@mitre/hdf-schema 3.1.0 → 3.3.0

package/dist/ts/hdf.js

@@ -0,0 +1,564 @@
+/**
+ * The comparison operator used when evaluating this input against observed values.
+ *
+ * Comparison operator for evaluating the input value against observed values. Numeric:
+ * eq/ne/lt/le/gt/ge. String: eq/ne/contains/matches. Collection: in/notIn.
+ */
+export var ComparisonOperator;
+(function (ComparisonOperator) {
+    ComparisonOperator["Contains"] = "contains";
+    ComparisonOperator["Eq"] = "eq";
+    ComparisonOperator["Ge"] = "ge";
+    ComparisonOperator["Gt"] = "gt";
+    ComparisonOperator["In"] = "in";
+    ComparisonOperator["LE"] = "le";
+    ComparisonOperator["Lt"] = "lt";
+    ComparisonOperator["Matches"] = "matches";
+    ComparisonOperator["Ne"] = "ne";
+    ComparisonOperator["NotIn"] = "notIn";
+})(ComparisonOperator || (ComparisonOperator = {}));
+/**
+ * The data type of this input.
+ *
+ * The data type of the input value. Aligns with InSpec input types.
+ */
+export var InputType;
+(function (InputType) {
+    InputType["Array"] = "Array";
+    InputType["Boolean"] = "Boolean";
+    InputType["Hash"] = "Hash";
+    InputType["Numeric"] = "Numeric";
+    InputType["Regexp"] = "Regexp";
+    InputType["String"] = "String";
+})(InputType || (InputType = {}));
+/**
+ * The hash algorithm used for the checksum.
+ *
+ * Supported cryptographic hash algorithms for checksums and integrity verification.
+ */
+export var HashAlgorithm;
+(function (HashAlgorithm) {
+    HashAlgorithm["Sha256"] = "sha256";
+    HashAlgorithm["Sha384"] = "sha384";
+    HashAlgorithm["Sha512"] = "sha512";
+})(HashAlgorithm || (HashAlgorithm = {}));
+/**
+ * The packaging ecosystem the package belongs to. Use 'generic' for hardware, firmware, or
+ * anything outside the listed language/OS package managers.
+ */
+export var Ecosystem;
+(function (Ecosystem) {
+    Ecosystem["Cargo"] = "cargo";
+    Ecosystem["Deb"] = "deb";
+    Ecosystem["Gem"] = "gem";
+    Ecosystem["Generic"] = "generic";
+    Ecosystem["Go"] = "go";
+    Ecosystem["Maven"] = "maven";
+    Ecosystem["Npm"] = "npm";
+    Ecosystem["Nuget"] = "nuget";
+    Ecosystem["Pypi"] = "pypi";
+    Ecosystem["RPM"] = "rpm";
+})(Ecosystem || (Ecosystem = {}));
+/**
+ * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
+ * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
+ * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
+ * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
+ * Optional: when omitted, consumers should treat the requirement as 'required' by
+ * convention.
+ */
+export var Applicability;
+(function (Applicability) {
+    Applicability["Advisory"] = "advisory";
+    Applicability["Optional"] = "optional";
+    Applicability["Required"] = "required";
+})(Applicability || (Applicability = {}));
+/**
+ * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
+ * categories. 'policy' = an authored governance statement; 'procedure' = a documented
+ * process; 'technical' = an enforced technical configuration; 'management' = a
+ * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
+ * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
+ * family/id but should not assume a default.
+ */
+export var ControlType;
+(function (ControlType) {
+    ControlType["Management"] = "management";
+    ControlType["Operational"] = "operational";
+    ControlType["Policy"] = "policy";
+    ControlType["Procedure"] = "procedure";
+    ControlType["Technical"] = "technical";
+})(ControlType || (ControlType = {}));
+/**
+ * Qualitative severity band corresponding to baseScore. CVSS 2.0 does not natively use
+ * 'none' or 'critical' bands; map accordingly when populating.
+ *
+ * Qualitative CVSS severity band. Aligns with FIRST/NVD bands: none=0.0, low=0.1-3.9,
+ * medium=4.0-6.9, high=7.0-8.9, critical=9.0-10.0. Distinct from the broader Severity enum
+ * used on Requirement_Core (which includes 'informational').
