npm - @blamejs/core - Versions diffs - 0.7.90 → 0.7.92 - Mend

@blamejs/core 0.7.90 → 0.7.92

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.7.x
+- **0.7.92** (2026-05-06) — Retention floors + observability semconv expansion. **`b.retention.complianceFloor(<posture>, candidateMs)`** now recognizes `nis2` (3 years — NIS2 Art. 23 incident reporting), `cra` (5 years — CRA Art. 14 vulnerability handling logs), `lgpd-br` (5 years — Brazil fiscal record minimum + LGPD Art. 16), `appi-jp` (3 years — Japan APPI handler-of-record), `pdpa-sg` (1 year — PDPA breach notification audit trail), and `uk-gdpr` (6 years — UK ICO guidance + statutory limit alignment). `gdpr` continues to have no fixed minimum (Art. 5(1)(e) is "no longer than necessary" — operator-driven). **`b.observability.SEMCONV`** gains RPC attributes (`RPC_SYSTEM` / `RPC_SERVICE` / `RPC_METHOD` / `RPC_GRPC_STATUS_CODE`), additional messaging keys (`MESSAGING_CLIENT_ID` / `MESSAGING_MESSAGE_ID` / `MESSAGING_DESTINATION_PARTITION_ID` / `MESSAGING_BATCH_MESSAGE_COUNT`), network transport (`NETWORK_TRANSPORT` / `NETWORK_CONNECTION_TYPE`), process / runtime identification (`PROCESS_PID` / `PROCESS_RUNTIME_NAME` / `PROCESS_RUNTIME_VERSION`), service identification (`SERVICE_NAME` / `SERVICE_VERSION` / `SERVICE_INSTANCE_ID`), and telemetry SDK self-id (`TELEMETRY_SDK_NAME` / `TELEMETRY_SDK_LANGUAGE` / `TELEMETRY_SDK_VERSION`). Operators wiring the framework's tap into a gRPC-fronted OTel collector or an outbox-fed Kafka topic now reference the canonical attribute names directly without an aliasing table on their side.
+- **0.7.91** (2026-05-06) — Compliance-posture vocabulary expanded + OpenTelemetry semantic-convention attribute table. **`b.compliance.set(<posture>)`** now accepts thirteen new posture names: `wmhmda` (Washington My Health My Data Act), `bipa` (Illinois Biometric Information Privacy Act), `ccpa` (California Consumer Privacy Act), `nis2` (EU NIS2 Directive), `cra` (EU Cyber Resilience Act), `ai-act` (EU AI Act), `lgpd-br` (Brazil LGPD), `pipl-cn` (China PIPL), `appi-jp` (Japan APPI), `pdpa-sg` (Singapore PDPA), `pipeda-ca` (Canada PIPEDA), `uk-gdpr` (UK GDPR). Existing `hipaa` / `pci-dss` / `gdpr` / `soc2` / `dora` / `sox` continue to work. Postures map to per-primitive defaults via the existing compliancePosture opt on guards, retention, dora, etc. — operators set the deployment-wide posture once and primitives that key off it pick up the right defaults. **`b.observability.SEMCONV`** — frozen attribute-name table tracking the OpenTelemetry semantic-convention stable namespace (1.27+). HTTP server attributes (`http.request.method`, `http.response.status_code`, `http.route`, `server.address`, `client.address`), URL (`url.full`, `url.path`, `url.scheme`), database (`db.system`, `db.namespace`, `db.operation.name`, `db.query.text`), messaging (`messaging.system`, `messaging.destination.name`), auth (`user.id`, `session.id`), errors (`error.type`, `exception.type`, `exception.message`). Operators wiring the framework's tap into an OTel SDK reference these constants instead of hand-rolling the names — no aliasing table on the operator side, and string typos throw at access time instead of producing mis-named span attributes that the OTel collector silently drops.
