@grc-claw/compliance-autopilot 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/ComplianceAutopilot.d.ts +38 -0
  2. package/dist/ComplianceAutopilot.js +548 -0
  3. package/dist/index.d.ts +2 -0
  4. package/dist/index.js +1 -0
  5. package/dist/index.test.d.ts +1 -0
  6. package/dist/index.test.js +174 -0
  7. package/dist/types.d.ts +121 -0
  8. package/dist/types.js +1 -0
  9. package/package.json +29 -0
package/dist/ComplianceAutopilot.d.ts ADDED
@@ -0,0 +1,38 @@
1
+ import type { AutopilotConfig, Control, ComplianceGap, ComplianceReport, CycleResult, MonitorResult, RemediationPlan, VerificationResult, AuditEntry } from './types.js';
2
+ export declare class ComplianceAutopilot {
3
+ private config;
4
+ private db?;
5
+ private auditTrail;
6
+ private lastHash;
7
+ private controls;
8
+ private gaps;
9
+ private remediations;
10
+ private monitoringIntervalId;
11
+ constructor(config: AutopilotConfig);
12
+ private initializeControls;
13
+ private recordAudit;
14
+ /** Cryptographically sign an audit entry */
15
+ signAuditEntry(entryId: string, signingKey: string): string;
16
+ /** Verify audit trail integrity */
17
+ verifyAuditTrail(): boolean;
18
+ monitor(): Promise<MonitorResult>;
19
+ private determineSeverity;
20
+ private getEvidenceForControl;
21
+ detect(): ComplianceGap[];
22
+ remediate(gaps?: ComplianceGap[]): Promise<RemediationPlan[]>;
23
+ private createRemediationPlan;
24
+ private executeRemediation;
25
+ private executeAction;
26
+ verify(remediationIds?: string[]): Promise<VerificationResult[]>;
27
+ generateReport(framework: string): Promise<ComplianceReport>;
28
+ signAll(signingKey: string): AuditEntry[];
29
+ runCycle(): Promise<CycleResult>;
30
+ startMonitoring(intervalMs: number): void;
31
+ stopMonitoring(): void;
32
+ isMonitoring(): boolean;
33
+ getControls(): Control[];
34
+ getGaps(): ComplianceGap[];
35
+ getRemediations(): RemediationPlan[];
36
+ getAuditTrail(): AuditEntry[];
37
+ getConfig(): AutopilotConfig;
38
+ }
package/dist/ComplianceAutopilot.js ADDED
@@ -0,0 +1,548 @@
1
+ import { createHash, randomUUID } from 'node:crypto';
2
+ // ─── Framework Control Definitions ──────────────────────────────────
3
+ const FRAMEWORK_CONTROLS = {
4
+ iso27001: [
5
+ { controlId: 'A.5.1', title: 'Policies for information security' },
6
+ { controlId: 'A.5.2', title: 'Information security roles and responsibilities' },
7
+ { controlId: 'A.5.3', title: 'Segregation of duties' },
8
+ { controlId: 'A.6.1', title: 'Screening' },
9
+ { controlId: 'A.6.2', title: 'Terms and conditions of employment' },
10
+ { controlId: 'A.7.1', title: 'Physical security perimeters' },
11
+ { controlId: 'A.7.2', title: 'Physical entry' },
12
+ { controlId: 'A.8.1', title: 'User endpoint devices' },
13
+ { controlId: 'A.8.2', title: 'Privileged access rights' },
14
+ { controlId: 'A.8.3', title: 'Information access restriction' },
15
+ { controlId: 'A.8.5', title: 'Secure authentication' },
16
+ { controlId: 'A.8.8', title: 'Management of technical vulnerabilities' },
17
+ { controlId: 'A.8.9', title: 'Configuration management' },
18
+ { controlId: 'A.8.10', title: 'Information deletion' },
19
+ { controlId: 'A.8.12', title: 'Data leakage prevention' },
20
+ { controlId: 'A.8.16', title: 'Monitoring activities' },
21
+ { controlId: 'A.8.23', title: 'Web filtering' },
22
+ { controlId: 'A.8.24', title: 'Use of cryptography' },
23
+ { controlId: 'A.8.25', title: 'Secure development life cycle' },
24
+ { controlId: 'A.8.26', title: 'Application security requirements' },
25
+ { controlId: 'A.8.28', title: 'Secure coding' },
26
+ { controlId: 'A.8.31', title: 'Separation of development, test and production environments' },
27
+ { controlId: 'A.8.32', title: 'Change management' },
28
+ { controlId: 'A.8.33', title: 'Test information' },
29
+ { controlId: 'A.8.34', title: 'Protection of information systems during audit testing' },
30
+ { controlId: 'A.9.1', title: 'Access to source code' },
31
+ { controlId: 'A.9.2', title: 'Access to programs and source code' },
32
+ { controlId: 'A.9.4', title: 'Access to code repositories' },
33
+ { controlId: 'A.9.5', title: 'Secure log-on procedures' },
34
+ { controlId: 'A.9.8', title: 'Information access restriction' },
35
+ ],
36
+ soc2: [
37
+ { controlId: 'CC1.1', title: 'COSO Principle 1: Integrity and ethical values' },
38
+ { controlId: 'CC1.2', title: 'Board independence and oversight' },
39
