@blamejs/core 0.11.42 → 0.11.44

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.11.x
 
+- v0.11.44 (2026-05-22) — **Fix wiki container build — release-container smoke step still hit port 8080.** The v0.11.40 wiki port swap (8080 → 3008) missed `.github/workflows/release-container.yml`'s post-publish smoke step. The smoke ran `docker run -p 8080:8080` + curled `localhost:8080/healthz`, but the v0.11.40+ wiki container listens on 3008 — so the smoke failed and the wiki container was NOT pushed to GHCR for v0.11.40, v0.11.42, or v0.11.43. The npm package was unaffected (publish completes on a different job). Operators pulling `ghcr.io/blamejs/blamejs-wiki:latest` were getting the v0.11.39 build until this fix. This release fixes the workflow + adds a codebase-patterns detector that gates the Dockerfile's `WIKI_PORT` against the workflow's port map + curl host so the same silent-deploy failure can't recur. **Fixed:** *release-container.yml smoke step uses port 3008* — Three locations updated: comment header references port 3008; `-p 3008:3008` host port mapping; `curl http://localhost:3008/healthz` health check. Tagging v0.11.44 triggers a fresh container build + push that lands the v0.11.40 / v0.11.42 / v0.11.43 changes (port 3008 default, JSCalendar Group, BYSETPOS, multi-rule recurrence union, JMAP EmailSubmission/set, wiki nav alphabetical) in GHCR for the first time. **Detectors:** *Wiki-port cross-artifact agreement gate* — `testWikiPortAgreesAcrossArtifacts` reads `WIKI_PORT=<n>` from `examples/wiki/Dockerfile` and asserts every `docker run -p X:X` mapping + every `curl http://localhost:X/healthz` reference in `.github/workflows/release-container.yml` matches. Smoke-tested by introducing a deliberate mismatch — detector fires with file:line + the conflicting values. Prevents the v0.11.40 silent-deploy failure class from recurring on any future port change.
+
+- v0.11.43 (2026-05-22) — **Wiki nav: alphabetical sidebar + dedup drifted category labels.** The wiki sidebar now lists categories alphabetically (case-insensitive) instead of in editorial order. Welcome remains pinned first (landing page); Other and Reference remain pinned last (catch-all groups). Three category-label dups are also consolidated at the source comment-blocks: `Agent Protocols` (one entry — `a2a-tasks`) joins `Agent` with the rest of the agent substrate; `Networking` (two entries — `stream-throttle`, `web-push-vapid`) joins `Network`; `Audit & Compliance` (one entry — `nist-crosswalk`) joins `Compliance`. New `@nav` categories now land in their alphabetical slot automatically without a site.config edit. **Changed:** *Wiki sidebar group order alphabetical* — Replaces the curated `GROUP_ORDER` editorial list in `examples/wiki/site.config.js` with an alphabetical sort. Pinning preserved: `Welcome` always first; `Other` and `Reference` always last. Adding a new `@nav` category to any `lib/*.js` `@module` block now slots into its alphabetical position automatically — no separate site.config update required. · *Category consolidation: Agent Protocols → Agent* — `a2a-tasks` was the sole entry under `Agent Protocols`. Moved to `Agent` to live alongside the orchestrator / saga / idempotency / event-bus / posture-chain / stream / trace / tenant / snapshot / fsm primitives — the W3C A2A task surface is part of the same agent-substrate concern. · *Category consolidation: Networking → Network* — `stream-throttle` and `web-push-vapid` were tagged `Networking` while every other network-layer primitive used `Network`. Drift cleanup — both now live under `Network`. · *Category consolidation: Audit & Compliance → Compliance* — `nist-crosswalk` was the sole entry under `Audit & Compliance`. Moved to `Compliance` alongside the other regulatory primitives. **Detectors:** *Nav-category allowlist gate* — `testNavCategoryAllowlist` in the codebase-patterns runner walks every `lib/*.js` `@module` block and refuses any `@nav` value not in the canonical category list. Adding a new sidebar category is a deliberate edit — it lands in `NAV_ALLOWLIST` + the operator-facing `FIRST_GROUPS` / `LAST_GROUPS` pin list in `examples/wiki/site.config.js` at the same time. Prevents the Networking-vs-Network and Agent-vs-Agent-Protocols dup classes from re-emerging silently.
+
 - v0.11.42 (2026-05-22) — **`b.calendar` JSCalendar Group objects (RFC 8984 §1.4.4).** Closes the v0.11.31 deferral on JSCalendar Group. `b.calendar.validate` now recognises `@type: "Group"` as a container envelope for multiple Event / Task / Note entries that share a logical name + categories. `b.calendar.toIcal` emits a single VCALENDAR wrap containing every entry's component in declared order (VEVENT for Event, VTODO for Task, VJOURNAL for Note). Group is JSCalendar-only — iCalendar has no envelope-level metadata for Group.name / Group.categories, so a Group's metadata is dropped on the iCal-side of a round-trip; operators preserving Group state across systems use the JSON-native surface. **Added:** *`@type: "Group"` envelope (RFC 8984 §1.4.4)* — A Group carries `uid`, `updated`, `entries` (required non-empty array), and optional `name`, `description`, `categories` (String-keyed Boolean set), and `source` (URI string). Entries are validated recursively — each entry must be a valid Event / Task / Note per its own type rules. Groups nesting Groups is refused (RFC 8984 does not define a nesting semantic). · *`b.calendar.toIcal` emits single VCALENDAR for Group* — When `@type === "Group"`, toIcal emits one BEGIN:VCALENDAR / END:VCALENDAR envelope containing every entry's component in declared order. The Group's own uid / updated / name / description / categories are NOT round-tripped to iCalendar (RFC 5545 has no envelope-level metadata for these); operators preserving Group state across a round-trip use the JSON-native JSCalendar surface. · *Refusal vocabulary* — New structured `CalendarError` codes: `calendar/bad-entries` (entries missing, empty, non-array, or any entry malformed / Group-typed), `calendar/bad-group` (entry-specific field like start / duration / due / progress / recurrenceRules set on the Group envelope), `calendar/bad-categories` (non-object categories or non-`true` value), `calendar/bad-source` (non-string source). · *`JSCAL_TYPES.Group` export* — `b.calendar.JSCAL_TYPES.Group === "Group"` exposes the discriminator string for operator-side type-dispatch. **References:** [RFC 8984 §1.4.4 (JSCalendar Group)](https://www.rfc-editor.org/rfc/rfc8984.html#section-1.4.4) · [RFC 5545 §3.4 (VCALENDAR envelope)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.4)
 
