@blamejs/core 0.14.27 → 0.15.1

package/lib/guard-agent-registry.js

@@ -23,6 +23,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var gateContract = require("./gate-contract");
 
 var GuardAgentRegistryError = defineClass("GuardAgentRegistryError", { alwaysPermanent: true });
 
@@ -34,12 +35,7 @@ var PROFILES = Object.freeze({
   permissive: { maxNameBytes: 512, maxKindBytes: 128 },
 });
 
-var COMPLIANCE_POSTURES = Object.freeze({
-  hipaa:     "strict",
-  "pci-dss": "strict",
-  gdpr:      "strict",
-  soc2:      "strict",
-});
+var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES;
 
 var RESERVED_PREFIXES = Object.freeze(["FRAMEWORK.", "ROOT.", "framework.", "root."]);
 var RESERVED_EXACT    = Object.freeze({ "ROOT": true, "FRAMEWORK": true, "*": true });
@@ -89,22 +85,10 @@ function validate(op, opts) {
   return op;
 }
 
-/**
- * @primitive b.guardAgentRegistry.compliancePosture
- * @signature b.guardAgentRegistry.compliancePosture(posture)
- * @since     0.9.21
- * @status    stable
- *
- * Return the effective profile for a given compliance posture name.
- * Returns `null` for unknown posture names so operator typos surface
- * here instead of silently falling through to the default profile.
- *
- * @example
- *   b.guardAgentRegistry.compliancePosture("hipaa");   // → "strict"
- */
-function compliancePosture(posture) {
-  return COMPLIANCE_POSTURES[posture] || null;
-}
+// compliancePosture is assembled by gateContract.defineParser below; its
+// wiki section renders from the single-sourced @abiTemplate (defineParser)
+// block in gate-contract.js, instantiated for this guard by the page
+// generator.
 
 function _checkName(name, profile) {
   if (typeof name !== "string" || name.length === 0) {
@@ -154,26 +138,24 @@ function _checkKind(kind, profile) {
   }
 }
 
-function _resolveProfile(opts) {
-  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
-    return COMPLIANCE_POSTURES[opts.posture];
-  }
-  var p = opts.profile || DEFAULT_PROFILE;
-  if (!PROFILES[p]) {
-    throw new GuardAgentRegistryError("agent-registry/bad-profile",
-      "guardAgentRegistry: unknown profile '" + p + "'");
-  }
-  return p;
-}
+var _resolveProfile = gateContract.makeProfileResolver({
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  defaults:   DEFAULT_PROFILE,
+  errorClass: GuardAgentRegistryError,
+  codePrefix: "agent-registry",
+});
 
-module.exports = {
-  validate:                  validate,
-  compliancePosture:         compliancePosture,
-  PROFILES:                  PROFILES,
-  COMPLIANCE_POSTURES:       COMPLIANCE_POSTURES,
-  RESERVED_PREFIXES:         RESERVED_PREFIXES,
-  RESERVED_EXACT:            RESERVED_EXACT,
-  GuardAgentRegistryError:   GuardAgentRegistryError,
-  NAME:                      "agentRegistry",
-  KIND:                      "agent-registry",
-};
+module.exports = gateContract.defineParser({
+  name:       "agent-registry",
+  entry:      validate,
+  errorClass: GuardAgentRegistryError,
+  profiles:   PROFILES,
+  postures:   COMPLIANCE_POSTURES,
+  extra: {
+    RESERVED_PREFIXES: RESERVED_PREFIXES,
+    RESERVED_EXACT:    RESERVED_EXACT,
+    NAME:              "agentRegistry",
+    KIND:              "agent-registry",
+  },
+});

package/lib/guard-all.js

@@ -84,6 +84,7 @@ var STANDALONE_GUARDS = [
   require("./guard-pdf"),
   require("./guard-auth"),
   require("./guard-smtp-command"),
+  require("./guard-sql"),
 ];
 
 // Framework-wide profile + posture vocabulary that every guard MUST

package/lib/guard-auth.js

@@ -335,117 +335,47 @@ function gate(opts) {
     });
 }
 
-/**
- * @primitive  b.guardAuth.buildProfile
- * @signature  b.guardAuth.buildProfile(opts)
- * @since      0.7.41
- * @status     stable
- * @related    b.guardAuth.gate, b.guardAuth.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus inline
- * overrides. `opts.extends` is a profile name (`"strict"` /
- * `"balanced"` / `"permissive"`) or an array of names; later entries
- * shadow earlier ones. Inline `opts` keys win last. Used to keep
- * operator-defined profiles traceable to a baseline rather than
- * re-typing every key.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *
- * @example
- *   var custom = b.guardAuth.buildProfile({
- *     extends: "balanced",
- *     requireAtLeastOne: true,
- *   });
- *   custom.requireAtLeastOne;                          // → true
- *   custom.bidiPolicy;                                 // → "reject"
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below — their wiki sections render from the
+// single-sourced @abiTemplate blocks in gate-contract.js.
 