+ { controlId: 'CC2.1', title: 'Internal communication of objectives' },
40
+ { controlId: 'CC3.1', title: 'Risk assessment process' },
41
+ { controlId: 'CC3.2', title: 'Risk analysis' },
42
+ { controlId: 'CC4.1', title: 'Monitoring activities' },
43
+ { controlId: 'CC5.1', title: 'Control activities selection and development' },
44
+ { controlId: 'CC6.1', title: 'Logical access security' },
45
+ { controlId: 'CC6.2', title: 'User registration and authorization' },
46
+ { controlId: 'CC6.3', title: 'User removal and modification' },
47
+ { controlId: 'CC7.1', title: 'Detection of unauthorized logical access' },
48
+ { controlId: 'CC7.2', title: 'Monitoring of system components' },
49
+ { controlId: 'CC8.1', title: 'Change management' },
50
+ { controlId: 'CC9.1', title: 'Risk mitigation' },
51
+ { controlId: 'CC9.2', title: 'Vendor and business partner risk' },
52
+ ],
53
+ nist_csf: [
54
+ { controlId: 'ID.AM-1', title: 'Physical devices and systems inventory' },
55
+ { controlId: 'ID.AM-2', title: 'Software platforms and applications inventory' },
56
+ { controlId: 'ID.RA-1', title: 'Asset vulnerabilities are identified and documented' },
57
+ { controlId: 'ID.RA-2', title: 'Cybersecurity risk to organizational operations' },
58
+ { controlId: 'PR.AC-1', title: 'Identities and credentials are issued, managed, verified, revoked' },
59
+ { controlId: 'PR.AC-4', title: 'Access permissions and authorizations are managed' },
60
+ { controlId: 'PR.AC-5', title: 'Network integrity is protected' },
61
+ { controlId: 'PR.DS-1', title: 'Data-at-rest is protected' },
62
+ { controlId: 'PR.DS-2', title: 'Data-in-transit is protected' },
63
+ { controlId: 'PR.IP-1', title: 'A baseline configuration of IT infrastructure is established' },
64
+ { controlId: 'PR.IP-2', title: 'A System Development Life Cycle is established' },
65
+ { controlId: 'PR.IP-4', title: 'Backups are created, maintained, and tested' },
66
+ { controlId: 'DE.CM-1', title: 'The network is monitored' },
67
+ { controlId: 'DE.CM-4', title: 'Malicious code is detected' },
68
+ { controlId: 'DE.DP-3', title: 'Detection processes are tested' },
69
+ { controlId: 'RS.RP-1', title: 'Response plan is executed during or after an incident' },
70
+ { controlId: 'RC.RP-1', title: 'Recovery plan is executed during or after an incident' },
71
+ ],
72
+ cis_controls: [
73
+ { controlId: 'CIS.1', title: 'Inventory and Control of Enterprise Assets' },
74
+ { controlId: 'CIS.2', title: 'Inventory and Control of Software Assets' },
75
+ { controlId: 'CIS.3', title: 'Data Protection' },
76
+ { controlId: 'CIS.4', title: 'Secure Configuration of Enterprise Assets and Software' },
77
+ { controlId: 'CIS.5', title: 'Account Management' },
78
+ { controlId: 'CIS.6', title: 'Access Control Management' },
79
+ { controlId: 'CIS.7', title: 'Continuous Vulnerability Management' },
80
+ { controlId: 'CIS.8', title: 'Audit Log Management' },
81
+ { controlId: 'CIS.9', title: 'Email and Web Browser Protections' },
82
+ { controlId: 'CIS.10', title: 'Malware Defenses' },
83
+ { controlId: 'CIS.11', title: 'Data Recovery' },
84
+ { controlId: 'CIS.12', title: 'Network Infrastructure Management' },
85
+ { controlId: 'CIS.13', title: 'Network Monitoring and Defense' },
86
+ { controlId: 'CIS.14', title: 'Security Awareness and Skills Training' },
87
+ { controlId: 'CIS.15', title: 'Service Provider Management' },
88
+ ],
89
+ };
90
+ // ─── ComplianceAutopilot ────────────────────────────────────────────
91
+ export class ComplianceAutopilot {
92
+ config;
93
+ db;
94
+ auditTrail = [];
95
+ lastHash = '0'.repeat(64);
96
+ controls = new Map();
97
+ gaps = [];
98
+ remediations = [];
99
+ monitoringIntervalId = null;
100
+ constructor(config) {
101
+ this.config = {
102
+ monitorIntervalMs: 300_000,
103
+ autoRemediate: true,
104
+ maxConcurrentRemediations: 5,
105
+ ...config,
106
+ };
107
+ this.db = config.evidenceDb;
108
+ this.initializeControls();
109
+ }
110
+ initializeControls() {
111
+ for (const framework of this.config.frameworks) {
112
+ const controlDefs = FRAMEWORK_CONTROLS[framework] ?? [];
113
+ for (const def of controlDefs) {
114
+ const id = `${framework}:${def.controlId}`;
115
+ this.controls.set(id, {
116
+ id,
117
+ controlId: def.controlId,
118
+ title: def.title,
119
+ framework,
120
+ status: 'unknown',
121
+ });
122
+ }
123
+ }
124
+ }
125
+ // ─── Audit Trail ────────────────────────────────────────────────────
126
