@pactosigna/trace 0.1.0

package/dist/index.js

@@ -0,0 +1,4794 @@
+// src/config/load-config.ts
+import { readFileSync } from "fs";
+import { join } from "path";
+import yaml from "js-yaml";
+var CONFIG_FILENAME = "pactosigna-trace.yaml";
+function defaultConfig() {
+  return {
+    version: 1,
+    deviceSafetyClass: void 0,
+    codeMap: [],
+    folderOverrides: [],
+    softwareItems: void 0,
+    impactRules: void 0
+  };
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function parseCodeMap(raw) {
+  if (!Array.isArray(raw)) return [];
+  const entries = [];
+  for (const item of raw) {
+    if (!isRecord(item)) continue;
+    if (typeof item.path !== "string") continue;
+    const softwareItems = Array.isArray(item.software_items) ? item.software_items.filter((s) => typeof s === "string") : [];
+    entries.push({ path: item.path, softwareItems });
+  }
+  return entries;
+}
+function parseFolderOverrides(raw) {
+  if (!Array.isArray(raw)) return [];
+  const overrides = [];
+  for (const item of raw) {
+    if (!isRecord(item)) continue;
+    if (typeof item.pattern !== "string") continue;
+    if (typeof item.doc_type !== "string") continue;
+    const prefixes = Array.isArray(item.prefixes) ? item.prefixes.filter((s) => typeof s === "string") : void 0;
+    overrides.push({
+      pattern: item.pattern,
+      docType: item.doc_type,
+      prefixes
+    });
+  }
+  return overrides;
+}
+function parseSoftwareItems(raw) {
+  if (!isRecord(raw)) return void 0;
+  const result = {};
+  for (const [name, value] of Object.entries(raw)) {
+    if (!isRecord(value)) continue;
+    if (typeof value.domain !== "string") continue;
+    const codePaths = Array.isArray(value.code_paths) ? value.code_paths.filter((s) => typeof s === "string") : [];
+    const architecture = Array.isArray(value.architecture) ? value.architecture.filter((s) => typeof s === "string") : [];
+    result[name] = { domain: value.domain, codePaths, architecture };
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+}
+function parseImpactRules(raw) {
+  if (!isRecord(raw)) return void 0;
+  const domains = isRecord(raw.domains) ? raw.domains : {};
+  const rules = Array.isArray(raw.rules) ? raw.rules : [];
+  if (Object.keys(domains).length === 0 && rules.length === 0) {
+    return void 0;
+  }
+  return { domains, rules };
+}
+function loadTraceConfig(rootDir) {
+  const filePath = join(rootDir, CONFIG_FILENAME);
+  let raw;
+  try {
+    raw = readFileSync(filePath, "utf-8");
+  } catch {
+    return defaultConfig();
+  }
+  let parsed;
+  try {
+    parsed = yaml.load(raw);
+  } catch {
+    return defaultConfig();
+  }
+  if (!isRecord(parsed)) {
+    return defaultConfig();
+  }
+  const version = typeof parsed.version === "number" ? parsed.version : 1;
+  const deviceSafetyClass = typeof parsed.device_safety_class === "string" ? parsed.device_safety_class : void 0;
+  const codeMap = parseCodeMap(parsed.code_map);
+  const folderOverrides = parseFolderOverrides(parsed.folder_rules);
+  const softwareItems = parseSoftwareItems(parsed.software_items);
+  const impactRules = parseImpactRules(parsed.impact_rules);
+  return { version, deviceSafetyClass, codeMap, folderOverrides, softwareItems, impactRules };
+}
+
+// src/loaders/filesystem-document-loader.ts
+import { readdirSync, readFileSync as readFileSync2, statSync } from "fs";
+import { join as join2, relative } from "path";
+import matter from "gray-matter";
+import { minimatch } from "minimatch";
+
+// ../schemas/dist/chunk-MFMBM63Y.js
+var FOLDER_RULES = {
+  // Product (ISO 13485 §7.3)
+  "docs/product": {
+    prefixes: ["PDP-", "IU-"],
+    type: ["product_development_plan", "intended_use"]
+  },
+  "docs/product/requirements": { prefixes: ["PRS-"], type: "requirement", category: "product" },
+  "docs/product/user-needs": { prefixes: ["UN-"], type: "user_need" },
+  // Software requirements (moved under software discipline)
+  "docs/software/requirements": { prefixes: ["SRS-"], type: "requirement", category: "software" },
+  // Design (IEC 62304 — under software discipline)
+  // DDD prefix retained (#665) — existing DDD- docs still live in this folder.
+  "docs/software/architecture": { prefixes: ["HLD-", "SAD-", "DDD-"], type: "architecture" },
+  "docs/software/design": { prefixes: ["SDD-"], type: "detailed_design" },
+  // Test (protocols + reports)
+  "docs/test/protocols": { prefixes: ["TP-"], type: "test_protocol" },
+  "docs/test/reports": { prefixes: ["TR-"], type: "test_report" },
+  // Risk management — ISO 14971 (umbrella)
+  "docs/risk/plans": { prefixes: ["RMP-"], type: "risk_management_plan" },
+  "docs/risk/situations": { prefixes: ["HS-"], type: "hazardous_situation" },
+  "docs/risk/harms": { prefixes: ["HARM-"], type: "harm" },
+  "docs/risk/hazard-categories": { prefixes: ["HC-"], type: "hazard_category" },
+  // Software lifecycle — IEC 62304
+  "docs/software/plans": {
+    prefixes: ["DEV-PLAN-", "MAINT-PLAN-", "SDP-", "STP-"],
+    type: [
+      "software_development_plan",
+      "software_maintenance_plan",
+      "software_development_plan",
+      "software_test_plan"
+    ]
+  },
+  "docs/software/risks": {
+    prefixes: ["HAZ-SW-", "RISK-SW-"],
+    type: ["haz_soe_software", "software_risk"]
+  },
+  "docs/software/soup": { prefixes: ["SOUP-"], type: "soup_register" },
+  // Problem resolution — IEC 62304 §9
+  "docs/software/anomalies": { prefixes: ["ANOM-"], type: "anomaly" },
+  // Cybersecurity — IEC 81001-5-1
+  "docs/cybersecurity/plans": { prefixes: ["CSPLAN-"], type: "cybersecurity_plan" },
+  "docs/cybersecurity/risks": {
+    prefixes: ["HAZ-SEC-", "RISK-SEC-"],
+    type: ["haz_soe_security", "security_risk"]
+  },
+  "docs/cybersecurity/sbom": { prefixes: ["SBOM-"], type: "sbom" },
+  // Usability engineering — IEC 62366
+  "docs/usability": { prefixes: ["UEP-"], type: "usability_plan" },
+  "docs/usability/use-specifications": { prefixes: ["US-"], type: "use_specification" },
+  "docs/usability/task-analyses": { prefixes: ["TA-"], type: "task_analysis" },
+  "docs/usability/evaluations": {
+    prefixes: ["UE-", "SE-"],
+    type: ["usability_evaluation", "summative_evaluation"]
+  },
+  "docs/usability/risks": { prefixes: ["RISK-US-"], type: "usability_risk" },
+  // Clinical — MDR / FDA
+  "docs/clinical": {
+    prefixes: ["CEP-", "CER-"],
+    type: ["clinical_evaluation_plan", "clinical_evaluation_report"]
+  },
+  // Post-market surveillance — MDR Art. 83
+  "docs/post-market": { prefixes: ["PMS-"], type: "post_market_surveillance_plan" },
+  "docs/post-market/feedback": { prefixes: ["PMF-"], type: "post_market_feedback" },
+  // Labeling — MDR Annex I
+  "docs/labeling": { prefixes: ["LBL-"], type: "labeling" },
+  // QMS documents
+  "docs/policies": { prefixes: ["POL-"], type: "policy" },
+  "docs/sops": { prefixes: ["SOP-"], type: "sop" },
+  "docs/work-instructions": { prefixes: ["WI-"], type: "work_instruction" },
+  // Internal audit management (ISO 13485 §8.2.2)
+  "docs/audits/schedules": { prefixes: ["AUD-SCH-"], type: "audit_schedule" },
+  "docs/audits/reports": { prefixes: ["AUD-RPT-"], type: "audit_report" },
+  // Management review (ISO 13485 §5.6) — management reviews are in-app entities
+  // (qualityReviews collection), not git-native documents. Folder rule removed (#707).
+  // Supplier management (ISO 13485 §7.4)
+  "docs/suppliers": { prefixes: ["SUP-"], type: "supplier" },
+  // Personnel (ISO 13485 §5.5, §6.2)
+  "docs/personnel": { prefixes: ["JD-"], type: "job_description" }
+};
+function normalizePath(path) {
+  return path.toLowerCase().replace(/\\/g, "/");
+}
+var MONOREPO_QMS_PREFIX = "docs/qms/";
+function normalizeMonorepoPath(filePath) {
+  const normalized = normalizePath(filePath);
+  if (normalized.startsWith(MONOREPO_QMS_PREFIX)) {
+    return "docs/" + normalized.slice(MONOREPO_QMS_PREFIX.length);
+  }
+  return normalized;
+}
+function extractFolder(filePath) {
+  const normalized = normalizeMonorepoPath(filePath);
+  const parts = normalized.split("/");
+  parts.pop();
+  return parts.join("/");
+}
+function findFolderRule(filePath) {
+  const folder = extractFolder(filePath);
+  if (FOLDER_RULES[folder]) {
+    return { rule: FOLDER_RULES[folder], folder };
+  }
+  const parts = folder.split("/");
+  while (parts.length > 0) {
+    const partial = parts.join("/");
+    if (FOLDER_RULES[partial]) {
+      return { rule: FOLDER_RULES[partial], folder: partial };
+    }
+    parts.pop();
+  }
+  return null;
+}
+function inferDocumentType(filePath, documentId) {
+  const match = findFolderRule(filePath);
+  if (!match) {
+    return null;
+  }
+  const { rule } = match;
+  if (typeof rule.type === "string") {
+    return {
+      docType: rule.type,
+      category: rule.category
+    };
+  }
+  const prefixIndex = rule.prefixes.findIndex(
+    (prefix) => documentId.toUpperCase().startsWith(prefix.toUpperCase())
+  );
+  if (prefixIndex === -1) {
+    return {
+      docType: rule.type[0],
+      category: rule.category
+    };
+  }
+  return {
+    docType: rule.type[prefixIndex],
+    category: rule.category
+  };
+}
+
+// src/loaders/filesystem-document-loader.ts
+var SCAN_DIRECTORIES = ["docs", "compliance"];
+var LINK_FIELD_MAP = {
+  traces_from: "derives_from",
+  derives_from: "derives_from",
+  derives: "derives_from",
+  traces_to: "implements",
+  implements: "implements",
+  leads_to: "leads_to",
+  results_in: "results_in",
+  analyzes: "analyzes",
+  verified_by: "verified_by",
+  mitigated_by: "mitigates"
+};
+var LINK_FIELDS = Object.keys(LINK_FIELD_MAP);
+function collectMarkdownFiles(dir) {
+  const results = [];
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return results;
+  }
+  for (const entry of entries) {
+    const fullPath = join2(dir, entry);
+    let stat;
+    try {
+      stat = statSync(fullPath);
+    } catch {
+      continue;
+    }
+    if (stat.isDirectory()) {
+      results.push(...collectMarkdownFiles(fullPath));
+    } else if (stat.isFile() && entry.endsWith(".md") && entry.toLowerCase() !== "readme.md") {
+      results.push(fullPath);
+    }
+  }
+  return results;
+}
+function matchFolderOverride(relPath, overrides) {
+  for (const override of overrides) {
+    if (minimatch(relPath, override.pattern)) {
+      return override;
+    }
+  }
+  return null;
+}
+function parseFile(absolutePath, rootDir, folderOverrides = []) {
+  let raw;
+  try {
+    raw = readFileSync2(absolutePath, "utf-8");
+  } catch {
+    return null;
+  }
+  if (!raw.trimStart().startsWith("---")) {
+    return null;
+  }
+  let parsed;
+  try {
+    parsed = matter(raw);
+  } catch {
+    return null;
+  }
+  const frontmatter = parsed.data;
+  const id = frontmatter.id;
+  if (!id || typeof id !== "string" || id.trim() === "") {
+    return null;
+  }
+  const documentId = id.trim();
+  const relPath = relative(rootDir, absolutePath).replace(/\\/g, "/");
+  const override = matchFolderOverride(relPath, folderOverrides);
+  let docType;
+  let category;
+  if (override) {
+    docType = override.docType;
+    category = void 0;
+  } else {
+    const typeResult = inferDocumentType(relPath, documentId);
+    docType = typeResult?.docType ?? "unknown";
+    category = typeResult?.category;
+  }
+  const title = typeof frontmatter.title === "string" && frontmatter.title.trim() !== "" ? frontmatter.title.trim() : documentId;
+  const metadata = {};
+  for (const [key, value] of Object.entries(frontmatter)) {
+    if (key !== "id" && key !== "title") {
+      metadata[key] = value;
+    }
+  }
+  if (category) {
+    metadata.category = category;
+  }
+  return {
+    documentId,
+    title,
+    docType,
+    category,
+    metadata,
+    body: parsed.content,
+    filePath: relPath
+  };
+}
+function extractLinks(file) {
+  const links = [];
+  for (const field of LINK_FIELDS) {
+    const value = file.metadata[field];
+    if (!value) continue;
+    const linkType = LINK_FIELD_MAP[field];
+    const targets = normalizeToArray(value);
+    for (const targetId of targets) {
+      if (typeof targetId === "string" && targetId.trim() !== "") {
+        links.push({
+          sourceDocumentId: file.documentId,
+          targetDocumentId: targetId.trim(),
+          linkType
+        });
+      }
+    }
+  }
+  return links;
+}
+function normalizeToArray(value) {
+  if (Array.isArray(value)) {
+    return value.filter((v) => typeof v === "string");
+  }
+  if (typeof value === "string") {
+    return [value];
+  }
+  return [];
+}
+var FilesystemDocumentLoader = class {
+  rootDir;
+  folderOverrides;
+  cachedFiles = null;
+  constructor(rootDir, config) {
+    this.rootDir = rootDir;
+    this.folderOverrides = config?.folderOverrides ?? [];
+  }
+  /**
+   * Load and return all valid DocumentRef[] from the repository.
+   */
+  loadDocuments() {
+    return this.getParsedFiles().map((file) => ({
+      documentId: file.documentId,
+      title: file.title,
+      docType: file.docType,
+      metadata: file.metadata
+    }));
+  }
+  /**
+   * Extract all LinkRef[] from frontmatter link fields across all documents.
+   */
+  loadLinks() {
+    const allLinks = [];
+    for (const file of this.getParsedFiles()) {
+      allLinks.push(...extractLinks(file));
+    }
+    return allLinks;
+  }
+  /**
+   * Return a Map of documentId to markdown body content (without frontmatter).
+   */
+  loadBodies() {
+    const bodies = /* @__PURE__ */ new Map();
+    for (const file of this.getParsedFiles()) {
+      bodies.set(file.documentId, file.body);
+    }
+    return bodies;
+  }
+  /**
+   * Parse all markdown files from scan directories. Results are cached
+   * so repeated calls to loadDocuments/loadLinks/loadBodies are cheap.
+   */
+  getParsedFiles() {
+    if (this.cachedFiles) {
+      return this.cachedFiles;
+    }
+    const files = [];
+    for (const dir of SCAN_DIRECTORIES) {
+      const absoluteDir = join2(this.rootDir, dir);
+      const mdFiles = collectMarkdownFiles(absoluteDir);
+      for (const filePath of mdFiles) {
+        const parsed = parseFile(filePath, this.rootDir, this.folderOverrides);
+        if (parsed) {
+          files.push(parsed);
+        }
+      }
+    }
+    this.cachedFiles = files;
+    return files;
+  }
+};
+
+// src/traceability/scan-e2e.ts
+var REQ_TAG_REGEX = /@req-((?:PRS|SRS)-[A-Z]+-\d+\.\d+[a-z]?)/g;
+var REQ_TAG_TEST_REGEX = /@req-((?:PRS|SRS)-[A-Z]+-\d+\.\d+[a-z]?)/;
+function extractReqTagsFromFeature(content, filePath) {
+  const lines = content.split("\n");
+  const references = [];
+  let pendingTags = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith("@")) {
+      const tags = [...trimmed.matchAll(REQ_TAG_REGEX)].map((m) => m[1]);
+      pendingTags.push(...tags);
+      continue;
+    }
+    const scenarioMatch = trimmed.match(/^Scenario(?: Outline)?:\s*(.+)$/);
+    if (scenarioMatch && pendingTags.length > 0) {
+      const scenarioName = scenarioMatch[1].trim();
+      for (const reqId of pendingTags) {
+        references.push({
+          requirementId: reqId,
+          testType: "e2e",
+          file: filePath,
+          name: scenarioName
+        });
+      }
+      pendingTags = [];
+      continue;
+    }
+    pendingTags = [];
+  }
+  return references;
+}
+function findOrphanScenarios(content, filePath) {
+  const lines = content.split("\n");
+  const orphans = [];
+  let hasReqTag = false;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith("@")) {
+      if (REQ_TAG_TEST_REGEX.test(trimmed)) {
+        hasReqTag = true;
+      }
+      continue;
+    }
+    const scenarioMatch = trimmed.match(/^Scenario(?: Outline)?:\s*(.+)$/);
+    if (scenarioMatch) {
+      if (!hasReqTag) {
+        orphans.push({ file: filePath, name: scenarioMatch[1].trim() });
+      }
+      hasReqTag = false;
+      continue;
+    }
+    hasReqTag = false;
+  }
+  return orphans;
+}
+
+// src/traceability/scan-unit.ts
+var REQ_MARKER_REGEX = /@req\s+((?:PRS|SRS)-[A-Z]+-\d+\.\d+[a-z]?)/g;
+function extractReqMarkersFromTestFile(content, filePath) {
+  const references = [];
+  const itBlockRegex = /(?:describe|it|test)\s*\(\s*['"`]([^'"`]+)['"`]/g;
+  let match;
+  while ((match = itBlockRegex.exec(content)) !== null) {
+    const testName = match[1];
+    const reqMatches = [...testName.matchAll(REQ_MARKER_REGEX)];
+    for (const reqMatch of reqMatches) {
+      const reqId = reqMatch[1];
+      const cleanName = testName.replace(/@req\s+(?:PRS|SRS)-[A-Z]+-\d+\.\d+[a-z]?\s*—?\s*/g, "").trim();
+      references.push({
+        requirementId: reqId,
+        testType: "unit",
+        file: filePath,
+        name: cleanName || testName
+      });
+    }
+  }
+  return references;
+}
+
+// src/traceability/parse-requirements.ts
+function parseRequirementsFromMarkdown(content, documentId, level) {
+  const domain = extractDomain(documentId);
+  const lines = content.split("\n");
+  const tableStartIdx = lines.findIndex(
+    (line) => line.includes("Requirement") && line.includes("Criteria") && line.includes("|") && (line.includes("Verification Method") || line.includes("Method"))
+  );
+  if (tableStartIdx === -1) return [];
+  const headerLine = lines[tableStartIdx];
+  const hasProtocolColumn = headerLine.includes("Protocol");
+  const dataStartIdx = tableStartIdx + 2;
+  const requirements = [];
+  for (let i = dataStartIdx; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line.startsWith("|")) break;
+    const cells = line.split("|").map((c) => c.trim()).filter(Boolean);
+    let reqId;
+    let verificationMethod;
+    let criteria;
+    if (hasProtocolColumn) {
+      if (cells.length < 4) continue;
+      reqId = cells[0];
+      verificationMethod = cells[2];
+      criteria = cells.slice(3).join(" | ");
+    } else {
+      if (cells.length < 3) continue;
+      reqId = cells[0];
