@blamejs/core 0.13.22 → 0.13.24

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.24 (2026-05-28) — **`b.guard*` docs corrected: the compliance-posture opt key, the gate API, and validate return shapes.** Documentation corrections across the b.guard* family. The most consequential: the posture-selection option was documented as `compliance:` in many guards' @opts, but the working key is `compliancePosture:` — passing the documented `{ compliance: "hipaa" }` was silently ignored, so a compliance posture (e.g. HIPAA PII redaction) never activated. If you select a posture via the gate/validate/sanitize options, use `compliancePosture:`; `compliance:` had no effect. The guard docs now name the correct key uniformly. Also corrected: gate examples and prose that invoked the gate as a callable or via `.run` / `.inspect` (the gate is an object whose method is `.check(ctx)`), and validate() return shapes that listed `severities` / `summary` / `refusal` fields the function never returned (it returns `{ ok, issues }`). **Fixed:** *guard posture option is `compliancePosture:`, not `compliance:`* — Many `b.guard*` primitives documented the compliance-posture selector as `compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2"` in their `@opts`, but the family resolver reads `compliancePosture:`. Passing `{ compliance: "hipaa" }` was accepted and silently ignored — the posture overlay (e.g. CSV `piiPolicy: "redact"` under HIPAA) never applied, leaving the default policy in force. The docs across the guard family now name `compliancePosture:` consistently (the key the resolver and `b.guardX.compliancePosture(name)` already used). Action: if you selected a posture with `compliance:`, switch to `compliancePosture:` — the posture was not taking effect before. · *guard gate is an object with `.check(ctx)`, not a callable* — Several guards' gate `@example`s and prose invoked the gate as a function (`g({...})`), via `.run(...)`, or via `.inspect(...)`, and a few described it as "an async function". `b.guardX.gate(opts)` returns an object whose async method is `.check(ctx)`; the examples and prose now use `.check`, so they run as written. · *guard validate() returns `{ ok, issues }`* — Several guards documented `validate()` as returning `{ ok, issues, severities }`, `{ ok, issues, summary }`, or `{ ok, issues, refusal? }`. The function returns `{ ok, issues }` (each issue carries its own `severity` / `kind`); the documented extra top-level fields were never present. The docs now state the actual shape.
+
+- v0.13.23 (2026-05-28) — **Documentation corrected to match actual behavior across several primitives.** A set of JSDoc / doc-comment corrections where the documented contract had drifted from what the code does. No behavior changes — the implementations already behaved as now documented; only the docs were wrong. The most operator-relevant is the JWT signer doc: an expiring token signed without an explicit jti receives an auto-minted 128-bit jti (so the replay-defense path has the jti it needs), which the sign-opts doc previously denied. Also corrected: did.resolve's unsupported-method error now names did:jwk (always supported); b.cose.verify is marked stable to match its stable sign sibling and the CWT / EAT / SCITT / mdoc verifiers built on it; b.linkHeader.serialize's doc now states every parameter value is double-quoted; b.auth.saml verifyResponse's documented return shape now lists inResponseTo and issuer (both always returned); and the rate-limit custom-backend contract drops a gc member the middleware never invoked. **Fixed:** *JWT signer doc now describes the auto-minted jti on expiring tokens* — `b.auth.jwt.sign`'s opts doc claimed that omitting `jti` adds no jti. In fact, when a token carries an `exp` and no operator-supplied `jti`, the signer auto-mints a random 128-bit `jti` so a replay-protected token always carries the identifier `verify`'s replay store requires. The doc now describes this; pass an explicit `jti` for a deterministic value. Behavior is unchanged. · *`b.did.resolve` unsupported-method error now names did:jwk* — The thrown error for an unsupported DID method listed only `did:key` and `did:web`, omitting `did:jwk`, which `resolve` fully supports. The message now reads `(did:key, did:jwk, and did:web only)`. · *`b.cose.verify` marked stable* — `b.cose.verify` carried `@status experimental` while its `b.cose.sign` sibling is stable and the CWT / EAT / SCITT / mdoc verifiers that depend on it are stable and shipped. The verifier is the same maturity as the rest of the COSE_Sign1 round-trip; its status now reflects that. · *`b.linkHeader.serialize` doc matches its quoting behavior* — The doc said parameters are token-encoded when they fit RFC 7230 token grammar and double-quoted otherwise. The serializer always double-quotes every value (valid under RFC 8288, and required for space-separated multi-rel and media-type values). The doc now states that. · *`b.auth.saml` verifyResponse documented return shape lists all fields* — The prose and the example each omitted a different field that `verifyResponse` always returns. The documented shape now lists all of `nameId`, `nameIdFormat`, `sessionIndex`, `attributes`, `audience`, `inResponseTo`, and `issuer`. · *rate-limit custom-backend contract is `{ take, reset }`* — The custom-backend opts doc listed a `gc` member that the middleware never reads or invokes (the runtime contract is `take` / `reset` / `close`, and the error message already said `{ take, reset }`). The documented shape now matches; an operator-supplied `gc` was always silently ignored. · *`b.mail.agent.create` doc no longer lists consumer as a method* — The created agent's method list named `consumer`, which is not a method on the returned object — the queue consumer is the sibling export `b.mail.agent.consumer`. The doc now says so.
+
 - v0.13.22 (2026-05-27) — **`b.archive.read.zip.fromTrustedStream` reads a ZIP from a Readable — no longer an experimental stub.** fromTrustedStream was an experimental stub whose inspect / entries / extract methods threw, forcing callers to buffer the stream themselves and use the random-access reader. It now works, with the same shape as the tar trusted-stream reader: pass b.archive.adapters.trustedStream(readable) and the bytes are collected into a size-capped buffer (1 GiB hard ceiling) and read through the same bomb-cap, path-traversal, and entry-type decode as the random-access reader — so bombPolicy, guardProfile, entryTypePolicy, and audit all apply, and inspect / entries / extract / extractEntries all return data. This is a bounded-memory reader (the archive is held in memory under the ceiling), not zero-buffer streaming; a future forward-inflate walker shared with the tar reader would lift the ceiling. **Added:** *`b.archive.read.zip.fromTrustedStream` now reads — `inspect` / `entries` / `extract` / `extractEntries`* — The ZIP trusted-stream reader is implemented (was an experimental stub that threw). Pass `b.archive.adapters.trustedStream(readable)` to read a ZIP straight from a Node Readable without buffering it yourself. The stream is collected into a size-capped buffer (1 GiB ceiling, matching `b.archive.read.tar`'s trusted-stream reader) and decoded through the same adversarial-safe path as the random-access reader, so `bombPolicy` / `guardProfile` / `entryTypePolicy` / `audit` are honored on decode. Adversarial archives remain fully bomb-capped; "trusted" refers only to the source-size bound. A non-trusted-stream adapter is refused with `archive-read/bad-adapter`.
 
