@tantainnovative/ndpr-toolkit 3.4.1 → 3.5.0

package/dist/core.d.mts

@@ -1,23 +1,2049 @@
-export { C as ConsentOption, a as ConsentSettings, b as ConsentStorageOptions, L as LawfulBasisType } from './consent-CmVzqZUk.mjs';
-export { D as DSRRequest, a as DSRStatus, b as DSRType, R as RequestStatus, c as RequestType } from './dsr-yKbqX531.mjs';
-export { D as DPIAQuestion, a as DPIAResult, b as DPIARisk, c as DPIASection } from './dpia-c9GiiOq0.mjs';
-export { B as BreachCategory, a as BreachReport, N as NotificationRequirement, R as RegulatoryNotification, b as RiskAssessment } from './breach-Eu9byel8.mjs';
-export { O as OrganizationInfo, P as PolicySection, a as PolicyTemplate, b as PolicyVariable, c as PrivacyPolicy } from './privacy-Ca6te9Ir.mjs';
-export { L as LawfulBasis, a as LawfulBasisSummary, b as LegitimateInterestAssessment, P as ProcessingActivity, S as SensitiveDataCondition } from './lawful-basis-Cv1VmDLn.mjs';
-export { A as AdequacyStatus, C as CrossBorderSummary, a as CrossBorderTransfer, T as TransferImpactAssessment, b as TransferMechanism } from './cross-border-UyT00llA.mjs';
-export { P as ProcessingRecord, R as ROPASummary, a as RecordOfProcessingActivities } from './ropa-CFHuT7jE.mjs';
-export { L as LawfulBasisComplianceGap, a as LawfulBasisValidationResult, b as assessComplianceGaps, g as generateLawfulBasisSummary, c as getLawfulBasisDescription, v as validateProcessingActivity } from './lawful-basis-C2eGaoHM.mjs';
-export { T as TransferRiskResult, a as TransferValidationResult, b as assessTransferRisk, g as getTransferMechanismDescription, i as isNDPCApprovalRequired, v as validateTransfer } from './cross-border-BBi9rZyO.mjs';
-export { R as ROPAComplianceGap, a as ROPAValidationResult, e as exportROPAToCSV, g as generateROPASummary, i as identifyComplianceGaps, v as validateProcessingRecord } from './ropa-NIgxd8uP.mjs';
-export { N as NDPRConfig, a as NDPRProvider, u as useNDPRConfig, b as useNDPRLocale } from './NDPRProvider-U3QNu6MA.mjs';
-export { N as NDPRLocale, d as defaultLocale, s as sanitizeInput } from './sanitize-CxxwKxAx.mjs';
-export { h as hausaLocale, i as igboLocale, m as mergeLocale, p as pidginLocale, y as yorubaLocale } from './locale-CxJx2tzn.mjs';
-export { C as ConsentAuditEntry, a as appendAuditEntry, c as createAuditEntry, g as getAuditLog, v as validateConsent, b as validateConsentOptions } from './consent-audit-BdByjYlM.mjs';
-export { f as formatDSRRequest } from './dsr-XZ_HqTlA.mjs';
-export { a as assessDPIARisk } from './dpia-DQDFw2_l.mjs';
-export { c as calculateBreachSeverity } from './breach-B_-6lDqS.mjs';
-export { D as DEFAULT_POLICY_SECTIONS, a as DEFAULT_POLICY_VARIABLES, c as createBusinessPolicyTemplate, f as findUnfilledTokens, g as generatePolicyText } from './policy-templates-DwYl2329.mjs';
-export { C as ComplianceGap, a as ComplianceResult, b as CustomSection, D as DataCategory, P as PolicyDraft, T as TemplateContext, c as ThirdPartyProcessor, d as createDefaultContext } from './policy-engine-5qTfp2z4.mjs';
-export { a as assemblePolicy, e as evaluatePolicyCompliance } from './policy-sections-CBWcJv-R.mjs';
-export { C as ComplianceInput, a as ComplianceRating, b as ComplianceReport, E as EffortLevel, M as ModuleScore, R as Recommendation, c as RecommendationPriority, d as RegulatoryReference, g as getComplianceScore } from './compliance-score-racQe_E_.mjs';
-import 'react';
+import { ErrorInfo } from 'react';
+import React__default from 'react';
+import { ReactNode } from 'react';
+
+/**
+ * Adequacy status of a destination country
+ */
+export declare type AdequacyStatus = 'adequate' | 'inadequate' | 'pending_review' | 'unknown';
+
+/**
+ * Appends a single audit entry to the consent audit log in localStorage.
+ * The log is append-only; existing entries are never modified.
+ *
+ * @param entry     - The audit entry to append
+ * @param storageKey - Base storage key (the audit key is derived as `${storageKey}_audit`)
+ */
+export declare function appendAuditEntry(entry: ConsentAuditEntry, storageKey?: string): void;
+
+/**
+ * Assemble an ordered, NDPA-aligned array of privacy-policy sections from
+ * a {@link TemplateContext}. This is the canonical "compute the policy"
+ * function — it produces structured `PolicySection[]` data that downstream
+ * renderers (`exportHTML`, `exportMarkdown`, `exportPDF`, `exportDOCX`,
+ * `<PolicyPage />`) consume.
+ *
+ * Section composition:
+ * - **Core sections** (always included): Introduction, Data Collection,
+ *   Legal Basis, Data Usage, Data Sharing, Data Retention, Data Security,
+ *   Data Subject Rights, Contact Information.
+ * - **Conditional sections** (included based on context flags):
+ *   - `hasChildrenData` → Children's Data Protection (NDPA §31)
+ *   - `hasSensitiveData` → Sensitive / Special-Category Data
+ *   - `hasCrossBorderTransfer` → Cross-Border Transfers (NDPA Part VI)
+ *   - `hasAutomatedDecisions` → Automated Decision-Making (NDPA §37)
+ *
+ * Section text uses `«TODO: fieldName»` markers (see {@link UNFILLED_PREFIX})
+ * for any required org-info field that's empty in the context. Pair with
+ * {@link findUnfilledTokens} to surface those before publishing.
+ *
+ * @param context - Organisation info, data categories, processing purposes,
+ *                  third-party processors, and feature flags. Build a default
+ *                  context with `createDefaultContext()` then mutate.
+ * @returns An ordered array of {@link PolicySection} objects ready to pass
+ *          to `exportHTML(policy)` or `<PolicyPage policy={...} />`.
+ *
+ * @example
+ * ```ts
+ * import { assemblePolicy, createDefaultContext } from '@tantainnovative/ndpr-toolkit/server';
+ *
+ * const ctx = createDefaultContext();
+ * ctx.org.name = 'Acme Nigeria Ltd';
+ * ctx.org.privacyEmail = 'privacy@acme.ng';
+ * ctx.hasCrossBorderTransfer = true;
+ *
+ * const sections = assemblePolicy(ctx);
+ * // sections is a 10-element array (9 core + 1 cross-border)
+ * ```
+ */
+export declare function assemblePolicy(context: TemplateContext): PolicySection[];
+
+/**
+ * Analyzes all processing activities and returns compliance gaps including
+ * missing DPO approval, overdue reviews, undocumented justifications,
+ * missing LIA for legitimate interests, and other documentation issues.
+ *
+ * @param activities Array of processing activities to analyze
+ * @returns Array of identified compliance gaps
+ */
+export declare function assessComplianceGaps(activities: ProcessingActivity[]): LawfulBasisComplianceGap[];
+
+/**
+ * Assesses the risk level of a DPIA based on the identified risks
+ * @param dpiaResult The DPIA result containing risks to assess
+ * @returns Assessment result with overall risk level and recommendations
+ */
+export declare function assessDPIARisk(dpiaResult: DPIAResult): {
+    overallRiskLevel: 'low' | 'medium' | 'high' | 'critical';
+    requiresConsultation: boolean;
+    canProceed: boolean;
+    recommendations: string[];
+};
+
+/**
+ * Performs a basic risk assessment of a cross-border transfer based on adequacy status,
+ * transfer mechanism, and data sensitivity.
