Developer preview. Vela, Facet, and Quire are pre-release and in active development — syntax, APIs, and availability may change, and they are not yet generally available.
SStretch Dev Docs
Quire

Hardening & Threat Model

Fuzz containment, round-trip properties, safe IR checks, schema constraints, and runtime boundaries.

Quire hardening protects the language invariant: source compiles only to declarative stretchpress.blocks.v1 data.

Fuzz containment

The hardening test suite runs deterministic lexer and parser fuzz inputs through validateQuire(). Malformed buffers are expected to produce diagnostics and not crash the language service path.

Scale safety fuzzing uses the same containment principle:

quire bench-safety --cases 1000 --json

Its output format is quire.scale-safety, with counts for cases, compiled documents, diagnostics, and whether the run remained contained.

Property round trip

The hardening suite generates valid Quire programs that include formatter pipes, i18n expressions, token references, partial and include expansion, named slots, regions, conditionals, repeats, and capability descriptors.

Generated source is compiled, validated against the IR JSON Schema, imported back to .quire, recompiled, and compared on semantic IR: view, bindings, and blocks.

From examples/site/docs.quire, this kind of valid source includes imports, localization descriptors, includes, slots, regions, repeats, and token references:

  include Hero hero {
    eyebrow page.eyebrow
    title page.title
    body page.heroBody
    media page.heroImage
    ctaLabel page.primaryLabel
    ctaUrl page.primaryUrl
    slot secondaryAction {
      button secondaryAction {
        label page.secondaryLabel
        action navigation.open(page.secondaryUrl)
        variant token("action.hero.secondary")
      }
    }
  }

  region quickStart {
    variant token("site.docs.quickstart")

Safe IR contract

assertBlockContract() calls assertSafeBlockDocument(). The safe IR check rejects executable escape-hatch keys such as raw HTML, raw CSS, raw JavaScript, script/style/eval/code fields, DOM HTML injection fields, event-handler keys, and prototype-pollution keys anywhere in emitted IR.

The compiler and type checker also reject raw escape-hatch attributes because they are not schema-defined block props.

Schema constraints

Project schemas, live-schema feeds, and capability registries constrain type specs to declarative identifier, list, optional, and union syntax. Executable-looking type strings and unsupported descriptor fields are rejected before they enter compiler metadata.

Threat model boundary

The source threat model covers trust boundaries, no-execution controls, capability descriptor limits, migration risks, and residual host-runtime responsibilities. Quire can constrain source and emitted IR, but host runtimes remain responsible for honoring only supported capabilities and safely rendering compiled descriptors.