npm - @ccslabs/xtend - Versions diffs - 0.1.0-rc.1 - Mend

@ccslabs/xtend 0.1.0-rc.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (664) hide show

package/CHANGELOG.md +65 -0
package/LICENSE +201 -0
package/README.md +184 -0
package/a11y/motion-contrast-policy.d.ts +32 -0
package/a11y/motion-contrast-policy.js +261 -0
package/a11y/runtime-a11y-contract.d.ts +44 -0
package/a11y/runtime-a11y-contract.js +385 -0
package/a11y/screenreader-signals.d.ts +32 -0
package/a11y/screenreader-signals.js +372 -0
package/api.d.ts +168 -0
package/api.js +864 -0
package/catalog/catalog-public-types.d.ts +66 -0
package/catalog/component-catalog-coverage.d.ts +20 -0
package/catalog/component-catalog-coverage.js +377 -0
package/catalog/component-long-tail-migration.d.ts +18 -0
package/catalog/component-long-tail-migration.js +305 -0
package/catalog/component-regression-priority.d.ts +20 -0
package/catalog/component-regression-priority.js +305 -0
package/catalog/enterprise-component-flex-release-handoff.d.ts +32 -0
package/catalog/enterprise-component-flex-release-handoff.js +437 -0
package/catalog/enterprise-component-style-audit.d.ts +22 -0
package/catalog/enterprise-component-style-audit.js +353 -0
package/catalog/enterprise-form-control-theme-a11y.d.ts +19 -0
package/catalog/enterprise-form-control-theme-a11y.js +220 -0
package/catalog/enterprise-icon-control-audit.d.ts +21 -0
package/catalog/enterprise-icon-control-audit.js +258 -0
package/catalog/enterprise-layout-display-media-tokenization.d.ts +20 -0
package/catalog/enterprise-layout-display-media-tokenization.js +237 -0
package/catalog/enterprise-navigation-routing-state-hardening.d.ts +20 -0
package/catalog/enterprise-navigation-routing-state-hardening.js +255 -0
package/catalog/enterprise-overlay-mode-token-parity.d.ts +15 -0
package/catalog/enterprise-overlay-mode-token-parity.js +178 -0
package/catalog/enterprise-third-party-authoring-guide.d.ts +23 -0
package/catalog/enterprise-third-party-authoring-guide.js +310 -0
package/catalog/enterprise-visual-dom-snapshot-matrix.d.ts +31 -0
package/catalog/enterprise-visual-dom-snapshot-matrix.js +357 -0
package/catalog/epic10-existing-component-metadata.d.ts +25 -0
package/catalog/epic10-existing-component-metadata.js +534 -0
package/catalog/epic10-p0-component-wave.d.ts +28 -0
package/catalog/epic10-p0-component-wave.js +688 -0
package/catalog/epic10-platform-gates.d.ts +31 -0
package/catalog/epic10-platform-gates.js +425 -0
package/catalog/epic10-release-handoff.d.ts +30 -0
package/catalog/epic10-release-handoff.js +195 -0
package/catalog/epic11-enterprise-ux-handoff.d.ts +29 -0
package/catalog/epic11-enterprise-ux-handoff.js +403 -0
package/catalog/epic12-docs-adoption.d.ts +29 -0
package/catalog/epic12-docs-adoption.js +183 -0
package/catalog/epic12-rc0-gate-matrix.d.ts +36 -0
package/catalog/epic12-rc0-gate-matrix.js +439 -0
package/catalog/epic12-rc0-handoff.d.ts +30 -0
package/catalog/epic12-rc0-handoff.js +385 -0
package/catalog/epic13-conditional-network-evidence-ci.d.ts +35 -0
package/catalog/epic13-conditional-network-evidence-ci.js +278 -0
package/catalog/epic13-conditional-network-evidence.d.ts +34 -0
package/catalog/epic13-conditional-network-evidence.js +280 -0
package/catalog/epic13-docs-rmt-production-hardening.d.ts +39 -0
package/catalog/epic13-docs-rmt-production-hardening.js +286 -0
package/catalog/epic13-hydration-performance-closure.d.ts +33 -0
package/catalog/epic13-hydration-performance-closure.js +234 -0
package/catalog/epic13-known-residual-triage.d.ts +32 -0
package/catalog/epic13-known-residual-triage.js +339 -0
package/catalog/epic13-package-export-lock.d.ts +41 -0
package/catalog/epic13-package-export-lock.js +604 -0
package/catalog/epic13-prod-browser-csp-smoke.d.ts +35 -0
package/catalog/epic13-prod-browser-csp-smoke.js +218 -0
package/catalog/epic13-rc1-gate-matrix-ci-handoff.d.ts +36 -0
package/catalog/epic13-rc1-gate-matrix-ci-handoff.js +418 -0
package/catalog/epic13-rc1-migration-notes.d.ts +36 -0
package/catalog/epic13-rc1-migration-notes.js +271 -0
package/catalog/epic13-rc1-readiness.d.ts +33 -0
package/catalog/epic13-rc1-readiness.js +487 -0
package/catalog/epic13-release-owner-acceptance.d.ts +33 -0
package/catalog/epic13-release-owner-acceptance.js +354 -0
package/catalog/epic13-release-report-pack-dry-run-evidence.d.ts +36 -0
package/catalog/epic13-release-report-pack-dry-run-evidence.js +253 -0
package/catalog/epic13-rmt-production-readiness.d.ts +35 -0
package/catalog/epic13-rmt-production-readiness.js +314 -0
package/catalog/epic13-trusted-dom-boundary.d.ts +36 -0
package/catalog/epic13-trusted-dom-boundary.js +230 -0
package/catalog/epic13-visual-owner-artifact.d.ts +35 -0
package/catalog/epic13-visual-owner-artifact.js +233 -0
package/catalog/epic14-lsp-handoff.d.ts +28 -0
package/catalog/epic14-lsp-handoff.js +312 -0
package/catalog/epic14-rmt-tooling.d.ts +33 -0
package/catalog/epic14-rmt-tooling.js +282 -0
package/catalog/surface-manager-adapter-runtime.d.ts +37 -0
package/catalog/surface-manager-adapter-runtime.js +203 -0
package/catalog/surface-manager-browser-lab.d.ts +39 -0
package/catalog/surface-manager-browser-lab.js +225 -0
package/catalog/surface-manager-controller.d.ts +43 -0
package/catalog/surface-manager-controller.js +290 -0
package/catalog/surface-manager-layout-engines.d.ts +32 -0
package/catalog/surface-manager-layout-engines.js +161 -0
package/catalog/surface-manager-lazy-loading.d.ts +35 -0
package/catalog/surface-manager-lazy-loading.js +173 -0
package/catalog/surface-manager-materialization.d.ts +37 -0
package/catalog/surface-manager-materialization.js +202 -0
package/catalog/surface-manager-native-rmt-surfaces.d.ts +48 -0
package/catalog/surface-manager-native-rmt-surfaces.js +325 -0
package/catalog/surface-manager-overlay-bridge.d.ts +42 -0
package/catalog/surface-manager-overlay-bridge.js +247 -0
package/catalog/surface-manager-persistence.d.ts +37 -0
package/catalog/surface-manager-persistence.js +178 -0
package/catalog/surface-manager-quality-gates.d.ts +48 -0
package/catalog/surface-manager-quality-gates.js +324 -0
package/catalog/surface-manager-release-handoff.d.ts +47 -0
package/catalog/surface-manager-release-handoff.js +274 -0
package/catalog/surface-manager-remote-policy.d.ts +34 -0
package/catalog/surface-manager-remote-policy.js +199 -0
package/catalog/surface-manager-rmt-authoring.d.ts +44 -0
package/catalog/surface-manager-rmt-authoring.js +368 -0
package/catalog/surface-manager-route-lifecycle.d.ts +32 -0
package/catalog/surface-manager-route-lifecycle.js +162 -0
package/catalog/surface-manager-runtime-release-handoff.d.ts +36 -0
package/catalog/surface-manager-runtime-release-handoff.js +245 -0
package/catalog/surface-manager-side-panel-runtime.d.ts +46 -0
package/catalog/surface-manager-side-panel-runtime.js +307 -0
package/catalog/surface-manager-stack-policy.d.ts +32 -0
package/catalog/surface-manager-stack-policy.js +169 -0
package/catalog/surface-manager-window-runtime.d.ts +45 -0
package/catalog/surface-manager-window-runtime.js +285 -0
package/catalog/surface-manager-workbench-fixture.d.ts +50 -0
package/catalog/surface-manager-workbench-fixture.js +315 -0
