npm - @endo/compartment-mapper - Versions diffs - 1.6.3 → 2.0.0 - Mend

@endo/compartment-mapper 1.6.3 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/package.json +12 -16
package/src/archive-lite.d.ts +7 -7
package/src/archive-lite.d.ts.map +1 -1
package/src/archive-lite.js +78 -27
package/src/archive.d.ts.map +1 -1
package/src/archive.js +7 -0
package/src/bundle-lite.d.ts +3 -3
package/src/bundle-lite.d.ts.map +1 -1
package/src/bundle-lite.js +19 -24
package/src/bundle.d.ts +3 -3
package/src/bundle.d.ts.map +1 -1
package/src/bundle.js +19 -24
package/src/capture-lite.d.ts +2 -2
package/src/capture-lite.d.ts.map +1 -1
package/src/capture-lite.js +217 -25
package/src/compartment-map.d.ts +9 -2
package/src/compartment-map.d.ts.map +1 -1
package/src/compartment-map.js +737 -254
package/src/digest.d.ts +22 -2
package/src/digest.d.ts.map +1 -1
package/src/digest.js +179 -56
package/src/generic-graph.d.ts.map +1 -1
package/src/generic-graph.js +8 -3
package/src/guards.d.ts +18 -0
package/src/guards.d.ts.map +1 -0
package/src/guards.js +109 -0
package/src/hooks.md +124 -0
package/src/import-archive-lite.d.ts.map +1 -1
package/src/import-archive-lite.js +15 -11
package/src/import-archive.d.ts +5 -19
package/src/import-archive.d.ts.map +1 -1
package/src/import-archive.js +7 -27
package/src/import-hook.d.ts +4 -3
package/src/import-hook.d.ts.map +1 -1
package/src/import-hook.js +138 -69
package/src/import-lite.d.ts +6 -6
package/src/import-lite.d.ts.map +1 -1
package/src/import-lite.js +8 -5
package/src/import.d.ts +3 -3
package/src/import.d.ts.map +1 -1
package/src/import.js +16 -6
package/src/infer-exports.d.ts.map +1 -1
package/src/infer-exports.js +16 -6
package/src/link.d.ts +4 -3
package/src/link.d.ts.map +1 -1
package/src/link.js +70 -58
package/src/node-modules.d.ts +4 -3
package/src/node-modules.d.ts.map +1 -1
package/src/node-modules.js +482 -114
package/src/parse-cjs-shared-export-wrapper.d.ts.map +1 -1
package/src/parse-cjs-shared-export-wrapper.js +3 -1
package/src/policy-format.d.ts +22 -5
package/src/policy-format.d.ts.map +1 -1
package/src/policy-format.js +342 -108
package/src/policy.d.ts +13 -28
package/src/policy.d.ts.map +1 -1
package/src/policy.js +161 -106
package/src/types/canonical-name.d.ts +97 -0
package/src/types/canonical-name.d.ts.map +1 -0
package/src/types/canonical-name.ts +151 -0
package/src/types/compartment-map-schema.d.ts +114 -35
package/src/types/compartment-map-schema.d.ts.map +1 -1
package/src/types/compartment-map-schema.ts +202 -37
package/src/types/external.d.ts +168 -28
package/src/types/external.d.ts.map +1 -1
package/src/types/external.ts +215 -26
package/src/types/internal.d.ts +23 -42
package/src/types/internal.d.ts.map +1 -1
package/src/types/internal.ts +51 -50
package/src/types/node-modules.d.ts +71 -10
package/src/types/node-modules.d.ts.map +1 -1
package/src/types/node-modules.ts +107 -9
package/src/types/policy-schema.d.ts +26 -11
package/src/types/policy-schema.d.ts.map +1 -1
package/src/types/policy-schema.ts +29 -16
package/src/types/policy.d.ts +6 -2
