erosolar-cli 2.1.269 → 2.1.271

package/dist/core/unifiedFraudOrchestrator.js

@@ -1,3312 +0,0 @@
-/**
- * Unified Tech Fraud Investigation Orchestrator
- *
- * Purpose: Coordinate investigation of tech company fraud across multiple vectors:
- * - Apple iMessage PQ3 (key substitution, false E2E claims)
- * - Google Gmail (hidden threads, draft manipulation, unauthorized access)
- * - Google Chrome (browser hijacking, session control, surveillance)
- * - Cross-platform evidence correlation
- *
- * This orchestrator:
- * 1. Manages investigation workflows across multiple targets
- * 2. Correlates evidence across different fraud vectors
- * 3. Detects patterns indicating coordinated manipulation
- * 4. Generates unified legal evidence packages
- * 5. Maintains cryptographic chain of custody
- */
-import * as crypto from 'node:crypto';
-import * as fs from 'node:fs/promises';
-import * as path from 'node:path';
-import { EventEmitter } from 'node:events';
-import { IntegrityVerificationEngine, hashString, } from './integrityVerification.js';
-import { iMessageVerificationEngine, APPLE_PQ3_CLAIMS, } from './iMessageVerification.js';
-// ─────────────────────────────────────────────────────────────────────────────
-// Google Security Claims (like Apple PQ3 claims)
-// ─────────────────────────────────────────────────────────────────────────────
-export const GOOGLE_GMAIL_CLAIMS = {
-    user_control: {
-        claim: "You're in control of your data in Gmail. You can export and delete your data anytime.",
-        source: 'https://safety.google/gmail/',
-        verifiable: 'partial',
-        reason: 'Cannot verify server-side manipulation of what is shown to user'
-    },
-    no_email_scanning_for_ads: {
-        claim: 'Gmail does not scan or read your emails for advertising purposes.',
-        source: 'https://support.google.com/mail/answer/6603',
-        verifiable: false,
-        reason: 'Closed source server, cannot verify processing'
-    },
-    confidential_mode: {
-        claim: 'Confidential mode helps protect sensitive information from unauthorized access.',
-        source: 'https://support.google.com/mail/answer/7674059',
-        verifiable: false,
-        reason: 'Google retains access to content and revocation keys'
-    },
-    security_alerts: {
-        claim: 'We notify you of suspicious activity on your account.',
-        source: 'https://support.google.com/accounts/answer/2590353',
-        verifiable: 'partial',
-        reason: 'Cannot verify all access is reported; Google-controlled infrastructure'
-    },
-    search_accuracy: {
-        claim: 'Search in Gmail finds all matching messages in your mailbox.',
-        source: 'https://support.google.com/mail/answer/7190',
-        verifiable: true,
-        reason: 'Can test by cross-referencing with IMAP/Takeout'
-    },
-    draft_integrity: {
-        claim: 'Drafts are saved automatically and preserved until you delete or send them.',
-        source: 'https://support.google.com/mail/answer/7684',
-        verifiable: true,
-        reason: 'Can monitor draft state over time and detect unauthorized changes'
-    }
-};
-export const GOOGLE_CHROME_CLAIMS = {
-    safe_browsing: {
-        claim: 'Safe Browsing protects you from dangerous sites and downloads.',
-        source: 'https://safebrowsing.google.com/',
-        verifiable: 'partial',
-        reason: 'Also reports all browsing URLs to Google servers'
-    },
-    sync_privacy: {
-        claim: 'Sync data is encrypted in transit and at rest.',
-        source: 'https://support.google.com/chrome/answer/165139',
-        verifiable: false,
-        reason: 'Google holds encryption keys; can access synced data'
-    },
-    user_control_history: {
-        claim: 'You can view and delete your browsing history at any time.',
-        source: 'https://support.google.com/chrome/answer/95589',
-        verifiable: 'partial',
-        reason: 'Cannot verify server-side retention after "deletion"'
-    },
-    no_unauthorized_access: {
-        claim: 'Chrome only accesses your data when you explicitly use a Google service.',
-        source: 'https://www.google.com/chrome/privacy/',
-        verifiable: true,
-        reason: 'Can monitor Chrome process network activity and launches'
-    },
-    extension_security: {
-        claim: 'Extensions must request permissions and users can control what extensions access.',
-        source: 'https://support.google.com/chrome_webstore/answer/2664769',
-        verifiable: 'partial',
-        reason: 'Cannot verify extension behavior matches stated permissions'
-    }
-};
-// ═══════════════════════════════════════════════════════════════════════════════
-// GMAIL INVESTIGATION ENGINE
-// ═══════════════════════════════════════════════════════════════════════════════
-export class GmailInvestigationEngine {
-    storageDir;
-    threadObservations = new Map();
-    draftObservations = new Map();
-    filterObservations = [];
-    accessLogs = [];
-    findings = [];
-    constructor(storageDir) {
-        this.storageDir = path.join(storageDir, 'gmail-investigation');
-    }
-    async initialize() {
-        await fs.mkdir(this.storageDir, { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'threads'), { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'drafts'), { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'filters'), { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'access'), { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'findings'), { recursive: true });
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Thread Monitoring (Hidden Threads Detection)
-    // ─────────────────────────────────────────────────────────────────────────────
-    /**
-     * Record observation of Gmail threads.
-     * Compare with previous observations to detect hidden threads.
