1 -0
package/src/elements/primitives/text/index.js +79 -0
package/src/elements/primitives/text/index.tags.json +1 -0
package/src/elements/primitives/text/style.css +25 -0
package/src/index.js +23 -0
package/src/styles/base.css +66 -0
package/src/styles/index.css +10 -0
package/src/styles/layers.css +9 -0
package/src/styles/reset.css +66 -0
package/src/sw/activate.js +51 -0
package/src/sw/expire.js +47 -0
package/src/sw/index.js +28 -0
package/src/sw/install.js +35 -0
package/src/sw/push.js +58 -0
package/src/sw/queue.js +60 -0
package/src/sw/routes.js +71 -0
package/src/sw/strategies.js +247 -0
package/src/sw/sync.js +80 -0
package/src/tokens/index.css +26 -0
package/src/tokens/primitives/colors.css +54 -0
package/src/tokens/primitives/motion.css +34 -0
package/src/tokens/primitives/radius.css +16 -0
package/src/tokens/primitives/shadow.css +34 -0
package/src/tokens/primitives/spacing.css +27 -0
package/src/tokens/primitives/typography.css +46 -0
package/src/tokens/primitives/zindex.css +18 -0
package/src/tokens/registered/colors.css +133 -0
package/src/tokens/registered/dimensions.css +31 -0
package/src/tokens/semantic/components.css +125 -0
package/src/tokens/semantic/contrast.css +33 -0
package/src/tokens/semantic/dark.css +61 -0
package/src/tokens/semantic/light.css +64 -0
package/types/core/animations/index.d.ts +52 -0
package/types/core/api/index.d.ts +68 -0
package/types/core/events/index.d.ts +50 -0
package/types/core/offline/index.d.ts +68 -0
package/types/core/platform/index.d.ts +60 -0
package/types/core/router/index.d.ts +203 -0
package/types/core/security/index.d.ts +33 -0
package/types/core/state/index.d.ts +68 -0
package/types/core/storage/index.d.ts +40 -0
package/types/core/ui/index.d.ts +446 -0
package/types/core/workers/index.d.ts +221 -0
package/types/elements/index.d.ts +150 -0
package/types/index.d.ts +18 -0

package/src/core/security/crypto.js ADDED Viewed

@@ -0,0 +1,159 @@
+/**
+ * src/core/security/crypto.js
+ *
+ * Web Cryptography Facade.
+ * Offloads all cryptographic functions to standard async SubtleCrypto thread pools,
+ * generating fresh IVs for AES-GCM and enforcing robust key derivation iterations.
+ *
+ * Source: doc 15 — Security Architecture §3
+ */
+/**
+ * Returns a cryptographically secure random UUID string.
+ */
+export function uuid() {
+  return crypto.randomUUID();
+}
+/**
+ * Digests data into an ArrayBuffer hash using a specified algorithm.
+ */
+export async function hash(data, algo = 'SHA-256') {
+  const buf = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+  return crypto.subtle.digest(algo, buf);
+}
+/**
+ * Generates a non-extractable CryptoKey default.
+ */
+export async function generateKey(algo = 'AES-GCM', usages = ['encrypt', 'decrypt'], extractable = false) {
+  let param;
+  if (algo === 'AES-GCM') {
+    param = { name: 'AES-GCM', length: 256 };
+  } else if (algo === 'HMAC') {
+    param = { name: 'HMAC', hash: { name: 'SHA-256' } };
+  } else {
+    param = algo;
+  }
+  return crypto.subtle.generateKey(param, extractable, usages);
+}
+/**
+ * Derives an AES-GCM key from a password and salt using PBKDF2 with 600,000 iterations.
+ */
+export async function deriveKey(password, salt, iterations = 600000) {
+  const enc = new TextEncoder();
+  const passwordKey = await crypto.subtle.importKey(
+    'raw',
+    enc.encode(password),
+    'PBKDF2',
+    false,
+    ['deriveBits', 'deriveKey']
+  );
+  const saltBuf = typeof salt === 'string' ? enc.encode(salt) : salt;
+  return crypto.subtle.deriveKey(
+    {
+      name: 'PBKDF2',
+      salt: saltBuf,
+      iterations,
+      hash: 'SHA-256'
+    },
+    passwordKey,
+    { name: 'AES-GCM', length: 256 },
+    false, // non-extractable by default
+    ['encrypt', 'decrypt']
+  );
+}
+/**
+ * Encrypts data using AES-GCM with a fresh 12-byte IV, prepending it to the ciphertext.
+ */
+export async function encrypt(key, data) {
+  const buf = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv },
+    key,
+    buf
+  );
+  // Combine IV and Ciphertext for simple storage transit
+  const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(ciphertext), iv.length);
+  return combined.buffer;
+}
+/**
+ * Decrypts a combined IV-ciphertext payload.
+ */
+export async function decrypt(key, combinedData) {
+  const view = new Uint8Array(combinedData);
+  const iv = view.slice(0, 12);
+  const ciphertext = view.slice(12);
+  return crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv },
+    key,
+    ciphertext
+  );
+}
+function toBase64(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = '';
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary);
+}
+function fromBase64(b64) {
+  const binary = atob(b64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes.buffer;
+}
+/**
+ * String convenience over `encrypt`: encrypts text and returns a base64 string
+ * (IV + ciphertext) ready for storage or transit.
+ */
+export async function seal(key, text) {
+  const buffer = await encrypt(key, String(text));
+  return toBase64(buffer);
+}
+/**
+ * String convenience over `decrypt`: takes a base64 string produced by `seal`
+ * and returns the decoded plaintext string.
+ */
+export async function unseal(key, b64) {
+  const buffer = await decrypt(key, fromBase64(b64));
+  return new TextDecoder().decode(buffer);
+}
+/**
+ * Signs data using HMAC or ECDSA signatures.
+ */
+export async function sign(key, data) {
+  const buf = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+  const alg = key.algorithm.name === 'HMAC'
+    ? { name: 'HMAC' }
+    : { name: 'ECDSA', hash: { name: 'SHA-256' } };
+  return crypto.subtle.sign(alg, key, buf);
+}
+/**
+ * Verifies a signature using HMAC or ECDSA.
+ */
+export async function verify(key, signature, data) {
+  const buf = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+  const alg = key.algorithm.name === 'HMAC'
+    ? { name: 'HMAC' }
+    : { name: 'ECDSA', hash: { name: 'SHA-256' } };
+  return crypto.subtle.verify(alg, key, signature, buf);
+}