+ *
+ * @param transfer The cross-border transfer to assess
+ * @returns Risk assessment result with score, factors, and recommendations
+ */
+export declare function assessTransferRisk(transfer: CrossBorderTransfer): TransferRiskResult;
+
+/**
+ * Breach notification types aligned with NDPA 2023 Section 40
+ * Data controllers must notify the NDPC within 72 hours of becoming aware of a breach
+ * Data subjects must be notified without undue delay when breach is likely to result in high risk
+ */
+/**
+ * Represents a data breach category
+ */
+export declare interface BreachCategory {
+    /** Unique identifier for the category */
+    id: string;
+    /** Display name for the category */
+    name: string;
+    /** Description of this breach category */
+    description: string;
+    /** Default severity level for this category */
+    defaultSeverity: 'low' | 'medium' | 'high' | 'critical';
+}
+
+/**
+ * Represents a data breach report
+ */
+export declare interface BreachReport {
+    /** Unique identifier for the breach report */
+    id: string;
+    /** Title/summary of the breach */
+    title: string;
+    /** Detailed description of the breach */
+    description: string;
+    /** Category of the breach */
+    category: string;
+    /** Timestamp when the breach was discovered */
+    discoveredAt: number;
+    /** Timestamp when the breach occurred (if known) */
+    occurredAt?: number;
+    /** Timestamp when the breach was reported internally */
+    reportedAt: number;
+    /** Person who reported the breach */
+    reporter: {
+        name: string;
+        email: string;
+        department: string;
+        phone?: string;
+    };
+    /** Systems or data affected by the breach */
+    affectedSystems: string[];
+    /** Types of data involved in the breach */
+    dataTypes: string[];
+    /** Whether sensitive personal data is involved (NDPA Section 27) */
+    involvesSensitiveData?: boolean;
+    /** Estimated number of data subjects affected */
+    estimatedAffectedSubjects?: number;
+    /** Whether the breach is ongoing or contained */
+    status: 'ongoing' | 'contained' | 'resolved';
+    /** Initial actions taken to address the breach */
+    initialActions?: string;
+    /** Attachments related to the breach */
+    attachments?: Array<{
+        id: string;
+        name: string;
+        type: string;
+        url: string;
+        addedAt: number;
+    }>;
+}
+
+/**
+ * Calculates the severity of a data breach based on various factors
+ * @param report The breach report
+ * @param assessment The risk assessment (if available)
+ * @returns The calculated severity and notification requirements
+ */
+export declare function calculateBreachSeverity(report: BreachReport, assessment?: RiskAssessment): {
+    severityLevel: 'low' | 'medium' | 'high' | 'critical';
+    notificationRequired: boolean;
+    urgentNotificationRequired: boolean;
+    timeframeHours: number;
+    justification: string;
+};
+
+/** A single gap found during NDPA compliance evaluation. */
+export declare interface ComplianceGap {
+    /** Machine-readable requirement identifier. */
+    requirementId: string;
+    /** Human-readable name of the requirement. */
+    requirement: string;
+    /** Reference to the relevant NDPA section. */
+    ndpaSection: string;
+    /** How severe the gap is. */
+    severity: 'critical' | 'important' | 'recommended';
+    /** Explanation of what is missing. */
+    message: string;
+    /** Suggested fix type for the UI. */
+    fixType: 'add_section' | 'add_content' | 'fill_field';
+    /** Label for the fix action button. */
+    fixLabel: string;
+    /** Pre-written content the user can insert to close the gap. */
+    suggestedContent?: string;
+}
+
+export declare interface ComplianceInput {
+    consent: {
+        hasConsentMechanism: boolean;
+        hasPurposeSpecification: boolean;
+        hasWithdrawalMechanism: boolean;
+        hasMinorProtection: boolean;
+        consentRecordsRetained: boolean;
+    };
+    dsr: {
+        hasRequestMechanism: boolean;
+        supportsAccess: boolean;
+        supportsRectification: boolean;
+        supportsErasure: boolean;
+        supportsPortability: boolean;
+        supportsObjection: boolean;
+        /** Expected max response time in days (>30 counts as a gap) */
+        responseTimelineDays: number;
+    };
+    dpia: {
+        conductedForHighRisk: boolean;
+        documentedRisks: boolean;
+        mitigationMeasures: boolean;
+    };
+    breach: {
+        hasNotificationProcess: boolean;
+        notifiesWithin72Hours: boolean;
+        hasRiskAssessment: boolean;
+        hasRecordKeeping: boolean;
+    };
+    policy: {
+        hasPrivacyPolicy: boolean;
+        isPubliclyAccessible: boolean;
+        /** ISO date string (YYYY-MM-DD); >13 months old counts as a gap */
+        lastUpdated: string;
+        coversAllSections: boolean;
+    };
+    lawfulBasis: {
+        documentedForAllProcessing: boolean;
+        hasLegitimateInterestAssessment: boolean;
+    };
+    crossBorder: {
+        hasTransferMechanisms: boolean;
+        adequacyAssessed: boolean;
+        ndpcApprovalObtained: boolean;
+    };
+    ropa: {
+        maintained: boolean;
+        includesAllProcessing: boolean;
+        /** ISO date string (YYYY-MM-DD); >6 months since review counts as a gap */
+        lastReviewed: string;
+    };
+}
+
+/**
+ * Compliance Score Engine
+ *
+ * Evaluates an organisation's NDPA compliance posture across eight modules and
+ * returns a scored, rated report with per-module breakdowns and sorted
+ * recommendations.
+ *
+ * Pure utility — zero React dependency.
+ */
+export declare type ComplianceRating = 'excellent' | 'good' | 'needs-work' | 'critical';
+
+export declare interface ComplianceReport {
+    /** Overall compliance score, 0–100 */
+    score: number;
+    /** Rating bucket */
+    rating: ComplianceRating;
+    /** Per-module breakdown keyed by module name */
+    modules: Record<string, ModuleScore>;
+    /** Recommendations sorted by priority (critical first) */
+    recommendations: Recommendation[];
+    /** Top-level regulatory references */
+    regulatoryReferences: RegulatoryReference[];
+    /** ISO date of when the report was generated */
+    generatedAt: string;
+}
+
+/** Result of evaluating a policy against NDPA requirements. */
+export declare interface ComplianceResult {
+    /** Points earned. */
+    score: number;
+    /** Maximum achievable points (115). */
+    maxScore: number;
+    /** Percentage score (0-100). */
+    percentage: number;
+    /** Overall compliance rating. */
+    rating: 'compliant' | 'nearly_compliant' | 'not_compliant';
+    /** List of identified compliance gaps. */
+    gaps: ComplianceGap[];
+    /** List of requirement ids that passed. */
+    passed: string[];
+}
+
+/**
+ * Represents a single entry in the consent audit trail.
+ * Each entry captures what happened, when, and the full consent state
+ * at that point in time, satisfying NDPA recordkeeping requirements.
+ */
+export declare interface ConsentAuditEntry {
+    /** The type of consent action that occurred */
+    action: 'consent_given' | 'consent_withdrawn' | 'consent_updated' | 'consent_expired';
+    /** Unix timestamp (ms) when the action occurred */
+    timestamp: number;
+    /** Version of the consent form at the time of the action */
+    version: string;
+    /** Full snapshot of consent category states */
+    categories: Record<string, boolean>;
+    /** How consent was collected (e.g. "banner", "customize", "api") */
+    method: string;
+    /** Browser user-agent string for forensic traceability */
+    userAgent?: string;
+}
+
+/**
+ * Consent types aligned with NDPA 2023 Section 25-26
+ * Consent must be freely given, specific, informed, and unambiguous
+ */
+/**
+ * Represents a consent option that can be presented to users
+ */
+export declare interface ConsentOption {
+    /** Unique identifier for the consent option */
+    id: string;
+    /** Display label for the consent option */
+    label: string;
+    /** Detailed description of what this consent option covers */
+    description: string;
+    /** Whether this consent option is required (cannot be declined) */
+    required: boolean;
+    /**
+     * The specific purpose for which data will be processed
+     * NDPA Section 25(2) requires consent to be specific to each purpose
+     */
+    purpose: string;
+    /**
+     * Default state of the consent option
+     * @default false
+     */
+    defaultValue?: boolean;
+    /**
+     * Categories of personal data covered by this consent option
+     */
+    dataCategories?: string[];
+}
+
+/**
+ * Represents the user's consent settings
+ */
+export declare interface ConsentSettings {
+    /** Map of consent option IDs to boolean values indicating consent status */
+    consents: Record<string, boolean>;
+    /** Timestamp when consent was last updated */
+    timestamp: number;
+    /** Version of the consent form that was accepted */
+    version: string;
+    /** Method used to collect consent (e.g., "banner", "settings", "api") */
+    method: string;
+    /** Whether the user has actively made a choice (as opposed to default settings) */
+    hasInteracted: boolean;
+    /**
+     * The lawful basis under which processing is conducted
+     * Required by NDPA Section 25(1)
+     */
+    lawfulBasis?: LawfulBasisType;
+}
+
+/**
+ * Represents the storage mechanism for consent settings
+ */
+export declare interface ConsentStorageOptions {
+    /**
+     * Storage key for consent settings
+     * @default "ndpr_consent"
+     */
+    storageKey?: string;
+    /**
+     * Storage type to use
+     * @default "localStorage"
+     */
+    storageType?: 'localStorage' | 'sessionStorage' | 'cookie';
+    /**
+     * Cookie options (only used when storageType is "cookie")
+     */
+    cookieOptions?: {
+        /** Domain for the cookie */
+        domain?: string;
+        /**
+         * Path for the cookie
+         * @default "/"
+         */
+        path?: string;
+        /**
+         * Expiration days for the cookie
+         * @default 365
+         */
+        expires?: number;
+        /**
+         * Whether the cookie should be secure
+         * @default true
+         */
+        secure?: boolean;
+        /**
+         * SameSite attribute for the cookie
+         * @default "Lax"
+         */
+        sameSite?: 'Strict' | 'Lax' | 'None';
+    };
+}
+
+/**
+ * Creates a new audit entry from consent settings. If `previousSettings` is
+ * provided, the action is automatically determined by comparing old and new
+ * states. Otherwise `action` defaults to `'consent_given'`.
