@metaobjectsdev/render 0.5.0

package/dist/escapers.d.ts

@@ -0,0 +1,3 @@
+export type RenderFormat = "text" | "html" | "xml" | "csv" | "json" | "markdown" | "spreadsheet";
+export declare const ESCAPERS: Record<RenderFormat, (s: string) => string>;
+//# sourceMappingURL=escapers.d.ts.map

package/dist/escapers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"escapers.d.ts","sourceRoot":"","sources":["../src/escapers.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,YAAY,GACpB,MAAM,GACN,MAAM,GACN,KAAK,GACL,KAAK,GACL,MAAM,GACN,UAAU,GACV,aAAa,CAAC;AAsBlB,eAAO,MAAM,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAWhE,CAAC"}

package/dist/escapers.js

@@ -0,0 +1,34 @@
+// Format-driven escaping (FR-004 R7/R8). The render engine OWNS escaping (it does
+// not rely on the Mustache lib's HTML-only default), so behavior is identical
+// across language ports. `{{var}}` is escaped per format; `{{{var}}}` is raw.
+//
+// RenderFormat is defined here, independent of the metadata package's
+// TEMPLATE_FORMATS, to keep this engine a zero-core-dependency module. The two
+// sets are kept in lock-step by the render-conformance corpus.
+const xml = (s) => s
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+// OWASP CSV/Excel formula-injection guard: neutralize a leading active char.
+const injectionGuard = (s) => (/^[=+\-@\t\r]/.test(s) ? "'" + s : s);
+const csv = (s) => {
+    const v = injectionGuard(s);
+    return /[",\n\r]/.test(v) ? `"${v.replace(/"/g, '""')}"` : v;
+};
+const json = (s) => JSON.stringify(s).slice(1, -1);
+const raw = (s) => s;
+export const ESCAPERS = {
+    text: raw,
+    markdown: raw,
+    html: xml,
+    xml,
+    json,
+    csv,
+    // XML-escape the content first, then guard — so the guard's leading quote is a
+    // literal apostrophe in the XML (which is what tells Excel "treat as text"),
+    // not itself escaped to &#39;.
+    spreadsheet: (s) => injectionGuard(xml(s)),
+};
+//# sourceMappingURL=escapers.js.map

package/dist/escapers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"escapers.js","sourceRoot":"","sources":["../src/escapers.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,8EAA8E;AAC9E,8EAA8E;AAC9E,EAAE;AACF,sEAAsE;AACtE,+EAA+E;AAC/E,+DAA+D;AAW/D,MAAM,GAAG,GAAG,CAAC,CAAS,EAAU,EAAE,CAChC,CAAC;KACE,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;KACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;KACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;KACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;KACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAE5B,6EAA6E;AAC7E,MAAM,cAAc,GAAG,CAAC,CAAS,EAAU,EAAE,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAErF,MAAM,GAAG,GAAG,CAAC,CAAS,EAAU,EAAE;IAChC,MAAM,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC,CAAC;AAEF,MAAM,IAAI,GAAG,CAAC,CAAS,EAAU,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAEnE,MAAM,GAAG,GAAG,CAAC,CAAS,EAAU,EAAE,CAAC,CAAC,CAAC;AAErC,MAAM,CAAC,MAAM,QAAQ,GAAgD;IACnE,IAAI,EAAE,GAAG;IACT,QAAQ,EAAE,GAAG;IACb,IAAI,EAAE,GAAG;IACT,GAAG;IACH,IAAI;IACJ,GAAG;IACH,+EAA+E;IAC/E,6EAA6E;IAC7E,+BAA+B;IAC/B,WAAW,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC3C,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export { render, type RenderOptions } from "./render.js";
+export { type Provider, InMemoryProvider } from "./provider.js";
+export { ESCAPERS, type RenderFormat } from "./escapers.js";
+export { verify, ERR_VAR_NOT_ON_PAYLOAD, ERR_PARTIAL_UNRESOLVED, ERR_REQUIRED_SLOT_UNUSED, type PayloadField, type VerifyError, type VerifyOptions, } from "./verify.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,KAAK,QAAQ,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,KAAK,YAAY,EAAE,MAAM,eAAe,CAAC;AAC5D,OAAO,EACL,MAAM,EACN,sBAAsB,EACtB,sBAAsB,EACtB,wBAAwB,EACxB,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,aAAa,GACnB,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,5 @@
+export { render } from "./render.js";
+export { InMemoryProvider } from "./provider.js";
+export { ESCAPERS } from "./escapers.js";
+export { verify, ERR_VAR_NOT_ON_PAYLOAD, ERR_PARTIAL_UNRESOLVED, ERR_REQUIRED_SLOT_UNUSED, } from "./verify.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAsB,MAAM,aAAa,CAAC;AACzD,OAAO,EAAiB,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAqB,MAAM,eAAe,CAAC;AAC5D,OAAO,EACL,MAAM,EACN,sBAAsB,EACtB,sBAAsB,EACtB,wBAAwB,GAIzB,MAAM,aAAa,CAAC"}

