@blamejs/core 0.8.81 → 0.8.82
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +1 -0
- package/README.md +4 -3
- package/lib/compliance.js +126 -0
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.8.x
|
|
10
10
|
|
|
11
|
+
- v0.8.82 (2026-05-11) — **Privacy 2026 posture sweep**. 27 new postures land in `b.compliance.KNOWN_POSTURES` (with matching `REGIME_MAP` + `POSTURE_DEFAULTS` cascade entries) closing the privacy gap surfaced by the 2026-05-11 multi-agent compliance audit. **US federal**: `coppa` + `coppa-2025` (FTC final rule 2025-04-22, effective 2026-06-23 — biometric expansion + knowing-collection-13-and-under disclosure; cascade adds backupEncryptionRequired:true + vacuum-after-erase), `glba-safeguards` (GLBA Safeguards Rule 2024 Amendment, effective 2024-05-13; cascade matches pci-dss + nydfs-500 financial tier), `gina` (Genetic Information Nondiscrimination Act), `vppa` (Video Privacy Protection Act), `can-spam`, `il-gipa` (Illinois Genetic Information Privacy Act with post-2024 private right of action), `hhs-repro-24` (HHS Reproductive Health HIPAA Amendment 2024-12-23), `nist-pf-1.1` (NIST Privacy Framework 1.1, final 2025-04-14). **UK**: `uk-duaa` (Data (Use and Access) Act 2025 — Royal Assent 2025-06-19; replaces the abandoned DPDI Bill; cascade matches GDPR floor with vacuum-after-erase). **Latin America**: `cl-pdpa` (Chile Ley 21.719, enacted 2024-12-13, effective 2026-12-01; cascade mirrors gdpr), `mx-lfpdppp` (Mexico 2025 secondary reform), `ar-pdpa` (Argentina Ley 25.326). **APAC**: `pipa-kr` (Korea PIPA 2023 major amendment, phased 2023-09-15 / 2024-03-15), `au-privacy` (Australia Privacy Act + 2024 Amendment Act — statutory tort effective 2025-06-10), `th-pdpa`, `vn-pdp` (Vietnam PDP Law effective 2026-01-01), `id-pdp` (Indonesia PDP Law effective 2024-10-17), `my-pdpa` (Malaysia 2024 amendments effective 2025-04-30). **US state child-privacy**: `ny-safe-kids` + `ny-saffe` (NY Child Data Protection Act + Stop Addictive Feeds Exploitation, both effective 2025-06-20), `md-kids-code` (Maryland Age-Appropriate Design Code), `vt-aadc` (Vermont AADC). **EU non-personal-data + adjacent**: `dsa` (Digital Services Act, fully applicable 2024-02-17), `dga` (Data Governance Act, applicable 2023-09-24), `eu-cer` (Critical Entities Resilience Directive 2022/2557, transposition 2024-10-17), `eu-cyber-sol` (Cyber Solidarity Act 2025/38, effective 2025-02-04), `eidas-2` (eIDAS 2 / EUDI Wallet, rollout 2026-2027). New REGIME_MAP `domain` values introduced: `child-privacy`, `financial-privacy`, `consumer-privacy`, `genetic-privacy`, `platform-governance`, `identity` — operators rendering compliance dashboards grouped by domain pick up the new buckets via `b.compliance.posturesByDomain(domain)` without code changes.