+      verificationMethod = cells[1];
+      criteria = cells.slice(2).join(" | ");
+    }
+    requirements.push({
+      id: reqId,
+      document: documentId,
+      domain,
+      level,
+      verificationMethod,
+      criteria,
+      regulatoryCompliance: []
+    });
+  }
+  return requirements;
+}
+function extractDomain(documentId) {
+  const match = documentId.match(/^(?:PRS|SRS)-([A-Z]+)-\d+$/);
+  return match?.[1] ?? "UNKNOWN";
+}
+
+// src/traceability/cross-reference.ts
+function buildTraceabilityReport(requirements, testRefs, compliance, orphanScenarios) {
+  const reqMap = new Map(requirements.map((r) => [r.id, r]));
+  const covered = /* @__PURE__ */ new Map();
+  const gaps = [];
+  for (const ref of testRefs) {
+    if (!reqMap.has(ref.requirementId)) {
+      gaps.push({
+        category: "INVALID_REQ_REFERENCE",
+        message: `Test "${ref.name}" in ${ref.file} references non-existent requirement ${ref.requirementId}`,
+        requirementId: ref.requirementId,
+        testFile: ref.file
+      });
+      continue;
+    }
+    const existing = covered.get(ref.requirementId) ?? [];
+    existing.push(ref);
+    covered.set(ref.requirementId, existing);
+  }
+  const uncovered = requirements.filter((req) => {
+    const method = req.verificationMethod;
+    const needsTest = method === "E2E Test" || method === "Unit Test";
+    return needsTest && !covered.has(req.id);
+  });
+  for (const req of uncovered) {
+    gaps.push({
+      category: "MISSING_TEST_COVERAGE",
+      message: `${req.id} (${req.criteria}) requires ${req.verificationMethod} but has no test`,
+      requirementId: req.id
+    });
+  }
+  for (const orphan of orphanScenarios) {
+    gaps.push({
+      category: "ORPHAN_TEST",
+      message: `Scenario "${orphan.name}" in ${orphan.file} has no @req tag`,
+      testFile: orphan.file
+    });
+  }
+  for (const entry of compliance) {
+    if (entry.status !== "Compliant") continue;
+    for (const reqId of entry.linkedRequirements) {
+      if (!covered.has(reqId)) {
+        gaps.push({
+          category: "COMPLIANCE_WITHOUT_EVIDENCE",
+          message: `Part 11 \xA7${entry.section} claims Compliant via ${reqId}, but ${reqId} has no test coverage`,
+          requirementId: reqId
+        });
+      }
+    }
+  }
+  return {
+    matrix: {
+      requirements,
+      testReferences: testRefs,
+      covered,
+      uncovered,
+      orphanTests: testRefs.filter((r) => !reqMap.has(r.requirementId))
+    },
+    compliance,
+    gaps
+  };
+}
+function buildDocumentChainGaps(documentLinks, _riskEntries, knownDocIds, _requirements) {
+  const gaps = [];
+  for (const link of documentLinks) {
+    if (!knownDocIds.has(link.targetId)) {
+      gaps.push({
+        category: "BROKEN_TRACE",
+        message: `${link.sourceId} has ${link.direction} \u2192 ${link.targetId}, but ${link.targetId} does not exist`,
+        requirementId: link.sourceId
+      });
+    }
+  }
+  const tracedToTargets = /* @__PURE__ */ new Set();
+  for (const link of documentLinks) {
+    if (link.direction === "derives" || link.direction === "traces_to") {
+      tracedToTargets.add(link.targetId);
+    }
+    if (link.direction === "traces_from") {
+      tracedToTargets.add(link.sourceId);
+    }
+  }
+  const prsDocIds = [...knownDocIds].filter((id) => id.startsWith("PRS-"));
+  const srsDocIds = [...knownDocIds].filter((id) => id.startsWith("SRS-"));
+  for (const prsId of prsDocIds) {
+    if (!tracedToTargets.has(prsId)) {
+      gaps.push({
+        category: "ORPHAN_REQUIREMENT",
+        message: `${prsId} is not traced from any upstream User Need document`,
+        requirementId: prsId
+      });
+    }
+  }
+  for (const srsId of srsDocIds) {
+    if (!tracedToTargets.has(srsId)) {
+      gaps.push({
+        category: "ORPHAN_REQUIREMENT",
+        message: `${srsId} is not traced from any upstream Product Requirement document`,
+        requirementId: srsId
+      });
+    }
+  }
+  return gaps;
+}
+
+// src/traceability/index.ts
+import { readFileSync as readFileSync4, readdirSync as readdirSync3 } from "fs";
+import { join as join4, relative as relative2 } from "path";
+
+// src/traceability/parse-compliance.ts
+var STATUS_VALUES = ["Compliant", "Partially Compliant", "Planned", "N/A"];
+var REQ_ID_REGEX = /((?:PRS|SRS)-[A-Z]+-\d+\.\d+)/g;
+function parseComplianceMatrix(content) {
+  const lines = content.split("\n");
+  const entries = [];
+  let inTable = false;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (line.includes("| Section") && line.includes("Status") && line.includes("Evidence")) {
+      inTable = true;
+      i++;
+      continue;
+    }
+    if (inTable) {
+      if (!line.startsWith("|")) {
+        inTable = false;
+        continue;
+      }
+      const cells = line.split("|").map((c) => c.trim()).filter(Boolean);
+      if (cells.length < 4) continue;
+      const section = cells[0];
+      const statusRaw = cells[2].replace(/\*\*/g, "");
+      const status = STATUS_VALUES.find((s) => statusRaw === s);
+      if (!status) continue;
+      const evidence = cells[3] ?? "";
+      const linkedRequirements = [...evidence.matchAll(REQ_ID_REGEX)].map((m) => m[1]);
+      entries.push({
+        section,
+        status,
+        linkedRequirements
+      });
+    }
+  }
+  return entries;
+}
+
+// src/traceability/format-report.ts
+function formatReport(report) {
+  const { matrix, gaps } = report;
+  const lines = [];
+  const testableReqs = matrix.requirements.filter(
+    (r) => r.verificationMethod === "E2E Test" || r.verificationMethod === "Unit Test"
+  );
+  const coveredCount = testableReqs.filter((r) => matrix.covered.has(r.id)).length;
+  const totalCount = testableReqs.length;
+  const pct = totalCount > 0 ? Math.round(coveredCount / totalCount * 100) : 0;
+  lines.push("# Requirements Traceability Report");
+  lines.push("");
+  lines.push(`**Coverage:** ${coveredCount}/${totalCount} testable requirements covered (${pct}%)`);
+  lines.push(`**Total requirements:** ${matrix.requirements.length}`);
+  lines.push(`**Test references:** ${matrix.testReferences.length}`);
+  lines.push(`**Gaps found:** ${gaps.length}`);
+  lines.push("");
+  const domains = [...new Set(matrix.requirements.map((r) => r.domain))].sort();
+  lines.push("## Coverage by Domain");
+  lines.push("");
+  lines.push("| Domain | Covered | Total | % |");
+  lines.push("| ------ | ------- | ----- | - |");
+  for (const domain of domains) {
+    const domainReqs = testableReqs.filter((r) => r.domain === domain);
+    const domainCovered = domainReqs.filter((r) => matrix.covered.has(r.id)).length;
+    const domainPct = domainReqs.length > 0 ? Math.round(domainCovered / domainReqs.length * 100) : 0;
+    lines.push(`| ${domain} | ${domainCovered} | ${domainReqs.length} | ${domainPct}% |`);
+  }
+  lines.push("");
+  if (gaps.length > 0) {
+    const categories = [...new Set(gaps.map((g) => g.category))];
+    for (const cat of categories) {
+      const catGaps = gaps.filter((g) => g.category === cat);
+      const heading = cat.replace(/_/g, " ");
+      lines.push(`## ${heading}`);
+      lines.push("");
+      for (const gap of catGaps) {
+        lines.push(`- ${gap.message}`);
+      }
+      lines.push("");
+    }
+  } else {
+    lines.push("## No gaps found");
+    lines.push("");
+    lines.push("All testable requirements have test coverage.");
+  }
+  return lines.join("\n");
+}
+
+// src/traceability/format-rtm.ts
+import { readFileSync as readFileSync3, readdirSync as readdirSync2 } from "fs";
+import { join as join3 } from "path";
+function parseTraceLinks(rootDir) {
+  const links = /* @__PURE__ */ new Map();
+  const dirs = [
+    join3(rootDir, "docs/product/requirements"),
+    join3(rootDir, "docs/software/requirements")
+  ];
+  for (const dir of dirs) {
+    let files;
+    try {
+      files = readdirSync2(dir).filter((f) => f.endsWith(".md"));
+    } catch {
+      continue;
+    }
+    for (const file of files) {
+      const docId = file.replace(".md", "");
+      const content = readFileSync3(join3(dir, file), "utf-8");
+      const lines = content.split("\n");
+      const tracesFrom = [];
+      const tracesTo = [];
+      const traceTableIdx = lines.findIndex(
+        (line) => line.includes("Direction") && line.includes("Document") && line.includes("|")
+      );
+      if (traceTableIdx === -1) continue;
+      for (let i = traceTableIdx + 2; i < lines.length; i++) {
+        const line = lines[i].trim();
+        if (!line.startsWith("|")) break;
+        const cells = line.split("|").map((c) => c.trim()).filter(Boolean);
+        if (cells.length < 2) continue;
+        const direction = cells[0].toLowerCase();
+        const targetDoc = cells[1];
+        if (direction.includes("from")) {
+          tracesFrom.push(targetDoc);
+        } else if (direction.includes("to")) {
+          tracesTo.push(targetDoc);
+        }
+      }
+      links.set(docId, { tracesFrom, tracesTo });
+    }
+  }
+  return links;
+}
+function formatRTM(report, rootDir) {
+  const traceLinks = parseTraceLinks(rootDir);
+  const lines = [];
+  lines.push("# Requirements Traceability Matrix (RTM)");
+  lines.push("");
+  lines.push(`**Generated:** ${(/* @__PURE__ */ new Date()).toISOString()}`);
+  lines.push(`**Standard:** IEC 62304:2015, ISO 13485:2016 \xA77.3.3`);
+  lines.push("");
+  const entries = [];
+  for (const req of report.matrix.requirements) {
+    const docLinks = traceLinks.get(req.document);
+    const tests = report.matrix.covered.get(req.id) ?? [];
+    const needsTest = req.verificationMethod === "E2E Test" || req.verificationMethod === "Unit Test";
+    let status;
+    if (!needsTest) {
+      status = "N/A";
+    } else if (tests.length > 0) {
+      status = "Verified";
+    } else {
+      status = "Not Verified";
+    }
+    entries.push({
+      requirementId: req.id,
+      domain: req.domain,
+      level: req.level,
+      criteria: req.criteria,
+      verificationMethod: req.verificationMethod,
+      tracesFrom: docLinks?.tracesFrom ?? [],
+      tracesTo: docLinks?.tracesTo ?? [],
+      tests: tests.map((t) => ({ file: t.file, name: t.name, type: t.testType })),
+      status
+    });
+  }
+  const domains = [...new Set(entries.map((e) => e.domain))].sort();
+  for (const domain of domains) {
+    const domainEntries = entries.filter((e) => e.domain === domain);
+    const verified = domainEntries.filter((e) => e.status === "Verified").length;
+    const notVerified = domainEntries.filter((e) => e.status === "Not Verified").length;
+    const na = domainEntries.filter((e) => e.status === "N/A").length;
+    lines.push(`## ${domain} Domain`);
+    lines.push("");
+    lines.push(`**Verified:** ${verified} | **Not Verified:** ${notVerified} | **N/A:** ${na}`);
+    lines.push("");
+    lines.push("| Requirement | Traces From | Traces To | Verification | Tests | Status |");
+    lines.push("| ----------- | ----------- | --------- | ------------ | ----- | ------ |");
+    for (const entry of domainEntries) {
+      const from = entry.tracesFrom.length > 0 ? entry.tracesFrom.join(", ") : "\u2014";
+      const to = entry.tracesTo.length > 0 ? entry.tracesTo.join(", ") : "\u2014";
+      const testCount = entry.tests.length > 0 ? `${entry.tests.length} test(s)` : "\u2014";
+      lines.push(
+        `| ${entry.requirementId} | ${from} | ${to} | ${entry.verificationMethod} | ${testCount} | ${entry.status} |`
+      );
+    }
+    lines.push("");
+  }
+  const totalVerified = entries.filter((e) => e.status === "Verified").length;
+  const totalNotVerified = entries.filter((e) => e.status === "Not Verified").length;
+  const totalNA = entries.filter((e) => e.status === "N/A").length;
+  const total = entries.length;
+  lines.push("## Summary");
+  lines.push("");
+  lines.push("| Metric | Count |");
+  lines.push("| ------ | ----- |");
+  lines.push(`| Total Requirements | ${total} |`);
+  lines.push(`| Verified | ${totalVerified} |`);
+  lines.push(`| Not Verified | ${totalNotVerified} |`);
+  lines.push(`| N/A (non-test verification) | ${totalNA} |`);
+  lines.push("");
+  return lines.join("\n");
+}
+
+// src/traceability/index.ts
+function globFiles(dir, pattern) {
+  const results = [];
+  try {
+    const entries = readdirSync3(dir, { withFileTypes: true, recursive: true });
+    for (const entry of entries) {
+      if (entry.isFile() && pattern.test(entry.name)) {
+        const fullPath = join4(entry.parentPath, entry.name);
+        results.push(fullPath);
+      }
+    }
+  } catch {
+  }
+  return results;
+}
+function runLegacyTraceability(options) {
+  const { rootDir, mode } = options;
+  const prsDir = join4(rootDir, "docs/product/requirements");
+  const prsFiles = globFiles(prsDir, /^PRS-.*\.md$/);
+  const requirements = [];
+  for (const file of prsFiles) {
+    const content = readFileSync4(file, "utf-8");
+    const docId = file.match(/(PRS-[A-Z]+-\d+)\.md$/)?.[1];
+    if (!docId) continue;
+    requirements.push(...parseRequirementsFromMarkdown(content, docId, "PRS"));
+  }
+  const srsDir = join4(rootDir, "docs/software/requirements");
+  const srsFiles = globFiles(srsDir, /^SRS-.*\.md$/);
+  for (const file of srsFiles) {
+    const content = readFileSync4(file, "utf-8");
+    const docId = file.match(/(SRS-[A-Z]+-\d+)\.md$/)?.[1];
+    if (!docId) continue;
+    requirements.push(...parseRequirementsFromMarkdown(content, docId, "SRS"));
+  }
+  const e2eDir = join4(rootDir, "e2e/features");
+  const featureFiles = globFiles(e2eDir, /\.feature$/);
+  const testRefs = [];
+  const allOrphans = [];
+  for (const file of featureFiles) {
+    const content = readFileSync4(file, "utf-8");
+    const relPath = relative2(rootDir, file);
+    testRefs.push(...extractReqTagsFromFeature(content, relPath));
+    allOrphans.push(...findOrphanScenarios(content, relPath));
+  }
+  const testDirs = [join4(rootDir, "packages"), join4(rootDir, "apps"), join4(rootDir, "scripts")];
+  for (const dir of testDirs) {
+    const testFiles = globFiles(dir, /\.(test|spec)\.tsx?$/);
+    for (const file of testFiles) {
+      const content = readFileSync4(file, "utf-8");
+      const relPath = relative2(rootDir, file);
+      testRefs.push(...extractReqMarkersFromTestFile(content, relPath));
+    }
+  }
+  const compliancePath = join4(rootDir, "compliance/part11-compliance-matrix.md");
+  let compliance;
+  try {
+    const complianceContent = readFileSync4(compliancePath, "utf-8");
+    compliance = parseComplianceMatrix(complianceContent);
+  } catch {
+    compliance = [];
+  }
+  const report = buildTraceabilityReport(requirements, testRefs, compliance, allOrphans);
+  if (mode === "rtm") {
+    const rtmOutput = formatRTM(report, rootDir);
+    return { output: rtmOutput, gapCount: report.gaps.length };
+  }
+  const output = formatReport(report);
+  const lines = [output];
+  if (mode === "check" && report.gaps.length > 0) {
+    lines.push(`
+Traceability check FAILED: ${report.gaps.length} gap(s) found.`);
+  }
+  if (mode === "check" && report.gaps.length === 0) {
+    lines.push("\nTraceability check PASSED: all requirements have test coverage.");
+  }
+  return { output: lines.join("\n"), gapCount: report.gaps.length };
+}
+
+// src/impact/diff-gaps.ts
+function gapKey(gap) {
+  return `${gap.code}::${gap.documentId}`;
+}
+function diffGaps(baseGaps, headGaps) {
+  const baseKeys = new Set(baseGaps.map(gapKey));
+  const headKeys = new Set(headGaps.map(gapKey));
+  const newGaps = headGaps.filter((g) => !baseKeys.has(gapKey(g)));
+  const resolvedGaps = baseGaps.filter((g) => !headKeys.has(gapKey(g)));
+  let unchangedCount = 0;
+  for (const key of headKeys) {
+    if (baseKeys.has(key)) {
+      unchangedCount++;
+    }
+  }
+  return { newGaps, resolvedGaps, unchangedCount };
+}
+
+// src/impact/baseline-scan.ts
+import { execSync } from "child_process";
+import { mkdtempSync, rmSync } from "fs";
+import { join as join5 } from "path";
+import { tmpdir } from "os";
+
+// ../domain/dist/index.js
+import { z as z2 } from "zod";
+import { z } from "zod";
+import { z as z3 } from "zod";
+import { z as z4 } from "zod";
+import { z as z5 } from "zod";
+import { z as z7 } from "zod";
+import { z as z6 } from "zod";
+import { z as z8 } from "zod";
+import { z as z9 } from "zod";
+import { z as z10 } from "zod";
+import { z as z11 } from "zod";
+import { z as z12 } from "zod";
+import { z as z13 } from "zod";
+import { z as z14 } from "zod";
+import { z as z15 } from "zod";
+import { z as z16 } from "zod";
+import { z as z18 } from "zod";
+import { z as z17 } from "zod";
+import { z as z20 } from "zod";
+import { z as z19 } from "zod";
+import { z as z21 } from "zod";
+import { z as z22 } from "zod";
+import { z as z23 } from "zod";
+import { z as z24 } from "zod";
+import { z as z25 } from "zod";
+import { z as z26 } from "zod";
+import { z as z27 } from "zod";
+import { z as z28 } from "zod";
+import { z as z29 } from "zod";
+import { z as z30 } from "zod";
+import { z as z31 } from "zod";
+var REQUIRED_SECTIONS = {
+  user_need: ["User Story", "Validation Criteria"],
+  architecture: ["Purpose", "Architecture Overview", "Interfaces"],
+  detailed_design: ["Purpose", "Detailed Design", "Interfaces"],
+  audit_schedule: ["Scope", "Audit Criteria"],
+  audit_report: ["Scope", "Methodology", "Findings", "Conclusion"],
+  // Deprecated: management reviews are in-app entities, not git-native documents (#707)
+  management_review: ["Review Inputs", "Review Outputs", "Action Items", "Decisions"],
+  hazard_category: ["Description", "Examples", "Applicable Standards"],
+  // Risk document body sections use BODY_FORMAT heading_pattern (## HARM-XXX via HS-XXX),
+  // not a literal "Harm Assessment" heading. Validation is via BODY_FORMAT, not here.
