@blamejs/core 0.7.45 → 0.7.47

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.47** (2026-05-05) — `b.guardMime` — RFC 6838 media-type identifier-safety primitive (KIND="identifier"). Validates user-supplied media type strings destined for Accept-shape comparison, content-type allowlists, and dispatch routing. Threat catalog: shape malformation (missing `/`, bad type/subtype tokens against RFC 6838 §4.2 restricted-name grammar); parameter validation against the RFC 7231 §3.1.1.1 tchar token grammar (token-only or quoted-string per RFC 7230 §3.2.6); wildcard (`type/subtype` with `*`) outside Accept context refuse; vendor tree (`vnd.*`), personal tree (`prs.*`), and unregistered (`x.*` / `x-*`) namespace audit so operators audit those slots; risky-type refuse list covering executable + script-host content types (`application/x-msdownload`, `application/x-bat`, `application/x-msdos-program`, `application/x-sh`, `application/x-csh`, `application/x-perl`, `application/x-python`, `application/javascript`, `application/x-javascript`, `text/javascript`, `text/x-javascript`, `application/x-shockwave-flash`, `application/x-msi`); BIDI / zero-width / control / null-byte universal refuse. `sanitize` lowercases type/subtype while preserving parameter case (multipart boundary tokens etc. are case-significant). Profiles: `strict` (refuse wildcard + risky-type, audit trees + parameters), `balanced` (audit most things, allow vendor tree), `permissive` (universal-refuse class still refused). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
+
+- **0.7.46** (2026-05-05) — `b.guardTime` — RFC 3339 / ISO 8601 datetime identifier-safety primitive (KIND="identifier"). Validates user-supplied datetime strings destined for audit timestamps, scheduling, retention windows, query ranges, and cross-system event correlation. Threat catalog: shape malformation against the RFC 3339 §5.6 grammar; year-window overflow (default `[1970, 9999]`); naive datetime (no offset) refuse; non-UTC offset policy (strict requires `Z` / `+00:00`); leap-second `60` field policy (RFC 3339 §5.6 valid but parser-panic prone); excessive fractional precision cap (default 9 digits / nanoseconds); date-only and time-only refuse for full-datetime contexts; structural range violations (month / day-in-month / hour / minute / second); BIDI / zero-width / control / null-byte universal refuse. `sanitize` normalizes a space date/time separator to `T` and uppercases the trailing `z` UTC marker. Profiles: `strict` (refuse all of the above), `balanced` (refuse naive; audit non-UTC + leap + fractional + date/time-only), `permissive` (universal-refuse class still refused). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
+
 - **0.7.45** (2026-05-05) — `b.guardCidr` — CIDR identifier-safety primitive (KIND="identifier"). Validates user-supplied CIDR notation strings (IPv4 + IPv6) destined for network allowlists, ACLs, security-group rules, and tenant-boundary configuration. Threat catalog: shape malformation, IPv4 octet overflow + leading-zero refuse, IPv6 zero-group ambiguity, mask out-of-range (IPv4 32 / IPv6 128 ceiling), network-address misalignment (host bits set on a non-/32 / non-/128 prefix — common typo class), reserved-range membership covering all the IPv4 RFC 1918 private blocks (`10/8`, `172.16/12`, `192.168/16`) plus loopback `127/8`, link-local `169.254/16`, multicast `224/4`, class-E `240/4`, RFC 5737 documentation `192.0.2/24` + `198.51.100/24` + `203.0.113/24`, benchmarking `198.18/15`, CGNAT `100.64/10`, this-network `0/8`, plus IPv6 loopback `::1`, unspecified `::/128`, ULA `fc00::/7`, link-local `fe80::/10`, multicast `ff00::/8`, documentation `2001:db8::/32`, teredo, deprecated 6to4 `2002::/16`. Includes IPv4-mapped IPv6 dual-stack confusion detection (`::ffff:0:0/96` — CVE-2021-22931 IPv6 variant). Bare-IP-without-mask policy (strict refuses; balanced audits; permissive allows). BIDI / zero-width / control / null-byte universal refuse. Profiles: `strict` / `balanced` / `permissive`. Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
 
 - **0.7.44** (2026-05-05) — `b.guardUuid` — UUID identifier-safety primitive (KIND="identifier"). Validates user-supplied UUID strings per RFC 9562 (May 2024, obsoletes RFC 4122). Threat catalog: shape malformation across the four canonical forms (hyphenated 8-4-4-4-12, hyphenless 32-hex, Microsoft GUID braces `{…}`, `urn:uuid:` prefix); RFC 9562 §4.2 unassigned version digits (only 1-8 are defined); non-RFC 4122 variant bits (only the `10xx` high-bits family is the canonical UUID variant); nil UUID §5.9 / max UUID §5.10 sentinel-leak refuse; format policy enforcement (strict default = `hyphenated-only`); BIDI / zero-width / control / null-byte universal refuse via `lib/codepoint-class.js`. `sanitize` returns canonical lowercase hyphenated form (strips braces / urn prefix). Profiles: `strict` (hyphenated-only, refuse all sentinels and non-canonical forms), `balanced` (accept any form, audit sentinels), `permissive` (universal-refuse class still refused). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD; the adaptive integration harness picks it up automatically via the KIND="identifier" dispatcher.