 - **0.7.90** (2026-05-06) — `b.outbox` — transactional outbox primitive for at-least-once event publication without distributed transactions. **`b.outbox.create({ externalDb, table, publisher, ... })`** returns an outbox instance with three core operations: `enqueue(event, txn)` writes the outbox row inside the operator's transaction (using the `txClient` returned by `b.externalDb.transaction`), `start()` spins a polling publisher worker that claims rows via `SELECT ... FOR UPDATE SKIP LOCKED` (Postgres) and dispatches to the operator-supplied async `publisher(event)` callback, `stop()` gracefully shuts the worker down. Failed publishes retry with exponential backoff (`retryBackoff: { initialMs, maxMs, factor }`); rows that exceed `maxAttempts` are marked `'dead'` for operator triage and an `system.outbox.deadletter` audit event fires. Schema is operator-managed: `outbox.declareSchema(externalDb)` runs an idempotent `CREATE TABLE IF NOT EXISTS ... (id, topic, payload, key, headers, enqueued_at, next_attempt_at, published_at, attempts, last_error, status)` + a partial index on `(next_attempt_at) WHERE status = 'pending'`. `pendingCount()` / `deadCount()` expose the queue depth + DLQ depth for operator dashboards. Observability events on every state transition (`outbox.enqueued` / `outbox.published` / `outbox.publish-failed` / `outbox.dead-letter`).
 - **0.7.89** (2026-05-06) — Three additive primitives bundled: TUS resumable uploads, WebAuthn Signal API, DPoP server-issued nonce challenge. **`b.middleware.tusUpload({ mountPath, store, ... })`** implements the [tus.io](https://tus.io) v1.0.0 resumable-upload protocol — POST creates uploads, HEAD reports offsets, PATCH appends chunks, DELETE terminates. Supported extensions: `creation`, `creation-with-upload`, `expiration`, `checksum`, `termination`. The `checksum` extension defaults to PQC-first algorithms (`sha3-512`, `shake256`) — operators add classical algorithms explicitly via `checksumAlgorithms`. A built-in `b.middleware.tusUpload.memoryStore({ maxSize })` ships for development; production operators implement the `{ create, head, append, setLength, terminate, purgeExpired, getBuffer }` shape against their object-store backend. Bounded chunk collection routes through `safeBuffer.boundedChunkCollector` (cap-enforced at push time, no 10-GiB pre-collect). Concatenation extension (parallel-chunk assembly) deferred — operators that need it compose against their store layer; re-open if a store-layer-only solution proves insufficient. **`b.auth.passkey.signalUnknownCredential` / `signalAllAcceptedCredentials` / `signalCurrentUserDetails`** add the W3C WebAuthn Signal API descriptor builders — when the browser implements `PublicKeyCredential.signal*`, operators emit the matching JSON descriptor to clean up stale passkeys, refresh user details, and surface revocations without forcing a re-registration. All three validate `rpId` / `userId` / `credentialId` shape (base64url) and refuse `name`/`displayName` longer than 256 chars. **`b.middleware.dpop({ requireNonce: true, nonceRotateSec? })`** implements RFC 9449 §8 server-issued DPoP-Nonce challenge — the middleware emits `DPoP-Nonce: <fresh>` on every 401 response, refuses proofs whose `nonce` claim isn't in the rolling current+previous pair, and refreshes the nonce on every successful response. The rolling-pair manager rotates without timers (lazy maybe-rotate on access); no operator nonce store needed. The `getNonce` callback path stays intact for operator-managed nonce flows.