|
|
11
12
|
- v0.8.81 (2026-05-11) — **AI-governance compliance postures + ISO 42001/23894 cross-walk + privacy catalog drift fixes**. 18 new postures register in `b.compliance.KNOWN_POSTURES` (and the matching `REGIME_MAP` + `POSTURE_DEFAULTS` cascade): state AI governance (`co-ai`, `il-hb3773`, `tx-traiga`, `ut-aipa`, `nyc-ll144`, `ca-tfaia` — frontier AI critical-incident records cascade to `backupEncryptionRequired:true`), international AI (`kr-ai-basic`, `cn-ai-label`), AI management standards (`iso-42001`, `iso-23894`), California gen-AI content credentials (`ca-sb942`, `ca-ab853`), substrate-to-posture cleanup so existing primitives gain catalog entries (`eaa` for EU Accessibility Act + `b.compliance-eaa`, `wcag-2-2` for `b.guardHtml.wcag`, `eu-data-act` for `b.dataAct`, `hitech` extending HIPAA-tier, `ferpa` for student records), plus `fl-fdbr` (Florida Digital Bill of Rights) and the long-missing `dpdp` (India DPDP Act 2023 — was in `POSTURE_DEFAULTS` cascade table but not in `KNOWN_POSTURES`, so `b.compliance.set("dpdp")` threw `compliance/unknown-posture`). **ISO 42001 + 23894 cross-walk**: new `b.compliance.aiAct.crossWalkIso42001([aiActCitation])` and `crossWalkIso23894()` return a 15-row mapping table linking EU AI Act articles (Art. 9 risk management → Art. 73 incident reporting) to ISO/IEC 42001:2023 Annex A controls and ISO/IEC 23894:2023 risk-management clauses. Operators chasing ISO 42001 certification under AI Act high-risk scope use the table to produce one cross-walk artifact instead of hand-rolling two separate audits; the table is read-only metadata, defensive copies returned, no behavior change at deploy time. **DSR drift fix**: `b.dsr.stateRules("fl-fdbr")` / `stateRules("FL")` now resolve (45-day response window, 15-day extension, 30-day cure, profiling opt-out enabled, minor opt-in 13). **Citation drift fix**: four state-privacy posture citations corrected from "(effective 2026-MM-DD)" to "(effective 2025-MM-DD)" — `modpa`, `nh-nhpa`, `nj-njdpa`, `mn-mncdpa` all took effect during 2025; the year-late citations would have surfaced as audit-trail discrepancies under operator review.
|
|
12
13
|
- v0.8.80 (2026-05-10) — **Bug fix — `b.config.loadDbBacked` overlapping-tick race**. `cfg.refresh()` calls `_tick()` directly and the periodic poller also invokes `_tick()` independently. When two ticks overlap (two `refresh()`es back-to-back, or `refresh()` racing a poll), the older read could resolve LAST and overwrite a newer config write — so `admin-save → await cfg.refresh()` was not guaranteed to leave the latest value active when `fetchRows` latency varied across calls. Reproducible by serving a 200ms read followed by a 20ms read; without the fix, the slower (older) result clobbered the faster (newer) one. Fix: every tick claims a monotonic sequence number at start; at apply-time, ticks whose sequence is older than the last-applied sequence drop with a `config.reload.skipped` audit emission (phase `stale-tick`). The high-water mark advances ONLY after `cfg.reload` succeeds — a newer tick whose validation fails must not suppress an older in-flight tick that still has valid data (otherwise `refresh(valid)` followed by `refresh(invalid)` could silently keep stale config active even though the valid update was about to land). Fetch / transform failures short-circuit before the apply path and likewise do NOT advance the watermark.
|
|
13
14
|
- v0.8.78 (2026-05-10) — save-triggered reload for `b.config.loadDbBacked`. Admin save handlers / settings-management UIs that write a row in `_blamejs_config_overrides` now call `await cfg.refresh()` immediately after the write, so the new value is active without waiting for the poll's `intervalMs` tick. The poll stays in place as a safety-net for drift (e.g., direct DB writes outside the admin path). `refresh()` returns a `Promise<void>` of identical shape to `cfg.hydrated`: resolves after the tick settles (success OR audit-on-failure), NEVER rejects so save handlers don't deadlock on a flaky DB. The existing `cfg.subscribe(fn)` continues to fire synchronously inside every successful reload — operators reach for it to invalidate caches / recompute derived state / hot-rebuild middleware that closed over the previous config. Three-tier precedence is documented explicitly in the `@primitive` block: DB-row overlay > `opts.env` baseline > schema `default(...)`.
