npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/dist/services/audit/detectors/ad/compliance.detector.js ADDED Viewed

@@ -0,0 +1,896 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAnssiR1PasswordPolicy = detectAnssiR1PasswordPolicy;
+exports.detectAnssiR2PrivilegedAccounts = detectAnssiR2PrivilegedAccounts;
+exports.detectAnssiR3StrongAuth = detectAnssiR3StrongAuth;
+exports.detectAnssiR4Logging = detectAnssiR4Logging;
+exports.detectAnssiR5Segregation = detectAnssiR5Segregation;
+exports.detectNistAc2AccountManagement = detectNistAc2AccountManagement;
+exports.detectNistAc6LeastPrivilege = detectNistAc6LeastPrivilege;
+exports.detectNistIa5Authenticator = detectNistIa5Authenticator;
+exports.detectNistAu2AuditEvents = detectNistAu2AuditEvents;
+exports.detectCisPasswordPolicy = detectCisPasswordPolicy;
+exports.detectCisNetworkSecurity = detectCisNetworkSecurity;
+exports.detectCisUserRights = detectCisUserRights;
+exports.detectDisaAccountPolicies = detectDisaAccountPolicies;
+exports.detectDisaAuditPolicies = detectDisaAuditPolicies;
+exports.detectMfaNotEnforced = detectMfaNotEnforced;
+exports.detectBackupNotVerified = detectBackupNotVerified;
+exports.detectAuditLogRetentionShort = detectAuditLogRetentionShort;
+exports.detectPrivilegedAccessReviewMissing = detectPrivilegedAccessReviewMissing;
+exports.detectDataClassificationMissing = detectDataClassificationMissing;
+exports.detectChangeManagementBypass = detectChangeManagementBypass;
+exports.detectVendorAccountUnmonitored = detectVendorAccountUnmonitored;
+exports.detectEncryptionAtRestDisabled = detectEncryptionAtRestDisabled;
+exports.detectComplianceScore = detectComplianceScore;
+exports.detectComplianceVulnerabilities = detectComplianceVulnerabilities;
+const entity_converter_1 = require("../../../../utils/entity-converter");
+function detectAnssiR1PasswordPolicy(domain, gpoSettings, _includeDetails) {
+    const issues = [];
+    let compliant = true;
+    const policy = domain['passwordPolicy'];
+    if (policy) {
+        if (policy.minPwdLength < 12) {
+            issues.push(`Minimum password length ${policy.minPwdLength} < 12 required`);
+            compliant = false;
+        }
+        if (policy.pwdHistoryLength < 12) {
+            issues.push(`Password history ${policy.pwdHistoryLength} < 12 required`);
+            compliant = false;
+        }
+        if (policy.lockoutThreshold > 5 && policy.lockoutThreshold !== 0) {
+            issues.push(`Lockout threshold ${policy.lockoutThreshold} > 5 allowed`);
+            compliant = false;
+        }
+        if (policy.maxPwdAge > 90) {
+            issues.push(`Max password age ${policy.maxPwdAge} > 90 days`);
+            compliant = false;
+        }
+    }
+    else {
+        issues.push('Password policy not configured or not readable');
+        compliant = false;
+    }
+    if (gpoSettings?.ldapServerIntegrity !== undefined) {
+    }
+    return {
+        type: 'ANSSI_R1_PASSWORD_POLICY',
+        severity: 'high',
+        category: 'compliance',
+        title: 'ANSSI R1 - Password Policy Non-Compliant',
+        description: 'Password policy does not meet ANSSI R1 recommendations. ANSSI requires minimum 12 characters, password history of 12, lockout threshold ≤5, and max age ≤90 days.',
+        count: compliant ? 0 : 1,
+        details: issues.length > 0 ? { violations: issues, framework: 'ANSSI', control: 'R1' } : undefined,
+    };
+}
+function detectAnssiR2PrivilegedAccounts(users, _groups, includeDetails) {
+    const privilegedGroups = ['Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'];
+    const issues = [];
+    const privilegedUsers = users.filter((u) => {
+        if (!u.memberOf)
+            return false;
+        return u.memberOf.some((dn) => privilegedGroups.some((pg) => dn.includes(`CN=${pg}`)));
+    });
+    for (const user of privilegedUsers) {
+        const userIssues = [];
+        if (user.mail) {
+            userIssues.push('Admin account has email configured (use separate account)');
+        }
+        const uac = user.userAccountControl || 0;
+        if ((uac & 0x40000) === 0) {
+            userIssues.push('Smartcard not required for privileged account');
+        }
+        if (user.enabled && !user.lastLogon) {
+            userIssues.push('Enabled admin account never logged on');
+        }
+        if (userIssues.length > 0) {
+            issues.push({ user: user.sAMAccountName, violations: userIssues });
+        }
+    }
+    const domainAdmins = privilegedUsers.filter((u) => u.memberOf?.some((dn) => dn.includes('CN=Domain Admins')));
+    const domainAdminCount = domainAdmins.length;
+    return {
+        type: 'ANSSI_R2_PRIVILEGED_ACCOUNTS',
+        severity: 'high',
+        category: 'compliance',
+        title: 'ANSSI R2 - Privileged Accounts Non-Compliant',
+        description: 'Privileged accounts do not meet ANSSI R2 recommendations. Admin accounts should use separate identities, require smartcard, and not exceed 10 Domain Admins.',
+        count: issues.length,
+        affectedEntities: includeDetails
+            ? (0, entity_converter_1.toAffectedUserEntities)(users.filter((u) => issues.some((i) => i.user === u.sAMAccountName)))
+            : undefined,
+        details: issues.length > 0
+            ? {
