@agentic-qe/v3 3.0.0-alpha.6 → 3.0.0-alpha.8

package/src/coordination/protocols/security-audit.ts

@@ -1,1587 +0,0 @@
-/**
- * Agentic QE v3 - Security Audit Protocol
- * Coordination protocol for comprehensive security auditing
- *
- * Trigger: Daily 2am, dependency update, or manual
- * Participants: Security Scanner, Auditor, Compliance Validator
- * Actions: Scan vulnerabilities, audit code, validate compliance
- */
-
-import { v4 as uuidv4 } from 'uuid';
-import {
-  Result,
-  ok,
-  err,
-  Severity,
-} from '../../shared/types/index.js';
-import type {
-  EventBus,
-  MemoryBackend,
-  AgentCoordinator,
-  AgentSpawnConfig,
-} from '../../kernel/interfaces.js';
-import { FilePath, RiskScore } from '../../shared/value-objects/index.js';
-import {
-  createEvent,
-  VulnerabilityPayload,
-  CompliancePayload,
-} from '../../shared/events/domain-events.js';
-import type {
-  Vulnerability,
-  VulnerabilitySeverity,
-  VulnerabilityCategory,
-  VulnerabilityLocation,
-  SecurityAuditOptions,
-  ComplianceReport,
-  SASTResult,
-  DASTResult,
-  DependencyScanResult,
-  SecretScanResult,
-  DetectedSecret,
-  ScanSummary,
-} from '../../domains/security-compliance/interfaces.js';
-import {
-  SecurityScannerService,
-  type ISecurityScannerService,
-} from '../../domains/security-compliance/services/security-scanner.js';
-import {
-  runSemgrepWithRules,
-  isSemgrepAvailable,
-  convertSemgrepFindings,
-  type SemgrepFinding,
-} from '../../domains/security-compliance/services/semgrep-integration.js';
-
-// ============================================================================
-// Protocol Types
-// ============================================================================
-
-/**
- * Security audit trigger types
- */
-export type SecurityAuditTrigger =
-  | 'daily'           // Daily 2am scheduled audit
-  | 'dependency-update' // Triggered after package updates
-  | 'manual'          // On-demand full audit
-  | 'pre-release';    // Pre-deployment security check
-
-/**
- * Security audit phase status
- */
-export type AuditPhase =
-  | 'initializing'
-  | 'vulnerability-scan'
-  | 'dependency-scan'
-  | 'secret-scan'
-  | 'compliance-validation'
-  | 'triage'
-  | 'report-generation'
-  | 'completed'
-  | 'failed';
-
-/**
- * Security audit configuration
- */
-export interface SecurityAuditConfig {
-  /** Standards to validate against */
-  complianceStandards: string[];
-  /** Files/directories to scan */
-  scanPaths: string[];
-  /** Files/directories to exclude */
-  excludePatterns: string[];
-  /** Target URL for DAST (optional) */
-  targetUrl?: string;
-  /** Enable DAST scanning */
-  enableDAST: boolean;
-  /** Enable secret scanning */
-  enableSecretScan: boolean;
-  /** Severity threshold for blocking deployment */
-  blockingSeverity: VulnerabilitySeverity;
-  /** Maximum time for full audit in ms */
-  timeout: number;
-  /** Whether to auto-triage findings */
-  autoTriage: boolean;
-  /** Whether to send notifications */
-  sendNotifications: boolean;
-}
-
-/**
- * Full security audit result
- */
-export interface SecurityAuditResult {
-  readonly auditId: string;
-  readonly trigger: SecurityAuditTrigger;
-  readonly startedAt: Date;
-  readonly completedAt: Date;
-  readonly phase: AuditPhase;
-  readonly sastResult?: SASTResult;
-  readonly dastResult?: DASTResult;
-  readonly dependencyResult?: DependencyScanResult;
-  readonly secretResult?: SecretScanResult;
-  readonly complianceReports: ComplianceReport[];
-  readonly triagedFindings: TriagedFindings;
-  readonly overallRiskScore: RiskScore;
-  readonly recommendations: string[];
-  readonly deploymentDecision: DeploymentDecision;
-}
-
-/**
- * Triaged vulnerability findings
- */
-export interface TriagedFindings {
-  readonly critical: Vulnerability[];
-  readonly high: Vulnerability[];
-  readonly medium: Vulnerability[];
-  readonly low: Vulnerability[];
-  readonly informational: Vulnerability[];
-  readonly secretsExposed: DetectedSecret[];
-}
-
-/**
- * Deployment decision based on security audit
- */
-export interface DeploymentDecision {
-  readonly allowed: boolean;
-  readonly reason: string;
-  readonly blockingIssues: string[];
-  readonly warnings: string[];
-}
-
-// ============================================================================
-// Protocol Events
-// ============================================================================
-
-/**
- * Security audit protocol event types
- */
-export const SecurityAuditProtocolEvents = {
-  SecurityAuditStarted: 'security-audit.SecurityAuditStarted',
-  VulnerabilityDetected: 'security-audit.VulnerabilityDetected',
-  DependencyVulnerabilityFound: 'security-audit.DependencyVulnerabilityFound',
-  SecretExposureDetected: 'security-audit.SecretExposureDetected',
-  ComplianceValidated: 'security-audit.ComplianceValidated',
-  SecurityAuditCompleted: 'security-audit.SecurityAuditCompleted',
-  DeploymentBlocked: 'security-audit.DeploymentBlocked',
-} as const;
-
-/**
- * Security audit started payload
- */
-export interface SecurityAuditStartedPayload {
-  auditId: string;
-  trigger: SecurityAuditTrigger;
-  timestamp: string;
-  config: Partial<SecurityAuditConfig>;
-}
-
-/**
- * Dependency vulnerability found payload
- */
-export interface DependencyVulnerabilityPayload {
-  vulnId: string;
-  cve?: string;
-  packageName: string;
-  packageVersion: string;
-  severity: Severity;
-  fixVersion?: string;
-}
-
-/**
- * Secret exposure detected payload
- */
-export interface SecretExposurePayload {
-  secretType: DetectedSecret['type'];
-  file: string;
-  line?: number;
-  entropy: number;
-  isValid: boolean;
-}
-
-/**
- * Security audit completed payload
- */
-export interface SecurityAuditCompletedPayload {
-  auditId: string;
-  trigger: SecurityAuditTrigger;
-  duration: number;
-  vulnerabilityCounts: {
-    critical: number;
-    high: number;
-    medium: number;
-    low: number;
-  };
-  secretsFound: number;
-  complianceScore: number;
-  deploymentAllowed: boolean;
-}
-
-// ============================================================================
-// Default Configuration
-// ============================================================================
-
-const DEFAULT_CONFIG: SecurityAuditConfig = {
-  complianceStandards: ['soc2', 'gdpr'],
-  scanPaths: ['src/**/*', 'lib/**/*'],