-     *
-     * Detection methods:
-     * 1. Compare UI-visible threads vs API-returned threads
-     * 2. Compare search results vs direct thread access
-     * 3. Compare current state vs Google Takeout export
-     * 4. Monitor for threads that disappear from search but still exist
-     */
-    async recordThreadObservation(params) {
-        const now = new Date().toISOString();
-        const observation = {
-            id: crypto.randomUUID(),
-            timestamp: now,
-            ...params,
-            hash: '',
-        };
-        observation.hash = hashString(JSON.stringify({
-            id: observation.id,
-            timestamp: observation.timestamp,
-            threadId: observation.threadId,
-            messageIds: observation.messageIds,
-            isVisible: observation.isVisible,
-            isInSearch: observation.isInSearch,
-        }));
-        // Get previous observations for this thread
-        const previous = this.threadObservations.get(params.threadId) || [];
-        const lastObs = previous[previous.length - 1];
-        let anomalyDetected = false;
-        let finding;
-        // Check for anomalies
-        if (lastObs) {
-            // Thread was visible, now hidden
-            if (lastObs.isVisible && !params.isVisible) {
-                anomalyDetected = true;
-                finding = await this.createFinding({
-                    vector: 'gmail_hidden_threads',
-                    severity: 'high',
-                    title: `Thread hidden: "${params.subject}"`,
-                    description: `Thread ${params.threadId} was visible in previous observation but is now hidden. This may indicate manipulation by Google to hide communications from the user.`,
-                    technicalDetails: {
-                        threadId: params.threadId,
-                        previouslyVisible: true,
-                        currentlyVisible: false,
-                        wasInSearch: lastObs.isInSearch,
-                        nowInSearch: params.isInSearch,
-                        timeSinceLastObservation: new Date(now).getTime() - new Date(lastObs.timestamp).getTime(),
-                    },
-                    evidenceIds: [lastObs.id, observation.id],
-                });
-            }
-            // Thread was in search, now excluded
-            if (lastObs.isInSearch && !params.isInSearch && params.isVisible) {
-                anomalyDetected = true;
-                finding = finding || await this.createFinding({
-                    vector: 'gmail_hidden_threads',
-                    severity: 'medium',
-                    title: `Thread excluded from search: "${params.subject}"`,
-                    description: `Thread ${params.threadId} is visible but no longer appears in search results. Google may be suppressing this thread from discovery.`,
-                    technicalDetails: {
-                        threadId: params.threadId,
-                        visible: true,
-                        excludedFromSearch: true,
-                    },
-                    evidenceIds: [lastObs.id, observation.id],
-                });
-            }
-            // Messages disappeared from thread
-            const missingMessages = lastObs.messageIds.filter(id => !params.messageIds.includes(id));
-            if (missingMessages.length > 0) {
-                anomalyDetected = true;
-                finding = finding || await this.createFinding({
-                    vector: 'gmail_hidden_threads',
-                    severity: 'critical',
-                    title: `Messages removed from thread: "${params.subject}"`,
-                    description: `${missingMessages.length} messages have been removed from thread ${params.threadId} without user action.`,
-                    technicalDetails: {
-                        threadId: params.threadId,
-                        missingMessageIds: missingMessages,
-                        previousMessageCount: lastObs.messageIds.length,
-                        currentMessageCount: params.messageIds.length,
-                    },
-                    evidenceIds: [lastObs.id, observation.id],
-                });
-            }
-        }
-        // Inconsistency: exists but not visible and not in search
-        if (!params.isVisible && !params.isInSearch) {
-            anomalyDetected = true;
-            finding = finding || await this.createFinding({
-                vector: 'gmail_hidden_threads',
-                severity: 'high',
-                title: `Thread completely hidden: "${params.subject}"`,
-                description: `Thread ${params.threadId} exists but is neither visible in inbox views nor discoverable via search. This is strong evidence of deliberate hiding.`,
-                technicalDetails: {
-                    threadId: params.threadId,
-                    captureMethod: params.captureMethod,
-                    lastMessageDate: params.lastMessageDate,
-                },
-                evidenceIds: [observation.id],
-            });
-        }
-        // Store observation
-        previous.push(observation);
-        this.threadObservations.set(params.threadId, previous);
-        await this.persistThreadObservation(observation);
-        return { observation, anomalyDetected, finding };
-    }
-    /**
-     * Compare multiple capture methods to detect discrepancies.
-     * If API shows different threads than UI or Takeout, that's manipulation.
-     */
-    async crossReferenceThreadSources(params) {
-        const allThreadIds = new Set([
-            ...params.apiThreadIds,
-            ...params.uiThreadIds,
-            ...(params.takeoutThreadIds || []),
-            ...(params.imapThreadIds || []),
-        ]);
-        const discrepancies = [];
-        for (const threadId of allThreadIds) {
-            const presentIn = [];
-            const missingFrom = [];
-            if (params.apiThreadIds.includes(threadId))
-                presentIn.push('api');
-            else
-                missingFrom.push('api');
-            if (params.uiThreadIds.includes(threadId))
-                presentIn.push('ui');
-            else
-                missingFrom.push('ui');
-            if (params.takeoutThreadIds?.includes(threadId))
-                presentIn.push('takeout');
-            else if (params.takeoutThreadIds)
-                missingFrom.push('takeout');
-            if (params.imapThreadIds?.includes(threadId))
-                presentIn.push('imap');
-            else if (params.imapThreadIds)
-                missingFrom.push('imap');
-            if (missingFrom.length > 0 && presentIn.length > 0) {
-                let implication = '';
-                if (missingFrom.includes('ui') && presentIn.includes('api')) {
-                    implication = 'Thread exists but is hidden from user interface - deliberate UI manipulation';
-                }
-                else if (missingFrom.includes('api') && presentIn.includes('takeout')) {
-                    implication = 'Thread in export but not in API - potential retroactive hiding';
-                }
-                else if (presentIn.includes('imap') && missingFrom.includes('ui')) {
-                    implication = 'Thread accessible via IMAP but hidden in webmail - selective hiding';
-                }
-                discrepancies.push({ threadId, presentIn, missingFrom, implication });
-            }
-        }
-        let finding;
-        if (discrepancies.length > 0) {
-            finding = await this.createFinding({
-                vector: 'gmail_hidden_threads',
-                severity: discrepancies.length > 5 ? 'critical' : 'high',
-                title: `Cross-reference reveals ${discrepancies.length} hidden threads`,
-                description: `Comparison of Gmail data sources reveals threads that exist in some views but are hidden from others. This is direct evidence of selective content manipulation.`,
-                technicalDetails: {
-                    discrepancyCount: discrepancies.length,
-                    discrepancies,
-                    sourcesCrossReferenced: ['api', 'ui', params.takeoutThreadIds ? 'takeout' : null, params.imapThreadIds ? 'imap' : null].filter(Boolean),
-                },
-                evidenceIds: [],
-            });
-        }
-        return { discrepancies, finding };
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Draft Monitoring (Draft Manipulation Detection)
-    // ─────────────────────────────────────────────────────────────────────────────
-    /**
-     * Record observation of a draft.
-     * Detect unauthorized modifications, deletions, or sends.
