npm - agentic-qe - Versions diffs - 3.7.8 → 3.7.10 - Mend

agentic-qe 3.7.8 → 3.7.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (569) hide show

package/.claude/skills/compliance-testing/schemas/output.json CHANGED Viewed

@@ -1,845 +1,845 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://agentic-qe.dev/schemas/compliance-testing-output.json",
-  "title": "Compliance Testing Skill Output Schema",
-  "description": "Schema for compliance-testing skill output validation. Validates GDPR, HIPAA, SOC2, PCI-DSS, and CCPA compliance audit results.",
-  "type": "object",
-  "required": ["skillName", "version", "timestamp", "status", "trustTier", "output"],
-  "properties": {
-    "skillName": {
-      "type": "string",
-      "const": "compliance-testing",
-      "description": "Must be 'compliance-testing'"
-    },
-    "version": {
-      "type": "string",
-      "pattern": "^\\d+\\.\\d+\\.\\d+(-[a-zA-Z0-9]+)?$",
-      "description": "Semantic version of the skill"
-    },
-    "timestamp": {
-      "type": "string",
-      "format": "date-time",
-      "description": "ISO 8601 timestamp of output generation"
-    },
-    "status": {
-      "type": "string",
-      "enum": ["success", "partial", "failed", "skipped"],
-      "description": "Overall execution status"
-    },
-    "trustTier": {
-      "type": "integer",
-      "const": 3,
-      "description": "Trust tier 3: has schema, validator, and eval suite"
-    },
-    "output": {
-      "type": "object",
-      "required": ["summary", "complianceFrameworks", "overallComplianceScore"],
-      "properties": {
-        "summary": {
-          "type": "string",
-          "minLength": 20,
-          "maxLength": 3000,
-          "description": "Human-readable summary of compliance audit findings"
-        },
-        "overallComplianceScore": {
-          "$ref": "#/$defs/complianceScore",
-          "description": "Overall compliance score across all frameworks"
-        },
-        "complianceFrameworks": {
-          "type": "array",
-          "items": {
-            "$ref": "#/$defs/complianceFramework"
-          },
-          "minItems": 1,
-          "maxItems": 10,
-          "description": "List of compliance frameworks audited"
-        },
-        "controls": {
-          "type": "array",
-          "items": {
-            "$ref": "#/$defs/complianceControl"
-          },
-          "maxItems": 500,
-          "description": "Individual compliance controls evaluated"
-        },
-        "findings": {
-          "type": "array",
-          "items": {
-            "$ref": "#/$defs/complianceFinding"
-          },
-          "maxItems": 200,
-          "description": "Compliance violations and gaps identified"
-        },
-        "riskAssessment": {
-          "$ref": "#/$defs/riskAssessment",
-          "description": "Overall risk assessment from compliance gaps"
-        },
-        "recommendations": {
-          "type": "array",
-          "items": {
-            "$ref": "#/$defs/recommendation"
-          },
-          "maxItems": 100,
-          "description": "Actionable remediation recommendations"
-        },
-        "auditTrail": {
-          "$ref": "#/$defs/auditTrail",
-          "description": "Audit trail and evidence collection metadata"
-        },
-        "dataPrivacy": {
-          "$ref": "#/$defs/dataPrivacyAssessment",
-          "description": "Data privacy specific assessment (GDPR/CCPA)"
-        },
-        "artifacts": {
-          "type": "array",
-          "items": {
-            "$ref": "#/$defs/artifact"
-          },
-          "maxItems": 50,
-          "description": "Generated compliance reports and evidence"
-        }
-      }
-    },
-    "metadata": {
-      "type": "object",
-      "properties": {
-        "executionTimeMs": {
-          "type": "integer",
-          "minimum": 0,
-          "maximum": 3600000
-        },
-        "toolsUsed": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "uniqueItems": true
-        },
-        "agentId": {
-          "type": "string",
-          "pattern": "^qe-[a-z][a-z0-9-]*$"
-        },
-        "modelUsed": {
-          "type": "string"
-        },
-        "targetPath": {
-          "type": "string"
-        },
-        "targetUrl": {
-          "type": "string",
-          "format": "uri"
-        },
-        "regulationsScoped": {
-          "type": "array",
-          "items": {
-            "type": "string",
-            "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"]
-          },
-          "description": "Regulations included in this compliance audit"
-        },
-        "auditDate": {
-          "type": "string",
-          "format": "date",
-          "description": "Date of the compliance audit"
-        },
-        "auditScope": {
-          "type": "string",
-          "description": "Description of what was included in the audit"
-        }
-      }
-    },
-    "validation": {
-      "type": "object",
-      "properties": {
-        "schemaValid": {
-          "type": "boolean"
-        },
-        "contentValid": {
-          "type": "boolean"
-        },
-        "confidence": {
-          "type": "number",
-          "minimum": 0,
-          "maximum": 1
-        },
-        "warnings": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        },
-        "errors": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        }
-      }
-    },
-    "learning": {
-      "type": "object",
-      "properties": {
-        "patternsDetected": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        },
-        "reward": {
-          "type": "number",
-          "minimum": 0,
-          "maximum": 1
-        }
-      }
-    }
-  },
-  "$defs": {
-    "complianceScore": {