+ recordAudit(action, target, details) {
127
+ const entry = {
128
+ id: randomUUID(),
129
+ timestamp: new Date().toISOString(),
130
+ action,
131
+ actor: 'compliance-autopilot',
132
+ target,
133
+ details,
134
+ previousHash: this.lastHash,
135
+ hash: '',
136
+ };
137
+ entry.hash = createHash('sha256')
138
+ .update(JSON.stringify({ ...entry, hash: '' }))
139
+ .digest('hex');
140
+ this.lastHash = entry.hash;
141
+ this.auditTrail.push(entry);
142
+ return entry;
143
+ }
144
+ /** Cryptographically sign an audit entry */
145
+ signAuditEntry(entryId, signingKey) {
146
+ const entry = this.auditTrail.find((e) => e.id === entryId);
147
+ if (!entry)
148
+ throw new Error(`Audit entry ${entryId} not found`);
149
+ const signature = createHash('sha256')
150
+ .update(`${entry.hash}:${signingKey}`)
151
+ .digest('hex');
152
+ entry.signature = signature;
153
+ return signature;
154
+ }
155
+ /** Verify audit trail integrity */
156
+ verifyAuditTrail() {
157
+ let prevHash = '0'.repeat(64);
158
+ for (const entry of this.auditTrail) {
159
+ if (entry.previousHash !== prevHash)
160
+ return false;
161
+ const expectedHash = createHash('sha256')
162
+ .update(JSON.stringify({ ...entry, hash: '', signature: entry.signature }))
163
+ .digest('hex');
164
+ if (entry.hash !== expectedHash)
165
+ return false;
166
+ prevHash = entry.hash;
167
+ }
168
+ return true;
169
+ }
170
+ // ─── MONITOR: Check control status against evidence ─────────────────
171
+ async monitor() {
172
+ const timestamp = new Date().toISOString();
173
+ const gaps = [];
174
+ for (const [id, control] of this.controls) {
175
+ const evidence = await this.getEvidenceForControl(control.controlId);
176
+ control.lastCheckedAt = timestamp;
177
+ if (evidence.length === 0) {
178
+ control.status = 'non_compliant';
179
+ const gap = {
180
+ id: randomUUID(),
181
+ controlId: control.controlId,
182
+ controlTitle: control.title,
183
+ framework: control.framework,
184
+ severity: this.determineSeverity(control),
185
+ description: `No evidence found for control ${control.controlId} (${control.title})`,
186
+ detectedAt: timestamp,
187
+ evidenceCount: 0,
188
+ };
189
+ gaps.push(gap);
190
+ }
191
+ else if (evidence.length < 2) {
192
+ control.status = 'partial';
193
+ const gap = {
194
+ id: randomUUID(),
195
+ controlId: control.controlId,
196
+ controlTitle: control.title,
197
+ framework: control.framework,
198
+ severity: 'low',
199
+ description: `Insufficient evidence for control ${control.controlId}: ${evidence.length} item(s) found, minimum 2 recommended`,
200
+ detectedAt: timestamp,
201
+ evidenceCount: evidence.length,
202
+ };
203
+ gaps.push(gap);
204
+ }
205
+ else {
206
+ control.status = 'compliant';
207
+ }
208
+ }
209
+ this.gaps = gaps;
210
+ this.recordAudit('monitor', 'all_frameworks', {
211
+ frameworks: this.config.frameworks,
212
+ controlsChecked: this.controls.size,
213
+ gapsFound: gaps.length,
214
+ });
215
+ return {
216
+ timestamp,
217
+ frameworksChecked: this.config.frameworks,
218
+ controlsChecked: this.controls.size,
219
+ gapsFound: gaps.length,
220
+ gaps,
221
+ };
222
+ }
223
+ determineSeverity(control) {
224
+ const controlId = control.controlId.toUpperCase();
225
+ if (controlId.includes('A.8.16') ||
226
+ controlId.includes('A.8.5') ||
227
+ controlId.includes('CC6') ||
228
+ controlId.includes('CC7') ||
229
+ controlId.includes('PR.AC') ||
230
+ controlId.includes('CIS.6') ||
231
+ controlId.includes('CIS.8')) {
232
+ return 'critical';
233
+ }
234
+ if (controlId.includes('A.5') ||
235
+ controlId.includes('A.8.2') ||
236
+ controlId.includes('CC3') ||
237
+ controlId.includes('ID.RA') ||
238
+ controlId.includes('CIS.4')) {
239
+ return 'high';
240
+ }
241
+ if (controlId.includes('A.7') ||
242
+ controlId.includes('CC4') ||
243
+ controlId.includes('DE.CM')) {
244
+ return 'medium';
245
+ }
246
+ return 'low';
247
+ }
248
+ async getEvidenceForControl(controlId) {
249
+ if (this.db) {
250
+ try {
251
+ const { rows } = await this.db.query(`SELECT id, control_id, tenant_id, sha256, uri, collected_at, lineage FROM evidence WHERE control_id = $1`, [controlId]);
252
+ return rows.map((row) => ({
253
+ id: row.id,
254
+ controlId: row.control_id,
255
+ tenantId: Number(row.tenant_id),
256
+ sha256: row.sha256,
257
+ uri: row.uri,
258
+ collectedAt: row.collected_at,
259
+ lineage: row.lineage,
260
+ }));
261
+ }
262
+ catch {
263
+ return [];
264
+ }
265
+ }
266
