@blamejs/core 0.8.9 → 0.8.10

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.10** (2026-05-07) — Five new compliance / regulatory primitives composing on v0.8.9's `b.incident.report`. **`b.cra.report`** — EU Cyber Resilience Act (Regulation (EU) 2024/2847) Article 14 §1 incident reporting wrapper. Three-stage statutory deadlines: 24h early warning / 72h incident notification / 14d final report. Required `productId` + `manufacturer` per Annex VII §1. Optional ENISA submission via `opts.enisaEndpoint` + `b.httpClient`; submission is operator-opt-in per stage call (regulators uniformly require operator review before filing). **`b.nis2.report`** — NIS2 Directive (Directive (EU) 2022/2555) Article 23 §4 incident reporting wrapper. Three-stage deadlines: 24h / 72h / 1 month. Annex I (essential) / Annex II (important) entity classification + sector codes (`I.6` drinking water / `II.6` digital providers / etc.). **`b.gdpr.ropa`** — GDPR Article 30 Records of Processing Activities registry + JSON / CSV / Markdown exporter. Validates required fields per Article 30 §1; legal-basis enum per Article 6(1); produces a regulator-friendly RoPA document for the operator's DPO to file. **`b.compliance.eaa`** — EU Accessibility Act (Directive (EU) 2019/882) Article 13 declared-conformance generator. Operators declare per-criterion conformance against WCAG 2.1/2.2 AA / EN 301 549; non-conformances ship with reason + mitigation. JSON / Markdown export for the operator's accessibility statement. **`b.middleware.botDisclose`** — California SB 1001 (Cal. Bus. & Prof. Code §17941) bot-disclosure middleware. Injects a disclosure banner into HTML responses, sets `X-Bot-Disclosure` header for API consumers, audits every conversation-initiating request. Operators wire `mountPaths` to scope and `bannerHtml` for visual customization.
+
 - **0.8.9** (2026-05-07) — `b.incident.report` — generic 3-stage incident-reporting primitive. The three stages mirror the deadline pattern that recurs across regulatory regimes: initial / early-warning notification (within 24h of detection), intermediate / status update (within 72h), final report (within 30d or per-regime deadline). Built-in per-regime deadlines for `gdpr` (Article 33), `nis2` (Article 23), `dora` (Article 19), `cra` (Article 14), `hipaa` (Breach Notification Rule); operators select via `regime: "gdpr"` and `opts.deadlines` can override per-stage. Each stage records a tamper-evident audit event (`incident.report.stage_recorded`) with a `late: bool` + `lateBy: ms` flag — late filings are recorded with `outcome: "late"` so regulator audits can distinguish on-time from late-but-eventually filings. Operator-supplied `persist(record)` writes to a DB / SIEM / SOAR system; `onStage(event)` fires for synchronous routing. `status()` returns aggregate counts (open / closed / late-per-stage) for dashboards.
 
 - **0.8.8** (2026-05-07) — `b.middleware.requireBoundKey` + `b.audit.rotateSigningKey` / `reSignAll` + `b.circuitBreaker` top-level surface + `b.htmlBalance.checkSafe` + permissions predicate-shape audit + FIPS 140-3 boundary docs + ESLint pin. **`b.middleware.requireBoundKey`** — Bearer-API-key middleware with three-axis binding: required scopes, bound-field equality (operator pulls values from headers / query / body via `getBoundField` getters; bound-fields registered on the key are checked with constant-time match), and peer-cert fingerprint allowlist (composes with v0.8.4's `b.crypto.hashCertFingerprint` / `isCertRevoked`). Operator-supplied async `resolver(apiKey)` returns the registered record `{ id, scopes, boundFields, peerCertFingerprints }` or `null` when revoked. Refusals carry structured reasons (`no-bearer-token`, `key-unknown-or-revoked`, `missing-scope`, `bound-field-missing`, `bound-field-mismatch`, `peer-cert-required`, `peer-cert-not-pinned`); audit chain captures the keyId + reason on every refusal. **`b.audit.rotateSigningKey`** — operator-callable rotation of the audit-signing keypair. Generates (or accepts BYO) a new keypair, copies the existing sealed file to a timestamped history path so historical signatures remain verifiable, re-seals with the operator's passphrase, and atomic-swaps the in-memory keys. Companion `reSignAll(iter)` walks an operator-supplied async iterable of `{ payload, signature, oldPublicKeyPem }` and re-signs each entry with the new key — the audit module's checkpoint store calls this to re-stamp historical checkpoints after a rotation. **`b.circuitBreaker`** — top-level re-export of `b.retry.CircuitBreaker` so operators discover it alongside `b.retry`; same state machine, same `wrap()` API, ergonomic `create(opts)` factory. **`b.htmlBalance.checkSafe(html, opts)`** — combines structural `balance()` check with a `b.guardHtml.gate` security pass under the same `{ profile, posture }` opt shape used by `b.fileUpload({ contentSafety })` / `b.staticServe({ contentSafety })`. **`b.permissions.policy(scope, predicate)`** — emits `permissions.policy_predicate_shape_warning` audit on register-time when the predicate's `.length < 2` (operators commonly forget the `context` argument and ship a predicate that's always-true on the actor parameter). **`SECURITY.md`** — new "FIPS 140-3 cryptographic boundary" section explaining the dual boundary (Node.js OpenSSL FIPS provider for classical primitives, vendored noble-* implementations for PQ algorithms — the latter implement FIPS-published algorithms but the *implementations themselves* are not CMVP-validated). Operator path for FIPS-mandated environments documented. **CI** — eslint pinned to `10.3.0` across `ci.yml` / `npm-publish.yml` / `release-container.yml`; `eslint@latest` was silently letting new rule additions break the publish gate on releases that had passed the day before. The pin moves on operator-confirmed bumps.

