@mitre/hdf-schema 3.1.0 → 3.3.0

package/dist/ts/hdf.d.ts

@@ -0,0 +1,3562 @@
+/**
+ * The top level value containing all assessment results.
+ */
+export interface HDFResults {
+    /**
+     * Information on the baselines that were evaluated, including findings.
+     */
+    baselines: EvaluatedBaseline[];
+    /**
+     * The components that were assessed. Each component describes a system element (host,
+     * container, cloud resource, application, etc.) with optional identity, SBOM, and external
+     * references.
+     */
+    components?: Component[];
+    /**
+     * Reserved for tool-specific data not defined in the HDF standard. Use this to preserve
+     * original tool output, auxiliary data, or custom metadata.
+     */
+    extensions?: {
+        [key: string]: any;
+    };
+    /**
+     * Information about the tool that generated this file.
+     */
+    generator?: Generator;
+    /**
+     * Unique identifier for this assessment run.
+     */
+    id?: string;
+    /**
+     * Cryptographic integrity information for verifying this file.
+     */
+    integrity?: Integrity;
+    /**
+     * Reference to an hdf-plan document describing the assessment plan that produced these
+     * results. May be a relative path, absolute URI, or fragment identifier.
+     */
+    planRef?: string;
+    /**
+     * Optional reference to automated remediation resources (Ansible playbooks, Terraform
+     * scripts, etc.) for fixing failing requirements found in this assessment.
+     */
+    remediation?: Remediation;
+    /**
+     * Information about the test execution environment where the security tool was run.
+     * Distinct from targets (what is being tested).
+     */
+    runner?: Runner;
+    /**
+     * Statistics for the assessment run, including duration and result counts.
+     */
+    statistics?: Statistics;
+    /**
+     * Reference to an hdf-system document describing the system under assessment. May be a
+     * relative path, absolute URI, or fragment identifier.
+     */
+    systemRef?: string;
+    /**
+     * When this assessment was executed.
+     */
+    timestamp?: Date;
+    /**
+     * The security tool that produced the assessment data in this file.
+     */
+    tool?: Tool;
+    [property: string]: any;
+}
+/**
+ * Information on a baseline that was evaluated, including any findings.
+ *
+ * Shared metadata fields for baselines. Used in both standalone baseline documents and
+ * evaluated baseline results.
+ */
+export interface EvaluatedBaseline {
+    /**
+     * The set of dependencies this baseline depends on.
+     */
+    depends?: Dependency[];
+    /**
+     * The description - should be more detailed than the summary.
+     */
+    description?: string;
+    /**
+     * Reserved for tool-specific baseline metadata not defined in the HDF standard.
+     */
+    extensions?: {
+        [key: string]: any;
+    };
+    /**
+     * A set of descriptions for the requirement groups.
+     */
+    groups?: RequirementGroup[];
+    /**
+     * Typed inputs used to parameterize this baseline at execution time. See the Input
+     * primitive for the full schema.
+     */
+    inputs?: Input[];
+    /**
+     * Cryptographic integrity information for verifying this baseline has not been tampered
+     * with.
+     */
+    integrity?: Integrity;
+    /**
+     * SHA-256 checksum of the original baseline definition file (before execution). This is an
+     * immutable reference to the baseline as defined, used to detect tampering with baseline
+     * requirements or metadata.
+     */
+    originalChecksum?: Checksum;
+    /**
+     * The name of the parent baseline if this is a dependency of another.
+     */
+    parentBaseline?: string;
+    /**
+     * The set of requirements including any findings. A baseline must have at least one
+     * requirement.
+     */
+    requirements: EvaluatedRequirement[];
+    /**
+     * SHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs).
+     * Used to detect tampering with test results. Compare with currentChecksum to verify
+     * amendment integrity.
+     */
+    resultsChecksum?: Checksum;
+    /**
+     * An explanation of the baseline status. Example: why it was skipped, failed to load, or
+     * any other status details.
+     */
+    statusMessage?: string;
+    /**
+     * The name - must be unique.
+     */
+    name: string;
+    /**
+     * The copyright holder(s).
+     */
+    copyright?: string;
+    /**
+     * The email address or other contact information of the copyright holder(s).
+     */
+    copyrightEmail?: string;
+    /**
+     * Optional key-value labels for flexible grouping. Well-known keys: system, component,
+     * environment, region, team. Values must be strings.
+     */
+    labels?: {
+        [key: string]: string;
+    };
+    /**
+     * The copyright license. Example: 'Apache-2.0'.
+     */
+    license?: string;
+    /**
+     * The maintainer(s).
+     */
+    maintainer?: string;
+    /**
+     * The status. Example: 'loaded'.
+     */
+    status?: string;
+    /**
+     * The summary. Example: the Security Technical Implementation Guide (STIG) header.
+     */
+    summary?: string;
+    /**
+     * The set of supported platform targets.
+     */
+    supports?: SupportedPlatform[];
+    /**
+     * The title - should be human readable.
+     */
+    title?: string;
+    /**
+     * The version of the baseline.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * A dependency for a baseline. Can include relative paths or URLs for where to find the
+ * dependency.
+ */
+export interface Dependency {
+    /**
+     * The branch name for a git repo.
+     */
+    branch?: string;
+    /**
+     * The 'user/profilename' attribute for an Automate server.
+     */
+    compliance?: string;
+    /**
+     * The location of the git repo. Example:
+     * 'https://github.com/my-org/ubuntu-22.04-stig-baseline.git'.
+     */
+    git?: string;
+    /**
+     * The name or assigned alias.
+     */
+    name?: string;
+    /**
+     * The relative path if the dependency is locally available.
+     */
+    path?: string;
+    /**
+     * The status. Should be: 'loaded', 'failed', or 'skipped'.
+     */
+    status?: string;
+    /**
+     * The reason for the status if it is 'failed' or 'skipped'.
+     */
+    statusMessage?: string;
+    /**
+     * The 'user/profilename' attribute for a Supermarket server.
+     */
+    supermarket?: string;
+    /**
+     * The address of the dependency.
+     */
+    url?: string;
+    [property: string]: any;
+}
+/**
+ * Describes a group of requirements, such as those defined in a single file.
+ */
+export interface RequirementGroup {
+    /**
+     * The unique identifier for the group. Example: the relative path to the file specifying
+     * the requirements.
+     */
+    id: string;
+    /**
+     * The set of requirements as specified by their ids in this group. Example: 'SV-238196'.
+     */
+    requirements: string[];
+    /**
+     * The title of the group - should be human readable.
+     */
+    title?: string;
+    [property: string]: any;
+}
+/**
+ * A typed input parameter that bridges governance requirements and scanner automation.
+ * Inputs carry expected configuration values with type information, comparison operators,
+ * and validation constraints, enabling traceability from policy through to scan results.
+ */
+export interface Input {
+    /**
+     * Validation constraints for the input value.
+     */
+    constraints?: InputConstraints;
+    /**
+     * Human-readable description of what this input controls.
+     */
+    description?: string;
+    /**
+     * The input name. Must be unique within a baseline or results document. Example:
+     * 'max_concurrent_sessions'.
+     */
+    name: string;
+    /**
+     * The comparison operator used when evaluating this input against observed values.
+     */
+    operator?: ComparisonOperator;
+    /**
+     * Whether this input must be provided. Defaults to false if omitted.
+     */
+    required?: boolean;
+    /**
+     * Whether this input contains sensitive data (passwords, keys). Sensitive values should be
+     * redacted in output. Defaults to false if omitted.
+     */
+    sensitive?: boolean;
+    /**
+     * The data type of this input.
+     */
+    type?: InputType;
+    /**
+     * The input value. Type should match the declared type field. Accepts any JSON value.
+     */
+    value?: any;
+    [property: string]: any;
+}
+/**
+ * Validation constraints for the input value.
+ *
+ * Validation constraints for an input value.
+ */
+export interface InputConstraints {
+    /**
+     * Enumeration of permitted values.
+     */
+    allowedValues?: any[];
+    /**
+     * Maximum allowed value (for Numeric inputs).
+     */
+    max?: number;
+    /**
+     * Minimum allowed value (for Numeric inputs).
+     */
+    min?: number;
+    /**
+     * Regular expression pattern the value must match (for String inputs).
+     */
+    pattern?: string;
+    [property: string]: any;
+}
+/**
+ * The comparison operator used when evaluating this input against observed values.
+ *
+ * Comparison operator for evaluating the input value against observed values. Numeric:
+ * eq/ne/lt/le/gt/ge. String: eq/ne/contains/matches. Collection: in/notIn.
+ */
+export declare enum ComparisonOperator {
+    Contains = "contains",
+    Eq = "eq",
+    Ge = "ge",
+    Gt = "gt",
+    In = "in",
+    LE = "le",
+    Lt = "lt",
+    Matches = "matches",
+    Ne = "ne",
+    NotIn = "notIn"
+}
+/**
+ * The data type of this input.
+ *
+ * The data type of the input value. Aligns with InSpec input types.
+ */
+export declare enum InputType {
+    Array = "Array",
+    Boolean = "Boolean",
+    Hash = "Hash",
+    Numeric = "Numeric",
+    Regexp = "Regexp",
+    String = "String"
+}
+/**
+ * Cryptographic integrity information for verifying this baseline has not been tampered
+ * with.
+ *
+ * Cryptographic integrity information for verifying the HDF file has not been tampered
+ * with. If algorithm is provided, checksum must also be provided, and vice versa.
+ *
+ * Cryptographic integrity information for verifying this file.
+ *
+ * Cryptographic integrity information for verifying this comparison document.
+ *
+ * Cryptographic integrity information for verifying this system document has not been
+ * tampered with.
+ *
+ * Cryptographic integrity information for verifying this plan document has not been
+ * tampered with.
+ *
+ * Cryptographic integrity information for verifying this amendments document has not been
+ * tampered with.
+ *
+ * Cryptographic integrity information for verifying this evidence package has not been
+ * tampered with.
+ */
+export interface Integrity {
+    /**
+     * The hash algorithm used for the checksum.
+     */
+    algorithm?: HashAlgorithm;
+    /**
+     * The checksum value.
+     */
+    checksum?: string;
+    /**
+     * Optional cryptographic signature.
+     */
+    signature?: string;
+    /**
+     * Identifier of who signed this file.
+     */
+    signedBy?: string;
+    [property: string]: any;
+}
+/**
+ * The hash algorithm used for the checksum.
+ *
+ * Supported cryptographic hash algorithms for checksums and integrity verification.
+ */
+export declare enum HashAlgorithm {
+    Sha256 = "sha256",
+    Sha384 = "sha384",
+    Sha512 = "sha512"
+}
+/**
+ * SHA-256 checksum of the original baseline definition file (before execution). This is an
+ * immutable reference to the baseline as defined, used to detect tampering with baseline
+ * requirements or metadata.
+ *
+ * Cryptographic checksum for baseline integrity verification.
+ *
+ * SHA-256 checksum of the previous amendment in chronological order. Creates a
+ * tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
+ * on a requirement.
+ *
+ * SHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs).
+ * Used to detect tampering with test results. Compare with currentChecksum to verify
+ * amendment integrity.
+ *
+ * Optional cryptographic checksum for verifying the integrity of remediation resources
+ * fetched from the URI. Recommended for security when referencing external automation
+ * scripts.
+ *
+ * Cryptographic checksum of the source document for integrity verification.
+ *
+ * Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null
+ * for the first amendment.
+ *
+ * Cryptographic checksum for verifying the referenced document's integrity.
+ */
+export interface Checksum {
+    /**
+     * The hash algorithm used for the checksum.
+     */
+    algorithm: HashAlgorithm;
+    /**
+     * The checksum value.
+     */
+    value: string;
+    [property: string]: any;
+}
+/**
+ * A requirement that has been evaluated, including any findings.
+ *
+ * Core requirement fields shared between baseline requirements and evaluated requirements.
+ * Contains the fundamental requirement definition without assessment results.
+ */
+export interface EvaluatedRequirement {
+    /**
+     * Packages affected by this vulnerability finding. Vulnerability-finding-scoped — see
+     * components[] on hdf-system for component-level package inventories. One entry per matched
+     * package signature (scanners often report multiple CPE variations per CVE).
+     */
+    affectedPackages?: AffectedPackage[];
+    /**
+     * Structured CVSS scoring data for vulnerability findings. One entry per CVE — a finding
+     * may match multiple CVEs (common in vulnerability scanners). Captures vendor-supplied Base
+     * metrics plus optional consumer-owned Threat / Environmental / Supplemental groups for
+     * risk adjustment. See cvss.schema.json.
+     */
+    cvss?: Cvss[];
+    /**
+     * Common Weakness Enumeration IDs associated with this finding. Use CWE-N format with no
+     * leading zeros (matches the MITRE catalog convention). For NIST control mappings derived
+     * from CWE, see tags.nist.
+     */
+    cwe?: string[];
+    /**
+     * Array of labeled descriptions. At least one description with label 'default' must be
+     * present. Convention: place default description first. Common labels: 'default', 'check',
+     * 'fix', 'rationale'.
