@blamejs/core 0.7.52 → 0.7.61

package/lib/guard-shell.js

@@ -0,0 +1,319 @@
+"use strict";
+/**
+ * guard-shell — Shell metacharacter identifier-safety primitive
+ * (b.guardShell).
+ *
+ * Validates user-input strings BEFORE they're handed to a
+ * child-process spawn (regardless of operator's `shell:` opt). The
+ * canonical defense is "use array args + shell:false", but operators
+ * still receive operator-untrusted strings that flow through path-
+ * arg or arg-list shapes — guardShell refuses obvious shell-injection
+ * shapes before the spawn call. KIND="identifier" — consumes
+ * ctx.identifier (or ctx.arg).
+ *
+ * Threat catalog:
+ *   - POSIX shell metacharacters — `;`, `&`, `|`, `<`, `>`, `(`, `)`,
+ *     `{`, `}`, `[`, `]`, `*`, `?`, `~`, `!`, `#`, `\`, single + double
+ *     quotes.
+ *   - Backtick command substitution.
+ *   - `$(...)` command substitution and `${VAR}` parameter expansion.
+ *   - Process substitution `<(...)` / `>(...)`.
+ *   - cmd.exe metacharacters — `&`, `|`, `<`, `>`, `^`, `%`, `"`, `'`,
+ *     `(`, `)`, `,`, `;`, `=`, ` `, tabs, newlines.
+ *   - Newline / NUL injection (line splitting in scripts).
+ *   - Variable expansion `$VAR`.
+ *   - Operator may opt-in to `argHyphenPolicy` to refuse leading `-`
+ *     arguments (defense against `-rf` / `--exec` / etc.).
+ *   - BIDI / zero-width / control / null-byte universal refuse.
+ *
+ *   var rv = b.guardShell.validate("file with spaces.txt",
+ *                                  { profile: "strict" });
+ *   var g  = b.guardShell.gate({ profile: "strict" });
+ */
+
+var codepointClass = require("./codepoint-class");
+var lazyRequire = require("./lazy-require");
+var gateContract = require("./gate-contract");
+var C = require("./constants");
+var numericBounds = require("./numeric-bounds");
+var { GuardShellError } = require("./framework-error");
+
+var observability = lazyRequire(function () { return require("./observability"); });
+void observability;
+
+var _err = GuardShellError.factory;
+
+// POSIX shell metachars (excluding whitespace which is per-policy).
+var POSIX_META_RE = /[;&|<>$`\\()[\]{}*?~!#'"]/;
+
+// cmd.exe metachars.
+var CMD_META_RE = /[&|<>^%"',;=]/;
+
+// $(...) and ${...} command/param substitution.
+var DOLLAR_PAREN_RE = /\$\(/;
+var DOLLAR_BRACE_RE = /\$\{/;
+
+// $VAR parameter expansion (bare).
+var DOLLAR_VAR_RE = /\$[A-Za-z_][A-Za-z0-9_]*/;
+
+// Process substitution.
+var PROCESS_SUBST_RE = /[<>]\(/;
+
+// Newline (any).