package/index.js

@@ -113,6 +113,8 @@ var guardEmail = require("./lib/guard-email");
 var guardDomain = require("./lib/guard-domain");
 var guardUuid = require("./lib/guard-uuid");
 var guardCidr = require("./lib/guard-cidr");
+var guardTime = require("./lib/guard-time");
+var guardMime = require("./lib/guard-mime");
 var guardAll = require("./lib/guard-all");
 var ssrfGuard = require("./lib/ssrf-guard");
 var authHeader = require("./lib/auth-header");
@@ -257,6 +259,8 @@ module.exports = {
   guardDomain:      guardDomain,
   guardUuid:        guardUuid,
   guardCidr:        guardCidr,
+  guardTime:        guardTime,
+  guardMime:        guardMime,
   guardAll:         guardAll,
   ssrfGuard:        ssrfGuard,
   authHeader:       authHeader,

package/lib/framework-error.js

@@ -272,6 +272,22 @@ var GuardUuidError        = defineClass("GuardUuidError",        { alwaysPermane
 // IPv6 dual-stack confusion, BIDI / zero-width / control / null-byte
 // universal refuse. alwaysPermanent.
 var GuardCidrError        = defineClass("GuardCidrError",        { alwaysPermanent: true });
+// GuardTimeError covers RFC 3339 / ISO 8601 datetime identifier
+// violations: shape malformation, year-window overflow (pre-epoch /
+// far-future), naive datetime (no offset), non-UTC offset, leap-second
+// `60` field policy, excessive fractional precision, date-only /
+// time-only refuse, BIDI / zero-width / control / null-byte universal
+// refuse, structural range violations (month / day-in-month / hour /
+// minute / second). alwaysPermanent.
+var GuardTimeError        = defineClass("GuardTimeError",        { alwaysPermanent: true });
+// GuardMimeError covers RFC 6838 media-type identifier violations:
+// shape malformation (missing `/`, bad type/subtype tokens), parameter
+// injection (multiple params, bad name/value tokens, malformed quoted-
+// string), wildcard `*/*` outside Accept context, vendor / personal /
+// unregistered tree namespaces, risky-type refuse list (executable +
+// script-host content types), BIDI / zero-width / control / null-byte
+// universal refuse. alwaysPermanent.
+var GuardMimeError        = defineClass("GuardMimeError",        { alwaysPermanent: true });
 // DoraError covers DORA Article 17 incident-reporting workflow errors
 // (classification refusal, report-shape validation, ESA-template
 // generation, audit-chain integration). Permanent — these are
@@ -334,6 +350,8 @@ module.exports = {
   GuardDomainError:       GuardDomainError,
   GuardUuidError:         GuardUuidError,
   GuardCidrError:         GuardCidrError,
+  GuardTimeError:         GuardTimeError,
+  GuardMimeError:         GuardMimeError,
   DoraError:              DoraError,
   ComplianceError:        ComplianceError,
   SmtpPolicyError:        SmtpPolicyError,

package/lib/guard-all.js

@@ -92,6 +92,8 @@ var STANDALONE_GUARDS = [
   require("./guard-domain"),
   require("./guard-uuid"),
   require("./guard-cidr"),
+  require("./guard-time"),
+  require("./guard-mime"),
 ];
 
 // Framework-wide profile + posture vocabulary that every guard MUST

package/lib/guard-mime.js

@@ -0,0 +1,444 @@
+"use strict";
+/**
+ * guard-mime — Media-type identifier-safety primitive (b.guardMime).
+ *
+ * Validates user-supplied RFC 6838 media type strings destined for
+ * Accept-shape comparison, content-type allowlists, and dispatch
+ * routing. KIND="identifier" — consumes ctx.identifier (or ctx.mime).
+ *
+ * Threat catalog:
+ *   - Shape malformation — not RFC 6838 type/subtype grammar.
+ *   - Bad token characters — RFC 6838 §4.2 restricts type and subtype
+ *     to ALPHA / DIGIT / `!#$&-^_.+`. Spaces / quotes / Unicode reject.
+ *   - Parameter injection — operators sometimes pass through user-
+ *     supplied parameters (`text/plain; charset=...`); the grammar is
+ *     permissive enough to smuggle multiple parameters or bare values.
+ *   - Wildcard `* / *` and `type / *` — only valid in Accept-header
+ *     context; refused as a content-type at strict.
+ *   - Vendor tree without operator opt-in (`application/vnd.<vendor>`)
+ *     — flag at strict so operators audit the vendor namespace.
+ *   - Personal tree (`application/prs.*`) and unregistered (`x.*`) —
+ *     same flag class.
+ *   - Risky types refuse list — `application/x-msdownload`, `.x-bat`,
+ *     `.x-msdos-program`, `.x-sh`, `.x-csh`, `.javascript`,
+ *     `.x-javascript` (when handed off to a script-host).
+ *   - BIDI / zero-width / control / null-byte universal refuse.
+ *
+ *   var rv = b.guardMime.validate("application/json",
+ *                                 { profile: "strict" });
+ *   var safe = b.guardMime.sanitize("Application/JSON; charset=UTF-8",
+ *                                   { profile: "balanced" });
+ *   var g = b.guardMime.gate({ profile: "strict" });
+ */
+
+var codepointClass = require("./codepoint-class");
+var lazyRequire = require("./lazy-require");
+var gateContract = require("./gate-contract");
+var C = require("./constants");
+var numericBounds = require("./numeric-bounds");
+var { GuardMimeError } = require("./framework-error");
+
+var observability = lazyRequire(function () { return require("./observability"); });
+void observability;
+
+var _err = GuardMimeError.factory;
+
+// RFC 6838 type / subtype grammar. The `restricted-name` allows
+// ALPHA / DIGIT first, then ALPHA / DIGIT / `!#$&-^_.+`. Length cap
+// 127 octets per token.
+var TOKEN_RE = /^[A-Za-z0-9][A-Za-z0-9!#$&\-^_.+]{0,126}$/;
+
+// Parameter token (RFC 7231 §3.1.1.1): tchar set.
