@blamejs/core 0.8.9 → 0.8.11

package/lib/compliance-eaa.js

@@ -0,0 +1,204 @@
+"use strict";
+/**
+ * b.compliance.eaa — EU Accessibility Act declared-conformance.
+ *
+ * Directive (EU) 2019/882 (the European Accessibility Act) requires
+ * digital products + services placed on the EU market to meet WCAG
+ * 2.1 AA accessibility requirements (extended to 2.2 by national
+ * implementing law in many member states). Operators producing a
+ * compliant deployment ship a "conformance statement" — a document
+ * declaring the product, the assessed standards (WCAG 2.1 / 2.2 /
+ * EN 301 549), the scope of testing, and any non-conforming
+ * features with operator-supplied justification.
+ *
+ *   var eaa = b.compliance.eaa.create({
+ *     audit:        b.audit,
+ *     productName:  "Acme Customer Portal",
+ *     productScope: "https://portal.acme.example",
+ *     standards:    ["WCAG 2.2 AA", "EN 301 549 v3.2.1"],
+ *   });
+ *   eaa.declareCriterion("1.1.1", { conformance: "supports", note: "..." });
+ *   eaa.declareCriterion("1.4.3", { conformance: "supports", note: "ratio >= 4.5:1" });
+ *   eaa.declareNonConformance({
+ *     criterion: "2.5.5",
+ *     reason:    "legacy desktop-only interaction, replacement Q3 2026",
+ *     mitigation: "alternative keyboard path documented",
+ *   });
+ *   var doc = eaa.export({ format: "markdown" });
+ *
+ * The exported document goes alongside the operator's product
+ * documentation and serves as the "Accessibility Statement" required
+ * by Article 13 §3.
+ */
+
+var defineClass = require("./framework-error").defineClass;
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var ComplianceEaaError = defineClass("ComplianceEaaError", { alwaysPermanent: true });
+
+var VALID_CONFORMANCE = Object.freeze({
+  "supports":          1,                                                                // criterion fully met
+  "partially-supports": 1,                                                               // some content meets, gaps documented
+  "does-not-support":  1,                                                                // criterion not met (declared non-conformance)
+  "not-applicable":    1,                                                                // criterion does not apply to product
+  "not-evaluated":     1,                                                                // outside the assessed scope
+});
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "productName", "productScope", "standards",
+    "contact", "supervisoryAuthority", "now",
+  ], "compliance.eaa");
+
+  validateOpts.requireNonEmptyString(opts.productName,
+    "compliance.eaa.create: opts.productName is required (Article 13 §3 requires product identification)",
+    ComplianceEaaError, "compliance-eaa/bad-product");
+  if (!Array.isArray(opts.standards) || opts.standards.length === 0) {
+    throw new ComplianceEaaError("compliance-eaa/bad-standards",
+      "compliance.eaa.create: opts.standards is required (e.g. ['WCAG 2.2 AA', 'EN 301 549 v3.2.1'])");
+  }
+  var productName = opts.productName;
+  var productScope = opts.productScope || null;
+  var standards = opts.standards.slice();
+  var contact = opts.contact || null;
+  var supervisoryAuthority = opts.supervisoryAuthority || null;
+  var auditOn = opts.audit !== false;
+  var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
+
+  var criteria = new Map();
+  var nonConformances = [];
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "compliance.eaa." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  function declareCriterion(id, decl) {
+    if (typeof id !== "string" || id.length === 0) {
+      throw new ComplianceEaaError("compliance-eaa/bad-criterion-id",
+        "compliance.eaa.declareCriterion: id must be a non-empty string (e.g. '1.1.1')");
+    }
+    if (!decl || typeof decl !== "object") {
+      throw new ComplianceEaaError("compliance-eaa/bad-decl",
+        "compliance.eaa.declareCriterion: decl must be an object with { conformance, note? }");
+    }
+    if (!VALID_CONFORMANCE[decl.conformance]) {
+      throw new ComplianceEaaError("compliance-eaa/bad-conformance",
+        "compliance.eaa.declareCriterion: conformance must be one of " + Object.keys(VALID_CONFORMANCE).join(", "));
+    }
+    criteria.set(id, {
+      criterion:   id,
