@pactosigna/schemas 0.1.0

package/dist/index.js

@@ -0,0 +1,1156 @@
+// ../shared/dist/schemas/index.js
+import { z as z20 } from "zod";
+
+// ../shared/dist/schemas/risk.js
+import { z } from "zod";
+var RiskDocumentStatusSchema = z.enum([
+  "draft",
+  "in_review",
+  "approved",
+  "effective",
+  "archived",
+  "example"
+]);
+var MitigationTargetSchema = z.enum([
+  "sequence_probability",
+  "harm_probability",
+  "severity"
+]);
+var RiskGapCodeSchema = z.enum([
+  "hazard_no_situation",
+  "situation_no_harm",
+  "hazard_not_analyzed",
+  "missing_mitigation",
+  "broken_mitigation_link",
+  "control_not_approved",
+  "missing_risk_benefit",
+  "severity_mismatch",
+  "probability_mismatch",
+  "missing_frontmatter"
+]);
+var RiskGapSeveritySchema = z.enum(["error", "warning"]);
+var MitigationSchema = z.object({
+  control: z.string().min(1),
+  reduces: MitigationTargetSchema
+});
+var RiskEntryFrontmatterSchema = z.object({
+  type: z.enum(["software_risk", "usability_risk", "security_risk"]),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  analyzes: z.string().min(1),
+  hazardous_situation: z.string().min(1),
+  harm: z.string().min(1),
+  inherent_severity: z.number().int().min(1).max(5),
+  inherent_probability: z.number().int().min(1).max(5).optional(),
+  inherent_exploitability: z.number().int().min(1).max(5).optional(),
+  mitigations: z.array(MitigationSchema).optional(),
+  residual_severity: z.number().int().min(1).max(5).optional(),
+  residual_probability: z.number().int().min(1).max(5).optional(),
+  residual_exploitability: z.number().int().min(1).max(5).optional()
+});
+var HazardFrontmatterSchema = z.object({
+  type: z.enum(["haz_soe_software", "haz_soe_security"]),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  leads_to: z.array(z.string()).optional(),
+  // sFMEA fields
+  failure_mode: z.string().optional(),
+  cause: z.string().optional(),
+  detection_method: z.string().optional(),
+  // STRIDE fields
+  threat_category: z.string().optional(),
+  attack_vector: z.string().optional()
+});
+var HazardousSituationFrontmatterSchema = z.object({
+  type: z.literal("hazardous_situation"),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  probability: z.number().int().min(1).max(5),
+  results_in: z.array(z.string()).optional()
+});
+var HarmFrontmatterSchema = z.object({
+  type: z.literal("harm"),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  severity: z.number().int().min(1).max(5),
+  category: z.string().optional()
+});
+var RiskMatrixConfigSchema = z.object({
+  version: z.number(),
+  labels: z.object({
+    severity: z.array(z.string()).length(5),
+    probability: z.array(z.string()).length(5),
+    exploitability: z.array(z.string()).length(5).optional()
+  }),
+  acceptability: z.object({
+    unacceptable: z.array(z.tuple([z.number(), z.number()])),
+    review_required: z.array(z.tuple([z.number(), z.number()])).optional()
+  }),
+  overrides: z.record(z.object({
+    unacceptable: z.array(z.tuple([z.number(), z.number()])),
+    review_required: z.array(z.tuple([z.number(), z.number()])).optional()
+  })).optional()
+});
+
+// ../shared/dist/schemas/usability.js
+import { z as z2 } from "zod";
+var UsabilityPlanFrontmatterSchema = z2.object({
+  type: z2.literal("usability_plan"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z2.string().optional(),
+  reviewers: z2.array(z2.string()).optional(),
+  approvers: z2.array(z2.string()).optional()
+});
+var UseSpecificationFrontmatterSchema = z2.object({
+  type: z2.literal("use_specification"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  user_group: z2.string().min(1),
+  author: z2.string().optional(),
+  reviewers: z2.array(z2.string()).optional(),
+  approvers: z2.array(z2.string()).optional()
+});
+var TaskAnalysisFrontmatterSchema = z2.object({
+  type: z2.literal("task_analysis"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  user_group: z2.string().min(1),
+  critical_task: z2.boolean(),
+  max_harm_severity: z2.number().int().min(1).max(5).optional(),
+  author: z2.string().optional(),
+  reviewers: z2.array(z2.string()).optional(),
+  approvers: z2.array(z2.string()).optional()
+});
+var UsabilityEvaluationFrontmatterSchema = z2.object({
+  type: z2.literal("usability_evaluation"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  result: z2.enum(["pass", "fail", "pass_with_findings"]).optional(),
+  author: z2.string().optional(),
+  reviewers: z2.array(z2.string()).optional(),
+  approvers: z2.array(z2.string()).optional()
+});
+var SummativeEvaluationFrontmatterSchema = z2.object({
+  type: z2.literal("summative_evaluation"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  result: z2.enum(["pass", "fail", "pass_with_findings"]).optional(),
