@blamejs/core 0.13.3 → 0.13.5

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.5 (2026-05-26) — **`b.ai.aedtBiasAudit` — NYC Local Law 144 bias audit.** b.ai.aedtBiasAudit computes the bias-audit figures New York City Local Law 144 requires before an Automated Employment Decision Tool may screen candidates (NYC Admin. Code §20-870 et seq.; DCWP rules 6 RCNY §5-300). Given the per-category counts an independent auditor collected — selected/total for a pass-fail tool, or scored-above-the-overall-median/total for a continuous-score tool — it returns the selection (or scoring) rate, the impact ratio (each group's rate divided by the most-selected group's rate), and an adverse-impact flag (impact ratio below the EEOC four-fifths threshold of 0.8) for every group, across the sex, race/ethnicity, and intersectional dimensions, plus the most-selected group per dimension and an overall flag. Categories under 2% of the audited data are marked excluded per DCWP discretion. It is a pure calculation that produces exactly the figures the annual published summary must contain — the law mandates the calculation, not any particular remediation. The relevant compliance postures (nyc-ll144, and ca-tfaia for California SB 53) were already in the catalog. **Added:** *`b.ai.aedtBiasAudit` — Local Law 144 selection/scoring rates and four-fifths impact ratios* — `b.ai.aedtBiasAudit({ type, metadata, categories, minCategoryShare? })` where `type` is `"selection"` (group entries `{ selected, total }`) or `"scoring"` (`{ scoredAboveMedian, total }`). Returns per-group rate, impact ratio, and `adverseImpact` flag across the `sex`, `raceEthnicity`, and `intersectional` dimensions, plus the most-selected group per dimension and an `anyAdverseImpact` summary. Categories below `minCategoryShare` (2% default) are excluded from the impact-ratio basis. Throws `AedtBiasAuditError` on malformed input.
+
+- v0.13.4 (2026-05-26) — **`b.crdt` — conflict-free replicated data types.** b.crdt adds state-based Conflict-free Replicated Data Types: data structures that independent replicas update without coordination and still converge to the same value once they have exchanged state. Each type's merge is a join over a semilattice — commutative, associative, and idempotent — so replicas can merge in any order, any number of times, and agree, which makes these the substrate for active/active cluster state, offline-first clients that reconcile on reconnect, and eventually-consistent counters, sets, and maps. The release ships the full state-based family: grow-only and positive-negative counters (gCounter / pnCounter), grow-only, two-phase, and observed-remove sets (gSet / twoPSet / orSet), a last-write-wins register (lwwRegister), and an observed-remove map (orMap). Every type exposes the same contract — local mutators, merge(other) that returns a converged instance without mutating either operand, value() for the materialized value, and state() / fromState() for a JSON-serializable form to snapshot via b.archive or b.backup or ship to a peer — and carries a replicaId so per-replica contributions stay distinct. **Added:** *`b.crdt` — state-based CvRDT counters, sets, register, and map* — `b.crdt.gCounter` / `pnCounter` (grow-only and increment/decrement counters), `b.crdt.gSet` / `twoPSet` / `orSet` (grow-only, two-phase, and observed-remove sets — `orSet` supports re-add and resolves a concurrent add-vs-remove as add-wins), `b.crdt.lwwRegister` (last-write-wins with a deterministic replicaId tie-break), and `b.crdt.orMap` (observed-remove keys with last-write-wins values). Each exposes `merge` / `value` / `state` / `fromState` and converges by the CvRDT laws. `orSet` and `orMap` accept `tombstoneRetention` to bound tombstone memory against a remove flood.
+
 - v0.13.3 (2026-05-26) — **`b.crypto.xwing` — X-Wing hybrid post-quantum KEM.** b.crypto.xwing adds the X-Wing hybrid key-encapsulation mechanism (draft-connolly-cfrg-xwing-kem): it runs ML-KEM-768 and X25519 side by side and binds their shared secrets with SHA3-256, so an encapsulated key stays secure as long as either ML-KEM-768 or X25519 holds. That is the conservative shape for moving off classical ECDH today — a harvest-now-decrypt-later attacker must break the lattice KEM, and a hypothetical ML-KEM break still leaves X25519 standing. keygen() produces a 32-byte decapsulation seed and a 1216-byte public key; encapsulate(publicKey) returns a 1120-byte ciphertext and a 32-byte shared secret; decapsulate(secretKey, ciphertext) recovers it. The X-Wing combiner is frozen, but its specification is still an IETF Internet-Draft, so this primitive is marked experimental and sits beside the existing pre-RFC post-quantum HPKE drafts; it composes the framework's vendored ML-KEM-768 and X25519 with SHA3 and adds no new cryptographic core. The combiner is known-answer-tested byte-for-byte against the draft's definition. **Added:** *`b.crypto.xwing` — X-Wing hybrid PQ/T KEM (experimental)* — `keygen(seed?)` → `{ publicKey (1216 B), secretKey (32-byte seed) }`; `encapsulate(publicKey, eseed?)` → `{ ciphertext (1120 B), sharedSecret (32 B) }`; `decapsulate(secretKey, ciphertext)` → the 32-byte shared secret. Both `keygen` and `encapsulate` accept an optional seed for deterministic operation. The combiner — `SHA3-256(ssMLKEM ‖ ssX25519 ‖ ctX25519 ‖ pkX25519 ‖ label)` — is exposed as `combiner` for advanced use. Marked `experimental` while draft-connolly-cfrg-xwing-kem remains an Internet-Draft; the algorithm itself is frozen.