+ */
+export declare function createAuditEntry(settings: ConsentSettings, previousSettings?: ConsentSettings | null, actionOverride?: ConsentAuditEntry['action']): ConsentAuditEntry;
+
+/**
+ * Creates a complete business privacy policy template with default
+ * NDPA-compliant sections and variables.
+ *
+ * @returns An object containing the default sections and variables.
+ */
+export declare function createBusinessPolicyTemplate(): {
+    sections: PolicySection[];
+    variables: PolicyVariable[];
+};
+
+/**
+ * Creates a default TemplateContext with sensible empty/initial values.
+ * Useful for initialising the wizard state before the user begins editing.
+ */
+export declare function createDefaultContext(): TemplateContext;
+
+/**
+ * Summary of cross-border transfer compliance
+ */
+export declare interface CrossBorderSummary {
+    /** Total number of active transfers */
+    totalActiveTransfers: number;
+    /** Breakdown by transfer mechanism */
+    byMechanism: Record<TransferMechanism, number>;
+    /** Breakdown by adequacy status */
+    byAdequacy: Record<AdequacyStatus, number>;
+    /** Transfers pending NDPC approval */
+    pendingApproval: CrossBorderTransfer[];
+    /** Transfers due for review */
+    dueForReview: CrossBorderTransfer[];
+    /** Transfers missing TIA */
+    missingTIA: CrossBorderTransfer[];
+    /** High-risk transfers */
+    highRiskTransfers: CrossBorderTransfer[];
+    /** Last updated timestamp */
+    lastUpdated: number;
+}
+
+/**
+ * Represents a cross-border data transfer record
+ */
+export declare interface CrossBorderTransfer {
+    /** Unique identifier */
+    id: string;
+    /** Destination country or territory */
+    destinationCountry: string;
+    /** ISO country code */
+    destinationCountryCode?: string;
+    /** Adequacy status of the destination */
+    adequacyStatus: AdequacyStatus;
+    /** The transfer mechanism being relied upon */
+    transferMechanism: TransferMechanism;
+    /** Categories of personal data being transferred */
+    dataCategories: string[];
+    /** Whether sensitive personal data is included */
+    includesSensitiveData: boolean;
+    /** Estimated number of data subjects whose data is transferred */
+    estimatedDataSubjects?: number;
+    /** Name of the recipient organization */
+    recipientOrganization: string;
+    /** Contact details of the recipient */
+    recipientContact: {
+        name: string;
+        email: string;
+        phone?: string;
+        address?: string;
+    };
+    /** Purpose of the data transfer */
+    purpose: string;
+    /** Safeguards in place to protect the data */
+    safeguards: string[];
+    /** Risk assessment summary */
+    riskAssessment: string;
+    /** Risk level of the transfer */
+    riskLevel: 'low' | 'medium' | 'high';
+    /** NDPC approval details (required for some transfer mechanisms) */
+    ndpcApproval?: {
+        required: boolean;
+        applied: boolean;
+        approved?: boolean;
+        referenceNumber?: string;
+        appliedAt?: number;
+        approvedAt?: number;
+    };
+    /** Whether a Transfer Impact Assessment has been conducted */
+    tiaCompleted: boolean;
+    /** Reference to the TIA document */
+    tiaReference?: string;
+    /** Frequency of the transfer */
+    frequency: 'one_time' | 'periodic' | 'continuous';
+    /** Start date of the transfer */
+    startDate: number;
+    /** End date of the transfer (if applicable) */
+    endDate?: number;
+    /** Status of the transfer */
+    status: 'active' | 'suspended' | 'terminated' | 'pending_approval';
+    /** Timestamp when the record was created */
+    createdAt: number;
+    /** Timestamp when the record was last updated */
+    updatedAt: number;
+    /** Next review date */
+    reviewDate?: number;
+}
+
+/** A user-defined section added to the policy outside the generated ones. */
+export declare interface CustomSection {
+    id: string;
+    title: string;
+    content: string;
+    order: number;
+    required: false;
+}
+
+/** A logical category of personal data the organisation may collect. */
+export declare interface DataCategory {
+    /** Machine-readable identifier. */
+    id: string;
+    /** Human-readable label shown in the wizard. */
+    label: string;
+    /** Grouping for display and compliance checks. */
+    group: 'identity' | 'financial' | 'behavioral' | 'sensitive' | 'children';
+    /** Specific data points within this category. */
+    dataPoints: string[];
+    /** Whether this category is currently selected by the user. */
+    selected: boolean;
+}
+
+/**
+ * Default NDPA-compliant privacy policy sections.
+ * Each section uses {{variable}} placeholders that are resolved at generation time.
+ */
+export declare const DEFAULT_POLICY_SECTIONS: PolicySection[];
+
+/**
+ * Default policy variables for NDPA-compliant privacy policies.
+ * These map to the {{variable}} placeholders used in DEFAULT_POLICY_SECTIONS.
+ */
+export declare const DEFAULT_POLICY_VARIABLES: PolicyVariable[];
+
+export declare const defaultLocale: Required<{
+    [K in keyof NDPRLocale]: Required<NonNullable<NDPRLocale[K]>>;
+}>;
+
+/**
+ * Data Protection Impact Assessment types aligned with NDPA 2023 Sections 38-39
+ * A DPIA is required when processing is likely to result in high risk to data subjects
+ */
+/**
+ * Represents a question in the DPIA questionnaire
+ */
+export declare interface DPIAQuestion {
+    /** Unique identifier for the question */
+    id: string;
+    /** The text of the question */
+    text: string;
+    /** Additional guidance for answering the question */
+    guidance?: string;
+    /** Type of input required for the answer */
+    type: 'text' | 'textarea' | 'select' | 'radio' | 'checkbox' | 'scale';
+    /** Options for select, radio, or checkbox questions */
+    options?: Array<{
+        value: string;
+        label: string;
+        riskLevel?: 'low' | 'medium' | 'high';
+    }>;
+    /** For scale questions, the minimum value */
+    minValue?: number;
+    /** For scale questions, the maximum value */
+    maxValue?: number;
+    /** For scale questions, labels for the scale points */
+    scaleLabels?: Record<number, string>;
+    /** Whether the question is required */
+    required: boolean;
+    /** Risk level associated with this question */
+    riskLevel?: 'low' | 'medium' | 'high';
+    /** Whether this question triggers additional questions based on the answer */
+    hasDependentQuestions?: boolean;
+    /** Conditions that determine when this question should be shown */
+    showWhen?: Array<{
+        questionId: string;
+        operator: 'equals' | 'contains' | 'greaterThan' | 'lessThan';
+        value: string | number | boolean;
+    }>;
+}
+
+/**
+ * Represents the result of a completed DPIA
+ */
+export declare interface DPIAResult {
+    /** Unique identifier for the DPIA */
+    id: string;
+    /** Title of the DPIA */
+    title: string;
+    /** Description of the processing activity being assessed */
+    processingDescription: string;
+    /** Timestamp when the DPIA was started */
+    startedAt: number;
+    /** Timestamp when the DPIA was completed */
+    completedAt?: number;
+    /** Person responsible for conducting the DPIA */
+    assessor: {
+        name: string;
+        role: string;
+        email: string;
+    };
+    /** Answers to all questions in the DPIA */
+    answers: Record<string, string | number | boolean | string[]>;
+    /** Risks identified in the DPIA */
+    risks: DPIARisk[];
+    /** Overall risk level of the processing activity */
+    overallRiskLevel: 'low' | 'medium' | 'high' | 'critical';
+    /** Whether the DPIA concluded that the processing can proceed */
+    canProceed: boolean;
+    /** Reasons why the processing can or cannot proceed */
+    conclusion: string;
+    /** Recommendations for the processing activity */
+    recommendations?: string[];
+    /** Next review date for the DPIA */
+    reviewDate?: number;
+    /** Version of the DPIA questionnaire used */
+    version: string;
+    /**
+     * Whether prior consultation with NDPC is required
+     * Per NDPA Section 39, consultation is required when DPIA indicates high residual risk
+     */
+    ndpcConsultationRequired?: boolean;
+    /** Date when NDPC consultation was initiated */
+    ndpcConsultationDate?: number;
+    /** Reference number from NDPC consultation */
+    ndpcConsultationReference?: string;
+    /**
+     * The lawful basis for the processing activity being assessed
+     */
+    lawfulBasis?: string;
+    /**
+     * Whether this DPIA involves cross-border data transfers
+     */
+    involvesCrossBorderTransfer?: boolean;
+}
+
+/**
+ * Represents a risk identified in the DPIA
+ */
+export declare interface DPIARisk {
+    /** Unique identifier for the risk */
+    id: string;
+    /** Description of the risk */
+    description: string;
+    /** Likelihood of the risk occurring (1-5) */
+    likelihood: number;
+    /** Impact if the risk occurs (1-5) */
+    impact: number;
+    /** Overall risk score (likelihood * impact) */
+    score: number;
+    /** Risk level based on the score */
+    level: 'low' | 'medium' | 'high' | 'critical';
+    /** Measures to mitigate the risk */
+    mitigationMeasures?: string[];
+    /** Whether the risk has been mitigated */
+    mitigated: boolean;