package/index.js

@@ -98,7 +98,9 @@ var safeUrl = require("./lib/safe-url");
 var safeRedirect = require("./lib/safe-redirect");
 var pick = require("./lib/pick");
 var dora = require("./lib/dora");
-var compliance = require("./lib/compliance");
+var compliance = Object.assign({}, require("./lib/compliance"), {
+  eaa: require("./lib/compliance-eaa"),
+});
 var gateContract = require("./lib/gate-contract");
 var guardCsv = require("./lib/guard-csv");
 var guardHtml = require("./lib/guard-html");
@@ -249,6 +251,9 @@ module.exports = {
   retry:            retry,
   circuitBreaker:   require("./lib/circuit-breaker"),
   incident:         { report: require("./lib/incident-report") },
+  cra:              { report: require("./lib/cra-report") },
+  nis2:             { report: require("./lib/nis2-report") },
+  gdpr:             { ropa: require("./lib/gdpr-ropa") },
   queue:            queue,
   logStream:        logStream,
   redact:           redact,

package/lib/compliance-eaa.js

@@ -0,0 +1,204 @@
+"use strict";
+/**
+ * b.compliance.eaa — EU Accessibility Act declared-conformance.
+ *
+ * Directive (EU) 2019/882 (the European Accessibility Act) requires
+ * digital products + services placed on the EU market to meet WCAG
+ * 2.1 AA accessibility requirements (extended to 2.2 by national
+ * implementing law in many member states). Operators producing a
+ * compliant deployment ship a "conformance statement" — a document
+ * declaring the product, the assessed standards (WCAG 2.1 / 2.2 /
+ * EN 301 549), the scope of testing, and any non-conforming
+ * features with operator-supplied justification.
+ *
+ *   var eaa = b.compliance.eaa.create({
+ *     audit:        b.audit,
+ *     productName:  "Acme Customer Portal",
+ *     productScope: "https://portal.acme.example",
+ *     standards:    ["WCAG 2.2 AA", "EN 301 549 v3.2.1"],
+ *   });
+ *   eaa.declareCriterion("1.1.1", { conformance: "supports", note: "..." });
+ *   eaa.declareCriterion("1.4.3", { conformance: "supports", note: "ratio >= 4.5:1" });
+ *   eaa.declareNonConformance({
+ *     criterion: "2.5.5",
+ *     reason:    "legacy desktop-only interaction, replacement Q3 2026",
+ *     mitigation: "alternative keyboard path documented",
+ *   });
+ *   var doc = eaa.export({ format: "markdown" });
+ *
+ * The exported document goes alongside the operator's product
+ * documentation and serves as the "Accessibility Statement" required
+ * by Article 13 §3.
+ */
+
+var defineClass = require("./framework-error").defineClass;
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var ComplianceEaaError = defineClass("ComplianceEaaError", { alwaysPermanent: true });
+
+var VALID_CONFORMANCE = Object.freeze({
+  "supports":          1,                                                                // criterion fully met
+  "partially-supports": 1,                                                               // some content meets, gaps documented
+  "does-not-support":  1,                                                                // criterion not met (declared non-conformance)
+  "not-applicable":    1,                                                                // criterion does not apply to product
+  "not-evaluated":     1,                                                                // outside the assessed scope
+});
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "productName", "productScope", "standards",
+    "contact", "supervisoryAuthority", "now",
+  ], "compliance.eaa");
+
+  validateOpts.requireNonEmptyString(opts.productName,
+    "compliance.eaa.create: opts.productName is required (Article 13 §3 requires product identification)",
+    ComplianceEaaError, "compliance-eaa/bad-product");
+  if (!Array.isArray(opts.standards) || opts.standards.length === 0) {
+    throw new ComplianceEaaError("compliance-eaa/bad-standards",
+      "compliance.eaa.create: opts.standards is required (e.g. ['WCAG 2.2 AA', 'EN 301 549 v3.2.1'])");
+  }
+  var productName = opts.productName;
+  var productScope = opts.productScope || null;
+  var standards = opts.standards.slice();
+  var contact = opts.contact || null;
+  var supervisoryAuthority = opts.supervisoryAuthority || null;
+  var auditOn = opts.audit !== false;
+  var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
+
+  var criteria = new Map();
+  var nonConformances = [];
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "compliance.eaa." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  function declareCriterion(id, decl) {
+    if (typeof id !== "string" || id.length === 0) {
+      throw new ComplianceEaaError("compliance-eaa/bad-criterion-id",
+        "compliance.eaa.declareCriterion: id must be a non-empty string (e.g. '1.1.1')");