+  author: z2.string().optional(),
+  reviewers: z2.array(z2.string()).optional(),
+  approvers: z2.array(z2.string()).optional()
+});
+
+// ../shared/dist/schemas/risk-management-plan.js
+import { z as z3 } from "zod";
+var RiskManagementPlanFrontmatterSchema = z3.object({
+  type: z3.literal("risk_management_plan"),
+  id: z3.string().min(1),
+  title: z3.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z3.string().optional(),
+  reviewers: z3.array(z3.string()).optional(),
+  approvers: z3.array(z3.string()).optional()
+});
+
+// ../shared/dist/schemas/software-lifecycle.js
+import { z as z4 } from "zod";
+var SoftwareDevelopmentPlanFrontmatterSchema = z4.object({
+  type: z4.literal("software_development_plan"),
+  id: z4.string().min(1),
+  title: z4.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z4.string().optional(),
+  reviewers: z4.array(z4.string()).optional(),
+  approvers: z4.array(z4.string()).optional()
+});
+var SoftwareMaintenancePlanFrontmatterSchema = z4.object({
+  type: z4.literal("software_maintenance_plan"),
+  id: z4.string().min(1),
+  title: z4.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z4.string().optional(),
+  reviewers: z4.array(z4.string()).optional(),
+  approvers: z4.array(z4.string()).optional()
+});
+var SoupRegisterFrontmatterSchema = z4.object({
+  type: z4.literal("soup_register"),
+  id: z4.string().min(1),
+  title: z4.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z4.string().optional(),
+  reviewers: z4.array(z4.string()).optional(),
+  approvers: z4.array(z4.string()).optional()
+});
+
+// ../shared/dist/schemas/anomaly.js
+import { z as z5 } from "zod";
+var AnomalyCategorySchema = z5.enum([
+  "bug",
+  "security_vulnerability",
+  "regression",
+  "performance"
+]);
+var AnomalySeveritySchema = z5.enum(["critical", "major", "minor"]);
+var AnomalyDispositionSchema = z5.enum([
+  "open",
+  "investigating",
+  "resolved",
+  "deferred",
+  "will_not_fix"
+]);
+var AnomalyFrontmatterSchema = z5.object({
+  type: z5.literal("anomaly"),
+  id: z5.string().min(1),
+  title: z5.string().min(1),
+  status: RiskDocumentStatusSchema,
+  category: AnomalyCategorySchema,
+  severity: AnomalySeveritySchema,
+  disposition: AnomalyDispositionSchema,
+  affected_version: z5.string().optional(),
+  author: z5.string().optional(),
+  reviewers: z5.array(z5.string()).optional(),
+  approvers: z5.array(z5.string()).optional()
+});
+
+// ../shared/dist/schemas/cybersecurity.js
+import { z as z6 } from "zod";
+var CybersecurityPlanFrontmatterSchema = z6.object({
+  type: z6.literal("cybersecurity_plan"),
+  id: z6.string().min(1),
+  title: z6.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z6.string().optional(),
+  reviewers: z6.array(z6.string()).optional(),
+  approvers: z6.array(z6.string()).optional()
+});
+var SbomFrontmatterSchema = z6.object({
+  type: z6.literal("sbom"),
+  id: z6.string().min(1),
+  title: z6.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z6.string().optional(),
+  reviewers: z6.array(z6.string()).optional(),
+  approvers: z6.array(z6.string()).optional()
+});
+
+// ../shared/dist/schemas/clinical.js
+import { z as z7 } from "zod";
+var ClinicalEvaluationPlanFrontmatterSchema = z7.object({
+  type: z7.literal("clinical_evaluation_plan"),
+  id: z7.string().min(1),
+  title: z7.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z7.string().optional(),
+  reviewers: z7.array(z7.string()).optional(),
+  approvers: z7.array(z7.string()).optional()
+});
+var ClinicalEvaluationReportFrontmatterSchema = z7.object({
+  type: z7.literal("clinical_evaluation_report"),
+  id: z7.string().min(1),
+  title: z7.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z7.string().optional(),
+  reviewers: z7.array(z7.string()).optional(),
+  approvers: z7.array(z7.string()).optional()
+});
+
+// ../shared/dist/schemas/post-market.js
+import { z as z8 } from "zod";
+var PostMarketSurveillancePlanFrontmatterSchema = z8.object({
+  type: z8.literal("post_market_surveillance_plan"),
+  id: z8.string().min(1),
+  title: z8.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z8.string().optional(),
+  reviewers: z8.array(z8.string()).optional(),
+  approvers: z8.array(z8.string()).optional()
+});
+var PostMarketFeedbackCategorySchema = z8.enum([
+  "complaint",
+  "field_observation",
+  "clinical_followup",
+  "trend_report"
+]);
+var PostMarketFeedbackSeveritySchema = z8.enum(["low", "medium", "high", "critical"]);
+var PostMarketFeedbackFrontmatterSchema = z8.object({
+  type: z8.literal("post_market_feedback"),
+  id: z8.string().min(1),
+  title: z8.string().min(1),
+  status: RiskDocumentStatusSchema,
+  category: PostMarketFeedbackCategorySchema,
