@connexum/ai-governance 1.0.0-beta.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2917) hide show
  1. package/LICENSE.md +78 -0
  2. package/README.md +582 -0
  3. package/dist/adapters/cursor.d.ts +85 -0
  4. package/dist/adapters/cursor.d.ts.map +1 -0
  5. package/dist/adapters/cursor.js +188 -0
  6. package/dist/adapters/cursor.js.map +1 -0
  7. package/dist/adapters/index.d.ts +250 -0
  8. package/dist/adapters/index.d.ts.map +1 -0
  9. package/dist/adapters/index.js +377 -0
  10. package/dist/adapters/index.js.map +1 -0
  11. package/dist/agents/compliance-agent-templates/dora.d.ts +53 -0
  12. package/dist/agents/compliance-agent-templates/dora.d.ts.map +1 -0
  13. package/dist/agents/compliance-agent-templates/dora.js +947 -0
  14. package/dist/agents/compliance-agent-templates/dora.js.map +1 -0
  15. package/dist/agents/compliance-agent-templates/eu-ai-act.d.ts +27 -0
  16. package/dist/agents/compliance-agent-templates/eu-ai-act.d.ts.map +1 -0
  17. package/dist/agents/compliance-agent-templates/eu-ai-act.js +721 -0
  18. package/dist/agents/compliance-agent-templates/eu-ai-act.js.map +1 -0
  19. package/dist/agents/compliance-agent-templates/gdpr.d.ts +25 -0
  20. package/dist/agents/compliance-agent-templates/gdpr.d.ts.map +1 -0
  21. package/dist/agents/compliance-agent-templates/gdpr.js +688 -0
  22. package/dist/agents/compliance-agent-templates/gdpr.js.map +1 -0
  23. package/dist/agents/compliance-agent-templates/hipaa.d.ts +23 -0
  24. package/dist/agents/compliance-agent-templates/hipaa.d.ts.map +1 -0
  25. package/dist/agents/compliance-agent-templates/hipaa.js +640 -0
  26. package/dist/agents/compliance-agent-templates/hipaa.js.map +1 -0
  27. package/dist/agents/compliance-agent-templates/iso27001.d.ts +30 -0
  28. package/dist/agents/compliance-agent-templates/iso27001.d.ts.map +1 -0
  29. package/dist/agents/compliance-agent-templates/iso27001.js +805 -0
  30. package/dist/agents/compliance-agent-templates/iso27001.js.map +1 -0
  31. package/dist/agents/compliance-agent-templates/iso42001.d.ts +42 -0
  32. package/dist/agents/compliance-agent-templates/iso42001.d.ts.map +1 -0
  33. package/dist/agents/compliance-agent-templates/iso42001.js +898 -0
  34. package/dist/agents/compliance-agent-templates/iso42001.js.map +1 -0
  35. package/dist/agents/compliance-agent-templates/nist-ai-rmf.d.ts +37 -0
  36. package/dist/agents/compliance-agent-templates/nist-ai-rmf.d.ts.map +1 -0
  37. package/dist/agents/compliance-agent-templates/nist-ai-rmf.js +819 -0
  38. package/dist/agents/compliance-agent-templates/nist-ai-rmf.js.map +1 -0
  39. package/dist/agents/compliance-agent-templates/pci-dss.d.ts +25 -0
  40. package/dist/agents/compliance-agent-templates/pci-dss.d.ts.map +1 -0
  41. package/dist/agents/compliance-agent-templates/pci-dss.js +658 -0
  42. package/dist/agents/compliance-agent-templates/pci-dss.js.map +1 -0
  43. package/dist/agents/compliance-agent-templates/soc2.d.ts +24 -0
  44. package/dist/agents/compliance-agent-templates/soc2.d.ts.map +1 -0
  45. package/dist/agents/compliance-agent-templates/soc2.js +643 -0
  46. package/dist/agents/compliance-agent-templates/soc2.js.map +1 -0
  47. package/dist/agents/compliance-agent-templates/types.d.ts +93 -0
  48. package/dist/agents/compliance-agent-templates/types.d.ts.map +1 -0
  49. package/dist/agents/compliance-agent-templates/types.js +34 -0
  50. package/dist/agents/compliance-agent-templates/types.js.map +1 -0
  51. package/dist/audit/audit-integrity.d.ts +88 -0
  52. package/dist/audit/audit-integrity.d.ts.map +1 -0
  53. package/dist/audit/audit-integrity.js +284 -0
  54. package/dist/audit/audit-integrity.js.map +1 -0
  55. package/dist/audit/chain-tamper-detector.d.ts +115 -0
  56. package/dist/audit/chain-tamper-detector.d.ts.map +1 -0
  57. package/dist/audit/chain-tamper-detector.js +256 -0
  58. package/dist/audit/chain-tamper-detector.js.map +1 -0
  59. package/dist/audit/compliance-reporter.d.ts +91 -0
  60. package/dist/audit/compliance-reporter.d.ts.map +1 -0
  61. package/dist/audit/compliance-reporter.js +471 -0
  62. package/dist/audit/compliance-reporter.js.map +1 -0
  63. package/dist/audit/destinations/custom-webhook.d.ts +189 -0
  64. package/dist/audit/destinations/custom-webhook.d.ts.map +1 -0
  65. package/dist/audit/destinations/custom-webhook.js +477 -0
  66. package/dist/audit/destinations/custom-webhook.js.map +1 -0
  67. package/dist/audit/destinations/datadog-logs.d.ts +241 -0
  68. package/dist/audit/destinations/datadog-logs.d.ts.map +1 -0
  69. package/dist/audit/destinations/datadog-logs.js +576 -0
  70. package/dist/audit/destinations/datadog-logs.js.map +1 -0
  71. package/dist/audit/destinations/sentinel.d.ts +336 -0
  72. package/dist/audit/destinations/sentinel.d.ts.map +1 -0
  73. package/dist/audit/destinations/sentinel.js +927 -0
  74. package/dist/audit/destinations/sentinel.js.map +1 -0
  75. package/dist/audit/destinations/sumo-logic.d.ts +227 -0
  76. package/dist/audit/destinations/sumo-logic.d.ts.map +1 -0
  77. package/dist/audit/destinations/sumo-logic.js +572 -0
  78. package/dist/audit/destinations/sumo-logic.js.map +1 -0
  79. package/dist/audit/event-bus.d.ts +79 -0
  80. package/dist/audit/event-bus.d.ts.map +1 -0
  81. package/dist/audit/event-bus.js +256 -0
  82. package/dist/audit/event-bus.js.map +1 -0
  83. package/dist/audit/narrative-generator.d.ts +91 -0
  84. package/dist/audit/narrative-generator.d.ts.map +1 -0
  85. package/dist/audit/narrative-generator.js +538 -0
  86. package/dist/audit/narrative-generator.js.map +1 -0
  87. package/dist/audit/narrative-types.d.ts +274 -0
  88. package/dist/audit/narrative-types.d.ts.map +1 -0
  89. package/dist/audit/narrative-types.js +115 -0
  90. package/dist/audit/narrative-types.js.map +1 -0
  91. package/dist/audit/provenance-signer.d.ts +158 -0
  92. package/dist/audit/provenance-signer.d.ts.map +1 -0
  93. package/dist/audit/provenance-signer.js +315 -0
  94. package/dist/audit/provenance-signer.js.map +1 -0
  95. package/dist/audit/redis-event-bus.d.ts +103 -0
  96. package/dist/audit/redis-event-bus.d.ts.map +1 -0
  97. package/dist/audit/redis-event-bus.js +310 -0
  98. package/dist/audit/redis-event-bus.js.map +1 -0
  99. package/dist/audit/report-templates/disclosure-accounting.d.ts +131 -0
  100. package/dist/audit/report-templates/disclosure-accounting.d.ts.map +1 -0
  101. package/dist/audit/report-templates/disclosure-accounting.js +195 -0
  102. package/dist/audit/report-templates/disclosure-accounting.js.map +1 -0
  103. package/dist/audit/report-templates/dora-ict-major-incident.d.ts +39 -0
  104. package/dist/audit/report-templates/dora-ict-major-incident.d.ts.map +1 -0
  105. package/dist/audit/report-templates/dora-ict-major-incident.js +227 -0
  106. package/dist/audit/report-templates/dora-ict-major-incident.js.map +1 -0
  107. package/dist/audit/report-templates/eu-ai-act-annex-iv.d.ts +38 -0
  108. package/dist/audit/report-templates/eu-ai-act-annex-iv.d.ts.map +1 -0
  109. package/dist/audit/report-templates/eu-ai-act-annex-iv.js +267 -0
  110. package/dist/audit/report-templates/eu-ai-act-annex-iv.js.map +1 -0
  111. package/dist/audit/report-templates/gdpr-data-subject-rights.d.ts +37 -0
  112. package/dist/audit/report-templates/gdpr-data-subject-rights.d.ts.map +1 -0
  113. package/dist/audit/report-templates/gdpr-data-subject-rights.js +235 -0
  114. package/dist/audit/report-templates/gdpr-data-subject-rights.js.map +1 -0
  115. package/dist/audit/report-templates/hipaa-breach-notification.d.ts +27 -0
  116. package/dist/audit/report-templates/hipaa-breach-notification.d.ts.map +1 -0
  117. package/dist/audit/report-templates/hipaa-breach-notification.js +197 -0
  118. package/dist/audit/report-templates/hipaa-breach-notification.js.map +1 -0
  119. package/dist/audit/report-templates/hipaa-security-incident.d.ts +28 -0
  120. package/dist/audit/report-templates/hipaa-security-incident.d.ts.map +1 -0
  121. package/dist/audit/report-templates/hipaa-security-incident.js +172 -0
  122. package/dist/audit/report-templates/hipaa-security-incident.js.map +1 -0
  123. package/dist/audit/report-templates/index.d.ts +86 -0
  124. package/dist/audit/report-templates/index.d.ts.map +1 -0
  125. package/dist/audit/report-templates/index.js +114 -0
  126. package/dist/audit/report-templates/index.js.map +1 -0
  127. package/dist/audit/report-templates/iso-42001-ams.d.ts +36 -0
  128. package/dist/audit/report-templates/iso-42001-ams.d.ts.map +1 -0
  129. package/dist/audit/report-templates/iso-42001-ams.js +262 -0
  130. package/dist/audit/report-templates/iso-42001-ams.js.map +1 -0
  131. package/dist/audit/report-templates/pci-dss-annual-attestation.d.ts +33 -0
  132. package/dist/audit/report-templates/pci-dss-annual-attestation.d.ts.map +1 -0
  133. package/dist/audit/report-templates/pci-dss-annual-attestation.js +211 -0
  134. package/dist/audit/report-templates/pci-dss-annual-attestation.js.map +1 -0
  135. package/dist/audit/report-templates/prompts/base.d.ts +94 -0
  136. package/dist/audit/report-templates/prompts/base.d.ts.map +1 -0
  137. package/dist/audit/report-templates/prompts/base.js +197 -0
  138. package/dist/audit/report-templates/prompts/base.js.map +1 -0
  139. package/dist/audit/report-templates/prompts/dora.d.ts +19 -0
  140. package/dist/audit/report-templates/prompts/dora.d.ts.map +1 -0
  141. package/dist/audit/report-templates/prompts/dora.js +121 -0
  142. package/dist/audit/report-templates/prompts/dora.js.map +1 -0
  143. package/dist/audit/report-templates/prompts/euaiact.d.ts +20 -0
  144. package/dist/audit/report-templates/prompts/euaiact.d.ts.map +1 -0
  145. package/dist/audit/report-templates/prompts/euaiact.js +126 -0
  146. package/dist/audit/report-templates/prompts/euaiact.js.map +1 -0
  147. package/dist/audit/report-templates/prompts/gdpr.d.ts +20 -0
  148. package/dist/audit/report-templates/prompts/gdpr.d.ts.map +1 -0
  149. package/dist/audit/report-templates/prompts/gdpr.js +126 -0
  150. package/dist/audit/report-templates/prompts/gdpr.js.map +1 -0
  151. package/dist/audit/report-templates/prompts/hipaa.d.ts +32 -0
  152. package/dist/audit/report-templates/prompts/hipaa.d.ts.map +1 -0
  153. package/dist/audit/report-templates/prompts/hipaa.js +98 -0
  154. package/dist/audit/report-templates/prompts/hipaa.js.map +1 -0
  155. package/dist/audit/report-templates/prompts/hitech.d.ts +20 -0
  156. package/dist/audit/report-templates/prompts/hitech.d.ts.map +1 -0
  157. package/dist/audit/report-templates/prompts/hitech.js +114 -0
  158. package/dist/audit/report-templates/prompts/hitech.js.map +1 -0
  159. package/dist/audit/report-templates/prompts/index.d.ts +24 -0
  160. package/dist/audit/report-templates/prompts/index.d.ts.map +1 -0
  161. package/dist/audit/report-templates/prompts/index.js +54 -0
  162. package/dist/audit/report-templates/prompts/index.js.map +1 -0
  163. package/dist/audit/report-templates/prompts/iso27001.d.ts +19 -0
  164. package/dist/audit/report-templates/prompts/iso27001.d.ts.map +1 -0
  165. package/dist/audit/report-templates/prompts/iso27001.js +110 -0
  166. package/dist/audit/report-templates/prompts/iso27001.js.map +1 -0
  167. package/dist/audit/report-templates/prompts/pcidss.d.ts +19 -0
  168. package/dist/audit/report-templates/prompts/pcidss.d.ts.map +1 -0
  169. package/dist/audit/report-templates/prompts/pcidss.js +111 -0
  170. package/dist/audit/report-templates/prompts/pcidss.js.map +1 -0
  171. package/dist/audit/report-templates/prompts/soc2.d.ts +19 -0
  172. package/dist/audit/report-templates/prompts/soc2.d.ts.map +1 -0
  173. package/dist/audit/report-templates/prompts/soc2.js +117 -0
  174. package/dist/audit/report-templates/prompts/soc2.js.map +1 -0
  175. package/dist/audit/report-templates/soc2-type-ii.d.ts +23 -0
  176. package/dist/audit/report-templates/soc2-type-ii.d.ts.map +1 -0
  177. package/dist/audit/report-templates/soc2-type-ii.js +187 -0
  178. package/dist/audit/report-templates/soc2-type-ii.js.map +1 -0
  179. package/dist/audit/reporting-exports.d.ts +20 -0
  180. package/dist/audit/reporting-exports.d.ts.map +1 -0
  181. package/dist/audit/reporting-exports.js +39 -0
  182. package/dist/audit/reporting-exports.js.map +1 -0
  183. package/dist/audit/webhook-delivery.d.ts +119 -0
  184. package/dist/audit/webhook-delivery.d.ts.map +1 -0
  185. package/dist/audit/webhook-delivery.js +381 -0
  186. package/dist/audit/webhook-delivery.js.map +1 -0
  187. package/dist/audit-bots/dora.d.ts +59 -0
  188. package/dist/audit-bots/dora.d.ts.map +1 -0
  189. package/dist/audit-bots/dora.js +417 -0
  190. package/dist/audit-bots/dora.js.map +1 -0
  191. package/dist/audit-bots/euaiact.d.ts +56 -0
  192. package/dist/audit-bots/euaiact.d.ts.map +1 -0
  193. package/dist/audit-bots/euaiact.js +372 -0
  194. package/dist/audit-bots/euaiact.js.map +1 -0
  195. package/dist/audit-bots/evidence.d.ts +60 -0
  196. package/dist/audit-bots/evidence.d.ts.map +1 -0
  197. package/dist/audit-bots/evidence.js +190 -0
  198. package/dist/audit-bots/evidence.js.map +1 -0
  199. package/dist/audit-bots/gdpr.d.ts +40 -0
  200. package/dist/audit-bots/gdpr.d.ts.map +1 -0
  201. package/dist/audit-bots/gdpr.js +271 -0
  202. package/dist/audit-bots/gdpr.js.map +1 -0
  203. package/dist/audit-bots/hipaa.d.ts +38 -0
  204. package/dist/audit-bots/hipaa.d.ts.map +1 -0
  205. package/dist/audit-bots/hipaa.js +236 -0
  206. package/dist/audit-bots/hipaa.js.map +1 -0
  207. package/dist/audit-bots/iso27001.d.ts +61 -0
  208. package/dist/audit-bots/iso27001.d.ts.map +1 -0
  209. package/dist/audit-bots/iso27001.js +448 -0
  210. package/dist/audit-bots/iso27001.js.map +1 -0
  211. package/dist/audit-bots/iso42001.d.ts +59 -0
  212. package/dist/audit-bots/iso42001.d.ts.map +1 -0
  213. package/dist/audit-bots/iso42001.js +450 -0
  214. package/dist/audit-bots/iso42001.js.map +1 -0
  215. package/dist/audit-bots/nist-ai-rmf.d.ts +62 -0
  216. package/dist/audit-bots/nist-ai-rmf.d.ts.map +1 -0
  217. package/dist/audit-bots/nist-ai-rmf.js +467 -0
  218. package/dist/audit-bots/nist-ai-rmf.js.map +1 -0
  219. package/dist/audit-bots/pcidss.d.ts +57 -0
  220. package/dist/audit-bots/pcidss.d.ts.map +1 -0
  221. package/dist/audit-bots/pcidss.js +399 -0
  222. package/dist/audit-bots/pcidss.js.map +1 -0
  223. package/dist/audit-bots/scheduler.d.ts +111 -0
  224. package/dist/audit-bots/scheduler.d.ts.map +1 -0
  225. package/dist/audit-bots/scheduler.js +175 -0
  226. package/dist/audit-bots/scheduler.js.map +1 -0
  227. package/dist/audit-bots/soc1.d.ts +67 -0
  228. package/dist/audit-bots/soc1.d.ts.map +1 -0
  229. package/dist/audit-bots/soc1.js +491 -0
  230. package/dist/audit-bots/soc1.js.map +1 -0
  231. package/dist/audit-bots/soc2.d.ts +41 -0
  232. package/dist/audit-bots/soc2.d.ts.map +1 -0
  233. package/dist/audit-bots/soc2.js +352 -0
  234. package/dist/audit-bots/soc2.js.map +1 -0
  235. package/dist/classification/pack-driven-classifier.d.ts +409 -0
  236. package/dist/classification/pack-driven-classifier.d.ts.map +1 -0
  237. package/dist/classification/pack-driven-classifier.js +565 -0
  238. package/dist/classification/pack-driven-classifier.js.map +1 -0
  239. package/dist/cli/agent-dir-scanner.d.ts +35 -0
  240. package/dist/cli/agent-dir-scanner.d.ts.map +1 -0
  241. package/dist/cli/agent-dir-scanner.js +269 -0
  242. package/dist/cli/agent-dir-scanner.js.map +1 -0
  243. package/dist/cli/agent-signatures.d.ts +28 -0
  244. package/dist/cli/agent-signatures.d.ts.map +1 -0
  245. package/dist/cli/agent-signatures.js +241 -0
  246. package/dist/cli/agent-signatures.js.map +1 -0
  247. package/dist/cli/audit-chain-append.d.ts +47 -0
  248. package/dist/cli/audit-chain-append.d.ts.map +1 -0
  249. package/dist/cli/audit-chain-append.js +277 -0
  250. package/dist/cli/audit-chain-append.js.map +1 -0
  251. package/dist/cli/discover.d.ts +24 -0
  252. package/dist/cli/discover.d.ts.map +1 -0
  253. package/dist/cli/discover.js +179 -0
  254. package/dist/cli/discover.js.map +1 -0
  255. package/dist/cli/discover.test.d.ts +12 -0
  256. package/dist/cli/discover.test.d.ts.map +1 -0
  257. package/dist/cli/discover.test.js +192 -0
  258. package/dist/cli/discover.test.js.map +1 -0
  259. package/dist/cli/index.d.ts +201 -0
  260. package/dist/cli/index.d.ts.map +1 -0
  261. package/dist/cli/index.js +2130 -0
  262. package/dist/cli/index.js.map +1 -0
  263. package/dist/cli/pack-enforcement-bridge.d.ts +39 -0
  264. package/dist/cli/pack-enforcement-bridge.d.ts.map +1 -0
  265. package/dist/cli/pack-enforcement-bridge.js +211 -0
  266. package/dist/cli/pack-enforcement-bridge.js.map +1 -0
  267. package/dist/cli/packs.d.ts +22 -0
  268. package/dist/cli/packs.d.ts.map +1 -0
  269. package/dist/cli/packs.js +299 -0
  270. package/dist/cli/packs.js.map +1 -0
  271. package/dist/cli/preflight-report.d.ts +51 -0
  272. package/dist/cli/preflight-report.d.ts.map +1 -0
  273. package/dist/cli/preflight-report.js +143 -0
  274. package/dist/cli/preflight-report.js.map +1 -0
  275. package/dist/cli/preflight.d.ts +57 -0
  276. package/dist/cli/preflight.d.ts.map +1 -0
  277. package/dist/cli/preflight.js +375 -0
  278. package/dist/cli/preflight.js.map +1 -0
  279. package/dist/cli/shim-templates/python-anthropic.template.py.txt +54 -0
  280. package/dist/cli/shim-templates/python-bedrock.template.py.txt +55 -0
  281. package/dist/cli/shim-templates/python-google.template.py.txt +55 -0
  282. package/dist/cli/shim-templates/python-huggingface.template.py.txt +142 -0
  283. package/dist/cli/shim-templates/python-langchain-anthropic.template.py.txt +61 -0
  284. package/dist/cli/shim-templates/python-langchain-openai.template.py.txt +66 -0
  285. package/dist/cli/shim-templates/python-ollama.template.py.txt +75 -0
  286. package/dist/cli/shim-templates/python-openai.template.py.txt +54 -0
  287. package/dist/cli/shim-templates/typescript-anthropic.template.ts.txt +25 -0
  288. package/dist/cli/shim-templates/typescript-google.template.ts.txt +25 -0
  289. package/dist/cli/shim-templates/typescript-openai.template.ts.txt +25 -0
  290. package/dist/cli/wrap-shim-generator.d.ts +65 -0
  291. package/dist/cli/wrap-shim-generator.d.ts.map +1 -0
  292. package/dist/cli/wrap-shim-generator.js +245 -0
  293. package/dist/cli/wrap-shim-generator.js.map +1 -0
  294. package/dist/dashboard/api.d.ts +157 -0
  295. package/dist/dashboard/api.d.ts.map +1 -0
  296. package/dist/dashboard/api.js +347 -0
  297. package/dist/dashboard/api.js.map +1 -0
  298. package/dist/dashboard/theme.d.ts +80 -0
  299. package/dist/dashboard/theme.d.ts.map +1 -0
  300. package/dist/dashboard/theme.js +172 -0
  301. package/dist/dashboard/theme.js.map +1 -0
  302. package/dist/errors/index.d.ts +46 -0
  303. package/dist/errors/index.d.ts.map +1 -0
  304. package/dist/errors/index.js +93 -0
  305. package/dist/errors/index.js.map +1 -0
  306. package/dist/esm/adapters/cursor.js +184 -0
  307. package/dist/esm/adapters/cursor.js.map +1 -0
  308. package/dist/esm/adapters/index.js +335 -0
  309. package/dist/esm/adapters/index.js.map +1 -0
  310. package/dist/esm/agents/compliance-agent-templates/dora.js +943 -0
  311. package/dist/esm/agents/compliance-agent-templates/dora.js.map +1 -0
  312. package/dist/esm/agents/compliance-agent-templates/eu-ai-act.js +717 -0
  313. package/dist/esm/agents/compliance-agent-templates/eu-ai-act.js.map +1 -0
  314. package/dist/esm/agents/compliance-agent-templates/gdpr.js +684 -0
  315. package/dist/esm/agents/compliance-agent-templates/gdpr.js.map +1 -0
  316. package/dist/esm/agents/compliance-agent-templates/hipaa.js +636 -0
  317. package/dist/esm/agents/compliance-agent-templates/hipaa.js.map +1 -0
  318. package/dist/esm/agents/compliance-agent-templates/iso27001.js +801 -0
  319. package/dist/esm/agents/compliance-agent-templates/iso27001.js.map +1 -0
  320. package/dist/esm/agents/compliance-agent-templates/iso42001.js +894 -0
  321. package/dist/esm/agents/compliance-agent-templates/iso42001.js.map +1 -0
  322. package/dist/esm/agents/compliance-agent-templates/nist-ai-rmf.js +815 -0
  323. package/dist/esm/agents/compliance-agent-templates/nist-ai-rmf.js.map +1 -0
  324. package/dist/esm/agents/compliance-agent-templates/pci-dss.js +654 -0
  325. package/dist/esm/agents/compliance-agent-templates/pci-dss.js.map +1 -0
  326. package/dist/esm/agents/compliance-agent-templates/soc2.js +639 -0
  327. package/dist/esm/agents/compliance-agent-templates/soc2.js.map +1 -0
  328. package/dist/esm/agents/compliance-agent-templates/types.js +33 -0
  329. package/dist/esm/agents/compliance-agent-templates/types.js.map +1 -0
  330. package/dist/esm/audit/audit-integrity.js +247 -0
  331. package/dist/esm/audit/audit-integrity.js.map +1 -0
  332. package/dist/esm/audit/chain-tamper-detector.js +217 -0
  333. package/dist/esm/audit/chain-tamper-detector.js.map +1 -0
  334. package/dist/esm/audit/compliance-reporter.js +434 -0
  335. package/dist/esm/audit/compliance-reporter.js.map +1 -0
  336. package/dist/esm/audit/destinations/custom-webhook.js +436 -0
  337. package/dist/esm/audit/destinations/custom-webhook.js.map +1 -0
  338. package/dist/esm/audit/destinations/datadog-logs.js +533 -0
  339. package/dist/esm/audit/destinations/datadog-logs.js.map +1 -0
  340. package/dist/esm/audit/destinations/sentinel.js +881 -0
  341. package/dist/esm/audit/destinations/sentinel.js.map +1 -0
  342. package/dist/esm/audit/destinations/sumo-logic.js +529 -0
  343. package/dist/esm/audit/destinations/sumo-logic.js.map +1 -0
  344. package/dist/esm/audit/event-bus.js +219 -0
  345. package/dist/esm/audit/event-bus.js.map +1 -0
  346. package/dist/esm/audit/narrative-generator.js +498 -0
  347. package/dist/esm/audit/narrative-generator.js.map +1 -0
  348. package/dist/esm/audit/narrative-types.js +108 -0
  349. package/dist/esm/audit/narrative-types.js.map +1 -0
  350. package/dist/esm/audit/provenance-signer.js +273 -0
  351. package/dist/esm/audit/provenance-signer.js.map +1 -0
  352. package/dist/esm/audit/redis-event-bus.js +272 -0
  353. package/dist/esm/audit/redis-event-bus.js.map +1 -0
  354. package/dist/esm/audit/report-templates/disclosure-accounting.js +191 -0
  355. package/dist/esm/audit/report-templates/disclosure-accounting.js.map +1 -0
  356. package/dist/esm/audit/report-templates/dora-ict-major-incident.js +224 -0
  357. package/dist/esm/audit/report-templates/dora-ict-major-incident.js.map +1 -0
  358. package/dist/esm/audit/report-templates/eu-ai-act-annex-iv.js +264 -0
  359. package/dist/esm/audit/report-templates/eu-ai-act-annex-iv.js.map +1 -0
  360. package/dist/esm/audit/report-templates/gdpr-data-subject-rights.js +232 -0
  361. package/dist/esm/audit/report-templates/gdpr-data-subject-rights.js.map +1 -0
  362. package/dist/esm/audit/report-templates/hipaa-breach-notification.js +194 -0
  363. package/dist/esm/audit/report-templates/hipaa-breach-notification.js.map +1 -0
  364. package/dist/esm/audit/report-templates/hipaa-security-incident.js +169 -0
  365. package/dist/esm/audit/report-templates/hipaa-security-incident.js.map +1 -0
  366. package/dist/esm/audit/report-templates/index.js +93 -0
  367. package/dist/esm/audit/report-templates/index.js.map +1 -0
  368. package/dist/esm/audit/report-templates/iso-42001-ams.js +259 -0
  369. package/dist/esm/audit/report-templates/iso-42001-ams.js.map +1 -0
  370. package/dist/esm/audit/report-templates/pci-dss-annual-attestation.js +208 -0
  371. package/dist/esm/audit/report-templates/pci-dss-annual-attestation.js.map +1 -0
  372. package/dist/esm/audit/report-templates/prompts/base.js +189 -0
  373. package/dist/esm/audit/report-templates/prompts/base.js.map +1 -0
  374. package/dist/esm/audit/report-templates/prompts/dora.js +118 -0
  375. package/dist/esm/audit/report-templates/prompts/dora.js.map +1 -0
  376. package/dist/esm/audit/report-templates/prompts/euaiact.js +123 -0
  377. package/dist/esm/audit/report-templates/prompts/euaiact.js.map +1 -0
  378. package/dist/esm/audit/report-templates/prompts/gdpr.js +123 -0
  379. package/dist/esm/audit/report-templates/prompts/gdpr.js.map +1 -0
  380. package/dist/esm/audit/report-templates/prompts/hipaa.js +95 -0
  381. package/dist/esm/audit/report-templates/prompts/hipaa.js.map +1 -0
  382. package/dist/esm/audit/report-templates/prompts/hitech.js +111 -0
  383. package/dist/esm/audit/report-templates/prompts/hitech.js.map +1 -0
  384. package/dist/esm/audit/report-templates/prompts/index.js +43 -0
  385. package/dist/esm/audit/report-templates/prompts/index.js.map +1 -0
  386. package/dist/esm/audit/report-templates/prompts/iso27001.js +107 -0
  387. package/dist/esm/audit/report-templates/prompts/iso27001.js.map +1 -0
  388. package/dist/esm/audit/report-templates/prompts/pcidss.js +108 -0
  389. package/dist/esm/audit/report-templates/prompts/pcidss.js.map +1 -0
  390. package/dist/esm/audit/report-templates/prompts/soc2.js +114 -0
  391. package/dist/esm/audit/report-templates/prompts/soc2.js.map +1 -0
  392. package/dist/esm/audit/report-templates/soc2-type-ii.js +184 -0
  393. package/dist/esm/audit/report-templates/soc2-type-ii.js.map +1 -0
  394. package/dist/esm/audit/reporting-exports.js +19 -0
  395. package/dist/esm/audit/reporting-exports.js.map +1 -0
  396. package/dist/esm/audit/webhook-delivery.js +344 -0
  397. package/dist/esm/audit/webhook-delivery.js.map +1 -0
  398. package/dist/esm/audit-bots/dora.js +379 -0
  399. package/dist/esm/audit-bots/dora.js.map +1 -0
  400. package/dist/esm/audit-bots/euaiact.js +334 -0
  401. package/dist/esm/audit-bots/euaiact.js.map +1 -0
  402. package/dist/esm/audit-bots/evidence.js +153 -0
  403. package/dist/esm/audit-bots/evidence.js.map +1 -0
  404. package/dist/esm/audit-bots/gdpr.js +234 -0
  405. package/dist/esm/audit-bots/gdpr.js.map +1 -0
  406. package/dist/esm/audit-bots/hipaa.js +199 -0
  407. package/dist/esm/audit-bots/hipaa.js.map +1 -0
  408. package/dist/esm/audit-bots/iso27001.js +410 -0
  409. package/dist/esm/audit-bots/iso27001.js.map +1 -0
  410. package/dist/esm/audit-bots/iso42001.js +412 -0
  411. package/dist/esm/audit-bots/iso42001.js.map +1 -0
  412. package/dist/esm/audit-bots/nist-ai-rmf.js +429 -0
  413. package/dist/esm/audit-bots/nist-ai-rmf.js.map +1 -0
  414. package/dist/esm/audit-bots/pcidss.js +361 -0
  415. package/dist/esm/audit-bots/pcidss.js.map +1 -0
  416. package/dist/esm/audit-bots/scheduler.js +137 -0
  417. package/dist/esm/audit-bots/scheduler.js.map +1 -0
  418. package/dist/esm/audit-bots/soc1.js +453 -0
  419. package/dist/esm/audit-bots/soc1.js.map +1 -0
  420. package/dist/esm/audit-bots/soc2.js +315 -0
  421. package/dist/esm/audit-bots/soc2.js.map +1 -0
  422. package/dist/esm/classification/pack-driven-classifier.js +525 -0
  423. package/dist/esm/classification/pack-driven-classifier.js.map +1 -0
  424. package/dist/esm/cli/agent-dir-scanner.js +233 -0
  425. package/dist/esm/cli/agent-dir-scanner.js.map +1 -0
  426. package/dist/esm/cli/agent-signatures.js +238 -0
  427. package/dist/esm/cli/agent-signatures.js.map +1 -0
  428. package/dist/esm/cli/audit-chain-append.js +242 -0
  429. package/dist/esm/cli/audit-chain-append.js.map +1 -0
  430. package/dist/esm/cli/discover.js +143 -0
  431. package/dist/esm/cli/discover.js.map +1 -0
  432. package/dist/esm/cli/discover.test.js +157 -0
  433. package/dist/esm/cli/discover.test.js.map +1 -0
  434. package/dist/esm/cli/index.js +2083 -0
  435. package/dist/esm/cli/index.js.map +1 -0
  436. package/dist/esm/cli/pack-enforcement-bridge.js +176 -0
  437. package/dist/esm/cli/pack-enforcement-bridge.js.map +1 -0
  438. package/dist/esm/cli/packs.js +263 -0
  439. package/dist/esm/cli/packs.js.map +1 -0
  440. package/dist/esm/cli/preflight-report.js +135 -0
  441. package/dist/esm/cli/preflight-report.js.map +1 -0
  442. package/dist/esm/cli/preflight.js +339 -0
  443. package/dist/esm/cli/preflight.js.map +1 -0
  444. package/dist/esm/cli/wrap-shim-generator.js +205 -0
  445. package/dist/esm/cli/wrap-shim-generator.js.map +1 -0
  446. package/dist/esm/dashboard/api.js +310 -0
  447. package/dist/esm/dashboard/api.js.map +1 -0
  448. package/dist/esm/dashboard/theme.js +135 -0
  449. package/dist/esm/dashboard/theme.js.map +1 -0
  450. package/dist/esm/errors/index.js +84 -0
  451. package/dist/esm/errors/index.js.map +1 -0
  452. package/dist/esm/governance/action-classes.js +171 -0
  453. package/dist/esm/governance/action-classes.js.map +1 -0
  454. package/dist/esm/governance/action-isolation.js +582 -0
  455. package/dist/esm/governance/action-isolation.js.map +1 -0
  456. package/dist/esm/governance/agent-discovery.js +213 -0
  457. package/dist/esm/governance/agent-discovery.js.map +1 -0
  458. package/dist/esm/governance/agent-discovery.test.js +144 -0
  459. package/dist/esm/governance/agent-discovery.test.js.map +1 -0
  460. package/dist/esm/governance/agent-trust-report.js +149 -0
  461. package/dist/esm/governance/agent-trust-report.js.map +1 -0
  462. package/dist/esm/governance/agent-trust-report.test.js +259 -0
  463. package/dist/esm/governance/agent-trust-report.test.js.map +1 -0
  464. package/dist/esm/governance/approval-channel-adapters.js +134 -0
  465. package/dist/esm/governance/approval-channel-adapters.js.map +1 -0
  466. package/dist/esm/governance/approval-channel-adapters.test.js +163 -0
  467. package/dist/esm/governance/approval-channel-adapters.test.js.map +1 -0
  468. package/dist/esm/governance/approval-gate-enforcer.js +405 -0
  469. package/dist/esm/governance/approval-gate-enforcer.js.map +1 -0
  470. package/dist/esm/governance/approval-notifications.js +139 -0
  471. package/dist/esm/governance/approval-notifications.js.map +1 -0
  472. package/dist/esm/governance/approval-notifications.test.js +192 -0
  473. package/dist/esm/governance/approval-notifications.test.js.map +1 -0
  474. package/dist/esm/governance/approval-queue-store.js +112 -0
  475. package/dist/esm/governance/approval-queue-store.js.map +1 -0
  476. package/dist/esm/governance/approval-queue.js +291 -0
  477. package/dist/esm/governance/approval-queue.js.map +1 -0
  478. package/dist/esm/governance/approval-service.js +92 -0
  479. package/dist/esm/governance/approval-service.js.map +1 -0
  480. package/dist/esm/governance/audit-chain-emitter.js +178 -0
  481. package/dist/esm/governance/audit-chain-emitter.js.map +1 -0
  482. package/dist/esm/governance/audit-chain-emitter.test.js +190 -0
  483. package/dist/esm/governance/audit-chain-emitter.test.js.map +1 -0
  484. package/dist/esm/governance/auto-pack-generator.js +67 -0
  485. package/dist/esm/governance/auto-pack-generator.js.map +1 -0
  486. package/dist/esm/governance/auto-pack-generator.test.js +95 -0
  487. package/dist/esm/governance/auto-pack-generator.test.js.map +1 -0
  488. package/dist/esm/governance/autonomy-spectrum.js +652 -0
  489. package/dist/esm/governance/autonomy-spectrum.js.map +1 -0
  490. package/dist/esm/governance/batch-mode-governance.js +603 -0
  491. package/dist/esm/governance/batch-mode-governance.js.map +1 -0
  492. package/dist/esm/governance/bias-monitor.js +273 -0
  493. package/dist/esm/governance/bias-monitor.js.map +1 -0
  494. package/dist/esm/governance/blast-radius-enforcer.js +539 -0
  495. package/dist/esm/governance/blast-radius-enforcer.js.map +1 -0
  496. package/dist/esm/governance/build-structure-score.js +61 -0
  497. package/dist/esm/governance/build-structure-score.js.map +1 -0
  498. package/dist/esm/governance/build-structure-score.test.js +116 -0
  499. package/dist/esm/governance/build-structure-score.test.js.map +1 -0
  500. package/dist/esm/governance/capability-bundle.js +241 -0
  501. package/dist/esm/governance/capability-bundle.js.map +1 -0
  502. package/dist/esm/governance/capability-change-detector.js +701 -0
  503. package/dist/esm/governance/capability-change-detector.js.map +1 -0
  504. package/dist/esm/governance/capability-classes.js +123 -0
  505. package/dist/esm/governance/capability-classes.js.map +1 -0
  506. package/dist/esm/governance/capability-classes.test.js +171 -0
  507. package/dist/esm/governance/capability-classes.test.js.map +1 -0
  508. package/dist/esm/governance/company-pack-builder.js +71 -0
  509. package/dist/esm/governance/company-pack-builder.js.map +1 -0
  510. package/dist/esm/governance/confidence-gate.js +246 -0
  511. package/dist/esm/governance/confidence-gate.js.map +1 -0
  512. package/dist/esm/governance/council.js +268 -0
  513. package/dist/esm/governance/council.js.map +1 -0
  514. package/dist/esm/governance/cross-session-pseudonymizer.js +598 -0
  515. package/dist/esm/governance/cross-session-pseudonymizer.js.map +1 -0
  516. package/dist/esm/governance/cycle-timeout.js +212 -0
  517. package/dist/esm/governance/cycle-timeout.js.map +1 -0
  518. package/dist/esm/governance/cycle-token-budget.js +177 -0
  519. package/dist/esm/governance/cycle-token-budget.js.map +1 -0
  520. package/dist/esm/governance/data-subject-rights.js +455 -0
  521. package/dist/esm/governance/data-subject-rights.js.map +1 -0
  522. package/dist/esm/governance/demo-workspace.js +210 -0
  523. package/dist/esm/governance/demo-workspace.js.map +1 -0
  524. package/dist/esm/governance/demo-workspace.test.js +80 -0
  525. package/dist/esm/governance/demo-workspace.test.js.map +1 -0
  526. package/dist/esm/governance/discovery-cli.js +95 -0
  527. package/dist/esm/governance/discovery-cli.js.map +1 -0
  528. package/dist/esm/governance/discovery-cli.test.js +191 -0
  529. package/dist/esm/governance/discovery-cli.test.js.map +1 -0
  530. package/dist/esm/governance/gateguard.js +265 -0
  531. package/dist/esm/governance/gateguard.js.map +1 -0
  532. package/dist/esm/governance/governance-runtime.js +376 -0
  533. package/dist/esm/governance/governance-runtime.js.map +1 -0
  534. package/dist/esm/governance/hook-install-snippet.js +208 -0
  535. package/dist/esm/governance/hook-install-snippet.js.map +1 -0
  536. package/dist/esm/governance/hook-install-snippet.test.js +95 -0
  537. package/dist/esm/governance/hook-install-snippet.test.js.map +1 -0
  538. package/dist/esm/governance/hook-profile.js +474 -0
  539. package/dist/esm/governance/hook-profile.js.map +1 -0
  540. package/dist/esm/governance/improvement-recommendations.js +165 -0
  541. package/dist/esm/governance/improvement-recommendations.js.map +1 -0
  542. package/dist/esm/governance/improvement-recommendations.test.js +178 -0
  543. package/dist/esm/governance/improvement-recommendations.test.js.map +1 -0
  544. package/dist/esm/governance/incident-notifier.js +488 -0
  545. package/dist/esm/governance/incident-notifier.js.map +1 -0
  546. package/dist/esm/governance/index.js +33 -0
  547. package/dist/esm/governance/index.js.map +1 -0
  548. package/dist/esm/governance/info-action-separation.js +143 -0
  549. package/dist/esm/governance/info-action-separation.js.map +1 -0
  550. package/dist/esm/governance/info-action-separation.test.js +155 -0
  551. package/dist/esm/governance/info-action-separation.test.js.map +1 -0
  552. package/dist/esm/governance/instinct-system.js +351 -0
  553. package/dist/esm/governance/instinct-system.js.map +1 -0
  554. package/dist/esm/governance/insurance-certificate.js +116 -0
  555. package/dist/esm/governance/insurance-certificate.js.map +1 -0
  556. package/dist/esm/governance/insurance-certificate.test.js +205 -0
  557. package/dist/esm/governance/insurance-certificate.test.js.map +1 -0
  558. package/dist/esm/governance/manifest-push-emitter.js +107 -0
  559. package/dist/esm/governance/manifest-push-emitter.js.map +1 -0
  560. package/dist/esm/governance/manifest-push-emitter.test.js +215 -0
  561. package/dist/esm/governance/manifest-push-emitter.test.js.map +1 -0
  562. package/dist/esm/governance/memory/cross-session-memory.js +283 -0
  563. package/dist/esm/governance/memory/cross-session-memory.js.map +1 -0
  564. package/dist/esm/governance/memory/index.js +14 -0
  565. package/dist/esm/governance/memory/index.js.map +1 -0
  566. package/dist/esm/governance/memory/memory-chain.js +183 -0
  567. package/dist/esm/governance/memory/memory-chain.js.map +1 -0
  568. package/dist/esm/governance/memory/retrieval-allowlist.js +172 -0
  569. package/dist/esm/governance/memory/retrieval-allowlist.js.map +1 -0
  570. package/dist/esm/governance/memory/session-memory.js +215 -0
  571. package/dist/esm/governance/memory/session-memory.js.map +1 -0
  572. package/dist/esm/governance/memory-audit-chain.js +361 -0
  573. package/dist/esm/governance/memory-audit-chain.js.map +1 -0
  574. package/dist/esm/governance/memory-integrity.js +267 -0
  575. package/dist/esm/governance/memory-integrity.js.map +1 -0
  576. package/dist/esm/governance/multi-store-deletion-worker.js +263 -0
  577. package/dist/esm/governance/multi-store-deletion-worker.js.map +1 -0
  578. package/dist/esm/governance/multi-tenant.js +273 -0
  579. package/dist/esm/governance/multi-tenant.js.map +1 -0
  580. package/dist/esm/governance/onboarding-tier-router.js +109 -0
  581. package/dist/esm/governance/onboarding-tier-router.js.map +1 -0
  582. package/dist/esm/governance/onboarding-tier-router.test.js +106 -0
  583. package/dist/esm/governance/onboarding-tier-router.test.js.map +1 -0
  584. package/dist/esm/governance/org-reputation.js +88 -0
  585. package/dist/esm/governance/org-reputation.js.map +1 -0
  586. package/dist/esm/governance/org-reputation.test.js +155 -0
  587. package/dist/esm/governance/org-reputation.test.js.map +1 -0
  588. package/dist/esm/governance/owasp-agentic-scanner.js +314 -0
  589. package/dist/esm/governance/owasp-agentic-scanner.js.map +1 -0
  590. package/dist/esm/governance/owasp-agentic-scanner.test.js +128 -0
  591. package/dist/esm/governance/owasp-agentic-scanner.test.js.map +1 -0
  592. package/dist/esm/governance/pack-diff.js +78 -0
  593. package/dist/esm/governance/pack-diff.js.map +1 -0
  594. package/dist/esm/governance/pack-diff.test.js +207 -0
  595. package/dist/esm/governance/pack-diff.test.js.map +1 -0
  596. package/dist/esm/governance/pack-evaluator-prewarm.js +102 -0
  597. package/dist/esm/governance/pack-evaluator-prewarm.js.map +1 -0
  598. package/dist/esm/governance/pack-evaluator.js +324 -0
  599. package/dist/esm/governance/pack-evaluator.js.map +1 -0
  600. package/dist/esm/governance/pack-evaluator.test.js +244 -0
  601. package/dist/esm/governance/pack-evaluator.test.js.map +1 -0
  602. package/dist/esm/governance/pack-inheritance.js +173 -0
  603. package/dist/esm/governance/pack-inheritance.js.map +1 -0
  604. package/dist/esm/governance/pack-inheritance.test.js +172 -0
  605. package/dist/esm/governance/pack-inheritance.test.js.map +1 -0
  606. package/dist/esm/governance/pack-publish-workflow.js +80 -0
  607. package/dist/esm/governance/pack-publish-workflow.js.map +1 -0
  608. package/dist/esm/governance/pack-publish-workflow.test.js +176 -0
  609. package/dist/esm/governance/pack-publish-workflow.test.js.map +1 -0
  610. package/dist/esm/governance/pack-rule-validator.js +139 -0
  611. package/dist/esm/governance/pack-rule-validator.js.map +1 -0
  612. package/dist/esm/governance/pack-rule-validator.test.js +118 -0
  613. package/dist/esm/governance/pack-rule-validator.test.js.map +1 -0
  614. package/dist/esm/governance/pack-versioning.js +188 -0
  615. package/dist/esm/governance/pack-versioning.js.map +1 -0
  616. package/dist/esm/governance/pack-versioning.test.js +137 -0
  617. package/dist/esm/governance/pack-versioning.test.js.map +1 -0
  618. package/dist/esm/governance/partner-manager.js +221 -0
  619. package/dist/esm/governance/partner-manager.js.map +1 -0
  620. package/dist/esm/governance/paste-your-agent.js +151 -0
  621. package/dist/esm/governance/paste-your-agent.js.map +1 -0
  622. package/dist/esm/governance/paste-your-agent.test.js +105 -0
  623. package/dist/esm/governance/paste-your-agent.test.js.map +1 -0
  624. package/dist/esm/governance/per-agent-daily-budget.js +658 -0
  625. package/dist/esm/governance/per-agent-daily-budget.js.map +1 -0
  626. package/dist/esm/governance/per-agent-override.test.js +239 -0
  627. package/dist/esm/governance/per-agent-override.test.js.map +1 -0
  628. package/dist/esm/governance/plugin-system.js +925 -0
  629. package/dist/esm/governance/plugin-system.js.map +1 -0
  630. package/dist/esm/governance/policy-tuning.js +322 -0
  631. package/dist/esm/governance/policy-tuning.js.map +1 -0
  632. package/dist/esm/governance/post-market-monitor.js +242 -0
  633. package/dist/esm/governance/post-market-monitor.js.map +1 -0
  634. package/dist/esm/governance/post-tool-audit-enrichment.js +466 -0
  635. package/dist/esm/governance/post-tool-audit-enrichment.js.map +1 -0
  636. package/dist/esm/governance/prohibited-practices.js +230 -0
  637. package/dist/esm/governance/prohibited-practices.js.map +1 -0
  638. package/dist/esm/governance/proxy-onboarding.js +302 -0
  639. package/dist/esm/governance/proxy-onboarding.js.map +1 -0
  640. package/dist/esm/governance/proxy-onboarding.test.js +100 -0
  641. package/dist/esm/governance/proxy-onboarding.test.js.map +1 -0
  642. package/dist/esm/governance/rag-citation-enforcement.js +527 -0
  643. package/dist/esm/governance/rag-citation-enforcement.js.map +1 -0
  644. package/dist/esm/governance/rag-confidence-threshold.js +409 -0
  645. package/dist/esm/governance/rag-confidence-threshold.js.map +1 -0
  646. package/dist/esm/governance/rag-retrieval-audit.js +478 -0
  647. package/dist/esm/governance/rag-retrieval-audit.js.map +1 -0
  648. package/dist/esm/governance/rag-source-allowlist.js +495 -0
  649. package/dist/esm/governance/rag-source-allowlist.js.map +1 -0
  650. package/dist/esm/governance/rag-source-output-chain.js +641 -0
  651. package/dist/esm/governance/rag-source-output-chain.js.map +1 -0
  652. package/dist/esm/governance/replay-player.js +85 -0
  653. package/dist/esm/governance/replay-player.js.map +1 -0
  654. package/dist/esm/governance/replay-player.test.js +157 -0
  655. package/dist/esm/governance/replay-player.test.js.map +1 -0
  656. package/dist/esm/governance/retention-manager.js +529 -0
  657. package/dist/esm/governance/retention-manager.js.map +1 -0
  658. package/dist/esm/governance/runtime-event-renderer.js +129 -0
  659. package/dist/esm/governance/runtime-event-renderer.js.map +1 -0
  660. package/dist/esm/governance/runtime-event-renderer.test.js +160 -0
  661. package/dist/esm/governance/runtime-event-renderer.test.js.map +1 -0
  662. package/dist/esm/governance/sandbox-replay.js +184 -0
  663. package/dist/esm/governance/sandbox-replay.js.map +1 -0
  664. package/dist/esm/governance/sandbox-replay.test.js +82 -0
  665. package/dist/esm/governance/sandbox-replay.test.js.map +1 -0
  666. package/dist/esm/governance/self-registration-hook.js +112 -0
  667. package/dist/esm/governance/self-registration-hook.js.map +1 -0
  668. package/dist/esm/governance/self-registration-hook.test.js +114 -0
  669. package/dist/esm/governance/self-registration-hook.test.js.map +1 -0
  670. package/dist/esm/governance/session-persistence.js +339 -0
  671. package/dist/esm/governance/session-persistence.js.map +1 -0
  672. package/dist/esm/governance/signed-manifest.js +119 -0
  673. package/dist/esm/governance/signed-manifest.js.map +1 -0
  674. package/dist/esm/governance/signed-manifest.test.js +114 -0
  675. package/dist/esm/governance/signed-manifest.test.js.map +1 -0
  676. package/dist/esm/governance/skip-api-empty-queue.js +458 -0
  677. package/dist/esm/governance/skip-api-empty-queue.js.map +1 -0
  678. package/dist/esm/governance/state-manager.js +249 -0
  679. package/dist/esm/governance/state-manager.js.map +1 -0
  680. package/dist/esm/governance/tenant-provider-agreements.js +398 -0
  681. package/dist/esm/governance/tenant-provider-agreements.js.map +1 -0
  682. package/dist/esm/governance/tool-provider-health.js +650 -0
  683. package/dist/esm/governance/tool-provider-health.js.map +1 -0
  684. package/dist/esm/governance/tool-rate-limit.js +140 -0
  685. package/dist/esm/governance/tool-rate-limit.js.map +1 -0
  686. package/dist/esm/governance/transparency-injector.js +158 -0
  687. package/dist/esm/governance/transparency-injector.js.map +1 -0
  688. package/dist/esm/governance/trust-score-snapshot.js +94 -0
  689. package/dist/esm/governance/trust-score-snapshot.js.map +1 -0
  690. package/dist/esm/governance/trust-score-snapshot.test.js +152 -0
  691. package/dist/esm/governance/trust-score-snapshot.test.js.map +1 -0
  692. package/dist/esm/governance/trust-score-three-dim.js +171 -0
  693. package/dist/esm/governance/trust-score-three-dim.js.map +1 -0
  694. package/dist/esm/governance/trust-score-three-dim.test.js +186 -0
  695. package/dist/esm/governance/trust-score-three-dim.test.js.map +1 -0
  696. package/dist/esm/governance-config.js +308 -0
  697. package/dist/esm/governance-config.js.map +1 -0
  698. package/dist/esm/governed-agent.js +1278 -0
  699. package/dist/esm/governed-agent.js.map +1 -0
  700. package/dist/esm/hooks/data-classifier-bridge.js +78 -0
  701. package/dist/esm/hooks/data-classifier-bridge.js.map +1 -0
  702. package/dist/esm/ide-adapters/aider.js +706 -0
  703. package/dist/esm/ide-adapters/aider.js.map +1 -0
  704. package/dist/esm/ide-adapters/amazon-q-developer.js +682 -0
  705. package/dist/esm/ide-adapters/amazon-q-developer.js.map +1 -0
  706. package/dist/esm/ide-adapters/base.js +229 -0
  707. package/dist/esm/ide-adapters/base.js.map +1 -0
  708. package/dist/esm/ide-adapters/claude-code.js +188 -0
  709. package/dist/esm/ide-adapters/claude-code.js.map +1 -0
  710. package/dist/esm/ide-adapters/cody.js +763 -0
  711. package/dist/esm/ide-adapters/cody.js.map +1 -0
  712. package/dist/esm/ide-adapters/continue-dev.js +355 -0
  713. package/dist/esm/ide-adapters/continue-dev.js.map +1 -0
  714. package/dist/esm/ide-adapters/copilot-studio.js +1093 -0
  715. package/dist/esm/ide-adapters/copilot-studio.js.map +1 -0
  716. package/dist/esm/ide-adapters/copilot-workspace.js +372 -0
  717. package/dist/esm/ide-adapters/copilot-workspace.js.map +1 -0
  718. package/dist/esm/ide-adapters/cursor.js +269 -0
  719. package/dist/esm/ide-adapters/cursor.js.map +1 -0
  720. package/dist/esm/ide-adapters/exports.js +52 -0
  721. package/dist/esm/ide-adapters/exports.js.map +1 -0
  722. package/dist/esm/ide-adapters/gemini-code-assist.js +746 -0
  723. package/dist/esm/ide-adapters/gemini-code-assist.js.map +1 -0
  724. package/dist/esm/ide-adapters/github-copilot.js +543 -0
  725. package/dist/esm/ide-adapters/github-copilot.js.map +1 -0
  726. package/dist/esm/ide-adapters/index.js +96 -0
  727. package/dist/esm/ide-adapters/index.js.map +1 -0
  728. package/dist/esm/ide-adapters/jetbrains-ai.js +714 -0
  729. package/dist/esm/ide-adapters/jetbrains-ai.js.map +1 -0
  730. package/dist/esm/ide-adapters/notebook-ai.js +854 -0
  731. package/dist/esm/ide-adapters/notebook-ai.js.map +1 -0
  732. package/dist/esm/ide-adapters/replit-agent.js +1018 -0
  733. package/dist/esm/ide-adapters/replit-agent.js.map +1 -0
  734. package/dist/esm/ide-adapters/reviewer-tier.js +15 -0
  735. package/dist/esm/ide-adapters/reviewer-tier.js.map +1 -0
  736. package/dist/esm/ide-adapters/shared.js +267 -0
  737. package/dist/esm/ide-adapters/shared.js.map +1 -0
  738. package/dist/esm/ide-adapters/tabnine.js +717 -0
  739. package/dist/esm/ide-adapters/tabnine.js.map +1 -0
  740. package/dist/esm/ide-adapters/windsurf.js +808 -0
  741. package/dist/esm/ide-adapters/windsurf.js.map +1 -0
  742. package/dist/esm/ide-adapters/zed-ai.js +618 -0
  743. package/dist/esm/ide-adapters/zed-ai.js.map +1 -0
  744. package/dist/esm/index.js +182 -0
  745. package/dist/esm/index.js.map +1 -0
  746. package/dist/esm/license/entitlement-client.js +264 -0
  747. package/dist/esm/license/entitlement-client.js.map +1 -0
  748. package/dist/esm/license/index.js +8 -0
  749. package/dist/esm/license/index.js.map +1 -0
  750. package/dist/esm/license/jwt-issuer.js +107 -0
  751. package/dist/esm/license/jwt-issuer.js.map +1 -0
  752. package/dist/esm/license/jwt-validator.js +460 -0
  753. package/dist/esm/license/jwt-validator.js.map +1 -0
  754. package/dist/esm/license/keygen.js +65 -0
  755. package/dist/esm/license/keygen.js.map +1 -0
  756. package/dist/esm/license/subscription-gate.js +251 -0
  757. package/dist/esm/license/subscription-gate.js.map +1 -0
  758. package/dist/esm/llm-adapters/azure-openai.js +665 -0
  759. package/dist/esm/llm-adapters/azure-openai.js.map +1 -0
  760. package/dist/esm/llm-adapters/base.js +258 -0
  761. package/dist/esm/llm-adapters/base.js.map +1 -0
  762. package/dist/esm/llm-adapters/bedrock.js +713 -0
  763. package/dist/esm/llm-adapters/bedrock.js.map +1 -0
  764. package/dist/esm/llm-adapters/claude.js +236 -0
  765. package/dist/esm/llm-adapters/claude.js.map +1 -0
  766. package/dist/esm/llm-adapters/deepseek.js +716 -0
  767. package/dist/esm/llm-adapters/deepseek.js.map +1 -0
  768. package/dist/esm/llm-adapters/exports.js +36 -0
  769. package/dist/esm/llm-adapters/exports.js.map +1 -0
  770. package/dist/esm/llm-adapters/gemini.js +197 -0
  771. package/dist/esm/llm-adapters/gemini.js.map +1 -0
  772. package/dist/esm/llm-adapters/gemma.js +260 -0
  773. package/dist/esm/llm-adapters/gemma.js.map +1 -0
  774. package/dist/esm/llm-adapters/google.js +1136 -0
  775. package/dist/esm/llm-adapters/google.js.map +1 -0
  776. package/dist/esm/llm-adapters/huggingface.js +618 -0
  777. package/dist/esm/llm-adapters/huggingface.js.map +1 -0
  778. package/dist/esm/llm-adapters/index.js +87 -0
  779. package/dist/esm/llm-adapters/index.js.map +1 -0
  780. package/dist/esm/llm-adapters/ollama.js +587 -0
  781. package/dist/esm/llm-adapters/ollama.js.map +1 -0
  782. package/dist/esm/llm-adapters/openai.js +359 -0
  783. package/dist/esm/llm-adapters/openai.js.map +1 -0
  784. package/dist/esm/llm-adapters/replicate-llama.js +596 -0
  785. package/dist/esm/llm-adapters/replicate-llama.js.map +1 -0
  786. package/dist/esm/llm-adapters/shared.js +330 -0
  787. package/dist/esm/llm-adapters/shared.js.map +1 -0