+var PARAM_TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
+
+// Quoted-string body (between double quotes) per RFC 7230 §3.2.6.
+var QUOTED_STRING_BODY_RE = /^[\t\x20-\x7e]*$/;                                   // allow:raw-byte-literal — printable ASCII range
+
+// Risky-type refuse list (operator-supplied scripts handed to a host).
+var RISKY_TYPES = Object.freeze([
+  "application/x-msdownload",
+  "application/x-bat",
+  "application/x-msdos-program",
+  "application/x-sh",
+  "application/x-csh",
+  "application/x-perl",
+  "application/x-python",
+  "application/javascript",
+  "application/x-javascript",
+  "text/javascript",
+  "text/x-javascript",
+  "application/x-shockwave-flash",
+  "application/x-msi",
+]);
+
+// ---- Profile presets ----
+
+var PROFILES = Object.freeze({
+  "strict": {
+    bidiPolicy:           "reject",
+    controlPolicy:        "reject",
+    nullBytePolicy:       "reject",
+    zeroWidthPolicy:      "reject",
+    wildcardPolicy:       "reject",
+    vendorTreePolicy:     "audit",
+    personalTreePolicy:   "audit",
+    unregisteredTreePolicy: "audit",
+    riskyTypePolicy:      "reject",
+    parameterPolicy:      "audit",
+    maxBytes:             C.BYTES.bytes(255),
+    maxRuntimeMs:         C.TIME.seconds(2),
+  },
+  "balanced": {
+    bidiPolicy:           "reject",
+    controlPolicy:        "reject",
+    nullBytePolicy:       "reject",
+    zeroWidthPolicy:      "reject",
+    wildcardPolicy:       "audit",
+    vendorTreePolicy:     "allow",
+    personalTreePolicy:   "audit",
+    unregisteredTreePolicy: "audit",
+    riskyTypePolicy:      "audit",
+    parameterPolicy:      "audit",
+    maxBytes:             C.BYTES.bytes(255),
+    maxRuntimeMs:         C.TIME.seconds(2),
+  },
+  "permissive": {
+    bidiPolicy:           "reject",                                              // BIDI refused at every profile
+    controlPolicy:        "reject",                                              // controls refused at every profile
+    nullBytePolicy:       "reject",                                              // null refused at every profile
+    zeroWidthPolicy:      "reject",                                              // zero-width refused at every profile
+    wildcardPolicy:       "allow",
+    vendorTreePolicy:     "allow",
+    personalTreePolicy:   "allow",
+    unregisteredTreePolicy: "allow",
+    riskyTypePolicy:      "audit",
+    parameterPolicy:      "allow",
+    maxBytes:             C.BYTES.bytes(255),
+    maxRuntimeMs:         C.TIME.seconds(2),
+  },
+});
+
+var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
+  mode: "enforce",
+}));
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  "hipaa":   Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(128),
+  }),
+  "pci-dss": Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(128),
+  }),
+  "gdpr":    Object.assign({}, PROFILES["balanced"], {
+    forensicSnippetBytes: C.BYTES.bytes(64),
+  }),
+  "soc2":    Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(256),
+  }),
+});
+
+function _resolveOpts(opts) {
+  return gateContract.resolveProfileAndPosture(opts, {
+    profiles:           PROFILES,
+    compliancePostures: COMPLIANCE_POSTURES,
+    defaults:           DEFAULTS,
+    errorClass:         GuardMimeError,
+    errCodePrefix:      "mime",
+  });
+}
+
+// ---- Parser ----
+
+function _splitTopLevel(input) {
+  // Returns { typeSubtype, params: [{name, value}], errors: [string] }.
+  // Splits on `;` outside quoted-strings.
+  var parts = [];
+  var inQuote = false;
+  var start = 0;
+  for (var i = 0; i < input.length; i += 1) {
+    var c = input.charAt(i);
+    if (c === '"' && (i === 0 || input.charAt(i - 1) !== "\\")) inQuote = !inQuote;
+    else if (!inQuote && c === ";") {
+      parts.push(input.slice(start, i));
+      start = i + 1;
+    }
+  }
+  parts.push(input.slice(start));
+  parts = parts.map(function (p) { return p.trim(); });
+  return parts;
+}
+
+function _detectIssues(input, opts) {
+  var issues = [];
+  if (typeof input !== "string") {
+    return [{ kind: "bad-input", severity: "high",
+              ruleId: "mime.bad-input",
+              snippet: "mime is not a string" }];
+  }
+  if (input.length === 0) {
+    return [{ kind: "empty", severity: "high",
+              ruleId: "mime.empty",
+              snippet: "mime is empty" }];
+  }
+  if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
+    return [{ kind: "mime-cap", severity: "high",
+              ruleId: "mime.mime-cap",
+              snippet: "mime input exceeds maxBytes " + opts.maxBytes }];
+  }
+
+  var charThreats = codepointClass.detectCharThreats(input, opts, "mime");
+  for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
+
+  var parts = _splitTopLevel(input);
+  var typeSubtype = parts[0];
+  var paramParts = parts.slice(1).filter(function (p) { return p.length > 0; });
+
+  // Type/subtype shape.
+  var slashAt = typeSubtype.indexOf("/");
+  if (slashAt === -1) {
+    issues.push({
+      kind: "mime-shape", severity: "high",
+      ruleId: "mime.mime-shape",
+      snippet: "missing `/` between type and subtype",
+    });
+    return issues;
+  }
+  var type = typeSubtype.slice(0, slashAt);
+  var subtype = typeSubtype.slice(slashAt + 1);
+
+  // Wildcard policy.