package/lib/compliance.js CHANGED Viewed

@@ -38,7 +38,29 @@ var audit = lazyRequire(function () { return require("./audit"); });
 // passing an unknown name get a typo-surfacing throw at set-time, not
 // silent fall-through to no-op.
 var KNOWN_POSTURES = Object.freeze([
-  "hipaa", "pci-dss", "gdpr", "soc2", "dora", "sox",
+  // ---- US Federal / Sectoral ----
+  "hipaa",       // Health Insurance Portability and Accountability Act
+  "pci-dss",     // Payment Card Industry Data Security Standard
+  "soc2",        // System and Organization Controls 2
+  "sox",         // Sarbanes-Oxley
+  "wmhmda",      // Washington My Health My Data Act (added 2026)
+  "bipa",        // Illinois Biometric Information Privacy Act (added 2026)
+  // ---- US State Privacy ----
+  "ccpa",        // California Consumer Privacy Act / CPRA (added 2026)
+  // ---- EU / EEA ----
+  "gdpr",        // General Data Protection Regulation
+  "dora",        // EU Digital Operational Resilience Act
+  "nis2",        // EU Network and Information Security Directive 2 (added 2026)
+  "cra",         // EU Cyber Resilience Act (added 2026)
+  "ai-act",      // EU AI Act (added 2026)
+  // ---- Latin America / APAC ----
+  "lgpd-br",     // Brazil Lei Geral de Proteção de Dados (added 2026)
+  "pipl-cn",     // China Personal Information Protection Law (added 2026)
+  "appi-jp",     // Japan Act on Protection of Personal Information (added 2026)
+  "pdpa-sg",     // Singapore Personal Data Protection Act (added 2026)
+  // ---- Canada / UK ----
+  "pipeda-ca",   // Canada Personal Information Protection and Electronic Documents Act (added 2026)
+  "uk-gdpr",     // UK General Data Protection Regulation (added 2026)
 ]);
 var STATE = { posture: null, setAt: null };

package/lib/observability.js CHANGED Viewed

@@ -143,9 +143,89 @@ function safeEvent(name, value, labels) {
   catch (_e) { /* hot-path observability sink — drops silent on internal throws */ }
 }
+// OpenTelemetry semantic-convention attribute names — the operator-
+// facing canonical vocabulary the framework's b.observability /
+// b.tracing / b.metrics emitters use when building span / metric
+// attributes. Tracking the OTel semconv stable namespace (1.27+)
+// directly here means operators wiring the framework's tap into an
+// OTel SDK don't need to maintain an aliasing table — the names are
+// already correct.
+//
+// When operators call b.observability.event() / safeEvent(), they
+// pass attribute keys that should match the keys below. The map is
+// frozen — adding a new attribute requires a release.
+//
+// Reference: https://opentelemetry.io/docs/specs/semconv/general/attributes/
+var SEMCONV = Object.freeze({
+  // HTTP server (stable per OTel semconv)
+  HTTP_REQUEST_METHOD:        "http.request.method",
+  HTTP_REQUEST_BODY_SIZE:     "http.request.body.size",
+  HTTP_RESPONSE_STATUS_CODE:  "http.response.status_code",
+  HTTP_RESPONSE_BODY_SIZE:    "http.response.body.size",
+  HTTP_ROUTE:                 "http.route",
+  // Server / network
+  SERVER_ADDRESS:             "server.address",
+  SERVER_PORT:                "server.port",
+  CLIENT_ADDRESS:             "client.address",
+  CLIENT_PORT:                "client.port",
+  NETWORK_PEER_ADDRESS:       "network.peer.address",
+  NETWORK_PROTOCOL_NAME:      "network.protocol.name",
+  NETWORK_PROTOCOL_VERSION:   "network.protocol.version",
+  // URL
+  URL_FULL:                   "url.full",
+  URL_PATH:                   "url.path",
+  URL_QUERY:                  "url.query",
+  URL_SCHEME:                 "url.scheme",
+  // User agent
+  USER_AGENT_ORIGINAL:        "user_agent.original",
+  // Database
+  DB_SYSTEM:                  "db.system",
+  DB_NAMESPACE:               "db.namespace",
+  DB_OPERATION_NAME:          "db.operation.name",
+  DB_QUERY_TEXT:              "db.query.text",
+  // Messaging
+  MESSAGING_SYSTEM:           "messaging.system",
+  MESSAGING_OPERATION:        "messaging.operation",
+  MESSAGING_DESTINATION_NAME: "messaging.destination.name",
+  // Auth / session
+  USER_ID:                    "user.id",
+  SESSION_ID:                 "session.id",
+  // Errors
+  ERROR_TYPE:                 "error.type",
+  EXCEPTION_TYPE:             "exception.type",
+  EXCEPTION_MESSAGE:          "exception.message",
+  EXCEPTION_STACKTRACE:       "exception.stacktrace",
+  // RPC
+  RPC_SYSTEM:                 "rpc.system",
+  RPC_SERVICE:                "rpc.service",
+  RPC_METHOD:                 "rpc.method",
+  RPC_GRPC_STATUS_CODE:       "rpc.grpc.status_code",
+  // Messaging — additional client/server attrs
+  MESSAGING_CLIENT_ID:                "messaging.client.id",
+  MESSAGING_MESSAGE_ID:               "messaging.message.id",
+  MESSAGING_DESTINATION_PARTITION_ID: "messaging.destination.partition.id",
+  MESSAGING_BATCH_MESSAGE_COUNT:      "messaging.batch.message_count",
+  // Network — transport / connection state
+  NETWORK_TRANSPORT:          "network.transport",
+  NETWORK_CONNECTION_TYPE:    "network.connection.type",
+  // Process / runtime
+  PROCESS_PID:                "process.pid",
+  PROCESS_RUNTIME_NAME:       "process.runtime.name",
+  PROCESS_RUNTIME_VERSION:    "process.runtime.version",
+  // Service identification
+  SERVICE_NAME:               "service.name",
+  SERVICE_VERSION:             "service.version",
+  SERVICE_INSTANCE_ID:        "service.instance.id",
+  // Telemetry SDK self-identification
+  TELEMETRY_SDK_NAME:         "telemetry.sdk.name",
+  TELEMETRY_SDK_LANGUAGE:     "telemetry.sdk.language",
+  TELEMETRY_SDK_VERSION:      "telemetry.sdk.version",
+});
 module.exports = {
   tap:        tap,
   event:      event,
   safeEvent:  safeEvent,
   setTap:     setTap,
+  SEMCONV:    SEMCONV,
 };

