@vorionsys/platform-core 0.1.0

package/dist/audit/security-events.d.ts

@@ -0,0 +1,1624 @@
+/**
+ * Security Event Type Definitions
+ *
+ * Comprehensive security event types for SOC 2 compliance audit logging.
+ * Every security-relevant action must be categorized and logged with full context.
+ *
+ * @packageDocumentation
+ */
+import { z } from 'zod';
+import type { ID, Timestamp } from '../common/types.js';
+/**
+ * Security event categories for SOC 2 compliance
+ */
+export declare const SECURITY_EVENT_CATEGORIES: readonly ["authentication", "authorization", "data_access", "configuration", "incident"];
+export type SecurityEventCategory = (typeof SECURITY_EVENT_CATEGORIES)[number];
+/**
+ * Security event severity levels aligned with SOC 2 requirements
+ */
+export declare const SECURITY_SEVERITIES: readonly ["info", "low", "medium", "high", "critical"];
+export type SecuritySeverity = (typeof SECURITY_SEVERITIES)[number];
+/**
+ * Security event outcomes for decision tracking
+ */
+export declare const SECURITY_OUTCOMES: readonly ["success", "failure", "blocked", "escalated"];
+export type SecurityOutcome = (typeof SECURITY_OUTCOMES)[number];
+/**
+ * Authentication event types
+ */
+export declare const AUTHENTICATION_EVENT_TYPES: {
+    readonly LOGIN_SUCCESS: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "User successfully authenticated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly LOGIN_FAILURE: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Authentication attempt failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly LOGOUT: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "User logged out";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly LOGIN_LOCKED: {
+        readonly category: "authentication";
+        readonly severity: "high";
+        readonly description: "Account locked due to failed attempts";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_CREATED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "New session established";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_VALIDATED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Session validated successfully";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_INVALID: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Session validation failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_EXPIRED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Session expired naturally";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_REVOKED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Session forcibly terminated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSIONS_BULK_REVOKED: {
+        readonly category: "authentication";
+        readonly severity: "high";
+        readonly description: "Multiple sessions revoked for user";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly TOKEN_ISSUED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Access token issued";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly TOKEN_REFRESHED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Access token refreshed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly TOKEN_REVOKED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Token manually revoked";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly TOKEN_VALIDATION_FAILED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Token validation failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_CREATED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key created";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_VALIDATED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "API key validated successfully";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_VALIDATION_FAILED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key validation failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_REVOKED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key revoked";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_ROTATED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key rotated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_EXPIRED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "API key expired";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_DELETED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key permanently deleted";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_RATE_LIMITED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key rate limit exceeded";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_ENROLLED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA enrollment completed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_ENROLLMENT_STARTED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "MFA enrollment initiated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_ENROLLMENT_VERIFIED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "MFA enrollment code verified";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_ENROLLMENT_FAILED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA enrollment verification failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_DISABLED: {
+        readonly category: "authentication";
+        readonly severity: "high";
+        readonly description: "MFA disabled for user";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_CHALLENGE_CREATED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "MFA challenge initiated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_VERIFICATION_SUCCESS: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "MFA verification successful";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_VERIFICATION_FAILED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA verification failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_BACKUP_CODE_USED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA backup code used";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_BACKUP_CODES_REGENERATED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA backup codes regenerated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_TOO_MANY_ATTEMPTS: {
