@blamejs/blamejs-shop 0.2.12 → 0.2.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (54) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +3 -3
  3. package/lib/storefront.js +1 -1
  4. package/lib/vendor/MANIFEST.json +2 -2
  5. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +71 -23
  6. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +2 -0
  7. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +2 -0
  8. package/lib/vendor/blamejs/.github/workflows/ci.yml +17 -0
  9. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +18 -10
  10. package/lib/vendor/blamejs/.github/workflows/release-container.yml +29 -16
  11. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +22 -3
  12. package/lib/vendor/blamejs/.github/zizmor.yml +29 -0
  13. package/lib/vendor/blamejs/.pinact.yaml +24 -8
  14. package/lib/vendor/blamejs/CHANGELOG.md +4 -0
  15. package/lib/vendor/blamejs/api-snapshot.json +2 -2
  16. package/lib/vendor/blamejs/lib/archive-wrap.js +1 -1
  17. package/lib/vendor/blamejs/lib/auth/jwt.js +7 -4
  18. package/lib/vendor/blamejs/lib/auth/saml.js +2 -2
  19. package/lib/vendor/blamejs/lib/cose.js +1 -1
  20. package/lib/vendor/blamejs/lib/did.js +1 -1
  21. package/lib/vendor/blamejs/lib/guard-archive.js +2 -2
  22. package/lib/vendor/blamejs/lib/guard-auth.js +5 -5
  23. package/lib/vendor/blamejs/lib/guard-cidr.js +4 -4
  24. package/lib/vendor/blamejs/lib/guard-csv.js +6 -6
  25. package/lib/vendor/blamejs/lib/guard-domain.js +4 -4
  26. package/lib/vendor/blamejs/lib/guard-email.js +6 -5
  27. package/lib/vendor/blamejs/lib/guard-filename.js +4 -4
  28. package/lib/vendor/blamejs/lib/guard-graphql.js +5 -5
  29. package/lib/vendor/blamejs/lib/guard-html.js +2 -2
  30. package/lib/vendor/blamejs/lib/guard-image.js +1 -1
  31. package/lib/vendor/blamejs/lib/guard-json.js +5 -5
  32. package/lib/vendor/blamejs/lib/guard-jsonpath.js +4 -4
  33. package/lib/vendor/blamejs/lib/guard-jwt.js +5 -5
  34. package/lib/vendor/blamejs/lib/guard-markdown.js +6 -6
  35. package/lib/vendor/blamejs/lib/guard-mime.js +6 -6
  36. package/lib/vendor/blamejs/lib/guard-oauth.js +5 -5
  37. package/lib/vendor/blamejs/lib/guard-pdf.js +1 -1
  38. package/lib/vendor/blamejs/lib/guard-regex.js +4 -4
  39. package/lib/vendor/blamejs/lib/guard-shell.js +4 -4
  40. package/lib/vendor/blamejs/lib/guard-svg.js +5 -5
  41. package/lib/vendor/blamejs/lib/guard-template.js +4 -4
  42. package/lib/vendor/blamejs/lib/guard-time.js +6 -6
  43. package/lib/vendor/blamejs/lib/guard-uuid.js +6 -6
  44. package/lib/vendor/blamejs/lib/guard-xml.js +4 -4
  45. package/lib/vendor/blamejs/lib/guard-yaml.js +5 -5
  46. package/lib/vendor/blamejs/lib/link-header.js +3 -2
  47. package/lib/vendor/blamejs/lib/mail-agent.js +4 -2
  48. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +2 -2
  49. package/lib/vendor/blamejs/lib/tsa.js +2 -1
  50. package/lib/vendor/blamejs/package.json +1 -1
  51. package/lib/vendor/blamejs/release-notes/v0.13.23.json +42 -0
  52. package/lib/vendor/blamejs/release-notes/v0.13.24.json +26 -0
  53. package/lib/vendor/blamejs/test/smoke.js +25 -0
  54. package/package.json +1 -1
@@ -1,17 +1,33 @@
1
1
  # pinact configuration — refuses any tag-shaped `uses:` reference EXCEPT
2
- # the documented exception below.
2
+ # the documented exceptions below.
3
3
  #
4
- # The single exception is the SLSA reusable workflow. SLSA's internal
5
- # builder-fetch step refuses non-tag `BUILDER_REF` values ("Invalid ref:
6
- # <40-hex>. Expected ref of the form refs/tags/vX.Y.Z"), so the call
7
- # MUST be tag-pinned. Mitigated by slsa-framework's upstream tag-
8
- # protection + immutable-release rules. Same suppression also appears
9
- # as a per-line `# allow:slsa-framework-action-not-sha-pinned` marker in
10
- # `.github/workflows/npm-publish.yml` for the codebase-patterns gate.
4
+ # 1. The SLSA reusable workflow. SLSA's internal builder-fetch step
5
+ # refuses non-tag `BUILDER_REF` values ("Invalid ref: <40-hex>.
6
+ # Expected ref of the form refs/tags/vX.Y.Z"), so the call MUST be
7
+ # tag-pinned. Mitigated by slsa-framework's upstream tag-protection +
8
+ # immutable-release rules. Same suppression also appears as a per-line
9
+ # `# allow:slsa-framework-action-not-sha-pinned` marker in
10
+ # `.github/workflows/npm-publish.yml` for the codebase-patterns gate.