-     */
-    async recordDraftObservation(params) {
-        const now = new Date().toISOString();
-        const bodyHash = hashString(params.bodyContent);
-        const observation = {
-            id: crypto.randomUUID(),
-            timestamp: now,
-            draftId: params.draftId,
-            threadId: params.threadId,
-            subject: params.subject,
-            recipientCount: params.recipientCount,
-            bodyHash,
-            bodyLength: params.bodyContent.length,
-            hasAttachments: params.hasAttachments,
-            createdAt: params.createdAt,
-            modifiedAt: params.modifiedAt,
-            captureMethod: params.captureMethod,
-            hash: '',
-        };
-        // Get previous observations
-        const previous = this.draftObservations.get(params.draftId) || [];
-        const lastObs = previous[previous.length - 1];
-        const changes = [];
-        if (lastObs) {
-            observation.previousObservationId = lastObs.id;
-            // Check for content changes
-            if (lastObs.bodyHash !== bodyHash) {
-                const wasUserModified = new Date(params.modifiedAt) > new Date(lastObs.timestamp);
-                changes.push({
-                    type: 'content_changed',
-                    field: 'body',
-                    previousValue: `hash:${lastObs.bodyHash.slice(0, 16)}... (${lastObs.bodyLength} chars)`,
-                    newValue: `hash:${bodyHash.slice(0, 16)}... (${params.bodyContent.length} chars)`,
-                    userInitiated: wasUserModified, // heuristic - needs better detection
-                    suspicionLevel: wasUserModified ? 'normal' : 'highly_suspicious',
-                    reason: wasUserModified ? 'Draft modified' : 'Draft content changed without user modification timestamp update',
-                });
-            }
-            // Check for subject changes
-            if (lastObs.subject !== params.subject) {
-                changes.push({
-                    type: 'modified',
-                    field: 'subject',
-                    previousValue: lastObs.subject,
-                    newValue: params.subject,
-                    userInitiated: false, // cannot determine
-                    suspicionLevel: 'suspicious',
-                    reason: 'Subject line changed',
-                });
-            }
-            // Check for recipient changes
-            if (lastObs.recipientCount !== params.recipientCount) {
-                changes.push({
-                    type: 'modified',
-                    field: 'recipients',
-                    previousValue: String(lastObs.recipientCount),
-                    newValue: String(params.recipientCount),
-                    userInitiated: false,
-                    suspicionLevel: params.recipientCount > lastObs.recipientCount ? 'highly_suspicious' : 'suspicious',
-                    reason: params.recipientCount > lastObs.recipientCount
-                        ? 'Recipients ADDED to draft without user action'
-                        : 'Recipients changed',
-                });
-            }
-        }
-        observation.changes = changes.length > 0 ? changes : undefined;
-        observation.hash = hashString(JSON.stringify({
-            id: observation.id,
-            timestamp: observation.timestamp,
-            draftId: observation.draftId,
-            bodyHash: observation.bodyHash,
-            modifiedAt: observation.modifiedAt,
-        }));
-        // Store observation
-        previous.push(observation);
-        this.draftObservations.set(params.draftId, previous);
-        await this.persistDraftObservation(observation);
-        // Generate finding if suspicious changes detected
-        let finding;
-        const suspiciousChanges = changes.filter(c => c.suspicionLevel !== 'normal');
-        if (suspiciousChanges.length > 0) {
-            finding = await this.createFinding({
-                vector: 'gmail_draft_manipulation',
-                severity: suspiciousChanges.some(c => c.suspicionLevel === 'highly_suspicious') ? 'critical' : 'high',
-                title: `Draft manipulated: "${params.subject}"`,
-                description: `Draft ${params.draftId} has been modified without clear user action. ${suspiciousChanges.map(c => c.reason).join('; ')}`,
-                technicalDetails: {
-                    draftId: params.draftId,
-                    changes: suspiciousChanges,
-                    previousObservationId: lastObs?.id,
-                },
-                evidenceIds: lastObs ? [lastObs.id, observation.id] : [observation.id],
-            });
-        }
-        return { observation, changes, finding };
-    }
-    /**
-     * Detect drafts that were sent without user action.
-     * This is a critical fraud indicator.
-     */
-    async detectUnauthorizedDraftSend(params) {
-        const draftObs = this.draftObservations.get(params.draftId);
-        const lastDraftState = draftObs?.[draftObs.length - 1];
-        const finding = await this.createFinding({
-            vector: 'gmail_draft_manipulation',
-            severity: 'critical',
-            title: `Draft sent without user action: "${lastDraftState?.subject || params.draftId}"`,
-            description: `Draft ${params.draftId} was sent at ${params.sentAt} without user initiation. User active: ${params.userWasActive}. This is unauthorized use of the user's email account.`,
-            technicalDetails: {
-                draftId: params.draftId,
-                sentMessageId: params.sentMessageId,
-                sentAt: params.sentAt,
-                userWasActive: params.userWasActive,
-                userLocation: params.userLocation,
-                sendingIp: params.sendingIp,
-                lastKnownDraftState: lastDraftState ? {
-                    subject: lastDraftState.subject,
-                    bodyHash: lastDraftState.bodyHash,
-                    recipientCount: lastDraftState.recipientCount,
-                    lastModified: lastDraftState.modifiedAt,
-                } : null,
-            },
-            evidenceIds: draftObs?.map(o => o.id) || [],
-        });
-        return finding;
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Access Monitoring
-    // ─────────────────────────────────────────────────────────────────────────────
-    /**
-     * Record account access and detect unauthorized access.
-     */
-    async recordAccessLog(params) {
-        const now = new Date().toISOString();
-        // Determine if suspicious
-        let suspicious = false;
-        let reason;
-        if (!params.wasUser) {
-            suspicious = true;
-            reason = 'Access not initiated by user';
-        }
-        // Check for Google internal IPs (they access accounts for "security")
-        if (params.ipAddress.startsWith('172.217.') ||
-            params.ipAddress.startsWith('142.250.') ||
-            params.ipAddress.startsWith('74.125.')) {
-            suspicious = true;
-            reason = 'Access from Google infrastructure IP';
-        }
-        const log = {
-            id: crypto.randomUUID(),
-            timestamp: now,
-            accessType: params.accessType,
-            ipAddress: params.ipAddress,
-            location: params.location,
-            userAgent: params.userAgent,
-            deviceType: params.deviceType,
-            wasUser: params.wasUser,
-            suspicious,
-            reason,
-            hash: '',
-        };
-        log.hash = hashString(JSON.stringify({
-            id: log.id,
-            timestamp: log.timestamp,
-            accessType: log.accessType,
-            ipAddress: log.ipAddress,
-            wasUser: log.wasUser,
-        }));
-        this.accessLogs.push(log);
-        await this.persistAccessLog(log);
-        let finding;
-        if (suspicious) {
-            finding = await this.createFinding({
-                vector: 'gmail_unauthorized_access',
-                severity: 'high',
-                title: `Unauthorized account access detected`,
-                description: `Gmail account accessed ${params.wasUser ? 'without user initiation' : 'from Google infrastructure'}. ${reason}`,
-                technicalDetails: {
-                    accessType: params.accessType,
-                    ipAddress: params.ipAddress,
-                    location: params.location,
-                    userAgent: params.userAgent,
-                },
-                evidenceIds: [log.id],
-            });
-        }
-        return { log, finding };
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Filter Monitoring
-    // ─────────────────────────────────────────────────────────────────────────────
-    /**
-     * Record and detect unauthorized Gmail filters.
-     * Google could add filters to hide specific emails.
