@connexum/ai-governance 1.0.0-beta.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2917) hide show
  1. package/LICENSE.md +78 -0
  2. package/README.md +582 -0
  3. package/dist/adapters/cursor.d.ts +85 -0
  4. package/dist/adapters/cursor.d.ts.map +1 -0
  5. package/dist/adapters/cursor.js +188 -0
  6. package/dist/adapters/cursor.js.map +1 -0
  7. package/dist/adapters/index.d.ts +250 -0
  8. package/dist/adapters/index.d.ts.map +1 -0
  9. package/dist/adapters/index.js +377 -0
  10. package/dist/adapters/index.js.map +1 -0
  11. package/dist/agents/compliance-agent-templates/dora.d.ts +53 -0
  12. package/dist/agents/compliance-agent-templates/dora.d.ts.map +1 -0
  13. package/dist/agents/compliance-agent-templates/dora.js +947 -0
  14. package/dist/agents/compliance-agent-templates/dora.js.map +1 -0
  15. package/dist/agents/compliance-agent-templates/eu-ai-act.d.ts +27 -0
  16. package/dist/agents/compliance-agent-templates/eu-ai-act.d.ts.map +1 -0
  17. package/dist/agents/compliance-agent-templates/eu-ai-act.js +721 -0
  18. package/dist/agents/compliance-agent-templates/eu-ai-act.js.map +1 -0
  19. package/dist/agents/compliance-agent-templates/gdpr.d.ts +25 -0
  20. package/dist/agents/compliance-agent-templates/gdpr.d.ts.map +1 -0
  21. package/dist/agents/compliance-agent-templates/gdpr.js +688 -0
  22. package/dist/agents/compliance-agent-templates/gdpr.js.map +1 -0
  23. package/dist/agents/compliance-agent-templates/hipaa.d.ts +23 -0
  24. package/dist/agents/compliance-agent-templates/hipaa.d.ts.map +1 -0
  25. package/dist/agents/compliance-agent-templates/hipaa.js +640 -0
  26. package/dist/agents/compliance-agent-templates/hipaa.js.map +1 -0
  27. package/dist/agents/compliance-agent-templates/iso27001.d.ts +30 -0
  28. package/dist/agents/compliance-agent-templates/iso27001.d.ts.map +1 -0
  29. package/dist/agents/compliance-agent-templates/iso27001.js +805 -0
  30. package/dist/agents/compliance-agent-templates/iso27001.js.map +1 -0
  31. package/dist/agents/compliance-agent-templates/iso42001.d.ts +42 -0
  32. package/dist/agents/compliance-agent-templates/iso42001.d.ts.map +1 -0
  33. package/dist/agents/compliance-agent-templates/iso42001.js +898 -0
  34. package/dist/agents/compliance-agent-templates/iso42001.js.map +1 -0
  35. package/dist/agents/compliance-agent-templates/nist-ai-rmf.d.ts +37 -0
  36. package/dist/agents/compliance-agent-templates/nist-ai-rmf.d.ts.map +1 -0
  37. package/dist/agents/compliance-agent-templates/nist-ai-rmf.js +819 -0
  38. package/dist/agents/compliance-agent-templates/nist-ai-rmf.js.map +1 -0
  39. package/dist/agents/compliance-agent-templates/pci-dss.d.ts +25 -0
  40. package/dist/agents/compliance-agent-templates/pci-dss.d.ts.map +1 -0
  41. package/dist/agents/compliance-agent-templates/pci-dss.js +658 -0
  42. package/dist/agents/compliance-agent-templates/pci-dss.js.map +1 -0
  43. package/dist/agents/compliance-agent-templates/soc2.d.ts +24 -0
  44. package/dist/agents/compliance-agent-templates/soc2.d.ts.map +1 -0
  45. package/dist/agents/compliance-agent-templates/soc2.js +643 -0
  46. package/dist/agents/compliance-agent-templates/soc2.js.map +1 -0
  47. package/dist/agents/compliance-agent-templates/types.d.ts +93 -0
  48. package/dist/agents/compliance-agent-templates/types.d.ts.map +1 -0
  49. package/dist/agents/compliance-agent-templates/types.js +34 -0
  50. package/dist/agents/compliance-agent-templates/types.js.map +1 -0
  51. package/dist/audit/audit-integrity.d.ts +88 -0
  52. package/dist/audit/audit-integrity.d.ts.map +1 -0
  53. package/dist/audit/audit-integrity.js +284 -0
  54. package/dist/audit/audit-integrity.js.map +1 -0
  55. package/dist/audit/chain-tamper-detector.d.ts +115 -0
  56. package/dist/audit/chain-tamper-detector.d.ts.map +1 -0
  57. package/dist/audit/chain-tamper-detector.js +256 -0
  58. package/dist/audit/chain-tamper-detector.js.map +1 -0
  59. package/dist/audit/compliance-reporter.d.ts +91 -0
  60. package/dist/audit/compliance-reporter.d.ts.map +1 -0
  61. package/dist/audit/compliance-reporter.js +471 -0
  62. package/dist/audit/compliance-reporter.js.map +1 -0
  63. package/dist/audit/destinations/custom-webhook.d.ts +189 -0
  64. package/dist/audit/destinations/custom-webhook.d.ts.map +1 -0
  65. package/dist/audit/destinations/custom-webhook.js +477 -0
  66. package/dist/audit/destinations/custom-webhook.js.map +1 -0
  67. package/dist/audit/destinations/datadog-logs.d.ts +241 -0
  68. package/dist/audit/destinations/datadog-logs.d.ts.map +1 -0
  69. package/dist/audit/destinations/datadog-logs.js +576 -0
  70. package/dist/audit/destinations/datadog-logs.js.map +1 -0
  71. package/dist/audit/destinations/sentinel.d.ts +336 -0
  72. package/dist/audit/destinations/sentinel.d.ts.map +1 -0
  73. package/dist/audit/destinations/sentinel.js +927 -0
  74. package/dist/audit/destinations/sentinel.js.map +1 -0
  75. package/dist/audit/destinations/sumo-logic.d.ts +227 -0
  76. package/dist/audit/destinations/sumo-logic.d.ts.map +1 -0
  77. package/dist/audit/destinations/sumo-logic.js +572 -0
  78. package/dist/audit/destinations/sumo-logic.js.map +1 -0
  79. package/dist/audit/event-bus.d.ts +79 -0
  80. package/dist/audit/event-bus.d.ts.map +1 -0
  81. package/dist/audit/event-bus.js +256 -0
  82. package/dist/audit/event-bus.js.map +1 -0
  83. package/dist/audit/narrative-generator.d.ts +91 -0
  84. package/dist/audit/narrative-generator.d.ts.map +1 -0
  85. package/dist/audit/narrative-generator.js +538 -0
  86. package/dist/audit/narrative-generator.js.map +1 -0
  87. package/dist/audit/narrative-types.d.ts +274 -0
  88. package/dist/audit/narrative-types.d.ts.map +1 -0
  89. package/dist/audit/narrative-types.js +115 -0
  90. package/dist/audit/narrative-types.js.map +1 -0
  91. package/dist/audit/provenance-signer.d.ts +158 -0
  92. package/dist/audit/provenance-signer.d.ts.map +1 -0
  93. package/dist/audit/provenance-signer.js +315 -0
  94. package/dist/audit/provenance-signer.js.map +1 -0
  95. package/dist/audit/redis-event-bus.d.ts +103 -0
  96. package/dist/audit/redis-event-bus.d.ts.map +1 -0
  97. package/dist/audit/redis-event-bus.js +310 -0
  98. package/dist/audit/redis-event-bus.js.map +1 -0
  99. package/dist/audit/report-templates/disclosure-accounting.d.ts +131 -0
  100. package/dist/audit/report-templates/disclosure-accounting.d.ts.map +1 -0
  101. package/dist/audit/report-templates/disclosure-accounting.js +195 -0
  102. package/dist/audit/report-templates/disclosure-accounting.js.map +1 -0
  103. package/dist/audit/report-templates/dora-ict-major-incident.d.ts +39 -0
  104. package/dist/audit/report-templates/dora-ict-major-incident.d.ts.map +1 -0
  105. package/dist/audit/report-templates/dora-ict-major-incident.js +227 -0
  106. package/dist/audit/report-templates/dora-ict-major-incident.js.map +1 -0
  107. package/dist/audit/report-templates/eu-ai-act-annex-iv.d.ts +38 -0
  108. package/dist/audit/report-templates/eu-ai-act-annex-iv.d.ts.map +1 -0
  109. package/dist/audit/report-templates/eu-ai-act-annex-iv.js +267 -0
  110. package/dist/audit/report-templates/eu-ai-act-annex-iv.js.map +1 -0
  111. package/dist/audit/report-templates/gdpr-data-subject-rights.d.ts +37 -0
  112. package/dist/audit/report-templates/gdpr-data-subject-rights.d.ts.map +1 -0
  113. package/dist/audit/report-templates/gdpr-data-subject-rights.js +235 -0
  114. package/dist/audit/report-templates/gdpr-data-subject-rights.js.map +1 -0
  115. package/dist/audit/report-templates/hipaa-breach-notification.d.ts +27 -0
  116. package/dist/audit/report-templates/hipaa-breach-notification.d.ts.map +1 -0
  117. package/dist/audit/report-templates/hipaa-breach-notification.js +197 -0
  118. package/dist/audit/report-templates/hipaa-breach-notification.js.map +1 -0
  119. package/dist/audit/report-templates/hipaa-security-incident.d.ts +28 -0
  120. package/dist/audit/report-templates/hipaa-security-incident.d.ts.map +1 -0
  121. package/dist/audit/report-templates/hipaa-security-incident.js +172 -0
  122. package/dist/audit/report-templates/hipaa-security-incident.js.map +1 -0
  123. package/dist/audit/report-templates/index.d.ts +86 -0
  124. package/dist/audit/report-templates/index.d.ts.map +1 -0
  125. package/dist/audit/report-templates/index.js +114 -0
  126. package/dist/audit/report-templates/index.js.map +1 -0
  127. package/dist/audit/report-templates/iso-42001-ams.d.ts +36 -0
  128. package/dist/audit/report-templates/iso-42001-ams.d.ts.map +1 -0
  129. package/dist/audit/report-templates/iso-42001-ams.js +262 -0
  130. package/dist/audit/report-templates/iso-42001-ams.js.map +1 -0
  131. package/dist/audit/report-templates/pci-dss-annual-attestation.d.ts +33 -0
  132. package/dist/audit/report-templates/pci-dss-annual-attestation.d.ts.map +1 -0
  133. package/dist/audit/report-templates/pci-dss-annual-attestation.js +211 -0
  134. package/dist/audit/report-templates/pci-dss-annual-attestation.js.map +1 -0
  135. package/dist/audit/report-templates/prompts/base.d.ts +94 -0
  136. package/dist/audit/report-templates/prompts/base.d.ts.map +1 -0
  137. package/dist/audit/report-templates/prompts/base.js +197 -0
  138. package/dist/audit/report-templates/prompts/base.js.map +1 -0
  139. package/dist/audit/report-templates/prompts/dora.d.ts +19 -0
  140. package/dist/audit/report-templates/prompts/dora.d.ts.map +1 -0
  141. package/dist/audit/report-templates/prompts/dora.js +121 -0
  142. package/dist/audit/report-templates/prompts/dora.js.map +1 -0
  143. package/dist/audit/report-templates/prompts/euaiact.d.ts +20 -0
  144. package/dist/audit/report-templates/prompts/euaiact.d.ts.map +1 -0
  145. package/dist/audit/report-templates/prompts/euaiact.js +126 -0
  146. package/dist/audit/report-templates/prompts/euaiact.js.map +1 -0
  147. package/dist/audit/report-templates/prompts/gdpr.d.ts +20 -0
  148. package/dist/audit/report-templates/prompts/gdpr.d.ts.map +1 -0
  149. package/dist/audit/report-templates/prompts/gdpr.js +126 -0
  150. package/dist/audit/report-templates/prompts/gdpr.js.map +1 -0
  151. package/dist/audit/report-templates/prompts/hipaa.d.ts +32 -0
  152. package/dist/audit/report-templates/prompts/hipaa.d.ts.map +1 -0
  153. package/dist/audit/report-templates/prompts/hipaa.js +98 -0
  154. package/dist/audit/report-templates/prompts/hipaa.js.map +1 -0
  155. package/dist/audit/report-templates/prompts/hitech.d.ts +20 -0
  156. package/dist/audit/report-templates/prompts/hitech.d.ts.map +1 -0
  157. package/dist/audit/report-templates/prompts/hitech.js +114 -0
  158. package/dist/audit/report-templates/prompts/hitech.js.map +1 -0
  159. package/dist/audit/report-templates/prompts/index.d.ts +24 -0
  160. package/dist/audit/report-templates/prompts/index.d.ts.map +1 -0
  161. package/dist/audit/report-templates/prompts/index.js +54 -0
  162. package/dist/audit/report-templates/prompts/index.js.map +1 -0
  163. package/dist/audit/report-templates/prompts/iso27001.d.ts +19 -0
  164. package/dist/audit/report-templates/prompts/iso27001.d.ts.map +1 -0
  165. package/dist/audit/report-templates/prompts/iso27001.js +110 -0
  166. package/dist/audit/report-templates/prompts/iso27001.js.map +1 -0
  167. package/dist/audit/report-templates/prompts/pcidss.d.ts +19 -0
  168. package/dist/audit/report-templates/prompts/pcidss.d.ts.map +1 -0
  169. package/dist/audit/report-templates/prompts/pcidss.js +111 -0
  170. package/dist/audit/report-templates/prompts/pcidss.js.map +1 -0
  171. package/dist/audit/report-templates/prompts/soc2.d.ts +19 -0
  172. package/dist/audit/report-templates/prompts/soc2.d.ts.map +1 -0
  173. package/dist/audit/report-templates/prompts/soc2.js +117 -0
  174. package/dist/audit/report-templates/prompts/soc2.js.map +1 -0
  175. package/dist/audit/report-templates/soc2-type-ii.d.ts +23 -0
  176. package/dist/audit/report-templates/soc2-type-ii.d.ts.map +1 -0
  177. package/dist/audit/report-templates/soc2-type-ii.js +187 -0
  178. package/dist/audit/report-templates/soc2-type-ii.js.map +1 -0
  179. package/dist/audit/reporting-exports.d.ts +20 -0
  180. package/dist/audit/reporting-exports.d.ts.map +1 -0
  181. package/dist/audit/reporting-exports.js +39 -0
  182. package/dist/audit/reporting-exports.js.map +1 -0
  183. package/dist/audit/webhook-delivery.d.ts +119 -0
  184. package/dist/audit/webhook-delivery.d.ts.map +1 -0
  185. package/dist/audit/webhook-delivery.js +381 -0
  186. package/dist/audit/webhook-delivery.js.map +1 -0
  187. package/dist/audit-bots/dora.d.ts +59 -0
  188. package/dist/audit-bots/dora.d.ts.map +1 -0
  189. package/dist/audit-bots/dora.js +417 -0
  190. package/dist/audit-bots/dora.js.map +1 -0
  191. package/dist/audit-bots/euaiact.d.ts +56 -0
  192. package/dist/audit-bots/euaiact.d.ts.map +1 -0
  193. package/dist/audit-bots/euaiact.js +372 -0
  194. package/dist/audit-bots/euaiact.js.map +1 -0
  195. package/dist/audit-bots/evidence.d.ts +60 -0
  196. package/dist/audit-bots/evidence.d.ts.map +1 -0
  197. package/dist/audit-bots/evidence.js +190 -0
  198. package/dist/audit-bots/evidence.js.map +1 -0
  199. package/dist/audit-bots/gdpr.d.ts +40 -0
  200. package/dist/audit-bots/gdpr.d.ts.map +1 -0
  201. package/dist/audit-bots/gdpr.js +271 -0
  202. package/dist/audit-bots/gdpr.js.map +1 -0
  203. package/dist/audit-bots/hipaa.d.ts +38 -0
  204. package/dist/audit-bots/hipaa.d.ts.map +1 -0
  205. package/dist/audit-bots/hipaa.js +236 -0
  206. package/dist/audit-bots/hipaa.js.map +1 -0
  207. package/dist/audit-bots/iso27001.d.ts +61 -0
  208. package/dist/audit-bots/iso27001.d.ts.map +1 -0
  209. package/dist/audit-bots/iso27001.js +448 -0
  210. package/dist/audit-bots/iso27001.js.map +1 -0
  211. package/dist/audit-bots/iso42001.d.ts +59 -0
  212. package/dist/audit-bots/iso42001.d.ts.map +1 -0
  213. package/dist/audit-bots/iso42001.js +450 -0
  214. package/dist/audit-bots/iso42001.js.map +1 -0
  215. package/dist/audit-bots/nist-ai-rmf.d.ts +62 -0
  216. package/dist/audit-bots/nist-ai-rmf.d.ts.map +1 -0
  217. package/dist/audit-bots/nist-ai-rmf.js +467 -0
  218. package/dist/audit-bots/nist-ai-rmf.js.map +1 -0
  219. package/dist/audit-bots/pcidss.d.ts +57 -0
  220. package/dist/audit-bots/pcidss.d.ts.map +1 -0
  221. package/dist/audit-bots/pcidss.js +399 -0
  222. package/dist/audit-bots/pcidss.js.map +1 -0
  223. package/dist/audit-bots/scheduler.d.ts +111 -0
  224. package/dist/audit-bots/scheduler.d.ts.map +1 -0
  225. package/dist/audit-bots/scheduler.js +175 -0
  226. package/dist/audit-bots/scheduler.js.map +1 -0
  227. package/dist/audit-bots/soc1.d.ts +67 -0
  228. package/dist/audit-bots/soc1.d.ts.map +1 -0
  229. package/dist/audit-bots/soc1.js +491 -0
  230. package/dist/audit-bots/soc1.js.map +1 -0
  231. package/dist/audit-bots/soc2.d.ts +41 -0
  232. package/dist/audit-bots/soc2.d.ts.map +1 -0
  233. package/dist/audit-bots/soc2.js +352 -0
  234. package/dist/audit-bots/soc2.js.map +1 -0
  235. package/dist/classification/pack-driven-classifier.d.ts +409 -0
  236. package/dist/classification/pack-driven-classifier.d.ts.map +1 -0
  237. package/dist/classification/pack-driven-classifier.js +565 -0
  238. package/dist/classification/pack-driven-classifier.js.map +1 -0
  239. package/dist/cli/agent-dir-scanner.d.ts +35 -0
  240. package/dist/cli/agent-dir-scanner.d.ts.map +1 -0
  241. package/dist/cli/agent-dir-scanner.js +269 -0
  242. package/dist/cli/agent-dir-scanner.js.map +1 -0
  243. package/dist/cli/agent-signatures.d.ts +28 -0
  244. package/dist/cli/agent-signatures.d.ts.map +1 -0
  245. package/dist/cli/agent-signatures.js +241 -0
  246. package/dist/cli/agent-signatures.js.map +1 -0
  247. package/dist/cli/audit-chain-append.d.ts +47 -0
  248. package/dist/cli/audit-chain-append.d.ts.map +1 -0
  249. package/dist/cli/audit-chain-append.js +277 -0
  250. package/dist/cli/audit-chain-append.js.map +1 -0
  251. package/dist/cli/discover.d.ts +24 -0
  252. package/dist/cli/discover.d.ts.map +1 -0
  253. package/dist/cli/discover.js +179 -0
  254. package/dist/cli/discover.js.map +1 -0
  255. package/dist/cli/discover.test.d.ts +12 -0
  256. package/dist/cli/discover.test.d.ts.map +1 -0
  257. package/dist/cli/discover.test.js +192 -0
  258. package/dist/cli/discover.test.js.map +1 -0
  259. package/dist/cli/index.d.ts +201 -0
  260. package/dist/cli/index.d.ts.map +1 -0
  261. package/dist/cli/index.js +2130 -0
  262. package/dist/cli/index.js.map +1 -0
  263. package/dist/cli/pack-enforcement-bridge.d.ts +39 -0
  264. package/dist/cli/pack-enforcement-bridge.d.ts.map +1 -0
  265. package/dist/cli/pack-enforcement-bridge.js +211 -0
  266. package/dist/cli/pack-enforcement-bridge.js.map +1 -0
  267. package/dist/cli/packs.d.ts +22 -0
  268. package/dist/cli/packs.d.ts.map +1 -0
  269. package/dist/cli/packs.js +299 -0
  270. package/dist/cli/packs.js.map +1 -0
  271. package/dist/cli/preflight-report.d.ts +51 -0
  272. package/dist/cli/preflight-report.d.ts.map +1 -0
  273. package/dist/cli/preflight-report.js +143 -0
  274. package/dist/cli/preflight-report.js.map +1 -0
  275. package/dist/cli/preflight.d.ts +57 -0
  276. package/dist/cli/preflight.d.ts.map +1 -0
  277. package/dist/cli/preflight.js +375 -0
  278. package/dist/cli/preflight.js.map +1 -0
  279. package/dist/cli/shim-templates/python-anthropic.template.py.txt +54 -0
  280. package/dist/cli/shim-templates/python-bedrock.template.py.txt +55 -0
  281. package/dist/cli/shim-templates/python-google.template.py.txt +55 -0
  282. package/dist/cli/shim-templates/python-huggingface.template.py.txt +142 -0
  283. package/dist/cli/shim-templates/python-langchain-anthropic.template.py.txt +61 -0
  284. package/dist/cli/shim-templates/python-langchain-openai.template.py.txt +66 -0
  285. package/dist/cli/shim-templates/python-ollama.template.py.txt +75 -0
  286. package/dist/cli/shim-templates/python-openai.template.py.txt +54 -0
  287. package/dist/cli/shim-templates/typescript-anthropic.template.ts.txt +25 -0
  288. package/dist/cli/shim-templates/typescript-google.template.ts.txt +25 -0
  289. package/dist/cli/shim-templates/typescript-openai.template.ts.txt +25 -0
  290. package/dist/cli/wrap-shim-generator.d.ts +65 -0
  291. package/dist/cli/wrap-shim-generator.d.ts.map +1 -0
  292. package/dist/cli/wrap-shim-generator.js +245 -0
  293. package/dist/cli/wrap-shim-generator.js.map +1 -0
  294. package/dist/dashboard/api.d.ts +157 -0
  295. package/dist/dashboard/api.d.ts.map +1 -0
  296. package/dist/dashboard/api.js +347 -0
  297. package/dist/dashboard/api.js.map +1 -0
  298. package/dist/dashboard/theme.d.ts +80 -0
  299. package/dist/dashboard/theme.d.ts.map +1 -0
  300. package/dist/dashboard/theme.js +172 -0
  301. package/dist/dashboard/theme.js.map +1 -0
  302. package/dist/errors/index.d.ts +46 -0
  303. package/dist/errors/index.d.ts.map +1 -0
  304. package/dist/errors/index.js +93 -0
  305. package/dist/errors/index.js.map +1 -0
  306. package/dist/esm/adapters/cursor.js +184 -0
  307. package/dist/esm/adapters/cursor.js.map +1 -0
  308. package/dist/esm/adapters/index.js +335 -0
  309. package/dist/esm/adapters/index.js.map +1 -0
  310. package/dist/esm/agents/compliance-agent-templates/dora.js +943 -0
  311. package/dist/esm/agents/compliance-agent-templates/dora.js.map +1 -0
  312. package/dist/esm/agents/compliance-agent-templates/eu-ai-act.js +717 -0
  313. package/dist/esm/agents/compliance-agent-templates/eu-ai-act.js.map +1 -0
  314. package/dist/esm/agents/compliance-agent-templates/gdpr.js +684 -0
  315. package/dist/esm/agents/compliance-agent-templates/gdpr.js.map +1 -0
  316. package/dist/esm/agents/compliance-agent-templates/hipaa.js +636 -0
  317. package/dist/esm/agents/compliance-agent-templates/hipaa.js.map +1 -0
  318. package/dist/esm/agents/compliance-agent-templates/iso27001.js +801 -0
  319. package/dist/esm/agents/compliance-agent-templates/iso27001.js.map +1 -0
  320. package/dist/esm/agents/compliance-agent-templates/iso42001.js +894 -0
  321. package/dist/esm/agents/compliance-agent-templates/iso42001.js.map +1 -0
  322. package/dist/esm/agents/compliance-agent-templates/nist-ai-rmf.js +815 -0
  323. package/dist/esm/agents/compliance-agent-templates/nist-ai-rmf.js.map +1 -0
  324. package/dist/esm/agents/compliance-agent-templates/pci-dss.js +654 -0
  325. package/dist/esm/agents/compliance-agent-templates/pci-dss.js.map +1 -0
  326. package/dist/esm/agents/compliance-agent-templates/soc2.js +639 -0
  327. package/dist/esm/agents/compliance-agent-templates/soc2.js.map +1 -0
  328. package/dist/esm/agents/compliance-agent-templates/types.js +33 -0
  329. package/dist/esm/agents/compliance-agent-templates/types.js.map +1 -0
  330. package/dist/esm/audit/audit-integrity.js +247 -0
  331. package/dist/esm/audit/audit-integrity.js.map +1 -0
  332. package/dist/esm/audit/chain-tamper-detector.js +217 -0
  333. package/dist/esm/audit/chain-tamper-detector.js.map +1 -0
  334. package/dist/esm/audit/compliance-reporter.js +434 -0
  335. package/dist/esm/audit/compliance-reporter.js.map +1 -0
  336. package/dist/esm/audit/destinations/custom-webhook.js +436 -0
  337. package/dist/esm/audit/destinations/custom-webhook.js.map +1 -0
  338. package/dist/esm/audit/destinations/datadog-logs.js +533 -0
  339. package/dist/esm/audit/destinations/datadog-logs.js.map +1 -0
  340. package/dist/esm/audit/destinations/sentinel.js +881 -0
  341. package/dist/esm/audit/destinations/sentinel.js.map +1 -0
  342. package/dist/esm/audit/destinations/sumo-logic.js +529 -0
  343. package/dist/esm/audit/destinations/sumo-logic.js.map +1 -0
  344. package/dist/esm/audit/event-bus.js +219 -0
  345. package/dist/esm/audit/event-bus.js.map +1 -0
  346. package/dist/esm/audit/narrative-generator.js +498 -0
  347. package/dist/esm/audit/narrative-generator.js.map +1 -0
  348. package/dist/esm/audit/narrative-types.js +108 -0
  349. package/dist/esm/audit/narrative-types.js.map +1 -0
  350. package/dist/esm/audit/provenance-signer.js +273 -0
  351. package/dist/esm/audit/provenance-signer.js.map +1 -0
  352. package/dist/esm/audit/redis-event-bus.js +272 -0
  353. package/dist/esm/audit/redis-event-bus.js.map +1 -0
  354. package/dist/esm/audit/report-templates/disclosure-accounting.js +191 -0
  355. package/dist/esm/audit/report-templates/disclosure-accounting.js.map +1 -0
  356. package/dist/esm/audit/report-templates/dora-ict-major-incident.js +224 -0
  357. package/dist/esm/audit/report-templates/dora-ict-major-incident.js.map +1 -0
  358. package/dist/esm/audit/report-templates/eu-ai-act-annex-iv.js +264 -0
  359. package/dist/esm/audit/report-templates/eu-ai-act-annex-iv.js.map +1 -0
  360. package/dist/esm/audit/report-templates/gdpr-data-subject-rights.js +232 -0
  361. package/dist/esm/audit/report-templates/gdpr-data-subject-rights.js.map +1 -0
  362. package/dist/esm/audit/report-templates/hipaa-breach-notification.js +194 -0
  363. package/dist/esm/audit/report-templates/hipaa-breach-notification.js.map +1 -0
  364. package/dist/esm/audit/report-templates/hipaa-security-incident.js +169 -0
  365. package/dist/esm/audit/report-templates/hipaa-security-incident.js.map +1 -0
  366. package/dist/esm/audit/report-templates/index.js +93 -0
  367. package/dist/esm/audit/report-templates/index.js.map +1 -0
  368. package/dist/esm/audit/report-templates/iso-42001-ams.js +259 -0
  369. package/dist/esm/audit/report-templates/iso-42001-ams.js.map +1 -0
  370. package/dist/esm/audit/report-templates/pci-dss-annual-attestation.js +208 -0
  371. package/dist/esm/audit/report-templates/pci-dss-annual-attestation.js.map +1 -0
  372. package/dist/esm/audit/report-templates/prompts/base.js +189 -0
  373. package/dist/esm/audit/report-templates/prompts/base.js.map +1 -0
  374. package/dist/esm/audit/report-templates/prompts/dora.js +118 -0
  375. package/dist/esm/audit/report-templates/prompts/dora.js.map +1 -0
  376. package/dist/esm/audit/report-templates/prompts/euaiact.js +123 -0
  377. package/dist/esm/audit/report-templates/prompts/euaiact.js.map +1 -0
  378. package/dist/esm/audit/report-templates/prompts/gdpr.js +123 -0
  379. package/dist/esm/audit/report-templates/prompts/gdpr.js.map +1 -0
  380. package/dist/esm/audit/report-templates/prompts/hipaa.js +95 -0
  381. package/dist/esm/audit/report-templates/prompts/hipaa.js.map +1 -0
  382. package/dist/esm/audit/report-templates/prompts/hitech.js +111 -0
  383. package/dist/esm/audit/report-templates/prompts/hitech.js.map +1 -0
  384. package/dist/esm/audit/report-templates/prompts/index.js +43 -0
  385. package/dist/esm/audit/report-templates/prompts/index.js.map +1 -0
  386. package/dist/esm/audit/report-templates/prompts/iso27001.js +107 -0
  387. package/dist/esm/audit/report-templates/prompts/iso27001.js.map +1 -0
  388. package/dist/esm/audit/report-templates/prompts/pcidss.js +108 -0
  389. package/dist/esm/audit/report-templates/prompts/pcidss.js.map +1 -0
  390. package/dist/esm/audit/report-templates/prompts/soc2.js +114 -0
  391. package/dist/esm/audit/report-templates/prompts/soc2.js.map +1 -0
  392. package/dist/esm/audit/report-templates/soc2-type-ii.js +184 -0
  393. package/dist/esm/audit/report-templates/soc2-type-ii.js.map +1 -0
  394. package/dist/esm/audit/reporting-exports.js +19 -0
  395. package/dist/esm/audit/reporting-exports.js.map +1 -0
  396. package/dist/esm/audit/webhook-delivery.js +344 -0
  397. package/dist/esm/audit/webhook-delivery.js.map +1 -0
  398. package/dist/esm/audit-bots/dora.js +379 -0
  399. package/dist/esm/audit-bots/dora.js.map +1 -0
  400. package/dist/esm/audit-bots/euaiact.js +334 -0
  401. package/dist/esm/audit-bots/euaiact.js.map +1 -0
  402. package/dist/esm/audit-bots/evidence.js +153 -0
  403. package/dist/esm/audit-bots/evidence.js.map +1 -0
  404. package/dist/esm/audit-bots/gdpr.js +234 -0
  405. package/dist/esm/audit-bots/gdpr.js.map +1 -0
  406. package/dist/esm/audit-bots/hipaa.js +199 -0
  407. package/dist/esm/audit-bots/hipaa.js.map +1 -0
  408. package/dist/esm/audit-bots/iso27001.js +410 -0
  409. package/dist/esm/audit-bots/iso27001.js.map +1 -0
  410. package/dist/esm/audit-bots/iso42001.js +412 -0
  411. package/dist/esm/audit-bots/iso42001.js.map +1 -0
  412. package/dist/esm/audit-bots/nist-ai-rmf.js +429 -0
  413. package/dist/esm/audit-bots/nist-ai-rmf.js.map +1 -0
  414. package/dist/esm/audit-bots/pcidss.js +361 -0
  415. package/dist/esm/audit-bots/pcidss.js.map +1 -0
  416. package/dist/esm/audit-bots/scheduler.js +137 -0
  417. package/dist/esm/audit-bots/scheduler.js.map +1 -0
  418. package/dist/esm/audit-bots/soc1.js +453 -0
  419. package/dist/esm/audit-bots/soc1.js.map +1 -0
  420. package/dist/esm/audit-bots/soc2.js +315 -0
  421. package/dist/esm/audit-bots/soc2.js.map +1 -0
  422. package/dist/esm/classification/pack-driven-classifier.js +525 -0
  423. package/dist/esm/classification/pack-driven-classifier.js.map +1 -0
  424. package/dist/esm/cli/agent-dir-scanner.js +233 -0
  425. package/dist/esm/cli/agent-dir-scanner.js.map +1 -0
  426. package/dist/esm/cli/agent-signatures.js +238 -0
  427. package/dist/esm/cli/agent-signatures.js.map +1 -0
  428. package/dist/esm/cli/audit-chain-append.js +242 -0
  429. package/dist/esm/cli/audit-chain-append.js.map +1 -0
  430. package/dist/esm/cli/discover.js +143 -0
  431. package/dist/esm/cli/discover.js.map +1 -0
  432. package/dist/esm/cli/discover.test.js +157 -0
  433. package/dist/esm/cli/discover.test.js.map +1 -0
  434. package/dist/esm/cli/index.js +2083 -0
  435. package/dist/esm/cli/index.js.map +1 -0
  436. package/dist/esm/cli/pack-enforcement-bridge.js +176 -0
  437. package/dist/esm/cli/pack-enforcement-bridge.js.map +1 -0
  438. package/dist/esm/cli/packs.js +263 -0
  439. package/dist/esm/cli/packs.js.map +1 -0
  440. package/dist/esm/cli/preflight-report.js +135 -0
  441. package/dist/esm/cli/preflight-report.js.map +1 -0
  442. package/dist/esm/cli/preflight.js +339 -0
  443. package/dist/esm/cli/preflight.js.map +1 -0
  444. package/dist/esm/cli/wrap-shim-generator.js +205 -0
  445. package/dist/esm/cli/wrap-shim-generator.js.map +1 -0
  446. package/dist/esm/dashboard/api.js +310 -0
  447. package/dist/esm/dashboard/api.js.map +1 -0
  448. package/dist/esm/dashboard/theme.js +135 -0
  449. package/dist/esm/dashboard/theme.js.map +1 -0
  450. package/dist/esm/errors/index.js +84 -0
  451. package/dist/esm/errors/index.js.map +1 -0
  452. package/dist/esm/governance/action-classes.js +171 -0
  453. package/dist/esm/governance/action-classes.js.map +1 -0
  454. package/dist/esm/governance/action-isolation.js +582 -0
  455. package/dist/esm/governance/action-isolation.js.map +1 -0
  456. package/dist/esm/governance/agent-discovery.js +213 -0
  457. package/dist/esm/governance/agent-discovery.js.map +1 -0
  458. package/dist/esm/governance/agent-discovery.test.js +144 -0
  459. package/dist/esm/governance/agent-discovery.test.js.map +1 -0
  460. package/dist/esm/governance/agent-trust-report.js +149 -0
  461. package/dist/esm/governance/agent-trust-report.js.map +1 -0
  462. package/dist/esm/governance/agent-trust-report.test.js +259 -0
  463. package/dist/esm/governance/agent-trust-report.test.js.map +1 -0
  464. package/dist/esm/governance/approval-channel-adapters.js +134 -0
  465. package/dist/esm/governance/approval-channel-adapters.js.map +1 -0
  466. package/dist/esm/governance/approval-channel-adapters.test.js +163 -0
  467. package/dist/esm/governance/approval-channel-adapters.test.js.map +1 -0
  468. package/dist/esm/governance/approval-gate-enforcer.js +405 -0
  469. package/dist/esm/governance/approval-gate-enforcer.js.map +1 -0
  470. package/dist/esm/governance/approval-notifications.js +139 -0
  471. package/dist/esm/governance/approval-notifications.js.map +1 -0
  472. package/dist/esm/governance/approval-notifications.test.js +192 -0
  473. package/dist/esm/governance/approval-notifications.test.js.map +1 -0
  474. package/dist/esm/governance/approval-queue-store.js +112 -0
  475. package/dist/esm/governance/approval-queue-store.js.map +1 -0
  476. package/dist/esm/governance/approval-queue.js +291 -0
  477. package/dist/esm/governance/approval-queue.js.map +1 -0
  478. package/dist/esm/governance/approval-service.js +92 -0
  479. package/dist/esm/governance/approval-service.js.map +1 -0
  480. package/dist/esm/governance/audit-chain-emitter.js +178 -0
  481. package/dist/esm/governance/audit-chain-emitter.js.map +1 -0
  482. package/dist/esm/governance/audit-chain-emitter.test.js +190 -0
  483. package/dist/esm/governance/audit-chain-emitter.test.js.map +1 -0
  484. package/dist/esm/governance/auto-pack-generator.js +67 -0
  485. package/dist/esm/governance/auto-pack-generator.js.map +1 -0
  486. package/dist/esm/governance/auto-pack-generator.test.js +95 -0
  487. package/dist/esm/governance/auto-pack-generator.test.js.map +1 -0
  488. package/dist/esm/governance/autonomy-spectrum.js +652 -0
  489. package/dist/esm/governance/autonomy-spectrum.js.map +1 -0
  490. package/dist/esm/governance/batch-mode-governance.js +603 -0
  491. package/dist/esm/governance/batch-mode-governance.js.map +1 -0
  492. package/dist/esm/governance/bias-monitor.js +273 -0
  493. package/dist/esm/governance/bias-monitor.js.map +1 -0
  494. package/dist/esm/governance/blast-radius-enforcer.js +539 -0
  495. package/dist/esm/governance/blast-radius-enforcer.js.map +1 -0
  496. package/dist/esm/governance/build-structure-score.js +61 -0
  497. package/dist/esm/governance/build-structure-score.js.map +1 -0
  498. package/dist/esm/governance/build-structure-score.test.js +116 -0
  499. package/dist/esm/governance/build-structure-score.test.js.map +1 -0
  500. package/dist/esm/governance/capability-bundle.js +241 -0
  501. package/dist/esm/governance/capability-bundle.js.map +1 -0
  502. package/dist/esm/governance/capability-change-detector.js +701 -0
  503. package/dist/esm/governance/capability-change-detector.js.map +1 -0
  504. package/dist/esm/governance/capability-classes.js +123 -0
  505. package/dist/esm/governance/capability-classes.js.map +1 -0
  506. package/dist/esm/governance/capability-classes.test.js +171 -0
  507. package/dist/esm/governance/capability-classes.test.js.map +1 -0
  508. package/dist/esm/governance/company-pack-builder.js +71 -0
  509. package/dist/esm/governance/company-pack-builder.js.map +1 -0
  510. package/dist/esm/governance/confidence-gate.js +246 -0
  511. package/dist/esm/governance/confidence-gate.js.map +1 -0
  512. package/dist/esm/governance/council.js +268 -0
  513. package/dist/esm/governance/council.js.map +1 -0
  514. package/dist/esm/governance/cross-session-pseudonymizer.js +598 -0
  515. package/dist/esm/governance/cross-session-pseudonymizer.js.map +1 -0
  516. package/dist/esm/governance/cycle-timeout.js +212 -0
  517. package/dist/esm/governance/cycle-timeout.js.map +1 -0
  518. package/dist/esm/governance/cycle-token-budget.js +177 -0
  519. package/dist/esm/governance/cycle-token-budget.js.map +1 -0
  520. package/dist/esm/governance/data-subject-rights.js +455 -0
  521. package/dist/esm/governance/data-subject-rights.js.map +1 -0
  522. package/dist/esm/governance/demo-workspace.js +210 -0
  523. package/dist/esm/governance/demo-workspace.js.map +1 -0
  524. package/dist/esm/governance/demo-workspace.test.js +80 -0
  525. package/dist/esm/governance/demo-workspace.test.js.map +1 -0
  526. package/dist/esm/governance/discovery-cli.js +95 -0
  527. package/dist/esm/governance/discovery-cli.js.map +1 -0
  528. package/dist/esm/governance/discovery-cli.test.js +191 -0
  529. package/dist/esm/governance/discovery-cli.test.js.map +1 -0
  530. package/dist/esm/governance/gateguard.js +265 -0
  531. package/dist/esm/governance/gateguard.js.map +1 -0
  532. package/dist/esm/governance/governance-runtime.js +376 -0
  533. package/dist/esm/governance/governance-runtime.js.map +1 -0
  534. package/dist/esm/governance/hook-install-snippet.js +208 -0
  535. package/dist/esm/governance/hook-install-snippet.js.map +1 -0
  536. package/dist/esm/governance/hook-install-snippet.test.js +95 -0
  537. package/dist/esm/governance/hook-install-snippet.test.js.map +1 -0
  538. package/dist/esm/governance/hook-profile.js +474 -0
  539. package/dist/esm/governance/hook-profile.js.map +1 -0
  540. package/dist/esm/governance/improvement-recommendations.js +165 -0
  541. package/dist/esm/governance/improvement-recommendations.js.map +1 -0
  542. package/dist/esm/governance/improvement-recommendations.test.js +178 -0
  543. package/dist/esm/governance/improvement-recommendations.test.js.map +1 -0
  544. package/dist/esm/governance/incident-notifier.js +488 -0
  545. package/dist/esm/governance/incident-notifier.js.map +1 -0
  546. package/dist/esm/governance/index.js +33 -0
  547. package/dist/esm/governance/index.js.map +1 -0
  548. package/dist/esm/governance/info-action-separation.js +143 -0
  549. package/dist/esm/governance/info-action-separation.js.map +1 -0
  550. package/dist/esm/governance/info-action-separation.test.js +155 -0
  551. package/dist/esm/governance/info-action-separation.test.js.map +1 -0
  552. package/dist/esm/governance/instinct-system.js +351 -0
  553. package/dist/esm/governance/instinct-system.js.map +1 -0
  554. package/dist/esm/governance/insurance-certificate.js +116 -0
  555. package/dist/esm/governance/insurance-certificate.js.map +1 -0
  556. package/dist/esm/governance/insurance-certificate.test.js +205 -0
  557. package/dist/esm/governance/insurance-certificate.test.js.map +1 -0
  558. package/dist/esm/governance/manifest-push-emitter.js +107 -0
  559. package/dist/esm/governance/manifest-push-emitter.js.map +1 -0
  560. package/dist/esm/governance/manifest-push-emitter.test.js +215 -0
  561. package/dist/esm/governance/manifest-push-emitter.test.js.map +1 -0
  562. package/dist/esm/governance/memory/cross-session-memory.js +283 -0
  563. package/dist/esm/governance/memory/cross-session-memory.js.map +1 -0
  564. package/dist/esm/governance/memory/index.js +14 -0
  565. package/dist/esm/governance/memory/index.js.map +1 -0
  566. package/dist/esm/governance/memory/memory-chain.js +183 -0
  567. package/dist/esm/governance/memory/memory-chain.js.map +1 -0
  568. package/dist/esm/governance/memory/retrieval-allowlist.js +172 -0
  569. package/dist/esm/governance/memory/retrieval-allowlist.js.map +1 -0
  570. package/dist/esm/governance/memory/session-memory.js +215 -0
  571. package/dist/esm/governance/memory/session-memory.js.map +1 -0
  572. package/dist/esm/governance/memory-audit-chain.js +361 -0
  573. package/dist/esm/governance/memory-audit-chain.js.map +1 -0
  574. package/dist/esm/governance/memory-integrity.js +267 -0
  575. package/dist/esm/governance/memory-integrity.js.map +1 -0
  576. package/dist/esm/governance/multi-store-deletion-worker.js +263 -0
  577. package/dist/esm/governance/multi-store-deletion-worker.js.map +1 -0
  578. package/dist/esm/governance/multi-tenant.js +273 -0
  579. package/dist/esm/governance/multi-tenant.js.map +1 -0
  580. package/dist/esm/governance/onboarding-tier-router.js +109 -0
  581. package/dist/esm/governance/onboarding-tier-router.js.map +1 -0
  582. package/dist/esm/governance/onboarding-tier-router.test.js +106 -0
  583. package/dist/esm/governance/onboarding-tier-router.test.js.map +1 -0
  584. package/dist/esm/governance/org-reputation.js +88 -0
  585. package/dist/esm/governance/org-reputation.js.map +1 -0
  586. package/dist/esm/governance/org-reputation.test.js +155 -0
  587. package/dist/esm/governance/org-reputation.test.js.map +1 -0
  588. package/dist/esm/governance/owasp-agentic-scanner.js +314 -0
  589. package/dist/esm/governance/owasp-agentic-scanner.js.map +1 -0
  590. package/dist/esm/governance/owasp-agentic-scanner.test.js +128 -0
  591. package/dist/esm/governance/owasp-agentic-scanner.test.js.map +1 -0
  592. package/dist/esm/governance/pack-diff.js +78 -0
  593. package/dist/esm/governance/pack-diff.js.map +1 -0
  594. package/dist/esm/governance/pack-diff.test.js +207 -0
  595. package/dist/esm/governance/pack-diff.test.js.map +1 -0
  596. package/dist/esm/governance/pack-evaluator-prewarm.js +102 -0
  597. package/dist/esm/governance/pack-evaluator-prewarm.js.map +1 -0
  598. package/dist/esm/governance/pack-evaluator.js +324 -0
  599. package/dist/esm/governance/pack-evaluator.js.map +1 -0
  600. package/dist/esm/governance/pack-evaluator.test.js +244 -0
  601. package/dist/esm/governance/pack-evaluator.test.js.map +1 -0
  602. package/dist/esm/governance/pack-inheritance.js +173 -0
  603. package/dist/esm/governance/pack-inheritance.js.map +1 -0
  604. package/dist/esm/governance/pack-inheritance.test.js +172 -0
  605. package/dist/esm/governance/pack-inheritance.test.js.map +1 -0
  606. package/dist/esm/governance/pack-publish-workflow.js +80 -0
  607. package/dist/esm/governance/pack-publish-workflow.js.map +1 -0
  608. package/dist/esm/governance/pack-publish-workflow.test.js +176 -0
  609. package/dist/esm/governance/pack-publish-workflow.test.js.map +1 -0
  610. package/dist/esm/governance/pack-rule-validator.js +139 -0
  611. package/dist/esm/governance/pack-rule-validator.js.map +1 -0
  612. package/dist/esm/governance/pack-rule-validator.test.js +118 -0
  613. package/dist/esm/governance/pack-rule-validator.test.js.map +1 -0
  614. package/dist/esm/governance/pack-versioning.js +188 -0
  615. package/dist/esm/governance/pack-versioning.js.map +1 -0
  616. package/dist/esm/governance/pack-versioning.test.js +137 -0
  617. package/dist/esm/governance/pack-versioning.test.js.map +1 -0
  618. package/dist/esm/governance/partner-manager.js +221 -0
  619. package/dist/esm/governance/partner-manager.js.map +1 -0
  620. package/dist/esm/governance/paste-your-agent.js +151 -0
  621. package/dist/esm/governance/paste-your-agent.js.map +1 -0
  622. package/dist/esm/governance/paste-your-agent.test.js +105 -0
  623. package/dist/esm/governance/paste-your-agent.test.js.map +1 -0
  624. package/dist/esm/governance/per-agent-daily-budget.js +658 -0
  625. package/dist/esm/governance/per-agent-daily-budget.js.map +1 -0
  626. package/dist/esm/governance/per-agent-override.test.js +239 -0
  627. package/dist/esm/governance/per-agent-override.test.js.map +1 -0
  628. package/dist/esm/governance/plugin-system.js +925 -0
  629. package/dist/esm/governance/plugin-system.js.map +1 -0
  630. package/dist/esm/governance/policy-tuning.js +322 -0
  631. package/dist/esm/governance/policy-tuning.js.map +1 -0
  632. package/dist/esm/governance/post-market-monitor.js +242 -0
  633. package/dist/esm/governance/post-market-monitor.js.map +1 -0
  634. package/dist/esm/governance/post-tool-audit-enrichment.js +466 -0
  635. package/dist/esm/governance/post-tool-audit-enrichment.js.map +1 -0
  636. package/dist/esm/governance/prohibited-practices.js +230 -0
  637. package/dist/esm/governance/prohibited-practices.js.map +1 -0
  638. package/dist/esm/governance/proxy-onboarding.js +302 -0
  639. package/dist/esm/governance/proxy-onboarding.js.map +1 -0
  640. package/dist/esm/governance/proxy-onboarding.test.js +100 -0
  641. package/dist/esm/governance/proxy-onboarding.test.js.map +1 -0
  642. package/dist/esm/governance/rag-citation-enforcement.js +527 -0
  643. package/dist/esm/governance/rag-citation-enforcement.js.map +1 -0
  644. package/dist/esm/governance/rag-confidence-threshold.js +409 -0
  645. package/dist/esm/governance/rag-confidence-threshold.js.map +1 -0
  646. package/dist/esm/governance/rag-retrieval-audit.js +478 -0
  647. package/dist/esm/governance/rag-retrieval-audit.js.map +1 -0
  648. package/dist/esm/governance/rag-source-allowlist.js +495 -0
  649. package/dist/esm/governance/rag-source-allowlist.js.map +1 -0
  650. package/dist/esm/governance/rag-source-output-chain.js +641 -0
  651. package/dist/esm/governance/rag-source-output-chain.js.map +1 -0
  652. package/dist/esm/governance/replay-player.js +85 -0
  653. package/dist/esm/governance/replay-player.js.map +1 -0
  654. package/dist/esm/governance/replay-player.test.js +157 -0
  655. package/dist/esm/governance/replay-player.test.js.map +1 -0
  656. package/dist/esm/governance/retention-manager.js +529 -0
  657. package/dist/esm/governance/retention-manager.js.map +1 -0
  658. package/dist/esm/governance/runtime-event-renderer.js +129 -0
  659. package/dist/esm/governance/runtime-event-renderer.js.map +1 -0
  660. package/dist/esm/governance/runtime-event-renderer.test.js +160 -0
  661. package/dist/esm/governance/runtime-event-renderer.test.js.map +1 -0
  662. package/dist/esm/governance/sandbox-replay.js +184 -0
  663. package/dist/esm/governance/sandbox-replay.js.map +1 -0
  664. package/dist/esm/governance/sandbox-replay.test.js +82 -0
  665. package/dist/esm/governance/sandbox-replay.test.js.map +1 -0
  666. package/dist/esm/governance/self-registration-hook.js +112 -0
  667. package/dist/esm/governance/self-registration-hook.js.map +1 -0
  668. package/dist/esm/governance/self-registration-hook.test.js +114 -0
  669. package/dist/esm/governance/self-registration-hook.test.js.map +1 -0
  670. package/dist/esm/governance/session-persistence.js +339 -0
  671. package/dist/esm/governance/session-persistence.js.map +1 -0
  672. package/dist/esm/governance/signed-manifest.js +119 -0
  673. package/dist/esm/governance/signed-manifest.js.map +1 -0
  674. package/dist/esm/governance/signed-manifest.test.js +114 -0
  675. package/dist/esm/governance/signed-manifest.test.js.map +1 -0
  676. package/dist/esm/governance/skip-api-empty-queue.js +458 -0
  677. package/dist/esm/governance/skip-api-empty-queue.js.map +1 -0
  678. package/dist/esm/governance/state-manager.js +249 -0
  679. package/dist/esm/governance/state-manager.js.map +1 -0
  680. package/dist/esm/governance/tenant-provider-agreements.js +398 -0
  681. package/dist/esm/governance/tenant-provider-agreements.js.map +1 -0
  682. package/dist/esm/governance/tool-provider-health.js +650 -0
  683. package/dist/esm/governance/tool-provider-health.js.map +1 -0
  684. package/dist/esm/governance/tool-rate-limit.js +140 -0
  685. package/dist/esm/governance/tool-rate-limit.js.map +1 -0
  686. package/dist/esm/governance/transparency-injector.js +158 -0
  687. package/dist/esm/governance/transparency-injector.js.map +1 -0
  688. package/dist/esm/governance/trust-score-snapshot.js +94 -0
  689. package/dist/esm/governance/trust-score-snapshot.js.map +1 -0
  690. package/dist/esm/governance/trust-score-snapshot.test.js +152 -0
  691. package/dist/esm/governance/trust-score-snapshot.test.js.map +1 -0
  692. package/dist/esm/governance/trust-score-three-dim.js +171 -0
  693. package/dist/esm/governance/trust-score-three-dim.js.map +1 -0
  694. package/dist/esm/governance/trust-score-three-dim.test.js +186 -0
  695. package/dist/esm/governance/trust-score-three-dim.test.js.map +1 -0
  696. package/dist/esm/governance-config.js +308 -0
  697. package/dist/esm/governance-config.js.map +1 -0
  698. package/dist/esm/governed-agent.js +1278 -0
  699. package/dist/esm/governed-agent.js.map +1 -0
  700. package/dist/esm/hooks/data-classifier-bridge.js +78 -0
  701. package/dist/esm/hooks/data-classifier-bridge.js.map +1 -0
  702. package/dist/esm/ide-adapters/aider.js +706 -0
  703. package/dist/esm/ide-adapters/aider.js.map +1 -0
  704. package/dist/esm/ide-adapters/amazon-q-developer.js +682 -0
  705. package/dist/esm/ide-adapters/amazon-q-developer.js.map +1 -0
  706. package/dist/esm/ide-adapters/base.js +229 -0
  707. package/dist/esm/ide-adapters/base.js.map +1 -0
  708. package/dist/esm/ide-adapters/claude-code.js +188 -0
  709. package/dist/esm/ide-adapters/claude-code.js.map +1 -0
  710. package/dist/esm/ide-adapters/cody.js +763 -0
  711. package/dist/esm/ide-adapters/cody.js.map +1 -0
  712. package/dist/esm/ide-adapters/continue-dev.js +355 -0
  713. package/dist/esm/ide-adapters/continue-dev.js.map +1 -0
  714. package/dist/esm/ide-adapters/copilot-studio.js +1093 -0
  715. package/dist/esm/ide-adapters/copilot-studio.js.map +1 -0
  716. package/dist/esm/ide-adapters/copilot-workspace.js +372 -0
  717. package/dist/esm/ide-adapters/copilot-workspace.js.map +1 -0
  718. package/dist/esm/ide-adapters/cursor.js +269 -0
  719. package/dist/esm/ide-adapters/cursor.js.map +1 -0
  720. package/dist/esm/ide-adapters/exports.js +52 -0
  721. package/dist/esm/ide-adapters/exports.js.map +1 -0
  722. package/dist/esm/ide-adapters/gemini-code-assist.js +746 -0
  723. package/dist/esm/ide-adapters/gemini-code-assist.js.map +1 -0
  724. package/dist/esm/ide-adapters/github-copilot.js +543 -0
  725. package/dist/esm/ide-adapters/github-copilot.js.map +1 -0
  726. package/dist/esm/ide-adapters/index.js +96 -0
  727. package/dist/esm/ide-adapters/index.js.map +1 -0
  728. package/dist/esm/ide-adapters/jetbrains-ai.js +714 -0
  729. package/dist/esm/ide-adapters/jetbrains-ai.js.map +1 -0
  730. package/dist/esm/ide-adapters/notebook-ai.js +854 -0
  731. package/dist/esm/ide-adapters/notebook-ai.js.map +1 -0
  732. package/dist/esm/ide-adapters/replit-agent.js +1018 -0
  733. package/dist/esm/ide-adapters/replit-agent.js.map +1 -0
  734. package/dist/esm/ide-adapters/reviewer-tier.js +15 -0
  735. package/dist/esm/ide-adapters/reviewer-tier.js.map +1 -0
  736. package/dist/esm/ide-adapters/shared.js +267 -0
  737. package/dist/esm/ide-adapters/shared.js.map +1 -0
  738. package/dist/esm/ide-adapters/tabnine.js +717 -0
  739. package/dist/esm/ide-adapters/tabnine.js.map +1 -0
  740. package/dist/esm/ide-adapters/windsurf.js +808 -0
  741. package/dist/esm/ide-adapters/windsurf.js.map +1 -0
  742. package/dist/esm/ide-adapters/zed-ai.js +618 -0
  743. package/dist/esm/ide-adapters/zed-ai.js.map +1 -0
  744. package/dist/esm/index.js +182 -0
  745. package/dist/esm/index.js.map +1 -0
  746. package/dist/esm/license/entitlement-client.js +264 -0
  747. package/dist/esm/license/entitlement-client.js.map +1 -0
  748. package/dist/esm/license/index.js +8 -0
  749. package/dist/esm/license/index.js.map +1 -0
  750. package/dist/esm/license/jwt-issuer.js +107 -0
  751. package/dist/esm/license/jwt-issuer.js.map +1 -0
  752. package/dist/esm/license/jwt-validator.js +460 -0
  753. package/dist/esm/license/jwt-validator.js.map +1 -0
  754. package/dist/esm/license/keygen.js +65 -0
  755. package/dist/esm/license/keygen.js.map +1 -0
  756. package/dist/esm/license/subscription-gate.js +251 -0
  757. package/dist/esm/license/subscription-gate.js.map +1 -0
  758. package/dist/esm/llm-adapters/azure-openai.js +665 -0
  759. package/dist/esm/llm-adapters/azure-openai.js.map +1 -0
  760. package/dist/esm/llm-adapters/base.js +258 -0
  761. package/dist/esm/llm-adapters/base.js.map +1 -0
  762. package/dist/esm/llm-adapters/bedrock.js +713 -0
  763. package/dist/esm/llm-adapters/bedrock.js.map +1 -0
  764. package/dist/esm/llm-adapters/claude.js +236 -0
  765. package/dist/esm/llm-adapters/claude.js.map +1 -0
  766. package/dist/esm/llm-adapters/deepseek.js +716 -0
  767. package/dist/esm/llm-adapters/deepseek.js.map +1 -0
  768. package/dist/esm/llm-adapters/exports.js +36 -0
  769. package/dist/esm/llm-adapters/exports.js.map +1 -0
  770. package/dist/esm/llm-adapters/gemini.js +197 -0
  771. package/dist/esm/llm-adapters/gemini.js.map +1 -0
  772. package/dist/esm/llm-adapters/gemma.js +260 -0
  773. package/dist/esm/llm-adapters/gemma.js.map +1 -0
  774. package/dist/esm/llm-adapters/google.js +1136 -0
  775. package/dist/esm/llm-adapters/google.js.map +1 -0
  776. package/dist/esm/llm-adapters/huggingface.js +618 -0
  777. package/dist/esm/llm-adapters/huggingface.js.map +1 -0
  778. package/dist/esm/llm-adapters/index.js +87 -0
  779. package/dist/esm/llm-adapters/index.js.map +1 -0
  780. package/dist/esm/llm-adapters/ollama.js +587 -0
  781. package/dist/esm/llm-adapters/ollama.js.map +1 -0
  782. package/dist/esm/llm-adapters/openai.js +359 -0
  783. package/dist/esm/llm-adapters/openai.js.map +1 -0
  784. package/dist/esm/llm-adapters/replicate-llama.js +596 -0
  785. package/dist/esm/llm-adapters/replicate-llama.js.map +1 -0
  786. package/dist/esm/llm-adapters/shared.js +330 -0
  787. package/dist/esm/llm-adapters/shared.js.map +1 -0
  788. package/dist/esm/llm-adapters/supported-models-catalog.js +741 -0
