@blamejs/core 0.14.26 → 0.15.0

package/lib/guard-idempotency-key.js

@@ -30,6 +30,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var GuardIdempotencyKeyError = defineClass("GuardIdempotencyKeyError", { alwaysPermanent: true });
 
@@ -41,12 +42,7 @@ var PROFILES = Object.freeze({
   permissive: { maxBytes: 2048, asciiOnly: false },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 /**
  * @primitive b.guardIdempotencyKey.validate
@@ -111,41 +107,27 @@ function validate(value, opts) {
   return value;
 }
 
-/**
- * @primitive b.guardIdempotencyKey.compliancePosture
- * @signature b.guardIdempotencyKey.compliancePosture(posture)
- * @since     0.9.22
- * @status    stable
- *
- * Return the effective profile for a given compliance posture name.
- * Returns `null` for unknown posture names so operator typos surface
- * here instead of silently falling through to the default profile.
- *
- * @example
- *   b.guardIdempotencyKey.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return COMPLIANCE_POSTURES[opts.posture];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new GuardIdempotencyKeyError("idempotency-key/bad-profile",
-      "guardIdempotencyKey: unknown profile '" + p + "'");
-  }
-  return p;
-}
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: GuardIdempotencyKeyError,
+  codePrefix: "idempotency-key",
+});
 
-module.exports = {
-  validate:                  validate,
-  compliancePosture:         compliancePosture,
-  PROFILES:                  PROFILES,
-  COMPLIANCE_POSTURES:       COMPLIANCE_POSTURES,
-  GuardIdempotencyKeyError:  GuardIdempotencyKeyError,
-  NAME:                      "idempotencyKey",
-  KIND:                      "idempotency-key",
-};
+module.exports = gateContract.defineParser({
+  name:       "idempotency-key",
+  entry:      validate,
+  errorClass: GuardIdempotencyKeyError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    NAME: "idempotencyKey",
+    KIND: "idempotency-key",
+  },
+});

package/lib/guard-image.js

@@ -394,12 +394,7 @@ function sanitize(input, opts) {
     throw _err("image.bad-input", "sanitize requires metadata object");
   }
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "image.refused",
-        "guardImage.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardImageError, codePrefix: "image" });
   return input;
 }
 
@@ -461,70 +456,11 @@ function gate(opts) {
     });
 }
 
-/**
- * @primitive b.guardImage.buildProfile
- * @signature b.guardImage.buildProfile(opts)
- * @since     0.7.13
- * @status    stable
- * @related   b.guardImage.compliancePosture, b.guardImage.gate
- *
- * Resolve a named profile against the guard's PROFILES catalog and
- * return the merged options bag. Throws
- * `GuardImageError("image.bad-profile")` on unknown name.
- *
- * @opts
- *   profile: "strict"|"balanced"|"permissive",
- *
- * @example
- *   var resolved = b.guardImage.buildProfile({ profile: "strict" });
- *   resolved.maxWidth;                                   // → 8192
- *   resolved.polyglotPolicy;                             // → "reject"
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardImage.compliancePosture
- * @signature  b.guardImage.compliancePosture(name)
- * @since      0.7.13
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardImage.gate, b.guardImage.buildProfile
- *
- * Return the option overlay for a named compliance posture
- * (`"hipaa"` / `"pci-dss"` / `"gdpr"` / `"soc2"`). Throws
- * `GuardImageError("image.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardImage.compliancePosture("hipaa");
- *   posture.mismatchPolicy;                              // → "reject"
- *   posture.forensicSnippetBytes;                        // → 256
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "image");
-}
-
-var _imgRulePacks = gateContract.makeRulePackLoader(GuardImageError, "image");
-/**
- * @primitive b.guardImage.loadRulePack
- * @signature b.guardImage.loadRulePack(pack)
- * @since     0.7.13
- * @status    stable
- * @related   b.guardImage.gate
- *
- * Register an operator-supplied rule pack (extra MIME / dimension /
- * polyglot overrides) into the guard's private store. Throws
- * `GuardImageError("image.bad-opt")` when `pack` is missing or
- * `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardImage.loadRulePack({
- *     id: "kb-2026-image",
- *     extraMaxFrames: 30,
- *   });
- *   pack.id;                                             // → "kb-2026-image"
- */
-var loadRulePack = _imgRulePacks.load;
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below (makeProfileBuilder(PROFILES) /
+// lookupCompliancePosture(_, COMPLIANCE_POSTURES) / makeRulePackLoader).
+// Their wiki sections render from the single-sourced @abiTemplate blocks
+// in gate-contract.js, instantiated per guard by the page generator.
 