-     */
-    async recordFilterObservation(params) {
-        const now = new Date().toISOString();
-        const observation = {
-            id: crypto.randomUUID(),
-            timestamp: now,
-            filterId: params.filterId,
-            criteria: params.criteria,
-            actions: params.actions,
-            createdByUser: params.createdByUser,
-            createdAt: params.createdAt,
-            hash: '',
-        };
-        observation.hash = hashString(JSON.stringify({
-            id: observation.id,
-            filterId: observation.filterId,
-            criteria: observation.criteria,
-            actions: observation.actions,
-        }));
-        this.filterObservations.push(observation);
-        await this.persistFilterObservation(observation);
-        let finding;
-        // Suspicious filter patterns
-        const isSuspicious = !params.createdByUser ||
-            (params.actions.delete && !params.createdByUser) ||
-            (params.actions.skipInbox && params.actions.markRead) ||
-            params.actions.forward;
-        if (isSuspicious) {
-            finding = await this.createFinding({
-                vector: 'gmail_filter_tampering',
-                severity: params.actions.delete ? 'critical' : 'high',
-                title: `Suspicious filter detected`,
-                description: `Filter ${params.filterId} was ${params.createdByUser ? 'created' : 'NOT created'} by user. Actions: ${JSON.stringify(params.actions)}. Criteria: ${JSON.stringify(params.criteria)}`,
-                technicalDetails: {
-                    filterId: params.filterId,
-                    criteria: params.criteria,
-                    actions: params.actions,
-                    createdByUser: params.createdByUser,
-                },
-                evidenceIds: [observation.id],
-            });
-        }
-        return { observation, finding };
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Persistence
-    // ─────────────────────────────────────────────────────────────────────────────
-    async persistThreadObservation(obs) {
-        const filePath = path.join(this.storageDir, 'threads', `${obs.threadId}_${obs.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(obs, null, 2));
-    }
-    async persistDraftObservation(obs) {
-        const filePath = path.join(this.storageDir, 'drafts', `${obs.draftId}_${obs.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(obs, null, 2));
-    }
-    async persistAccessLog(log) {
-        const filePath = path.join(this.storageDir, 'access', `${log.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(log, null, 2));
-    }
-    async persistFilterObservation(obs) {
-        const filePath = path.join(this.storageDir, 'filters', `${obs.filterId}_${obs.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(obs, null, 2));
-    }
-    async createFinding(params) {
-        const finding = {
-            id: crypto.randomUUID(),
-            timestamp: new Date().toISOString(),
-            vector: params.vector,
-            severity: params.severity,
-            title: params.title,
-            description: params.description,
-            technicalDetails: params.technicalDetails,
-            evidenceIds: params.evidenceIds,
-            legalImplications: this.getLegalImplications(params.vector, params.severity),
-            hash: '',
-        };
-        finding.hash = hashString(JSON.stringify({
-            id: finding.id,
-            timestamp: finding.timestamp,
-            vector: finding.vector,
-            title: finding.title,
-        }));
-        this.findings.push(finding);
-        await fs.writeFile(path.join(this.storageDir, 'findings', `${finding.id}.json`), JSON.stringify(finding, null, 2));
-        return finding;
-    }
-    getLegalImplications(vector, severity) {
-        const implications = {
-            gmail_hidden_threads: {
-                fraudType: 'DATA_MANIPULATION',
-                applicableLaws: [
-                    '15 U.S.C. § 45 - FTC Act Section 5 (Unfair or Deceptive Practices)',
-                    '18 U.S.C. § 1030 - Computer Fraud and Abuse Act',
-                    '18 U.S.C. § 2701 - Stored Communications Act',
-                ],
-                potentialDamages: 'Hidden communications may have caused missed opportunities, damaged relationships, or prevented awareness of important information.',
-                recommendations: [
-                    'Document all hidden threads with timestamps',
-                    'Export via Google Takeout for comparison',
-                    'File FTC complaint',
-                    'Consider class action for pattern of behavior',
-                ],
-            },
-            gmail_draft_manipulation: {
-                fraudType: 'UNAUTHORIZED_ACCESS',
-                applicableLaws: [
-                    '18 U.S.C. § 1030 - Computer Fraud and Abuse Act',
-                    '18 U.S.C. § 2511 - Wiretap Act (if communications altered)',
-                    '18 U.S.C. § 1343 - Wire Fraud',
-                ],
-                potentialDamages: 'Manipulation of drafts could send unauthorized communications, damage reputation, or expose confidential information.',
-                recommendations: [
-                    'Preserve all draft observation evidence',
-                    'Document timeline of changes',
-                    'File complaint with state AG',
-                ],
-            },
-            gmail_unauthorized_access: {
-                fraudType: 'UNAUTHORIZED_ACCESS',
-                applicableLaws: [
-                    '18 U.S.C. § 1030 - Computer Fraud and Abuse Act',
-                    '18 U.S.C. § 2701 - Stored Communications Act',
-                    'Cal. Penal Code § 502 - Computer Crimes',
-                ],
-                potentialDamages: 'Unauthorized access enables surveillance, data theft, and manipulation of user communications.',
-                recommendations: [
-                    'Document all access logs',
-                    'Enable additional security measures',
-                    'File with FBI IC3 if pattern detected',
-                ],
-            },
-            gmail_filter_tampering: {
-                fraudType: 'DATA_MANIPULATION',
-                applicableLaws: [
-                    '15 U.S.C. § 45 - FTC Act Section 5',
-                    '18 U.S.C. § 1030 - CFAA',
-                ],
-                potentialDamages: 'Unauthorized filters can hide important communications, delete evidence, or forward sensitive data.',
-                recommendations: [
-                    'Document all filters and creation dates',
-                    'Remove unauthorized filters',
-                    'Monitor for re-creation',
-                ],
-            },
-        };
-        return implications[vector] || {
-            fraudType: 'UNKNOWN',
-            applicableLaws: ['15 U.S.C. § 45 - FTC Act Section 5'],
-            potentialDamages: 'To be determined based on specific circumstances.',
-            recommendations: ['Document all evidence', 'Consult legal counsel'],
-        };
-    }
-    getFindings() {
-        return [...this.findings];
-    }
-    getThreadObservations(threadId) {
-        return this.threadObservations.get(threadId) || [];
-    }
-    getDraftObservations(draftId) {
-        return this.draftObservations.get(draftId) || [];
-    }
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// CHROME INVESTIGATION ENGINE
-// ═══════════════════════════════════════════════════════════════════════════════
-export class ChromeInvestigationEngine {
-    storageDir;
-    processObservations = [];
-    sessionObservations = new Map();
-    historyObservations = [];
-    findings = [];
-    constructor(storageDir) {
-        this.storageDir = path.join(storageDir, 'chrome-investigation');
-    }
-    async initialize() {
-        await fs.mkdir(this.storageDir, { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'processes'), { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'sessions'), { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'history'), { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'findings'), { recursive: true });
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Process Monitoring (Unauthorized Launch Detection)
-    // ─────────────────────────────────────────────────────────────────────────────
-    /**
-     * Record Chrome process observation.
-     * Detect unauthorized browser launches.