+    }
+    if (!decl || typeof decl !== "object") {
+      throw new ComplianceEaaError("compliance-eaa/bad-decl",
+        "compliance.eaa.declareCriterion: decl must be an object with { conformance, note? }");
+    }
+    if (!VALID_CONFORMANCE[decl.conformance]) {
+      throw new ComplianceEaaError("compliance-eaa/bad-conformance",
+        "compliance.eaa.declareCriterion: conformance must be one of " + Object.keys(VALID_CONFORMANCE).join(", "));
+    }
+    criteria.set(id, {
+      criterion:   id,
+      conformance: decl.conformance,
+      note:        decl.note || "",
+      declaredAt:  now(),
+    });
+    _emitAudit("criterion_declared", "success", { criterion: id, conformance: decl.conformance });
+  }
+
+  function declareNonConformance(decl) {
+    if (!decl || typeof decl !== "object" || !decl.criterion || !decl.reason) {
+      throw new ComplianceEaaError("compliance-eaa/bad-non-conformance",
+        "compliance.eaa.declareNonConformance: decl must include { criterion, reason, mitigation? }");
+    }
+    nonConformances.push({
+      criterion:   decl.criterion,
+      reason:      decl.reason,
+      mitigation:  decl.mitigation || null,
+      declaredAt:  now(),
+    });
+    criteria.set(decl.criterion, {
+      criterion:   decl.criterion,
+      conformance: "does-not-support",
+      note:        decl.reason + (decl.mitigation ? " (mitigation: " + decl.mitigation + ")" : ""),
+      declaredAt:  now(),
+    });
+    _emitAudit("non_conformance_declared", "warning", { criterion: decl.criterion });
+  }
+
+  function _stats() {
+    var counts = { supports: 0, "partially-supports": 0, "does-not-support": 0, "not-applicable": 0, "not-evaluated": 0 };
+    criteria.forEach(function (c) { counts[c.conformance] += 1; });
+    return counts;
+  }
+
+  function _exportJson() {
+    var c = []; criteria.forEach(function (rec) { c.push(rec); });
+    return {
+      directive:            "(EU) 2019/882",
+      article:              "13",
+      generatedAt:          new Date(now()).toISOString(),
+      product:              { name: productName, scope: productScope },
+      standards:            standards,
+      contact:              contact,
+      supervisoryAuthority: supervisoryAuthority,
+      criteria:             c,
+      nonConformances:      nonConformances,
+      stats:                _stats(),
+    };
+  }
+  function _exportMarkdown() {
+    var stats = _stats();
+    var c = []; criteria.forEach(function (rec) { c.push(rec); });
+    var md = "# Accessibility Statement — " + productName + "\n\n";
+    md += "**Standards:** " + standards.join(", ") + "\n\n";
+    if (productScope) md += "**Scope:** " + productScope + "\n\n";
+    md += "Generated: " + new Date(now()).toISOString() + "\n\n";
+    md += "## Conformance summary\n\n";
+    md += "- Supports: " + stats.supports + "\n";
+    md += "- Partially supports: " + stats["partially-supports"] + "\n";
+    md += "- Does not support: " + stats["does-not-support"] + "\n";
+    md += "- Not applicable: " + stats["not-applicable"] + "\n\n";
+    if (nonConformances.length > 0) {
+      md += "## Non-conformances\n\n";
+      for (var i = 0; i < nonConformances.length; i++) {
+        var nc = nonConformances[i];
+        md += "### " + nc.criterion + "\n\n";
+        md += "- Reason: " + nc.reason + "\n";
+        if (nc.mitigation) md += "- Mitigation: " + nc.mitigation + "\n";
+        md += "\n";
+      }
+    }
+    md += "## Per-criterion declarations\n\n";
+    for (var ci = 0; ci < c.length; ci++) {
+      md += "- **" + c[ci].criterion + "** — " + c[ci].conformance;
+      if (c[ci].note) md += " — " + c[ci].note;
+      md += "\n";
+    }
+    if (contact) md += "\n## Contact\n\n" + (contact.name || "") + " (" + (contact.email || "") + ")\n";
+    return md;
+  }
+
+  function exportEaa(eopts) {
+    eopts = eopts || {};
+    var format = (eopts.format || "json").toLowerCase();
+    _emitAudit("exported", "success", { format: format, criteriaCount: criteria.size });
+    if (format === "json")     return _exportJson();
+    if (format === "markdown") return _exportMarkdown();
+    throw new ComplianceEaaError("compliance-eaa/bad-format",
+      "compliance.eaa.export: format must be 'json' or 'markdown'");
+  }
+
+  return {
+    declareCriterion:       declareCriterion,
+    declareNonConformance:  declareNonConformance,
+    "export":               exportEaa,
+    stats:                  _stats,
+    VALID_CONFORMANCE:      Object.keys(VALID_CONFORMANCE),
+  };
+}
+
+module.exports = {
+  create:               create,
+  ComplianceEaaError:   ComplianceEaaError,
+  VALID_CONFORMANCE:    Object.keys(VALID_CONFORMANCE),
+};