package/lib/retention.js CHANGED Viewed

@@ -445,11 +445,17 @@ function create(opts) {
 //   SOC 2 (CC1–CC9)              — 1 year typical; auditor-driven
 //   DORA Art. 17 (incident logs) — 5 years
 var COMPLIANCE_RETENTION_FLOOR_MS = Object.freeze({
-  "pci-dss":  C.TIME.days(365),       // 12 months
-  "hipaa":    C.TIME.days(365 * 6),   // 6 years
-  "sox":      C.TIME.days(365 * 7),   // 7 years
-  "soc2":     C.TIME.days(365),       // 1 year
-  "dora":     C.TIME.days(365 * 5),   // 5 years (Article 17 incident logs)
+  "pci-dss":  C.TIME.days(365),        // 12 months — PCI-DSS §10.7.1
+  "hipaa":    C.TIME.days(365 * 6),    // 6 years — 45 CFR §164.316(b)(2)(i)
+  "sox":      C.TIME.days(365 * 7),    // 7 years — Sarbanes-Oxley §802
+  "soc2":     C.TIME.days(365),        // 1 year — typical SOC 2 audit window
+  "dora":     C.TIME.days(365 * 5),    // 5 years — DORA Article 17 incident logs
+  "nis2":     C.TIME.days(365 * 3),    // 3 years — NIS2 Art. 23 incident reporting
+  "cra":      C.TIME.days(365 * 5),    // 5 years — CRA Art. 14 vulnerability handling logs
+  "lgpd-br":  C.TIME.days(365 * 5),    // 5 years — Brazil LGPD Art. 16 + fiscal-record minimum
+  "appi-jp":  C.TIME.days(365 * 3),    // 3 years — Japan APPI handler-of-record requirement
+  "pdpa-sg":  C.TIME.days(365 * 1),    // 1 year — PDPA breach-notification audit trail
+  "uk-gdpr":  C.TIME.days(365 * 6),    // 6 years — UK ICO guidance, statutory limit alignment
 });
 // Operator passes a posture name + a candidate ttlMs; returns the

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.90",
+  "version": "0.7.92",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:ea6013b4-0103-48ac-8789-54d7054c2b77",
+  "serialNumber": "urn:uuid:3879cfe5-c335-4b6c-9133-99b33bbd5666",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T07:47:56.714Z",
+    "timestamp": "2026-05-06T08:05:33.048Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.90",
+      "bom-ref": "@blamejs/core@0.7.92",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.90",
+      "version": "0.7.92",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.90",
+      "purl": "pkg:npm/%40blamejs/core@0.7.92",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.90",
+      "ref": "@blamejs/core@0.7.92",
       "dependsOn": []
     }
   ]