package/dist/provider.d.ts

@@ -0,0 +1,11 @@
+export interface Provider {
+    /** Resolve a `group/source` reference to its text, or undefined if absent. */
+    resolve(ref: string): string | undefined;
+}
+/** Deterministic, in-memory provider (the conformance + test provider). */
+export declare class InMemoryProvider implements Provider {
+    private readonly map;
+    constructor(map: Record<string, string>);
+    resolve(ref: string): string | undefined;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../src/provider.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,QAAQ;IACvB,8EAA8E;IAC9E,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC1C;AAED,2EAA2E;AAC3E,qBAAa,gBAAiB,YAAW,QAAQ;IACnC,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IACxD,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;CAGzC"}

package/dist/provider.js

@@ -0,0 +1,14 @@
+// A provider resolves a 2-layer logical reference (`group/source`) to template
+// text. The render engine never does I/O itself — it delegates resolution to
+// the injected provider, so a fixed provider makes render() deterministic.
+/** Deterministic, in-memory provider (the conformance + test provider). */
+export class InMemoryProvider {
+    map;
+    constructor(map) {
+        this.map = map;
+    }
+    resolve(ref) {
+        return Object.prototype.hasOwnProperty.call(this.map, ref) ? this.map[ref] : undefined;
+    }
+}
+//# sourceMappingURL=provider.js.map

package/dist/provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.js","sourceRoot":"","sources":["../src/provider.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,6EAA6E;AAC7E,2EAA2E;AAO3E,2EAA2E;AAC3E,MAAM,OAAO,gBAAgB;IACE;IAA7B,YAA6B,GAA2B;QAA3B,QAAG,GAAH,GAAG,CAAwB;IAAG,CAAC;IAC5D,OAAO,CAAC,GAAW;QACjB,OAAO,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACzF,CAAC;CACF"}

package/dist/render.d.ts

@@ -0,0 +1,23 @@
+import type { Provider } from "./provider.js";
+import { type RenderFormat } from "./escapers.js";
+import { type PayloadField } from "./verify.js";
+export interface RenderOptions {
+    /** Inline template text. Mutually exclusive with `ref`. */
+    template?: string;
+    /** A `group/source` reference resolved via `provider`. */
+    ref?: string;
+    /** The render payload (a plain object/array graph; pre-format primitives). */
+    payload: unknown;
+    provider: Provider;
+    /** Output format; drives escaping. Defaults to "text" (raw). */
+    format?: RenderFormat;
+    /**
+     * Fail-closed guard for dynamic/generated text: when given a payload field
+     * tree, the RESOLVED template is `verify`'d before rendering and a drifted
+     * variant throws — instead of silently rendering nothing.
+     */
+    verify?: PayloadField[];
+}
+/** Deterministic, logic-less render: (template + payload + provider) → string. */
+export declare function render(o: RenderOptions): string;
+//# sourceMappingURL=render.d.ts.map

package/dist/render.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"render.d.ts","sourceRoot":"","sources":["../src/render.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAY,KAAK,YAAY,EAAE,MAAM,eAAe,CAAC;AAC5D,OAAO,EAAoC,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAoBlF,MAAM,WAAW,aAAa;IAC5B,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,8EAA8E;IAC9E,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,gEAAgE;IAChE,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB;;;;OAIG;IACH,MAAM,CAAC,EAAE,YAAY,EAAE,CAAC;CACzB;AAED,kFAAkF;AAClF,wBAAgB,MAAM,CAAC,CAAC,EAAE,aAAa,GAAG,MAAM,CAyB/C"}