+ *
+ * Qualitative severity band corresponding to computedScore. Same band convention as
+ * baseSeverity.
+ */
+export var CVSSSeverity;
+(function (CVSSSeverity) {
+    CVSSSeverity["Critical"] = "critical";
+    CVSSSeverity["High"] = "high";
+    CVSSSeverity["Low"] = "low";
+    CVSSSeverity["Medium"] = "medium";
+    CVSSSeverity["None"] = "none";
+})(CVSSSeverity || (CVSSSeverity = {}));
+/**
+ * The CVSS specification version this entry conforms to. Vendor scanners typically emit 3.1
+ * or 4.0; legacy data may use 2.0 or 3.0.
+ */
+export var Version;
+(function (Version) {
+    Version["The20"] = "2.0";
+    Version["The30"] = "3.0";
+    Version["The31"] = "3.1";
+    Version["The40"] = "4.0";
+})(Version || (Version = {}));
+/**
+ * The type of the most recent non-expired override or POAM governing this requirement.
+ * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
+ * riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
+ * POAMs apply.
+ *
+ * The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk
+ * accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam':
+ * remediation tracked (no status change). 'inherited': control provided by another
+ * component or system. 'falsePositive': scanner incorrectly identified a finding — for
+ * compliance scans (STIG, CIS), the check actually passes, so status is typically set to
+ * 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to
+ * this system, so status is typically set to 'notApplicable'. The disposition field on the
+ * requirement distinguishes false positives from genuinely not-applicable findings.
+ * 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk
+ * Adjustment); does not change pass/fail status, only impact via the impact field.
+ * 'operationalRequirement': deviation required by operational constraints (FedRAMP
+ * Operational Requirement); the finding cannot be remediated because the system requires
+ * the affected functionality. Remains an open risk. Migration note: 'exception' was removed
+ * in v3.1.0 — use 'waiver' with status 'notApplicable' instead.
+ *
+ * The type of override applied to this requirement.
+ *
+ * The type of amendment.
+ */
+export var OverrideType;
+(function (OverrideType) {
+    OverrideType["Attestation"] = "attestation";
+    OverrideType["FalsePositive"] = "falsePositive";
+    OverrideType["Inherited"] = "inherited";
+    OverrideType["OperationalRequirement"] = "operationalRequirement";
+    OverrideType["Poam"] = "poam";
+    OverrideType["RiskAdjustment"] = "riskAdjustment";
+    OverrideType["Waiver"] = "waiver";
+})(OverrideType || (OverrideType = {}));
+/**
+ * The current effective compliance status of this requirement after applying the most
+ * recent non-expired override with a status field, or computed from results (worst-wins) if
+ * no status-bearing overrides exist.
+ *
+ * The status of an individual test result. 'notApplicable' indicates the requirement does
+ * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
+ * requires manual verification).
+ *
+ * The status of this test within the requirement. Example: 'failed'.
+ *
+ * The new status this override sets for the requirement. Optional when only impact is being
+ * overridden.
+ *
+ * The new status this amendment sets. Optional when only impact is being overridden.
+ */
+export var ResultStatus;
+(function (ResultStatus) {
+    ResultStatus["Error"] = "error";
+    ResultStatus["Failed"] = "failed";
+    ResultStatus["NotApplicable"] = "notApplicable";
+    ResultStatus["NotReviewed"] = "notReviewed";
+    ResultStatus["Passed"] = "passed";
+})(ResultStatus || (ResultStatus = {}));
+/**
+ * The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
+ * 'system' for automated systems, 'simple' for basic string identifiers without additional
+ * classification, or 'other' for custom identity systems.
+ */
+export var IdentityType;
+(function (IdentityType) {
+    IdentityType["Email"] = "email";
+    IdentityType["Other"] = "other";
+    IdentityType["Simple"] = "simple";
+    IdentityType["System"] = "system";
+    IdentityType["Username"] = "username";
+})(IdentityType || (IdentityType = {}));
+/**
+ * The type of evidence being provided.