11
+ #
12
+ # 2. aquasecurity/trivy-action. The aquasecurity org enables a GitHub
13
+ # org-level IP allow-list that returns 403 to GitHub Actions runner
14
+ # IPs on the commits API, so `pinact run --verify`'s online tag
15
+ # re-resolution cannot complete from CI (it succeeds from
16
+ # unrestricted IPs). The action stays SHA-pinned in the workflow
17
+ # (auditable inline); this entry only exempts it from the online
18
+ # re-verification that the upstream org makes impossible from a
19
+ # runner.
11
20
  #
12
21
  # See npm-publish.yml comment block + memory/specs/release-v0.10.19-plan.md.
13
22
 
14
23
  version: 3
15
24
 
16
25
  ignore_actions:
26
+ # pinact v3 treats both `name` and `ref` as regular expressions, and
27
+ # both are required (a name-only entry fails config load with
28
+ # "initialize ignore_action: ref is required"). `ref: .*` matches the
29
+ # tag-pinned ref this single exception carries (currently v2.1.0).
17
30
  - name: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml
31
+ ref: .*
32
+ - name: aquasecurity/trivy-action
33
+ ref: .*
@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.13.x
10
10
 
11
+ - v0.13.24 (2026-05-28) — **`b.guard*` docs corrected: the compliance-posture opt key, the gate API, and validate return shapes.** Documentation corrections across the b.guard* family. The most consequential: the posture-selection option was documented as `compliance:` in many guards' @opts, but the working key is `compliancePosture:` — passing the documented `{ compliance: "hipaa" }` was silently ignored, so a compliance posture (e.g. HIPAA PII redaction) never activated. If you select a posture via the gate/validate/sanitize options, use `compliancePosture:`; `compliance:` had no effect. The guard docs now name the correct key uniformly. Also corrected: gate examples and prose that invoked the gate as a callable or via `.run` / `.inspect` (the gate is an object whose method is `.check(ctx)`), and validate() return shapes that listed `severities` / `summary` / `refusal` fields the function never returned (it returns `{ ok, issues }`). **Fixed:** *guard posture option is `compliancePosture:`, not `compliance:`* — Many `b.guard*` primitives documented the compliance-posture selector as `compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2"` in their `@opts`, but the family resolver reads `compliancePosture:`. Passing `{ compliance: "hipaa" }` was accepted and silently ignored — the posture overlay (e.g. CSV `piiPolicy: "redact"` under HIPAA) never applied, leaving the default policy in force. The docs across the guard family now name `compliancePosture:` consistently (the key the resolver and `b.guardX.compliancePosture(name)` already used). Action: if you selected a posture with `compliance:`, switch to `compliancePosture:` — the posture was not taking effect before. · *guard gate is an object with `.check(ctx)`, not a callable* — Several guards' gate `@example`s and prose invoked the gate as a function (`g({...})`), via `.run(...)`, or via `.inspect(...)`, and a few described it as "an async function". `b.guardX.gate(opts)` returns an object whose async method is `.check(ctx)`; the examples and prose now use `.check`, so they run as written. · *guard validate() returns `{ ok, issues }`* — Several guards documented `validate()` as returning `{ ok, issues, severities }`, `{ ok, issues, summary }`, or `{ ok, issues, refusal? }`. The function returns `{ ok, issues }` (each issue carries its own `severity` / `kind`); the documented extra top-level fields were never present. The docs now state the actual shape.
12
+
13
+ - v0.13.23 (2026-05-28) — **Documentation corrected to match actual behavior across several primitives.** A set of JSDoc / doc-comment corrections where the documented contract had drifted from what the code does. No behavior changes — the implementations already behaved as now documented; only the docs were wrong. The most operator-relevant is the JWT signer doc: an expiring token signed without an explicit jti receives an auto-minted 128-bit jti (so the replay-defense path has the jti it needs), which the sign-opts doc previously denied. Also corrected: did.resolve's unsupported-method error now names did:jwk (always supported); b.cose.verify is marked stable to match its stable sign sibling and the CWT / EAT / SCITT / mdoc verifiers built on it; b.linkHeader.serialize's doc now states every parameter value is double-quoted; b.auth.saml verifyResponse's documented return shape now lists inResponseTo and issuer (both always returned); and the rate-limit custom-backend contract drops a gc member the middleware never invoked. **Fixed:** *JWT signer doc now describes the auto-minted jti on expiring tokens* — `b.auth.jwt.sign`'s opts doc claimed that omitting `jti` adds no jti. In fact, when a token carries an `exp` and no operator-supplied `jti`, the signer auto-mints a random 128-bit `jti` so a replay-protected token always carries the identifier `verify`'s replay store requires. The doc now describes this; pass an explicit `jti` for a deterministic value. Behavior is unchanged. · *`b.did.resolve` unsupported-method error now names did:jwk* — The thrown error for an unsupported DID method listed only `did:key` and `did:web`, omitting `did:jwk`, which `resolve` fully supports. The message now reads `(did:key, did:jwk, and did:web only)`. · *`b.cose.verify` marked stable* — `b.cose.verify` carried `@status experimental` while its `b.cose.sign` sibling is stable and the CWT / EAT / SCITT / mdoc verifiers that depend on it are stable and shipped. The verifier is the same maturity as the rest of the COSE_Sign1 round-trip; its status now reflects that. · *`b.linkHeader.serialize` doc matches its quoting behavior* — The doc said parameters are token-encoded when they fit RFC 7230 token grammar and double-quoted otherwise. The serializer always double-quotes every value (valid under RFC 8288, and required for space-separated multi-rel and media-type values). The doc now states that. · *`b.auth.saml` verifyResponse documented return shape lists all fields* — The prose and the example each omitted a different field that `verifyResponse` always returns. The documented shape now lists all of `nameId`, `nameIdFormat`, `sessionIndex`, `attributes`, `audience`, `inResponseTo`, and `issuer`. · *rate-limit custom-backend contract is `{ take, reset }`* — The custom-backend opts doc listed a `gc` member that the middleware never reads or invokes (the runtime contract is `take` / `reset` / `close`, and the error message already said `{ take, reset }`). The documented shape now matches; an operator-supplied `gc` was always silently ignored. · *`b.mail.agent.create` doc no longer lists consumer as a method* — The created agent's method list named `consumer`, which is not a method on the returned object — the queue consumer is the sibling export `b.mail.agent.consumer`. The doc now says so.