package/src/core/security/index.js ADDED Viewed

@@ -0,0 +1,49 @@
+/**
+ * src/core/security/index.js
+ *
+ * Public security entry point.
+ * Aggregates SubtleCrypto operations, HTML sanitizations, and Permissions API queries.
+ *
+ * Source: doc 15 — Security Architecture §1, §3
+ */
+import {
+  uuid,
+  hash,
+  generateKey,
+  deriveKey,
+  encrypt,
+  decrypt,
+  sign,
+  verify
+} from './crypto.js';
+import { sanitize } from './sanitize.js';
+import { query, watch } from './permissions.js';
+export const security = {
+  uuid,
+  hash,
+  generateKey,
+  deriveKey,
+  encrypt,
+  decrypt,
+  sign,
+  verify,
+  sanitize,
+  permission: query,
+  watchPermission: watch
+};
+export {
+  uuid,
+  hash,
+  generateKey,
+  deriveKey,
+  encrypt,
+  decrypt,
+  sign,
+  verify,
+  sanitize,
+  query as permission,
+  watch as watchPermission
+};

package/src/core/security/missing.md ADDED Viewed

@@ -0,0 +1,97 @@
+# Security Missing Support
+This document tracks remaining support, runtime gaps, type mismatches, and storage/offline synchronization improvements for `src/core/security`. Implemented behavior belongs in `usage.md`; unsupported, under-tested, or performance-gated behavior belongs here until it is built and verified.
+---
+## 0. Toolchain and Naming Rules
+Heavy compilation, static analysis, and code generation belong in `tools/`, not in browser runtime modules.
+Current toolchain security requirements:
+- Ensure strict CSP conformance checking at build time.
+- Validate that all HTML insertion sites (sinks) in templates are wrapped in `sanitize` or Trusted Types.
+Naming rules for security support:
+- Prefer one-word files: `crypto.js`, `sanitize.js`, `permissions.js`, `index.js`.
+- Plural folders: `tests/`, `types/`.
+- Single-word methods where possible: `uuid`, `hash`, `encrypt`, `decrypt`, `sign`, `verify`, `sanitize`, `permission`.
+---
+## 1. Critical Runtime and Type Gaps
+### 1.1. Missing Trusted Types Integration in Sanitizer
+- **Status**: Runtime gap.
+- **Files**:
+  - `src/core/security/sanitize.js`
+- **Problem**:
+  The `sanitize()` function returns a raw string. When a strict CSP enforces `require-trusted-types-for 'script'`, writing this string to DOM sinks like `innerHTML` throws a `TypeError`. The HTML sanitizer must yield a `TrustedHTML` object wrapped in a named policy (`core-sanitize`) rather than a plain string when Trusted Types are supported by the environment.
+- **Expected Support**:
+  - Create a named Trusted Types policy `core-sanitize` inside `sanitize.js`.
+  - Wrap the sanitized HTML string using the policy to return a `TrustedHTML` object (or fall back to a plain string if the browser does not support Trusted Types).
+  - Implement a `createScriptURL(input)` policy rule to restrict dynamic script source URLs to safe origins.
+---
+## 2. Storage & Offline Integration Gaps
+### 2.1. Direct crypto.randomUUID() Usage in Storage and Offline
+- **Status**: Consistency & synchronization gap.
+- **Files**:
+  - `src/core/offline/clock.js`
+  - `src/core/offline/queue.js`
+  - `src/core/storage/opfs.js`
+- **Problem**:
+  Multiple components call the browser's global `crypto.randomUUID()` directly instead of importing and consuming the centralized `uuid()` utility exported by `core/security`. This prevents unified mocking/stubbing of UUID generation during unit testing and breaks consistency.
+- **Expected Support**:
+  - Refactor `clock.js` to import and use `uuid` from `core/security`.
+  - Refactor `queue.js` to import and use `uuid` from `core/security`.
+  - Refactor `storage/opfs.js` to import and use `uuid` from `core/security`.
+### 2.2. Transparent Storage Encryption Interface
+- **Status**: Feature gap.
+- **Files**:
