@blamejs/core 0.14.26 → 0.15.0

package/lib/router.js

@@ -42,6 +42,7 @@ var lazyRequire = require("./lazy-require");
 var safeAsync = require("./safe-async");
 var safeEnv = require("./parsers/safe-env");
 var safeUrl = require("./safe-url");
+var validateOpts = require("./validate-opts");
 var websocket = require("./websocket");
 var { boot } = require("./log");
 var { RouterError } = require("./framework-error");
@@ -301,6 +302,13 @@ class Router {
   constructor(opts) {
     opts = opts || {};
     this.routes = [];
+    // Registration-ordered middleware table. Each entry is
+    // `{ prefix, prefixSegments, fn }`: `prefix === null` is a global
+    // middleware (runs on every request); a non-null `prefix` is a
+    // path-scoped middleware that runs only when the request path
+    // matches the prefix on segment boundaries. Path-scoped and global
+    // entries interleave in registration order so a gate registered
+    // before a route still runs before it.
     this.middleware = [];
     // WebSocket routes are kept separate from HTTP routes — they're
     // matched on the upgrade / Extended CONNECT nodePath, not on a method
@@ -453,8 +461,23 @@ class Router {
     return conns.length;
   }
 
-  use(fn) {
-    this.middleware.push(fn);
+  // use(mw)                       — global middleware (runs on every request)
+  // use(mw1, mw2, ...)            — several global middlewares, in order
+  // use(prefix, mw1, mw2, ...)    — path-scoped: mw runs only when the
+  //                                 request path is at or beneath `prefix`
+  //                                 on segment boundaries ("/admin" covers
+  //                                 "/admin" + "/admin/x", not "/administrator")
+  // use([prefixA, prefixB], mw)   — scoped to any of several prefixes
+  //
+  // Bad input throws at config time (a non-string / non-array prefix, a
+  // prefix that doesn't begin with "/", a non-function middleware) so an
+  // operator wiring typo surfaces at boot instead of silently dropping a
+  // security gate or 500-ing every request.
+  use() {
+    var entries = _normalizeUseArgs(Array.prototype.slice.call(arguments));
+    for (var i = 0; i < entries.length; i++) {
+      this.middleware.push(entries[i]);
+    }
   }
 
   // Internal: split a route registration's args into { spec, handlers }.
@@ -687,8 +710,24 @@ class Router {
     }
     req.query = Object.fromEntries(queryEntries);
 
-    // Run middleware
-    for (var mw of this.middleware) {
+    // Run middleware in registration order. Global entries
+    // (prefixSegmentsList === null) run on every request; path-scoped
+    // entries run only when req.pathname is at or beneath one of the
+    // mount's prefixes (segment-boundary match). A skipped scoped
+    // middleware does NOT short-circuit the chain — the next entry
+    // still runs.
+    for (var entry of this.middleware) {
+      if (entry.prefixSegmentsList !== null) {
+        var matched = false;
+        for (var pli = 0; pli < entry.prefixSegmentsList.length; pli++) {
+          if (_pathMatchesPrefix(entry.prefixSegmentsList[pli], req.pathname)) {
+            matched = true;
+            break;
+          }
+        }
+        if (!matched) continue;
+      }
+      var mw = entry.fn;
       var next = false;
       try {
         await mw(req, res, () => (next = true));
@@ -1206,6 +1245,152 @@ class Router {
   }
 }
 