-/**
- * @primitive  b.guardAuth.compliancePosture
- * @signature  b.guardAuth.compliancePosture(name)
- * @since      0.7.41
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardAuth.gate, b.guardAuth.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of the
- * posture object — the caller may mutate freely. Throws
- * `GuardAuthError("auth.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardAuth.compliancePosture("hipaa");
- *   posture.forensicSnippetBytes;                      // → 512
- *   posture.bidiPolicy;                                // → "reject"
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "auth");
-}
-
-var _authRulePacks = gateContract.makeRulePackLoader(GuardAuthError, "auth");
-/**
- * @primitive  b.guardAuth.loadRulePack
- * @signature  b.guardAuth.loadRulePack(pack)
- * @since      0.7.41
- * @status     stable
- * @related    b.guardAuth.gate
- *
- * Register an operator-supplied rule pack with the guard-auth
- * registry. The pack is identified by `pack.id` (non-empty string)
- * and stored for later inspection / dispatch by gates that opt in
- * via `opts.rulePackId`. Returns the pack object unchanged on
- * success; throws `GuardAuthError("auth.bad-opt")` when `pack` is
- * missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardAuth.loadRulePack({
- *     id: "tenant-bearer-prefix",
- *     rules: [
- *       { id: "tenant-prefix", severity: "high",
- *         detect: function (b2) { return b2.jwtToken && b2.jwtToken.indexOf("tenant_") !== 0; },
- *         reason: "JWT does not carry the required tenant_ prefix" },
- *     ],
- *   });
- *   pack.id;                                           // → "tenant-bearer-prefix"
- */
-var loadRulePack = _authRulePacks.load;
+// ---- adaptive integration-test fixtures (consumed by layer-5 host harness) ----
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "auth-bundle",
+  benignBytes: Buffer.from(JSON.stringify({
+    jwtToken: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
+              "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9.sig",
+    cookieHeader: "sid=abc123; theme=dark",
+  }), "utf8"),
+  hostileBytes: Buffer.from(JSON.stringify({
+    jwtToken: "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.",
+  }), "utf8"),
+  benignAuthBundle: {
+    jwtToken: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
+              "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9.sig",
+    cookieHeader: "sid=abc123; theme=dark",
+  },
+  // Hostile: alg=none JWT — universal refuse routed through guardJwt.
+  hostileAuthBundle: {
+    jwtToken: "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.",
+  },
+});
 
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "auth",
-  KIND:                "auth-bundle",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "auth-bundle",
-    benignBytes: Buffer.from(JSON.stringify({
-      jwtToken: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
-                "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9.sig",
-      cookieHeader: "sid=abc123; theme=dark",
-    }), "utf8"),
-    hostileBytes: Buffer.from(JSON.stringify({
-      jwtToken: "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.",
-    }), "utf8"),
-    benignAuthBundle: {
-      jwtToken: "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
-                "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9.sig",
-      cookieHeader: "sid=abc123; theme=dark",
-    },
-    // Hostile: alg=none JWT — universal refuse routed through guardJwt.
-    hostileAuthBundle: {
-      jwtToken: "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.",
-    },
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardAuthError:      GuardAuthError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
+// compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize / bespoke gate) passed through verbatim.
+// The custom KIND ("auth-bundle") is accepted because the bespoke gate
+// reads its own ctx fields (ctx.authBundle / ctx.auth).
+module.exports = gateContract.defineGuard({
+  name:        "auth",
+  kind:        "auth-bundle",
+  errorClass:  GuardAuthError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  gate:        gate,
+});

package/lib/guard-cidr.js

@@ -511,12 +511,7 @@ function sanitize(input, opts) {
     throw _err("cidr.bad-input", "sanitize requires string input");
   }
   var issues = _detectIssues(input, opts);
-  for (var i = 0; i < issues.length; i += 1) {
-    if (issues[i].severity === "critical" || issues[i].severity === "high") {
-      throw _err(issues[i].ruleId || "cidr.refused",
-        "guardCidr.sanitize: " + issues[i].snippet);
-    }
-  }
+  gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardCidrError, codePrefix: "cidr" });
   // Normalize: lowercase IPv6 groups + canonical mask form.
   var slashAt = input.indexOf("/");
   var addr = slashAt === -1 ? input : input.slice(0, slashAt);
@@ -525,152 +520,36 @@ function sanitize(input, opts) {
   return mask === null ? addr.toLowerCase() : addr.toLowerCase() + "/" + mask;
 }
 