+  - `src/core/storage/index.js`
+  - `src/core/security/crypto.js`
+- **Problem**:
+  Sensitive keys or offline sync payloads stored in IndexedDB or OPFS are written as raw plaintext. A secure offline synchronization layer requires a way to transparently encrypt and decrypt values before they cross the storage boundary.
+- **Expected Support**:
+  - Expose helper utilities in `crypto.js` to securely encrypt and decrypt objects using derived AES-GCM keys.
+---
+## 3. Test Coverage Gaps
+### 3.1. Missing Permissions Watcher Testing
+- **Status**: Test gap.
+- **Files**:
+  - `tests/core/security/permissions.test.js` [NEW]
+- **Needed Coverage**:
+  - Verify that `permission()` queries return states like `'granted'`, `'denied'`, or `'prompt'`.
+  - Verify that `watchPermission()` registers a listener on permission changes, respects AbortSignal abort triggers, and cleans up event listeners correctly.
+### 3.2. Missing Signature Verification Testing
+- **Status**: Test gap.
+- **Files**:
+  - `tests/core/security/crypto.test.js`
+- **Needed Coverage**:
+  - Test HMAC and ECDSA key generation, message signing, and signature verification via `sign()` and `verify()`.
+---
+## 4. Suggested Implementation Order
+1. Implement the `core-sanitize` Trusted Types policy inside `src/core/security/sanitize.js`.
+2. Refactor direct `crypto.randomUUID()` calls in `clock.js`, `queue.js`, and `storage/opfs.js` to use `uuid` from `core/security`.
+3. Add permission query/watcher tests in a new file `tests/core/security/permissions.test.js`.
+4. Add sign/verify tests in `tests/core/security/crypto.test.js`.
+---
+## 5. Done Criteria
+This missing-support list is complete when:
+- `sanitize()` returns a `TrustedHTML` object (when supported).
+- Direct `crypto.randomUUID()` calls are replaced with `uuid()` imports.
+- Permission query/watching and cryptographically signing/verifying features are fully tested.

package/src/core/security/permissions.js ADDED Viewed

@@ -0,0 +1,64 @@
+/**
+ * src/core/security/permissions.js
+ *
+ * Permissions API Facade.
+ * Queries, requests, and watches native browser permission changes,
+ * implementing AbortSignal-gated status change listeners.
+ *
+ * Source: doc 15 — Security Architecture §5
+ */
+/**
+ * Queries the browser permission status for a given capability name.
+ */
+export async function query(permissionName) {
+  if (typeof navigator !== 'undefined' && navigator.permissions?.query) {
+    try {
+      // Standard descriptor format (some APIs may require additional fields, handled by consumer)
+      const status = await navigator.permissions.query({ name: permissionName });
+      return status.state; // 'granted' | 'denied' | 'prompt'
+    } catch {
+      return 'denied';
+    }
+  }
+  return 'denied';
+}
+/**
+ * Subscribes to changes in a specific permission status.
+ */
+export function watch(permissionName, fn, signal) {
+  if (signal?.aborted) return () => {};
+  let activeStatus = null;
+  const listener = () => {
+    if (activeStatus) {
+      fn(activeStatus.state);
+    }
+  };
+  const dispose = () => {
+    if (activeStatus) {
+      activeStatus.removeEventListener('change', listener);
+    }
+  };
+  if (typeof navigator !== 'undefined' && navigator.permissions?.query) {
+    navigator.permissions
+      .query({ name: permissionName })
+      .then((status) => {
+        if (signal?.aborted) return;
+        activeStatus = status;
+        activeStatus.addEventListener('change', listener);
+      })
+      .catch((err) => {
+        console.warn(`Unable to query permissions watch for "${permissionName}":`, err);
+      });
+  }
+  if (signal) {
+    signal.addEventListener('abort', dispose);
+  }
+  return dispose;
+}

