@blamejs/core 0.14.26 → 0.15.0

package/lib/guard-stream-args.js

@@ -20,6 +20,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var GuardStreamArgsError = defineClass("GuardStreamArgsError", { alwaysPermanent: true });
 
@@ -31,11 +32,14 @@ var PROFILES = Object.freeze({
   permissive: { maxBatchSize: 16384, minBatchSize: 1, maxOpenStreams: 64  },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
+
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: GuardStreamArgsError,
+  codePrefix: "stream-args",
 });
 
 /**
@@ -90,23 +94,6 @@ function validate(args, opts) {
   return args;
 }
 
-/**
- * @primitive b.guardStreamArgs.compliancePosture
- * @signature b.guardStreamArgs.compliancePosture(posture)
- * @since     0.9.24
- * @status    stable
- *
- * Return the effective profile for a given compliance posture name.
- * Returns `null` for unknown posture names so operator typos surface
- * here instead of silently falling through to the default profile.
- *
- * @example
- *   b.guardStreamArgs.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
 function _checkCursorOpts(cursorOpts, depth) {
   depth = depth || 0;
   if (depth > 8) {                                                                                    // recursion depth cap
@@ -143,24 +130,18 @@ function _checkCursorOpts(cursorOpts, depth) {
   }
 }
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return COMPLIANCE_POSTURES[opts.posture];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new GuardStreamArgsError("stream-args/bad-profile",
-      "guardStreamArgs: unknown profile '" + p + "'");
-  }
-  return p;
-}
-
-module.exports = {
-  validate:              validate,
-  compliancePosture:     compliancePosture,
-  PROFILES:              PROFILES,
-  COMPLIANCE_POSTURES:   COMPLIANCE_POSTURES,
-  GuardStreamArgsError:  GuardStreamArgsError,
-  NAME:                  "streamArgs",
-  KIND:                  "stream-args",
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "stream-args",
+  entry:      validate,
+  errorClass: GuardStreamArgsError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    NAME: "streamArgs",
+    KIND: "stream-args",
+  },
+});

package/lib/guard-svg.js

@@ -1093,71 +1093,53 @@ function gate(opts) {
     });
 }
 
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive b.guardSvg.compliancePosture
- * @signature b.guardSvg.compliancePosture(name)
- * @since     0.7.7
- * @status    stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related   b.guardSvg.gate, b.compliance.set
- *
- * Look up a regulatory-posture override. Returns a shallow clone
- * of the named posture's option overlay; throws
- * `GuardSvgError` (`svg.bad-posture`) on unknown names. Operators
- * pass it through `gate({ compliancePosture: "hipaa" })` rather
- * than calling this directly — exposed for introspection and
- * audit-evidence collection.
- *
- * @example
- *   var hipaa = b.guardSvg.compliancePosture("hipaa");
- *   hipaa.bidiPolicy;                // → "reject"
- *   hipaa.allowExternalRefs;         // → false
- *   hipaa.allowAnimation;            // → false
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES, _err, "svg");
-}
-
-var _svgRulePacks = gateContract.makeRulePackLoader(GuardSvgError, "svg");
-var loadRulePack = _svgRulePacks.load;
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below (makeProfileBuilder(PROFILES) /
+// lookupCompliancePosture(_, COMPLIANCE_POSTURES) / makeRulePackLoader).
+// Their wiki sections render from the single-sourced @abiTemplate blocks
+// in gate-contract.js, instantiated per guard by the page generator.
 
