@blamejs/core 0.8.43 → 0.8.49

package/lib/guard-shell.js

@@ -1,34 +1,44 @@
 "use strict";
 /**
- * guard-shell — Shell metacharacter identifier-safety primitive
- * (b.guardShell).
+ * @module b.guardShell
+ * @nav    Guards
+ * @title  Guard Shell
  *
- * Validates user-input strings BEFORE they're handed to a
- * child-process spawn (regardless of operator's `shell:` opt). The
- * canonical defense is "use array args + shell:false", but operators
- * still receive operator-untrusted strings that flow through path-
- * arg or arg-list shapes — guardShell refuses obvious shell-injection
- * shapes before the spawn call. KIND="identifier" — consumes
- * ctx.identifier (or ctx.arg).
+ * @intro
+ *   Shell-argument content-safety guard — refuses user-supplied
+ *   strings that carry shell-injection shapes BEFORE they reach a
+ *   child-process spawn. The canonical defense is "command + literal
+ *   argv array, never `shell: true`" (route through `b.processSpawn`,
+ *   which holds that contract); guardShell layers the metacharacter
+ *   catalog on top so even operator-untrusted strings flowing through
+ *   the argv slots are screened. KIND=`identifier`; the gate consumes
+ *   `ctx.identifier` (or `ctx.arg`) and refuses on hostile shapes.
  *
- * Threat catalog:
- *   - POSIX shell metacharacters — `;`, `&`, `|`, `<`, `>`, `(`, `)`,
- *     `{`, `}`, `[`, `]`, `*`, `?`, `~`, `!`, `#`, `\`, single + double
- *     quotes.
- *   - Backtick command substitution.
- *   - `$(...)` command substitution and `${VAR}` parameter expansion.
- *   - Process substitution `<(...)` / `>(...)`.
- *   - cmd.exe metacharacters — `&`, `|`, `<`, `>`, `^`, `%`, `"`, `'`,
- *     `(`, `)`, `,`, `;`, `=`, ` `, tabs, newlines.
- *   - Newline / NUL injection (line splitting in scripts).
- *   - Variable expansion `$VAR`.
- *   - Operator may opt-in to `argHyphenPolicy` to refuse leading `-`
- *     arguments (defense against `-rf` / `--exec` / etc.).
- *   - BIDI / zero-width / control / null-byte universal refuse.
+ *   Threat catalog: POSIX shell metacharacters
+ *   (`;` `&` `|` `<` `>` `(` `)` `{` `}` `[` `]` `*` `?` `~` `!` `#`
+ *   `\` and single/double quotes); backtick command substitution;
+ *   `$(...)` command substitution and `${VAR}` parameter expansion;
+ *   process substitution `<(...)` / `>(...)`; cmd.exe metacharacters
+ *   (`&` `|` `<` `>` `^` `%` `"` `'` `(` `)` `,` `;` `=` plus
+ *   whitespace + newlines); CR / LF / NUL line-splitting; bare
+ *   `$VAR` parameter expansion; leading `-` arguments (`-rf` /
+ *   `--exec` flag-injection class) gated by `argHyphenPolicy`; BIDI
+ *   override / zero-width / C0 control / null-byte refuse at every
+ *   profile.
  *
- *   var rv = b.guardShell.validate("file with spaces.txt",
- *                                  { profile: "strict" });
- *   var g  = b.guardShell.gate({ profile: "strict" });
+ *   Profiles: `strict` / `balanced` / `permissive`. Compliance
+ *   postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
+ *   via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
+ *   postures overlay on top of the profile baseline.
+ *
+ *   Shell args cannot be repaired safely — `sanitize` either passes
+ *   through clean input or throws `GuardShellError`; the gate returns
+ *   `serve` / `audit-only` / `refuse` (no `sanitize` action). Pair
+ *   with `b.processSpawn` so the eventual `child_process.spawn` call
+ *   uses `shell: false` and the screened argv values.
+ *
+ * @card
+ *   Shell-argument content-safety guard — refuses user-supplied strings that carry shell-injection shapes BEFORE they reach a child-process spawn.
  */
 
 var codepointClass = require("./codepoint-class");
@@ -235,6 +245,46 @@ function _detectIssues(input, opts) {
   return issues;
 }
 