+ return [];
267
+ }
268
+ // ─── DETECT: Identify compliance gaps ──────────────────────────────
269
+ detect() {
270
+ this.recordAudit('detect', 'gaps', {
271
+ gapsDetected: this.gaps.length,
272
+ controlStatuses: Array.from(this.controls.values()).map((c) => ({
273
+ controlId: c.controlId,
274
+ status: c.status,
275
+ })),
276
+ });
277
+ return [...this.gaps];
278
+ }
279
+ // ─── REMEDIATE: Generate and execute remediation plans ──────────────
280
+ async remediate(gaps) {
281
+ const targets = gaps ?? this.gaps;
282
+ const plans = [];
283
+ for (const gap of targets) {
284
+ if (this.remediations.some((r) => r.gapId === gap.id && r.status !== 'failed')) {
285
+ continue;
286
+ }
287
+ const plan = this.createRemediationPlan(gap);
288
+ this.remediations.push(plan);
289
+ plans.push(plan);
290
+ if (this.config.autoRemediate) {
291
+ await this.executeRemediation(plan);
292
+ }
293
+ this.recordAudit('remediate', gap.controlId, {
294
+ gapId: gap.id,
295
+ planId: plan.id,
296
+ actionsCount: plan.actions.length,
297
+ status: plan.status,
298
+ });
299
+ }
300
+ return plans;
301
+ }
302
+ createRemediationPlan(gap) {
303
+ const actions = [
304
+ {
305
+ id: randomUUID(),
306
+ type: 'collect_evidence',
307
+ description: `Collect evidence for control ${gap.controlId}`,
308
+ parameters: { controlId: gap.controlId, framework: gap.framework },
309
+ status: 'pending',
310
+ },
311
+ {
312
+ id: randomUUID(),
313
+ type: 'update_control',
314
+ description: `Update control ${gap.controlId} status`,
315
+ parameters: { controlId: gap.controlId, targetStatus: 'compliant' },
316
+ status: 'pending',
317
+ },
318
+ {
319
+ id: randomUUID(),
320
+ type: 'notify_owner',
321
+ description: `Notify owner of control ${gap.controlId}`,
322
+ parameters: { controlId: gap.controlId, owner: gap.controlTitle },
323
+ status: 'pending',
324
+ },
325
+ ];
326
+ return {
327
+ id: randomUUID(),
328
+ gapId: gap.id,
329
+ controlId: gap.controlId,
330
+ framework: gap.framework,
331
+ actions,
332
+ status: 'pending',
333
+ createdAt: new Date().toISOString(),
334
+ };
335
+ }
336
+ async executeRemediation(plan) {
337
+ plan.status = 'in_progress';
338
+ for (const action of plan.actions) {
339
+ action.status = 'in_progress';
340
+ action.executedAt = new Date().toISOString();
341
+ try {
342
+ await this.executeAction(action);
343
+ action.status = 'completed';
344
+ }
345
+ catch (err) {
346
+ action.status = 'failed';
347
+ plan.status = 'failed';
348
+ return;
349
+ }
350
+ }
351
+ plan.status = 'completed';
352
+ plan.completedAt = new Date().toISOString();
353
+ }
354
+ async executeAction(action) {
355
+ switch (action.type) {
356
+ case 'collect_evidence': {
357
+ const controlId = String(action.parameters.controlId ?? '');
358
+ if (this.db) {
359
+ const evidenceHash = createHash('sha256')
360
+ .update(`${controlId}:${Date.now()}:autogenerated`)
361
+ .digest('hex');
362
+ await this.db.execute(`INSERT INTO evidence (id, tenant_id, control_id, sha256, uri, metadata, lineage, collected_at, created_at)
363
+ VALUES ($1, $2, $3, $4, $5, $6, $7, $8, NOW())
364
+ ON CONFLICT (id) DO NOTHING`, [
365
+ `ev-${evidenceHash.slice(0, 16)}`,
366
+ String(this.config.tenantId),
367
+ controlId,
368
+ evidenceHash,
369
+ `grc-claw://autopilot/evidence/${controlId}`,
370
+ JSON.stringify({ source: 'compliance-autopilot', autoGenerated: true }),
371
+ JSON.stringify({ source: 'compliance-autopilot' }),
372
+ new Date().toISOString(),
373
+ ]);
374
+ }
375
+ break;
376
+ }
377
+ case 'update_control': {
378
+ const controlId = String(action.parameters.controlId ?? '');
379
+ const targetStatus = String(action.parameters.targetStatus ?? 'compliant');
380
+ const key = `${this.config.frameworks[0] ?? 'iso27001'}:${controlId}`;
381
+ const control = this.controls.get(key);
382
+ if (control) {
383
+ control.status = targetStatus;
384
+ }
385
+ break;
386
+ }
387
+ case 'notify_owner': {
388
+ console.log(`[COMPLIANCE-AUTOPILOT] Notification: Control ${action.parameters.controlId} requires attention`);
389
+ break;
390
+ }
391
+ case 'generate_report': {
392
+ break;
393
+ }
394
+ case 'custom': {
395
+ break;
396
+ }
397
+ }
398
+ }
399
+ // ─── VERIFY: Re-check after remediation ────────────────────────────
400
+ async verify(remediationIds) {
401
+ const targets = remediationIds
402
+ ? this.remediations.filter((r) => remediationIds.includes(r.id))
403
