@blamejs/core 0.13.23 → 0.13.25

package/lib/guard-graphql.js

@@ -458,7 +458,7 @@ function _detectIssues(req, opts) {
  * @related    b.guardGraphql.sanitize, b.guardGraphql.gate
  *
  * Apply the full guard-graphql threat catalog to a request bundle
- * (or batch array). Returns `{ ok, issues, refusal? }` per
+ * (or batch array). Returns `{ ok, issues }` per
  * `gateContract.aggregateIssues`. Detected classes include
  * `query-missing`, `query-cap`, `variables-cap`, `request-cap`,
  * `batch-size`, `introspection`, `persisted-query-missing`,
@@ -469,7 +469,7 @@ function _detectIssues(req, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   introspectionPolicy:     "reject"|"audit"|"allow",
  *   persistedQueryPolicy:    "require"|"audit"|"allow",
  *   operationNamePolicy:     "reject"|"audit"|"allow",
@@ -528,7 +528,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:        every guardGraphql.validate opt is honored,
  *
  * @example
@@ -573,13 +573,13 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,            // gate label for audit trails
  *   ...:        every guardGraphql.validate opt is honored,
  *
  * @example
  *   var gqlGate = b.guardGraphql.gate({ profile: "strict" });
- *   var rv = await gqlGate.run({
+ *   var rv = await gqlGate.check({
  *     graphqlRequest: {
  *       query: "{ a:me { id } b:me { id } c:me { id } d:me { id } " +
  *              "e:me { id } f:me { id } g:me { id } h:me { id } " +

package/lib/guard-html.js

@@ -1030,7 +1030,7 @@ function sanitize(input, opts) {
  * Returns a guard descriptor that plugs into the framework's
  * content-safety wiring (`b.fileUpload.contentSafety` /
  * `b.staticServe.contentSafety` / `b.guardAll`). The descriptor's
- * `inspect(ctx)` resolves to one of four actions: `serve` (no
+ * `check(ctx)` resolves to one of four actions: `serve` (no
  * issues), `audit-only` (low-severity issues observed), `sanitize`
  * (sanitized buffer attached when no policy is "reject"), or
  * `refuse` (critical issue with at least one reject-policy active).
@@ -1057,7 +1057,7 @@ function sanitize(input, opts) {
  *
  *   // Refuse on tag-budget exceeded — strict profile rejects <script>.
  *   var hostileBuf = Buffer.from("<p>hi</p><script>alert(1)</script>", "utf8");
- *   var rv = await g.inspect({ bytes: hostileBuf, contentType: "text/html" });
+ *   var rv = await g.check({ bytes: hostileBuf, contentType: "text/html" });
  *   rv.ok;       // → false
  *   rv.action;   // → "refuse"
  */

package/lib/guard-image.js

@@ -421,7 +421,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,
  *   ...:        any validate opt
  *

package/lib/guard-json.js

@@ -59,7 +59,7 @@
  *
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
- *   via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
+ *   via `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`;
  *   postures overlay on top of the profile baseline.
  *
  *   Source files MUST be pure ASCII; threat-detection regexes
@@ -571,7 +571,7 @@ function _stripPollutionTree(value, opts, depth) {
  *
  * Inspect `input` (string of JSON source) for the full guard-json
  * threat catalog without committing to a parsed value. Returns
- * `{ ok, issues, severities }` where `issues` is the aggregated
+ * `{ ok, issues }` where `issues` is the aggregated
  * detector output — every prototype-pollution key, depth/breadth
  * cap hit, duplicate-key smuggle, JSON5-quirk match, BOM placement,
  * unicode threat, and numeric-precision-loss candidate is reported
@@ -587,7 +587,7 @@ function _stripPollutionTree(value, opts, depth) {
  *
  * @opts
  *   profile:                  "strict"|"balanced"|"permissive",
- *   compliance:               "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   pollutionPolicy:          "reject"|"strip"|"audit"|"allow",
  *   duplicateKeyPolicy:       "reject"|"audit"|"allow",
  *   nanInfinityPolicy:        "reject"|"audit"|"allow",
@@ -660,7 +660,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   pollutionPolicy: "reject"|"strip"|"audit"|"allow",
  *   bomPolicy:       "reject"|"strip"|"allow",
  *   controlPolicy:   "reject"|"strip"|"allow",
@@ -770,7 +770,7 @@ function _policyKeyForRuleId(ruleId) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *
  * @example

