@blamejs/core 0.14.26 → 0.15.0

package/lib/guard-markdown.js

@@ -589,12 +589,8 @@ function sanitize(input, opts) {
     throw _err("markdown.bad-input", "sanitize requires string input");
   }
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical") {
-      throw _err(issues[i].ruleId || "markdown.refused",
-        "guardMarkdown.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues,
+    { errorClass: GuardMarkdownError, codePrefix: "markdown", severities: ["critical"] });
   return codepointClass.applyCharStripPolicies(input, opts);
 }
 
@@ -667,102 +663,39 @@ function gate(opts) {
     });
 }
 
-/**
- * @primitive  b.guardMarkdown.buildProfile
- * @signature  b.guardMarkdown.buildProfile(opts)
- * @since      0.7.16
- * @status     stable
- * @related    b.guardMarkdown.gate, b.guardMarkdown.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name or array of
- * names (later entries shadow earlier ones); inline keys win last.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guard-markdown key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardMarkdown.buildProfile({
- *     extends: "balanced",
- *     dangerousTagPolicy: "strip",
- *     schemeAllowlist: ["http", "https"],
- *   });
- *   custom.dangerousTagPolicy;                         // → "strip"
- *   custom.schemeAllowlist.indexOf("mailto");          // → -1
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardMarkdown.compliancePosture
- * @signature  b.guardMarkdown.compliancePosture(name)
- * @since      0.7.16
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardMarkdown.gate, b.guardMarkdown.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardMarkdownError("markdown.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardMarkdown.compliancePosture("hipaa");
- *   posture.dangerousTagPolicy;                        // → "reject"
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES, _err, "markdown");
-}
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below (makeProfileBuilder(PROFILES) /
+// lookupCompliancePosture(_, COMPLIANCE_POSTURES) / makeRulePackLoader).
+// Their wiki sections render from the single-sourced @abiTemplate blocks
+// in gate-contract.js, instantiated per guard by the page generator.
+
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:         "content",
+  contentType:  "text/markdown",
+  extension:    ".md",
+  benignBytes:  Buffer.from(
+    "# Title\n\nA [link](https://example.com) and *emphasis*.\n", "utf8"),
+  // Hostile: link with javascript: scheme — CVE-2025-9540 class.
+  hostileBytes: Buffer.from(
+    "# x\n\n[click](javascript:alert(1))\n", "utf8"),
+});
 
-var _markdownRulePacks = gateContract.makeRulePackLoader(GuardMarkdownError, "markdown");
-/**
- * @primitive  b.guardMarkdown.loadRulePack
- * @signature  b.guardMarkdown.loadRulePack(pack)
- * @since      0.7.16
- * @status     stable
- * @related    b.guardMarkdown.gate
- *
- * Register an operator-supplied rule pack with the guard-markdown
- * registry. The pack is identified by `pack.id` (non-empty
- * string) and stored for later inspection / dispatch by gates
- * that opt in via `opts.rulePackId`. Throws
- * `GuardMarkdownError("markdown.bad-opt")` when `pack` is missing
- * or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardMarkdown.loadRulePack({
- *     id: "wiki-internal",
- *     extraSchemeAllowlist: ["wiki"],
- *   });
- *   pack.id;                                           // → "wiki-internal"
- */
-var loadRulePack = _markdownRulePacks.load;
-
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "markdown",
-  KIND:                "content",
-  MIME_TYPES:          Object.freeze(["text/markdown", "text/x-markdown", "text/x-gfm"]),
-  EXTENSIONS:          Object.freeze([".md", ".markdown"]),
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:         "content",
-    contentType:  "text/markdown",
-    extension:    ".md",
-    benignBytes:  Buffer.from(
-      "# Title\n\nA [link](https://example.com) and *emphasis*.\n", "utf8"),
-    // Hostile: link with javascript: scheme — CVE-2025-9540 class.
-    hostileBytes: Buffer.from(
-      "# x\n\n[click](javascript:alert(1))\n", "utf8"),
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardMarkdownError:  GuardMarkdownError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / MIME_TYPES / EXTENSIONS / INTEGRATION_FIXTURES),
+// buildProfile / compliancePosture / loadRulePack wiring, plus the
+// per-guard inspection surface (validate / sanitize). The bespoke `gate`
+// carries markdown's sanitize-and-reemit chain unchanged.
+module.exports = gateContract.defineGuard({
+  name:        "markdown",
+  kind:        "content",
+  errorClass:  GuardMarkdownError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  mimeTypes:   ["text/markdown", "text/x-markdown", "text/x-gfm"],
+  extensions:  [".md", ".markdown"],
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  gate:        gate,
+});

package/lib/guard-message-id.js

@@ -50,6 +50,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var GuardMessageIdError = defineClass("GuardMessageIdError", { alwaysPermanent: true });
 