+  severity: PostMarketFeedbackSeveritySchema,
+  device: z8.string().optional(),
+  reporting_period: z8.string().optional(),
+  author: z8.string().optional(),
+  reviewers: z8.array(z8.string()).optional(),
+  approvers: z8.array(z8.string()).optional()
+});
+
+// ../shared/dist/schemas/labeling.js
+import { z as z9 } from "zod";
+var LabelingFrontmatterSchema = z9.object({
+  type: z9.literal("labeling"),
+  id: z9.string().min(1),
+  title: z9.string().min(1),
+  status: RiskDocumentStatusSchema,
+  label_type: z9.enum(["ifu", "product_label", "packaging_label"]).optional(),
+  author: z9.string().optional(),
+  reviewers: z9.array(z9.string()).optional(),
+  approvers: z9.array(z9.string()).optional()
+});
+
+// ../shared/dist/schemas/product.js
+import { z as z10 } from "zod";
+var ProductDevelopmentPlanFrontmatterSchema = z10.object({
+  type: z10.literal("product_development_plan"),
+  id: z10.string().min(1),
+  title: z10.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z10.string().optional(),
+  reviewers: z10.array(z10.string()).optional(),
+  approvers: z10.array(z10.string()).optional()
+});
+var IntendedUseFrontmatterSchema = z10.object({
+  type: z10.literal("intended_use"),
+  id: z10.string().min(1),
+  title: z10.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z10.string().optional(),
+  reviewers: z10.array(z10.string()).optional(),
+  approvers: z10.array(z10.string()).optional()
+});
+
+// ../shared/dist/schemas/user-need.js
+import { z as z11 } from "zod";
+var UserNeedPrioritySchema = z11.enum(["must_have", "should_have", "nice_to_have"]);
+var UserNeedFrontmatterSchema = z11.object({
+  id: z11.string().min(1),
+  title: z11.string().min(1),
+  status: RiskDocumentStatusSchema,
+  /** Validated if present — ensures frontmatter doesn't misidentify the document type */
+  type: z11.literal("user_need").optional(),
+  /** The user role or stakeholder (e.g., "Quality Manager", "Developer") */
+  stakeholder: z11.string().optional(),
+  /** MoSCoW priority classification */
+  priority: UserNeedPrioritySchema.optional(),
+  /** Where this need originated (e.g., "ISO 13485 §7.3", "user interview") */
+  source: z11.string().optional(),
+  /** IDs of product requirements derived from this need */
+  derives: z11.array(z11.string()).optional(),
+  author: z11.string().optional(),
+  reviewers: z11.array(z11.string()).optional(),
+  approvers: z11.array(z11.string()).optional()
+});
+
+// ../shared/dist/schemas/requirement.js
+import { z as z12 } from "zod";
+var RequirementTypeSchema = z12.enum([
+  "functional",
+  "interface",
+  "performance",
+  "security",
+  "usability",
+  "safety",
+  "regulatory"
+]);
+var RequirementFormatSchema = z12.enum(["standard", "user_story"]);
+var RequirementFulfillmentTypeSchema = z12.enum([
+  "software",
+  "labeling",
+  "clinical",
+  "usability",
+  "regulatory_doc",
+  "process"
+]);
+var RequirementFrontmatterSchema = z12.object({
+  id: z12.string().min(1),
+  title: z12.string().min(1),
+  status: RiskDocumentStatusSchema,
+  /** IEC 62304 §5.2.2 — requirement classification (required for SRS, optional for PRS) */
+  req_type: RequirementTypeSchema.optional(),
+  /** Authoring convention — controls which required sections are checked */
+  format: RequirementFormatSchema.optional(),
+  /** ISO 13485 §7.3.3 — how this PRS design input is fulfilled (PRS only, defaults to 'software') */
+  fulfillment_type: RequirementFulfillmentTypeSchema.optional(),
+  author: z12.string().optional(),
+  reviewers: z12.array(z12.string()).optional(),
+  approvers: z12.array(z12.string()).optional()
+});
+
+// ../shared/dist/schemas/test-documents.js
+import { z as z13 } from "zod";
+var TestProtocolFrontmatterSchema = z13.object({
+  type: z13.literal("test_protocol"),
+  id: z13.string().min(1),
+  title: z13.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z13.string().optional(),
+  reviewers: z13.array(z13.string()).optional(),
+  approvers: z13.array(z13.string()).optional()
+});
+var TestPhaseSchema = z13.enum(["verification", "production"]);
+var TestReportFrontmatterSchema = z13.object({
+  type: z13.literal("test_report"),
+  id: z13.string().min(1),
+  title: z13.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z13.string().optional(),
+  reviewers: z13.array(z13.string()).optional(),
+  approvers: z13.array(z13.string()).optional(),
+  release_version: z13.string().optional(),
+  test_phase: TestPhaseSchema.optional()
+});
+
+// ../shared/dist/schemas/repo-config.js
+import { z as z14 } from "zod";
+var ReleaseReviewConfigSchema = z14.object({
+  required_departments: z14.array(z14.string().min(1)).min(1),
+  final_approver: z14.string().min(1)
+});