+  if ((type === "*" || subtype === "*") &&
+      opts.wildcardPolicy !== "allow") {
+    issues.push({
+      kind: "wildcard",
+      severity: opts.wildcardPolicy === "reject" ? "high" : "warn",
+      ruleId: "mime.wildcard",
+      snippet: "wildcard `" + typeSubtype + "` only valid in Accept " +
+               "headers; refused as content-type at strict",
+    });
+  }
+
+  // Token validation per type / subtype.
+  if (type !== "*") {
+    if (!TOKEN_RE.test(type)) {                                                  // allow:regex-no-length-cap — input bounded by maxBytes
+      issues.push({
+        kind: "type-shape", severity: "high",
+        ruleId: "mime.type-shape",
+        snippet: "type `" + type + "` is not a valid RFC 6838 " +
+                 "restricted-name token",
+      });
+    }
+  }
+  if (subtype !== "*") {
+    if (!TOKEN_RE.test(subtype)) {                                               // allow:regex-no-length-cap — input bounded by maxBytes
+      issues.push({
+        kind: "subtype-shape", severity: "high",
+        ruleId: "mime.subtype-shape",
+        snippet: "subtype `" + subtype + "` is not a valid RFC 6838 " +
+                 "restricted-name token",
+      });
+    }
+  }
+
+  // Tree-prefix detection.
+  var subtypeLower = subtype.toLowerCase();
+  if (subtypeLower.indexOf("vnd.") === 0 &&
+      opts.vendorTreePolicy !== "allow") {
+    issues.push({
+      kind: "vendor-tree",
+      severity: opts.vendorTreePolicy === "reject" ? "high" : "warn",
+      ruleId: "mime.vendor-tree",
+      snippet: "subtype `" + subtype + "` is in the vendor tree " +
+               "(`vnd.*`); audit the vendor namespace",
+    });
+  }
+  if (subtypeLower.indexOf("prs.") === 0 &&
+      opts.personalTreePolicy !== "allow") {
+    issues.push({
+      kind: "personal-tree",
+      severity: opts.personalTreePolicy === "reject" ? "high" : "warn",
+      ruleId: "mime.personal-tree",
+      snippet: "subtype `" + subtype + "` is in the personal tree " +
+               "(`prs.*`)",
+    });
+  }
+  if ((subtypeLower.indexOf("x.") === 0 || subtypeLower.indexOf("x-") === 0) &&
+      opts.unregisteredTreePolicy !== "allow") {
+    issues.push({
+      kind: "unregistered-tree",
+      severity: opts.unregisteredTreePolicy === "reject" ? "high" : "warn",
+      ruleId: "mime.unregistered-tree",
+      snippet: "subtype `" + subtype + "` is in the unregistered tree " +
+               "(`x.*` / `x-*`)",
+    });
+  }
+
+  // Risky-type refuse list (use lowercased canonical compare).
+  var canonical = (type + "/" + subtype).toLowerCase();
+  if (RISKY_TYPES.indexOf(canonical) !== -1 &&
+      opts.riskyTypePolicy !== "allow") {
+    issues.push({
+      kind: "risky-type",
+      severity: opts.riskyTypePolicy === "reject" ? "high" : "warn",
+      ruleId: "mime.risky-type",
+      snippet: "media type `" + canonical + "` is on the risky-type " +
+               "refuse list (executable / script-host class)",
+    });
+  }
+
+  // Parameter validation (all params at once — covers injection class).
+  if (paramParts.length > 0 && opts.parameterPolicy !== "allow") {
+    for (var pi = 0; pi < paramParts.length; pi += 1) {
+      var pp = paramParts[pi];
+      var eqAt = pp.indexOf("=");
+      if (eqAt === -1) {
+        issues.push({
+          kind: "param-shape",
+          severity: opts.parameterPolicy === "reject" ? "high" : "warn",
+          ruleId: "mime.param-shape",
+          snippet: "parameter `" + pp + "` missing `=` value separator",
+        });
+        continue;
+      }
+      var pname = pp.slice(0, eqAt).trim();
+      var pvalue = pp.slice(eqAt + 1).trim();
+      if (!PARAM_TOKEN_RE.test(pname)) {                                         // allow:regex-no-length-cap — name bounded by parameter length within maxBytes
+        issues.push({
+          kind: "param-name",
+          severity: opts.parameterPolicy === "reject" ? "high" : "warn",
+          ruleId: "mime.param-name",
+          snippet: "parameter name `" + pname + "` is not a valid " +
+                   "RFC 7231 §3.1.1.1 tchar token",
+        });
+      }
+      // Value: either a token or a quoted-string.