  789. package/dist/esm/llm-adapters/supported-models-catalog.js.map +1 -0
  790. package/dist/esm/observability/destination-health-monitor.js +239 -0
  791. package/dist/esm/observability/destination-health-monitor.js.map +1 -0
  792. package/dist/esm/observability/health-metrics-store.js +124 -0
  793. package/dist/esm/observability/health-metrics-store.js.map +1 -0
  794. package/dist/esm/orchestrator-adapters/autogen.js +484 -0
  795. package/dist/esm/orchestrator-adapters/autogen.js.map +1 -0
  796. package/dist/esm/orchestrator-adapters/base.js +366 -0
  797. package/dist/esm/orchestrator-adapters/base.js.map +1 -0
  798. package/dist/esm/orchestrator-adapters/bedrock-agentcore.js +812 -0
  799. package/dist/esm/orchestrator-adapters/bedrock-agentcore.js.map +1 -0
  800. package/dist/esm/orchestrator-adapters/claude-agent-sdk.js +701 -0
  801. package/dist/esm/orchestrator-adapters/claude-agent-sdk.js.map +1 -0
  802. package/dist/esm/orchestrator-adapters/crewai.js +470 -0
  803. package/dist/esm/orchestrator-adapters/crewai.js.map +1 -0
  804. package/dist/esm/orchestrator-adapters/deepagents.js +345 -0
  805. package/dist/esm/orchestrator-adapters/deepagents.js.map +1 -0
  806. package/dist/esm/orchestrator-adapters/exports.js +34 -0
  807. package/dist/esm/orchestrator-adapters/exports.js.map +1 -0
  808. package/dist/esm/orchestrator-adapters/google-adk.js +775 -0
  809. package/dist/esm/orchestrator-adapters/google-adk.js.map +1 -0
  810. package/dist/esm/orchestrator-adapters/haystack.js +811 -0
  811. package/dist/esm/orchestrator-adapters/haystack.js.map +1 -0
  812. package/dist/esm/orchestrator-adapters/index.js +106 -0
  813. package/dist/esm/orchestrator-adapters/index.js.map +1 -0
  814. package/dist/esm/orchestrator-adapters/langchain.js +457 -0
  815. package/dist/esm/orchestrator-adapters/langchain.js.map +1 -0
  816. package/dist/esm/orchestrator-adapters/langgraph.js +464 -0
  817. package/dist/esm/orchestrator-adapters/langgraph.js.map +1 -0
  818. package/dist/esm/orchestrator-adapters/llamaindex.js +819 -0
  819. package/dist/esm/orchestrator-adapters/llamaindex.js.map +1 -0
  820. package/dist/esm/orchestrator-adapters/openai-agents.js +494 -0
  821. package/dist/esm/orchestrator-adapters/openai-agents.js.map +1 -0
  822. package/dist/esm/orchestrator-adapters/openclaw.js +866 -0
  823. package/dist/esm/orchestrator-adapters/openclaw.js.map +1 -0
  824. package/dist/esm/orchestrator-adapters/orchestrator-adapter.js +30 -0
  825. package/dist/esm/orchestrator-adapters/orchestrator-adapter.js.map +1 -0
  826. package/dist/esm/orchestrator-adapters/paperclip-adapter.js +366 -0
  827. package/dist/esm/orchestrator-adapters/paperclip-adapter.js.map +1 -0
  828. package/dist/esm/orchestrator-adapters/semantic-kernel.js +487 -0
  829. package/dist/esm/orchestrator-adapters/semantic-kernel.js.map +1 -0
  830. package/dist/esm/orchestrator-adapters/shared.js +121 -0
  831. package/dist/esm/orchestrator-adapters/shared.js.map +1 -0
  832. package/dist/esm/package.json +3 -0
  833. package/dist/esm/packs/_base-classifiers.js +160 -0
  834. package/dist/esm/packs/_base-classifiers.js.map +1 -0
  835. package/dist/esm/packs/aba.js +297 -0
  836. package/dist/esm/packs/aba.js.map +1 -0
  837. package/dist/esm/packs/as-9100.js +814 -0
  838. package/dist/esm/packs/as-9100.js.map +1 -0
  839. package/dist/esm/packs/au-act-hrpaa.js +290 -0
  840. package/dist/esm/packs/au-act-hrpaa.js.map +1 -0
  841. package/dist/esm/packs/au-aiethics-framework.js +341 -0
  842. package/dist/esm/packs/au-aiethics-framework.js.map +1 -0
  843. package/dist/esm/packs/au-aml-ctf.js +346 -0
  844. package/dist/esm/packs/au-aml-ctf.js.map +1 -0
  845. package/dist/esm/packs/au-asic-rg-271.js +268 -0
  846. package/dist/esm/packs/au-asic-rg-271.js.map +1 -0
  847. package/dist/esm/packs/au-asic-rg-274.js +268 -0
  848. package/dist/esm/packs/au-asic-rg-274.js.map +1 -0
  849. package/dist/esm/packs/au-cdr.js +305 -0
  850. package/dist/esm/packs/au-cdr.js.map +1 -0
  851. package/dist/esm/packs/au-cps230.js +264 -0
  852. package/dist/esm/packs/au-cps230.js.map +1 -0
  853. package/dist/esm/packs/au-cps234.js +297 -0
  854. package/dist/esm/packs/au-cps234.js.map +1 -0
  855. package/dist/esm/packs/au-mandatory-ai-guardrails.js +271 -0
  856. package/dist/esm/packs/au-mandatory-ai-guardrails.js.map +1 -0
  857. package/dist/esm/packs/au-nsw-hripa.js +363 -0
  858. package/dist/esm/packs/au-nsw-hripa.js.map +1 -0
  859. package/dist/esm/packs/au-online-safety.js +297 -0
  860. package/dist/esm/packs/au-online-safety.js.map +1 -0
  861. package/dist/esm/packs/au-privacy-act.js +361 -0
  862. package/dist/esm/packs/au-privacy-act.js.map +1 -0
  863. package/dist/esm/packs/au-soci-act.js +251 -0
  864. package/dist/esm/packs/au-soci-act.js.map +1 -0
  865. package/dist/esm/packs/au-spam-act.js +284 -0
  866. package/dist/esm/packs/au-spam-act.js.map +1 -0
  867. package/dist/esm/packs/au-tga-saimd.js +341 -0
  868. package/dist/esm/packs/au-tga-saimd.js.map +1 -0
  869. package/dist/esm/packs/au-vic-hra.js +345 -0
  870. package/dist/esm/packs/au-vic-hra.js.map +1 -0
  871. package/dist/esm/packs/bipa.js +268 -0
  872. package/dist/esm/packs/bipa.js.map +1 -0
  873. package/dist/esm/packs/bsa-aml.js +410 -0
  874. package/dist/esm/packs/bsa-aml.js.map +1 -0
  875. package/dist/esm/packs/ca-pipeda.js +217 -0
  876. package/dist/esm/packs/ca-pipeda.js.map +1 -0
  877. package/dist/esm/packs/ca-qc-law25.js +188 -0
  878. package/dist/esm/packs/ca-qc-law25.js.map +1 -0
  879. package/dist/esm/packs/caldicott-principles.js +441 -0
  880. package/dist/esm/packs/caldicott-principles.js.map +1 -0
  881. package/dist/esm/packs/california-ab2930.js +410 -0
  882. package/dist/esm/packs/california-ab2930.js.map +1 -0
  883. package/dist/esm/packs/ccpa.js +396 -0
  884. package/dist/esm/packs/ccpa.js.map +1 -0
  885. package/dist/esm/packs/cfpb-2023-03.js +282 -0
  886. package/dist/esm/packs/cfpb-2023-03.js.map +1 -0
  887. package/dist/esm/packs/check-registry.js +3337 -0
  888. package/dist/esm/packs/check-registry.js.map +1 -0
  889. package/dist/esm/packs/cjis.js +342 -0
  890. package/dist/esm/packs/cjis.js.map +1 -0
  891. package/dist/esm/packs/cma-ai-foundation-models.js +394 -0
  892. package/dist/esm/packs/cma-ai-foundation-models.js.map +1 -0
  893. package/dist/esm/packs/cmmc2.js +347 -0
  894. package/dist/esm/packs/cmmc2.js.map +1 -0
  895. package/dist/esm/packs/cms-interoperability.js +387 -0
  896. package/dist/esm/packs/cms-interoperability.js.map +1 -0
  897. package/dist/esm/packs/cn-dsl-csl.js +134 -0
  898. package/dist/esm/packs/cn-dsl-csl.js.map +1 -0
  899. package/dist/esm/packs/colorado-ai.js +376 -0
  900. package/dist/esm/packs/colorado-ai.js.map +1 -0
  901. package/dist/esm/packs/common-rule.js +470 -0
  902. package/dist/esm/packs/common-rule.js.map +1 -0
  903. package/dist/esm/packs/coppa.js +406 -0
  904. package/dist/esm/packs/coppa.js.map +1 -0
  905. package/dist/esm/packs/cyber-essentials.js +404 -0
  906. package/dist/esm/packs/cyber-essentials.js.map +1 -0
  907. package/dist/esm/packs/de-bdsg.js +413 -0
  908. package/dist/esm/packs/de-bdsg.js.map +1 -0
  909. package/dist/esm/packs/do-178c.js +723 -0
  910. package/dist/esm/packs/do-178c.js.map +1 -0
  911. package/dist/esm/packs/dora.js +358 -0
  912. package/dist/esm/packs/dora.js.map +1 -0
  913. package/dist/esm/packs/ecoa.js +386 -0
  914. package/dist/esm/packs/ecoa.js.map +1 -0
  915. package/dist/esm/packs/eu-ai-liability.js +300 -0
  916. package/dist/esm/packs/eu-ai-liability.js.map +1 -0
  917. package/dist/esm/packs/eu-cra.js +140 -0
  918. package/dist/esm/packs/eu-cra.js.map +1 -0
  919. package/dist/esm/packs/eu-data-act.js +138 -0
  920. package/dist/esm/packs/eu-data-act.js.map +1 -0
  921. package/dist/esm/packs/eu-dma.js +185 -0
  922. package/dist/esm/packs/eu-dma.js.map +1 -0
  923. package/dist/esm/packs/eu-dsa.js +176 -0
  924. package/dist/esm/packs/eu-dsa.js.map +1 -0
  925. package/dist/esm/packs/eu-lpp.js +342 -0
  926. package/dist/esm/packs/eu-lpp.js.map +1 -0
  927. package/dist/esm/packs/eu-mdr-ivdr.js +417 -0
  928. package/dist/esm/packs/eu-mdr-ivdr.js.map +1 -0
  929. package/dist/esm/packs/euaiact.js +341 -0
  930. package/dist/esm/packs/euaiact.js.map +1 -0
  931. package/dist/esm/packs/fca-consumer-duty.js +409 -0
  932. package/dist/esm/packs/fca-consumer-duty.js.map +1 -0
  933. package/dist/esm/packs/fca-op-resilience.js +350 -0
  934. package/dist/esm/packs/fca-op-resilience.js.map +1 -0
  935. package/dist/esm/packs/fcra.js +441 -0
  936. package/dist/esm/packs/fcra.js.map +1 -0
  937. package/dist/esm/packs/fda-21-cfr-820.js +606 -0
  938. package/dist/esm/packs/fda-21-cfr-820.js.map +1 -0
  939. package/dist/esm/packs/fda-samd-precert.js +863 -0
  940. package/dist/esm/packs/fda-samd-precert.js.map +1 -0
  941. package/dist/esm/packs/fda-samd.js +314 -0
  942. package/dist/esm/packs/fda-samd.js.map +1 -0
  943. package/dist/esm/packs/fedramp.js +318 -0
  944. package/dist/esm/packs/fedramp.js.map +1 -0
  945. package/dist/esm/packs/ferpa.js +309 -0
  946. package/dist/esm/packs/ferpa.js.map +1 -0
  947. package/dist/esm/packs/finra-3110.js +351 -0
  948. package/dist/esm/packs/finra-3110.js.map +1 -0
  949. package/dist/esm/packs/florida-student-privacy.js +448 -0
  950. package/dist/esm/packs/florida-student-privacy.js.map +1 -0
  951. package/dist/esm/packs/foia.js +394 -0
  952. package/dist/esm/packs/foia.js.map +1 -0
  953. package/dist/esm/packs/frcp26.js +294 -0
  954. package/dist/esm/packs/frcp26.js.map +1 -0
  955. package/dist/esm/packs/ftc5.js +290 -0
  956. package/dist/esm/packs/ftc5.js.map +1 -0
  957. package/dist/esm/packs/gdpr.js +487 -0
  958. package/dist/esm/packs/gdpr.js.map +1 -0
  959. package/dist/esm/packs/glba.js +421 -0
  960. package/dist/esm/packs/glba.js.map +1 -0
  961. package/dist/esm/packs/gxp.js +350 -0
  962. package/dist/esm/packs/gxp.js.map +1 -0
  963. package/dist/esm/packs/hipaa.js +381 -0
  964. package/dist/esm/packs/hipaa.js.map +1 -0
  965. package/dist/esm/packs/hitech.js +289 -0
  966. package/dist/esm/packs/hitech.js.map +1 -0
  967. package/dist/esm/packs/hitrust-csf.js +119 -0
  968. package/dist/esm/packs/hitrust-csf.js.map +1 -0
  969. package/dist/esm/packs/hk-pdpo.js +122 -0
  970. package/dist/esm/packs/hk-pdpo.js.map +1 -0
  971. package/dist/esm/packs/hmda.js +379 -0
  972. package/dist/esm/packs/hmda.js.map +1 -0
  973. package/dist/esm/packs/iec-62304.js +585 -0
  974. package/dist/esm/packs/iec-62304.js.map +1 -0
  975. package/dist/esm/packs/iec-62443.js +686 -0
  976. package/dist/esm/packs/iec-62443.js.map +1 -0
  977. package/dist/esm/packs/illinois-aivia.js +348 -0
  978. package/dist/esm/packs/illinois-aivia.js.map +1 -0
  979. package/dist/esm/packs/in-dpdp.js +429 -0
  980. package/dist/esm/packs/in-dpdp.js.map +1 -0
  981. package/dist/esm/packs/index.js +664 -0
  982. package/dist/esm/packs/index.js.map +1 -0
  983. package/dist/esm/packs/iso-15189.js +944 -0
  984. package/dist/esm/packs/iso-15189.js.map +1 -0
  985. package/dist/esm/packs/iso-23894.js +442 -0
  986. package/dist/esm/packs/iso-23894.js.map +1 -0
  987. package/dist/esm/packs/iso-26262.js +734 -0
  988. package/dist/esm/packs/iso-26262.js.map +1 -0
  989. package/dist/esm/packs/iso-iec-80001.js +993 -0
  990. package/dist/esm/packs/iso-iec-80001.js.map +1 -0
  991. package/dist/esm/packs/iso20022.js +344 -0
  992. package/dist/esm/packs/iso20022.js.map +1 -0
  993. package/dist/esm/packs/iso27001.js +388 -0
  994. package/dist/esm/packs/iso27001.js.map +1 -0
  995. package/dist/esm/packs/iso27701.js +390 -0
  996. package/dist/esm/packs/iso27701.js.map +1 -0
  997. package/dist/esm/packs/iso42001.js +288 -0
  998. package/dist/esm/packs/iso42001.js.map +1 -0
  999. package/dist/esm/packs/jp-appi.js +438 -0
  1000. package/dist/esm/packs/jp-appi.js.map +1 -0
  1001. package/dist/esm/packs/kr-pipa.js +442 -0
  1002. package/dist/esm/packs/kr-pipa.js.map +1 -0
  1003. package/dist/esm/packs/lgpd.js +350 -0
  1004. package/dist/esm/packs/lgpd.js.map +1 -0
  1005. package/dist/esm/packs/lpo2024.js +307 -0
  1006. package/dist/esm/packs/lpo2024.js.map +1 -0
  1007. package/dist/esm/packs/maryland-hb1202.js +338 -0
  1008. package/dist/esm/packs/maryland-hb1202.js.map +1 -0
  1009. package/dist/esm/packs/mhra-samd-ukca.js +473 -0
  1010. package/dist/esm/packs/mhra-samd-ukca.js.map +1 -0
  1011. package/dist/esm/packs/mifid2.js +381 -0
  1012. package/dist/esm/packs/mifid2.js.map +1 -0
  1013. package/dist/esm/packs/migration-manifest.js +55 -0
  1014. package/dist/esm/packs/migration-manifest.js.map +1 -0
  1015. package/dist/esm/packs/naic-mdl.js +315 -0
  1016. package/dist/esm/packs/naic-mdl.js.map +1 -0
  1017. package/dist/esm/packs/ncsc-ai-security.js +626 -0
  1018. package/dist/esm/packs/ncsc-ai-security.js.map +1 -0
  1019. package/dist/esm/packs/ncsc-caf.js +381 -0
  1020. package/dist/esm/packs/ncsc-caf.js.map +1 -0
  1021. package/dist/esm/packs/nhs-dcb0129-dcb0160.js +470 -0
  1022. package/dist/esm/packs/nhs-dcb0129-dcb0160.js.map +1 -0
  1023. package/dist/esm/packs/nhs-dspt.js +434 -0
  1024. package/dist/esm/packs/nhs-dspt.js.map +1 -0
  1025. package/dist/esm/packs/nhs-dtac.js +399 -0
  1026. package/dist/esm/packs/nhs-dtac.js.map +1 -0
  1027. package/dist/esm/packs/nhs-psirf.js +414 -0
  1028. package/dist/esm/packs/nhs-psirf.js.map +1 -0
  1029. package/dist/esm/packs/ni-equality.js +436 -0
  1030. package/dist/esm/packs/ni-equality.js.map +1 -0
  1031. package/dist/esm/packs/ni-hscni.js +415 -0
  1032. package/dist/esm/packs/ni-hscni.js.map +1 -0
  1033. package/dist/esm/packs/ni-mental-capacity.js +130 -0
  1034. package/dist/esm/packs/ni-mental-capacity.js.map +1 -0
  1035. package/dist/esm/packs/nice-esf-dht.js +404 -0
  1036. package/dist/esm/packs/nice-esf-dht.js.map +1 -0
  1037. package/dist/esm/packs/nis2.js +422 -0
  1038. package/dist/esm/packs/nis2.js.map +1 -0
  1039. package/dist/esm/packs/nist-800-53.js +126 -0
  1040. package/dist/esm/packs/nist-800-53.js.map +1 -0
  1041. package/dist/esm/packs/nist-ai-rmf.js +367 -0
  1042. package/dist/esm/packs/nist-ai-rmf.js.map +1 -0
  1043. package/dist/esm/packs/nist-csf.js +131 -0
  1044. package/dist/esm/packs/nist-csf.js.map +1 -0
  1045. package/dist/esm/packs/nist-sp-800-82.js +721 -0
  1046. package/dist/esm/packs/nist-sp-800-82.js.map +1 -0
  1047. package/dist/esm/packs/nyc-ll-144.js +288 -0
  1048. package/dist/esm/packs/nyc-ll-144.js.map +1 -0
  1049. package/dist/esm/packs/nydfs500.js +285 -0
  1050. package/dist/esm/packs/nydfs500.js.map +1 -0
  1051. package/dist/esm/packs/nz-privacy.js +465 -0
  1052. package/dist/esm/packs/nz-privacy.js.map +1 -0
  1053. package/dist/esm/packs/part11.js +329 -0
  1054. package/dist/esm/packs/part11.js.map +1 -0
  1055. package/dist/esm/packs/part2.js +355 -0
  1056. package/dist/esm/packs/part2.js.map +1 -0
  1057. package/dist/esm/packs/pcidss.js +466 -0
  1058. package/dist/esm/packs/pcidss.js.map +1 -0
  1059. package/dist/esm/packs/pipl.js +205 -0
  1060. package/dist/esm/packs/pipl.js.map +1 -0
  1061. package/dist/esm/packs/reg-e.js +359 -0
  1062. package/dist/esm/packs/reg-e.js.map +1 -0
  1063. package/dist/esm/packs/registry-expanded.js +2347 -0
  1064. package/dist/esm/packs/registry-expanded.js.map +1 -0
  1065. package/dist/esm/packs/scotland-awi.js +405 -0
  1066. package/dist/esm/packs/scotland-awi.js.map +1 -0
  1067. package/dist/esm/packs/scotland-procurement-reform.js +122 -0
  1068. package/dist/esm/packs/scotland-procurement-reform.js.map +1 -0
  1069. package/dist/esm/packs/scotland-psed.js +369 -0
  1070. package/dist/esm/packs/scotland-psed.js.map +1 -0
  1071. package/dist/esm/packs/sg-model-ai-gov.js +393 -0
  1072. package/dist/esm/packs/sg-model-ai-gov.js.map +1 -0
  1073. package/dist/esm/packs/soc1.js +305 -0
  1074. package/dist/esm/packs/soc1.js.map +1 -0
  1075. package/dist/esm/packs/soc2.js +337 -0
  1076. package/dist/esm/packs/soc2.js.map +1 -0
  1077. package/dist/esm/packs/sox404.js +295 -0
  1078. package/dist/esm/packs/sox404.js.map +1 -0
  1079. package/dist/esm/packs/sr117.js +342 -0
  1080. package/dist/esm/packs/sr117.js.map +1 -0
  1081. package/dist/esm/packs/stateramp.js +324 -0
  1082. package/dist/esm/packs/stateramp.js.map +1 -0
  1083. package/dist/esm/packs/tennessee-elvis.js +417 -0
  1084. package/dist/esm/packs/tennessee-elvis.js.map +1 -0
  1085. package/dist/esm/packs/texas-hb4.js +393 -0
  1086. package/dist/esm/packs/texas-hb4.js.map +1 -0
  1087. package/dist/esm/packs/th-pdpa.js +125 -0
  1088. package/dist/esm/packs/th-pdpa.js.map +1 -0
  1089. package/dist/esm/packs/title-ix.js +444 -0
  1090. package/dist/esm/packs/title-ix.js.map +1 -0
  1091. package/dist/esm/packs/uk-ai-framework.js +352 -0
  1092. package/dist/esm/packs/uk-ai-framework.js.map +1 -0
  1093. package/dist/esm/packs/uk-cma-1990.js +403 -0
  1094. package/dist/esm/packs/uk-cma-1990.js.map +1 -0
  1095. package/dist/esm/packs/uk-equality-act-ai-bias.js +681 -0
  1096. package/dist/esm/packs/uk-equality-act-ai-bias.js.map +1 -0
  1097. package/dist/esm/packs/uk-equality-act.js +406 -0
  1098. package/dist/esm/packs/uk-equality-act.js.map +1 -0
  1099. package/dist/esm/packs/uk-future-ai-legislation.js +209 -0
  1100. package/dist/esm/packs/uk-future-ai-legislation.js.map +1 -0
  1101. package/dist/esm/packs/uk-gdpr.js +374 -0
  1102. package/dist/esm/packs/uk-gdpr.js.map +1 -0
  1103. package/dist/esm/packs/uk-ico-open-case.js +396 -0
  1104. package/dist/esm/packs/uk-ico-open-case.js.map +1 -0
  1105. package/dist/esm/packs/uk-nis-regs.js +363 -0
  1106. package/dist/esm/packs/uk-nis-regs.js.map +1 -0
  1107. package/dist/esm/packs/uk-online-safety-act.js +410 -0
  1108. package/dist/esm/packs/uk-online-safety-act.js.map +1 -0
  1109. package/dist/esm/packs/uk-procurement-act.js +431 -0
  1110. package/dist/esm/packs/uk-procurement-act.js.map +1 -0
  1111. package/dist/esm/packs/us-fda-21cfr56.js +364 -0
  1112. package/dist/esm/packs/us-fda-21cfr56.js.map +1 -0
  1113. package/dist/esm/packs/us-nih-coc.js +203 -0
  1114. package/dist/esm/packs/us-nih-coc.js.map +1 -0
  1115. package/dist/esm/packs/us-nih-dms.js +241 -0
  1116. package/dist/esm/packs/us-nih-dms.js.map +1 -0
  1117. package/dist/esm/packs/us-nih-gds.js +355 -0
  1118. package/dist/esm/packs/us-nih-gds.js.map +1 -0
  1119. package/dist/esm/packs/us-nih-it-security.js +203 -0
  1120. package/dist/esm/packs/us-nih-it-security.js.map +1 -0
  1121. package/dist/esm/packs/us-respa.js +361 -0
  1122. package/dist/esm/packs/us-respa.js.map +1 -0
  1123. package/dist/esm/packs/us-tila.js +350 -0
  1124. package/dist/esm/packs/us-tila.js.map +1 -0
  1125. package/dist/esm/packs/us-trid.js +342 -0
  1126. package/dist/esm/packs/us-trid.js.map +1 -0
  1127. package/dist/esm/packs/utah-ai-policy.js +337 -0
  1128. package/dist/esm/packs/utah-ai-policy.js.map +1 -0
  1129. package/dist/esm/packs/vn-pdpd.js +122 -0
  1130. package/dist/esm/packs/vn-pdpd.js.map +1 -0
  1131. package/dist/esm/packs/wales-future-generations.js +393 -0
  1132. package/dist/esm/packs/wales-future-generations.js.map +1 -0
  1133. package/dist/esm/reporting/governance-reporter.js +405 -0
  1134. package/dist/esm/reporting/governance-reporter.js.map +1 -0
  1135. package/dist/esm/retention/backup-retention-adapter.js +66 -0
  1136. package/dist/esm/retention/backup-retention-adapter.js.map +1 -0
  1137. package/dist/esm/retention/classification-rules.js +182 -0
  1138. package/dist/esm/retention/classification-rules.js.map +1 -0
  1139. package/dist/esm/retention/classifier.js +243 -0
  1140. package/dist/esm/retention/classifier.js.map +1 -0
  1141. package/dist/esm/retention/data-class.js +44 -0
  1142. package/dist/esm/retention/data-class.js.map +1 -0
  1143. package/dist/esm/retention/enforcement-log-store.js +145 -0
  1144. package/dist/esm/retention/enforcement-log-store.js.map +1 -0
  1145. package/dist/esm/retention/index.js +31 -0
  1146. package/dist/esm/retention/index.js.map +1 -0
  1147. package/dist/esm/retention/ingest-classifier.js +123 -0
  1148. package/dist/esm/retention/ingest-classifier.js.map +1 -0
  1149. package/dist/esm/retention/legal-hold-errors.js +92 -0
  1150. package/dist/esm/retention/legal-hold-errors.js.map +1 -0
  1151. package/dist/esm/retention/legal-hold-store.js +394 -0
  1152. package/dist/esm/retention/legal-hold-store.js.map +1 -0
  1153. package/dist/esm/retention/legal-hold.js +17 -0
  1154. package/dist/esm/retention/legal-hold.js.map +1 -0
  1155. package/dist/esm/retention/log-aggregators/datadog.js +153 -0
  1156. package/dist/esm/retention/log-aggregators/datadog.js.map +1 -0
  1157. package/dist/esm/retention/log-aggregators/index.js +10 -0
  1158. package/dist/esm/retention/log-aggregators/index.js.map +1 -0
  1159. package/dist/esm/retention/log-aggregators/log-aggregator.js +20 -0
  1160. package/dist/esm/retention/log-aggregators/log-aggregator.js.map +1 -0
  1161. package/dist/esm/retention/log-aggregators/noop.js +26 -0
  1162. package/dist/esm/retention/log-aggregators/noop.js.map +1 -0
  1163. package/dist/esm/retention/log-aggregators/sentinel.js +216 -0
  1164. package/dist/esm/retention/log-aggregators/sentinel.js.map +1 -0
  1165. package/dist/esm/retention/log-aggregators/splunk.js +147 -0
  1166. package/dist/esm/retention/log-aggregators/splunk.js.map +1 -0
  1167. package/dist/esm/retention/policy-matrix-errors.js +127 -0
  1168. package/dist/esm/retention/policy-matrix-errors.js.map +1 -0
  1169. package/dist/esm/retention/policy-matrix.js +580 -0
  1170. package/dist/esm/retention/policy-matrix.js.map +1 -0
  1171. package/dist/esm/scanner/gap-report.js +333 -0
  1172. package/dist/esm/scanner/gap-report.js.map +1 -0
  1173. package/dist/esm/scanner/index.js +414 -0
  1174. package/dist/esm/scanner/index.js.map +1 -0
  1175. package/dist/esm/scanner/manifest-integrity.js +151 -0
  1176. package/dist/esm/scanner/manifest-integrity.js.map +1 -0
  1177. package/dist/esm/scanner/remediation.js +255 -0
  1178. package/dist/esm/scanner/remediation.js.map +1 -0
  1179. package/dist/esm/security/access-review.js +235 -0
  1180. package/dist/esm/security/access-review.js.map +1 -0
  1181. package/dist/esm/security/agent-auth.js +253 -0
  1182. package/dist/esm/security/agent-auth.js.map +1 -0
  1183. package/dist/esm/security/anomaly-auto-suspend.js +345 -0
  1184. package/dist/esm/security/anomaly-auto-suspend.js.map +1 -0
  1185. package/dist/esm/security/anomaly-correlator.js +279 -0
  1186. package/dist/esm/security/anomaly-correlator.js.map +1 -0
  1187. package/dist/esm/security/anomaly-detector.js +261 -0
  1188. package/dist/esm/security/anomaly-detector.js.map +1 -0
  1189. package/dist/esm/security/anomaly-self-reflection.js +292 -0
  1190. package/dist/esm/security/anomaly-self-reflection.js.map +1 -0
  1191. package/dist/esm/security/built-in-llm-providers.js +80 -0
  1192. package/dist/esm/security/built-in-llm-providers.js.map +1 -0
  1193. package/dist/esm/security/circuit-breaker.js +146 -0
  1194. package/dist/esm/security/circuit-breaker.js.map +1 -0
  1195. package/dist/esm/security/data-classifier.js +446 -0
  1196. package/dist/esm/security/data-classifier.js.map +1 -0
  1197. package/dist/esm/security/encrypted-storage.js +220 -0
  1198. package/dist/esm/security/encrypted-storage.js.map +1 -0
  1199. package/dist/esm/security/encryption-layer.js +337 -0
  1200. package/dist/esm/security/encryption-layer.js.map +1 -0
  1201. package/dist/esm/security/external-cross-check.js +451 -0
  1202. package/dist/esm/security/external-cross-check.js.map +1 -0
  1203. package/dist/esm/security/hash-manifest.js +229 -0
  1204. package/dist/esm/security/hash-manifest.js.map +1 -0
  1205. package/dist/esm/security/http-interceptor.js +594 -0
  1206. package/dist/esm/security/http-interceptor.js.map +1 -0
  1207. package/dist/esm/security/key-manager.js +289 -0
  1208. package/dist/esm/security/key-manager.js.map +1 -0
  1209. package/dist/esm/security/nonce-store.js +133 -0
  1210. package/dist/esm/security/nonce-store.js.map +1 -0
  1211. package/dist/esm/security/operator-roles.js +241 -0
  1212. package/dist/esm/security/operator-roles.js.map +1 -0
  1213. package/dist/esm/security/plugin-integrity.js +153 -0
  1214. package/dist/esm/security/plugin-integrity.js.map +1 -0
  1215. package/dist/esm/security/prompt-injection-detector.js +466 -0
  1216. package/dist/esm/security/prompt-injection-detector.js.map +1 -0
  1217. package/dist/esm/security/provider-compliance-boot.js +102 -0
  1218. package/dist/esm/security/provider-compliance-boot.js.map +1 -0
  1219. package/dist/esm/security/provider-compliance.js +707 -0
  1220. package/dist/esm/security/provider-compliance.js.map +1 -0
  1221. package/dist/esm/security/secret-leak-detector.js +176 -0
  1222. package/dist/esm/security/secret-leak-detector.js.map +1 -0
  1223. package/dist/esm/security/session-timeout.js +254 -0
  1224. package/dist/esm/security/session-timeout.js.map +1 -0
  1225. package/dist/esm/security/ssrf-guard.js +222 -0
  1226. package/dist/esm/security/ssrf-guard.js.map +1 -0
  1227. package/dist/esm/security/supply-chain.js +283 -0
  1228. package/dist/esm/security/supply-chain.js.map +1 -0
  1229. package/dist/esm/security/vendor-registry.js +256 -0
  1230. package/dist/esm/security/vendor-registry.js.map +1 -0
  1231. package/dist/esm/tenant/index.js +14 -0
  1232. package/dist/esm/tenant/index.js.map +1 -0
  1233. package/dist/esm/tenant/policy-inheritance.js +342 -0
  1234. package/dist/esm/tenant/policy-inheritance.js.map +1 -0
  1235. package/dist/esm/tenant/rbac.js +178 -0
  1236. package/dist/esm/tenant/rbac.js.map +1 -0
  1237. package/dist/esm/tenant/workspace.js +274 -0
  1238. package/dist/esm/tenant/workspace.js.map +1 -0
  1239. package/dist/esm/trust-passport/index.js +119 -0
  1240. package/dist/esm/trust-passport/index.js.map +1 -0
  1241. package/dist/esm/util/async-io.js +164 -0
  1242. package/dist/esm/util/async-io.js.map +1 -0
  1243. package/dist/esm/util/fs.js +165 -0
  1244. package/dist/esm/util/fs.js.map +1 -0
  1245. package/dist/esm/util/log-rotation.js +175 -0
  1246. package/dist/esm/util/log-rotation.js.map +1 -0
  1247. package/dist/esm/util/log.js +77 -0
  1248. package/dist/esm/util/log.js.map +1 -0
  1249. package/dist/esm/util/sigv4.js +113 -0
  1250. package/dist/esm/util/sigv4.js.map +1 -0
  1251. package/dist/esm/util/storage-backend.js +167 -0
  1252. package/dist/esm/util/storage-backend.js.map +1 -0
  1253. package/dist/governance/action-classes.d.ts +153 -0
  1254. package/dist/governance/action-classes.d.ts.map +1 -0
  1255. package/dist/governance/action-classes.js +177 -0
  1256. package/dist/governance/action-classes.js.map +1 -0
  1257. package/dist/governance/action-isolation.d.ts +317 -0
  1258. package/dist/governance/action-isolation.d.ts.map +1 -0
  1259. package/dist/governance/action-isolation.js +623 -0
  1260. package/dist/governance/action-isolation.js.map +1 -0
  1261. package/dist/governance/agent-discovery.d.ts +33 -0
  1262. package/dist/governance/agent-discovery.d.ts.map +1 -0
  1263. package/dist/governance/agent-discovery.js +249 -0
  1264. package/dist/governance/agent-discovery.js.map +1 -0
  1265. package/dist/governance/agent-discovery.test.d.ts +7 -0
  1266. package/dist/governance/agent-discovery.test.d.ts.map +1 -0
  1267. package/dist/governance/agent-discovery.test.js +179 -0
  1268. package/dist/governance/agent-discovery.test.js.map +1 -0
  1269. package/dist/governance/agent-trust-report.d.ts +124 -0
  1270. package/dist/governance/agent-trust-report.d.ts.map +1 -0
  1271. package/dist/governance/agent-trust-report.js +155 -0
  1272. package/dist/governance/agent-trust-report.js.map +1 -0
  1273. package/dist/governance/agent-trust-report.test.d.ts +7 -0
  1274. package/dist/governance/agent-trust-report.test.d.ts.map +1 -0
  1275. package/dist/governance/agent-trust-report.test.js +294 -0
  1276. package/dist/governance/agent-trust-report.test.js.map +1 -0
  1277. package/dist/governance/approval-channel-adapters.d.ts +45 -0
  1278. package/dist/governance/approval-channel-adapters.d.ts.map +1 -0
  1279. package/dist/governance/approval-channel-adapters.js +173 -0
  1280. package/dist/governance/approval-channel-adapters.js.map +1 -0
  1281. package/dist/governance/approval-channel-adapters.test.d.ts +7 -0
  1282. package/dist/governance/approval-channel-adapters.test.d.ts.map +1 -0
  1283. package/dist/governance/approval-channel-adapters.test.js +198 -0
  1284. package/dist/governance/approval-channel-adapters.test.js.map +1 -0
  1285. package/dist/governance/approval-gate-enforcer.d.ts +224 -0
  1286. package/dist/governance/approval-gate-enforcer.d.ts.map +1 -0
  1287. package/dist/governance/approval-gate-enforcer.js +443 -0
  1288. package/dist/governance/approval-gate-enforcer.js.map +1 -0
  1289. package/dist/governance/approval-notifications.d.ts +101 -0
  1290. package/dist/governance/approval-notifications.d.ts.map +1 -0
  1291. package/dist/governance/approval-notifications.js +143 -0
  1292. package/dist/governance/approval-notifications.js.map +1 -0
  1293. package/dist/governance/approval-notifications.test.d.ts +15 -0
  1294. package/dist/governance/approval-notifications.test.d.ts.map +1 -0
  1295. package/dist/governance/approval-notifications.test.js +227 -0
  1296. package/dist/governance/approval-notifications.test.js.map +1 -0
  1297. package/dist/governance/approval-queue-store.d.ts +114 -0
  1298. package/dist/governance/approval-queue-store.d.ts.map +1 -0
  1299. package/dist/governance/approval-queue-store.js +149 -0
  1300. package/dist/governance/approval-queue-store.js.map +1 -0
  1301. package/dist/governance/approval-queue.d.ts +172 -0
  1302. package/dist/governance/approval-queue.d.ts.map +1 -0
  1303. package/dist/governance/approval-queue.js +329 -0
  1304. package/dist/governance/approval-queue.js.map +1 -0
  1305. package/dist/governance/approval-service.d.ts +79 -0
  1306. package/dist/governance/approval-service.d.ts.map +1 -0
  1307. package/dist/governance/approval-service.js +129 -0
  1308. package/dist/governance/approval-service.js.map +1 -0
  1309. package/dist/governance/audit-chain-emitter.d.ts +103 -0
  1310. package/dist/governance/audit-chain-emitter.d.ts.map +1 -0
  1311. package/dist/governance/audit-chain-emitter.js +220 -0
  1312. package/dist/governance/audit-chain-emitter.js.map +1 -0
  1313. package/dist/governance/audit-chain-emitter.test.d.ts +7 -0
  1314. package/dist/governance/audit-chain-emitter.test.d.ts.map +1 -0
  1315. package/dist/governance/audit-chain-emitter.test.js +225 -0
  1316. package/dist/governance/audit-chain-emitter.test.js.map +1 -0
  1317. package/dist/governance/auto-pack-generator.d.ts +56 -0
  1318. package/dist/governance/auto-pack-generator.d.ts.map +1 -0
  1319. package/dist/governance/auto-pack-generator.js +70 -0
  1320. package/dist/governance/auto-pack-generator.js.map +1 -0
  1321. package/dist/governance/auto-pack-generator.test.d.ts +7 -0
  1322. package/dist/governance/auto-pack-generator.test.d.ts.map +1 -0
  1323. package/dist/governance/auto-pack-generator.test.js +130 -0
  1324. package/dist/governance/auto-pack-generator.test.js.map +1 -0
  1325. package/dist/governance/autonomy-spectrum.d.ts +253 -0
  1326. package/dist/governance/autonomy-spectrum.d.ts.map +1 -0
  1327. package/dist/governance/autonomy-spectrum.js +697 -0
  1328. package/dist/governance/autonomy-spectrum.js.map +1 -0
  1329. package/dist/governance/batch-mode-governance.d.ts +337 -0
  1330. package/dist/governance/batch-mode-governance.d.ts.map +1 -0
  1331. package/dist/governance/batch-mode-governance.js +651 -0
  1332. package/dist/governance/batch-mode-governance.js.map +1 -0
  1333. package/dist/governance/bias-monitor.d.ts +100 -0
  1334. package/dist/governance/bias-monitor.d.ts.map +1 -0
  1335. package/dist/governance/bias-monitor.js +310 -0
  1336. package/dist/governance/bias-monitor.js.map +1 -0
  1337. package/dist/governance/blast-radius-enforcer.d.ts +308 -0
  1338. package/dist/governance/blast-radius-enforcer.d.ts.map +1 -0
  1339. package/dist/governance/blast-radius-enforcer.js +579 -0
  1340. package/dist/governance/blast-radius-enforcer.js.map +1 -0
  1341. package/dist/governance/build-structure-score.d.ts +38 -0
  1342. package/dist/governance/build-structure-score.d.ts.map +1 -0
  1343. package/dist/governance/build-structure-score.js +64 -0
  1344. package/dist/governance/build-structure-score.js.map +1 -0
  1345. package/dist/governance/build-structure-score.test.d.ts +8 -0
  1346. package/dist/governance/build-structure-score.test.d.ts.map +1 -0
  1347. package/dist/governance/build-structure-score.test.js +151 -0
  1348. package/dist/governance/build-structure-score.test.js.map +1 -0
  1349. package/dist/governance/capability-bundle.d.ts +58 -0
  1350. package/dist/governance/capability-bundle.d.ts.map +1 -0
  1351. package/dist/governance/capability-bundle.js +277 -0
  1352. package/dist/governance/capability-bundle.js.map +1 -0
  1353. package/dist/governance/capability-change-detector.d.ts +335 -0
  1354. package/dist/governance/capability-change-detector.d.ts.map +1 -0
  1355. package/dist/governance/capability-change-detector.js +743 -0
  1356. package/dist/governance/capability-change-detector.js.map +1 -0
  1357. package/dist/governance/capability-classes.d.ts +42 -0
  1358. package/dist/governance/capability-classes.d.ts.map +1 -0
  1359. package/dist/governance/capability-classes.js +133 -0
  1360. package/dist/governance/capability-classes.js.map +1 -0
  1361. package/dist/governance/capability-classes.test.d.ts +23 -0
  1362. package/dist/governance/capability-classes.test.d.ts.map +1 -0
  1363. package/dist/governance/capability-classes.test.js +206 -0
  1364. package/dist/governance/capability-classes.test.js.map +1 -0
  1365. package/dist/governance/company-pack-builder.d.ts +46 -0
  1366. package/dist/governance/company-pack-builder.d.ts.map +1 -0
  1367. package/dist/governance/company-pack-builder.js +74 -0
  1368. package/dist/governance/company-pack-builder.js.map +1 -0
  1369. package/dist/governance/confidence-gate.d.ts +129 -0
  1370. package/dist/governance/confidence-gate.d.ts.map +1 -0
  1371. package/dist/governance/confidence-gate.js +253 -0
  1372. package/dist/governance/confidence-gate.js.map +1 -0
  1373. package/dist/governance/council.d.ts +99 -0
  1374. package/dist/governance/council.d.ts.map +1 -0
  1375. package/dist/governance/council.js +305 -0
  1376. package/dist/governance/council.js.map +1 -0
  1377. package/dist/governance/cross-session-pseudonymizer.d.ts +286 -0
  1378. package/dist/governance/cross-session-pseudonymizer.d.ts.map +1 -0
  1379. package/dist/governance/cross-session-pseudonymizer.js +639 -0
  1380. package/dist/governance/cross-session-pseudonymizer.js.map +1 -0
  1381. package/dist/governance/cycle-timeout.d.ts +120 -0
  1382. package/dist/governance/cycle-timeout.d.ts.map +1 -0
  1383. package/dist/governance/cycle-timeout.js +217 -0
  1384. package/dist/governance/cycle-timeout.js.map +1 -0
  1385. package/dist/governance/cycle-token-budget.d.ts +122 -0
  1386. package/dist/governance/cycle-token-budget.d.ts.map +1 -0
  1387. package/dist/governance/cycle-token-budget.js +182 -0
  1388. package/dist/governance/cycle-token-budget.js.map +1 -0
  1389. package/dist/governance/data-subject-rights.d.ts +155 -0
  1390. package/dist/governance/data-subject-rights.d.ts.map +1 -0
  1391. package/dist/governance/data-subject-rights.js +492 -0
  1392. package/dist/governance/data-subject-rights.js.map +1 -0
  1393. package/dist/governance/demo-workspace.d.ts +35 -0
  1394. package/dist/governance/demo-workspace.d.ts.map +1 -0
  1395. package/dist/governance/demo-workspace.js +214 -0
  1396. package/dist/governance/demo-workspace.js.map +1 -0
  1397. package/dist/governance/demo-workspace.test.d.ts +12 -0
  1398. package/dist/governance/demo-workspace.test.d.ts.map +1 -0
  1399. package/dist/governance/demo-workspace.test.js +115 -0
  1400. package/dist/governance/demo-workspace.test.js.map +1 -0
  1401. package/dist/governance/discovery-cli.d.ts +63 -0
  1402. package/dist/governance/discovery-cli.d.ts.map +1 -0
  1403. package/dist/governance/discovery-cli.js +99 -0
  1404. package/dist/governance/discovery-cli.js.map +1 -0
  1405. package/dist/governance/discovery-cli.test.d.ts +7 -0
  1406. package/dist/governance/discovery-cli.test.d.ts.map +1 -0
  1407. package/dist/governance/discovery-cli.test.js +226 -0
  1408. package/dist/governance/discovery-cli.test.js.map +1 -0
  1409. package/dist/governance/gateguard.d.ts +103 -0
  1410. package/dist/governance/gateguard.d.ts.map +1 -0
  1411. package/dist/governance/gateguard.js +302 -0
  1412. package/dist/governance/gateguard.js.map +1 -0
  1413. package/dist/governance/governance-runtime.d.ts +148 -0
  1414. package/dist/governance/governance-runtime.d.ts.map +1 -0
  1415. package/dist/governance/governance-runtime.js +414 -0
  1416. package/dist/governance/governance-runtime.js.map +1 -0
  1417. package/dist/governance/hook-install-snippet.d.ts +42 -0
  1418. package/dist/governance/hook-install-snippet.d.ts.map +1 -0
  1419. package/dist/governance/hook-install-snippet.js +212 -0
  1420. package/dist/governance/hook-install-snippet.js.map +1 -0
  1421. package/dist/governance/hook-install-snippet.test.d.ts +7 -0
  1422. package/dist/governance/hook-install-snippet.test.d.ts.map +1 -0
  1423. package/dist/governance/hook-install-snippet.test.js +130 -0
  1424. package/dist/governance/hook-install-snippet.test.js.map +1 -0
  1425. package/dist/governance/hook-profile.d.ts +215 -0
  1426. package/dist/governance/hook-profile.d.ts.map +1 -0
  1427. package/dist/governance/hook-profile.js +515 -0
  1428. package/dist/governance/hook-profile.js.map +1 -0
  1429. package/dist/governance/improvement-recommendations.d.ts +101 -0
  1430. package/dist/governance/improvement-recommendations.d.ts.map +1 -0
  1431. package/dist/governance/improvement-recommendations.js +171 -0
  1432. package/dist/governance/improvement-recommendations.js.map +1 -0
  1433. package/dist/governance/improvement-recommendations.test.d.ts +11 -0
  1434. package/dist/governance/improvement-recommendations.test.d.ts.map +1 -0
  1435. package/dist/governance/improvement-recommendations.test.js +213 -0
  1436. package/dist/governance/improvement-recommendations.test.js.map +1 -0
  1437. package/dist/governance/incident-notifier.d.ts +195 -0
  1438. package/dist/governance/incident-notifier.d.ts.map +1 -0
  1439. package/dist/governance/incident-notifier.js +527 -0
  1440. package/dist/governance/incident-notifier.js.map +1 -0
  1441. package/dist/governance/index.d.ts +24 -0
  1442. package/dist/governance/index.d.ts.map +1 -0
  1443. package/dist/governance/index.js +67 -0
  1444. package/dist/governance/index.js.map +1 -0
  1445. package/dist/governance/info-action-separation.d.ts +98 -0
  1446. package/dist/governance/info-action-separation.d.ts.map +1 -0
  1447. package/dist/governance/info-action-separation.js +148 -0
  1448. package/dist/governance/info-action-separation.js.map +1 -0
  1449. package/dist/governance/info-action-separation.test.d.ts +20 -0
  1450. package/dist/governance/info-action-separation.test.d.ts.map +1 -0
  1451. package/dist/governance/info-action-separation.test.js +190 -0
  1452. package/dist/governance/info-action-separation.test.js.map +1 -0
  1453. package/dist/governance/instinct-system.d.ts +141 -0
  1454. package/dist/governance/instinct-system.d.ts.map +1 -0
  1455. package/dist/governance/instinct-system.js +388 -0
  1456. package/dist/governance/instinct-system.js.map +1 -0
  1457. package/dist/governance/insurance-certificate.d.ts +88 -0
  1458. package/dist/governance/insurance-certificate.d.ts.map +1 -0
  1459. package/dist/governance/insurance-certificate.js +155 -0
  1460. package/dist/governance/insurance-certificate.js.map +1 -0
  1461. package/dist/governance/insurance-certificate.test.d.ts +7 -0
  1462. package/dist/governance/insurance-certificate.test.d.ts.map +1 -0
  1463. package/dist/governance/insurance-certificate.test.js +240 -0
  1464. package/dist/governance/insurance-certificate.test.js.map +1 -0
  1465. package/dist/governance/manifest-push-emitter.d.ts +51 -0
  1466. package/dist/governance/manifest-push-emitter.d.ts.map +1 -0
  1467. package/dist/governance/manifest-push-emitter.js +111 -0
  1468. package/dist/governance/manifest-push-emitter.js.map +1 -0
  1469. package/dist/governance/manifest-push-emitter.test.d.ts +7 -0
  1470. package/dist/governance/manifest-push-emitter.test.d.ts.map +1 -0
  1471. package/dist/governance/manifest-push-emitter.test.js +250 -0
  1472. package/dist/governance/manifest-push-emitter.test.js.map +1 -0
  1473. package/dist/governance/memory/cross-session-memory.d.ts +100 -0
  1474. package/dist/governance/memory/cross-session-memory.d.ts.map +1 -0
  1475. package/dist/governance/memory/cross-session-memory.js +319 -0
  1476. package/dist/governance/memory/cross-session-memory.js.map +1 -0
  1477. package/dist/governance/memory/index.d.ts +14 -0
  1478. package/dist/governance/memory/index.d.ts.map +1 -0
  1479. package/dist/governance/memory/index.js +27 -0
  1480. package/dist/governance/memory/index.js.map +1 -0
  1481. package/dist/governance/memory/memory-chain.d.ts +109 -0
  1482. package/dist/governance/memory/memory-chain.d.ts.map +1 -0
  1483. package/dist/governance/memory/memory-chain.js +221 -0
  1484. package/dist/governance/memory/memory-chain.js.map +1 -0
  1485. package/dist/governance/memory/retrieval-allowlist.d.ts +120 -0
  1486. package/dist/governance/memory/retrieval-allowlist.d.ts.map +1 -0
  1487. package/dist/governance/memory/retrieval-allowlist.js +177 -0
  1488. package/dist/governance/memory/retrieval-allowlist.js.map +1 -0
  1489. package/dist/governance/memory/session-memory.d.ts +105 -0
  1490. package/dist/governance/memory/session-memory.d.ts.map +1 -0
  1491. package/dist/governance/memory/session-memory.js +220 -0
  1492. package/dist/governance/memory/session-memory.js.map +1 -0
  1493. package/dist/governance/memory-audit-chain.d.ts +218 -0
  1494. package/dist/governance/memory-audit-chain.d.ts.map +1 -0
  1495. package/dist/governance/memory-audit-chain.js +400 -0
  1496. package/dist/governance/memory-audit-chain.js.map +1 -0
  1497. package/dist/governance/memory-integrity.d.ts +82 -0
  1498. package/dist/governance/memory-integrity.d.ts.map +1 -0
  1499. package/dist/governance/memory-integrity.js +304 -0
  1500. package/dist/governance/memory-integrity.js.map +1 -0
  1501. package/dist/governance/multi-store-deletion-worker.d.ts +163 -0
  1502. package/dist/governance/multi-store-deletion-worker.d.ts.map +1 -0
  1503. package/dist/governance/multi-store-deletion-worker.js +300 -0
  1504. package/dist/governance/multi-store-deletion-worker.js.map +1 -0
  1505. package/dist/governance/multi-tenant.d.ts +105 -0
  1506. package/dist/governance/multi-tenant.d.ts.map +1 -0
  1507. package/dist/governance/multi-tenant.js +312 -0
  1508. package/dist/governance/multi-tenant.js.map +1 -0
  1509. package/dist/governance/onboarding-tier-router.d.ts +51 -0
  1510. package/dist/governance/onboarding-tier-router.d.ts.map +1 -0
  1511. package/dist/governance/onboarding-tier-router.js +112 -0
  1512. package/dist/governance/onboarding-tier-router.js.map +1 -0
  1513. package/dist/governance/onboarding-tier-router.test.d.ts +7 -0
  1514. package/dist/governance/onboarding-tier-router.test.d.ts.map +1 -0
  1515. package/dist/governance/onboarding-tier-router.test.js +141 -0
  1516. package/dist/governance/onboarding-tier-router.test.js.map +1 -0
  1517. package/dist/governance/org-reputation.d.ts +54 -0
  1518. package/dist/governance/org-reputation.d.ts.map +1 -0
  1519. package/dist/governance/org-reputation.js +91 -0
  1520. package/dist/governance/org-reputation.js.map +1 -0
  1521. package/dist/governance/org-reputation.test.d.ts +7 -0
  1522. package/dist/governance/org-reputation.test.d.ts.map +1 -0
  1523. package/dist/governance/org-reputation.test.js +190 -0
  1524. package/dist/governance/org-reputation.test.js.map +1 -0
  1525. package/dist/governance/owasp-agentic-scanner.d.ts +100 -0
  1526. package/dist/governance/owasp-agentic-scanner.d.ts.map +1 -0
  1527. package/dist/governance/owasp-agentic-scanner.js +318 -0
  1528. package/dist/governance/owasp-agentic-scanner.js.map +1 -0
  1529. package/dist/governance/owasp-agentic-scanner.test.d.ts +8 -0
  1530. package/dist/governance/owasp-agentic-scanner.test.d.ts.map +1 -0
  1531. package/dist/governance/owasp-agentic-scanner.test.js +163 -0
  1532. package/dist/governance/owasp-agentic-scanner.test.js.map +1 -0
  1533. package/dist/governance/pack-diff.d.ts +61 -0
  1534. package/dist/governance/pack-diff.d.ts.map +1 -0
  1535. package/dist/governance/pack-diff.js +82 -0
  1536. package/dist/governance/pack-diff.js.map +1 -0
  1537. package/dist/governance/pack-diff.test.d.ts +7 -0
  1538. package/dist/governance/pack-diff.test.d.ts.map +1 -0
  1539. package/dist/governance/pack-diff.test.js +242 -0
  1540. package/dist/governance/pack-diff.test.js.map +1 -0
  1541. package/dist/governance/pack-evaluator-prewarm.d.ts +66 -0
  1542. package/dist/governance/pack-evaluator-prewarm.d.ts.map +1 -0
  1543. package/dist/governance/pack-evaluator-prewarm.js +139 -0
  1544. package/dist/governance/pack-evaluator-prewarm.js.map +1 -0
  1545. package/dist/governance/pack-evaluator.d.ts +110 -0
  1546. package/dist/governance/pack-evaluator.d.ts.map +1 -0
  1547. package/dist/governance/pack-evaluator.js +328 -0
  1548. package/dist/governance/pack-evaluator.js.map +1 -0
  1549. package/dist/governance/pack-evaluator.test.d.ts +7 -0
  1550. package/dist/governance/pack-evaluator.test.d.ts.map +1 -0
  1551. package/dist/governance/pack-evaluator.test.js +279 -0
  1552. package/dist/governance/pack-evaluator.test.js.map +1 -0
  1553. package/dist/governance/pack-inheritance.d.ts +121 -0
  1554. package/dist/governance/pack-inheritance.d.ts.map +1 -0
  1555. package/dist/governance/pack-inheritance.js +178 -0
  1556. package/dist/governance/pack-inheritance.js.map +1 -0
  1557. package/dist/governance/pack-inheritance.test.d.ts +17 -0
  1558. package/dist/governance/pack-inheritance.test.d.ts.map +1 -0
  1559. package/dist/governance/pack-inheritance.test.js +207 -0
  1560. package/dist/governance/pack-inheritance.test.js.map +1 -0
  1561. package/dist/governance/pack-publish-workflow.d.ts +60 -0
  1562. package/dist/governance/pack-publish-workflow.d.ts.map +1 -0
  1563. package/dist/governance/pack-publish-workflow.js +85 -0
  1564. package/dist/governance/pack-publish-workflow.js.map +1 -0
  1565. package/dist/governance/pack-publish-workflow.test.d.ts +7 -0
  1566. package/dist/governance/pack-publish-workflow.test.d.ts.map +1 -0
  1567. package/dist/governance/pack-publish-workflow.test.js +211 -0
  1568. package/dist/governance/pack-publish-workflow.test.js.map +1 -0
  1569. package/dist/governance/pack-rule-validator.d.ts +40 -0
  1570. package/dist/governance/pack-rule-validator.d.ts.map +1 -0
  1571. package/dist/governance/pack-rule-validator.js +142 -0
  1572. package/dist/governance/pack-rule-validator.js.map +1 -0
  1573. package/dist/governance/pack-rule-validator.test.d.ts +7 -0
  1574. package/dist/governance/pack-rule-validator.test.d.ts.map +1 -0
  1575. package/dist/governance/pack-rule-validator.test.js +153 -0
  1576. package/dist/governance/pack-rule-validator.test.js.map +1 -0
  1577. package/dist/governance/pack-versioning.d.ts +75 -0
  1578. package/dist/governance/pack-versioning.d.ts.map +1 -0
  1579. package/dist/governance/pack-versioning.js +192 -0
  1580. package/dist/governance/pack-versioning.js.map +1 -0
  1581. package/dist/governance/pack-versioning.test.d.ts +7 -0
  1582. package/dist/governance/pack-versioning.test.d.ts.map +1 -0
  1583. package/dist/governance/pack-versioning.test.js +172 -0
  1584. package/dist/governance/pack-versioning.test.js.map +1 -0
  1585. package/dist/governance/partner-manager.d.ts +185 -0
  1586. package/dist/governance/partner-manager.d.ts.map +1 -0
  1587. package/dist/governance/partner-manager.js +258 -0
  1588. package/dist/governance/partner-manager.js.map +1 -0
  1589. package/dist/governance/paste-your-agent.d.ts +30 -0
  1590. package/dist/governance/paste-your-agent.d.ts.map +1 -0
  1591. package/dist/governance/paste-your-agent.js +154 -0
  1592. package/dist/governance/paste-your-agent.js.map +1 -0
  1593. package/dist/governance/paste-your-agent.test.d.ts +7 -0
  1594. package/dist/governance/paste-your-agent.test.d.ts.map +1 -0
  1595. package/dist/governance/paste-your-agent.test.js +140 -0
  1596. package/dist/governance/paste-your-agent.test.js.map +1 -0
  1597. package/dist/governance/per-agent-daily-budget.d.ts +329 -0
  1598. package/dist/governance/per-agent-daily-budget.d.ts.map +1 -0
  1599. package/dist/governance/per-agent-daily-budget.js +699 -0
  1600. package/dist/governance/per-agent-daily-budget.js.map +1 -0
  1601. package/dist/governance/per-agent-override.test.d.ts +21 -0
  1602. package/dist/governance/per-agent-override.test.d.ts.map +1 -0
  1603. package/dist/governance/per-agent-override.test.js +274 -0
  1604. package/dist/governance/per-agent-override.test.js.map +1 -0
  1605. package/dist/governance/plugin-system.d.ts +519 -0
  1606. package/dist/governance/plugin-system.d.ts.map +1 -0
  1607. package/dist/governance/plugin-system.js +964 -0
  1608. package/dist/governance/plugin-system.js.map +1 -0
  1609. package/dist/governance/policy-tuning.d.ts +190 -0
  1610. package/dist/governance/policy-tuning.d.ts.map +1 -0
  1611. package/dist/governance/policy-tuning.js +359 -0
  1612. package/dist/governance/policy-tuning.js.map +1 -0
  1613. package/dist/governance/post-market-monitor.d.ts +114 -0
  1614. package/dist/governance/post-market-monitor.d.ts.map +1 -0
  1615. package/dist/governance/post-market-monitor.js +279 -0