+var NEWLINE_RE = /[\r\n]/;
+
+// ---- Profile presets ----
+
+var PROFILES = Object.freeze({
+  "strict": {
+    bidiPolicy:           "reject",
+    controlPolicy:         "reject",
+    nullBytePolicy:        "reject",
+    zeroWidthPolicy:       "reject",
+    posixMetaPolicy:       "reject",
+    cmdMetaPolicy:         "reject",
+    dollarSubstPolicy:     "reject",
+    processSubstPolicy:    "reject",
+    backtickPolicy:        "reject",
+    newlinePolicy:         "reject",
+    argHyphenPolicy:       "reject",
+    maxBytes:              C.BYTES.kib(2),
+    maxRuntimeMs:          C.TIME.seconds(2),
+  },
+  "balanced": {
+    bidiPolicy:           "reject",
+    controlPolicy:         "reject",
+    nullBytePolicy:        "reject",
+    zeroWidthPolicy:       "reject",
+    posixMetaPolicy:       "audit",
+    cmdMetaPolicy:         "audit",
+    dollarSubstPolicy:     "reject",
+    processSubstPolicy:    "reject",
+    backtickPolicy:        "reject",
+    newlinePolicy:         "reject",
+    argHyphenPolicy:       "audit",
+    maxBytes:              C.BYTES.kib(2),
+    maxRuntimeMs:          C.TIME.seconds(2),
+  },
+  "permissive": {
+    bidiPolicy:           "reject",                                              // BIDI refused at every profile
+    controlPolicy:         "reject",                                              // controls refused at every profile
+    nullBytePolicy:        "reject",                                              // null refused at every profile
+    zeroWidthPolicy:       "reject",                                              // zero-width refused at every profile
+    posixMetaPolicy:       "audit",
+    cmdMetaPolicy:         "audit",
+    dollarSubstPolicy:     "reject",                                              // command substitution refused at every profile
+    processSubstPolicy:    "reject",                                              // process substitution refused at every profile
+    backtickPolicy:        "reject",                                              // backtick substitution refused at every profile
+    newlinePolicy:         "reject",                                              // newline refused at every profile
+    argHyphenPolicy:       "allow",
+    maxBytes:              C.BYTES.kib(8),
+    maxRuntimeMs:          C.TIME.seconds(2),
+  },
+});
+
+var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
+  mode: "enforce",
+}));
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  "hipaa":   Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(256),
+  }),
+  "pci-dss": Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(256),
+  }),
+  "gdpr":    Object.assign({}, PROFILES["balanced"], {
+    forensicSnippetBytes: C.BYTES.bytes(128),
+  }),
+  "soc2":    Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(512),
+  }),
+});
+
+function _resolveOpts(opts) {
+  return gateContract.resolveProfileAndPosture(opts, {
+    profiles:           PROFILES,
+    compliancePostures: COMPLIANCE_POSTURES,
+    defaults:           DEFAULTS,
+    errorClass:         GuardShellError,
+    errCodePrefix:      "shell",
+  });
+}
+
+function _detectIssues(input, opts) {
+  var issues = [];
+  if (typeof input !== "string") {
+    return [{ kind: "bad-input", severity: "high",
+              ruleId: "shell.bad-input",
+              snippet: "shell arg is not a string" }];
+  }
+  if (input.length === 0) {
+    // Empty arg is not necessarily a threat (legit blank args exist).
+    return [];
+  }
+  if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
+    return [{ kind: "shell-cap", severity: "high",
+              ruleId: "shell.shell-cap",
+              snippet: "shell arg exceeds maxBytes " + opts.maxBytes }];
+  }
+
+  var charThreats = codepointClass.detectCharThreats(input, opts, "shell");
+  for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
+
+  // $(...) / ${...} / backtick — universal refuse.
+  if (opts.dollarSubstPolicy !== "allow" &&
+      (DOLLAR_PAREN_RE.test(input) || DOLLAR_BRACE_RE.test(input))) {            // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "dollar-substitution", severity: "critical",
+      ruleId: "shell.dollar-substitution",
+      snippet: "argument contains `$(` or `${` — POSIX shell command / " +
+               "parameter substitution",
+    });
+  }
+  if (opts.backtickPolicy !== "allow" && input.indexOf("`") !== -1) {
+    issues.push({
+      kind: "backtick", severity: "critical",
+      ruleId: "shell.backtick",
+      snippet: "argument contains backtick — POSIX shell command " +
+               "substitution",
+    });
+  }