14
+
11
15
  - v0.13.22 (2026-05-27) — **`b.archive.read.zip.fromTrustedStream` reads a ZIP from a Readable — no longer an experimental stub.** fromTrustedStream was an experimental stub whose inspect / entries / extract methods threw, forcing callers to buffer the stream themselves and use the random-access reader. It now works, with the same shape as the tar trusted-stream reader: pass b.archive.adapters.trustedStream(readable) and the bytes are collected into a size-capped buffer (1 GiB hard ceiling) and read through the same bomb-cap, path-traversal, and entry-type decode as the random-access reader — so bombPolicy, guardProfile, entryTypePolicy, and audit all apply, and inspect / entries / extract / extractEntries all return data. This is a bounded-memory reader (the archive is held in memory under the ceiling), not zero-buffer streaming; a future forward-inflate walker shared with the tar reader would lift the ceiling. **Added:** *`b.archive.read.zip.fromTrustedStream` now reads — `inspect` / `entries` / `extract` / `extractEntries`* — The ZIP trusted-stream reader is implemented (was an experimental stub that threw). Pass `b.archive.adapters.trustedStream(readable)` to read a ZIP straight from a Node Readable without buffering it yourself. The stream is collected into a size-capped buffer (1 GiB ceiling, matching `b.archive.read.tar`'s trusted-stream reader) and decoded through the same adversarial-safe path as the random-access reader, so `bombPolicy` / `guardProfile` / `entryTypePolicy` / `audit` are honored on decode. Adversarial archives remain fully bomb-capped; "trusted" refers only to the source-size bound. A non-trusted-stream adapter is refused with `archive-read/bad-adapter`.
12
16
 
13
17
  - v0.13.21 (2026-05-27) — **`b.cose.exportKey` — serialize a public key as a COSE_Key, the inverse of `b.cose.importKey`.** b.cose could import a COSE_Key (RFC 9052 §7) into a node:crypto key for verification, but had no way to produce one — so a key used with b.cose.sign could not be shipped to a verifier in COSE form without hand-building the CBOR map. b.cose.exportKey(keyObject, opts?) closes the round-trip: it serializes an EC2 (P-256 / P-384 / P-521) or OKP (Ed25519) public key as the CBOR-encoded COSE_Key map, with optional alg and kid common parameters. A private key has its public half exported; unsupported curves / key types are refused rather than emitting a COSE_Key no verifier here would accept. The bytes round-trip through b.cose.importKey, and feed the mdoc MSO / COSE_Key header / SCITT / C2PA verification-key paths. **Added:** *`b.cose.exportKey(keyObject, { alg?, kid? })` — KeyObject → COSE_Key (RFC 9052 §7)* — Serialize a `node:crypto` public key as the CBOR-encoded COSE_Key map — the inverse of `b.cose.importKey`. Supports EC2 (P-256 / P-384 / P-521) and OKP (Ed25519), the same key types `b.cose.verify` accepts; `opts.alg` (e.g. `"ES256"`) and `opts.kid` populate the COSE_Key alg (label 3) and kid (label 2) common parameters. A private key exports its public half; unsupported curves / key types throw rather than producing a COSE_Key no verifier would accept. `b.cose.importKey(b.cbor.decode(exportKey(k)))` round-trips, so a key signed with `b.cose.sign` can be shipped to a verifier as bytes — the mdoc MSO / COSE_Key header / SCITT / C2PA verification-key paths.