-      "type": "object",
-      "required": ["value", "max", "percentage"],
-      "properties": {
-        "value": {
-          "type": "number",
-          "minimum": 0,
-          "description": "Score value (controls passed)"
-        },
-        "max": {
-          "type": "number",
-          "minimum": 1,
-          "description": "Maximum possible score (total controls)"
-        },
-        "percentage": {
-          "type": "number",
-          "minimum": 0,
-          "maximum": 100,
-          "description": "Compliance percentage"
-        },
-        "grade": {
-          "type": "string",
-          "pattern": "^[A-F][+-]?$",
-          "description": "Letter grade (A, B, C, D, F)"
-        },
-        "status": {
-          "type": "string",
-          "enum": ["compliant", "partial", "non-compliant", "not-applicable"],
-          "description": "Compliance status determination"
-        },
-        "trend": {
-          "type": "string",
-          "enum": ["improving", "stable", "declining", "unknown"],
-          "description": "Trend compared to previous audits"
-        }
-      }
-    },
-    "complianceFramework": {
-      "type": "object",
-      "required": ["id", "name", "version", "score"],
-      "properties": {
-        "id": {
-          "type": "string",
-          "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"],
-          "description": "Framework identifier"
-        },
-        "name": {
-          "type": "string",
-          "description": "Full framework name"
-        },
-        "version": {
-          "type": "string",
-          "description": "Framework version (e.g., 'v4.0' for PCI-DSS)"
-        },
-        "score": {
-          "$ref": "#/$defs/complianceScore"
-        },
-        "controlCategories": {
-          "type": "array",
-          "items": {
-            "$ref": "#/$defs/controlCategory"
-          },
-          "description": "Breakdown by control category"
-        },
-        "applicableRequirements": {
-          "type": "integer",
-          "minimum": 0,
-          "description": "Number of requirements applicable to this system"
-        },
-        "exemptions": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "List of exempted requirements with justification"
-        }
-      }
-    },
-    "controlCategory": {
-      "type": "object",
-      "required": ["id", "name", "score"],
-      "properties": {
-        "id": {
-          "type": "string",
-          "description": "Category identifier (e.g., 'CC6' for SOC2, 'Art.17' for GDPR)"
-        },
-        "name": {
-          "type": "string",
-          "description": "Category name"
-        },
-        "score": {
-          "$ref": "#/$defs/complianceScore"
-        },
-        "controlCount": {
-          "type": "integer",
-          "minimum": 0
-        },
-        "criticalGaps": {
-          "type": "integer",
-          "minimum": 0
-        }
-      }
-    },
-    "complianceControl": {
-      "type": "object",
-      "required": ["id", "requirement", "status"],
-      "properties": {
-        "id": {
-          "type": "string",
-          "pattern": "^[A-Z0-9]+-[A-Z0-9.-]+$",
-          "description": "Control identifier (e.g., 'GDPR-Art17', 'PCI-3.4', 'SOC2-CC6.1')"
-        },
-        "framework": {
-          "type": "string",
-          "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"]
-        },
-        "requirement": {
-          "type": "string",
-          "minLength": 10,
-          "maxLength": 1000,
-          "description": "Full requirement text"
-        },
-        "status": {
-          "type": "string",
-          "enum": ["pass", "fail", "partial", "not-applicable", "not-tested"],
-          "description": "Control compliance status"
-        },
-        "evidence": {
-          "type": "string",
-          "maxLength": 5000,
-          "description": "Evidence supporting the status determination"
-        },
-        "evidenceType": {
-          "type": "string",
-          "enum": ["code", "config", "log", "document", "interview", "observation", "automated-test"],
-          "description": "Type of evidence collected"
-        },
-        "testedBy": {
-          "type": "string",
-          "description": "Agent or tool that performed the test"
-        },
-        "testedAt": {
-          "type": "string",
-          "format": "date-time"
-        },
-        "location": {
-          "$ref": "#/$defs/location"
-        },
-        "gaps": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Specific gaps identified for this control"
-        },
-        "remediationRequired": {
-          "type": "boolean",
-          "description": "Whether remediation is required"
-        },
-        "remediationDeadline": {
-          "type": "string",
-          "format": "date",
-          "description": "Deadline for remediation based on severity"
-        }
-      }
-    },
-    "complianceFinding": {
-      "type": "object",
-      "required": ["id", "title", "severity", "framework", "controlId"],
-      "properties": {
-        "id": {
-          "type": "string",
-          "pattern": "^COMP-\\d{3,6}$",
-          "description": "Finding identifier (e.g., COMP-001)"
-        },
-        "title": {
-          "type": "string",
-          "minLength": 10,
-          "maxLength": 200
-        },
-        "description": {
-          "type": "string",
-          "maxLength": 3000
-        },
-        "severity": {
-          "type": "string",
-          "enum": ["critical", "high", "medium", "low", "info"],
-          "description": "Severity based on regulatory impact"
-        },
-        "framework": {
-          "type": "string",
-          "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"]