+                violations: issues.slice(0, 10),
+                domainAdminCount,
+                recommendation: domainAdminCount > 10
+                    ? `Reduce Domain Admins from ${domainAdminCount} to ≤10`
+                    : undefined,
+                framework: 'ANSSI',
+                control: 'R2',
+            }
+            : undefined,
+    };
+}
+function detectAnssiR3StrongAuth(users, domain, _includeDetails) {
+    const issues = [];
+    const functionalLevel = domain['domainFunctionalLevel'] || 0;
+    if (functionalLevel < 6) {
+        issues.push(`Domain functional level ${functionalLevel} is below 2012 R2 (6), limiting security features`);
+    }
+    const weakEncryptionUsers = users.filter((u) => {
+        const encTypes = u['msDS-SupportedEncryptionTypes'];
+        if (typeof encTypes !== 'number')
+            return false;
+        return (encTypes & 0x18) === 0 && (encTypes & 0x7) !== 0;
+    });
+    if (weakEncryptionUsers.length > 0) {
+        issues.push(`${weakEncryptionUsers.length} users with weak encryption (no AES)`);
+    }
+    const noPreAuthUsers = users.filter((u) => {
+        const uac = u.userAccountControl || 0;
+        return (uac & 0x400000) !== 0;
+    });
+    if (noPreAuthUsers.length > 0) {
+        issues.push(`${noPreAuthUsers.length} users without Kerberos pre-authentication`);
+    }
+    return {
+        type: 'ANSSI_R3_STRONG_AUTH',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'ANSSI R3 - Strong Authentication Issues',
+        description: 'Strong authentication mechanisms not fully enforced per ANSSI R3. Kerberos AES should be required, and weak encryption types disabled.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'ANSSI', control: 'R3' } : undefined,
+    };
+}
+function detectAnssiR4Logging(gpoSettings, _includeDetails) {
+    const issues = [];
+    if (!gpoSettings) {
+        issues.push('GPO settings not available for audit policy analysis');
+    }
+    else {
+        if (gpoSettings.auditPolicies && gpoSettings.auditPolicies.length > 0) {
+            const audit = gpoSettings.auditPolicies;
+            const hasLogon = audit.some((p) => p.category.includes('Logon') && p.success && p.failure);
+            const hasAccountMgmt = audit.some((p) => p.category.includes('Account Management') && p.success && p.failure);
+            const hasPolicyChange = audit.some((p) => p.category.includes('Policy Change') && p.success && p.failure);
+            const hasPrivilegeUse = audit.some((p) => p.category.includes('Privilege Use') && p.success && p.failure);
+            if (!hasLogon)
+                issues.push('Logon events not fully audited');
+            if (!hasAccountMgmt)
+                issues.push('Account management not fully audited');
+            if (!hasPolicyChange)
+                issues.push('Policy changes not fully audited');
+            if (!hasPrivilegeUse)
+                issues.push('Privilege use not fully audited');
+        }
+        else {
+            issues.push('Audit policy not configured');
+        }
+    }
+    return {
+        type: 'ANSSI_R4_LOGGING',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'ANSSI R4 - Logging Non-Compliant',
+        description: 'Logging configuration does not meet ANSSI R4 recommendations. All security events should be audited with adequate log retention.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'ANSSI', control: 'R4' } : undefined,
+    };
+}
+function detectAnssiR5Segregation(users, computers, _includeDetails) {
+    const issues = [];
+    const privilegedGroups = ['Domain Admins', 'Enterprise Admins', 'Schema Admins'];
+    const admins = users.filter((u) => u.memberOf?.some((dn) => privilegedGroups.some((pg) => dn.includes(`CN=${pg}`))));
+    const serviceAccounts = users.filter((u) => {
+        const name = (u.sAMAccountName || '').toLowerCase();
+        return name.includes('svc') || name.includes('service') || name.startsWith('sa_');
+    });
+    const interactiveServiceAccounts = serviceAccounts.filter((u) => {
+        return u.enabled;
+    });
+    if (interactiveServiceAccounts.length > 0) {
+        issues.push(`${interactiveServiceAccounts.length} service accounts may allow interactive logon`);
+    }
+    const workstationsInServerOu = computers.filter((c) => {
+        const os = (0, entity_converter_1.ldapAttrToString)(c.operatingSystem);
+        const isWorkstation = /windows 10|windows 11|windows 7|windows 8/i.test(os);
+        const isInServerOu = /ou=servers|ou=server|ou=datacenter/i.test(c.dn);
+        return isWorkstation && isInServerOu;
+    });
+    if (workstationsInServerOu.length > 0) {
+        issues.push(`${workstationsInServerOu.length} workstations in server OUs (tier violation)`);
+    }
+    if (admins.length > 15) {
+        issues.push(`${admins.length} privileged accounts (recommend <15 for proper segregation)`);
+    }
+    return {
+        type: 'ANSSI_R5_SEGREGATION',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'ANSSI R5 - Segregation Issues',
+        description: 'Network and privilege segregation does not meet ANSSI R5 recommendations. Implement tiered administration model.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'ANSSI', control: 'R5' } : undefined,
+    };
+}
+function detectNistAc2AccountManagement(users, includeDetails) {