+  if (opts.processSubstPolicy !== "allow" && PROCESS_SUBST_RE.test(input)) {     // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "process-substitution", severity: "critical",
+      ruleId: "shell.process-substitution",
+      snippet: "argument contains `<(` or `>(` — Bash process " +
+               "substitution",
+    });
+  }
+  if (opts.dollarSubstPolicy !== "allow" && DOLLAR_VAR_RE.test(input)) {         // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "dollar-var",
+      severity: opts.dollarSubstPolicy === "reject" ? "high" : "warn",
+      ruleId: "shell.dollar-var",
+      snippet: "argument contains `$VAR` parameter expansion",
+    });
+  }
+  if (opts.newlinePolicy !== "allow" && NEWLINE_RE.test(input)) {                // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "newline", severity: "high",
+      ruleId: "shell.newline",
+      snippet: "argument contains CR / LF — line-splitting in shell " +
+               "scripts",
+    });
+  }
+  if (opts.posixMetaPolicy !== "allow" && POSIX_META_RE.test(input)) {           // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "posix-metachar",
+      severity: opts.posixMetaPolicy === "reject" ? "high" : "warn",
+      ruleId: "shell.posix-metachar",
+      snippet: "argument contains POSIX shell metacharacter " +
+               "(`;|&<>()[]{}*?~!#`'\"\\`)",
+    });
+  }
+  if (opts.cmdMetaPolicy !== "allow" && CMD_META_RE.test(input)) {               // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "cmd-metachar",
+      severity: opts.cmdMetaPolicy === "reject" ? "high" : "warn",
+      ruleId: "shell.cmd-metachar",
+      snippet: "argument contains cmd.exe metacharacter " +
+               "(`&|<>^%\"',;=`)",
+    });
+  }
+  if (opts.argHyphenPolicy !== "allow" && input.charAt(0) === "-") {
+    issues.push({
+      kind: "arg-hyphen-leading",
+      severity: opts.argHyphenPolicy === "reject" ? "high" : "warn",
+      ruleId: "shell.arg-hyphen-leading",
+      snippet: "argument begins with `-` — would be parsed as an " +
+               "option flag by the target binary (`-rf` / `--exec` " +
+               "class)",
+    });
+  }
+
+  return issues;
+}
+
+function validate(input, opts) {
+  opts = _resolveOpts(opts);
+  numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
+    ["maxBytes"],
+    "guardShell.validate", GuardShellError, "shell.bad-opt");
+  return gateContract.aggregateIssues(_detectIssues(input, opts));
+}
+
+function sanitize(input, opts) {
+  opts = _resolveOpts(opts);
+  if (typeof input !== "string") {
+    throw _err("shell.bad-input", "sanitize requires string input");
+  }
+  // Shell args can't be repaired — sanitize either passes through
+  // valid input or throws.
+  var issues = _detectIssues(input, opts);
+  for (var i = 0; i < issues.length; i += 1) {
+    if (issues[i].severity === "critical" || issues[i].severity === "high") {
+      throw _err(issues[i].ruleId || "shell.refused",
+        "guardShell.sanitize: " + issues[i].snippet);
+    }
+  }
+  return input;
+}
+
+function gate(opts) {
+  opts = _resolveOpts(opts);
+  return gateContract.buildGuardGate(
+    opts.name || "guardShell:" + (opts.profile || "default"),
+    opts,
+    async function (ctx) {
+      var arg = ctx && (ctx.identifier || ctx.arg);
+      if (arg === undefined || arg === null) return { ok: true, action: "serve" };
+      var rv = validate(arg, opts);
+      if (rv.issues.length === 0) return { ok: true, action: "serve" };
+      var hasCritical = rv.issues.some(function (i) {
+        return i.severity === "critical";
+      });
+      var hasHigh = rv.issues.some(function (i) {
+        return i.severity === "high";
+      });
+      if (!hasCritical && !hasHigh) {
+        return { ok: true, action: "audit-only", issues: rv.issues };
+      }
+      return { ok: false, action: "refuse", issues: rv.issues };
+    });
+}
+
+var buildProfile = gateContract.makeProfileBuilder(PROFILES);
+
+function compliancePosture(name) {
+  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
+    _err, "shell");
+}
+
+var _shellRulePacks = gateContract.makeRulePackLoader(GuardShellError, "shell");
+var loadRulePack = _shellRulePacks.load;
+
+module.exports = {
+  // ---- guard-* family registry exports ----
+  NAME:                "shell",
+  KIND:                "identifier",
+  INTEGRATION_FIXTURES: Object.freeze({
+    kind:              "identifier",
+    benignBytes:       Buffer.from("safe-arg-value", "utf8"),
+    hostileBytes:      Buffer.from("safe; rm -rf /", "utf8"),
+    benignIdentifier:  "safe-arg-value",
+    // Hostile: command-injection via metacharacter chain.
