@mitre/hdf-schema 3.1.0-rc.1 → 3.2.0

package/dist/ts/hdf-baseline.js

@@ -42,6 +42,36 @@ export var HashAlgorithm;
     HashAlgorithm["Sha384"] = "sha384";
     HashAlgorithm["Sha512"] = "sha512";
 })(HashAlgorithm || (HashAlgorithm = {}));
+/**
+ * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+ * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+ * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+ * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+ * Optional: when omitted, consumers should treat the requirement as 'required' by
+ * convention.
+ */
+export var Applicability;
+(function (Applicability) {
+    Applicability["Advisory"] = "advisory";
+    Applicability["Optional"] = "optional";
+    Applicability["Required"] = "required";
+})(Applicability || (Applicability = {}));
+/**
+ * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+ * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+ * process; 'technical' = an enforced technical configuration; 'management' = a
+ * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+ * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+ * family/id but should not assume a default.
+ */
+export var ControlType;
+(function (ControlType) {
+    ControlType["Management"] = "management";
+    ControlType["Operational"] = "operational";
+    ControlType["Policy"] = "policy";
+    ControlType["Procedure"] = "procedure";
+    ControlType["Technical"] = "technical";
+})(ControlType || (ControlType = {}));
 /**
  * Explicit severity rating. Typically derived from impact score but provided explicitly for
  * clarity.
@@ -56,3 +86,25 @@ export var Severity;
     Severity["Low"] = "low";
     Severity["Medium"] = "medium";
 })(Severity || (Severity = {}));
+/**
+ * How this requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+ * omitted, consumers should not infer a default.
+ *
+ * How a requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
+ * disambiguate from the unrelated Verification_Method DID-context struct.
+ */
+export var VerificationMethodEnum;
+(function (VerificationMethodEnum) {
+    VerificationMethodEnum["Automated"] = "automated";
+    VerificationMethodEnum["Hybrid"] = "hybrid";
+    VerificationMethodEnum["ManualByDesign"] = "manual-by-design";
+    VerificationMethodEnum["ManualPendingAutomation"] = "manual-pending-automation";
+})(VerificationMethodEnum || (VerificationMethodEnum = {}));

package/dist/ts/hdf-baseline.ts

@@ -378,12 +378,31 @@ export interface BaselineRequirement {
      * A set of tags - usually metadata like CCI, STIG ID, severity.
      */
     tags: { [key: string]: any };
+    /**
+     * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+     * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+     * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+     * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+     * Optional: when omitted, consumers should treat the requirement as 'required' by
+     * convention.
+     */
+    applicability?: Applicability;
     /**
      * The raw source code of the requirement. Set to null for manual-only requirements or
-     * requirements not yet implemented. Note that if this is an overlay, it does not include
-     * the underlying source code.
+     * requirements not yet implemented; use verificationMethod to disambiguate manual-by-design
+     * from manual-pending-automation. Note that if this is an overlay, it does not include the
+     * underlying source code.
      */
     code?: string;
+    /**
+     * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+     * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+     * process; 'technical' = an enforced technical configuration; 'management' = a
+     * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+     * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+     * family/id but should not assume a default.
+     */
+    controlType?: ControlType;
     /**
      * The set of references to external documents.
      */
@@ -396,9 +415,48 @@ export interface BaselineRequirement {
      * The title - is nullable.
      */
     title?: string;
+    /**
+     * How this requirement is intended to be verified. Disambiguates the two cases that null
+     * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+     * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+     * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+     * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+     * omitted, consumers should not infer a default.
+     */
+    verificationMethod?: VerificationMethodEnum;
     [property: string]: any;
 }
 
+/**
+ * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+ * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+ * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+ * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+ * Optional: when omitted, consumers should treat the requirement as 'required' by
+ * convention.
+ */
+export enum Applicability {
+    Advisory = "advisory",
+    Optional = "optional",
+    Required = "required",
+}
+
+/**
+ * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+ * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+ * process; 'technical' = an enforced technical configuration; 'management' = a
+ * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+ * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+ * family/id but should not assume a default.
+ */
+export enum ControlType {
+    Management = "management",
+    Operational = "operational",
+    Policy = "policy",
+    Procedure = "procedure",
+    Technical = "technical",
+}
+
 export interface Description {
     /**
      * The description text content.
@@ -459,6 +517,28 @@ export interface SourceLocation {
     [property: string]: any;
 }
 