  1616. package/dist/governance/post-market-monitor.js.map +1 -0
  1617. package/dist/governance/post-tool-audit-enrichment.d.ts +286 -0
  1618. package/dist/governance/post-tool-audit-enrichment.d.ts.map +1 -0
  1619. package/dist/governance/post-tool-audit-enrichment.js +504 -0
  1620. package/dist/governance/post-tool-audit-enrichment.js.map +1 -0
  1621. package/dist/governance/prohibited-practices.d.ts +85 -0
  1622. package/dist/governance/prohibited-practices.d.ts.map +1 -0
  1623. package/dist/governance/prohibited-practices.js +267 -0
  1624. package/dist/governance/prohibited-practices.js.map +1 -0
  1625. package/dist/governance/proxy-onboarding.d.ts +47 -0
  1626. package/dist/governance/proxy-onboarding.d.ts.map +1 -0
  1627. package/dist/governance/proxy-onboarding.js +306 -0
  1628. package/dist/governance/proxy-onboarding.js.map +1 -0
  1629. package/dist/governance/proxy-onboarding.test.d.ts +7 -0
  1630. package/dist/governance/proxy-onboarding.test.d.ts.map +1 -0
  1631. package/dist/governance/proxy-onboarding.test.js +135 -0
  1632. package/dist/governance/proxy-onboarding.test.js.map +1 -0
  1633. package/dist/governance/rag-citation-enforcement.d.ts +400 -0
  1634. package/dist/governance/rag-citation-enforcement.d.ts.map +1 -0
  1635. package/dist/governance/rag-citation-enforcement.js +568 -0
  1636. package/dist/governance/rag-citation-enforcement.js.map +1 -0
  1637. package/dist/governance/rag-confidence-threshold.d.ts +249 -0
  1638. package/dist/governance/rag-confidence-threshold.d.ts.map +1 -0
  1639. package/dist/governance/rag-confidence-threshold.js +449 -0
  1640. package/dist/governance/rag-confidence-threshold.js.map +1 -0
  1641. package/dist/governance/rag-retrieval-audit.d.ts +377 -0
  1642. package/dist/governance/rag-retrieval-audit.d.ts.map +1 -0
  1643. package/dist/governance/rag-retrieval-audit.js +517 -0
  1644. package/dist/governance/rag-retrieval-audit.js.map +1 -0
  1645. package/dist/governance/rag-source-allowlist.d.ts +273 -0
  1646. package/dist/governance/rag-source-allowlist.d.ts.map +1 -0
  1647. package/dist/governance/rag-source-allowlist.js +535 -0
  1648. package/dist/governance/rag-source-allowlist.js.map +1 -0
  1649. package/dist/governance/rag-source-output-chain.d.ts +420 -0
  1650. package/dist/governance/rag-source-output-chain.d.ts.map +1 -0
  1651. package/dist/governance/rag-source-output-chain.js +682 -0
  1652. package/dist/governance/rag-source-output-chain.js.map +1 -0
  1653. package/dist/governance/replay-player.d.ts +55 -0
  1654. package/dist/governance/replay-player.d.ts.map +1 -0
  1655. package/dist/governance/replay-player.js +89 -0
  1656. package/dist/governance/replay-player.js.map +1 -0
  1657. package/dist/governance/replay-player.test.d.ts +7 -0
  1658. package/dist/governance/replay-player.test.d.ts.map +1 -0
  1659. package/dist/governance/replay-player.test.js +192 -0
  1660. package/dist/governance/replay-player.test.js.map +1 -0
  1661. package/dist/governance/retention-manager.d.ts +189 -0
  1662. package/dist/governance/retention-manager.d.ts.map +1 -0
  1663. package/dist/governance/retention-manager.js +566 -0
  1664. package/dist/governance/retention-manager.js.map +1 -0
  1665. package/dist/governance/runtime-event-renderer.d.ts +55 -0
  1666. package/dist/governance/runtime-event-renderer.d.ts.map +1 -0
  1667. package/dist/governance/runtime-event-renderer.js +137 -0
  1668. package/dist/governance/runtime-event-renderer.js.map +1 -0
  1669. package/dist/governance/runtime-event-renderer.test.d.ts +7 -0
  1670. package/dist/governance/runtime-event-renderer.test.d.ts.map +1 -0
  1671. package/dist/governance/runtime-event-renderer.test.js +195 -0
  1672. package/dist/governance/runtime-event-renderer.test.js.map +1 -0
  1673. package/dist/governance/sandbox-replay.d.ts +52 -0
  1674. package/dist/governance/sandbox-replay.d.ts.map +1 -0
  1675. package/dist/governance/sandbox-replay.js +189 -0
  1676. package/dist/governance/sandbox-replay.js.map +1 -0
  1677. package/dist/governance/sandbox-replay.test.d.ts +7 -0
  1678. package/dist/governance/sandbox-replay.test.d.ts.map +1 -0
  1679. package/dist/governance/sandbox-replay.test.js +117 -0
  1680. package/dist/governance/sandbox-replay.test.js.map +1 -0
  1681. package/dist/governance/self-registration-hook.d.ts +65 -0
  1682. package/dist/governance/self-registration-hook.d.ts.map +1 -0
  1683. package/dist/governance/self-registration-hook.js +116 -0
  1684. package/dist/governance/self-registration-hook.js.map +1 -0
  1685. package/dist/governance/self-registration-hook.test.d.ts +7 -0
  1686. package/dist/governance/self-registration-hook.test.d.ts.map +1 -0
  1687. package/dist/governance/self-registration-hook.test.js +149 -0
  1688. package/dist/governance/self-registration-hook.test.js.map +1 -0
  1689. package/dist/governance/session-persistence.d.ts +153 -0
  1690. package/dist/governance/session-persistence.d.ts.map +1 -0
  1691. package/dist/governance/session-persistence.js +376 -0
  1692. package/dist/governance/session-persistence.js.map +1 -0
  1693. package/dist/governance/signed-manifest.d.ts +81 -0
  1694. package/dist/governance/signed-manifest.d.ts.map +1 -0
  1695. package/dist/governance/signed-manifest.js +161 -0
  1696. package/dist/governance/signed-manifest.js.map +1 -0
  1697. package/dist/governance/signed-manifest.test.d.ts +7 -0
  1698. package/dist/governance/signed-manifest.test.d.ts.map +1 -0
  1699. package/dist/governance/signed-manifest.test.js +149 -0
  1700. package/dist/governance/signed-manifest.test.js.map +1 -0
  1701. package/dist/governance/skip-api-empty-queue.d.ts +304 -0
  1702. package/dist/governance/skip-api-empty-queue.d.ts.map +1 -0
  1703. package/dist/governance/skip-api-empty-queue.js +499 -0
  1704. package/dist/governance/skip-api-empty-queue.js.map +1 -0
  1705. package/dist/governance/state-manager.d.ts +102 -0
  1706. package/dist/governance/state-manager.d.ts.map +1 -0
  1707. package/dist/governance/state-manager.js +286 -0
  1708. package/dist/governance/state-manager.js.map +1 -0
  1709. package/dist/governance/tenant-provider-agreements.d.ts +211 -0
  1710. package/dist/governance/tenant-provider-agreements.d.ts.map +1 -0
  1711. package/dist/governance/tenant-provider-agreements.js +440 -0
  1712. package/dist/governance/tenant-provider-agreements.js.map +1 -0
  1713. package/dist/governance/tool-provider-health.d.ts +299 -0
  1714. package/dist/governance/tool-provider-health.d.ts.map +1 -0
  1715. package/dist/governance/tool-provider-health.js +697 -0
  1716. package/dist/governance/tool-provider-health.js.map +1 -0
  1717. package/dist/governance/tool-rate-limit.d.ts +94 -0
  1718. package/dist/governance/tool-rate-limit.d.ts.map +1 -0
  1719. package/dist/governance/tool-rate-limit.js +145 -0
  1720. package/dist/governance/tool-rate-limit.js.map +1 -0
  1721. package/dist/governance/transparency-injector.d.ts +102 -0
  1722. package/dist/governance/transparency-injector.d.ts.map +1 -0
  1723. package/dist/governance/transparency-injector.js +162 -0
  1724. package/dist/governance/transparency-injector.js.map +1 -0
  1725. package/dist/governance/trust-score-snapshot.d.ts +61 -0
  1726. package/dist/governance/trust-score-snapshot.d.ts.map +1 -0
  1727. package/dist/governance/trust-score-snapshot.js +98 -0
  1728. package/dist/governance/trust-score-snapshot.js.map +1 -0
  1729. package/dist/governance/trust-score-snapshot.test.d.ts +7 -0
  1730. package/dist/governance/trust-score-snapshot.test.d.ts.map +1 -0
  1731. package/dist/governance/trust-score-snapshot.test.js +187 -0
  1732. package/dist/governance/trust-score-snapshot.test.js.map +1 -0
  1733. package/dist/governance/trust-score-three-dim.d.ts +122 -0
  1734. package/dist/governance/trust-score-three-dim.d.ts.map +1 -0
  1735. package/dist/governance/trust-score-three-dim.js +176 -0
  1736. package/dist/governance/trust-score-three-dim.js.map +1 -0
  1737. package/dist/governance/trust-score-three-dim.test.d.ts +7 -0
  1738. package/dist/governance/trust-score-three-dim.test.d.ts.map +1 -0
  1739. package/dist/governance/trust-score-three-dim.test.js +221 -0
  1740. package/dist/governance/trust-score-three-dim.test.js.map +1 -0
  1741. package/dist/governance-config.d.ts +201 -0
  1742. package/dist/governance-config.d.ts.map +1 -0
  1743. package/dist/governance-config.js +345 -0
  1744. package/dist/governance-config.js.map +1 -0
  1745. package/dist/governed-agent.d.ts +124 -0
  1746. package/dist/governed-agent.d.ts.map +1 -0
  1747. package/dist/governed-agent.js +1317 -0
  1748. package/dist/governed-agent.js.map +1 -0
  1749. package/dist/hooks/audit-dir-picker.sh +70 -0
  1750. package/dist/hooks/audit-logger.sh +325 -0
  1751. package/dist/hooks/cost-budget-gate.sh +74 -0
  1752. package/dist/hooks/data-classifier-bridge.d.ts +24 -0
  1753. package/dist/hooks/data-classifier-bridge.d.ts.map +1 -0
  1754. package/dist/hooks/data-classifier-bridge.js +80 -0
  1755. package/dist/hooks/data-classifier-bridge.js.map +1 -0
  1756. package/dist/hooks/destructive-command-guard.sh +200 -0
  1757. package/dist/hooks/file-boundary-guard.sh +159 -0
  1758. package/dist/hooks/file-change-tracker.sh +78 -0
  1759. package/dist/hooks/governance-file-shield.sh +102 -0
  1760. package/dist/hooks/governance-integrity-check.sh +109 -0
  1761. package/dist/hooks/hook-health-monitor.sh +189 -0
  1762. package/dist/hooks/hook-utils.sh +51 -0
  1763. package/dist/hooks/hook-wrapper.sh +77 -0
  1764. package/dist/hooks/install-hooks.sh +162 -0
  1765. package/dist/hooks/output-exfiltration-scanner.sh +112 -0
  1766. package/dist/hooks/powershell/audit-dir-picker.ps1 +72 -0
  1767. package/dist/hooks/powershell/audit-logger.ps1 +75 -0
  1768. package/dist/hooks/powershell/cost-budget-gate.ps1 +61 -0
  1769. package/dist/hooks/powershell/destructive-command-guard.ps1 +67 -0
  1770. package/dist/hooks/powershell/file-boundary-guard.ps1 +76 -0
  1771. package/dist/hooks/powershell/file-change-tracker.ps1 +74 -0
  1772. package/dist/hooks/powershell/governance-file-shield.ps1 +86 -0
  1773. package/dist/hooks/powershell/governance-integrity-check.ps1 +101 -0
  1774. package/dist/hooks/powershell/hook-health-monitor.ps1 +153 -0
  1775. package/dist/hooks/powershell/hook-utils.ps1 +44 -0
  1776. package/dist/hooks/powershell/hook-wrapper.ps1 +67 -0
  1777. package/dist/hooks/powershell/install-hooks.ps1 +142 -0
  1778. package/dist/hooks/powershell/output-exfiltration-scanner.ps1 +85 -0
  1779. package/dist/hooks/powershell/secret-leak-scanner.ps1 +105 -0
  1780. package/dist/hooks/powershell/token-tracker.ps1 +83 -0
  1781. package/dist/hooks/powershell/web-access-gate.ps1 +89 -0
  1782. package/dist/hooks/secret-leak-scanner.sh +293 -0
  1783. package/dist/hooks/token-tracker.sh +89 -0
  1784. package/dist/hooks/web-access-gate.sh +123 -0
  1785. package/dist/ide-adapters/aider.d.ts +213 -0
  1786. package/dist/ide-adapters/aider.d.ts.map +1 -0
  1787. package/dist/ide-adapters/aider.js +710 -0
  1788. package/dist/ide-adapters/aider.js.map +1 -0
  1789. package/dist/ide-adapters/amazon-q-developer.d.ts +124 -0
  1790. package/dist/ide-adapters/amazon-q-developer.d.ts.map +1 -0
  1791. package/dist/ide-adapters/amazon-q-developer.js +686 -0
  1792. package/dist/ide-adapters/amazon-q-developer.js.map +1 -0
  1793. package/dist/ide-adapters/base.d.ts +64 -0
  1794. package/dist/ide-adapters/base.d.ts.map +1 -0
  1795. package/dist/ide-adapters/base.js +233 -0
  1796. package/dist/ide-adapters/base.js.map +1 -0
  1797. package/dist/ide-adapters/claude-code.d.ts +43 -0
  1798. package/dist/ide-adapters/claude-code.d.ts.map +1 -0
  1799. package/dist/ide-adapters/claude-code.js +192 -0
  1800. package/dist/ide-adapters/claude-code.js.map +1 -0
  1801. package/dist/ide-adapters/cody.d.ts +150 -0
  1802. package/dist/ide-adapters/cody.d.ts.map +1 -0
  1803. package/dist/ide-adapters/cody.js +767 -0
  1804. package/dist/ide-adapters/cody.js.map +1 -0
  1805. package/dist/ide-adapters/continue-dev.d.ts +120 -0
  1806. package/dist/ide-adapters/continue-dev.d.ts.map +1 -0
  1807. package/dist/ide-adapters/continue-dev.js +359 -0
  1808. package/dist/ide-adapters/continue-dev.js.map +1 -0
  1809. package/dist/ide-adapters/copilot-studio.d.ts +310 -0
  1810. package/dist/ide-adapters/copilot-studio.d.ts.map +1 -0
  1811. package/dist/ide-adapters/copilot-studio.js +1097 -0
  1812. package/dist/ide-adapters/copilot-studio.js.map +1 -0
  1813. package/dist/ide-adapters/copilot-workspace.d.ts +167 -0
  1814. package/dist/ide-adapters/copilot-workspace.d.ts.map +1 -0
  1815. package/dist/ide-adapters/copilot-workspace.js +376 -0
  1816. package/dist/ide-adapters/copilot-workspace.js.map +1 -0
  1817. package/dist/ide-adapters/cursor.d.ts +74 -0
  1818. package/dist/ide-adapters/cursor.d.ts.map +1 -0
  1819. package/dist/ide-adapters/cursor.js +273 -0
  1820. package/dist/ide-adapters/cursor.js.map +1 -0
  1821. package/dist/ide-adapters/exports.d.ts +53 -0
  1822. package/dist/ide-adapters/exports.d.ts.map +1 -0
  1823. package/dist/ide-adapters/exports.js +115 -0
  1824. package/dist/ide-adapters/exports.js.map +1 -0
  1825. package/dist/ide-adapters/gemini-code-assist.d.ts +135 -0
  1826. package/dist/ide-adapters/gemini-code-assist.d.ts.map +1 -0
  1827. package/dist/ide-adapters/gemini-code-assist.js +750 -0
  1828. package/dist/ide-adapters/gemini-code-assist.js.map +1 -0
  1829. package/dist/ide-adapters/github-copilot.d.ts +166 -0
  1830. package/dist/ide-adapters/github-copilot.d.ts.map +1 -0
  1831. package/dist/ide-adapters/github-copilot.js +547 -0
  1832. package/dist/ide-adapters/github-copilot.js.map +1 -0
  1833. package/dist/ide-adapters/index.d.ts +271 -0
  1834. package/dist/ide-adapters/index.d.ts.map +1 -0
  1835. package/dist/ide-adapters/index.js +100 -0
  1836. package/dist/ide-adapters/index.js.map +1 -0
  1837. package/dist/ide-adapters/jetbrains-ai.d.ts +150 -0
  1838. package/dist/ide-adapters/jetbrains-ai.d.ts.map +1 -0
  1839. package/dist/ide-adapters/jetbrains-ai.js +718 -0
  1840. package/dist/ide-adapters/jetbrains-ai.js.map +1 -0
  1841. package/dist/ide-adapters/notebook-ai.d.ts +220 -0
  1842. package/dist/ide-adapters/notebook-ai.d.ts.map +1 -0
  1843. package/dist/ide-adapters/notebook-ai.js +858 -0
  1844. package/dist/ide-adapters/notebook-ai.js.map +1 -0
  1845. package/dist/ide-adapters/replit-agent.d.ts +269 -0
  1846. package/dist/ide-adapters/replit-agent.d.ts.map +1 -0
  1847. package/dist/ide-adapters/replit-agent.js +1022 -0
  1848. package/dist/ide-adapters/replit-agent.js.map +1 -0
  1849. package/dist/ide-adapters/reviewer-tier.d.ts +15 -0
  1850. package/dist/ide-adapters/reviewer-tier.d.ts.map +1 -0
  1851. package/dist/ide-adapters/reviewer-tier.js +16 -0
  1852. package/dist/ide-adapters/reviewer-tier.js.map +1 -0
  1853. package/dist/ide-adapters/shared.d.ts +116 -0
  1854. package/dist/ide-adapters/shared.d.ts.map +1 -0
  1855. package/dist/ide-adapters/shared.js +311 -0
  1856. package/dist/ide-adapters/shared.js.map +1 -0
  1857. package/dist/ide-adapters/tabnine.d.ts +189 -0
  1858. package/dist/ide-adapters/tabnine.d.ts.map +1 -0
  1859. package/dist/ide-adapters/tabnine.js +721 -0
  1860. package/dist/ide-adapters/tabnine.js.map +1 -0
  1861. package/dist/ide-adapters/windsurf.d.ts +216 -0
  1862. package/dist/ide-adapters/windsurf.d.ts.map +1 -0
  1863. package/dist/ide-adapters/windsurf.js +812 -0
  1864. package/dist/ide-adapters/windsurf.js.map +1 -0
  1865. package/dist/ide-adapters/zed-ai.d.ts +209 -0
  1866. package/dist/ide-adapters/zed-ai.d.ts.map +1 -0
  1867. package/dist/ide-adapters/zed-ai.js +622 -0
  1868. package/dist/ide-adapters/zed-ai.js.map +1 -0
  1869. package/dist/index.d.ts +104 -0
  1870. package/dist/index.d.ts.map +1 -0
  1871. package/dist/index.js +366 -0
  1872. package/dist/index.js.map +1 -0
  1873. package/dist/license/entitlement-client.d.ts +111 -0
  1874. package/dist/license/entitlement-client.d.ts.map +1 -0
  1875. package/dist/license/entitlement-client.js +306 -0
  1876. package/dist/license/entitlement-client.js.map +1 -0
  1877. package/dist/license/index.d.ts +10 -0
  1878. package/dist/license/index.d.ts.map +1 -0
  1879. package/dist/license/index.js +14 -0
  1880. package/dist/license/index.js.map +1 -0
  1881. package/dist/license/jwt-issuer.d.ts +64 -0
  1882. package/dist/license/jwt-issuer.d.ts.map +1 -0
  1883. package/dist/license/jwt-issuer.js +144 -0
  1884. package/dist/license/jwt-issuer.js.map +1 -0
  1885. package/dist/license/jwt-validator.d.ts +145 -0
  1886. package/dist/license/jwt-validator.d.ts.map +1 -0
  1887. package/dist/license/jwt-validator.js +498 -0
  1888. package/dist/license/jwt-validator.js.map +1 -0
  1889. package/dist/license/keygen.d.ts +16 -0
  1890. package/dist/license/keygen.d.ts.map +1 -0
  1891. package/dist/license/keygen.js +100 -0
  1892. package/dist/license/keygen.js.map +1 -0
  1893. package/dist/license/subscription-gate.d.ts +99 -0
  1894. package/dist/license/subscription-gate.d.ts.map +1 -0
  1895. package/dist/license/subscription-gate.js +293 -0
  1896. package/dist/license/subscription-gate.js.map +1 -0
  1897. package/dist/llm-adapters/azure-openai.d.ts +69 -0
  1898. package/dist/llm-adapters/azure-openai.d.ts.map +1 -0
  1899. package/dist/llm-adapters/azure-openai.js +702 -0
  1900. package/dist/llm-adapters/azure-openai.js.map +1 -0
  1901. package/dist/llm-adapters/base.d.ts +97 -0
  1902. package/dist/llm-adapters/base.d.ts.map +1 -0
  1903. package/dist/llm-adapters/base.js +265 -0
  1904. package/dist/llm-adapters/base.js.map +1 -0
  1905. package/dist/llm-adapters/bedrock.d.ts +67 -0
  1906. package/dist/llm-adapters/bedrock.d.ts.map +1 -0
  1907. package/dist/llm-adapters/bedrock.js +751 -0
  1908. package/dist/llm-adapters/bedrock.js.map +1 -0
  1909. package/dist/llm-adapters/claude.d.ts +84 -0
  1910. package/dist/llm-adapters/claude.d.ts.map +1 -0
  1911. package/dist/llm-adapters/claude.js +273 -0
  1912. package/dist/llm-adapters/claude.js.map +1 -0
  1913. package/dist/llm-adapters/deepseek.d.ts +113 -0
  1914. package/dist/llm-adapters/deepseek.d.ts.map +1 -0
  1915. package/dist/llm-adapters/deepseek.js +754 -0
  1916. package/dist/llm-adapters/deepseek.js.map +1 -0
  1917. package/dist/llm-adapters/exports.d.ts +40 -0
  1918. package/dist/llm-adapters/exports.d.ts.map +1 -0
  1919. package/dist/llm-adapters/exports.js +74 -0
  1920. package/dist/llm-adapters/exports.js.map +1 -0
  1921. package/dist/llm-adapters/gemini.d.ts +106 -0
  1922. package/dist/llm-adapters/gemini.d.ts.map +1 -0
  1923. package/dist/llm-adapters/gemini.js +201 -0
  1924. package/dist/llm-adapters/gemini.js.map +1 -0
  1925. package/dist/llm-adapters/gemma.d.ts +200 -0
  1926. package/dist/llm-adapters/gemma.d.ts.map +1 -0
  1927. package/dist/llm-adapters/gemma.js +270 -0
  1928. package/dist/llm-adapters/gemma.js.map +1 -0
  1929. package/dist/llm-adapters/google.d.ts +221 -0
  1930. package/dist/llm-adapters/google.d.ts.map +1 -0
  1931. package/dist/llm-adapters/google.js +1176 -0
  1932. package/dist/llm-adapters/google.js.map +1 -0
  1933. package/dist/llm-adapters/huggingface.d.ts +354 -0
  1934. package/dist/llm-adapters/huggingface.d.ts.map +1 -0
  1935. package/dist/llm-adapters/huggingface.js +622 -0
  1936. package/dist/llm-adapters/huggingface.js.map +1 -0
  1937. package/dist/llm-adapters/index.d.ts +331 -0
  1938. package/dist/llm-adapters/index.d.ts.map +1 -0
  1939. package/dist/llm-adapters/index.js +96 -0
  1940. package/dist/llm-adapters/index.js.map +1 -0
  1941. package/dist/llm-adapters/ollama.d.ts +90 -0
  1942. package/dist/llm-adapters/ollama.d.ts.map +1 -0
  1943. package/dist/llm-adapters/ollama.js +624 -0
  1944. package/dist/llm-adapters/ollama.js.map +1 -0
  1945. package/dist/llm-adapters/openai.d.ts +168 -0
  1946. package/dist/llm-adapters/openai.d.ts.map +1 -0
  1947. package/dist/llm-adapters/openai.js +363 -0
  1948. package/dist/llm-adapters/openai.js.map +1 -0
  1949. package/dist/llm-adapters/replicate-llama.d.ts +327 -0
  1950. package/dist/llm-adapters/replicate-llama.d.ts.map +1 -0
  1951. package/dist/llm-adapters/replicate-llama.js +600 -0
  1952. package/dist/llm-adapters/replicate-llama.js.map +1 -0
  1953. package/dist/llm-adapters/shared.d.ts +104 -0
  1954. package/dist/llm-adapters/shared.d.ts.map +1 -0
  1955. package/dist/llm-adapters/shared.js +341 -0
  1956. package/dist/llm-adapters/shared.js.map +1 -0
  1957. package/dist/llm-adapters/supported-models-catalog.d.ts +112 -0
  1958. package/dist/llm-adapters/supported-models-catalog.d.ts.map +1 -0
  1959. package/dist/llm-adapters/supported-models-catalog.js +748 -0
  1960. package/dist/llm-adapters/supported-models-catalog.js.map +1 -0
  1961. package/dist/observability/destination-health-monitor.d.ts +147 -0
  1962. package/dist/observability/destination-health-monitor.d.ts.map +1 -0
  1963. package/dist/observability/destination-health-monitor.js +244 -0
  1964. package/dist/observability/destination-health-monitor.js.map +1 -0
  1965. package/dist/observability/health-metrics-store.d.ts +112 -0
  1966. package/dist/observability/health-metrics-store.d.ts.map +1 -0
  1967. package/dist/observability/health-metrics-store.js +131 -0
  1968. package/dist/observability/health-metrics-store.js.map +1 -0
  1969. package/dist/orchestrator-adapters/autogen.d.ts +225 -0
  1970. package/dist/orchestrator-adapters/autogen.d.ts.map +1 -0
  1971. package/dist/orchestrator-adapters/autogen.js +522 -0
  1972. package/dist/orchestrator-adapters/autogen.js.map +1 -0
  1973. package/dist/orchestrator-adapters/base.d.ts +100 -0
  1974. package/dist/orchestrator-adapters/base.d.ts.map +1 -0
  1975. package/dist/orchestrator-adapters/base.js +403 -0
  1976. package/dist/orchestrator-adapters/base.js.map +1 -0
  1977. package/dist/orchestrator-adapters/bedrock-agentcore.d.ts +314 -0
  1978. package/dist/orchestrator-adapters/bedrock-agentcore.d.ts.map +1 -0
  1979. package/dist/orchestrator-adapters/bedrock-agentcore.js +845 -0
  1980. package/dist/orchestrator-adapters/bedrock-agentcore.js.map +1 -0
  1981. package/dist/orchestrator-adapters/claude-agent-sdk.d.ts +288 -0
  1982. package/dist/orchestrator-adapters/claude-agent-sdk.d.ts.map +1 -0
  1983. package/dist/orchestrator-adapters/claude-agent-sdk.js +732 -0
  1984. package/dist/orchestrator-adapters/claude-agent-sdk.js.map +1 -0
  1985. package/dist/orchestrator-adapters/crewai.d.ts +161 -0
  1986. package/dist/orchestrator-adapters/crewai.d.ts.map +1 -0
  1987. package/dist/orchestrator-adapters/crewai.js +507 -0
  1988. package/dist/orchestrator-adapters/crewai.js.map +1 -0
  1989. package/dist/orchestrator-adapters/deepagents.d.ts +218 -0
  1990. package/dist/orchestrator-adapters/deepagents.d.ts.map +1 -0
  1991. package/dist/orchestrator-adapters/deepagents.js +382 -0
  1992. package/dist/orchestrator-adapters/deepagents.js.map +1 -0
  1993. package/dist/orchestrator-adapters/exports.d.ts +30 -0
  1994. package/dist/orchestrator-adapters/exports.d.ts.map +1 -0
  1995. package/dist/orchestrator-adapters/exports.js +94 -0
  1996. package/dist/orchestrator-adapters/exports.js.map +1 -0
  1997. package/dist/orchestrator-adapters/google-adk.d.ts +306 -0
  1998. package/dist/orchestrator-adapters/google-adk.d.ts.map +1 -0
  1999. package/dist/orchestrator-adapters/google-adk.js +805 -0
  2000. package/dist/orchestrator-adapters/google-adk.js.map +1 -0
  2001. package/dist/orchestrator-adapters/haystack.d.ts +327 -0
  2002. package/dist/orchestrator-adapters/haystack.d.ts.map +1 -0
  2003. package/dist/orchestrator-adapters/haystack.js +841 -0
  2004. package/dist/orchestrator-adapters/haystack.js.map +1 -0
  2005. package/dist/orchestrator-adapters/index.d.ts +328 -0
  2006. package/dist/orchestrator-adapters/index.d.ts.map +1 -0
  2007. package/dist/orchestrator-adapters/index.js +117 -0
  2008. package/dist/orchestrator-adapters/index.js.map +1 -0
  2009. package/dist/orchestrator-adapters/langchain.d.ts +186 -0
  2010. package/dist/orchestrator-adapters/langchain.d.ts.map +1 -0
  2011. package/dist/orchestrator-adapters/langchain.js +495 -0
  2012. package/dist/orchestrator-adapters/langchain.js.map +1 -0
  2013. package/dist/orchestrator-adapters/langgraph.d.ts +234 -0
  2014. package/dist/orchestrator-adapters/langgraph.d.ts.map +1 -0
  2015. package/dist/orchestrator-adapters/langgraph.js +502 -0
  2016. package/dist/orchestrator-adapters/langgraph.js.map +1 -0
  2017. package/dist/orchestrator-adapters/llamaindex.d.ts +325 -0
  2018. package/dist/orchestrator-adapters/llamaindex.d.ts.map +1 -0
  2019. package/dist/orchestrator-adapters/llamaindex.js +850 -0
  2020. package/dist/orchestrator-adapters/llamaindex.js.map +1 -0
  2021. package/dist/orchestrator-adapters/openai-agents.d.ts +238 -0
  2022. package/dist/orchestrator-adapters/openai-agents.d.ts.map +1 -0
  2023. package/dist/orchestrator-adapters/openai-agents.js +532 -0
  2024. package/dist/orchestrator-adapters/openai-agents.js.map +1 -0
  2025. package/dist/orchestrator-adapters/openclaw.d.ts +327 -0
  2026. package/dist/orchestrator-adapters/openclaw.d.ts.map +1 -0
  2027. package/dist/orchestrator-adapters/openclaw.js +896 -0
  2028. package/dist/orchestrator-adapters/openclaw.js.map +1 -0
  2029. package/dist/orchestrator-adapters/orchestrator-adapter.d.ts +170 -0
  2030. package/dist/orchestrator-adapters/orchestrator-adapter.d.ts.map +1 -0
  2031. package/dist/orchestrator-adapters/orchestrator-adapter.js +34 -0
  2032. package/dist/orchestrator-adapters/orchestrator-adapter.js.map +1 -0
  2033. package/dist/orchestrator-adapters/paperclip-adapter.d.ts +91 -0
  2034. package/dist/orchestrator-adapters/paperclip-adapter.d.ts.map +1 -0
  2035. package/dist/orchestrator-adapters/paperclip-adapter.js +403 -0
  2036. package/dist/orchestrator-adapters/paperclip-adapter.js.map +1 -0
  2037. package/dist/orchestrator-adapters/semantic-kernel.d.ts +218 -0
  2038. package/dist/orchestrator-adapters/semantic-kernel.d.ts.map +1 -0
  2039. package/dist/orchestrator-adapters/semantic-kernel.js +525 -0
  2040. package/dist/orchestrator-adapters/semantic-kernel.js.map +1 -0
  2041. package/dist/orchestrator-adapters/shared.d.ts +49 -0
  2042. package/dist/orchestrator-adapters/shared.d.ts.map +1 -0
  2043. package/dist/orchestrator-adapters/shared.js +161 -0
  2044. package/dist/orchestrator-adapters/shared.js.map +1 -0
  2045. package/dist/packs/_base-classifiers.d.ts +73 -0
  2046. package/dist/packs/_base-classifiers.d.ts.map +1 -0
  2047. package/dist/packs/_base-classifiers.js +165 -0
  2048. package/dist/packs/_base-classifiers.js.map +1 -0
  2049. package/dist/packs/aba.d.ts +41 -0
  2050. package/dist/packs/aba.d.ts.map +1 -0
  2051. package/dist/packs/aba.js +300 -0
  2052. package/dist/packs/aba.js.map +1 -0
  2053. package/dist/packs/as-9100.d.ts +130 -0
  2054. package/dist/packs/as-9100.d.ts.map +1 -0
  2055. package/dist/packs/as-9100.js +817 -0
  2056. package/dist/packs/as-9100.js.map +1 -0
  2057. package/dist/packs/au-act-hrpaa.d.ts +68 -0
  2058. package/dist/packs/au-act-hrpaa.d.ts.map +1 -0
  2059. package/dist/packs/au-act-hrpaa.js +293 -0
  2060. package/dist/packs/au-act-hrpaa.js.map +1 -0
  2061. package/dist/packs/au-aiethics-framework.d.ts +68 -0
  2062. package/dist/packs/au-aiethics-framework.d.ts.map +1 -0
  2063. package/dist/packs/au-aiethics-framework.js +344 -0
  2064. package/dist/packs/au-aiethics-framework.js.map +1 -0
  2065. package/dist/packs/au-aml-ctf.d.ts +67 -0
  2066. package/dist/packs/au-aml-ctf.d.ts.map +1 -0
  2067. package/dist/packs/au-aml-ctf.js +349 -0
  2068. package/dist/packs/au-aml-ctf.js.map +1 -0
  2069. package/dist/packs/au-asic-rg-271.d.ts +50 -0
  2070. package/dist/packs/au-asic-rg-271.d.ts.map +1 -0
  2071. package/dist/packs/au-asic-rg-271.js +271 -0
  2072. package/dist/packs/au-asic-rg-271.js.map +1 -0
  2073. package/dist/packs/au-asic-rg-274.d.ts +51 -0
  2074. package/dist/packs/au-asic-rg-274.d.ts.map +1 -0
  2075. package/dist/packs/au-asic-rg-274.js +271 -0
  2076. package/dist/packs/au-asic-rg-274.js.map +1 -0
  2077. package/dist/packs/au-cdr.d.ts +49 -0
  2078. package/dist/packs/au-cdr.d.ts.map +1 -0
  2079. package/dist/packs/au-cdr.js +308 -0
  2080. package/dist/packs/au-cdr.js.map +1 -0
  2081. package/dist/packs/au-cps230.d.ts +50 -0
  2082. package/dist/packs/au-cps230.d.ts.map +1 -0
  2083. package/dist/packs/au-cps230.js +267 -0
  2084. package/dist/packs/au-cps230.js.map +1 -0
  2085. package/dist/packs/au-cps234.d.ts +56 -0
  2086. package/dist/packs/au-cps234.d.ts.map +1 -0
  2087. package/dist/packs/au-cps234.js +300 -0
  2088. package/dist/packs/au-cps234.js.map +1 -0
  2089. package/dist/packs/au-mandatory-ai-guardrails.d.ts +61 -0
  2090. package/dist/packs/au-mandatory-ai-guardrails.d.ts.map +1 -0
  2091. package/dist/packs/au-mandatory-ai-guardrails.js +274 -0
  2092. package/dist/packs/au-mandatory-ai-guardrails.js.map +1 -0
  2093. package/dist/packs/au-nsw-hripa.d.ts +78 -0
  2094. package/dist/packs/au-nsw-hripa.d.ts.map +1 -0
  2095. package/dist/packs/au-nsw-hripa.js +366 -0
  2096. package/dist/packs/au-nsw-hripa.js.map +1 -0
  2097. package/dist/packs/au-online-safety.d.ts +55 -0
  2098. package/dist/packs/au-online-safety.d.ts.map +1 -0
  2099. package/dist/packs/au-online-safety.js +300 -0
  2100. package/dist/packs/au-online-safety.js.map +1 -0
  2101. package/dist/packs/au-privacy-act.d.ts +54 -0
  2102. package/dist/packs/au-privacy-act.d.ts.map +1 -0
  2103. package/dist/packs/au-privacy-act.js +364 -0
  2104. package/dist/packs/au-privacy-act.js.map +1 -0
  2105. package/dist/packs/au-soci-act.d.ts +53 -0
  2106. package/dist/packs/au-soci-act.d.ts.map +1 -0
  2107. package/dist/packs/au-soci-act.js +254 -0
  2108. package/dist/packs/au-soci-act.js.map +1 -0
  2109. package/dist/packs/au-spam-act.d.ts +54 -0
  2110. package/dist/packs/au-spam-act.d.ts.map +1 -0
  2111. package/dist/packs/au-spam-act.js +287 -0
  2112. package/dist/packs/au-spam-act.js.map +1 -0
  2113. package/dist/packs/au-tga-saimd.d.ts +74 -0
  2114. package/dist/packs/au-tga-saimd.d.ts.map +1 -0
  2115. package/dist/packs/au-tga-saimd.js +344 -0
  2116. package/dist/packs/au-tga-saimd.js.map +1 -0
  2117. package/dist/packs/au-vic-hra.d.ts +70 -0
  2118. package/dist/packs/au-vic-hra.d.ts.map +1 -0
  2119. package/dist/packs/au-vic-hra.js +348 -0
  2120. package/dist/packs/au-vic-hra.js.map +1 -0
  2121. package/dist/packs/bipa.d.ts +30 -0
  2122. package/dist/packs/bipa.d.ts.map +1 -0
  2123. package/dist/packs/bipa.js +271 -0
  2124. package/dist/packs/bipa.js.map +1 -0
  2125. package/dist/packs/bsa-aml.d.ts +52 -0
  2126. package/dist/packs/bsa-aml.d.ts.map +1 -0
  2127. package/dist/packs/bsa-aml.js +413 -0
  2128. package/dist/packs/bsa-aml.js.map +1 -0
  2129. package/dist/packs/ca-pipeda.d.ts +48 -0
  2130. package/dist/packs/ca-pipeda.d.ts.map +1 -0
  2131. package/dist/packs/ca-pipeda.js +220 -0
  2132. package/dist/packs/ca-pipeda.js.map +1 -0
  2133. package/dist/packs/ca-qc-law25.d.ts +46 -0
  2134. package/dist/packs/ca-qc-law25.d.ts.map +1 -0
  2135. package/dist/packs/ca-qc-law25.js +191 -0
  2136. package/dist/packs/ca-qc-law25.js.map +1 -0
  2137. package/dist/packs/caldicott-principles.d.ts +86 -0
  2138. package/dist/packs/caldicott-principles.d.ts.map +1 -0
  2139. package/dist/packs/caldicott-principles.js +444 -0
  2140. package/dist/packs/caldicott-principles.js.map +1 -0
  2141. package/dist/packs/california-ab2930.d.ts +58 -0
  2142. package/dist/packs/california-ab2930.d.ts.map +1 -0
  2143. package/dist/packs/california-ab2930.js +413 -0
  2144. package/dist/packs/california-ab2930.js.map +1 -0
  2145. package/dist/packs/ccpa.d.ts +47 -0
  2146. package/dist/packs/ccpa.d.ts.map +1 -0
  2147. package/dist/packs/ccpa.js +399 -0
  2148. package/dist/packs/ccpa.js.map +1 -0
  2149. package/dist/packs/cfpb-2023-03.d.ts +32 -0
  2150. package/dist/packs/cfpb-2023-03.d.ts.map +1 -0
  2151. package/dist/packs/cfpb-2023-03.js +285 -0
  2152. package/dist/packs/cfpb-2023-03.js.map +1 -0
  2153. package/dist/packs/check-registry.d.ts +76 -0
  2154. package/dist/packs/check-registry.d.ts.map +1 -0
  2155. package/dist/packs/check-registry.js +3341 -0
  2156. package/dist/packs/check-registry.js.map +1 -0
  2157. package/dist/packs/cjis.d.ts +61 -0
  2158. package/dist/packs/cjis.d.ts.map +1 -0
  2159. package/dist/packs/cjis.js +345 -0
  2160. package/dist/packs/cjis.js.map +1 -0
  2161. package/dist/packs/cma-ai-foundation-models.d.ts +74 -0
  2162. package/dist/packs/cma-ai-foundation-models.d.ts.map +1 -0
  2163. package/dist/packs/cma-ai-foundation-models.js +397 -0
  2164. package/dist/packs/cma-ai-foundation-models.js.map +1 -0
  2165. package/dist/packs/cmmc2.d.ts +69 -0
  2166. package/dist/packs/cmmc2.d.ts.map +1 -0
  2167. package/dist/packs/cmmc2.js +350 -0
  2168. package/dist/packs/cmmc2.js.map +1 -0
  2169. package/dist/packs/cms-interoperability.d.ts +55 -0
  2170. package/dist/packs/cms-interoperability.d.ts.map +1 -0
  2171. package/dist/packs/cms-interoperability.js +390 -0
  2172. package/dist/packs/cms-interoperability.js.map +1 -0
  2173. package/dist/packs/cn-dsl-csl.d.ts +52 -0
  2174. package/dist/packs/cn-dsl-csl.d.ts.map +1 -0
  2175. package/dist/packs/cn-dsl-csl.js +137 -0
  2176. package/dist/packs/cn-dsl-csl.js.map +1 -0
  2177. package/dist/packs/colorado-ai.d.ts +77 -0
  2178. package/dist/packs/colorado-ai.d.ts.map +1 -0
  2179. package/dist/packs/colorado-ai.js +379 -0
  2180. package/dist/packs/colorado-ai.js.map +1 -0
  2181. package/dist/packs/common-rule.d.ts +91 -0
  2182. package/dist/packs/common-rule.d.ts.map +1 -0
  2183. package/dist/packs/common-rule.js +473 -0
  2184. package/dist/packs/common-rule.js.map +1 -0
  2185. package/dist/packs/coppa.d.ts +84 -0
  2186. package/dist/packs/coppa.d.ts.map +1 -0
  2187. package/dist/packs/coppa.js +409 -0
  2188. package/dist/packs/coppa.js.map +1 -0
  2189. package/dist/packs/cyber-essentials.d.ts +63 -0
  2190. package/dist/packs/cyber-essentials.d.ts.map +1 -0
  2191. package/dist/packs/cyber-essentials.js +407 -0
  2192. package/dist/packs/cyber-essentials.js.map +1 -0
  2193. package/dist/packs/de-bdsg.d.ts +66 -0
  2194. package/dist/packs/de-bdsg.d.ts.map +1 -0
  2195. package/dist/packs/de-bdsg.js +416 -0
  2196. package/dist/packs/de-bdsg.js.map +1 -0
  2197. package/dist/packs/do-178c.d.ts +98 -0
  2198. package/dist/packs/do-178c.d.ts.map +1 -0
  2199. package/dist/packs/do-178c.js +726 -0
  2200. package/dist/packs/do-178c.js.map +1 -0
  2201. package/dist/packs/dora.d.ts +48 -0
  2202. package/dist/packs/dora.d.ts.map +1 -0
  2203. package/dist/packs/dora.js +361 -0
  2204. package/dist/packs/dora.js.map +1 -0
  2205. package/dist/packs/ecoa.d.ts +46 -0
  2206. package/dist/packs/ecoa.d.ts.map +1 -0
  2207. package/dist/packs/ecoa.js +389 -0
  2208. package/dist/packs/ecoa.js.map +1 -0
  2209. package/dist/packs/eu-ai-liability.d.ts +39 -0
  2210. package/dist/packs/eu-ai-liability.d.ts.map +1 -0
  2211. package/dist/packs/eu-ai-liability.js +303 -0
  2212. package/dist/packs/eu-ai-liability.js.map +1 -0
  2213. package/dist/packs/eu-cra.d.ts +50 -0
  2214. package/dist/packs/eu-cra.d.ts.map +1 -0
  2215. package/dist/packs/eu-cra.js +143 -0
  2216. package/dist/packs/eu-cra.js.map +1 -0
  2217. package/dist/packs/eu-data-act.d.ts +49 -0
  2218. package/dist/packs/eu-data-act.d.ts.map +1 -0
  2219. package/dist/packs/eu-data-act.js +141 -0
  2220. package/dist/packs/eu-data-act.js.map +1 -0
  2221. package/dist/packs/eu-dma.d.ts +59 -0
  2222. package/dist/packs/eu-dma.d.ts.map +1 -0
  2223. package/dist/packs/eu-dma.js +188 -0
  2224. package/dist/packs/eu-dma.js.map +1 -0
  2225. package/dist/packs/eu-dsa.d.ts +54 -0
  2226. package/dist/packs/eu-dsa.d.ts.map +1 -0
  2227. package/dist/packs/eu-dsa.js +179 -0
  2228. package/dist/packs/eu-dsa.js.map +1 -0
  2229. package/dist/packs/eu-lpp.d.ts +61 -0
  2230. package/dist/packs/eu-lpp.d.ts.map +1 -0
  2231. package/dist/packs/eu-lpp.js +345 -0
  2232. package/dist/packs/eu-lpp.js.map +1 -0
  2233. package/dist/packs/eu-mdr-ivdr.d.ts +67 -0
  2234. package/dist/packs/eu-mdr-ivdr.d.ts.map +1 -0
  2235. package/dist/packs/eu-mdr-ivdr.js +420 -0
  2236. package/dist/packs/eu-mdr-ivdr.js.map +1 -0
  2237. package/dist/packs/euaiact.d.ts +51 -0
  2238. package/dist/packs/euaiact.d.ts.map +1 -0
  2239. package/dist/packs/euaiact.js +344 -0
  2240. package/dist/packs/euaiact.js.map +1 -0
  2241. package/dist/packs/fca-consumer-duty.d.ts +65 -0
  2242. package/dist/packs/fca-consumer-duty.d.ts.map +1 -0
  2243. package/dist/packs/fca-consumer-duty.js +412 -0
  2244. package/dist/packs/fca-consumer-duty.js.map +1 -0
  2245. package/dist/packs/fca-op-resilience.d.ts +53 -0
  2246. package/dist/packs/fca-op-resilience.d.ts.map +1 -0
  2247. package/dist/packs/fca-op-resilience.js +353 -0
  2248. package/dist/packs/fca-op-resilience.js.map +1 -0
  2249. package/dist/packs/fcra.d.ts +47 -0
  2250. package/dist/packs/fcra.d.ts.map +1 -0
  2251. package/dist/packs/fcra.js +444 -0
  2252. package/dist/packs/fcra.js.map +1 -0
  2253. package/dist/packs/fda-21-cfr-820.d.ts +53 -0
  2254. package/dist/packs/fda-21-cfr-820.d.ts.map +1 -0
  2255. package/dist/packs/fda-21-cfr-820.js +609 -0
  2256. package/dist/packs/fda-21-cfr-820.js.map +1 -0
  2257. package/dist/packs/fda-samd-precert.d.ts +122 -0
  2258. package/dist/packs/fda-samd-precert.d.ts.map +1 -0
  2259. package/dist/packs/fda-samd-precert.js +866 -0
  2260. package/dist/packs/fda-samd-precert.js.map +1 -0
  2261. package/dist/packs/fda-samd.d.ts +42 -0
  2262. package/dist/packs/fda-samd.d.ts.map +1 -0
  2263. package/dist/packs/fda-samd.js +317 -0
  2264. package/dist/packs/fda-samd.js.map +1 -0
  2265. package/dist/packs/fedramp.d.ts +51 -0
  2266. package/dist/packs/fedramp.d.ts.map +1 -0
  2267. package/dist/packs/fedramp.js +321 -0
  2268. package/dist/packs/fedramp.js.map +1 -0
  2269. package/dist/packs/ferpa.d.ts +57 -0
  2270. package/dist/packs/ferpa.d.ts.map +1 -0
  2271. package/dist/packs/ferpa.js +312 -0
  2272. package/dist/packs/ferpa.js.map +1 -0
  2273. package/dist/packs/finra-3110.d.ts +53 -0
  2274. package/dist/packs/finra-3110.d.ts.map +1 -0
  2275. package/dist/packs/finra-3110.js +354 -0
  2276. package/dist/packs/finra-3110.js.map +1 -0
  2277. package/dist/packs/florida-student-privacy.d.ts +104 -0
  2278. package/dist/packs/florida-student-privacy.d.ts.map +1 -0
  2279. package/dist/packs/florida-student-privacy.js +451 -0
  2280. package/dist/packs/florida-student-privacy.js.map +1 -0
  2281. package/dist/packs/foia.d.ts +46 -0
  2282. package/dist/packs/foia.d.ts.map +1 -0
  2283. package/dist/packs/foia.js +397 -0
  2284. package/dist/packs/foia.js.map +1 -0
  2285. package/dist/packs/frcp26.d.ts +52 -0
  2286. package/dist/packs/frcp26.d.ts.map +1 -0
  2287. package/dist/packs/frcp26.js +297 -0
  2288. package/dist/packs/frcp26.js.map +1 -0
  2289. package/dist/packs/ftc5.d.ts +35 -0
  2290. package/dist/packs/ftc5.d.ts.map +1 -0
  2291. package/dist/packs/ftc5.js +293 -0
  2292. package/dist/packs/ftc5.js.map +1 -0
  2293. package/dist/packs/gdpr.d.ts +41 -0
  2294. package/dist/packs/gdpr.d.ts.map +1 -0
  2295. package/dist/packs/gdpr.js +490 -0
  2296. package/dist/packs/gdpr.js.map +1 -0
  2297. package/dist/packs/glba.d.ts +34 -0
  2298. package/dist/packs/glba.d.ts.map +1 -0
  2299. package/dist/packs/glba.js +424 -0
  2300. package/dist/packs/glba.js.map +1 -0
  2301. package/dist/packs/gxp.d.ts +43 -0
  2302. package/dist/packs/gxp.d.ts.map +1 -0
  2303. package/dist/packs/gxp.js +353 -0
  2304. package/dist/packs/gxp.js.map +1 -0
  2305. package/dist/packs/hipaa.d.ts +47 -0
  2306. package/dist/packs/hipaa.d.ts.map +1 -0
  2307. package/dist/packs/hipaa.js +384 -0
  2308. package/dist/packs/hipaa.js.map +1 -0
  2309. package/dist/packs/hitech.d.ts +43 -0
  2310. package/dist/packs/hitech.d.ts.map +1 -0
  2311. package/dist/packs/hitech.js +292 -0
  2312. package/dist/packs/hitech.js.map +1 -0
  2313. package/dist/packs/hitrust-csf.d.ts +41 -0
  2314. package/dist/packs/hitrust-csf.d.ts.map +1 -0
  2315. package/dist/packs/hitrust-csf.js +122 -0
  2316. package/dist/packs/hitrust-csf.js.map +1 -0
  2317. package/dist/packs/hk-pdpo.d.ts +38 -0
  2318. package/dist/packs/hk-pdpo.d.ts.map +1 -0
  2319. package/dist/packs/hk-pdpo.js +125 -0
  2320. package/dist/packs/hk-pdpo.js.map +1 -0
  2321. package/dist/packs/hmda.d.ts +42 -0
  2322. package/dist/packs/hmda.d.ts.map +1 -0
  2323. package/dist/packs/hmda.js +382 -0
  2324. package/dist/packs/hmda.js.map +1 -0
  2325. package/dist/packs/iec-62304.d.ts +79 -0
  2326. package/dist/packs/iec-62304.d.ts.map +1 -0
  2327. package/dist/packs/iec-62304.js +588 -0
  2328. package/dist/packs/iec-62304.js.map +1 -0
  2329. package/dist/packs/iec-62443.d.ts +112 -0
  2330. package/dist/packs/iec-62443.d.ts.map +1 -0
  2331. package/dist/packs/iec-62443.js +689 -0
  2332. package/dist/packs/iec-62443.js.map +1 -0
  2333. package/dist/packs/illinois-aivia.d.ts +56 -0
  2334. package/dist/packs/illinois-aivia.d.ts.map +1 -0
  2335. package/dist/packs/illinois-aivia.js +351 -0
  2336. package/dist/packs/illinois-aivia.js.map +1 -0
  2337. package/dist/packs/in-dpdp.d.ts +82 -0
  2338. package/dist/packs/in-dpdp.d.ts.map +1 -0
  2339. package/dist/packs/in-dpdp.js +432 -0
  2340. package/dist/packs/in-dpdp.js.map +1 -0
  2341. package/dist/packs/index.d.ts +468 -0
  2342. package/dist/packs/index.d.ts.map +1 -0
  2343. package/dist/packs/index.js +672 -0
  2344. package/dist/packs/index.js.map +1 -0
  2345. package/dist/packs/iso-15189.d.ts +143 -0
  2346. package/dist/packs/iso-15189.d.ts.map +1 -0
  2347. package/dist/packs/iso-15189.js +947 -0
  2348. package/dist/packs/iso-15189.js.map +1 -0
  2349. package/dist/packs/iso-23894.d.ts +40 -0
  2350. package/dist/packs/iso-23894.d.ts.map +1 -0
  2351. package/dist/packs/iso-23894.js +445 -0
  2352. package/dist/packs/iso-23894.js.map +1 -0
  2353. package/dist/packs/iso-26262.d.ts +97 -0
  2354. package/dist/packs/iso-26262.d.ts.map +1 -0
  2355. package/dist/packs/iso-26262.js +737 -0
  2356. package/dist/packs/iso-26262.js.map +1 -0
  2357. package/dist/packs/iso-iec-80001.d.ts +151 -0
  2358. package/dist/packs/iso-iec-80001.d.ts.map +1 -0
  2359. package/dist/packs/iso-iec-80001.js +996 -0
  2360. package/dist/packs/iso-iec-80001.js.map +1 -0
  2361. package/dist/packs/iso20022.d.ts +54 -0
  2362. package/dist/packs/iso20022.d.ts.map +1 -0
  2363. package/dist/packs/iso20022.js +347 -0
  2364. package/dist/packs/iso20022.js.map +1 -0
  2365. package/dist/packs/iso27001.d.ts +46 -0
  2366. package/dist/packs/iso27001.d.ts.map +1 -0
  2367. package/dist/packs/iso27001.js +391 -0
  2368. package/dist/packs/iso27001.js.map +1 -0
  2369. package/dist/packs/iso27701.d.ts +53 -0
  2370. package/dist/packs/iso27701.d.ts.map +1 -0
  2371. package/dist/packs/iso27701.js +393 -0
  2372. package/dist/packs/iso27701.js.map +1 -0
  2373. package/dist/packs/iso42001.d.ts +47 -0
  2374. package/dist/packs/iso42001.d.ts.map +1 -0
  2375. package/dist/packs/iso42001.js +291 -0
  2376. package/dist/packs/iso42001.js.map +1 -0
  2377. package/dist/packs/jp-appi.d.ts +78 -0
  2378. package/dist/packs/jp-appi.d.ts.map +1 -0
  2379. package/dist/packs/jp-appi.js +441 -0
  2380. package/dist/packs/jp-appi.js.map +1 -0
  2381. package/dist/packs/kr-pipa.d.ts +74 -0
  2382. package/dist/packs/kr-pipa.d.ts.map +1 -0
  2383. package/dist/packs/kr-pipa.js +445 -0
  2384. package/dist/packs/kr-pipa.js.map +1 -0
  2385. package/dist/packs/lgpd.d.ts +32 -0
  2386. package/dist/packs/lgpd.d.ts.map +1 -0
  2387. package/dist/packs/lgpd.js +353 -0
  2388. package/dist/packs/lgpd.js.map +1 -0
  2389. package/dist/packs/lpo2024.d.ts +70 -0
  2390. package/dist/packs/lpo2024.d.ts.map +1 -0
  2391. package/dist/packs/lpo2024.js +310 -0
  2392. package/dist/packs/lpo2024.js.map +1 -0
  2393. package/dist/packs/maryland-hb1202.d.ts +53 -0
  2394. package/dist/packs/maryland-hb1202.d.ts.map +1 -0
  2395. package/dist/packs/maryland-hb1202.js +341 -0
  2396. package/dist/packs/maryland-hb1202.js.map +1 -0
  2397. package/dist/packs/mhra-samd-ukca.d.ts +79 -0
  2398. package/dist/packs/mhra-samd-ukca.d.ts.map +1 -0
  2399. package/dist/packs/mhra-samd-ukca.js +476 -0
  2400. package/dist/packs/mhra-samd-ukca.js.map +1 -0
  2401. package/dist/packs/mifid2.d.ts +51 -0
  2402. package/dist/packs/mifid2.d.ts.map +1 -0
  2403. package/dist/packs/mifid2.js +384 -0
  2404. package/dist/packs/mifid2.js.map +1 -0
  2405. package/dist/packs/migration-manifest.d.ts +30 -0
  2406. package/dist/packs/migration-manifest.d.ts.map +1 -0
  2407. package/dist/packs/migration-manifest.js +59 -0
  2408. package/dist/packs/migration-manifest.js.map +1 -0
  2409. package/dist/packs/naic-mdl.d.ts +50 -0
  2410. package/dist/packs/naic-mdl.d.ts.map +1 -0
  2411. package/dist/packs/naic-mdl.js +318 -0
  2412. package/dist/packs/naic-mdl.js.map +1 -0
  2413. package/dist/packs/ncsc-ai-security.d.ts +69 -0
  2414. package/dist/packs/ncsc-ai-security.d.ts.map +1 -0
  2415. package/dist/packs/ncsc-ai-security.js +629 -0
  2416. package/dist/packs/ncsc-ai-security.js.map +1 -0
  2417. package/dist/packs/ncsc-caf.d.ts +62 -0
  2418. package/dist/packs/ncsc-caf.d.ts.map +1 -0
  2419. package/dist/packs/ncsc-caf.js +384 -0
  2420. package/dist/packs/ncsc-caf.js.map +1 -0
  2421. package/dist/packs/nhs-dcb0129-dcb0160.d.ts +85 -0
  2422. package/dist/packs/nhs-dcb0129-dcb0160.d.ts.map +1 -0
  2423. package/dist/packs/nhs-dcb0129-dcb0160.js +473 -0
  2424. package/dist/packs/nhs-dcb0129-dcb0160.js.map +1 -0
  2425. package/dist/packs/nhs-dspt.d.ts +83 -0
  2426. package/dist/packs/nhs-dspt.d.ts.map +1 -0
  2427. package/dist/packs/nhs-dspt.js +437 -0
  2428. package/dist/packs/nhs-dspt.js.map +1 -0
  2429. package/dist/packs/nhs-dtac.d.ts +80 -0
  2430. package/dist/packs/nhs-dtac.d.ts.map +1 -0
  2431. package/dist/packs/nhs-dtac.js +402 -0
  2432. package/dist/packs/nhs-dtac.js.map +1 -0
  2433. package/dist/packs/nhs-psirf.d.ts +74 -0
  2434. package/dist/packs/nhs-psirf.d.ts.map +1 -0
  2435. package/dist/packs/nhs-psirf.js +417 -0
  2436. package/dist/packs/nhs-psirf.js.map +1 -0
  2437. package/dist/packs/ni-equality.d.ts +87 -0
  2438. package/dist/packs/ni-equality.d.ts.map +1 -0
  2439. package/dist/packs/ni-equality.js +439 -0
  2440. package/dist/packs/ni-equality.js.map +1 -0
  2441. package/dist/packs/ni-hscni.d.ts +76 -0
  2442. package/dist/packs/ni-hscni.d.ts.map +1 -0
  2443. package/dist/packs/ni-hscni.js +418 -0
  2444. package/dist/packs/ni-hscni.js.map +1 -0
  2445. package/dist/packs/ni-mental-capacity.d.ts +45 -0
  2446. package/dist/packs/ni-mental-capacity.d.ts.map +1 -0
  2447. package/dist/packs/ni-mental-capacity.js +133 -0
  2448. package/dist/packs/ni-mental-capacity.js.map +1 -0
  2449. package/dist/packs/nice-esf-dht.d.ts +72 -0
  2450. package/dist/packs/nice-esf-dht.d.ts.map +1 -0
  2451. package/dist/packs/nice-esf-dht.js +407 -0
  2452. package/dist/packs/nice-esf-dht.js.map +1 -0
  2453. package/dist/packs/nis2.d.ts +80 -0
  2454. package/dist/packs/nis2.d.ts.map +1 -0
  2455. package/dist/packs/nis2.js +425 -0
  2456. package/dist/packs/nis2.js.map +1 -0
  2457. package/dist/packs/nist-800-53.d.ts +40 -0
  2458. package/dist/packs/nist-800-53.d.ts.map +1 -0
  2459. package/dist/packs/nist-800-53.js +129 -0
  2460. package/dist/packs/nist-800-53.js.map +1 -0
  2461. package/dist/packs/nist-ai-rmf.d.ts +48 -0
  2462. package/dist/packs/nist-ai-rmf.d.ts.map +1 -0
  2463. package/dist/packs/nist-ai-rmf.js +370 -0
  2464. package/dist/packs/nist-ai-rmf.js.map +1 -0
  2465. package/dist/packs/nist-csf.d.ts +41 -0
  2466. package/dist/packs/nist-csf.d.ts.map +1 -0
  2467. package/dist/packs/nist-csf.js +134 -0
  2468. package/dist/packs/nist-csf.js.map +1 -0
  2469. package/dist/packs/nist-sp-800-82.d.ts +127 -0
  2470. package/dist/packs/nist-sp-800-82.d.ts.map +1 -0
  2471. package/dist/packs/nist-sp-800-82.js +724 -0
  2472. package/dist/packs/nist-sp-800-82.js.map +1 -0
  2473. package/dist/packs/nyc-ll-144.d.ts +38 -0
  2474. package/dist/packs/nyc-ll-144.d.ts.map +1 -0
  2475. package/dist/packs/nyc-ll-144.js +291 -0
  2476. package/dist/packs/nyc-ll-144.js.map +1 -0
  2477. package/dist/packs/nydfs500.d.ts +32 -0
  2478. package/dist/packs/nydfs500.d.ts.map +1 -0
  2479. package/dist/packs/nydfs500.js +288 -0
  2480. package/dist/packs/nydfs500.js.map +1 -0
  2481. package/dist/packs/nz-privacy.d.ts +91 -0
  2482. package/dist/packs/nz-privacy.d.ts.map +1 -0
  2483. package/dist/packs/nz-privacy.js +468 -0
  2484. package/dist/packs/nz-privacy.js.map +1 -0
  2485. package/dist/packs/part11.d.ts +31 -0
  2486. package/dist/packs/part11.d.ts.map +1 -0
  2487. package/dist/packs/part11.js +332 -0
  2488. package/dist/packs/part11.js.map +1 -0
  2489. package/dist/packs/part2.d.ts +42 -0
  2490. package/dist/packs/part2.d.ts.map +1 -0
  2491. package/dist/packs/part2.js +358 -0
  2492. package/dist/packs/part2.js.map +1 -0
  2493. package/dist/packs/pcidss.d.ts +72 -0
  2494. package/dist/packs/pcidss.d.ts.map +1 -0
  2495. package/dist/packs/pcidss.js +470 -0
  2496. package/dist/packs/pcidss.js.map +1 -0
  2497. package/dist/packs/pipl.d.ts +31 -0
  2498. package/dist/packs/pipl.d.ts.map +1 -0
  2499. package/dist/packs/pipl.js +208 -0
  2500. package/dist/packs/pipl.js.map +1 -0
  2501. package/dist/packs/reg-e.d.ts +55 -0
  2502. package/dist/packs/reg-e.d.ts.map +1 -0
  2503. package/dist/packs/reg-e.js +362 -0
  2504. package/dist/packs/reg-e.js.map +1 -0
  2505. package/dist/packs/registry-expanded.d.ts +76 -0
  2506. package/dist/packs/registry-expanded.d.ts.map +1 -0
  2507. package/dist/packs/registry-expanded.js +2354 -0
  2508. package/dist/packs/registry-expanded.js.map +1 -0
  2509. package/dist/packs/scotland-awi.d.ts +74 -0
  2510. package/dist/packs/scotland-awi.d.ts.map +1 -0
  2511. package/dist/packs/scotland-awi.js +408 -0
  2512. package/dist/packs/scotland-awi.js.map +1 -0
  2513. package/dist/packs/scotland-procurement-reform.d.ts +40 -0
