@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/lib/guard-template.js

@@ -0,0 +1,490 @@
+"use strict";
+/**
+ * @module b.guardTemplate
+ * @nav    Guards
+ * @title  Guard Template
+ *
+ * @intro
+ *   Server-Side Template Injection (SSTI) content-safety guard —
+ *   refuses user-supplied strings that contain template-engine
+ *   syntax BEFORE they're rendered. Template-injection vulnerable
+ *   surfaces escape sandboxes through engine helpers (`render`,
+ *   `lookup`, `with`, `attr_filter`); the safe shape is "logic-less
+ *   templates only, untrusted strings are data not code". This
+ *   primitive enforces that boundary by refusing engine syntax in
+ *   any operator-untrusted input. Pair with logic-less Mustache
+ *   helpers, Handlebars `noEscape: false`, and Liquid's strict-
+ *   variables mode so the framework's defense-in-depth holds even
+ *   when an operator forgets to escape. KIND=`identifier`; the
+ *   gate consumes `ctx.identifier` (or `ctx.text`) and refuses on
+ *   hostile shapes.
+ *
+ *   Threat catalog (engine-shape detection): Jinja2 / Django / Twig
+ *   / Liquid / Handlebars / Mustache / AngularJS — `{{...}}`
+ *   expressions and `{%...%}` statements (CVE-2024-22195 Jinja
+ *   `xml_attr_filter`, CVE-2024-26139 Bottle, CVE-2024-23348
+ *   Pyrogram); ERB / Tornado — `<%...%>` and `<%=...%>`; Pug —
+ *   `#{...}` interpolation and `!{...}` raw-HTML interpolation
+ *   (prototype-pollution exit when the model is operator-fed);
+ *   Mako / Velocity / Tornado / JS template-literal — `${...}`
+ *   interpolation; Velocity directives (`#set`, `#if`, `#foreach`,
+ *   `#parse`, `#include`); BIDI / null / C0 control / zero-width
+ *   universal refuse.
+ *
+ *   Profiles: `strict` / `balanced` / `permissive`. Compliance
+ *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
+ *   select via `{ profile: "strict" }` or
+ *   `{ compliance: "hipaa" }`; postures overlay on top of the
+ *   profile baseline. Jinja / ERB / Pug shape rejection holds at
+ *   every profile — the SSTI class is never an operator opt-in.
+ *
+ *   Template input cannot be repaired safely (stripping `{{` from
+ *   `{{name}}` produces a different document); `sanitize` either
+ *   passes through clean input or throws `GuardTemplateError`; the
+ *   gate returns `serve` / `audit-only` / `refuse` (no `sanitize`
+ *   action). The `${...}` and Velocity-directive policies default
+ *   to `audit` outside `strict` because they overlap with legitimate
+ *   JS / shell substrings, so operators tune via overrides.
+ *
+ * @card
+ *   Server-Side Template Injection (SSTI) content-safety guard — refuses user-supplied strings that contain template-engine syntax BEFORE they're rendered.
+ */
+
+var codepointClass = require("./codepoint-class");
+var lazyRequire = require("./lazy-require");
+var gateContract = require("./gate-contract");
+var C = require("./constants");
+var numericBounds = require("./numeric-bounds");
+var { GuardTemplateError } = require("./framework-error");
+
+var observability = lazyRequire(function () { return require("./observability"); });
+void observability;
+
+var _err = GuardTemplateError.factory;
+
+// Engine-shape detectors.