-     */
-    async recordProcessObservation(params) {
-        const now = new Date().toISOString();
-        // Analyze launch source
-        let launchSource = 'unknown';
-        let suspicionLevel = 'normal';
-        let reason;
-        // Check command line for suspicious flags
-        const cmdLine = params.commandLine.join(' ').toLowerCase();
-        if (cmdLine.includes('--remote-debugging') ||
-            cmdLine.includes('--headless') ||
-            cmdLine.includes('--disable-gpu') && cmdLine.includes('--no-sandbox')) {
-            launchSource = 'script';
-            suspicionLevel = 'suspicious';
-            reason = 'Automation/debugging flags detected';
-        }
-        if (cmdLine.includes('--user-data-dir=/tmp') ||
-            cmdLine.includes('--user-data-dir=/var')) {
-            suspicionLevel = 'highly_suspicious';
-            reason = 'Temporary profile directory - likely automated session';
-        }
-        if (!params.userInitiated) {
-            suspicionLevel = suspicionLevel === 'normal' ? 'suspicious' : 'highly_suspicious';
-            reason = (reason ? reason + '; ' : '') + 'Not user-initiated';
-            launchSource = 'remote';
-        }
-        // Check for Google remote connections
-        const googleConnections = params.networkConnections?.filter(c => c.remoteIp.startsWith('172.217.') ||
-            c.remoteIp.startsWith('142.250.') ||
-            c.remoteIp.startsWith('74.125.')) || [];
-        if (googleConnections.length > 0 && !params.userInitiated) {
-            suspicionLevel = 'highly_suspicious';
-            reason = (reason ? reason + '; ' : '') + 'Connections to Google infrastructure without user action';
-        }
-        const observation = {
-            id: crypto.randomUUID(),
-            timestamp: now,
-            pid: params.pid,
-            parentPid: params.parentPid,
-            commandLine: params.commandLine,
-            profilePath: params.profilePath,
-            startTime: params.startTime,
-            userInitiated: params.userInitiated,
-            launchSource,
-            suspicionLevel,
-            reason,
-            networkConnections: params.networkConnections,
-            hash: '',
-        };
-        observation.hash = hashString(JSON.stringify({
-            id: observation.id,
-            pid: observation.pid,
-            commandLine: observation.commandLine,
-            startTime: observation.startTime,
-            userInitiated: observation.userInitiated,
-        }));
-        this.processObservations.push(observation);
-        await this.persistProcessObservation(observation);
-        let finding;
-        if (suspicionLevel !== 'normal') {
-            finding = await this.createFinding({
-                vector: 'chrome_unauthorized_launch',
-                severity: suspicionLevel === 'highly_suspicious' ? 'critical' : 'high',
-                title: 'Unauthorized Chrome launch detected',
-                description: `Chrome process ${params.pid} launched without user action. ${reason}`,
-                technicalDetails: {
-                    pid: params.pid,
-                    parentPid: params.parentPid,
-                    commandLine: params.commandLine,
-                    profilePath: params.profilePath,
-                    startTime: params.startTime,
-                    launchSource,
-                    networkConnections: googleConnections,
-                },
-                evidenceIds: [observation.id],
-            });
-        }
-        return { observation, finding };
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Session Monitoring (Session Hijacking Detection)
-    // ─────────────────────────────────────────────────────────────────────────────
-    /**
-     * Record Chrome session state.
-     * Detect session hijacking and unauthorized modifications.
-     */
-    async recordSessionObservation(params) {
-        const now = new Date().toISOString();
-        const anomalies = [];
-        // Get previous session state
-        const previous = this.sessionObservations.get(params.profileId) || [];
-        const lastSession = previous[previous.length - 1];
-        if (lastSession) {
-            // Check for unexpected tabs
-            const newTabs = params.tabs.filter(t => !lastSession.tabs.find(lt => lt.tabId === t.tabId));
-            for (const tab of newTabs) {
-                // Check if tab URL is suspicious
-                if (tab.url.includes('google.com/') &&
-                    new Date(tab.createdAt) > new Date(lastSession.timestamp)) {
-                    anomalies.push({
-                        type: 'unexpected_tab',
-                        severity: 'medium',
-                        description: `New tab opened to ${tab.url} without user action`,
-                        evidence: JSON.stringify(tab),
-                    });
-                }
-            }
-            // Check for cookie changes
-            const newCookies = params.cookies.filter(c => !lastSession.cookies.find(lc => lc.domain === c.domain && lc.name === c.name && lc.valueHash === c.valueHash));
-            const sensitiveDomains = ['accounts.google.com', 'myaccount.google.com', 'mail.google.com'];
-            for (const cookie of newCookies) {
-                if (sensitiveDomains.some(d => cookie.domain.includes(d))) {
-                    anomalies.push({
-                        type: 'cookie_injection',
-                        severity: 'high',
-                        description: `Cookie modified for ${cookie.domain}:${cookie.name}`,
-                        evidence: JSON.stringify(cookie),
-                    });
-                }
-            }
-            // Check for sync without user action
-            if (lastSession.syncStatus === 'local_only' && params.syncStatus === 'synced') {
-                anomalies.push({
-                    type: 'sync_without_user',
-                    severity: 'high',
-                    description: 'Sync enabled without user action',
-                    evidence: `Last sync: ${params.lastSyncTime}`,
-                });
-            }
-        }
-        const observation = {
-            id: crypto.randomUUID(),
-            timestamp: now,
-            profileId: params.profileId,
-            tabs: params.tabs,
-            cookies: params.cookies,
-            localStorage: params.localStorage,
-            syncStatus: params.syncStatus,
-            lastSyncTime: params.lastSyncTime,
-            anomalies,
-            hash: '',
-        };
-        observation.hash = hashString(JSON.stringify({
-            id: observation.id,
-            timestamp: observation.timestamp,
-            profileId: observation.profileId,
-            tabCount: observation.tabs.length,
-            cookieCount: observation.cookies.length,
-            anomalyCount: observation.anomalies.length,
-        }));
-        previous.push(observation);
-        this.sessionObservations.set(params.profileId, previous);
-        await this.persistSessionObservation(observation);
-        let finding;
-        if (anomalies.length > 0) {
-            const criticalAnomalies = anomalies.filter(a => a.severity === 'high' || a.severity === 'critical');
-            finding = await this.createFinding({
-                vector: 'chrome_session_hijacking',
-                severity: criticalAnomalies.length > 0 ? 'critical' : 'high',
-                title: `Session anomalies detected: ${anomalies.length} issues`,
-                description: anomalies.map(a => a.description).join('; '),
-                technicalDetails: {
-                    profileId: params.profileId,
-                    anomalies,
-                    tabCount: params.tabs.length,
-                    syncStatus: params.syncStatus,
-                },
-                evidenceIds: [observation.id],
-            });
-        }
-        return { observation, anomalies, finding };
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // History Monitoring
-    // ─────────────────────────────────────────────────────────────────────────────
-    /**
-     * Record Chrome history state.
-     * Detect unauthorized deletions or additions.