+/**
+ * @primitive  b.guardShell.validate
+ * @signature  b.guardShell.validate(input, opts)
+ * @since      0.7.13
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.guardShell.gate, b.guardShell.sanitize, b.processSpawn
+ *
+ * Inspect a single shell-argument string and return an aggregated
+ * issue list. Pure inspection — never throws on hostile input;
+ * caller decides what to do with the issues. The `ok` flag is
+ * `true` only when zero `critical` / `high` issues fire. Throws
+ * `GuardShellError("shell.bad-opt")` when a numeric opt is
+ * non-finite / negative (config-time mistake by the operator).
+ *
+ * @opts
+ *   profile:           "strict"|"balanced"|"permissive",
+ *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   bidiPolicy:        "reject"|"audit"|"allow",
+ *   controlPolicy:     "reject"|"audit"|"allow",
+ *   nullBytePolicy:    "reject"|"audit"|"allow",
+ *   zeroWidthPolicy:   "reject"|"strip"|"audit"|"allow",
+ *   posixMetaPolicy:   "reject"|"audit"|"allow",
+ *   cmdMetaPolicy:     "reject"|"audit"|"allow",
+ *   dollarSubstPolicy: "reject"|"audit"|"allow",
+ *   processSubstPolicy:"reject"|"audit"|"allow",
+ *   backtickPolicy:    "reject"|"audit"|"allow",
+ *   newlinePolicy:     "reject"|"audit"|"allow",
+ *   argHyphenPolicy:   "reject"|"audit"|"allow",
+ *   maxBytes:          number,
+ *   maxRuntimeMs:      number,
+ *
+ * @example
+ *   var clean = b.guardShell.validate("safe-arg-value", { profile: "strict" });
+ *   clean.ok;                                          // → true
+ *
+ *   var hostile = b.guardShell.validate("safe; rm -rf /", { profile: "strict" });
+ *   hostile.ok;                                        // → false
+ *   hostile.issues.some(function (i) { return i.kind === "posix-metachar"; });  // → true
+ */
 function validate(input, opts) {
   opts = _resolveOpts(opts);
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
@@ -243,6 +293,47 @@ function validate(input, opts) {
   return gateContract.aggregateIssues(_detectIssues(input, opts));
 }
 
+/**
+ * @primitive  b.guardShell.sanitize
+ * @signature  b.guardShell.sanitize(input, opts)
+ * @since      0.7.13
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.guardShell.validate, b.guardShell.gate
+ *
+ * Pass-through-or-throw. Shell arguments cannot be safely repaired
+ * (stripping a `;` inside an arg fundamentally changes operator
+ * intent); this primitive returns the input unchanged when no
+ * `critical` or `high` issue fires, otherwise throws
+ * `GuardShellError` with the offending rule id (e.g.
+ * `shell.posix-metachar`, `shell.dollar-substitution`,
+ * `shell.backtick`, `shell.newline`). Operators that need a
+ * "best-effort cleanup" semantic should use a different argv shape
+ * (path + literal arg array) rather than trying to disarm a hostile
+ * string.
+ *
+ * @opts
+ *   profile:           "strict"|"balanced"|"permissive",
+ *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   posixMetaPolicy:   "reject"|"audit"|"allow",
+ *   cmdMetaPolicy:     "reject"|"audit"|"allow",
+ *   dollarSubstPolicy: "reject"|"audit"|"allow",
+ *   processSubstPolicy:"reject"|"audit"|"allow",
+ *   backtickPolicy:    "reject"|"audit"|"allow",
+ *   newlinePolicy:     "reject"|"audit"|"allow",
+ *   argHyphenPolicy:   "reject"|"audit"|"allow",
+ *   maxBytes:          number,
+ *
+ * @example
+ *   var arg = b.guardShell.sanitize("safe-arg-value", { profile: "strict" });
+ *   arg;                                               // → "safe-arg-value"
+ *
+ *   try {
+ *     b.guardShell.sanitize("safe; rm -rf /", { profile: "strict" });
+ *   } catch (e) {
+ *     e.code;                                          // → "shell.posix-metachar"
+ *   }
+ */
 function sanitize(input, opts) {
   opts = _resolveOpts(opts);
   if (typeof input !== "string") {
@@ -260,6 +351,49 @@ function sanitize(input, opts) {
   return input;
 }
 