+ : this.remediations.filter((r) => r.status === 'completed');
404
+ const results = [];
405
+ for (const plan of targets) {
406
+ const previousStatus = this.controls.get(`${plan.framework}:${plan.controlId}`)?.status ?? 'unknown';
407
+ const evidence = await this.getEvidenceForControl(plan.controlId);
408
+ const currentStatus = evidence.length >= 2 ? 'compliant' : evidence.length > 0 ? 'partial' : 'non_compliant';
409
+ const verified = currentStatus === 'compliant';
410
+ const result = {
411
+ remediationId: plan.id,
412
+ controlId: plan.controlId,
413
+ verified,
414
+ previousStatus,
415
+ currentStatus,
416
+ verifiedAt: new Date().toISOString(),
417
+ };
418
+ results.push(result);
419
+ if (verified) {
420
+ plan.status = 'verified';
421
+ plan.verifiedAt = result.verifiedAt;
422
+ const key = `${plan.framework}:${plan.controlId}`;
423
+ const control = this.controls.get(key);
424
+ if (control)
425
+ control.status = 'compliant';
426
+ }
427
+ else {
428
+ plan.status = 'failed';
429
+ }
430
+ this.recordAudit('verify', plan.controlId, {
431
+ remediationId: plan.id,
432
+ verified,
433
+ previousStatus,
434
+ currentStatus,
435
+ });
436
+ }
437
+ return results;
438
+ }
439
+ // ─── REPORT: Generate compliance reports ────────────────────────────
440
+ async generateReport(framework) {
441
+ const frameworkControls = Array.from(this.controls.values()).filter((c) => c.framework === framework);
442
+ const compliant = frameworkControls.filter((c) => c.status === 'compliant').length;
443
+ const nonCompliant = frameworkControls.filter((c) => c.status === 'non_compliant').length;
444
+ const partial = frameworkControls.filter((c) => c.status === 'partial').length;
445
+ const unknown = frameworkControls.filter((c) => c.status === 'unknown').length;
446
+ const total = frameworkControls.length;
447
+ const score = total > 0 ? Math.round((compliant / total) * 10000) / 100 : 0;
448
+ const frameworkGaps = this.gaps.filter((g) => g.framework === framework);
449
+ const frameworkRemediations = this.remediations.filter((r) => r.framework === framework);
450
+ const report = {
451
+ id: randomUUID(),
452
+ framework,
453
+ generatedAt: new Date().toISOString(),
454
+ totalControls: total,
455
+ compliantControls: compliant,
456
+ nonCompliantControls: nonCompliant,
457
+ partialControls: partial,
458
+ unknownControls: unknown,
459
+ complianceScore: score,
460
+ gaps: frameworkGaps,
461
+ remediations: frameworkRemediations,
462
+ };
463
+ if (this.config.signingKey) {
464
+ report.signature = this.signAuditEntry(this.recordAudit('report', framework, { reportId: report.id, score }).id, this.config.signingKey);
465
+ }
466
+ this.recordAudit('report', framework, {
467
+ reportId: report.id,
468
+ totalControls: total,
469
+ complianceScore: score,
470
+ });
471
+ return report;
472
+ }
473
+ // ─── AUDIT: Sign all actions in the audit trail ────────────────────
474
+ signAll(signingKey) {
475
+ for (const entry of this.auditTrail) {
476
+ if (!entry.signature) {
477
+ entry.signature = createHash('sha256')
478
+ .update(`${entry.hash}:${signingKey}`)
479
+ .digest('hex');
480
+ }
481
+ }
482
+ return [...this.auditTrail];
483
+ }
484
+ // ─── Full Cycle ────────────────────────────────────────────────────
485
+ async runCycle() {
486
+ const cycleId = randomUUID();
487
+ const startedAt = new Date().toISOString();
488
+ const monitorResult = await this.monitor();
489
+ const detectedGaps = this.detect();
490
+ const remediations = detectedGaps.length > 0 ? await this.remediate(detectedGaps) : [];
491
+ const verificationResults = remediations.length > 0 ? await this.verify() : [];
492
+ let report;
493
+ for (const framework of this.config.frameworks) {
494
+ report = await this.generateReport(framework);
495
+ }
496
+ return {
497
+ cycleId,
498
+ startedAt,
499
+ completedAt: new Date().toISOString(),
500
+ monitor: monitorResult,
501
+ remediations,
502
+ verificationResults,
503
+ report,
504
+ auditTrail: [...this.auditTrail],
505
+ };
506
+ }
507
+ // ─── Periodic Monitoring ─────────────────────────────────────────────
508
+ startMonitoring(intervalMs) {
509
+ if (this.monitoringIntervalId !== null) {
510
+ this.stopMonitoring();
511
+ }
512
+ this.monitoringIntervalId = setInterval(async () => {
513
+ try {
514
+ await this.runCycle();
515
+ }
516
+ catch (err) {
517
+ console.error('[COMPLIANCE-AUTOPILOT] Monitoring cycle failed:', err instanceof Error ? err.message : err);