-     */
-    async recordHistoryObservation(params) {
-        const now = new Date().toISOString();
-        // Compare with previous observation
-        const lastObs = this.historyObservations[this.historyObservations.length - 1];
-        const deletedEntries = [];
-        const unexpectedEntries = [];
-        if (lastObs && params.entryCount < lastObs.entryCount) {
-            // History was deleted
-            deletedEntries.push({
-                approximateTime: now,
-                entriesAffected: lastObs.entryCount - params.entryCount,
-                userInitiated: false, // cannot determine
-            });
-        }
-        // Check for suspicious entries (e.g., visits to Google services during sleep)
-        for (const entry of params.entries) {
-            const visitDate = new Date(entry.visitTime);
-            const hour = visitDate.getHours();
-            // Suspicious: visits between 2-5 AM to Google properties
-            if (hour >= 2 && hour <= 5 &&
-                (entry.url.includes('google.com') || entry.url.includes('googleapis.com'))) {
-                unexpectedEntries.push({
-                    url: entry.url,
-                    visitTime: entry.visitTime,
-                    transitionType: entry.transitionType,
-                    suspicionReason: 'Visit during inactive hours to Google service',
-                });
-            }
-            // Suspicious: typed_url transition type but user wasn't active
-            if (entry.transitionType === 'typed' &&
-                entry.url.includes('myaccount.google.com')) {
-                unexpectedEntries.push({
-                    url: entry.url,
-                    visitTime: entry.visitTime,
-                    transitionType: entry.transitionType,
-                    suspicionReason: 'Direct navigation to Google account page',
-                });
-            }
-        }
-        const observation = {
-            id: crypto.randomUUID(),
-            timestamp: now,
-            captureMethod: params.captureMethod,
-            entryCount: params.entryCount,
-            dateRange: params.dateRange,
-            deletedEntries: deletedEntries.length > 0 ? deletedEntries : undefined,
-            unexpectedEntries: unexpectedEntries.length > 0 ? unexpectedEntries : undefined,
-            hash: '',
-        };
-        observation.hash = hashString(JSON.stringify({
-            id: observation.id,
-            timestamp: observation.timestamp,
-            entryCount: observation.entryCount,
-            deletedCount: deletedEntries.length,
-            unexpectedCount: unexpectedEntries.length,
-        }));
-        this.historyObservations.push(observation);
-        await this.persistHistoryObservation(observation);
-        let finding;
-        if (deletedEntries.length > 0 || unexpectedEntries.length > 0) {
-            finding = await this.createFinding({
-                vector: 'chrome_history_manipulation',
-                severity: deletedEntries.length > 0 ? 'high' : 'medium',
-                title: 'Browser history anomalies detected',
-                description: `${deletedEntries.length > 0 ? `${deletedEntries[0].entriesAffected} entries deleted. ` : ''}${unexpectedEntries.length > 0 ? `${unexpectedEntries.length} suspicious entries found.` : ''}`,
-                technicalDetails: {
-                    deletedEntries,
-                    unexpectedEntries,
-                    totalEntries: params.entryCount,
-                    dateRange: params.dateRange,
-                },
-                evidenceIds: [observation.id],
-            });
-        }
-        return { observation, finding };
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Persistence
-    // ─────────────────────────────────────────────────────────────────────────────
-    async persistProcessObservation(obs) {
-        const filePath = path.join(this.storageDir, 'processes', `${obs.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(obs, null, 2));
-    }
-    async persistSessionObservation(obs) {
-        const filePath = path.join(this.storageDir, 'sessions', `${obs.profileId}_${obs.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(obs, null, 2));
-    }
-    async persistHistoryObservation(obs) {
-        const filePath = path.join(this.storageDir, 'history', `${obs.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(obs, null, 2));
-    }
-    async createFinding(params) {
-        const finding = {
-            id: crypto.randomUUID(),
-            timestamp: new Date().toISOString(),
-            vector: params.vector,
-            severity: params.severity,
-            title: params.title,
-            description: params.description,
-            technicalDetails: params.technicalDetails,
-            evidenceIds: params.evidenceIds,
-            legalImplications: this.getLegalImplications(params.vector),
-            hash: '',
-        };
-        finding.hash = hashString(JSON.stringify({
-            id: finding.id,
-            timestamp: finding.timestamp,
-            vector: finding.vector,
-            title: finding.title,
-        }));
-        this.findings.push(finding);
-        await fs.writeFile(path.join(this.storageDir, 'findings', `${finding.id}.json`), JSON.stringify(finding, null, 2));
-        return finding;
-    }
-    getLegalImplications(vector) {
-        const implications = {
-            chrome_unauthorized_launch: {
-                fraudType: 'UNAUTHORIZED_ACCESS',
-                applicableLaws: [
-                    '18 U.S.C. § 1030 - Computer Fraud and Abuse Act',
-                    '18 U.S.C. § 2511 - Wiretap Act',
-                    'Cal. Penal Code § 502 - Computer Crimes',
-                ],
-                potentialDamages: 'Unauthorized browser launches can enable surveillance, credential theft, and remote control of user system.',
-                recommendations: [
-                    'Monitor Chrome process launches',
-                    'Document all unauthorized launches',
-                    'Consider disabling Chrome sync',
-                    'Use alternative browser for sensitive activities',
-                ],
-            },
-            chrome_session_hijacking: {
-                fraudType: 'UNAUTHORIZED_ACCESS',
-                applicableLaws: [
-                    '18 U.S.C. § 1030 - CFAA',
-                    '18 U.S.C. § 1029 - Access Device Fraud',
-                ],
-                potentialDamages: 'Session hijacking enables impersonation, data theft, and unauthorized actions on user accounts.',
-                recommendations: [
-                    'Document session anomalies',
-                    'Clear cookies and re-authenticate',
-                    'Enable 2FA on all accounts',
-                ],
-            },
-            chrome_history_manipulation: {
-                fraudType: 'DATA_MANIPULATION',
-                applicableLaws: [
-                    '18 U.S.C. § 1030 - CFAA',
-                    '15 U.S.C. § 45 - FTC Act',
-                ],
-                potentialDamages: 'History manipulation can hide evidence of surveillance or unauthorized access.',
-                recommendations: [
-                    'Export history regularly',
-                    'Compare with network logs',
-                    'Document deletions',
-                ],
-            },
-        };
-        return implications[vector] || {
-            fraudType: 'UNKNOWN',
-            applicableLaws: ['18 U.S.C. § 1030 - CFAA'],
-            potentialDamages: 'To be determined.',
-            recommendations: ['Document all evidence'],
-        };
-    }
-    getFindings() {
-        return [...this.findings];
-    }
-    getProcessObservations() {
-        return [...this.processObservations];
-    }
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// UNIFIED FRAUD INVESTIGATION ORCHESTRATOR
-// ═══════════════════════════════════════════════════════════════════════════════
-export class UnifiedFraudOrchestrator extends EventEmitter {
-    storageDir;
-    integrityEngine;
-    iMessageEngine;
-    gmailEngine;
-    chromeEngine;
-    investigations = new Map();
-    correlations = [];
-    constructor(workingDir = process.cwd()) {
-        super();
-        this.storageDir = path.join(workingDir, '.erosolar', 'investigations');
-        this.integrityEngine = new IntegrityVerificationEngine({
-            storageDir: path.join(this.storageDir, 'integrity'),
-            algorithm: 'sha256',
-        });
-        this.iMessageEngine = new iMessageVerificationEngine({
-            storageDir: this.storageDir,
-        });
-        this.gmailEngine = new GmailInvestigationEngine(this.storageDir);
-        this.chromeEngine = new ChromeInvestigationEngine(this.storageDir);
-    }
-    async initialize() {
-        await fs.mkdir(this.storageDir, { recursive: true });
-        await this.iMessageEngine.initialize();
-        await this.gmailEngine.initialize();
-        await this.chromeEngine.initialize();
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Investigation Management
-    // ─────────────────────────────────────────────────────────────────────────────
-    async createInvestigation(params) {
-        const now = new Date().toISOString();
-        // Create evidence chain for this investigation
-        const evidenceChain = await this.integrityEngine.createChain();
-        const investigation = {
-            id: crypto.randomUUID(),
-            name: params.name,
-            target: params.target,
-            vectors: params.vectors,
-            status: 'planning',
-            created: now,
-            lastActivity: now,
-            evidenceChainId: evidenceChain.id,
-            findings: [],
-            correlations: [],
-            hash: '',
-        };
-        investigation.hash = hashString(JSON.stringify({
-            id: investigation.id,
-            name: investigation.name,
-            target: investigation.target,
-            vectors: investigation.vectors,
-            created: investigation.created,
-        }));
-        this.investigations.set(investigation.id, investigation);
-        await this.persistInvestigation(investigation);
-        this.emit('investigation:created', investigation);
-        return investigation;
-    }
-    async updateInvestigationStatus(investigationId, status) {
-        const investigation = this.investigations.get(investigationId);
-        if (!investigation) {
-            throw new Error(`Investigation not found: ${investigationId}`);
-        }
-        investigation.status = status;
-        investigation.lastActivity = new Date().toISOString();
-        await this.persistInvestigation(investigation);
-        this.emit('investigation:updated', investigation);
-        return investigation;
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Engine Access
-    // ─────────────────────────────────────────────────────────────────────────────
-    getIMessageEngine() {
-        return this.iMessageEngine;
-    }
-    getGmailEngine() {
-        return this.gmailEngine;
-    }
-    getChromeEngine() {
-        return this.chromeEngine;
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Cross-Engine Correlation
-    // ─────────────────────────────────────────────────────────────────────────────
-    /**
-     * Correlate findings across different fraud vectors.
