@blamejs/core 0.13.16 → 0.13.18

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.18 (2026-05-27) — **`bodyParser` multipart can buffer uploads in memory — no tmp directory for serverless / read-only filesystems.** The multipart/form-data sub-parser previously streamed every file part to a tmp directory on disk (os.tmpdir() by default), which fails on a read-only or ephemeral serverless filesystem. A new multipart.storage option selects where file parts land: "disk" (default, unchanged — req.files[].path points at a tmp file cleaned up on response end) or "memory" (req.files[].buffer holds the assembled bytes, with no filesystem access at all). Both modes enforce the same per-file (fileSize), per-field, and total-request (totalSize) caps, so memory mode adds no new memory-exhaustion surface. The file object shape is stable across both modes — disk sets path with buffer null, memory sets buffer with path null — so a handler branches on whichever is non-null. An invalid storage value is rejected when the middleware is constructed. **Added:** *`bodyParser` multipart `storage: "memory"` — buffer uploads in RAM instead of a tmp directory* — `b.middleware.bodyParser({ multipart: { storage: "memory" } })` buffers each uploaded file part in memory and exposes it as `req.files[].buffer` (a Buffer), with no `os.tmpdir()` write and no tmp-file cleanup — the read-only / serverless path. The default `storage: "disk"` is unchanged: file parts stream to a tmp file, `req.files[].path` points at it, and it is removed when the response finishes. Both modes apply the existing `fileSize` / per-field `maxBytes` / `totalSize` caps and SHA3-512 hash each part during streaming, so memory mode is bounded by the same limits and adds no new DoS surface. The `req.files[]` shape is stable across modes (disk: `path` set, `buffer` null; memory: `buffer` set, `path` null). A `storage` value other than `"disk"` or `"memory"` throws a `TypeError` at construction.
+
+- v0.13.17 (2026-05-27) — **Template engine can render from a string with no views directory — for serverless / read-only filesystems.** b.template.create previously required a viewsDir that exists on disk, and rendering always read the template (and its layout/partials) from that directory — unusable on a read-only or ephemeral serverless filesystem where the templates aren't on disk. The engine now accepts a source string directly: viewsDir is optional, and the returned engine exposes renderString(source, data?, opts?) and compileString(source, opts?) that compile and render from a string with no disk read. {% extends %} and {{> partial}} in a string source resolve through an operator-supplied opts.resolve(name) -> string callback (without it, an extends throws a clear error and a missing partial inlines empty, matching the file path). The same HTML-escaping, expression grammar, and extends/partial-depth caps apply. The file-backed render / compile / precompileAll still work exactly as before when a viewsDir is configured, and now refuse with a clear error when one isn't. **Added:** *`engine.renderString` / `engine.compileString` — render templates from a string, no viewsDir* — `b.template.create({})` (no `viewsDir`) returns a string-only engine; `renderString(source, data?, { resolve })` and `compileString(source, { resolve })` compile and render from a source string with zero filesystem access — the read-only / serverless path. `{% extends %}` and `{{> partial}}` resolve through `opts.resolve(name) -> string`. The HTML escaping, grammar, and depth caps are identical to the file path. When a `viewsDir` IS configured, `render`/`compile`/`precompileAll` behave exactly as before; without one they refuse with `viewsDir not configured`. `renderString(source, { resolve })` may omit the data argument — an opts object carrying a function `resolve` is recognized as opts, not data. **Security:** *Vendored `@simplewebauthn/server` refreshed 13.3.0 → 13.3.1* — The vendored WebAuthn server bundle (`b.auth.passkey`'s registration/authentication verification) is refreshed to the latest upstream patch, with the MANIFEST version, CPE, and SHA-256 integrity hashes updated and the bundle re-verified.
+
 - v0.13.16 (2026-05-27) — **`b.mail.agent` docs now describe the facade accurately, and not-yet-wired verbs point to the primitive to use.** b.mail.agent's module documentation claimed it was "the standardization contract for every mail protocol" that JMAP / IMAP / POP3 all route through — but no protocol server actually dispatches through the agent (the framework's own JMAP EmailSubmission handler composes b.mail.send.deliver directly), and the compose / send / reply / forward, sieve.list / sieve.activate, identity / vacation / mdn.* and export / job / import verbs throw mail-agent/not-implemented. The docs are corrected to describe what the agent is: a mailbox-access facade (RBAC + posture + audit + dispatch around a mail store) whose read surface plus the mailbox-mutation and Sieve-upload methods are wired, with the remaining verbs not yet routed through it. Those verbs' error message now names the underlying primitive to compose directly (b.mail.send.deliver, b.mail.sieve, b.mailMdn, …) instead of citing a version tag that had long passed. The public WIRED_AT export (a method→version map that no longer reflected reality) is replaced by COMPOSE_HINT (a method→primitive-to-compose map). No behaviour change: the same methods are wired or throw exactly as before. **Changed:** *`b.mail.agent` documentation corrected; not-implemented errors point to the primitive to compose* — The `@module` / `@card` no longer claim the agent is the universal protocol-dispatch contract — it's documented as a mailbox-access facade with a wired read + mutation + Sieve-upload surface, and the compose/send/identity/vacation/MDN/export verbs documented as not yet routed through it (compose the underlying primitive directly until a protocol server adopts the agent). The `mail-agent/not-implemented` error now names that primitive (e.g. `b.mail.send.deliver`) rather than a passed version tag. **Removed:** *`b.mail.agent.WIRED_AT` export replaced by `COMPOSE_HINT`* — The `WIRED_AT` export mapped each method to a framework version that was supposed to "light it up" — versions that have all shipped without the wiring, so the map was misleading. It is replaced by `COMPOSE_HINT`, mapping each not-yet-wired method to the primitive an operator composes directly. Operators reading `b.mail.agent.WIRED_AT` should read `b.mail.agent.COMPOSE_HINT` instead (pre-1.0: no compatibility shim).
 