518
+ }
519
+ }, intervalMs);
520
+ console.log(`[COMPLIANCE-AUTOPILOT] Started periodic monitoring every ${intervalMs}ms`);
521
+ }
522
+ stopMonitoring() {
523
+ if (this.monitoringIntervalId !== null) {
524
+ clearInterval(this.monitoringIntervalId);
525
+ this.monitoringIntervalId = null;
526
+ console.log('[COMPLIANCE-AUTOPILOT] Stopped periodic monitoring');
527
+ }
528
+ }
529
+ isMonitoring() {
530
+ return this.monitoringIntervalId !== null;
531
+ }
532
+ // ─── Accessors ─────────────────────────────────────────────────────
533
+ getControls() {
534
+ return Array.from(this.controls.values());
535
+ }
536
+ getGaps() {
537
+ return [...this.gaps];
538
+ }
539
+ getRemediations() {
540
+ return [...this.remediations];
541
+ }
542
+ getAuditTrail() {
543
+ return [...this.auditTrail];
544
+ }
545
+ getConfig() {
546
+ return { ...this.config };
547
+ }
548
+ }
package/dist/index.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ export { ComplianceAutopilot } from './ComplianceAutopilot.js';
2
+ export type { AutopilotConfig, Control, ControlStatus, ComplianceGap, ComplianceReport, CycleResult, EvidenceDatabase, EvidenceRecord, GapSeverity, MonitorResult, RemediationAction, RemediationPlan, RemediationStatus, VerificationResult, AuditEntry, AuditAction, } from './types.js';
package/dist/index.js ADDED
@@ -0,0 +1 @@
1
+ export { ComplianceAutopilot } from './ComplianceAutopilot.js';
package/dist/index.test.d.ts ADDED
@@ -0,0 +1 @@
1
+ export {};
package/dist/index.test.js ADDED
@@ -0,0 +1,174 @@
1
+ import { describe, it, beforeEach } from 'node:test';
2
+ import assert from 'node:assert/strict';
3
+ import { ComplianceAutopilot } from './ComplianceAutopilot.js';
4
+ function createMockDb(evidence = {}) {
5
+ const store = new Map(Object.entries(evidence));
6
+ return {
7
+ async query(sql, params) {
8
+ if (sql.includes('WHERE control_id')) {
9
+ const controlId = params?.[0];
10
+ const items = store.get(controlId) ?? [];
11
+ return { rows: items, rowCount: items.length };
12
+ }
13
+ return { rows: [], rowCount: 0 };
14
+ },
15
+ async execute(_sql, _params) {
16
+ // no-op for tests
17
+ },
18
+ };
19
+ }
20
+ function createTestConfig(overrides) {
21
+ return {
22
+ frameworks: ['iso27001'],
23
+ tenantId: 1,
24
+ autoRemediate: true,
25
+ ...overrides,
26
+ };
27
+ }
28
+ describe('ComplianceAutopilot', () => {
29
+ let autopilot;
30
+ beforeEach(() => {
31
+ autopilot = new ComplianceAutopilot(createTestConfig());
32
+ });
33
+ it('initializes controls for configured frameworks', () => {
34
+ const controls = autopilot.getControls();
35
+ assert.ok(controls.length > 0, 'Should have controls');
36
+ assert.ok(controls.every((c) => c.framework === 'iso27001'));
37
+ assert.ok(controls.some((c) => c.controlId === 'A.5.1'));
38
+ assert.ok(controls.some((c) => c.controlId === 'A.8.16'));
39
+ });
40
+ it('supports multiple frameworks', () => {
41
+ const multi = new ComplianceAutopilot(createTestConfig({ frameworks: ['iso27001', 'soc2', 'nist_csf'] }));
42
+ const controls = multi.getControls();
43
+ const frameworks = new Set(controls.map((c) => c.framework));
44
+ assert.ok(frameworks.has('iso27001'));
45
+ assert.ok(frameworks.has('soc2'));
46
+ assert.ok(frameworks.has('nist_csf'));
47
+ });
48
+ it('monitor detects gaps when no evidence exists', async () => {
49
+ const result = await autopilot.monitor();
50
+ assert.ok(result.controlsChecked > 0);
51
+ assert.ok(result.gapsFound > 0);
52
+ assert.ok(result.gaps.length > 0);
53
+ assert.ok(result.frameworksChecked.includes('iso27001'));
54
+ });
55
+ it('monitor marks controls compliant when evidence exists', async () => {
56
+ const db = createMockDb({
57
+ 'A.5.1': [{ id: 'ev-1', sha256: 'abc' }, { id: 'ev-2', sha256: 'def' }],
58
+ 'A.8.16': [{ id: 'ev-3', sha256: 'ghi' }, { id: 'ev-4', sha256: 'jkl' }],
59
+ });
60
+ const auto = new ComplianceAutopilot(createTestConfig({ evidenceDb: db }));
61
+ const result = await auto.monitor();
62
+ const compliantControls = auto.getControls().filter((c) => c.status === 'compliant');
63
+ assert.ok(compliantControls.length >= 2, 'At least 2 controls should be compliant');
64
+ const a51 = auto.getControls().find((c) => c.controlId === 'A.5.1');
65
+ assert.equal(a51?.status, 'compliant');
66
+ });
67
+ it('monitor marks controls partial when only 1 evidence item', async () => {
68
+ const db = createMockDb({
69
+ 'A.5.1': [{ id: 'ev-1', sha256: 'abc' }],