+    /** Residual risk score after mitigation */
+    residualScore?: number;
+    /** Questions that identified this risk */
+    relatedQuestionIds: string[];
+}
+
+/**
+ * Represents a section in the DPIA questionnaire
+ */
+export declare interface DPIASection {
+    /** Unique identifier for the section */
+    id: string;
+    /** Title of the section */
+    title: string;
+    /** Description of the section */
+    description?: string;
+    /** Questions in this section */
+    questions: DPIAQuestion[];
+    /** Order of the section in the questionnaire */
+    order: number;
+}
+
+/**
+ * Represents a data subject request
+ */
+export declare interface DSRRequest {
+    /** Unique identifier for the request */
+    id: string;
+    /** Type of request */
+    type: DSRType;
+    /** Current status of the request */
+    status: DSRStatus;
+    /** Timestamp when the request was submitted */
+    createdAt: number;
+    /** Timestamp when the request was last updated */
+    updatedAt: number;
+    /** Timestamp when the request was completed (if applicable) */
+    completedAt?: number;
+    /** Timestamp when the identity was verified (if applicable) */
+    verifiedAt?: number;
+    /**
+     * Due date for responding to the request (timestamp)
+     * NDPA requires response within 30 days of receipt
+     */
+    dueDate?: number;
+    /** Description or details of the request */
+    description?: string;
+    /**
+     * The lawful basis under which the data was originally processed
+     * Relevant for evaluating objection and erasure requests
+     */
+    lawfulBasis?: string;
+    /** Data subject information */
+    subject: {
+        name: string;
+        email: string;
+        phone?: string;
+        identifierValue?: string;
+        identifierType?: string;
+    };
+    /** Additional information provided by the data subject */
+    additionalInfo?: Record<string, string | number | boolean | null>;
+    /** Notes added by staff processing the request */
+    internalNotes?: Array<{
+        timestamp: number;
+        author: string;
+        note: string;
+    }>;
+    /** Verification status */
+    verification?: {
+        verified: boolean;
+        method?: string;
+        verifiedAt?: number;
+        verifiedBy?: string;
+    };
+    /** Reason for rejection (if status is 'rejected') */
+    rejectionReason?: string;
+    /** Files attached to the request */
+    attachments?: Array<{
+        id: string;
+        name: string;
+        type: string;
+        url: string;
+        addedAt: number;
+    }>;
+    /**
+     * Whether an extension was requested for this DSR
+     * NDPA allows a one-time extension of 30 days with justification
+     */
+    extensionRequested?: boolean;
+    /** Reason for the extension, if requested */
+    extensionReason?: string;
+}
+
+/**
+ * Status of a data subject request
+ */
+export declare type DSRStatus = 'pending' | 'awaitingVerification' | 'inProgress' | 'completed' | 'rejected';
+
+/**
+ * Validated DSR submission shape — matches what `<DSRRequestForm onSubmit>`
+ * emits client-side. Use this as the typed parameter for your server-side
+ * handler after `validateDsrSubmission` returns `valid: true`.
+ */
+export declare interface DsrSubmissionPayload {
+    requestType: string;
+    dataSubject: {
+        fullName: string;
+        email: string;
+        phone?: string;
+        identifierType: string;
+        identifierValue: string;
+    };
+    additionalInfo?: Record<string, string | number | boolean | null>;
+    submittedAt: number;
+}
+
+/** Result of validating a raw DSR submission payload. */
+export declare interface DsrSubmissionValidationResult {
+    /** True when the payload conforms to the DSR submission contract. */
+    valid: boolean;
+    /** Field-keyed error messages. Empty when `valid` is true. */
+    errors: Record<string, string>;
+    /** The narrowed, typed payload — only populated when `valid` is true. */
+    data?: DsrSubmissionPayload;
+}
+
+/**
+ * Data Subject Rights types aligned with NDPA 2023 Part IV (Sections 29-36)
+ */
+/**
+ * Types of data subject requests per NDPA Part IV
+ * - 'information': Right to be informed (Section 29)
+ * - 'access': Right of access (Section 30)
+ * - 'rectification': Right to rectification (Section 31)
+ * - 'erasure': Right to erasure (Section 32)
+ * - 'restriction': Right to restrict processing (Section 33)
+ * - 'portability': Right to data portability (Section 34)
+ * - 'objection': Right to object (Section 35)
+ * - 'automated_decision_making': Rights related to automated decision-making (Section 36)
+ */
+export declare type DSRType = 'information' | 'access' | 'rectification' | 'erasure' | 'restriction' | 'portability' | 'objection' | 'automated_decision_making';
+
+export declare type EffortLevel = 'low' | 'medium' | 'high';
+
+/**
+ * NDPA policy compliance checker.
+ *
+ * Evaluates a {@link PrivacyPolicy} against 15 requirements drawn from
+ * the Nigeria Data Protection Act (NDPA) 2023, producing a scored
+ * {@link ComplianceResult} with actionable gaps.
+ *
+ * Scoring:
+ *   6 critical  @ 10 pts = 60
+ *   5 important @  7 pts = 35
+ *   4 recommended @ 5 pts = 20
+ *   Total max = 115
+ *
+ * Rating thresholds:
+ *   >= 100 → compliant
+ *   >=  80 → nearly_compliant
+ *   <   80 → not_compliant
+ */
+
+/**
+ * Evaluates a privacy policy against 15 NDPA 2023 requirements and
+ * returns a scored compliance result with actionable gap information.
+ *
+ * @param policy  - The privacy policy to evaluate.
+ * @param context - The template context that was used to generate the policy.
+ * @returns A {@link ComplianceResult} with score, rating, gaps, and passed ids.
+ */
+export declare function evaluatePolicyCompliance(policy: PrivacyPolicy, context: TemplateContext): ComplianceResult;
+
+/**
+ * Exports the Record of Processing Activities to a CSV string.
+ * The CSV includes all key fields from each processing record.
+ *
+ * @param ropa - The full Record of Processing Activities
+ * @returns CSV-formatted string
+ */
+export declare function exportROPAToCSV(ropa: RecordOfProcessingActivities): string;
+
+/**
+ * Scan rendered policy text for unfilled placeholder tokens.
+ *
+ * Detects two token forms:
+ * - `«TODO: fieldName»` — sentinel emitted by {@link assemblePolicy} when
+ *   a required org-info field is missing from the context.
+ * - `{{fieldName}}` — mustache token that escaped substitution (either
+ *   because the variable wasn't declared or its value was empty).
+ *
+ * Returns a deduplicated list of the field names found. An empty array
+ * means the rendered text is fully populated.
+ *
+ * Two recommended uses:
+ *
+ * 1. **CI guard** — assert your canonical org-info fixture renders without
+ *    leaving any tokens behind:
+ *    ```ts
+ *    const html = exportHTML(policy);
+ *    expect(findUnfilledTokens(html)).toEqual([]);
+ *    ```
+ *
+ * 2. **Runtime guard** — surface a clear error to compliance officers
+ *    before they publish a policy with `{{orgName}}` visible to visitors:
+ *    ```ts
+ *    const missing = findUnfilledTokens(getPolicyText().fullText);
+ *    if (missing.length) throw new Error(`Policy is missing: ${missing.join(', ')}`);
+ *    ```
+ *
+ * @param rendered - The substituted policy text (from `exportHTML`,
+ *                   `exportMarkdown`, or `usePrivacyPolicy().getPolicyText().fullText`).
+ * @returns Deduplicated array of unfilled field names; `[]` if fully filled.
+ */
+export declare function findUnfilledTokens(rendered: string): string[];
+
+/**
+ * Formats a DSR request for display or submission
+ * @param request The DSR request to format
+ * @returns Formatted request data
+ */
+export declare function formatDSRRequest(request: DSRRequest): {
+    formattedRequest: Record<string, unknown>;
+    isValid: boolean;
+    validationErrors: string[];
+};
+
+/**
+ * Generates a summary of all lawful basis documentation across processing activities.
+ *
+ * @param activities Array of processing activities to summarize
+ * @returns LawfulBasisSummary with counts, breakdowns, and flagged activities
+ */
+export declare function generateLawfulBasisSummary(activities: ProcessingActivity[]): LawfulBasisSummary;
+
+/**
+ * Generates policy text by replacing variables in a template with organization-specific values
+ * @param sectionsOrTemplate The policy sections or template string to generate text for
+ * @param organizationInfoOrVariables The organization information or variable map to use for replacement
+ * @returns The generated policy text or an object with the generated text and metadata
+ */
+export declare function generatePolicyText(sectionsOrTemplate: PolicySection[] | string, organizationInfoOrVariables: OrganizationInfo | Record<string, string>): string | {
+    fullText: string;
+    sectionTexts: Record<string, string>;
+    missingVariables: string[];
+};
+
+/**
+ * Generates a summary of the Record of Processing Activities.
+ * Provides statistics and identifies records that are due for review.
+ *
+ * @param ropa - The full Record of Processing Activities
+ * @returns Summary statistics for the ROPA
+ */
+export declare function generateROPASummary(ropa: RecordOfProcessingActivities): ROPASummary;
+
+/**
+ * Retrieves the full consent audit log from localStorage.
+ * Returns an empty array if no log exists or parsing fails.