 - v0.13.15 (2026-05-27) — **Corrected more source citations and made deferred/reserved options honest in their docs.** A second accuracy pass over source threat-annotations and option docs. Three citation corrections: the base64url strict-decode guard cited CVE-2022-0235 (which is actually a node-fetch cookie-leak, unrelated) — it now names the weakness class it defends (CWE-347 / CWE-1286 signature canonicalization); the glob consecutive-wildcard ReDoS cap cited the wrong library (the CVE-2026-26996 ReDoS is minimatch, not picomatch — the adjacent picomatch one is CVE-2026-33671); and CVE-2026-32178 is reframed to the CWE-138 header-injection-spoofing class the public record actually documents (and dropped from the end-of-data SMTP-smuggling list, which is a different class). Several options/statuses are now honest about not-yet-implemented surface: b.archive.read.zip.fromTrustedStream is marked experimental (its methods throw and its options aren't honored yet — the example now shows the supported buffer-then-random-access path); b.acme revokeCert's useCertKey / certPrivateKey are marked reserved (the cert-key path throws; account-key signing is the supported default); and a stale message claiming passkey break-glass factors were a future feature is removed (passkeys are a live allowed factor). No runtime behaviour changes beyond message/doc text. **Changed:** *Deferred / reserved surface now documented honestly* — `b.archive.read.zip.fromTrustedStream` is marked `experimental` — its `inspect`/`entries`/`extract` throw and its `bombPolicy`/`audit` options aren't honored yet; the documented example now shows the supported path (buffer the stream, then use the random-access reader). `b.acme` `revokeCert`'s `useCertKey` / `certPrivateKey` options are marked reserved (the cert-key-signed-revocation path throws; account-key signing, the default, covers mainstream CAs). A `b.breakGlass` policy error and comment that called passkey factors a future feature are corrected — passkeys are a live allowed factor. **Fixed:** *Corrected misattributed CVE citations in source threat-annotations* — `b.crypto.fromBase64Url`'s strict-decode guard cited CVE-2022-0235 (a node-fetch header-leak, unrelated to base64/JWT decoding); it now cites the weakness class it actually defends — CWE-347 / CWE-1286 signature canonicalization. `b.guardRegex`'s consecutive-`*` cap attributed CVE-2026-26996 to picomatch; that ReDoS is in minimatch (the picomatch ReDoS it also defends is CVE-2026-33671) — the library name is corrected. CVE-2026-32178 is reframed to the CWE-138 header-injection spoofing class the public advisory documents, and removed from the end-of-data SMTP-smuggling trio (a distinct class). No behaviour change — the defenses are unchanged.