+        readonly category: "authentication";
+        readonly severity: "high";
+        readonly description: "MFA verification exceeded maximum attempts";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly PASSWORD_CHANGED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Password changed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly PASSWORD_RESET_REQUESTED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Password reset requested";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly PASSWORD_RESET_COMPLETED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Password reset completed";
+        readonly soc2Control: "CC6.1";
+    };
+};
+/**
+ * Authorization event types
+ */
+export declare const AUTHORIZATION_EVENT_TYPES: {
+    readonly ACCESS_GRANTED: {
+        readonly category: "authorization";
+        readonly severity: "info";
+        readonly description: "Access granted to resource";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly ACCESS_DENIED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Access denied to resource";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly PERMISSION_GRANTED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Permission granted to user";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly PERMISSION_REVOKED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Permission revoked from user";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly ROLE_ASSIGNED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Role assigned to user";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly ROLE_REMOVED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Role removed from user";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly PRIVILEGE_ESCALATED: {
+        readonly category: "authorization";
+        readonly severity: "high";
+        readonly description: "Privilege escalation occurred";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly TRUST_TIER_CHANGED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Entity trust tier changed";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly POLICY_EVALUATED: {
+        readonly category: "authorization";
+        readonly severity: "info";
+        readonly description: "Authorization policy evaluated";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly POLICY_VIOLATION: {
+        readonly category: "authorization";
+        readonly severity: "high";
+        readonly description: "Policy violation detected";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly SCOPE_CHECK_PASSED: {
+        readonly category: "authorization";
+        readonly severity: "info";
+        readonly description: "Scope check passed";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly SCOPE_CHECK_FAILED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Scope check failed";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly DPOP_VERIFIED: {
+        readonly category: "authorization";
+        readonly severity: "info";
+        readonly description: "DPoP proof verified successfully";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly DPOP_FAILED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "DPoP proof verification failed";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly AGENT_REVOKED: {
+        readonly category: "authorization";
+        readonly severity: "high";
+        readonly description: "Agent access revoked";
+        readonly soc2Control: "CC6.2";
+    };
+};
+/**
+ * Data access event types
+ */
+export declare const DATA_ACCESS_EVENT_TYPES: {
+    readonly DATA_READ: {
+        readonly category: "data_access";
+        readonly severity: "info";
+        readonly description: "Data read operation";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly DATA_CREATED: {
+        readonly category: "data_access";
+        readonly severity: "info";
+        readonly description: "Data created";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly DATA_UPDATED: {
+        readonly category: "data_access";
+        readonly severity: "info";
+        readonly description: "Data updated";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly DATA_DELETED: {
+        readonly category: "data_access";
+        readonly severity: "medium";
+        readonly description: "Data deleted";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly DATA_EXPORTED: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Data exported";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly BULK_DATA_ACCESS: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Bulk data access operation";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly SENSITIVE_DATA_ACCESS: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Sensitive data accessed";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly PII_ACCESSED: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Personally identifiable information accessed";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly AUDIT_LOG_ACCESSED: {
+        readonly category: "data_access";
+        readonly severity: "medium";
+        readonly description: "Audit log accessed";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly AUDIT_LOG_EXPORTED: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Audit log exported";
+        readonly soc2Control: "CC6.5";
+    };
+};
+/**
+ * Configuration event types
+ */
+export declare const CONFIGURATION_EVENT_TYPES: {