+      if (pvalue.length === 0) {
+        issues.push({
+          kind: "param-value-empty",
+          severity: opts.parameterPolicy === "reject" ? "high" : "warn",
+          ruleId: "mime.param-value-empty",
+          snippet: "parameter `" + pname + "` has empty value",
+        });
+      } else if (pvalue.charAt(0) === '"' &&
+                 pvalue.charAt(pvalue.length - 1) === '"') {
+        var inner = pvalue.slice(1, -1);
+        if (!QUOTED_STRING_BODY_RE.test(inner)) {                                // allow:regex-no-length-cap — value bounded within maxBytes
+          issues.push({
+            kind: "param-value-shape",
+            severity: opts.parameterPolicy === "reject" ? "high" : "warn",
+            ruleId: "mime.param-value-shape",
+            snippet: "parameter `" + pname + "` quoted-string contains " +
+                     "non-printable bytes (RFC 7230 §3.2.6)",
+          });
+        }
+      } else if (!PARAM_TOKEN_RE.test(pvalue)) {                                 // allow:regex-no-length-cap — value bounded within maxBytes
+        issues.push({
+          kind: "param-value-shape",
+          severity: opts.parameterPolicy === "reject" ? "high" : "warn",
+          ruleId: "mime.param-value-shape",
+          snippet: "parameter `" + pname + "` value `" + pvalue + "` " +
+                   "is not a valid token or quoted-string",
+        });
+      }
+    }
+  }
+
+  return issues;
+}
+
+function validate(input, opts) {
+  opts = _resolveOpts(opts);
+  numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
+    ["maxBytes"],
+    "guardMime.validate", GuardMimeError, "mime.bad-opt");
+  if (typeof input !== "string") {
+    return {
+      ok: false,
+      issues: [{ kind: "bad-input", severity: "high",
+                 ruleId: "mime.bad-input",
+                 snippet: "mime is not a string" }],
+    };
+  }
+  return gateContract.aggregateIssues(_detectIssues(input, opts));
+}
+
+function sanitize(input, opts) {
+  opts = _resolveOpts(opts);
+  if (typeof input !== "string") {
+    throw _err("mime.bad-input", "sanitize requires string input");
+  }
+  var issues = _detectIssues(input, opts);
+  for (var i = 0; i < issues.length; i += 1) {
+    if (issues[i].severity === "critical" || issues[i].severity === "high") {
+      throw _err(issues[i].ruleId || "mime.refused",
+        "guardMime.sanitize: " + issues[i].snippet);
+    }
+  }
+  // Normalize: lowercase the type/subtype; preserve parameter case
+  // because some parameter values are case-significant (e.g. boundary
+  // tokens in multipart/form-data).
+  var parts = _splitTopLevel(input);
+  var canonical = parts[0].toLowerCase();
+  return parts.slice(1).reduce(function (acc, p) {
+    return acc + "; " + p;
+  }, canonical);
+}
+
+function gate(opts) {
+  opts = _resolveOpts(opts);
+  return gateContract.buildGuardGate(
+    opts.name || "guardMime:" + (opts.profile || "default"),
+    opts,
+    async function (ctx) {
+      var identifier = ctx && (ctx.identifier || ctx.mime || "");
+      if (!identifier) return { ok: true, action: "serve" };
+      var rv = validate(identifier, opts);
+      if (rv.issues.length === 0) return { ok: true, action: "serve" };
+      var hasCritical = rv.issues.some(function (i) {
+        return i.severity === "critical";
+      });
+      var hasHigh = rv.issues.some(function (i) {
+        return i.severity === "high";
+      });
+      if (!hasCritical && !hasHigh) {
+        return { ok: true, action: "audit-only", issues: rv.issues };
+      }
+      return { ok: false, action: "refuse", issues: rv.issues };
+    });
+}
+
+var buildProfile = gateContract.makeProfileBuilder(PROFILES);
+
+function compliancePosture(name) {
+  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
+    _err, "mime");
+}
+
+var _mimeRulePacks = gateContract.makeRulePackLoader(GuardMimeError, "mime");
+var loadRulePack = _mimeRulePacks.load;
+
+module.exports = {
+  // ---- guard-* family registry exports ----
+  NAME:                "mime",
+  KIND:                "identifier",
+  INTEGRATION_FIXTURES: Object.freeze({
+    kind:              "identifier",
+    benignBytes:       Buffer.from("application/json", "utf8"),
+    hostileBytes:      Buffer.from("application/x-msdownload", "utf8"),
+    benignIdentifier:  "application/json",
+    // Hostile: risky-type — refused at strict (executable script-host
+    // class).
+    hostileIdentifier: "application/x-msdownload",
+  }),
+  // ---- primitive surface ----
+  validate:            validate,
+  sanitize:            sanitize,
+  gate:                gate,
+  buildProfile:        buildProfile,
+  compliancePosture:   compliancePosture,
+  loadRulePack:        loadRulePack,
+  PROFILES:            PROFILES,
+  DEFAULTS:            DEFAULTS,
+  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
+  GuardMimeError:      GuardMimeError,
+};

package/lib/guard-time.js

@@ -0,0 +1,420 @@
+"use strict";
+/**
+ * guard-time — RFC 3339 / ISO 8601 datetime identifier-safety primitive
+ * (b.guardTime).
+ *
+ * Validates user-supplied datetime strings destined for audit
+ * timestamps, scheduling, retention windows, query ranges, and
+ * cross-system event correlation. KIND="identifier" — consumes
+ * ctx.identifier (or ctx.timestamp).
+ *
+ * Threat catalog:
+ *   - Shape malformation — not RFC 3339 / ISO 8601 datetime.
+ *   - Pre-epoch / far-future — year before 1970 or after the
+ *     operator's far-future ceiling (default 9999); often a parsing
+ *     bug or sentinel-leak shape.
+ *   - Naive datetime (no offset) — strict refuses; downstream
+ *     interpretation depends on local timezone, breaks
+ *     cross-region equality.
+ *   - Non-UTC offset — strict accepts only `Z` / `+00:00`; balanced
+ *     accepts any offset; permissive allows naive too.
+ *   - Leap-second `60` in seconds field — RFC 3339 §5.6 explicitly
+ *     valid (`23:59:60Z` is a real wall-clock time); most parsers
+ *     panic. Flagged-by-default with operator policy.
+ *   - Excessive fractional precision — RFC 3339 allows any digits
+ *     after the dot but every consuming system has a cap; flag > 9
+ *     fractional digits.
+ *   - Date-only / time-only — refused for full-datetime contexts.
+ *   - Whitespace / control / null-byte / BIDI universal refuse.