package/README.md

@@ -125,7 +125,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
   - Rate-limit
   - Security headers with `Permissions-Policy` defaults denying storage-access / browsing-topics / private-aggregation / controlled-frame
   - CSP nonce
-  - Body parser
+  - Body parser — JSON / urlencoded / text / multipart; multipart file parts stream to a tmp dir or buffer in memory (`storage: "memory"`) for read-only / serverless filesystems
   - Compression
   - SSE
   - Request log

package/lib/middleware/body-parser.js

@@ -37,7 +37,8 @@
  *     text:        { limit: b.constants.BYTES.mib(1), charset: "utf-8" },
  *     raw:         { limit: b.constants.BYTES.mib(10), contentTypes: ["application/octet-stream"] },
  *     multipart: {
- *       tmpDir:       os.tmpdir(),
+ *       storage:      "disk",                // "disk" → req.files[].path; "memory" → req.files[].buffer (serverless / read-only fs)
+ *       tmpDir:       os.tmpdir(),           // disk mode only
  *       fileSize:     b.constants.BYTES.mib(10),
  *       totalSize:    b.constants.BYTES.mib(50),
  *       fileCount:    20,
@@ -184,7 +185,8 @@ var DEFAULTS = Object.freeze({
     contentTypes: ["application/octet-stream"],
   },
   multipart: {
-    tmpDir:        null,             // resolved per-instance from os.tmpdir()
+    storage:       "disk",           // "disk" (tmp files) | "memory" (req.files[].buffer)
+    tmpDir:        null,             // resolved per-instance from os.tmpdir() (disk mode only)
     fileSize:      C.BYTES.mib(10),
     totalSize:     C.BYTES.mib(50),
     fileCount:     20,
@@ -680,16 +682,23 @@ async function _parseMultipart(req, opts, ctParams) {
       true, HTTP_STATUS.BAD_REQUEST
     );
   }
+  // storage: "memory" buffers file parts in RAM (capped by fileSize ×
+  // fileCount, the same DoS bound as disk mode) and exposes each file as
+  // req.files[].buffer with no filesystem touch — the read-only /
+  // serverless path. "disk" (default) streams to tmp files as before.
+  var useMemory = opts.storage === "memory";
   // Resolve tmpDir per-request so directory-creation failure surfaces as a
-  // structured error rather than a deferred fs throw.
-  var tmpDir = opts.tmpDir || nodePath.join(os.tmpdir(), "blamejs-uploads");
-  try { atomicFile.ensureDir(tmpDir, 0o700); }
-  catch (e) {
-    throw new BodyParserError(
-      "body-parser/multipart-tmpdir",
-      "could not create multipart tmp dir '" + tmpDir + "': " + ((e && e.message) || String(e)),
-      true, 500
-    );
+  // structured error rather than a deferred fs throw (disk mode only).
+  var tmpDir = useMemory ? null : (opts.tmpDir || nodePath.join(os.tmpdir(), "blamejs-uploads"));
+  if (!useMemory) {
+    try { atomicFile.ensureDir(tmpDir, 0o700); }
+    catch (e) {
+      throw new BodyParserError(
+        "body-parser/multipart-tmpdir",
+        "could not create multipart tmp dir '" + tmpDir + "': " + ((e && e.message) || String(e)),
+        true, 500
+      );
+    }
   }
 
   var boundaryBuf      = Buffer.from("--" + boundary);
@@ -721,7 +730,8 @@ async function _parseMultipart(req, opts, ctParams) {
   var currentFd = null;
   var currentSize = 0;
   var currentHash = null;
-  var currentBuf = null; // for fields (in-memory accumulator)
+  var currentBuf = null; // in-memory accumulator (text fields always; file parts when useMemory)
+  var currentIsFile = false; // file part (has a filename) vs text field — drives finalize shape
   var currentDiscarded = false; // true when fileFilter rejected the part — body bytes are
                                 // still consumed (we have to read past them to find the next
                                 // boundary) but never written to disk.
@@ -737,6 +747,7 @@ async function _parseMultipart(req, opts, ctParams) {
     currentSize = 0;
     currentHash = null;
     currentBuf = null;
+    currentIsFile = false;
     currentDiscarded = false;
     currentEffectiveLimit = 0;
   }
@@ -765,7 +776,8 @@ async function _parseMultipart(req, opts, ctParams) {
     if (currentFd !== null) { try { nodeFs.closeSync(currentFd); } catch (_e) { /* fd already closed */ } currentFd = null; }
     if (currentTmpPath) { try { nodeFs.unlinkSync(currentTmpPath); } catch (_e) { /* tmp file already removed */ } }
     for (var i = 0; i < files.length; i++) {
-      try { nodeFs.unlinkSync(files[i].path); } catch (_e) { /* tmp file already removed */ }
+      // Memory-mode files have no path (buffer only) — nothing to unlink.
+      if (files[i].path) { try { nodeFs.unlinkSync(files[i].path); } catch (_e) { /* tmp file already removed */ } }
     }
   }
 
