@blamejs/core 0.14.27 → 0.15.0

package/lib/guard-time.js

@@ -423,164 +423,42 @@ function sanitize(input, opts) {
     throw _err("time.bad-input", "sanitize requires string input");
   }
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "time.refused",
-        "guardTime.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardTimeError, codePrefix: "time" });
   // Normalize: lowercase the trailing `T` separator, uppercase the
   // `Z` UTC marker.
   return input.replace(/(\d) /, "$1T").replace(/z$/, "Z");
 }
 
-/**
- * @primitive  b.guardTime.gate
- * @signature  b.guardTime.gate(opts?)
- * @since      0.7.46
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardTime.validate, b.guardTime.sanitize, b.guardAll.gate
- *
- * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
- * by `b.guardAll`, audit pipelines, scheduling primitives, and
- * retention readers. The gate reads `ctx.identifier` (or
- * `ctx.timestamp` / `ctx.time`), runs `validate`, and maps
- * severity to action: zero issues `serve`; only low/medium
- * `audit-only`; any high/critical `refuse`.
- *
- * @opts
- *   name:                   string,    // gate label for audit / observability
- *   profile:                "strict"|"balanced"|"permissive",
- *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
- *   ...:                    same shape as b.guardTime.validate opts,
- *
- * @example
- *   var g = b.guardTime.gate({ profile: "strict" });
- *   var rv = await g.check({ identifier: "2026-05-05T12:34:56Z" });
- *   rv.action;                                         // → "serve"
- *
- *   var bad = await g.check({ identifier: "2026-05-05 12:34:56" });
- *   bad.action;                                        // → "refuse"
- */
-function gate(opts) {
-  opts = _resolveOpts(opts);
-  return gateContract.buildGuardGate(
-    opts.name || "guardTime:" + (opts.profile || "default"),
-    opts,
-    async function (ctx) {
-      var identifier = ctx && (ctx.identifier || ctx.timestamp || ctx.time || "");
-      if (!identifier) return { ok: true, action: "serve" };
-      var rv = validate(identifier, opts);
-      if (rv.issues.length === 0) return { ok: true, action: "serve" };
-      var hasCritical = rv.issues.some(function (i) {
-        return i.severity === "critical";
-      });
-      var hasHigh = rv.issues.some(function (i) {
-        return i.severity === "high";
-      });
-      if (!hasCritical && !hasHigh) {
-        return { ok: true, action: "audit-only", issues: rv.issues };
-      }
-      return { ok: false, action: "refuse", issues: rv.issues };
-    });
-}
+// gate / buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below; their wiki sections render from the
+// single-sourced @abiTemplate (defineGuard) blocks in gate-contract.js,
+// instantiated per guard by the page generator.
 
-/**
- * @primitive  b.guardTime.buildProfile
- * @signature  b.guardTime.buildProfile(opts)
- * @since      0.7.46
- * @status     stable
- * @related    b.guardTime.gate, b.guardTime.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name or array of
- * names (later entries shadow earlier ones); inline keys win last.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guard-time key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardTime.buildProfile({
- *     extends: "balanced",
- *     leapSecondPolicy: "audit",
- *     maxYear: 2200,
- *   });
- *   custom.naiveDatetimePolicy;                        // → "audit"
- *   custom.maxYear;                                    // → 2200
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardTime.compliancePosture
- * @signature  b.guardTime.compliancePosture(name)
- * @since      0.7.46
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardTime.gate, b.guardTime.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardTimeError("time.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardTime.compliancePosture("hipaa");
- *   posture.naiveDatetimePolicy;                       // → "reject"
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "time");
-}
-
-var _timeRulePacks = gateContract.makeRulePackLoader(GuardTimeError, "time");
-/**
- * @primitive  b.guardTime.loadRulePack
- * @signature  b.guardTime.loadRulePack(pack)
- * @since      0.7.46
- * @status     stable
- * @related    b.guardTime.gate
- *
- * Register an operator-supplied rule pack with the guard-time
- * registry. The pack is identified by `pack.id` (non-empty
- * string) and stored for later inspection / dispatch by gates
- * that opt in via `opts.rulePackId`. Throws
- * `GuardTimeError("time.bad-opt")` when `pack` is missing or
- * `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardTime.loadRulePack({
- *     id: "audit-window",
- *     minYear: 2020,
- *     maxYear: 2030,
- *   });
- *   pack.id;                                           // → "audit-window"
- */
-var loadRulePack = _timeRulePacks.load;
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "identifier",
+  benignBytes:       Buffer.from("2026-05-05T12:34:56Z", "utf8"),
+  hostileBytes:      Buffer.from("2026-05-05 12:34:56", "utf8"),
+  benignIdentifier:  "2026-05-05T12:34:56Z",
+  // Hostile: naive datetime (space separator + no offset) — refused
+  // at strict (cross-region ambiguity class).
+  hostileIdentifier: "2026-05-05 12:34:56",
+});
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "time",
-  KIND:                "identifier",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "identifier",
-    benignBytes:       Buffer.from("2026-05-05T12:34:56Z", "utf8"),
-    hostileBytes:      Buffer.from("2026-05-05 12:34:56", "utf8"),
-    benignIdentifier:  "2026-05-05T12:34:56Z",
-    // Hostile: naive datetime (space separator + no offset) — refused
-    // at strict (cross-region ambiguity class).
-    hostileIdentifier: "2026-05-05 12:34:56",
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardTimeError:      GuardTimeError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
+// compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize). The gate is the factory default — the
+// standard serve -> audit-only -> refuse chain — reading
+// ctx.identifier / ctx.timestamp / ctx.time via ctxFields.
+module.exports = gateContract.defineGuard({
+  name:        "time",
+  kind:        "identifier",
+  errorClass:  GuardTimeError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  ctxFields:   ["identifier", "timestamp", "time"],
+});