+var JINJA_EXPR_RE   = /\{\{[\s\S]*?\}\}/;
+var JINJA_STMT_RE   = /\{%[\s\S]*?%\}/;
+var ERB_EXPR_RE     = /<%[\s\S]*?%>/;
+var PUG_INTERP_RE   = /[#!]\{[\s\S]*?\}/;
+var DOLLAR_BRACE_RE = /\$\{[\s\S]*?\}/;
+var VELOCITY_DIR_RE = /#(?:set|if|else|elseif|end|foreach|parse|include|stop)\b/i;
+
+// ---- Profile presets ----
+
+var PROFILES = Object.freeze({
+  "strict": {
+    bidiPolicy:               "reject",
+    controlPolicy:             "reject",
+    nullBytePolicy:            "reject",
+    zeroWidthPolicy:           "reject",
+    jinjaPolicy:               "reject",
+    erbPolicy:                 "reject",
+    pugPolicy:                 "reject",
+    dollarBracePolicy:         "reject",
+    velocityDirectivePolicy:   "reject",
+    maxBytes:                  C.BYTES.kib(64),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+  "balanced": {
+    bidiPolicy:               "reject",
+    controlPolicy:             "reject",
+    nullBytePolicy:            "reject",
+    zeroWidthPolicy:           "reject",
+    jinjaPolicy:               "reject",                                          // SSTI class — refused at every profile
+    erbPolicy:                 "reject",
+    pugPolicy:                 "reject",
+    dollarBracePolicy:         "audit",                                           // ${...} can also be JS template literal — audit
+    velocityDirectivePolicy:   "reject",
+    maxBytes:                  C.BYTES.kib(128),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+  "permissive": {
+    bidiPolicy:               "reject",                                          // BIDI refused at every profile
+    controlPolicy:             "reject",                                          // controls refused at every profile
+    nullBytePolicy:            "reject",                                          // null refused at every profile
+    zeroWidthPolicy:           "reject",                                          // zero-width refused at every profile
+    jinjaPolicy:               "reject",                                          // SSTI class refused at every profile
+    erbPolicy:                 "reject",                                          // SSTI class refused at every profile
+    pugPolicy:                 "reject",                                          // SSTI class refused at every profile
+    dollarBracePolicy:         "audit",
+    velocityDirectivePolicy:   "audit",
+    maxBytes:                  C.BYTES.kib(512),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+});
+
+var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
+  mode: "enforce",
+}));
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  "hipaa":   Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(512),
+  }),
+  "pci-dss": Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(512),
+  }),
+  "gdpr":    Object.assign({}, PROFILES["balanced"], {
+    forensicSnippetBytes: C.BYTES.bytes(256),
+  }),
+  "soc2":    Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(1024),
+  }),
+});
+
+function _resolveOpts(opts) {
+  return gateContract.resolveProfileAndPosture(opts, {
+    profiles:           PROFILES,
+    compliancePostures: COMPLIANCE_POSTURES,
+    defaults:           DEFAULTS,
+    errorClass:         GuardTemplateError,
+    errCodePrefix:      "template",
+  });
+}
+
+function _detectIssues(input, opts) {
+  var issues = [];
+  if (typeof input !== "string") {
+    return [{ kind: "bad-input", severity: "high",
+              ruleId: "template.bad-input",
+              snippet: "template input is not a string" }];
+  }
+  if (input.length === 0) return [];
+  if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
+    return [{ kind: "input-cap", severity: "high",
+              ruleId: "template.input-cap",
+              snippet: "template input exceeds maxBytes " + opts.maxBytes }];
+  }
+
+  var charThreats = codepointClass.detectCharThreats(input, opts, "template");
+  for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
+
+  if (opts.jinjaPolicy !== "allow") {
+    if (JINJA_EXPR_RE.test(input)) {                                             // allow:regex-no-length-cap — input bounded by maxBytes
+      issues.push({
+        kind: "jinja-expression", severity: "high",
+        ruleId: "template.jinja-expression",
+        snippet: "input contains `{{...}}` template-engine expression " +
+                 "syntax — Jinja / Django / Twig / Liquid / Handlebars / " +
+                 "AngularJS SSTI shape (CVE-2024-22195 / 26139 / 23348 " +
+                 "class)",
+      });
+    }
+    if (JINJA_STMT_RE.test(input)) {                                             // allow:regex-no-length-cap — input bounded by maxBytes
+      issues.push({
+        kind: "jinja-statement", severity: "high",
+        ruleId: "template.jinja-statement",
+        snippet: "input contains `{%...%}` template-engine statement " +
+                 "syntax — SSTI shape",
+      });
+    }
+  }
+  if (opts.erbPolicy !== "allow" && ERB_EXPR_RE.test(input)) {                   // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "erb-expression", severity: "high",
+      ruleId: "template.erb-expression",
+      snippet: "input contains `<%...%>` template-engine expression " +
+               "syntax — ERB / Tornado SSTI shape",
+    });
+  }
+  if (opts.pugPolicy !== "allow" && PUG_INTERP_RE.test(input)) {                 // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "pug-interpolation", severity: "high",
+      ruleId: "template.pug-interpolation",
+      snippet: "input contains `#{...}` or `!{...}` template-engine " +
+               "interpolation — Pug SSTI shape",
+    });
+  }
+  if (opts.dollarBracePolicy !== "allow" && DOLLAR_BRACE_RE.test(input)) {       // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "dollar-brace",
+      severity: opts.dollarBracePolicy === "reject" ? "high" : "warn",
+      ruleId: "template.dollar-brace",
+      snippet: "input contains `${...}` interpolation — Mako / " +
+               "Velocity / Tornado / JS template-literal SSTI shape",
+    });
+  }
+  if (opts.velocityDirectivePolicy !== "allow" &&
+      VELOCITY_DIR_RE.test(input)) {                                             // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "velocity-directive",
+      severity: opts.velocityDirectivePolicy === "reject" ? "high" : "warn",
+      ruleId: "template.velocity-directive",
+      snippet: "input contains Velocity directive (`#set` / `#if` / " +
+               "`#foreach` / etc.) — SSTI shape",
+    });
+  }
+
+  return issues;
+}
+
+/**
+ * @primitive  b.guardTemplate.validate
+ * @signature  b.guardTemplate.validate(input, opts)
+ * @since      0.7.13
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.guardTemplate.gate, b.guardTemplate.sanitize
+ *
+ * Inspect a user-supplied template-rendering input and return an
+ * aggregated issue list. Pure inspection — never throws on
+ * hostile input; caller decides what to do with the issues. The
+ * `ok` flag is `true` only when zero `critical` / `high` issues
+ * fire. Throws `GuardTemplateError("template.bad-opt")` when a
+ * numeric opt is non-finite / negative (config-time mistake by
+ * the operator).