+     */
+    descriptions: Description[];
+    /**
+     * The type of the most recent non-expired override or POAM governing this requirement.
+     * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
+     * riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
+     * POAMs apply.
+     */
+    disposition?: OverrideType;
+    /**
+     * The current effective impact score (0.0–1.0) after applying the most recent non-expired
+     * override with an impact field. Absent when no impact overrides apply; consumers should
+     * use the requirement's impact field in that case.
+     */
+    effectiveImpact?: number;
+    /**
+     * The current effective compliance status of this requirement after applying the most
+     * recent non-expired override with a status field, or computed from results (worst-wins) if
+     * no status-bearing overrides exist.
+     */
+    effectiveStatus?: ResultStatus;
+    /**
+     * FIRST.org EPSS (Exploit Prediction Scoring System) score for this CVE finding. Used
+     * alongside CVSS for prioritization — captures the probability the vulnerability will be
+     * exploited.
+     */
+    epss?: Epss;
+    /**
+     * Supporting evidence for this requirement's findings, such as screenshots, code samples,
+     * or log excerpts.
+     */
+    evidence?: Evidence[];
+    /**
+     * CISA Known Exploited Vulnerabilities (KEV) catalog status. When inKev=true, dateAdded and
+     * dueDate carry the federal patching deadline.
+     */
+    kev?: Kev;
+    /**
+     * Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance.
+     * POAMs do NOT change effectiveStatus - they track the work being done to address a
+     * failure. Separate from statusOverrides which DO change status.
+     */
+    poams?: Poam[];
+    /**
+     * The set of all tests within the requirement and their results.
+     */
+    results: RequirementResult[];
+    /**
+     * Explicit severity rating. Typically derived from impact score but provided explicitly for
+     * clarity.
+     */
+    severity?: Severity;
+    /**
+     * The explicit location of the requirement within the source code.
+     */
+    sourceLocation?: SourceLocation;
+    /**
+     * Chronological history of all overrides applied to this requirement. Overrides are
+     * intentional changes to the compliance status and/or impact score (waivers, attestations,
+     * false positives, risk adjustments). Most recent override should be first in array.
+     * Preserves full audit trail.
+     */
+    statusOverrides?: StatusOverride[];
+    /**
+     * The requirement identifier. Example: 'SV-238196'.
+     */
+    id: string;
+    /**
+     * The impactfulness or severity (0.0 to 1.0).
+     */
+    impact: number;
+    /**
+     * A set of tags - usually metadata like CCI, STIG ID, severity.
+     */
+    tags: {
+        [key: string]: any;
+    };
+    /**
+     * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+     * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+     * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+     * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+     * Optional: when omitted, consumers should treat the requirement as 'required' by
+     * convention.
+     */
+    applicability?: Applicability;
+    /**
+     * The raw source code of the requirement. Set to null for manual-only requirements or
+     * requirements not yet implemented; use verificationMethod to disambiguate manual-by-design
+     * from manual-pending-automation. Note that if this is an overlay, it does not include the
+     * underlying source code.
+     */
+    code?: string;
+    /**
+     * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+     * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+     * process; 'technical' = an enforced technical configuration; 'management' = a
+     * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+     * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+     * family/id but should not assume a default.
+     */
+    controlType?: ControlType;
+    /**
+     * The set of references to external documents.
+     */
+    refs?: Reference[];
+    /**
+     * The title - is nullable.
+     */
+    title?: string;
+    /**
+     * How this requirement is intended to be verified. Disambiguates the two cases that null
+     * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+     * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+     * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+     * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+     * omitted, consumers should not infer a default.
+     */
+    verificationMethod?: VerificationMethodEnum;
+    [property: string]: any;
+}
+/**
+ * Represents a package referenced by a vulnerability finding or by an amendment's scope. On
+ * Evaluated_Requirement.affectedPackages it says 'this CVE affects these package versions'.
+ * On Standalone_Override.affectedPackages it says 'this amendment is scoped to these
+ * packages' (used by VEX, OSCAL POA&M, FedRAMP component-aware amendments). NOT a
+ * system-level component identifier — see `components[]` on hdf-system for those. Validity
+ * requires at least one of: (name + version + ecosystem), purl alone, or cpe alone. purl
+ * and cpe are self-describing identifiers that encode name/version implicitly, so either
+ * may stand on its own; the name+version+ecosystem combination is the explicit form for
+ * sources without formal identifiers.
+ */
+export interface AffectedPackage {
+    /**
+     * Optional CPE 2.3 URI identifying the affected product. Validated leniently: only the
+     * 'cpe:2.3:' prefix and the part-type letter ('a' application, 'h' hardware, 'o' operating
+     * system) are enforced here. Use `hdf-utilities.parseCpe` for full-grammar parsing.
+     * Example: 'cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*'.
+     */
+    cpe?: string;
+    /**
+     * The packaging ecosystem the package belongs to. Use 'generic' for hardware, firmware, or
+     * anything outside the listed language/OS package managers.
+     */
+    ecosystem?: Ecosystem;
+    /**
+     * Optional version string identifying the first release that contains the fix for the
+     * vulnerability. Use the same version syntax as `version`. Example: '1.1.1l' fixes
+     * 'openssl@1.1.1k'.
+     */
+    fixedInVersion?: string;
+    /**
+     * The package name as published in its ecosystem. Examples: 'openssl' (rpm), 'lodash'
+     * (npm), 'org.apache.logging.log4j:log4j-core' (maven, group:artifact).
+     */
+    name?: string;
+    /**
+     * Optional Package URL (PURL) identifying the affected package. Validated leniently: only
+     * the 'pkg:TYPE/' scheme prefix is enforced here, where TYPE follows the PURL grammar (a
+     * letter followed by letters, digits, '.', '+', or '-') and is matched case-insensitively
+     * to mirror `hdf-utilities.parsePurl`'s accept-and-warn behavior. Use `parsePurl` for full
+     * PURL parsing. Example: 'pkg:rpm/redhat/openssl@1.1.1k-7.el8_4?arch=x86_64'.
+     */
+    purl?: string;
+    /**
+     * The exact version of the package that the vulnerability scanner observed. Use the
+     * ecosystem's native version string verbatim (e.g., '1.1.1k-7.el8_4' for rpm, '4.17.20' for
+     * npm).
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * The packaging ecosystem the package belongs to. Use 'generic' for hardware, firmware, or
+ * anything outside the listed language/OS package managers.
+ */
+export declare enum Ecosystem {
+    Cargo = "cargo",
+    Deb = "deb",
+    Gem = "gem",
+    Generic = "generic",
+    Go = "go",
+    Maven = "maven",
+    Npm = "npm",
+    Nuget = "nuget",
+    Pypi = "pypi",
+    RPM = "rpm"
+}
+/**
+ * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+ * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+ * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+ * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+ * Optional: when omitted, consumers should treat the requirement as 'required' by
+ * convention.
+ */
+export declare enum Applicability {
+    Advisory = "advisory",
+    Optional = "optional",
+    Required = "required"
+}
+/**
+ * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+ * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+ * process; 'technical' = an enforced technical configuration; 'management' = a
+ * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+ * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+ * family/id but should not assume a default.
+ */
+export declare enum ControlType {
+    Management = "management",
+    Operational = "operational",
+    Policy = "policy",
+    Procedure = "procedure",
+    Technical = "technical"
+}
+/**
+ * Structured CVSS scoring data backing this override. Captures the rubric (which
+ * Environmental/Threat metrics the consumer modified, the recomputed score) used to justify
+ * a riskAdjustment. For other override types this is optional context.
+ *
+ * A CVSS (Common Vulnerability Scoring System) score record for a vulnerability finding.
+ * Captures the vendor-supplied Base metric group and optional consumer-supplied Threat,
+ * Environmental, and Supplemental metric groups. Supports all four CVSS major versions
+ * (2.0, 3.0, 3.1, 4.0). Vector strings are validated against a permissive umbrella grammar;
+ * semantic validation (correct metrics per version, correct values per metric) is performed
+ * by the hdf-utilities `validateCvssVector` helper rather than at the schema layer.
+ */
+export interface Cvss {
+    /**
+     * The Base score (0.0–10.0) computed from the base vector. Reflects the intrinsic,
+     * vendor-published severity before consumer enrichment.
+     */
+    baseScore?: number;
+    /**
+     * Qualitative severity band corresponding to baseScore. CVSS 2.0 does not natively use
+     * 'none' or 'critical' bands; map accordingly when populating.
+     */
+    baseSeverity?: CVSSSeverity;
+    /**
+     * Optional Base metric group vector string as emitted by the source (e.g.,
+     * 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'). For CVSS 2.0 the version prefix is
+     * omitted. Some vendor tools emit a final baseScore without the vector — in that case this
+     * field is absent and the score cannot be recomputed or decomposed. The pattern accepts any
+     * version-prefixed or prefix-less metric token sequence; semantic validity of individual
+     * metrics is checked by hdf-utilities, not by the schema.
+     */
+    baseVector?: string;
+    /**
+     * Optional final score after combining Base + Threat + Environmental metrics. This is the
+     * score consumers should treat as authoritative for risk decisions when present.
+     */
+    computedScore?: number;
+    /**
+     * Qualitative severity band corresponding to computedScore. Same band convention as
+     * baseSeverity.
+     */
+    computedSeverity?: CVSSSeverity;
+    /**
+     * Optional score (0.0–10.0) recomputed after applying Environmental metrics.
+     */
+    environmentalScore?: number;
+    /**
+     * Optional Environmental metric group vector segment (e.g., 'MAV:N/CR:H/IR:H/AR:H').
+     * Consumer-supplied — reflects the deployment context (criticality, mitigations, network
+     * exposure).
+     */
+    environmentalVector?: string;
+    /**
+     * Optional identifier the CVSS data is associated with — most commonly a CVE ID (e.g.,
+     * 'CVE-2024-12345'), but may also be a vendor advisory ID, GHSA, or similar.
+     */
+    source?: string;
+    /**
+     * Optional Supplemental metric group vector segment (CVSS 4.0 only). Examples:
+     * 'S:P/AU:N/V:C/RE:M/U:Amber'. Per CVSS 4.0 spec, supplemental metrics convey additional
+     * context but have no impact on the computed score.
+     */
+    supplementalVector?: string;
+    /**
+     * Optional score (0.0–10.0) recomputed after applying Threat metrics. Always less than or
+     * equal to baseScore in practice.
+     */
+    threatScore?: number;
+    /**
+     * Optional Threat metric group vector segment (e.g., 'E:U/RL:O/RC:C' for CVSS 3.1, or 'E:A'
+     * for CVSS 4.0). Consumer-supplied — captures real-world exploitation and remediation
+     * context the vendor cannot know.
+     */
+    threatVector?: string;
+    /**
+     * The CVSS specification version this entry conforms to. Vendor scanners typically emit 3.1
+     * or 4.0; legacy data may use 2.0 or 3.0.
+     */
+    version: Version;
+    [property: string]: any;
+}
+/**
+ * Qualitative severity band corresponding to baseScore. CVSS 2.0 does not natively use
+ * 'none' or 'critical' bands; map accordingly when populating.
+ *
+ * Qualitative CVSS severity band. Aligns with FIRST/NVD bands: none=0.0, low=0.1-3.9,
+ * medium=4.0-6.9, high=7.0-8.9, critical=9.0-10.0. Distinct from the broader Severity enum
+ * used on Requirement_Core (which includes 'informational').
+ *
+ * Qualitative severity band corresponding to computedScore. Same band convention as
+ * baseSeverity.
+ */
+export declare enum CVSSSeverity {
+    Critical = "critical",
+    High = "high",
+    Low = "low",
+    Medium = "medium",
+    None = "none"
+}
+/**
+ * The CVSS specification version this entry conforms to. Vendor scanners typically emit 3.1
+ * or 4.0; legacy data may use 2.0 or 3.0.
+ */
+export declare enum Version {
+    The20 = "2.0",
+    The30 = "3.0",
+    The31 = "3.1",
+    The40 = "4.0"
+}
+export interface Description {
+    /**
+     * The description text content.
+     */
+    data: string;
+    /**
+     * Description category. The 'default' label is required for the primary description. Common
+     * labels: 'default', 'check', 'fix', 'rationale'. Tools may use custom labels.
+     */
+    label: string;
+    [property: string]: any;
+}
+/**
+ * The type of the most recent non-expired override or POAM governing this requirement.
+ * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
+ * riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
+ * POAMs apply.
+ *
+ * The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk
+ * accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam':
+ * remediation tracked (no status change). 'inherited': control provided by another
+ * component or system. 'falsePositive': scanner incorrectly identified a finding — for
+ * compliance scans (STIG, CIS), the check actually passes, so status is typically set to
+ * 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to
+ * this system, so status is typically set to 'notApplicable'. The disposition field on the
+ * requirement distinguishes false positives from genuinely not-applicable findings.
+ * 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk
+ * Adjustment); does not change pass/fail status, only impact via the impact field.
+ * 'operationalRequirement': deviation required by operational constraints (FedRAMP
+ * Operational Requirement); the finding cannot be remediated because the system requires
+ * the affected functionality. Remains an open risk. Migration note: 'exception' was removed
+ * in v3.1.0 — use 'waiver' with status 'notApplicable' instead.