+  haz_soe_software: ["Intended Function", "Failure Cause", "Failure Mode", "Failure Effect"],
+  haz_soe_security: [
+    "STRIDE Category & Threat",
+    "Asset",
+    "Vulnerability",
+    "Actor & Attack Vector",
+    "Adverse Impact"
+  ],
+  // Personnel (ISO 13485 §5.5, §6.2)
+  job_description: [
+    "Purpose",
+    "Responsibilities",
+    "Qualifications",
+    "Authorities",
+    "Reporting Structure",
+    "Training Requirements"
+  ]
+};
+var RiskDocumentStatusSchema = z.enum([
+  "draft",
+  "in_review",
+  "approved",
+  "effective",
+  "archived",
+  "example"
+]);
+var IsoCategorySchema = z.enum([
+  "safe_design",
+  "protective_measure",
+  "safety_information"
+]);
+var ReducesTargetSchema = z.enum(["p1_sequence", "p2_harm", "severity"]);
+var RiskGapCodeSchema = z.enum([
+  "hazard_no_situation",
+  "situation_no_harm",
+  "hazard_not_analyzed",
+  "missing_mitigation",
+  "broken_mitigation_link",
+  "control_not_approved",
+  "missing_risk_benefit",
+  "risk_missing_safety_chain",
+  "risk_broken_safety_chain",
+  "wrong_probability_dimension",
+  "missing_frontmatter",
+  "requirement_no_architecture",
+  "architecture_no_segregation",
+  "architecture_no_parent",
+  "haz_missing_category",
+  "haz_invalid_category",
+  "category_not_approved",
+  "missing_iso_category",
+  "missing_risk_acceptable",
+  "unacceptable_no_benefit",
+  "preliminary_not_analyzed",
+  "missing_body_rationale",
+  "orphaned_body_section",
+  "architecture_no_risk_analysis",
+  "security_hazard_no_asset_ref",
+  "high_cia_no_security_hazard",
+  "hazard_no_software_item",
+  "detailed_design_missing_for_unit",
+  "unit_no_verification",
+  "risk_control_no_verification",
+  "architecture_no_asset_types"
+]);
+var RiskGapSeveritySchema = z.enum(["error", "warning"]);
+var MitigationSchema = z.object({
+  control: z.string().min(1),
+  iso_category: IsoCategorySchema,
+  reduces: ReducesTargetSchema
+});
+var HarmAssessmentSchema = z.object({
+  harm: z.string().min(1),
+  inherent_probability: z.number().int().min(1).max(5).optional(),
+  inherent_exploitability: z.number().int().min(1).max(5).optional(),
+  residual_probability: z.number().int().min(1).max(5).optional(),
+  residual_exploitability: z.number().int().min(1).max(5).optional(),
+  harm_severity_override: z.number().int().min(1).max(5).optional(),
+  risk_acceptable: z.boolean(),
+  benefit_outweighs_risk: z.boolean().optional()
+});
+var HazardousSituationAssessmentSchema = z.object({
+  hazardous_situation: z.string().min(1),
+  mitigations: z.array(MitigationSchema).optional(),
+  harms: z.array(HarmAssessmentSchema).min(1)
+});
+var RiskEntryFrontmatterSchema = z.object({
+  type: z.enum(["software_risk", "usability_risk", "security_risk"]),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z.string().min(1),
+  reviewers: z.array(z.string()).optional(),
+  approvers: z.array(z.string()).optional(),
+  analyzes: z.string().min(1),
+  mitigations: z.array(MitigationSchema).optional(),
+  hazardous_situation_assessments: z.array(HazardousSituationAssessmentSchema).min(1),
+  cvss_score: z.number().min(0).max(10).optional(),
+  cvss_vector: z.string().regex(
+    /^CVSS:3\.[01]\/AV:[NALP]\/AC:[LH]\/PR:[NLH]\/UI:[NR]\/S:[UC]\/C:[NLH]\/I:[NLH]\/A:[NLH]$/
+  ).optional()
+}).refine(
+  (data) => {
+    const allHarms = data.hazardous_situation_assessments.flatMap((hsa) => hsa.harms);
+    if (data.type === "security_risk") {
+      return allHarms.every((ha) => ha.inherent_exploitability != null);
+    }
+    return allHarms.every((ha) => ha.inherent_probability != null);
+  },
+  {
+    message: "Security risks must use inherent_exploitability; software/usability risks must use inherent_probability"
+  }
+).refine(
+  (data) => {
+    const allHarms = data.hazardous_situation_assessments.flatMap((hsa) => hsa.harms);
+    return allHarms.every((ha) => ha.risk_acceptable || ha.benefit_outweighs_risk != null);
+  },
+  {
+    message: "benefit_outweighs_risk required when risk_acceptable is false"
+  }
+);
+var HazardSoftwareFrontmatterSchema = z.object({
+  type: z.literal("haz_soe_software"),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z.string().min(1),
+  reviewers: z.array(z.string()).optional(),
+  approvers: z.array(z.string()).optional(),
+  preliminary: z.boolean().default(false),
+  leads_to: z.array(z.string()).optional(),
+  hazard_category: z.string().optional(),
+  detection_score: z.number().int().min(1).max(5).optional(),
+  detection_method: z.string().optional(),
+  /** Reference to the HLD/SDD software item this hazard applies to (IEC 62304 §7.1) */
+  software_item: z.string().min(1).optional()
+});
+var HazardSecurityFrontmatterSchema = z.object({
+  type: z.literal("haz_soe_security"),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z.string().min(1),
+  reviewers: z.array(z.string()).optional(),
+  approvers: z.array(z.string()).optional(),
+  preliminary: z.boolean().default(false),
+  leads_to: z.array(z.string()).optional(),
+  hazard_category: z.string().optional(),
+  /** Reference to the HLD/SDD software item this security hazard applies to (IEC 62304 §7.1, IEC 81001-5-1) */
+  software_item: z.string().min(1).optional()
+});
+var HazardFrontmatterSchema = z.discriminatedUnion("type", [
+  HazardSoftwareFrontmatterSchema,
+  HazardSecurityFrontmatterSchema
+]);
+var HazardCategoryFrontmatterSchema = z.object({
+  type: z.literal("hazard_category"),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  source: z.string().optional()
+});
+var HazardousSituationFrontmatterSchema = z.object({
+  type: z.literal("hazardous_situation"),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  results_in: z.array(z.string()).optional()
+});
+var HarmFrontmatterSchema = z.object({
+  type: z.literal("harm"),
+  id: z.string().min(1),
+  title: z.string().min(1),
+  status: RiskDocumentStatusSchema,
+  severity: z.number().int().min(1).max(5),
+  category: z.string().optional()
+});
+var RiskMatrixConfigSchema = z.object({
+  version: z.number(),
+  labels: z.object({
+    severity: z.array(z.string()).length(5),
+    probability: z.array(z.string()).length(5),
+    exploitability: z.array(z.string()).length(5).optional()
+  }),
+  acceptability: z.object({
+    unacceptable: z.array(z.tuple([z.number(), z.number()])),
+    review_required: z.array(z.tuple([z.number(), z.number()])).optional()
+  }),
+  overrides: z.record(
+    z.object({
+      unacceptable: z.array(z.tuple([z.number(), z.number()])),
+      review_required: z.array(z.tuple([z.number(), z.number()])).optional()
+    })
+  ).optional()
+});
+var AnomalyCategorySchema = z2.enum([
+  "bug",
+  "security_vulnerability",
+  "regression",
+  "performance"
+]);
+var AnomalySeveritySchema = z2.enum(["critical", "major", "minor"]);
+var AnomalyDispositionSchema = z2.enum([
+  "open",
+  "investigating",
+  "resolved",
+  "deferred",
+  "will_not_fix"
+]);
+var AnomalyFrontmatterSchema = z2.object({
+  type: z2.literal("anomaly"),
+  id: z2.string().min(1),
+  title: z2.string().min(1),
+  status: RiskDocumentStatusSchema,
+  category: AnomalyCategorySchema,
+  severity: AnomalySeveritySchema,
+  disposition: AnomalyDispositionSchema,
+  affected_version: z2.string().optional(),
+  author: z2.string().optional(),
+  reviewers: z2.array(z2.string()).optional(),
+  approvers: z2.array(z2.string()).optional()
+});
+var AuditFindingClassificationSchema = z3.enum(["observation", "minor_nc", "major_nc"]);
+var AuditStatusSchema = z3.enum(["planned", "in_progress", "completed", "cancelled"]);
+var PlannedAuditEntrySchema = z3.object({
+  audit_id: z3.string().min(1),
+  process_area: z3.string().min(1),
+  clause: z3.string().optional(),
+  planned_date: z3.string().min(1),
+  auditor: z3.string().min(1),
+  status: AuditStatusSchema
+});
+var AuditScheduleFrontmatterSchema = z3.object({
+  id: z3.string().min(1),
+  title: z3.string().min(1),
+  type: z3.literal("audit_schedule").optional(),
+  status: z3.string().optional(),
+  author: z3.string().optional(),
+  reviewers: z3.array(z3.string()).optional(),
+  approvers: z3.array(z3.string()).optional(),
+  cycle_year: z3.number().int().min(2e3).max(2100),
+  audits: z3.array(PlannedAuditEntrySchema).min(1)
+});
+var AuditFindingSchema = z3.object({
+  finding_id: z3.string().min(1),
+  classification: AuditFindingClassificationSchema,
+  description: z3.string().min(1),
+  capa_id: z3.string().optional()
+});
+var AuditReportFrontmatterSchema = z3.object({
+  id: z3.string().min(1),
+  title: z3.string().min(1),
+  type: z3.literal("audit_report").optional(),
+  status: z3.string().optional(),
+  author: z3.string().optional(),
+  reviewers: z3.array(z3.string()).optional(),
+  approvers: z3.array(z3.string()).optional(),
+  audit_date: z3.string().min(1),
+  audit_id: z3.string().optional(),
+  process_area: z3.string().min(1),
+  clause: z3.string().optional(),
+  auditor: z3.string().min(1),
+  findings: z3.array(AuditFindingSchema),
+  findings_major: z3.number().int().min(0).optional(),
+  findings_minor: z3.number().int().min(0).optional(),
+  findings_observations: z3.number().int().min(0).optional()
+});
+var ClinicalEvaluationPlanFrontmatterSchema = z4.object({
+  type: z4.literal("clinical_evaluation_plan"),
+  id: z4.string().min(1),
+  title: z4.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z4.string().optional(),
+  reviewers: z4.array(z4.string()).optional(),
+  approvers: z4.array(z4.string()).optional()
+});
+var ClinicalEvaluationReportFrontmatterSchema = z4.object({
+  type: z4.literal("clinical_evaluation_report"),
+  id: z4.string().min(1),
+  title: z4.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z4.string().optional(),
+  reviewers: z4.array(z4.string()).optional(),
+  approvers: z4.array(z4.string()).optional()
+});
+var CybersecurityPlanFrontmatterSchema = z5.object({
+  type: z5.literal("cybersecurity_plan"),
+  id: z5.string().min(1),
+  title: z5.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z5.string().optional(),
+  reviewers: z5.array(z5.string()).optional(),
+  approvers: z5.array(z5.string()).optional()
+});
+var SbomFrontmatterSchema = z5.object({
+  type: z5.literal("sbom"),
+  id: z5.string().min(1),
+  title: z5.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z5.string().optional(),
+  reviewers: z5.array(z5.string()).optional(),
+  approvers: z5.array(z5.string()).optional()
+});
+var RegulatoryFrameworkSchema = z6.enum([
+  "ISO_13485",
+  "IEC_62304",
+  "FDA_21_CFR_820",
+  "QMSR",
+  "EU_MDR",
+  "ISO_14971",
+  "AI_ACT"
+]);
+var SafetyClassSchema = z6.enum(["A", "B", "C"]);
+var DocumentTypeSchema = z6.enum([
+  "user_need",
+  "requirement",
+  "architecture",
+  "detailed_design",
+  "test_protocol",
+  "test_report",
+  "sop",
+  "work_instruction",
+  "policy",
+  "usability_risk",
+  "software_risk",
+  "security_risk",
+  // Risk document types
+  "haz_soe_software",
+  "haz_soe_security",
+  "hazardous_situation",
+  "harm",
+  "hazard_category",
+  // Usability engineering (IEC 62366)
+  "usability_plan",
+  "use_specification",
+  "task_analysis",
+  "usability_evaluation",
+  "summative_evaluation",
+  // Risk management (ISO 14971)
+  "risk_management_plan",
+  // Software lifecycle (IEC 62304)
+  "software_development_plan",
+  "software_maintenance_plan",
+  "soup_register",
+  // Problem resolution (IEC 62304 §9)
+  "anomaly",
+  // Cybersecurity (IEC 81001-5-1)
+  "cybersecurity_plan",
+  "sbom",
+  // Clinical (MDR / FDA)
+  "clinical_evaluation_plan",
+  "clinical_evaluation_report",
+  // Post-market surveillance (MDR Art. 83)
+  "post_market_surveillance_plan",
+  "post_market_feedback",
+  // Labeling (MDR Annex I)
+  "labeling",
+  // Product (ISO 13485 §7.3)
+  "product_development_plan",
+  "intended_use",
+  // Supplier management (ISO 13485 §7.4)
+  "supplier",
+  // Internal audit management (ISO 13485 §8.2.2)
+  "audit_schedule",
+  "audit_report",
+  // Management review (ISO 13485 §5.6)
+  "management_review",
+  // Software test plan (IEC 62304 §5.7)
+  "software_test_plan",
+  // Personnel (ISO 13485 §5.5, §6.2)
+  "job_description"
+]);
+var DocumentStatusSchema = z6.enum([
+  "draft",
+  "in_review",
+  "approved",
+  "obsolete",
+  "example"
+]);
+var LinkTypeSchema = z6.enum([
+  "derives_from",
+  "implements",
+  "verified_by",
+  "mitigates",
+  "parent_of",
+  "related_to",
+  // New risk link types
+  "leads_to",
+  "results_in",
+  "analyzes"
+]);
+var AcceptabilityStatusSchema = z6.enum(["acceptable", "review_required", "unacceptable"]);
+var DepartmentRoleSchema = z6.enum(["manager", "member"]);
+var JobDescriptionFrontmatterSchema = z7.object({
+  type: z7.literal("job_description").optional(),
+  id: z7.string().min(1),
+  title: z7.string().min(1),
+  version: z7.string().optional(),
+  status: DocumentStatusSchema.optional(),
+  department: z7.string().min(1),
+  department_role: DepartmentRoleSchema.optional(),
+  author: z7.string().optional(),
+  reviewers: z7.array(z7.string()).optional(),
+  approvers: z7.array(z7.string()).optional(),
+  effective_date: z7.string().optional()
+});
+var LabelingFrontmatterSchema = z8.object({
+  type: z8.literal("labeling"),
+  id: z8.string().min(1),
+  title: z8.string().min(1),
+  status: RiskDocumentStatusSchema,
+  label_type: z8.enum(["ifu", "product_label", "packaging_label"]).optional(),
+  author: z8.string().optional(),
+  reviewers: z8.array(z8.string()).optional(),
+  approvers: z8.array(z8.string()).optional()
+});
+var ManagementReviewAttendeeSchema = z9.object({
+  name: z9.string().min(1),
+  role: z9.string().min(1)
+});
+var ManagementReviewFrontmatterSchema = z9.object({
+  id: z9.string().min(1),
+  title: z9.string().min(1),
+  type: z9.literal("management_review").optional(),
+  version: z9.string().optional(),
+  status: z9.enum(["draft", "scheduled", "completed"]).optional(),
+  review_date: z9.string().min(1),
+  review_period: z9.object({
+    from: z9.string().min(1),
+    to: z9.string().min(1)
+  }),
+  attendees: z9.array(ManagementReviewAttendeeSchema).min(1),
+  data_snapshot_date: z9.string().optional(),
+  next_review_date: z9.string().optional()
+});
+var PostMarketSurveillancePlanFrontmatterSchema = z10.object({
+  type: z10.literal("post_market_surveillance_plan"),
+  id: z10.string().min(1),
+  title: z10.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z10.string().optional(),
+  reviewers: z10.array(z10.string()).optional(),
+  approvers: z10.array(z10.string()).optional()
+});
+var PostMarketFeedbackCategorySchema = z10.enum([
+  "complaint",
+  "field_observation",
+  "clinical_followup",
+  "trend_report"
+]);
+var PostMarketFeedbackSeveritySchema = z10.enum(["low", "medium", "high", "critical"]);
+var PostMarketFeedbackFrontmatterSchema = z10.object({
+  type: z10.literal("post_market_feedback"),
+  id: z10.string().min(1),
+  title: z10.string().min(1),
+  status: RiskDocumentStatusSchema,
+  category: PostMarketFeedbackCategorySchema,
+  severity: PostMarketFeedbackSeveritySchema,
+  device: z10.string().optional(),
+  reporting_period: z10.string().optional(),
+  author: z10.string().optional(),
+  reviewers: z10.array(z10.string()).optional(),
+  approvers: z10.array(z10.string()).optional()
+});
+var ProductDevelopmentPlanFrontmatterSchema = z11.object({
+  type: z11.literal("product_development_plan"),
+  id: z11.string().min(1),
+  title: z11.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z11.string().optional(),
+  reviewers: z11.array(z11.string()).optional(),
+  approvers: z11.array(z11.string()).optional()
+});
+var IntendedUseFrontmatterSchema = z11.object({
+  type: z11.literal("intended_use"),
+  id: z11.string().min(1),
+  title: z11.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z11.string().optional(),
+  reviewers: z11.array(z11.string()).optional(),
+  approvers: z11.array(z11.string()).optional()
+});
+var CompiledDocumentPresetSchema = z12.enum([
+  "user_needs",
+  "srs",
+  "prs",
+  "dmr",
+  "risk",
+  "hld",
+  "sdd",
+  "vv",
+  "uef",
+  "csf",
+  "cer",
+  "smp",
+  "soup",
+  "pms",
+  "anomaly"
+]);
+var COMPILED_PRESET_DOC_TYPES = {
+  user_needs: ["user_need"],
+  srs: ["requirement"],
+  prs: ["requirement"],
+  dmr: [
+    "intended_use",
+    "product_development_plan",
+    "software_development_plan",
+    "architecture",
+    "detailed_design",
+    "requirement",
+    "labeling",
+    "user_need"
+  ],
+  risk: [
+    "risk_management_plan",
+    "software_risk",
+    "security_risk",
+    "usability_risk",
+    "haz_soe_software",
+    "haz_soe_security",
+    "hazardous_situation",
+    "harm",
+    "hazard_category"
+  ],
+  hld: ["architecture"],
+  sdd: ["detailed_design"],
+  vv: ["test_protocol", "test_report", "software_test_plan"],
+  uef: [
+    "usability_plan",
+    "use_specification",
+    "task_analysis",
+    "usability_evaluation",
+    "summative_evaluation"
+  ],
+  csf: ["cybersecurity_plan", "sbom", "security_risk"],
+  cer: ["clinical_evaluation_plan", "clinical_evaluation_report"],
+  smp: ["software_maintenance_plan"],
+  soup: ["soup_register"],
+  pms: ["post_market_surveillance_plan", "post_market_feedback"],
+  anomaly: ["anomaly"]
+};
+var COMPILED_PRESET_CATEGORIES = {
+  srs: ["software"],
+  prs: ["product"]
+};
+var PRESET_TITLES = {
+  user_needs: "User Needs Specification",
+  srs: "Software Requirements Specification",
+  prs: "Product Requirements Specification",
+  dmr: "Device Master Record",
+  risk: "Risk Management File",
+  hld: "Software Architecture Description",
+  sdd: "Software Detailed Design",
+  vv: "Verification & Validation",
+  uef: "Usability Engineering File",
+  csf: "Cybersecurity File",
+  cer: "Clinical Evaluation Report",
+  smp: "Software Maintenance Plan",
+  soup: "SOUP Register",
+  pms: "Post-Market Surveillance File",
+  anomaly: "Anomaly Register"
+};
+var COMPILATION_PRESETS = Object.fromEntries(
+  Object.entries(COMPILED_PRESET_DOC_TYPES).map(([key, docTypes]) => [
+    key,
+    {
+      title: PRESET_TITLES[key] ?? key,
+      docTypes: [...docTypes],
+      ...COMPILED_PRESET_CATEGORIES[key] ? {
+        categories: [
+          ...COMPILED_PRESET_CATEGORIES[key]
+        ]
+      } : {}
+    }
+  ])
+);
+var FrameworkScopeSchema = z13.enum(["qms", "device", "both"]);
+var MappingRelationshipSchema = z13.enum(["equivalent", "partial", "related", "supersedes"]);
+var FrameworkDefinitionSeedSchema = z13.object({
+  id: RegulatoryFrameworkSchema,
+  name: z13.string().min(1),
+  version: z13.string().min(1),
+  scope: FrameworkScopeSchema,
+  url: z13.string().url().nullable(),
+  active: z13.boolean().default(true)
+});
+var ClauseBase = z13.object({
+  clauseNumber: z13.string().min(1),
+  title: z13.string().min(1),
+  /** Clause-level scope override. When omitted, inherits from parent framework. */
+  scope: FrameworkScopeSchema.optional()
+});
+function buildClauseSchema(remainingDepth) {
+  if (remainingDepth <= 0) {
+    return ClauseBase.strict();
+  }
+  return ClauseBase.extend({
+    children: z13.array(z13.lazy(() => buildClauseSchema(remainingDepth - 1))).optional()
+  });
+}
+var FrameworkClauseSeedSchema = buildClauseSchema(5);
+var FrameworkMappingSeedSchema = z13.object({
+  sourceClause: z13.string().min(1),
+  targetFramework: RegulatoryFrameworkSchema,
+  targetClause: z13.string().min(1),
+  relationship: MappingRelationshipSchema,
+  notes: z13.string().nullable().default(null)
+});
+var MappingFileSeedSchema = z13.object({
+  sourceFramework: RegulatoryFrameworkSchema,
+  mappings: z13.array(FrameworkMappingSeedSchema)
+});
+var EvidenceSourceSchema = z13.enum(["documents", "training_records"]);
+var EvidenceRuleConditionsSeedSchema = z13.object({
+  evidenceSource: EvidenceSourceSchema.optional(),
+  documentType: DocumentTypeSchema.optional(),
+  linkType: LinkTypeSchema.optional(),
+  status: z13.string().optional(),
+  minCount: z13.number().int().positive().optional(),
+  safetyClass: SafetyClassSchema.optional(),
+  metadata: z13.record(z13.string(), z13.string()).optional()
+});
+var EvidenceRuleSeedSchema = z13.object({
+  clauseId: z13.string().min(1),
+  description: z13.string().min(1),
+  conditions: EvidenceRuleConditionsSeedSchema,
+  weight: z13.number().min(0).max(1)
+});
+var EvidenceRulesFileSeedSchema = z13.object({
+  frameworkId: RegulatoryFrameworkSchema,
+  rules: z13.array(EvidenceRuleSeedSchema)
+});
+var FrameworkFileSeedSchema = FrameworkDefinitionSeedSchema.extend({
+  clauses: z13.array(FrameworkClauseSeedSchema)
+});
+var SAFETY_CLASS_RANK = { A: 1, B: 2, C: 3 };
+var ARCHITECTURE_DOC_TYPES = ["architecture", "detailed_design"];
+function isArchitectureDoc(docType) {
+  return ARCHITECTURE_DOC_TYPES.includes(docType);
+}
+function detectRequirementNoArchitecture(documents, links) {
+  const archDocTypes = new Set(ARCHITECTURE_DOC_TYPES);
+  const docTypeById = new Map(documents.map((d) => [d.documentId, d.docType]));
+  const softwareRequirements = documents.filter(
+    (d) => d.docType === "requirement" && d.metadata.category === "software"
+  );
+  return softwareRequirements.filter((req) => {
+    const hasOutgoingArchLink = links.some(
+      (l) => l.sourceDocumentId === req.documentId && l.linkType === "implements" && archDocTypes.has(docTypeById.get(l.targetDocumentId) ?? "")
+    );
+    const hasIncomingArchLink = links.some(
+      (l) => l.targetDocumentId === req.documentId && l.linkType === "implements" && archDocTypes.has(docTypeById.get(l.sourceDocumentId) ?? "")
+    );
+    return !hasOutgoingArchLink && !hasIncomingArchLink;
+  }).map((req) => ({
+    code: "requirement_no_architecture",
+    severity: "warning",
+    documentId: req.documentId,
+    documentTitle: req.title,
+    message: `Software requirement ${req.documentId} has no implements link to an architecture or detailed design document (IEC 62304 \xA75.3.1).`