+var RepoConfigSchema = z14.object({
+  device: z14.object({
+    name: z14.string().min(1),
+    safety_class: z14.enum(["A", "B", "C"]),
+    classification: z14.object({
+      eu: z14.string().optional(),
+      us: z14.string().optional()
+    }).optional(),
+    udi_device_identifier: z14.string().optional()
+  }),
+  release_review: ReleaseReviewConfigSchema.optional()
+});
+
+// ../shared/dist/schemas/qms-device.js
+import { z as z15 } from "zod";
+var OwnerTypeSchema = z15.enum(["qms", "device"]);
+var DocumentSnapshotSchema = z15.object({
+  documentId: z15.string(),
+  commitSha: z15.string(),
+  documentPath: z15.string(),
+  documentTitle: z15.string(),
+  documentType: z15.string(),
+  previousReleasedCommitSha: z15.string().optional(),
+  changeType: z15.enum(["added", "modified", "unchanged"]),
+  changeDescription: z15.string().optional()
+});
+var QmsDocumentTypeSchema = z15.enum(["sop", "policy", "work_instruction"]);
+var DeviceDocumentTypeSchema = z15.enum([
+  "user_need",
+  "requirement",
+  "architecture",
+  "detailed_design",
+  "test_protocol",
+  "test_report",
+  "usability_risk",
+  "software_risk",
+  "security_risk",
+  "hazardous_situation",
+  "harm",
+  "haz_soe_software",
+  "haz_soe_security",
+  // Usability engineering (IEC 62366)
+  "usability_plan",
+  "use_specification",
+  "task_analysis",
+  "usability_evaluation",
+  "summative_evaluation",
+  // Risk management (ISO 14971)
+  "risk_management_plan",
+  // Software lifecycle (IEC 62304)
+  "software_development_plan",
+  "software_maintenance_plan",
+  "soup_register",
+  // Problem resolution (IEC 62304 §9)
+  "anomaly",
+  // Cybersecurity (IEC 81001-5-1)
+  "cybersecurity_plan",
+  "sbom",
+  // Clinical (MDR / FDA)
+  "clinical_evaluation_plan",
+  "clinical_evaluation_report",
+  // Post-market surveillance (MDR Art. 83)
+  "post_market_surveillance_plan",
+  "post_market_feedback",
+  // Labeling (MDR Annex I)
+  "labeling",
+  // Product (ISO 13485 §7.3)
+  "product_development_plan",
+  "intended_use",
+  // Release management (IEC 62304 §5.7)
+  "release_plan",
+  // Change management (ISO 13485 §7.3.5)
+  "design_review",
+  "release_notes"
+]);
+
+// ../shared/dist/schemas/change-management.js
+import { z as z16 } from "zod";
+var ReleasePlanFrontmatterSchema = z16.object({
+  id: z16.string().min(1),
+  title: z16.string().min(1),
+  type: z16.literal("release_plan").optional(),
+  status: z16.string().optional(),
+  author: z16.string().optional(),
+  reviewers: z16.array(z16.string()).optional(),
+  approvers: z16.array(z16.string()).optional(),
+  version: z16.string().optional(),
+  target_date: z16.string().optional()
+});
+var DesignReviewFrontmatterSchema = z16.object({
+  id: z16.string().min(1),
+  title: z16.string().min(1),
+  type: z16.literal("design_review").optional(),
+  status: z16.string().optional(),
+  author: z16.string().optional(),
+  reviewers: z16.array(z16.string()).optional(),
+  approvers: z16.array(z16.string()).optional(),
+  /** Optional link to a Release Plan document (e.g. "RP-001") */
+  release_plan: z16.string().optional()
+});
+var ReleaseNotesAudienceSchema = z16.enum(["customer", "technical"]);
+var ReleaseNotesFrontmatterSchema = z16.object({
+  id: z16.string().min(1),
+  title: z16.string().min(1),
+  type: z16.literal("release_notes").optional(),
+  status: RiskDocumentStatusSchema,
+  author: z16.string().optional(),
+  reviewers: z16.array(z16.string()).optional(),
+  approvers: z16.array(z16.string()).optional(),
+  audience: ReleaseNotesAudienceSchema,
+  release_version: z16.string().min(1)
+});
+
+// ../shared/dist/schemas/retention-policy.js
+import { z as z17 } from "zod";
+var RetentionPolicySchema = z17.object({
+  /** Default retention period in years for all record types */
+  defaultPeriodYears: z17.number().int().min(1).max(30).default(10),
+  /**
+   * Optional per-record-type overrides (e.g., { "release": 15, "signature": 20 }).
+   * Keys are record type identifiers; values are retention periods in years.
+   */
+  byRecordType: z17.record(z17.string(), z17.number().int().min(1).max(30)).optional()
+});
+function isWithinRetentionPeriod(createdAt, retentionYears, now = /* @__PURE__ */ new Date()) {
+  const retentionEnd = new Date(createdAt);
+  retentionEnd.setFullYear(retentionEnd.getFullYear() + retentionYears);
+  return now < retentionEnd;
+}
+function getEffectiveRetentionYears(policy, recordType) {
+  const DEFAULT_RETENTION_YEARS = 10;
+  if (!policy) {
+    return DEFAULT_RETENTION_YEARS;
+  }
+  return policy.byRecordType?.[recordType] ?? policy.defaultPeriodYears;
+}
+
+// ../shared/dist/schemas/audit.js
+import { z as z18 } from "zod";
