@blamejs/core 0.8.24 → 0.8.26

package/index.js

@@ -101,6 +101,8 @@ var aiInput = require("./lib/ai-input");
 var a2a = require("./lib/a2a");
 var darkPatterns = require("./lib/dark-patterns");
 var budr = require("./lib/budr");
+var secCyber = require("./lib/sec-cyber");
+var iabTcf = require("./lib/iab-tcf");
 var safeUrl = require("./lib/safe-url");
 var safeRedirect = require("./lib/safe-redirect");
 var pick = require("./lib/pick");
@@ -289,6 +291,8 @@ module.exports = {
   a2a:              a2a,
   darkPatterns:     darkPatterns,
   budr:             budr,
+  secCyber:         secCyber,
+  iabTcf:           iabTcf,
   safeUrl:          safeUrl,
   safeRedirect:     safeRedirect,
   pick:             pick,

package/lib/audit.js

@@ -239,6 +239,8 @@ var FRAMEWORK_NAMESPACES = [
   "a2a",        // b.a2a (a2a.card_signed / verified / rejected)
   "darkpatterns", // b.darkPatterns (darkPatterns.attest / cancel-blocked)
   "budr",       // b.budr (budr.declared)
+  "seccyber",   // b.secCyber (seccyber.eight_k_artifact)
+  "iabtcf",     // b.iabTcf (iabtcf.refused / iabtcf.accepted)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/iab-tcf.js

@@ -0,0 +1,356 @@
+"use strict";
+/**
+ * b.iabTcf — IAB Europe Transparency & Consent Framework v2.3 consent
+ * string parser + disclosedVendors validator.
+ *
+ * Required by TCF Policy v2.3 §III.B.5 (CMP MUST signal which vendors
+ * received disclosure regardless of consent state). Deadline 2026-02-28
+ * is past — Google Ads + every major DSP rejects v2.2-shaped strings
+ * since that date. EU/UK adtech operators that didn't migrate are
+ * losing inventory.
+ *
+ * Consent-string format (TCF v2.3 spec, §A):
+ *   Base64URL-no-pad of segments separated by `.`:
+ *     Core | DisclosedVendors | (AllowedVendors) | PublisherTC
+ *
+ *   Core segment carries: cmpVersion=2, version=4 (TCF v2.3),
+ *   created/lastUpdated, cmpId, vendorListVersion, policyVersion=4,
+ *   special-feature-opts-in, purpose-consents, purpose-LIs, vendor
+ *   consents bitmap, vendor LIs bitmap, publisher restrictions.
+ *
+ *   DisclosedVendors segment (REQUIRED in v2.3): bitmap of every
+ *   vendor disclosed to the user (regardless of consent). v2.2
+ *   strings omit this segment entirely.
+ *
+ * Public API:
+ *
+ *   iabTcf.parseString(tcString) -> {
+ *     core: { version, cmpId, vendorListVersion, policyVersion,
+ *             createdAt, lastUpdatedAt, vendorConsents, vendorLIs,
+ *             ... },
+ *     disclosedVendors: { present, vendorIds: Set<int> } | null,
+ *     allowedVendors:   { present, vendorIds: Set<int> } | null,
+ *     publisherTC:      { present, ... } | null,
+ *     errors:           Array<string>,
+ *   }
+ *
+ *   iabTcf.requireV23Disclosed(tcString) -> void
+ *     Throws iabTcf.IabTcfError on:
+ *       - missing DisclosedVendors segment (v2.2 string)
+ *       - core.version !== 4 (TCF v2.3 = version 4 in the spec
+ *         encoding; v2.2 = version 2 or 3 depending on revision —
+ *         the framework refuses anything not v=4 under v2.3 posture)
+ *       - core.policyVersion !== 4 (TCF Policy v2.3 = policyVersion 4)
+ *
+ *   iabTcf.checkVendor(parsed, vendorId) -> {
+ *     consented: bool,        — vendor id in vendorConsents
+ *     legitimate: bool,       — vendor id in vendorLIs
+ *     disclosed: bool,        — vendor id in disclosedVendors
+ *   }
+ *
+ * Operator workflow:
+ *   var parsed = b.iabTcf.parseString(tcString);
+ *   b.iabTcf.requireV23Disclosed(tcString);   // refuses v2.2
+ *   var verdict = b.iabTcf.checkVendor(parsed, 755); // Google
+ *   if (!verdict.consented && !verdict.legitimate) refuseAdRequest();
+ *
+ * The framework does NOT bundle the IAB Global Vendor List (it's a
+ * versioned JSON published at https://vendor-list.consensu.org/v3/
+ * vendor-list.json that operators fetch and refresh themselves).