|
package/README.md
CHANGED
|
@@ -156,9 +156,10 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
|
|
|
156
156
|
### Compliance regimes
|
|
157
157
|
|
|
158
158
|
- **Posture coordinator** — `b.compliance` cascades operator-declared regime into retention / audit / db / cryptoField via POSTURE_DEFAULTS:
|
|
159
|
-
- **US** — `hipaa` / `hipaa-2026` / `hitech` / `pci-dss` / `sox-404` / `soc2` / `soc2-cc1.3` / `sec-cyber` / `sec-17a-4` / `finra-4511` / `fda-21cfr11` / `fda-annex-11` / `modpa` / `nydfs-500` / `staterramp` / `ferpa` / `fl-fdbr`
|
|
160
|
-
- **EU / UK** — `gdpr` / `dora` / `nis2` / `cra` / `eu-data-act` / `eaa` / `uk-g-cloud`
|
|
161
|
-
- **APAC + LATAM** — `dpdp` / `pipl-cn` / `lgpd-br` / `appi-jp` / `pdpa-sg` / `quebec-25` / `irap` / `kr-ai-basic`
|
|
159
|
+
- **US** — `hipaa` / `hipaa-2026` / `hhs-repro-24` / `hitech` / `pci-dss` / `glba-safeguards` / `sox-404` / `soc2` / `soc2-cc1.3` / `sec-cyber` / `sec-17a-4` / `finra-4511` / `fda-21cfr11` / `fda-annex-11` / `modpa` / `nydfs-500` / `staterramp` / `ferpa` / `fl-fdbr` / `coppa` / `coppa-2025` / `gina` / `vppa` / `can-spam` / `il-gipa` / `nist-pf-1.1`
|
|
160
|
+
- **EU / UK** — `gdpr` / `dora` / `nis2` / `cra` / `eu-data-act` / `eaa` / `uk-g-cloud` / `uk-duaa` / `dsa` / `dga` / `eu-cer` / `eu-cyber-sol` / `eidas-2`
|
|
161
|
+
- **APAC + LATAM** — `dpdp` / `pipl-cn` / `lgpd-br` / `appi-jp` / `pdpa-sg` / `quebec-25` / `irap` / `kr-ai-basic` / `pipa-kr` / `au-privacy` / `th-pdpa` / `vn-pdp` / `id-pdp` / `my-pdpa` / `cl-pdpa` / `mx-lfpdppp` / `ar-pdpa`
|
|
162
|
+
- **Child privacy / age-appropriate design** — `ca-aadc` / `ny-safe-kids` / `ny-saffe` / `md-kids-code` / `vt-aadc`
|
|
162
163
|
- **Financial / data-portability** — `fapi2` / `fapi-2.0-message-signing` / `fdx` / `dsr`
|
|
163
164
|
- **AI governance** — `co-ai` / `il-hb3773` / `tx-traiga` / `ut-aipa` / `nyc-ll144` / `ca-tfaia` / `ca-sb942` / `ca-ab853` / `cn-ai-label` / `iso-42001` / `iso-23894`
|
|
164
165
|
- **Accessibility** — `wcag-2-2`
|
package/lib/compliance.js
CHANGED
|
@@ -164,6 +164,43 @@ var KNOWN_POSTURES = Object.freeze([
|
|
|
164
164
|
"hitech", // Health Information Technology for Economic and Clinical Health Act (2009)
|
|
165
165
|
"ferpa", // Family Educational Rights and Privacy Act (20 U.S.C. §1232g)
|
|
166
166
|
"dpdp", // India Digital Personal Data Protection Act 2023 (rules-pending; cascade tier exists)
|
|
167
|
+
// ---- v0.8.82 expansion — privacy 2026 sweep ----
|
|
168
|
+
// US federal child / financial privacy
|
|
169
|
+
"coppa", // Children's Online Privacy Protection Act (15 U.S.C. §6501)
|
|
170
|
+
"coppa-2025", // COPPA 2025 Amendment (FTC final 2025-04-22; effective 2026-06-23 — biometric expansion + knowing-collection disclosure)
|
|
171
|
+
"glba-safeguards", // GLBA Safeguards Rule 2024 Amendment (16 CFR Part 314 — effective 2024-05-13) // allow:raw-byte-literal — CFR title number, not bytes
|
|
172
|
+
// UK
|
|
173
|
+
"uk-duaa", // UK Data (Use and Access) Act 2025 (Royal Assent 2025-06-19; replaces DPDI Bill)
|
|
174
|
+
// Latin America
|
|
175
|
+
"cl-pdpa", // Chile Ley 21.719 (enacted 2024-12-13; effective 2026-12-01)
|
|
176
|
+
"mx-lfpdppp", // Mexico LFPDPPP + 2025 secondary reform
|
|
177
|
+
"ar-pdpa", // Argentina PDPA (Ley 25.326 + 2024 modernization bill)
|
|
178
|
+
// APAC
|
|
179
|
+
"pipa-kr", // South Korea Personal Information Protection Act (2023 major amendment)