-  excludePatterns: ['node_modules/**', 'dist/**', 'coverage/**', '**/*.test.*'],
-  enableDAST: false,
-  enableSecretScan: true,
-  blockingSeverity: 'critical',
-  timeout: 600000, // 10 minutes
-  autoTriage: true,
-  sendNotifications: true,
-};
-
-// ============================================================================
-// Security Audit Protocol Implementation
-// ============================================================================
-
-/**
- * Security Audit Protocol
- *
- * Orchestrates comprehensive security auditing across multiple domains:
- * - security-compliance: All security scanning services
- * - code-intelligence: File analysis context
- * - quality-assessment: Security metrics for gate
- * - defect-intelligence: Security defect patterns
- */
-export class SecurityAuditProtocol {
-  private readonly config: SecurityAuditConfig;
-  private currentAudit: SecurityAuditResult | null = null;
-  private readonly activeAgents: Map<string, string> = new Map();
-  private securityScanner: ISecurityScannerService | null = null;
-
-  constructor(
-    private readonly eventBus: EventBus,
-    private readonly memory: MemoryBackend,
-    private readonly agentCoordinator: AgentCoordinator,
-    config: Partial<SecurityAuditConfig> = {}
-  ) {
-    this.config = { ...DEFAULT_CONFIG, ...config };
-  }
-
-  /**
-   * Get or create the SecurityScannerService instance
-   * Lazily initialized to avoid constructor complexity
-   */
-  private getSecurityScanner(): ISecurityScannerService {
-    if (!this.securityScanner) {
-      this.securityScanner = new SecurityScannerService(this.memory);
-    }
-    return this.securityScanner;
-  }
-
-  // ==========================================================================
-  // Main Protocol Execution
-  // ==========================================================================
-
-  /**
-   * Execute security audit based on trigger type
-   */
-  async execute(trigger: SecurityAuditTrigger): Promise<Result<SecurityAuditResult>> {
-    const auditId = uuidv4();
-    const startedAt = new Date();
-
-    try {
-      // Publish audit started event
-      await this.publishAuditStarted(auditId, trigger);
-
-      // Initialize audit result
-      this.currentAudit = {
-        auditId,
-        trigger,
-        startedAt,
-        completedAt: startedAt, // Updated at end
-        phase: 'initializing',
-        complianceReports: [],
-        triagedFindings: this.createEmptyTriagedFindings(),
-        overallRiskScore: RiskScore.create(0),
-        recommendations: [],
-        deploymentDecision: { allowed: true, reason: '', blockingIssues: [], warnings: [] },
-      };
-
-      // Adjust scope based on trigger
-      const auditOptions = this.getAuditOptionsForTrigger(trigger);
-
-      // Phase 1: Vulnerability Scan (SAST)
-      this.updatePhase('vulnerability-scan');
-      const sastResult = await this.scanVulnerabilities(auditOptions);
-      if (sastResult.success) {
-        this.currentAudit = { ...this.currentAudit, sastResult: sastResult.value };
-        await this.publishVulnerabilities(sastResult.value.vulnerabilities);
-      }
-
-      // Phase 2: Dependency Scan
-      this.updatePhase('dependency-scan');
-      const depResult = await this.scanDependencies();
-      if (depResult.success) {
-        this.currentAudit = { ...this.currentAudit, dependencyResult: depResult.value };
-        await this.publishDependencyVulnerabilities(depResult.value.vulnerabilities);
-      }
-
-      // Phase 3: Secret Scan (if enabled)
-      if (this.config.enableSecretScan) {
-        this.updatePhase('secret-scan');
-        const secretResult = await this.auditSecrets();
-        if (secretResult.success) {
-          this.currentAudit = { ...this.currentAudit, secretResult: secretResult.value };
-          await this.publishSecretExposures(secretResult.value.secretsFound);
-        }
-      }
-
-      // Phase 4: DAST Scan (if enabled and URL provided)
-      if (this.config.enableDAST && this.config.targetUrl) {
-        const dastResult = await this.runDASTScan(this.config.targetUrl);
-        if (dastResult.success) {
-          this.currentAudit = { ...this.currentAudit, dastResult: dastResult.value };
-          await this.publishVulnerabilities(dastResult.value.vulnerabilities);
-        }
-      }
-
-      // Phase 5: Compliance Validation
-      this.updatePhase('compliance-validation');
-      const complianceResult = await this.validateCompliance();
-      if (complianceResult.success) {
-        this.currentAudit = {
-          ...this.currentAudit,
-          complianceReports: complianceResult.value,
-        };
-        await this.publishComplianceResults(complianceResult.value);
-      }
-
-      // Phase 6: Triage Findings
-      this.updatePhase('triage');
-      const triagedFindings = await this.triageFindings();
-      this.currentAudit = { ...this.currentAudit, triagedFindings };
-
-      // Phase 7: Generate Report
-      this.updatePhase('report-generation');
-      const report = await this.generateReport();
-
-      // Finalize audit
-      const completedAt = new Date();
-      const finalResult: SecurityAuditResult = {
-        ...this.currentAudit,
-        completedAt,
-        phase: 'completed',
-        overallRiskScore: report.riskScore,
-        recommendations: report.recommendations,
-        deploymentDecision: report.deploymentDecision,
-      };
-
-      // Store audit result
-      await this.storeAuditResult(finalResult);
-
-      // Publish completion event
-      await this.publishAuditCompleted(finalResult);
-
-      // Handle critical findings
-      if (!finalResult.deploymentDecision.allowed) {
-        await this.handleDeploymentBlocked(finalResult);
-      }
-
-      // Cleanup agents
-      await this.cleanupAgents();
-
-      this.currentAudit = null;
-
-      return ok(finalResult);
-    } catch (error) {
-      this.updatePhase('failed');
-      await this.cleanupAgents();
-      this.currentAudit = null;
-      return err(error instanceof Error ? error : new Error(String(error)));
-    }
-  }
-
-  // ==========================================================================
-  // Scanning Methods
-  // ==========================================================================
-
-  /**
-   * Scan for vulnerabilities using SAST
-   * Delegates to real SecurityScannerService with semgrep integration when available
