@blamejs/core 0.14.26 → 0.15.0

package/lib/guard-jsonpath.js

@@ -333,180 +333,47 @@ function sanitize(input, opts) {
     throw _err("jsonpath.bad-input", "sanitize requires string input");
   }
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "jsonpath.refused",
-        "guardJsonpath.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardJsonpathError, codePrefix: "jsonpath" });
   return input;
 }
 
-/**
- * @primitive  b.guardJsonpath.gate
- * @signature  b.guardJsonpath.gate(opts)
- * @since      0.7.13
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardJsonpath.validate, b.guardJsonpath.sanitize
- *
- * Build a `b.gateContract` gate that screens `ctx.identifier` (or
- * `ctx.jsonpath`) before the path reaches a JSONPath evaluator.
- * Action chain: `serve` (no issues) → `audit-only` (warn-only) →
- * `refuse` (any `critical` or `high`). No `sanitize` action —
- * JSONPath strings cannot be repaired. Compose into query
- * endpoints / search filters / data-export flows so operator-fed
- * paths hit the guard before any evaluator dispatch.
- *
- * @opts
- *   profile:                "strict"|"balanced"|"permissive",
- *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
- *   name:                   string,    // override gate name in audit emissions
- *   filterExprPolicy:       "reject"|"audit"|"allow",
- *   scriptExprPolicy:       "reject"|"audit"|"allow",
- *   dynamicHintPolicy:      "reject"|"audit"|"allow",
- *   bracketNestingPolicy:   "reject"|"audit"|"allow",
- *   recursiveDescentPolicy: "reject"|"audit"|"allow",
- *   maxRecursiveDescents:   number,
- *   maxPatternBytes:        number,
- *
- * @example
- *   var gate = b.guardJsonpath.gate({ profile: "strict" });
- *
- *   gate({ identifier: "$..[?(@.x)]" }).then(function (rv) {
- *     rv.ok;                                           // → false
- *     rv.action;                                       // → "refuse"
- *   });
- *
- *   gate({ identifier: "$.users[*].name" }).then(function (rv) {
- *     rv.action;                                       // → "serve"
- *   });
- */
-function gate(opts) {
-  opts = _resolveOpts(opts);
-  return gateContract.buildGuardGate(
-    opts.name || "guardJsonpath:" + (opts.profile || "default"),
-    opts,
-    async function (ctx) {
-      var pattern = ctx && (ctx.identifier || ctx.jsonpath);
-      if (pattern === undefined || pattern === null) {
-        return { ok: true, action: "serve" };
-      }
-      var rv = validate(pattern, opts);
-      if (rv.issues.length === 0) return { ok: true, action: "serve" };
-      var hasCritical = rv.issues.some(function (i) {
-        return i.severity === "critical";
-      });
-      var hasHigh = rv.issues.some(function (i) {
-        return i.severity === "high";
-      });
-      if (!hasCritical && !hasHigh) {
-        return { ok: true, action: "audit-only", issues: rv.issues };
-      }
-      return { ok: false, action: "refuse", issues: rv.issues };
-    });
-}
+// The gate is the standard serve -> audit-only -> refuse chain; it is
+// assembled by gateContract.defineGuard's default gate below. JSONPath
+// strings can't be repaired, so there's no sanitize action — the default
+// chain (no sanitize) matches exactly. The default gate reads the path
+// from ctx.identifier || ctx.jsonpath via spec.ctxFields; its
+// "guardJsonpath:<profile>" gate name and serve/audit-only/refuse
+// decisions are identical to the hand-written gate this replaced.
 