@@ -943,17 +955,24 @@ async function _parseMultipart(req, opts, ctParams) {
                 }
               }
 
-              // Generate the tmp path — never derived from the
-              // operator-supplied filename.
-              var unique = bCrypto.generateToken(C.BYTES.bytes(16));
-              currentTmpPath = nodePath.join(tmpDir, "blamejs-up-" + unique);
-              try {
-                currentFd = nodeFs.openSync(currentTmpPath, "wx", 0o600);
-              } catch (e) {
-                done(new BodyParserError("body-parser/multipart-tmp-open",
-                  "could not open multipart tmp file: " + ((e && e.message) || String(e)),
-                  true, 500));
-                return;
+              currentIsFile = true;
+              if (useMemory) {
+                // Buffer the file in RAM — no filesystem touch. Bounded by
+                // currentEffectiveLimit (per-file) and totalSize (per-request).
+                currentBuf = [];
+              } else {
+                // Generate the tmp path — never derived from the
+                // operator-supplied filename.
+                var unique = bCrypto.generateToken(C.BYTES.bytes(16));
+                currentTmpPath = nodePath.join(tmpDir, "blamejs-up-" + unique);
+                try {
+                  currentFd = nodeFs.openSync(currentTmpPath, "wx", 0o600);
+                } catch (e) {
+                  done(new BodyParserError("body-parser/multipart-tmp-open",
+                    "could not open multipart tmp file: " + ((e && e.message) || String(e)),
+                    true, 500));
+                  return;
+                }
               }
               currentHash = nodeCrypto.createHash("sha3-512");
               currentSize = 0;
@@ -1004,8 +1023,10 @@ async function _parseMultipart(req, opts, ctParams) {
                     true, 413));
                   return;
                 }
-              } else if (currentFd !== null) {
-                // File part — write to disk.
+              } else if (currentIsFile) {
+                // File part — write to disk (currentFd) or accumulate in
+                // memory (useMemory). Same per-file + total-request caps
+                // either way, so memory mode adds no new DoS surface.
                 currentSize += bodyChunk.length;
                 if (currentSize > currentEffectiveLimit) {
                   var perFieldFile = (perField && perField[currentField] &&
@@ -1024,16 +1045,20 @@ async function _parseMultipart(req, opts, ctParams) {
                     true, 413));
                   return;
                 }
-                try {
-                  var written = 0;
-                  while (written < bodyChunk.length) {
-                    written += nodeFs.writeSync(currentFd, bodyChunk, written, bodyChunk.length - written);
+                if (currentFd !== null) {
+                  try {
+                    var written = 0;
+                    while (written < bodyChunk.length) {
+                      written += nodeFs.writeSync(currentFd, bodyChunk, written, bodyChunk.length - written);
+                    }
+                  } catch (e) {
+                    done(new BodyParserError("body-parser/multipart-tmp-write",
+                      "multipart tmp write failed: " + ((e && e.message) || String(e)),
+                      true, 500));
+                    return;
                   }
-                } catch (e) {
-                  done(new BodyParserError("body-parser/multipart-tmp-write",
-                    "multipart tmp write failed: " + ((e && e.message) || String(e)),
-                    true, 500));
-                  return;
+                } else {
+                  currentBuf.push(bodyChunk);
                 }
                 currentHash.update(bodyChunk);
               } else {
@@ -1067,17 +1092,27 @@ async function _parseMultipart(req, opts, ctParams) {
             if (currentDiscarded) {
               // fileFilter rejected — already recorded in filesRejected; no
               // tmp file was opened, nothing to clean up here.
-            } else if (currentFd !== null) {
-              try { nodeFs.closeSync(currentFd); } catch (_e) { /* fd already closed */ }
-              currentFd = null;
-              files.push({
+            } else if (currentIsFile) {
+              // Stable shape across both modes: disk gets path (buffer null),
+              // memory gets buffer (path null). Operators branch on whichever
+              // is non-null.
+              var fileEntry = {
                 field:    currentField,
                 filename: currentFilename,
                 mimeType: currentMime,
-                path:     currentTmpPath,
+                path:     null,
+                buffer:   null,
                 size:     currentSize,
                 hash:     currentHash.digest("hex"),
-              });
+              };
+              if (currentFd !== null) {
+                try { nodeFs.closeSync(currentFd); } catch (_e) { /* fd already closed */ }
+                currentFd = null;
+                fileEntry.path = currentTmpPath;
+              } else {
+                fileEntry.buffer = Buffer.concat(currentBuf);
+              }
+              files.push(fileEntry);
             } else {
               // Field part — flatten + decode UTF-8.
               var fbuf = Buffer.concat(currentBuf);
@@ -1106,6 +1141,7 @@ async function _parseMultipart(req, opts, ctParams) {
             currentSize = 0;
             currentHash = null;
             currentBuf = null;
+            currentIsFile = false;
             currentDiscarded = false;
             currentEffectiveLimit = 0;
             state = MP_AFTER_BD;
@@ -1159,11 +1195,13 @@ async function _parseMultipart(req, opts, ctParams) {
  * sub-parsers ship: JSON (via `safe-json` — POISONED_KEYS stripped,
  * depth + size caps), urlencoded, text, raw octet-stream, and
  * multipart/form-data. Multipart streams file parts to a tmp dir
- * with per-file + total-request size caps, filename sanitization,
- * SHA3-512 hashing during streaming, and tmp-file cleanup on
- * response end. Defends against RFC 9112 §6.1 request smuggling
- * before any body bytes are read. Each sub-parser can be disabled
- * by passing `false` in its slot.
+ * (`storage: "disk"`, default) or buffers them in RAM
+ * (`storage: "memory"` — for read-only / serverless filesystems,
+ * exposing `req.files[].buffer` instead of `.path`), with per-file +
+ * total-request size caps, filename sanitization, SHA3-512 hashing
+ * during streaming, and tmp-file cleanup on response end. Defends
+ * against RFC 9112 §6.1 request smuggling before any body bytes are
+ * read. Each sub-parser can be disabled by passing `false` in its slot.
  *
  * @opts
  *   {
@@ -1172,8 +1210,8 @@ async function _parseMultipart(req, opts, ctParams) {
  *     text:        false | { limit, charset, contentTypes },
  *     raw:         false | { limit, contentTypes },
  *     multipart:   false | {
- *       tmpDir, fileSize, totalSize, fileCount, fieldCount, fieldSize,
- *       mimeAllowlist, fileFilter, fields, audit, contentTypes,
+ *       storage, tmpDir, fileSize, totalSize, fileCount, fieldCount,
+ *       fieldSize, mimeAllowlist, fileFilter, fields, audit, contentTypes,
  *     },
  *     keepRawBody: boolean,    // expose req.bodyRaw for webhook signing
  *   }
@@ -1202,6 +1240,11 @@ function create(opts) {
   var textOpts        = _resolve("text");
   var rawOpts         = _resolve("raw");
   var multipartOpts   = _resolve("multipart");
+  if (multipartOpts && multipartOpts.storage !== "disk" && multipartOpts.storage !== "memory") {
+    throw new TypeError(
+      "middleware.bodyParser: multipart.storage must be \"disk\" or \"memory\" (got " +
+      JSON.stringify(multipartOpts.storage) + ")");
+  }
   var keepRawBody     = !!opts.keepRawBody;
 