+var AuditFindingClassificationSchema = z18.enum(["observation", "minor_nc", "major_nc"]);
+var AuditStatusSchema = z18.enum(["planned", "in_progress", "completed", "cancelled"]);
+var PlannedAuditEntrySchema = z18.object({
+  audit_id: z18.string().min(1),
+  process_area: z18.string().min(1),
+  clause: z18.string().optional(),
+  planned_date: z18.string().min(1),
+  auditor: z18.string().min(1),
+  status: AuditStatusSchema
+});
+var AuditScheduleFrontmatterSchema = z18.object({
+  id: z18.string().min(1),
+  title: z18.string().min(1),
+  type: z18.literal("audit_schedule").optional(),
+  status: z18.string().optional(),
+  author: z18.string().optional(),
+  reviewers: z18.array(z18.string()).optional(),
+  approvers: z18.array(z18.string()).optional(),
+  cycle_year: z18.number().int().min(2e3).max(2100),
+  audits: z18.array(PlannedAuditEntrySchema).min(1)
+});
+var AuditFindingSchema = z18.object({
+  finding_id: z18.string().min(1),
+  classification: AuditFindingClassificationSchema,
+  description: z18.string().min(1),
+  capa_id: z18.string().optional()
+});
+var AuditReportFrontmatterSchema = z18.object({
+  id: z18.string().min(1),
+  title: z18.string().min(1),
+  type: z18.literal("audit_report").optional(),
+  status: z18.string().optional(),
+  author: z18.string().optional(),
+  reviewers: z18.array(z18.string()).optional(),
+  approvers: z18.array(z18.string()).optional(),
+  audit_date: z18.string().min(1),
+  audit_id: z18.string().optional(),
+  process_area: z18.string().min(1),
+  clause: z18.string().optional(),
+  auditor: z18.string().min(1),
+  findings: z18.array(AuditFindingSchema),
+  findings_major: z18.number().int().min(0).optional(),
+  findings_minor: z18.number().int().min(0).optional(),
+  findings_observations: z18.number().int().min(0).optional()
+});
+
+// ../shared/dist/schemas/management-review.js
+import { z as z19 } from "zod";
+var ManagementReviewAttendeeSchema = z19.object({
+  name: z19.string().min(1),
+  role: z19.string().min(1)
+});
+var ManagementReviewFrontmatterSchema = z19.object({
+  id: z19.string().min(1),
+  title: z19.string().min(1),
+  type: z19.literal("management_review").optional(),
+  version: z19.string().optional(),
+  status: z19.enum(["draft", "scheduled", "completed"]).optional(),
+  review_date: z19.string().min(1),
+  review_period: z19.object({
+    from: z19.string().min(1),
+    to: z19.string().min(1)
+  }),
+  attendees: z19.array(ManagementReviewAttendeeSchema).min(1),
+  data_snapshot_date: z19.string().optional(),
+  next_review_date: z19.string().optional()
+});
+
+// ../shared/dist/schemas/index.js
+var RegulatoryFrameworkSchema = z20.enum(["ISO_13485", "IEC_62304", "FDA_21_CFR_820"]);
+var SafetyClassSchema = z20.enum(["A", "B", "C"]);
+var DocumentTypeSchema = z20.enum([
+  "user_need",
+  "requirement",
+  "architecture",
+  "detailed_design",
+  "test_protocol",
+  "test_report",
+  "sop",
+  "work_instruction",
+  "policy",
+  "usability_risk",
+  "software_risk",
+  "security_risk",
+  // Risk document types
+  "haz_soe_software",
+  "haz_soe_security",
+  "hazardous_situation",
+  "harm",
+  // Usability engineering (IEC 62366)
+  "usability_plan",
+  "use_specification",
+  "task_analysis",
+  "usability_evaluation",
+  "summative_evaluation",
+  // Risk management (ISO 14971)
+  "risk_management_plan",
+  // Software lifecycle (IEC 62304)
+  "software_development_plan",
+  "software_maintenance_plan",
+  "soup_register",
+  // Problem resolution (IEC 62304 §9)
+  "anomaly",
+  // Cybersecurity (IEC 81001-5-1)
+  "cybersecurity_plan",
+  "sbom",
+  // Clinical (MDR / FDA)
+  "clinical_evaluation_plan",
+  "clinical_evaluation_report",
+  // Post-market surveillance (MDR Art. 83)
+  "post_market_surveillance_plan",
+  "post_market_feedback",
+  // Labeling (MDR Annex I)
+  "labeling",
+  // Product (ISO 13485 §7.3)
+  "product_development_plan",
+  "intended_use",
+  // Release management (IEC 62304 §5.7)
+  "release_plan",
+  // Change management (ISO 13485 §7.3.5)
+  "design_review",
+  "release_notes",
+  // Supplier management (ISO 13485 §7.4)
+  "supplier",
+  // Internal audit management (ISO 13485 §8.2.2)
+  "audit_schedule",
+  "audit_report",
+  // Management review (ISO 13485 §5.6)
+  "management_review",
+  // Report document types
+  "report"
+]);
+var DocumentStatusSchema = z20.enum([
+  "draft",
+  "in_review",
+  "approved",
+  "obsolete",
+  "example"
+]);
+var LinkTypeSchema = z20.enum([
+  "derives_from",
+  "implements",
+  "verified_by",
+  "mitigates",
+  "parent_of",
+  "related_to",
+  // New risk link types
+  "leads_to",
+  "results_in",
+  "analyzes"
+]);
+var AcceptabilityStatusSchema = z20.enum(["acceptable", "review_required", "unacceptable"]);