-/**
- * @primitive  b.guardJsonpath.buildProfile
- * @signature  b.guardJsonpath.buildProfile(opts)
- * @since      0.7.13
- * @status     stable
- * @related    b.guardJsonpath.gate, b.guardJsonpath.compliancePosture
- *
- * Compose a derived guardJsonpath profile from one or more named
- * bases plus inline overrides. `opts.extends` is a profile name
- * (`"strict"` / `"balanced"` / `"permissive"`) or an array of
- * names; later entries shadow earlier ones. Inline `opts` keys win
- * last. Used to keep operator-defined profiles traceable to a
- * baseline rather than re-typing every key.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guardJsonpath key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardJsonpath.buildProfile({
- *     extends: "balanced",
- *     maxRecursiveDescents: 1,
- *     recursiveDescentPolicy: "reject",
- *   });
- *   custom.maxRecursiveDescents;                       // → 1
- *   custom.filterExprPolicy;                           // → "reject"
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardJsonpath.compliancePosture
- * @signature  b.guardJsonpath.compliancePosture(name)
- * @since      0.7.13
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardJsonpath.gate, b.guardJsonpath.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardJsonpathError("jsonpath.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardJsonpath.compliancePosture("hipaa");
- *   posture.filterExprPolicy;                          // → "reject"
- *   posture.forensicSnippetBytes;                      // → 256
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "jsonpath");
-}
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below (makeProfileBuilder(PROFILES) /
+// lookupCompliancePosture(_, COMPLIANCE_POSTURES) / makeRulePackLoader).
+// Their wiki sections render from the single-sourced @abiTemplate blocks
+// in gate-contract.js, instantiated per guard by the page generator.
 
-var _jpRulePacks = gateContract.makeRulePackLoader(GuardJsonpathError, "jsonpath");
-/**
- * @primitive  b.guardJsonpath.loadRulePack
- * @signature  b.guardJsonpath.loadRulePack(pack)
- * @since      0.7.13
- * @status     stable
- * @related    b.guardJsonpath.gate
- *
- * Register an operator-supplied rule pack with the guardJsonpath
- * registry. The pack is identified by `pack.id` (non-empty string)
- * and stored for later inspection / dispatch by gates that opt in
- * via `opts.rulePackId`. Returns the pack object unchanged on
- * success; throws `GuardJsonpathError("jsonpath.bad-opt")` when
- * `pack` is missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardJsonpath.loadRulePack({
- *     id: "no-wildcards",
- *     rules: [
- *       { id: "wildcard", severity: "high",
- *         detect: function (path) { return path.indexOf("[*]") !== -1; },
- *         reason: "wildcard index forbidden in this context" },
- *     ],
- *   });
- *   pack.id;                                           // → "no-wildcards"
- */
-var loadRulePack = _jpRulePacks.load;
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "identifier",
+  benignBytes:       Buffer.from("$.users[*].name", "utf8"),
+  hostileBytes:      Buffer.from("$..[?(@.x)]", "utf8"),
+  benignIdentifier:  "$.users[*].name",
+  hostileIdentifier: "$..[?(@.x)]",
+});
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "jsonpath",
-  KIND:                "identifier",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "identifier",
-    benignBytes:       Buffer.from("$.users[*].name", "utf8"),
-    hostileBytes:      Buffer.from("$..[?(@.x)]", "utf8"),
-    benignIdentifier:  "$.users[*].name",
-    hostileIdentifier: "$..[?(@.x)]",
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardJsonpathError:  GuardJsonpathError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
+// compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize). The gate is the factory default
+// serve/audit-only/refuse chain, reading the path from
+// `ctx.identifier` || `ctx.jsonpath` via `ctxFields`.
+module.exports = gateContract.defineGuard({
+  name:        "jsonpath",
+  kind:        "identifier",
+  errorClass:  GuardJsonpathError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  ctxFields:   ["identifier", "jsonpath"],
+});

package/lib/guard-jwt.js

@@ -545,152 +545,17 @@ function sanitize(input, opts) {
   // JWT shape can't be repaired — sanitize either passes through
   // valid input or throws.
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "jwt.refused",
-        "guardJwt.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardJwtError, codePrefix: "jwt" });
   return input;
 }
 