+    hostileIdentifier: "safe; rm -rf /",
+  }),
+  // ---- primitive surface ----
+  validate:            validate,
+  sanitize:            sanitize,
+  gate:                gate,
+  buildProfile:        buildProfile,
+  compliancePosture:   compliancePosture,
+  loadRulePack:        loadRulePack,
+  PROFILES:            PROFILES,
+  DEFAULTS:            DEFAULTS,
+  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
+  GuardShellError:     GuardShellError,
+};

package/lib/guard-template.js

@@ -0,0 +1,279 @@
+"use strict";
+/**
+ * guard-template — Template-injection identifier-safety primitive
+ * (b.guardTemplate).
+ *
+ * Detects Server-Side Template Injection (SSTI) shapes in user-input
+ * strings before they're rendered through any template engine. Refused
+ * by default at every profile — operator-untrusted input rarely
+ * legitimately contains template-engine syntax. KIND="identifier" —
+ * consumes ctx.identifier (or ctx.text).
+ *
+ * Threat catalog (engine-shape detection):
+ *   - Jinja2 / Django / Twig / Liquid — `{{...}}` and `{%...%}`.
+ *     Recent CVEs: CVE-2024-22195 (Jinja xml_attr filter),
+ *     CVE-2024-26139 (Bottle), CVE-2024-23348 (Pyrogram).
+ *   - Handlebars — `{{...}}` (same shape as Jinja; flagged together).
+ *   - ERB / Tornado — `<%...%>` and `<%=...%>`.
+ *   - Pug — `#{...}` interpolation, `!{...}` raw-HTML interpolation.
+ *   - Mako / Velocity / Tornado — `${...}` interpolation.
+ *   - Velocity directive — `#set(...)`, `#if(...)`, `#foreach(...)`.
+ *   - AngularJS — `{{...}}` (covered by Jinja shape; legacy).
+ *   - BIDI / null / control / zero-width universal refuse.
+ *
+ *   var rv = b.guardTemplate.validate("Hello {{ name }}",
+ *                                     { profile: "strict" });
+ *   var g  = b.guardTemplate.gate({ profile: "strict" });
+ */
+
+var codepointClass = require("./codepoint-class");
+var lazyRequire = require("./lazy-require");
+var gateContract = require("./gate-contract");
+var C = require("./constants");
+var numericBounds = require("./numeric-bounds");
+var { GuardTemplateError } = require("./framework-error");
+
+var observability = lazyRequire(function () { return require("./observability"); });
+void observability;
+
+var _err = GuardTemplateError.factory;
+
+// Engine-shape detectors.
+var JINJA_EXPR_RE   = /\{\{[\s\S]*?\}\}/;
+var JINJA_STMT_RE   = /\{%[\s\S]*?%\}/;
+var ERB_EXPR_RE     = /<%[\s\S]*?%>/;
+var PUG_INTERP_RE   = /[#!]\{[\s\S]*?\}/;
+var DOLLAR_BRACE_RE = /\$\{[\s\S]*?\}/;
+var VELOCITY_DIR_RE = /#(?:set|if|else|elseif|end|foreach|parse|include|stop)\b/i;
+
+// ---- Profile presets ----
+
+var PROFILES = Object.freeze({
+  "strict": {
+    bidiPolicy:               "reject",
+    controlPolicy:             "reject",
+    nullBytePolicy:            "reject",
+    zeroWidthPolicy:           "reject",
+    jinjaPolicy:               "reject",
+    erbPolicy:                 "reject",
+    pugPolicy:                 "reject",
+    dollarBracePolicy:         "reject",
+    velocityDirectivePolicy:   "reject",
+    maxBytes:                  C.BYTES.kib(64),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+  "balanced": {
+    bidiPolicy:               "reject",
+    controlPolicy:             "reject",
+    nullBytePolicy:            "reject",
+    zeroWidthPolicy:           "reject",
+    jinjaPolicy:               "reject",                                          // SSTI class — refused at every profile
+    erbPolicy:                 "reject",
+    pugPolicy:                 "reject",
+    dollarBracePolicy:         "audit",                                           // ${...} can also be JS template literal — audit
+    velocityDirectivePolicy:   "reject",
+    maxBytes:                  C.BYTES.kib(128),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+  "permissive": {
+    bidiPolicy:               "reject",                                          // BIDI refused at every profile
+    controlPolicy:             "reject",                                          // controls refused at every profile
+    nullBytePolicy:            "reject",                                          // null refused at every profile