+// ---- Path-scoped `use()` helpers ----
+//
+// These back `Router.use(prefix, mw)`. They live after the class
+// (hoisted function declarations are visible to the methods regardless
+// of source order) so the class methods sit contiguous with the
+// route-matching helpers above.
+
+// Compile a `use(prefix, mw)` path prefix into the segment list the
+// matcher walks. A prefix is the literal-segment portion of a path
+// ("/admin", "/.well-known/jmap") — parameter segments (":id") are not
+// meaningful for a mounting prefix, so they're treated as literals.
+//
+// Normalization mirrors route-pattern handling: split on "/" and drop a
+// single trailing-slash artifact so "/admin" and "/admin/" mount the
+// same. The leading empty segment from the leading "/" is preserved so
+// the prefix anchors at the path root (a prefix that does not begin with
+// "/" is refused at the use() entry point).
+function _compilePrefix(prefix) {
+  var segments = prefix.split("/");
+  // A trailing "/" produces a final empty segment ("/admin/" → ["", "admin", ""]).
+  // Drop it so the trailing slash doesn't force an extra path segment.
+  if (segments.length > 1 && segments[segments.length - 1] === "") {
+    segments.pop();
+  }
+  return segments;
+}
+
+// True when `pathname` is at or beneath the mounting prefix, matching on
+// segment boundaries. "/admin" matches "/admin" and "/admin/x" but NOT
+// "/administrator" (Express-style segment semantics) — a substring
+// prefix that lands mid-segment is a no-match so a security gate scoped
+// to "/admin" never leaks onto a sibling path that merely shares a
+// textual prefix.
+function _pathMatchesPrefix(prefixSegments, pathname) {
+  var pathSegments = pathname.split("/");
+  if (pathSegments.length < prefixSegments.length) return false;
+  // Compare segment-for-segment. This is routing metadata (public URL
+  // path), not secret material, so an ordinary equality walk is correct
+  // — no constant-time comparison is warranted.
+  return prefixSegments.every(function (seg, i) {
+    return pathSegments[i] === seg;
+  });
+}
+
+// Classify the first `use()` argument:
+//   function          → global mount (prefixes stays null)
+//   string / string[] → path-scoped mount (one or more prefixes)
+//   anything else     → operator wiring typo, refused at config time
+// Returns the prefix array (or null for a global mount). Does not touch
+// the middleware functions — the caller validates those.
+function _usePrefixesFromFirstArg(first) {
+  if (typeof first === "function") return null;
+  if (typeof first !== "string" && !Array.isArray(first)) {
+    throw new RouterError("router/use-bad-first-arg",
+      "router.use: first argument must be a middleware function, a path " +
+      "prefix string, or an array of prefix strings (got " +
+      (first === null ? "null" : typeof first) + ")");
+  }
+  var prefixes = Array.isArray(first) ? first : [first];
+  if (prefixes.length === 0) {
+    throw new RouterError("router/use-empty-prefix-array",
+      "router.use: path-prefix array must contain at least one prefix string");
+  }
+  // Array-of-non-empty-strings shape (the index-pointing throw on a
+  // non-string / empty entry) is the shared validate-opts contract.
+  validateOpts.optionalNonEmptyStringArray(
+    prefixes, "router.use: path prefix", RouterError, "router/use-prefix-not-string");
+  // Prefix-specific grammar: anchor at "/" + bounded length.
+  for (var i = 0; i < prefixes.length; i++) {
+    var grammarErr = _prefixGrammarError(prefixes[i]);
+    if (grammarErr) throw grammarErr;
+  }
+  return prefixes;
+}
+
+// Return a RouterError describing why `prefix` is not a valid mounting
+// prefix, or null when it is valid. Split out so the per-prefix grammar
+// check is one branch, not an inline throw-block in the loop.
+function _prefixGrammarError(prefix) {
+  if (prefix.charAt(0) !== "/") {
+    return new RouterError("router/use-prefix-not-absolute",
+      "router.use: path prefix '" + prefix + "' must begin with '/'");
+  }
+  if (prefix.length > MAX_ROUTE_PATTERN_LEN) {
+    return new RouterError("router/use-prefix-too-long",
+      "router.use: path prefix exceeds " + MAX_ROUTE_PATTERN_LEN +
+      " chars (got " + prefix.length + ")");
+  }
+  return null;
+}
+
+// Index of the first non-function entry in `fns`, or -1 when all are
+// functions. Kept separate so the middleware-shape check is a scan, not
+// an inline throw inside the normalize flow.
+function _firstNonFunctionIndex(fns) {
+  for (var i = 0; i < fns.length; i++) {
+    if (typeof fns[i] !== "function") return i;
+  }
+  return -1;
+}
+
+// Validate + normalize the `use()` arguments into middleware-table