package/catalog/type-exports-api.js +236 -0
package/catalog/type-exports-builder.js +405 -0
package/catalog/type-exports-catalog.js +394 -0
package/catalog/type-exports-loader.js +266 -0
package/catalog/type-exports-policy.js +461 -0
package/catalog/type-exports-rmt.js +407 -0
package/catalog/type-exports-vendor.js +365 -0
package/catalog/type-exports.js +574 -0
package/components/icon-packs/core.js +154 -0
package/components/icon-packs/lucide.js +136 -0
package/components/manifest.json +44 -0
package/components/prism.d.ts +73 -0
package/components/prism.js +300 -0
package/components/turndown.d.ts +34 -0
package/components/turndown.js +107 -0
package/components/x-rmt-lifecycle-demo-build.d.ts +78 -0
package/components/x-rmt-lifecycle-demo-build.js +1175 -0
package/components/x-rmt-lifecycle-demo.d.ts +83 -0
package/components/x-rmt-lifecycle-demo.js +1175 -0
package/components/xalert.d.ts +42 -0
package/components/xalert.js +538 -0
package/components/xbutton.d.ts +127 -0
package/components/xbutton.js +612 -0
package/components/xcalendar.d.ts +39 -0
package/components/xcalendar.js +338 -0
package/components/xcards.d.ts +34 -0
package/components/xcards.js +253 -0
package/components/xcheckbox.d.ts +48 -0
package/components/xcheckbox.js +448 -0
package/components/xcode.d.ts +35 -0
package/components/xcode.js +370 -0
package/components/xdialog.d.ts +48 -0
package/components/xdialog.js +763 -0
package/components/xdrawer.d.ts +61 -0
package/components/xdrawer.js +654 -0
package/components/xfooter.d.ts +41 -0
package/components/xfooter.js +351 -0
package/components/xform.d.ts +43 -0
package/components/xform.js +456 -0
package/components/xheader.d.ts +68 -0
package/components/xheader.js +1253 -0
package/components/xhero.d.ts +42 -0
package/components/xhero.js +475 -0
package/components/xicon.d.ts +146 -0
package/components/xicon.js +688 -0
package/components/xinput.d.ts +37 -0
package/components/xinput.js +444 -0
package/components/xlightbox.d.ts +48 -0
package/components/xlightbox.js +571 -0
package/components/xlink.d.ts +63 -0
package/components/xlink.js +565 -0
package/components/xmasonry.d.ts +35 -0
package/components/xmasonry.js +666 -0
package/components/xmenu.d.ts +118 -0
package/components/xmenu.js +1005 -0
package/components/xmodal.d.ts +64 -0
package/components/xmodal.js +831 -0
package/components/xplayer.d.ts +57 -0
package/components/xplayer.js +1748 -0
package/components/xpopover.d.ts +54 -0
package/components/xpopover.js +466 -0
package/components/xprogress.d.ts +40 -0
package/components/xprogress.js +345 -0
package/components/xradio.d.ts +50 -0
package/components/xradio.js +474 -0
package/components/xrouter.d.ts +244 -0
package/components/xrouter.js +1841 -0
package/components/xsection.d.ts +34 -0
package/components/xsection.js +253 -0
package/components/xselect.d.ts +46 -0
package/components/xselect.js +463 -0
package/components/xsidepanel.d.ts +56 -0
package/components/xsidepanel.js +728 -0
package/components/xspinner.d.ts +38 -0
package/components/xspinner.js +388 -0
package/components/xstate.d.ts +137 -0
package/components/xstate.js +493 -0
package/components/xstatus.d.ts +41 -0
package/components/xstatus.js +381 -0
package/components/xsummary.d.ts +43 -0
package/components/xsummary.js +293 -0
package/components/xsurfacemanager-controller.d.ts +130 -0
package/components/xsurfacemanager-controller.js +699 -0
package/components/xsurfacemanager.d.ts +452 -0
package/components/xsurfacemanager.js +3775 -0
package/components/xsurfaceoverlay-bridge.d.ts +43 -0
package/components/xsurfaceoverlay-bridge.js +238 -0
package/components/xsurfacewindow.d.ts +50 -0
package/components/xsurfacewindow.js +576 -0
package/components/xtabs.d.ts +73 -0
package/components/xtabs.js +611 -0
package/components/xtend-public-types.d.ts +208 -0
package/components/xtextarea.d.ts +46 -0
package/components/xtextarea.js +451 -0
package/components/xtheme.d.ts +253 -0
package/components/xtheme.js +1438 -0
package/components/xtoast.d.ts +39 -0
package/components/xtoast.js +389 -0
package/components/xtooltip.d.ts +53 -0
package/components/xtooltip.js +432 -0
package/components/xtype.d.ts +42 -0
package/components/xtype.js +244 -0
package/components/xutils.d.ts +164 -0
package/components/xutils.js +496 -0
package/components/xwriter.d.ts +67 -0
package/components/xwriter.js +854 -0
package/design-tokens/themes/enterprise-light.json +40 -0
package/design-tokens/themes/xtend-signature.json +126 -0
package/design-tokens/xtend-design-tokens.d.ts +95 -0
package/design-tokens/xtend-design-tokens.js +395 -0
package/design-tokens/xtheme-token-alias-layer.d.ts +84 -0
package/design-tokens/xtheme-token-alias-layer.js +423 -0
package/docs/.htaccess +51 -0
package/docs/README.md +340 -0
package/docs/XTend-ADR.md +221 -0
package/docs/a11y-keyboard-smokes.md +62 -0
package/docs/about.md +18 -0
package/docs/api.md +157 -0
package/docs/best-practices.md +76 -0
package/docs/component-catalog-coverage.md +58 -0
package/docs/component-lab.md +103 -0
package/docs/component-long-tail-migration.md +41 -0
package/docs/component-platform.md +159 -0
package/docs/component-ux-app-authoring.md +130 -0
package/docs/component-ux-authoring.md +96 -0
package/docs/component-ux-gates.md +45 -0
package/docs/components/x-rmt-lifecycle-demo-build.md +60 -0
package/docs/components/xalert.md +81 -0
package/docs/components/xbutton.md +103 -0
package/docs/components/xcalendar.md +82 -0
package/docs/components/xcards.md +128 -0
package/docs/components/xcheckbox.md +102 -0
package/docs/components/xcode.md +126 -0
package/docs/components/xdialog.md +92 -0
package/docs/components/xdrawer.md +84 -0
package/docs/components/xfooter.md +126 -0
package/docs/components/xform.md +128 -0
package/docs/components/xheader.md +308 -0
package/docs/components/xhero.md +142 -0
package/docs/components/xicon.md +125 -0
package/docs/components/xinput.md +129 -0
package/docs/components/xlightbox.md +98 -0
package/docs/components/xlink.md +109 -0
package/docs/components/xmasonry.md +124 -0
package/docs/components/xmenu.md +158 -0
package/docs/components/xmodal.md +82 -0
package/docs/components/xplayer.md +104 -0
package/docs/components/xpopover.md +67 -0
package/docs/components/xprogress.md +56 -0
package/docs/components/xradio.md +103 -0
package/docs/components/xrouter.md +260 -0
package/docs/components/xsection.md +125 -0
package/docs/components/xselect.md +105 -0
package/docs/components/xsidepanel.md +30 -0
package/docs/components/xspinner.md +102 -0
package/docs/components/xstate.md +148 -0
package/docs/components/xstatus.md +55 -0
package/docs/components/xsummary.md +78 -0
package/docs/components/xsurfacemanager.md +27 -0
package/docs/components/xsurfacewindow.md +21 -0
package/docs/components/xtabs.md +160 -0
package/docs/components/xtextarea.md +98 -0
package/docs/components/xtheme.md +167 -0
package/docs/components/xtoast.md +62 -0
package/docs/components/xtooltip.md +66 -0
package/docs/components/xtype.md +82 -0
package/docs/components/xutils.md +144 -0
package/docs/components/xwriter.md +94 -0
package/docs/components.md +117 -0
package/docs/conditional-network-evidence-ci.md +38 -0