-/**
- * @primitive  b.guardCidr.gate
- * @signature  b.guardCidr.gate(opts?)
- * @since      0.7.41
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardCidr.validate, b.guardCidr.sanitize
- *
- * Build a `b.gateContract` gate that consumes `ctx.identifier` (or
- * `ctx.cidr`) and dispatches `serve` (no input or clean) →
- * `audit-only` (warn-only issues) → `refuse` (any critical or high
- * issue). No `sanitize` action — CIDR sanitization is caller-driven
- * via `b.guardCidr.sanitize`; an allowlist gate that silently rewrote
- * the operator's network range would be its own bug class.
- *
- * @opts
- *   profile:    "strict"|"balanced"|"permissive",
- *   compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
- *   name:       string,    // gate identity for audit / observability
- *   family:     "either"|"ipv4-only"|"ipv6-only",
- *
- * @example
- *   var cidrGate = b.guardCidr.gate({ profile: "strict", family: "ipv4-only" });
- *   var verdict = await cidrGate.check({ identifier: "10.0.0.0/8" });
- *   verdict.action;                                    // → "refuse"
- */
-function gate(opts) {
-  opts = _resolveOpts(opts);
-  return gateContract.buildGuardGate(
-    opts.name || "guardCidr:" + (opts.profile || "default"),
-    opts,
-    async function (ctx) {
-      var identifier = ctx && (ctx.identifier || ctx.cidr || "");
-      if (!identifier) return { ok: true, action: "serve" };
-      var rv = validate(identifier, opts);
-      if (rv.issues.length === 0) return { ok: true, action: "serve" };
-      var hasCritical = rv.issues.some(function (i) {
-        return i.severity === "critical";
-      });
-      var hasHigh = rv.issues.some(function (i) {
-        return i.severity === "high";
-      });
-      if (!hasCritical && !hasHigh) {
-        return { ok: true, action: "audit-only", issues: rv.issues };
-      }
-      return { ok: false, action: "refuse", issues: rv.issues };
-    });
-}
-
-/**
- * @primitive  b.guardCidr.buildProfile
- * @signature  b.guardCidr.buildProfile(opts)
- * @since      0.7.41
- * @status     stable
- * @related    b.guardCidr.gate, b.guardCidr.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus inline
- * overrides. `opts.extends` is a profile name (`"strict"` /
- * `"balanced"` / `"permissive"`) or an array of names; later entries
- * shadow earlier ones. Inline `opts` keys win last.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *
- * @example
- *   var custom = b.guardCidr.buildProfile({
- *     extends: "balanced",
- *     reservedRangesPolicy: "reject",
- *   });
- *   custom.reservedRangesPolicy;                       // → "reject"
- *   custom.bidiPolicy;                                 // → "reject"
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardCidr.compliancePosture
- * @signature  b.guardCidr.compliancePosture(name)
- * @since      0.7.41
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardCidr.gate, b.guardCidr.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of the
- * posture object — the caller may mutate freely. Throws
- * `GuardCidrError("cidr.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardCidr.compliancePosture("hipaa");
- *   posture.reservedRangesPolicy;                      // → "reject"
- *   posture.forensicSnippetBytes;                      // → 128
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
-    _err, "cidr");
-}
+// gate / buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below; their wiki sections render from the
+// single-sourced @abiTemplate (defineGuard) blocks in gate-contract.js,
+// instantiated per guard by the page generator.
+
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:              "identifier",
+  benignBytes:       Buffer.from("8.8.8.0/24", "utf8"),
+  hostileBytes:      Buffer.from("10.0.0.0/8", "utf8"),
+  benignIdentifier:  "8.8.8.0/24",
+  // Hostile: RFC 1918 private range — refused at strict.
+  hostileIdentifier: "10.0.0.0/8",
+});
 