+// entries. Config-time entry-point tier: a non-string / non-array-of-
+// strings prefix or a non-function middleware is an operator wiring
+// typo and throws so it surfaces at boot, not as a silent dropped gate
+// or a request-time 500. Returns one entry per middleware function:
+//   { prefix: null,        prefixSegmentsList: null,        fn }  — global
+//   { prefix: "/admin",    prefixSegmentsList: [[...], ...], fn }  — scoped
+// A scoped entry matches when ANY of its prefixes match the request
+// path on segment boundaries; the fn runs at most once per request even
+// when two of its prefixes both match (nested prefixes), so a gate never
+// double-executes.
+function _normalizeUseArgs(args) {
+  if (args.length === 0) {
+    throw new RouterError("router/use-no-args",
+      "router.use: requires at least one middleware function");
+  }
+  var prefixes = _usePrefixesFromFirstArg(args[0]);
+  // Global mount uses every arg as a middleware; a scoped mount drops the
+  // leading prefix arg and uses the rest.
+  var fns = (prefixes === null) ? args : args.slice(1);
+  if (fns.length === 0) {
+    throw new RouterError("router/use-no-middleware",
+      "router.use: path-scoped mount requires at least one middleware " +
+      "function after the prefix");
+  }
+  var nonFn = _firstNonFunctionIndex(fns);
+  if (nonFn !== -1) {
+    throw new RouterError("router/use-middleware-not-function",
+      "router.use: middleware at position " + nonFn +
+      " must be a function (got " +
+      (fns[nonFn] === null ? "null" : typeof fns[nonFn]) + ")");
+  }
+  // Pre-compile each prefix to its segment list once at registration so
+  // dispatch only walks segments, never re-splits the prefix per request.
+  var segmentsList = (prefixes === null) ? null : prefixes.map(_compilePrefix);
+  var label = (prefixes === null) ? null
+            : (prefixes.length === 1 ? prefixes[0] : prefixes.slice());
+  // One entry per fn, preserving the order each middleware was passed —
+  // a path-scoped mount with two middlewares interleaves them in
+  // registration order just like two separate use() calls would.
+  return fns.map(function (fn) {
+    return { prefix: label, prefixSegmentsList: segmentsList, fn: fn };
+  });
+}
+
 /**
  * @primitive b.router.serveStatic
  * @signature b.router.serveStatic(dir)
@@ -1266,7 +1451,7 @@ function serveStatic(dir) {
  *
  * Builds a `Router` instance with the framework's security-on-by-
  * default posture. Returned object exposes `get / post / put / patch
- * / delete` for route registration, `use(fn)` for global middleware,
+ * / delete` for route registration, `use(...)` for middleware,
  * `ws(path, handler, opts?)` for WebSocket routes, `onNotFound(fn)`
  * and `onError(fn)` for fallthrough hooks, `inspectRoutes()` and
  * `openapi()` for introspection, `closeWebSockets({ timeoutMs })`
@@ -1274,6 +1459,21 @@ function serveStatic(dir) {
  * which boots an HTTP/2-capable TLS server (ALPN h2 + http/1.1) when
  * `tlsOptions` is provided, an HTTP/1.1 server otherwise.
  *
+ * `use` has two forms. `use(mw)` (and `use(mw1, mw2, ...)`) mounts
+ * global middleware that runs on every request. `use(prefix, mw1,
+ * mw2, ...)` mounts path-scoped middleware that runs only when the
+ * request path is at or beneath `prefix`, matched on segment
+ * boundaries — `"/admin"` covers `"/admin"` and `"/admin/x"` but not
+ * `"/administrator"`. The prefix may be an array of strings to scope a
+ * gate to several path roots at once. Global and scoped middleware
+ * interleave in registration order, so a gate registered before a
+ * route still runs before it. A non-string / non-array prefix, a
+ * prefix not beginning with `"/"`, or a non-function middleware throws
+ * at registration time rather than dropping the gate or 500-ing every
+ * request — scope a security middleware (`csrf`, `bearerAuth`,
+ * `requireAal`, `requireMtls`) to a path with confidence it runs
+ * exactly where mounted.
+ *
  * @opts
  *   tls0Rtt:                "refuse" | "replay-cache",  // RFC 8446 §8 anti-replay; default "refuse"
  *   allowedRedirectOrigins: string[],                    // exact-match HTTPS origins for cross-origin res.redirect()
@@ -1286,6 +1486,13 @@ function serveStatic(dir) {
  *   router.get("/users/:id", function (req, res) {
  *     res.json({ id: req.params.id });
  *   });
+ *
+ *   // Global middleware — runs on every request.
+ *   router.use(b.middleware.securityHeaders());
+ *
+ *   // Path-scoped middleware — the step-up gate runs only under /admin.
+ *   router.use("/admin", b.middleware.requireAal({ minimum: "AAL2" }));
+ *
  *   router.listen(3000);
  */
 function create(opts) {