+ * `parsed.core.vendorListVersion` is the version the consent string
+ * was signed against — operators load that version from their cache.
+ */
+
+var audit = require("./audit");
+var { defineClass } = require("./framework-error");
+var IabTcfError = defineClass("IabTcfError", { alwaysPermanent: true });
+
+// TCF v2.3 spec values.
+var TCF_V23_CORE_VERSION   = 4;                                                                // allow:raw-byte-literal — TCF spec version, not bytes
+var TCF_V23_POLICY_VERSION = 4;                                                                // allow:raw-byte-literal — TCF policy version, not bytes
+// SEGMENT_TYPE_CORE = 0 documented but not declared as a const — the
+// core segment is identified positionally (segment[0]) not by the
+// 3-bit type prefix the secondary segments use.
+var SEGMENT_TYPE_DISCLOSED_VENDORS = 1;                                                        // allow:raw-byte-literal — TCF segment-type marker, not bytes
+var SEGMENT_TYPE_ALLOWED_VENDORS   = 2;                                                        // allow:raw-byte-literal — TCF segment-type marker, not bytes
+var SEGMENT_TYPE_PUBLISHER_TC      = 3;                                                        // allow:raw-byte-literal — TCF segment-type marker, not bytes
+var MAX_TC_STRING_BYTES = 64 * 1024;                                                           // allow:raw-byte-literal — request-payload cap
+
+// base64url decode (no padding) → Buffer.
+function _b64urlDecode(s) {
+  var padded = s.replace(/-/g, "+").replace(/_/g, "/");
+  var pad = padded.length % 4;
+  if (pad === 2) padded += "==";
+  else if (pad === 3) padded += "=";
+  else if (pad === 1) throw IabTcfError.factory("BAD_BASE64",
+    "iabTcf: base64url segment has invalid length");
+  return Buffer.from(padded, "base64");
+}
+
+// Bit-level reader over a Buffer.
+function _bitReader(buf) {
+  var bitOffset = 0;
+  var totalBits = buf.length * 8;                                                             // allow:raw-byte-literal — bits per byte
+  function read(n) {
+    if (bitOffset + n > totalBits) {
+      throw IabTcfError.factory("BAD_LENGTH",
+        "iabTcf: read past end of segment (offset=" + bitOffset + " want=" + n + " total=" + totalBits + ")");
+    }
+    var v = 0;
+    for (var i = 0; i < n; i += 1) {
+      var byteIdx = (bitOffset + i) >> 3;
+      var bitIdx  = 7 - ((bitOffset + i) & 7);                                                  // allow:raw-byte-literal — high-bit-first ordering
+      v = (v << 1) | ((buf[byteIdx] >> bitIdx) & 1);
+    }
+    bitOffset += n;
+    return v;
+  }
+  function readBitField(n) {
+    // Returns Set<int> of 1-based positions where the bit is set.