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": 1,
3
- "frameworkVersion": "0.13.22",
4
- "createdAt": "2026-05-27T23:32:55.833Z",
3
+ "frameworkVersion": "0.13.24",
4
+ "createdAt": "2026-05-28T08:46:52.303Z",
5
5
  "exports": {
6
6
  "a2a": {
7
7
  "type": "object",
@@ -370,7 +370,7 @@ function sniffEnvelope(bytes) {
370
370
  * @signature b.archive.wrapWithPassphrase(bytes, opts)
371
371
  * @since 0.12.11
372
372
  * @status stable
373
- * @related b.archive.unwrapWithPassphrase, b.archive.wrap, b.backupCrypto
373
+ * @related b.archive.unwrapWithPassphrase, b.archive.wrap
374
374
  *
375
375
  * Wrap archive bytes in a passphrase-derived envelope. The envelope
376
376
  * wire format is the framework's standard Argon2id (RFC 9106) +
@@ -48,10 +48,13 @@
48
48
  * subject: claims.sub override
49
49
  * expiresInSec: relative exp (claims.exp = now + expiresInSec)
50
50
  * notBeforeSec: relative nbf (claims.nbf = now + notBeforeSec)
51
- * jti: claims.jti override (string; if missing, no jti is added —
52
- * the framework doesn't auto-mint without an operator request
53
- * since jti has uniqueness/replay-tracking semantics that
54
- * belong at the application layer)
51
+ * jti: claims.jti override (string). When omitted, a random
52
+ * 128-bit jti is auto-minted if (and only if) the token
53
+ * carries an exp — so a replay-protected token always
54
+ * has the jti the verifier's replay store requires,
55
+ * closing the silent hole where a sign without jti would
56
+ * never replay-protect. Pass an explicit jti for a
57
+ * deterministic value.
55
58
  * now: test-time clock injection (epoch milliseconds)
56
59
  *
57
60
  * Verify opts:
@@ -415,7 +415,7 @@ function create(opts) {
415
415
  * (Response-level OR Assertion-level signature), the assertion's
416
416
  * SubjectConfirmation Bearer constraints, and Conditions audience
417
417
  * + time bounds. Returns `{ nameId, nameIdFormat, sessionIndex,
418
- * attributes, audience, inResponseTo }`.
418
+ * attributes, audience, inResponseTo, issuer }`.
419
419
  *
420
420
  * @opts
421
421
  * {
@@ -428,7 +428,7 @@ function create(opts) {
428
428
  * var info = sp.verifyResponse(req.body.SAMLResponse, {
429
429
  * expectedInResponseTo: req.session.samlRequestId,
430
430
  * });
431
- * // → { nameId, nameIdFormat, sessionIndex, attributes, audience, issuer }
431
+ * // → { nameId, nameIdFormat, sessionIndex, attributes, audience, inResponseTo, issuer }
432
432
  * });
433
433
  */
434
434
  function verifyResponse(samlResponseB64, vopts) {
@@ -227,7 +227,7 @@ async function sign(payload, opts) {
227
227
  * @primitive b.cose.verify
228
228
  * @signature b.cose.verify(coseSign1, opts)
229
229
  * @since 0.12.33
230
- * @status experimental
230
+ * @status stable
231
231
  * @related b.cose.sign, b.cbor.decode
232
232
  *
233
233
  * Verify a COSE_Sign1 (RFC 9052) and return its payload + headers.
@@ -365,7 +365,7 @@ function resolve(did, opts) {
365
365
  return { didDocument: docW, verificationMethods: _extractVerificationMethods(docW) };
366
366
  }
367
367
 
368
- throw new DidError("did/unsupported-method", "did.resolve: unsupported DID method '" + parsed.method + "' (did:key and did:web only)");
368
+ throw new DidError("did/unsupported-method", "did.resolve: unsupported DID method '" + parsed.method + "' (did:key, did:jwk, and did:web only)");
369
369
  }
370
370
 
371
371
  // Import a publicKeyJwk after allowlisting its kty/crv — a DID document
@@ -650,7 +650,7 @@ function _detectIssues(entries, opts) {
650
650
  *
651
651
  * @opts
652
652
  * profile: "strict"|"balanced"|"permissive",
653
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
653
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
654
654
  * traversalPolicy: "reject"|"audit"|"allow",
655
655
  * absolutePathPolicy: "reject"|"audit"|"allow",
656
656
  * symlinkPolicy: "reject"|"audit"|"allow",
@@ -723,7 +723,7 @@ function validateEntries(entries, opts) {
723
723
  *
724
724
  * @opts
725
725
  * profile: "strict"|"balanced"|"permissive",
726
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
726
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
727
727
  * name: string,
728
728
  * ...: any validateEntries opt
729
729
  *
@@ -34,7 +34,7 @@
34
34
  *
35
35
  * Profiles: `strict` / `balanced` / `permissive`. Compliance postures:
36
36
  * `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select via
37
- * `{ profile: "strict" }` or `{ compliance: "hipaa" }`; postures
37
+ * `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`; postures
38
38
  * overlay on the profile baseline.
39
39
  *
40
40
  * @card
@@ -205,7 +205,7 @@ function _detectIssues(bundle, opts) {
205
205
  * @compliance hipaa, pci-dss, gdpr, soc2
206
206
  * @related b.guardAuth.sanitize, b.guardAuth.gate, b.guardJwt.validate, b.guardOauth.validate
207
207
  *
208
- * Inspect an auth-bundle object and return `{ ok, issues, summary }`.
208
+ * Inspect an auth-bundle object and return `{ ok, issues }`.