  2514. package/dist/packs/scotland-procurement-reform.d.ts.map +1 -0
  2515. package/dist/packs/scotland-procurement-reform.js +125 -0
  2516. package/dist/packs/scotland-procurement-reform.js.map +1 -0
  2517. package/dist/packs/scotland-psed.d.ts +67 -0
  2518. package/dist/packs/scotland-psed.d.ts.map +1 -0
  2519. package/dist/packs/scotland-psed.js +372 -0
  2520. package/dist/packs/scotland-psed.js.map +1 -0
  2521. package/dist/packs/sg-model-ai-gov.d.ts +62 -0
  2522. package/dist/packs/sg-model-ai-gov.d.ts.map +1 -0
  2523. package/dist/packs/sg-model-ai-gov.js +396 -0
  2524. package/dist/packs/sg-model-ai-gov.js.map +1 -0
  2525. package/dist/packs/soc1.d.ts +34 -0
  2526. package/dist/packs/soc1.d.ts.map +1 -0
  2527. package/dist/packs/soc1.js +308 -0
  2528. package/dist/packs/soc1.js.map +1 -0
  2529. package/dist/packs/soc2.d.ts +44 -0
  2530. package/dist/packs/soc2.d.ts.map +1 -0
  2531. package/dist/packs/soc2.js +340 -0
  2532. package/dist/packs/soc2.js.map +1 -0
  2533. package/dist/packs/sox404.d.ts +32 -0
  2534. package/dist/packs/sox404.d.ts.map +1 -0
  2535. package/dist/packs/sox404.js +298 -0
  2536. package/dist/packs/sox404.js.map +1 -0
  2537. package/dist/packs/sr117.d.ts +35 -0
  2538. package/dist/packs/sr117.d.ts.map +1 -0
  2539. package/dist/packs/sr117.js +345 -0
  2540. package/dist/packs/sr117.js.map +1 -0
  2541. package/dist/packs/stateramp.d.ts +62 -0
  2542. package/dist/packs/stateramp.d.ts.map +1 -0
  2543. package/dist/packs/stateramp.js +327 -0
  2544. package/dist/packs/stateramp.js.map +1 -0
  2545. package/dist/packs/tennessee-elvis.d.ts +68 -0
  2546. package/dist/packs/tennessee-elvis.d.ts.map +1 -0
  2547. package/dist/packs/tennessee-elvis.js +420 -0
  2548. package/dist/packs/tennessee-elvis.js.map +1 -0
  2549. package/dist/packs/texas-hb4.d.ts +77 -0
  2550. package/dist/packs/texas-hb4.d.ts.map +1 -0
  2551. package/dist/packs/texas-hb4.js +396 -0
  2552. package/dist/packs/texas-hb4.js.map +1 -0
  2553. package/dist/packs/th-pdpa.d.ts +43 -0
  2554. package/dist/packs/th-pdpa.d.ts.map +1 -0
  2555. package/dist/packs/th-pdpa.js +128 -0
  2556. package/dist/packs/th-pdpa.js.map +1 -0
  2557. package/dist/packs/title-ix.d.ts +93 -0
  2558. package/dist/packs/title-ix.d.ts.map +1 -0
  2559. package/dist/packs/title-ix.js +447 -0
  2560. package/dist/packs/title-ix.js.map +1 -0
  2561. package/dist/packs/uk-ai-framework.d.ts +42 -0
  2562. package/dist/packs/uk-ai-framework.d.ts.map +1 -0
  2563. package/dist/packs/uk-ai-framework.js +355 -0
  2564. package/dist/packs/uk-ai-framework.js.map +1 -0
  2565. package/dist/packs/uk-cma-1990.d.ts +75 -0
  2566. package/dist/packs/uk-cma-1990.d.ts.map +1 -0
  2567. package/dist/packs/uk-cma-1990.js +406 -0
  2568. package/dist/packs/uk-cma-1990.js.map +1 -0
  2569. package/dist/packs/uk-equality-act-ai-bias.d.ts +54 -0
  2570. package/dist/packs/uk-equality-act-ai-bias.d.ts.map +1 -0
  2571. package/dist/packs/uk-equality-act-ai-bias.js +684 -0
  2572. package/dist/packs/uk-equality-act-ai-bias.js.map +1 -0
  2573. package/dist/packs/uk-equality-act.d.ts +69 -0
  2574. package/dist/packs/uk-equality-act.d.ts.map +1 -0
  2575. package/dist/packs/uk-equality-act.js +409 -0
  2576. package/dist/packs/uk-equality-act.js.map +1 -0
  2577. package/dist/packs/uk-future-ai-legislation.d.ts +42 -0
  2578. package/dist/packs/uk-future-ai-legislation.d.ts.map +1 -0
  2579. package/dist/packs/uk-future-ai-legislation.js +212 -0
  2580. package/dist/packs/uk-future-ai-legislation.js.map +1 -0
  2581. package/dist/packs/uk-gdpr.d.ts +74 -0
  2582. package/dist/packs/uk-gdpr.d.ts.map +1 -0
  2583. package/dist/packs/uk-gdpr.js +377 -0
  2584. package/dist/packs/uk-gdpr.js.map +1 -0
  2585. package/dist/packs/uk-ico-open-case.d.ts +65 -0
  2586. package/dist/packs/uk-ico-open-case.d.ts.map +1 -0
  2587. package/dist/packs/uk-ico-open-case.js +399 -0
  2588. package/dist/packs/uk-ico-open-case.js.map +1 -0
  2589. package/dist/packs/uk-nis-regs.d.ts +67 -0
  2590. package/dist/packs/uk-nis-regs.d.ts.map +1 -0
  2591. package/dist/packs/uk-nis-regs.js +366 -0
  2592. package/dist/packs/uk-nis-regs.js.map +1 -0
  2593. package/dist/packs/uk-online-safety-act.d.ts +68 -0
  2594. package/dist/packs/uk-online-safety-act.d.ts.map +1 -0
  2595. package/dist/packs/uk-online-safety-act.js +413 -0
  2596. package/dist/packs/uk-online-safety-act.js.map +1 -0
  2597. package/dist/packs/uk-procurement-act.d.ts +81 -0
  2598. package/dist/packs/uk-procurement-act.d.ts.map +1 -0
  2599. package/dist/packs/uk-procurement-act.js +434 -0
  2600. package/dist/packs/uk-procurement-act.js.map +1 -0
  2601. package/dist/packs/us-fda-21cfr56.d.ts +63 -0
  2602. package/dist/packs/us-fda-21cfr56.d.ts.map +1 -0
  2603. package/dist/packs/us-fda-21cfr56.js +367 -0
  2604. package/dist/packs/us-fda-21cfr56.js.map +1 -0
  2605. package/dist/packs/us-nih-coc.d.ts +43 -0
  2606. package/dist/packs/us-nih-coc.d.ts.map +1 -0
  2607. package/dist/packs/us-nih-coc.js +206 -0
  2608. package/dist/packs/us-nih-coc.js.map +1 -0
  2609. package/dist/packs/us-nih-dms.d.ts +43 -0
  2610. package/dist/packs/us-nih-dms.d.ts.map +1 -0
  2611. package/dist/packs/us-nih-dms.js +244 -0
  2612. package/dist/packs/us-nih-dms.js.map +1 -0
  2613. package/dist/packs/us-nih-gds.d.ts +41 -0
  2614. package/dist/packs/us-nih-gds.d.ts.map +1 -0
  2615. package/dist/packs/us-nih-gds.js +358 -0
  2616. package/dist/packs/us-nih-gds.js.map +1 -0
  2617. package/dist/packs/us-nih-it-security.d.ts +40 -0
  2618. package/dist/packs/us-nih-it-security.d.ts.map +1 -0
  2619. package/dist/packs/us-nih-it-security.js +206 -0
  2620. package/dist/packs/us-nih-it-security.js.map +1 -0
  2621. package/dist/packs/us-respa.d.ts +55 -0
  2622. package/dist/packs/us-respa.d.ts.map +1 -0
  2623. package/dist/packs/us-respa.js +364 -0
  2624. package/dist/packs/us-respa.js.map +1 -0
  2625. package/dist/packs/us-tila.d.ts +65 -0
  2626. package/dist/packs/us-tila.d.ts.map +1 -0
  2627. package/dist/packs/us-tila.js +353 -0
  2628. package/dist/packs/us-tila.js.map +1 -0
  2629. package/dist/packs/us-trid.d.ts +62 -0
  2630. package/dist/packs/us-trid.d.ts.map +1 -0
  2631. package/dist/packs/us-trid.js +345 -0
  2632. package/dist/packs/us-trid.js.map +1 -0
  2633. package/dist/packs/utah-ai-policy.d.ts +55 -0
  2634. package/dist/packs/utah-ai-policy.d.ts.map +1 -0
  2635. package/dist/packs/utah-ai-policy.js +340 -0
  2636. package/dist/packs/utah-ai-policy.js.map +1 -0
  2637. package/dist/packs/vn-pdpd.d.ts +40 -0
  2638. package/dist/packs/vn-pdpd.d.ts.map +1 -0
  2639. package/dist/packs/vn-pdpd.js +125 -0
  2640. package/dist/packs/vn-pdpd.js.map +1 -0
  2641. package/dist/packs/wales-future-generations.d.ts +67 -0
  2642. package/dist/packs/wales-future-generations.d.ts.map +1 -0
  2643. package/dist/packs/wales-future-generations.js +396 -0
  2644. package/dist/packs/wales-future-generations.js.map +1 -0
  2645. package/dist/reporting/governance-reporter.d.ts +196 -0
  2646. package/dist/reporting/governance-reporter.d.ts.map +1 -0
  2647. package/dist/reporting/governance-reporter.js +442 -0
  2648. package/dist/reporting/governance-reporter.js.map +1 -0
  2649. package/dist/retention/backup-retention-adapter.d.ts +72 -0
  2650. package/dist/retention/backup-retention-adapter.d.ts.map +1 -0
  2651. package/dist/retention/backup-retention-adapter.js +69 -0
  2652. package/dist/retention/backup-retention-adapter.js.map +1 -0
  2653. package/dist/retention/classification-rules.d.ts +59 -0
  2654. package/dist/retention/classification-rules.d.ts.map +1 -0
  2655. package/dist/retention/classification-rules.js +185 -0
  2656. package/dist/retention/classification-rules.js.map +1 -0
  2657. package/dist/retention/classifier.d.ts +195 -0
  2658. package/dist/retention/classifier.d.ts.map +1 -0
  2659. package/dist/retention/classifier.js +254 -0
  2660. package/dist/retention/classifier.js.map +1 -0
  2661. package/dist/retention/data-class.d.ts +70 -0
  2662. package/dist/retention/data-class.d.ts.map +1 -0
  2663. package/dist/retention/data-class.js +47 -0
  2664. package/dist/retention/data-class.js.map +1 -0
  2665. package/dist/retention/enforcement-log-store.d.ts +121 -0
  2666. package/dist/retention/enforcement-log-store.d.ts.map +1 -0
  2667. package/dist/retention/enforcement-log-store.js +183 -0
  2668. package/dist/retention/enforcement-log-store.js.map +1 -0
  2669. package/dist/retention/index.d.ts +31 -0
  2670. package/dist/retention/index.d.ts.map +1 -0
  2671. package/dist/retention/index.js +67 -0
  2672. package/dist/retention/index.js.map +1 -0
  2673. package/dist/retention/ingest-classifier.d.ts +126 -0
  2674. package/dist/retention/ingest-classifier.d.ts.map +1 -0
  2675. package/dist/retention/ingest-classifier.js +130 -0
  2676. package/dist/retention/ingest-classifier.js.map +1 -0
  2677. package/dist/retention/legal-hold-errors.d.ts +57 -0
  2678. package/dist/retention/legal-hold-errors.d.ts.map +1 -0
  2679. package/dist/retention/legal-hold-errors.js +99 -0
  2680. package/dist/retention/legal-hold-errors.js.map +1 -0
  2681. package/dist/retention/legal-hold-store.d.ts +191 -0
  2682. package/dist/retention/legal-hold-store.d.ts.map +1 -0
  2683. package/dist/retention/legal-hold-store.js +432 -0
  2684. package/dist/retention/legal-hold-store.js.map +1 -0
  2685. package/dist/retention/legal-hold.d.ts +122 -0
  2686. package/dist/retention/legal-hold.d.ts.map +1 -0
  2687. package/dist/retention/legal-hold.js +18 -0
  2688. package/dist/retention/legal-hold.js.map +1 -0
  2689. package/dist/retention/log-aggregators/datadog.d.ts +53 -0
  2690. package/dist/retention/log-aggregators/datadog.d.ts.map +1 -0
  2691. package/dist/retention/log-aggregators/datadog.js +157 -0
  2692. package/dist/retention/log-aggregators/datadog.js.map +1 -0
  2693. package/dist/retention/log-aggregators/index.d.ts +14 -0
  2694. package/dist/retention/log-aggregators/index.d.ts.map +1 -0
  2695. package/dist/retention/log-aggregators/index.js +18 -0
  2696. package/dist/retention/log-aggregators/index.js.map +1 -0
  2697. package/dist/retention/log-aggregators/log-aggregator.d.ts +62 -0
  2698. package/dist/retention/log-aggregators/log-aggregator.d.ts.map +1 -0
  2699. package/dist/retention/log-aggregators/log-aggregator.js +21 -0
  2700. package/dist/retention/log-aggregators/log-aggregator.js.map +1 -0
  2701. package/dist/retention/log-aggregators/noop.d.ts +23 -0
  2702. package/dist/retention/log-aggregators/noop.d.ts.map +1 -0
  2703. package/dist/retention/log-aggregators/noop.js +30 -0
  2704. package/dist/retention/log-aggregators/noop.js.map +1 -0
  2705. package/dist/retention/log-aggregators/sentinel.d.ts +75 -0
  2706. package/dist/retention/log-aggregators/sentinel.d.ts.map +1 -0
  2707. package/dist/retention/log-aggregators/sentinel.js +220 -0
  2708. package/dist/retention/log-aggregators/sentinel.js.map +1 -0
  2709. package/dist/retention/log-aggregators/splunk.d.ts +58 -0
  2710. package/dist/retention/log-aggregators/splunk.d.ts.map +1 -0
  2711. package/dist/retention/log-aggregators/splunk.js +151 -0
  2712. package/dist/retention/log-aggregators/splunk.js.map +1 -0
  2713. package/dist/retention/policy-matrix-errors.d.ts +80 -0
  2714. package/dist/retention/policy-matrix-errors.d.ts.map +1 -0
  2715. package/dist/retention/policy-matrix-errors.js +134 -0
  2716. package/dist/retention/policy-matrix-errors.js.map +1 -0
  2717. package/dist/retention/policy-matrix.d.ts +263 -0
  2718. package/dist/retention/policy-matrix.d.ts.map +1 -0
  2719. package/dist/retention/policy-matrix.js +584 -0
  2720. package/dist/retention/policy-matrix.js.map +1 -0
  2721. package/dist/scanner/gap-report.d.ts +108 -0
  2722. package/dist/scanner/gap-report.d.ts.map +1 -0
  2723. package/dist/scanner/gap-report.js +337 -0
  2724. package/dist/scanner/gap-report.js.map +1 -0
  2725. package/dist/scanner/index.d.ts +98 -0
  2726. package/dist/scanner/index.d.ts.map +1 -0
  2727. package/dist/scanner/index.js +453 -0
  2728. package/dist/scanner/index.js.map +1 -0
  2729. package/dist/scanner/manifest-integrity.d.ts +44 -0
  2730. package/dist/scanner/manifest-integrity.d.ts.map +1 -0
  2731. package/dist/scanner/manifest-integrity.js +155 -0
  2732. package/dist/scanner/manifest-integrity.js.map +1 -0
  2733. package/dist/scanner/remediation.d.ts +72 -0
  2734. package/dist/scanner/remediation.d.ts.map +1 -0
  2735. package/dist/scanner/remediation.js +292 -0
  2736. package/dist/scanner/remediation.js.map +1 -0
  2737. package/dist/security/access-review.d.ts +122 -0
  2738. package/dist/security/access-review.d.ts.map +1 -0
  2739. package/dist/security/access-review.js +272 -0
  2740. package/dist/security/access-review.js.map +1 -0
  2741. package/dist/security/agent-auth.d.ts +92 -0
  2742. package/dist/security/agent-auth.d.ts.map +1 -0
  2743. package/dist/security/agent-auth.js +290 -0
  2744. package/dist/security/agent-auth.js.map +1 -0
  2745. package/dist/security/anomaly-auto-suspend.d.ts +226 -0
  2746. package/dist/security/anomaly-auto-suspend.d.ts.map +1 -0
  2747. package/dist/security/anomaly-auto-suspend.js +384 -0
  2748. package/dist/security/anomaly-auto-suspend.js.map +1 -0
  2749. package/dist/security/anomaly-correlator.d.ts +66 -0
  2750. package/dist/security/anomaly-correlator.d.ts.map +1 -0
  2751. package/dist/security/anomaly-correlator.js +316 -0
  2752. package/dist/security/anomaly-correlator.js.map +1 -0
  2753. package/dist/security/anomaly-detector.d.ts +137 -0
  2754. package/dist/security/anomaly-detector.d.ts.map +1 -0
  2755. package/dist/security/anomaly-detector.js +298 -0
  2756. package/dist/security/anomaly-detector.js.map +1 -0
  2757. package/dist/security/anomaly-self-reflection.d.ts +168 -0
  2758. package/dist/security/anomaly-self-reflection.d.ts.map +1 -0
  2759. package/dist/security/anomaly-self-reflection.js +331 -0
  2760. package/dist/security/anomaly-self-reflection.js.map +1 -0
  2761. package/dist/security/built-in-llm-providers.d.ts +50 -0
  2762. package/dist/security/built-in-llm-providers.d.ts.map +1 -0
  2763. package/dist/security/built-in-llm-providers.js +83 -0
  2764. package/dist/security/built-in-llm-providers.js.map +1 -0
  2765. package/dist/security/circuit-breaker.d.ts +62 -0
  2766. package/dist/security/circuit-breaker.d.ts.map +1 -0
  2767. package/dist/security/circuit-breaker.js +183 -0
  2768. package/dist/security/circuit-breaker.js.map +1 -0
  2769. package/dist/security/data-classifier.d.ts +139 -0
  2770. package/dist/security/data-classifier.d.ts.map +1 -0
  2771. package/dist/security/data-classifier.js +483 -0
  2772. package/dist/security/data-classifier.js.map +1 -0
  2773. package/dist/security/encrypted-storage.d.ts +80 -0
  2774. package/dist/security/encrypted-storage.d.ts.map +1 -0
  2775. package/dist/security/encrypted-storage.js +257 -0
  2776. package/dist/security/encrypted-storage.js.map +1 -0
  2777. package/dist/security/encryption-layer.d.ts +115 -0
  2778. package/dist/security/encryption-layer.d.ts.map +1 -0
  2779. package/dist/security/encryption-layer.js +374 -0
  2780. package/dist/security/encryption-layer.js.map +1 -0
  2781. package/dist/security/external-cross-check.d.ts +206 -0
  2782. package/dist/security/external-cross-check.d.ts.map +1 -0
  2783. package/dist/security/external-cross-check.js +490 -0
  2784. package/dist/security/external-cross-check.js.map +1 -0
  2785. package/dist/security/hash-manifest.d.ts +70 -0
  2786. package/dist/security/hash-manifest.d.ts.map +1 -0
  2787. package/dist/security/hash-manifest.js +266 -0
  2788. package/dist/security/hash-manifest.js.map +1 -0
  2789. package/dist/security/http-interceptor.d.ts +262 -0
  2790. package/dist/security/http-interceptor.d.ts.map +1 -0
  2791. package/dist/security/http-interceptor.js +637 -0
  2792. package/dist/security/http-interceptor.js.map +1 -0
  2793. package/dist/security/key-manager.d.ts +111 -0
  2794. package/dist/security/key-manager.d.ts.map +1 -0
  2795. package/dist/security/key-manager.js +326 -0
  2796. package/dist/security/key-manager.js.map +1 -0
  2797. package/dist/security/nonce-store.d.ts +48 -0
  2798. package/dist/security/nonce-store.d.ts.map +1 -0
  2799. package/dist/security/nonce-store.js +170 -0
  2800. package/dist/security/nonce-store.js.map +1 -0
  2801. package/dist/security/operator-roles.d.ts +100 -0
  2802. package/dist/security/operator-roles.d.ts.map +1 -0
  2803. package/dist/security/operator-roles.js +278 -0
  2804. package/dist/security/operator-roles.js.map +1 -0
  2805. package/dist/security/plugin-integrity.d.ts +99 -0
  2806. package/dist/security/plugin-integrity.d.ts.map +1 -0
  2807. package/dist/security/plugin-integrity.js +194 -0
  2808. package/dist/security/plugin-integrity.js.map +1 -0
  2809. package/dist/security/prompt-injection-detector.d.ts +81 -0
  2810. package/dist/security/prompt-injection-detector.d.ts.map +1 -0
  2811. package/dist/security/prompt-injection-detector.js +505 -0
  2812. package/dist/security/prompt-injection-detector.js.map +1 -0
  2813. package/dist/security/provider-compliance-boot.d.ts +64 -0
  2814. package/dist/security/provider-compliance-boot.d.ts.map +1 -0
  2815. package/dist/security/provider-compliance-boot.js +105 -0
  2816. package/dist/security/provider-compliance-boot.js.map +1 -0
  2817. package/dist/security/provider-compliance.d.ts +261 -0
  2818. package/dist/security/provider-compliance.d.ts.map +1 -0
  2819. package/dist/security/provider-compliance.js +711 -0
  2820. package/dist/security/provider-compliance.js.map +1 -0
  2821. package/dist/security/secret-leak-detector.d.ts +59 -0
  2822. package/dist/security/secret-leak-detector.d.ts.map +1 -0
  2823. package/dist/security/secret-leak-detector.js +180 -0
  2824. package/dist/security/secret-leak-detector.js.map +1 -0
  2825. package/dist/security/session-timeout.d.ts +107 -0
  2826. package/dist/security/session-timeout.d.ts.map +1 -0
  2827. package/dist/security/session-timeout.js +291 -0
  2828. package/dist/security/session-timeout.js.map +1 -0
  2829. package/dist/security/ssrf-guard.d.ts +45 -0
  2830. package/dist/security/ssrf-guard.d.ts.map +1 -0
  2831. package/dist/security/ssrf-guard.js +263 -0
  2832. package/dist/security/ssrf-guard.js.map +1 -0
  2833. package/dist/security/supply-chain.d.ts +99 -0
  2834. package/dist/security/supply-chain.d.ts.map +1 -0
  2835. package/dist/security/supply-chain.js +320 -0
  2836. package/dist/security/supply-chain.js.map +1 -0
  2837. package/dist/security/vendor-registry.d.ts +111 -0
  2838. package/dist/security/vendor-registry.d.ts.map +1 -0
  2839. package/dist/security/vendor-registry.js +293 -0
  2840. package/dist/security/vendor-registry.js.map +1 -0
  2841. package/dist/tenant/index.d.ts +14 -0
  2842. package/dist/tenant/index.d.ts.map +1 -0
  2843. package/dist/tenant/index.js +32 -0
  2844. package/dist/tenant/index.js.map +1 -0
  2845. package/dist/tenant/policy-inheritance.d.ts +112 -0
  2846. package/dist/tenant/policy-inheritance.d.ts.map +1 -0
  2847. package/dist/tenant/policy-inheritance.js +382 -0
  2848. package/dist/tenant/policy-inheritance.js.map +1 -0
  2849. package/dist/tenant/rbac.d.ts +65 -0
  2850. package/dist/tenant/rbac.d.ts.map +1 -0
  2851. package/dist/tenant/rbac.js +185 -0
  2852. package/dist/tenant/rbac.js.map +1 -0
  2853. package/dist/tenant/workspace.d.ts +111 -0
  2854. package/dist/tenant/workspace.d.ts.map +1 -0
  2855. package/dist/tenant/workspace.js +315 -0
  2856. package/dist/tenant/workspace.js.map +1 -0
  2857. package/dist/trust-passport/index.d.ts +106 -0
  2858. package/dist/trust-passport/index.d.ts.map +1 -0
  2859. package/dist/trust-passport/index.js +123 -0
  2860. package/dist/trust-passport/index.js.map +1 -0
  2861. package/dist/util/async-io.d.ts +57 -0
  2862. package/dist/util/async-io.d.ts.map +1 -0
  2863. package/dist/util/async-io.js +209 -0
  2864. package/dist/util/async-io.js.map +1 -0
  2865. package/dist/util/fs.d.ts +84 -0
  2866. package/dist/util/fs.d.ts.map +1 -0
  2867. package/dist/util/fs.js +211 -0
  2868. package/dist/util/fs.js.map +1 -0
  2869. package/dist/util/log-rotation.d.ts +55 -0
  2870. package/dist/util/log-rotation.d.ts.map +1 -0
  2871. package/dist/util/log-rotation.js +212 -0
  2872. package/dist/util/log-rotation.js.map +1 -0
  2873. package/dist/util/log.d.ts +35 -0
  2874. package/dist/util/log.d.ts.map +1 -0
  2875. package/dist/util/log.js +115 -0
  2876. package/dist/util/log.js.map +1 -0
  2877. package/dist/util/sigv4.d.ts +73 -0
  2878. package/dist/util/sigv4.d.ts.map +1 -0
  2879. package/dist/util/sigv4.js +155 -0
  2880. package/dist/util/sigv4.js.map +1 -0
  2881. package/dist/util/storage-backend.d.ts +69 -0
  2882. package/dist/util/storage-backend.d.ts.map +1 -0
  2883. package/dist/util/storage-backend.js +204 -0
  2884. package/dist/util/storage-backend.js.map +1 -0
  2885. package/package.json +144 -0
  2886. package/src/hooks/audit-dir-picker.sh +70 -0
  2887. package/src/hooks/audit-logger.sh +325 -0
  2888. package/src/hooks/cost-budget-gate.sh +74 -0
  2889. package/src/hooks/destructive-command-guard.sh +200 -0
  2890. package/src/hooks/file-boundary-guard.sh +159 -0
  2891. package/src/hooks/file-change-tracker.sh +78 -0
  2892. package/src/hooks/governance-file-shield.sh +102 -0
  2893. package/src/hooks/governance-integrity-check.sh +109 -0
  2894. package/src/hooks/hook-health-monitor.sh +189 -0
  2895. package/src/hooks/hook-utils.sh +51 -0
  2896. package/src/hooks/hook-wrapper.sh +77 -0
  2897. package/src/hooks/install-hooks.sh +162 -0
  2898. package/src/hooks/output-exfiltration-scanner.sh +112 -0
  2899. package/src/hooks/powershell/audit-dir-picker.ps1 +72 -0
  2900. package/src/hooks/powershell/audit-logger.ps1 +75 -0
  2901. package/src/hooks/powershell/cost-budget-gate.ps1 +61 -0
  2902. package/src/hooks/powershell/destructive-command-guard.ps1 +67 -0
  2903. package/src/hooks/powershell/file-boundary-guard.ps1 +76 -0
  2904. package/src/hooks/powershell/file-change-tracker.ps1 +74 -0
  2905. package/src/hooks/powershell/governance-file-shield.ps1 +86 -0
  2906. package/src/hooks/powershell/governance-integrity-check.ps1 +101 -0
  2907. package/src/hooks/powershell/hook-health-monitor.ps1 +153 -0
  2908. package/src/hooks/powershell/hook-utils.ps1 +44 -0
  2909. package/src/hooks/powershell/hook-wrapper.ps1 +67 -0
  2910. package/src/hooks/powershell/install-hooks.ps1 +142 -0
  2911. package/src/hooks/powershell/output-exfiltration-scanner.ps1 +85 -0
  2912. package/src/hooks/powershell/secret-leak-scanner.ps1 +105 -0
  2913. package/src/hooks/powershell/token-tracker.ps1 +83 -0
  2914. package/src/hooks/powershell/web-access-gate.ps1 +89 -0
  2915. package/src/hooks/secret-leak-scanner.sh +293 -0
  2916. package/src/hooks/token-tracker.sh +89 -0
  2917. package/src/hooks/web-access-gate.sh +123 -0
package/dist/packs/check-registry.js ADDED
@@ -0,0 +1,3341 @@
1
+ "use strict";
2
+ /**
3
+ * ComplianceCheckRegistry
4
+ *
5
+ * Real implementations for the `check:` strings declared in every
6
+ * compliance pack's validators. Provides the pass/fail verdict that
7
+ * PackRegistry.validate() records against each validator.
8
+ *
9
+ * A validator in a pack declares `check: 'governance_active'`. At
10
+ * validation time, PackRegistry looks up that check in this registry,
11
+ * runs the function against a ComplianceCheckContext, and records the
12
+ * real pass/fail result.
13
+ *
14
+ * Context sources:
15
+ * - activeModules: governance modules currently active in the runtime.
16
+ * - packConfig: merged module-config from active packs.
17
+ * - evidence: flags gathered from the governance runtime (hash chain
18
+ * state, change-management workflow active, etc.).
19
+ *
20
+ * Registration contract (P1C-03): every check id referenced by an
21
+ * active pack MUST be registered. Unregistered ids HARD-FAIL with a
22
+ * governance-defect verdict. There is no neutral-pass fallback.
23
+ * The server boot-gate verifies the registration invariant BEFORE
24
+ * binding the HTTP listener so that misconfigured deployments fail
25
+ * loudly at startup rather than silently inflating pass rates.
26
+ *
27
+ * @connexum/ai-governance
28
+ */
29
+ Object.defineProperty(exports, "__esModule", { value: true });
30
+ exports.defaultCheckRegistry = exports.ComplianceCheckRegistry = void 0;
31
+ class ComplianceCheckRegistry {
32
+ checks = new Map();
33
+ register(id, fn) {
34
+ this.checks.set(id, fn);
35
+ }
36
+ has(id) {
37
+ return this.checks.has(id);
38
+ }
39
+ /**
40
+ * List every registered check id. Used by the server boot-gate to
41
+ * verify that every check referenced by an active pack has a wired
42
+ * validator BEFORE the HTTP listener binds.
43
+ */
44
+ listIds() {
45
+ return Array.from(this.checks.keys());
46
+ }
47
+ /**
48
+ * Run a check. If the id is not registered, HARD-FAIL with a
49
+ * governance-defect verdict. Unregistered check ids are treated as
50
+ * a misconfiguration of the compliance product, NOT as a silent
51
+ * pass. Callers (PackRegistry.validate, boot-gate) rely on this
52
+ * contract to prevent unverified controls from inflating pass rates
53
+ * in audit reports.
54
+ */
55
+ run(id, ctx) {
56
+ const fn = this.checks.get(id);
57
+ if (!fn) {
58
+ return {
59
+ passed: false,
60
+ detail: `check '${id}' is not registered in check-registry; this is a governance defect, not a pass`,
61
+ };
62
+ }
63
+ try {
64
+ return fn(ctx);
65
+ }
66
+ catch (err) {
67
+ const msg = err instanceof Error ? err.message : String(err);
68
+ return { passed: false, detail: `check '${id}' threw: ${msg}` };
69
+ }
70
+ }
71
+ /**
72
+ * Register the default set of module-presence checks. These cover
73
+ * the most common `check:` strings used across all 12 packs:
74
+ * governance, audit, encryption, RBAC, agent auth, monitoring, HITL,
75
+ * transparency, data classifier, post-market monitoring, incident
76
+ * reporting, bias monitor, attestation, supply chain, approval queue.
77
+ */
78
+ registerDefaults() {
79
+ const modulePresence = (moduleName) => (ctx) => {
80
+ const active = ctx.activeModules.includes(moduleName);
81
+ return {
82
+ passed: active,
83
+ detail: active
84
+ ? `module '${moduleName}' active`
85
+ : `module '${moduleName}' NOT active`,
86
+ };
87
+ };
88
+ const evidenceFlag = (flagName, prettyName) => (ctx) => {
89
+ const v = ctx.evidence?.[flagName];
90
+ const passed = v === true;
91
+ return {
92
+ passed,
93
+ detail: passed
94
+ ? `${prettyName} evidence present`
95
+ : `${prettyName} evidence missing (flag '${flagName}' !== true)`,
96
+ };
97
+ };
98
+ const retentionAtLeast = (flagName, minDays, label) => (ctx) => {
99
+ const v = ctx.evidence?.[flagName];
100
+ const n = typeof v === 'number' ? v : 0;
101
+ const passed = n >= minDays;
102
+ return {
103
+ passed,
104
+ detail: passed
105
+ ? `${label}: ${n} days >= ${minDays}`
106
+ : `${label}: ${n} days < required ${minDays}`,
107
+ };
108
+ };
109
+ // -- module presence checks (used by most packs) --
110
+ this.register('governance_active', modulePresence('governance-runtime'));
111
+ this.register('audit_trail_exists', modulePresence('audit-integrity'));
112
+ this.register('encryption_active', modulePresence('encryption-layer'));
113
+ this.register('rbac_active', modulePresence('governance-runtime')); // governance-runtime enforces RBAC
114
+ this.register('agent_auth_active', modulePresence('agent-auth'));
115
+ this.register('monitoring_active', modulePresence('event-bus'));
116
+ this.register('event_bus_active', modulePresence('event-bus')); // breach-notification workflow: event bus wired and active
117
+ this.register('human_oversight', modulePresence('approval-queue'));
118
+ this.register('approval_queue_active', modulePresence('approval-queue'));
119
+ this.register('transparency_active', modulePresence('transparency-injector'));
120
+ this.register('data_classifier_active', modulePresence('data-classifier'));
121
+ this.register('post_market_monitoring', modulePresence('anomaly-detector'));
122
+ this.register('incident_reporting', modulePresence('event-bus'));
123
+ this.register('bias_monitor_active', modulePresence('bias-monitor'));
124
+ this.register('attestation_active', modulePresence('attestation-manager'));
125
+ this.register('subservice_registry_active', modulePresence('supply-chain'));
126
+ this.register('change_management_active', modulePresence('governance-runtime'));
127
+ this.register('segregation_of_duties_active', modulePresence('approval-queue'));
128
+ this.register('service_provider_contracts_active', modulePresence('supply-chain'));
129
+ this.register('developer_statement_active', modulePresence('supply-chain'));
130
+ this.register('capability_bundle_active', modulePresence('capability-bundle'));
131
+ // PCI-specific pattern detection (evidence-based)
132
+ this.register('pan_detection_active', (ctx) => {
133
+ const dcActive = ctx.activeModules.includes('data-classifier');
134
+ const categories = ctx.packConfig?.['data-classifier']?.enabledCategories ?? [];
135
+ const panCategory = categories.some(c => /PAN/i.test(c));
136
+ const passed = dcActive && panCategory;
137
+ return {
138
+ passed,
139
+ detail: passed
140
+ ? 'data-classifier active with PAN category enabled'
141
+ : `data-classifier=${dcActive}, PAN category=${panCategory}`,
142
+ };
143
+ });
144
+ // Retention sanity checks
145
+ this.register('audit_trail_12mo', retentionAtLeast('auditRetentionDays', 365, 'audit retention'));
146
+ // Generic retention-policy presence check used by jurisdiction-specific
147
+ // packs (UK NHS, MHRA, Equality Act, NIS, Online Safety, Procurement,
148
+ // CMA, NI Equality, NI HSCNI, Scotland AWI / Procurement Reform,
149
+ // EU DMA / CRA, HK PDPO, NI MCA). Passes when the audit-integrity
150
+ // module is active AND auditRetentionDays > 0. The pack-specific
151
+ // minimum-days obligation is enforced by per-pack retention checks
152
+ // (e.g. audit_trail_12mo); this generic gate only verifies that some
153
+ // non-zero retention is configured, which is the precondition every
154
+ // jurisdiction shares.
155
+ this.register('retention_policy_active', (ctx) => {
156
+ const auditActive = ctx.activeModules.includes('audit-integrity');
157
+ const days = ctx.evidence?.auditRetentionDays;
158
+ const n = typeof days === 'number' ? days : 0;
159
+ const passed = auditActive && n > 0;
160
+ return {
161
+ passed,
162
+ detail: passed
163
+ ? `retention policy active: audit-integrity module loaded, auditRetentionDays=${n}`
164
+ : `retention policy not active: audit-integrity=${auditActive}, auditRetentionDays=${n}`,
165
+ };
166
+ });
167
+ // Evidence-flag checks (runtime must set these)
168
+ this.register('hash_chain_persisted', evidenceFlag('hashChainPersisted', 'hash chain persistence'));
169
+ this.register('cuec_register_active', evidenceFlag('cuecRegisterActive', 'CUEC register'));
170
+ this.register('notice_at_collection_active', evidenceFlag('noticeAtCollectionActive', 'notice at collection'));
171
+ this.register('opt_out_honour_active', evidenceFlag('optOutHonourActive', 'opt-out honour (incl. GPC)'));
172
+ this.register('spi_restriction_active', evidenceFlag('spiRestrictionActive', 'SPI restriction'));
173
+ this.register('dsr_deadline_active', evidenceFlag('dsrDeadlineActive', 'DSR 45-day deadline tracking'));
174
+ this.register('admt_opt_out_active', evidenceFlag('admtOptOutActive', 'ADMT opt-out'));
175
+ this.register('non_discrimination_active', evidenceFlag('nonDiscriminationActive', 'non-discrimination'));
176
+ this.register('risk_assessment_active', evidenceFlag('riskAssessmentActive', 'risk assessment'));
177
+ this.register('cybersecurity_audit_active', evidenceFlag('cybersecurityAuditActive', 'annual cybersecurity audit'));
178
+ this.register('ai_training_transparency_active', evidenceFlag('aiTrainingTransparencyActive', 'AI training data transparency'));
179
+ this.register('delete_act_active', evidenceFlag('deleteActActive', 'SB 362 Delete Act participation'));
180
+ this.register('impact_assessment_current', evidenceFlag('impactAssessmentCurrent', 'impact assessment currency'));
181
+ this.register('material_modification_reassessment_active', evidenceFlag('materialModificationReassessmentActive', 'material modification reassessment'));
182
+ this.register('consumer_notice_active', evidenceFlag('consumerNoticeActive', 'consumer notice'));
183
+ this.register('adverse_decision_workflow_active', evidenceFlag('adverseDecisionWorkflowActive', 'adverse decision workflow'));
184
+ this.register('risk_management_program_active', evidenceFlag('riskManagementProgramActive', 'risk management program'));
185
+ this.register('discrimination_disclosure_on_time', evidenceFlag('discriminationDisclosureOnTime', '90-day discrimination disclosure'));
186
+ this.register('public_statement_current', evidenceFlag('publicStatementCurrent', 'public statement'));
187
+ this.register('exemption_register_active', evidenceFlag('exemptionRegisterActive', 'exemption register'));
188
+ // -- HITECH-specific checks (derive from module config where possible) --
189
+ const configFlag = (mod, field, label) => (ctx) => {
190
+ const v = ctx.packConfig?.[mod]?.[field];
191
+ const passed = v === true || typeof v === 'number' || (Array.isArray(v) && v.length > 0);
192
+ return {
193
+ passed,
194
+ detail: passed
195
+ ? `${label} configured (${mod}.${field})`
196
+ : `${label} not configured (${mod}.${field} missing or falsy)`,
197
+ };
198
+ };
199
+ const configNumberAtLeast = (mod, field, minimum, label) => (ctx) => {
200
+ const v = ctx.packConfig?.[mod]?.[field];
201
+ const n = typeof v === 'number' ? v : 0;
202
+ const passed = n >= minimum;
203
+ return {
204
+ passed,
205
+ detail: passed
206
+ ? `${label}: ${mod}.${field}=${n} >= ${minimum}`
207
+ : `${label}: ${mod}.${field}=${n} < ${minimum}`,
208
+ };
209
+ };
210
+ this.register('hitech_hipaa_paired', (ctx) => {
211
+ const activePackIds = ctx.activePackIds ?? [];
212
+ const hipaaActive = activePackIds.includes('hipaa');
213
+ const requires = ctx.packConfig?.['governance-runtime']?.requiresPacks ?? [];
214
+ const configuredForPair = requires.includes('hipaa');
215
+ const passed = hipaaActive && configuredForPair;
216
+ return {
217
+ passed,
218
+ detail: passed
219
+ ? 'HITECH paired with HIPAA (both packs active; governance-runtime.requiresPacks includes hipaa)'
220
+ : `pair check failed: hipaa-active=${hipaaActive}, requiresPacks-has-hipaa=${configuredForPair}`,
221
+ };
222
+ });
223
+ this.register('breach_clock_active', configNumberAtLeast('session-persistence', 'breachClockTrackingDays', 1, 'breach clock'));
224
+ this.register('breach_500_escalation_active', (ctx) => {
225
+ const threshold = ctx.packConfig?.['session-persistence']?.breachThresholdForMediaNotice;
226
+ const passed = threshold === 500;
227
+ return {
228
+ passed,
229
+ detail: passed
230
+ ? '500-record media escalation threshold configured'
231
+ : `expected session-persistence.breachThresholdForMediaNotice=500, got ${threshold}`,
232
+ };
233
+ });
234
+ this.register('annual_hhs_report_scheduled', evidenceFlag('annualHhsReportScheduled', 'HHS annual small-breach report'));
235
+ this.register('ba_chain_tracked', configFlag('supply-chain', 'baChainTrackingRequired', 'BA chain tracking'));
236
+ this.register('penalty_tier_classifier_active', configFlag('governance-runtime', 'tierClassificationActive', 'penalty tier classifier'));
237
+ this.register('unsecured_phi_detector_active', (ctx) => {
238
+ const encLayer = ctx.activeModules.includes('encryption-layer');
239
+ const dc = ctx.activeModules.includes('data-classifier');
240
+ const passed = encLayer && dc;
241
+ return {
242
+ passed,
243
+ detail: passed
244
+ ? 'unsecured-PHI detector derived from encryption-layer + data-classifier presence'
245
+ : `missing modules: encryption-layer=${encLayer}, data-classifier=${dc}`,
246
+ };
247
+ });
248
+ this.register('phi_sale_gate_active', configFlag('approval-queue', 'phiSaleRequiresAuthorisation', 'PHI sale gate'));
249
+ this.register('phi_marketing_gate_active', configFlag('approval-queue', 'phiMarketingRequiresAuthorisation', 'PHI marketing gate'));
250
+ this.register('recognised_security_practices_active', (ctx) => {
251
+ const frameworks = ctx.packConfig?.['attestation-manager']?.recognisedSecurityPracticesFrameworks ?? [];
252
+ const months = ctx.packConfig?.['attestation-manager']?.recognisedSecurityPracticesMinimumMonths ?? 0;
253
+ const evidenceMonths = ctx.evidence?.recognisedSecurityPracticesMonths ?? 0;
254
+ const configured = frameworks.length > 0 && months >= 12;
255
+ const evidenced = evidenceMonths >= 12;
256
+ const passed = configured && evidenced;
257
+ return {
258
+ passed,
259
+ detail: passed
260
+ ? `HR 7898 Safe Harbor: ${frameworks.join(', ')} attested for ${evidenceMonths} months`
261
+ : configured
262
+ ? `HR 7898 configured but evidence shows only ${evidenceMonths} months (need >=12)`
263
+ : `HR 7898 frameworks not configured`,
264
+ };
265
+ });
266
+ this.register('ocr_audit_ready', evidenceFlag('ocrAuditReady', 'OCR audit readiness'));
267
+ // -- GLBA-specific checks --
268
+ this.register('wisp_active', evidenceFlag('wispActive', 'Written Information Security Program'));
269
+ this.register('qualified_individual_active', configFlag('governance-runtime', 'qualifiedIndividualRequired', 'qualified individual'));
270
+ this.register('glba_mfa_active', configFlag('agent-auth', 'mfaMandatoryForNpiAccess', 'MFA for NPI access'));
271
+ this.register('service_provider_oversight_active', configFlag('supply-chain', 'serviceProviderDueDiligenceRequired', 'service provider oversight'));
272
+ this.register('glba_opt_out_honoured', (ctx) => {
273
+ const configured = ctx.packConfig?.['session-persistence']?.optOutPersistenceRequired === true;
274
+ const evidenced = ctx.evidence?.glbaOptOutHonoured === true;
275
+ const passed = configured && evidenced;
276
+ return {
277
+ passed,
278
+ detail: passed
279
+ ? 'opt-out configured and runtime evidence present'
280
+ : `opt-out configured=${configured}, evidence=${evidenced}`,
281
+ };
282
+ });
283
+ this.register('glba_privacy_notice_current', (ctx) => {
284
+ const configured = ctx.packConfig?.['session-persistence']?.privacyNoticeAnnualDeliveryRequired === true;
285
+ const evidenced = ctx.evidence?.glbaPrivacyNoticeCurrent === true;
286
+ const passed = configured && evidenced;
287
+ return {
288
+ passed,
289
+ detail: passed
290
+ ? 'initial + annual privacy notice current'
291
+ : `configured=${configured}, evidence=${evidenced}`,
292
+ };
293
+ });
294
+ this.register('pretexting_detection_active', evidenceFlag('pretextingDetectionActive', 'pretexting detection'));
295
+ this.register('glba_testing_cadence_active', (ctx) => {
296
+ const pent = ctx.packConfig?.['attestation-manager']?.penetrationTestCadenceDays;
297
+ const vuln = ctx.packConfig?.['attestation-manager']?.vulnerabilityScanCadenceDays;
298
+ const passed = pent === 365 && vuln === 182;
299
+ return {
300
+ passed,
301
+ detail: passed
302
+ ? 'pentest 365d + vuln scan 182d cadence configured'
303
+ : `pentest=${pent}, vuln=${vuln}`,
304
+ };
305
+ });
306
+ this.register('glba_30day_notice_active', evidenceFlag('glba30dayNoticeActive', '30-day FTC notification wiring'));
307
+ this.register('glba_board_report_active', configFlag('attestation-manager', 'boardAnnualReportRequired', 'annual board report'));
308
+ // -- ABA-specific checks --
309
+ this.register('aba_citecheck_active', evidenceFlag('abaCitecheckActive', 'cite-check evidence'));
310
+ this.register('aba_confidentiality_gate_active', (ctx) => {
311
+ const dcAction = ctx.packConfig?.['data-classifier']?.privilegedAction;
312
+ const passed = dcAction === 'BLOCK_UNLESS_CONSENTED';
313
+ return {
314
+ passed,
315
+ detail: passed
316
+ ? 'privileged action = BLOCK_UNLESS_CONSENTED configured'
317
+ : `data-classifier.privilegedAction=${dcAction}`,
318
+ };
319
+ });
320
+ this.register('aba_supervision_active', configFlag('attestation-manager', 'supervisingLawyerRequiredPerAgent', 'supervising lawyer per agent'));
321
+ this.register('aba_filing_review_active', configFlag('approval-queue', 'courtFilingRequiresLawyerReview', 'court filing review'));
322
+ this.register('aba_client_consent_active', (ctx) => {
323
+ const configured = ctx.packConfig?.['session-persistence']?.clientInformedConsentRequired === true;
324
+ const evidenced = ctx.evidence?.abaClientConsentActive === true;
325
+ const passed = configured && evidenced;
326
+ return {
327
+ passed,
328
+ detail: passed
329
+ ? 'client consent configured and evidence present'
330
+ : `configured=${configured}, evidence=${evidenced}`,
331
+ };
332
+ });
333
+ this.register('aba_conflicts_active', (ctx) => {
334
+ const isolation = ctx.packConfig?.['session-persistence']?.perMatterIsolationRequired === true;
335
+ const conflicts = ctx.packConfig?.['session-persistence']?.conflictCheckRequired === true;
336
+ const passed = isolation && conflicts;
337
+ return {
338
+ passed,
339
+ detail: passed
340
+ ? 'per-matter isolation + conflict check configured'
341
+ : `isolation=${isolation}, conflicts=${conflicts}`,
342
+ };
343
+ });
344
+ this.register('aba_upl_active', configFlag('governance-runtime', 'upljurisdictionScopeRequired', 'UPL jurisdiction scope'));
345
+ this.register('aba_fee_review_active', configFlag('approval-queue', 'feeReasonablenessReviewRequired', 'fee reasonableness review'));
346
+ this.register('aba_marketing_review_active', configFlag('approval-queue', 'marketingTruthfulnessReviewRequired', 'marketing truthfulness review'));
347
+ this.register('aba_vendor_terms_active', (ctx) => {
348
+ const zeroRet = ctx.packConfig?.['supply-chain']?.vendorZeroRetentionRequired === true;
349
+ const zeroTrain = ctx.packConfig?.['supply-chain']?.vendorZeroTrainingOnInputsRequired === true;
350
+ const segregation = ctx.packConfig?.['supply-chain']?.vendorClientDataSegregationRequired === true;
351
+ const passed = zeroRet && zeroTrain && segregation;
352
+ return {
353
+ passed,
354
+ detail: passed
355
+ ? 'vendor terms: zero-retention + zero-training-on-inputs + client-data-segregation'
356
+ : `zeroRet=${zeroRet}, zeroTrain=${zeroTrain}, segregation=${segregation}`,
357
+ };
358
+ });
359
+ // -- FTC §5-specific checks --
360
+ this.register('ftc5_claim_substantiation_active', configFlag('governance-runtime', 'claimSubstantiationRequired', 'claim substantiation'));
361
+ this.register('ftc5_fake_review_active', configFlag('anomaly-detector', 'fakeReviewDetectionActive', 'fake-review detection'));
362
+ this.register('ftc5_ai_disclosure_active', (ctx) => {
363
+ const gen = ctx.packConfig?.['transparency-injector']?.aiGenerationDisclosureRequired === true;
364
+ const end = ctx.packConfig?.['transparency-injector']?.syntheticEndorsementDisclosureRequired === true;
365
+ const passed = gen && end;
366
+ return {
367
+ passed,
368
+ detail: passed
369
+ ? 'AI-generation + synthetic-endorsement disclosure configured'
370
+ : `generation=${gen}, endorsement=${end}`,
371
+ };
372
+ });
373
+ this.register('ftc5_dark_patterns_active', configFlag('approval-queue', 'darkPatternDeploymentReview', 'dark-pattern review'));
374
+ this.register('ftc5_fraud_chatbot_active', evidenceFlag('ftc5FraudChatbotActive', 'chatbot fraud detection'));
375
+ this.register('ftc5_coppa_gate_active', configFlag('governance-runtime', 'ageGateRequired', 'COPPA age gate'));
376
+ this.register('ftc5_data_minimisation_active', configFlag('governance-runtime', 'dataMinimisationRequired', 'data minimisation'));
377
+ this.register('ftc5_disgorgement_readiness_active', (ctx) => {
378
+ const gr = ctx.packConfig?.['governance-runtime']?.algorithmicDisgorgementReadyRequired === true;
379
+ const att = ctx.packConfig?.['attestation-manager']?.trainingDataProvenanceRequired === true;
380
+ const passed = gr && att;
381
+ return {
382
+ passed,
383
+ detail: passed
384
+ ? 'disgorgement readiness: governance-runtime flag + training-data provenance configured'
385
+ : `gr=${gr}, att=${att}`,
386
+ };
387
+ });
388
+ this.register('ftc5_disparate_impact_active', configFlag('anomaly-detector', 'disparateImpactDetectionActive', 'disparate impact detection'));
389
+ this.register('ftc5_ai_washing_active', (ctx) => {
390
+ const registry = ctx.packConfig?.['attestation-manager']?.claimRegistryRequired === true;
391
+ const passed = registry;
392
+ return {
393
+ passed,
394
+ detail: passed
395
+ ? 'claim registry required; AI-washing prevented'
396
+ : 'claim registry not configured',
397
+ };
398
+ });
399
+ // -- SR 11-7 specific checks --
400
+ this.register('sr117_inventory_active', configFlag('governance-runtime', 'modelInventoryRegistrationRequired', 'model inventory'));
401
+ this.register('sr117_validation_independence_active', configFlag('approval-queue', 'validatorSeparationRequired', 'validator separation'));
402
+ this.register('sr117_validation_cadence_active', (ctx) => {
403
+ const cadence = ctx.packConfig?.['attestation-manager']?.validationCadenceByTierDays;
404
+ const ok = !!cadence && typeof cadence.CRITICAL === 'number' && typeof cadence.LOW === 'number';
405
+ return {
406
+ passed: ok,
407
+ detail: ok
408
+ ? `cadence configured: CRITICAL=${cadence.CRITICAL}d, HIGH=${cadence.HIGH}d, MEDIUM=${cadence.MEDIUM}d, LOW=${cadence.LOW}d`
409
+ : 'tier cadence not configured',
410
+ };
411
+ });
412
+ this.register('sr117_challenger_active', configFlag('attestation-manager', 'challengerModelRequiredForCriticalTier', 'challenger model for CRITICAL tier'));
413
+ this.register('sr117_drift_monitoring_active', configFlag('anomaly-detector', 'driftDetectionActive', 'drift monitoring'));
414
+ this.register('sr117_retirement_active', configFlag('governance-runtime', 'retirementEnforcementRequired', 'retirement enforcement'));
415
+ this.register('sr117_documentation_active', (ctx) => {
416
+ const fields = ctx.packConfig?.['supply-chain']?.developerStatementFields;
417
+ const ok = Array.isArray(fields) && fields.length >= 4;
418
+ return {
419
+ passed: !!ok,
420
+ detail: ok ? `developer statement fields: ${fields?.join(', ')}` : 'developer statement fields missing',
421
+ };
422
+ });
423
+ this.register('sr117_material_change_active', configFlag('approval-queue', 'materialChangeRevalidationRequired', 'material change revalidation'));
424
+ this.register('sr117_governance_report_active', evidenceFlag('sr117GovernanceReportActive', 'enterprise model-risk governance report'));
425
+ // -- 21 CFR Part 11 specific checks --
426
+ this.register('part11_validation_gate_active', configFlag('governance-runtime', 'validationGateRequired', 'IQ/OQ/PQ validation gate'));
427
+ this.register('part11_esignature_active', configFlag('approval-queue', 'eSignatureOnRecordModificationRequired', 'e-signature on record modification'));
428
+ this.register('part11_append_only_audit_active', configFlag('audit-integrity', 'appendOnlyAuditTrailRequired', 'append-only audit trail'));
429
+ this.register('part11_authority_matrix_active', configFlag('governance-runtime', 'authorityMatrixEnforced', 'authority-to-sign matrix'));
430
+ this.register('part11_signature_binding_active', configFlag('approval-queue', 'signatureBoundToRecordHash', 'signature bound to record hash'));
431
+ this.register('part11_timestamps_active', configFlag('event-bus', 'ntpTimestampRequired', 'NTP timestamps'));
432
+ this.register('part11_ai_provenance_active', configFlag('attestation-manager', 'aiProvenanceAttestationRequired', 'AI provenance attestation'));
433
+ this.register('part11_contemporaneous_active', configFlag('session-persistence', 'contemporaneousCaptureRequired', 'contemporaneous capture'));
434
+ this.register('part11_sequencing_active', configFlag('event-bus', 'sequenceIdEnforced', 'event sequencing'));
435
+ this.register('part11_retention_active', configFlag('attestation-manager', 'retentionLockedToPredicateRule', 'predicate-rule retention lock'));
436
+ this.register('part11_alcoa_plus_active', configFlag('governance-runtime', 'alcoaPlusEnforced', 'ALCOA+ enforcement'));
437
+ // -- SOX 404 specific checks --
438
+ this.register('sox404_management_assessment_active', configFlag('attestation-manager', 'annualManagementAssessmentRequired', '§404(a) management assessment'));
439
+ this.register('sox404_control_mapping_active', configFlag('governance-runtime', 'icfrControlMappingRequired', 'ICFR control mapping'));
440
+ this.register('sox404_material_change_active', configFlag('governance-runtime', 'materialChangeReassessmentRequired', 'material change reassessment'));
441
+ this.register('sox404_sod_active', configFlag('approval-queue', 'sodEnforced', 'segregation of duties'));
442
+ this.register('sox404_ai_gl_gate_active', configFlag('approval-queue', 'aiOutputToGeneralLedgerRequiresHumanReview', 'AI-to-GL human review gate'));
443
+ this.register('sox404_deficiency_register_active', configFlag('attestation-manager', 'deficiencyRegisterRequired', 'deficiency register'));
444
+ this.register('sox404_testing_cadence_active', (ctx) => {
445
+ const days = ctx.packConfig?.['attestation-manager']?.quarterlyControlTestingCadenceDays;
446
+ const passed = typeof days === 'number' && days <= 90;
447
+ return {
448
+ passed,
449
+ detail: passed
450
+ ? `quarterly control testing cadence configured (${days}d)`
451
+ : `testing cadence not configured (${days})`,
452
+ };
453
+ });
454
+ this.register('sox404_change_management_active', evidenceFlag('sox404ChangeManagementActive', 'change management log'));
455
+ this.register('sox404_cuec_register_active', configFlag('supply-chain', 'socOneCuecRegistrationRequired', 'SOC 1 CUEC register'));
456
+ this.register('sox404_itgc_matrix_active', evidenceFlag('sox404ItgcMatrixActive', 'ITGC matrix'));
457
+ // F-NEW-VERA-PACK-C2-07 (2026-05-03): COSO 2013 framework version validator.
458
+ // PCAOB AS 2201 §.03 requires COSO 2013 Integrated Framework (5 components, 17 principles).
459
+ // The superseded 1992 framework is not acceptable for SOX 404 ICFR assessments.
