@blamejs/core 0.13.6 → 0.13.7

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.7 (2026-05-26) — **Documentation accuracy — several primitives described shipped features as deferred.** A documentation sweep corrected primitive descriptions that still called features deferred after they shipped, so the wiki and inline docs now match the code. b.mdoc documents that device authentication (the ISO 18013-5 §9.1.3 signature variant, verifyDeviceAuth) is verified, not deferred — only the COSE_Mac0 device-auth variant remains refused. b.network.dns.dnssec documents that the root-to-zone chain walk against the IANA trust anchors (verifyChain) and NSEC / NSEC3 denial of existence (verifyDenial / nsec3Hash) ship, where the card previously said they were deferred. b.cose lists COSE_Mac0 and COSE_Encrypt0 among what it ships. The JMAP server documents its push channel, blob upload/download, and EmailSubmission handlers as present, and the submission server documents CHUNKING / BDAT as supported. A new test detector keeps this class of drift from recurring: it fails the build when a comment promises a feature lands in a version that has already shipped. **Fixed:** *Corrected `deferred`/`does-not-ship` docs for features that have shipped* — `b.mdoc` (device authentication, §9.1.3), `b.network.dns.dnssec` (chain walk + NSEC/NSEC3), `b.cose` (COSE_Mac0 + COSE_Encrypt0), the JMAP server (push, blob, EmailSubmission), and the submission server (BDAT/CHUNKING) all carried `@card`/`@intro` text describing shipped capabilities as deferred or not-shipped. The descriptions now match the implemented surface; genuinely-deferred items (the mdoc MAC variant, DNSSEC in-RDATA name canonicalization, COSE multi-signer/multi-recipient) remain documented as such. **Detectors:** *Overdue-defer detector in the codebase-pattern gate* — A new check fails the build when a comment promises a feature "lands in" / is "deferred to" / is "not supported in" a version that the package has already reached — catching stale deferral notes (a feature that shipped but whose comment still says otherwise, or a missed deadline) before they reach a release. An allowlist records the deliberate defer-with-condition exceptions.
+
 - v0.13.6 (2026-05-26) — **`b.ai.frontierModelProtocol` — California SB 53 frontier-AI obligations.** b.ai.frontierModelProtocol assesses a developer's obligations under California's Transparency in Frontier Artificial Intelligence Act — SB 53, Cal. Bus. & Prof. Code §22757.10, effective 2026-01-01 — from a model's training compute and the developer's revenue. It reports whether the model crosses the frontier threshold (more than 10^26 training FLOPs), whether the developer is a large frontier developer (prior-year revenue, with affiliates, above $500M), and the resulting obligations: every frontier developer must report critical safety incidents and publish a transparency report, and a large frontier developer must additionally publish an annual safety framework and disclose its catastrophic-risk assessment. Passing a candidate safety framework reports which required elements (risk identification, mitigation, governance, cybersecurity, standards alignment) are missing. b.ai.frontierModelProtocol.incidentReport validates a critical-incident type against the Act's four categories and computes the notification deadline to the California Office of Emergency Services — 15 days from discovery, or 24 hours when there is an imminent risk of death or serious physical injury. The ca-tfaia compliance posture was already in the catalog. **Added:** *`b.ai.frontierModelProtocol` — SB 53 threshold classification, obligations, and incident reporting* — `b.ai.frontierModelProtocol({ trainingFlops, annualRevenueUsd, framework? })` returns `isFrontierModel`, `isLargeFrontierDeveloper`, the `obligations` list, and (when a framework is supplied) its `frameworkGaps`. `b.ai.frontierModelProtocol.incidentReport({ type, discoveredAt, imminentRiskToLife? })` builds a critical-safety-incident report with the California OES recipient and a `dueAt` / `deadlineHours` computed from the 15-day (or 24-hour imminent-risk) statutory window; `type` must be one of the four categories in `INCIDENT_TYPES`. Throws `FrontierProtocolError` on malformed input.
 
