@blamejs/core 0.13.5 → 0.13.6

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.6 (2026-05-26) — **`b.ai.frontierModelProtocol` — California SB 53 frontier-AI obligations.** b.ai.frontierModelProtocol assesses a developer's obligations under California's Transparency in Frontier Artificial Intelligence Act — SB 53, Cal. Bus. & Prof. Code §22757.10, effective 2026-01-01 — from a model's training compute and the developer's revenue. It reports whether the model crosses the frontier threshold (more than 10^26 training FLOPs), whether the developer is a large frontier developer (prior-year revenue, with affiliates, above $500M), and the resulting obligations: every frontier developer must report critical safety incidents and publish a transparency report, and a large frontier developer must additionally publish an annual safety framework and disclose its catastrophic-risk assessment. Passing a candidate safety framework reports which required elements (risk identification, mitigation, governance, cybersecurity, standards alignment) are missing. b.ai.frontierModelProtocol.incidentReport validates a critical-incident type against the Act's four categories and computes the notification deadline to the California Office of Emergency Services — 15 days from discovery, or 24 hours when there is an imminent risk of death or serious physical injury. The ca-tfaia compliance posture was already in the catalog. **Added:** *`b.ai.frontierModelProtocol` — SB 53 threshold classification, obligations, and incident reporting* — `b.ai.frontierModelProtocol({ trainingFlops, annualRevenueUsd, framework? })` returns `isFrontierModel`, `isLargeFrontierDeveloper`, the `obligations` list, and (when a framework is supplied) its `frameworkGaps`. `b.ai.frontierModelProtocol.incidentReport({ type, discoveredAt, imminentRiskToLife? })` builds a critical-safety-incident report with the California OES recipient and a `dueAt` / `deadlineHours` computed from the 15-day (or 24-hour imminent-risk) statutory window; `type` must be one of the four categories in `INCIDENT_TYPES`. Throws `FrontierProtocolError` on malformed input.
+
 - v0.13.5 (2026-05-26) — **`b.ai.aedtBiasAudit` — NYC Local Law 144 bias audit.** b.ai.aedtBiasAudit computes the bias-audit figures New York City Local Law 144 requires before an Automated Employment Decision Tool may screen candidates (NYC Admin. Code §20-870 et seq.; DCWP rules 6 RCNY §5-300). Given the per-category counts an independent auditor collected — selected/total for a pass-fail tool, or scored-above-the-overall-median/total for a continuous-score tool — it returns the selection (or scoring) rate, the impact ratio (each group's rate divided by the most-selected group's rate), and an adverse-impact flag (impact ratio below the EEOC four-fifths threshold of 0.8) for every group, across the sex, race/ethnicity, and intersectional dimensions, plus the most-selected group per dimension and an overall flag. Categories under 2% of the audited data are marked excluded per DCWP discretion. It is a pure calculation that produces exactly the figures the annual published summary must contain — the law mandates the calculation, not any particular remediation. The relevant compliance postures (nyc-ll144, and ca-tfaia for California SB 53) were already in the catalog. **Added:** *`b.ai.aedtBiasAudit` — Local Law 144 selection/scoring rates and four-fifths impact ratios* — `b.ai.aedtBiasAudit({ type, metadata, categories, minCategoryShare? })` where `type` is `"selection"` (group entries `{ selected, total }`) or `"scoring"` (`{ scoredAboveMedian, total }`). Returns per-group rate, impact ratio, and `adverseImpact` flag across the `sex`, `raceEthnicity`, and `intersectional` dimensions, plus the most-selected group per dimension and an `anyAdverseImpact` summary. Categories below `minCategoryShare` (2% default) are excluded from the impact-ratio basis. Throws `AedtBiasAuditError` on malformed input.
 