package/docs/conditional-network-evidence.md +50 -0
package/docs/core-migration-guide.md +110 -0
package/docs/design-tokens.md +116 -0
package/docs/docs-rmt-production-hardening.md +31 -0
package/docs/enterprise-adoption.md +411 -0
package/docs/enterprise-component-flex-release-handoff.md +129 -0
package/docs/epic10-platform-gates.md +62 -0
package/docs/epic10-release-handoff.md +81 -0
package/docs/epic11-enterprise-ux-handoff.md +70 -0
package/docs/epic12-rc0-handoff.md +61 -0
package/docs/existing-component-metadata.md +67 -0
package/docs/hydration-performance-closure.md +34 -0
package/docs/hydration-policies.md +71 -0
package/docs/index.php +1625 -0
package/docs/known-residual-triage.md +22 -0
package/docs/manifest-import-policy.md +79 -0
package/docs/manifest.md +106 -0
package/docs/menu.json +1190 -0
package/docs/motion-contrast.md +67 -0
package/docs/package-export-lock.md +44 -0
package/docs/performance-measurements.md +106 -0
package/docs/performance-regression.md +89 -0
package/docs/performance.md +94 -0
package/docs/previews/README.md +17 -0
package/docs/prod-browser-csp-smokes.md +40 -0
package/docs/public-component-types.md +79 -0
package/docs/quick-start-guide.md +152 -0
package/docs/rc0-adoption-guide.md +102 -0
package/docs/rc0-gate-matrix.md +58 -0
package/docs/rc1-gate-matrix-ci-handoff.md +56 -0
package/docs/rc1-migration-notes.md +69 -0
package/docs/rc1-readiness.md +46 -0
package/docs/release-owner-acceptance.md +56 -0
package/docs/release-report-pack-dry-run-evidence.md +39 -0
package/docs/rmt-dsl-authoring-polish.md +122 -0
package/docs/rmt-first-demo-app.md +77 -0
package/docs/rmt-first-xtend-apps.md +105 -0
package/docs/rmt-kernel-panic-recovery-incident-handoff.md +61 -0
package/docs/rmt-kernel-security-hardening-migration.md +50 -0
package/docs/rmt-kernel-trusted-output-authoring.md +69 -0
package/docs/rmt-language-server.md +177 -0
package/docs/rmt-lifecycle-demo.md +25 -0
package/docs/rmt-linter.md +140 -0
package/docs/rmt-production-readiness.md +63 -0
package/docs/rmt-tooling-release-gates.md +77 -0
package/docs/rmt-vnext-authoring.md +60 -0
package/docs/rmt-vnext-cross-surface-events.md +68 -0
package/docs/rmt-vnext-enterprise-mfe-handoff.md +70 -0
package/docs/rmt-vnext-migration-notes.md +62 -0
package/docs/rmt-vnext-release-handoff.md +69 -0
package/docs/rmt-vnext-remote-surfaces.md +90 -0
package/docs/rmt-vnext-surface-registry-enterprise.md +76 -0
package/docs/screenreader-signals.md +56 -0
package/docs/supply-chain-gates.md +100 -0
package/docs/surface-manager-authoring-guide.md +94 -0
package/docs/surface-manager-browser-lab.md +45 -0
package/docs/surface-manager-component-lab.md +43 -0
package/docs/surface-manager-controller.md +66 -0
package/docs/surface-manager-layout-engines.md +32 -0
package/docs/surface-manager-lazy-hydration.md +63 -0
package/docs/surface-manager-migration-guide.md +94 -0
package/docs/surface-manager-native-rmt-surfaces.md +38 -0
package/docs/surface-manager-overlay-bridge.md +53 -0
package/docs/surface-manager-persistence.md +30 -0
package/docs/surface-manager-quality-gates.md +51 -0
package/docs/surface-manager-release-handoff.md +68 -0
package/docs/surface-manager-remote-policy.md +54 -0
package/docs/surface-manager-rmt-authoring.md +86 -0
package/docs/surface-manager-route-lifecycle.md +59 -0
package/docs/surface-manager-runtime-release-handoff.md +69 -0
package/docs/surface-manager-side-panel-runtime.md +36 -0
package/docs/surface-manager-stack-policy.md +39 -0
package/docs/surface-manager-window-runtime.md +47 -0
package/docs/surface-manager-workbench-fixture.md +43 -0
package/docs/third-party-design-authoring.md +406 -0
package/docs/trusted-dom-boundary-browser-proof.md +32 -0
package/docs/trusted-dom-sanitizing.md +110 -0
package/docs/type-exports.md +61 -0
package/docs/typescript-components.md +63 -0
package/docs/utils/fabric-runtime.js +650 -0
package/docs/utils/pageloader.js +2823 -0
package/docs/utils/parsedown.php +298 -0
package/docs/visual-browser-regression.md +83 -0
package/docs/visual-owner-artifacts.md +46 -0
package/docs/visual-snapshot-automation.md +87 -0
package/docs/xtend-api-types.md +55 -0
package/docs/xtend-builder-types.md +55 -0
package/docs/xtend-catalog-types.md +44 -0
package/docs/xtend-fabric-rmt-lane-mapping.md +143 -0
package/docs/xtend-fabric.md +474 -0
package/docs/xtend-loader-types.md +58 -0
package/docs/xtend-loader.md +265 -0
package/docs/xtend-policy-types.md +38 -0
package/docs/xtend-rmt-types.md +39 -0
package/docs/xtend-vendor-types.md +36 -0
package/docs/xtendrmt-app-dsl.md +269 -0
package/docs/xtendrmt-migration-guide.md +235 -0
package/docs/xtendrmt-native-authoring.md +337 -0
package/docs/xtendrmt-overview.md +89 -0
package/docs/xtendrmt-parsedown-docs.rmt +956 -0
package/docs/xtendrmt-parsedown-scheduling.md +301 -0
package/docs/xtendrmt-runtime-bridge.md +155 -0
package/fabric/hydration-policy.d.ts +27 -0
package/fabric/hydration-policy.js +306 -0
package/fabric/package.json +58 -0
package/fabric/rmt-lane-mapping.d.ts +47 -0
package/fabric/rmt-lane-mapping.js +504 -0
package/fabric/xtend-fabric.d.ts +81 -0
package/fabric/xtend-fabric.js +2669 -0
package/fabric/xtend-policy-public-types.d.ts +135 -0
package/package.json +8225 -0
package/security/README.md +54 -0
package/security/manifest-import-policy.d.ts +43 -0
package/security/manifest-import-policy.js +260 -0
package/security/supply-chain-gate-policy.d.ts +45 -0
package/security/supply-chain-gate-policy.js +249 -0
package/security/trusted-dom-policy.d.ts +36 -0
package/security/trusted-dom-policy.js +316 -0
package/tools/package.json +77 -0
package/tools/rmt-editor/vscode/README.md +33 -0
package/tools/rmt-editor/vscode/extension.d.ts +9 -0
package/tools/rmt-editor/vscode/extension.js +55 -0
package/tools/rmt-editor/vscode/language-configuration.json +28 -0
package/tools/rmt-editor/vscode/package.json +83 -0
package/tools/rmt-editor/vscode/snippets/rmt.code-snippets +243 -0
package/tools/rmt-editor/vscode/syntaxes/rmt.tmLanguage.json +13 -0
package/tools/rmt-editor/vscode/xtend-rmt-language-0.0.0-enterprise-readiness.vsix +0 -0
package/tools/rmt-language/code-actions.d.ts +15 -0
package/tools/rmt-language/code-actions.js +566 -0
package/tools/rmt-language/completions.d.ts +22 -0
package/tools/rmt-language/completions.js +475 -0
package/tools/rmt-language/definitions.d.ts +13 -0
package/tools/rmt-language/definitions.js +212 -0
package/tools/rmt-language/diagnostics.d.ts +23 -0
package/tools/rmt-language/diagnostics.js +486 -0
package/tools/rmt-language/format-adapter.d.ts +16 -0
package/tools/rmt-language/format-adapter.js +270 -0
package/tools/rmt-language/hover.d.ts +12 -0
package/tools/rmt-language/hover.js +326 -0
package/tools/rmt-language/kernel-escalation.d.ts +122 -0
package/tools/rmt-language/kernel-escalation.js +427 -0
package/tools/rmt-language/kernel-panic-monitor.d.ts +176 -0
package/tools/rmt-language/kernel-panic-monitor.js +674 -0
package/tools/rmt-language/kernel-policy-parity.d.ts +142 -0
package/tools/rmt-language/kernel-policy-parity.js +629 -0
package/tools/rmt-language/kernel-recovery.d.ts +173 -0
package/tools/rmt-language/kernel-recovery.js +666 -0