+ *
+ * @param storageKey - Base storage key (the audit key is derived as `${storageKey}_audit`)
+ */
+export declare function getAuditLog(storageKey?: string): ConsentAuditEntry[];
+
+/**
+ * Evaluate an organisation's NDPA compliance across all modules.
+ *
+ * @param input - Compliance input object
+ * @returns ComplianceReport with overall score, per-module breakdown, and sorted recommendations
+ */
+export declare function getComplianceScore(input: ComplianceInput): ComplianceReport;
+
+/**
+ * Returns a human-readable description of a lawful basis with the relevant
+ * NDPA section reference.
+ *
+ * @param basis The lawful basis to describe
+ * @returns Description string including NDPA section reference
+ */
+export declare function getLawfulBasisDescription(basis: LawfulBasis): string;
+
+/**
+ * Returns a human-readable description of a transfer mechanism with its NDPA section reference.
+ *
+ * @param mechanism The transfer mechanism
+ * @returns Description including the relevant NDPA section
+ */
+export declare function getTransferMechanismDescription(mechanism: TransferMechanism): string;
+
+export declare const hausaLocale: Required<{
+    [K in keyof NDPRLocale]: Required<NonNullable<NDPRLocale[K]>>;
+}>;
+
+/**
+ * Identifies compliance gaps in the Record of Processing Activities.
+ * Finds records that are missing required information per NDPA 2023.
+ *
+ * @param ropa - The full Record of Processing Activities
+ * @returns Array of compliance gaps grouped by record
+ */
+export declare function identifyComplianceGaps(ropa: RecordOfProcessingActivities): ROPAComplianceGap[];
+
+export declare const igboLocale: Required<{
+    [K in keyof NDPRLocale]: Required<NonNullable<NDPRLocale[K]>>;
+}>;
+
+/**
+ * Policy engine types for the adaptive privacy policy generator.
+ * These types power the wizard-driven policy builder, compliance checker,
+ * and export functionality — all aligned with the NDPA 2023.
+ */
+
+/** Industry verticals with sector-specific compliance requirements. */
+declare type Industry = 'fintech' | 'healthcare' | 'ecommerce' | 'saas' | 'education' | 'government' | 'other';
+
+/**
+ * Returns whether NDPC approval is required for a given transfer mechanism.
+ * Approval is required for standard contractual clauses (Section 42),
+ * binding corporate rules (Section 43), and specific NDPC authorization (Section 44).
+ *
+ * @param mechanism The transfer mechanism
+ * @returns Whether NDPC approval is required
+ */
+export declare function isNDPCApprovalRequired(mechanism: TransferMechanism): boolean;
+
+/**
+ * Lawful Basis types aligned with NDPA 2023 Part III (Sections 24-28)
+ * Every processing activity must have a documented lawful basis
+ */
+/**
+ * The six lawful bases for processing personal data per NDPA Section 25(1)
+ */
+export declare type LawfulBasis = 'consent' | 'contract' | 'legal_obligation' | 'vital_interests' | 'public_interest' | 'legitimate_interests';
+
+/**
+ * Compliance gap identified across processing activities
+ */
+export declare interface LawfulBasisComplianceGap {
+    activityId: string;
+    activityName: string;
+    type: 'missing_approval' | 'overdue_review' | 'missing_justification' | 'missing_lia' | 'missing_sensitive_condition' | 'missing_retention' | 'missing_data_categories' | 'missing_purposes';
+    severity: 'high' | 'medium' | 'low';
+    description: string;
+}
+
+/**
+ * Summary of all lawful basis documentation for compliance reporting
+ */
+export declare interface LawfulBasisSummary {
+    /** Total number of processing activities */
+    totalActivities: number;
+    /** Breakdown by lawful basis */
+    byBasis: Record<LawfulBasis, number>;
+    /** Number of activities involving sensitive data */
+    sensitiveDataActivities: number;
+    /** Number of activities involving cross-border transfers */
+    crossBorderActivities: number;
+    /** Activities due for review */
+    activitiesDueForReview: ProcessingActivity[];
+    /** Activities without DPO approval */
+    activitiesWithoutApproval: ProcessingActivity[];
+    /** Last updated timestamp */
+    lastUpdated: number;
+}
+
+/**
+ * Lawful basis for processing personal data per NDPA Section 25(1)
+ */
+export declare type LawfulBasisType = 'consent' | 'contract' | 'legal_obligation' | 'vital_interests' | 'public_interest' | 'legitimate_interests';
+
+/**
+ * Validation result for a processing activity
+ */
+export declare interface LawfulBasisValidationResult {
+    isValid: boolean;
+    errors: string[];
+    warnings: string[];
+}
+
+/**
+ * Represents a Legitimate Interest Assessment (LIA)
+ * Required when the lawful basis is 'legitimate_interests'
+ */
+export declare interface LegitimateInterestAssessment {
+    /** Unique identifier */
+    id: string;
+    /** ID of the associated processing activity */
+    processingActivityId: string;
+    /** Date the assessment was conducted */
+    assessmentDate: number;
+    /** Person who conducted the assessment */
+    assessor: {
+        name: string;
+        role: string;
+        email: string;
+    };
+    /** Description of the legitimate interest being pursued */
+    purposeTest: string;
+    /** Why the processing is necessary for this purpose */
+    necessityTest: string;
+    /** Balancing test: rights of data subject vs. legitimate interest */
+    balancingTest: string;
+    /** Safeguards applied to protect data subject rights */
+    safeguards: string[];
+    /** Overall conclusion */
+    conclusion: string;
+    /** Whether the assessment concluded the processing is justified */
+    approved: boolean;
+}
+
+/**
+ * Deep merges a partial locale with the default English locale.
+ * Any missing keys fall back to English.
+ */
+export declare function mergeLocale(partial?: NDPRLocale): typeof defaultLocale;
+
+export declare interface ModuleScore {
+    /** Module name (e.g. "consent") */
+    name: string;
+    /** Raw module score 0-100 */
+    score: number;
+    /** Maximum possible score for this module (always 100) */
+    maxScore: number;
+    /** Weighted contribution to the overall score */
+    weightedScore: number;
+    /** NDPA sections this module maps to */
+    ndpaSections: string[];
+    /** Gaps found — list of human-readable gap descriptions */
+    gaps: string[];
+}
+
+/**
+ * Configuration for the NDPR toolkit provider.
+ */
+export declare interface NDPRConfig {
+    /** The official name of the organisation */
+    organizationName?: string;
+    /** Email address of the Data Protection Officer */
+    dpoEmail?: string;
+    /** NDPC registration number, if registered */
+    ndpcRegistrationNumber?: string;
+    /** Prefix for localStorage/sessionStorage keys used by toolkit components */
+    storageKeyPrefix?: string;
+    /** When true, removes all default styles from toolkit components */
+    unstyled?: boolean;
+    /** Theme overrides applied as CSS custom properties */
+    theme?: {
+        /** Primary brand colour (e.g. "#0070f3") */
+        primary?: string;
+        /** Hover state for primary colour */
+        primaryHover?: string;
+        /** Foreground colour used on primary backgrounds */
+        primaryForeground?: string;
+    };
+    /**
+     * Locale strings for all toolkit components.
+     * Pass partial overrides — missing keys fall back to English defaults.
+     */
+    locale?: NDPRLocale;
+    /**
+     * Custom fallback UI to render when a child component throws during rendering.
+     * Receives the error and a reset function. If omitted, a default fallback is shown.
+     */
+    fallback?: ReactNode | ((error: Error, reset: () => void) => ReactNode);
+    /**
+     * Called when the error boundary catches an error.
+     * Useful for sending errors to an external reporting service.
+     */
+    onError?: (error: Error, errorInfo: ErrorInfo) => void;
+}
+
+/**
+ * Locale strings for all toolkit components.
+ * Pass partial overrides — missing keys fall back to English defaults.
+ */
+export declare interface NDPRLocale {
+    consent?: {
+        title?: string;
+        description?: string;
+        acceptAll?: string;
+        rejectAll?: string;
+        customize?: string;
+        savePreferences?: string;
+        selectAll?: string;
+        deselectAll?: string;
+        required?: string;
+        cookieNotice?: string;
+    };
+    dsr?: {
+        title?: string;
+        description?: string;
+        submitRequest?: string;
+        reset?: string;
+        fullName?: string;
+        email?: string;
+        phone?: string;
+        requestType?: string;
+        additionalInfo?: string;
+        identityVerification?: string;
+        identifierType?: string;
+        identifierValue?: string;
+        privacyNotice?: string;
+        successMessage?: string;
+    };
+    breach?: {
+        title?: string;
+        description?: string;
+        submitReport?: string;
+        breachTitle?: string;
+        category?: string;
+        discoveredAt?: string;
+        detailedDescription?: string;
+    };
+    dpia?: {
+        title?: string;
+        next?: string;
+        previous?: string;
+        complete?: string;
+        progress?: string;
+    };
+    policy?: {
+        title?: string;
+        generate?: string;
+        preview?: string;
+        export?: string;
+        sections?: string;
+        variables?: string;
+    };
+    compliance?: {
+        score?: string;
+        excellent?: string;
+        good?: string;
+        needsWork?: string;
+        critical?: string;
+        recommendations?: string;
+        passed?: string;
+        gaps?: string;
+    };
+    common?: {
+        loading?: string;
+        error?: string;
+        save?: string;
+        cancel?: string;
+        delete?: string;
+        edit?: string;
+        add?: string;
+        back?: string;
+        next?: string;
+        search?: string;
+        noResults?: string;
+    };
+}
+
+/**
+ * Provides NDPR configuration to all descendant toolkit components.