 - v0.13.4 (2026-05-26) — **`b.crdt` — conflict-free replicated data types.** b.crdt adds state-based Conflict-free Replicated Data Types: data structures that independent replicas update without coordination and still converge to the same value once they have exchanged state. Each type's merge is a join over a semilattice — commutative, associative, and idempotent — so replicas can merge in any order, any number of times, and agree, which makes these the substrate for active/active cluster state, offline-first clients that reconcile on reconnect, and eventually-consistent counters, sets, and maps. The release ships the full state-based family: grow-only and positive-negative counters (gCounter / pnCounter), grow-only, two-phase, and observed-remove sets (gSet / twoPSet / orSet), a last-write-wins register (lwwRegister), and an observed-remove map (orMap). Every type exposes the same contract — local mutators, merge(other) that returns a converged instance without mutating either operand, value() for the materialized value, and state() / fromState() for a JSON-serializable form to snapshot via b.archive or b.backup or ship to a peer — and carries a replicaId so per-replica contributions stay distinct. **Added:** *`b.crdt` — state-based CvRDT counters, sets, register, and map* — `b.crdt.gCounter` / `pnCounter` (grow-only and increment/decrement counters), `b.crdt.gSet` / `twoPSet` / `orSet` (grow-only, two-phase, and observed-remove sets — `orSet` supports re-add and resolves a concurrent add-vs-remove as add-wins), `b.crdt.lwwRegister` (last-write-wins with a deterministic replicaId tie-break), and `b.crdt.orMap` (observed-remove keys with last-write-wins values). Each exposes `merge` / `value` / `state` / `fromState` and converges by the CvRDT laws. `orSet` and `orMap` accept `tombstoneRetention` to bound tombstone memory against a remove flood.

package/README.md

@@ -190,6 +190,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **AI usage quotas** — per-tenant / per-model budgets metered by tokens / requests / cost-usd / compute-hours over calendar-aligned windows, with an atomic conditional reserve (no charge-then-refund race) + hard/soft/warn enforcement and an optional cross-node store; defends OWASP LLM10:2025 unbounded consumption / denial-of-wallet (`b.ai.quota`)
 - **AI capability routing** — model-capability registry (context window / modalities / tool use / reasoning tier / cost rates) + a router that picks the cheapest model satisfying a request's requirements, refusing capability mismatches before the inference call (NIST AI RMF MAP + Model Cards); composes with `b.ai.quota` cost budgets (`b.ai.capability`)
 - **AEDT bias audit** — NYC Local Law 144 bias-audit figures (`b.ai.aedtBiasAudit`): selection / scoring rates and EEOC four-fifths-rule impact ratios across sex, race/ethnicity, and their intersection, with the most-selected group and adverse-impact flags (impact ratio < 0.8) for the annual published summary; sub-2% categories excludable per DCWP §5-301
+- **Frontier AI protocol** — California SB 53 (Transparency in Frontier AI Act) obligations (`b.ai.frontierModelProtocol`): classify the frontier-model (>10²⁶ training FLOPs) and large-frontier-developer (>$500M revenue) thresholds, enumerate the resulting obligations, check a safety framework for required elements, and build a critical-safety-incident report with the 15-day / 24-hour California OES notification deadline (`.incidentReport`)
 ### Compliance regimes
 
 - **Posture coordinator** — `b.compliance` cascades operator-declared regime into retention / audit / db / cryptoField via POSTURE_DEFAULTS:

package/index.js

@@ -478,6 +478,7 @@ module.exports = {
     capability:      require("./lib/ai-capability"),
     dp:              require("./lib/ai-dp"),
     aedtBiasAudit:   require("./lib/ai-aedt-bias-audit"),
+    frontierModelProtocol: require("./lib/ai-frontier-protocol"),
   },
   promisePool:      require("./lib/promise-pool"),
   sdNotify:         require("./lib/sd-notify"),