package/src/types/policy.d.ts.map +1 -1
package/src/types/policy.ts +7 -2
package/src/types/typescript.d.ts +28 -0
package/src/types/typescript.d.ts.map +1 -1
package/src/types/typescript.ts +37 -1

package/src/parse-cjs-shared-export-wrapper.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parse-cjs-shared-export-wrapper.d.ts","sourceRoot":"","sources":["parse-cjs-shared-export-wrapper.js"],"names":[],"mappings":"AA0CO,2CAPI,UAAU,GAAG,MAAM,GAAG,SAAS,YAC/B,MAAM,GACJ;IACR,QAAQ,EAAC,MAAM,GAAC,IAAI,CAAC;IACrB,OAAO,EAAE,MAAM,GAAC,IAAI,CAAA;CACrB,CAgCH;AAmBM,uGAZJ;IAAmB,uBAAuB,EAAlC,MAAM;IACU,WAAW,EAA3B,WAAW;IACgB,eAAe,EAA1C,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IACX,QAAQ,EAAnB,MAAM;IAC8B,UAAU,EAA9C,MAAM,GAAG,UAAU,GAAG,SAAS;CACvC,GAAU;IACR,MAAM,EAAE;QAAE,OAAO,EAAE,GAAG,CAAA;KAAE,CAAC;IACzB,aAAa,EAAE,GAAG,CAAC;IACnB,YAAY,WAAW;IACvB,OAAO,WAAW;CACnB,~~CA+IH~~;~~gCAhOqC~~,YAAY;4BAAZ,YAAY"}
1	+ {"version":3,"file":"parse-cjs-shared-export-wrapper.d.ts","sourceRoot":"","sources":["parse-cjs-shared-export-wrapper.js"],"names":[],"mappings":"AA0CO,2CAPI,UAAU,GAAG,MAAM,GAAG,SAAS,YAC/B,MAAM,GACJ;IACR,QAAQ,EAAC,MAAM,GAAC,IAAI,CAAC;IACrB,OAAO,EAAE,MAAM,GAAC,IAAI,CAAA;CACrB,CAgCH;AAmBM,uGAZJ;IAAmB,uBAAuB,EAAlC,MAAM;IACU,WAAW,EAA3B,WAAW;IACgB,eAAe,EAA1C,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IACX,QAAQ,EAAnB,MAAM;IAC8B,UAAU,EAA9C,MAAM,GAAG,UAAU,GAAG,SAAS;CACvC,GAAU;IACR,MAAM,EAAE;QAAE,OAAO,EAAE,GAAG,CAAA;KAAE,CAAC;IACzB,aAAa,EAAE,GAAG,CAAC;IACnB,YAAY,WAAW;IACvB,OAAO,WAAW;CACnB,CAiJH;gCAlOqC,YAAY;4BAAZ,YAAY"}

package/src/parse-cjs-shared-export-wrapper.js CHANGED Viewed

@@ -219,7 +219,9 @@ export const wrap = ({
       }
     } else {
       for (const prop of redefined) {
-        moduleEnvironmentRecord[prop] = moduleEnvironmentRecord.default[prop];
+        if (prop !== 'default') {
+          moduleEnvironmentRecord[prop] = moduleEnvironmentRecord.default[prop];
+        }
       }
     }
   };

package/src/policy-format.d.ts CHANGED Viewed

@@ -1,10 +1,27 @@
+/**
+ * Const string to identify the internal attenuators compartment
+ */
+export const ATTENUATORS_COMPARTMENT: "<ATTENUATORS>";
+export const ENTRY_COMPARTMENT: "$root$";
+export function generateCanonicalName({ isEntry, name, path }: PackageNamingKit): string;
 export const WILDCARD_POLICY_VALUE: "any";
-export function policyLookupHelper(packagePolicy: import("./types.js").PackagePolicy, field: "builtins" | "globals" | "packages", itemName: string): boolean | import("./types.js").AttenuationDefinition;
-export function isAllowingEverything(policyValue: unknown): policyValue is import("./types.js").WildcardPolicy;
-export function isAttenuationDefinition(allegedDefinition: unknown): allegedDefinition is import("./types.js").AttenuationDefinition;
-export function getAttenuatorFromDefinition(attenuationDefinition: import("./types.js").AttenuationDefinition): import("./types.js").UnifiedAttenuationDefinition;
-export function assertPackagePolicy(allegedPackagePolicy: unknown, path: string, url?: string): asserts allegedPackagePolicy is SomePackagePolicy | undefined;