+    const issues = [];
+    const affectedUsers = [];
+    const now = Date.now();
+    const ninetyDaysAgo = now - 90 * 24 * 60 * 60 * 1000;
+    const inactiveAccounts = users.filter((u) => u.enabled && u.lastLogon && u.lastLogon.getTime() < ninetyDaysAgo);
+    if (inactiveAccounts.length > 0) {
+        issues.push({ issue: 'Inactive accounts (90+ days) still enabled', count: inactiveAccounts.length });
+        affectedUsers.push(...inactiveAccounts);
+    }
+    const neverLoggedOn = users.filter((u) => u.enabled && !u.lastLogon);
+    if (neverLoggedOn.length > 0) {
+        issues.push({ issue: 'Enabled accounts never logged on', count: neverLoggedOn.length });
+        affectedUsers.push(...neverLoggedOn.filter((u) => !affectedUsers.includes(u)));
+    }
+    const guestEnabled = users.filter((u) => u.sAMAccountName.toLowerCase() === 'guest' && u.enabled);
+    if (guestEnabled.length > 0) {
+        issues.push({ issue: 'Guest account enabled', count: 1 });
+        affectedUsers.push(...guestEnabled);
+    }
+    return {
+        type: 'NIST_AC_2_ACCOUNT_MANAGEMENT',
+        severity: 'high',
+        category: 'compliance',
+        title: 'NIST AC-2 - Account Management Issues',
+        description: 'Account management does not comply with NIST AC-2. Inactive accounts should be disabled, guest account should be disabled.',
+        count: affectedUsers.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affectedUsers.slice(0, 50)) : undefined,
+        details: issues.length > 0 ? { violations: issues, framework: 'NIST', control: 'AC-2' } : undefined,
+    };
+}
+function detectNistAc6LeastPrivilege(users, groups, includeDetails) {
+    const issues = [];
+    const affectedUsers = [];
+    const sensitiveGroups = [
+        'Domain Admins',
+        'Enterprise Admins',
+        'Schema Admins',
+        'Administrators',
+        'Account Operators',
+        'Backup Operators',
+        'Server Operators',
+        'Print Operators',
+    ];
+    const usersInMultipleSensitiveGroups = users.filter((u) => {
+        if (!u.memberOf)
+            return false;
+        const sensitiveCount = u.memberOf.filter((dn) => sensitiveGroups.some((sg) => dn.includes(`CN=${sg}`))).length;
+        return sensitiveCount > 1;
+    });
+    if (usersInMultipleSensitiveGroups.length > 0) {
+        issues.push({
+            issue: 'Users in multiple sensitive groups',
+            count: usersInMultipleSensitiveGroups.length,
+        });
+        affectedUsers.push(...usersInMultipleSensitiveGroups);
+    }
+    const domainAdmins = users.filter((u) => u.memberOf?.some((dn) => dn.includes('CN=Domain Admins')));
+    if (domainAdmins.length > 5) {
+        issues.push({
+            issue: `Excessive Domain Admins (${domainAdmins.length}, recommend ≤5)`,
+            count: domainAdmins.length,
+        });
+    }
+    const oversizedPrivilegedGroups = groups.filter((g) => {
+        const isSensitive = sensitiveGroups.some((sg) => g.sAMAccountName?.toLowerCase() === sg.toLowerCase());
+        return isSensitive && (g.member?.length || 0) > 10;
+    });
+    if (oversizedPrivilegedGroups.length > 0) {
+        issues.push({
+            issue: 'Privileged groups with >10 members',
+            count: oversizedPrivilegedGroups.length,
+        });
+    }
+    return {
+        type: 'NIST_AC_6_LEAST_PRIVILEGE',
+        severity: 'high',
+        category: 'compliance',
+        title: 'NIST AC-6 - Least Privilege Violations',
+        description: 'Privilege assignments do not comply with NIST AC-6 least privilege principle. Review and reduce excessive privileges.',
+        count: affectedUsers.length + oversizedPrivilegedGroups.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affectedUsers.slice(0, 50)) : undefined,
+        details: issues.length > 0 ? { violations: issues, framework: 'NIST', control: 'AC-6' } : undefined,
+    };
+}
+function detectNistIa5Authenticator(domain, users, _includeDetails) {
+    const issues = [];
+    const policy = domain['passwordPolicy'];
+    if (policy) {
+        if (!policy.complexityEnabled) {
+            issues.push('Password complexity not enabled');
+        }
+        if (policy.minPwdLength < 14) {
+            issues.push(`Minimum password length ${policy.minPwdLength} < 14 (NIST recommends 14+)`);
+        }
+        if (policy.lockoutThreshold === 0) {
+            issues.push('Account lockout not configured');
+        }
+    }
+    const noPasswordRequired = users.filter((u) => {
+        const uac = u.userAccountControl || 0;
+        return (uac & 0x20) !== 0;
+    });
+    if (noPasswordRequired.length > 0) {
+        issues.push(`${noPasswordRequired.length} accounts with password not required`);
+    }
+    const reversibleEncryption = users.filter((u) => {
+        const uac = u.userAccountControl || 0;
+        return (uac & 0x80) !== 0;
+    });
+    if (reversibleEncryption.length > 0) {
+        issues.push(`${reversibleEncryption.length} accounts with reversible encryption`);
+    }
+    return {
+        type: 'NIST_IA_5_AUTHENTICATOR',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'NIST IA-5 - Authenticator Management Issues',
+        description: 'Authenticator management does not comply with NIST IA-5. Password policies should enforce complexity and secure storage.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'NIST', control: 'IA-5' } : undefined,