  788. package/dist/esm/llm-adapters/supported-models-catalog.js +741 -0
  789. package/dist/esm/llm-adapters/supported-models-catalog.js.map +1 -0
  790. package/dist/esm/observability/destination-health-monitor.js +239 -0
  791. package/dist/esm/observability/destination-health-monitor.js.map +1 -0
  792. package/dist/esm/observability/health-metrics-store.js +124 -0
  793. package/dist/esm/observability/health-metrics-store.js.map +1 -0
  794. package/dist/esm/orchestrator-adapters/autogen.js +484 -0
  795. package/dist/esm/orchestrator-adapters/autogen.js.map +1 -0
  796. package/dist/esm/orchestrator-adapters/base.js +366 -0
  797. package/dist/esm/orchestrator-adapters/base.js.map +1 -0
  798. package/dist/esm/orchestrator-adapters/bedrock-agentcore.js +812 -0
  799. package/dist/esm/orchestrator-adapters/bedrock-agentcore.js.map +1 -0
  800. package/dist/esm/orchestrator-adapters/claude-agent-sdk.js +701 -0
  801. package/dist/esm/orchestrator-adapters/claude-agent-sdk.js.map +1 -0
  802. package/dist/esm/orchestrator-adapters/crewai.js +470 -0
  803. package/dist/esm/orchestrator-adapters/crewai.js.map +1 -0
  804. package/dist/esm/orchestrator-adapters/deepagents.js +345 -0
  805. package/dist/esm/orchestrator-adapters/deepagents.js.map +1 -0
  806. package/dist/esm/orchestrator-adapters/exports.js +34 -0
  807. package/dist/esm/orchestrator-adapters/exports.js.map +1 -0
  808. package/dist/esm/orchestrator-adapters/google-adk.js +775 -0
  809. package/dist/esm/orchestrator-adapters/google-adk.js.map +1 -0
  810. package/dist/esm/orchestrator-adapters/haystack.js +811 -0
  811. package/dist/esm/orchestrator-adapters/haystack.js.map +1 -0
  812. package/dist/esm/orchestrator-adapters/index.js +106 -0
  813. package/dist/esm/orchestrator-adapters/index.js.map +1 -0
  814. package/dist/esm/orchestrator-adapters/langchain.js +457 -0
  815. package/dist/esm/orchestrator-adapters/langchain.js.map +1 -0
  816. package/dist/esm/orchestrator-adapters/langgraph.js +464 -0
  817. package/dist/esm/orchestrator-adapters/langgraph.js.map +1 -0
  818. package/dist/esm/orchestrator-adapters/llamaindex.js +819 -0
  819. package/dist/esm/orchestrator-adapters/llamaindex.js.map +1 -0
  820. package/dist/esm/orchestrator-adapters/openai-agents.js +494 -0
  821. package/dist/esm/orchestrator-adapters/openai-agents.js.map +1 -0
  822. package/dist/esm/orchestrator-adapters/openclaw.js +866 -0
  823. package/dist/esm/orchestrator-adapters/openclaw.js.map +1 -0
  824. package/dist/esm/orchestrator-adapters/orchestrator-adapter.js +30 -0
  825. package/dist/esm/orchestrator-adapters/orchestrator-adapter.js.map +1 -0
  826. package/dist/esm/orchestrator-adapters/paperclip-adapter.js +366 -0
  827. package/dist/esm/orchestrator-adapters/paperclip-adapter.js.map +1 -0
  828. package/dist/esm/orchestrator-adapters/semantic-kernel.js +487 -0
  829. package/dist/esm/orchestrator-adapters/semantic-kernel.js.map +1 -0
  830. package/dist/esm/orchestrator-adapters/shared.js +121 -0
  831. package/dist/esm/orchestrator-adapters/shared.js.map +1 -0
  832. package/dist/esm/package.json +3 -0
  833. package/dist/esm/packs/_base-classifiers.js +160 -0
  834. package/dist/esm/packs/_base-classifiers.js.map +1 -0
  835. package/dist/esm/packs/aba.js +297 -0
  836. package/dist/esm/packs/aba.js.map +1 -0
  837. package/dist/esm/packs/as-9100.js +814 -0
  838. package/dist/esm/packs/as-9100.js.map +1 -0
  839. package/dist/esm/packs/au-act-hrpaa.js +290 -0
  840. package/dist/esm/packs/au-act-hrpaa.js.map +1 -0
  841. package/dist/esm/packs/au-aiethics-framework.js +341 -0
  842. package/dist/esm/packs/au-aiethics-framework.js.map +1 -0
  843. package/dist/esm/packs/au-aml-ctf.js +346 -0
  844. package/dist/esm/packs/au-aml-ctf.js.map +1 -0
  845. package/dist/esm/packs/au-asic-rg-271.js +268 -0
  846. package/dist/esm/packs/au-asic-rg-271.js.map +1 -0
  847. package/dist/esm/packs/au-asic-rg-274.js +268 -0
  848. package/dist/esm/packs/au-asic-rg-274.js.map +1 -0
  849. package/dist/esm/packs/au-cdr.js +305 -0
  850. package/dist/esm/packs/au-cdr.js.map +1 -0
  851. package/dist/esm/packs/au-cps230.js +264 -0
  852. package/dist/esm/packs/au-cps230.js.map +1 -0
  853. package/dist/esm/packs/au-cps234.js +297 -0
  854. package/dist/esm/packs/au-cps234.js.map +1 -0
  855. package/dist/esm/packs/au-mandatory-ai-guardrails.js +271 -0
  856. package/dist/esm/packs/au-mandatory-ai-guardrails.js.map +1 -0
  857. package/dist/esm/packs/au-nsw-hripa.js +363 -0
  858. package/dist/esm/packs/au-nsw-hripa.js.map +1 -0
  859. package/dist/esm/packs/au-online-safety.js +297 -0
  860. package/dist/esm/packs/au-online-safety.js.map +1 -0
  861. package/dist/esm/packs/au-privacy-act.js +361 -0
  862. package/dist/esm/packs/au-privacy-act.js.map +1 -0
  863. package/dist/esm/packs/au-soci-act.js +251 -0
  864. package/dist/esm/packs/au-soci-act.js.map +1 -0
  865. package/dist/esm/packs/au-spam-act.js +284 -0
  866. package/dist/esm/packs/au-spam-act.js.map +1 -0
  867. package/dist/esm/packs/au-tga-saimd.js +341 -0
  868. package/dist/esm/packs/au-tga-saimd.js.map +1 -0
  869. package/dist/esm/packs/au-vic-hra.js +345 -0
  870. package/dist/esm/packs/au-vic-hra.js.map +1 -0
  871. package/dist/esm/packs/bipa.js +268 -0
  872. package/dist/esm/packs/bipa.js.map +1 -0
  873. package/dist/esm/packs/bsa-aml.js +410 -0
  874. package/dist/esm/packs/bsa-aml.js.map +1 -0
  875. package/dist/esm/packs/ca-pipeda.js +217 -0
  876. package/dist/esm/packs/ca-pipeda.js.map +1 -0
  877. package/dist/esm/packs/ca-qc-law25.js +188 -0
  878. package/dist/esm/packs/ca-qc-law25.js.map +1 -0
  879. package/dist/esm/packs/caldicott-principles.js +441 -0
  880. package/dist/esm/packs/caldicott-principles.js.map +1 -0
  881. package/dist/esm/packs/california-ab2930.js +410 -0
  882. package/dist/esm/packs/california-ab2930.js.map +1 -0
  883. package/dist/esm/packs/ccpa.js +396 -0
  884. package/dist/esm/packs/ccpa.js.map +1 -0
  885. package/dist/esm/packs/cfpb-2023-03.js +282 -0
  886. package/dist/esm/packs/cfpb-2023-03.js.map +1 -0
  887. package/dist/esm/packs/check-registry.js +3337 -0
  888. package/dist/esm/packs/check-registry.js.map +1 -0
  889. package/dist/esm/packs/cjis.js +342 -0
  890. package/dist/esm/packs/cjis.js.map +1 -0
  891. package/dist/esm/packs/cma-ai-foundation-models.js +394 -0
  892. package/dist/esm/packs/cma-ai-foundation-models.js.map +1 -0
  893. package/dist/esm/packs/cmmc2.js +347 -0
  894. package/dist/esm/packs/cmmc2.js.map +1 -0
  895. package/dist/esm/packs/cms-interoperability.js +387 -0
  896. package/dist/esm/packs/cms-interoperability.js.map +1 -0
  897. package/dist/esm/packs/cn-dsl-csl.js +134 -0
  898. package/dist/esm/packs/cn-dsl-csl.js.map +1 -0
  899. package/dist/esm/packs/colorado-ai.js +376 -0
  900. package/dist/esm/packs/colorado-ai.js.map +1 -0
  901. package/dist/esm/packs/common-rule.js +470 -0
  902. package/dist/esm/packs/common-rule.js.map +1 -0
  903. package/dist/esm/packs/coppa.js +406 -0
  904. package/dist/esm/packs/coppa.js.map +1 -0
  905. package/dist/esm/packs/cyber-essentials.js +404 -0
  906. package/dist/esm/packs/cyber-essentials.js.map +1 -0
  907. package/dist/esm/packs/de-bdsg.js +413 -0
  908. package/dist/esm/packs/de-bdsg.js.map +1 -0
  909. package/dist/esm/packs/do-178c.js +723 -0
  910. package/dist/esm/packs/do-178c.js.map +1 -0
  911. package/dist/esm/packs/dora.js +358 -0
  912. package/dist/esm/packs/dora.js.map +1 -0
  913. package/dist/esm/packs/ecoa.js +386 -0
  914. package/dist/esm/packs/ecoa.js.map +1 -0
  915. package/dist/esm/packs/eu-ai-liability.js +300 -0
  916. package/dist/esm/packs/eu-ai-liability.js.map +1 -0
  917. package/dist/esm/packs/eu-cra.js +140 -0
  918. package/dist/esm/packs/eu-cra.js.map +1 -0
  919. package/dist/esm/packs/eu-data-act.js +138 -0
  920. package/dist/esm/packs/eu-data-act.js.map +1 -0
  921. package/dist/esm/packs/eu-dma.js +185 -0
  922. package/dist/esm/packs/eu-dma.js.map +1 -0
  923. package/dist/esm/packs/eu-dsa.js +176 -0
  924. package/dist/esm/packs/eu-dsa.js.map +1 -0
  925. package/dist/esm/packs/eu-lpp.js +342 -0
  926. package/dist/esm/packs/eu-lpp.js.map +1 -0
  927. package/dist/esm/packs/eu-mdr-ivdr.js +417 -0
  928. package/dist/esm/packs/eu-mdr-ivdr.js.map +1 -0
  929. package/dist/esm/packs/euaiact.js +341 -0
  930. package/dist/esm/packs/euaiact.js.map +1 -0
  931. package/dist/esm/packs/fca-consumer-duty.js +409 -0
  932. package/dist/esm/packs/fca-consumer-duty.js.map +1 -0
  933. package/dist/esm/packs/fca-op-resilience.js +350 -0
  934. package/dist/esm/packs/fca-op-resilience.js.map +1 -0
  935. package/dist/esm/packs/fcra.js +441 -0
  936. package/dist/esm/packs/fcra.js.map +1 -0
  937. package/dist/esm/packs/fda-21-cfr-820.js +606 -0
  938. package/dist/esm/packs/fda-21-cfr-820.js.map +1 -0
  939. package/dist/esm/packs/fda-samd-precert.js +863 -0
  940. package/dist/esm/packs/fda-samd-precert.js.map +1 -0
  941. package/dist/esm/packs/fda-samd.js +314 -0
  942. package/dist/esm/packs/fda-samd.js.map +1 -0
  943. package/dist/esm/packs/fedramp.js +318 -0
  944. package/dist/esm/packs/fedramp.js.map +1 -0
  945. package/dist/esm/packs/ferpa.js +309 -0
  946. package/dist/esm/packs/ferpa.js.map +1 -0
  947. package/dist/esm/packs/finra-3110.js +351 -0
  948. package/dist/esm/packs/finra-3110.js.map +1 -0
  949. package/dist/esm/packs/florida-student-privacy.js +448 -0
  950. package/dist/esm/packs/florida-student-privacy.js.map +1 -0
  951. package/dist/esm/packs/foia.js +394 -0
  952. package/dist/esm/packs/foia.js.map +1 -0
  953. package/dist/esm/packs/frcp26.js +294 -0
  954. package/dist/esm/packs/frcp26.js.map +1 -0
  955. package/dist/esm/packs/ftc5.js +290 -0
  956. package/dist/esm/packs/ftc5.js.map +1 -0
  957. package/dist/esm/packs/gdpr.js +487 -0
  958. package/dist/esm/packs/gdpr.js.map +1 -0
  959. package/dist/esm/packs/glba.js +421 -0
  960. package/dist/esm/packs/glba.js.map +1 -0
  961. package/dist/esm/packs/gxp.js +350 -0
  962. package/dist/esm/packs/gxp.js.map +1 -0
  963. package/dist/esm/packs/hipaa.js +381 -0
  964. package/dist/esm/packs/hipaa.js.map +1 -0
  965. package/dist/esm/packs/hitech.js +289 -0
  966. package/dist/esm/packs/hitech.js.map +1 -0
  967. package/dist/esm/packs/hitrust-csf.js +119 -0
  968. package/dist/esm/packs/hitrust-csf.js.map +1 -0
  969. package/dist/esm/packs/hk-pdpo.js +122 -0
  970. package/dist/esm/packs/hk-pdpo.js.map +1 -0
  971. package/dist/esm/packs/hmda.js +379 -0
  972. package/dist/esm/packs/hmda.js.map +1 -0
  973. package/dist/esm/packs/iec-62304.js +585 -0
  974. package/dist/esm/packs/iec-62304.js.map +1 -0
  975. package/dist/esm/packs/iec-62443.js +686 -0
  976. package/dist/esm/packs/iec-62443.js.map +1 -0
  977. package/dist/esm/packs/illinois-aivia.js +348 -0
  978. package/dist/esm/packs/illinois-aivia.js.map +1 -0
  979. package/dist/esm/packs/in-dpdp.js +429 -0
  980. package/dist/esm/packs/in-dpdp.js.map +1 -0
  981. package/dist/esm/packs/index.js +664 -0
  982. package/dist/esm/packs/index.js.map +1 -0
  983. package/dist/esm/packs/iso-15189.js +944 -0
  984. package/dist/esm/packs/iso-15189.js.map +1 -0
  985. package/dist/esm/packs/iso-23894.js +442 -0
  986. package/dist/esm/packs/iso-23894.js.map +1 -0
  987. package/dist/esm/packs/iso-26262.js +734 -0
  988. package/dist/esm/packs/iso-26262.js.map +1 -0
  989. package/dist/esm/packs/iso-iec-80001.js +993 -0
  990. package/dist/esm/packs/iso-iec-80001.js.map +1 -0
  991. package/dist/esm/packs/iso20022.js +344 -0
  992. package/dist/esm/packs/iso20022.js.map +1 -0
  993. package/dist/esm/packs/iso27001.js +388 -0
  994. package/dist/esm/packs/iso27001.js.map +1 -0
  995. package/dist/esm/packs/iso27701.js +390 -0
  996. package/dist/esm/packs/iso27701.js.map +1 -0
  997. package/dist/esm/packs/iso42001.js +288 -0
  998. package/dist/esm/packs/iso42001.js.map +1 -0
  999. package/dist/esm/packs/jp-appi.js +438 -0
  1000. package/dist/esm/packs/jp-appi.js.map +1 -0
  1001. package/dist/esm/packs/kr-pipa.js +442 -0
  1002. package/dist/esm/packs/kr-pipa.js.map +1 -0
  1003. package/dist/esm/packs/lgpd.js +350 -0
  1004. package/dist/esm/packs/lgpd.js.map +1 -0
  1005. package/dist/esm/packs/lpo2024.js +307 -0
  1006. package/dist/esm/packs/lpo2024.js.map +1 -0
  1007. package/dist/esm/packs/maryland-hb1202.js +338 -0
  1008. package/dist/esm/packs/maryland-hb1202.js.map +1 -0
  1009. package/dist/esm/packs/mhra-samd-ukca.js +473 -0
  1010. package/dist/esm/packs/mhra-samd-ukca.js.map +1 -0
  1011. package/dist/esm/packs/mifid2.js +381 -0
  1012. package/dist/esm/packs/mifid2.js.map +1 -0
  1013. package/dist/esm/packs/migration-manifest.js +55 -0
  1014. package/dist/esm/packs/migration-manifest.js.map +1 -0
  1015. package/dist/esm/packs/naic-mdl.js +315 -0
  1016. package/dist/esm/packs/naic-mdl.js.map +1 -0
  1017. package/dist/esm/packs/ncsc-ai-security.js +626 -0
  1018. package/dist/esm/packs/ncsc-ai-security.js.map +1 -0
  1019. package/dist/esm/packs/ncsc-caf.js +381 -0
  1020. package/dist/esm/packs/ncsc-caf.js.map +1 -0
  1021. package/dist/esm/packs/nhs-dcb0129-dcb0160.js +470 -0
  1022. package/dist/esm/packs/nhs-dcb0129-dcb0160.js.map +1 -0
  1023. package/dist/esm/packs/nhs-dspt.js +434 -0
  1024. package/dist/esm/packs/nhs-dspt.js.map +1 -0
  1025. package/dist/esm/packs/nhs-dtac.js +399 -0
  1026. package/dist/esm/packs/nhs-dtac.js.map +1 -0
  1027. package/dist/esm/packs/nhs-psirf.js +414 -0
  1028. package/dist/esm/packs/nhs-psirf.js.map +1 -0
  1029. package/dist/esm/packs/ni-equality.js +436 -0
  1030. package/dist/esm/packs/ni-equality.js.map +1 -0
  1031. package/dist/esm/packs/ni-hscni.js +415 -0
  1032. package/dist/esm/packs/ni-hscni.js.map +1 -0
  1033. package/dist/esm/packs/ni-mental-capacity.js +130 -0
  1034. package/dist/esm/packs/ni-mental-capacity.js.map +1 -0
  1035. package/dist/esm/packs/nice-esf-dht.js +404 -0
  1036. package/dist/esm/packs/nice-esf-dht.js.map +1 -0
  1037. package/dist/esm/packs/nis2.js +422 -0
  1038. package/dist/esm/packs/nis2.js.map +1 -0
  1039. package/dist/esm/packs/nist-800-53.js +126 -0
  1040. package/dist/esm/packs/nist-800-53.js.map +1 -0
  1041. package/dist/esm/packs/nist-ai-rmf.js +367 -0
  1042. package/dist/esm/packs/nist-ai-rmf.js.map +1 -0
  1043. package/dist/esm/packs/nist-csf.js +131 -0
  1044. package/dist/esm/packs/nist-csf.js.map +1 -0
  1045. package/dist/esm/packs/nist-sp-800-82.js +721 -0
  1046. package/dist/esm/packs/nist-sp-800-82.js.map +1 -0
  1047. package/dist/esm/packs/nyc-ll-144.js +288 -0
  1048. package/dist/esm/packs/nyc-ll-144.js.map +1 -0
  1049. package/dist/esm/packs/nydfs500.js +285 -0
  1050. package/dist/esm/packs/nydfs500.js.map +1 -0
  1051. package/dist/esm/packs/nz-privacy.js +465 -0
  1052. package/dist/esm/packs/nz-privacy.js.map +1 -0
  1053. package/dist/esm/packs/part11.js +329 -0
  1054. package/dist/esm/packs/part11.js.map +1 -0
  1055. package/dist/esm/packs/part2.js +355 -0
  1056. package/dist/esm/packs/part2.js.map +1 -0
  1057. package/dist/esm/packs/pcidss.js +466 -0
  1058. package/dist/esm/packs/pcidss.js.map +1 -0
  1059. package/dist/esm/packs/pipl.js +205 -0
  1060. package/dist/esm/packs/pipl.js.map +1 -0
  1061. package/dist/esm/packs/reg-e.js +359 -0
  1062. package/dist/esm/packs/reg-e.js.map +1 -0
  1063. package/dist/esm/packs/registry-expanded.js +2347 -0
  1064. package/dist/esm/packs/registry-expanded.js.map +1 -0
  1065. package/dist/esm/packs/scotland-awi.js +405 -0
  1066. package/dist/esm/packs/scotland-awi.js.map +1 -0
  1067. package/dist/esm/packs/scotland-procurement-reform.js +122 -0
  1068. package/dist/esm/packs/scotland-procurement-reform.js.map +1 -0
  1069. package/dist/esm/packs/scotland-psed.js +369 -0
  1070. package/dist/esm/packs/scotland-psed.js.map +1 -0
  1071. package/dist/esm/packs/sg-model-ai-gov.js +393 -0
  1072. package/dist/esm/packs/sg-model-ai-gov.js.map +1 -0
  1073. package/dist/esm/packs/soc1.js +305 -0
  1074. package/dist/esm/packs/soc1.js.map +1 -0
  1075. package/dist/esm/packs/soc2.js +337 -0
  1076. package/dist/esm/packs/soc2.js.map +1 -0
  1077. package/dist/esm/packs/sox404.js +295 -0
  1078. package/dist/esm/packs/sox404.js.map +1 -0
  1079. package/dist/esm/packs/sr117.js +342 -0
  1080. package/dist/esm/packs/sr117.js.map +1 -0
  1081. package/dist/esm/packs/stateramp.js +324 -0
  1082. package/dist/esm/packs/stateramp.js.map +1 -0
  1083. package/dist/esm/packs/tennessee-elvis.js +417 -0
  1084. package/dist/esm/packs/tennessee-elvis.js.map +1 -0
  1085. package/dist/esm/packs/texas-hb4.js +393 -0
  1086. package/dist/esm/packs/texas-hb4.js.map +1 -0
  1087. package/dist/esm/packs/th-pdpa.js +125 -0
  1088. package/dist/esm/packs/th-pdpa.js.map +1 -0
  1089. package/dist/esm/packs/title-ix.js +444 -0
  1090. package/dist/esm/packs/title-ix.js.map +1 -0
  1091. package/dist/esm/packs/uk-ai-framework.js +352 -0
  1092. package/dist/esm/packs/uk-ai-framework.js.map +1 -0
  1093. package/dist/esm/packs/uk-cma-1990.js +403 -0
  1094. package/dist/esm/packs/uk-cma-1990.js.map +1 -0
  1095. package/dist/esm/packs/uk-equality-act-ai-bias.js +681 -0
  1096. package/dist/esm/packs/uk-equality-act-ai-bias.js.map +1 -0
  1097. package/dist/esm/packs/uk-equality-act.js +406 -0
  1098. package/dist/esm/packs/uk-equality-act.js.map +1 -0
  1099. package/dist/esm/packs/uk-future-ai-legislation.js +209 -0
  1100. package/dist/esm/packs/uk-future-ai-legislation.js.map +1 -0
  1101. package/dist/esm/packs/uk-gdpr.js +374 -0
  1102. package/dist/esm/packs/uk-gdpr.js.map +1 -0
  1103. package/dist/esm/packs/uk-ico-open-case.js +396 -0
  1104. package/dist/esm/packs/uk-ico-open-case.js.map +1 -0
  1105. package/dist/esm/packs/uk-nis-regs.js +363 -0
  1106. package/dist/esm/packs/uk-nis-regs.js.map +1 -0
  1107. package/dist/esm/packs/uk-online-safety-act.js +410 -0
  1108. package/dist/esm/packs/uk-online-safety-act.js.map +1 -0
  1109. package/dist/esm/packs/uk-procurement-act.js +431 -0
  1110. package/dist/esm/packs/uk-procurement-act.js.map +1 -0
  1111. package/dist/esm/packs/us-fda-21cfr56.js +364 -0
  1112. package/dist/esm/packs/us-fda-21cfr56.js.map +1 -0
  1113. package/dist/esm/packs/us-nih-coc.js +203 -0
  1114. package/dist/esm/packs/us-nih-coc.js.map +1 -0
  1115. package/dist/esm/packs/us-nih-dms.js +241 -0
  1116. package/dist/esm/packs/us-nih-dms.js.map +1 -0
  1117. package/dist/esm/packs/us-nih-gds.js +355 -0
  1118. package/dist/esm/packs/us-nih-gds.js.map +1 -0
  1119. package/dist/esm/packs/us-nih-it-security.js +203 -0
  1120. package/dist/esm/packs/us-nih-it-security.js.map +1 -0
  1121. package/dist/esm/packs/us-respa.js +361 -0
  1122. package/dist/esm/packs/us-respa.js.map +1 -0
  1123. package/dist/esm/packs/us-tila.js +350 -0
  1124. package/dist/esm/packs/us-tila.js.map +1 -0
  1125. package/dist/esm/packs/us-trid.js +342 -0
  1126. package/dist/esm/packs/us-trid.js.map +1 -0
  1127. package/dist/esm/packs/utah-ai-policy.js +337 -0
  1128. package/dist/esm/packs/utah-ai-policy.js.map +1 -0
  1129. package/dist/esm/packs/vn-pdpd.js +122 -0
  1130. package/dist/esm/packs/vn-pdpd.js.map +1 -0
  1131. package/dist/esm/packs/wales-future-generations.js +393 -0
  1132. package/dist/esm/packs/wales-future-generations.js.map +1 -0
  1133. package/dist/esm/reporting/governance-reporter.js +405 -0
  1134. package/dist/esm/reporting/governance-reporter.js.map +1 -0
  1135. package/dist/esm/retention/backup-retention-adapter.js +66 -0
  1136. package/dist/esm/retention/backup-retention-adapter.js.map +1 -0
  1137. package/dist/esm/retention/classification-rules.js +182 -0
  1138. package/dist/esm/retention/classification-rules.js.map +1 -0
  1139. package/dist/esm/retention/classifier.js +243 -0
  1140. package/dist/esm/retention/classifier.js.map +1 -0
  1141. package/dist/esm/retention/data-class.js +44 -0
  1142. package/dist/esm/retention/data-class.js.map +1 -0
  1143. package/dist/esm/retention/enforcement-log-store.js +145 -0
  1144. package/dist/esm/retention/enforcement-log-store.js.map +1 -0
  1145. package/dist/esm/retention/index.js +31 -0
  1146. package/dist/esm/retention/index.js.map +1 -0
  1147. package/dist/esm/retention/ingest-classifier.js +123 -0
  1148. package/dist/esm/retention/ingest-classifier.js.map +1 -0
  1149. package/dist/esm/retention/legal-hold-errors.js +92 -0
  1150. package/dist/esm/retention/legal-hold-errors.js.map +1 -0
  1151. package/dist/esm/retention/legal-hold-store.js +394 -0
  1152. package/dist/esm/retention/legal-hold-store.js.map +1 -0
  1153. package/dist/esm/retention/legal-hold.js +17 -0
  1154. package/dist/esm/retention/legal-hold.js.map +1 -0
  1155. package/dist/esm/retention/log-aggregators/datadog.js +153 -0
  1156. package/dist/esm/retention/log-aggregators/datadog.js.map +1 -0
  1157. package/dist/esm/retention/log-aggregators/index.js +10 -0
  1158. package/dist/esm/retention/log-aggregators/index.js.map +1 -0
  1159. package/dist/esm/retention/log-aggregators/log-aggregator.js +20 -0
  1160. package/dist/esm/retention/log-aggregators/log-aggregator.js.map +1 -0
  1161. package/dist/esm/retention/log-aggregators/noop.js +26 -0
  1162. package/dist/esm/retention/log-aggregators/noop.js.map +1 -0
  1163. package/dist/esm/retention/log-aggregators/sentinel.js +216 -0
  1164. package/dist/esm/retention/log-aggregators/sentinel.js.map +1 -0
  1165. package/dist/esm/retention/log-aggregators/splunk.js +147 -0
  1166. package/dist/esm/retention/log-aggregators/splunk.js.map +1 -0
  1167. package/dist/esm/retention/policy-matrix-errors.js +127 -0
  1168. package/dist/esm/retention/policy-matrix-errors.js.map +1 -0
  1169. package/dist/esm/retention/policy-matrix.js +580 -0
  1170. package/dist/esm/retention/policy-matrix.js.map +1 -0
  1171. package/dist/esm/scanner/gap-report.js +333 -0
  1172. package/dist/esm/scanner/gap-report.js.map +1 -0
  1173. package/dist/esm/scanner/index.js +414 -0
  1174. package/dist/esm/scanner/index.js.map +1 -0
  1175. package/dist/esm/scanner/manifest-integrity.js +151 -0
  1176. package/dist/esm/scanner/manifest-integrity.js.map +1 -0
  1177. package/dist/esm/scanner/remediation.js +255 -0
  1178. package/dist/esm/scanner/remediation.js.map +1 -0
  1179. package/dist/esm/security/access-review.js +235 -0
  1180. package/dist/esm/security/access-review.js.map +1 -0
  1181. package/dist/esm/security/agent-auth.js +253 -0
  1182. package/dist/esm/security/agent-auth.js.map +1 -0
  1183. package/dist/esm/security/anomaly-auto-suspend.js +345 -0
  1184. package/dist/esm/security/anomaly-auto-suspend.js.map +1 -0
  1185. package/dist/esm/security/anomaly-correlator.js +279 -0
  1186. package/dist/esm/security/anomaly-correlator.js.map +1 -0
  1187. package/dist/esm/security/anomaly-detector.js +261 -0
  1188. package/dist/esm/security/anomaly-detector.js.map +1 -0
  1189. package/dist/esm/security/anomaly-self-reflection.js +292 -0
  1190. package/dist/esm/security/anomaly-self-reflection.js.map +1 -0
  1191. package/dist/esm/security/built-in-llm-providers.js +80 -0
  1192. package/dist/esm/security/built-in-llm-providers.js.map +1 -0
  1193. package/dist/esm/security/circuit-breaker.js +146 -0
  1194. package/dist/esm/security/circuit-breaker.js.map +1 -0
  1195. package/dist/esm/security/data-classifier.js +446 -0
  1196. package/dist/esm/security/data-classifier.js.map +1 -0
  1197. package/dist/esm/security/encrypted-storage.js +220 -0
  1198. package/dist/esm/security/encrypted-storage.js.map +1 -0
  1199. package/dist/esm/security/encryption-layer.js +337 -0
  1200. package/dist/esm/security/encryption-layer.js.map +1 -0
  1201. package/dist/esm/security/external-cross-check.js +451 -0
  1202. package/dist/esm/security/external-cross-check.js.map +1 -0
  1203. package/dist/esm/security/hash-manifest.js +229 -0
  1204. package/dist/esm/security/hash-manifest.js.map +1 -0
  1205. package/dist/esm/security/http-interceptor.js +594 -0
  1206. package/dist/esm/security/http-interceptor.js.map +1 -0
  1207. package/dist/esm/security/key-manager.js +289 -0
  1208. package/dist/esm/security/key-manager.js.map +1 -0
  1209. package/dist/esm/security/nonce-store.js +133 -0
  1210. package/dist/esm/security/nonce-store.js.map +1 -0
  1211. package/dist/esm/security/operator-roles.js +241 -0
  1212. package/dist/esm/security/operator-roles.js.map +1 -0
  1213. package/dist/esm/security/plugin-integrity.js +153 -0
  1214. package/dist/esm/security/plugin-integrity.js.map +1 -0
  1215. package/dist/esm/security/prompt-injection-detector.js +466 -0
  1216. package/dist/esm/security/prompt-injection-detector.js.map +1 -0
  1217. package/dist/esm/security/provider-compliance-boot.js +102 -0
  1218. package/dist/esm/security/provider-compliance-boot.js.map +1 -0
  1219. package/dist/esm/security/provider-compliance.js +707 -0
  1220. package/dist/esm/security/provider-compliance.js.map +1 -0
  1221. package/dist/esm/security/secret-leak-detector.js +176 -0
  1222. package/dist/esm/security/secret-leak-detector.js.map +1 -0
  1223. package/dist/esm/security/session-timeout.js +254 -0
  1224. package/dist/esm/security/session-timeout.js.map +1 -0
  1225. package/dist/esm/security/ssrf-guard.js +222 -0
  1226. package/dist/esm/security/ssrf-guard.js.map +1 -0
  1227. package/dist/esm/security/supply-chain.js +283 -0
  1228. package/dist/esm/security/supply-chain.js.map +1 -0
  1229. package/dist/esm/security/vendor-registry.js +256 -0
  1230. package/dist/esm/security/vendor-registry.js.map +1 -0
  1231. package/dist/esm/tenant/index.js +14 -0
  1232. package/dist/esm/tenant/index.js.map +1 -0
  1233. package/dist/esm/tenant/policy-inheritance.js +342 -0
  1234. package/dist/esm/tenant/policy-inheritance.js.map +1 -0
  1235. package/dist/esm/tenant/rbac.js +178 -0
  1236. package/dist/esm/tenant/rbac.js.map +1 -0
  1237. package/dist/esm/tenant/workspace.js +274 -0
  1238. package/dist/esm/tenant/workspace.js.map +1 -0
  1239. package/dist/esm/trust-passport/index.js +119 -0
  1240. package/dist/esm/trust-passport/index.js.map +1 -0
  1241. package/dist/esm/util/async-io.js +164 -0
  1242. package/dist/esm/util/async-io.js.map +1 -0
  1243. package/dist/esm/util/fs.js +165 -0
  1244. package/dist/esm/util/fs.js.map +1 -0
  1245. package/dist/esm/util/log-rotation.js +175 -0
  1246. package/dist/esm/util/log-rotation.js.map +1 -0
  1247. package/dist/esm/util/log.js +77 -0
  1248. package/dist/esm/util/log.js.map +1 -0
  1249. package/dist/esm/util/sigv4.js +113 -0
  1250. package/dist/esm/util/sigv4.js.map +1 -0
  1251. package/dist/esm/util/storage-backend.js +167 -0
  1252. package/dist/esm/util/storage-backend.js.map +1 -0
  1253. package/dist/governance/action-classes.d.ts +153 -0
  1254. package/dist/governance/action-classes.d.ts.map +1 -0
  1255. package/dist/governance/action-classes.js +177 -0
  1256. package/dist/governance/action-classes.js.map +1 -0
  1257. package/dist/governance/action-isolation.d.ts +317 -0
  1258. package/dist/governance/action-isolation.d.ts.map +1 -0
  1259. package/dist/governance/action-isolation.js +623 -0
  1260. package/dist/governance/action-isolation.js.map +1 -0
  1261. package/dist/governance/agent-discovery.d.ts +33 -0
  1262. package/dist/governance/agent-discovery.d.ts.map +1 -0
  1263. package/dist/governance/agent-discovery.js +249 -0
  1264. package/dist/governance/agent-discovery.js.map +1 -0
  1265. package/dist/governance/agent-discovery.test.d.ts +7 -0
  1266. package/dist/governance/agent-discovery.test.d.ts.map +1 -0
  1267. package/dist/governance/agent-discovery.test.js +179 -0
  1268. package/dist/governance/agent-discovery.test.js.map +1 -0
  1269. package/dist/governance/agent-trust-report.d.ts +124 -0
  1270. package/dist/governance/agent-trust-report.d.ts.map +1 -0
  1271. package/dist/governance/agent-trust-report.js +155 -0
  1272. package/dist/governance/agent-trust-report.js.map +1 -0
  1273. package/dist/governance/agent-trust-report.test.d.ts +7 -0
  1274. package/dist/governance/agent-trust-report.test.d.ts.map +1 -0
  1275. package/dist/governance/agent-trust-report.test.js +294 -0
  1276. package/dist/governance/agent-trust-report.test.js.map +1 -0
  1277. package/dist/governance/approval-channel-adapters.d.ts +45 -0
  1278. package/dist/governance/approval-channel-adapters.d.ts.map +1 -0
  1279. package/dist/governance/approval-channel-adapters.js +173 -0
  1280. package/dist/governance/approval-channel-adapters.js.map +1 -0
  1281. package/dist/governance/approval-channel-adapters.test.d.ts +7 -0
  1282. package/dist/governance/approval-channel-adapters.test.d.ts.map +1 -0
  1283. package/dist/governance/approval-channel-adapters.test.js +198 -0
  1284. package/dist/governance/approval-channel-adapters.test.js.map +1 -0
  1285. package/dist/governance/approval-gate-enforcer.d.ts +224 -0
  1286. package/dist/governance/approval-gate-enforcer.d.ts.map +1 -0
  1287. package/dist/governance/approval-gate-enforcer.js +443 -0
  1288. package/dist/governance/approval-gate-enforcer.js.map +1 -0
  1289. package/dist/governance/approval-notifications.d.ts +101 -0
  1290. package/dist/governance/approval-notifications.d.ts.map +1 -0
  1291. package/dist/governance/approval-notifications.js +143 -0
  1292. package/dist/governance/approval-notifications.js.map +1 -0
  1293. package/dist/governance/approval-notifications.test.d.ts +15 -0
  1294. package/dist/governance/approval-notifications.test.d.ts.map +1 -0
  1295. package/dist/governance/approval-notifications.test.js +227 -0
  1296. package/dist/governance/approval-notifications.test.js.map +1 -0
  1297. package/dist/governance/approval-queue-store.d.ts +114 -0
  1298. package/dist/governance/approval-queue-store.d.ts.map +1 -0
  1299. package/dist/governance/approval-queue-store.js +149 -0
  1300. package/dist/governance/approval-queue-store.js.map +1 -0
  1301. package/dist/governance/approval-queue.d.ts +172 -0
  1302. package/dist/governance/approval-queue.d.ts.map +1 -0
  1303. package/dist/governance/approval-queue.js +329 -0
  1304. package/dist/governance/approval-queue.js.map +1 -0
  1305. package/dist/governance/approval-service.d.ts +79 -0
  1306. package/dist/governance/approval-service.d.ts.map +1 -0
  1307. package/dist/governance/approval-service.js +129 -0
  1308. package/dist/governance/approval-service.js.map +1 -0
  1309. package/dist/governance/audit-chain-emitter.d.ts +103 -0
  1310. package/dist/governance/audit-chain-emitter.d.ts.map +1 -0
  1311. package/dist/governance/audit-chain-emitter.js +220 -0
  1312. package/dist/governance/audit-chain-emitter.js.map +1 -0
  1313. package/dist/governance/audit-chain-emitter.test.d.ts +7 -0
  1314. package/dist/governance/audit-chain-emitter.test.d.ts.map +1 -0
  1315. package/dist/governance/audit-chain-emitter.test.js +225 -0
  1316. package/dist/governance/audit-chain-emitter.test.js.map +1 -0
  1317. package/dist/governance/auto-pack-generator.d.ts +56 -0
  1318. package/dist/governance/auto-pack-generator.d.ts.map +1 -0
  1319. package/dist/governance/auto-pack-generator.js +70 -0
  1320. package/dist/governance/auto-pack-generator.js.map +1 -0
  1321. package/dist/governance/auto-pack-generator.test.d.ts +7 -0
  1322. package/dist/governance/auto-pack-generator.test.d.ts.map +1 -0
  1323. package/dist/governance/auto-pack-generator.test.js +130 -0
  1324. package/dist/governance/auto-pack-generator.test.js.map +1 -0
  1325. package/dist/governance/autonomy-spectrum.d.ts +253 -0
  1326. package/dist/governance/autonomy-spectrum.d.ts.map +1 -0
  1327. package/dist/governance/autonomy-spectrum.js +697 -0
  1328. package/dist/governance/autonomy-spectrum.js.map +1 -0
  1329. package/dist/governance/batch-mode-governance.d.ts +337 -0
  1330. package/dist/governance/batch-mode-governance.d.ts.map +1 -0
  1331. package/dist/governance/batch-mode-governance.js +651 -0
  1332. package/dist/governance/batch-mode-governance.js.map +1 -0
  1333. package/dist/governance/bias-monitor.d.ts +100 -0
  1334. package/dist/governance/bias-monitor.d.ts.map +1 -0
  1335. package/dist/governance/bias-monitor.js +310 -0
  1336. package/dist/governance/bias-monitor.js.map +1 -0
  1337. package/dist/governance/blast-radius-enforcer.d.ts +308 -0
  1338. package/dist/governance/blast-radius-enforcer.d.ts.map +1 -0
  1339. package/dist/governance/blast-radius-enforcer.js +579 -0
  1340. package/dist/governance/blast-radius-enforcer.js.map +1 -0
  1341. package/dist/governance/build-structure-score.d.ts +38 -0
  1342. package/dist/governance/build-structure-score.d.ts.map +1 -0
  1343. package/dist/governance/build-structure-score.js +64 -0
  1344. package/dist/governance/build-structure-score.js.map +1 -0
  1345. package/dist/governance/build-structure-score.test.d.ts +8 -0
  1346. package/dist/governance/build-structure-score.test.d.ts.map +1 -0
  1347. package/dist/governance/build-structure-score.test.js +151 -0
  1348. package/dist/governance/build-structure-score.test.js.map +1 -0
  1349. package/dist/governance/capability-bundle.d.ts +58 -0
  1350. package/dist/governance/capability-bundle.d.ts.map +1 -0
  1351. package/dist/governance/capability-bundle.js +277 -0
  1352. package/dist/governance/capability-bundle.js.map +1 -0
  1353. package/dist/governance/capability-change-detector.d.ts +335 -0
  1354. package/dist/governance/capability-change-detector.d.ts.map +1 -0
  1355. package/dist/governance/capability-change-detector.js +743 -0
  1356. package/dist/governance/capability-change-detector.js.map +1 -0
  1357. package/dist/governance/capability-classes.d.ts +42 -0
  1358. package/dist/governance/capability-classes.d.ts.map +1 -0
  1359. package/dist/governance/capability-classes.js +133 -0
  1360. package/dist/governance/capability-classes.js.map +1 -0
  1361. package/dist/governance/capability-classes.test.d.ts +23 -0
  1362. package/dist/governance/capability-classes.test.d.ts.map +1 -0
  1363. package/dist/governance/capability-classes.test.js +206 -0
  1364. package/dist/governance/capability-classes.test.js.map +1 -0
  1365. package/dist/governance/company-pack-builder.d.ts +46 -0
  1366. package/dist/governance/company-pack-builder.d.ts.map +1 -0
  1367. package/dist/governance/company-pack-builder.js +74 -0
  1368. package/dist/governance/company-pack-builder.js.map +1 -0
  1369. package/dist/governance/confidence-gate.d.ts +129 -0
  1370. package/dist/governance/confidence-gate.d.ts.map +1 -0
  1371. package/dist/governance/confidence-gate.js +253 -0
  1372. package/dist/governance/confidence-gate.js.map +1 -0
  1373. package/dist/governance/council.d.ts +99 -0
  1374. package/dist/governance/council.d.ts.map +1 -0
  1375. package/dist/governance/council.js +305 -0
  1376. package/dist/governance/council.js.map +1 -0
  1377. package/dist/governance/cross-session-pseudonymizer.d.ts +286 -0
  1378. package/dist/governance/cross-session-pseudonymizer.d.ts.map +1 -0
  1379. package/dist/governance/cross-session-pseudonymizer.js +639 -0
  1380. package/dist/governance/cross-session-pseudonymizer.js.map +1 -0
  1381. package/dist/governance/cycle-timeout.d.ts +120 -0
  1382. package/dist/governance/cycle-timeout.d.ts.map +1 -0
  1383. package/dist/governance/cycle-timeout.js +217 -0
  1384. package/dist/governance/cycle-timeout.js.map +1 -0
  1385. package/dist/governance/cycle-token-budget.d.ts +122 -0
  1386. package/dist/governance/cycle-token-budget.d.ts.map +1 -0
  1387. package/dist/governance/cycle-token-budget.js +182 -0
  1388. package/dist/governance/cycle-token-budget.js.map +1 -0
  1389. package/dist/governance/data-subject-rights.d.ts +155 -0
  1390. package/dist/governance/data-subject-rights.d.ts.map +1 -0
  1391. package/dist/governance/data-subject-rights.js +492 -0
  1392. package/dist/governance/data-subject-rights.js.map +1 -0
  1393. package/dist/governance/demo-workspace.d.ts +35 -0
  1394. package/dist/governance/demo-workspace.d.ts.map +1 -0
  1395. package/dist/governance/demo-workspace.js +214 -0
  1396. package/dist/governance/demo-workspace.js.map +1 -0
  1397. package/dist/governance/demo-workspace.test.d.ts +12 -0
  1398. package/dist/governance/demo-workspace.test.d.ts.map +1 -0
  1399. package/dist/governance/demo-workspace.test.js +115 -0
  1400. package/dist/governance/demo-workspace.test.js.map +1 -0
  1401. package/dist/governance/discovery-cli.d.ts +63 -0
  1402. package/dist/governance/discovery-cli.d.ts.map +1 -0
  1403. package/dist/governance/discovery-cli.js +99 -0
  1404. package/dist/governance/discovery-cli.js.map +1 -0
  1405. package/dist/governance/discovery-cli.test.d.ts +7 -0
  1406. package/dist/governance/discovery-cli.test.d.ts.map +1 -0
  1407. package/dist/governance/discovery-cli.test.js +226 -0
  1408. package/dist/governance/discovery-cli.test.js.map +1 -0
  1409. package/dist/governance/gateguard.d.ts +103 -0
  1410. package/dist/governance/gateguard.d.ts.map +1 -0
  1411. package/dist/governance/gateguard.js +302 -0
  1412. package/dist/governance/gateguard.js.map +1 -0
  1413. package/dist/governance/governance-runtime.d.ts +148 -0
  1414. package/dist/governance/governance-runtime.d.ts.map +1 -0
  1415. package/dist/governance/governance-runtime.js +414 -0
  1416. package/dist/governance/governance-runtime.js.map +1 -0
  1417. package/dist/governance/hook-install-snippet.d.ts +42 -0
  1418. package/dist/governance/hook-install-snippet.d.ts.map +1 -0
  1419. package/dist/governance/hook-install-snippet.js +212 -0
  1420. package/dist/governance/hook-install-snippet.js.map +1 -0
  1421. package/dist/governance/hook-install-snippet.test.d.ts +7 -0
  1422. package/dist/governance/hook-install-snippet.test.d.ts.map +1 -0
  1423. package/dist/governance/hook-install-snippet.test.js +130 -0
  1424. package/dist/governance/hook-install-snippet.test.js.map +1 -0
  1425. package/dist/governance/hook-profile.d.ts +215 -0
  1426. package/dist/governance/hook-profile.d.ts.map +1 -0
  1427. package/dist/governance/hook-profile.js +515 -0
  1428. package/dist/governance/hook-profile.js.map +1 -0
  1429. package/dist/governance/improvement-recommendations.d.ts +101 -0
  1430. package/dist/governance/improvement-recommendations.d.ts.map +1 -0
  1431. package/dist/governance/improvement-recommendations.js +171 -0
  1432. package/dist/governance/improvement-recommendations.js.map +1 -0
  1433. package/dist/governance/improvement-recommendations.test.d.ts +11 -0
  1434. package/dist/governance/improvement-recommendations.test.d.ts.map +1 -0
  1435. package/dist/governance/improvement-recommendations.test.js +213 -0
  1436. package/dist/governance/improvement-recommendations.test.js.map +1 -0
  1437. package/dist/governance/incident-notifier.d.ts +195 -0
  1438. package/dist/governance/incident-notifier.d.ts.map +1 -0
  1439. package/dist/governance/incident-notifier.js +527 -0
  1440. package/dist/governance/incident-notifier.js.map +1 -0
  1441. package/dist/governance/index.d.ts +24 -0
  1442. package/dist/governance/index.d.ts.map +1 -0
  1443. package/dist/governance/index.js +67 -0
  1444. package/dist/governance/index.js.map +1 -0
  1445. package/dist/governance/info-action-separation.d.ts +98 -0
  1446. package/dist/governance/info-action-separation.d.ts.map +1 -0
  1447. package/dist/governance/info-action-separation.js +148 -0
  1448. package/dist/governance/info-action-separation.js.map +1 -0
  1449. package/dist/governance/info-action-separation.test.d.ts +20 -0
  1450. package/dist/governance/info-action-separation.test.d.ts.map +1 -0
  1451. package/dist/governance/info-action-separation.test.js +190 -0
  1452. package/dist/governance/info-action-separation.test.js.map +1 -0
  1453. package/dist/governance/instinct-system.d.ts +141 -0
  1454. package/dist/governance/instinct-system.d.ts.map +1 -0
  1455. package/dist/governance/instinct-system.js +388 -0
  1456. package/dist/governance/instinct-system.js.map +1 -0
  1457. package/dist/governance/insurance-certificate.d.ts +88 -0
  1458. package/dist/governance/insurance-certificate.d.ts.map +1 -0
  1459. package/dist/governance/insurance-certificate.js +155 -0
  1460. package/dist/governance/insurance-certificate.js.map +1 -0
  1461. package/dist/governance/insurance-certificate.test.d.ts +7 -0
  1462. package/dist/governance/insurance-certificate.test.d.ts.map +1 -0
  1463. package/dist/governance/insurance-certificate.test.js +240 -0
  1464. package/dist/governance/insurance-certificate.test.js.map +1 -0
  1465. package/dist/governance/manifest-push-emitter.d.ts +51 -0
  1466. package/dist/governance/manifest-push-emitter.d.ts.map +1 -0
  1467. package/dist/governance/manifest-push-emitter.js +111 -0
  1468. package/dist/governance/manifest-push-emitter.js.map +1 -0
  1469. package/dist/governance/manifest-push-emitter.test.d.ts +7 -0
  1470. package/dist/governance/manifest-push-emitter.test.d.ts.map +1 -0
  1471. package/dist/governance/manifest-push-emitter.test.js +250 -0
  1472. package/dist/governance/manifest-push-emitter.test.js.map +1 -0
  1473. package/dist/governance/memory/cross-session-memory.d.ts +100 -0
  1474. package/dist/governance/memory/cross-session-memory.d.ts.map +1 -0
  1475. package/dist/governance/memory/cross-session-memory.js +319 -0
  1476. package/dist/governance/memory/cross-session-memory.js.map +1 -0
  1477. package/dist/governance/memory/index.d.ts +14 -0
  1478. package/dist/governance/memory/index.d.ts.map +1 -0
  1479. package/dist/governance/memory/index.js +27 -0
  1480. package/dist/governance/memory/index.js.map +1 -0
  1481. package/dist/governance/memory/memory-chain.d.ts +109 -0
  1482. package/dist/governance/memory/memory-chain.d.ts.map +1 -0
  1483. package/dist/governance/memory/memory-chain.js +221 -0
  1484. package/dist/governance/memory/memory-chain.js.map +1 -0
  1485. package/dist/governance/memory/retrieval-allowlist.d.ts +120 -0
  1486. package/dist/governance/memory/retrieval-allowlist.d.ts.map +1 -0
  1487. package/dist/governance/memory/retrieval-allowlist.js +177 -0
  1488. package/dist/governance/memory/retrieval-allowlist.js.map +1 -0
  1489. package/dist/governance/memory/session-memory.d.ts +105 -0
  1490. package/dist/governance/memory/session-memory.d.ts.map +1 -0
  1491. package/dist/governance/memory/session-memory.js +220 -0
  1492. package/dist/governance/memory/session-memory.js.map +1 -0
  1493. package/dist/governance/memory-audit-chain.d.ts +218 -0
  1494. package/dist/governance/memory-audit-chain.d.ts.map +1 -0
  1495. package/dist/governance/memory-audit-chain.js +400 -0
  1496. package/dist/governance/memory-audit-chain.js.map +1 -0
  1497. package/dist/governance/memory-integrity.d.ts +82 -0
  1498. package/dist/governance/memory-integrity.d.ts.map +1 -0
  1499. package/dist/governance/memory-integrity.js +304 -0
  1500. package/dist/governance/memory-integrity.js.map +1 -0
  1501. package/dist/governance/multi-store-deletion-worker.d.ts +163 -0
  1502. package/dist/governance/multi-store-deletion-worker.d.ts.map +1 -0
  1503. package/dist/governance/multi-store-deletion-worker.js +300 -0
  1504. package/dist/governance/multi-store-deletion-worker.js.map +1 -0
  1505. package/dist/governance/multi-tenant.d.ts +105 -0
  1506. package/dist/governance/multi-tenant.d.ts.map +1 -0
  1507. package/dist/governance/multi-tenant.js +312 -0
  1508. package/dist/governance/multi-tenant.js.map +1 -0
  1509. package/dist/governance/onboarding-tier-router.d.ts +51 -0
  1510. package/dist/governance/onboarding-tier-router.d.ts.map +1 -0
  1511. package/dist/governance/onboarding-tier-router.js +112 -0
  1512. package/dist/governance/onboarding-tier-router.js.map +1 -0
  1513. package/dist/governance/onboarding-tier-router.test.d.ts +7 -0
  1514. package/dist/governance/onboarding-tier-router.test.d.ts.map +1 -0
  1515. package/dist/governance/onboarding-tier-router.test.js +141 -0
  1516. package/dist/governance/onboarding-tier-router.test.js.map +1 -0
  1517. package/dist/governance/org-reputation.d.ts +54 -0
  1518. package/dist/governance/org-reputation.d.ts.map +1 -0
  1519. package/dist/governance/org-reputation.js +91 -0
  1520. package/dist/governance/org-reputation.js.map +1 -0
  1521. package/dist/governance/org-reputation.test.d.ts +7 -0
  1522. package/dist/governance/org-reputation.test.d.ts.map +1 -0
  1523. package/dist/governance/org-reputation.test.js +190 -0
  1524. package/dist/governance/org-reputation.test.js.map +1 -0
  1525. package/dist/governance/owasp-agentic-scanner.d.ts +100 -0
  1526. package/dist/governance/owasp-agentic-scanner.d.ts.map +1 -0
  1527. package/dist/governance/owasp-agentic-scanner.js +318 -0
  1528. package/dist/governance/owasp-agentic-scanner.js.map +1 -0
  1529. package/dist/governance/owasp-agentic-scanner.test.d.ts +8 -0
  1530. package/dist/governance/owasp-agentic-scanner.test.d.ts.map +1 -0
  1531. package/dist/governance/owasp-agentic-scanner.test.js +163 -0
  1532. package/dist/governance/owasp-agentic-scanner.test.js.map +1 -0
  1533. package/dist/governance/pack-diff.d.ts +61 -0
  1534. package/dist/governance/pack-diff.d.ts.map +1 -0
  1535. package/dist/governance/pack-diff.js +82 -0
  1536. package/dist/governance/pack-diff.js.map +1 -0
  1537. package/dist/governance/pack-diff.test.d.ts +7 -0
  1538. package/dist/governance/pack-diff.test.d.ts.map +1 -0
  1539. package/dist/governance/pack-diff.test.js +242 -0
  1540. package/dist/governance/pack-diff.test.js.map +1 -0
  1541. package/dist/governance/pack-evaluator-prewarm.d.ts +66 -0
  1542. package/dist/governance/pack-evaluator-prewarm.d.ts.map +1 -0
  1543. package/dist/governance/pack-evaluator-prewarm.js +139 -0
  1544. package/dist/governance/pack-evaluator-prewarm.js.map +1 -0
  1545. package/dist/governance/pack-evaluator.d.ts +110 -0
  1546. package/dist/governance/pack-evaluator.d.ts.map +1 -0
  1547. package/dist/governance/pack-evaluator.js +328 -0
  1548. package/dist/governance/pack-evaluator.js.map +1 -0
  1549. package/dist/governance/pack-evaluator.test.d.ts +7 -0
  1550. package/dist/governance/pack-evaluator.test.d.ts.map +1 -0
  1551. package/dist/governance/pack-evaluator.test.js +279 -0
  1552. package/dist/governance/pack-evaluator.test.js.map +1 -0
  1553. package/dist/governance/pack-inheritance.d.ts +121 -0
  1554. package/dist/governance/pack-inheritance.d.ts.map +1 -0
  1555. package/dist/governance/pack-inheritance.js +178 -0
  1556. package/dist/governance/pack-inheritance.js.map +1 -0
  1557. package/dist/governance/pack-inheritance.test.d.ts +17 -0
  1558. package/dist/governance/pack-inheritance.test.d.ts.map +1 -0
  1559. package/dist/governance/pack-inheritance.test.js +207 -0
  1560. package/dist/governance/pack-inheritance.test.js.map +1 -0
  1561. package/dist/governance/pack-publish-workflow.d.ts +60 -0
  1562. package/dist/governance/pack-publish-workflow.d.ts.map +1 -0
  1563. package/dist/governance/pack-publish-workflow.js +85 -0
  1564. package/dist/governance/pack-publish-workflow.js.map +1 -0
  1565. package/dist/governance/pack-publish-workflow.test.d.ts +7 -0
  1566. package/dist/governance/pack-publish-workflow.test.d.ts.map +1 -0
  1567. package/dist/governance/pack-publish-workflow.test.js +211 -0
  1568. package/dist/governance/pack-publish-workflow.test.js.map +1 -0
  1569. package/dist/governance/pack-rule-validator.d.ts +40 -0
  1570. package/dist/governance/pack-rule-validator.d.ts.map +1 -0
  1571. package/dist/governance/pack-rule-validator.js +142 -0
  1572. package/dist/governance/pack-rule-validator.js.map +1 -0
  1573. package/dist/governance/pack-rule-validator.test.d.ts +7 -0
  1574. package/dist/governance/pack-rule-validator.test.d.ts.map +1 -0
  1575. package/dist/governance/pack-rule-validator.test.js +153 -0
  1576. package/dist/governance/pack-rule-validator.test.js.map +1 -0
  1577. package/dist/governance/pack-versioning.d.ts +75 -0
  1578. package/dist/governance/pack-versioning.d.ts.map +1 -0
  1579. package/dist/governance/pack-versioning.js +192 -0
  1580. package/dist/governance/pack-versioning.js.map +1 -0
  1581. package/dist/governance/pack-versioning.test.d.ts +7 -0
  1582. package/dist/governance/pack-versioning.test.d.ts.map +1 -0
  1583. package/dist/governance/pack-versioning.test.js +172 -0
  1584. package/dist/governance/pack-versioning.test.js.map +1 -0
  1585. package/dist/governance/partner-manager.d.ts +185 -0
  1586. package/dist/governance/partner-manager.d.ts.map +1 -0
  1587. package/dist/governance/partner-manager.js +258 -0
  1588. package/dist/governance/partner-manager.js.map +1 -0
  1589. package/dist/governance/paste-your-agent.d.ts +30 -0
  1590. package/dist/governance/paste-your-agent.d.ts.map +1 -0
  1591. package/dist/governance/paste-your-agent.js +154 -0
  1592. package/dist/governance/paste-your-agent.js.map +1 -0
  1593. package/dist/governance/paste-your-agent.test.d.ts +7 -0
  1594. package/dist/governance/paste-your-agent.test.d.ts.map +1 -0
  1595. package/dist/governance/paste-your-agent.test.js +140 -0
  1596. package/dist/governance/paste-your-agent.test.js.map +1 -0
  1597. package/dist/governance/per-agent-daily-budget.d.ts +329 -0
  1598. package/dist/governance/per-agent-daily-budget.d.ts.map +1 -0
  1599. package/dist/governance/per-agent-daily-budget.js +699 -0
  1600. package/dist/governance/per-agent-daily-budget.js.map +1 -0
  1601. package/dist/governance/per-agent-override.test.d.ts +21 -0
  1602. package/dist/governance/per-agent-override.test.d.ts.map +1 -0
  1603. package/dist/governance/per-agent-override.test.js +274 -0
  1604. package/dist/governance/per-agent-override.test.js.map +1 -0
  1605. package/dist/governance/plugin-system.d.ts +519 -0
  1606. package/dist/governance/plugin-system.d.ts.map +1 -0
  1607. package/dist/governance/plugin-system.js +964 -0
  1608. package/dist/governance/plugin-system.js.map +1 -0
  1609. package/dist/governance/policy-tuning.d.ts +190 -0
  1610. package/dist/governance/policy-tuning.d.ts.map +1 -0
  1611. package/dist/governance/policy-tuning.js +359 -0
  1612. package/dist/governance/policy-tuning.js.map +1 -0
  1613. package/dist/governance/post-market-monitor.d.ts +114 -0
  1614. package/dist/governance/post-market-monitor.d.ts.map +1 -0
