@pactosigna/schemas 0.1.0 → 0.1.2

package/dist/cli.js

@@ -0,0 +1,1545 @@
+#!/usr/bin/env node
+
+// src/validate-directory.ts
+import path from "path";
+import fs from "fs";
+
+// src/validate-document.ts
+import matter from "gray-matter";
+
+// ../shared/dist/schemas/index.js
+import { z as z24 } from "zod";
+
+// ../shared/dist/schemas/common-enums.js
+import { z } from "zod";
+var RegulatoryFrameworkSchema = z.enum([
+  "ISO_13485",
+  "IEC_62304",
+  "FDA_21_CFR_820",
+  "QMSR",
+  "EU_MDR",
+  "ISO_14971",
+  "AI_ACT"
+]);
+var SafetyClassSchema = z.enum(["A", "B", "C"]);
+var DocumentTypeSchema = z.enum([
+  "user_need",
+  "requirement",
+  "architecture",
+  "detailed_design",
+  "test_protocol",
+  "test_report",
+  "sop",
+  "work_instruction",
+  "policy",
+  "usability_risk",
+  "software_risk",
+  "security_risk",
+  // Risk document types
+  "haz_soe_software",
+  "haz_soe_security",
+  "hazardous_situation",
+  "harm",
+  "hazard_category",
+  // Usability engineering (IEC 62366)
+  "usability_plan",
+  "use_specification",
+  "task_analysis",
+  "usability_evaluation",
+  "summative_evaluation",
+  // Risk management (ISO 14971)
+  "risk_management_plan",
+  // Software lifecycle (IEC 62304)
+  "software_development_plan",
+  "software_maintenance_plan",
+  "soup_register",
+  // Problem resolution (IEC 62304 §9)
+  "anomaly",
+  // Cybersecurity (IEC 81001-5-1)
+  "cybersecurity_plan",
+  "sbom",
+  // Clinical (MDR / FDA)
+  "clinical_evaluation_plan",
+  "clinical_evaluation_report",
+  // Post-market surveillance (MDR Art. 83)
+  "post_market_surveillance_plan",
+  "post_market_feedback",
+  // Labeling (MDR Annex I)
+  "labeling",
+  // Product (ISO 13485 §7.3)
+  "product_development_plan",
+  "intended_use",
+  // Release management (IEC 62304 §5.7)
+  "release_plan",
+  // Change management (ISO 13485 §7.3.5)
+  "design_review",
+  "release_notes",
+  // Supplier management (ISO 13485 §7.4)
+  "supplier",
+  // Internal audit management (ISO 13485 §8.2.2)
+  "audit_schedule",
+  "audit_report",
+  // Management review (ISO 13485 §5.6)
+  "management_review",
+  // Software test plan (IEC 62304 §5.7)
+  "software_test_plan"
+]);
+var DocumentStatusSchema = z.enum([
+  "draft",
+  "in_review",
+  "approved",
+  "obsolete",
+  "example"
+]);
+var LinkTypeSchema = z.enum([
+  "derives_from",
+  "implements",
+  "verified_by",
+  "mitigates",
+  "parent_of",
+  "related_to",
+  // New risk link types
+  "leads_to",
+  "results_in",
+  "analyzes"
+]);
+var AcceptabilityStatusSchema = z.enum(["acceptable", "review_required", "unacceptable"]);
+var DepartmentRoleSchema = z.enum(["manager", "member"]);
+
+// ../shared/dist/schemas/risk.js
+import { z as z2 } from "zod";
+var RiskDocumentStatusSchema = z2.enum([
+  "draft",
+  "in_review",
+  "approved",
+  "effective",
+  "archived",
+  "example"
+]);
+var MitigationTargetSchema = z2.enum([
+  "sequence_probability",
+  "harm_probability",
+  "severity"
+]);
+var RiskGapCodeSchema = z2.enum([
+  "hazard_no_situation",
+  "situation_no_harm",
+  "hazard_not_analyzed",
+  "missing_mitigation",
+  "broken_mitigation_link",
+  "control_not_approved",
+  "missing_risk_benefit",
+  "risk_missing_safety_chain",
+  "risk_broken_safety_chain",
+  "wrong_probability_dimension",
+  "missing_frontmatter",
+  "requirement_no_architecture",
+  "architecture_no_segregation",
+  "architecture_no_parent",
+  "haz_missing_category",
+  "haz_invalid_category",
+  "category_not_approved"
+]);
+var RiskGapSeveritySchema = z2.enum(["error", "warning"]);
+var MitigationSchema = z2.object({
+  control: z2.string().min(1),
+  reduces: MitigationTargetSchema,
+  for_harm: z2.string().optional()
+});
+var HarmAssessmentSchema = z2.object({
+  harm: z2.string().min(1),
+  inherent_probability: z2.number().int().min(1).max(5).optional(),
+  inherent_exploitability: z2.number().int().min(1).max(5).optional(),
+  residual_probability: z2.number().int().min(1).max(5).optional(),
+  residual_exploitability: z2.number().int().min(1).max(5).optional(),
+  residual_severity_override: z2.number().int().min(1).max(5).optional()
+});
+var RiskEntryFrontmatterSchema = z2.object({
+  type: z2.enum(["software_risk", "usability_risk", "security_risk"]),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  analyzes: z2.string().min(1),
+  hazardous_situation: z2.string().min(1),
+  harm_assessments: z2.array(HarmAssessmentSchema).min(1),
+  mitigations: z2.array(MitigationSchema).optional(),
+  cvss_score: z2.number().min(0).max(10).optional(),
+  cvss_vector: z2.string().regex(/^CVSS:3\.[01]\/AV:[NALP]\/AC:[LH]\/PR:[NLH]\/UI:[NR]\/S:[UC]\/C:[NLH]\/I:[NLH]\/A:[NLH]$/).optional()
+}).refine((data) => {
+  if (data.type === "security_risk") {
+    return data.harm_assessments.every((ha) => ha.inherent_exploitability != null);
+  }
+  return data.harm_assessments.every((ha) => ha.inherent_probability != null);
+}, {
+  message: "Security risks must use inherent_exploitability; software/usability risks must use inherent_probability"
+});
+var HazardFrontmatterSchema = z2.object({
+  type: z2.enum(["haz_soe_software", "haz_soe_security"]),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  leads_to: z2.array(z2.string()).optional(),
+  // sFMEA fields
+  failure_mode: z2.string().optional(),
+  cause: z2.string().optional(),
+  detection_method: z2.string().optional(),
+  // STRIDE fields
+  threat_category: z2.string().optional(),
+  attack_vector: z2.string().optional(),
+  // Hazard category reference (HC-xxx)
+  hazard_category: z2.string().optional()
+});
+var HazardCategoryFrontmatterSchema = z2.object({
+  type: z2.literal("hazard_category"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  source: z2.string().optional()
+});
+var HazardousSituationFrontmatterSchema = z2.object({
+  type: z2.literal("hazardous_situation"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  results_in: z2.array(z2.string()).optional()
+});
+var HarmFrontmatterSchema = z2.object({
+  type: z2.literal("harm"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  severity: z2.number().int().min(1).max(5),
+  category: z2.string().optional()
+});
+var RiskMatrixConfigSchema = z2.object({