-        },
-        "controlId": {
-          "type": "string",
-          "description": "Related control identifier"
-        },
-        "category": {
-          "type": "string",
-          "enum": [
-            "data-privacy",
-            "access-control",
-            "encryption",
-            "audit-logging",
-            "data-retention",
-            "consent-management",
-            "data-subject-rights",
-            "incident-response",
-            "vendor-management",
-            "security-awareness",
-            "physical-security",
-            "change-management"
-          ]
-        },
-        "evidence": {
-          "type": "string",
-          "maxLength": 5000
-        },
-        "location": {
-          "$ref": "#/$defs/location"
-        },
-        "regulatoryImpact": {
-          "type": "string",
-          "maxLength": 1000,
-          "description": "Potential regulatory consequences of non-compliance"
-        },
-        "penaltyRisk": {
-          "type": "string",
-          "maxLength": 500,
-          "description": "Estimated penalty risk (e.g., 'Up to 4% global revenue')"
-        },
-        "remediation": {
-          "type": "string",
-          "maxLength": 2000
-        },
-        "remediationEffort": {
-          "type": "string",
-          "enum": ["trivial", "low", "medium", "high", "major"]
-        },
-        "dueDate": {
-          "type": "string",
-          "format": "date",
-          "description": "Remediation due date"
-        },
-        "assignee": {
-          "type": "string",
-          "description": "Person/team responsible for remediation"
-        }
-      }
-    },
-    "riskAssessment": {
-      "type": "object",
-      "required": ["overallRiskLevel", "riskScore"],
-      "properties": {
-        "overallRiskLevel": {
-          "type": "string",
-          "enum": ["critical", "high", "medium", "low", "minimal"],
-          "description": "Overall compliance risk level"
-        },
-        "riskScore": {
-          "type": "number",
-          "minimum": 0,
-          "maximum": 100,
-          "description": "Numeric risk score (0=no risk, 100=critical risk)"
-        },
-        "riskFactors": {
-          "type": "array",
-          "items": {
-            "$ref": "#/$defs/riskFactor"
-          },
-          "description": "Individual risk factors contributing to overall risk"
-        },
-        "dataExposureRisk": {
-          "type": "string",
-          "enum": ["none", "low", "medium", "high", "critical"],
-          "description": "Risk of sensitive data exposure"
-        },
-        "regulatoryActionRisk": {
-          "type": "string",
-          "enum": ["none", "low", "medium", "high", "critical"],
-          "description": "Risk of regulatory enforcement action"
-        },
-        "reputationalRisk": {
-          "type": "string",
-          "enum": ["none", "low", "medium", "high", "critical"],
-          "description": "Risk of reputational damage"
-        },
-        "financialImpact": {
-          "type": "object",
-          "properties": {
-            "estimatedPenalty": {
-              "type": "string",
-              "description": "Estimated maximum penalty (e.g., '$10M or 4% revenue')"
-            },
-            "remediationCost": {
-              "type": "string",
-              "description": "Estimated remediation cost"
-            }
-          }
-        }
-      }
-    },
-    "riskFactor": {
-      "type": "object",
-      "required": ["factor", "impact", "likelihood"],
-      "properties": {
-        "factor": {
-          "type": "string",
-          "description": "Risk factor description"
-        },
-        "impact": {
-          "type": "string",
-          "enum": ["critical", "high", "medium", "low", "minimal"]
-        },
-        "likelihood": {
-          "type": "string",
-          "enum": ["certain", "likely", "possible", "unlikely", "rare"]
-        },
-        "mitigationStatus": {
-          "type": "string",
-          "enum": ["mitigated", "partial", "unmitigated"]
-        }
-      }
-    },
-    "auditTrail": {
-      "type": "object",
-      "properties": {
-        "auditId": {
-          "type": "string",
-          "format": "uuid"
-        },
-        "auditDate": {
-          "type": "string",
-          "format": "date-time"
-        },
-        "auditor": {
-          "type": "string",
-          "description": "Agent or person conducting the audit"
-        },
-        "scope": {
-          "type": "string",
-          "description": "Audit scope description"
-        },
-        "methodology": {
-          "type": "string",
-          "enum": ["automated", "manual", "hybrid"],
-          "description": "Audit methodology used"
-        },
-        "evidenceCount": {
-          "type": "integer",
-          "minimum": 0
-        },
-        "controlsTested": {
-          "type": "integer",
-          "minimum": 0
-        },
-        "findingsCount": {
-          "type": "integer",
-          "minimum": 0
-        },
-        "previousAuditId": {
-          "type": "string",
-          "format": "uuid",
-          "description": "Reference to previous audit for trend analysis"
-        }
-      }
-    },
-    "dataPrivacyAssessment": {
-      "type": "object",
-      "description": "GDPR/CCPA specific data privacy assessment",
-      "properties": {
-        "piiDetected": {
-          "type": "boolean",
-          "description": "Whether PII was detected in scope"
-        },
-        "piiCategories": {
-          "type": "array",
-          "items": {
-            "type": "string",
-            "enum": [
-              "name",
-              "email",
-              "phone",
-              "address",