 
 - v0.13.2 (2026-05-26) — **`b.iabTcf.encode` — write TCF consent strings, and a TC-string timestamp fix.** b.iabTcf gains the encode half of its consent-string codec: b.iabTcf.encode(obj) serialises a parsed object back into an IAB TCF v2 TC string, and b.iabTcf.isValid(tcString) is a total never-throwing validity check. Vendor and purpose collections may be Sets, id arrays, or the parsed sections parseString returns; vendor sections are written with whichever of the bit-field and range forms is smaller, matching the reference CMP encoders, so a parsed string round-trips to an equivalent signal. parseString now fully decodes the Core publisher-restrictions list and the PublisherTC segment's publisher and custom purposes, where it previously reported only the segment's presence. The encoder is verified against the worked-example string in the IAB Tech Lab consent-string specification: it re-encodes that string's Core segment byte-for-byte. This release also fixes a TC-string parsing bug — the bit reader accumulated values with a 32-bit shift, so the 36-bit Created and LastUpdated timestamp fields were silently truncated for any real date; they now decode and round-trip exactly. **Added:** *`b.iabTcf.encode` / `b.iabTcf.isValid`* — `encode(obj)` serialises a TCF object (the shape `parseString` returns) into a TC string — Core plus optional DisclosedVendors, AllowedVendors, and PublisherTC segments — choosing the smaller of the bit-field and range vendor encodings. `isValid(tcString)` returns whether a string parses as a well-formed Core segment without throwing. `parseString` now fully decodes Core publisher restrictions and the PublisherTC purposes that were previously reported only as present. **Fixed:** *TC-string 36-bit timestamps were truncated on parse* — `b.iabTcf.parseString` read multi-bit fields with a 32-bit left-shift accumulation. The 36-bit Created and LastUpdated fields hold deciseconds-since-epoch, which exceeds 2^31 for any date after 1976, so those timestamps were silently corrupted. The reader now accumulates without the 32-bit truncation; timestamps decode correctly and round-trip through `encode`.

package/README.md

@@ -189,6 +189,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Content provenance** — C2PA 2.1 + California SB-942 / AB-853 manifest builder for AI-generated media (provider, model id + version, timestamp, content ID, signed) (`b.contentCredentials`)
 - **AI usage quotas** — per-tenant / per-model budgets metered by tokens / requests / cost-usd / compute-hours over calendar-aligned windows, with an atomic conditional reserve (no charge-then-refund race) + hard/soft/warn enforcement and an optional cross-node store; defends OWASP LLM10:2025 unbounded consumption / denial-of-wallet (`b.ai.quota`)
 - **AI capability routing** — model-capability registry (context window / modalities / tool use / reasoning tier / cost rates) + a router that picks the cheapest model satisfying a request's requirements, refusing capability mismatches before the inference call (NIST AI RMF MAP + Model Cards); composes with `b.ai.quota` cost budgets (`b.ai.capability`)
+- **AEDT bias audit** — NYC Local Law 144 bias-audit figures (`b.ai.aedtBiasAudit`): selection / scoring rates and EEOC four-fifths-rule impact ratios across sex, race/ethnicity, and their intersection, with the most-selected group and adverse-impact flags (impact ratio < 0.8) for the annual published summary; sub-2% categories excludable per DCWP §5-301
 ### Compliance regimes
 
 - **Posture coordinator** — `b.compliance` cascades operator-declared regime into retention / audit / db / cryptoField via POSTURE_DEFAULTS:
@@ -232,6 +233,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 ### Production
 
 - **Cluster + scheduling** — cluster leader election with fenced leases over Postgres/SQLite (`b.cluster`); cron + interval scheduler that runs exactly-once globally (`b.scheduler`)
+- **CRDTs** — state-based conflict-free replicated data types (`b.crdt`): grow-only / PN counters, grow-only / two-phase / observed-remove sets, a last-write-wins register, and an observed-remove map; each `merge` is commutative / associative / idempotent so replicas converge with no coordination — the substrate for active/active and offline-first state, with `state()` / `fromState()` for snapshot via `b.archive` / `b.backup`
 - **Reliability** — retry with full-jitter backoff + circuit breaker (`b.retry`); graceful shutdown (`b.appShutdown`); NTP boot check (`b.ntpCheck`)
 - **Transactional integration** — outbox + dedupe-on-receive inbox; exactly-once semantics across Postgres / SQLite (`b.outbox`, `b.inbox`); Debezium-shape change-event envelope on the outbox (`b.outbox.create({ envelope: "debezium" })`)
 - **Backup + restore** — end-to-end-encrypted bundles with pre-flush fail-closed mode + ML-DSA-87 signed manifests + scheduled backup-restore drills (`b.backup`, `b.backup.scheduleTest`, `b.backupBundle.verifyManifestSignature`); restore with pulled-bundle footprint preflight (`b.restore`); disaster-recovery runbook generator (HIPAA / PCI-DSS / GDPR / SOC 2 / DORA postures) (`b.drRunbook`)

package/index.js

@@ -374,6 +374,7 @@ var dualControl = require("./lib/dual-control");
 var retention = require("./lib/retention");
 var legalHold = require("./lib/legal-hold");
 var worm = require("./lib/worm");
+var crdt = require("./lib/crdt");
 var network = require("./lib/network");
 var cloudEvents = require("./lib/cloud-events");
 var dsr = require("./lib/dsr");
@@ -476,6 +477,7 @@ module.exports = {
     quota:           require("./lib/ai-quota"),
     capability:      require("./lib/ai-capability"),
     dp:              require("./lib/ai-dp"),
+    aedtBiasAudit:   require("./lib/ai-aedt-bias-audit"),
   },
   promisePool:      require("./lib/promise-pool"),
   sdNotify:         require("./lib/sd-notify"),
@@ -713,6 +715,7 @@ module.exports = {
   retention:        retention,
   legalHold:        legalHold,
   worm:             worm,
+  crdt:             crdt,
   network:          network,
   cloudEvents:      cloudEvents,
   dsr:              dsr,

package/lib/ai-aedt-bias-audit.js

@@ -0,0 +1,180 @@
+"use strict";
+/**
+ * @module b.ai.aedtBiasAudit
+ * @nav    Compliance
+ * @title  AEDT Bias Audit
+ *
+ * @intro
+ *   Compute the bias-audit statistics New York City Local Law 144 requires
+ *   before an Automated Employment Decision Tool (AEDT) may be used to screen
+ *   candidates or employees. The law (NYC Admin. Code §20-870 et seq., in force
+ *   since 2023-07-05; DCWP rules 6 RCNY §5-300 et seq.) requires an independent
+ *   annual audit that reports, for each demographic category, the rate at which
+ *   the tool selects (or scores above the median for) that group and the
+ *   <em>impact ratio</em> — that group's rate divided by the rate of the
+ *   most-selected group. An impact ratio below the four-fifths (0.8) threshold
+ *   from the EEOC Uniform Guidelines flags potential adverse impact; the law
+ *   requires the number to be calculated and published, not any particular
+ *   remediation.