+/**
+ * How this requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+ * omitted, consumers should not infer a default.
+ *
+ * How a requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
+ * disambiguate from the unrelated Verification_Method DID-context struct.
+ */
+export enum VerificationMethodEnum {
+    Automated = "automated",
+    Hybrid = "hybrid",
+    ManualByDesign = "manual-by-design",
+    ManualPendingAutomation = "manual-pending-automation",
+}
+
 /**
  * A supported platform target. Example: the platform name being 'ubuntu'.
  */

package/dist/ts/hdf-results.d.ts

@@ -480,12 +480,31 @@ export interface EvaluatedRequirement {
     tags: {
         [key: string]: any;
     };
+    /**
+     * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+     * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+     * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+     * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+     * Optional: when omitted, consumers should treat the requirement as 'required' by
+     * convention.
+     */
+    applicability?: Applicability;
     /**
      * The raw source code of the requirement. Set to null for manual-only requirements or
-     * requirements not yet implemented. Note that if this is an overlay, it does not include
-     * the underlying source code.
+     * requirements not yet implemented; use verificationMethod to disambiguate manual-by-design
+     * from manual-pending-automation. Note that if this is an overlay, it does not include the
+     * underlying source code.
      */
     code?: string;
+    /**
+     * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+     * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+     * process; 'technical' = an enforced technical configuration; 'management' = a
+     * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+     * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+     * family/id but should not assume a default.
+     */
+    controlType?: ControlType;
     /**
      * The set of references to external documents.
      */
@@ -494,8 +513,45 @@ export interface EvaluatedRequirement {
      * The title - is nullable.
      */
     title?: string;
+    /**
+     * How this requirement is intended to be verified. Disambiguates the two cases that null
+     * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+     * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+     * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+     * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+     * omitted, consumers should not infer a default.
+     */
+    verificationMethod?: VerificationMethodEnum;
     [property: string]: any;
 }
+/**
+ * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+ * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+ * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+ * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+ * Optional: when omitted, consumers should treat the requirement as 'required' by
+ * convention.
+ */
+export declare enum Applicability {
+    Advisory = "advisory",
+    Optional = "optional",
+    Required = "required"
+}
+/**
+ * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+ * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+ * process; 'technical' = an enforced technical configuration; 'management' = a
+ * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+ * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+ * family/id but should not assume a default.
+ */
+export declare enum ControlType {
+    Management = "management",
+    Operational = "operational",
+    Policy = "policy",
+    Procedure = "procedure",
+    Technical = "technical"
+}
 export interface Description {
     /**
      * The description text content.
@@ -1007,6 +1063,27 @@ export interface ImpactOverride {
     value: number;
     [property: string]: any;
 }
+/**
+ * How this requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+ * omitted, consumers should not infer a default.
+ *
+ * How a requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
+ * disambiguate from the unrelated Verification_Method DID-context struct.
+ */
+export declare enum VerificationMethodEnum {
+    Automated = "automated",
+    Hybrid = "hybrid",
+    ManualByDesign = "manual-by-design",
+    ManualPendingAutomation = "manual-pending-automation"
+}
 /**
  * A supported platform target. Example: the platform name being 'ubuntu'.
  */

package/dist/ts/hdf-results.js

@@ -42,6 +42,36 @@ export var HashAlgorithm;
     HashAlgorithm["Sha384"] = "sha384";
     HashAlgorithm["Sha512"] = "sha512";
 })(HashAlgorithm || (HashAlgorithm = {}));
+/**
+ * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+ * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+ * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+ * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+ * Optional: when omitted, consumers should treat the requirement as 'required' by
+ * convention.
+ */
+export var Applicability;
+(function (Applicability) {
+    Applicability["Advisory"] = "advisory";
+    Applicability["Optional"] = "optional";
+    Applicability["Required"] = "required";
+})(Applicability || (Applicability = {}));
+/**
+ * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+ * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+ * process; 'technical' = an enforced technical configuration; 'management' = a
+ * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+ * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+ * family/id but should not assume a default.
+ */
+export var ControlType;
+(function (ControlType) {
+    ControlType["Management"] = "management";
+    ControlType["Operational"] = "operational";
+    ControlType["Policy"] = "policy";
+    ControlType["Procedure"] = "procedure";
+    ControlType["Technical"] = "technical";
+})(ControlType || (ControlType = {}));
 /**
  * The type of the most recent non-expired override or POAM governing this requirement.
  * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
@@ -157,6 +187,28 @@ export var Severity;
     Severity["Low"] = "low";
     Severity["Medium"] = "medium";
 })(Severity || (Severity = {}));
+/**
+ * How this requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+ * omitted, consumers should not infer a default.
+ *
+ * How a requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
+ * disambiguate from the unrelated Verification_Method DID-context struct.
+ */
+export var VerificationMethodEnum;
+(function (VerificationMethodEnum) {
+    VerificationMethodEnum["Automated"] = "automated";
+    VerificationMethodEnum["Hybrid"] = "hybrid";
+    VerificationMethodEnum["ManualByDesign"] = "manual-by-design";
+    VerificationMethodEnum["ManualPendingAutomation"] = "manual-pending-automation";
+})(VerificationMethodEnum || (VerificationMethodEnum = {}));
 export var CloudProvider;
 (function (CloudProvider) {
     CloudProvider["Aws"] = "aws";