+ */
+export var EvidenceType;
+(function (EvidenceType) {
+    EvidenceType["Code"] = "code";
+    EvidenceType["File"] = "file";
+    EvidenceType["Log"] = "log";
+    EvidenceType["Other"] = "other";
+    EvidenceType["Screenshot"] = "screenshot";
+    EvidenceType["URL"] = "url";
+})(EvidenceType || (EvidenceType = {}));
+/**
+ * Current status of this milestone.
+ */
+export var MilestoneStatus;
+(function (MilestoneStatus) {
+    MilestoneStatus["Completed"] = "completed";
+    MilestoneStatus["InProgress"] = "inProgress";
+    MilestoneStatus["Pending"] = "pending";
+})(MilestoneStatus || (MilestoneStatus = {}));
+/**
+ * The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
+ * compensating controls. 'riskAcceptance' documents decision to accept risk.
+ * 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
+ */
+export var POAMType;
+(function (POAMType) {
+    POAMType["Mitigation"] = "mitigation";
+    POAMType["Remediation"] = "remediation";
+    POAMType["RiskAcceptance"] = "riskAcceptance";
+    POAMType["VendorDependency"] = "vendorDependency";
+})(POAMType || (POAMType = {}));
+/**
+ * Explicit severity rating. Typically derived from impact score but provided explicitly for
+ * clarity.
+ *
+ * Severity rating for a requirement. Typically derived from the numeric impact score.
+ */
+export var Severity;
+(function (Severity) {
+    Severity["Critical"] = "critical";
+    Severity["High"] = "high";
+    Severity["Informational"] = "informational";
+    Severity["Low"] = "low";
+    Severity["Medium"] = "medium";
+})(Severity || (Severity = {}));
+/**
+ * Structured controlled-vocabulary classification for why this override applies.
+ * Complements (does not replace) the free-text 'reason' field. Most useful on falsePositive
+ * and attestation overrides where the structured category enables filtering and lossless
+ * round-trip with VEX / OSCAL / FedRAMP DR. See the Justification primitive for the
+ * precedent vocabulary and rationale.
+ *
+ * Structured controlled-vocabulary reason for an override, complementing the free-text
+ * 'reason' field. 'reason' carries the human-readable rationale an auditor reads;
+ * 'justification' carries the machine-readable category enabling filtering, aggregation,
+ * and lossless round-trip with structured ecosystems (VEX, OSCAL, FedRAMP DR). Both fields
+ * may be present simultaneously and are NOT redundant: 'reason' explains the specific
+ * circumstance; 'justification' classifies it. Authors SHOULD populate both when a
+ * controlled-vocabulary value applies — the enum value alone is not self-explanatory to an
+ * auditor. The vocabulary is drawn from the VEX ecosystem: the first five values are common
+ * across OpenVEX, CSAF VEX, and CycloneDX VEX; the remaining six (requires_configuration /
+ * requires_dependency / requires_environment / protected_by_compiler / protected_at_runtime
+ * / protected_at_perimeter) are CycloneDX-specific and describe why the vulnerable code
+ * path is unreachable in the deployed configuration. The enum is extended additively across
+ * schema versions as other ecosystems' controlled vocabularies are integrated; documents
+ * using values added in a newer schema version will fail validation against an older
+ * schema. Consumers SHOULD validate against the schema version declared by the document
+ * ($schema) rather than assume a fixed vocabulary.
+ */
+export var Justification;
+(function (Justification) {
+    Justification["ComponentNotPresent"] = "component_not_present";
+    Justification["InlineMitigationsAlreadyExist"] = "inline_mitigations_already_exist";
+    Justification["ProtectedAtPerimeter"] = "protected_at_perimeter";
+    Justification["ProtectedAtRuntime"] = "protected_at_runtime";
+    Justification["ProtectedByCompiler"] = "protected_by_compiler";
+    Justification["RequiresConfiguration"] = "requires_configuration";
+    Justification["RequiresDependency"] = "requires_dependency";
+    Justification["RequiresEnvironment"] = "requires_environment";
+    Justification["VulnerableCodeCannotBeControlledByAdversary"] = "vulnerable_code_cannot_be_controlled_by_adversary";
+    Justification["VulnerableCodeNotInExecutePath"] = "vulnerable_code_not_in_execute_path";
+    Justification["VulnerableCodeNotPresent"] = "vulnerable_code_not_present";
+})(Justification || (Justification = {}));
+/**
+ * How this requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
+ * omitted, consumers should not infer a default.