+    var ids = new Set();
+    for (var i = 0; i < n; i += 1) {
+      if (read(1) === 1) ids.add(i + 1);
+    }
+    return ids;
+  }
+  function pos() { return bitOffset; }
+  function setPos(n) { bitOffset = n; }
+  function remaining() { return totalBits - bitOffset; }
+  return { read: read, readBitField: readBitField, pos: pos, setPos: setPos, remaining: remaining, totalBits: totalBits };
+}
+
+function _parseCore(buf) {
+  var r = _bitReader(buf);
+  var version            = r.read(6);                                                          // allow:raw-byte-literal — TCF spec field width, not bytes
+  var createdRaw         = r.read(36);                                                         // allow:raw-byte-literal — TCF spec field width
+  var lastUpdatedRaw     = r.read(36);                                                         // allow:raw-byte-literal — TCF spec field width
+  var cmpId              = r.read(12);                                                         // allow:raw-byte-literal — TCF spec field width
+  var cmpVersion         = r.read(12);                                                         // allow:raw-byte-literal — TCF spec field width
+  var consentScreen      = r.read(6);                                                          // allow:raw-byte-literal — TCF spec field width
+  // ConsentLanguage (12 bits = 2 chars × 6 bits, ASCII A-Z mapped 0-25)
+  var lang0 = r.read(6);                                                                       // allow:raw-byte-literal — TCF spec field width
+  var lang1 = r.read(6);                                                                       // allow:raw-byte-literal — TCF spec field width
+  var consentLanguage = String.fromCharCode(0x41 + lang0) + String.fromCharCode(0x41 + lang1); // allow:raw-byte-literal — ASCII 'A' offset
+  var vendorListVersion  = r.read(12);                                                         // allow:raw-byte-literal — TCF spec field width
+  var policyVersion      = r.read(6);                                                          // allow:raw-byte-literal — TCF spec field width
+  var isServiceSpecific  = r.read(1) === 1;
+  var useNonStandardStacks = r.read(1) === 1;
+  var specialFeatureOptins = r.readBitField(12);                                               // allow:raw-byte-literal — TCF spec field width
+  var purposesConsent      = r.readBitField(24);                                               // allow:raw-byte-literal — TCF spec field width
+  var purposesLI           = r.readBitField(24);                                               // allow:raw-byte-literal — TCF spec field width
+  var purposeOneTreatment  = r.read(1) === 1;
+  var publisherCC          = String.fromCharCode(0x41 + r.read(6)) + String.fromCharCode(0x41 + r.read(6)); // allow:raw-byte-literal — TCF spec field width
+  // MaxVendorIdConsent + ranged fields skipped for compactness — the
+  // framework's defensive parse only extracts the top-level shape +
+  // the vendorConsents/LIs bitmaps when present.
+  var vendorConsents = _parseVendorSection(r);
+  var vendorLIs      = _parseVendorSection(r);
+  return {
+    version:               version,
+    createdAt:             createdRaw * 100,                                                   // allow:raw-time-literal — TCF spec deciseconds → ms
+    lastUpdatedAt:         lastUpdatedRaw * 100,                                               // allow:raw-time-literal — TCF spec deciseconds → ms
+    cmpId:                 cmpId,
+    cmpVersion:            cmpVersion,
+    consentScreen:         consentScreen,
+    consentLanguage:       consentLanguage,
+    vendorListVersion:     vendorListVersion,
+    policyVersion:         policyVersion,
+    isServiceSpecific:     isServiceSpecific,
+    useNonStandardStacks:  useNonStandardStacks,
+    specialFeatureOptins:  specialFeatureOptins,
+    purposesConsent:       purposesConsent,
+    purposesLI:            purposesLI,
+    purposeOneTreatment:   purposeOneTreatment,
+    publisherCC:           publisherCC,
+    vendorConsents:        vendorConsents,
+    vendorLIs:             vendorLIs,
+  };
+}
+
+// Vendor section: MaxVendorId (16 bits) + IsRangeEncoding (1 bit) +
+// either bitmap (MaxVendorId bits) or RangeEntries.
+function _parseVendorSection(r) {
+  var maxVendorId    = r.read(16);                                                             // allow:raw-byte-literal — TCF spec field width
+  var isRangeEncoding = r.read(1) === 1;
+  var ids = new Set();
+  if (isRangeEncoding) {
+    var numEntries = r.read(12);                                                               // allow:raw-byte-literal — TCF spec field width
+    for (var i = 0; i < numEntries; i += 1) {
+      var isRange = r.read(1) === 1;
+      var startVendorId = r.read(16);                                                          // allow:raw-byte-literal — TCF spec field width
+      if (isRange) {
+        var endVendorId = r.read(16);                                                          // allow:raw-byte-literal — TCF spec field width
+        for (var v = startVendorId; v <= endVendorId; v += 1) ids.add(v);
+      } else {
+        ids.add(startVendorId);
+      }
+    }
+  } else {
+    for (var b = 0; b < maxVendorId; b += 1) {
+      if (r.read(1) === 1) ids.add(b + 1);
+    }
+  }
+  return { maxVendorId: maxVendorId, ids: ids };
+}
+
+// DisclosedVendors / AllowedVendors segments share the same shape:
+// SegmentType (3 bits) + MaxVendorId + IsRangeEncoding + section.