+ *
+ *   The audit is computed across three dimensions: sex, race/ethnicity, and
+ *   the intersection of the two, using the EEOC categories. Categories that
+ *   make up less than 2% of the audited data may be excluded from the impact-
+ *   ratio calculation at the auditor's discretion (DCWP §5-301). This primitive
+ *   takes the per-category counts — selected/total for a pass-fail tool, or
+ *   scored-above-the-overall-median/total for a continuous-score tool — and
+ *   returns the selection (or scoring) rate, impact ratio, and adverse-impact
+ *   flag per group, plus the most-selected group and an overall flag. It is a
+ *   pure calculation: the operator supplies the data an independent auditor
+ *   collected, and gets back the figures the published summary must contain.
+ *
+ * @card
+ *   NYC Local Law 144 AEDT bias audit (`b.ai.aedtBiasAudit`) — selection /
+ *   scoring rates and four-fifths-rule impact ratios across sex, race/ethnicity,
+ *   and their intersection, with the most-selected group and adverse-impact
+ *   flags for the published audit summary.
+ */
+
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var AedtBiasAuditError = defineClass("AedtBiasAuditError", { alwaysPermanent: true });
+
+var FOUR_FIFTHS = 4 / 5;         // EEOC Uniform Guidelines four-fifths adverse-impact threshold
+var DEFAULT_MIN_SHARE = 0.02;    // DCWP §5-301 — categories under 2% may be excluded
+var DIMENSIONS = ["sex", "raceEthnicity", "intersectional"];
+
+function _str(v, label) {
+  if (typeof v !== "string" || v.length === 0) throw new AedtBiasAuditError("aedt/bad-metadata", "aedtBiasAudit: metadata." + label + " must be a non-empty string");
+  return v;
+}
+function _count(v, label) {
+  if (typeof v !== "number" || !isFinite(v) || v < 0 || Math.floor(v) !== v) throw new AedtBiasAuditError("aedt/bad-count", "aedtBiasAudit: " + label + " must be a non-negative integer");
+  return v;
+}
+
+// Reduce one dimension's per-group counts to the LL-144 figures.
+function _auditDimension(groups, type, minShare) {
+  var names = Object.keys(groups);
+  var rows = [];
+  var dimensionTotal = 0;
+  var numeratorKey = type === "scoring" ? "scoredAboveMedian" : "selected";
+
+  names.forEach(function (name) {
+    var g = groups[name];
+    if (!g || typeof g !== "object") throw new AedtBiasAuditError("aedt/bad-count", "aedtBiasAudit: group '" + name + "' must be an object with " + numeratorKey + " + total");
+    var total = _count(g.total, name + ".total");
+    var num = _count(g[numeratorKey], name + "." + numeratorKey);
+    if (num > total) throw new AedtBiasAuditError("aedt/bad-count", "aedtBiasAudit: " + name + "." + numeratorKey + " (" + num + ") exceeds total (" + total + ")");
+    dimensionTotal += total;
+    rows.push({ category: name, total: total, _num: num, rate: total === 0 ? 0 : num / total });
+  });
+
+  // Exclude sub-threshold categories (auditor discretion), then find the
+  // most-selected group among those that remain.
+  var maxRate = 0;
+  var mostSelected = null;
+  rows.forEach(function (r) {
+    r.share = dimensionTotal === 0 ? 0 : r.total / dimensionTotal;
+    r.excluded = dimensionTotal > 0 && r.share < minShare;
+    if (!r.excluded && r.rate > maxRate) { maxRate = r.rate; mostSelected = r.category; }
+  });
+
+  rows.forEach(function (r) {
+    r.impactRatio = (r.excluded || maxRate === 0) ? null : r.rate / maxRate;
+    r.adverseImpact = r.impactRatio !== null && r.impactRatio < FOUR_FIFTHS;
+    delete r._num;
+  });
+  // Stable order: highest rate first, then category name.
+  rows.sort(function (a, b) { return b.rate - a.rate || (a.category < b.category ? -1 : a.category > b.category ? 1 : 0); });
+  return { rows: rows, mostSelected: mostSelected };
+}
+
+/**
+ * @primitive  b.ai.aedtBiasAudit
+ * @signature  b.ai.aedtBiasAudit(opts)
+ * @since      0.13.5
+ * @status     stable
+ * @compliance nyc-ll144, soc2
+ * @related    b.ai.disclosure.applyAll, b.ai.disclosure.chatbot
+ *
+ * Compute the NYC Local Law 144 bias-audit figures from per-category counts.