   return async function bodyParser(req, res, next) {
@@ -1255,7 +1298,10 @@ function create(opts) {
           if (cleanedUp) return;
           cleanedUp = true;
           for (var i = 0; i < mpResult.files.length; i++) {
-            try { nodeFs.unlinkSync(mpResult.files[i].path); } catch (_e) { /* tmp file already removed */ }
+            // Memory-mode files (storage: "memory") have no path — nothing to unlink.
+            if (mpResult.files[i].path) {
+              try { nodeFs.unlinkSync(mpResult.files[i].path); } catch (_e) { /* tmp file already removed */ }
+            }
           }
         }
         res.on("finish", cleanup);

package/lib/template.js

@@ -105,6 +105,13 @@ var sandboxModule = lazyRequire(function () { return require("./sandbox"); });
 // never hits it, low enough to bound a malicious / misconfigured cycle.
 var MAX_TEMPLATE_DEPTH = 0x10;
 
+// Byte cap for STRING-sourced templates (compileString / renderString),
+// which accept operator-supplied — potentially untrusted — source. The
+// file path renders trusted files on disk and is uncapped. The cap bounds
+// the tokenizer / parser cost (and any pathological tag stream) on hostile
+// string input; operators override per call with `opts.maxBytes`.
+var DEFAULT_STRING_TEMPLATE_BYTES = require("./constants").BYTES.kib(256);
+
 // ============================================================
 // HTML escape (exported)
 // ============================================================
@@ -176,11 +183,44 @@ function _resolvePartialPath(viewsDir, partialName) {
 // ============================================================
 