 - v0.11.41 (2026-05-21) — **`b.calendar.expandRecurrence` picks up BYSETPOS (RFC 5545 §3.3.10).** Closes the v0.11.31 deferral on BYSETPOS — the recurrence filter that picks the Nth candidate from a BY*-filtered set within a FREQ interval. Common operator patterns now work directly: `FREQ=MONTHLY;BYDAY=FR;BYSETPOS=-1` for last Friday of each month, `FREQ=MONTHLY;BYDAY=TU;BYSETPOS=2` for second Tuesday, `FREQ=YEARLY;BYMONTH=10;BYDAY=SU;BYSETPOS=1` for first Sunday of October (the DST-end announcement pattern). Supported for `FREQ=MONTHLY` / `YEARLY` / `WEEKLY` at day-granularity (time-of-day inherited from `start`). `FREQ=DAILY` + BYSETPOS is refused with `calendar/bad-recurrence` since the semantics aren't meaningful at sub-day frequency. **Added:** *`bySetPos` filter on RecurrenceRule* — `recurrenceRules[i].bySetPos: [1, -1, 2]` picks the listed positions from the BY*-filtered candidate set within each FREQ interval. Positive values are 1-indexed from the start of the period; negative values count from the end. Multiple positions emit per period (e.g. `[1, -1]` emits both the first and last matching day of each month). Out-of-range positions silently drop per RFC 5545's tolerant grammar. · *MONTHLY / YEARLY / WEEKLY support* — BYSETPOS expands within month / year / WKST-aligned-week boundaries. For each period, all day-level candidates that pass the existing BY* filters (byDay / byMonth / byMonthDay / byWeekNo / byYearDay) are enumerated, sorted ascending, then indexed by `bySetPos`. The expand loop's step budget (`MAX_EXPAND_INSTANCES * 366`) is shared across periods so the BYSETPOS path can't outrun the v0.11.31 DoS bound. · *DAILY frequency refused* — `FREQ=DAILY` + BYSETPOS throws `calendar/bad-recurrence` at expand time. The combination has no meaningful per-period set semantics (a day has no sub-day BY* set to pick from in the v1 day-granularity model). Operators with a sub-day BYSETPOS use case use `FREQ=HOURLY` semantics directly without BYSETPOS, or open an issue with the use case. **Security:** *Step budget shared with non-BYSETPOS path* — BYSETPOS enumeration decrements the same `MAX_EXPAND_INSTANCES * 366` step budget the non-BYSETPOS path uses, and the per-period day-loop has a hard 400-iteration safety cap (covers max-366-days in a leap year + slack). Adversarial events combining many rules + sparse BY* filters + BYSETPOS can't outpace the original single-rule DoS bound. **References:** [RFC 5545 §3.3.10 (RRULE — BYSETPOS)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.3.10) · [RFC 8984 §4.3.2 (JSCalendar RecurrenceRule)](https://www.rfc-editor.org/rfc/rfc8984.html#section-4.3.2)

package/lib/a2a-tasks.js

@@ -1,7 +1,7 @@
 "use strict";
 /**
  * @module     b.a2a
- * @nav        Agent Protocols
+ * @nav        Agent
  * @title      A2A Tasks
  * @order      600
  *

package/lib/nist-crosswalk.js

@@ -1,7 +1,7 @@
 "use strict";
 /**
  * @module     b.nistCrosswalk
- * @nav        Audit & Compliance
+ * @nav        Compliance
  * @title      NIST control crosswalk
  * @order      150
  * @slug       nist-crosswalk

package/lib/stream-throttle.js

@@ -1,7 +1,7 @@
 "use strict";
 /**
  * @module     b.streamThrottle
- * @nav        Networking
+ * @nav        Network
  * @title      Stream Throttle
  * @order      130
  * @slug       stream-throttle

package/lib/web-push-vapid.js

@@ -1,7 +1,7 @@
 "use strict";
 /**
  * @module b.webPush
- * @nav    Networking
+ * @nav    Network
  * @title  Web Push (VAPID)
  * @order  240
  *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.11.42",
+  "version": "0.11.44",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:7f569328-85b0-4395-b846-ba8cf2a95b3b",
+  "serialNumber": "urn:uuid:00af8785-3be8-4ebb-bfb1-eb210256dc39",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-22T02:30:35.680Z",
+    "timestamp": "2026-05-22T06:19:00.045Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.11.42",
+      "bom-ref": "@blamejs/core@0.11.44",
       "type": "application",
       "name": "blamejs",
-      "version": "0.11.42",
+      "version": "0.11.44",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.11.42",
+      "purl": "pkg:npm/%40blamejs/core@0.11.44",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.11.42",
+      "ref": "@blamejs/core@0.11.44",
       "dependsOn": []
     }
   ]