@blamejs/core 0.12.0 → 0.12.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.12.x
10
10
 
11
+ - v0.12.2 (2026-05-22) — **Release-process docs point at `scripts/release.js` (the orchestrator shipped in v0.12.0).** `CONTRIBUTING.md` (maintainer section) and `examples/wiki/DEPLOY.md` ("Tag-driven releases") described the old multi-step manual release flow — version bump → commit → push → tag → push tag — without mentioning the v0.12.0 orchestrator. Both docs now point at `node scripts/release.js` as the canonical release mechanism, list the eight idempotent subcommands, and call out the two pre-requisites the script enforces (release-notes JSON + signed-commit config). **Added:** *`scripts/release.js regen` — re-run artifact regeneration mid-flow* — Edits to `release-notes/v<next>.json` after `prepare` (e.g. addressing a Codex finding, fixing a leak-vocabulary refusal) previously required running `node scripts/generate-changelog-entry.js --rebuild` + `scripts/refresh-api-snapshot.js` + `scripts/check-api-snapshot.js` + `scripts/check-changelog-extract.js` manually. The new `regen` subcommand wraps all four into a single idempotent step. Safe to run any time from any branch. The `prepare` phase calls the same shared helper internally so behaviour stays consistent. **Changed:** *`CONTRIBUTING.md` maintainer section names the orchestrator* — The release-process bullet now reads `node scripts/release.js — eight idempotent subcommands (prepare → smoke → commit → push → watch → merge → tag → publish) plus all for a one-shot`. The existing DEPLOY.md link stays as a pointer for the wiki-container side of the same flow. · *`examples/wiki/DEPLOY.md` Tag-driven releases section rewritten* — Replaces the four-bullet manual flow with the orchestrator surface, including the `all` / `all --minor` one-shot, the per-phase subcommands, and the pre-requisites the script enforces (release-notes JSON present, SSH signing config in place). The downstream wiki-image deploy step on the host (pin `docker-compose.prod.yml` + `docker compose pull && up -d`) is unchanged. 
**Fixed:** *`scripts/release.js` signature verification uses `git verify-commit` as the canonical truth* — The v0.12.0 orchestrator's commit-signature gate parsed `git log -1 --pretty=%h %G? %GS` looking for `G` in the second column. On some platforms the `%G?` format token's `?` character can be eaten by argument resolution, returning empty stdout even when the signature is Good. The fix runs `git verify-commit HEAD` (whose exit code is the canonical signal `required_signatures` GH ruleset enforces) as the primary check; the `%G?` parse stays as a human-readable confirmation but no longer gates the script. Surfaced via dogfooding the orchestrator on this very release. · *`scripts/release.js` Docker bind-mount path handles Windows host paths with spaces* — The `push` phase's gitleaks step bind-mounted the repo root via `-v <path>:/repo`. The previous path transform produced `/C:/Users/...` on Windows, which Docker's `-v src:dst[:mode]` parser interpreted as having three colon-separated fields. Fix: transform `C:\Users\...` to `//c/Users/...` (lowercased drive letter, double-slash prefix — matches Git Bash's `$(pwd)` form Docker Desktop accepts). POSIX hosts pass through unchanged. Operators with Windows paths containing spaces, parentheses, or special characters can now run `node scripts/release.js push` without manual mount fiddling.
12
+
13
+ - v0.12.1 (2026-05-22) — **`b.compliance` posture catalog coverage — 65 missing entries backfilled + drift detector.** Two posture-catalog drifts surfaced during audit: 16 postures had `POSTURE_DEFAULTS` configuration wired but weren't in `KNOWN_POSTURES`, so `b.compliance.set("42-cfr-part-2")` (and 15 others) refused with `bad-posture` despite the cascade defaults existing in the codebase. Separately, 49 `KNOWN_POSTURES` entries had no `REGIME_MAP` record, so `b.compliance.describe(posture)` returned null and admin UI / generated audit reports rendering `"running under <name> (<citation>)"` got empty strings. All 65 entries are now backfilled. New codebase-patterns detector enforces `KNOWN_POSTURES ⊇ POSTURE_DEFAULTS` and `REGIME_MAP ⊇ KNOWN_POSTURES` so the same drift class can't reappear. **Added:** *Sixteen postures promoted into `KNOWN_POSTURES`* — `42-cfr-part-2` (Confidentiality of Substance Use Disorder Patient Records), `hti-1` (ONC HTI-1 health-IT certification), `uscdi-v4` (US Core Data for Interoperability), `irs-1075` (Tax Information Security Guidelines), `nist-800-172-r3` (Enhanced CUI Security), `tlp-2.0` (FIRST Traffic Light Protocol), `soci-au` (Australia SOCI Act), `ffiec-cat-2` (FFIEC Cybersecurity Assessment Tool 2.0), `cri-profile-v2.0` (Cyber Risk Institute Profile), `m-22-09` (OMB Zero Trust Strategy), `m-22-18` (OMB Supply Chain SSDF Attestation), `nist-800-53-r5-privacy` (NIST 800-53 Privacy overlay), `nist-ai-600-1-genai` (NIST GenAI Profile), `nist-csf-2.0` (Cybersecurity Framework 2.0), `sb-53` (California Transparency in Frontier AI Act), `nyc-ll144-2024` (NYC AEDT bias audits). Operators pinning these via `b.compliance.set()` now work end-to-end. · *Forty-nine `REGIME_MAP` records backfilled* — Every `KNOWN_POSTURES` entry now has a `{ name, citation, jurisdiction, domain }` record. 
Spans US state privacy (vcdpa / co-cpa / ctdpa / ucpa / tdpsa / or-cpa / mt-cdpa / ia-icdpa / in-indpa / de-dpdpa / modpa / wmhmda / bipa / ccpa / nydfs-500), EU regulation (dora / nis2 / cra / ai-act / dsa), international (lgpd-br / pipl-cn / appi-jp / pdpa-sg / pipeda-ca / uk-gdpr / irap / bsi-c5 / ens-es), cybersecurity frameworks (nist-800-53 / nist-csf-2.0 / cis-controls-v8 / cwe-top-25-2024), AI (nist-ai-rmf-1.0 / iso-42001-2023 / iso-23894-2023 / owasp-llm-top-10-2025), supply-chain (slsa-v1.0-build-l3 / cyclonedx-v1.6 / spdx-v3.0 / vex-csaf-2.1 / nist-800-218-ssdf), CMMC levels, and sectoral standards (hipaa-security-rule / hitrust-csf-v11.4 / nerc-cip-007-6 / psd2-rts-sca / swift-cscf-v2026 / iec-62443-3-3 / nist-800-82-r3 / nist-800-63b-rev4 / fda-21cfr11 / fda-annex-11 / sec-1.05 / sox-404 / soc2-cc1.3 / cfpb-1033 / fapi-2.0 / staterramp / uk-g-cloud / hipaa-2026 / quebec-25 / 5 US state student-privacy postures / tcpa-10dlc / iab-tcf-v2.3 / iab-mspa). **Detectors:** *Compliance posture coverage gate* — `testCompliancePostureCoverage` enforces two invariants on every release: (1) every `POSTURE_DEFAULTS` key is in `KNOWN_POSTURES` so `b.compliance.set()` accepts it; (2) every `KNOWN_POSTURES` entry has a `REGIME_MAP` record so `b.compliance.describe()` resolves. Each violation reports the specific posture-name + file:line of the bad entry. Future operators adding a posture see the gate fire if either invariant breaks.
14
+
11
15
  - v0.12.0 (2026-05-22) — **`scripts/release.js` — orchestrated release flow with idempotent subcommands.** A single script automates the framework's release-flow mechanics. Eight subcommands run in sequence (`prepare` → `smoke` → `commit` → `push` → `watch` → `merge` → `tag` → `publish`), each idempotent so an operator can stop and resume at any phase. The script reads `release-notes/v<next>.json` to drive the commit body + PR body so the same operator-facing content lands in CHANGELOG + commit + PR. The judgment-requiring parts (writing release-notes content, reviewing Codex P1/P2 findings, choosing minor vs patch) stay manual — the script flags + stops on those, never silently chooses for the operator. Minor bump because this is an additive operator-facing surface (a new top-level script + workflow). **Added:** *`node scripts/release.js prepare [--minor]`* — Bumps `package.json` (patch by default, `--minor` for a minor bump), regenerates `CHANGELOG.md` from `release-notes/v<next>.json`, refreshes `api-snapshot.json`, runs `eslint` + `codebase-patterns` + `validate-source-comment-blocks` + `check-api-snapshot` + `check-changelog-extract`. Refuses if the release-notes JSON is missing — prints a stub template to stdout so the operator fills in headline + summary + sections before re-running. · *`node scripts/release.js smoke`* — Runs `SMOKE_PARALLEL=64 node test/smoke.js`. Auto-detects wiki changes via `git diff --name-only` and runs the wiki e2e suite when `examples/wiki/**` was touched; skips otherwise. · *`node scripts/release.js commit`* — Creates the `release/v<next>` branch, composes the commit body from the release-notes JSON (headline + summary + sections summarised as bullets), and creates a signed commit. Verifies the signature shows `G` (Good + trusted); refuses with a pointer to the SSH-signing setup section of the deploy docs when it shows `U` (Untrusted) or `N` (Unsigned). 
· *`node scripts/release.js push`* — Runs gitleaks against the whole git history. Pushes the release branch. Opens the PR with title `<version> — <headline>` and a body that includes the release-notes summary + a Test plan checklist. Mounts the working directory via the platform-appropriate Docker bind path (handles Windows Git Bash's `/$(pwd)` quirk). · *`node scripts/release.js watch`* — Runs `gh pr checks --watch` then enumerates open review threads via GraphQL. When any Codex (or human) thread is unresolved, prints the per-thread author + first line + exits non-zero so the operator addresses them in a new commit + re-runs watch. When all threads are resolved + CI is clean, the next step (`merge`) becomes the obvious continuation. · *`node scripts/release.js merge`* — Refuses unless the PR is `mergeStateStatus=CLEAN` + `mergeable=MERGEABLE` + zero unresolved review threads. Squash-merges + deletes the release branch. Pulls main. · *`node scripts/release.js tag`* — Creates the signed annotated tag `v<version>` + pushes it. Verifies the tag signature reports `Good`. Refuses if the tag already exists locally. · *`node scripts/release.js publish`* — Watches the npm-publish + release-container workflows triggered by the tag push. Cross-checks `npm view @blamejs/core version` against the expected version; warns if they don't match (workflow may still be in flight or have failed). · *`node scripts/release.js all [--minor]`* — Runs all eight subcommands in sequence. Pauses on the watch phase if any review thread is unresolved (operator addresses + re-runs `all` from `watch` onward). · *`node scripts/release.js status` + `help`* — `status` reports the current branch, working-tree cleanliness, package version, presence of `release-notes/v<version>.json`, and any open PR for the current release branch. `help` prints the subcommand banner. Both are read-only — safe to run anytime. **Changed:** *Minor bump (additive surface)* — First minor bump since v0.11.0. 
The release script is a new top-level operator surface — additive, no existing API breaks. Operators following the previous multi-step release flow keep working unchanged; the script is opt-in.
12
16
 
13
17
  ## v0.11.x
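Review bot: the v0.12.2 and v0.12.1 entries describe changes to `scripts/release.js`, `CONTRIBUTING.md`, `examples/wiki/DEPLOY.md` and a new `testCompliancePostureCoverage` detector, none of which appear in this published-package diff (only `CHANGELOG.md`, `lib/calendar.js`, `lib/compliance.js`, `package.json` and `sbom.cdx.json` change), so a registry consumer can verify only the `lib/compliance.js` backfill from here; consider marking in each entry which items are repo-only tooling and which are shipped library code. The v0.12.1 "Forty-nine `REGIME_MAP` records backfilled" bullet lists postures such as `vcdpa`, `lgpd-br`, `hipaa-2026` and `quebec-25` that are not among the records added in the `lib/compliance.js` hunk below; if that list describes total coverage after the fix rather than the backfill itself, reword it so readers do not look for those additions in the diff. On the v0.12.2 signature-gate fix: as described, the old `%G?` parse returned empty stdout and the gate looked for `G`, so the failure mode was a false refusal of a Good signature, not a bypass; say that explicitly so the entry is not read as a fix for unsigned commits slipping through, and note that keying the gate off the exit status of `git verify-commit HEAD` keeps it fail-closed.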
package/lib/calendar.js CHANGED
@@ -12,18 +12,24 @@
12
12
  * JSON-native JSCalendar surface JMAP Calendars (RFC 8984 / draft-
13
13
  * ietf-jmap-calendars) requires for cross-protocol interop.
14
14
  *
15
- * v1 scope:
16
- * - `validate(jsCal)` — assert JSCalendar Event / Task shape
17
- * - `fromIcal(text, opts?)` VCALENDAR.VEVENT JSCalendar Event
18
- * - `toIcal(jsCal, opts?)` — JSCalendar Event VCALENDAR
15
+ * Scope:
16
+ * - `validate(jsCal)` — assert JSCalendar Event / Task / Note /
17
+ * Group shape (RFC 8984 §5 / §6 / §1.4.4).
18
+ * - `fromIcal(text, opts?)` — VCALENDAR.VEVENTEvent,
19
+ * VTODO → Task, VJOURNAL → Note. Mixed-component VCALENDARs
20
+ * return an array.
21
+ * - `toIcal(jsCal, opts?)` — Event → VEVENT, Task → VTODO, Note →
22
+ * VJOURNAL. Group emits a single VCALENDAR wrapping every
23
+ * entry's component.
19
24
  * - `expandRecurrence(event, { from, to, max })` — RRULE expansion
20
25
  * for FREQ=DAILY/WEEKLY/MONTHLY/YEARLY with UNTIL/COUNT/INTERVAL
26
+ * and BYDAY/BYMONTH/BYMONTHDAY/BYWEEKNO/BYYEARDAY/BYHOUR/
27
+ * BYMINUTE/BYSECOND/BYSETPOS. Multiple `recurrenceRules`
28
+ * expand independently and UNION per RFC 8984 §4.3.2.
21
29
  *
22
30
  * Deferred-with-condition (no operator demand yet):
23
- * - BYSETPOS / BYWEEKNO / BYYEARDAY (RFC 5545 §3.3.10) — RFC 7529
24
- * non-Gregorian calendars; floating timezone resolution.
25
- * - VTODO / VJOURNAL → Task / Note objects (RFC 8984 §5/§6).
26
- * - JSCalendar Group objects (RFC 8984 §1.4.4).
31
+ * - RFC 7529 non-Gregorian calendars.
32
+ * - Floating-timezone resolution against IANA TZDB.
27
33
  *
28
34
  * @card
29
35
  * JSCalendar (RFC 8984) ↔ iCalendar (RFC 5545) bridge — validate,
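Review bot: this hunk changes only the header comment: BYSETPOS/BYWEEKNO/BYYEARDAY, VTODO/VJOURNAL to Task/Note, and Group objects move from "Deferred-with-condition" into "Scope", but no implementation lines in `lib/calendar.js` change in this diff and neither the v0.12.1 nor the v0.12.2 CHANGELOG entry mentions calendar. If the implementation landed in an earlier release and the comment is catching up, say so in a changelog line; if not, the comment now overstates what `expandRecurrence` and `fromIcal` support, and since this is the `@card` text operators read, that should be settled before publish. Separately, as rendered here the line `* - \`fromIcal(text, opts?)\` — VCALENDAR.VEVENTEvent,` is missing the arrow between `VCALENDAR.VEVENT` and `Event` that the `VTODO → Task` and `VJOURNAL → Note` mappings on the next line use (the removed line had the same gap).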
package/lib/compliance.js CHANGED
@@ -254,6 +254,27 @@ var KNOWN_POSTURES = Object.freeze([
254
254
  // L1/L2/L3 postures are the recommended pin for new deployments.
255
255
  "cmmc-2.0-level-1", // CMMC 2.0 Level 1 (Foundational) — 15 FAR controls; FCI-only data // allow:raw-byte-literal — regulatory identifier, not bytes
256
256
  "cmmc-2.0-level-3", // CMMC 2.0 Level 3 (Expert) — NIST 800-172 enhanced controls atop L2 // allow:raw-byte-literal — regulatory identifier, not bytes
257
+ // ---- v0.12.1 — promote POSTURE_DEFAULTS-only entries into the
258
+ // canonical KNOWN_POSTURES surface so operators can actually
259
+ // `b.compliance.set(...)` them. Each entry had cascade
260
+ // configuration wired but couldn't be pinned because set()'s
261
+ // KNOWN_POSTURES check refused unknown strings.
262
+ "42-cfr-part-2", // 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records (HHS final rule 2024-02-08) // allow:raw-byte-literal — CFR section identifier, not bytes
263
+ "hti-1", // ONC HTI-1 — Health IT certification + algorithm transparency (45 CFR Part 170; effective 2024-12-31)
264
+ "uscdi-v4", // USCDI v4 — US Core Data for Interoperability v4 (ONC; 2024-01) // allow:raw-byte-literal — version identifier, not bytes
265
+ "irs-1075", // IRS Publication 1075 — Tax Information Security Guidelines (Rev. 11-2023) // allow:raw-byte-literal — publication number, not bytes
266
+ "nist-800-172-r3", // NIST SP 800-172 Rev 3 — Enhanced Security Requirements for CUI // allow:raw-byte-literal — publication number, not bytes
267
+ "tlp-2.0", // FIRST Traffic Light Protocol 2.0 — information-sharing classifications (TLP:CLEAR / GREEN / AMBER / AMBER+STRICT / RED)
268
+ "soci-au", // Australia Security of Critical Infrastructure Act (SOCI 2018) + 2022 amendments
269
+ "ffiec-cat-2", // FFIEC Cybersecurity Assessment Tool 2.0 (federal financial institution exam) // allow:raw-byte-literal — tool version, not bytes
270
+ "cri-profile-v2.0", // Cyber Risk Institute Profile v2.0 — financial-services framework mapping (NIST CSF cross-walk) // allow:raw-byte-literal — version identifier, not bytes
271
+ "m-22-09", // OMB M-22-09 — Federal Zero Trust Architecture Strategy
272
+ "m-22-18", // OMB M-22-18 — Enhancing Software Supply Chain Security (SSDF attestation)
273
+ "nist-800-53-r5-privacy", // NIST SP 800-53 Rev 5 — Privacy Control Family overlay // allow:raw-byte-literal — publication number, not bytes
274
+ "nist-ai-600-1-genai", // NIST AI 600-1 — Generative AI Profile (companion to AI RMF 1.0) // allow:raw-byte-literal — publication number, not bytes
275
+ "nist-csf-2.0", // NIST Cybersecurity Framework 2.0 (Feb 2024) // allow:raw-byte-literal — framework version, not bytes
276
+ "sb-53", // California SB-53 — Transparency in Frontier AI Act (effective 2025-09-29) // allow:raw-byte-literal — statute identifier, not bytes
277
+ "nyc-ll144-2024", // NYC Local Law 144 — Automated Employment Decision Tool bias audits (2024 enforcement update) // allow:raw-byte-literal — statute identifier, not bytes
257
278
  ]);
258
279
 
259
280
  // SUPPLY-34 — Artifact standards (SBOM / VEX format families) are NOT
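Review bot: the `// allow:raw-byte-literal` annotation is applied inconsistently across the sixteen new entries: `"hti-1"`, `"tlp-2.0"`, `"soci-au"`, `"m-22-09"` and `"m-22-18"` carry none while neighbours of the same digit-bearing shape (`"irs-1075"`, `"sb-53"`) do. If the codebase-patterns detector only fires on certain shapes the extra annotations are noise; if it fires on all of them, these five will fail the lint run the `prepare` phase performs. One rule applied uniformly is easier to audit than per-line judgement. On the fix itself: adding the entries to the `KNOWN_POSTURES` allow-list rather than relaxing the `set()` refusal of unknown strings keeps the fail-closed behaviour, which is the right call; the comment block should also name the invariant the new detector enforces (`KNOWN_POSTURES ⊇ POSTURE_DEFAULTS`) so a reader of this file finds the guard without consulting the changelog.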
@@ -784,6 +805,79 @@ var REGIME_MAP = Object.freeze({
784
805
  "nist-800-66-r2": { name: "NIST SP 800-66 Rev 2 — HIPAA Security Rule Guidance", citation: "NIST SP 800-66 Rev 2 (Feb 2024)", jurisdiction: "US", domain: "health" },
785
806
  "ehds": { name: "European Health Data Space", citation: "Regulation (EU) 2025/327 (phased 2027-2029)", jurisdiction: "EU", domain: "health" },
786
807
  "circia": { name: "Cyber Incident Reporting for Critical Infrastructure Act", citation: "6 U.S.C. §681 et seq. (final rule pending)", jurisdiction: "US", domain: "cybersecurity" },
808
+ // ---- v0.12.1 — REGIME_MAP backfill for KNOWN_POSTURES without
809
+ // describe() coverage. Each entry resolves `b.compliance.describe
810
+ // (posture)` → { name, citation, jurisdiction, domain } so admin
811
+ // UI / generated audit reports rendering "running under <name>
812
+ // (<citation>)" stops getting null.
813
+ // ---- POSTURE_DEFAULTS-orphan postures promoted into KNOWN_POSTURES ----
814
+ "42-cfr-part-2": { name: "Confidentiality of Substance Use Disorder Patient Records", citation: "42 CFR Part 2 (HHS final rule effective 2024-02-08)", jurisdiction: "US", domain: "health" },
815
+ "hti-1": { name: "ONC HTI-1 Final Rule — Health IT Certification + Algorithm Transparency", citation: "45 CFR Part 170 / 89 FR 1192 (effective 2024-12-31)", jurisdiction: "US", domain: "health" },
816
+ "uscdi-v4": { name: "US Core Data for Interoperability v4", citation: "ONC USCDI v4 (Jan 2024)", jurisdiction: "US", domain: "health" },
817
+ "irs-1075": { name: "IRS Publication 1075 — Tax Information Security Guidelines", citation: "IRS Pub 1075 (Rev. 11-2023)", jurisdiction: "US", domain: "tax" },
818
+ "nist-800-172-r3": { name: "NIST SP 800-172 Rev 3 — Enhanced CUI Security Requirements", citation: "NIST SP 800-172 Rev 3", jurisdiction: "US", domain: "cybersecurity" },
819
+ "tlp-2.0": { name: "FIRST Traffic Light Protocol 2.0", citation: "FIRST TLP v2.0 (Aug 2022)", jurisdiction: "international", domain: "information-sharing" },
820
+ "soci-au": { name: "Australia Security of Critical Infrastructure Act", citation: "SOCI 2018 + 2022 amendments", jurisdiction: "AU", domain: "critical-infrastructure" },
821
+ "ffiec-cat-2": { name: "FFIEC Cybersecurity Assessment Tool 2.0", citation: "FFIEC CAT v2.0", jurisdiction: "US", domain: "financial" },
822
+ "cri-profile-v2.0":{ name: "Cyber Risk Institute Profile v2.0", citation: "CRI Profile v2.0 (financial-services NIST CSF cross-walk)", jurisdiction: "US", domain: "financial" },
823
+ "m-22-09": { name: "OMB M-22-09 — Federal Zero Trust Architecture Strategy", citation: "OMB Memorandum M-22-09 (2022-01-26)", jurisdiction: "US", domain: "cybersecurity" },
824
+ "m-22-18": { name: "OMB M-22-18 — Software Supply Chain Security", citation: "OMB Memorandum M-22-18 (2022-09-14)", jurisdiction: "US", domain: "supply-chain" },
825
+ "nist-800-53-r5-privacy": { name: "NIST SP 800-53 Rev 5 — Privacy Control Family", citation: "NIST SP 800-53 Rev 5 (Privacy overlay)", jurisdiction: "US", domain: "privacy" },
826
+ "nist-ai-600-1-genai": { name: "NIST AI 600-1 — Generative AI Profile", citation: "NIST AI 600-1 (Jul 2024) — companion to AI RMF 1.0", jurisdiction: "US", domain: "ai" },
827
+ "nist-csf-2.0": { name: "NIST Cybersecurity Framework 2.0", citation: "NIST CSF 2.0 (Feb 2024)", jurisdiction: "US", domain: "cybersecurity" },
828
+ "sb-53": { name: "California SB-53 — Transparency in Frontier AI Act", citation: "Cal. Health & Safety Code §22757 et seq. (effective 2025-09-29)", jurisdiction: "US-CA", domain: "ai" },
829
+ "nyc-ll144-2024": { name: "NYC Local Law 144 — Automated Employment Decision Tool Bias Audits", citation: "NYC Local Law 144 of 2021 + 2024 DCWP enforcement update", jurisdiction: "US-NY", domain: "ai" },
830
+ // ---- Pre-existing KNOWN_POSTURES that lacked REGIME_MAP records ----
831
+ "sox-404": { name: "Sarbanes-Oxley §404 — Internal Controls over Financial Reporting", citation: "15 U.S.C. §7262", jurisdiction: "US", domain: "financial-reporting" },
832
+ "soc2-cc1.3": { name: "SOC 2 Trust Services Criterion CC1.3 — Segregation of Duties", citation: "AICPA Trust Services Criteria CC1.3", jurisdiction: "US", domain: "audit-attestation" },
833
+ "fapi-2.0": { name: "Financial-grade API 2.0 Final", citation: "OpenID Foundation FAPI 2.0 Final (Feb 2025)", jurisdiction: "international", domain: "financial" },
834
+ "cfpb-1033": { name: "CFPB §1033 — Personal Financial Data Rights", citation: "12 CFR Part 1033 (Final Rule 2024-10-22; tiered effective dates from 2026-04-01)", jurisdiction: "US", domain: "financial" },
835
+ "iab-tcf-v2.3": { name: "IAB Transparency & Consent Framework v2.3", citation: "IAB Europe TCF v2.3 (Sep 2024)", jurisdiction: "EU", domain: "advertising" },
836
+ "iab-mspa": { name: "IAB Multi-State Privacy Agreement", citation: "IAB Tech Lab MSPA + Global Privacy Platform", jurisdiction: "US", domain: "privacy" },
837
+ "tcpa-10dlc": { name: "TCPA 10DLC Messaging Compliance", citation: "47 U.S.C. §227 + CTIA 10DLC + FCC 1:1 disclosure rule", jurisdiction: "US", domain: "telecommunications" },
838
+ "fda-21cfr11": { name: "FDA 21 CFR Part 11 — Electronic Records / Signatures", citation: "21 CFR Part 11", jurisdiction: "US", domain: "life-sciences" },
839
+ "fda-annex-11": { name: "EU GMP Annex 11 — Computerized Systems", citation: "EudraLex Vol. 4 Annex 11", jurisdiction: "EU", domain: "life-sciences" },
840
+ "sec-1.05": { name: "SEC Cybersecurity Risk Management — Item 1.05 Form 8-K", citation: "17 CFR §229.106 + Item 1.05 (effective 2023-12-18)", jurisdiction: "US", domain: "financial-reporting" },
841
+ "ny-2-d": { name: "NY Education Law §2-d — Student Privacy", citation: "N.Y. Educ. Law §2-d", jurisdiction: "US-NY", domain: "education" },
842
+ "il-soppa": { name: "Illinois Student Online Personal Protection Act", citation: "105 ILCS 85", jurisdiction: "US-IL", domain: "education" },
843
+ "ca-sopipa": { name: "California Student Online Personal Information Protection Act", citation: "Cal. Bus. & Prof. Code §22584", jurisdiction: "US-CA", domain: "education" },
844
+ "ct-pa-5-2": { name: "Connecticut Public Act 5-2 — Student Data Privacy", citation: "Conn. Public Act No. 16-189", jurisdiction: "US-CT", domain: "education" },
845
+ "tx-hb-4504": { name: "Texas HB 4504 — Student Data Privacy", citation: "Tex. Educ. Code §32.151", jurisdiction: "US-TX", domain: "education" },
846
+ "va-sb-1376": { name: "Virginia SB 1376 — Student Data Privacy", citation: "Va. Code §22.1-289.01", jurisdiction: "US-VA", domain: "education" },
847
+ "staterramp": { name: "StateRAMP / TX-RAMP / AZ-RAMP / GovRAMP Family", citation: "StateRAMP Program (FedRAMP-Moderate cross-walk)", jurisdiction: "US", domain: "cybersecurity" },
848
+ "irap": { name: "Australia Information Security Registered Assessors Program / Essential Eight / ISM", citation: "ASD IRAP + ISM", jurisdiction: "AU", domain: "cybersecurity" },
849
+ "bsi-c5": { name: "Germany BSI C5 — Cloud Computing Compliance Catalogue", citation: "BSI Cloud Computing Compliance Criteria Catalogue (C5:2020)", jurisdiction: "DE", domain: "cybersecurity" },
850
+ "ens-es": { name: "Spain Esquema Nacional de Seguridad", citation: "Real Decreto 311/2022", jurisdiction: "ES", domain: "cybersecurity" },
851
+ "uk-g-cloud": { name: "UK G-Cloud Framework", citation: "UK Crown Commercial Service G-Cloud 14", jurisdiction: "UK", domain: "cybersecurity" },
852
+ // ---- v0.9.6 expansion REGIME_MAP backfill (cybersecurity / AI / supply-chain frameworks) ----
853
+ "nist-800-53": { name: "NIST SP 800-53 Rev 5 — Security & Privacy Controls", citation: "NIST SP 800-53 Rev 5", jurisdiction: "US", domain: "cybersecurity" },
854
+ "nist-ai-rmf-1.0": { name: "NIST AI Risk Management Framework 1.0", citation: "NIST AI 100-1 (Jan 2023)", jurisdiction: "US", domain: "ai" },
855
+ "iso-42001-2023": { name: "ISO/IEC 42001:2023 — AI Management System", citation: "ISO/IEC 42001:2023", jurisdiction: "international", domain: "ai" },
856
+ "iso-23894-2023": { name: "ISO/IEC 23894:2023 — AI Risk Management", citation: "ISO/IEC 23894:2023", jurisdiction: "international", domain: "ai" },
857
+ "owasp-llm-top-10-2025": { name: "OWASP Top 10 for LLM Applications 2025", citation: "OWASP LLM Top 10 v2025", jurisdiction: "international", domain: "ai" },
858
+ "owasp-asvs-v5.0": { name: "OWASP Application Security Verification Standard v5.0", citation: "OWASP ASVS v5.0", jurisdiction: "international", domain: "cybersecurity" },
859
+ "nist-800-218-ssdf": { name: "NIST SP 800-218 — Secure Software Development Framework", citation: "NIST SP 800-218 v1.1", jurisdiction: "US", domain: "supply-chain" },
860
+ "nist-800-82-r3": { name: "NIST SP 800-82 Rev 3 — OT Security Guide", citation: "NIST SP 800-82 Rev 3", jurisdiction: "US", domain: "operational-technology" },
861
+ "nist-800-63b-rev4": { name: "NIST SP 800-63B Rev 4 — Digital Identity Authentication", citation: "NIST SP 800-63B Rev 4", jurisdiction: "US", domain: "identity" },
862
+ "iec-62443-3-3": { name: "IEC 62443-3-3 — IACS System Security", citation: "IEC 62443-3-3:2013", jurisdiction: "international", domain: "operational-technology" },
863
+ "fedramp-rev5-moderate": { name: "FedRAMP Rev 5 Moderate Baseline", citation: "GSA FedRAMP Rev 5 (Moderate baseline)", jurisdiction: "US", domain: "cybersecurity" },
864
+ "hipaa-security-rule": { name: "HIPAA Security Rule — Technical Safeguards", citation: "45 CFR §164.312", jurisdiction: "US", domain: "health" },
865
+ "hitrust-csf-v11.4": { name: "HITRUST Common Security Framework v11.4", citation: "HITRUST CSF v11.4", jurisdiction: "US", domain: "health" },
866
+ "nerc-cip-007-6": { name: "NERC CIP-007-6 — BES Cyber System Security Management", citation: "NERC CIP-007-6", jurisdiction: "US", domain: "energy" },
867
+ "psd2-rts-sca": { name: "EU PSD2 RTS on Strong Customer Authentication", citation: "Commission Delegated Regulation 2018/389", jurisdiction: "EU", domain: "financial" },
868
+ "swift-cscf-v2026": { name: "SWIFT Customer Security Controls Framework v2026", citation: "SWIFT CSCF v2026", jurisdiction: "international", domain: "financial" },
869
+ "slsa-v1.0-build-l3": { name: "SLSA v1.0 Build Track Level 3", citation: "SLSA Specification v1.0", jurisdiction: "international", domain: "supply-chain" },
870
+ "vex-csaf-2.1": { name: "OASIS CSAF 2.1 — VEX", citation: "OASIS CSAF 2.1", jurisdiction: "international", domain: "supply-chain" },
871
+ "cyclonedx-v1.6": { name: "CycloneDX v1.6 SBOM", citation: "OWASP CycloneDX v1.6", jurisdiction: "international", domain: "supply-chain" },
872
+ "spdx-v3.0": { name: "SPDX v3.0 SBOM", citation: "Linux Foundation SPDX v3.0", jurisdiction: "international", domain: "supply-chain" },
873
+ "owasp-wstg-v5": { name: "OWASP Web Security Testing Guide v5", citation: "OWASP WSTG v5", jurisdiction: "international", domain: "cybersecurity" },
874
+ "ptes": { name: "Penetration Testing Execution Standard", citation: "PTES (community standard)", jurisdiction: "international", domain: "cybersecurity" },
875
+ "nist-800-115": { name: "NIST SP 800-115 — Technical Guide to Information Security Testing", citation: "NIST SP 800-115", jurisdiction: "US", domain: "cybersecurity" },
876
+ "cwe-top-25-2024": { name: "CWE Top 25 Most Dangerous Software Weaknesses (2024)", citation: "MITRE CWE Top 25 (2024)", jurisdiction: "international", domain: "cybersecurity" },
877
+ "cis-controls-v8": { name: "CIS Controls v8", citation: "Center for Internet Security CIS Controls v8", jurisdiction: "international", domain: "cybersecurity" },
878
+ "cmmc-2.0-level-2": { name: "CMMC 2.0 Level 2 — Advanced", citation: "32 CFR Part 170 + NIST SP 800-171 Rev 2", jurisdiction: "US", domain: "cybersecurity" },
879
+ "cmmc-2.0-level-1": { name: "CMMC 2.0 Level 1 — Foundational", citation: "32 CFR Part 170 + FAR 52.204-21", jurisdiction: "US", domain: "cybersecurity" },
880
+ "cmmc-2.0-level-3": { name: "CMMC 2.0 Level 3 — Expert", citation: "32 CFR Part 170 + NIST SP 800-172 enhanced", jurisdiction: "US", domain: "cybersecurity" },
787
881
  });
788
882
 
789
883
  /**
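Review bot: the record for `"fda-annex-11"` names EU GMP Annex 11 with `jurisdiction: "EU"` and citation `EudraLex Vol. 4 Annex 11`, so the `fda-` prefix in the posture key is misleading; renaming the key would break operators already pinning it, so at minimum the `name` should flag that the key is historical. Also `"cri-profile-v2.0":{` lacks the space after the colon every other record has. More substantively, `domain` and `jurisdiction` are free-form strings with a vocabulary that grows in this hunk (`financial`, `financial-reporting`, `audit-attestation`, `information-sharing`, `tax`, `life-sciences`, `US-CA`, `US-NY`, `international`); since the changelog says admin UI and generated audit reports render these fields, the new coverage detector should also check that each record has all four keys as non-empty strings and that `domain` / `jurisdiction` come from a frozen list, otherwise a typo in a future record passes the `REGIME_MAP ⊇ KNOWN_POSTURES` check and still renders wrong.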
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/core",
3
- "version": "0.12.0",
3
+ "version": "0.12.2",
4
4
  "description": "The Node framework that owns its stack.",
5
5
  "license": "Apache-2.0",
6
6
  "author": "blamejs contributors",
package/sbom.cdx.json CHANGED
@@ -2,10 +2,10 @@
2
2
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
3
3
  "bomFormat": "CycloneDX",
4
4
  "specVersion": "1.5",
5
- "serialNumber": "urn:uuid:8c4e3f98-d5b0-4b97-a108-7ea2093527b5",
5
+ "serialNumber": "urn:uuid:2087d993-70be-4b42-a8e8-bd0ba88a46b0",
6
6
  "version": 1,
7
7
  "metadata": {
8
- "timestamp": "2026-05-22T16:44:43.720Z",
8
+ "timestamp": "2026-05-22T19:02:03.888Z",
9
9
  "lifecycles": [
10
10
  {
11
11
  "phase": "build"
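Review bot: `serialNumber` is regenerated while `version` stays at `1`, which is the correct CycloneDX pairing (the `version` field counts revisions of one serial number, so a fresh serial for a fresh build should start at 1). The `timestamp` moves from 16:44 to 19:02 on the same day across two patch releases, so this document describes only the 0.12.2 build; a consumer comparing against 0.12.1 will find no intermediate BOM in this diff.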
@@ -19,14 +19,14 @@
19
19
  }
20
20
  ],
21
21
  "component": {
22
- "bom-ref": "@blamejs/core@0.12.0",
22
+ "bom-ref": "@blamejs/core@0.12.2",
23
23
  "type": "application",
24
24
  "name": "blamejs",
25
- "version": "0.12.0",
25
+ "version": "0.12.2",
26
26
  "scope": "required",
27
27
  "author": "blamejs contributors",
28
28
  "description": "The Node framework that owns its stack.",
29
- "purl": "pkg:npm/%40blamejs/core@0.12.0",
29
+ "purl": "pkg:npm/%40blamejs/core@0.12.2",
30
30
  "properties": [],
31
31
  "externalReferences": [
32
32
  {
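Review bot: `component.name` is `"blamejs"` while `bom-ref` and `purl` identify `@blamejs/core`; CycloneDX carries the npm scope in the component `group` field, so `"group": "@blamejs"` with `"name": "core"` would make the component identity agree with the purl and with the `package.json` name. Tooling that correlates on name plus version rather than on purl will otherwise fail to match this component to the published package.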
@@ -54,7 +54,7 @@
54
54
  "components": [],
55
55
  "dependencies": [
56
56
  {
57
- "ref": "@blamejs/core@0.12.0",
57
+ "ref": "@blamejs/core@0.12.2",
58
58
  "dependsOn": []
59
59
  }
60
60
  ]
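Review bot: `"components": []` together with `"dependsOn": []` on the root ref means this SBOM asserts that the package has no dependencies at all. If that is true of the runtime dependency set (consistent with the "owns its stack" description above), state that the omission is deliberate, for example in the release notes or a `properties` entry on the component, because an empty components array is also what a generator emits when pointed at the wrong directory, and a consumer cannot tell the two cases apart from the document alone.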