209
209
  * Each issue carries `{ kind, severity, ruleId, source, snippet }`
210
210
  * with severity in `"warn"|"high"|"critical"` and `source` tagging
211
211
  * the sub-guard that raised it (`"jwt"` / `"oauth"` / `"cookies"` /
@@ -219,7 +219,7 @@ function _detectIssues(bundle, opts) {
219
219
  *
220
220
  * @opts
221
221
  * profile: "strict"|"balanced"|"permissive",
222
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
222
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
223
223
  * childProfile: "strict"|"balanced"|"permissive", // forwarded to guardJwt / guardOauth
224
224
  * requireAtLeastOne: boolean,
225
225
  * allowedRedirectUris: string[], // forwarded to guardOauth
@@ -256,7 +256,7 @@ function validate(input, opts) {
256
256
  *
257
257
  * @opts
258
258
  * profile: "strict"|"balanced"|"permissive",
259
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
259
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
260
260
  *
261
261
  * @example
262
262
  * var clean = b.guardAuth.sanitize({
@@ -300,7 +300,7 @@ function sanitize(input, opts) {
300
300
  *
301
301
  * @opts
302
302
  * profile: "strict"|"balanced"|"permissive",
303
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
303
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
304
304
  * name: string, // gate identity for audit / observability
305
305
  * childProfile: "strict"|"balanced"|"permissive",
306
306
  * allowedRedirectUris: string[],
@@ -437,7 +437,7 @@ function _detectIssues(input, opts) {
437
437
  * @compliance hipaa, pci-dss, gdpr, soc2
438
438
  * @related b.guardCidr.sanitize, b.guardCidr.gate
439
439
  *
440
- * Inspect a CIDR notation string and return `{ ok, issues, summary }`.
440
+ * Inspect a CIDR notation string and return `{ ok, issues }`.
441
441
  * Each issue carries `{ kind, severity, ruleId, snippet }` with
442
442
  * severity in `"warn"|"high"|"critical"`. Detected: malformed address
443
443
  * shape, octet-out-of-range, mask-out-of-range, network-address
@@ -448,7 +448,7 @@ function _detectIssues(input, opts) {
448
448
  *
449
449
  * @opts
450
450
  * profile: "strict"|"balanced"|"permissive",
451
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
451
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
452
452
  * family: "either"|"ipv4-only"|"ipv6-only",
453
453
  * networkAlignmentPolicy: "reject"|"audit"|"allow",
454
454
  * reservedRangesPolicy: "reject"|"audit"|"allow",
@@ -496,7 +496,7 @@ function validate(input, opts) {
496
496
  *
497
497
  * @opts
498
498
  * profile: "strict"|"balanced"|"permissive",
499
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
499
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
500
500
  *
501
501
  * @example
502
502
  * var safe = b.guardCidr.sanitize("2001:DB8::/32", { profile: "permissive" });
@@ -542,7 +542,7 @@ function sanitize(input, opts) {
542
542
  *
543
543
  * @opts
544
544
  * profile: "strict"|"balanced"|"permissive",
545
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
545
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
546
546
  * name: string, // gate identity for audit / observability
547
547
  * family: "either"|"ipv4-only"|"ipv6-only",
548
548
  *
@@ -43,7 +43,7 @@
43
43
  * Profiles: `strict` / `balanced` / `permissive` /
44
44
  * `email-attachment`. Compliance postures: `hipaa` / `pci-dss` /
45
45
  * `gdpr` / `soc2`. Operators select via `{ profile: "strict" }` or
46
- * `{ compliance: "hipaa" }`; postures overlay on top of the
46
+ * `{ compliancePosture: "hipaa" }`; postures overlay on top of the
47
47
  * profile baseline.
48
48
  *
49
49
  * Threat-detection regex literals are composed programmatically
@@ -696,7 +696,7 @@ function schema(spec) {
696
696
  *
697
697
  * @opts
698
698
  * profile: "strict"|"balanced"|"permissive"|"email-attachment",
699
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
699
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
700
700
  * headers: string[]|false, // explicit column order; false suppresses header row
701
701
  * delimiter: string, // default ","
702
702
  * lineEnding: string, // default "\r\n"
@@ -802,7 +802,7 @@ function serialize(rows, opts) {
802
802
  * @related b.guardCsv.sanitize, b.guardCsv.gate
803
803
  *
804
804
  * Inspect `input` (string or Buffer of CSV text) and return
805
- * `{ ok, issues, summary }`. Each issue carries `{ kind, severity,
805
+ * `{ ok, issues }`. Each issue carries `{ kind, severity,
806
806
  * ruleId, location, snippet }` with severity in
807
807
  * `"warn"|"high"|"critical"`. Detected: BOM mid-stream, Unicode
808
808
  * bidi override (CVE-2021-42574), C0 control char, null byte,
@@ -813,7 +813,7 @@ function serialize(rows, opts) {
813
813
  *
814
814
  * @opts
815
815
  * profile: "strict"|"balanced"|"permissive"|"email-attachment",
816
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
816
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
817
817
  * bidiCharPolicy: "reject"|"strip"|"audit"|"allow",
818
818
  * controlCharPolicy: "reject"|"strip"|"allow",
819
819
  * nullByteHandling: "reject"|"strip"|"allow",
@@ -860,7 +860,7 @@ function validate(input, opts) {
860
860
  *
861
861
  * @opts
862
862
  * profile: "strict"|"balanced"|"permissive"|"email-attachment",
863
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
863
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
864
864
  * bidiCharPolicy: "reject"|"strip"|"audit"|"allow",
865
865
  * controlCharPolicy: "reject"|"strip"|"allow",
866
866
  * nullByteHandling: "reject"|"strip"|"allow",
@@ -981,7 +981,7 @@ function detect(input) {
981
981
  *
982
982
  * @opts
983
983
  * profile: "strict"|"balanced"|"permissive"|"email-attachment",
984
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
984
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
985
985
  * name: string, // gate identity for audit / observability
986
986
  * operatorRules: [{ id: string, severity: "warn"|"high"|"critical",
987
987
  * detect: function, reason: string }],
@@ -563,7 +563,7 @@ function _detectIssues(input, opts) {
563
563
  * @compliance hipaa, pci-dss, gdpr, soc2
564
564
  * @related b.guardDomain.sanitize, b.guardDomain.gate
565
565
  *
566
- * Inspect a domain-name string and return `{ ok, issues, summary }`.