 - v0.13.21 (2026-05-27) — **`b.cose.exportKey` — serialize a public key as a COSE_Key, the inverse of `b.cose.importKey`.** b.cose could import a COSE_Key (RFC 9052 §7) into a node:crypto key for verification, but had no way to produce one — so a key used with b.cose.sign could not be shipped to a verifier in COSE form without hand-building the CBOR map. b.cose.exportKey(keyObject, opts?) closes the round-trip: it serializes an EC2 (P-256 / P-384 / P-521) or OKP (Ed25519) public key as the CBOR-encoded COSE_Key map, with optional alg and kid common parameters. A private key has its public half exported; unsupported curves / key types are refused rather than emitting a COSE_Key no verifier here would accept. The bytes round-trip through b.cose.importKey, and feed the mdoc MSO / COSE_Key header / SCITT / C2PA verification-key paths. **Added:** *`b.cose.exportKey(keyObject, { alg?, kid? })` — KeyObject → COSE_Key (RFC 9052 §7)* — Serialize a `node:crypto` public key as the CBOR-encoded COSE_Key map — the inverse of `b.cose.importKey`. Supports EC2 (P-256 / P-384 / P-521) and OKP (Ed25519), the same key types `b.cose.verify` accepts; `opts.alg` (e.g. `"ES256"`) and `opts.kid` populate the COSE_Key alg (label 3) and kid (label 2) common parameters. A private key exports its public half; unsupported curves / key types throw rather than producing a COSE_Key no verifier would accept. `b.cose.importKey(b.cbor.decode(exportKey(k)))` round-trips, so a key signed with `b.cose.sign` can be shipped to a verifier as bytes — the mdoc MSO / COSE_Key header / SCITT / C2PA verification-key paths.

package/lib/archive-wrap.js

@@ -370,7 +370,7 @@ function sniffEnvelope(bytes) {
  * @signature b.archive.wrapWithPassphrase(bytes, opts)
  * @since     0.12.11
  * @status    stable
- * @related   b.archive.unwrapWithPassphrase, b.archive.wrap, b.backupCrypto
+ * @related   b.archive.unwrapWithPassphrase, b.archive.wrap
  *
  * Wrap archive bytes in a passphrase-derived envelope. The envelope
  * wire format is the framework's standard Argon2id (RFC 9106) +

package/lib/auth/jwt.js

@@ -48,10 +48,13 @@
  *   subject:      claims.sub override
  *   expiresInSec: relative exp (claims.exp = now + expiresInSec)
  *   notBeforeSec: relative nbf (claims.nbf = now + notBeforeSec)
- *   jti:          claims.jti override (string; if missing, no jti is added —
- *                  the framework doesn't auto-mint without an operator request
- *                  since jti has uniqueness/replay-tracking semantics that
- *                  belong at the application layer)
+ *   jti:          claims.jti override (string). When omitted, a random
+ *                  128-bit jti is auto-minted if (and only if) the token
+ *                  carries an exp — so a replay-protected token always
+ *                  has the jti the verifier's replay store requires,
+ *                  closing the silent hole where a sign without jti would
+ *                  never replay-protect. Pass an explicit jti for a
+ *                  deterministic value.
  *   now:          test-time clock injection (epoch milliseconds)
  *
  * Verify opts:

package/lib/auth/saml.js

@@ -415,7 +415,7 @@ function create(opts) {
    * (Response-level OR Assertion-level signature), the assertion's
    * SubjectConfirmation Bearer constraints, and Conditions audience
    * + time bounds. Returns `{ nameId, nameIdFormat, sessionIndex,
-   * attributes, audience, inResponseTo }`.
+   * attributes, audience, inResponseTo, issuer }`.
    *
    * @opts
    *   {
@@ -428,7 +428,7 @@ function create(opts) {
    *     var info = sp.verifyResponse(req.body.SAMLResponse, {
    *       expectedInResponseTo: req.session.samlRequestId,
    *     });
-   *     // → { nameId, nameIdFormat, sessionIndex, attributes, audience, issuer }
+   *     // → { nameId, nameIdFormat, sessionIndex, attributes, audience, inResponseTo, issuer }
    *   });
    */
   function verifyResponse(samlResponseB64, vopts) {

package/lib/cose.js

@@ -227,7 +227,7 @@ async function sign(payload, opts) {
  * @primitive b.cose.verify
  * @signature b.cose.verify(coseSign1, opts)
  * @since     0.12.33
- * @status    experimental
+ * @status    stable
  * @related   b.cose.sign, b.cbor.decode
  *
  * Verify a COSE_Sign1 (RFC 9052) and return its payload + headers.