+export function policyLookupHelper(packagePolicy: PackagePolicy, field: PolicyEnforcementField, canonicalName: string): boolean | AttenuationDefinition;
+export function isAllowingEverything(policyValue: unknown): policyValue is WildcardPolicy;
+/**
+ * Type guard for `AttenuationDefinition`
+ */
+export const isAttenuationDefinition: (value: unknown) => value is FullAttenuationDefinition | ImplicitAttenuationDefinition;
+export function getAttenuatorFromDefinition(attenuationDefinition: AttenuationDefinition): UnifiedAttenuationDefinition;
+export function assertPackagePolicy(allegedPackagePolicy: unknown, keypath: string, url?: string): asserts allegedPackagePolicy is SomePackagePolicy | undefined;
 export function assertPolicy(allegedPolicy: unknown): asserts allegedPolicy is (SomePolicy | undefined);
+import type { PackageNamingKit } from './types.js';
+import type { PackagePolicy } from './types.js';
+import type { PolicyEnforcementField } from './types.js';
+import type { AttenuationDefinition } from './types.js';
+import type { WildcardPolicy } from './types.js';
+import type { FullAttenuationDefinition } from './types.js';
+import type { ImplicitAttenuationDefinition } from './types.js';
+import type { UnifiedAttenuationDefinition } from './types.js';
 import type { SomePackagePolicy } from './types.js';
 import type { SomePolicy } from './types.js';
 //# sourceMappingURL=policy-format.d.ts.map

package/src/policy-format.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"policy-format.d.ts","sourceRoot":"","sources":["policy-format.js"],"names":[],"mappings":"~~AAeA~~,~~oCAAqC~~,~~KAAK~~,CAAC;~~AAepC~~,~~kDALI~~,~~OAAO~~,~~YAAY~~,~~EAAE~~,~~aAAa~~,~~SAClC~~,~~UAAU~~,~~GAAC~~,~~SAAS~~,~~GAAC~~,~~UAAU~~,~~YAC/B~~,MAAM,GACJ,OAAO,GAAG,~~OAAO,YAAY,EAAE,~~qBAAqB,~~CAyBhE~~;AAQM,kDAHI,OAAO,GACL,WAAW,IAAI,~~OAAO,YAAY,EAAE,~~cAAc,~~CAGxB~~;~~AAOhC~~,~~2DAHI,OAAO,GACL,iBAAiB,IAAI,OAAO,YAAY,EAAE,qBAAqB,CAS3E~~;~~AAOM~~,mEAHI,~~OAAO,YAAY,EAAE,~~qBAAqB,~~GACxC~~,~~OAAO,YAAY,EAAE,~~4BAA4B,~~CAuB7D~~;~~AA0CM~~,0DALI,OAAO,~~QACP~~,MAAM,QACN,MAAM,GACJ,QAAQ,oBAAoB,IAAI,iBAAiB,GAAC,SAAS,~~CA4DvE~~;AAUM,4CAHI,OAAO,GACL,QAAQ,aAAa,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,~~CAgC7D~~;~~uCA7OgD~~,YAAY;gCAAZ,YAAY"}
1	+ {"version":3,"file":"policy-format.d.ts","sourceRoot":"","sources":["policy-format.js"],"names":[],"mappings":"AA8BA;;GAEG;AACH,sCAAuC,eAAe,CAAC;AAEvD,gCAAiC,QAAQ,CAAC;AAmBnC,+DAJI,gBAAgB,GACd,MAAM,CAWlB;AAED,oCAAqC,KAAK,CAAC;AAqEpC,kDALI,aAAa,SACb,sBAAsB,iBACtB,MAAM,GACJ,OAAO,GAAG,qBAAqB,CA2B3C;AAQM,kDAHI,OAAO,GACL,WAAW,IAAI,cAAc,CAGH;AA6EvC;;GAEG;AACH,6HAGG;AAQI,mEAHI,qBAAqB,GACnB,4BAA4B,CAwBxC;AAqGM,0DALI,OAAO,WACP,MAAM,QACN,MAAM,GACJ,QAAQ,oBAAoB,IAAI,iBAAiB,GAAC,SAAS,CA0DvE;AAUM,4CAHI,OAAO,GACL,QAAQ,aAAa,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,CAiC7D;sCAvcQ,YAAY;mCAAZ,YAAY;4CAAZ,YAAY;2CAAZ,YAAY;oCAAZ,YAAY;+CAAZ,YAAY;mDAAZ,YAAY;kDAAZ,YAAY;uCAAZ,YAAY;gCAAZ,YAAY"}

package/src/policy-format.js CHANGED Viewed