 var EXTENDS_RE = /^\s*\{%\s*extends\s+"([^"]+)"\s*%\}\s*/;
-var BLOCK_FULL_RE = /\{%\s*block\s+([A-Za-z_][A-Za-z0-9_-]*)\s*%\}([\s\S]*?)\{%\s*endblock\s*%\}/g;
+// Block open / endblock as one alternation of two fixed-shape tags (no
+// nested quantifiers, disjoint character classes → linear). The prior
+// single `{% block %}…{% endblock %}` regex used a lazy `[\s\S]*?` span
+// under the global flag, which is polynomial (O(n^2)) on input with many
+// unclosed block-opens — a ReDoS now that `renderString` feeds untrusted
+// string templates through here. Group 1 (the block name) is present only
+// on the open branch, which distinguishes open from close in the walk.
+var BLOCK_TAG_RE = /\{%\s*block\s+([A-Za-z_][A-Za-z0-9_-]*)\s*%\}|\{%\s*endblock\s*%\}/g;
+
+// Single linear left-to-right pass: pair each {% block NAME %} with the
+// next {% endblock %} (no nesting — the first endblock closes, matching
+// the prior lazy semantics) and replace the span with replacer(name,
+// content). `matchAll` walks the tag stream once; no backtracking.
+function _replaceBlocks(source, replacer) {
+  var out = "";
+  var pos = 0;
+  var openMatch = null;
+  var iter = source.matchAll(BLOCK_TAG_RE);
+  var m = iter.next();
+  while (!m.done) {
+    var tag = m.value;
+    if (tag[1] !== undefined) {           // open tag (block name captured)
+      if (!openMatch) openMatch = tag;    // ignore nested opens until the close
+    } else if (openMatch) {               // close tag with an open pending
+      var contentStart = openMatch.index + openMatch[0].length;
+      out += source.slice(pos, openMatch.index) +
+             replacer(openMatch[1], source.slice(contentStart, tag.index));
+      pos = tag.index + tag[0].length;
+      openMatch = null;
+    }
+    m = iter.next();
+  }
+  return out + source.slice(pos);
+}
 
 function _extractBlocks(source) {
   var blocks = {};
-  var rest = source.replace(BLOCK_FULL_RE, function (_match, name, content) {
+  var rest = _replaceBlocks(source, function (name, content) {
     blocks[name] = content;
     return "";
   });
@@ -188,14 +228,16 @@ function _extractBlocks(source) {
 }
 
 function _substituteBlocks(parentSource, childBlocks) {
-  return parentSource.replace(BLOCK_FULL_RE, function (_match, name, defaultContent) {
+  return _replaceBlocks(parentSource, function (name, defaultContent) {
     return Object.prototype.hasOwnProperty.call(childBlocks, name)
       ? childBlocks[name]
       : defaultContent;
   });
 }
 
-function _resolveExtends(viewsDir, source) {
+// `loadView(name)` returns the source string for a parent layout (the
+// file path reads it from viewsDir; the string path calls opts.resolve).
+function _resolveExtends(loadView, source) {
   // Walk UP the extends chain accumulating block overrides. Closer-to-
   // leaf overrides win; each parent's blocks fill in only the names the
   // chain hasn't already set. When the chain hits a template with no
@@ -226,8 +268,10 @@ function _resolveExtends(viewsDir, source) {
         allOverrides[k] = extracted.blocks[k];
       }
     }
-    var parentPath = _resolveViewPath(viewsDir, parentName);
-    current = nodeFs.readFileSync(parentPath, "utf8");
+    current = loadView(parentName);
+    if (typeof current !== "string") {
+      throw new Error("template: {% extends \"" + parentName + "\" %} could not be resolved");
+    }
     depth++;
   }
   return _substituteBlocks(current, allOverrides);
@@ -237,15 +281,18 @@ function _resolveExtends(viewsDir, source) {
 // Partial inlining (post-extends, pre-tokenize)
 // ============================================================
 
-function _inlinePartials(viewsDir, source, depth) {
+// `loadPartial(name)` returns the partial source string, or null/undefined
+// when the partial is absent (the file path resolves <viewsDir>/partials;
+// the string path calls opts.resolve).
+function _inlinePartials(loadPartial, source, depth) {
   if (depth > MAX_TEMPLATE_DEPTH) {
     throw new Error("template: partial recursion depth exceeded " + MAX_TEMPLATE_DEPTH +
       " — possible cycle");
   }
   return source.replace(/\{\{>\s*([A-Za-z_][A-Za-z0-9_-]*)\s*\}\}/g, function (_, name) {
-    var p = _resolvePartialPath(viewsDir, name);
-    if (!p) return "";   // missing partial → silent empty so a stale `{{> name}}` reference doesn't crash the render
-    return _inlinePartials(viewsDir, nodeFs.readFileSync(p, "utf8"), depth + 1);
+    var sub = loadPartial(name);
+    if (typeof sub !== "string") return "";   // missing partial → silent empty so a stale `{{> name}}` reference doesn't crash the render
+    return _inlinePartials(loadPartial, sub, depth + 1);
   });
 }
 