package/tools/rmt-language/kernel-scheduler-failure.d.ts +136 -0
package/tools/rmt-language/kernel-scheduler-failure.js +486 -0
package/tools/rmt-language/kernel-security-regression.d.ts +154 -0
package/tools/rmt-language/kernel-security-regression.js +465 -0
package/tools/rmt-language/kernel-trust-authority.d.ts +120 -0
package/tools/rmt-language/kernel-trust-authority.js +549 -0
package/tools/rmt-language/parser.d.ts +14 -0
package/tools/rmt-language/parser.js +111 -0
package/tools/rmt-language/rmt-tooling-public-types.d.ts +179 -0
package/tools/rmt-language/rules/boundary-policy.js +81 -0
package/tools/rmt-language/rules/document-policy.js +65 -0
package/tools/rmt-language/rules/index.js +29 -0
package/tools/rmt-language/rules/route-policy.js +81 -0
package/tools/rmt-language/rules/scheduler-policy.js +66 -0
package/tools/rmt-language/rules/template-policy.js +130 -0
package/tools/rmt-language/semantic-graph.d.ts +18 -0
package/tools/rmt-language/semantic-graph.js +827 -0
package/tools/rmt-language/snippets/README.md +17 -0
package/tools/rmt-language/snippets/index.d.ts +17 -0
package/tools/rmt-language/snippets/index.js +417 -0
package/tools/rmt-language/snippets/rmt.code-snippets +243 -0
package/tools/rmt-language/source-model.d.ts +14 -0
package/tools/rmt-language/source-model.js +731 -0
package/tools/rmt-language/symbols.d.ts +13 -0
package/tools/rmt-language/symbols.js +183 -0
package/tools/rmt-language/vnext-compatibility.d.ts +28 -0
package/tools/rmt-language/vnext-compatibility.js +675 -0
package/tools/rmt-language/vnext-compiler.d.ts +17 -0
package/tools/rmt-language/vnext-compiler.js +716 -0
package/tools/rmt-language/vnext-composition.d.ts +30 -0
package/tools/rmt-language/vnext-composition.js +595 -0
package/tools/rmt-language/vnext-conditions.d.ts +25 -0
package/tools/rmt-language/vnext-conditions.js +474 -0
package/tools/rmt-language/vnext-cross-surface-events.d.ts +30 -0
package/tools/rmt-language/vnext-cross-surface-events.js +607 -0
package/tools/rmt-language/vnext-degradation.d.ts +23 -0
package/tools/rmt-language/vnext-degradation.js +428 -0
package/tools/rmt-language/vnext-enterprise-fixtures.d.ts +28 -0
package/tools/rmt-language/vnext-enterprise-fixtures.js +487 -0
package/tools/rmt-language/vnext-enterprise-registry.d.ts +21 -0
package/tools/rmt-language/vnext-enterprise-registry.js +495 -0
package/tools/rmt-language/vnext-enterprise-release.d.ts +44 -0
package/tools/rmt-language/vnext-enterprise-release.js +472 -0
package/tools/rmt-language/vnext-event-governance.d.ts +29 -0
package/tools/rmt-language/vnext-event-governance.js +488 -0
package/tools/rmt-language/vnext-events.d.ts +44 -0
package/tools/rmt-language/vnext-events.js +680 -0
package/tools/rmt-language/vnext-import-resolver.d.ts +28 -0
package/tools/rmt-language/vnext-import-resolver.js +642 -0
package/tools/rmt-language/vnext-lifecycle.d.ts +22 -0
package/tools/rmt-language/vnext-lifecycle.js +404 -0
package/tools/rmt-language/vnext-parser.d.ts +21 -0
package/tools/rmt-language/vnext-parser.js +1391 -0
package/tools/rmt-language/vnext-regression.d.ts +25 -0
package/tools/rmt-language/vnext-regression.js +394 -0
package/tools/rmt-language/vnext-release.d.ts +29 -0
package/tools/rmt-language/vnext-release.js +293 -0
package/tools/rmt-language/vnext-remote-compatibility.d.ts +33 -0
package/tools/rmt-language/vnext-remote-compatibility.js +892 -0
package/tools/rmt-language/vnext-remote-compiler.d.ts +14 -0
package/tools/rmt-language/vnext-remote-compiler.js +520 -0
package/tools/rmt-language/vnext-remote-manifest.d.ts +33 -0
package/tools/rmt-language/vnext-remote-manifest.js +538 -0
package/tools/rmt-language/vnext-remote-security.d.ts +27 -0
package/tools/rmt-language/vnext-remote-security.js +380 -0
package/tools/rmt-language/vnext-remote-tooling.d.ts +25 -0
package/tools/rmt-language/vnext-remote-tooling.js +805 -0
package/tools/rmt-language/vnext-scheduler.d.ts +24 -0
package/tools/rmt-language/vnext-scheduler.js +469 -0
package/tools/rmt-language/vnext-security.d.ts +28 -0
package/tools/rmt-language/vnext-security.js +597 -0
package/tools/rmt-language/vnext-streaming.d.ts +28 -0
package/tools/rmt-language/vnext-streaming.js +593 -0
package/tools/rmt-language/vnext-surfaces.d.ts +24 -0
package/tools/rmt-language/vnext-surfaces.js +406 -0
package/tools/rmt-language/vnext-tooling.d.ts +25 -0
package/tools/rmt-language/vnext-tooling.js +728 -0
package/tools/rmt-language-server/protocol.d.ts +22 -0
package/tools/rmt-language-server/protocol.js +352 -0
package/tools/rmt-language-server/server.d.ts +15 -0
package/tools/rmt-language-server/server.js +622 -0
package/tools/rmt-linter/cli.d.ts +14 -0
package/tools/rmt-linter/cli.js +450 -0
package/tools/rmt-linter/reporter.d.ts +16 -0
package/tools/rmt-linter/reporter.js +472 -0
package/xtend-builder/README.md +83 -0
package/xtend-builder/a11y/README.md +42 -0
package/xtend-builder/a11y/component-a11y-profile.d.ts +14 -0
package/xtend-builder/a11y/component-a11y-profile.js +314 -0
package/xtend-builder/blueprints/README.md +105 -0
package/xtend-builder/blueprints/component-blueprint.contract.d.ts +16 -0
package/xtend-builder/blueprints/component-blueprint.contract.js +343 -0
package/xtend-builder/builder-public-types.d.ts +234 -0
package/xtend-builder/extensions/README.md +26 -0
package/xtend-builder/extensions/component-extension-points.d.ts +11 -0
package/xtend-builder/extensions/component-extension-points.js +277 -0
package/xtend-builder/generators/README.md +149 -0
package/xtend-builder/generators/component-files.d.ts +5 -0
package/xtend-builder/generators/component-files.js +769 -0
package/xtend-builder/generators/component-plan.d.ts +4 -0
package/xtend-builder/generators/component-plan.js +104 -0
package/xtend-builder/generators/registry.d.ts +6 -0
package/xtend-builder/generators/registry.js +118 -0
package/xtend-builder/generators/rmt-build.js +738 -0
package/xtend-builder/generators/rmt-lifecycle-demo.js +922 -0
package/xtend-builder/lib/cli.d.ts +9 -0
package/xtend-builder/lib/cli.js +543 -0
package/xtend-builder/lib/layout.d.ts +6 -0
package/xtend-builder/lib/layout.js +153 -0
package/xtend-builder/lib/package-resolver.js +25 -0
package/xtend-builder/package.json +90 -0
package/xtend-builder/performance/README.md +31 -0
package/xtend-builder/performance/component-performance-profile.d.ts +11 -0
package/xtend-builder/performance/component-performance-profile.js +347 -0
package/xtend-builder/performance/component-ux-performance-contract.d.ts +27 -0
package/xtend-builder/performance/component-ux-performance-contract.js +424 -0
package/xtend-builder/preview/README.md +61 -0
package/xtend-builder/preview/component-lab-ux-inspector.d.ts +20 -0
package/xtend-builder/preview/component-lab-ux-inspector.js +448 -0
package/xtend-builder/preview/component-lab.d.ts +14 -0
package/xtend-builder/preview/component-lab.js +278 -0
package/xtend-builder/preview/component-preview.d.ts +5 -0
package/xtend-builder/preview/component-preview.js +160 -0
package/xtend-builder/scaffold.config.d.ts +4 -0
package/xtend-builder/scaffold.config.js +2056 -0
package/xtend-builder/scaffold.d.ts +3 -0
package/xtend-builder/scaffold.js +11 -0
