@blamejs/core 0.12.25 → 0.12.26

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.26 (2026-05-24) — **`b.compliance` posture cascades — `eu-ai-act` + `ca-ab-853` + `cac-genai-label` POSTURE_DEFAULTS + backup encryption refusal.** Three new posture cascades wired into `b.compliance.POSTURE_DEFAULTS` + `KNOWN_POSTURES` + `REGIME_MAP` so operators globally pinning the EU AI Act / California AB-853 / China CAC GenAI postures get the right floors automatically: backupEncryptionRequired:true, auditChainSignedRequired:true, tlsMinVersion:TLSv1.3, requireVacuumAfterErase:true. `b.backup.bundleAdapterStorage` extends the encryption-required posture list to include the three new postures so `cryptoStrategy: "none"` is refused upfront under any of them (parity with HIPAA + PCI-DSS, which the operator surface has carried since v0.12.10). The canonical `eu-ai-act` posture is the production name; the legacy `ai-act` short name stays in KNOWN_POSTURES for back-compat with operators who pinned it pre-v0.12.26. **Added:** *`eu-ai-act` posture cascade — Regulation (EU) 2024/1689* — POSTURE_DEFAULTS entry: backupEncryptionRequired:true (Art. 12 logging + Art. 15 robustness/cybersecurity demand encryption-at-rest for high-risk system training logs), auditChainSignedRequired:true (Art. 12 + Art. 13 audit-chain integrity), tlsMinVersion:TLSv1.3, requireVacuumAfterErase:true (Art. 50(4) synthetic-content provenance — residual EXIF / metadata pointing at the generating model must be cleared on erase). REGIME_MAP entry under jurisdiction:"EU" domain:"ai-governance". KNOWN_POSTURES carries both `eu-ai-act` (canonical) and `ai-act` (legacy short name). · *`ca-ab-853` posture cascade — California AB-853 effective 2026* — Same encryption + audit floor as eu-ai-act; jurisdiction:"US-CA". Model-generated content watermarking + disclosure regime. Operators serving California traffic pin this posture for the AB-853 §22949.91 obligations the v0.12.12 deepfake primitive's crossWalk references. · *`cac-genai-label` posture cascade — China CAC GenAI Service Measures* — Synthetic-content labelling per Art. 12 + algorithm filing per Art. 4. Same backup encryption + signed audit chain floor. Operators serving Chinese traffic pin this posture so the bundleAdapterStorage refuses plaintext bundles and the disclosure primitive's `jurisdiction: "cn"` cross-walk produces the right legal-reference array. · *`bundleAdapterStorage` BACKUP_ENCRYPTION_REQUIRED_POSTURES extended* — `hipaa` + `pci-dss` (the v0.12.10 baseline) joined by the three AI postures. `cryptoStrategy: "none"` refused upfront under any of `eu-ai-act` / `ca-ab-853` / `cac-genai-label` with `backup/posture-requires-encryption`. Operators wiring backup storage in a regulated AI deployment now get the same posture-driven gate that the storage primitive has always applied to health + payment data.
+
 - v0.12.25 (2026-05-24) — **`b.ai.disclosure.applyAll(scenario)` — bundle Art. 50(1) / 50(3) / 50(4) disclosures for mixed-modality AI systems.** Composes the three v0.12.12 disclosure primitives (chatbot / deepfake / emotion) into a single bundled emit. Operators running mixed-modality AI systems (e.g. a chatbot that also generates images, or an emotion-recognition system embedded in a chat flow) declare which Art. 50 obligations apply via `scenario.kinds` and the primitive fans out to the per-obligation emit calls in one pass. Shared opts (jurisdiction, language, audit, correlationId) propagate to every per-kind emission so the cross-walk + audit-chain entries stay correlated across the bundle. **Added:** *`b.ai.disclosure.applyAll(scenario)` — multi-obligation bundled emit* — `scenario.kinds: ["chatbot", "deepfake", "emotion"]` (subset) selects which Art. 50 obligations to satisfy. Per-kind required fields (session for chatbot, content + contentType for deepfake) refused upfront when missing. Returns `{ disclosures: { chatbot?, deepfake?, emotion? } }` with each entry being the corresponding primitive's emission payload. Shared opts propagate: `scenario.jurisdiction` / `scenario.language` / `scenario.audit` / `scenario.correlationId` reach every per-kind call so a US-CA deployment serving chat + image gets both the AB-853 cross-walk AND the Art. 50(1) audit event under the same correlationId.
 
 - v0.12.24 (2026-05-24) — **`bundleAdapterStorage.findBundles(predicate, opts?)` — predicate-based filtering over listBundles entries.** Small helper that composes with listBundles for operators wanting to filter the bundle set without hand-rolling the walk. `storage.findBundles(predicate, opts?)` iterates listBundles + returns entries where `predicate(entry)` is truthy. Predicate sees the listBundles entry shape (`{ bundleId, format, createdAt, size }`); `opts.withStats: true` enables `createdAt` + `size` for predicates that need them. Common operator filters — by format (`b => b.format === "tar.gz"`), by age (`b => Date.parse(b.createdAt) < cutoff`), by size — now read as a single call. **Added:** *`storage.findBundles(predicate, opts?)` — predicate-based bundle filter* — Operator-supplied predicate runs against every listBundles entry; matches accumulate into the returned array. `opts.withStats: true` is forwarded to listBundles so predicates relying on `createdAt` / `size` see populated values. Non-function predicate refused upfront with `backup/bad-arg`. Predicate throws bubble up to the caller (operators see their own filter errors, not swallowed). Stable ordering is whatever listBundles produces (reverse-chronological by bundleId).