+    readonly CONFIG_CHANGED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "System configuration changed";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly SECURITY_SETTING_CHANGED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Security setting modified";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly KEY_CREATED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Encryption key created";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly KEY_ROTATED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Encryption key rotated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly KEY_REVOKED: {
+        readonly category: "configuration";
+        readonly severity: "critical";
+        readonly description: "Encryption key revoked";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly KEY_ACCESSED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Encryption key accessed";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly SECRET_ROTATED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Secret rotated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly SECRET_ACCESSED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Secret accessed";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly POLICY_CREATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Security policy created";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly POLICY_UPDATED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Security policy updated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly POLICY_DELETED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Security policy deleted";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly TENANT_CREATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Tenant created";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly TENANT_UPDATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Tenant configuration updated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_CREATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "User account created";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_UPDATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "User account updated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_DELETED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "User account deleted";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_DISABLED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "User account disabled";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_ENABLED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "User account enabled";
+        readonly soc2Control: "CC8.1";
+    };
+};
+/**
+ * Incident and security alert event types
+ */
+export declare const INCIDENT_EVENT_TYPES: {
+    readonly BRUTE_FORCE_DETECTED: {
+        readonly category: "incident";
+        readonly severity: "critical";
+        readonly description: "Brute force attack detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly INJECTION_ATTEMPT: {
+        readonly category: "incident";
+        readonly severity: "critical";
+        readonly description: "Injection attack attempt detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly ANOMALY_DETECTED: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Anomalous behavior detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly RATE_LIMIT_EXCEEDED: {
+        readonly category: "incident";
+        readonly severity: "medium";
+        readonly description: "Rate limit exceeded";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly IP_BLOCKED: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "IP address blocked";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly IP_UNBLOCKED: {
+        readonly category: "incident";
+        readonly severity: "medium";
+        readonly description: "IP address unblocked";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly SUSPICIOUS_ACTIVITY: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Suspicious activity flagged";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly SECURITY_ALERT: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Security alert triggered";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly INCIDENT_CREATED: {
+        readonly category: "incident";
+        readonly severity: "critical";
+        readonly description: "Security incident created";
+        readonly soc2Control: "CC7.3";
+    };
+    readonly INCIDENT_UPDATED: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Security incident updated";
+        readonly soc2Control: "CC7.3";
+    };
+    readonly INCIDENT_RESOLVED: {
+        readonly category: "incident";
+        readonly severity: "medium";
+        readonly description: "Security incident resolved";
+        readonly soc2Control: "CC7.3";
+    };
+    readonly GEOGRAPHIC_ANOMALY: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Geographic access anomaly detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly TEMPORAL_ANOMALY: {
+        readonly category: "incident";
+        readonly severity: "medium";
+        readonly description: "Temporal access anomaly detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly VOLUME_ANOMALY: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Access volume anomaly detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly CERTIFICATE_INVALID: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Invalid certificate detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly INTEGRITY_VIOLATION: {
+        readonly category: "incident";
+        readonly severity: "critical";
+        readonly description: "Data integrity violation detected";
+        readonly soc2Control: "CC7.2";
+    };
+};
+/**
+ * Combined security event types for comprehensive logging
+ */
+export declare const SECURITY_EVENT_TYPES: {
+    readonly BRUTE_FORCE_DETECTED: {