-     * Detect patterns that indicate coordinated manipulation.
-     */
-    async correlateFindings(investigationId) {
-        const investigation = this.investigations.get(investigationId);
-        if (!investigation) {
-            throw new Error(`Investigation not found: ${investigationId}`);
-        }
-        const newCorrelations = [];
-        // Gather all findings
-        const iMessageEvidence = this.iMessageEngine.getEvidenceRecords();
-        const gmailFindings = this.gmailEngine.getFindings();
-        const chromeFindings = this.chromeEngine.getFindings();
-        const allFindings = [...gmailFindings, ...chromeFindings];
-        // Temporal correlation: events happening within short timeframe
-        const sortedFindings = allFindings.sort((a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime());
-        for (let i = 0; i < sortedFindings.length - 1; i++) {
-            const f1 = sortedFindings[i];
-            const f2 = sortedFindings[i + 1];
-            const timeDiff = new Date(f2.timestamp).getTime() - new Date(f1.timestamp).getTime();
-            // If events within 5 minutes, likely correlated
-            if (timeDiff < 5 * 60 * 1000 && f1.vector !== f2.vector) {
-                const correlation = {
-                    id: crypto.randomUUID(),
-                    timestamp: new Date().toISOString(),
-                    findingIds: [f1.id, f2.id],
-                    correlationType: 'temporal',
-                    description: `${f1.vector} and ${f2.vector} events occurred within ${Math.round(timeDiff / 1000)} seconds`,
-                    confidence: timeDiff < 60000 ? 0.9 : 0.7, // Higher confidence if within 1 minute
-                    implications: 'Events occurring in close temporal proximity across different services may indicate coordinated manipulation.',
-                    hash: '',
-                };
-                correlation.hash = hashString(JSON.stringify({
-                    id: correlation.id,
-                    findingIds: correlation.findingIds,
-                    correlationType: correlation.correlationType,
-                }));
-                newCorrelations.push(correlation);
-            }
-        }
-        // Behavioral correlation: Chrome launch + Gmail access
-        const chromeLaunches = chromeFindings.filter(f => f.vector === 'chrome_unauthorized_launch');
-        const gmailAccess = gmailFindings.filter(f => f.vector === 'gmail_unauthorized_access');
-        for (const launch of chromeLaunches) {
-            for (const access of gmailAccess) {
-                const launchTime = new Date(launch.timestamp).getTime();
-                const accessTime = new Date(access.timestamp).getTime();
-                if (Math.abs(accessTime - launchTime) < 10 * 60 * 1000) { // Within 10 minutes
-                    const correlation = {
-                        id: crypto.randomUUID(),
-                        timestamp: new Date().toISOString(),
-                        findingIds: [launch.id, access.id],
-                        correlationType: 'behavioral',
-                        description: 'Chrome unauthorized launch followed by Gmail access - browser used to access email',
-                        confidence: 0.85,
-                        implications: 'This pattern suggests Google is using Chrome to access Gmail without user consent, enabling surveillance and manipulation.',
-                        hash: '',
-                    };
-                    correlation.hash = hashString(JSON.stringify({
-                        id: correlation.id,
-                        findingIds: correlation.findingIds,
-                    }));
-                    newCorrelations.push(correlation);
-                }
-            }
-        }
-        // Cross-platform correlation: iMessage + Gmail (both companies may share data)
-        for (const imEvidence of iMessageEvidence) {
-            for (const gmailFinding of gmailFindings) {
-                const imTime = new Date(imEvidence.timestamp).getTime();
-                const gmailTime = new Date(gmailFinding.timestamp).getTime();
-                if (Math.abs(gmailTime - imTime) < 60 * 60 * 1000) { // Within 1 hour
-                    const correlation = {
-                        id: crypto.randomUUID(),
-                        timestamp: new Date().toISOString(),
-                        findingIds: [imEvidence.id, gmailFinding.id],
-                        correlationType: 'pattern',
-                        description: `Apple iMessage (${imEvidence.evidenceType}) and Google Gmail (${gmailFinding.vector}) events within 1 hour`,
-                        confidence: 0.5, // Lower confidence for cross-platform
-                        implications: 'Coordinated manipulation across Apple and Google platforms may indicate data sharing or parallel surveillance operations.',
-                        hash: '',
-                    };
-                    correlation.hash = hashString(JSON.stringify({
-                        id: correlation.id,
-                        findingIds: correlation.findingIds,
-                    }));
-                    newCorrelations.push(correlation);
-                }
-            }
-        }
-        // Store correlations
-        for (const correlation of newCorrelations) {
-            this.correlations.push(correlation);
-            investigation.correlations.push(correlation);
-        }
-        await this.persistInvestigation(investigation);
-        return newCorrelations;
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Reporting
-    // ─────────────────────────────────────────────────────────────────────────────
-    async generateUnifiedReport(investigationId) {
-        const investigation = this.investigations.get(investigationId);
-        if (!investigation) {
-            throw new Error(`Investigation not found: ${investigationId}`);
-        }
-        // Gather all findings
-        const gmailFindings = this.gmailEngine.getFindings();
-        const chromeFindings = this.chromeEngine.getFindings();
-        const iMessageEvidence = this.iMessageEngine.getEvidenceRecords();
-        // Convert iMessage evidence to findings format
-        const iMessageFindings = iMessageEvidence.map(e => ({
-            id: e.id,
-            timestamp: e.timestamp,
-            vector: e.evidenceType === 'key_substitution' ? 'imessage_key_substitution' :
-                e.evidenceType === 'mitm_detected' ? 'imessage_false_e2e' :