+    };
+}
+function detectNistAu2AuditEvents(gpoSettings, _includeDetails) {
+    const issues = [];
+    if (!gpoSettings?.auditPolicies || gpoSettings.auditPolicies.length === 0) {
+        issues.push('Audit policy not configured or not readable');
+    }
+    else {
+        const audit = gpoSettings.auditPolicies;
+        const requiredCategories = [
+            'Account Logon',
+            'Account Management',
+            'Policy Change',
+            'System',
+            'Object Access',
+        ];
+        for (const category of requiredCategories) {
+            const hasCategory = audit.some((p) => p.category.includes(category) && p.success && p.failure);
+            if (!hasCategory) {
+                issues.push(`${category} not fully audited (success and failure)`);
+            }
+        }
+    }
+    return {
+        type: 'NIST_AU_2_AUDIT_EVENTS',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'NIST AU-2 - Audit Events Non-Compliant',
+        description: 'Audit event configuration does not comply with NIST AU-2. All security-relevant events should be audited.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'NIST', control: 'AU-2' } : undefined,
+    };
+}
+function detectCisPasswordPolicy(domain, _includeDetails) {
+    const issues = [];
+    const policy = domain['passwordPolicy'];
+    if (policy) {
+        if (policy.minPwdLength < 14) {
+            issues.push(`Minimum password length ${policy.minPwdLength} < 14 (CIS 1.1.1)`);
+        }
+        if (policy.pwdHistoryLength < 24) {
+            issues.push(`Password history ${policy.pwdHistoryLength} < 24 (CIS 1.1.2)`);
+        }
+        if (policy.maxPwdAge > 365) {
+            issues.push(`Max password age ${policy.maxPwdAge} > 365 days (CIS 1.1.3)`);
+        }
+        if (policy.minPwdAge < 1) {
+            issues.push(`Min password age ${policy.minPwdAge} < 1 day (CIS 1.1.4)`);
+        }
+        if (!policy.complexityEnabled) {
+            issues.push('Password complexity not enabled (CIS 1.1.5)');
+        }
+        if (policy.reversibleEncryption) {
+            issues.push('Reversible encryption enabled (CIS 1.1.6)');
+        }
+    }
+    else {
+        issues.push('Password policy not available');
+    }
+    return {
+        type: 'CIS_PASSWORD_POLICY',
+        severity: 'high',
+        category: 'compliance',
+        title: 'CIS Benchmark - Password Policy Non-Compliant',
+        description: 'Password policy does not meet CIS Benchmark recommendations. Review and update password policy settings.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'CIS', control: '1.1.x' } : undefined,
+    };
+}
+function detectCisNetworkSecurity(gpoSettings, _includeDetails) {
+    const issues = [];
+    if (gpoSettings) {
+        if (gpoSettings.smbv1ServerEnabled || gpoSettings.smbv1ClientEnabled) {
+            issues.push('SMBv1 enabled (CIS 2.3.7.1 - Disable SMBv1)');
+        }
+        if (gpoSettings.ldapServerIntegrity !== undefined && gpoSettings.ldapServerIntegrity < 2) {
+            issues.push('LDAP signing not required (CIS 2.3.7.2)');
+        }
+        if (gpoSettings.ldapChannelBinding !== undefined && gpoSettings.ldapChannelBinding < 2) {
+            issues.push('LDAP channel binding not required (CIS 2.3.7.3)');
+        }
+    }
+    else {
+        issues.push('GPO settings not available for network security analysis');
+    }
+    return {
+        type: 'CIS_NETWORK_SECURITY',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'CIS Benchmark - Network Security Non-Compliant',
+        description: 'Network security settings do not meet CIS Benchmark recommendations. SMBv1 should be disabled, LDAP signing required.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'CIS', control: '2.3.7.x' } : undefined,
+    };
+}
+function detectCisUserRights(users, groups, _includeDetails) {
+    const issues = [];
+    const sensitiveGroups = ['Administrators', 'Domain Admins', 'Enterprise Admins'];
+    const problematicMembers = ['Everyone', 'Authenticated Users', 'ANONYMOUS LOGON'];
+    for (const group of groups) {
+        const isSensitive = sensitiveGroups.some((sg) => group.sAMAccountName?.toLowerCase() === sg.toLowerCase());
+        if (!isSensitive)
+            continue;
+        const hasProblematicMember = group.member?.some((memberDn) => problematicMembers.some((pm) => memberDn.toLowerCase().includes(pm.toLowerCase())));
+        if (hasProblematicMember) {
+            issues.push(`${group.sAMAccountName} contains well-known security principal (CIS 2.3.11.x)`);
+        }
+    }
+    const trustedForDelegation = users.filter((u) => {
+        const uac = u.userAccountControl || 0;
+        return (uac & 0x80000) !== 0;
+    });
+    if (trustedForDelegation.length > 0) {
+        issues.push(`${trustedForDelegation.length} users trusted for delegation (CIS 2.3.11.x)`);
+    }
+    return {
+        type: 'CIS_USER_RIGHTS',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'CIS Benchmark - User Rights Issues',
+        description: 'User rights assignments do not meet CIS Benchmark recommendations. Review delegation and group memberships.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'CIS', control: '2.3.11.x' } : undefined,