@@ -739,20 +786,28 @@ function _evalBlock(nodes, scopes, escFn) {
  * @since     0.1.0
  * @related   b.template.render, b.template.escapeHtml
  *
- * Builds an engine instance bound to `opts.viewsDir`. The returned
- * object exposes `render(viewName, data?)` for one-shot rendering,
+ * Builds an engine instance. With `opts.viewsDir` the returned object
+ * exposes `render(viewName, data?)` for one-shot rendering,
  * `compile(viewName)` for AST-only access (caches under viewName),
  * `precompileAll()` for boot-time validation of every `.html` file
  * under `viewsDir`, and `reset()` to drop the AST cache (useful in
  * live-reload workflows).
  *
+ * `viewsDir` is optional: an engine created without it serves from a
+ * source STRING via `renderString(source, data?, opts?)` and
+ * `compileString(source, opts?)` — the read-only / serverless path with
+ * no disk read. `{% extends %}` and `{{> partial}}` in a string source
+ * resolve through `opts.resolve(name) -> string` (without it, an extends
+ * throws and a missing partial inlines empty). The file-backed
+ * render/compile/precompileAll refuse when no `viewsDir` is configured.
+ *
  * View names are resolved against `viewsDir`; names containing `..`
  * or NUL are refused, and resolved paths outside `viewsDir` throw.
  * Layout-extends and partial-inclusion recursion are bounded at
  * depth 16 to defend against accidental cycles.
  *
  * @opts
- *   viewsDir:        string,                       // required — absolute or cwd-relative directory of .html templates
+ *   viewsDir:        string,                       // optional — directory of .html templates; omit for string-only (renderString) use
  *   cache:           boolean,                      // default true; set false for live-reload
  *   escapeHtml:      function (value) → string,    // override the default 5-character HTML escape
  *   sandbox:         boolean,                      // when true, sandboxHelpers run through b.sandbox.run
@@ -768,13 +823,16 @@ function _evalBlock(nodes, scopes, escFn) {
 function create(opts) {
   opts = opts || {};
   validateOpts(opts, ["viewsDir", "cache", "escapeHtml", "sandbox", "sandboxHelpers", "sandboxOpts"], "b.template");
-  if (!opts.viewsDir) {
-    throw new Error("template.create({ viewsDir }) is required");
-  }
-  if (!nodeFs.existsSync(opts.viewsDir)) {
-    throw new Error("template: viewsDir does not exist: " + opts.viewsDir);
+  // viewsDir is optional: an engine created without it serves string
+  // sources via renderString / compileString (the serverless / read-only-FS
+  // path) — the file-backed render / compile / precompileAll then refuse.
+  var viewsDir = null;
+  if (opts.viewsDir) {
+    if (!nodeFs.existsSync(opts.viewsDir)) {
+      throw new Error("template: viewsDir does not exist: " + opts.viewsDir);
+    }
+    viewsDir = nodePath.resolve(opts.viewsDir);
   }
-  var viewsDir = nodePath.resolve(opts.viewsDir);
   var cacheOn = opts.cache !== false;
   var customEscape = typeof opts.escapeHtml === "function" ? opts.escapeHtml : escapeHtml;
   var astCache = {};
@@ -820,12 +878,23 @@ function create(opts) {
     }
   }
 
+  // File-backed load callbacks for the extends/partial resolvers.
+  function _loadViewFile(name) {
+    return nodeFs.readFileSync(_resolveViewPath(viewsDir, name), "utf8");
+  }
+  function _loadPartialFile(name) {
+    var p = _resolvePartialPath(viewsDir, name);
+    return p ? nodeFs.readFileSync(p, "utf8") : null;
+  }
+
   function compile(viewName) {
+    if (!viewsDir) {
+      throw new Error("template: viewsDir not configured — use renderString/compileString for string sources");
+    }
     if (cacheOn && astCache[viewName]) return astCache[viewName];
-    var viewPath = _resolveViewPath(viewsDir, viewName);
-    var source = nodeFs.readFileSync(viewPath, "utf8");
-    source = _resolveExtends(viewsDir, source);
-    source = _inlinePartials(viewsDir, source, 0);
+    var source = nodeFs.readFileSync(_resolveViewPath(viewsDir, viewName), "utf8");
+    source = _resolveExtends(_loadViewFile, source);
+    source = _inlinePartials(_loadPartialFile, source, 0);
     var tokens = _tokenize(source);
     var ast = _parseTokens(tokens);
     if (cacheOn) astCache[viewName] = ast;
@@ -837,6 +906,68 @@ function create(opts) {
     return _evalBlock(ast.body, [data || {}], customEscape);
   }
 
