@blamejs/core 0.8.76 → 0.8.78

package/lib/content-credentials.js

@@ -327,11 +327,238 @@ function verify(envelope, publicKeyPem, opts) {
   return { valid: true, claims: envelope.manifest, reason: null };
 }
 
+// ---- C2PA 2.x COSE_Sign1 interop wrapper -------------------------
+//
+// Framework's `sign()` produces a JCS-canonicalized + ML-DSA-87/SLH-DSA
+// signature shape — fine for blamejs-internal verifiers but does NOT
+// interop with the c2patool / JPEG Trust / Adobe verifiers, which
+// expect COSE_Sign1 (RFC 9052) per C2PA spec §11.
+//
+// `signCose` wraps the same manifest payload in a minimal COSE_Sign1
+// CBOR structure with:
+//   - protected header { 1: alg }  (RFC 9052 §3.1)
+//   - unprotected header { 33: x5chain } if certChain supplied
+//   - payload: the JCS-canonicalized manifest bytes
+//   - signature: the ML-DSA-87 / Ed25519 signature
+//
+// The CBOR is hand-encoded — keeps the framework's "zero npm runtime
+// deps" rule intact. Verifiers consume the bytes via standard COSE
+// libraries (jose-py / c2pa-rs / etc.).
+
+// COSE algorithm registry codepoints (RFC 9053 §2.1 + draft-ietf-cose-* for PQ).
+// allow:raw-byte-literal — IANA registry IDs, not byte counts.
+var COSE_ALGS = {
+  "ed25519":    -8,    // allow:raw-byte-literal — COSE alg id
+  "es256":      -7,    // allow:raw-byte-literal — COSE alg id
+  "es384":      -35,   // allow:raw-byte-literal — COSE alg id
+  "es512":      -36,   // allow:raw-byte-literal — COSE alg id
+  "ml-dsa-44":  -48,   // allow:raw-byte-literal — COSE alg id (draft)
+  "ml-dsa-65":  -49,   // allow:raw-byte-literal — COSE alg id (draft)
+  "ml-dsa-87":  -50,   // allow:raw-byte-literal — COSE alg id (draft)
+  "slh-dsa-sha2-128s":   -51,   // allow:raw-byte-literal — COSE alg id (draft)
+  "slh-dsa-shake-256f":  -56,   // allow:raw-byte-literal — COSE alg id (draft)
+};
+
+// CBOR encoder (RFC 8949 §3). The integer thresholds 24/256/65536/4294967296
+// are CBOR-spec length-encoding boundaries — not byte counts.
+// allow:raw-byte-literal — CBOR encoding thresholds, not byte counts.
+function _cborUint(n) {
+  if (n < 24)         return Buffer.from([n]);                                                                                                // allow:raw-byte-literal — CBOR threshold
+  if (n < 256)        return Buffer.from([0x18, n]);                                                                                          // allow:raw-byte-literal — CBOR threshold
+  if (n < 65536)      return Buffer.from([0x19, (n >> 8) & 0xFF, n & 0xFF]);                                                                  // allow:raw-byte-literal — CBOR threshold
+  if (n < 4294967296) return Buffer.from([0x1A, (n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF]);                              // allow:raw-byte-literal — CBOR threshold
+  throw ContentCredentialsError.factory("CBOR_OVERFLOW", "cbor uint too large: " + n);
+}
+
+function _cborNint(n) {
+  var v = -1 - n;
+  if (v < 24)    return Buffer.from([0x20 | v]);                                                                                              // allow:raw-byte-literal — CBOR threshold
+  if (v < 256)   return Buffer.from([0x38, v]);                                                                                               // allow:raw-byte-literal — CBOR threshold
+  if (v < 65536) return Buffer.from([0x39, (v >> 8) & 0xFF, v & 0xFF]);                                                                       // allow:raw-byte-literal — CBOR threshold
+  return Buffer.from([0x3A, (v >> 24) & 0xFF, (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF]);
+}
+
+function _cborInt(n) {
+  return n >= 0 ? _cborUint(n) : _cborNint(n);
+}
+
+function _cborBytes(buf) {
+  var n = buf.length;
+  var head;
+  if (n < 24)         head = Buffer.from([0x40 | n]);                                                                                          // allow:raw-byte-literal — CBOR threshold