package/lib/did.js

@@ -365,7 +365,7 @@ function resolve(did, opts) {
     return { didDocument: docW, verificationMethods: _extractVerificationMethods(docW) };
   }
 
-  throw new DidError("did/unsupported-method", "did.resolve: unsupported DID method '" + parsed.method + "' (did:key and did:web only)");
+  throw new DidError("did/unsupported-method", "did.resolve: unsupported DID method '" + parsed.method + "' (did:key, did:jwk, and did:web only)");
 }
 
 // Import a publicKeyJwk after allowlisting its kty/crv — a DID document

package/lib/guard-archive.js

@@ -650,7 +650,7 @@ function _detectIssues(entries, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   traversalPolicy:                "reject"|"audit"|"allow",
  *   absolutePathPolicy:             "reject"|"audit"|"allow",
  *   symlinkPolicy:                  "reject"|"audit"|"allow",
@@ -723,7 +723,7 @@ function validateEntries(entries, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,
  *   ...:        any validateEntries opt
  *

package/lib/guard-auth.js

@@ -34,7 +34,7 @@
  *
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance postures:
  *   `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select via
- *   `{ profile: "strict" }` or `{ compliance: "hipaa" }`; postures
+ *   `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`; postures
  *   overlay on the profile baseline.
  *
  * @card
@@ -205,7 +205,7 @@ function _detectIssues(bundle, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardAuth.sanitize, b.guardAuth.gate, b.guardJwt.validate, b.guardOauth.validate
  *
- * Inspect an auth-bundle object and return `{ ok, issues, summary }`.
+ * Inspect an auth-bundle object and return `{ ok, issues }`.
  * Each issue carries `{ kind, severity, ruleId, source, snippet }`
  * with severity in `"warn"|"high"|"critical"` and `source` tagging
  * the sub-guard that raised it (`"jwt"` / `"oauth"` / `"cookies"` /
@@ -219,7 +219,7 @@ function _detectIssues(bundle, opts) {
  *
  * @opts
  *   profile:           "strict"|"balanced"|"permissive",
- *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   childProfile:      "strict"|"balanced"|"permissive",   // forwarded to guardJwt / guardOauth
  *   requireAtLeastOne: boolean,
  *   allowedRedirectUris: string[],   // forwarded to guardOauth
@@ -256,7 +256,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *
  * @example
  *   var clean = b.guardAuth.sanitize({
@@ -300,7 +300,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *   childProfile: "strict"|"balanced"|"permissive",
  *   allowedRedirectUris: string[],

package/lib/guard-cidr.js

@@ -437,7 +437,7 @@ function _detectIssues(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardCidr.sanitize, b.guardCidr.gate
  *
- * Inspect a CIDR notation string and return `{ ok, issues, summary }`.
+ * Inspect a CIDR notation string and return `{ ok, issues }`.
  * Each issue carries `{ kind, severity, ruleId, snippet }` with
  * severity in `"warn"|"high"|"critical"`. Detected: malformed address
  * shape, octet-out-of-range, mask-out-of-range, network-address
@@ -448,7 +448,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   family:     "either"|"ipv4-only"|"ipv6-only",
  *   networkAlignmentPolicy: "reject"|"audit"|"allow",
  *   reservedRangesPolicy:   "reject"|"audit"|"allow",
@@ -496,7 +496,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *
  * @example
  *   var safe = b.guardCidr.sanitize("2001:DB8::/32", { profile: "permissive" });
@@ -542,7 +542,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *   family:     "either"|"ipv4-only"|"ipv6-only",
  *

package/lib/guard-csv.js

@@ -43,7 +43,7 @@
  *   Profiles: `strict` / `balanced` / `permissive` /
  *   `email-attachment`. Compliance postures: `hipaa` / `pci-dss` /
  *   `gdpr` / `soc2`. Operators select via `{ profile: "strict" }` or
- *   `{ compliance: "hipaa" }`; postures overlay on top of the
+ *   `{ compliancePosture: "hipaa" }`; postures overlay on top of the
  *   profile baseline.
  *
  *   Threat-detection regex literals are composed programmatically
@@ -696,7 +696,7 @@ function schema(spec) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive"|"email-attachment",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   headers:    string[]|false,    // explicit column order; false suppresses header row
  *   delimiter:  string,            // default ","
  *   lineEnding: string,            // default "\r\n"
@@ -802,7 +802,7 @@ function serialize(rows, opts) {
  * @related    b.guardCsv.sanitize, b.guardCsv.gate
  *
  * Inspect `input` (string or Buffer of CSV text) and return
- * `{ ok, issues, summary }`. Each issue carries `{ kind, severity,
+ * `{ ok, issues }`. Each issue carries `{ kind, severity,
  * ruleId, location, snippet }` with severity in
  * `"warn"|"high"|"critical"`. Detected: BOM mid-stream, Unicode
  * bidi override (CVE-2021-42574), C0 control char, null byte,
@@ -813,7 +813,7 @@ function serialize(rows, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive"|"email-attachment",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiCharPolicy:        "reject"|"strip"|"audit"|"allow",
  *   controlCharPolicy:     "reject"|"strip"|"allow",
  *   nullByteHandling:      "reject"|"strip"|"allow",
@@ -860,7 +860,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive"|"email-attachment",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiCharPolicy:    "reject"|"strip"|"audit"|"allow",
  *   controlCharPolicy: "reject"|"strip"|"allow",
  *   nullByteHandling:  "reject"|"strip"|"allow",
@@ -981,7 +981,7 @@ function detect(input) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive"|"email-attachment",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *   operatorRules: [{ id: string, severity: "warn"|"high"|"critical",
  *                    detect: function, reason: string }],