|
|
180
|
+
"au-privacy", // Australia Privacy Act + 2024 Amendment Act (first tranche 2024-12-10; statutory tort 2025-06-10)
|
|
181
|
+
"th-pdpa", // Thailand PDPA (effective 2022-06-01)
|
|
182
|
+
"vn-pdp", // Vietnam PDP Decree 13/2023 + 2025 PDP Law (effective 2026-01-01)
|
|
183
|
+
"id-pdp", // Indonesia Personal Data Protection Law (effective 2024-10-17)
|
|
184
|
+
"my-pdpa", // Malaysia PDPA + 2024 amendments (effective 2025-04-30)
|
|
185
|
+
// US state child privacy / age-appropriate design codes
|
|
186
|
+
"ny-safe-kids", // NY Child Data Protection Act / SAFE for Kids Act (effective 2025-06-20)
|
|
187
|
+
"ny-saffe", // NY Stop Addictive Feeds Exploitation for Kids Act (effective 2025-06-20)
|
|
188
|
+
"md-kids-code", // Maryland Age-Appropriate Design Code (enacted 2024)
|
|
189
|
+
"vt-aadc", // Vermont Age-Appropriate Design Code (enacted 2024)
|
|
190
|
+
// US cross-cutting privacy / sectoral
|
|
191
|
+
"gina", // Genetic Information Nondiscrimination Act (effective 2009-11-21)
|
|
192
|
+
"vppa", // Video Privacy Protection Act (1988; class-action pixel-tracking surface)
|
|
193
|
+
"can-spam", // CAN-SPAM Act (effective 2004-01-01)
|
|
194
|
+
"il-gipa", // Illinois Genetic Information Privacy Act (post-2024 amendment private right of action)
|
|
195
|
+
"hhs-repro-24", // HHS Reproductive Health HIPAA Amendment (effective 2024-12-23)
|
|
196
|
+
// NIST cross-walks
|
|
197
|
+
"nist-pf-1.1", // NIST Privacy Framework 1.1 (final 2025-04-14)
|
|
198
|
+
// EU non-personal-data + adjacent
|
|
199
|
+
"dsa", // EU Digital Services Act (Regulation 2022/2065; fully applicable 2024-02-17)
|
|
200
|
+
"dga", // EU Data Governance Act (Regulation 2022/868; applicable 2023-09-24) // allow:raw-byte-literal — calendar day, not bytes
|
|
201
|
+
"eu-cer", // EU Critical Entities Resilience Directive (2022/2557; transposition 2024-10-17)
|
|
202
|
+
"eu-cyber-sol", // EU Cyber Solidarity Act (Regulation 2025/38; effective 2025-02-04)
|
|
203
|
+
"eidas-2", // eIDAS 2 / EUDI Wallet (Regulation 2024/1183; rollout 2026-2027)
|
|
167
204
|
]);
|
|
168
205
|
|
|
169
206
|
var STATE = { posture: null, setAt: null };
|
|
@@ -592,6 +629,42 @@ var REGIME_MAP = Object.freeze({
|
|
|
592
629
|
"hitech": { name: "Health Information Technology for Economic and Clinical Health Act", citation: "Pub. L. 111-5, Title XIII, Subtitle D (2009)", jurisdiction: "US", domain: "health" },
|
|
593
630
|
"ferpa": { name: "Family Educational Rights and Privacy Act", citation: "20 U.S.C. §1232g; 34 CFR Part 99", jurisdiction: "US", domain: "student-records" },
|
|
594
631
|
"dpdp": { name: "Digital Personal Data Protection Act 2023", citation: "Act 22 of 2023 (India; rules pending)", jurisdiction: "IN", domain: "privacy" },
|
|
632
|
+
// ---- v0.8.82 — privacy 2026 sweep ----
|
|
633
|
+
// US federal
|
|
634
|
+
"coppa": { name: "Children's Online Privacy Protection Act", citation: "15 U.S.C. §§6501-6506; 16 CFR Part 312 (effective 2000-04-21)", jurisdiction: "US", domain: "child-privacy" },
|
|
635
|
+
"coppa-2025": { name: "COPPA 2025 Amendment", citation: "FTC final rule (2025-04-22; effective 2026-06-23) — biometric expansion + knowing-collection-13-and-under disclosure", jurisdiction: "US", domain: "child-privacy" },
|
|
636
|
+