-var _cidrRulePacks = gateContract.makeRulePackLoader(GuardCidrError, "cidr");
-/**
- * @primitive  b.guardCidr.loadRulePack
- * @signature  b.guardCidr.loadRulePack(pack)
- * @since      0.7.41
- * @status     stable
- * @related    b.guardCidr.gate
- *
- * Register an operator-supplied rule pack with the guard-cidr
- * registry. The pack is identified by `pack.id` (non-empty string)
- * and stored for later inspection / dispatch by gates that opt in
- * via `opts.rulePackId`. Returns the pack object unchanged on
- * success; throws `GuardCidrError("cidr.bad-opt")` when `pack` is
- * missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardCidr.loadRulePack({
- *     id: "tenant-private-only",
- *     rules: [
- *       { id: "external-allowlisted", severity: "high",
- *         detect: function (cidr) { return cidr.indexOf("10.") !== 0; },
- *         reason: "tenant policy: only 10.0.0.0/8 ranges permitted" },
- *     ],
- *   });
- *   pack.id;                                           // → "tenant-private-only"
- */
-var loadRulePack = _cidrRulePacks.load;
-
-module.exports = {
-  // ---- guard-* family registry exports ----
-  NAME:                "cidr",
-  KIND:                "identifier",
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:              "identifier",
-    benignBytes:       Buffer.from("8.8.8.0/24", "utf8"),
-    hostileBytes:      Buffer.from("10.0.0.0/8", "utf8"),
-    benignIdentifier:  "8.8.8.0/24",
-    // Hostile: RFC 1918 private range — refused at strict.
-    hostileIdentifier: "10.0.0.0/8",
-  }),
-  // ---- primitive surface ----
-  validate:            validate,
-  sanitize:            sanitize,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  GuardCidrError:      GuardCidrError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
+// compliancePosture / loadRulePack wiring, plus the per-guard inspection
+// surface (validate / sanitize). The gate is the factory default — the
+// standard serve -> audit-only -> refuse chain — reading ctx.identifier ||
+// ctx.cidr via ctxFields. No sanitize action: an allowlist gate never
+// rewrites the operator's stored network range.
+module.exports = gateContract.defineGuard({
+  name:        "cidr",
+  kind:        "identifier",
+  errorClass:  GuardCidrError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  ctxFields:   ["identifier", "cidr"],
+});

package/lib/guard-csv.js

@@ -1060,117 +1060,50 @@ function gate(opts) {
     });
 }
 
-/**
- * @primitive  b.guardCsv.buildProfile
- * @signature  b.guardCsv.buildProfile(opts)
- * @since      0.7.5
- * @status     stable
- * @related    b.guardCsv.gate, b.guardCsv.compliancePosture
- *
- * Compose a derived profile from one or more named bases plus
- * inline overrides. `opts.extends` is a profile name (`"strict"`
- * / `"balanced"` / `"permissive"` / `"email-attachment"`) or an
- * array of names; later entries shadow earlier ones. Inline
- * `opts` keys win last. Used to keep operator-defined profiles
- * traceable to a baseline rather than re-typing every key.
- *
- * @opts
- *   extends: string|string[],   // base profile name(s) to compose
- *   ...:     any guard-csv key, // inline override of resolved keys
- *
- * @example
- *   var custom = b.guardCsv.buildProfile({
- *     extends: "strict",
- *     trailingWhitespacePolicy: "preserve",
- *     bomPrefix: true,
- *   });
- *   custom.formulaInjectionPolicy;                     // → "prefix-tab"
- *   custom.bomPrefix;                                  // → true
- */
-var buildProfile = gateContract.makeProfileBuilder(PROFILES);
-
-/**
- * @primitive  b.guardCsv.compliancePosture
- * @signature  b.guardCsv.compliancePosture(name)
- * @since      0.7.5
- * @status     stable
- * @compliance hipaa, pci-dss, gdpr, soc2
- * @related    b.guardCsv.gate, b.guardCsv.buildProfile
- *
- * Look up a compliance-posture overlay by name (`"hipaa"` /
- * `"pci-dss"` / `"gdpr"` / `"soc2"`). Returns a shallow clone of
- * the posture object — the caller may mutate freely. Throws
- * `GuardCsvError("csv.bad-posture")` on unknown name.
- *
- * @example
- *   var posture = b.guardCsv.compliancePosture("hipaa");
- *   posture.piiPolicy;                                 // → "redact"
- *   posture.bidiCharPolicy;                            // → "reject"
- */
-function compliancePosture(name) {
-  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES, _err, "csv");
-}
+// buildProfile / compliancePosture / loadRulePack are assembled by
+// gateContract.defineGuard below (makeProfileBuilder(PROFILES) /
+// lookupCompliancePosture(_, COMPLIANCE_POSTURES) / makeRulePackLoader).
+// Their wiki sections render from the single-sourced @abiTemplate blocks
+// in gate-contract.js, instantiated per guard by the page generator.
+
+// ---- adaptive integration-test fixtures (consumed by layer-5 host harness) ----
+var INTEGRATION_FIXTURES = Object.freeze({
+  kind:        "content",
+  contentType: "text/csv",
+  extension:   ".csv",
+  benignBytes: Buffer.from("name,age\r\nalice,30\r\n", "utf8"),
+  // Hostile: cell starts with formula trigger `=cmd|x` — strict
+  // profile prepends TAB so spreadsheets disarm at evaluation time;
+  // gate's check returns refuse for any critical/high issue.
+  hostileBytes: Buffer.from("name,formula\r\nalice,=cmd|x\r\n", "utf8"),
+});
 