566
+ * Inspect a domain-name string and return `{ ok, issues }`.
567
567
  * Each issue carries `{ kind, severity, ruleId, snippet }` with
568
568
  * severity in `"warn"|"high"|"critical"`. Detected: domain/label
569
569
  * length cap (RFC 1035 §2.3.4), LDH violation, IDN A-label
@@ -575,7 +575,7 @@ function _detectIssues(input, opts) {
575
575
  *
576
576
  * @opts
577
577
  * profile: "strict"|"balanced"|"permissive",
578
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
578
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
579
579
  * ldhPolicy: "reject"|"audit"|"allow",
580
580
  * punycodePolicy: "reject"|"audit"|"allow",
581
581
  * mixedScriptPolicy: "reject"|"audit"|"allow",
@@ -635,7 +635,7 @@ function validate(input, opts) {
635
635
  *
636
636
  * @opts
637
637
  * profile: "strict"|"balanced"|"permissive",
638
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
638
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
639
639
  *
640
640
  * @example
641
641
  * var safe = b.guardDomain.sanitize("Example.Com.", { profile: "balanced" });
@@ -677,7 +677,7 @@ function sanitize(input, opts) {
677
677
  *
678
678
  * @opts
679
679
  * profile: "strict"|"balanced"|"permissive",
680
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
680
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
681
681
  * name: string, // gate identity for audit / observability
682
682
  *
683
683
  * @example
@@ -840,9 +840,10 @@ function sanitize(input, opts) {
840
840
  * @status stable
841
841
  * @related b.guardEmail.validateMessage, b.guardEmail.sanitize, b.guardAll.gate
842
842
  *
843
- * Build a guard gate function compatible with the `b.guardAll` family
844
- * dispatch. The returned async gate accepts a request-shaped context,
845
- * runs `validateMessage` against the extracted bytes, and returns
843
+ * Build a guard gate compatible with the `b.guardAll` family
844
+ * dispatch. The returned gate's async `check(ctx)` method accepts a
845
+ * request-shaped context, runs `validateMessage` against the extracted
846
+ * bytes, and returns
846
847
  * `{ ok, action, issues? }` where `action` is `serve` (no issues),
847
848
  * `audit-only` (warn-level), or `refuse` (high / critical severity).
848
849
  *
@@ -854,11 +855,11 @@ function sanitize(input, opts) {
854
855
  * @example
855
856
  * var guardEmail = require("./lib/guard-email");
856
857
  * var g = guardEmail.gate({ profile: "strict" });
857
- * typeof g; // → "function"
858
+ * typeof g.check; // → "function"
858
859
  *
859
860
  * var msg = "From: alice@example.com\r\nTo: bob@example.com\r\n" +
860
861
  * "Subject: hi\r\nDate: Mon, 5 May 2026 10:00:00 +0000\r\n\r\nbody\r\n";
861
- * g({ body: Buffer.from(msg, "utf8") }).then(function (rv) {
862
+ * g.check({ body: Buffer.from(msg, "utf8") }).then(function (rv) {
862
863
  * rv.action; // → "serve"
863
864
  * });
864
865
  */
@@ -634,7 +634,7 @@ function _sanitize(input, opts) {
634
634
  * @related b.guardFilename.sanitize, b.guardFilename.gate
635
635
  *
636
636
  * Inspect a filename (string or Buffer) and return
637
- * `{ ok, issues, summary }`. Each issue carries
637
+ * `{ ok, issues }`. Each issue carries
638
638
  * `{ kind, severity, ruleId, location, snippet }` with severity in
639
639
  * `"warn"|"high"|"critical"`. Detected: path-traversal raw and
640
640
  * percent-encoded, null-byte truncation, NTFS ADS, UNC path,
@@ -647,7 +647,7 @@ function _sanitize(input, opts) {
647
647
  *
648
648
  * @opts
649
649
  * profile: "strict"|"balanced"|"permissive",
650
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
650
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
651
651
  * bidiPolicy: "reject"|"strip"|"allow",
652
652
  * controlPolicy: "reject"|"strip"|"allow",
653
653
  * nullBytePolicy: "reject", // always reject
@@ -759,7 +759,7 @@ function _sanitizeStripMode(input, opts) {
759
759
  *
760
760
  * @opts
761
761
  * profile: "strict"|"balanced"|"permissive",
762
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
762
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
763
763
  * mode: "enforce"|"strip",
764
764
  * audit: { safeEmit: function }, // optional sink for strip mode
765
765
  * unicodeNormalization: "NFC"|null,