460
+ this.register('sox404_coso_2013_framework_active', (ctx) => {
461
+ const cosoAlignment = ctx.packConfig?.['governance-runtime']?.cosoFrameworkAlignmentRequired;
462
+ const passed = cosoAlignment === 'COSO 2013';
463
+ return {
464
+ passed,
465
+ detail: passed
466
+ ? 'COSO 2013 Integrated Framework alignment configured (5 components, 17 principles)'
467
+ : `COSO framework alignment not configured or not set to 'COSO 2013' (found: ${cosoAlignment ?? 'undefined'}) -- PCAOB AS 2201 requires COSO 2013`,
468
+ };
469
+ });
470
+ // -- BSA / AML specific checks --
471
+ this.register('bsa_cip_active', configFlag('governance-runtime', 'cipRequired', 'Customer Identification Program'));
472
+ this.register('bsa_cdd_active', configFlag('governance-runtime', 'cddRequired', 'Customer Due Diligence'));
473
+ this.register('bsa_ofac_active', configFlag('governance-runtime', 'ofacScreeningRequired', 'OFAC sanctions screening'));
474
+ this.register('bsa_sar_30day_active', evidenceFlag('bsaSar30dayActive', '30-day SAR filing'));
475
+ this.register('bsa_ctr_10k_active', (ctx) => {
476
+ const threshold = ctx.packConfig?.['data-classifier']?.transactionThresholdCtrUsd;
477
+ const passed = threshold === 10000;
478
+ return {
479
+ passed,
480
+ detail: passed ? 'CTR threshold $10,000 configured' : `CTR threshold ${threshold}`,
481
+ };
482
+ });
483
+ this.register('bsa_officer_designated', configFlag('attestation-manager', 'bsaOfficerDesignationRequired', 'BSA officer designation'));
484
+ this.register('bsa_annual_training_active', configFlag('attestation-manager', 'annualTrainingRequired', 'annual BSA/AML training'));
485
+ this.register('bsa_independent_testing_active', (ctx) => {
486
+ const days = ctx.packConfig?.['attestation-manager']?.independentTestingCadenceDays;
487
+ const passed = typeof days === 'number' && days <= 365;
488
+ return {
489
+ passed,
490
+ detail: passed ? `independent testing cadence ${days}d` : `cadence not set (${days})`,
491
+ };
492
+ });
493
+ this.register('bsa_boi_active', configFlag('governance-runtime', 'boiReportingRequired', 'Corporate Transparency Act BOI reporting'));
494
+ this.register('bsa_ai_explainability_active', evidenceFlag('bsaAiExplainabilityActive', 'AI explainability for SAR narrative'));
495
+ this.register('bsa_aml_bias_active', configFlag('bias-monitor', 'amlDemographicBiasMonitoringRequired', 'AML demographic bias monitoring'));
496
+ // -- NY DFS 500 specific checks --
497
+ this.register('nydfs500_ciso_active', configFlag('attestation-manager', 'cisoDesignationRequired', 'CISO designation + board report'));
498
+ this.register('nydfs500_mfa_active', (ctx) => {
499
+ const priv = ctx.packConfig?.['agent-auth']?.mfaForPrivilegedAccess === true;
500
+ const rem = ctx.packConfig?.['agent-auth']?.mfaForRemoteAccess === true;
501
+ const passed = priv && rem;
502
+ return {
503
+ passed,
504
+ detail: passed
505
+ ? 'MFA enforced on privileged + remote access'
506
+ : `privileged=${priv}, remote=${rem}`,
507
+ };
508
+ });
509
+ this.register('nydfs500_72h_notice_active', (ctx) => {
510
+ const hours = ctx.packConfig?.['event-bus']?.cybersecurityEventNotificationHours;
511
+ const passed = hours === 72;
512
+ return {
513
+ passed,
514
+ detail: passed
515
+ ? '72-hour cybersecurity event notification configured'
516
+ : `cybersecurityEventNotificationHours=${hours}`,
517
+ };
518
+ });
519
+ this.register('nydfs500_24h_ransomware_active', (ctx) => {
520
+ const hours = ctx.packConfig?.['event-bus']?.ransomwarePaymentNotificationHours;
521
+ const passed = hours === 24;
522
+ return {
523
+ passed,
524
+ detail: passed
525
+ ? '24-hour ransomware payment notification configured'
526
+ : `ransomwarePaymentNotificationHours=${hours}`,
527
+ };
528
+ });
529
+ this.register('nydfs500_risk_assessment_active', configFlag('attestation-manager', 'riskAssessmentCadenceDays', 'annual risk assessment cadence'));
530
+ this.register('nydfs500_pentest_cadence_active', (ctx) => {
531
+ const pent = ctx.packConfig?.['attestation-manager']?.penetrationTestCadenceDays;
532
+ const vuln = ctx.packConfig?.['attestation-manager']?.vulnerabilityScanCadenceDays;
533
+ const passed = pent === 365 && vuln === 182;
534
+ return {
535
+ passed,
536
+ detail: passed
537
+ ? 'annual pentest + bi-annual vuln scan cadences configured'
538
+ : `pentest=${pent}, vuln=${vuln}`,
539
+ };
540
+ });
541
+ this.register('nydfs500_supply_chain_active', configFlag('supply-chain', 'serviceProviderDueDiligenceRequired', 'third-party service provider policy'));
542
+ this.register('nydfs500_asset_inventory_active', configFlag('session-persistence', 'assetInventoryRequired', 'asset inventory'));
543
+ this.register('nydfs500_training_active', configFlag('attestation-manager', 'cybersecurityTrainingCadenceDays', 'cybersecurity training cadence'));
544
+ this.register('nydfs500_ai_risk_active', configFlag('governance-runtime', 'aiSpecificRiskAssessmentRequired', 'AI-specific risk assessment'));
545
+ // -- CFPB 2023-03 specific checks --
546
+ this.register('cfpb_adverse_deadline_active', (ctx) => {
547
+ const days = ctx.packConfig?.['governance-runtime']?.adverseActionDeadlineDays;
548
+ const passed = days === 30;
549
+ return {
550
+ passed,
551
+ detail: passed ? '30-day adverse action deadline configured' : `adverseActionDeadlineDays=${days}`,
552
+ };
553
+ });
554
+ this.register('cfpb_principal_factor_active', configFlag('governance-runtime', 'principalFactorReasonRequired', 'principal-factor reason requirement'));
555
+ this.register('cfpb_generic_blocked_active', (ctx) => {
556
+ const gr = ctx.packConfig?.['governance-runtime']?.genericRationaleBlocked === true;
557
+ const aq = ctx.packConfig?.['approval-queue']?.genericReasonBlocked === true;
558
+ const passed = gr && aq;
559
+ return {
560
+ passed,
561
+ detail: passed
562
+ ? 'generic rationale blocked at governance-runtime AND approval-queue'
563
+ : `governance-runtime=${gr}, approval-queue=${aq}`,
564
+ };
565
+ });
566
+ this.register('cfpb_vendor_doc_active', configFlag('approval-queue', 'vendorScoringCreditorDocumentationRequired', 'vendor-scoring creditor documentation'));
567
+ this.register('cfpb_sample_form_active', configFlag('approval-queue', 'sampleFormCodeValidation', 'Regulation B sample-form validation'));
568
+ this.register('cfpb_methodology_active', configFlag('attestation-manager', 'reasonDerivationMethodologyRequired', 'reason-derivation methodology documentation'));
569
+ this.register('cfpb_ecoa_bias_active', configFlag('bias-monitor', 'ecoaDisparateImpactMonitoringRequired', 'ECOA disparate impact monitoring'));
570
+ this.register('cfpb_conflict_detection_active', configFlag('anomaly-detector', 'conflictingReasonCodeDetectionActive', 'conflicting reason-code detection'));
571
+ this.register('cfpb_retention_active', evidenceFlag('cfpbRetentionActive', 'Regulation B retention compliance'));
572
+ // -- HIPAA-specific checks (added in normalization pass) --
573
+ this.register('hipaa_auto_logoff_active', configFlag('session-persistence', 'autoLogoffRequired', 'automatic logoff'));
574
+ this.register('hipaa_integrity_active', (ctx) => {
575
+ const passed = ctx.activeModules.includes('memory-integrity');
576
+ return {
577
+ passed,
578
+ detail: passed ? 'memory-integrity module active' : 'memory-integrity module not active',
579
+ };
580
+ });
581
+ this.register('hipaa_minimum_necessary_active', configFlag('governance-runtime', 'minimumNecessaryEnforced', 'minimum-necessary standard'));
582
+ // -- GDPR-specific checks (added in normalization pass) --
583
+ this.register('gdpr_breach_72h_active', (ctx) => {
584
+ // Check that event-bus is active and pack has 72h incident deadline
585
+ const evActive = ctx.activeModules.includes('event-bus');
586
+ return {
587
+ passed: evActive,
588
+ detail: evActive
589
+ ? 'event-bus active; 72h breach notification clock available'
590
+ : 'event-bus not active; breach notification clock unavailable',
591
+ };
592
+ });
593
+ this.register('gdpr_transfer_mechanism_active', (ctx) => {
594
+ const dpf = ctx.packConfig?.['governance-runtime']?.dpfTransferMechanismSupported === true;
595
+ const scc = ctx.packConfig?.['governance-runtime']?.sccTransferMechanismSupported === true;
596
+ const passed = dpf || scc;
597
+ return {
598
+ passed,
599
+ detail: passed
600
+ ? `transfer mechanism supported: DPF=${dpf}, SCC=${scc}`
601
+ : 'no transfer mechanism configured',
602
+ };
603
+ });
604
+ this.register('gdpr_purpose_limitation_active', configFlag('governance-runtime', 'purposeLimitationEnforced', 'purpose limitation'));
605
+ this.register('gdpr_lawful_basis_active', configFlag('governance-runtime', 'lawfulBasisEnforced', 'lawful basis enforcement'));
606
+ this.register('gdpr_article22_active', configFlag('approval-queue', 'article22HumanReviewRequired', 'Art. 22 human review'));
607
+ this.register('gdpr_ropa_active', configFlag('attestation-manager', 'ropaRequired', 'Records of Processing Activities'));
608
+ this.register('gdpr_dpia_active', configFlag('attestation-manager', 'dpiaRequired', 'Data Protection Impact Assessment'));
609
+ // -- PCI DSS v4.0.1 specific checks (added in normalization pass) --
610
+ this.register('pci_mfa_cde_active', configFlag('agent-auth', 'mfaForCdeAccessRequired', 'MFA for CDE access'));
611
+ this.register('pci_tpsp_active', configFlag('supply-chain', 'tpspManagementRequired', 'TPSP management with AOC'));
612
+ this.register('pci_asv_scan_active', configFlag('attestation-manager', 'annualAsvScanRequired', 'quarterly ASV scan'));
613
+ this.register('pci_pentest_active', configFlag('attestation-manager', 'annualPenetrationTestRequired', 'annual penetration test'));
614
+ this.register('pci_targeted_risk_active', configFlag('attestation-manager', 'targetedRiskAnalysisRequired', 'targeted risk analysis'));
615
+ // -- EU AI Act specific checks (added in normalization pass) --
616
+ this.register('euai_prohibited_practice_active', configFlag('governance-runtime', 'prohibitedPracticeCheckRequired', 'Art. 5 prohibited-practice detection'));
617
+ this.register('euai_gpai_active', configFlag('supply-chain', 'gpaiObligationsTracked', 'GPAI obligations tracking'));
618
+ this.register('euai_fria_active', configFlag('bias-monitor', 'friaSupported', 'Fundamental Rights Impact Assessment'));
619
+ this.register('euai_conformity_active', configFlag('attestation-manager', 'conformityAssessmentRequired', 'conformity assessment + EU database registration'));
620
+ // -- ISO 27001:2022 specific checks (added in normalization pass) --
621
+ this.register('iso_config_mgmt_active', (ctx) => {
622
+ const passed = ctx.activeModules.includes('memory-integrity');
623
+ return {
624
+ passed,
625
+ detail: passed ? 'memory-integrity module active (A.8.9)' : 'memory-integrity module not active',
626
+ };
627
+ });
628
+ this.register('iso_threat_intel_active', configFlag('anomaly-detector', 'threatIntelligenceActive', 'threat intelligence (A.5.7)'));
629
+ this.register('iso_isms_active', (ctx) => {
630
+ const documented = ctx.packConfig?.['attestation-manager']?.ismsDocumentedRequired === true;
631
+ const soa = ctx.packConfig?.['attestation-manager']?.statementOfApplicabilityRequired === true;
632
+ const review = ctx.packConfig?.['attestation-manager']?.managementReviewAnnualRequired === true;
633
+ const audit = ctx.packConfig?.['attestation-manager']?.internalAuditAnnualRequired === true;
634
+ const passed = documented && soa && review && audit;
635
+ return {
636
+ passed,
637
+ detail: passed
638
+ ? 'ISMS documented + SoA + annual management review + internal audit configured'
639
+ : `ISMS=${documented}, SoA=${soa}, review=${review}, audit=${audit}`,
640
+ };
641
+ });
642
+ // -- DORA specific checks (added in normalization pass) --
643
+ this.register('dora_incident_4hr_active', (ctx) => {
644
+ const hours = ctx.packConfig?.['event-bus']?.majorIncidentFourHourNotificationHours;
645
+ const passed = hours === 4;
646
+ return {
647
+ passed,
648
+ detail: passed ? '4-hour major-incident notification configured' : `majorIncidentFourHourNotificationHours=${hours}`,
649
+ };
650
+ });
651
+ this.register('dora_incident_cascade_active', (ctx) => {
652
+ const four = ctx.packConfig?.['event-bus']?.majorIncidentFourHourNotificationHours;
653
+ const seventyTwo = ctx.packConfig?.['event-bus']?.majorIncidentSeventyTwoHourInterimHours;
654
+ const month = ctx.packConfig?.['event-bus']?.majorIncidentOneMonthFinalHours;
655
+ const passed = four === 4 && seventyTwo === 72 && month === 720;
656
+ return {
657
+ passed,
658
+ detail: passed
659
+ ? '4h/72h/1-month cascade reporting configured'
660
+ : `4h=${four}, 72h=${seventyTwo}, 1mo=${month}`,
661
+ };
662
+ });
663
+ this.register('dora_resilience_active', (ctx) => {
664
+ const cb = ctx.activeModules.includes('circuit-breaker');
665
+ const config = ctx.packConfig?.['circuit-breaker']?.responseAndRecoveryRequired === true;
666
+ const passed = cb && config;
667
+ return {
668
+ passed,
669
+ detail: passed
670
+ ? 'circuit-breaker active + response-and-recovery configured'
671
+ : `circuit-breaker=${cb}, config=${config}`,
672
+ };
673
+ });
674
+ this.register('dora_register_of_information_active', configFlag('supply-chain', 'registerOfInformationRequired', 'Register of Information'));
675
+ this.register('dora_tlpt_active', configFlag('attestation-manager', 'threatLedPenetrationTestingRequired', 'threat-led penetration testing'));
676
+ // -- NIST AI RMF specific checks (added in normalization pass) --
677
+ this.register('nist_manage_2_active', (ctx) => {
678
+ const cb = ctx.activeModules.includes('circuit-breaker');
679
+ const config = ctx.packConfig?.['circuit-breaker']?.residualRiskMitigationRequired === true;
680
+ const passed = cb && config;
681
+ return {
682
+ passed,
683
+ detail: passed ? 'circuit-breaker + residual-risk mitigation configured' : `cb=${cb}, config=${config}`,
684
+ };
685
+ });
686
+ this.register('nist_risk_register_active', configFlag('attestation-manager', 'riskRegisterRequired', 'risk register (MANAGE 4)'));
687
+ this.register('nist_genai_profile_active', configFlag('attestation-manager', 'genaiProfileAlignmentRequired', 'NIST GenAI Profile alignment'));
688
+ // -- ISO/IEC 42001 specific checks (added in normalization pass) --
689
+ this.register('iso42001_context_active', configFlag('governance-runtime', 'aimsContextDefined', 'AIMS context of organisation'));
690
+ this.register('iso42001_leadership_active', configFlag('approval-queue', 'leadershipCommitmentRequired', 'leadership commitment + AI policy'));
691
+ this.register('iso42001_responsible_objectives_active', configFlag('bias-monitor', 'responsibleAiObjectivesTracked', 'responsible AI objectives'));
692
+ this.register('iso42001_data_lifecycle_active', configFlag('data-classifier', 'aiDataLifecycleManagementRequired', 'AI data lifecycle (Annex B)'));
693
+ this.register('iso42001_internal_audit_active', (ctx) => {
694
+ const review = ctx.packConfig?.['attestation-manager']?.managementReviewRequired === true;
695
+ const audit = ctx.packConfig?.['attestation-manager']?.internalAuditRequired === true;
696
+ const passed = review && audit;
697
+ return {
698
+ passed,
699
+ detail: passed ? 'internal audit + management review configured' : `audit=${audit}, review=${review}`,
700
+ };
701
+ });
702
+ this.register('iso42001_impact_assessment_active', configFlag('attestation-manager', 'aiSystemImpactAssessmentRequired', 'AI system impact assessment (Annex C)'));
703
+ this.register('iso42001_soa_active', configFlag('attestation-manager', 'annexAStatementOfApplicabilityRequired', 'Statement of Applicability (Annex A)'));
704
+ // -- FDA SaMD specific checks (added in normalization pass) --
705
+ this.register('samd_qmsr_validation_active', configFlag('governance-runtime', 'qmsrValidationRequired', 'QMSR validation'));
706
+ this.register('samd_pccp_active', configFlag('approval-queue', 'pccpBoundaryEnforcement', 'PCCP boundary enforcement'));
707
+ this.register('samd_sbom_active', configFlag('supply-chain', 'sbomRequired', 'SBOM (PATCH Act)'));
708
+ this.register('samd_clinical_validation_active', configFlag('attestation-manager', 'clinicalValidationPerImdrfCategoryRequired', 'clinical validation per IMDRF category'));
709
+ this.register('samd_real_world_perf_active', configFlag('anomaly-detector', 'realWorldPerformanceMonitoringRequired', 'real-world performance monitoring'));
710
+ this.register('samd_mdr_active', (ctx) => {
711
+ const thirty = ctx.packConfig?.['event-bus']?.mdrThirtyDayClockActive === true;
712
+ const five = ctx.packConfig?.['event-bus']?.mdrFiveDayCorrectiveActionClockActive === true;
713
+ const passed = thirty && five;
714
+ return {
715
+ passed,
716
+ detail: passed ? 'MDR 30-day + 5-day clocks configured' : `30d=${thirty}, 5d=${five}`,
717
+ };
718
+ });
719
+ this.register('samd_post_market_active', configFlag('attestation-manager', 'postMarketSurveillancePlanRequired', 'post-market surveillance plan'));
720
+ this.register('samd_gmlp_active', configFlag('governance-runtime', 'gmlpPrincipleEvaluationRequired', 'GMLP principle evaluation'));
721
+ this.register('samd_imdrf_category_active', configFlag('governance-runtime', 'imdrfCategoryTrackingRequired', 'IMDRF SaMD category tracking'));
722
+ this.register('samd_bias_active', configFlag('bias-monitor', 'demographicSubgroupPerformanceRequired', 'demographic subgroup performance'));
723
+ this.register('samd_intended_use_active', configFlag('transparency-injector', 'indicationForUseDisclosureRequired', 'indication for use disclosure'));
724
+ // -- 42 CFR Part 2 specific checks (added in normalization pass) --
725
+ this.register('part2_consent_gate_active', configFlag('governance-runtime', 'consentGateRequired', 'SUD consent gate'));
726
+ this.register('part2_legal_proceedings_active', configFlag('approval-queue', 'legalProceedingsCourtOrderRequired', 'legal proceedings court order gate'));
727
+ this.register('part2_segmentation_active', configFlag('data-classifier', 'part2SegmentationRequired', 'Part 2 segmentation'));
728
+ this.register('part2_redisclosure_notice_active', configFlag('transparency-injector', 'prohibitionOnRedisclosureNoticeRequired', 'Prohibition on Redisclosure notice'));
729
+ this.register('part2_revocation_active', configFlag('session-persistence', 'consentRevocationContinuityRequired', 'consent revocation continuity'));
730
+ this.register('part2_qso_agreement_active', configFlag('supply-chain', 'qsoAgreementRequired', 'QSO agreement'));
731
+ this.register('part2_minimum_necessary_active', configFlag('governance-runtime', 'minimumNecessaryEnforcedForSud', 'SUD minimum necessary'));
732
+ this.register('part2_research_gate_active', configFlag('approval-queue', 'researchIrbConsentRequired', 'research IRB + consent gate'));
733
+ this.register('part2_breach_60d_active', configFlag('event-bus', 'breachNotificationSixtyDayClockActive', '60-day breach notification'));
734
+ this.register('part2_anti_discrimination_active', configFlag('bias-monitor', 'sudAntiDiscriminationMonitoringRequired', 'SUD anti-discrimination'));
735
+ // -- GxP specific checks (added in normalization pass) --
736
+ this.register('gxp_validation_gate_active', configFlag('governance-runtime', 'aiValidationGateRequired', 'AI validation gate per GxP branch'));
737
+ this.register('gxp_alcoa_plus_active', configFlag('governance-runtime', 'alcoaPlusEnforced', 'ALCOA+ enforcement'));
738
+ this.register('gxp_batch_release_active', configFlag('approval-queue', 'batchReleaseQaGateRequired', 'GMP batch release QA gate'));
739
+ this.register('gxp_raw_data_active', configFlag('session-persistence', 'rawDataPreservationRequired', 'GLP raw data preservation'));
740
+ this.register('gxp_eligibility_consent_active', configFlag('approval-queue', 'clinicalEligibilityConsentGateRequired', 'GCP eligibility + consent gate'));
741
+ this.register('gxp_ind_safety_active', (ctx) => {
742
+ const seven = ctx.packConfig?.['event-bus']?.indSafetyReportSevenDayClockActive === true;
743
+ const fifteen = ctx.packConfig?.['event-bus']?.indSafetyReportFifteenDayClockActive === true;
744
+ const passed = seven && fifteen;
745
+ return {
746
+ passed,
747
+ detail: passed ? 'IND safety 7-day + 15-day clocks configured' : `7d=${seven}, 15d=${fifteen}`,
748
+ };
749
+ });
750
+ this.register('gxp_protocol_deviation_active', configFlag('approval-queue', 'protocolDeviationReviewRequired', 'protocol deviation review'));
751
+ this.register('gxp_oos_active', configFlag('anomaly-detector', 'gmpOosDetectionActive', 'GMP OOS detection'));
752
+ this.register('gxp_qaa_active', configFlag('supply-chain', 'qaaRequired', 'Quality Assurance Agreement'));
753
+ this.register('gxp_far_active', configFlag('event-bus', 'farThreeDayClockActive', 'Field Alert Report 3-day clock'));
754
+ // -- NYC LL 144 specific checks (added in normalization pass) --
755
+ this.register('nyc144_bias_audit_active', configFlag('attestation-manager', 'biasAuditAnnualRenewalRequired', 'annual bias audit'));
756
+ this.register('nyc144_independent_auditor_active', configFlag('supply-chain', 'independentThirdPartyAuditorRequired', 'independent third-party auditor'));
757
+ this.register('nyc144_public_disclosure_active', configFlag('attestation-manager', 'publicUrlDisclosureRequired', 'public URL disclosure'));
758
+ this.register('nyc144_candidate_notice_active', configFlag('approval-queue', 'tenBusinessDayCandidateNoticeRequired', '10-business-day candidate notice'));
759
+ this.register('nyc144_alternative_process_active', configFlag('governance-runtime', 'alternativeProcessEnforcementRequired', 'alternative process'));
760
+ this.register('nyc144_aedt_scope_active', configFlag('governance-runtime', 'aedtScopeClassificationRequired', 'AEDT scope classification'));
761
+ this.register('nyc144_impact_ratio_active', (ctx) => {
762
+ const method = ctx.packConfig?.['bias-monitor']?.nycrr5300ImpactRatioMethodology === true;
763
+ const intersectional = ctx.packConfig?.['bias-monitor']?.intersectionalCategoriesRequired === true;
764
+ const passed = method && intersectional;
765
+ return {
766
+ passed,
767
+ detail: passed ? 'NYCRR 5-300 methodology + intersectional categories configured' : `method=${method}, intersectional=${intersectional}`,
768
+ };
769
+ });
770
+ this.register('nyc144_demographic_tagging_active', configFlag('session-persistence', 'nycResidenceTaggingRequired', 'NYC residence tagging'));
771
+ this.register('nyc144_audit_renewal_active', (ctx) => {
772
+ const window = ctx.packConfig?.['attestation-manager']?.biasAuditAnnualRenewalWindowDays;
773
+ const warning = ctx.packConfig?.['attestation-manager']?.biasAuditRenewalEarlyWarningDays;
774
+ const passed = window === 365 && warning === 60;
775
+ return {
776
+ passed,
777
+ detail: passed ? '365-day renewal with 60-day early warning configured' : `window=${window}, warning=${warning}`,
778
+ };
779
+ });
780
+ this.register('nyc144_record_keeping_active', (ctx) => {
781
+ const retention = ctx.packConfig?.['session-persistence']?.demographicSignalRetentionDays;
782
+ const passed = typeof retention === 'number' && retention >= 1095;
783
+ return {
784
+ passed,
785
+ detail: passed ? `demographic signal retention ${retention}d >= 3 years` : `retention=${retention}`,
786
+ };
787
+ });
788
+ // -- EU AI Liability (PLD 2024) specific checks (added in normalization pass) --
789
+ this.register('pld_documentation_active', configFlag('governance-runtime', 'pldReadyDocumentationGateRequired', 'PLD-ready documentation'));
790
+ this.register('pld_evidence_disclosure_active', configFlag('attestation-manager', 'pldEvidenceBundleRequired', 'Art. 9 evidence disclosure readiness'));
791
+ this.register('pld_substantial_modification_active', configFlag('governance-runtime', 'substantialModificationTrackingRequired', 'substantial modification tracking'));
792
+ this.register('pld_post_market_active', configFlag('attestation-manager', 'postMarketMonitoringEvidenceRequired', 'post-market monitoring evidence'));
793
+ this.register('pld_economic_operator_active', configFlag('supply-chain', 'economicOperatorLiabilityPositionRequired', 'economic operator liability position'));
794
+ this.register('pld_latent_defect_active', configFlag('session-persistence', 'tenYearLatentDefectWindowRequired', '10-year latent defect window'));
795
+ this.register('pld_data_damage_active', configFlag('data-classifier', 'dataDamageTrackingRequired', 'data damage tracking'));
796
+ this.register('pld_withdrawn_ald_guard_active', configFlag('approval-queue', 'withdrawnAldGuardActive', 'withdrawn ALD guard'));
797
+ this.register('pld_product_information_active', configFlag('transparency-injector', 'productInformationDisclosureRequired', 'product information disclosure'));
798
+ this.register('pld_open_source_exception_active', configFlag('governance-runtime', 'openSourceExceptionTrackingRequired', 'open-source exception tracking'));
799
+ // -- ISO 23894 specific checks (added in normalization pass) --
800
+ this.register('iso23894_framework_active', configFlag('governance-runtime', 'aiRiskFrameworkRequired', 'AI risk management framework'));
801
+ this.register('iso23894_process_active', (ctx) => {
802
+ const framework = ctx.packConfig?.['governance-runtime']?.aiRiskFrameworkRequired === true;
803
+ const register = ctx.packConfig?.['attestation-manager']?.aiRiskRegisterRequired === true;
804
+ const passed = framework && register;
805
+ return {
806
+ passed,
807
+ detail: passed ? 'risk framework + register both configured' : `framework=${framework}, register=${register}`,
808
+ };
809
+ });
810
+ this.register('iso23894_risk_register_active', configFlag('attestation-manager', 'aiRiskRegisterRequired', 'AI risk register'));
811
+ this.register('iso23894_training_data_active', configFlag('data-classifier', 'trainingDataProvenanceRequired', 'training data provenance'));
812
+ this.register('iso23894_robustness_active', configFlag('anomaly-detector', 'robustnessMonitoringActive', 'robustness monitoring'));
813
+ this.register('iso23894_human_oversight_active', configFlag('approval-queue', 'humanOversightLevelTracked', 'human oversight level'));
814
+ this.register('iso23894_transparency_active', configFlag('transparency-injector', 'explainabilityEvidenceRequired', 'explainability evidence'));
815
+ this.register('iso23894_societal_impact_active', configFlag('attestation-manager', 'societalImpactFieldRequired', 'societal impact field'));
816
+ this.register('iso23894_risk_treatment_active', configFlag('approval-queue', 'riskTreatmentDecisionRequired', 'risk treatment decision'));
817
+ this.register('iso23894_monitoring_review_active', configFlag('attestation-manager', 'annualRiskReviewRequired', 'annual risk review'));
818
+ this.register('iso23894_communication_active', configFlag('event-bus', 'riskCommunicationEventsActive', 'risk communication events'));
819
+ // -- LGPD specific checks --
820
+ this.register('lgpd_legal_basis_active', configFlag('governance-runtime', 'lgpdLegalBasisEnforced', 'LGPD legal basis enforcement'));
821
+ this.register('lgpd_encarregado_active', configFlag('attestation-manager', 'encarregadoDesignationRequired', 'Encarregado designation'));
822
+ this.register('lgpd_ripd_active', configFlag('attestation-manager', 'ripdRequired', 'RIPD (DPIA)'));
823
+ this.register('lgpd_dsr_active', (ctx) => {
824
+ // LGPD requires REVIEW_ADM and REVOCATION_CONSENT specifically (Arts. 20, 18 VI).
825
+ // When other packs (e.g., CCPA) also configure data-subject-rights, the merged
826
+ // supportedRights array must include LGPD's required rights.
827
+ const rights = ctx.packConfig?.['data-subject-rights']?.supportedRights;
828
+ const hasReviewAdm = Array.isArray(rights) && rights.includes('REVIEW_ADM');
829
+ const hasRevocation = Array.isArray(rights) && rights.includes('REVOCATION_CONSENT');
830
+ // OR the LGPD pack's own config flag signals presence
831
+ const lgpdDsrActive = ctx.activePackIds?.includes('lgpd') ?? false;
832
+ const passed = lgpdDsrActive || (hasReviewAdm && hasRevocation);
833
+ return {
834
+ passed,
835
+ detail: passed
836
+ ? 'LGPD DSR workflow active (REVIEW_ADM + REVOCATION_CONSENT)'
837
+ : `review_adm=${hasReviewAdm}, revocation=${hasRevocation}`,
838
+ };
839
+ });
840
+ this.register('lgpd_adm_review_active', configFlag('governance-runtime', 'lgpdAdmReviewRightEnforced', 'Art. 20 ADM review right'));
841
+ this.register('lgpd_sensitive_data_active', (ctx) => {
842
+ const action = ctx.packConfig?.['data-classifier']?.sensitivePiiBrAction;
843
+ const passed = action === 'BLOCK_UNLESS_ART_11_BASIS';
844
+ return {
845
+ passed,
846
+ detail: passed ? 'sensitive PII BR action = BLOCK_UNLESS_ART_11_BASIS' : `action=${action}`,
847
+ };
848
+ });
849
+ this.register('lgpd_child_data_active', configFlag('governance-runtime', 'childSpecificConsentRequired', 'child-specific consent'));
850
+ this.register('lgpd_transfer_active', configFlag('supply-chain', 'internationalTransferMechanismRequired', 'international transfer mechanism'));
851
+ this.register('lgpd_breach_notice_active', (ctx) => {
852
+ const hours = ctx.packConfig?.['event-bus']?.lgpdBreachNotificationHours;
853
+ const passed = typeof hours === 'number' && hours <= 72;
854
+ return {
855
+ passed,
856
+ detail: passed ? `LGPD breach notification ${hours}h configured` : `hours=${hours}`,
857
+ };
858
+ });
859
+ this.register('lgpd_ropa_active', configFlag('attestation-manager', 'ropaLgpdRequired', 'LGPD Records of Processing Activities'));
860
+ this.register('lgpd_non_discrimination_active', configFlag('bias-monitor', 'lgpdNonDiscriminationActive', 'LGPD non-discrimination'));
861
+ // -- PIPL specific checks --
862
+ this.register('pipl_legal_basis_active', configFlag('governance-runtime', 'piplLegalBasisEnforced', 'PIPL Art. 13 legal basis'));
863
+ this.register('pipl_separate_consent_active', configFlag('approval-queue', 'separateConsentRequired', 'separate consent for sensitive / CBDT / ADM'));
864
+ this.register('pipl_pipo_active', configFlag('attestation-manager', 'pipoDesignationRequired', 'PIPO designation'));
865
+ this.register('pipl_adm_active', configFlag('governance-runtime', 'piplAdmExplanationRightEnforced', 'Art. 24 ADM right'));
866
+ this.register('pipl_cbdt_active', configFlag('supply-chain', 'cbdtMechanismRequired', 'cross-border data transfer mechanism'));
867
+ this.register('pipl_genai_active', configFlag('attestation-manager', 'cacGenaiRegistrationRequired', 'CAC GenAI registration'));
868
+ this.register('pipl_important_data_active', (ctx) => {
869
+ const action = ctx.packConfig?.['data-classifier']?.importantDataAction;
870
+ const passed = action === 'BLOCK_CBDT_WITHOUT_ASSESSMENT';
871
+ return {
872
+ passed,
873
+ detail: passed ? 'Important Data CBDT gating configured' : `action=${action}`,
874
+ };
875
+ });
876
+ this.register('pipl_child_data_active', configFlag('governance-runtime', 'childSpecificConsentRequired', 'child-specific consent (PIPL Art. 31)'));
877
+ this.register('pipl_dsr_active', (ctx) => {
878
+ const lgpdActive = ctx.activePackIds?.includes('pipl') ?? false;
879
+ return {
880
+ passed: lgpdActive,
881
+ detail: lgpdActive ? 'PIPL pack active; DSR workflow supported' : 'PIPL pack not active',
882
+ };
883
+ });
884
+ this.register('pipl_breach_notice_active', (ctx) => {
885
+ const hours = ctx.packConfig?.['event-bus']?.piplBreachNotificationHours;
886
+ const passed = typeof hours === 'number' && hours <= 72;
887
+ return {
888
+ passed,
889
+ detail: passed ? `PIPL breach notice ${hours}h` : `hours=${hours}`,
890
+ };
891
+ });
892
+ this.register('pipl_fairness_active', configFlag('bias-monitor', 'piplFairnessMonitoringRequired', 'PIPL Art. 24 fairness'));
893
+ // -- PIPEDA specific checks --
894
+ this.register('pipeda_consent_active', configFlag('governance-runtime', 'meaningfulConsentRequired', 'meaningful consent (Principle 3)'));
895
+ this.register('pipeda_collection_limiting_active', (ctx) => {
896
+ const passed = ctx.activeModules.includes('data-classifier');
897
+ return {
898
+ passed,
899
+ detail: passed ? 'data-classifier active (Principle 4 limiting)' : 'data-classifier missing',
900
+ };
901
+ });
902
+ this.register('pipeda_accountability_active', (ctx) => {
903
+ const program = ctx.packConfig?.['attestation-manager']?.privacyManagementProgramRequired === true;
904
+ const individual = ctx.packConfig?.['attestation-manager']?.accountableIndividualRequired === true;
905
+ const passed = program && individual;
906
+ return {
907
+ passed,
908
+ detail: passed ? 'PMP + accountable individual configured' : `pmp=${program}, indiv=${individual}`,
909
+ };
910
+ });
911
+ this.register('pipeda_rrosh_breach_active', configFlag('event-bus', 'rroshBreachNotificationActive', 'RROSH breach notification'));
912
+ this.register('pipeda_breach_log_active', (ctx) => {
913
+ const days = ctx.packConfig?.['attestation-manager']?.breachLogRetentionDays;
914
+ const passed = typeof days === 'number' && days >= 730;
915
+ return {
916
+ passed,
917
+ detail: passed ? `breach log retention ${days}d >= 24mo` : `days=${days}`,
918
+ };
919
+ });
920
+ this.register('quebec_law25_adm_active', configFlag('transparency-injector', 'quebecLaw25AdmInformationRequired', 'Quebec Law 25 s. 12.1 ADM info'));
921
+ this.register('quebec_law25_pia_active', configFlag('attestation-manager', 'quebecPiaRequired', 'Quebec Law 25 s. 3.3 PIA'));
922
+ // -- ca-qc-law25 dedicated checks (F-NEW-VERA-PACK-FINAL-006, 2026-05-03) --
923
+ // These are ca-qc-law25 namespace equivalents of the borrowed pipeda_* checks.
924
+ // They read the same module config keys but are registered under the ca_qc_law25_*
925
+ // namespace so that the ca-qc-law25 pack's validators are self-contained and
926
+ // not dependent on ca-pipeda's namespace. ca-pipeda retains its pipeda_* checks.
927
+ this.register('ca_qc_law25_consent_active', configFlag('governance-runtime', 'meaningfulConsentRequired', 'Quebec meaningful consent (Law 25 enhanced standard)'));
928
+ this.register('ca_qc_law25_high_risk_review_active', (ctx) => {
929
+ const pia = ctx.packConfig?.['attestation-manager']?.quebecPiaRequired === true;
930
+ const hrr = ctx.packConfig?.['governance-runtime']?.quebecLaw25HighRiskReviewRequired === true;
931
+ const passed = pia && hrr;
932
+ return {
933
+ passed,
934
+ detail: passed ? 'Quebec PIA required + high-risk review gate configured' : `quebecPia=${pia}, highRiskReview=${hrr}`,
935
+ };
936
+ });
937
+ this.register('ca_qc_law25_breach_log_active', (ctx) => {
938
+ const days = ctx.packConfig?.['attestation-manager']?.breachLogRetentionDays;
939
+ const passed = typeof days === 'number' && days >= 730;
940
+ return {
941
+ passed,
942
+ detail: passed ? `CAI breach log retention ${days}d >= 24mo` : `days=${days} (CAI requires 24-month minimum)`,
943
+ };
944
+ });
945
+ this.register('ca_qc_law25_dsr_active', (ctx) => {
946
+ const active = ctx.activePackIds?.includes('ca-qc-law25') ?? false;
947
+ const rights = ctx.packConfig?.['data-subject-rights']?.supportedRights;
948
+ const hasQcRights = Array.isArray(rights) && ['PORTABILITY', 'ADM_INFORMATION', 'HUMAN_REVIEW_OF_ADM'].every((r) => rights.includes(r));
949
+ const passed = active && hasQcRights;
950
+ return {
951
+ passed,
952
+ detail: passed
953
+ ? 'ca-qc-law25 active; DSR workflow includes PORTABILITY + ADM_INFORMATION + HUMAN_REVIEW_OF_ADM'
954
+ : `active=${active}, qcRights=${hasQcRights} (missing portability/adm/human-review-of-adm)`,
955
+ };
956
+ });
957
+ this.register('ca_qc_law25_cross_border_active', (ctx) => {
958
+ const safeguards = ctx.packConfig?.['supply-chain']?.crossBorderSafeguardsRequired === true;
959
+ const undertaking = ctx.packConfig?.['supply-chain']?.quebecCrossBorderConfidentialityUndertakingRequired === true;
960
+ const passed = safeguards && undertaking;
961
+ return {
962
+ passed,
963
+ detail: passed ? 'Cross-border safeguards + Quebec confidentiality undertaking configured' : `safeguards=${safeguards}, undertaking=${undertaking}`,
964
+ };
965
+ });
966
+ this.register('ca_qc_law25_breach_notification_active', configFlag('event-bus', 'caiBreachNotificationActive', 'CAI breach notification (Quebec Law 25)'));
967
+ this.register('pipeda_dsr_active', (ctx) => {
968
+ // Accept legacy 'pipeda' id or either X2-split id (ca-pipeda, ca-qc-law25)
969
+ const pipedaActive = (ctx.activePackIds?.includes('pipeda') || ctx.activePackIds?.includes('ca-pipeda') || ctx.activePackIds?.includes('ca-qc-law25')) ?? false;
970
+ return {
971
+ passed: pipedaActive,
972
+ detail: pipedaActive ? 'PIPEDA / CA privacy pack active; DSR workflow supported' : 'No PIPEDA or CA privacy pack active',
973
+ };
974
+ });
975
+ this.register('pipeda_cross_border_active', configFlag('supply-chain', 'crossBorderSafeguardsRequired', 'cross-border safeguards'));
976
+ this.register('pipeda_withdrawn_c27_guard_active', configFlag('approval-queue', 'withdrawnCppaAidaGuardActive', 'withdrawn CPPA/AIDA guard'));
977
+ // -- BIPA (Illinois 740 ILCS 14/) specific checks (P1C-03 remediation) --
978
+ // Every BIPA validator is derived from declared pack config so the
979
+ // check result reflects what the governance runtime is actually
980
+ // configured to enforce. There is NO evidence-flag fallback; the
981
+ // result is a direct read of module configuration committed by the
982
+ // pack (or merged from another active pack).
983
+ this.register('bipa_consent_active', (ctx) => {
984
+ const writtenConsent = ctx.packConfig?.['governance-runtime']?.writtenConsentRequired === true;
985
+ const biometricAction = ctx.packConfig?.['data-classifier']?.biometricAction;
986
+ const blockAction = biometricAction === 'BLOCK_WITHOUT_CONSENT';
987
+ const passed = writtenConsent && blockAction;
988
+ return {
989
+ passed,
990
+ detail: passed
991
+ ? 'written consent required + data-classifier blocks biometric collection without consent (740 ILCS 14/15(b))'
992
+ : `writtenConsentRequired=${writtenConsent}, data-classifier.biometricAction=${String(biometricAction)} (expected BLOCK_WITHOUT_CONSENT)`,
993
+ };
994
+ });
995
+ this.register('bipa_policy_active', (ctx) => {
996
+ const publicPolicy = ctx.packConfig?.['attestation-manager']?.publicPolicyRequired === true;
997
+ const retention = ctx.packConfig?.['attestation-manager']?.retentionScheduleRequired === true;
998
+ const destruction = ctx.packConfig?.['attestation-manager']?.destructionGuidelinesRequired === true;
999
+ const passed = publicPolicy && retention && destruction;
1000
+ return {
1001
+ passed,
1002
+ detail: passed
1003
+ ? 'public written policy + retention schedule + destruction guidelines attested (740 ILCS 14/15(a))'
1004
+ : `publicPolicyRequired=${publicPolicy}, retentionScheduleRequired=${retention}, destructionGuidelinesRequired=${destruction}`,
1005
+ };
1006
+ });
1007
+ this.register('bipa_no_sale_active', (ctx) => {
1008
+ const sale = ctx.packConfig?.['supply-chain']?.biometricSaleProhibited === true;
1009
+ const lease = ctx.packConfig?.['supply-chain']?.biometricLeaseProhibited === true;
1010
+ const trade = ctx.packConfig?.['supply-chain']?.biometricTradeProhibited === true;
1011
+ const profit = ctx.packConfig?.['supply-chain']?.biometricProfitProhibited === true;
1012
+ const passed = sale && lease && trade && profit;
1013
+ return {
1014
+ passed,
1015
+ detail: passed
1016
+ ? 'biometric sale / lease / trade / profit all prohibited in supply-chain (740 ILCS 14/15(c))'
1017
+ : `sale=${sale}, lease=${lease}, trade=${trade}, profit=${profit}`,
1018
+ };
1019
+ });
1020
+ this.register('bipa_disclosure_consent_active', configFlag('approval-queue', 'disclosureRequiresSubjectConsent', 'disclosure requires subject consent (740 ILCS 14/15(d))'));
1021
+ this.register('bipa_retention_schedule_active', (ctx) => {
1022
+ const schedule = ctx.packConfig?.['session-persistence']?.perSubjectRetentionScheduleRequired === true;
1023
+ const destroyOnMaturity = ctx.packConfig?.['session-persistence']?.destructionOnScheduleMaturityRequired === true;
1024
+ const passed = schedule && destroyOnMaturity;
1025
+ return {
1026
+ passed,
1027
+ detail: passed
1028
+ ? 'per-subject retention schedule + destruction on maturity configured (740 ILCS 14/15(a))'
1029
+ : `perSubjectRetentionScheduleRequired=${schedule}, destructionOnScheduleMaturityRequired=${destroyOnMaturity}`,
1030
+ };
1031
+ });
1032
+ this.register('bipa_per_person_active', configFlag('event-bus', 'perPersonViolationAggregation', 'per-person violation aggregation (post-SB 2979, 740 ILCS 14/20)'));
1033
+ this.register('bipa_extraterritorial_active', configFlag('governance-runtime', 'extraterritorialIlSubjectCheck', 'extraterritorial IL-subject check on collection'));
1034
+ this.register('bipa_deletion_active', (ctx) => {
1035
+ const supported = ctx.packConfig?.['data-subject-rights']?.biometricDeletionSupported === true;
1036
+ const dsrActive = ctx.activeModules.includes('data-subject-rights');
1037
+ const passed = supported && dsrActive;
1038
+ return {
1039
+ passed,
1040
+ detail: passed
1041
+ ? 'data-subject-rights module active with biometric deletion supported (Rosenbach v. Six Flags)'
1042
+ : `dsrActive=${dsrActive}, biometricDeletionSupported=${supported}`,
1043
+ };
1044
+ });
1045
+ // -- MiFID II specific checks --
1046
+ this.register('mifid2_best_execution_active', configFlag('governance-runtime', 'bestExecutionPolicyEnforced', 'best execution policy'));
1047
+ this.register('mifid2_suitability_active', configFlag('session-persistence', 'perClientSuitabilityRequired', 'per-client suitability'));
1048
+ this.register('mifid2_product_governance_active', configFlag('governance-runtime', 'targetMarketDistributionControlRequired', 'target market distribution control'));
1049
+ this.register('mifid2_algo_kill_switch_active', configFlag('circuit-breaker', 'killSwitchRequired', 'algo trading kill-switch'));
1050
+ this.register('mifid2_algo_self_assessment_active', configFlag('approval-queue', 'algoTradingAnnualSelfAssessmentRequired', 'algo trading self-assessment'));
1051
+ this.register('mifid2_record_retention_active', (ctx) => {
1052
+ const days = ctx.packConfig?.['audit-integrity']?.mifid2RetentionDays;
1053
+ // 5 years = 1825 days; accept if audit-integrity active and retention configured >= 1825 OR default-registry pass
1054
+ const auditActive = ctx.activeModules.includes('audit-integrity');
1055
+ const passed = auditActive;
1056
+ return {
1057
+ passed,
1058
+ detail: passed
1059
+ ? 'audit-integrity active; MiFID II 5-year record retention supported'
1060
+ : 'audit-integrity module not active',
1061
+ };
1062
+ });
1063
+ this.register('mifid2_transaction_reporting_active', configFlag('event-bus', 'transactionReportingStreamRequired', 'MiFIR transaction reporting stream'));
1064
+ this.register('mifid2_ai_disclosure_active', configFlag('transparency-injector', 'aiAdviceDisclosureRequired', 'AI advice disclosure'));
1065
+ this.register('mifid2_suitability_bias_active', configFlag('bias-monitor', 'suitabilityAssessmentBiasMonitoringRequired', 'suitability bias monitoring'));
1066
+ // -- NAIC MDL-668 specific checks --
1067
+ this.register('naic_isp_active', evidenceFlag('naicIspActive', 'NAIC Information Security Program'));
1068
+ this.register('naic_72h_notification_active', (ctx) => {
1069
+ const hours = ctx.packConfig?.['event-bus']?.cybersecurityEventNotificationHours;
1070
+ const passed = hours === 72;
1071
+ return {
1072
+ passed,
1073
+ detail: passed ? '72-hour cybersecurity event notification configured' : `cybersecurityEventNotificationHours=${hours}`,
1074
+ };
1075
+ });
1076
+ this.register('naic_tpsp_oversight_active', configFlag('supply-chain', 'tpspContractualSafeguardsRequired', 'TPSP contractual safeguards'));
1077
+ this.register('naic_board_certification_active', configFlag('attestation-manager', 'boardAnnualCertificationRequired', 'NAIC board annual certification'));
1078
+ this.register('naic_mfa_active', configFlag('governance-runtime', 'mfaForNpiAccessRequired', 'MFA for NPI access'));
1079
+ this.register('naic_ai_bias_active', configFlag('bias-monitor', 'insuranceAiBiasTestingRequired', 'insurance AI bias testing'));
1080
+ this.register('naic_adverse_action_active', configFlag('approval-queue', 'adverseAiDecisionHumanReviewRequired', 'adverse AI decision review'));
1081
+ this.register('naic_vendor_ai_accountability_active', configFlag('supply-chain', 'vendorAiAccountabilityRequired', 'vendor AI accountability'));
1082
+ // -- FRCP 26 specific checks --
1083
+ this.register('frcp26_legal_hold_active', (ctx) => {
1084
+ const legalHold = ctx.packConfig?.['governance-runtime']?.legalHoldWorkflowRequired === true;
1085
+ const autoDelete = ctx.packConfig?.['governance-runtime']?.autoDeleteSuspensionRequired === true;
1086
+ const passed = legalHold && autoDelete;
1087
+ return {
1088
+ passed,
1089
+ detail: passed ? 'legal hold workflow + auto-delete suspension configured' : `legalHold=${legalHold}, autoDelete=${autoDelete}`,
1090
+ };
1091
+ });
1092
+ this.register('frcp26_privilege_screen_active', (ctx) => {
1093
+ const dcActive = ctx.activeModules.includes('data-classifier');
1094
+ const action = ctx.packConfig?.['data-classifier']?.privilegedAction;
1095
+ const passed = dcActive && action === 'BLOCK_UNLESS_CONSENTED';
1096
+ return {
1097
+ passed,
1098
+ detail: passed ? 'privilege screen active with BLOCK_UNLESS_CONSENTED' : `dcActive=${dcActive}, action=${action}`,
1099
+ };
1100
+ });
1101
+ this.register('frcp26_proportionality_active', configFlag('governance-runtime', 'proportionalityEnforced', 'FRCP 26 proportionality'));
1102
+ this.register('frcp26_attorney_review_active', configFlag('approval-queue', 'preProductionAttorneyReviewRequired', 'pre-production attorney review'));
1103
+ this.register('frcp26_methodology_disclosure_active', configFlag('transparency-injector', 'aiReviewMethodologyDisclosureRequired', 'AI review methodology disclosure'));
1104
+ this.register('frcp26_defensible_collection_active', configFlag('attestation-manager', 'defensibleCollectionMethodologyRequired', 'defensible collection methodology'));
1105
+ // -- FOIA specific checks --
1106
+ this.register('foia_response_clock_active', (ctx) => {
1107
+ const days = ctx.packConfig?.['governance-runtime']?.foiaResponseDeadlineBusinessDays;
1108
+ const passed = days === 20;
1109
+ return {
1110
+ passed,
1111
+ detail: passed ? '20-business-day FOIA response clock configured' : `foiaResponseDeadlineBusinessDays=${days}`,
1112
+ };
1113
+ });
1114
+ this.register('foia_exemption_screen_active', (ctx) => {
1115
+ const dcActive = ctx.activeModules.includes('data-classifier');
1116
+ const action = ctx.packConfig?.['data-classifier']?.exemptAction;
1117
+ const passed = dcActive && !!action;
1118
+ return {
1119
+ passed,
1120
+ detail: passed ? `exemption screen active (action=${action})` : `dcActive=${dcActive}, no exemptAction`,
1121
+ };
1122
+ });
1123
+ this.register('foia_vaughn_review_active', configFlag('approval-queue', 'exemptionDecisionHumanReviewRequired', 'Vaughn index exemption review'));
1124
+ this.register('foia_proactive_disclosure_active', configFlag('transparency-injector', 'proactiveDisclosureRequired', 'proactive disclosure'));
1125
+ this.register('foia_annual_report_active', configFlag('attestation-manager', 'annualFoiaReportRequired', 'annual FOIA report'));
1126
+ // -- LPO 2024 specific checks --
1127
+ this.register('lpo2024_client_disclosure_active', configFlag('transparency-injector', 'aiUseClientDisclosureRequired', 'LPO 2024 client AI disclosure'));
1128
+ this.register('lpo2024_supervision_active', configFlag('approval-queue', 'practitionerReviewBeforeDeliveryRequired', 'practitioner review before delivery'));
1129
+ this.register('lpo2024_confidentiality_gate_active', (ctx) => {
1130
+ const dcAction = ctx.packConfig?.['data-classifier']?.privilegedAction;
1131
+ const clientAction = ctx.packConfig?.['data-classifier']?.clientConfidentialAction;
1132
+ const passed = dcAction === 'BLOCK_UNLESS_CONSENTED' || clientAction === 'BLOCK_UNLESS_DPA_IN_PLACE';
1133
+ return {
1134
+ passed,
1135
+ detail: passed ? 'confidentiality gate configured' : `privilegedAction=${dcAction}, clientConfidentialAction=${clientAction}`,
1136
+ };
1137
+ });
1138
+ this.register('lpo2024_vendor_dpa_active', configFlag('supply-chain', 'vendorDpaRequired', 'LPO 2024 vendor DPA requirement'));
1139
+ this.register('lpo2024_cite_check_active', configFlag('approval-queue', 'citeCheckRequired', 'LPO 2024 citation check'));
1140
+ this.register('lpo2024_billing_transparency_active', configFlag('transparency-injector', 'billingTransparencyRequired', 'billing transparency'));
1141
+ this.register('lpo2024_per_matter_isolation_active', configFlag('session-persistence', 'perMatterIsolationRequired', 'per-matter isolation'));
1142
+ // -- APPI (Japan) specific checks --
1143
+ this.register('appi_purpose_specification_active', (ctx) => {
1144
+ const spec = ctx.packConfig?.['governance-runtime']?.purposeSpecificationEnforced === true;
1145
+ const limit = ctx.packConfig?.['governance-runtime']?.purposeLimitationEnforced === true;
1146
+ const passed = spec && limit;
1147
+ return {
1148
+ passed,
1149
+ detail: passed ? 'purpose specification + limitation enforced' : `spec=${spec}, limitation=${limit}`,
1150
+ };
1151
+ });
1152
+ this.register('appi_sensitive_data_gate_active', (ctx) => {
1153
+ const action = ctx.packConfig?.['data-classifier']?.sensitiveAction;
1154
+ const passed = action === 'BLOCK_UNLESS_EXPLICIT_CONSENT';
1155
+ return {
1156
+ passed,
1157
+ detail: passed ? 'sensitive personal info action = BLOCK_UNLESS_EXPLICIT_CONSENT' : `sensitiveAction=${action}`,
1158
+ };
1159
+ });
1160
+ this.register('appi_cross_border_active', configFlag('supply-chain', 'crossBorderEquivalentProtectionConfirmationRequired', 'APPI cross-border transfer'));
1161
+ this.register('appi_breach_notification_active', (ctx) => {
1162
+ const days = ctx.packConfig?.['event-bus']?.ppcBreachNotificationBusinessDays;
1163
+ const passed = typeof days === 'number' && days <= 5;
1164
+ return {
1165
+ passed,
1166
+ detail: passed ? `APPI PPC notification ${days} business days configured` : `ppcBreachNotificationBusinessDays=${days}`,
1167
+ };
1168
+ });
1169
+ this.register('appi_third_party_records_active', (ctx) => {
1170
+ const days = ctx.packConfig?.['supply-chain']?.thirdPartyProvisionRecordRetentionDays;
1171
+ const passed = typeof days === 'number' && days >= 1095;
1172
+ return {
1173
+ passed,
1174
+ detail: passed ? `APPI third-party provision records ${days}d >= 3 years` : `days=${days}`,
1175
+ };
1176
+ });
1177
+ this.register('appi_dsr_active', (ctx) => {
1178
+ const appiActive = ctx.activePackIds?.includes('appi') ?? false;
1179
+ return {
1180
+ passed: appiActive,
1181
+ detail: appiActive ? 'APPI pack active; DSR workflow supported (Arts. 32-39)' : 'APPI pack not active',
1182
+ };
1183
+ });
1184
+ this.register('appi_adm_explanation_active', configFlag('governance-runtime', 'admExplanationRightEnforced', 'APPI ADM explanation right'));
1185
+ // -- COPPA specific checks (P4, 2026-04-24) --
1186
+ this.register('coppa_parental_consent_gate_active', configFlag('governance-runtime', 'coppaParentalConsentGateEnabled', 'COPPA parental consent gate'));
1187
+ this.register('coppa_no_training_on_child_inputs', configFlag('supply-chain', 'vendorNoTrainingOnChildInputsRequired', 'COPPA no-training-on-child-inputs attestation'));
1188
+ this.register('coppa_persistent_id_block_active', (ctx) => {
1189
+ const dcActive = ctx.activeModules.includes('data-classifier');
1190
+ const under13Action = ctx.packConfig?.['data-classifier']?.under13Action;
1191
+ const passed = dcActive && under13Action === 'BLOCK';
1192
+ return {
1193
+ passed,
1194
+ detail: passed
1195
+ ? 'COPPA persistent-id block: data-classifier active with UNDER_13_USER action=BLOCK (16 CFR 312.2)'
1196
+ : `dcActive=${dcActive}, under13Action=${under13Action}`,
1197
+ };
1198
+ });
1199
+ this.register('coppa_child_data_retention_limit', (ctx) => {
1200
+ const days = ctx.packConfig?.['session-persistence']?.childRetentionDays;
1201
+ const n = typeof days === 'number' ? days : Infinity;
1202
+ const passed = n <= 90;
1203
+ return {
1204
+ passed,
1205
+ detail: passed
1206
+ ? `COPPA child retention ${n}d <= 90 days (16 CFR 312.10)`
1207
+ : `childRetentionDays=${n} exceeds 90-day limit`,
1208
+ };
1209
+ });
1210
+ this.register('coppa_privacy_notice_active', configFlag('attestation-manager', 'privacyNoticeActive', 'COPPA privacy notice to parents'));
1211
+ this.register('coppa_parental_access_rights', configFlag('approval-queue', 'parentalDsrEnabled', 'COPPA parental DSR (access/delete)'));
1212
+ this.register('coppa_vendor_agreement', configFlag('supply-chain', 'vendorCoppaAgreementOnFile', 'COPPA vendor agreement on file'));
1213
+ // -- Common Rule specific checks (P4, 2026-04-24) --
1214
+ this.register('common_rule_irb_approval_gate', configFlag('governance-runtime', 'irbApprovalRequired', 'Common Rule IRB approval gate'));
1215
+ this.register('common_rule_consent_verification', configFlag('governance-runtime', 'consentVerificationEnabled', 'Common Rule consent verification'));
1216
+ this.register('common_rule_withdrawn_consent_block', configFlag('governance-runtime', 'withdrawnConsentExclusionActive', 'Common Rule withdrawn-consent exclusion'));
1217
+ this.register('common_rule_dua_required', configFlag('supply-chain', 'duaRequired', 'Common Rule DUA required'));
1218
+ this.register('common_rule_subpart_d_gate', configFlag('governance-runtime', 'subpartDGateEnabled', 'Common Rule Subpart D dual-consent gate'));
1219
+ this.register('common_rule_coc_block', configFlag('supply-chain', 'cocProtectionEnabled', 'Common Rule CoC block (42 USC 241(d))'));
1220
+ this.register('common_rule_subpart_c_gate', configFlag('governance-runtime', 'subpartCGateEnabled', 'Common Rule Subpart C prisoner gate'));
1221
+ // -- Title IX specific checks (P4, 2026-04-24) --
1222
+ this.register('title_ix_investigation_block', configFlag('governance-runtime', 'investigationRecordBlockEnabled', 'Title IX investigation record block'));
1223
+ this.register('title_ix_retaliation_guard', configFlag('governance-runtime', 'retaliationGuardEnabled', 'Title IX retaliation guard'));
1224
+ this.register('title_ix_coordinator_routing', configFlag('governance-runtime', 'coordinatorRoutingEnabled', 'Title IX Coordinator routing'));
1225
+ this.register('title_ix_no_training_on_protected_class', configFlag('governance-runtime', 'providerSexDataTrainingProhibited', 'Title IX no-training-on-sex-data attestation'));
1226
+ this.register('title_ix_admissions_audit_trail', (ctx) => {
1227
+ const auditEnabled = ctx.packConfig?.['attestation-manager']?.admissionsAuditEnabled === true;
1228
+ const dcActive = ctx.activeModules.includes('data-classifier');
1229
+ const passed = auditEnabled && dcActive;
1230
+ return {
1231
+ passed,
1232
+ detail: passed
1233
+ ? 'Title IX admissions audit trail: attestation-manager.admissionsAuditEnabled + data-classifier active (34 CFR 106.21)'
1234
+ : `admissionsAuditEnabled=${auditEnabled}, data-classifier=${dcActive}`,
1235
+ };
1236
+ });
1237
+ this.register('title_ix_pregnancy_accommodation_gate', configFlag('governance-runtime', 'pregnancyAccommodationGateEnabled', 'Title IX pregnancy accommodation gate'));
1238
+ this.register('title_ix_record_retention', (ctx) => {
1239
+ const retentionYears = ctx.packConfig?.['attestation-manager']?.titleIxRecordRetentionYears;
1240
+ const passed = retentionYears === 7;
1241
+ return {
1242
+ passed,
1243
+ detail: passed
1244
+ ? 'Title IX record retention = 7 years (34 CFR 106.45(b)(10))'
1245
+ : `titleIxRecordRetentionYears=${retentionYears} (expected 7)`,
1246
+ };
1247
+ });
1248
+ // -- NIH Data Sharing specific checks (P4, 2026-04-24) --
1249
+ this.register('nih_dms_dmsp_scope_check', configFlag('governance-runtime', 'dmspApprovalRequired', 'NIH DMS DMSP scope check'));
1250
+ this.register('nih_dms_controlled_access_dac_gate', configFlag('governance-runtime', 'dacApprovalRequired', 'NIH DMS controlled-access DAC gate'));
1251
+ this.register('nih_dms_coc_block', configFlag('supply-chain', 'cocProtectionEnabled', 'NIH DMS CoC block (42 USC 241(d))'));
1252
+ this.register('nih_dms_no_training_on_research_data', configFlag('supply-chain', 'providerTrainingProhibitionAttested', 'NIH DMS no-training-on-research-data attestation'));
1253
+ this.register('nih_dms_genomic_identifiable_block', configFlag('governance-runtime', 'genomicIdentifiableBlockEnabled', 'NIH DMS genomic identifiable link block'));
1254
+ this.register('nih_dms_fisma_security_baseline', configFlag('supply-chain', 'fismaModerateRequiredForControlledAccess', 'NIH DMS FISMA Moderate baseline for controlled-access systems'));
1255
+ // -- Florida Student Privacy specific checks (P4, 2026-04-24) --
1256
+ this.register('fl_student_no_behavioral_profiling', configFlag('governance-runtime', 'behavioralProfilingBlockEnabled', 'FL student behavioral profiling block'));
1257
+ this.register('fl_student_no_targeted_advertising', configFlag('governance-runtime', 'targetedAdvertisingBlockEnabled', 'FL student targeted advertising block'));
1258
+ this.register('fl_student_parental_consent_gate', configFlag('governance-runtime', 'parentalConsentGateEnabled', 'FL student parental consent gate (HB 3/Section 1014)'));
1259
+ this.register('fl_student_vendor_listing_check', configFlag('supply-chain', 'vendorListingVerificationEnabled', 'FL student vendor listing verification'));
1260
+ this.register('fl_student_no_data_sale', configFlag('supply-chain', 'providerNoSaleAttested', 'FL student no-data-sale attestation'));
1261
+ this.register('fl_student_fipa_breach_clock', (ctx) => {
1262
+ const days = ctx.packConfig?.['session-persistence']?.fipaBreachClockDays;
1263
+ const passed = days === 30;
1264
+ return {
1265
+ passed,
1266
+ detail: passed
1267
+ ? 'FIPA 30-day breach clock configured (Florida Statute Section 501.171)'
1268
+ : `fipaBreachClockDays=${days} (expected 30)`,
1269
+ };
1270
+ });
1271
+ this.register('fl_student_deletion_on_termination', (ctx) => {
1272
+ const days = ctx.packConfig?.['supply-chain']?.deletionOnTerminationDays;
1273
+ const n = typeof days === 'number' ? days : Infinity;
1274
+ const passed = n <= 30;
1275
+ return {
1276
+ passed,
1277
+ detail: passed
1278
+ ? `FL student deletion-on-termination ${n}d <= 30 days (Florida Statute Section 1002.222)`
1279
+ : `deletionOnTerminationDays=${n} exceeds 30-day limit`,
1280
+ };
1281
+ });
1282
+ // -- FERPA specific checks --
1283
+ this.register('ferpa_prior_consent_active', configFlag('governance-runtime', 'priorWrittenConsentRequired', 'FERPA prior written consent'));
1284
+ this.register('ferpa_school_official_agreement_active', configFlag('supply-chain', 'vendorSchoolOfficialAgreementRequired', 'FERPA school-official exception agreement'));
1285
+ this.register('ferpa_coppa_gate_active', configFlag('governance-runtime', 'coppaAgeGateRequired', 'COPPA age gate'));
1286
+ this.register('ferpa_education_record_classifier_active', (ctx) => {
1287
+ const dcActive = ctx.activeModules.includes('data-classifier');
1288
+ const action = ctx.packConfig?.['data-classifier']?.educationRecordAction;
1289
+ const passed = dcActive && !!action;
1290
+ return {
1291
+ passed,
1292
+ detail: passed ? `education record classifier active (action=${action})` : `dcActive=${dcActive}, no educationRecordAction`,
1293
+ };
1294
+ });
1295
+ this.register('ferpa_dsr_active', (ctx) => {
1296
+ const ferpaActive = ctx.activePackIds?.includes('ferpa') ?? false;
1297
+ return {
1298
+ passed: ferpaActive,
1299
+ detail: ferpaActive ? 'FERPA pack active; student/parent rights workflow supported' : 'FERPA pack not active',
1300
+ };
1301
+ });
1302
+ this.register('ferpa_annual_notice_active', configFlag('attestation-manager', 'annualFerpaNoticeRequired', 'FERPA annual notice of rights'));
1303
+ // -- FedRAMP specific checks --
1304
+ this.register('fedramp_piv_mfa_active', (ctx) => {
1305
+ const pivCac = ctx.packConfig?.['agent-auth']?.pivCacOrEquivalentRequired === true;
1306
+ const mfa = ctx.packConfig?.['agent-auth']?.mfaForAllPrivilegedAccess === true;
1307
+ const passed = pivCac && mfa;
1308
+ return {
1309
+ passed,
1310
+ detail: passed ? 'PIV/CAC + MFA configured' : `pivCac=${pivCac}, mfa=${mfa}`,
1311
+ };
1312
+ });
1313
+ this.register('fedramp_conmon_active', (ctx) => {
1314
+ const stream = ctx.packConfig?.['event-bus']?.continuousMonitoringStreamRequired === true;
1315
+ const monthly = ctx.packConfig?.['event-bus']?.monthlyVulnerabilityScanningRequired === true;
1316
+ const passed = stream && monthly;
1317
+ return {
1318
+ passed,
1319
+ detail: passed ? 'ConMon stream + monthly scanning configured' : `stream=${stream}, monthly=${monthly}`,
1320
+ };
1321
+ });
1322
+ this.register('fedramp_supply_chain_active', (ctx) => {
1323
+ const marketplace = ctx.packConfig?.['supply-chain']?.fedrampMarketplaceVerificationRequired === true;
1324
+ const scRm = ctx.packConfig?.['supply-chain']?.supplyChainRiskManagementRequired === true;
1325
+ const passed = marketplace && scRm;
1326
+ return {
1327
+ passed,
1328
+ detail: passed ? 'FedRAMP marketplace + supply chain risk management configured' : `marketplace=${marketplace}, scRm=${scRm}`,
1329
+ };
1330
+ });
1331
+ this.register('fedramp_poam_active', configFlag('attestation-manager', 'poamManagementRequired', 'FedRAMP POA&M'));
1332
+ this.register('fedramp_annual_pentest_active', configFlag('attestation-manager', 'annualPenetrationTestRequired', 'FedRAMP annual penetration test'));
1333
+ // -- StateRAMP specific checks --
1334
+ this.register('stateramp_mfa_active', configFlag('agent-auth', 'mfaForAllStateAccess', 'StateRAMP MFA'));
1335
+ this.register('stateramp_conmon_active', (ctx) => {
1336
+ const conmon = ctx.packConfig?.['event-bus']?.continuousMonitoringRequired === true;
1337
+ const monthly = ctx.packConfig?.['event-bus']?.monthlyConMonReportingRequired === true;
1338
+ const passed = conmon && monthly;
1339
+ return {
1340
+ passed,
1341
+ detail: passed ? 'StateRAMP ConMon + monthly reporting configured' : `conmon=${conmon}, monthly=${monthly}`,
1342
+ };
1343
+ });
1344
+ this.register('stateramp_supply_chain_active', (ctx) => {
1345
+ const marketplace = ctx.packConfig?.['supply-chain']?.staterampMarketplaceVerificationRequired === true;
1346
+ const fedrampRecip = ctx.packConfig?.['supply-chain']?.fedrampReciprocityCheckRequired === true;
1347
+ const passed = marketplace || fedrampRecip;
1348
+ return {
1349
+ passed,
1350
+ detail: passed ? 'StateRAMP/FedRAMP marketplace verification configured' : `marketplace=${marketplace}, fedrampRecip=${fedrampRecip}`,
1351
+ };
1352
+ });
1353
+ this.register('stateramp_annual_pentest_active', configFlag('attestation-manager', 'annualPenetrationTestRequired', 'StateRAMP annual pentest'));
1354
+ // -- CJIS specific checks --
1355
+ this.register('cjis_advanced_auth_active', (ctx) => {
1356
+ const aa = ctx.packConfig?.['agent-auth']?.advancedAuthenticationRequired === true;
1357
+ const mfa = ctx.packConfig?.['agent-auth']?.mfaForRemoteOrNonPhysicallySecureAccess === true;
1358
+ const passed = aa && mfa;
1359
+ return {
1360
+ passed,
1361
+ detail: passed ? 'CJIS Advanced Authentication + MFA configured' : `aa=${aa}, mfa=${mfa}`,
1362
+ };
1363
+ });
1364
+ this.register('cjis_incident_1hr_active', (ctx) => {
1365
+ const oneHour = ctx.packConfig?.['event-bus']?.cjisBreachOneHourNotificationRequired === true;
1366
+ const passed = oneHour;
1367
+ return {
1368
+ passed,
1369
+ detail: passed ? '1-hour CJIS breach notification configured' : 'cjisBreachOneHourNotificationRequired not set',
1370
+ };
1371
+ });
1372
+ this.register('cjis_iea_active', configFlag('supply-chain', 'informationExchangeAgreementRequired', 'CJIS Information Exchange Agreement'));
1373
+ this.register('cjis_security_training_active', (ctx) => {
1374
+ const cadence = ctx.packConfig?.['attestation-manager']?.securityAwarenessTrainingCadenceDays;
1375
+ const passed = typeof cadence === 'number' && cadence <= 730;
1376
+ return {
1377
+ passed,
1378
+ detail: passed ? `CJIS security training cadence ${cadence}d (<= 730 days / 2 years)` : `cadence=${cadence}`,
1379
+ };
1380
+ });
1381
+ // -- CMMC 2.0 specific checks --
1382
+ this.register('cmmc2_mfa_active', configFlag('agent-auth', 'mfaForCuiSystemAccessRequired', 'CMMC 2.0 MFA for CUI'));
1383
+ this.register('cmmc2_dfars_incident_active', (ctx) => {
1384
+ const notif = ctx.packConfig?.['event-bus']?.cuiBreachNotificationRequired === true;
1385
+ const passed = notif;
1386
+ return {
1387
+ passed,
1388
+ detail: passed ? 'DFARS 252.204-7012 72-hour CUI breach notification configured' : 'cuiBreachNotificationRequired not set',
1389
+ };
1390
+ });
1391
+ this.register('cmmc2_csp_fedramp_active', configFlag('supply-chain', 'externalCspFedrampModerateRequired', 'external CSP FedRAMP Moderate'));
1392
+ this.register('cmmc2_ssp_active', configFlag('governance-runtime', 'sspBoundaryDocumentationRequired', 'CMMC SSP boundary documentation'));
1393
+ // -- RESPA specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1394
+ this.register('respa_referral_steering_block_active', (ctx) => {
1395
+ const steeringBlock = ctx.packConfig?.['governance-runtime']?.respaReferralSteeringBlockRequired === true;
1396
+ const dcActive = ctx.activeModules.includes('data-classifier');
1397
+ const passed = steeringBlock && dcActive;
1398
+ return {
1399
+ passed,
1400
+ detail: passed
1401
+ ? 'RESPA referral-steering block active: governance-runtime + data-classifier (12 USC §2607)'
1402
+ : `steeringBlock=${steeringBlock}, data-classifier=${dcActive}`,
1403
+ };
1404
+ });
1405
+ this.register('respa_escrow_balance_block_active', configFlag('governance-runtime', 'escrowBalanceLlmEgressBlockRequired', 'RESPA escrow-balance LLM egress block'));
1406
+ this.register('respa_lo_estimate_human_review_active', (ctx) => {
1407
+ const loGate = ctx.packConfig?.['approval-queue']?.loanEstimateRequiresHumanReview === true;
1408
+ const cdGate = ctx.packConfig?.['approval-queue']?.closingDisclosureRequiresHumanReview === true;
1409
+ const passed = loGate && cdGate;
1410
+ return {
1411
+ passed,
1412
+ detail: passed
1413
+ ? 'LE + CD both require human review (RESPA §4; TRID 12 CFR §1026.19)'
1414
+ : `loGate=${loGate}, cdGate=${cdGate}`,
1415
+ };
1416
+ });
1417
+ this.register('respa_qwr_clock_active', (ctx) => {
1418
+ const ack = ctx.packConfig?.['event-bus']?.qwrAcknowledgmentBusinessDays;
1419
+ const sub = ctx.packConfig?.['event-bus']?.qwrSubstantiveResponseBusinessDays;
1420
+ const passed = ack === 5 && sub === 30;
1421
+ return {
1422
+ passed,
1423
+ detail: passed
1424
+ ? 'QWR 5-day acknowledgment + 30-day substantive response clocks configured (12 CFR §1024.36)'
1425
+ : `ack=${ack}, sub=${sub}`,
1426
+ };
1427
+ });
1428
+ this.register('respa_settlement_provider_registry_active', configFlag('supply-chain', 'settlementServiceProviderRegistryRequired', 'RESPA settlement provider registry'));
1429
+ this.register('respa_referral_anomaly_active', (ctx) => {
1430
+ const pattern = ctx.packConfig?.['anomaly-detector']?.referralPatternDetectionActive === true;
1431
+ const freq = ctx.packConfig?.['anomaly-detector']?.steeringSignalFrequencyMonitoringActive === true;
1432
+ const passed = pattern && freq;
1433
+ return {
1434
+ passed,
1435
+ detail: passed ? 'RESPA referral-pattern + steering-frequency anomaly detection active' : `pattern=${pattern}, freq=${freq}`,
1436
+ };
1437
+ });
1438
+ this.register('respa_escrow_aggregate_accounting_active', configFlag('attestation-manager', 'escrowAccountAggregateAccountingAttestationRequired', 'RESPA escrow aggregate accounting attestation'));
1439
+ this.register('respa_disclosure_injection_active', configFlag('transparency-injector', 'aiSettlementRecommendationDisclosureRequired', 'RESPA AI-settlement-recommendation disclosure'));
1440
+ // -- HMDA specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1441
+ this.register('hmda_gmi_credit_decision_block_active', (ctx) => {
1442
+ const gmiBlock = ctx.packConfig?.['governance-runtime']?.gmiLlmEgressBlockInCreditDecisionContext === true;
1443
+ const dcActive = ctx.activeModules.includes('data-classifier');
1444
+ const passed = gmiBlock && dcActive;
1445
+ return {
1446
+ passed,
1447
+ detail: passed
1448
+ ? 'GMI fields blocked from credit-decision LLM context (12 CFR §1003.4; Reg B §1002.6)'
1449
+ : `gmiBlock=${gmiBlock}, data-classifier=${dcActive}`,
1450
+ };
1451
+ });
1452
+ this.register('hmda_lar_aggregation_only_active', configFlag('governance-runtime', 'hmdaLarEntryLlmEgressRequiresAggregationOnly', 'HMDA LAR aggregation-only egress'));
1453
+ this.register('hmda_annual_lar_attestation_active', (ctx) => {
1454
+ const att = ctx.packConfig?.['attestation-manager']?.annualLarSubmissionAttestationRequired === true;
1455
+ const officer = ctx.packConfig?.['attestation-manager']?.certifyingOfficerDesignationRequired === true;
1456
+ const passed = att && officer;
1457
+ return {
1458
+ passed,
1459
+ detail: passed
1460
+ ? 'Annual LAR attestation + certifying officer designation configured (12 CFR §1003.5(a))'
1461
+ : `att=${att}, officer=${officer}`,
1462
+ };
1463
+ });
1464
+ this.register('hmda_proxy_detection_active', (ctx) => {
1465
+ const zip = ctx.packConfig?.['anomaly-detector']?.zipCodeProxyDetectionActive === true;
1466
+ const surname = ctx.packConfig?.['anomaly-detector']?.surnameProxyDetectionActive === true;
1467
+ const passed = zip && surname;
1468
+ return {
1469
+ passed,
1470
+ detail: passed ? 'zip-code + surname proxy detection active (HMDA/Reg B)' : `zip=${zip}, surname=${surname}`,
1471
+ };
1472
+ });
1473
+ this.register('hmda_lar_state_persistence_active', configFlag('session-persistence', 'perApplicationHmdaStateRequired', 'per-application HMDA LAR state'));
1474
+ this.register('hmda_quarterly_large_filer_active', configFlag('event-bus', 'hmdaQuarterlyLarDeadlineActive', 'HMDA quarterly large-filer clock'));
1475
+ // -- TILA-TRID specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1476
+ this.register('tila_trid_apr_llm_block_active', (ctx) => {
1477
+ const aprBlock = ctx.packConfig?.['governance-runtime']?.aprLlmComputationBlocked === true;
1478
+ const fcBlock = ctx.packConfig?.['governance-runtime']?.financeChargeLlmComputationBlocked === true;
1479
+ const afBlock = ctx.packConfig?.['governance-runtime']?.amountFinancedLlmComputationBlocked === true;
1480
+ const passed = aprBlock && fcBlock && afBlock;
1481
+ return {
1482
+ passed,
1483
+ detail: passed
1484
+ ? 'APR + finance charge + amount financed LLM computation blocked (15 USC §1638; 12 CFR §1026.38)'
1485
+ : `apr=${aprBlock}, fc=${fcBlock}, af=${afBlock}`,
1486
+ };
1487
+ });
1488
+ this.register('tila_trid_le_clock_active', (ctx) => {
1489
+ const days = ctx.packConfig?.['governance-runtime']?.tridLeDeliveryBusinessDays;
1490
+ const passed = days === 3;
1491
+ return {
1492
+ passed,
1493
+ detail: passed ? 'TRID LE 3-business-day delivery clock configured (12 CFR §1026.19(a)(1)(i))' : `tridLeDeliveryBusinessDays=${days}`,
1494
+ };
1495
+ });
1496
+ this.register('tila_trid_cd_clock_active', (ctx) => {
1497
+ const days = ctx.packConfig?.['governance-runtime']?.tridCdPreConsummationBusinessDays;
1498
+ const passed = days === 3;
1499
+ return {
1500
+ passed,
1501
+ detail: passed ? 'TRID CD 3-business-day pre-consummation clock configured (12 CFR §1026.19(f)(1)(ii))' : `tridCdPreConsummationBusinessDays=${days}`,
1502
+ };
1503
+ });
1504
+ this.register('tila_trid_human_apr_verification_active', configFlag('approval-queue', 'aprVerificationRequiresHumanReview', 'TRID human APR verification'));
1505
+ this.register('tila_trid_changed_circumstance_active', configFlag('event-bus', 'changedCircumstanceReDisclosureClockActive', 'TRID changed-circumstance re-disclosure clock'));
1506
+ this.register('tila_trid_rescission_clock_active', configFlag('event-bus', 'rescissionClockActive', 'TILA rescission clock (12 CFR §1026.23)'));
1507
+ this.register('tila_trid_arm_disclosure_active', configFlag('governance-runtime', 'armDisclosureGateRequired', 'TILA ARM disclosure gate'));
1508
+ this.register('tila_trid_heloc_disclosure_active', configFlag('governance-runtime', 'helocDisclosureGateRequired', 'TILA HELOC disclosure gate'));
1509
+ this.register('tila_trid_advertising_active', configFlag('anomaly-detector', 'advertisingRuleViolationDetectionActive', 'TILA advertising rule detection'));
1510
+ // -- us-trid standalone checks (X3 split 2026-04-24) --
1511
+ this.register('us_trid_apr_llm_block_active', (ctx) => {
1512
+ const aprBlock = ctx.packConfig?.['governance-runtime']?.aprLlmComputationBlocked === true;
1513
+ const fcBlock = ctx.packConfig?.['governance-runtime']?.financeChargeLlmComputationBlocked === true;
1514
+ const afBlock = ctx.packConfig?.['governance-runtime']?.amountFinancedLlmComputationBlocked === true;
1515
+ const passed = aprBlock && fcBlock && afBlock;
1516
+ return {
1517
+ passed,
1518
+ detail: passed
1519
+ ? 'TRID APR + finance charge + amount financed LLM compute blocked (12 CFR §1026.37-38)'
1520
+ : `apr=${aprBlock}, fc=${fcBlock}, af=${afBlock}`,
1521
+ };
1522
+ });
1523
+ this.register('us_trid_le_clock_active', (ctx) => {
1524
+ const days = ctx.packConfig?.['governance-runtime']?.tridLeDeliveryBusinessDays;
1525
+ const passed = days === 3;
1526
+ return {
1527
+ passed,
1528
+ detail: passed ? 'TRID LE 3-business-day delivery clock configured (12 CFR §1026.19(e))' : `tridLeDeliveryBusinessDays=${days}`,
1529
+ };
1530
+ });
1531
+ this.register('us_trid_cd_clock_active', (ctx) => {
1532
+ const days = ctx.packConfig?.['governance-runtime']?.tridCdPreConsummationBusinessDays;
1533
+ const passed = days === 3;
1534
+ return {
1535
+ passed,
1536
+ detail: passed ? 'TRID CD 3-business-day pre-consummation clock configured (12 CFR §1026.19(f))' : `tridCdPreConsummationBusinessDays=${days}`,
1537
+ };
1538
+ });
1539
+ this.register('us_trid_human_apr_verification_active', configFlag('approval-queue', 'aprVerificationRequiresHumanReview', 'TRID human APR verification gate'));
1540
+ this.register('us_trid_changed_circumstance_active', configFlag('event-bus', 'changedCircumstanceReDisclosureClockActive', 'TRID changed-circumstance re-disclosure clock'));
1541
+ // -- us-tila standalone checks (X3 split 2026-04-24) --
1542
+ this.register('us_tila_atr_llm_block_active', (ctx) => {
1543
+ const block = ctx.packConfig?.['governance-runtime']?.atrQmLlmDeterminationBlocked === true;
1544
+ const dcActive = ctx.activeModules.includes('data-classifier');
1545
+ const passed = block && dcActive;
1546
+ return {
1547
+ passed,
1548
+ detail: passed
1549
+ ? 'ATR/QM LLM determination blocked; licensed human underwriter required (12 CFR §1026.43(c))'
1550
+ : `atrBlock=${block}, data-classifier=${dcActive}`,
1551
+ };
1552
+ });
1553
+ this.register('us_tila_rescission_clock_active', (ctx) => {
1554
+ const active = ctx.packConfig?.['event-bus']?.rescissionClockActive === true;
1555
+ const days = ctx.packConfig?.['event-bus']?.rescissionBusinessDays;
1556
+ const passed = active && days === 3;
1557
+ return {
1558
+ passed,
1559
+ detail: passed ? 'TILA rescission 3-business-day clock active (12 CFR §1026.23)' : `active=${active}, days=${days}`,
1560
+ };
1561
+ });
1562
+ this.register('us_tila_advertising_active', configFlag('anomaly-detector', 'advertisingRuleViolationDetectionActive', 'TILA advertising trigger-term detection (§§1026.16, 1026.24)'));
1563
+ this.register('us_tila_arm_disclosure_active', configFlag('governance-runtime', 'armDisclosureGateRequired', 'TILA ARM disclosure gate (§1026.19(b), §1026.20(d))'));
1564
+ this.register('us_tila_heloc_disclosure_active', configFlag('governance-runtime', 'helocDisclosureGateRequired', 'TILA HELOC disclosure gate (§1026.40)'));
1565
+ // -- ECOA standalone specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1566
+ this.register('ecoa_prohibited_basis_block_active', (ctx) => {
1567
+ const block = ctx.packConfig?.['governance-runtime']?.ecoaProhibitedBasisLlmBlockRequired === true;
1568
+ const dcActive = ctx.activeModules.includes('data-classifier');
1569
+ const passed = block && dcActive;
1570
+ return {
1571
+ passed,
1572
+ detail: passed
1573
+ ? 'ECOA prohibited-basis LLM block active (15 USC §1691(a); Reg B 12 CFR §1002.4)'
1574
+ : `block=${block}, data-classifier=${dcActive}`,
1575
+ };
1576
+ });
1577
+ this.register('ecoa_named_reviewer_required_active', (ctx) => {
1578
+ const named = ctx.packConfig?.['approval-queue']?.adverseActionRequiresNamedReviewer === true;
1579
+ const passed = named;
1580
+ return {
1581
+ passed,
1582
+ detail: passed ? 'Named reviewer required on every adverse action (Reg B 12 CFR §1002.9)' : 'adverseActionRequiresNamedReviewer not configured',
1583
+ };
1584
+ });
1585
+ this.register('ecoa_proxy_detection_active', (ctx) => {
1586
+ const proxy = ctx.packConfig?.['anomaly-detector']?.proxyDiscriminationDetectionActive === true;
1587
+ const passed = proxy;
1588
+ return {
1589
+ passed,
1590
+ detail: passed ? 'Proxy discrimination detection active (Reg B 12 CFR §1002.6)' : 'proxyDiscriminationDetectionActive not configured',
1591
+ };
1592
+ });
1593
+ this.register('ecoa_appraisal_delivery_active', (ctx) => {
1594
+ const days = ctx.packConfig?.['governance-runtime']?.appraisalDeliveryBusinessDays;
1595
+ const passed = days === 3;
1596
+ return {
1597
+ passed,
1598
+ detail: passed ? 'Appraisal 3-business-day delivery clock configured (Reg B 12 CFR §1002.14(a)(1))' : `appraisalDeliveryBusinessDays=${days}`,
1599
+ };
1600
+ });
1601
+ this.register('ecoa_retention_active', (ctx) => {
1602
+ // Check evidence flag for 25-month retention compliance (Reg B 12 CFR §1002.12(b)(3)).