package/xtend-builder/templates/README.md +33 -0
package/xtend-builder/templates/component/a11y.template.ts +11 -0
package/xtend-builder/templates/component/component-suite.template.d.ts +2 -0
package/xtend-builder/templates/component/component-suite.template.js +108 -0
package/xtend-builder/templates/component/contract.template.ts +10 -0
package/xtend-builder/templates/component/demo-plan.template.md +73 -0
package/xtend-builder/templates/component/docs.template.md +301 -0
package/xtend-builder/templates/component/fixture-data.template.ts +28 -0
package/xtend-builder/templates/component/fixture.template.html +37 -0
package/xtend-builder/templates/component/manifest-plan.template.json +22 -0
package/xtend-builder/templates/component/performance.template.ts +13 -0
package/xtend-builder/templates/component/rmt.template.ts +12 -0
package/xtend-builder/templates/component/source.template.d.ts +2 -0
package/xtend-builder/templates/component/source.template.js +137 -0
package/xtend-builder/templates/component/source.template.ts +110 -0
package/xtend-builder/templates/component/types.template.d.ts +423 -0
package/xtend-builder/templates/loader.d.ts +4 -0
package/xtend-builder/templates/loader.js +51 -0
package/xtend-builder/templates/registry.d.ts +6 -0
package/xtend-builder/templates/registry.js +119 -0
package/xtend-builder/typing/README.md +130 -0
package/xtend-builder/typing/component-contract-v2.d.ts +15 -0
package/xtend-builder/typing/component-contract-v2.js +248 -0
package/xtend-builder/typing/component-network-contract.d.ts +22 -0
package/xtend-builder/typing/component-network-contract.js +478 -0
package/xtend-builder/typing/component-shell-contract.d.ts +21 -0
package/xtend-builder/typing/component-shell-contract.js +312 -0
package/xtend-builder/typing/component-styling-contract.d.ts +22 -0
package/xtend-builder/typing/component-styling-contract.js +301 -0
package/xtend-builder/typing/component-types.d.ts +10 -0
package/xtend-builder/typing/component-types.js +551 -0
package/xtend-builder/typing/enterprise-component-flex-hardening-contract.d.ts +20 -0
package/xtend-builder/typing/enterprise-component-flex-hardening-contract.js +332 -0
package/xtend-builder/typing/feedback-status-ux-contract.d.ts +25 -0
package/xtend-builder/typing/feedback-status-ux-contract.js +347 -0
package/xtend-builder/typing/form-controls-ux-contract.d.ts +25 -0
package/xtend-builder/typing/form-controls-ux-contract.js +357 -0
package/xtend-builder/typing/layout-display-media-ux-contract.d.ts +25 -0
package/xtend-builder/typing/layout-display-media-ux-contract.js +420 -0
package/xtend-builder/typing/navigation-routing-ux-contract.d.ts +17 -0
package/xtend-builder/typing/navigation-routing-ux-contract.js +297 -0
package/xtend-builder/typing/overlay-interaction-ux-contract.d.ts +25 -0
package/xtend-builder/typing/overlay-interaction-ux-contract.js +383 -0
package/xtend-builder/typing/rmt-dsl-authoring-polish.d.ts +27 -0
package/xtend-builder/typing/rmt-dsl-authoring-polish.js +419 -0
package/xtend-builder/typing/rmt-shell-authoring-contract.d.ts +26 -0
package/xtend-builder/typing/rmt-shell-authoring-contract.js +315 -0
package/xtend-builder/utils/README.md +8 -0
package/xtend-builder/utils/naming.d.ts +7 -0
package/xtend-builder/utils/naming.js +36 -0
package/xtend-builder/utils/validation.d.ts +5 -0
package/xtend-builder/utils/validation.js +95 -0
package/xtend-builder/wiring/README.md +46 -0
package/xtend-builder/wiring/features.d.ts +5 -0
package/xtend-builder/wiring/features.js +165 -0
package/xtend-builder/wiring/hydration.d.ts +4 -0
package/xtend-builder/wiring/hydration.js +44 -0
package/xtend-builder/wiring/manifest.d.ts +5 -0
package/xtend-builder/wiring/manifest.js +48 -0
package/xtend-builder/workflows/README.md +47 -0
package/xtend-builder/workflows/developer-workflow.d.ts +6 -0
package/xtend-builder/workflows/developer-workflow.js +125 -0
package/xtend-builder/writing/manifest-patcher.d.ts +49 -0
package/xtend-builder/writing/manifest-patcher.js +391 -0
package/xtend-builder/writing/write-plan.d.ts +148 -0
package/xtend-builder/writing/write-plan.js +646 -0
package/xtend-dev.d.ts +23 -0
package/xtend-dev.js +4 -0
package/xtend-loader.d.ts +201 -0
package/xtend-loader.js +1704 -0
package/xtend.css +402 -0
package/xtendrmt/package.json +64 -0
package/xtendrmt/rmt-core.d.ts +4452 -0
package/xtendrmt/rmt-core.esm.js +25793 -0
package/xtendrmt/rmt-first-demo-app.js +265 -0
package/xtendrmt/rmt-first-demo-app.rmt +737 -0
package/xtendrmt/rmt-lifecycle-demo.app.js +493 -0
package/xtendrmt/rmt-lifecycle-demo.core.json +810 -0
package/xtendrmt/rmt-lifecycle-demo.rmt +35 -0
package/xtendrmt/rmt-lifecycle-demo.rmt-build.app.js +153 -0
package/xtendrmt/rmt-lifecycle-demo.rmt-build.core.json +810 -0
package/xtendrmt/rmt-lifecycle-demo.rmt-build.scaffold.json +202 -0
package/xtendrmt/rmt-lifecycle-demo.scaffold.json +187 -0
package/xtendrmt/rmt-manifest.json +548 -0
package/xtendrmt/rmt-runtime.browser.js +26183 -0
package/xtendrmt/rmt-runtime.esm.js +26214 -0
package/xtendrmt/rmt-vnext-enterprise-mfe-demo.core.json +849 -0
package/xtendrmt/rmt-vnext-enterprise-mfe-demo.rmt +50 -0
package/xtendrmt/rmt-vnext-reference-demo.core.json +1069 -0
package/xtendrmt/rmt-vnext-reference-demo.rmt +50 -0
package/xtendrmt/rmt.schema.json +3145 -0
package/xtendrmt/surface-workbench.js +316 -0
package/xtendrmt/surface-workbench.rmt +762 -0
package/xtendrmt/xtendrmt-bestcase-demo.core.json +1187 -0
package/xtendrmt/xtendrmt-bestcase-demo.js +1728 -0
package/xtendrmt/xtendrmt-bestcase-demo.rmt +57 -0

package/security/README.md ADDED Viewed

@@ -0,0 +1,54 @@
+# XTend Security Contracts
+Status: introduced with ER-WP-29 and extended with ER-WP-30 and ER-WP-28
+## Purpose
+`security/` holds repo-local, machine-readable security contracts. These modules are policy surfaces, not runtime sanitizers.
+## Manifest Import Policy
+`manifest-import-policy.js` exposes:
+- `xtend.security.loader-policy.v1`
+- `xtend.security.manifest-policy.v1`
+- `xtend.security.import-policy.v1`
+- `xtend.security.manifest-import-gate.v1`
+The policy classifies Manifest URLs, Manifest Records and dynamic module URLs as local allowed imports or refused security boundaries. It is mirrored by `xtend-loader.js` for runtime Refusals and by `tests/security/manifest_import_policy_suite.js` for local gates.
+## Trusted DOM
+`trusted-dom-policy.js` exposes:
+- `xtend.security.trusted-dom-policy.v1`
+- `xtend.security.sanitizing-boundary.v1`
+- `xtend.security.markup-classification.v1`
+- `xtend.security.trusted-dom-sink.v1`
+The policy classifies text, attributes, structured templates, RMT `html_fragment` and Parsedown HTML, then maps them to allowed, restricted or forbidden DOM sinks.
+## Supply Chain
+`supply-chain-gate-policy.js` exposes:
+- `xtend.security.supply-chain-gate-plan.v1`
+- `xtend.security.dependency-audit-gate.v1`
+- `xtend.security.license-policy.v1`
+- `xtend.security.vulnerability-policy.v1`
+- `xtend.security.release-supply-chain-gate.v1`
+The policy defines the offline local gate, planned CI audit commands, license rules, vulnerability thresholds and publish boundary for later release automation.