+ *
+ * The type of override applied to this requirement.
+ *
+ * The type of amendment.
+ */
+export declare enum OverrideType {
+    Attestation = "attestation",
+    FalsePositive = "falsePositive",
+    Inherited = "inherited",
+    OperationalRequirement = "operationalRequirement",
+    Poam = "poam",
+    RiskAdjustment = "riskAdjustment",
+    Waiver = "waiver"
+}
+/**
+ * The current effective compliance status of this requirement after applying the most
+ * recent non-expired override with a status field, or computed from results (worst-wins) if
+ * no status-bearing overrides exist.
+ *
+ * The status of an individual test result. 'notApplicable' indicates the requirement does
+ * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
+ * requires manual verification).
+ *
+ * The status of this test within the requirement. Example: 'failed'.
+ *
+ * The new status this override sets for the requirement. Optional when only impact is being
+ * overridden.
+ *
+ * The new status this amendment sets. Optional when only impact is being overridden.
+ */
+export declare enum ResultStatus {
+    Error = "error",
+    Failed = "failed",
+    NotApplicable = "notApplicable",
+    NotReviewed = "notReviewed",
+    Passed = "passed"
+}
+/**
+ * FIRST.org EPSS (Exploit Prediction Scoring System) score for this CVE finding. Used
+ * alongside CVSS for prioritization — captures the probability the vulnerability will be
+ * exploited.
+ *
+ * FIRST.org Exploit Prediction Scoring System (EPSS) data for a single vulnerability. All
+ * three fields are required when an Epss object is present; the date disambiguates which
+ * day's score this is, since EPSS recomputes daily.
+ */
+export interface Epss {
+    /**
+     * ISO 8601 date (YYYY-MM-DD) on which FIRST.org published this EPSS score.
+     */
+    date: Date;
+    /**
+     * Rank of this score relative to all scored CVEs, expressed as a value between 0.0 and 1.0
+     * inclusive. A percentile of 0.99 means this CVE is scored at or above 99% of all scored
+     * CVEs.
+     */
+    percentile: number;
+    /**
+     * Exploit probability as a value between 0.0 and 1.0 inclusive. Higher values indicate
+     * greater predicted likelihood of exploitation in the next 30 days. Example: 0.97532 means
+     * roughly a 97.5% predicted probability.
+     */
+    score: number;
+    [property: string]: any;
+}
+/**
+ * Supporting evidence for a finding or override, such as screenshots, code samples, log
+ * excerpts, or URLs.
+ */
+export interface Evidence {
+    /**
+     * Timestamp when this evidence was captured. ISO 8601 format.
+     */
+    capturedAt?: Date;
+    /**
+     * Identity of who or what captured this evidence.
+     */
+    capturedBy?: Identity;
+    /**
+     * The evidence content. For screenshots/files: base64-encoded data or URL. For code/logs:
+     * the raw text. For URLs: the URL string.
+     */
+    data: string;
+    /**
+     * Human-readable description of what this evidence shows.
+     */
+    description?: string;
+    /**
+     * Encoding used for the data. Example: 'base64', 'utf-8'.
+     */
+    encoding?: string;
+    /**
+     * MIME type of the evidence. Example: 'image/png', 'text/plain', 'application/json'.
+     */
+    mimeType?: string;
+    /**
+     * Size of the evidence data in bytes.
+     */
+    size?: number;
+    /**
+     * The type of evidence being provided.
+     */
+    type: EvidenceType;
+    [property: string]: any;
+}
+/**
+ * Identity of who or what captured this evidence.
+ *
+ * Represents an identity that performed an action, such as capturing evidence or applying
+ * an override.
+ *
+ * Identity of who created this POA&M. For simple cases, use type 'simple' with just an
+ * identifier.
+ *
+ * Identity of who completed this milestone.
+ *
+ * The identity that created this signature.
+ *
+ * Identity of who applied this override. For simple cases, use type 'simple' with just an
+ * identifier.
+ *
+ * Identity of the person or system that approved this override.
+ *
+ * Team or individual responsible for this component. Enables per-component ownership when
+ * different teams manage different parts of a system.
+ *
+ * The identity of the person or system responsible for executing the test. This could be a
+ * human auditor manually completing a checklist, an automated CI/CD system, or a security
+ * tool. Optional field to support both automated and manual HDF generation.
+ *
+ * Team or individual responsible for this system's authorization and compliance. Maps to
+ * OSCAL responsible-party with role 'system-owner'.
+ *
+ * Default identity of who created this amendments document. Individual overrides may
+ * specify their own appliedBy.
+ *
+ * Identity of the authorizing official who approved these amendments.
+ *
+ * Identity of who applied this amendment.
+ *
+ * Identity of who prepared this evidence package.
+ */
+export interface Identity {
+    /**
+     * Optional description of the identity or identity system, particularly useful when type is
+     * 'other'.
+     */
+    description?: string;
+    /**
+     * The identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'.
+     */
+    identifier: string;
+    /**
+     * The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
+     * 'system' for automated systems, 'simple' for basic string identifiers without additional
+     * classification, or 'other' for custom identity systems.
+     */
+    type: IdentityType;
+    [property: string]: any;
+}
+/**
+ * The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
+ * 'system' for automated systems, 'simple' for basic string identifiers without additional
+ * classification, or 'other' for custom identity systems.
+ */
+export declare enum IdentityType {
+    Email = "email",
+    Other = "other",
+    Simple = "simple",
+    System = "system",
+    Username = "username"
+}
+/**
+ * The type of evidence being provided.
+ */
+export declare enum EvidenceType {
+    Code = "code",
+    File = "file",
+    Log = "log",
+    Other = "other",
+    Screenshot = "screenshot",
+    URL = "url"
+}
+/**
+ * CISA Known Exploited Vulnerabilities (KEV) catalog status. When inKev=true, dateAdded and
+ * dueDate carry the federal patching deadline.
+ */
+export interface Kev {
+    /**
+     * ISO 8601 calendar date (YYYY-MM-DD) the vulnerability was added to the CISA KEV catalog.
+     * Required when inKev is true.
+     */
+    dateAdded?: Date;
+    /**
+     * ISO 8601 calendar date (YYYY-MM-DD) by which federal agencies must remediate per CISA BOD
+     * 22-01. Normally later than dateAdded, but the schema does not enforce ordering because
+     * CISA occasionally adjusts published dates. Required when inKev is true.
+     */
+    dueDate?: Date;
+    /**
+     * Whether this vulnerability is currently in the CISA Known Exploited Vulnerabilities
+     * catalog. When true, dateAdded and dueDate are required.
+     */
+    inKev: boolean;
+    /**
+     * CISA's notes describing the vulnerability, observed exploitation, or remediation guidance.
+     */
+    notes?: string;
+    [property: string]: any;
+}
+/**
+ * Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance.
+ * POAMs do NOT change the effectiveStatus - the requirement remains in its current state
+ * while the POA&M tracks remediation efforts.
+ */
+export interface Poam {
+    /**
+     * Timestamp when this POA&M was created. ISO 8601 format.
+     */
+    appliedAt: Date;
+    /**
+     * Identity of who created this POA&M. For simple cases, use type 'simple' with just an
+     * identifier.
+     */
+    appliedBy: Identity;
+    /**
+     * Supporting evidence for this POA&M, such as documentation of compensating controls or
+     * mitigation implementation.
+     */
+    evidence?: Evidence[];
+    /**
+     * Optional expiration date for this POA&M requiring review/renewal. ISO 8601 format.
+     */
+    expiresAt?: Date;
+    /**
+     * Detailed explanation of the plan, including what actions will be taken.
+     */
+    explanation: string;
+    /**
+     * Optional array of milestones tracking progress toward completion.
+     */
+    milestones?: Milestone[];
+    /**
+     * SHA-256 checksum of the previous amendment in chronological order. Creates a
+     * tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
+     * on a requirement.
+     */
+    previousChecksum?: Checksum;
+    /**
+     * Optional digital signature for enhanced trust and non-repudiation.
+     */
+    signature?: Signature;
+    /**
+     * The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
+     * compensating controls. 'riskAcceptance' documents decision to accept risk.
+     * 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
+     */
+    type: POAMType;
+    [property: string]: any;
+}
+/**
+ * A milestone or task within a POA&M remediation plan.
+ */
+export interface Milestone {
+    /**
+     * Actual completion timestamp. ISO 8601 format.
+     */
+    completedAt?: Date;
+    /**
+     * Identity of who completed this milestone.
+     */
+    completedBy?: Identity;
+    /**
+     * Description of this milestone or task.
+     */
+    description: string;
+    /**
+     * Estimated completion date. ISO 8601 format.
+     */
+    estimatedCompletion: Date;
+    /**
+     * Current status of this milestone.
+     */
+    status: MilestoneStatus;
+    [property: string]: any;
+}
+/**
+ * Current status of this milestone.
+ */
+export declare enum MilestoneStatus {
+    Completed = "completed",
+    InProgress = "inProgress",
+    Pending = "pending"
+}
+/**
+ * Optional digital signature for enhanced trust and non-repudiation.
+ *
+ * A digital signature following W3C Data Integrity Proofs pattern. Supports hardware
+ * security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other cryptographic
+ * signing methods via JWK, PEM, or Base58 key formats.
+ *
+ * Optional digital signature for enhanced trust and non-repudiation. Supports hardware
+ * security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing
+ * methods.
+ *
+ * Digital signature for non-repudiation.
+ *
+ * Document-level digital signature covering all amendments.
+ *
+ * Digital signature covering the entire evidence package.
+ */
+export interface Signature {
+    /**
+     * Challenge value from the verifier, used in challenge-response authentication.
+     */
+    challenge?: string;
+    /**
+     * When the signature was created. ISO 8601 format.
+     */
+    created: Date;
+    /**
+     * The identity that created this signature.
+     */
+    creator: Identity;
+    /**
+     * Domain restriction for the signature, prevents cross-domain replay attacks.
+     */
+    domain?: string;
+    /**
+     * Random value to prevent replay attacks.
+     */
+    nonce?: string;
+    /**
+     * The purpose of this signature. Example: 'attestation', 'authentication',
+     * 'assertionMethod'.
+     */
+    proofPurpose: string;
+    /**
+     * The base64-encoded or base58-encoded signature value.
+     */
+    signatureValue: string;
+    /**
+     * The signature suite type. Example: 'JsonWebSignature2020', 'RsaSignature2018',
+     * 'Ed25519Signature2020'.
+     */
+    type: string;
+    /**
+     * The verification method containing the public key for signature verification.
+     */
+    verificationMethod: VerificationMethod;
+    [property: string]: any;
+}
+/**
+ * The verification method containing the public key for signature verification.
+ *
+ * Verification method containing the public key needed to verify a digital signature.
+ * Supports multiple key formats including JWK (for RSA, EC), PEM, and Base58.
+ */
+export interface VerificationMethod {
+    /**
+     * The entity that controls this verification method. Can be a DID, URI, or other identifier.
+     */
+    controller: string;
+    /**
+     * Public key in Base58 format, commonly used with Ed25519 keys.
+     */
+    publicKeyBase58?: string;
+    /**
+     * Public key in JSON Web Key format.
+     */
+    publicKeyJwk?: {
+        [key: string]: any;
+    };
+    /**
+     * Public key in PEM format. Example: '-----BEGIN PUBLIC KEY-----...-----END PUBLIC
+     * KEY-----'.
+     */
+    publicKeyPem?: string;
+    /**
+     * The type of verification method. Example: 'JsonWebKey2020', 'RsaVerificationKey2018',
+     * 'Ed25519VerificationKey2020'.
+     */
+    type: string;
+    [property: string]: any;
+}
+/**
+ * The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
+ * compensating controls. 'riskAcceptance' documents decision to accept risk.
+ * 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
+ */
+export declare enum POAMType {
+    Mitigation = "mitigation",
+    Remediation = "remediation",
+    RiskAcceptance = "riskAcceptance",
+    VendorDependency = "vendorDependency"
+}
+/**
+ * A reference to an external document.
+ *
+ * A reference using the 'ref' field.
+ *
+ * A URL pointing at the reference.
+ *
+ * A URI pointing at the reference.
+ */
+export interface Reference {
+    ref?: {
+        [key: string]: any;
+    }[] | string;
+    url?: string;
+    uri?: string;
+    [property: string]: any;
+}
+/**
+ * A test within a requirement and its results and findings such as how long it took to run.
+ */
+export interface RequirementResult {
+    /**
+     * The stacktrace/backtrace of the exception if one occurred.
+     */
+    backtrace?: string[];
+    /**
+     * A description of this test. Example: 'limits.conf * is expected to include ["hard",
+     * "maxlogins", "10"]'.
+     */
+    codeDesc: string;
+    /**
+     * The type of exception if an exception was thrown.
+     */
+    exception?: string;
+    /**
+     * An explanation of the test result. Typically provided for failed tests, errors, or to
+     * explain why a test was not applicable or not reviewed.
+     */
+    message?: string;
+    /**
+     * The resource used in the test. Example: 'file', 'command', 'service'.
