npm - @blamejs/core - Versions diffs - 0.7.92 → 0.7.94 - Mend

@blamejs/core 0.7.92 → 0.7.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.7.x
+- **0.7.94** (2026-05-06) — `b.compliance.REGIME_MAP` + `b.compliance.describe(<posture>)` — frozen lookup table mapping each posture name to its human-readable name + statutory citation + jurisdiction + domain. `b.compliance.describe("hipaa")` returns `{ name: "Health Insurance Portability and Accountability Act", citation: "Pub. L. 104-191; 45 CFR Parts 160, 162, 164", jurisdiction: "US", domain: "health" }`. Operators rendering the deployment posture in admin UI / audit logs reach for `REGIME_MAP[posture]` instead of hand-rolling a lookup table; values track the regulatory text and update with the framework rather than going stale in operator code. Covers all 19 postures shipped through v0.7.91 (hipaa / pci-dss / soc2 / sox + the v0.7.91 expansions: wmhmda / bipa / ccpa / gdpr / dora / nis2 / cra / ai-act / lgpd-br / pipl-cn / appi-jp / pdpa-sg / pipeda-ca / uk-gdpr). `domain` field categorizes the regime (privacy / health / payment / cybersecurity / financial-reporting / etc.) so operators can render compliance dashboards grouped by domain instead of alphabetical posture.
+- **0.7.93** (2026-05-06) — Adjacent-regulation incident-reporting deadline reference exported on `b.dora`. **`b.dora.DEADLINES_NIS2`** — NIS2 (Directive (EU) 2022/2555) Art. 23 deadlines: 24h early warning, 72h initial notification, 1 month final report. **`b.dora.DEADLINES_CRA`** — CRA (Regulation (EU) 2024/2847) Art. 14 deadlines: 24h early warning, 72h initial notification, 14 days final report. **`b.dora.DEADLINES_HIPAA_BREACH`** — HIPAA Breach Notification Rule (45 CFR §164.404 / §164.408) deadlines: 60 days for affected individuals, 60 days for HHS Secretary, annual aggregate report by March 1 for sub-500-individual breaches. Operators handling NIS2 / CRA / HIPAA reporting reach for these constants instead of pinning literal hour counts in their workflow code; the values track the regulatory text and update with the framework rather than going stale in operator code. The b.dora factory itself continues to enforce DORA Article 19 deadlines unchanged — operators wiring NIS2 / CRA / HIPAA workflows compose against the deadline constants directly with their own scheduler / submission code.
 - **0.7.92** (2026-05-06) — Retention floors + observability semconv expansion. **`b.retention.complianceFloor(<posture>, candidateMs)`** now recognizes `nis2` (3 years — NIS2 Art. 23 incident reporting), `cra` (5 years — CRA Art. 14 vulnerability handling logs), `lgpd-br` (5 years — Brazil fiscal record minimum + LGPD Art. 16), `appi-jp` (3 years — Japan APPI handler-of-record), `pdpa-sg` (1 year — PDPA breach notification audit trail), and `uk-gdpr` (6 years — UK ICO guidance + statutory limit alignment). `gdpr` continues to have no fixed minimum (Art. 5(1)(e) is "no longer than necessary" — operator-driven). **`b.observability.SEMCONV`** gains RPC attributes (`RPC_SYSTEM` / `RPC_SERVICE` / `RPC_METHOD` / `RPC_GRPC_STATUS_CODE`), additional messaging keys (`MESSAGING_CLIENT_ID` / `MESSAGING_MESSAGE_ID` / `MESSAGING_DESTINATION_PARTITION_ID` / `MESSAGING_BATCH_MESSAGE_COUNT`), network transport (`NETWORK_TRANSPORT` / `NETWORK_CONNECTION_TYPE`), process / runtime identification (`PROCESS_PID` / `PROCESS_RUNTIME_NAME` / `PROCESS_RUNTIME_VERSION`), service identification (`SERVICE_NAME` / `SERVICE_VERSION` / `SERVICE_INSTANCE_ID`), and telemetry SDK self-id (`TELEMETRY_SDK_NAME` / `TELEMETRY_SDK_LANGUAGE` / `TELEMETRY_SDK_VERSION`). Operators wiring the framework's tap into a gRPC-fronted OTel collector or an outbox-fed Kafka topic now reference the canonical attribute names directly without an aliasing table on their side.
 - **0.7.91** (2026-05-06) — Compliance-posture vocabulary expanded + OpenTelemetry semantic-convention attribute table. **`b.compliance.set(<posture>)`** now accepts thirteen new posture names: `wmhmda` (Washington My Health My Data Act), `bipa` (Illinois Biometric Information Privacy Act), `ccpa` (California Consumer Privacy Act), `nis2` (EU NIS2 Directive), `cra` (EU Cyber Resilience Act), `ai-act` (EU AI Act), `lgpd-br` (Brazil LGPD), `pipl-cn` (China PIPL), `appi-jp` (Japan APPI), `pdpa-sg` (Singapore PDPA), `pipeda-ca` (Canada PIPEDA), `uk-gdpr` (UK GDPR). Existing `hipaa` / `pci-dss` / `gdpr` / `soc2` / `dora` / `sox` continue to work. Postures map to per-primitive defaults via the existing compliancePosture opt on guards, retention, dora, etc. — operators set the deployment-wide posture once and primitives that key off it pick up the right defaults. **`b.observability.SEMCONV`** — frozen attribute-name table tracking the OpenTelemetry semantic-convention stable namespace (1.27+). HTTP server attributes (`http.request.method`, `http.response.status_code`, `http.route`, `server.address`, `client.address`), URL (`url.full`, `url.path`, `url.scheme`), database (`db.system`, `db.namespace`, `db.operation.name`, `db.query.text`), messaging (`messaging.system`, `messaging.destination.name`), auth (`user.id`, `session.id`), errors (`error.type`, `exception.type`, `exception.message`). Operators wiring the framework's tap into an OTel SDK reference these constants instead of hand-rolling the names — no aliasing table on the operator side, and string typos throw at access time instead of producing mis-named span attributes that the OTel collector silently drops.