+## Gates
+```bash
+node --check security/trusted-dom-policy.js
+node --check security/supply-chain-gate-policy.js
+node --check security/manifest-import-policy.js
+node scripts/verify_manifest_import_policy.js --json
+node scripts/verify_supply_chain_policy.js --json
+node scripts/run_xtend_tests.js manifest-import-policy --json
+node scripts/run_xtend_tests.js supply-chain --json
+node scripts/run_xtend_tests.js references --json
+```

package/security/manifest-import-policy.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+export * from '../fabric/xtend-policy-public-types';
+import type {
+  XtendPolicyConstant,
+  XtendPolicyOptions,
+  XtendSecurityClassification
+} from '../fabric/xtend-policy-public-types';
+export interface XtendManifestImportPolicy {
+  schema: string;
+  loaderPolicy: string;
+  manifestPolicy: string;
+  importPolicy: string;
+  mode: string;
+  allowedProtocols: string[];
+  refusedProtocols: string[];
+  localHosts: string[];
+  manifestExtensions: string[];
+  moduleExtensions: string[];
+  reservedBootstrapKeys: string[];
+  diagnostics: string[];
+  rules: Record<string, string>;
+}
+export interface XtendNormalizedManifest extends XtendSecurityClassification {
+  entries: Record<string, string>;
+}
+export declare const ALLOWED_IMPORT_PROTOCOLS: XtendPolicyConstant<string[]>;
+export declare const ALLOWED_MANIFEST_EXTENSIONS: XtendPolicyConstant<string[]>;
+export declare const ALLOWED_MODULE_EXTENSIONS: XtendPolicyConstant<string[]>;
+export declare const CUSTOM_ELEMENT_NAME_PATTERN: XtendPolicyConstant<RegExp>;
+export declare const IMPORT_POLICY_CONTRACT: XtendPolicyConstant<string>;
+export declare const LOADER_POLICY_CONTRACT: XtendPolicyConstant<string>;
+export declare const LOCAL_HOSTS: XtendPolicyConstant<string[]>;
+export declare const MANIFEST_IMPORT_GATE_CONTRACT: XtendPolicyConstant<string>;
+export declare const MANIFEST_POLICY_CONTRACT: XtendPolicyConstant<string>;
+export declare const REFUSED_PROTOCOLS: XtendPolicyConstant<string[]>;
+export declare const RESERVED_BOOTSTRAP_KEYS: XtendPolicyConstant<string[]>;
+export declare function classifyManifestRecord(key: string, record: unknown, options?: XtendPolicyOptions): XtendSecurityClassification;
+export declare function classifyPolicyUrl(value: string, options?: XtendPolicyOptions): XtendSecurityClassification;
+export declare function createManifestImportPolicy(options?: XtendPolicyOptions): XtendManifestImportPolicy;
+export declare function isAllowedManifestKey(key: string): boolean;
+export declare function normalizeManifest(rawManifest?: Record<string, unknown>, options?: XtendPolicyOptions): XtendNormalizedManifest;

package/security/manifest-import-policy.js ADDED Viewed

@@ -0,0 +1,260 @@
+const LOADER_POLICY_CONTRACT = 'xtend.security.loader-policy.v1';
+const MANIFEST_POLICY_CONTRACT = 'xtend.security.manifest-policy.v1';
+const IMPORT_POLICY_CONTRACT = 'xtend.security.import-policy.v1';
+const MANIFEST_IMPORT_GATE_CONTRACT = 'xtend.security.manifest-import-gate.v1';
+const LOCAL_HOSTS = ['localhost', '127.0.0.1', '0.0.0.0', '::1'];
+const ALLOWED_IMPORT_PROTOCOLS = ['http:', 'https:', 'file:'];
+const REFUSED_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'blob:'];
+const ALLOWED_MANIFEST_EXTENSIONS = ['.json'];
+const ALLOWED_MODULE_EXTENSIONS = ['.js', '.mjs'];
+const RESERVED_BOOTSTRAP_KEYS = ['xstate'];
+const CUSTOM_ELEMENT_NAME_PATTERN = /^[a-z][a-z0-9]*-[a-z0-9-]*[a-z0-9]$/;
+function clone(value) {
+  return JSON.parse(JSON.stringify(value));
+}
+function normalizeHostname(hostname = '') {
+  return String(hostname).replace(/^\[|\]$/g, '').toLowerCase();
+}
+function isLocalHost(hostname) {
+  return LOCAL_HOSTS.includes(normalizeHostname(hostname));
+}
+function createUrl(value, baseUrl) {
+  try {
+    return new URL(String(value), baseUrl);
+  } catch (_) {
+    return null;
+  }
+}
+function hasPathTraversal(url) {
+  try {
+    return decodeURIComponent(url.pathname).split('/').includes('..');
+  } catch (_) {
+    return true;
+  }
+}
+function hasTraversalLikeInput(value) {
+  try {
+    const pathPart = decodeURIComponent(String(value)).split(/[?#]/)[0];
+    return pathPart === '..' ||
+      pathPart.startsWith('../') ||
+      pathPart.includes('/../') ||
+      pathPart.endsWith('/..');
+  } catch (_) {
+    return true;
+  }
+}
+function hasAllowedExtension(url, kind) {
+  const pathname = url.pathname.toLowerCase();
+  const extensions = kind === 'manifest'
+    ? ALLOWED_MANIFEST_EXTENSIONS
+    : ALLOWED_MODULE_EXTENSIONS;
+  return extensions.some((extension) => pathname.endsWith(extension));
+}
+function classifyPolicyUrl(value, options = {}) {
+  const kind = options.kind || 'module';
+  const baseUrl = options.baseUrl || options.currentUrl || 'http://127.0.0.1/';
+  const currentUrl = createUrl(options.currentUrl || baseUrl, baseUrl);
+  const targetUrl = createUrl(value, baseUrl);
+  const diagnostics = [];
+  const source = options.source || kind;
+  if (!targetUrl || !currentUrl) {
+    diagnostics.push('xtend.security.import.refused.invalid_url');
+  } else if (hasTraversalLikeInput(value)) {
+    diagnostics.push('xtend.security.import.refused.path_traversal');
+  } else if (REFUSED_PROTOCOLS.includes(targetUrl.protocol)) {
+    diagnostics.push('xtend.security.import.refused.protocol');
+  } else if (!ALLOWED_IMPORT_PROTOCOLS.includes(targetUrl.protocol)) {
+    diagnostics.push('xtend.security.import.refused.protocol');
+  } else if (hasPathTraversal(targetUrl)) {
+    diagnostics.push('xtend.security.import.refused.path_traversal');
+  } else if (!hasAllowedExtension(targetUrl, kind)) {
+    diagnostics.push(kind === 'manifest'
+      ? 'xtend.security.manifest.invalid.extension'
+      : 'xtend.security.import.refused.extension');
+  } else {
+    const sameOrigin = targetUrl.origin === currentUrl.origin;
+    const localLoopback = isLocalHost(targetUrl.hostname) && (
+      isLocalHost(currentUrl.hostname) ||
+      currentUrl.protocol === 'file:'
+    );
+    const localFile = targetUrl.protocol === 'file:' && currentUrl.protocol === 'file:';
+    if (!sameOrigin && !localLoopback && !localFile) {
+      diagnostics.push(kind === 'manifest'
+        ? 'xtend.security.loader.refused.external_manifest'
+        : 'xtend.security.import.refused.external_module');
+    }
+  }
+  return {
+    schema: IMPORT_POLICY_CONTRACT,
+    ok: diagnostics.length === 0,
+    kind,
+    source,
+    input: String(value),
+    url: targetUrl ? targetUrl.href : null,
+    local: targetUrl && currentUrl
+      ? targetUrl.origin === currentUrl.origin || isLocalHost(targetUrl.hostname) || targetUrl.protocol === 'file:'
+      : false,
+    diagnostics
+  };
+}
+function isAllowedManifestKey(key) {
+  if (RESERVED_BOOTSTRAP_KEYS.includes(key)) {
+    return true;
+  }
+  return CUSTOM_ELEMENT_NAME_PATTERN.test(key);
+}
+function getManifestRecordUrl(record) {
+  if (typeof record === 'string') {
+    return record;
+  }
+  if (record && typeof record === 'object') {
+    if (typeof record.url === 'string') return record.url;
+    if (typeof record.path === 'string') return record.path;
+  }
+  return null;
+}
+function dependenciesAreComponentIds(record) {
+  if (!record || typeof record !== 'object' || !Array.isArray(record.dependencies)) {
+    return true;
+  }
+  return record.dependencies.every((dependency) => (
+    typeof dependency === 'string' &&
+    isAllowedManifestKey(dependency) &&
+    !dependency.includes('/') &&
+    !dependency.includes(':')
+  ));
+}
+function classifyManifestRecord(key, record, options = {}) {
+  const diagnostics = [];
+  const normalizedKey = typeof key === 'string' ? key.trim() : '';
+  const recordUrl = getManifestRecordUrl(record);
+  if (!normalizedKey || normalizedKey !== normalizedKey.toLowerCase() || !isAllowedManifestKey(normalizedKey)) {
+    diagnostics.push('xtend.security.manifest.invalid.tag');
+  }
+  if (!recordUrl) {
+    diagnostics.push('xtend.security.manifest.invalid.url');
+  }
+  if (!dependenciesAreComponentIds(record)) {
+    diagnostics.push('xtend.security.manifest.invalid.dependencies');
+  }
+  const urlPolicy = recordUrl
+    ? classifyPolicyUrl(recordUrl, {
+      ...options,
+      kind: 'module',
+      source: normalizedKey || 'manifest-record'
+    })
+    : null;
+  if (urlPolicy && !urlPolicy.ok) {
+    diagnostics.push(...urlPolicy.diagnostics);
+  }
+  return {
+    schema: MANIFEST_POLICY_CONTRACT,
+    ok: diagnostics.length === 0,
+    key: normalizedKey,
+    url: urlPolicy ? urlPolicy.url : null,
+    source: 'manifest-record',
+    diagnostics
+  };
+}
+function normalizeManifest(rawManifest, options = {}) {
+  const diagnostics = [];
+  const entries = {};
+  if (!rawManifest || typeof rawManifest !== 'object' || Array.isArray(rawManifest)) {
+    return {
+      schema: MANIFEST_POLICY_CONTRACT,
+      ok: false,
+      entries,
+      diagnostics: ['xtend.security.manifest.invalid.shape']
+    };
+  }
+  Object.entries(rawManifest).forEach(([key, record]) => {
+    const classification = classifyManifestRecord(key, record, options);
+    if (classification.ok) {
+      entries[classification.key] = classification.url;
+    } else {
+      diagnostics.push({
+        key,
+        codes: classification.diagnostics
+      });
+    }
+  });
+  return {
+    schema: MANIFEST_POLICY_CONTRACT,
+    ok: diagnostics.length === 0,
+    entries,
+    diagnostics
+  };
+}
+function createManifestImportPolicy(options = {}) {
+  return {
+    schema: MANIFEST_IMPORT_GATE_CONTRACT,
+    loaderPolicy: LOADER_POLICY_CONTRACT,
+    manifestPolicy: MANIFEST_POLICY_CONTRACT,
+    importPolicy: IMPORT_POLICY_CONTRACT,
+    mode: options.mode || 'local-self-and-loopback-only',
+    allowedProtocols: clone(ALLOWED_IMPORT_PROTOCOLS),
+    refusedProtocols: clone(REFUSED_PROTOCOLS),
+    localHosts: clone(LOCAL_HOSTS),
+    manifestExtensions: clone(ALLOWED_MANIFEST_EXTENSIONS),
+    moduleExtensions: clone(ALLOWED_MODULE_EXTENSIONS),
+    reservedBootstrapKeys: clone(RESERVED_BOOTSTRAP_KEYS),
+    diagnostics: [
+      'xtend.security.loader.refused',
+      'xtend.security.manifest.invalid',
+      'xtend.security.import.refused'
+    ],
+    rules: {
+      manifestUrl: 'Must be same-origin, file-local or loopback-local JSON.',
+      moduleUrl: 'Must be same-origin, file-local or loopback-local JavaScript module.',
+      preload: 'Component IDs only; no free URLs.',
+      dependencies: 'Component IDs only; no URL-like dependency values.',
+      cdn: 'External CDN URLs are refused by default.'