@@ -5,51 +5,156 @@
  * @module
  */
-/** @import {SomePackagePolicy, SomePolicy} from './types.js' */
+/**
+ * @import {SomePackagePolicy,
+ *    PackagePolicy,
+ *    AttenuationDefinition,
+ *    PolicyEnforcementField,
+ *    UnifiedAttenuationDefinition,
+ *    PolicyItem,
+ *    TypeGuard,
+ *    GuardedType,
+ *    SomeTypeGuard,
+ *    ImplicitAttenuationDefinition,
+ *    FullAttenuationDefinition,
+ *    UnionToIntersection,
+ *    PackageNamingKit,
+ *    WildcardPolicy,
+ *    SomePolicy
+ *} from './types.js'
+ */
-const { entries, keys } = Object;
+const { entries, keys, hasOwn } = Object;
 const { isArray } = Array;
 const q = JSON.stringify;
+/**
+ * Const string to identify the internal attenuators compartment
+ */
+export const ATTENUATORS_COMPARTMENT = '<ATTENUATORS>';
+export const ENTRY_COMPARTMENT = '$root$';
+/**
+ * @satisfies {keyof FullAttenuationDefinition}
+ */
 const ATTENUATOR_KEY = 'attenuate';
+/**
+ * @satisfies {keyof FullAttenuationDefinition}
+ */
 const ATTENUATOR_PARAMS_KEY = 'params';
+/**
+ * Generates a string identifying a package for policy lookup purposes.
+ *
+ * @param {PackageNamingKit} namingKit
+ * @returns {string}
+ */
+export const generateCanonicalName = ({ isEntry = false, name, path }) => {
+  if (isEntry) {
+    return ENTRY_COMPARTMENT;
+  }
+  if (name === ATTENUATORS_COMPARTMENT) {
+    return ATTENUATORS_COMPARTMENT;
+  }
+  return path.join('>');
+};
 export const WILDCARD_POLICY_VALUE = 'any';
-const POLICY_FIELDS_LOOKUP = /** @type {const} */ ([
+/**
+ * @satisfies {PolicyEnforcementField[]}
+ */
+const POLICY_ENFORCEMENT_FIELDS = /** @type {const} */ ([
   'builtins',
   'globals',
   'packages',
 ]);
 /**
+ * Type guard for `undefined`
+ *
+ * @param {unknown} item
+ * @returns {item is undefined}
+ */
+const isUndefined = item => item === undefined;
+/**
+ * Type guard for a function or constructor
  *
- * @param {import('./types.js').PackagePolicy} packagePolicy
- * @param {'builtins'|'globals'|'packages'} field
- * @param {string} itemName
- * @returns {boolean | import('./types.js').AttenuationDefinition}
+ * @param {unknown} item
+ * @returns {item is ((...args: any[]) => any) | (new (...args: any[]) => any)}
+ */
+const isFunction = item => typeof item === 'function';
+/**
+ * Type guard for a plain object
+ *
+ * @param {unknown} item
+ * @returns {item is Record<PropertyKey, unknown>}
+ */
+const isPlainObject = item =>
+  Object(item) === item && !isArray(item) && !isFunction(item);
+/**
+ * Asserts that `item` is a plain object
+ *
+ * @param {unknown} item
+ * @param {string} [message]
+ * @returns {asserts item is Record<string, any>}
  */
-export const policyLookupHelper = (packagePolicy, field, itemName) => {
-  if (!POLICY_FIELDS_LOOKUP.includes(field)) {
-    throw Error(`Invalid field ${q(field)}`);
+const assertPlainObject = (item, message) => {
+  assert(
+    isPlainObject(item),
+    message ?? `Expected a plain object, got ${q(item)}`,
+  );
+};
+/**
+ * Checks if the result of `keys(item).length` is `0`.