-/**
- * @primitive  b.guardJwt.gate
- * @signature  b.guardJwt.gate(opts?)
- * @since      0.7.49
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardJwt.validate, b.guardJwt.sanitize, b.middleware.bearerAuth
- *
- * Build a `gateContract.buildGuardGate`-shaped gate that pulls
- * `ctx.identifier` (or `ctx.token` / `ctx.jwt`) and dispatches to
- * `validate`. Returns `{ ok: true, action: "serve" }` when the
- * issue list is empty, `{ ok: true, action: "audit-only", issues }`
- * when only low-severity issues fire, and `{ ok: false, action:
- * "refuse", issues }` on any `critical` / `high` issue. Compose
- * into auth pipelines via `b.middleware.bearerAuth` so every
- * bearer token is shape-checked before signature verification.
- *
- * @opts
- *   profile:    "strict"|"balanced"|"permissive",
- *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
- *   name:       string,            // gate label for audit trails
- *   ...:        every guardJwt.validate opt is honored,
- *
- * @example
- *   var jwtGate = b.guardJwt.gate({ profile: "strict" });
- *   var rv = await jwtGate.check({
- *     identifier:
- *       "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
- *       "eyJzdWIiOiJhdHRhY2tlciJ9.",
- *   });
- *   rv.action;                                          // → "refuse"
- *   rv.issues[0].ruleId;                                // → "jwt.alg-none"
- */
-function gate(opts) {
-  opts = _resolveOpts(opts);
-  return gateContract.buildGuardGate(
-    opts.name || "guardJwt:" + (opts.profile || "default"),
-    opts,
-    async function (ctx) {
-      var identifier = ctx && (ctx.identifier || ctx.token || ctx.jwt || "");
-      if (!identifier) return { ok: true, action: "serve" };
-      var rv = validate(identifier, opts);
-      if (rv.issues.length === 0) return { ok: true, action: "serve" };
-      var hasCritical = rv.issues.some(function (i) {
-        return i.severity === "critical";
-      });
-      var hasHigh = rv.issues.some(function (i) {
-        return i.severity === "high";
-      });
-      if (!hasCritical && !hasHigh) {
-        return { ok: true, action: "audit-only", issues: rv.issues };
-      }
-      return { ok: false, action: "refuse", issues: rv.issues };
-    });
-}
-
-/**
- * @primitive  b.guardJwt.buildProfile
- * @signature  b.guardJwt.buildProfile(opts)
- * @since      0.7.49
- * @status     stable
- * @related    b.guardJwt.gate, b.guardJwt.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name (`"strict"` /
- * `"balanced"` / `"permissive"`) or an array of names; later
- * entries shadow earlier ones, and inline `opts` keys win last.
- * Operators stage profile overlays here so the final shape is
- * traceable to a baseline rather than a hand-typed dictionary.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guardJwt key,  // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardJwt.buildProfile({
- *     extends: "balanced",
- *     algAllowlistPolicy: "reject",
- *     allowedAlgs: ["ES256", "EdDSA"],
- *   });
- *   custom.algAllowlistPolicy;                          // → "reject"
- *   custom.allowedAlgs.indexOf("ES256");                // → 0
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardJwt.compliancePosture
- * @signature  b.guardJwt.compliancePosture(name)
- * @since      0.7.49
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardJwt.gate, b.guardJwt.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardJwtError("jwt.bad-posture")` on unknown name. Postures
- * extend the strict profile (or balanced for `gdpr`) with a
- * `forensicSnippetBytes` cap appropriate to the regime.
- *
- * @example
- *   var posture = b.guardJwt.compliancePosture("hipaa");
- *   posture.algNonePolicy;                              // → "reject"
- *   posture.forensicSnippetBytes;                       // → 256
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "jwt");
-}
-
-var _jwtRulePacks = gateContract.makeRulePackLoader(GuardJwtError, "jwt");
-/**
- * @primitive  b.guardJwt.loadRulePack
- * @signature  b.guardJwt.loadRulePack(pack)
- * @since      0.7.49
- * @status     stable
- * @related    b.guardJwt.gate
- *
- * Register an operator-supplied rule pack with the guard-jwt
- * registry. The pack is identified by `pack.id` (non-empty
- * string) and stored for later inspection / dispatch by gates
- * that opt in via `opts.rulePackId`. Returns the pack object
- * unchanged on success; throws `GuardJwtError("jwt.bad-opt")`
- * when `pack` is missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardJwt.loadRulePack({
- *     id: "tenant-issuer-pin",
- *     rules: [
- *       { id: "iss-pin", severity: "high",
- *         detect: function (claims) { return claims.iss !== "https://idp.example/"; },
- *         reason: "tenant pins iss to a single IdP" },
- *     ],
- *   });
- *   pack.id;                                            // → "tenant-issuer-pin"
- */
-var loadRulePack = _jwtRulePacks.load;
+// gate is the standard serve -> audit-only -> refuse chain over
+// ctx.identifier || ctx.token || ctx.jwt (the KIND "identifier" ctx
+// fields); gateContract.defineGuard supplies it as the default gate.
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below; their wiki sections render from the
+// single-sourced @abiTemplate blocks in gate-contract.js, instantiated
+// per guard by the page generator.
 