-              "ssn",
-              "financial",
-              "health",
-              "biometric",
-              "genetic",
-              "racial-ethnic",
-              "political",
-              "religious",
-              "sexual-orientation",
-              "criminal",
-              "location",
-              "ip-address",
-              "device-id"
-            ]
-          }
-        },
-        "dataSubjectRights": {
-          "type": "object",
-          "properties": {
-            "accessRight": {
-              "$ref": "#/$defs/rightStatus"
-            },
-            "rectificationRight": {
-              "$ref": "#/$defs/rightStatus"
-            },
-            "erasureRight": {
-              "$ref": "#/$defs/rightStatus"
-            },
-            "portabilityRight": {
-              "$ref": "#/$defs/rightStatus"
-            },
-            "restrictionRight": {
-              "$ref": "#/$defs/rightStatus"
-            },
-            "objectionRight": {
-              "$ref": "#/$defs/rightStatus"
-            }
-          }
-        },
-        "consentManagement": {
-          "type": "object",
-          "properties": {
-            "consentTracked": {
-              "type": "boolean"
-            },
-            "consentTimestamped": {
-              "type": "boolean"
-            },
-            "consentWithdrawable": {
-              "type": "boolean"
-            },
-            "consentGranular": {
-              "type": "boolean"
-            }
-          }
-        },
-        "dataRetention": {
-          "type": "object",
-          "properties": {
-            "retentionPolicyExists": {
-              "type": "boolean"
-            },
-            "retentionEnforced": {
-              "type": "boolean"
-            },
-            "retentionPeriods": {
-              "type": "array",
-              "items": {
-                "type": "object",
-                "properties": {
-                  "dataCategory": {
-                    "type": "string"
-                  },
-                  "retentionPeriod": {
-                    "type": "string"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "encryptionStatus": {
-          "type": "object",
-          "properties": {
-            "atRest": {
-              "type": "boolean"
-            },
-            "inTransit": {
-              "type": "boolean"
-            },
-            "algorithm": {
-              "type": "string"
-            }
-          }
-        },
-        "crossBorderTransfer": {
-          "type": "object",
-          "properties": {
-            "detected": {
-              "type": "boolean"
-            },
-            "adequacyDecision": {
-              "type": "boolean"
-            },
-            "transferMechanism": {
-              "type": "string",
-              "enum": ["adequacy", "scc", "bcr", "consent", "none"]
-            }
-          }
-        }
-      }
-    },
-    "rightStatus": {
-      "type": "object",
-      "properties": {
-        "implemented": {
-          "type": "boolean"
-        },
-        "tested": {
-          "type": "boolean"
-        },
-        "responseTime": {
-          "type": "string",
-          "description": "Response time (e.g., '30 days')"
-        },
-        "issues": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        }
-      }
-    },
-    "recommendation": {
-      "type": "object",
-      "required": ["id", "title", "priority"],
-      "properties": {
-        "id": {
-          "type": "string",
-          "pattern": "^REC-\\d{3,6}$"
-        },
-        "title": {
-          "type": "string",
-          "minLength": 5,
-          "maxLength": 200
-        },
-        "description": {
-          "type": "string",
-          "maxLength": 2000
-        },
-        "priority": {
-          "type": "string",
-          "enum": ["critical", "high", "medium", "low"]
-        },
-        "effort": {
-          "type": "string",
-          "enum": ["trivial", "low", "medium", "high", "major"]
-        },
-        "impact": {
-          "type": "integer",
-          "minimum": 1,
-          "maximum": 10
-        },
-        "relatedFindings": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        },
-        "relatedControls": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        },
-        "frameworks": {
-          "type": "array",
-          "items": {
-            "type": "string",
-            "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"]
-          }
-        },
-        "codeExample": {
-          "type": "string",
-          "maxLength": 5000
-        },
-        "resources": {
-          "type": "array",
-          "items": {
-            "type": "object",
-            "required": ["title", "url"],
-            "properties": {
-              "title": {
-                "type": "string"
-              },
-              "url": {
-                "type": "string",
-                "format": "uri"
-              }
-            }
-          }
-        }
-      }
-    },
-    "artifact": {
-      "type": "object",
-      "required": ["type", "path"],
-      "properties": {
-        "type": {
-          "type": "string",
-          "enum": ["report", "evidence", "config", "log", "certificate", "policy", "matrix"]
-        },
-        "path": {
-          "type": "string",
-          "maxLength": 500
-        },
-        "format": {
-          "type": "string",
-          "enum": ["json", "html", "pdf", "md", "csv", "xlsx"]
-        },
-        "description": {
-          "type": "string",
-          "maxLength": 500
-        },
-        "sizeBytes": {
-          "type": "integer",
-          "minimum": 0
-        }
-      }
-    },
-    "location": {