package/lib/ai-frontier-protocol.js

@@ -0,0 +1,196 @@
+"use strict";
+/**
+ * @module b.ai.frontierModelProtocol
+ * @nav    Compliance
+ * @title  Frontier AI Protocol
+ *
+ * @intro
+ *   Assess a developer's obligations under California's Transparency in
+ *   Frontier Artificial Intelligence Act — SB 53, Cal. Bus. & Prof. Code
+ *   §22757.10 et seq., signed 2025-09-29 and effective 2026-01-01 — and build
+ *   the critical-safety-incident report the law requires. SB 53 attaches
+ *   obligations by two thresholds: a <em>frontier model</em> is one trained
+ *   with more than 10<sup>26</sup> floating-point operations (including
+ *   cumulative fine-tuning), and a <em>large frontier developer</em> is a
+ *   frontier developer whose annual revenue, with affiliates, exceeded
+ *   $500,000,000 in the prior calendar year. Frontier developers must report
+ *   critical safety incidents; large frontier developers must additionally
+ *   publish an annual frontier-AI safety framework.
+ *
+ *   <code>frontierModelProtocol(opts)</code> takes the model's training compute
+ *   and the developer's revenue and returns which thresholds are crossed and
+ *   the resulting obligations, optionally checking that a supplied safety
+ *   framework carries the elements the Act expects (risk identification,
+ *   mitigation, governance, cybersecurity, and alignment with a recognized
+ *   standard such as the NIST AI RMF or ISO/IEC 42001).
+ *   <code>frontierModelProtocol.incidentReport(opts)</code> validates a
+ *   critical-incident type against the Act's four definitions and computes the
+ *   notification deadline: a routine report goes to the California Office of
+ *   Emergency Services within 15 days of discovery; an imminent risk of death
+ *   or serious physical injury is reported to an applicable authority within 24
+ *   hours.
+ *
+ * @card
+ *   California SB 53 frontier-AI protocol (`b.ai.frontierModelProtocol`) —
+ *   classify frontier-model / large-developer thresholds (10²⁶ FLOPs, $500M
+ *   revenue), enumerate obligations, and build the critical-safety-incident
+ *   report with the 15-day / 24-hour OES notification deadline.
+ */
+
+var C = require("./constants");
+var { defineClass } = require("./framework-error");
+
+var FrontierProtocolError = defineClass("FrontierProtocolError", { alwaysPermanent: true });
+
+// SB 53 thresholds.
+var FRONTIER_FLOP_THRESHOLD = 1e26;          // > 10^26 training FLOPs → frontier model
+var LARGE_DEVELOPER_REVENUE_USD = 5e8;       // > $500,000,000 prior-year revenue → large developer
+var INCIDENT_DEADLINE_MS = C.TIME.days(15);  // report to CA OES within 15 days of discovery
+var IMMINENT_DEADLINE_MS = C.TIME.hours(24); // within 24 hours if imminent risk to life
+
+// The four critical safety incident categories (Cal. Bus. & Prof. Code §22757.10).
+var CRITICAL_INCIDENT_TYPES = {
+  "weights-exfiltration-harm":         "Unauthorized access, modification, or exfiltration of frontier-model weights resulting in death or bodily injury",
+  "catastrophic-risk-materialization": "Harm resulting from the materialization of a catastrophic risk (including loss of life or property from a dangerous capability)",
+  "loss-of-control-harm":              "Loss of control of a frontier model causing death or bodily injury",
+  "deceptive-control-subversion":      "A frontier model using deceptive techniques to subvert developer controls, demonstrating materially increased catastrophic risk",
+};
+
+// Elements a large frontier developer's published safety framework must address.
+var REQUIRED_FRAMEWORK_ELEMENTS = ["riskIdentification", "riskMitigation", "governance", "cybersecurity", "standardsAlignment"];
+
+function _posNum(v, label) {