+ *
+ * How a requirement is intended to be verified. Disambiguates the two cases that null
+ * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
+ * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
+ * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
+ * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
+ * disambiguate from the unrelated Verification_Method DID-context struct.
+ */
+export var VerificationMethodEnum;
+(function (VerificationMethodEnum) {
+    VerificationMethodEnum["Automated"] = "automated";
+    VerificationMethodEnum["Hybrid"] = "hybrid";
+    VerificationMethodEnum["ManualByDesign"] = "manual-by-design";
+    VerificationMethodEnum["ManualPendingAutomation"] = "manual-pending-automation";
+})(VerificationMethodEnum || (VerificationMethodEnum = {}));
+export var CloudProvider;
+(function (CloudProvider) {
+    CloudProvider["Aws"] = "aws";
+    CloudProvider["Azure"] = "azure";
+    CloudProvider["Gcp"] = "gcp";
+    CloudProvider["Oci"] = "oci";
+    CloudProvider["Other"] = "other";
+})(CloudProvider || (CloudProvider = {}));
+/**
+ * Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
+ */
+export var SBOMFormat;
+(function (SBOMFormat) {
+    SBOMFormat["Cyclonedx"] = "cyclonedx";
+    SBOMFormat["Spdx"] = "spdx";
+})(SBOMFormat || (SBOMFormat = {}));
+/**
+ * Component type discriminator. Same values as Target types.
+ */
+export var TargetType;
+(function (TargetType) {
+    TargetType["Application"] = "application";
+    TargetType["Artifact"] = "artifact";
+    TargetType["CloudAccount"] = "cloudAccount";
+    TargetType["CloudResource"] = "cloudResource";
+    TargetType["ContainerImage"] = "containerImage";
+    TargetType["ContainerInstance"] = "containerInstance";
+    TargetType["ContainerPlatform"] = "containerPlatform";
+    TargetType["Database"] = "database";
+    TargetType["Host"] = "host";
+    TargetType["Network"] = "network";
+    TargetType["Repository"] = "repository";
+})(TargetType || (TargetType = {}));
+/**
+ * The category of this annotation.
+ *
+ * The category of an annotation attached to a comparison.
+ */
+export var AnnotationCategory;
+(function (AnnotationCategory) {
+    AnnotationCategory["BaselineChange"] = "baselineChange";
+    AnnotationCategory["Drift"] = "drift";
+    AnnotationCategory["Remediation"] = "remediation";
+    AnnotationCategory["ScannerNote"] = "scannerNote";
+    AnnotationCategory["Waiver"] = "waiver";
+})(AnnotationCategory || (AnnotationCategory = {}));
+/**
+ * The state of this baseline in the comparison.
+ *
+ * The state of this component in the comparison.
+ */
+export var BaselineDiffState;
+(function (BaselineDiffState) {
+    BaselineDiffState["Absent"] = "absent";
+    BaselineDiffState["New"] = "new";
+    BaselineDiffState["Unchanged"] = "unchanged";
+    BaselineDiffState["Updated"] = "updated";
+})(BaselineDiffState || (BaselineDiffState = {}));
+/**
+ * The mode of comparison being performed.
+ *
+ * The mode of comparison. 'temporal' compares the same target over time. 'baseline'
+ * compares against a golden reference. 'fleet' compares across multiple systems.
+ * 'multiSource' compares outputs from different scanners. 'baselineEvolution' compares two
+ * baseline documents to detect requirement changes between versions. 'systemDrift' compares
+ * two system documents to detect component-level changes.
+ */
+export var ComparisonMode;
+(function (ComparisonMode) {
+    ComparisonMode["Baseline"] = "baseline";
+    ComparisonMode["BaselineEvolution"] = "baselineEvolution";
+    ComparisonMode["Fleet"] = "fleet";
+    ComparisonMode["MultiSource"] = "multiSource";
+    ComparisonMode["SystemDrift"] = "systemDrift";
+    ComparisonMode["Temporal"] = "temporal";
+})(ComparisonMode || (ComparisonMode = {}));
+/**
+ * The type of change operation.