+    zeroWidthPolicy:           "reject",                                          // zero-width refused at every profile
+    jinjaPolicy:               "reject",                                          // SSTI class refused at every profile
+    erbPolicy:                 "reject",                                          // SSTI class refused at every profile
+    pugPolicy:                 "reject",                                          // SSTI class refused at every profile
+    dollarBracePolicy:         "audit",
+    velocityDirectivePolicy:   "audit",
+    maxBytes:                  C.BYTES.kib(512),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+});
+
+var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
+  mode: "enforce",
+}));
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  "hipaa":   Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(512),
+  }),
+  "pci-dss": Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(512),
+  }),
+  "gdpr":    Object.assign({}, PROFILES["balanced"], {
+    forensicSnippetBytes: C.BYTES.bytes(256),
+  }),
+  "soc2":    Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(1024),
+  }),
+});
+
+function _resolveOpts(opts) {
+  return gateContract.resolveProfileAndPosture(opts, {
+    profiles:           PROFILES,
+    compliancePostures: COMPLIANCE_POSTURES,
+    defaults:           DEFAULTS,
+    errorClass:         GuardTemplateError,
+    errCodePrefix:      "template",
+  });
+}
+
+function _detectIssues(input, opts) {
+  var issues = [];
+  if (typeof input !== "string") {
+    return [{ kind: "bad-input", severity: "high",
+              ruleId: "template.bad-input",
+              snippet: "template input is not a string" }];
+  }
+  if (input.length === 0) return [];
+  if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
+    return [{ kind: "input-cap", severity: "high",
+              ruleId: "template.input-cap",
+              snippet: "template input exceeds maxBytes " + opts.maxBytes }];
+  }
+
+  var charThreats = codepointClass.detectCharThreats(input, opts, "template");
+  for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
+
+  if (opts.jinjaPolicy !== "allow") {
+    if (JINJA_EXPR_RE.test(input)) {                                             // allow:regex-no-length-cap — input bounded by maxBytes
+      issues.push({
+        kind: "jinja-expression", severity: "high",
+        ruleId: "template.jinja-expression",
+        snippet: "input contains `{{...}}` template-engine expression " +
+                 "syntax — Jinja / Django / Twig / Liquid / Handlebars / " +
+                 "AngularJS SSTI shape (CVE-2024-22195 / 26139 / 23348 " +
+                 "class)",
+      });
+    }
+    if (JINJA_STMT_RE.test(input)) {                                             // allow:regex-no-length-cap — input bounded by maxBytes
+      issues.push({
+        kind: "jinja-statement", severity: "high",
+        ruleId: "template.jinja-statement",
+        snippet: "input contains `{%...%}` template-engine statement " +
+                 "syntax — SSTI shape",
+      });
+    }
+  }
+  if (opts.erbPolicy !== "allow" && ERB_EXPR_RE.test(input)) {                   // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "erb-expression", severity: "high",
+      ruleId: "template.erb-expression",
+      snippet: "input contains `<%...%>` template-engine expression " +
+               "syntax — ERB / Tornado SSTI shape",
+    });
+  }
+  if (opts.pugPolicy !== "allow" && PUG_INTERP_RE.test(input)) {                 // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "pug-interpolation", severity: "high",
+      ruleId: "template.pug-interpolation",
+      snippet: "input contains `#{...}` or `!{...}` template-engine " +
+               "interpolation — Pug SSTI shape",
+    });
+  }
+  if (opts.dollarBracePolicy !== "allow" && DOLLAR_BRACE_RE.test(input)) {       // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "dollar-brace",
+      severity: opts.dollarBracePolicy === "reject" ? "high" : "warn",
+      ruleId: "template.dollar-brace",
+      snippet: "input contains `${...}` interpolation — Mako / " +
+               "Velocity / Tornado / JS template-literal SSTI shape",