@@ -820,7 +820,7 @@ function sanitize(input, opts) {
820
820
  *
821
821
  * @opts
822
822
  * profile: "strict"|"balanced"|"permissive",
823
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
823
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
824
824
  * name: string, // gate identity for audit / observability
825
825
  *
826
826
  * @example
@@ -458,7 +458,7 @@ function _detectIssues(req, opts) {
458
458
  * @related b.guardGraphql.sanitize, b.guardGraphql.gate
459
459
  *
460
460
  * Apply the full guard-graphql threat catalog to a request bundle
461
- * (or batch array). Returns `{ ok, issues, refusal? }` per
461
+ * (or batch array). Returns `{ ok, issues }` per
462
462
  * `gateContract.aggregateIssues`. Detected classes include
463
463
  * `query-missing`, `query-cap`, `variables-cap`, `request-cap`,
464
464
  * `batch-size`, `introspection`, `persisted-query-missing`,
@@ -469,7 +469,7 @@ function _detectIssues(req, opts) {
469
469
  *
470
470
  * @opts
471
471
  * profile: "strict"|"balanced"|"permissive",
472
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
472
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
473
473
  * introspectionPolicy: "reject"|"audit"|"allow",
474
474
  * persistedQueryPolicy: "require"|"audit"|"allow",
475
475
  * operationNamePolicy: "reject"|"audit"|"allow",
@@ -528,7 +528,7 @@ function validate(input, opts) {
528
528
  *
529
529
  * @opts
530
530
  * profile: "strict"|"balanced"|"permissive",
531
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
531
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
532
532
  * ...: every guardGraphql.validate opt is honored,
533
533
  *
534
534
  * @example
@@ -573,13 +573,13 @@ function sanitize(input, opts) {
573
573
  *
574
574
  * @opts
575
575
  * profile: "strict"|"balanced"|"permissive",
576
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
576
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
577
577
  * name: string, // gate label for audit trails
578
578
  * ...: every guardGraphql.validate opt is honored,
579
579
  *
580
580
  * @example
581
581
  * var gqlGate = b.guardGraphql.gate({ profile: "strict" });
582
- * var rv = await gqlGate.run({
582
+ * var rv = await gqlGate.check({
583
583
  * graphqlRequest: {
584
584
  * query: "{ a:me { id } b:me { id } c:me { id } d:me { id } " +
585
585
  * "e:me { id } f:me { id } g:me { id } h:me { id } " +
@@ -1030,7 +1030,7 @@ function sanitize(input, opts) {
1030
1030
  * Returns a guard descriptor that plugs into the framework's
1031
1031
  * content-safety wiring (`b.fileUpload.contentSafety` /
1032
1032
  * `b.staticServe.contentSafety` / `b.guardAll`). The descriptor's
1033
- * `inspect(ctx)` resolves to one of four actions: `serve` (no
1033
+ * `check(ctx)` resolves to one of four actions: `serve` (no
1034
1034
  * issues), `audit-only` (low-severity issues observed), `sanitize`
1035
1035
  * (sanitized buffer attached when no policy is "reject"), or
1036
1036
  * `refuse` (critical issue with at least one reject-policy active).
@@ -1057,7 +1057,7 @@ function sanitize(input, opts) {
1057
1057
  *
1058
1058
  * // Refuse on tag-budget exceeded — strict profile rejects <script>.
1059
1059
  * var hostileBuf = Buffer.from("<p>hi</p><script>alert(1)</script>", "utf8");
1060
- * var rv = await g.inspect({ bytes: hostileBuf, contentType: "text/html" });
1060
+ * var rv = await g.check({ bytes: hostileBuf, contentType: "text/html" });
1061
1061
  * rv.ok; // → false
1062
1062
  * rv.action; // → "refuse"
1063
1063
  */
@@ -421,7 +421,7 @@ function sanitize(input, opts) {
421
421
  *
422
422
  * @opts
423
423
  * profile: "strict"|"balanced"|"permissive",
424
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
424
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
425
425
  * name: string,
426
426
  * ...: any validate opt
427
427
  *
@@ -59,7 +59,7 @@
59
59
  *
60
60
  * Profiles: `strict` / `balanced` / `permissive`. Compliance
61
61
  * postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
62
- * via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
62
+ * via `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`;
63
63
  * postures overlay on top of the profile baseline.