+        readonly category: "incident";
+        readonly severity: "critical";
+        readonly description: "Brute force attack detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly INJECTION_ATTEMPT: {
+        readonly category: "incident";
+        readonly severity: "critical";
+        readonly description: "Injection attack attempt detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly ANOMALY_DETECTED: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Anomalous behavior detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly RATE_LIMIT_EXCEEDED: {
+        readonly category: "incident";
+        readonly severity: "medium";
+        readonly description: "Rate limit exceeded";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly IP_BLOCKED: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "IP address blocked";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly IP_UNBLOCKED: {
+        readonly category: "incident";
+        readonly severity: "medium";
+        readonly description: "IP address unblocked";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly SUSPICIOUS_ACTIVITY: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Suspicious activity flagged";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly SECURITY_ALERT: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Security alert triggered";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly INCIDENT_CREATED: {
+        readonly category: "incident";
+        readonly severity: "critical";
+        readonly description: "Security incident created";
+        readonly soc2Control: "CC7.3";
+    };
+    readonly INCIDENT_UPDATED: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Security incident updated";
+        readonly soc2Control: "CC7.3";
+    };
+    readonly INCIDENT_RESOLVED: {
+        readonly category: "incident";
+        readonly severity: "medium";
+        readonly description: "Security incident resolved";
+        readonly soc2Control: "CC7.3";
+    };
+    readonly GEOGRAPHIC_ANOMALY: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Geographic access anomaly detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly TEMPORAL_ANOMALY: {
+        readonly category: "incident";
+        readonly severity: "medium";
+        readonly description: "Temporal access anomaly detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly VOLUME_ANOMALY: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Access volume anomaly detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly CERTIFICATE_INVALID: {
+        readonly category: "incident";
+        readonly severity: "high";
+        readonly description: "Invalid certificate detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly INTEGRITY_VIOLATION: {
+        readonly category: "incident";
+        readonly severity: "critical";
+        readonly description: "Data integrity violation detected";
+        readonly soc2Control: "CC7.2";
+    };
+    readonly CONFIG_CHANGED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "System configuration changed";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly SECURITY_SETTING_CHANGED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Security setting modified";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly KEY_CREATED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Encryption key created";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly KEY_ROTATED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Encryption key rotated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly KEY_REVOKED: {
+        readonly category: "configuration";
+        readonly severity: "critical";
+        readonly description: "Encryption key revoked";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly KEY_ACCESSED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Encryption key accessed";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly SECRET_ROTATED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Secret rotated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly SECRET_ACCESSED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Secret accessed";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly POLICY_CREATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Security policy created";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly POLICY_UPDATED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Security policy updated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly POLICY_DELETED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "Security policy deleted";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly TENANT_CREATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Tenant created";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly TENANT_UPDATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "Tenant configuration updated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_CREATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "User account created";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_UPDATED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "User account updated";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_DELETED: {
+        readonly category: "configuration";
+        readonly severity: "high";
+        readonly description: "User account deleted";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_DISABLED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "User account disabled";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly USER_ENABLED: {
+        readonly category: "configuration";
+        readonly severity: "medium";
+        readonly description: "User account enabled";
+        readonly soc2Control: "CC8.1";
+    };
+    readonly DATA_READ: {
+        readonly category: "data_access";
