@blamejs/core 0.13.4 → 0.13.5

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.5 (2026-05-26) — **`b.ai.aedtBiasAudit` — NYC Local Law 144 bias audit.** b.ai.aedtBiasAudit computes the bias-audit figures New York City Local Law 144 requires before an Automated Employment Decision Tool may screen candidates (NYC Admin. Code §20-870 et seq.; DCWP rules 6 RCNY §5-300). Given the per-category counts an independent auditor collected — selected/total for a pass-fail tool, or scored-above-the-overall-median/total for a continuous-score tool — it returns the selection (or scoring) rate, the impact ratio (each group's rate divided by the most-selected group's rate), and an adverse-impact flag (impact ratio below the EEOC four-fifths threshold of 0.8) for every group, across the sex, race/ethnicity, and intersectional dimensions, plus the most-selected group per dimension and an overall flag. Categories under 2% of the audited data are marked excluded per DCWP discretion. It is a pure calculation that produces exactly the figures the annual published summary must contain — the law mandates the calculation, not any particular remediation. The relevant compliance postures (nyc-ll144, and ca-tfaia for California SB 53) were already in the catalog. **Added:** *`b.ai.aedtBiasAudit` — Local Law 144 selection/scoring rates and four-fifths impact ratios* — `b.ai.aedtBiasAudit({ type, metadata, categories, minCategoryShare? })` where `type` is `"selection"` (group entries `{ selected, total }`) or `"scoring"` (`{ scoredAboveMedian, total }`). Returns per-group rate, impact ratio, and `adverseImpact` flag across the `sex`, `raceEthnicity`, and `intersectional` dimensions, plus the most-selected group per dimension and an `anyAdverseImpact` summary. Categories below `minCategoryShare` (2% default) are excluded from the impact-ratio basis. Throws `AedtBiasAuditError` on malformed input.
+
 - v0.13.4 (2026-05-26) — **`b.crdt` — conflict-free replicated data types.** b.crdt adds state-based Conflict-free Replicated Data Types: data structures that independent replicas update without coordination and still converge to the same value once they have exchanged state. Each type's merge is a join over a semilattice — commutative, associative, and idempotent — so replicas can merge in any order, any number of times, and agree, which makes these the substrate for active/active cluster state, offline-first clients that reconcile on reconnect, and eventually-consistent counters, sets, and maps. The release ships the full state-based family: grow-only and positive-negative counters (gCounter / pnCounter), grow-only, two-phase, and observed-remove sets (gSet / twoPSet / orSet), a last-write-wins register (lwwRegister), and an observed-remove map (orMap). Every type exposes the same contract — local mutators, merge(other) that returns a converged instance without mutating either operand, value() for the materialized value, and state() / fromState() for a JSON-serializable form to snapshot via b.archive or b.backup or ship to a peer — and carries a replicaId so per-replica contributions stay distinct. **Added:** *`b.crdt` — state-based CvRDT counters, sets, register, and map* — `b.crdt.gCounter` / `pnCounter` (grow-only and increment/decrement counters), `b.crdt.gSet` / `twoPSet` / `orSet` (grow-only, two-phase, and observed-remove sets — `orSet` supports re-add and resolves a concurrent add-vs-remove as add-wins), `b.crdt.lwwRegister` (last-write-wins with a deterministic replicaId tie-break), and `b.crdt.orMap` (observed-remove keys with last-write-wins values). Each exposes `merge` / `value` / `state` / `fromState` and converges by the CvRDT laws. `orSet` and `orMap` accept `tombstoneRetention` to bound tombstone memory against a remove flood.
 
 - v0.13.3 (2026-05-26) — **`b.crypto.xwing` — X-Wing hybrid post-quantum KEM.** b.crypto.xwing adds the X-Wing hybrid key-encapsulation mechanism (draft-connolly-cfrg-xwing-kem): it runs ML-KEM-768 and X25519 side by side and binds their shared secrets with SHA3-256, so an encapsulated key stays secure as long as either ML-KEM-768 or X25519 holds. That is the conservative shape for moving off classical ECDH today — a harvest-now-decrypt-later attacker must break the lattice KEM, and a hypothetical ML-KEM break still leaves X25519 standing. keygen() produces a 32-byte decapsulation seed and a 1216-byte public key; encapsulate(publicKey) returns a 1120-byte ciphertext and a 32-byte shared secret; decapsulate(secretKey, ciphertext) recovers it. The X-Wing combiner is frozen, but its specification is still an IETF Internet-Draft, so this primitive is marked experimental and sits beside the existing pre-RFC post-quantum HPKE drafts; it composes the framework's vendored ML-KEM-768 and X25519 with SHA3 and adds no new cryptographic core. The combiner is known-answer-tested byte-for-byte against the draft's definition. **Added:** *`b.crypto.xwing` — X-Wing hybrid PQ/T KEM (experimental)* — `keygen(seed?)` → `{ publicKey (1216 B), secretKey (32-byte seed) }`; `encapsulate(publicKey, eseed?)` → `{ ciphertext (1120 B), sharedSecret (32 B) }`; `decapsulate(secretKey, ciphertext)` → the 32-byte shared secret. Both `keygen` and `encapsulate` accept an optional seed for deterministic operation. The combiner — `SHA3-256(ssMLKEM ‖ ssX25519 ‖ ctX25519 ‖ pkX25519 ‖ label)` — is exposed as `combiner` for advanced use. Marked `experimental` while draft-connolly-cfrg-xwing-kem remains an Internet-Draft; the algorithm itself is frozen.