+  }));
+}
+function detectArchitectureNoSegregation(documents, deviceSafetyClass) {
+  if (!deviceSafetyClass) return [];
+  const deviceRank = SAFETY_CLASS_RANK[deviceSafetyClass];
+  if (deviceRank == null) return [];
+  return documents.filter((d) => {
+    if (!isArchitectureDoc(d.docType)) return false;
+    const docClass = d.metadata.safety_class;
+    if (!docClass) return false;
+    const docRank = SAFETY_CLASS_RANK[docClass];
+    if (docRank == null) return false;
+    return docRank < deviceRank && !d.metadata.segregation;
+  }).map((d) => ({
+    code: "architecture_no_segregation",
+    severity: "warning",
+    documentId: d.documentId,
+    documentTitle: d.title,
+    message: `${d.documentId} has safety_class '${d.metadata.safety_class}' (device default: '${deviceSafetyClass}') but no segregation strategy documented (IEC 62304 \xA75.3.5).`
+  }));
+}
+var APPROVED_STATUSES = /* @__PURE__ */ new Set(["approved", "effective"]);
+var HAZARD_DOC_TYPES = /* @__PURE__ */ new Set(["haz_soe_software", "haz_soe_security"]);
+function detectArchitectureNoRiskAnalysis(documents, links) {
+  const analyzedByHazard = /* @__PURE__ */ new Set();
+  for (const doc of documents) {
+    if (!HAZARD_DOC_TYPES.has(doc.docType)) continue;
+    const softwareItem = doc.metadata.software_item;
+    if (softwareItem) {
+      analyzedByHazard.add(softwareItem);
+    }
+  }
+  for (const link of links) {
+    if (link.linkType === "analyzes") {
+      analyzedByHazard.add(link.targetDocumentId);
+    }
+  }
+  return documents.filter((d) => {
+    if (!isArchitectureDoc(d.docType)) return false;
+    if (!APPROVED_STATUSES.has(d.metadata.status)) return false;
+    return !analyzedByHazard.has(d.documentId);
+  }).map((d) => ({
+    code: "architecture_no_risk_analysis",
+    severity: "warning",
+    documentId: d.documentId,
+    documentTitle: d.title,
+    message: `${d.documentId} is an approved ${d.docType} with no hazard analysis. Every software item must be evaluated for contribution to hazardous situations (IEC 62304 \xA77.1).`
+  }));
+}
+function detectArchitectureNoParent(documents) {
+  const needsParent = /* @__PURE__ */ new Set(["subsystem", "component", "unit"]);
+  return documents.filter((d) => {
+    if (!isArchitectureDoc(d.docType)) return false;
+    const itemType = d.metadata.software_item_type;
+    if (!itemType || !needsParent.has(itemType)) return false;
+    return !d.metadata.parent_item;
+  }).map((d) => ({
+    code: "architecture_no_parent",
+    severity: "warning",
+    documentId: d.documentId,
+    documentTitle: d.title,
+    message: `${d.documentId} is a ${d.metadata.software_item_type} but has no parent_item. Non-system software items must reference their parent (IEC 62304 \xA75.3.2).`
+  }));
+}
+function isApprovedOrEffective(doc) {
+  return doc.status === "approved" || doc.status === "effective";
+}
+function buildGap(doc, code, severity, message) {
+  return {
+    code,
+    severity,
+    documentId: doc.id,
+    documentTitle: doc.title,
+    message,
+    ...doc.repositoryId && { repositoryId: doc.repositoryId },
+    ...doc.repositoryName && { repositoryName: doc.repositoryName }
+  };
+}
+var HAZARD_TYPES = /* @__PURE__ */ new Set(["haz_soe_software", "haz_soe_security"]);
+var ARCHITECTURE_TYPES = /* @__PURE__ */ new Set(["architecture", "detailed_design"]);
+var RISK_ENTRY_TYPES = /* @__PURE__ */ new Set(["software_risk", "usability_risk", "security_risk"]);
+var NEEDS_DETAILED_DESIGN = /* @__PURE__ */ new Set(["unit", "component"]);
+var HIGH_CIA = "high";
+function buildVerifiedDocIds(links) {
+  const ids = /* @__PURE__ */ new Set();
+  for (const link of links) {
+    if (link.type === "verified_by") {
+      ids.add(link.sourceId);
+      ids.add(link.targetId);
+    }
+  }
+  return ids;
+}
+function classSeverity(deviceSafetyClass) {
+  return deviceSafetyClass === "C" ? "error" : "warning";
+}
+function detectHazardNoSoftwareItem(documents, deviceSafetyClass) {
+  const severity = classSeverity(deviceSafetyClass);
+  return documents.filter((d) => {
+    if (!HAZARD_TYPES.has(d.type)) return false;
+    if (!isApprovedOrEffective(d)) return false;
+    return !d.frontmatter.software_item;
+  }).map(
+    (d) => buildGap(
+      d,
+      "hazard_no_software_item",
+      severity,
+      `Hazard "${d.title}" has no software_item reference. Every hazard must be traceable to a software item (IEC 62304 \xA77.1).`
+    )
+  );
+}
+function detectSecurityHazardNoAssetRef(documents) {
+  const docById = new Map(documents.map((d) => [d.id, d]));
+  const gaps = [];
+  for (const doc of documents) {
+    if (doc.type !== "haz_soe_security") continue;
+    if (!isApprovedOrEffective(doc)) continue;
+    const targetId = doc.frontmatter.software_item;
+    if (!targetId) continue;
+    const targetDoc = docById.get(targetId);
+    if (!targetDoc || !ARCHITECTURE_TYPES.has(targetDoc.type)) continue;
+    const assetTypes = targetDoc.frontmatter.asset_types;
+    if (!assetTypes || assetTypes.length === 0) {
+      gaps.push(
+        buildGap(
+          doc,
+          "security_hazard_no_asset_ref",
+          "warning",
+          `Security hazard "${doc.title}" targets "${targetId}" which has no asset_types. Structured asset identification is required (IEC 81001-5-1).`
+        )
+      );
+    }
+  }
+  return gaps;
+}
+function detectHighCiaNoSecurityHazard(documents) {
+  const analyzedBySecurityHazard = /* @__PURE__ */ new Set();
+  for (const doc of documents) {
+    if (doc.type !== "haz_soe_security") continue;
+    const targetId = doc.frontmatter.software_item;
+    if (targetId) {
+      analyzedBySecurityHazard.add(targetId);
+    }
+  }
+  return documents.filter((d) => {
+    if (!ARCHITECTURE_TYPES.has(d.type)) return false;
+    if (!isApprovedOrEffective(d)) return false;
+    const cia = d.frontmatter.cia_impact;
+    if (!cia) return false;
+    const hasHighCia = cia.confidentiality === HIGH_CIA || cia.integrity === HIGH_CIA || cia.availability === HIGH_CIA;
+    if (!hasHighCia) return false;
+    return !analyzedBySecurityHazard.has(d.id);
+  }).map(
+    (d) => buildGap(
+      d,
+      "high_cia_no_security_hazard",
+      "warning",
+      `Architecture doc "${d.title}" has high CIA impact but no security hazard analysis. High-value assets require security risk analysis (IEC 81001-5-1).`
+    )
+  );
+}
+function detectDetailedDesignMissingForUnit(documents, deviceSafetyClass) {
+  const severity = classSeverity(deviceSafetyClass);
+  const hasDetailedDesign = /* @__PURE__ */ new Set();
+  for (const doc of documents) {
+    if (doc.type !== "detailed_design") continue;
+    const parentItem = doc.frontmatter.parent_item;
+    if (parentItem) {
+      hasDetailedDesign.add(parentItem);
+    }
+  }
+  return documents.filter((d) => {
+    if (!ARCHITECTURE_TYPES.has(d.type)) return false;
+    if (!isApprovedOrEffective(d)) return false;
+    const itemType = d.frontmatter.software_item_type;
+    if (!itemType || !NEEDS_DETAILED_DESIGN.has(itemType)) return false;
+    if (d.type === "detailed_design" && itemType === "unit") return false;
+    return !hasDetailedDesign.has(d.id);
+  }).map(
+    (d) => buildGap(
+      d,
+      "detailed_design_missing_for_unit",
+      severity,
+      `Architecture ${d.frontmatter.software_item_type} "${d.title}" has no detailed design document. IEC 62304 \xA75.4.2 requires detailed design for units and components.`
+    )
+  );
+}
+function detectUnitNoVerification(documents, links, deviceSafetyClass) {
+  const severity = classSeverity(deviceSafetyClass);
+  const verifiedDocIds = buildVerifiedDocIds(links);
+  return documents.filter((d) => {
+    if (d.type !== "detailed_design") return false;
+    if (!isApprovedOrEffective(d)) return false;
+    return !verifiedDocIds.has(d.id);
+  }).map(
+    (d) => buildGap(
+      d,
+      "unit_no_verification",
+      severity,
+      `Detailed design "${d.title}" has no verified_by link to a test protocol or test report. IEC 62304 \xA75.5.5 requires unit verification.`
+    )
+  );
+}
+function detectRiskControlNoVerification(documents, links) {
+  const verifiedDocIds = buildVerifiedDocIds(links);
+  const gaps = [];
+  for (const doc of documents) {
+    if (!RISK_ENTRY_TYPES.has(doc.type)) continue;
+    if (!isApprovedOrEffective(doc)) continue;
+    const controls = /* @__PURE__ */ new Set();
+    const topLevel = doc.frontmatter.mitigations ?? [];
+    for (const m of topLevel) {
+      controls.add(m.control);
+    }
+    const perHS = doc.frontmatter.hazardous_situation_assessments ?? [];
+    for (const hsa of perHS) {
+      for (const m of hsa.mitigations ?? []) {
+        controls.add(m.control);
+      }
+    }
+    for (const control of controls) {
+      if (!verifiedDocIds.has(control)) {
+        gaps.push(
+          buildGap(
+            doc,
+            "risk_control_no_verification",
+            "warning",
+            `Risk "${doc.title}" has mitigation control "${control}" with no verified_by link to a test document. Risk controls must be verified (IEC 62304 \xA77.3).`
+          )
+        );
+      }
+    }
+  }
+  return gaps;
+}
+function detectArchitectureNoAssetTypes(documents, deviceSafetyClass) {
+  if (deviceSafetyClass !== "C") return [];
+  return documents.filter((d) => {
+    if (!ARCHITECTURE_TYPES.has(d.type)) return false;
+    if (!isApprovedOrEffective(d)) return false;
+    const assetTypes = d.frontmatter.asset_types;
+    return !assetTypes || assetTypes.length === 0;
+  }).map(
+    (d) => buildGap(
+      d,
+      "architecture_no_asset_types",
+      "warning",
+      `Architecture doc "${d.title}" has no asset_types. Class C devices require structured asset identification for cybersecurity risk analysis (IEC 81001-5-1).`
+    )
+  );
+}
+function getAcceptabilityStatus(severity, probability, config) {
+  const coord = [severity, probability];
+  if (config.unacceptable.some(([s, p]) => s === coord[0] && p === coord[1])) {
+    return "unacceptable";
+  }
+  if (config.review_required?.some(([s, p]) => s === coord[0] && p === coord[1])) {
+    return "review_required";
+  }
+  return "acceptable";
+}
+function collectAllMitigations(doc) {
+  const topLevel = doc.frontmatter.mitigations ?? [];
+  const perHS = (doc.frontmatter.hazardous_situation_assessments ?? []).flatMap(
+    (hsa) => hsa.mitigations ?? []
+  );
+  return [...topLevel, ...perHS];
+}
+function collectAllHarms(doc) {
+  return (doc.frontmatter.hazardous_situation_assessments ?? []).flatMap((hsa) => hsa.harms);
+}
+function detectMitigationGaps(doc, docById, mitigations) {
+  const gaps = [];
+  for (const mitigation of mitigations) {
+    const controlDoc = docById.get(mitigation.control);
+    if (!controlDoc) {
+      gaps.push(
+        buildGap(
+          doc,
+          "broken_mitigation_link",
+          "error",
+          `Risk "${doc.title}" references non-existent control "${mitigation.control}"`
+        )
+      );
+    } else if (controlDoc.status && controlDoc.status !== "approved" && controlDoc.status !== "effective") {
+      gaps.push(
+        buildGap(
+          doc,
+          "control_not_approved",
+          "warning",
+          `Risk "${doc.title}" mitigated by control "${mitigation.control}" which is not approved`
+        )
+      );
+    }
+  }
+  return gaps;
+}
+function detectBrokenReferences(doc, assessments, docById) {
+  const gaps = [];
+  for (const hsa of assessments) {
+    if (hsa.hazardous_situation && !docById.has(hsa.hazardous_situation)) {
+      gaps.push(
+        buildGap(
+          doc,
+          "risk_broken_safety_chain",
+          "error",
+          `Risk "${doc.title}" references non-existent hazardous situation "${hsa.hazardous_situation}"`
+        )
+      );
+    }
+    for (const harm of hsa.harms) {
+      if (harm.harm && !docById.has(harm.harm)) {
+        gaps.push(
+          buildGap(
+            doc,
+            "risk_broken_safety_chain",
+            "error",
+            `Risk "${doc.title}" references non-existent harm "${harm.harm}"`
+          )
+        );
+      }
+    }
+  }
+  return gaps;
+}
+function detectSafetyChainGaps(doc, docById) {
+  if (!isApprovedOrEffective(doc)) return [];
+  const gaps = [];
+  const assessments = doc.frontmatter.hazardous_situation_assessments;
+  const allHarms = collectAllHarms(doc);
+  if (!assessments || assessments.length === 0 || allHarms.length === 0) {
+    const missingParts = [];
+    if (!assessments || assessments.length === 0)
+      missingParts.push("hazardous situation reference");
+    if (allHarms.length === 0) missingParts.push("harm assessments");
+    gaps.push(
+      buildGap(
+        doc,
+        "risk_missing_safety_chain",
+        "error",
+        `Risk "${doc.title}" missing ${missingParts.join(" and ")}`
+      )
+    );
+  }
+  if (assessments) {
+    gaps.push(...detectBrokenReferences(doc, assessments, docById));
+  }
+  return gaps;
+}
+function detectWrongProbabilityDimension(doc) {
+  if (!isApprovedOrEffective(doc)) return [];
+  const allHarms = collectAllHarms(doc);
+  if (allHarms.length === 0) return [];
+  const isSecurityRisk = doc.type === "security_risk";
+  const gaps = [];
+  for (const assessment of allHarms) {
+    if (isSecurityRisk) {
+      if (assessment.inherent_probability != null && assessment.inherent_exploitability == null) {
+        gaps.push(
+          buildGap(
+            doc,
+            "wrong_probability_dimension",
+            "error",
+            `Security risk "${doc.title}" uses inherent_probability instead of inherent_exploitability for harm "${assessment.harm}"`
+          )
+        );
+      }
+    } else {
+      if (assessment.inherent_exploitability != null && assessment.inherent_probability == null) {
+        gaps.push(
+          buildGap(
+            doc,
+            "wrong_probability_dimension",
+            "error",
+            `Risk "${doc.title}" uses inherent_exploitability instead of inherent_probability for harm "${assessment.harm}"`
+          )
+        );
+      }
+    }
+  }
+  return gaps;
+}
+function checkAssessmentAcceptability(allHarms, docById, config) {
+  let anyInherentUnacceptable = false;
+  let anyResidualUnacceptable = false;
+  for (const assessment of allHarms) {
+    const harmDoc = docById.get(assessment.harm);
+    const severity = harmDoc?.frontmatter?.severity ?? 1;
+    const probability = assessment.inherent_probability ?? assessment.inherent_exploitability ?? 1;
+    if (getAcceptabilityStatus(severity, probability, config) === "unacceptable") {
+      anyInherentUnacceptable = true;
+    }
+    const residualSeverity = assessment.harm_severity_override ?? severity;
+    const residualProbability = assessment.residual_probability ?? assessment.residual_exploitability ?? probability;
+    if (getAcceptabilityStatus(residualSeverity, residualProbability, config) === "unacceptable") {
+      anyResidualUnacceptable = true;
+    }
+  }
+  return { anyInherentUnacceptable, anyResidualUnacceptable };
+}
+function detectIsoCategoryGaps(doc) {
+  if (!isApprovedOrEffective(doc)) return [];
+  const allMitigations = collectAllMitigations(doc);
+  const gaps = [];
+  for (const mitigation of allMitigations) {
+    if (!mitigation.iso_category) {
+      gaps.push(
+        buildGap(
+          doc,
+          "missing_iso_category",
+          "error",
+          `Risk "${doc.title}" has mitigation "${mitigation.control}" without iso_category`
+        )
+      );
+    }
+  }
+  return gaps;
+}
+function detectRiskAcceptableGaps(doc) {
+  if (!isApprovedOrEffective(doc)) return [];
+  const allHarms = collectAllHarms(doc);
+  const gaps = [];
+  for (const harm of allHarms) {
+    if (harm.risk_acceptable == null) {
+      gaps.push(
+        buildGap(
+          doc,
+          "missing_risk_acceptable",
+          "error",
+          `Risk "${doc.title}" has harm "${harm.harm}" without risk_acceptable field`
+        )
+      );
+    }
+  }
+  return gaps;
+}
+function detectBenefitGaps(doc) {
+  if (!isApprovedOrEffective(doc)) return [];
+  const allHarms = collectAllHarms(doc);
+  const gaps = [];
+  for (const harm of allHarms) {
+    if (harm.risk_acceptable === false && harm.benefit_outweighs_risk == null) {
+      gaps.push(
+        buildGap(
+          doc,
+          "unacceptable_no_benefit",
+          "error",
+          `Risk "${doc.title}" has unacceptable harm "${harm.harm}" without benefit_outweighs_risk`
+        )
+      );
+    }
+  }
+  return gaps;
+}
+function detectMissingBodyRationale(doc) {
+  if (!isApprovedOrEffective(doc)) return [];
+  const assessments = doc.frontmatter.hazardous_situation_assessments;
+  if (!assessments || assessments.length === 0) return [];
+  if (!doc.bodySectionHeadings || doc.bodySectionHeadings.length === 0) return [];
+  const gaps = [];
+  for (const hsa of assessments) {
+    for (const harm of hsa.harms) {
+      const expectedHeading = `${harm.harm} via ${hsa.hazardous_situation}`;
+      if (!doc.bodySectionHeadings.some(
+        (h) => h.toLowerCase().trim() === expectedHeading.toLowerCase().trim()
+      )) {
+        gaps.push(
+          buildGap(
+            doc,
+            "missing_body_rationale",
+            "error",
+            `Risk "${doc.title}" is missing body section "## ${expectedHeading}"`
+          )
+        );
+      }
+    }
+  }
+  return gaps;
+}
+function detectOrphanedBodySections(doc) {
+  const assessments = doc.frontmatter.hazardous_situation_assessments;
+  if (!assessments || assessments.length === 0) return [];
+  if (!doc.bodySectionHeadings || doc.bodySectionHeadings.length === 0) return [];
+  const expectedHeadings = /* @__PURE__ */ new Set();
+  for (const hsa of assessments) {
+    for (const harm of hsa.harms) {
+      expectedHeadings.add(`${harm.harm} via ${hsa.hazardous_situation}`.toLowerCase().trim());
+    }
+  }
+  const optionalSections = /* @__PURE__ */ new Set(["risk-benefit analysis", "harm assessment"]);
+  const gaps = [];
+  for (const heading of doc.bodySectionHeadings) {
+    const normalized = heading.toLowerCase().trim();
+    if (!expectedHeadings.has(normalized) && !optionalSections.has(normalized)) {
+      gaps.push(
+        buildGap(
+          doc,
+          "orphaned_body_section",
+          "warning",
+          `Risk "${doc.title}" has body section "## ${heading}" that does not match any frontmatter assessment`
+        )
+      );
+    }
+  }
+  return gaps;
+}
+function detectRiskEntryGaps(doc, docById, config) {
+  const gaps = [];
+  gaps.push(...detectSafetyChainGaps(doc, docById));
+  gaps.push(...detectWrongProbabilityDimension(doc));
+  const allHarms = collectAllHarms(doc);
+  const allMitigations = collectAllMitigations(doc);
+  const { anyInherentUnacceptable, anyResidualUnacceptable } = checkAssessmentAcceptability(
+    allHarms,
+    docById,
+    config
+  );
+  if (anyInherentUnacceptable && allMitigations.length === 0) {
+    gaps.push(
+      buildGap(
+        doc,
+        "missing_mitigation",
+        "error",
+        `Risk "${doc.title}" has unacceptable inherent risk but no mitigations`
+      )
+    );
+  }
+  gaps.push(...detectMitigationGaps(doc, docById, allMitigations));
+  gaps.push(...detectRiskAcceptableGaps(doc));
+  gaps.push(...detectBenefitGaps(doc));
+  if (anyResidualUnacceptable && !doc.hasRiskBenefitSection) {
+    gaps.push(
+      buildGap(
+        doc,
+        "missing_risk_benefit",
+        "error",
+        `Risk "${doc.title}" has unacceptable residual risk but no risk-benefit analysis`
+      )
+    );
+  }
+  gaps.push(...detectIsoCategoryGaps(doc));
+  gaps.push(...detectMissingBodyRationale(doc));
+  gaps.push(...detectOrphanedBodySections(doc));
+  return gaps;
+}
+var HAZARD_TYPES2 = ["haz_soe_software", "haz_soe_security"];
+var RISK_TYPES = ["software_risk", "usability_risk", "security_risk"];
+function detectHazardGaps(doc, leadsToLinks, analyzesLinks, allDocuments) {
+  const gaps = [];
+  const hasLeadsTo = doc.frontmatter.leads_to?.length || leadsToLinks.some((l) => l.sourceId === doc.id);
+  if (!hasLeadsTo) {
+    gaps.push(
+      buildGap(
+        doc,
+        "hazard_no_situation",
+        "error",
+        `Hazard "${doc.title}" has no leads_to links to hazardous situations`
+      )
+    );
+  }
+  const isAnalyzed = analyzesLinks.some((l) => l.targetId === doc.id) || allDocuments.some((d) => RISK_TYPES.includes(d.type) && d.frontmatter.analyzes === doc.id);
+  if (!isAnalyzed) {
+    gaps.push(
+      buildGap(
+        doc,
+        "hazard_not_analyzed",
+        "warning",
+        `Hazard "${doc.title}" is not analyzed by any risk entry`
+      )
+    );
+  }
+  return gaps;
+}
+function detectHazardCategoryGaps(doc, docById) {
+  if (!isApprovedOrEffective(doc)) return [];
+  const gaps = [];
+  const categoryRef = doc.frontmatter.hazard_category;
+  if (!categoryRef) {
+    gaps.push(
+      buildGap(
+        doc,
+        "haz_missing_category",
+        "warning",
+        `Hazard "${doc.title}" has no hazard_category reference`
+      )
+    );
+    return gaps;
+  }
+  const categoryDoc = docById.get(categoryRef);
+  if (!categoryDoc) {
+    gaps.push(
+      buildGap(
+        doc,
+        "haz_invalid_category",
+        "error",
+        `Hazard "${doc.title}" references non-existent category "${categoryRef}"`
+      )
+    );
+    return gaps;
+  }
+  if (categoryDoc.status !== "approved" && categoryDoc.status !== "effective") {
+    gaps.push(
+      buildGap(
+        doc,
+        "category_not_approved",
+        "warning",
+        `Hazard "${doc.title}" references category "${categoryRef}" which is not approved`
+      )
+    );
+  }
+  return gaps;
+}
+function detectPreliminaryGaps(doc, allDocuments) {
+  if (!doc.frontmatter.preliminary) return [];