+  version: z2.number(),
+  labels: z2.object({
+    severity: z2.array(z2.string()).length(5),
+    probability: z2.array(z2.string()).length(5),
+    exploitability: z2.array(z2.string()).length(5).optional()
+  }),
+  acceptability: z2.object({
+    unacceptable: z2.array(z2.tuple([z2.number(), z2.number()])),
+    review_required: z2.array(z2.tuple([z2.number(), z2.number()])).optional()
+  }),
+  overrides: z2.record(z2.object({
+    unacceptable: z2.array(z2.tuple([z2.number(), z2.number()])),
+    review_required: z2.array(z2.tuple([z2.number(), z2.number()])).optional()
+  })).optional()
+});
+
+// ../shared/dist/schemas/usability.js
+import { z as z3 } from "zod";
+var UsabilityPlanFrontmatterSchema = z3.object({
+  type: z3.literal("usability_plan"),
+  id: z3.string().min(1),
+  title: z3.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z3.string().optional(),
+  reviewers: z3.array(z3.string()).optional(),
+  approvers: z3.array(z3.string()).optional()
+});
+var UseSpecificationFrontmatterSchema = z3.object({
+  type: z3.literal("use_specification"),
+  id: z3.string().min(1),
+  title: z3.string().min(1),
+  status: RiskDocumentStatusSchema,
+  user_group: z3.string().min(1),
+  author: z3.string().optional(),
+  reviewers: z3.array(z3.string()).optional(),
+  approvers: z3.array(z3.string()).optional()
+});
+var TaskAnalysisFrontmatterSchema = z3.object({
+  type: z3.literal("task_analysis"),
+  id: z3.string().min(1),
+  title: z3.string().min(1),
+  status: RiskDocumentStatusSchema,
+  user_group: z3.string().min(1),
+  critical_task: z3.boolean(),
+  author: z3.string().optional(),
+  reviewers: z3.array(z3.string()).optional(),
+  approvers: z3.array(z3.string()).optional()
+});
+var UsabilityEvaluationFrontmatterSchema = z3.object({
+  type: z3.literal("usability_evaluation"),
+  id: z3.string().min(1),
+  title: z3.string().min(1),
+  status: RiskDocumentStatusSchema,
+  result: z3.enum(["pass", "fail", "pass_with_findings"]).optional(),
+  author: z3.string().optional(),
+  reviewers: z3.array(z3.string()).optional(),
+  approvers: z3.array(z3.string()).optional()
+});
+var SummativeEvaluationFrontmatterSchema = z3.object({
+  type: z3.literal("summative_evaluation"),
+  id: z3.string().min(1),
+  title: z3.string().min(1),
+  status: RiskDocumentStatusSchema,
+  result: z3.enum(["pass", "fail", "pass_with_findings"]).optional(),
+  author: z3.string().optional(),
+  reviewers: z3.array(z3.string()).optional(),
+  approvers: z3.array(z3.string()).optional()
+});
+
+// ../shared/dist/schemas/risk-management-plan.js
+import { z as z4 } from "zod";
+var RiskManagementPlanFrontmatterSchema = z4.object({
+  type: z4.literal("risk_management_plan"),
+  id: z4.string().min(1),
+  title: z4.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z4.string().optional(),
+  reviewers: z4.array(z4.string()).optional(),
+  approvers: z4.array(z4.string()).optional()
+});
+
+// ../shared/dist/schemas/software-lifecycle.js
+import { z as z5 } from "zod";
+var SoftwareDevelopmentPlanFrontmatterSchema = z5.object({
+  type: z5.literal("software_development_plan"),
+  id: z5.string().min(1),
+  title: z5.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z5.string().optional(),
+  reviewers: z5.array(z5.string()).optional(),
+  approvers: z5.array(z5.string()).optional()
+});
+var SoftwareMaintenancePlanFrontmatterSchema = z5.object({
+  type: z5.literal("software_maintenance_plan"),
+  id: z5.string().min(1),
+  title: z5.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z5.string().optional(),
+  reviewers: z5.array(z5.string()).optional(),
+  approvers: z5.array(z5.string()).optional()
+});
+var SoupRegisterFrontmatterSchema = z5.object({
+  type: z5.literal("soup_register"),
+  id: z5.string().min(1),
+  title: z5.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z5.string().optional(),
+  reviewers: z5.array(z5.string()).optional(),
+  approvers: z5.array(z5.string()).optional()
+});
+var SoftwareTestPlanFrontmatterSchema = z5.object({
+  type: z5.literal("software_test_plan"),
+  id: z5.string().min(1),
+  title: z5.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z5.string().optional(),
+  reviewers: z5.array(z5.string()).optional(),
+  approvers: z5.array(z5.string()).optional()
+});
+
+// ../shared/dist/schemas/architecture.js
+import { z as z6 } from "zod";
+var SoftwareItemTypeSchema = z6.enum(["system", "subsystem", "component", "unit"]);
+var SegregationSchema = z6.object({
+  mechanism: z6.string().min(1),
+  rationale: z6.string().min(1)
+});
+var ArchitectureFrontmatterSchema = z6.object({
+  id: z6.string().min(1),
+  title: z6.string().min(1),
+  type: z6.literal("architecture"),
+  status: RiskDocumentStatusSchema,
+  software_item_type: SoftwareItemTypeSchema.optional(),
+  parent_item: z6.string().optional(),
+  safety_class: z6.enum(["A", "B", "C"]).optional(),
+  segregation: SegregationSchema.optional(),
+  author: z6.string().optional(),
+  reviewers: z6.array(z6.string()).optional(),
+  approvers: z6.array(z6.string()).optional()
+});
+var DetailedDesignFrontmatterSchema = z6.object({
+  id: z6.string().min(1),
+  title: z6.string().min(1),
+  type: z6.literal("detailed_design"),
+  status: RiskDocumentStatusSchema,
+  software_item_type: SoftwareItemTypeSchema.optional(),
+  parent_item: z6.string().optional(),
+  safety_class: z6.enum(["A", "B", "C"]).optional(),
+  segregation: SegregationSchema.optional(),
+  author: z6.string().optional(),
+  reviewers: z6.array(z6.string()).optional(),
+  approvers: z6.array(z6.string()).optional()
+});
+
+// ../shared/dist/schemas/anomaly.js
+import { z as z7 } from "zod";
+var AnomalyCategorySchema = z7.enum([
+  "bug",
+  "security_vulnerability",
+  "regression",
+  "performance"
+]);
+var AnomalySeveritySchema = z7.enum(["critical", "major", "minor"]);
+var AnomalyDispositionSchema = z7.enum([
+  "open",
+  "investigating",
+  "resolved",
+  "deferred",
+  "will_not_fix"
+]);
+var AnomalyFrontmatterSchema = z7.object({
+  type: z7.literal("anomaly"),
+  id: z7.string().min(1),
+  title: z7.string().min(1),
+  status: RiskDocumentStatusSchema,
+  category: AnomalyCategorySchema,
+  severity: AnomalySeveritySchema,