  1615. package/dist/governance/post-market-monitor.js +279 -0
  1616. package/dist/governance/post-market-monitor.js.map +1 -0
  1617. package/dist/governance/post-tool-audit-enrichment.d.ts +286 -0
  1618. package/dist/governance/post-tool-audit-enrichment.d.ts.map +1 -0
  1619. package/dist/governance/post-tool-audit-enrichment.js +504 -0
  1620. package/dist/governance/post-tool-audit-enrichment.js.map +1 -0
  1621. package/dist/governance/prohibited-practices.d.ts +85 -0
  1622. package/dist/governance/prohibited-practices.d.ts.map +1 -0
  1623. package/dist/governance/prohibited-practices.js +267 -0
  1624. package/dist/governance/prohibited-practices.js.map +1 -0
  1625. package/dist/governance/proxy-onboarding.d.ts +47 -0
  1626. package/dist/governance/proxy-onboarding.d.ts.map +1 -0
  1627. package/dist/governance/proxy-onboarding.js +306 -0
  1628. package/dist/governance/proxy-onboarding.js.map +1 -0
  1629. package/dist/governance/proxy-onboarding.test.d.ts +7 -0
  1630. package/dist/governance/proxy-onboarding.test.d.ts.map +1 -0
  1631. package/dist/governance/proxy-onboarding.test.js +135 -0
  1632. package/dist/governance/proxy-onboarding.test.js.map +1 -0
  1633. package/dist/governance/rag-citation-enforcement.d.ts +400 -0
  1634. package/dist/governance/rag-citation-enforcement.d.ts.map +1 -0
  1635. package/dist/governance/rag-citation-enforcement.js +568 -0
  1636. package/dist/governance/rag-citation-enforcement.js.map +1 -0
  1637. package/dist/governance/rag-confidence-threshold.d.ts +249 -0
  1638. package/dist/governance/rag-confidence-threshold.d.ts.map +1 -0
  1639. package/dist/governance/rag-confidence-threshold.js +449 -0
  1640. package/dist/governance/rag-confidence-threshold.js.map +1 -0
  1641. package/dist/governance/rag-retrieval-audit.d.ts +377 -0
  1642. package/dist/governance/rag-retrieval-audit.d.ts.map +1 -0
  1643. package/dist/governance/rag-retrieval-audit.js +517 -0
  1644. package/dist/governance/rag-retrieval-audit.js.map +1 -0
  1645. package/dist/governance/rag-source-allowlist.d.ts +273 -0
  1646. package/dist/governance/rag-source-allowlist.d.ts.map +1 -0
  1647. package/dist/governance/rag-source-allowlist.js +535 -0
  1648. package/dist/governance/rag-source-allowlist.js.map +1 -0
  1649. package/dist/governance/rag-source-output-chain.d.ts +420 -0
  1650. package/dist/governance/rag-source-output-chain.d.ts.map +1 -0
  1651. package/dist/governance/rag-source-output-chain.js +682 -0
  1652. package/dist/governance/rag-source-output-chain.js.map +1 -0
  1653. package/dist/governance/replay-player.d.ts +55 -0
  1654. package/dist/governance/replay-player.d.ts.map +1 -0
  1655. package/dist/governance/replay-player.js +89 -0
  1656. package/dist/governance/replay-player.js.map +1 -0
  1657. package/dist/governance/replay-player.test.d.ts +7 -0
  1658. package/dist/governance/replay-player.test.d.ts.map +1 -0
  1659. package/dist/governance/replay-player.test.js +192 -0
  1660. package/dist/governance/replay-player.test.js.map +1 -0
  1661. package/dist/governance/retention-manager.d.ts +189 -0
  1662. package/dist/governance/retention-manager.d.ts.map +1 -0
  1663. package/dist/governance/retention-manager.js +566 -0
  1664. package/dist/governance/retention-manager.js.map +1 -0
  1665. package/dist/governance/runtime-event-renderer.d.ts +55 -0
  1666. package/dist/governance/runtime-event-renderer.d.ts.map +1 -0
  1667. package/dist/governance/runtime-event-renderer.js +137 -0
  1668. package/dist/governance/runtime-event-renderer.js.map +1 -0
  1669. package/dist/governance/runtime-event-renderer.test.d.ts +7 -0
  1670. package/dist/governance/runtime-event-renderer.test.d.ts.map +1 -0
  1671. package/dist/governance/runtime-event-renderer.test.js +195 -0
  1672. package/dist/governance/runtime-event-renderer.test.js.map +1 -0
  1673. package/dist/governance/sandbox-replay.d.ts +52 -0
  1674. package/dist/governance/sandbox-replay.d.ts.map +1 -0
  1675. package/dist/governance/sandbox-replay.js +189 -0
  1676. package/dist/governance/sandbox-replay.js.map +1 -0
  1677. package/dist/governance/sandbox-replay.test.d.ts +7 -0
  1678. package/dist/governance/sandbox-replay.test.d.ts.map +1 -0
  1679. package/dist/governance/sandbox-replay.test.js +117 -0
  1680. package/dist/governance/sandbox-replay.test.js.map +1 -0
  1681. package/dist/governance/self-registration-hook.d.ts +65 -0
  1682. package/dist/governance/self-registration-hook.d.ts.map +1 -0
  1683. package/dist/governance/self-registration-hook.js +116 -0
  1684. package/dist/governance/self-registration-hook.js.map +1 -0
  1685. package/dist/governance/self-registration-hook.test.d.ts +7 -0
  1686. package/dist/governance/self-registration-hook.test.d.ts.map +1 -0
  1687. package/dist/governance/self-registration-hook.test.js +149 -0
  1688. package/dist/governance/self-registration-hook.test.js.map +1 -0
  1689. package/dist/governance/session-persistence.d.ts +153 -0
  1690. package/dist/governance/session-persistence.d.ts.map +1 -0
  1691. package/dist/governance/session-persistence.js +376 -0
  1692. package/dist/governance/session-persistence.js.map +1 -0
  1693. package/dist/governance/signed-manifest.d.ts +81 -0
  1694. package/dist/governance/signed-manifest.d.ts.map +1 -0
  1695. package/dist/governance/signed-manifest.js +161 -0
  1696. package/dist/governance/signed-manifest.js.map +1 -0
  1697. package/dist/governance/signed-manifest.test.d.ts +7 -0
  1698. package/dist/governance/signed-manifest.test.d.ts.map +1 -0
  1699. package/dist/governance/signed-manifest.test.js +149 -0
  1700. package/dist/governance/signed-manifest.test.js.map +1 -0
  1701. package/dist/governance/skip-api-empty-queue.d.ts +304 -0
  1702. package/dist/governance/skip-api-empty-queue.d.ts.map +1 -0
  1703. package/dist/governance/skip-api-empty-queue.js +499 -0
  1704. package/dist/governance/skip-api-empty-queue.js.map +1 -0
  1705. package/dist/governance/state-manager.d.ts +102 -0
  1706. package/dist/governance/state-manager.d.ts.map +1 -0
  1707. package/dist/governance/state-manager.js +286 -0
  1708. package/dist/governance/state-manager.js.map +1 -0
  1709. package/dist/governance/tenant-provider-agreements.d.ts +211 -0
  1710. package/dist/governance/tenant-provider-agreements.d.ts.map +1 -0
  1711. package/dist/governance/tenant-provider-agreements.js +440 -0
  1712. package/dist/governance/tenant-provider-agreements.js.map +1 -0
  1713. package/dist/governance/tool-provider-health.d.ts +299 -0
  1714. package/dist/governance/tool-provider-health.d.ts.map +1 -0
  1715. package/dist/governance/tool-provider-health.js +697 -0
  1716. package/dist/governance/tool-provider-health.js.map +1 -0
  1717. package/dist/governance/tool-rate-limit.d.ts +94 -0
  1718. package/dist/governance/tool-rate-limit.d.ts.map +1 -0
  1719. package/dist/governance/tool-rate-limit.js +145 -0
  1720. package/dist/governance/tool-rate-limit.js.map +1 -0
  1721. package/dist/governance/transparency-injector.d.ts +102 -0
  1722. package/dist/governance/transparency-injector.d.ts.map +1 -0
  1723. package/dist/governance/transparency-injector.js +162 -0
  1724. package/dist/governance/transparency-injector.js.map +1 -0
  1725. package/dist/governance/trust-score-snapshot.d.ts +61 -0
  1726. package/dist/governance/trust-score-snapshot.d.ts.map +1 -0
  1727. package/dist/governance/trust-score-snapshot.js +98 -0
  1728. package/dist/governance/trust-score-snapshot.js.map +1 -0
  1729. package/dist/governance/trust-score-snapshot.test.d.ts +7 -0
  1730. package/dist/governance/trust-score-snapshot.test.d.ts.map +1 -0
  1731. package/dist/governance/trust-score-snapshot.test.js +187 -0
  1732. package/dist/governance/trust-score-snapshot.test.js.map +1 -0
  1733. package/dist/governance/trust-score-three-dim.d.ts +122 -0
  1734. package/dist/governance/trust-score-three-dim.d.ts.map +1 -0
  1735. package/dist/governance/trust-score-three-dim.js +176 -0
  1736. package/dist/governance/trust-score-three-dim.js.map +1 -0
  1737. package/dist/governance/trust-score-three-dim.test.d.ts +7 -0
  1738. package/dist/governance/trust-score-three-dim.test.d.ts.map +1 -0
  1739. package/dist/governance/trust-score-three-dim.test.js +221 -0
  1740. package/dist/governance/trust-score-three-dim.test.js.map +1 -0
  1741. package/dist/governance-config.d.ts +201 -0
  1742. package/dist/governance-config.d.ts.map +1 -0
  1743. package/dist/governance-config.js +345 -0
  1744. package/dist/governance-config.js.map +1 -0
  1745. package/dist/governed-agent.d.ts +124 -0
  1746. package/dist/governed-agent.d.ts.map +1 -0
  1747. package/dist/governed-agent.js +1317 -0
  1748. package/dist/governed-agent.js.map +1 -0
  1749. package/dist/hooks/audit-dir-picker.sh +70 -0
  1750. package/dist/hooks/audit-logger.sh +325 -0
  1751. package/dist/hooks/cost-budget-gate.sh +74 -0
  1752. package/dist/hooks/data-classifier-bridge.d.ts +24 -0
  1753. package/dist/hooks/data-classifier-bridge.d.ts.map +1 -0
  1754. package/dist/hooks/data-classifier-bridge.js +80 -0
  1755. package/dist/hooks/data-classifier-bridge.js.map +1 -0
  1756. package/dist/hooks/destructive-command-guard.sh +200 -0
  1757. package/dist/hooks/file-boundary-guard.sh +159 -0
  1758. package/dist/hooks/file-change-tracker.sh +78 -0
  1759. package/dist/hooks/governance-file-shield.sh +102 -0
  1760. package/dist/hooks/governance-integrity-check.sh +109 -0
  1761. package/dist/hooks/hook-health-monitor.sh +189 -0
  1762. package/dist/hooks/hook-utils.sh +51 -0
  1763. package/dist/hooks/hook-wrapper.sh +77 -0
  1764. package/dist/hooks/install-hooks.sh +162 -0
  1765. package/dist/hooks/output-exfiltration-scanner.sh +112 -0
  1766. package/dist/hooks/powershell/audit-dir-picker.ps1 +72 -0
  1767. package/dist/hooks/powershell/audit-logger.ps1 +75 -0
  1768. package/dist/hooks/powershell/cost-budget-gate.ps1 +61 -0
  1769. package/dist/hooks/powershell/destructive-command-guard.ps1 +67 -0
  1770. package/dist/hooks/powershell/file-boundary-guard.ps1 +76 -0
  1771. package/dist/hooks/powershell/file-change-tracker.ps1 +74 -0
  1772. package/dist/hooks/powershell/governance-file-shield.ps1 +86 -0
  1773. package/dist/hooks/powershell/governance-integrity-check.ps1 +101 -0
  1774. package/dist/hooks/powershell/hook-health-monitor.ps1 +153 -0
  1775. package/dist/hooks/powershell/hook-utils.ps1 +44 -0
  1776. package/dist/hooks/powershell/hook-wrapper.ps1 +67 -0
  1777. package/dist/hooks/powershell/install-hooks.ps1 +142 -0
  1778. package/dist/hooks/powershell/output-exfiltration-scanner.ps1 +85 -0
  1779. package/dist/hooks/powershell/secret-leak-scanner.ps1 +105 -0
  1780. package/dist/hooks/powershell/token-tracker.ps1 +83 -0
  1781. package/dist/hooks/powershell/web-access-gate.ps1 +89 -0
  1782. package/dist/hooks/secret-leak-scanner.sh +293 -0
  1783. package/dist/hooks/token-tracker.sh +89 -0
  1784. package/dist/hooks/web-access-gate.sh +123 -0
  1785. package/dist/ide-adapters/aider.d.ts +213 -0
  1786. package/dist/ide-adapters/aider.d.ts.map +1 -0
  1787. package/dist/ide-adapters/aider.js +710 -0
  1788. package/dist/ide-adapters/aider.js.map +1 -0
  1789. package/dist/ide-adapters/amazon-q-developer.d.ts +124 -0
  1790. package/dist/ide-adapters/amazon-q-developer.d.ts.map +1 -0
  1791. package/dist/ide-adapters/amazon-q-developer.js +686 -0
  1792. package/dist/ide-adapters/amazon-q-developer.js.map +1 -0
  1793. package/dist/ide-adapters/base.d.ts +64 -0
  1794. package/dist/ide-adapters/base.d.ts.map +1 -0
  1795. package/dist/ide-adapters/base.js +233 -0
  1796. package/dist/ide-adapters/base.js.map +1 -0
  1797. package/dist/ide-adapters/claude-code.d.ts +43 -0
  1798. package/dist/ide-adapters/claude-code.d.ts.map +1 -0
  1799. package/dist/ide-adapters/claude-code.js +192 -0
  1800. package/dist/ide-adapters/claude-code.js.map +1 -0
  1801. package/dist/ide-adapters/cody.d.ts +150 -0
  1802. package/dist/ide-adapters/cody.d.ts.map +1 -0
  1803. package/dist/ide-adapters/cody.js +767 -0
  1804. package/dist/ide-adapters/cody.js.map +1 -0
  1805. package/dist/ide-adapters/continue-dev.d.ts +120 -0
  1806. package/dist/ide-adapters/continue-dev.d.ts.map +1 -0
  1807. package/dist/ide-adapters/continue-dev.js +359 -0
  1808. package/dist/ide-adapters/continue-dev.js.map +1 -0
  1809. package/dist/ide-adapters/copilot-studio.d.ts +310 -0
  1810. package/dist/ide-adapters/copilot-studio.d.ts.map +1 -0
  1811. package/dist/ide-adapters/copilot-studio.js +1097 -0
  1812. package/dist/ide-adapters/copilot-studio.js.map +1 -0
  1813. package/dist/ide-adapters/copilot-workspace.d.ts +167 -0
  1814. package/dist/ide-adapters/copilot-workspace.d.ts.map +1 -0
  1815. package/dist/ide-adapters/copilot-workspace.js +376 -0
  1816. package/dist/ide-adapters/copilot-workspace.js.map +1 -0
  1817. package/dist/ide-adapters/cursor.d.ts +74 -0
  1818. package/dist/ide-adapters/cursor.d.ts.map +1 -0
  1819. package/dist/ide-adapters/cursor.js +273 -0
  1820. package/dist/ide-adapters/cursor.js.map +1 -0
  1821. package/dist/ide-adapters/exports.d.ts +53 -0
  1822. package/dist/ide-adapters/exports.d.ts.map +1 -0
  1823. package/dist/ide-adapters/exports.js +115 -0
  1824. package/dist/ide-adapters/exports.js.map +1 -0
  1825. package/dist/ide-adapters/gemini-code-assist.d.ts +135 -0
  1826. package/dist/ide-adapters/gemini-code-assist.d.ts.map +1 -0
  1827. package/dist/ide-adapters/gemini-code-assist.js +750 -0
  1828. package/dist/ide-adapters/gemini-code-assist.js.map +1 -0
  1829. package/dist/ide-adapters/github-copilot.d.ts +166 -0
  1830. package/dist/ide-adapters/github-copilot.d.ts.map +1 -0
  1831. package/dist/ide-adapters/github-copilot.js +547 -0
  1832. package/dist/ide-adapters/github-copilot.js.map +1 -0
  1833. package/dist/ide-adapters/index.d.ts +271 -0
  1834. package/dist/ide-adapters/index.d.ts.map +1 -0
  1835. package/dist/ide-adapters/index.js +100 -0
  1836. package/dist/ide-adapters/index.js.map +1 -0
  1837. package/dist/ide-adapters/jetbrains-ai.d.ts +150 -0
  1838. package/dist/ide-adapters/jetbrains-ai.d.ts.map +1 -0
  1839. package/dist/ide-adapters/jetbrains-ai.js +718 -0
  1840. package/dist/ide-adapters/jetbrains-ai.js.map +1 -0
  1841. package/dist/ide-adapters/notebook-ai.d.ts +220 -0
  1842. package/dist/ide-adapters/notebook-ai.d.ts.map +1 -0
  1843. package/dist/ide-adapters/notebook-ai.js +858 -0
  1844. package/dist/ide-adapters/notebook-ai.js.map +1 -0
  1845. package/dist/ide-adapters/replit-agent.d.ts +269 -0
  1846. package/dist/ide-adapters/replit-agent.d.ts.map +1 -0
  1847. package/dist/ide-adapters/replit-agent.js +1022 -0
  1848. package/dist/ide-adapters/replit-agent.js.map +1 -0
  1849. package/dist/ide-adapters/reviewer-tier.d.ts +15 -0
  1850. package/dist/ide-adapters/reviewer-tier.d.ts.map +1 -0
  1851. package/dist/ide-adapters/reviewer-tier.js +16 -0
  1852. package/dist/ide-adapters/reviewer-tier.js.map +1 -0
  1853. package/dist/ide-adapters/shared.d.ts +116 -0
  1854. package/dist/ide-adapters/shared.d.ts.map +1 -0
  1855. package/dist/ide-adapters/shared.js +311 -0
  1856. package/dist/ide-adapters/shared.js.map +1 -0
  1857. package/dist/ide-adapters/tabnine.d.ts +189 -0
  1858. package/dist/ide-adapters/tabnine.d.ts.map +1 -0
  1859. package/dist/ide-adapters/tabnine.js +721 -0
  1860. package/dist/ide-adapters/tabnine.js.map +1 -0
  1861. package/dist/ide-adapters/windsurf.d.ts +216 -0
  1862. package/dist/ide-adapters/windsurf.d.ts.map +1 -0
  1863. package/dist/ide-adapters/windsurf.js +812 -0
  1864. package/dist/ide-adapters/windsurf.js.map +1 -0
  1865. package/dist/ide-adapters/zed-ai.d.ts +209 -0
  1866. package/dist/ide-adapters/zed-ai.d.ts.map +1 -0
  1867. package/dist/ide-adapters/zed-ai.js +622 -0
  1868. package/dist/ide-adapters/zed-ai.js.map +1 -0
  1869. package/dist/index.d.ts +104 -0
  1870. package/dist/index.d.ts.map +1 -0
  1871. package/dist/index.js +366 -0
  1872. package/dist/index.js.map +1 -0
  1873. package/dist/license/entitlement-client.d.ts +111 -0
  1874. package/dist/license/entitlement-client.d.ts.map +1 -0
  1875. package/dist/license/entitlement-client.js +306 -0
  1876. package/dist/license/entitlement-client.js.map +1 -0
  1877. package/dist/license/index.d.ts +10 -0
  1878. package/dist/license/index.d.ts.map +1 -0
  1879. package/dist/license/index.js +14 -0
  1880. package/dist/license/index.js.map +1 -0
  1881. package/dist/license/jwt-issuer.d.ts +64 -0
  1882. package/dist/license/jwt-issuer.d.ts.map +1 -0
  1883. package/dist/license/jwt-issuer.js +144 -0
  1884. package/dist/license/jwt-issuer.js.map +1 -0
  1885. package/dist/license/jwt-validator.d.ts +145 -0
  1886. package/dist/license/jwt-validator.d.ts.map +1 -0
  1887. package/dist/license/jwt-validator.js +498 -0
  1888. package/dist/license/jwt-validator.js.map +1 -0
  1889. package/dist/license/keygen.d.ts +16 -0
  1890. package/dist/license/keygen.d.ts.map +1 -0
  1891. package/dist/license/keygen.js +100 -0
  1892. package/dist/license/keygen.js.map +1 -0
  1893. package/dist/license/subscription-gate.d.ts +99 -0
  1894. package/dist/license/subscription-gate.d.ts.map +1 -0
  1895. package/dist/license/subscription-gate.js +293 -0
  1896. package/dist/license/subscription-gate.js.map +1 -0
  1897. package/dist/llm-adapters/azure-openai.d.ts +69 -0
  1898. package/dist/llm-adapters/azure-openai.d.ts.map +1 -0
  1899. package/dist/llm-adapters/azure-openai.js +702 -0
  1900. package/dist/llm-adapters/azure-openai.js.map +1 -0
  1901. package/dist/llm-adapters/base.d.ts +97 -0
  1902. package/dist/llm-adapters/base.d.ts.map +1 -0
  1903. package/dist/llm-adapters/base.js +265 -0
  1904. package/dist/llm-adapters/base.js.map +1 -0
  1905. package/dist/llm-adapters/bedrock.d.ts +67 -0
  1906. package/dist/llm-adapters/bedrock.d.ts.map +1 -0
  1907. package/dist/llm-adapters/bedrock.js +751 -0
  1908. package/dist/llm-adapters/bedrock.js.map +1 -0
  1909. package/dist/llm-adapters/claude.d.ts +84 -0
  1910. package/dist/llm-adapters/claude.d.ts.map +1 -0
  1911. package/dist/llm-adapters/claude.js +273 -0
  1912. package/dist/llm-adapters/claude.js.map +1 -0
  1913. package/dist/llm-adapters/deepseek.d.ts +113 -0
  1914. package/dist/llm-adapters/deepseek.d.ts.map +1 -0
  1915. package/dist/llm-adapters/deepseek.js +754 -0
  1916. package/dist/llm-adapters/deepseek.js.map +1 -0
  1917. package/dist/llm-adapters/exports.d.ts +40 -0
  1918. package/dist/llm-adapters/exports.d.ts.map +1 -0
  1919. package/dist/llm-adapters/exports.js +74 -0
  1920. package/dist/llm-adapters/exports.js.map +1 -0
  1921. package/dist/llm-adapters/gemini.d.ts +106 -0
  1922. package/dist/llm-adapters/gemini.d.ts.map +1 -0
  1923. package/dist/llm-adapters/gemini.js +201 -0
  1924. package/dist/llm-adapters/gemini.js.map +1 -0
  1925. package/dist/llm-adapters/gemma.d.ts +200 -0
  1926. package/dist/llm-adapters/gemma.d.ts.map +1 -0
  1927. package/dist/llm-adapters/gemma.js +270 -0
  1928. package/dist/llm-adapters/gemma.js.map +1 -0
  1929. package/dist/llm-adapters/google.d.ts +221 -0
  1930. package/dist/llm-adapters/google.d.ts.map +1 -0
  1931. package/dist/llm-adapters/google.js +1176 -0
  1932. package/dist/llm-adapters/google.js.map +1 -0
  1933. package/dist/llm-adapters/huggingface.d.ts +354 -0
  1934. package/dist/llm-adapters/huggingface.d.ts.map +1 -0
  1935. package/dist/llm-adapters/huggingface.js +622 -0
  1936. package/dist/llm-adapters/huggingface.js.map +1 -0
  1937. package/dist/llm-adapters/index.d.ts +331 -0
  1938. package/dist/llm-adapters/index.d.ts.map +1 -0
  1939. package/dist/llm-adapters/index.js +96 -0
  1940. package/dist/llm-adapters/index.js.map +1 -0
  1941. package/dist/llm-adapters/ollama.d.ts +90 -0
  1942. package/dist/llm-adapters/ollama.d.ts.map +1 -0
  1943. package/dist/llm-adapters/ollama.js +624 -0
  1944. package/dist/llm-adapters/ollama.js.map +1 -0
  1945. package/dist/llm-adapters/openai.d.ts +168 -0
  1946. package/dist/llm-adapters/openai.d.ts.map +1 -0
  1947. package/dist/llm-adapters/openai.js +363 -0
  1948. package/dist/llm-adapters/openai.js.map +1 -0
  1949. package/dist/llm-adapters/replicate-llama.d.ts +327 -0
  1950. package/dist/llm-adapters/replicate-llama.d.ts.map +1 -0
  1951. package/dist/llm-adapters/replicate-llama.js +600 -0
  1952. package/dist/llm-adapters/replicate-llama.js.map +1 -0
  1953. package/dist/llm-adapters/shared.d.ts +104 -0
  1954. package/dist/llm-adapters/shared.d.ts.map +1 -0
  1955. package/dist/llm-adapters/shared.js +341 -0
  1956. package/dist/llm-adapters/shared.js.map +1 -0
  1957. package/dist/llm-adapters/supported-models-catalog.d.ts +112 -0
  1958. package/dist/llm-adapters/supported-models-catalog.d.ts.map +1 -0
  1959. package/dist/llm-adapters/supported-models-catalog.js +748 -0
  1960. package/dist/llm-adapters/supported-models-catalog.js.map +1 -0
  1961. package/dist/observability/destination-health-monitor.d.ts +147 -0
  1962. package/dist/observability/destination-health-monitor.d.ts.map +1 -0
  1963. package/dist/observability/destination-health-monitor.js +244 -0
  1964. package/dist/observability/destination-health-monitor.js.map +1 -0
  1965. package/dist/observability/health-metrics-store.d.ts +112 -0
  1966. package/dist/observability/health-metrics-store.d.ts.map +1 -0
  1967. package/dist/observability/health-metrics-store.js +131 -0
  1968. package/dist/observability/health-metrics-store.js.map +1 -0
  1969. package/dist/orchestrator-adapters/autogen.d.ts +225 -0
  1970. package/dist/orchestrator-adapters/autogen.d.ts.map +1 -0
  1971. package/dist/orchestrator-adapters/autogen.js +522 -0
  1972. package/dist/orchestrator-adapters/autogen.js.map +1 -0
  1973. package/dist/orchestrator-adapters/base.d.ts +100 -0
  1974. package/dist/orchestrator-adapters/base.d.ts.map +1 -0
  1975. package/dist/orchestrator-adapters/base.js +403 -0
  1976. package/dist/orchestrator-adapters/base.js.map +1 -0
  1977. package/dist/orchestrator-adapters/bedrock-agentcore.d.ts +314 -0
  1978. package/dist/orchestrator-adapters/bedrock-agentcore.d.ts.map +1 -0
  1979. package/dist/orchestrator-adapters/bedrock-agentcore.js +845 -0
  1980. package/dist/orchestrator-adapters/bedrock-agentcore.js.map +1 -0
  1981. package/dist/orchestrator-adapters/claude-agent-sdk.d.ts +288 -0
  1982. package/dist/orchestrator-adapters/claude-agent-sdk.d.ts.map +1 -0
  1983. package/dist/orchestrator-adapters/claude-agent-sdk.js +732 -0
  1984. package/dist/orchestrator-adapters/claude-agent-sdk.js.map +1 -0
  1985. package/dist/orchestrator-adapters/crewai.d.ts +161 -0
  1986. package/dist/orchestrator-adapters/crewai.d.ts.map +1 -0
  1987. package/dist/orchestrator-adapters/crewai.js +507 -0
  1988. package/dist/orchestrator-adapters/crewai.js.map +1 -0
  1989. package/dist/orchestrator-adapters/deepagents.d.ts +218 -0
  1990. package/dist/orchestrator-adapters/deepagents.d.ts.map +1 -0
  1991. package/dist/orchestrator-adapters/deepagents.js +382 -0
  1992. package/dist/orchestrator-adapters/deepagents.js.map +1 -0
  1993. package/dist/orchestrator-adapters/exports.d.ts +30 -0
  1994. package/dist/orchestrator-adapters/exports.d.ts.map +1 -0
  1995. package/dist/orchestrator-adapters/exports.js +94 -0
  1996. package/dist/orchestrator-adapters/exports.js.map +1 -0
  1997. package/dist/orchestrator-adapters/google-adk.d.ts +306 -0
  1998. package/dist/orchestrator-adapters/google-adk.d.ts.map +1 -0
  1999. package/dist/orchestrator-adapters/google-adk.js +805 -0
  2000. package/dist/orchestrator-adapters/google-adk.js.map +1 -0
  2001. package/dist/orchestrator-adapters/haystack.d.ts +327 -0
  2002. package/dist/orchestrator-adapters/haystack.d.ts.map +1 -0
  2003. package/dist/orchestrator-adapters/haystack.js +841 -0
  2004. package/dist/orchestrator-adapters/haystack.js.map +1 -0
  2005. package/dist/orchestrator-adapters/index.d.ts +328 -0
  2006. package/dist/orchestrator-adapters/index.d.ts.map +1 -0
  2007. package/dist/orchestrator-adapters/index.js +117 -0
  2008. package/dist/orchestrator-adapters/index.js.map +1 -0
  2009. package/dist/orchestrator-adapters/langchain.d.ts +186 -0
  2010. package/dist/orchestrator-adapters/langchain.d.ts.map +1 -0
  2011. package/dist/orchestrator-adapters/langchain.js +495 -0
  2012. package/dist/orchestrator-adapters/langchain.js.map +1 -0
  2013. package/dist/orchestrator-adapters/langgraph.d.ts +234 -0
  2014. package/dist/orchestrator-adapters/langgraph.d.ts.map +1 -0
  2015. package/dist/orchestrator-adapters/langgraph.js +502 -0
  2016. package/dist/orchestrator-adapters/langgraph.js.map +1 -0
  2017. package/dist/orchestrator-adapters/llamaindex.d.ts +325 -0
  2018. package/dist/orchestrator-adapters/llamaindex.d.ts.map +1 -0
  2019. package/dist/orchestrator-adapters/llamaindex.js +850 -0
  2020. package/dist/orchestrator-adapters/llamaindex.js.map +1 -0
  2021. package/dist/orchestrator-adapters/openai-agents.d.ts +238 -0
  2022. package/dist/orchestrator-adapters/openai-agents.d.ts.map +1 -0
  2023. package/dist/orchestrator-adapters/openai-agents.js +532 -0
  2024. package/dist/orchestrator-adapters/openai-agents.js.map +1 -0
  2025. package/dist/orchestrator-adapters/openclaw.d.ts +327 -0
  2026. package/dist/orchestrator-adapters/openclaw.d.ts.map +1 -0
  2027. package/dist/orchestrator-adapters/openclaw.js +896 -0
  2028. package/dist/orchestrator-adapters/openclaw.js.map +1 -0
  2029. package/dist/orchestrator-adapters/orchestrator-adapter.d.ts +170 -0
  2030. package/dist/orchestrator-adapters/orchestrator-adapter.d.ts.map +1 -0
  2031. package/dist/orchestrator-adapters/orchestrator-adapter.js +34 -0
  2032. package/dist/orchestrator-adapters/orchestrator-adapter.js.map +1 -0
  2033. package/dist/orchestrator-adapters/paperclip-adapter.d.ts +91 -0
  2034. package/dist/orchestrator-adapters/paperclip-adapter.d.ts.map +1 -0
  2035. package/dist/orchestrator-adapters/paperclip-adapter.js +403 -0
  2036. package/dist/orchestrator-adapters/paperclip-adapter.js.map +1 -0
  2037. package/dist/orchestrator-adapters/semantic-kernel.d.ts +218 -0
  2038. package/dist/orchestrator-adapters/semantic-kernel.d.ts.map +1 -0
  2039. package/dist/orchestrator-adapters/semantic-kernel.js +525 -0
  2040. package/dist/orchestrator-adapters/semantic-kernel.js.map +1 -0
  2041. package/dist/orchestrator-adapters/shared.d.ts +49 -0
  2042. package/dist/orchestrator-adapters/shared.d.ts.map +1 -0
  2043. package/dist/orchestrator-adapters/shared.js +161 -0
  2044. package/dist/orchestrator-adapters/shared.js.map +1 -0
  2045. package/dist/packs/_base-classifiers.d.ts +73 -0
  2046. package/dist/packs/_base-classifiers.d.ts.map +1 -0
  2047. package/dist/packs/_base-classifiers.js +165 -0
  2048. package/dist/packs/_base-classifiers.js.map +1 -0
  2049. package/dist/packs/aba.d.ts +41 -0
  2050. package/dist/packs/aba.d.ts.map +1 -0
  2051. package/dist/packs/aba.js +300 -0
  2052. package/dist/packs/aba.js.map +1 -0
  2053. package/dist/packs/as-9100.d.ts +130 -0
  2054. package/dist/packs/as-9100.d.ts.map +1 -0
  2055. package/dist/packs/as-9100.js +817 -0
  2056. package/dist/packs/as-9100.js.map +1 -0
  2057. package/dist/packs/au-act-hrpaa.d.ts +68 -0
  2058. package/dist/packs/au-act-hrpaa.d.ts.map +1 -0
  2059. package/dist/packs/au-act-hrpaa.js +293 -0
  2060. package/dist/packs/au-act-hrpaa.js.map +1 -0
  2061. package/dist/packs/au-aiethics-framework.d.ts +68 -0
  2062. package/dist/packs/au-aiethics-framework.d.ts.map +1 -0
  2063. package/dist/packs/au-aiethics-framework.js +344 -0
  2064. package/dist/packs/au-aiethics-framework.js.map +1 -0
  2065. package/dist/packs/au-aml-ctf.d.ts +67 -0
  2066. package/dist/packs/au-aml-ctf.d.ts.map +1 -0
  2067. package/dist/packs/au-aml-ctf.js +349 -0
  2068. package/dist/packs/au-aml-ctf.js.map +1 -0
  2069. package/dist/packs/au-asic-rg-271.d.ts +50 -0
  2070. package/dist/packs/au-asic-rg-271.d.ts.map +1 -0
  2071. package/dist/packs/au-asic-rg-271.js +271 -0
  2072. package/dist/packs/au-asic-rg-271.js.map +1 -0
  2073. package/dist/packs/au-asic-rg-274.d.ts +51 -0
  2074. package/dist/packs/au-asic-rg-274.d.ts.map +1 -0
  2075. package/dist/packs/au-asic-rg-274.js +271 -0
  2076. package/dist/packs/au-asic-rg-274.js.map +1 -0
  2077. package/dist/packs/au-cdr.d.ts +49 -0
  2078. package/dist/packs/au-cdr.d.ts.map +1 -0
  2079. package/dist/packs/au-cdr.js +308 -0
  2080. package/dist/packs/au-cdr.js.map +1 -0
  2081. package/dist/packs/au-cps230.d.ts +50 -0
  2082. package/dist/packs/au-cps230.d.ts.map +1 -0
  2083. package/dist/packs/au-cps230.js +267 -0
  2084. package/dist/packs/au-cps230.js.map +1 -0
  2085. package/dist/packs/au-cps234.d.ts +56 -0
  2086. package/dist/packs/au-cps234.d.ts.map +1 -0
  2087. package/dist/packs/au-cps234.js +300 -0
  2088. package/dist/packs/au-cps234.js.map +1 -0
  2089. package/dist/packs/au-mandatory-ai-guardrails.d.ts +61 -0
  2090. package/dist/packs/au-mandatory-ai-guardrails.d.ts.map +1 -0
  2091. package/dist/packs/au-mandatory-ai-guardrails.js +274 -0
  2092. package/dist/packs/au-mandatory-ai-guardrails.js.map +1 -0
  2093. package/dist/packs/au-nsw-hripa.d.ts +78 -0
  2094. package/dist/packs/au-nsw-hripa.d.ts.map +1 -0
  2095. package/dist/packs/au-nsw-hripa.js +366 -0
  2096. package/dist/packs/au-nsw-hripa.js.map +1 -0
  2097. package/dist/packs/au-online-safety.d.ts +55 -0
  2098. package/dist/packs/au-online-safety.d.ts.map +1 -0
  2099. package/dist/packs/au-online-safety.js +300 -0
  2100. package/dist/packs/au-online-safety.js.map +1 -0
  2101. package/dist/packs/au-privacy-act.d.ts +54 -0
  2102. package/dist/packs/au-privacy-act.d.ts.map +1 -0
  2103. package/dist/packs/au-privacy-act.js +364 -0
  2104. package/dist/packs/au-privacy-act.js.map +1 -0
  2105. package/dist/packs/au-soci-act.d.ts +53 -0
  2106. package/dist/packs/au-soci-act.d.ts.map +1 -0
  2107. package/dist/packs/au-soci-act.js +254 -0
  2108. package/dist/packs/au-soci-act.js.map +1 -0
  2109. package/dist/packs/au-spam-act.d.ts +54 -0
  2110. package/dist/packs/au-spam-act.d.ts.map +1 -0
  2111. package/dist/packs/au-spam-act.js +287 -0
  2112. package/dist/packs/au-spam-act.js.map +1 -0
  2113. package/dist/packs/au-tga-saimd.d.ts +74 -0
  2114. package/dist/packs/au-tga-saimd.d.ts.map +1 -0
  2115. package/dist/packs/au-tga-saimd.js +344 -0
  2116. package/dist/packs/au-tga-saimd.js.map +1 -0
  2117. package/dist/packs/au-vic-hra.d.ts +70 -0
  2118. package/dist/packs/au-vic-hra.d.ts.map +1 -0
  2119. package/dist/packs/au-vic-hra.js +348 -0
  2120. package/dist/packs/au-vic-hra.js.map +1 -0
  2121. package/dist/packs/bipa.d.ts +30 -0
  2122. package/dist/packs/bipa.d.ts.map +1 -0
  2123. package/dist/packs/bipa.js +271 -0
  2124. package/dist/packs/bipa.js.map +1 -0
  2125. package/dist/packs/bsa-aml.d.ts +52 -0
  2126. package/dist/packs/bsa-aml.d.ts.map +1 -0
  2127. package/dist/packs/bsa-aml.js +413 -0
  2128. package/dist/packs/bsa-aml.js.map +1 -0
  2129. package/dist/packs/ca-pipeda.d.ts +48 -0
  2130. package/dist/packs/ca-pipeda.d.ts.map +1 -0
  2131. package/dist/packs/ca-pipeda.js +220 -0
  2132. package/dist/packs/ca-pipeda.js.map +1 -0
  2133. package/dist/packs/ca-qc-law25.d.ts +46 -0
  2134. package/dist/packs/ca-qc-law25.d.ts.map +1 -0
  2135. package/dist/packs/ca-qc-law25.js +191 -0
  2136. package/dist/packs/ca-qc-law25.js.map +1 -0
  2137. package/dist/packs/caldicott-principles.d.ts +86 -0
  2138. package/dist/packs/caldicott-principles.d.ts.map +1 -0
  2139. package/dist/packs/caldicott-principles.js +444 -0
  2140. package/dist/packs/caldicott-principles.js.map +1 -0
  2141. package/dist/packs/california-ab2930.d.ts +58 -0
  2142. package/dist/packs/california-ab2930.d.ts.map +1 -0
  2143. package/dist/packs/california-ab2930.js +413 -0
  2144. package/dist/packs/california-ab2930.js.map +1 -0
  2145. package/dist/packs/ccpa.d.ts +47 -0
  2146. package/dist/packs/ccpa.d.ts.map +1 -0
  2147. package/dist/packs/ccpa.js +399 -0
  2148. package/dist/packs/ccpa.js.map +1 -0
  2149. package/dist/packs/cfpb-2023-03.d.ts +32 -0
  2150. package/dist/packs/cfpb-2023-03.d.ts.map +1 -0
  2151. package/dist/packs/cfpb-2023-03.js +285 -0
  2152. package/dist/packs/cfpb-2023-03.js.map +1 -0
  2153. package/dist/packs/check-registry.d.ts +76 -0
  2154. package/dist/packs/check-registry.d.ts.map +1 -0
  2155. package/dist/packs/check-registry.js +3341 -0
  2156. package/dist/packs/check-registry.js.map +1 -0
  2157. package/dist/packs/cjis.d.ts +61 -0
  2158. package/dist/packs/cjis.d.ts.map +1 -0
  2159. package/dist/packs/cjis.js +345 -0
  2160. package/dist/packs/cjis.js.map +1 -0
  2161. package/dist/packs/cma-ai-foundation-models.d.ts +74 -0
  2162. package/dist/packs/cma-ai-foundation-models.d.ts.map +1 -0
  2163. package/dist/packs/cma-ai-foundation-models.js +397 -0
  2164. package/dist/packs/cma-ai-foundation-models.js.map +1 -0
  2165. package/dist/packs/cmmc2.d.ts +69 -0
  2166. package/dist/packs/cmmc2.d.ts.map +1 -0
  2167. package/dist/packs/cmmc2.js +350 -0
  2168. package/dist/packs/cmmc2.js.map +1 -0
  2169. package/dist/packs/cms-interoperability.d.ts +55 -0
  2170. package/dist/packs/cms-interoperability.d.ts.map +1 -0
  2171. package/dist/packs/cms-interoperability.js +390 -0
  2172. package/dist/packs/cms-interoperability.js.map +1 -0
  2173. package/dist/packs/cn-dsl-csl.d.ts +52 -0
  2174. package/dist/packs/cn-dsl-csl.d.ts.map +1 -0
  2175. package/dist/packs/cn-dsl-csl.js +137 -0
  2176. package/dist/packs/cn-dsl-csl.js.map +1 -0
  2177. package/dist/packs/colorado-ai.d.ts +77 -0
  2178. package/dist/packs/colorado-ai.d.ts.map +1 -0
  2179. package/dist/packs/colorado-ai.js +379 -0
  2180. package/dist/packs/colorado-ai.js.map +1 -0
  2181. package/dist/packs/common-rule.d.ts +91 -0
  2182. package/dist/packs/common-rule.d.ts.map +1 -0
  2183. package/dist/packs/common-rule.js +473 -0
  2184. package/dist/packs/common-rule.js.map +1 -0
  2185. package/dist/packs/coppa.d.ts +84 -0
  2186. package/dist/packs/coppa.d.ts.map +1 -0
  2187. package/dist/packs/coppa.js +409 -0
  2188. package/dist/packs/coppa.js.map +1 -0
  2189. package/dist/packs/cyber-essentials.d.ts +63 -0
  2190. package/dist/packs/cyber-essentials.d.ts.map +1 -0
  2191. package/dist/packs/cyber-essentials.js +407 -0
  2192. package/dist/packs/cyber-essentials.js.map +1 -0
  2193. package/dist/packs/de-bdsg.d.ts +66 -0
  2194. package/dist/packs/de-bdsg.d.ts.map +1 -0
  2195. package/dist/packs/de-bdsg.js +416 -0
  2196. package/dist/packs/de-bdsg.js.map +1 -0
  2197. package/dist/packs/do-178c.d.ts +98 -0
  2198. package/dist/packs/do-178c.d.ts.map +1 -0
  2199. package/dist/packs/do-178c.js +726 -0
  2200. package/dist/packs/do-178c.js.map +1 -0
  2201. package/dist/packs/dora.d.ts +48 -0
  2202. package/dist/packs/dora.d.ts.map +1 -0
  2203. package/dist/packs/dora.js +361 -0
  2204. package/dist/packs/dora.js.map +1 -0
  2205. package/dist/packs/ecoa.d.ts +46 -0
  2206. package/dist/packs/ecoa.d.ts.map +1 -0
  2207. package/dist/packs/ecoa.js +389 -0
  2208. package/dist/packs/ecoa.js.map +1 -0
  2209. package/dist/packs/eu-ai-liability.d.ts +39 -0
  2210. package/dist/packs/eu-ai-liability.d.ts.map +1 -0
  2211. package/dist/packs/eu-ai-liability.js +303 -0
  2212. package/dist/packs/eu-ai-liability.js.map +1 -0
  2213. package/dist/packs/eu-cra.d.ts +50 -0
  2214. package/dist/packs/eu-cra.d.ts.map +1 -0
  2215. package/dist/packs/eu-cra.js +143 -0
  2216. package/dist/packs/eu-cra.js.map +1 -0
  2217. package/dist/packs/eu-data-act.d.ts +49 -0
  2218. package/dist/packs/eu-data-act.d.ts.map +1 -0
  2219. package/dist/packs/eu-data-act.js +141 -0
  2220. package/dist/packs/eu-data-act.js.map +1 -0
  2221. package/dist/packs/eu-dma.d.ts +59 -0
  2222. package/dist/packs/eu-dma.d.ts.map +1 -0
  2223. package/dist/packs/eu-dma.js +188 -0
  2224. package/dist/packs/eu-dma.js.map +1 -0
  2225. package/dist/packs/eu-dsa.d.ts +54 -0
  2226. package/dist/packs/eu-dsa.d.ts.map +1 -0
  2227. package/dist/packs/eu-dsa.js +179 -0
  2228. package/dist/packs/eu-dsa.js.map +1 -0
  2229. package/dist/packs/eu-lpp.d.ts +61 -0
  2230. package/dist/packs/eu-lpp.d.ts.map +1 -0
  2231. package/dist/packs/eu-lpp.js +345 -0
  2232. package/dist/packs/eu-lpp.js.map +1 -0
  2233. package/dist/packs/eu-mdr-ivdr.d.ts +67 -0
  2234. package/dist/packs/eu-mdr-ivdr.d.ts.map +1 -0
  2235. package/dist/packs/eu-mdr-ivdr.js +420 -0
  2236. package/dist/packs/eu-mdr-ivdr.js.map +1 -0
  2237. package/dist/packs/euaiact.d.ts +51 -0
  2238. package/dist/packs/euaiact.d.ts.map +1 -0
  2239. package/dist/packs/euaiact.js +344 -0
  2240. package/dist/packs/euaiact.js.map +1 -0
  2241. package/dist/packs/fca-consumer-duty.d.ts +65 -0
  2242. package/dist/packs/fca-consumer-duty.d.ts.map +1 -0
  2243. package/dist/packs/fca-consumer-duty.js +412 -0
  2244. package/dist/packs/fca-consumer-duty.js.map +1 -0
  2245. package/dist/packs/fca-op-resilience.d.ts +53 -0
  2246. package/dist/packs/fca-op-resilience.d.ts.map +1 -0
  2247. package/dist/packs/fca-op-resilience.js +353 -0
  2248. package/dist/packs/fca-op-resilience.js.map +1 -0
  2249. package/dist/packs/fcra.d.ts +47 -0
  2250. package/dist/packs/fcra.d.ts.map +1 -0
  2251. package/dist/packs/fcra.js +444 -0
  2252. package/dist/packs/fcra.js.map +1 -0
  2253. package/dist/packs/fda-21-cfr-820.d.ts +53 -0
  2254. package/dist/packs/fda-21-cfr-820.d.ts.map +1 -0
  2255. package/dist/packs/fda-21-cfr-820.js +609 -0
  2256. package/dist/packs/fda-21-cfr-820.js.map +1 -0
  2257. package/dist/packs/fda-samd-precert.d.ts +122 -0
  2258. package/dist/packs/fda-samd-precert.d.ts.map +1 -0
  2259. package/dist/packs/fda-samd-precert.js +866 -0
  2260. package/dist/packs/fda-samd-precert.js.map +1 -0
  2261. package/dist/packs/fda-samd.d.ts +42 -0
  2262. package/dist/packs/fda-samd.d.ts.map +1 -0
  2263. package/dist/packs/fda-samd.js +317 -0
  2264. package/dist/packs/fda-samd.js.map +1 -0
  2265. package/dist/packs/fedramp.d.ts +51 -0
  2266. package/dist/packs/fedramp.d.ts.map +1 -0
  2267. package/dist/packs/fedramp.js +321 -0
  2268. package/dist/packs/fedramp.js.map +1 -0
  2269. package/dist/packs/ferpa.d.ts +57 -0
  2270. package/dist/packs/ferpa.d.ts.map +1 -0
  2271. package/dist/packs/ferpa.js +312 -0
  2272. package/dist/packs/ferpa.js.map +1 -0
  2273. package/dist/packs/finra-3110.d.ts +53 -0
  2274. package/dist/packs/finra-3110.d.ts.map +1 -0
  2275. package/dist/packs/finra-3110.js +354 -0
  2276. package/dist/packs/finra-3110.js.map +1 -0
  2277. package/dist/packs/florida-student-privacy.d.ts +104 -0
  2278. package/dist/packs/florida-student-privacy.d.ts.map +1 -0
  2279. package/dist/packs/florida-student-privacy.js +451 -0
  2280. package/dist/packs/florida-student-privacy.js.map +1 -0
  2281. package/dist/packs/foia.d.ts +46 -0
  2282. package/dist/packs/foia.d.ts.map +1 -0
  2283. package/dist/packs/foia.js +397 -0
  2284. package/dist/packs/foia.js.map +1 -0
  2285. package/dist/packs/frcp26.d.ts +52 -0
  2286. package/dist/packs/frcp26.d.ts.map +1 -0
  2287. package/dist/packs/frcp26.js +297 -0
  2288. package/dist/packs/frcp26.js.map +1 -0
  2289. package/dist/packs/ftc5.d.ts +35 -0
  2290. package/dist/packs/ftc5.d.ts.map +1 -0
  2291. package/dist/packs/ftc5.js +293 -0
  2292. package/dist/packs/ftc5.js.map +1 -0
  2293. package/dist/packs/gdpr.d.ts +41 -0
  2294. package/dist/packs/gdpr.d.ts.map +1 -0
  2295. package/dist/packs/gdpr.js +490 -0
  2296. package/dist/packs/gdpr.js.map +1 -0
  2297. package/dist/packs/glba.d.ts +34 -0
  2298. package/dist/packs/glba.d.ts.map +1 -0
  2299. package/dist/packs/glba.js +424 -0
  2300. package/dist/packs/glba.js.map +1 -0
  2301. package/dist/packs/gxp.d.ts +43 -0
  2302. package/dist/packs/gxp.d.ts.map +1 -0
  2303. package/dist/packs/gxp.js +353 -0
  2304. package/dist/packs/gxp.js.map +1 -0
  2305. package/dist/packs/hipaa.d.ts +47 -0
  2306. package/dist/packs/hipaa.d.ts.map +1 -0
  2307. package/dist/packs/hipaa.js +384 -0
  2308. package/dist/packs/hipaa.js.map +1 -0
  2309. package/dist/packs/hitech.d.ts +43 -0
  2310. package/dist/packs/hitech.d.ts.map +1 -0
  2311. package/dist/packs/hitech.js +292 -0
  2312. package/dist/packs/hitech.js.map +1 -0
  2313. package/dist/packs/hitrust-csf.d.ts +41 -0
  2314. package/dist/packs/hitrust-csf.d.ts.map +1 -0
  2315. package/dist/packs/hitrust-csf.js +122 -0
  2316. package/dist/packs/hitrust-csf.js.map +1 -0
  2317. package/dist/packs/hk-pdpo.d.ts +38 -0
  2318. package/dist/packs/hk-pdpo.d.ts.map +1 -0
  2319. package/dist/packs/hk-pdpo.js +125 -0
  2320. package/dist/packs/hk-pdpo.js.map +1 -0
  2321. package/dist/packs/hmda.d.ts +42 -0
  2322. package/dist/packs/hmda.d.ts.map +1 -0
  2323. package/dist/packs/hmda.js +382 -0
  2324. package/dist/packs/hmda.js.map +1 -0
  2325. package/dist/packs/iec-62304.d.ts +79 -0
  2326. package/dist/packs/iec-62304.d.ts.map +1 -0
  2327. package/dist/packs/iec-62304.js +588 -0
  2328. package/dist/packs/iec-62304.js.map +1 -0
  2329. package/dist/packs/iec-62443.d.ts +112 -0
  2330. package/dist/packs/iec-62443.d.ts.map +1 -0
  2331. package/dist/packs/iec-62443.js +689 -0
  2332. package/dist/packs/iec-62443.js.map +1 -0
  2333. package/dist/packs/illinois-aivia.d.ts +56 -0
  2334. package/dist/packs/illinois-aivia.d.ts.map +1 -0
  2335. package/dist/packs/illinois-aivia.js +351 -0
  2336. package/dist/packs/illinois-aivia.js.map +1 -0
  2337. package/dist/packs/in-dpdp.d.ts +82 -0
  2338. package/dist/packs/in-dpdp.d.ts.map +1 -0
  2339. package/dist/packs/in-dpdp.js +432 -0
  2340. package/dist/packs/in-dpdp.js.map +1 -0
  2341. package/dist/packs/index.d.ts +468 -0
  2342. package/dist/packs/index.d.ts.map +1 -0
  2343. package/dist/packs/index.js +672 -0
  2344. package/dist/packs/index.js.map +1 -0
  2345. package/dist/packs/iso-15189.d.ts +143 -0
  2346. package/dist/packs/iso-15189.d.ts.map +1 -0
  2347. package/dist/packs/iso-15189.js +947 -0
  2348. package/dist/packs/iso-15189.js.map +1 -0
  2349. package/dist/packs/iso-23894.d.ts +40 -0
  2350. package/dist/packs/iso-23894.d.ts.map +1 -0
  2351. package/dist/packs/iso-23894.js +445 -0
  2352. package/dist/packs/iso-23894.js.map +1 -0
  2353. package/dist/packs/iso-26262.d.ts +97 -0
  2354. package/dist/packs/iso-26262.d.ts.map +1 -0
  2355. package/dist/packs/iso-26262.js +737 -0
  2356. package/dist/packs/iso-26262.js.map +1 -0
  2357. package/dist/packs/iso-iec-80001.d.ts +151 -0
  2358. package/dist/packs/iso-iec-80001.d.ts.map +1 -0
  2359. package/dist/packs/iso-iec-80001.js +996 -0
  2360. package/dist/packs/iso-iec-80001.js.map +1 -0
  2361. package/dist/packs/iso20022.d.ts +54 -0
  2362. package/dist/packs/iso20022.d.ts.map +1 -0
  2363. package/dist/packs/iso20022.js +347 -0
  2364. package/dist/packs/iso20022.js.map +1 -0
  2365. package/dist/packs/iso27001.d.ts +46 -0
  2366. package/dist/packs/iso27001.d.ts.map +1 -0
  2367. package/dist/packs/iso27001.js +391 -0
  2368. package/dist/packs/iso27001.js.map +1 -0
  2369. package/dist/packs/iso27701.d.ts +53 -0
  2370. package/dist/packs/iso27701.d.ts.map +1 -0
  2371. package/dist/packs/iso27701.js +393 -0
  2372. package/dist/packs/iso27701.js.map +1 -0
  2373. package/dist/packs/iso42001.d.ts +47 -0
  2374. package/dist/packs/iso42001.d.ts.map +1 -0
  2375. package/dist/packs/iso42001.js +291 -0
  2376. package/dist/packs/iso42001.js.map +1 -0
  2377. package/dist/packs/jp-appi.d.ts +78 -0
  2378. package/dist/packs/jp-appi.d.ts.map +1 -0
  2379. package/dist/packs/jp-appi.js +441 -0
  2380. package/dist/packs/jp-appi.js.map +1 -0
  2381. package/dist/packs/kr-pipa.d.ts +74 -0
  2382. package/dist/packs/kr-pipa.d.ts.map +1 -0
  2383. package/dist/packs/kr-pipa.js +445 -0
  2384. package/dist/packs/kr-pipa.js.map +1 -0
  2385. package/dist/packs/lgpd.d.ts +32 -0
  2386. package/dist/packs/lgpd.d.ts.map +1 -0
  2387. package/dist/packs/lgpd.js +353 -0
  2388. package/dist/packs/lgpd.js.map +1 -0
  2389. package/dist/packs/lpo2024.d.ts +70 -0
  2390. package/dist/packs/lpo2024.d.ts.map +1 -0
  2391. package/dist/packs/lpo2024.js +310 -0
  2392. package/dist/packs/lpo2024.js.map +1 -0
  2393. package/dist/packs/maryland-hb1202.d.ts +53 -0
  2394. package/dist/packs/maryland-hb1202.d.ts.map +1 -0
  2395. package/dist/packs/maryland-hb1202.js +341 -0
  2396. package/dist/packs/maryland-hb1202.js.map +1 -0
  2397. package/dist/packs/mhra-samd-ukca.d.ts +79 -0
  2398. package/dist/packs/mhra-samd-ukca.d.ts.map +1 -0
  2399. package/dist/packs/mhra-samd-ukca.js +476 -0
  2400. package/dist/packs/mhra-samd-ukca.js.map +1 -0
  2401. package/dist/packs/mifid2.d.ts +51 -0
  2402. package/dist/packs/mifid2.d.ts.map +1 -0
  2403. package/dist/packs/mifid2.js +384 -0
  2404. package/dist/packs/mifid2.js.map +1 -0
  2405. package/dist/packs/migration-manifest.d.ts +30 -0
  2406. package/dist/packs/migration-manifest.d.ts.map +1 -0
  2407. package/dist/packs/migration-manifest.js +59 -0
  2408. package/dist/packs/migration-manifest.js.map +1 -0
  2409. package/dist/packs/naic-mdl.d.ts +50 -0
  2410. package/dist/packs/naic-mdl.d.ts.map +1 -0
  2411. package/dist/packs/naic-mdl.js +318 -0
  2412. package/dist/packs/naic-mdl.js.map +1 -0
  2413. package/dist/packs/ncsc-ai-security.d.ts +69 -0
  2414. package/dist/packs/ncsc-ai-security.d.ts.map +1 -0
  2415. package/dist/packs/ncsc-ai-security.js +629 -0
  2416. package/dist/packs/ncsc-ai-security.js.map +1 -0
  2417. package/dist/packs/ncsc-caf.d.ts +62 -0
  2418. package/dist/packs/ncsc-caf.d.ts.map +1 -0
  2419. package/dist/packs/ncsc-caf.js +384 -0
  2420. package/dist/packs/ncsc-caf.js.map +1 -0
  2421. package/dist/packs/nhs-dcb0129-dcb0160.d.ts +85 -0
  2422. package/dist/packs/nhs-dcb0129-dcb0160.d.ts.map +1 -0
  2423. package/dist/packs/nhs-dcb0129-dcb0160.js +473 -0
  2424. package/dist/packs/nhs-dcb0129-dcb0160.js.map +1 -0
  2425. package/dist/packs/nhs-dspt.d.ts +83 -0
  2426. package/dist/packs/nhs-dspt.d.ts.map +1 -0
  2427. package/dist/packs/nhs-dspt.js +437 -0
  2428. package/dist/packs/nhs-dspt.js.map +1 -0
  2429. package/dist/packs/nhs-dtac.d.ts +80 -0
  2430. package/dist/packs/nhs-dtac.d.ts.map +1 -0
  2431. package/dist/packs/nhs-dtac.js +402 -0
  2432. package/dist/packs/nhs-dtac.js.map +1 -0
  2433. package/dist/packs/nhs-psirf.d.ts +74 -0
  2434. package/dist/packs/nhs-psirf.d.ts.map +1 -0
  2435. package/dist/packs/nhs-psirf.js +417 -0
  2436. package/dist/packs/nhs-psirf.js.map +1 -0
  2437. package/dist/packs/ni-equality.d.ts +87 -0
  2438. package/dist/packs/ni-equality.d.ts.map +1 -0
  2439. package/dist/packs/ni-equality.js +439 -0
  2440. package/dist/packs/ni-equality.js.map +1 -0
  2441. package/dist/packs/ni-hscni.d.ts +76 -0
  2442. package/dist/packs/ni-hscni.d.ts.map +1 -0
  2443. package/dist/packs/ni-hscni.js +418 -0
  2444. package/dist/packs/ni-hscni.js.map +1 -0
  2445. package/dist/packs/ni-mental-capacity.d.ts +45 -0
  2446. package/dist/packs/ni-mental-capacity.d.ts.map +1 -0
  2447. package/dist/packs/ni-mental-capacity.js +133 -0
  2448. package/dist/packs/ni-mental-capacity.js.map +1 -0
  2449. package/dist/packs/nice-esf-dht.d.ts +72 -0
  2450. package/dist/packs/nice-esf-dht.d.ts.map +1 -0
  2451. package/dist/packs/nice-esf-dht.js +407 -0
  2452. package/dist/packs/nice-esf-dht.js.map +1 -0
  2453. package/dist/packs/nis2.d.ts +80 -0
  2454. package/dist/packs/nis2.d.ts.map +1 -0
  2455. package/dist/packs/nis2.js +425 -0
  2456. package/dist/packs/nis2.js.map +1 -0
  2457. package/dist/packs/nist-800-53.d.ts +40 -0
  2458. package/dist/packs/nist-800-53.d.ts.map +1 -0
  2459. package/dist/packs/nist-800-53.js +129 -0
  2460. package/dist/packs/nist-800-53.js.map +1 -0
  2461. package/dist/packs/nist-ai-rmf.d.ts +48 -0
  2462. package/dist/packs/nist-ai-rmf.d.ts.map +1 -0
  2463. package/dist/packs/nist-ai-rmf.js +370 -0
  2464. package/dist/packs/nist-ai-rmf.js.map +1 -0
  2465. package/dist/packs/nist-csf.d.ts +41 -0
  2466. package/dist/packs/nist-csf.d.ts.map +1 -0
  2467. package/dist/packs/nist-csf.js +134 -0
  2468. package/dist/packs/nist-csf.js.map +1 -0
  2469. package/dist/packs/nist-sp-800-82.d.ts +127 -0
  2470. package/dist/packs/nist-sp-800-82.d.ts.map +1 -0
  2471. package/dist/packs/nist-sp-800-82.js +724 -0
  2472. package/dist/packs/nist-sp-800-82.js.map +1 -0
  2473. package/dist/packs/nyc-ll-144.d.ts +38 -0
  2474. package/dist/packs/nyc-ll-144.d.ts.map +1 -0
  2475. package/dist/packs/nyc-ll-144.js +291 -0
  2476. package/dist/packs/nyc-ll-144.js.map +1 -0
  2477. package/dist/packs/nydfs500.d.ts +32 -0
  2478. package/dist/packs/nydfs500.d.ts.map +1 -0
  2479. package/dist/packs/nydfs500.js +288 -0
  2480. package/dist/packs/nydfs500.js.map +1 -0
  2481. package/dist/packs/nz-privacy.d.ts +91 -0
  2482. package/dist/packs/nz-privacy.d.ts.map +1 -0
  2483. package/dist/packs/nz-privacy.js +468 -0
  2484. package/dist/packs/nz-privacy.js.map +1 -0
  2485. package/dist/packs/part11.d.ts +31 -0
  2486. package/dist/packs/part11.d.ts.map +1 -0
  2487. package/dist/packs/part11.js +332 -0
  2488. package/dist/packs/part11.js.map +1 -0
  2489. package/dist/packs/part2.d.ts +42 -0
  2490. package/dist/packs/part2.d.ts.map +1 -0
  2491. package/dist/packs/part2.js +358 -0
  2492. package/dist/packs/part2.js.map +1 -0
  2493. package/dist/packs/pcidss.d.ts +72 -0
  2494. package/dist/packs/pcidss.d.ts.map +1 -0
  2495. package/dist/packs/pcidss.js +470 -0
  2496. package/dist/packs/pcidss.js.map +1 -0
  2497. package/dist/packs/pipl.d.ts +31 -0
  2498. package/dist/packs/pipl.d.ts.map +1 -0
  2499. package/dist/packs/pipl.js +208 -0
  2500. package/dist/packs/pipl.js.map +1 -0
  2501. package/dist/packs/reg-e.d.ts +55 -0
  2502. package/dist/packs/reg-e.d.ts.map +1 -0
  2503. package/dist/packs/reg-e.js +362 -0
  2504. package/dist/packs/reg-e.js.map +1 -0
  2505. package/dist/packs/registry-expanded.d.ts +76 -0
  2506. package/dist/packs/registry-expanded.d.ts.map +1 -0
  2507. package/dist/packs/registry-expanded.js +2354 -0
  2508. package/dist/packs/registry-expanded.js.map +1 -0
  2509. package/dist/packs/scotland-awi.d.ts +74 -0
  2510. package/dist/packs/scotland-awi.d.ts.map +1 -0
  2511. package/dist/packs/scotland-awi.js +408 -0