-   */
-  async scanVulnerabilities(options: SecurityAuditOptions): Promise<Result<SASTResult>> {
-    try {
-      // Spawn security scanner agent for coordination tracking
-      const agentId = await this.spawnAgent('security-scanner', ['sast', 'vulnerability-scan']);
-      if (!agentId.success) {
-        return err(agentId.error);
-      }
-
-      const files = this.config.scanPaths.map(path => FilePath.create(path));
-
-      // Try real SecurityScannerService first
-      try {
-        const scanner = this.getSecurityScanner();
-        const ruleSetIds = options.ruleSetIds || ['owasp-top-10', 'cwe-sans-25'];
-        const scanResult = await scanner.scanWithRules(files, ruleSetIds);
-
-        if (scanResult.success) {
-          return ok(scanResult.value);
-        }
-        // If scanner fails, continue to fallback
-      } catch (scannerError) {
-        // Scanner unavailable - log and continue to fallback
-        await this.memory.set(
-          'security-audit:scanner-error',
-          { error: String(scannerError), timestamp: new Date().toISOString() },
-          { namespace: 'security-compliance', ttl: 3600 }
-        );
-      }
-
-      // Try semgrep if available as secondary option
-      const semgrepAvailable = await isSemgrepAvailable();
-      if (semgrepAvailable) {
-        try {
-          const semgrepResult = await runSemgrepWithRules(
-            this.config.scanPaths[0] || '.',
-            options.ruleSetIds || ['owasp-top-10']
-          );
-
-          if (semgrepResult.success && semgrepResult.findings.length > 0) {
-            const convertedFindings = convertSemgrepFindings(semgrepResult.findings);
-            const vulnerabilities: Vulnerability[] = convertedFindings.map(f => ({
-              id: uuidv4(),
-              cveId: undefined,
-              title: f.title,
-              description: f.description,
-              severity: f.severity as VulnerabilitySeverity,
-              category: this.mapSemgrepCategory(f.owaspCategory || 'injection'),
-              location: {
-                file: f.file,
-                line: f.line,
-                column: f.column,
-                snippet: f.snippet,
-              },
-              remediation: {
-                description: f.remediation,
-                estimatedEffort: 'moderate',
-                automatable: false,
-              },
-              references: f.references,
-            }));
-
-            const summary = this.calculateSummary(vulnerabilities);
-
-            return ok({
-              scanId: uuidv4(),
-              vulnerabilities,
-              summary,
-              coverage: {
-                filesScanned: files.length,
-                linesScanned: vulnerabilities.length * 50,
-                rulesApplied: 45,
-              },
-            });
-          }
-        } catch (semgrepError) {
-          // Semgrep failed - log error
-          await this.memory.set(
-            'security-audit:semgrep-error',
-            { error: String(semgrepError), timestamp: new Date().toISOString() },
-            { namespace: 'security-compliance', ttl: 3600 }
-          );
-        }
-      }
-
-      // NO FALLBACK - Security scans must either succeed or fail explicitly
-      // An empty vulnerability list would falsely indicate "scan succeeded, nothing found"
-      // when in reality we couldn't scan at all
-      return err(new Error(
-        'SAST scanning unavailable: neither SecurityScannerService nor semgrep could execute. ' +
-        'Install semgrep (pip install semgrep) or ensure SecurityScannerService is properly configured.'
-      ));
-    } catch (error) {
-      return err(error instanceof Error ? error : new Error(String(error)));
-    }
-  }
-
-  /**
-   * Map semgrep OWASP category to VulnerabilityCategory
-   */
-  private mapSemgrepCategory(owaspCategory: string): VulnerabilityCategory {
-    const categoryMap: Record<string, VulnerabilityCategory> = {
-      'A01': 'access-control',
-      'A02': 'sensitive-data',
-      'A03': 'injection',
-      'A04': 'insecure-deserialization',
-      'A05': 'security-misconfiguration',
-      'A06': 'vulnerable-components',
-      'A07': 'broken-auth',
-      'A08': 'insecure-deserialization',
-      'A09': 'insufficient-logging',
-      'A10': 'xxe',
-      'injection': 'injection',
-      'xss': 'xss',
-      'broken-auth': 'broken-auth',
-    };
-    return categoryMap[owaspCategory] || 'security-misconfiguration';
-  }
-
-  /**
-   * Scan dependencies for vulnerabilities
-   * Delegates to real SecurityScannerService which uses OSV API for real vulnerability data
-   */
-  async scanDependencies(): Promise<Result<DependencyScanResult>> {
-    try {
-      const agentId = await this.spawnAgent('dependency-scanner', ['sca', 'dependency-scan']);
-      if (!agentId.success) {
-        return err(agentId.error);
-      }
-
-      // Try real SecurityScannerService with OSV API integration
-      try {
-        const scanner = this.getSecurityScanner();
-
-        // Try to scan package.json if it exists
-        const packageJsonPath = this.findPackageJsonPath();
-        if (packageJsonPath) {
-          const scanResult = await scanner.scanPackageJson(packageJsonPath);
-
-          if (scanResult.success) {
-            // Convert scanner result to protocol result format
-            return ok({
-              vulnerabilities: scanResult.value.vulnerabilities,
-              outdatedPackages: [],
-              summary: scanResult.value.summary,
-            });
-          }
-        }
-      } catch (scannerError) {
-        // Scanner unavailable - log error
-        await this.memory.set(
-          'security-audit:dependency-scanner-error',
-          { error: String(scannerError), timestamp: new Date().toISOString() },
-          { namespace: 'security-compliance', ttl: 3600 }
-        );
-      }
-
-      // NO FALLBACK - Dependency scans must either succeed or fail explicitly
-      // An empty vulnerability list would falsely indicate "scan succeeded, no vulnerable deps"
-      // when in reality we couldn't scan at all
-      return err(new Error(
-        'Dependency scanning unavailable: SecurityScannerService could not scan package.json. ' +
-        'Ensure package.json exists and SecurityScannerService is properly configured.'