package/src/core/security/sanitize.js ADDED Viewed

@@ -0,0 +1,100 @@
+/**
+ * src/core/security/sanitize.js
+ *
+ * HTML Sanitizer wrapper.
+ * Transparently targets browser Sanitizer APIs if available, falling back to a
+ * high-performance DOMParser-based secure sanitization tree that strips unapproved
+ * elements, JavaScript links, and dynamic scripting attributes.
+ *
+ * Source: doc 15 — Security Architecture §2, §4
+ */
+const ALLOWED_TAGS = new Set([
+  'a', 'abbr', 'b', 'bdi', 'bdo', 'blockquote', 'br', 'caption', 'cite', 'code',
+  'col', 'colgroup', 'data', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'figcaption',
+  'figure', 'footer', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'header', 'hr', 'i', 'img',
+  'ins', 'kbd', 'li', 'mark', 'ol', 'p', 'pre', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
+  'section', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot',
+  'th', 'thead', 'time', 'tr', 'u', 'ul', 'var', 'wbr'
+]);
+const ALLOWED_ATTRS = new Set([
+  'href', 'title', 'src', 'alt', 'width', 'height', 'class', 'id', 'target', 'rel', 'style'
+]);
+let policy = null;
+if (typeof window !== 'undefined' && window.trustedTypes) {
+  try {
+    policy = window.trustedTypes.createPolicy('core-sanitize', {
+      createHTML: (html) => html
+    });
+  } catch (err) {
+    console.warn('Trusted Types policy "core-sanitize" registration failed or already registered:', err);
+  }
+}
+/**
+ * Sanitizes an HTML string to mitigate XSS vulnerabilities.
+ */
+export function sanitize(html, config = {}) {
+  if (typeof window === 'undefined') return html;
+  let sanitized = html;
+  // Use experimental browser-native Sanitizer if supported
+  if (typeof globalThis.Sanitizer !== 'undefined') {
+    const sanitizer = new globalThis.Sanitizer(config);
+    const div = document.createElement('div');
+    div.setHTML(html, { sanitizer });
+    sanitized = div.innerHTML;
+  } else {
+    // Resilient fallback utilizing native Document.parseHTMLUnsafe or DOMParser
+    let doc;
+    if (typeof Document !== 'undefined' && typeof Document.parseHTMLUnsafe === 'function') {
+      doc = Document.parseHTMLUnsafe(html);
+    } else {
+      const parser = new DOMParser();
+      doc = parser.parseFromString(html, 'text/html');
+    }
+    const filter = (node) => {
+      if (node.nodeType === Node.TEXT_NODE) return;
+      if (node.nodeType === Node.ELEMENT_NODE) {
+        const tag = node.tagName.toLowerCase();
+        if (!ALLOWED_TAGS.has(tag)) {
+          node.replaceWith(document.createTextNode(''));
+          return;
+        }
+        // Purge dynamic or script attributes
+        for (const attr of [...node.attributes]) {
+          const name = attr.name.toLowerCase();
+          const value = attr.value.trim().toLowerCase();
+          // Evict unapproved attributes or javascript: scheme injection vectors
+          if (
+            !ALLOWED_ATTRS.has(name) ||
+            name.startsWith('on') ||
+            (name === 'href' && value.startsWith('javascript:'))
+          ) {
+            node.removeAttribute(attr.name);
+          }
+        }
+        // Recursively filter descendants
+        for (const child of [...node.childNodes]) {
+          filter(child);
+        }
+      }
+    };
+    for (const child of [...doc.body.childNodes]) {
+      filter(child);
+    }
+    sanitized = doc.body.innerHTML;
+  }
+  return policy ? policy.createHTML(sanitized) : sanitized;
+}