+  if (typeof v !== "number" || !isFinite(v) || v < 0) throw new FrontierProtocolError("frontier/bad-value", "frontierModelProtocol: " + label + " must be a non-negative finite number");
+  return v;
+}
+
+/**
+ * @primitive  b.ai.frontierModelProtocol
+ * @signature  b.ai.frontierModelProtocol(opts)
+ * @since      0.13.6
+ * @status     stable
+ * @compliance ca-tfaia, soc2
+ * @related    b.ai.aedtBiasAudit, b.ai.disclosure.applyAll
+ *
+ * Determine SB 53 obligations from a model's training compute and the
+ * developer's revenue. Returns <code>isFrontierModel</code> (training FLOPs
+ * above 10<sup>26</sup>), <code>isLargeFrontierDeveloper</code> (a frontier
+ * developer with revenue above $500M), and the resulting
+ * <code>obligations</code>. When <code>framework</code> is supplied, its
+ * required elements are checked and reported in <code>frameworkGaps</code>.
+ * Throws <code>FrontierProtocolError</code> on malformed input.
+ *
+ * @opts
+ *   trainingFlops:    number,   // total training FLOPs incl. fine-tuning (required)
+ *   annualRevenueUsd: number,   // developer prior-year revenue with affiliates (default: 0)
+ *   framework:        object,   // optional safety framework to check for required elements
+ *
+ * @example
+ *   var p = b.ai.frontierModelProtocol({ trainingFlops: 5e26, annualRevenueUsd: 1e9 });
+ *   p.isFrontierModel;           // → true
+ *   p.isLargeFrontierDeveloper;  // → true
+ *   p.obligations;               // → ["report-critical-safety-incidents", "publish-annual-safety-framework", ...]
+ */
+function frontierModelProtocol(opts) {
+  opts = opts || {};
+  if (typeof opts !== "object") throw new FrontierProtocolError("frontier/bad-opts", "frontierModelProtocol: opts must be an object");
+  var allowed = { trainingFlops: 1, annualRevenueUsd: 1, framework: 1 };
+  Object.keys(opts).forEach(function (k) { if (!allowed[k]) throw new FrontierProtocolError("frontier/bad-opts", "frontierModelProtocol: unknown option '" + k + "'"); });
+
+  var flops = _posNum(opts.trainingFlops, "trainingFlops");
+  var revenue = opts.annualRevenueUsd != null ? _posNum(opts.annualRevenueUsd, "annualRevenueUsd") : 0;
+
+  var isFrontierModel = flops > FRONTIER_FLOP_THRESHOLD;
+  var isLargeFrontierDeveloper = isFrontierModel && revenue > LARGE_DEVELOPER_REVENUE_USD;
+
+  var obligations = [];
+  if (isFrontierModel) {
+    obligations.push("report-critical-safety-incidents");
+    obligations.push("publish-transparency-report");
+  }
+  if (isLargeFrontierDeveloper) {
+    obligations.push("publish-annual-safety-framework");
+    obligations.push("disclose-catastrophic-risk-assessment");
+  }
+
+  var out = {
+    isFrontierModel: isFrontierModel,
+    isLargeFrontierDeveloper: isLargeFrontierDeveloper,
+    thresholds: { frontierFlops: FRONTIER_FLOP_THRESHOLD, largeDeveloperRevenueUsd: LARGE_DEVELOPER_REVENUE_USD },
+    obligations: obligations,
+  };
+
+  if (opts.framework != null) {
+    if (typeof opts.framework !== "object") throw new FrontierProtocolError("frontier/bad-value", "frontierModelProtocol: framework must be an object");
+    var gaps = REQUIRED_FRAMEWORK_ELEMENTS.filter(function (el) { return !opts.framework[el]; });
+    out.frameworkGaps = gaps;
+    out.frameworkComplete = gaps.length === 0;
+  }
+  return out;
+}
+
+/**
+ * @primitive  b.ai.frontierModelProtocol.incidentReport
+ * @signature  b.ai.frontierModelProtocol.incidentReport(opts)
+ * @since      0.13.6
+ * @status     stable
+ * @compliance ca-tfaia, soc2
+ * @related    b.ai.frontierModelProtocol, b.ai.aedtBiasAudit
+ *
+ * Build a critical-safety-incident report and compute its notification
+ * deadline to the California Office of Emergency Services. <code>type</code>
+ * must be one of the Act's four categories; <code>discoveredAt</code> is when
+ * the incident was discovered. The deadline is 15 days from discovery, or 24