64
64
  *
65
65
  * Source files MUST be pure ASCII; threat-detection regexes
@@ -571,7 +571,7 @@ function _stripPollutionTree(value, opts, depth) {
571
571
  *
572
572
  * Inspect `input` (string of JSON source) for the full guard-json
573
573
  * threat catalog without committing to a parsed value. Returns
574
- * `{ ok, issues, severities }` where `issues` is the aggregated
574
+ * `{ ok, issues }` where `issues` is the aggregated
575
575
  * detector output — every prototype-pollution key, depth/breadth
576
576
  * cap hit, duplicate-key smuggle, JSON5-quirk match, BOM placement,
577
577
  * unicode threat, and numeric-precision-loss candidate is reported
@@ -587,7 +587,7 @@ function _stripPollutionTree(value, opts, depth) {
587
587
  *
588
588
  * @opts
589
589
  * profile: "strict"|"balanced"|"permissive",
590
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
590
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
591
591
  * pollutionPolicy: "reject"|"strip"|"audit"|"allow",
592
592
  * duplicateKeyPolicy: "reject"|"audit"|"allow",
593
593
  * nanInfinityPolicy: "reject"|"audit"|"allow",
@@ -660,7 +660,7 @@ function validate(input, opts) {
660
660
  *
661
661
  * @opts
662
662
  * profile: "strict"|"balanced"|"permissive",
663
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
663
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
664
664
  * pollutionPolicy: "reject"|"strip"|"audit"|"allow",
665
665
  * bomPolicy: "reject"|"strip"|"allow",
666
666
  * controlPolicy: "reject"|"strip"|"allow",
@@ -770,7 +770,7 @@ function _policyKeyForRuleId(ruleId) {
770
770
  *
771
771
  * @opts
772
772
  * profile: "strict"|"balanced"|"permissive",
773
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
773
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
774
774
  * name: string, // gate identity for audit / observability
775
775
  *
776
776
  * @example
@@ -34,7 +34,7 @@
34
34
  * Profiles: `strict` / `balanced` / `permissive`. Compliance
35
35
  * postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
36
36
  * select via `{ profile: "strict" }` or
37
- * `{ compliance: "hipaa" }`; postures overlay on top of the
37
+ * `{ compliancePosture: "hipaa" }`; postures overlay on top of the
38
38
  * profile baseline. Filter / script / dynamic-hint refusal holds
39
39
  * at every profile — the RCE class is never an operator opt-in.
40
40
  *
@@ -257,7 +257,7 @@ function _detectIssues(input, opts) {
257
257
  *
258
258
  * @opts
259
259
  * profile: "strict"|"balanced"|"permissive",
260
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
260
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
261
261
  * bidiPolicy: "reject"|"audit"|"allow",
262
262
  * controlPolicy: "reject"|"audit"|"allow",
263
263
  * nullBytePolicy: "reject"|"audit"|"allow",
@@ -308,7 +308,7 @@ function validate(input, opts) {
308
308
  *
309
309
  * @opts
310
310
  * profile: "strict"|"balanced"|"permissive",
311
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
311
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
312
312
  * filterExprPolicy: "reject"|"audit"|"allow",
313
313
  * scriptExprPolicy: "reject"|"audit"|"allow",
314
314
  * dynamicHintPolicy: "reject"|"audit"|"allow",
@@ -360,7 +360,7 @@ function sanitize(input, opts) {
360
360
  *
361
361
  * @opts
362
362
  * profile: "strict"|"balanced"|"permissive",
363
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
363
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
364
364
  * name: string, // override gate name in audit emissions
365
365
  * filterExprPolicy: "reject"|"audit"|"allow",
366
366
  * scriptExprPolicy: "reject"|"audit"|"allow",
@@ -441,7 +441,7 @@ function _detectIssues(input, opts) {
441
441
  * @related b.guardJwt.sanitize, b.guardJwt.gate
442
442
  *
443
443
  * Apply the full guard-jwt threat catalog to a JWT compact-
444
- * serialization string. Returns `{ ok, issues, refusal? }` per
444
+ * serialization string. Returns `{ ok, issues }` per
445
445
  * `gateContract.aggregateIssues`. Detected classes include
446
446
  * `alg-none` (always critical), `kid-traversal` (always critical),
447
447
  * `alg-not-allowed`, `typ-confusion`, `crit-unknown`, `exp-past`,
@@ -456,7 +456,7 @@ function _detectIssues(input, opts) {
456
456
  *
457
457
  * @opts
458
458
  * profile: "strict"|"balanced"|"permissive",
459
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
459
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
460
460
  * allowedAlgs: string[],
461
461
  * requiredClaims: string[],
462
462
  * knownCrit: string[],
@@ -524,7 +524,7 @@ function validate(input, opts) {
524
524
  *
525
525
  * @opts
526
526
  * profile: "strict"|"balanced"|"permissive",
527
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
527
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
528
528
  * ...: every guardJwt.validate opt is honored,
529
529
  *
530
530
  * @example
@@ -573,13 +573,13 @@ function sanitize(input, opts) {
573
573
  *
574
574
  * @opts
575
575
  * profile: "strict"|"balanced"|"permissive",
576
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
576
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
577
577
  * name: string, // gate label for audit trails
578
578
  * ...: every guardJwt.validate opt is honored,
579
579
  *
580
580
  * @example
581
581
  * var jwtGate = b.guardJwt.gate({ profile: "strict" });
582
- * var rv = await jwtGate.run({
582
+ * var rv = await jwtGate.check({
583
583
  * identifier:
584
584
  * "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
585
585
  * "eyJzdWIiOiJhdHRhY2tlciJ9.",