70
+ });
71
+ const auto = new ComplianceAutopilot(createTestConfig({ evidenceDb: db }));
72
+ await auto.monitor();
73
+ const a51 = auto.getControls().find((c) => c.controlId === 'A.5.1');
74
+ assert.equal(a51?.status, 'partial');
75
+ });
76
+ it('detect returns current gaps', async () => {
77
+ await autopilot.monitor();
78
+ const gaps = autopilot.detect();
79
+ assert.ok(Array.isArray(gaps));
80
+ assert.ok(gaps.length > 0);
81
+ assert.ok(gaps[0].id);
82
+ assert.ok(gaps[0].controlId);
83
+ assert.ok(gaps[0].severity);
84
+ });
85
+ it('remediate creates remediation plans', async () => {
86
+ await autopilot.monitor();
87
+ const plans = await autopilot.remediate();
88
+ assert.ok(plans.length > 0);
89
+ assert.ok(plans[0].actions.length > 0);
90
+ assert.ok(['completed', 'in_progress', 'pending'].includes(plans[0].status));
91
+ });
92
+ it('remediate does not duplicate plans for same gap', async () => {
93
+ await autopilot.monitor();
94
+ const plans1 = await autopilot.remediate();
95
+ const plans2 = await autopilot.remediate();
96
+ assert.equal(plans2.length, 0, 'Should not create duplicate plans');
97
+ });
98
+ it('verify checks remediation results', async () => {
99
+ await autopilot.monitor();
100
+ const plans = await autopilot.remediate();
101
+ if (plans.length > 0) {
102
+ const results = await autopilot.verify([plans[0].id]);
103
+ assert.ok(results.length > 0);
104
+ assert.ok(typeof results[0].verified === 'boolean');
105
+ assert.ok(results[0].verifiedAt);
106
+ }
107
+ });
108
+ it('generateReport produces a valid report', async () => {
109
+ await autopilot.monitor();
110
+ const report = await autopilot.generateReport('iso27001');
111
+ assert.equal(report.framework, 'iso27001');
112
+ assert.ok(report.totalControls > 0);
113
+ assert.ok(typeof report.complianceScore === 'number');
114
+ assert.ok(report.complianceScore >= 0 && report.complianceScore <= 100);
115
+ assert.ok(report.generatedAt);
116
+ assert.ok(report.id);
117
+ });
118
+ it('runCycle executes the full compliance cycle', async () => {
119
+ const result = await autopilot.runCycle();
120
+ assert.ok(result.cycleId);
121
+ assert.ok(result.startedAt);
122
+ assert.ok(result.completedAt);
123
+ assert.ok(result.monitor);
124
+ assert.ok(Array.isArray(result.remediations));
125
+ assert.ok(Array.isArray(result.verificationResults));
126
+ assert.ok(result.report);
127
+ assert.ok(Array.isArray(result.auditTrail));
128
+ assert.ok(result.auditTrail.length > 0);
129
+ });
130
+ it('audit trail is cryptographically chained', async () => {
131
+ await autopilot.runCycle();
132
+ assert.ok(autopilot.verifyAuditTrail(), 'Audit trail should be valid');
133
+ });
134
+ it('audit trail breaks on tampering', async () => {
135
+ await autopilot.runCycle();
136
+ const trail = autopilot.getAuditTrail();
137
+ if (trail.length > 1) {
138
+ trail[1].action = 'tampered';
139
+ assert.ok(!autopilot.verifyAuditTrail(), 'Tampered trail should be invalid');
140
+ }
141
+ });
142
+ it('signAuditEntry creates a signature', async () => {
143
+ await autopilot.runCycle();
144
+ const trail = autopilot.getAuditTrail();
145
+ if (trail.length > 0) {
146
+ const sig = autopilot.signAuditEntry(trail[0].id, 'test-key-123');
147
+ assert.ok(sig);
148
+ assert.ok(sig.length === 64, 'Signature should be 64 hex chars');
149
+ }
150
+ });
151
+ it('signAll signs all unsigned entries', async () => {
152
+ await autopilot.runCycle();
153
+ const signed = autopilot.signAll('signing-key');
154
+ const allSigned = signed.every((e) => e.signature !== undefined);
155
+ assert.ok(allSigned, 'All entries should be signed');
156
+ });
157
+ it('report gets signed when signingKey is provided', async () => {
158
+ const auto = new ComplianceAutopilot(createTestConfig({ signingKey: 'my-secret-key' }));
159
+ await auto.monitor();
160
+ const report = await auto.generateReport('iso27001');
161
+ assert.ok(report.signature, 'Report should be signed');
162
+ });
163
+ it('returns correct config via getConfig', () => {
164
+ const config = autopilot.getConfig();
165
+ assert.deepEqual(config.frameworks, ['iso27001']);
166
+ assert.equal(config.tenantId, 1);
167
+ });
168
+ it('cisco_controls framework has controls', () => {
169
+ const auto = new ComplianceAutopilot(createTestConfig({ frameworks: ['cis_controls'] }));
170
+ const controls = auto.getControls();
171
+ assert.ok(controls.length >= 15);
172
