@blamejs/core 0.7.92 → 0.7.93

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.93** (2026-05-06) — Adjacent-regulation incident-reporting deadline reference exported on `b.dora`. **`b.dora.DEADLINES_NIS2`** — NIS2 (Directive (EU) 2022/2555) Art. 23 deadlines: 24h early warning, 72h initial notification, 1 month final report. **`b.dora.DEADLINES_CRA`** — CRA (Regulation (EU) 2024/2847) Art. 14 deadlines: 24h early warning, 72h initial notification, 14 days final report. **`b.dora.DEADLINES_HIPAA_BREACH`** — HIPAA Breach Notification Rule (45 CFR §164.404 / §164.408) deadlines: 60 days for affected individuals, 60 days for HHS Secretary, annual aggregate report by March 1 for sub-500-individual breaches. Operators handling NIS2 / CRA / HIPAA reporting reach for these constants instead of pinning literal hour counts in their workflow code; the values track the regulatory text and update with the framework rather than going stale in operator code. The b.dora factory itself continues to enforce DORA Article 19 deadlines unchanged — operators wiring NIS2 / CRA / HIPAA workflows compose against the deadline constants directly with their own scheduler / submission code.
+
 - **0.7.92** (2026-05-06) — Retention floors + observability semconv expansion. **`b.retention.complianceFloor(<posture>, candidateMs)`** now recognizes `nis2` (3 years — NIS2 Art. 23 incident reporting), `cra` (5 years — CRA Art. 14 vulnerability handling logs), `lgpd-br` (5 years — Brazil fiscal record minimum + LGPD Art. 16), `appi-jp` (3 years — Japan APPI handler-of-record), `pdpa-sg` (1 year — PDPA breach notification audit trail), and `uk-gdpr` (6 years — UK ICO guidance + statutory limit alignment). `gdpr` continues to have no fixed minimum (Art. 5(1)(e) is "no longer than necessary" — operator-driven). **`b.observability.SEMCONV`** gains RPC attributes (`RPC_SYSTEM` / `RPC_SERVICE` / `RPC_METHOD` / `RPC_GRPC_STATUS_CODE`), additional messaging keys (`MESSAGING_CLIENT_ID` / `MESSAGING_MESSAGE_ID` / `MESSAGING_DESTINATION_PARTITION_ID` / `MESSAGING_BATCH_MESSAGE_COUNT`), network transport (`NETWORK_TRANSPORT` / `NETWORK_CONNECTION_TYPE`), process / runtime identification (`PROCESS_PID` / `PROCESS_RUNTIME_NAME` / `PROCESS_RUNTIME_VERSION`), service identification (`SERVICE_NAME` / `SERVICE_VERSION` / `SERVICE_INSTANCE_ID`), and telemetry SDK self-id (`TELEMETRY_SDK_NAME` / `TELEMETRY_SDK_LANGUAGE` / `TELEMETRY_SDK_VERSION`). Operators wiring the framework's tap into a gRPC-fronted OTel collector or an outbox-fed Kafka topic now reference the canonical attribute names directly without an aliasing table on their side.
 
 - **0.7.91** (2026-05-06) — Compliance-posture vocabulary expanded + OpenTelemetry semantic-convention attribute table. **`b.compliance.set(<posture>)`** now accepts thirteen new posture names: `wmhmda` (Washington My Health My Data Act), `bipa` (Illinois Biometric Information Privacy Act), `ccpa` (California Consumer Privacy Act), `nis2` (EU NIS2 Directive), `cra` (EU Cyber Resilience Act), `ai-act` (EU AI Act), `lgpd-br` (Brazil LGPD), `pipl-cn` (China PIPL), `appi-jp` (Japan APPI), `pdpa-sg` (Singapore PDPA), `pipeda-ca` (Canada PIPEDA), `uk-gdpr` (UK GDPR). Existing `hipaa` / `pci-dss` / `gdpr` / `soc2` / `dora` / `sox` continue to work. Postures map to per-primitive defaults via the existing compliancePosture opt on guards, retention, dora, etc. — operators set the deployment-wide posture once and primitives that key off it pick up the right defaults. **`b.observability.SEMCONV`** — frozen attribute-name table tracking the OpenTelemetry semantic-convention stable namespace (1.27+). HTTP server attributes (`http.request.method`, `http.response.status_code`, `http.route`, `server.address`, `client.address`), URL (`url.full`, `url.path`, `url.scheme`), database (`db.system`, `db.namespace`, `db.operation.name`, `db.query.text`), messaging (`messaging.system`, `messaging.destination.name`), auth (`user.id`, `session.id`), errors (`error.type`, `exception.type`, `exception.message`). Operators wiring the framework's tap into an OTel SDK reference these constants instead of hand-rolling the names — no aliasing table on the operator side, and string typos throw at access time instead of producing mis-named span attributes that the OTel collector silently drops.