@@ -61,12 +62,7 @@ var PROFILES = Object.freeze({
   permissive: { requireBrackets: false, maxBytes: 4096 },                                         // permissive cap, not bytes-as-storage
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 // Bidi codepoints refused — same set the framework's address-bidi
 // defense uses (RFC 5322 §3.6.4 doesn't speak EAI codepoints, but RTL
@@ -225,43 +221,28 @@ function validateList(value, opts) {
   return ids;
 }
 
-/**
- * @primitive b.guardMessageId.compliancePosture
- * @signature b.guardMessageId.compliancePosture(posture)
- * @since     0.9.19
- * @status    stable
- *
- * Return the effective profile for a given compliance posture.
- * Composed by `b.compliance.set` to surface "what posture is active
- * for which guard" in audit rows.
- *
- * @example
- *   b.guardMessageId.compliancePosture("hipaa");      // → "strict"
- *   b.guardMessageId.compliancePosture("unknown");    // → null
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return COMPLIANCE_POSTURES[opts.posture];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new GuardMessageIdError("message-id/bad-profile",
-      "guardMessageId: unknown profile '" + p + "' (use strict / balanced / permissive)");
-  }
-  return p;
-}
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: GuardMessageIdError,
+  codePrefix: "message-id",
+});
 
-module.exports = {
-  validate:           validate,
-  validateList:       validateList,
-  compliancePosture:  compliancePosture,
-  PROFILES:           PROFILES,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardMessageIdError: GuardMessageIdError,
-  NAME:               "messageId",
-  KIND:               "identifier",
-};
+module.exports = gateContract.defineParser({
+  name:       "message-id",
+  entry:      validate,
+  errorClass: GuardMessageIdError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    validateList: validateList,
+    NAME:         "messageId",
+    KIND:         "identifier",
+  },
+});

package/lib/guard-mime.js

@@ -443,12 +443,9 @@ function sanitize(input, opts) {
     throw _err("mime.bad-input", "sanitize requires string input");
   }
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "mime.refused",
-        "guardMime.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, {
+    errorClass: GuardMimeError, codePrefix: "mime",
+  });
   // Normalize: lowercase the type/subtype; preserve parameter case
   // because some parameter values are case-significant (e.g. boundary
   // tokens in multipart/form-data).
@@ -459,151 +456,42 @@ function sanitize(input, opts) {
   }, canonical);
 }
 
-/**
- * @primitive  b.guardMime.gate
- * @signature  b.guardMime.gate(opts?)
- * @since      0.7.47
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardMime.validate, b.guardMime.sanitize, b.guardAll.gate
- *
- * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
- * by `b.guardAll`, `b.staticServe`, `b.fileUpload`, and any other
- * host that integrates the guard contract. The gate reads
- * `ctx.identifier` (or `ctx.mime`), runs `validate`, and maps
- * severity to action: zero issues `serve`; only low/medium
- * `audit-only`; any high/critical `refuse`.
- *
- * @opts
- *   name:                   string,    // gate label for audit / observability
- *   profile:                "strict"|"balanced"|"permissive",
- *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
- *   ...:                    same shape as b.guardMime.validate opts,
- *
- * @example
- *   var g = b.guardMime.gate({ profile: "strict" });
- *   var rv = await g.check({ identifier: "application/json" });
- *   rv.action;                                         // → "serve"
- *
- *   var bad = await g.check({ identifier: "application/x-msdownload" });
- *   bad.action;                                        // → "refuse"
- */
-function gate(opts) {
-  opts = _resolveOpts(opts);
-  return gateContract.buildGuardGate(
-    opts.name || "guardMime:" + (opts.profile || "default"),
-    opts,
-    async function (ctx) {
-      var identifier = ctx && (ctx.identifier || ctx.mime || "");
-      if (!identifier) return { ok: true, action: "serve" };
-      var rv = validate(identifier, opts);
-      if (rv.issues.length === 0) return { ok: true, action: "serve" };
-      var hasCritical = rv.issues.some(function (i) {
-        return i.severity === "critical";
-      });
-      var hasHigh = rv.issues.some(function (i) {
-        return i.severity === "high";
-      });
-      if (!hasCritical && !hasHigh) {
-        return { ok: true, action: "audit-only", issues: rv.issues };
-      }
-      return { ok: false, action: "refuse", issues: rv.issues };
-    });
-}
-
-/**
- * @primitive  b.guardMime.buildProfile
- * @signature  b.guardMime.buildProfile(opts)
- * @since      0.7.47
- * @status     stable
- * @related    b.guardMime.gate, b.guardMime.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name or array of
- * names (later entries shadow earlier ones); inline keys win last.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guard-mime key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardMime.buildProfile({
- *     extends: "balanced",
- *     vendorTreePolicy: "audit",
- *   });
- *   custom.bidiPolicy;                                 // → "reject"
- *   custom.vendorTreePolicy;                           // → "audit"
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
+// The request-boundary gate is the gate-contract factory default: it reads
+// `ctx.identifier` (or `ctx.mime`), runs `validate`, and maps severity to
+// action — `serve` (no issue) / `audit-only` (info / warn) / `refuse` (any
+// high / critical). Its wiki section renders from the single-sourced
+// `@abiTemplate gate` block in gate-contract.js.
 