+     */
+    resource?: string;
+    /**
+     * The unique identifier of the resource. Example: '/etc/passwd'.
+     */
+    resourceId?: string;
+    /**
+     * The execution time in seconds for the test.
+     */
+    runTime?: number;
+    /**
+     * The time at which the test started.
+     */
+    startTime: Date;
+    /**
+     * The status of this test within the requirement. Example: 'failed'.
+     */
+    status: ResultStatus;
+    [property: string]: any;
+}
+/**
+ * Explicit severity rating. Typically derived from impact score but provided explicitly for
+ * clarity.
+ *
+ * Severity rating for a requirement. Typically derived from the numeric impact score.
+ */
+export declare enum Severity {
+    Critical = "critical",
+    High = "high",
+    Informational = "informational",
+    Low = "low",
+    Medium = "medium"
+}
+/**
+ * The explicit location of the requirement within the source code.
+ *
+ * The explicit location of a requirement within source code.
+ */
+export interface SourceLocation {
+    /**
+     * The line on which this requirement is located.
+     */
+    line?: number;
+    /**
+     * Path to the file that this requirement originates from.
+     */
+    ref?: string;
+    [property: string]: any;
+}
+/**
+ * An intentional change to a requirement's compliance status and/or impact score. At least
+ * one of status or impact must be set. Overrides change the effectiveStatus or impact of
+ * the requirement. All overrides must have an expiration date to enforce periodic review.
+ */
+export interface StatusOverride {
+    /**
+     * Timestamp when this override was applied. ISO 8601 format.
+     */
+    appliedAt: Date;
+    /**
+     * Identity of who applied this override. For simple cases, use type 'simple' with just an
+     * identifier.
+     */
+    appliedBy: Identity;
+    /**
+     * Structured CVSS scoring data backing this override. Captures the rubric (which
+     * Environmental/Threat metrics the consumer modified, the recomputed score) used to justify
+     * a riskAdjustment. For other override types this is optional context.
+     */
+    cvss?: Cvss;
+    /**
+     * Supporting evidence for this override, such as screenshots demonstrating manual
+     * verification for attestations.
+     */
+    evidence?: Evidence[];
+    /**
+     * Timestamp when this override expires and must be reviewed/renewed. REQUIRED - no
+     * permanent overrides allowed. ISO 8601 format.
+     */
+    expiresAt: Date;
+    /**
+     * Override to the requirement's impact score. At least one of status or impact must be set.
+     */
+    impact?: ImpactOverride;
+    /**
+     * Structured controlled-vocabulary classification for why this override applies.
+     * Complements (does not replace) the free-text 'reason' field. Most useful on falsePositive
+     * and attestation overrides where the structured category enables filtering and lossless
+     * round-trip with VEX / OSCAL / FedRAMP DR. See the Justification primitive for the
+     * precedent vocabulary and rationale.
+     */
+    justification?: Justification;
+    /**
+     * SHA-256 checksum of the previous amendment in chronological order. Creates a
+     * tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
+     * on a requirement.
+     */
+    previousChecksum?: Checksum;
+    /**
+     * Explanation for why this override was applied.
+     */
+    reason: string;
+    /**
+     * Optional digital signature for enhanced trust and non-repudiation. Supports hardware
+     * security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing
+     * methods.
+     */
+    signature?: Signature;
+    /**
+     * The new status this override sets for the requirement. Optional when only impact is being
+     * overridden.
+     */
+    status?: ResultStatus;
+    /**
+     * The type of override applied to this requirement.
+     */
+    type: OverrideType;
+    [property: string]: any;
+}
+/**
+ * Override to the requirement's impact score. At least one of status or impact must be
+ * set.
+ *
+ * An override to the requirement's impact score. The prior impact is the original result
+ * value or the preceding override in the chain.
+ */
+export interface ImpactOverride {
+    /**
+     * The overridden impact score (0.0–1.0).
+     */
+    value: number;
+    [property: string]: any;
+}
+/**
+ * Structured controlled-vocabulary classification for why this override applies.
+ * Complements (does not replace) the free-text 'reason' field. Most useful on falsePositive
+ * and attestation overrides where the structured category enables filtering and lossless
+ * round-trip with VEX / OSCAL / FedRAMP DR. See the Justification primitive for the
+ * precedent vocabulary and rationale.
+ *
+ * Structured controlled-vocabulary reason for an override, complementing the free-text
+ * 'reason' field. 'reason' carries the human-readable rationale an auditor reads;
+ * 'justification' carries the machine-readable category enabling filtering, aggregation,
+ * and lossless round-trip with structured ecosystems (VEX, OSCAL, FedRAMP DR). Both fields
+ * may be present simultaneously and are NOT redundant: 'reason' explains the specific
+ * circumstance; 'justification' classifies it. Authors SHOULD populate both when a
+ * controlled-vocabulary value applies — the enum value alone is not self-explanatory to an
+ * auditor. The vocabulary is drawn from the VEX ecosystem: the first five values are common
+ * across OpenVEX, CSAF VEX, and CycloneDX VEX; the remaining six (requires_configuration /
+ * requires_dependency / requires_environment / protected_by_compiler / protected_at_runtime
+ * / protected_at_perimeter) are CycloneDX-specific and describe why the vulnerable code
+ * path is unreachable in the deployed configuration. The enum is extended additively across
+ * schema versions as other ecosystems' controlled vocabularies are integrated; documents
+ * using values added in a newer schema version will fail validation against an older
+ * schema. Consumers SHOULD validate against the schema version declared by the document
+ * ($schema) rather than assume a fixed vocabulary.
+ */
+export declare enum Justification {
+    ComponentNotPresent = "component_not_present",
+    InlineMitigationsAlreadyExist = "inline_mitigations_already_exist",
+    ProtectedAtPerimeter = "protected_at_perimeter",
+    ProtectedAtRuntime = "protected_at_runtime",
+    ProtectedByCompiler = "protected_by_compiler",
+    RequiresConfiguration = "requires_configuration",
+    RequiresDependency = "requires_dependency",
+    RequiresEnvironment = "requires_environment",
+    VulnerableCodeCannotBeControlledByAdversary = "vulnerable_code_cannot_be_controlled_by_adversary",
+    VulnerableCodeNotInExecutePath = "vulnerable_code_not_in_execute_path",
+    VulnerableCodeNotPresent = "vulnerable_code_not_present"
+}
+/**
+ * How this requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+ * omitted, consumers should not infer a default.
+ *
+ * How a requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
+ * disambiguate from the unrelated Verification_Method DID-context struct.
+ */
+export declare enum VerificationMethodEnum {
+    Automated = "automated",
+    Hybrid = "hybrid",
+    ManualByDesign = "manual-by-design",
+    ManualPendingAutomation = "manual-pending-automation"
+}
+/**
+ * A supported platform target. Example: the platform name being 'ubuntu'.
+ */
+export interface SupportedPlatform {
+    /**
+     * The location of the platform. Can be: 'os', 'aws', 'azure', or 'gcp'.
+     */
+    platform?: string;
+    /**
+     * The platform family. Example: 'redhat'.
+     */
+    platformFamily?: string;
+    /**
+     * The platform name - can include wildcards. Example: 'debian'.
+     */
+    platformName?: string;
+    /**
+     * The release of the platform. Example: '20.04' for 'ubuntu'.
+     */
+    release?: string;
+    [property: string]: any;
+}
+/**
+ * A system component. Uses discriminated union pattern with 'type' field as discriminator.
+ * Superset of Target with identity, external IDs, and SBOM support.
+ *
+ * A physical or virtual server, workstation, or network device.
+ *
+ * Base properties shared by all component types. Extends the Target concept with stable
+ * identity, external references, and SBOM embedding.
+ *
+ * A static container image (not running).
+ *
+ * A running container instance.
+ *
+ * A container orchestration platform (Kubernetes, OpenShift, ECS, etc.).
+ *
+ * A cloud provider account (AWS account, Azure subscription, GCP project).
+ *
+ * A specific cloud resource (EC2 instance, S3 bucket, Azure VM, etc.).
+ *
+ * A code repository (for SAST tools).
+ *
+ * A running application or API (for DAST tools).
+ *
+ * A software artifact or dependency (for SCA tools).
+ *
+ * A network segment or network device.
+ *
+ * A database instance.
+ */
+export interface Component {
+    /**
+     * Names of baselines that apply to this component.
+     */
+    baselineRefs?: string[];
+    /**
+     * Stable UUID (RFC 4122) for this component. Required in hdf-system documents, optional in
+     * hdf-results. Enables cross-document correlation, diffing, and data flow references.
+     */
+    componentId?: string;
+    /**
+     * Description of this component's role or purpose.
+     */
+    description?: string;
+    /**
+     * Map of external identifier scheme to value. Well-known schemes: aws (instance ID), azure
+     * (resource ID), cmdb (asset ID), emass (system ID), cve (CVE ID). Custom schemes are
+     * allowed.
+     */
+    externalIds?: {
+        [key: string]: string;
+    };
+    /**
+     * System-specific overrides for baseline input values.
+     */
+    inputOverrides?: InputOverride[];
+    /**
+     * Optional key-value labels for flexible grouping. Well-known keys: system, component,
+     * environment, region, team. Values must be strings.
+     */
+    labels?: {
+        [key: string]: string;
+    };
+    /**
+     * Human-readable name for this component.
+     */
+    name: string;
+    /**
+     * Team or individual responsible for this component. Enables per-component ownership when
+     * different teams manage different parts of a system.
+     */
+    owner?: Identity;
+    /**
+     * Embedded CycloneDX or SPDX SBOM document representing this component's software
+     * inventory. The sbomFormat field determines which format constraints apply.
+     */
+    sbom?: any;
+    /**
+     * Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
+     */
+    sbomFormat?: SBOMFormat;
+    /**
+     * URI reference to an external CycloneDX or SPDX SBOM document for this component. May be a
+     * relative path, absolute URI, or fragment identifier.
+     */
+    sbomRef?: string;
+    /**
+     * Label selector to match targets belonging to this component during migration. Targets
+     * with matching labels are automatically included.
+     */
+    targetSelector?: {
+        [key: string]: string;
+    };
+    /**
+     * Component type discriminator. Same values as Target types.
+     */
+    type: TargetType;
+    /**
+     * Fully qualified domain name.
+     */
+    fqdn?: string;
+    /**
+     * IP address of the host.
+     */
+    ipAddress?: string;
+    /**
+     * MAC address in colon-separated hexadecimal format.
+     */
+    macAddress?: string;
+    /**
+     * Operating system name.
+     */
+    osName?: string;
+    /**
+     * Operating system version.
+     */
+    osVersion?: string;
+    /**
+     * Image digest for immutable reference.
+     */
+    digest?: string;
+    /**
+     * Container image ID.
+     */
+    imageId?: string;
+    /**
+     * Container registry. Example: 'docker.io'.
+     */
+    registry?: string;
+    /**
+     * Repository name. Example: 'library/nginx'.
+     */
+    repository?: string;
+    /**
+     * Image tag. Example: '1.25'.
+     */
+    tag?: string;
+    /**
+     * Running container ID.
+     */
+    containerId?: string;
+    /**
+     * Image the container was started from.
+     */
+    image?: string;
+    /**
+     * Container runtime. Example: 'docker', 'containerd', 'cri-o'.
+     */
+    runtime?: string;
+    /**
+     * Cluster name.
+     */
+    clusterName?: string;
+    /**
+     * Namespace within the cluster, if applicable.
+     */
+    namespace?: string;
+    /**
+     * Platform type. Example: 'kubernetes', 'openshift', 'ecs', 'docker-swarm'.
+     */
+    platformType?: string;
+    /**
+     * Platform version.
+     *
+     * Application version.
+     *
+     * Package version.
+     *
+     * Database version.
+     */
+    version?: string;
+    /**
+     * Cloud account identifier.
+     */
+    accountId?: string;
+    /**
+     * Cloud provider.
+     */
+    provider?: CloudProvider | null;
+    /**
+     * Cloud region, if applicable.
+     *
+     * Cloud region where the resource resides.
+     */
+    region?: string;
+    /**
+     * Amazon Resource Name (AWS only).
+     */
+    arn?: string;
+    /**
+     * Provider-specific resource identifier.
+     */
+    resourceId?: string;
+    /**
+     * Type of cloud resource. Example: 'ec2:instance', 's3:bucket'.
+     */
+    resourceType?: string;
+    /**
+     * Branch that was scanned.
+     */
+    branch?: string;
+    /**
+     * Commit SHA that was scanned.
+     */
+    commit?: string;
+    /**
+     * Repository URL.
+     *
+     * Application URL (for DAST tools).
+     */
+    url?: string;
+    /**
+     * Environment. Example: 'production', 'staging', 'development'.
+     */
+    environment?: string;
+    /**
+     * Package checksum for verification.
+     */
+    checksum?: string;
+    /**
+     * Package manager. Example: 'npm', 'maven', 'pip', 'nuget'.
+     */
+    packageManager?: string;
+    /**
+     * Package name.
+     */
+    packageName?: string;
+    /**
+     * Network CIDR block.