+    };
+}
+function detectDisaAccountPolicies(domain, users, _includeDetails) {
+    const issues = [];
+    const policy = domain['passwordPolicy'];
+    if (policy) {
+        if (policy.minPwdLength < 15) {
+            issues.push(`Min password length ${policy.minPwdLength} < 15 (V-220857)`);
+        }
+        if (policy.lockoutDuration > 0 && policy.lockoutDuration < 15) {
+            issues.push(`Lockout duration ${policy.lockoutDuration} min < 15 min (V-220857)`);
+        }
+        if (policy.lockoutThreshold > 3) {
+            issues.push(`Lockout threshold ${policy.lockoutThreshold} > 3 (V-220857)`);
+        }
+    }
+    const noExpiration = users.filter((u) => {
+        const uac = u.userAccountControl || 0;
+        const hasNoExpire = (uac & 0x10000) !== 0;
+        const isServiceAccount = u.sAMAccountName.toLowerCase().includes('svc') ||
+            u.sAMAccountName.toLowerCase().includes('service');
+        return hasNoExpire && !isServiceAccount;
+    });
+    if (noExpiration.length > 0) {
+        issues.push(`${noExpiration.length} non-service accounts with password never expires (V-220857)`);
+    }
+    return {
+        type: 'DISA_ACCOUNT_POLICIES',
+        severity: 'high',
+        category: 'compliance',
+        title: 'DISA STIG - Account Policies Non-Compliant',
+        description: 'Account policies do not comply with DISA STIG V-220857. Review password and lockout policy settings.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'DISA', control: 'V-220857' } : undefined,
+    };
+}
+function detectDisaAuditPolicies(gpoSettings, _includeDetails) {
+    const issues = [];
+    if (!gpoSettings?.auditPolicies || gpoSettings.auditPolicies.length === 0) {
+        issues.push('Audit policy not configured (V-220858)');
+    }
+    else {
+        const audit = gpoSettings.auditPolicies;
+        const disaRequirements = [
+            { name: 'Account Logon (Success)', check: (a) => a.some((p) => p.category.includes('Logon') && p.success) },
+            { name: 'Account Logon (Failure)', check: (a) => a.some((p) => p.category.includes('Logon') && p.failure) },
+            { name: 'Account Management (Success)', check: (a) => a.some((p) => p.category.includes('Account Management') && p.success) },
+            { name: 'Account Management (Failure)', check: (a) => a.some((p) => p.category.includes('Account Management') && p.failure) },
+            { name: 'Policy Change (Success)', check: (a) => a.some((p) => p.category.includes('Policy Change') && p.success) },
+            { name: 'Policy Change (Failure)', check: (a) => a.some((p) => p.category.includes('Policy Change') && p.failure) },
+            { name: 'Privilege Use (Success)', check: (a) => a.some((p) => p.category.includes('Privilege Use') && p.success) },
+            { name: 'Privilege Use (Failure)', check: (a) => a.some((p) => p.category.includes('Privilege Use') && p.failure) },
+        ];
+        for (const req of disaRequirements) {
+            if (!req.check(audit)) {
+                issues.push(`${req.name} audit not enabled (V-220858)`);
+            }
+        }
+    }
+    return {
+        type: 'DISA_AUDIT_POLICIES',
+        severity: 'high',
+        category: 'compliance',
+        title: 'DISA STIG - Audit Policies Non-Compliant',
+        description: 'Audit policies do not comply with DISA STIG V-220858. All required audit categories should be enabled.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? { violations: issues, framework: 'DISA', control: 'V-220858' } : undefined,
+    };
+}
+function detectMfaNotEnforced(users, includeDetails) {
+    const privilegedGroups = ['Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'];
+    const privilegedUsers = users.filter((u) => {
+        if (!u.memberOf)
+            return false;
+        return u.memberOf.some((dn) => privilegedGroups.some((pg) => dn.includes(`CN=${pg}`)));
+    });
+    const noMfa = privilegedUsers.filter((u) => {
+        const uac = u.userAccountControl || 0;
+        return (uac & 0x40000) === 0;
+    });
+    return {
+        type: 'MFA_NOT_ENFORCED',
+        severity: 'high',
+        category: 'compliance',
+        title: 'MFA Not Enforced for Privileged Accounts',
+        description: 'Privileged accounts do not require multi-factor authentication (smartcard). Required by PCI-DSS 8.3, SOC2 CC6.1, ISO27001 A.9.4.2.',
+        count: noMfa.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(noMfa.slice(0, 50)) : undefined,
+        details: noMfa.length > 0 ? {
+            frameworks: ['PCI-DSS', 'SOC2', 'ISO27001'],
+            controls: ['8.3', 'CC6.1', 'A.9.4.2'],
+            recommendation: 'Enable smartcard requirement for all privileged accounts',
+        } : undefined,
+    };
+}
+function detectBackupNotVerified(domain, _includeDetails) {
+    const issues = [];
+    const tombstoneLifetime = domain['tombstoneLifetime'] || 180;
+    if (tombstoneLifetime === 180 || tombstoneLifetime === 60) {
+        issues.push(`Tombstone lifetime is default (${tombstoneLifetime} days) - backup policy may not be configured`);
+    }
+    const lastBackup = domain['lastBackupTime'];
+    if (!lastBackup) {
+        issues.push('No backup metadata found - verify AD backup is configured and tested');