 /**
  * @primitive b.guardImage.inspectMagic
@@ -549,36 +485,43 @@ function inspectMagic(bytes) {
   return _detectMagicMimes(bytes);
 }
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "image",
-  KIND:                "metadata",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "metadata",
-    benignBytes:       Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
-    // Hostile: declared image/png but bytes are JPEG (mime-mismatch class —
-    // drive-by content-type confusion / decoder-mux).
-    hostileBytes:      Buffer.from([0xFF, 0xD8, 0xFF]),
-    benignMetadata: {
-      bytes: Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
-      declaredMime: "image/png",
-      width: 100, height: 100, frames: 1,                                        // pixel + frame count fixture
-    },
-    hostileMetadata: {
-      bytes: Buffer.from([0xFF, 0xD8, 0xFF]),
-      declaredMime: "image/png",
-    },
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  inspectMagic:        inspectMagic,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardImageError:     GuardImageError,
-};
+// ---- adaptive integration-test fixtures (consumed by layer-5 host harness) ----
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "metadata",
+  benignBytes:       Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
+  // Hostile: declared image/png but bytes are JPEG (mime-mismatch class —
+  // drive-by content-type confusion / decoder-mux).
+  hostileBytes:      Buffer.from([0xFF, 0xD8, 0xFF]),
+  benignMetadata: {
+    bytes: Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
+    declaredMime: "image/png",
+    width: 100, height: 100, frames: 1,                                        // pixel + frame count fixture
+  },
+  hostileMetadata: {
+    bytes: Buffer.from([0xFF, 0xD8, 0xFF]),
+    declaredMime: "image/png",
+  },
+});
+
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
+// compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize / gate) and the image extra (inspectMagic)
+// passed through verbatim. KIND="metadata" is a custom kind, so the bespoke
+// `gate` (operator-feeds-metadata ctx.metadata reader) is REQUIRED and
+// carries the magic-byte / polyglot / dimension chain unchanged.
+module.exports = gateContract.defineGuard({
+  name:        "image",
+  kind:        "metadata",
+  errorClass:  GuardImageError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  gate:        gate,
+  extra: {
+    inspectMagic: inspectMagic,
+  },
+});

package/lib/guard-imap-command.js

@@ -82,6 +82,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var GuardImapCommandError = defineClass("GuardImapCommandError", { alwaysPermanent: true });
 
@@ -120,12 +121,7 @@ var PROFILES = Object.freeze({
   },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 // IMAP4rev2 commands per RFC 9051 §6.
 var KNOWN_VERBS = Object.freeze({
@@ -309,29 +305,19 @@ function detectLiteralSmuggling(line) {
   return LITERAL_SMUGGLE_RE.test(line);                                                               // allow:regex-no-length-cap — caller's input is already length-capped upstream by the listener's per-line cap
 }
 
-/**
- * @primitive b.guardImapCommand.compliancePosture
- * @signature b.guardImapCommand.compliancePosture(posture)
- * @since     0.9.49
- * @status    stable
- *
- * Return the effective profile for a compliance posture, or `null`
- * for unknown names.
- *
- * @example
- *   b.guardImapCommand.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
-module.exports = {
-  validate:                  validate,
-  detectLiteralSmuggling:    detectLiteralSmuggling,
-  compliancePosture:         compliancePosture,
-  PROFILES:                  PROFILES,
-  COMPLIANCE_POSTURES:       COMPLIANCE_POSTURES,
-  KNOWN_VERBS:               KNOWN_VERBS,
-  ZERO_ARG_VERBS:            ZERO_ARG_VERBS,
-  GuardImapCommandError:     GuardImapCommandError,
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "imap-command",
+  entry:      validate,
+  errorClass: GuardImapCommandError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    detectLiteralSmuggling: detectLiteralSmuggling,
+    KNOWN_VERBS:            KNOWN_VERBS,
+    ZERO_ARG_VERBS:         ZERO_ARG_VERBS,
+  },
+});

package/lib/guard-jmap.js

@@ -59,6 +59,7 @@
 var { defineClass } = require("./framework-error");
 var safeJson = require("./safe-json");
 var validateOpts = require("./validate-opts");
+var gateContract = require("./gate-contract");
 
 var GuardJmapError = defineClass("GuardJmapError", { alwaysPermanent: true });
 
@@ -91,12 +92,7 @@ var PROFILES = Object.freeze({
   },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 // Capability URIs the server's core JMAP implementation always supports.
 // Additional capabilities (mail / contacts / calendars / submission)
@@ -295,27 +291,17 @@ function _countBackRefs(node, depth, maxDepth) {
   return maxO;
 }
 