+  const isAnalyzedByRisk = allDocuments.some(
+    (d) => RISK_TYPES.includes(d.type) && d.frontmatter.analyzes === doc.id
+  );
+  if (!isAnalyzedByRisk) {
+    return [
+      buildGap(
+        doc,
+        "preliminary_not_analyzed",
+        "warning",
+        `Preliminary hazard "${doc.title}" is not analyzed by any risk entry`
+      )
+    ];
+  }
+  return [];
+}
+function detectRiskGaps(documents, links, config, _deviceSafetyClass) {
+  const gaps = [];
+  const docById = new Map(documents.map((d) => [d.id, d]));
+  const leadsToLinks = links.filter((l) => l.type === "leads_to");
+  const resultsInLinks = links.filter((l) => l.type === "results_in");
+  const analyzesLinks = links.filter((l) => l.type === "analyzes");
+  for (const doc of documents) {
+    if (HAZARD_TYPES2.includes(doc.type)) {
+      gaps.push(...detectHazardGaps(doc, leadsToLinks, analyzesLinks, documents));
+      gaps.push(...detectHazardCategoryGaps(doc, docById));
+      gaps.push(...detectPreliminaryGaps(doc, documents));
+    }
+    if (doc.type === "hazardous_situation") {
+      const hasResultsIn = doc.frontmatter.results_in?.length || resultsInLinks.some((l) => l.sourceId === doc.id);
+      if (!hasResultsIn) {
+        gaps.push(
+          buildGap(
+            doc,
+            "situation_no_harm",
+            "error",
+            `Hazardous situation "${doc.title}" has no results_in links to harms`
+          )
+        );
+      }
+    }
+    if (RISK_TYPES.includes(doc.type)) {
+      gaps.push(...detectRiskEntryGaps(doc, docById, config));
+    }
+  }
+  return gaps;
+}
+function detectBrokenLinks(documents, links) {
+  const gaps = [];
+  const documentIds = new Set(documents.map((d) => d.documentId));
+  for (const link of links) {
+    if (!documentIds.has(link.targetDocumentId)) {
+      const sourceDoc = documents.find((d) => d.documentId === link.sourceDocumentId);
+      gaps.push({
+        code: "broken_link",
+        severity: "error",
+        documentId: link.sourceDocumentId,
+        documentTitle: sourceDoc?.title || link.sourceDocumentId,
+        message: `Link references non-existent document: ${link.targetDocumentId}`,
+        metadata: { targetId: link.targetDocumentId, linkType: link.linkType }
+      });
+    }
+  }
+  return gaps;
+}
+function detectOrphanedPrs(documents, links) {
+  const gaps = [];
+  const productRequirements = documents.filter(
+    (d) => d.docType === "requirement" && d.metadata.category === "product"
+  );
+  for (const req of productRequirements) {
+    const hasDerivesFrom = links.some(
+      (l) => l.sourceDocumentId === req.documentId && l.linkType === "derives_from"
+    );
+    if (!hasDerivesFrom) {
+      gaps.push({
+        code: "prs_no_upstream",
+        severity: "warning",
+        documentId: req.documentId,
+        documentTitle: req.title,
+        message: `Product requirement has no upstream link (derives_from). Should derive from a User Need, Risk, or regulatory requirement.`
+      });
+    }
+  }
+  return gaps;
+}
+function detectOrphanedPrsFulfillment(documents, links) {
+  const FULFILLMENT_TARGET = {
+    labeling: "labeling",
+    clinical: "clinical_evaluation_report",
+    usability: "summative_evaluation"
+  };
+  const gaps = [];
+  const docTypeById = new Map(documents.map((d) => [d.documentId, d.docType]));
+  const productRequirements = documents.filter(
+    (d) => d.docType === "requirement" && d.metadata.category === "product"
+  );
+  for (const req of productRequirements) {
+    const fulfillmentType = req.metadata.fulfillment_type;
+    const expectedDocType = fulfillmentType ? FULFILLMENT_TARGET[fulfillmentType] : void 0;
+    if (!expectedDocType) continue;
+    const hasLink = links.some(
+      (l) => l.sourceDocumentId === req.documentId && l.linkType === "implements" && docTypeById.get(l.targetDocumentId) === expectedDocType
+    );
+    if (!hasLink) {
+      gaps.push({
+        code: "prs_no_fulfillment",
+        severity: "warning",
+        documentId: req.documentId,
+        documentTitle: req.title,
+        message: `${req.documentId} has fulfillment_type '${fulfillmentType}' but no implements link to a ${expectedDocType.replace(/_/g, " ")} document`
+      });
+    }
+  }
+  return gaps;
+}
+function detectSrsMissingReqType(documents) {
+  const gaps = [];
+  const softwareRequirements = documents.filter(
+    (d) => d.docType === "requirement" && d.metadata.category === "software"
+  );
+  for (const req of softwareRequirements) {
+    if (!req.metadata.req_type) {
+      gaps.push({
+        code: "srs_missing_req_type",
+        severity: "warning",
+        documentId: req.documentId,
+        documentTitle: req.title,
+        message: `Software requirement missing req_type classification (IEC 62304 \xA75.2.2). Add req_type: functional|interface|performance|security|usability|safety|regulatory to frontmatter.`
+      });
+    }
+  }
+  return gaps;
+}
+function extractH2Headings(body) {
+  const headings = [];
+  for (const line of body.split("\n")) {
+    const match = line.match(/^##\s+(.+)/);
+    if (match) {
+      headings.push(match[1].trim());
+    }
+  }
+  return headings;
+}
+function checkRequiredHeadings(doc, body, requiredSections) {
+  const headingsLower = extractH2Headings(body).map((h) => h.toLowerCase());
+  return requiredSections.filter((section) => !headingsLower.some((h) => h.includes(section.toLowerCase()))).map((section) => ({
+    code: "missing_section",
+    severity: "warning",
+    documentId: doc.documentId,
+    documentTitle: doc.title,
+    message: `Missing required section: "${section}"`
+  }));
+}
+function detectMissingSections(documents, bodies) {
+  const gaps = [];
+  for (const doc of documents) {
+    const requiredSections = REQUIRED_SECTIONS[doc.docType];
+    if (!requiredSections) continue;
+    const body = bodies.get(doc.documentId);
+    if (!body) continue;
+    gaps.push(...checkRequiredHeadings(doc, body, requiredSections));
+  }
+  return gaps;
+}
+var STANDARD_REQUIRED_SECTIONS = ["Requirement", "Verification Criteria"];
+var USER_STORY_REQUIRED_SECTIONS = ["User Story", "Verification Criteria"];
+function detectRequirementFormatSections(documents, bodies) {
+  const gaps = [];
+  const requirements = documents.filter((d) => d.docType === "requirement");
+  for (const req of requirements) {
+    const body = bodies.get(req.documentId);
+    if (!body) continue;
+    const format = req.metadata.format;
+    const requiredSections = format === "user_story" ? USER_STORY_REQUIRED_SECTIONS : STANDARD_REQUIRED_SECTIONS;
+    gaps.push(...checkRequiredHeadings(req, body, requiredSections));
+  }
+  return gaps;
+}
+function detectUnlinkedMajorNc(documents) {
+  const gaps = [];
+  const auditReports = documents.filter((d) => d.docType === "audit_report");
+  for (const doc of auditReports) {
+    const findings = doc.metadata.findings ?? [];
+    for (const finding of findings) {
+      if (finding.classification === "major_nc" && !finding.capa_id) {
+        gaps.push({
+          code: "unlinked_major_nc",
+          severity: "error",
+          documentId: doc.documentId,
+          documentTitle: doc.title,
+          message: `Finding ${finding.finding_id} is classified as major nonconformity but has no linked CAPA. Major NCs require corrective action per ISO 13485 \xA78.5.2.`,
+          metadata: { findingId: finding.finding_id, classification: finding.classification }
+        });
+      }
+    }
+  }
+  return gaps;
+}
+function detectOverdueAudits(documents) {
+  const gaps = [];
+  const schedules = documents.filter((d) => d.docType === "audit_schedule");
+  const now = /* @__PURE__ */ new Date();
+  for (const doc of schedules) {
+    const audits = doc.metadata.audits ?? [];
+    for (const audit of audits) {
+      if (audit.status === "planned" && new Date(audit.planned_date) < now) {
+        gaps.push({
+          code: "overdue_audit",
+          severity: "warning",
+          documentId: doc.documentId,
+          documentTitle: doc.title,
+          message: `Planned audit "${audit.audit_id}" (${audit.process_area}) was due ${audit.planned_date} but is still in planned status.`,
+          metadata: {
+            auditId: audit.audit_id,
+            processArea: audit.process_area,
+            plannedDate: audit.planned_date
+          }
+        });
+      }
+    }
+  }
+  return gaps;
+}
+function toDocumentForGaps(doc) {
+  const m = doc.metadata;
+  return {
+    id: doc.documentId,
+    type: doc.docType,
+    title: doc.title,
+    status: m.status,
+    frontmatter: {
+      leads_to: m.leads_to,
+      results_in: m.results_in,
+      analyzes: m.analyzes,
+      preliminary: m.preliminary,
+      hazard_category: m.hazard_category,
+      software_item: m.software_item,
+      software_item_type: m.software_item_type,
+      parent_item: m.parent_item,
+      asset_types: m.asset_types,
+      severity: m.severity,
+      cia_impact: m.cia_impact,
+      mitigations: m.mitigations,
+      hazardous_situation_assessments: m.hazardous_situation_assessments
+    }
+  };
+}
+function toLinkForGaps(link) {
+  return {
+    sourceId: link.sourceDocumentId,
+    targetId: link.targetDocumentId,
+    type: link.linkType
+  };
+}
+function riskGapToGap(rg) {
+  return {
+    code: rg.code,
+    severity: rg.severity,
+    documentId: rg.documentId,
+    documentTitle: rg.documentTitle,
+    message: rg.message
+  };
+}
+function detectRiskSecurityGaps(docsForGaps, linksForGaps, deviceSafetyClass) {
+  return [
+    ...detectHazardNoSoftwareItem(docsForGaps, deviceSafetyClass),
+    ...detectSecurityHazardNoAssetRef(docsForGaps),
+    ...detectHighCiaNoSecurityHazard(docsForGaps),
+    ...detectDetailedDesignMissingForUnit(docsForGaps, deviceSafetyClass),
+    ...detectUnitNoVerification(docsForGaps, linksForGaps, deviceSafetyClass),
+    ...detectRiskControlNoVerification(docsForGaps, linksForGaps),
+    ...detectArchitectureNoAssetTypes(docsForGaps, deviceSafetyClass)
+  ].map(riskGapToGap);
+}
+function buildSummary(gaps) {
+  let errorCount = 0;
+  let warningCount = 0;
+  const byCode = {};
+  for (const gap of gaps) {
+    if (gap.severity === "error") errorCount++;
+    else warningCount++;
+    byCode[gap.code] = (byCode[gap.code] || 0) + 1;
+  }
+  return { errorCount, warningCount, byCode };
+}
+function detectAllGaps(documents, links, context) {
+  const { deviceSafetyClass, bodies, acceptabilityConfig } = context ?? {};
+  const gaps = [];
+  gaps.push(...detectBrokenLinks(documents, links));
+  gaps.push(...detectOrphanedPrs(documents, links));
+  gaps.push(...detectOrphanedPrsFulfillment(documents, links));
+  gaps.push(...detectSrsMissingReqType(documents));
+  if (bodies) {
+    gaps.push(...detectMissingSections(documents, bodies));
+    gaps.push(...detectRequirementFormatSections(documents, bodies));
+  }
+  gaps.push(...detectUnlinkedMajorNc(documents));
+  gaps.push(...detectOverdueAudits(documents));
+  gaps.push(...detectRequirementNoArchitecture(documents, links));
+  gaps.push(...detectArchitectureNoSegregation(documents, deviceSafetyClass));
+  gaps.push(...detectArchitectureNoParent(documents));
+  gaps.push(...detectArchitectureNoRiskAnalysis(documents, links));
+  const docsForGaps = documents.map(toDocumentForGaps);
+  const linksForGaps = links.map(toLinkForGaps);
+  gaps.push(...detectRiskSecurityGaps(docsForGaps, linksForGaps, deviceSafetyClass));
+  if (acceptabilityConfig) {
+    const riskGaps = detectRiskGaps(
+      docsForGaps,
+      linksForGaps,
+      acceptabilityConfig,
+      deviceSafetyClass
+    );
+    gaps.push(...riskGaps.map(riskGapToGap));
+  }
+  return { gaps, summary: buildSummary(gaps) };
+}
+var RetentionPolicySchema = z14.object({
+  /** Default retention period in years for all record types */
+  defaultPeriodYears: z14.number().int().min(1).max(30).default(10),
+  /**
+   * Optional per-record-type overrides (e.g., { "release": 15, "signature": 20 }).
+   * Keys are record type identifiers; values are retention periods in years.
+   */
+  byRecordType: z14.record(z14.string(), z14.number().int().min(1).max(30)).optional()
+});
+var MemberPermissionsSchema = z15.object({
+  canSign: z15.boolean(),
+  canApprove: z15.boolean(),
+  canCreateRelease: z15.boolean(),
+  canPublishRelease: z15.boolean(),
+  canApproveTransfer: z15.boolean(),
+  canManageMembers: z15.boolean(),
+  canViewAuditLog: z15.boolean(),
+  canExport: z15.boolean()
+});
+var SoftwareItemTypeSchema = z16.enum(["system", "subsystem", "component", "unit"]);
+var AssetTypeSchema = z16.enum([
+  "data_store",
+  "api_endpoint",
+  "background_worker",
+  "auth_provider",
+  "external_service",
+  "user_interface",
+  "message_queue",
+  "network_boundary"
+]);
+var CiaImpactLevelSchema = z16.enum(["low", "medium", "high"]);
+var CiaImpactSchema = z16.object({
+  confidentiality: CiaImpactLevelSchema.optional(),
+  integrity: CiaImpactLevelSchema.optional(),
+  availability: CiaImpactLevelSchema.optional()
+});
+var SegregationSchema = z16.object({
+  mechanism: z16.string().min(1),
+  rationale: z16.string().min(1)
+});
+var ArchitectureFrontmatterSchema = z16.object({
+  id: z16.string().min(1),
+  title: z16.string().min(1),
+  /** Required — cannot be inferred from folder alone since architecture/ and design/ share parent */
+  type: z16.literal("architecture"),
+  status: RiskDocumentStatusSchema,
+  /** IEC 62304 §5.3 — C4/IEC mapping: system, subsystem, component, unit (required) */
+  software_item_type: SoftwareItemTypeSchema,
+  /** Parent HLD doc ID (optional for system-level, recommended for subsystem/component) */
+  parent_item: z16.string().optional(),
+  safety_class: SafetyClassSchema.optional(),
+  segregation: SegregationSchema.optional(),
+  /** Document author — required for all regulated document types */
+  author: z16.string().min(1),
+  reviewers: z16.array(z16.string()).optional(),
+  /** Approver list — required for all regulated document types */
+  approvers: z16.array(z16.string()).min(1),
+  /** SRS requirement IDs this architecture item implements (IEC 62304 §5.3.1) */
+  implements: z16.array(z16.string().min(1)).optional(),
+  /** IEC 81001-5-1 asset classification for this software item (optional, enables security gap detection) */
+  asset_types: z16.array(AssetTypeSchema).optional(),
+  /** CIA impact assessment — enables automated detection of high-value assets missing security analysis */
+  cia_impact: CiaImpactSchema.optional()
+});
+var DetailedDesignFrontmatterSchema = z16.object({
+  id: z16.string().min(1),
+  title: z16.string().min(1),
+  /** Required — cannot be inferred from folder alone since architecture/ and design/ share parent */
+  type: z16.literal("detailed_design"),
+  status: RiskDocumentStatusSchema,
+  /** IEC 62304 §5.4 — typically component or unit (required) */
+  software_item_type: SoftwareItemTypeSchema,
+  /** Parent HLD doc ID — required for SDD (must reference parent architecture) */
+  parent_item: z16.string().min(1),
+  safety_class: SafetyClassSchema.optional(),
+  segregation: SegregationSchema.optional(),
+  /** Document author — required for all regulated document types */
+  author: z16.string().min(1),
+  reviewers: z16.array(z16.string()).optional(),
+  /** Approver list — required for all regulated document types */
+  approvers: z16.array(z16.string()).min(1),
+  /** SRS requirement IDs this design item implements (IEC 62304 §5.4.2) */
+  implements: z16.array(z16.string().min(1)).optional(),
+  /** IEC 81001-5-1 asset classification for this software item (optional, enables security gap detection) */
+  asset_types: z16.array(AssetTypeSchema).optional(),
+  /** CIA impact assessment — enables automated detection of high-value assets missing security analysis */
+  cia_impact: CiaImpactSchema.optional()
+});
+var RequirementTypeSchema = z17.enum([
+  "functional",
+  "interface",
+  "performance",
+  "security",
+  "usability",
+  "safety",
+  "regulatory"
+]);
+var RequirementFormatSchema = z17.enum(["standard", "user_story"]);
+var RequirementFulfillmentTypeSchema = z17.enum([
+  "software",
+  "labeling",
+  "clinical",
+  "usability",
+  "regulatory_doc",
+  "process"
+]);
+var RequirementFrontmatterSchema = z17.object({
+  id: z17.string().min(1),
+  title: z17.string().min(1),
+  status: RiskDocumentStatusSchema,
+  /** IEC 62304 §5.2.2 — requirement classification (required for SRS, optional for PRS) */
+  req_type: RequirementTypeSchema.optional(),
+  /** Authoring convention — controls which required sections are checked */
+  format: RequirementFormatSchema.optional(),
+  /** ISO 13485 §7.3.3 — how this PRS design input is fulfilled (PRS only, defaults to 'software') */
+  fulfillment_type: RequirementFulfillmentTypeSchema.optional(),
+  author: z17.string().optional(),
+  reviewers: z17.array(z17.string()).optional(),
+  approvers: z17.array(z17.string()).optional(),
+  /** Upstream traceability — IDs of documents this requirement traces from (e.g., UN for PRS, PRS for SRS) */
+  traces_from: z17.array(z17.string()).optional(),
+  /** Downstream traceability — IDs of documents this requirement traces to (e.g., SRS for PRS) */
+  traces_to: z17.array(z17.string()).optional()
+});
+var ProductRequirementFrontmatterSchema = z18.object({
+  id: z18.string().min(1),
+  title: z18.string().min(1),
+  status: RiskDocumentStatusSchema,
+  /** IEC 62304 §5.2.2 — requirement classification (optional for PRS) */
+  req_type: RequirementTypeSchema.optional(),
+  /** Authoring convention — controls which required sections are checked */
+  format: RequirementFormatSchema.optional(),
+  /** ISO 13485 §7.3.3 — how this PRS design input is fulfilled (defaults to 'software') */
+  fulfillment_type: RequirementFulfillmentTypeSchema.optional(),
+  /** Document author — required for all regulated document types */
+  author: z18.string().min(1),
+  reviewers: z18.array(z18.string()).optional(),
+  /** Approver list — required for all regulated document types */
+  approvers: z18.array(z18.string()).min(1),
+  /** Upstream traceability — IDs of User Need documents this PRS traces from (required) */
+  traces_from: z18.array(z18.string()).min(1),
+  /** Downstream traceability — IDs of SRS documents this PRS traces to */
+  traces_to: z18.array(z18.string()).optional()
+});
+var DeliverableVersionTypeSchema = z19.enum(["initial", "major", "minor", "patch"]);
+var DeliverableSafetyClassSchema = z19.enum(["A", "B", "C"]);
+var PlanDeliverableSchema = z19.object({
+  /** Unique ID within the plan (e.g., "DEL-SDP-001") */
+  id: z19.string().min(1),
+  /** Human-readable label for the checklist item */
+  label: z19.string().min(1),
+  /** Which version types this applies to (initial, major, minor, patch) */
+  version_types: z19.array(DeliverableVersionTypeSchema).optional(),
+  /** Which safety classes this applies to (A, B, C) */
+  safety_classes: z19.array(DeliverableSafetyClassSchema).optional(),
+  /** Whether this deliverable can be deferred with rationale */
+  deferrable: z19.boolean().optional()
+});
+var PlanDeliverablesFieldSchema = z19.array(PlanDeliverableSchema).optional();
+var StrictPlanDeliverablesFieldSchema = z19.array(PlanDeliverableSchema).min(1);
+var SoftwareDevelopmentPlanFrontmatterSchema = z20.object({
+  type: z20.literal("software_development_plan"),
+  id: z20.string().min(1),
+  title: z20.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z20.string().optional(),
+  reviewers: z20.array(z20.string()).optional(),
+  approvers: z20.array(z20.string()).optional(),
+  deliverables: PlanDeliverablesFieldSchema
+});
+var SoftwareMaintenancePlanFrontmatterSchema = z20.object({
+  type: z20.literal("software_maintenance_plan"),
+  id: z20.string().min(1),
+  title: z20.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z20.string().optional(),
+  reviewers: z20.array(z20.string()).optional(),
+  approvers: z20.array(z20.string()).optional()
+});
+var SoupRegisterFrontmatterSchema = z20.object({
+  type: z20.literal("soup_register"),
+  id: z20.string().min(1),
+  title: z20.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z20.string().optional(),
+  reviewers: z20.array(z20.string()).optional(),
+  approvers: z20.array(z20.string()).optional()
+});
+var SoftwareTestPlanFrontmatterSchema = z20.object({
+  type: z20.literal("software_test_plan"),
+  id: z20.string().min(1),
+  title: z20.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z20.string().optional(),
+  reviewers: z20.array(z20.string()).optional(),
+  approvers: z20.array(z20.string()).optional(),
+  deliverables: PlanDeliverablesFieldSchema
+});
+var SoftwareRequirementFrontmatterSchema = z21.object({
+  id: z21.string().min(1),
+  title: z21.string().min(1),
+  status: RiskDocumentStatusSchema,
+  /** IEC 62304 §5.2.2 — requirement classification (recommended for SRS) */
+  req_type: RequirementTypeSchema.optional(),
+  /** Authoring convention — controls which required sections are checked */
+  format: RequirementFormatSchema.optional(),
+  /** Document author — required for all regulated document types */
+  author: z21.string().min(1),
+  reviewers: z21.array(z21.string()).optional(),
+  /** Approver list — required for all regulated document types */
+  approvers: z21.array(z21.string()).min(1),
+  /** Upstream traceability — IDs of PRS documents this SRS traces from (required) */
+  traces_from: z21.array(z21.string()).min(1),
+  /** Downstream traceability — IDs of documents this SRS traces to */
+  traces_to: z21.array(z21.string()).optional(),
+  /**
+   * @deprecated Use `implements` on HLD/SDD documents instead.
+   * Architecture documents should declare which requirements they implement (IEC 62304 §5.3.1).
+   * Kept for backwards compatibility — the sync engine does not create links from this field.