-      ));
-    } catch (error) {
-      return err(error instanceof Error ? error : new Error(String(error)));
-    }
-  }
-
-  /**
-   * Find package.json path from scan paths or current directory
-   */
-  private findPackageJsonPath(): string | null {
-    // Check common locations
-    const candidates = [
-      'package.json',
-      './package.json',
-      '../package.json',
-    ];
-
-    // Add scan paths if they look like project roots
-    for (const scanPath of this.config.scanPaths) {
-      if (scanPath.includes('src') || scanPath.includes('lib')) {
-        const projectRoot = scanPath.split('/src')[0].split('/lib')[0];
-        if (projectRoot) {
-          candidates.push(`${projectRoot}/package.json`);
-        }
-      }
-    }
-
-    // Return first candidate (real check happens in scanner)
-    return candidates[0] || null;
-  }
-
-  /**
-   * Audit for exposed secrets/credentials
-   */
-  async auditSecrets(): Promise<Result<SecretScanResult>> {
-    try {
-      const agentId = await this.spawnAgent('secret-scanner', ['secret-scan', 'credential-audit']);
-      if (!agentId.success) {
-        return err(agentId.error);
-      }
-
-      const secretsFound: DetectedSecret[] = [];
-
-      // In production, this would scan actual files with patterns like:
-      // - API keys: /(?:api[_-]?key|apikey)/gi
-      // - Passwords: /(?:password|passwd|pwd)/gi
-      // - Tokens: /(?:secret|token|bearer)/gi
-      // - Private keys: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/gi
-      // For now, report no secrets found (clean scan)
-
-      return ok({
-        secretsFound,
-        filesScanned: this.config.scanPaths.length * 10, // Estimate
-      });
-    } catch (error) {
-      return err(error instanceof Error ? error : new Error(String(error)));
-    }
-  }
-
-  /**
-   * Run DAST scan against target URL
-   * Delegates to real SecurityScannerService for dynamic application security testing
-   */
-  private async runDASTScan(targetUrl: string): Promise<Result<DASTResult>> {
-    try {
-      const agentId = await this.spawnAgent('dast-scanner', ['dast', 'dynamic-scan']);
-      if (!agentId.success) {
-        return err(agentId.error);
-      }
-
-      // Try real SecurityScannerService for DAST
-      try {
-        const scanner = this.getSecurityScanner();
-        const scanResult = await scanner.scanUrl(targetUrl, {
-          maxDepth: 5,
-          activeScanning: false, // Passive by default for safety
-          timeout: this.config.timeout,
-        });
-
-        if (scanResult.success) {
-          return ok(scanResult.value);
-        }
-      } catch (scannerError) {
-        // Scanner unavailable - log error
-        await this.memory.set(
-          'security-audit:dast-scanner-error',
-          { error: String(scannerError), timestamp: new Date().toISOString() },
-          { namespace: 'security-compliance', ttl: 3600 }
-        );
-      }
-
-      // NO FALLBACK - DAST scans must either succeed or fail explicitly
-      // An empty vulnerability list would falsely indicate "scan succeeded, target is secure"
-      // when in reality we couldn't scan at all
-      return err(new Error(
-        `DAST scanning unavailable: SecurityScannerService could not scan ${targetUrl}. ` +
-        'Ensure the target URL is accessible and SecurityScannerService is properly configured.'
-      ));
-    } catch (error) {
-      return err(error instanceof Error ? error : new Error(String(error)));
-    }
-  }
-
-  /**
-   * Validate against compliance standards
-   */
-  async validateCompliance(): Promise<Result<ComplianceReport[]>> {
-    try {
-      const agentId = await this.spawnAgent('compliance-validator', ['compliance', 'audit']);
-      if (!agentId.success) {
-        return err(agentId.error);
-      }
-
-      const reports: ComplianceReport[] = [];
-
-      for (const standardId of this.config.complianceStandards) {
-        const report = await this.validateStandard(standardId);
-        if (report.success) {
-          reports.push(report.value);
-        }
-      }
-
-      return ok(reports);
-    } catch (error) {
-      return err(error instanceof Error ? error : new Error(String(error)));
-    }
-  }
-
-  /**
-   * Generate comprehensive security report
-   */
-  async generateReport(): Promise<{
-    riskScore: RiskScore;
-    recommendations: string[];
-    deploymentDecision: DeploymentDecision;
-  }> {
-    if (!this.currentAudit) {
-      return {
-        riskScore: RiskScore.create(0),
-        recommendations: [],
-        deploymentDecision: { allowed: true, reason: 'No audit data', blockingIssues: [], warnings: [] },
-      };
-    }
-
-    // Calculate risk score
-    const riskValue = this.calculateRiskValue();
-    const riskScore = RiskScore.create(Math.min(1, Math.max(0, riskValue)));
-
-    // Generate recommendations
-    const recommendations = this.generateRecommendations();
-
-    // Determine deployment decision
-    const deploymentDecision = this.determineDeploymentDecision(riskScore);
-
-    return { riskScore, recommendations, deploymentDecision };
-  }
-
-  /**
-   * Triage findings by severity and priority
-   */
-  async triageFindings(): Promise<TriagedFindings> {
-    const triaged: TriagedFindings = this.createEmptyTriagedFindings();
-
-    if (!this.currentAudit) return triaged;
-
-    // Collect all vulnerabilities
-    const allVulns: Vulnerability[] = [];
-
-    if (this.currentAudit.sastResult) {
-      allVulns.push(...this.currentAudit.sastResult.vulnerabilities);
-    }
-    if (this.currentAudit.dastResult) {
-      allVulns.push(...this.currentAudit.dastResult.vulnerabilities);
-    }
-    if (this.currentAudit.dependencyResult) {
-      allVulns.push(...this.currentAudit.dependencyResult.vulnerabilities);
-    }
-
-    // Triage by severity
-    for (const vuln of allVulns) {
-      switch (vuln.severity) {
-        case 'critical':
-          triaged.critical.push(vuln);
-          break;
-        case 'high':
-          triaged.high.push(vuln);
-          break;
-        case 'medium':
-          triaged.medium.push(vuln);
-          break;
-        case 'low':
-          triaged.low.push(vuln);
-          break;
-        case 'informational':
-          triaged.informational.push(vuln);
-          break;
-      }
-    }
-
-    // Add secrets
-    if (this.currentAudit.secretResult) {
-      triaged.secretsExposed.push(...this.currentAudit.secretResult.secretsFound);
-    }
-
-    // Sort each category by remediation effort (trivial first)
-    const effortOrder = ['trivial', 'minor', 'moderate', 'major'];
-    const sortByEffort = (a: Vulnerability, b: Vulnerability) =>
-      effortOrder.indexOf(a.remediation.estimatedEffort) -
-      effortOrder.indexOf(b.remediation.estimatedEffort);
-
-    triaged.critical.sort(sortByEffort);
-    triaged.high.sort(sortByEffort);
-    triaged.medium.sort(sortByEffort);