package/lib/backup/index.js

@@ -76,8 +76,19 @@ var BackupError = defineClass("BackupError");
 // and encrypted") and HIPAA §164.310(d)(2)(iv) ("create a retrievable,
 // exact copy of ePHI" — encryption strongly implied by §164.312(a)(2)
 // (iv) addressable encryption standard).
+// v0.12.26 — the AI Act / AB-853 / CAC postures all carry
+// `backupEncryptionRequired: true` in POSTURE_DEFAULTS (per
+// compliance.js); list them here so bundleAdapterStorage's
+// posture check refuses plaintext bundles under these regimes
+// alongside the long-standing HIPAA + PCI-DSS pair.
+// Codex P1 on v0.12.26 PR #177 — the legacy `ai-act` short
+// name MUST appear in the backup encryption-required list too,
+// otherwise a deployment pinned to `posture: "ai-act"` (the
+// stated back-compat path) bypasses the cryptoStrategy refusal
+// and writes plaintext bundles under what should be an EU AI
+// Act gate. Both names share the cascade.
 var BACKUP_ENCRYPTION_REQUIRED_POSTURES = Object.freeze([
-  "hipaa", "pci-dss",
+  "hipaa", "pci-dss", "ai-act", "eu-ai-act", "ca-ab-853", "cac-genai-label",
 ]);
 
 // "2026-04-27T14-00-00-123Z-a8f30b21" — atomicFile.pathTimestamp() form

package/lib/compliance.js

@@ -72,7 +72,10 @@ var KNOWN_POSTURES = Object.freeze([
   "dora",        // EU Digital Operational Resilience Act
   "nis2",        // EU Network and Information Security Directive 2 (added 2026)
   "cra",         // EU Cyber Resilience Act (added 2026)
-  "ai-act",      // EU AI Act (added 2026)
+  "ai-act",      // EU AI Act (added 2026 — legacy short name)
+  "eu-ai-act",   // EU AI Act (canonical name; v0.12.26 added with Art. 50 cascade)
+  "ca-ab-853",   // California AB-853 model-generated content watermarking (effective 2026; v0.12.26)
+  "cac-genai-label", // China CAC GenAI Service Measures synthetic-content labelling (v0.12.26)
   // ---- Latin America / APAC ----
   "lgpd-br",     // Brazil Lei Geral de Proteção de Dados (added 2026)
   "pipl-cn",     // China Personal Information Protection Law (added 2026)
@@ -647,6 +650,24 @@ var REGIME_MAP = Object.freeze({
     jurisdiction: "EU",
     domain:     "ai-governance",
   },
+  "eu-ai-act": {
+    name:       "Artificial Intelligence Act",
+    citation:   "Regulation (EU) 2024/1689",
+    jurisdiction: "EU",
+    domain:     "ai-governance",
+  },
+  "ca-ab-853": {
+    name:       "Model-Generated Content Disclosure Act",
+    citation:   "California AB-853 (effective 2026)",
+    jurisdiction: "US-CA",
+    domain:     "ai-governance",
+  },
+  "cac-genai-label": {
+    name:       "Generative AI Service Measures (synthetic-content labelling)",
+    citation:   "China CAC Order; effective 2023-08, 2024 labelling amendment",
+    jurisdiction: "CN",
+    domain:     "ai-governance",
+  },
   "lgpd-br": {
     name:       "Lei Geral de Proteção de Dados",
     citation:   "Lei nº 13.709/2018",
@@ -1294,6 +1315,32 @@ var POSTURE_DEFAULTS = Object.freeze({
   // present as "nyc-ll144"); 2024 amendment adds annual re-audit
   // signing.
   "nyc-ll144-2024":          Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // Regulation (EU) 2024/1689 (EU AI Act) — Art. 50 transparency
+  // obligations enter force 2026-08-02 (v0.12.12 disclosure
+  // primitives). High-risk system providers must audit-chain
+  // every model-training + deployment event (Art. 12 logging) +
+  // sign the chain (Art. 15 cybersecurity / accuracy /
+  // robustness). Vacuum-after-erase covers Art. 50(4) synthetic-
+  // content provenance — when a model-generated image is
+  // erased from a system's storage, the residual EXIF / metadata
+  // entries pointing at the model must be cleared too.
+  "eu-ai-act":               Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // Codex P1 on v0.12.26 PR #177 — the legacy `ai-act` short
+  // name carries the SAME cascade as `eu-ai-act` so deployments
+  // pinned to the legacy alias get the new encryption / audit /
+  // TLS / vacuum floors instead of falling through to null. The
+  // back-compat KNOWN_POSTURES entry exists; the POSTURE_DEFAULTS
+  // row was missing.
+  "ai-act":                  Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // California AB-853 (effective 2026) — model-generated content
+  // watermarking + provenance. Same encryption + audit posture
+  // as eu-ai-act (these regimes line up); requireVacuumAfterErase
+  // tracks the erase-of-watermarked-content invariant.
+  "ca-ab-853":               Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // China CAC Generative AI Service Measures (effective 2023-08;
+  // 2024 mandatory-labelling amendment). Synthetic-content
+  // labelling per Art. 12 + algorithm filing per Art. 4.
+  "cac-genai-label":         Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
 });
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.25",
+  "version": "0.12.26",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:aa862c44-8a5c-4f04-a375-88786c3e2443",
+  "serialNumber": "urn:uuid:f16ae992-0fc9-4ad6-b05b-b6dfd629e058",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-24T10:04:34.547Z",
+    "timestamp": "2026-05-24T10:57:05.537Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.25",
+      "bom-ref": "@blamejs/core@0.12.26",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.25",
+      "version": "0.12.26",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.25",
+      "purl": "pkg:npm/%40blamejs/core@0.12.26",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.25",
+      "ref": "@blamejs/core@0.12.26",
       "dependsOn": []
     }
   ]