+var MemberRoleSchema = z20.enum(["admin", "member"]);
+var MemberStatusSchema = z20.enum(["active", "suspended", "removed"]);
+var EmailAddressSchema = z20.object({
+  value: z20.string().email(),
+  verified: z20.boolean()
+});
+var ReviewerRuleSchema = z20.object({
+  documentType: DocumentTypeSchema,
+  requiredDepartments: z20.array(z20.string()),
+  finalApproverDepartment: z20.string()
+});
+var SyncStatusSchema = z20.enum(["active", "paused", "error"]);
+var AuditActionSchema = z20.enum([
+  "organization.created",
+  "organization.settings_updated",
+  "organization.checklist_template_updated",
+  "member.invited",
+  "member.invite_declined",
+  "member.joined",
+  "member.role_changed",
+  "member.removed",
+  "member.password_reset_forced",
+  "repository.connected",
+  "repository.disconnected",
+  "repository.sync_triggered",
+  "repository.updated",
+  "repository.assigned",
+  "repository.unassigned",
+  "document.synced",
+  "document.removed",
+  "release.created",
+  "release.updated",
+  "release.deleted",
+  "release.withdrawn",
+  "release.submitted_for_review",
+  "release.signature_added",
+  "release.approved",
+  "release.published",
+  "release.checklist_updated",
+  "release.signing_obligations_rederived",
+  "signature.created",
+  "signature.attempt_failed",
+  "signature.lockout_triggered",
+  "signing_request.created",
+  "signing_request.sent",
+  "signing_request.viewed",
+  "signing_request.signed",
+  "signing_request.declined",
+  "signing_request.cancelled",
+  "signing_request.expired",
+  "signing_request.reminded",
+  "training.assigned",
+  "training.completed",
+  "training.settings_updated",
+  "training.quiz_submitted",
+  "training.quiz_passed",
+  "training.quiz_failed",
+  "training.overdue_notified",
+  "change_control.created",
+  "change_control.updated",
+  "change_control.deleted",
+  "change_control.submitted",
+  "change_control.approved",
+  "change_control.effective",
+  "dco.created",
+  "dco.updated",
+  "dco.deleted",
+  "dco.submitted",
+  "dco.obligation_fulfilled",
+  "dco.approved",
+  "dco.effective",
+  "design_review.created",
+  "design_review.updated",
+  "design_review.deleted",
+  "design_review.submitted",
+  "design_review.signature_added",
+  "design_review.signed",
+  "design_review.cancelled",
+  "capa.created",
+  "capa.updated",
+  "capa.deleted",
+  "capa.investigation_started",
+  "capa.implementation_started",
+  "capa.verification_started",
+  "capa.closed",
+  "capa.cancelled",
+  "capa.action_added",
+  "capa.action_updated",
+  "capa.action_removed",
+  "nc.created",
+  "nc.updated",
+  "nc.deleted",
+  "nc.investigation_started",
+  "nc.disposition_set",
+  "nc.concession_approved",
+  "nc.closed",
+  "nc.cancelled",
+  "nc.escalated_to_capa"
+]);
+var ResourceTypeSchema = z20.enum([
+  "organization",
+  "member",
+  "invite",
+  "repository",
+  "document",
+  "release",
+  "signature",
+  "training",
+  "training_task",
+  "training_settings",
+  "change_control",
+  "dco",
+  "design_review",
+  "signing_request",
+  "capa",
+  "nonconformance"
+]);
+var ReleaseTypeSchema = z20.enum(["qms", "device", "combined"]);
+var ReleaseStatusSchema = z20.enum(["draft", "in_review", "approved", "published"]);
+var SignatureTypeSchema = z20.enum(["author", "dept_reviewer", "final_approver", "trainee"]);
+var ChangeTypeSchema = z20.enum(["added", "modified", "deleted"]);
+var SigningRequestStatusSchema = z20.enum([
+  "sent",
+  "partially_signed",
+  "completed",
+  "expired",
+  "cancelled"
+]);
+var SignerStatusSchema = z20.enum(["pending", "viewed", "signed", "declined"]);
+var FieldTypeSchema = z20.enum(["signature", "initials", "date"]);
+
+// ../shared/dist/constants/risk-matrix.js
+var RISK_DOCUMENT_TYPES = [
+  "software_risk",
+  "usability_risk",
+  "security_risk"
+];
+var HAZARD_DOCUMENT_TYPES = ["haz_soe_software", "haz_soe_security"];
+var ALL_RISK_RELATED_DOCUMENT_TYPES = [
+  ...RISK_DOCUMENT_TYPES,
+  ...HAZARD_DOCUMENT_TYPES,
+  "hazardous_situation",
+  "harm"
+];
+
+// ../shared/dist/constants/document-types.js
+var QMS_DOCUMENT_TYPES = [
+  "sop",
+  "policy",
+  "work_instruction",
+  "supplier",
+  "report"
+];
+var DEVICE_DOCUMENT_TYPES = [
+  "user_need",
+  "requirement",
+  "architecture",
+  "detailed_design",
+  "test_protocol",
+  "test_report",
+  "usability_risk",
+  "software_risk",
+  "security_risk",
+  "hazardous_situation",
+  "harm",
+  "haz_soe_software",
+  "haz_soe_security",
+  // Usability engineering (IEC 62366)
+  "usability_plan",
+  "use_specification",
+  "task_analysis",
+  "usability_evaluation",
+  "summative_evaluation",
+  // Risk management (ISO 14971)
+  "risk_management_plan",
+  // Software lifecycle (IEC 62304)
+  "software_development_plan",
