npm - @blamejs/core - Versions diffs - 0.7.93 → 0.7.94 - Mend

@blamejs/core 0.7.93 → 0.7.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 ## v0.7.x
+- **0.7.94** (2026-05-06) — `b.compliance.REGIME_MAP` + `b.compliance.describe(<posture>)` — frozen lookup table mapping each posture name to its human-readable name + statutory citation + jurisdiction + domain. `b.compliance.describe("hipaa")` returns `{ name: "Health Insurance Portability and Accountability Act", citation: "Pub. L. 104-191; 45 CFR Parts 160, 162, 164", jurisdiction: "US", domain: "health" }`. Operators rendering the deployment posture in admin UI / audit logs reach for `REGIME_MAP[posture]` instead of hand-rolling a lookup table; values track the regulatory text and update with the framework rather than going stale in operator code. Covers all 19 postures shipped through v0.7.91 (hipaa / pci-dss / soc2 / sox + the v0.7.91 expansions: wmhmda / bipa / ccpa / gdpr / dora / nis2 / cra / ai-act / lgpd-br / pipl-cn / appi-jp / pdpa-sg / pipeda-ca / uk-gdpr). `domain` field categorizes the regime (privacy / health / payment / cybersecurity / financial-reporting / etc.) so operators can render compliance dashboards grouped by domain instead of alphabetical posture.
 - **0.7.93** (2026-05-06) — Adjacent-regulation incident-reporting deadline reference exported on `b.dora`. **`b.dora.DEADLINES_NIS2`** — NIS2 (Directive (EU) 2022/2555) Art. 23 deadlines: 24h early warning, 72h initial notification, 1 month final report. **`b.dora.DEADLINES_CRA`** — CRA (Regulation (EU) 2024/2847) Art. 14 deadlines: 24h early warning, 72h initial notification, 14 days final report. **`b.dora.DEADLINES_HIPAA_BREACH`** — HIPAA Breach Notification Rule (45 CFR §164.404 / §164.408) deadlines: 60 days for affected individuals, 60 days for HHS Secretary, annual aggregate report by March 1 for sub-500-individual breaches. Operators handling NIS2 / CRA / HIPAA reporting reach for these constants instead of pinning literal hour counts in their workflow code; the values track the regulatory text and update with the framework rather than going stale in operator code. The b.dora factory itself continues to enforce DORA Article 19 deadlines unchanged — operators wiring NIS2 / CRA / HIPAA workflows compose against the deadline constants directly with their own scheduler / submission code.
 - **0.7.92** (2026-05-06) — Retention floors + observability semconv expansion. **`b.retention.complianceFloor(<posture>, candidateMs)`** now recognizes `nis2` (3 years — NIS2 Art. 23 incident reporting), `cra` (5 years — CRA Art. 14 vulnerability handling logs), `lgpd-br` (5 years — Brazil fiscal record minimum + LGPD Art. 16), `appi-jp` (3 years — Japan APPI handler-of-record), `pdpa-sg` (1 year — PDPA breach notification audit trail), and `uk-gdpr` (6 years — UK ICO guidance + statutory limit alignment). `gdpr` continues to have no fixed minimum (Art. 5(1)(e) is "no longer than necessary" — operator-driven). **`b.observability.SEMCONV`** gains RPC attributes (`RPC_SYSTEM` / `RPC_SERVICE` / `RPC_METHOD` / `RPC_GRPC_STATUS_CODE`), additional messaging keys (`MESSAGING_CLIENT_ID` / `MESSAGING_MESSAGE_ID` / `MESSAGING_DESTINATION_PARTITION_ID` / `MESSAGING_BATCH_MESSAGE_COUNT`), network transport (`NETWORK_TRANSPORT` / `NETWORK_CONNECTION_TYPE`), process / runtime identification (`PROCESS_PID` / `PROCESS_RUNTIME_NAME` / `PROCESS_RUNTIME_VERSION`), service identification (`SERVICE_NAME` / `SERVICE_VERSION` / `SERVICE_INSTANCE_ID`), and telemetry SDK self-id (`TELEMETRY_SDK_NAME` / `TELEMETRY_SDK_LANGUAGE` / `TELEMETRY_SDK_VERSION`). Operators wiring the framework's tap into a gRPC-fronted OTel collector or an outbox-fed Kafka topic now reference the canonical attribute names directly without an aliasing table on their side.