  2512. package/dist/packs/scotland-awi.js.map +1 -0
  2513. package/dist/packs/scotland-procurement-reform.d.ts +40 -0
  2514. package/dist/packs/scotland-procurement-reform.d.ts.map +1 -0
  2515. package/dist/packs/scotland-procurement-reform.js +125 -0
  2516. package/dist/packs/scotland-procurement-reform.js.map +1 -0
  2517. package/dist/packs/scotland-psed.d.ts +67 -0
  2518. package/dist/packs/scotland-psed.d.ts.map +1 -0
  2519. package/dist/packs/scotland-psed.js +372 -0
  2520. package/dist/packs/scotland-psed.js.map +1 -0
  2521. package/dist/packs/sg-model-ai-gov.d.ts +62 -0
  2522. package/dist/packs/sg-model-ai-gov.d.ts.map +1 -0
  2523. package/dist/packs/sg-model-ai-gov.js +396 -0
  2524. package/dist/packs/sg-model-ai-gov.js.map +1 -0
  2525. package/dist/packs/soc1.d.ts +34 -0
  2526. package/dist/packs/soc1.d.ts.map +1 -0
  2527. package/dist/packs/soc1.js +308 -0
  2528. package/dist/packs/soc1.js.map +1 -0
  2529. package/dist/packs/soc2.d.ts +44 -0
  2530. package/dist/packs/soc2.d.ts.map +1 -0
  2531. package/dist/packs/soc2.js +340 -0
  2532. package/dist/packs/soc2.js.map +1 -0
  2533. package/dist/packs/sox404.d.ts +32 -0
  2534. package/dist/packs/sox404.d.ts.map +1 -0
  2535. package/dist/packs/sox404.js +298 -0
  2536. package/dist/packs/sox404.js.map +1 -0
  2537. package/dist/packs/sr117.d.ts +35 -0
  2538. package/dist/packs/sr117.d.ts.map +1 -0
  2539. package/dist/packs/sr117.js +345 -0
  2540. package/dist/packs/sr117.js.map +1 -0
  2541. package/dist/packs/stateramp.d.ts +62 -0
  2542. package/dist/packs/stateramp.d.ts.map +1 -0
  2543. package/dist/packs/stateramp.js +327 -0
  2544. package/dist/packs/stateramp.js.map +1 -0
  2545. package/dist/packs/tennessee-elvis.d.ts +68 -0
  2546. package/dist/packs/tennessee-elvis.d.ts.map +1 -0
  2547. package/dist/packs/tennessee-elvis.js +420 -0
  2548. package/dist/packs/tennessee-elvis.js.map +1 -0
  2549. package/dist/packs/texas-hb4.d.ts +77 -0
  2550. package/dist/packs/texas-hb4.d.ts.map +1 -0
  2551. package/dist/packs/texas-hb4.js +396 -0
  2552. package/dist/packs/texas-hb4.js.map +1 -0
  2553. package/dist/packs/th-pdpa.d.ts +43 -0
  2554. package/dist/packs/th-pdpa.d.ts.map +1 -0
  2555. package/dist/packs/th-pdpa.js +128 -0
  2556. package/dist/packs/th-pdpa.js.map +1 -0
  2557. package/dist/packs/title-ix.d.ts +93 -0
  2558. package/dist/packs/title-ix.d.ts.map +1 -0
  2559. package/dist/packs/title-ix.js +447 -0
  2560. package/dist/packs/title-ix.js.map +1 -0
  2561. package/dist/packs/uk-ai-framework.d.ts +42 -0
  2562. package/dist/packs/uk-ai-framework.d.ts.map +1 -0
  2563. package/dist/packs/uk-ai-framework.js +355 -0
  2564. package/dist/packs/uk-ai-framework.js.map +1 -0
  2565. package/dist/packs/uk-cma-1990.d.ts +75 -0
  2566. package/dist/packs/uk-cma-1990.d.ts.map +1 -0
  2567. package/dist/packs/uk-cma-1990.js +406 -0
  2568. package/dist/packs/uk-cma-1990.js.map +1 -0
  2569. package/dist/packs/uk-equality-act-ai-bias.d.ts +54 -0
  2570. package/dist/packs/uk-equality-act-ai-bias.d.ts.map +1 -0
  2571. package/dist/packs/uk-equality-act-ai-bias.js +684 -0
  2572. package/dist/packs/uk-equality-act-ai-bias.js.map +1 -0
  2573. package/dist/packs/uk-equality-act.d.ts +69 -0
  2574. package/dist/packs/uk-equality-act.d.ts.map +1 -0
  2575. package/dist/packs/uk-equality-act.js +409 -0
  2576. package/dist/packs/uk-equality-act.js.map +1 -0
  2577. package/dist/packs/uk-future-ai-legislation.d.ts +42 -0
  2578. package/dist/packs/uk-future-ai-legislation.d.ts.map +1 -0
  2579. package/dist/packs/uk-future-ai-legislation.js +212 -0
  2580. package/dist/packs/uk-future-ai-legislation.js.map +1 -0
  2581. package/dist/packs/uk-gdpr.d.ts +74 -0
  2582. package/dist/packs/uk-gdpr.d.ts.map +1 -0
  2583. package/dist/packs/uk-gdpr.js +377 -0
  2584. package/dist/packs/uk-gdpr.js.map +1 -0
  2585. package/dist/packs/uk-ico-open-case.d.ts +65 -0
  2586. package/dist/packs/uk-ico-open-case.d.ts.map +1 -0
  2587. package/dist/packs/uk-ico-open-case.js +399 -0
  2588. package/dist/packs/uk-ico-open-case.js.map +1 -0
  2589. package/dist/packs/uk-nis-regs.d.ts +67 -0
  2590. package/dist/packs/uk-nis-regs.d.ts.map +1 -0
  2591. package/dist/packs/uk-nis-regs.js +366 -0
  2592. package/dist/packs/uk-nis-regs.js.map +1 -0
  2593. package/dist/packs/uk-online-safety-act.d.ts +68 -0
  2594. package/dist/packs/uk-online-safety-act.d.ts.map +1 -0
  2595. package/dist/packs/uk-online-safety-act.js +413 -0
  2596. package/dist/packs/uk-online-safety-act.js.map +1 -0
  2597. package/dist/packs/uk-procurement-act.d.ts +81 -0
  2598. package/dist/packs/uk-procurement-act.d.ts.map +1 -0
  2599. package/dist/packs/uk-procurement-act.js +434 -0
  2600. package/dist/packs/uk-procurement-act.js.map +1 -0
  2601. package/dist/packs/us-fda-21cfr56.d.ts +63 -0
  2602. package/dist/packs/us-fda-21cfr56.d.ts.map +1 -0
  2603. package/dist/packs/us-fda-21cfr56.js +367 -0
  2604. package/dist/packs/us-fda-21cfr56.js.map +1 -0
  2605. package/dist/packs/us-nih-coc.d.ts +43 -0
  2606. package/dist/packs/us-nih-coc.d.ts.map +1 -0
  2607. package/dist/packs/us-nih-coc.js +206 -0
  2608. package/dist/packs/us-nih-coc.js.map +1 -0
  2609. package/dist/packs/us-nih-dms.d.ts +43 -0
  2610. package/dist/packs/us-nih-dms.d.ts.map +1 -0
  2611. package/dist/packs/us-nih-dms.js +244 -0
  2612. package/dist/packs/us-nih-dms.js.map +1 -0
  2613. package/dist/packs/us-nih-gds.d.ts +41 -0
  2614. package/dist/packs/us-nih-gds.d.ts.map +1 -0
  2615. package/dist/packs/us-nih-gds.js +358 -0
  2616. package/dist/packs/us-nih-gds.js.map +1 -0
  2617. package/dist/packs/us-nih-it-security.d.ts +40 -0
  2618. package/dist/packs/us-nih-it-security.d.ts.map +1 -0
  2619. package/dist/packs/us-nih-it-security.js +206 -0
  2620. package/dist/packs/us-nih-it-security.js.map +1 -0
  2621. package/dist/packs/us-respa.d.ts +55 -0
  2622. package/dist/packs/us-respa.d.ts.map +1 -0
  2623. package/dist/packs/us-respa.js +364 -0
  2624. package/dist/packs/us-respa.js.map +1 -0
  2625. package/dist/packs/us-tila.d.ts +65 -0
  2626. package/dist/packs/us-tila.d.ts.map +1 -0
  2627. package/dist/packs/us-tila.js +353 -0
  2628. package/dist/packs/us-tila.js.map +1 -0
  2629. package/dist/packs/us-trid.d.ts +62 -0
  2630. package/dist/packs/us-trid.d.ts.map +1 -0
  2631. package/dist/packs/us-trid.js +345 -0
  2632. package/dist/packs/us-trid.js.map +1 -0
  2633. package/dist/packs/utah-ai-policy.d.ts +55 -0
  2634. package/dist/packs/utah-ai-policy.d.ts.map +1 -0
  2635. package/dist/packs/utah-ai-policy.js +340 -0
  2636. package/dist/packs/utah-ai-policy.js.map +1 -0
  2637. package/dist/packs/vn-pdpd.d.ts +40 -0
  2638. package/dist/packs/vn-pdpd.d.ts.map +1 -0
  2639. package/dist/packs/vn-pdpd.js +125 -0
  2640. package/dist/packs/vn-pdpd.js.map +1 -0
  2641. package/dist/packs/wales-future-generations.d.ts +67 -0
  2642. package/dist/packs/wales-future-generations.d.ts.map +1 -0
  2643. package/dist/packs/wales-future-generations.js +396 -0
  2644. package/dist/packs/wales-future-generations.js.map +1 -0
  2645. package/dist/reporting/governance-reporter.d.ts +196 -0
  2646. package/dist/reporting/governance-reporter.d.ts.map +1 -0
  2647. package/dist/reporting/governance-reporter.js +442 -0
  2648. package/dist/reporting/governance-reporter.js.map +1 -0
  2649. package/dist/retention/backup-retention-adapter.d.ts +72 -0
  2650. package/dist/retention/backup-retention-adapter.d.ts.map +1 -0
  2651. package/dist/retention/backup-retention-adapter.js +69 -0
  2652. package/dist/retention/backup-retention-adapter.js.map +1 -0
  2653. package/dist/retention/classification-rules.d.ts +59 -0
  2654. package/dist/retention/classification-rules.d.ts.map +1 -0
  2655. package/dist/retention/classification-rules.js +185 -0
  2656. package/dist/retention/classification-rules.js.map +1 -0
  2657. package/dist/retention/classifier.d.ts +195 -0
  2658. package/dist/retention/classifier.d.ts.map +1 -0
  2659. package/dist/retention/classifier.js +254 -0
  2660. package/dist/retention/classifier.js.map +1 -0
  2661. package/dist/retention/data-class.d.ts +70 -0
  2662. package/dist/retention/data-class.d.ts.map +1 -0
  2663. package/dist/retention/data-class.js +47 -0
  2664. package/dist/retention/data-class.js.map +1 -0
  2665. package/dist/retention/enforcement-log-store.d.ts +121 -0
  2666. package/dist/retention/enforcement-log-store.d.ts.map +1 -0
  2667. package/dist/retention/enforcement-log-store.js +183 -0
  2668. package/dist/retention/enforcement-log-store.js.map +1 -0
  2669. package/dist/retention/index.d.ts +31 -0
  2670. package/dist/retention/index.d.ts.map +1 -0
  2671. package/dist/retention/index.js +67 -0
  2672. package/dist/retention/index.js.map +1 -0
  2673. package/dist/retention/ingest-classifier.d.ts +126 -0
  2674. package/dist/retention/ingest-classifier.d.ts.map +1 -0
  2675. package/dist/retention/ingest-classifier.js +130 -0
  2676. package/dist/retention/ingest-classifier.js.map +1 -0
  2677. package/dist/retention/legal-hold-errors.d.ts +57 -0
  2678. package/dist/retention/legal-hold-errors.d.ts.map +1 -0
  2679. package/dist/retention/legal-hold-errors.js +99 -0
  2680. package/dist/retention/legal-hold-errors.js.map +1 -0
  2681. package/dist/retention/legal-hold-store.d.ts +191 -0
  2682. package/dist/retention/legal-hold-store.d.ts.map +1 -0
  2683. package/dist/retention/legal-hold-store.js +432 -0
  2684. package/dist/retention/legal-hold-store.js.map +1 -0
  2685. package/dist/retention/legal-hold.d.ts +122 -0
  2686. package/dist/retention/legal-hold.d.ts.map +1 -0
  2687. package/dist/retention/legal-hold.js +18 -0
  2688. package/dist/retention/legal-hold.js.map +1 -0
  2689. package/dist/retention/log-aggregators/datadog.d.ts +53 -0
  2690. package/dist/retention/log-aggregators/datadog.d.ts.map +1 -0
  2691. package/dist/retention/log-aggregators/datadog.js +157 -0
  2692. package/dist/retention/log-aggregators/datadog.js.map +1 -0
  2693. package/dist/retention/log-aggregators/index.d.ts +14 -0
  2694. package/dist/retention/log-aggregators/index.d.ts.map +1 -0
  2695. package/dist/retention/log-aggregators/index.js +18 -0
  2696. package/dist/retention/log-aggregators/index.js.map +1 -0
  2697. package/dist/retention/log-aggregators/log-aggregator.d.ts +62 -0
  2698. package/dist/retention/log-aggregators/log-aggregator.d.ts.map +1 -0
  2699. package/dist/retention/log-aggregators/log-aggregator.js +21 -0
  2700. package/dist/retention/log-aggregators/log-aggregator.js.map +1 -0
  2701. package/dist/retention/log-aggregators/noop.d.ts +23 -0
  2702. package/dist/retention/log-aggregators/noop.d.ts.map +1 -0
  2703. package/dist/retention/log-aggregators/noop.js +30 -0
  2704. package/dist/retention/log-aggregators/noop.js.map +1 -0
  2705. package/dist/retention/log-aggregators/sentinel.d.ts +75 -0
  2706. package/dist/retention/log-aggregators/sentinel.d.ts.map +1 -0
  2707. package/dist/retention/log-aggregators/sentinel.js +220 -0
  2708. package/dist/retention/log-aggregators/sentinel.js.map +1 -0
  2709. package/dist/retention/log-aggregators/splunk.d.ts +58 -0
  2710. package/dist/retention/log-aggregators/splunk.d.ts.map +1 -0
  2711. package/dist/retention/log-aggregators/splunk.js +151 -0
  2712. package/dist/retention/log-aggregators/splunk.js.map +1 -0
  2713. package/dist/retention/policy-matrix-errors.d.ts +80 -0
  2714. package/dist/retention/policy-matrix-errors.d.ts.map +1 -0
  2715. package/dist/retention/policy-matrix-errors.js +134 -0
  2716. package/dist/retention/policy-matrix-errors.js.map +1 -0
  2717. package/dist/retention/policy-matrix.d.ts +263 -0
  2718. package/dist/retention/policy-matrix.d.ts.map +1 -0
  2719. package/dist/retention/policy-matrix.js +584 -0
  2720. package/dist/retention/policy-matrix.js.map +1 -0
  2721. package/dist/scanner/gap-report.d.ts +108 -0
  2722. package/dist/scanner/gap-report.d.ts.map +1 -0
  2723. package/dist/scanner/gap-report.js +337 -0
  2724. package/dist/scanner/gap-report.js.map +1 -0
  2725. package/dist/scanner/index.d.ts +98 -0
  2726. package/dist/scanner/index.d.ts.map +1 -0
  2727. package/dist/scanner/index.js +453 -0
  2728. package/dist/scanner/index.js.map +1 -0
  2729. package/dist/scanner/manifest-integrity.d.ts +44 -0
  2730. package/dist/scanner/manifest-integrity.d.ts.map +1 -0
  2731. package/dist/scanner/manifest-integrity.js +155 -0
  2732. package/dist/scanner/manifest-integrity.js.map +1 -0
  2733. package/dist/scanner/remediation.d.ts +72 -0
  2734. package/dist/scanner/remediation.d.ts.map +1 -0
  2735. package/dist/scanner/remediation.js +292 -0
  2736. package/dist/scanner/remediation.js.map +1 -0
  2737. package/dist/security/access-review.d.ts +122 -0
  2738. package/dist/security/access-review.d.ts.map +1 -0
  2739. package/dist/security/access-review.js +272 -0
  2740. package/dist/security/access-review.js.map +1 -0
  2741. package/dist/security/agent-auth.d.ts +92 -0
  2742. package/dist/security/agent-auth.d.ts.map +1 -0
  2743. package/dist/security/agent-auth.js +290 -0
  2744. package/dist/security/agent-auth.js.map +1 -0
  2745. package/dist/security/anomaly-auto-suspend.d.ts +226 -0
  2746. package/dist/security/anomaly-auto-suspend.d.ts.map +1 -0
  2747. package/dist/security/anomaly-auto-suspend.js +384 -0
  2748. package/dist/security/anomaly-auto-suspend.js.map +1 -0
  2749. package/dist/security/anomaly-correlator.d.ts +66 -0
  2750. package/dist/security/anomaly-correlator.d.ts.map +1 -0
  2751. package/dist/security/anomaly-correlator.js +316 -0
  2752. package/dist/security/anomaly-correlator.js.map +1 -0
  2753. package/dist/security/anomaly-detector.d.ts +137 -0
  2754. package/dist/security/anomaly-detector.d.ts.map +1 -0
  2755. package/dist/security/anomaly-detector.js +298 -0
  2756. package/dist/security/anomaly-detector.js.map +1 -0
  2757. package/dist/security/anomaly-self-reflection.d.ts +168 -0
  2758. package/dist/security/anomaly-self-reflection.d.ts.map +1 -0
  2759. package/dist/security/anomaly-self-reflection.js +331 -0
  2760. package/dist/security/anomaly-self-reflection.js.map +1 -0
  2761. package/dist/security/built-in-llm-providers.d.ts +50 -0
  2762. package/dist/security/built-in-llm-providers.d.ts.map +1 -0
  2763. package/dist/security/built-in-llm-providers.js +83 -0
  2764. package/dist/security/built-in-llm-providers.js.map +1 -0
  2765. package/dist/security/circuit-breaker.d.ts +62 -0
  2766. package/dist/security/circuit-breaker.d.ts.map +1 -0
  2767. package/dist/security/circuit-breaker.js +183 -0
  2768. package/dist/security/circuit-breaker.js.map +1 -0
  2769. package/dist/security/data-classifier.d.ts +139 -0
  2770. package/dist/security/data-classifier.d.ts.map +1 -0
  2771. package/dist/security/data-classifier.js +483 -0
  2772. package/dist/security/data-classifier.js.map +1 -0
  2773. package/dist/security/encrypted-storage.d.ts +80 -0
  2774. package/dist/security/encrypted-storage.d.ts.map +1 -0
  2775. package/dist/security/encrypted-storage.js +257 -0
  2776. package/dist/security/encrypted-storage.js.map +1 -0
  2777. package/dist/security/encryption-layer.d.ts +115 -0
  2778. package/dist/security/encryption-layer.d.ts.map +1 -0
  2779. package/dist/security/encryption-layer.js +374 -0
  2780. package/dist/security/encryption-layer.js.map +1 -0
  2781. package/dist/security/external-cross-check.d.ts +206 -0
  2782. package/dist/security/external-cross-check.d.ts.map +1 -0
  2783. package/dist/security/external-cross-check.js +490 -0
  2784. package/dist/security/external-cross-check.js.map +1 -0
  2785. package/dist/security/hash-manifest.d.ts +70 -0
  2786. package/dist/security/hash-manifest.d.ts.map +1 -0
  2787. package/dist/security/hash-manifest.js +266 -0
  2788. package/dist/security/hash-manifest.js.map +1 -0
  2789. package/dist/security/http-interceptor.d.ts +262 -0
  2790. package/dist/security/http-interceptor.d.ts.map +1 -0
  2791. package/dist/security/http-interceptor.js +637 -0
  2792. package/dist/security/http-interceptor.js.map +1 -0
  2793. package/dist/security/key-manager.d.ts +111 -0
  2794. package/dist/security/key-manager.d.ts.map +1 -0
  2795. package/dist/security/key-manager.js +326 -0
  2796. package/dist/security/key-manager.js.map +1 -0
  2797. package/dist/security/nonce-store.d.ts +48 -0
  2798. package/dist/security/nonce-store.d.ts.map +1 -0
  2799. package/dist/security/nonce-store.js +170 -0
  2800. package/dist/security/nonce-store.js.map +1 -0
  2801. package/dist/security/operator-roles.d.ts +100 -0
  2802. package/dist/security/operator-roles.d.ts.map +1 -0
  2803. package/dist/security/operator-roles.js +278 -0
  2804. package/dist/security/operator-roles.js.map +1 -0
  2805. package/dist/security/plugin-integrity.d.ts +99 -0
  2806. package/dist/security/plugin-integrity.d.ts.map +1 -0
  2807. package/dist/security/plugin-integrity.js +194 -0
  2808. package/dist/security/plugin-integrity.js.map +1 -0
  2809. package/dist/security/prompt-injection-detector.d.ts +81 -0
  2810. package/dist/security/prompt-injection-detector.d.ts.map +1 -0
  2811. package/dist/security/prompt-injection-detector.js +505 -0
  2812. package/dist/security/prompt-injection-detector.js.map +1 -0
  2813. package/dist/security/provider-compliance-boot.d.ts +64 -0
  2814. package/dist/security/provider-compliance-boot.d.ts.map +1 -0
  2815. package/dist/security/provider-compliance-boot.js +105 -0
  2816. package/dist/security/provider-compliance-boot.js.map +1 -0
  2817. package/dist/security/provider-compliance.d.ts +261 -0
  2818. package/dist/security/provider-compliance.d.ts.map +1 -0
  2819. package/dist/security/provider-compliance.js +711 -0
  2820. package/dist/security/provider-compliance.js.map +1 -0
  2821. package/dist/security/secret-leak-detector.d.ts +59 -0
  2822. package/dist/security/secret-leak-detector.d.ts.map +1 -0
  2823. package/dist/security/secret-leak-detector.js +180 -0
  2824. package/dist/security/secret-leak-detector.js.map +1 -0
  2825. package/dist/security/session-timeout.d.ts +107 -0
  2826. package/dist/security/session-timeout.d.ts.map +1 -0
  2827. package/dist/security/session-timeout.js +291 -0
  2828. package/dist/security/session-timeout.js.map +1 -0
  2829. package/dist/security/ssrf-guard.d.ts +45 -0
  2830. package/dist/security/ssrf-guard.d.ts.map +1 -0
  2831. package/dist/security/ssrf-guard.js +263 -0
  2832. package/dist/security/ssrf-guard.js.map +1 -0
  2833. package/dist/security/supply-chain.d.ts +99 -0
  2834. package/dist/security/supply-chain.d.ts.map +1 -0
  2835. package/dist/security/supply-chain.js +320 -0
  2836. package/dist/security/supply-chain.js.map +1 -0
  2837. package/dist/security/vendor-registry.d.ts +111 -0
  2838. package/dist/security/vendor-registry.d.ts.map +1 -0
  2839. package/dist/security/vendor-registry.js +293 -0
  2840. package/dist/security/vendor-registry.js.map +1 -0
  2841. package/dist/tenant/index.d.ts +14 -0
  2842. package/dist/tenant/index.d.ts.map +1 -0
  2843. package/dist/tenant/index.js +32 -0
  2844. package/dist/tenant/index.js.map +1 -0
  2845. package/dist/tenant/policy-inheritance.d.ts +112 -0
  2846. package/dist/tenant/policy-inheritance.d.ts.map +1 -0
  2847. package/dist/tenant/policy-inheritance.js +382 -0
  2848. package/dist/tenant/policy-inheritance.js.map +1 -0
  2849. package/dist/tenant/rbac.d.ts +65 -0
  2850. package/dist/tenant/rbac.d.ts.map +1 -0
  2851. package/dist/tenant/rbac.js +185 -0
  2852. package/dist/tenant/rbac.js.map +1 -0
  2853. package/dist/tenant/workspace.d.ts +111 -0
  2854. package/dist/tenant/workspace.d.ts.map +1 -0
  2855. package/dist/tenant/workspace.js +315 -0
  2856. package/dist/tenant/workspace.js.map +1 -0
  2857. package/dist/trust-passport/index.d.ts +106 -0
  2858. package/dist/trust-passport/index.d.ts.map +1 -0
  2859. package/dist/trust-passport/index.js +123 -0
  2860. package/dist/trust-passport/index.js.map +1 -0
  2861. package/dist/util/async-io.d.ts +57 -0
  2862. package/dist/util/async-io.d.ts.map +1 -0
  2863. package/dist/util/async-io.js +209 -0
  2864. package/dist/util/async-io.js.map +1 -0
  2865. package/dist/util/fs.d.ts +84 -0
  2866. package/dist/util/fs.d.ts.map +1 -0
  2867. package/dist/util/fs.js +211 -0
  2868. package/dist/util/fs.js.map +1 -0
  2869. package/dist/util/log-rotation.d.ts +55 -0
  2870. package/dist/util/log-rotation.d.ts.map +1 -0
  2871. package/dist/util/log-rotation.js +212 -0
  2872. package/dist/util/log-rotation.js.map +1 -0
  2873. package/dist/util/log.d.ts +35 -0
  2874. package/dist/util/log.d.ts.map +1 -0
  2875. package/dist/util/log.js +115 -0
  2876. package/dist/util/log.js.map +1 -0
  2877. package/dist/util/sigv4.d.ts +73 -0
  2878. package/dist/util/sigv4.d.ts.map +1 -0
  2879. package/dist/util/sigv4.js +155 -0
  2880. package/dist/util/sigv4.js.map +1 -0
  2881. package/dist/util/storage-backend.d.ts +69 -0
  2882. package/dist/util/storage-backend.d.ts.map +1 -0
  2883. package/dist/util/storage-backend.js +204 -0
  2884. package/dist/util/storage-backend.js.map +1 -0
  2885. package/package.json +144 -0
  2886. package/src/hooks/audit-dir-picker.sh +70 -0
  2887. package/src/hooks/audit-logger.sh +325 -0
  2888. package/src/hooks/cost-budget-gate.sh +74 -0
  2889. package/src/hooks/destructive-command-guard.sh +200 -0
  2890. package/src/hooks/file-boundary-guard.sh +159 -0
  2891. package/src/hooks/file-change-tracker.sh +78 -0
  2892. package/src/hooks/governance-file-shield.sh +102 -0
  2893. package/src/hooks/governance-integrity-check.sh +109 -0
  2894. package/src/hooks/hook-health-monitor.sh +189 -0
  2895. package/src/hooks/hook-utils.sh +51 -0
  2896. package/src/hooks/hook-wrapper.sh +77 -0
  2897. package/src/hooks/install-hooks.sh +162 -0
  2898. package/src/hooks/output-exfiltration-scanner.sh +112 -0
  2899. package/src/hooks/powershell/audit-dir-picker.ps1 +72 -0
  2900. package/src/hooks/powershell/audit-logger.ps1 +75 -0
  2901. package/src/hooks/powershell/cost-budget-gate.ps1 +61 -0
  2902. package/src/hooks/powershell/destructive-command-guard.ps1 +67 -0
  2903. package/src/hooks/powershell/file-boundary-guard.ps1 +76 -0
  2904. package/src/hooks/powershell/file-change-tracker.ps1 +74 -0
  2905. package/src/hooks/powershell/governance-file-shield.ps1 +86 -0
  2906. package/src/hooks/powershell/governance-integrity-check.ps1 +101 -0
  2907. package/src/hooks/powershell/hook-health-monitor.ps1 +153 -0
  2908. package/src/hooks/powershell/hook-utils.ps1 +44 -0
  2909. package/src/hooks/powershell/hook-wrapper.ps1 +67 -0
  2910. package/src/hooks/powershell/install-hooks.ps1 +142 -0
  2911. package/src/hooks/powershell/output-exfiltration-scanner.ps1 +85 -0
  2912. package/src/hooks/powershell/secret-leak-scanner.ps1 +105 -0
  2913. package/src/hooks/powershell/token-tracker.ps1 +83 -0
  2914. package/src/hooks/powershell/web-access-gate.ps1 +89 -0
  2915. package/src/hooks/secret-leak-scanner.sh +293 -0
  2916. package/src/hooks/token-tracker.sh +89 -0
  2917. package/src/hooks/web-access-gate.sh +123 -0
package/dist/esm/packs/check-registry.js ADDED
@@ -0,0 +1,3337 @@
1
+ /**
2
+ * ComplianceCheckRegistry
3
+ *
4
+ * Real implementations for the `check:` strings declared in every
5
+ * compliance pack's validators. Provides the pass/fail verdict that
6
+ * PackRegistry.validate() records against each validator.
7
+ *
8
+ * A validator in a pack declares `check: 'governance_active'`. At
9
+ * validation time, PackRegistry looks up that check in this registry,
10
+ * runs the function against a ComplianceCheckContext, and records the
11
+ * real pass/fail result.
12
+ *
13
+ * Context sources:
14
+ * - activeModules: governance modules currently active in the runtime.
15
+ * - packConfig: merged module-config from active packs.
16
+ * - evidence: flags gathered from the governance runtime (hash chain
17
+ * state, change-management workflow active, etc.).
18
+ *
19
+ * Registration contract (P1C-03): every check id referenced by an
20
+ * active pack MUST be registered. Unregistered ids HARD-FAIL with a
21
+ * governance-defect verdict. There is no neutral-pass fallback.
22
+ * The server boot-gate verifies the registration invariant BEFORE
23
+ * binding the HTTP listener so that misconfigured deployments fail
24
+ * loudly at startup rather than silently inflating pass rates.
25
+ *
26
+ * @connexum/ai-governance
27
+ */
28
+ export class ComplianceCheckRegistry {
29
+ checks = new Map();
30
+ register(id, fn) {
31
+ this.checks.set(id, fn);
32
+ }
33
+ has(id) {
34
+ return this.checks.has(id);
35
+ }
36
+ /**
37
+ * List every registered check id. Used by the server boot-gate to
38
+ * verify that every check referenced by an active pack has a wired
39
+ * validator BEFORE the HTTP listener binds.
40
+ */
41
+ listIds() {
42
+ return Array.from(this.checks.keys());
43
+ }
44
+ /**
45
+ * Run a check. If the id is not registered, HARD-FAIL with a
46
+ * governance-defect verdict. Unregistered check ids are treated as
47
+ * a misconfiguration of the compliance product, NOT as a silent
48
+ * pass. Callers (PackRegistry.validate, boot-gate) rely on this
49
+ * contract to prevent unverified controls from inflating pass rates
50
+ * in audit reports.
51
+ */
52
+ run(id, ctx) {
53
+ const fn = this.checks.get(id);
54
+ if (!fn) {
55
+ return {
56
+ passed: false,
57
+ detail: `check '${id}' is not registered in check-registry; this is a governance defect, not a pass`,
58
+ };
59
+ }
60
+ try {
61
+ return fn(ctx);
62
+ }
63
+ catch (err) {
64
+ const msg = err instanceof Error ? err.message : String(err);
65
+ return { passed: false, detail: `check '${id}' threw: ${msg}` };
66
+ }
67
+ }
68
+ /**
69
+ * Register the default set of module-presence checks. These cover
70
+ * the most common `check:` strings used across all 12 packs:
71
+ * governance, audit, encryption, RBAC, agent auth, monitoring, HITL,
72
+ * transparency, data classifier, post-market monitoring, incident
73
+ * reporting, bias monitor, attestation, supply chain, approval queue.
74
+ */
75
+ registerDefaults() {
76
+ const modulePresence = (moduleName) => (ctx) => {
77
+ const active = ctx.activeModules.includes(moduleName);
78
+ return {
79
+ passed: active,
80
+ detail: active
81
+ ? `module '${moduleName}' active`
82
+ : `module '${moduleName}' NOT active`,
83
+ };
84
+ };
85
+ const evidenceFlag = (flagName, prettyName) => (ctx) => {
86
+ const v = ctx.evidence?.[flagName];
87
+ const passed = v === true;
88
+ return {
89
+ passed,
90
+ detail: passed
91
+ ? `${prettyName} evidence present`
92
+ : `${prettyName} evidence missing (flag '${flagName}' !== true)`,
93
+ };
94
+ };
95
+ const retentionAtLeast = (flagName, minDays, label) => (ctx) => {
96
+ const v = ctx.evidence?.[flagName];
97
+ const n = typeof v === 'number' ? v : 0;
98
+ const passed = n >= minDays;
99
+ return {
100
+ passed,
101
+ detail: passed
102
+ ? `${label}: ${n} days >= ${minDays}`
103
+ : `${label}: ${n} days < required ${minDays}`,
104
+ };
105
+ };
106
+ // -- module presence checks (used by most packs) --
107
+ this.register('governance_active', modulePresence('governance-runtime'));
108
+ this.register('audit_trail_exists', modulePresence('audit-integrity'));
109
+ this.register('encryption_active', modulePresence('encryption-layer'));
110
+ this.register('rbac_active', modulePresence('governance-runtime')); // governance-runtime enforces RBAC
111
+ this.register('agent_auth_active', modulePresence('agent-auth'));
112
+ this.register('monitoring_active', modulePresence('event-bus'));
113
+ this.register('event_bus_active', modulePresence('event-bus')); // breach-notification workflow: event bus wired and active
114
+ this.register('human_oversight', modulePresence('approval-queue'));
115
+ this.register('approval_queue_active', modulePresence('approval-queue'));
116
+ this.register('transparency_active', modulePresence('transparency-injector'));
117
+ this.register('data_classifier_active', modulePresence('data-classifier'));
118
+ this.register('post_market_monitoring', modulePresence('anomaly-detector'));
119
+ this.register('incident_reporting', modulePresence('event-bus'));
120
+ this.register('bias_monitor_active', modulePresence('bias-monitor'));
121
+ this.register('attestation_active', modulePresence('attestation-manager'));
122
+ this.register('subservice_registry_active', modulePresence('supply-chain'));
123
+ this.register('change_management_active', modulePresence('governance-runtime'));
124
+ this.register('segregation_of_duties_active', modulePresence('approval-queue'));
125
+ this.register('service_provider_contracts_active', modulePresence('supply-chain'));
126
+ this.register('developer_statement_active', modulePresence('supply-chain'));
127
+ this.register('capability_bundle_active', modulePresence('capability-bundle'));
128
+ // PCI-specific pattern detection (evidence-based)
129
+ this.register('pan_detection_active', (ctx) => {
130
+ const dcActive = ctx.activeModules.includes('data-classifier');
131
+ const categories = ctx.packConfig?.['data-classifier']?.enabledCategories ?? [];
132
+ const panCategory = categories.some(c => /PAN/i.test(c));
133
+ const passed = dcActive && panCategory;
134
+ return {
135
+ passed,
136
+ detail: passed
137
+ ? 'data-classifier active with PAN category enabled'
138
+ : `data-classifier=${dcActive}, PAN category=${panCategory}`,
139
+ };
140
+ });
141
+ // Retention sanity checks
142
+ this.register('audit_trail_12mo', retentionAtLeast('auditRetentionDays', 365, 'audit retention'));
143
+ // Generic retention-policy presence check used by jurisdiction-specific
144
+ // packs (UK NHS, MHRA, Equality Act, NIS, Online Safety, Procurement,
145
+ // CMA, NI Equality, NI HSCNI, Scotland AWI / Procurement Reform,
146
+ // EU DMA / CRA, HK PDPO, NI MCA). Passes when the audit-integrity
147
+ // module is active AND auditRetentionDays > 0. The pack-specific
148
+ // minimum-days obligation is enforced by per-pack retention checks
149
+ // (e.g. audit_trail_12mo); this generic gate only verifies that some
150
+ // non-zero retention is configured, which is the precondition every
151
+ // jurisdiction shares.
152
+ this.register('retention_policy_active', (ctx) => {
153
+ const auditActive = ctx.activeModules.includes('audit-integrity');
154
+ const days = ctx.evidence?.auditRetentionDays;
155
+ const n = typeof days === 'number' ? days : 0;
156
+ const passed = auditActive && n > 0;
157
+ return {
158
+ passed,
159
+ detail: passed
160
+ ? `retention policy active: audit-integrity module loaded, auditRetentionDays=${n}`
161
+ : `retention policy not active: audit-integrity=${auditActive}, auditRetentionDays=${n}`,
162
+ };
163
+ });
164
+ // Evidence-flag checks (runtime must set these)
165
+ this.register('hash_chain_persisted', evidenceFlag('hashChainPersisted', 'hash chain persistence'));
166
+ this.register('cuec_register_active', evidenceFlag('cuecRegisterActive', 'CUEC register'));
167
+ this.register('notice_at_collection_active', evidenceFlag('noticeAtCollectionActive', 'notice at collection'));
168
+ this.register('opt_out_honour_active', evidenceFlag('optOutHonourActive', 'opt-out honour (incl. GPC)'));
169
+ this.register('spi_restriction_active', evidenceFlag('spiRestrictionActive', 'SPI restriction'));
170
+ this.register('dsr_deadline_active', evidenceFlag('dsrDeadlineActive', 'DSR 45-day deadline tracking'));
171
+ this.register('admt_opt_out_active', evidenceFlag('admtOptOutActive', 'ADMT opt-out'));
172
+ this.register('non_discrimination_active', evidenceFlag('nonDiscriminationActive', 'non-discrimination'));
173
+ this.register('risk_assessment_active', evidenceFlag('riskAssessmentActive', 'risk assessment'));
174
+ this.register('cybersecurity_audit_active', evidenceFlag('cybersecurityAuditActive', 'annual cybersecurity audit'));
175
+ this.register('ai_training_transparency_active', evidenceFlag('aiTrainingTransparencyActive', 'AI training data transparency'));
176
+ this.register('delete_act_active', evidenceFlag('deleteActActive', 'SB 362 Delete Act participation'));
177
+ this.register('impact_assessment_current', evidenceFlag('impactAssessmentCurrent', 'impact assessment currency'));
178
+ this.register('material_modification_reassessment_active', evidenceFlag('materialModificationReassessmentActive', 'material modification reassessment'));
179
+ this.register('consumer_notice_active', evidenceFlag('consumerNoticeActive', 'consumer notice'));
180
+ this.register('adverse_decision_workflow_active', evidenceFlag('adverseDecisionWorkflowActive', 'adverse decision workflow'));
181
+ this.register('risk_management_program_active', evidenceFlag('riskManagementProgramActive', 'risk management program'));
182
+ this.register('discrimination_disclosure_on_time', evidenceFlag('discriminationDisclosureOnTime', '90-day discrimination disclosure'));
183
+ this.register('public_statement_current', evidenceFlag('publicStatementCurrent', 'public statement'));
184
+ this.register('exemption_register_active', evidenceFlag('exemptionRegisterActive', 'exemption register'));
185
+ // -- HITECH-specific checks (derive from module config where possible) --
186
+ const configFlag = (mod, field, label) => (ctx) => {
187
+ const v = ctx.packConfig?.[mod]?.[field];
188
+ const passed = v === true || typeof v === 'number' || (Array.isArray(v) && v.length > 0);
189
+ return {
190
+ passed,
191
+ detail: passed
192
+ ? `${label} configured (${mod}.${field})`
193
+ : `${label} not configured (${mod}.${field} missing or falsy)`,
194
+ };
195
+ };
196
+ const configNumberAtLeast = (mod, field, minimum, label) => (ctx) => {
197
+ const v = ctx.packConfig?.[mod]?.[field];
198
+ const n = typeof v === 'number' ? v : 0;
199
+ const passed = n >= minimum;
200
+ return {
201
+ passed,
202
+ detail: passed
203
+ ? `${label}: ${mod}.${field}=${n} >= ${minimum}`
204
+ : `${label}: ${mod}.${field}=${n} < ${minimum}`,
205
+ };
206
+ };
207
+ this.register('hitech_hipaa_paired', (ctx) => {
208
+ const activePackIds = ctx.activePackIds ?? [];
209
+ const hipaaActive = activePackIds.includes('hipaa');
210
+ const requires = ctx.packConfig?.['governance-runtime']?.requiresPacks ?? [];
211
+ const configuredForPair = requires.includes('hipaa');
212
+ const passed = hipaaActive && configuredForPair;
213
+ return {
214
+ passed,
215
+ detail: passed
216
+ ? 'HITECH paired with HIPAA (both packs active; governance-runtime.requiresPacks includes hipaa)'
217
+ : `pair check failed: hipaa-active=${hipaaActive}, requiresPacks-has-hipaa=${configuredForPair}`,
218
+ };
219
+ });
220
+ this.register('breach_clock_active', configNumberAtLeast('session-persistence', 'breachClockTrackingDays', 1, 'breach clock'));
221
+ this.register('breach_500_escalation_active', (ctx) => {
222
+ const threshold = ctx.packConfig?.['session-persistence']?.breachThresholdForMediaNotice;
223
+ const passed = threshold === 500;
224
+ return {
225
+ passed,
226
+ detail: passed
227
+ ? '500-record media escalation threshold configured'
228
+ : `expected session-persistence.breachThresholdForMediaNotice=500, got ${threshold}`,
229
+ };
230
+ });
231
+ this.register('annual_hhs_report_scheduled', evidenceFlag('annualHhsReportScheduled', 'HHS annual small-breach report'));
232
+ this.register('ba_chain_tracked', configFlag('supply-chain', 'baChainTrackingRequired', 'BA chain tracking'));
233
+ this.register('penalty_tier_classifier_active', configFlag('governance-runtime', 'tierClassificationActive', 'penalty tier classifier'));
234
+ this.register('unsecured_phi_detector_active', (ctx) => {
235
+ const encLayer = ctx.activeModules.includes('encryption-layer');
236
+ const dc = ctx.activeModules.includes('data-classifier');
237
+ const passed = encLayer && dc;
238
+ return {
239
+ passed,
240
+ detail: passed
241
+ ? 'unsecured-PHI detector derived from encryption-layer + data-classifier presence'
242
+ : `missing modules: encryption-layer=${encLayer}, data-classifier=${dc}`,
243
+ };
244
+ });
245
+ this.register('phi_sale_gate_active', configFlag('approval-queue', 'phiSaleRequiresAuthorisation', 'PHI sale gate'));
246
+ this.register('phi_marketing_gate_active', configFlag('approval-queue', 'phiMarketingRequiresAuthorisation', 'PHI marketing gate'));
247
+ this.register('recognised_security_practices_active', (ctx) => {
248
+ const frameworks = ctx.packConfig?.['attestation-manager']?.recognisedSecurityPracticesFrameworks ?? [];
249
+ const months = ctx.packConfig?.['attestation-manager']?.recognisedSecurityPracticesMinimumMonths ?? 0;
250
+ const evidenceMonths = ctx.evidence?.recognisedSecurityPracticesMonths ?? 0;
251
+ const configured = frameworks.length > 0 && months >= 12;
252
+ const evidenced = evidenceMonths >= 12;
253
+ const passed = configured && evidenced;
254
+ return {
255
+ passed,
256
+ detail: passed
257
+ ? `HR 7898 Safe Harbor: ${frameworks.join(', ')} attested for ${evidenceMonths} months`
258
+ : configured
259
+ ? `HR 7898 configured but evidence shows only ${evidenceMonths} months (need >=12)`
260
+ : `HR 7898 frameworks not configured`,
261
+ };
262
+ });
263
+ this.register('ocr_audit_ready', evidenceFlag('ocrAuditReady', 'OCR audit readiness'));
264
+ // -- GLBA-specific checks --
265
+ this.register('wisp_active', evidenceFlag('wispActive', 'Written Information Security Program'));
266
+ this.register('qualified_individual_active', configFlag('governance-runtime', 'qualifiedIndividualRequired', 'qualified individual'));
267
+ this.register('glba_mfa_active', configFlag('agent-auth', 'mfaMandatoryForNpiAccess', 'MFA for NPI access'));
268
+ this.register('service_provider_oversight_active', configFlag('supply-chain', 'serviceProviderDueDiligenceRequired', 'service provider oversight'));
269
+ this.register('glba_opt_out_honoured', (ctx) => {
270
+ const configured = ctx.packConfig?.['session-persistence']?.optOutPersistenceRequired === true;
271
+ const evidenced = ctx.evidence?.glbaOptOutHonoured === true;
272
+ const passed = configured && evidenced;
273
+ return {
274
+ passed,
275
+ detail: passed
276
+ ? 'opt-out configured and runtime evidence present'
277
+ : `opt-out configured=${configured}, evidence=${evidenced}`,
278
+ };
279
+ });
280
+ this.register('glba_privacy_notice_current', (ctx) => {
281
+ const configured = ctx.packConfig?.['session-persistence']?.privacyNoticeAnnualDeliveryRequired === true;
282
+ const evidenced = ctx.evidence?.glbaPrivacyNoticeCurrent === true;
283
+ const passed = configured && evidenced;
284
+ return {
285
+ passed,
286
+ detail: passed
287
+ ? 'initial + annual privacy notice current'
288
+ : `configured=${configured}, evidence=${evidenced}`,
289
+ };
290
+ });
291
+ this.register('pretexting_detection_active', evidenceFlag('pretextingDetectionActive', 'pretexting detection'));
292
+ this.register('glba_testing_cadence_active', (ctx) => {
293
+ const pent = ctx.packConfig?.['attestation-manager']?.penetrationTestCadenceDays;
294
+ const vuln = ctx.packConfig?.['attestation-manager']?.vulnerabilityScanCadenceDays;
295
+ const passed = pent === 365 && vuln === 182;
296
+ return {
297
+ passed,
298
+ detail: passed
299
+ ? 'pentest 365d + vuln scan 182d cadence configured'
300
+ : `pentest=${pent}, vuln=${vuln}`,
301
+ };
302
+ });
303
+ this.register('glba_30day_notice_active', evidenceFlag('glba30dayNoticeActive', '30-day FTC notification wiring'));
304
+ this.register('glba_board_report_active', configFlag('attestation-manager', 'boardAnnualReportRequired', 'annual board report'));
305
+ // -- ABA-specific checks --
306
+ this.register('aba_citecheck_active', evidenceFlag('abaCitecheckActive', 'cite-check evidence'));
307
+ this.register('aba_confidentiality_gate_active', (ctx) => {
308
+ const dcAction = ctx.packConfig?.['data-classifier']?.privilegedAction;
309
+ const passed = dcAction === 'BLOCK_UNLESS_CONSENTED';
310
+ return {
311
+ passed,
312
+ detail: passed
313
+ ? 'privileged action = BLOCK_UNLESS_CONSENTED configured'
314
+ : `data-classifier.privilegedAction=${dcAction}`,
315
+ };
316
+ });
317
+ this.register('aba_supervision_active', configFlag('attestation-manager', 'supervisingLawyerRequiredPerAgent', 'supervising lawyer per agent'));
318
+ this.register('aba_filing_review_active', configFlag('approval-queue', 'courtFilingRequiresLawyerReview', 'court filing review'));
319
+ this.register('aba_client_consent_active', (ctx) => {
320
+ const configured = ctx.packConfig?.['session-persistence']?.clientInformedConsentRequired === true;
321
+ const evidenced = ctx.evidence?.abaClientConsentActive === true;
322
+ const passed = configured && evidenced;
323
+ return {
324
+ passed,
325
+ detail: passed
326
+ ? 'client consent configured and evidence present'
327
+ : `configured=${configured}, evidence=${evidenced}`,
328
+ };
329
+ });
330
+ this.register('aba_conflicts_active', (ctx) => {
331
+ const isolation = ctx.packConfig?.['session-persistence']?.perMatterIsolationRequired === true;
332
+ const conflicts = ctx.packConfig?.['session-persistence']?.conflictCheckRequired === true;
333
+ const passed = isolation && conflicts;
334
+ return {
335
+ passed,
336
+ detail: passed
337
+ ? 'per-matter isolation + conflict check configured'
338
+ : `isolation=${isolation}, conflicts=${conflicts}`,
339
+ };
340
+ });
341
+ this.register('aba_upl_active', configFlag('governance-runtime', 'upljurisdictionScopeRequired', 'UPL jurisdiction scope'));
342
+ this.register('aba_fee_review_active', configFlag('approval-queue', 'feeReasonablenessReviewRequired', 'fee reasonableness review'));
343
+ this.register('aba_marketing_review_active', configFlag('approval-queue', 'marketingTruthfulnessReviewRequired', 'marketing truthfulness review'));
344
+ this.register('aba_vendor_terms_active', (ctx) => {
345
+ const zeroRet = ctx.packConfig?.['supply-chain']?.vendorZeroRetentionRequired === true;
346
+ const zeroTrain = ctx.packConfig?.['supply-chain']?.vendorZeroTrainingOnInputsRequired === true;
347
+ const segregation = ctx.packConfig?.['supply-chain']?.vendorClientDataSegregationRequired === true;
348
+ const passed = zeroRet && zeroTrain && segregation;
349
+ return {
350
+ passed,
351
+ detail: passed
352
+ ? 'vendor terms: zero-retention + zero-training-on-inputs + client-data-segregation'
353
+ : `zeroRet=${zeroRet}, zeroTrain=${zeroTrain}, segregation=${segregation}`,
354
+ };
355
+ });
356
+ // -- FTC §5-specific checks --
357
+ this.register('ftc5_claim_substantiation_active', configFlag('governance-runtime', 'claimSubstantiationRequired', 'claim substantiation'));
358
+ this.register('ftc5_fake_review_active', configFlag('anomaly-detector', 'fakeReviewDetectionActive', 'fake-review detection'));
359
+ this.register('ftc5_ai_disclosure_active', (ctx) => {
360
+ const gen = ctx.packConfig?.['transparency-injector']?.aiGenerationDisclosureRequired === true;
361
+ const end = ctx.packConfig?.['transparency-injector']?.syntheticEndorsementDisclosureRequired === true;
362
+ const passed = gen && end;
363
+ return {
364
+ passed,
365
+ detail: passed
366
+ ? 'AI-generation + synthetic-endorsement disclosure configured'
367
+ : `generation=${gen}, endorsement=${end}`,
368
+ };
369
+ });
370
+ this.register('ftc5_dark_patterns_active', configFlag('approval-queue', 'darkPatternDeploymentReview', 'dark-pattern review'));
371
+ this.register('ftc5_fraud_chatbot_active', evidenceFlag('ftc5FraudChatbotActive', 'chatbot fraud detection'));
372
+ this.register('ftc5_coppa_gate_active', configFlag('governance-runtime', 'ageGateRequired', 'COPPA age gate'));
373
+ this.register('ftc5_data_minimisation_active', configFlag('governance-runtime', 'dataMinimisationRequired', 'data minimisation'));
374
+ this.register('ftc5_disgorgement_readiness_active', (ctx) => {
375
+ const gr = ctx.packConfig?.['governance-runtime']?.algorithmicDisgorgementReadyRequired === true;
376
+ const att = ctx.packConfig?.['attestation-manager']?.trainingDataProvenanceRequired === true;
377
+ const passed = gr && att;
378
+ return {
379
+ passed,
380
+ detail: passed
381
+ ? 'disgorgement readiness: governance-runtime flag + training-data provenance configured'
382
+ : `gr=${gr}, att=${att}`,
383
+ };
384
+ });
385
+ this.register('ftc5_disparate_impact_active', configFlag('anomaly-detector', 'disparateImpactDetectionActive', 'disparate impact detection'));
386
+ this.register('ftc5_ai_washing_active', (ctx) => {
387
+ const registry = ctx.packConfig?.['attestation-manager']?.claimRegistryRequired === true;
388
+ const passed = registry;
389
+ return {
390
+ passed,
391
+ detail: passed
392
+ ? 'claim registry required; AI-washing prevented'
393
+ : 'claim registry not configured',
394
+ };
395
+ });
396
+ // -- SR 11-7 specific checks --
397
+ this.register('sr117_inventory_active', configFlag('governance-runtime', 'modelInventoryRegistrationRequired', 'model inventory'));
398
+ this.register('sr117_validation_independence_active', configFlag('approval-queue', 'validatorSeparationRequired', 'validator separation'));
399
+ this.register('sr117_validation_cadence_active', (ctx) => {
400
+ const cadence = ctx.packConfig?.['attestation-manager']?.validationCadenceByTierDays;
401
+ const ok = !!cadence && typeof cadence.CRITICAL === 'number' && typeof cadence.LOW === 'number';
402
+ return {
403
+ passed: ok,
404
+ detail: ok
405
+ ? `cadence configured: CRITICAL=${cadence.CRITICAL}d, HIGH=${cadence.HIGH}d, MEDIUM=${cadence.MEDIUM}d, LOW=${cadence.LOW}d`
406
+ : 'tier cadence not configured',
407
+ };
408
+ });
409
+ this.register('sr117_challenger_active', configFlag('attestation-manager', 'challengerModelRequiredForCriticalTier', 'challenger model for CRITICAL tier'));
410
+ this.register('sr117_drift_monitoring_active', configFlag('anomaly-detector', 'driftDetectionActive', 'drift monitoring'));
411
+ this.register('sr117_retirement_active', configFlag('governance-runtime', 'retirementEnforcementRequired', 'retirement enforcement'));
412
+ this.register('sr117_documentation_active', (ctx) => {
413
+ const fields = ctx.packConfig?.['supply-chain']?.developerStatementFields;
414
+ const ok = Array.isArray(fields) && fields.length >= 4;
415
+ return {
416
+ passed: !!ok,
417
+ detail: ok ? `developer statement fields: ${fields?.join(', ')}` : 'developer statement fields missing',
418
+ };
419
+ });
420
+ this.register('sr117_material_change_active', configFlag('approval-queue', 'materialChangeRevalidationRequired', 'material change revalidation'));
421
+ this.register('sr117_governance_report_active', evidenceFlag('sr117GovernanceReportActive', 'enterprise model-risk governance report'));
422
+ // -- 21 CFR Part 11 specific checks --
423
+ this.register('part11_validation_gate_active', configFlag('governance-runtime', 'validationGateRequired', 'IQ/OQ/PQ validation gate'));
424
+ this.register('part11_esignature_active', configFlag('approval-queue', 'eSignatureOnRecordModificationRequired', 'e-signature on record modification'));
425
+ this.register('part11_append_only_audit_active', configFlag('audit-integrity', 'appendOnlyAuditTrailRequired', 'append-only audit trail'));
426
+ this.register('part11_authority_matrix_active', configFlag('governance-runtime', 'authorityMatrixEnforced', 'authority-to-sign matrix'));
427
+ this.register('part11_signature_binding_active', configFlag('approval-queue', 'signatureBoundToRecordHash', 'signature bound to record hash'));
428
+ this.register('part11_timestamps_active', configFlag('event-bus', 'ntpTimestampRequired', 'NTP timestamps'));
429
+ this.register('part11_ai_provenance_active', configFlag('attestation-manager', 'aiProvenanceAttestationRequired', 'AI provenance attestation'));
430
+ this.register('part11_contemporaneous_active', configFlag('session-persistence', 'contemporaneousCaptureRequired', 'contemporaneous capture'));
431
+ this.register('part11_sequencing_active', configFlag('event-bus', 'sequenceIdEnforced', 'event sequencing'));
432
+ this.register('part11_retention_active', configFlag('attestation-manager', 'retentionLockedToPredicateRule', 'predicate-rule retention lock'));
433
+ this.register('part11_alcoa_plus_active', configFlag('governance-runtime', 'alcoaPlusEnforced', 'ALCOA+ enforcement'));
434
+ // -- SOX 404 specific checks --
435
+ this.register('sox404_management_assessment_active', configFlag('attestation-manager', 'annualManagementAssessmentRequired', '§404(a) management assessment'));
436
+ this.register('sox404_control_mapping_active', configFlag('governance-runtime', 'icfrControlMappingRequired', 'ICFR control mapping'));
437
+ this.register('sox404_material_change_active', configFlag('governance-runtime', 'materialChangeReassessmentRequired', 'material change reassessment'));
438
+ this.register('sox404_sod_active', configFlag('approval-queue', 'sodEnforced', 'segregation of duties'));
439
+ this.register('sox404_ai_gl_gate_active', configFlag('approval-queue', 'aiOutputToGeneralLedgerRequiresHumanReview', 'AI-to-GL human review gate'));
440
+ this.register('sox404_deficiency_register_active', configFlag('attestation-manager', 'deficiencyRegisterRequired', 'deficiency register'));
441
+ this.register('sox404_testing_cadence_active', (ctx) => {
442
+ const days = ctx.packConfig?.['attestation-manager']?.quarterlyControlTestingCadenceDays;
443
+ const passed = typeof days === 'number' && days <= 90;
444
+ return {
445
+ passed,
446
+ detail: passed
447
+ ? `quarterly control testing cadence configured (${days}d)`
448
+ : `testing cadence not configured (${days})`,
449
+ };
450
+ });
451
+ this.register('sox404_change_management_active', evidenceFlag('sox404ChangeManagementActive', 'change management log'));
452
+ this.register('sox404_cuec_register_active', configFlag('supply-chain', 'socOneCuecRegistrationRequired', 'SOC 1 CUEC register'));
453
+ this.register('sox404_itgc_matrix_active', evidenceFlag('sox404ItgcMatrixActive', 'ITGC matrix'));
454
+ // F-NEW-VERA-PACK-C2-07 (2026-05-03): COSO 2013 framework version validator.
455
+ // PCAOB AS 2201 §.03 requires COSO 2013 Integrated Framework (5 components, 17 principles).
456
+ // The superseded 1992 framework is not acceptable for SOX 404 ICFR assessments.