+    }
+    return {
+        type: 'BACKUP_AD_NOT_VERIFIED',
+        severity: 'high',
+        category: 'compliance',
+        title: 'AD Backup Not Verified',
+        description: 'Active Directory backup configuration cannot be verified. Required by SOC2 A1.2, DORA Article 11, ISO27001 A.12.3.1.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? {
+            violations: issues,
+            frameworks: ['SOC2', 'DORA', 'ISO27001'],
+            controls: ['A1.2', 'Art.11', 'A.12.3.1'],
+            recommendation: 'Configure and regularly test AD system state backups',
+        } : undefined,
+    };
+}
+function detectAuditLogRetentionShort(gpoSettings, _includeDetails) {
+    const issues = [];
+    if (!gpoSettings?.auditPolicies || gpoSettings.auditPolicies.length === 0) {
+        issues.push('Audit policy not configured - log retention cannot be verified');
+    }
+    else {
+        const hasSecurityAudit = gpoSettings.auditPolicies.some((p) => p.category.includes('Logon') || p.category.includes('Account'));
+        if (!hasSecurityAudit) {
+            issues.push('Security events not being audited - retention policy meaningless without logging');
+        }
+    }
+    if (issues.length === 0) {
+        issues.push('Log retention period should be verified manually (1 year minimum for compliance)');
+    }
+    return {
+        type: 'AUDIT_LOG_RETENTION_SHORT',
+        severity: 'high',
+        category: 'compliance',
+        title: 'Audit Log Retention Below Requirements',
+        description: 'Audit log retention period may not meet compliance requirements (1 year minimum). Required by SOX Section 802, HIPAA 164.312(b), PCI-DSS 10.7.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? {
+            violations: issues,
+            frameworks: ['SOX', 'HIPAA', 'PCI-DSS'],
+            controls: ['Section 802', '164.312(b)', '10.7'],
+            recommendation: 'Configure log retention for minimum 1 year with SIEM integration',
+        } : undefined,
+    };
+}
+function detectPrivilegedAccessReviewMissing(users, groups, _includeDetails) {
+    const issues = [];
+    const NINETY_DAYS_MS = 90 * 24 * 60 * 60 * 1000;
+    const now = Date.now();
+    const privilegedGroupNames = ['Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'];
+    for (const group of groups) {
+        if (!privilegedGroupNames.some(pg => group.sAMAccountName?.toLowerCase() === pg.toLowerCase())) {
+            continue;
+        }
+        const groupChanged = group['whenChanged'];
+        if (groupChanged && (now - groupChanged.getTime()) > NINETY_DAYS_MS) {
+            const memberCount = group.member?.length || 0;
+            if (memberCount > 0) {
+                issues.push(`${group.sAMAccountName} (${memberCount} members) not reviewed in 90+ days`);
+            }
+        }
+    }
+    const privilegedUsers = users.filter((u) => {
+        if (!u.memberOf)
+            return false;
+        return u.memberOf.some((dn) => privilegedGroupNames.some((pg) => dn.includes(`CN=${pg}`)));
+    });
+    const staleAdmins = privilegedUsers.filter((u) => {
+        if (!u.lastLogon)
+            return true;
+        return (now - u.lastLogon.getTime()) > NINETY_DAYS_MS;
+    });
+    if (staleAdmins.length > 0) {
+        issues.push(`${staleAdmins.length} privileged accounts inactive for 90+ days`);
+    }
+    return {
+        type: 'PRIVILEGED_ACCESS_REVIEW_MISSING',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'Privileged Access Review Missing',
+        description: 'Privileged access has not been reviewed recently. Required by SOX Section 404, ISO27001 A.9.2.5, SOC2 CC6.2.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? {
+            violations: issues,
+            frameworks: ['SOX', 'ISO27001', 'SOC2'],
+            controls: ['Section 404', 'A.9.2.5', 'CC6.2'],
+            recommendation: 'Implement quarterly privileged access reviews with documented approval',
+        } : undefined,
+    };
+}
+function detectDataClassificationMissing(domain, _includeDetails) {
+    const issues = [];
+    const domainDescription = domain['description'] || '';
+    const hasClassificationKeywords = /confidential|restricted|internal|public|sensitive|pii|phi|pci/i.test(domainDescription);
+    if (!hasClassificationKeywords) {
+        issues.push('Domain description does not indicate data classification policy');
+    }
+    const msExchVersion = domain['msExchVersion'];
+    if (msExchVersion) {
+        issues.push('Exchange detected - email data classification policy required for GDPR/HIPAA');
+    }
+    return {
+        type: 'DATA_CLASSIFICATION_MISSING',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'Data Classification Not Implemented',
+        description: 'Data classification scheme not detected in AD structure. Required by GDPR Article 30, ISO27001 A.8.2.1, HIPAA 164.312.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? {
+            violations: issues,
+            frameworks: ['GDPR', 'ISO27001', 'HIPAA'],
+            controls: ['Art.30', 'A.8.2.1', '164.312'],
+            recommendation: 'Implement data classification scheme using OU structure and object attributes',
+        } : undefined,
+    };
+}
+function detectChangeManagementBypass(users, groups, _includeDetails) {