package/README.md

@@ -189,6 +189,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Content provenance** — C2PA 2.1 + California SB-942 / AB-853 manifest builder for AI-generated media (provider, model id + version, timestamp, content ID, signed) (`b.contentCredentials`)
 - **AI usage quotas** — per-tenant / per-model budgets metered by tokens / requests / cost-usd / compute-hours over calendar-aligned windows, with an atomic conditional reserve (no charge-then-refund race) + hard/soft/warn enforcement and an optional cross-node store; defends OWASP LLM10:2025 unbounded consumption / denial-of-wallet (`b.ai.quota`)
 - **AI capability routing** — model-capability registry (context window / modalities / tool use / reasoning tier / cost rates) + a router that picks the cheapest model satisfying a request's requirements, refusing capability mismatches before the inference call (NIST AI RMF MAP + Model Cards); composes with `b.ai.quota` cost budgets (`b.ai.capability`)
+- **AEDT bias audit** — NYC Local Law 144 bias-audit figures (`b.ai.aedtBiasAudit`): selection / scoring rates and EEOC four-fifths-rule impact ratios across sex, race/ethnicity, and their intersection, with the most-selected group and adverse-impact flags (impact ratio < 0.8) for the annual published summary; sub-2% categories excludable per DCWP §5-301
 ### Compliance regimes
 
 - **Posture coordinator** — `b.compliance` cascades operator-declared regime into retention / audit / db / cryptoField via POSTURE_DEFAULTS:

package/index.js

@@ -477,6 +477,7 @@ module.exports = {
     quota:           require("./lib/ai-quota"),
     capability:      require("./lib/ai-capability"),
     dp:              require("./lib/ai-dp"),
+    aedtBiasAudit:   require("./lib/ai-aedt-bias-audit"),
   },
   promisePool:      require("./lib/promise-pool"),
   sdNotify:         require("./lib/sd-notify"),