457
+ this.register('sox404_coso_2013_framework_active', (ctx) => {
458
+ const cosoAlignment = ctx.packConfig?.['governance-runtime']?.cosoFrameworkAlignmentRequired;
459
+ const passed = cosoAlignment === 'COSO 2013';
460
+ return {
461
+ passed,
462
+ detail: passed
463
+ ? 'COSO 2013 Integrated Framework alignment configured (5 components, 17 principles)'
464
+ : `COSO framework alignment not configured or not set to 'COSO 2013' (found: ${cosoAlignment ?? 'undefined'}) -- PCAOB AS 2201 requires COSO 2013`,
465
+ };
466
+ });
467
+ // -- BSA / AML specific checks --
468
+ this.register('bsa_cip_active', configFlag('governance-runtime', 'cipRequired', 'Customer Identification Program'));
469
+ this.register('bsa_cdd_active', configFlag('governance-runtime', 'cddRequired', 'Customer Due Diligence'));
470
+ this.register('bsa_ofac_active', configFlag('governance-runtime', 'ofacScreeningRequired', 'OFAC sanctions screening'));
471
+ this.register('bsa_sar_30day_active', evidenceFlag('bsaSar30dayActive', '30-day SAR filing'));
472
+ this.register('bsa_ctr_10k_active', (ctx) => {
473
+ const threshold = ctx.packConfig?.['data-classifier']?.transactionThresholdCtrUsd;
474
+ const passed = threshold === 10000;
475
+ return {
476
+ passed,
477
+ detail: passed ? 'CTR threshold $10,000 configured' : `CTR threshold ${threshold}`,
478
+ };
479
+ });
480
+ this.register('bsa_officer_designated', configFlag('attestation-manager', 'bsaOfficerDesignationRequired', 'BSA officer designation'));
481
+ this.register('bsa_annual_training_active', configFlag('attestation-manager', 'annualTrainingRequired', 'annual BSA/AML training'));
482
+ this.register('bsa_independent_testing_active', (ctx) => {
483
+ const days = ctx.packConfig?.['attestation-manager']?.independentTestingCadenceDays;
484
+ const passed = typeof days === 'number' && days <= 365;
485
+ return {
486
+ passed,
487
+ detail: passed ? `independent testing cadence ${days}d` : `cadence not set (${days})`,
488
+ };
489
+ });
490
+ this.register('bsa_boi_active', configFlag('governance-runtime', 'boiReportingRequired', 'Corporate Transparency Act BOI reporting'));
491
+ this.register('bsa_ai_explainability_active', evidenceFlag('bsaAiExplainabilityActive', 'AI explainability for SAR narrative'));
492
+ this.register('bsa_aml_bias_active', configFlag('bias-monitor', 'amlDemographicBiasMonitoringRequired', 'AML demographic bias monitoring'));
493
+ // -- NY DFS 500 specific checks --
494
+ this.register('nydfs500_ciso_active', configFlag('attestation-manager', 'cisoDesignationRequired', 'CISO designation + board report'));
495
+ this.register('nydfs500_mfa_active', (ctx) => {
496
+ const priv = ctx.packConfig?.['agent-auth']?.mfaForPrivilegedAccess === true;
497
+ const rem = ctx.packConfig?.['agent-auth']?.mfaForRemoteAccess === true;
498
+ const passed = priv && rem;
499
+ return {
500
+ passed,
501
+ detail: passed
502
+ ? 'MFA enforced on privileged + remote access'
503
+ : `privileged=${priv}, remote=${rem}`,
504
+ };
505
+ });
506
+ this.register('nydfs500_72h_notice_active', (ctx) => {
507
+ const hours = ctx.packConfig?.['event-bus']?.cybersecurityEventNotificationHours;
508
+ const passed = hours === 72;
509
+ return {
510
+ passed,
511
+ detail: passed
512
+ ? '72-hour cybersecurity event notification configured'
513
+ : `cybersecurityEventNotificationHours=${hours}`,
514
+ };
515
+ });
516
+ this.register('nydfs500_24h_ransomware_active', (ctx) => {
517
+ const hours = ctx.packConfig?.['event-bus']?.ransomwarePaymentNotificationHours;
518
+ const passed = hours === 24;
519
+ return {
520
+ passed,
521
+ detail: passed
522
+ ? '24-hour ransomware payment notification configured'
523
+ : `ransomwarePaymentNotificationHours=${hours}`,
524
+ };
525
+ });
526
+ this.register('nydfs500_risk_assessment_active', configFlag('attestation-manager', 'riskAssessmentCadenceDays', 'annual risk assessment cadence'));
527
+ this.register('nydfs500_pentest_cadence_active', (ctx) => {
528
+ const pent = ctx.packConfig?.['attestation-manager']?.penetrationTestCadenceDays;
529
+ const vuln = ctx.packConfig?.['attestation-manager']?.vulnerabilityScanCadenceDays;
530
+ const passed = pent === 365 && vuln === 182;
531
+ return {
532
+ passed,
533
+ detail: passed
534
+ ? 'annual pentest + bi-annual vuln scan cadences configured'
535
+ : `pentest=${pent}, vuln=${vuln}`,
536
+ };
537
+ });
538
+ this.register('nydfs500_supply_chain_active', configFlag('supply-chain', 'serviceProviderDueDiligenceRequired', 'third-party service provider policy'));
539
+ this.register('nydfs500_asset_inventory_active', configFlag('session-persistence', 'assetInventoryRequired', 'asset inventory'));
540
+ this.register('nydfs500_training_active', configFlag('attestation-manager', 'cybersecurityTrainingCadenceDays', 'cybersecurity training cadence'));
541
+ this.register('nydfs500_ai_risk_active', configFlag('governance-runtime', 'aiSpecificRiskAssessmentRequired', 'AI-specific risk assessment'));
542
+ // -- CFPB 2023-03 specific checks --
543
+ this.register('cfpb_adverse_deadline_active', (ctx) => {
544
+ const days = ctx.packConfig?.['governance-runtime']?.adverseActionDeadlineDays;
545
+ const passed = days === 30;
546
+ return {
547
+ passed,
548
+ detail: passed ? '30-day adverse action deadline configured' : `adverseActionDeadlineDays=${days}`,
549
+ };
550
+ });
551
+ this.register('cfpb_principal_factor_active', configFlag('governance-runtime', 'principalFactorReasonRequired', 'principal-factor reason requirement'));
552
+ this.register('cfpb_generic_blocked_active', (ctx) => {
553
+ const gr = ctx.packConfig?.['governance-runtime']?.genericRationaleBlocked === true;
554
+ const aq = ctx.packConfig?.['approval-queue']?.genericReasonBlocked === true;
555
+ const passed = gr && aq;
556
+ return {
557
+ passed,
558
+ detail: passed
559
+ ? 'generic rationale blocked at governance-runtime AND approval-queue'
560
+ : `governance-runtime=${gr}, approval-queue=${aq}`,
561
+ };
562
+ });
563
+ this.register('cfpb_vendor_doc_active', configFlag('approval-queue', 'vendorScoringCreditorDocumentationRequired', 'vendor-scoring creditor documentation'));
564
+ this.register('cfpb_sample_form_active', configFlag('approval-queue', 'sampleFormCodeValidation', 'Regulation B sample-form validation'));
565
+ this.register('cfpb_methodology_active', configFlag('attestation-manager', 'reasonDerivationMethodologyRequired', 'reason-derivation methodology documentation'));
566
+ this.register('cfpb_ecoa_bias_active', configFlag('bias-monitor', 'ecoaDisparateImpactMonitoringRequired', 'ECOA disparate impact monitoring'));
567
+ this.register('cfpb_conflict_detection_active', configFlag('anomaly-detector', 'conflictingReasonCodeDetectionActive', 'conflicting reason-code detection'));
568
+ this.register('cfpb_retention_active', evidenceFlag('cfpbRetentionActive', 'Regulation B retention compliance'));
569
+ // -- HIPAA-specific checks (added in normalization pass) --
570
+ this.register('hipaa_auto_logoff_active', configFlag('session-persistence', 'autoLogoffRequired', 'automatic logoff'));
571
+ this.register('hipaa_integrity_active', (ctx) => {
572
+ const passed = ctx.activeModules.includes('memory-integrity');
573
+ return {
574
+ passed,
575
+ detail: passed ? 'memory-integrity module active' : 'memory-integrity module not active',
576
+ };
577
+ });
578
+ this.register('hipaa_minimum_necessary_active', configFlag('governance-runtime', 'minimumNecessaryEnforced', 'minimum-necessary standard'));
579
+ // -- GDPR-specific checks (added in normalization pass) --
580
+ this.register('gdpr_breach_72h_active', (ctx) => {
581
+ // Check that event-bus is active and pack has 72h incident deadline
582
+ const evActive = ctx.activeModules.includes('event-bus');
583
+ return {
584
+ passed: evActive,
585
+ detail: evActive
586
+ ? 'event-bus active; 72h breach notification clock available'
587
+ : 'event-bus not active; breach notification clock unavailable',
588
+ };
589
+ });
590
+ this.register('gdpr_transfer_mechanism_active', (ctx) => {
591
+ const dpf = ctx.packConfig?.['governance-runtime']?.dpfTransferMechanismSupported === true;
592
+ const scc = ctx.packConfig?.['governance-runtime']?.sccTransferMechanismSupported === true;
593
+ const passed = dpf || scc;
594
+ return {
595
+ passed,
596
+ detail: passed
597
+ ? `transfer mechanism supported: DPF=${dpf}, SCC=${scc}`
598
+ : 'no transfer mechanism configured',
599
+ };
600
+ });
601
+ this.register('gdpr_purpose_limitation_active', configFlag('governance-runtime', 'purposeLimitationEnforced', 'purpose limitation'));
602
+ this.register('gdpr_lawful_basis_active', configFlag('governance-runtime', 'lawfulBasisEnforced', 'lawful basis enforcement'));
603
+ this.register('gdpr_article22_active', configFlag('approval-queue', 'article22HumanReviewRequired', 'Art. 22 human review'));
604
+ this.register('gdpr_ropa_active', configFlag('attestation-manager', 'ropaRequired', 'Records of Processing Activities'));
605
+ this.register('gdpr_dpia_active', configFlag('attestation-manager', 'dpiaRequired', 'Data Protection Impact Assessment'));
606
+ // -- PCI DSS v4.0.1 specific checks (added in normalization pass) --
607
+ this.register('pci_mfa_cde_active', configFlag('agent-auth', 'mfaForCdeAccessRequired', 'MFA for CDE access'));
608
+ this.register('pci_tpsp_active', configFlag('supply-chain', 'tpspManagementRequired', 'TPSP management with AOC'));
609
+ this.register('pci_asv_scan_active', configFlag('attestation-manager', 'annualAsvScanRequired', 'quarterly ASV scan'));
610
+ this.register('pci_pentest_active', configFlag('attestation-manager', 'annualPenetrationTestRequired', 'annual penetration test'));
611
+ this.register('pci_targeted_risk_active', configFlag('attestation-manager', 'targetedRiskAnalysisRequired', 'targeted risk analysis'));
612
+ // -- EU AI Act specific checks (added in normalization pass) --
613
+ this.register('euai_prohibited_practice_active', configFlag('governance-runtime', 'prohibitedPracticeCheckRequired', 'Art. 5 prohibited-practice detection'));
614
+ this.register('euai_gpai_active', configFlag('supply-chain', 'gpaiObligationsTracked', 'GPAI obligations tracking'));
615
+ this.register('euai_fria_active', configFlag('bias-monitor', 'friaSupported', 'Fundamental Rights Impact Assessment'));
616
+ this.register('euai_conformity_active', configFlag('attestation-manager', 'conformityAssessmentRequired', 'conformity assessment + EU database registration'));
617
+ // -- ISO 27001:2022 specific checks (added in normalization pass) --
618
+ this.register('iso_config_mgmt_active', (ctx) => {
619
+ const passed = ctx.activeModules.includes('memory-integrity');
620
+ return {
621
+ passed,
622
+ detail: passed ? 'memory-integrity module active (A.8.9)' : 'memory-integrity module not active',
623
+ };
624
+ });
625
+ this.register('iso_threat_intel_active', configFlag('anomaly-detector', 'threatIntelligenceActive', 'threat intelligence (A.5.7)'));
626
+ this.register('iso_isms_active', (ctx) => {
627
+ const documented = ctx.packConfig?.['attestation-manager']?.ismsDocumentedRequired === true;
628
+ const soa = ctx.packConfig?.['attestation-manager']?.statementOfApplicabilityRequired === true;
629
+ const review = ctx.packConfig?.['attestation-manager']?.managementReviewAnnualRequired === true;
630
+ const audit = ctx.packConfig?.['attestation-manager']?.internalAuditAnnualRequired === true;
631
+ const passed = documented && soa && review && audit;
632
+ return {
633
+ passed,
634
+ detail: passed
635
+ ? 'ISMS documented + SoA + annual management review + internal audit configured'
636
+ : `ISMS=${documented}, SoA=${soa}, review=${review}, audit=${audit}`,
637
+ };
638
+ });
639
+ // -- DORA specific checks (added in normalization pass) --
640
+ this.register('dora_incident_4hr_active', (ctx) => {
641
+ const hours = ctx.packConfig?.['event-bus']?.majorIncidentFourHourNotificationHours;
642
+ const passed = hours === 4;
643
+ return {
644
+ passed,
645
+ detail: passed ? '4-hour major-incident notification configured' : `majorIncidentFourHourNotificationHours=${hours}`,
646
+ };
647
+ });
648
+ this.register('dora_incident_cascade_active', (ctx) => {
649
+ const four = ctx.packConfig?.['event-bus']?.majorIncidentFourHourNotificationHours;
650
+ const seventyTwo = ctx.packConfig?.['event-bus']?.majorIncidentSeventyTwoHourInterimHours;
651
+ const month = ctx.packConfig?.['event-bus']?.majorIncidentOneMonthFinalHours;
652
+ const passed = four === 4 && seventyTwo === 72 && month === 720;
653
+ return {
654
+ passed,
655
+ detail: passed
656
+ ? '4h/72h/1-month cascade reporting configured'
657
+ : `4h=${four}, 72h=${seventyTwo}, 1mo=${month}`,
658
+ };
659
+ });
660
+ this.register('dora_resilience_active', (ctx) => {
661
+ const cb = ctx.activeModules.includes('circuit-breaker');
662
+ const config = ctx.packConfig?.['circuit-breaker']?.responseAndRecoveryRequired === true;
663
+ const passed = cb && config;
664
+ return {
665
+ passed,
666
+ detail: passed
667
+ ? 'circuit-breaker active + response-and-recovery configured'
668
+ : `circuit-breaker=${cb}, config=${config}`,
669
+ };
670
+ });
671
+ this.register('dora_register_of_information_active', configFlag('supply-chain', 'registerOfInformationRequired', 'Register of Information'));
672
+ this.register('dora_tlpt_active', configFlag('attestation-manager', 'threatLedPenetrationTestingRequired', 'threat-led penetration testing'));
673
+ // -- NIST AI RMF specific checks (added in normalization pass) --
674
+ this.register('nist_manage_2_active', (ctx) => {
675
+ const cb = ctx.activeModules.includes('circuit-breaker');
676
+ const config = ctx.packConfig?.['circuit-breaker']?.residualRiskMitigationRequired === true;
677
+ const passed = cb && config;
678
+ return {
679
+ passed,
680
+ detail: passed ? 'circuit-breaker + residual-risk mitigation configured' : `cb=${cb}, config=${config}`,
681
+ };
682
+ });
683
+ this.register('nist_risk_register_active', configFlag('attestation-manager', 'riskRegisterRequired', 'risk register (MANAGE 4)'));
684
+ this.register('nist_genai_profile_active', configFlag('attestation-manager', 'genaiProfileAlignmentRequired', 'NIST GenAI Profile alignment'));
685
+ // -- ISO/IEC 42001 specific checks (added in normalization pass) --
686
+ this.register('iso42001_context_active', configFlag('governance-runtime', 'aimsContextDefined', 'AIMS context of organisation'));
687
+ this.register('iso42001_leadership_active', configFlag('approval-queue', 'leadershipCommitmentRequired', 'leadership commitment + AI policy'));
688
+ this.register('iso42001_responsible_objectives_active', configFlag('bias-monitor', 'responsibleAiObjectivesTracked', 'responsible AI objectives'));
689
+ this.register('iso42001_data_lifecycle_active', configFlag('data-classifier', 'aiDataLifecycleManagementRequired', 'AI data lifecycle (Annex B)'));
690
+ this.register('iso42001_internal_audit_active', (ctx) => {
691
+ const review = ctx.packConfig?.['attestation-manager']?.managementReviewRequired === true;
692
+ const audit = ctx.packConfig?.['attestation-manager']?.internalAuditRequired === true;
693
+ const passed = review && audit;
694
+ return {
695
+ passed,
696
+ detail: passed ? 'internal audit + management review configured' : `audit=${audit}, review=${review}`,
697
+ };
698
+ });
699
+ this.register('iso42001_impact_assessment_active', configFlag('attestation-manager', 'aiSystemImpactAssessmentRequired', 'AI system impact assessment (Annex C)'));
700
+ this.register('iso42001_soa_active', configFlag('attestation-manager', 'annexAStatementOfApplicabilityRequired', 'Statement of Applicability (Annex A)'));
701
+ // -- FDA SaMD specific checks (added in normalization pass) --
702
+ this.register('samd_qmsr_validation_active', configFlag('governance-runtime', 'qmsrValidationRequired', 'QMSR validation'));
703
+ this.register('samd_pccp_active', configFlag('approval-queue', 'pccpBoundaryEnforcement', 'PCCP boundary enforcement'));
704
+ this.register('samd_sbom_active', configFlag('supply-chain', 'sbomRequired', 'SBOM (PATCH Act)'));
705
+ this.register('samd_clinical_validation_active', configFlag('attestation-manager', 'clinicalValidationPerImdrfCategoryRequired', 'clinical validation per IMDRF category'));
706
+ this.register('samd_real_world_perf_active', configFlag('anomaly-detector', 'realWorldPerformanceMonitoringRequired', 'real-world performance monitoring'));
707
+ this.register('samd_mdr_active', (ctx) => {
708
+ const thirty = ctx.packConfig?.['event-bus']?.mdrThirtyDayClockActive === true;
709
+ const five = ctx.packConfig?.['event-bus']?.mdrFiveDayCorrectiveActionClockActive === true;
710
+ const passed = thirty && five;
711
+ return {
712
+ passed,
713
+ detail: passed ? 'MDR 30-day + 5-day clocks configured' : `30d=${thirty}, 5d=${five}`,
714
+ };
715
+ });
716
+ this.register('samd_post_market_active', configFlag('attestation-manager', 'postMarketSurveillancePlanRequired', 'post-market surveillance plan'));
717
+ this.register('samd_gmlp_active', configFlag('governance-runtime', 'gmlpPrincipleEvaluationRequired', 'GMLP principle evaluation'));
718
+ this.register('samd_imdrf_category_active', configFlag('governance-runtime', 'imdrfCategoryTrackingRequired', 'IMDRF SaMD category tracking'));
719
+ this.register('samd_bias_active', configFlag('bias-monitor', 'demographicSubgroupPerformanceRequired', 'demographic subgroup performance'));
720
+ this.register('samd_intended_use_active', configFlag('transparency-injector', 'indicationForUseDisclosureRequired', 'indication for use disclosure'));
721
+ // -- 42 CFR Part 2 specific checks (added in normalization pass) --
722
+ this.register('part2_consent_gate_active', configFlag('governance-runtime', 'consentGateRequired', 'SUD consent gate'));
723
+ this.register('part2_legal_proceedings_active', configFlag('approval-queue', 'legalProceedingsCourtOrderRequired', 'legal proceedings court order gate'));
724
+ this.register('part2_segmentation_active', configFlag('data-classifier', 'part2SegmentationRequired', 'Part 2 segmentation'));
725
+ this.register('part2_redisclosure_notice_active', configFlag('transparency-injector', 'prohibitionOnRedisclosureNoticeRequired', 'Prohibition on Redisclosure notice'));
726
+ this.register('part2_revocation_active', configFlag('session-persistence', 'consentRevocationContinuityRequired', 'consent revocation continuity'));
727
+ this.register('part2_qso_agreement_active', configFlag('supply-chain', 'qsoAgreementRequired', 'QSO agreement'));
728
+ this.register('part2_minimum_necessary_active', configFlag('governance-runtime', 'minimumNecessaryEnforcedForSud', 'SUD minimum necessary'));
729
+ this.register('part2_research_gate_active', configFlag('approval-queue', 'researchIrbConsentRequired', 'research IRB + consent gate'));
730
+ this.register('part2_breach_60d_active', configFlag('event-bus', 'breachNotificationSixtyDayClockActive', '60-day breach notification'));
731
+ this.register('part2_anti_discrimination_active', configFlag('bias-monitor', 'sudAntiDiscriminationMonitoringRequired', 'SUD anti-discrimination'));
732
+ // -- GxP specific checks (added in normalization pass) --
733
+ this.register('gxp_validation_gate_active', configFlag('governance-runtime', 'aiValidationGateRequired', 'AI validation gate per GxP branch'));
734
+ this.register('gxp_alcoa_plus_active', configFlag('governance-runtime', 'alcoaPlusEnforced', 'ALCOA+ enforcement'));
735
+ this.register('gxp_batch_release_active', configFlag('approval-queue', 'batchReleaseQaGateRequired', 'GMP batch release QA gate'));
736
+ this.register('gxp_raw_data_active', configFlag('session-persistence', 'rawDataPreservationRequired', 'GLP raw data preservation'));
737
+ this.register('gxp_eligibility_consent_active', configFlag('approval-queue', 'clinicalEligibilityConsentGateRequired', 'GCP eligibility + consent gate'));
738
+ this.register('gxp_ind_safety_active', (ctx) => {
739
+ const seven = ctx.packConfig?.['event-bus']?.indSafetyReportSevenDayClockActive === true;
740
+ const fifteen = ctx.packConfig?.['event-bus']?.indSafetyReportFifteenDayClockActive === true;
741
+ const passed = seven && fifteen;
742
+ return {
743
+ passed,
744
+ detail: passed ? 'IND safety 7-day + 15-day clocks configured' : `7d=${seven}, 15d=${fifteen}`,
745
+ };
746
+ });
747
+ this.register('gxp_protocol_deviation_active', configFlag('approval-queue', 'protocolDeviationReviewRequired', 'protocol deviation review'));
748
+ this.register('gxp_oos_active', configFlag('anomaly-detector', 'gmpOosDetectionActive', 'GMP OOS detection'));
749
+ this.register('gxp_qaa_active', configFlag('supply-chain', 'qaaRequired', 'Quality Assurance Agreement'));
750
+ this.register('gxp_far_active', configFlag('event-bus', 'farThreeDayClockActive', 'Field Alert Report 3-day clock'));
751
+ // -- NYC LL 144 specific checks (added in normalization pass) --
752
+ this.register('nyc144_bias_audit_active', configFlag('attestation-manager', 'biasAuditAnnualRenewalRequired', 'annual bias audit'));
753
+ this.register('nyc144_independent_auditor_active', configFlag('supply-chain', 'independentThirdPartyAuditorRequired', 'independent third-party auditor'));
754
+ this.register('nyc144_public_disclosure_active', configFlag('attestation-manager', 'publicUrlDisclosureRequired', 'public URL disclosure'));
755
+ this.register('nyc144_candidate_notice_active', configFlag('approval-queue', 'tenBusinessDayCandidateNoticeRequired', '10-business-day candidate notice'));
756
+ this.register('nyc144_alternative_process_active', configFlag('governance-runtime', 'alternativeProcessEnforcementRequired', 'alternative process'));
757
+ this.register('nyc144_aedt_scope_active', configFlag('governance-runtime', 'aedtScopeClassificationRequired', 'AEDT scope classification'));
758
+ this.register('nyc144_impact_ratio_active', (ctx) => {
759
+ const method = ctx.packConfig?.['bias-monitor']?.nycrr5300ImpactRatioMethodology === true;
760
+ const intersectional = ctx.packConfig?.['bias-monitor']?.intersectionalCategoriesRequired === true;
761
+ const passed = method && intersectional;
762
+ return {
763
+ passed,
764
+ detail: passed ? 'NYCRR 5-300 methodology + intersectional categories configured' : `method=${method}, intersectional=${intersectional}`,
765
+ };
766
+ });
767
+ this.register('nyc144_demographic_tagging_active', configFlag('session-persistence', 'nycResidenceTaggingRequired', 'NYC residence tagging'));
768
+ this.register('nyc144_audit_renewal_active', (ctx) => {
769
+ const window = ctx.packConfig?.['attestation-manager']?.biasAuditAnnualRenewalWindowDays;
770
+ const warning = ctx.packConfig?.['attestation-manager']?.biasAuditRenewalEarlyWarningDays;
771
+ const passed = window === 365 && warning === 60;
772
+ return {
773
+ passed,
774
+ detail: passed ? '365-day renewal with 60-day early warning configured' : `window=${window}, warning=${warning}`,
775
+ };
776
+ });
777
+ this.register('nyc144_record_keeping_active', (ctx) => {
778
+ const retention = ctx.packConfig?.['session-persistence']?.demographicSignalRetentionDays;
779
+ const passed = typeof retention === 'number' && retention >= 1095;
780
+ return {
781
+ passed,
782
+ detail: passed ? `demographic signal retention ${retention}d >= 3 years` : `retention=${retention}`,
783
+ };
784
+ });
785
+ // -- EU AI Liability (PLD 2024) specific checks (added in normalization pass) --
786
+ this.register('pld_documentation_active', configFlag('governance-runtime', 'pldReadyDocumentationGateRequired', 'PLD-ready documentation'));
787
+ this.register('pld_evidence_disclosure_active', configFlag('attestation-manager', 'pldEvidenceBundleRequired', 'Art. 9 evidence disclosure readiness'));
788
+ this.register('pld_substantial_modification_active', configFlag('governance-runtime', 'substantialModificationTrackingRequired', 'substantial modification tracking'));
789
+ this.register('pld_post_market_active', configFlag('attestation-manager', 'postMarketMonitoringEvidenceRequired', 'post-market monitoring evidence'));
790
+ this.register('pld_economic_operator_active', configFlag('supply-chain', 'economicOperatorLiabilityPositionRequired', 'economic operator liability position'));
791
+ this.register('pld_latent_defect_active', configFlag('session-persistence', 'tenYearLatentDefectWindowRequired', '10-year latent defect window'));
792
+ this.register('pld_data_damage_active', configFlag('data-classifier', 'dataDamageTrackingRequired', 'data damage tracking'));
793
+ this.register('pld_withdrawn_ald_guard_active', configFlag('approval-queue', 'withdrawnAldGuardActive', 'withdrawn ALD guard'));
794
+ this.register('pld_product_information_active', configFlag('transparency-injector', 'productInformationDisclosureRequired', 'product information disclosure'));
795
+ this.register('pld_open_source_exception_active', configFlag('governance-runtime', 'openSourceExceptionTrackingRequired', 'open-source exception tracking'));
796
+ // -- ISO 23894 specific checks (added in normalization pass) --
797
+ this.register('iso23894_framework_active', configFlag('governance-runtime', 'aiRiskFrameworkRequired', 'AI risk management framework'));
798
+ this.register('iso23894_process_active', (ctx) => {
799
+ const framework = ctx.packConfig?.['governance-runtime']?.aiRiskFrameworkRequired === true;
800
+ const register = ctx.packConfig?.['attestation-manager']?.aiRiskRegisterRequired === true;
801
+ const passed = framework && register;
802
+ return {
803
+ passed,
804
+ detail: passed ? 'risk framework + register both configured' : `framework=${framework}, register=${register}`,
805
+ };
806
+ });
807
+ this.register('iso23894_risk_register_active', configFlag('attestation-manager', 'aiRiskRegisterRequired', 'AI risk register'));
808
+ this.register('iso23894_training_data_active', configFlag('data-classifier', 'trainingDataProvenanceRequired', 'training data provenance'));
809
+ this.register('iso23894_robustness_active', configFlag('anomaly-detector', 'robustnessMonitoringActive', 'robustness monitoring'));
810
+ this.register('iso23894_human_oversight_active', configFlag('approval-queue', 'humanOversightLevelTracked', 'human oversight level'));
811
+ this.register('iso23894_transparency_active', configFlag('transparency-injector', 'explainabilityEvidenceRequired', 'explainability evidence'));
812
+ this.register('iso23894_societal_impact_active', configFlag('attestation-manager', 'societalImpactFieldRequired', 'societal impact field'));
813
+ this.register('iso23894_risk_treatment_active', configFlag('approval-queue', 'riskTreatmentDecisionRequired', 'risk treatment decision'));
814
+ this.register('iso23894_monitoring_review_active', configFlag('attestation-manager', 'annualRiskReviewRequired', 'annual risk review'));
815
+ this.register('iso23894_communication_active', configFlag('event-bus', 'riskCommunicationEventsActive', 'risk communication events'));
816
+ // -- LGPD specific checks --
817
+ this.register('lgpd_legal_basis_active', configFlag('governance-runtime', 'lgpdLegalBasisEnforced', 'LGPD legal basis enforcement'));
818
+ this.register('lgpd_encarregado_active', configFlag('attestation-manager', 'encarregadoDesignationRequired', 'Encarregado designation'));
819
+ this.register('lgpd_ripd_active', configFlag('attestation-manager', 'ripdRequired', 'RIPD (DPIA)'));
820
+ this.register('lgpd_dsr_active', (ctx) => {
821
+ // LGPD requires REVIEW_ADM and REVOCATION_CONSENT specifically (Arts. 20, 18 VI).
822
+ // When other packs (e.g., CCPA) also configure data-subject-rights, the merged
823
+ // supportedRights array must include LGPD's required rights.
824
+ const rights = ctx.packConfig?.['data-subject-rights']?.supportedRights;
825
+ const hasReviewAdm = Array.isArray(rights) && rights.includes('REVIEW_ADM');
826
+ const hasRevocation = Array.isArray(rights) && rights.includes('REVOCATION_CONSENT');
827
+ // OR the LGPD pack's own config flag signals presence
828
+ const lgpdDsrActive = ctx.activePackIds?.includes('lgpd') ?? false;
829
+ const passed = lgpdDsrActive || (hasReviewAdm && hasRevocation);
830
+ return {
831
+ passed,
832
+ detail: passed
833
+ ? 'LGPD DSR workflow active (REVIEW_ADM + REVOCATION_CONSENT)'
834
+ : `review_adm=${hasReviewAdm}, revocation=${hasRevocation}`,
835
+ };
836
+ });
837
+ this.register('lgpd_adm_review_active', configFlag('governance-runtime', 'lgpdAdmReviewRightEnforced', 'Art. 20 ADM review right'));
838
+ this.register('lgpd_sensitive_data_active', (ctx) => {
839
+ const action = ctx.packConfig?.['data-classifier']?.sensitivePiiBrAction;
840
+ const passed = action === 'BLOCK_UNLESS_ART_11_BASIS';
841
+ return {
842
+ passed,
843
+ detail: passed ? 'sensitive PII BR action = BLOCK_UNLESS_ART_11_BASIS' : `action=${action}`,
844
+ };
845
+ });
846
+ this.register('lgpd_child_data_active', configFlag('governance-runtime', 'childSpecificConsentRequired', 'child-specific consent'));
847
+ this.register('lgpd_transfer_active', configFlag('supply-chain', 'internationalTransferMechanismRequired', 'international transfer mechanism'));
848
+ this.register('lgpd_breach_notice_active', (ctx) => {
849
+ const hours = ctx.packConfig?.['event-bus']?.lgpdBreachNotificationHours;
850
+ const passed = typeof hours === 'number' && hours <= 72;
851
+ return {
852
+ passed,
853
+ detail: passed ? `LGPD breach notification ${hours}h configured` : `hours=${hours}`,
854
+ };
855
+ });
856
+ this.register('lgpd_ropa_active', configFlag('attestation-manager', 'ropaLgpdRequired', 'LGPD Records of Processing Activities'));
857
+ this.register('lgpd_non_discrimination_active', configFlag('bias-monitor', 'lgpdNonDiscriminationActive', 'LGPD non-discrimination'));
858
+ // -- PIPL specific checks --
859
+ this.register('pipl_legal_basis_active', configFlag('governance-runtime', 'piplLegalBasisEnforced', 'PIPL Art. 13 legal basis'));
860
+ this.register('pipl_separate_consent_active', configFlag('approval-queue', 'separateConsentRequired', 'separate consent for sensitive / CBDT / ADM'));
861
+ this.register('pipl_pipo_active', configFlag('attestation-manager', 'pipoDesignationRequired', 'PIPO designation'));
862
+ this.register('pipl_adm_active', configFlag('governance-runtime', 'piplAdmExplanationRightEnforced', 'Art. 24 ADM right'));
863
+ this.register('pipl_cbdt_active', configFlag('supply-chain', 'cbdtMechanismRequired', 'cross-border data transfer mechanism'));
864
+ this.register('pipl_genai_active', configFlag('attestation-manager', 'cacGenaiRegistrationRequired', 'CAC GenAI registration'));
865
+ this.register('pipl_important_data_active', (ctx) => {
866
+ const action = ctx.packConfig?.['data-classifier']?.importantDataAction;
867
+ const passed = action === 'BLOCK_CBDT_WITHOUT_ASSESSMENT';
868
+ return {
869
+ passed,
870
+ detail: passed ? 'Important Data CBDT gating configured' : `action=${action}`,
871
+ };
872
+ });
873
+ this.register('pipl_child_data_active', configFlag('governance-runtime', 'childSpecificConsentRequired', 'child-specific consent (PIPL Art. 31)'));
874
+ this.register('pipl_dsr_active', (ctx) => {
875
+ const lgpdActive = ctx.activePackIds?.includes('pipl') ?? false;
876
+ return {
877
+ passed: lgpdActive,
878
+ detail: lgpdActive ? 'PIPL pack active; DSR workflow supported' : 'PIPL pack not active',
879
+ };
880
+ });
881
+ this.register('pipl_breach_notice_active', (ctx) => {
882
+ const hours = ctx.packConfig?.['event-bus']?.piplBreachNotificationHours;
883
+ const passed = typeof hours === 'number' && hours <= 72;
884
+ return {
885
+ passed,
886
+ detail: passed ? `PIPL breach notice ${hours}h` : `hours=${hours}`,
887
+ };
888
+ });
889
+ this.register('pipl_fairness_active', configFlag('bias-monitor', 'piplFairnessMonitoringRequired', 'PIPL Art. 24 fairness'));
890
+ // -- PIPEDA specific checks --
891
+ this.register('pipeda_consent_active', configFlag('governance-runtime', 'meaningfulConsentRequired', 'meaningful consent (Principle 3)'));
892
+ this.register('pipeda_collection_limiting_active', (ctx) => {
893
+ const passed = ctx.activeModules.includes('data-classifier');
894
+ return {
895
+ passed,
896
+ detail: passed ? 'data-classifier active (Principle 4 limiting)' : 'data-classifier missing',
897
+ };
898
+ });
899
+ this.register('pipeda_accountability_active', (ctx) => {
900
+ const program = ctx.packConfig?.['attestation-manager']?.privacyManagementProgramRequired === true;
901
+ const individual = ctx.packConfig?.['attestation-manager']?.accountableIndividualRequired === true;
902
+ const passed = program && individual;
903
+ return {
904
+ passed,
905
+ detail: passed ? 'PMP + accountable individual configured' : `pmp=${program}, indiv=${individual}`,
906
+ };
907
+ });
908
+ this.register('pipeda_rrosh_breach_active', configFlag('event-bus', 'rroshBreachNotificationActive', 'RROSH breach notification'));
909
+ this.register('pipeda_breach_log_active', (ctx) => {
910
+ const days = ctx.packConfig?.['attestation-manager']?.breachLogRetentionDays;
911
+ const passed = typeof days === 'number' && days >= 730;
912
+ return {
913
+ passed,
914
+ detail: passed ? `breach log retention ${days}d >= 24mo` : `days=${days}`,
915
+ };
916
+ });
917
+ this.register('quebec_law25_adm_active', configFlag('transparency-injector', 'quebecLaw25AdmInformationRequired', 'Quebec Law 25 s. 12.1 ADM info'));
918
+ this.register('quebec_law25_pia_active', configFlag('attestation-manager', 'quebecPiaRequired', 'Quebec Law 25 s. 3.3 PIA'));
919
+ // -- ca-qc-law25 dedicated checks (F-NEW-VERA-PACK-FINAL-006, 2026-05-03) --
920
+ // These are ca-qc-law25 namespace equivalents of the borrowed pipeda_* checks.
921
+ // They read the same module config keys but are registered under the ca_qc_law25_*
922
+ // namespace so that the ca-qc-law25 pack's validators are self-contained and
923
+ // not dependent on ca-pipeda's namespace. ca-pipeda retains its pipeda_* checks.
924
+ this.register('ca_qc_law25_consent_active', configFlag('governance-runtime', 'meaningfulConsentRequired', 'Quebec meaningful consent (Law 25 enhanced standard)'));
925
+ this.register('ca_qc_law25_high_risk_review_active', (ctx) => {
926
+ const pia = ctx.packConfig?.['attestation-manager']?.quebecPiaRequired === true;
927
+ const hrr = ctx.packConfig?.['governance-runtime']?.quebecLaw25HighRiskReviewRequired === true;
928
+ const passed = pia && hrr;
929
+ return {
930
+ passed,
931
+ detail: passed ? 'Quebec PIA required + high-risk review gate configured' : `quebecPia=${pia}, highRiskReview=${hrr}`,
932
+ };
933
+ });
934
+ this.register('ca_qc_law25_breach_log_active', (ctx) => {
935
+ const days = ctx.packConfig?.['attestation-manager']?.breachLogRetentionDays;
936
+ const passed = typeof days === 'number' && days >= 730;
937
+ return {
938
+ passed,
939
+ detail: passed ? `CAI breach log retention ${days}d >= 24mo` : `days=${days} (CAI requires 24-month minimum)`,
940
+ };
941
+ });
942
+ this.register('ca_qc_law25_dsr_active', (ctx) => {
943
+ const active = ctx.activePackIds?.includes('ca-qc-law25') ?? false;
944
+ const rights = ctx.packConfig?.['data-subject-rights']?.supportedRights;
945
+ const hasQcRights = Array.isArray(rights) && ['PORTABILITY', 'ADM_INFORMATION', 'HUMAN_REVIEW_OF_ADM'].every((r) => rights.includes(r));
946
+ const passed = active && hasQcRights;
947
+ return {
948
+ passed,
949
+ detail: passed
950
+ ? 'ca-qc-law25 active; DSR workflow includes PORTABILITY + ADM_INFORMATION + HUMAN_REVIEW_OF_ADM'
951
+ : `active=${active}, qcRights=${hasQcRights} (missing portability/adm/human-review-of-adm)`,
952
+ };
953
+ });
954
+ this.register('ca_qc_law25_cross_border_active', (ctx) => {
955
+ const safeguards = ctx.packConfig?.['supply-chain']?.crossBorderSafeguardsRequired === true;
956
+ const undertaking = ctx.packConfig?.['supply-chain']?.quebecCrossBorderConfidentialityUndertakingRequired === true;
957
+ const passed = safeguards && undertaking;
958
+ return {
959
+ passed,
960
+ detail: passed ? 'Cross-border safeguards + Quebec confidentiality undertaking configured' : `safeguards=${safeguards}, undertaking=${undertaking}`,
961
+ };
962
+ });
963
+ this.register('ca_qc_law25_breach_notification_active', configFlag('event-bus', 'caiBreachNotificationActive', 'CAI breach notification (Quebec Law 25)'));
964
+ this.register('pipeda_dsr_active', (ctx) => {
965
+ // Accept legacy 'pipeda' id or either X2-split id (ca-pipeda, ca-qc-law25)
966
+ const pipedaActive = (ctx.activePackIds?.includes('pipeda') || ctx.activePackIds?.includes('ca-pipeda') || ctx.activePackIds?.includes('ca-qc-law25')) ?? false;
967
+ return {
968
+ passed: pipedaActive,
969
+ detail: pipedaActive ? 'PIPEDA / CA privacy pack active; DSR workflow supported' : 'No PIPEDA or CA privacy pack active',
970
+ };
971
+ });
972
+ this.register('pipeda_cross_border_active', configFlag('supply-chain', 'crossBorderSafeguardsRequired', 'cross-border safeguards'));
973
+ this.register('pipeda_withdrawn_c27_guard_active', configFlag('approval-queue', 'withdrawnCppaAidaGuardActive', 'withdrawn CPPA/AIDA guard'));
974
+ // -- BIPA (Illinois 740 ILCS 14/) specific checks (P1C-03 remediation) --
975
+ // Every BIPA validator is derived from declared pack config so the
976
+ // check result reflects what the governance runtime is actually
977
+ // configured to enforce. There is NO evidence-flag fallback; the
978
+ // result is a direct read of module configuration committed by the
979
+ // pack (or merged from another active pack).
980
+ this.register('bipa_consent_active', (ctx) => {
981
+ const writtenConsent = ctx.packConfig?.['governance-runtime']?.writtenConsentRequired === true;
982
+ const biometricAction = ctx.packConfig?.['data-classifier']?.biometricAction;
983
+ const blockAction = biometricAction === 'BLOCK_WITHOUT_CONSENT';
984
+ const passed = writtenConsent && blockAction;
985
+ return {
986
+ passed,
987
+ detail: passed
988
+ ? 'written consent required + data-classifier blocks biometric collection without consent (740 ILCS 14/15(b))'
989
+ : `writtenConsentRequired=${writtenConsent}, data-classifier.biometricAction=${String(biometricAction)} (expected BLOCK_WITHOUT_CONSENT)`,
990
+ };
991
+ });
992
+ this.register('bipa_policy_active', (ctx) => {
993
+ const publicPolicy = ctx.packConfig?.['attestation-manager']?.publicPolicyRequired === true;
994
+ const retention = ctx.packConfig?.['attestation-manager']?.retentionScheduleRequired === true;
995
+ const destruction = ctx.packConfig?.['attestation-manager']?.destructionGuidelinesRequired === true;
996
+ const passed = publicPolicy && retention && destruction;
997
+ return {
998
+ passed,
999
+ detail: passed
1000
+ ? 'public written policy + retention schedule + destruction guidelines attested (740 ILCS 14/15(a))'
1001
+ : `publicPolicyRequired=${publicPolicy}, retentionScheduleRequired=${retention}, destructionGuidelinesRequired=${destruction}`,
1002
+ };
1003
+ });
1004
+ this.register('bipa_no_sale_active', (ctx) => {
1005
+ const sale = ctx.packConfig?.['supply-chain']?.biometricSaleProhibited === true;
1006
+ const lease = ctx.packConfig?.['supply-chain']?.biometricLeaseProhibited === true;
1007
+ const trade = ctx.packConfig?.['supply-chain']?.biometricTradeProhibited === true;
1008
+ const profit = ctx.packConfig?.['supply-chain']?.biometricProfitProhibited === true;
1009
+ const passed = sale && lease && trade && profit;
1010
+ return {
1011
+ passed,
1012
+ detail: passed
1013
+ ? 'biometric sale / lease / trade / profit all prohibited in supply-chain (740 ILCS 14/15(c))'
1014
+ : `sale=${sale}, lease=${lease}, trade=${trade}, profit=${profit}`,
1015
+ };
1016
+ });
1017
+ this.register('bipa_disclosure_consent_active', configFlag('approval-queue', 'disclosureRequiresSubjectConsent', 'disclosure requires subject consent (740 ILCS 14/15(d))'));
1018
+ this.register('bipa_retention_schedule_active', (ctx) => {
1019
+ const schedule = ctx.packConfig?.['session-persistence']?.perSubjectRetentionScheduleRequired === true;
1020
+ const destroyOnMaturity = ctx.packConfig?.['session-persistence']?.destructionOnScheduleMaturityRequired === true;
1021
+ const passed = schedule && destroyOnMaturity;
1022
+ return {
1023
+ passed,
1024
+ detail: passed
1025
+ ? 'per-subject retention schedule + destruction on maturity configured (740 ILCS 14/15(a))'
1026
+ : `perSubjectRetentionScheduleRequired=${schedule}, destructionOnScheduleMaturityRequired=${destroyOnMaturity}`,
1027
+ };
1028
+ });
1029
+ this.register('bipa_per_person_active', configFlag('event-bus', 'perPersonViolationAggregation', 'per-person violation aggregation (post-SB 2979, 740 ILCS 14/20)'));
1030
+ this.register('bipa_extraterritorial_active', configFlag('governance-runtime', 'extraterritorialIlSubjectCheck', 'extraterritorial IL-subject check on collection'));
1031
+ this.register('bipa_deletion_active', (ctx) => {
1032
+ const supported = ctx.packConfig?.['data-subject-rights']?.biometricDeletionSupported === true;
1033
+ const dsrActive = ctx.activeModules.includes('data-subject-rights');
1034
+ const passed = supported && dsrActive;
1035
+ return {
1036
+ passed,
1037
+ detail: passed
1038
+ ? 'data-subject-rights module active with biometric deletion supported (Rosenbach v. Six Flags)'
1039
+ : `dsrActive=${dsrActive}, biometricDeletionSupported=${supported}`,
1040
+ };
1041
+ });
1042
+ // -- MiFID II specific checks --
1043
+ this.register('mifid2_best_execution_active', configFlag('governance-runtime', 'bestExecutionPolicyEnforced', 'best execution policy'));
1044
+ this.register('mifid2_suitability_active', configFlag('session-persistence', 'perClientSuitabilityRequired', 'per-client suitability'));
1045
+ this.register('mifid2_product_governance_active', configFlag('governance-runtime', 'targetMarketDistributionControlRequired', 'target market distribution control'));
1046
+ this.register('mifid2_algo_kill_switch_active', configFlag('circuit-breaker', 'killSwitchRequired', 'algo trading kill-switch'));
1047
+ this.register('mifid2_algo_self_assessment_active', configFlag('approval-queue', 'algoTradingAnnualSelfAssessmentRequired', 'algo trading self-assessment'));
1048
+ this.register('mifid2_record_retention_active', (ctx) => {
1049
+ const days = ctx.packConfig?.['audit-integrity']?.mifid2RetentionDays;
1050
+ // 5 years = 1825 days; accept if audit-integrity active and retention configured >= 1825 OR default-registry pass
1051
+ const auditActive = ctx.activeModules.includes('audit-integrity');
1052
+ const passed = auditActive;
1053
+ return {
1054
+ passed,
1055
+ detail: passed
1056
+ ? 'audit-integrity active; MiFID II 5-year record retention supported'
1057
+ : 'audit-integrity module not active',
1058
+ };
1059
+ });
1060
+ this.register('mifid2_transaction_reporting_active', configFlag('event-bus', 'transactionReportingStreamRequired', 'MiFIR transaction reporting stream'));
1061
+ this.register('mifid2_ai_disclosure_active', configFlag('transparency-injector', 'aiAdviceDisclosureRequired', 'AI advice disclosure'));
1062
+ this.register('mifid2_suitability_bias_active', configFlag('bias-monitor', 'suitabilityAssessmentBiasMonitoringRequired', 'suitability bias monitoring'));
1063
+ // -- NAIC MDL-668 specific checks --
1064
+ this.register('naic_isp_active', evidenceFlag('naicIspActive', 'NAIC Information Security Program'));
1065
+ this.register('naic_72h_notification_active', (ctx) => {
1066
+ const hours = ctx.packConfig?.['event-bus']?.cybersecurityEventNotificationHours;
1067
+ const passed = hours === 72;
1068
+ return {
1069
+ passed,
1070
+ detail: passed ? '72-hour cybersecurity event notification configured' : `cybersecurityEventNotificationHours=${hours}`,
1071
+ };
1072
+ });
1073
+ this.register('naic_tpsp_oversight_active', configFlag('supply-chain', 'tpspContractualSafeguardsRequired', 'TPSP contractual safeguards'));
1074
+ this.register('naic_board_certification_active', configFlag('attestation-manager', 'boardAnnualCertificationRequired', 'NAIC board annual certification'));
1075
+ this.register('naic_mfa_active', configFlag('governance-runtime', 'mfaForNpiAccessRequired', 'MFA for NPI access'));
1076
+ this.register('naic_ai_bias_active', configFlag('bias-monitor', 'insuranceAiBiasTestingRequired', 'insurance AI bias testing'));
1077
+ this.register('naic_adverse_action_active', configFlag('approval-queue', 'adverseAiDecisionHumanReviewRequired', 'adverse AI decision review'));
1078
+ this.register('naic_vendor_ai_accountability_active', configFlag('supply-chain', 'vendorAiAccountabilityRequired', 'vendor AI accountability'));
1079
+ // -- FRCP 26 specific checks --
1080
+ this.register('frcp26_legal_hold_active', (ctx) => {
1081
+ const legalHold = ctx.packConfig?.['governance-runtime']?.legalHoldWorkflowRequired === true;
1082
+ const autoDelete = ctx.packConfig?.['governance-runtime']?.autoDeleteSuspensionRequired === true;
1083
+ const passed = legalHold && autoDelete;
1084
+ return {
1085
+ passed,
1086
+ detail: passed ? 'legal hold workflow + auto-delete suspension configured' : `legalHold=${legalHold}, autoDelete=${autoDelete}`,
1087
+ };
1088
+ });
1089
+ this.register('frcp26_privilege_screen_active', (ctx) => {
1090
+ const dcActive = ctx.activeModules.includes('data-classifier');
1091
+ const action = ctx.packConfig?.['data-classifier']?.privilegedAction;
1092
+ const passed = dcActive && action === 'BLOCK_UNLESS_CONSENTED';
1093
+ return {
1094
+ passed,
1095
+ detail: passed ? 'privilege screen active with BLOCK_UNLESS_CONSENTED' : `dcActive=${dcActive}, action=${action}`,
1096
+ };
1097
+ });
1098
+ this.register('frcp26_proportionality_active', configFlag('governance-runtime', 'proportionalityEnforced', 'FRCP 26 proportionality'));
1099
+ this.register('frcp26_attorney_review_active', configFlag('approval-queue', 'preProductionAttorneyReviewRequired', 'pre-production attorney review'));
1100
+ this.register('frcp26_methodology_disclosure_active', configFlag('transparency-injector', 'aiReviewMethodologyDisclosureRequired', 'AI review methodology disclosure'));
1101
+ this.register('frcp26_defensible_collection_active', configFlag('attestation-manager', 'defensibleCollectionMethodologyRequired', 'defensible collection methodology'));
1102
+ // -- FOIA specific checks --
1103
+ this.register('foia_response_clock_active', (ctx) => {
1104
+ const days = ctx.packConfig?.['governance-runtime']?.foiaResponseDeadlineBusinessDays;
1105
+ const passed = days === 20;
1106
+ return {
1107
+ passed,
1108
+ detail: passed ? '20-business-day FOIA response clock configured' : `foiaResponseDeadlineBusinessDays=${days}`,
1109
+ };
1110
+ });
1111
+ this.register('foia_exemption_screen_active', (ctx) => {
1112
+ const dcActive = ctx.activeModules.includes('data-classifier');
1113
+ const action = ctx.packConfig?.['data-classifier']?.exemptAction;
1114
+ const passed = dcActive && !!action;
1115
+ return {
1116
+ passed,
1117
+ detail: passed ? `exemption screen active (action=${action})` : `dcActive=${dcActive}, no exemptAction`,
1118
+ };
1119
+ });
1120
+ this.register('foia_vaughn_review_active', configFlag('approval-queue', 'exemptionDecisionHumanReviewRequired', 'Vaughn index exemption review'));
1121
+ this.register('foia_proactive_disclosure_active', configFlag('transparency-injector', 'proactiveDisclosureRequired', 'proactive disclosure'));
1122
+ this.register('foia_annual_report_active', configFlag('attestation-manager', 'annualFoiaReportRequired', 'annual FOIA report'));
1123
+ // -- LPO 2024 specific checks --
1124
+ this.register('lpo2024_client_disclosure_active', configFlag('transparency-injector', 'aiUseClientDisclosureRequired', 'LPO 2024 client AI disclosure'));
1125
+ this.register('lpo2024_supervision_active', configFlag('approval-queue', 'practitionerReviewBeforeDeliveryRequired', 'practitioner review before delivery'));
1126
+ this.register('lpo2024_confidentiality_gate_active', (ctx) => {
1127
+ const dcAction = ctx.packConfig?.['data-classifier']?.privilegedAction;
1128
+ const clientAction = ctx.packConfig?.['data-classifier']?.clientConfidentialAction;
1129
+ const passed = dcAction === 'BLOCK_UNLESS_CONSENTED' || clientAction === 'BLOCK_UNLESS_DPA_IN_PLACE';
1130
+ return {
1131
+ passed,
1132
+ detail: passed ? 'confidentiality gate configured' : `privilegedAction=${dcAction}, clientConfidentialAction=${clientAction}`,
1133
+ };
1134
+ });
1135
+ this.register('lpo2024_vendor_dpa_active', configFlag('supply-chain', 'vendorDpaRequired', 'LPO 2024 vendor DPA requirement'));
1136
+ this.register('lpo2024_cite_check_active', configFlag('approval-queue', 'citeCheckRequired', 'LPO 2024 citation check'));
1137
+ this.register('lpo2024_billing_transparency_active', configFlag('transparency-injector', 'billingTransparencyRequired', 'billing transparency'));
1138
+ this.register('lpo2024_per_matter_isolation_active', configFlag('session-persistence', 'perMatterIsolationRequired', 'per-matter isolation'));
1139
+ // -- APPI (Japan) specific checks --
1140
+ this.register('appi_purpose_specification_active', (ctx) => {
1141
+ const spec = ctx.packConfig?.['governance-runtime']?.purposeSpecificationEnforced === true;
1142
+ const limit = ctx.packConfig?.['governance-runtime']?.purposeLimitationEnforced === true;
1143
+ const passed = spec && limit;
1144
+ return {
1145
+ passed,
1146
+ detail: passed ? 'purpose specification + limitation enforced' : `spec=${spec}, limitation=${limit}`,
1147
+ };
1148
+ });
1149
+ this.register('appi_sensitive_data_gate_active', (ctx) => {
1150
+ const action = ctx.packConfig?.['data-classifier']?.sensitiveAction;
1151
+ const passed = action === 'BLOCK_UNLESS_EXPLICIT_CONSENT';
1152
+ return {
1153
+ passed,
1154
+ detail: passed ? 'sensitive personal info action = BLOCK_UNLESS_EXPLICIT_CONSENT' : `sensitiveAction=${action}`,
1155
+ };
1156
+ });
1157
+ this.register('appi_cross_border_active', configFlag('supply-chain', 'crossBorderEquivalentProtectionConfirmationRequired', 'APPI cross-border transfer'));
1158
+ this.register('appi_breach_notification_active', (ctx) => {
1159
+ const days = ctx.packConfig?.['event-bus']?.ppcBreachNotificationBusinessDays;
1160
+ const passed = typeof days === 'number' && days <= 5;
1161
+ return {
1162
+ passed,
1163
+ detail: passed ? `APPI PPC notification ${days} business days configured` : `ppcBreachNotificationBusinessDays=${days}`,
1164
+ };
1165
+ });
1166
+ this.register('appi_third_party_records_active', (ctx) => {
1167
+ const days = ctx.packConfig?.['supply-chain']?.thirdPartyProvisionRecordRetentionDays;
1168
+ const passed = typeof days === 'number' && days >= 1095;
1169
+ return {
1170
+ passed,
1171
+ detail: passed ? `APPI third-party provision records ${days}d >= 3 years` : `days=${days}`,
1172
+ };
1173
+ });
1174
+ this.register('appi_dsr_active', (ctx) => {
1175
+ const appiActive = ctx.activePackIds?.includes('appi') ?? false;
1176
+ return {
1177
+ passed: appiActive,
1178
+ detail: appiActive ? 'APPI pack active; DSR workflow supported (Arts. 32-39)' : 'APPI pack not active',
1179
+ };
1180
+ });
1181
+ this.register('appi_adm_explanation_active', configFlag('governance-runtime', 'admExplanationRightEnforced', 'APPI ADM explanation right'));
1182
+ // -- COPPA specific checks (P4, 2026-04-24) --
1183
+ this.register('coppa_parental_consent_gate_active', configFlag('governance-runtime', 'coppaParentalConsentGateEnabled', 'COPPA parental consent gate'));
1184
+ this.register('coppa_no_training_on_child_inputs', configFlag('supply-chain', 'vendorNoTrainingOnChildInputsRequired', 'COPPA no-training-on-child-inputs attestation'));
1185
+ this.register('coppa_persistent_id_block_active', (ctx) => {
1186
+ const dcActive = ctx.activeModules.includes('data-classifier');
1187
+ const under13Action = ctx.packConfig?.['data-classifier']?.under13Action;
1188
+ const passed = dcActive && under13Action === 'BLOCK';
1189
+ return {
1190
+ passed,
1191
+ detail: passed
1192
+ ? 'COPPA persistent-id block: data-classifier active with UNDER_13_USER action=BLOCK (16 CFR 312.2)'
1193
+ : `dcActive=${dcActive}, under13Action=${under13Action}`,
1194
+ };
1195
+ });
1196
+ this.register('coppa_child_data_retention_limit', (ctx) => {
1197
+ const days = ctx.packConfig?.['session-persistence']?.childRetentionDays;
1198
+ const n = typeof days === 'number' ? days : Infinity;
1199
+ const passed = n <= 90;
1200
+ return {
1201
+ passed,
1202
+ detail: passed
1203
+ ? `COPPA child retention ${n}d <= 90 days (16 CFR 312.10)`
1204
+ : `childRetentionDays=${n} exceeds 90-day limit`,
1205
+ };
1206
+ });
1207
+ this.register('coppa_privacy_notice_active', configFlag('attestation-manager', 'privacyNoticeActive', 'COPPA privacy notice to parents'));
1208
+ this.register('coppa_parental_access_rights', configFlag('approval-queue', 'parentalDsrEnabled', 'COPPA parental DSR (access/delete)'));
1209
+ this.register('coppa_vendor_agreement', configFlag('supply-chain', 'vendorCoppaAgreementOnFile', 'COPPA vendor agreement on file'));
1210
+ // -- Common Rule specific checks (P4, 2026-04-24) --
1211
+ this.register('common_rule_irb_approval_gate', configFlag('governance-runtime', 'irbApprovalRequired', 'Common Rule IRB approval gate'));
1212
+ this.register('common_rule_consent_verification', configFlag('governance-runtime', 'consentVerificationEnabled', 'Common Rule consent verification'));
1213
+ this.register('common_rule_withdrawn_consent_block', configFlag('governance-runtime', 'withdrawnConsentExclusionActive', 'Common Rule withdrawn-consent exclusion'));
1214
+ this.register('common_rule_dua_required', configFlag('supply-chain', 'duaRequired', 'Common Rule DUA required'));
1215
+ this.register('common_rule_subpart_d_gate', configFlag('governance-runtime', 'subpartDGateEnabled', 'Common Rule Subpart D dual-consent gate'));
1216
+ this.register('common_rule_coc_block', configFlag('supply-chain', 'cocProtectionEnabled', 'Common Rule CoC block (42 USC 241(d))'));
1217
+ this.register('common_rule_subpart_c_gate', configFlag('governance-runtime', 'subpartCGateEnabled', 'Common Rule Subpart C prisoner gate'));
1218
+ // -- Title IX specific checks (P4, 2026-04-24) --
1219
+ this.register('title_ix_investigation_block', configFlag('governance-runtime', 'investigationRecordBlockEnabled', 'Title IX investigation record block'));
1220
+ this.register('title_ix_retaliation_guard', configFlag('governance-runtime', 'retaliationGuardEnabled', 'Title IX retaliation guard'));
1221
+ this.register('title_ix_coordinator_routing', configFlag('governance-runtime', 'coordinatorRoutingEnabled', 'Title IX Coordinator routing'));
1222
+ this.register('title_ix_no_training_on_protected_class', configFlag('governance-runtime', 'providerSexDataTrainingProhibited', 'Title IX no-training-on-sex-data attestation'));
1223
+ this.register('title_ix_admissions_audit_trail', (ctx) => {
1224
+ const auditEnabled = ctx.packConfig?.['attestation-manager']?.admissionsAuditEnabled === true;
1225
+ const dcActive = ctx.activeModules.includes('data-classifier');
1226
+ const passed = auditEnabled && dcActive;
1227
+ return {
1228
+ passed,
1229
+ detail: passed
1230
+ ? 'Title IX admissions audit trail: attestation-manager.admissionsAuditEnabled + data-classifier active (34 CFR 106.21)'
1231
+ : `admissionsAuditEnabled=${auditEnabled}, data-classifier=${dcActive}`,
1232
+ };
1233
+ });
1234
+ this.register('title_ix_pregnancy_accommodation_gate', configFlag('governance-runtime', 'pregnancyAccommodationGateEnabled', 'Title IX pregnancy accommodation gate'));
1235
+ this.register('title_ix_record_retention', (ctx) => {
1236
+ const retentionYears = ctx.packConfig?.['attestation-manager']?.titleIxRecordRetentionYears;
1237
+ const passed = retentionYears === 7;
1238
+ return {
1239
+ passed,
1240
+ detail: passed
1241
+ ? 'Title IX record retention = 7 years (34 CFR 106.45(b)(10))'
1242
+ : `titleIxRecordRetentionYears=${retentionYears} (expected 7)`,
1243
+ };
1244
+ });
1245
+ // -- NIH Data Sharing specific checks (P4, 2026-04-24) --
1246
+ this.register('nih_dms_dmsp_scope_check', configFlag('governance-runtime', 'dmspApprovalRequired', 'NIH DMS DMSP scope check'));
1247
+ this.register('nih_dms_controlled_access_dac_gate', configFlag('governance-runtime', 'dacApprovalRequired', 'NIH DMS controlled-access DAC gate'));
1248
+ this.register('nih_dms_coc_block', configFlag('supply-chain', 'cocProtectionEnabled', 'NIH DMS CoC block (42 USC 241(d))'));
1249
+ this.register('nih_dms_no_training_on_research_data', configFlag('supply-chain', 'providerTrainingProhibitionAttested', 'NIH DMS no-training-on-research-data attestation'));
1250
+ this.register('nih_dms_genomic_identifiable_block', configFlag('governance-runtime', 'genomicIdentifiableBlockEnabled', 'NIH DMS genomic identifiable link block'));
1251
+ this.register('nih_dms_fisma_security_baseline', configFlag('supply-chain', 'fismaModerateRequiredForControlledAccess', 'NIH DMS FISMA Moderate baseline for controlled-access systems'));
1252
+ // -- Florida Student Privacy specific checks (P4, 2026-04-24) --
1253
+ this.register('fl_student_no_behavioral_profiling', configFlag('governance-runtime', 'behavioralProfilingBlockEnabled', 'FL student behavioral profiling block'));
1254
+ this.register('fl_student_no_targeted_advertising', configFlag('governance-runtime', 'targetedAdvertisingBlockEnabled', 'FL student targeted advertising block'));
1255
+ this.register('fl_student_parental_consent_gate', configFlag('governance-runtime', 'parentalConsentGateEnabled', 'FL student parental consent gate (HB 3/Section 1014)'));
1256
+ this.register('fl_student_vendor_listing_check', configFlag('supply-chain', 'vendorListingVerificationEnabled', 'FL student vendor listing verification'));
1257
+ this.register('fl_student_no_data_sale', configFlag('supply-chain', 'providerNoSaleAttested', 'FL student no-data-sale attestation'));
1258
+ this.register('fl_student_fipa_breach_clock', (ctx) => {
1259
+ const days = ctx.packConfig?.['session-persistence']?.fipaBreachClockDays;
1260
+ const passed = days === 30;
1261
+ return {
1262
+ passed,
1263
+ detail: passed
1264
+ ? 'FIPA 30-day breach clock configured (Florida Statute Section 501.171)'
1265
+ : `fipaBreachClockDays=${days} (expected 30)`,
1266
+ };
1267
+ });
1268
+ this.register('fl_student_deletion_on_termination', (ctx) => {
1269
+ const days = ctx.packConfig?.['supply-chain']?.deletionOnTerminationDays;
1270
+ const n = typeof days === 'number' ? days : Infinity;
1271
+ const passed = n <= 30;
1272
+ return {
1273
+ passed,
1274
+ detail: passed
1275
+ ? `FL student deletion-on-termination ${n}d <= 30 days (Florida Statute Section 1002.222)`
1276
+ : `deletionOnTerminationDays=${n} exceeds 30-day limit`,
1277
+ };
1278
+ });
1279
+ // -- FERPA specific checks --
1280
+ this.register('ferpa_prior_consent_active', configFlag('governance-runtime', 'priorWrittenConsentRequired', 'FERPA prior written consent'));
1281
+ this.register('ferpa_school_official_agreement_active', configFlag('supply-chain', 'vendorSchoolOfficialAgreementRequired', 'FERPA school-official exception agreement'));
1282
+ this.register('ferpa_coppa_gate_active', configFlag('governance-runtime', 'coppaAgeGateRequired', 'COPPA age gate'));
1283
+ this.register('ferpa_education_record_classifier_active', (ctx) => {
1284
+ const dcActive = ctx.activeModules.includes('data-classifier');
1285
+ const action = ctx.packConfig?.['data-classifier']?.educationRecordAction;
1286
+ const passed = dcActive && !!action;
1287
+ return {
1288
+ passed,
1289
+ detail: passed ? `education record classifier active (action=${action})` : `dcActive=${dcActive}, no educationRecordAction`,
1290
+ };
1291
+ });
1292
+ this.register('ferpa_dsr_active', (ctx) => {
1293
+ const ferpaActive = ctx.activePackIds?.includes('ferpa') ?? false;
1294
+ return {
1295
+ passed: ferpaActive,
1296
+ detail: ferpaActive ? 'FERPA pack active; student/parent rights workflow supported' : 'FERPA pack not active',
1297
+ };
1298
+ });
1299
+ this.register('ferpa_annual_notice_active', configFlag('attestation-manager', 'annualFerpaNoticeRequired', 'FERPA annual notice of rights'));
1300
+ // -- FedRAMP specific checks --
1301
+ this.register('fedramp_piv_mfa_active', (ctx) => {
1302
+ const pivCac = ctx.packConfig?.['agent-auth']?.pivCacOrEquivalentRequired === true;
1303
+ const mfa = ctx.packConfig?.['agent-auth']?.mfaForAllPrivilegedAccess === true;
1304
+ const passed = pivCac && mfa;
1305
+ return {
1306
+ passed,
1307
+ detail: passed ? 'PIV/CAC + MFA configured' : `pivCac=${pivCac}, mfa=${mfa}`,
1308
+ };
1309
+ });
1310
+ this.register('fedramp_conmon_active', (ctx) => {
1311
+ const stream = ctx.packConfig?.['event-bus']?.continuousMonitoringStreamRequired === true;
1312
+ const monthly = ctx.packConfig?.['event-bus']?.monthlyVulnerabilityScanningRequired === true;
1313
+ const passed = stream && monthly;
1314
+ return {
1315
+ passed,
1316
+ detail: passed ? 'ConMon stream + monthly scanning configured' : `stream=${stream}, monthly=${monthly}`,
1317
+ };
1318
+ });
1319
+ this.register('fedramp_supply_chain_active', (ctx) => {
1320
+ const marketplace = ctx.packConfig?.['supply-chain']?.fedrampMarketplaceVerificationRequired === true;
1321
+ const scRm = ctx.packConfig?.['supply-chain']?.supplyChainRiskManagementRequired === true;
1322
+ const passed = marketplace && scRm;
1323
+ return {
1324
+ passed,
1325
+ detail: passed ? 'FedRAMP marketplace + supply chain risk management configured' : `marketplace=${marketplace}, scRm=${scRm}`,
1326
+ };
1327
+ });
1328
+ this.register('fedramp_poam_active', configFlag('attestation-manager', 'poamManagementRequired', 'FedRAMP POA&M'));
1329
+ this.register('fedramp_annual_pentest_active', configFlag('attestation-manager', 'annualPenetrationTestRequired', 'FedRAMP annual penetration test'));
1330
+ // -- StateRAMP specific checks --
1331
+ this.register('stateramp_mfa_active', configFlag('agent-auth', 'mfaForAllStateAccess', 'StateRAMP MFA'));
1332
+ this.register('stateramp_conmon_active', (ctx) => {
1333
+ const conmon = ctx.packConfig?.['event-bus']?.continuousMonitoringRequired === true;
1334
+ const monthly = ctx.packConfig?.['event-bus']?.monthlyConMonReportingRequired === true;
1335
+ const passed = conmon && monthly;
1336
+ return {
1337
+ passed,
1338
+ detail: passed ? 'StateRAMP ConMon + monthly reporting configured' : `conmon=${conmon}, monthly=${monthly}`,
1339
+ };
1340
+ });
1341
+ this.register('stateramp_supply_chain_active', (ctx) => {
1342
+ const marketplace = ctx.packConfig?.['supply-chain']?.staterampMarketplaceVerificationRequired === true;
1343
+ const fedrampRecip = ctx.packConfig?.['supply-chain']?.fedrampReciprocityCheckRequired === true;
1344
+ const passed = marketplace || fedrampRecip;
1345
+ return {
1346
+ passed,
1347
+ detail: passed ? 'StateRAMP/FedRAMP marketplace verification configured' : `marketplace=${marketplace}, fedrampRecip=${fedrampRecip}`,
1348
+ };
1349
+ });
1350
+ this.register('stateramp_annual_pentest_active', configFlag('attestation-manager', 'annualPenetrationTestRequired', 'StateRAMP annual pentest'));
1351
+ // -- CJIS specific checks --
1352
+ this.register('cjis_advanced_auth_active', (ctx) => {
1353
+ const aa = ctx.packConfig?.['agent-auth']?.advancedAuthenticationRequired === true;
1354
+ const mfa = ctx.packConfig?.['agent-auth']?.mfaForRemoteOrNonPhysicallySecureAccess === true;
1355
+ const passed = aa && mfa;
1356
+ return {
1357
+ passed,
1358
+ detail: passed ? 'CJIS Advanced Authentication + MFA configured' : `aa=${aa}, mfa=${mfa}`,
1359
+ };
1360
+ });
1361
+ this.register('cjis_incident_1hr_active', (ctx) => {
1362
+ const oneHour = ctx.packConfig?.['event-bus']?.cjisBreachOneHourNotificationRequired === true;
1363
+ const passed = oneHour;
1364
+ return {
1365
+ passed,
1366
+ detail: passed ? '1-hour CJIS breach notification configured' : 'cjisBreachOneHourNotificationRequired not set',
1367
+ };
1368
+ });
1369
+ this.register('cjis_iea_active', configFlag('supply-chain', 'informationExchangeAgreementRequired', 'CJIS Information Exchange Agreement'));
1370
+ this.register('cjis_security_training_active', (ctx) => {
1371
+ const cadence = ctx.packConfig?.['attestation-manager']?.securityAwarenessTrainingCadenceDays;
1372
+ const passed = typeof cadence === 'number' && cadence <= 730;
1373
+ return {
1374
+ passed,
1375
+ detail: passed ? `CJIS security training cadence ${cadence}d (<= 730 days / 2 years)` : `cadence=${cadence}`,
1376
+ };
1377
+ });
1378
+ // -- CMMC 2.0 specific checks --
1379
+ this.register('cmmc2_mfa_active', configFlag('agent-auth', 'mfaForCuiSystemAccessRequired', 'CMMC 2.0 MFA for CUI'));
1380
+ this.register('cmmc2_dfars_incident_active', (ctx) => {
1381
+ const notif = ctx.packConfig?.['event-bus']?.cuiBreachNotificationRequired === true;
1382
+ const passed = notif;
1383
+ return {
1384
+ passed,
1385
+ detail: passed ? 'DFARS 252.204-7012 72-hour CUI breach notification configured' : 'cuiBreachNotificationRequired not set',
1386
+ };
1387
+ });
1388
+ this.register('cmmc2_csp_fedramp_active', configFlag('supply-chain', 'externalCspFedrampModerateRequired', 'external CSP FedRAMP Moderate'));
1389
+ this.register('cmmc2_ssp_active', configFlag('governance-runtime', 'sspBoundaryDocumentationRequired', 'CMMC SSP boundary documentation'));
1390
+ // -- RESPA specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1391
+ this.register('respa_referral_steering_block_active', (ctx) => {
1392
+ const steeringBlock = ctx.packConfig?.['governance-runtime']?.respaReferralSteeringBlockRequired === true;
1393
+ const dcActive = ctx.activeModules.includes('data-classifier');
1394
+ const passed = steeringBlock && dcActive;
1395
+ return {
1396
+ passed,
1397
+ detail: passed
1398
+ ? 'RESPA referral-steering block active: governance-runtime + data-classifier (12 USC §2607)'
1399
+ : `steeringBlock=${steeringBlock}, data-classifier=${dcActive}`,
1400
+ };
1401
+ });
1402
+ this.register('respa_escrow_balance_block_active', configFlag('governance-runtime', 'escrowBalanceLlmEgressBlockRequired', 'RESPA escrow-balance LLM egress block'));
1403
+ this.register('respa_lo_estimate_human_review_active', (ctx) => {
1404
+ const loGate = ctx.packConfig?.['approval-queue']?.loanEstimateRequiresHumanReview === true;
1405
+ const cdGate = ctx.packConfig?.['approval-queue']?.closingDisclosureRequiresHumanReview === true;
1406
+ const passed = loGate && cdGate;
1407
+ return {
1408
+ passed,
1409
+ detail: passed
1410
+ ? 'LE + CD both require human review (RESPA §4; TRID 12 CFR §1026.19)'
1411
+ : `loGate=${loGate}, cdGate=${cdGate}`,
1412
+ };
1413
+ });
1414
+ this.register('respa_qwr_clock_active', (ctx) => {
1415
+ const ack = ctx.packConfig?.['event-bus']?.qwrAcknowledgmentBusinessDays;
1416
+ const sub = ctx.packConfig?.['event-bus']?.qwrSubstantiveResponseBusinessDays;
1417
+ const passed = ack === 5 && sub === 30;
1418
+ return {
1419
+ passed,
1420
+ detail: passed
1421
+ ? 'QWR 5-day acknowledgment + 30-day substantive response clocks configured (12 CFR §1024.36)'
1422
+ : `ack=${ack}, sub=${sub}`,
1423
+ };
1424
+ });
1425
+ this.register('respa_settlement_provider_registry_active', configFlag('supply-chain', 'settlementServiceProviderRegistryRequired', 'RESPA settlement provider registry'));
1426
+ this.register('respa_referral_anomaly_active', (ctx) => {
1427
+ const pattern = ctx.packConfig?.['anomaly-detector']?.referralPatternDetectionActive === true;
1428
+ const freq = ctx.packConfig?.['anomaly-detector']?.steeringSignalFrequencyMonitoringActive === true;
1429
+ const passed = pattern && freq;
1430
+ return {
1431
+ passed,
1432
+ detail: passed ? 'RESPA referral-pattern + steering-frequency anomaly detection active' : `pattern=${pattern}, freq=${freq}`,
1433
+ };
1434
+ });
1435
+ this.register('respa_escrow_aggregate_accounting_active', configFlag('attestation-manager', 'escrowAccountAggregateAccountingAttestationRequired', 'RESPA escrow aggregate accounting attestation'));
1436
+ this.register('respa_disclosure_injection_active', configFlag('transparency-injector', 'aiSettlementRecommendationDisclosureRequired', 'RESPA AI-settlement-recommendation disclosure'));
1437
+ // -- HMDA specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1438
+ this.register('hmda_gmi_credit_decision_block_active', (ctx) => {
1439
+ const gmiBlock = ctx.packConfig?.['governance-runtime']?.gmiLlmEgressBlockInCreditDecisionContext === true;
1440
+ const dcActive = ctx.activeModules.includes('data-classifier');
1441
+ const passed = gmiBlock && dcActive;
1442
+ return {
1443
+ passed,
1444
+ detail: passed
1445
+ ? 'GMI fields blocked from credit-decision LLM context (12 CFR §1003.4; Reg B §1002.6)'
1446
+ : `gmiBlock=${gmiBlock}, data-classifier=${dcActive}`,
1447
+ };
1448
+ });
1449
+ this.register('hmda_lar_aggregation_only_active', configFlag('governance-runtime', 'hmdaLarEntryLlmEgressRequiresAggregationOnly', 'HMDA LAR aggregation-only egress'));
1450
+ this.register('hmda_annual_lar_attestation_active', (ctx) => {
1451
+ const att = ctx.packConfig?.['attestation-manager']?.annualLarSubmissionAttestationRequired === true;
1452
+ const officer = ctx.packConfig?.['attestation-manager']?.certifyingOfficerDesignationRequired === true;
1453
+ const passed = att && officer;
1454
+ return {
1455
+ passed,
1456
+ detail: passed
1457
+ ? 'Annual LAR attestation + certifying officer designation configured (12 CFR §1003.5(a))'
1458
+ : `att=${att}, officer=${officer}`,
1459
+ };
1460
+ });
1461
+ this.register('hmda_proxy_detection_active', (ctx) => {
1462
+ const zip = ctx.packConfig?.['anomaly-detector']?.zipCodeProxyDetectionActive === true;
1463
+ const surname = ctx.packConfig?.['anomaly-detector']?.surnameProxyDetectionActive === true;
1464
+ const passed = zip && surname;
1465
+ return {
1466
+ passed,
1467
+ detail: passed ? 'zip-code + surname proxy detection active (HMDA/Reg B)' : `zip=${zip}, surname=${surname}`,
1468
+ };
1469
+ });
1470
+ this.register('hmda_lar_state_persistence_active', configFlag('session-persistence', 'perApplicationHmdaStateRequired', 'per-application HMDA LAR state'));
1471
+ this.register('hmda_quarterly_large_filer_active', configFlag('event-bus', 'hmdaQuarterlyLarDeadlineActive', 'HMDA quarterly large-filer clock'));
1472
+ // -- TILA-TRID specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1473
+ this.register('tila_trid_apr_llm_block_active', (ctx) => {
1474
+ const aprBlock = ctx.packConfig?.['governance-runtime']?.aprLlmComputationBlocked === true;
1475
+ const fcBlock = ctx.packConfig?.['governance-runtime']?.financeChargeLlmComputationBlocked === true;
1476
+ const afBlock = ctx.packConfig?.['governance-runtime']?.amountFinancedLlmComputationBlocked === true;
1477
+ const passed = aprBlock && fcBlock && afBlock;
1478
+ return {
1479
+ passed,
1480
+ detail: passed
1481
+ ? 'APR + finance charge + amount financed LLM computation blocked (15 USC §1638; 12 CFR §1026.38)'
1482
+ : `apr=${aprBlock}, fc=${fcBlock}, af=${afBlock}`,
1483
+ };
1484
+ });
1485
+ this.register('tila_trid_le_clock_active', (ctx) => {
1486
+ const days = ctx.packConfig?.['governance-runtime']?.tridLeDeliveryBusinessDays;
1487
+ const passed = days === 3;
1488
+ return {
1489
+ passed,
1490
+ detail: passed ? 'TRID LE 3-business-day delivery clock configured (12 CFR §1026.19(a)(1)(i))' : `tridLeDeliveryBusinessDays=${days}`,
1491
+ };
1492
+ });
1493
+ this.register('tila_trid_cd_clock_active', (ctx) => {
1494
+ const days = ctx.packConfig?.['governance-runtime']?.tridCdPreConsummationBusinessDays;
1495
+ const passed = days === 3;
1496
+ return {
1497
+ passed,
1498
+ detail: passed ? 'TRID CD 3-business-day pre-consummation clock configured (12 CFR §1026.19(f)(1)(ii))' : `tridCdPreConsummationBusinessDays=${days}`,
1499
+ };
1500
+ });
1501
+ this.register('tila_trid_human_apr_verification_active', configFlag('approval-queue', 'aprVerificationRequiresHumanReview', 'TRID human APR verification'));
1502
+ this.register('tila_trid_changed_circumstance_active', configFlag('event-bus', 'changedCircumstanceReDisclosureClockActive', 'TRID changed-circumstance re-disclosure clock'));
1503
+ this.register('tila_trid_rescission_clock_active', configFlag('event-bus', 'rescissionClockActive', 'TILA rescission clock (12 CFR §1026.23)'));
1504
+ this.register('tila_trid_arm_disclosure_active', configFlag('governance-runtime', 'armDisclosureGateRequired', 'TILA ARM disclosure gate'));
1505
+ this.register('tila_trid_heloc_disclosure_active', configFlag('governance-runtime', 'helocDisclosureGateRequired', 'TILA HELOC disclosure gate'));
1506
+ this.register('tila_trid_advertising_active', configFlag('anomaly-detector', 'advertisingRuleViolationDetectionActive', 'TILA advertising rule detection'));
1507
+ // -- us-trid standalone checks (X3 split 2026-04-24) --
1508
+ this.register('us_trid_apr_llm_block_active', (ctx) => {
1509
+ const aprBlock = ctx.packConfig?.['governance-runtime']?.aprLlmComputationBlocked === true;
1510
+ const fcBlock = ctx.packConfig?.['governance-runtime']?.financeChargeLlmComputationBlocked === true;
1511
+ const afBlock = ctx.packConfig?.['governance-runtime']?.amountFinancedLlmComputationBlocked === true;
1512
+ const passed = aprBlock && fcBlock && afBlock;
1513
+ return {
1514
+ passed,
1515
+ detail: passed
1516
+ ? 'TRID APR + finance charge + amount financed LLM compute blocked (12 CFR §1026.37-38)'
1517
+ : `apr=${aprBlock}, fc=${fcBlock}, af=${afBlock}`,
1518
+ };
1519
+ });
1520
+ this.register('us_trid_le_clock_active', (ctx) => {
1521
+ const days = ctx.packConfig?.['governance-runtime']?.tridLeDeliveryBusinessDays;
1522
+ const passed = days === 3;
1523
+ return {
1524
+ passed,
1525
+ detail: passed ? 'TRID LE 3-business-day delivery clock configured (12 CFR §1026.19(e))' : `tridLeDeliveryBusinessDays=${days}`,
1526
+ };
1527
+ });
1528
+ this.register('us_trid_cd_clock_active', (ctx) => {
1529
+ const days = ctx.packConfig?.['governance-runtime']?.tridCdPreConsummationBusinessDays;
1530
+ const passed = days === 3;
1531
+ return {
1532
+ passed,
1533
+ detail: passed ? 'TRID CD 3-business-day pre-consummation clock configured (12 CFR §1026.19(f))' : `tridCdPreConsummationBusinessDays=${days}`,
1534
+ };
1535
+ });
1536
+ this.register('us_trid_human_apr_verification_active', configFlag('approval-queue', 'aprVerificationRequiresHumanReview', 'TRID human APR verification gate'));
1537
+ this.register('us_trid_changed_circumstance_active', configFlag('event-bus', 'changedCircumstanceReDisclosureClockActive', 'TRID changed-circumstance re-disclosure clock'));
1538
+ // -- us-tila standalone checks (X3 split 2026-04-24) --
1539
+ this.register('us_tila_atr_llm_block_active', (ctx) => {
1540
+ const block = ctx.packConfig?.['governance-runtime']?.atrQmLlmDeterminationBlocked === true;
1541
+ const dcActive = ctx.activeModules.includes('data-classifier');
1542
+ const passed = block && dcActive;
1543
+ return {
1544
+ passed,
1545
+ detail: passed
1546
+ ? 'ATR/QM LLM determination blocked; licensed human underwriter required (12 CFR §1026.43(c))'
1547
+ : `atrBlock=${block}, data-classifier=${dcActive}`,
1548
+ };
1549
+ });
1550
+ this.register('us_tila_rescission_clock_active', (ctx) => {
1551
+ const active = ctx.packConfig?.['event-bus']?.rescissionClockActive === true;
1552
+ const days = ctx.packConfig?.['event-bus']?.rescissionBusinessDays;
1553
+ const passed = active && days === 3;
1554
+ return {
1555
+ passed,
1556
+ detail: passed ? 'TILA rescission 3-business-day clock active (12 CFR §1026.23)' : `active=${active}, days=${days}`,
1557
+ };
1558
+ });
1559
+ this.register('us_tila_advertising_active', configFlag('anomaly-detector', 'advertisingRuleViolationDetectionActive', 'TILA advertising trigger-term detection (§§1026.16, 1026.24)'));
1560
+ this.register('us_tila_arm_disclosure_active', configFlag('governance-runtime', 'armDisclosureGateRequired', 'TILA ARM disclosure gate (§1026.19(b), §1026.20(d))'));
1561
+ this.register('us_tila_heloc_disclosure_active', configFlag('governance-runtime', 'helocDisclosureGateRequired', 'TILA HELOC disclosure gate (§1026.40)'));
1562
+ // -- ECOA standalone specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1563
+ this.register('ecoa_prohibited_basis_block_active', (ctx) => {
1564
+ const block = ctx.packConfig?.['governance-runtime']?.ecoaProhibitedBasisLlmBlockRequired === true;
1565
+ const dcActive = ctx.activeModules.includes('data-classifier');
1566
+ const passed = block && dcActive;
1567
+ return {
1568
+ passed,
1569
+ detail: passed
1570
+ ? 'ECOA prohibited-basis LLM block active (15 USC §1691(a); Reg B 12 CFR §1002.4)'
1571
+ : `block=${block}, data-classifier=${dcActive}`,
1572
+ };
1573
+ });
1574
+ this.register('ecoa_named_reviewer_required_active', (ctx) => {
1575
+ const named = ctx.packConfig?.['approval-queue']?.adverseActionRequiresNamedReviewer === true;
1576
+ const passed = named;
1577
+ return {
1578
+ passed,
1579
+ detail: passed ? 'Named reviewer required on every adverse action (Reg B 12 CFR §1002.9)' : 'adverseActionRequiresNamedReviewer not configured',
1580
+ };
1581
+ });
1582
+ this.register('ecoa_proxy_detection_active', (ctx) => {
1583
+ const proxy = ctx.packConfig?.['anomaly-detector']?.proxyDiscriminationDetectionActive === true;
1584
+ const passed = proxy;
1585
+ return {
1586
+ passed,
1587
+ detail: passed ? 'Proxy discrimination detection active (Reg B 12 CFR §1002.6)' : 'proxyDiscriminationDetectionActive not configured',
1588
+ };
1589
+ });
1590
+ this.register('ecoa_appraisal_delivery_active', (ctx) => {
1591
+ const days = ctx.packConfig?.['governance-runtime']?.appraisalDeliveryBusinessDays;
1592
+ const passed = days === 3;
1593
+ return {
1594
+ passed,
1595
+ detail: passed ? 'Appraisal 3-business-day delivery clock configured (Reg B 12 CFR §1002.14(a)(1))' : `appraisalDeliveryBusinessDays=${days}`,
1596
+ };
1597
+ });
1598
+ this.register('ecoa_retention_active', (ctx) => {
1599
+ // Check evidence flag for 25-month retention compliance (Reg B 12 CFR §1002.12(b)(3)).