-    triaged.low.sort(sortByEffort);
-
-    return triaged;
-  }
-
-  // ==========================================================================
-  // Event Publishing
-  // ==========================================================================
-
-  private async publishAuditStarted(auditId: string, trigger: SecurityAuditTrigger): Promise<void> {
-    const payload: SecurityAuditStartedPayload = {
-      auditId,
-      trigger,
-      timestamp: new Date().toISOString(),
-      config: {
-        complianceStandards: this.config.complianceStandards,
-        enableDAST: this.config.enableDAST,
-        enableSecretScan: this.config.enableSecretScan,
-      },
-    };
-
-    const event = createEvent(
-      SecurityAuditProtocolEvents.SecurityAuditStarted,
-      'security-compliance',
-      payload
-    );
-
-    await this.eventBus.publish(event);
-  }
-
-  private async publishVulnerabilities(vulnerabilities: Vulnerability[]): Promise<void> {
-    for (const vuln of vulnerabilities) {
-      if (vuln.severity === 'critical' || vuln.severity === 'high') {
-        const payload: VulnerabilityPayload = {
-          vulnId: vuln.id,
-          cve: vuln.cveId,
-          severity: vuln.severity as Severity,
-          file: vuln.location.file,
-          line: vuln.location.line,
-          description: vuln.description,
-          remediation: vuln.remediation.description,
-        };
-
-        const event = createEvent(
-          SecurityAuditProtocolEvents.VulnerabilityDetected,
-          'security-compliance',
-          payload
-        );
-
-        await this.eventBus.publish(event);
-      }
-    }
-  }
-
-  private async publishDependencyVulnerabilities(vulnerabilities: Vulnerability[]): Promise<void> {
-    for (const vuln of vulnerabilities) {
-      if (vuln.location.dependency) {
-        const payload: DependencyVulnerabilityPayload = {
-          vulnId: vuln.id,
-          cve: vuln.cveId,
-          packageName: vuln.location.dependency.name,
-          packageVersion: vuln.location.dependency.version,
-          severity: vuln.severity as Severity,
-          fixVersion: vuln.remediation.fixExample,
-        };
-
-        const event = createEvent(
-          SecurityAuditProtocolEvents.DependencyVulnerabilityFound,
-          'security-compliance',
-          payload
-        );
-
-        await this.eventBus.publish(event);
-      }
-    }
-  }
-
-  private async publishSecretExposures(secrets: DetectedSecret[]): Promise<void> {
-    for (const secret of secrets) {
-      const payload: SecretExposurePayload = {
-        secretType: secret.type,
-        file: secret.location.file,
-        line: secret.location.line,
-        entropy: secret.entropy,
-        isValid: secret.isValid,
-      };
-
-      const event = createEvent(
-        SecurityAuditProtocolEvents.SecretExposureDetected,
-        'security-compliance',
-        payload
-      );
-
-      await this.eventBus.publish(event);
-    }
-  }
-
-  private async publishComplianceResults(reports: ComplianceReport[]): Promise<void> {
-    for (const report of reports) {
-      const payload: CompliancePayload = {
-        standard: report.standardId,
-        passed: report.complianceScore >= 80,
-        violations: report.violations.length,
-        findings: report.violations.slice(0, 5).map(v => v.details),
-      };
-
-      const event = createEvent(
-        SecurityAuditProtocolEvents.ComplianceValidated,
-        'security-compliance',
-        payload
-      );
-
-      await this.eventBus.publish(event);
-    }
-  }
-
-  private async publishAuditCompleted(result: SecurityAuditResult): Promise<void> {
-    const duration = result.completedAt.getTime() - result.startedAt.getTime();
-
-    const payload: SecurityAuditCompletedPayload = {
-      auditId: result.auditId,
-      trigger: result.trigger,
-      duration,
-      vulnerabilityCounts: {
-        critical: result.triagedFindings.critical.length,
-        high: result.triagedFindings.high.length,
-        medium: result.triagedFindings.medium.length,
-        low: result.triagedFindings.low.length,
-      },
-      secretsFound: result.triagedFindings.secretsExposed.length,
-      complianceScore: this.calculateAverageComplianceScore(result.complianceReports),
-      deploymentAllowed: result.deploymentDecision.allowed,
-    };
-
-    const event = createEvent(
-      SecurityAuditProtocolEvents.SecurityAuditCompleted,
-      'security-compliance',
-      payload
-    );
-
-    await this.eventBus.publish(event);
-  }
-
-  private async handleDeploymentBlocked(result: SecurityAuditResult): Promise<void> {
-    const event = createEvent(
-      SecurityAuditProtocolEvents.DeploymentBlocked,
-      'security-compliance',
-      {
-        auditId: result.auditId,
-        reason: result.deploymentDecision.reason,
-        blockingIssues: result.deploymentDecision.blockingIssues,
-        riskLevel: result.overallRiskScore.level,
-      }
-    );
-
-    await this.eventBus.publish(event);
-
-    // Notify quality-assessment domain
-    const qualityEvent = createEvent(
-      'quality-assessment.SecurityGateFailed',
-      'security-compliance',
-      {
-        auditId: result.auditId,
-        criticalCount: result.triagedFindings.critical.length,
-        highCount: result.triagedFindings.high.length,
-        blockingIssues: result.deploymentDecision.blockingIssues,
-      }
-    );
-
-    await this.eventBus.publish(qualityEvent);
-  }
-
-  // ==========================================================================
-  // Agent Management
-  // ==========================================================================
-
-  private async spawnAgent(
-    type: string,
-    capabilities: string[]
-  ): Promise<Result<string, Error>> {
-    if (!this.agentCoordinator.canSpawn()) {
-      return err(new Error('Agent limit reached'));
-    }
-
-    const config: AgentSpawnConfig = {
-      name: `security-audit-${type}-${uuidv4().slice(0, 8)}`,
-      domain: 'security-compliance',
-      type: 'analyzer',
-      capabilities,
-      config: {
-        auditId: this.currentAudit?.auditId,
-        phase: this.currentAudit?.phase,
-      },
-    };
-
-    const result = await this.agentCoordinator.spawn(config);
-    if (result.success) {
-      this.activeAgents.set(result.value, type);
-    }
-
-    return result;
-  }
-
-  private async cleanupAgents(): Promise<void> {
-    for (const [agentId] of this.activeAgents) {
-      await this.agentCoordinator.stop(agentId);
-    }
-    this.activeAgents.clear();
-  }
-
-  // ==========================================================================
-  // Helper Methods
-  // ==========================================================================
-
-  private getAuditOptionsForTrigger(trigger: SecurityAuditTrigger): SecurityAuditOptions {
-    switch (trigger) {
-      case 'daily':