package/lib/safe-dns.js

@@ -57,6 +57,7 @@
 
 var C                  = require("./constants");
 var { defineClass }    = require("./framework-error");
+var gateContract       = require("./gate-contract");
 
 var SafeDnsError = defineClass("SafeDnsError", { alwaysPermanent: true });
 
@@ -153,11 +154,15 @@ var PROFILES = Object.freeze({
   },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
+
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: SafeDnsError,
+  codePrefix: "safe-dns",
+  byObject:   true,
 });
 
 /**
@@ -349,22 +354,6 @@ function checkCnameChainDepth(depth, opts) {
   }
 }
 
-/**
- * @primitive b.safeDns.compliancePosture
- * @signature b.safeDns.compliancePosture(posture)
- * @since     0.9.31
- * @status    stable
- *
- * Return the effective profile name for a compliance posture, or
- * `null` for unknown posture names (operator typo surfaces here).
- *
- * @example
- *   b.safeDns.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
 function _readName(state, pointerDepth) {
   if (pointerDepth > state.caps.maxPointerDepth) {
     throw new SafeDnsError("safe-dns/oversize-pointer-depth",
@@ -639,27 +628,22 @@ function _decodeOpt(rr, caps) {
   };
 }
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return PROFILES[COMPLIANCE_POSTURES[opts.posture]];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new SafeDnsError("safe-dns/bad-profile",
-      "safeDns: unknown profile '" + p + "' (valid: strict / balanced / permissive)");
-  }
-  return PROFILES[p];
-}
-
-module.exports = {
-  parseResponse:        parseResponse,
-  boundEdns0:           boundEdns0,
-  checkCnameChainDepth: checkCnameChainDepth,
-  compliancePosture:    compliancePosture,
-  PROFILES:             PROFILES,
-  COMPLIANCE_POSTURES:  COMPLIANCE_POSTURES,
-  RTYPE_NAMES:          RTYPE_NAMES,
-  SafeDnsError:         SafeDnsError,
-  NAME:                 "dns",
-  KIND:                 "dns-response",
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "dns",
+  entry:      parseResponse,
+  entryName:  "parseResponse",
+  errorClass: SafeDnsError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    boundEdns0:           boundEdns0,
+    checkCnameChainDepth: checkCnameChainDepth,
+    RTYPE_NAMES:          RTYPE_NAMES,
+    NAME:                 "dns",
+    KIND:                 "dns-response",
+  },
+});

package/lib/safe-ical.js

@@ -81,6 +81,7 @@
 
 var C = require("./constants");
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var SafeIcalError = defineClass("SafeIcalError", { alwaysPermanent: true });
 
@@ -116,12 +117,7 @@ var PROFILES = Object.freeze({
   }),
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 // Property-name allowlist per RFC 5545 §8.7 (Property Registry) +
 // RFC 5546 §4.3 (iTIP additions) + RFC 7986 §5 (new calendar
@@ -273,24 +269,6 @@ function parse(text, opts) {
     : { vcalendar: vcalendars[0], vcalendars: vcalendars };
 }
 
-/**
- * @primitive b.safeIcal.compliancePosture
- * @signature b.safeIcal.compliancePosture(name)
- * @since     0.9.81
- * @status    stable
- * @related   b.safeIcal.parse
- *
- * Map a compliance-posture name to its profile. Returns the profile
- * string for a known posture, `null` for unknown names.
- *
- * @example
- *   b.safeIcal.compliancePosture("hipaa");   // → "strict"
- *   b.safeIcal.compliancePosture("loose");   // → null
- */
-function compliancePosture(name) {
-  return COMPLIANCE_POSTURES[name] || null;
-}
-
 // ---- Profile / opt resolution ----
 
 function _resolveCaps(opts) {
@@ -623,12 +601,19 @@ function _preview(s) {
   return s.length > 64 ? s.slice(0, 64) + "..." : s;                                                       // log-preview length cap
 }
 
-module.exports = {
-  parse:               parse,
-  compliancePosture:   compliancePosture,
-  PROFILES:            PROFILES,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  KNOWN_PROPERTIES:    KNOWN_PROPERTIES,
-  KNOWN_COMPONENTS:    KNOWN_COMPONENTS,
-  SafeIcalError:       SafeIcalError,
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "ical",
+  entry:      parse,
+  entryName:  "parse",
+  errorClass: SafeIcalError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    KNOWN_PROPERTIES: KNOWN_PROPERTIES,
+    KNOWN_COMPONENTS: KNOWN_COMPONENTS,
+  },
+});

package/lib/safe-icap.js

@@ -77,6 +77,7 @@
 
 var C                  = require("./constants");
 var { defineClass }    = require("./framework-error");
+var gateContract       = require("./gate-contract");
 
 var SafeIcapError = defineClass("SafeIcapError", { alwaysPermanent: true });
 