+        readonly severity: "info";
+        readonly description: "Data read operation";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly DATA_CREATED: {
+        readonly category: "data_access";
+        readonly severity: "info";
+        readonly description: "Data created";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly DATA_UPDATED: {
+        readonly category: "data_access";
+        readonly severity: "info";
+        readonly description: "Data updated";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly DATA_DELETED: {
+        readonly category: "data_access";
+        readonly severity: "medium";
+        readonly description: "Data deleted";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly DATA_EXPORTED: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Data exported";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly BULK_DATA_ACCESS: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Bulk data access operation";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly SENSITIVE_DATA_ACCESS: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Sensitive data accessed";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly PII_ACCESSED: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Personally identifiable information accessed";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly AUDIT_LOG_ACCESSED: {
+        readonly category: "data_access";
+        readonly severity: "medium";
+        readonly description: "Audit log accessed";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly AUDIT_LOG_EXPORTED: {
+        readonly category: "data_access";
+        readonly severity: "high";
+        readonly description: "Audit log exported";
+        readonly soc2Control: "CC6.5";
+    };
+    readonly ACCESS_GRANTED: {
+        readonly category: "authorization";
+        readonly severity: "info";
+        readonly description: "Access granted to resource";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly ACCESS_DENIED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Access denied to resource";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly PERMISSION_GRANTED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Permission granted to user";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly PERMISSION_REVOKED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Permission revoked from user";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly ROLE_ASSIGNED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Role assigned to user";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly ROLE_REMOVED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Role removed from user";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly PRIVILEGE_ESCALATED: {
+        readonly category: "authorization";
+        readonly severity: "high";
+        readonly description: "Privilege escalation occurred";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly TRUST_TIER_CHANGED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Entity trust tier changed";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly POLICY_EVALUATED: {
+        readonly category: "authorization";
+        readonly severity: "info";
+        readonly description: "Authorization policy evaluated";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly POLICY_VIOLATION: {
+        readonly category: "authorization";
+        readonly severity: "high";
+        readonly description: "Policy violation detected";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly SCOPE_CHECK_PASSED: {
+        readonly category: "authorization";
+        readonly severity: "info";
+        readonly description: "Scope check passed";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly SCOPE_CHECK_FAILED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "Scope check failed";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly DPOP_VERIFIED: {
+        readonly category: "authorization";
+        readonly severity: "info";
+        readonly description: "DPoP proof verified successfully";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly DPOP_FAILED: {
+        readonly category: "authorization";
+        readonly severity: "medium";
+        readonly description: "DPoP proof verification failed";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly AGENT_REVOKED: {
+        readonly category: "authorization";
+        readonly severity: "high";
+        readonly description: "Agent access revoked";
+        readonly soc2Control: "CC6.2";
+    };
+    readonly LOGIN_SUCCESS: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "User successfully authenticated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly LOGIN_FAILURE: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Authentication attempt failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly LOGOUT: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "User logged out";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly LOGIN_LOCKED: {
+        readonly category: "authentication";
+        readonly severity: "high";
+        readonly description: "Account locked due to failed attempts";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_CREATED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "New session established";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_VALIDATED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Session validated successfully";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_INVALID: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Session validation failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_EXPIRED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Session expired naturally";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSION_REVOKED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Session forcibly terminated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly SESSIONS_BULK_REVOKED: {