+  "software_maintenance_plan",
+  "soup_register",
+  // Problem resolution (IEC 62304 §9)
+  "anomaly",
+  // Cybersecurity (IEC 81001-5-1)
+  "cybersecurity_plan",
+  "sbom",
+  // Clinical (MDR / FDA)
+  "clinical_evaluation_plan",
+  "clinical_evaluation_report",
+  // Post-market surveillance (MDR Art. 83)
+  "post_market_surveillance_plan",
+  "post_market_feedback",
+  // Labeling (MDR Annex I)
+  "labeling",
+  // Product (ISO 13485 §7.3)
+  "product_development_plan",
+  "intended_use",
+  // Release management (IEC 62304 §5.7)
+  "release_plan",
+  // Change management (ISO 13485 §7.3.5)
+  "design_review",
+  "release_notes"
+];
+var CHANGE_DOCUMENT_TYPES = ["design_review", "release_plan"];
+function isChangeDocumentType(type) {
+  return CHANGE_DOCUMENT_TYPES.includes(type);
+}
+function isQmsDocumentType(type) {
+  return QMS_DOCUMENT_TYPES.includes(type);
+}
+function isDeviceDocumentType(type) {
+  return DEVICE_DOCUMENT_TYPES.includes(type);
+}
+
+// ../shared/dist/constants/index.js
+var DOCUMENT_TYPES = {
+  user_need: "User Need",
+  requirement: "Requirement",
+  architecture: "Architecture",
+  detailed_design: "Detailed Design",
+  test_protocol: "Test Protocol",
+  test_report: "Test Report",
+  sop: "SOP",
+  work_instruction: "Work Instruction",
+  policy: "Policy",
+  usability_risk: "Usability Risk",
+  software_risk: "Software Risk",
+  security_risk: "Security Risk",
+  // Risk document types
+  haz_soe_software: "Hazard (Software)",
+  haz_soe_security: "Hazard (Security)",
+  hazardous_situation: "Hazardous Situation",
+  harm: "Harm",
+  // Usability engineering (IEC 62366)
+  usability_plan: "Usability Plan",
+  use_specification: "Use Specification",
+  task_analysis: "Task Analysis",
+  usability_evaluation: "Usability Evaluation",
+  summative_evaluation: "Summative Evaluation",
+  // Risk management (ISO 14971)
+  risk_management_plan: "Risk Management Plan",
+  // Software lifecycle (IEC 62304)
+  software_development_plan: "Software Development Plan",
+  software_maintenance_plan: "Software Maintenance Plan",
+  soup_register: "SOUP Register",
+  // Problem resolution (IEC 62304 §9)
+  anomaly: "Anomaly",
+  // Cybersecurity (IEC 81001-5-1)
+  cybersecurity_plan: "Cybersecurity Plan",
+  sbom: "SBOM",
+  // Clinical (MDR / FDA)
+  clinical_evaluation_plan: "Clinical Evaluation Plan",
+  clinical_evaluation_report: "Clinical Evaluation Report",
+  // Post-market surveillance (MDR Art. 83)
+  post_market_surveillance_plan: "Post-Market Surveillance Plan",
+  post_market_feedback: "Post-Market Feedback",
+  // Labeling (MDR Annex I)
+  labeling: "Labeling",
+  // Product (ISO 13485 §7.3)
+  product_development_plan: "Product Development Plan",
+  intended_use: "Intended Use",
+  // Release management (IEC 62304 §5.7)
+  release_plan: "Release Plan",
+  // Change management (ISO 13485 §7.3.5)
+  design_review: "Design Review",
+  release_notes: "Release Notes",
+  // Supplier management (ISO 13485 §7.4)
+  supplier: "Supplier",
+  // Internal audit management (ISO 13485 §8.2.2)
+  audit_schedule: "Audit Schedule",
+  audit_report: "Audit Report",
+  // Management review (ISO 13485 §5.6)
+  management_review: "Management Review",
+  // Report document types
+  report: "Report"
+};
+var LINK_TYPES = {
+  derives_from: "Derives From",
+  implements: "Implements",
+  verified_by: "Verified By",
+  mitigates: "Mitigates",
+  parent_of: "Parent Of",
+  related_to: "Related To",
+  // New risk link types
+  leads_to: "Leads To",
+  results_in: "Results In",
+  analyzes: "Analyzes"
+};
+var REQUIRED_SECTIONS = {
+  user_need: ["Purpose", "Stakeholder", "User Needs"],
+  release_plan: ["Scope", "Applicable Plans", "Release-Specific Criteria", "Known Anomalies"],
+  design_review: ["Review Scope", "Attendees", "Findings", "Actions", "Conclusion"],
+  release_notes: ["Changes", "Known Issues"],
+  audit_schedule: ["Scope", "Audit Criteria"],
+  audit_report: ["Scope", "Methodology", "Findings", "Conclusion"],
+  management_review: ["Review Inputs", "Review Outputs", "Action Items", "Decisions"]
+};
+
+// ../shared/dist/validators/permissions.js
+import { z as z21 } from "zod";
+var MemberPermissionsSchema = z21.object({
+  canSign: z21.boolean(),
+  canApprove: z21.boolean(),
+  canCreateRelease: z21.boolean(),
+  canPublishRelease: z21.boolean(),
+  canManageMembers: z21.boolean(),
+  canViewAuditLog: z21.boolean(),
+  canExport: z21.boolean()
+});
+
+// src/schema-map.ts
+var SCHEMA_MAP = {
+  // Risk entries
+  software_risk: RiskEntryFrontmatterSchema,
+  usability_risk: RiskEntryFrontmatterSchema,
+  security_risk: RiskEntryFrontmatterSchema,
+  // Hazard / harm documents
+  haz_soe_software: HazardFrontmatterSchema,