+  disposition: AnomalyDispositionSchema,
+  affected_version: z7.string().optional(),
+  author: z7.string().optional(),
+  reviewers: z7.array(z7.string()).optional(),
+  approvers: z7.array(z7.string()).optional()
+});
+
+// ../shared/dist/schemas/cybersecurity.js
+import { z as z8 } from "zod";
+var CybersecurityPlanFrontmatterSchema = z8.object({
+  type: z8.literal("cybersecurity_plan"),
+  id: z8.string().min(1),
+  title: z8.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z8.string().optional(),
+  reviewers: z8.array(z8.string()).optional(),
+  approvers: z8.array(z8.string()).optional()
+});
+var SbomFrontmatterSchema = z8.object({
+  type: z8.literal("sbom"),
+  id: z8.string().min(1),
+  title: z8.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z8.string().optional(),
+  reviewers: z8.array(z8.string()).optional(),
+  approvers: z8.array(z8.string()).optional()
+});
+
+// ../shared/dist/schemas/clinical.js
+import { z as z9 } from "zod";
+var ClinicalEvaluationPlanFrontmatterSchema = z9.object({
+  type: z9.literal("clinical_evaluation_plan"),
+  id: z9.string().min(1),
+  title: z9.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z9.string().optional(),
+  reviewers: z9.array(z9.string()).optional(),
+  approvers: z9.array(z9.string()).optional()
+});
+var ClinicalEvaluationReportFrontmatterSchema = z9.object({
+  type: z9.literal("clinical_evaluation_report"),
+  id: z9.string().min(1),
+  title: z9.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z9.string().optional(),
+  reviewers: z9.array(z9.string()).optional(),
+  approvers: z9.array(z9.string()).optional()
+});
+
+// ../shared/dist/schemas/post-market.js
+import { z as z10 } from "zod";
+var PostMarketSurveillancePlanFrontmatterSchema = z10.object({
+  type: z10.literal("post_market_surveillance_plan"),
+  id: z10.string().min(1),
+  title: z10.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z10.string().optional(),
+  reviewers: z10.array(z10.string()).optional(),
+  approvers: z10.array(z10.string()).optional()
+});
+var PostMarketFeedbackCategorySchema = z10.enum([
+  "complaint",
+  "field_observation",
+  "clinical_followup",
+  "trend_report"
+]);
+var PostMarketFeedbackSeveritySchema = z10.enum(["low", "medium", "high", "critical"]);
+var PostMarketFeedbackFrontmatterSchema = z10.object({
+  type: z10.literal("post_market_feedback"),
+  id: z10.string().min(1),
+  title: z10.string().min(1),
+  status: RiskDocumentStatusSchema,
+  category: PostMarketFeedbackCategorySchema,
+  severity: PostMarketFeedbackSeveritySchema,
+  device: z10.string().optional(),
+  reporting_period: z10.string().optional(),
+  author: z10.string().optional(),
+  reviewers: z10.array(z10.string()).optional(),
+  approvers: z10.array(z10.string()).optional()
+});
+
+// ../shared/dist/schemas/labeling.js
+import { z as z11 } from "zod";
+var LabelingFrontmatterSchema = z11.object({
+  type: z11.literal("labeling"),
+  id: z11.string().min(1),
+  title: z11.string().min(1),
+  status: RiskDocumentStatusSchema,
+  label_type: z11.enum(["ifu", "product_label", "packaging_label"]).optional(),
+  author: z11.string().optional(),
+  reviewers: z11.array(z11.string()).optional(),
+  approvers: z11.array(z11.string()).optional()
+});
+
+// ../shared/dist/schemas/product.js
+import { z as z12 } from "zod";
+var ProductDevelopmentPlanFrontmatterSchema = z12.object({
+  type: z12.literal("product_development_plan"),
+  id: z12.string().min(1),
+  title: z12.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z12.string().optional(),
+  reviewers: z12.array(z12.string()).optional(),
+  approvers: z12.array(z12.string()).optional()
+});
+var IntendedUseFrontmatterSchema = z12.object({
+  type: z12.literal("intended_use"),
+  id: z12.string().min(1),
+  title: z12.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z12.string().optional(),
+  reviewers: z12.array(z12.string()).optional(),
+  approvers: z12.array(z12.string()).optional()
+});
+
+// ../shared/dist/schemas/user-need.js
+import { z as z13 } from "zod";
+var UserNeedPrioritySchema = z13.enum(["must_have", "should_have", "nice_to_have"]);
+var UserNeedFrontmatterSchema = z13.object({
+  id: z13.string().min(1),
+  title: z13.string().min(1),
+  status: RiskDocumentStatusSchema,
+  /** Validated if present — ensures frontmatter doesn't misidentify the document type */
+  type: z13.literal("user_need").optional(),
+  /** The user role or stakeholder (e.g., "Quality Manager", "Developer") */
+  stakeholder: z13.string().optional(),
+  /** MoSCoW priority classification */
+  priority: UserNeedPrioritySchema.optional(),
+  /** Where this need originated (e.g., "ISO 13485 §7.3", "user interview") */
+  source: z13.string().optional(),
+  /** IDs of product requirements derived from this need */
+  derives: z13.array(z13.string()).optional(),
+  author: z13.string().optional(),
+  reviewers: z13.array(z13.string()).optional(),
+  approvers: z13.array(z13.string()).optional()
+});
+
+// ../shared/dist/schemas/requirement.js
+import { z as z14 } from "zod";
+var RequirementTypeSchema = z14.enum([
+  "functional",
+  "interface",
+  "performance",
+  "security",
+  "usability",
+  "safety",
+  "regulatory"
+]);
+var RequirementFormatSchema = z14.enum(["standard", "user_story"]);
+var RequirementFulfillmentTypeSchema = z14.enum([
+  "software",
+  "labeling",
+  "clinical",
+  "usability",
+  "regulatory_doc",
+  "process"
+]);
+var RequirementFrontmatterSchema = z14.object({
+  id: z14.string().min(1),
+  title: z14.string().min(1),
+  status: RiskDocumentStatusSchema,
+  /** IEC 62304 §5.2.2 — requirement classification (required for SRS, optional for PRS) */
+  req_type: RequirementTypeSchema.optional(),
+  /** Authoring convention — controls which required sections are checked */
+  format: RequirementFormatSchema.optional(),
+  /** ISO 13485 §7.3.3 — how this PRS design input is fulfilled (PRS only, defaults to 'software') */
+  fulfillment_type: RequirementFulfillmentTypeSchema.optional(),
+  author: z14.string().optional(),
+  reviewers: z14.array(z14.string()).optional(),
+  approvers: z14.array(z14.string()).optional(),
+  /** Upstream traceability — IDs of documents this requirement traces from (e.g., UN for PRS, PRS for SRS) */