package/lib/guard-trace-context.js

@@ -27,6 +27,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var GuardTraceContextError = defineClass("GuardTraceContextError", { alwaysPermanent: true });
 
@@ -38,15 +39,18 @@ var PROFILES = Object.freeze({
   permissive: { allowedVersions: ["*"],         maxTracestateEntries: 64, maxTracestateBytes: 1024 },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 var TRACEPARENT_RE = /^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/;                   // allow:regex-no-length-cap — length-bound inline before test
 
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: GuardTraceContextError,
+  codePrefix: "trace-context",
+});
+
 /**
  * @primitive b.guardTraceContext.validate
  * @signature b.guardTraceContext.validate(ctx, opts?)
@@ -132,41 +136,18 @@ function validate(ctx, opts) {
   return ctx;
 }
 
-/**
- * @primitive b.guardTraceContext.compliancePosture
- * @signature b.guardTraceContext.compliancePosture(posture)
- * @since     0.9.29
- * @status    stable
- *
- * Return the effective profile for a given compliance posture name.
- * Returns `null` for unknown posture names so operator typos surface
- * here instead of silently falling through to the default profile.
- *
- * @example
- *   b.guardTraceContext.compliancePosture("hipaa");   // returns "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
-
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return COMPLIANCE_POSTURES[opts.posture];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new GuardTraceContextError("trace-context/bad-profile",
-      "guardTraceContext: unknown profile '" + p + "'");
-  }
-  return p;
-}
-
-module.exports = {
-  validate:                 validate,
-  compliancePosture:        compliancePosture,
-  PROFILES:                 PROFILES,
-  COMPLIANCE_POSTURES:      COMPLIANCE_POSTURES,
-  GuardTraceContextError:   GuardTraceContextError,
-  NAME:                     "traceContext",
-  KIND:                     "trace-context",
-};
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
+module.exports = gateContract.defineParser({
+  name:       "trace-context",
+  entry:      validate,
+  errorClass: GuardTraceContextError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    NAME: "traceContext",
+    KIND: "trace-context",
+  },
+});

package/lib/guard-uuid.js

@@ -382,12 +382,7 @@ function sanitize(input, opts) {
     throw _err("uuid.bad-input", "sanitize requires string input");
   }
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "uuid.refused",
-        "guardUuid.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardUuidError, codePrefix: "uuid" });
   // Safe transforms: lowercase + strip braces / urn prefix → canonical
   // hyphenated form.
   var form = _classifyForm(input);
@@ -398,151 +393,35 @@ function sanitize(input, opts) {
          hex.slice(20);                                                          // UUID hex slice positions
 }
 