package/lib/dora.js

@@ -96,6 +96,39 @@ var INITIAL_REPORT_DEADLINE_MS      = C.TIME.hours(24);
 var INTERMEDIATE_REPORT_DEADLINE_MS = C.TIME.hours(72);
 var FINAL_REPORT_DEADLINE_MS        = C.TIME.days(30);
 
+// Adjacent-regulation incident-reporting deadlines — operators wiring
+// NIS2 / CRA / HIPAA breach notification reach for these constants
+// rather than the b.dora-specific deadlines. The b.dora factory only
+// uses INITIAL/INTERMEDIATE/FINAL above; these are reference data so
+// operators don't pin literal hour counts in their code.
+//
+// NIS2 (Directive (EU) 2022/2555) Art. 23:
+//   24h early warning  → 72h initial notification → 1 month final
+// CRA (Regulation (EU) 2024/2847) Art. 14:
+//   24h early warning  → 72h initial notification → 14 days final
+// HIPAA Breach Notification Rule (45 CFR §164.404 / §164.408):
+//   60 days to notify affected individuals
+//   60 days to notify HHS Secretary (or "without unreasonable delay" if
+//   500+ individuals — operator-driven, no hard deadline below 60 days)
+//   Annual report by Mar 1 for breaches of <500 individuals
+var DEADLINES_NIS2 = Object.freeze({
+  earlyWarningMs:   C.TIME.hours(24),
+  initialReportMs:  C.TIME.hours(72),
+  finalReportMs:    C.TIME.days(30),
+});
+var DEADLINES_CRA = Object.freeze({
+  earlyWarningMs:   C.TIME.hours(24),
+  initialReportMs:  C.TIME.hours(72),
+  finalReportMs:    C.TIME.days(14),
+});
+var DEADLINES_HIPAA_BREACH = Object.freeze({
+  individualNoticeMs:  C.TIME.days(60),
+  secretaryNoticeMs:   C.TIME.days(60),
+  // Annual aggregate report due by March 1 of the year following any
+  // calendar year in which breaches affecting <500 individuals occurred.
+  annualAggregateMs:   null,
+});
+
 var VALID_DATA_AFFECTED = ["phi", "financial", "personal", "operational", "none"];
 var VALID_SEVERITY      = ["critical", "high", "medium", "low"];
 var VALID_REPUTATIONAL  = ["media", "internal", "none"];
@@ -343,5 +376,8 @@ module.exports = {
   INITIAL_REPORT_DEADLINE_MS:          INITIAL_REPORT_DEADLINE_MS,
   INTERMEDIATE_REPORT_DEADLINE_MS:     INTERMEDIATE_REPORT_DEADLINE_MS,
   FINAL_REPORT_DEADLINE_MS:            FINAL_REPORT_DEADLINE_MS,
+  DEADLINES_NIS2:                      DEADLINES_NIS2,
+  DEADLINES_CRA:                       DEADLINES_CRA,
+  DEADLINES_HIPAA_BREACH:              DEADLINES_HIPAA_BREACH,
   DoraError:                           DoraError,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.92",
+  "version": "0.7.93",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3879cfe5-c335-4b6c-9133-99b33bbd5666",
+  "serialNumber": "urn:uuid:1c2e15ca-bff7-43a5-ae92-d24199759193",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T08:05:33.048Z",
+    "timestamp": "2026-05-06T08:15:13.953Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.92",
+      "bom-ref": "@blamejs/core@0.7.93",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.92",
+      "version": "0.7.93",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.92",
+      "purl": "pkg:npm/%40blamejs/core@0.7.93",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.92",
+      "ref": "@blamejs/core@0.7.93",
       "dependsOn": []
     }
   ]