package/lib/ai-aedt-bias-audit.js

@@ -0,0 +1,180 @@
+"use strict";
+/**
+ * @module b.ai.aedtBiasAudit
+ * @nav    Compliance
+ * @title  AEDT Bias Audit
+ *
+ * @intro
+ *   Compute the bias-audit statistics New York City Local Law 144 requires
+ *   before an Automated Employment Decision Tool (AEDT) may be used to screen
+ *   candidates or employees. The law (NYC Admin. Code §20-870 et seq., in force
+ *   since 2023-07-05; DCWP rules 6 RCNY §5-300 et seq.) requires an independent
+ *   annual audit that reports, for each demographic category, the rate at which
+ *   the tool selects (or scores above the median for) that group and the
+ *   <em>impact ratio</em> — that group's rate divided by the rate of the
+ *   most-selected group. An impact ratio below the four-fifths (0.8) threshold
+ *   from the EEOC Uniform Guidelines flags potential adverse impact; the law
+ *   requires the number to be calculated and published, not any particular
+ *   remediation.
+ *
+ *   The audit is computed across three dimensions: sex, race/ethnicity, and
+ *   the intersection of the two, using the EEOC categories. Categories that
+ *   make up less than 2% of the audited data may be excluded from the impact-
+ *   ratio calculation at the auditor's discretion (DCWP §5-301). This primitive
+ *   takes the per-category counts — selected/total for a pass-fail tool, or
+ *   scored-above-the-overall-median/total for a continuous-score tool — and
+ *   returns the selection (or scoring) rate, impact ratio, and adverse-impact
+ *   flag per group, plus the most-selected group and an overall flag. It is a
+ *   pure calculation: the operator supplies the data an independent auditor
+ *   collected, and gets back the figures the published summary must contain.
+ *
+ * @card
+ *   NYC Local Law 144 AEDT bias audit (`b.ai.aedtBiasAudit`) — selection /
+ *   scoring rates and four-fifths-rule impact ratios across sex, race/ethnicity,
+ *   and their intersection, with the most-selected group and adverse-impact
+ *   flags for the published audit summary.
+ */
+
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var AedtBiasAuditError = defineClass("AedtBiasAuditError", { alwaysPermanent: true });
+
+var FOUR_FIFTHS = 4 / 5;         // EEOC Uniform Guidelines four-fifths adverse-impact threshold
+var DEFAULT_MIN_SHARE = 0.02;    // DCWP §5-301 — categories under 2% may be excluded
+var DIMENSIONS = ["sex", "raceEthnicity", "intersectional"];
+
+function _str(v, label) {
+  if (typeof v !== "string" || v.length === 0) throw new AedtBiasAuditError("aedt/bad-metadata", "aedtBiasAudit: metadata." + label + " must be a non-empty string");
+  return v;
+}
+function _count(v, label) {
+  if (typeof v !== "number" || !isFinite(v) || v < 0 || Math.floor(v) !== v) throw new AedtBiasAuditError("aedt/bad-count", "aedtBiasAudit: " + label + " must be a non-negative integer");
+  return v;
+}
+
+// Reduce one dimension's per-group counts to the LL-144 figures.
+function _auditDimension(groups, type, minShare) {
+  var names = Object.keys(groups);
+  var rows = [];
+  var dimensionTotal = 0;
+  var numeratorKey = type === "scoring" ? "scoredAboveMedian" : "selected";
+
+  names.forEach(function (name) {
+    var g = groups[name];
+    if (!g || typeof g !== "object") throw new AedtBiasAuditError("aedt/bad-count", "aedtBiasAudit: group '" + name + "' must be an object with " + numeratorKey + " + total");
+    var total = _count(g.total, name + ".total");
+    var num = _count(g[numeratorKey], name + "." + numeratorKey);
+    if (num > total) throw new AedtBiasAuditError("aedt/bad-count", "aedtBiasAudit: " + name + "." + numeratorKey + " (" + num + ") exceeds total (" + total + ")");
+    dimensionTotal += total;
+    rows.push({ category: name, total: total, _num: num, rate: total === 0 ? 0 : num / total });
+  });
+
+  // Exclude sub-threshold categories (auditor discretion), then find the
+  // most-selected group among those that remain.
+  var maxRate = 0;
+  var mostSelected = null;
+  rows.forEach(function (r) {
+    r.share = dimensionTotal === 0 ? 0 : r.total / dimensionTotal;
+    r.excluded = dimensionTotal > 0 && r.share < minShare;
+    if (!r.excluded && r.rate > maxRate) { maxRate = r.rate; mostSelected = r.category; }
+  });
+
+  rows.forEach(function (r) {
+    r.impactRatio = (r.excluded || maxRate === 0) ? null : r.rate / maxRate;
+    r.adverseImpact = r.impactRatio !== null && r.impactRatio < FOUR_FIFTHS;
+    delete r._num;
+  });
+  // Stable order: highest rate first, then category name.
+  rows.sort(function (a, b) { return b.rate - a.rate || (a.category < b.category ? -1 : a.category > b.category ? 1 : 0); });
+  return { rows: rows, mostSelected: mostSelected };
+}
+
+/**
+ * @primitive  b.ai.aedtBiasAudit
+ * @signature  b.ai.aedtBiasAudit(opts)
+ * @since      0.13.5
+ * @status     stable
+ * @compliance nyc-ll144, soc2
+ * @related    b.ai.disclosure.applyAll, b.ai.disclosure.chatbot
+ *
+ * Compute the NYC Local Law 144 bias-audit figures from per-category counts.
+ * <code>type</code> is <code>"selection"</code> for a pass-fail tool (each