+  else if (n < 256)   head = Buffer.from([0x58, n]);                                                                                           // allow:raw-byte-literal — CBOR threshold
+  else if (n < 65536) head = Buffer.from([0x59, (n >> 8) & 0xFF, n & 0xFF]);                                                                   // allow:raw-byte-literal — CBOR threshold
+  else                head = Buffer.from([0x5A, (n >>> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF]);
+  return Buffer.concat([head, buf]);
+}
+
+function _cborArrayHeader(n) {
+  if (n < 24)    return Buffer.from([0x80 | n]);                                                                                               // allow:raw-byte-literal — CBOR threshold
+  if (n < 256)   return Buffer.from([0x98, n]);                                                                                                // allow:raw-byte-literal — CBOR threshold
+  if (n < 65536) return Buffer.from([0x99, (n >> 8) & 0xFF, n & 0xFF]);                                                                        // allow:raw-byte-literal — CBOR threshold
+  throw ContentCredentialsError.factory("CBOR_OVERFLOW", "cbor array too large: " + n);
+}
+
+function _cborMapHeader(n) {
+  if (n < 24)    return Buffer.from([0xA0 | n]);                                                                                               // allow:raw-byte-literal — CBOR threshold
+  if (n < 256)   return Buffer.from([0xB8, n]);                                                                                                // allow:raw-byte-literal — CBOR threshold
+  throw ContentCredentialsError.factory("CBOR_OVERFLOW", "cbor map too large: " + n);
+}
+
+function _cborTag(tag) {
+  if (tag < 24)         return Buffer.from([0xC0 | tag]);                                                                                      // allow:raw-byte-literal — CBOR threshold
+  if (tag < 256)        return Buffer.from([0xD8, tag]);                                                                                       // allow:raw-byte-literal — CBOR threshold
+  if (tag < 65536)      return Buffer.from([0xD9, (tag >> 8) & 0xFF, tag & 0xFF]);                                                             // allow:raw-byte-literal — CBOR threshold
+  return Buffer.from([0xDA, (tag >> 24) & 0xFF, (tag >> 16) & 0xFF, (tag >> 8) & 0xFF, tag & 0xFF]);
+}
+
+/**
+ * @primitive b.contentCredentials.signCose
+ * @signature b.contentCredentials.signCose(manifest, opts)
+ * @since     0.8.77
+ * @related   b.contentCredentials.sign
+ *
+ * C2PA 2.x interop sign — wraps the manifest in a COSE_Sign1 CBOR
+ * envelope (RFC 9052) so the result interops with c2patool / JPEG
+ * Trust / Adobe / external C2PA verifiers. The simpler `sign()`
+ * primitive ships a blamejs-internal envelope shape; this one ships
+ * COSE bytes.
+ *
+ * Returns `{ manifest, coseSign1: Buffer, alg }`. Operators embed
+ * the `coseSign1` Buffer in the image's C2PA box (JPEG XT marker,
+ * PNG iTXt chunk, MP4 'jumb' box per C2PA §13).
+ *
+ * @opts
+ *   {
+ *     privateKeyPem: string,            // required
+ *     alg?:          "ed25519" | "es256" | "es384" | "es512" |
+ *                    "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87" |
+ *                    "slh-dsa-shake-256f",   // default "ml-dsa-87"
+ *     certChain?:    Buffer[],          // X.509 DER buffers; emitted as x5chain (header label 33)
+ *     audit?:        boolean,           // default true
+ *   }
+ *
+ * @example
+ *   var pair = b.crypto.generateSigningKeyPair("ml-dsa-87");
+ *   var manifest = b.contentCredentials.build({
+ *     provider: "Acme AI", system: "acme-v3",
+ *     systemVersion: "3.2.1", contentId: "img-001",
+ *   });
+ *   var cose = b.contentCredentials.signCose(manifest, {
+ *     privateKeyPem: pair.privateKey,
+ *     alg:           "ml-dsa-87",
+ *   });
+ *   // cose.coseSign1 is the CBOR bytes to embed in the image's C2PA box.