+/**
+ * @primitive  b.guardShell.gate
+ * @signature  b.guardShell.gate(opts)
+ * @since      0.7.13
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.guardShell.validate, b.guardShell.sanitize, b.processSpawn
+ *
+ * Build a `b.gateContract` gate that screens `ctx.identifier` (or
+ * `ctx.arg`) before each spawn. Action chain: `serve` (no issues)
+ * → `audit-only` (warn-only) → `refuse` (any `critical` or `high`).
+ * No `sanitize` action — shell args cannot be repaired. Compose
+ * with `b.processSpawn` so each argv slot is gated before reaching
+ * the OS (the spawn primitive itself enforces `shell: false`; the
+ * gate enforces metacharacter cleanliness).
+ *
+ * @opts
+ *   profile:           "strict"|"balanced"|"permissive",
+ *   compliance:        "hipaa"|"pci-dss"|"gdpr"|"soc2",
+ *   name:              string,        // override gate name in audit emissions
+ *   posixMetaPolicy:   "reject"|"audit"|"allow",
+ *   cmdMetaPolicy:     "reject"|"audit"|"allow",
+ *   dollarSubstPolicy: "reject"|"audit"|"allow",
+ *   processSubstPolicy:"reject"|"audit"|"allow",
+ *   backtickPolicy:    "reject"|"audit"|"allow",
+ *   newlinePolicy:     "reject"|"audit"|"allow",
+ *   argHyphenPolicy:   "reject"|"audit"|"allow",
+ *   maxBytes:          number,
+ *
+ * @example
+ *   var gate = b.guardShell.gate({ profile: "strict" });
+ *
+ *   // Hostile arg — gate refuses before spawn.
+ *   gate({ identifier: "safe; rm -rf /" }).then(function (rv) {
+ *     rv.ok;                                           // → false
+ *     rv.action;                                       // → "refuse"
+ *   });
+ *
+ *   // Benign arg — gate serves.
+ *   gate({ identifier: "safe-arg-value" }).then(function (rv) {
+ *     rv.action;                                       // → "serve"
+ *   });
+ */
 function gate(opts) {
   opts = _resolveOpts(opts);
   return gateContract.buildGuardGate(
@@ -283,14 +417,83 @@ function gate(opts) {
     });
 }
 
+/**
+ * @primitive  b.guardShell.buildProfile
+ * @signature  b.guardShell.buildProfile(opts)
+ * @since      0.7.13
+ * @status     stable
+ * @related    b.guardShell.gate, b.guardShell.compliancePosture
+ *
+ * Compose a derived guardShell profile from one or more named bases
+ * plus inline overrides. `opts.extends` is a profile name
+ * (`"strict"` / `"balanced"` / `"permissive"`) or an array of
+ * names; later entries shadow earlier ones. Inline `opts` keys win
+ * last. Used to keep operator-defined profiles traceable to a
+ * baseline rather than re-typing every key.
+ *
+ * @opts
+ *   extends: string|string[],   // base profile name(s) to compose
+ *   ...:     any guardShell key, // inline override of resolved keys
+ *
+ * @example
+ *   var custom = b.guardShell.buildProfile({
+ *     extends: "balanced",
+ *     argHyphenPolicy: "reject",
+ *   });
+ *   custom.argHyphenPolicy;                            // → "reject"
+ *   custom.dollarSubstPolicy;                          // → "reject"
+ */
 var buildProfile = gateContract.makeProfileBuilder(PROFILES);
 