package/lib/guard-domain.js

@@ -563,7 +563,7 @@ function _detectIssues(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardDomain.sanitize, b.guardDomain.gate
  *
- * Inspect a domain-name string and return `{ ok, issues, summary }`.
+ * Inspect a domain-name string and return `{ ok, issues }`.
  * Each issue carries `{ kind, severity, ruleId, snippet }` with
  * severity in `"warn"|"high"|"critical"`. Detected: domain/label
  * length cap (RFC 1035 §2.3.4), LDH violation, IDN A-label
@@ -575,7 +575,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ldhPolicy:           "reject"|"audit"|"allow",
  *   punycodePolicy:      "reject"|"audit"|"allow",
  *   mixedScriptPolicy:   "reject"|"audit"|"allow",
@@ -635,7 +635,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *
  * @example
  *   var safe = b.guardDomain.sanitize("Example.Com.", { profile: "balanced" });
@@ -677,7 +677,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *
  * @example

package/lib/guard-email.js

@@ -840,9 +840,10 @@ function sanitize(input, opts) {
  * @status    stable
  * @related   b.guardEmail.validateMessage, b.guardEmail.sanitize, b.guardAll.gate
  *
- * Build a guard gate function compatible with the `b.guardAll` family
- * dispatch. The returned async gate accepts a request-shaped context,
- * runs `validateMessage` against the extracted bytes, and returns
+ * Build a guard gate compatible with the `b.guardAll` family
+ * dispatch. The returned gate's async `check(ctx)` method accepts a
+ * request-shaped context, runs `validateMessage` against the extracted
+ * bytes, and returns
  * `{ ok, action, issues? }` where `action` is `serve` (no issues),
  * `audit-only` (warn-level), or `refuse` (high / critical severity).
  *
@@ -854,11 +855,11 @@ function sanitize(input, opts) {
  * @example
  *   var guardEmail = require("./lib/guard-email");
  *   var g = guardEmail.gate({ profile: "strict" });
- *   typeof g;               // → "function"
+ *   typeof g.check;         // → "function"
  *
  *   var msg = "From: alice@example.com\r\nTo: bob@example.com\r\n" +
  *             "Subject: hi\r\nDate: Mon, 5 May 2026 10:00:00 +0000\r\n\r\nbody\r\n";
- *   g({ body: Buffer.from(msg, "utf8") }).then(function (rv) {
+ *   g.check({ body: Buffer.from(msg, "utf8") }).then(function (rv) {
  *     rv.action;            // → "serve"
  *   });
  */

package/lib/guard-filename.js

@@ -634,7 +634,7 @@ function _sanitize(input, opts) {
  * @related    b.guardFilename.sanitize, b.guardFilename.gate
  *
  * Inspect a filename (string or Buffer) and return
- * `{ ok, issues, summary }`. Each issue carries
+ * `{ ok, issues }`. Each issue carries
  * `{ kind, severity, ruleId, location, snippet }` with severity in
  * `"warn"|"high"|"critical"`. Detected: path-traversal raw and
  * percent-encoded, null-byte truncation, NTFS ADS, UNC path,
@@ -647,7 +647,7 @@ function _sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:           "reject"|"strip"|"allow",
  *   controlPolicy:        "reject"|"strip"|"allow",
  *   nullBytePolicy:       "reject",                       // always reject
@@ -759,7 +759,7 @@ function _sanitizeStripMode(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   mode:       "enforce"|"strip",
  *   audit:      { safeEmit: function },     // optional sink for strip mode
  *   unicodeNormalization: "NFC"|null,
@@ -820,7 +820,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *
  * @example

package/lib/guard-graphql.js

@@ -458,7 +458,7 @@ function _detectIssues(req, opts) {
  * @related    b.guardGraphql.sanitize, b.guardGraphql.gate
  *
  * Apply the full guard-graphql threat catalog to a request bundle
- * (or batch array). Returns `{ ok, issues, refusal? }` per
+ * (or batch array). Returns `{ ok, issues }` per
  * `gateContract.aggregateIssues`. Detected classes include
  * `query-missing`, `query-cap`, `variables-cap`, `request-cap`,
  * `batch-size`, `introspection`, `persisted-query-missing`,
@@ -469,7 +469,7 @@ function _detectIssues(req, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   introspectionPolicy:     "reject"|"audit"|"allow",
  *   persistedQueryPolicy:    "require"|"audit"|"allow",
  *   operationNamePolicy:     "reject"|"audit"|"allow",
@@ -528,7 +528,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:        every guardGraphql.validate opt is honored,
  *
  * @example
@@ -573,13 +573,13 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,            // gate label for audit trails
  *   ...:        every guardGraphql.validate opt is honored,
  *
  * @example
  *   var gqlGate = b.guardGraphql.gate({ profile: "strict" });
- *   var rv = await gqlGate.run({
+ *   var rv = await gqlGate.check({
  *     graphqlRequest: {
  *       query: "{ a:me { id } b:me { id } c:me { id } d:me { id } " +
  *              "e:me { id } f:me { id } g:me { id } h:me { id } " +