+ * <code>type</code> is <code>"selection"</code> for a pass-fail tool (each
+ * group entry is <code>{ selected, total }</code>) or <code>"scoring"</code>
+ * for a continuous-score tool (<code>{ scoredAboveMedian, total }</code>, where
+ * the count is candidates scoring above the <em>overall</em> median). Returns
+ * the selection/scoring rate, impact ratio (group rate ÷ most-selected group's
+ * rate), and an <code>adverseImpact</code> flag (impact ratio &lt; 0.8) per
+ * group, across the <code>sex</code>, <code>raceEthnicity</code>, and
+ * <code>intersectional</code> dimensions, plus the most-selected group per
+ * dimension. Categories under <code>minCategoryShare</code> (2% by default) are
+ * marked <code>excluded</code> and left out of the impact-ratio basis. Throws
+ * <code>AedtBiasAuditError</code> on malformed input. The result is the data an
+ * employer must publish; the law mandates the calculation, not any remediation.
+ *
+ * @opts
+ *   type:             string,   // "selection" | "scoring" (required)
+ *   metadata:         object,   // { tool, auditor, auditDate, distributionDate? } (tool/auditor/auditDate required)
+ *   categories:       object,   // { sex?, raceEthnicity?, intersectional? } → { <group>: { selected|scoredAboveMedian, total } }
+ *   minCategoryShare: number,   // default: 0.02 (DCWP §5-301 — sub-2% categories may be excluded)
+ *
+ * @example
+ *   var report = b.ai.aedtBiasAudit({
+ *     type: "selection",
+ *     metadata: { tool: "ResumeRanker v3", auditor: "Acme Audit LLC", auditDate: "2026-05-26" },
+ *     categories: { sex: { Male: { selected: 60, total: 100 }, Female: { selected: 42, total: 100 } } },
+ *   });
+ *   report.results.sex[1].impactRatio;   // → 0.7  (Female: 42% / 60%)
+ *   report.results.sex[1].adverseImpact; // → true (below the 0.8 four-fifths threshold)
+ */
+function aedtBiasAudit(opts) {
+  opts = opts || {};
+  // Surface an unknown/typoed option as this primitive's own error type rather
+  // than the generic Error validateOpts throws, so the malformed-input contract
+  // (AedtBiasAuditError / e.code) holds for every bad-config path.
+  try { validateOpts(opts, ["type", "metadata", "categories", "minCategoryShare"], "aedtBiasAudit"); }
+  catch (e) { throw new AedtBiasAuditError("aedt/bad-opts", e && e.message || "aedtBiasAudit: invalid options"); }
+  if (opts.type !== "selection" && opts.type !== "scoring") throw new AedtBiasAuditError("aedt/bad-type", "aedtBiasAudit: type must be 'selection' or 'scoring'");
+
+  var md = opts.metadata || {};
+  var metadata = {
+    tool:             _str(md.tool, "tool"),
+    auditor:          _str(md.auditor, "auditor"),
+    auditDate:        _str(md.auditDate, "auditDate"),
+    distributionDate: md.distributionDate != null ? _str(md.distributionDate, "distributionDate") : null,
+  };
+
+  var minShare = opts.minCategoryShare != null ? opts.minCategoryShare : DEFAULT_MIN_SHARE;
+  if (typeof minShare !== "number" || !isFinite(minShare) || minShare < 0 || minShare >= 1) throw new AedtBiasAuditError("aedt/bad-share", "aedtBiasAudit: minCategoryShare must be a number in [0, 1)");
+
+  var cats = opts.categories || {};
+  var present = DIMENSIONS.filter(function (d) { return cats[d] && typeof cats[d] === "object" && Object.keys(cats[d]).length > 0; });
+  if (present.length === 0) throw new AedtBiasAuditError("aedt/no-categories", "aedtBiasAudit: at least one of sex / raceEthnicity / intersectional must carry group counts");
+
+  var results = {};
+  var mostSelected = {};
+  var adverseImpactGroups = [];
+  present.forEach(function (dim) {
+    var out = _auditDimension(cats[dim], opts.type, minShare);
+    results[dim] = out.rows;
+    mostSelected[dim] = out.mostSelected;
+    out.rows.forEach(function (r) { if (r.adverseImpact) adverseImpactGroups.push({ dimension: dim, category: r.category, impactRatio: r.impactRatio }); });
+  });
+
+  return {
+    type:     opts.type,
+    metadata: metadata,
+    results:  results,
+    summary:  {
+      mostSelected:        mostSelected,
+      adverseImpactGroups: adverseImpactGroups,
+      anyAdverseImpact:    adverseImpactGroups.length > 0,
+      fourFifthsThreshold: FOUR_FIFTHS,
+    },
+  };
+}
+
+aedtBiasAudit.FOUR_FIFTHS = FOUR_FIFTHS;
+aedtBiasAudit.AedtBiasAuditError = AedtBiasAuditError;
+
+module.exports = aedtBiasAudit;

package/lib/crdt.js

@@ -0,0 +1,453 @@
+"use strict";
+/**
+ * @module b.crdt
+ * @nav    Data
+ * @title  CRDTs
+ *
+ * @intro
+ *   Conflict-free Replicated Data Types — data structures that several
+ *   replicas can update independently, with no coordination, and still
+ *   converge to the same value once they have all seen each other's state.
+ *   These are the state-based CvRDTs: each type's <code>merge</code> is a
+ *   join over a semilattice, so it is commutative, associative, and
+ *   idempotent — replicas can merge in any order, any number of times, and
+ *   land on the same result. That makes them the substrate for eventually-
+ *   consistent state across an active/active cluster, offline-first clients
+ *   that reconcile on reconnect, or any "last writer need not win, but
+ *   everyone agrees" counter / set / register / map.
+ *
+ *   Every type exposes the same contract: local mutators (e.g.