+  traces_from: z14.array(z14.string()).optional(),
+  /** Downstream traceability — IDs of documents this requirement traces to (e.g., SRS for PRS) */
+  traces_to: z14.array(z14.string()).optional()
+});
+
+// ../shared/dist/schemas/test-documents.js
+import { z as z15 } from "zod";
+var TestProtocolFrontmatterSchema = z15.object({
+  type: z15.literal("test_protocol"),
+  id: z15.string().min(1),
+  title: z15.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z15.string().optional(),
+  reviewers: z15.array(z15.string()).optional(),
+  approvers: z15.array(z15.string()).optional()
+});
+var TestPhaseSchema = z15.enum(["verification", "production"]);
+var TestReportFrontmatterSchema = z15.object({
+  type: z15.literal("test_report"),
+  id: z15.string().min(1),
+  title: z15.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z15.string().optional(),
+  reviewers: z15.array(z15.string()).optional(),
+  approvers: z15.array(z15.string()).optional(),
+  release_version: z15.string().optional(),
+  test_phase: TestPhaseSchema.optional()
+});
+
+// ../shared/dist/schemas/repo-config.js
+import { z as z16 } from "zod";
+var ReleaseReviewConfigSchema = z16.object({
+  required_departments: z16.array(z16.string().min(1)).min(1),
+  final_approver: z16.string().min(1)
+});
+var RepoConfigSchema = z16.object({
+  device: z16.object({
+    name: z16.string().min(1),
+    safety_class: z16.enum(["A", "B", "C"]),
+    classification: z16.object({
+      eu: z16.string().optional(),
+      us: z16.string().optional()
+    }).optional(),
+    udi_device_identifier: z16.string().optional()
+  }),
+  release_review: ReleaseReviewConfigSchema.optional()
+});
+
+// ../shared/dist/schemas/qms-device.js
+import { z as z17 } from "zod";
+var OwnerTypeSchema = z17.enum(["qms", "device"]);
+var DocumentSnapshotSchema = z17.object({
+  documentId: z17.string(),
+  commitSha: z17.string(),
+  documentPath: z17.string(),
+  documentTitle: z17.string(),
+  documentType: z17.string(),
+  previousReleasedCommitSha: z17.string().optional(),
+  changeType: z17.enum(["added", "modified", "unchanged"]),
+  changeDescription: z17.string().optional()
+});
+var QmsDocumentTypeSchema = z17.enum([
+  "sop",
+  "policy",
+  "work_instruction",
+  "supplier",
+  "audit_schedule",
+  "audit_report",
+  "management_review"
+]);
+var DeviceDocumentTypeSchema = z17.enum([
+  "user_need",
+  "requirement",
+  "architecture",
+  "detailed_design",
+  "test_protocol",
+  "test_report",
+  "usability_risk",
+  "software_risk",
+  "security_risk",
+  "hazardous_situation",
+  "harm",
+  "haz_soe_software",
+  "haz_soe_security",
+  "hazard_category",
+  // Usability engineering (IEC 62366)
+  "usability_plan",
+  "use_specification",
+  "task_analysis",
+  "usability_evaluation",
+  "summative_evaluation",
+  // Risk management (ISO 14971)
+  "risk_management_plan",
+  // Software lifecycle (IEC 62304)
+  "software_development_plan",
+  "software_maintenance_plan",
+  "soup_register",
+  // Problem resolution (IEC 62304 §9)
+  "anomaly",
+  // Cybersecurity (IEC 81001-5-1)
+  "cybersecurity_plan",
+  "sbom",
+  // Clinical (MDR / FDA)
+  "clinical_evaluation_plan",
+  "clinical_evaluation_report",
+  // Post-market surveillance (MDR Art. 83)
+  "post_market_surveillance_plan",
+  "post_market_feedback",
+  // Labeling (MDR Annex I)
+  "labeling",
+  // Product (ISO 13485 §7.3)
+  "product_development_plan",
+  "intended_use",
+  // Release management (IEC 62304 §5.7)
+  "release_plan",
+  // Change management (ISO 13485 §7.3.5)
+  "design_review",
+  "release_notes",
+  // Software test plan (IEC 62304 §5.7)
+  "software_test_plan"
+]);
+
+// ../shared/dist/schemas/change-management.js
+import { z as z18 } from "zod";
+var ReleasePlanFrontmatterSchema = z18.object({
+  id: z18.string().min(1),
+  title: z18.string().min(1),
+  type: z18.literal("release_plan").optional(),
+  status: z18.string().optional(),
+  author: z18.string().optional(),
+  reviewers: z18.array(z18.string()).optional(),
+  approvers: z18.array(z18.string()).optional(),
+  version: z18.string().optional(),
+  target_date: z18.string().optional()
+});
+var SuspectedLinkDispositionSchema = z18.enum(["included_in_release", "not_impacted"]);
+var SuspectedLinkNeighborSchema = z18.object({
+  document: z18.string().min(1),
+  direction: z18.enum(["upstream", "downstream"]),
+  disposition: SuspectedLinkDispositionSchema,
+  /** Required when disposition is 'not_impacted' */
+  rationale: z18.string().min(1).optional()
+});
+var SuspectedLinkGroupSchema = z18.object({
+  triggered_by: z18.string().min(1),
+  neighbors: z18.array(SuspectedLinkNeighborSchema).min(1)
+});
+var DesignReviewFrontmatterSchema = z18.object({
+  id: z18.string().min(1),
+  title: z18.string().min(1),
+  type: z18.literal("design_review").optional(),
+  status: z18.string().optional(),
+  author: z18.string().optional(),
+  reviewers: z18.array(z18.string()).optional(),
+  approvers: z18.array(z18.string()).optional(),
+  /** Optional link to a Release Plan document (e.g. "RP-001") */
+  release_plan: z18.string().optional(),
+  /** Acknowledged suspected links — one-up/one-down neighbor analysis */
+  suspected_links: z18.array(SuspectedLinkGroupSchema).optional()
+});
+var ReleaseNotesAudienceSchema = z18.enum(["customer", "technical"]);
+var ReleaseNotesFrontmatterSchema = z18.object({
+  id: z18.string().min(1),
+  title: z18.string().min(1),
+  type: z18.literal("release_notes").optional(),
+  status: RiskDocumentStatusSchema,
+  author: z18.string().optional(),
+  reviewers: z18.array(z18.string()).optional(),
+  approvers: z18.array(z18.string()).optional(),
+  audience: ReleaseNotesAudienceSchema,
+  release_version: z18.string().min(1)
+});
+
+// ../shared/dist/schemas/retention-policy.js
+import { z as z19 } from "zod";
+var RetentionPolicySchema = z19.object({
+  /** Default retention period in years for all record types */
+  defaultPeriodYears: z19.number().int().min(1).max(30).default(10),
+  /**
+   * Optional per-record-type overrides (e.g., { "release": 15, "signature": 20 }).
+   * Keys are record type identifiers; values are retention periods in years.