+ */
+export var Op;
+(function (Op) {
+    Op["Add"] = "add";
+    Op["Remove"] = "remove";
+    Op["Replace"] = "replace";
+})(Op || (Op = {}));
+/**
+ * The reason a requirement's state changed between sources.
+ */
+export var ChangeReason;
+(function (ChangeReason) {
+    ChangeReason["BaselineUpgraded"] = "baselineUpgraded";
+    ChangeReason["ConfigChanged"] = "configChanged";
+    ChangeReason["ControlMapped"] = "controlMapped";
+    ChangeReason["ImpactChanged"] = "impactChanged";
+    ChangeReason["MetadataChanged"] = "metadataChanged";
+    ChangeReason["OverrideAdded"] = "overrideAdded";
+    ChangeReason["OverrideExpired"] = "overrideExpired";
+    ChangeReason["OverrideModified"] = "overrideModified";
+    ChangeReason["OverrideRemoved"] = "overrideRemoved";
+    ChangeReason["ResultChanged"] = "resultChanged";
+    ChangeReason["ScannerChanged"] = "scannerChanged";
+    ChangeReason["TargetChanged"] = "targetChanged";
+})(ChangeReason || (ChangeReason = {}));
+/**
+ * How the conflict was resolved.
+ *
+ * How a conflict between multiple scanner results was resolved.
+ */
+export var ConflictResolution;
+(function (ConflictResolution) {
+    ConflictResolution["Manual"] = "manual";
+    ConflictResolution["MostRecent"] = "mostRecent";
+    ConflictResolution["MostSevere"] = "mostSevere";
+    ConflictResolution["Unresolved"] = "unresolved";
+})(ConflictResolution || (ConflictResolution = {}));
+/**
+ * The strategy that was used to match this requirement across sources.
+ *
+ * The strategy used to match requirements across sources. 'exactId' matches by identical
+ * IDs. 'mappedId' uses an ID mapping table. 'cciMatch'/'nistMatch' match by framework
+ * identifiers. 'fuzzyTitle'/'fuzzyContent' use text similarity.
+ *
+ * The primary strategy used to match requirements across sources.
+ */
+export var MatchStrategy;
+(function (MatchStrategy) {
+    MatchStrategy["CciMatch"] = "cciMatch";
+    MatchStrategy["ExactID"] = "exactId";
+    MatchStrategy["FuzzyContent"] = "fuzzyContent";
+    MatchStrategy["FuzzyTitle"] = "fuzzyTitle";
+    MatchStrategy["MappedID"] = "mappedId";
+    MatchStrategy["NISTMatch"] = "nistMatch";
+})(MatchStrategy || (MatchStrategy = {}));
+/**
+ * The state of this requirement in the comparison.
+ *
+ * SARIF-compatible vocabulary extended for security. 'new' = present only in new source,
+ * 'absent' = present only in old, 'unchanged' = same effective status, 'updated' = status
+ * changed (generic), 'fixed' = was failing now passing, 'regressed' = was passing now
+ * failing, 'moved' = reorganized same content, 'split'/'merged' = reserved for v1.1.
+ */
+export var RequirementState;
+(function (RequirementState) {
+    RequirementState["Absent"] = "absent";
+    RequirementState["Fixed"] = "fixed";
+    RequirementState["Merged"] = "merged";
+    RequirementState["Moved"] = "moved";
+    RequirementState["New"] = "new";
+    RequirementState["Regressed"] = "regressed";
+    RequirementState["Split"] = "split";
+    RequirementState["Unchanged"] = "unchanged";
+    RequirementState["Updated"] = "updated";
+})(RequirementState || (RequirementState = {}));
+export var FormatVersion;
+(function (FormatVersion) {
+    FormatVersion["The100"] = "1.0.0";
+})(FormatVersion || (FormatVersion = {}));
+/**
+ * The state of this package: added (new in new SBOM), removed (absent from new SBOM),
+ * updated (version changed), unchanged.