+      conformance: decl.conformance,
+      note:        decl.note || "",
+      declaredAt:  now(),
+    });
+    _emitAudit("criterion_declared", "success", { criterion: id, conformance: decl.conformance });
+  }
+
+  function declareNonConformance(decl) {
+    if (!decl || typeof decl !== "object" || !decl.criterion || !decl.reason) {
+      throw new ComplianceEaaError("compliance-eaa/bad-non-conformance",
+        "compliance.eaa.declareNonConformance: decl must include { criterion, reason, mitigation? }");
+    }
+    nonConformances.push({
+      criterion:   decl.criterion,
+      reason:      decl.reason,
+      mitigation:  decl.mitigation || null,
+      declaredAt:  now(),
+    });
+    criteria.set(decl.criterion, {
+      criterion:   decl.criterion,
+      conformance: "does-not-support",
+      note:        decl.reason + (decl.mitigation ? " (mitigation: " + decl.mitigation + ")" : ""),
+      declaredAt:  now(),
+    });
+    _emitAudit("non_conformance_declared", "warning", { criterion: decl.criterion });
+  }
+
+  function _stats() {
+    var counts = { supports: 0, "partially-supports": 0, "does-not-support": 0, "not-applicable": 0, "not-evaluated": 0 };
+    criteria.forEach(function (c) { counts[c.conformance] += 1; });
+    return counts;
+  }
+
+  function _exportJson() {
+    var c = []; criteria.forEach(function (rec) { c.push(rec); });
+    return {
+      directive:            "(EU) 2019/882",
+      article:              "13",
+      generatedAt:          new Date(now()).toISOString(),
+      product:              { name: productName, scope: productScope },
+      standards:            standards,
+      contact:              contact,
+      supervisoryAuthority: supervisoryAuthority,
+      criteria:             c,
+      nonConformances:      nonConformances,
+      stats:                _stats(),
+    };
+  }
+  function _exportMarkdown() {
+    var stats = _stats();
+    var c = []; criteria.forEach(function (rec) { c.push(rec); });
+    var md = "# Accessibility Statement — " + productName + "\n\n";
+    md += "**Standards:** " + standards.join(", ") + "\n\n";
+    if (productScope) md += "**Scope:** " + productScope + "\n\n";
+    md += "Generated: " + new Date(now()).toISOString() + "\n\n";
+    md += "## Conformance summary\n\n";
+    md += "- Supports: " + stats.supports + "\n";
+    md += "- Partially supports: " + stats["partially-supports"] + "\n";
+    md += "- Does not support: " + stats["does-not-support"] + "\n";
+    md += "- Not applicable: " + stats["not-applicable"] + "\n\n";
+    if (nonConformances.length > 0) {
+      md += "## Non-conformances\n\n";
+      for (var i = 0; i < nonConformances.length; i++) {
+        var nc = nonConformances[i];
+        md += "### " + nc.criterion + "\n\n";
+        md += "- Reason: " + nc.reason + "\n";
+        if (nc.mitigation) md += "- Mitigation: " + nc.mitigation + "\n";
+        md += "\n";
+      }
+    }
+    md += "## Per-criterion declarations\n\n";
+    for (var ci = 0; ci < c.length; ci++) {
+      md += "- **" + c[ci].criterion + "** — " + c[ci].conformance;
+      if (c[ci].note) md += " — " + c[ci].note;
+      md += "\n";
+    }
+    if (contact) md += "\n## Contact\n\n" + (contact.name || "") + " (" + (contact.email || "") + ")\n";
+    return md;
+  }
+
+  function exportEaa(eopts) {
+    eopts = eopts || {};
+    var format = (eopts.format || "json").toLowerCase();
+    _emitAudit("exported", "success", { format: format, criteriaCount: criteria.size });
+    if (format === "json")     return _exportJson();
+    if (format === "markdown") return _exportMarkdown();
+    throw new ComplianceEaaError("compliance-eaa/bad-format",
+      "compliance.eaa.export: format must be 'json' or 'markdown'");
+  }
+
+  return {
+    declareCriterion:       declareCriterion,
+    declareNonConformance:  declareNonConformance,
+    "export":               exportEaa,
+    stats:                  _stats,
+    VALID_CONFORMANCE:      Object.keys(VALID_CONFORMANCE),
+  };
+}
+
+module.exports = {
+  create:               create,
+  ComplianceEaaError:   ComplianceEaaError,
+  VALID_CONFORMANCE:    Object.keys(VALID_CONFORMANCE),
+};

package/lib/cra-report.js

@@ -0,0 +1,195 @@
+"use strict";
+/**
+ * b.cra.report — EU Cyber Resilience Act incident-reporting wrapper.