+ *
+ * Not a "real" type guard; probably needs to be used with a type assertion.
+ *
+ * @param {object} item
+ * @returns {item is object}
+ */
+const isEmpty = item => keys(item).length === 0;
+/**
+ * Helps find a value in `field` of {@link PackagePolicy} `packagePolicy`
+ * matching `itemNameOrPath`.
+ *
+ * @param {PackagePolicy} packagePolicy Package policy
+ * @param {PolicyEnforcementField} field Package policy field to look up
+ * @param {string} canonicalName A canonical name
+ * @returns {boolean | AttenuationDefinition}
+ */
+export const policyLookupHelper = (packagePolicy, field, canonicalName) => {
+  assert(
+    POLICY_ENFORCEMENT_FIELDS.includes(field),
+    `Unknown or unsupported policy field ${q(field)}`,
+  );
+  if (!isPlainObject(packagePolicy)) {
+    return false;
   }
-  if (
-    typeof packagePolicy !== 'object' ||
-    packagePolicy === null ||
-    !packagePolicy[field]
-  ) {
+  const policyDefinition = packagePolicy[field];
+  if (!policyDefinition) {
     return false;
   }
-  if (packagePolicy[field] === WILDCARD_POLICY_VALUE) {
+  if (policyDefinition === WILDCARD_POLICY_VALUE) {
     return true;
   }
-  const value = /** @type {import('./types.js').AttenuationDefinition} */ (
-    packagePolicy[field]
-  );
-  if (itemName in value) {
-    return value[itemName];
+  if (hasOwn(policyDefinition, canonicalName)) {
+    return policyDefinition[canonicalName];
   }
   return false;
 };
@@ -57,61 +162,140 @@ export const policyLookupHelper = (packagePolicy, field, itemName) => {
  * Type guard; checks if the policy value is set to the wildcard value to allow everything
  *
  * @param {unknown} policyValue
- * @returns {policyValue is import('./types.js').WildcardPolicy}
+ * @returns {policyValue is WildcardPolicy}
  */
 export const isAllowingEverything = policyValue =>
   policyValue === WILDCARD_POLICY_VALUE;
 /**
- * Type guard for `AttenuationDefinition`
+ * Type guard for a {@link ImplicitAttenuationDefinition}
+ */
+const isImplicitAttenuationDefinition =
+  /** @type {TypeGuard<unknown, ImplicitAttenuationDefinition>} */ (isArray);
+/**
+ * Combine multiple type guards with a logical "OR" operation.
+ *
+ * @template {SomeTypeGuard} T Any type guard function
+ * @overload
+ * @param {T[]} guards Array of type guard functions
+ * @returns {[T] extends [TypeGuard<infer U, any>] ? (value: U) => value is GuardedType<T> : never} Type guard that returns a union of the types checked by the guards
+ */
+/**
+ * Combine two type guards with a logical "OR" operation.
+ *
+ * Note the overload here is due to TS' inflexibility w/r/t using conditional return types.
+ * @template {SomeTypeGuard} T
+ * @param {T[]} guards
+ */
+const or =
+  guards =>
+  /** @param {any} item */
+  item =>
+    guards.some(guard => guard(item));
+/**
+ * Combine multiple type guards with a logical "AND" operation.