+   */
+  implemented_in: z21.string().optional()
+});
+var ExecutionMethodSchema = z22.enum(["manual", "automated"]);
+var TestProtocolFrontmatterSchema = z22.object({
+  type: z22.literal("test_protocol"),
+  id: z22.string().min(1),
+  title: z22.string().min(1),
+  status: RiskDocumentStatusSchema,
+  execution_method: ExecutionMethodSchema.optional(),
+  // lenient: optional for existing docs
+  author: z22.string().optional(),
+  reviewers: z22.array(z22.string()).optional(),
+  approvers: z22.array(z22.string()).optional()
+});
+var TestPhaseSchema = z22.enum(["verification", "production"]);
+var TestReportFrontmatterSchema = z22.object({
+  type: z22.literal("test_report"),
+  id: z22.string().min(1),
+  title: z22.string().min(1),
+  status: RiskDocumentStatusSchema,
+  protocol_id: z22.string().min(1).optional(),
+  // lenient: optional for existing docs
+  author: z22.string().optional(),
+  reviewers: z22.array(z22.string()).optional(),
+  approvers: z22.array(z22.string()).optional(),
+  release_version: z22.string().optional(),
+  test_phase: TestPhaseSchema.optional()
+});
+var UsabilityPlanFrontmatterSchema = z23.object({
+  type: z23.literal("usability_plan"),
+  id: z23.string().min(1),
+  title: z23.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z23.string().optional(),
+  reviewers: z23.array(z23.string()).optional(),
+  approvers: z23.array(z23.string()).optional(),
+  deliverables: PlanDeliverablesFieldSchema
+});
+var UseSpecificationFrontmatterSchema = z23.object({
+  type: z23.literal("use_specification"),
+  id: z23.string().min(1),
+  title: z23.string().min(1),
+  status: RiskDocumentStatusSchema,
+  user_group: z23.string().min(1),
+  author: z23.string().optional(),
+  reviewers: z23.array(z23.string()).optional(),
+  approvers: z23.array(z23.string()).optional()
+});
+var TaskAnalysisFrontmatterSchema = z23.object({
+  type: z23.literal("task_analysis"),
+  id: z23.string().min(1),
+  title: z23.string().min(1),
+  status: RiskDocumentStatusSchema,
+  user_group: z23.string().min(1),
+  critical_task: z23.boolean(),
+  author: z23.string().optional(),
+  reviewers: z23.array(z23.string()).optional(),
+  approvers: z23.array(z23.string()).optional()
+});
+var UsabilityEvaluationFrontmatterSchema = z23.object({
+  type: z23.literal("usability_evaluation"),
+  id: z23.string().min(1),
+  title: z23.string().min(1),
+  status: RiskDocumentStatusSchema,
+  result: z23.enum(["pass", "fail", "pass_with_findings"]).optional(),
+  author: z23.string().optional(),
+  reviewers: z23.array(z23.string()).optional(),
+  approvers: z23.array(z23.string()).optional()
+});
+var SummativeEvaluationFrontmatterSchema = z23.object({
+  type: z23.literal("summative_evaluation"),
+  id: z23.string().min(1),
+  title: z23.string().min(1),
+  status: RiskDocumentStatusSchema,
+  result: z23.enum(["pass", "fail", "pass_with_findings"]).optional(),
+  author: z23.string().optional(),
+  reviewers: z23.array(z23.string()).optional(),
+  approvers: z23.array(z23.string()).optional()
+});
+var UserNeedPrioritySchema = z24.enum(["must_have", "should_have", "nice_to_have"]);
+var UserNeedFrontmatterSchema = z24.object({
+  id: z24.string().min(1),
+  title: z24.string().min(1),
+  status: RiskDocumentStatusSchema,
+  /** Validated if present — ensures frontmatter doesn't misidentify the document type */
+  type: z24.literal("user_need").optional(),
+  /** The user role or stakeholder (e.g., "Quality Manager", "Developer") — required per ISO 13485 §7.3.2 */
+  stakeholder: z24.string().min(1),
+  /** MoSCoW priority classification */
+  priority: UserNeedPrioritySchema.optional(),
+  /** Where this need originated (e.g., "ISO 13485 §7.3", "user interview") */
+  source: z24.string().optional(),
+  /** IDs of product requirements derived from this need */
+  derives: z24.array(z24.string()).optional(),
+  /** Document author — required for all regulated document types */
+  author: z24.string().min(1),
+  reviewers: z24.array(z24.string()).optional(),
+  /** Approver list — required for all regulated document types */
+  approvers: z24.array(z24.string()).min(1),
+  /** Optional reference to a Use Specification persona (US-xxx) per IEC 62366 */
+  use_specification: z24.string().optional()
+});
+var DEFAULT_ACCEPTABILITY_CONFIG = {
+  unacceptable: [
+    [5, 5],
+    // Catastrophic + Frequent
+    [5, 4],
+    // Catastrophic + Likely
+    [5, 3],
+    // Catastrophic + Possible
+    [4, 5],
+    // Major + Frequent
+    [4, 4],
+    // Major + Likely
+    [3, 5]
+    // Moderate + Frequent
+  ],
+  review_required: [
+    [5, 2],
+    // Catastrophic + Unlikely
+    [4, 3],
+    // Major + Possible
+    [3, 4],
+    // Moderate + Likely
+    [3, 3],
+    // Moderate + Possible
+    [2, 5]
+    // Minor + Frequent
+  ]
+};
+var RISK_DOCUMENT_TYPES = [
+  "software_risk",
+  "usability_risk",
+  "security_risk"
+];
+var HAZARD_DOCUMENT_TYPES = ["haz_soe_software", "haz_soe_security"];
+var ALL_RISK_RELATED_DOCUMENT_TYPES = [
+  ...RISK_DOCUMENT_TYPES,
+  ...HAZARD_DOCUMENT_TYPES,
+  "hazardous_situation",
+  "harm"
+];
+var RiskManagementPlanFrontmatterSchema = z25.object({
+  type: z25.literal("risk_management_plan"),
+  id: z25.string().min(1),
+  title: z25.string().min(1),
+  status: RiskDocumentStatusSchema,
+  author: z25.string().optional(),
+  reviewers: z25.array(z25.string()).optional(),
+  approvers: z25.array(z25.string()).optional(),
+  deliverables: PlanDeliverablesFieldSchema
+});
+var EvidenceResultStatusSchema = z26.enum(["pass", "fail", "skip"]);
+var EvidenceResultSchema = z26.object({
+  test_id: z26.string().min(1),
+  req_id: z26.string().min(1),
+  status: EvidenceResultStatusSchema,
+  message: z26.string().optional(),
+  duration_ms: z26.number().nonnegative().optional()
+});
+var EvidenceSummarySchema = z26.object({
+  total: z26.number().int().nonnegative(),
+  passed: z26.number().int().nonnegative(),
+  failed: z26.number().int().nonnegative(),
+  skipped: z26.number().int().nonnegative()
+}).refine((s) => s.total === s.passed + s.failed + s.skipped, {
+  message: "total must equal passed + failed + skipped",
+  path: ["total"]
+});
+var AutomatedTestEvidenceSchema = z26.object({
+  protocol_id: z26.string().min(1),
+  results: z26.array(EvidenceResultSchema).min(1),
+  summary: EvidenceSummarySchema,
+  environment: z26.record(z26.string()).optional(),
+  timestamp: z26.string().datetime()
+}).refine((e) => e.results.length === e.summary.total, {
+  message: "results.length must equal summary.total",
+  path: ["summary", "total"]
+});
+var ManualStepResultSchema = z26.object({
+  step_id: z26.string().min(1),
+  status: EvidenceResultStatusSchema,
+  notes: z26.string().optional(),
+  attachment_path: z26.string().optional()
+});
+var ManualTestEvidenceSchema = z26.object({
+  protocol_id: z26.string().min(1),
+  results: z26.array(ManualStepResultSchema).min(1),
+  summary: EvidenceSummarySchema,
+  executor: z26.string().email(),
+  executed_at: z26.string().datetime()
+}).refine((e) => e.results.length === e.summary.total, {
+  message: "results.length must equal summary.total",
+  path: ["summary", "total"]
+});
+var LegalDocumentTypeSchema = z27.enum(["tos", "privacy-policy", "billing-terms"]);
+var LegalDocumentVersionSchema = z27.string().regex(/^\d{4}-\d{2}-\d{2}$/, {
+  message: "Version must be in YYYY-MM-DD format"
+});
+var OwnerTypeSchema = z28.enum(["qms", "device"]);
+var DocumentSnapshotSchema = z28.object({
+  documentId: z28.string(),
+  commitSha: z28.string(),
+  documentPath: z28.string(),
+  documentTitle: z28.string(),
+  documentType: z28.string(),
+  previousReleasedCommitSha: z28.string().optional(),
+  changeType: z28.enum(["added", "modified", "unchanged"]),
+  changeDescription: z28.string().optional()
+});
+var QmsDocumentTypeSchema = z28.enum([
+  "sop",
+  "policy",
+  "work_instruction",
+  "supplier",
+  "audit_schedule",
+  "audit_report",
+  "management_review",
+  "job_description"
+]);
+var DeviceDocumentTypeSchema = z28.enum([
+  "user_need",
+  "requirement",
+  "architecture",
+  "detailed_design",
+  "test_protocol",
+  "test_report",
+  "usability_risk",
+  "software_risk",
+  "security_risk",
+  "hazardous_situation",
+  "harm",
+  "haz_soe_software",
+  "haz_soe_security",
+  "hazard_category",
+  // Usability engineering (IEC 62366)
+  "usability_plan",
+  "use_specification",
+  "task_analysis",
+  "usability_evaluation",
+  "summative_evaluation",
+  // Risk management (ISO 14971)
+  "risk_management_plan",
+  // Software lifecycle (IEC 62304)
+  "software_development_plan",
+  "software_maintenance_plan",
+  "soup_register",
+  // Problem resolution (IEC 62304 §9)
+  "anomaly",
+  // Cybersecurity (IEC 81001-5-1)
+  "cybersecurity_plan",
+  "sbom",
+  // Clinical (MDR / FDA)
+  "clinical_evaluation_plan",
+  "clinical_evaluation_report",
+  // Post-market surveillance (MDR Art. 83)
+  "post_market_surveillance_plan",
+  "post_market_feedback",
+  // Labeling (MDR Annex I)
+  "labeling",
+  // Product (ISO 13485 §7.3)
+  "product_development_plan",
+  "intended_use",
+  // Software test plan (IEC 62304 §5.7)
+  "software_test_plan"
+]);
+var ReleaseReviewConfigSchema = z29.object({
+  required_departments: z29.array(z29.string().min(1)).min(1),
+  final_approver: z29.string().min(1)
+});
+var RepoConfigSchema = z29.object({
+  monorepo: z29.boolean().optional(),
+  device: z29.object({
+    name: z29.string().min(1),
+    safety_class: z29.enum(["A", "B", "C"]),
+    classification: z29.object({
+      eu: z29.string().optional(),
+      us: z29.string().optional()
+    }).optional(),
+    udi_device_identifier: z29.string().optional(),
+    deploy_sources: z29.array(
+      z29.object({
+        identifier: z29.string().min(1),
+        label: z29.string().min(1),
+        provider: z29.enum(["github"]),
+        connection_ref: z29.string().min(1)
+      })
+    ).optional()
+  }).optional(),
+  release_review: ReleaseReviewConfigSchema.optional()
+});
+var GateOverrideCategorySchema = z31.enum([
+  "unverified_requirements",
+  "unanalyzed_requirements",
+  "error_risk_gaps",
+  "missing_risk_management_plan_reference",
+  "missing_plan_risk_management",
+  "missing_plan_software_development",
+  "missing_plan_cybersecurity",
+  "missing_plan_usability",
+  "missing_plan_clinical_evaluation",
+  "missing_plan_post_market_surveillance",
+  "missing_artifact_soup_register",
+  "missing_artifact_sbom",
+  "missing_artifact_summative_evaluation",
+  "missing_deployment_references",
+  "missing_smoke_test_evidence"
+]);
+var MemberRoleSchema = z31.enum(["admin", "member"]);
+var MemberStatusSchema = z31.enum(["active", "suspended", "removed"]);
+var EmailAddressSchema = z31.object({
+  value: z31.string().email(),
+  verified: z31.boolean()
+});
+var SyncStatusSchema = z31.enum(["active", "paused", "error"]);
+var AuditActionSchema = z31.enum([
+  // Organization
+  "organization.created",
+  "organization.settings_updated",
+  "organization.checklist_template_updated",
+  // Members
+  "member.invited",
+  "member.invite_declined",
+  "member.joined",
+  "member.role_changed",
+  "member.removed",
+  "member.password_reset_forced",
+  // Repositories
+  "repository.connected",
+  "repository.disconnected",
+  "repository.sync_triggered",
+  "repository.updated",
+  "repository.assigned",
+  "repository.unassigned",
+  // Documents
+  "document.synced",
+  "document.removed",
+  "document.viewed",
+  // Releases
+  "release.created",
+  "release.updated",
+  "release.deleted",
+  "release.withdrawn",
+  "release.submitted_for_review",
+  "release.signature_added",
+  "release.approved",
+  "release.transferred_to_transfer",
+  "release.transfer_approved",
+  "release.published",
+  "release.checklist_updated",
+  "release.checklist_item_added",
+  "release.checklist_item_deferred",
+  "release.checklist_reordered",
+  "release.checklist_retrigger_confirmed",
+  "release.signing_obligations_rederived",
+  "release.gate_override_added",
+  "release.gate_override_removed",
+  "release.gate_override_invalidated",
+  "release.viewed",
+  "release.artifact_uploaded",
+  "release.evidence_pulled",
+  "release.manual_test_executed",
+  "release.attributions_derived",
+  "release.attribution_dismissed",
+  "release.attribution_restored",
+  // Signatures
+  "signature.created",
+  "signature.attempt_failed",
+  "signature.lockout_triggered",
+  // Signing Requests
+  "signing_request.created",
+  "signing_request.sent",
+  "signing_request.viewed",
+  "signing_request.signed",
+  "signing_request.declined",
+  "signing_request.cancelled",
+  "signing_request.expired",
+  "signing_request.reminded",
+  "signing_request.document_accessed",
+  // Training
+  "training.assigned",
+  "training.completed",
+  "training.started",
+  "training.settings_updated",
+  "training.quiz_submitted",
+  "training.quiz_passed",
+  "training.quiz_failed",
+  "training.overdue_notified",
+  "training.acknowledged",
+  "training.signature_added",
+  "training.instructor_signoff",
+  "training.task_created",
+  "training.viewed",
+  // QMS
+  "qms.created",
+  "qms.updated",
+  "qms.deleted",
+  // Devices
+  "device.created",
+  "device.updated",
+  "device.deleted",
+  // DCOs
+  "dco.created",
+  "dco.updated",
+  "dco.deleted",
+  "dco.submitted",
+  "dco.obligation_fulfilled",
+  "dco.approved",
+  "dco.effective",
+  // CAPAs
+  "capa.created",
+  "capa.updated",
+  "capa.deleted",
+  "capa.investigation_started",
+  "capa.implementation_started",
+  "capa.verification_started",
+  "capa.closed",
+  "capa.cancelled",
+  "capa.action_added",
+  "capa.action_updated",
+  "capa.action_removed",
+  // Complaints
+  "complaint.created",
+  "complaint.updated",
+  "complaint.deleted",
+  "complaint.investigation_started",
+  "complaint.resolved",
+  "complaint.closed",
+  "complaint.cancelled",
+  "complaint.escalated_to_capa",
+  // Nonconformances
+  "nc.created",
+  "nc.updated",
+  "nc.deleted",
+  "nc.investigation_started",
+  "nc.disposition_set",
+  "nc.concession_approved",
+  "nc.closed",
+  "nc.cancelled",
+  "nc.escalated_to_capa",
+  // Actions
+  "action.created",
+  "action.updated",
+  "action.completed",
+  "action.cancelled",
+  "action.deleted",
+  // Legal
+  "billing_terms.accepted",
+  "legal_document.accepted",
+  // Billing
+  "billing.checkout_created",
+  "billing.portal_accessed",
+  "billing.subscription_activated",
+  "billing.subscription_updated",
+  "billing.subscription_canceled",
+  // API Keys
+  "api_key.created",
+  "api_key.revoked",
+  // Risk Management
+  "risk.viewed",
+  // Compliance
+  "compliance_package.requested",
+  "compliance_package.downloaded",
+  "validation_package.downloaded",
+  // ERSD
+  "ersd.created",
+  "ersd.auto_seeded",
+  // Quality Objectives
+  "quality_objective.created",
+  "quality_objective.updated",
+  "quality_objective.value_recorded",
+  "quality_objective.deactivated",
+  // Quality Reviews
+  "quality_review.created",
+  "quality_review.updated",
+  "quality_review.started",
+  "quality_review.completed",
+  "quality_review.cancelled",
+  // Review Types
+  "review_type.created",
+  "review_type.updated",
+  // Components (SOUP/SBOM enrichment)
+  "component.enriched",
+  // Audit
+  "audit_log.exported",
+  // Compiled Record Export
+  "compiled_record_export.requested",
+  "compiled_record_export.completed",
+  "compiled_record_export.failed",
+  "compiled_record_export.downloaded"
+]);
+var ResourceTypeSchema = z31.enum([
+  "organization",
+  "member",
+  "invite",
+  "repository",
+  "document",
+  "release",
+  "signature",
+  "training",
+  "training_task",
+  "training_settings",
+  "qms",
+  "device",
+  "dco",
+  "signing_request",
+  "capa",
+  "complaint",
+  "nonconformance",
+  "action",
+  "legal_acceptance",
+  "subscription",
+  "api_key",
+  "compliance_package",
+  "validation_package",
+  "ersd",
+  "qualityObjective",
+  "qualityReview",
+  "reviewType",
+  "audit_log",
+  "risk_matrix",
+  "component",
+  "compiled_record_export"
+]);
+
+// src/impact/baseline-scan.ts
+function scanBaselineGaps(rootDir, baseBranch, config) {
+  const worktreeDir = mkdtempSync(join5(tmpdir(), "trace-baseline-"));
+  try {
+    const mergeBase = execSync(`git merge-base HEAD ${baseBranch}`, {
+      cwd: rootDir,
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    if (!mergeBase) {
+      return [];
+    }
+    execSync(`git worktree add --detach ${worktreeDir} ${mergeBase}`, {
+      cwd: rootDir,
+      stdio: "pipe"
+    });
+    const loader = new FilesystemDocumentLoader(worktreeDir, config);
+    const docs = loader.loadDocuments();
+    const links = loader.loadLinks();
+    const bodies = loader.loadBodies();
+    const result = detectAllGaps(docs, links, {
+      bodies,
+      deviceSafetyClass: config.deviceSafetyClass,
+      acceptabilityConfig: DEFAULT_ACCEPTABILITY_CONFIG
+    });
+    return result.gaps;
+  } catch {
+    return [];
+  } finally {
+    try {
+      execSync(`git worktree remove --force ${worktreeDir}`, {
+        cwd: rootDir,
+        stdio: "pipe"
+      });
+    } catch {
+      rmSync(worktreeDir, { recursive: true, force: true });
+    }
+  }
+}
+
+// src/traceability/trace-cli.ts
+import { readFileSync as readFileSync8 } from "fs";
+
+// src/traceability/graph/parse-docs.ts
+import { readFileSync as readFileSync6 } from "fs";
+import { join as join7 } from "path";
+import yaml3 from "js-yaml";
+
+// src/traceability/parse-frontmatter.ts
+import { readFileSync as readFileSync5, readdirSync as readdirSync4 } from "fs";
+import { join as join6 } from "path";
+import yaml2 from "js-yaml";
+var TYPE_PREFIXES = {
+  UN: "UN",
+  PRS: "PRS",
+  SRS: "SRS",
+  HAZ: "HAZ",
+  RISK: "RISK",
+  HLD: "HLD",
+  SDD: "SDD",
+  DDD: "DDD",
+  RA: "RISK"
+};
+function parseFrontmatter(filePath) {
+  const content = readFileSync5(filePath, "utf-8");
+  const fmMatch = content.match(/^---\n([\s\S]*?)\n---/);
+  if (!fmMatch) {
+    throw new Error(`No frontmatter found in ${filePath}`);
+  }
+  const fields = yaml2.load(fmMatch[1]);
+  const id = fields.id;
+  if (!id) throw new Error(`No 'id' field in frontmatter of ${filePath}`);
+  const type = inferType(id, fields.type);
+  return {
+    id,
+    title: fields.title ?? id,
+    type,
+    derives: parseStringArray(fields.derives),
+    traces_from: parseStringArray(fields.traces_from),
+    traces_to: parseStringArray(fields.traces_to),
+    analyzes: parseStringArray(fields.analyzes),
+    leads_to: parseStringArray(fields.leads_to)
+  };
+}
+function parseAllDocsInDir(dir, pattern) {
+  const results = [];
+  try {
+    const entries = readdirSync4(dir, { withFileTypes: true, recursive: true });
+    for (const entry of entries) {
+      if (entry.isFile() && pattern.test(entry.name)) {
+        try {
+          const fullPath = join6(entry.parentPath, entry.name);
+          results.push(parseFrontmatter(fullPath));
+        } catch {
+        }
+      }
+    }
+  } catch {
+  }
+  return results;
+}
+function inferType(id, explicitType) {
+  if (explicitType) {
+    const normalized = explicitType.toLowerCase();
+    if (normalized.includes("risk")) return "RISK";
+    if (normalized.includes("hazard")) return "HAZ";
+  }
+  const prefix = id.split("-")[0];
+  return TYPE_PREFIXES[prefix] ?? "SDD";
+}
+function parseStringArray(value) {
+  if (!value) return void 0;
+  if (Array.isArray(value)) return value.map(String);
+  if (typeof value === "string") return [value];
+  return void 0;
+}
+
+// src/traceability/graph/types.ts
+function createDocumentNode(props) {
+  return { nodeKind: "document", ...props };
+}
+function createRequirementNode(props) {
+  return { nodeKind: "requirement", ...props };
+}
+function createTestRefNode(props) {
+  return {
+    nodeKind: "test_ref",
+    id: `test:${props.file}:${props.requirementId}:${props.name}`,
+    ...props
+  };
+}
+function createEdge(props) {
+  return { ...props };
+}
+
+// src/traceability/graph/parse-docs.ts
+var DIR_SCANS = [
+  { subdir: "docs/product/user-needs", pattern: /^UN-.*\.md$/ },
+  { subdir: "docs/product/requirements", pattern: /^PRS-.*\.md$/ },
+  { subdir: "docs/software/requirements", pattern: /^SRS-.*\.md$/ },
+  { subdir: "docs/software/architecture", pattern: /^(?:HLD|DDD)-.*\.md$/ },
+  { subdir: "docs/software/design", pattern: /^SDD-.*\.md$/ },
+  { subdir: "docs/usability/risks", pattern: /^RISK-.*\.md$/ },
+  { subdir: "docs/risk/analysis", pattern: /^(?:RA|RISK)-.*\.md$/ },
+  { subdir: "docs/usability/task-analyses", pattern: /^TA-.*\.md$/ }
+];
+function parseAllDocuments(rootDir) {
+  const documentNodes = scanDocumentNodes(rootDir);
+  const requirementNodes = extractRequirementNodes(rootDir, documentNodes);
+  const edges = extractAllEdges(rootDir, documentNodes);
+  return { documentNodes, requirementNodes, edges };
+}
+function scanDocumentNodes(rootDir) {
+  const nodeMap = /* @__PURE__ */ new Map();
+  for (const { subdir, pattern } of DIR_SCANS) {
+    const dir = join7(rootDir, subdir);
+    const docs = parseAllDocsInDir(dir, pattern);
+    for (const doc of docs) {
+      if (nodeMap.has(doc.id)) continue;
+      const filePath = resolveFilePath(rootDir, subdir, doc);
+      const frontmatter = readRawFrontmatter(join7(rootDir, filePath));
+      nodeMap.set(
+        doc.id,
+        createDocumentNode({
+          id: doc.id,
+          type: doc.type,
+          title: doc.title,
+          filePath,
+          frontmatter: frontmatter ?? { id: doc.id }
+        })
+      );
+    }
+  }
+  return [...nodeMap.values()];
+}
+function resolveFilePath(_rootDir, subdir, doc) {
+  return `${subdir}/${doc.id}.md`;
+}
+function readRawFrontmatter(filePath) {
+  try {
+    const content = readFileSync6(filePath, "utf-8");
+    const match = content.match(/^---\n([\s\S]*?)\n---/);
+    if (!match) return null;
+    return yaml3.load(match[1]) ?? null;
+  } catch {
+    return null;
+  }
+}
+function extractRequirementNodes(rootDir, documentNodes) {
+  const reqNodes = [];
+  const prsAndSrs = documentNodes.filter((n) => n.type === "PRS" || n.type === "SRS");
+  for (const doc of prsAndSrs) {
+    const level = doc.type;
+    const content = readFileContent(join7(rootDir, doc.filePath));
+    if (!content) continue;
+    const reqs = parseRequirementsFromMarkdown(content, doc.id, level);
+    for (const req of reqs) {
+      reqNodes.push(
+        createRequirementNode({
+          id: req.id,
+          documentId: req.document,
+          verificationMethod: req.verificationMethod,
+          criteria: req.criteria
+        })
+      );
+    }
+  }
+  return reqNodes;
+}
+function readFileContent(filePath) {
+  try {
+    return readFileSync6(filePath, "utf-8");
+  } catch {
+    return null;
+  }
+}
+function extractAllEdges(_rootDir, documentNodes) {
+  const edgeSet = new EdgeDeduplicator();