package/dist/render.js

@@ -0,0 +1,45 @@
+import Mustache from "mustache";
+import { ESCAPERS } from "./escapers.js";
+import { verify, ERR_REQUIRED_SLOT_UNUSED } from "./verify.js";
+const MAX_DEPTH = 32;
+const PARTIAL = /\{\{>\s*([^}\s]+)\s*\}\}/g;
+// Resolve `{{> group/source }}` partials by inlining their text, recursively,
+// BEFORE Mustache parses — giving us deterministic whitespace and true,
+// path-based cycle/depth detection (no reliance on a per-lib partial loader).
+// Inlined text still renders in the surrounding context (e.g. once per loop
+// item), exactly like a native partial, because Mustache renders the result.
+function expand(text, provider, path) {
+    return text.replace(PARTIAL, (_match, ref) => {
+        if (path.includes(ref))
+            throw new Error(`partial cycle: ${[...path, ref].join(" -> ")}`);
+        if (path.length >= MAX_DEPTH)
+            throw new Error(`partial depth exceeded ${MAX_DEPTH}: ${ref}`);
+        const t = provider.resolve(ref);
+        if (t === undefined)
+            throw new Error(`unresolved partial: ${ref}`);
+        return expand(t, provider, [...path, ref]);
+    });
+}
+/** Deterministic, logic-less render: (template + payload + provider) → string. */
+export function render(o) {
+    const body = o.template ?? (o.ref !== undefined ? o.provider.resolve(o.ref) : undefined);
+    if (body === undefined)
+        throw new Error(`unresolved ref: ${o.ref ?? "(none)"}`);
+    if (o.verify !== undefined) {
+        const drift = verify(body, o.verify, { provider: o.provider }).filter((e) => e.code !== ERR_REQUIRED_SLOT_UNUSED);
+        if (drift.length > 0) {
+            throw new Error(`render verify failed: ${drift.map((e) => `${e.code} (${e.path})`).join(", ")}`);
+        }
+    }
+    const expanded = expand(body, o.provider, o.ref !== undefined ? [o.ref] : []);
+    const escaper = ESCAPERS[o.format ?? "text"];
+    const prev = Mustache.escape;
+    Mustache.escape = (v) => escaper(typeof v === "string" ? v : String(v));
+    try {
+        return Mustache.render(expanded, o.payload, {});
+    }
+    finally {
+        Mustache.escape = prev;
+    }
+}
+//# sourceMappingURL=render.js.map

package/dist/render.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"render.js","sourceRoot":"","sources":["../src/render.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,UAAU,CAAC;AAEhC,OAAO,EAAE,QAAQ,EAAqB,MAAM,eAAe,CAAC;AAC5D,OAAO,EAAE,MAAM,EAAE,wBAAwB,EAAqB,MAAM,aAAa,CAAC;AAElF,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,OAAO,GAAG,2BAA2B,CAAC;AAE5C,8EAA8E;AAC9E,wEAAwE;AACxE,8EAA8E;AAC9E,4EAA4E;AAC5E,6EAA6E;AAC7E,SAAS,MAAM,CAAC,IAAY,EAAE,QAAkB,EAAE,IAAuB;IACvE,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE,GAAW,EAAE,EAAE;QACnD,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACzF,IAAI,IAAI,CAAC,MAAM,IAAI,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,SAAS,KAAK,GAAG,EAAE,CAAC,CAAC;QAC7F,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,CAAC,KAAK,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,EAAE,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC;AAoBD,kFAAkF;AAClF,MAAM,UAAU,MAAM,CAAC,CAAgB;IACrC,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACzF,IAAI,IAAI,KAAK,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,GAAG,IAAI,QAAQ,EAAE,CAAC,CAAC;IAEhF,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CACnE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,wBAAwB,CAC3C,CAAC;QACF,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CACb,yBAAyB,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAChF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC9E,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC;IAE7C,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC7B,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAU,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACjF,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAClD,CAAC;YAAS,CAAC;QACT,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC;IACzB,CAAC;AACH,CAAC"}

package/dist/verify.d.ts

@@ -0,0 +1,34 @@
+import type { Provider } from "./provider.js";
+/** A `{{var}}` references a field the (contextual) payload does not declare. */
+export declare const ERR_VAR_NOT_ON_PAYLOAD = "ERR_VAR_NOT_ON_PAYLOAD";
+/** A `{{> ref}}` partial does not resolve in the provider. */
+export declare const ERR_PARTIAL_UNRESOLVED = "ERR_PARTIAL_UNRESOLVED";
+/** A declared @requiredSlots slot is never referenced by the template (warning). */
+export declare const ERR_REQUIRED_SLOT_UNUSED = "ERR_REQUIRED_SLOT_UNUSED";
+/**
+ * A plain field-tree node mirroring an `object.value` view-object's field walk.
+ * `fields` present → a context-pushing field (object / array-of-object); absent
+ * → a scalar (string/number/boolean/scalar-array).
+ */
+export interface PayloadField {
+    name: string;
+    fields?: PayloadField[];
+}
+export interface VerifyError {
+    code: string;
+    /** The offending variable path, partial ref, or slot name. */
+    path: string;
+}
+export interface VerifyOptions {
+    /** When given, `{{> ref}}` partials are resolved + their bodies recursed. */
+    provider?: Provider;
+    /** Slots that MUST be referenced; an unused one is reported as a warning. */
+    requiredSlots?: string[];
+}
+/**
+ * Walk a Mustache template's tokens against a payload field tree, returning a
+ * list of drift errors. Context-sensitive: a section `{{#posts}}…{{/posts}}`
+ * over a container field checks its body against that field's element type.
+ */
+export declare function verify(templateText: string, fields: PayloadField[], opts?: VerifyOptions): VerifyError[];
+//# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAE9C,gFAAgF;AAChF,eAAO,MAAM,sBAAsB,2BAA2B,CAAC;AAC/D,8DAA8D;AAC9D,eAAO,MAAM,sBAAsB,2BAA2B,CAAC;AAC/D,oFAAoF;AACpF,eAAO,MAAM,wBAAwB,6BAA6B,CAAC;AAEnE;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,YAAY,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,aAAa;IAC5B,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,6EAA6E;IAC7E,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAqCD;;;;GAIG;AACH,wBAAgB,MAAM,CACpB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,YAAY,EAAE,EACtB,IAAI,CAAC,EAAE,aAAa,GACnB,WAAW,EAAE,CAoEf"}