+   */
+  byRecordType: z19.record(z19.string(), z19.number().int().min(1).max(30)).optional()
+});
+
+// ../shared/dist/schemas/audit.js
+import { z as z20 } from "zod";
+var AuditFindingClassificationSchema = z20.enum(["observation", "minor_nc", "major_nc"]);
+var AuditStatusSchema = z20.enum(["planned", "in_progress", "completed", "cancelled"]);
+var PlannedAuditEntrySchema = z20.object({
+  audit_id: z20.string().min(1),
+  process_area: z20.string().min(1),
+  clause: z20.string().optional(),
+  planned_date: z20.string().min(1),
+  auditor: z20.string().min(1),
+  status: AuditStatusSchema
+});
+var AuditScheduleFrontmatterSchema = z20.object({
+  id: z20.string().min(1),
+  title: z20.string().min(1),
+  type: z20.literal("audit_schedule").optional(),
+  status: z20.string().optional(),
+  author: z20.string().optional(),
+  reviewers: z20.array(z20.string()).optional(),
+  approvers: z20.array(z20.string()).optional(),
+  cycle_year: z20.number().int().min(2e3).max(2100),
+  audits: z20.array(PlannedAuditEntrySchema).min(1)
+});
+var AuditFindingSchema = z20.object({
+  finding_id: z20.string().min(1),
+  classification: AuditFindingClassificationSchema,
+  description: z20.string().min(1),
+  capa_id: z20.string().optional()
+});
+var AuditReportFrontmatterSchema = z20.object({
+  id: z20.string().min(1),
+  title: z20.string().min(1),
+  type: z20.literal("audit_report").optional(),
+  status: z20.string().optional(),
+  author: z20.string().optional(),
+  reviewers: z20.array(z20.string()).optional(),
+  approvers: z20.array(z20.string()).optional(),
+  audit_date: z20.string().min(1),
+  audit_id: z20.string().optional(),
+  process_area: z20.string().min(1),
+  clause: z20.string().optional(),
+  auditor: z20.string().min(1),
+  findings: z20.array(AuditFindingSchema),
+  findings_major: z20.number().int().min(0).optional(),
+  findings_minor: z20.number().int().min(0).optional(),
+  findings_observations: z20.number().int().min(0).optional()
+});
+
+// ../shared/dist/schemas/management-review.js
+import { z as z21 } from "zod";
+var ManagementReviewAttendeeSchema = z21.object({
+  name: z21.string().min(1),
+  role: z21.string().min(1)
+});
+var ManagementReviewFrontmatterSchema = z21.object({
+  id: z21.string().min(1),
+  title: z21.string().min(1),
+  type: z21.literal("management_review").optional(),
+  version: z21.string().optional(),
+  status: z21.enum(["draft", "scheduled", "completed"]).optional(),
+  review_date: z21.string().min(1),
+  review_period: z21.object({
+    from: z21.string().min(1),
+    to: z21.string().min(1)
+  }),
+  attendees: z21.array(ManagementReviewAttendeeSchema).min(1),
+  data_snapshot_date: z21.string().optional(),
+  next_review_date: z21.string().optional()
+});
+
+// ../shared/dist/schemas/frameworks.js
+import { z as z22 } from "zod";
+var FrameworkScopeSchema = z22.enum(["qms", "device", "both"]);
+var MappingRelationshipSchema = z22.enum(["equivalent", "partial", "related", "supersedes"]);
+var FrameworkDefinitionSeedSchema = z22.object({
+  id: RegulatoryFrameworkSchema,
+  name: z22.string().min(1),
+  version: z22.string().min(1),
+  scope: FrameworkScopeSchema,
+  url: z22.string().url().nullable(),
+  active: z22.boolean().default(true)
+});
+var ClauseBase = z22.object({
+  clauseNumber: z22.string().min(1),
+  title: z22.string().min(1)
+});
+function buildClauseSchema(remainingDepth) {
+  if (remainingDepth <= 0) {
+    return ClauseBase.strict();
+  }
+  return ClauseBase.extend({
+    children: z22.array(z22.lazy(() => buildClauseSchema(remainingDepth - 1))).optional()
+  });
+}
+var FrameworkClauseSeedSchema = buildClauseSchema(5);
+var FrameworkMappingSeedSchema = z22.object({
+  sourceClause: z22.string().min(1),
+  targetFramework: RegulatoryFrameworkSchema,
+  targetClause: z22.string().min(1),
+  relationship: MappingRelationshipSchema,
+  notes: z22.string().nullable().default(null)
+});
+var MappingFileSeedSchema = z22.object({
+  sourceFramework: RegulatoryFrameworkSchema,
+  mappings: z22.array(FrameworkMappingSeedSchema)
+});
+var EvidenceSourceSchema = z22.enum(["documents", "training_records"]);
+var EvidenceRuleConditionsSeedSchema = z22.object({
+  evidenceSource: EvidenceSourceSchema.optional(),
+  documentType: DocumentTypeSchema.optional(),
+  linkType: LinkTypeSchema.optional(),
+  status: z22.string().optional(),
+  minCount: z22.number().int().positive().optional()
+});
+var EvidenceRuleSeedSchema = z22.object({
+  clauseId: z22.string().min(1),
+  description: z22.string().min(1),
+  conditions: EvidenceRuleConditionsSeedSchema,
+  weight: z22.number().min(0).max(1)
+});
+var EvidenceRulesFileSeedSchema = z22.object({
+  frameworkId: RegulatoryFrameworkSchema,
+  rules: z22.array(EvidenceRuleSeedSchema)
+});
+var FrameworkFileSeedSchema = FrameworkDefinitionSeedSchema.extend({
+  clauses: z22.array(FrameworkClauseSeedSchema)
+});
+
+// ../shared/dist/schemas/legal.js
+import { z as z23 } from "zod";
+var LegalDocumentTypeSchema = z23.enum(["tos", "privacy-policy", "billing-terms"]);
+var LegalDocumentVersionSchema = z23.string().regex(/^\d{4}-\d{2}-\d{2}$/, {
+  message: "Version must be in YYYY-MM-DD format"
+});
+
+// ../shared/dist/schemas/index.js
+var GateOverrideCategorySchema = z24.enum([
+  "unverified_requirements",
+  "unanalyzed_requirements",
+  "error_risk_gaps",
+  "missing_risk_management_plan_reference",
+  "missing_plan_risk_management",
+  "missing_plan_software_development",
+  "missing_plan_cybersecurity",
+  "missing_plan_usability",
+  "missing_plan_clinical_evaluation",
+  "missing_plan_post_market_surveillance",
+  "missing_artifact_soup_register",
+  "missing_artifact_sbom",
+  "missing_artifact_summative_evaluation",
+  "missing_deployment_references",
+  "missing_smoke_test_evidence"
+]);
+var MemberRoleSchema = z24.enum(["admin", "member"]);
+var MemberStatusSchema = z24.enum(["active", "suspended", "removed"]);
+var EmailAddressSchema = z24.object({
+  value: z24.string().email(),
+  verified: z24.boolean()
+});
+var ReviewerRuleSchema = z24.object({
+  documentType: DocumentTypeSchema,
+  requiredDepartments: z24.array(z24.string()),
+  finalApproverDepartment: z24.string()
+});
+var SyncStatusSchema = z24.enum(["active", "paused", "error"]);
+var AuditActionSchema = z24.enum([
+  // Organization
+  "organization.created",
+  "organization.settings_updated",
+  "organization.checklist_template_updated",
+  // Members
+  "member.invited",
+  "member.invite_declined",
+  "member.joined",
+  "member.role_changed",
+  "member.removed",
+  "member.password_reset_forced",
+  // Repositories
+  "repository.connected",
+  "repository.disconnected",
+  "repository.sync_triggered",
+  "repository.updated",
+  "repository.assigned",
+  "repository.unassigned",
+  // Documents
+  "document.synced",
+  "document.removed",
+  "document.viewed",
+  // Releases