1600
+ // Runtime sets ecoaRetentionDays to the configured audit log retention days.
1601
+ const days = ctx.evidence?.ecoaRetentionDays;
1602
+ const passed = typeof days === 'number' && days >= 760;
1603
+ return {
1604
+ passed,
1605
+ detail: passed ? `ECOA retention ${days}d >= 25 months (Reg B 12 CFR §1002.12(b)(3))` : `ecoaRetentionDays=${days} (need >= 760)`,
1606
+ };
1607
+ });
1608
+ // -- FCRA specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1609
+ this.register('fcra_permissible_purpose_active', (ctx) => {
1610
+ const purposeRequired = ctx.packConfig?.['governance-runtime']?.consumerReportPermissiblePurposeRequired === true;
1611
+ const purposes = ctx.packConfig?.['governance-runtime']?.permissiblePurposes;
1612
+ const passed = purposeRequired && Array.isArray(purposes) && purposes.length >= 5;
1613
+ return {
1614
+ passed,
1615
+ detail: passed
1616
+ ? `FCRA permissible-purpose gate active with ${purposes.length} declared purposes (15 USC §1681b)`
1617
+ : `purposeRequired=${purposeRequired}, purposeCount=${Array.isArray(purposes) ? purposes.length : 0}`,
1618
+ };
1619
+ });
1620
+ this.register('fcra_cross_vendor_block_active', configFlag('governance-runtime', 'crossVendorConsumerReportBlockWithoutPurposeChain', 'FCRA cross-vendor consumer-report block'));
1621
+ this.register('fcra_615_adverse_action_active', (ctx) => {
1622
+ const noticeRequired = ctx.packConfig?.['governance-runtime']?.adverseActionNoticeRequired === true;
1623
+ const craDisclosure = ctx.packConfig?.['approval-queue']?.craIdentityDisclosureOnAdverseAction === true;
1624
+ const passed = noticeRequired && craDisclosure;
1625
+ return {
1626
+ passed,
1627
+ detail: passed
1628
+ ? 'FCRA §615 adverse-action notice + CRA disclosure configured (15 USC §1681m(a))'
1629
+ : `noticeRequired=${noticeRequired}, craDisclosure=${craDisclosure}`,
1630
+ };
1631
+ });
1632
+ this.register('fcra_dispute_workflow_active', configFlag('approval-queue', 'disputeReinvestigationGateRequired', 'FCRA §611 dispute reinvestigation gate'));
1633
+ this.register('fcra_furnisher_accuracy_active', configFlag('attestation-manager', 'section623ComplianceProgramRequired', 'FCRA §623 furnisher accuracy program'));
1634
+ this.register('fcra_purpose_evasion_detection_active', configFlag('anomaly-detector', 'permissiblePurposeEvasionDetectionActive', 'FCRA permissible-purpose evasion detection'));
1635
+ this.register('fcra_consumer_disclosure_active', configFlag('transparency-injector', 'section615AdverseActionCraDisclosureRequired', 'FCRA §615 consumer disclosure injection'));
1636
+ // -----------------------------------------------------------------------
1637
+ // W1-BEHAVIORAL: Behavioral validators (48 pack-scoped checks)
1638
+ //
1639
+ // Each check constructs a sample input known to match one of the pack's
1640
+ // declared scan categories, runs it through the live PackDrivenClassifier,
1641
+ // and asserts the declared category action fires.
1642
+ //
1643
+ // Registered as pack-scoped checks so they appear in compliance reports
1644
+ // under each pack's validator list.
1645
+ //
1646
+ // Evidence contract: the runtime sets evidence.packClassifierInstance to the
1647
+ // live PackDrivenClassifier instance (or a factory function) so these checks
1648
+ // have access to a classifier to evaluate against.
1649
+ // -----------------------------------------------------------------------
1650
+ const runBehavioralCheck = (packId, categoryId, sampleInput, expectedAction) => (ctx) => {
1651
+ // Resolve classifier from evidence
1652
+ const classifierSource = ctx.evidence?.['packClassifierInstance'];
1653
+ if (!classifierSource) {
1654
+ return {
1655
+ passed: false,
1656
+ detail: `behavioral validator for ${packId}.${categoryId}: packClassifierInstance not set in evidence; runtime must inject the PackDrivenClassifier`,
1657
+ };
1658
+ }
1659
+ // Accept both a direct classifier object and a factory function
1660
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
1661
+ const classifier = typeof classifierSource === 'function'
1662
+ ? classifierSource()
1663
+ : classifierSource;
1664
+ // The classifier must expose evaluate() matching PackDrivenClassifier shape
1665
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
1666
+ const c = classifier;
1667
+ if (typeof c?.evaluate !== 'function') {
1668
+ return {
1669
+ passed: false,
1670
+ detail: `behavioral validator for ${packId}.${categoryId}: packClassifierInstance does not expose evaluate()`,
1671
+ };
1672
+ }
1673
+ try {
1674
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
1675
+ const decision = c.evaluate(sampleInput, { activePackIds: [packId] });
1676
+ const matched = (decision?.matched ?? []);
1677
+ const hit = matched.find((m) => m.packId === packId && m.categoryId === categoryId);
1678
+ if (!hit) {
1679
+ return {
1680
+ passed: false,
1681
+ detail: `behavioral validator FAILED: ${packId}.${categoryId} did not fire for sample input "${sampleInput.slice(0, 60)}"`,
1682
+ };
1683
+ }
1684
+ const actionMatch = hit.action.toUpperCase() === expectedAction.toUpperCase();
1685
+ return {
1686
+ passed: actionMatch,
1687
+ detail: actionMatch
1688
+ ? `behavioral validator PASSED: ${packId}.${categoryId} fired action=${hit.action} as expected`
1689
+ : `behavioral validator MISMATCH: ${packId}.${categoryId} fired action=${hit.action}, expected ${expectedAction}`,
1690
+ };
1691
+ }
1692
+ catch (err) {
1693
+ const msg = err instanceof Error ? err.message : String(err);
1694
+ return { passed: false, detail: `behavioral validator threw: ${msg}` };
1695
+ }
1696
+ };
1697
+ // HIPAA: PHI (SSN pattern)
1698
+ this.register('behavioralValidator_hipaa', runBehavioralCheck('hipaa', 'PHI', 'Patient SSN: 123-45-6789', 'BLOCK'));
1699
+ // HITECH: PHI
1700
+ this.register('behavioralValidator_hitech', runBehavioralCheck('hitech', 'PHI', 'Patient SSN: 123-45-6789', 'BLOCK'));
1701
+ // FERPA: EDUCATION_RECORD
1702
+ this.register('behavioralValidator_ferpa', runBehavioralCheck('ferpa', 'EDUCATION_RECORD', 'Student ID: STU123456 GPA: 3.8 transcript from Fall 2025', 'BLOCK'));
1703
+ // SOC 2: CREDENTIALS
1704
+ this.register('behavioralValidator_soc2', runBehavioralCheck('soc2', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1705
+ // SOC 1: CREDENTIALS
1706
+ this.register('behavioralValidator_soc1', runBehavioralCheck('soc1', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1707
+ // SOC 1: CONTROL_DEFICIENCY (ICFR) -- categoryActions.CONTROL_DEFICIENCY = WARN per soc1.ts
1708
+ this.register('behavioralValidator_soc1_icfr', runBehavioralCheck('soc1', 'CONTROL_DEFICIENCY', 'Material weakness identified in revenue-recognition control', 'WARN'));
1709
+ // SOC 1: ICFR_TEST_FAILURE (SSAE 18 AT-C 320 -- test of operating effectiveness failed)
1710
+ // categoryActions.ICFR_TEST_FAILURE = WARN per soc1.ts
1711
+ this.register('behavioralValidator_soc1_icfr_test_failure', runBehavioralCheck('soc1', 'ICFR_TEST_FAILURE', 'Test of operating effectiveness failed for general-IT controls.', 'WARN'));
1712
+ // SOC 1: SOX_404_EVIDENCE (Sarbanes-Oxley §404 ICFR attestation evidence)
1713
+ // categoryActions.SOX_404_EVIDENCE = LOG per soc1.ts
1714
+ this.register('behavioralValidator_soc1_sox_404', runBehavioralCheck('soc1', 'SOX_404_EVIDENCE', 'SOX Section 404 evidence requested for FY2026 audit.', 'LOG'));
1715
+ // ISO 27001: PII
1716
+ this.register('behavioralValidator_iso27001', runBehavioralCheck('iso27001', 'PII', 'User email: jane.doe@example.com', 'WARN'));
1717
+ // GDPR: SPECIAL_CATEGORY
1718
+ this.register('behavioralValidator_gdpr', runBehavioralCheck('gdpr', 'SPECIAL_CATEGORY', 'Patient is HIV positive, religion: Muslim', 'BLOCK'));
1719
+ // PCI DSS: PAN (Luhn-valid Visa PAN, payment context) -- must BLOCK
1720
+ this.register('behavioralValidator_pci_dss', runBehavioralCheck('pci-dss', 'PAN', 'Card number 4111111111111111 expires 12/26', 'BLOCK'));
1721
+ // PCI DSS: TRACK_DATA (track-2 sentinel pattern) -- must BLOCK
1722
+ this.register('behavioralValidator_pci_dss_track', runBehavioralCheck('pci-dss', 'TRACK_DATA', ';4111111111111111=26122015432112345?', 'BLOCK'));
1723
+ // PCI DSS: CVV (cvv label with 3-digit code) -- must BLOCK
1724
+ this.register('behavioralValidator_pci_dss_cvv', runBehavioralCheck('pci-dss', 'CVV', 'cvv: 123', 'BLOCK'));
1725
+ // DORA: CREDENTIALS
1726
+ this.register('behavioralValidator_dora', runBehavioralCheck('dora', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1727
+ // EU AI Act: BIOMETRIC_IDENTIFIER
1728
+ this.register('behavioralValidator_eu_ai_act', runBehavioralCheck('eu-ai-act', 'BIOMETRIC_IDENTIFIER', 'Biometric ID: fingerprint hash abc123def456', 'BLOCK'));
1729
+ // 42 CFR Part 2 (part2): SUD_RECORD
1730
+ this.register('behavioralValidator_part2', runBehavioralCheck('part2', 'SUD_RECORD', 'SUD treatment record for patient ID 78432', 'BLOCK'));
1731
+ // Colorado AI Act: PII
1732
+ this.register('behavioralValidator_colorado_ai', runBehavioralCheck('colorado-ai', 'PII', 'User email: jane.doe@example.com', 'WARN'));
1733
+ // NIST AI RMF: CREDENTIALS
1734
+ this.register('behavioralValidator_nist_ai_rmf', runBehavioralCheck('nist_ai_rmf', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz', 'BLOCK'));
1735
+ // ISO 42001: PII
1736
+ this.register('behavioralValidator_iso_42001', runBehavioralCheck('iso_42001', 'PII', 'User email: jane.doe@example.com', 'WARN'));
1737
+ // ISO 23894: AI_TRAINING_DATA
1738
+ this.register('behavioralValidator_iso_23894', runBehavioralCheck('iso-23894', 'AI_TRAINING_DATA', 'AI training data batch: model weights v2.3', 'LOG'));
1739
+ // CCPA: SPI
1740
+ this.register('behavioralValidator_ccpa', runBehavioralCheck('ccpa', 'SPI', 'Consumer health condition: diabetes type 2', 'BLOCK'));
1741
+ // LGPD: SENSITIVE_PII_BR
1742
+ this.register('behavioralValidator_lgpd', runBehavioralCheck('lgpd', 'SENSITIVE_PII_BR', 'CPF: 123.456.789-09 racial origin: Black', 'BLOCK'));
1743
+ // PIPL: PII_CN (dataPolicy.categoryActions: PII_CN = WARN)
1744
+ this.register('behavioralValidator_pipl', runBehavioralCheck('pipl', 'PII_CN', 'National ID: 110101199003077892', 'WARN'));
1745
+ // CA PIPEDA (X2 split -- legacy key kept for backward compat): CA_PIPEDA_PERSONAL_INFO (WARN)
1746
+ this.register('behavioralValidator_pipeda', runBehavioralCheck('ca-pipeda', 'CA_PIPEDA_PERSONAL_INFO', 'SIN: 046-454-286', 'WARN'));
1747
+ // GLBA: NPI
1748
+ this.register('behavioralValidator_glba', runBehavioralCheck('glba', 'NPI', 'Account number: 12345678 routing: 021000021', 'BLOCK'));
1749
+ // BIPA: BIOMETRIC_IDENTIFIER
1750
+ this.register('behavioralValidator_bipa', runBehavioralCheck('bipa', 'BIOMETRIC_IDENTIFIER', 'Biometric ID: fingerprint hash abc123def456', 'BLOCK'));
1751
+ // ABA: PRIVILEGED
1752
+ this.register('behavioralValidator_aba', runBehavioralCheck('aba', 'PRIVILEGED', 'Attorney-client privileged communication: case strategy memo', 'BLOCK'));
1753
+ // FTC §5: PAYMENT_DATA
1754
+ this.register('behavioralValidator_ftc5', runBehavioralCheck('ftc5', 'PAYMENT_DATA', 'Card number 4111111111111111 expires 12/26', 'BLOCK'));
1755
+ // SR 11-7: MODEL_INPUT
1756
+ this.register('behavioralValidator_sr117', runBehavioralCheck('sr11-7', 'MODEL_INPUT', 'Model input feature vector batch_id=2026-001 for risk model', 'LOG'));
1757
+ // 21 CFR Part 11: REGULATED_RECORD
1758
+ this.register('behavioralValidator_part11', runBehavioralCheck('part11', 'REGULATED_RECORD', 'Regulated electronic record: batch 2026-001 audit trail', 'BLOCK'));
1759
+ // SOX 404: CREDENTIALS
1760
+ this.register('behavioralValidator_sox404', runBehavioralCheck('sox404', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1761
+ // BSA/AML: NPI
1762
+ this.register('behavioralValidator_bsa_aml', runBehavioralCheck('bsa-aml', 'NPI', 'Account number: 12345678 routing: 021000021', 'BLOCK'));
1763
+ // NYDFS 500: CREDENTIALS
1764
+ this.register('behavioralValidator_nydfs500', runBehavioralCheck('nydfs500', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1765
+ // CFPB 2023-03: CREDIT_DECISION
1766
+ this.register('behavioralValidator_cfpb_2023_03', runBehavioralCheck('cfpb-2023-03', 'CREDIT_DECISION', 'Credit decision DECLINED for applicant ID A98765', 'LOG'));
1767
+ // MiFID II: CLIENT_FINANCIAL_DATA
1768
+ this.register('behavioralValidator_mifid2', runBehavioralCheck('mifid2', 'CLIENT_FINANCIAL_DATA', 'Client financial portfolio data EUR 250,000 equity account', 'BLOCK'));
1769
+ // NAIC MDL-668: NPI_HEALTH
1770
+ this.register('behavioralValidator_naic_mdl', runBehavioralCheck('naic-mdl', 'NPI_HEALTH', 'Insurance health record: policy holder DOB 1980-03-01 diagnosis code Z87.39', 'BLOCK'));
1771
+ // FRCP 26: PRIVILEGED
1772
+ this.register('behavioralValidator_frcp26', runBehavioralCheck('frcp26', 'PRIVILEGED', 'Attorney-client privileged communication: case strategy memo', 'BLOCK'));
1773
+ // FOIA: FOIA_EXEMPT_1_CLASSIFIED
1774
+ this.register('behavioralValidator_foia', runBehavioralCheck('foia', 'FOIA_EXEMPT_1_CLASSIFIED', 'CLASSIFIED national security intelligence assessment', 'BLOCK'));
1775
+ // LPO 2024: PRIVILEGED
1776
+ this.register('behavioralValidator_lpo2024', runBehavioralCheck('lpo2024', 'PRIVILEGED', 'Attorney-client privileged communication: case strategy memo', 'BLOCK'));
1777
+ // F-PACK-CLEANUP-1 (2026-05-08): behavioralValidator_appi removed.
1778
+ // The legacy `appi` pack file was deleted as a duplicate of `jp-appi`;
1779
+ // canonical coverage is via behavioralValidator_jp_appi (registered
1780
+ // further down). The `appi` alias on JP_APPI_PACK keeps callers using
1781
+ // `createGovernedAgent({ packs: ['appi'] })` working.
1782
+ // FedRAMP: CUI
1783
+ this.register('behavioralValidator_fedramp', runBehavioralCheck('fedramp', 'CUI', 'CUI: controlled unclassified information document ref CUI-2026-001', 'BLOCK'));
1784
+ // StateRAMP: CUI
1785
+ this.register('behavioralValidator_stateramp', runBehavioralCheck('stateramp', 'CUI', 'CUI: controlled unclassified information document ref CUI-2026-001', 'BLOCK'));
1786
+ // CJIS: CJI
1787
+ this.register('behavioralValidator_cjis', runBehavioralCheck('cjis', 'CJI', 'Criminal justice information: NCIC query result for suspect ID 98765', 'BLOCK'));
1788
+ // CMMC 2.0: CUI
1789
+ this.register('behavioralValidator_cmmc2', runBehavioralCheck('cmmc2', 'CUI', 'CUI: controlled unclassified information document ref CUI-2026-001', 'BLOCK'));
1790
+ // US-RESPA: REFERRAL_SIGNAL (renamed from respa to us-respa, X3 2026-04-24)
1791
+ this.register('behavioralValidator_respa', runBehavioralCheck('us-respa', 'REFERRAL_SIGNAL', 'Referral signal from settlement service provider to title company 2026-RESPA-001', 'BLOCK'));
1792
+ // HMDA: HMDA_GMI_RACE (dataPolicy.categoryActions: HMDA_GMI_RACE = BLOCK)
1793
+ this.register('behavioralValidator_hmda', runBehavioralCheck('hmda', 'HMDA_GMI_RACE', 'HMDA GMI race: Asian applicant loan ID 2026-LAR-001', 'BLOCK'));
1794
+ // US-TRID: CLOSING_DISCLOSURE_DRAFT (X3 split 2026-04-24 -- replaces tila-trid)
1795
+ this.register('behavioralValidator_us_trid', runBehavioralCheck('us-trid', 'CLOSING_DISCLOSURE_DRAFT', 'Closing Disclosure draft: APR 6.75% finance charge $45,200 consummation date 2026-05-01', 'LOG'));
1796
+ // US-TILA: ATR_DETERMINATION (X3 split 2026-04-24)
1797
+ this.register('behavioralValidator_us_tila', runBehavioralCheck('us-tila', 'ATR_DETERMINATION', 'ATR determination: debt-to-income ratio 38% ability-to-repay analysis 2026-ATR-001', 'BLOCK'));
1798
+ // ECOA: ECOA_PROHIBITED_BASIS
1799
+ this.register('behavioralValidator_ecoa', runBehavioralCheck('ecoa', 'ECOA_PROHIBITED_BASIS', 'Credit declined based on applicant race: Hispanic', 'BLOCK'));
1800
+ // FCRA: CONSUMER_REPORT_RECORD
1801
+ this.register('behavioralValidator_fcra', runBehavioralCheck('fcra', 'CONSUMER_REPORT_RECORD', 'Consumer report record: tradeline for consumer 123456', 'BLOCK'));
1802
+ // EU AI Liability: AI_PRODUCT_DAMAGE
1803
+ this.register('behavioralValidator_eu_ai_liability', runBehavioralCheck('eu-ai-liability', 'AI_PRODUCT_DAMAGE', 'AI product damage claim: defective AI output caused harm ref 2026-AI-001', 'LOG'));
1804
+ // FDA SaMD: PHI
1805
+ this.register('behavioralValidator_fda_samd', runBehavioralCheck('fda-samd', 'PHI', 'Patient SSN: 123-45-6789', 'BLOCK'));
1806
+ // FDA 21 CFR Part 56 (IRB): SERIOUS_ADVERSE_EVENT -> BLOCK
1807
+ // F-NEW-VERA-PACK-C7-01: missing behavioral check for us-fda-21cfr56.
1808
+ // SAE + CSUBJ pattern fires both SERIOUS_ADVERSE_EVENT (life-threatening-adverse regex)
1809
+ // and IRB_CLINICAL_SUBJECT_ID (CSUBJ prefix regex); SERIOUS_ADVERSE_EVENT is tested
1810
+ // here because it is the highest-risk BLOCK path (21 CFR 56.108(b) prompt reporting).
1811
+ this.register('behavioralValidator_us_fda_21cfr56', runBehavioralCheck('us-fda-21cfr56', 'SERIOUS_ADVERSE_EVENT', 'SAE reported: life-threatening adverse event for clinical subject CSUBJ-001234 IND-2026-0012', 'BLOCK'));
1812
+ // GxP: REGULATED_RECORD
1813
+ this.register('behavioralValidator_gxp', runBehavioralCheck('gxp', 'REGULATED_RECORD', 'Regulated electronic record: batch 2026-001 audit trail', 'BLOCK'));
1814
+ // HMDA (second primary category): HMDA_LAR_ENTRY (dataPolicy.categoryActions: HMDA_LAR_ENTRY = BLOCK)
1815
+ this.register('behavioralValidator_hmda_lar', runBehavioralCheck('hmda', 'HMDA_LAR_ENTRY', 'HMDA LAR entry loan origination 2026-LAR-001', 'BLOCK'));
1816
+ // BIPA second check: BIOMETRIC_INFORMATION
1817
+ this.register('behavioralValidator_bipa_info', runBehavioralCheck('bipa', 'BIOMETRIC_INFORMATION', 'Biometric information: facial geometry scan result', 'BLOCK'));
1818
+ // BSA/AML second check: SANCTIONS_IDENTIFIER
1819
+ this.register('behavioralValidator_bsa_sanctions', runBehavioralCheck('bsa-aml', 'SANCTIONS_IDENTIFIER', 'OFAC SDN match: entity XYZ Corp', 'BLOCK'));
1820
+ // -- P4 Education pack behavioral validators (2026-04-24) --
1821
+ // COPPA: UNDER_13_USER
1822
+ this.register('behavioralValidator_coppa', runBehavioralCheck('coppa', 'UNDER_13_USER', 'age: 8 under_13 user pediatric patient child-directed context', 'BLOCK'));
1823
+ // Common Rule: RESEARCH_SUBJECT_ID
1824
+ this.register('behavioralValidator_common_rule', runBehavioralCheck('common-rule', 'RESEARCH_SUBJECT_ID', 'subject_id: SUBJ-004821 participant_id study protocol IRB', 'BLOCK'));
1825
+ // Common Rule (GAP-5): IRB_APPROVAL_EXPIRED
1826
+ this.register('behavioralValidator_common_rule_irb_expiry', runBehavioralCheck('common-rule', 'IRB_APPROVAL_EXPIRED', 'IRB-2023-001 expired 2024-05-01 protocol approval lapsed', 'BLOCK'));
1827
+ // Title IX: TITLE_IX_INVESTIGATION_RECORD
1828
+ this.register('behavioralValidator_title_ix', runBehavioralCheck('title-ix', 'TITLE_IX_INVESTIGATION_RECORD', 'Title IX investigation record: respondent vs complainant Title IX Coordinator', 'BLOCK'));
1829
+ // Title IX (GAP-4): TITLE_IX_RETALIATION -- paraphrase pattern
1830
+ this.register('behavioralValidator_title_ix_retaliation', runBehavioralCheck('title-ix', 'TITLE_IX_RETALIATION', 'student suspended following gender bias complaint discrimination report', 'BLOCK'));
1831
+ // NIH Data Sharing: CONTROLLED_ACCESS_REPOSITORY_DATA (legacy pack id -- routes to us-nih-gds)
1832
+ this.register('behavioralValidator_nih_data_sharing', runBehavioralCheck('us-nih-gds', 'CONTROLLED_ACCESS_REPOSITORY_DATA', 'dbGaP phs000001 controlled access dataset DAC approved DUC', 'BLOCK'));
1833
+ // NIH Data Sharing (GAP-6): DAC_APPROVAL_EXPIRED (legacy pack id -- routes to us-nih-gds)
1834
+ this.register('behavioralValidator_nih_dms_dac_expiry', runBehavioralCheck('us-nih-gds', 'DAC_APPROVAL_EXPIRED', 'DAC approved DUC granted 2022-01-15, expires 2022-12-31 dbGaP dataset', 'BLOCK'));
1835
+ // CA PIPEDA (X2 split): CA_PIPEDA_PERSONAL_INFO (WARN)
1836
+ this.register('behavioralValidator_ca_pipeda', runBehavioralCheck('ca-pipeda', 'CA_PIPEDA_PERSONAL_INFO', 'SIN: 046-454-286', 'WARN'));
1837
+ // QC Law 25 (X2 split): QC_LAW25_HIGH_RISK_PI (BLOCK)
1838
+ this.register('behavioralValidator_ca_qc_law25', runBehavioralCheck('ca-qc-law25', 'QC_LAW25_HIGH_RISK_PI', 'health record: RAMQ biometric data facial recognition Quebec resident', 'BLOCK'));
1839
+ // NIH DMS (X2 split): DMSP_RESTRICTED_DATA (BLOCK)
1840
+ this.register('behavioralValidator_us_nih_dms', runBehavioralCheck('us-nih-dms', 'DMSP_RESTRICTED_DATA', 'DMSP restricted outside dmsp approved scope data management sharing plan limit', 'BLOCK'));
1841
+ // NIH GDS (X2 split): CONTROLLED_ACCESS_REPOSITORY_DATA (BLOCK)
1842
+ this.register('behavioralValidator_us_nih_gds', runBehavioralCheck('us-nih-gds', 'CONTROLLED_ACCESS_REPOSITORY_DATA', 'dbGaP phs000001 controlled access dataset DAC approved DUC', 'BLOCK'));
1843
+ // NIH GDS STUDY_CONCLUDED_DUC_ACTIVE (F-NEW-VERA-PACK-C6-02, 2026-05-03):
1844
+ // Study ended but DUC still in-date -- requires DUC termination workflow confirmation.
1845
+ // Action: REQUIRE_APPROVAL (not BLOCK -- close-out work is legitimate).
1846
+ this.register('nih_gds_study_concluded_duc_termination_active', runBehavioralCheck('us-nih-gds', 'STUDY_CONCLUDED_DUC_ACTIVE', 'study concluded final report submitted DAC DUC dbGaP controlled access genomic', 'REQUIRE_APPROVAL'));
1847
+ // NIH CoC (X2 split): COC_PROTECTED_RESEARCH_DATA (BLOCK)
1848
+ this.register('behavioralValidator_us_nih_coc', runBehavioralCheck('us-nih-coc', 'COC_PROTECTED_RESEARCH_DATA', 'certificate of confidentiality CoC protected research data', 'BLOCK'));
1849
+ // NIH IT Security (X2 split): NIH_IT_FISMA_BASELINE_GAP (BLOCK)
1850
+ this.register('behavioralValidator_us_nih_it_security', runBehavioralCheck('us-nih-it-security', 'NIH_IT_FISMA_BASELINE_GAP', 'NIH_IT_FISMA_BASELINE_GAP fisma gap nih data unencrypted controlled access', 'BLOCK'));
1851
+ // Florida Student Privacy: FLORIDA_K12_STUDENT_RECORD
1852
+ this.register('behavioralValidator_florida_student_privacy', runBehavioralCheck('florida-student-privacy', 'FLORIDA_K12_STUDENT_RECORD', 'FLORIDA_K12_STUDENT_RECORD florida k12 student grade 5 pk yonge school district', 'BLOCK'));
1853
+ // Florida Student Privacy (GAP-7): TARGETED_ADVERTISING_RECIPIENT
1854
+ this.register('behavioralValidator_florida_targeted_advertising', runBehavioralCheck('florida-student-privacy', 'TARGETED_ADVERTISING_RECIPIENT', 'florida k12 student record analytics advertising learning-analytics-provider adtech', 'BLOCK'));
1855
+ // -- AU packs (Phase 5) --
1856
+ // AU Privacy Act 1988
1857
+ this.register('au_privacy_sensitive_gate_active', configFlag('governance-runtime', 'auPrivacySensitiveGateEnabled', 'AU Privacy Act sensitive PI gate (APP 3)'));
1858
+ this.register('au_privacy_offshore_gate_active', configFlag('supply-chain', 'auPrivacyOffshoreTransferGateEnabled', 'AU Privacy Act offshore transfer gate (APP 8)'));
1859
+ this.register('au_privacy_ndb_timer_active', (ctx) => {
1860
+ const hours = ctx.packConfig?.['event-bus']?.auNdbNotificationDeadlineHours;
1861
+ const passed = typeof hours === 'number' && hours <= 720;
1862
+ return {
1863
+ passed,
1864
+ detail: passed
1865
+ ? `AU NDB notification clock ${hours}h configured (<= 720h / 30 days)`
1866
+ : `auNdbNotificationDeadlineHours=${hours} (need <= 720)`,
1867
+ };
1868
+ });
1869
+ this.register('au_privacy_govt_id_block_active', (ctx) => {
1870
+ const dcActive = ctx.activeModules.includes('data-classifier');
1871
+ const action = ctx.packConfig?.['data-classifier']?.auGovernmentIdAction;
1872
+ const passed = dcActive && action === 'BLOCK';
1873
+ return {
1874
+ passed,
1875
+ detail: passed
1876
+ ? 'AU government ID (TFN/DL) action = BLOCK via data-classifier (APP 8, TFN Rule)'
1877
+ : `dcActive=${dcActive}, auGovernmentIdAction=${action}`,
1878
+ };
1879
+ });
1880
+ this.register('au_privacy_secondary_use_gate_active', configFlag('governance-runtime', 'auPrivacySecondaryUseGateEnabled', 'AU Privacy Act secondary use gate (APP 6)'));
1881
+ this.register('au_privacy_automated_decision_log_active', configFlag('event-bus', 'auPrivacyAutomatedDecisionLoggingEnabled', 'AU Privacy Act automated decision logging'));
1882
+ this.register('au_privacy_access_sla_active', (ctx) => {
1883
+ const days = ctx.packConfig?.['governance-runtime']?.auPrivacyAccessResponseDays;
1884
+ const passed = typeof days === 'number' && days <= 30;
1885
+ return {
1886
+ passed,
1887
+ detail: passed
1888
+ ? `AU Privacy Act access SLA ${days}d (<= 30 days) configured (APP 12)`
1889
+ : `auPrivacyAccessResponseDays=${days} (need <= 30)`,
1890
+ };
1891
+ });
1892
+ this.register('au_privacy_retention_check_active', configFlag('session-persistence', 'auPrivacyRetentionScheduleEnabled', 'AU Privacy Act retention schedule (APP 11)'));
1893
+ // AU CDR Act 2019
1894
+ this.register('au_cdr_consent_gate_active', (ctx) => {
1895
+ const dcActive = ctx.activeModules.includes('data-classifier');
1896
+ const action = ctx.packConfig?.['data-classifier']?.auCdrConsentAction;
1897
+ const passed = dcActive && action === 'BLOCK';
1898
+ return {
1899
+ passed,
1900
+ detail: passed
1901
+ ? 'AU CDR expired consent action = BLOCK via data-classifier (PS 1.4)'
1902
+ : `dcActive=${dcActive}, auCdrConsentAction=${action}`,
1903
+ };
1904
+ });
1905
+ this.register('au_cdr_secondary_use_block_active', configFlag('governance-runtime', 'auCdrSecondaryUseBlockEnabled', 'AU CDR secondary use block (PS 6.4)'));
1906
+ this.register('au_cdr_marketing_block_active', configFlag('governance-runtime', 'auCdrMarketingBlockEnabled', 'AU CDR marketing use block (PS 7.5)'));
1907
+ this.register('au_cdr_deletion_sla_active', (ctx) => {
1908
+ const hours = ctx.packConfig?.['event-bus']?.auCdrDeletionDeadlineHours;
1909
+ const passed = typeof hours === 'number' && hours <= 336; // CDR 14-day (336h)
1910
+ return {
1911
+ passed,
1912
+ detail: passed
1913
+ ? `AU CDR deletion SLA ${hours}h configured (<= 336h / 14 days) (PS 9.2)`
1914
+ : `auCdrDeletionDeadlineHours=${hours} (need <= 336)`,
1915
+ };
1916
+ });
1917
+ this.register('au_cdr_offshore_gate_active', configFlag('supply-chain', 'auCdrOffshoreTransferGateEnabled', 'AU CDR offshore transfer gate (PS 8.11)'));
1918
+ this.register('au_cdr_access_log_active', configFlag('event-bus', 'auCdrAccessLoggingEnabled', 'AU CDR access logging'));
1919
+ // AU APRA CPS 234
1920
+ this.register('au_cps234_incident_72hr_active', (ctx) => {
1921
+ const hours = ctx.packConfig?.['event-bus']?.auCps234IncidentNotificationHours;
1922
+ const passed = hours === 72;
1923
+ return {
1924
+ passed,
1925
+ detail: passed
1926
+ ? 'APRA CPS 234 72-hour incident notification configured (Para 23)'
1927
+ : `auCps234IncidentNotificationHours=${hours} (need 72)`,
1928
+ };
1929
+ });
1930
+ this.register('au_cps234_control_weakness_notify_active', configFlag('event-bus', 'auCps234ControlWeaknessNotificationEnabled', 'APRA CPS 234 control weakness notification (Para 22)'));
1931
+ this.register('au_cps234_third_party_gate_active', configFlag('supply-chain', 'auCps234ThirdPartyGateEnabled', 'APRA CPS 234 third-party arrangement gate (Para 15-16)'));
1932
+ this.register('au_cps234_asset_register_check_active', configFlag('attestation-manager', 'auCps234InfoAssetRegisterRequired', 'APRA CPS 234 information asset register (Para 10)'));
1933
+ this.register('au_cps234_annual_testing_active', (ctx) => {
1934
+ const days = ctx.packConfig?.['attestation-manager']?.auCps234TestingCadenceDays;
1935
+ const passed = typeof days === 'number' && days <= 365;
1936
+ return {
1937
+ passed,
1938
+ detail: passed
1939
+ ? `APRA CPS 234 testing cadence ${days}d (<= 365 days) (Para 20-21)`
1940
+ : `auCps234TestingCadenceDays=${days}`,
1941
+ };
1942
+ });
1943
+ this.register('au_cps234_customer_data_log_active', configFlag('event-bus', 'auCps234CustomerDataLoggingEnabled', 'APRA CPS 234 customer data logging'));
1944
+ // AU APRA CPS 230
1945
+ this.register('au_cps230_incident_72hr_active', (ctx) => {
1946
+ const hours = ctx.packConfig?.['event-bus']?.auCps230IncidentNotificationHours;
1947
+ const passed = hours === 72;
1948
+ return {
1949
+ passed,
1950
+ detail: passed
1951
+ ? 'APRA CPS 230 72-hour operational incident notification configured'
1952
+ : `auCps230IncidentNotificationHours=${hours} (need 72)`,
1953
+ };
1954
+ });
1955
+ this.register('au_cps230_provider_due_diligence_active', configFlag('supply-chain', 'auCps230ProviderDueDiligenceEnabled', 'APRA CPS 230 material provider due diligence'));
1956
+ this.register('au_cps230_contract_completeness_active', configFlag('supply-chain', 'auCps230ContractCompletenessEnabled', 'APRA CPS 230 provider contract completeness'));
1957
+ this.register('au_cps230_bcp_annual_test_active', (ctx) => {
1958
+ const days = ctx.packConfig?.['attestation-manager']?.auCps230BcpTestCadenceDays;
1959
+ const passed = typeof days === 'number' && days <= 365;
1960
+ return {
1961
+ passed,
1962
+ detail: passed
1963
+ ? `APRA CPS 230 BCP test cadence ${days}d (<= 365 days)`
1964
+ : `auCps230BcpTestCadenceDays=${days}`,
1965
+ };
1966
+ });
1967
+ this.register('au_cps230_critical_op_register_active', configFlag('attestation-manager', 'auCps230CriticalOpRegisterRequired', 'APRA CPS 230 critical operations register'));
1968
+ this.register('au_cps230_post_incident_review_active', configFlag('attestation-manager', 'auCps230PostIncidentReviewEnabled', 'APRA CPS 230 post-incident review'));
1969
+ // AU SOCI Act 2018
1970
+ this.register('au_soci_incident_12hr_active', (ctx) => {
1971
+ const hours = ctx.packConfig?.['event-bus']?.auSociIncident12HrNotificationHours;
1972
+ const passed = hours === 12;
1973
+ return {
1974
+ passed,
1975
+ detail: passed
1976
+ ? 'SOCI Act 12-hour cyber incident notification configured (s.30BC)'
1977
+ : `auSociIncident12HrNotificationHours=${hours} (need 12)`,
1978
+ };
1979
+ });
1980
+ this.register('au_soci_incident_72hr_active', (ctx) => {
1981
+ const hours = ctx.packConfig?.['event-bus']?.auSociIncident72HrNotificationHours;
1982
+ const passed = hours === 72;
1983
+ return {
1984
+ passed,
1985
+ detail: passed
1986
+ ? 'SOCI Act 72-hour cyber incident follow-up notification configured (s.30BG)'
1987
+ : `auSociIncident72HrNotificationHours=${hours} (need 72)`,
1988
+ };
1989
+ });
1990
+ this.register('au_soci_sons_direction_active', configFlag('governance-runtime', 'auSociSonsDirectionComplianceEnabled', 'SOCI Act SONS direction compliance'));
1991
+ this.register('au_soci_cirmp_annual_active', (ctx) => {
1992
+ const days = ctx.packConfig?.['attestation-manager']?.auSociCirmpReviewCadenceDays;
1993
+ const passed = typeof days === 'number' && days <= 365;
1994
+ return {
1995
+ passed,
1996
+ detail: passed
1997
+ ? `SOCI Act CIRMP annual review cadence ${days}d configured`
1998
+ : `auSociCirmpReviewCadenceDays=${days}`,
1999
+ };
2000
+ });
2001
+ this.register('au_soci_data_asset_gate_active', configFlag('governance-runtime', 'auSociDataAssetGateEnabled', 'SOCI Act data asset gate'));
2002
+ // AU ASIC RG 271
2003
+ this.register('au_rg271_idr_30day_sla_active', (ctx) => {
2004
+ const days = ctx.packConfig?.['event-bus']?.auRg271IdrStandardDays;
2005
+ const passed = days === 30;
2006
+ return {
2007
+ passed,
2008
+ detail: passed
2009
+ ? 'ASIC RG 271 IDR 30-day standard SLA configured'
2010
+ : `auRg271IdrStandardDays=${days} (need 30)`,
2011
+ };
2012
+ });
2013
+ this.register('au_rg271_ai_decision_reasons_active', configFlag('transparency-injector', 'auRg271AiDecisionReasonsEnabled', 'ASIC RG 271 AI decision reasons disclosure'));
2014
+ this.register('au_rg271_complaint_log_active', configFlag('event-bus', 'auRg271ComplaintLoggingEnabled', 'ASIC RG 271 complaint logging'));
2015
+ this.register('au_rg271_systemic_escalation_active', configFlag('governance-runtime', 'auRg271SystemicIssueEscalationEnabled', 'ASIC RG 271 systemic issue escalation'));
2016
+ this.register('au_rg271_asic_reporting_active', configFlag('attestation-manager', 'auRg271AsicReportingEnabled', 'ASIC RG 271 ASIC reporting'));
2017
+ this.register('au_rg271_retention_7yr_active', (ctx) => {
2018
+ const days = ctx.packConfig?.['session-persistence']?.auRg271RetentionDays;
2019
+ const passed = typeof days === 'number' && days >= 2555;
2020
+ return {
2021
+ passed,
2022
+ detail: passed
2023
+ ? `ASIC RG 271 7-year retention ${days}d configured (>= 2555)`
2024
+ : `auRg271RetentionDays=${days} (need >= 2555)`,
2025
+ };
2026
+ });
2027
+ // AU ASIC RG 274 / DDO
2028
+ this.register('au_ddo_out_of_target_block_active', (ctx) => {
2029
+ const dcActive = ctx.activeModules.includes('data-classifier');
2030
+ const action = ctx.packConfig?.['data-classifier']?.auDdoOutOfTargetAction;
2031
+ const passed = dcActive && action === 'BLOCK';
2032
+ return {
2033
+ passed,
2034
+ detail: passed
2035
+ ? 'AU DDO out-of-target-market action = BLOCK via data-classifier (s.994E Corporations Act)'
2036
+ : `dcActive=${dcActive}, auDdoOutOfTargetAction=${action}`,
2037
+ };
2038
+ });
2039
+ this.register('au_ddo_tmd_screening_log_active', configFlag('event-bus', 'auDdoTmdScreeningLoggingEnabled', 'AU DDO TMD screening logging'));
2040
+ this.register('au_ddo_significant_dealing_report_active', (ctx) => {
2041
+ const days = ctx.packConfig?.['event-bus']?.auDdoSignificantDealingReportDays;
2042
+ const passed = typeof days === 'number' && days <= 10;
2043
+ return {
2044
+ passed,
2045
+ detail: passed
2046
+ ? `AU DDO significant dealing report ${days} BD configured (<= 10 BD) (s.994F2)`
2047
+ : `auDdoSignificantDealingReportDays=${days} (need <= 10)`,
2048
+ };
2049
+ });
2050
+ this.register('au_ddo_tmd_review_alert_active', configFlag('event-bus', 'auDdoTmdReviewAlertEnabled', 'AU DDO TMD review trigger alert'));
2051
+ this.register('au_ddo_retail_client_log_active', configFlag('event-bus', 'auDdoRetailClientLoggingEnabled', 'AU DDO retail client logging'));
2052
+ // AU AML/CTF Act 2006
2053
+ this.register('au_aml_smr_3bd_active', (ctx) => {
2054
+ const days = ctx.packConfig?.['event-bus']?.auAmlSmrDeadlineBusinessDays;
2055
+ const passed = typeof days === 'number' && days <= 3;
2056
+ return {
2057
+ passed,
2058
+ detail: passed
2059
+ ? `AU AML SMR standard 3-BD deadline ${days} BD configured`
2060
+ : `auAmlSmrDeadlineBusinessDays=${days} (need <= 3)`,
2061
+ };
2062
+ });
2063
+ this.register('au_aml_smr_ctf_24hr_active', (ctx) => {
2064
+ const hours = ctx.packConfig?.['event-bus']?.auAmlCtfSmrNotificationHours;
2065
+ const passed = hours === 24;
2066
+ return {
2067
+ passed,
2068
+ detail: passed
2069
+ ? 'AU AML/CTF 24-hour SMR notification clock configured (s.41B AUSTRAC requirement)'
2070
+ : `auAmlCtfSmrNotificationHours=${hours} (need 24)`,
2071
+ };
2072
+ });
2073
+ this.register('au_aml_tipping_off_block_active', (ctx) => {
2074
+ const dcActive = ctx.activeModules.includes('data-classifier');
2075
+ const action = ctx.packConfig?.['data-classifier']?.auAmlTippingOffAction;
2076
+ const passed = dcActive && action === 'BLOCK';
2077
+ return {
2078
+ passed,
2079
+ detail: passed
2080
+ ? 'AU AML tipping-off action = BLOCK via data-classifier (AML/CTF Act s.123)'
2081
+ : `dcActive=${dcActive}, auAmlTippingOffAction=${action}`,
2082
+ };
2083
+ });
2084
+ this.register('au_aml_pep_approval_active', configFlag('approval-queue', 'auAmlPepApprovalRequired', 'AU AML PEP enhanced due diligence approval'));
2085
+ this.register('au_aml_high_risk_country_active', configFlag('governance-runtime', 'auAmlHighRiskCountryScreeningEnabled', 'AU AML high-risk country screening'));
2086
+ this.register('au_aml_ttr_10bd_active', (ctx) => {
2087
+ const days = ctx.packConfig?.['event-bus']?.auAmlTtrDeadlineBusinessDays;
2088
+ const passed = typeof days === 'number' && days <= 10;
2089
+ return {
2090
+ passed,
2091
+ detail: passed
2092
+ ? `AU AML threshold transaction report ${days} BD configured (<= 10 BD)`
2093
+ : `auAmlTtrDeadlineBusinessDays=${days} (need <= 10)`,
2094
+ };
2095
+ });
2096
+ this.register('au_aml_ifti_10bd_active', (ctx) => {
2097
+ const days = ctx.packConfig?.['event-bus']?.auAmlIftiDeadlineBusinessDays;
2098
+ const passed = typeof days === 'number' && days <= 10;
2099
+ return {
2100
+ passed,
2101
+ detail: passed
2102
+ ? `AU AML IFTI ${days} BD configured (<= 10 BD)`
2103
+ : `auAmlIftiDeadlineBusinessDays=${days} (need <= 10)`,
2104
+ };
2105
+ });
2106
+ this.register('au_aml_programme_ai_docs_active', configFlag('attestation-manager', 'auAmlProgrammeAiDocumentationRequired', 'AU AML programme AI documentation'));
2107
+ this.register('au_aml_dnfbp_registration_active', configFlag('governance-runtime', 'auAmlDnfbpRegistrationCheckEnabled', 'AU AML DNFBP registration check'));
2108
+ // AU Spam Act 2003
2109
+ this.register('au_spam_act_consent_gate_active', (ctx) => {
2110
+ const dcActive = ctx.activeModules.includes('data-classifier');
2111
+ const action = ctx.packConfig?.['data-classifier']?.auCemConsentAction;
2112
+ const passed = dcActive && action === 'BLOCK';
2113
+ return {
2114
+ passed,
2115
+ detail: passed
2116
+ ? 'AU Spam Act consent gate: CEM without consent action = BLOCK via data-classifier (s.16)'
2117
+ : `dcActive=${dcActive}, auCemConsentAction=${action}`,
2118
+ };
2119
+ });
2120
+ this.register('au_spam_act_unsubscribe_block_active', (ctx) => {
2121
+ const dcActive = ctx.activeModules.includes('data-classifier');
2122
+ const action = ctx.packConfig?.['data-classifier']?.auCemUnsubscribedAction;
2123
+ const passed = dcActive && action === 'BLOCK';
2124
+ return {
2125
+ passed,
2126
+ detail: passed
2127
+ ? 'AU Spam Act unsubscribed address action = BLOCK via data-classifier (s.18)'
2128
+ : `dcActive=${dcActive}, auCemUnsubscribedAction=${action}`,
2129
+ };
2130
+ });
2131
+ this.register('au_spam_act_harvested_block_active', configFlag('governance-runtime', 'auCemHarvestedAddressBlockEnabled', 'AU Spam Act harvested address block (ss.20-22)'));
2132
+ this.register('au_spam_act_unsubscribe_5bd_active', (ctx) => {
2133
+ const days = ctx.packConfig?.['event-bus']?.auCemUnsubscribeDeadlineBusinessDays;
2134
+ const passed = typeof days === 'number' && days <= 5;
2135
+ return {
2136
+ passed,
2137
+ detail: passed
2138
+ ? `AU Spam Act unsubscribe action ${days} BD (<= 5 BD) configured (s.18(1)(a))`
2139
+ : `auCemUnsubscribeDeadlineBusinessDays=${days} (need <= 5)`,
2140
+ };
2141
+ });
2142
+ this.register('au_spam_act_sender_id_check_active', configFlag('transparency-injector', 'auCemSenderIdentityDisclosureEnabled', 'AU Spam Act sender identity disclosure (s.17)'));
2143
+ this.register('au_spam_act_consent_logging_active', configFlag('session-persistence', 'auCemConsentLoggingEnabled', 'AU Spam Act consent logging'));
2144
+ // AU Online Safety Act 2021
2145
+ this.register('au_online_safety_csam_block_active', (ctx) => {
2146
+ const dcActive = ctx.activeModules.includes('data-classifier');
2147
+ const action = ctx.packConfig?.['data-classifier']?.auOsaCsamAction;
2148
+ const passed = dcActive && action === 'BLOCK';
2149
+ return {
2150
+ passed,
2151
+ detail: passed
2152
+ ? 'AU Online Safety Act: CSAM action = BLOCK via data-classifier (Part 4, OSA 2021)'
2153
+ : `dcActive=${dcActive}, auOsaCsamAction=${action}`,
2154
+ };
2155
+ });
2156
+ this.register('au_online_safety_ncii_block_active', (ctx) => {
2157
+ const dcActive = ctx.activeModules.includes('data-classifier');
2158
+ const action = ctx.packConfig?.['data-classifier']?.auOsaNciiAction;
2159
+ const passed = dcActive && action === 'BLOCK';
2160
+ return {
2161
+ passed,
2162
+ detail: passed
2163
+ ? 'AU Online Safety Act: NCII action = BLOCK via data-classifier (Part 5, OSA 2021)'
2164
+ : `dcActive=${dcActive}, auOsaNciiAction=${action}`,
2165
+ };
2166
+ });
2167
+ this.register('au_online_safety_48h_removal_active', (ctx) => {
2168
+ const hours = ctx.packConfig?.['event-bus']?.auOsaRemovalObligationHours;
2169
+ const passed = hours === 48;
2170
+ return {
2171
+ passed,
2172
+ detail: passed
2173
+ ? 'AU Online Safety Act 48-hour removal obligation configured (Parts 4/5/6 OSA 2021)'
2174
+ : `auOsaRemovalObligationHours=${hours} (need 48)`,
2175
+ };
2176
+ });
2177
+ this.register('au_online_safety_esafety_notice_active', configFlag('governance-runtime', 'auOsaESafetyNoticeComplianceEnabled', 'AU Online Safety Act eSafety notice compliance'));
2178
+ this.register('au_online_safety_minor_protections_active', configFlag('governance-runtime', 'auOsaMinorProtectionsEnabled', 'AU Online Safety Act minor protections'));
2179
+ this.register('au_online_safety_bose_coverage_active', configFlag('attestation-manager', 'auOsaBoseCoverageAttestationRequired', 'AU Online Safety Act BOSE coverage attestation'));
2180
+ this.register('au_online_safety_moderation_logging_active', configFlag('event-bus', 'auOsaModerationLoggingEnabled', 'AU Online Safety Act moderation logging'));
2181
+ // AU AI Ethics Framework (voluntary)
2182
+ this.register('au_aiethics_accountability_defined_active', configFlag('attestation-manager', 'auAiEthicsAccountabilityDefined', 'AU AI Ethics Framework accountability defined (Principle 1)'));
2183
+ this.register('au_aiethics_ai_disclosure_active', configFlag('transparency-injector', 'auAiEthicsDisclosureEnabled', 'AU AI Ethics Framework AI disclosure (Principle 7)'));
2184
+ this.register('au_aiethics_governance_doc_active', configFlag('attestation-manager', 'auAiEthicsGovernanceDocRequired', 'AU AI Ethics Framework governance documentation (Principle 9)'));
2185
+ this.register('au_aiethics_testing_current_active', (ctx) => {
2186
+ const days = ctx.packConfig?.['attestation-manager']?.auAiEthicsTestingCadenceDays;
2187
+ const passed = typeof days === 'number' && days <= 365;
2188
+ return {
2189
+ passed,
2190
+ detail: passed
2191
+ ? `AU AI Ethics Framework testing cadence ${days}d configured`
2192
+ : `auAiEthicsTestingCadenceDays=${days}`,
2193
+ };
2194
+ });
2195
+ this.register('au_aiethics_redress_mechanism_active', configFlag('approval-queue', 'auAiEthicsRedressMechanismEnabled', 'AU AI Ethics Framework redress mechanism (Principle 10)'));
2196
+ this.register('au_aiethics_provenance_docs_active', configFlag('attestation-manager', 'auAiEthicsProvenanceDocsRequired', 'AU AI Ethics Framework training data provenance'));
2197
+ this.register('au_aiethics_human_override_active', configFlag('approval-queue', 'auAiEthicsHumanOverrideEnabled', 'AU AI Ethics Framework human override (Principle 8)'));
2198
+ // AU Mandatory AI Guardrails (DISR 2024, not yet enacted)
2199
+ this.register('au_mandatory_ai_high_risk_gate_active', configFlag('governance-runtime', 'auMandatoryAiHighRiskGateEnabled', 'AU Mandatory AI Guardrail 1: high-risk AI gate [CITATION TO VERIFY]'));
2200
+ this.register('au_mandatory_ai_accountability_active', configFlag('attestation-manager', 'auMandatoryAiAccountabilityDocRequired', 'AU Mandatory AI Guardrail 2: accountability documentation [CITATION TO VERIFY]'));
2201
+ this.register('au_mandatory_ai_transparency_active', configFlag('transparency-injector', 'auMandatoryAiTransparencyEnabled', 'AU Mandatory AI Guardrail 4: transparency disclosure [CITATION TO VERIFY]'));
2202
+ this.register('au_mandatory_ai_redress_active', configFlag('approval-queue', 'auMandatoryAiRedressEnabled', 'AU Mandatory AI Guardrail 5: redress mechanism [CITATION TO VERIFY]'));
2203
+ this.register('au_mandatory_ai_testing_active', (ctx) => {
2204
+ const days = ctx.packConfig?.['attestation-manager']?.auMandatoryAiTestingCadenceDays;
2205
+ const passed = typeof days === 'number' && days <= 365;
2206
+ return {
2207
+ passed,
2208
+ detail: passed
2209
+ ? `AU Mandatory AI testing cadence ${days}d configured [CITATION TO VERIFY]`
2210
+ : `auMandatoryAiTestingCadenceDays=${days}`,
2211
+ };
2212
+ });
2213
+ this.register('au_mandatory_ai_provenance_active', configFlag('attestation-manager', 'auMandatoryAiProvenanceRequired', 'AU Mandatory AI Guardrail 6: training data provenance [CITATION TO VERIFY]'));
2214
+ // AU TGA SaMD
2215
+ this.register('au_tga_samd_artg_registration_active', (ctx) => {
2216
+ const dcActive = ctx.activeModules.includes('data-classifier');
2217
+ const action = ctx.packConfig?.['data-classifier']?.auTgaSamdUnregisteredAction;
2218
+ const passed = dcActive && action === 'BLOCK';
2219
+ return {
2220
+ passed,
2221
+ detail: passed
2222
+ ? 'AU TGA SaMD: unregistered SaMD action = BLOCK via data-classifier (Therapeutic Goods Act s.19D)'
2223
+ : `dcActive=${dcActive}, auTgaSamdUnregisteredAction=${action}`,
2224
+ };
2225
+ });
2226
+ this.register('au_tga_samd_adverse_event_block_active', (ctx) => {
2227
+ const dcActive = ctx.activeModules.includes('data-classifier');
2228
+ const action = ctx.packConfig?.['data-classifier']?.auTgaSamdAdverseEventAction;
2229
+ const passed = dcActive && action === 'BLOCK';
2230
+ return {
2231
+ passed,
2232
+ detail: passed
2233
+ ? 'AU TGA SaMD: adverse event action = BLOCK via data-classifier (TGA MDR obligations)'
2234
+ : `dcActive=${dcActive}, auTgaSamdAdverseEventAction=${action}`,
2235
+ };
2236
+ });
2237
+ this.register('au_tga_samd_pccp_change_approval_active', configFlag('approval-queue', 'auTgaSamdPccpChangeApprovalRequired', 'AU TGA SaMD PCCP change approval (TGA AI/ML Guidance 2023)'));
2238
+ this.register('au_tga_samd_performance_monitoring_active', configFlag('anomaly-detector', 'auTgaSamdPerformanceMonitoringEnabled', 'AU TGA SaMD performance monitoring (GMLP Principle 6)'));
2239
+ this.register('au_tga_samd_clinical_evidence_active', configFlag('attestation-manager', 'auTgaSamdClinicalEvidenceRequired', 'AU TGA SaMD clinical evidence (TGA ECA)'));
2240
+ this.register('au_tga_samd_gmlp_compliance_active', configFlag('attestation-manager', 'auTgaSamdGmlpComplianceAttested', 'AU TGA SaMD GMLP compliance attestation'));
2241
+ this.register('au_tga_samd_labelling_active', configFlag('transparency-injector', 'auTgaSamdLabellingDisclosureEnabled', 'AU TGA SaMD AI labelling disclosure'));
2242
+ this.register('au_tga_samd_retention_10yr_active', (ctx) => {
2243
+ const days = ctx.packConfig?.['session-persistence']?.auTgaSamdRetentionDays;
2244
+ const passed = typeof days === 'number' && days >= 3650;
2245
+ return {
2246
+ passed,
2247
+ detail: passed
2248
+ ? `AU TGA SaMD 10-year retention ${days}d configured (>= 3650)`
2249
+ : `auTgaSamdRetentionDays=${days} (need >= 3650)`,
2250
+ };
2251
+ });
2252
+ // AU State Health Privacy (NSW HRIPA / VIC HRA / ACT HRPAA)
2253
+ this.register('au_state_health_nsw_transborder_block_active', (ctx) => {
2254
+ const dcActive = ctx.activeModules.includes('data-classifier');
2255
+ const action = ctx.packConfig?.['data-classifier']?.auStateHealthTransborderAction;
2256
+ const passed = dcActive && action === 'BLOCK';
2257
+ return {
2258
+ passed,
2259
+ detail: passed
2260
+ ? 'AU State Health: transborder transfer action = BLOCK via data-classifier (NSW HPP 10 / HRIPA 2002)'
2261
+ : `dcActive=${dcActive}, auStateHealthTransborderAction=${action}`,
2262
+ };
2263
+ });
2264