package/dist/verify.js

@@ -0,0 +1,121 @@
+// Template-side drift check (FR-004 Plan #3, T5). The other half of the
+// guarantee: Phase B types the payload at the CALL SITE (compile-time), while
+// `verify` parses the opaque template TEXT and cross-checks every variable
+// against the payload's declared field tree (build-time). A Mustache template
+// is a runtime string the TS compiler can't see into, so this is the only way
+// to catch "a renamed field silently broke a prompt".
+//
+// Zero core dependency by design: `verify` takes a PLAIN field tree (no
+// metadata import). The CLI derives that tree from the loaded object.value and
+// passes it in — keeping this engine a standalone, byte-portable module.
+import Mustache from "mustache";
+/** A `{{var}}` references a field the (contextual) payload does not declare. */
+export const ERR_VAR_NOT_ON_PAYLOAD = "ERR_VAR_NOT_ON_PAYLOAD";
+/** A `{{> ref}}` partial does not resolve in the provider. */
+export const ERR_PARTIAL_UNRESOLVED = "ERR_PARTIAL_UNRESOLVED";
+/** A declared @requiredSlots slot is never referenced by the template (warning). */
+export const ERR_REQUIRED_SLOT_UNUSED = "ERR_REQUIRED_SLOT_UNUSED";
+const MAX_DEPTH = 32;
+function find(fields, name) {
+    return fields.find((f) => f.name === name);
+}
+// Resolve a (possibly dotted) variable path the way Mustache does: the FIRST
+// segment is looked up through the context stack (innermost → outermost); each
+// remaining segment is a direct descent into the resolved field's `fields`.
+// Returns the resolved field, or undefined if any segment is missing.
+function resolve(stack, path) {
+    const segs = path.split(".");
+    let current;
+    for (let i = stack.length - 1; i >= 0; i--) {
+        const hit = find(stack[i], segs[0]);
+        if (hit) {
+            current = hit;
+            break;
+        }
+    }
+    for (let i = 1; current && i < segs.length; i++) {
+        current = current.fields ? find(current.fields, segs[i]) : undefined;
+    }
+    return current;
+}
+function parse(text) {
+    return Mustache.parse(text);
+}
+/**
+ * Walk a Mustache template's tokens against a payload field tree, returning a
+ * list of drift errors. Context-sensitive: a section `{{#posts}}…{{/posts}}`
+ * over a container field checks its body against that field's element type.
+ */
+export function verify(templateText, fields, opts) {
+    const errors = [];
+    const provider = opts?.provider;
+    const root = fields;
+    const referencedAtRoot = new Set();
+    function walk(tokens, stack, seen) {
+        const atRoot = stack.length === 1 && stack[0] === root;
+        for (const tok of tokens) {
+            const type = tok[0];
+            const value = tok[1];
+            switch (type) {
+                case "name": // {{x}}
+                case "&": // {{&x}}
+                case "{": {
+                    // {{{x}}} (spec); mustache.js emits "&" for it too
+                    if (value === ".")
+                        break; // implicit iterator — always valid
+                    if (atRoot)
+                        referencedAtRoot.add(value.split(".")[0]);
+                    if (!resolve(stack, value))
+                        errors.push({ code: ERR_VAR_NOT_ON_PAYLOAD, path: value });
+                    break;
+                }
+                case "#": // {{#x}}…{{/x}}
+                case "^": {
+                    // {{^x}}…{{/x}}
+                    const sub = Array.isArray(tok[4]) ? tok[4] : [];
+                    if (value === ".") {
+                        walk(sub, stack, seen);
+                        break;
+                    }
+                    if (atRoot)
+                        referencedAtRoot.add(value.split(".")[0]);
+                    const field = resolve(stack, value);
+                    if (!field) {
+                        // Unresolved section head is itself drift; skip the body (its
+                        // context is unknowable, walking it would cascade false errors).
+                        errors.push({ code: ERR_VAR_NOT_ON_PAYLOAD, path: value });
+                        break;
+                    }
+                    // `#` over a container pushes its element fields; `^` (and `#` over a
+                    // scalar, used as a conditional) keep the current context.
+                    const push = type === "#" && field.fields !== undefined;
+                    walk(sub, push ? [...stack, field.fields] : stack, seen);
+                    break;
+                }
+                case ">": {
+                    // {{> group/source}}
+                    if (!provider)
+                        break; // can't resolve without a provider
+                    if (seen.includes(value) || seen.length >= MAX_DEPTH)
+                        break; // cycle/depth guard
+                    const text = provider.resolve(value);
+                    if (text === undefined) {
+                        errors.push({ code: ERR_PARTIAL_UNRESOLVED, path: value });
+                        break;
+                    }