+ *
+ * When a `theme` is supplied, the corresponding CSS custom properties
+ * (`--ndpr-primary`, `--ndpr-primary-hover`, `--ndpr-primary-foreground`)
+ * are set on the wrapping element so components can reference them.
+ *
+ * Wraps children in an error boundary so that a rendering failure in any
+ * toolkit component does not crash the host application.
+ */
+export declare const NDPRProvider: React__default.FC<NDPRConfig & {
+    children: React__default.ReactNode;
+}>;
+
+/**
+ * Represents notification requirements for a data breach per NDPA Section 40
+ */
+export declare interface NotificationRequirement {
+    /**
+     * Whether NDPC notification is required
+     * Per NDPA Section 40, notification to NDPC is required for all breaches
+     * that pose a risk to data subjects' rights and freedoms
+     */
+    ndpcNotificationRequired: boolean;
+    /**
+     * Deadline for NDPC notification (72 hours from discovery)
+     * NDPA Section 40(1)
+     */
+    ndpcNotificationDeadline: number;
+    /**
+     * Whether data subject notification is required
+     * Per NDPA Section 40(4), required when breach is likely to result in
+     * high risk to rights and freedoms of data subjects
+     */
+    dataSubjectNotificationRequired: boolean;
+    /** Justification for the notification decision */
+    justification: string;
+    /**
+     * @deprecated Use ndpcNotificationRequired instead. Kept for backward compatibility.
+     */
+    nitdaNotificationRequired?: boolean;
+    /**
+     * @deprecated Use ndpcNotificationDeadline instead. Kept for backward compatibility.
+     */
+    nitdaNotificationDeadline?: number;
+}
+
+/**
+ * Represents organization information for a privacy policy
+ */
+export declare interface OrganizationInfo {
+    /** Name of the organization */
+    name: string;
+    /** Website URL of the organization */
+    website: string;
+    /** Contact email for privacy inquiries */
+    privacyEmail: string;
+    /** Physical address of the organization */
+    address?: string;
+    /** Phone number for privacy inquiries */
+    privacyPhone?: string;
+    /** Name of the Data Protection Officer */
+    dpoName?: string;
+    /** Email of the Data Protection Officer */
+    dpoEmail?: string;
+    /** Industry or sector of the organization */
+    industry?: string;
+    /** NDPC registration number (if registered) */
+    ndpcRegistrationNumber?: string;
+}
+
+/** Organisation size tiers — affects complexity of generated language. */
+declare type OrgSize = 'startup' | 'midsize' | 'enterprise';
+
+export declare const pidginLocale: Required<{
+    [K in keyof NDPRLocale]: Required<NonNullable<NDPRLocale[K]>>;
+}>;
+
+/** Represents an in-progress policy being built in the wizard. */
+export declare interface PolicyDraft {
+    /** Unique identifier for the draft. */
+    id: string;
+    /** The template context driving section generation. */
+    templateContext: TemplateContext;
+    /** Custom sections added by the user. */
+    customSections: CustomSection[];
+    /** Per-section content overrides keyed by section id. */
+    sectionOverrides: Record<string, string>;
+    /** Ordered list of section ids defining the final order. */
+    sectionOrder: string[];
+    /** Current wizard step (0-indexed). */
+    currentStep: number;
+    /** Timestamp of the last save. */
+    lastSavedAt: number;
+    /** The draft is always in "draft" status until finalised. */
+    status: 'draft';
+}
+
+/**
+ * Privacy policy types aligned with NDPA 2023
+ * Privacy policies must clearly inform data subjects of their rights under the NDPA
+ */
+/**
+ * Represents a section in a privacy policy
+ */
+export declare interface PolicySection {
+    /** Unique identifier for the section */
+    id: string;
+    /** Title of the section */
+    title: string;
+    /** Description of the section */
+    description?: string;
+    /** Order of the section in the policy */
+    order?: number;
+    /** Whether the section is required by NDPA */
+    required: boolean;
+    /** Template text for the section */
+    template: string;
+    /**
+     * Default content for the section (legacy field)
+     * @deprecated Use template instead
+     */
+    defaultContent?: string;
+    /**
+     * Custom content for the section (overrides default content)
+     * @deprecated Use template instead
+     */
+    customContent?: string;
+    /** Whether the section is included in the policy */
+    included: boolean;
+    /** Variables that can be used in the section content */
+    variables?: string[];
+}
+
+/**
+ * Represents a privacy policy template
+ */
+export declare interface PolicyTemplate {
+    /** Unique identifier for the template */
+    id: string;
+    /** Name of the template */
+    name: string;
+    /** Description of the template */
+    description: string;
+    /** Type of organization the template is designed for */
+    organizationType: 'business' | 'nonprofit' | 'government' | 'educational';
+    /** Sections included in the template */
+    sections: PolicySection[];
+    /** Variables used across the template */
+    variables: Record<string, {
+        name: string;
+        description: string;
+        required: boolean;
+        defaultValue?: string;
+    }>;
+    /** Version of the template */
+    version: string;
+    /** Last updated date of the template */
+    lastUpdated: number;
+    /**
+     * Whether this template is NDPA 2023 compliant
+     */
+    ndpaCompliant: boolean;
+}
+
+/**
+ * Represents a variable in a privacy policy
+ */
+export declare interface PolicyVariable {
+    /** Unique identifier for the variable */
+    id: string;
+    /** Name of the variable as it appears in the template */
+    name: string;
+    /** Description of the variable */
+    description: string;
+    /** Default value for the variable */
+    defaultValue?: string;
+    /** Current value of the variable */
+    value: string;
+    /** Type of input for the variable */
+    inputType: 'text' | 'textarea' | 'email' | 'url' | 'date' | 'select';
+    /** Options for select inputs */
+    options?: string[];
+    /** Whether the variable is required */
+    required: boolean;
+}
+
+/**
+ * Represents a generated privacy policy
+ */
+export declare interface PrivacyPolicy {
+    /** Unique identifier for the policy */
+    id: string;
+    /** Title of the policy */
+    title: string;
+    /** Template used to generate the policy */
+    templateId: string;
+    /** Organization information */
+    organizationInfo: OrganizationInfo;
+    /** Sections of the policy */
+    sections: PolicySection[];
+    /** Values for the variables used in the policy */
+    variableValues: Record<string, string>;
+    /** Effective date of the policy */
+    effectiveDate: number;
+    /** Last updated date of the policy */
+    lastUpdated: number;
+    /** Version of the policy */
+    version: string;
+    /**
+     * Applicable legal frameworks
+     */
+    applicableFrameworks?: ('ndpa' | 'ndpr' | 'gdpr' | 'ccpa')[];
+}
+
+/**
+ * Represents a processing activity and its lawful basis
+ */
+export declare interface ProcessingActivity {
+    /** Unique identifier */
+    id: string;
+    /** Name of the processing activity */
+    name: string;
+    /** Description of what processing is performed */
+    description: string;
+    /** The lawful basis for this processing activity */
+    lawfulBasis: LawfulBasis;
+    /** Justification for why this lawful basis applies */
+    lawfulBasisJustification: string;
+    /** Categories of personal data being processed */
+    dataCategories: string[];
+    /** Whether sensitive personal data is involved */
+    involvesSensitiveData: boolean;
+    /** Condition for processing sensitive data (required if involvesSensitiveData is true) */
+    sensitiveDataCondition?: SensitiveDataCondition;
+    /** Categories of data subjects */
+    dataSubjectCategories: string[];
+    /** Purposes of the processing */
+    purposes: string[];
+    /** Data retention period */
+    retentionPeriod: string;
+    /** Justification for the retention period */
+    retentionJustification?: string;
+    /** Recipients or categories of recipients */
+    recipients?: string[];
+    /** Whether data is transferred outside Nigeria */
+    crossBorderTransfer: boolean;
+    /** Timestamp when the record was created */
+    createdAt: number;
+    /** Timestamp when the record was last updated */
+    updatedAt: number;
+    /** Next review date */
+    reviewDate?: number;
+    /** Status of the processing activity */
+    status: 'active' | 'inactive' | 'under_review' | 'archived';
+    /** DPO approval details */
+    dpoApproval?: {
+        approved: boolean;
+        approvedBy: string;
+        approvedAt: number;
+        notes?: string;
+    };
+}
+
+/** Lawful processing purposes recognised under the NDPA. */
+declare type ProcessingPurpose = 'service_delivery' | 'marketing' | 'analytics' | 'research' | 'legal_compliance' | 'fraud_prevention';
+
+/**
+ * Record of Processing Activities (ROPA) types aligned with NDPA 2023
+ * Data controllers must maintain comprehensive records of all processing activities
+ */
+
+/**
+ * Represents a single processing record in the ROPA
+ */
+export declare interface ProcessingRecord {
+    /** Unique identifier */
+    id: string;
+    /** Name of the processing activity */
+    name: string;
+    /** Detailed description of the processing */
+    description: string;
+    /** Data controller details */