+  extractFrontmatterEdges(documentNodes, edgeSet);
+  extractArchitectureEdges(documentNodes, edgeSet);
+  return edgeSet.toArray();
+}
+function extractFrontmatterEdges(nodes, edgeSet) {
+  for (const node of nodes) {
+    const fm = node.frontmatter;
+    addEdgesFromField(node.id, fm.derives, "derives_from", edgeSet);
+    addEdgesFromField(node.id, fm.traces_from, "traces_from", edgeSet);
+    addEdgesFromField(node.id, fm.traces_to, "traces_to", edgeSet);
+    addEdgesFromField(node.id, fm.analyzes, "analyzes", edgeSet);
+    addEdgesFromField(node.id, fm.leads_to, "leads_to", edgeSet);
+  }
+}
+function addEdgesFromField(sourceId, field, linkType, edgeSet) {
+  const targets = toStringArray(field);
+  for (const targetId of targets) {
+    edgeSet.add(createEdge({ from: sourceId, to: targetId, linkType }));
+  }
+}
+function extractArchitectureEdges(nodes, edgeSet) {
+  for (const node of nodes) {
+    const fm = node.frontmatter;
+    const implementsList = toStringArray(fm.implements);
+    for (const targetId of implementsList) {
+      edgeSet.add(createEdge({ from: node.id, to: targetId, linkType: "implements" }));
+    }
+    if (typeof fm.parent_item === "string" && fm.parent_item) {
+      edgeSet.add(createEdge({ from: fm.parent_item, to: node.id, linkType: "parent_of" }));
+    }
+    if (typeof fm.software_item === "string" && fm.software_item) {
+      edgeSet.add(createEdge({ from: node.id, to: fm.software_item, linkType: "software_item" }));
+    }
+  }
+}
+function toStringArray(value) {
+  if (!value) return [];
+  if (Array.isArray(value)) return value.filter((v) => typeof v === "string");
+  if (typeof value === "string") return [value];
+  return [];
+}
+var EdgeDeduplicator = class {
+  seen = /* @__PURE__ */ new Set();
+  edges = [];
+  add(edge) {
+    const key = `${edge.from}|${edge.to}|${edge.linkType}`;
+    if (this.seen.has(key)) return;
+    this.seen.add(key);
+    this.edges.push(edge);
+  }
+  toArray() {
+    return [...this.edges];
+  }
+};
+
+// src/traceability/graph/parse-tests.ts
+import { readFileSync as readFileSync7, readdirSync as readdirSync5 } from "fs";
+import { join as join8, relative as relative3 } from "path";
+function parseAllTests(rootDir) {
+  const testRefNodes = [];
+  const orphanScenarios = [];
+  scanE2eFeatures(rootDir, testRefNodes, orphanScenarios);
+  scanUnitTests(rootDir, testRefNodes);
+  return { testRefNodes, orphanScenarios };
+}
+function scanE2eFeatures(rootDir, nodes, orphans) {
+  const featureDir = join8(rootDir, "e2e/features");
+  const featureFiles = globFiles2(featureDir, /\.feature$/);
+  for (const file of featureFiles) {
+    const content = readFileSync7(file, "utf-8");
+    const relPath = relative3(rootDir, file);
+    const refs = extractReqTagsFromFeature(content, relPath);
+    for (const ref of refs) {
+      nodes.push(
+        createTestRefNode({
+          requirementId: ref.requirementId,
+          testType: ref.testType,
+          file: ref.file,
+          name: ref.name
+        })
+      );
+    }
+    orphans.push(...findOrphanScenarios(content, relPath));
+  }
+}
+function scanUnitTests(rootDir, nodes) {
+  const testDirs = [join8(rootDir, "packages"), join8(rootDir, "apps"), join8(rootDir, "scripts")];
+  const testPattern = /\.(test|spec)\.tsx?$/;
+  for (const dir of testDirs) {
+    const testFiles = globFiles2(dir, testPattern);
+    for (const file of testFiles) {
+      const content = readFileSync7(file, "utf-8");
+      const relPath = relative3(rootDir, file);
+      const refs = extractReqMarkersFromTestFile(content, relPath);
+      for (const ref of refs) {
+        nodes.push(
+          createTestRefNode({
+            requirementId: ref.requirementId,
+            testType: ref.testType,
+            file: ref.file,
+            name: ref.name
+          })
+        );
+      }
+    }
+  }
+}
+function globFiles2(dir, pattern) {
+  const results = [];
+  try {
+    const entries = readdirSync5(dir, { withFileTypes: true, recursive: true });
+    for (const entry of entries) {
+      if (entry.isFile() && pattern.test(entry.name)) {
+        const fullPath = join8(entry.parentPath, entry.name);
+        results.push(fullPath);
+      }
+    }
+  } catch {
+  }
+  return results;
+}
+
+// src/traceability/graph/build-graph.ts
+function buildGraph(nodes, edges) {
+  const nodeMap = buildNodeMap(nodes);
+  const outgoing = /* @__PURE__ */ new Map();
+  const incoming = /* @__PURE__ */ new Map();
+  initializeAdjacencyEntries(nodeMap, outgoing, incoming);
+  populateAdjacencyLists(edges, outgoing, incoming);
+  return { nodes: nodeMap, edges, outgoing, incoming };
+}
+function buildNodeMap(nodes) {
+  const map = /* @__PURE__ */ new Map();
+  for (const node of nodes) {
+    map.set(node.id, node);
+  }
+  return map;
+}
+function initializeAdjacencyEntries(nodeMap, outgoing, incoming) {
+  for (const id of nodeMap.keys()) {
+    outgoing.set(id, []);
+    incoming.set(id, []);
+  }
+}
+function populateAdjacencyLists(edges, outgoing, incoming) {
+  for (const edge of edges) {
+    appendToList(outgoing, edge.from, edge);
+    appendToList(incoming, edge.to, edge);
+  }
+}
+function appendToList(map, key, edge) {
+  const list = map.get(key);
+  if (list) {
+    list.push(edge);
+  } else {
+    map.set(key, [edge]);
+  }
+}
+
+// src/traceability/graph/walk.ts
+var strategies = /* @__PURE__ */ new Map();
+function registerStrategy(name, fn) {
+  strategies.set(name, fn);
+}
+function walkStrategy(name, graph, entryNode) {
+  const fn = strategies.get(name);
+  if (!fn) {
+    throw new Error(`Unknown strategy: "${name}"`);
+  }
+  return fn(graph, entryNode);
+}
+function walkStrategies(names, graph, entryNode) {
+  const seen = /* @__PURE__ */ new Set();
+  const result = [];
+  for (const name of names) {
+    for (const node of walkStrategy(name, graph, entryNode)) {
+      if (!seen.has(node.id)) {
+        seen.add(node.id);
+        result.push(node);
+      }
+    }
+  }
+  return result;
+}
+function followOutgoing(graph, sourceIds, linkTypes, visited) {
+  const result = [];
+  const typeSet = new Set(linkTypes);
+  for (const sourceId of sourceIds) {
+    const edges = graph.outgoing.get(sourceId) ?? [];
+    for (const edge of edges) {
+      if (typeSet.has(edge.linkType) && !visited.has(edge.to)) {
+        const node = graph.nodes.get(edge.to);
+        if (node) {
+          visited.add(edge.to);
+          result.push(node);
+        }
+      }
+    }
+  }
+  return result;
+}
+function followIncoming(graph, targetIds, linkTypes, visited) {
+  const result = [];
+  const typeSet = new Set(linkTypes);
+  for (const targetId of targetIds) {
+    const edges = graph.incoming.get(targetId) ?? [];
+    for (const edge of edges) {
+      if (typeSet.has(edge.linkType) && !visited.has(edge.from)) {
+        const node = graph.nodes.get(edge.from);
+        if (node) {
+          visited.add(edge.from);
+          result.push(node);
+        }
+      }
+    }
+  }
+  return result;
+}
+function onlyDocumentNodes(nodes) {
+  return nodes.filter((n) => n.nodeKind === "document");
+}
+var ARCH_DOC_TYPES = /* @__PURE__ */ new Set(["HLD", "SDD", "DDD"]);
+function isArchDocType(type) {
+  return ARCH_DOC_TYPES.has(type);
+}
+function requirementsChain(graph, entryNode) {
+  const visited = /* @__PURE__ */ new Set([entryNode.id]);
+  const result = [];
+  const srsNodes = followOutgoing(graph, [entryNode.id], ["implements"], visited);
+  result.push(...onlyDocumentNodes(srsNodes));
+  const srsIds = srsNodes.map((n) => n.id);
+  const prsNodes = followOutgoing(graph, srsIds, ["traces_from", "derives_from"], visited);
+  result.push(...onlyDocumentNodes(prsNodes));
+  const prsIds = prsNodes.map((n) => n.id);
+  const unNodes = followOutgoing(graph, prsIds, ["traces_from", "derives_from"], visited);
+  result.push(...onlyDocumentNodes(unNodes));
+  return result;
+}
+function riskChain(graph, entryNode) {
+  const visited = /* @__PURE__ */ new Set([entryNode.id]);
+  const result = [];
+  const hazNodes = followIncoming(graph, [entryNode.id], ["software_item"], visited);
+  result.push(...onlyDocumentNodes(hazNodes));
+  const hazIds = hazNodes.map((n) => n.id);
+  const hsNodes = followOutgoing(graph, hazIds, ["leads_to"], visited);
+  result.push(...onlyDocumentNodes(hsNodes));
+  const hsIds = hsNodes.map((n) => n.id);
+  const harmNodes = followOutgoing(graph, hsIds, ["results_in"], visited);
+  result.push(...onlyDocumentNodes(harmNodes));
+  const riskNodes = followIncoming(graph, [entryNode.id], ["analyzes"], visited);
+  result.push(...onlyDocumentNodes(riskNodes));
+  return result;
+}
+function architectureDocs(graph, entryNode) {
+  const visited = /* @__PURE__ */ new Set([entryNode.id]);
+  const collected = [];
+  const fromImplements = followIncoming(graph, [entryNode.id], ["implements"], visited);
+  collected.push(...onlyDocumentNodes(fromImplements));
+  const toImplements = followOutgoing(graph, [entryNode.id], ["implements"], visited);
+  collected.push(...onlyDocumentNodes(toImplements));
+  const fromParent = followIncoming(graph, [entryNode.id], ["parent_of"], visited);
+  collected.push(...onlyDocumentNodes(fromParent));
+  const toParent = followOutgoing(graph, [entryNode.id], ["parent_of"], visited);
+  collected.push(...onlyDocumentNodes(toParent));
+  return collected.filter((n) => isArchDocType(n.type));
+}
+function riskNeighbors(graph, entryNode) {
+  const visited = /* @__PURE__ */ new Set([entryNode.id]);
+  const riskNodes = followIncoming(graph, [entryNode.id], ["analyzes"], visited);
+  return onlyDocumentNodes(riskNodes);
+}
+function fullGraphValidation(graph, _entryNode) {
+  const brokenNodeIds = /* @__PURE__ */ new Set();
+  for (const edge of graph.edges) {
+    const fromExists = graph.nodes.has(edge.from);
+    const toExists = graph.nodes.has(edge.to);
+    if (!fromExists || !toExists) {
+      if (fromExists) brokenNodeIds.add(edge.from);
+      if (toExists) brokenNodeIds.add(edge.to);
+    }
+  }
+  const result = [];
+  for (const id of brokenNodeIds) {
+    const node = graph.nodes.get(id);
+    if (node) result.push(node);
+  }
+  return result;
+}
+registerStrategy("requirements_chain", requirementsChain);
+registerStrategy("risk_chain", riskChain);
+registerStrategy("architecture_docs", architectureDocs);
+registerStrategy("risk_neighbors", riskNeighbors);
+registerStrategy("full_graph_validation", fullGraphValidation);
+
+// src/traceability/graph/coverage-query.ts
+function queryCoverage(graph, documentId) {
+  const testableRequirements = findTestableRequirements(graph, documentId);
+  const coveredIds = findCoveredRequirementIds(graph);
+  const covered = [];
+  const uncovered = [];
+  for (const req of testableRequirements) {
+    if (coveredIds.has(req.id)) {
+      covered.push(req.id);
+    } else {
+      uncovered.push(req.id);
+    }
+  }
+  return { covered, uncovered, total: testableRequirements.length };
+}
+function isTestableMethod(verificationMethod) {
+  return verificationMethod.includes("Test");
+}
+function findTestableRequirements(graph, documentId) {
+  const results = [];
+  for (const node of graph.nodes.values()) {
+    if (node.nodeKind === "requirement" && node.documentId === documentId && isTestableMethod(node.verificationMethod)) {
+      results.push(node);
+    }
+  }
+  return results;
+}
+function findCoveredRequirementIds(graph) {
+  const ids = /* @__PURE__ */ new Set();
+  for (const node of graph.nodes.values()) {
+    if (node.nodeKind === "test_ref") {
+      ids.add(node.requirementId);
+    }
+  }
+  return ids;
+}
+
+// src/traceability/graph/resolve.ts
+import { execSync as execSync2 } from "child_process";
+import { minimatch as minimatch2 } from "minimatch";
+function resolveChangedFiles(changedFiles, config) {
+  if (changedFiles.length === 0) return [];
+  const matched = /* @__PURE__ */ new Map();
+  for (const file of changedFiles) {
+    matchFileToSoftwareItems(file, config.software_items, matched);
+  }
+  return Array.from(matched.values());
+}
+function matchFileToSoftwareItems(file, items, matched) {
+  for (const [name, entry] of Object.entries(items)) {
+    if (matched.has(name)) continue;
+    if (!isFileInEntry(file, entry)) continue;
+    matched.set(name, {
+      softwareItem: name,
+      domain: entry.domain,
+      architecture: entry.architecture
+    });
+  }
+}
+function isFileInEntry(file, entry) {
+  return entry.code_paths.some((pattern) => minimatch2(file, pattern));
+}
+function getChangedFilesFromGit() {
+  const branch = execSync2("git branch --show-current", { encoding: "utf-8" }).trim();
+  const command = isOnMain(branch) ? "git diff --name-only HEAD~1" : "git diff --name-only main...HEAD";
+  const output = execSync2(command, { encoding: "utf-8" }).trim();
+  if (!output) return [];
+  return output.split("\n");
+}
+function isOnMain(branch) {
+  return branch === "main" || branch === "";
+}
+
+// src/traceability/graph/format.ts
+var PHASE_RULES = {
+  design: {
+    description: "Understanding the domain before designing",
+    strategies: ["requirements_chain", "risk_chain", "test_coverage"],
+    output: "context",
+    prompts: [
+      "Has a task analysis been done for this area?",
+      "Are existing risk controls still valid for this change?",
+      "Which user needs drive this domain?"
+    ]
+  },
+  assess: {
+    description: "Predicting impact of a planned change",
+    strategies: ["requirements_chain", "risk_chain", "test_coverage"],
+    output: "impact_table",
+    checks: [
+      "Every touched SRS must have risk coverage",
+      "Every new SRS requirement needs a verification method"
+    ]
+  },
+  implement: {
+    description: "What docs are stale given code changes",
+    strategies: ["requirements_chain", "architecture_docs", "risk_neighbors"],
+    output: "update_list"
+  },
+  verify: {
+    description: "CI gate -- are all links intact?",
+    strategies: ["full_graph_validation"],
+    output: "gap_report",
+    checks: [
+      "Every SRS with verification_method has @req coverage",
+      "Every SRS has risk analysis",
+      "Every test has @req tag",
+      "No broken references"
+    ]
+  }
+};
+var NODE_GROUP_ORDER = [
+  { key: "un", label: "User Needs", types: ["UN"] },
+  { key: "prs", label: "Product Requirements", types: ["PRS"] },
+  { key: "srs", label: "Software Requirements", types: ["SRS"] },
+  { key: "risk", label: "Risk Analysis", types: ["RISK", "HAZ-SW", "HAZ", "HS", "HARM"] },
+  { key: "arch", label: "Architecture", types: ["HLD", "SDD", "DDD"] }
+];
+function onlyDocumentNodes2(nodes) {
+  return nodes.filter((n) => n.nodeKind === "document");
+}
+function groupByType(docNodes) {
+  const groups = /* @__PURE__ */ new Map();
+  for (const group of NODE_GROUP_ORDER) {
+    const matching = docNodes.filter((n) => group.types.includes(n.type));
+    if (matching.length > 0) {
+      groups.set(group.key, matching);
+    }
+  }
+  return groups;
+}
+function findGroupLabel(key) {
+  return NODE_GROUP_ORDER.find((g) => g.key === key)?.label ?? key;
+}
+function getSrsCoverage(graph, srsNodes) {
+  return srsNodes.map((srs) => {
+    const cov = queryCoverage(graph, srs.id);
+    return {
+      documentId: srs.id,
+      covered: cov.covered.length,
+      total: cov.total,
+      uncovered: cov.uncovered
+    };
+  });
+}
+function formatContext(input) {
+  const { graph, resolvedItems, walkedNodes, domain } = input;
+  const lines = [];
+  const domainLabel = domain ?? "unknown";
+  lines.push(`=== Traceability Context: ${domainLabel} ===`);
+  lines.push("");
+  appendSoftwareItemsSummary(lines, resolvedItems);
+  const docNodes = onlyDocumentNodes2(walkedNodes);
+  if (docNodes.length === 0) {
+    lines.push("No traceability nodes found.");
+    lines.push("");
+    appendDesignPrompts(lines);
+    return lines.join("\n");
+  }
+  const grouped = groupByType(docNodes);
+  for (const [key, docs] of grouped) {
+    if (key === "srs") {
+      appendSrsGroup(lines, graph, docs);
+    } else {
+      appendDocGroup(lines, key, docs);
+    }
+  }
+  appendDesignPrompts(lines);
+  appendContextGaps(lines, graph, grouped);
+  return lines.join("\n");
+}
+function appendSoftwareItemsSummary(lines, items) {
+  if (items.length === 0) return;
+  const itemNames = items.map((i) => i.softwareItem).join(", ");
+  lines.push(`Software Items: ${itemNames}`);
+  const archIds = [...new Set(items.flatMap((i) => i.architecture))];
+  if (archIds.length > 0) {
+    lines.push(`Architecture: ${archIds.join(", ")}`);
+  }
+  lines.push("");
+}
+function appendDocGroup(lines, key, docs) {
+  const label = findGroupLabel(key);
+  lines.push(`${label} (${docs.length}):`);
+  for (const doc of docs) {
+    lines.push(`  ${doc.id}  ${doc.title}`);
+  }
+  lines.push("");
+}
+function appendSrsGroup(lines, graph, docs) {
+  const coverages = getSrsCoverage(graph, docs);
+  lines.push(`Software Requirements (${docs.length}):`);
+  for (let i = 0; i < docs.length; i++) {
+    const doc = docs[i];
+    const cov = coverages[i];
+    const covLabel = cov.total > 0 ? `  test_coverage: ${cov.covered}/${cov.total}` : "";
+    const check = cov.uncovered.length === 0 && cov.total > 0 ? "  \u2713" : "";
+    lines.push(`  ${doc.id}  ${doc.title}${covLabel}${check}`);
+  }
+  lines.push("");
+}
+function appendDesignPrompts(lines) {
+  const designPhase = PHASE_RULES["design"];
+  if (!designPhase?.prompts) return;
+  lines.push("Prompts:");
+  for (const prompt of designPhase.prompts) {
+    lines.push(`  \u26A0 ${prompt}`);
+  }
+  lines.push("");
+}
+function appendContextGaps(lines, graph, grouped) {
+  const srsNodes = grouped.get("srs") ?? [];
+  const coverages = getSrsCoverage(graph, srsNodes);
+  const gapEntries = [];
+  for (const cov of coverages) {
+    for (const uncoveredId of cov.uncovered) {
+      gapEntries.push(`  MISSING_TEST_COVERAGE  ${uncoveredId}`);
+    }
+  }
+  if (gapEntries.length > 0) {
+    lines.push(`Gaps (${gapEntries.length}):`);
+    lines.push(...gapEntries);
+    lines.push("");
+  }
+}
+function formatUpdateList(input) {
+  const { resolvedItems, walkedNodes } = input;
+  const lines = [];
+  const docNodes = onlyDocumentNodes2(walkedNodes);
+  lines.push(`=== Trace Impact: ${docNodes.length} docs may need updates ===`);
+  lines.push("");
+  if (docNodes.length === 0) {
+    return lines.join("\n");
+  }
+  lines.push("| Document | Type | Reason |");
+  lines.push("|----------|------|--------|");
+  for (const doc of docNodes) {
+    const reason = buildUpdateReason(doc, resolvedItems);
+    lines.push(`| ${doc.id} | ${doc.type} | ${reason} |`);
+  }
+  lines.push("");
+  if (resolvedItems.length > 0) {
+    const itemNames = resolvedItems.map((i) => i.softwareItem).join(", ");
+    lines.push(`Software items touched: ${itemNames}`);
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+function buildUpdateReason(doc, items) {
+  const itemNames = items.map((i) => i.softwareItem);
+  const itemLabel = itemNames.length > 0 ? itemNames.join(", ") : "affected scope";
+  switch (doc.type) {
+    case "SRS":
+      return `implements ${itemLabel}`;
+    case "HLD":
+      return `architecture for ${itemLabel}`;
+    case "SDD":
+      return `design for ${itemLabel}`;
+    case "RISK":
+      return `analyzes requirements -- review if risk posture changed`;
+    default:
+      return `related to ${itemLabel}`;
+  }
+}
+function formatImpactTable(input) {
+  const { graph, resolvedItems, walkedNodes } = input;
+  const lines = [];
+  const docNodes = onlyDocumentNodes2(walkedNodes);
+  lines.push("## DRM Assessment (auto-generated)");
+  lines.push("");
+  appendArchSection(lines, docNodes, resolvedItems);
+  appendReqSection(lines, graph, docNodes);
+  return lines.join("\n");
+}
+function appendArchSection(lines, docNodes, items) {
+  const archDocs = docNodes.filter((n) => ["HLD", "SDD", "DDD"].includes(n.type));
+  const itemLabel = items.map((i) => i.softwareItem).join(", ");
+  lines.push("<!-- DRM:ARCH_START -->");
+  if (archDocs.length === 0) {
+    lines.push("No architecture documents affected.");
+  } else {
+    lines.push("| Action | Document | Section | Description |");
+    lines.push("|--------|----------|---------|-------------|");
+    for (const doc of archDocs) {
+      const description = itemLabel ? `${doc.title} for ${itemLabel}` : doc.title;
+      lines.push(`| UPDATE | ${doc.filePath} | - | ${description} |`);
+    }
+  }
+  lines.push("<!-- DRM:ARCH_END -->");
+  lines.push("");
+}
+function appendReqSection(lines, graph, docNodes) {
+  const srsNodes = docNodes.filter((n) => n.type === "SRS");
+  lines.push("<!-- DRM:REQ_START -->");
+  if (srsNodes.length === 0) {
+    lines.push("No requirements affected.");
+  } else {
+    lines.push("| Document | Coverage | Gaps |");
+    lines.push("|----------|----------|------|");
+    for (const srs of srsNodes) {
+      const cov = queryCoverage(graph, srs.id);
+      const covLabel = `${cov.covered.length}/${cov.total}`;
+      const gapLabel = cov.uncovered.length > 0 ? cov.uncovered.join(", ") : "-";
+      lines.push(`| ${srs.id} | ${covLabel} | ${gapLabel} |`);
+    }
+  }
+  lines.push("<!-- DRM:REQ_END -->");
+  lines.push("");
+}
+function formatGapReport(input) {
+  const { gaps } = input;
+  const lines = [];
+  lines.push("# Requirements Traceability Report");
+  lines.push("");
+  lines.push(`**Gaps found:** ${gaps.length}`);
+  lines.push("");
+  if (gaps.length === 0) {
+    lines.push("## No gaps found");
+    lines.push("");
+    lines.push("All traceability links are intact.");
+    return lines.join("\n");
+  }
+  const categories = [...new Set(gaps.map((g) => g.category))];
+  for (const cat of categories) {
+    const catGaps = gaps.filter((g) => g.category === cat);
+    const heading = cat.replace(/_/g, " ");
+    lines.push(`## ${heading}`);
+    lines.push("");
+    for (const gap of catGaps) {
+      lines.push(`- ${gap.message}`);
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+
+// src/traceability/trace-cli.ts
+function constructGraph(rootDir) {
+  const docResult = parseAllDocuments(rootDir);
+  const testResult = parseAllTests(rootDir);
+  const allNodes = [
+    ...docResult.documentNodes,
+    ...docResult.requirementNodes,
+    ...testResult.testRefNodes
+  ];
+  return buildGraph(allNodes, docResult.edges);
+}
+function configToSoftwareItemsMap(items) {
+  const result = {};
+  for (const [name, config] of Object.entries(items)) {
+    result[name] = {
+      code_paths: config.codePaths,
+      architecture: config.architecture,
+      domain: config.domain
+    };
+  }
+  return { software_items: result };
+}
+function requireSoftwareItems(items) {
+  if (!items || Object.keys(items).length === 0) {
+    throw new Error(
+      "No software_items configuration found. Create a pactosigna-trace.yaml with a software_items section."