+ */
+function signCose(manifest, opts) {
+  opts = opts || {};
+  if (!manifest || typeof manifest !== "object") {
+    throw ContentCredentialsError.factory("BAD_MANIFEST",
+      "contentCredentials.signCose: manifest required");
+  }
+  validateOpts.requireNonEmptyString(opts.privateKeyPem,
+    "contentCredentials.signCose: privateKeyPem", ContentCredentialsError, "BAD_KEY");
+  var algName = (opts.alg || "ml-dsa-87").toLowerCase();
+  if (!(algName in COSE_ALGS)) {
+    throw ContentCredentialsError.factory("BAD_ALG",
+      "contentCredentials.signCose: alg '" + algName +
+      "' not in COSE alg registry. Known: " + Object.keys(COSE_ALGS).join(", "));
+  }
+  var algId = COSE_ALGS[algName];
+
+  // Protected header: map { 1: alg }
+  var protBytes = Buffer.concat([
+    _cborMapHeader(1),
+    _cborInt(1),               // key: 1 (alg)
+    _cborInt(algId),           // value: COSE alg id
+  ]);
+  var protectedBstr = _cborBytes(protBytes);
+
+  // Unprotected header: map { 33: x5chain } when cert chain supplied;
+  // else empty map {}.
+  var unprotectedHdr;
+  if (Array.isArray(opts.certChain) && opts.certChain.length > 0) {
+    var chainArray;
+    if (opts.certChain.length === 1) {
+      // Single-cert form: header value is the DER bytes directly.
+      chainArray = _cborBytes(opts.certChain[0]);
+    } else {
+      var chainBufs = [_cborArrayHeader(opts.certChain.length)];
+      opts.certChain.forEach(function (der) {
+        chainBufs.push(_cborBytes(der));
+      });
+      chainArray = Buffer.concat(chainBufs);
+    }
+    unprotectedHdr = Buffer.concat([
+      _cborMapHeader(1),
+      _cborInt(33),             // allow:raw-byte-literal allow:raw-time-literal — RFC 9360 x5chain header label, not a duration
+      chainArray,
+    ]);
+  } else {
+    unprotectedHdr = _cborMapHeader(0);                // empty {}
+  }
+
+  // Payload — canonicalized manifest bytes.
+  var canonicalPayload = Buffer.from(canonicalJson.stringify(manifest), "utf8");
+  var payloadBstr      = _cborBytes(canonicalPayload);
+
+  // Sig_structure per RFC 9052 §4.4: ["Signature1", protected, external_aad="", payload]
+  var sigStructureBufs = [
+    _cborArrayHeader(4),
+    Buffer.concat([_cborBytes(Buffer.from("Signature1", "utf8"))]),
+    protectedBstr,
+    _cborBytes(Buffer.alloc(0)),                       // external_aad (empty)
+    payloadBstr,
+  ];
+  // First entry is the text string "Signature1" — major-type 3
+  var sigText = Buffer.from("Signature1", "utf8");
+  var sigTextBstr;
+  if (sigText.length < 24)      sigTextBstr = Buffer.concat([Buffer.from([0x60 | sigText.length]), sigText]);                                 // allow:raw-byte-literal — CBOR text-string threshold
+  else                          sigTextBstr = Buffer.concat([Buffer.from([0x78, sigText.length]), sigText]);
+  sigStructureBufs[1] = sigTextBstr;
+  var toBeSigned = Buffer.concat(sigStructureBufs);
+
+  // Sign with framework's b.crypto.sign — algorithm picked from the PEM.