package/lib/cra-report.js

@@ -0,0 +1,195 @@
+"use strict";
+/**
+ * b.cra.report — EU Cyber Resilience Act incident-reporting wrapper.
+ *
+ * The Cyber Resilience Act (Regulation (EU) 2024/2847) Article 14 §1
+ * mandates that manufacturers of digital products report actively-
+ * exploited vulnerabilities and severe incidents to ENISA + national
+ * authorities. The framework's b.incident.report primitive provides
+ * the generic 3-stage shape; this wrapper specializes it with the
+ * CRA-specific reporting fields, deadlines (24h early warning / 72h
+ * incident notification / 14d final report), and the ENISA single-
+ * reporting-point destination.
+ *
+ *   var cra = b.cra.report.create({
+ *     enisaEndpoint: "https://enisa-spr.europa.eu/api/incidents",
+ *     httpClient:    b.httpClient,
+ *     audit:         b.audit,
+ *     productId:     "blamejs-1.x",
+ *     manufacturer:  { name: "Acme Co", contact: "security@acme.example" },
+ *   });
+ *   var inc = await cra.open({
+ *     detectedAt:    Date.now(),
+ *     vulnerability: { cveId: "CVE-2026-99999", actively_exploited: true },
+ *     impact:        { ... },
+ *   });
+ *   await cra.earlyWarning(inc.id, { ... });        // 24h
+ *   await cra.notification(inc.id, { ... });        // 72h
+ *   await cra.finalReport(inc.id, { ... });         // 14d
+ *
+ * The wrapper composes b.incident.report so the audit chain shape,
+ * persistence hook, and status surface stay consistent across every
+ * regulatory regime. Per-regime CRA semantics:
+ *   - early warning may be terse ("incident detected, scope unknown")
+ *   - notification carries impact + mitigation + scope
+ *   - final report adds root cause + lessons learned
+ *
+ * Submission to ENISA is opt-in per call (operators may want to
+ * batch / approve before submission); pass { submit: true } on each
+ * stage call to push through the operator's b.httpClient. The
+ * primitive does NOT auto-submit on stage transitions — regulators
+ * uniformly require operator review before filing.
+ */
+
+var C = require("./constants");
+var defineClass = require("./framework-error").defineClass;
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+
+var incidentReport = lazyRequire(function () { return require("./incident-report"); });
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var CraReportError = defineClass("CraReportError", { alwaysPermanent: true });
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "persist", "httpClient", "enisaEndpoint",
+    "productId", "manufacturer", "now",
+  ], "cra.report");
+
+  validateOpts.requireNonEmptyString(opts.productId,
+    "cra.report.create: opts.productId is required (CRA Annex VII §1 requires a stable product identifier)",
+    CraReportError, "cra-report/bad-product-id");
+  if (!opts.manufacturer || typeof opts.manufacturer !== "object") {
+    throw new CraReportError("cra-report/bad-manufacturer",
+      "cra.report.create: opts.manufacturer is required (CRA Annex VII §1 requires manufacturer name + contact)");
+  }
+  var productId = opts.productId;
+  var manufacturer = opts.manufacturer;
+  var enisaEndpoint = typeof opts.enisaEndpoint === "string" && opts.enisaEndpoint.length > 0
+    ? opts.enisaEndpoint : null;
+  var httpClient = opts.httpClient || null;
+  var auditOn = opts.audit !== false;
+
+  // CRA Article 14 deadlines — operators don't override these without
+  // documented regulatory justification (the deadlines are statutory,
+  // not operator preference).
+  var ir = incidentReport().create({
+    audit:    opts.audit,
+    persist:  opts.persist,
+    now:      opts.now,
+    deadlines: {
+      // initial = "early warning" per CRA Article 14 §1(a) — 24h
+      initial:      C.TIME.hours(24),
+      // intermediate = "incident notification" per CRA Article 14 §1(b) — 72h
+      intermediate: C.TIME.hours(72),
+      // final = "final report" per CRA Article 14 §1(c) — 14 days
+      final:        C.TIME.days(14),
+    },
+  });
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "cra.report." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  async function _submitToEnisa(payload) {
+    if (!enisaEndpoint || !httpClient) {
+      _emitAudit("submit_skipped", "warning", { reason: "no-endpoint-or-client" });
+      return { submitted: false, reason: "no-endpoint-or-client" };
+    }
+    try {
+      var res = await httpClient.request({
+        url:           enisaEndpoint,
+        method:        "POST",
+        headers:       { "Content-Type": "application/json" },
+        body:          Buffer.from(JSON.stringify(payload), "utf8"),
+        responseMode:  "always-resolve",
+      });
+      var ok = res.statusCode >= 200 && res.statusCode < 300;                        // allow:raw-byte-literal — HTTP status range
+      _emitAudit("submitted", ok ? "success" : "failure", {
+        statusCode: res.statusCode, productId: productId,
+      });
+      return { submitted: ok, statusCode: res.statusCode };
+    } catch (e) {
+      _emitAudit("submit_failed", "failure", { error: (e && e.message) || String(e) });
+      return { submitted: false, error: (e && e.message) || String(e) };
+    }
+  }
+
+  function _craEnvelope(stage, incident, fields) {
+    return {
+      cra_version:   "2024/2847",
+      stage:         stage,                                                            // "early-warning" / "notification" / "final"
+      product:       { id: productId },
+      manufacturer:  manufacturer,
+      incident: {
+        id:           incident.id,
+        detected_at:  new Date(incident.detectedAt).toISOString(),
+        scope:        incident.scope,
+        summary:      incident.summary,
+        impact:       incident.impact,
+      },
+      fields:        fields || {},
+    };
+  }
+
+  async function open(spec) {
+    spec = Object.assign({}, spec || {}, { regime: "cra" });
+    var rec = await ir.open(spec);
+    _emitAudit("opened", "success", { incidentId: rec.id, productId: productId });
+    return rec;
+  }
+
+  async function earlyWarning(incidentId, fields) {
+    var rec = await ir.recordInitial(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToEnisa(_craEnvelope("early-warning", rec, fields));
+    }
+    return result;
+  }
+
+  async function notification(incidentId, fields) {
+    var rec = await ir.recordIntermediate(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToEnisa(_craEnvelope("notification", rec, fields));
+    }
+    return result;
+  }
+
+  async function finalReport(incidentId, fields) {
+    var rec = await ir.recordFinal(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToEnisa(_craEnvelope("final", rec, fields));
+    }
+    return result;
+  }
+
+  return {
+    open:           open,
+    earlyWarning:   earlyWarning,
+    notification:   notification,
+    finalReport:    finalReport,
+    // Forward incident.report observability surface
+    get:            function (id) { return ir.get(id); },
+    list:           function ()   { return ir.list(); },
+    status:         function ()   { return ir.status(); },
+    productId:      productId,
+    manufacturer:   manufacturer,
+  };
+}
+
+module.exports = {
+  create:           create,
+  CraReportError:   CraReportError,
+};