-/**
- * @primitive b.guardJmap.compliancePosture
- * @signature b.guardJmap.compliancePosture(posture)
- * @since     0.9.50
- * @status    stable
- *
- * Return the effective profile for a compliance posture, or `null`
- * for unknown names.
- *
- * @example
- *   b.guardJmap.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
-module.exports = {
-  validate:              validate,
-  compliancePosture:     compliancePosture,
-  PROFILES:              PROFILES,
-  COMPLIANCE_POSTURES:   COMPLIANCE_POSTURES,
-  CORE_CAPABILITIES:     CORE_CAPABILITIES,
-  GuardJmapError:        GuardJmapError,
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "jmap",
+  entry:      validate,
+  errorClass: GuardJmapError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    CORE_CAPABILITIES: CORE_CAPABILITIES,
+  },
+});

package/lib/guard-json.js

@@ -820,115 +820,45 @@ function gate(opts) {
     });
 }
 
-/**
- * @primitive  b.guardJson.buildProfile
- * @signature  b.guardJson.buildProfile(opts)
- * @since      0.7.13
- * @status     stable
- * @related    b.guardJson.gate, b.guardJson.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name (`"strict"` /
- * `"balanced"` / `"permissive"`) or an array of names; later entries
- * shadow earlier ones. Inline `opts` keys win last. Used to keep
- * operator-defined profiles traceable to a baseline rather than re-
- * typing every key.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guard-json key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardJson.buildProfile({
- *     extends: "balanced",
- *     pollutionPolicy: "reject",
- *     maxDepth: 16,
- *   });
- *   custom.pollutionPolicy;                             // → "reject"
- *   custom.maxDepth;                                    // → 16
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardJson.compliancePosture
- * @signature  b.guardJson.compliancePosture(name)
- * @since      0.7.13
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardJson.gate, b.guardJson.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of the
- * posture object — the caller may mutate freely. Throws
- * `GuardJsonError("json.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardJson.compliancePosture("hipaa");
- *   posture.pollutionPolicy;                            // → "reject"
- *   posture.forensicSnippetBytes;                       // → 256
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES, _err, "json");
-}
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below (makeProfileBuilder(PROFILES) /
+// lookupCompliancePosture(_, COMPLIANCE_POSTURES) / makeRulePackLoader).
+// Their wiki sections render from the single-sourced @abiTemplate blocks
+// in gate-contract.js, instantiated per guard by the page generator.
+
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:         "content",
+  contentType:  "application/json",
+  extension:    ".json",
+  benignBytes:  Buffer.from('{"name":"alice","age":30}', "utf8"),
+  // Hostile: prototype-pollution payload (CVE-2025-55182 React Server
+  // Functions class; CVE-2025-57820 Svelte devalue class).
+  hostileBytes: Buffer.from('{"__proto__":{"polluted":true}}', "utf8"),
+});
 
-var _jsonRulePacks = gateContract.makeRulePackLoader(GuardJsonError, "json");
-/**
- * @primitive  b.guardJson.loadRulePack
- * @signature  b.guardJson.loadRulePack(pack)
- * @since      0.7.13
- * @status     stable
- * @related    b.guardJson.gate
- *
- * Register an operator-supplied rule pack with the guard-json
- * registry. The pack is identified by `pack.id` (non-empty string)
- * and stored for later inspection / dispatch by gates that opt in
- * via `opts.rulePackId`. Returns the pack object unchanged on
- * success; throws `GuardJsonError("json.bad-opt")` when `pack` is
- * missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardJson.loadRulePack({
- *     id: "tenant-keys",
- *     rules: [
- *       { id: "tenant-id-shape", severity: "high",
- *         detect: function (tree) { return !tree || typeof tree.tenantId !== "string"; },
- *         reason: "tenantId must be a string at top level" },
- *     ],
- *   });
- *   pack.id;                                            // → "tenant-keys"
- */
-var loadRulePack = _jsonRulePacks.load;
-
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "json",
-  KIND:                "content",
-  MIME_TYPES:          Object.freeze([
-    "application/json", "application/ld+json", "application/vnd.api+json",
-  ]),
-  EXTENSIONS:          Object.freeze([".json", ".jsonld"]),
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:         "content",
-    contentType:  "application/json",
-    extension:    ".json",
-    benignBytes:  Buffer.from('{"name":"alice","age":30}', "utf8"),
-    // Hostile: prototype-pollution payload (CVE-2025-55182 React Server
-    // Functions class; CVE-2025-57820 Svelte devalue class).
-    hostileBytes: Buffer.from('{"__proto__":{"polluted":true}}', "utf8"),
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  parse:               parse,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  POLLUTION_KEYS:      POLLUTION_KEYS,
-  GuardJsonError:      GuardJsonError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / MIME_TYPES / EXTENSIONS / INTEGRATION_FIXTURES),
+// buildProfile / compliancePosture / loadRulePack wiring, plus the
+// per-guard inspection surface (validate / parse) and JSON extras
+// (POLLUTION_KEYS) passed through verbatim. The bespoke `gate` carries
+// JSON's sanitize-reparse-reserialize chain unchanged.
+module.exports = gateContract.defineGuard({
+  name:        "json",
+  kind:        "content",
+  errorClass:  GuardJsonError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  mimeTypes:   ["application/json", "application/ld+json", "application/vnd.api+json"],
+  extensions:  [".json", ".jsonld"],
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  gate:        gate,
+  extra: {
+    parse:          parse,
+    POLLUTION_KEYS: POLLUTION_KEYS,
+  },
+});
 
 void BIDI_RE;       // referenced via codepointClass.detectCharThreats; binding kept for clarity
 void C0_CTRL_RE;