+ *
+ * The Cyber Resilience Act (Regulation (EU) 2024/2847) Article 14 §1
+ * mandates that manufacturers of digital products report actively-
+ * exploited vulnerabilities and severe incidents to ENISA + national
+ * authorities. The framework's b.incident.report primitive provides
+ * the generic 3-stage shape; this wrapper specializes it with the
+ * CRA-specific reporting fields, deadlines (24h early warning / 72h
+ * incident notification / 14d final report), and the ENISA single-
+ * reporting-point destination.
+ *
+ *   var cra = b.cra.report.create({
+ *     enisaEndpoint: "https://enisa-spr.europa.eu/api/incidents",
+ *     httpClient:    b.httpClient,
+ *     audit:         b.audit,
+ *     productId:     "blamejs-1.x",
+ *     manufacturer:  { name: "Acme Co", contact: "security@acme.example" },
+ *   });
+ *   var inc = await cra.open({
+ *     detectedAt:    Date.now(),
+ *     vulnerability: { cveId: "CVE-2026-99999", actively_exploited: true },
+ *     impact:        { ... },
+ *   });
+ *   await cra.earlyWarning(inc.id, { ... });        // 24h
+ *   await cra.notification(inc.id, { ... });        // 72h
+ *   await cra.finalReport(inc.id, { ... });         // 14d
+ *
+ * The wrapper composes b.incident.report so the audit chain shape,
+ * persistence hook, and status surface stay consistent across every
+ * regulatory regime. Per-regime CRA semantics:
+ *   - early warning may be terse ("incident detected, scope unknown")
+ *   - notification carries impact + mitigation + scope
+ *   - final report adds root cause + lessons learned
+ *
+ * Submission to ENISA is opt-in per call (operators may want to
+ * batch / approve before submission); pass { submit: true } on each
+ * stage call to push through the operator's b.httpClient. The
+ * primitive does NOT auto-submit on stage transitions — regulators
+ * uniformly require operator review before filing.
+ */
+
+var C = require("./constants");
+var defineClass = require("./framework-error").defineClass;
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+
+var incidentReport = lazyRequire(function () { return require("./incident-report"); });
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var CraReportError = defineClass("CraReportError", { alwaysPermanent: true });
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "persist", "httpClient", "enisaEndpoint",
+    "productId", "manufacturer", "now",
+  ], "cra.report");
+
+  validateOpts.requireNonEmptyString(opts.productId,
+    "cra.report.create: opts.productId is required (CRA Annex VII §1 requires a stable product identifier)",
+    CraReportError, "cra-report/bad-product-id");
+  if (!opts.manufacturer || typeof opts.manufacturer !== "object") {
+    throw new CraReportError("cra-report/bad-manufacturer",
+      "cra.report.create: opts.manufacturer is required (CRA Annex VII §1 requires manufacturer name + contact)");
+  }
+  var productId = opts.productId;
+  var manufacturer = opts.manufacturer;
+  var enisaEndpoint = typeof opts.enisaEndpoint === "string" && opts.enisaEndpoint.length > 0
+    ? opts.enisaEndpoint : null;
+  var httpClient = opts.httpClient || null;
+  var auditOn = opts.audit !== false;
+
+  // CRA Article 14 deadlines — operators don't override these without
+  // documented regulatory justification (the deadlines are statutory,
+  // not operator preference).