package/lib/gdpr-ropa.js

@@ -0,0 +1,261 @@
+"use strict";
+/**
+ * b.gdpr.ropa — GDPR Article 30 Records of Processing Activities.
+ *
+ * Article 30 §1 (controller) + §2 (processor) require a written
+ * record of processing activities. The framework's existing audit
+ * chain captures *what happened* on each request; the RoPA captures
+ * *what processing the operator does in general* — purposes, data
+ * categories, retention periods, recipients, transfers outside the
+ * EEA, security measures.
+ *
+ * The primitive is a registry + exporter:
+ *   - register(activity)          — add a processing-activity record
+ *   - update(id, patch)           — modify an existing record
+ *   - remove(id)                  — soft-delete (operator audit trail)
+ *   - export({ format })          — emit RoPA as JSON / CSV / Markdown
+ *
+ *   var ropa = b.gdpr.ropa.create({
+ *     audit:        b.audit,
+ *     controller:   { name: "Acme Co", contact: "dpo@acme.example" },
+ *   });
+ *   ropa.register({
+ *     id:                  "sales-funnel-tracking",
+ *     name:                "Sales-funnel CRM tracking",
+ *     purposes:            ["lead-tracking", "sales-attribution"],
+ *     legalBasis:          "legitimate-interests",
+ *     dataCategories:      ["contact-info", "engagement-history"],
+ *     dataSubjectCategories: ["prospects", "customers"],
+ *     recipients:          ["analytics-vendor", "sales-team"],
+ *     thirdCountryTransfers: [{ country: "US", safeguard: "scc-2021" }],
+ *     retentionPeriod:     "5 years post-relationship",
+ *     securityMeasures:    ["encrypted-at-rest", "tls-13", "access-control"],
+ *   });
+ *   var json = ropa.export({ format: "json" });
+ */
+
+var defineClass = require("./framework-error").defineClass;
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var GdprRopaError = defineClass("GdprRopaError", { alwaysPermanent: true });
+
+var REQUIRED_ACTIVITY_FIELDS = Object.freeze([
+  "id", "name", "purposes", "legalBasis", "dataCategories",
+]);
+
+var VALID_LEGAL_BASES = Object.freeze({
+  "consent":               1,                                                            // Art 6(1)(a)
+  "contract":              1,                                                            // Art 6(1)(b)
+  "legal-obligation":      1,                                                            // Art 6(1)(c)
+  "vital-interests":       1,                                                            // Art 6(1)(d)
+  "public-task":           1,                                                            // Art 6(1)(e)
+  "legitimate-interests":  1,                                                            // Art 6(1)(f)
+});
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "controller", "dpo", "supervisoryAuthority", "now",
+  ], "gdpr.ropa");
+
+  if (!opts.controller || typeof opts.controller !== "object") {
+    throw new GdprRopaError("gdpr-ropa/bad-controller",
+      "gdpr.ropa.create: opts.controller is required (Article 30 §1(a) requires controller name + contact)");
+  }
+  var controller = opts.controller;
+  var dpo = opts.dpo || null;
+  var supervisoryAuthority = opts.supervisoryAuthority || null;
+  var auditOn = opts.audit !== false;
+  var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
+
+  var activities = new Map();
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "gdpr.ropa." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  function _validateActivity(activity, op) {
+    if (!activity || typeof activity !== "object") {
+      throw new GdprRopaError("gdpr-ropa/bad-activity",
+        "gdpr.ropa." + op + ": activity must be an object");
+    }
+    for (var i = 0; i < REQUIRED_ACTIVITY_FIELDS.length; i++) {
+      var f = REQUIRED_ACTIVITY_FIELDS[i];
+      if (activity[f] === undefined) {
+        throw new GdprRopaError("gdpr-ropa/missing-field",
+          "gdpr.ropa." + op + ": activity is missing required field '" + f + "' (per Article 30 §1)");
+      }
+    }
+    if (typeof activity.id !== "string" || activity.id.length === 0) {
+      throw new GdprRopaError("gdpr-ropa/bad-id",
+        "gdpr.ropa." + op + ": activity.id must be a non-empty string");
+    }
+    if (!VALID_LEGAL_BASES[activity.legalBasis]) {
+      throw new GdprRopaError("gdpr-ropa/bad-legal-basis",
+        "gdpr.ropa." + op + ": activity.legalBasis must be one of " + Object.keys(VALID_LEGAL_BASES).join(", "));
+    }
+  }
+
+  function register(activity) {
+    _validateActivity(activity, "register");
+    if (activities.has(activity.id)) {
+      throw new GdprRopaError("gdpr-ropa/duplicate-id",
+        "gdpr.ropa.register: activity '" + activity.id + "' already registered");
+    }
+    var rec = Object.assign({}, activity, {
+      registeredAt: now(),
+      lastUpdatedAt: now(),
+    });
+    activities.set(activity.id, rec);
+    _emitAudit("registered", "success", { id: activity.id, purposes: activity.purposes });
+    return rec;
+  }
+
+  function update(id, patch) {
+    var existing = activities.get(id);
+    if (!existing) {
+      throw new GdprRopaError("gdpr-ropa/not-found",
+        "gdpr.ropa.update: no activity with id '" + id + "'");
+    }
+    if (!patch || typeof patch !== "object") {
+      throw new GdprRopaError("gdpr-ropa/bad-patch",