+    controllerDetails: {
+        name: string;
+        contact: string;
+        address: string;
+        registrationNumber?: string;
+        dpoContact?: string;
+    };
+    /** Joint controller details (if applicable) */
+    jointControllerDetails?: {
+        name: string;
+        contact: string;
+        address: string;
+        responsibilities: string;
+    };
+    /** Data processor details (if processing is outsourced) */
+    processorDetails?: {
+        name: string;
+        contact: string;
+        address: string;
+        contractReference?: string;
+    };
+    /** Lawful basis for the processing */
+    lawfulBasis: LawfulBasis;
+    /** Justification for the chosen lawful basis */
+    lawfulBasisJustification: string;
+    /** Purposes of the processing */
+    purposes: string[];
+    /** Categories of personal data processed */
+    dataCategories: string[];
+    /** Categories of sensitive personal data (if any) */
+    sensitiveDataCategories?: string[];
+    /** Categories of data subjects */
+    dataSubjectCategories: string[];
+    /** Recipients or categories of recipients */
+    recipients: string[];
+    /** Cross-border transfer details */
+    crossBorderTransfers?: Array<{
+        destinationCountry: string;
+        countryCode?: string;
+        safeguards: string;
+        transferMechanism: string;
+    }>;
+    /** Data retention period */
+    retentionPeriod: string;
+    /** Justification for the retention period */
+    retentionJustification?: string;
+    /** Technical and organizational security measures */
+    securityMeasures: string[];
+    /** Data source (directly from data subject or from third party) */
+    dataSource: 'data_subject' | 'third_party' | 'public_source' | 'other';
+    /** Third-party source details (if dataSource is 'third_party') */
+    thirdPartySourceDetails?: string;
+    /** Whether a DPIA is required for this processing */
+    dpiaRequired: boolean;
+    /** Reference to the DPIA (if conducted) */
+    dpiaReference?: string;
+    /** Whether automated decision-making is involved */
+    automatedDecisionMaking: boolean;
+    /** Details of automated decision-making (if applicable) */
+    automatedDecisionMakingDetails?: string;
+    /** Status of the processing record */
+    status: 'active' | 'inactive' | 'archived';
+    /** Department or business unit responsible */
+    department?: string;
+    /** System or application used for processing */
+    systemsUsed?: string[];
+    /** Timestamp when the record was created */
+    createdAt: number;
+    /** Timestamp when the record was last updated */
+    updatedAt: number;
+    /** Timestamp when the record was last reviewed */
+    lastReviewedAt?: number;
+    /** Next review date */
+    nextReviewDate?: number;
+}
+
+export declare interface Recommendation {
+    module: string;
+    key: string;
+    label: string;
+    priority: RecommendationPriority;
+    effort: EffortLevel;
+    recommendation: string;
+    ndpaSection: string;
+}
+
+export declare type RecommendationPriority = 'critical' | 'high' | 'medium' | 'low';
+
+/**
+ * Represents a complete Record of Processing Activities
+ */
+export declare interface RecordOfProcessingActivities {
+    /** Unique identifier */
+    id: string;
+    /** Organization name */
+    organizationName: string;
+    /** Organization contact information */
+    organizationContact: string;
+    /** Organization address */
+    organizationAddress: string;
+    /** Data Protection Officer details */
+    dpoDetails?: {
+        name: string;
+        email: string;
+        phone?: string;
+    };
+    /** NDPC registration number */
+    ndpcRegistrationNumber?: string;
+    /** All processing records */
+    records: ProcessingRecord[];
+    /** Timestamp when the ROPA was last updated */
+    lastUpdated: number;
+    /** Version of the ROPA */
+    version: string;
+    /** Export format options */
+    exportFormats?: ('pdf' | 'csv' | 'json' | 'xlsx')[];
+}
+
+/**
+ * Represents a notification sent to the NDPC (Nigeria Data Protection Commission)
+ */
+export declare interface RegulatoryNotification {
+    /** Unique identifier for the notification */
+    id: string;
+    /** ID of the breach this notification is for */
+    breachId: string;
+    /** Timestamp when the notification was sent */
+    sentAt: number;
+    /** Method used to send the notification */
+    method: 'email' | 'portal' | 'letter' | 'other';
+    /** Reference number assigned by the NDPC (if available) */
+    referenceNumber?: string;
+    /** Contact person at the NDPC */
+    ndpcContact?: {
+        name: string;
+        email: string;
+        phone?: string;
+    };
+    /** Content of the notification */
+    content: string;
+    /** Attachments included with the notification */
+    attachments?: Array<{
+        id: string;
+        name: string;
+        type: string;
+        url: string;
+    }>;
+    /** Follow-up communications with the NDPC */
+    followUps?: Array<{
+        timestamp: number;
+        direction: 'sent' | 'received';
+        content: string;
+        attachments?: Array<{
+            id: string;
+            name: string;
+            type: string;
+            url: string;
+        }>;
+    }>;
+    /**
+     * @deprecated Use ndpcContact instead. Kept for backward compatibility.
+     */
+    nitdaContact?: {
+        name: string;
+        email: string;
+        phone?: string;
+    };
+}
+
+export declare interface RegulatoryReference {
+    section: string;
+    title: string;
+    url?: string;
+}
+
+/**
+ * Legacy status of a data subject request
+ * @deprecated Use DSRStatus instead
+ */
+export declare type RequestStatus = 'pending' | 'verifying' | 'processing' | 'completed' | 'rejected';
+
+/**
+ * Represents a type of data subject request (detailed configuration)
+ */
+export declare interface RequestType {
+    /** Unique identifier for the request type */
+    id: string;
+    /** Display name for the request type */
+    name: string;
+    /** Description of what this request type entails */
+    description: string;
+    /**
+     * NDPA section reference (e.g., "Section 30" for access requests)
+     */
+    ndpaSection?: string;
+    /**
+     * Estimated time to fulfill this type of request (in days)
+     * NDPA requires response within 30 days
+     */
+    estimatedCompletionTime: number;
+    /** Whether additional information is required for this request type */
+    requiresAdditionalInfo: boolean;
+    /** Custom fields required for this request type */
+    additionalFields?: Array<{
+        id: string;
+        label: string;
+        type: 'text' | 'textarea' | 'select' | 'checkbox' | 'file';
+        options?: string[];
+        required: boolean;
+        placeholder?: string;
+    }>;
+}
+
+/**
+ * Represents a risk assessment for a data breach
+ */
+export declare interface RiskAssessment {
+    /** Unique identifier for the risk assessment */
+    id: string;
+    /** ID of the breach this assessment is for */
+    breachId: string;
+    /** Timestamp when the assessment was conducted */
+    assessedAt: number;
+    /** Person who conducted the assessment */
+    assessor: {
+        name: string;
+        role: string;
+        email: string;
+    };
+    /** Confidentiality impact (1-5) */
+    confidentialityImpact: number;
+    /** Integrity impact (1-5) */
+    integrityImpact: number;
+    /** Availability impact (1-5) */
+    availabilityImpact: number;
+    /** Likelihood of harm to data subjects (1-5) */
+    harmLikelihood: number;
+    /** Severity of potential harm to data subjects (1-5) */
+    harmSeverity: number;
+    /** Overall risk score */
+    overallRiskScore: number;
+    /** Risk level based on the overall score */
+    riskLevel: 'low' | 'medium' | 'high' | 'critical';
+    /** Whether the breach is likely to result in a risk to rights and freedoms */
+    risksToRightsAndFreedoms: boolean;
+    /** Whether the breach is likely to result in a high risk to rights and freedoms */
+    highRisksToRightsAndFreedoms: boolean;
+    /** Justification for the risk assessment */
+    justification: string;
+}
+
+/**
+ * Compliance gap found in a processing record
+ */
+export declare interface ROPAComplianceGap {
+    recordId: string;
+    recordName: string;
+    gaps: string[];
+}
+
+/**
+ * Summary statistics for the ROPA
+ */
+export declare interface ROPASummary {
+    /** Total number of processing records */
+    totalRecords: number;
+    /** Active processing records */
+    activeRecords: number;
+    /** Records by lawful basis */
+    byLawfulBasis: Record<LawfulBasis, number>;
+    /** Records involving sensitive data */
+    sensitiveDataRecords: number;
+    /** Records involving cross-border transfers */
+    crossBorderRecords: number;
+    /** Records requiring DPIA */
+    dpiaRequiredRecords: number;
+    /** Records involving automated decision-making */
+    automatedDecisionRecords: number;
+    /** Records due for review */
+    recordsDueForReview: ProcessingRecord[];
+    /** Departments with most processing activities */
+    topDepartments: Array<{
+        department: string;
+        count: number;
+    }>;
+    /** Last updated timestamp */
+    lastUpdated: number;
+}
+
+/**
+ * Validation result for a processing record
+ */
+export declare interface ROPAValidationResult {
+    valid: boolean;
+    errors: string[];
+}
+
+/**
+ * Sanitizes user input to prevent XSS attacks.