+     */
+    cidr?: string;
+    /**
+     * Network gateway address.
+     */
+    gateway?: string;
+    /**
+     * Database engine. Example: 'postgresql', 'mysql', 'oracle', 'mssql'.
+     */
+    engine?: string;
+    /**
+     * Database host.
+     */
+    host?: string;
+    /**
+     * Database port.
+     */
+    port?: number;
+    [property: string]: any;
+}
+/**
+ * An override of a baseline input value for a specific component. Enables system-specific
+ * tailoring of baseline parameters.
+ */
+export interface InputOverride {
+    /**
+     * Identity of the person or system that approved this override.
+     */
+    approvedBy?: Identity;
+    /**
+     * Name of the baseline this override applies to. If omitted, applies to all baselines that
+     * define this input.
+     */
+    baselineRef?: string;
+    /**
+     * Name of the input being overridden. Must match an Input.name in the referenced baseline.
+     */
+    inputName: string;
+    /**
+     * Rationale for why this override is needed.
+     */
+    justification?: string;
+    /**
+     * The overridden value. Should match the type of the original input.
+     */
+    value: any;
+    [property: string]: any;
+}
+export declare enum CloudProvider {
+    Aws = "aws",
+    Azure = "azure",
+    Gcp = "gcp",
+    Oci = "oci",
+    Other = "other"
+}
+/**
+ * Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
+ */
+export declare enum SBOMFormat {
+    Cyclonedx = "cyclonedx",
+    Spdx = "spdx"
+}
+/**
+ * Component type discriminator. Same values as Target types.
+ */
+export declare enum TargetType {
+    Application = "application",
+    Artifact = "artifact",
+    CloudAccount = "cloudAccount",
+    CloudResource = "cloudResource",
+    ContainerImage = "containerImage",
+    ContainerInstance = "containerInstance",
+    ContainerPlatform = "containerPlatform",
+    Database = "database",
+    Host = "host",
+    Network = "network",
+    Repository = "repository"
+}
+/**
+ * Information about the tool that generated this file.
+ *
+ * Information about the tool that generated this HDF file.
+ *
+ * The tool that generated this file.
+ *
+ * Information about the tool that generated this comparison.
+ *
+ * Information about the tool that generated this system document.
+ *
+ * Information about the tool that generated this plan.
+ *
+ * Information about the tool that generated this document.
+ */
+export interface Generator {
+    /**
+     * The name of the software that produced this HDF file. Example: 'gosec-to-hdf'.
+     */
+    name: string;
+    /**
+     * The version of the tool. Example: '5.22.3'.
+     */
+    version: string;
+    [property: string]: any;
+}
+/**
+ * Optional reference to automated remediation resources (Ansible playbooks, Terraform
+ * scripts, etc.) for fixing failing requirements found in this assessment.
+ *
+ * Reference to automated remediation resources for implementing security controls. Points
+ * to external automation content like Ansible playbooks, Terraform scripts, or
+ * vendor-provided remediation tools.
+ *
+ * Optional reference to automated remediation resources (Ansible playbooks, Terraform
+ * scripts, etc.) for implementing the security controls defined in this baseline.
+ */
+export interface Remediation {
+    /**
+     * Optional cryptographic checksum for verifying the integrity of remediation resources
+     * fetched from the URI. Recommended for security when referencing external automation
+     * scripts.
+     */
+    checksum?: Checksum;
+    /**
+     * URI pointing to automated remediation resources (Ansible playbooks, Terraform scripts,
+     * etc.). Examples: GitHub repository, DISA STIG Supplemental Automation Content,
+     * vendor-provided scripts.
+     */
+    uri: string;
+    [property: string]: any;
+}
+/**
+ * Information about the test execution environment where the security tool was run.
+ * Distinct from targets (what is being tested).
+ *
+ * Information about the test execution environment. This is distinct from the target being
+ * scanned - the runner is where the security tool executes, while targets are what is being
+ * assessed.
+ */
+export interface Runner {
+    /**
+     * The CPU architecture of the runner system. Example: 'x86_64', 'arm64', 'aarch64'.
+     */
+    architecture?: string;
+    /**
+     * The container instance identifier. Example: 'a1b2c3d4e5f6', 'security-scan-job-xyz123'.
+     * Can be a Docker container ID, Kubernetes pod name, or other container runtime identifier.
+     */
+    containerId?: string;
+    /**
+     * The container image used for the test execution. Example: 'inspec/inspec:latest',
+     * 'ghcr.io/my-org/scanner:v2.1.0'. Useful for CI/CD pipelines where tests run in containers.
+     */
+    containerImage?: string;
+    /**
+     * The hostname of the runner system. Example: 'ci-runner-01', 'jenkins-agent-03',
+     * 'k8s-node-worker-03'.
+     */
+    hostname?: string;
+    /**
+     * The name of the runner environment. Examples: 'ubuntu', 'macos', 'windows', 'docker',
+     * 'kubernetes-pod', 'manual'.
+     */
+    name: string;
+    /**
+     * The identity of the person or system responsible for executing the test. This could be a
+     * human auditor manually completing a checklist, an automated CI/CD system, or a security
+     * tool. Optional field to support both automated and manual HDF generation.
+     */
+    operator?: Identity;
+    /**
+     * The version/release of the operating system or runtime. Example: '20.04', '13.2', '11'.
+     */
+    release?: string;
+    [property: string]: any;
+}
+/**
+ * Statistics for the assessment run, including duration and result counts.
+ *
+ * Statistics for the assessment run(s) such as duration and result counts.
+ */
+export interface Statistics {
+    /**
+     * How long (in seconds) this assessment run took.
+     */
+    duration?: number;
+    /**
+     * Breakdowns of requirement statistics by result status.
+     */
+    requirements?: StatisticHash;
+    [property: string]: any;
+}
+/**
+ * Breakdowns of requirement statistics by result status.
+ *
+ * Statistics for requirement results, grouped by status.
+ */
+export interface StatisticHash {
+    /**
+     * Statistics for requirements that encountered an error during assessment.
+     */
+    error?: StatisticBlock;
+    /**
+     * Statistics for requirements that failed.
+     */
+    failed?: StatisticBlock;
+    /**
+     * Statistics for requirements that are not applicable to the target.
+     */
+    notApplicable?: StatisticBlock;
+    /**
+     * Statistics for requirements that were not reviewed (manual check required).
+     */
+    notReviewed?: StatisticBlock;
+    /**
+     * Statistics for requirements that passed.
+     */
+    passed?: StatisticBlock;
+    [property: string]: any;
+}
+/**
+ * Statistics for requirements that encountered an error during assessment.
+ *
+ * Statistics for a given item, such as the total count.
+ *
+ * Statistics for requirements that failed.
+ *
+ * Statistics for requirements that are not applicable to the target.
+ *
+ * Statistics for requirements that were not reviewed (manual check required).
+ *
+ * Statistics for requirements that passed.
+ */
+export interface StatisticBlock {
+    /**
+     * The total count. Example: the total number of requirements in a given category for a run.
+     */
+    total: number;
+    [property: string]: any;
+}
+/**
+ * The security tool that produced the assessment data in this file.
+ *
+ * The security tool that produced the assessment data represented in this HDF file. Aligns
+ * with SARIF, OSCAL, and CycloneDX terminology.
+ *
+ * The security tool that produced the assessment data in this source.
+ */
+export interface Tool {
+    /**
+     * The file format, if it is a recognized named format shared by multiple tools. Examples:
+     * 'SARIF', 'XCCDF'. Omit for tool-specific formats where the tool name already implies the
+     * format (Nessus XML, gosec JSON).
+     */
+    format?: string;
+    /**
+     * The name of the security tool that produced the data. Examples: 'gosec', 'Semgrep',
+     * 'OpenSCAP', 'AWS Config', 'Nessus'. Omit if the tool cannot be identified.
+     */
+    name?: string;
+    /**
+     * Version of the source tool, if available in the tool's output. Example: '5.22.3'.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * Information on the set of requirements that can be assessed, including baseline metadata
+ * and requirement definitions.
+ *
+ * Shared metadata fields for baselines. Used in both standalone baseline documents and
+ * evaluated baseline results.
+ */
+export interface HDFBaseline {
+    /**
+     * The set of dependencies this baseline depends on.
+     */
+    depends?: Dependency[];
+    /**
+     * The tool that generated this file.
+     */
+    generator?: Generator;
+    /**
+     * A set of descriptions for the requirement groups.
+     */
+    groups?: RequirementGroup[];
+    /**
+     * The input(s) or attribute(s) to be used in the run.
+     */
+    inputs?: Input[];
+    /**
+     * Cryptographic integrity information for verifying this baseline has not been tampered
+     * with.
+     */
+    integrity?: Integrity;
+    /**
+     * Optional reference to automated remediation resources (Ansible playbooks, Terraform
+     * scripts, etc.) for implementing the security controls defined in this baseline.
+     */
+    remediation?: Remediation;
+    /**
+     * The set of requirements - contains no findings as the assessment has not yet occurred.
+     */
+    requirements: BaselineRequirement[];
+    /**
+     * The name - must be unique.
+     */
+    name: string;
+    /**
+     * The copyright holder(s).
+     */
+    copyright?: string;
+    /**
+     * The email address or other contact information of the copyright holder(s).
+     */
+    copyrightEmail?: string;
+    /**
+     * Optional key-value labels for flexible grouping. Well-known keys: system, component,
+     * environment, region, team. Values must be strings.
+     */
+    labels?: {
+        [key: string]: string;
+    };
+    /**
+     * The copyright license. Example: 'Apache-2.0'.
+     */
+    license?: string;
+    /**
+     * The maintainer(s).
+     */
+    maintainer?: string;
+    /**
+     * The status. Example: 'loaded'.
+     */
+    status?: string;
+    /**
+     * The summary. Example: the Security Technical Implementation Guide (STIG) header.
+     */
+    summary?: string;
+    /**
+     * The set of supported platform targets.
+     */
+    supports?: SupportedPlatform[];
+    /**
+     * The title - should be human readable.
+     */
+    title?: string;
+    /**
+     * The version of the baseline.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * A requirement definition without assessment results.
+ *
+ * Core requirement fields shared between baseline requirements and evaluated requirements.
+ * Contains the fundamental requirement definition without assessment results.
+ */
+export interface BaselineRequirement {
+    /**
+     * Array of labeled descriptions. At least one description with label 'default' must be
+     * present. Convention: place default description first. Common labels: 'default', 'check',
+     * 'fix', 'rationale'.
+     */
+    descriptions: Description[];
+    /**
+     * Explicit severity rating. Typically derived from impact score but provided explicitly for
+     * clarity.
+     */
+    severity?: Severity;
+    /**
+     * The requirement identifier. Example: 'SV-238196'.
+     */
+    id: string;
+    /**
+     * The impactfulness or severity (0.0 to 1.0).
+     */
+    impact: number;
+    /**
+     * A set of tags - usually metadata like CCI, STIG ID, severity.
+     */
+    tags: {
+        [key: string]: any;
+    };
+    /**
+     * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+     * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+     * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+     * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+     * Optional: when omitted, consumers should treat the requirement as 'required' by
+     * convention.
+     */
+    applicability?: Applicability;
+    /**
+     * The raw source code of the requirement. Set to null for manual-only requirements or
+     * requirements not yet implemented; use verificationMethod to disambiguate manual-by-design
+     * from manual-pending-automation. Note that if this is an overlay, it does not include the
+     * underlying source code.
+     */
+    code?: string;
+    /**
+     * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+     * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+     * process; 'technical' = an enforced technical configuration; 'management' = a
+     * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+     * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+     * family/id but should not assume a default.
+     */
+    controlType?: ControlType;
+    /**
+     * The set of references to external documents.
+     */
+    refs?: Reference[];
+    /**
+     * The explicit location of the requirement within the source code.
+     */
+    sourceLocation?: SourceLocation;
+    /**
+     * The title - is nullable.
+     */
+    title?: string;
+    /**
+     * How this requirement is intended to be verified. Disambiguates the two cases that null
+     * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+     * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+     * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+     * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+     * omitted, consumers should not infer a default.
+     */
+    verificationMethod?: VerificationMethodEnum;
+    [property: string]: any;
+}
+/**
+ * Structured comparison between two or more HDF security assessment documents. Supports
+ * temporal, baseline, fleet, and multi-source comparison modes.
+ */
+export interface HDFComparison {
+    /**
+     * Map of annotation IDs to annotation objects, providing context or action items for
+     * requirement diffs.
+     */
+    annotations?: {
+        [key: string]: Annotation;
+    };
+    /**
+     * Comparison of baselines between sources.
+     */
+    baselineDiffs?: BaselineDiff[];
+    /**
+     * The mode of comparison being performed.
+     */
+    comparisonMode: ComparisonMode;
+    /**
+     * Comparison of components between two system documents. Used in systemDrift mode.
+     */
+    componentDiffs?: ComponentDiff[];
+    /**
+     * External/metadata changes separate from status changes (Terraform pattern).
+     */
+    drift?: RequirementDiff[];
+    /**
+     * Reserved for tool-specific data not defined in the HDF standard.