+ *
+ *   var rv = b.guardTime.validate("2026-05-05T12:34:56Z",
+ *                                 { profile: "strict" });
+ *   var safe = b.guardTime.sanitize("2026-05-05T12:34:56.123+05:30",
+ *                                   { profile: "balanced" });
+ *   var g = b.guardTime.gate({ profile: "strict" });
+ */
+
+var codepointClass = require("./codepoint-class");
+var lazyRequire = require("./lazy-require");
+var gateContract = require("./gate-contract");
+var C = require("./constants");
+var numericBounds = require("./numeric-bounds");
+var { GuardTimeError } = require("./framework-error");
+
+var observability = lazyRequire(function () { return require("./observability"); });
+void observability;
+
+var _err = GuardTimeError.factory;
+
+// RFC 3339 §5.6 full-date + full-time grammar — anchored.
+//
+// Capture groups:
+//   1: year (4 digits)         2: month (2)         3: day (2)
+//   4: hour (2)                5: minute (2)        6: second (2; allows 60 for leap-second)
+//   7: fractional incl. dot (optional)              8: offset (Z or +HH:MM/-HH:MM)
+var RFC3339_RE = /^(\d{4})-(\d{2})-(\d{2})[Tt ](\d{2}):(\d{2}):(\d{2})(\.\d+)?([Zz]|[+-]\d{2}:\d{2})?$/;
+
+var DEFAULT_MIN_YEAR = 1970;                                                     // allow:raw-byte-literal — Unix epoch year
+var DEFAULT_MAX_YEAR = 9999;                                                     // allow:raw-byte-literal — RFC 3339 4-digit year ceiling
+var MAX_FRACTIONAL_DIGITS = 9;                                                   // allow:raw-byte-literal — nanosecond precision cap
+
+// ---- Profile presets ----
+
+var PROFILES = Object.freeze({
+  "strict": {
+    bidiPolicy:               "reject",
+    controlPolicy:             "reject",
+    nullBytePolicy:            "reject",
+    zeroWidthPolicy:           "reject",
+    naiveDatetimePolicy:       "reject",
+    nonUtcOffsetPolicy:        "reject",
+    leapSecondPolicy:          "reject",
+    fractionalDigitsPolicy:    "reject",
+    dateOnlyPolicy:            "reject",
+    timeOnlyPolicy:            "reject",
+    minYear:                   DEFAULT_MIN_YEAR,
+    maxYear:                   DEFAULT_MAX_YEAR,
+    maxFractionalDigits:       MAX_FRACTIONAL_DIGITS,
+    maxBytes:                  C.BYTES.bytes(64),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+  "balanced": {
+    bidiPolicy:               "reject",
+    controlPolicy:             "reject",
+    nullBytePolicy:            "reject",
+    zeroWidthPolicy:           "reject",
+    naiveDatetimePolicy:       "reject",
+    nonUtcOffsetPolicy:        "audit",
+    leapSecondPolicy:          "audit",
+    fractionalDigitsPolicy:    "audit",
+    dateOnlyPolicy:            "audit",
+    timeOnlyPolicy:            "audit",
+    minYear:                   DEFAULT_MIN_YEAR,
+    maxYear:                   DEFAULT_MAX_YEAR,
+    maxFractionalDigits:       MAX_FRACTIONAL_DIGITS,
+    maxBytes:                  C.BYTES.bytes(64),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+  "permissive": {
+    bidiPolicy:               "reject",                                          // BIDI refused at every profile
+    controlPolicy:             "reject",                                          // controls refused at every profile
+    nullBytePolicy:            "reject",                                          // null refused at every profile
+    zeroWidthPolicy:           "reject",                                          // zero-width refused at every profile
+    naiveDatetimePolicy:       "audit",
+    nonUtcOffsetPolicy:        "allow",
+    leapSecondPolicy:          "allow",
+    fractionalDigitsPolicy:    "allow",
+    dateOnlyPolicy:            "allow",
+    timeOnlyPolicy:            "allow",
+    minYear:                   DEFAULT_MIN_YEAR,
+    maxYear:                   DEFAULT_MAX_YEAR,
+    maxFractionalDigits:       MAX_FRACTIONAL_DIGITS,
+    maxBytes:                  C.BYTES.bytes(64),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+});
+
+var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
+  mode: "enforce",
+}));
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  "hipaa":   Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(128),
+  }),
+  "pci-dss": Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(128),
+  }),
+  "gdpr":    Object.assign({}, PROFILES["balanced"], {
+    forensicSnippetBytes: C.BYTES.bytes(64),
+  }),
+  "soc2":    Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(256),
+  }),
+});
+
+function _resolveOpts(opts) {
+  return gateContract.resolveProfileAndPosture(opts, {
+    profiles:           PROFILES,
+    compliancePostures: COMPLIANCE_POSTURES,
+    defaults:           DEFAULTS,
+    errorClass:         GuardTimeError,
+    errCodePrefix:      "time",
+  });
+}
+
+// ---- Detection ----
+
+function _detectIssues(input, opts) {
+  var issues = [];
+  if (typeof input !== "string") {
+    return [{ kind: "bad-input", severity: "high",
+              ruleId: "time.bad-input",
+              snippet: "time is not a string" }];
+  }
+  if (input.length === 0) {
+    return [{ kind: "empty", severity: "high",
+              ruleId: "time.empty",
+              snippet: "time is empty" }];
+  }
+  if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
+    return [{ kind: "time-cap", severity: "high",
+              ruleId: "time.time-cap",
+              snippet: "time input exceeds maxBytes " + opts.maxBytes }];
+  }
+
+  var charThreats = codepointClass.detectCharThreats(input, opts, "time");
+  for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
+
+  // Date-only / time-only quick checks BEFORE the full RFC 3339 regex
+  // so the operator gets a more actionable diagnosis.
