@blamejs/core 0.8.80 → 0.8.82
- package/CHANGELOG.md +2 -0
- package/README.md +7 -3
- package/lib/compliance-ai-act.js +105 -0
- package/lib/compliance.js +245 -5
- package/lib/dsr.js +1 -0
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.8.x
|
|
10
10
|
|
|
11
|
+
- v0.8.82 (2026-05-11) — **Privacy 2026 posture sweep**. 27 new postures land in `b.compliance.KNOWN_POSTURES` (with matching `REGIME_MAP` + `POSTURE_DEFAULTS` cascade entries) closing the privacy gap surfaced by the 2026-05-11 multi-agent compliance audit. **US federal**: `coppa` + `coppa-2025` (FTC final rule 2025-04-22, effective 2026-06-23 — biometric expansion + knowing-collection-13-and-under disclosure; cascade adds backupEncryptionRequired:true + vacuum-after-erase), `glba-safeguards` (GLBA Safeguards Rule 2024 Amendment, effective 2024-05-13; cascade matches pci-dss + nydfs-500 financial tier), `gina` (Genetic Information Nondiscrimination Act), `vppa` (Video Privacy Protection Act), `can-spam`, `il-gipa` (Illinois Genetic Information Privacy Act with post-2024 private right of action), `hhs-repro-24` (HHS Reproductive Health HIPAA Amendment 2024-12-23), `nist-pf-1.1` (NIST Privacy Framework 1.1, final 2025-04-14). **UK**: `uk-duaa` (Data (Use and Access) Act 2025 — Royal Assent 2025-06-19; replaces the abandoned DPDI Bill; cascade matches GDPR floor with vacuum-after-erase). **Latin America**: `cl-pdpa` (Chile Ley 21.719, enacted 2024-12-13, effective 2026-12-01; cascade mirrors gdpr), `mx-lfpdppp` (Mexico 2025 secondary reform), `ar-pdpa` (Argentina Ley 25.326). **APAC**: `pipa-kr` (Korea PIPA 2023 major amendment, phased 2023-09-15 / 2024-03-15), `au-privacy` (Australia Privacy Act + 2024 Amendment Act — statutory tort effective 2025-06-10), `th-pdpa`, `vn-pdp` (Vietnam PDP Law effective 2026-01-01), `id-pdp` (Indonesia PDP Law effective 2024-10-17), `my-pdpa` (Malaysia 2024 amendments effective 2025-04-30). **US state child-privacy**: `ny-safe-kids` + `ny-saffe` (NY Child Data Protection Act + Stop Addictive Feeds Exploitation, both effective 2025-06-20), `md-kids-code` (Maryland Age-Appropriate Design Code), `vt-aadc` (Vermont AADC). 
**EU non-personal-data + adjacent**: `dsa` (Digital Services Act, fully applicable 2024-02-17), `dga` (Data Governance Act, applicable 2023-09-24), `eu-cer` (Critical Entities Resilience Directive 2022/2557, transposition 2024-10-17), `eu-cyber-sol` (Cyber Solidarity Act 2025/38, effective 2025-02-04), `eidas-2` (eIDAS 2 / EUDI Wallet, rollout 2026-2027). New REGIME_MAP `domain` values introduced: `child-privacy`, `financial-privacy`, `consumer-privacy`, `genetic-privacy`, `platform-governance`, `identity` — operators rendering compliance dashboards grouped by domain pick up the new buckets via `b.compliance.posturesByDomain(domain)` without code changes.
|
|
12
|
+
- v0.8.81 (2026-05-11) — **AI-governance compliance postures + ISO 42001/23894 cross-walk + privacy catalog drift fixes**. 18 new postures register in `b.compliance.KNOWN_POSTURES` (and the matching `REGIME_MAP` + `POSTURE_DEFAULTS` cascade): state AI governance (`co-ai`, `il-hb3773`, `tx-traiga`, `ut-aipa`, `nyc-ll144`, `ca-tfaia` — frontier AI critical-incident records cascade to `backupEncryptionRequired:true`), international AI (`kr-ai-basic`, `cn-ai-label`), AI management standards (`iso-42001`, `iso-23894`), California gen-AI content credentials (`ca-sb942`, `ca-ab853`), substrate-to-posture cleanup so existing primitives gain catalog entries (`eaa` for EU Accessibility Act + `b.compliance-eaa`, `wcag-2-2` for `b.guardHtml.wcag`, `eu-data-act` for `b.dataAct`, `hitech` extending HIPAA-tier, `ferpa` for student records), plus `fl-fdbr` (Florida Digital Bill of Rights) and the long-missing `dpdp` (India DPDP Act 2023 — was in `POSTURE_DEFAULTS` cascade table but not in `KNOWN_POSTURES`, so `b.compliance.set("dpdp")` threw `compliance/unknown-posture`). **ISO 42001 + 23894 cross-walk**: new `b.compliance.aiAct.crossWalkIso42001([aiActCitation])` and `crossWalkIso23894()` return a 15-row mapping table linking EU AI Act articles (Art. 9 risk management → Art. 73 incident reporting) to ISO/IEC 42001:2023 Annex A controls and ISO/IEC 23894:2023 risk-management clauses. Operators chasing ISO 42001 certification under AI Act high-risk scope use the table to produce one cross-walk artifact instead of hand-rolling two separate audits; the table is read-only metadata, defensive copies returned, no behavior change at deploy time. **DSR drift fix**: `b.dsr.stateRules("fl-fdbr")` / `stateRules("FL")` now resolve (45-day response window, 15-day extension, 30-day cure, profiling opt-out enabled, minor opt-in 13). 
**Citation drift fix**: four state-privacy posture citations corrected from "(effective 2026-MM-DD)" to "(effective 2025-MM-DD)" — `modpa`, `nh-nhpa`, `nj-njdpa`, `mn-mncdpa` all took effect during 2025; the year-late citations would have surfaced as audit-trail discrepancies under operator review.
|
|
11
13
|
- v0.8.80 (2026-05-10) — **Bug fix — `b.config.loadDbBacked` overlapping-tick race**. `cfg.refresh()` calls `_tick()` directly and the periodic poller also invokes `_tick()` independently. When two ticks overlap (two `refresh()`es back-to-back, or `refresh()` racing a poll), the older read could resolve LAST and overwrite a newer config write — so `admin-save → await cfg.refresh()` was not guaranteed to leave the latest value active when `fetchRows` latency varied across calls. Reproducible by serving a 200ms read followed by a 20ms read; without the fix, the slower (older) result clobbered the faster (newer) one. Fix: every tick claims a monotonic sequence number at start; at apply-time, ticks whose sequence is older than the last-applied sequence drop with a `config.reload.skipped` audit emission (phase `stale-tick`). The high-water mark advances ONLY after `cfg.reload` succeeds — a newer tick whose validation fails must not suppress an older in-flight tick that still has valid data (otherwise `refresh(valid)` followed by `refresh(invalid)` could silently keep stale config active even though the valid update was about to land). Fetch / transform failures short-circuit before the apply path and likewise do NOT advance the watermark.
|
|
12
14
|
- v0.8.78 (2026-05-10) — save-triggered reload for `b.config.loadDbBacked`. Admin save handlers / settings-management UIs that write a row in `_blamejs_config_overrides` now call `await cfg.refresh()` immediately after the write, so the new value is active without waiting for the poll's `intervalMs` tick. The poll stays in place as a safety-net for drift (e.g., direct DB writes outside the admin path). `refresh()` returns a `Promise<void>` of identical shape to `cfg.hydrated`: resolves after the tick settles (success OR audit-on-failure), NEVER rejects so save handlers don't deadlock on a flaky DB. The existing `cfg.subscribe(fn)` continues to fire synchronously inside every successful reload — operators reach for it to invalidate caches / recompute derived state / hot-rebuild middleware that closed over the previous config. Three-tier precedence is documented explicitly in the `@primitive` block: DB-row overlay > `opts.env` baseline > schema `default(...)`.
|
|
13
15
|
- v0.8.77 (2026-05-10) — substantive additive release closing 10 audit clusters surfaced by the 8-agent compliance audit. **OAuth resource-server completeness**: `b.auth.oauth.introspectToken` (RFC 7662), `registerClient` (RFC 7591 — refuses empty redirect_uris), `deviceAuthorization` + `pollDeviceCode` (RFC 8628 with slow_down/authorization_pending handling), `exchangeToken` (RFC 8693 subject+actor delegation), new `b.middleware.protectedResourceMetadata` serving `.well-known/oauth-protected-resource` (draft-ietf-oauth-resource-metadata). **Vendored-deps SBOM**: new `scripts/build-vendored-sbom.js` emits `sbom.vendored.cdx.json` (CycloneDX 1.6) covering every `lib/vendor/*` bundle with per-file SHA-256 + purl + license metadata; wired into `npm-publish.yml` so OSV-Scanner now scans it alongside the primary `sbom.cdx.json` — closes the gap where downstream scanners couldn't see what was actually shipping. **MCP endpoint coverage**: `b.mcp.assertProtocolVersion` (MCP 2025-11-25 §4.1 header), `b.mcp.sampling.guard({ maxRequestsPerSession, maxMessagesPerRequest, maxTokensPerRequest, allowedModelHints })` (HIGH-RISK endpoint — confused-deputy class), `b.mcp.elicitation.guard` (prompt-injection scan + schema-type allowlist + size cap). **ACME completeness**: `revokeCert` (RFC 8555 §7.6), `accountKeyRollover` (§7.3.5), `deactivateAccount` (§7.3.6), `tlsAlpn01KeyAuthorization` (RFC 8737), External Account Binding opt on `newAccount` (§7.3.4 — required by ZeroSSL/Buypass/Google CA) — closes 47-day CA/B forum surface before Mar 2026 effective date. **Permissions-Policy denylist** expanded with `identity-credentials-get`, `attribution-reporting-cross-site`, `publickey-credentials-create`, `join-ad-interest-group`, `run-ad-auction`, `shared-storage`, `shared-storage-select-url`, `smartcard`, `all-screens-capture`, `deferred-fetch` (10 directives — single-file fix). 
**NIST control crosswalk**: new `b.nistCrosswalk` catalog mapping `800-53r5` (~50 controls), `csf-2.0` (~22 functions), `800-171r3` (~25 requirements), `800-218` (SSDF tasks) to framework primitives — used by operators producing SSPs, POAMs, ATO packages, CMMC self-assessments. **SCIM 2.0 server**: new `b.middleware.scimServer` implementing RFC 7642/7643/7644 — Users + Groups + ServiceProviderConfig + ResourceTypes + Schemas + filter parser (eq/ne/co/sw/ew/pr/gt/ge/lt/le) + GET/POST/PUT/PATCH/DELETE dispatch + bearer-auth callback hook + 1 MiB body cap; the most operator-visible federation gap before this — Okta/Entra/etc. couldn't push users without an external adapter. **CRA + EU AI Act forward-deadline templates**: `b.cra.conformityAssessment` Annex VIII technical dossier scaffold (CE marking, Module routing, vuln-handling auto-fill), `b.complianceAiAct.fundamentalRightsImpactAssessment` (Article 27 FRIA template — mandatory for Annex III §5-8 deployers), `b.complianceAiAct.gpai.trainingDataSummary` (Article 53(1)(d) AI Office template — mandatory 2026-08-02). **C2PA COSE_Sign1 wrap**: new `b.contentCredentials.signCose` produces RFC 9052 COSE_Sign1 CBOR envelope with x5chain header + ML-DSA-87 / ed25519 / es256/384/512 / SLH-DSA-SHAKE-256f algorithms — interops with c2patool / JPEG Trust / Adobe verifiers (current `sign()` ships a blamejs-internal envelope; the new `signCose()` ships the canonical wire format). **US state-law backlog**: 22 new compliance postures (`vcdpa`, `co-cpa`, `ctdpa`, `ucpa`, `tdpsa`, `or-cpa`, `mt-cdpa`, `ia-icdpa`, `in-indpa`, `de-dpdpa`, `nh-nhpa`, `nj-njdpa`, `ky-kcdpa`, `tn-tipa`, `mn-mncdpa`, `ri-ricpa`, `ne-dpa`, `nv-sb370`, `ca-aadc`, `ct-sb3`, `tx-cubi`, plus existing `modpa` + `quebec-25`) registered in `b.compliance` + per-state DSR rules via `b.dsr.stateRules(state)` / `b.dsr.listStateRules()` returning `{ responseDays, extensionDays, cureDays, profilingOptOut, minorOptIn, notes }`. 
**Operator hook**: `b.middleware.rateLimit` instance gains `.resetAll()` for clean-slate flushing during incident-response (in-memory backends only; cluster backend no-ops per multi-replica race-safety). Cluster backend correctly refuses lest one replica's flush race another's in-flight `take()`. **`b.config.loadDbBacked` gains `transformValue: (row) => string | Promise<string>`** — per-row transform applied between `fetchRows` and schema validation; common shape is unsealing a `b.vault`-sealed ciphertext column so canonical secrets live encrypted-at-rest in `_blamejs_config_overrides`. Per-row failures (transform throws OR returns non-string) emit `config.reload.failed` and skip the row so a single bad row can't crash the poller. **`b.cryptoField` gains `sealDoc` / `unsealDoc` doc-shaped aliases** of the existing `sealRow` / `unsealRow` — same identity, lets downstream tests reach for the document-naming convention when preparing seed objects via raw `INSERT`. **Bug fix — `b.config` reactive `value`**: `cfg.value.X` now reflects the latest validated state after every `reload()` (and every `loadDbBacked` poll). Before this fix, `cfg.value` was a captured property pinned to the create-time object, so `cfg.value.FEATURE_X` stayed stale forever and only `cfg.get("FEATURE_X")` saw updates — the published example in `@primitive b.config.loadDbBacked` was wrong against the implementation. Now backed by a `Object.defineProperty` getter; `cfg.get()` / `cfg.has()` semantics unchanged. **Bug fix — `b.config.loadDbBacked` startup hydration window**: `loadDbBacked` returned a config handle that stayed at env-only defaults for the first `intervalMs` because `safeAsync.repeating` is `setInterval`-shaped (no t=0 fire). The handle now kicks off one immediate hydration `_tick()` on construction and exposes `cfg.hydrated` — a Promise that resolves after the first tick settles. 
Callers awaiting it before serving traffic get a fully-hydrated config; the Promise NEVER rejects (per-tick failures route through audit, last-good value stays). **`b.middleware._modules.rateLimit.instances()` + module-level `.resetAll()`** — module now keeps a registry of every rate-limit middleware created in the process. Incident-response scripts can enumerate every limiter and flush state across the whole process without threading references through the app code. `create()` registers; `middleware.close()` deregisters. Top-level `resetAll()` returns the count of instances it walked.
|
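Review bot: the v0.8.82 entry says 27 new postures land in `KNOWN_POSTURES`, but the identifiers it enumerates (and the v0.8.82 block added to `compliance.js` in this same diff) come to 28: nine US federal, `uk-duaa`, three Latin America, six APAC, four US state child-privacy, and five EU non-personal-data. Either the count or the list is off. The v0.8.81 entry's "18 new postures" likewise only reconciles if `dpdp` is excluded as a pre-existing cascade key, which is worth saying explicitly since readers will check the two numbers against the `compliance.js` hunk.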
package/README.md
CHANGED
|
@@ -156,11 +156,15 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
|
|
|
156
156
|
### Compliance regimes
|
|
157
157
|
|
|
158
158
|
- **Posture coordinator** — `b.compliance` cascades operator-declared regime into retention / audit / db / cryptoField via POSTURE_DEFAULTS:
|
|
159
|
-
- **US** — `hipaa` / `hipaa-2026` / `pci-dss` / `sox-404` / `soc2` / `soc2-cc1.3` / `sec-cyber` / `sec-17a-4` / `finra-4511` / `fda-21cfr11` / `fda-annex-11` / `modpa` / `nydfs-500` / `staterramp`
|
|
160
|
-
- **EU / UK** — `gdpr` / `dora` / `nis2` / `cra` / `uk-g-cloud`
|
|
161
|
-
- **APAC + LATAM** — `dpdp` / `pipl-cn` / `lgpd-br` / `appi-jp` / `pdpa-sg` / `quebec-25` / `irap`
|
|
159
|
+
- **US** — `hipaa` / `hipaa-2026` / `hhs-repro-24` / `hitech` / `pci-dss` / `glba-safeguards` / `sox-404` / `soc2` / `soc2-cc1.3` / `sec-cyber` / `sec-17a-4` / `finra-4511` / `fda-21cfr11` / `fda-annex-11` / `modpa` / `nydfs-500` / `staterramp` / `ferpa` / `fl-fdbr` / `coppa` / `coppa-2025` / `gina` / `vppa` / `can-spam` / `il-gipa` / `nist-pf-1.1`
|
|
160
|
+
- **EU / UK** — `gdpr` / `dora` / `nis2` / `cra` / `eu-data-act` / `eaa` / `uk-g-cloud` / `uk-duaa` / `dsa` / `dga` / `eu-cer` / `eu-cyber-sol` / `eidas-2`
|
|
161
|
+
- **APAC + LATAM** — `dpdp` / `pipl-cn` / `lgpd-br` / `appi-jp` / `pdpa-sg` / `quebec-25` / `irap` / `kr-ai-basic` / `pipa-kr` / `au-privacy` / `th-pdpa` / `vn-pdp` / `id-pdp` / `my-pdpa` / `cl-pdpa` / `mx-lfpdppp` / `ar-pdpa`
|
|
162
|
+
- **Child privacy / age-appropriate design** — `ca-aadc` / `ny-safe-kids` / `ny-saffe` / `md-kids-code` / `vt-aadc`
|
|
162
163
|
- **Financial / data-portability** — `fapi2` / `fapi-2.0-message-signing` / `fdx` / `dsr`
|
|
164
|
+
- **AI governance** — `co-ai` / `il-hb3773` / `tx-traiga` / `ut-aipa` / `nyc-ll144` / `ca-tfaia` / `ca-sb942` / `ca-ab853` / `cn-ai-label` / `iso-42001` / `iso-23894`
|
|
165
|
+
- **Accessibility** — `wcag-2-2`
|
|
163
166
|
- **Other** — `bsi-c5` / `ens-es` / etc.
|
|
167
|
+
- **AI Act ⇄ ISO cross-walk** — `b.compliance.aiAct.crossWalkIso42001()` + `crossWalkIso23894()` map every AI Act article (Art. 9 risk management → Art. 73 incident reporting) to the matching ISO/IEC 42001:2023 Annex A controls and ISO/IEC 23894:2023 risk-management clauses for ISO-certification audit packs
|
|
164
168
|
- **EU Data Act** — Regulation 2023/2854 connected-product data access workflow with DMA-gatekeeper share refusal (Art 32 §1) and 30-day switch-request notice cap (Art 28 §3) (`b.dataAct`)
|
|
165
169
|
- **Audit + segregation** — 21 CFR Part 11 §11.10(e) audit-content gate + §11.50(b) electronicSignature (`b.fda21cfr11`); PCI DSS 4.0 Req 10.4.1.1 daily-review automation (`b.auditDailyReview`); SOX §404 + SOC 2 CC1.3 segregation-of-duties via Postgres trigger DDL (`b.audit.bindActor`, `b.audit.assertSegregation`)
|
|
166
170
|
- **Change control + WORM** — m-of-n approver DDL change-control with maintenance-window + ML-DSA-87 signed proposals (`b.ddlChangeControl`); row-level WORM triggers boot-asserted under `sec-17a-4` / `finra-4511` / `fda-21cfr11` (`b.db.declareWorm`); dual-control physical delete + crypto-erase + REINDEX in one transaction (`b.db.declareRequireDualControl`, `b.db.eraseHard`)
|
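Review bot: `kr-ai-basic` is filed under "APAC + LATAM" while `cn-ai-label` and the other AI-governance postures go into the new "AI governance" bullet; pick one grouping rule (by jurisdiction or by domain) so the README buckets match what `b.compliance.posturesByDomain(domain)` returns. Also, "map every AI Act article" in the cross-walk bullet overstates what ships: the table in `compliance-ai-act.js` has 15 rows (Art. 9 through Art. 73, with Art. 23 carrying no ISO 23894 clause), so "15 AI Act citations" is the accurate wording.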
package/lib/compliance-ai-act.js
CHANGED
|
@@ -693,6 +693,108 @@ function trainingDataSummary(opts) {
|
|
|
693
693
|
};
|
|
694
694
|
}
|
|
695
695
|
|
|
696
|
+
// ---- ISO/IEC 42001:2023 + ISO/IEC 23894:2023 cross-walk ----
|
|
697
|
+
//
|
|
698
|
+
// Voluntary AI-management-system + AI-risk-management standards;
|
|
699
|
+
// audit conformance against EU AI Act Annex IV technical documentation
|
|
700
|
+
// overlaps ~70% with ISO 42001 Annex A controls. Operators chasing
|
|
701
|
+
// ISO certification while running under the AI Act use these tables
|
|
702
|
+
// to map each Annex IV / Article-9..15 requirement to the matching
|
|
703
|
+
// ISO control. Pure metadata — no behavior change at deploy time.
|
|
704
|
+
|
|
705
|
+
// AI Act → ISO/IEC 42001 Annex A control mapping. Each entry pairs
|
|
706
|
+
// an AI Act citation with the ISO control(s) that cover the same
|
|
707
|
+
// obligation.
|
|
708
|
+
var ISO_42001_CROSSWALK = Object.freeze([
|
|
709
|
+
Object.freeze({ aiAct: "Art. 9 (Risk management system)", iso42001: ["A.6.1.1 AI risk-management process", "A.6.1.2 AI risk assessment", "A.6.1.3 AI risk treatment"], iso23894: ["Clause 5 (Risk management process)", "Clause 6 (Risk assessment)"] }),
|
|
710
|
+
Object.freeze({ aiAct: "Art. 10 (Data and data governance)", iso42001: ["A.7.2 Data quality for AI systems", "A.7.3 Data provenance", "A.7.4 Data preparation"], iso23894: ["Clause 6.4.2 (Data-related risks)"] }),
|
|
711
|
+
Object.freeze({ aiAct: "Art. 11 (Technical documentation)", iso42001: ["A.4.5 AI system documentation", "A.6.2.5 AI system records"], iso23894: ["Clause 6.6 (Recording and reporting)"] }),
|
|
712
|
+
Object.freeze({ aiAct: "Art. 12 (Record-keeping / logs)", iso42001: ["A.6.2.5 AI system records", "A.9.4 Event logging"], iso23894: ["Clause 6.6 (Recording and reporting)"] }),
|
|
713
|
+
Object.freeze({ aiAct: "Art. 13 (Transparency / instructions for use)", iso42001: ["A.4.5 AI system documentation", "A.8.2 User information"], iso23894: ["Clause 6.5.3 (Communication of risk)"] }),
|
|
714
|
+
Object.freeze({ aiAct: "Art. 14 (Human oversight)", iso42001: ["A.4.2 AI system objectives", "A.6.2.6 Human oversight"], iso23894: ["Clause 6.4.6 (Human-AI interaction risks)"] }),
|
|
715
|
+
Object.freeze({ aiAct: "Art. 15 (Accuracy, robustness, cybersecurity)", iso42001: ["A.6.2.3 AI verification + validation", "A.10.2 AI security controls"], iso23894: ["Clause 6.4.4 (Security risks)", "Clause 6.4.5 (Robustness risks)"] }),
|
|
716
|
+
Object.freeze({ aiAct: "Art. 17 (Quality management system)", iso42001: ["A.4 Leadership", "A.5 Planning", "A.6 Operation"], iso23894: ["Clause 4 (Context of the organization)"] }),
|
|
717
|
+
Object.freeze({ aiAct: "Art. 18 (Logs retention 6 months min)", iso42001: ["A.6.2.5 AI system records", "A.9.4 Event logging"], iso23894: ["Clause 6.6.3 (Records retention)"] }),
|
|
718
|
+
Object.freeze({ aiAct: "Art. 23 (Conformity assessment)", iso42001: ["A.6.2.4 AI conformity assessment"], iso23894: [] }),
|
|
719
|
+
Object.freeze({ aiAct: "Art. 27 (Fundamental rights impact assessment)", iso42001: ["A.6.1.4 AI impact assessment", "A.10.3 Societal impact controls"], iso23894: ["Clause 6.4.7 (Ethical risks)", "Clause 6.4.8 (Fundamental rights risks)"] }),
|
|
720
|
+
Object.freeze({ aiAct: "Art. 50 (Transparency obligations)", iso42001: ["A.4.5 AI system documentation", "A.8.2 User information"], iso23894: ["Clause 6.5.3 (Risk communication)"] }),
|
|
721
|
+
Object.freeze({ aiAct: "Art. 51-55 (GPAI obligations)", iso42001: ["A.4.5 AI system documentation", "A.7.3 Data provenance", "A.10.3 Societal impact controls"], iso23894: ["Clause 6.4 (AI-specific risk categories)"] }),
|
|
722
|
+
Object.freeze({ aiAct: "Art. 72 (Post-market monitoring)", iso42001: ["A.9.2 Performance monitoring", "A.9.3 Improvement actions"], iso23894: ["Clause 7 (Monitoring and review)"] }),
|
|
723
|
+
Object.freeze({ aiAct: "Art. 73 (Serious incident reporting)", iso42001: ["A.9.4 Event logging", "A.10.4 Incident response"], iso23894: ["Clause 6.5.4 (Risk treatment plan — incidents)"] }),
|
|
724
|
+
]);
|
|
725
|
+
|
|
726
|
+
/**
|
|
727
|
+
* @primitive b.compliance.aiAct.crossWalkIso42001
|
|
728
|
+
* @signature b.compliance.aiAct.crossWalkIso42001(aiActCitation?)
|
|
729
|
+
* @since 0.8.81
|
|
730
|
+
* @status stable
|
|
731
|
+
* @related b.compliance.aiAct.crossWalkIso23894, b.compliance.describe
|
|
732
|
+
*
|
|
733
|
+
* Map AI Act articles to ISO/IEC 42001:2023 Annex A controls (and the
|
|
734
|
+
* matching ISO/IEC 23894:2023 risk-management clauses where they
|
|
735
|
+
* overlap). Returns the full cross-walk table when called with no
|
|
736
|
+
* arguments, or the entry for a specific AI Act citation when passed
|
|
737
|
+
* a string. Returns `null` for unknown citations. Useful for
|
|
738
|
+
* operators chasing ISO 42001 certification while running under the
|
|
739
|
+
* AI Act — the table tracks the regulatory text and updates with
|
|
740
|
+
* the framework rather than going stale in operator code.
|
|
741
|
+
*
|
|
742
|
+
* @example
|
|
743
|
+
* var rows = b.compliance.aiAct.crossWalkIso42001();
|
|
744
|
+
* rows[0].aiAct; // → "Art. 9 (Risk management system)"
|
|
745
|
+
* rows[0].iso42001; // → ["A.6.1.1 AI risk-management process", ...]
|
|
746
|
+
*
|
|
747
|
+
* var art10 = b.compliance.aiAct.crossWalkIso42001("Art. 10 (Data and data governance)");
|
|
748
|
+
* art10.iso42001; // → ["A.7.2 Data quality for AI systems", ...]
|
|
749
|
+
*
|
|
750
|
+
* b.compliance.aiAct.crossWalkIso42001("not-a-real-citation");
|
|
751
|
+
* // → null
|
|
752
|
+
*/
|
|
753
|
+
function crossWalkIso42001(aiActCitation) {
|
|
754
|
+
if (arguments.length === 0 || aiActCitation === undefined || aiActCitation === null) {
|
|
755
|
+
return ISO_42001_CROSSWALK.map(function (r) {
|
|
756
|
+
return { aiAct: r.aiAct, iso42001: r.iso42001.slice(), iso23894: r.iso23894.slice() };
|
|
757
|
+
});
|
|
758
|
+
}
|
|
759
|
+
if (typeof aiActCitation !== "string") return null;
|
|
760
|
+
for (var i = 0; i < ISO_42001_CROSSWALK.length; i += 1) {
|
|
761
|
+
if (ISO_42001_CROSSWALK[i].aiAct === aiActCitation) {
|
|
762
|
+
return {
|
|
763
|
+
aiAct: ISO_42001_CROSSWALK[i].aiAct,
|
|
764
|
+
iso42001: ISO_42001_CROSSWALK[i].iso42001.slice(),
|
|
765
|
+
iso23894: ISO_42001_CROSSWALK[i].iso23894.slice(),
|
|
766
|
+
};
|
|
767
|
+
}
|
|
768
|
+
}
|
|
769
|
+
return null;
|
|
770
|
+
}
|
|
771
|
+
|
|
772
|
+
/**
|
|
773
|
+
* @primitive b.compliance.aiAct.crossWalkIso23894
|
|
774
|
+
* @signature b.compliance.aiAct.crossWalkIso23894()
|
|
775
|
+
* @since 0.8.81
|
|
776
|
+
* @status stable
|
|
777
|
+
* @related b.compliance.aiAct.crossWalkIso42001
|
|
778
|
+
*
|
|
779
|
+
* Same cross-walk shape filtered to entries that map to an ISO/IEC
|
|
780
|
+
* 23894:2023 clause. Used by operators whose audit scope is the
|
|
781
|
+
* AI-risk-management standard specifically (ISO 23894 is the
|
|
782
|
+
* companion to ISO 42001 focused purely on risk).
|
|
783
|
+
*
|
|
784
|
+
* @example
|
|
785
|
+
* var rows = b.compliance.aiAct.crossWalkIso23894();
|
|
786
|
+
* rows.forEach(function (r) {
|
|
787
|
+
* console.log(r.aiAct, "→", r.iso23894);
|
|
788
|
+
* });
|
|
789
|
+
*/
|
|
790
|
+
function crossWalkIso23894() {
|
|
791
|
+
return ISO_42001_CROSSWALK
|
|
792
|
+
.filter(function (r) { return r.iso23894.length > 0; })
|
|
793
|
+
.map(function (r) {
|
|
794
|
+
return { aiAct: r.aiAct, iso42001: r.iso42001.slice(), iso23894: r.iso23894.slice() };
|
|
795
|
+
});
|
|
796
|
+
}
|
|
797
|
+
|
|
696
798
|
module.exports = {
|
|
697
799
|
classify: classify,
|
|
698
800
|
deployerChecklist: deployerChecklist,
|
|
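Review bot: `crossWalkIso42001` matches the citation by exact string equality against labels such as "Art. 10 (Data and data governance)", so a caller passing "Art. 10" or a differently spaced parenthetical gets `null` with no hint why; consider matching on the article number (the `Art. N` prefix, case-insensitive) or at least documenting the exact-key requirement in the `@primitive` block. Two smaller points: Art. 13 and Art. 50 cite the same ISO 23894 clause under different labels ("Clause 6.5.3 (Communication of risk)" vs "Clause 6.5.3 (Risk communication)"), which will surface as two distinct controls in any audit pack that groups by label; and the header comment's "overlaps ~70%" figure has no source and will be quoted by operators, so cite it or drop it.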
@@ -713,4 +815,7 @@ module.exports = {
|
|
|
713
815
|
emitClassificationAudit: emitClassificationAudit,
|
|
714
816
|
annexIVScaffold: annexIVScaffold,
|
|
715
817
|
fundamentalRightsImpactAssessment: fundamentalRightsImpactAssessment,
|
|
818
|
+
crossWalkIso42001: crossWalkIso42001,
|
|
819
|
+
crossWalkIso23894: crossWalkIso23894,
|
|
820
|
+
ISO_42001_CROSSWALK: ISO_42001_CROSSWALK,
|
|
716
821
|
};
|
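Review bot: exporting `ISO_42001_CROSSWALK` alongside the accessor functions undoes the defensive copies they make. `Object.freeze` is shallow: the outer array and each row object are frozen, but the `iso42001` / `iso23894` array literals inside each row are not, so `require(...).ISO_42001_CROSSWALK[0].iso42001.push(...)` mutates the table that every later `crossWalkIso42001()` call copies from. Either freeze the inner arrays when building the rows, or drop the raw export and keep the two functions as the only surface.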
package/lib/compliance.js
CHANGED
|
@@ -106,7 +106,7 @@ var KNOWN_POSTURES = Object.freeze([
|
|
|
106
106
|
"ens-es", // Spain Esquema Nacional de Seguridad
|
|
107
107
|
"uk-g-cloud", // UK G-Cloud
|
|
108
108
|
// ---- v0.8.70 expansion — 2026 effective deadlines ----
|
|
109
|
-
"modpa", // Maryland Online Data Privacy Act (effective
|
|
109
|
+
"modpa", // Maryland Online Data Privacy Act (effective 2025-10-01) — strict data-min
|
|
110
110
|
"nydfs-500", // NYDFS 23 NYCRR 500 Amendment 2 — financial cybersecurity (multi-factor + asset inventory + governance)
|
|
111
111
|
"hipaa-2026", // HHS HIPAA Security Rule 2026-Q4 final — extends hipaa with mandatory MFA + asset inventory + 72h restoration testing
|
|
112
112
|
"quebec-25", // Quebec Law 25 final phase (effective 2026-09-22) — DPIA + automated-decision opt-out
|
|
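Review bot: the rewritten `modpa` comment still ends mid-word in "strict data-min"; if that is meant to read "strict data-minimization", finish it, since these comments are the only in-file description of each posture and a truncated tail looks like the same cut-off this hunk is repairing on the "(effective" side.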
@@ -136,6 +136,71 @@ var KNOWN_POSTURES = Object.freeze([
|
|
|
136
136
|
"ca-aadc", // California Age-Appropriate Design Code (partial preliminary injunction; track for re-enforcement)
|
|
137
137
|
"ct-sb3", // Connecticut SB 3 Consumer Health Data
|
|
138
138
|
"tx-cubi", // Texas Capture or Use of Biometric Identifier
|
|
139
|
+
"fl-fdbr", // Florida Digital Bill of Rights (SB 262, effective 2024-07-01) — narrow scope ($1B+ revenue threshold)
|
|
140
|
+
// ---- v0.8.81 expansion — AI-governance postures ----
|
|
141
|
+
// State + sectoral AI regulations crystallizing through 2026. Each
|
|
142
|
+
// posture is a flag that operators pin alongside their base
|
|
143
|
+
// privacy/sectoral posture; the floors enforce audit-chain signing
|
|
144
|
+
// and posture-cascade visibility so AI-decision audit trails meet
|
|
145
|
+
// regulator expectations even when the base posture is unregulated.
|
|
146
|
+
"co-ai", // Colorado AI Act SB24-205 (postponed to 2026-06-30; stay pending)
|
|
147
|
+
"il-hb3773", // Illinois HB 3773 — IHRA AI amendment (effective 2026-01-01)
|
|
148
|
+
"tx-traiga", // Texas Responsible AI Governance Act HB 149 (effective 2026-01-01)
|
|
149
|
+
"ut-aipa", // Utah AI Disclosure Act (UAIPA + 2025 amendments; sunset 2027-07-01)
|
|
150
|
+
"nyc-ll144", // NYC Local Law 144 — Automated Employment Decision Tools (in force) // allow:raw-byte-literal — regulatory identifier, not bytes
|
|
151
|
+
"ca-tfaia", // California SB 53 — Transparency in Frontier AI Act (effective 2026-01-01)
|
|
152
|
+
"kr-ai-basic", // South Korea AI Basic Act (effective 2026-01-22)
|
|
153
|
+
"cn-ai-label", // China Measures for Labelling of AI-Generated Content (effective 2025-09-01)
|
|
154
|
+
// ---- v0.8.81 expansion — AI management cross-walks ----
|
|
155
|
+
"iso-42001", // ISO/IEC 42001:2023 — AI Management System
|
|
156
|
+
"iso-23894", // ISO/IEC 23894:2023 — AI Risk Management Guidance
|
|
157
|
+
// ---- v0.8.81 expansion — content-credentials posture flags ----
|
|
158
|
+
"ca-sb942", // California SB-942 (Cal. Bus. & Prof. Code §22757) gen-AI disclosure (effective 2026-08-02) // allow:raw-byte-literal — regulatory identifier + date, not bytes
|
|
159
|
+
"ca-ab853", // California AB-853 platform-side gen-AI detection (effective 2026-08-02) // allow:raw-byte-literal — regulatory identifier + date, not bytes
|
|
160
|
+
// ---- v0.8.81 expansion — substrate-to-posture cleanup ----
|
|
161
|
+
"eaa", // EU Accessibility Act / Directive (EU) 2019/882 (effective 2025-06-28)
|
|
162
|
+
"wcag-2-2", // W3C Web Content Accessibility Guidelines 2.2 (Oct 2023 Recommendation)
|
|
163
|
+
"eu-data-act", // EU Data Act / Regulation (EU) 2023/2854 (effective 2025-09-12)
|
|
164
|
+
"hitech", // Health Information Technology for Economic and Clinical Health Act (2009)
|
|
165
|
+
"ferpa", // Family Educational Rights and Privacy Act (20 U.S.C. §1232g)
|
|
166
|
+
"dpdp", // India Digital Personal Data Protection Act 2023 (rules-pending; cascade tier exists)
|
|
167
|
+
// ---- v0.8.82 expansion — privacy 2026 sweep ----
|
|
168
|
+
// US federal child / financial privacy
|
|
169
|
+
"coppa", // Children's Online Privacy Protection Act (15 U.S.C. §6501)
|
|
170
|
+
"coppa-2025", // COPPA 2025 Amendment (FTC final 2025-04-22; effective 2026-06-23 — biometric expansion + knowing-collection disclosure)
|
|
171
|
+
"glba-safeguards", // GLBA Safeguards Rule 2024 Amendment (16 CFR Part 314 — effective 2024-05-13) // allow:raw-byte-literal — CFR title number, not bytes
|
|
172
|
+
// UK
|
|
173
|
+
"uk-duaa", // UK Data (Use and Access) Act 2025 (Royal Assent 2025-06-19; replaces DPDI Bill)
|
|
174
|
+
// Latin America
|
|
175
|
+
"cl-pdpa", // Chile Ley 21.719 (enacted 2024-12-13; effective 2026-12-01)
|
|
176
|
+
"mx-lfpdppp", // Mexico LFPDPPP + 2025 secondary reform
|
|
177
|
+
"ar-pdpa", // Argentina PDPA (Ley 25.326 + 2024 modernization bill)
|
|
178
|
+
// APAC
|
|
179
|
+
"pipa-kr", // South Korea Personal Information Protection Act (2023 major amendment)
|
|
180
|
+
"au-privacy", // Australia Privacy Act + 2024 Amendment Act (first tranche 2024-12-10; statutory tort 2025-06-10)
|
|
181
|
+
"th-pdpa", // Thailand PDPA (effective 2022-06-01)
|
|
182
|
+
"vn-pdp", // Vietnam PDP Decree 13/2023 + 2025 PDP Law (effective 2026-01-01)
|
|
183
|
+
"id-pdp", // Indonesia Personal Data Protection Law (effective 2024-10-17)
|
|
184
|
+
"my-pdpa", // Malaysia PDPA + 2024 amendments (effective 2025-04-30)
|
|
185
|
+
// US state child privacy / age-appropriate design codes
|
|
186
|
+
"ny-safe-kids", // NY Child Data Protection Act / SAFE for Kids Act (effective 2025-06-20)
|
|
187
|
+
"ny-saffe", // NY Stop Addictive Feeds Exploitation for Kids Act (effective 2025-06-20)
|
|
188
|
+
"md-kids-code", // Maryland Age-Appropriate Design Code (enacted 2024)
|
|
189
|
+
"vt-aadc", // Vermont Age-Appropriate Design Code (enacted 2024)
|
|
190
|
+
// US cross-cutting privacy / sectoral
|
|
191
|
+
"gina", // Genetic Information Nondiscrimination Act (effective 2009-11-21)
|
|
192
|
+
"vppa", // Video Privacy Protection Act (1988; class-action pixel-tracking surface)
|
|
193
|
+
"can-spam", // CAN-SPAM Act (effective 2004-01-01)
|
|
194
|
+
"il-gipa", // Illinois Genetic Information Privacy Act (post-2024 amendment private right of action)
|
|
195
|
+
"hhs-repro-24", // HHS Reproductive Health HIPAA Amendment (effective 2024-12-23)
|
|
196
|
+
// NIST cross-walks
|
|
197
|
+
"nist-pf-1.1", // NIST Privacy Framework 1.1 (final 2025-04-14)
|
|
198
|
+
// EU non-personal-data + adjacent
|
|
199
|
+
"dsa", // EU Digital Services Act (Regulation 2022/2065; fully applicable 2024-02-17)
|
|
200
|
+
"dga", // EU Data Governance Act (Regulation 2022/868; applicable 2023-09-24) // allow:raw-byte-literal — calendar day, not bytes
|
|
201
|
+
"eu-cer", // EU Critical Entities Resilience Directive (2022/2557; transposition 2024-10-17)
|
|
202
|
+
"eu-cyber-sol", // EU Cyber Solidarity Act (Regulation 2025/38; effective 2025-02-04)
|
|
203
|
+
"eidas-2", // eIDAS 2 / EUDI Wallet (Regulation 2024/1183; rollout 2026-2027)
|
|
139
204
|
]);
|
|
140
205
|
|
|
141
206
|
var STATE = { posture: null, setAt: null };
|
|
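Review bot: the `"ny-safe-kids"` comment (`// NY Child Data Protection Act / SAFE for Kids Act`) and the `"ny-saffe"` comment (`// NY Stop Addictive Feeds Exploitation for Kids Act`) describe the same statute, since SAFE is the acronym for Stop Addictive Feeds Exploitation; if `"ny-safe-kids"` is meant to be the Child Data Protection Act, drop `/ SAFE for Kids Act` from its comment so the two keys are distinguishable to whoever selects a posture. Separately, only the `"dga"` entry carries `// allow:raw-byte-literal — calendar day, not bytes`, although the neighbouring `"dsa"`, `"eu-cer"` and `"eu-cyber-sol"` comments contain the same ISO-date shape; either the suppression is unnecessary or the rule fires on a different token in that line, and the comment should say which so the next sweep does not cargo-cult it onto every dated entry.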
@@ -497,7 +562,7 @@ var REGIME_MAP = Object.freeze({
|
|
|
497
562
|
},
|
|
498
563
|
"modpa": {
|
|
499
564
|
name: "Maryland Online Data Privacy Act",
|
|
500
|
-
citation: "Md. Code Ann., Com. Law §§14-4601 et seq. (effective
|
|
565
|
+
citation: "Md. Code Ann., Com. Law §§14-4601 et seq. (effective 2025-10-01)",
|
|
501
566
|
jurisdiction: "US-MD",
|
|
502
567
|
domain: "privacy",
|
|
503
568
|
},
|
|
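Review bot: the new `"modpa"` citation reads `(effective 2025-10-01)` while the `"modpa"` row in the `lib/dsr.js` STATE_RULES hunk further down says "effective 2026-10-01"; one of the two dates is wrong, and because both are free text nothing keeps them aligned. Suggest storing the effective date once (a dedicated field on the REGIME_MAP entry, rendered into the STATE_RULES notes) or at least adding a test that the dates quoted in both files agree for every posture that appears in both.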
@@ -530,17 +595,76 @@ var REGIME_MAP = Object.freeze({
|
|
|
530
595
|
"ia-icdpa": { name: "Iowa Consumer Data Protection Act", citation: "Iowa Code §715D (effective 2025-01-01)", jurisdiction: "US-IA", domain: "privacy" },
|
|
531
596
|
"in-indpa": { name: "Indiana Consumer Data Protection Act", citation: "Ind. Code §24-15 (effective 2026-01-01)", jurisdiction: "US-IN", domain: "privacy" },
|
|
532
597
|
"de-dpdpa": { name: "Delaware Personal Data Privacy Act", citation: "6 Del. Code Ch. 12D (effective 2026-01-01)", jurisdiction: "US-DE", domain: "privacy" },
|
|
533
|
-
"nh-nhpa": { name: "New Hampshire SB 255 Consumer Privacy Act", citation: "NH RSA Chapter 507-H (effective
|
|
534
|
-
"nj-njdpa": { name: "New Jersey Data Privacy Act", citation: "N.J. Rev. Stat. §56:8-166.4 et seq. (effective
|
|
598
|
+
"nh-nhpa": { name: "New Hampshire SB 255 Consumer Privacy Act", citation: "NH RSA Chapter 507-H (effective 2025-01-01)", jurisdiction: "US-NH", domain: "privacy" },
|
|
599
|
+
"nj-njdpa": { name: "New Jersey Data Privacy Act", citation: "N.J. Rev. Stat. §56:8-166.4 et seq. (effective 2025-01-15)", jurisdiction: "US-NJ", domain: "privacy" },
|
|
535
600
|
"ky-kcdpa": { name: "Kentucky Consumer Data Protection Act", citation: "Ky. Rev. Stat. §367.3611 et seq. (effective 2026-01-01)", jurisdiction: "US-KY", domain: "privacy" },
|
|
536
601
|
"tn-tipa": { name: "Tennessee Information Protection Act", citation: "Tenn. Code §47-18-3201 et seq. (effective 2025-07-01)", jurisdiction: "US-TN", domain: "privacy" },
|
|
537
|
-
"mn-mncdpa": { name: "Minnesota Consumer Data Privacy Act", citation: "Minn. Stat. §325O (effective
|
|
602
|
+
"mn-mncdpa": { name: "Minnesota Consumer Data Privacy Act", citation: "Minn. Stat. §325O (effective 2025-07-31)", jurisdiction: "US-MN", domain: "privacy" },
|
|
538
603
|
"ri-ricpa": { name: "Rhode Island Consumer Privacy Act", citation: "R.I. Gen. Laws §6-48.1 (effective 2026-01-01)", jurisdiction: "US-RI", domain: "privacy" },
|
|
539
604
|
"ne-dpa": { name: "Nebraska Data Privacy Act", citation: "Neb. Rev. Stat. §87-1101 et seq. (effective 2025-01-01)", jurisdiction: "US-NE", domain: "privacy" },
|
|
540
605
|
"nv-sb370": { name: "Nevada SB 370 Consumer Health Data Privacy", citation: "Nev. Rev. Stat. §603A (consumer-health amendments, effective 2024-03-31)", jurisdiction: "US-NV", domain: "health" },
|
|
541
606
|
"ca-aadc": { name: "California Age-Appropriate Design Code Act", citation: "Cal. Civ. Code §1798.99.28 et seq. (partial preliminary injunction NetChoice v. Bonta)", jurisdiction: "US-CA", domain: "privacy" },
|
|
542
607
|
"ct-sb3": { name: "Connecticut SB 3 Consumer Health Data", citation: "Conn. P.A. 23-56 (effective 2023-07-01)", jurisdiction: "US-CT", domain: "health" },
|
|
543
608
|
"tx-cubi": { name: "Texas Capture or Use of Biometric Identifier", citation: "Tex. Bus. & Com. Code §503.001 (effective 2009-09-01)", jurisdiction: "US-TX", domain: "biometric" },
|
|
609
|
+
"fl-fdbr": { name: "Florida Digital Bill of Rights", citation: "Fla. Stat. §501.701 et seq. SB 262 (effective 2024-07-01)", jurisdiction: "US-FL", domain: "privacy" },
|
|
610
|
+
// ---- v0.8.81 — AI governance ----
|
|
611
|
+
"co-ai": { name: "Colorado AI Act", citation: "C.R.S. §6-1-1701 et seq. SB24-205 (postponed to 2026-06-30; enforcement stayed)", jurisdiction: "US-CO", domain: "ai-governance" },
|
|
612
|
+
"il-hb3773": { name: "Illinois HB 3773 — AI in Employment", citation: "775 ILCS 5 IHRA AI amendment (effective 2026-01-01)", jurisdiction: "US-IL", domain: "ai-governance" },
|
|
613
|
+
"tx-traiga": { name: "Texas Responsible AI Governance Act", citation: "Tex. Bus. & Com. Code Ch. 552 HB 149 (effective 2026-01-01)", jurisdiction: "US-TX", domain: "ai-governance" },
|
|
614
|
+
"ut-aipa": { name: "Utah AI Disclosure Act (UAIPA)", citation: "Utah Code §13-2-12 SB149 + 2025 amendments (sunset 2027-07-01)", jurisdiction: "US-UT", domain: "ai-governance" },
|
|
615
|
+
"nyc-ll144": { name: "NYC Automated Employment Decision Tools Law", citation: "NYC Admin. Code §20-870 et seq. Local Law 144 (in force 2023-07-05)", jurisdiction: "US-NY-NYC", domain: "ai-governance" },
|
|
616
|
+
"ca-tfaia": { name: "California Transparency in Frontier AI Act", citation: "Cal. Bus. & Prof. Code §22757.10 et seq. SB 53 (effective 2026-01-01)", jurisdiction: "US-CA", domain: "ai-governance" },
|
|
617
|
+
"kr-ai-basic": { name: "South Korea AI Basic Act", citation: "Framework Act on Development of AI (effective 2026-01-22)", jurisdiction: "KR", domain: "ai-governance" },
|
|
618
|
+
"cn-ai-label": { name: "China — Measures for Labelling AI-Generated Content", citation: "CAC + MIIT + Ministry of Public Security + NRTA Order (effective 2025-09-01)", jurisdiction: "CN", domain: "ai-governance" },
|
|
619
|
+
// ---- v0.8.81 — AI management cross-walks ----
|
|
620
|
+
"iso-42001": { name: "ISO/IEC 42001 — AI Management System", citation: "ISO/IEC 42001:2023", jurisdiction: "international", domain: "ai-governance" },
|
|
621
|
+
"iso-23894": { name: "ISO/IEC 23894 — AI Risk Management", citation: "ISO/IEC 23894:2023", jurisdiction: "international", domain: "ai-governance" },
|
|
622
|
+
// ---- v0.8.81 — content-credentials posture flags ----
|
|
623
|
+
"ca-sb942": { name: "California Gen-AI Provenance Disclosure", citation: "Cal. Bus. & Prof. Code §22757 SB-942 (effective 2026-08-02)", jurisdiction: "US-CA", domain: "content-credentials" },
|
|
624
|
+
"ca-ab853": { name: "California Platform Gen-AI Detection", citation: "Cal. Bus. & Prof. Code §22757 AB-853 (effective 2026-08-02)", jurisdiction: "US-CA", domain: "content-credentials" },
|
|
625
|
+
// ---- v0.8.81 — substrate-to-posture cleanup ----
|
|
626
|
+
"eaa": { name: "EU Accessibility Act", citation: "Directive (EU) 2019/882 (effective 2025-06-28)", jurisdiction: "EU", domain: "accessibility" },
|
|
627
|
+
"wcag-2-2": { name: "W3C Web Content Accessibility Guidelines 2.2", citation: "W3C Recommendation (Oct 2023)", jurisdiction: "international", domain: "accessibility" },
|
|
628
|
+
"eu-data-act": { name: "EU Data Act", citation: "Regulation (EU) 2023/2854 (effective 2025-09-12)", jurisdiction: "EU", domain: "data-sharing" },
|
|
629
|
+
"hitech": { name: "Health Information Technology for Economic and Clinical Health Act", citation: "Pub. L. 111-5, Title XIII, Subtitle D (2009)", jurisdiction: "US", domain: "health" },
|
|
630
|
+
"ferpa": { name: "Family Educational Rights and Privacy Act", citation: "20 U.S.C. §1232g; 34 CFR Part 99", jurisdiction: "US", domain: "student-records" },
|
|
631
|
+
"dpdp": { name: "Digital Personal Data Protection Act 2023", citation: "Act 22 of 2023 (India; rules pending)", jurisdiction: "IN", domain: "privacy" },
|
|
632
|
+
// ---- v0.8.82 — privacy 2026 sweep ----
|
|
633
|
+
// US federal
|
|
634
|
+
"coppa": { name: "Children's Online Privacy Protection Act", citation: "15 U.S.C. §§6501-6506; 16 CFR Part 312 (effective 2000-04-21)", jurisdiction: "US", domain: "child-privacy" },
|
|
635
|
+
"coppa-2025": { name: "COPPA 2025 Amendment", citation: "FTC final rule (2025-04-22; effective 2026-06-23) — biometric expansion + knowing-collection-13-and-under disclosure", jurisdiction: "US", domain: "child-privacy" },
|
|
636
|
+
"glba-safeguards": { name: "GLBA Safeguards Rule 2024 Amendment", citation: "16 CFR Part 314 (effective 2024-05-13)", jurisdiction: "US", domain: "financial-privacy" },
|
|
637
|
+
"gina": { name: "Genetic Information Nondiscrimination Act", citation: "Pub. L. 110-233; 42 U.S.C. §2000ff et seq. (effective 2009-11-21)", jurisdiction: "US", domain: "genetic-privacy" },
|
|
638
|
+
"vppa": { name: "Video Privacy Protection Act", citation: "18 U.S.C. §2710 (effective 1988-11-05)", jurisdiction: "US", domain: "consumer-privacy" },
|
|
639
|
+
"can-spam": { name: "CAN-SPAM Act", citation: "15 U.S.C. §§7701-7713; 16 CFR Part 316 (effective 2004-01-01)", jurisdiction: "US", domain: "consumer-privacy" },
|
|
640
|
+
"il-gipa": { name: "Illinois Genetic Information Privacy Act", citation: "410 ILCS 513 (private right of action post-2024 amendment)", jurisdiction: "US-IL", domain: "genetic-privacy" },
|
|
641
|
+
"hhs-repro-24": { name: "HHS Reproductive Health HIPAA Amendment 2024", citation: "45 CFR Parts 160, 164 — Final Rule (effective 2024-12-23)", jurisdiction: "US", domain: "health" },
|
|
642
|
+
// NIST cross-walk
|
|
643
|
+
"nist-pf-1.1": { name: "NIST Privacy Framework 1.1", citation: "NIST PF 1.1 (final 2025-04-14)", jurisdiction: "US", domain: "privacy" },
|
|
644
|
+
// UK
|
|
645
|
+
"uk-duaa": { name: "UK Data (Use and Access) Act 2025", citation: "DUAA c. 26 (Royal Assent 2025-06-19; replaces DPDI Bill)", jurisdiction: "UK", domain: "privacy" },
|
|
646
|
+
// Latin America
|
|
647
|
+
"cl-pdpa": { name: "Chile Ley 21.719 Protección de Datos Personales", citation: "Ley 21.719 (enacted 2024-12-13; effective 2026-12-01)", jurisdiction: "CL", domain: "privacy" },
|
|
648
|
+
"mx-lfpdppp": { name: "Mexico LFPDPPP + 2025 reform", citation: "Ley Federal de Protección de Datos Personales en Posesión de los Particulares (2010 + 2025 secondary reform)", jurisdiction: "MX", domain: "privacy" },
|
|
649
|
+
"ar-pdpa": { name: "Argentina Personal Data Protection Act", citation: "Ley 25.326 + 2024 modernization bill (pending)", jurisdiction: "AR", domain: "privacy" },
|
|
650
|
+
// APAC
|
|
651
|
+
"pipa-kr": { name: "South Korea Personal Information Protection Act", citation: "PIPA 2011 + 2023 major amendment (phased 2023-09-15 / 2024-03-15)", jurisdiction: "KR", domain: "privacy" },
|
|
652
|
+
"au-privacy": { name: "Australia Privacy Act + 2024 Amendment Act", citation: "Privacy Act 1988 + Privacy and Other Legislation Amendment Act 2024 (first tranche 2024-12-10; statutory tort 2025-06-10)", jurisdiction: "AU", domain: "privacy" },
|
|
653
|
+
"th-pdpa": { name: "Thailand Personal Data Protection Act", citation: "PDPA B.E. 2562 (2019; full effect 2022-06-01)", jurisdiction: "TH", domain: "privacy" },
|
|
654
|
+
"vn-pdp": { name: "Vietnam Personal Data Protection Law", citation: "Decree 13/2023 + PDP Law (effective 2026-01-01)", jurisdiction: "VN", domain: "privacy" },
|
|
655
|
+
"id-pdp": { name: "Indonesia Personal Data Protection Law", citation: "Law 27 of 2022 (effective 2024-10-17)", jurisdiction: "ID", domain: "privacy" },
|
|
656
|
+
"my-pdpa": { name: "Malaysia Personal Data Protection Act", citation: "PDPA 2010 + 2024 amendments (effective 2025-04-30)", jurisdiction: "MY", domain: "privacy" },
|
|
657
|
+
// US state child privacy
|
|
658
|
+
"ny-safe-kids": { name: "NY Child Data Protection Act / SAFE for Kids Act", citation: "N.Y. Gen. Bus. Law §899-ff et seq. (effective 2025-06-20)", jurisdiction: "US-NY", domain: "child-privacy" },
|
|
659
|
+
"ny-saffe": { name: "NY Stop Addictive Feeds Exploitation for Kids Act", citation: "N.Y. Gen. Bus. Law §1500 et seq. (effective 2025-06-20)", jurisdiction: "US-NY", domain: "child-privacy" },
|
|
660
|
+
"md-kids-code": { name: "Maryland Age-Appropriate Design Code", citation: "Md. Code Ann., Com. Law §14-4901 et seq. (enacted 2024)", jurisdiction: "US-MD", domain: "child-privacy" },
|
|
661
|
+
"vt-aadc": { name: "Vermont Age-Appropriate Design Code", citation: "Vt. Stat. Ann. tit. 9 §2447 et seq. (enacted 2024)", jurisdiction: "US-VT", domain: "child-privacy" },
|
|
662
|
+
// EU non-personal-data + adjacent
|
|
663
|
+
"dsa": { name: "EU Digital Services Act", citation: "Regulation (EU) 2022/2065 (fully applicable 2024-02-17)", jurisdiction: "EU", domain: "platform-governance" },
|
|
664
|
+
"dga": { name: "EU Data Governance Act", citation: "Regulation (EU) 2022/868 (applicable 2023-09-24)", jurisdiction: "EU", domain: "data-sharing" },
|
|
665
|
+
"eu-cer": { name: "EU Critical Entities Resilience Directive", citation: "Directive (EU) 2022/2557 (transposition 2024-10-17)", jurisdiction: "EU", domain: "cybersecurity" },
|
|
666
|
+
"eu-cyber-sol": { name: "EU Cyber Solidarity Act", citation: "Regulation (EU) 2025/38 (effective 2025-02-04)", jurisdiction: "EU", domain: "cybersecurity" },
|
|
667
|
+
"eidas-2": { name: "eIDAS 2 / EUDI Wallet", citation: "Regulation (EU) 2024/1183 (rollout 2026-2027)", jurisdiction: "EU", domain: "identity" },
|
|
544
668
|
});
|
|
545
669
|
|
|
546
670
|
/**
|
|
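Review bot: nothing in this diff enforces that every key added to `REGIME_MAP` also exists in `KNOWN_POSTURES` and `POSTURE_DEFAULTS`, and this hunk adds keys under the v0.8.81 banners (`"hitech"`, `"ferpa"`, `"eaa"`, `"wcag-2-2"`, `"eu-data-act"`, `"dpdp"`) whose `KNOWN_POSTURES` additions are not visible in the hunk above; a unit test asserting that the three key sets are identical would catch a posture that validates in `KNOWN_POSTURES` but has no cascade floor, or the reverse. One consistency point: the `jurisdiction` field mixes ISO 3166-1 alpha-2 codes (`"KR"`, `"CL"`, `"AU"`, `"ID"`) with `"UK"` (the ISO code is `GB`), `"international"` and `"US-NY-NYC"`, so any consumer that keys on ISO codes will miss `"uk-duaa"`; either normalise to `GB` or document that the field is a display label rather than a lookup key.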
@@ -688,6 +812,122 @@ var POSTURE_DEFAULTS = Object.freeze({
|
|
|
688
812
|
tlsMinVersion: "TLSv1.3",
|
|
689
813
|
requireVacuumAfterErase: true,
|
|
690
814
|
}),
|
|
815
|
+
// v0.8.81 — Florida Digital Bill of Rights SB 262 (effective
|
|
816
|
+
// 2024-07-01). Narrow scope ($1B+ revenue threshold); privacy-tier
|
|
817
|
+
// floor matching peer state consumer-privacy postures.
|
|
818
|
+
"fl-fdbr": Object.freeze({
|
|
819
|
+
backupEncryptionRequired: false,
|
|
820
|
+
auditChainSignedRequired: true,
|
|
821
|
+
tlsMinVersion: "TLSv1.3",
|
|
822
|
+
requireVacuumAfterErase: true,
|
|
823
|
+
}),
|
|
824
|
+
// v0.8.81 — HITECH Act extends HIPAA; treat as HIPAA-tier floor
|
|
825
|
+
// (encrypted backups, signed audit chain, vacuum-after-erase).
|
|
826
|
+
"hitech": Object.freeze({
|
|
827
|
+
backupEncryptionRequired: true,
|
|
828
|
+
auditChainSignedRequired: true,
|
|
829
|
+
tlsMinVersion: "TLSv1.3",
|
|
830
|
+
requireVacuumAfterErase: true,
|
|
831
|
+
}),
|
|
832
|
+
// v0.8.81 — FERPA covers student educational records; treat as
|
|
833
|
+
// privacy-tier with full erasure-residue cleanup (record-purge
|
|
834
|
+
// workflows for transferred students).
|
|
835
|
+
"ferpa": Object.freeze({
|
|
836
|
+
backupEncryptionRequired: false,
|
|
837
|
+
auditChainSignedRequired: true,
|
|
838
|
+
tlsMinVersion: "TLSv1.3",
|
|
839
|
+
requireVacuumAfterErase: true,
|
|
840
|
+
}),
|
|
841
|
+
// v0.8.81 — AI-governance postures share an audit-chain-signed
|
|
842
|
+
// floor so AI-decision audit trails survive forensic challenge
|
|
843
|
+
// (NYC LL144 annual bias audit, IL HB 3773 employment notice
|
|
844
|
+
// chain, Colorado AI Act impact-assessment records, Utah UAIPA
|
|
845
|
+
// disclosure ledger). TLS-1.3 minimum + signed chain only; no
|
|
846
|
+
// vacuum-after-erase mandate at this tier.
|
|
847
|
+
"co-ai": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
848
|
+
"il-hb3773": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
849
|
+
"tx-traiga": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
850
|
+
"ut-aipa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
851
|
+
"nyc-ll144": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
852
|
+
"ca-tfaia": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }), // Frontier-AI critical-incident records: encrypted at rest, residue-clean on erasure
|
|
853
|
+
"kr-ai-basic": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
854
|
+
"cn-ai-label": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
855
|
+
// v0.8.81 — ISO/IEC 42001 + 23894 — voluntary AI management
|
|
856
|
+
// certifications. Cascade matches the strictest peer (audit-chain
|
|
857
|
+
// signed + TLS 1.3); operators chasing ISO certification under a
|
|
858
|
+
// base regulated posture get strict cumulative floors via
|
|
859
|
+
// postureDefault() reads.
|
|
860
|
+
"iso-42001": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
861
|
+
"iso-23894": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
862
|
+
// v0.8.81 — California SB-942 + AB-853 are content-credentials
|
|
863
|
+
// posture flags, not data-floor regulations. Cascade leaves
|
|
864
|
+
// operator-controlled defaults in place (no backup encryption
|
|
865
|
+
// mandate, no residue-vacuum mandate); the meaningful effect rides
|
|
866
|
+
// through b.contentCredentials manifest emission, not the data
|
|
867
|
+
// tier. TLS 1.3 retained as the framework-wide floor.
|
|
868
|
+
"ca-sb942": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
869
|
+
"ca-ab853": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
870
|
+
// v0.8.81 — EAA + WCAG 2.2 are accessibility postures; no data-
|
|
871
|
+
// floor cascade. The meaningful effect rides through
|
|
872
|
+
// b.guardHtml.wcag + b.compliance-eaa primitives.
|
|
873
|
+
"eaa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
874
|
+
"wcag-2-2": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
875
|
+
// v0.8.81 — EU Data Act covers B2G + IoT-data sharing; cascade
|
|
876
|
+
// floor matches GDPR-tier audit signing + TLS 1.3.
|
|
877
|
+
"eu-data-act": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
878
|
+
// v0.8.82 — COPPA + 2025 Amendment: child-data deletion + age-verification
|
|
879
|
+
// floor (operator-facing rule: when a covered child is identified, knowing-
|
|
880
|
+
// collection beyond age 13 requires verifiable parental consent; on
|
|
881
|
+
// withdrawal, full residue cleanup applies). Cascade: signed audit chain
|
|
882
|
+
// + vacuum-after-erase + TLS 1.3.
|
|
883
|
+
"coppa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
884
|
+
"coppa-2025": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
885
|
+
// v0.8.82 — GLBA Safeguards 2024 Amendment: financial-tier cascade
|
|
886
|
+
// matching pci-dss + nydfs-500 floor (encrypted backups + signed audit +
|
|
887
|
+
// TLS 1.3). No vacuum-after-erase mandate at this tier.
|
|
888
|
+
"glba-safeguards": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
889
|
+
// v0.8.82 — UK DUAA 2025: privacy-tier with GDPR-equivalent floor
|
|
890
|
+
// (signed audit + TLS 1.3 + vacuum-after-erase per UK GDPR Art. 17).
|
|
891
|
+
"uk-duaa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
892
|
+
// v0.8.82 — Chile Ley 21.719: GDPR-equivalent privacy floor with
|
|
893
|
+
// strict effective-erasure obligation under the right-to-erasure
|
|
894
|
+
// article (Art. 8). Cascade mirrors gdpr.
|
|
895
|
+
"cl-pdpa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
896
|
+
// v0.8.82 — Korea PIPA: privacy-tier with full erasure-residue cleanup
|
|
897
|
+
// under the right-to-erasure article. Cascade matches gdpr/lgpd-br tier.
|
|
898
|
+
"pipa-kr": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
899
|
+
// v0.8.82 — Australia Privacy Act 2024 Amendment: privacy-tier with
|
|
900
|
+
// statutory-tort exposure. Encrypted backups + signed audit + vacuum-
|
|
901
|
+
// after-erase per statutory right-to-erasure.
|
|
902
|
+
"au-privacy": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
903
|
+
// v0.8.82 — Other LATAM + APAC postures share the GDPR-equivalent
|
|
904
|
+
// privacy floor.
|
|
905
|
+
"mx-lfpdppp": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
906
|
+
"ar-pdpa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
907
|
+
"th-pdpa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
908
|
+
"vn-pdp": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
909
|
+
"id-pdp": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
910
|
+
"my-pdpa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
911
|
+
// v0.8.82 — US state child-privacy + cross-cutting US statutes.
|
|
912
|
+
"ny-safe-kids": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
913
|
+
"ny-saffe": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
914
|
+
"md-kids-code": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
915
|
+
"vt-aadc": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
916
|
+
"gina": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
917
|
+
"vppa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
918
|
+
"can-spam": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
919
|
+
"il-gipa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
920
|
+
"hhs-repro-24": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
921
|
+
// v0.8.82 — NIST Privacy Framework 1.1 cross-walk posture; cascade
|
|
922
|
+
// matches gdpr-tier audit signing.
|
|
923
|
+
"nist-pf-1.1": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
924
|
+
// v0.8.82 — EU platform/data/cyber adjacent: audit-chain signed,
|
|
925
|
+
// TLS 1.3, no special data-tier mandate at this layer.
|
|
926
|
+
"dsa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
927
|
+
"dga": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
928
|
+
"eu-cer": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
929
|
+
"eu-cyber-sol": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
930
|
+
"eidas-2": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
691
931
|
});
|
|
692
932
|
|
|
693
933
|
/**
|
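Review bot: the `"au-privacy"` comment says "Encrypted backups + signed audit + vacuum-after-erase", but the entry under it sets `backupEncryptionRequired: false`; either the comment or the flag is wrong, and since the cascade value is what operators actually get, fix whichever was intended. Same pattern for `"eu-data-act"`, whose comment lists only "audit signing + TLS 1.3" while the entry sets `requireVacuumAfterErase: true`. The COPPA comment reads "knowing-collection beyond age 13 requires verifiable parental consent", which inverts the REGIME_MAP wording "knowing-collection-13-and-under" for the same posture; COPPA's covered population is children under 13, so "beyond age 13" should read "of children under 13". Finally, the shared `"coppa"`/`"coppa-2025"` comment describes one cascade although the two entries differ on `backupEncryptionRequired`; a one-line note on why only the 2025 tier mandates encrypted backups would spare the next reader a guess.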
package/lib/dsr.js
CHANGED
|
@@ -1112,6 +1112,7 @@ var STATE_RULES = Object.freeze({
|
|
|
1112
1112
|
"tx-cubi": { posture: "tx-cubi", state: "TX", responseDays: 0, extensionDays: 0, cureDays: 0, profilingOptOut: false, minorOptIn: null, notes: "Biometric-only; private-right-of-action absent" }, // allow:raw-time-literal
|
|
1113
1113
|
"modpa": { posture: "modpa", state: "MD", responseDays: 45, extensionDays: 45, cureDays: 60, profilingOptOut: true, minorOptIn: 13, notes: "Strict data-minimization; effective 2026-10-01" }, // allow:raw-time-literal
|
|
1114
1114
|
"quebec-25": { posture: "quebec-25", state: "QC", responseDays: 30, extensionDays: 30, cureDays: 0, profilingOptOut: true, minorOptIn: 14, notes: "DPIA + automated-decision opt-out; FR-language obligations" }, // allow:raw-time-literal
|
|
1115
|
+
"fl-fdbr": { posture: "fl-fdbr", state: "FL", responseDays: 45, extensionDays: 15, cureDays: 30, profilingOptOut: true, minorOptIn: 13, notes: "Narrow scope ($1B+ revenue threshold); effective 2024-07-01; AG-only enforcement" }, // allow:raw-time-literal
|
|
1115
1116
|
});
|
|
1116
1117
|
|
|
1117
1118
|
/**
|
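Review bot: no STATE_RULES row is added for the v0.8.82 US-state postures (`"ny-safe-kids"`, `"ny-saffe"`, `"md-kids-code"`, `"vt-aadc"` in REGIME_MAP), only for `"fl-fdbr"`; if a posture without a row falls through to a default response window, a comment at the top of the map should say so, otherwise `responseDays` and `minorOptIn` lookups for those postures will silently miss. The `notes` strings also restate effective dates that REGIME_MAP already carries in its citations, which is exactly how the `"modpa"` date drift between the two files arose; keep the date in one place and render it here.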
package/package.json
CHANGED
package/sbom.cdx.json
CHANGED
|
@@ -2,10 +2,10 @@
|
|
|
2
2
|
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
|
|
3
3
|
"bomFormat": "CycloneDX",
|
|
4
4
|
"specVersion": "1.6",
|
|
5
|
-
"serialNumber": "urn:uuid:
|
|
5
|
+
"serialNumber": "urn:uuid:309a8ed5-6be3-41c5-b29a-f23cdc9a41ca",
|
|
6
6
|
"version": 1,
|
|
7
7
|
"metadata": {
|
|
8
|
-
"timestamp": "2026-05-
|
|
8
|
+
"timestamp": "2026-05-11T15:08:03.856Z",
|
|
9
9
|
"lifecycles": [
|
|
10
10
|
{
|
|
11
11
|
"phase": "build"
|
|
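Review bot: `"$schema"` still points at `bom-1.5.schema.json` while `"specVersion"` is `"1.6"` (both are context lines in this hunk), so a validator that honours `$schema` will check this 1.6 document against the 1.5 schema; bump the URL to the 1.6 schema in the same generator run that refreshes `serialNumber` and `timestamp`. The per-build `serialNumber` and `timestamp` churn is expected for a build-phase SBOM, but it is the only content change in this file apart from the version string, which is worth stating in the generator's commit template so reviewers know nothing substantive moved.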
@@ -19,14 +19,14 @@
|
|
|
19
19
|
}
|
|
20
20
|
],
|
|
21
21
|
"component": {
|
|
22
|
-
"bom-ref": "@blamejs/core@0.8.
|
|
22
|
+
"bom-ref": "@blamejs/core@0.8.82",
|
|
23
23
|
"type": "library",
|
|
24
24
|
"name": "blamejs",
|
|
25
|
-
"version": "0.8.
|
|
25
|
+
"version": "0.8.82",
|
|
26
26
|
"scope": "required",
|
|
27
27
|
"author": "blamejs contributors",
|
|
28
28
|
"description": "The Node framework that owns its stack.",
|
|
29
|
-
"purl": "pkg:npm/%40blamejs/core@0.8.
|
|
29
|
+
"purl": "pkg:npm/%40blamejs/core@0.8.82",
|
|
30
30
|
"properties": [],
|
|
31
31
|
"externalReferences": [
|
|
32
32
|
{
|
|
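Review bot: `"name": "blamejs"` does not match the bumped `purl` `pkg:npm/%40blamejs/core@0.8.82` or the `bom-ref` `@blamejs/core@0.8.82`, where the npm scope is `@blamejs` and the package name is `core`; CycloneDX models scoped npm packages as `group` plus `name`, so this should be `"group": "@blamejs", "name": "core"` so that tooling matching components by group/name agrees with the purl.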
@@ -54,7 +54,7 @@
|
|
|
54
54
|
"components": [],
|
|
55
55
|
"dependencies": [
|
|
56
56
|
{
|
|
57
|
-
"ref": "@blamejs/core@0.8.
|
|
57
|
+
"ref": "@blamejs/core@0.8.82",
|
|
58
58
|
"dependsOn": []
|
|
59
59
|
}
|
|
60
60
|
]
|
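Review bot: `"components": []` together with `"dependsOn": []` leaves the SBOM declaring no dependencies at all, so the only effect of this hunk is the root `ref` bump; if `@blamejs/core` genuinely has no runtime dependencies, a metadata property saying so would stop consumers from reading the empty arrays as a generator failure, and if it does have dependencies the generator is not capturing them and the SBOM is empty as a supply-chain artifact.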