+ *
+ * @template {SomeTypeGuard} T Any type guard function
+ * @overload
+ * @param {T[]} guards Array of type guard functions
+ * @returns {[T] extends [TypeGuard<infer U, any>] ? (value: U) => value is Extract<UnionToIntersection<GuardedType<T>>, U> : never} Type guard that returns an intesection of the types checked by the guards
+ */
+/**
+ * @template {SomeTypeGuard} T
+ * @param {T[]} guards
+ */
+const and = guards => /** @param {any} item */ item =>
+  guards.every(guard => guard(item));
+/**
+ * @template {SomeTypeGuard} T
+ * @overload
+ * @param {T} guard
+ * @returns {[T] extends [TypeGuard<infer U, any>] ? (value: U) => value is GuardedType<T> & never : never}
+ */
+/**
+ * @template {SomeTypeGuard} T
+ * @param {T} guard
+ */
+const not = guard => /** @param {any} item */ item => !guard(item);
+/**
+ * Type guard for a string
+ *
+ * @param {unknown} item
+ * @returns {item is string}
+ */
+const isString = item => typeof item === 'string';
+/**
+ * Type guard for a {@link FullAttenuationDefinition}
  * @param {unknown} allegedDefinition
- * @returns {allegedDefinition is import('./types.js').AttenuationDefinition}
- */
-export const isAttenuationDefinition = allegedDefinition => {
-  return Boolean(
-    (allegedDefinition &&
-      typeof allegedDefinition === 'object' &&
-      typeof allegedDefinition[ATTENUATOR_KEY] === 'string') || // object with attenuator name
-      isArray(allegedDefinition), // params for default attenuator
-  );
-};
+ * @returns {allegedDefinition is FullAttenuationDefinition}
+ */
+const isFullAttenuationDefinition = allegedDefinition =>
+  isPlainObject(allegedDefinition) &&
+  isString(allegedDefinition[ATTENUATOR_KEY]) &&
+  (isUndefined(allegedDefinition[ATTENUATOR_PARAMS_KEY]) ||
+    isArray(allegedDefinition[ATTENUATOR_PARAMS_KEY]));
+/**
+ * Type guard for `AttenuationDefinition`
+ */
+export const isAttenuationDefinition = or([
+  isImplicitAttenuationDefinition,
+  isFullAttenuationDefinition,
+]);
 /**
+ * Converts a {@link ImplicitAttenuationDefinition} or {@link FullAttenuationDefinition} to a {@link UnifiedAttenuationDefinition}
  *
- * @param {import('./types.js').AttenuationDefinition} attenuationDefinition
- * @returns {import('./types.js').UnifiedAttenuationDefinition}
+ * @param {AttenuationDefinition} attenuationDefinition
+ * @returns {UnifiedAttenuationDefinition}
  */
 export const getAttenuatorFromDefinition = attenuationDefinition => {
-  if (!isAttenuationDefinition(attenuationDefinition)) {
-    throw Error(
-      `Invalid attenuation ${q(
-        attenuationDefinition,
-      )}, must be an array of params for default attenuator or an object with an attenuator key`,
-    );
-  }
-  if (isArray(attenuationDefinition)) {
+  if (isImplicitAttenuationDefinition(attenuationDefinition)) {
     return {
       displayName: '<default attenuator>',
       specifier: null,
       params: attenuationDefinition,
     };
-  } else {
+  }
+  if (isFullAttenuationDefinition(attenuationDefinition)) {
     return {
       displayName: attenuationDefinition[ATTENUATOR_KEY],
       specifier: attenuationDefinition[ATTENUATOR_KEY],
       params: attenuationDefinition[ATTENUATOR_PARAMS_KEY],
     };
   }
-};
-// TODO: should be a type guard
-const isRecordOf = (item, predicate) => {
-  if (typeof item !== 'object' || item === null || isArray(item)) {
-    return false;
-  }
-  return entries(item).every(([key, value]) => predicate(value, key));
+  throw TypeError(
+    `Invalid attenuation ${q(
+      attenuationDefinition,
+    )}, must be an array of params for default attenuator or an object with an attenuator key`,
+  );
 };
+/**
+ * Type guard for a `Record` of items with enumerable keys of type `string` and
+ * values of a type defined by a type guard.