-/**
- * @primitive  b.guardUuid.gate
- * @signature  b.guardUuid.gate(opts?)
- * @since      0.7.44
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardUuid.validate, b.guardUuid.sanitize, b.guardAll.gate
- *
- * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
- * by `b.guardAll`, ID validators, and any host that handles
- * UUID-shaped tokens. The gate reads `ctx.identifier` (or
- * `ctx.uuid`), runs `validate`, and maps severity to action: zero
- * issues `serve`; only low/medium `audit-only`; any high/critical
- * `refuse`.
- *
- * @opts
- *   name:                   string,    // gate label for audit / observability
- *   profile:                "strict"|"balanced"|"permissive",
- *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
- *   ...:                    same shape as b.guardUuid.validate opts,
- *
- * @example
- *   var g = b.guardUuid.gate({ profile: "strict" });
- *   var rv = await g.check({ identifier: "550e8400-e29b-41d4-a716-446655440000" });
- *   rv.action;                                         // → "serve"
- *
- *   var bad = await g.check({ identifier: "{550e8400-e29b-41d4-a716-446655440000}" });
- *   bad.action;                                        // → "refuse"
- */
-function gate(opts) {
-  opts = _resolveOpts(opts);
-  return gateContract.buildGuardGate(
-    opts.name || "guardUuid:" + (opts.profile || "default"),
-    opts,
-    async function (ctx) {
-      var identifier = ctx && (ctx.identifier || ctx.uuid || "");
-      if (!identifier) return { ok: true, action: "serve" };
-      var rv = validate(identifier, opts);
-      if (rv.issues.length === 0) return { ok: true, action: "serve" };
-      var hasCritical = rv.issues.some(function (i) {
-        return i.severity === "critical";
-      });
-      var hasHigh = rv.issues.some(function (i) {
-        return i.severity === "high";
-      });
-      if (!hasCritical && !hasHigh) {
-        return { ok: true, action: "audit-only", issues: rv.issues };
-      }
-      return { ok: false, action: "refuse", issues: rv.issues };
-    });
-}
-
-/**
- * @primitive  b.guardUuid.buildProfile
- * @signature  b.guardUuid.buildProfile(opts)
- * @since      0.7.44
- * @status     stable
- * @related    b.guardUuid.gate, b.guardUuid.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name or array of
- * names (later entries shadow earlier ones); inline keys win last.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guard-uuid key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardUuid.buildProfile({
- *     extends: "balanced",
- *     formatPolicy: "hyphenated-only",
- *     nilPolicy: "audit",
- *   });
- *   custom.formatPolicy;                               // → "hyphenated-only"
- *   custom.nilPolicy;                                  // → "audit"
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardUuid.compliancePosture
- * @signature  b.guardUuid.compliancePosture(name)
- * @since      0.7.44
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardUuid.gate, b.guardUuid.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardUuidError("uuid.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardUuid.compliancePosture("hipaa");
- *   posture.nilPolicy;                                 // → "reject"
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "uuid");
-}
-
-var _uuidRulePacks = gateContract.makeRulePackLoader(GuardUuidError, "uuid");
-/**
- * @primitive  b.guardUuid.loadRulePack
- * @signature  b.guardUuid.loadRulePack(pack)
- * @since      0.7.44
- * @status     stable
- * @related    b.guardUuid.gate
- *
- * Register an operator-supplied rule pack with the guard-uuid
- * registry. The pack is identified by `pack.id` (non-empty
- * string) and stored for later inspection / dispatch by gates
- * that opt in via `opts.rulePackId`. Throws
- * `GuardUuidError("uuid.bad-opt")` when `pack` is missing or
- * `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardUuid.loadRulePack({
- *     id: "v7-only",
- *     allowedVersions: [7],
- *   });
- *   pack.id;                                           // → "v7-only"
- */
-var loadRulePack = _uuidRulePacks.load;
+// gate / buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below; their wiki sections render from the
+// single-sourced @abiTemplate (defineGuard) blocks in gate-contract.js,
+// instantiated per guard by the page generator.
+
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "identifier",
+  benignBytes:       Buffer.from("550e8400-e29b-41d4-a716-446655440000", "utf8"),
+  hostileBytes:      Buffer.from("00000000-0000-0000-0000-000000000000", "utf8"),
+  benignIdentifier:  "550e8400-e29b-41d4-a716-446655440000",
+  // Hostile: nil UUID — refused at strict (sentinel-leak class).
+  hostileIdentifier: "00000000-0000-0000-0000-000000000000",
+});
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "uuid",
-  KIND:                "identifier",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "identifier",
-    benignBytes:       Buffer.from("550e8400-e29b-41d4-a716-446655440000", "utf8"),
-    hostileBytes:      Buffer.from("00000000-0000-0000-0000-000000000000", "utf8"),
-    benignIdentifier:  "550e8400-e29b-41d4-a716-446655440000",
-    // Hostile: nil UUID — refused at strict (sentinel-leak class).
-    hostileIdentifier: "00000000-0000-0000-0000-000000000000",
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardUuidError:      GuardUuidError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
+// compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize). The gate is the factory default — the
+// standard serve -> audit-only -> refuse chain — reading ctx.identifier ||
+// ctx.uuid via ctxFields.
+module.exports = gateContract.defineGuard({
+  name:        "uuid",
+  kind:        "identifier",
+  errorClass:  GuardUuidError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  ctxFields:   ["identifier", "uuid"],
+});

package/lib/guard-xml.js

@@ -478,12 +478,8 @@ function sanitize(input, opts) {
   // shapes (DOCTYPE / ENTITY / external / parameter-entity) have no
   // safe sanitization; throw.
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical") {
-      throw _err(issues[i].ruleId || "xml.refused",
-        "guardXml.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues,
+    { errorClass: GuardXmlError, codePrefix: "xml", severities: ["critical"] });
   // Strip character-class threats per policy via the shared helper.
   return codepointClass.applyCharStripPolicies(input, opts);
 }
@@ -556,111 +552,40 @@ function gate(opts) {
     });
 }
 