+    const issues = [];
+    const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;
+    const now = Date.now();
+    const privilegedGroupNames = ['Domain Admins', 'Enterprise Admins', 'Schema Admins'];
+    for (const group of groups) {
+        if (!privilegedGroupNames.some(pg => group.sAMAccountName?.toLowerCase() === pg.toLowerCase())) {
+            continue;
+        }
+        const groupChanged = group['whenChanged'];
+        if (groupChanged && (now - groupChanged.getTime()) < SEVEN_DAYS_MS) {
+            issues.push(`${group.sAMAccountName} modified in last 7 days - verify change request exists`);
+        }
+    }
+    const recentAdmins = users.filter((u) => {
+        if (!u.memberOf?.some((dn) => privilegedGroupNames.some((pg) => dn.includes(`CN=${pg}`)))) {
+            return false;
+        }
+        const created = u['whenCreated'];
+        return created && (now - created.getTime()) < SEVEN_DAYS_MS;
+    });
+    if (recentAdmins.length > 0) {
+        issues.push(`${recentAdmins.length} privileged accounts created in last 7 days - verify change requests`);
+    }
+    return {
+        type: 'CHANGE_MANAGEMENT_BYPASS',
+        severity: 'high',
+        category: 'compliance',
+        title: 'Potential Change Management Bypass',
+        description: 'Recent privileged changes detected - verify change management process was followed. Required by SOX Section 404, ISO27001 A.12.1.2, SOC2 CC8.1.',
+        count: issues.length > 0 ? 1 : 0,
+        details: issues.length > 0 ? {
+            violations: issues,
+            frameworks: ['SOX', 'ISO27001', 'SOC2'],
+            controls: ['Section 404', 'A.12.1.2', 'CC8.1'],
+            recommendation: 'Implement privileged change approval workflow with audit trail',
+        } : undefined,
+    };
+}
+function detectVendorAccountUnmonitored(users, includeDetails) {
+    const vendorPatterns = [
+        /vendor/i, /external/i, /contractor/i, /consultant/i,
+        /partner/i, /third.?party/i, /supplier/i, /^ext[_-]/i,
+        /^v[_-]/i, /^tmp[_-]/i, /^temp[_-]/i
+    ];
+    const vendorAccounts = users.filter((u) => {
+        const name = u.sAMAccountName || '';
+        const desc = u['description'] || '';
+        const displayName = u.displayName || '';
+        return vendorPatterns.some(p => p.test(name) || p.test(desc) || p.test(displayName));
+    });
+    const unmonitoredVendors = vendorAccounts.filter((u) => {
+        const accountExpires = u['accountExpires'];
+        let hasExpiry = false;
+        if (accountExpires) {
+            if (typeof accountExpires === 'bigint') {
+                hasExpiry = accountExpires !== BigInt('9223372036854775807') && accountExpires !== BigInt(0);
+            }
+            else if (typeof accountExpires === 'number') {
+                hasExpiry = accountExpires !== 9223372036854775807 && accountExpires !== 0;
+            }
+            else if (accountExpires instanceof Date) {
+                hasExpiry = accountExpires.getTime() > Date.now();
+            }
+        }
+        const lastLogon = u.lastLogon;
+        const NINETY_DAYS_MS = 90 * 24 * 60 * 60 * 1000;
+        const isActive = lastLogon && (Date.now() - lastLogon.getTime()) < NINETY_DAYS_MS;
+        return !hasExpiry && isActive;
+    });
+    return {
+        type: 'VENDOR_ACCOUNT_UNMONITORED',
+        severity: 'medium',
+        category: 'compliance',
+        title: 'Vendor Accounts Not Properly Monitored',
+        description: 'Third-party/vendor accounts detected without proper expiration or monitoring controls. Required by DORA Article 28, ISO27001 A.15.1.1, SOC2 CC9.2.',
+        count: unmonitoredVendors.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(unmonitoredVendors.slice(0, 50)) : undefined,
+        details: unmonitoredVendors.length > 0 ? {
+            totalVendorAccounts: vendorAccounts.length,
+            unmonitoredCount: unmonitoredVendors.length,
+            frameworks: ['DORA', 'ISO27001', 'SOC2'],
+            controls: ['Art.28', 'A.15.1.1', 'CC9.2'],
+            recommendation: 'Set expiration dates and enable enhanced logging for all vendor accounts',
+        } : undefined,
+    };
+}
+function detectEncryptionAtRestDisabled(computers, _includeDetails) {
+    const domainControllers = computers.filter((c) => {
+        const uac = c.userAccountControl || 0;
+        return (uac & 0x2000) !== 0;
+    });
+    const dcsWithoutBitLocker = domainControllers.filter((dc) => {
+        const hasBitLocker = dc['msFVE-RecoveryPassword'] || dc['msFVE-KeyPackage'];
+        return !hasBitLocker;
+    });
+    const servers = computers.filter((c) => {
+        const os = (0, entity_converter_1.ldapAttrToString)(c.operatingSystem).toLowerCase();
+        return os.includes('server') && !domainControllers.includes(c);
+    });
+    const serversWithoutBitLocker = servers.filter((s) => {
+        const hasBitLocker = s['msFVE-RecoveryPassword'] || s['msFVE-KeyPackage'];
+        return !hasBitLocker;
+    });
+    const issues = [];
+    if (dcsWithoutBitLocker.length > 0) {
+        issues.push(`${dcsWithoutBitLocker.length}/${domainControllers.length} Domain Controllers without BitLocker`);
+    }
+    if (serversWithoutBitLocker.length > 0 && serversWithoutBitLocker.length === servers.length) {