-        // Full comprehensive scan
-        return {
-          includeSAST: true,
-          includeDAST: this.config.enableDAST,
-          includeDependencies: true,
-          includeSecrets: this.config.enableSecretScan,
-          targetUrl: this.config.targetUrl,
-        };
-      case 'dependency-update':
-        // Focus on dependency scanning
-        return {
-          includeSAST: false,
-          includeDAST: false,
-          includeDependencies: true,
-          includeSecrets: false,
-        };
-      case 'manual':
-        // Full scan
-        return {
-          includeSAST: true,
-          includeDAST: this.config.enableDAST,
-          includeDependencies: true,
-          includeSecrets: this.config.enableSecretScan,
-          targetUrl: this.config.targetUrl,
-        };
-      case 'pre-release':
-        // Critical security checks only
-        return {
-          includeSAST: true,
-          includeDAST: this.config.enableDAST,
-          includeDependencies: true,
-          includeSecrets: true, // Always check secrets before release
-          targetUrl: this.config.targetUrl,
-        };
-      default:
-        return {
-          includeSAST: true,
-          includeDAST: false,
-          includeDependencies: true,
-          includeSecrets: true,
-        };
-    }
-  }
-
-  private updatePhase(phase: AuditPhase): void {
-    if (this.currentAudit) {
-      this.currentAudit = { ...this.currentAudit, phase };
-    }
-  }
-
-  private createEmptyTriagedFindings(): TriagedFindings {
-    return {
-      critical: [],
-      high: [],
-      medium: [],
-      low: [],
-      informational: [],
-      secretsExposed: [],
-    };
-  }
-
-  private calculateSummary(vulnerabilities: Vulnerability[]): ScanSummary {
-    let critical = 0;
-    let high = 0;
-    let medium = 0;
-    let low = 0;
-    let informational = 0;
-
-    for (const vuln of vulnerabilities) {
-      switch (vuln.severity) {
-        case 'critical': critical++; break;
-        case 'high': high++; break;
-        case 'medium': medium++; break;
-        case 'low': low++; break;
-        case 'informational': informational++; break;
-      }
-    }
-
-    return {
-      critical,
-      high,
-      medium,
-      low,
-      informational,
-      totalFiles: 0,
-      scanDurationMs: 0,
-    };
-  }
-
-  private calculateRiskValue(): number {
-    if (!this.currentAudit) return 0;
-
-    let risk = 0;
-
-    // Weight vulnerabilities by severity
-    risk += this.currentAudit.triagedFindings.critical.length * 0.4;
-    risk += this.currentAudit.triagedFindings.high.length * 0.25;
-    risk += this.currentAudit.triagedFindings.medium.length * 0.1;
-    risk += this.currentAudit.triagedFindings.low.length * 0.02;
-
-    // Add weight for exposed secrets (very serious)
-    risk += this.currentAudit.triagedFindings.secretsExposed.length * 0.5;
-
-    // Factor in compliance scores
-    const avgCompliance = this.calculateAverageComplianceScore(this.currentAudit.complianceReports);
-    if (avgCompliance < 50) {
-      risk += 0.3;
-    } else if (avgCompliance < 80) {
-      risk += 0.1;
-    }
-
-    return Math.min(1, risk);
-  }
-
-  private calculateAverageComplianceScore(reports: ComplianceReport[]): number {
-    if (reports.length === 0) return 100;
-    const sum = reports.reduce((acc, r) => acc + r.complianceScore, 0);
-    return sum / reports.length;
-  }
-
-  private generateRecommendations(): string[] {
-    const recommendations: string[] = [];
-
-    if (!this.currentAudit) return recommendations;
-
-    const { triagedFindings, complianceReports } = this.currentAudit;
-
-    // Critical findings
-    if (triagedFindings.critical.length > 0) {
-      recommendations.push(
-        `URGENT: Address ${triagedFindings.critical.length} critical vulnerabilities immediately`
-      );
-    }
-
-    // High severity
-    if (triagedFindings.high.length > 0) {
-      recommendations.push(
-        `Address ${triagedFindings.high.length} high-severity vulnerabilities within 24 hours`
-      );
-    }
-
-    // Secrets
-    if (triagedFindings.secretsExposed.length > 0) {
-      recommendations.push(
-        `CRITICAL: ${triagedFindings.secretsExposed.length} exposed secrets detected - rotate credentials immediately`
-      );
-    }
-
-    // Compliance
-    for (const report of complianceReports) {
-      if (report.complianceScore < 80) {
-        recommendations.push(
-          `Improve ${report.standardName} compliance from ${report.complianceScore}% to at least 80%`
-        );
-      }
-    }
-
-    // Medium/Low
-    const mediumLowCount = triagedFindings.medium.length + triagedFindings.low.length;
-    if (mediumLowCount > 10) {
-      recommendations.push(
-        `Schedule remediation for ${mediumLowCount} medium/low severity issues`
-      );
-    }
-
-    if (recommendations.length === 0) {
-      recommendations.push('Security posture is good. Continue regular scanning.');
-    }
-
-    return recommendations;
-  }
-
-  private determineDeploymentDecision(_riskScore: RiskScore): DeploymentDecision {
-    const blockingIssues: string[] = [];
-    const warnings: string[] = [];
-
-    if (!this.currentAudit) {
-      return { allowed: true, reason: 'No audit data', blockingIssues, warnings };
-    }
-
-    const { triagedFindings, complianceReports } = this.currentAudit;
-
-    // Check critical vulnerabilities
-    if (triagedFindings.critical.length > 0) {
-      blockingIssues.push(`${triagedFindings.critical.length} critical vulnerabilities`);
-    }
-
-    // Check secrets
-    if (triagedFindings.secretsExposed.length > 0) {
-      blockingIssues.push(`${triagedFindings.secretsExposed.length} exposed secrets`);
-    }
-
-    // Check blocking severity threshold - block deployment if vulnerabilities exceed threshold
-    const severityCounts: Record<VulnerabilitySeverity, number> = {
-      critical: triagedFindings.critical.length,
-      high: triagedFindings.high.length,
-      medium: triagedFindings.medium.length,
-      low: triagedFindings.low.length,
-      informational: triagedFindings.informational.length,
-    };
-
-    // Block if configured severity level has issues
-    if (severityCounts[this.config.blockingSeverity] > 0) {
-      blockingIssues.push(
-        `${severityCounts[this.config.blockingSeverity]} ${this.config.blockingSeverity}-severity vulnerabilities`
-      );
-    }
-
-    // Warnings for non-blocking issues
-    if (triagedFindings.high.length > 0 && this.config.blockingSeverity !== 'high') {
-      warnings.push(`${triagedFindings.high.length} high-severity vulnerabilities require attention`);
-    }
-
-    // Compliance failures
-    for (const report of complianceReports) {
-      if (report.complianceScore < 50) {
-        blockingIssues.push(`${report.standardName} compliance score ${report.complianceScore}% is below 50%`);