package/lib/compliance.js CHANGED Viewed

@@ -125,12 +125,134 @@ function _resetForTest() {
   STATE.setAt   = null;
 }
+// Posture → human-readable name + statutory citation + jurisdiction.
+// Operators rendering the deployment posture in admin UI / audit logs
+// reach for REGIME_MAP[posture] instead of hand-rolling a lookup
+// table. The values track the regulatory text and update with the
+// framework rather than going stale in operator code.
+var REGIME_MAP = Object.freeze({
+  "hipaa": {
+    name:       "Health Insurance Portability and Accountability Act",
+    citation:   "Pub. L. 104-191; 45 CFR Parts 160, 162, 164",
+    jurisdiction: "US",
+    domain:     "health",
+  },
+  "pci-dss": {
+    name:       "Payment Card Industry Data Security Standard",
+    citation:   "PCI Security Standards Council v4.0.1",
+    jurisdiction: "international",
+    domain:     "payment",
+  },
+  "soc2": {
+    name:       "System and Organization Controls 2",
+    citation:   "AICPA Trust Services Criteria",
+    jurisdiction: "US",
+    domain:     "audit-attestation",
+  },
+  "sox": {
+    name:       "Sarbanes-Oxley Act",
+    citation:   "Pub. L. 107-204; 15 U.S.C. §§7201-7266",
+    jurisdiction: "US",
+    domain:     "financial-reporting",
+  },
+  "wmhmda": {
+    name:       "Washington My Health My Data Act",
+    citation:   "RCW 19.373",
+    jurisdiction: "US-WA",
+    domain:     "health",
+  },
+  "bipa": {
+    name:       "Illinois Biometric Information Privacy Act",
+    citation:   "740 ILCS 14",
+    jurisdiction: "US-IL",
+    domain:     "biometrics",
+  },
+  "ccpa": {
+    name:       "California Consumer Privacy Act / California Privacy Rights Act",
+    citation:   "Cal. Civ. Code §§1798.100-1798.199",
+    jurisdiction: "US-CA",
+    domain:     "privacy",
+  },
+  "gdpr": {
+    name:       "General Data Protection Regulation",
+    citation:   "Regulation (EU) 2016/679",
+    jurisdiction: "EU",
+    domain:     "privacy",
+  },
+  "dora": {
+    name:       "Digital Operational Resilience Act",
+    citation:   "Regulation (EU) 2022/2554",
+    jurisdiction: "EU",
+    domain:     "financial-resilience",
+  },
+  "nis2": {
+    name:       "Network and Information Security Directive 2",
+    citation:   "Directive (EU) 2022/2555",
+    jurisdiction: "EU",
+    domain:     "cybersecurity",
+  },
+  "cra": {
+    name:       "Cyber Resilience Act",
+    citation:   "Regulation (EU) 2024/2847",
+    jurisdiction: "EU",
+    domain:     "product-cybersecurity",
+  },
+  "ai-act": {
+    name:       "Artificial Intelligence Act",
+    citation:   "Regulation (EU) 2024/1689",
+    jurisdiction: "EU",
+    domain:     "ai-governance",
+  },
+  "lgpd-br": {
+    name:       "Lei Geral de Proteção de Dados",
+    citation:   "Lei nº 13.709/2018",
+    jurisdiction: "BR",
+    domain:     "privacy",
+  },
+  "pipl-cn": {
+    name:       "Personal Information Protection Law",
+    citation:   "Adopted Aug 20, 2021; effective Nov 1, 2021",
+    jurisdiction: "CN",
+    domain:     "privacy",
+  },
+  "appi-jp": {
+    name:       "Act on Protection of Personal Information",
+    citation:   "Act No. 57 of 2003 (most recent amendment 2022)",
+    jurisdiction: "JP",
+    domain:     "privacy",
+  },
+  "pdpa-sg": {
+    name:       "Personal Data Protection Act",
+    citation:   "Act 26 of 2012",
+    jurisdiction: "SG",
+    domain:     "privacy",
+  },
+  "pipeda-ca": {
+    name:       "Personal Information Protection and Electronic Documents Act",
+    citation:   "S.C. 2000, c. 5",
+    jurisdiction: "CA",
+    domain:     "privacy",
+  },
+  "uk-gdpr": {
+    name:       "UK General Data Protection Regulation",
+    citation:   "Data Protection Act 2018 + retained EU GDPR",
+    jurisdiction: "UK",
+    domain:     "privacy",
+  },
+});
+function describe(posture) {
+  return REGIME_MAP[posture] || null;
+}
 module.exports = {
   set:              set,
   current:          current,
   assert:           assert,
   clear:            clear,
+  describe:         describe,
   KNOWN_POSTURES:   KNOWN_POSTURES,
+  REGIME_MAP:       REGIME_MAP,
   ComplianceError:  ComplianceError,
   _resetForTest:    _resetForTest,
 };