-      "type": "object",
-      "properties": {
-        "file": {
-          "type": "string",
-          "maxLength": 500
-        },
-        "line": {
-          "type": "integer",
-          "minimum": 1
-        },
-        "column": {
-          "type": "integer",
-          "minimum": 1
-        },
-        "url": {
-          "type": "string",
-          "format": "uri"
-        },
-        "component": {
-          "type": "string",
-          "description": "System component or service name"
-        },
-        "database": {
-          "type": "string",
-          "description": "Database name if applicable"
-        },
-        "table": {
-          "type": "string",
-          "description": "Table name if applicable"
-        }
-      }
-    }
-  }
-}
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://agentic-qe.dev/schemas/compliance-testing-output.json",
+  "title": "Compliance Testing Skill Output Schema",
+  "description": "Schema for compliance-testing skill output validation. Validates GDPR, HIPAA, SOC2, PCI-DSS, and CCPA compliance audit results.",
+  "type": "object",
+  "required": ["skillName", "version", "timestamp", "status", "trustTier", "output"],
+  "properties": {
+    "skillName": {
+      "type": "string",
+      "const": "compliance-testing",
+      "description": "Must be 'compliance-testing'"
+    },
+    "version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+\\.\\d+(-[a-zA-Z0-9]+)?$",
+      "description": "Semantic version of the skill"
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 timestamp of output generation"
+    },
+    "status": {
+      "type": "string",
+      "enum": ["success", "partial", "failed", "skipped"],
+      "description": "Overall execution status"
+    },
+    "trustTier": {
+      "type": "integer",
+      "const": 3,
+      "description": "Trust tier 3: has schema, validator, and eval suite"
+    },
+    "output": {
+      "type": "object",
+      "required": ["summary", "complianceFrameworks", "overallComplianceScore"],
+      "properties": {
+        "summary": {
+          "type": "string",
+          "minLength": 20,
+          "maxLength": 3000,
+          "description": "Human-readable summary of compliance audit findings"
+        },
+        "overallComplianceScore": {
+          "$ref": "#/$defs/complianceScore",
+          "description": "Overall compliance score across all frameworks"
+        },
+        "complianceFrameworks": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/complianceFramework"
+          },
+          "minItems": 1,
+          "maxItems": 10,
+          "description": "List of compliance frameworks audited"
+        },
+        "controls": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/complianceControl"
+          },
+          "maxItems": 500,
+          "description": "Individual compliance controls evaluated"
+        },
+        "findings": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/complianceFinding"
+          },
+          "maxItems": 200,
+          "description": "Compliance violations and gaps identified"
+        },
+        "riskAssessment": {
+          "$ref": "#/$defs/riskAssessment",
+          "description": "Overall risk assessment from compliance gaps"
+        },
+        "recommendations": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/recommendation"
+          },
+          "maxItems": 100,
+          "description": "Actionable remediation recommendations"
+        },
+        "auditTrail": {
+          "$ref": "#/$defs/auditTrail",
+          "description": "Audit trail and evidence collection metadata"
+        },
+        "dataPrivacy": {
+          "$ref": "#/$defs/dataPrivacyAssessment",
+          "description": "Data privacy specific assessment (GDPR/CCPA)"
+        },
+        "artifacts": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/artifact"
+          },
+          "maxItems": 50,
+          "description": "Generated compliance reports and evidence"
+        }
+      }
+    },
+    "metadata": {
+      "type": "object",
+      "properties": {
+        "executionTimeMs": {
+          "type": "integer",
+          "minimum": 0,
+          "maximum": 3600000
+        },
+        "toolsUsed": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "uniqueItems": true
+        },
+        "agentId": {
+          "type": "string",
+          "pattern": "^qe-[a-z][a-z0-9-]*$"
+        },
+        "modelUsed": {
+          "type": "string"
+        },
+        "targetPath": {
+          "type": "string"
+        },
+        "targetUrl": {
+          "type": "string",
+          "format": "uri"
+        },
+        "regulationsScoped": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"]
+          },
+          "description": "Regulations included in this compliance audit"
+        },
+        "auditDate": {
+          "type": "string",
+          "format": "date",
+          "description": "Date of the compliance audit"
+        },
+        "auditScope": {
+          "type": "string",
+          "description": "Description of what was included in the audit"
+        }
+      }
+    },
+    "validation": {
+      "type": "object",
+      "properties": {
+        "schemaValid": {
+          "type": "boolean"
+        },
+        "contentValid": {
+          "type": "boolean"
+        },
+        "confidence": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "warnings": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "errors": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "learning": {
+      "type": "object",
+      "properties": {
+        "patternsDetected": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "reward": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        }