package/dist/ts/hdf-results.ts

@@ -483,12 +483,31 @@ export interface EvaluatedRequirement {
      * A set of tags - usually metadata like CCI, STIG ID, severity.
      */
     tags: { [key: string]: any };
+    /**
+     * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+     * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+     * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+     * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+     * Optional: when omitted, consumers should treat the requirement as 'required' by
+     * convention.
+     */
+    applicability?: Applicability;
     /**
      * The raw source code of the requirement. Set to null for manual-only requirements or
-     * requirements not yet implemented. Note that if this is an overlay, it does not include
-     * the underlying source code.
+     * requirements not yet implemented; use verificationMethod to disambiguate manual-by-design
+     * from manual-pending-automation. Note that if this is an overlay, it does not include the
+     * underlying source code.
      */
     code?: string;
+    /**
+     * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+     * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+     * process; 'technical' = an enforced technical configuration; 'management' = a
+     * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+     * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+     * family/id but should not assume a default.
+     */
+    controlType?: ControlType;
     /**
      * The set of references to external documents.
      */
@@ -497,9 +516,48 @@ export interface EvaluatedRequirement {
      * The title - is nullable.
      */
     title?: string;
+    /**
+     * How this requirement is intended to be verified. Disambiguates the two cases that null
+     * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+     * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+     * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+     * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+     * omitted, consumers should not infer a default.
+     */
+    verificationMethod?: VerificationMethodEnum;
     [property: string]: any;
 }
 
+/**
+ * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+ * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+ * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+ * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+ * Optional: when omitted, consumers should treat the requirement as 'required' by
+ * convention.
+ */
+export enum Applicability {
+    Advisory = "advisory",
+    Optional = "optional",
+    Required = "required",
+}
+
+/**
+ * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+ * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+ * process; 'technical' = an enforced technical configuration; 'management' = a
+ * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+ * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+ * family/id but should not assume a default.
+ */
+export enum ControlType {
+    Management = "management",
+    Operational = "operational",
+    Policy = "policy",
+    Procedure = "procedure",
+    Technical = "technical",
+}
+
 export interface Description {
     /**
      * The description text content.
@@ -1026,6 +1084,28 @@ export interface ImpactOverride {
     [property: string]: any;
 }
 
+/**
+ * How this requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+ * omitted, consumers should not infer a default.
+ *
+ * How a requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
+ * disambiguate from the unrelated Verification_Method DID-context struct.
+ */
+export enum VerificationMethodEnum {
+    Automated = "automated",
+    Hybrid = "hybrid",
+    ManualByDesign = "manual-by-design",
+    ManualPendingAutomation = "manual-pending-automation",
+}
+
 /**
  * A supported platform target. Example: the platform name being 'ubuntu'.
  */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mitre/hdf-schema",
-  "version": "3.1.0-rc.1",
+  "version": "3.2.0",
   "description": "JSON schemas and multi-language type definitions for Heimdall Data Format (HDF)",
   "publishConfig": {
     "access": "public"
@@ -59,7 +59,7 @@
   "dependencies": {
     "ajv": "^8.17.0",
     "ajv-formats": "^3.0.0",
-    "@mitre/hdf-utilities": "^3.1.0-rc.1"
+    "@mitre/hdf-utilities": "^3.2.0"
   },
   "devDependencies": {
     "@hyperjump/json-schema": "^1.17.2",