+  var ir = incidentReport().create({
+    audit:    opts.audit,
+    persist:  opts.persist,
+    now:      opts.now,
+    deadlines: {
+      // initial = "early warning" per CRA Article 14 §1(a) — 24h
+      initial:      C.TIME.hours(24),
+      // intermediate = "incident notification" per CRA Article 14 §1(b) — 72h
+      intermediate: C.TIME.hours(72),
+      // final = "final report" per CRA Article 14 §1(c) — 14 days
+      final:        C.TIME.days(14),
+    },
+  });
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "cra.report." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  async function _submitToEnisa(payload) {
+    if (!enisaEndpoint || !httpClient) {
+      _emitAudit("submit_skipped", "warning", { reason: "no-endpoint-or-client" });
+      return { submitted: false, reason: "no-endpoint-or-client" };
+    }
+    try {
+      var res = await httpClient.request({
+        url:           enisaEndpoint,
+        method:        "POST",
+        headers:       { "Content-Type": "application/json" },
+        body:          Buffer.from(JSON.stringify(payload), "utf8"),
+        responseMode:  "always-resolve",
+      });
+      var ok = res.statusCode >= 200 && res.statusCode < 300;                        // allow:raw-byte-literal — HTTP status range
+      _emitAudit("submitted", ok ? "success" : "failure", {
+        statusCode: res.statusCode, productId: productId,
+      });
+      return { submitted: ok, statusCode: res.statusCode };
+    } catch (e) {
+      _emitAudit("submit_failed", "failure", { error: (e && e.message) || String(e) });
+      return { submitted: false, error: (e && e.message) || String(e) };
+    }
+  }
+
+  function _craEnvelope(stage, incident, fields) {
+    return {
+      cra_version:   "2024/2847",
+      stage:         stage,                                                            // "early-warning" / "notification" / "final"
+      product:       { id: productId },
+      manufacturer:  manufacturer,
+      incident: {
+        id:           incident.id,
+        detected_at:  new Date(incident.detectedAt).toISOString(),
+        scope:        incident.scope,
+        summary:      incident.summary,
+        impact:       incident.impact,
+      },
+      fields:        fields || {},
+    };
+  }
+
+  async function open(spec) {
+    spec = Object.assign({}, spec || {}, { regime: "cra" });
+    var rec = await ir.open(spec);
+    _emitAudit("opened", "success", { incidentId: rec.id, productId: productId });
+    return rec;
+  }
+
+  async function earlyWarning(incidentId, fields) {
+    var rec = await ir.recordInitial(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToEnisa(_craEnvelope("early-warning", rec, fields));
+    }
+    return result;
+  }
+
+  async function notification(incidentId, fields) {
+    var rec = await ir.recordIntermediate(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToEnisa(_craEnvelope("notification", rec, fields));
+    }
+    return result;
+  }
+
+  async function finalReport(incidentId, fields) {
+    var rec = await ir.recordFinal(incidentId, fields || {});
+    var result = { record: rec, submitted: null };
+    if (fields && fields.submit === true) {
+      result.submitted = await _submitToEnisa(_craEnvelope("final", rec, fields));
+    }
+    return result;
+  }
+
+  return {
+    open:           open,
+    earlyWarning:   earlyWarning,
+    notification:   notification,
+    finalReport:    finalReport,
+    // Forward incident.report observability surface
+    get:            function (id) { return ir.get(id); },
+    list:           function ()   { return ir.list(); },
+    status:         function ()   { return ir.status(); },
+    productId:      productId,
+    manufacturer:   manufacturer,
+  };
+}
+
+module.exports = {
+  create:           create,
+  CraReportError:   CraReportError,
+};

package/lib/gdpr-ropa.js

@@ -0,0 +1,261 @@
+"use strict";
+/**
+ * b.gdpr.ropa — GDPR Article 30 Records of Processing Activities.