+    );
+  }
+  return configToSoftwareItemsMap(items);
+}
+function findArchitectureNodesForDomain(graph, domain, config) {
+  const resolvedItems = [];
+  const archIdSet = /* @__PURE__ */ new Set();
+  for (const [name, entry] of Object.entries(config.software_items)) {
+    if (entry.domain === domain) {
+      resolvedItems.push({
+        softwareItem: name,
+        domain: entry.domain,
+        architecture: entry.architecture
+      });
+      for (const archId of entry.architecture) {
+        archIdSet.add(archId);
+      }
+    }
+  }
+  const archNodes = [];
+  for (const archId of archIdSet) {
+    const node = graph.nodes.get(archId);
+    if (node && node.nodeKind === "document") {
+      archNodes.push(node);
+    }
+  }
+  return { archNodes, resolvedItems };
+}
+function runTraceContext(rootDir, domain, softwareItems) {
+  const config = requireSoftwareItems(softwareItems);
+  const graph = constructGraph(rootDir);
+  const { archNodes, resolvedItems } = findArchitectureNodesForDomain(graph, domain, config);
+  if (archNodes.length === 0) {
+    const domains = [...new Set(Object.values(config.software_items).map((e) => e.domain))];
+    const lines = [
+      `No architecture nodes found for domain "${domain}".`,
+      "Available domains:",
+      ...domains.map((d) => `  ${d}`)
+    ];
+    return lines.join("\n");
+  }
+  const walkedNodes = walkArchNodes(graph, archNodes, ["requirements_chain", "risk_chain"]);
+  return formatContext({ graph, resolvedItems, walkedNodes, domain });
+}
+function runTraceImpact(rootDir, softwareItems) {
+  const config = requireSoftwareItems(softwareItems);
+  const graph = constructGraph(rootDir);
+  const changedFiles = getChangedFilesFromGit();
+  if (changedFiles.length === 0) {
+    return "No changed files detected.";
+  }
+  const resolvedItems = resolveChangedFiles(changedFiles, config);
+  if (resolvedItems.length === 0) {
+    return "Changed files do not map to any known software items.";
+  }
+  const archNodes = collectArchNodes(graph, resolvedItems);
+  const walkedNodes = walkArchNodes(graph, archNodes, [
+    "requirements_chain",
+    "architecture_docs",
+    "risk_neighbors"
+  ]);
+  return formatUpdateList({ graph, resolvedItems, walkedNodes });
+}
+function runTraceAssess(rootDir, planFile, softwareItems) {
+  const config = requireSoftwareItems(softwareItems);
+  const graph = constructGraph(rootDir);
+  let planContent;
+  try {
+    planContent = readFileSync8(planFile, "utf-8");
+  } catch {
+    return `Could not read plan file: ${planFile}`;
+  }
+  const resolvedItems = matchPlanToSoftwareItems(planContent, config);
+  if (resolvedItems.length === 0) {
+    return "No software items matched from the plan file.";
+  }
+  const archNodes = collectArchNodes(graph, resolvedItems);
+  const walkedNodes = walkArchNodes(graph, archNodes, ["requirements_chain", "risk_chain"]);
+  return formatImpactTable({ graph, resolvedItems, walkedNodes });
+}
+function collectCoverageGaps(graph, srsDocNodes) {
+  const gaps = [];
+  let totalReqs = 0;
+  let totalCovered = 0;
+  for (const srs of srsDocNodes) {
+    const cov = queryCoverage(graph, srs.id);
+    totalReqs += cov.total;
+    totalCovered += cov.covered.length;
+    for (const uncoveredId of cov.uncovered) {
+      gaps.push({
+        category: "MISSING_TEST_COVERAGE",
+        message: `${uncoveredId} \u2014 requires test but has none`,
+        requirementId: uncoveredId
+      });
+    }
+  }
+  return { gaps, totalReqs, totalCovered };
+}
+function collectOrphanTestGaps(orphanScenarios) {
+  return orphanScenarios.map((orphan) => ({
+    category: "ORPHAN_TEST",
+    message: `${orphan.file}: "${orphan.name}" \u2014 scenario has no @req tag`,
+    testFile: orphan.file
+  }));
+}
+function collectInvalidRefGaps(graph) {
+  const gaps = [];
+  for (const node of graph.nodes.values()) {
+    if (node.nodeKind === "test_ref") {
+      const reqExists = graph.nodes.has(node.requirementId);
+      if (!reqExists) {
+        gaps.push({
+          category: "INVALID_REQ_REFERENCE",
+          message: `${node.file}: @req(${node.requirementId}) \u2014 requirement does not exist`,
+          requirementId: node.requirementId,
+          testFile: node.file
+        });
+      }
+    }
+  }
+  return gaps;
+}
+function collectBrokenTraceGaps(graph) {
+  const gaps = [];
+  for (const edge of graph.edges) {
+    const fromExists = graph.nodes.has(edge.from);
+    const toExists = graph.nodes.has(edge.to);
+    if (!fromExists || !toExists) {
+      const missingId = !toExists ? edge.to : edge.from;
+      const existingId = !toExists ? edge.from : edge.to;
+      gaps.push({
+        category: "BROKEN_TRACE",
+        message: `${existingId} --(${edge.linkType})--> ${missingId} \u2014 target does not exist`
+      });
+    }
+  }
+  return gaps;
+}
+function runTraceCheck(rootDir) {
+  const graph = constructGraph(rootDir);
+  const testResult = parseAllTests(rootDir);
+  const srsDocNodes = findSrsDocumentNodes(graph);
+  const coverage = collectCoverageGaps(graph, srsDocNodes);
+  const gaps = [
+    ...coverage.gaps,
+    ...collectOrphanTestGaps(testResult.orphanScenarios),
+    ...collectInvalidRefGaps(graph),
+    ...collectBrokenTraceGaps(graph)
+  ];
+  const pct = coverage.totalReqs > 0 ? (coverage.totalCovered / coverage.totalReqs * 100).toFixed(1) : "0.0";
+  const lines = [];
+  lines.push(
+    `Test coverage: ${coverage.totalCovered}/${coverage.totalReqs} testable requirements (${pct}%)`
+  );
+  lines.push(`SRS documents: ${srsDocNodes.length}`);
+  lines.push("");
+  const gapOutput = formatGapReport({
+    graph,
+    resolvedItems: [],
+    walkedNodes: [],
+    gaps
+  });
+  lines.push(gapOutput);
+  const passed = gaps.length === 0;
+  if (!passed) {
+    lines.push(`
+Trace check FAILED: ${gaps.length} gap(s) found.`);
+  } else {
+    lines.push("\nTrace check PASSED: all traceability links are intact.");
+  }
+  return {
+    output: lines.join("\n"),
+    gapCount: gaps.length,
+    passed
+  };
+}
+function collectArchNodes(graph, items) {
+  const archIds = new Set(items.flatMap((i) => i.architecture));
+  const archNodes = [];
+  for (const archId of archIds) {
+    const node = graph.nodes.get(archId);
+    if (node && node.nodeKind === "document") {
+      archNodes.push(node);
+    }
+  }
+  return archNodes;
+}
+function walkArchNodes(graph, archNodes, strategies2) {
+  const seen = /* @__PURE__ */ new Set();
+  const result = [];
+  for (const archNode of archNodes) {
+    const walked = walkStrategies(strategies2, graph, archNode);
+    for (const node of walked) {
+      if (!seen.has(node.id)) {
+        seen.add(node.id);
+        result.push(node);
+      }
+    }
+  }
+  return result;
+}
+function findSrsDocumentNodes(graph) {
+  const result = [];
+  for (const node of graph.nodes.values()) {
+    if (node.nodeKind === "document" && node.type === "SRS") {
+      result.push(node);
+    }
+  }
+  return result;
+}
+function matchPlanToSoftwareItems(planContent, config) {
+  const contentLower = planContent.toLowerCase();
+  const matched = [];
+  for (const [name, entry] of Object.entries(config.software_items)) {
+    const keywords = [name, entry.domain, ...name.split("-")].filter((k) => k.length > 2);
+    const isMatch = keywords.some((kw) => contentLower.includes(kw.toLowerCase()));
+    if (isMatch) {
+      matched.push({
+        softwareItem: name,
+        domain: entry.domain,
+        architecture: entry.architecture
+      });
+    }
+  }
+  return matched;
+}
+
+// src/test-report/index.ts
+import { existsSync } from "fs";
+import { join as join9 } from "path";
+
+// src/test-report/parse-results.ts
+import { readFileSync as readFileSync9 } from "fs";
+function extractReqIds(text) {
+  return [...text.matchAll(/@req[\s-]((?:PRS|SRS)-[A-Z]+-\d+\.\d+)/g)].map((m) => m[1]).filter((id) => id !== void 0);
+}
+function parseVitestResults(jsonPath) {
+  const raw = readFileSync9(jsonPath, "utf-8");
+  const data = JSON.parse(raw);
+  const suites = [];
+  for (const fileResult of data.testResults) {
+    const tests = [];
+    for (const assertion of fileResult.assertionResults) {
+      const fullName = [...assertion.ancestorTitles, assertion.title].join(" > ");
+      const reqIds = extractReqIds(fullName);
+      tests.push({
+        name: fullName,
+        file: fileResult.name,
+        status: assertion.status === "pending" ? "skipped" : assertion.status,
+        duration: assertion.duration ?? 0,
+        errorMessage: assertion.failureMessages.length > 0 ? assertion.failureMessages[0] : void 0,
+        requirementIds: reqIds
+      });
+    }
+    suites.push({
+      name: fileResult.name,
+      file: fileResult.name,
+      tests,
+      duration: fileResult.endTime - fileResult.startTime
+    });
+  }
+  return suites;
+}
+function flattenSuites(suite, parentFile) {
+  const results = [];
+  const file = suite.file || parentFile;
+  for (const spec of suite.specs) {
+    const reqIds = spec.tags.flatMap(
+      (t) => [...t.matchAll(/@req-((?:PRS|SRS)-[A-Z]+-\d+\.\d+)/g)].map((m) => m[1]).filter((id) => id !== void 0)
+    );
+    for (const test of spec.tests) {
+      const lastResult = test.results[test.results.length - 1];
+      let status;
+      if (test.status === "expected") status = "passed";
+      else if (test.status === "skipped") status = "skipped";
+      else status = "failed";
+      results.push({
+        name: `${suite.title} > ${spec.title}`,
+        file,
+        status,
+        duration: lastResult?.duration ?? 0,
+        errorMessage: lastResult?.error?.message,
+        requirementIds: reqIds
+      });
+    }
+  }
+  if (suite.suites) {
+    for (const child of suite.suites) {
+      results.push(...flattenSuites(child, file));
+    }
+  }
+  return results;
+}
+function parsePlaywrightResults(jsonPath) {
+  const raw = readFileSync9(jsonPath, "utf-8");
+  const data = JSON.parse(raw);
+  const suites = [];
+  for (const suite of data.suites) {
+    const tests = flattenSuites(suite, suite.file);
+    const duration = tests.reduce((sum, t) => sum + t.duration, 0);
+    suites.push({
+      name: suite.title || suite.file,
+      file: suite.file,
+      tests,
+      duration
+    });
+  }
+  return suites;
+}
+
+// src/test-report/build-report.ts
+import { execSync as execSync3 } from "child_process";
+function buildSTRReport(unitSuites, e2eSuites) {
+  const allSuites = [...unitSuites, ...e2eSuites];
+  const allTests = allSuites.flatMap((s) => s.tests);
+  const totalDuration = allSuites.reduce((sum, s) => sum + s.duration, 0);
+  let passed = 0;
+  let failed = 0;
+  let skipped = 0;
+  const failures = [];
+  const reqMap = /* @__PURE__ */ new Map();
+  for (const test of allTests) {
+    if (test.status === "passed") passed++;
+    else if (test.status === "failed") {
+      failed++;
+      failures.push(test);
+    } else skipped++;
+    for (const reqId of test.requirementIds) {
+      const existing = reqMap.get(reqId) ?? [];
+      existing.push({ name: test.name, file: test.file, status: test.status });
+      reqMap.set(reqId, existing);
+    }
+  }
+  const total = allTests.length;
+  const unitTestCount = unitSuites.reduce((n, s) => n + s.tests.length, 0);
+  const e2eTestCount = e2eSuites.reduce((n, s) => n + s.tests.length, 0);
+  const requirementCoverage = [...reqMap.entries()].sort(([a], [b]) => a.localeCompare(b)).map(([requirementId, tests]) => ({
+    requirementId,
+    tests,
+    allPassed: tests.every((t) => t.status === "passed")
+  }));
+  let gitCommit = "unknown";
+  let gitBranch = "unknown";
+  try {
+    gitCommit = execSync3("git rev-parse --short HEAD", { encoding: "utf-8" }).trim();
+    gitBranch = execSync3("git branch --show-current", { encoding: "utf-8" }).trim();
+  } catch {
+  }
+  return {
+    title: "Software Test Report (STR)",
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    environment: {
+      nodeVersion: process.version,
+      platform: process.platform,
+      gitCommit,
+      gitBranch
+    },
+    summary: {
+      totalTests: total,
+      passed,
+      failed,
+      skipped,
+      passRate: total > 0 ? Math.round(passed / total * 100) : 0,
+      totalDuration,
+      unitTestCount,
+      e2eTestCount
+    },
+    suites: allSuites,
+    requirementCoverage,
+    failures
+  };
+}
+
+// src/test-report/format-str.ts
+function formatSTR(report) {
+  const lines = [];
+  lines.push(`# ${report.title}`);
+  lines.push("");
+  lines.push("| Field | Value |");
+  lines.push("| ----- | ----- |");
+  lines.push(`| Generated | ${report.generatedAt} |`);
+  lines.push(`| Standard | IEC 62304:2015 \xA75.7 |`);
+  lines.push(`| Node.js | ${report.environment.nodeVersion} |`);
+  lines.push(`| Platform | ${report.environment.platform} |`);
+  lines.push(`| Git Commit | ${report.environment.gitCommit} |`);
+  lines.push(`| Git Branch | ${report.environment.gitBranch} |`);
+  lines.push("");
+  lines.push("## 1. Test Summary");
+  lines.push("");
+  lines.push("| Metric | Count |");
+  lines.push("| ------ | ----- |");
+  lines.push(`| Total Tests | ${report.summary.totalTests} |`);
+  lines.push(`| Passed | ${report.summary.passed} |`);
+  lines.push(`| Failed | ${report.summary.failed} |`);
+  lines.push(`| Skipped | ${report.summary.skipped} |`);
+  lines.push(`| Pass Rate | ${report.summary.passRate}% |`);
+  lines.push(`| Unit Tests | ${report.summary.unitTestCount} |`);
+  lines.push(`| E2E Tests | ${report.summary.e2eTestCount} |`);
+  lines.push(`| Total Duration | ${formatDuration(report.summary.totalDuration)} |`);
+  lines.push("");
+  lines.push("## 2. Test Results by Suite");
+  lines.push("");
+  for (const suite of report.suites) {
+    const suitePassed = suite.tests.filter((t) => t.status === "passed").length;
+    const suiteTotal = suite.tests.length;
+    lines.push(`### ${suite.name}`);
+    lines.push("");
+    lines.push(`**${suitePassed}/${suiteTotal} passed** (${formatDuration(suite.duration)})`);
+    lines.push("");
+    lines.push("| Test | Status | Duration | Requirements |");
+    lines.push("| ---- | ------ | -------- | ------------ |");
+    for (const test of suite.tests) {
+      const statusIcon = test.status === "passed" ? "PASS" : test.status === "failed" ? "FAIL" : "SKIP";
+      const reqs = test.requirementIds.length > 0 ? test.requirementIds.join(", ") : "\u2014";
+      lines.push(
+        `| ${escapeMarkdown(test.name)} | ${statusIcon} | ${formatDuration(test.duration)} | ${reqs} |`
+      );
+    }
+    lines.push("");
+  }
+  lines.push("## 3. Requirement Verification Results");
+  lines.push("");
+  if (report.requirementCoverage.length === 0) {
+    lines.push("No test-to-requirement traceability tags found.");
+  } else {
+    lines.push("| Requirement | Tests | Result |");
+    lines.push("| ----------- | ----- | ------ |");
+    for (const entry of report.requirementCoverage) {
+      const testCount = entry.tests.length;
+      const result = entry.allPassed ? "VERIFIED" : "FAILED";
+      lines.push(`| ${entry.requirementId} | ${testCount} test(s) | ${result} |`);
+    }
+  }
+  lines.push("");
+  lines.push("## 4. Failures and Anomalies");
+  lines.push("");
+  if (report.failures.length === 0) {
+    lines.push("No test failures recorded.");
+  } else {
+    for (const failure of report.failures) {
+      lines.push(`### ${escapeMarkdown(failure.name)}`);
+      lines.push("");
+      lines.push(`- **File:** ${failure.file}`);
+      lines.push(`- **Requirements:** ${failure.requirementIds.join(", ") || "\u2014"}`);
+      if (failure.errorMessage) {
+        lines.push("- **Error:**");
+        lines.push("```");
+        lines.push(failure.errorMessage.slice(0, 500));
+        lines.push("```");
+      }
+      lines.push("");
+    }
+  }
+  lines.push("## 5. Conclusion");
+  lines.push("");
+  if (report.summary.failed === 0) {
+    lines.push(
+      "All tests passed. The software meets its verification criteria as defined in the Software Test Plan (STP-001)."
+    );
+  } else {
+    lines.push(
+      `**${report.summary.failed} test(s) failed.** The software does NOT meet all verification criteria. Failed tests must be investigated and resolved before release.`
+    );
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  const seconds = (ms / 1e3).toFixed(1);
+  return `${seconds}s`;
+}
+function escapeMarkdown(text) {
+  return text.replace(/\|/g, "\\|").replace(/\n/g, " ");
+}
+
+// src/test-report/index.ts
+function generateTestReport(options = {}) {
+  const root = options.rootDir ?? process.cwd();
+  const vitestFile = options.vitestJsonPath ?? join9(root, "test-results", "vitest-results.json");
+  const playwrightFile = options.playwrightJsonPath ?? join9(root, "test-results", "playwright-results.json");
+  let unitSuites = [];
+  let e2eSuites = [];
+  if (existsSync(vitestFile)) {
+    unitSuites = parseVitestResults(vitestFile);
+  }
+  if (existsSync(playwrightFile)) {
+    e2eSuites = parsePlaywrightResults(playwrightFile);
+  }
+  if (unitSuites.length === 0 && e2eSuites.length === 0) {
+    return null;
+  }
+  const report = buildSTRReport(unitSuites, e2eSuites);
+  return formatSTR(report);
+}
+
+// src/validation-report/index.ts
+import { execSync as execSync4 } from "child_process";
+function resolveGitContext(rootDir) {
+  try {
+    return {
+      commit: execSync4("git rev-parse --short HEAD", { cwd: rootDir, encoding: "utf-8" }).trim(),
+      branch: execSync4("git branch --show-current", { cwd: rootDir, encoding: "utf-8" }).trim(),
+      tag: execSync4('git describe --tags --abbrev=0 2>/dev/null || echo "untagged"', {
+        cwd: rootDir,
+        encoding: "utf-8"
+      }).trim()
+    };
+  } catch {
+    return { commit: "unknown", branch: "unknown", tag: "untagged" };
+  }
+}
+function generateVSR(options) {
+  const { rootDir } = options;
+  const git = options.gitContext ?? resolveGitContext(rootDir);
+  const rtmResult = runLegacyTraceability({ rootDir, mode: "rtm" });
+  const strOutput = generateTestReport({
+    rootDir,
+    vitestJsonPath: options.vitestJsonPath,
+    playwrightJsonPath: options.playwrightJsonPath
+  });
+  return [
+    "# Validation Summary Report",
+    "",
+    `**Generated:** ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    `**Commit:** ${git.commit} (${git.branch})`,
+    `**Tag:** ${git.tag}`,
+    "",
+    "## \xA75.8.1 Scope",
+    "",
+    "This Validation Summary Report (VSR) provides evidence that the software",
+    "has been validated per IEC 62304:2006+A1:2015 \xA75.8.",
+    "",
+    "## \xA75.8.2 Requirements Traceability Matrix",
+    "",
+    rtmResult.output,
+    "",
+    "## \xA75.8.3 Software Test Report",
+    "",
+    strOutput ?? "_No test results available._",
+    "",
+    "## \xA75.8.4 Risk Management",
+    "",
+    "Risk analysis is maintained in `docs/risk/analysis/RA-001.md`.",
+    "STRIDE security risk analysis is maintained in `docs/cybersecurity/risks/`.",
+    "",
+    "## \xA75.8.5 Conclusion",
+    "",
+    rtmResult.gapCount === 0 ? "All testable requirements have been verified. The software meets its specified requirements." : `**${rtmResult.gapCount} gap(s) remain.** Review the RTM section above for details.`
+  ].join("\n");
+}
+export {
+  FilesystemDocumentLoader,
+  buildDocumentChainGaps,
+  buildSTRReport,
+  buildTraceabilityReport,
+  diffGaps,
+  extractReqMarkersFromTestFile,
+  extractReqTagsFromFeature,
+  findOrphanScenarios,
+  formatSTR,
+  generateTestReport,
+  generateVSR,
+  loadTraceConfig,
+  parsePlaywrightResults,
+  parseRequirementsFromMarkdown,
+  parseVitestResults,
+  runLegacyTraceability,
+  runTraceAssess,
+  runTraceCheck,
+  runTraceContext,
+  runTraceImpact,
+  scanBaselineGaps
+};