+ *
+ * @template {SomeTypeGuard} T Some type guard function
+ * @param {T} guard Type guard function
+ */
+const isRecordOf =
+  guard =>
+  /**
+   * @param {unknown} item
+   * @returns {item is Record<string, GuardedType<T>>}
+   */ item =>
+    isPlainObject(item) &&
+    entries(item).every(([key, value]) => isString(key) && guard(value));
 /**
  * Type guard for `boolean`
  * @param {unknown} item
@@ -119,20 +303,71 @@ const isRecordOf = (item, predicate) => {
  */
 const isBoolean = item => typeof item === 'boolean';
-// TODO: should be a type guard
-const predicateOr =
-  (...predicates) =>
-  item =>
-    predicates.some(p => p(item));
+/**
+ * Type guard for a `Record<string, boolean>`
+ */
+const isRecordOfBoolean = isRecordOf(isBoolean);
 /**
+ * Type guard for {@link PolicyItem}
+ *
  * @param {unknown} item
- * @returns {item is import('./types.js').PolicyItem}
+ * @returns {item is PolicyItem|undefined}
  */
 const isPolicyItem = item =>
-  item === undefined ||
+  isUndefined(item) ||
   item === WILDCARD_POLICY_VALUE ||
-  isRecordOf(item, isBoolean);
+  isRecordOfBoolean(item);
+/**
+ * Type guard for {@link PackagePolicy.globals}
+ */
+const isGlobals = or([isPolicyItem, isAttenuationDefinition]);
+/**
+ * Type guard for {@link PackagePolicy.noGlobalFreeze}
+ */
+const isNoGlobalFreeze = or([isUndefined, isBoolean]);
+/**
+ * Type guard for {@link PackagePolicy.builtins}
+ */
+const isBuiltins = or([
+  isPolicyItem,
+  isRecordOf(or([isBoolean, isAttenuationDefinition])),
+]);
+/**
+ * Type guard for an empty object
+ *
+ * TODO: Shouldn't need type assertions here
+ */
+const isEmptyObject =
+  /** @type {TypeGuard<unknown, Record<PropertyKey, never>>} */ (
+    and([
+      isPlainObject,
+      /**
+       * @type {TypeGuard<any, Record<PropertyKey, never>>}
+       */
+      value => isEmpty(value),
+    ])
+  );
+/**
+ * Type guard for an empty string
+ */
+const isEmptyString = and([
+  isString,
+  /** @type {TypeGuard<unknown, {length: 0}>} */ (isEmpty),
+]);
+/**
+ * Type guard for {@link PackagePolicy.defaultAttenuator}
+ */
+const isDefaultAttenuator = or([
+  isUndefined,
+  and([isString, not(isEmptyString)]),
+]);
 /**
  * This asserts (i.e., throws) that `allegedPackagePolicy` is a valid `PackagePolicy`.
@@ -140,68 +375,66 @@ const isPolicyItem = item =>
  * Mild-mannered during the day, but fights crime at night as a type guard.
  *
  * @param {unknown} allegedPackagePolicy - Alleged `PackagePolicy` to test
- * @param {string} path - Path in the `Policy` object; used for error messages only
+ * @param {string} keypath - Keypath in the `Policy` object; used for error messages only
  * @param {string} [url] - URL of the policy file; used for error messages only
  * @returns {asserts allegedPackagePolicy is SomePackagePolicy|undefined}
  */
-export const assertPackagePolicy = (allegedPackagePolicy, path, url) => {
-  if (allegedPackagePolicy === undefined) {
+export const assertPackagePolicy = (allegedPackagePolicy, keypath, url) => {
+  if (isUndefined(allegedPackagePolicy)) {
     return;
   }
   const inUrl = url ? ` in ${q(url)}` : '';
-  const packagePolicy = Object(allegedPackagePolicy);
-  assert(
-    allegedPackagePolicy === packagePolicy && !isArray(allegedPackagePolicy),
-    `${path} must be an object, got ${q(allegedPackagePolicy)}${inUrl}`,
+  assertPlainObject(
+    allegedPackagePolicy,
+    `${keypath} must be an object, got ${q(allegedPackagePolicy)}${inUrl}`,
   );
   const {
     packages,
     builtins,
     globals,