+  var signature = crypto.sign(toBeSigned, opts.privateKeyPem);
+
+  // COSE_Sign1 = tagged-18 array [protected, unprotected, payload, signature]
+  var coseSign1 = Buffer.concat([
+    _cborTag(18),                                      // CBOR tag 18 = COSE_Sign1
+    _cborArrayHeader(4),
+    protectedBstr,
+    unprotectedHdr,
+    payloadBstr,
+    _cborBytes(signature),
+  ]);
+
+  if (opts.audit !== false) {
+    audit.safeEmit({
+      action:   "contentcredentials.signed_cose",
+      outcome:  "success",
+      metadata: {
+        provider:   manifest.provider && manifest.provider.name,
+        system:     manifest.system   && manifest.system.id,
+        contentId:  manifest.content  && manifest.content.id,
+        alg:        algName,
+        bytes:      coseSign1.length,
+      },
+    });
+  }
+
+  return {
+    manifest:  manifest,
+    coseSign1: coseSign1,
+    alg:       algName,
+  };
+}
+
 module.exports = {
   build:      build,
   sign:       sign,
+  signCose:   signCose,
   verify:     verify,
   required:   required,
   REQUIRED_FIELDS: REQUIRED_FIELDS.slice(),
+  COSE_ALGS:  Object.assign({}, COSE_ALGS),
   ContentCredentialsError: ContentCredentialsError,
 };

package/lib/cra-report.js

@@ -189,7 +189,111 @@ function create(opts) {
   };
 }
 
+/**
+ * @primitive b.cra.conformityAssessment
+ * @signature b.cra.conformityAssessment(opts)
+ * @since     0.8.77
+ *
+ * EU Cyber Resilience Act (Regulation 2024/2847) — Annex VIII
+ * conformity-assessment dossier scaffold. Returns the structured
+ * JSON document operators submit to the notified body (Module B/C/D/H
+ * route per Annex VII) or self-attest under Annex VI (default for
+ * non-critical products). The framework auto-fills sections it can
+ * derive from the runtime — SBOM (`sbom.cdx.json` + `sbom.vendored.cdx.json`),
+ * vulnerability-handling process (CVD per RFC 9116 + SECURITY.md),
+ * security-by-design defaults (cite SECURITY.md threat-model
+ * section), end-of-life schedule (operator-supplied) — and leaves
+ * Annex I Part II essential-cybersecurity-requirements mapping for
+ * the operator to fill (it's product-specific).
+ *
+ * Enforcement: products placed on the EU market on/after 2027-12-11
+ * require a CE marking that depends on this dossier. Notified-body
+ * review takes 60-90 days for self-certifying products. Run this
+ * primitive at release time + commit the output under `compliance/cra/`.
+ *
+ * @opts
+ *   {
+ *     manufacturer:    { name, address, contact },
+ *     product:         { name, identifier, version, description },
+ *     classification:  "default" | "important-class-I" | "important-class-II" | "critical",
+ *     sbomPaths:       string[],     // paths to attached SBOMs
+ *     supportEnd:      string,       // ISO date — manufacturer support cessation
+ *     vulnDisclosurePolicy?: string,  // URL to /.well-known/security.txt or VDP
+ *     essentialReqMapping?: object,   // operator-supplied Annex I Part II mapping
+ *   }
+ *
+ * @example
+ *   var dossier = b.cra.conformityAssessment({
+ *     manufacturer: { name: "Acme Inc.", address: "1 St", contact: "ce@acme.example" },
+ *     product:      { name: "Widget Pro", identifier: "WID-001", version: "1.0", description: "..." },
+ *     classification: "default",
+ *     supportEnd:    "2032-12-31",
+ *   });
+ */
+function conformityAssessment(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw new CraReportError("cra-report/bad-conformity-opts",
+      "conformityAssessment: opts required");
+  }
+  if (!opts.manufacturer || typeof opts.manufacturer.name !== "string") {
+    throw new CraReportError("cra-report/no-manufacturer",
+      "conformityAssessment: opts.manufacturer.name required");
+  }
+  if (!opts.product || typeof opts.product.name !== "string") {
+    throw new CraReportError("cra-report/no-product",
+      "conformityAssessment: opts.product.name required");
+  }
+  var classification = opts.classification || "default";
+  var validClasses = ["default", "important-class-I", "important-class-II", "critical"];
+  if (validClasses.indexOf(classification) === -1) {