package/lib/dora.js CHANGED Viewed

@@ -96,6 +96,39 @@ var INITIAL_REPORT_DEADLINE_MS      = C.TIME.hours(24);
 var INTERMEDIATE_REPORT_DEADLINE_MS = C.TIME.hours(72);
 var FINAL_REPORT_DEADLINE_MS        = C.TIME.days(30);
+// Adjacent-regulation incident-reporting deadlines — operators wiring
+// NIS2 / CRA / HIPAA breach notification reach for these constants
+// rather than the b.dora-specific deadlines. The b.dora factory only
+// uses INITIAL/INTERMEDIATE/FINAL above; these are reference data so
+// operators don't pin literal hour counts in their code.
+//
+// NIS2 (Directive (EU) 2022/2555) Art. 23:
+//   24h early warning  → 72h initial notification → 1 month final
+// CRA (Regulation (EU) 2024/2847) Art. 14:
+//   24h early warning  → 72h initial notification → 14 days final
+// HIPAA Breach Notification Rule (45 CFR §164.404 / §164.408):
+//   60 days to notify affected individuals
+//   60 days to notify HHS Secretary (or "without unreasonable delay" if
+//   500+ individuals — operator-driven, no hard deadline below 60 days)
+//   Annual report by Mar 1 for breaches of <500 individuals
+var DEADLINES_NIS2 = Object.freeze({
+  earlyWarningMs:   C.TIME.hours(24),
+  initialReportMs:  C.TIME.hours(72),
+  finalReportMs:    C.TIME.days(30),
+});
+var DEADLINES_CRA = Object.freeze({
+  earlyWarningMs:   C.TIME.hours(24),
+  initialReportMs:  C.TIME.hours(72),
+  finalReportMs:    C.TIME.days(14),
+});
+var DEADLINES_HIPAA_BREACH = Object.freeze({
+  individualNoticeMs:  C.TIME.days(60),
+  secretaryNoticeMs:   C.TIME.days(60),
+  // Annual aggregate report due by March 1 of the year following any
+  // calendar year in which breaches affecting <500 individuals occurred.
+  annualAggregateMs:   null,
+});
 var VALID_DATA_AFFECTED = ["phi", "financial", "personal", "operational", "none"];
 var VALID_SEVERITY      = ["critical", "high", "medium", "low"];
 var VALID_REPUTATIONAL  = ["media", "internal", "none"];
@@ -343,5 +376,8 @@ module.exports = {
   INITIAL_REPORT_DEADLINE_MS:          INITIAL_REPORT_DEADLINE_MS,
   INTERMEDIATE_REPORT_DEADLINE_MS:     INTERMEDIATE_REPORT_DEADLINE_MS,
   FINAL_REPORT_DEADLINE_MS:            FINAL_REPORT_DEADLINE_MS,
+  DEADLINES_NIS2:                      DEADLINES_NIS2,
+  DEADLINES_CRA:                       DEADLINES_CRA,
+  DEADLINES_HIPAA_BREACH:              DEADLINES_HIPAA_BREACH,
   DoraError:                           DoraError,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.92",
+  "version": "0.7.94",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3879cfe5-c335-4b6c-9133-99b33bbd5666",
+  "serialNumber": "urn:uuid:4a206dc4-5c8b-485f-8557-d266d9ad6730",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T08:05:33.048Z",
+    "timestamp": "2026-05-06T08:24:52.645Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.92",
+      "bom-ref": "@blamejs/core@0.7.94",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.92",
+      "version": "0.7.94",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.92",
+      "purl": "pkg:npm/%40blamejs/core@0.7.94",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.92",
+      "ref": "@blamejs/core@0.7.94",
       "dependsOn": []
     }
   ]