+ *
+ * Article 30 §1 (controller) + §2 (processor) require a written
+ * record of processing activities. The framework's existing audit
+ * chain captures *what happened* on each request; the RoPA captures
+ * *what processing the operator does in general* — purposes, data
+ * categories, retention periods, recipients, transfers outside the
+ * EEA, security measures.
+ *
+ * The primitive is a registry + exporter:
+ *   - register(activity)          — add a processing-activity record
+ *   - update(id, patch)           — modify an existing record
+ *   - remove(id)                  — soft-delete (operator audit trail)
+ *   - export({ format })          — emit RoPA as JSON / CSV / Markdown
+ *
+ *   var ropa = b.gdpr.ropa.create({
+ *     audit:        b.audit,
+ *     controller:   { name: "Acme Co", contact: "dpo@acme.example" },
+ *   });
+ *   ropa.register({
+ *     id:                  "sales-funnel-tracking",
+ *     name:                "Sales-funnel CRM tracking",
+ *     purposes:            ["lead-tracking", "sales-attribution"],
+ *     legalBasis:          "legitimate-interests",
+ *     dataCategories:      ["contact-info", "engagement-history"],
+ *     dataSubjectCategories: ["prospects", "customers"],
+ *     recipients:          ["analytics-vendor", "sales-team"],
+ *     thirdCountryTransfers: [{ country: "US", safeguard: "scc-2021" }],
+ *     retentionPeriod:     "5 years post-relationship",
+ *     securityMeasures:    ["encrypted-at-rest", "tls-13", "access-control"],
+ *   });
+ *   var json = ropa.export({ format: "json" });
+ */
+
+var defineClass = require("./framework-error").defineClass;
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var GdprRopaError = defineClass("GdprRopaError", { alwaysPermanent: true });
+
+var REQUIRED_ACTIVITY_FIELDS = Object.freeze([
+  "id", "name", "purposes", "legalBasis", "dataCategories",
+]);
+
+var VALID_LEGAL_BASES = Object.freeze({
+  "consent":               1,                                                            // Art 6(1)(a)
+  "contract":              1,                                                            // Art 6(1)(b)
+  "legal-obligation":      1,                                                            // Art 6(1)(c)
+  "vital-interests":       1,                                                            // Art 6(1)(d)
+  "public-task":           1,                                                            // Art 6(1)(e)
+  "legitimate-interests":  1,                                                            // Art 6(1)(f)
+});
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "audit", "controller", "dpo", "supervisoryAuthority", "now",
+  ], "gdpr.ropa");
+
+  if (!opts.controller || typeof opts.controller !== "object") {
+    throw new GdprRopaError("gdpr-ropa/bad-controller",
+      "gdpr.ropa.create: opts.controller is required (Article 30 §1(a) requires controller name + contact)");
+  }
+  var controller = opts.controller;
+  var dpo = opts.dpo || null;
+  var supervisoryAuthority = opts.supervisoryAuthority || null;
+  var auditOn = opts.audit !== false;
+  var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
+
+  var activities = new Map();
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "gdpr.ropa." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  function _validateActivity(activity, op) {