"glba-safeguards": { name: "GLBA Safeguards Rule 2024 Amendment", citation: "16 CFR Part 314 (effective 2024-05-13)", jurisdiction: "US", domain: "financial-privacy" },
|
|
637
|
+
"gina": { name: "Genetic Information Nondiscrimination Act", citation: "Pub. L. 110-233; 42 U.S.C. §2000ff et seq. (effective 2009-11-21)", jurisdiction: "US", domain: "genetic-privacy" },
|
|
638
|
+
"vppa": { name: "Video Privacy Protection Act", citation: "18 U.S.C. §2710 (effective 1988-11-05)", jurisdiction: "US", domain: "consumer-privacy" },
|
|
639
|
+
"can-spam": { name: "CAN-SPAM Act", citation: "15 U.S.C. §§7701-7713; 16 CFR Part 316 (effective 2004-01-01)", jurisdiction: "US", domain: "consumer-privacy" },
|
|
640
|
+
"il-gipa": { name: "Illinois Genetic Information Privacy Act", citation: "410 ILCS 513 (private right of action post-2024 amendment)", jurisdiction: "US-IL", domain: "genetic-privacy" },
|
|
641
|
+
"hhs-repro-24": { name: "HHS Reproductive Health HIPAA Amendment 2024", citation: "45 CFR Parts 160, 164 — Final Rule (effective 2024-12-23)", jurisdiction: "US", domain: "health" },
|
|
642
|
+
// NIST cross-walk
|
|
643
|
+
"nist-pf-1.1": { name: "NIST Privacy Framework 1.1", citation: "NIST PF 1.1 (final 2025-04-14)", jurisdiction: "US", domain: "privacy" },
|
|
644
|
+
// UK
|
|
645
|
+
"uk-duaa": { name: "UK Data (Use and Access) Act 2025", citation: "DUAA c. 26 (Royal Assent 2025-06-19; replaces DPDI Bill)", jurisdiction: "UK", domain: "privacy" },
|
|
646
|
+
// Latin America
|
|
647
|
+
"cl-pdpa": { name: "Chile Ley 21.719 Protección de Datos Personales", citation: "Ley 21.719 (enacted 2024-12-13; effective 2026-12-01)", jurisdiction: "CL", domain: "privacy" },
|
|
648
|
+
"mx-lfpdppp": { name: "Mexico LFPDPPP + 2025 reform", citation: "Ley Federal de Protección de Datos Personales en Posesión de los Particulares (2010 + 2025 secondary reform)", jurisdiction: "MX", domain: "privacy" },
|
|
649
|
+
"ar-pdpa": { name: "Argentina Personal Data Protection Act", citation: "Ley 25.326 + 2024 modernization bill (pending)", jurisdiction: "AR", domain: "privacy" },
|
|
650
|
+
// APAC
|
|
651
|
+
"pipa-kr": { name: "South Korea Personal Information Protection Act", citation: "PIPA 2011 + 2023 major amendment (phased 2023-09-15 / 2024-03-15)", jurisdiction: "KR", domain: "privacy" },
|
|
652
|
+
"au-privacy": { name: "Australia Privacy Act + 2024 Amendment Act", citation: "Privacy Act 1988 + Privacy and Other Legislation Amendment Act 2024 (first tranche 2024-12-10; statutory tort 2025-06-10)", jurisdiction: "AU", domain: "privacy" },
|
|
653
|
+
"th-pdpa": { name: "Thailand Personal Data Protection Act", citation: "PDPA B.E. 2562 (2019; full effect 2022-06-01)", jurisdiction: "TH", domain: "privacy" },
|
|
654
|
+
"vn-pdp": { name: "Vietnam Personal Data Protection Law", citation: "Decree 13/2023 + PDP Law (effective 2026-01-01)", jurisdiction: "VN", domain: "privacy" },
|
|
655
|
+
"id-pdp": { name: "Indonesia Personal Data Protection Law", citation: "Law 27 of 2022 (effective 2024-10-17)", jurisdiction: "ID", domain: "privacy" },
|
|
656
|
+
"my-pdpa": { name: "Malaysia Personal Data Protection Act", citation: "PDPA 2010 + 2024 amendments (effective 2025-04-30)", jurisdiction: "MY", domain: "privacy" },
|
|
657
|
+
// US state child privacy
|
|
658
|
+
"ny-safe-kids": { name: "NY Child Data Protection Act / SAFE for Kids Act", citation: "N.Y. Gen. Bus. Law §899-ff et seq. (effective 2025-06-20)", jurisdiction: "US-NY", domain: "child-privacy" },