+                    walk(parse(text), stack, [...seen, value]);
+                    break;
+                }
+                default:
+                    break; // text / comment / set-delimiter
+            }
+        }
+    }
+    walk(parse(templateText), [root], []);
+    for (const slot of opts?.requiredSlots ?? []) {
+        if (!referencedAtRoot.has(slot))
+            errors.push({ code: ERR_REQUIRED_SLOT_UNUSED, path: slot });
+    }
+    return errors;
+}
+//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,8EAA8E;AAC9E,2EAA2E;AAC3E,8EAA8E;AAC9E,8EAA8E;AAC9E,sDAAsD;AACtD,EAAE;AACF,wEAAwE;AACxE,+EAA+E;AAC/E,yEAAyE;AAEzE,OAAO,QAAQ,MAAM,UAAU,CAAC;AAGhC,gFAAgF;AAChF,MAAM,CAAC,MAAM,sBAAsB,GAAG,wBAAwB,CAAC;AAC/D,8DAA8D;AAC9D,MAAM,CAAC,MAAM,sBAAsB,GAAG,wBAAwB,CAAC;AAC/D,oFAAoF;AACpF,MAAM,CAAC,MAAM,wBAAwB,GAAG,0BAA0B,CAAC;AAyBnE,MAAM,SAAS,GAAG,EAAE,CAAC;AAOrB,SAAS,IAAI,CAAC,MAAsB,EAAE,IAAY;IAChD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,6EAA6E;AAC7E,+EAA+E;AAC/E,4EAA4E;AAC5E,sEAAsE;AACtE,SAAS,OAAO,CAAC,KAAY,EAAE,IAAY;IACzC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,OAAiC,CAAC;IACtC,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;QACtC,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,GAAG,GAAG,CAAC;YACd,MAAM;QACR,CAAC;IACH,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACxE,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAuB,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,MAAM,CACpB,YAAoB,EACpB,MAAsB,EACtB,IAAoB;IAEpB,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;IAChC,MAAM,IAAI,GAAG,MAAM,CAAC;IACpB,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAE3C,SAAS,IAAI,CAAC,MAAe,EAAE,KAAY,EAAE,IAAuB;QAClE,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;QACvD,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAW,CAAC;YAC9B,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,CAAW,CAAC;YAC/B,QAAQ,IAAI,EAAE,CAAC;gBACb,KAAK,MAAM,CAAC,CAAC,QAAQ;gBACrB,KAAK,GAAG,CAAC,CAAC,SAAS;gBACnB,KAAK,GAAG,CAAC,CAAC,CAAC;oBACT,mDAAmD;oBACnD,IAAI,KAAK,KAAK,GAAG;wBAAE,MAAM,CAAC,mCAAmC;oBAC7D,IAAI,MAAM;wBAAE,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;oBACvD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;wBAAE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;oBACvF,MAAM;gBACR,CAAC;gBACD,KAAK,GAAG,CAAC,CAAC,gBAAgB;gBAC1B,KAAK,GAAG,CAAC,CAAC,CAAC;oBACT,gBAAgB;oBAChB,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAa,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC7D,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;wBAClB,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;wBACvB,MAAM;oBACR,CAAC;oBACD,IAAI,MAAM;wBAAE,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;oBACvD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACpC,IAAI,CAAC,KAAK,EAAE,CAAC;wBACX,8DAA8D;wBAC9D,iEAAiE;wBACjE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;wBAC3D,MAAM;oBACR,CAAC;oBACD,sEAAsE;oBACtE,2DAA2D;oBAC3D,MAAM,IAAI,GAAG,IAAI,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC;oBACxD,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,MAAO,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;oBAC1D,MAAM;gBACR,CAAC;gBACD,KAAK,GAAG,CAAC,CAAC,CAAC;oBACT,qBAAqB;oBACrB,IAAI,CAAC,QAAQ;wBAAE,MAAM,CAAC,mCAAmC;oBACzD,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,IAAI,SAAS;wBAAE,MAAM,CAAC,oBAAoB;oBACjF,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;oBACrC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;wBACvB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;wBAC3D,MAAM;oBACR,CAAC;oBACD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;oBAC3C,MAAM;gBACR,CAAC;gBACD;oBACE,MAAM,CAAC,iCAAiC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;IAEtC,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,aAAa,IAAI,EAAE,EAAE,CAAC;QAC7C,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,wBAAwB,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/F,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@metaobjectsdev/render",
+  "version": "0.5.0",
+  "description": "Logic-less, deterministic text render engine (Mustache) for MetaObjects templates — provider-resolved partials, format-driven escaping, zero core dependency.",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "bun": "./src/index.ts",
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": ["dist", "src", "README.md", "LICENSE"],
+  "scripts": {
+    "build": "tsc -p .",
+    "typecheck": "tsc -p tsconfig.typecheck.json"
+  },
+  "license": "Apache-2.0",
+  "author": "Doug Mealing <doug@dougmealing.com>",
+  "homepage": "https://metaobjects.dev",
+  "bugs": {
+  "url": "https://github.com/metaobjectsdev/metaobjects/issues"
+},
+"repository": {
+  "type": "git",
+  "url": "https://github.com/metaobjectsdev/metaobjects.git",
+  "directory": "server/typescript/packages/render"
+},
+"keywords": ["metaobjects", "render", "mustache", "prompt", "template"],
+"publishConfig": {
+"access": "public"
+},
+"dependencies": {
+  "mustache": "^4.2.0"
+},
+"devDependencies": {
+  "@types/mustache": "^4.2.5",
+  "bun-types": "latest",
+  "typescript": "^5.6.0"
+}
+}