+        readonly category: "authentication";
+        readonly severity: "high";
+        readonly description: "Multiple sessions revoked for user";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly TOKEN_ISSUED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Access token issued";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly TOKEN_REFRESHED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Access token refreshed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly TOKEN_REVOKED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Token manually revoked";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly TOKEN_VALIDATION_FAILED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Token validation failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_CREATED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key created";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_VALIDATED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "API key validated successfully";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_VALIDATION_FAILED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key validation failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_REVOKED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key revoked";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_ROTATED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key rotated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_EXPIRED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "API key expired";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_DELETED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key permanently deleted";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly API_KEY_RATE_LIMITED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "API key rate limit exceeded";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_ENROLLED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA enrollment completed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_ENROLLMENT_STARTED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "MFA enrollment initiated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_ENROLLMENT_VERIFIED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "MFA enrollment code verified";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_ENROLLMENT_FAILED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA enrollment verification failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_DISABLED: {
+        readonly category: "authentication";
+        readonly severity: "high";
+        readonly description: "MFA disabled for user";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_CHALLENGE_CREATED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "MFA challenge initiated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_VERIFICATION_SUCCESS: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "MFA verification successful";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_VERIFICATION_FAILED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA verification failed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_BACKUP_CODE_USED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA backup code used";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_BACKUP_CODES_REGENERATED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "MFA backup codes regenerated";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly MFA_TOO_MANY_ATTEMPTS: {
+        readonly category: "authentication";
+        readonly severity: "high";
+        readonly description: "MFA verification exceeded maximum attempts";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly PASSWORD_CHANGED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Password changed";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly PASSWORD_RESET_REQUESTED: {
+        readonly category: "authentication";
+        readonly severity: "info";
+        readonly description: "Password reset requested";
+        readonly soc2Control: "CC6.1";
+    };
+    readonly PASSWORD_RESET_COMPLETED: {
+        readonly category: "authentication";
+        readonly severity: "medium";
+        readonly description: "Password reset completed";
+        readonly soc2Control: "CC6.1";
+    };
+};
+export type SecurityEventType = keyof typeof SECURITY_EVENT_TYPES;
+/**
+ * Actor performing the security action
+ */
+export interface SecurityActor {
+    /** Actor type (user, agent, service, or system) */
+    type: 'user' | 'agent' | 'service' | 'system';
+    /** Actor's unique identifier */
+    id: ID;
+    /** Actor's display name */
+    name?: string;
+    /** Actor's email (if applicable) */
+    email?: string;
+    /** IP address of the actor */
+    ip?: string;
+    /** User agent string */
+    userAgent?: string;
+    /** Session ID (if authenticated) */
+    sessionId?: string;
+    /** Tenant context */
+    tenantId?: ID;
+}
+/**
+ * Zod schema for SecurityActor
+ */
+export declare const securityActorSchema: z.ZodObject<{
+    type: z.ZodEnum<["user", "agent", "service", "system"]>;
+    id: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+    email: z.ZodOptional<z.ZodString>;
+    ip: z.ZodOptional<z.ZodString>;
+    userAgent: z.ZodOptional<z.ZodString>;
+    sessionId: z.ZodOptional<z.ZodString>;
+    tenantId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    name?: string;
+    id?: string;
+    type?: "agent" | "user" | "service" | "system";
+    email?: string;
+    ip?: string;
+    userAgent?: string;
+    tenantId?: string;
+    sessionId?: string;
+}, {
+    name?: string;