 - v0.13.5 (2026-05-26) — **`b.ai.aedtBiasAudit` — NYC Local Law 144 bias audit.** b.ai.aedtBiasAudit computes the bias-audit figures New York City Local Law 144 requires before an Automated Employment Decision Tool may screen candidates (NYC Admin. Code §20-870 et seq.; DCWP rules 6 RCNY §5-300). Given the per-category counts an independent auditor collected — selected/total for a pass-fail tool, or scored-above-the-overall-median/total for a continuous-score tool — it returns the selection (or scoring) rate, the impact ratio (each group's rate divided by the most-selected group's rate), and an adverse-impact flag (impact ratio below the EEOC four-fifths threshold of 0.8) for every group, across the sex, race/ethnicity, and intersectional dimensions, plus the most-selected group per dimension and an overall flag. Categories under 2% of the audited data are marked excluded per DCWP discretion. It is a pure calculation that produces exactly the figures the annual published summary must contain — the law mandates the calculation, not any particular remediation. The relevant compliance postures (nyc-ll144, and ca-tfaia for California SB 53) were already in the catalog. **Added:** *`b.ai.aedtBiasAudit` — Local Law 144 selection/scoring rates and four-fifths impact ratios* — `b.ai.aedtBiasAudit({ type, metadata, categories, minCategoryShare? })` where `type` is `"selection"` (group entries `{ selected, total }`) or `"scoring"` (`{ scoredAboveMedian, total }`). Returns per-group rate, impact ratio, and `adverseImpact` flag across the `sex`, `raceEthnicity`, and `intersectional` dimensions, plus the most-selected group per dimension and an `anyAdverseImpact` summary. Categories below `minCategoryShare` (2% default) are excluded from the impact-ratio basis. Throws `AedtBiasAuditError` on malformed input.

package/lib/ai-disclosure.js

@@ -187,9 +187,8 @@ function chatbot(session, opts) {
  * machine-readable manner. This primitive returns the disclosure
  * payload (visible label + structured metadata) the operator wires
  * into the encoder / response pipeline. C2PA manifest emission is
- * deferred to v0.12.21 `b.contentCredentials` — this primitive
- * supplies the label markup and the metadata schema that the C2PA
- * adapter consumes when it lands.
+ * handled by `b.contentCredentials`; this primitive supplies the label
+ * markup and the metadata schema that the C2PA adapter consumes.
  *
  * @opts
  *   contentType:   "image" | "audio" | "video" | "text",        // required

package/lib/archive-tar.js

@@ -56,11 +56,10 @@
  *     - CVE-2024-12905 / CVE-2025-48387 (tar-fs path traversal).
  *     - CVE-2025-4138 / 4330 (Python tarfile data filter bypass).
  *
- *   Out of scope (v1):
+ *   Compression is via `b.archive.gz` composition (tar.gz). Out of scope
+ *   (v1):
  *     - Sparse-file emission (read reconstructs them; write doesn't
  *       produce sparse).
- *     - Compression (tar.gz lands v0.12.9 via `b.archive.gz`
- *       composition).
  *     - BSD-tar extensions beyond pax.
  *
  * @card

package/lib/backup/index.js

@@ -1028,9 +1028,8 @@ module.exports = {
  * Adapter-driven storage backend. Wraps the bundle directory's file
  * tree into per-file key-value pairs routed through an operator-
  * supplied byte-store adapter so backup bundles can land anywhere
- * that exposes the contract (local fs is the v0.12.7 default; tar
- * folding lands v0.12.8, tar.gz v0.12.9, S3/MinIO/Azure/GCS
- * objectStore v0.12.11).
+ * that exposes the contract: local fs (the default), tar / tar.gz
+ * folding, and S3 / MinIO / Azure / GCS objectStore adapters.
  *
  * The adapter contract (small surface; an `fs` implementation is the
  * default + ships in `lib/backup/_adapter-fs.js`):