+/**
+ * @primitive  b.guardShell.compliancePosture
+ * @signature  b.guardShell.compliancePosture(name)
+ * @since      0.7.13
+ * @status     stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.guardShell.gate, b.guardShell.buildProfile
+ *
+ * Look up a compliance-posture overlay by name (`"hipaa"` /
+ * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
+ * the posture object — the caller may mutate freely. Throws
+ * `GuardShellError("shell.bad-posture")` on unknown name.
+ *
+ * @example
+ *   var posture = b.guardShell.compliancePosture("hipaa");
+ *   posture.posixMetaPolicy;                           // → "reject"
+ *   posture.forensicSnippetBytes;                      // → 256
+ */
 function compliancePosture(name) {
   return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
     _err, "shell");
 }
 
 var _shellRulePacks = gateContract.makeRulePackLoader(GuardShellError, "shell");
+/**
+ * @primitive  b.guardShell.loadRulePack
+ * @signature  b.guardShell.loadRulePack(pack)
+ * @since      0.7.13
+ * @status     stable
+ * @related    b.guardShell.gate
+ *
+ * Register an operator-supplied rule pack with the guardShell
+ * registry. The pack is identified by `pack.id` (non-empty string)
+ * and stored for later inspection / dispatch by gates that opt in
+ * via `opts.rulePackId`. Returns the pack object unchanged on
+ * success; throws `GuardShellError("shell.bad-opt")` when `pack`
+ * is missing or `pack.id` is not a non-empty string.
+ *
+ * @example
+ *   var pack = b.guardShell.loadRulePack({
+ *     id: "no-leading-dash",
+ *     rules: [
+ *       { id: "leading-dash", severity: "high",
+ *         detect: function (arg) { return arg.charAt(0) === "-"; },
+ *         reason: "argument starts with `-` flag prefix" },
+ *     ],
+ *   });
+ *   pack.id;                                           // → "no-leading-dash"
+ */
 var loadRulePack = _shellRulePacks.load;
 
 module.exports = {

package/lib/guard-svg.js

@@ -1,17 +1,30 @@
 "use strict";
 /**
- * guard-svg — SVG content-safety primitive (b.guardSvg).
+ * @module b.guardSvg
+ * @nav    Guards
+ * @title  Guard Svg
  *
- * Threat catalog grounded in current SVG attack-surface research
- * (Fortinet anatomy of SVG attack surface; Angular GHSA-jrmj-c5cx-3cw6
- * + GHSA-v4hv-rgfq-gp49 SVG animation/href XSS; SVGO CVE-2026-29074
- * billion laughs DoS; siyuan-note GHSA-5hc8-qmg8-pw27 animate-element
- * sanitizer bypass; cure53/DOMPurify issue #233 xlink:href filtering;
- * insertScript SVG fun-time series; svg2raster-cheatsheet SSRF guide).
+ * @intro
+ *   SVG content-safety primitive — defends against XXE / billion-laughs
+ *   entity expansion, SSRF via `xlink:href`, animation-href injection
+ *   (the `<animate attributeName="href" ...>` retroactive-poisoning
+ *   class), embedded `<script>` / `<foreignObject>` namespace-shift
+ *   escape hatches, dangerous URL schemes, CSS injection in style
+ *   attributes, SVGZ compressed payloads, and Trojan-Source bidi /
+ *   zero-width / null-byte threats.
  *
- *   var rv = b.guardSvg.validate(input, { profile: "strict" });
- *   var safe = b.guardSvg.sanitize(input, { profile: "balanced" });
- *   var g = b.guardSvg.gate({ profile: "strict" });
+ *   Element + attribute allowlist with strict default (text + shape
+ *   primitives only). Profiles `strict` / `balanced` / `permissive`
+ *   compose with compliance postures `hipaa` / `pci-dss` / `gdpr` /
+ *   `soc2`. Integrates with `b.fileUpload` and `b.staticServe`'s
+ *   contentSafety hook by default.
+ *
+ *   Source-of-truth references: Fortinet anatomy of SVG attack
+ *   surface; Angular GHSA-jrmj-c5cx-3cw6 + GHSA-v4hv-rgfq-gp49 SVG
+ *   animation/href XSS; SVGO CVE-2026-29074 billion-laughs DoS;
+ *   siyuan-note GHSA-5hc8-qmg8-pw27 animate-element sanitizer bypass;
+ *   cure53/DOMPurify issue #233 xlink:href filtering; insertScript
+ *   SVG fun-time series; svg2raster-cheatsheet SSRF guide.
  *
  * Threat catalog covered:
  *
@@ -88,6 +101,9 @@
  * Threat-detection regex literals are composed PROGRAMMATICALLY from
  * numeric codepoint range tables. Source file never embeds attack
  * characters themselves.
+ *
+ * @card
+ *   SVG content-safety primitive — defends against XXE / billion-laughs entity expansion, SSRF via `xlink:href`, animation-href injection (the `<animate attributeName="href" ...>` retroactive-poisoning class), embedded `<script>` / `<foreignObject>` namespace-shift escape hatches,...
  */
 
 var codepointClass = require("./codepoint-class");
@@ -890,6 +906,51 @@ function _sanitize(input, opts) {
 