+  haz_soe_security: HazardFrontmatterSchema,
+  hazardous_situation: HazardousSituationFrontmatterSchema,
+  harm: HarmFrontmatterSchema,
+  // Problem resolution (IEC 62304 §9)
+  anomaly: AnomalyFrontmatterSchema,
+  // Usability engineering (IEC 62366)
+  usability_plan: UsabilityPlanFrontmatterSchema,
+  use_specification: UseSpecificationFrontmatterSchema,
+  task_analysis: TaskAnalysisFrontmatterSchema,
+  usability_evaluation: UsabilityEvaluationFrontmatterSchema,
+  summative_evaluation: SummativeEvaluationFrontmatterSchema,
+  // Risk management (ISO 14971)
+  risk_management_plan: RiskManagementPlanFrontmatterSchema,
+  // Software lifecycle (IEC 62304)
+  software_development_plan: SoftwareDevelopmentPlanFrontmatterSchema,
+  software_maintenance_plan: SoftwareMaintenancePlanFrontmatterSchema,
+  soup_register: SoupRegisterFrontmatterSchema,
+  // Cybersecurity (IEC 81001-5-1)
+  cybersecurity_plan: CybersecurityPlanFrontmatterSchema,
+  sbom: SbomFrontmatterSchema,
+  // Clinical (MDR / FDA)
+  clinical_evaluation_plan: ClinicalEvaluationPlanFrontmatterSchema,
+  clinical_evaluation_report: ClinicalEvaluationReportFrontmatterSchema,
+  // Post-market surveillance (MDR Art. 83)
+  post_market_surveillance_plan: PostMarketSurveillancePlanFrontmatterSchema,
+  post_market_feedback: PostMarketFeedbackFrontmatterSchema,
+  // Labeling (MDR Annex I)
+  labeling: LabelingFrontmatterSchema,
+  // Product (ISO 13485 §7.3)
+  product_development_plan: ProductDevelopmentPlanFrontmatterSchema,
+  intended_use: IntendedUseFrontmatterSchema,
+  // User needs (ISO 13485 §7.3.2)
+  user_need: UserNeedFrontmatterSchema,
+  // Requirements (IEC 62304 §5.2.2, ISO 13485 §7.3.3)
+  requirement: RequirementFrontmatterSchema,
+  // Test documents
+  test_protocol: TestProtocolFrontmatterSchema,
+  test_report: TestReportFrontmatterSchema,
+  // Change management (ISO 13485 §7.3.5)
+  release_plan: ReleasePlanFrontmatterSchema,
+  design_review: DesignReviewFrontmatterSchema,
+  release_notes: ReleaseNotesFrontmatterSchema,
+  // Internal audit management (ISO 13485 §8.2.2)
+  audit_schedule: AuditScheduleFrontmatterSchema,
+  audit_report: AuditReportFrontmatterSchema,
+  // Management review (ISO 13485 §5.6)
+  management_review: ManagementReviewFrontmatterSchema
+};
+function getSchemaForDocumentType(type) {
+  return SCHEMA_MAP[type];
+}
+export {
+  AcceptabilityStatusSchema,
+  AnomalyCategorySchema,
+  AnomalyDispositionSchema,
+  AnomalyFrontmatterSchema,
+  AnomalySeveritySchema,
+  AuditFindingClassificationSchema,
+  AuditFindingSchema,
+  AuditReportFrontmatterSchema,
+  AuditScheduleFrontmatterSchema,
+  AuditStatusSchema,
+  CHANGE_DOCUMENT_TYPES,
+  ClinicalEvaluationPlanFrontmatterSchema,
+  ClinicalEvaluationReportFrontmatterSchema,
+  CybersecurityPlanFrontmatterSchema,
+  DEVICE_DOCUMENT_TYPES,
+  DOCUMENT_TYPES,
+  DesignReviewFrontmatterSchema,
+  DocumentStatusSchema,
+  DocumentTypeSchema,
+  HarmFrontmatterSchema,
+  HazardFrontmatterSchema,
+  HazardousSituationFrontmatterSchema,
+  IntendedUseFrontmatterSchema,
+  LINK_TYPES,
+  LabelingFrontmatterSchema,
+  LinkTypeSchema,
+  ManagementReviewAttendeeSchema,
+  ManagementReviewFrontmatterSchema,
+  MitigationSchema,
+  MitigationTargetSchema,
+  PlannedAuditEntrySchema,
+  PostMarketFeedbackCategorySchema,
+  PostMarketFeedbackFrontmatterSchema,
+  PostMarketFeedbackSeveritySchema,
+  PostMarketSurveillancePlanFrontmatterSchema,
+  ProductDevelopmentPlanFrontmatterSchema,
+  QMS_DOCUMENT_TYPES,
+  REQUIRED_SECTIONS,
+  RegulatoryFrameworkSchema,
+  ReleaseNotesAudienceSchema,
+  ReleaseNotesFrontmatterSchema,
+  ReleasePlanFrontmatterSchema,
+  ReleaseReviewConfigSchema,
+  RepoConfigSchema,
+  RequirementFormatSchema,
+  RequirementFrontmatterSchema,
+  RequirementFulfillmentTypeSchema,
+  RequirementTypeSchema,
+  RetentionPolicySchema,
+  RiskDocumentStatusSchema,
+  RiskEntryFrontmatterSchema,
+  RiskGapCodeSchema,
+  RiskGapSeveritySchema,
+  RiskManagementPlanFrontmatterSchema,
+  RiskMatrixConfigSchema,
+  SCHEMA_MAP,
+  SafetyClassSchema,
+  SbomFrontmatterSchema,
+  SoftwareDevelopmentPlanFrontmatterSchema,
+  SoftwareMaintenancePlanFrontmatterSchema,
+  SoupRegisterFrontmatterSchema,
+  SummativeEvaluationFrontmatterSchema,
+  TaskAnalysisFrontmatterSchema,
+  TestPhaseSchema,
+  TestProtocolFrontmatterSchema,
+  TestReportFrontmatterSchema,
+  UsabilityEvaluationFrontmatterSchema,
+  UsabilityPlanFrontmatterSchema,
+  UseSpecificationFrontmatterSchema,
+  UserNeedFrontmatterSchema,
+  UserNeedPrioritySchema,
+  getEffectiveRetentionYears,
+  getSchemaForDocumentType,
+  isChangeDocumentType,
+  isDeviceDocumentType,
+  isQmsDocumentType,
+  isWithinRetentionPeriod
+};