package/lib/guard-jsonpath.js

@@ -34,7 +34,7 @@
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
  *   select via `{ profile: "strict" }` or
- *   `{ compliance: "hipaa" }`; postures overlay on top of the
+ *   `{ compliancePosture: "hipaa" }`; postures overlay on top of the
  *   profile baseline. Filter / script / dynamic-hint refusal holds
  *   at every profile — the RCE class is never an operator opt-in.
  *
@@ -257,7 +257,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"audit"|"allow",
  *   controlPolicy:          "reject"|"audit"|"allow",
  *   nullBytePolicy:         "reject"|"audit"|"allow",
@@ -308,7 +308,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   filterExprPolicy:       "reject"|"audit"|"allow",
  *   scriptExprPolicy:       "reject"|"audit"|"allow",
  *   dynamicHintPolicy:      "reject"|"audit"|"allow",
@@ -360,7 +360,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:                   string,    // override gate name in audit emissions
  *   filterExprPolicy:       "reject"|"audit"|"allow",
  *   scriptExprPolicy:       "reject"|"audit"|"allow",

package/lib/guard-jwt.js

@@ -441,7 +441,7 @@ function _detectIssues(input, opts) {
  * @related    b.guardJwt.sanitize, b.guardJwt.gate
  *
  * Apply the full guard-jwt threat catalog to a JWT compact-
- * serialization string. Returns `{ ok, issues, refusal? }` per
+ * serialization string. Returns `{ ok, issues }` per
  * `gateContract.aggregateIssues`. Detected classes include
  * `alg-none` (always critical), `kid-traversal` (always critical),
  * `alg-not-allowed`, `typ-confusion`, `crit-unknown`, `exp-past`,
@@ -456,7 +456,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:              "strict"|"balanced"|"permissive",
- *   compliance:           "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   allowedAlgs:          string[],
  *   requiredClaims:       string[],
  *   knownCrit:            string[],
@@ -524,7 +524,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:        every guardJwt.validate opt is honored,
  *
  * @example
@@ -573,13 +573,13 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,            // gate label for audit trails
  *   ...:        every guardJwt.validate opt is honored,
  *
  * @example
  *   var jwtGate = b.guardJwt.gate({ profile: "strict" });
- *   var rv = await jwtGate.run({
+ *   var rv = await jwtGate.check({
  *     identifier:
  *       "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
  *       "eyJzdWIiOiJhdHRhY2tlciJ9.",

package/lib/guard-markdown.js

@@ -505,7 +505,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:          "reject"|"strip"|"allow",
  *   nullBytePolicy:         "reject"|"strip"|"allow",
@@ -568,7 +568,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardMarkdown.validate opts,
  *
  * @example
@@ -606,7 +606,7 @@ function sanitize(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardMarkdown.validate, b.guardMarkdown.sanitize, b.guardAll.gate, b.staticServe.create
  *
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
  * by `b.guardAll`, `b.staticServe`, `b.fileUpload`, and any host
  * that ingests user-supplied markdown. The gate decodes
  * `ctx.bytes` / `ctx.bodyText`, runs `validate`, and maps
@@ -617,15 +617,15 @@ function sanitize(input, opts) {
  * @opts
  *   name:                   string,    // gate label for audit / observability
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardMarkdown.validate opts,
  *
  * @example
  *   var g = b.guardMarkdown.gate({ profile: "strict" });
- *   var rv = await g({ bytes: Buffer.from("# hello\n", "utf8") });
+ *   var rv = await g.check({ bytes: Buffer.from("# hello\n", "utf8") });
  *   rv.action;                                         // → "serve"
  *
- *   var bad = await g({ bytes: Buffer.from("[x](javascript:1)", "utf8") });
+ *   var bad = await g.check({ bytes: Buffer.from("[x](javascript:1)", "utf8") });
  *   bad.action;                                        // → "refuse"
  */
 function gate(opts) {