 /**
  * @primitive  b.guardJwt.kidSafe
@@ -735,39 +600,44 @@ function kidSafe(kid) {
   return kid;
 }
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "jwt",
-  KIND:                "identifier",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "identifier",
-    // Benign: minimal v4 token with alg=ES256, valid JSON header / payload.
-    benignBytes: Buffer.from(
-      "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
-      "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9." +
-      "sig", "utf8"),
-    benignIdentifier:
-      "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
-      "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9." +
-      "sig",
-    // Hostile: alg=none — universal refuse class.
-    hostileBytes: Buffer.from(
-      "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
-      "eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.", "utf8"),
-    hostileIdentifier:
-      "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
-      "eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.",
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  kidSafe:             kidSafe,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardJwtError:       GuardJwtError,
-};
+// ---- guard-* family registry exports ----
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "identifier",
+  // Benign: minimal v4 token with alg=ES256, valid JSON header / payload.
+  benignBytes: Buffer.from(
+    "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
+    "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9." +
+    "sig", "utf8"),
+  benignIdentifier:
+    "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
+    "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9." +
+    "sig",
+  // Hostile: alg=none — universal refuse class.
+  hostileBytes: Buffer.from(
+    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
+    "eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.", "utf8"),
+  hostileIdentifier:
+    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
+    "eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.",
+});
+
+// Assembled from the gate-contract guard factory. KIND "identifier"; the
+// gate is the standard serve -> audit-only -> refuse chain over
+// ctx.identifier || ctx.token || ctx.jwt, so the guard takes the factory
+// default gate (no bespoke `gate` passed) and the factory supplies the
+// error class, registry exports, buildProfile / compliancePosture /
+// loadRulePack wiring, and the kidSafe extra.
+module.exports = gateContract.defineGuard({
+  name:        "jwt",
+  kind:        "identifier",
+  errorClass:  GuardJwtError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  extra: {
+    kidSafe: kidSafe,
+  },
+});

package/lib/guard-list-id.js

@@ -73,6 +73,7 @@
 
 var C                  = require("./constants");
 var { defineClass }    = require("./framework-error");
+var gateContract       = require("./gate-contract");
 
 var GuardListIdError = defineClass("GuardListIdError", { alwaysPermanent: true });
 
@@ -102,11 +103,15 @@ var PROFILES = Object.freeze({
   },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
+
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: GuardListIdError,
+  codePrefix: "guard-list-id",
+  byObject:   true,
 });
 
 // RFC 5322 §3.2.3 dot-atom-text shape — alphanumeric + select
@@ -261,21 +266,10 @@ function validate(headerValue, opts) {
   };
 }
 