+    throw new CraReportError("cra-report/bad-classification",
+      "conformityAssessment: classification must be one of " + validClasses.join(", "));
+  }
+  return {
+    "$schema":      "https://blamejs.com/schema/cra-conformity-assessment-v1.json",
+    regulation:     "EU 2024/2847 (Cyber Resilience Act)",
+    annex:          "Annex VIII (technical documentation)",
+    generatedAt:    new Date().toISOString(),
+    manufacturer:   opts.manufacturer,
+    product:        opts.product,
+    classification: classification,
+    assessmentRoute:
+      classification === "default"             ? "Module A (Annex VI — internal control)" :
+      classification === "important-class-I"   ? "Module B+C (Annex VII — EU-type examination)" :
+      classification === "important-class-II"  ? "Module H (Annex VII — full quality assurance)" :
+                                                  "Module H + notified-body for critical (Annex VII)",
+    sections: {
+      annexI_part1_essentialRequirements: {
+        status: "operator-supplied",
+        mapping: opts.essentialReqMapping || null,
+        note:    "Annex I Part I essential cybersecurity requirements — operator supplies the mapping",
+      },
+      annexI_part2_vulnerabilityHandling: {
+        status: "framework-derived",
+        sbomAttached: Array.isArray(opts.sbomPaths) ? opts.sbomPaths : ["sbom.cdx.json", "sbom.vendored.cdx.json"],
+        vulnDisclosurePolicy: opts.vulnDisclosurePolicy || "https://blamejs.com/.well-known/security.txt",
+        cvdProcess:           "Coordinated Vulnerability Disclosure per ISO/IEC 29147 + 30111",
+        incidentReporter:     "b.cra (24h early warning + 14d intermediate + 1m final per Art 14)",
+      },
+      annexII_userInformation: {
+        status: "operator-supplied",
+        note:   "Operator emits per-product handover docs",
+      },
+      supportPeriod: {
+        end:  opts.supportEnd || null,
+        note: "Manufacturer support-cessation date triggers end-of-life obligations per Art 13(8)",
+      },
+    },
+    declarations: {
+      ceMarking:           classification === "critical" ? "requires notified body" : "self-attest eligible",
+      eolNotification:     "Manufacturer commits to 60-day pre-EOL notification per Art 13(8)",
+      vulnReporting:       "Active exploitation reported within 24h to ENISA per Art 14(2)",
+    },
+  };
+}
+
 module.exports = {
-  create:           create,
-  CraReportError:   CraReportError,
+  create:                 create,
+  conformityAssessment:   conformityAssessment,
+  CraReportError:         CraReportError,
 };

package/lib/crypto-field.js

@@ -895,6 +895,11 @@ module.exports = {
   getSealedFields:  getSealedFields,
   sealRow:          sealRow,
   unsealRow:        unsealRow,
+  // Doc-shaped aliases — operators / tests preparing a JS document
+  // object (vs. a SQL row) reach for sealDoc / unsealDoc naming. Same
+  // function, identical shape, returns a new object (input untouched).
+  sealDoc:          sealRow,
+  unsealDoc:        unsealRow,
   eraseRow:         eraseRow,
   applyPosture:     applyPosture,
   getActivePosture: getActivePosture,

package/lib/dsr.js

@@ -1071,6 +1071,100 @@ function dbTicketStore(opts) {
   };
 }
 
+// ---- v0.8.77 — US state-law DSR drift registry -------------------
+//
+// Each US state consumer-privacy law expresses the same DSR core
+// (access / deletion / correction / portability) but with per-state
+// drift on three knobs: cure-period (days between operator-receipt
+// and statutory-deadline-to-respond), profiling-opt-out
+// (right-to-limit-automated-decision-making variants), and minor-
+// consent (age threshold + opt-in vs. opt-out vs. parental-VPC).
+//
+// `b.dsr.stateRules(state)` returns the metadata; operators feed it
+// into their own DSR ticket-routing layer to surface "this VA
+// resident's correction request must be acknowledged within 45 days
+// with one 45-day extension".
+
+// State DSR rule table — `responseDays` / `extensionDays` / `cureDays`
+// are integer day-counts from per-state statutes (not durations in
+// seconds/ms). allow:raw-time-literal — statute-defined day counts.