+    id?: string;
+    type?: "agent" | "user" | "service" | "system";
+    email?: string;
+    ip?: string;
+    userAgent?: string;
+    tenantId?: string;
+    sessionId?: string;
+}>;
+/**
+ * Resource affected by the security event
+ */
+export interface SecurityResource {
+    /** Resource type */
+    type: string;
+    /** Resource identifier */
+    id: ID;
+    /** Resource name (human readable) */
+    name?: string;
+    /** Resource path or location */
+    path?: string;
+    /** Additional resource attributes */
+    attributes?: Record<string, unknown>;
+}
+/**
+ * Zod schema for SecurityResource
+ */
+export declare const securityResourceSchema: z.ZodObject<{
+    type: z.ZodString;
+    id: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+    path: z.ZodOptional<z.ZodString>;
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    name?: string;
+    path?: string;
+    id?: string;
+    type?: string;
+    attributes?: Record<string, unknown>;
+}, {
+    name?: string;
+    path?: string;
+    id?: string;
+    type?: string;
+    attributes?: Record<string, unknown>;
+}>;
+/**
+ * Complete security event for audit logging
+ */
+export interface SecurityEvent {
+    /** Unique event identifier */
+    id: ID;
+    /** Event timestamp (ISO 8601) */
+    timestamp: Timestamp;
+    /** Event type from SECURITY_EVENT_TYPES */
+    eventType: SecurityEventType;
+    /** Event category */
+    category: SecurityEventCategory;
+    /** Event severity */
+    severity: SecuritySeverity;
+    /** Actor who performed the action */
+    actor: SecurityActor;
+    /** Action performed */
+    action: string;
+    /** Resource affected */
+    resource: SecurityResource;
+    /** Outcome of the action */
+    outcome: SecurityOutcome;
+    /** Additional event metadata */
+    metadata: Record<string, unknown>;
+    /** Unique request identifier */
+    requestId: ID;
+    /** W3C TraceContext trace ID */
+    traceId?: string;
+    /** Reason for the outcome (especially for failures) */
+    reason?: string;
+    /** SOC 2 control identifier */
+    soc2Control?: string;
+    /** Hash of this record for chain integrity */
+    recordHash?: string;
+    /** Hash of previous record in chain */
+    previousHash?: string;
+    /** Sequence number in audit chain */
+    sequenceNumber?: number;
+}
+/**
+ * Zod schema for SecurityEvent
+ */
+export declare const securityEventSchema: z.ZodObject<{
+    id: z.ZodString;
+    timestamp: z.ZodString;
+    eventType: z.ZodString;
+    category: z.ZodEnum<["authentication", "authorization", "data_access", "configuration", "incident"]>;
+    severity: z.ZodEnum<["info", "low", "medium", "high", "critical"]>;
+    actor: z.ZodObject<{
+        type: z.ZodEnum<["user", "agent", "service", "system"]>;
+        id: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        ip: z.ZodOptional<z.ZodString>;
+        userAgent: z.ZodOptional<z.ZodString>;
+        sessionId: z.ZodOptional<z.ZodString>;
+        tenantId: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        name?: string;
+        id?: string;
+        type?: "agent" | "user" | "service" | "system";
+        email?: string;
+        ip?: string;
+        userAgent?: string;
+        tenantId?: string;
+        sessionId?: string;
+    }, {
+        name?: string;
+        id?: string;
+        type?: "agent" | "user" | "service" | "system";
+        email?: string;
+        ip?: string;
+        userAgent?: string;
+        tenantId?: string;
+        sessionId?: string;
+    }>;
+    action: z.ZodString;
+    resource: z.ZodObject<{
+        type: z.ZodString;
+        id: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        path: z.ZodOptional<z.ZodString>;
+        attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        name?: string;
+        path?: string;
+        id?: string;
+        type?: string;
+        attributes?: Record<string, unknown>;
+    }, {
+        name?: string;
+        path?: string;
+        id?: string;
+        type?: string;
+        attributes?: Record<string, unknown>;
+    }>;
+    outcome: z.ZodEnum<["success", "failure", "blocked", "escalated"]>;
+    metadata: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    requestId: z.ZodString;
+    traceId: z.ZodOptional<z.ZodString>;
+    reason: z.ZodOptional<z.ZodString>;
+    soc2Control: z.ZodOptional<z.ZodString>;
+    recordHash: z.ZodOptional<z.ZodString>;
+    previousHash: z.ZodOptional<z.ZodString>;
+    sequenceNumber: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    traceId?: string;
+    action?: string;
+    reason?: string;
+    id?: string;
+    metadata?: Record<string, unknown>;
+    requestId?: string;
+    outcome?: "escalated" | "success" | "failure" | "blocked";
+    eventType?: string;
+    previousHash?: string;
+    severity?: "info" | "critical" | "low" | "medium" | "high";
+    sequenceNumber?: number;
+    recordHash?: string;
+    timestamp?: string;
+    resource?: {
+        name?: string;
+        path?: string;
+        id?: string;
+        type?: string;
+        attributes?: Record<string, unknown>;
+    };
+    category?: "authorization" | "data_access" | "authentication" | "configuration" | "incident";
+    actor?: {
+        name?: string;
+        id?: string;
+        type?: "agent" | "user" | "service" | "system";
+        email?: string;
+        ip?: string;
+        userAgent?: string;
+        tenantId?: string;
+        sessionId?: string;
+    };
+    soc2Control?: string;
+}, {
+    traceId?: string;
+    action?: string;
+    reason?: string;
+    id?: string;
+    metadata?: Record<string, unknown>;
+    requestId?: string;
+    outcome?: "escalated" | "success" | "failure" | "blocked";
+    eventType?: string;
+    previousHash?: string;