+        "gdpr.ropa.update: patch must be an object");
+    }
+    var merged = Object.assign({}, existing, patch, {
+      id: id,                                                                            // id is immutable on update
+      registeredAt: existing.registeredAt,
+      lastUpdatedAt: now(),
+    });
+    if (patch.legalBasis && !VALID_LEGAL_BASES[merged.legalBasis]) {
+      throw new GdprRopaError("gdpr-ropa/bad-legal-basis",
+        "gdpr.ropa.update: legalBasis must be one of " + Object.keys(VALID_LEGAL_BASES).join(", "));
+    }
+    activities.set(id, merged);
+    _emitAudit("updated", "success", { id: id, fields: Object.keys(patch) });
+    return merged;
+  }
+
+  function remove(id, info) {
+    var existing = activities.get(id);
+    if (!existing) {
+      throw new GdprRopaError("gdpr-ropa/not-found",
+        "gdpr.ropa.remove: no activity with id '" + id + "'");
+    }
+    activities.delete(id);
+    _emitAudit("removed", "success", {
+      id: id,
+      reason: (info && info.reason) || null,
+      actor:  (info && info.actor) || null,
+    });
+    return { removed: true, id: id };
+  }
+
+  function get(id) { return activities.get(id) || null; }
+  function list() {
+    var out = [];
+    activities.forEach(function (rec) { out.push(rec); });
+    return out;
+  }
+
+  // Operator-facing exporter — JSON for API integrations / SCC, CSV
+  // for spreadsheet handoff to legal, Markdown for human-readable
+  // operator documentation. Each shape carries the same fields per
+  // Article 30 §1(a-h) / §2(a-d).
+  function _exportJson() {
+    return {
+      controller:           controller,
+      dpo:                  dpo,
+      supervisoryAuthority: supervisoryAuthority,
+      generatedAt:          new Date(now()).toISOString(),
+      article:              "30",
+      regulation:           "(EU) 2016/679 (GDPR)",
+      activities:           list(),
+    };
+  }
+  function _exportCsv() {
+    var headers = [
+      "id", "name", "purposes", "legalBasis", "dataCategories",
+      "dataSubjectCategories", "recipients", "thirdCountryTransfers",
+      "retentionPeriod", "securityMeasures",
+    ];
+    var rows = [headers.join(",")];
+    var entries = list();
+    for (var i = 0; i < entries.length; i++) {
+      var e = entries[i];
+      var row = headers.map(function (h) {
+        var v = e[h];
+        if (v === undefined || v === null) return "";
+        if (Array.isArray(v)) return JSON.stringify(v).replace(/"/g, "\"\"");
+        return String(v).replace(/"/g, "\"\"");
+      });
+      rows.push(row.map(function (c) { return '"' + c + '"'; }).join(","));
+    }
+    return rows.join("\n");
+  }
+  function _exportMarkdown() {
+    var entries = list();
+    var md = "# GDPR Article 30 Records of Processing Activities\n\n";
+    md += "Generated: " + new Date(now()).toISOString() + "\n\n";
+    md += "Controller: " + (controller.name || "(unspecified)") + "\n";
+    md += "Contact: " + (controller.contact || "(unspecified)") + "\n\n";
+    if (dpo) md += "DPO: " + (dpo.name || "(unspecified)") + " (" + (dpo.contact || "") + ")\n\n";
+    md += "## Activities (" + entries.length + ")\n\n";
+    for (var i = 0; i < entries.length; i++) {
+      var e = entries[i];
+      md += "### " + (e.name || e.id) + " (`" + e.id + "`)\n\n";
+      md += "- Purposes: " + (e.purposes || []).join(", ") + "\n";
+      md += "- Legal basis: " + e.legalBasis + "\n";
+      md += "- Data categories: " + (e.dataCategories || []).join(", ") + "\n";
+      if (e.dataSubjectCategories) md += "- Data subjects: " + e.dataSubjectCategories.join(", ") + "\n";
+      if (e.recipients) md += "- Recipients: " + e.recipients.join(", ") + "\n";
+      if (e.retentionPeriod) md += "- Retention: " + e.retentionPeriod + "\n";
+      if (e.securityMeasures) md += "- Security: " + e.securityMeasures.join(", ") + "\n";
+      if (e.thirdCountryTransfers && e.thirdCountryTransfers.length > 0) {
+        md += "- Third-country transfers:\n";
+        for (var ti = 0; ti < e.thirdCountryTransfers.length; ti++) {
+          var t = e.thirdCountryTransfers[ti];
+          md += "  - " + t.country + " (safeguard: " + (t.safeguard || "n/a") + ")\n";
+        }
+      }
+      md += "\n";
+    }
+    return md;
+  }
+  function exportRopa(eopts) {
+    eopts = eopts || {};
+    var format = (eopts.format || "json").toLowerCase();
+    _emitAudit("exported", "success", { format: format, count: activities.size });
+    if (format === "csv")      return _exportCsv();
+    if (format === "markdown") return _exportMarkdown();
+    if (format === "json")     return _exportJson();
+    throw new GdprRopaError("gdpr-ropa/bad-format",
+      "gdpr.ropa.export: format must be 'json' / 'csv' / 'markdown'");
+  }
+
+  return {
+    register: register,
+    update:   update,
+    remove:   remove,
+    get:      get,
+    list:     list,
+    "export": exportRopa,                                                                // explicit string-key — `export` is reserved
+    VALID_LEGAL_BASES: Object.keys(VALID_LEGAL_BASES),
+  };
+}
+
+module.exports = {
+  create:                  create,
+  GdprRopaError:           GdprRopaError,
+  VALID_LEGAL_BASES:       Object.keys(VALID_LEGAL_BASES),
+  REQUIRED_ACTIVITY_FIELDS: REQUIRED_ACTIVITY_FIELDS,
+};