+  if (/^\d{4}-\d{2}-\d{2}$/.test(input)) {                                       // allow:regex-no-length-cap — input bounded by maxBytes; allow:duplicate-regex — same RFC 3339 full-date shape used by safe-json + safe-schema; not consolidatable across module boundaries
+    if (opts.dateOnlyPolicy !== "allow") {
+      issues.push({
+        kind: "date-only",
+        severity: opts.dateOnlyPolicy === "reject" ? "high" : "warn",
+        ruleId: "time.date-only",
+        snippet: "input is RFC 3339 full-date only — full datetime " +
+                 "(date + time + offset) required",
+      });
+      return issues;
+    }
+  }
+  if (/^\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$/.test(input)) {           // allow:regex-no-length-cap — input bounded by maxBytes
+    if (opts.timeOnlyPolicy !== "allow") {
+      issues.push({
+        kind: "time-only",
+        severity: opts.timeOnlyPolicy === "reject" ? "high" : "warn",
+        ruleId: "time.time-only",
+        snippet: "input is RFC 3339 partial-time only — full datetime " +
+                 "(date + time + offset) required",
+      });
+      return issues;
+    }
+  }
+
+  var match = input.match(RFC3339_RE);                                           // allow:regex-no-length-cap — input bounded by maxBytes
+  if (!match) {
+    issues.push({
+      kind: "datetime-shape", severity: "high",
+      ruleId: "time.datetime-shape",
+      snippet: "input does not match RFC 3339 §5.6 date-time grammar",
+    });
+    return issues;
+  }
+
+  var year = parseInt(match[1], 10);                                             // allow:raw-byte-literal — base-10 radix
+  var month = parseInt(match[2], 10);                                            // allow:raw-byte-literal — base-10 radix
+  var day = parseInt(match[3], 10);                                              // allow:raw-byte-literal — base-10 radix
+  var hour = parseInt(match[4], 10);                                             // allow:raw-byte-literal — base-10 radix
+  var minute = parseInt(match[5], 10);                                           // allow:raw-byte-literal — base-10 radix
+  var second = parseInt(match[6], 10);                                           // allow:raw-byte-literal — base-10 radix
+  var fractional = match[7] || "";
+  var offset = match[8];
+
+  // Year window.
+  if (year < opts.minYear || year > opts.maxYear) {
+    issues.push({
+      kind: "year-window", severity: "high",
+      ruleId: "time.year-window",
+      snippet: "year " + year + " outside operator window [" +
+               opts.minYear + ", " + opts.maxYear + "]",
+    });
+  }
+
+  // Month / day / hour / minute structural ranges.
+  if (month < 1 || month > 12) {                                                 // allow:raw-byte-literal — month range
+    issues.push({
+      kind: "month-range", severity: "high",
+      ruleId: "time.month-range",
+      snippet: "month " + month + " outside [1, 12]",
+    });
+  }
+  if (day < 1 || day > 31) {                                                     // allow:raw-byte-literal — day-of-month upper bound
+    issues.push({
+      kind: "day-range", severity: "high",
+      ruleId: "time.day-range",
+      snippet: "day " + day + " outside [1, 31]",
+    });
+  }
+  if (hour > 23) {                                                               // allow:raw-byte-literal — hour ceiling
+    issues.push({
+      kind: "hour-range", severity: "high",
+      ruleId: "time.hour-range",
+      snippet: "hour " + hour + " > 23",
+    });
+  }
+  if (minute > 59) {                                                             // allow:raw-byte-literal — minute ceiling
+    issues.push({
+      kind: "minute-range", severity: "high",
+      ruleId: "time.minute-range",
+      snippet: "minute " + minute + " > 59",
+    });
+  }
+  if (second > 60) {                                                             // allow:raw-time-literal — leap-second ceiling, RFC 3339 §5.6 (not seconds-of-time)
+    issues.push({
+      kind: "second-range", severity: "high",
+      ruleId: "time.second-range",
+      snippet: "second " + second + " > 60 (RFC 3339 §5.6 ceiling " +
+               "including leap)",
+    });
+  }
+
+  // Leap-second flag.
+  if (second === 60 && opts.leapSecondPolicy !== "allow") {                      // allow:raw-time-literal — leap-second sentinel, RFC 3339 §5.6
+    issues.push({
+      kind: "leap-second",
+      severity: opts.leapSecondPolicy === "reject" ? "high" : "warn",
+      ruleId: "time.leap-second",
+      snippet: "second field is 60 (leap second; RFC 3339 §5.6 valid " +
+               "but most parsers panic)",
+    });
+  }
+
+  // Day-in-month structural sanity (light — not full Gregorian
+  // rollover; the framework refuses obviously-out-of-bounds dates
+  // like Feb 30 / Apr 31).
+  var daysInMonth = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];            // allow:raw-byte-literal — Gregorian month-day table
+  if (month >= 1 && month <= 12 && day > daysInMonth[month - 1]) {               // allow:raw-byte-literal — month range
+    issues.push({
+      kind: "day-in-month", severity: "high",
+      ruleId: "time.day-in-month",
+      snippet: "day " + day + " not valid in month " + month,
+    });
+  }
+
+  // Fractional digits cap.