+ *
+ * @opts
+ *   profile:                 "strict"|"balanced"|"permissive",
+ *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   bidiPolicy:              "reject"|"audit"|"allow",
+ *   controlPolicy:           "reject"|"audit"|"allow",
+ *   nullBytePolicy:          "reject"|"audit"|"allow",
+ *   zeroWidthPolicy:         "reject"|"strip"|"audit"|"allow",
+ *   jinjaPolicy:             "reject"|"audit"|"allow",
+ *   erbPolicy:               "reject"|"audit"|"allow",
+ *   pugPolicy:               "reject"|"audit"|"allow",
+ *   dollarBracePolicy:       "reject"|"audit"|"allow",
+ *   velocityDirectivePolicy: "reject"|"audit"|"allow",
+ *   maxBytes:                number,
+ *   maxRuntimeMs:            number,
+ *
+ * @example
+ *   var clean = b.guardTemplate.validate("Hello world", { profile: "strict" });
+ *   clean.ok;                                          // → true
+ *
+ *   var hostile = b.guardTemplate.validate("Hello {{7*7}}", { profile: "strict" });
+ *   hostile.ok;                                        // → false
+ *   hostile.issues.some(function (i) { return i.kind === "jinja-expression"; });  // → true
+ */
+function validate(input, opts) {
+  opts = _resolveOpts(opts);
+  numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
+    ["maxBytes"],
+    "guardTemplate.validate", GuardTemplateError, "template.bad-opt");
+  return gateContract.aggregateIssues(_detectIssues(input, opts));
+}
+
+/**
+ * @primitive  b.guardTemplate.sanitize
+ * @signature  b.guardTemplate.sanitize(input, opts)
+ * @since      0.7.13
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.guardTemplate.validate, b.guardTemplate.gate
+ *
+ * Pass-through-or-throw. Template-input strings cannot be safely
+ * repaired (stripping `{{` from `{{name}}` produces a different
+ * document and silently changes operator intent); this primitive
+ * returns the input unchanged when no `critical` or `high` issue
+ * fires, otherwise throws `GuardTemplateError` with the offending
+ * rule id (e.g. `template.jinja-expression`,
+ * `template.erb-expression`, `template.pug-interpolation`,
+ * `template.velocity-directive`). Operators that need a "best-
+ * effort cleanup" semantic should pre-escape the input through
+ * the rendering engine's own escape helper instead.