-var _csvRulePacks = gateContract.makeRulePackLoader(GuardCsvError, "csv");
-/**
- * @primitive  b.guardCsv.loadRulePack
- * @signature  b.guardCsv.loadRulePack(pack)
- * @since      0.7.5
- * @status     stable
- * @related    b.guardCsv.gate
- *
- * Register an operator-supplied rule pack with the guard-csv
- * registry. The pack is identified by `pack.id` (non-empty
- * string) and stored for later inspection / dispatch by gates
- * that opt in via `opts.rulePackId`. Returns the pack object
- * unchanged on success; throws `GuardCsvError("csv.bad-opt")`
- * when `pack` is missing or `pack.id` is not a non-empty string.
- *
- * @example
- *   var pack = b.guardCsv.loadRulePack({
- *     id: "pii-extra",
- *     rules: [
- *       { id: "ssn-cell", severity: "critical",
- *         detect: function (cell) { return /^\d{3}-\d{2}-\d{4}$/.test(cell); },
- *         reason: "US SSN-shaped value in CSV cell" },
- *     ],
- *   });
- *   pack.id;                                           // → "pii-extra"
- */
-var loadRulePack = _csvRulePacks.load;
-
-module.exports = {
-  // ---- guard-* family registry exports (consumed by b.guardAll) ----
-  NAME:                "csv",
-  KIND:                "content",                                                 // content-bytes guard (consumes ctx.bytes)
-  MIME_TYPES:          Object.freeze(["text/csv"]),
-  EXTENSIONS:          Object.freeze([".csv"]),
-  // ---- adaptive integration-test fixtures (consumed by layer-5 host harness) ----
-  INTEGRATION_FIXTURES: Object.freeze({
-    kind:        "content",
-    contentType: "text/csv",
-    extension:   ".csv",
-    benignBytes: Buffer.from("name,age\r\nalice,30\r\n", "utf8"),
-    // Hostile: cell starts with formula trigger `=cmd|x` — strict
-    // profile prepends TAB so spreadsheets disarm at evaluation time;
-    // gate's check returns refuse for any critical/high issue.
-    hostileBytes: Buffer.from("name,formula\r\nalice,=cmd|x\r\n", "utf8"),
-  }),
-  // ---- primitive surface ----
-  serialize:           serialize,
-  validate:            validate,
-  sanitize:            sanitize,
-  escapeCell:          escapeCell,
-  detect:              detect,
-  schema:              schema,
-  gate:                gate,
-  buildProfile:        buildProfile,
-  compliancePosture:   compliancePosture,
-  loadRulePack:        loadRulePack,
-  PROFILES:            PROFILES,
-  DEFAULTS:            DEFAULTS,
-  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
-  FORMULA_PREFIXES:    FORMULA_PREFIXES,
-  DANGEROUS_FUNCTIONS: DANGEROUS_FUNCTIONS,
-  GuardCsvError:       GuardCsvError,
-};
+// Assembled from the gate-contract guard factory: error class, registry
+// exports (NAME / KIND / MIME_TYPES / EXTENSIONS / INTEGRATION_FIXTURES),
+// buildProfile / compliancePosture / loadRulePack wiring, plus the
+// per-guard inspection surface (validate / sanitize / gate) and CSV
+// extras (serialize / escapeCell / detect / schema / FORMULA_PREFIXES /
+// DANGEROUS_FUNCTIONS) passed through verbatim. The bespoke `gate` carries
+// CSV's sanitize-reparse-reserialize chain unchanged.
+module.exports = gateContract.defineGuard({
+  name:        "csv",
+  kind:        "content",
+  errorClass:  GuardCsvError,
+  profiles:    PROFILES,
+  defaults:    DEFAULTS,
+  postures:    COMPLIANCE_POSTURES,
+  mimeTypes:   ["text/csv"],
+  extensions:  [".csv"],
+  integrationFixtures: INTEGRATION_FIXTURES,
+  validate:    validate,
+  sanitize:    sanitize,
+  gate:        gate,
+  extra: {
+    serialize:           serialize,
+    escapeCell:          escapeCell,
+    detect:              detect,
+    schema:              schema,
+    FORMULA_PREFIXES:    FORMULA_PREFIXES,
+    DANGEROUS_FUNCTIONS: DANGEROUS_FUNCTIONS,
+  },
+});