package/lib/guard-mime.js

@@ -369,7 +369,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:          "reject"|"strip"|"allow",
  *   nullBytePolicy:         "reject"|"strip"|"allow",
@@ -423,7 +423,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardMime.validate opts,
  *
  * @example
@@ -467,7 +467,7 @@ function sanitize(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardMime.validate, b.guardMime.sanitize, b.guardAll.gate
  *
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
  * by `b.guardAll`, `b.staticServe`, `b.fileUpload`, and any other
  * host that integrates the guard contract. The gate reads
  * `ctx.identifier` (or `ctx.mime`), runs `validate`, and maps
@@ -477,15 +477,15 @@ function sanitize(input, opts) {
  * @opts
  *   name:                   string,    // gate label for audit / observability
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardMime.validate opts,
  *
  * @example
  *   var g = b.guardMime.gate({ profile: "strict" });
- *   var rv = await g({ identifier: "application/json" });
+ *   var rv = await g.check({ identifier: "application/json" });
  *   rv.action;                                         // → "serve"
  *
- *   var bad = await g({ identifier: "application/x-msdownload" });
+ *   var bad = await g.check({ identifier: "application/x-msdownload" });
  *   bad.action;                                        // → "refuse"
  */
 function gate(opts) {

package/lib/guard-oauth.js

@@ -352,7 +352,7 @@ function _detectIssues(flow, opts) {
  * @related    b.guardOauth.sanitize, b.guardOauth.gate
  *
  * Apply the full guard-oauth threat catalog to a flow bundle.
- * Returns `{ ok, issues, refusal? }` per
+ * Returns `{ ok, issues }` per
  * `gateContract.aggregateIssues`. Detected classes include
  * `pkce-missing`, `pkce-method` (e.g. plain under require-s256),
  * `state-missing`, `redirect-uri-not-allowed`,
@@ -365,7 +365,7 @@ function _detectIssues(flow, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   pkcePolicy:              "require-s256"|"require-any"|"audit"|"allow",
  *   statePolicy:             "require"|"audit"|"allow",
  *   redirectUriPolicy:       "require-exact-allowlist"|"audit"|"allow",
@@ -427,7 +427,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:        every guardOauth.validate opt is honored,
  *
  * @example
@@ -475,7 +475,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,            // gate label for audit trails
  *   ...:        every guardOauth.validate opt is honored,
  *
@@ -484,7 +484,7 @@ function sanitize(input, opts) {
  *     profile: "strict",
  *     allowedRedirectUris: ["https://app.example.com/callback"],
  *   });
- *   var rv = await oauthGate.run({
+ *   var rv = await oauthGate.check({
  *     oauthFlow: {
  *       response_type: "code",
  *       redirect_uri:  "https://attacker.example/callback",

package/lib/guard-pdf.js

@@ -410,7 +410,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,
  *   ...:        any validate opt
  *

package/lib/guard-regex.js

@@ -30,7 +30,7 @@
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
  *   select via `{ profile: "strict" }` or
- *   `{ compliance: "hipaa" }`; postures overlay on top of the
+ *   `{ compliancePosture: "hipaa" }`; postures overlay on top of the
  *   profile baseline. Nested-quantifier rejection holds at every
  *   profile — the catastrophic class is never an operator opt-in.
  *
@@ -368,7 +368,7 @@ function _detectNestedExtglob(input, opts, issues) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"audit"|"allow",
  *   controlPolicy:          "reject"|"audit"|"allow",
  *   nullBytePolicy:         "reject"|"audit"|"allow",
@@ -422,7 +422,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   nestedQuantPolicy:      "reject"|"audit"|"allow",
  *   alternationQuantPolicy: "reject"|"audit"|"allow",
  *   boundedRepeatPolicy:    "reject"|"audit"|"allow",
@@ -477,7 +477,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:                   string,    // override gate name in audit emissions
  *   nestedQuantPolicy:      "reject"|"audit"|"allow",
  *   alternationQuantPolicy: "reject"|"audit"|"allow",