+ *   <code>inc</code>, <code>add</code>, <code>set</code>),
+ *   <code>merge(other)</code> which returns a new converged instance without
+ *   mutating either operand, <code>value()</code> for the materialized value,
+ *   and <code>state()</code> / <code>fromState()</code> for a JSON-
+ *   serializable form to snapshot (via <code>b.archive</code> /
+ *   <code>b.backup</code>) or ship to a peer. Each replica carries a
+ *   <code>replicaId</code> so per-replica contributions stay distinct.
+ *
+ *   This release covers the state-based family — grow-only and PN counters,
+ *   grow-only / two-phase / observed-remove sets, a last-write-wins register,
+ *   and an observed-remove map. Operation-based sequence CRDTs (RGA), delta-
+ *   state mutators, and a live event-bus replicator are not included; the
+ *   state-based types merge correctly without a causal channel, which is the
+ *   whole point.
+ *
+ * @card
+ *   Conflict-free Replicated Data Types (`b.crdt`) — state-based CvRDT
+ *   counters, sets, a last-write-wins register, and an observed-remove map
+ *   whose `merge` is commutative, associative, and idempotent, so replicas
+ *   converge with no coordination.
+ */
+
+var bCrypto = require("./crypto");
+var safeJson = require("./safe-json");
+var { defineClass } = require("./framework-error");
+
+var CrdtError = defineClass("CrdtError", { alwaysPermanent: true });
+
+function _replicaId(opts) {
+  var id = opts && opts.replicaId;
+  if (id == null) return bCrypto.generateToken(8);   // allow:raw-byte-literal — random replica-id token length
+  if (typeof id !== "string" || id.length === 0) throw new CrdtError("crdt/bad-replica-id", "crdt: replicaId must be a non-empty string");
+  return id;
+}
+function _posInt(n, label) {
+  if (typeof n !== "number" || !isFinite(n) || n < 0 || Math.floor(n) !== n) throw new CrdtError("crdt/bad-value", "crdt: " + label + " must be a non-negative integer");
+  return n;
+}
+function _maxMerge(a, b) {
+  var out = {};
+  var k;
+  for (k in a) if (Object.prototype.hasOwnProperty.call(a, k)) out[k] = a[k];
+  for (k in b) if (Object.prototype.hasOwnProperty.call(b, k)) out[k] = (out[k] === undefined || b[k] > out[k]) ? b[k] : out[k];
+  return out;
+}
+
+/**
+ * @primitive  b.crdt.gCounter
+ * @signature  b.crdt.gCounter(opts?)
+ * @since      0.13.4
+ * @status     stable
+ * @compliance soc2
+ * @related    b.crdt.pnCounter, b.crdt.gSet
+ *
+ * A grow-only counter: each replica tracks its own increment-only tally, and
+ * the value is their sum. <code>merge</code> takes the per-replica maximum, so
+ * it converges no matter the order. Increments only — use
+ * <code>pnCounter</code> when you also need to decrement.
+ *
+ * @opts
+ *   replicaId: string,   // this replica's id (default: random)
+ *
+ * @example
+ *   var a = b.crdt.gCounter({ replicaId: "a" }).inc(3);
+ *   var c = b.crdt.gCounter({ replicaId: "c" }).inc(5);
+ *   a.merge(c).value();   // → 8
+ */
+function gCounter(opts) {
+  opts = opts || {};
+  var replicaId = _replicaId(opts);
+  var counts = {};
+  if (opts._counts) { for (var k in opts._counts) if (Object.prototype.hasOwnProperty.call(opts._counts, k)) counts[k] = opts._counts[k]; }
+
+  return {
+    type: "gCounter",
+    replicaId: replicaId,
+    inc: function (n) { n = n == null ? 1 : _posInt(n, "inc"); counts[replicaId] = (counts[replicaId] || 0) + n; return this; },
+    value: function () { var s = 0; for (var k in counts) if (Object.prototype.hasOwnProperty.call(counts, k)) s += counts[k]; return s; },
+    state: function () { return { type: "gCounter", counts: Object.assign({}, counts) }; },
+    merge: function (other) { return gCounter({ replicaId: replicaId, _counts: _maxMerge(counts, _otherState(other, "gCounter").counts) }); },
+  };
+}
+gCounter.fromState = function (s, opts) { _assertState(s, "gCounter"); return gCounter(Object.assign({}, opts, { _counts: s.counts })); };
+
+/**
+ * @primitive  b.crdt.pnCounter
+ * @signature  b.crdt.pnCounter(opts?)
+ * @since      0.13.4
+ * @status     stable
+ * @compliance soc2
+ * @related    b.crdt.gCounter, b.crdt.lwwRegister
+ *
+ * A positive-negative counter: two grow-only counters (increments and
+ * decrements) whose difference is the value, so it supports both
+ * <code>inc</code> and <code>dec</code> and still converges.
+ *
+ * @opts
+ *   replicaId: string,   // this replica's id (default: random)
+ *
+ * @example
+ *   var a = b.crdt.pnCounter({ replicaId: "a" }).inc(5).dec(2);
+ *   var c = b.crdt.pnCounter({ replicaId: "c" }).inc(1);
+ *   a.merge(c).value();   // → 4
+ */
+function pnCounter(opts) {
+  opts = opts || {};
+  var replicaId = _replicaId(opts);
+  var p = gCounter({ replicaId: replicaId, _counts: opts._p });
+  var n = gCounter({ replicaId: replicaId, _counts: opts._n });
+
+  return {
+    type: "pnCounter",
+    replicaId: replicaId,
+    inc: function (by) { p.inc(by); return this; },
+    dec: function (by) { n.inc(by); return this; },
+    value: function () { return p.value() - n.value(); },
+    state: function () { return { type: "pnCounter", p: p.state().counts, n: n.state().counts }; },
+    merge: function (other) {
+      var o = _otherState(other, "pnCounter");
+      return pnCounter({ replicaId: replicaId, _p: _maxMerge(p.state().counts, o.p), _n: _maxMerge(n.state().counts, o.n) });
+    },
+  };
+}
+pnCounter.fromState = function (s, opts) { _assertState(s, "pnCounter"); return pnCounter(Object.assign({}, opts, { _p: s.p, _n: s.n })); };
+
+/**
+ * @primitive  b.crdt.gSet
+ * @signature  b.crdt.gSet(opts?)