+    if (!activity || typeof activity !== "object") {
+      throw new GdprRopaError("gdpr-ropa/bad-activity",
+        "gdpr.ropa." + op + ": activity must be an object");
+    }
+    for (var i = 0; i < REQUIRED_ACTIVITY_FIELDS.length; i++) {
+      var f = REQUIRED_ACTIVITY_FIELDS[i];
+      if (activity[f] === undefined) {
+        throw new GdprRopaError("gdpr-ropa/missing-field",
+          "gdpr.ropa." + op + ": activity is missing required field '" + f + "' (per Article 30 §1)");
+      }
+    }
+    if (typeof activity.id !== "string" || activity.id.length === 0) {
+      throw new GdprRopaError("gdpr-ropa/bad-id",
+        "gdpr.ropa." + op + ": activity.id must be a non-empty string");
+    }
+    if (!VALID_LEGAL_BASES[activity.legalBasis]) {
+      throw new GdprRopaError("gdpr-ropa/bad-legal-basis",
+        "gdpr.ropa." + op + ": activity.legalBasis must be one of " + Object.keys(VALID_LEGAL_BASES).join(", "));
+    }
+  }
+
+  function register(activity) {
+    _validateActivity(activity, "register");
+    if (activities.has(activity.id)) {
+      throw new GdprRopaError("gdpr-ropa/duplicate-id",
+        "gdpr.ropa.register: activity '" + activity.id + "' already registered");
+    }
+    var rec = Object.assign({}, activity, {
+      registeredAt: now(),
+      lastUpdatedAt: now(),
+    });
+    activities.set(activity.id, rec);
+    _emitAudit("registered", "success", { id: activity.id, purposes: activity.purposes });
+    return rec;
+  }
+
+  function update(id, patch) {
+    var existing = activities.get(id);
+    if (!existing) {
+      throw new GdprRopaError("gdpr-ropa/not-found",
+        "gdpr.ropa.update: no activity with id '" + id + "'");
+    }
+    if (!patch || typeof patch !== "object") {
+      throw new GdprRopaError("gdpr-ropa/bad-patch",
+        "gdpr.ropa.update: patch must be an object");
+    }
+    var merged = Object.assign({}, existing, patch, {
+      id: id,                                                                            // id is immutable on update
+      registeredAt: existing.registeredAt,
+      lastUpdatedAt: now(),
+    });
+    if (patch.legalBasis && !VALID_LEGAL_BASES[merged.legalBasis]) {
+      throw new GdprRopaError("gdpr-ropa/bad-legal-basis",
+        "gdpr.ropa.update: legalBasis must be one of " + Object.keys(VALID_LEGAL_BASES).join(", "));
+    }
+    activities.set(id, merged);
+    _emitAudit("updated", "success", { id: id, fields: Object.keys(patch) });
+    return merged;
+  }
+
+  function remove(id, info) {
+    var existing = activities.get(id);
+    if (!existing) {
+      throw new GdprRopaError("gdpr-ropa/not-found",
+        "gdpr.ropa.remove: no activity with id '" + id + "'");
+    }
+    activities.delete(id);
+    _emitAudit("removed", "success", {
+      id: id,
+      reason: (info && info.reason) || null,
+      actor:  (info && info.actor) || null,
+    });
+    return { removed: true, id: id };
+  }
+
+  function get(id) { return activities.get(id) || null; }
+  function list() {
+    var out = [];
+    activities.forEach(function (rec) { out.push(rec); });
+    return out;
+  }
+
+  // Operator-facing exporter — JSON for API integrations / SCC, CSV
+  // for spreadsheet handoff to legal, Markdown for human-readable
+  // operator documentation. Each shape carries the same fields per
+  // Article 30 §1(a-h) / §2(a-d).