+      }
+    }
+  },
+  "$defs": {
+    "complianceScore": {
+      "type": "object",
+      "required": ["value", "max", "percentage"],
+      "properties": {
+        "value": {
+          "type": "number",
+          "minimum": 0,
+          "description": "Score value (controls passed)"
+        },
+        "max": {
+          "type": "number",
+          "minimum": 1,
+          "description": "Maximum possible score (total controls)"
+        },
+        "percentage": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 100,
+          "description": "Compliance percentage"
+        },
+        "grade": {
+          "type": "string",
+          "pattern": "^[A-F][+-]?$",
+          "description": "Letter grade (A, B, C, D, F)"
+        },
+        "status": {
+          "type": "string",
+          "enum": ["compliant", "partial", "non-compliant", "not-applicable"],
+          "description": "Compliance status determination"
+        },
+        "trend": {
+          "type": "string",
+          "enum": ["improving", "stable", "declining", "unknown"],
+          "description": "Trend compared to previous audits"
+        }
+      }
+    },
+    "complianceFramework": {
+      "type": "object",
+      "required": ["id", "name", "version", "score"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"],
+          "description": "Framework identifier"
+        },
+        "name": {
+          "type": "string",
+          "description": "Full framework name"
+        },
+        "version": {
+          "type": "string",
+          "description": "Framework version (e.g., 'v4.0' for PCI-DSS)"
+        },
+        "score": {
+          "$ref": "#/$defs/complianceScore"
+        },
+        "controlCategories": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/controlCategory"
+          },
+          "description": "Breakdown by control category"
+        },
+        "applicableRequirements": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Number of requirements applicable to this system"
+        },
+        "exemptions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "List of exempted requirements with justification"
+        }
+      }
+    },
+    "controlCategory": {
+      "type": "object",
+      "required": ["id", "name", "score"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "description": "Category identifier (e.g., 'CC6' for SOC2, 'Art.17' for GDPR)"
+        },
+        "name": {
+          "type": "string",
+          "description": "Category name"
+        },
+        "score": {
+          "$ref": "#/$defs/complianceScore"
+        },
+        "controlCount": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "criticalGaps": {
+          "type": "integer",
+          "minimum": 0
+        }
+      }
+    },
+    "complianceControl": {
+      "type": "object",
+      "required": ["id", "requirement", "status"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^[A-Z0-9]+-[A-Z0-9.-]+$",
+          "description": "Control identifier (e.g., 'GDPR-Art17', 'PCI-3.4', 'SOC2-CC6.1')"
+        },
+        "framework": {
+          "type": "string",
+          "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"]
+        },
+        "requirement": {
+          "type": "string",
+          "minLength": 10,
+          "maxLength": 1000,
+          "description": "Full requirement text"
+        },
+        "status": {
+          "type": "string",
+          "enum": ["pass", "fail", "partial", "not-applicable", "not-tested"],
+          "description": "Control compliance status"
+        },
+        "evidence": {
+          "type": "string",
+          "maxLength": 5000,
+          "description": "Evidence supporting the status determination"
+        },
+        "evidenceType": {
+          "type": "string",
+          "enum": ["code", "config", "log", "document", "interview", "observation", "automated-test"],
+          "description": "Type of evidence collected"
+        },
+        "testedBy": {
+          "type": "string",
+          "description": "Agent or tool that performed the test"
+        },
+        "testedAt": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "location": {
+          "$ref": "#/$defs/location"
+        },
+        "gaps": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "Specific gaps identified for this control"
+        },
+        "remediationRequired": {
+          "type": "boolean",
+          "description": "Whether remediation is required"
+        },
+        "remediationDeadline": {
+          "type": "string",
+          "format": "date",
+          "description": "Deadline for remediation based on severity"
+        }
+      }
+    },
+    "complianceFinding": {
+      "type": "object",
+      "required": ["id", "title", "severity", "framework", "controlId"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^COMP-\\d{3,6}$",
+          "description": "Finding identifier (e.g., COMP-001)"
+        },
+        "title": {
+          "type": "string",
+          "minLength": 10,
+          "maxLength": 200
+        },
+        "description": {
+          "type": "string",
+          "maxLength": 3000
+        },
+        "severity": {
+          "type": "string",
+          "enum": ["critical", "high", "medium", "low", "info"],
+          "description": "Severity based on regulatory impact"
+        },
+        "framework": {
+          "type": "string",
+          "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"]
+        },
+        "controlId": {
+          "type": "string",
+          "description": "Related control identifier"
+        },
+        "category": {
+          "type": "string",
+          "enum": [
+            "data-privacy",
+            "access-control",