package/lib/cose.js

@@ -41,9 +41,10 @@
  *   2) listing a header label the verifier does not understand is
  *   refused (RFC 9052 §3.1) — a crit-bypass defense.
  *
- *   v1 ships COSE_Sign1 (single-signer) with an attached payload.
- *   Detached payload, COSE_Sign (multi-signer), COSE_Mac0, and
- *   COSE_Encrypt are deferred-with-condition (operator demand).
+ *   Ships COSE_Sign1 (single-signer, attached payload), COSE_Mac0, and
+ *   COSE_Encrypt0 (single-recipient AEAD). Detached payload, COSE_Sign
+ *   (multi-signer), and COSE_Encrypt (multi-recipient) are
+ *   deferred-with-condition (operator demand).
  *
  * @card
  *   COSE_Sign1 sign / verify (RFC 9052) over the in-tree CBOR codec —

package/lib/mail-server-jmap.js

@@ -95,17 +95,17 @@
  *     - `urn:ietf:params:jmap:error:accountNotFound`
  *     - `urn:ietf:params:jmap:error:serverFail` (opaque last-resort)
  *
+ *   ## Beyond Core + Mail, this also ships
+ *
+ *   - **Push channel (RFC 8887)** — `eventSourceHandler` (SSE) and
+ *     `webSocketHandler` (WebSocket, with `StateChange` push).
+ *   - **Blob upload/download (RFC 8620 §6)** — `uploadHandler` /
+ *     `downloadHandler`, routing uploads through the guard-* family.
+ *   - **EmailSubmission/set (RFC 8621 §7.5)** — `emailSubmissionSetHandler`,
+ *     composing `b.mail.send.deliver`.
+ *
  *   ## What v1 does NOT ship
  *
- *   - **Push channel (SSE + WebSocket per RFC 8887)** — operator wires
- *     `b.sse` or `b.websocket` to the `pushSubscribe` hook. v1.5
- *     bundles a turnkey push handler.
- *   - **Blob upload/download endpoints** — operator wires their own
- *     `/jmap/upload` / `/jmap/download` handlers; the framework
- *     supplies `b.storage` + `b.objectStore` + the guard-* family
- *     for the actual upload path.
- *   - **EmailSubmission (RFC 8621 §7)** — operator wires the bridge
- *     to `b.mail.server.submission`'s outbound agent.
  *   - **Calendars / Contacts (RFC 9610)**, **Sieve (RFC 9404)**,
  *     **MDN (RFC 9007)** — opt-in capabilities.
  *

package/lib/mail-server-submission.js

@@ -79,11 +79,12 @@
  *
  *   - **DKIM signing pre-relay** — operator wires `b.mail.dkim.sign`
  *     in their outbound agent.
- *   - **CHUNKING (BDAT) extension** — RFC 3030 BDAT not yet
- *     supported on submission; clients use DATA instead.
  *   - **Per-actor outbound quota** — operator implements via
  *     `b.dailyByteQuota` against the authenticated actor.
  *
+ *   (CHUNKING / BDAT, RFC 3030, IS supported — advertised in EHLO and
+ *   handled alongside DATA.)
+ *
  *   ## Composition contract
  *
  *   Every gate is a primitive that already exists. Submission listener