+        issues.push(`No servers have BitLocker recovery stored in AD`);
+    }
+    return {
+        type: 'ENCRYPTION_AT_REST_DISABLED',
+        severity: 'high',
+        category: 'compliance',
+        title: 'Encryption at Rest Not Deployed',
+        description: 'BitLocker encryption not detected on domain controllers or servers. Required by PCI-DSS 3.4, HIPAA 164.312(a)(2)(iv), ISO27001 A.10.1.1.',
+        count: dcsWithoutBitLocker.length,
+        details: issues.length > 0 ? {
+            violations: issues,
+            domainControllers: domainControllers.length,
+            dcsWithBitLocker: domainControllers.length - dcsWithoutBitLocker.length,
+            frameworks: ['PCI-DSS', 'HIPAA', 'ISO27001'],
+            controls: ['3.4', '164.312(a)(2)(iv)', 'A.10.1.1'],
+            recommendation: 'Deploy BitLocker on all domain controllers and servers with AD key backup',
+        } : undefined,
+    };
+}
+function detectComplianceScore(findings, _includeDetails) {
+    const anssi = { total: 5, passed: 0 };
+    const nist = { total: 4, passed: 0 };
+    const cis = { total: 3, passed: 0 };
+    const disa = { total: 2, passed: 0 };
+    const industry = { total: 8, passed: 0 };
+    const industryTypes = [
+        'MFA_NOT_ENFORCED',
+        'BACKUP_AD_NOT_VERIFIED',
+        'AUDIT_LOG_RETENTION_SHORT',
+        'PRIVILEGED_ACCESS_REVIEW_MISSING',
+        'DATA_CLASSIFICATION_MISSING',
+        'CHANGE_MANAGEMENT_BYPASS',
+        'VENDOR_ACCOUNT_UNMONITORED',
+        'ENCRYPTION_AT_REST_DISABLED',
+    ];
+    const complianceFindings = findings.filter((f) => f.category === 'compliance');
+    for (const finding of complianceFindings) {
+        if (finding.count === 0) {
+            if (finding.type.startsWith('ANSSI_'))
+                anssi.passed++;
+            else if (finding.type.startsWith('NIST_'))
+                nist.passed++;
+            else if (finding.type.startsWith('CIS_'))
+                cis.passed++;
+            else if (finding.type.startsWith('DISA_'))
+                disa.passed++;
+            else if (industryTypes.includes(finding.type))
+                industry.passed++;
+        }
+    }
+    const totalControls = anssi.total + nist.total + cis.total + disa.total + industry.total;
+    const passedControls = anssi.passed + nist.passed + cis.passed + disa.passed + industry.passed;
+    const compliancePercentage = Math.round((passedControls / totalControls) * 100);
+    return {
+        type: 'COMPLIANCE_SCORE',
+        severity: 'low',
+        category: 'compliance',
+        title: 'Compliance Score Summary',
+        description: `Overall compliance score: ${compliancePercentage}%. This represents adherence to ANSSI, NIST, CIS, DISA, and industry frameworks (PCI-DSS, SOC2, GDPR, SOX, DORA, HIPAA, ISO27001).`,
+        count: totalControls - passedControls,
+        details: {
+            score: compliancePercentage,
+            frameworks: {
+                ANSSI: `${anssi.passed}/${anssi.total}`,
+                NIST: `${nist.passed}/${nist.total}`,
+                CIS: `${cis.passed}/${cis.total}`,
+                DISA: `${disa.passed}/${disa.total}`,
+                'Industry (PCI/SOC2/GDPR/SOX/DORA/HIPAA/ISO)': `${industry.passed}/${industry.total}`,
+            },
+            passedControls,
+            totalControls,
+            recommendation: compliancePercentage < 70
+                ? 'Compliance score is below 70%. Prioritize addressing high-severity compliance gaps.'
+                : undefined,
+        },
+    };
+}
+function detectComplianceVulnerabilities(users, groups, computers, domain, gpoSettings, includeDetails) {
+    const findings = [
+        detectAnssiR1PasswordPolicy(domain, gpoSettings, includeDetails),
+        detectAnssiR2PrivilegedAccounts(users, groups, includeDetails),
+        detectAnssiR3StrongAuth(users, domain, includeDetails),
+        detectAnssiR4Logging(gpoSettings, includeDetails),
+        detectAnssiR5Segregation(users, computers, includeDetails),
+        detectNistAc2AccountManagement(users, includeDetails),
+        detectNistAc6LeastPrivilege(users, groups, includeDetails),
+        detectNistIa5Authenticator(domain, users, includeDetails),
+        detectNistAu2AuditEvents(gpoSettings, includeDetails),
+        detectCisPasswordPolicy(domain, includeDetails),
+        detectCisNetworkSecurity(gpoSettings, includeDetails),
+        detectCisUserRights(users, groups, includeDetails),
+        detectDisaAccountPolicies(domain, users, includeDetails),
+        detectDisaAuditPolicies(gpoSettings, includeDetails),
+        detectMfaNotEnforced(users, includeDetails),
+        detectBackupNotVerified(domain, includeDetails),
+        detectAuditLogRetentionShort(gpoSettings, includeDetails),
+        detectPrivilegedAccessReviewMissing(users, groups, includeDetails),
+        detectDataClassificationMissing(domain, includeDetails),
+        detectChangeManagementBypass(users, groups, includeDetails),
+        detectVendorAccountUnmonitored(users, includeDetails),
+        detectEncryptionAtRestDisabled(computers, includeDetails),
+    ];
+    findings.push(detectComplianceScore(findings, includeDetails));
+    return findings.filter((f) => f.count > 0 || f.type === 'COMPLIANCE_SCORE');
+}
+//# sourceMappingURL=compliance.detector.js.map