|
|
659
|
+
"ny-saffe": { name: "NY Stop Addictive Feeds Exploitation for Kids Act", citation: "N.Y. Gen. Bus. Law §1500 et seq. (effective 2025-06-20)", jurisdiction: "US-NY", domain: "child-privacy" },
|
|
660
|
+
"md-kids-code": { name: "Maryland Age-Appropriate Design Code", citation: "Md. Code Ann., Com. Law §14-4901 et seq. (enacted 2024)", jurisdiction: "US-MD", domain: "child-privacy" },
|
|
661
|
+
"vt-aadc": { name: "Vermont Age-Appropriate Design Code", citation: "Vt. Stat. Ann. tit. 9 §2447 et seq. (enacted 2024)", jurisdiction: "US-VT", domain: "child-privacy" },
|
|
662
|
+
// EU non-personal-data + adjacent
|
|
663
|
+
"dsa": { name: "EU Digital Services Act", citation: "Regulation (EU) 2022/2065 (fully applicable 2024-02-17)", jurisdiction: "EU", domain: "platform-governance" },
|
|
664
|
+
"dga": { name: "EU Data Governance Act", citation: "Regulation (EU) 2022/868 (applicable 2023-09-24)", jurisdiction: "EU", domain: "data-sharing" },
|
|
665
|
+
"eu-cer": { name: "EU Critical Entities Resilience Directive", citation: "Directive (EU) 2022/2557 (transposition 2024-10-17)", jurisdiction: "EU", domain: "cybersecurity" },
|
|
666
|
+
"eu-cyber-sol": { name: "EU Cyber Solidarity Act", citation: "Regulation (EU) 2025/38 (effective 2025-02-04)", jurisdiction: "EU", domain: "cybersecurity" },
|
|
667
|
+
"eidas-2": { name: "eIDAS 2 / EUDI Wallet", citation: "Regulation (EU) 2024/1183 (rollout 2026-2027)", jurisdiction: "EU", domain: "identity" },
|
|
595
668
|
});
|
|
596
669
|
|
|
597
670
|
/**
|
|
@@ -802,6 +875,59 @@ var POSTURE_DEFAULTS = Object.freeze({
|
|
|
802
875
|
// v0.8.81 — EU Data Act covers B2G + IoT-data sharing; cascade
|
|
803
876
|
// floor matches GDPR-tier audit signing + TLS 1.3.
|
|
804
877
|
"eu-data-act": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
878
|
+
// v0.8.82 — COPPA + 2025 Amendment: child-data deletion + age-verification
|
|
879
|
+
// floor (operator-facing rule: when a covered child is identified, knowing-
|
|
880
|
+
// collection beyond age 13 requires verifiable parental consent; on
|
|
881
|
+
// withdrawal, full residue cleanup applies). Cascade: signed audit chain
|
|
882
|
+
// + vacuum-after-erase + TLS 1.3.
|
|
883
|
+
"coppa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
884
|
+
"coppa-2025": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
885
|
+
// v0.8.82 — GLBA Safeguards 2024 Amendment: financial-tier cascade
|
|
886
|
+
// matching pci-dss + nydfs-500 floor (encrypted backups + signed audit +
|
|
887
|
+
// TLS 1.3). No vacuum-after-erase mandate at this tier.
|
|
888
|
+
"glba-safeguards": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
889
|
+
// v0.8.82 — UK DUAA 2025: privacy-tier with GDPR-equivalent floor
|
|
890
|
+
// (signed audit + TLS 1.3 + vacuum-after-erase per UK GDPR Art. 17).
|
|
891
|
+
"uk-duaa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
892
|
+
// v0.8.82 — Chile Ley 21.719: GDPR-equivalent privacy floor with
|
|
893
|
+
// strict effective-erasure obligation under the right-to-erasure
|
|
894
|
+
// article (Art. 8). Cascade mirrors gdpr.
|
|
895
|
+
"cl-pdpa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
896
|
+
// v0.8.82 — Korea PIPA: privacy-tier with full erasure-residue cleanup
|
|
897
|
+
// under the right-to-erasure article. Cascade matches gdpr/lgpd-br tier.