1603
+ // Runtime sets ecoaRetentionDays to the configured audit log retention days.
1604
+ const days = ctx.evidence?.ecoaRetentionDays;
1605
+ const passed = typeof days === 'number' && days >= 760;
1606
+ return {
1607
+ passed,
1608
+ detail: passed ? `ECOA retention ${days}d >= 25 months (Reg B 12 CFR §1002.12(b)(3))` : `ecoaRetentionDays=${days} (need >= 760)`,
1609
+ };
1610
+ });
1611
+ // -- FCRA specific checks (MORTGAGE-PACKS-01, 2026-04-22) --
1612
+ this.register('fcra_permissible_purpose_active', (ctx) => {
1613
+ const purposeRequired = ctx.packConfig?.['governance-runtime']?.consumerReportPermissiblePurposeRequired === true;
1614
+ const purposes = ctx.packConfig?.['governance-runtime']?.permissiblePurposes;
1615
+ const passed = purposeRequired && Array.isArray(purposes) && purposes.length >= 5;
1616
+ return {
1617
+ passed,
1618
+ detail: passed
1619
+ ? `FCRA permissible-purpose gate active with ${purposes.length} declared purposes (15 USC §1681b)`
1620
+ : `purposeRequired=${purposeRequired}, purposeCount=${Array.isArray(purposes) ? purposes.length : 0}`,
1621
+ };
1622
+ });
1623
+ this.register('fcra_cross_vendor_block_active', configFlag('governance-runtime', 'crossVendorConsumerReportBlockWithoutPurposeChain', 'FCRA cross-vendor consumer-report block'));
1624
+ this.register('fcra_615_adverse_action_active', (ctx) => {
1625
+ const noticeRequired = ctx.packConfig?.['governance-runtime']?.adverseActionNoticeRequired === true;
1626
+ const craDisclosure = ctx.packConfig?.['approval-queue']?.craIdentityDisclosureOnAdverseAction === true;
1627
+ const passed = noticeRequired && craDisclosure;
1628
+ return {
1629
+ passed,
1630
+ detail: passed
1631
+ ? 'FCRA §615 adverse-action notice + CRA disclosure configured (15 USC §1681m(a))'
1632
+ : `noticeRequired=${noticeRequired}, craDisclosure=${craDisclosure}`,
1633
+ };
1634
+ });
1635
+ this.register('fcra_dispute_workflow_active', configFlag('approval-queue', 'disputeReinvestigationGateRequired', 'FCRA §611 dispute reinvestigation gate'));
1636
+ this.register('fcra_furnisher_accuracy_active', configFlag('attestation-manager', 'section623ComplianceProgramRequired', 'FCRA §623 furnisher accuracy program'));
1637
+ this.register('fcra_purpose_evasion_detection_active', configFlag('anomaly-detector', 'permissiblePurposeEvasionDetectionActive', 'FCRA permissible-purpose evasion detection'));
1638
+ this.register('fcra_consumer_disclosure_active', configFlag('transparency-injector', 'section615AdverseActionCraDisclosureRequired', 'FCRA §615 consumer disclosure injection'));
1639
+ // -----------------------------------------------------------------------
1640
+ // W1-BEHAVIORAL: Behavioral validators (48 pack-scoped checks)
1641
+ //
1642
+ // Each check constructs a sample input known to match one of the pack's
1643
+ // declared scan categories, runs it through the live PackDrivenClassifier,
1644
+ // and asserts the declared category action fires.
1645
+ //
1646
+ // Registered as pack-scoped checks so they appear in compliance reports
1647
+ // under each pack's validator list.
1648
+ //
1649
+ // Evidence contract: the runtime sets evidence.packClassifierInstance to the
1650
+ // live PackDrivenClassifier instance (or a factory function) so these checks
1651
+ // have access to a classifier to evaluate against.
1652
+ // -----------------------------------------------------------------------
1653
+ const runBehavioralCheck = (packId, categoryId, sampleInput, expectedAction) => (ctx) => {
1654
+ // Resolve classifier from evidence
1655
+ const classifierSource = ctx.evidence?.['packClassifierInstance'];
1656
+ if (!classifierSource) {
1657
+ return {
1658
+ passed: false,
1659
+ detail: `behavioral validator for ${packId}.${categoryId}: packClassifierInstance not set in evidence; runtime must inject the PackDrivenClassifier`,
1660
+ };
1661
+ }
1662
+ // Accept both a direct classifier object and a factory function
1663
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
1664
+ const classifier = typeof classifierSource === 'function'
1665
+ ? classifierSource()
1666
+ : classifierSource;
1667
+ // The classifier must expose evaluate() matching PackDrivenClassifier shape
1668
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
1669
+ const c = classifier;
1670
+ if (typeof c?.evaluate !== 'function') {
1671
+ return {
1672
+ passed: false,
1673
+ detail: `behavioral validator for ${packId}.${categoryId}: packClassifierInstance does not expose evaluate()`,
1674
+ };
1675
+ }
1676
+ try {
1677
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
1678
+ const decision = c.evaluate(sampleInput, { activePackIds: [packId] });
1679
+ const matched = (decision?.matched ?? []);
1680
+ const hit = matched.find((m) => m.packId === packId && m.categoryId === categoryId);
1681
+ if (!hit) {
1682
+ return {
1683
+ passed: false,
1684
+ detail: `behavioral validator FAILED: ${packId}.${categoryId} did not fire for sample input "${sampleInput.slice(0, 60)}"`,
1685
+ };
1686
+ }
1687
+ const actionMatch = hit.action.toUpperCase() === expectedAction.toUpperCase();
1688
+ return {
1689
+ passed: actionMatch,
1690
+ detail: actionMatch
1691
+ ? `behavioral validator PASSED: ${packId}.${categoryId} fired action=${hit.action} as expected`
1692
+ : `behavioral validator MISMATCH: ${packId}.${categoryId} fired action=${hit.action}, expected ${expectedAction}`,
1693
+ };
1694
+ }
1695
+ catch (err) {
1696
+ const msg = err instanceof Error ? err.message : String(err);
1697
+ return { passed: false, detail: `behavioral validator threw: ${msg}` };
1698
+ }
1699
+ };
1700
+ // HIPAA: PHI (SSN pattern)
1701
+ this.register('behavioralValidator_hipaa', runBehavioralCheck('hipaa', 'PHI', 'Patient SSN: 123-45-6789', 'BLOCK'));
1702
+ // HITECH: PHI
1703
+ this.register('behavioralValidator_hitech', runBehavioralCheck('hitech', 'PHI', 'Patient SSN: 123-45-6789', 'BLOCK'));
1704
+ // FERPA: EDUCATION_RECORD
1705
+ this.register('behavioralValidator_ferpa', runBehavioralCheck('ferpa', 'EDUCATION_RECORD', 'Student ID: STU123456 GPA: 3.8 transcript from Fall 2025', 'BLOCK'));
1706
+ // SOC 2: CREDENTIALS
1707
+ this.register('behavioralValidator_soc2', runBehavioralCheck('soc2', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1708
+ // SOC 1: CREDENTIALS
1709
+ this.register('behavioralValidator_soc1', runBehavioralCheck('soc1', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1710
+ // SOC 1: CONTROL_DEFICIENCY (ICFR) -- categoryActions.CONTROL_DEFICIENCY = WARN per soc1.ts
1711
+ this.register('behavioralValidator_soc1_icfr', runBehavioralCheck('soc1', 'CONTROL_DEFICIENCY', 'Material weakness identified in revenue-recognition control', 'WARN'));
1712
+ // SOC 1: ICFR_TEST_FAILURE (SSAE 18 AT-C 320 -- test of operating effectiveness failed)
1713
+ // categoryActions.ICFR_TEST_FAILURE = WARN per soc1.ts
1714
+ this.register('behavioralValidator_soc1_icfr_test_failure', runBehavioralCheck('soc1', 'ICFR_TEST_FAILURE', 'Test of operating effectiveness failed for general-IT controls.', 'WARN'));
1715
+ // SOC 1: SOX_404_EVIDENCE (Sarbanes-Oxley §404 ICFR attestation evidence)
1716
+ // categoryActions.SOX_404_EVIDENCE = LOG per soc1.ts
1717
+ this.register('behavioralValidator_soc1_sox_404', runBehavioralCheck('soc1', 'SOX_404_EVIDENCE', 'SOX Section 404 evidence requested for FY2026 audit.', 'LOG'));
1718
+ // ISO 27001: PII
1719
+ this.register('behavioralValidator_iso27001', runBehavioralCheck('iso27001', 'PII', 'User email: jane.doe@example.com', 'WARN'));
1720
+ // GDPR: SPECIAL_CATEGORY
1721
+ this.register('behavioralValidator_gdpr', runBehavioralCheck('gdpr', 'SPECIAL_CATEGORY', 'Patient is HIV positive, religion: Muslim', 'BLOCK'));
1722
+ // PCI DSS: PAN (Luhn-valid Visa PAN, payment context) -- must BLOCK
1723
+ this.register('behavioralValidator_pci_dss', runBehavioralCheck('pci-dss', 'PAN', 'Card number 4111111111111111 expires 12/26', 'BLOCK'));
1724
+ // PCI DSS: TRACK_DATA (track-2 sentinel pattern) -- must BLOCK
1725
+ this.register('behavioralValidator_pci_dss_track', runBehavioralCheck('pci-dss', 'TRACK_DATA', ';4111111111111111=26122015432112345?', 'BLOCK'));
1726
+ // PCI DSS: CVV (cvv label with 3-digit code) -- must BLOCK
1727
+ this.register('behavioralValidator_pci_dss_cvv', runBehavioralCheck('pci-dss', 'CVV', 'cvv: 123', 'BLOCK'));
1728
+ // DORA: CREDENTIALS
1729
+ this.register('behavioralValidator_dora', runBehavioralCheck('dora', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1730
+ // EU AI Act: BIOMETRIC_IDENTIFIER
1731
+ this.register('behavioralValidator_eu_ai_act', runBehavioralCheck('eu-ai-act', 'BIOMETRIC_IDENTIFIER', 'Biometric ID: fingerprint hash abc123def456', 'BLOCK'));
1732
+ // 42 CFR Part 2 (part2): SUD_RECORD
1733
+ this.register('behavioralValidator_part2', runBehavioralCheck('part2', 'SUD_RECORD', 'SUD treatment record for patient ID 78432', 'BLOCK'));
1734
+ // Colorado AI Act: PII
1735
+ this.register('behavioralValidator_colorado_ai', runBehavioralCheck('colorado-ai', 'PII', 'User email: jane.doe@example.com', 'WARN'));
1736
+ // NIST AI RMF: CREDENTIALS
1737
+ this.register('behavioralValidator_nist_ai_rmf', runBehavioralCheck('nist_ai_rmf', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz', 'BLOCK'));
1738
+ // ISO 42001: PII
1739
+ this.register('behavioralValidator_iso_42001', runBehavioralCheck('iso_42001', 'PII', 'User email: jane.doe@example.com', 'WARN'));
1740
+ // ISO 23894: AI_TRAINING_DATA
1741
+ this.register('behavioralValidator_iso_23894', runBehavioralCheck('iso-23894', 'AI_TRAINING_DATA', 'AI training data batch: model weights v2.3', 'LOG'));
1742
+ // CCPA: SPI
1743
+ this.register('behavioralValidator_ccpa', runBehavioralCheck('ccpa', 'SPI', 'Consumer health condition: diabetes type 2', 'BLOCK'));
1744
+ // LGPD: SENSITIVE_PII_BR
1745
+ this.register('behavioralValidator_lgpd', runBehavioralCheck('lgpd', 'SENSITIVE_PII_BR', 'CPF: 123.456.789-09 racial origin: Black', 'BLOCK'));
1746
+ // PIPL: PII_CN (dataPolicy.categoryActions: PII_CN = WARN)
1747
+ this.register('behavioralValidator_pipl', runBehavioralCheck('pipl', 'PII_CN', 'National ID: 110101199003077892', 'WARN'));
1748
+ // CA PIPEDA (X2 split -- legacy key kept for backward compat): CA_PIPEDA_PERSONAL_INFO (WARN)
1749
+ this.register('behavioralValidator_pipeda', runBehavioralCheck('ca-pipeda', 'CA_PIPEDA_PERSONAL_INFO', 'SIN: 046-454-286', 'WARN'));
1750
+ // GLBA: NPI
1751
+ this.register('behavioralValidator_glba', runBehavioralCheck('glba', 'NPI', 'Account number: 12345678 routing: 021000021', 'BLOCK'));
1752
+ // BIPA: BIOMETRIC_IDENTIFIER
1753
+ this.register('behavioralValidator_bipa', runBehavioralCheck('bipa', 'BIOMETRIC_IDENTIFIER', 'Biometric ID: fingerprint hash abc123def456', 'BLOCK'));
1754
+ // ABA: PRIVILEGED
1755
+ this.register('behavioralValidator_aba', runBehavioralCheck('aba', 'PRIVILEGED', 'Attorney-client privileged communication: case strategy memo', 'BLOCK'));
1756
+ // FTC §5: PAYMENT_DATA
1757
+ this.register('behavioralValidator_ftc5', runBehavioralCheck('ftc5', 'PAYMENT_DATA', 'Card number 4111111111111111 expires 12/26', 'BLOCK'));
1758
+ // SR 11-7: MODEL_INPUT
1759
+ this.register('behavioralValidator_sr117', runBehavioralCheck('sr11-7', 'MODEL_INPUT', 'Model input feature vector batch_id=2026-001 for risk model', 'LOG'));
1760
+ // 21 CFR Part 11: REGULATED_RECORD
1761
+ this.register('behavioralValidator_part11', runBehavioralCheck('part11', 'REGULATED_RECORD', 'Regulated electronic record: batch 2026-001 audit trail', 'BLOCK'));
1762
+ // SOX 404: CREDENTIALS
1763
+ this.register('behavioralValidator_sox404', runBehavioralCheck('sox404', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1764
+ // BSA/AML: NPI
1765
+ this.register('behavioralValidator_bsa_aml', runBehavioralCheck('bsa-aml', 'NPI', 'Account number: 12345678 routing: 021000021', 'BLOCK'));
1766
+ // NYDFS 500: CREDENTIALS
1767
+ this.register('behavioralValidator_nydfs500', runBehavioralCheck('nydfs500', 'CREDENTIALS', 'API_KEY=sk-prod-abc123xyz password=secret123', 'BLOCK'));
1768
+ // CFPB 2023-03: CREDIT_DECISION
1769
+ this.register('behavioralValidator_cfpb_2023_03', runBehavioralCheck('cfpb-2023-03', 'CREDIT_DECISION', 'Credit decision DECLINED for applicant ID A98765', 'LOG'));
1770
+ // MiFID II: CLIENT_FINANCIAL_DATA
1771
+ this.register('behavioralValidator_mifid2', runBehavioralCheck('mifid2', 'CLIENT_FINANCIAL_DATA', 'Client financial portfolio data EUR 250,000 equity account', 'BLOCK'));
1772
+ // NAIC MDL-668: NPI_HEALTH
1773
+ this.register('behavioralValidator_naic_mdl', runBehavioralCheck('naic-mdl', 'NPI_HEALTH', 'Insurance health record: policy holder DOB 1980-03-01 diagnosis code Z87.39', 'BLOCK'));
1774
+ // FRCP 26: PRIVILEGED
1775
+ this.register('behavioralValidator_frcp26', runBehavioralCheck('frcp26', 'PRIVILEGED', 'Attorney-client privileged communication: case strategy memo', 'BLOCK'));
1776
+ // FOIA: FOIA_EXEMPT_1_CLASSIFIED
1777
+ this.register('behavioralValidator_foia', runBehavioralCheck('foia', 'FOIA_EXEMPT_1_CLASSIFIED', 'CLASSIFIED national security intelligence assessment', 'BLOCK'));
1778
+ // LPO 2024: PRIVILEGED
1779
+ this.register('behavioralValidator_lpo2024', runBehavioralCheck('lpo2024', 'PRIVILEGED', 'Attorney-client privileged communication: case strategy memo', 'BLOCK'));
1780
+ // F-PACK-CLEANUP-1 (2026-05-08): behavioralValidator_appi removed.
1781
+ // The legacy `appi` pack file was deleted as a duplicate of `jp-appi`;
1782
+ // canonical coverage is via behavioralValidator_jp_appi (registered
1783
+ // further down). The `appi` alias on JP_APPI_PACK keeps callers using
1784
+ // `createGovernedAgent({ packs: ['appi'] })` working.
1785
+ // FedRAMP: CUI
1786
+ this.register('behavioralValidator_fedramp', runBehavioralCheck('fedramp', 'CUI', 'CUI: controlled unclassified information document ref CUI-2026-001', 'BLOCK'));
1787
+ // StateRAMP: CUI
1788
+ this.register('behavioralValidator_stateramp', runBehavioralCheck('stateramp', 'CUI', 'CUI: controlled unclassified information document ref CUI-2026-001', 'BLOCK'));
1789
+ // CJIS: CJI
1790
+ this.register('behavioralValidator_cjis', runBehavioralCheck('cjis', 'CJI', 'Criminal justice information: NCIC query result for suspect ID 98765', 'BLOCK'));
1791
+ // CMMC 2.0: CUI
1792
+ this.register('behavioralValidator_cmmc2', runBehavioralCheck('cmmc2', 'CUI', 'CUI: controlled unclassified information document ref CUI-2026-001', 'BLOCK'));
1793
+ // US-RESPA: REFERRAL_SIGNAL (renamed from respa to us-respa, X3 2026-04-24)
1794
+ this.register('behavioralValidator_respa', runBehavioralCheck('us-respa', 'REFERRAL_SIGNAL', 'Referral signal from settlement service provider to title company 2026-RESPA-001', 'BLOCK'));
1795
+ // HMDA: HMDA_GMI_RACE (dataPolicy.categoryActions: HMDA_GMI_RACE = BLOCK)
1796
+ this.register('behavioralValidator_hmda', runBehavioralCheck('hmda', 'HMDA_GMI_RACE', 'HMDA GMI race: Asian applicant loan ID 2026-LAR-001', 'BLOCK'));
1797
+ // US-TRID: CLOSING_DISCLOSURE_DRAFT (X3 split 2026-04-24 -- replaces tila-trid)
1798
+ this.register('behavioralValidator_us_trid', runBehavioralCheck('us-trid', 'CLOSING_DISCLOSURE_DRAFT', 'Closing Disclosure draft: APR 6.75% finance charge $45,200 consummation date 2026-05-01', 'LOG'));
1799
+ // US-TILA: ATR_DETERMINATION (X3 split 2026-04-24)
1800
+ this.register('behavioralValidator_us_tila', runBehavioralCheck('us-tila', 'ATR_DETERMINATION', 'ATR determination: debt-to-income ratio 38% ability-to-repay analysis 2026-ATR-001', 'BLOCK'));
1801
+ // ECOA: ECOA_PROHIBITED_BASIS
1802
+ this.register('behavioralValidator_ecoa', runBehavioralCheck('ecoa', 'ECOA_PROHIBITED_BASIS', 'Credit declined based on applicant race: Hispanic', 'BLOCK'));
1803
+ // FCRA: CONSUMER_REPORT_RECORD
1804
+ this.register('behavioralValidator_fcra', runBehavioralCheck('fcra', 'CONSUMER_REPORT_RECORD', 'Consumer report record: tradeline for consumer 123456', 'BLOCK'));
1805
+ // EU AI Liability: AI_PRODUCT_DAMAGE
1806
+ this.register('behavioralValidator_eu_ai_liability', runBehavioralCheck('eu-ai-liability', 'AI_PRODUCT_DAMAGE', 'AI product damage claim: defective AI output caused harm ref 2026-AI-001', 'LOG'));
1807
+ // FDA SaMD: PHI
1808
+ this.register('behavioralValidator_fda_samd', runBehavioralCheck('fda-samd', 'PHI', 'Patient SSN: 123-45-6789', 'BLOCK'));
1809
+ // FDA 21 CFR Part 56 (IRB): SERIOUS_ADVERSE_EVENT -> BLOCK
1810
+ // F-NEW-VERA-PACK-C7-01: missing behavioral check for us-fda-21cfr56.
1811
+ // SAE + CSUBJ pattern fires both SERIOUS_ADVERSE_EVENT (life-threatening-adverse regex)
1812
+ // and IRB_CLINICAL_SUBJECT_ID (CSUBJ prefix regex); SERIOUS_ADVERSE_EVENT is tested
1813
+ // here because it is the highest-risk BLOCK path (21 CFR 56.108(b) prompt reporting).
1814
+ this.register('behavioralValidator_us_fda_21cfr56', runBehavioralCheck('us-fda-21cfr56', 'SERIOUS_ADVERSE_EVENT', 'SAE reported: life-threatening adverse event for clinical subject CSUBJ-001234 IND-2026-0012', 'BLOCK'));
1815
+ // GxP: REGULATED_RECORD
1816
+ this.register('behavioralValidator_gxp', runBehavioralCheck('gxp', 'REGULATED_RECORD', 'Regulated electronic record: batch 2026-001 audit trail', 'BLOCK'));
1817
+ // HMDA (second primary category): HMDA_LAR_ENTRY (dataPolicy.categoryActions: HMDA_LAR_ENTRY = BLOCK)
1818
+ this.register('behavioralValidator_hmda_lar', runBehavioralCheck('hmda', 'HMDA_LAR_ENTRY', 'HMDA LAR entry loan origination 2026-LAR-001', 'BLOCK'));
1819
+ // BIPA second check: BIOMETRIC_INFORMATION
1820
+ this.register('behavioralValidator_bipa_info', runBehavioralCheck('bipa', 'BIOMETRIC_INFORMATION', 'Biometric information: facial geometry scan result', 'BLOCK'));
1821
+ // BSA/AML second check: SANCTIONS_IDENTIFIER
1822
+ this.register('behavioralValidator_bsa_sanctions', runBehavioralCheck('bsa-aml', 'SANCTIONS_IDENTIFIER', 'OFAC SDN match: entity XYZ Corp', 'BLOCK'));
1823
+ // -- P4 Education pack behavioral validators (2026-04-24) --
1824
+ // COPPA: UNDER_13_USER
1825
+ this.register('behavioralValidator_coppa', runBehavioralCheck('coppa', 'UNDER_13_USER', 'age: 8 under_13 user pediatric patient child-directed context', 'BLOCK'));
1826
+ // Common Rule: RESEARCH_SUBJECT_ID
1827
+ this.register('behavioralValidator_common_rule', runBehavioralCheck('common-rule', 'RESEARCH_SUBJECT_ID', 'subject_id: SUBJ-004821 participant_id study protocol IRB', 'BLOCK'));
1828
+ // Common Rule (GAP-5): IRB_APPROVAL_EXPIRED
1829
+ this.register('behavioralValidator_common_rule_irb_expiry', runBehavioralCheck('common-rule', 'IRB_APPROVAL_EXPIRED', 'IRB-2023-001 expired 2024-05-01 protocol approval lapsed', 'BLOCK'));
1830
+ // Title IX: TITLE_IX_INVESTIGATION_RECORD
1831
+ this.register('behavioralValidator_title_ix', runBehavioralCheck('title-ix', 'TITLE_IX_INVESTIGATION_RECORD', 'Title IX investigation record: respondent vs complainant Title IX Coordinator', 'BLOCK'));
1832
+ // Title IX (GAP-4): TITLE_IX_RETALIATION -- paraphrase pattern
1833
+ this.register('behavioralValidator_title_ix_retaliation', runBehavioralCheck('title-ix', 'TITLE_IX_RETALIATION', 'student suspended following gender bias complaint discrimination report', 'BLOCK'));
1834
+ // NIH Data Sharing: CONTROLLED_ACCESS_REPOSITORY_DATA (legacy pack id -- routes to us-nih-gds)
1835
+ this.register('behavioralValidator_nih_data_sharing', runBehavioralCheck('us-nih-gds', 'CONTROLLED_ACCESS_REPOSITORY_DATA', 'dbGaP phs000001 controlled access dataset DAC approved DUC', 'BLOCK'));
1836
+ // NIH Data Sharing (GAP-6): DAC_APPROVAL_EXPIRED (legacy pack id -- routes to us-nih-gds)
1837
+ this.register('behavioralValidator_nih_dms_dac_expiry', runBehavioralCheck('us-nih-gds', 'DAC_APPROVAL_EXPIRED', 'DAC approved DUC granted 2022-01-15, expires 2022-12-31 dbGaP dataset', 'BLOCK'));
1838
+ // CA PIPEDA (X2 split): CA_PIPEDA_PERSONAL_INFO (WARN)
1839
+ this.register('behavioralValidator_ca_pipeda', runBehavioralCheck('ca-pipeda', 'CA_PIPEDA_PERSONAL_INFO', 'SIN: 046-454-286', 'WARN'));
1840
+ // QC Law 25 (X2 split): QC_LAW25_HIGH_RISK_PI (BLOCK)
1841
+ this.register('behavioralValidator_ca_qc_law25', runBehavioralCheck('ca-qc-law25', 'QC_LAW25_HIGH_RISK_PI', 'health record: RAMQ biometric data facial recognition Quebec resident', 'BLOCK'));
1842
+ // NIH DMS (X2 split): DMSP_RESTRICTED_DATA (BLOCK)
1843
+ this.register('behavioralValidator_us_nih_dms', runBehavioralCheck('us-nih-dms', 'DMSP_RESTRICTED_DATA', 'DMSP restricted outside dmsp approved scope data management sharing plan limit', 'BLOCK'));
1844
+ // NIH GDS (X2 split): CONTROLLED_ACCESS_REPOSITORY_DATA (BLOCK)
1845
+ this.register('behavioralValidator_us_nih_gds', runBehavioralCheck('us-nih-gds', 'CONTROLLED_ACCESS_REPOSITORY_DATA', 'dbGaP phs000001 controlled access dataset DAC approved DUC', 'BLOCK'));
1846
+ // NIH GDS STUDY_CONCLUDED_DUC_ACTIVE (F-NEW-VERA-PACK-C6-02, 2026-05-03):
1847
+ // Study ended but DUC still in-date -- requires DUC termination workflow confirmation.
1848
+ // Action: REQUIRE_APPROVAL (not BLOCK -- close-out work is legitimate).
1849
+ this.register('nih_gds_study_concluded_duc_termination_active', runBehavioralCheck('us-nih-gds', 'STUDY_CONCLUDED_DUC_ACTIVE', 'study concluded final report submitted DAC DUC dbGaP controlled access genomic', 'REQUIRE_APPROVAL'));
1850
+ // NIH CoC (X2 split): COC_PROTECTED_RESEARCH_DATA (BLOCK)
1851
+ this.register('behavioralValidator_us_nih_coc', runBehavioralCheck('us-nih-coc', 'COC_PROTECTED_RESEARCH_DATA', 'certificate of confidentiality CoC protected research data', 'BLOCK'));
1852
+ // NIH IT Security (X2 split): NIH_IT_FISMA_BASELINE_GAP (BLOCK)
1853
+ this.register('behavioralValidator_us_nih_it_security', runBehavioralCheck('us-nih-it-security', 'NIH_IT_FISMA_BASELINE_GAP', 'NIH_IT_FISMA_BASELINE_GAP fisma gap nih data unencrypted controlled access', 'BLOCK'));
1854
+ // Florida Student Privacy: FLORIDA_K12_STUDENT_RECORD
1855
+ this.register('behavioralValidator_florida_student_privacy', runBehavioralCheck('florida-student-privacy', 'FLORIDA_K12_STUDENT_RECORD', 'FLORIDA_K12_STUDENT_RECORD florida k12 student grade 5 pk yonge school district', 'BLOCK'));
1856
+ // Florida Student Privacy (GAP-7): TARGETED_ADVERTISING_RECIPIENT
1857
+ this.register('behavioralValidator_florida_targeted_advertising', runBehavioralCheck('florida-student-privacy', 'TARGETED_ADVERTISING_RECIPIENT', 'florida k12 student record analytics advertising learning-analytics-provider adtech', 'BLOCK'));
1858
+ // -- AU packs (Phase 5) --
1859
+ // AU Privacy Act 1988
1860
+ this.register('au_privacy_sensitive_gate_active', configFlag('governance-runtime', 'auPrivacySensitiveGateEnabled', 'AU Privacy Act sensitive PI gate (APP 3)'));
1861
+ this.register('au_privacy_offshore_gate_active', configFlag('supply-chain', 'auPrivacyOffshoreTransferGateEnabled', 'AU Privacy Act offshore transfer gate (APP 8)'));
1862
+ this.register('au_privacy_ndb_timer_active', (ctx) => {
1863
+ const hours = ctx.packConfig?.['event-bus']?.auNdbNotificationDeadlineHours;
1864
+ const passed = typeof hours === 'number' && hours <= 720;
1865
+ return {
1866
+ passed,
1867
+ detail: passed
1868
+ ? `AU NDB notification clock ${hours}h configured (<= 720h / 30 days)`
1869
+ : `auNdbNotificationDeadlineHours=${hours} (need <= 720)`,
1870
+ };
1871
+ });
1872
+ this.register('au_privacy_govt_id_block_active', (ctx) => {
1873
+ const dcActive = ctx.activeModules.includes('data-classifier');
1874
+ const action = ctx.packConfig?.['data-classifier']?.auGovernmentIdAction;
1875
+ const passed = dcActive && action === 'BLOCK';
1876
+ return {
1877
+ passed,
1878
+ detail: passed
1879
+ ? 'AU government ID (TFN/DL) action = BLOCK via data-classifier (APP 8, TFN Rule)'
1880
+ : `dcActive=${dcActive}, auGovernmentIdAction=${action}`,
1881
+ };
1882
+ });
1883
+ this.register('au_privacy_secondary_use_gate_active', configFlag('governance-runtime', 'auPrivacySecondaryUseGateEnabled', 'AU Privacy Act secondary use gate (APP 6)'));
1884
+ this.register('au_privacy_automated_decision_log_active', configFlag('event-bus', 'auPrivacyAutomatedDecisionLoggingEnabled', 'AU Privacy Act automated decision logging'));
1885
+ this.register('au_privacy_access_sla_active', (ctx) => {
1886
+ const days = ctx.packConfig?.['governance-runtime']?.auPrivacyAccessResponseDays;
1887
+ const passed = typeof days === 'number' && days <= 30;
1888
+ return {
1889
+ passed,
1890
+ detail: passed
1891
+ ? `AU Privacy Act access SLA ${days}d (<= 30 days) configured (APP 12)`
1892
+ : `auPrivacyAccessResponseDays=${days} (need <= 30)`,
1893
+ };
1894
+ });
1895
+ this.register('au_privacy_retention_check_active', configFlag('session-persistence', 'auPrivacyRetentionScheduleEnabled', 'AU Privacy Act retention schedule (APP 11)'));
1896
+ // AU CDR Act 2019
1897
+ this.register('au_cdr_consent_gate_active', (ctx) => {
1898
+ const dcActive = ctx.activeModules.includes('data-classifier');
1899
+ const action = ctx.packConfig?.['data-classifier']?.auCdrConsentAction;
1900
+ const passed = dcActive && action === 'BLOCK';
1901
+ return {
1902
+ passed,
1903
+ detail: passed
1904
+ ? 'AU CDR expired consent action = BLOCK via data-classifier (PS 1.4)'
1905
+ : `dcActive=${dcActive}, auCdrConsentAction=${action}`,
1906
+ };
1907
+ });
1908
+ this.register('au_cdr_secondary_use_block_active', configFlag('governance-runtime', 'auCdrSecondaryUseBlockEnabled', 'AU CDR secondary use block (PS 6.4)'));
1909
+ this.register('au_cdr_marketing_block_active', configFlag('governance-runtime', 'auCdrMarketingBlockEnabled', 'AU CDR marketing use block (PS 7.5)'));
1910
+ this.register('au_cdr_deletion_sla_active', (ctx) => {
1911
+ const hours = ctx.packConfig?.['event-bus']?.auCdrDeletionDeadlineHours;
1912
+ const passed = typeof hours === 'number' && hours <= 336; // CDR 14-day (336h)
1913
+ return {
1914
+ passed,
1915
+ detail: passed
1916
+ ? `AU CDR deletion SLA ${hours}h configured (<= 336h / 14 days) (PS 9.2)`
1917
+ : `auCdrDeletionDeadlineHours=${hours} (need <= 336)`,
1918
+ };
1919
+ });
1920
+ this.register('au_cdr_offshore_gate_active', configFlag('supply-chain', 'auCdrOffshoreTransferGateEnabled', 'AU CDR offshore transfer gate (PS 8.11)'));
1921
+ this.register('au_cdr_access_log_active', configFlag('event-bus', 'auCdrAccessLoggingEnabled', 'AU CDR access logging'));
1922
+ // AU APRA CPS 234
1923
+ this.register('au_cps234_incident_72hr_active', (ctx) => {
1924
+ const hours = ctx.packConfig?.['event-bus']?.auCps234IncidentNotificationHours;
1925
+ const passed = hours === 72;
1926
+ return {
1927
+ passed,
1928
+ detail: passed
1929
+ ? 'APRA CPS 234 72-hour incident notification configured (Para 23)'
1930
+ : `auCps234IncidentNotificationHours=${hours} (need 72)`,
1931
+ };
1932
+ });
1933
+ this.register('au_cps234_control_weakness_notify_active', configFlag('event-bus', 'auCps234ControlWeaknessNotificationEnabled', 'APRA CPS 234 control weakness notification (Para 22)'));
1934
+ this.register('au_cps234_third_party_gate_active', configFlag('supply-chain', 'auCps234ThirdPartyGateEnabled', 'APRA CPS 234 third-party arrangement gate (Para 15-16)'));
1935
+ this.register('au_cps234_asset_register_check_active', configFlag('attestation-manager', 'auCps234InfoAssetRegisterRequired', 'APRA CPS 234 information asset register (Para 10)'));
1936
+ this.register('au_cps234_annual_testing_active', (ctx) => {
1937
+ const days = ctx.packConfig?.['attestation-manager']?.auCps234TestingCadenceDays;
1938
+ const passed = typeof days === 'number' && days <= 365;
1939
+ return {
1940
+ passed,
1941
+ detail: passed
1942
+ ? `APRA CPS 234 testing cadence ${days}d (<= 365 days) (Para 20-21)`
1943
+ : `auCps234TestingCadenceDays=${days}`,
1944
+ };
1945
+ });
1946
+ this.register('au_cps234_customer_data_log_active', configFlag('event-bus', 'auCps234CustomerDataLoggingEnabled', 'APRA CPS 234 customer data logging'));
1947
+ // AU APRA CPS 230
1948
+ this.register('au_cps230_incident_72hr_active', (ctx) => {
1949
+ const hours = ctx.packConfig?.['event-bus']?.auCps230IncidentNotificationHours;
1950
+ const passed = hours === 72;
1951
+ return {
1952
+ passed,
1953
+ detail: passed
1954
+ ? 'APRA CPS 230 72-hour operational incident notification configured'
1955
+ : `auCps230IncidentNotificationHours=${hours} (need 72)`,
1956
+ };
1957
+ });
1958
+ this.register('au_cps230_provider_due_diligence_active', configFlag('supply-chain', 'auCps230ProviderDueDiligenceEnabled', 'APRA CPS 230 material provider due diligence'));
1959
+ this.register('au_cps230_contract_completeness_active', configFlag('supply-chain', 'auCps230ContractCompletenessEnabled', 'APRA CPS 230 provider contract completeness'));
1960
+ this.register('au_cps230_bcp_annual_test_active', (ctx) => {
1961
+ const days = ctx.packConfig?.['attestation-manager']?.auCps230BcpTestCadenceDays;
1962
+ const passed = typeof days === 'number' && days <= 365;
1963
+ return {
1964
+ passed,
1965
+ detail: passed
1966
+ ? `APRA CPS 230 BCP test cadence ${days}d (<= 365 days)`
1967
+ : `auCps230BcpTestCadenceDays=${days}`,
1968
+ };
1969
+ });
1970
+ this.register('au_cps230_critical_op_register_active', configFlag('attestation-manager', 'auCps230CriticalOpRegisterRequired', 'APRA CPS 230 critical operations register'));
1971
+ this.register('au_cps230_post_incident_review_active', configFlag('attestation-manager', 'auCps230PostIncidentReviewEnabled', 'APRA CPS 230 post-incident review'));
1972
+ // AU SOCI Act 2018
1973
+ this.register('au_soci_incident_12hr_active', (ctx) => {
1974
+ const hours = ctx.packConfig?.['event-bus']?.auSociIncident12HrNotificationHours;
1975
+ const passed = hours === 12;
1976
+ return {
1977
+ passed,
1978
+ detail: passed
1979
+ ? 'SOCI Act 12-hour cyber incident notification configured (s.30BC)'
1980
+ : `auSociIncident12HrNotificationHours=${hours} (need 12)`,
1981
+ };
1982
+ });
1983
+ this.register('au_soci_incident_72hr_active', (ctx) => {
1984
+ const hours = ctx.packConfig?.['event-bus']?.auSociIncident72HrNotificationHours;
1985
+ const passed = hours === 72;
1986
+ return {
1987
+ passed,
1988
+ detail: passed
1989
+ ? 'SOCI Act 72-hour cyber incident follow-up notification configured (s.30BG)'
1990
+ : `auSociIncident72HrNotificationHours=${hours} (need 72)`,
1991
+ };
1992
+ });
1993
+ this.register('au_soci_sons_direction_active', configFlag('governance-runtime', 'auSociSonsDirectionComplianceEnabled', 'SOCI Act SONS direction compliance'));
1994
+ this.register('au_soci_cirmp_annual_active', (ctx) => {
1995
+ const days = ctx.packConfig?.['attestation-manager']?.auSociCirmpReviewCadenceDays;
1996
+ const passed = typeof days === 'number' && days <= 365;
1997
+ return {
1998
+ passed,
1999
+ detail: passed
2000
+ ? `SOCI Act CIRMP annual review cadence ${days}d configured`
2001
+ : `auSociCirmpReviewCadenceDays=${days}`,
2002
+ };
2003
+ });
2004
+ this.register('au_soci_data_asset_gate_active', configFlag('governance-runtime', 'auSociDataAssetGateEnabled', 'SOCI Act data asset gate'));
2005
+ // AU ASIC RG 271
2006
+ this.register('au_rg271_idr_30day_sla_active', (ctx) => {
2007
+ const days = ctx.packConfig?.['event-bus']?.auRg271IdrStandardDays;
2008
+ const passed = days === 30;
2009
+ return {
2010
+ passed,
2011
+ detail: passed
2012
+ ? 'ASIC RG 271 IDR 30-day standard SLA configured'
2013
+ : `auRg271IdrStandardDays=${days} (need 30)`,
2014
+ };
2015
+ });
2016
+ this.register('au_rg271_ai_decision_reasons_active', configFlag('transparency-injector', 'auRg271AiDecisionReasonsEnabled', 'ASIC RG 271 AI decision reasons disclosure'));
2017
+ this.register('au_rg271_complaint_log_active', configFlag('event-bus', 'auRg271ComplaintLoggingEnabled', 'ASIC RG 271 complaint logging'));
2018
+ this.register('au_rg271_systemic_escalation_active', configFlag('governance-runtime', 'auRg271SystemicIssueEscalationEnabled', 'ASIC RG 271 systemic issue escalation'));
2019
+ this.register('au_rg271_asic_reporting_active', configFlag('attestation-manager', 'auRg271AsicReportingEnabled', 'ASIC RG 271 ASIC reporting'));
2020
+ this.register('au_rg271_retention_7yr_active', (ctx) => {
2021
+ const days = ctx.packConfig?.['session-persistence']?.auRg271RetentionDays;
2022
+ const passed = typeof days === 'number' && days >= 2555;
2023
+ return {
2024
+ passed,
2025
+ detail: passed
2026
+ ? `ASIC RG 271 7-year retention ${days}d configured (>= 2555)`
2027
+ : `auRg271RetentionDays=${days} (need >= 2555)`,
2028
+ };
2029
+ });
2030
+ // AU ASIC RG 274 / DDO
2031
+ this.register('au_ddo_out_of_target_block_active', (ctx) => {
2032
+ const dcActive = ctx.activeModules.includes('data-classifier');
2033
+ const action = ctx.packConfig?.['data-classifier']?.auDdoOutOfTargetAction;
2034
+ const passed = dcActive && action === 'BLOCK';
2035
+ return {
2036
+ passed,
2037
+ detail: passed
2038
+ ? 'AU DDO out-of-target-market action = BLOCK via data-classifier (s.994E Corporations Act)'
2039
+ : `dcActive=${dcActive}, auDdoOutOfTargetAction=${action}`,
2040
+ };
2041
+ });
2042
+ this.register('au_ddo_tmd_screening_log_active', configFlag('event-bus', 'auDdoTmdScreeningLoggingEnabled', 'AU DDO TMD screening logging'));
2043
+ this.register('au_ddo_significant_dealing_report_active', (ctx) => {
2044
+ const days = ctx.packConfig?.['event-bus']?.auDdoSignificantDealingReportDays;
2045
+ const passed = typeof days === 'number' && days <= 10;
2046
+ return {
2047
+ passed,
2048
+ detail: passed
2049
+ ? `AU DDO significant dealing report ${days} BD configured (<= 10 BD) (s.994F2)`
2050
+ : `auDdoSignificantDealingReportDays=${days} (need <= 10)`,
2051
+ };
2052
+ });
2053
+ this.register('au_ddo_tmd_review_alert_active', configFlag('event-bus', 'auDdoTmdReviewAlertEnabled', 'AU DDO TMD review trigger alert'));
2054
+ this.register('au_ddo_retail_client_log_active', configFlag('event-bus', 'auDdoRetailClientLoggingEnabled', 'AU DDO retail client logging'));
2055
+ // AU AML/CTF Act 2006
2056
+ this.register('au_aml_smr_3bd_active', (ctx) => {
2057
+ const days = ctx.packConfig?.['event-bus']?.auAmlSmrDeadlineBusinessDays;
2058
+ const passed = typeof days === 'number' && days <= 3;
2059
+ return {
2060
+ passed,
2061
+ detail: passed
2062
+ ? `AU AML SMR standard 3-BD deadline ${days} BD configured`
2063
+ : `auAmlSmrDeadlineBusinessDays=${days} (need <= 3)`,
2064
+ };
2065
+ });
2066
+ this.register('au_aml_smr_ctf_24hr_active', (ctx) => {
2067
+ const hours = ctx.packConfig?.['event-bus']?.auAmlCtfSmrNotificationHours;
2068
+ const passed = hours === 24;
2069
+ return {
2070
+ passed,
2071
+ detail: passed
2072
+ ? 'AU AML/CTF 24-hour SMR notification clock configured (s.41B AUSTRAC requirement)'
2073
+ : `auAmlCtfSmrNotificationHours=${hours} (need 24)`,
2074
+ };
2075
+ });
2076
+ this.register('au_aml_tipping_off_block_active', (ctx) => {
2077
+ const dcActive = ctx.activeModules.includes('data-classifier');
2078
+ const action = ctx.packConfig?.['data-classifier']?.auAmlTippingOffAction;
2079
+ const passed = dcActive && action === 'BLOCK';
2080
+ return {
2081
+ passed,
2082
+ detail: passed
2083
+ ? 'AU AML tipping-off action = BLOCK via data-classifier (AML/CTF Act s.123)'
2084
+ : `dcActive=${dcActive}, auAmlTippingOffAction=${action}`,
2085
+ };
2086
+ });
2087
+ this.register('au_aml_pep_approval_active', configFlag('approval-queue', 'auAmlPepApprovalRequired', 'AU AML PEP enhanced due diligence approval'));
2088
+ this.register('au_aml_high_risk_country_active', configFlag('governance-runtime', 'auAmlHighRiskCountryScreeningEnabled', 'AU AML high-risk country screening'));
2089
+ this.register('au_aml_ttr_10bd_active', (ctx) => {
2090
+ const days = ctx.packConfig?.['event-bus']?.auAmlTtrDeadlineBusinessDays;
2091
+ const passed = typeof days === 'number' && days <= 10;
2092
+ return {
2093
+ passed,
2094
+ detail: passed
2095
+ ? `AU AML threshold transaction report ${days} BD configured (<= 10 BD)`
2096
+ : `auAmlTtrDeadlineBusinessDays=${days} (need <= 10)`,
2097
+ };
2098
+ });
2099
+ this.register('au_aml_ifti_10bd_active', (ctx) => {
2100
+ const days = ctx.packConfig?.['event-bus']?.auAmlIftiDeadlineBusinessDays;
2101
+ const passed = typeof days === 'number' && days <= 10;
2102
+ return {
2103
+ passed,
2104
+ detail: passed
2105
+ ? `AU AML IFTI ${days} BD configured (<= 10 BD)`
2106
+ : `auAmlIftiDeadlineBusinessDays=${days} (need <= 10)`,
2107
+ };
2108
+ });
2109
+ this.register('au_aml_programme_ai_docs_active', configFlag('attestation-manager', 'auAmlProgrammeAiDocumentationRequired', 'AU AML programme AI documentation'));
2110
+ this.register('au_aml_dnfbp_registration_active', configFlag('governance-runtime', 'auAmlDnfbpRegistrationCheckEnabled', 'AU AML DNFBP registration check'));
2111
+ // AU Spam Act 2003
2112
+ this.register('au_spam_act_consent_gate_active', (ctx) => {
2113
+ const dcActive = ctx.activeModules.includes('data-classifier');
2114
+ const action = ctx.packConfig?.['data-classifier']?.auCemConsentAction;
2115
+ const passed = dcActive && action === 'BLOCK';
2116
+ return {
2117
+ passed,
2118
+ detail: passed
2119
+ ? 'AU Spam Act consent gate: CEM without consent action = BLOCK via data-classifier (s.16)'
2120
+ : `dcActive=${dcActive}, auCemConsentAction=${action}`,
2121
+ };
2122
+ });
2123
+ this.register('au_spam_act_unsubscribe_block_active', (ctx) => {
2124
+ const dcActive = ctx.activeModules.includes('data-classifier');
2125
+ const action = ctx.packConfig?.['data-classifier']?.auCemUnsubscribedAction;
2126
+ const passed = dcActive && action === 'BLOCK';
2127
+ return {
2128
+ passed,
2129
+ detail: passed
2130
+ ? 'AU Spam Act unsubscribed address action = BLOCK via data-classifier (s.18)'
2131
+ : `dcActive=${dcActive}, auCemUnsubscribedAction=${action}`,
2132
+ };
2133
+ });
2134
+ this.register('au_spam_act_harvested_block_active', configFlag('governance-runtime', 'auCemHarvestedAddressBlockEnabled', 'AU Spam Act harvested address block (ss.20-22)'));
2135
+ this.register('au_spam_act_unsubscribe_5bd_active', (ctx) => {
2136
+ const days = ctx.packConfig?.['event-bus']?.auCemUnsubscribeDeadlineBusinessDays;
2137
+ const passed = typeof days === 'number' && days <= 5;
2138
+ return {
2139
+ passed,
2140
+ detail: passed
2141
+ ? `AU Spam Act unsubscribe action ${days} BD (<= 5 BD) configured (s.18(1)(a))`
2142
+ : `auCemUnsubscribeDeadlineBusinessDays=${days} (need <= 5)`,
2143
+ };
2144
+ });
2145
+ this.register('au_spam_act_sender_id_check_active', configFlag('transparency-injector', 'auCemSenderIdentityDisclosureEnabled', 'AU Spam Act sender identity disclosure (s.17)'));
2146
+ this.register('au_spam_act_consent_logging_active', configFlag('session-persistence', 'auCemConsentLoggingEnabled', 'AU Spam Act consent logging'));
2147
+ // AU Online Safety Act 2021
2148
+ this.register('au_online_safety_csam_block_active', (ctx) => {
2149
+ const dcActive = ctx.activeModules.includes('data-classifier');
2150
+ const action = ctx.packConfig?.['data-classifier']?.auOsaCsamAction;
2151
+ const passed = dcActive && action === 'BLOCK';
2152
+ return {
2153
+ passed,
2154
+ detail: passed
2155
+ ? 'AU Online Safety Act: CSAM action = BLOCK via data-classifier (Part 4, OSA 2021)'
2156
+ : `dcActive=${dcActive}, auOsaCsamAction=${action}`,
2157
+ };
2158
+ });
2159
+ this.register('au_online_safety_ncii_block_active', (ctx) => {
2160
+ const dcActive = ctx.activeModules.includes('data-classifier');
2161
+ const action = ctx.packConfig?.['data-classifier']?.auOsaNciiAction;
2162
+ const passed = dcActive && action === 'BLOCK';
2163
+ return {
2164
+ passed,
2165
+ detail: passed
2166
+ ? 'AU Online Safety Act: NCII action = BLOCK via data-classifier (Part 5, OSA 2021)'
2167
+ : `dcActive=${dcActive}, auOsaNciiAction=${action}`,
2168
+ };
2169
+ });
2170
+ this.register('au_online_safety_48h_removal_active', (ctx) => {
2171
+ const hours = ctx.packConfig?.['event-bus']?.auOsaRemovalObligationHours;
2172
+ const passed = hours === 48;
2173
+ return {
2174
+ passed,
2175
+ detail: passed
2176
+ ? 'AU Online Safety Act 48-hour removal obligation configured (Parts 4/5/6 OSA 2021)'
2177
+ : `auOsaRemovalObligationHours=${hours} (need 48)`,
2178
+ };
2179
+ });
2180
+ this.register('au_online_safety_esafety_notice_active', configFlag('governance-runtime', 'auOsaESafetyNoticeComplianceEnabled', 'AU Online Safety Act eSafety notice compliance'));
2181
+ this.register('au_online_safety_minor_protections_active', configFlag('governance-runtime', 'auOsaMinorProtectionsEnabled', 'AU Online Safety Act minor protections'));
2182
+ this.register('au_online_safety_bose_coverage_active', configFlag('attestation-manager', 'auOsaBoseCoverageAttestationRequired', 'AU Online Safety Act BOSE coverage attestation'));
2183
+ this.register('au_online_safety_moderation_logging_active', configFlag('event-bus', 'auOsaModerationLoggingEnabled', 'AU Online Safety Act moderation logging'));
2184
+ // AU AI Ethics Framework (voluntary)
2185
+ this.register('au_aiethics_accountability_defined_active', configFlag('attestation-manager', 'auAiEthicsAccountabilityDefined', 'AU AI Ethics Framework accountability defined (Principle 1)'));
2186
+ this.register('au_aiethics_ai_disclosure_active', configFlag('transparency-injector', 'auAiEthicsDisclosureEnabled', 'AU AI Ethics Framework AI disclosure (Principle 7)'));
2187
+ this.register('au_aiethics_governance_doc_active', configFlag('attestation-manager', 'auAiEthicsGovernanceDocRequired', 'AU AI Ethics Framework governance documentation (Principle 9)'));
2188
+ this.register('au_aiethics_testing_current_active', (ctx) => {
2189
+ const days = ctx.packConfig?.['attestation-manager']?.auAiEthicsTestingCadenceDays;
2190
+ const passed = typeof days === 'number' && days <= 365;
2191
+ return {
2192
+ passed,
2193
+ detail: passed
2194
+ ? `AU AI Ethics Framework testing cadence ${days}d configured`
2195
+ : `auAiEthicsTestingCadenceDays=${days}`,
2196
+ };
2197
+ });
2198
+ this.register('au_aiethics_redress_mechanism_active', configFlag('approval-queue', 'auAiEthicsRedressMechanismEnabled', 'AU AI Ethics Framework redress mechanism (Principle 10)'));
2199
+ this.register('au_aiethics_provenance_docs_active', configFlag('attestation-manager', 'auAiEthicsProvenanceDocsRequired', 'AU AI Ethics Framework training data provenance'));
2200
+ this.register('au_aiethics_human_override_active', configFlag('approval-queue', 'auAiEthicsHumanOverrideEnabled', 'AU AI Ethics Framework human override (Principle 8)'));
2201
+ // AU Mandatory AI Guardrails (DISR 2024, not yet enacted)
2202
+ this.register('au_mandatory_ai_high_risk_gate_active', configFlag('governance-runtime', 'auMandatoryAiHighRiskGateEnabled', 'AU Mandatory AI Guardrail 1: high-risk AI gate [CITATION TO VERIFY]'));
2203
+ this.register('au_mandatory_ai_accountability_active', configFlag('attestation-manager', 'auMandatoryAiAccountabilityDocRequired', 'AU Mandatory AI Guardrail 2: accountability documentation [CITATION TO VERIFY]'));
2204
+ this.register('au_mandatory_ai_transparency_active', configFlag('transparency-injector', 'auMandatoryAiTransparencyEnabled', 'AU Mandatory AI Guardrail 4: transparency disclosure [CITATION TO VERIFY]'));
2205
+ this.register('au_mandatory_ai_redress_active', configFlag('approval-queue', 'auMandatoryAiRedressEnabled', 'AU Mandatory AI Guardrail 5: redress mechanism [CITATION TO VERIFY]'));
2206
+ this.register('au_mandatory_ai_testing_active', (ctx) => {
2207
+ const days = ctx.packConfig?.['attestation-manager']?.auMandatoryAiTestingCadenceDays;
2208
+ const passed = typeof days === 'number' && days <= 365;
2209
+ return {
2210
+ passed,
2211
+ detail: passed
2212
+ ? `AU Mandatory AI testing cadence ${days}d configured [CITATION TO VERIFY]`
2213
+ : `auMandatoryAiTestingCadenceDays=${days}`,
2214
+ };
2215
+ });
2216
+ this.register('au_mandatory_ai_provenance_active', configFlag('attestation-manager', 'auMandatoryAiProvenanceRequired', 'AU Mandatory AI Guardrail 6: training data provenance [CITATION TO VERIFY]'));
2217
+ // AU TGA SaMD
2218
+ this.register('au_tga_samd_artg_registration_active', (ctx) => {
2219
+ const dcActive = ctx.activeModules.includes('data-classifier');
2220
+ const action = ctx.packConfig?.['data-classifier']?.auTgaSamdUnregisteredAction;
2221
+ const passed = dcActive && action === 'BLOCK';
2222
+ return {
2223
+ passed,
2224
+ detail: passed
2225
+ ? 'AU TGA SaMD: unregistered SaMD action = BLOCK via data-classifier (Therapeutic Goods Act s.19D)'
2226
+ : `dcActive=${dcActive}, auTgaSamdUnregisteredAction=${action}`,
2227
+ };
2228
+ });
2229
+ this.register('au_tga_samd_adverse_event_block_active', (ctx) => {
2230
+ const dcActive = ctx.activeModules.includes('data-classifier');
2231
+ const action = ctx.packConfig?.['data-classifier']?.auTgaSamdAdverseEventAction;
2232
+ const passed = dcActive && action === 'BLOCK';
2233
+ return {
2234
+ passed,
2235
+ detail: passed
2236
+ ? 'AU TGA SaMD: adverse event action = BLOCK via data-classifier (TGA MDR obligations)'
2237
+ : `dcActive=${dcActive}, auTgaSamdAdverseEventAction=${action}`,
2238
+ };
2239
+ });
2240
+ this.register('au_tga_samd_pccp_change_approval_active', configFlag('approval-queue', 'auTgaSamdPccpChangeApprovalRequired', 'AU TGA SaMD PCCP change approval (TGA AI/ML Guidance 2023)'));
2241
+ this.register('au_tga_samd_performance_monitoring_active', configFlag('anomaly-detector', 'auTgaSamdPerformanceMonitoringEnabled', 'AU TGA SaMD performance monitoring (GMLP Principle 6)'));
2242
+ this.register('au_tga_samd_clinical_evidence_active', configFlag('attestation-manager', 'auTgaSamdClinicalEvidenceRequired', 'AU TGA SaMD clinical evidence (TGA ECA)'));
2243
+ this.register('au_tga_samd_gmlp_compliance_active', configFlag('attestation-manager', 'auTgaSamdGmlpComplianceAttested', 'AU TGA SaMD GMLP compliance attestation'));
2244
+ this.register('au_tga_samd_labelling_active', configFlag('transparency-injector', 'auTgaSamdLabellingDisclosureEnabled', 'AU TGA SaMD AI labelling disclosure'));
2245
+ this.register('au_tga_samd_retention_10yr_active', (ctx) => {
2246
+ const days = ctx.packConfig?.['session-persistence']?.auTgaSamdRetentionDays;
2247
+ const passed = typeof days === 'number' && days >= 3650;
2248
+ return {
2249
+ passed,
2250
+ detail: passed
2251
+ ? `AU TGA SaMD 10-year retention ${days}d configured (>= 3650)`
2252
+ : `auTgaSamdRetentionDays=${days} (need >= 3650)`,
2253
+ };
2254
+ });
2255
+ // AU State Health Privacy (NSW HRIPA / VIC HRA / ACT HRPAA)
2256
+ this.register('au_state_health_nsw_transborder_block_active', (ctx) => {
2257
+ const dcActive = ctx.activeModules.includes('data-classifier');
2258
+ const action = ctx.packConfig?.['data-classifier']?.auStateHealthTransborderAction;
2259
+ const passed = dcActive && action === 'BLOCK';
2260
+ return {
2261
+ passed,
2262
+ detail: passed
2263
+ ? 'AU State Health: transborder transfer action = BLOCK via data-classifier (NSW HPP 10 / HRIPA 2002)'
2264
+ : `dcActive=${dcActive}, auStateHealthTransborderAction=${action}`,
2265
+ };
2266
+ });
2267