+    }
+  };
+}
+module.exports = {
+  ALLOWED_IMPORT_PROTOCOLS,
+  ALLOWED_MANIFEST_EXTENSIONS,
+  ALLOWED_MODULE_EXTENSIONS,
+  CUSTOM_ELEMENT_NAME_PATTERN,
+  IMPORT_POLICY_CONTRACT,
+  LOADER_POLICY_CONTRACT,
+  LOCAL_HOSTS,
+  MANIFEST_IMPORT_GATE_CONTRACT,
+  MANIFEST_POLICY_CONTRACT,
+  REFUSED_PROTOCOLS,
+  RESERVED_BOOTSTRAP_KEYS,
+  classifyManifestRecord,
+  classifyPolicyUrl,
+  createManifestImportPolicy,
+  isAllowedManifestKey,
+  normalizeManifest
+};

package/security/supply-chain-gate-policy.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+export * from '../fabric/xtend-policy-public-types';
+import type {
+  XtendPolicyConstant,
+  XtendPolicyReport
+} from '../fabric/xtend-policy-public-types';
+export interface XtendSupplyChainGatePlan {
+  schema: string;
+  releaseGate: string;
+  localGate: string;
+  localCommands: string[];
+  ciNetworkGates: string[];
+  gates: Record<string, unknown>;
+  dependencySections: string[];
+  lockfileCandidates: string[];
+  scopedReleasePackages: Array<{ name: string; path: string; manifest: string; scope: string }>;
+  license: Record<string, unknown>;
+  vulnerabilities: Record<string, unknown>;
+  publishBoundary: Record<string, unknown>;
+}
+export interface XtendPackageSupplyChainReport extends XtendPolicyReport {
+  dependencyCount: number;
+  dependencies: Array<{ section: string; name: string; version: string }>;
+  lockfiles: string[];
+  hasLockfile: boolean;
+  privatePackage: boolean;
+  publicRcPackage: boolean;
+  packageLicense: string | null;
+}
+export declare const DEPENDENCY_AUDIT_GATE_CONTRACT: XtendPolicyConstant<string>;
+export declare const DEPENDENCY_SECTIONS: XtendPolicyConstant<string[]>;
+export declare const LICENSE_POLICY: XtendPolicyConstant<Record<string, unknown>>;
+export declare const LICENSE_POLICY_CONTRACT: XtendPolicyConstant<string>;
+export declare const LOCKFILE_CANDIDATES: XtendPolicyConstant<string[]>;
+export declare const SCOPED_RELEASE_PACKAGES: XtendPolicyConstant<Array<{ name: string; path: string; manifest: string; scope: string }>>;
+export declare const RELEASE_SUPPLY_CHAIN_GATE_CONTRACT: XtendPolicyConstant<string>;
+export declare const SUPPLY_CHAIN_GATE_PLAN_CONTRACT: XtendPolicyConstant<string>;
+export declare const SUPPLY_CHAIN_GATES: XtendPolicyConstant<Record<string, unknown>>;
+export declare const VULNERABILITY_POLICY: XtendPolicyConstant<Record<string, unknown>>;
+export declare const VULNERABILITY_POLICY_CONTRACT: XtendPolicyConstant<string>;
+export declare function classifyPackageSupplyChain(packageManifest?: Record<string, unknown>, lockfiles?: string[]): XtendPackageSupplyChainReport;
+export declare function createSupplyChainGatePlan(): XtendSupplyChainGatePlan;
+export declare function listDependencies(packageManifest?: Record<string, unknown>): Array<{ section: string; name: string; version: string }>;

package/security/supply-chain-gate-policy.js ADDED Viewed

@@ -0,0 +1,249 @@
+const SUPPLY_CHAIN_GATE_PLAN_CONTRACT = 'xtend.security.supply-chain-gate-plan.v1';
+const DEPENDENCY_AUDIT_GATE_CONTRACT = 'xtend.security.dependency-audit-gate.v1';
+const LICENSE_POLICY_CONTRACT = 'xtend.security.license-policy.v1';
+const VULNERABILITY_POLICY_CONTRACT = 'xtend.security.vulnerability-policy.v1';
+const RELEASE_SUPPLY_CHAIN_GATE_CONTRACT = 'xtend.security.release-supply-chain-gate.v1';
+const DEPENDENCY_SECTIONS = [
+  'dependencies',
+  'devDependencies',
+  'optionalDependencies',
+  'peerDependencies'
+];
+const LOCKFILE_CANDIDATES = [
+  'package-lock.json',
+  'npm-shrinkwrap.json',
+  'pnpm-lock.yaml',
+  'yarn.lock'
+];
+const SCOPED_RELEASE_PACKAGES = Object.freeze([
+  {
+    name: '@ccslabs/xtend',
+    path: '.',
+    manifest: 'package.json',
+    scope: 'complete-stack'
+  },
+  {
+    name: '@ccslabs/xtend-rmt',
+    path: 'xtendrmt',
+    manifest: 'xtendrmt/package.json',
+    scope: 'rmt-runtime'
+  },
+  {
+    name: '@ccslabs/xtend-fabric',
+    path: 'fabric',
+    manifest: 'fabric/package.json',
+    scope: 'fabric-runtime'
+  },
+  {
+    name: '@ccslabs/xtend-cli',
+    path: 'xtend-builder',
+    manifest: 'xtend-builder/package.json',
+    scope: 'builder-cli'
+  },
+  {
+    name: '@ccslabs/xtend-compiler',
+    path: 'tools',
+    manifest: 'tools/package.json',
+    scope: 'rmt-compiler-tooling'
+  }
+]);
+const LICENSE_POLICY = {
+  currentPackageLicense: 'Apache-2.0',
+  projectLicenseDecision: 'accepted-apache-2.0',
+  privatePackageAllowedLicenses: ['Apache-2.0'],
+  publicReleaseRequiresLicenseDecision: false,
+  publicReleaseLicenseDecision: 'accepted-apache-2.0',
+  allowedDependencyLicenses: [
+    'Apache-2.0',
+    'BSD-2-Clause',
+    'BSD-3-Clause',
+    'ISC',
+    'MIT',
+    'MPL-2.0',
+    'Unicode-DFS-2016'
+  ],
+  reviewRequiredLicenses: [
+    'BlueOak-1.0.0',
+    'CC-BY-4.0',
+    'CC0-1.0',
+    'LGPL-2.1-only',
+    'LGPL-2.1-or-later',
+    'LGPL-3.0-only',
+    'LGPL-3.0-or-later'
+  ],
+  forbiddenDependencyLicenses: [
+    'AGPL-1.0-only',
+    'AGPL-1.0-or-later',
+    'AGPL-3.0-only',
+    'AGPL-3.0-or-later',
+    'GPL-2.0-only',
+    'GPL-2.0-or-later',
+    'GPL-3.0-only',
+    'GPL-3.0-or-later',
+    'UNLICENSED'
+  ]
+};
+const VULNERABILITY_POLICY = {
+  productionAuditLevel: 'moderate',
+  developmentAuditLevel: 'high',
+  publishBlockingSeverities: ['critical', 'high'],
+  zeroCriticalForAnyRelease: true,
+  noKnownExploitForReleaseCandidate: true,
+  networkAuditStage: 'ci-release-gate',
+  localGateMode: 'offline-policy-and-inventory'
+};
+const SUPPLY_CHAIN_GATES = [
+  {
+    id: 'dependency-inventory',
+    contract: DEPENDENCY_AUDIT_GATE_CONTRACT,
+    stage: 'local',
+    command: 'node scripts/verify_supply_chain_policy.js --json',
+    mode: 'offline-static',
+    blocksPublish: true
+  },
+  {
+    id: 'license-policy',
+    contract: LICENSE_POLICY_CONTRACT,
+    stage: 'local',
+    command: 'node scripts/verify_supply_chain_policy.js --json',
+    mode: 'offline-static',
+    blocksPublish: true
+  },
+  {
+    id: 'vulnerability-policy',
+    contract: VULNERABILITY_POLICY_CONTRACT,