package/lib/guard-html.js

@@ -1030,7 +1030,7 @@ function sanitize(input, opts) {
  * Returns a guard descriptor that plugs into the framework's
  * content-safety wiring (`b.fileUpload.contentSafety` /
  * `b.staticServe.contentSafety` / `b.guardAll`). The descriptor's
- * `inspect(ctx)` resolves to one of four actions: `serve` (no
+ * `check(ctx)` resolves to one of four actions: `serve` (no
  * issues), `audit-only` (low-severity issues observed), `sanitize`
  * (sanitized buffer attached when no policy is "reject"), or
  * `refuse` (critical issue with at least one reject-policy active).
@@ -1057,7 +1057,7 @@ function sanitize(input, opts) {
  *
  *   // Refuse on tag-budget exceeded — strict profile rejects <script>.
  *   var hostileBuf = Buffer.from("<p>hi</p><script>alert(1)</script>", "utf8");
- *   var rv = await g.inspect({ bytes: hostileBuf, contentType: "text/html" });
+ *   var rv = await g.check({ bytes: hostileBuf, contentType: "text/html" });
  *   rv.ok;       // → false
  *   rv.action;   // → "refuse"
  */

package/lib/guard-image.js

@@ -421,7 +421,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,
  *   ...:        any validate opt
  *

package/lib/guard-json.js

@@ -59,7 +59,7 @@
  *
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
- *   via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
+ *   via `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`;
  *   postures overlay on top of the profile baseline.
  *
  *   Source files MUST be pure ASCII; threat-detection regexes
@@ -571,7 +571,7 @@ function _stripPollutionTree(value, opts, depth) {
  *
  * Inspect `input` (string of JSON source) for the full guard-json
  * threat catalog without committing to a parsed value. Returns
- * `{ ok, issues, severities }` where `issues` is the aggregated
+ * `{ ok, issues }` where `issues` is the aggregated
  * detector output — every prototype-pollution key, depth/breadth
  * cap hit, duplicate-key smuggle, JSON5-quirk match, BOM placement,
  * unicode threat, and numeric-precision-loss candidate is reported
@@ -587,7 +587,7 @@ function _stripPollutionTree(value, opts, depth) {
  *
  * @opts
  *   profile:                  "strict"|"balanced"|"permissive",
- *   compliance:               "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   pollutionPolicy:          "reject"|"strip"|"audit"|"allow",
  *   duplicateKeyPolicy:       "reject"|"audit"|"allow",
  *   nanInfinityPolicy:        "reject"|"audit"|"allow",
@@ -660,7 +660,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   pollutionPolicy: "reject"|"strip"|"audit"|"allow",
  *   bomPolicy:       "reject"|"strip"|"allow",
  *   controlPolicy:   "reject"|"strip"|"allow",
@@ -770,7 +770,7 @@ function _policyKeyForRuleId(ruleId) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *
  * @example

package/lib/guard-jsonpath.js

@@ -34,7 +34,7 @@
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
  *   select via `{ profile: "strict" }` or
- *   `{ compliance: "hipaa" }`; postures overlay on top of the
+ *   `{ compliancePosture: "hipaa" }`; postures overlay on top of the
  *   profile baseline. Filter / script / dynamic-hint refusal holds
  *   at every profile — the RCE class is never an operator opt-in.
  *
@@ -257,7 +257,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"audit"|"allow",
  *   controlPolicy:          "reject"|"audit"|"allow",
  *   nullBytePolicy:         "reject"|"audit"|"allow",
@@ -308,7 +308,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   filterExprPolicy:       "reject"|"audit"|"allow",
  *   scriptExprPolicy:       "reject"|"audit"|"allow",
  *   dynamicHintPolicy:      "reject"|"audit"|"allow",
@@ -360,7 +360,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:                   string,    // override gate name in audit emissions
  *   filterExprPolicy:       "reject"|"audit"|"allow",
  *   scriptExprPolicy:       "reject"|"audit"|"allow",

package/lib/guard-jwt.js

@@ -441,7 +441,7 @@ function _detectIssues(input, opts) {
  * @related    b.guardJwt.sanitize, b.guardJwt.gate
  *
  * Apply the full guard-jwt threat catalog to a JWT compact-
- * serialization string. Returns `{ ok, issues, refusal? }` per
+ * serialization string. Returns `{ ok, issues }` per
  * `gateContract.aggregateIssues`. Detected classes include
  * `alg-none` (always critical), `kid-traversal` (always critical),
  * `alg-not-allowed`, `typ-confusion`, `crit-unknown`, `exp-past`,
@@ -456,7 +456,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:              "strict"|"balanced"|"permissive",
- *   compliance:           "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   allowedAlgs:          string[],
  *   requiredClaims:       string[],
  *   knownCrit:            string[],
@@ -524,7 +524,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:        every guardJwt.validate opt is honored,
  *
  * @example
@@ -573,13 +573,13 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,            // gate label for audit trails
  *   ...:        every guardJwt.validate opt is honored,
  *
  * @example
  *   var jwtGate = b.guardJwt.gate({ profile: "strict" });
- *   var rv = await jwtGate.run({
+ *   var rv = await jwtGate.check({
  *     identifier:
  *       "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
  *       "eyJzdWIiOiJhdHRhY2tlciJ9.",

package/lib/guard-markdown.js

@@ -505,7 +505,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:          "reject"|"strip"|"allow",
  *   nullBytePolicy:         "reject"|"strip"|"allow",
@@ -568,7 +568,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardMarkdown.validate opts,
  *
  * @example
@@ -606,7 +606,7 @@ function sanitize(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardMarkdown.validate, b.guardMarkdown.sanitize, b.guardAll.gate, b.staticServe.create
  *
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
  * by `b.guardAll`, `b.staticServe`, `b.fileUpload`, and any host
  * that ingests user-supplied markdown. The gate decodes
  * `ctx.bytes` / `ctx.bodyText`, runs `validate`, and maps
@@ -617,15 +617,15 @@ function sanitize(input, opts) {
  * @opts
  *   name:                   string,    // gate label for audit / observability
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardMarkdown.validate opts,
  *
  * @example
  *   var g = b.guardMarkdown.gate({ profile: "strict" });
- *   var rv = await g({ bytes: Buffer.from("# hello\n", "utf8") });
+ *   var rv = await g.check({ bytes: Buffer.from("# hello\n", "utf8") });
  *   rv.action;                                         // → "serve"
  *
- *   var bad = await g({ bytes: Buffer.from("[x](javascript:1)", "utf8") });
+ *   var bad = await g.check({ bytes: Buffer.from("[x](javascript:1)", "utf8") });
  *   bad.action;                                        // → "refuse"
  */
 function gate(opts) {