+ *
+ * @opts
+ *   profile:                 "strict"|"balanced"|"permissive",
+ *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   jinjaPolicy:             "reject"|"audit"|"allow",
+ *   erbPolicy:               "reject"|"audit"|"allow",
+ *   pugPolicy:               "reject"|"audit"|"allow",
+ *   dollarBracePolicy:       "reject"|"audit"|"allow",
+ *   velocityDirectivePolicy: "reject"|"audit"|"allow",
+ *   maxBytes:                number,
+ *
+ * @example
+ *   var safe = b.guardTemplate.sanitize("Hello world", { profile: "strict" });
+ *   safe;                                              // → "Hello world"
+ *
+ *   try {
+ *     b.guardTemplate.sanitize("Hello {{7*7}}", { profile: "strict" });
+ *   } catch (e) {
+ *     e.code;                                          // → "template.jinja-expression"
+ *   }
+ */
+function sanitize(input, opts) {
+  opts = _resolveOpts(opts);
+  if (typeof input !== "string") {
+    throw _err("template.bad-input", "sanitize requires string input");
+  }
+  var issues = _detectIssues(input, opts);
+  for (var i = 0; i < issues.length; i += 1) {
+    if (issues[i].severity === "critical" || issues[i].severity === "high") {
+      throw _err(issues[i].ruleId || "template.refused",
+        "guardTemplate.sanitize: " + issues[i].snippet);
+    }
+  }
+  return input;
+}
+
+/**
+ * @primitive  b.guardTemplate.gate
+ * @signature  b.guardTemplate.gate(opts)
+ * @since      0.7.13
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.guardTemplate.validate, b.guardTemplate.sanitize
+ *
+ * Build a `b.gateContract` gate that screens `ctx.identifier` (or
+ * `ctx.text`) before any template engine renders the input.
+ * Action chain: `serve` (no issues) → `audit-only` (warn-only) →
+ * `refuse` (any `critical` or `high`). No `sanitize` action —
+ * template input cannot be repaired. Compose into form handlers /
+ * comment renderers / model fields fed to Mustache / Handlebars /
+ * Liquid so operator-untrusted strings never reach the rendering
+ * engine carrying engine syntax.
+ *
+ * @opts
+ *   profile:                 "strict"|"balanced"|"permissive",
+ *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   name:                    string,    // override gate name in audit emissions
+ *   jinjaPolicy:             "reject"|"audit"|"allow",
+ *   erbPolicy:               "reject"|"audit"|"allow",
+ *   pugPolicy:               "reject"|"audit"|"allow",
+ *   dollarBracePolicy:       "reject"|"audit"|"allow",
+ *   velocityDirectivePolicy: "reject"|"audit"|"allow",
+ *   maxBytes:                number,
+ *
+ * @example
+ *   var gate = b.guardTemplate.gate({ profile: "strict" });
+ *
+ *   gate({ identifier: "Hello {{7*7}}" }).then(function (rv) {
+ *     rv.ok;                                           // → false
+ *     rv.action;                                       // → "refuse"
+ *   });
+ *
+ *   gate({ identifier: "Hello world" }).then(function (rv) {
+ *     rv.action;                                       // → "serve"
+ *   });
+ */
+function gate(opts) {
+  opts = _resolveOpts(opts);
+  return gateContract.buildGuardGate(
+    opts.name || "guardTemplate:" + (opts.profile || "default"),
+    opts,
+    async function (ctx) {
+      var text = ctx && (ctx.identifier || ctx.text);
+      if (text === undefined || text === null) {
+        return { ok: true, action: "serve" };
+      }
+      var rv = validate(text, opts);
+      if (rv.issues.length === 0) return { ok: true, action: "serve" };
+      var hasCritical = rv.issues.some(function (i) {
+        return i.severity === "critical";
+      });
+      var hasHigh = rv.issues.some(function (i) {
+        return i.severity === "high";
+      });
+      if (!hasCritical && !hasHigh) {
+        return { ok: true, action: "audit-only", issues: rv.issues };
+      }
+      return { ok: false, action: "refuse", issues: rv.issues };
+    });
+}
+
+/**
+ * @primitive  b.guardTemplate.buildProfile
+ * @signature  b.guardTemplate.buildProfile(opts)
+ * @since      0.7.13
+ * @status     stable
+ * @related    b.guardTemplate.gate, b.guardTemplate.compliancePosture
+ *
+ * Compose a derived guardTemplate profile from one or more named
+ * bases plus inline overrides. `opts.extends` is a profile name
+ * (`"strict"` / `"balanced"` / `"permissive"`) or an array of
+ * names; later entries shadow earlier ones. Inline `opts` keys win
+ * last. Used to keep operator-defined profiles traceable to a
+ * baseline rather than re-typing every key.