+ * @since      0.13.4
+ * @status     stable
+ * @compliance soc2
+ * @related    b.crdt.twoPSet, b.crdt.orSet
+ *
+ * A grow-only set: elements can be added but never removed; <code>merge</code>
+ * is set union. The simplest convergent set — reach for <code>orSet</code>
+ * when removal is needed. Elements may be strings or JSON-serializable values.
+ *
+ * @opts
+ *   replicaId: string,   // this replica's id (default: random)
+ *
+ * @example
+ *   var a = b.crdt.gSet().add("x");
+ *   var c = b.crdt.gSet().add("y");
+ *   a.merge(c).value();   // → ["x", "y"]
+ */
+function gSet(opts) {
+  opts = opts || {};
+  var replicaId = _replicaId(opts);
+  var els = new Set(opts._els || []);
+
+  return {
+    type: "gSet",
+    replicaId: replicaId,
+    add: function (x) { els.add(_key(x)); return this; },
+    has: function (x) { return els.has(_key(x)); },
+    value: function () { return _decodeKeys(els); },
+    state: function () { return { type: "gSet", els: Array.from(els) }; },
+    merge: function (other) { var o = _otherState(other, "gSet"); var u = new Set(els); o.els.forEach(function (e) { u.add(e); }); return gSet({ replicaId: replicaId, _els: u }); },
+  };
+}
+gSet.fromState = function (s, opts) { _assertState(s, "gSet"); return gSet(Object.assign({}, opts, { _els: s.els })); };
+
+/**
+ * @primitive  b.crdt.twoPSet
+ * @signature  b.crdt.twoPSet(opts?)
+ * @since      0.13.4
+ * @status     stable
+ * @compliance soc2
+ * @related    b.crdt.gSet, b.crdt.orSet
+ *
+ * A two-phase set: an add-set and a remove-set (tombstones). An element can be
+ * added and removed, but once removed it can never be re-added — remove wins
+ * permanently. When re-adding must work, use <code>orSet</code>.
+ *
+ * @opts
+ *   replicaId: string,   // this replica's id (default: random)
+ *
+ * @example
+ *   var s = b.crdt.twoPSet().add("a").add("b").remove("a");
+ *   s.value();   // → ["b"]
+ */
+function twoPSet(opts) {
+  opts = opts || {};
+  var replicaId = _replicaId(opts);
+  var adds = new Set(opts._adds || []);
+  var removes = new Set(opts._removes || []);
+
+  return {
+    type: "twoPSet",
+    replicaId: replicaId,
+    add: function (x) { adds.add(_key(x)); return this; },
+    remove: function (x) { var k = _key(x); if (adds.has(k)) removes.add(k); return this; },
+    has: function (x) { var k = _key(x); return adds.has(k) && !removes.has(k); },
+    value: function () { var live = new Set(); adds.forEach(function (k) { if (!removes.has(k)) live.add(k); }); return _decodeKeys(live); },
+    state: function () { return { type: "twoPSet", adds: Array.from(adds), removes: Array.from(removes) }; },
+    merge: function (other) {
+      var o = _otherState(other, "twoPSet");
+      var a = new Set(adds), r = new Set(removes);
+      o.adds.forEach(function (e) { a.add(e); });
+      o.removes.forEach(function (e) { r.add(e); });
+      return twoPSet({ replicaId: replicaId, _adds: a, _removes: r });
+    },
+  };
+}
+twoPSet.fromState = function (s, opts) { _assertState(s, "twoPSet"); return twoPSet(Object.assign({}, opts, { _adds: s.adds, _removes: s.removes })); };
+
+/**
+ * @primitive  b.crdt.orSet
+ * @signature  b.crdt.orSet(opts?)
+ * @since      0.13.4
+ * @status     stable
+ * @compliance soc2
+ * @related    b.crdt.gSet, b.crdt.twoPSet, b.crdt.orMap
+ *
+ * An observed-remove set: each add stamps a unique tag, and remove tombstones
+ * the tags it has observed for that element, so an element survives if any
+ * concurrent add was not seen by the remove — re-adding works, and a
+ * concurrent add-vs-remove resolves add-wins. <code>tombstoneRetention</code>
+ * optionally caps the tombstone set to bound memory against a remove flood; it
+ * drops the oldest tombstones, which can resurrect a concurrently-removed
+ * element, so leave it unset unless that trade-off is acceptable.
+ *
+ * Each add stamps a unique tag; remove tombstones the tags currently observed
+ * for that element. An element is present if it has a live (un-tombstoned) tag.
+ *
+ * @opts
+ *   replicaId:          string,   // this replica's id (default: random)
+ *   tombstoneRetention: number,   // optional cap on retained tombstones (default: unbounded)
+ *
+ * @example
+ *   var a = b.crdt.orSet().add("x");
+ *   var c = b.crdt.orSet.fromState(a.state()).add("x");  // re-add elsewhere
+ *   a.remove("x");
+ *   a.merge(c).value();   // → ["x"]  (concurrent re-add survives)
+ */
+function orSet(opts) {
+  opts = opts || {};
+  var replicaId = _replicaId(opts);
+  var tombstoneRetention = opts.tombstoneRetention;
+  if (tombstoneRetention != null) _posInt(tombstoneRetention, "tombstoneRetention");
+  // elems: key -> array of tags ; tombstones: Set of removed tags
+  var elems = {};
+  if (opts._elems) { for (var k in opts._elems) if (Object.prototype.hasOwnProperty.call(opts._elems, k)) elems[k] = opts._elems[k].slice(); }
+  var tombstones = new Set(opts._tombstones || []);
+  var seq = 0;
+
+  function _tag() { return replicaId + ":" + (++seq) + ":" + bCrypto.generateToken(4); }
+  function _liveTags(key) { return (elems[key] || []).filter(function (t) { return !tombstones.has(t); }); }
+  function _gcTombstones() {
+    if (tombstoneRetention == null || tombstones.size <= tombstoneRetention) return;
+    // Bounded-memory tradeoff (opt-in): drop oldest tombstones. Documented to
+    // possibly resurrect a concurrently-removed element — full causal GC ships
+    // with the replicator slice.