+     */
+    extensions?: {
+        [key: string]: any;
+    };
+    /**
+     * Schema version for this comparison format.
+     */
+    formatVersion: FormatVersion;
+    /**
+     * Information about the tool that generated this comparison.
+     */
+    generator?: Generator;
+    /**
+     * Cryptographic integrity information for verifying this comparison document.
+     */
+    integrity?: Integrity;
+    /**
+     * Configuration for how requirements were matched across sources.
+     */
+    matching?: MatchingConfig;
+    /**
+     * Comparison of packages between two SBOMs. Used in systemDrift mode for SBOM comparison.
+     */
+    packageDiffs?: PackageDiff[];
+    /**
+     * Detailed comparison of individual requirements between sources.
+     */
+    requirementDiffs: RequirementDiff[];
+    /**
+     * The source documents being compared. At least two sources are required.
+     */
+    sources: Source[];
+    /**
+     * Summary statistics for the overall comparison.
+     */
+    summary: ComparisonSummary;
+    /**
+     * URI identifying the system being compared in systemDrift mode.
+     */
+    systemRef?: string;
+    /**
+     * When this comparison was performed.
+     */
+    timestamp?: Date;
+    [property: string]: any;
+}
+/**
+ * An annotation attached to a comparison, providing context or action items.
+ */
+export interface Annotation {
+    /**
+     * The category of this annotation.
+     */
+    category?: AnnotationCategory;
+    /**
+     * Detailed description of the annotation.
+     */
+    description?: string;
+    /**
+     * Human-readable label for this annotation.
+     */
+    label: string;
+    /**
+     * Whether this annotation requires human confirmation before acting on it.
+     */
+    needsConfirmation?: boolean;
+    [property: string]: any;
+}
+/**
+ * The category of this annotation.
+ *
+ * The category of an annotation attached to a comparison.
+ */
+export declare enum AnnotationCategory {
+    BaselineChange = "baselineChange",
+    Drift = "drift",
+    Remediation = "remediation",
+    ScannerNote = "scannerNote",
+    Waiver = "waiver"
+}
+/**
+ * Comparison of a baseline between sources.
+ */
+export interface BaselineDiff {
+    /**
+     * The source of any ID mapping used to correlate requirements across baseline versions.
+     */
+    mappingSource?: string;
+    /**
+     * Name of the baseline being compared.
+     */
+    name: string;
+    /**
+     * Version of the baseline in the new source.
+     */
+    newVersion?: string;
+    /**
+     * Version of the baseline in the old source.
+     */
+    oldVersion?: string;
+    /**
+     * The state of this baseline in the comparison.
+     */
+    state: BaselineDiffState;
+    [property: string]: any;
+}
+/**
+ * The state of this baseline in the comparison.
+ *
+ * The state of this component in the comparison.
+ */
+export declare enum BaselineDiffState {
+    Absent = "absent",
+    New = "new",
+    Unchanged = "unchanged",
+    Updated = "updated"
+}
+/**
+ * The mode of comparison being performed.
+ *
+ * The mode of comparison. 'temporal' compares the same target over time. 'baseline'
+ * compares against a golden reference. 'fleet' compares across multiple systems.
+ * 'multiSource' compares outputs from different scanners. 'baselineEvolution' compares two
+ * baseline documents to detect requirement changes between versions. 'systemDrift' compares
+ * two system documents to detect component-level changes.
+ */
+export declare enum ComparisonMode {
+    Baseline = "baseline",
+    BaselineEvolution = "baselineEvolution",
+    Fleet = "fleet",
+    MultiSource = "multiSource",
+    SystemDrift = "systemDrift",
+    Temporal = "temporal"
+}
+/**
+ * Comparison of a single component between two system document versions.
+ */
+export interface ComponentDiff {
+    /**
+     * Component snapshot from the new system document. Null when state is 'absent'.
+     */
+    after?: any;
+    /**
+     * Component snapshot from the old system document. Null when state is 'new'.
+     */
+    before?: any;
+    /**
+     * Detailed field-level changes between the before and after component snapshots.
+     */
+    fieldChanges?: FieldChange[];
+    /**
+     * Component name used for matching across system versions.
+     */
+    name: string;
+    /**
+     * The state of this component in the comparison.
+     */
+    state: BaselineDiffState;
+    [property: string]: any;
+}
+/**
+ * A single field-level change between two versions of a requirement.
+ */
+export interface FieldChange {
+    /**
+     * The new value of the field (for 'add' and 'replace' operations).
+     */
+    newValue?: any;
+    /**
+     * The previous value of the field (for 'remove' and 'replace' operations).
+     */
+    oldValue?: any;
+    /**
+     * The type of change operation.
+     */
+    op: Op;
+    /**
+     * JSON Pointer path to the changed field.
+     */
+    path: string;
+    [property: string]: any;
+}
+/**
+ * The type of change operation.
+ */
+export declare enum Op {
+    Add = "add",
+    Remove = "remove",
+    Replace = "replace"
+}
+/**
+ * A comparison of a single requirement between sources, including state, changes, and full
+ * before/after snapshots.
+ */
+export interface RequirementDiff {
+    /**
+     * The requirement as it appeared in the new source. Null when state is 'absent'.
+     */
+    after: any;
+    /**
+     * Sensitive data from the new source that should not be included in the main after snapshot.
+     */
+    afterSensitive?: {
+        [key: string]: any;
+    };
+    /**
+     * IDs of annotations attached to this requirement diff.
+     */
+    annotationIds?: string[];
+    /**
+     * The requirement as it appeared in the old/reference source. Null when state is 'new'.
+     */
+    before: any;
+    /**
+     * Sensitive data from the old source that should not be included in the main before
+     * snapshot.
+     */
+    beforeSensitive?: {
+        [key: string]: any;
+    };
+    /**
+     * The reasons for the state change.
+     */
+    changeReasons: ChangeReason[];
+    /**
+     * Conflicts between multiple scanner results for this requirement.
+     */
+    conflicts?: ScannerConflict[];
+    /**
+     * Detailed field-level changes between the before and after versions.
+     */
+    fieldChanges: FieldChange[];
+    /**
+     * The canonical requirement identifier used for this diff.
+     */
+    id: string;
+    /**
+     * Confidence score for the match (0-1).
+     */
+    matchConfidence?: number;
+    /**
+     * Whether the match was manually confirmed by a human.
+     */
+    matchManual?: boolean;
+    /**
+     * The strategy that was used to match this requirement across sources.
+     */
+    matchStrategy?: MatchStrategy;
+    /**
+     * The effective status of the requirement in the new source.
+     */
+    newEffectiveStatus?: string;
+    /**
+     * The requirement ID in the new source, if different from the canonical id.
+     */
+    newId?: string;
+    /**
+     * The impact score of the requirement in the new source (0-1).
+     */
+    newImpact?: number;
+    /**
+     * The effective status of the requirement in the old source.
+     */
+    oldEffectiveStatus?: string;
+    /**
+     * The requirement ID in the old source, if different from the canonical id.
+     */
+    oldId?: string;
+    /**
+     * The impact score of the requirement in the old source (0-1).
+     */
+    oldImpact?: number;
+    /**
+     * Index into the sources array for multi-source comparisons.
+     */
+    sourceIndex?: number;
+    /**
+     * The state of this requirement in the comparison.
+     */
+    state: RequirementState;
+    /**
+     * The requirement title for human readability.
+     */
+    title?: string;
+    [property: string]: any;
+}
+/**
+ * The reason a requirement's state changed between sources.
+ */
+export declare enum ChangeReason {
+    BaselineUpgraded = "baselineUpgraded",
+    ConfigChanged = "configChanged",
+    ControlMapped = "controlMapped",
+    ImpactChanged = "impactChanged",
+    MetadataChanged = "metadataChanged",
+    OverrideAdded = "overrideAdded",
+    OverrideExpired = "overrideExpired",
+    OverrideModified = "overrideModified",
+    OverrideRemoved = "overrideRemoved",
+    ResultChanged = "resultChanged",
+    ScannerChanged = "scannerChanged",
+    TargetChanged = "targetChanged"
+}
+/**
+ * A conflict between scanner results for the same requirement.
+ */
+export interface ScannerConflict {
+    /**
+     * The field where the conflict occurs.
+     */
+    field: string;
+    /**
+     * How the conflict was resolved.
+     */
+    resolution?: ConflictResolution;
+    /**
+     * Index of the source whose value was chosen as the resolution.
+     */
+    resolvedIndex?: number;
+    /**
+     * The conflicting values from each source.
+     */
+    values: Value[];
+    [property: string]: any;
+}
+/**
+ * How the conflict was resolved.
+ *
+ * How a conflict between multiple scanner results was resolved.
+ */
+export declare enum ConflictResolution {
+    Manual = "manual",
+    MostRecent = "mostRecent",
+    MostSevere = "mostSevere",
+    Unresolved = "unresolved"
+}
+export interface Value {
+    /**
+     * Zero-based index into the sources array.
+     */
+    sourceIndex: number;
+    /**
+     * Human-readable label for the source.
+     */
+    sourceLabel: string;
+    /**
+     * The value reported by this source for the conflicting field.
+     */
+    value: any;
+    [property: string]: any;
+}
+/**
+ * The strategy that was used to match this requirement across sources.
+ *
+ * The strategy used to match requirements across sources. 'exactId' matches by identical
+ * IDs. 'mappedId' uses an ID mapping table. 'cciMatch'/'nistMatch' match by framework
+ * identifiers. 'fuzzyTitle'/'fuzzyContent' use text similarity.
+ *
+ * The primary strategy used to match requirements across sources.
+ */
+export declare enum MatchStrategy {
+    CciMatch = "cciMatch",
+    ExactID = "exactId",
+    FuzzyContent = "fuzzyContent",
+    FuzzyTitle = "fuzzyTitle",
+    MappedID = "mappedId",
+    NISTMatch = "nistMatch"
+}
+/**
+ * The state of this requirement in the comparison.
+ *
+ * SARIF-compatible vocabulary extended for security. 'new' = present only in new source,
+ * 'absent' = present only in old, 'unchanged' = same effective status, 'updated' = status
+ * changed (generic), 'fixed' = was failing now passing, 'regressed' = was passing now
+ * failing, 'moved' = reorganized same content, 'split'/'merged' = reserved for v1.1.
+ */
+export declare enum RequirementState {
+    Absent = "absent",
+    Fixed = "fixed",
+    Merged = "merged",
+    Moved = "moved",
+    New = "new",
+    Regressed = "regressed",
+    Split = "split",
+    Unchanged = "unchanged",
+    Updated = "updated"
+}
+export declare enum FormatVersion {
+    The100 = "1.0.0"
+}
+/**
+ * Configuration for how requirements were matched across sources.
+ *
+ * Configuration for how requirements are matched across sources.
+ */
+export interface MatchingConfig {
+    /**
+     * Ordered list of fallback strategies tried when the primary strategy fails to find a match.
+     */
+    fallbackStrategies?: MatchStrategy[];
+    /**
+     * Fields used to compute a fingerprint for fuzzy matching.
+     */
+    fingerprintFields?: string[];
+    /**
+     * URI pointing to an external mapping table used for ID translation.
+     */
+    mappingTableUri?: string;
+    /**
+     * Minimum confidence score (0-1) required to accept a match.
+     */
+    minimumConfidence?: number;
+    /**
+     * The primary strategy used to match requirements across sources.
+     */
+    primaryStrategy: MatchStrategy;
+    [property: string]: any;
+}
+/**
+ * Comparison of a single package between two SBOM versions, matched by purl.
+ */
+export interface PackageDiff {
+    /**
+     * License identifiers for this package.
+     */
+    licenses?: string[];
+    /**
+     * Human-readable package name.
+     */
+    name?: string;
+    /**
+     * Package version in the new SBOM.
+     */
+    newVersion?: string;
+    /**
+     * Package version in the old SBOM.
+     */
+    oldVersion?: string;
+    /**
+     * Package URL (purl) used as the identity key for matching across SBOMs.
+     */
+    purl: string;
+    /**
+     * The state of this package: added (new in new SBOM), removed (absent from new SBOM),
+     * updated (version changed), unchanged.
+     */
+    state: PackageDiffState;
+    [property: string]: any;
+}
+/**
+ * The state of this package: added (new in new SBOM), removed (absent from new SBOM),
+ * updated (version changed), unchanged.
+ */
+export declare enum PackageDiffState {
+    Added = "added",
+    Removed = "removed",
+    Unchanged = "unchanged",
+    Updated = "updated"
+}
+/**
+ * A source document participating in the comparison.
+ */
+export interface Source {
+    /**
+     * When the source assessment was performed. ISO 8601 format.
+     */
+    assessmentTimestamp?: Date;
+    /**
+     * Reference to the baseline used in this source assessment.
+     */
+    baselineRef?: BaselineRef;
+    /**
+     * Cryptographic checksum of the source document for integrity verification.
+     */
+    checksum?: Checksum;
+    /**
+     * The components assessed in this source.
+     */
+    components?: Component[];
+    /**
+     * Human-readable label for this source. Example: 'Before remediation scan'.