+ * group entry is <code>{ selected, total }</code>) or <code>"scoring"</code>
+ * for a continuous-score tool (<code>{ scoredAboveMedian, total }</code>, where
+ * the count is candidates scoring above the <em>overall</em> median). Returns
+ * the selection/scoring rate, impact ratio (group rate ÷ most-selected group's
+ * rate), and an <code>adverseImpact</code> flag (impact ratio &lt; 0.8) per
+ * group, across the <code>sex</code>, <code>raceEthnicity</code>, and
+ * <code>intersectional</code> dimensions, plus the most-selected group per
+ * dimension. Categories under <code>minCategoryShare</code> (2% by default) are
+ * marked <code>excluded</code> and left out of the impact-ratio basis. Throws
+ * <code>AedtBiasAuditError</code> on malformed input. The result is the data an
+ * employer must publish; the law mandates the calculation, not any remediation.
+ *
+ * @opts
+ *   type:             string,   // "selection" | "scoring" (required)
+ *   metadata:         object,   // { tool, auditor, auditDate, distributionDate? } (tool/auditor/auditDate required)
+ *   categories:       object,   // { sex?, raceEthnicity?, intersectional? } → { <group>: { selected|scoredAboveMedian, total } }
+ *   minCategoryShare: number,   // default: 0.02 (DCWP §5-301 — sub-2% categories may be excluded)
+ *
+ * @example
+ *   var report = b.ai.aedtBiasAudit({
+ *     type: "selection",
+ *     metadata: { tool: "ResumeRanker v3", auditor: "Acme Audit LLC", auditDate: "2026-05-26" },
+ *     categories: { sex: { Male: { selected: 60, total: 100 }, Female: { selected: 42, total: 100 } } },
+ *   });
+ *   report.results.sex[1].impactRatio;   // → 0.7  (Female: 42% / 60%)
+ *   report.results.sex[1].adverseImpact; // → true (below the 0.8 four-fifths threshold)
+ */
+function aedtBiasAudit(opts) {
+  opts = opts || {};
+  // Surface an unknown/typoed option as this primitive's own error type rather
+  // than the generic Error validateOpts throws, so the malformed-input contract
+  // (AedtBiasAuditError / e.code) holds for every bad-config path.
+  try { validateOpts(opts, ["type", "metadata", "categories", "minCategoryShare"], "aedtBiasAudit"); }
+  catch (e) { throw new AedtBiasAuditError("aedt/bad-opts", e && e.message || "aedtBiasAudit: invalid options"); }
+  if (opts.type !== "selection" && opts.type !== "scoring") throw new AedtBiasAuditError("aedt/bad-type", "aedtBiasAudit: type must be 'selection' or 'scoring'");
+
+  var md = opts.metadata || {};
+  var metadata = {
+    tool:             _str(md.tool, "tool"),
+    auditor:          _str(md.auditor, "auditor"),
+    auditDate:        _str(md.auditDate, "auditDate"),
+    distributionDate: md.distributionDate != null ? _str(md.distributionDate, "distributionDate") : null,
+  };
+
+  var minShare = opts.minCategoryShare != null ? opts.minCategoryShare : DEFAULT_MIN_SHARE;
+  if (typeof minShare !== "number" || !isFinite(minShare) || minShare < 0 || minShare >= 1) throw new AedtBiasAuditError("aedt/bad-share", "aedtBiasAudit: minCategoryShare must be a number in [0, 1)");
+
+  var cats = opts.categories || {};
+  var present = DIMENSIONS.filter(function (d) { return cats[d] && typeof cats[d] === "object" && Object.keys(cats[d]).length > 0; });
+  if (present.length === 0) throw new AedtBiasAuditError("aedt/no-categories", "aedtBiasAudit: at least one of sex / raceEthnicity / intersectional must carry group counts");
+
+  var results = {};
+  var mostSelected = {};
+  var adverseImpactGroups = [];
+  present.forEach(function (dim) {
+    var out = _auditDimension(cats[dim], opts.type, minShare);
+    results[dim] = out.rows;
+    mostSelected[dim] = out.mostSelected;
+    out.rows.forEach(function (r) { if (r.adverseImpact) adverseImpactGroups.push({ dimension: dim, category: r.category, impactRatio: r.impactRatio }); });
+  });
+
+  return {
+    type:     opts.type,
+    metadata: metadata,
+    results:  results,
+    summary:  {
+      mostSelected:        mostSelected,
+      adverseImpactGroups: adverseImpactGroups,
+      anyAdverseImpact:    adverseImpactGroups.length > 0,
+      fourFifthsThreshold: FOUR_FIFTHS,
+    },
+  };
+}
+
+aedtBiasAudit.FOUR_FIFTHS = FOUR_FIFTHS;
+aedtBiasAudit.AedtBiasAuditError = AedtBiasAuditError;
+
+module.exports = aedtBiasAudit;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.4",
+  "version": "0.13.5",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:832111fb-8b91-4fb8-bb5f-c491bae476c5",
+  "serialNumber": "urn:uuid:6a334753-7eb6-4d7f-8dbb-f70506773504",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T01:19:38.243Z",
+    "timestamp": "2026-05-27T02:26:01.865Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.4",
+      "bom-ref": "@blamejs/core@0.13.5",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.4",
+      "version": "0.13.5",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.4",
+      "purl": "pkg:npm/%40blamejs/core@0.13.5",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.4",
+      "ref": "@blamejs/core@0.13.5",
       "dependsOn": []
     }
   ]