+function _parseSecondaryVendorSegment(buf, expectedType) {
+  var r = _bitReader(buf);
+  var segType = r.read(3);                                                                     // allow:raw-byte-literal — TCF spec field width
+  if (segType !== expectedType) {
+    throw IabTcfError.factory("BAD_SEGMENT_TYPE",
+      "iabTcf: expected segment type " + expectedType + ", got " + segType);
+  }
+  return _parseVendorSection(r);
+}
+
+function parseString(tcString) {
+  if (typeof tcString !== "string" || tcString.length === 0) {
+    throw IabTcfError.factory("BAD_INPUT",
+      "iabTcf.parseString: tcString must be a non-empty string");
+  }
+  if (tcString.length > MAX_TC_STRING_BYTES) {
+    throw IabTcfError.factory("INPUT_TOO_LARGE",
+      "iabTcf.parseString: tcString exceeds " + MAX_TC_STRING_BYTES + " bytes");
+  }
+  var segments = tcString.split(".");
+  var coreBuf;
+  try { coreBuf = _b64urlDecode(segments[0]); }
+  catch (e) {
+    throw IabTcfError.factory("BAD_CORE",
+      "iabTcf.parseString: core segment base64url decode failed: " + e.message);
+  }
+  var core = _parseCore(coreBuf);
+
+  var disclosedVendors = null;
+  var allowedVendors   = null;
+  var publisherTC      = null;
+  var errors           = [];
+
+  for (var i = 1; i < segments.length; i += 1) {
+    var segBuf;
+    try { segBuf = _b64urlDecode(segments[i]); }
+    catch (e) {
+      errors.push("segment[" + i + "] base64 decode: " + e.message);
+      continue;
+    }
+    if (segBuf.length === 0) continue;
+    var segType = (segBuf[0] >> 5) & 0x07;                                                     // allow:raw-byte-literal — TCF segment-type lives in top 3 bits
+    try {
+      if (segType === SEGMENT_TYPE_DISCLOSED_VENDORS) {
+        disclosedVendors = { present: true, vendorIds: _parseSecondaryVendorSegment(segBuf, SEGMENT_TYPE_DISCLOSED_VENDORS).ids };
+      } else if (segType === SEGMENT_TYPE_ALLOWED_VENDORS) {
+        allowedVendors = { present: true, vendorIds: _parseSecondaryVendorSegment(segBuf, SEGMENT_TYPE_ALLOWED_VENDORS).ids };
+      } else if (segType === SEGMENT_TYPE_PUBLISHER_TC) {
+        publisherTC = { present: true };
+      } else {
+        errors.push("segment[" + i + "] unknown type: " + segType);
+      }
+    } catch (e) {
+      errors.push("segment[" + i + "] parse: " + e.message);
+    }
+  }
+
+  return {
+    core:             core,
+    disclosedVendors: disclosedVendors,
+    allowedVendors:   allowedVendors,
+    publisherTC:      publisherTC,
+    errors:           errors,
+  };
+}
+
+function requireV23Disclosed(tcString, opts) {
+  opts = opts || {};
+  var auditOn = opts.audit !== false;
+  var parsed;
+  try { parsed = parseString(tcString); }
+  catch (e) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "iabtcf.refused",
+        outcome:  "denied",
+        reason:   "parse_failure",
+        metadata: { error: e.message },
+      });
+    }
+    throw e;
+  }
+  if (parsed.core.version !== TCF_V23_CORE_VERSION) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "iabtcf.refused",
+        outcome:  "denied",
+        reason:   "wrong_core_version",
+        metadata: { coreVersion: parsed.core.version, required: TCF_V23_CORE_VERSION },
+      });
+    }
+    throw IabTcfError.factory("WRONG_CORE_VERSION",
+      "iabTcf: core version " + parsed.core.version + " not v2.3 (required " +
+      TCF_V23_CORE_VERSION + ")");
+  }
+  if (parsed.core.policyVersion !== TCF_V23_POLICY_VERSION) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "iabtcf.refused",
+        outcome:  "denied",
+        reason:   "wrong_policy_version",
+        metadata: { policyVersion: parsed.core.policyVersion, required: TCF_V23_POLICY_VERSION },
+      });
+    }
+    throw IabTcfError.factory("WRONG_POLICY_VERSION",
+      "iabTcf: policy version " + parsed.core.policyVersion + " not v2.3 (required " +
+      TCF_V23_POLICY_VERSION + ")");
+  }
+  if (!parsed.disclosedVendors || !parsed.disclosedVendors.present) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "iabtcf.refused",