+  "release.created",
+  "release.updated",
+  "release.deleted",
+  "release.withdrawn",
+  "release.submitted_for_review",
+  "release.signature_added",
+  "release.approved",
+  "release.published",
+  "release.checklist_updated",
+  "release.signing_obligations_rederived",
+  "release.gate_override_added",
+  "release.gate_override_removed",
+  "release.gate_override_invalidated",
+  "release.viewed",
+  // Signatures
+  "signature.created",
+  "signature.attempt_failed",
+  "signature.lockout_triggered",
+  // Signing Requests
+  "signing_request.created",
+  "signing_request.sent",
+  "signing_request.viewed",
+  "signing_request.signed",
+  "signing_request.declined",
+  "signing_request.cancelled",
+  "signing_request.expired",
+  "signing_request.reminded",
+  "signing_request.document_accessed",
+  // Training
+  "training.assigned",
+  "training.completed",
+  "training.started",
+  "training.settings_updated",
+  "training.quiz_submitted",
+  "training.quiz_passed",
+  "training.quiz_failed",
+  "training.overdue_notified",
+  "training.acknowledged",
+  "training.signature_added",
+  "training.instructor_signoff",
+  "training.task_created",
+  "training.viewed",
+  // QMS
+  "qms.created",
+  "qms.updated",
+  "qms.deleted",
+  // Devices
+  "device.created",
+  "device.updated",
+  "device.deleted",
+  // DCOs
+  "dco.created",
+  "dco.updated",
+  "dco.deleted",
+  "dco.submitted",
+  "dco.obligation_fulfilled",
+  "dco.approved",
+  "dco.effective",
+  // Design Reviews
+  "design_review.created",
+  "design_review.updated",
+  "design_review.deleted",
+  "design_review.submitted",
+  "design_review.signature_added",
+  "design_review.signed",
+  "design_review.cancelled",
+  // CAPAs
+  "capa.created",
+  "capa.updated",
+  "capa.deleted",
+  "capa.investigation_started",
+  "capa.implementation_started",
+  "capa.verification_started",
+  "capa.closed",
+  "capa.cancelled",
+  "capa.action_added",
+  "capa.action_updated",
+  "capa.action_removed",
+  // Complaints
+  "complaint.created",
+  "complaint.updated",
+  "complaint.deleted",
+  "complaint.investigation_started",
+  "complaint.resolved",
+  "complaint.closed",
+  "complaint.cancelled",
+  "complaint.escalated_to_capa",
+  // Nonconformances
+  "nc.created",
+  "nc.updated",
+  "nc.deleted",
+  "nc.investigation_started",
+  "nc.disposition_set",
+  "nc.concession_approved",
+  "nc.closed",
+  "nc.cancelled",
+  "nc.escalated_to_capa",
+  // Actions
+  "action.created",
+  "action.updated",
+  "action.completed",
+  "action.cancelled",
+  "action.deleted",
+  // Legal
+  "billing_terms.accepted",
+  "legal_document.accepted",
+  // Billing
+  "billing.checkout_created",
+  "billing.portal_accessed",
+  "billing.subscription_activated",
+  "billing.subscription_updated",
+  "billing.subscription_canceled",
+  // API Keys
+  "api_key.created",
+  "api_key.revoked",
+  // Risk Management
+  "risk.viewed",
+  // Compliance
+  "compliance_package.requested",
+  "compliance_package.downloaded",
+  "validation_package.downloaded",
+  // ERSD
+  "ersd.created",
+  "ersd.auto_seeded",
+  // Quality Objectives
+  "quality_objective.created",
+  "quality_objective.updated",
+  "quality_objective.value_recorded",
+  "quality_objective.deactivated",
+  // Quality Reviews
+  "quality_review.created",
+  "quality_review.updated",
+  "quality_review.started",
+  "quality_review.completed",
+  "quality_review.cancelled",
+  // Review Types
+  "review_type.created",
+  "review_type.updated",
+  // Audit
+  "audit_log.exported"
+]);
+var ResourceTypeSchema = z24.enum([
+  "organization",
+  "member",
+  "invite",
+  "repository",
+  "document",
+  "release",
+  "signature",
+  "training",
+  "training_task",
+  "training_settings",
+  "qms",
+  "device",
+  "dco",
+  "design_review",
+  "signing_request",
+  "capa",
+  "complaint",
+  "nonconformance",
+  "action",
+  "legal_acceptance",
+  "subscription",
+  "api_key",
+  "compliance_package",
+  "validation_package",
+  "ersd",
+  "qualityObjective",
+  "qualityReview",
+  "reviewType",
+  "audit_log",
+  "risk_matrix"
+]);
+var ReleaseTypeSchema = z24.enum(["qms", "device", "combined"]);
+var ReleaseStatusSchema = z24.enum(["draft", "in_review", "approved", "published"]);
+var SignatureTypeSchema = z24.enum(["author", "dept_reviewer", "final_approver", "trainee"]);
+var ChangeTypeSchema = z24.enum(["added", "modified", "deleted"]);
+var SigningRequestStatusSchema = z24.enum([
+  "sent",
+  "partially_signed",
+  "completed",
+  "expired",
+  "cancelled"
+]);
+var SignerStatusSchema = z24.enum(["pending", "viewed", "signed", "declined"]);
+var FieldTypeSchema = z24.enum(["signature", "initials", "date"]);
+
+// ../shared/dist/constants/risk-matrix.js
+var RISK_DOCUMENT_TYPES = [
+  "software_risk",
+  "usability_risk",
+  "security_risk"
+];
+var HAZARD_DOCUMENT_TYPES = ["haz_soe_software", "haz_soe_security"];
+var ALL_RISK_RELATED_DOCUMENT_TYPES = [
+  ...RISK_DOCUMENT_TYPES,
+  ...HAZARD_DOCUMENT_TYPES,
+  "hazardous_situation",
+  "harm"
+];
+
+// ../shared/dist/constants/index.js
+var REQUIRED_SECTIONS = {
+  user_need: ["Purpose", "Stakeholder", "User Needs"],
+  architecture: ["Purpose"],
+  release_plan: ["Scope", "Applicable Plans", "Release-Specific Criteria", "Known Anomalies"],
+  design_review: ["Review Scope", "Attendees", "Findings", "Actions", "Conclusion"],
+  release_notes: ["Changes", "Known Issues"],
+  audit_schedule: ["Scope", "Audit Criteria"],
+  audit_report: ["Scope", "Methodology", "Findings", "Conclusion"],
+  management_review: ["Review Inputs", "Review Outputs", "Action Items", "Decisions"],
+  hazard_category: ["Description", "Examples", "Applicable Standards"]
+};
+
+// ../shared/dist/validators/permissions.js
+import { z as z25 } from "zod";
+var MemberPermissionsSchema = z25.object({
+  canSign: z25.boolean(),
+  canApprove: z25.boolean(),
+  canCreateRelease: z25.boolean(),
+  canPublishRelease: z25.boolean(),
+  canManageMembers: z25.boolean(),
+  canViewAuditLog: z25.boolean(),
+  canExport: z25.boolean()
+});
+
+// src/schema-map.ts
+var SCHEMA_MAP = {
+  // Risk entries
+  software_risk: RiskEntryFrontmatterSchema,
+  usability_risk: RiskEntryFrontmatterSchema,
+  security_risk: RiskEntryFrontmatterSchema,
+  // Hazard / harm documents
+  haz_soe_software: HazardFrontmatterSchema,
+  haz_soe_security: HazardFrontmatterSchema,
+  hazardous_situation: HazardousSituationFrontmatterSchema,
+  harm: HarmFrontmatterSchema,
+  hazard_category: HazardCategoryFrontmatterSchema,
+  // Problem resolution (IEC 62304 §9)
+  anomaly: AnomalyFrontmatterSchema,
+  // Usability engineering (IEC 62366)
+  usability_plan: UsabilityPlanFrontmatterSchema,
+  use_specification: UseSpecificationFrontmatterSchema,
+  task_analysis: TaskAnalysisFrontmatterSchema,
+  usability_evaluation: UsabilityEvaluationFrontmatterSchema,