+ this.register('au_state_health_research_ethics_active', configFlag('approval-queue', 'auStateHealthResearchEthicsApprovalRequired', 'AU State Health research ethics approval gate'));
2265
+ this.register('au_state_health_mental_health_retention_active', (ctx) => {
2266
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMentalHealthRetentionDays;
2267
+ // VIC mental health: 25 years from last service entry for non-deceased [CITATION TO VERIFY]
2268
+ const passed = typeof days === 'number' && days >= 3650;
2269
+ return {
2270
+ passed,
2271
+ detail: passed
2272
+ ? `AU State Health mental health retention ${days}d configured (>= 3650)`
2273
+ : `auStateHealthMentalHealthRetentionDays=${days}`,
2274
+ };
2275
+ });
2276
+ this.register('au_state_health_access_30d_active', (ctx) => {
2277
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthAccessResponseDays;
2278
+ const passed = typeof days === 'number' && days <= 30;
2279
+ return {
2280
+ passed,
2281
+ detail: passed
2282
+ ? `AU State Health access response ${days}d (<= 30 days) configured`
2283
+ : `auStateHealthAccessResponseDays=${days} (need <= 30)`,
2284
+ };
2285
+ });
2286
+ this.register('au_state_health_collection_notice_active', configFlag('transparency-injector', 'auStateHealthCollectionNoticeEnabled', 'AU State Health collection notice (NSW HPP 4 / VIC HPP 1)'));
2287
+ this.register('au_state_health_server_location_active', configFlag('supply-chain', 'auStateHealthServerLocationAustralia', 'AU State Health server location Australia [CITATION TO VERIFY]'));
2288
+ this.register('au_state_health_correction_30d_active', (ctx) => {
2289
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthCorrectionResponseDays;
2290
+ const passed = typeof days === 'number' && days <= 30;
2291
+ return {
2292
+ passed,
2293
+ detail: passed
2294
+ ? `AU State Health correction response ${days}d configured`
2295
+ : `auStateHealthCorrectionResponseDays=${days} (need <= 30)`,
2296
+ };
2297
+ });
2298
+ this.register('au_state_health_minor_retention_active', (ctx) => {
2299
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMinorRetentionDays;
2300
+ // NSW: at least 7 years after last entry or age 25 (whichever is later) — conservative 3650d
2301
+ const passed = typeof days === 'number' && days >= 3650;
2302
+ return {
2303
+ passed,
2304
+ detail: passed
2305
+ ? `AU State Health minor retention ${days}d configured (>= 3650 conservative floor)`
2306
+ : `auStateHealthMinorRetentionDays=${days}`,
2307
+ };
2308
+ });
2309
+ // -- AU pack behavioral validators (Phase 5) --
2310
+ // AU Privacy Act: AU_PI_GOVERNMENT_ID (TFN pattern) -> BLOCK
2311
+ this.register('behavioralValidator_au_privacy_act', runBehavioralCheck('au-privacy-act', 'AU_PI_GOVERNMENT_ID', 'TFN 123 456 789 tax file number australia individual', 'BLOCK'));
2312
+ // AU CDR: AU_CDR_CONSENT_EXPIRED -> BLOCK
2313
+ this.register('behavioralValidator_au_cdr', runBehavioralCheck('au-cdr', 'AU_CDR_CONSENT_EXPIRED', 'CDR consent expired consumer data right consent_expired accreditation AU', 'BLOCK'));
2314
+ // AU CPS 234: AU_CPS234_INCIDENT -> REQUIRE_APPROVAL
2315
+ this.register('behavioralValidator_au_cps234', runBehavioralCheck('au-cps234', 'AU_CPS234_INCIDENT', 'APRA CPS 234 cyber incident information security incident notifiable breach', 'REQUIRE_APPROVAL'));
2316
+ // AU CPS 230: AU_CPS230_OP_INCIDENT -> REQUIRE_APPROVAL
2317
+ this.register('behavioralValidator_au_cps230', runBehavioralCheck('au-cps230', 'AU_CPS230_OP_INCIDENT', 'APRA CPS 230 operational incident disruption material service failure', 'REQUIRE_APPROVAL'));
2318
+ // AU SOCI Act: AU_SOCI_CYBER_INCIDENT -> REQUIRE_APPROVAL
2319
+ this.register('behavioralValidator_au_soci_act', runBehavioralCheck('au-soci-act', 'AU_SOCI_CYBER_INCIDENT', 'SOCI critical infrastructure cyber incident CIRMP sector attack', 'REQUIRE_APPROVAL'));
2320
+ // AU ASIC RG 271: AU_RG271_AI_DECISION -> REQUIRE_APPROVAL
2321
+ this.register('behavioralValidator_au_asic_rg_271', runBehavioralCheck('au-asic-rg-271', 'AU_RG271_AI_DECISION', 'RG 271 AI decision IDR internal dispute resolution financial product complaint', 'REQUIRE_APPROVAL'));
2322
+ // AU DDO: AU_DDO_OUT_OF_TARGET -> BLOCK
2323
+ this.register('behavioralValidator_au_asic_rg_274', runBehavioralCheck('au-asic-rg-274', 'AU_DDO_OUT_OF_TARGET', 'DDO target market determination out of target market retail client distribution obligation', 'BLOCK'));
2324
+ // AU AML/CTF: AU_AML_TIPPING_OFF_RISK -> BLOCK
2325
+ this.register('behavioralValidator_au_aml_ctf', runBehavioralCheck('au-aml-ctf', 'AU_AML_TIPPING_OFF_RISK', 'AML tipping off SMR suspicious matter report AUSTRAC tipping-off prohibited', 'BLOCK'));
2326
+ // AU Spam Act: AU_CEM_UNSUBSCRIBED -> BLOCK
2327
+ this.register('behavioralValidator_au_spam_act', runBehavioralCheck('au-spam-act', 'AU_CEM_UNSUBSCRIBED', 'unsubscribed commercial electronic message email spam Australia CEM opt-out', 'BLOCK'));
2328
+ // AU Online Safety: OSA_CSAM -> BLOCK
2329
+ this.register('behavioralValidator_au_online_safety', runBehavioralCheck('au-online-safety', 'OSA_CSAM', 'CSAM child sexual abuse material online safety eSafety Commissioner Australia', 'BLOCK'));
2330
+ // AU AI Ethics Framework: AU_AI_UNDISCLOSED_USE -> WARN
2331
+ // AU_AI_UNDISCLOSED_USE changed to BLOCK (Task 4 fix, 2026-04-25):
2332
+ // Non-deception (G7) is an absolute obligation -- hiding AI involvement from
2333
+ // affected individuals is deceptive by definition. BLOCK is the correct action.
2334
+ this.register('behavioralValidator_au_aiethics_framework', runBehavioralCheck('au-aiethics-framework', 'AU_AI_UNDISCLOSED_USE', 'AI system undisclosed use automated decision no disclosure Australia DISR', 'BLOCK'));
2335
+ // AU Mandatory AI Guardrails: AU_HIGH_RISK_AI_SETTING -> REQUIRE_APPROVAL
2336
+ this.register('behavioralValidator_au_mandatory_ai_guardrails', runBehavioralCheck('au-mandatory-ai-guardrails', 'AU_HIGH_RISK_AI_SETTING', 'high risk AI setting guardrail DISR mandatory Australia critical decision', 'REQUIRE_APPROVAL'));
2337
+ // AU TGA SaMD: TGA_SAMD_ARTG_STATUS -> BLOCK
2338
+ this.register('behavioralValidator_au_tga_saimd', runBehavioralCheck('au-tga-saimd', 'TGA_SAMD_ARTG_STATUS', 'TGA SaMD ARTG unregistered software medical device therapeutic goods Australia', 'BLOCK'));
2339
+ // AU State Health: STATE_HEALTH_TRANSBORDER_TRANSFER -> BLOCK
2340
+ // X1-disaggregation (2026-04-24): umbrella pack removed; NSW HRIPA is now canonical for
2341
+ // transborder block behavior. This registration kept for backward-compat check ID lookup.
2342
+ this.register('behavioralValidator_au_state_health_privacy', runBehavioralCheck('au-nsw-hripa', 'NSW_HEALTH_TRANSBORDER_TRANSFER', 'NSW HRIPA health information transborder transfer outside Australia HPP 10', 'BLOCK'));
2343
+ // -------------------------------------------------------------------------
2344
+ // X1-disaggregation: NSW HRIPA / VIC HRA / ACT HRPAA standalone checks
2345
+ // -------------------------------------------------------------------------
2346
+ // NSW HRIPA HPP 10 transborder block check
2347
+ this.register('au_nsw_hripa_transborder_block_active', (ctx) => {
2348
+ const dcActive = ctx.activeModules.includes('data-classifier');
2349
+ const action = ctx.packConfig?.['data-classifier']?.nswTransborderBlockEnabled;
2350
+ const passed = dcActive && action === true;
2351
+ return {
2352
+ passed,
2353
+ detail: passed
2354
+ ? 'NSW HRIPA: transborder block active via data-classifier (HPP 10)'
2355
+ : `dcActive=${dcActive}, nswTransborderBlockEnabled=${action}`,
2356
+ };
2357
+ });
2358
+ // NSW HRIPA HPP 14 research ethics check
2359
+ this.register('au_nsw_hripa_research_ethics_active', configFlag('approval-queue', 'auStateHealthResearchEthicsApprovalRequired', 'NSW HRIPA research ethics gate (HPP 14)'));
2360
+ // NSW HRIPA HPP 11 access 30-day check
2361
+ this.register('au_nsw_hripa_access_30d_active', (ctx) => {
2362
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthAccessResponseDays;
2363
+ const passed = typeof days === 'number' && days <= 30;
2364
+ return {
2365
+ passed,
2366
+ detail: passed
2367
+ ? `NSW HRIPA access response ${days}d (<= 30) configured (HPP 11)`
2368
+ : `auStateHealthAccessResponseDays=${days} (need <= 30)`,
2369
+ };
2370
+ });
2371
+ // NSW HRIPA HPP 5 collection notice check
2372
+ this.register('au_nsw_hripa_collection_notice_active', configFlag('transparency-injector', 'auStateHealthCollectionNoticeEnabled', 'NSW HRIPA collection notice (HPP 5)'));
2373
+ // NSW HRIPA HPP 10 server location check
2374
+ this.register('au_nsw_hripa_server_location_active', configFlag('supply-chain', 'auStateHealthServerLocationAustralia', 'NSW HRIPA server location confirmation (HPP 10)'));
2375
+ // NSW HRIPA HPP 12 correction 30-day check
2376
+ this.register('au_nsw_hripa_correction_30d_active', (ctx) => {
2377
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthCorrectionResponseDays;
2378
+ const passed = typeof days === 'number' && days <= 30;
2379
+ return {
2380
+ passed,
2381
+ detail: passed
2382
+ ? `NSW HRIPA correction response ${days}d configured (HPP 12)`
2383
+ : `auStateHealthCorrectionResponseDays=${days} (need <= 30)`,
2384
+ };
2385
+ });
2386
+ // NSW HRIPA Regulation 2017 minor retention check
2387
+ this.register('au_nsw_hripa_minor_retention_active', (ctx) => {
2388
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMinorRetentionDays;
2389
+ const passed = typeof days === 'number' && days >= 3650;
2390
+ return {
2391
+ passed,
2392
+ detail: passed
2393
+ ? `NSW HRIPA minor retention ${days}d (>= 3650) configured`
2394
+ : `auStateHealthMinorRetentionDays=${days}`,
2395
+ };
2396
+ });
2397
+ // VIC HRA HPP 2.2 research ethics check
2398
+ this.register('au_vic_hra_research_ethics_active', configFlag('approval-queue', 'vicResearchEthicsConfirmationRequired', 'VIC HRA research ethics gate (HPP 2.2)'));
2399
+ // VIC HRA 25-year mental health retention check
2400
+ this.register('au_vic_hra_mental_health_retention_active', (ctx) => {
2401
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMentalHealthRetentionDays;
2402
+ const passed = typeof days === 'number' && days >= 9125; // 25 years
2403
+ return {
2404
+ passed,
2405
+ detail: passed
2406
+ ? `VIC HRA mental health retention ${days}d (>= 9125) configured [CITATION TO VERIFY]`
2407
+ : `auStateHealthMentalHealthRetentionDays=${days} (need >= 9125 for 25y)`,
2408
+ };
2409
+ });
2410
+ // VIC HRA HPP 6 access 30-day check
2411
+ this.register('au_vic_hra_access_30d_active', (ctx) => {
2412
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthAccessResponseDays;
2413
+ const passed = typeof days === 'number' && days <= 30;
2414
+ return {
2415
+ passed,
2416
+ detail: passed
2417
+ ? `VIC HRA access response ${days}d (<= 30) configured (HPP 6)`
2418
+ : `auStateHealthAccessResponseDays=${days} (need <= 30)`,
2419
+ };
2420
+ });
2421
+ // VIC HRA HPP 1 collection notice check
2422
+ this.register('au_vic_hra_collection_notice_active', configFlag('transparency-injector', 'auStateHealthCollectionNoticeEnabled', 'VIC HRA collection notice (HPP 1)'));
2423
+ // VIC HRA HPP 7 correction 30-day check
2424
+ this.register('au_vic_hra_correction_30d_active', (ctx) => {
2425
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthCorrectionResponseDays;
2426
+ const passed = typeof days === 'number' && days <= 30;
2427
+ return {
2428
+ passed,
2429
+ detail: passed
2430
+ ? `VIC HRA correction response ${days}d configured (HPP 7)`
2431
+ : `auStateHealthCorrectionResponseDays=${days} (need <= 30)`,
2432
+ };
2433
+ });
2434
+ // VIC HRA minor retention check
2435
+ this.register('au_vic_hra_minor_retention_active', (ctx) => {
2436
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMinorRetentionDays;
2437
+ const passed = typeof days === 'number' && days >= 3650;
2438
+ return {
2439
+ passed,
2440
+ detail: passed
2441
+ ? `VIC HRA minor retention ${days}d (>= 3650) configured`
2442
+ : `auStateHealthMinorRetentionDays=${days}`,
2443
+ };
2444
+ });
2445
+ // ACT HRPAA s.7 access 30-day check (CRITICAL -- positive right)
2446
+ this.register('au_act_hrpaa_access_30d_active', (ctx) => {
2447
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthAccessResponseDays;
2448
+ const passed = typeof days === 'number' && days <= 30;
2449
+ return {
2450
+ passed,
2451
+ detail: passed
2452
+ ? `ACT HRPAA s.7 access response ${days}d (<= 30) configured`
2453
+ : `auStateHealthAccessResponseDays=${days} (need <= 30 for HRPAA s.7)`,
2454
+ };
2455
+ });
2456
+ // ACT HRPAA HPP 5 collection notice check
2457
+ this.register('au_act_hrpaa_collection_notice_active', configFlag('transparency-injector', 'auStateHealthCollectionNoticeEnabled', 'ACT HRPAA collection notice (HPP 5)'));
2458
+ // ACT HRPAA HPP 10 data security check
2459
+ this.register('au_act_hrpaa_data_security_active', (ctx) => {
2460
+ const passed = ctx.activeModules.includes('encryption-layer');
2461
+ return {
2462
+ passed,
2463
+ detail: passed
2464
+ ? 'ACT HRPAA HPP 10: encryption-layer active'
2465
+ : 'encryption-layer not active (ACT HRPAA HPP 10 data security)',
2466
+ };
2467
+ });
2468
+ // ACT HRPAA HPP 7 correction 30-day check
2469
+ this.register('au_act_hrpaa_correction_30d_active', (ctx) => {
2470
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthCorrectionResponseDays;
2471
+ const passed = typeof days === 'number' && days <= 30;
2472
+ return {
2473
+ passed,
2474
+ detail: passed
2475
+ ? `ACT HRPAA correction response ${days}d configured (HPP 7)`
2476
+ : `auStateHealthCorrectionResponseDays=${days} (need <= 30)`,
2477
+ };
2478
+ });
2479
+ // ACT HRPAA 7-year retention check
2480
+ this.register('au_act_hrpaa_retention_7y_active', (ctx) => {
2481
+ const days = ctx.packConfig?.['session-persistence']?.auActHealthRetentionDays
2482
+ ?? ctx.evidence?.auActHealthRetentionDays;
2483
+ // Accept either explicit config or the pack's auditLogRetentionDays floor (2555)
2484
+ const passed = typeof days === 'number' && days >= 2555;
2485
+ return {
2486
+ passed,
2487
+ detail: passed
2488
+ ? `ACT HRPAA 7y retention ${days}d (>= 2555) configured`
2489
+ : `auActHealthRetentionDays=${days} (need >= 2555 for 7y)`,
2490
+ };
2491
+ });
2492
+ // Behavioral validators for three disaggregated packs
2493
+ // NSW HRIPA: NSW_HEALTH_TRANSBORDER_TRANSFER -> BLOCK
2494
+ this.register('behavioralValidator_au_nsw_hripa', runBehavioralCheck('au-nsw-hripa', 'NSW_HEALTH_TRANSBORDER_TRANSFER', 'NSW HRIPA transborder transfer health information outside NSW HPP 10', 'BLOCK'));
2495
+ // VIC HRA: VIC_HEALTH_RESEARCH_USE -> REQUIRE_APPROVAL
2496
+ this.register('behavioralValidator_au_vic_hra', runBehavioralCheck('au-vic-hra', 'VIC_HEALTH_RESEARCH_USE', 'VIC HRA research secondary analysis victoria health patient data HPP 2.2', 'REQUIRE_APPROVAL'));
2497
+ // ACT HRPAA: ACT_HEALTH_ACCESS_REQUEST -> REQUIRE_APPROVAL
2498
+ this.register('behavioralValidator_au_act_hrpaa', runBehavioralCheck('au-act-hrpaa', 'ACT_HEALTH_ACCESS_REQUEST', 'ACT HRPAA s.7 health record access request canberra australian capital territory 30 day', 'REQUIRE_APPROVAL'));
2499
+ // -- BATCH-01 FINRA 3110 specific checks (2026-04-25) --
2500
+ this.register('finra_wsp_enforcement_active', configFlag('governance-runtime', 'wspEnforcementRequired', 'FINRA WSP enforcement'));
2501
+ this.register('finra_principal_review_active', configFlag('approval-queue', 'principalReviewForCustomerCommunicationsRequired', 'FINRA principal review for customer communications'));
2502
+ this.register('finra_worm_records_active', configFlag('audit-integrity', 'wormCompliantRequired', 'FINRA WORM-compliant records (Exchange Act Rule 17a-4(f))'));
2503
+ this.register('finra_annual_certification_active', configFlag('attestation-manager', 'annualPrincipalCertificationRequired', 'FINRA Rule 3120 annual principal certification'));
2504
+ this.register('finra_4530_reporting_active', configFlag('event-bus', 'rule4530EventDetectionActive', 'FINRA Rule 4530 event detection and 30-day reporting'));
2505
+ // -- BATCH-01 EU LPP specific checks (2026-04-25) --
2506
+ this.register('eu_lpp_bar_membership_active', configFlag('governance-runtime', 'externalBarMembershipVerificationRequired', 'EU/EEA Bar membership verification (Akzo Nobel)'));
2507
+ this.register('eu_lpp_inhouse_flagging_active', configFlag('governance-runtime', 'inHouseCounselFlaggingRequired', 'In-house counsel flagged as unprotected (Akzo Nobel)'));
2508
+ this.register('eu_lpp_third_country_analysis_active', configFlag('governance-runtime', 'thirdCountryCounselAnalysisRequired', 'Third-country counsel privilege analysis'));
2509
+ // -- BATCH-01 ISO 20022 specific checks (2026-04-25) --
2510
+ this.register('iso20022_schema_validation_active', configFlag('governance-runtime', 'iso20022SchemaValidationRequired', 'ISO 20022 XML schema validation'));
2511
+ this.register('iso20022_mx_format_active', configFlag('governance-runtime', 'mxMessageFormatRequired', 'ISO 20022 MX format (SWIFT CBPR+ mandatory)'));
2512
+ this.register('iso20022_structured_remittance_active', configFlag('governance-runtime', 'structuredRemittanceDataPreservationRequired', 'ISO 20022 structured remittance data preservation'));
2513
+ this.register('iso20022_duplicate_detection_active', configFlag('anomaly-detector', 'paymentDuplicateDetectionActive', 'ISO 20022 duplicate payment detection'));
2514
+ // F-NEW-VERA-PACK-C5-05 (2026-05-03): renamed checks replacing borrowed attestation_active and post_market_monitoring.
2515
+ // BIC/LEI validation is a data-classifier config gate; payment misrouting detection is anomaly-detector presence.
2516
+ this.register('iso20022_bic_lei_validation_active', configFlag('data-classifier', 'bicLeiValidationRequired', 'ISO 20022 BIC/LEI structured agent field validation'));
2517
+ this.register('iso20022_misrouting_detection_active', modulePresence('anomaly-detector'));
2518
+ // -- BATCH-01 EU MDR/IVDR specific checks (2026-04-25) --
2519
+ this.register('eu_mdr_ivdr_qualification_active', configFlag('governance-runtime', 'softwareQualificationAssessmentRequired', 'EU MDR/IVDR software qualification assessment (MDCG 2019-16)'));
2520
+ this.register('eu_mdr_ivdr_eudamed_active', configFlag('attestation-manager', 'eudamedRegistrationRequired', 'EUDAMED registration + UDI management'));
2521
+ this.register('eu_mdr_ivdr_clinical_evaluation_active', configFlag('attestation-manager', 'postMarketSurveillancePlanRequired', 'Clinical/performance evaluation report current'));
2522
+ // Behavioral validators for BATCH-01 packs (2026-04-25)
2523
+ // FINRA 3110: SUPERVISORY_RECORDS -> WARN
2524
+ this.register('behavioralValidator_finra_3110', runBehavioralCheck('finra-3110', 'SUPERVISORY_RECORDS', 'Written supervisory procedure WSP principal review branch office inspection', 'WARN'));
2525
+ // EU LPP: EU_PRIVILEGED -> BLOCK
2526
+ this.register('behavioralValidator_eu_lpp', runBehavioralCheck('eu-lpp', 'EU_PRIVILEGED', 'External counsel avocat legally privileged EU Commission investigation right of defence', 'BLOCK'));
2527
+ // UK GDPR: SPECIAL_CATEGORY -> BLOCK
2528
+ this.register('behavioralValidator_uk_gdpr', runBehavioralCheck('uk-gdpr', 'SPECIAL_CATEGORY', 'Patient is HIV positive religion Muslim biometric facial recognition data', 'BLOCK'));
2529
+ // ISO 20022: PAYMENT_MESSAGE -> WARN
2530
+ this.register('behavioralValidator_iso20022', runBehavioralCheck('iso20022', 'PAYMENT_MESSAGE', 'pacs.008 MX message BizMsgIdr IBAN GB29NWBK60161331926819', 'WARN'));
2531
+ // EU MDR/IVDR: CLINICAL_EVALUATION_DATA -> WARN
2532
+ this.register('behavioralValidator_eu_mdr_ivdr', runBehavioralCheck('eu-mdr-ivdr', 'CLINICAL_EVALUATION_DATA', 'Clinical evaluation report CER clinical investigation PMCF post-market clinical follow-up', 'WARN'));
2533
+ // -- BATCH-02 + BATCH-03 shared check primitives (2026-04-25) --
2534
+ // event_clock_active: verifies event-bus module is present and clock-tracking config active.
2535
+ // Referenced by: reg-e (error-resolution clocks), illinois-aivia (30-day deletion clock),
2536
+ // maryland-hb1202 (consent-withdrawal halt), california-ab2930 (annual/complaint clocks).
2537
+ this.register('event_clock_active', (ctx) => {
2538
+ const hasEventBus = ctx.activeModules.includes('event-bus');
2539
+ if (!hasEventBus) {
2540
+ return { passed: false, detail: 'event-bus module not active; event clock enforcement unavailable' };
2541
+ }
2542
+ return { passed: true, detail: 'event-bus module active; event clock enforcement available' };
2543
+ });
2544
+ // -- BATCH-02 ISO 27701 specific checks (2026-04-25) --
2545
+ // ISO 27701 reuses existing check IDs: gdpr_ropa_active, gdpr_lawful_basis_active,
2546
+ // data_classifier_active, encryption_active, gdpr_dpia_active,
2547
+ // gdpr_purpose_limitation_active, gdpr_breach_72h_active,
2548
+ // subservice_registry_active, rbac_active, transparency_active.
2549
+ // All of those are already registered. No new pack-specific checks needed.
2550
+ // -- BATCH-02 Reg E specific checks (2026-04-25) --
2551
+ // Reg E reuses: transparency_active, event_clock_active, approval_queue_active,
2552
+ // audit_trail_exists, data_classifier_active, governance_active,
2553
+ // rbac_active, subservice_registry_active (all pre-existing).
2554
+ // F-NEW-VERA-PACK-C5-01 (2026-05-03): replaced foreign-pack check strings
2555
+ // finra_wsp_enforcement_active and gdpr_article22_active with Reg-E-namespaced
2556
+ // checks that read from the Reg E moduleConfig keys actually present.
2557
+ this.register('reg_e_prepaid_disclosure_active', configFlag('governance-runtime', 'prepaidDisclosureRequired', 'Reg E prepaid account disclosure (§1005.18(b))'));
2558
+ this.register('reg_e_provisional_credit_active', configFlag('approval-queue', 'provisionalCreditAuthorizationRequired', 'Reg E provisional credit authorization (§1005.11(c)(2))'));
2559
+ // -- BATCH-03 Employment AI specific checks (2026-04-25) --
2560
+ // Illinois AIVIA reuses: transparency_active, gdpr_lawful_basis_active,
2561
+ // event_clock_active, audit_trail_exists, finra_annual_certification_active,
2562
+ // data_classifier_active, subservice_registry_active, rbac_active,
2563
+ // encryption_active, gdpr_article22_active.
2564
+ // Maryland HB 1202 reuses: gdpr_lawful_basis_active, transparency_active,
2565
+ // event_clock_active, audit_trail_exists, data_classifier_active,
2566
+ // subservice_registry_active, rbac_active, encryption_active,
2567
+ // gdpr_article22_active, finra_worm_records_active.
2568
+ // California AB 2930 reuses: gdpr_dpia_active, transparency_active,
2569
+ // gdpr_article22_active, audit_trail_exists, finra_annual_certification_active,
2570
+ // post_market_monitoring, data_classifier_active, subservice_registry_active,
2571
+ // rbac_active, encryption_active, event_clock_active.
2572
+ // Behavioral validators for BATCH-02 packs (2026-04-25)
2573
+ // ISO 27701: PII_CONTROLLER_DATA -> WARN (processing purpose + data subject request signal)
2574
+ this.register('behavioralValidator_iso27701', runBehavioralCheck('iso27701', 'PII_CONTROLLER_DATA', 'processing purpose consent record ROPA record of processing activities lawful basis DPIA data subject request', 'WARN'));
2575
+ // Reg E: ERROR_RESOLUTION_RECORD -> WARN (error resolution / unauthorized transfer signal)
2576
+ this.register('behavioralValidator_reg_e', runBehavioralCheck('reg-e', 'ERROR_RESOLUTION_RECORD', 'error resolution unauthorized transfer EFT dispute Reg E claim 10 business days provisional credit 45 business days', 'WARN'));
2577
+ // Behavioral validators for BATCH-03 packs (2026-04-25)
2578
+ // Illinois AIVIA: VIDEO_INTERVIEW_RECORDING -> WARN
2579
+ this.register('behavioralValidator_illinois_aivia', runBehavioralCheck('illinois-aivia', 'VIDEO_INTERVIEW_RECORDING', 'video interview recorded interview async interview one-way video interview recording', 'WARN'));
2580
+ // Maryland HB 1202: CANDIDATE_CONSENT -> WARN (consent record detection; FR blocking is runtime-enforced)
2581
+ this.register('behavioralValidator_maryland_hb1202', runBehavioralCheck('maryland-hb1202', 'CANDIDATE_CONSENT', 'FR consent facial recognition consent face recognition consent Maryland HB 1202 biometric consent form', 'WARN'));
2582
+ // California AB 2930: AUTOMATED_DECISION_TOOL_OUTPUT -> WARN
2583
+ this.register('behavioralValidator_california_ab2930', runBehavioralCheck('california-ab2930', 'AUTOMATED_DECISION_TOOL_OUTPUT', 'automated decision tool ADT algorithmic decision AI decision recommendation scoring ranking consequential', 'WARN'));
2584
+ // -- BATCH-04 behavioral validators (2026-04-25) --
2585
+ // FCA Consumer Duty: RETAIL_CUSTOMER_DATA -> WARN
2586
+ this.register('behavioralValidator_fca_consumer_duty', runBehavioralCheck('fca-consumer-duty', 'RETAIL_CUSTOMER_DATA', 'retail customer consumer data consumer duty outcome FCA Principle 12 target market', 'WARN'));
2587
+ // CMS Interoperability: PATIENT_CLINICAL_DATA_FHIR -> WARN
2588
+ this.register('behavioralValidator_cms_interoperability', runBehavioralCheck('cms-interoperability', 'PATIENT_CLINICAL_DATA_FHIR', 'fhir r4 patient access api US Core SMART on FHIR clinical data bundle observation', 'WARN'));
2589
+ // Singapore Model AI Gov: AI_DECISION_RECORD -> WARN
2590
+ this.register('behavioralValidator_sg_model_ai_gov', runBehavioralCheck('sg-model-ai-gov', 'AI_DECISION_RECORD', 'ai decision record PDPC decision matrix algorithmic decision singapore automated recommendation', 'WARN'));
2591
+ // -- BATCH-05 behavioral validators (2026-04-25) --
2592
+ // NIS2: INCIDENT_NOTIFICATION_RECORD -> WARN
2593
+ this.register('behavioralValidator_nis2', runBehavioralCheck('nis2', 'INCIDENT_NOTIFICATION_RECORD', 'nis2 incident significant incident CSIRT notification 24 hour early warning 72 hour operational disruption', 'WARN'));
2594
+ // India DPDP: DIGITAL_PERSONAL_DATA_INDIA -> WARN
2595
+ this.register('behavioralValidator_in_dpdp', runBehavioralCheck('in-dpdp', 'DIGITAL_PERSONAL_DATA_INDIA', 'digital personal data india data principal DPDP aadhaar number india personal data', 'WARN'));
2596
+ // -- BATCH-06 first-half specific checks (2026-04-25) --
2597
+ // -- UK AI Framework specific checks --
2598
+ this.register('uk_ai_principle1_safety_gate_active', configFlag('governance-runtime', 'principle1SafetyGateRequired', 'UK AI Framework Principle 1 safety gate'));
2599
+ this.register('uk_ai_principle2_transparency_active', configFlag('transparency-injector', 'principle2TransparencyRequired', 'UK AI Framework Principle 2 transparency'));
2600
+ this.register('uk_ai_principle3_fairness_active', configFlag('bias-monitor', 'principle3FairnessMonitoringRequired', 'UK AI Framework Principle 3 fairness monitoring'));
2601
+ this.register('uk_ai_principle4_accountability_active', configFlag('attestation-manager', 'principleConformanceDocumentationRequired', 'UK AI Framework Principle 4 accountability'));
2602
+ this.register('uk_ai_principle5_contestability_active', configFlag('approval-queue', 'principle5ContestabilityRequired', 'UK AI Framework Principle 5 contestability'));
2603
+ // -- FCA Operational Resilience specific checks --
2604
+ this.register('fca_or_ibs_identification_active', configFlag('governance-runtime', 'ibsDisruptionDetectionRequired', 'FCA Op Resilience IBS disruption detection'));
2605
+ this.register('fca_or_impact_tolerance_active', configFlag('attestation-manager', 'ibsImpactToleranceDocumentationRequired', 'FCA Op Resilience impact tolerance documentation'));
2606
+ this.register('fca_or_board_attestation_active', configFlag('attestation-manager', 'boardAnnualAttestationRequired', 'FCA Op Resilience board annual attestation'));
2607
+ this.register('fca_or_third_party_active', configFlag('supply-chain', 'thirdPartyDependencyMappingRequired', 'FCA Op Resilience third-party dependency mapping'));
2608
+ this.register('fca_or_scenario_testing_active', configFlag('attestation-manager', 'scenarioTestRetentionYears', 'FCA Op Resilience scenario test retention'));
2609
+ // -- German BDSG specific checks --
2610
+ this.register('de_bdsg_works_council_gate_active', configFlag('approval-queue', 'worksCouncilConsultationGateRequired', 'BDSG BetrVG §87(1) No.6 works council gate'));
2611
+ this.register('de_bdsg_purpose_limitation_active', configFlag('governance-runtime', 'bdsg26PurposeLimitationRequired', 'BDSG §26 employee data purpose limitation'));
2612
+ this.register('de_bdsg_dpo_designation_active', configFlag('governance-runtime', 'germanDpoDesignationCheckRequired', 'BDSG §38 DPO designation check'));
2613
+ this.register('de_bdsg_video_surveillance_active', configFlag('transparency-injector', 'aiUseDisclosureRequired', 'BDSG §4 video surveillance disclosure'));
2614
+ this.register('de_bdsg_special_category_active', (ctx) => {
2615
+ const action = ctx.packConfig?.['data-classifier']?.specialCategoryEmployeeDataAction;
2616
+ const passed = action === 'BLOCK';
2617
+ return {
2618
+ passed,
2619
+ detail: passed
2620
+ ? 'BDSG §26(3) special category employee data action = BLOCK configured'
2621
+ : `specialCategoryEmployeeDataAction=${action} (expected BLOCK)`,
2622
+ };
2623
+ });
2624
+ // -- Texas HB4 specific checks --
2625
+ this.register('tx_hb4_sensitive_data_opt_in_active', configFlag('governance-runtime', 'sensitiveDataOptInRequired', 'Texas TDPSA sensitive data opt-in gate'));
2626
+ this.register('tx_hb4_biometric_consent_active', configFlag('governance-runtime', 'biometricAdditionalConsentRequired', 'Texas TDPSA biometric additional consent'));
2627
+ this.register('tx_hb4_child_data_gate_active', configFlag('governance-runtime', 'childDataParentalConsentRequired', 'Texas TDPSA child data parental consent'));
2628
+ this.register('tx_hb4_dpia_active', configFlag('approval-queue', 'dpiaReviewRequired', 'Texas TDPSA DPIA review required'));
2629
+ this.register('tx_hb4_privacy_notice_active', configFlag('transparency-injector', 'tdpsaPrivacyNoticeRequired', 'Texas TDPSA privacy notice'));
2630
+ this.register('tx_hb4_opt_out_active', configFlag('session-persistence', 'optOutPersistenceRequired', 'Texas TDPSA opt-out persistence'));
2631
+ // -- Utah AI Policy specific checks --
2632
+ this.register('utah_ai_disclosure_when_asked_active', configFlag('transparency-injector', 'generativeAiDisclosureWhenAskedRequired', 'Utah AI Policy Act disclosure when asked'));
2633
+ this.register('utah_ai_regulated_occupation_disclosure_active', configFlag('transparency-injector', 'regulatedOccupationAffirmativeDisclosureRequired', 'Utah AI Policy Act regulated occupation affirmative disclosure'));
2634
+ this.register('utah_ai_occupation_classification_active', configFlag('attestation-manager', 'regulatedOccupationRegisterRequired', 'Utah AI Policy Act occupation classification register'));
2635
+ this.register('utah_ai_liability_attribution_active', configFlag('governance-runtime', 'liabilityAttributionTrackingRequired', 'Utah AI Policy Act liability attribution tracking'));
2636
+ this.register('utah_ai_learning_lab_active', configFlag('attestation-manager', 'learningLabParticipationRecordsRequired', 'Utah AI Policy Act Learning Lab records'));
2637
+ // -- BATCH-06 behavioral validators (2026-04-25) --
2638
+ // UK AI Framework: PRINCIPLE_CONFORMANCE_EVIDENCE -> WARN
2639
+ this.register('behavioralValidator_uk_ai_framework', runBehavioralCheck('uk-ai-framework', 'PRINCIPLE_CONFORMANCE_EVIDENCE', 'uk ai framework principle conformance accountability governance safety DSIT cross-sectoral principle evidence', 'WARN'));
2640
+ // FCA Op Resilience: IMPACT_TOLERANCE_RECORD -> WARN
2641
+ this.register('behavioralValidator_fca_op_resilience', runBehavioralCheck('fca-op-resilience', 'IMPACT_TOLERANCE_RECORD', 'impact tolerance FCA PS21/3 important business service maximum tolerable disruption operational resilience', 'WARN'));
2642
+ // German BDSG: WORKS_COUNCIL_CONSULTATION_RECORD -> WARN
2643
+ this.register('behavioralValidator_de_bdsg', runBehavioralCheck('de-bdsg', 'WORKS_COUNCIL_CONSULTATION_RECORD', 'betriebsrat BetrVG works council codetermination Betriebsvereinbarung employee monitoring AI BDSG', 'WARN'));
2644
+ // Texas HB4: SENSITIVE_PERSONAL_DATA_TEXAS -> BLOCK
2645
+ this.register('behavioralValidator_texas_hb4', runBehavioralCheck('texas-hb4', 'SENSITIVE_PERSONAL_DATA_TEXAS', 'sensitive data texas TDPSA HB4 health condition immigration status religious beliefs texas resident', 'BLOCK'));
2646
+ // Utah AI Policy: REGULATED_OCCUPATION_AI_USE -> WARN
2647
+ this.register('behavioralValidator_utah_ai_policy', runBehavioralCheck('utah-ai-policy', 'REGULATED_OCCUPATION_AI_USE', 'utah regulated occupation ai disclosure medical legal mental health utah SB149 licensed professional affirmative disclosure', 'WARN'));
2648
+ // -- BATCH-06b behavioral validators (2026-04-25): Tennessee ELVIS + JP APPI + KR PIPA + NZ Privacy --
2649
+ // Tennessee ELVIS Act: VOICE_BIOMETRIC_RECORD -> BLOCK (no consent = blocked)
2650
+ this.register('behavioralValidator_tennessee_elvis', runBehavioralCheck('tennessee-elvis', 'VOICE_BIOMETRIC_RECORD', 'voice clone voice cloning AI voice biometric Tennessee ELVIS Act TCA §47-25 voice synthesis synthetic voice deepfake voice', 'BLOCK'));
2651
+ // Japan APPI: SPECIAL_CARE_REQUIRED_PERSONAL_INFORMATION -> BLOCK
2652
+ this.register('behavioralValidator_jp_appi', runBehavioralCheck('jp-appi', 'SPECIAL_CARE_REQUIRED_PERSONAL_INFORMATION', 'yohairyo special care required personal information japan APPI sensitive data medical history criminal record race creed disability', 'BLOCK'));
2653
+ // South Korea PIPA: SENSITIVE_INFORMATION_KOREA -> BLOCK
2654
+ this.register('behavioralValidator_kr_pipa', runBehavioralCheck('kr-pipa', 'SENSITIVE_INFORMATION_KOREA', 'mingam jeongbo sensitive information korea PIPA ideology belief union membership health genetic criminal biometric template', 'BLOCK'));
2655
+ // New Zealand Privacy Act: CROSS_BORDER_DISCLOSURE_NZ -> WARN (IPP 13 comparable safeguards)
2656
+ this.register('behavioralValidator_nz_privacy', runBehavioralCheck('nz-privacy', 'CROSS_BORDER_DISCLOSURE_NZ', 'IPP 13 transborder data flow new zealand NZ cross-border disclosure comparable safeguards privacy act 2020 overseas transfer', 'WARN'));
2657
+ // -- Tennessee ELVIS specific checks --
2658
+ this.register('tennessee_elvis_voice_consent_gate_active', configFlag('governance-runtime', 'voiceCloningConsentGateRequired', 'Tennessee ELVIS Act voice consent hard gate'));
2659
+ this.register('tennessee_elvis_likeness_consent_gate_active', configFlag('governance-runtime', 'likenessCloningConsentGateRequired', 'Tennessee ELVIS Act likeness consent hard gate'));
2660
+ this.register('tennessee_elvis_consent_separability_active', configFlag('attestation-manager', 'consentSeparabilityDocumentationRequired', 'Tennessee ELVIS Act consent separability documentation'));
2661
+ this.register('tennessee_elvis_ai_disclosure_active', configFlag('transparency-injector', 'aiGeneratedContentDisclosureRequired', 'Tennessee ELVIS Act AI-generated content disclosure'));
2662
+ this.register('tennessee_elvis_statutory_damages_active', configFlag('governance-runtime', 'statutoryDamagesTrackingRequired', 'Tennessee ELVIS Act statutory damages tracking'));
2663
+ // -- Japan APPI specific checks --
2664
+ this.register('jp_appi_purpose_gate_active', configFlag('governance-runtime', 'purposeSpecificationGateRequired', 'Japan APPI purpose specification gate'));
2665
+ this.register('jp_appi_special_care_opt_in_active', configFlag('governance-runtime', 'specialCareRequiredOptInGateRequired', 'Japan APPI special care-required data opt-in gate'));
2666
+ this.register('jp_appi_cross_border_adequacy_active', configFlag('governance-runtime', 'crossBorderTransferAdequacyCheckRequired', 'Japan APPI cross-border transfer adequacy check'));
2667
+ this.register('jp_appi_third_party_transfer_records_active', configFlag('attestation-manager', 'thirdPartyTransferRecordLifecycleRequired', 'Japan APPI third-party transfer records lifecycle'));
2668
+ this.register('jp_appi_purpose_disclosure_active', configFlag('transparency-injector', 'purposeOfUsePublicDisclosureRequired', 'Japan APPI purpose of use public disclosure'));
2669
+ // -- South Korea PIPA specific checks --
2670
+ this.register('kr_pipa_sensitive_separate_consent_active', configFlag('governance-runtime', 'sensitiveInformationSeparateConsentGateRequired', 'Korea PIPA sensitive information separate consent gate'));
2671
+ this.register('kr_pipa_rrn_statutory_basis_active', configFlag('governance-runtime', 'rrnStatutoryBasisGateRequired', 'Korea PIPA RRN statutory basis hard gate'));
2672
+ this.register('kr_pipa_automated_decision_objection_active', configFlag('governance-runtime', 'automatedDecisionObjectionWorkflowRequired', 'Korea PIPA 2023 automated decision objection workflow'));
2673
+ this.register('kr_pipa_cross_border_gate_active', configFlag('approval-queue', 'crossBorderTransferGateRequired', 'Korea PIPA cross-border transfer gate'));
2674
+ this.register('kr_pipa_cpo_designation_active', configFlag('attestation-manager', 'cpoDesignationRequired', 'Korea PIPA CPO mandatory designation'));
2675
+ // F-NEW-VERA-PACK-C3-01 (2026-05-03): dedicated portability check replacing borrowed bias_monitor_active.
2676
+ // PIPA Art. 35-2 (2023 amendment) data portability requires session-persistence to track portability
2677
+ // request state across the statutory response window, and approval-queue for human confirmation
2678
+ // before exporting personal information to a third party on behalf of the data subject.
2679
+ this.register('kr_pipa_portability_active', (ctx) => {
2680
+ const sessionPersistenceActive = ctx.activeModules.includes('session-persistence');
2681
+ const approvalQueueActive = ctx.activeModules.includes('approval-queue');
2682
+ const passed = sessionPersistenceActive && approvalQueueActive;
2683
+ return {
2684
+ passed,
2685
+ detail: passed
2686
+ ? 'PIPA Art. 35-2 portability workflow active: session-persistence + approval-queue both present'
2687
+ : `PIPA Art. 35-2 portability workflow incomplete: session-persistence=${sessionPersistenceActive}, approval-queue=${approvalQueueActive}`,
2688
+ };
2689
+ });
2690
+ // -- New Zealand Privacy Act 2020 specific checks --
2691
+ this.register('nz_privacy_ipp13_comparable_safeguards_active', configFlag('governance-runtime', 'ipp13ComparableSafeguardsCheckRequired', 'NZ Privacy Act IPP 13 comparable safeguards check'));
2692
+ this.register('nz_privacy_extra_territorial_active', configFlag('governance-runtime', 'extraTerritorialNzFlagRequired', 'NZ Privacy Act extra-territorial applicability flag'));
2693
+ // F-NEW-VERA-PACK-C3-02: corrected from nprsBranchNotificationOpcRequired (typo);
2694
+ // NPBR = Notifiable Privacy Breach Reporting per NZ Privacy Act 2020 s.114.
2695
+ this.register('nz_privacy_npbr_active', configFlag('event-bus', 'npbrNotificationOpcRequired', 'NZ Privacy Act NPBR OPC notification'));
2696
+ this.register('nz_privacy_ipp3_collection_notice_active', configFlag('transparency-injector', 'ipp3CollectionNoticeRequired', 'NZ Privacy Act IPP 3 collection notice'));
2697
+ this.register('nz_privacy_agency_compliance_active', configFlag('attestation-manager', 'privacyManagementFrameworkRequired', 'NZ Privacy Act Privacy Management Framework'));
2698
+ // -- FDA 21 CFR Part 56 (IRB Regulations) specific checks --
2699
+ // 56.107(a): >= 5 members, varying backgrounds, scientific + nonscientific + unaffiliated
2700
+ this.register('fda_irb_roster_composition_active', (ctx) => {
2701
+ const am = ctx.packConfig?.['attestation-manager'];
2702
+ const minCount = am?.minimumIrbMemberCount;
2703
+ const rosterAttested = am?.irbRosterCompositionAttestationRequired === true;
2704
+ const memberRecords = am?.memberQualificationRecordsRequired === true;
2705
+ const affiliationDeclared = am?.affiliationDeclarationRequired === true;
2706
+ const passed = rosterAttested && memberRecords && affiliationDeclared &&
2707
+ typeof minCount === 'number' && minCount >= 5;
2708
+ return {
2709
+ passed,
2710
+ detail: passed
2711
+ ? `IRB roster composition configured: >= ${minCount} members, qualification records required, affiliation declarations required (21 CFR 56.107(a))`
2712
+ : `IRB roster configuration incomplete: rosterAttested=${rosterAttested}, memberRecords=${memberRecords}, affiliationDeclared=${affiliationDeclared}, minimumIrbMemberCount=${minCount} (need >= 5)`,
2713
+ };
2714
+ });
2715
+ // 56.108(c): majority quorum including at least one nonscientific member
2716
+ this.register('fda_irb_quorum_active', (ctx) => {
2717
+ const gr = ctx.packConfig?.['governance-runtime'];
2718
+ const majorityRequired = gr?.irbQuorumMajorityRequired === true;
2719
+ const nonscientificRequired = gr?.irbQuorumNonscientificMemberRequired === true;
2720
+ const passed = majorityRequired && nonscientificRequired;
2721
+ return {
2722
+ passed,
2723
+ detail: passed
2724
+ ? 'IRB quorum rules configured: majority presence required + nonscientific member required (21 CFR 56.108(c))'
2725
+ : `IRB quorum configuration incomplete: majorityRequired=${majorityRequired}, nonscientificMemberRequired=${nonscientificRequired}`,
2726
+ };
2727
+ });
2728
+ // 56.107(e): conflict-of-interest recusal enforcement
2729
+ this.register('fda_irb_conflict_of_interest_active', (ctx) => {
2730
+ const gr = ctx.packConfig?.['governance-runtime'];
2731
+ const aq = ctx.packConfig?.['approval-queue'];
2732
+ const runtimeRecusal = gr?.conflictOfInterestRecusalActive === true;
2733
+ const queueRecusal = aq?.conflictOfInterestRecusalEnforced === true;
2734
+ const am = ctx.packConfig?.['attestation-manager'];
2735
+ const coiAcknowledgment = am?.conflictOfInterestAcknowledgmentRequired === true;
2736
+ const passed = runtimeRecusal && queueRecusal && coiAcknowledgment;
2737
+ return {
2738
+ passed,
2739
+ detail: passed
2740
+ ? 'Conflict-of-interest recusal enforced at governance-runtime, approval-queue, and attestation-manager (21 CFR 56.107(e))'
2741
+ : `COI recusal incomplete: runtime=${runtimeRecusal}, queue=${queueRecusal}, coiAcknowledgment=${coiAcknowledgment}`,
2742
+ };
2743
+ });
2744
+ // 56.109(f): continuing review not less than once per year
2745
+ this.register('fda_irb_continuing_review_active', (ctx) => {
2746
+ const gr = ctx.packConfig?.['governance-runtime'];
2747
+ const maxInterval = gr?.continuingReviewMaxIntervalDays;
2748
+ const aq = ctx.packConfig?.['approval-queue'];
2749
+ const renewalQueue = aq?.continuingReviewRenewalQueueEnabled === true;
2750
+ const am = ctx.packConfig?.['attestation-manager'];
2751
+ const approvalOnFile = am?.continuingReviewApprovalOnFileRequired === true;
2752
+ const passed = renewalQueue && approvalOnFile &&
2753
+ typeof maxInterval === 'number' && maxInterval <= 365;
2754
+ return {
2755
+ passed,
2756
+ detail: passed
2757
+ ? `Continuing review configured: max interval ${maxInterval} days (<= 365), renewal queue enabled, approval-on-file required (21 CFR 56.109(f))`
2758
+ : `Continuing review configuration incomplete: renewalQueue=${renewalQueue}, approvalOnFile=${approvalOnFile}, maxIntervalDays=${maxInterval} (need <= 365)`,
2759
+ };
2760
+ });
2761
+ // 56.110: expedited review only for minimal-risk studies on FDA's expedited list
2762
+ this.register('fda_irb_expedited_review_criteria_active', (ctx) => {
2763
+ const aq = ctx.packConfig?.['approval-queue'];
2764
+ const routingConfigured = aq?.expeditedVsFullBoardRoutingRequired === true;
2765
+ const am = ctx.packConfig?.['attestation-manager'];
2766
+ const eligibilityDoc = am?.expeditedReviewEligibilityDocumentationRequired === true;
2767
+ const passed = routingConfigured && eligibilityDoc;
2768
+ return {
2769
+ passed,
2770
+ detail: passed
2771
+ ? 'Expedited review criteria enforced: routing logic configured and eligibility documentation required (21 CFR 56.110)'
2772
+ : `Expedited review configuration incomplete: routingConfigured=${routingConfigured}, eligibilityDocumentation=${eligibilityDoc}`,
2773
+ };
2774
+ });
2775
+ // 56.115(b): IRB records retained >= 3 years after completion
2776
+ this.register('fda_irb_records_retention_active', (ctx) => {
2777
+ const retentionDays = ctx.evidence?.auditRetentionDays;
2778
+ // 1095 days = 3 years per 21 CFR 56.115(b)
2779
+ const n = typeof retentionDays === 'number' ? retentionDays : 0;
2780
+ const passed = n >= 1095;
2781
+ return {
2782
+ passed,
2783
+ detail: passed
2784
+ ? `IRB records retention ${n} days >= 1095 (3 years) per 21 CFR 56.115(b)`
2785
+ : `IRB records retention ${n} days < 1095 (3-year minimum per 21 CFR 56.115(b))`,
2786
+ };
2787
+ });
2788
+ // 56.115(a)(2): minutes must record attendance, votes, basis for required modifications
2789
+ this.register('fda_irb_meeting_minutes_active', (ctx) => {
2790
+ const ac = ctx.packConfig?.['audit-chain'];
2791
+ const minutesIntegrity = ac?.irbMeetingMinutesIntegrityRequired === true;
2792
+ const voteTally = ac?.voteTallyTamperDetectionRequired === true;
2793
+ const protocolChain = ac?.protocolApprovalChainRequired === true;
2794
+ const passed = minutesIntegrity && voteTally && protocolChain;
2795
+ return {
2796
+ passed,
2797
+ detail: passed
2798
+ ? 'IRB meeting minutes integrity enforced: tamper-evident minutes, vote tallies, protocol approval chain (21 CFR 56.115(a)(2))'
2799
+ : `Meeting minutes configuration incomplete: minutesIntegrity=${minutesIntegrity}, voteTally=${voteTally}, protocolChain=${protocolChain}`,
2800
+ };
2801
+ });
2802
+ // 56.108(b): prompt reporting of unanticipated problems, serious/continuing noncompliance, suspension/termination
2803
+ this.register('fda_irb_prompt_reporting_active', (ctx) => {
2804
+ const eb = ctx.packConfig?.['event-bus'];
2805
+ const unanticipatedReporting = eb?.unanticipatedProblemReportingActive === true;
2806
+ const suspensionNotification = eb?.suspensionTerminationNotificationActive === true;
2807
+ const noncomplianceEscalation = eb?.continuingNoncomplianceEscalationActive === true;
2808
+ const saeDeadline = eb?.saePromptReportingDeadlineHours;
2809
+ const passed = unanticipatedReporting && suspensionNotification && noncomplianceEscalation &&
2810
+ typeof saeDeadline === 'number' && saeDeadline <= 24;
2811
+ return {
2812
+ passed,
2813
+ detail: passed
2814
+ ? `Prompt reporting configured: unanticipated problems, suspension/termination, noncompliance escalation, SAE clock ${saeDeadline}h (<= 24h) (21 CFR 56.108(b))`
2815
+ : `Prompt reporting configuration incomplete: unanticipatedReporting=${unanticipatedReporting}, suspensionNotification=${suspensionNotification}, noncomplianceEscalation=${noncomplianceEscalation}, saeDeadlineHours=${saeDeadline} (need <= 24)`,
2816
+ };
2817
+ });
2818
+ // ---------------------------------------------------------------------------
2819
+ // NCSC Guidelines for Secure AI System Development (2024) checks
2820
+ // TIER 10-UK Wave 2 | pack id: ncsc-ai-security
2821
+ // Four-phase coverage: secure design / development / deployment / operation.