package/lib/guard-mime.js

@@ -369,7 +369,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:          "reject"|"strip"|"allow",
  *   nullBytePolicy:         "reject"|"strip"|"allow",
@@ -423,7 +423,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardMime.validate opts,
  *
  * @example
@@ -467,7 +467,7 @@ function sanitize(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardMime.validate, b.guardMime.sanitize, b.guardAll.gate
  *
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
  * by `b.guardAll`, `b.staticServe`, `b.fileUpload`, and any other
  * host that integrates the guard contract. The gate reads
  * `ctx.identifier` (or `ctx.mime`), runs `validate`, and maps
@@ -477,15 +477,15 @@ function sanitize(input, opts) {
  * @opts
  *   name:                   string,    // gate label for audit / observability
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardMime.validate opts,
  *
  * @example
  *   var g = b.guardMime.gate({ profile: "strict" });
- *   var rv = await g({ identifier: "application/json" });
+ *   var rv = await g.check({ identifier: "application/json" });
  *   rv.action;                                         // → "serve"
  *
- *   var bad = await g({ identifier: "application/x-msdownload" });
+ *   var bad = await g.check({ identifier: "application/x-msdownload" });
  *   bad.action;                                        // → "refuse"
  */
 function gate(opts) {

package/lib/guard-oauth.js

@@ -352,7 +352,7 @@ function _detectIssues(flow, opts) {
  * @related    b.guardOauth.sanitize, b.guardOauth.gate
  *
  * Apply the full guard-oauth threat catalog to a flow bundle.
- * Returns `{ ok, issues, refusal? }` per
+ * Returns `{ ok, issues }` per
  * `gateContract.aggregateIssues`. Detected classes include
  * `pkce-missing`, `pkce-method` (e.g. plain under require-s256),
  * `state-missing`, `redirect-uri-not-allowed`,
@@ -365,7 +365,7 @@ function _detectIssues(flow, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   pkcePolicy:              "require-s256"|"require-any"|"audit"|"allow",
  *   statePolicy:             "require"|"audit"|"allow",
  *   redirectUriPolicy:       "require-exact-allowlist"|"audit"|"allow",
@@ -427,7 +427,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:        every guardOauth.validate opt is honored,
  *
  * @example
@@ -475,7 +475,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,            // gate label for audit trails
  *   ...:        every guardOauth.validate opt is honored,
  *
@@ -484,7 +484,7 @@ function sanitize(input, opts) {
  *     profile: "strict",
  *     allowedRedirectUris: ["https://app.example.com/callback"],
  *   });
- *   var rv = await oauthGate.run({
+ *   var rv = await oauthGate.check({
  *     oauthFlow: {
  *       response_type: "code",
  *       redirect_uri:  "https://attacker.example/callback",

package/lib/guard-pdf.js

@@ -410,7 +410,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,
  *   ...:        any validate opt
  *

package/lib/guard-regex.js

@@ -30,7 +30,7 @@
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
  *   select via `{ profile: "strict" }` or
- *   `{ compliance: "hipaa" }`; postures overlay on top of the
+ *   `{ compliancePosture: "hipaa" }`; postures overlay on top of the
  *   profile baseline. Nested-quantifier rejection holds at every
  *   profile — the catastrophic class is never an operator opt-in.
  *
@@ -368,7 +368,7 @@ function _detectNestedExtglob(input, opts, issues) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"audit"|"allow",
  *   controlPolicy:          "reject"|"audit"|"allow",
  *   nullBytePolicy:         "reject"|"audit"|"allow",
@@ -422,7 +422,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   nestedQuantPolicy:      "reject"|"audit"|"allow",
  *   alternationQuantPolicy: "reject"|"audit"|"allow",
  *   boundedRepeatPolicy:    "reject"|"audit"|"allow",
@@ -477,7 +477,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:                   string,    // override gate name in audit emissions
  *   nestedQuantPolicy:      "reject"|"audit"|"allow",
  *   alternationQuantPolicy: "reject"|"audit"|"allow",

package/lib/guard-shell.js

@@ -28,7 +28,7 @@
  *
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
- *   via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
+ *   via `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`;
  *   postures overlay on top of the profile baseline.
  *
  *   Shell args cannot be repaired safely — `sanitize` either passes
@@ -262,7 +262,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:           "strict"|"balanced"|"permissive",
- *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:        "reject"|"audit"|"allow",
  *   controlPolicy:     "reject"|"audit"|"allow",
  *   nullBytePolicy:    "reject"|"audit"|"allow",
@@ -314,7 +314,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:           "strict"|"balanced"|"permissive",
- *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   posixMetaPolicy:   "reject"|"audit"|"allow",
  *   cmdMetaPolicy:     "reject"|"audit"|"allow",
  *   dollarSubstPolicy: "reject"|"audit"|"allow",
@@ -369,7 +369,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:           "strict"|"balanced"|"permissive",
- *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:              string,        // override gate name in audit emissions
  *   posixMetaPolicy:   "reject"|"audit"|"allow",
  *   cmdMetaPolicy:     "reject"|"audit"|"allow",