+ */
+export var PackageDiffState;
+(function (PackageDiffState) {
+    PackageDiffState["Added"] = "added";
+    PackageDiffState["Removed"] = "removed";
+    PackageDiffState["Unchanged"] = "unchanged";
+    PackageDiffState["Updated"] = "updated";
+})(PackageDiffState || (PackageDiffState = {}));
+/**
+ * The original format of the source document before conversion to HDF.
+ */
+export var OriginalFormat;
+(function (OriginalFormat) {
+    OriginalFormat["HdfV2"] = "hdf-v2";
+    OriginalFormat["InspecV1"] = "inspec-v1";
+    OriginalFormat["OscalAr"] = "oscal-ar";
+    OriginalFormat["Sarif"] = "sarif";
+    OriginalFormat["Xccdf"] = "xccdf";
+})(OriginalFormat || (OriginalFormat = {}));
+/**
+ * The role of this source in the comparison.
+ *
+ * The role of a source document in the comparison.
+ */
+export var SourceRole;
+(function (SourceRole) {
+    SourceRole["Golden"] = "golden";
+    SourceRole["New"] = "new";
+    SourceRole["Old"] = "old";
+    SourceRole["Reference"] = "reference";
+    SourceRole["System"] = "system";
+})(SourceRole || (SourceRole = {}));
+/**
+ * Current Authorization to Operate (ATO) status.
+ *
+ * Authorization to Operate (ATO) status for the system.
+ */
+export var AuthorizationStatus;
+(function (AuthorizationStatus) {
+    AuthorizationStatus["Authorized"] = "authorized";
+    AuthorizationStatus["ConditionallyAuthorized"] = "conditionallyAuthorized";
+    AuthorizationStatus["Denied"] = "denied";
+    AuthorizationStatus["NotYetRequested"] = "notYetRequested";
+    AuthorizationStatus["PendingAuthorization"] = "pendingAuthorization";
+    AuthorizationStatus["Revoked"] = "revoked";
+})(AuthorizationStatus || (AuthorizationStatus = {}));
+/**
+ * FIPS 199 security categorization (impact level).
+ *
+ * FIPS 199 security categorization level (impact level).
+ */
+export var CategorizationLevel;
+(function (CategorizationLevel) {
+    CategorizationLevel["High"] = "high";
+    CategorizationLevel["Low"] = "low";
+    CategorizationLevel["Moderate"] = "moderate";
+})(CategorizationLevel || (CategorizationLevel = {}));
+/**
+ * NIST SP 800-53 control designation. 'common': fully provided by another component or
+ * system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid':
+ * shared responsibility between provider and inheritor.
+ */
+export var Designation;
+(function (Designation) {
+    Designation["Common"] = "common";
+    Designation["Hybrid"] = "hybrid";
+    Designation["SystemSpecific"] = "system-specific";
+})(Designation || (Designation = {}));
+/**
+ * Data flow direction. 'unidirectional' means data flows from→to only. 'bidirectional'
+ * means data flows in both directions (e.g., request/response).
+ */
+export var Direction;
+(function (Direction) {
+    Direction["Bidirectional"] = "bidirectional";
+    Direction["Unidirectional"] = "unidirectional";
+})(Direction || (Direction = {}));
+/**
+ * The type of assessment plan.
+ *
+ * The type of assessment. 'automated' for scanner-driven, 'manual' for human-performed,
+ * 'hybrid' for both.
+ */
+export var PlanType;
+(function (PlanType) {
+    PlanType["Automated"] = "automated";
+    PlanType["Hybrid"] = "hybrid";
+    PlanType["Manual"] = "manual";
+})(PlanType || (PlanType = {}));
+/**
+ * The type of HDF document being referenced.
+ *
+ * The type of document referenced in the evidence package.
+ */
+export var ContentType;
+(function (ContentType) {
+    ContentType["HdfAmendments"] = "hdf-amendments";
+    ContentType["HdfBaseline"] = "hdf-baseline";
+    ContentType["HdfComparison"] = "hdf-comparison";
+    ContentType["HdfPlan"] = "hdf-plan";
+    ContentType["HdfResults"] = "hdf-results";
+    ContentType["HdfSystem"] = "hdf-system";
+    ContentType["Sbom"] = "sbom";
+})(ContentType || (ContentType = {}));