+ * hours when <code>imminentRiskToLife</code> is set. Returns the structured
+ * report with <code>dueAt</code> and <code>deadlineHours</code>. Throws
+ * <code>FrontierProtocolError</code> on an unknown type or bad timestamp.
+ *
+ * @opts
+ *   type:               string,   // one of b.ai.frontierModelProtocol.INCIDENT_TYPES (required)
+ *   discoveredAt:       Date,     // discovery time (Date or epoch-ms; default: now)
+ *   imminentRiskToLife: boolean,  // true → 24-hour deadline (default: false → 15 days)
+ *   description:        string,   // free-text incident description (optional)
+ *
+ * @example
+ *   var r = b.ai.frontierModelProtocol.incidentReport({
+ *     type: "loss-of-control-harm", discoveredAt: new Date("2026-06-01T00:00:00Z"),
+ *   });
+ *   r.deadlineHours;   // → 360  (15 days)
+ *   r.recipient;       // → "California Office of Emergency Services"
+ */
+function incidentReport(opts) {
+  opts = opts || {};
+  if (typeof opts !== "object") throw new FrontierProtocolError("frontier/bad-opts", "incidentReport: opts must be an object");
+  if (!CRITICAL_INCIDENT_TYPES[opts.type]) throw new FrontierProtocolError("frontier/bad-incident-type", "incidentReport: type must be one of " + Object.keys(CRITICAL_INCIDENT_TYPES).join(", "));
+
+  var discoveredMs;
+  if (opts.discoveredAt == null) discoveredMs = Date.now();
+  else if (opts.discoveredAt instanceof Date) discoveredMs = opts.discoveredAt.getTime();
+  else discoveredMs = Number(opts.discoveredAt);
+  if (!isFinite(discoveredMs) || discoveredMs < 0) throw new FrontierProtocolError("frontier/bad-value", "incidentReport: discoveredAt must be a Date or non-negative epoch-ms");
+
+  var imminent = opts.imminentRiskToLife === true;
+  var windowMs = imminent ? IMMINENT_DEADLINE_MS : INCIDENT_DEADLINE_MS;
+
+  return {
+    type:               opts.type,
+    typeDescription:    CRITICAL_INCIDENT_TYPES[opts.type],
+    description:        typeof opts.description === "string" ? opts.description : null,
+    imminentRiskToLife: imminent,
+    discoveredAt:       new Date(discoveredMs).toISOString(),
+    dueAt:              new Date(discoveredMs + windowMs).toISOString(),
+    deadlineHours:      windowMs / C.TIME.hours(1),
+    // §22757.13: the routine report goes to OES within 15 days; an imminent
+    // risk of death or serious physical injury is reported to an applicable
+    // authority within 24 hours, which the operator selects for the incident.
+    recipient:          imminent ? "An applicable authority with jurisdiction (e.g. law enforcement or a public-safety agency)" : "California Office of Emergency Services",
+    citation:           "Cal. Bus. & Prof. Code §22757.13 (SB 53)",
+  };
+}
+
+frontierModelProtocol.incidentReport = incidentReport;
+frontierModelProtocol.INCIDENT_TYPES = Object.keys(CRITICAL_INCIDENT_TYPES);
+frontierModelProtocol.REQUIRED_FRAMEWORK_ELEMENTS = REQUIRED_FRAMEWORK_ELEMENTS;
+frontierModelProtocol.FrontierProtocolError = FrontierProtocolError;
+
+module.exports = frontierModelProtocol;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.5",
+  "version": "0.13.6",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:6a334753-7eb6-4d7f-8dbb-f70506773504",
+  "serialNumber": "urn:uuid:4234e2f1-7c10-42c0-8f19-b429101d42d1",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T02:26:01.865Z",
+    "timestamp": "2026-05-27T03:23:03.075Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.5",
+      "bom-ref": "@blamejs/core@0.13.6",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.5",
+      "version": "0.13.6",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.5",
+      "purl": "pkg:npm/%40blamejs/core@0.13.6",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.5",
+      "ref": "@blamejs/core@0.13.6",
       "dependsOn": []
     }
   ]