 // ---- Public surface ----
 
+/**
+ * @primitive b.guardSvg.validate
+ * @signature b.guardSvg.validate(input, opts)
+ * @since     0.7.7
+ * @status    stable
+ * @related   b.guardSvg.sanitize, b.guardSvg.gate
+ *
+ * Inspect an SVG payload (string or Buffer) and return
+ * `{ ok, issues }` describing every threat the parser found. Never
+ * throws on hostile input — callers see the full issue list and
+ * decide whether to refuse, sanitize, or audit.
+ *
+ * Issues carry `kind` / `severity` / `ruleId` / `location` /
+ * `snippet`. Severities `critical` and `high` are the gate's
+ * refuse / sanitize signal; `warn` is audit-only.
+ *
+ * @opts
+ *   profile:           "strict" | "balanced" | "permissive",
+ *   compliancePosture: "hipaa" | "pci-dss" | "gdpr" | "soc2",
+ *   allowedTags:       Array<string>,
+ *   allowedAttrs:      Array<string>,
+ *   urlSchemes:        Array<string>,
+ *   allowImageData:    boolean,
+ *   allowExternalRefs: boolean,
+ *   allowAnimation:    boolean,
+ *   maxBytes:          number,
+ *   maxAttrValueBytes: number,
+ *   maxElementCount:   number,
+ *   maxUseDepth:       number,
+ *   maxAttrsPerTag:    number,
+ *
+ * @example
+ *   var rv = b.guardSvg.validate(
+ *     '<svg><script>alert(1)</script></svg>',
+ *     { profile: "strict" });
+ *   rv.ok;                           // → false
+ *   rv.issues[0].kind;               // → "dangerous-tag"
+ *   rv.issues[0].severity;           // → "critical"
+ *
+ *   var clean = b.guardSvg.validate(
+ *     '<svg><circle r="10"/></svg>',
+ *     { profile: "strict" });
+ *   clean.ok;                        // → true
+ *   clean.issues.length;             // → 0
+ */
 function validate(input, opts) {
   opts = _resolveOpts(opts);
   numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
@@ -901,6 +962,46 @@ function validate(input, opts) {
   return gateContract.aggregateIssues(_detectIssues(input, opts));
 }
 
+/**
+ * @primitive b.guardSvg.sanitize
+ * @signature b.guardSvg.sanitize(input, opts)
+ * @since     0.7.7
+ * @status    stable
+ * @related   b.guardSvg.validate, b.guardSvg.gate
+ *
+ * Best-effort sanitizer. Strips dangerous tags (`<script>`,
+ * `<foreignObject>`, plugin embeds, animation elements when the
+ * profile forbids them), event-handler attributes (every
+ * `/^on[a-z]/`), URL attributes carrying `javascript:` /
+ * `vbscript:` / non-allowlisted schemes, CSS injection inside
+ * `style="..."`, DOCTYPE / `<!ENTITY>` / processing instructions /
+ * CDATA, bidi / control / null-byte / zero-width threats per the
+ * profile's char policies. Throws `GuardSvgError` (`svg.svgz`) on
+ * SVGZ input — operators must ungzip first then re-sanitize.
+ *
+ * @opts
+ *   profile:           "strict" | "balanced" | "permissive",
+ *   compliancePosture: "hipaa" | "pci-dss" | "gdpr" | "soc2",
+ *   allowedTags:       Array<string>,
+ *   urlSchemes:        Array<string>,
+ *   allowImageData:    boolean,
+ *   allowExternalRefs: boolean,
+ *   allowAnimation:    boolean,
+ *   maxBytes:          number,
+ *
+ * @example
+ *   var safe = b.guardSvg.sanitize(
+ *     '<svg><script>alert(1)</script><circle r="10"/></svg>',
+ *     { profile: "balanced" });
+ *   safe;
+ *   // → '<svg><circle r="10"></circle></svg>'
+ *
+ *   // Event-handler attributes are stripped:
+ *   var clean = b.guardSvg.sanitize(
+ *     '<svg onload="x()"><rect width="10" height="10"/></svg>',
+ *     { profile: "strict" });
+ *   /onload/.test(clean);            // → false
+ */
 function sanitize(input, opts) {
   opts = _resolveOpts(opts);
   if (typeof input !== "string" && !Buffer.isBuffer(input)) {
@@ -909,6 +1010,51 @@ function sanitize(input, opts) {
   return _sanitize(input, opts);
 }
 