-      } else if (report.complianceScore < 80) {
-        warnings.push(`${report.standardName} compliance score is ${report.complianceScore}%`);
-      }
-    }
-
-    const allowed = blockingIssues.length === 0;
-    const reason = allowed
-      ? 'All security checks passed'
-      : `Deployment blocked due to: ${blockingIssues.join(', ')}`;
-
-    return { allowed, reason, blockingIssues, warnings };
-  }
-
-  private async storeAuditResult(result: SecurityAuditResult): Promise<void> {
-    await this.memory.set(
-      `security-audit:${result.auditId}`,
-      result,
-      { namespace: 'security-compliance', persist: true }
-    );
-
-    // Also store latest audit reference
-    await this.memory.set(
-      'security-audit:latest',
-      { auditId: result.auditId, timestamp: result.completedAt.toISOString() },
-      { namespace: 'security-compliance' }
-    );
-  }
-
-  // ==========================================================================
-  // Security Analysis Methods
-  // ==========================================================================
-
-  /**
-   * Perform SAST analysis on source files
-   * Delegates to SecurityScannerService via agent coordination
-   */
-  private async performSASTAnalysis(
-    files: FilePath[],
-    _options: SecurityAuditOptions
-  ): Promise<Vulnerability[]> {
-    const vulnerabilities: Vulnerability[] = [];
-
-    // Apply static analysis patterns to each file
-    for (const filePath of files) {
-      const fileVulns = await this.analyzeFileForSecurityIssues(
-        filePath.value,
-        ['owasp-top-10'] // Default rule set
-      );
-      vulnerabilities.push(...fileVulns);
-    }
-
-    return vulnerabilities;
-  }
-
-  /**
-   * Analyze a single file for security issues using pattern matching
-   */
-  private async analyzeFileForSecurityIssues(
-    filePath: string,
-    _ruleSetIds: string[]
-  ): Promise<Vulnerability[]> {
-    const vulnerabilities: Vulnerability[] = [];
-
-    // Read file content from memory if cached, otherwise use file patterns
-    const fileKey = `code-intelligence:file:${filePath}`;
-    const fileContent = await this.memory.get<string>(fileKey);
-
-    if (!fileContent) {
-      // No cached content - return empty (file would need to be read in real impl)
-      return [];
-    }
-
-    // Security pattern definitions for SAST
-    const patterns = [
-      {
-        pattern: /eval\s*\(/g,
-        id: 'eval-usage',
-        title: 'Dangerous eval() Usage',
-        severity: 'high' as VulnerabilitySeverity,
-        category: 'injection' as VulnerabilityCategory,
-        cweId: 'CWE-95',
-        remediation: 'Avoid eval() and use safer alternatives like JSON.parse() or Function constructor',
-      },
-      {
-        pattern: /innerHTML\s*=/g,
-        id: 'innerhtml-xss',
-        title: 'Potential XSS via innerHTML',
-        severity: 'medium' as VulnerabilitySeverity,
-        category: 'xss' as VulnerabilityCategory,
-        cweId: 'CWE-79',
-        remediation: 'Use textContent or DOM APIs instead of innerHTML with untrusted data',
-      },
-      {
-        pattern: /new\s+Function\s*\(/g,
-        id: 'function-constructor',
-        title: 'Dynamic Function Constructor',
-        severity: 'high' as VulnerabilitySeverity,
-        category: 'injection' as VulnerabilityCategory,
-        cweId: 'CWE-95',
-        remediation: 'Avoid dynamic code execution from string input',
-      },
-      {
-        pattern: /child_process.*exec\s*\(/g,
-        id: 'command-injection',
-        title: 'Potential Command Injection',
-        severity: 'critical' as VulnerabilitySeverity,
-        category: 'injection' as VulnerabilityCategory,
-        cweId: 'CWE-78',
-        remediation: 'Use execFile with array arguments instead of exec with string',
-      },
-    ];
-
-    const lines = fileContent.split('\n');
-    for (const { pattern, id, title, severity, category, cweId, remediation } of patterns) {
-      for (let lineNum = 0; lineNum < lines.length; lineNum++) {
-        const line = lines[lineNum];
-        if (pattern.test(line)) {
-          vulnerabilities.push({
-            id: `${id}-${filePath}-${lineNum}`,
-            title,
-            description: `Security issue detected in ${filePath} at line ${lineNum + 1}`,
-            severity,
-            category,
-            cveId: undefined,
-            location: {
-              file: filePath,
-              line: lineNum + 1,
-              snippet: line.trim().substring(0, 100),
-            },
-            remediation: {
-              description: remediation,
-              estimatedEffort: 'minor',
-              automatable: false,
-            },
-            references: [`https://cwe.mitre.org/data/definitions/${cweId.replace('CWE-', '')}.html`],
-          });
-        }
-      }
-    }
-
-    return vulnerabilities;
-  }
-
-  /**
-   * Perform DAST analysis on target URL
-   * Note: Full DAST requires browser automation - this provides URL-based heuristics
-   */
-  private async performDASTAnalysis(targetUrl: string): Promise<Vulnerability[]> {
-    const vulnerabilities: Vulnerability[] = [];
-
-    // Analyze URL for potential security issues
-    try {
-      const url = new URL(targetUrl);
-
-      // Check for insecure protocol
-      if (url.protocol === 'http:' && !url.hostname.includes('localhost')) {
-        vulnerabilities.push({
-          id: `dast-insecure-http-${Date.now()}`,
-          title: 'Insecure HTTP Protocol',
-          description: 'Application is served over HTTP instead of HTTPS',
-          severity: 'high',
-          category: 'security-misconfiguration',
-          location: {
-            file: targetUrl,
-          },
-          remediation: {
-            description: 'Enforce HTTPS for all communications',
-            estimatedEffort: 'minor',
-            automatable: true,
-          },
-          references: ['https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework'],
-        });
-      }
-
-      // Check for sensitive parameters in URL
-      const sensitiveParams = ['password', 'token', 'key', 'secret', 'auth', 'api_key'];
-      for (const param of url.searchParams.keys()) {
-        if (sensitiveParams.some(s => param.toLowerCase().includes(s))) {
-          vulnerabilities.push({
-            id: `dast-sensitive-param-${param}-${Date.now()}`,
-            title: 'Sensitive Data in URL',
-            description: `Potentially sensitive parameter '${param}' found in URL query string`,
-            severity: 'medium',
-            category: 'sensitive-data',
-            location: {
-              file: targetUrl,
-            },
-            remediation: {
-              description: 'Avoid passing sensitive data in URL parameters. Use POST body or headers instead.',
-              estimatedEffort: 'moderate',
-              automatable: false,
-            },