 void safeUrl;
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "svg",
-  KIND:                "content",
-  MIME_TYPES:          Object.freeze(["image/svg+xml"]),
-  EXTENSIONS:          Object.freeze([".svg", ".svgz"]),
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:         "content",
-    contentType:  "image/svg+xml",
-    extension:    ".svg",
-    benignBytes:  Buffer.from('<svg><circle r="10"/></svg>', "utf8"),
-    // Hostile: <script> inside SVG; refused regardless of profile.
-    hostileBytes: Buffer.from('<svg><script>alert(1)</script></svg>', "utf8"),
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  DANGEROUS_TAGS:      DANGEROUS_TAGS,
-  ANIMATION_TAGS:      ANIMATION_TAGS,
-  ANIMATION_SAFE_TARGETS: ANIMATION_SAFE_TARGETS,
-  STRICT_ALLOWED_TAGS: STRICT_ALLOWED_TAGS,
-  BALANCED_ALLOWED_TAGS: BALANCED_ALLOWED_TAGS,
-  PERMISSIVE_ALLOWED_TAGS: PERMISSIVE_ALLOWED_TAGS,
-  DANGEROUS_ATTRS:     DANGEROUS_ATTRS,
-  URL_ATTRS:           URL_ATTRS,
-  SAFE_SCHEMES:        SAFE_SCHEMES,
-  DANGEROUS_SCHEMES:   DANGEROUS_SCHEMES,
-  GuardSvgError:       GuardSvgError,
-};
+// ---- adaptive integration-test fixtures (consumed by layer-5 host harness) ----
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:         "content",
+  contentType:  "image/svg+xml",
+  extension:    ".svg",
+  benignBytes:  Buffer.from('<svg><circle r="10"/></svg>', "utf8"),
+  // Hostile: <script> inside SVG; refused regardless of profile.
+  hostileBytes: Buffer.from('<svg><script>alert(1)</script></svg>', "utf8"),
+});
+
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / MIME_TYPES / EXTENSIONS / INTEGRATION_FIXTURES),
+// buildProfile / compliancePosture / loadRulePack wiring, plus the
+// per-guard inspection surface (validate / sanitize / gate) and the SVG
+// tag / scheme tables passed through verbatim. The bespoke `gate` carries
+// SVG's sanitize-reserialize chain and SVGZ refuse unchanged.
+module.exports = gateContract.defineGuard({
+  name:        "svg",
+  kind:        "content",
+  errorClass:  GuardSvgError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  mimeTypes:   ["image/svg+xml"],
+  extensions:  [".svg", ".svgz"],
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  gate:        gate,
+  extra: {
+    DANGEROUS_TAGS:          DANGEROUS_TAGS,
+    ANIMATION_TAGS:          ANIMATION_TAGS,
+    ANIMATION_SAFE_TARGETS:  ANIMATION_SAFE_TARGETS,
+    STRICT_ALLOWED_TAGS:     STRICT_ALLOWED_TAGS,
+    BALANCED_ALLOWED_TAGS:   BALANCED_ALLOWED_TAGS,
+    PERMISSIVE_ALLOWED_TAGS: PERMISSIVE_ALLOWED_TAGS,
+    DANGEROUS_ATTRS:         DANGEROUS_ATTRS,
+    URL_ATTRS:               URL_ATTRS,
+    SAFE_SCHEMES:            SAFE_SCHEMES,
+    DANGEROUS_SCHEMES:       DANGEROUS_SCHEMES,
+  },
+});

package/lib/guard-template.js

@@ -311,180 +311,43 @@ function sanitize(input, opts) {
     throw _err("template.bad-input", "sanitize requires string input");
   }
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "template.refused",
-        "guardTemplate.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardTemplateError, codePrefix: "template" });
   return input;
 }
 