-/**
- * @primitive b.guardListId.compliancePosture
- * @signature b.guardListId.compliancePosture(posture)
- * @since     0.9.40
- * @status    stable
- *
- * Return the effective profile name for a compliance posture, or
- * `null` for unknown posture names.
- *
- * @example
- *   b.guardListId.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
 
 function _hasControlChar(s) {
   for (var i = 0; i < s.length; i += 1) {
@@ -296,24 +290,14 @@ function _refuse(reason) {
   };
 }
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return PROFILES[COMPLIANCE_POSTURES[opts.posture]];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new GuardListIdError("guard-list-id/bad-profile",
-      "guardListId: unknown profile '" + p + "'");
-  }
-  return PROFILES[p];
-}
-
-module.exports = {
-  validate:               validate,
-  compliancePosture:      compliancePosture,
-  PROFILES:               PROFILES,
-  COMPLIANCE_POSTURES:    COMPLIANCE_POSTURES,
-  GuardListIdError:       GuardListIdError,
-  NAME:                   "listId",
-  KIND:                   "list-id",
-};
+module.exports = gateContract.defineParser({
+  name:       "listId",
+  entry:      validate,
+  errorClass: GuardListIdError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    NAME: "listId",
+    KIND: "list-id",
+  },
+});

package/lib/guard-list-unsubscribe.js

@@ -79,6 +79,7 @@
 var C                  = require("./constants");
 var { defineClass }    = require("./framework-error");
 var safeUrl            = require("./safe-url");
+var gateContract       = require("./gate-contract");
 
 var GuardListUnsubscribeError = defineClass("GuardListUnsubscribeError", { alwaysPermanent: true });
 
@@ -111,11 +112,15 @@ var PROFILES = Object.freeze({
   },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
+
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: GuardListUnsubscribeError,
+  codePrefix: "guard-list-unsubscribe",
+  byObject:   true,
 });
 
 // RFC 8058 §2: Post header value MUST be exactly
@@ -328,21 +333,10 @@ function validate(headers, opts) {
     { uris: classified, hasHttpsUri: hasHttpsUri, hasMailtoUri: hasMailtoUri, postHeaderOk: postHeaderOk });
 }
 
-/**
- * @primitive b.guardListUnsubscribe.compliancePosture
- * @signature b.guardListUnsubscribe.compliancePosture(posture)
- * @since     0.9.39
- * @status    stable
- *
- * Return the effective profile name for a compliance posture, or
- * `null` for unknown posture names.
- *
- * @example
- *   b.guardListUnsubscribe.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
 
 function _extractUris(raw, maxUris) {
   // RFC 2369 §3.1 — comma-separated `<URI>` items. Walk angle-
@@ -386,26 +380,16 @@ function _verdict(action, reason, extra) {
   };
 }
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return PROFILES[COMPLIANCE_POSTURES[opts.posture]];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new GuardListUnsubscribeError("guard-list-unsubscribe/bad-profile",
-      "guardListUnsubscribe: unknown profile '" + p + "'");
-  }
-  return PROFILES[p];
-}
-
-module.exports = {
-  validate:                       validate,
-  compliancePosture:              compliancePosture,
-  PROFILES:                       PROFILES,
-  COMPLIANCE_POSTURES:            COMPLIANCE_POSTURES,
-  ONE_CLICK_POST_VALUE:           ONE_CLICK_POST_VALUE,
-  DANGEROUS_SCHEMES:              DANGEROUS_SCHEMES,
-  GuardListUnsubscribeError:      GuardListUnsubscribeError,
-  NAME:                           "listUnsubscribe",
-  KIND:                           "list-unsubscribe",
-};
+module.exports = gateContract.defineParser({
+  name:       "listUnsubscribe",
+  entry:      validate,
+  errorClass: GuardListUnsubscribeError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    ONE_CLICK_POST_VALUE: ONE_CLICK_POST_VALUE,
+    DANGEROUS_SCHEMES:    DANGEROUS_SCHEMES,
+    NAME:                 "listUnsubscribe",
+    KIND:                 "list-unsubscribe",
+  },
+});