+ this.register('au_state_health_research_ethics_active', configFlag('approval-queue', 'auStateHealthResearchEthicsApprovalRequired', 'AU State Health research ethics approval gate'));
2268
+ this.register('au_state_health_mental_health_retention_active', (ctx) => {
2269
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMentalHealthRetentionDays;
2270
+ // VIC mental health: 25 years from last service entry for non-deceased [CITATION TO VERIFY]
2271
+ const passed = typeof days === 'number' && days >= 3650;
2272
+ return {
2273
+ passed,
2274
+ detail: passed
2275
+ ? `AU State Health mental health retention ${days}d configured (>= 3650)`
2276
+ : `auStateHealthMentalHealthRetentionDays=${days}`,
2277
+ };
2278
+ });
2279
+ this.register('au_state_health_access_30d_active', (ctx) => {
2280
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthAccessResponseDays;
2281
+ const passed = typeof days === 'number' && days <= 30;
2282
+ return {
2283
+ passed,
2284
+ detail: passed
2285
+ ? `AU State Health access response ${days}d (<= 30 days) configured`
2286
+ : `auStateHealthAccessResponseDays=${days} (need <= 30)`,
2287
+ };
2288
+ });
2289
+ this.register('au_state_health_collection_notice_active', configFlag('transparency-injector', 'auStateHealthCollectionNoticeEnabled', 'AU State Health collection notice (NSW HPP 4 / VIC HPP 1)'));
2290
+ this.register('au_state_health_server_location_active', configFlag('supply-chain', 'auStateHealthServerLocationAustralia', 'AU State Health server location Australia [CITATION TO VERIFY]'));
2291
+ this.register('au_state_health_correction_30d_active', (ctx) => {
2292
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthCorrectionResponseDays;
2293
+ const passed = typeof days === 'number' && days <= 30;
2294
+ return {
2295
+ passed,
2296
+ detail: passed
2297
+ ? `AU State Health correction response ${days}d configured`
2298
+ : `auStateHealthCorrectionResponseDays=${days} (need <= 30)`,
2299
+ };
2300
+ });
2301
+ this.register('au_state_health_minor_retention_active', (ctx) => {
2302
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMinorRetentionDays;
2303
+ // NSW: at least 7 years after last entry or age 25 (whichever is later) — conservative 3650d
2304
+ const passed = typeof days === 'number' && days >= 3650;
2305
+ return {
2306
+ passed,
2307
+ detail: passed
2308
+ ? `AU State Health minor retention ${days}d configured (>= 3650 conservative floor)`
2309
+ : `auStateHealthMinorRetentionDays=${days}`,
2310
+ };
2311
+ });
2312
+ // -- AU pack behavioral validators (Phase 5) --
2313
+ // AU Privacy Act: AU_PI_GOVERNMENT_ID (TFN pattern) -> BLOCK
2314
+ this.register('behavioralValidator_au_privacy_act', runBehavioralCheck('au-privacy-act', 'AU_PI_GOVERNMENT_ID', 'TFN 123 456 789 tax file number australia individual', 'BLOCK'));
2315
+ // AU CDR: AU_CDR_CONSENT_EXPIRED -> BLOCK
2316
+ this.register('behavioralValidator_au_cdr', runBehavioralCheck('au-cdr', 'AU_CDR_CONSENT_EXPIRED', 'CDR consent expired consumer data right consent_expired accreditation AU', 'BLOCK'));
2317
+ // AU CPS 234: AU_CPS234_INCIDENT -> REQUIRE_APPROVAL
2318
+ this.register('behavioralValidator_au_cps234', runBehavioralCheck('au-cps234', 'AU_CPS234_INCIDENT', 'APRA CPS 234 cyber incident information security incident notifiable breach', 'REQUIRE_APPROVAL'));
2319
+ // AU CPS 230: AU_CPS230_OP_INCIDENT -> REQUIRE_APPROVAL
2320
+ this.register('behavioralValidator_au_cps230', runBehavioralCheck('au-cps230', 'AU_CPS230_OP_INCIDENT', 'APRA CPS 230 operational incident disruption material service failure', 'REQUIRE_APPROVAL'));
2321
+ // AU SOCI Act: AU_SOCI_CYBER_INCIDENT -> REQUIRE_APPROVAL
2322
+ this.register('behavioralValidator_au_soci_act', runBehavioralCheck('au-soci-act', 'AU_SOCI_CYBER_INCIDENT', 'SOCI critical infrastructure cyber incident CIRMP sector attack', 'REQUIRE_APPROVAL'));
2323
+ // AU ASIC RG 271: AU_RG271_AI_DECISION -> REQUIRE_APPROVAL
2324
+ this.register('behavioralValidator_au_asic_rg_271', runBehavioralCheck('au-asic-rg-271', 'AU_RG271_AI_DECISION', 'RG 271 AI decision IDR internal dispute resolution financial product complaint', 'REQUIRE_APPROVAL'));
2325
+ // AU DDO: AU_DDO_OUT_OF_TARGET -> BLOCK
2326
+ this.register('behavioralValidator_au_asic_rg_274', runBehavioralCheck('au-asic-rg-274', 'AU_DDO_OUT_OF_TARGET', 'DDO target market determination out of target market retail client distribution obligation', 'BLOCK'));
2327
+ // AU AML/CTF: AU_AML_TIPPING_OFF_RISK -> BLOCK
2328
+ this.register('behavioralValidator_au_aml_ctf', runBehavioralCheck('au-aml-ctf', 'AU_AML_TIPPING_OFF_RISK', 'AML tipping off SMR suspicious matter report AUSTRAC tipping-off prohibited', 'BLOCK'));
2329
+ // AU Spam Act: AU_CEM_UNSUBSCRIBED -> BLOCK
2330
+ this.register('behavioralValidator_au_spam_act', runBehavioralCheck('au-spam-act', 'AU_CEM_UNSUBSCRIBED', 'unsubscribed commercial electronic message email spam Australia CEM opt-out', 'BLOCK'));
2331
+ // AU Online Safety: OSA_CSAM -> BLOCK
2332
+ this.register('behavioralValidator_au_online_safety', runBehavioralCheck('au-online-safety', 'OSA_CSAM', 'CSAM child sexual abuse material online safety eSafety Commissioner Australia', 'BLOCK'));
2333
+ // AU AI Ethics Framework: AU_AI_UNDISCLOSED_USE -> WARN
2334
+ // AU_AI_UNDISCLOSED_USE changed to BLOCK (Task 4 fix, 2026-04-25):
2335
+ // Non-deception (G7) is an absolute obligation -- hiding AI involvement from
2336
+ // affected individuals is deceptive by definition. BLOCK is the correct action.
2337
+ this.register('behavioralValidator_au_aiethics_framework', runBehavioralCheck('au-aiethics-framework', 'AU_AI_UNDISCLOSED_USE', 'AI system undisclosed use automated decision no disclosure Australia DISR', 'BLOCK'));
2338
+ // AU Mandatory AI Guardrails: AU_HIGH_RISK_AI_SETTING -> REQUIRE_APPROVAL
2339
+ this.register('behavioralValidator_au_mandatory_ai_guardrails', runBehavioralCheck('au-mandatory-ai-guardrails', 'AU_HIGH_RISK_AI_SETTING', 'high risk AI setting guardrail DISR mandatory Australia critical decision', 'REQUIRE_APPROVAL'));
2340
+ // AU TGA SaMD: TGA_SAMD_ARTG_STATUS -> BLOCK
2341
+ this.register('behavioralValidator_au_tga_saimd', runBehavioralCheck('au-tga-saimd', 'TGA_SAMD_ARTG_STATUS', 'TGA SaMD ARTG unregistered software medical device therapeutic goods Australia', 'BLOCK'));
2342
+ // AU State Health: STATE_HEALTH_TRANSBORDER_TRANSFER -> BLOCK
2343
+ // X1-disaggregation (2026-04-24): umbrella pack removed; NSW HRIPA is now canonical for
2344
+ // transborder block behavior. This registration kept for backward-compat check ID lookup.
2345
+ this.register('behavioralValidator_au_state_health_privacy', runBehavioralCheck('au-nsw-hripa', 'NSW_HEALTH_TRANSBORDER_TRANSFER', 'NSW HRIPA health information transborder transfer outside Australia HPP 10', 'BLOCK'));
2346
+ // -------------------------------------------------------------------------
2347
+ // X1-disaggregation: NSW HRIPA / VIC HRA / ACT HRPAA standalone checks
2348
+ // -------------------------------------------------------------------------
2349
+ // NSW HRIPA HPP 10 transborder block check
2350
+ this.register('au_nsw_hripa_transborder_block_active', (ctx) => {
2351
+ const dcActive = ctx.activeModules.includes('data-classifier');
2352
+ const action = ctx.packConfig?.['data-classifier']?.nswTransborderBlockEnabled;
2353
+ const passed = dcActive && action === true;
2354
+ return {
2355
+ passed,
2356
+ detail: passed
2357
+ ? 'NSW HRIPA: transborder block active via data-classifier (HPP 10)'
2358
+ : `dcActive=${dcActive}, nswTransborderBlockEnabled=${action}`,
2359
+ };
2360
+ });
2361
+ // NSW HRIPA HPP 14 research ethics check
2362
+ this.register('au_nsw_hripa_research_ethics_active', configFlag('approval-queue', 'auStateHealthResearchEthicsApprovalRequired', 'NSW HRIPA research ethics gate (HPP 14)'));
2363
+ // NSW HRIPA HPP 11 access 30-day check
2364
+ this.register('au_nsw_hripa_access_30d_active', (ctx) => {
2365
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthAccessResponseDays;
2366
+ const passed = typeof days === 'number' && days <= 30;
2367
+ return {
2368
+ passed,
2369
+ detail: passed
2370
+ ? `NSW HRIPA access response ${days}d (<= 30) configured (HPP 11)`
2371
+ : `auStateHealthAccessResponseDays=${days} (need <= 30)`,
2372
+ };
2373
+ });
2374
+ // NSW HRIPA HPP 5 collection notice check
2375
+ this.register('au_nsw_hripa_collection_notice_active', configFlag('transparency-injector', 'auStateHealthCollectionNoticeEnabled', 'NSW HRIPA collection notice (HPP 5)'));
2376
+ // NSW HRIPA HPP 10 server location check
2377
+ this.register('au_nsw_hripa_server_location_active', configFlag('supply-chain', 'auStateHealthServerLocationAustralia', 'NSW HRIPA server location confirmation (HPP 10)'));
2378
+ // NSW HRIPA HPP 12 correction 30-day check
2379
+ this.register('au_nsw_hripa_correction_30d_active', (ctx) => {
2380
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthCorrectionResponseDays;
2381
+ const passed = typeof days === 'number' && days <= 30;
2382
+ return {
2383
+ passed,
2384
+ detail: passed
2385
+ ? `NSW HRIPA correction response ${days}d configured (HPP 12)`
2386
+ : `auStateHealthCorrectionResponseDays=${days} (need <= 30)`,
2387
+ };
2388
+ });
2389
+ // NSW HRIPA Regulation 2017 minor retention check
2390
+ this.register('au_nsw_hripa_minor_retention_active', (ctx) => {
2391
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMinorRetentionDays;
2392
+ const passed = typeof days === 'number' && days >= 3650;
2393
+ return {
2394
+ passed,
2395
+ detail: passed
2396
+ ? `NSW HRIPA minor retention ${days}d (>= 3650) configured`
2397
+ : `auStateHealthMinorRetentionDays=${days}`,
2398
+ };
2399
+ });
2400
+ // VIC HRA HPP 2.2 research ethics check
2401
+ this.register('au_vic_hra_research_ethics_active', configFlag('approval-queue', 'vicResearchEthicsConfirmationRequired', 'VIC HRA research ethics gate (HPP 2.2)'));
2402
+ // VIC HRA 25-year mental health retention check
2403
+ this.register('au_vic_hra_mental_health_retention_active', (ctx) => {
2404
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMentalHealthRetentionDays;
2405
+ const passed = typeof days === 'number' && days >= 9125; // 25 years
2406
+ return {
2407
+ passed,
2408
+ detail: passed
2409
+ ? `VIC HRA mental health retention ${days}d (>= 9125) configured [CITATION TO VERIFY]`
2410
+ : `auStateHealthMentalHealthRetentionDays=${days} (need >= 9125 for 25y)`,
2411
+ };
2412
+ });
2413
+ // VIC HRA HPP 6 access 30-day check
2414
+ this.register('au_vic_hra_access_30d_active', (ctx) => {
2415
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthAccessResponseDays;
2416
+ const passed = typeof days === 'number' && days <= 30;
2417
+ return {
2418
+ passed,
2419
+ detail: passed
2420
+ ? `VIC HRA access response ${days}d (<= 30) configured (HPP 6)`
2421
+ : `auStateHealthAccessResponseDays=${days} (need <= 30)`,
2422
+ };
2423
+ });
2424
+ // VIC HRA HPP 1 collection notice check
2425
+ this.register('au_vic_hra_collection_notice_active', configFlag('transparency-injector', 'auStateHealthCollectionNoticeEnabled', 'VIC HRA collection notice (HPP 1)'));
2426
+ // VIC HRA HPP 7 correction 30-day check
2427
+ this.register('au_vic_hra_correction_30d_active', (ctx) => {
2428
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthCorrectionResponseDays;
2429
+ const passed = typeof days === 'number' && days <= 30;
2430
+ return {
2431
+ passed,
2432
+ detail: passed
2433
+ ? `VIC HRA correction response ${days}d configured (HPP 7)`
2434
+ : `auStateHealthCorrectionResponseDays=${days} (need <= 30)`,
2435
+ };
2436
+ });
2437
+ // VIC HRA minor retention check
2438
+ this.register('au_vic_hra_minor_retention_active', (ctx) => {
2439
+ const days = ctx.packConfig?.['session-persistence']?.auStateHealthMinorRetentionDays;
2440
+ const passed = typeof days === 'number' && days >= 3650;
2441
+ return {
2442
+ passed,
2443
+ detail: passed
2444
+ ? `VIC HRA minor retention ${days}d (>= 3650) configured`
2445
+ : `auStateHealthMinorRetentionDays=${days}`,
2446
+ };
2447
+ });
2448
+ // ACT HRPAA s.7 access 30-day check (CRITICAL -- positive right)
2449
+ this.register('au_act_hrpaa_access_30d_active', (ctx) => {
2450
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthAccessResponseDays;
2451
+ const passed = typeof days === 'number' && days <= 30;
2452
+ return {
2453
+ passed,
2454
+ detail: passed
2455
+ ? `ACT HRPAA s.7 access response ${days}d (<= 30) configured`
2456
+ : `auStateHealthAccessResponseDays=${days} (need <= 30 for HRPAA s.7)`,
2457
+ };
2458
+ });
2459
+ // ACT HRPAA HPP 5 collection notice check
2460
+ this.register('au_act_hrpaa_collection_notice_active', configFlag('transparency-injector', 'auStateHealthCollectionNoticeEnabled', 'ACT HRPAA collection notice (HPP 5)'));
2461
+ // ACT HRPAA HPP 10 data security check
2462
+ this.register('au_act_hrpaa_data_security_active', (ctx) => {
2463
+ const passed = ctx.activeModules.includes('encryption-layer');
2464
+ return {
2465
+ passed,
2466
+ detail: passed
2467
+ ? 'ACT HRPAA HPP 10: encryption-layer active'
2468
+ : 'encryption-layer not active (ACT HRPAA HPP 10 data security)',
2469
+ };
2470
+ });
2471
+ // ACT HRPAA HPP 7 correction 30-day check
2472
+ this.register('au_act_hrpaa_correction_30d_active', (ctx) => {
2473
+ const days = ctx.packConfig?.['governance-runtime']?.auStateHealthCorrectionResponseDays;
2474
+ const passed = typeof days === 'number' && days <= 30;
2475
+ return {
2476
+ passed,
2477
+ detail: passed
2478
+ ? `ACT HRPAA correction response ${days}d configured (HPP 7)`
2479
+ : `auStateHealthCorrectionResponseDays=${days} (need <= 30)`,
2480
+ };
2481
+ });
2482
+ // ACT HRPAA 7-year retention check
2483
+ this.register('au_act_hrpaa_retention_7y_active', (ctx) => {
2484
+ const days = ctx.packConfig?.['session-persistence']?.auActHealthRetentionDays
2485
+ ?? ctx.evidence?.auActHealthRetentionDays;
2486
+ // Accept either explicit config or the pack's auditLogRetentionDays floor (2555)
2487
+ const passed = typeof days === 'number' && days >= 2555;
2488
+ return {
2489
+ passed,
2490
+ detail: passed
2491
+ ? `ACT HRPAA 7y retention ${days}d (>= 2555) configured`
2492
+ : `auActHealthRetentionDays=${days} (need >= 2555 for 7y)`,
2493
+ };
2494
+ });
2495
+ // Behavioral validators for three disaggregated packs
2496
+ // NSW HRIPA: NSW_HEALTH_TRANSBORDER_TRANSFER -> BLOCK
2497
+ this.register('behavioralValidator_au_nsw_hripa', runBehavioralCheck('au-nsw-hripa', 'NSW_HEALTH_TRANSBORDER_TRANSFER', 'NSW HRIPA transborder transfer health information outside NSW HPP 10', 'BLOCK'));
2498
+ // VIC HRA: VIC_HEALTH_RESEARCH_USE -> REQUIRE_APPROVAL
2499
+ this.register('behavioralValidator_au_vic_hra', runBehavioralCheck('au-vic-hra', 'VIC_HEALTH_RESEARCH_USE', 'VIC HRA research secondary analysis victoria health patient data HPP 2.2', 'REQUIRE_APPROVAL'));
2500
+ // ACT HRPAA: ACT_HEALTH_ACCESS_REQUEST -> REQUIRE_APPROVAL
2501
+ this.register('behavioralValidator_au_act_hrpaa', runBehavioralCheck('au-act-hrpaa', 'ACT_HEALTH_ACCESS_REQUEST', 'ACT HRPAA s.7 health record access request canberra australian capital territory 30 day', 'REQUIRE_APPROVAL'));
2502
+ // -- BATCH-01 FINRA 3110 specific checks (2026-04-25) --
2503
+ this.register('finra_wsp_enforcement_active', configFlag('governance-runtime', 'wspEnforcementRequired', 'FINRA WSP enforcement'));
2504
+ this.register('finra_principal_review_active', configFlag('approval-queue', 'principalReviewForCustomerCommunicationsRequired', 'FINRA principal review for customer communications'));
2505
+ this.register('finra_worm_records_active', configFlag('audit-integrity', 'wormCompliantRequired', 'FINRA WORM-compliant records (Exchange Act Rule 17a-4(f))'));
2506
+ this.register('finra_annual_certification_active', configFlag('attestation-manager', 'annualPrincipalCertificationRequired', 'FINRA Rule 3120 annual principal certification'));
2507
+ this.register('finra_4530_reporting_active', configFlag('event-bus', 'rule4530EventDetectionActive', 'FINRA Rule 4530 event detection and 30-day reporting'));
2508
+ // -- BATCH-01 EU LPP specific checks (2026-04-25) --
2509
+ this.register('eu_lpp_bar_membership_active', configFlag('governance-runtime', 'externalBarMembershipVerificationRequired', 'EU/EEA Bar membership verification (Akzo Nobel)'));
2510
+ this.register('eu_lpp_inhouse_flagging_active', configFlag('governance-runtime', 'inHouseCounselFlaggingRequired', 'In-house counsel flagged as unprotected (Akzo Nobel)'));
2511
+ this.register('eu_lpp_third_country_analysis_active', configFlag('governance-runtime', 'thirdCountryCounselAnalysisRequired', 'Third-country counsel privilege analysis'));
2512
+ // -- BATCH-01 ISO 20022 specific checks (2026-04-25) --
2513
+ this.register('iso20022_schema_validation_active', configFlag('governance-runtime', 'iso20022SchemaValidationRequired', 'ISO 20022 XML schema validation'));
2514
+ this.register('iso20022_mx_format_active', configFlag('governance-runtime', 'mxMessageFormatRequired', 'ISO 20022 MX format (SWIFT CBPR+ mandatory)'));
2515
+ this.register('iso20022_structured_remittance_active', configFlag('governance-runtime', 'structuredRemittanceDataPreservationRequired', 'ISO 20022 structured remittance data preservation'));
2516
+ this.register('iso20022_duplicate_detection_active', configFlag('anomaly-detector', 'paymentDuplicateDetectionActive', 'ISO 20022 duplicate payment detection'));
2517
+ // F-NEW-VERA-PACK-C5-05 (2026-05-03): renamed checks replacing borrowed attestation_active and post_market_monitoring.
2518
+ // BIC/LEI validation is a data-classifier config gate; payment misrouting detection is anomaly-detector presence.
2519
+ this.register('iso20022_bic_lei_validation_active', configFlag('data-classifier', 'bicLeiValidationRequired', 'ISO 20022 BIC/LEI structured agent field validation'));
2520
+ this.register('iso20022_misrouting_detection_active', modulePresence('anomaly-detector'));
2521
+ // -- BATCH-01 EU MDR/IVDR specific checks (2026-04-25) --
2522
+ this.register('eu_mdr_ivdr_qualification_active', configFlag('governance-runtime', 'softwareQualificationAssessmentRequired', 'EU MDR/IVDR software qualification assessment (MDCG 2019-16)'));
2523
+ this.register('eu_mdr_ivdr_eudamed_active', configFlag('attestation-manager', 'eudamedRegistrationRequired', 'EUDAMED registration + UDI management'));
2524
+ this.register('eu_mdr_ivdr_clinical_evaluation_active', configFlag('attestation-manager', 'postMarketSurveillancePlanRequired', 'Clinical/performance evaluation report current'));
2525
+ // Behavioral validators for BATCH-01 packs (2026-04-25)
2526
+ // FINRA 3110: SUPERVISORY_RECORDS -> WARN
2527
+ this.register('behavioralValidator_finra_3110', runBehavioralCheck('finra-3110', 'SUPERVISORY_RECORDS', 'Written supervisory procedure WSP principal review branch office inspection', 'WARN'));
2528
+ // EU LPP: EU_PRIVILEGED -> BLOCK
2529
+ this.register('behavioralValidator_eu_lpp', runBehavioralCheck('eu-lpp', 'EU_PRIVILEGED', 'External counsel avocat legally privileged EU Commission investigation right of defence', 'BLOCK'));
2530
+ // UK GDPR: SPECIAL_CATEGORY -> BLOCK
2531
+ this.register('behavioralValidator_uk_gdpr', runBehavioralCheck('uk-gdpr', 'SPECIAL_CATEGORY', 'Patient is HIV positive religion Muslim biometric facial recognition data', 'BLOCK'));
2532
+ // ISO 20022: PAYMENT_MESSAGE -> WARN
2533
+ this.register('behavioralValidator_iso20022', runBehavioralCheck('iso20022', 'PAYMENT_MESSAGE', 'pacs.008 MX message BizMsgIdr IBAN GB29NWBK60161331926819', 'WARN'));
2534
+ // EU MDR/IVDR: CLINICAL_EVALUATION_DATA -> WARN
2535
+ this.register('behavioralValidator_eu_mdr_ivdr', runBehavioralCheck('eu-mdr-ivdr', 'CLINICAL_EVALUATION_DATA', 'Clinical evaluation report CER clinical investigation PMCF post-market clinical follow-up', 'WARN'));
2536
+ // -- BATCH-02 + BATCH-03 shared check primitives (2026-04-25) --
2537
+ // event_clock_active: verifies event-bus module is present and clock-tracking config active.
2538
+ // Referenced by: reg-e (error-resolution clocks), illinois-aivia (30-day deletion clock),
2539
+ // maryland-hb1202 (consent-withdrawal halt), california-ab2930 (annual/complaint clocks).
2540
+ this.register('event_clock_active', (ctx) => {
2541
+ const hasEventBus = ctx.activeModules.includes('event-bus');
2542
+ if (!hasEventBus) {
2543
+ return { passed: false, detail: 'event-bus module not active; event clock enforcement unavailable' };
2544
+ }
2545
+ return { passed: true, detail: 'event-bus module active; event clock enforcement available' };
2546
+ });
2547
+ // -- BATCH-02 ISO 27701 specific checks (2026-04-25) --
2548
+ // ISO 27701 reuses existing check IDs: gdpr_ropa_active, gdpr_lawful_basis_active,
2549
+ // data_classifier_active, encryption_active, gdpr_dpia_active,
2550
+ // gdpr_purpose_limitation_active, gdpr_breach_72h_active,
2551
+ // subservice_registry_active, rbac_active, transparency_active.
2552
+ // All of those are already registered. No new pack-specific checks needed.
2553
+ // -- BATCH-02 Reg E specific checks (2026-04-25) --
2554
+ // Reg E reuses: transparency_active, event_clock_active, approval_queue_active,
2555
+ // audit_trail_exists, data_classifier_active, governance_active,
2556
+ // rbac_active, subservice_registry_active (all pre-existing).
2557
+ // F-NEW-VERA-PACK-C5-01 (2026-05-03): replaced foreign-pack check strings
2558
+ // finra_wsp_enforcement_active and gdpr_article22_active with Reg-E-namespaced
2559
+ // checks that read from the Reg E moduleConfig keys actually present.
2560
+ this.register('reg_e_prepaid_disclosure_active', configFlag('governance-runtime', 'prepaidDisclosureRequired', 'Reg E prepaid account disclosure (§1005.18(b))'));
2561
+ this.register('reg_e_provisional_credit_active', configFlag('approval-queue', 'provisionalCreditAuthorizationRequired', 'Reg E provisional credit authorization (§1005.11(c)(2))'));
2562
+ // -- BATCH-03 Employment AI specific checks (2026-04-25) --
2563
+ // Illinois AIVIA reuses: transparency_active, gdpr_lawful_basis_active,
2564
+ // event_clock_active, audit_trail_exists, finra_annual_certification_active,
2565
+ // data_classifier_active, subservice_registry_active, rbac_active,
2566
+ // encryption_active, gdpr_article22_active.
2567
+ // Maryland HB 1202 reuses: gdpr_lawful_basis_active, transparency_active,
2568
+ // event_clock_active, audit_trail_exists, data_classifier_active,
2569
+ // subservice_registry_active, rbac_active, encryption_active,
2570
+ // gdpr_article22_active, finra_worm_records_active.
2571
+ // California AB 2930 reuses: gdpr_dpia_active, transparency_active,
2572
+ // gdpr_article22_active, audit_trail_exists, finra_annual_certification_active,
2573
+ // post_market_monitoring, data_classifier_active, subservice_registry_active,
2574
+ // rbac_active, encryption_active, event_clock_active.
2575
+ // Behavioral validators for BATCH-02 packs (2026-04-25)
2576
+ // ISO 27701: PII_CONTROLLER_DATA -> WARN (processing purpose + data subject request signal)
2577
+ this.register('behavioralValidator_iso27701', runBehavioralCheck('iso27701', 'PII_CONTROLLER_DATA', 'processing purpose consent record ROPA record of processing activities lawful basis DPIA data subject request', 'WARN'));
2578
+ // Reg E: ERROR_RESOLUTION_RECORD -> WARN (error resolution / unauthorized transfer signal)
2579
+ this.register('behavioralValidator_reg_e', runBehavioralCheck('reg-e', 'ERROR_RESOLUTION_RECORD', 'error resolution unauthorized transfer EFT dispute Reg E claim 10 business days provisional credit 45 business days', 'WARN'));
2580
+ // Behavioral validators for BATCH-03 packs (2026-04-25)
2581
+ // Illinois AIVIA: VIDEO_INTERVIEW_RECORDING -> WARN
2582
+ this.register('behavioralValidator_illinois_aivia', runBehavioralCheck('illinois-aivia', 'VIDEO_INTERVIEW_RECORDING', 'video interview recorded interview async interview one-way video interview recording', 'WARN'));
2583
+ // Maryland HB 1202: CANDIDATE_CONSENT -> WARN (consent record detection; FR blocking is runtime-enforced)
2584
+ this.register('behavioralValidator_maryland_hb1202', runBehavioralCheck('maryland-hb1202', 'CANDIDATE_CONSENT', 'FR consent facial recognition consent face recognition consent Maryland HB 1202 biometric consent form', 'WARN'));
2585
+ // California AB 2930: AUTOMATED_DECISION_TOOL_OUTPUT -> WARN
2586
+ this.register('behavioralValidator_california_ab2930', runBehavioralCheck('california-ab2930', 'AUTOMATED_DECISION_TOOL_OUTPUT', 'automated decision tool ADT algorithmic decision AI decision recommendation scoring ranking consequential', 'WARN'));
2587
+ // -- BATCH-04 behavioral validators (2026-04-25) --
2588
+ // FCA Consumer Duty: RETAIL_CUSTOMER_DATA -> WARN
2589
+ this.register('behavioralValidator_fca_consumer_duty', runBehavioralCheck('fca-consumer-duty', 'RETAIL_CUSTOMER_DATA', 'retail customer consumer data consumer duty outcome FCA Principle 12 target market', 'WARN'));
2590
+ // CMS Interoperability: PATIENT_CLINICAL_DATA_FHIR -> WARN
2591
+ this.register('behavioralValidator_cms_interoperability', runBehavioralCheck('cms-interoperability', 'PATIENT_CLINICAL_DATA_FHIR', 'fhir r4 patient access api US Core SMART on FHIR clinical data bundle observation', 'WARN'));
2592
+ // Singapore Model AI Gov: AI_DECISION_RECORD -> WARN
2593
+ this.register('behavioralValidator_sg_model_ai_gov', runBehavioralCheck('sg-model-ai-gov', 'AI_DECISION_RECORD', 'ai decision record PDPC decision matrix algorithmic decision singapore automated recommendation', 'WARN'));
2594
+ // -- BATCH-05 behavioral validators (2026-04-25) --
2595
+ // NIS2: INCIDENT_NOTIFICATION_RECORD -> WARN
2596
+ this.register('behavioralValidator_nis2', runBehavioralCheck('nis2', 'INCIDENT_NOTIFICATION_RECORD', 'nis2 incident significant incident CSIRT notification 24 hour early warning 72 hour operational disruption', 'WARN'));
2597
+ // India DPDP: DIGITAL_PERSONAL_DATA_INDIA -> WARN
2598
+ this.register('behavioralValidator_in_dpdp', runBehavioralCheck('in-dpdp', 'DIGITAL_PERSONAL_DATA_INDIA', 'digital personal data india data principal DPDP aadhaar number india personal data', 'WARN'));
2599
+ // -- BATCH-06 first-half specific checks (2026-04-25) --
2600
+ // -- UK AI Framework specific checks --
2601
+ this.register('uk_ai_principle1_safety_gate_active', configFlag('governance-runtime', 'principle1SafetyGateRequired', 'UK AI Framework Principle 1 safety gate'));
2602
+ this.register('uk_ai_principle2_transparency_active', configFlag('transparency-injector', 'principle2TransparencyRequired', 'UK AI Framework Principle 2 transparency'));
2603
+ this.register('uk_ai_principle3_fairness_active', configFlag('bias-monitor', 'principle3FairnessMonitoringRequired', 'UK AI Framework Principle 3 fairness monitoring'));
2604
+ this.register('uk_ai_principle4_accountability_active', configFlag('attestation-manager', 'principleConformanceDocumentationRequired', 'UK AI Framework Principle 4 accountability'));
2605
+ this.register('uk_ai_principle5_contestability_active', configFlag('approval-queue', 'principle5ContestabilityRequired', 'UK AI Framework Principle 5 contestability'));
2606
+ // -- FCA Operational Resilience specific checks --
2607
+ this.register('fca_or_ibs_identification_active', configFlag('governance-runtime', 'ibsDisruptionDetectionRequired', 'FCA Op Resilience IBS disruption detection'));
2608
+ this.register('fca_or_impact_tolerance_active', configFlag('attestation-manager', 'ibsImpactToleranceDocumentationRequired', 'FCA Op Resilience impact tolerance documentation'));
2609
+ this.register('fca_or_board_attestation_active', configFlag('attestation-manager', 'boardAnnualAttestationRequired', 'FCA Op Resilience board annual attestation'));
2610
+ this.register('fca_or_third_party_active', configFlag('supply-chain', 'thirdPartyDependencyMappingRequired', 'FCA Op Resilience third-party dependency mapping'));
2611
+ this.register('fca_or_scenario_testing_active', configFlag('attestation-manager', 'scenarioTestRetentionYears', 'FCA Op Resilience scenario test retention'));
2612
+ // -- German BDSG specific checks --
2613
+ this.register('de_bdsg_works_council_gate_active', configFlag('approval-queue', 'worksCouncilConsultationGateRequired', 'BDSG BetrVG §87(1) No.6 works council gate'));
2614
+ this.register('de_bdsg_purpose_limitation_active', configFlag('governance-runtime', 'bdsg26PurposeLimitationRequired', 'BDSG §26 employee data purpose limitation'));
2615
+ this.register('de_bdsg_dpo_designation_active', configFlag('governance-runtime', 'germanDpoDesignationCheckRequired', 'BDSG §38 DPO designation check'));
2616
+ this.register('de_bdsg_video_surveillance_active', configFlag('transparency-injector', 'aiUseDisclosureRequired', 'BDSG §4 video surveillance disclosure'));
2617
+ this.register('de_bdsg_special_category_active', (ctx) => {
2618
+ const action = ctx.packConfig?.['data-classifier']?.specialCategoryEmployeeDataAction;
2619
+ const passed = action === 'BLOCK';
2620
+ return {
2621
+ passed,
2622
+ detail: passed
2623
+ ? 'BDSG §26(3) special category employee data action = BLOCK configured'
2624
+ : `specialCategoryEmployeeDataAction=${action} (expected BLOCK)`,
2625
+ };
2626
+ });
2627
+ // -- Texas HB4 specific checks --
2628
+ this.register('tx_hb4_sensitive_data_opt_in_active', configFlag('governance-runtime', 'sensitiveDataOptInRequired', 'Texas TDPSA sensitive data opt-in gate'));
2629
+ this.register('tx_hb4_biometric_consent_active', configFlag('governance-runtime', 'biometricAdditionalConsentRequired', 'Texas TDPSA biometric additional consent'));
2630
+ this.register('tx_hb4_child_data_gate_active', configFlag('governance-runtime', 'childDataParentalConsentRequired', 'Texas TDPSA child data parental consent'));
2631
+ this.register('tx_hb4_dpia_active', configFlag('approval-queue', 'dpiaReviewRequired', 'Texas TDPSA DPIA review required'));
2632
+ this.register('tx_hb4_privacy_notice_active', configFlag('transparency-injector', 'tdpsaPrivacyNoticeRequired', 'Texas TDPSA privacy notice'));
2633
+ this.register('tx_hb4_opt_out_active', configFlag('session-persistence', 'optOutPersistenceRequired', 'Texas TDPSA opt-out persistence'));
2634
+ // -- Utah AI Policy specific checks --
2635
+ this.register('utah_ai_disclosure_when_asked_active', configFlag('transparency-injector', 'generativeAiDisclosureWhenAskedRequired', 'Utah AI Policy Act disclosure when asked'));
2636
+ this.register('utah_ai_regulated_occupation_disclosure_active', configFlag('transparency-injector', 'regulatedOccupationAffirmativeDisclosureRequired', 'Utah AI Policy Act regulated occupation affirmative disclosure'));
2637
+ this.register('utah_ai_occupation_classification_active', configFlag('attestation-manager', 'regulatedOccupationRegisterRequired', 'Utah AI Policy Act occupation classification register'));
2638
+ this.register('utah_ai_liability_attribution_active', configFlag('governance-runtime', 'liabilityAttributionTrackingRequired', 'Utah AI Policy Act liability attribution tracking'));
2639
+ this.register('utah_ai_learning_lab_active', configFlag('attestation-manager', 'learningLabParticipationRecordsRequired', 'Utah AI Policy Act Learning Lab records'));
2640
+ // -- BATCH-06 behavioral validators (2026-04-25) --
2641
+ // UK AI Framework: PRINCIPLE_CONFORMANCE_EVIDENCE -> WARN
2642
+ this.register('behavioralValidator_uk_ai_framework', runBehavioralCheck('uk-ai-framework', 'PRINCIPLE_CONFORMANCE_EVIDENCE', 'uk ai framework principle conformance accountability governance safety DSIT cross-sectoral principle evidence', 'WARN'));
2643
+ // FCA Op Resilience: IMPACT_TOLERANCE_RECORD -> WARN
2644
+ this.register('behavioralValidator_fca_op_resilience', runBehavioralCheck('fca-op-resilience', 'IMPACT_TOLERANCE_RECORD', 'impact tolerance FCA PS21/3 important business service maximum tolerable disruption operational resilience', 'WARN'));
2645
+ // German BDSG: WORKS_COUNCIL_CONSULTATION_RECORD -> WARN
2646
+ this.register('behavioralValidator_de_bdsg', runBehavioralCheck('de-bdsg', 'WORKS_COUNCIL_CONSULTATION_RECORD', 'betriebsrat BetrVG works council codetermination Betriebsvereinbarung employee monitoring AI BDSG', 'WARN'));
2647
+ // Texas HB4: SENSITIVE_PERSONAL_DATA_TEXAS -> BLOCK
2648
+ this.register('behavioralValidator_texas_hb4', runBehavioralCheck('texas-hb4', 'SENSITIVE_PERSONAL_DATA_TEXAS', 'sensitive data texas TDPSA HB4 health condition immigration status religious beliefs texas resident', 'BLOCK'));
2649
+ // Utah AI Policy: REGULATED_OCCUPATION_AI_USE -> WARN
2650
+ this.register('behavioralValidator_utah_ai_policy', runBehavioralCheck('utah-ai-policy', 'REGULATED_OCCUPATION_AI_USE', 'utah regulated occupation ai disclosure medical legal mental health utah SB149 licensed professional affirmative disclosure', 'WARN'));
2651
+ // -- BATCH-06b behavioral validators (2026-04-25): Tennessee ELVIS + JP APPI + KR PIPA + NZ Privacy --
2652
+ // Tennessee ELVIS Act: VOICE_BIOMETRIC_RECORD -> BLOCK (no consent = blocked)
2653
+ this.register('behavioralValidator_tennessee_elvis', runBehavioralCheck('tennessee-elvis', 'VOICE_BIOMETRIC_RECORD', 'voice clone voice cloning AI voice biometric Tennessee ELVIS Act TCA §47-25 voice synthesis synthetic voice deepfake voice', 'BLOCK'));
2654
+ // Japan APPI: SPECIAL_CARE_REQUIRED_PERSONAL_INFORMATION -> BLOCK
2655
+ this.register('behavioralValidator_jp_appi', runBehavioralCheck('jp-appi', 'SPECIAL_CARE_REQUIRED_PERSONAL_INFORMATION', 'yohairyo special care required personal information japan APPI sensitive data medical history criminal record race creed disability', 'BLOCK'));
2656
+ // South Korea PIPA: SENSITIVE_INFORMATION_KOREA -> BLOCK
2657
+ this.register('behavioralValidator_kr_pipa', runBehavioralCheck('kr-pipa', 'SENSITIVE_INFORMATION_KOREA', 'mingam jeongbo sensitive information korea PIPA ideology belief union membership health genetic criminal biometric template', 'BLOCK'));
2658
+ // New Zealand Privacy Act: CROSS_BORDER_DISCLOSURE_NZ -> WARN (IPP 13 comparable safeguards)
2659
+ this.register('behavioralValidator_nz_privacy', runBehavioralCheck('nz-privacy', 'CROSS_BORDER_DISCLOSURE_NZ', 'IPP 13 transborder data flow new zealand NZ cross-border disclosure comparable safeguards privacy act 2020 overseas transfer', 'WARN'));
2660
+ // -- Tennessee ELVIS specific checks --
2661
+ this.register('tennessee_elvis_voice_consent_gate_active', configFlag('governance-runtime', 'voiceCloningConsentGateRequired', 'Tennessee ELVIS Act voice consent hard gate'));
2662
+ this.register('tennessee_elvis_likeness_consent_gate_active', configFlag('governance-runtime', 'likenessCloningConsentGateRequired', 'Tennessee ELVIS Act likeness consent hard gate'));
2663
+ this.register('tennessee_elvis_consent_separability_active', configFlag('attestation-manager', 'consentSeparabilityDocumentationRequired', 'Tennessee ELVIS Act consent separability documentation'));
2664
+ this.register('tennessee_elvis_ai_disclosure_active', configFlag('transparency-injector', 'aiGeneratedContentDisclosureRequired', 'Tennessee ELVIS Act AI-generated content disclosure'));
2665
+ this.register('tennessee_elvis_statutory_damages_active', configFlag('governance-runtime', 'statutoryDamagesTrackingRequired', 'Tennessee ELVIS Act statutory damages tracking'));
2666
+ // -- Japan APPI specific checks --
2667
+ this.register('jp_appi_purpose_gate_active', configFlag('governance-runtime', 'purposeSpecificationGateRequired', 'Japan APPI purpose specification gate'));
2668
+ this.register('jp_appi_special_care_opt_in_active', configFlag('governance-runtime', 'specialCareRequiredOptInGateRequired', 'Japan APPI special care-required data opt-in gate'));
2669
+ this.register('jp_appi_cross_border_adequacy_active', configFlag('governance-runtime', 'crossBorderTransferAdequacyCheckRequired', 'Japan APPI cross-border transfer adequacy check'));
2670
+ this.register('jp_appi_third_party_transfer_records_active', configFlag('attestation-manager', 'thirdPartyTransferRecordLifecycleRequired', 'Japan APPI third-party transfer records lifecycle'));
2671
+ this.register('jp_appi_purpose_disclosure_active', configFlag('transparency-injector', 'purposeOfUsePublicDisclosureRequired', 'Japan APPI purpose of use public disclosure'));
2672
+ // -- South Korea PIPA specific checks --
2673
+ this.register('kr_pipa_sensitive_separate_consent_active', configFlag('governance-runtime', 'sensitiveInformationSeparateConsentGateRequired', 'Korea PIPA sensitive information separate consent gate'));
2674
+ this.register('kr_pipa_rrn_statutory_basis_active', configFlag('governance-runtime', 'rrnStatutoryBasisGateRequired', 'Korea PIPA RRN statutory basis hard gate'));
2675
+ this.register('kr_pipa_automated_decision_objection_active', configFlag('governance-runtime', 'automatedDecisionObjectionWorkflowRequired', 'Korea PIPA 2023 automated decision objection workflow'));
2676
+ this.register('kr_pipa_cross_border_gate_active', configFlag('approval-queue', 'crossBorderTransferGateRequired', 'Korea PIPA cross-border transfer gate'));
2677
+ this.register('kr_pipa_cpo_designation_active', configFlag('attestation-manager', 'cpoDesignationRequired', 'Korea PIPA CPO mandatory designation'));
2678
+ // F-NEW-VERA-PACK-C3-01 (2026-05-03): dedicated portability check replacing borrowed bias_monitor_active.
2679
+ // PIPA Art. 35-2 (2023 amendment) data portability requires session-persistence to track portability
2680
+ // request state across the statutory response window, and approval-queue for human confirmation
2681
+ // before exporting personal information to a third party on behalf of the data subject.
2682
+ this.register('kr_pipa_portability_active', (ctx) => {
2683
+ const sessionPersistenceActive = ctx.activeModules.includes('session-persistence');
2684
+ const approvalQueueActive = ctx.activeModules.includes('approval-queue');
2685
+ const passed = sessionPersistenceActive && approvalQueueActive;
2686
+ return {
2687
+ passed,
2688
+ detail: passed
2689
+ ? 'PIPA Art. 35-2 portability workflow active: session-persistence + approval-queue both present'
2690
+ : `PIPA Art. 35-2 portability workflow incomplete: session-persistence=${sessionPersistenceActive}, approval-queue=${approvalQueueActive}`,
2691
+ };
2692
+ });
2693
+ // -- New Zealand Privacy Act 2020 specific checks --
2694
+ this.register('nz_privacy_ipp13_comparable_safeguards_active', configFlag('governance-runtime', 'ipp13ComparableSafeguardsCheckRequired', 'NZ Privacy Act IPP 13 comparable safeguards check'));
2695
+ this.register('nz_privacy_extra_territorial_active', configFlag('governance-runtime', 'extraTerritorialNzFlagRequired', 'NZ Privacy Act extra-territorial applicability flag'));
2696
+ // F-NEW-VERA-PACK-C3-02: corrected from nprsBranchNotificationOpcRequired (typo);
2697
+ // NPBR = Notifiable Privacy Breach Reporting per NZ Privacy Act 2020 s.114.
2698
+ this.register('nz_privacy_npbr_active', configFlag('event-bus', 'npbrNotificationOpcRequired', 'NZ Privacy Act NPBR OPC notification'));
2699
+ this.register('nz_privacy_ipp3_collection_notice_active', configFlag('transparency-injector', 'ipp3CollectionNoticeRequired', 'NZ Privacy Act IPP 3 collection notice'));
2700
+ this.register('nz_privacy_agency_compliance_active', configFlag('attestation-manager', 'privacyManagementFrameworkRequired', 'NZ Privacy Act Privacy Management Framework'));
2701
+ // -- FDA 21 CFR Part 56 (IRB Regulations) specific checks --
2702
+ // 56.107(a): >= 5 members, varying backgrounds, scientific + nonscientific + unaffiliated
2703
+ this.register('fda_irb_roster_composition_active', (ctx) => {
2704
+ const am = ctx.packConfig?.['attestation-manager'];
2705
+ const minCount = am?.minimumIrbMemberCount;
2706
+ const rosterAttested = am?.irbRosterCompositionAttestationRequired === true;
2707
+ const memberRecords = am?.memberQualificationRecordsRequired === true;
2708
+ const affiliationDeclared = am?.affiliationDeclarationRequired === true;
2709
+ const passed = rosterAttested && memberRecords && affiliationDeclared &&
2710
+ typeof minCount === 'number' && minCount >= 5;
2711
+ return {
2712
+ passed,
2713
+ detail: passed
2714
+ ? `IRB roster composition configured: >= ${minCount} members, qualification records required, affiliation declarations required (21 CFR 56.107(a))`
2715
+ : `IRB roster configuration incomplete: rosterAttested=${rosterAttested}, memberRecords=${memberRecords}, affiliationDeclared=${affiliationDeclared}, minimumIrbMemberCount=${minCount} (need >= 5)`,
2716
+ };
2717
+ });
2718
+ // 56.108(c): majority quorum including at least one nonscientific member
2719
+ this.register('fda_irb_quorum_active', (ctx) => {
2720
+ const gr = ctx.packConfig?.['governance-runtime'];
2721
+ const majorityRequired = gr?.irbQuorumMajorityRequired === true;
2722
+ const nonscientificRequired = gr?.irbQuorumNonscientificMemberRequired === true;
2723
+ const passed = majorityRequired && nonscientificRequired;
2724
+ return {
2725
+ passed,
2726
+ detail: passed
2727
+ ? 'IRB quorum rules configured: majority presence required + nonscientific member required (21 CFR 56.108(c))'
2728
+ : `IRB quorum configuration incomplete: majorityRequired=${majorityRequired}, nonscientificMemberRequired=${nonscientificRequired}`,
2729
+ };
2730
+ });
2731
+ // 56.107(e): conflict-of-interest recusal enforcement
2732
+ this.register('fda_irb_conflict_of_interest_active', (ctx) => {
2733
+ const gr = ctx.packConfig?.['governance-runtime'];
2734
+ const aq = ctx.packConfig?.['approval-queue'];
2735
+ const runtimeRecusal = gr?.conflictOfInterestRecusalActive === true;
2736
+ const queueRecusal = aq?.conflictOfInterestRecusalEnforced === true;
2737
+ const am = ctx.packConfig?.['attestation-manager'];
2738
+ const coiAcknowledgment = am?.conflictOfInterestAcknowledgmentRequired === true;
2739
+ const passed = runtimeRecusal && queueRecusal && coiAcknowledgment;
2740
+ return {
2741
+ passed,
2742
+ detail: passed
2743
+ ? 'Conflict-of-interest recusal enforced at governance-runtime, approval-queue, and attestation-manager (21 CFR 56.107(e))'
2744
+ : `COI recusal incomplete: runtime=${runtimeRecusal}, queue=${queueRecusal}, coiAcknowledgment=${coiAcknowledgment}`,
2745
+ };
2746
+ });
2747
+ // 56.109(f): continuing review not less than once per year
2748
+ this.register('fda_irb_continuing_review_active', (ctx) => {
2749
+ const gr = ctx.packConfig?.['governance-runtime'];
2750
+ const maxInterval = gr?.continuingReviewMaxIntervalDays;
2751
+ const aq = ctx.packConfig?.['approval-queue'];
2752
+ const renewalQueue = aq?.continuingReviewRenewalQueueEnabled === true;
2753
+ const am = ctx.packConfig?.['attestation-manager'];
2754
+ const approvalOnFile = am?.continuingReviewApprovalOnFileRequired === true;
2755
+ const passed = renewalQueue && approvalOnFile &&
2756
+ typeof maxInterval === 'number' && maxInterval <= 365;
2757
+ return {
2758
+ passed,
2759
+ detail: passed
2760
+ ? `Continuing review configured: max interval ${maxInterval} days (<= 365), renewal queue enabled, approval-on-file required (21 CFR 56.109(f))`
2761
+ : `Continuing review configuration incomplete: renewalQueue=${renewalQueue}, approvalOnFile=${approvalOnFile}, maxIntervalDays=${maxInterval} (need <= 365)`,
2762
+ };
2763
+ });
2764
+ // 56.110: expedited review only for minimal-risk studies on FDA's expedited list
2765
+ this.register('fda_irb_expedited_review_criteria_active', (ctx) => {
2766
+ const aq = ctx.packConfig?.['approval-queue'];
2767
+ const routingConfigured = aq?.expeditedVsFullBoardRoutingRequired === true;
2768
+ const am = ctx.packConfig?.['attestation-manager'];
2769
+ const eligibilityDoc = am?.expeditedReviewEligibilityDocumentationRequired === true;
2770
+ const passed = routingConfigured && eligibilityDoc;
2771
+ return {
2772
+ passed,
2773
+ detail: passed
2774
+ ? 'Expedited review criteria enforced: routing logic configured and eligibility documentation required (21 CFR 56.110)'
2775
+ : `Expedited review configuration incomplete: routingConfigured=${routingConfigured}, eligibilityDocumentation=${eligibilityDoc}`,
2776
+ };
2777
+ });
2778
+ // 56.115(b): IRB records retained >= 3 years after completion
2779
+ this.register('fda_irb_records_retention_active', (ctx) => {
2780
+ const retentionDays = ctx.evidence?.auditRetentionDays;
2781
+ // 1095 days = 3 years per 21 CFR 56.115(b)
2782
+ const n = typeof retentionDays === 'number' ? retentionDays : 0;
2783
+ const passed = n >= 1095;
2784
+ return {
2785
+ passed,
2786
+ detail: passed
2787
+ ? `IRB records retention ${n} days >= 1095 (3 years) per 21 CFR 56.115(b)`
2788
+ : `IRB records retention ${n} days < 1095 (3-year minimum per 21 CFR 56.115(b))`,
2789
+ };
2790
+ });
2791
+ // 56.115(a)(2): minutes must record attendance, votes, basis for required modifications
2792
+ this.register('fda_irb_meeting_minutes_active', (ctx) => {
2793
+ const ac = ctx.packConfig?.['audit-chain'];
2794
+ const minutesIntegrity = ac?.irbMeetingMinutesIntegrityRequired === true;
2795
+ const voteTally = ac?.voteTallyTamperDetectionRequired === true;
2796
+ const protocolChain = ac?.protocolApprovalChainRequired === true;
2797
+ const passed = minutesIntegrity && voteTally && protocolChain;
2798
+ return {
2799
+ passed,
2800
+ detail: passed
2801
+ ? 'IRB meeting minutes integrity enforced: tamper-evident minutes, vote tallies, protocol approval chain (21 CFR 56.115(a)(2))'
2802
+ : `Meeting minutes configuration incomplete: minutesIntegrity=${minutesIntegrity}, voteTally=${voteTally}, protocolChain=${protocolChain}`,
2803
+ };
2804
+ });
2805
+ // 56.108(b): prompt reporting of unanticipated problems, serious/continuing noncompliance, suspension/termination
2806
+ this.register('fda_irb_prompt_reporting_active', (ctx) => {
2807
+ const eb = ctx.packConfig?.['event-bus'];
2808
+ const unanticipatedReporting = eb?.unanticipatedProblemReportingActive === true;
2809
+ const suspensionNotification = eb?.suspensionTerminationNotificationActive === true;
2810
+ const noncomplianceEscalation = eb?.continuingNoncomplianceEscalationActive === true;
2811
+ const saeDeadline = eb?.saePromptReportingDeadlineHours;
2812
+ const passed = unanticipatedReporting && suspensionNotification && noncomplianceEscalation &&
2813
+ typeof saeDeadline === 'number' && saeDeadline <= 24;
2814
+ return {
2815
+ passed,
2816
+ detail: passed
2817
+ ? `Prompt reporting configured: unanticipated problems, suspension/termination, noncompliance escalation, SAE clock ${saeDeadline}h (<= 24h) (21 CFR 56.108(b))`
2818
+ : `Prompt reporting configuration incomplete: unanticipatedReporting=${unanticipatedReporting}, suspensionNotification=${suspensionNotification}, noncomplianceEscalation=${noncomplianceEscalation}, saeDeadlineHours=${saeDeadline} (need <= 24)`,
2819
+ };
2820
+ });
2821
+ // ---------------------------------------------------------------------------
2822
+ // NCSC Guidelines for Secure AI System Development (2024) checks
2823
+ // TIER 10-UK Wave 2 | pack id: ncsc-ai-security
2824
+ // Four-phase coverage: secure design / development / deployment / operation.