package/lib/middleware/bot-disclose.js

@@ -0,0 +1,149 @@
+"use strict";
+/**
+ * botDisclose middleware — California SB 1001 bot-disclosure.
+ *
+ * Cal. Bus. & Prof. Code §17941 (SB 1001, effective 2019) requires
+ * that any "bot" used to communicate with persons in California for
+ * the purpose of incentivizing a sale or influencing an election
+ * disclose its non-human nature. Operators serving an automated
+ * conversation surface (LLM-backed chat / IVR / SMS) wire this
+ * middleware to:
+ *
+ *   1. Inject a disclosure banner into HTML responses (server-rendered)
+ *   2. Set an X-Bot-Disclosure header for API consumers
+ *   3. Emit an audit event for every conversation-initiating request
+ *
+ *   var bot = b.middleware.botDisclose({
+ *     audit:        b.audit,
+ *     mountPaths:   ["/chat", "/api/chat"],
+ *     bannerHtml:   '<div role="status">You are interacting with an automated assistant.</div>',
+ *     bannerJson:   { _bot: true, disclosure: "automated-assistant" },
+ *   });
+ *   router.use(bot);
+ *
+ * Per SB 1001 §17941(a), the disclosure must be "clear, conspicuous,
+ * and reasonably designed to inform"; operators with custom UI wire
+ * `bannerHtml` to match their visual design.
+ */
+
+var defineClass = require("../framework-error").defineClass;
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+
+var audit = lazyRequire(function () { return require("../audit"); });
+
+var BotDiscloseError = defineClass("BotDiscloseError", { alwaysPermanent: true });
+
+var DEFAULT_BANNER_HTML = '<div role="status" data-bot-disclosure="true" ' +
+  'style="border:1px solid #888;padding:8px;margin:8px 0;background:#fff8e1;font-size:14px;">' +
+  '<strong>Automated assistant.</strong> ' +
+  'You are interacting with an automated agent. ' +
+  'For California users: this disclosure is provided per Cal. Bus. &amp; Prof. Code §17941.' +
+  '</div>';
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "mountPaths", "bannerHtml", "bannerJson",
+    "headerName", "auditAction",
+  ], "middleware.botDisclose");
+
+  var mountPaths = Array.isArray(opts.mountPaths) ? opts.mountPaths.slice() : null;
+  var bannerHtml = typeof opts.bannerHtml === "string" ? opts.bannerHtml : DEFAULT_BANNER_HTML;
+  var bannerJson = (opts.bannerJson && typeof opts.bannerJson === "object")
+    ? opts.bannerJson : { _bot: true, disclosure: "automated-assistant" };
+  var headerName = typeof opts.headerName === "string" && opts.headerName.length > 0
+    ? opts.headerName : "X-Bot-Disclosure";
+  var auditOn = opts.audit !== false;
+  var actionBase = typeof opts.auditAction === "string" && opts.auditAction.length > 0
+    ? opts.auditAction : "middleware.bot_disclose";
+
+  function _matches(req) {
+    if (!mountPaths) return true;                                                        // null = match every path
+    var p = req.url || "";
+    var qpos = p.indexOf("?");
+    if (qpos !== -1) p = p.slice(0, qpos);
+    for (var i = 0; i < mountPaths.length; i++) {
+      var m = mountPaths[i];
+      if (typeof m === "string" && (p === m || p.indexOf(m + "/") === 0)) return true;
+      if (m instanceof RegExp && m.test(p)) return true;
+    }
+    return false;
+  }
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   actionBase + "." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  return function botDiscloseMiddleware(req, res, next) {
+    if (!_matches(req)) return next();
+
+    // Always set the header (cheap; API consumers see the disclosure
+    // even on JSON endpoints).
+    if (typeof res.setHeader === "function") {
+      res.setHeader(headerName, "automated-assistant");
+    }
+    _emitAudit("disclosed", "success", { method: req.method, path: req.url });
+
+    // Patch res.write / res.end so the first text/html response gets
+    // the banner injected before <body>'s first child. Operators
+    // wanting deeper integration override bannerHtml or set
+    // mountPaths to scope where injection happens.
+    var origWrite = res.write && res.write.bind(res);
+    var origEnd = res.end && res.end.bind(res);
+    var injected = false;
+
+    function _maybeInject(chunk, encoding) {
+      if (injected) return chunk;
+      var ct = typeof res.getHeader === "function" ? res.getHeader("content-type") : "";
+      if (typeof ct !== "string" || ct.indexOf("text/html") === -1) return chunk;
+      var body = Buffer.isBuffer(chunk) ? chunk.toString("utf8") :
+        (typeof chunk === "string" ? chunk : "");
+      // Inject after <body> opening tag if present, else after <html>
+      // opening tag, else prepend.
+      var bodyMatch = body.match(/<body[^>]*>/i);
+      if (bodyMatch) {
+        var idx = bodyMatch.index + bodyMatch[0].length;
+        body = body.slice(0, idx) + "\n" + bannerHtml + "\n" + body.slice(idx);
+      } else {
+        body = bannerHtml + "\n" + body;
+      }
+      injected = true;
+      return Buffer.from(body, "utf8");
+    }
+
+    if (origWrite) {
+      res.write = function (chunk, encoding, cb) {
+        return origWrite(_maybeInject(chunk, encoding), encoding, cb);
+      };
+    }
+    if (origEnd) {
+      res.end = function (chunk, encoding, cb) {
+        if (chunk) chunk = _maybeInject(chunk, encoding);
+        return origEnd(chunk, encoding, cb);
+      };
+    }
+
+    // For JSON responses, attach the disclosure to res.locals so
+    // operator handlers building JSON via res.json(...) can include
+    // it explicitly. We don't auto-merge into the JSON body — the
+    // header + audit are the load-bearing disclosure surfaces.
+    if (res.locals && typeof res.locals === "object") {
+      res.locals.botDisclosure = bannerJson;
+    }
+    return next();
+  };
+}
+
+module.exports = {
+  create:               create,
+  BotDiscloseError:     BotDiscloseError,
+  DEFAULT_BANNER_HTML:  DEFAULT_BANNER_HTML,
+};

package/lib/middleware/index.js

@@ -25,6 +25,7 @@ var assetlinks = require("./assetlinks");
 var attachUser = require("./attach-user");
 var bearerAuth = require("./bearer-auth");
 var bodyParser = require("./body-parser");
+var botDisclose = require("./bot-disclose");
 var botGuard = require("./bot-guard");
 var compression = require("./compression");
 var cookies = require("./cookies");
@@ -63,6 +64,7 @@ module.exports = {
   requestId:        requestId.create,
   securityHeaders:  securityHeaders.create,
   errorHandler:     errorHandler.create,
+  botDisclose:      botDisclose.create,
   botGuard:         botGuard.create,
   cors:             cors.create,
   dailyByteQuota:   dailyByteQuota.create,
@@ -108,6 +110,7 @@ module.exports = {
     requestId:        requestId,
     securityHeaders:  securityHeaders,
     errorHandler:     errorHandler,
+    botDisclose:      botDisclose,
     botGuard:         botGuard,
     cors:             cors,
     dailyByteQuota:   dailyByteQuota,