+     */
+    label: string;
+    /**
+     * The original format of the source document before conversion to HDF.
+     */
+    originalFormat?: OriginalFormat;
+    /**
+     * The role of this source in the comparison.
+     */
+    role: SourceRole;
+    /**
+     * The security tool that produced the assessment data in this source.
+     */
+    tool?: Tool;
+    /**
+     * URI pointing to the source document.
+     */
+    uri?: string;
+    [property: string]: any;
+}
+/**
+ * Reference to the baseline used in this source assessment.
+ */
+export interface BaselineRef {
+    /**
+     * Name of the baseline used in this source.
+     */
+    name: string;
+    /**
+     * Version of the baseline used in this source.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * The original format of the source document before conversion to HDF.
+ */
+export declare enum OriginalFormat {
+    HdfV2 = "hdf-v2",
+    InspecV1 = "inspec-v1",
+    OscalAr = "oscal-ar",
+    Sarif = "sarif",
+    Xccdf = "xccdf"
+}
+/**
+ * The role of this source in the comparison.
+ *
+ * The role of a source document in the comparison.
+ */
+export declare enum SourceRole {
+    Golden = "golden",
+    New = "new",
+    Old = "old",
+    Reference = "reference",
+    System = "system"
+}
+/**
+ * Summary statistics for the overall comparison.
+ */
+export interface ComparisonSummary {
+    /**
+     * Number of requirements present only in the old source.
+     */
+    absent?: number;
+    /**
+     * Average confidence score across all requirement matches (0-1).
+     */
+    averageMatchConfidence?: number;
+    /**
+     * State counts broken down by severity level.
+     */
+    bySeverity?: SeverityBreakdown;
+    /**
+     * Change in compliance percentage (new - old).
+     */
+    complianceDelta?: number;
+    /**
+     * Number of requirements that changed from failing to passing.
+     */
+    fixed?: number;
+    /**
+     * Number of requirements successfully matched between sources.
+     */
+    matchedCount: number;
+    /**
+     * Number of requirements that were reorganized without content change.
+     */
+    moved?: number;
+    /**
+     * Number of requirements present only in the new source.
+     */
+    new?: number;
+    /**
+     * Compliance percentage of the new source (0-100).
+     */
+    newCompliancePercent?: number;
+    /**
+     * Compliance percentage of the old source (0-100).
+     */
+    oldCompliancePercent?: number;
+    /**
+     * Summary statistics for each individual source in a multi-source comparison.
+     */
+    perSource?: PerSourceSummary[];
+    /**
+     * Number of requirements that changed from passing to failing.
+     */
+    regressed?: number;
+    /**
+     * Total number of unique requirements across all sources.
+     */
+    total: number;
+    /**
+     * Number of requirements with the same effective status.
+     */
+    unchanged?: number;
+    /**
+     * Number of requirements in the new source with no match in the old source.
+     */
+    unmatchedNewCount: number;
+    /**
+     * Number of requirements in the old source with no match in the new source.
+     */
+    unmatchedOldCount: number;
+    /**
+     * Number of requirements with a generic status change.
+     */
+    updated?: number;
+    [property: string]: any;
+}
+/**
+ * State counts broken down by severity level.
+ *
+ * Breakdown of state counts by severity level.
+ */
+export interface SeverityBreakdown {
+    /**
+     * State counts for critical severity requirements.
+     */
+    critical?: StateCounts;
+    /**
+     * State counts for high severity requirements.
+     */
+    high?: StateCounts;
+    /**
+     * State counts for low severity requirements.
+     */
+    low?: StateCounts;
+    /**
+     * State counts for medium severity requirements.
+     */
+    medium?: StateCounts;
+    [property: string]: any;
+}
+/**
+ * State counts for critical severity requirements.
+ *
+ * Counts of requirements in each state.
+ *
+ * State counts for high severity requirements.
+ *
+ * State counts for low severity requirements.
+ *
+ * State counts for medium severity requirements.
+ */
+export interface StateCounts {
+    /**
+     * Number of requirements present only in the old source.
+     */
+    absent?: number;
+    /**
+     * Number of requirements that changed from failing to passing.
+     */
+    fixed?: number;
+    /**
+     * Number of requirements that were reorganized without content change.
+     */
+    moved?: number;
+    /**
+     * Number of requirements present only in the new source.
+     */
+    new?: number;
+    /**
+     * Number of requirements that changed from passing to failing.
+     */
+    regressed?: number;
+    /**
+     * Number of requirements with the same effective status.
+     */
+    unchanged?: number;
+    /**
+     * Number of requirements with a generic status change.
+     */
+    updated?: number;
+    [property: string]: any;
+}
+/**
+ * Summary statistics for a single source in a multi-source comparison.
+ */
+export interface PerSourceSummary {
+    /**
+     * Number of requirements present only in the old source.
+     */
+    absent?: number;
+    /**
+     * Number of requirements that changed from failing to passing.
+     */
+    fixed?: number;
+    /**
+     * Human-readable label for this source.
+     */
+    label: string;
+    /**
+     * Number of requirements that were reorganized without content change.
+     */
+    moved?: number;
+    /**
+     * Number of requirements present only in the new source.
+     */
+    new?: number;
+    /**
+     * Number of requirements that changed from passing to failing.
+     */
+    regressed?: number;
+    /**
+     * Zero-based index into the sources array identifying which source this summary is for.
+     */
+    sourceIndex: number;
+    /**
+     * Number of requirements with the same effective status.
+     */
+    unchanged?: number;
+    /**
+     * Number of requirements with a generic status change.
+     */
+    updated?: number;
+    [property: string]: any;
+}
+/**
+ * Describes a system's authorization boundary, components, and interconnections. Maps to
+ * OSCAL SSP system-characteristics and FedRAMP system inventory.
+ */
+export interface HDFSystem {
+    /**
+     * Date the current authorization status was granted. ISO 8601 format.
+     */
+    authorizationDate?: Date;
+    /**
+     * Current Authorization to Operate (ATO) status.
+     */
+    authorizationStatus?: AuthorizationStatus;
+    /**
+     * Description of the system's authorization boundary. Example: network CIDR blocks, cloud
+     * VPC IDs, physical locations.
+     */
+    boundaryDescription?: string;
+    /**
+     * FIPS 199 security categorization (impact level).
+     */
+    categorizationLevel?: CategorizationLevel;
+    /**
+     * System components within the authorization boundary. Uses the full polymorphic Component
+     * type with stable identity (componentId), external references, and SBOM support.
+     */
+    components: Component[];
+    /**
+     * Declares which controls are common, hybrid, or system-specific, and which component
+     * provides them. Maps to NIST SP 800-53 control designations and OSCAL
+     * leveraged-authorizations.
+     */
+    controlDesignations?: ControlDesignation[];
+    /**
+     * Inter-component data flows describing how components communicate. Supports local,
+     * cross-system, and external flows. Replaces the interconnections[] field.
+     */
+    dataFlows?: DataFlow[];
+    /**
+     * Description of the system's purpose and mission.
+     */
+    description?: string;
+    /**
+     * Information about the tool that generated this system document.
+     */
+    generator?: Generator;
+    /**
+     * System identifier from an authoritative source. Example: eMASS system ID, FedRAMP package
+     * ID.
+     */
+    identifier?: string;
+    /**
+     * URI identifying the scheme of the system identifier. Example: 'https://emass.mil',
+     * 'https://fedramp.gov'.
+     */
+    identifierScheme?: string;
+    /**
+     * Cryptographic integrity information for verifying this system document has not been
+     * tampered with.
+     */
+    integrity?: Integrity;
+    /**
+     * Optional key-value labels for grouping and querying systems.
+     */
+    labels?: {
+        [key: string]: string;
+    };
+    /**
+     * Human-readable system name. Example: 'Enterprise Portal Production'.
+     */
+    name: string;
+    /**
+     * Team or individual responsible for this system's authorization and compliance. Maps to
+     * OSCAL responsible-party with role 'system-owner'.
+     */
+    owner?: Identity;
+    /**
+     * Stable UUID (RFC 4122) for this system. Enables cross-document correlation independent of
+     * file location. Optional in casual use, expected in production documents.
+     */
+    systemId?: string;
+    /**
+     * Version of this system document.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * Current Authorization to Operate (ATO) status.
+ *
+ * Authorization to Operate (ATO) status for the system.
+ */
+export declare enum AuthorizationStatus {
+    Authorized = "authorized",
+    ConditionallyAuthorized = "conditionallyAuthorized",
+    Denied = "denied",
+    NotYetRequested = "notYetRequested",
+    PendingAuthorization = "pendingAuthorization",
+    Revoked = "revoked"
+}
+/**
+ * FIPS 199 security categorization (impact level).
+ *
+ * FIPS 199 security categorization level (impact level).
+ */
+export declare enum CategorizationLevel {
+    High = "high",
+    Low = "low",
+    Moderate = "moderate"
+}
+/**
+ * Declares a control's designation within a system — whether it is common (provided by
+ * another component or system), system-specific (implemented locally), or hybrid (shared
+ * responsibility). Maps to NIST SP 800-53 Appendix C control designations and OSCAL SSP
+ * by-component provided/inherited semantics.
+ */
+export interface ControlDesignation {
+    /**
+     * The control identifier (e.g., 'SC-7', 'AC-2 (1)'). Must match a NIST tag in a baseline
+     * requirement's tags.
+     */
+    controlId: string;
+    /**
+     * Justification for this designation — who provides the control, why it's inherited, and
+     * any relevant authorization references.
+     */
+    description: string;
+    /**
+     * NIST SP 800-53 control designation. 'common': fully provided by another component or
+     * system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid':
+     * shared responsibility between provider and inheritor.
+     */
+    designation: Designation;
+    /**
+     * componentIds that inherit this control. If omitted, all components in the system inherit
+     * it.
+     */
+    inheritedBy?: string[];
+    /**
+     * componentId of a local component that provides this control. Omit when the provider is an
+     * external system.
+     */
+    providedBy?: string;
+    /**
+     * Reference to another hdf-system document whose component provides this control. Use when
+     * the provider is in a different system. Omit when the provider is local.
+     */
+    systemRef?: string;
+    [property: string]: any;
+}
+/**
+ * NIST SP 800-53 control designation. 'common': fully provided by another component or
+ * system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid':
+ * shared responsibility between provider and inheritor.
+ */
+export declare enum Designation {
+    Common = "common",
+    Hybrid = "hybrid",
+    SystemSpecific = "system-specific"
+}
+/**
+ * A data flow between two endpoints. The 'from' endpoint is always a local component; the
+ * 'to' endpoint can be local, cross-system, or external. Use 'direction' to indicate
+ * whether data flows one-way or both ways.
+ */
+export interface DataFlow {
+    /**
+     * Authentication mechanism used for this connection. Examples: 'mTLS', 'OAuth2', 'API key',
+     * 'SAML', 'Kerberos'.
+     */
+    authentication?: string;
+    /**
+     * Human-readable description of this data flow's purpose and the data exchanged.
+     */
+    description?: string;
+    /**
+     * Data flow direction. 'unidirectional' means data flows from→to only. 'bidirectional'
+     * means data flows in both directions (e.g., request/response).
+     */
+    direction?: Direction;
+    /**
+     * UUID of the local component that is one end of this data flow. Always references a
+     * component in the current system document.
+     */
+    from: string;
+    /**
+     * Network port number.
+     */
+    port?: number;
+    /**
+     * Communication protocol. Examples: 'http', 'https', 'grpc', 'ssh', 'jdbc', 'k8s-api',
+     * 'socket', 'sftp'.
+     */
+    protocol?: string;
+    /**
+     * The other end of this data flow. Can be a local component (UUID), a cross-system
+     * component reference, or an external endpoint.
+     */
+    to: any;
+    [property: string]: any;
+}
+/**
+ * Data flow direction. 'unidirectional' means data flows from→to only. 'bidirectional'
+ * means data flows in both directions (e.g., request/response).
+ */
+export declare enum Direction {
+    Bidirectional = "bidirectional",
+    Unidirectional = "unidirectional"
+}
+/**
+ * Defines an assessment plan — what baselines to run against which targets, with resolved
+ * inputs and scheduling. Maps to OSCAL Assessment Plan.
+ */
+export interface HDFPlan {
+    /**
+     * The assessments to perform. Each assessment pairs a baseline with targets and resolved
+     * inputs.
+     */
+    assessments: Assessment[];
+    /**
+     * Description of the plan's purpose and scope.
+     */
+    description?: string;
+    /**
+     * Information about the tool that generated this plan.
+     */
+    generator?: Generator;
+    /**
+     * Cryptographic integrity information for verifying this plan document has not been
+     * tampered with.
+     */
+    integrity?: Integrity;
+    /**
+     * Optional key-value labels for grouping and querying plans.
+     */
+    labels?: {
+        [key: string]: string;
+    };
+    /**
+     * Human-readable plan name. Example: 'Portal Monthly Assessment'.
+     */
+    name: string;
+    /**
+     * Unique identifier for this plan. Optional in casual use, expected in production
+     * documents. Auto-generated if omitted during creation.
+     */
+    planId?: string;
+    /**
+     * Optional scheduling configuration for recurring assessments.