+    stage: 'ci',
+    command: 'npm audit --audit-level=moderate',
+    mode: 'network-audit',
+    blocksPublish: true
+  },
+  {
+    id: 'release-report',
+    contract: RELEASE_SUPPLY_CHAIN_GATE_CONTRACT,
+    stage: 'local',
+    command: 'npm run release:report',
+    mode: 'offline-test-report',
+    blocksPublish: true
+  },
+  {
+    id: 'pack-provenance-dry-run',
+    contract: RELEASE_SUPPLY_CHAIN_GATE_CONTRACT,
+    stage: 'local',
+    command: 'npm run pack:dry-run',
+    mode: 'offline-package-surface',
+    blocksPublish: true
+  }
+];
+function clone(value) {
+  return JSON.parse(JSON.stringify(value));
+}
+function listDependencies(packageManifest = {}) {
+  return DEPENDENCY_SECTIONS.flatMap((section) => {
+    const entries = packageManifest[section] && typeof packageManifest[section] === 'object'
+      ? Object.entries(packageManifest[section])
+      : [];
+    return entries.map(([name, version]) => ({
+      name,
+      version,
+      section
+    }));
+  });
+}
+function createSupplyChainGatePlan(options = {}) {
+  return {
+    schema: SUPPLY_CHAIN_GATE_PLAN_CONTRACT,
+    dependencyAuditGate: DEPENDENCY_AUDIT_GATE_CONTRACT,
+    licensePolicy: LICENSE_POLICY_CONTRACT,
+    vulnerabilityPolicy: VULNERABILITY_POLICY_CONTRACT,
+    releaseGate: RELEASE_SUPPLY_CHAIN_GATE_CONTRACT,
+    mode: options.mode || 'plan-and-offline-local-gate',
+    localGate: 'node scripts/verify_supply_chain_policy.js --json',
+    packageScript: 'npm run test:supply-chain',
+    releaseScripts: [
+      'npm test',
+      'npm run test:supply-chain',
+      'npm run release:report',
+      'npm run pack:dry-run'
+    ],
+    ciNetworkGates: [
+      'npm audit --audit-level=moderate',
+      'npm sbom --sbom-format=cyclonedx --json'
+    ],
+    gates: clone(SUPPLY_CHAIN_GATES),
+    dependencySections: clone(DEPENDENCY_SECTIONS),
+    lockfileCandidates: clone(LOCKFILE_CANDIDATES),
+    scopedReleasePackages: clone(SCOPED_RELEASE_PACKAGES),
+    license: clone(LICENSE_POLICY),
+    vulnerabilities: clone(VULNERABILITY_POLICY),
+    publishBoundary: {
+      privateUntil: ['ER-WP-30', 'ER-WP-36', 'ER-WP-38'],
+      currentPublishState: 'owner-approved-public-rc-boundary',
+      provenanceRequired: true,
+      publicReleaseRequiresLicenseDecision: false,
+      licenseDecision: 'accepted-apache-2.0'
+    }
+  };
+}
+function classifyPackageSupplyChain(packageManifest = {}, lockfiles = []) {
+  const dependencies = listDependencies(packageManifest);
+  const hasDependencies = dependencies.length > 0;
+  const hasLockfile = Array.isArray(lockfiles) && lockfiles.length > 0;
+  const diagnostics = [];
+  if (hasDependencies && !hasLockfile) {
+    diagnostics.push('xtend.security.supply_chain.lockfile.missing');
+  }
+  if (packageManifest.private !== false) {
+    diagnostics.push('xtend.security.supply_chain.private_boundary.missing');
+  }
+  if (packageManifest.license === 'UNLICENSED' && packageManifest.private !== true) {
+    diagnostics.push('xtend.security.supply_chain.public_license.missing');
+  }
+  if (!packageManifest.publishConfig || packageManifest.publishConfig.provenance !== true) {
+    diagnostics.push('xtend.security.supply_chain.provenance.missing');
+  }
+  return {
+    schema: DEPENDENCY_AUDIT_GATE_CONTRACT,
+    ok: diagnostics.length === 0,
+    dependencyCount: dependencies.length,
+    dependencies,
+    lockfiles,
+    hasLockfile,
+    privatePackage: packageManifest.private === true,
+    publicRcPackage: packageManifest.private === false,
+    packageLicense: packageManifest.license || null,
+    diagnostics
+  };
+}
+module.exports = {
+  DEPENDENCY_AUDIT_GATE_CONTRACT,
+  DEPENDENCY_SECTIONS,
+  LICENSE_POLICY,
+  LICENSE_POLICY_CONTRACT,
+  LOCKFILE_CANDIDATES,
+  SCOPED_RELEASE_PACKAGES,
+  RELEASE_SUPPLY_CHAIN_GATE_CONTRACT,
+  SUPPLY_CHAIN_GATE_PLAN_CONTRACT,
+  SUPPLY_CHAIN_GATES,
+  VULNERABILITY_POLICY,
+  VULNERABILITY_POLICY_CONTRACT,
+  classifyPackageSupplyChain,
+  createSupplyChainGatePlan,
+  listDependencies
+};

package/security/trusted-dom-policy.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+export * from '../fabric/xtend-policy-public-types';
+import type {
+  XtendPolicyConstant,
+  XtendPolicyOptions,
+  XtendSecurityClassification
+} from '../fabric/xtend-policy-public-types';
+export interface XtendTrustedDomPolicy {
+  schema: string;
+  trustedDomPolicy: string;
+  sanitizerPolicy: string;
+  parsedownDocsPolicy: string;
+  rmtTemplatePolicy: string;
+  sinks: Record<string, unknown>;
+  markupClasses: Record<string, unknown>;
+  urlAttributes: Record<string, unknown>;
+  [key: string]: unknown;
+}
+export declare const DOM_SINKS: XtendPolicyConstant<Record<string, unknown>>;
+export declare const MARKUP_CLASSES: XtendPolicyConstant<Record<string, unknown>>;
+export declare const MARKUP_CLASSIFICATION_CONTRACT: XtendPolicyConstant<string>;
+export declare const PARSEDOWN_DOCS_POLICY: XtendPolicyConstant<string>;
+export declare const RMT_TEMPLATE_POLICY: XtendPolicyConstant<string>;
+export declare const SANITIZING_BOUNDARY_CONTRACT: XtendPolicyConstant<string>;
+export declare const TRUSTED_DOM_SANITIZER_CONTRACT: XtendPolicyConstant<string>;
+export declare const TRUSTED_DOM_SANITIZER_POLICY: XtendPolicyConstant<string>;
+export declare const TRUSTED_DOM_POLICY_CONTRACT: XtendPolicyConstant<string>;
+export declare const TRUSTED_DOM_SINK_CONTRACT: XtendPolicyConstant<string>;
+export declare const URL_ATTRIBUTE_POLICY: XtendPolicyConstant<string>;
+export declare function classifyTrustedDomUse(input?: XtendPolicyOptions): XtendSecurityClassification;
+export declare function getMarkupClass(markupClass: string): Record<string, unknown> | null;
+export declare function getSinkPolicy(sink: string): Record<string, unknown> | null;
+export declare function getTrustedDomPolicy(options?: XtendPolicyOptions): XtendTrustedDomPolicy;
+export declare function isAllowedTrustedDomUrl(value: string, options?: XtendPolicyOptions): boolean;
+export declare function sanitizeTrustedDomHtml(value: string, options?: XtendPolicyOptions): string;