package/src/escapers.ts

@@ -0,0 +1,49 @@
+// Format-driven escaping (FR-004 R7/R8). The render engine OWNS escaping (it does
+// not rely on the Mustache lib's HTML-only default), so behavior is identical
+// across language ports. `{{var}}` is escaped per format; `{{{var}}}` is raw.
+//
+// RenderFormat is defined here, independent of the metadata package's
+// TEMPLATE_FORMATS, to keep this engine a zero-core-dependency module. The two
+// sets are kept in lock-step by the render-conformance corpus.
+
+export type RenderFormat =
+  | "text"
+  | "html"
+  | "xml"
+  | "csv"
+  | "json"
+  | "markdown"
+  | "spreadsheet";
+
+const xml = (s: string): string =>
+  s
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+
+// OWASP CSV/Excel formula-injection guard: neutralize a leading active char.
+const injectionGuard = (s: string): string => (/^[=+\-@\t\r]/.test(s) ? "'" + s : s);
+
+const csv = (s: string): string => {
+  const v = injectionGuard(s);
+  return /[",\n\r]/.test(v) ? `"${v.replace(/"/g, '""')}"` : v;
+};
+
+const json = (s: string): string => JSON.stringify(s).slice(1, -1);
+
+const raw = (s: string): string => s;
+
+export const ESCAPERS: Record<RenderFormat, (s: string) => string> = {
+  text: raw,
+  markdown: raw,
+  html: xml,
+  xml,
+  json,
+  csv,
+  // XML-escape the content first, then guard — so the guard's leading quote is a
+  // literal apostrophe in the XML (which is what tells Excel "treat as text"),
+  // not itself escaped to &#39;.
+  spreadsheet: (s) => injectionGuard(xml(s)),
+};

package/src/index.ts

@@ -0,0 +1,12 @@
+export { render, type RenderOptions } from "./render.js";
+export { type Provider, InMemoryProvider } from "./provider.js";
+export { ESCAPERS, type RenderFormat } from "./escapers.js";
+export {
+  verify,
+  ERR_VAR_NOT_ON_PAYLOAD,
+  ERR_PARTIAL_UNRESOLVED,
+  ERR_REQUIRED_SLOT_UNUSED,
+  type PayloadField,
+  type VerifyError,
+  type VerifyOptions,
+} from "./verify.js";

package/src/provider.ts

@@ -0,0 +1,16 @@
+// A provider resolves a 2-layer logical reference (`group/source`) to template
+// text. The render engine never does I/O itself — it delegates resolution to
+// the injected provider, so a fixed provider makes render() deterministic.
+
+export interface Provider {
+  /** Resolve a `group/source` reference to its text, or undefined if absent. */
+  resolve(ref: string): string | undefined;
+}
+
+/** Deterministic, in-memory provider (the conformance + test provider). */
+export class InMemoryProvider implements Provider {
+  constructor(private readonly map: Record<string, string>) {}
+  resolve(ref: string): string | undefined {
+    return Object.prototype.hasOwnProperty.call(this.map, ref) ? this.map[ref] : undefined;
+  }
+}