+/**
+ * @primitive b.guardSvg.gate
+ * @signature b.guardSvg.gate(opts)
+ * @since     0.7.7
+ * @status    stable
+ * @related   b.guardSvg.validate, b.guardSvg.sanitize, b.fileUpload, b.staticServe
+ *
+ * Build a uniform gate over guard-* family contract. Returns an
+ * async function whose verdict is `{ ok, action, issues?,
+ * sanitized? }` where `action` is `serve` / `audit-only` /
+ * `sanitize` / `refuse`. SVGZ inputs always refuse — operators
+ * ungzip and re-gate the inner SVG. External `xlink:href` on
+ * `<use>` / `<feImage>` refuses under `strict` (SSRF + XSS chain).
+ * Sanitize path is taken when no policy is set to `reject` and the
+ * issue set is repairable.
+ *
+ * @opts
+ *   profile:           "strict" | "balanced" | "permissive",
+ *   compliancePosture: "hipaa" | "pci-dss" | "gdpr" | "soc2",
+ *   mode:              "enforce" | "audit-only",
+ *   audit:             AuditEmitter,
+ *   observability:     ObservabilityEmitter,
+ *   forensicEvidenceStore: ForensicStore,
+ *   allowedTags:       Array<string>,
+ *   urlSchemes:        Array<string>,
+ *   allowExternalRefs: boolean,
+ *   allowAnimation:    boolean,
+ *   maxBytes:          number,
+ *   maxRuntimeMs:      number,
+ *
+ * @example
+ *   var g = b.guardSvg.gate({ profile: "strict" });
+ *   var verdict = await g({
+ *     bytes: Buffer.from('<svg><circle r="10"/></svg>', "utf8"),
+ *   });
+ *   verdict.action;                  // → "serve"
+ *
+ *   // Refuses external xlink:href under strict:
+ *   var refuse = await g({
+ *     bytes: Buffer.from(
+ *       '<svg><use xlink:href="https://evil.example/x.svg#a"/></svg>',
+ *       "utf8"),
+ *   });
+ *   refuse.action;                   // → "refuse"
+ */
 function gate(opts) {
   opts = _resolveOpts(opts);
   return gateContract.buildGuardGate(
@@ -949,6 +1095,27 @@ function gate(opts) {
 
 var buildProfile = gateContract.makeProfileBuilder(PROFILES);
 
+/**
+ * @primitive b.guardSvg.compliancePosture
+ * @signature b.guardSvg.compliancePosture(name)
+ * @since     0.7.7
+ * @status    stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related   b.guardSvg.gate, b.compliance.set
+ *
+ * Look up a regulatory-posture override. Returns a shallow clone
+ * of the named posture's option overlay; throws
+ * `GuardSvgError` (`svg.bad-posture`) on unknown names. Operators
+ * pass it through `gate({ compliancePosture: "hipaa" })` rather
+ * than calling this directly — exposed for introspection and
+ * audit-evidence collection.
+ *
+ * @example
+ *   var hipaa = b.guardSvg.compliancePosture("hipaa");
+ *   hipaa.bidiPolicy;                // → "reject"
+ *   hipaa.allowExternalRefs;         // → false
+ *   hipaa.allowAnimation;            // → false
+ */
 function compliancePosture(name) {
   return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES, _err, "svg");
 }