package/lib/guard-svg.js

@@ -1017,9 +1017,9 @@ function sanitize(input, opts) {
  * @status    stable
  * @related   b.guardSvg.validate, b.guardSvg.sanitize, b.fileUpload, b.staticServe
  *
- * Build a uniform gate over guard-* family contract. Returns an
- * async function whose verdict is `{ ok, action, issues?,
- * sanitized? }` where `action` is `serve` / `audit-only` /
+ * Build a uniform gate over the guard-* family contract. Returns a
+ * gate whose async `check(ctx)` produces a verdict `{ ok, action,
+ * issues?, sanitized? }` where `action` is `serve` / `audit-only` /
  * `sanitize` / `refuse`. SVGZ inputs always refuse — operators
  * ungzip and re-gate the inner SVG. External `xlink:href` on
  * `<use>` / `<feImage>` refuses under `strict` (SSRF + XSS chain).
@@ -1042,13 +1042,13 @@ function sanitize(input, opts) {
  *
  * @example
  *   var g = b.guardSvg.gate({ profile: "strict" });
- *   var verdict = await g({
+ *   var verdict = await g.check({
  *     bytes: Buffer.from('<svg><circle r="10"/></svg>', "utf8"),
  *   });
  *   verdict.action;                  // → "serve"
  *
  *   // Refuses external xlink:href under strict:
- *   var refuse = await g({
+ *   var refuse = await g.check({
  *     bytes: Buffer.from(
  *       '<svg><use xlink:href="https://evil.example/x.svg#a"/></svg>',
  *       "utf8"),

package/lib/guard-template.js

@@ -34,7 +34,7 @@
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
  *   select via `{ profile: "strict" }` or
- *   `{ compliance: "hipaa" }`; postures overlay on top of the
+ *   `{ compliancePosture: "hipaa" }`; postures overlay on top of the
  *   profile baseline. Jinja / ERB / Pug shape rejection holds at
  *   every profile — the SSTI class is never an operator opt-in.
  *
@@ -237,7 +237,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:              "reject"|"audit"|"allow",
  *   controlPolicy:           "reject"|"audit"|"allow",
  *   nullBytePolicy:          "reject"|"audit"|"allow",
@@ -287,7 +287,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   jinjaPolicy:             "reject"|"audit"|"allow",
  *   erbPolicy:               "reject"|"audit"|"allow",
  *   pugPolicy:               "reject"|"audit"|"allow",
@@ -339,7 +339,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:                    string,    // override gate name in audit emissions
  *   jinjaPolicy:             "reject"|"audit"|"allow",
  *   erbPolicy:               "reject"|"audit"|"allow",

package/lib/guard-time.js

@@ -347,7 +347,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:          "reject"|"strip"|"allow",
  *   nullBytePolicy:         "reject"|"strip"|"allow",
@@ -403,7 +403,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardTime.validate opts,
  *
  * @example
@@ -442,7 +442,7 @@ function sanitize(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardTime.validate, b.guardTime.sanitize, b.guardAll.gate
  *
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
  * by `b.guardAll`, audit pipelines, scheduling primitives, and
  * retention readers. The gate reads `ctx.identifier` (or
  * `ctx.timestamp` / `ctx.time`), runs `validate`, and maps
@@ -452,15 +452,15 @@ function sanitize(input, opts) {
  * @opts
  *   name:                   string,    // gate label for audit / observability
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardTime.validate opts,
  *
  * @example
  *   var g = b.guardTime.gate({ profile: "strict" });
- *   var rv = await g({ identifier: "2026-05-05T12:34:56Z" });
+ *   var rv = await g.check({ identifier: "2026-05-05T12:34:56Z" });
  *   rv.action;                                         // → "serve"
  *
- *   var bad = await g({ identifier: "2026-05-05 12:34:56" });
+ *   var bad = await g.check({ identifier: "2026-05-05 12:34:56" });
  *   bad.action;                                        // → "refuse"
  */
 function gate(opts) {

package/lib/guard-uuid.js

@@ -307,7 +307,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:          "reject"|"strip"|"allow",
  *   nullBytePolicy:         "reject"|"strip"|"allow",
@@ -361,7 +361,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardUuid.validate opts,
  *
  * @example
@@ -406,7 +406,7 @@ function sanitize(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardUuid.validate, b.guardUuid.sanitize, b.guardAll.gate
  *
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
  * by `b.guardAll`, ID validators, and any host that handles
  * UUID-shaped tokens. The gate reads `ctx.identifier` (or
  * `ctx.uuid`), runs `validate`, and maps severity to action: zero
@@ -416,15 +416,15 @@ function sanitize(input, opts) {
  * @opts
  *   name:                   string,    // gate label for audit / observability
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardUuid.validate opts,
  *
  * @example
  *   var g = b.guardUuid.gate({ profile: "strict" });
- *   var rv = await g({ identifier: "550e8400-e29b-41d4-a716-446655440000" });
+ *   var rv = await g.check({ identifier: "550e8400-e29b-41d4-a716-446655440000" });
  *   rv.action;                                         // → "serve"
  *
- *   var bad = await g({ identifier: "{550e8400-e29b-41d4-a716-446655440000}" });
+ *   var bad = await g.check({ identifier: "{550e8400-e29b-41d4-a716-446655440000}" });
  *   bad.action;                                        // → "refuse"
  */
 function gate(opts) {