package/src/render.ts

@@ -0,0 +1,68 @@
+import Mustache from "mustache";
+import type { Provider } from "./provider.js";
+import { ESCAPERS, type RenderFormat } from "./escapers.js";
+import { verify, ERR_REQUIRED_SLOT_UNUSED, type PayloadField } from "./verify.js";
+
+const MAX_DEPTH = 32;
+const PARTIAL = /\{\{>\s*([^}\s]+)\s*\}\}/g;
+
+// Resolve `{{> group/source }}` partials by inlining their text, recursively,
+// BEFORE Mustache parses — giving us deterministic whitespace and true,
+// path-based cycle/depth detection (no reliance on a per-lib partial loader).
+// Inlined text still renders in the surrounding context (e.g. once per loop
+// item), exactly like a native partial, because Mustache renders the result.
+function expand(text: string, provider: Provider, path: readonly string[]): string {
+  return text.replace(PARTIAL, (_match, ref: string) => {
+    if (path.includes(ref)) throw new Error(`partial cycle: ${[...path, ref].join(" -> ")}`);
+    if (path.length >= MAX_DEPTH) throw new Error(`partial depth exceeded ${MAX_DEPTH}: ${ref}`);
+    const t = provider.resolve(ref);
+    if (t === undefined) throw new Error(`unresolved partial: ${ref}`);
+    return expand(t, provider, [...path, ref]);
+  });
+}
+
+export interface RenderOptions {
+  /** Inline template text. Mutually exclusive with `ref`. */
+  template?: string;
+  /** A `group/source` reference resolved via `provider`. */
+  ref?: string;
+  /** The render payload (a plain object/array graph; pre-format primitives). */
+  payload: unknown;
+  provider: Provider;
+  /** Output format; drives escaping. Defaults to "text" (raw). */
+  format?: RenderFormat;
+  /**
+   * Fail-closed guard for dynamic/generated text: when given a payload field
+   * tree, the RESOLVED template is `verify`'d before rendering and a drifted
+   * variant throws — instead of silently rendering nothing.
+   */
+  verify?: PayloadField[];
+}
+
+/** Deterministic, logic-less render: (template + payload + provider) → string. */
+export function render(o: RenderOptions): string {
+  const body = o.template ?? (o.ref !== undefined ? o.provider.resolve(o.ref) : undefined);
+  if (body === undefined) throw new Error(`unresolved ref: ${o.ref ?? "(none)"}`);
+
+  if (o.verify !== undefined) {
+    const drift = verify(body, o.verify, { provider: o.provider }).filter(
+      (e) => e.code !== ERR_REQUIRED_SLOT_UNUSED,
+    );
+    if (drift.length > 0) {
+      throw new Error(
+        `render verify failed: ${drift.map((e) => `${e.code} (${e.path})`).join(", ")}`,
+      );
+    }
+  }
+
+  const expanded = expand(body, o.provider, o.ref !== undefined ? [o.ref] : []);
+  const escaper = ESCAPERS[o.format ?? "text"];
+
+  const prev = Mustache.escape;
+  Mustache.escape = (v: unknown) => escaper(typeof v === "string" ? v : String(v));
+  try {
+    return Mustache.render(expanded, o.payload, {});
+  } finally {
+    Mustache.escape = prev;
+  }
+}