package/lib/guard-shell.js

@@ -28,7 +28,7 @@
  *
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
- *   via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
+ *   via `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`;
  *   postures overlay on top of the profile baseline.
  *
  *   Shell args cannot be repaired safely — `sanitize` either passes
@@ -262,7 +262,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:           "strict"|"balanced"|"permissive",
- *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:        "reject"|"audit"|"allow",
  *   controlPolicy:     "reject"|"audit"|"allow",
  *   nullBytePolicy:    "reject"|"audit"|"allow",
@@ -314,7 +314,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:           "strict"|"balanced"|"permissive",
- *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   posixMetaPolicy:   "reject"|"audit"|"allow",
  *   cmdMetaPolicy:     "reject"|"audit"|"allow",
  *   dollarSubstPolicy: "reject"|"audit"|"allow",
@@ -369,7 +369,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:           "strict"|"balanced"|"permissive",
- *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:              string,        // override gate name in audit emissions
  *   posixMetaPolicy:   "reject"|"audit"|"allow",
  *   cmdMetaPolicy:     "reject"|"audit"|"allow",

package/lib/guard-svg.js

@@ -1017,9 +1017,9 @@ function sanitize(input, opts) {
  * @status    stable
  * @related   b.guardSvg.validate, b.guardSvg.sanitize, b.fileUpload, b.staticServe
  *
- * Build a uniform gate over guard-* family contract. Returns an
- * async function whose verdict is `{ ok, action, issues?,
- * sanitized? }` where `action` is `serve` / `audit-only` /
+ * Build a uniform gate over the guard-* family contract. Returns a
+ * gate whose async `check(ctx)` produces a verdict `{ ok, action,
+ * issues?, sanitized? }` where `action` is `serve` / `audit-only` /
  * `sanitize` / `refuse`. SVGZ inputs always refuse — operators
  * ungzip and re-gate the inner SVG. External `xlink:href` on
  * `<use>` / `<feImage>` refuses under `strict` (SSRF + XSS chain).
@@ -1042,13 +1042,13 @@ function sanitize(input, opts) {
  *
  * @example
  *   var g = b.guardSvg.gate({ profile: "strict" });
- *   var verdict = await g({
+ *   var verdict = await g.check({
  *     bytes: Buffer.from('<svg><circle r="10"/></svg>', "utf8"),
  *   });
  *   verdict.action;                  // → "serve"
  *
  *   // Refuses external xlink:href under strict:
- *   var refuse = await g({
+ *   var refuse = await g.check({
  *     bytes: Buffer.from(
  *       '<svg><use xlink:href="https://evil.example/x.svg#a"/></svg>',
  *       "utf8"),

package/lib/guard-template.js

@@ -34,7 +34,7 @@
  *   Profiles: `strict` / `balanced` / `permissive`. Compliance
  *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
  *   select via `{ profile: "strict" }` or
- *   `{ compliance: "hipaa" }`; postures overlay on top of the
+ *   `{ compliancePosture: "hipaa" }`; postures overlay on top of the
  *   profile baseline. Jinja / ERB / Pug shape rejection holds at
  *   every profile — the SSTI class is never an operator opt-in.
  *
@@ -237,7 +237,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:              "reject"|"audit"|"allow",
  *   controlPolicy:           "reject"|"audit"|"allow",
  *   nullBytePolicy:          "reject"|"audit"|"allow",
@@ -287,7 +287,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   jinjaPolicy:             "reject"|"audit"|"allow",
  *   erbPolicy:               "reject"|"audit"|"allow",
  *   pugPolicy:               "reject"|"audit"|"allow",
@@ -339,7 +339,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:                 "strict"|"balanced"|"permissive",
- *   compliance:              "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:                    string,    // override gate name in audit emissions
  *   jinjaPolicy:             "reject"|"audit"|"allow",
  *   erbPolicy:               "reject"|"audit"|"allow",