@@ -131,11 +132,15 @@ var PROFILES = Object.freeze({
   },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
+
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: SafeIcapError,
+  codePrefix: "safe-icap",
+  byObject:   true,
 });
 
 /**
@@ -257,22 +262,6 @@ function parse(buf, opts) {
   };
 }
 
-/**
- * @primitive b.safeIcap.compliancePosture
- * @signature b.safeIcap.compliancePosture(posture)
- * @since     0.9.81
- * @status    stable
- *
- * Return the effective profile name for a compliance posture, or
- * `null` for unknown posture names.
- *
- * @example
- *   b.safeIcap.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
 // ---- internals ----
 
 function _findHeaderEnd(buf, maxHeaderBytes) {
@@ -479,25 +468,20 @@ function _detectThreat(statusCode, headers) {
   return { found: found, name: name };
 }
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return PROFILES[COMPLIANCE_POSTURES[opts.posture]];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new SafeIcapError("safe-icap/bad-profile",
-      "safeIcap: unknown profile '" + p + "' (valid: strict / balanced / permissive)");
-  }
-  return PROFILES[p];
-}
-
-module.exports = {
-  parse:                parse,
-  compliancePosture:    compliancePosture,
-  PROFILES:             PROFILES,
-  COMPLIANCE_POSTURES:  COMPLIANCE_POSTURES,
-  ALLOWED_STATUS:       ALLOWED_STATUS,
-  SafeIcapError:        SafeIcapError,
-  NAME:                 "icap",
-  KIND:                 "icap-response",
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "icap",
+  entry:      parse,
+  entryName:  "parse",
+  errorClass: SafeIcapError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    ALLOWED_STATUS: ALLOWED_STATUS,
+    NAME:           "icap",
+    KIND:           "icap-response",
+  },
+});

package/lib/safe-sieve.js

@@ -49,6 +49,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var SafeSieveError = defineClass("SafeSieveError", { alwaysPermanent: true });
 
@@ -82,12 +83,7 @@ var PROFILES = Object.freeze({
   }),
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 // RFC 5228 §1.2 capability identifiers. Each entry lists whether the
 // framework's v0.9.55 interpreter implements the capability. Unknown
@@ -648,37 +644,22 @@ function validate(script, opts) {
   }
 }
 
-/**
- * @primitive  b.safeSieve.compliancePosture
- * @signature  b.safeSieve.compliancePosture(name)
- * @since      0.9.55
- * @status     stable
- * @related    b.safeSieve.parse, b.safeSieve.validate
- *
- * Look up the recommended profile name for a compliance posture
- * (`hipaa` / `pci-dss` / `gdpr` / `soc2`). Returns `"strict"` for any
- * known posture, `null` for unknown names. Operator-facing primitives
- * that thread `compliancePosture` opt through to safeSieve compose
- * this for the explicit-cast pattern when they need the name string
- * (rather than relying on `_resolveOpts` to do the lookup).
- *
- * @example
- *   b.safeSieve.compliancePosture("hipaa");            // → "strict"
- *   b.safeSieve.compliancePosture("loose");            // → null
- */
-function compliancePosture(name) {
-  return COMPLIANCE_POSTURES[name] || null;
-}
-
-module.exports = {
-  parse:              parse,
-  validate:           validate,
-  compliancePosture:  compliancePosture,
-  KNOWN_CAPABILITIES: KNOWN_CAPABILITIES,
-  PROFILES:           PROFILES,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  SafeSieveError:     SafeSieveError,
-  // Internal exports for the interpreter at lib/mail-sieve.js.
-  _tokenize:          _tokenize,
-  _resolveCaps:       _resolveCaps,
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "sieve",
+  entry:      parse,
+  entryName:  "parse",
+  errorClass: SafeSieveError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    validate:           validate,
+    KNOWN_CAPABILITIES: KNOWN_CAPABILITIES,
+    // Internal exports for the interpreter at lib/mail-sieve.js.
+    _tokenize:          _tokenize,
+    _resolveCaps:       _resolveCaps,
+  },
+});