+  summative_evaluation: SummativeEvaluationFrontmatterSchema,
+  // Risk management (ISO 14971)
+  risk_management_plan: RiskManagementPlanFrontmatterSchema,
+  // Software lifecycle (IEC 62304)
+  software_development_plan: SoftwareDevelopmentPlanFrontmatterSchema,
+  software_maintenance_plan: SoftwareMaintenancePlanFrontmatterSchema,
+  software_test_plan: SoftwareTestPlanFrontmatterSchema,
+  soup_register: SoupRegisterFrontmatterSchema,
+  // Cybersecurity (IEC 81001-5-1)
+  cybersecurity_plan: CybersecurityPlanFrontmatterSchema,
+  sbom: SbomFrontmatterSchema,
+  // Clinical (MDR / FDA)
+  clinical_evaluation_plan: ClinicalEvaluationPlanFrontmatterSchema,
+  clinical_evaluation_report: ClinicalEvaluationReportFrontmatterSchema,
+  // Post-market surveillance (MDR Art. 83)
+  post_market_surveillance_plan: PostMarketSurveillancePlanFrontmatterSchema,
+  post_market_feedback: PostMarketFeedbackFrontmatterSchema,
+  // Labeling (MDR Annex I)
+  labeling: LabelingFrontmatterSchema,
+  // Product (ISO 13485 §7.3)
+  product_development_plan: ProductDevelopmentPlanFrontmatterSchema,
+  intended_use: IntendedUseFrontmatterSchema,
+  // User needs (ISO 13485 §7.3.2)
+  user_need: UserNeedFrontmatterSchema,
+  // Requirements (IEC 62304 §5.2.2, ISO 13485 §7.3.3)
+  requirement: RequirementFrontmatterSchema,
+  // Test documents
+  test_protocol: TestProtocolFrontmatterSchema,
+  test_report: TestReportFrontmatterSchema,
+  // Change management (ISO 13485 §7.3.5)
+  release_plan: ReleasePlanFrontmatterSchema,
+  design_review: DesignReviewFrontmatterSchema,
+  release_notes: ReleaseNotesFrontmatterSchema,
+  // Internal audit management (ISO 13485 §8.2.2)
+  audit_schedule: AuditScheduleFrontmatterSchema,
+  audit_report: AuditReportFrontmatterSchema,
+  // Management review (ISO 13485 §5.6)
+  management_review: ManagementReviewFrontmatterSchema
+};
+
+// src/document-type-patterns.ts
+var FOLDER_RULES = {
+  // Product (ISO 13485 §7.3)
+  "docs/product": {
+    prefixes: ["PDP-", "IU-"],
+    type: ["product_development_plan", "intended_use"]
+  },
+  "docs/product/requirements": { prefixes: ["PRS-"], type: "requirement", category: "product" },
+  "docs/product/user-needs": { prefixes: ["UN-"], type: "user_need" },
+  // Software requirements (moved under software discipline)
+  "docs/software/requirements": { prefixes: ["SRS-"], type: "requirement", category: "software" },
+  // Design (IEC 62304 — under software discipline)
+  "docs/software/architecture": { prefixes: ["HLD-", "SAD-", "DEV-PLAN-"], type: "architecture" },
+  "docs/software/design": { prefixes: ["SDD-", "DDD-"], type: "detailed_design" },
+  // Test (protocols + reports)
+  "docs/test/protocols": { prefixes: ["TP-"], type: "test_protocol" },
+  "docs/test/reports": { prefixes: ["TR-"], type: "test_report" },
+  // Risk management — ISO 14971 (umbrella)
+  "docs/risk/plans": { prefixes: ["RMP-"], type: "risk_management_plan" },
+  "docs/risk/situations": { prefixes: ["HS-"], type: "hazardous_situation" },
+  "docs/risk/harms": { prefixes: ["HARM-"], type: "harm" },
+  "docs/risk/hazard-categories": { prefixes: ["HC-"], type: "hazard_category" },
+  // Software lifecycle — IEC 62304
+  "docs/software/plans": {
+    prefixes: ["DEV-PLAN-", "MAINT-PLAN-", "SDP-", "STP-"],
+    type: [
+      "software_development_plan",
+      "software_maintenance_plan",
+      "software_development_plan",
+      "software_test_plan"
+    ]
+  },
+  "docs/software/risks": {
+    prefixes: ["HAZ-SW-", "RISK-SW-"],
+    type: ["haz_soe_software", "software_risk"]
+  },
+  "docs/software/soup": { prefixes: ["SOUP-"], type: "soup_register" },
+  // Problem resolution — IEC 62304 §9
+  "docs/software/anomalies": { prefixes: ["ANOM-"], type: "anomaly" },
+  // Cybersecurity — IEC 81001-5-1
+  "docs/cybersecurity/plans": { prefixes: ["CSPLAN-"], type: "cybersecurity_plan" },
+  "docs/cybersecurity/risks": {
+    prefixes: ["HAZ-SEC-", "RISK-SEC-"],
+    type: ["haz_soe_security", "security_risk"]
+  },
+  "docs/cybersecurity/sbom": { prefixes: ["SBOM-"], type: "sbom" },
+  // Usability engineering — IEC 62366
+  "docs/usability": { prefixes: ["UEP-"], type: "usability_plan" },
+  "docs/usability/use-specifications": { prefixes: ["US-"], type: "use_specification" },
+  "docs/usability/task-analyses": { prefixes: ["TA-"], type: "task_analysis" },
+  "docs/usability/evaluations": {
+    prefixes: ["UE-", "SE-"],
+    type: ["usability_evaluation", "summative_evaluation"]
+  },
+  "docs/usability/risks": { prefixes: ["RISK-US-"], type: "usability_risk" },
+  // Clinical — MDR / FDA
+  "docs/clinical": {
+    prefixes: ["CEP-", "CER-"],
+    type: ["clinical_evaluation_plan", "clinical_evaluation_report"]
+  },
+  // Post-market surveillance — MDR Art. 83
+  "docs/post-market": { prefixes: ["PMS-"], type: "post_market_surveillance_plan" },
+  "docs/post-market/feedback": { prefixes: ["PMF-"], type: "post_market_feedback" },
+  // Change management — ISO 13485 §7.3.5
+  "docs/change/drm": { prefixes: ["DRM-"], type: "design_review" },
+  "docs/change/release-plans": { prefixes: ["RP-"], type: "release_plan" },
+  "docs/change/release-notes": { prefixes: ["RN-"], type: "release_notes" },
+  // Labeling — MDR Annex I
+  "docs/labeling": { prefixes: ["LBL-"], type: "labeling" },
+  // QMS documents
+  "docs/policies": { prefixes: ["POL-"], type: "policy" },
+  "docs/sops": { prefixes: ["SOP-"], type: "sop" },
+  "docs/work-instructions": { prefixes: ["WI-"], type: "work_instruction" },
+  // Internal audit management (ISO 13485 §8.2.2)
+  "docs/audits/schedules": { prefixes: ["AUD-SCH-"], type: "audit_schedule" },
+  "docs/audits/reports": { prefixes: ["AUD-RPT-"], type: "audit_report" },
+  // Management review (ISO 13485 §5.6)
+  "docs/management-reviews": { prefixes: ["MR-"], type: "management_review" },
+  // Supplier management (ISO 13485 §7.4)
+  "docs/suppliers": { prefixes: ["SUP-"], type: "supplier" }
+};
+var JSON_SBOM_FOLDERS = ["docs/cybersecurity/sbom"];
+var NON_REGULATED_FOLDERS = ["docs/compliance", "docs/user-guide", "docs/legal"];
+function normalizePath(path2) {
+  return path2.toLowerCase().replace(/\\/g, "/");
+}
+function extractFolder(filePath) {
+  const normalized = normalizePath(filePath);
+  const parts = normalized.split("/");
+  parts.pop();
+  return parts.join("/");
+}
+function findFolderRule(filePath) {
+  const folder = extractFolder(filePath);
+  if (FOLDER_RULES[folder]) {
+    return { rule: FOLDER_RULES[folder], folder };
+  }
+  const parts = folder.split("/");
+  while (parts.length > 0) {
+    const partial = parts.join("/");
+    if (FOLDER_RULES[partial]) {
+      return { rule: FOLDER_RULES[partial], folder: partial };
+    }
+    parts.pop();
+  }
+  return null;
+}
+function inferDocumentType(filePath, documentId) {
+  const match = findFolderRule(filePath);
+  if (!match) {