+  var fracLen = fractional.length > 0 ? fractional.length - 1 : 0;
+  if (fracLen > opts.maxFractionalDigits &&
+      opts.fractionalDigitsPolicy !== "allow") {
+    issues.push({
+      kind: "fractional-digits",
+      severity: opts.fractionalDigitsPolicy === "reject" ? "high" : "warn",
+      ruleId: "time.fractional-digits",
+      snippet: "fractional precision " + fracLen + " exceeds " +
+               opts.maxFractionalDigits + " digits — downstream " +
+               "consumers may truncate or reject",
+    });
+  }
+
+  // Naive datetime (no offset).
+  if (!offset) {
+    if (opts.naiveDatetimePolicy !== "allow") {
+      issues.push({
+        kind: "naive-datetime",
+        severity: opts.naiveDatetimePolicy === "reject" ? "high" : "warn",
+        ruleId: "time.naive-datetime",
+        snippet: "datetime has no offset (`Z` or `+HH:MM`) — naive " +
+                 "datetimes break cross-region equality",
+      });
+    }
+  } else {
+    // Non-UTC offset.
+    var isUtc = offset === "Z" || offset === "z" ||
+                offset === "+00:00" || offset === "-00:00";
+    if (!isUtc && opts.nonUtcOffsetPolicy !== "allow") {
+      issues.push({
+        kind: "non-utc-offset",
+        severity: opts.nonUtcOffsetPolicy === "reject" ? "high" : "warn",
+        ruleId: "time.non-utc-offset",
+        snippet: "datetime offset `" + offset + "` is not UTC — " +
+                 "strict requires `Z` or `+00:00` for unambiguous " +
+                 "cross-system comparison",
+      });
+    }
+  }
+
+  return issues;
+}
+
+function validate(input, opts) {
+  opts = _resolveOpts(opts);
+  numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
+    ["maxBytes", "minYear", "maxYear", "maxFractionalDigits"],
+    "guardTime.validate", GuardTimeError, "time.bad-opt");
+  if (typeof input !== "string") {
+    return {
+      ok: false,
+      issues: [{ kind: "bad-input", severity: "high",
+                 ruleId: "time.bad-input",
+                 snippet: "time is not a string" }],
+    };
+  }
+  return gateContract.aggregateIssues(_detectIssues(input, opts));
+}
+
+function sanitize(input, opts) {
+  opts = _resolveOpts(opts);
+  if (typeof input !== "string") {
+    throw _err("time.bad-input", "sanitize requires string input");
+  }
+  var issues = _detectIssues(input, opts);
+  for (var i = 0; i < issues.length; i += 1) {
+    if (issues[i].severity === "critical" || issues[i].severity === "high") {
+      throw _err(issues[i].ruleId || "time.refused",
+        "guardTime.sanitize: " + issues[i].snippet);
+    }
+  }
+  // Normalize: lowercase the trailing `T` separator, uppercase the
+  // `Z` UTC marker.
+  return input.replace(/(\d) /, "$1T").replace(/z$/, "Z");
+}
+
+function gate(opts) {
+  opts = _resolveOpts(opts);
+  return gateContract.buildGuardGate(
+    opts.name || "guardTime:" + (opts.profile || "default"),
+    opts,
+    async function (ctx) {
+      var identifier = ctx && (ctx.identifier || ctx.timestamp || ctx.time || "");
+      if (!identifier) return { ok: true, action: "serve" };
+      var rv = validate(identifier, opts);
+      if (rv.issues.length === 0) return { ok: true, action: "serve" };
+      var hasCritical = rv.issues.some(function (i) {
+        return i.severity === "critical";
+      });
+      var hasHigh = rv.issues.some(function (i) {
+        return i.severity === "high";
+      });
+      if (!hasCritical && !hasHigh) {
+        return { ok: true, action: "audit-only", issues: rv.issues };
+      }
+      return { ok: false, action: "refuse", issues: rv.issues };
+    });
+}
+
+var buildProfile = gateContract.makeProfileBuilder(PROFILES);
+
+function compliancePosture(name) {
+  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
+    _err, "time");
+}
+
+var _timeRulePacks = gateContract.makeRulePackLoader(GuardTimeError, "time");
+var loadRulePack = _timeRulePacks.load;
+
+module.exports = {
+  // ---- guard-* family registry exports ----
+  NAME:                "time",
+  KIND:                "identifier",
+  INTEGRATION_FIXTURES: Object.freeze({
+    kind:              "identifier",
+    benignBytes:       Buffer.from("2026-05-05T12:34:56Z", "utf8"),
+    hostileBytes:      Buffer.from("2026-05-05 12:34:56", "utf8"),
+    benignIdentifier:  "2026-05-05T12:34:56Z",
+    // Hostile: naive datetime (space separator + no offset) — refused
+    // at strict (cross-region ambiguity class).
+    hostileIdentifier: "2026-05-05 12:34:56",
+  }),
+  // ---- primitive surface ----
+  validate:            validate,
+  sanitize:            sanitize,
+  gate:                gate,
+  buildProfile:        buildProfile,
+  compliancePosture:   compliancePosture,
+  loadRulePack:        loadRulePack,
+  PROFILES:            PROFILES,
+  DEFAULTS:            DEFAULTS,
+  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
+  GuardTimeError:      GuardTimeError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.45",
+  "version": "0.7.47",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:94d573bc-862b-4efb-98b3-c7a31895edf2",
+  "serialNumber": "urn:uuid:49f1481c-f876-4567-878c-2f709b99fd4f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-05T21:17:15.705Z",
+    "timestamp": "2026-05-05T21:48:20.338Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.45",
+      "bom-ref": "@blamejs/core@0.7.47",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.45",
+      "version": "0.7.47",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.45",
+      "purl": "pkg:npm/%40blamejs/core@0.7.47",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.45",
+      "ref": "@blamejs/core@0.7.47",
       "dependsOn": []
     }
   ]