+  // ---- String-source variants (serverless / read-only FS): compile and
+  // render from a source STRING with no viewsDir disk read. `{% extends %}`
+  // and `{{> partial}}` resolve through an operator-supplied
+  // `sopts.resolve(name) -> string` callback; without it, an extends in
+  // the source throws and a missing partial inlines empty (same as the
+  // file path). No caching — string sources are ad-hoc.
+  function _stringLoaders(sopts, maxBytes) {
+    var resolve = sopts && sopts.resolve;
+    if (resolve !== undefined && typeof resolve !== "function") {
+      throw new Error("template.compileString: opts.resolve must be a function (name) => string");
+    }
+    function _capped(s, what) {
+      if (typeof s === "string" && Buffer.byteLength(s, "utf8") > maxBytes) {
+        throw new Error("template.compileString: " + what + " exceeds maxBytes=" + maxBytes);
+      }
+      return s;
+    }
+    var loadView = function (name) {
+      var s = resolve ? resolve(name) : undefined;
+      if (typeof s !== "string") {
+        throw new Error("template.compileString: {% extends \"" + name +
+          "\" %} needs opts.resolve(name) to return the layout source");
+      }
+      return _capped(s, "resolved layout '" + name + "'");
+    };
+    var loadPartial = function (name) {
+      var s = resolve ? resolve(name) : null;
+      return typeof s === "string" ? _capped(s, "resolved partial '" + name + "'") : null;
+    };
+    return { loadView: loadView, loadPartial: loadPartial };
+  }
+
+  function compileString(source, sopts) {
+    if (typeof source !== "string") {
+      throw new Error("template.compileString(source): source must be a string");
+    }
+    var maxBytes = (sopts && typeof sopts.maxBytes === "number") ? sopts.maxBytes : DEFAULT_STRING_TEMPLATE_BYTES;
+    if (Buffer.byteLength(source, "utf8") > maxBytes) {
+      throw new Error("template.compileString: source exceeds maxBytes=" + maxBytes +
+        " — string templates are bounded against hostile input; raise opts.maxBytes if intentional");
+    }
+    var ld = _stringLoaders(sopts, maxBytes);
+    var resolved = _resolveExtends(ld.loadView, source);
+    resolved = _inlinePartials(ld.loadPartial, resolved, 0);
+    return _parseTokens(_tokenize(resolved));
+  }
+
+  function renderString(source, data, sopts) {
+    // Disambiguate the optional middle arg: `renderString(source, { resolve })`
+    // — a 2nd arg carrying a function-valued `resolve` and no 3rd arg is the
+    // opts object, not render data (template data values are rendered, not
+    // called, so a function `resolve` is unambiguously the resolver). This
+    // lets a layout/partial template with no data omit the data placeholder.
+    if (sopts === undefined && data && typeof data === "object" &&
+        typeof data.resolve === "function") {
+      sopts = data;
+      data = undefined;
+    }
+    var ast = compileString(source, sopts);
+    return _evalBlock(ast.body, [data || {}], customEscape);
+  }
+
   function reset() { astCache = {}; }
 
   // Walk viewsDir, compile every .html file. Surfaces parse errors at
@@ -845,6 +976,9 @@ function create(opts) {
   // a typo like `{% if not foo %}` fails the deploy, not the user.
   // Returns the list of view names compiled.
   function precompileAll() {
+    if (!viewsDir) {
+      throw new Error("template: viewsDir not configured — precompileAll requires a views directory");
+    }
     var compiled = [];
     function walk(dir, prefix) {
       var entries = nodeFs.readdirSync(dir, { withFileTypes: true });
@@ -878,6 +1012,8 @@ function create(opts) {
   return {
     compile:        compile,
     render:         render,
+    compileString:  compileString,
+    renderString:   renderString,
     reset:          reset,
     precompileAll:  precompileAll,
     viewsDir:       viewsDir,