+    return null;
+  }
+  const { rule } = match;
+  if (typeof rule.type === "string") {
+    return {
+      docType: rule.type,
+      category: rule.category
+    };
+  }
+  const prefixIndex = rule.prefixes.findIndex(
+    (prefix) => documentId.toUpperCase().startsWith(prefix.toUpperCase())
+  );
+  if (prefixIndex === -1) {
+    return {
+      docType: rule.type[0],
+      category: rule.category
+    };
+  }
+  return {
+    docType: rule.type[prefixIndex],
+    category: rule.category
+  };
+}
+
+// src/validate-document.ts
+function validateDocument(content, filePath) {
+  const errors = [];
+  const warnings = [];
+  let documentId = null;
+  let docType = null;
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  let frontmatter;
+  let body;
+  try {
+    const parsed = matter(content);
+    if (!parsed.data || Object.keys(parsed.data).length === 0) {
+      if (!content.trimStart().startsWith("---")) {
+        return {
+          path: normalizedPath,
+          documentId: null,
+          docType: null,
+          errors: [{ code: "missing_frontmatter", message: "File has no YAML frontmatter block" }],
+          warnings: []
+        };
+      }
+    }
+    frontmatter = parsed.data;
+    body = parsed.content;
+  } catch {
+    return {
+      path: normalizedPath,
+      documentId: null,
+      docType: null,
+      errors: [{ code: "missing_frontmatter", message: "Failed to parse YAML frontmatter" }],
+      warnings: []
+    };
+  }
+  if (!frontmatter.id || typeof frontmatter.id !== "string" || frontmatter.id.trim() === "") {
+    return {
+      path: normalizedPath,
+      documentId: null,
+      docType: null,
+      errors: [{ code: "missing_id", message: "Frontmatter exists but lacks `id` field" }],
+      warnings: []
+    };
+  }
+  documentId = frontmatter.id;
+  const ruleMatch = findFolderRule(normalizedPath);
+  if (!ruleMatch) {
+    return {
+      path: normalizedPath,
+      documentId,
+      docType: null,
+      errors: [
+        {
+          code: "unknown_type",
+          message: `File is in a folder not matched by any FOLDER_RULES entry: ${normalizedPath}`
+        }
+      ],
+      warnings: []
+    };
+  }
+  const { rule } = ruleMatch;
+  const prefixMatches = rule.prefixes.some(
+    (prefix) => documentId.toUpperCase().startsWith(prefix.toUpperCase())
+  );
+  if (!prefixMatches) {
+    errors.push({
+      code: "invalid_prefix",
+      message: `ID "${documentId}" does not match expected prefixes for this folder: ${rule.prefixes.join(", ")}`
+    });
+  }
+  const typeResult = inferDocumentType(normalizedPath, documentId);
+  if (typeResult) {
+    docType = typeResult.docType;
+  }
+  if (docType) {
+    const schema = SCHEMA_MAP[docType];
+    if (schema) {
+      const parseResult = schema.safeParse(frontmatter);
+      if (!parseResult.success) {
+        for (const issue of parseResult.error.issues) {
+          errors.push({
+            code: "invalid_frontmatter",
+            message: issue.message,
+            field: issue.path.join(".")
+          });
+        }
+      }
+    }
+  }
+  if (docType) {
+    let requiredSections = [];
+    if (docType === "requirement") {
+      const format = frontmatter.format;
+      if (format === "user_story") {
+        requiredSections = ["User Story", "Acceptance Criteria"];
+      } else {
+        requiredSections = ["Requirements", "Verification Criteria"];
+      }
+    } else {
+      const sections = REQUIRED_SECTIONS[docType];
+      if (sections) {
+        requiredSections = sections;
+      }
+    }
+    const h2Headings = body.split("\n").filter((line) => line.startsWith("## ")).map((line) => line.slice(3).trim().toLowerCase());
+    for (const required of requiredSections) {
+      const found = h2Headings.some((h) => h.includes(required.toLowerCase()));
+      if (!found) {
+        warnings.push({
+          code: "missing_section",
+          message: `Missing required section: ${required}`
+        });
+      }
+    }
+  }
+  return { path: normalizedPath, documentId, docType, errors, warnings };
+}
+
+// src/validate-directory.ts
+function validateDirectory(dirPath, options) {
+  const absoluteDir = path.resolve(dirPath);
+  const repoRoot = path.basename(absoluteDir) === "docs" ? path.dirname(absoluteDir) : absoluteDir;
+  const results = [];
+  const orphanFolders = [];
+  const strayFiles = [];
+  const seenFolders = /* @__PURE__ */ new Set();
+  const excludeList = options?.exclude ?? [];
+  function walk(dir2) {
+    let entries;
+    try {
+      entries = fs.readdirSync(dir2, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const fullPath = path.join(dir2, entry.name);
+      try {
+        if (fs.lstatSync(fullPath).isSymbolicLink()) continue;
+      } catch {
+        continue;
+      }
+      if (entry.isDirectory()) {
+        walk(fullPath);
+      } else if (entry.isFile()) {
+        const repoRelative = path.relative(repoRoot, fullPath).replace(/\\/g, "/");
+        if (excludeList.some((ex) => repoRelative.startsWith(ex))) continue;
+        if (NON_REGULATED_FOLDERS.some((nr) => repoRelative.startsWith(nr))) continue;
+        const folder = path.dirname(repoRelative).replace(/\\/g, "/");
+        seenFolders.add(folder);
+        if (entry.name.endsWith(".md")) {
+          if (entry.name.toLowerCase() === "readme.md") continue;
+          const content = fs.readFileSync(fullPath, "utf-8");
+          results.push(validateDocument(content, repoRelative));
+        } else {
+          const folderRule = findFolderRule(repoRelative);
+          if (folderRule) {
+            const isJsonInSbomFolder = entry.name.endsWith(".json") && JSON_SBOM_FOLDERS.some((sbomFolder) => repoRelative.startsWith(sbomFolder));
+            if (!isJsonInSbomFolder) {
+              strayFiles.push(repoRelative);
+            }
+          }
+        }
+      }
+    }
+  }
+  walk(absoluteDir);
+  for (const folder of seenFolders) {
+    if (folder.startsWith("docs/") || folder === "docs") {
+      const rule = findFolderRule(folder + "/dummy.md");
+      if (!rule && folder !== "docs") {
+        orphanFolders.push(folder);
+      }
+    }
+  }
+  const failed = results.filter((r) => r.errors.length > 0).length;
+  const withWarnings = results.filter((r) => r.warnings.length > 0).length;
+  const summary = {
+    total: results.length,
+    passed: results.length - failed,
+    failed,
+    warnings: withWarnings
+  };
+  return { results, summary, orphanFolders, strayFiles };
+}
+
+// src/cli.ts
+var args = process.argv.slice(2);
+var dir = args.find((a) => !a.startsWith("-")) ?? "docs/";
+var exclude = args.filter((a) => a.startsWith("--exclude=")).map((a) => a.slice(a.indexOf("=") + 1));
+var result = validateDirectory(dir, { exclude });
+console.log(JSON.stringify(result, null, 2));
+process.exit(result.summary.failed > 0 ? 1 : 0);