+ *
+ * @opts
+ *   extends: string|string[],   // base profile name(s) to compose
+ *   ...:     any guardTemplate key, // inline override of resolved keys
+ *
+ * @example
+ *   var custom = b.guardTemplate.buildProfile({
+ *     extends: "balanced",
+ *     dollarBracePolicy: "reject",
+ *   });
+ *   custom.dollarBracePolicy;                          // → "reject"
+ *   custom.jinjaPolicy;                                // → "reject"
+ */
+var buildProfile = gateContract.makeProfileBuilder(PROFILES);
+
+/**
+ * @primitive  b.guardTemplate.compliancePosture
+ * @signature  b.guardTemplate.compliancePosture(name)
+ * @since      0.7.13
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.guardTemplate.gate, b.guardTemplate.buildProfile
+ *
+ * Look up a compliance-posture overlay by name (`"hipaa"` /
+ * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
+ * the posture object — the caller may mutate freely. Throws
+ * `GuardTemplateError("template.bad-posture")` on unknown name.
+ *
+ * @example
+ *   var posture = b.guardTemplate.compliancePosture("hipaa");
+ *   posture.jinjaPolicy;                               // → "reject"
+ *   posture.forensicSnippetBytes;                      // → 512
+ */
+function compliancePosture(name) {
+  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
+    _err, "template");
+}
+
+var _tplRulePacks = gateContract.makeRulePackLoader(GuardTemplateError, "template");
+/**
+ * @primitive  b.guardTemplate.loadRulePack
+ * @signature  b.guardTemplate.loadRulePack(pack)
+ * @since      0.7.13
+ * @status     stable
+ * @related    b.guardTemplate.gate
+ *
+ * Register an operator-supplied rule pack with the guardTemplate
+ * registry. The pack is identified by `pack.id` (non-empty string)
+ * and stored for later inspection / dispatch by gates that opt in
+ * via `opts.rulePackId`. Returns the pack object unchanged on
+ * success; throws `GuardTemplateError("template.bad-opt")` when
+ * `pack` is missing or `pack.id` is not a non-empty string.
+ *
+ * @example
+ *   var pack = b.guardTemplate.loadRulePack({
+ *     id: "no-prototype-keys",
+ *     rules: [
+ *       { id: "proto-key", severity: "critical",
+ *         detect: function (text) { return /__proto__|constructor/.test(text); },
+ *         reason: "input references prototype-pollution sink" },
+ *     ],
+ *   });
+ *   pack.id;                                           // → "no-prototype-keys"
+ */
+var loadRulePack = _tplRulePacks.load;
+
+module.exports = {
+  // ---- guard-* family registry exports ----
+  NAME:                "template",
+  KIND:                "identifier",
+  INTEGRATION_FIXTURES: Object.freeze({
+    kind:              "identifier",
+    benignBytes:       Buffer.from("Hello world", "utf8"),
+    hostileBytes:      Buffer.from("Hello {{7*7}}", "utf8"),
+    benignIdentifier:  "Hello world",
+    // Hostile: Jinja-shape SSTI probe.
+    hostileIdentifier: "Hello {{7*7}}",
+  }),
+  // ---- primitive surface ----
+  validate:             validate,
+  sanitize:             sanitize,
+  gate:                 gate,
+  buildProfile:         buildProfile,
+  compliancePosture:    compliancePosture,
+  loadRulePack:         loadRulePack,
+  PROFILES:             PROFILES,
+  DEFAULTS:             DEFAULTS,
+  COMPLIANCE_POSTURES:  COMPLIANCE_POSTURES,
+  GuardTemplateError:   GuardTemplateError,
+};

package/lib/vendor/blamejs/lib/guard-tenant-id.js

@@ -0,0 +1,138 @@
+"use strict";
+/**
+ * @module     b.guardTenantId
+ * @nav        Guards
+ * @title      Guard Tenant Id
+ * @order      440
+ *
+ * @intro
+ *   Tenant-id shape validator. Tenant ids surface in audit log lines,
+ *   sealed registry rows, derived-key context labels, and routing
+ *   keys — they have to be ASCII-greppable across the whole framework
+ *   stack. Refuses:
+ *
+ *     - non-ASCII (NFC + ASCII-only)
+ *     - path-traversal shapes (`..` / `/` / `\` / NUL / C0 / DEL)
+ *     - oversized (default 64 bytes)
+ *     - reserved `ROOT` / `FRAMEWORK` / `*` / empty
+ *     - leading `.` (hidden-folder shape)
+ *
+ * @card
+ *   Validates tenant-id strings. ASCII-only, bounded, no path-
+ *   traversal, no reserved names.