package/lib/compliance.js CHANGED Viewed

@@ -125,12 +125,134 @@ function _resetForTest() {
   STATE.setAt   = null;
 }
+// Posture → human-readable name + statutory citation + jurisdiction.
+// Operators rendering the deployment posture in admin UI / audit logs
+// reach for REGIME_MAP[posture] instead of hand-rolling a lookup
+// table. The values track the regulatory text and update with the
+// framework rather than going stale in operator code.
+var REGIME_MAP = Object.freeze({
+  "hipaa": {
+    name:       "Health Insurance Portability and Accountability Act",
+    citation:   "Pub. L. 104-191; 45 CFR Parts 160, 162, 164",
+    jurisdiction: "US",
+    domain:     "health",
+  },
+  "pci-dss": {
+    name:       "Payment Card Industry Data Security Standard",
+    citation:   "PCI Security Standards Council v4.0.1",
+    jurisdiction: "international",
+    domain:     "payment",
+  },
+  "soc2": {
+    name:       "System and Organization Controls 2",
+    citation:   "AICPA Trust Services Criteria",
+    jurisdiction: "US",
+    domain:     "audit-attestation",
+  },
+  "sox": {
+    name:       "Sarbanes-Oxley Act",
+    citation:   "Pub. L. 107-204; 15 U.S.C. §§7201-7266",
+    jurisdiction: "US",
+    domain:     "financial-reporting",
+  },
+  "wmhmda": {
+    name:       "Washington My Health My Data Act",
+    citation:   "RCW 19.373",
+    jurisdiction: "US-WA",
+    domain:     "health",
+  },
+  "bipa": {
+    name:       "Illinois Biometric Information Privacy Act",
+    citation:   "740 ILCS 14",
+    jurisdiction: "US-IL",
+    domain:     "biometrics",
+  },
+  "ccpa": {
+    name:       "California Consumer Privacy Act / California Privacy Rights Act",
+    citation:   "Cal. Civ. Code §§1798.100-1798.199",
+    jurisdiction: "US-CA",
+    domain:     "privacy",
+  },
+  "gdpr": {
+    name:       "General Data Protection Regulation",
+    citation:   "Regulation (EU) 2016/679",
+    jurisdiction: "EU",
+    domain:     "privacy",
+  },
+  "dora": {
+    name:       "Digital Operational Resilience Act",
+    citation:   "Regulation (EU) 2022/2554",
+    jurisdiction: "EU",
+    domain:     "financial-resilience",
+  },
+  "nis2": {
+    name:       "Network and Information Security Directive 2",
+    citation:   "Directive (EU) 2022/2555",
+    jurisdiction: "EU",
+    domain:     "cybersecurity",
+  },
+  "cra": {
+    name:       "Cyber Resilience Act",
+    citation:   "Regulation (EU) 2024/2847",
+    jurisdiction: "EU",
+    domain:     "product-cybersecurity",
+  },
+  "ai-act": {
+    name:       "Artificial Intelligence Act",
+    citation:   "Regulation (EU) 2024/1689",
+    jurisdiction: "EU",
+    domain:     "ai-governance",
+  },
+  "lgpd-br": {
+    name:       "Lei Geral de Proteção de Dados",
+    citation:   "Lei nº 13.709/2018",
+    jurisdiction: "BR",
+    domain:     "privacy",
+  },
+  "pipl-cn": {
+    name:       "Personal Information Protection Law",
+    citation:   "Adopted Aug 20, 2021; effective Nov 1, 2021",
+    jurisdiction: "CN",
+    domain:     "privacy",
+  },
+  "appi-jp": {
+    name:       "Act on Protection of Personal Information",
+    citation:   "Act No. 57 of 2003 (most recent amendment 2022)",
+    jurisdiction: "JP",
+    domain:     "privacy",
+  },
+  "pdpa-sg": {
+    name:       "Personal Data Protection Act",
+    citation:   "Act 26 of 2012",
+    jurisdiction: "SG",
+    domain:     "privacy",
+  },
+  "pipeda-ca": {
+    name:       "Personal Information Protection and Electronic Documents Act",
+    citation:   "S.C. 2000, c. 5",
+    jurisdiction: "CA",
+    domain:     "privacy",
+  },
+  "uk-gdpr": {
+    name:       "UK General Data Protection Regulation",
+    citation:   "Data Protection Act 2018 + retained EU GDPR",
+    jurisdiction: "UK",
+    domain:     "privacy",
+  },
+});
+function describe(posture) {
+  return REGIME_MAP[posture] || null;
+}
 module.exports = {
   set:              set,
   current:          current,
   assert:           assert,
   clear:            clear,
+  describe:         describe,
   KNOWN_POSTURES:   KNOWN_POSTURES,
+  REGIME_MAP:       REGIME_MAP,
   ComplianceError:  ComplianceError,
   _resetForTest:    _resetForTest,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.93",
+  "version": "0.7.94",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:1c2e15ca-bff7-43a5-ae92-d24199759193",
+  "serialNumber": "urn:uuid:4a206dc4-5c8b-485f-8557-d266d9ad6730",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T08:15:13.953Z",
+    "timestamp": "2026-05-06T08:24:52.645Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.93",
+      "bom-ref": "@blamejs/core@0.7.94",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.93",
+      "version": "0.7.94",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.93",
+      "purl": "pkg:npm/%40blamejs/core@0.7.94",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.93",
+      "ref": "@blamejs/core@0.7.94",
       "dependsOn": []
     }
   ]