+     */
+    schedule?: Schedule;
+    /**
+     * URI to the hdf-system document this plan targets. Example: 'portal-prod.hdf-system.json'.
+     */
+    systemRef?: string;
+    /**
+     * The type of assessment plan.
+     */
+    type?: PlanType;
+    /**
+     * Version of this plan document.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * A single assessment within a plan — defines which baseline to run against which targets
+ * with what configuration.
+ */
+export interface Assessment {
+    /**
+     * Reference to the baseline to evaluate. May be a baseline name (e.g. 'RHEL9-STIG'), a
+     * relative path to an HDF Baseline document (e.g. 'rhel9-stig.hdf-baseline.json'), or an
+     * absolute URI.
+     */
+    baselineRef: string;
+    /**
+     * componentId of the system component this assessment targets. Use for direct component
+     * binding. Alternative to targetSelector.
+     */
+    componentRef?: string;
+    /**
+     * Description of this assessment's purpose.
+     */
+    description?: string;
+    /**
+     * Resolved input values for this assessment. Keys are input names, values are the final
+     * resolved values (after baseline defaults + system overrides).
+     */
+    inputs?: {
+        [key: string]: any;
+    };
+    /**
+     * Runner/scanner configuration for this assessment.
+     */
+    runner?: RunnerConfig;
+    /**
+     * Label selector to match targets for this assessment. Overrides the system component's
+     * targetSelector if provided.
+     */
+    targetSelector?: {
+        [key: string]: string;
+    };
+    [property: string]: any;
+}
+/**
+ * Runner/scanner configuration for this assessment.
+ *
+ * Configuration for the assessment runner/scanner.
+ */
+export interface RunnerConfig {
+    /**
+     * Name of the assessment runner. Example: 'cinc-auditor', 'inspec', 'openscap'.
+     */
+    name?: string;
+    /**
+     * Version of the runner.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * Optional scheduling configuration for recurring assessments.
+ *
+ * Scheduling configuration for recurring assessments.
+ */
+export interface Schedule {
+    /**
+     * Cron expression for recurring assessments. Example: '0 2 1 * *' (2 AM on the 1st of each
+     * month).
+     */
+    cron?: string;
+    /**
+     * Date after which assessments should no longer run. ISO 8601 format.
+     */
+    endDate?: Date;
+    /**
+     * Email addresses or notification endpoints to alert when assessments complete.
+     */
+    notifyOnCompletion?: string[];
+    /**
+     * Email addresses or notification endpoints to alert when regressions are detected.
+     */
+    notifyOnRegression?: string[];
+    /**
+     * Earliest date to begin assessments. ISO 8601 format.
+     */
+    startDate?: Date;
+    [property: string]: any;
+}
+/**
+ * The type of assessment plan.
+ *
+ * The type of assessment. 'automated' for scanner-driven, 'manual' for human-performed,
+ * 'hybrid' for both.
+ */
+export declare enum PlanType {
+    Automated = "automated",
+    Hybrid = "hybrid",
+    Manual = "manual"
+}
+/**
+ * Waivers, attestations, and POA&Ms that modify requirement compliance status or impact.
+ * Amendments are standalone documents that can be applied to results via merge operations.
+ */
+export interface HDFAmendments {
+    /**
+     * Unique identifier for this amendments document. Useful for cross-referencing when
+     * multiple amendment documents target the same results.
+     */
+    amendmentId?: string;
+    /**
+     * Default identity of who created this amendments document. Individual overrides may
+     * specify their own appliedBy.
+     */
+    appliedBy?: Identity;
+    /**
+     * Identity of the authorizing official who approved these amendments.
+     */
+    approvedBy?: Identity;
+    /**
+     * Description of the amendments' purpose and scope.
+     */
+    description?: string;
+    /**
+     * Information about the tool that generated this document.
+     */
+    generator?: Generator;
+    /**
+     * Cryptographic integrity information for verifying this amendments document has not been
+     * tampered with.
+     */
+    integrity?: Integrity;
+    /**
+     * Optional key-value labels for grouping and querying amendments.
+     */
+    labels?: {
+        [key: string]: string;
+    };
+    /**
+     * Human-readable name for this amendments document. Example: 'Portal Q1 2026 Waivers'.
+     */
+    name: string;
+    /**
+     * The set of amendments (waivers, attestations, POA&Ms, and other overrides).
+     */
+    overrides: StandaloneOverride[];
+    /**
+     * Document-level digital signature covering all amendments.
+     */
+    signature?: Signature;
+    /**
+     * URI to the hdf-system document these amendments apply to.
+     */
+    systemRef?: string;
+    /**
+     * Version of this amendments document.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * A standalone override to a requirement's compliance status or risk impact. Validation has
+ * two branches gated on 'type': when type is 'operationalRequirement', neither 'status' nor
+ * 'impact' may be set — the override records accepted risk without changing the finding
+ * (documentation-only). For all other types, at least one of 'status' or 'impact' must be
+ * set. This rule aligns with: (1) OSCAL Assessment Results — finding.target.status and
+ * finding.associated-risk[].facet[] are separate axes
+ * (https://pages.nist.gov/OSCAL/learn/concepts/layer/assessment/assessment-results/); (2)
+ * FedRAMP deviation request types — Risk Adjustment changes impact only, Operational
+ * Requirement documents acceptance only, False Positive changes status
+ * (https://www.ignyteplatform.com/blog/fedramp/fedramp-deviation-requests-submit/); (3)
+ * NIST SP 800-37 RMF — risk response (accept/mitigate/transfer) is a separate step from
+ * control assessment status (https://csrc.nist.gov/pubs/sp/800/37/r2/final).
+ */
+export interface StandaloneOverride {
+    /**
+     * Software packages this amendment is scoped to, distinct from componentRef (which scopes
+     * to an HDF-internal Component by UUID). Use when the source amendment format references
+     * packages by purl/cpe/name+version — e.g., VEX `affects[]` / `products[]`, OSCAL POA&M
+     * `subjects[]`, FedRAMP component-aware amendments. Symmetric with
+     * Evaluated_Requirement.affectedPackages, which scopes findings to the same package
+     * vocabulary. When omitted, the amendment applies system-wide (or only to componentRef when
+     * that is set).
+     */
+    affectedPackages?: AffectedPackage[];
+    /**
+     * When this amendment was applied. ISO 8601 format.
+     */
+    appliedAt: Date;
+    /**
+     * Identity of who applied this amendment.
+     */
+    appliedBy: Identity;
+    /**
+     * Name of the baseline containing the requirement. Required when the system has multiple
+     * baselines with potentially overlapping requirement IDs.
+     */
+    baselineRef?: string;
+    /**
+     * componentId of the component this amendment is scoped to. When set, the amendment only
+     * applies to the specified component. When omitted, the amendment applies system-wide.
+     */
+    componentRef?: string;
+    /**
+     * Structured CVSS scoring data backing this override. Captures the rubric (which
+     * Environmental/Threat metrics the consumer modified, the recomputed score) used to justify
+     * a riskAdjustment. For other override types this is optional context.
+     */
+    cvss?: Cvss;
+    /**
+     * Supporting evidence (screenshots, logs, URLs, documents).
+     */
+    evidence?: Evidence[];
+    /**
+     * When this amendment expires and must be reviewed. No permanent amendments. ISO 8601
+     * format.
+     */
+    expiresAt: Date;
+    /**
+     * Override to the requirement's impact score. At least one of status or impact must be set.
+     */
+    impact?: ImpactOverride;
+    /**
+     * componentId of the local component that provides this control. Set when the provider is
+     * in the same system. Omit for external or cross-system providers; the reason field
+     * explains the source. Primarily used with type 'inherited'.
+     */
+    inheritedFrom?: string;
+    /**
+     * Structured controlled-vocabulary classification for why this override applies.
+     * Complements (does not replace) the free-text 'reason' field. Most useful on falsePositive
+     * and attestation overrides where the structured category enables filtering and lossless
+     * round-trip with VEX / OSCAL / FedRAMP DR. See the Justification primitive for the
+     * precedent vocabulary and rationale.
+     */
+    justification?: Justification;
+    /**
+     * Remediation milestones (primarily for POA&M type amendments).
+     */
+    milestones?: Milestone[];
+    /**
+     * Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null
+     * for the first amendment.
+     */
+    previousChecksum?: Checksum;
+    /**
+     * Justification for this amendment.
+     */
+    reason: string;
+    /**
+     * The ID of the requirement being amended. Must match a requirement ID in the referenced
+     * baseline.
+     */
+    requirementId: string;
+    /**
+     * Digital signature for non-repudiation.
+     */
+    signature?: Signature;
+    /**
+     * The new status this amendment sets. Optional when only impact is being overridden.
+     */
+    status?: ResultStatus;
+    /**
+     * The type of amendment.
+     */
+    type: OverrideType;
+    [property: string]: any;
+}
+/**
+ * Bundles references to all HDF documents for audit, authorization, and compliance review.
+ * Each content entry references a document by type, URI, and checksum for integrity
+ * verification.
+ */
+export interface HDFEvidencePackage {
+    /**
+     * Summary of assessment completeness and compliance status.
+     */
+    completenessCheck?: CompletenessCheck;
+    /**
+     * References to HDF documents included in this evidence package.
+     */
+    contents: ContentReference[];
+    /**
+     * Description of the evidence package's purpose and scope.
+     */
+    description?: string;
+    /**
+     * Information about the tool that generated this document.
+     */
+    generator?: Generator;
+    /**
+     * Cryptographic integrity information for verifying this evidence package has not been
+     * tampered with.
+     */
+    integrity?: Integrity;
+    /**
+     * Optional key-value labels for grouping and querying evidence packages.
+     */
+    labels?: {
+        [key: string]: string;
+    };
+    /**
+     * Human-readable name for this evidence package. Example: 'Enterprise Portal ATO Evidence -
+     * Q1 2026'.
+     */
+    name: string;
+    /**
+     * Unique identifier for this evidence package. Optional in casual use, expected in
+     * production ATO submissions. Auto-generated if omitted during creation.
+     */
+    packageId?: string;
+    /**
+     * URI to the hdf-plan document that drove this assessment. Used for completeness
+     * verification — every baseline in the plan should have a corresponding results document in
+     * this package.
+     */
+    planRef?: string;
+    /**
+     * When this evidence package was prepared. ISO 8601 format.
+     */
+    preparedAt?: Date;
+    /**
+     * Identity of who prepared this evidence package.
+     */
+    preparedBy?: Identity;
+    /**
+     * Digital signature covering the entire evidence package.
+     */
+    signature?: Signature;
+    /**
+     * URI to the hdf-system document this evidence package covers.
+     */
+    systemRef?: string;
+    /**
+     * Version of this evidence package.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * Summary of assessment completeness and compliance status.
+ *
+ * Informational summary of assessment completeness. Not authoritative — tools should
+ * compute these from the referenced documents.
+ */
+export interface CompletenessCheck {
+    /**
+     * Whether all baselines referenced by system components have assessment results.
+     */
+    allBaselinesAssessed?: boolean;
+    /**
+     * Whether all system components have at least one matching target in the results.
+     */
+    allComponentsCovered?: boolean;
+    /**
+     * Overall compliance percentage across all assessments.
+     */
+    compliancePercent?: number;
+    /**
+     * Number of waivers/amendments that have expired.
+     */
+    expiredWaivers?: number;
+    /**
+     * SBOM coverage across system components.
+     */
+    sbomCoverage?: SBOMCoverage;
+    /**
+     * Number of POA&M items that are still open (not completed).
+     */
+    unresolvedPoams?: number;
+    [property: string]: any;
+}
+/**
+ * SBOM coverage across system components.
+ *
+ * SBOM coverage statistics for the system.
+ */
+export interface SBOMCoverage {
+    /**
+     * Number of system components that have an associated SBOM.
+     */
+    componentsWithSbom?: number;
+    /**
+     * Total number of components in the system.
+     */
+    totalComponents?: number;
+    [property: string]: any;
+}
+/**
+ * A reference to an HDF document or SBOM included in the evidence package.
+ */
+export interface ContentReference {
+    /**
+     * Cryptographic checksum for verifying the referenced document's integrity.
+     */
+    checksum?: Checksum;
+    /**
+     * componentId of the component this content entry relates to. Use to link SBOMs, results,
+     * or other documents to a specific system component.
+     */
+    componentRef?: string;
+    /**
+     * Optional description of this content entry.
+     */
+    description?: string;
+    /**
+     * The type of HDF document being referenced.
+     */
+    type: ContentType;
+    /**
+     * URI to the document. Can be a relative path or absolute URL.
+     */
+    uri: string;
+    [property: string]: any;
+}
+/**
+ * The type of HDF document being referenced.
+ *
+ * The type of document referenced in the evidence package.
+ */
+export declare enum ContentType {
+    HdfAmendments = "hdf-amendments",
+    HdfBaseline = "hdf-baseline",
+    HdfComparison = "hdf-comparison",
+    HdfPlan = "hdf-plan",
+    HdfResults = "hdf-results",
+    HdfSystem = "hdf-system",
+    Sbom = "sbom"
+}