+ * Escapes HTML special characters so that data rendered in dashboards
+ * or other consumer UIs cannot execute embedded scripts.
+ */
+export declare function sanitizeInput(input: string): string;
+
+/**
+ * Additional conditions required for processing sensitive personal data
+ * per NDPA Section 27
+ */
+export declare type SensitiveDataCondition = 'explicit_consent' | 'employment_law' | 'vital_interests_incapable' | 'nonprofit_legitimate' | 'publicly_available' | 'legal_claims' | 'substantial_public_interest' | 'health_purposes' | 'public_health' | 'archiving_research';
+
+/** Full context used to generate an adaptive privacy policy. */
+export declare interface TemplateContext {
+    /** Organisation details, extended with industry and size. */
+    org: OrganizationInfo & {
+        industry: Industry;
+        orgSize: OrgSize;
+        country: string;
+    };
+    /** Data categories the organisation collects. */
+    dataCategories: DataCategory[];
+    /** Processing purposes relevant to the organisation. */
+    purposes: ProcessingPurpose[];
+    /** Whether the organisation processes children's data. */
+    hasChildrenData: boolean;
+    /** Whether the organisation processes sensitive/special-category data. */
+    hasSensitiveData: boolean;
+    /** Whether the organisation processes financial data. */
+    hasFinancialData: boolean;
+    /** Whether data is transferred outside Nigeria. */
+    hasCrossBorderTransfer: boolean;
+    /** Whether automated decision-making or profiling is used. */
+    hasAutomatedDecisions: boolean;
+    /** Third-party processors that receive personal data. */
+    thirdPartyProcessors: ThirdPartyProcessor[];
+}
+
+/** A third-party entity that processes data on behalf of the organisation. */
+export declare interface ThirdPartyProcessor {
+    /** Name of the third party. */
+    name: string;
+    /** Purpose of sharing data with this processor. */
+    purpose: string;
+    /** Country where the processor is located. */
+    country: string;
+}
+
+/**
+ * Transfer Impact Assessment (TIA) for cross-border transfers
+ */
+export declare interface TransferImpactAssessment {
+    /** Unique identifier */
+    id: string;
+    /** ID of the associated cross-border transfer */
+    transferId: string;
+    /** Date the assessment was conducted */
+    assessmentDate: number;
+    /** Person who conducted the assessment */
+    assessor: {
+        name: string;
+        role: string;
+        email: string;
+    };
+    /** Analysis of the destination country's legal framework */
+    destinationLegalFramework: string;
+    /** Whether the destination has data protection legislation */
+    hasDataProtectionLaw: boolean;
+    /** Whether the destination has an independent supervisory authority */
+    hasIndependentAuthority: boolean;
+    /** Risk of government access to the data */
+    governmentAccessRisk: 'low' | 'medium' | 'high';
+    /** Overall assessment of data protection level */
+    dataProtectionLevel: 'adequate' | 'partially_adequate' | 'inadequate';
+    /** Supplementary measures to address gaps */
+    supplementaryMeasures: string[];
+    /** Technical measures (encryption, pseudonymization, etc.) */
+    technicalMeasures: string[];
+    /** Contractual measures */
+    contractualMeasures: string[];
+    /** Organizational measures */
+    organizationalMeasures: string[];
+    /** Overall conclusion */
+    conclusion: string;
+    /** Whether the transfer can proceed based on the assessment */
+    approved: boolean;
+    /** Conditions for the transfer (if approved with conditions) */
+    conditions?: string[];
+}
+
+/**
+ * Cross-Border Data Transfer types aligned with NDPA 2023 Part VI (Sections 41-45)
+ * Personal data may only be transferred outside Nigeria under specific conditions
+ */
+/**
+ * Transfer mechanisms recognized under the NDPA
+ */
+export declare type TransferMechanism = 'adequacy_decision' | 'standard_clauses' | 'binding_corporate_rules' | 'ndpc_authorization' | 'explicit_consent' | 'contract_performance' | 'public_interest' | 'legal_claims' | 'vital_interests';
+
+/**
+ * Risk assessment result for a cross-border transfer
+ */
+export declare interface TransferRiskResult {
+    riskLevel: 'low' | 'medium' | 'high';
+    riskScore: number;
+    factors: string[];
+    recommendations: string[];
+}
+
+/**
+ * Validation result for a cross-border transfer
+ */
+export declare interface TransferValidationResult {
+    isValid: boolean;
+    errors: string[];
+    warnings: string[];
+}
+
+/**
+ * Returns the current NDPR configuration from the nearest `NDPRProvider`.
+ * If no provider is found, returns an empty config object.
+ */
+export declare function useNDPRConfig(): NDPRConfig;
+
+/**
+ * Returns the resolved locale for the nearest `NDPRProvider`.
+ * Merges any partial `locale` prop with the default English strings,
+ * so all keys are always present and non-nullable.
+ */
+export declare function useNDPRLocale(): typeof defaultLocale;
+
+/**
+ * Validates consent settings to ensure they meet NDPA requirements
+ * @param settings The consent settings to validate
+ * @returns An object containing validation result and any error messages
+ */
+export declare function validateConsent(settings: ConsentSettings): {
+    valid: boolean;
+    errors: string[];
+};
+
+/**
+ * Validates that consent options meet NDPA Section 26 requirements.
+ * Each consent option must specify a purpose for which data will be processed,
+ * as consent must be specific and informed per the Nigeria Data Protection Act.
+ * @param options The consent options to validate
+ * @returns An object containing validation result and any error messages
+ */
+export declare function validateConsentOptions(options: ConsentOption[]): {
+    valid: boolean;
+    errors: string[];
+};
+
+/**
+ * Validate a raw DSR submission payload against the same rules
+ * `<DSRRequestForm />` enforces client-side. Designed to be called from a
+ * server-side handler (Next.js Route Handler, NestJS controller, Express
+ * middleware, Cloudflare Worker) so client and server stay in sync without
+ * the consumer hand-rolling zod / class-validator schemas.
+ *
+ * Defensive — accepts `unknown` and narrows. Safe to call directly on
+ * `await request.json()`.
+ *
+ * @example **Next.js Route Handler**
+ * ```ts
+ * // app/api/dsr/route.ts
+ * import { validateDsrSubmission } from '@tantainnovative/ndpr-toolkit/server';
+ *
+ * export async function POST(req: Request) {
+ *   const { valid, errors, data } = validateDsrSubmission(await req.json());
+ *   if (!valid) return Response.json({ errors }, { status: 422 });
+ *   // `data` is the typed DsrSubmissionPayload
+ *   await dsrStore.create(data);
+ *   return Response.json({ ok: true }, { status: 201 });
+ * }
+ * ```
+ *
+ * @example **Lock to specific request types**
+ * ```ts
+ * validateDsrSubmission(payload, {
+ *   allowedRequestTypes: ['access', 'erasure', 'rectification'],
+ * });
+ * ```
+ *
+ * @example **Skip identity verification (e.g. authenticated session)**
+ * ```ts
+ * validateDsrSubmission(payload, { requireIdentityVerification: false });
+ * ```
+ */
+export declare function validateDsrSubmission(payload: unknown, options?: ValidateDsrSubmissionOptions): DsrSubmissionValidationResult;
+
+/** Options for {@link validateDsrSubmission}. */
+export declare interface ValidateDsrSubmissionOptions {
+    /**
+     * Whether the data subject is required to provide an identifier
+     * (NDPC's recommended verification step). Mirror whatever you set on
+     * the client-side `<DSRRequestForm requireIdentityVerification>`.
+     * @default true
+     */
+    requireIdentityVerification?: boolean;
+    /**
+     * Allowed request types. When provided, the payload's `requestType`
+     * must be one of these — useful for locking the server to a specific
+     * set of supported NDPA Part IV §29-36 rights.
+     */
+    allowedRequestTypes?: string[];
+}
+
+/**
+ * Validates that all required fields are present on a processing activity
+ * and that the lawful basis is properly documented.
+ *
+ * If lawfulBasis is 'legitimate_interests', ensures a LIA justification exists.
+ * If involvesSensitiveData is true, ensures sensitiveDataCondition is set.
+ *
+ * @param activity The processing activity to validate
+ * @returns Validation result with errors and warnings
+ */
+export declare function validateProcessingActivity(activity: ProcessingActivity): LawfulBasisValidationResult;
+
+/**
+ * Validates a processing record to ensure all required fields are present
+ * and properly filled per NDPA 2023 requirements.
+ *
+ * @param record - The processing record to validate
+ * @returns Validation result with any errors found
+ */
+export declare function validateProcessingRecord(record: ProcessingRecord): ROPAValidationResult;
+
+/**
+ * Validates a cross-border transfer record for completeness and compliance.
+ * Checks required fields, verifies that NDPC approval is documented when required,
+ * and ensures safeguards are in place.
+ *
+ * @param transfer The cross-border transfer to validate
+ * @returns Validation result with errors and warnings
+ */
+export declare function validateTransfer(transfer: CrossBorderTransfer): TransferValidationResult;
+
+export declare const yorubaLocale: Required<{
+    [K in keyof NDPRLocale]: Required<NonNullable<NDPRLocale[K]>>;
+}>;
+
+export { }