+var STATE_RULES = Object.freeze({
+  "vcdpa":     { posture: "vcdpa",     state: "VA", responseDays: 45, extensionDays: 45, cureDays: 30,  profilingOptOut: true,  minorOptIn: 13,  notes: "Cure right sunset 2025-01-01" },                                                                          // allow:raw-time-literal
+  "co-cpa":    { posture: "co-cpa",    state: "CO", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: true,  minorOptIn: 13,  notes: "Cure right sunset 2025-01-01; UOOM (GPC) mandatory" },                                                    // allow:raw-time-literal
+  "ctdpa":     { posture: "ctdpa",     state: "CT", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: true,  minorOptIn: 13,  notes: "Cure right sunset 2025-01-01; GPC mandatory" },                                                           // allow:raw-time-literal
+  "ucpa":      { posture: "ucpa",      state: "UT", responseDays: 45, extensionDays: 45, cureDays: 30,  profilingOptOut: false, minorOptIn: 13,  notes: "Narrowest scope; no cure-period sunset" },                                                                // allow:raw-time-literal
+  "tdpsa":     { posture: "tdpsa",     state: "TX", responseDays: 45, extensionDays: 45, cureDays: 30,  profilingOptOut: true,  minorOptIn: 13,  notes: "Small-business carve-out applies" },                                                                      // allow:raw-time-literal
+  "or-cpa":    { posture: "or-cpa",    state: "OR", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: true,  minorOptIn: 13,  notes: "Specific-third-party-name DSR enhancement" },                                                             // allow:raw-time-literal
+  "mt-cdpa":   { posture: "mt-cdpa",   state: "MT", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: true,  minorOptIn: 13,  notes: "Cure period sunsets 2026-04-01" },                                                                        // allow:raw-time-literal
+  "ia-icdpa":  { posture: "ia-icdpa",  state: "IA", responseDays: 90, extensionDays: 45, cureDays: 90,  profilingOptOut: false, minorOptIn: null, notes: "Weakest framework — longest response, no profiling opt-out" },                                            // allow:raw-time-literal
+  "in-indpa":  { posture: "in-indpa",  state: "IN", responseDays: 45, extensionDays: 45, cureDays: 30,  profilingOptOut: true,  minorOptIn: 13,  notes: "Effective 2026-01-01" },                                                                                  // allow:raw-time-literal
+  "de-dpdpa":  { posture: "de-dpdpa",  state: "DE", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: true,  minorOptIn: 13,  notes: "Effective 2026-01-01" },                                                                                  // allow:raw-time-literal
+  "nh-nhpa":   { posture: "nh-nhpa",   state: "NH", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: true,  minorOptIn: 13,  notes: "Effective 2026-01-01; cure right sunset 2026-01-01" },                                                    // allow:raw-time-literal
+  "nj-njdpa":  { posture: "nj-njdpa",  state: "NJ", responseDays: 45, extensionDays: 45, cureDays: 30,  profilingOptOut: true,  minorOptIn: 17,  notes: "Under-17 opt-in default" },                                                                                // allow:raw-time-literal
+  "ky-kcdpa":  { posture: "ky-kcdpa",  state: "KY", responseDays: 45, extensionDays: 45, cureDays: 30,  profilingOptOut: true,  minorOptIn: 13,  notes: "Effective 2026-01-01" },                                                                                  // allow:raw-time-literal
+  "tn-tipa":   { posture: "tn-tipa",   state: "TN", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: true,  minorOptIn: 13,  notes: "NIST CSF safe-harbor available" },                                                                        // allow:raw-time-literal
+  "mn-mncdpa": { posture: "mn-mncdpa", state: "MN", responseDays: 45, extensionDays: 45, cureDays: 30,  profilingOptOut: true,  minorOptIn: 13,  notes: "Effective 2026-07-31; profiling opt-out for consequential decisions" },                                   // allow:raw-time-literal