package/lib/nis2-report.js

@@ -0,0 +1,181 @@
+"use strict";
+/**
+ * b.nis2.report — NIS2 Directive incident-reporting wrapper.
+ *
+ * Directive (EU) 2022/2555 (NIS2) Article 23 mandates that essential
+ * + important entities report significant incidents to the national
+ * CSIRT or competent authority. Three-stage pattern with statutory
+ * deadlines:
+ *   - early warning within 24h of becoming aware (Art. 23 §4(a))
+ *   - incident notification within 72h, including initial assessment
+ *     of severity + impact + indicators of compromise (Art. 23 §4(b))
+ *   - final report within 1 month, with detailed root cause +
+ *     remediation + cross-border implications (Art. 23 §4(d))
+ *
+ *   var nis2 = b.nis2.report.create({
+ *     audit:        b.audit,
+ *     entityId:     "acme-cloud-1",
+ *     entityType:   "essential",                  // "essential" | "important"
+ *     sectorAnnex:  "I.6",                        // NIS2 Annex I/II row id
+ *     csirtEndpoint: "https://csirt.example/api",
+ *     httpClient:   b.httpClient,
+ *   });
+ *
+ * Sector annex codes follow NIS2's two annexes:
+ *   - Annex I (essential): I.1 energy / I.2 transport / I.3 banking /
+ *     I.4 financial-market-infrastructures / I.5 health /
+ *     I.6 drinking-water / I.7 wastewater / I.8 digital-infrastructure /
+ *     I.9 ICT-service-management / I.10 public-administration /
+ *     I.11 space
+ *   - Annex II (important): II.1 postal / II.2 waste-management /
+ *     II.3 chemicals / II.4 food / II.5 manufacturing /
+ *     II.6 digital-providers / II.7 research
+ */
+
+var C = require("./constants");
+var defineClass = require("./framework-error").defineClass;
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+
+var incidentReport = lazyRequire(function () { return require("./incident-report"); });
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var Nis2ReportError = defineClass("Nis2ReportError", { alwaysPermanent: true });
+
+var VALID_ENTITY_TYPES = Object.freeze({ essential: 1, important: 1 });
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "persist", "httpClient", "csirtEndpoint",
+    "entityId", "entityType", "sectorAnnex", "now",
+  ], "nis2.report");
+
+  validateOpts.requireNonEmptyString(opts.entityId,
+    "nis2.report.create: opts.entityId is required (NIS2 registration ID)",
+    Nis2ReportError, "nis2-report/bad-entity-id");
+  if (!VALID_ENTITY_TYPES[opts.entityType]) {
+    throw new Nis2ReportError("nis2-report/bad-entity-type",
+      "nis2.report.create: opts.entityType must be 'essential' or 'important' (NIS2 Article 3 classification)");
+  }
+  validateOpts.requireNonEmptyString(opts.sectorAnnex,
+    "nis2.report.create: opts.sectorAnnex is required (e.g. 'I.6' for drinking water, 'II.6' for digital-providers)",
+    Nis2ReportError, "nis2-report/bad-sector");
+  var entityId = opts.entityId;
+  var entityType = opts.entityType;
+  var sectorAnnex = opts.sectorAnnex;
+  var csirtEndpoint = opts.csirtEndpoint || null;
+  var httpClient = opts.httpClient || null;
+  var auditOn = opts.audit !== false;
+
+  var ir = incidentReport().create({
+    audit:    opts.audit,
+    persist:  opts.persist,
+    now:      opts.now,
+    deadlines: {
+      initial:      C.TIME.hours(24),                                                     // NIS2 Art. 23 §4(a) — early warning
+      intermediate: C.TIME.hours(72),                                                     // NIS2 Art. 23 §4(b) — incident notification
+      final:        C.TIME.days(30),                                                      // NIS2 Art. 23 §4(d) — final report (1 month)
+    },
+  });
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "nis2.report." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  async function _submitToCsirt(payload) {
+    if (!csirtEndpoint || !httpClient) {
+      _emitAudit("submit_skipped", "warning", { reason: "no-endpoint-or-client" });
+      return { submitted: false, reason: "no-endpoint-or-client" };
+    }
+    try {
+      var res = await httpClient.request({
+        url: csirtEndpoint, method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: Buffer.from(JSON.stringify(payload), "utf8"),
+        responseMode: "always-resolve",
+      });
+      var ok = res.statusCode >= 200 && res.statusCode < 300;                            // allow:raw-byte-literal — HTTP status range
+      _emitAudit("submitted", ok ? "success" : "failure", { statusCode: res.statusCode });
+      return { submitted: ok, statusCode: res.statusCode };
+    } catch (e) {
+      _emitAudit("submit_failed", "failure", { error: (e && e.message) || String(e) });
+      return { submitted: false, error: (e && e.message) || String(e) };
+    }
+  }
+
+  function _envelope(stage, incident, fields) {
+    return {
+      directive:    "(EU) 2022/2555",
+      article:      "23",
+      stage:        stage,                                                                // "early-warning" / "notification" / "final"
+      entity:       { id: entityId, type: entityType, sector: sectorAnnex },
+      incident: {
+        id:          incident.id,
+        detected_at: new Date(incident.detectedAt).toISOString(),
+        scope:       incident.scope,
+        summary:     incident.summary,
+        impact:      incident.impact,
+      },
+      fields: fields || {},
+    };
+  }
+
+  async function open(spec) {
+    spec = Object.assign({}, spec || {}, { regime: "nis2" });
+    var rec = await ir.open(spec);
+    _emitAudit("opened", "success", { incidentId: rec.id, entityId: entityId, entityType: entityType });
+    return rec;
+  }
+
+  async function earlyWarning(incidentId, fields) {
+    var rec = await ir.recordInitial(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToCsirt(_envelope("early-warning", rec, fields));
+    }
+    return result;
+  }
+  async function notification(incidentId, fields) {
+    var rec = await ir.recordIntermediate(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToCsirt(_envelope("notification", rec, fields));
+    }
+    return result;
+  }
+  async function finalReport(incidentId, fields) {
+    var rec = await ir.recordFinal(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToCsirt(_envelope("final", rec, fields));
+    }
+    return result;
+  }
+
+  return {
+    open:           open,
+    earlyWarning:   earlyWarning,
+    notification:   notification,
+    finalReport:    finalReport,
+    get:            function (id) { return ir.get(id); },
+    list:           function ()   { return ir.list(); },
+    status:         function ()   { return ir.status(); },
+    entityId:       entityId,
+    entityType:     entityType,
+    sectorAnnex:    sectorAnnex,
+  };
+}
+
+module.exports = {
+  create:             create,
+  Nis2ReportError:    Nis2ReportError,
+  VALID_ENTITY_TYPES: Object.keys(VALID_ENTITY_TYPES),
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.9",
+  "version": "0.8.10",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:b2addb57-b40a-4a44-9c34-7f7bd7d741c3",
+  "serialNumber": "urn:uuid:4c9e2f2f-795d-4920-a093-90770087d324",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T02:18:24.599Z",
+    "timestamp": "2026-05-07T02:38:14.544Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.9",
+      "bom-ref": "@blamejs/core@0.8.10",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.9",
+      "version": "0.8.10",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.9",
+      "purl": "pkg:npm/%40blamejs/core@0.8.10",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.9",
+      "ref": "@blamejs/core@0.8.10",
       "dependsOn": []
     }
   ]