     noGlobalFreeze,
-    defaultAttenuator: _ignore, // a carve out for the default attenuator in compartment map
-    // eslint-disable-next-line no-unused-vars
-    options, // any extra options
+    defaultAttenuator: _defaultAttenuator, // a carve out for the default attenuator in compartment map
+    options: _options, // any extra options
     ...extra
-  } = /** @type {SomePackagePolicy} */ (packagePolicy);
+  } = allegedPackagePolicy;
   assert(
-    keys(extra).length === 0,
-    `${path} must not have extra properties, got ${q(keys(extra))}${inUrl}`,
+    isEmptyObject(extra),
+    `${keypath} must not have extra properties, got ${q(keys(extra))}${inUrl}`,
   );
   assert(
-    noGlobalFreeze === undefined || typeof noGlobalFreeze === 'boolean',
-    `${path}.noGlobalFreeze must be a boolean, got ${q({
+    isNoGlobalFreeze(noGlobalFreeze),
+    `${keypath}.noGlobalFreeze must be a boolean, got ${q({
       noGlobalFreeze,
     })}${inUrl}`,
   );
-  isPolicyItem(packages) ||
-    assert.fail(
-      `${path}.packages must be a record of booleans, got ${q({
-        packages,
-      })}${inUrl}`,
-    );
-  isPolicyItem(globals) ||
-    isAttenuationDefinition(globals) ||
-    assert.fail(
-      `${path}.globals must be a record of booleans or a single attenuation, got ${q(
-        {
-          globals,
-        },
-      )}${inUrl}`,
-    );
-  isPolicyItem(builtins) ||
-    isRecordOf(builtins, predicateOr(isBoolean, isAttenuationDefinition)) ||
-    assert.fail(
-      `${path}.builtins must be a record of booleans or attenuations, got ${q({
-        builtins,
-      })}${inUrl}`,
-    );
+  assert(
+    isPolicyItem(packages),
+    `${keypath}.packages must be a record of booleans, got ${q({
+      packages,
+    })}${inUrl}`,
+  );
+  assert(
+    isGlobals(globals),
+    `${keypath}.globals must be a record of booleans or a single attenuation, got ${q(
+      {
+        globals,
+      },
+    )}${inUrl}`,
+  );
+  assert(
+    isBuiltins(builtins),
+    `${keypath}.builtins must be a record of booleans or attenuations, got ${q({
+      builtins,
+    })}${inUrl}`,
+  );
 };
 /**
@@ -213,28 +446,29 @@ export const assertPackagePolicy = (allegedPackagePolicy, path, url) => {
  * @returns {asserts allegedPolicy is (SomePolicy | undefined)}
  */
 export const assertPolicy = allegedPolicy => {
-  if (allegedPolicy === undefined) {
+  if (isUndefined(allegedPolicy)) {
     return;
   }
-  const policy = Object(allegedPolicy);
-  assert(
-    allegedPolicy === policy && !Array.isArray(policy),
-    `policy must be an object, got ${allegedPolicy}`,
+  assertPlainObject(
+    allegedPolicy,
+    `policy must be an object, got ${q(allegedPolicy)}`,
   );
+  const { resources, entry, defaultAttenuator, ...extra } = allegedPolicy;
-  const { resources, entry, defaultAttenuator, ...extra } = policy;
   assert(
-    keys(extra).length === 0,
+    isEmptyObject(extra),
     `policy must not have extra properties, got ${q(keys(extra))}`,
   );
   assert(
-    typeof resources === 'object' && resources !== null && !isArray(resources),
+    isPlainObject(resources),
     `policy.resources must be an object, got ${q(resources)}`,
   );
   assert(
-    !defaultAttenuator || typeof defaultAttenuator === 'string',
-    `policy.defaultAttenuator must be a string, got ${q(defaultAttenuator)}`,
+    isDefaultAttenuator(defaultAttenuator),
+    `policy.defaultAttenuator must be a nonempty string, got ${q(defaultAttenuator)}`,
   );
   assertPackagePolicy(entry, `policy.entry`);