+    severity?: "info" | "critical" | "low" | "medium" | "high";
+    sequenceNumber?: number;
+    recordHash?: string;
+    timestamp?: string;
+    resource?: {
+        name?: string;
+        path?: string;
+        id?: string;
+        type?: string;
+        attributes?: Record<string, unknown>;
+    };
+    category?: "authorization" | "data_access" | "authentication" | "configuration" | "incident";
+    actor?: {
+        name?: string;
+        id?: string;
+        type?: "agent" | "user" | "service" | "system";
+        email?: string;
+        ip?: string;
+        userAgent?: string;
+        tenantId?: string;
+        sessionId?: string;
+    };
+    soc2Control?: string;
+}>;
+/**
+ * Input for creating a security event (without auto-generated fields)
+ */
+export interface CreateSecurityEventInput {
+    /** Event type from SECURITY_EVENT_TYPES */
+    eventType: SecurityEventType;
+    /** Actor who performed the action */
+    actor: SecurityActor;
+    /** Action performed */
+    action: string;
+    /** Resource affected */
+    resource: SecurityResource;
+    /** Outcome of the action */
+    outcome: SecurityOutcome;
+    /** Additional event metadata */
+    metadata?: Record<string, unknown>;
+    /** Reason for the outcome */
+    reason?: string;
+    /** Override timestamp (defaults to now) */
+    timestamp?: Timestamp;
+    /** Override request ID (auto-populated from trace context) */
+    requestId?: ID;
+    /** Override trace ID (auto-populated from trace context) */
+    traceId?: string;
+}
+/**
+ * Zod schema for CreateSecurityEventInput
+ */
+export declare const createSecurityEventInputSchema: z.ZodObject<{
+    eventType: z.ZodString;
+    actor: z.ZodObject<{
+        type: z.ZodEnum<["user", "agent", "service", "system"]>;
+        id: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        ip: z.ZodOptional<z.ZodString>;
+        userAgent: z.ZodOptional<z.ZodString>;
+        sessionId: z.ZodOptional<z.ZodString>;
+        tenantId: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        name?: string;
+        id?: string;
+        type?: "agent" | "user" | "service" | "system";
+        email?: string;
+        ip?: string;
+        userAgent?: string;
+        tenantId?: string;
+        sessionId?: string;
+    }, {
+        name?: string;
+        id?: string;
+        type?: "agent" | "user" | "service" | "system";
+        email?: string;
+        ip?: string;
+        userAgent?: string;
+        tenantId?: string;
+        sessionId?: string;
+    }>;
+    action: z.ZodString;
+    resource: z.ZodObject<{
+        type: z.ZodString;
+        id: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        path: z.ZodOptional<z.ZodString>;
+        attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        name?: string;
+        path?: string;
+        id?: string;
+        type?: string;
+        attributes?: Record<string, unknown>;
+    }, {
+        name?: string;
+        path?: string;
+        id?: string;
+        type?: string;
+        attributes?: Record<string, unknown>;
+    }>;
+    outcome: z.ZodEnum<["success", "failure", "blocked", "escalated"]>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    reason: z.ZodOptional<z.ZodString>;
+    timestamp: z.ZodOptional<z.ZodString>;
+    requestId: z.ZodOptional<z.ZodString>;
+    traceId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    traceId?: string;
+    action?: string;
+    reason?: string;
+    metadata?: Record<string, unknown>;
+    requestId?: string;
+    outcome?: "escalated" | "success" | "failure" | "blocked";
+    eventType?: string;
+    timestamp?: string;
+    resource?: {
+        name?: string;
+        path?: string;
+        id?: string;
+        type?: string;
+        attributes?: Record<string, unknown>;
+    };
+    actor?: {
+        name?: string;
+        id?: string;
+        type?: "agent" | "user" | "service" | "system";
+        email?: string;
+        ip?: string;
+        userAgent?: string;
+        tenantId?: string;
+        sessionId?: string;
+    };
+}, {
+    traceId?: string;
+    action?: string;
+    reason?: string;
+    metadata?: Record<string, unknown>;
+    requestId?: string;
+    outcome?: "escalated" | "success" | "failure" | "blocked";
+    eventType?: string;
+    timestamp?: string;
+    resource?: {
+        name?: string;
+        path?: string;
+        id?: string;
+        type?: string;
+        attributes?: Record<string, unknown>;
+    };
+    actor?: {
+        name?: string;
+        id?: string;
+        type?: "agent" | "user" | "service" | "system";
+        email?: string;
+        ip?: string;
+        userAgent?: string;
+        tenantId?: string;
+        sessionId?: string;
+    };
+}>;
+/**
+ * Get event definition by type
+ */
+export declare function getSecurityEventDefinition(eventType: SecurityEventType): {
+    category: SecurityEventCategory;
+    severity: SecuritySeverity;
+    description: string;
+    soc2Control: string;
+};
+/**
+ * Get all event types for a category
+ */
+export declare function getSecurityEventsByCategory(category: SecurityEventCategory): SecurityEventType[];
+/**
+ * Get all event types for a severity level
+ */
+export declare function getSecurityEventsBySeverity(severity: SecuritySeverity): SecurityEventType[];
+/**
+ * Validate that a string is a valid security event type
+ */
+export declare function isValidSecurityEventType(type: string): type is SecurityEventType;
+/**
+ * Get all security event types
+ */
+export declare function getAllSecurityEventTypes(): SecurityEventType[];
+/**
+ * Get SOC 2 control for an event type
+ */
+export declare function getSoc2Control(eventType: SecurityEventType): string;
+//# sourceMappingURL=security-events.d.ts.map