+    var arr = Array.from(tombstones);
+    tombstones = new Set(arr.slice(arr.length - tombstoneRetention));
+  }
+
+  return {
+    type: "orSet",
+    replicaId: replicaId,
+    add: function (x) { var key = _key(x); (elems[key] = elems[key] || []).push(_tag()); return this; },
+    remove: function (x) { var key = _key(x); _liveTags(key).forEach(function (t) { tombstones.add(t); }); _gcTombstones(); return this; },
+    has: function (x) { return _liveTags(_key(x)).length > 0; },
+    value: function () { var live = []; for (var key in elems) if (Object.prototype.hasOwnProperty.call(elems, key) && _liveTags(key).length > 0) live.push(key); return _decodeKeys(new Set(live)); },
+    state: function () { var e = {}; for (var key in elems) if (Object.prototype.hasOwnProperty.call(elems, key)) e[key] = elems[key].slice(); return { type: "orSet", elems: e, tombstones: Array.from(tombstones) }; },
+    merge: function (other) {
+      var o = _otherState(other, "orSet");
+      var e = {};
+      var key;
+      for (key in elems) if (Object.prototype.hasOwnProperty.call(elems, key)) e[key] = elems[key].slice();
+      for (key in o.elems) if (Object.prototype.hasOwnProperty.call(o.elems, key)) {
+        var merged = (e[key] || []).concat(o.elems[key]);
+        e[key] = Array.from(new Set(merged));   // union of tags, dedup
+      }
+      var ts = new Set(tombstones);
+      o.tombstones.forEach(function (t) { ts.add(t); });
+      return orSet({ replicaId: replicaId, tombstoneRetention: tombstoneRetention, _elems: e, _tombstones: ts });
+    },
+  };
+}
+orSet.fromState = function (s, opts) { _assertState(s, "orSet"); return orSet(Object.assign({}, opts, { _elems: s.elems, _tombstones: s.tombstones })); };
+
+/**
+ * @primitive  b.crdt.lwwRegister
+ * @signature  b.crdt.lwwRegister(opts?)
+ * @since      0.13.4
+ * @status     stable
+ * @compliance soc2
+ * @related    b.crdt.pnCounter, b.crdt.orMap
+ *
+ * A last-write-wins register: holds a single value with a timestamp;
+ * <code>merge</code> keeps the higher-timestamped write, breaking ties by the
+ * higher <code>replicaId</code> so the outcome is deterministic. Pass an
+ * explicit timestamp to <code>set</code> for a logical clock, or omit it to
+ * use wall-clock milliseconds.
+ *
+ * @opts
+ *   replicaId: string,   // this replica's id (default: random)
+ *
+ * @example
+ *   var a = b.crdt.lwwRegister({ replicaId: "a" }).set("first", 1);
+ *   var c = b.crdt.lwwRegister({ replicaId: "c" }).set("second", 2);
+ *   a.merge(c).value();   // → "second"
+ */
+function lwwRegister(opts) {
+  opts = opts || {};
+  var replicaId = _replicaId(opts);
+  var current = opts._current || { value: null, ts: -1, replicaId: "" };
+
+  function _beats(a, b) { return a.ts > b.ts || (a.ts === b.ts && a.replicaId > b.replicaId); }
+  return {
+    type: "lwwRegister",
+    replicaId: replicaId,
+    set: function (v, ts) { ts = ts == null ? Date.now() : _posInt(ts, "ts"); var cand = { value: v, ts: ts, replicaId: replicaId }; if (_beats(cand, current)) current = cand; return this; },
+    value: function () { return current.value; },
+    timestamp: function () { return current.ts; },
+    state: function () { return { type: "lwwRegister", current: { value: current.value, ts: current.ts, replicaId: current.replicaId } }; },
+    merge: function (other) { var o = _otherState(other, "lwwRegister"); var win = _beats(o.current, current) ? o.current : current; return lwwRegister({ replicaId: replicaId, _current: { value: win.value, ts: win.ts, replicaId: win.replicaId } }); },
+  };
+}
+lwwRegister.fromState = function (s, opts) { _assertState(s, "lwwRegister"); return lwwRegister(Object.assign({}, opts, { _current: s.current })); };
+
+/**
+ * @primitive  b.crdt.orMap
+ * @signature  b.crdt.orMap(opts?)
+ * @since      0.13.4
+ * @status     stable
+ * @compliance soc2
+ * @related    b.crdt.orSet, b.crdt.lwwRegister
+ *
+ * An observed-remove map: key presence follows observed-remove-set semantics
+ * (a key can be set, removed, and set again), and each key's value is a
+ * last-write-wins register, so concurrent writes to a live key converge by
+ * timestamp (higher wins, ties by replicaId). Removing a key clears its value
+ * register locally, so a re-add on the same replica starts clean; across
+ * replicas the value is strictly last-write-wins by timestamp — supply
+ * monotonic timestamps (the default wall-clock does) for re-add to win. Keys
+ * are non-empty strings.
+ *
+ * Keys follow OR-Set add/remove semantics; each key's value is an LWW register,
+ * so concurrent writes to the same key converge by last-write-wins.