package/lib/mdoc.js

@@ -30,22 +30,22 @@
  *   <code>opts.trustAnchorsPem</code> additionally verifies the issuer
  *   certificate chain and its validity at the asserted time.
  *
- *   <strong>Scope.</strong> This is issuer-data authentication
- *   (ISO 18013-5 §9.1.2.4) — the data is genuine and issuer-signed. The
- *   mdoc <em>device authentication</em> half (DeviceSigned / the
- *   SessionTranscript-bound holder-binding proof, §9.1.3) is deferred:
- *   it needs the live session transcript a verifier negotiates, so it is
- *   a presentation-protocol concern rather than a credential check.
- *   Composes <code>b.cose</code> + <code>b.cbor</code>; no new runtime
- *   dependency. Distinct from W3C VCDM (<code>b.vc</code>) and IETF
- *   SD-JWT VC (<code>b.auth.sdJwtVc</code>) — the three credential
- *   ecosystems.
+ *   <strong>Scope.</strong> Two halves are verified: issuer-data
+ *   authentication (ISO 18013-5 §9.1.2.4 — the data is genuine and
+ *   issuer-signed, via <code>verifyIssuerSigned</code>) and mdoc device
+ *   authentication (§9.1.3 — holder binding over the verifier's
+ *   <code>SessionTranscript</code>, via <code>verifyDeviceAuth</code>).
+ *   Device auth covers the COSE_Sign1 signature variant; the COSE_Mac0
+ *   (deviceMac) variant is refused rather than mis-verified. Composes
+ *   <code>b.cose</code> + <code>b.cbor</code>; no new runtime dependency.
+ *   Distinct from W3C VCDM (<code>b.vc</code>) and IETF SD-JWT VC
+ *   (<code>b.auth.sdJwtVc</code>) — the three credential ecosystems.
  *
  * @card
- *   ISO 18013-5 mdoc / mDL issuer-data verification — checks the
- *   COSE_Sign1 IssuerAuth, the MSO validity window, and every disclosed
- *   element's digest against the Mobile Security Object. Composes
- *   b.cose + b.cbor; device-auth holder-binding deferred.
+ *   ISO 18013-5 mdoc / mDL verification — issuer-data (COSE_Sign1
+ *   IssuerAuth, MSO validity window, disclosed-element digests) plus
+ *   device-auth holder binding (§9.1.3 signature variant over the session
+ *   transcript). Composes b.cose + b.cbor.
  */
 
 var nodeCrypto = require("node:crypto");

package/lib/network-dnssec.js

@@ -30,16 +30,18 @@
  *   <code>dnssec/uncanonicalizable-type</code> rather than mis-validated
  *   — the security-critical DNSKEY / DS and the name-free address /
  *   text types (A, AAAA, TXT, …) are fully supported. The recursive
- *   chain-walk (root → TLD → zone), NSEC / NSEC3 denial-of-existence,
- *   and the IANA root trust-anchor bundle are deferred: these primitives
- *   are the per-RRset building blocks a chain-walker composes.
+ *   chain-walk (root → TLD → zone via <code>verifyChain</code> against the
+ *   bundled IANA root trust anchors) and NSEC / NSEC3 denial-of-existence
+ *   (<code>verifyDenial</code> / <code>nsec3Hash</code>) ship alongside the
+ *   per-RRset verification core.
  *
  * @card
- *   Local DNSSEC verification (RFC 4035) — verify an RRSIG over a
- *   canonicalised RRset against a DNSKEY (RSA / ECDSA P-256·P-384 /
- *   Ed25519), plus DS-digest + key-tag. Don't trust the upstream AD bit;
- *   verify the signature. Name-bearing RR types are refused, not
- *   mis-validated; chain-walk + NSEC3 deferred.
+ *   Local DNSSEC verification (RFC 4035 / 4034 / 5155) — verify an RRSIG
+ *   over a canonicalised RRset against a DNSKEY (RSA / ECDSA P-256·P-384 /
+ *   Ed25519) + DS-digest + key-tag, walk the root→zone chain to the IANA
+ *   trust anchors, and check NSEC / NSEC3 denial of existence. Don't trust
+ *   the upstream AD bit; verify the signature. Name-bearing RR types are
+ *   refused, not mis-validated.
  */
 
 var nodeCrypto = require("node:crypto");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.6",
+  "version": "0.13.7",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:4234e2f1-7c10-42c0-8f19-b429101d42d1",
+  "serialNumber": "urn:uuid:22a52afe-2217-4e18-a7a1-15e6a137ec0c",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T03:23:03.075Z",
+    "timestamp": "2026-05-27T04:39:38.785Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.6",
+      "bom-ref": "@blamejs/core@0.13.7",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.6",
+      "version": "0.13.7",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.6",
+      "purl": "pkg:npm/%40blamejs/core@0.13.7",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.6",
+      "ref": "@blamejs/core@0.13.7",
       "dependsOn": []
     }
   ]