2822
+ // ---------------------------------------------------------------------------
2823
+ // Phase 1 — secure design: threat model present and approved
2824
+ this.register('behavioralValidator_ncsc_secure_design_threat_model_present', (ctx) => {
2825
+ const am = ctx.packConfig?.['attestation-manager'];
2826
+ const modelProvenanceAttestation = am?.modelProvenanceAttestationRequired === true;
2827
+ const retentionYears = am?.retentionYearsForEvidence;
2828
+ const passed = modelProvenanceAttestation && typeof retentionYears === 'number' && retentionYears >= 7;
2829
+ return {
2830
+ passed,
2831
+ detail: passed
2832
+ ? 'NCSC Phase 1: attestation-manager configured for AI threat model tracking with 7-year retention (NCSC Guidelines for secure AI system development 2024)'
2833
+ : `NCSC Phase 1 secure-design gate incomplete: modelProvenanceAttestation=${modelProvenanceAttestation}, retentionYears=${retentionYears} (need >= 7)`,
2834
+ };
2835
+ });
2836
+ // Phase 2 — secure development: dependency integrity active
2837
+ this.register('behavioralValidator_ncsc_secure_development_dependency_integrity', (ctx) => {
2838
+ const gr = ctx.packConfig?.['governance-runtime'];
2839
+ const designGate = gr?.ncscAiSecureDesignGateRequired === true;
2840
+ const blockUnauthorised = gr?.blockUnauthorisedModelWeightChanges === true;
2841
+ const passed = designGate && blockUnauthorised;
2842
+ return {
2843
+ passed,
2844
+ detail: passed
2845
+ ? 'NCSC Phase 2: governance-runtime blocks unauthorised model-weight changes and enforces secure-design gate (NCSC Guidelines for secure AI system development 2024)'
2846
+ : `NCSC Phase 2 dependency-integrity gate incomplete: designGate=${designGate}, blockUnauthorisedModelWeightChanges=${blockUnauthorised}`,
2847
+ };
2848
+ });
2849
+ // Phase 3 — secure deployment: deployment record present
2850
+ this.register('behavioralValidator_ncsc_secure_deployment_record_present', (ctx) => {
2851
+ const aq = ctx.packConfig?.['approval-queue'];
2852
+ const modelSwapApproval = aq?.modelSwapApprovalRequired === true;
2853
+ const reviewTier = aq?.reviewTier;
2854
+ const deploymentApproval = aq?.deploymentApprovalRequired === true;
2855
+ const passed = modelSwapApproval && reviewTier === 'T2' && deploymentApproval;
2856
+ return {
2857
+ passed,
2858
+ detail: passed
2859
+ ? 'NCSC Phase 3: approval-queue configured with T2 model-swap gate and deployment-approval requirement (NCSC Guidelines for secure AI system development 2024)'
2860
+ : `NCSC Phase 3 deployment-record gate incomplete: modelSwapApproval=${modelSwapApproval}, reviewTier=${reviewTier} (need T2), deploymentApproval=${deploymentApproval}`,
2861
+ };
2862
+ });
2863
+ // Phase 4 — secure operation: monitoring active for adversarial events
2864
+ this.register('behavioralValidator_ncsc_secure_operation_monitoring_active', (ctx) => {
2865
+ const eb = ctx.packConfig?.['event-bus'];
2866
+ const adversarialInputDetection = eb?.adversarialInputDetectionRequired === true;
2867
+ const promptInjectionAlerting = eb?.promptInjectionAlertingRequired === true;
2868
+ const aiIncidentRouting = eb?.aiSecurityIncidentRoutingRequired === true;
2869
+ const passed = adversarialInputDetection && promptInjectionAlerting && aiIncidentRouting;
2870
+ return {
2871
+ passed,
2872
+ detail: passed
2873
+ ? 'NCSC Phase 4: event-bus configured for adversarial-input detection, prompt-injection alerting, and AI-specific incident routing (NCSC Guidelines for secure AI system development 2024)'
2874
+ : `NCSC Phase 4 monitoring incomplete: adversarialInputDetection=${adversarialInputDetection}, promptInjectionAlerting=${promptInjectionAlerting}, aiIncidentRouting=${aiIncidentRouting}`,
2875
+ };
2876
+ });
2877
+ // Phase 4 — incident response: AI-specific incident path active
2878
+ this.register('behavioralValidator_ncsc_incident_response_ai_path_active', (ctx) => {
2879
+ const eb = ctx.packConfig?.['event-bus'];
2880
+ const aiIncidentRouting = eb?.aiSecurityIncidentRoutingRequired === true;
2881
+ const dataPoisoningSignal = eb?.dataPoisoningSignalRequired === true;
2882
+ const passed = aiIncidentRouting && dataPoisoningSignal;
2883
+ return {
2884
+ passed,
2885
+ detail: passed
2886
+ ? 'NCSC Phase 4: AI-specific incident response path active — data poisoning signal and AI incident routing configured (NCSC Guidelines for secure AI system development 2024)'
2887
+ : `NCSC Phase 4 AI incident-response path incomplete: aiIncidentRouting=${aiIncidentRouting}, dataPoisoningSignal=${dataPoisoningSignal}`,
2888
+ };
2889
+ });
2890
+ // ---------------------------------------------------------------------------
2891
+ // UK Equality Act 2010 + ICO-EHRC Joint AI Bias Guidance checks
2892
+ // TIER 10-UK Wave 2 | pack id: uk-equality-act-ai-bias
2893
+ // Equality Act 2010 ss.4-12, 13, 19, 149; ICO-EHRC joint guidance (2024)
2894
+ // ---------------------------------------------------------------------------
2895
+ // uk_equality_ai_bias_disparate_impact_gate:
2896
+ // Verifies bias-monitor is active AND the 80% (4/5ths) disparate-impact
2897
+ // threshold is configured. Equality Act 2010 s.19 indirect discrimination.
2898
+ this.register('uk_equality_ai_bias_disparate_impact_gate', (ctx) => {
2899
+ const bm = ctx.packConfig?.['bias-monitor'];
2900
+ const biasMonitorActive = ctx.activeModules.includes('bias-monitor');
2901
+ const thresholdSet = typeof bm?.disparateImpactThresholdPercent === 'number' &&
2902
+ bm.disparateImpactThresholdPercent >= 80;
2903
+ const blockEnabled = bm?.blockedBelowThreshold === true;
2904
+ const passed = biasMonitorActive && thresholdSet && blockEnabled;
2905
+ return {
2906
+ passed,
2907
+ detail: passed
2908
+ ? 'UK Equality Act AI bias disparate-impact gate active: bias-monitor present, 80% (4/5ths) threshold configured, BLOCK on sub-threshold decisions enabled (Equality Act 2010 s.19; ICO-EHRC joint guidance 2024)'
2909
+ : `Disparate-impact gate incomplete: biasMonitorActive=${biasMonitorActive}, thresholdSet=${thresholdSet} (need disparateImpactThresholdPercent >= 80), blockEnabled=${blockEnabled} — required: Equality Act 2010 s.19 indirect discrimination gate`,
2910
+ };
2911
+ });
2912
+ // uk_equality_ai_bias_eia_public_sector_gate:
2913
+ // Verifies attestation-manager has EIA-before-deployment required and gated.
2914
+ // Public Sector Equality Duty (s.149): public bodies must complete EIA before
2915
+ // deploying AI systems. ICO-EHRC joint guidance (2024).
2916
+ this.register('uk_equality_ai_bias_eia_public_sector_gate', (ctx) => {
2917
+ const am = ctx.packConfig?.['attestation-manager'];
2918
+ const eiaRequired = am?.eiaBeforeDeploymentRequired === true;
2919
+ const eiaGated = am?.eiaApprovalGated === true;
2920
+ const biasAssessmentDocumented = am?.aisBiasRiskAssessmentDocumented === true;
2921
+ const passed = eiaRequired && eiaGated && biasAssessmentDocumented;
2922
+ return {
2923
+ passed,
2924
+ detail: passed
2925
+ ? 'UK Equality Act 2010 s.149 PSED EIA gate active: EIA required before deployment, EIA approval gated, AI bias risk assessment documented (ICO-EHRC joint guidance 2024)'
2926
+ : `EIA public-sector gate incomplete: eiaRequired=${eiaRequired}, eiaGated=${eiaGated}, biasAssessmentDocumented=${biasAssessmentDocumented} — required: Equality Act 2010 s.149 Public Sector Equality Duty + ICO-EHRC joint guidance 2024`,
2927
+ };
2928
+ });
2929
+ // ---------------------------------------------------------------------------
2930
+ // DO-178C avionics software life cycle checks (RTCA DO-178C / EUROCAE ED-12C)
2931
+ // ---------------------------------------------------------------------------
2932
+ this.register('do178c_software_level_assigned', configFlag('governance-runtime', 'softwareLevelTrackingRequired', 'software level (A/B/C/D/E) tracking active'));
2933
+ this.register('do178c_psac_active', configFlag('governance-runtime', 'do178cLevelAProcessRequired', 'DO-178C Level A process (PSAC scope)'));
2934
+ this.register('do178c_development_plan_active', configFlag('governance-runtime', 'do178cLevelBProcessRequired', 'DO-178C Level B development process (SDP scope)'));
2935
+ this.register('do178c_verification_plan_active', configFlag('governance-runtime', 'do178cLevelCProcessRequired', 'DO-178C Level C verification process (SVP scope)'));
2936
+ this.register('do178c_requirements_data_active', configFlag('governance-runtime', 'do178cLevelDProcessRequired', 'DO-178C Level D requirements process'));
2937
+ this.register('do178c_design_description_active', configFlag('governance-runtime', 'decisionCoverageRequiredForLevelB', 'design description with decision-coverage gating'));
2938
+ this.register('do178c_mc_dc_coverage_level_a_active', configFlag('governance-runtime', 'mcDcCoverageRequiredForLevelA', 'MC/DC coverage required for Level A'));
2939
+ this.register('do178c_decision_coverage_level_b_active', configFlag('attestation-manager', 'mcDcCoverageAttestationRequiredForLevelA', 'decision/MC-DC coverage attestation'));
2940
+ this.register('do178c_tool_qualification_active', configFlag('supply-chain', 'do330ToolQualificationLevelTrackingRequired', 'DO-330 tool qualification level (TQL) tracking'));
2941
+ this.register('do178c_config_management_active', configFlag('supply-chain', 'toolQualificationInventoryRequired', 'tool qualification inventory + configuration management'));
2942
+ this.register('do178c_quality_assurance_active', configFlag('attestation-manager', 'conformityReviewSignOffRequired', 'conformity review sign-off (SQA)'));
2943
+ this.register('do178c_problem_reports_active', configFlag('anomaly-detector', 'softwareAnomalySignalDetectionActive', 'software anomaly signal detection (problem reports)'));
2944
+ this.register('do178c_accomplishment_summary_active', configFlag('attestation-manager', 'softwareAccomplishmentSummaryAttestationRequired', 'Software Accomplishment Summary attestation'));
2945
+ this.register('behavioralValidator_do178c_level_a_unverified_change', configFlag('anomaly-detector', 'levelAAnomalyImmediateEscalationRequired', 'Level A unverified change immediate escalation'));
2946
+ this.register('behavioralValidator_do178c_mc_dc_coverage_below_threshold', configFlag('approval-queue', 'derReviewRequiredForLevelAB', 'Level A MC/DC coverage shortfall DER+SQA review'));
2947
+ // ---------------------------------------------------------------------------
2948
+ // FDA 21 CFR Part 820 (QSR / QMSR) checks (2026-05-09)
2949
+ // ---------------------------------------------------------------------------
2950
+ // § 820.30(j): Design History File controls
2951
+ this.register('fda_820_dhf_controls_active', (ctx) => {
2952
+ const ai = ctx.packConfig?.['audit-integrity'];
2953
+ const dhfChain = ai?.dhfAuditChainRequired === true;
2954
+ const gr = ctx.packConfig?.['governance-runtime'];
2955
+ const docCtrl = gr?.documentControlAuthorizationRequired === true;
2956
+ const passed = dhfChain && docCtrl;
2957
+ return {
2958
+ passed,
2959
+ detail: passed
2960
+ ? 'DHF controls active: audit-chain integrity + document-control authorisation (21 CFR 820.30(j))'
2961
+ : `DHF controls incomplete: dhfAuditChain=${dhfChain}, documentControlAuth=${docCtrl}`,
2962
+ };
2963
+ });
2964
+ // § 820.181: Device Master Record controls
2965
+ this.register('fda_820_dmr_controls_active', (ctx) => {
2966
+ const ai = ctx.packConfig?.['audit-integrity'];
2967
+ const dmrChain = ai?.dmrAuditChainRequired === true;
2968
+ const sc = ctx.packConfig?.['supply-chain'];
2969
+ const traceability = sc?.componentTraceabilityRequired === true;
2970
+ const passed = dmrChain && traceability;
2971
+ return {
2972
+ passed,
2973
+ detail: passed
2974
+ ? 'DMR controls active: audit-chain integrity + component traceability (21 CFR 820.181)'
2975
+ : `DMR controls incomplete: dmrAuditChain=${dmrChain}, traceability=${traceability}`,
2976
+ };
2977
+ });
2978
+ // § 820.184: Device History Record controls
2979
+ this.register('fda_820_dhr_controls_active', (ctx) => {
2980
+ const ai = ctx.packConfig?.['audit-integrity'];
2981
+ const dhrChain = ai?.dhrAuditChainRequired === true;
2982
+ const sc = ctx.packConfig?.['supply-chain'];
2983
+ const incoming = sc?.incomingAcceptanceRecordRequired === true;
2984
+ const passed = dhrChain && incoming;
2985
+ return {
2986
+ passed,
2987
+ detail: passed
2988
+ ? 'DHR controls active: audit-chain integrity + incoming acceptance records (21 CFR 820.184)'
2989
+ : `DHR controls incomplete: dhrAuditChain=${dhrChain}, incomingAcceptance=${incoming}`,
2990
+ };
2991
+ });
2992
+ // § 820.100: CAPA system
2993
+ this.register('fda_820_capa_active', (ctx) => {
2994
+ const gr = ctx.packConfig?.['governance-runtime'];
2995
+ const capaWorkflow = gr?.capaWorkflowRequired === true;
2996
+ const aq = ctx.packConfig?.['approval-queue'];
2997
+ const capaReview = aq?.capaInitiationReviewRequired === true;
2998
+ const ai = ctx.packConfig?.['audit-integrity'];
2999
+ const capaAudit = ai?.capaAuditTrailRequired === true;
3000
+ const passed = capaWorkflow && capaReview && capaAudit;
3001
+ return {
3002
+ passed,
3003
+ detail: passed
3004
+ ? 'CAPA system active: workflow + human-review gate + audit trail (21 CFR 820.100)'
3005
+ : `CAPA incomplete: workflow=${capaWorkflow}, reviewGate=${capaReview}, auditTrail=${capaAudit}`,
3006
+ };
3007
+ });
3008
+ // 21 CFR Part 803: MDR 30-day / 5-day clocks
3009
+ this.register('fda_820_mdr_clock_active', (ctx) => {
3010
+ const eb = ctx.packConfig?.['event-bus'];
3011
+ const thirtyDay = eb?.mdrThirtyDayClockActive === true;
3012
+ const fiveDay = eb?.mdrFiveDayCorrectiveActionClockActive === true;
3013
+ const aq = ctx.packConfig?.['approval-queue'];
3014
+ const mdrAuth = aq?.mdrFilingAuthorizationRequired === true;
3015
+ const passed = thirtyDay && fiveDay && mdrAuth;
3016
+ return {
3017
+ passed,
3018
+ detail: passed
3019
+ ? 'MDR clocks active: 30-day death/serious-injury clock, 5-day corrective-action clock, MDR filing authorisation (21 CFR Part 803)'
3020
+ : `MDR clock incomplete: thirtyDay=${thirtyDay}, fiveDay=${fiveDay}, filingAuth=${mdrAuth}`,
3021
+ };
3022
+ });
3023
+ // § 820.30(i): Design change review gate
3024
+ this.register('fda_820_design_change_review_active', (ctx) => {
3025
+ const aq = ctx.packConfig?.['approval-queue'];
3026
+ const t2Review = aq?.designChangeT2ReviewRequired === true;
3027
+ const gr = ctx.packConfig?.['governance-runtime'];
3028
+ const designCtrl = gr?.designControlWorkflowRequired === true;
3029
+ const passed = t2Review && designCtrl;
3030
+ return {
3031
+ passed,
3032
+ detail: passed
3033
+ ? 'Design change T2 review active: approval-queue gate + design-control workflow (21 CFR 820.30(i))'
3034
+ : `Design change review incomplete: t2Review=${t2Review}, designControl=${designCtrl}`,
3035
+ };
3036
+ });
3037
+ // § 820.40: Document control
3038
+ this.register('fda_820_document_control_active', (ctx) => {
3039
+ const gr = ctx.packConfig?.['governance-runtime'];
3040
+ const docAuth = gr?.documentControlAuthorizationRequired === true;
3041
+ const aq = ctx.packConfig?.['approval-queue'];
3042
+ const signOff = aq?.documentControlSignOffRequired === true;
3043
+ const passed = docAuth && signOff;
3044
+ return {
3045
+ passed,
3046
+ detail: passed
3047
+ ? 'Document control active: authorisation required + sign-off gate (21 CFR 820.40)'
3048
+ : `Document control incomplete: docAuth=${docAuth}, signOff=${signOff}`,
3049
+ };
3050
+ });
3051
+ // § 820.20(c): Management review
3052
+ this.register('fda_820_management_review_active', (ctx) => {
3053
+ const gr = ctx.packConfig?.['governance-runtime'];
3054
+ const reviewSched = gr?.managementReviewSchedulingRequired === true;
3055
+ const am = ctx.packConfig?.['attestation-manager'];
3056
+ const reviewAttest = am?.managementReviewAttestationRequired === true;
3057
+ const passed = reviewSched && reviewAttest;
3058
+ return {
3059
+ passed,
3060
+ detail: passed
3061
+ ? 'Management review active: scheduling configured + attestation required (21 CFR 820.20(c))'
3062
+ : `Management review incomplete: scheduling=${reviewSched}, attestation=${reviewAttest}`,
3063
+ };
3064
+ });
3065
+ // § 820.30(f)(g): Design verification + validation
3066
+ this.register('fda_820_design_vv_active', (ctx) => {
3067
+ const am = ctx.packConfig?.['attestation-manager'];
3068
+ const verifAttest = am?.designVerificationAttestationRequired === true;
3069
+ const validAttest = am?.designValidationAttestationRequired === true;
3070
+ const aq = ctx.packConfig?.['approval-queue'];
3071
+ const outputReview = aq?.designOutputReviewRequired === true;
3072
+ const passed = verifAttest && validAttest && outputReview;
3073
+ return {
3074
+ passed,
3075
+ detail: passed
3076
+ ? 'Design V&V active: verification attestation + validation attestation + output review gate (21 CFR 820.30(f)(g))'
3077
+ : `Design V&V incomplete: verification=${verifAttest}, validation=${validAttest}, outputReview=${outputReview}`,
3078
+ };
3079
+ });
3080
+ // § 820.50: Purchasing controls
3081
+ this.register('fda_820_purchasing_controls_active', (ctx) => {
3082
+ const sc = ctx.packConfig?.['supply-chain'];
3083
+ const asl = sc?.approvedSupplierListRequired === true;
3084
+ const qual = sc?.supplierQualificationRequired === true;
3085
+ const incoming = sc?.incomingAcceptanceRecordRequired === true;
3086
+ const passed = asl && qual && incoming;
3087
+ return {
3088
+ passed,
3089
+ detail: passed
3090
+ ? 'Purchasing controls active: approved-supplier list + qualification + incoming acceptance (21 CFR 820.50)'
3091
+ : `Purchasing controls incomplete: asl=${asl}, qualification=${qual}, incomingAcceptance=${incoming}`,
3092
+ };
3093
+ });
3094
+ // § 820.198: Complaint files
3095
+ this.register('fda_820_complaint_files_active', (ctx) => {
3096
+ const eb = ctx.packConfig?.['event-bus'];
3097
+ const slaAlerts = eb?.complaintFileSlaAlertsActive === true;
3098
+ const ad = ctx.packConfig?.['anomaly-detector'];
3099
+ const complaintTrend = ad?.complaintTrendAnalysisActive === true;
3100
+ const passed = slaAlerts && complaintTrend;
3101
+ return {
3102
+ passed,
3103
+ detail: passed
3104
+ ? 'Complaint files active: SLA alerts + complaint trend analysis for MDR signal detection (21 CFR 820.198)'
3105
+ : `Complaint files incomplete: slaAlerts=${slaAlerts}, complaintTrend=${complaintTrend}`,
3106
+ };
3107
+ });
3108
+ // § 820.90: Nonconforming product control
3109
+ this.register('fda_820_nonconforming_product_active', (ctx) => {
3110
+ const gr = ctx.packConfig?.['governance-runtime'];
3111
+ const qaSystem = gr?.qaSystemValidationRequired === true;
3112
+ const aq = ctx.packConfig?.['approval-queue'];
3113
+ const ncpReview = aq?.capaInitiationReviewRequired === true; // NCP disposition requires CAPA gate
3114
+ const passed = qaSystem && ncpReview;
3115
+ return {
3116
+ passed,
3117
+ detail: passed
3118
+ ? 'Nonconforming product controls active: QA system + disposition review gate (21 CFR 820.90)'
3119
+ : `Nonconforming product controls incomplete: qaSystem=${qaSystem}, dispositionReview=${ncpReview}`,
3120
+ };
3121
+ });
3122
+ // § 820.70: Production and process controls
3123
+ this.register('fda_820_production_controls_active', (ctx) => {
3124
+ const ad = ctx.packConfig?.['anomaly-detector'];
3125
+ const prodMonitor = ad?.productionProcessMonitoringActive === true;
3126
+ const gr = ctx.packConfig?.['governance-runtime'];
3127
+ const qaSystem = gr?.qaSystemValidationRequired === true;
3128
+ const passed = prodMonitor && qaSystem;
3129
+ return {
3130
+ passed,
3131
+ detail: passed
3132
+ ? 'Production controls active: process monitoring + QA system validation (21 CFR 820.70)'
3133
+ : `Production controls incomplete: processMonitoring=${prodMonitor}, qaSystem=${qaSystem}`,
3134
+ };
3135
+ });
3136
+ // § 820.60 / 820.65: Traceability
3137
+ this.register('fda_820_traceability_active', (ctx) => {
3138
+ const sc = ctx.packConfig?.['supply-chain'];
3139
+ const traceability = sc?.componentTraceabilityRequired === true;
3140
+ const asl = sc?.approvedSupplierListRequired === true;
3141
+ const passed = traceability && asl;
3142
+ return {
3143
+ passed,
3144
+ detail: passed
3145
+ ? 'Traceability active: component traceability + approved-supplier list (21 CFR 820.60/820.65)'
3146
+ : `Traceability incomplete: componentTraceability=${traceability}, supplierList=${asl}`,
3147
+ };
3148
+ });
3149
+ // § 820.180(b): Records retention device lifetime + 2 years
3150
+ this.register('fda_820_records_retention_active', (ctx) => {
3151
+ const retentionDays = ctx.evidence?.auditRetentionDays;
3152
+ // Minimum is 730 days (2 years from commercial release, per § 820.180(b))
3153
+ const n = typeof retentionDays === 'number' ? retentionDays : 0;
3154
+ const passed = n >= 730;
3155
+ return {
3156
+ passed,
3157
+ detail: passed
3158
+ ? `Records retention ${n} days >= 730 (2-year minimum per 21 CFR 820.180(b))`
3159
+ : `Records retention ${n} days < 730 (2-year minimum required by 21 CFR 820.180(b))`,
3160
+ };
3161
+ });
3162
+ // FDA 21 CFR Part 820 behavioral validators
3163
+ // DHF unauthorized modification -> BLOCK
3164
+ this.register('behavioralValidator_fda_820_dhf_unauthorised_modification', runBehavioralCheck('fda-21-cfr-820', 'DESIGN_HISTORY_FILE', 'DHF record modification: design history file entry updated without authorisation', 'BLOCK'));
3165
+ // MDR late filing -> BLOCK
3166
+ this.register('behavioralValidator_fda_820_mdr_late_filing', runBehavioralCheck('fda-21-cfr-820', 'MDR_REPORT', 'MDR 5-day report: medical device report adverse event MAUDE submission overdue corrective action', 'BLOCK'));
3167
+ // CAPA initiation -> REQUIRE_APPROVAL (pack-author REVIEW vocabulary canonicalizes here)
3168
+ this.register('behavioralValidator_fda_820_capa_initiation', runBehavioralCheck('fda-21-cfr-820', 'CORRECTIVE_ACTION', 'CAPA initiation: corrective action record nonconformance investigation root cause analysis', 'REQUIRE_APPROVAL'));
3169
+ // Design change -> BLOCK (must go through T2 review)
3170
+ this.register('behavioralValidator_fda_820_design_change', runBehavioralCheck('fda-21-cfr-820', 'DESIGN_CHANGE', 'Design change request DCR engineering change order design modification device', 'BLOCK'));
3171
+ // ---------------------------------------------------------------------------
3172
+ // IEC 62304 — Medical Device Software Life Cycle Processes
3173
+ // ---------------------------------------------------------------------------
3174
+ // -- IEC 62304 Medical Device Software Life Cycle checks --
3175
+ this.register('iec62304_safety_class_assigned', configFlag('governance-runtime', 'softwareSafetyClassTrackingRequired', 'software safety class (A/B/C) tracking active'));
3176
+ this.register('iec62304_soup_inventory_active', configFlag('supply-chain', 'soupInventoryRequired', 'SOUP inventory and evaluation'));
3177
+ this.register('iec62304_development_plan_active', configFlag('governance-runtime', 'iec62304ClassAProcessRequired', 'IEC 62304 Class A development process'));
3178
+ this.register('iec62304_requirements_analysis_active', configFlag('governance-runtime', 'classificationRationaleRequired', 'software safety classification rationale'));
3179
+ this.register('iec62304_architecture_active', configFlag('governance-runtime', 'iec62304ClassBProcessRequired', 'IEC 62304 Class B development process'));
3180
+ this.register('iec62304_class_c_unit_verification_active', configFlag('attestation-manager', 'classCUnitVerificationEvidenceRequired', 'Class C unit verification evidence'));
3181
+ this.register('iec62304_integration_testing_active', configFlag('governance-runtime', 'iec62304ClassCProcessRequired', 'IEC 62304 Class C development process'));
3182
+ this.register('iec62304_system_testing_active', configFlag('attestation-manager', 'softwareReleaseAttestationRequired', 'software release attestation'));
3183
+ this.register('iec62304_release_records_active', configFlag('attestation-manager', 'classificationRationaleSignOffRequired', 'classification rationale sign-off'));
3184
+ this.register('iec62304_config_management_active', configFlag('supply-chain', 'soupPublishedErrataEvaluationRequired', 'SOUP published errata evaluation'));
3185
+ this.register('iec62304_anomaly_resolution_active', configFlag('anomaly-detector', 'softwareAnomalySignalDetectionActive', 'software anomaly signal detection'));
3186
+ this.register('iec62304_class_c_soup_block_active', configFlag('approval-queue', 'soupIntroductionApprovalRequired', 'SOUP introduction approval gate'));
3187
+ this.register('behavioralValidator_iec62304_class_c_unverified_change', configFlag('anomaly-detector', 'classCAnomályImmediateEscalationRequired', 'Class C anomaly immediate escalation'));
3188
+ this.register('behavioralValidator_iec62304_class_b_anomaly_reviewed', configFlag('approval-queue', 'classBAnomályClosureApprovalRequired', 'Class B anomaly closure approval'));
3189
+ this.register('iec62304_maintenance_plan_active', configFlag('attestation-manager', 'soupEvaluationAttestationRequired', 'SOUP evaluation attestation'));
3190
+ // ---------------------------------------------------------------------------
3191
+ // DO-178C avionics software life cycle checks (RTCA DO-178C / EUROCAE ED-12C)
3192
+ // ---------------------------------------------------------------------------
3193
+ this.register('do178c_software_level_assigned', configFlag('governance-runtime', 'softwareLevelTrackingRequired', 'software level (A/B/C/D/E) tracking active'));
3194
+ this.register('do178c_psac_active', configFlag('governance-runtime', 'do178cLevelAProcessRequired', 'DO-178C Level A process (PSAC scope)'));
3195
+ this.register('do178c_development_plan_active', configFlag('governance-runtime', 'do178cLevelBProcessRequired', 'DO-178C Level B development process (SDP scope)'));
3196
+ this.register('do178c_verification_plan_active', configFlag('governance-runtime', 'do178cLevelCProcessRequired', 'DO-178C Level C verification process (SVP scope)'));
3197
+ this.register('do178c_requirements_data_active', configFlag('governance-runtime', 'do178cLevelDProcessRequired', 'DO-178C Level D requirements process'));
3198
+ this.register('do178c_design_description_active', configFlag('governance-runtime', 'decisionCoverageRequiredForLevelB', 'design description with decision-coverage gating'));
3199
+ this.register('do178c_mc_dc_coverage_level_a_active', configFlag('governance-runtime', 'mcDcCoverageRequiredForLevelA', 'MC/DC coverage required for Level A'));
3200
+ this.register('do178c_decision_coverage_level_b_active', configFlag('attestation-manager', 'mcDcCoverageAttestationRequiredForLevelA', 'decision/MC-DC coverage attestation'));
3201
+ this.register('do178c_tool_qualification_active', configFlag('supply-chain', 'do330ToolQualificationLevelTrackingRequired', 'DO-330 tool qualification level (TQL) tracking'));
3202
+ this.register('do178c_config_management_active', configFlag('supply-chain', 'toolQualificationInventoryRequired', 'tool qualification inventory + configuration management'));
3203
+ this.register('do178c_quality_assurance_active', configFlag('attestation-manager', 'conformityReviewSignOffRequired', 'conformity review sign-off (SQA)'));
3204
+ this.register('do178c_problem_reports_active', configFlag('anomaly-detector', 'softwareAnomalySignalDetectionActive', 'software anomaly signal detection (problem reports)'));
3205
+ this.register('do178c_accomplishment_summary_active', configFlag('attestation-manager', 'softwareAccomplishmentSummaryAttestationRequired', 'Software Accomplishment Summary attestation'));
3206
+ this.register('behavioralValidator_do178c_level_a_unverified_change', configFlag('anomaly-detector', 'levelAAnomalyImmediateEscalationRequired', 'Level A unverified change immediate escalation'));
3207
+ this.register('behavioralValidator_do178c_mc_dc_coverage_below_threshold', configFlag('approval-queue', 'derReviewRequiredForLevelAB', 'Level A MC/DC coverage shortfall DER+SQA review'));
3208
+ // ---------------------------------------------------------------------------
3209
+ // ISO 26262 — Automotive Functional Safety (ISO 26262:2018, all 12 parts)
3210
+ // ---------------------------------------------------------------------------
3211
+ this.register('iso26262_asil_assigned', configFlag('governance-runtime', 'asilTrackingRequired', 'ASIL (A/B/C/D/QM) tracking active — default ASIL B when not declared'));
3212
+ this.register('iso26262_item_definition_active', configFlag('governance-runtime', 'itemDefinitionRequired', 'item definition on file per ISO 26262-3 §5'));
3213
+ this.register('iso26262_hara_active', configFlag('governance-runtime', 'haraRequired', 'HARA active — hazard catalogue + ASIL rationale on file per ISO 26262-3 §6'));
3214
+ this.register('iso26262_functional_safety_concept_active', configFlag('governance-runtime', 'functionalSafetyConceptRequired', 'functional safety concept + FSR on file per ISO 26262-3 §7'));
3215
+ this.register('iso26262_technical_safety_concept_active', configFlag('governance-runtime', 'asilCChangeApprovalRequired', 'technical safety concept + ASIL C approval gate per ISO 26262-4 §6'));
3216
+ this.register('iso26262_software_safety_requirements_active', configFlag('governance-runtime', 'iso26262Part6SoftwareProcessRequired', 'software safety requirements per ISO 26262-6 §6'));
3217
+ this.register('iso26262_software_architectural_design_active', configFlag('governance-runtime', 'asilDChangeApprovalRequired', 'software architectural design + ASIL D approval gate per ISO 26262-6 §7'));
3218
+ this.register('iso26262_unit_verification_active', configFlag('attestation-manager', 'softwareReleaseAttestationRequired', 'software release attestation — unit verification evidence required'));
3219
+ this.register('iso26262_asil_d_mc_dc_coverage_active', configFlag('governance-runtime', 'asilDAnomalyImmediateEscalationRequired', 'ASIL D MC/DC coverage at 100% — immediate escalation on gap per ISO 26262-6 Table 12'));
3220
+ this.register('iso26262_asil_decomposition_active', configFlag('approval-queue', 'asilBAnomalyClosureApprovalRequired', 'ASIL decomposition rules active — ASIL B anomaly closure approval per ISO 26262-9 §5'));
3221
+ this.register('iso26262_fmea_fault_tree_active', configFlag('attestation-manager', 'functionalSafetyAssessmentSignOffRequired', 'FMEA/FTA safety analysis sign-off required per ISO 26262-9 §8'));
3222
+ this.register('iso26262_tool_confidence_level_active', configFlag('supply-chain', 'tclClassificationRequired', 'tool confidence level (TCL) classification per ISO 26262-8 §11'));
3223
+ this.register('iso26262_config_management_active', configFlag('supply-chain', 'toolConfidenceLevelInventoryRequired', 'TCL inventory + configuration management per ISO 26262-8 §7'));
3224
+ this.register('iso26262_change_management_active', configFlag('approval-queue', 'asilCChangeApprovalRequired', 'change management + ASIL C approval gate per ISO 26262-8 §8'));
3225
+ this.register('behavioralValidator_iso26262_asil_d_unverified_change', configFlag('anomaly-detector', 'asilDAnomalyImmediateEscalationRequired', 'ASIL D unverified change immediate escalation — absolute block'));
3226
+ // ---------------------------------------------------------------------------
3227
+ // IEC 62443 — Industrial Automation and Control Systems (IACS) Security
3228
+ // ---------------------------------------------------------------------------
3229
+ this.register('iec62443_security_level_assigned', configFlag('governance-runtime', 'securityLevelTrackingRequired', 'Security Level Target (SL 1-4) assigned per zone/conduit — default SL 2 when not declared'));
3230
+ this.register('iec62443_zone_conduit_model_active', configFlag('governance-runtime', 'zoneConduitModelRequired', 'zone and conduit model on file per IEC 62443-3-2 §5.5'));
3231
+ this.register('iec62443_csms_active', configFlag('governance-runtime', 'csmsCovered', 'CSMS established per IEC 62443-2-1 — scope, policy, risk assessment, organisational responsibilities'));
3232
+ this.register('iec62443_iac_controls_active', configFlag('governance-runtime', 'iec62443Part33SystemControlsRequired', 'FR1 Identification & Authentication Control (SR 1.x) per IEC 62443-3-3'));
3233
+ this.register('iec62443_uc_controls_active', configFlag('governance-runtime', 'sl3ChangeApprovalRequired', 'FR2 Use Control (SR 2.x) per IEC 62443-3-3 — SL 3 approval gate wired'));
3234
+ this.register('iec62443_si_controls_active', configFlag('governance-runtime', 'sl4ChangeApprovalRequired', 'FR3 System Integrity (SR 3.x) per IEC 62443-3-3 — SL 4 approval gate wired'));
3235
+ this.register('iec62443_dc_controls_active', configFlag('governance-runtime', 'sl2AnomalyClosureApprovalRequired', 'FR4 Data Confidentiality (SR 4.x) per IEC 62443-3-3 — SL 2 anomaly closure approval'));
3236
+ this.register('iec62443_rdf_controls_active', configFlag('governance-runtime', 'sl3AnomalyImmediateEscalationRequired', 'FR5 Restricted Data Flow / zone segmentation (SR 5.x) per IEC 62443-3-3'));
3237
+ this.register('iec62443_tre_controls_active', configFlag('governance-runtime', 'sl4AnomalyImmediateEscalationRequired', 'FR6 Timely Response to Events (SR 6.x) per IEC 62443-3-3 — SL 4 immediate escalation'));
3238
+ this.register('iec62443_ra_controls_active', configFlag('governance-runtime', 'iec62443Part41SecureDevelopmentLifecycleRequired', 'FR7 Resource Availability (SR 7.x) per IEC 62443-3-3'));
3239
+ this.register('iec62443_sdl_active', configFlag('attestation-manager', 'sdlComplianceAttestationRequired', 'Secure Development Lifecycle per IEC 62443-4-1 — SDL attestation required'));
3240
+ this.register('iec62443_component_security_requirements_active', configFlag('governance-runtime', 'iec62443Part42ComponentRequirementsRequired', 'component security requirements per IEC 62443-4-2'));
3241
+ this.register('iec62443_patch_management_active', configFlag('supply-chain', 'sdlComplianceVerificationRequired', 'patch management per IEC 62443-2-3 — supply-chain SDL compliance verification'));
3242
+ this.register('iec62443_incident_management_active', configFlag('approval-queue', 'sl2AnomalyClosureApprovalRequired', 'incident management per IEC 62443-2-1 §4.3.4.5 — SL 2+ anomaly closure approval'));
3243
+ this.register('behavioralValidator_iec62443_sl3_sl4_unverified_change', configFlag('anomaly-detector', 'sl4AnomalyImmediateEscalationRequired', 'SL 3/4 unverified IACS change immediate escalation — absolute block'));
3244
+ // ---------------------------------------------------------------------------
3245
+ // NIST SP 800-82 Rev 3 — US Federal Operational Technology Security
3246
+ // ---------------------------------------------------------------------------
3247
+ this.register('nist80082_impact_level_assigned', configFlag('governance-runtime', 'impactLevelTrackingRequired', 'FIPS 199 impact level (LOW/MODERATE/HIGH) assigned per OT system/zone — default MODERATE when not declared'));
3248
+ this.register('nist80082_purdue_model_segmentation', configFlag('governance-runtime', 'purdueModelSegmentationRequired', 'Purdue model segmentation on file per NIST SP 800-82 §5.5 — Levels 0-5 + industrial DMZ Level 3.5'));
3249
+ this.register('nist80082_cybersecurity_program', configFlag('governance-runtime', 'fips199CategorizationRequired', 'OT cybersecurity program per NIST SP 800-82 §3 — charter, roles, workforce training, management approval'));
3250
+ this.register('nist80082_risk_management', configFlag('governance-runtime', 'nist80053ControlOverlayRequired', 'OT risk management per NIST SP 800-82 §4 + SP 800-30 + SP 800-39 — risk register, AO acceptance'));
3251
+ this.register('nist80082_ac_controls', configFlag('governance-runtime', 'highImpactChangeApprovalRequired', 'AC family controls applied to OT per SP 800-82 §6.2 — RBAC, least privilege, MFA for remote access'));
3252
+ this.register('nist80082_au_controls', configFlag('governance-runtime', 'moderateImpactChangeApprovalRequired', 'AU family controls applied to OT per SP 800-82 §6.3 — audit logging, centralized SIEM, 7-year retention'));
3253
+ this.register('nist80082_cm_controls', configFlag('governance-runtime', 'moderateImpactAnomalyClosureApprovalRequired', 'CM family controls applied to OT per SP 800-82 §6.6 — baseline configs, formal change control'));
3254
+ this.register('nist80082_cp_controls', configFlag('governance-runtime', 'highImpactAnomalyImmediateEscalationRequired', 'CP family controls applied to OT per SP 800-82 §6.7 — OT contingency plan, backup, annual test'));
3255
+ this.register('nist80082_ir_controls', configFlag('governance-runtime', 'ciraReportingActive', 'IR family controls applied to OT per SP 800-82 §6.10 — OT IR plan, 24h CISA reporting, CIRCIA integration'));
3256
+ this.register('nist80082_sc_controls', configFlag('approval-queue', 'highImpactChangeApprovalRequired', 'SC family controls applied to OT per SP 800-82 §6.18 — Purdue segmentation, industrial DMZ, encrypted OT comms'));
3257
+ this.register('nist80082_si_controls', configFlag('approval-queue', 'sisModificationAbsoluteBlockRequired', 'SI family controls applied to OT per SP 800-82 §6.19 — malware protection, integrity verification, ICS-CERT'));
3258
+ this.register('nist80082_sr_controls', configFlag('supply-chain', 'eo14028SbomRequired', 'SR family controls applied to OT per SP 800-82 §6.20 — OT SBOM (EO 14028), supplier risk, CMMC'));
3259
+ this.register('nist80082_safety_instrumented_system', configFlag('governance-runtime', 'safetyInstrumentedSystemProtectionRequired', 'SIS isolation per NIST SP 800-82 §5.7 + IEC 61511 — separate segment, SIL engineer sign-off, no AI changes'));
3260
+ this.register('nist80082_cisa_incident_reporting', configFlag('attestation-manager', 'fismaAtoAttestationRequired', 'CISA OT incident reporting per SP 800-82 §6.10 + CIRCIA + EO 14028 — 24h notification, NERC CIP integration'));
3261
+ this.register('behavioralValidator_nist80082_high_impact_unverified_change', configFlag('anomaly-detector', 'unverifiedHighImpactChangeDetectionActive', 'HIGH impact / SIS unverified OT change immediate escalation — absolute block'));
3262
+ // ---- AS9100D / AS9110C / AS9120B — Aerospace Quality Management Systems ----
3263
+ this.register('as9100_product_safety_policy', configFlag('governance-runtime', 'productSafetyPolicyRequired', 'AS9100D §5.1.1.1 — Product Safety Policy: written policy + training + management commitment'));
3264
+ this.register('as9100_counterfeit_parts_prevention', configFlag('governance-runtime', 'counterfeitPartsPreventionRequired', 'AS9100D §8.1.4 — Counterfeit Parts Prevention: ASL + quarantine + ERAI/GIDEP reporting procedure'));
3265
+ this.register('as9100_configuration_management', configFlag('governance-runtime', 'configurationManagementBaselineRequired', 'AS9100D §8.1.2 — Configuration Management: CM baseline + change control (ECO/ECR) + CM records'));
3266
+ this.register('as9100_special_process_controls', configFlag('governance-runtime', 'specialProcessQualificationRequired', 'AS9100D §8.5.1.2 — Special Processes: NADCAP accreditation + operator/equipment/procedure qualification'));
3267
+ this.register('as9100_fod_prevention', configFlag('governance-runtime', 'fodPreventionRequired', 'AS9100D §8.5.4 — FOD Prevention: plan + training + inspections + event investigation'));
3268
+ this.register('as9100_risk_and_opportunity_management', configFlag('governance-runtime', 'capaImmediateEscalationOnSafetyImpact', 'AS9100D §6.1 — Risk + Opportunity Management: FMEA/FTA mandatory (§6.1.2.1) + risk register'));
3269
+ this.register('as9100_design_development_controls', configFlag('governance-runtime', 'designReviewApprovalRequired', 'AS9100D §8.3 — Design + Development Controls: FAI per AS9102 + design change per §8.3.6'));
3270
+ this.register('as9100_purchasing_controls', configFlag('governance-runtime', 'supplierQualificationRequired', 'AS9100D §8.4 — Purchasing Controls: ASL enforcement + customer-approved sources + incoming inspection'));
3271
+ this.register('as9100_product_realisation', configFlag('governance-runtime', 'postDeliverySupportRecordsRequired', 'AS9100D §8.5 — Product Realisation: controlled conditions + travellers + SPC + §8.5.5 post-delivery'));
3272
+ this.register('as9100_identification_traceability', configFlag('supply-chain', 'approvedSourceListEnforcementRequired', 'AS9100D §8.5.2 — Identification + Traceability: serialized/lot-controlled + material certs + CofC chain'));
3273
+ this.register('as9100_customer_property', configFlag('supply-chain', 'itarEarClassificationRequired', 'AS9100D §8.5.3 — Customer + External Property: CFE/CFM + tooling + ITAR/EAR IP protection'));
3274
+ this.register('as9100_post_delivery_support', configFlag('governance-runtime', 'postDeliverySupportRecordsRequired', 'AS9100D §8.5.5 — Post-Delivery Support: warranty + airworthiness data + FAA SDR / EASA Part 21J'));
3275
+ this.register('as9100_on_time_delivery_conformity', configFlag('governance-runtime', 'onTimeDeliveryMetricsRequired', 'AS9100D §9.1.1 — On-Time Delivery + Product Conformity: OTD + first-pass yield + PPM escapes'));
3276
+ this.register('as9100_corrective_action', configFlag('approval-queue', 'safetyImpactCapaApprovalRequired', 'AS9100D §10.2 — CAPA: RCA + effectiveness verification + safety-impact escalation + FAA SDR / EASA 21J'));
3277
+ this.register('behavioralValidator_as9100_counterfeit_parts_detected', configFlag('anomaly-detector', 'counterfeitPartsDetectedImmediateEscalationRequired', 'AS9100D §8.1.4 — counterfeit-parts-detected: absolute CRITICAL block + immediate escalation'));
3278
+ // ---- FDA Software Pre-Cert + SaMD TPLC + AI/ML Action Plan ----
3279
+ this.register('samd_imdrf_categorization', configFlag('governance-runtime', 'imdrfCategorizationRequired', 'IMDRF SaMD N12 (2014) — SaMD risk categorization (Category I–IV): medical purpose × healthcare situation severity'));
3280
+ this.register('samd_patient_safety_excellence', configFlag('governance-runtime', 'postMarketSignalDetectionActive', 'FDA Pre-Cert Principle 1 (Patient Safety) — risk management + MDR signal detection + 5-day escalation path'));
3281
+ this.register('samd_product_quality_excellence', configFlag('governance-runtime', 'pccpChangeControlRequired', 'FDA Pre-Cert Principle 2 (Product Quality) — QMS per ISO 13485 + IEC 62304 software lifecycle processes'));
3282
+ this.register('samd_clinical_responsibility', configFlag('governance-runtime', 'clinicalEvaluationRequired', 'FDA Pre-Cert Principle 3 (Clinical Responsibility) — clinical evaluation per IMDRF N41 + intended-use scoping'));
3283
+ this.register('samd_cybersecurity_responsibility', configFlag('supply-chain', 'sbomMaintenanceRequired', 'FDA Pre-Cert Principle 4 (Cybersecurity Responsibility) — SBOM + VEX + PATCH Act §524B + FDA Cybersecurity Guidance (2023)'));
3284
+ this.register('samd_proactive_culture', configFlag('governance-runtime', 'aimlActionPlanAlignmentActive', 'FDA Pre-Cert Principle 5 (Proactive Culture) — CAPA + RCA + FDA transparency + Q-Sub engagement'));
3285
+ this.register('samd_tplc_monitoring', configFlag('governance-runtime', 'tplcMonitoringActive', 'FDA Total Product Lifecycle (TPLC) approach — post-market monitoring plan + real-world performance tracking'));
3286
+ this.register('samd_real_world_performance', configFlag('governance-runtime', 'realWorldPerformanceTrackingActive', 'FDA RWE/RWD framework + Pre-Cert continuous monitoring — RWP metrics + drift detection + performance reports'));
3287
+ this.register('samd_aiml_action_plan_alignment', configFlag('governance-runtime', 'aimlActionPlanAlignmentActive', 'FDA AI/ML-Based SaMD Action Plan (Jan 2021) — GMLP 10 principles + transparency + RWP + regulatory science + patient engagement'));
3288
+ this.register('samd_pccp_change_control', configFlag('governance-runtime', 'pccpChangeControlRequired', 'FDA PCCP Guidance (2024) — modification protocol + development protocols + performance evaluation + pccp-change-controller'));
3289
+ this.register('samd_algorithm_change_protocol', configFlag('governance-runtime', 'algorithmChangeProtocolRequired', 'FDA AI/ML Action Plan §2 — ACP: bounded change envelope + change log + performance evidence + out-of-bounds escalation'));
3290
+ this.register('samd_clinical_evaluation', configFlag('governance-runtime', 'clinicalEvaluationRequired', 'IMDRF SaMD Clinical Evaluation N41 (2017) — analytical validation + clinical validation + CER + clinical evaluation officer'));
3291
+ this.register('samd_intended_use_scoping', configFlag('governance-runtime', 'intendedUseScopingRequired', 'FDA SaMD intended-use determination + IMDRF N12 — medical purpose + patient population + clinical setting + out-of-scope definition'));
3292
+ this.register('samd_post_market_signal_detection', configFlag('governance-runtime', 'postMarketSignalDetectionActive', 'FDA Sentinel Initiative + Pre-Cert continuous monitoring — signal thresholds + drift detection + 5-day MDR escalation path'));
3293
+ this.register('behavioralValidator_samd_out_of_pccp_bounds_change', configFlag('governance-runtime', 'outOfPccpBoundsImmediateEscalationRequired', 'FDA PCCP Guidance (2024) — out-of-PCCP-bounds-change: absolute CRITICAL block + immediate escalation, no compensating control path'));
3294
+ // ---- ISO 15189:2022 Medical Laboratory Quality and Competence ----
3295
+ this.register('iso15189_impartiality', configFlag('governance-runtime', 'impartialityPolicyRequired', 'ISO 15189:2022 §4.1 — Impartiality: policy documented + conflicts of interest identified + commercial pressure managed'));
3296
+ this.register('iso15189_confidentiality', configFlag('governance-runtime', 'confidentialityControlsRequired', 'ISO 15189:2022 §4.2 — Confidentiality: PHI protection + HIPAA BAA + GDPR Art. 9 + breach detection + 72h notification'));
3297
+ this.register('iso15189_lab_director_responsibility', configFlag('governance-runtime', 'labDirectorOversightRequired', 'ISO 15189:2022 §5.1 — Legal entity + Lab Director: CLIA-qualified director + management accountability + delegation documented'));
3298
+ this.register('iso15189_personnel_competence', configFlag('governance-runtime', 'personnelCompetenceTrackingRequired', 'ISO 15189:2022 §6.2 — Personnel: initial + ongoing competence assessment + lab-director authorisation + Annex C interpretive competence'));
3299
+ this.register('iso15189_equipment_calibration', configFlag('governance-runtime', 'equipmentCalibrationTraceabilityRequired', 'ISO 15189:2022 §6.4 — Equipment + calibration + traceability: SI metrological traceability chain + calibration certificates + maintenance records'));
3300
+ this.register('iso15189_reagents_consumables', configFlag('governance-runtime', 'reagentConsumableVendorQualificationRequired', 'ISO 15189:2022 §6.5 — Reagents + consumables: receipt inspection + lot verification + expiry management + vendor qualification'));
3301
+ this.register('iso15189_pre_examination', configFlag('governance-runtime', 'resultReportingControlsRequired', 'ISO 15189:2022 §7.2 — Pre-examination: request form + patient preparation + sample collection + reception criteria + sample tracking'));
3302
+ this.register('iso15189_examination_validation', configFlag('governance-runtime', 'examinationValidationRequired', 'ISO 15189:2022 §7.3 — Examination: validation (in-house — AMR/precision/trueness/uncertainty) + verification (commercial — manufacturer specs confirmed)'));
3303
+ this.register('iso15189_internal_quality_control', configFlag('governance-runtime', 'internalQualityControlActive', 'ISO 15189:2022 §7.3.7 — Internal Quality Control: Westgard rules + OOC policy: BLOCK patient results + immediate escalation + lab-director sign-off'));
3304
+ this.register('iso15189_external_proficiency_testing', configFlag('governance-runtime', 'externalProficiencyTestingActive', 'ISO 15189:2022 §7.3.4 — EQA/PT: enrolment + unacceptable performance corrective action + qms-lead + lab-director approval'));
3305
+ this.register('iso15189_result_reporting', configFlag('governance-runtime', 'resultReportingControlsRequired', 'ISO 15189:2022 §7.4 — Reporting: authorised release + critical value notification + amended report traceability + AI disclosure'));
3306
+ this.register('iso15189_clinical_interpretation', configFlag('governance-runtime', 'labDirectorOversightRequired', 'ISO 15189:2022 §7.5 + Annex C — Post-examination + clinical interpretation: pathologist review + AI provenance disclosure + retained sample policy'));
3307
+ this.register('iso15189_risk_management_annex_a', configFlag('governance-runtime', 'riskManagementAnnexAActive', 'ISO 15189:2022 Annex A — Risk management: ISO 14971 + ISO 22367 for lab processes + AI-introduced risk assessment + residual risk acceptance'));
3308
+ this.register('iso15189_complaints_handling', configFlag('governance-runtime', 'impartialityPolicyRequired', 'ISO 15189:2022 §8.7 — Complaints: acknowledge without undue delay + root cause + corrective action + accreditation body notification'));
3309
+ this.register('behavioralValidator_iso15189_iqc_out_of_control', configFlag('governance-runtime', 'iqcOutOfControlImmediateEscalationRequired', 'ISO 15189:2022 §7.3.7 — IQC-out-of-control: absolute CRITICAL block — no patient results released until IQC passes + lab-director sign-off'));
3310
+ // ---- ISO/IEC 80001 Medical IT Network Risk Management ----
3311
+ this.register('iso80001_key_property_safety', configFlag('governance-runtime', 'keyPropertySafetyTrackingRequired', 'ISO/IEC 80001-1:2021 §4.2.1 — KEY PROPERTY SAFETY: no patient harm from network-mediated failure; CRITICAL immediate escalation on impact; ISO 14971 probability × severity risk estimation'));
3312
+ this.register('iso80001_key_property_effectiveness', configFlag('governance-runtime', 'keyPropertyEffectivenessTrackingRequired', 'ISO/IEC 80001-1:2021 §4.2.2 — KEY PROPERTY EFFECTIVENESS: medical purpose still achieved; network performance vs device manufacturer specs; HIGH escalation on degradation'));
3313
+ this.register('iso80001_key_property_security', configFlag('governance-runtime', 'keyPropertySecurityTrackingRequired', 'ISO/IEC 80001-1:2021 §4.2.3 — KEY PROPERTY DATA+SYSTEM SECURITY: integrity + availability + confidentiality; SIEM integration; rogue device detection; CRITICAL on cybersecurity event'));
3314
+ this.register('iso80001_medical_it_network_risk_manager', configFlag('governance-runtime', 'designatedMedicalItNetworkRiskManagerRequired', 'ISO/IEC 80001-1:2021 §5 — Designated MITN-RM: named individual + documented authority over change management + Responsibility Agreement authority + 24/7 escalation availability'));
3315
+ this.register('iso80001_responsibility_agreements', configFlag('governance-runtime', 'responsibilityAgreementsRequired', 'ISO/IEC 80001-1:2021 §6 — Responsibility Agreements: RO + device manufacturer + IT operator; security capabilities obligations; change notification; incident notification; annual review'));
3316
+ this.register('iso80001_risk_management_process', configFlag('governance-runtime', 'iso14971AlignmentRequired', 'ISO/IEC 80001-2-1:2012 — Step-by-step risk management: hazard identification + risk estimation + control + residual risk acceptance + ISO 14971 alignment per §4.4'));
3317
+ this.register('iso80001_medical_device_inventory', configFlag('governance-runtime', 'medicalDeviceInventoryRequired', 'ISO/IEC 80001-1:2021 §7 — Medical device inventory: device ID + network ID + clinical context + risk assessment status + Responsibility Agreement reference; updated within 24h'));
3318
+ this.register('iso80001_network_change_management', configFlag('governance-runtime', 'networkChangeManagementApprovalRequired', 'ISO/IEC 80001-1:2021 §8 — Network change management: mandatory pre-change risk assessment, MITN-RM approval gate, NO unilateral changes, post-change key property verification'));
3319
+ this.register('iso80001_incident_management', configFlag('governance-runtime', 'keyPropertyImpactImmediateEscalationRequired', 'ISO/IEC 80001-1:2021 §9 — Incident management: SAFETY CRITICAL immediate escalation, manufacturer notification, 72h regulatory notification, root cause + corrective action + MITN-RM + PSO attestation'));
3320
+ this.register('iso80001_monitoring_event_handling', configFlag('governance-runtime', 'monitoringAndEventHandlingActive', 'ISO/IEC 80001-1:2021 §9 + 80001-2-2 §6 — Monitoring: continuous three KEY PROPERTIES monitoring; SIEM for medical device network; MITN-RM monthly review; coverage verified at each change cycle'));
3321
+ this.register('iso80001_security_capabilities', configFlag('governance-runtime', 'keyPropertySecurityTrackingRequired', 'ISO/IEC 80001-2-2 — Security capabilities: MDS2/SECURE template per device from manufacturer; version tracked vs device software; security gap risk management; annual review'));
3322
+ this.register('iso80001_wireless_network_controls', configFlag('governance-runtime', 'keyPropertyEffectivenessTrackingRequired', 'ISO/IEC 80001-2-3 — Wireless networks: RF site survey; medical SSID/VLAN; WPA3-Enterprise; 802.11e/WMM QoS; roaming performance; interference management; change management required'));
3323
+ this.register('iso80001_distributed_alarm_systems', configFlag('governance-runtime', 'keyPropertySafetyTrackingRequired', 'ISO/IEC 80001-2-5 — Distributed alarm systems: alarm delivery risk assessment; redundancy; end-to-end testing; alarm delivery failure = SAFETY KEY PROPERTY IMPACT CRITICAL block'));
3324
+ this.register('iso80001_iso14971_alignment', configFlag('governance-runtime', 'iso14971AlignmentRequired', 'ISO/IEC 80001-1:2021 §4.4 — ISO 14971 alignment: network-mediated risks linked to device-intrinsic risk files; probability × severity framework; risk/benefit consistent; annual review'));
3325
+ this.register('behavioralValidator_iso80001_key_property_impact_detected', runBehavioralCheck('iso-iec-80001', 'KEY_PROPERTY_IMPACT_EVENT', 'key_property_impact event detected on medical IT network: MITN-RM escalation required', 'BLOCK'));
3326
+ }
3327
+ }
3328
+ /**
3329
+ * Shared default registry instance. Tests / apps can use this or
3330
+ * construct their own registry for isolated test fixtures.
3331
+ */
3332
+ export const defaultCheckRegistry = (() => {
3333
+ const r = new ComplianceCheckRegistry();
3334
+ r.registerDefaults();
3335
+ return r;
3336
+ })();
3337
+ //# sourceMappingURL=check-registry.js.map