+        outcome:  "denied",
+        reason:   "missing_disclosed_vendors",
+        metadata: {},
+      });
+    }
+    throw IabTcfError.factory("MISSING_DISCLOSED_VENDORS",
+      "iabTcf: TC string lacks DisclosedVendors segment (TCF v2.3 §III.B.5 — REQUIRED since 2026-02-28)");
+  }
+  if (auditOn) {
+    audit.safeEmit({
+      action:   "iabtcf.accepted",
+      outcome:  "success",
+      metadata: {
+        cmpId:               parsed.core.cmpId,
+        vendorListVersion:   parsed.core.vendorListVersion,
+        disclosedVendorCount: parsed.disclosedVendors.vendorIds.size,
+      },
+    });
+  }
+  return parsed;
+}
+
+function checkVendor(parsed, vendorId) {
+  if (!parsed || !parsed.core) {
+    throw IabTcfError.factory("BAD_PARSED",
+      "iabTcf.checkVendor: parsed object required (call parseString first)");
+  }
+  if (typeof vendorId !== "number" || !isFinite(vendorId) || vendorId < 1 ||
+      Math.floor(vendorId) !== vendorId) {
+    throw IabTcfError.factory("BAD_VENDOR_ID",
+      "iabTcf.checkVendor: vendorId must be a positive integer");
+  }
+  return {
+    consented:   parsed.core.vendorConsents.ids.has(vendorId),
+    legitimate:  parsed.core.vendorLIs.ids.has(vendorId),
+    disclosed:   parsed.disclosedVendors && parsed.disclosedVendors.vendorIds.has(vendorId) || false,
+  };
+}
+
+module.exports = {
+  parseString:           parseString,
+  requireV23Disclosed:   requireV23Disclosed,
+  checkVendor:           checkVendor,
+  IabTcfError:           IabTcfError,
+  TCF_V23_CORE_VERSION:  TCF_V23_CORE_VERSION,
+  TCF_V23_POLICY_VERSION: TCF_V23_POLICY_VERSION,
+};

package/lib/sec-cyber.js

@@ -0,0 +1,214 @@
+"use strict";
+/**
+ * b.secCyber — SEC Cybersecurity Disclosure Item 1.05 (Form 8-K)
+ * artifact generator.
+ *
+ * Required by 17 CFR §229.106 / Form 8-K Item 1.05 (final rule
+ * effective 2023-12-18). When a registrant determines that a
+ * cybersecurity incident is material, it MUST file a Form 8-K within
+ * 4 business days of the materiality determination, describing:
+ *
+ *   - The material aspects of the nature, scope, and timing
+ *   - The material impact or reasonably likely material impact on
+ *     the registrant (financial condition + results of operations)
+ *
+ * Materiality determination MUST be made "without unreasonable
+ * delay." The Attorney General can authorize a delay (when public
+ * disclosure would pose substantial risk to national security or
+ * public safety) — registrant requests the delay before the 4-day
+ * window elapses.
+ *
+ * The framework can't decide materiality (that's a fact-and-circum-
+ * stances judgment). What it CAN do:
+ *
+ *   - Structure the operator's materiality finding into a
+ *     tamper-evident audit-chain row (the regulator-facing record).
+ *   - Generate the 8-K Item 1.05 narrative skeleton with the
+ *     operator's content slotted in.
+ *   - Compute the 4-business-day deadline so the operator's
+ *     filing-system gate refuses to slip past it.
+ *   - Emit an AG-delay-request artifact when the operator asserts
+ *     national-security / public-safety risk.
+ *
+ * Public API:
+ *
+ *   b.secCyber.eightKArtifact(opts) -> { artifact, deadline, audit }
+ *     opts:
+ *       incidentId:        operator-supplied incident reference (string).
+ *       registrant:        { name, cik, filer }
+ *       detectedAt:        Unix-ms when the incident was detected.
+ *       materialityDeterminedAt: Unix-ms when materiality was determined.
+ *       materialityFinding:      "material" | "not-material" | "pending".
+ *       materialityReasoning:    operator-provided narrative
+ *                                explaining the materiality call.
+ *       nature:            string describing the incident's nature.
+ *       scope:             string describing the scope.
+ *       timing:            string describing the timing.
+ *       impact:            string describing material/likely-material
+ *                          impact on financial condition + operations.