+  function _exportJson() {
+    return {
+      controller:           controller,
+      dpo:                  dpo,
+      supervisoryAuthority: supervisoryAuthority,
+      generatedAt:          new Date(now()).toISOString(),
+      article:              "30",
+      regulation:           "(EU) 2016/679 (GDPR)",
+      activities:           list(),
+    };
+  }
+  function _exportCsv() {
+    var headers = [
+      "id", "name", "purposes", "legalBasis", "dataCategories",
+      "dataSubjectCategories", "recipients", "thirdCountryTransfers",
+      "retentionPeriod", "securityMeasures",
+    ];
+    var rows = [headers.join(",")];
+    var entries = list();
+    for (var i = 0; i < entries.length; i++) {
+      var e = entries[i];
+      var row = headers.map(function (h) {
+        var v = e[h];
+        if (v === undefined || v === null) return "";
+        if (Array.isArray(v)) return JSON.stringify(v).replace(/"/g, "\"\"");
+        return String(v).replace(/"/g, "\"\"");
+      });
+      rows.push(row.map(function (c) { return '"' + c + '"'; }).join(","));
+    }
+    return rows.join("\n");
+  }
+  function _exportMarkdown() {
+    var entries = list();
+    var md = "# GDPR Article 30 Records of Processing Activities\n\n";
+    md += "Generated: " + new Date(now()).toISOString() + "\n\n";
+    md += "Controller: " + (controller.name || "(unspecified)") + "\n";
+    md += "Contact: " + (controller.contact || "(unspecified)") + "\n\n";
+    if (dpo) md += "DPO: " + (dpo.name || "(unspecified)") + " (" + (dpo.contact || "") + ")\n\n";
+    md += "## Activities (" + entries.length + ")\n\n";
+    for (var i = 0; i < entries.length; i++) {
+      var e = entries[i];
+      md += "### " + (e.name || e.id) + " (`" + e.id + "`)\n\n";
+      md += "- Purposes: " + (e.purposes || []).join(", ") + "\n";
+      md += "- Legal basis: " + e.legalBasis + "\n";
+      md += "- Data categories: " + (e.dataCategories || []).join(", ") + "\n";
+      if (e.dataSubjectCategories) md += "- Data subjects: " + e.dataSubjectCategories.join(", ") + "\n";
+      if (e.recipients) md += "- Recipients: " + e.recipients.join(", ") + "\n";
+      if (e.retentionPeriod) md += "- Retention: " + e.retentionPeriod + "\n";
+      if (e.securityMeasures) md += "- Security: " + e.securityMeasures.join(", ") + "\n";
+      if (e.thirdCountryTransfers && e.thirdCountryTransfers.length > 0) {
+        md += "- Third-country transfers:\n";
+        for (var ti = 0; ti < e.thirdCountryTransfers.length; ti++) {
+          var t = e.thirdCountryTransfers[ti];
+          md += "  - " + t.country + " (safeguard: " + (t.safeguard || "n/a") + ")\n";
+        }
+      }
+      md += "\n";
+    }
+    return md;
+  }
+  function exportRopa(eopts) {
+    eopts = eopts || {};
+    var format = (eopts.format || "json").toLowerCase();
+    _emitAudit("exported", "success", { format: format, count: activities.size });
+    if (format === "csv")      return _exportCsv();
+    if (format === "markdown") return _exportMarkdown();
+    if (format === "json")     return _exportJson();
+    throw new GdprRopaError("gdpr-ropa/bad-format",
+      "gdpr.ropa.export: format must be 'json' / 'csv' / 'markdown'");
+  }
+
+  return {
+    register: register,
+    update:   update,
+    remove:   remove,
+    get:      get,
+    list:     list,
+    "export": exportRopa,                                                                // explicit string-key — `export` is reserved
+    VALID_LEGAL_BASES: Object.keys(VALID_LEGAL_BASES),
+  };
+}
+
+module.exports = {
+  create:                  create,
+  GdprRopaError:           GdprRopaError,
+  VALID_LEGAL_BASES:       Object.keys(VALID_LEGAL_BASES),
+  REQUIRED_ACTIVITY_FIELDS: REQUIRED_ACTIVITY_FIELDS,
+};