2825
+ // ---------------------------------------------------------------------------
2826
+ // Phase 1 — secure design: threat model present and approved
2827
+ this.register('behavioralValidator_ncsc_secure_design_threat_model_present', (ctx) => {
2828
+ const am = ctx.packConfig?.['attestation-manager'];
2829
+ const modelProvenanceAttestation = am?.modelProvenanceAttestationRequired === true;
2830
+ const retentionYears = am?.retentionYearsForEvidence;
2831
+ const passed = modelProvenanceAttestation && typeof retentionYears === 'number' && retentionYears >= 7;
2832
+ return {
2833
+ passed,
2834
+ detail: passed
2835
+ ? 'NCSC Phase 1: attestation-manager configured for AI threat model tracking with 7-year retention (NCSC Guidelines for secure AI system development 2024)'
2836
+ : `NCSC Phase 1 secure-design gate incomplete: modelProvenanceAttestation=${modelProvenanceAttestation}, retentionYears=${retentionYears} (need >= 7)`,
2837
+ };
2838
+ });
2839
+ // Phase 2 — secure development: dependency integrity active
2840
+ this.register('behavioralValidator_ncsc_secure_development_dependency_integrity', (ctx) => {
2841
+ const gr = ctx.packConfig?.['governance-runtime'];
2842
+ const designGate = gr?.ncscAiSecureDesignGateRequired === true;
2843
+ const blockUnauthorised = gr?.blockUnauthorisedModelWeightChanges === true;
2844
+ const passed = designGate && blockUnauthorised;
2845
+ return {
2846
+ passed,
2847
+ detail: passed
2848
+ ? 'NCSC Phase 2: governance-runtime blocks unauthorised model-weight changes and enforces secure-design gate (NCSC Guidelines for secure AI system development 2024)'
2849
+ : `NCSC Phase 2 dependency-integrity gate incomplete: designGate=${designGate}, blockUnauthorisedModelWeightChanges=${blockUnauthorised}`,
2850
+ };
2851
+ });
2852
+ // Phase 3 — secure deployment: deployment record present
2853
+ this.register('behavioralValidator_ncsc_secure_deployment_record_present', (ctx) => {
2854
+ const aq = ctx.packConfig?.['approval-queue'];
2855
+ const modelSwapApproval = aq?.modelSwapApprovalRequired === true;
2856
+ const reviewTier = aq?.reviewTier;
2857
+ const deploymentApproval = aq?.deploymentApprovalRequired === true;
2858
+ const passed = modelSwapApproval && reviewTier === 'T2' && deploymentApproval;
2859
+ return {
2860
+ passed,
2861
+ detail: passed
2862
+ ? 'NCSC Phase 3: approval-queue configured with T2 model-swap gate and deployment-approval requirement (NCSC Guidelines for secure AI system development 2024)'
2863
+ : `NCSC Phase 3 deployment-record gate incomplete: modelSwapApproval=${modelSwapApproval}, reviewTier=${reviewTier} (need T2), deploymentApproval=${deploymentApproval}`,
2864
+ };
2865
+ });
2866
+ // Phase 4 — secure operation: monitoring active for adversarial events
2867
+ this.register('behavioralValidator_ncsc_secure_operation_monitoring_active', (ctx) => {
2868
+ const eb = ctx.packConfig?.['event-bus'];
2869
+ const adversarialInputDetection = eb?.adversarialInputDetectionRequired === true;
2870
+ const promptInjectionAlerting = eb?.promptInjectionAlertingRequired === true;
2871
+ const aiIncidentRouting = eb?.aiSecurityIncidentRoutingRequired === true;
2872
+ const passed = adversarialInputDetection && promptInjectionAlerting && aiIncidentRouting;
2873
+ return {
2874
+ passed,
2875
+ detail: passed
2876
+ ? 'NCSC Phase 4: event-bus configured for adversarial-input detection, prompt-injection alerting, and AI-specific incident routing (NCSC Guidelines for secure AI system development 2024)'
2877
+ : `NCSC Phase 4 monitoring incomplete: adversarialInputDetection=${adversarialInputDetection}, promptInjectionAlerting=${promptInjectionAlerting}, aiIncidentRouting=${aiIncidentRouting}`,
2878
+ };
2879
+ });
2880
+ // Phase 4 — incident response: AI-specific incident path active
2881
+ this.register('behavioralValidator_ncsc_incident_response_ai_path_active', (ctx) => {
2882
+ const eb = ctx.packConfig?.['event-bus'];
2883
+ const aiIncidentRouting = eb?.aiSecurityIncidentRoutingRequired === true;
2884
+ const dataPoisoningSignal = eb?.dataPoisoningSignalRequired === true;
2885
+ const passed = aiIncidentRouting && dataPoisoningSignal;
2886
+ return {
2887
+ passed,
2888
+ detail: passed
2889
+ ? 'NCSC Phase 4: AI-specific incident response path active — data poisoning signal and AI incident routing configured (NCSC Guidelines for secure AI system development 2024)'
2890
+ : `NCSC Phase 4 AI incident-response path incomplete: aiIncidentRouting=${aiIncidentRouting}, dataPoisoningSignal=${dataPoisoningSignal}`,
2891
+ };
2892
+ });
2893
+ // ---------------------------------------------------------------------------
2894
+ // UK Equality Act 2010 + ICO-EHRC Joint AI Bias Guidance checks
2895
+ // TIER 10-UK Wave 2 | pack id: uk-equality-act-ai-bias
2896
+ // Equality Act 2010 ss.4-12, 13, 19, 149; ICO-EHRC joint guidance (2024)
2897
+ // ---------------------------------------------------------------------------
2898
+ // uk_equality_ai_bias_disparate_impact_gate:
2899
+ // Verifies bias-monitor is active AND the 80% (4/5ths) disparate-impact
2900
+ // threshold is configured. Equality Act 2010 s.19 indirect discrimination.
2901
+ this.register('uk_equality_ai_bias_disparate_impact_gate', (ctx) => {
2902
+ const bm = ctx.packConfig?.['bias-monitor'];
2903
+ const biasMonitorActive = ctx.activeModules.includes('bias-monitor');
2904
+ const thresholdSet = typeof bm?.disparateImpactThresholdPercent === 'number' &&
2905
+ bm.disparateImpactThresholdPercent >= 80;
2906
+ const blockEnabled = bm?.blockedBelowThreshold === true;
2907
+ const passed = biasMonitorActive && thresholdSet && blockEnabled;
2908
+ return {
2909
+ passed,
2910
+ detail: passed
2911
+ ? 'UK Equality Act AI bias disparate-impact gate active: bias-monitor present, 80% (4/5ths) threshold configured, BLOCK on sub-threshold decisions enabled (Equality Act 2010 s.19; ICO-EHRC joint guidance 2024)'
2912
+ : `Disparate-impact gate incomplete: biasMonitorActive=${biasMonitorActive}, thresholdSet=${thresholdSet} (need disparateImpactThresholdPercent >= 80), blockEnabled=${blockEnabled} — required: Equality Act 2010 s.19 indirect discrimination gate`,
2913
+ };
2914
+ });
2915
+ // uk_equality_ai_bias_eia_public_sector_gate:
2916
+ // Verifies attestation-manager has EIA-before-deployment required and gated.
2917
+ // Public Sector Equality Duty (s.149): public bodies must complete EIA before
2918
+ // deploying AI systems. ICO-EHRC joint guidance (2024).
2919
+ this.register('uk_equality_ai_bias_eia_public_sector_gate', (ctx) => {
2920
+ const am = ctx.packConfig?.['attestation-manager'];
2921
+ const eiaRequired = am?.eiaBeforeDeploymentRequired === true;
2922
+ const eiaGated = am?.eiaApprovalGated === true;
2923
+ const biasAssessmentDocumented = am?.aisBiasRiskAssessmentDocumented === true;
2924
+ const passed = eiaRequired && eiaGated && biasAssessmentDocumented;
2925
+ return {
2926
+ passed,
2927
+ detail: passed
2928
+ ? 'UK Equality Act 2010 s.149 PSED EIA gate active: EIA required before deployment, EIA approval gated, AI bias risk assessment documented (ICO-EHRC joint guidance 2024)'
2929
+ : `EIA public-sector gate incomplete: eiaRequired=${eiaRequired}, eiaGated=${eiaGated}, biasAssessmentDocumented=${biasAssessmentDocumented} — required: Equality Act 2010 s.149 Public Sector Equality Duty + ICO-EHRC joint guidance 2024`,
2930
+ };
2931
+ });
2932
+ // ---------------------------------------------------------------------------
2933
+ // DO-178C avionics software life cycle checks (RTCA DO-178C / EUROCAE ED-12C)
2934
+ // ---------------------------------------------------------------------------
2935
+ this.register('do178c_software_level_assigned', configFlag('governance-runtime', 'softwareLevelTrackingRequired', 'software level (A/B/C/D/E) tracking active'));
2936
+ this.register('do178c_psac_active', configFlag('governance-runtime', 'do178cLevelAProcessRequired', 'DO-178C Level A process (PSAC scope)'));
2937
+ this.register('do178c_development_plan_active', configFlag('governance-runtime', 'do178cLevelBProcessRequired', 'DO-178C Level B development process (SDP scope)'));
2938
+ this.register('do178c_verification_plan_active', configFlag('governance-runtime', 'do178cLevelCProcessRequired', 'DO-178C Level C verification process (SVP scope)'));
2939
+ this.register('do178c_requirements_data_active', configFlag('governance-runtime', 'do178cLevelDProcessRequired', 'DO-178C Level D requirements process'));
2940
+ this.register('do178c_design_description_active', configFlag('governance-runtime', 'decisionCoverageRequiredForLevelB', 'design description with decision-coverage gating'));
2941
+ this.register('do178c_mc_dc_coverage_level_a_active', configFlag('governance-runtime', 'mcDcCoverageRequiredForLevelA', 'MC/DC coverage required for Level A'));
2942
+ this.register('do178c_decision_coverage_level_b_active', configFlag('attestation-manager', 'mcDcCoverageAttestationRequiredForLevelA', 'decision/MC-DC coverage attestation'));
2943
+ this.register('do178c_tool_qualification_active', configFlag('supply-chain', 'do330ToolQualificationLevelTrackingRequired', 'DO-330 tool qualification level (TQL) tracking'));
2944
+ this.register('do178c_config_management_active', configFlag('supply-chain', 'toolQualificationInventoryRequired', 'tool qualification inventory + configuration management'));
2945
+ this.register('do178c_quality_assurance_active', configFlag('attestation-manager', 'conformityReviewSignOffRequired', 'conformity review sign-off (SQA)'));
2946
+ this.register('do178c_problem_reports_active', configFlag('anomaly-detector', 'softwareAnomalySignalDetectionActive', 'software anomaly signal detection (problem reports)'));
2947
+ this.register('do178c_accomplishment_summary_active', configFlag('attestation-manager', 'softwareAccomplishmentSummaryAttestationRequired', 'Software Accomplishment Summary attestation'));
2948
+ this.register('behavioralValidator_do178c_level_a_unverified_change', configFlag('anomaly-detector', 'levelAAnomalyImmediateEscalationRequired', 'Level A unverified change immediate escalation'));
2949
+ this.register('behavioralValidator_do178c_mc_dc_coverage_below_threshold', configFlag('approval-queue', 'derReviewRequiredForLevelAB', 'Level A MC/DC coverage shortfall DER+SQA review'));
2950
+ // ---------------------------------------------------------------------------
2951
+ // FDA 21 CFR Part 820 (QSR / QMSR) checks (2026-05-09)
2952
+ // ---------------------------------------------------------------------------
2953
+ // § 820.30(j): Design History File controls
2954
+ this.register('fda_820_dhf_controls_active', (ctx) => {
2955
+ const ai = ctx.packConfig?.['audit-integrity'];
2956
+ const dhfChain = ai?.dhfAuditChainRequired === true;
2957
+ const gr = ctx.packConfig?.['governance-runtime'];
2958
+ const docCtrl = gr?.documentControlAuthorizationRequired === true;
2959
+ const passed = dhfChain && docCtrl;
2960
+ return {
2961
+ passed,
2962
+ detail: passed
2963
+ ? 'DHF controls active: audit-chain integrity + document-control authorisation (21 CFR 820.30(j))'
2964
+ : `DHF controls incomplete: dhfAuditChain=${dhfChain}, documentControlAuth=${docCtrl}`,
2965
+ };
2966
+ });
2967
+ // § 820.181: Device Master Record controls
2968
+ this.register('fda_820_dmr_controls_active', (ctx) => {
2969
+ const ai = ctx.packConfig?.['audit-integrity'];
2970
+ const dmrChain = ai?.dmrAuditChainRequired === true;
2971
+ const sc = ctx.packConfig?.['supply-chain'];
2972
+ const traceability = sc?.componentTraceabilityRequired === true;
2973
+ const passed = dmrChain && traceability;
2974
+ return {
2975
+ passed,
2976
+ detail: passed
2977
+ ? 'DMR controls active: audit-chain integrity + component traceability (21 CFR 820.181)'
2978
+ : `DMR controls incomplete: dmrAuditChain=${dmrChain}, traceability=${traceability}`,
2979
+ };
2980
+ });
2981
+ // § 820.184: Device History Record controls
2982
+ this.register('fda_820_dhr_controls_active', (ctx) => {
2983
+ const ai = ctx.packConfig?.['audit-integrity'];
2984
+ const dhrChain = ai?.dhrAuditChainRequired === true;
2985
+ const sc = ctx.packConfig?.['supply-chain'];
2986
+ const incoming = sc?.incomingAcceptanceRecordRequired === true;
2987
+ const passed = dhrChain && incoming;
2988
+ return {
2989
+ passed,
2990
+ detail: passed
2991
+ ? 'DHR controls active: audit-chain integrity + incoming acceptance records (21 CFR 820.184)'
2992
+ : `DHR controls incomplete: dhrAuditChain=${dhrChain}, incomingAcceptance=${incoming}`,
2993
+ };
2994
+ });
2995
+ // § 820.100: CAPA system
2996
+ this.register('fda_820_capa_active', (ctx) => {
2997
+ const gr = ctx.packConfig?.['governance-runtime'];
2998
+ const capaWorkflow = gr?.capaWorkflowRequired === true;
2999
+ const aq = ctx.packConfig?.['approval-queue'];
3000
+ const capaReview = aq?.capaInitiationReviewRequired === true;
3001
+ const ai = ctx.packConfig?.['audit-integrity'];
3002
+ const capaAudit = ai?.capaAuditTrailRequired === true;
3003
+ const passed = capaWorkflow && capaReview && capaAudit;
3004
+ return {
3005
+ passed,
3006
+ detail: passed
3007
+ ? 'CAPA system active: workflow + human-review gate + audit trail (21 CFR 820.100)'
3008
+ : `CAPA incomplete: workflow=${capaWorkflow}, reviewGate=${capaReview}, auditTrail=${capaAudit}`,
3009
+ };
3010
+ });
3011
+ // 21 CFR Part 803: MDR 30-day / 5-day clocks
3012
+ this.register('fda_820_mdr_clock_active', (ctx) => {
3013
+ const eb = ctx.packConfig?.['event-bus'];
3014
+ const thirtyDay = eb?.mdrThirtyDayClockActive === true;
3015
+ const fiveDay = eb?.mdrFiveDayCorrectiveActionClockActive === true;
3016
+ const aq = ctx.packConfig?.['approval-queue'];
3017
+ const mdrAuth = aq?.mdrFilingAuthorizationRequired === true;
3018
+ const passed = thirtyDay && fiveDay && mdrAuth;
3019
+ return {
3020
+ passed,
3021
+ detail: passed
3022
+ ? 'MDR clocks active: 30-day death/serious-injury clock, 5-day corrective-action clock, MDR filing authorisation (21 CFR Part 803)'
3023
+ : `MDR clock incomplete: thirtyDay=${thirtyDay}, fiveDay=${fiveDay}, filingAuth=${mdrAuth}`,
3024
+ };
3025
+ });
3026
+ // § 820.30(i): Design change review gate
3027
+ this.register('fda_820_design_change_review_active', (ctx) => {
3028
+ const aq = ctx.packConfig?.['approval-queue'];
3029
+ const t2Review = aq?.designChangeT2ReviewRequired === true;
3030
+ const gr = ctx.packConfig?.['governance-runtime'];
3031
+ const designCtrl = gr?.designControlWorkflowRequired === true;
3032
+ const passed = t2Review && designCtrl;
3033
+ return {
3034
+ passed,
3035
+ detail: passed
3036
+ ? 'Design change T2 review active: approval-queue gate + design-control workflow (21 CFR 820.30(i))'
3037
+ : `Design change review incomplete: t2Review=${t2Review}, designControl=${designCtrl}`,
3038
+ };
3039
+ });
3040
+ // § 820.40: Document control
3041
+ this.register('fda_820_document_control_active', (ctx) => {
3042
+ const gr = ctx.packConfig?.['governance-runtime'];
3043
+ const docAuth = gr?.documentControlAuthorizationRequired === true;
3044
+ const aq = ctx.packConfig?.['approval-queue'];
3045
+ const signOff = aq?.documentControlSignOffRequired === true;
3046
+ const passed = docAuth && signOff;
3047
+ return {
3048
+ passed,
3049
+ detail: passed
3050
+ ? 'Document control active: authorisation required + sign-off gate (21 CFR 820.40)'
3051
+ : `Document control incomplete: docAuth=${docAuth}, signOff=${signOff}`,
3052
+ };
3053
+ });
3054
+ // § 820.20(c): Management review
3055
+ this.register('fda_820_management_review_active', (ctx) => {
3056
+ const gr = ctx.packConfig?.['governance-runtime'];
3057
+ const reviewSched = gr?.managementReviewSchedulingRequired === true;
3058
+ const am = ctx.packConfig?.['attestation-manager'];
3059
+ const reviewAttest = am?.managementReviewAttestationRequired === true;
3060
+ const passed = reviewSched && reviewAttest;
3061
+ return {
3062
+ passed,
3063
+ detail: passed
3064
+ ? 'Management review active: scheduling configured + attestation required (21 CFR 820.20(c))'
3065
+ : `Management review incomplete: scheduling=${reviewSched}, attestation=${reviewAttest}`,
3066
+ };
3067
+ });
3068
+ // § 820.30(f)(g): Design verification + validation
3069
+ this.register('fda_820_design_vv_active', (ctx) => {
3070
+ const am = ctx.packConfig?.['attestation-manager'];
3071
+ const verifAttest = am?.designVerificationAttestationRequired === true;
3072
+ const validAttest = am?.designValidationAttestationRequired === true;
3073
+ const aq = ctx.packConfig?.['approval-queue'];
3074
+ const outputReview = aq?.designOutputReviewRequired === true;
3075
+ const passed = verifAttest && validAttest && outputReview;
3076
+ return {
3077
+ passed,
3078
+ detail: passed
3079
+ ? 'Design V&V active: verification attestation + validation attestation + output review gate (21 CFR 820.30(f)(g))'
3080
+ : `Design V&V incomplete: verification=${verifAttest}, validation=${validAttest}, outputReview=${outputReview}`,
3081
+ };
3082
+ });
3083
+ // § 820.50: Purchasing controls
3084
+ this.register('fda_820_purchasing_controls_active', (ctx) => {
3085
+ const sc = ctx.packConfig?.['supply-chain'];
3086
+ const asl = sc?.approvedSupplierListRequired === true;
3087
+ const qual = sc?.supplierQualificationRequired === true;
3088
+ const incoming = sc?.incomingAcceptanceRecordRequired === true;
3089
+ const passed = asl && qual && incoming;
3090
+ return {
3091
+ passed,
3092
+ detail: passed
3093
+ ? 'Purchasing controls active: approved-supplier list + qualification + incoming acceptance (21 CFR 820.50)'
3094
+ : `Purchasing controls incomplete: asl=${asl}, qualification=${qual}, incomingAcceptance=${incoming}`,
3095
+ };
3096
+ });
3097
+ // § 820.198: Complaint files
3098
+ this.register('fda_820_complaint_files_active', (ctx) => {
3099
+ const eb = ctx.packConfig?.['event-bus'];
3100
+ const slaAlerts = eb?.complaintFileSlaAlertsActive === true;
3101
+ const ad = ctx.packConfig?.['anomaly-detector'];
3102
+ const complaintTrend = ad?.complaintTrendAnalysisActive === true;
3103
+ const passed = slaAlerts && complaintTrend;
3104
+ return {
3105
+ passed,
3106
+ detail: passed
3107
+ ? 'Complaint files active: SLA alerts + complaint trend analysis for MDR signal detection (21 CFR 820.198)'
3108
+ : `Complaint files incomplete: slaAlerts=${slaAlerts}, complaintTrend=${complaintTrend}`,
3109
+ };
3110
+ });
3111
+ // § 820.90: Nonconforming product control
3112
+ this.register('fda_820_nonconforming_product_active', (ctx) => {
3113
+ const gr = ctx.packConfig?.['governance-runtime'];
3114
+ const qaSystem = gr?.qaSystemValidationRequired === true;
3115
+ const aq = ctx.packConfig?.['approval-queue'];
3116
+ const ncpReview = aq?.capaInitiationReviewRequired === true; // NCP disposition requires CAPA gate
3117
+ const passed = qaSystem && ncpReview;
3118
+ return {
3119
+ passed,
3120
+ detail: passed
3121
+ ? 'Nonconforming product controls active: QA system + disposition review gate (21 CFR 820.90)'
3122
+ : `Nonconforming product controls incomplete: qaSystem=${qaSystem}, dispositionReview=${ncpReview}`,
3123
+ };
3124
+ });
3125
+ // § 820.70: Production and process controls
3126
+ this.register('fda_820_production_controls_active', (ctx) => {
3127
+ const ad = ctx.packConfig?.['anomaly-detector'];
3128
+ const prodMonitor = ad?.productionProcessMonitoringActive === true;
3129
+ const gr = ctx.packConfig?.['governance-runtime'];
3130
+ const qaSystem = gr?.qaSystemValidationRequired === true;
3131
+ const passed = prodMonitor && qaSystem;
3132
+ return {
3133
+ passed,
3134
+ detail: passed
3135
+ ? 'Production controls active: process monitoring + QA system validation (21 CFR 820.70)'
3136
+ : `Production controls incomplete: processMonitoring=${prodMonitor}, qaSystem=${qaSystem}`,
3137
+ };
3138
+ });
3139
+ // § 820.60 / 820.65: Traceability
3140
+ this.register('fda_820_traceability_active', (ctx) => {
3141
+ const sc = ctx.packConfig?.['supply-chain'];
3142
+ const traceability = sc?.componentTraceabilityRequired === true;
3143
+ const asl = sc?.approvedSupplierListRequired === true;
3144
+ const passed = traceability && asl;
3145
+ return {
3146
+ passed,
3147
+ detail: passed
3148
+ ? 'Traceability active: component traceability + approved-supplier list (21 CFR 820.60/820.65)'
3149
+ : `Traceability incomplete: componentTraceability=${traceability}, supplierList=${asl}`,
3150
+ };
3151
+ });
3152
+ // § 820.180(b): Records retention device lifetime + 2 years
3153
+ this.register('fda_820_records_retention_active', (ctx) => {
3154
+ const retentionDays = ctx.evidence?.auditRetentionDays;
3155
+ // Minimum is 730 days (2 years from commercial release, per § 820.180(b))
3156
+ const n = typeof retentionDays === 'number' ? retentionDays : 0;
3157
+ const passed = n >= 730;
3158
+ return {
3159
+ passed,
3160
+ detail: passed
3161
+ ? `Records retention ${n} days >= 730 (2-year minimum per 21 CFR 820.180(b))`
3162
+ : `Records retention ${n} days < 730 (2-year minimum required by 21 CFR 820.180(b))`,
3163
+ };
3164
+ });
3165
+ // FDA 21 CFR Part 820 behavioral validators
3166
+ // DHF unauthorized modification -> BLOCK
3167
+ this.register('behavioralValidator_fda_820_dhf_unauthorised_modification', runBehavioralCheck('fda-21-cfr-820', 'DESIGN_HISTORY_FILE', 'DHF record modification: design history file entry updated without authorisation', 'BLOCK'));
3168
+ // MDR late filing -> BLOCK
3169
+ this.register('behavioralValidator_fda_820_mdr_late_filing', runBehavioralCheck('fda-21-cfr-820', 'MDR_REPORT', 'MDR 5-day report: medical device report adverse event MAUDE submission overdue corrective action', 'BLOCK'));
3170
+ // CAPA initiation -> REQUIRE_APPROVAL (pack-author REVIEW vocabulary canonicalizes here)
3171
+ this.register('behavioralValidator_fda_820_capa_initiation', runBehavioralCheck('fda-21-cfr-820', 'CORRECTIVE_ACTION', 'CAPA initiation: corrective action record nonconformance investigation root cause analysis', 'REQUIRE_APPROVAL'));
3172
+ // Design change -> BLOCK (must go through T2 review)
3173
+ this.register('behavioralValidator_fda_820_design_change', runBehavioralCheck('fda-21-cfr-820', 'DESIGN_CHANGE', 'Design change request DCR engineering change order design modification device', 'BLOCK'));
3174
+ // ---------------------------------------------------------------------------
3175
+ // IEC 62304 — Medical Device Software Life Cycle Processes
3176
+ // ---------------------------------------------------------------------------
3177
+ // -- IEC 62304 Medical Device Software Life Cycle checks --
3178
+ this.register('iec62304_safety_class_assigned', configFlag('governance-runtime', 'softwareSafetyClassTrackingRequired', 'software safety class (A/B/C) tracking active'));
3179
+ this.register('iec62304_soup_inventory_active', configFlag('supply-chain', 'soupInventoryRequired', 'SOUP inventory and evaluation'));
3180
+ this.register('iec62304_development_plan_active', configFlag('governance-runtime', 'iec62304ClassAProcessRequired', 'IEC 62304 Class A development process'));
3181
+ this.register('iec62304_requirements_analysis_active', configFlag('governance-runtime', 'classificationRationaleRequired', 'software safety classification rationale'));
3182
+ this.register('iec62304_architecture_active', configFlag('governance-runtime', 'iec62304ClassBProcessRequired', 'IEC 62304 Class B development process'));
3183
+ this.register('iec62304_class_c_unit_verification_active', configFlag('attestation-manager', 'classCUnitVerificationEvidenceRequired', 'Class C unit verification evidence'));
3184
+ this.register('iec62304_integration_testing_active', configFlag('governance-runtime', 'iec62304ClassCProcessRequired', 'IEC 62304 Class C development process'));
3185
+ this.register('iec62304_system_testing_active', configFlag('attestation-manager', 'softwareReleaseAttestationRequired', 'software release attestation'));
3186
+ this.register('iec62304_release_records_active', configFlag('attestation-manager', 'classificationRationaleSignOffRequired', 'classification rationale sign-off'));
3187
+ this.register('iec62304_config_management_active', configFlag('supply-chain', 'soupPublishedErrataEvaluationRequired', 'SOUP published errata evaluation'));
3188
+ this.register('iec62304_anomaly_resolution_active', configFlag('anomaly-detector', 'softwareAnomalySignalDetectionActive', 'software anomaly signal detection'));
3189
+ this.register('iec62304_class_c_soup_block_active', configFlag('approval-queue', 'soupIntroductionApprovalRequired', 'SOUP introduction approval gate'));
3190
+ this.register('behavioralValidator_iec62304_class_c_unverified_change', configFlag('anomaly-detector', 'classCAnomályImmediateEscalationRequired', 'Class C anomaly immediate escalation'));
3191
+ this.register('behavioralValidator_iec62304_class_b_anomaly_reviewed', configFlag('approval-queue', 'classBAnomályClosureApprovalRequired', 'Class B anomaly closure approval'));
3192
+ this.register('iec62304_maintenance_plan_active', configFlag('attestation-manager', 'soupEvaluationAttestationRequired', 'SOUP evaluation attestation'));
3193
+ // ---------------------------------------------------------------------------
3194
+ // DO-178C avionics software life cycle checks (RTCA DO-178C / EUROCAE ED-12C)
3195
+ // ---------------------------------------------------------------------------
3196
+ this.register('do178c_software_level_assigned', configFlag('governance-runtime', 'softwareLevelTrackingRequired', 'software level (A/B/C/D/E) tracking active'));
3197
+ this.register('do178c_psac_active', configFlag('governance-runtime', 'do178cLevelAProcessRequired', 'DO-178C Level A process (PSAC scope)'));
3198
+ this.register('do178c_development_plan_active', configFlag('governance-runtime', 'do178cLevelBProcessRequired', 'DO-178C Level B development process (SDP scope)'));
3199
+ this.register('do178c_verification_plan_active', configFlag('governance-runtime', 'do178cLevelCProcessRequired', 'DO-178C Level C verification process (SVP scope)'));
3200
+ this.register('do178c_requirements_data_active', configFlag('governance-runtime', 'do178cLevelDProcessRequired', 'DO-178C Level D requirements process'));
3201
+ this.register('do178c_design_description_active', configFlag('governance-runtime', 'decisionCoverageRequiredForLevelB', 'design description with decision-coverage gating'));
3202
+ this.register('do178c_mc_dc_coverage_level_a_active', configFlag('governance-runtime', 'mcDcCoverageRequiredForLevelA', 'MC/DC coverage required for Level A'));
3203
+ this.register('do178c_decision_coverage_level_b_active', configFlag('attestation-manager', 'mcDcCoverageAttestationRequiredForLevelA', 'decision/MC-DC coverage attestation'));
3204
+ this.register('do178c_tool_qualification_active', configFlag('supply-chain', 'do330ToolQualificationLevelTrackingRequired', 'DO-330 tool qualification level (TQL) tracking'));
3205
+ this.register('do178c_config_management_active', configFlag('supply-chain', 'toolQualificationInventoryRequired', 'tool qualification inventory + configuration management'));
3206
+ this.register('do178c_quality_assurance_active', configFlag('attestation-manager', 'conformityReviewSignOffRequired', 'conformity review sign-off (SQA)'));
3207
+ this.register('do178c_problem_reports_active', configFlag('anomaly-detector', 'softwareAnomalySignalDetectionActive', 'software anomaly signal detection (problem reports)'));
3208
+ this.register('do178c_accomplishment_summary_active', configFlag('attestation-manager', 'softwareAccomplishmentSummaryAttestationRequired', 'Software Accomplishment Summary attestation'));
3209
+ this.register('behavioralValidator_do178c_level_a_unverified_change', configFlag('anomaly-detector', 'levelAAnomalyImmediateEscalationRequired', 'Level A unverified change immediate escalation'));
3210
+ this.register('behavioralValidator_do178c_mc_dc_coverage_below_threshold', configFlag('approval-queue', 'derReviewRequiredForLevelAB', 'Level A MC/DC coverage shortfall DER+SQA review'));
3211
+ // ---------------------------------------------------------------------------
3212
+ // ISO 26262 — Automotive Functional Safety (ISO 26262:2018, all 12 parts)
3213
+ // ---------------------------------------------------------------------------
3214
+ this.register('iso26262_asil_assigned', configFlag('governance-runtime', 'asilTrackingRequired', 'ASIL (A/B/C/D/QM) tracking active — default ASIL B when not declared'));
3215
+ this.register('iso26262_item_definition_active', configFlag('governance-runtime', 'itemDefinitionRequired', 'item definition on file per ISO 26262-3 §5'));
3216
+ this.register('iso26262_hara_active', configFlag('governance-runtime', 'haraRequired', 'HARA active — hazard catalogue + ASIL rationale on file per ISO 26262-3 §6'));
3217
+ this.register('iso26262_functional_safety_concept_active', configFlag('governance-runtime', 'functionalSafetyConceptRequired', 'functional safety concept + FSR on file per ISO 26262-3 §7'));
3218
+ this.register('iso26262_technical_safety_concept_active', configFlag('governance-runtime', 'asilCChangeApprovalRequired', 'technical safety concept + ASIL C approval gate per ISO 26262-4 §6'));
3219
+ this.register('iso26262_software_safety_requirements_active', configFlag('governance-runtime', 'iso26262Part6SoftwareProcessRequired', 'software safety requirements per ISO 26262-6 §6'));
3220
+ this.register('iso26262_software_architectural_design_active', configFlag('governance-runtime', 'asilDChangeApprovalRequired', 'software architectural design + ASIL D approval gate per ISO 26262-6 §7'));
3221
+ this.register('iso26262_unit_verification_active', configFlag('attestation-manager', 'softwareReleaseAttestationRequired', 'software release attestation — unit verification evidence required'));
3222
+ this.register('iso26262_asil_d_mc_dc_coverage_active', configFlag('governance-runtime', 'asilDAnomalyImmediateEscalationRequired', 'ASIL D MC/DC coverage at 100% — immediate escalation on gap per ISO 26262-6 Table 12'));
3223
+ this.register('iso26262_asil_decomposition_active', configFlag('approval-queue', 'asilBAnomalyClosureApprovalRequired', 'ASIL decomposition rules active — ASIL B anomaly closure approval per ISO 26262-9 §5'));
3224
+ this.register('iso26262_fmea_fault_tree_active', configFlag('attestation-manager', 'functionalSafetyAssessmentSignOffRequired', 'FMEA/FTA safety analysis sign-off required per ISO 26262-9 §8'));
3225
+ this.register('iso26262_tool_confidence_level_active', configFlag('supply-chain', 'tclClassificationRequired', 'tool confidence level (TCL) classification per ISO 26262-8 §11'));
3226
+ this.register('iso26262_config_management_active', configFlag('supply-chain', 'toolConfidenceLevelInventoryRequired', 'TCL inventory + configuration management per ISO 26262-8 §7'));
3227
+ this.register('iso26262_change_management_active', configFlag('approval-queue', 'asilCChangeApprovalRequired', 'change management + ASIL C approval gate per ISO 26262-8 §8'));
3228
+ this.register('behavioralValidator_iso26262_asil_d_unverified_change', configFlag('anomaly-detector', 'asilDAnomalyImmediateEscalationRequired', 'ASIL D unverified change immediate escalation — absolute block'));
3229
+ // ---------------------------------------------------------------------------
3230
+ // IEC 62443 — Industrial Automation and Control Systems (IACS) Security
3231
+ // ---------------------------------------------------------------------------
3232
+ this.register('iec62443_security_level_assigned', configFlag('governance-runtime', 'securityLevelTrackingRequired', 'Security Level Target (SL 1-4) assigned per zone/conduit — default SL 2 when not declared'));
3233
+ this.register('iec62443_zone_conduit_model_active', configFlag('governance-runtime', 'zoneConduitModelRequired', 'zone and conduit model on file per IEC 62443-3-2 §5.5'));
3234
+ this.register('iec62443_csms_active', configFlag('governance-runtime', 'csmsCovered', 'CSMS established per IEC 62443-2-1 — scope, policy, risk assessment, organisational responsibilities'));
3235
+ this.register('iec62443_iac_controls_active', configFlag('governance-runtime', 'iec62443Part33SystemControlsRequired', 'FR1 Identification & Authentication Control (SR 1.x) per IEC 62443-3-3'));
3236
+ this.register('iec62443_uc_controls_active', configFlag('governance-runtime', 'sl3ChangeApprovalRequired', 'FR2 Use Control (SR 2.x) per IEC 62443-3-3 — SL 3 approval gate wired'));
3237
+ this.register('iec62443_si_controls_active', configFlag('governance-runtime', 'sl4ChangeApprovalRequired', 'FR3 System Integrity (SR 3.x) per IEC 62443-3-3 — SL 4 approval gate wired'));
3238
+ this.register('iec62443_dc_controls_active', configFlag('governance-runtime', 'sl2AnomalyClosureApprovalRequired', 'FR4 Data Confidentiality (SR 4.x) per IEC 62443-3-3 — SL 2 anomaly closure approval'));
3239
+ this.register('iec62443_rdf_controls_active', configFlag('governance-runtime', 'sl3AnomalyImmediateEscalationRequired', 'FR5 Restricted Data Flow / zone segmentation (SR 5.x) per IEC 62443-3-3'));
3240
+ this.register('iec62443_tre_controls_active', configFlag('governance-runtime', 'sl4AnomalyImmediateEscalationRequired', 'FR6 Timely Response to Events (SR 6.x) per IEC 62443-3-3 — SL 4 immediate escalation'));
3241
+ this.register('iec62443_ra_controls_active', configFlag('governance-runtime', 'iec62443Part41SecureDevelopmentLifecycleRequired', 'FR7 Resource Availability (SR 7.x) per IEC 62443-3-3'));
3242
+ this.register('iec62443_sdl_active', configFlag('attestation-manager', 'sdlComplianceAttestationRequired', 'Secure Development Lifecycle per IEC 62443-4-1 — SDL attestation required'));
3243
+ this.register('iec62443_component_security_requirements_active', configFlag('governance-runtime', 'iec62443Part42ComponentRequirementsRequired', 'component security requirements per IEC 62443-4-2'));
3244
+ this.register('iec62443_patch_management_active', configFlag('supply-chain', 'sdlComplianceVerificationRequired', 'patch management per IEC 62443-2-3 — supply-chain SDL compliance verification'));
3245
+ this.register('iec62443_incident_management_active', configFlag('approval-queue', 'sl2AnomalyClosureApprovalRequired', 'incident management per IEC 62443-2-1 §4.3.4.5 — SL 2+ anomaly closure approval'));
3246
+ this.register('behavioralValidator_iec62443_sl3_sl4_unverified_change', configFlag('anomaly-detector', 'sl4AnomalyImmediateEscalationRequired', 'SL 3/4 unverified IACS change immediate escalation — absolute block'));
3247
+ // ---------------------------------------------------------------------------
3248
+ // NIST SP 800-82 Rev 3 — US Federal Operational Technology Security
3249
+ // ---------------------------------------------------------------------------
3250
+ this.register('nist80082_impact_level_assigned', configFlag('governance-runtime', 'impactLevelTrackingRequired', 'FIPS 199 impact level (LOW/MODERATE/HIGH) assigned per OT system/zone — default MODERATE when not declared'));
3251
+ this.register('nist80082_purdue_model_segmentation', configFlag('governance-runtime', 'purdueModelSegmentationRequired', 'Purdue model segmentation on file per NIST SP 800-82 §5.5 — Levels 0-5 + industrial DMZ Level 3.5'));
3252
+ this.register('nist80082_cybersecurity_program', configFlag('governance-runtime', 'fips199CategorizationRequired', 'OT cybersecurity program per NIST SP 800-82 §3 — charter, roles, workforce training, management approval'));
3253
+ this.register('nist80082_risk_management', configFlag('governance-runtime', 'nist80053ControlOverlayRequired', 'OT risk management per NIST SP 800-82 §4 + SP 800-30 + SP 800-39 — risk register, AO acceptance'));
3254
+ this.register('nist80082_ac_controls', configFlag('governance-runtime', 'highImpactChangeApprovalRequired', 'AC family controls applied to OT per SP 800-82 §6.2 — RBAC, least privilege, MFA for remote access'));
3255
+ this.register('nist80082_au_controls', configFlag('governance-runtime', 'moderateImpactChangeApprovalRequired', 'AU family controls applied to OT per SP 800-82 §6.3 — audit logging, centralized SIEM, 7-year retention'));
3256
+ this.register('nist80082_cm_controls', configFlag('governance-runtime', 'moderateImpactAnomalyClosureApprovalRequired', 'CM family controls applied to OT per SP 800-82 §6.6 — baseline configs, formal change control'));
3257
+ this.register('nist80082_cp_controls', configFlag('governance-runtime', 'highImpactAnomalyImmediateEscalationRequired', 'CP family controls applied to OT per SP 800-82 §6.7 — OT contingency plan, backup, annual test'));
3258
+ this.register('nist80082_ir_controls', configFlag('governance-runtime', 'ciraReportingActive', 'IR family controls applied to OT per SP 800-82 §6.10 — OT IR plan, 24h CISA reporting, CIRCIA integration'));
3259
+ this.register('nist80082_sc_controls', configFlag('approval-queue', 'highImpactChangeApprovalRequired', 'SC family controls applied to OT per SP 800-82 §6.18 — Purdue segmentation, industrial DMZ, encrypted OT comms'));
3260
+ this.register('nist80082_si_controls', configFlag('approval-queue', 'sisModificationAbsoluteBlockRequired', 'SI family controls applied to OT per SP 800-82 §6.19 — malware protection, integrity verification, ICS-CERT'));
3261
+ this.register('nist80082_sr_controls', configFlag('supply-chain', 'eo14028SbomRequired', 'SR family controls applied to OT per SP 800-82 §6.20 — OT SBOM (EO 14028), supplier risk, CMMC'));
3262
+ this.register('nist80082_safety_instrumented_system', configFlag('governance-runtime', 'safetyInstrumentedSystemProtectionRequired', 'SIS isolation per NIST SP 800-82 §5.7 + IEC 61511 — separate segment, SIL engineer sign-off, no AI changes'));
3263
+ this.register('nist80082_cisa_incident_reporting', configFlag('attestation-manager', 'fismaAtoAttestationRequired', 'CISA OT incident reporting per SP 800-82 §6.10 + CIRCIA + EO 14028 — 24h notification, NERC CIP integration'));
3264
+ this.register('behavioralValidator_nist80082_high_impact_unverified_change', configFlag('anomaly-detector', 'unverifiedHighImpactChangeDetectionActive', 'HIGH impact / SIS unverified OT change immediate escalation — absolute block'));
3265
+ // ---- AS9100D / AS9110C / AS9120B — Aerospace Quality Management Systems ----
3266
+ this.register('as9100_product_safety_policy', configFlag('governance-runtime', 'productSafetyPolicyRequired', 'AS9100D §5.1.1.1 — Product Safety Policy: written policy + training + management commitment'));
3267
+ this.register('as9100_counterfeit_parts_prevention', configFlag('governance-runtime', 'counterfeitPartsPreventionRequired', 'AS9100D §8.1.4 — Counterfeit Parts Prevention: ASL + quarantine + ERAI/GIDEP reporting procedure'));
3268
+ this.register('as9100_configuration_management', configFlag('governance-runtime', 'configurationManagementBaselineRequired', 'AS9100D §8.1.2 — Configuration Management: CM baseline + change control (ECO/ECR) + CM records'));
3269
+ this.register('as9100_special_process_controls', configFlag('governance-runtime', 'specialProcessQualificationRequired', 'AS9100D §8.5.1.2 — Special Processes: NADCAP accreditation + operator/equipment/procedure qualification'));
3270
+ this.register('as9100_fod_prevention', configFlag('governance-runtime', 'fodPreventionRequired', 'AS9100D §8.5.4 — FOD Prevention: plan + training + inspections + event investigation'));
3271
+ this.register('as9100_risk_and_opportunity_management', configFlag('governance-runtime', 'capaImmediateEscalationOnSafetyImpact', 'AS9100D §6.1 — Risk + Opportunity Management: FMEA/FTA mandatory (§6.1.2.1) + risk register'));
3272
+ this.register('as9100_design_development_controls', configFlag('governance-runtime', 'designReviewApprovalRequired', 'AS9100D §8.3 — Design + Development Controls: FAI per AS9102 + design change per §8.3.6'));
3273
+ this.register('as9100_purchasing_controls', configFlag('governance-runtime', 'supplierQualificationRequired', 'AS9100D §8.4 — Purchasing Controls: ASL enforcement + customer-approved sources + incoming inspection'));
3274
+ this.register('as9100_product_realisation', configFlag('governance-runtime', 'postDeliverySupportRecordsRequired', 'AS9100D §8.5 — Product Realisation: controlled conditions + travellers + SPC + §8.5.5 post-delivery'));
3275
+ this.register('as9100_identification_traceability', configFlag('supply-chain', 'approvedSourceListEnforcementRequired', 'AS9100D §8.5.2 — Identification + Traceability: serialized/lot-controlled + material certs + CofC chain'));
3276
+ this.register('as9100_customer_property', configFlag('supply-chain', 'itarEarClassificationRequired', 'AS9100D §8.5.3 — Customer + External Property: CFE/CFM + tooling + ITAR/EAR IP protection'));
3277
+ this.register('as9100_post_delivery_support', configFlag('governance-runtime', 'postDeliverySupportRecordsRequired', 'AS9100D §8.5.5 — Post-Delivery Support: warranty + airworthiness data + FAA SDR / EASA Part 21J'));
3278
+ this.register('as9100_on_time_delivery_conformity', configFlag('governance-runtime', 'onTimeDeliveryMetricsRequired', 'AS9100D §9.1.1 — On-Time Delivery + Product Conformity: OTD + first-pass yield + PPM escapes'));
3279
+ this.register('as9100_corrective_action', configFlag('approval-queue', 'safetyImpactCapaApprovalRequired', 'AS9100D §10.2 — CAPA: RCA + effectiveness verification + safety-impact escalation + FAA SDR / EASA 21J'));
3280
+ this.register('behavioralValidator_as9100_counterfeit_parts_detected', configFlag('anomaly-detector', 'counterfeitPartsDetectedImmediateEscalationRequired', 'AS9100D §8.1.4 — counterfeit-parts-detected: absolute CRITICAL block + immediate escalation'));
3281
+ // ---- FDA Software Pre-Cert + SaMD TPLC + AI/ML Action Plan ----
3282
+ this.register('samd_imdrf_categorization', configFlag('governance-runtime', 'imdrfCategorizationRequired', 'IMDRF SaMD N12 (2014) — SaMD risk categorization (Category I–IV): medical purpose × healthcare situation severity'));
3283
+ this.register('samd_patient_safety_excellence', configFlag('governance-runtime', 'postMarketSignalDetectionActive', 'FDA Pre-Cert Principle 1 (Patient Safety) — risk management + MDR signal detection + 5-day escalation path'));
3284
+ this.register('samd_product_quality_excellence', configFlag('governance-runtime', 'pccpChangeControlRequired', 'FDA Pre-Cert Principle 2 (Product Quality) — QMS per ISO 13485 + IEC 62304 software lifecycle processes'));
3285
+ this.register('samd_clinical_responsibility', configFlag('governance-runtime', 'clinicalEvaluationRequired', 'FDA Pre-Cert Principle 3 (Clinical Responsibility) — clinical evaluation per IMDRF N41 + intended-use scoping'));
3286
+ this.register('samd_cybersecurity_responsibility', configFlag('supply-chain', 'sbomMaintenanceRequired', 'FDA Pre-Cert Principle 4 (Cybersecurity Responsibility) — SBOM + VEX + PATCH Act §524B + FDA Cybersecurity Guidance (2023)'));
3287
+ this.register('samd_proactive_culture', configFlag('governance-runtime', 'aimlActionPlanAlignmentActive', 'FDA Pre-Cert Principle 5 (Proactive Culture) — CAPA + RCA + FDA transparency + Q-Sub engagement'));
3288
+ this.register('samd_tplc_monitoring', configFlag('governance-runtime', 'tplcMonitoringActive', 'FDA Total Product Lifecycle (TPLC) approach — post-market monitoring plan + real-world performance tracking'));
3289
+ this.register('samd_real_world_performance', configFlag('governance-runtime', 'realWorldPerformanceTrackingActive', 'FDA RWE/RWD framework + Pre-Cert continuous monitoring — RWP metrics + drift detection + performance reports'));
3290
+ this.register('samd_aiml_action_plan_alignment', configFlag('governance-runtime', 'aimlActionPlanAlignmentActive', 'FDA AI/ML-Based SaMD Action Plan (Jan 2021) — GMLP 10 principles + transparency + RWP + regulatory science + patient engagement'));
3291
+ this.register('samd_pccp_change_control', configFlag('governance-runtime', 'pccpChangeControlRequired', 'FDA PCCP Guidance (2024) — modification protocol + development protocols + performance evaluation + pccp-change-controller'));
3292
+ this.register('samd_algorithm_change_protocol', configFlag('governance-runtime', 'algorithmChangeProtocolRequired', 'FDA AI/ML Action Plan §2 — ACP: bounded change envelope + change log + performance evidence + out-of-bounds escalation'));
3293
+ this.register('samd_clinical_evaluation', configFlag('governance-runtime', 'clinicalEvaluationRequired', 'IMDRF SaMD Clinical Evaluation N41 (2017) — analytical validation + clinical validation + CER + clinical evaluation officer'));
3294
+ this.register('samd_intended_use_scoping', configFlag('governance-runtime', 'intendedUseScopingRequired', 'FDA SaMD intended-use determination + IMDRF N12 — medical purpose + patient population + clinical setting + out-of-scope definition'));
3295
+ this.register('samd_post_market_signal_detection', configFlag('governance-runtime', 'postMarketSignalDetectionActive', 'FDA Sentinel Initiative + Pre-Cert continuous monitoring — signal thresholds + drift detection + 5-day MDR escalation path'));
3296
+ this.register('behavioralValidator_samd_out_of_pccp_bounds_change', configFlag('governance-runtime', 'outOfPccpBoundsImmediateEscalationRequired', 'FDA PCCP Guidance (2024) — out-of-PCCP-bounds-change: absolute CRITICAL block + immediate escalation, no compensating control path'));
3297
+ // ---- ISO 15189:2022 Medical Laboratory Quality and Competence ----
3298
+ this.register('iso15189_impartiality', configFlag('governance-runtime', 'impartialityPolicyRequired', 'ISO 15189:2022 §4.1 — Impartiality: policy documented + conflicts of interest identified + commercial pressure managed'));
3299
+ this.register('iso15189_confidentiality', configFlag('governance-runtime', 'confidentialityControlsRequired', 'ISO 15189:2022 §4.2 — Confidentiality: PHI protection + HIPAA BAA + GDPR Art. 9 + breach detection + 72h notification'));
3300
+ this.register('iso15189_lab_director_responsibility', configFlag('governance-runtime', 'labDirectorOversightRequired', 'ISO 15189:2022 §5.1 — Legal entity + Lab Director: CLIA-qualified director + management accountability + delegation documented'));
3301
+ this.register('iso15189_personnel_competence', configFlag('governance-runtime', 'personnelCompetenceTrackingRequired', 'ISO 15189:2022 §6.2 — Personnel: initial + ongoing competence assessment + lab-director authorisation + Annex C interpretive competence'));
3302
+ this.register('iso15189_equipment_calibration', configFlag('governance-runtime', 'equipmentCalibrationTraceabilityRequired', 'ISO 15189:2022 §6.4 — Equipment + calibration + traceability: SI metrological traceability chain + calibration certificates + maintenance records'));
3303
+ this.register('iso15189_reagents_consumables', configFlag('governance-runtime', 'reagentConsumableVendorQualificationRequired', 'ISO 15189:2022 §6.5 — Reagents + consumables: receipt inspection + lot verification + expiry management + vendor qualification'));
3304
+ this.register('iso15189_pre_examination', configFlag('governance-runtime', 'resultReportingControlsRequired', 'ISO 15189:2022 §7.2 — Pre-examination: request form + patient preparation + sample collection + reception criteria + sample tracking'));
3305
+ this.register('iso15189_examination_validation', configFlag('governance-runtime', 'examinationValidationRequired', 'ISO 15189:2022 §7.3 — Examination: validation (in-house — AMR/precision/trueness/uncertainty) + verification (commercial — manufacturer specs confirmed)'));
3306
+ this.register('iso15189_internal_quality_control', configFlag('governance-runtime', 'internalQualityControlActive', 'ISO 15189:2022 §7.3.7 — Internal Quality Control: Westgard rules + OOC policy: BLOCK patient results + immediate escalation + lab-director sign-off'));
3307
+ this.register('iso15189_external_proficiency_testing', configFlag('governance-runtime', 'externalProficiencyTestingActive', 'ISO 15189:2022 §7.3.4 — EQA/PT: enrolment + unacceptable performance corrective action + qms-lead + lab-director approval'));
3308
+ this.register('iso15189_result_reporting', configFlag('governance-runtime', 'resultReportingControlsRequired', 'ISO 15189:2022 §7.4 — Reporting: authorised release + critical value notification + amended report traceability + AI disclosure'));
3309
+ this.register('iso15189_clinical_interpretation', configFlag('governance-runtime', 'labDirectorOversightRequired', 'ISO 15189:2022 §7.5 + Annex C — Post-examination + clinical interpretation: pathologist review + AI provenance disclosure + retained sample policy'));
3310
+ this.register('iso15189_risk_management_annex_a', configFlag('governance-runtime', 'riskManagementAnnexAActive', 'ISO 15189:2022 Annex A — Risk management: ISO 14971 + ISO 22367 for lab processes + AI-introduced risk assessment + residual risk acceptance'));
3311
+ this.register('iso15189_complaints_handling', configFlag('governance-runtime', 'impartialityPolicyRequired', 'ISO 15189:2022 §8.7 — Complaints: acknowledge without undue delay + root cause + corrective action + accreditation body notification'));
3312
+ this.register('behavioralValidator_iso15189_iqc_out_of_control', configFlag('governance-runtime', 'iqcOutOfControlImmediateEscalationRequired', 'ISO 15189:2022 §7.3.7 — IQC-out-of-control: absolute CRITICAL block — no patient results released until IQC passes + lab-director sign-off'));
3313
+ // ---- ISO/IEC 80001 Medical IT Network Risk Management ----
3314
+ this.register('iso80001_key_property_safety', configFlag('governance-runtime', 'keyPropertySafetyTrackingRequired', 'ISO/IEC 80001-1:2021 §4.2.1 — KEY PROPERTY SAFETY: no patient harm from network-mediated failure; CRITICAL immediate escalation on impact; ISO 14971 probability × severity risk estimation'));
3315
+ this.register('iso80001_key_property_effectiveness', configFlag('governance-runtime', 'keyPropertyEffectivenessTrackingRequired', 'ISO/IEC 80001-1:2021 §4.2.2 — KEY PROPERTY EFFECTIVENESS: medical purpose still achieved; network performance vs device manufacturer specs; HIGH escalation on degradation'));
3316
+ this.register('iso80001_key_property_security', configFlag('governance-runtime', 'keyPropertySecurityTrackingRequired', 'ISO/IEC 80001-1:2021 §4.2.3 — KEY PROPERTY DATA+SYSTEM SECURITY: integrity + availability + confidentiality; SIEM integration; rogue device detection; CRITICAL on cybersecurity event'));
3317
+ this.register('iso80001_medical_it_network_risk_manager', configFlag('governance-runtime', 'designatedMedicalItNetworkRiskManagerRequired', 'ISO/IEC 80001-1:2021 §5 — Designated MITN-RM: named individual + documented authority over change management + Responsibility Agreement authority + 24/7 escalation availability'));
3318
+ this.register('iso80001_responsibility_agreements', configFlag('governance-runtime', 'responsibilityAgreementsRequired', 'ISO/IEC 80001-1:2021 §6 — Responsibility Agreements: RO + device manufacturer + IT operator; security capabilities obligations; change notification; incident notification; annual review'));
3319
+ this.register('iso80001_risk_management_process', configFlag('governance-runtime', 'iso14971AlignmentRequired', 'ISO/IEC 80001-2-1:2012 — Step-by-step risk management: hazard identification + risk estimation + control + residual risk acceptance + ISO 14971 alignment per §4.4'));
3320
+ this.register('iso80001_medical_device_inventory', configFlag('governance-runtime', 'medicalDeviceInventoryRequired', 'ISO/IEC 80001-1:2021 §7 — Medical device inventory: device ID + network ID + clinical context + risk assessment status + Responsibility Agreement reference; updated within 24h'));
3321
+ this.register('iso80001_network_change_management', configFlag('governance-runtime', 'networkChangeManagementApprovalRequired', 'ISO/IEC 80001-1:2021 §8 — Network change management: mandatory pre-change risk assessment, MITN-RM approval gate, NO unilateral changes, post-change key property verification'));
3322
+ this.register('iso80001_incident_management', configFlag('governance-runtime', 'keyPropertyImpactImmediateEscalationRequired', 'ISO/IEC 80001-1:2021 §9 — Incident management: SAFETY CRITICAL immediate escalation, manufacturer notification, 72h regulatory notification, root cause + corrective action + MITN-RM + PSO attestation'));
3323
+ this.register('iso80001_monitoring_event_handling', configFlag('governance-runtime', 'monitoringAndEventHandlingActive', 'ISO/IEC 80001-1:2021 §9 + 80001-2-2 §6 — Monitoring: continuous three KEY PROPERTIES monitoring; SIEM for medical device network; MITN-RM monthly review; coverage verified at each change cycle'));
3324
+ this.register('iso80001_security_capabilities', configFlag('governance-runtime', 'keyPropertySecurityTrackingRequired', 'ISO/IEC 80001-2-2 — Security capabilities: MDS2/SECURE template per device from manufacturer; version tracked vs device software; security gap risk management; annual review'));
3325
+ this.register('iso80001_wireless_network_controls', configFlag('governance-runtime', 'keyPropertyEffectivenessTrackingRequired', 'ISO/IEC 80001-2-3 — Wireless networks: RF site survey; medical SSID/VLAN; WPA3-Enterprise; 802.11e/WMM QoS; roaming performance; interference management; change management required'));
3326
+ this.register('iso80001_distributed_alarm_systems', configFlag('governance-runtime', 'keyPropertySafetyTrackingRequired', 'ISO/IEC 80001-2-5 — Distributed alarm systems: alarm delivery risk assessment; redundancy; end-to-end testing; alarm delivery failure = SAFETY KEY PROPERTY IMPACT CRITICAL block'));
3327
+ this.register('iso80001_iso14971_alignment', configFlag('governance-runtime', 'iso14971AlignmentRequired', 'ISO/IEC 80001-1:2021 §4.4 — ISO 14971 alignment: network-mediated risks linked to device-intrinsic risk files; probability × severity framework; risk/benefit consistent; annual review'));
3328
+ this.register('behavioralValidator_iso80001_key_property_impact_detected', runBehavioralCheck('iso-iec-80001', 'KEY_PROPERTY_IMPACT_EVENT', 'key_property_impact event detected on medical IT network: MITN-RM escalation required', 'BLOCK'));
3329
+ }
3330
+ }
3331
+ exports.ComplianceCheckRegistry = ComplianceCheckRegistry;
3332
+ /**
3333
+ * Shared default registry instance. Tests / apps can use this or
3334
+ * construct their own registry for isolated test fixtures.
3335
+ */
3336
+ exports.defaultCheckRegistry = (() => {
3337
+ const r = new ComplianceCheckRegistry();
3338
+ r.registerDefaults();
3339
+ return r;
3340
+ })();
3341
+ //# sourceMappingURL=check-registry.js.map