-/**
- * @primitive  b.guardTemplate.gate
- * @signature  b.guardTemplate.gate(opts)
- * @since      0.7.13
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardTemplate.validate, b.guardTemplate.sanitize
- *
- * Build a `b.gateContract` gate that screens `ctx.identifier` (or
- * `ctx.text`) before any template engine renders the input.
- * Action chain: `serve` (no issues) → `audit-only` (warn-only) →
- * `refuse` (any `critical` or `high`). No `sanitize` action —
- * template input cannot be repaired. Compose into form handlers /
- * comment renderers / model fields fed to Mustache / Handlebars /
- * Liquid so operator-untrusted strings never reach the rendering
- * engine carrying engine syntax.
- *
- * @opts
- *   profile:                 "strict"|"balanced"|"permissive",
- *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
- *   name:                    string,    // override gate name in audit emissions
- *   jinjaPolicy:             "reject"|"audit"|"allow",
- *   erbPolicy:               "reject"|"audit"|"allow",
- *   pugPolicy:               "reject"|"audit"|"allow",
- *   dollarBracePolicy:       "reject"|"audit"|"allow",
- *   velocityDirectivePolicy: "reject"|"audit"|"allow",
- *   maxBytes:                number,
- *
- * @example
- *   var gate = b.guardTemplate.gate({ profile: "strict" });
- *
- *   gate({ identifier: "Hello {{7*7}}" }).then(function (rv) {
- *     rv.ok;                                           // → false
- *     rv.action;                                       // → "refuse"
- *   });
- *
- *   gate({ identifier: "Hello world" }).then(function (rv) {
- *     rv.action;                                       // → "serve"
- *   });
- */
-function gate(opts) {
-  opts = _resolveOpts(opts);
-  return gateContract.buildGuardGate(
-    opts.name || "guardTemplate:" + (opts.profile || "default"),
-    opts,
-    async function (ctx) {
-      var text = ctx && (ctx.identifier || ctx.text);
-      if (text === undefined || text === null) {
-        return { ok: true, action: "serve" };
-      }
-      var rv = validate(text, opts);
-      if (rv.issues.length === 0) return { ok: true, action: "serve" };
-      var hasCritical = rv.issues.some(function (i) {
-        return i.severity === "critical";
-      });
-      var hasHigh = rv.issues.some(function (i) {
-        return i.severity === "high";
-      });
-      if (!hasCritical && !hasHigh) {
-        return { ok: true, action: "audit-only", issues: rv.issues };
-      }
-      return { ok: false, action: "refuse", issues: rv.issues };
-    });
-}
+// gate / buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below. The gate is the standard
+// serve -> audit-only -> refuse chain (template input cannot be repaired, so
+// there is no sanitize action), dispatched to ctx.identifier || ctx.text via
+// the spec's ctxFields. Its wiki section renders from the single-sourced
+// @abiTemplate (defineGuard) blocks in gate-contract.js, instantiated per
+// guard by the page generator.
 