+ *
+ * @opts
+ *   replicaId: string,   // this replica's id (default: random)
+ *
+ * @example
+ *   var a = b.crdt.orMap({ replicaId: "a" }).set("k", "v1", 1);
+ *   var c = b.crdt.orMap({ replicaId: "c" }).set("k", "v2", 2);
+ *   a.merge(c).value();   // → { k: "v2" }
+ */
+function orMap(opts) {
+  opts = opts || {};
+  var replicaId = _replicaId(opts);
+  var keys = orSet({ replicaId: replicaId, _elems: opts._keyElems, _tombstones: opts._keyTombstones });
+  var vals = {};   // key -> lwwRegister state
+  if (opts._vals) { for (var k in opts._vals) if (Object.prototype.hasOwnProperty.call(opts._vals, k)) vals[k] = opts._vals[k]; }
+
+  function _reg(key) { return lwwRegister.fromState(vals[key] || { type: "lwwRegister", current: { value: null, ts: -1, replicaId: "" } }, { replicaId: replicaId }); }
+  // Keys pass to the OR-Set raw (it encodes internally) and index `vals`
+  // directly, so the materialized value is keyed by the plain string.
+  return {
+    type: "orMap",
+    replicaId: replicaId,
+    set: function (key, v, ts) { key = _mapKey(key); keys.add(key); vals[key] = _reg(key).set(v, ts).state(); return this; },
+    // Removing a key clears its value register, so re-adding the key on this
+    // replica starts from a clean last-write-wins state rather than reusing the
+    // pre-remove value. (Across replicas the value still follows last-write-wins
+    // by timestamp — a concurrent, un-removed higher-timestamped write wins;
+    // making a re-add causally supersede needs vector clocks, which ship with
+    // the replicator slice.)
+    remove: function (key) { key = _mapKey(key); keys.remove(key); delete vals[key]; return this; },
+    has: function (key) { return keys.has(_mapKey(key)); },
+    get: function (key) { key = _mapKey(key); return keys.has(key) ? _reg(key).value() : undefined; },
+    value: function () { var out = {}; keys.value().forEach(function (key) { out[key] = _reg(key).value(); }); return out; },
+    state: function () { var ks = keys.state(); return { type: "orMap", keyElems: ks.elems, keyTombstones: ks.tombstones, vals: Object.assign({}, vals) }; },
+    merge: function (other) {
+      var o = _otherState(other, "orMap");
+      var mergedKeys = keys.merge({ state: function () { return { type: "orSet", elems: o.keyElems, tombstones: o.keyTombstones }; } }).state();
+      var v = {};
+      var key;
+      for (key in vals) if (Object.prototype.hasOwnProperty.call(vals, key)) v[key] = vals[key];
+      for (key in o.vals) if (Object.prototype.hasOwnProperty.call(o.vals, key)) {
+        if (!v[key]) { v[key] = o.vals[key]; }
+        else {
+          var merged = lwwRegister.fromState(v[key], { replicaId: replicaId }).merge({ state: function () { return o.vals[key]; } });
+          v[key] = merged.state();
+        }
+      }
+      return orMap({ replicaId: replicaId, _keyElems: mergedKeys.elems, _keyTombstones: mergedKeys.tombstones, _vals: v });
+    },
+  };
+}
+orMap.fromState = function (s, opts) { _assertState(s, "orMap"); return orMap(Object.assign({}, opts, { _keyElems: s.keyElems, _keyTombstones: s.keyTombstones, _vals: s.vals })); };
+
+// ---- shared helpers --------------------------------------------------------
+
+// Set/map elements are keyed by a reversible string so structured values work.
+function _key(x) {
+  if (typeof x === "string") return "s:" + x;
+  return "j:" + JSON.stringify(x);
+}
+function _mapKey(k) {
+  if (typeof k !== "string" || k.length === 0) throw new CrdtError("crdt/bad-key", "crdt.orMap: keys must be non-empty strings");
+  return k;
+}
+function _decodeKeys(set) {
+  // Sort by the encoded key (a deterministic, unique string for every element,
+  // including structured ones) BEFORE decoding, so the materialized array order
+  // is identical regardless of merge order — structured elements would all
+  // collapse to "[object Object]" if sorted by their decoded value.
+  return Array.from(set).sort().map(function (k) {
+    return k.charAt(0) === "s" ? k.slice(2) : safeJson.parse(k.slice(2));
+  });
+}
+function _otherState(other, expected) {
+  var s = other && typeof other.state === "function" ? other.state() : other;
+  _assertState(s, expected);
+  return s;
+}
+function _assertState(s, expected) {
+  if (!s || typeof s !== "object") throw new CrdtError("crdt/bad-state", "crdt: expected a " + expected + " state object");
+  if (s.type !== expected) throw new CrdtError("crdt/type-mismatch", "crdt: expected a " + expected + " state, got '" + s.type + "'");
+}
+
+module.exports = {
+  gCounter:    gCounter,
+  pnCounter:   pnCounter,
+  gSet:        gSet,
+  twoPSet:     twoPSet,
+  orSet:       orSet,
+  lwwRegister: lwwRegister,
+  orMap:       orMap,
+  CrdtError:   CrdtError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.3",
+  "version": "0.13.5",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:4dae8994-eae5-41f2-9afe-f4d18c950644",
+  "serialNumber": "urn:uuid:6a334753-7eb6-4d7f-8dbb-f70506773504",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T00:14:33.058Z",
+    "timestamp": "2026-05-27T02:26:01.865Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.3",
+      "bom-ref": "@blamejs/core@0.13.5",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.3",
+      "version": "0.13.5",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.3",
+      "purl": "pkg:npm/%40blamejs/core@0.13.5",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.3",
+      "ref": "@blamejs/core@0.13.5",
       "dependsOn": []
     }
   ]