+    });
+  }
+  if (opts.velocityDirectivePolicy !== "allow" &&
+      VELOCITY_DIR_RE.test(input)) {                                             // allow:regex-no-length-cap — input bounded by maxBytes
+    issues.push({
+      kind: "velocity-directive",
+      severity: opts.velocityDirectivePolicy === "reject" ? "high" : "warn",
+      ruleId: "template.velocity-directive",
+      snippet: "input contains Velocity directive (`#set` / `#if` / " +
+               "`#foreach` / etc.) — SSTI shape",
+    });
+  }
+
+  return issues;
+}
+
+function validate(input, opts) {
+  opts = _resolveOpts(opts);
+  numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
+    ["maxBytes"],
+    "guardTemplate.validate", GuardTemplateError, "template.bad-opt");
+  return gateContract.aggregateIssues(_detectIssues(input, opts));
+}
+
+function sanitize(input, opts) {
+  opts = _resolveOpts(opts);
+  if (typeof input !== "string") {
+    throw _err("template.bad-input", "sanitize requires string input");
+  }
+  var issues = _detectIssues(input, opts);
+  for (var i = 0; i < issues.length; i += 1) {
+    if (issues[i].severity === "critical" || issues[i].severity === "high") {
+      throw _err(issues[i].ruleId || "template.refused",
+        "guardTemplate.sanitize: " + issues[i].snippet);
+    }
+  }
+  return input;
+}
+
+function gate(opts) {
+  opts = _resolveOpts(opts);
+  return gateContract.buildGuardGate(
+    opts.name || "guardTemplate:" + (opts.profile || "default"),
+    opts,
+    async function (ctx) {
+      var text = ctx && (ctx.identifier || ctx.text);
+      if (text === undefined || text === null) {
+        return { ok: true, action: "serve" };
+      }
+      var rv = validate(text, opts);
+      if (rv.issues.length === 0) return { ok: true, action: "serve" };
+      var hasCritical = rv.issues.some(function (i) {
+        return i.severity === "critical";
+      });
+      var hasHigh = rv.issues.some(function (i) {
+        return i.severity === "high";
+      });
+      if (!hasCritical && !hasHigh) {
+        return { ok: true, action: "audit-only", issues: rv.issues };
+      }
+      return { ok: false, action: "refuse", issues: rv.issues };
+    });
+}
+
+var buildProfile = gateContract.makeProfileBuilder(PROFILES);
+
+function compliancePosture(name) {
+  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
+    _err, "template");
+}
+
+var _tplRulePacks = gateContract.makeRulePackLoader(GuardTemplateError, "template");
+var loadRulePack = _tplRulePacks.load;
+
+module.exports = {
+  // ---- guard-* family registry exports ----
+  NAME:                "template",
+  KIND:                "identifier",
+  INTEGRATION_FIXTURES: Object.freeze({
+    kind:              "identifier",
+    benignBytes:       Buffer.from("Hello world", "utf8"),
+    hostileBytes:      Buffer.from("Hello {{7*7}}", "utf8"),
+    benignIdentifier:  "Hello world",
+    // Hostile: Jinja-shape SSTI probe.
+    hostileIdentifier: "Hello {{7*7}}",
+  }),
+  // ---- primitive surface ----
+  validate:             validate,
+  sanitize:             sanitize,
+  gate:                 gate,
+  buildProfile:         buildProfile,
+  compliancePosture:    compliancePosture,
+  loadRulePack:         loadRulePack,
+  PROFILES:             PROFILES,
+  DEFAULTS:             DEFAULTS,
+  COMPLIANCE_POSTURES:  COMPLIANCE_POSTURES,
+  GuardTemplateError:   GuardTemplateError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.52",
+  "version": "0.7.61",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:5f6f1fab-e230-4b2c-ad06-d5b9143d8fe2",
+  "serialNumber": "urn:uuid:a193a2a6-fe98-4457-b5e9-e5ffa6a1d0ab",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-05T22:47:38.526Z",
+    "timestamp": "2026-05-06T00:18:55.633Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.52",
+      "bom-ref": "@blamejs/core@0.7.61",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.52",
+      "version": "0.7.61",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.52",
+      "purl": "pkg:npm/%40blamejs/core@0.7.61",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.52",
+      "ref": "@blamejs/core@0.7.61",
       "dependsOn": []
     }
   ]