-/**
- * @primitive  b.guardTemplate.buildProfile
- * @signature  b.guardTemplate.buildProfile(opts)
- * @since      0.7.13
- * @status     stable
- * @related    b.guardTemplate.gate, b.guardTemplate.compliancePosture
- *
- * Compose a derived guardTemplate profile from one or more named
- * bases plus inline overrides. `opts.extends` is a profile name
- * (`"strict"` / `"balanced"` / `"permissive"`) or an array of
- * names; later entries shadow earlier ones. Inline `opts` keys win
- * last. Used to keep operator-defined profiles traceable to a
- * baseline rather than re-typing every key.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guardTemplate key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardTemplate.buildProfile({
- *     extends: "balanced",
- *     dollarBracePolicy: "reject",
- *   });
- *   custom.dollarBracePolicy;                          // → "reject"
- *   custom.jinjaPolicy;                                // → "reject"
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardTemplate.compliancePosture
- * @signature  b.guardTemplate.compliancePosture(name)
- * @since      0.7.13
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardTemplate.gate, b.guardTemplate.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardTemplateError("template.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardTemplate.compliancePosture("hipaa");
- *   posture.jinjaPolicy;                               // → "reject"
- *   posture.forensicSnippetBytes;                      // → 512
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "template");
-}
-
-var _tplRulePacks = gateContract.makeRulePackLoader(GuardTemplateError, "template");
-/**
- * @primitive  b.guardTemplate.loadRulePack
- * @signature  b.guardTemplate.loadRulePack(pack)
- * @since      0.7.13
- * @status     stable
- * @related    b.guardTemplate.gate
- *
- * Register an operator-supplied rule pack with the guardTemplate
- * registry. The pack is identified by `pack.id` (non-empty string)
- * and stored for later inspection / dispatch by gates that opt in
- * via `opts.rulePackId`. Returns the pack object unchanged on
- * success; throws `GuardTemplateError("template.bad-opt")` when
- * `pack` is missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardTemplate.loadRulePack({
- *     id: "no-prototype-keys",
- *     rules: [
- *       { id: "proto-key", severity: "critical",
- *         detect: function (text) { return /__proto__|constructor/.test(text); },
- *         reason: "input references prototype-pollution sink" },
- *     ],
- *   });
- *   pack.id;                                           // → "no-prototype-keys"
- */
-var loadRulePack = _tplRulePacks.load;
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "identifier",
+  benignBytes:       Buffer.from("Hello world", "utf8"),
+  hostileBytes:      Buffer.from("Hello {{7*7}}", "utf8"),
+  benignIdentifier:  "Hello world",
+  // Hostile: Jinja-shape SSTI probe.
+  hostileIdentifier: "Hello {{7*7}}",
+});
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "template",
-  KIND:                "identifier",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "identifier",
-    benignBytes:       Buffer.from("Hello world", "utf8"),
-    hostileBytes:      Buffer.from("Hello {{7*7}}", "utf8"),
-    benignIdentifier:  "Hello world",
-    // Hostile: Jinja-shape SSTI probe.
-    hostileIdentifier: "Hello {{7*7}}",
-  }),
-  // ---- primitive surface ----
-  validate:             validate,
-  sanitize:             sanitize,
-  gate:                 gate,
-  buildProfile:         buildProfile,
-  compliancePosture:    compliancePosture,
-  loadRulePack:         loadRulePack,
-  PROFILES:             PROFILES,
-  DEFAULTS:             DEFAULTS,
-  COMPLIANCE_POSTURES:  COMPLIANCE_POSTURES,
-  GuardTemplateError:   GuardTemplateError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), the default gate, buildProfile
+// / compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize) passed through verbatim. The gate is the
+// factory default serve -> audit-only -> refuse chain; ctxFields names the
+// ctx fields it reads (ctx.identifier, then ctx.text) so untrusted strings on
+// either field reach the SSTI validator before any engine renders them.
+module.exports = gateContract.defineGuard({
+  name:        "template",
+  kind:        "identifier",
+  errorClass:  GuardTemplateError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  ctxFields:   ["identifier", "text"],
+});

package/lib/guard-tenant-id.js

@@ -23,6 +23,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var GuardTenantIdError = defineClass("GuardTenantIdError", { alwaysPermanent: true });
 
@@ -34,15 +35,18 @@ var PROFILES = Object.freeze({
   permissive: { maxBytes: 512 },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 var RESERVED = Object.freeze({ "ROOT": true, "FRAMEWORK": true, "*": true });
 
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: GuardTenantIdError,
+  codePrefix: "tenant-id",
+});
+
 /**
  * @primitive b.guardTenantId.validate
  * @signature b.guardTenantId.validate(tenantId, opts?)
@@ -97,42 +101,19 @@ function validate(tenantId, opts) {
   return tenantId;
 }
 
-/**
- * @primitive b.guardTenantId.compliancePosture
- * @signature b.guardTenantId.compliancePosture(posture)
- * @since     0.9.26
- * @status    stable
- *
- * Return the effective profile for a given compliance posture name.
- * Returns `null` for unknown posture names so operator typos surface
- * here instead of silently falling through to the default profile.
- *
- * @example
- *   b.guardTenantId.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return COMPLIANCE_POSTURES[opts.posture];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new GuardTenantIdError("tenant-id/bad-profile",
-      "guardTenantId: unknown profile '" + p + "'");
-  }
-  return p;
-}
-
-module.exports = {
-  validate:               validate,
-  compliancePosture:      compliancePosture,
-  PROFILES:               PROFILES,
-  COMPLIANCE_POSTURES:    COMPLIANCE_POSTURES,
-  RESERVED:               RESERVED,
-  GuardTenantIdError:     GuardTenantIdError,
-  NAME:                   "tenantId",
-  KIND:                   "tenant-id",
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "tenant-id",
+  entry:      validate,
+  errorClass: GuardTenantIdError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    RESERVED: RESERVED,
+    NAME:     "tenantId",
+    KIND:     "tenant-id",
+  },
+});