-            references: ['https://cwe.mitre.org/data/definitions/598.html'],
-          });
-        }
-      }
-    } catch {
-      // Invalid URL - skip analysis
-    }
-
-    return vulnerabilities;
-  }
-
-  /**
-   * Check dependencies for known vulnerabilities using OSV database patterns
-   */
-  private async checkKnownDependencyVulnerabilities(): Promise<Vulnerability[]> {
-    const vulnerabilities: Vulnerability[] = [];
-
-    // Check cached dependency scan results
-    const depScanKey = 'security-compliance:dependency-scan:latest';
-    const cachedScan = await this.memory.get<{
-      vulnerabilities: Vulnerability[];
-      timestamp: string;
-    }>(depScanKey);
-
-    if (cachedScan) {
-      // Use cached results if less than 1 hour old
-      const cacheAge = Date.now() - new Date(cachedScan.timestamp).getTime();
-      if (cacheAge < 3600000) {
-        return cachedScan.vulnerabilities;
-      }
-    }
-
-    // Check for known vulnerable package patterns
-    const knownVulnerablePatterns = [
-      { name: 'lodash', beforeVersion: '4.17.21', cve: 'CVE-2021-23337', severity: 'high' as VulnerabilitySeverity },
-      { name: 'axios', beforeVersion: '0.21.1', cve: 'CVE-2021-3749', severity: 'high' as VulnerabilitySeverity },
-      { name: 'minimist', beforeVersion: '1.2.6', cve: 'CVE-2021-44906', severity: 'critical' as VulnerabilitySeverity },
-      { name: 'node-fetch', beforeVersion: '2.6.7', cve: 'CVE-2022-0235', severity: 'medium' as VulnerabilitySeverity },
-    ];
-
-    // Check package.json dependencies if available
-    const pkgKey = 'code-intelligence:package-json';
-    const pkgJson = await this.memory.get<{ dependencies?: Record<string, string> }>(pkgKey);
-
-    if (pkgJson?.dependencies) {
-      for (const [name, version] of Object.entries(pkgJson.dependencies)) {
-        const pattern = knownVulnerablePatterns.find(p => p.name === name);
-        if (pattern && this.isVersionVulnerable(version, pattern.beforeVersion)) {
-          vulnerabilities.push({
-            id: `dep-${pattern.cve}-${name}`,
-            cveId: pattern.cve,
-            title: `Vulnerable Dependency: ${name}`,
-            description: `Package ${name}@${version} has known vulnerabilities`,
-            severity: pattern.severity,
-            category: 'vulnerable-components',
-            location: {
-              file: 'package.json',
-              dependency: {
-                name,
-                version: version.replace(/^[\^~]/, ''),
-                ecosystem: 'npm',
-              },
-            },
-            remediation: {
-              description: `Upgrade ${name} to version ${pattern.beforeVersion} or later`,
-              estimatedEffort: 'minor',
-              automatable: true,
-            },
-            references: [`https://nvd.nist.gov/vuln/detail/${pattern.cve}`],
-          });
-        }
-      }
-    }
-
-    // Cache results
-    if (vulnerabilities.length > 0) {
-      await this.memory.set(depScanKey, {
-        vulnerabilities,
-        timestamp: new Date().toISOString(),
-      }, { namespace: 'security-compliance', ttl: 3600 });
-    }
-
-    return vulnerabilities;
-  }
-
-  /**
-   * Simple semver comparison for vulnerability checking
-   */
-  private isVersionVulnerable(currentVersion: string, fixedVersion: string): boolean {
-    const current = currentVersion.replace(/^[\^~>=<]/, '').split('.').map(Number);
-    const fixed = fixedVersion.split('.').map(Number);
-
-    for (let i = 0; i < Math.max(current.length, fixed.length); i++) {
-      const c = current[i] || 0;
-      const f = fixed[i] || 0;
-      if (c < f) return true;
-      if (c > f) return false;
-    }
-    return false;
-  }
-
-  /**
-   * Validate compliance against a specific standard
-   */
-  private async validateStandard(standardId: string): Promise<Result<ComplianceReport>> {
-    // Define compliance rules for common standards
-    const standardRules: Record<string, Array<{
-      id: string;
-      title: string;
-      check: () => Promise<boolean>;
-    }>> = {
-      'soc2': [
-        { id: 'soc2-access-control', title: 'Access Control Policy', check: async () => true },
-        { id: 'soc2-encryption', title: 'Data Encryption', check: async () => {
-          const hasHttps = this.config.targetUrl?.startsWith('https://') ?? true;
-          return hasHttps;
-        }},
-        { id: 'soc2-logging', title: 'Security Logging', check: async () => true },
-        { id: 'soc2-incident-response', title: 'Incident Response Plan', check: async () => true },
-      ],
-      'gdpr': [
-        { id: 'gdpr-data-minimization', title: 'Data Minimization', check: async () => true },
-        { id: 'gdpr-consent', title: 'User Consent Mechanisms', check: async () => true },
-        { id: 'gdpr-data-portability', title: 'Data Portability', check: async () => true },
-        { id: 'gdpr-right-to-erasure', title: 'Right to Erasure', check: async () => true },
-      ],
-      'owasp': [
-        { id: 'owasp-injection', title: 'Injection Prevention', check: async () => true },
-        { id: 'owasp-auth', title: 'Broken Authentication', check: async () => true },
-        { id: 'owasp-xss', title: 'Cross-Site Scripting', check: async () => true },
-        { id: 'owasp-access-control', title: 'Broken Access Control', check: async () => true },
-      ],
-    };
-
-    const rules = standardRules[standardId.toLowerCase()] || [];
-    const passedRules: string[] = [];
-    const violations: { ruleId: string; ruleName: string; location: VulnerabilityLocation; details: string; remediation: string }[] = [];
-
-    for (const rule of rules) {
-      const passed = await rule.check();
-      if (passed) {
-        passedRules.push(rule.id);
-      } else {
-        violations.push({
-          ruleId: rule.id,
-          ruleName: rule.title,
-          location: { file: 'application' },
-          details: `${rule.title} check failed`,
-          remediation: `Review and implement ${rule.title} requirements`,
-        });
-      }
-    }
-
-    const complianceScore = rules.length > 0
-      ? Math.round((passedRules.length / rules.length) * 100)
-      : 100;
-
-    return ok({
-      standardId,
-      standardName: standardId.toUpperCase(),
-      violations,
-      passedRules,
-      skippedRules: [],
-      complianceScore,
-      generatedAt: new Date(),
-    });
-  }
-}
-
-// ============================================================================
-// Factory Function
-// ============================================================================
-
-/**
- * Create a new SecurityAuditProtocol instance
- */
-export function createSecurityAuditProtocol(
-  eventBus: EventBus,
-  memory: MemoryBackend,
-  agentCoordinator: AgentCoordinator,
-  config?: Partial<SecurityAuditConfig>
-): SecurityAuditProtocol {
-  return new SecurityAuditProtocol(eventBus, memory, agentCoordinator, config);
-}