-/**
- * @primitive  b.guardMime.compliancePosture
- * @signature  b.guardMime.compliancePosture(name)
- * @since      0.7.47
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardMime.gate, b.guardMime.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardMimeError("mime.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardMime.compliancePosture("pci-dss");
- *   posture.riskyTypesPolicy;                          // → "reject"
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "mime");
-}
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below (makeProfileBuilder(PROFILES) /
+// lookupCompliancePosture(_, COMPLIANCE_POSTURES) / makeRulePackLoader).
+// Their wiki sections render from the single-sourced @abiTemplate blocks
+// in gate-contract.js, instantiated per guard by the page generator.
 
-var _mimeRulePacks = gateContract.makeRulePackLoader(GuardMimeError, "mime");
-/**
- * @primitive  b.guardMime.loadRulePack
- * @signature  b.guardMime.loadRulePack(pack)
- * @since      0.7.47
- * @status     stable
- * @related    b.guardMime.gate
- *
- * Register an operator-supplied rule pack with the guard-mime
- * registry. The pack is identified by `pack.id` (non-empty
- * string) and stored for later inspection / dispatch by gates
- * that opt in via `opts.rulePackId`. Returns the pack object
- * unchanged on success; throws `GuardMimeError("mime.bad-opt")`
- * when `pack` is missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardMime.loadRulePack({
- *     id: "operator-deny-flash",
- *     deny: ["application/x-shockwave-flash"],
- *   });
- *   pack.id;                                           // → "operator-deny-flash"
- */
-var loadRulePack = _mimeRulePacks.load;
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "identifier",
+  benignBytes:       Buffer.from("application/json", "utf8"),
+  hostileBytes:      Buffer.from("application/x-msdownload", "utf8"),
+  benignIdentifier:  "application/json",
+  // Hostile: risky-type — refused at strict (executable script-host
+  // class).
+  hostileIdentifier: "application/x-msdownload",
+});
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "mime",
-  KIND:                "identifier",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "identifier",
-    benignBytes:       Buffer.from("application/json", "utf8"),
-    hostileBytes:      Buffer.from("application/x-msdownload", "utf8"),
-    benignIdentifier:  "application/json",
-    // Hostile: risky-type — refused at strict (executable script-host
-    // class).
-    hostileIdentifier: "application/x-msdownload",
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardMimeError:      GuardMimeError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
+// compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize). The gate is the factory default chain,
+// dispatched to `ctx.identifier` / `ctx.mime` via ctxFields.
+module.exports = gateContract.defineGuard({
+  name:        "mime",
+  kind:        "identifier",
+  errorClass:  GuardMimeError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  ctxFields:   ["identifier", "mime"],
+});

package/lib/guard-oauth.js

@@ -89,8 +89,6 @@ var { GuardOauthError } = require("./framework-error");
 var observability = lazyRequire(function () { return require("./observability"); });
 void observability;
 
-var _err = GuardOauthError.factory;
-
 var SCOPE_TOKEN_RE = /^[\x21\x23-\x5b\x5d-\x7e]+$/;                              // RFC 6749 §3.3 scope-token charset
 var DEFAULT_RESPONSE_TYPES = Object.freeze(["code"]);
 
@@ -446,12 +444,7 @@ function sanitize(input, opts) {
   // OAuth flows can't be repaired — sanitize either passes through
   // valid input or throws.
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "oauth.refused",
-        "guardOauth.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardOauthError, codePrefix: "oauth" });
   return input;
 }
 
@@ -519,132 +512,58 @@ function gate(opts) {
     });
 }
 
-/**
- * @primitive  b.guardOauth.buildProfile
- * @signature  b.guardOauth.buildProfile(opts)
- * @since      0.7.49
- * @status     stable
- * @related    b.guardOauth.gate, b.guardOauth.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name (`"strict"` /
- * `"balanced"` / `"permissive"`) or an array of names; later
- * entries shadow earlier ones, and inline `opts` keys win last.
- * Operators stage profile overlays here so the final shape is
- * traceable to a baseline rather than a hand-typed dictionary.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guardOauth key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardOauth.buildProfile({
- *     extends: "balanced",
- *     pkcePolicy: "require-s256",
- *     allowedResponseTypes: ["code"],
- *   });
- *   custom.pkcePolicy;                                  // → "require-s256"
- *   custom.allowedResponseTypes.length;                 // → 1
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardOauth.compliancePosture
- * @signature  b.guardOauth.compliancePosture(name)
- * @since      0.7.49
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardOauth.gate, b.guardOauth.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardOauthError("oauth.bad-posture")` on unknown name.
- * Postures extend the strict profile (or balanced for `gdpr`)
- * with a `forensicSnippetBytes` cap appropriate to the regime.
- *
- * @example
- *   var posture = b.guardOauth.compliancePosture("pci-dss");
- *   posture.pkcePolicy;                                 // → "require-s256"
- *   posture.forensicSnippetBytes;                       // → 256
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "oauth");
-}
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below — their wiki sections render from the
+// single-sourced @abiTemplate blocks in gate-contract.js.
 