+            "encryption",
+            "audit-logging",
+            "data-retention",
+            "consent-management",
+            "data-subject-rights",
+            "incident-response",
+            "vendor-management",
+            "security-awareness",
+            "physical-security",
+            "change-management"
+          ]
+        },
+        "evidence": {
+          "type": "string",
+          "maxLength": 5000
+        },
+        "location": {
+          "$ref": "#/$defs/location"
+        },
+        "regulatoryImpact": {
+          "type": "string",
+          "maxLength": 1000,
+          "description": "Potential regulatory consequences of non-compliance"
+        },
+        "penaltyRisk": {
+          "type": "string",
+          "maxLength": 500,
+          "description": "Estimated penalty risk (e.g., 'Up to 4% global revenue')"
+        },
+        "remediation": {
+          "type": "string",
+          "maxLength": 2000
+        },
+        "remediationEffort": {
+          "type": "string",
+          "enum": ["trivial", "low", "medium", "high", "major"]
+        },
+        "dueDate": {
+          "type": "string",
+          "format": "date",
+          "description": "Remediation due date"
+        },
+        "assignee": {
+          "type": "string",
+          "description": "Person/team responsible for remediation"
+        }
+      }
+    },
+    "riskAssessment": {
+      "type": "object",
+      "required": ["overallRiskLevel", "riskScore"],
+      "properties": {
+        "overallRiskLevel": {
+          "type": "string",
+          "enum": ["critical", "high", "medium", "low", "minimal"],
+          "description": "Overall compliance risk level"
+        },
+        "riskScore": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 100,
+          "description": "Numeric risk score (0=no risk, 100=critical risk)"
+        },
+        "riskFactors": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/riskFactor"
+          },
+          "description": "Individual risk factors contributing to overall risk"
+        },
+        "dataExposureRisk": {
+          "type": "string",
+          "enum": ["none", "low", "medium", "high", "critical"],
+          "description": "Risk of sensitive data exposure"
+        },
+        "regulatoryActionRisk": {
+          "type": "string",
+          "enum": ["none", "low", "medium", "high", "critical"],
+          "description": "Risk of regulatory enforcement action"
+        },
+        "reputationalRisk": {
+          "type": "string",
+          "enum": ["none", "low", "medium", "high", "critical"],
+          "description": "Risk of reputational damage"
+        },
+        "financialImpact": {
+          "type": "object",
+          "properties": {
+            "estimatedPenalty": {
+              "type": "string",
+              "description": "Estimated maximum penalty (e.g., '$10M or 4% revenue')"
+            },
+            "remediationCost": {
+              "type": "string",
+              "description": "Estimated remediation cost"
+            }
+          }
+        }
+      }
+    },
+    "riskFactor": {
+      "type": "object",
+      "required": ["factor", "impact", "likelihood"],
+      "properties": {
+        "factor": {
+          "type": "string",
+          "description": "Risk factor description"
+        },
+        "impact": {
+          "type": "string",
+          "enum": ["critical", "high", "medium", "low", "minimal"]
+        },
+        "likelihood": {
+          "type": "string",
+          "enum": ["certain", "likely", "possible", "unlikely", "rare"]
+        },
+        "mitigationStatus": {
+          "type": "string",
+          "enum": ["mitigated", "partial", "unmitigated"]
+        }
+      }
+    },
+    "auditTrail": {
+      "type": "object",
+      "properties": {
+        "auditId": {
+          "type": "string",
+          "format": "uuid"
+        },
+        "auditDate": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "auditor": {
+          "type": "string",
+          "description": "Agent or person conducting the audit"
+        },
+        "scope": {
+          "type": "string",
+          "description": "Audit scope description"
+        },
+        "methodology": {
+          "type": "string",
+          "enum": ["automated", "manual", "hybrid"],
+          "description": "Audit methodology used"
+        },
+        "evidenceCount": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "controlsTested": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "findingsCount": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "previousAuditId": {
+          "type": "string",
+          "format": "uuid",
+          "description": "Reference to previous audit for trend analysis"
+        }
+      }
+    },
+    "dataPrivacyAssessment": {
+      "type": "object",
+      "description": "GDPR/CCPA specific data privacy assessment",
+      "properties": {
+        "piiDetected": {
+          "type": "boolean",
+          "description": "Whether PII was detected in scope"
+        },
+        "piiCategories": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": [
+              "name",
+              "email",
+              "phone",
+              "address",
+              "ssn",
+              "financial",
+              "health",
+              "biometric",
+              "genetic",
+              "racial-ethnic",
+              "political",
+              "religious",
+              "sexual-orientation",
+              "criminal",
+              "location",
+              "ip-address",
+              "device-id"
+            ]
+          }
+        },
+        "dataSubjectRights": {
+          "type": "object",
+          "properties": {