package/lib/guard-xml.js

@@ -371,7 +371,7 @@ function _detectIssues(input, opts) {
  *
  * Inspect `input` (string of XML source) for the full guard-xml
  * threat catalog without invoking a parser. Returns
- * `{ ok, issues, severities }` where `issues` enumerates every
+ * `{ ok, issues }` where `issues` enumerates every
  * DOCTYPE declaration, `<!ENTITY>` definition (including parameter
  * entities), SYSTEM/PUBLIC external-entity reference, XInclude
  * directive, xsi:schemaLocation hint, processing instruction (after
@@ -388,7 +388,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:               "strict"|"balanced"|"permissive",
- *   compliance:            "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   doctypePolicy:         "reject"|"audit"|"allow",
  *   entityPolicy:          "reject"|"audit"|"allow",
  *   externalEntityPolicy:  "reject"|"audit"|"allow",
@@ -455,7 +455,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:      "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:   "reject"|"strip"|"allow",
  *   nullBytePolicy:  "reject"|"strip"|"allow",
@@ -514,7 +514,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *
  * @example

package/lib/guard-yaml.js

@@ -58,7 +58,7 @@
  *
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
- *   via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
+ *   via `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`;
  *   postures overlay on top of the profile baseline.
  *
  * @card
@@ -452,7 +452,7 @@ function _detectDuplicateKeysYaml(text) {
  *
  * Inspect `input` (string of YAML source) for the full guard-yaml
  * threat catalog without committing to a parsed value. Returns
- * `{ ok, issues, severities }` where `issues` is the aggregated
+ * `{ ok, issues }` where `issues` is the aggregated
  * detector output — every dangerous-tag prefix, custom-tag use,
  * anchor / alias amplification, multi-document split, Norway-
  * problem implicit boolean, leading-zero octal, merge-key chain,
@@ -468,7 +468,7 @@ function _detectDuplicateKeysYaml(text) {
  *
  * @opts
  *   profile:             "strict"|"balanced"|"permissive",
- *   compliance:          "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   tagPolicy:           "reject"|"audit"|"allow",
  *   aliasPolicy:         "reject"|"audit"|"allow",
  *   multiDocPolicy:      "reject"|"audit"|"allow",
@@ -535,7 +535,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   tagPolicy:    "reject"|"audit"|"allow",
  *   aliasPolicy:  "reject"|"audit"|"allow",
  *   maxBytes:     number, maxDepth: number, maxNodes: number,
@@ -586,7 +586,7 @@ function parse(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *
  * @example

package/lib/link-header.js

@@ -125,8 +125,9 @@ function _serParam(name, value) {
  * Build an HTTP <code>Link</code> header value from an array of
  * <code>{ uri, rel, params? }</code> (or a single such object). The URI
  * is angle-bracketed, <code>rel</code> (string or array) is emitted
- * first, and parameters are token-valued when they fit RFC 7230 token
- * grammar or double-quoted otherwise. Useful for emitting standard REST
+ * first, and every parameter value is double-quoted (always valid under
+ * RFC 8288, and required for space-separated multi-rel and media-type
+ * values like <code>text/html</code>). Useful for emitting standard REST
  * pagination links.
  *
  * @example

package/lib/mail-agent.js

@@ -156,8 +156,10 @@ var COMPOSE_HINT = Object.freeze({
  * @related   b.mailStore, b.mail.agent.consumer
  *
  * Create the agent facade. Returns an object with read / write / sieve
- * / identity / mdn / export / import / consumer methods. Reads stay
- * synchronous-shaped via promises; writes audit on completion.
+ * / identity / mdn / export / import methods. Reads stay
+ * synchronous-shaped via promises; writes audit on completion. (The
+ * queue consumer is the sibling export <code>b.mail.agent.consumer</code>,
+ * not a method on this object.)
  *
  * @opts
  *   store:        b.mailStore instance,    // required

package/lib/middleware/rate-limit.js

@@ -36,7 +36,7 @@
  *     header:          true                    // set X-RateLimit-* response headers
  *     skipPaths:       []                      // string-prefix or regex matchers
  *     scope:           'global' | 'per-route'  (default 'global')
- *     backend:         'memory' (default) | 'cluster' | { take, reset, gc? }
+ *     backend:         'memory' (default) | 'cluster' | { take, reset }
  *     algorithm:       'token-bucket' (default) | 'fixed-window'
  *                                              // memory backend only; ignored
  *                                              // for cluster backend (which is
@@ -366,7 +366,7 @@ function _resolveBackend(opts) {
  *     header:          boolean,          // default true
  *     skipPaths:       Array<string|RegExp>,
  *     scope:           "global"|"per-route",
- *     backend:         "memory"|"cluster"|{ take, reset, gc },
+ *     backend:         "memory"|"cluster"|{ take, reset },
  *     algorithm:       "token-bucket"|"fixed-window",
  *     burst:           number,
  *     refillPerSecond: number,

package/lib/tsa.js

@@ -183,7 +183,8 @@ function buildRequest(data, opts) {
     nonce = Buffer.isBuffer(opts.nonce) ? opts.nonce : nodeCrypto.randomBytes(8);  // allow:raw-byte-literal — RFC 3161 nonce: 64-bit random
     children.push(asn1.writeInteger(nonce));
   }
-  // certReq DEFAULT FALSE — only encode when true (the default we want).
+  // certReq DEFAULTS TRUE (RFC 3161 §2.4.1) — encode the boolean unless
+  // the caller explicitly opts out with certReq:false.
   var certReq = opts.certReq !== false;
   if (certReq) children.push(asn1.writeBoolean(true));
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.22",
+  "version": "0.13.24",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:81d23e48-6a96-4d2b-ac47-bada0b15cf1f",
+  "serialNumber": "urn:uuid:be8cbd49-821e-4e0e-92d5-ea42e8aff583",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-28T00:00:09.259Z",
+    "timestamp": "2026-05-28T11:47:50.484Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.22",
+      "bom-ref": "@blamejs/core@0.13.24",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.22",
+      "version": "0.13.24",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.22",
+      "purl": "pkg:npm/%40blamejs/core@0.13.24",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.22",
+      "ref": "@blamejs/core@0.13.24",
       "dependsOn": []
     }
   ]