+ */
+
+var { defineClass } = require("./framework-error");
+
+var GuardTenantIdError = defineClass("GuardTenantIdError", { alwaysPermanent: true });
+
+var DEFAULT_PROFILE = "strict";
+
+var PROFILES = Object.freeze({
+  strict:     { maxBytes: 64  },                                                                      // allow:raw-byte-literal
+  balanced:   { maxBytes: 128 },                                                                      // allow:raw-byte-literal
+  permissive: { maxBytes: 512 },                                                                      // allow:raw-byte-literal
+});
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  hipaa:     "strict",
+  "pci-dss": "strict",
+  gdpr:      "strict",
+  soc2:      "strict",
+});
+
+var RESERVED = Object.freeze({ "ROOT": true, "FRAMEWORK": true, "*": true });
+
+/**
+ * @primitive b.guardTenantId.validate
+ * @signature b.guardTenantId.validate(tenantId, opts?)
+ * @since     0.9.26
+ * @status    stable
+ * @related   b.agent.tenant.create
+ *
+ * Validate a tenant-id string. Returns the id on success; throws
+ * `GuardTenantIdError` on refusal.
+ *
+ * @opts
+ *   profile:   "strict" | "balanced" | "permissive",
+ *   posture:   "hipaa" | "pci-dss" | "gdpr" | "soc2",
+ *
+ * @example
+ *   b.guardTenantId.validate("acme-clinic");
+ */
+function validate(tenantId, opts) {
+  opts = opts || {};
+  var profile = PROFILES[_resolveProfile(opts)];
+  if (typeof tenantId !== "string" || tenantId.length === 0) {
+    throw new GuardTenantIdError("tenant-id/bad-input",
+      "guardTenantId.validate: tenantId must be a non-empty string");
+  }
+  if (Buffer.byteLength(tenantId, "utf8") > profile.maxBytes) {
+    throw new GuardTenantIdError("tenant-id/oversize",
+      "guardTenantId.validate: tenantId exceeds maxBytes=" + profile.maxBytes);
+  }
+  if (RESERVED[tenantId]) {
+    throw new GuardTenantIdError("tenant-id/reserved",
+      "guardTenantId.validate: tenantId '" + tenantId + "' is framework-reserved");
+  }
+  if (tenantId.charAt(0) === ".") {
+    throw new GuardTenantIdError("tenant-id/hidden",
+      "guardTenantId.validate: tenantId cannot start with '.'");
+  }
+  if (tenantId.indexOf("..") >= 0) {
+    throw new GuardTenantIdError("tenant-id/path-traversal",
+      "guardTenantId.validate: tenantId contains '..'");
+  }
+  for (var i = 0; i < tenantId.length; i += 1) {
+    var c = tenantId.charCodeAt(i);
+    if (c > 0x7F) {                                                                                   // allow:raw-byte-literal — ASCII-only cap
+      throw new GuardTenantIdError("tenant-id/non-ascii",
+        "guardTenantId.validate: non-ASCII codepoint at offset " + i);
+    }
+    if (c < 0x20 || c === 0x7F || c === 0x2F || c === 0x5C) {                                         // allow:raw-byte-literal — C0/DEL/slash/backslash
+      throw new GuardTenantIdError("tenant-id/bad-char",
+        "guardTenantId.validate: forbidden char 0x" + c.toString(16) + " at offset " + i);
+    }
+  }
+  return tenantId;
+}
+
+/**
+ * @primitive b.guardTenantId.compliancePosture
+ * @signature b.guardTenantId.compliancePosture(posture)
+ * @since     0.9.26
+ * @status    stable
+ *
+ * Return the effective profile for a given compliance posture name.
+ * Returns `null` for unknown posture names so operator typos surface
+ * here instead of silently falling through to the default profile.
+ *
+ * @example
+ *   b.guardTenantId.compliancePosture("hipaa");   // → "strict"
+ */
+function compliancePosture(posture) {
+  return COMPLIANCE_POSTURES[posture] || null;
+}
+
+function _resolveProfile(opts) {
+  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
+    return COMPLIANCE_POSTURES[opts.posture];
+  }
+  var p = opts.profile || DEFAULT_PROFILE;
+  if (!PROFILES[p]) {
+    throw new GuardTenantIdError("tenant-id/bad-profile",
+      "guardTenantId: unknown profile '" + p + "'");
+  }
+  return p;
+}
+
+module.exports = {
+  validate:               validate,
+  compliancePosture:      compliancePosture,
+  PROFILES:               PROFILES,
+  COMPLIANCE_POSTURES:    COMPLIANCE_POSTURES,
+  RESERVED:               RESERVED,
+  GuardTenantIdError:     GuardTenantIdError,
+  NAME:                   "tenantId",
+  KIND:                   "tenant-id",
+};