-var _oauthRulePacks = gateContract.makeRulePackLoader(GuardOauthError, "oauth");
-/**
- * @primitive  b.guardOauth.loadRulePack
- * @signature  b.guardOauth.loadRulePack(pack)
- * @since      0.7.49
- * @status     stable
- * @related    b.guardOauth.gate
- *
- * Register an operator-supplied rule pack with the guard-oauth
- * registry. The pack is identified by `pack.id` (non-empty
- * string) and stored for later inspection / dispatch by gates
- * that opt in via `opts.rulePackId`. Returns the pack object
- * unchanged on success; throws `GuardOauthError("oauth.bad-opt")`
- * when `pack` is missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardOauth.loadRulePack({
- *     id: "scope-narrow",
- *     rules: [
- *       { id: "no-admin", severity: "high",
- *         detect: function (flow) { return /\badmin\b/.test(flow.scope || ""); },
- *         reason: "tenant forbids admin scope on user-flow callbacks" },
- *     ],
- *   });
- *   pack.id;                                            // → "scope-narrow"
- */
-var loadRulePack = _oauthRulePacks.load;
+// ---- adaptive integration-test fixtures (consumed by layer-5 host harness) ----
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "oauth-flow",
+  benignBytes:       Buffer.from(JSON.stringify({
+    response_type: "code",
+    redirect_uri:  "https://app.example.com/callback",
+    state:         "csrf-rand-1",
+    scope:         "openid profile",
+    code_challenge: "abc123def456ghi789jkl012mno345pqr678",                   // base64url-shaped fixture
+    code_challenge_method: "S256",
+  }), "utf8"),
+  hostileBytes:      Buffer.from(JSON.stringify({
+    response_type: "code",
+    redirect_uri:  "https://attacker.example/callback",
+    // state missing — CSRF class
+    scope:         "openid",
+  }), "utf8"),
+  benignOauthFlow: {
+    response_type: "code",
+    redirect_uri:  "https://app.example.com/callback",
+    state:         "csrf-rand-1",
+    scope:         "openid profile",
+    code_challenge: "abc123def456ghi789jkl012mno345pqr678",                   // base64url-shaped fixture
+    code_challenge_method: "S256",
+  },
+  hostileOauthFlow: {
+    response_type: "code",
+    redirect_uri:  "https://attacker.example/callback",
+    // state missing → state-missing refuse
+    scope:         "openid",
+  },
+});
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "oauth",
-  KIND:                "oauth-flow",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "oauth-flow",
-    benignBytes:       Buffer.from(JSON.stringify({
-      response_type: "code",
-      redirect_uri:  "https://app.example.com/callback",
-      state:         "csrf-rand-1",
-      scope:         "openid profile",
-      code_challenge: "abc123def456ghi789jkl012mno345pqr678",                   // base64url-shaped fixture
-      code_challenge_method: "S256",
-    }), "utf8"),
-    hostileBytes:      Buffer.from(JSON.stringify({
-      response_type: "code",
-      redirect_uri:  "https://attacker.example/callback",
-      // state missing — CSRF class
-      scope:         "openid",
-    }), "utf8"),
-    benignOauthFlow: {
-      response_type: "code",
-      redirect_uri:  "https://app.example.com/callback",
-      state:         "csrf-rand-1",
-      scope:         "openid profile",
-      code_challenge: "abc123def456ghi789jkl012mno345pqr678",                   // base64url-shaped fixture
-      code_challenge_method: "S256",
-    },
-    hostileOauthFlow: {
-      response_type: "code",
-      redirect_uri:  "https://attacker.example/callback",
-      // state missing → state-missing refuse
-      scope:         "openid",
-    },
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardOauthError:     GuardOauthError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
+// compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize / bespoke gate) passed through verbatim.
+// The custom KIND ("oauth-flow") is accepted because the bespoke gate
+// reads its own ctx fields (ctx.oauthFlow / ctx.flow).
+module.exports = gateContract.defineGuard({
+  name:        "oauth",
+  kind:        "oauth-flow",
+  errorClass:  GuardOauthError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  gate:        gate,
+});