+            "accessRight": {
+              "$ref": "#/$defs/rightStatus"
+            },
+            "rectificationRight": {
+              "$ref": "#/$defs/rightStatus"
+            },
+            "erasureRight": {
+              "$ref": "#/$defs/rightStatus"
+            },
+            "portabilityRight": {
+              "$ref": "#/$defs/rightStatus"
+            },
+            "restrictionRight": {
+              "$ref": "#/$defs/rightStatus"
+            },
+            "objectionRight": {
+              "$ref": "#/$defs/rightStatus"
+            }
+          }
+        },
+        "consentManagement": {
+          "type": "object",
+          "properties": {
+            "consentTracked": {
+              "type": "boolean"
+            },
+            "consentTimestamped": {
+              "type": "boolean"
+            },
+            "consentWithdrawable": {
+              "type": "boolean"
+            },
+            "consentGranular": {
+              "type": "boolean"
+            }
+          }
+        },
+        "dataRetention": {
+          "type": "object",
+          "properties": {
+            "retentionPolicyExists": {
+              "type": "boolean"
+            },
+            "retentionEnforced": {
+              "type": "boolean"
+            },
+            "retentionPeriods": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "dataCategory": {
+                    "type": "string"
+                  },
+                  "retentionPeriod": {
+                    "type": "string"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "encryptionStatus": {
+          "type": "object",
+          "properties": {
+            "atRest": {
+              "type": "boolean"
+            },
+            "inTransit": {
+              "type": "boolean"
+            },
+            "algorithm": {
+              "type": "string"
+            }
+          }
+        },
+        "crossBorderTransfer": {
+          "type": "object",
+          "properties": {
+            "detected": {
+              "type": "boolean"
+            },
+            "adequacyDecision": {
+              "type": "boolean"
+            },
+            "transferMechanism": {
+              "type": "string",
+              "enum": ["adequacy", "scc", "bcr", "consent", "none"]
+            }
+          }
+        }
+      }
+    },
+    "rightStatus": {
+      "type": "object",
+      "properties": {
+        "implemented": {
+          "type": "boolean"
+        },
+        "tested": {
+          "type": "boolean"
+        },
+        "responseTime": {
+          "type": "string",
+          "description": "Response time (e.g., '30 days')"
+        },
+        "issues": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "recommendation": {
+      "type": "object",
+      "required": ["id", "title", "priority"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^REC-\\d{3,6}$"
+        },
+        "title": {
+          "type": "string",
+          "minLength": 5,
+          "maxLength": 200
+        },
+        "description": {
+          "type": "string",
+          "maxLength": 2000
+        },
+        "priority": {
+          "type": "string",
+          "enum": ["critical", "high", "medium", "low"]
+        },
+        "effort": {
+          "type": "string",
+          "enum": ["trivial", "low", "medium", "high", "major"]
+        },
+        "impact": {
+          "type": "integer",
+          "minimum": 1,
+          "maximum": 10
+        },
+        "relatedFindings": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "relatedControls": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "frameworks": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["GDPR", "HIPAA", "SOC2", "PCI-DSS", "CCPA", "ISO27001", "NIST", "FedRAMP"]
+          }
+        },
+        "codeExample": {
+          "type": "string",
+          "maxLength": 5000
+        },
+        "resources": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["title", "url"],
+            "properties": {
+              "title": {
+                "type": "string"
+              },
+              "url": {
+                "type": "string",
+                "format": "uri"
+              }
+            }
+          }
+        }
+      }
+    },
+    "artifact": {
+      "type": "object",
+      "required": ["type", "path"],
+      "properties": {
+        "type": {
+          "type": "string",
+          "enum": ["report", "evidence", "config", "log", "certificate", "policy", "matrix"]
+        },
+        "path": {
+          "type": "string",
+          "maxLength": 500
+        },
+        "format": {
+          "type": "string",
+          "enum": ["json", "html", "pdf", "md", "csv", "xlsx"]
+        },
+        "description": {
+          "type": "string",
+          "maxLength": 500
+        },
+        "sizeBytes": {
+          "type": "integer",
+          "minimum": 0
+        }
+      }
+    },
+    "location": {
+      "type": "object",
+      "properties": {
+        "file": {
+          "type": "string",
+          "maxLength": 500
+        },
+        "line": {
+          "type": "integer",
+          "minimum": 1
+        },
+        "column": {
+          "type": "integer",
+          "minimum": 1
+        },
+        "url": {
+          "type": "string",
+          "format": "uri"
+        },
+        "component": {
+          "type": "string",
+          "description": "System component or service name"
+        },
+        "database": {
+          "type": "string",
+          "description": "Database name if applicable"
+        },
+        "table": {
+          "type": "string",
+          "description": "Table name if applicable"
+        }
+      }
+    }
+  }
+}