+  "ri-ricpa":  { posture: "ri-ricpa",  state: "RI", responseDays: 45, extensionDays: 45, cureDays: 0,   profilingOptOut: true,  minorOptIn: 13,  notes: "Effective 2026-01-01; no cure period" },                                                                  // allow:raw-time-literal
+  "ne-dpa":    { posture: "ne-dpa",    state: "NE", responseDays: 45, extensionDays: 45, cureDays: 30,  profilingOptOut: true,  minorOptIn: 13,  notes: "Effective 2025-01-01" },                                                                                  // allow:raw-time-literal
+  "nv-sb370":  { posture: "nv-sb370",  state: "NV", responseDays: 60, extensionDays: 30, cureDays: 0,   profilingOptOut: false, minorOptIn: null, notes: "Consumer-health data only" },                                                                            // allow:raw-time-literal
+  "ca-aadc":   { posture: "ca-aadc",   state: "CA", responseDays: 0,  extensionDays: 0,  cureDays: 90,  profilingOptOut: true,  minorOptIn: 18,  notes: "Under-18 default-high-privacy; partial preliminary injunction NetChoice v. Bonta" },                       // allow:raw-time-literal
+  "ct-sb3":    { posture: "ct-sb3",    state: "CT", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: false, minorOptIn: null, notes: "Consumer-health data only" },                                                                            // allow:raw-time-literal
+  "tx-cubi":   { posture: "tx-cubi",   state: "TX", responseDays: 0,  extensionDays: 0,  cureDays: 0,   profilingOptOut: false, minorOptIn: null, notes: "Biometric-only; private-right-of-action absent" },                                                       // allow:raw-time-literal
+  "modpa":     { posture: "modpa",     state: "MD", responseDays: 45, extensionDays: 45, cureDays: 60,  profilingOptOut: true,  minorOptIn: 13,  notes: "Strict data-minimization; effective 2026-10-01" },                                                       // allow:raw-time-literal
+  "quebec-25": { posture: "quebec-25", state: "QC", responseDays: 30, extensionDays: 30, cureDays: 0,   profilingOptOut: true,  minorOptIn: 14,  notes: "DPIA + automated-decision opt-out; FR-language obligations" },                                            // allow:raw-time-literal
+});
+
+/**
+ * @primitive b.dsr.stateRules
+ * @signature b.dsr.stateRules(state)
+ * @since     0.8.77
+ * @related   b.compliance.describe
+ *
+ * Returns per-state DSR rules: response window, extension period,
+ * cure period (statutory grace before enforcement attaches),
+ * profiling-opt-out availability, and minor-consent age threshold.
+ * `state` accepts either the posture name (`"vcdpa"`) or the
+ * 2-letter state abbreviation (`"VA"`). Returns null when unknown.
+ *
+ * @example
+ *   var rules = b.dsr.stateRules("vcdpa");
+ *   // rules.responseDays    → 45
+ *   // rules.cureDays        → 30
+ *   // rules.profilingOptOut → true
+ */
+function stateRules(state) {
+  if (typeof state !== "string" || state.length === 0) return null;
+  // Direct posture-name lookup first
+  if (STATE_RULES[state]) return Object.assign({}, STATE_RULES[state]);
+  // 2-letter state abbreviation lookup (case-insensitive)
+  var u = state.toUpperCase();
+  var keys = Object.keys(STATE_RULES);
+  for (var i = 0; i < keys.length; i++) {
+    if (STATE_RULES[keys[i]].state === u) {
+      return Object.assign({}, STATE_RULES[keys[i]]);
+    }
+  }
+  return null;
+}
+
+/**
+ * @primitive b.dsr.listStateRules
+ * @signature b.dsr.listStateRules()
+ * @since     0.8.77
+ *
+ * Returns every state-rule entry as an array (useful for admin UI
+ * cure-period dashboards / operator-facing matrices).
+ *
+ * @example
+ *   var all = b.dsr.listStateRules();
+ *   // → [{ posture: "vcdpa", state: "VA", responseDays: 45, ... }, ...]
+ */
+function listStateRules() {
+  return Object.keys(STATE_RULES).map(function (k) {
+    return Object.assign({}, STATE_RULES[k]);
+  });
+}
+
 module.exports = {
   create:                    create,
   memoryTicketStore:         memoryTicketStore,
@@ -1080,5 +1174,7 @@ module.exports = {
   VALID_VERIFICATION_LEVELS: VALID_VERIFICATION_LEVELS,
   TYPE_MIN_VERIFICATION:     TYPE_MIN_VERIFICATION,
   POSTURE_DEADLINE_MS:       POSTURE_DEADLINE_MS,
+  stateRules:                stateRules,
+  listStateRules:            listStateRules,
   DsrError:                  DsrError,
 };