+ *       agDelayRequested:  bool. When true, the artifact includes the
+ *                          AG-delay-request template and the 4-day
+ *                          deadline is suspended pending DOJ response.
+ *       agDelayJustification: string explaining the national-security
+ *                          / public-safety risk that justifies delay
+ *                          (REQUIRED when agDelayRequested = true).
+ *       audit:             bool, default true.
+ *
+ *   Returns:
+ *       artifact:          structured 8-K Item 1.05 content (markdown
+ *                          + JSON for downstream EDGAR filing).
+ *       deadline:          Unix-ms 4-business-day deadline (null when
+ *                          AG-delay-requested).
+ *       deadlineBusinessDays: business-day count (4 by default; spec
+ *                          gives no exception).
+ *
+ * The framework does NOT submit to EDGAR — operators wire the
+ * artifact into their existing filer-attorney workflow.
+ */
+
+var audit = require("./audit");
+var C = require("./constants");
+var validateOpts = require("./validate-opts");
+var nb = require("./numeric-bounds");
+var { defineClass } = require("./framework-error");
+var SecCyberError = defineClass("SecCyberError", { alwaysPermanent: true });
+
+var FINDINGS = ["material", "not-material", "pending"];
+
+function _addBusinessDays(startMs, days) {
+  // Walk forward N business days (Mon-Fri). Doesn't honor US federal
+  // holidays — operators with a calendar-aware filing system override
+  // by reading deadlineBusinessDays and computing themselves.
+  var t = new Date(startMs);
+  var added = 0;
+  while (added < days) {
+    t = new Date(t.getTime() + C.TIME.days(1));
+    var dow = t.getUTCDay();
+    if (dow !== 0 && dow !== 6) added += 1;
+  }
+  return t.getTime();
+}
+
+function eightKArtifact(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw SecCyberError.factory("BAD_OPTS",
+      "secCyber.eightKArtifact: opts required");
+  }
+  validateOpts.requireNonEmptyString(opts.incidentId,
+    "secCyber.eightKArtifact: incidentId", SecCyberError, "BAD_INCIDENT_ID");
+  if (!opts.registrant || typeof opts.registrant !== "object") {
+    throw SecCyberError.factory("BAD_REGISTRANT",
+      "secCyber.eightKArtifact: registrant object required");
+  }
+  validateOpts.requireNonEmptyString(opts.registrant.name,
+    "secCyber.eightKArtifact: registrant.name", SecCyberError, "BAD_REGISTRANT_NAME");
+  validateOpts.requireNonEmptyString(opts.registrant.cik,
+    "secCyber.eightKArtifact: registrant.cik", SecCyberError, "BAD_CIK");
+  nb.requirePositiveFiniteIntIfPresent(opts.detectedAt,
+    "secCyber.eightKArtifact: detectedAt", SecCyberError, "BAD_DETECTED_AT");
+  nb.requirePositiveFiniteIntIfPresent(opts.materialityDeterminedAt,
+    "secCyber.eightKArtifact: materialityDeterminedAt", SecCyberError, "BAD_MAT_AT");
+
+  if (FINDINGS.indexOf(opts.materialityFinding) === -1) {
+    throw SecCyberError.factory("BAD_FINDING",
+      "secCyber.eightKArtifact: materialityFinding must be one of " + FINDINGS.join(", "));
+  }
+  validateOpts.requireNonEmptyString(opts.materialityReasoning,
+    "secCyber.eightKArtifact: materialityReasoning", SecCyberError, "BAD_REASONING");
+
+  if (opts.materialityFinding === "material") {
+    validateOpts.requireNonEmptyString(opts.nature,
+      "secCyber.eightKArtifact: nature", SecCyberError, "BAD_NATURE");
+    validateOpts.requireNonEmptyString(opts.scope,
+      "secCyber.eightKArtifact: scope", SecCyberError, "BAD_SCOPE");
+    validateOpts.requireNonEmptyString(opts.timing,
+      "secCyber.eightKArtifact: timing", SecCyberError, "BAD_TIMING");
+    validateOpts.requireNonEmptyString(opts.impact,
+      "secCyber.eightKArtifact: impact", SecCyberError, "BAD_IMPACT");
+  }
+
+  var agDelayRequested = opts.agDelayRequested === true;
+  if (agDelayRequested) {
+    validateOpts.requireNonEmptyString(opts.agDelayJustification,
+      "secCyber.eightKArtifact: agDelayJustification (required when agDelayRequested=true)",