package/src/verify.ts

@@ -0,0 +1,157 @@
+// Template-side drift check (FR-004 Plan #3, T5). The other half of the
+// guarantee: Phase B types the payload at the CALL SITE (compile-time), while
+// `verify` parses the opaque template TEXT and cross-checks every variable
+// against the payload's declared field tree (build-time). A Mustache template
+// is a runtime string the TS compiler can't see into, so this is the only way
+// to catch "a renamed field silently broke a prompt".
+//
+// Zero core dependency by design: `verify` takes a PLAIN field tree (no
+// metadata import). The CLI derives that tree from the loaded object.value and
+// passes it in — keeping this engine a standalone, byte-portable module.
+
+import Mustache from "mustache";
+import type { Provider } from "./provider.js";
+
+/** A `{{var}}` references a field the (contextual) payload does not declare. */
+export const ERR_VAR_NOT_ON_PAYLOAD = "ERR_VAR_NOT_ON_PAYLOAD";
+/** A `{{> ref}}` partial does not resolve in the provider. */
+export const ERR_PARTIAL_UNRESOLVED = "ERR_PARTIAL_UNRESOLVED";
+/** A declared @requiredSlots slot is never referenced by the template (warning). */
+export const ERR_REQUIRED_SLOT_UNUSED = "ERR_REQUIRED_SLOT_UNUSED";
+
+/**
+ * A plain field-tree node mirroring an `object.value` view-object's field walk.
+ * `fields` present → a context-pushing field (object / array-of-object); absent
+ * → a scalar (string/number/boolean/scalar-array).
+ */
+export interface PayloadField {
+  name: string;
+  fields?: PayloadField[];
+}
+
+export interface VerifyError {
+  code: string;
+  /** The offending variable path, partial ref, or slot name. */
+  path: string;
+}
+
+export interface VerifyOptions {
+  /** When given, `{{> ref}}` partials are resolved + their bodies recursed. */
+  provider?: Provider;
+  /** Slots that MUST be referenced; an unused one is reported as a warning. */
+  requiredSlots?: string[];
+}
+
+const MAX_DEPTH = 32;
+
+// A Mustache parse token: [type, value, start, end, subTokens?, ...].
+type Token = readonly unknown[];
+// The context stack — innermost context last, mirroring Mustache lookup order.
+type Stack = readonly PayloadField[][];
+
+function find(fields: PayloadField[], name: string): PayloadField | undefined {
+  return fields.find((f) => f.name === name);
+}
+
+// Resolve a (possibly dotted) variable path the way Mustache does: the FIRST
+// segment is looked up through the context stack (innermost → outermost); each
+// remaining segment is a direct descent into the resolved field's `fields`.
+// Returns the resolved field, or undefined if any segment is missing.
+function resolve(stack: Stack, path: string): PayloadField | undefined {
+  const segs = path.split(".");
+  let current: PayloadField | undefined;
+  for (let i = stack.length - 1; i >= 0; i--) {
+    const hit = find(stack[i]!, segs[0]!);
+    if (hit) {
+      current = hit;
+      break;
+    }
+  }
+  for (let i = 1; current && i < segs.length; i++) {
+    current = current.fields ? find(current.fields, segs[i]!) : undefined;
+  }
+  return current;
+}
+
+function parse(text: string): Token[] {
+  return Mustache.parse(text) as unknown as Token[];
+}
+
+/**
+ * Walk a Mustache template's tokens against a payload field tree, returning a
+ * list of drift errors. Context-sensitive: a section `{{#posts}}…{{/posts}}`
+ * over a container field checks its body against that field's element type.
+ */
+export function verify(
+  templateText: string,
+  fields: PayloadField[],
+  opts?: VerifyOptions,
+): VerifyError[] {
+  const errors: VerifyError[] = [];
+  const provider = opts?.provider;
+  const root = fields;
+  const referencedAtRoot = new Set<string>();
+
+  function walk(tokens: Token[], stack: Stack, seen: readonly string[]): void {
+    const atRoot = stack.length === 1 && stack[0] === root;
+    for (const tok of tokens) {
+      const type = tok[0] as string;
+      const value = tok[1] as string;
+      switch (type) {
+        case "name": // {{x}}
+        case "&": // {{&x}}
+        case "{": {
+          // {{{x}}} (spec); mustache.js emits "&" for it too
+          if (value === ".") break; // implicit iterator — always valid
+          if (atRoot) referencedAtRoot.add(value.split(".")[0]!);
+          if (!resolve(stack, value)) errors.push({ code: ERR_VAR_NOT_ON_PAYLOAD, path: value });
+          break;
+        }
+        case "#": // {{#x}}…{{/x}}
+        case "^": {
+          // {{^x}}…{{/x}}
+          const sub = Array.isArray(tok[4]) ? (tok[4] as Token[]) : [];
+          if (value === ".") {
+            walk(sub, stack, seen);
+            break;
+          }
+          if (atRoot) referencedAtRoot.add(value.split(".")[0]!);
+          const field = resolve(stack, value);
+          if (!field) {
+            // Unresolved section head is itself drift; skip the body (its
+            // context is unknowable, walking it would cascade false errors).
+            errors.push({ code: ERR_VAR_NOT_ON_PAYLOAD, path: value });
+            break;
+          }
+          // `#` over a container pushes its element fields; `^` (and `#` over a
+          // scalar, used as a conditional) keep the current context.
+          const push = type === "#" && field.fields !== undefined;
+          walk(sub, push ? [...stack, field.fields!] : stack, seen);
+          break;
+        }
+        case ">": {
+          // {{> group/source}}
+          if (!provider) break; // can't resolve without a provider
+          if (seen.includes(value) || seen.length >= MAX_DEPTH) break; // cycle/depth guard
+          const text = provider.resolve(value);
+          if (text === undefined) {
+            errors.push({ code: ERR_PARTIAL_UNRESOLVED, path: value });
+            break;
+          }
+          walk(parse(text), stack, [...seen, value]);
+          break;
+        }
+        default:
+          break; // text / comment / set-delimiter
+      }
+    }
+  }
+
+  walk(parse(templateText), [root], []);
+
+  for (const slot of opts?.requiredSlots ?? []) {
+    if (!referencedAtRoot.has(slot)) errors.push({ code: ERR_REQUIRED_SLOT_UNUSED, path: slot });
+  }
+
+  return errors;
+}