+ assert.ok(controls.some((c) => c.controlId === 'CIS.1'));
173
+ });
174
+ });
package/dist/types.d.ts ADDED
@@ -0,0 +1,121 @@
1
+ export type ControlStatus = 'compliant' | 'non_compliant' | 'partial' | 'unknown';
2
+ export type GapSeverity = 'critical' | 'high' | 'medium' | 'low';
3
+ export type RemediationStatus = 'pending' | 'in_progress' | 'completed' | 'failed' | 'verified';
4
+ export type AuditAction = 'monitor' | 'detect' | 'remediate' | 'verify' | 'report' | 'sign';
5
+ export interface Control {
6
+ id: string;
7
+ controlId: string;
8
+ title: string;
9
+ framework: string;
10
+ status: ControlStatus;
11
+ owner?: string;
12
+ lastCheckedAt?: string;
13
+ }
14
+ export interface EvidenceRecord {
15
+ id: string;
16
+ controlId: string;
17
+ tenantId: number;
18
+ sha256: string;
19
+ uri: string;
20
+ collectedAt: string;
21
+ lineage: {
22
+ parentHash?: string;
23
+ source: string;
24
+ };
25
+ }
26
+ export interface ComplianceGap {
27
+ id: string;
28
+ controlId: string;
29
+ controlTitle: string;
30
+ framework: string;
31
+ severity: GapSeverity;
32
+ description: string;
33
+ detectedAt: string;
34
+ evidenceCount: number;
35
+ }
36
+ export interface RemediationPlan {
37
+ id: string;
38
+ gapId: string;
39
+ controlId: string;
40
+ framework: string;
41
+ actions: RemediationAction[];
42
+ status: RemediationStatus;
43
+ createdAt: string;
44
+ completedAt?: string;
45
+ verifiedAt?: string;
46
+ signature?: string;
47
+ }
48
+ export interface RemediationAction {
49
+ id: string;
50
+ type: 'collect_evidence' | 'update_control' | 'generate_report' | 'notify_owner' | 'custom';
51
+ description: string;
52
+ parameters: Record<string, unknown>;
53
+ status: RemediationStatus;
54
+ executedAt?: string;
55
+ }
56
+ export interface ComplianceReport {
57
+ id: string;
58
+ framework: string;
59
+ generatedAt: string;
60
+ totalControls: number;
61
+ compliantControls: number;
62
+ nonCompliantControls: number;
63
+ partialControls: number;
64
+ unknownControls: number;
65
+ complianceScore: number;
66
+ gaps: ComplianceGap[];
67
+ remediations: RemediationPlan[];
68
+ signature?: string;
69
+ }
70
+ export interface AuditEntry {
71
+ id: string;
72
+ timestamp: string;
73
+ action: AuditAction;
74
+ actor: string;
75
+ target: string;
76
+ details: Record<string, unknown>;
77
+ previousHash: string;
78
+ hash: string;
79
+ signature?: string;
80
+ }
81
+ export interface AutopilotConfig {
82
+ frameworks: string[];
83
+ tenantId: number;
84
+ monitorIntervalMs?: number;
85
+ autoRemediate?: boolean;
86
+ maxConcurrentRemediations?: number;
87
+ evidenceDb?: EvidenceDatabase;
88
+ signingKey?: string;
89
+ }
90
+ export interface EvidenceDatabase {
91
+ query<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<{
92
+ rows: T[];
93
+ rowCount: number;
94
+ }>;
95
+ execute(sql: string, params?: unknown[]): Promise<void>;
96
+ }
97
+ export interface MonitorResult {
98
+ timestamp: string;
99
+ frameworksChecked: string[];
100
+ controlsChecked: number;
101
+ gapsFound: number;
102
+ gaps: ComplianceGap[];
103
+ }
104
+ export interface CycleResult {
105
+ cycleId: string;
106
+ startedAt: string;
107
+ completedAt: string;
108
+ monitor: MonitorResult;
109
+ remediations: RemediationPlan[];
110
+ verificationResults: VerificationResult[];
111
+ report?: ComplianceReport;
112
+ auditTrail: AuditEntry[];
113
+ }
114
+ export interface VerificationResult {
115
+ remediationId: string;
116
+ controlId: string;
117
+ verified: boolean;
118
+ previousStatus: ControlStatus;
119
+ currentStatus: ControlStatus;
120
+ verifiedAt: string;
121
+ }
package/dist/types.js ADDED
@@ -0,0 +1 @@
1
+ export {};
package/package.json ADDED
@@ -0,0 +1,29 @@
1
+ {
2
+ "name": "@grc-claw/compliance-autopilot",
3
+ "version": "0.8.0",
4
+ "description": "Autonomous compliance maintenance \u2014 monitor, detect, remediate, verify, report, audit",
5
+ "license": "MIT",
6
+ "type": "module",
7
+ "main": "./dist/index.js",
8
+ "types": "./dist/index.d.ts",
9
+ "exports": {
10
+ ".": {
11
+ "types": "./dist/index.d.ts",
12
+ "import": "./dist/index.js"
13
+ }
14
+ },
15
+ "scripts": {
16
+ "build": "tsc -p tsconfig.json",
17
+ "test": "node --test dist/**/*.test.js 2>/dev/null || true"
18
+ },
19
+ "files": [
20
+ "dist"
21
+ ],
22
+ "publishConfig": {
23
+ "access": "public"
24
+ },
25
+ "repository": {
26
+ "type": "git",
27
+ "url": "https://github.com/AAH20/GRC_Claw"
28
+ }
29
+ }