+      SecCyberError, "BAD_AG_JUSTIFICATION");
+  }
+
+  var matAt = opts.materialityDeterminedAt || Date.now();
+  var deadline = agDelayRequested ? null : _addBusinessDays(matAt, 4);
+
+  var markdown = "# Form 8-K — Item 1.05 Material Cybersecurity Incident\n\n" +
+    "**Registrant:** " + opts.registrant.name + " (CIK: " + opts.registrant.cik + ")\n\n" +
+    "**Incident ID:** " + opts.incidentId + "\n\n" +
+    "**Materiality determination date:** " + new Date(matAt).toISOString() + "\n\n" +
+    "**Materiality finding:** " + opts.materialityFinding + "\n\n" +
+    "**Reasoning:**\n\n" + opts.materialityReasoning + "\n\n";
+
+  if (opts.materialityFinding === "material") {
+    markdown +=
+      "## Item 1.05(a) — Material aspects\n\n" +
+      "**Nature.** " + opts.nature + "\n\n" +
+      "**Scope.** " + opts.scope + "\n\n" +
+      "**Timing.** " + opts.timing + "\n\n" +
+      "## Item 1.05(b) — Material impact\n\n" + opts.impact + "\n\n";
+  }
+
+  if (agDelayRequested) {
+    markdown += "## AG-delay request (17 CFR §229.106(c)(1)(ii))\n\n" +
+      "Registrant asserts that disclosure of this incident would pose a substantial " +
+      "risk to national security or public safety. Pursuant to the rule, registrant " +
+      "requests that the Attorney General authorize a delay of disclosure.\n\n" +
+      "**Justification:** " + opts.agDelayJustification + "\n\n";
+  }
+
+  markdown += "**Filing deadline:** " +
+    (deadline ? new Date(deadline).toISOString() + " (4 business days from materiality determination)" :
+                "suspended pending DOJ response to AG-delay request") + "\n";
+
+  var artifactJson = {
+    form:         "8-K",
+    item:         "1.05",
+    incidentId:   opts.incidentId,
+    registrant:   { name: opts.registrant.name, cik: opts.registrant.cik },
+    detectedAt:   opts.detectedAt || null,
+    materialityDeterminedAt: matAt,
+    materialityFinding: opts.materialityFinding,
+    materialityReasoning: opts.materialityReasoning,
+    items: opts.materialityFinding === "material" ? {
+      "1.05(a)": {
+        nature: opts.nature, scope: opts.scope, timing: opts.timing,
+      },
+      "1.05(b)": { impact: opts.impact },
+    } : null,
+    agDelayRequested:     agDelayRequested,
+    agDelayJustification: agDelayRequested ? opts.agDelayJustification : null,
+    deadlineMs:           deadline,
+  };
+
+  if (opts.audit !== false) {
+    audit.safeEmit({
+      action:   "seccyber.eight_k_artifact",
+      outcome:  "success",
+      metadata: {
+        incidentId:           opts.incidentId,
+        registrant:           opts.registrant.name,
+        cik:                  opts.registrant.cik,
+        materialityFinding:   opts.materialityFinding,
+        deadlineMs:           deadline,
+        agDelayRequested:     agDelayRequested,
+      },
+    });
+  }
+
+  return {
+    artifact: { markdown: markdown, json: artifactJson },
+    deadline: deadline,
+    deadlineBusinessDays: agDelayRequested ? null : 4,                                       // allow:raw-byte-literal — SEC Item 1.05 4-business-day deadline (17 CFR §229.106(c)(1))
+  };
+}
+
+module.exports = {
+  eightKArtifact: eightKArtifact,
+  FINDINGS:       FINDINGS.slice(),
+  SecCyberError:  SecCyberError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.24",
+  "version": "0.8.26",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:05943c33-3381-4aac-9f4b-b0f06a2a3caf",
+  "serialNumber": "urn:uuid:cbce5737-d9f9-4793-b198-266fc75eb98e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T13:14:30.419Z",
+    "timestamp": "2026-05-07T13:46:19.961Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.24",
+      "bom-ref": "@blamejs/core@0.8.26",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.24",
+      "version": "0.8.26",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.24",
+      "purl": "pkg:npm/%40blamejs/core@0.8.26",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.24",
+      "ref": "@blamejs/core@0.8.26",
       "dependsOn": []
     }
   ]