-/**
- * @primitive  b.guardXml.buildProfile
- * @signature  b.guardXml.buildProfile(opts)
- * @since      0.7.15
- * @status     stable
- * @related    b.guardXml.gate, b.guardXml.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name (`"strict"` /
- * `"balanced"` / `"permissive"`) or an array of names; later entries
- * shadow earlier ones. Inline `opts` keys win last. Used to keep
- * operator-defined profiles traceable to a baseline rather than re-
- * typing every key.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guard-xml key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardXml.buildProfile({
- *     extends: "balanced",
- *     cdataPolicy: "reject",
- *     maxElements: 4096,
- *   });
- *   custom.cdataPolicy;                                 // → "reject"
- *   custom.maxElements;                                 // → 4096
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardXml.compliancePosture
- * @signature  b.guardXml.compliancePosture(name)
- * @since      0.7.15
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardXml.gate, b.guardXml.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of the
- * posture object — the caller may mutate freely. Throws
- * `GuardXmlError("xml.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardXml.compliancePosture("hipaa");
- *   posture.doctypePolicy;                              // → "reject"
- *   posture.forensicSnippetBytes;                       // → 256
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES, _err, "xml");
-}
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below; their wiki sections render from the
+// single-sourced @abiTemplate (defineGuard) blocks in gate-contract.js,
+// instantiated per guard by the page generator.
+
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:         "content",
+  contentType:  "application/xml",
+  extension:    ".xml",
+  benignBytes:  Buffer.from('<?xml version="1.0"?><root><x>1</x></root>', "utf8"),
+  // Hostile: DOCTYPE with internal-subset entity declaration (XXE +
+  // billion-laughs vector — CVE-2026-24400 / CVE-2024-25062 class).
+  hostileBytes: Buffer.from(
+    '<?xml version="1.0"?>\n<!DOCTYPE root [<!ENTITY xx "yy">]>\n<root/>',
+    "utf8"),
+});
 
-var _xmlRulePacks = gateContract.makeRulePackLoader(GuardXmlError, "xml");
-/**
- * @primitive  b.guardXml.loadRulePack
- * @signature  b.guardXml.loadRulePack(pack)
- * @since      0.7.15
- * @status     stable
- * @related    b.guardXml.gate
- *
- * Register an operator-supplied rule pack with the guard-xml
- * registry. The pack is identified by `pack.id` (non-empty string)
- * and stored for later inspection / dispatch by gates that opt in
- * via `opts.rulePackId`. Returns the pack object unchanged on
- * success; throws `GuardXmlError("xml.bad-opt")` when `pack` is
- * missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardXml.loadRulePack({
- *     id: "soap-envelope",
- *     rules: [
- *       { id: "must-have-envelope", severity: "high",
- *         detect: function (text) { return text.indexOf("<soap:Envelope") === -1; },
- *         reason: "SOAP request missing soap:Envelope root" },
- *     ],
- *   });
- *   pack.id;                                            // → "soap-envelope"
- */
-var loadRulePack = _xmlRulePacks.load;
-
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "xml",
-  KIND:                "content",
-  MIME_TYPES:          Object.freeze(["application/xml", "text/xml"]),
-  EXTENSIONS:          Object.freeze([".xml"]),
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:         "content",
-    contentType:  "application/xml",
-    extension:    ".xml",
-    benignBytes:  Buffer.from('<?xml version="1.0"?><root><x>1</x></root>', "utf8"),
-    // Hostile: DOCTYPE with internal-subset entity declaration (XXE +
-    // billion-laughs vector — CVE-2026-24400 / CVE-2024-25062 class).
-    hostileBytes: Buffer.from(
-      '<?xml version="1.0"?>\n<!DOCTYPE root [<!ENTITY xx "yy">]>\n<root/>',
-      "utf8"),
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardXmlError:       GuardXmlError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / MIME_TYPES / EXTENSIONS / INTEGRATION_FIXTURES),
+// buildProfile / compliancePosture / loadRulePack wiring, plus the
+// per-guard inspection surface (validate / sanitize / bespoke gate)
+// passed through verbatim. The bespoke `gate` carries XML's
+// per-policy canSanitize matrix unchanged.
+module.exports = gateContract.defineGuard({
+  name:        "xml",
+  kind:        "content",
+  errorClass:  GuardXmlError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  mimeTypes:   ["application/xml", "text/xml"],
+  extensions:  [".xml"],
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  gate:        gate,
+});