package/lib/guard-time.js

@@ -347,7 +347,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:          "reject"|"strip"|"allow",
  *   nullBytePolicy:         "reject"|"strip"|"allow",
@@ -403,7 +403,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardTime.validate opts,
  *
  * @example
@@ -442,7 +442,7 @@ function sanitize(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardTime.validate, b.guardTime.sanitize, b.guardAll.gate
  *
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
  * by `b.guardAll`, audit pipelines, scheduling primitives, and
  * retention readers. The gate reads `ctx.identifier` (or
  * `ctx.timestamp` / `ctx.time`), runs `validate`, and maps
@@ -452,15 +452,15 @@ function sanitize(input, opts) {
  * @opts
  *   name:                   string,    // gate label for audit / observability
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardTime.validate opts,
  *
  * @example
  *   var g = b.guardTime.gate({ profile: "strict" });
- *   var rv = await g({ identifier: "2026-05-05T12:34:56Z" });
+ *   var rv = await g.check({ identifier: "2026-05-05T12:34:56Z" });
  *   rv.action;                                         // → "serve"
  *
- *   var bad = await g({ identifier: "2026-05-05 12:34:56" });
+ *   var bad = await g.check({ identifier: "2026-05-05 12:34:56" });
  *   bad.action;                                        // → "refuse"
  */
 function gate(opts) {

package/lib/guard-uuid.js

@@ -307,7 +307,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:             "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:          "reject"|"strip"|"allow",
  *   nullBytePolicy:         "reject"|"strip"|"allow",
@@ -361,7 +361,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardUuid.validate opts,
  *
  * @example
@@ -406,7 +406,7 @@ function sanitize(input, opts) {
  * @compliance hipaa, pci-dss, gdpr, soc2
  * @related    b.guardUuid.validate, b.guardUuid.sanitize, b.guardAll.gate
  *
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
  * by `b.guardAll`, ID validators, and any host that handles
  * UUID-shaped tokens. The gate reads `ctx.identifier` (or
  * `ctx.uuid`), runs `validate`, and maps severity to action: zero
@@ -416,15 +416,15 @@ function sanitize(input, opts) {
  * @opts
  *   name:                   string,    // gate label for audit / observability
  *   profile:                "strict"|"balanced"|"permissive",
- *   compliance:             "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   ...:                    same shape as b.guardUuid.validate opts,
  *
  * @example
  *   var g = b.guardUuid.gate({ profile: "strict" });
- *   var rv = await g({ identifier: "550e8400-e29b-41d4-a716-446655440000" });
+ *   var rv = await g.check({ identifier: "550e8400-e29b-41d4-a716-446655440000" });
  *   rv.action;                                         // → "serve"
  *
- *   var bad = await g({ identifier: "{550e8400-e29b-41d4-a716-446655440000}" });
+ *   var bad = await g.check({ identifier: "{550e8400-e29b-41d4-a716-446655440000}" });
  *   bad.action;                                        // → "refuse"
  */
 function gate(opts) {

package/lib/guard-xml.js

@@ -371,7 +371,7 @@ function _detectIssues(input, opts) {
  *
  * Inspect `input` (string of XML source) for the full guard-xml
  * threat catalog without invoking a parser. Returns
- * `{ ok, issues, severities }` where `issues` enumerates every
+ * `{ ok, issues }` where `issues` enumerates every
  * DOCTYPE declaration, `<!ENTITY>` definition (including parameter
  * entities), SYSTEM/PUBLIC external-entity reference, XInclude
  * directive, xsi:schemaLocation hint, processing instruction (after
@@ -388,7 +388,7 @@ function _detectIssues(input, opts) {
  *
  * @opts
  *   profile:               "strict"|"balanced"|"permissive",
- *   compliance:            "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   doctypePolicy:         "reject"|"audit"|"allow",
  *   entityPolicy:          "reject"|"audit"|"allow",
  *   externalEntityPolicy:  "reject"|"audit"|"allow",
@@ -455,7 +455,7 @@ function validate(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   bidiPolicy:      "reject"|"strip"|"audit"|"allow",
  *   controlPolicy:   "reject"|"strip"|"allow",
  *   nullBytePolicy:  "reject"|"strip"|"allow",
@@ -514,7 +514,7 @@ function sanitize(input, opts) {
  *
  * @opts
  *   profile:    "strict"|"balanced"|"permissive",
- *   compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
  *   name:       string,    // gate identity for audit / observability
  *
  * @example