|
|
898
|
+
"pipa-kr": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
899
|
+
// v0.8.82 — Australia Privacy Act 2024 Amendment: privacy-tier with
|
|
900
|
+
// statutory-tort exposure. Encrypted backups + signed audit + vacuum-
|
|
901
|
+
// after-erase per statutory right-to-erasure.
|
|
902
|
+
"au-privacy": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
903
|
+
// v0.8.82 — Other LATAM + APAC postures share the GDPR-equivalent
|
|
904
|
+
// privacy floor.
|
|
905
|
+
"mx-lfpdppp": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
906
|
+
"ar-pdpa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
907
|
+
"th-pdpa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
908
|
+
"vn-pdp": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
909
|
+
"id-pdp": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
910
|
+
"my-pdpa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
911
|
+
// v0.8.82 — US state child-privacy + cross-cutting US statutes.
|
|
912
|
+
"ny-safe-kids": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
913
|
+
"ny-saffe": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
914
|
+
"md-kids-code": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
915
|
+
"vt-aadc": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
916
|
+
"gina": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
917
|
+
"vppa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
918
|
+
"can-spam": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
919
|
+
"il-gipa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
920
|
+
"hhs-repro-24": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
921
|
+
// v0.8.82 — NIST Privacy Framework 1.1 cross-walk posture; cascade
|
|
922
|
+
// matches gdpr-tier audit signing.
|
|
923
|
+
"nist-pf-1.1": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
924
|
+
// v0.8.82 — EU platform/data/cyber adjacent: audit-chain signed,
|
|
925
|
+
// TLS 1.3, no special data-tier mandate at this layer.
|
|
926
|
+
"dsa": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
927
|
+
"dga": Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
928
|
+
"eu-cer": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
929
|
+
"eu-cyber-sol": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
|
|
930
|
+
"eidas-2": Object.freeze({ backupEncryptionRequired: true, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true }),
|
|
805
931
|
});
|
|
806
932
|
|
|
807
933
|
/**
|
package/package.json
CHANGED
package/sbom.cdx.json
CHANGED
|
@@ -2,10 +2,10 @@
|
|
|
2
2
|
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
|
|
3
3
|
"bomFormat": "CycloneDX",
|
|
4
4
|
"specVersion": "1.6",
|
|
5
|
-
"serialNumber": "urn:uuid:
|
|
5
|
+
"serialNumber": "urn:uuid:309a8ed5-6be3-41c5-b29a-f23cdc9a41ca",
|
|
6
6
|
"version": 1,
|
|
7
7
|
"metadata": {
|
|
8
|
-
"timestamp": "2026-05-
|
|
8
|
+
"timestamp": "2026-05-11T15:08:03.856Z",
|
|
9
9
|
"lifecycles": [
|
|
10
10
|
{
|
|
11
11
|
"phase": "build"
|
|
@@ -19,14 +19,14 @@
|
|
|
19
19
|
}
|
|
20
20
|
],
|
|
21
21
|
"component": {
|
|
22
|
-
"bom-ref": "@blamejs/core@0.8.
|
|
22
|
+
"bom-ref": "@blamejs/core@0.8.82",
|
|
23
23
|
"type": "library",
|
|
24
24
|
"name": "blamejs",
|
|
25
|
-
"version": "0.8.
|
|
25
|
+
"version": "0.8.82",
|
|
26
26
|
"scope": "required",
|
|
27
27
|
"author": "blamejs contributors",
|
|
28
28
|
"description": "The Node framework that owns its stack.",
|
|
29
|
-
"purl": "pkg:npm/%40blamejs/core@0.8.
|
|
29
|
+
"purl": "pkg:npm/%40blamejs/core@0.8.82",
|
|
30
30
|
"properties": [],
|
|
31
31
|
"externalReferences": [
|
|
32
32
|
{
|
|
@@ -54,7 +54,7 @@
|
|
|
54
54
|
"components": [],
|
|
55
55
|
"dependencies": [
|
|
56
56
|
{
|
|
57
|
-
"ref": "@blamejs/core@0.8.
|
|
57
|
+
"ref": "@blamejs/core@0.8.82",
|
|
58
58
|
"dependsOn": []
|
|
59
59
|
}
|
|
60
60
|
]
|