-                    'imessage_false_e2e',
-            severity: e.severity === 'irrefutable' ? 'critical' :
-                e.severity === 'confirmed' ? 'critical' : 'high',
-            title: e.summary,
-            description: e.technicalDetails.discrepancy,
-            technicalDetails: e.technicalDetails,
-            evidenceIds: e.supportingEvidence,
-            legalImplications: {
-                fraudType: e.legalImplications.fraudType,
-                applicableLaws: e.legalImplications.applicableLaws,
-                potentialDamages: e.legalImplications.damages,
-                recommendations: [],
-            },
-            hash: e.hash,
-        }));
-        const allFindings = [...gmailFindings, ...chromeFindings, ...iMessageFindings];
-        // Organize by vector
-        const byVector = {};
-        for (const finding of allFindings) {
-            if (!byVector[finding.vector]) {
-                byVector[finding.vector] = { findings: [], severity: 'low' };
-            }
-            byVector[finding.vector].findings.push(finding);
-            // Update severity to max
-            const severityOrder = ['low', 'medium', 'high', 'critical'];
-            if (severityOrder.indexOf(finding.severity) > severityOrder.indexOf(byVector[finding.vector].severity)) {
-                byVector[finding.vector].severity = finding.severity;
-            }
-        }
-        // Legal summary
-        const fraudTypes = [...new Set(allFindings.map(f => f.legalImplications.fraudType))];
-        const applicableLaws = [...new Set(allFindings.flatMap(f => f.legalImplications.applicableLaws))];
-        const recommendations = [...new Set(allFindings.flatMap(f => f.legalImplications.recommendations))];
-        // Claims
-        const claims = {};
-        if (investigation.target === 'apple' || iMessageFindings.length > 0) {
-            claims.apple = APPLE_PQ3_CLAIMS;
-        }
-        if (investigation.target === 'google' || gmailFindings.length > 0) {
-            claims.google_gmail = GOOGLE_GMAIL_CLAIMS;
-        }
-        if (investigation.target === 'google' || chromeFindings.length > 0) {
-            claims.google_chrome = GOOGLE_CHROME_CLAIMS;
-        }
-        return {
-            investigation,
-            summary: {
-                target: investigation.target,
-                vectorsInvestigated: investigation.vectors,
-                totalFindings: allFindings.length,
-                criticalFindings: allFindings.filter(f => f.severity === 'critical').length,
-                correlations: this.correlations.filter(c => c.findingIds.some(id => allFindings.find(f => f.id === id))).length,
-            },
-            byVector: byVector,
-            correlations: this.correlations,
-            legalSummary: {
-                fraudTypes,
-                applicableLaws,
-                recommendations,
-            },
-            claims,
-        };
-    }
-    async exportForLitigation(investigationId, outputDir) {
-        const report = await this.generateUnifiedReport(investigationId);
-        const exportDir = path.join(outputDir, `investigation-${investigationId}-${Date.now()}`);
-        await fs.mkdir(exportDir, { recursive: true });
-        // Export report
-        await fs.writeFile(path.join(exportDir, 'unified-report.json'), JSON.stringify(report, null, 2));
-        // Export iMessage evidence
-        const iMessageExport = await this.iMessageEngine.exportForLitigation(exportDir);
-        // Generate legal summary document
-        await fs.writeFile(path.join(exportDir, 'legal-summary.md'), this.generateLegalDocument(report));
-        return exportDir;
-    }
-    generateLegalDocument(report) {
-        return `# Unified Tech Fraud Investigation Report
-
-## Investigation: ${report.investigation.name}
-**ID:** ${report.investigation.id}
-**Target:** ${report.investigation.target.toUpperCase()}
-**Status:** ${report.investigation.status}
-**Created:** ${report.investigation.created}
-
----
-
-## Executive Summary
-
-This report documents a comprehensive investigation into potential fraud and manipulation
-by ${report.investigation.target.toUpperCase()} across ${report.summary.vectorsInvestigated.length} attack vectors.
-
-### Key Metrics
-- **Total Findings:** ${report.summary.totalFindings}
-- **Critical Findings:** ${report.summary.criticalFindings}
-- **Cross-Vector Correlations:** ${report.summary.correlations}
-
----
-
-## Findings by Attack Vector
-
-${Object.entries(report.byVector).map(([vector, data]) => `
-### ${vector.replace(/_/g, ' ').toUpperCase()}
-**Severity Level:** ${data.severity.toUpperCase()}
-**Finding Count:** ${data.findings.length}
-
-${data.findings.map(f => `
-#### ${f.title}
-- **Severity:** ${f.severity}
-- **Timestamp:** ${f.timestamp}
-- **Description:** ${f.description}
-- **Legal Basis:** ${f.legalImplications.applicableLaws.join(', ')}
-`).join('\n')}
-`).join('\n')}
-
----
-
-## Cross-Vector Correlations
-
-${report.correlations.length > 0 ? report.correlations.map(c => `
-### Correlation: ${c.correlationType}
-**Confidence:** ${(c.confidence * 100).toFixed(0)}%
-**Description:** ${c.description}
-**Implications:** ${c.implications}
-`).join('\n') : 'No correlations detected.'}
-
----
-
-## Legal Analysis
-
-### Fraud Types Identified
-${report.legalSummary.fraudTypes.map(t => `- ${t}`).join('\n')}
-
-### Applicable Laws
-${report.legalSummary.applicableLaws.map(l => `- ${l}`).join('\n')}
-
-### Recommended Actions
-${report.legalSummary.recommendations.map(r => `- ${r}`).join('\n')}
-
----
-
-## Company Claims vs. Reality
-
-${report.claims.apple ? `
-### Apple iMessage PQ3 Claims
-${Object.entries(report.claims.apple).map(([key, data]) => `
-**${key.replace(/_/g, ' ')}**
-- Claim: "${data.claim}"
-- Source: ${data.source}
-- Verifiable: ${data.verifiable}
-- Reality: ${data.reason}
-`).join('\n')}
-` : ''}
-
-${report.claims.google_gmail ? `
-### Google Gmail Claims
-${Object.entries(report.claims.google_gmail).map(([key, data]) => `
-**${key.replace(/_/g, ' ')}**
-- Claim: "${data.claim}"
-- Source: ${data.source}
-- Verifiable: ${data.verifiable}
-- Reality: ${data.reason}
-`).join('\n')}
-` : ''}
-
-${report.claims.google_chrome ? `
-### Google Chrome Claims
-${Object.entries(report.claims.google_chrome).map(([key, data]) => `
-**${key.replace(/_/g, ' ')}**
-- Claim: "${data.claim}"
-- Source: ${data.source}
-- Verifiable: ${data.verifiable}
-- Reality: ${data.reason}
-`).join('\n')}
-` : ''}
-
----
-
-## Conclusion
-
-This investigation has documented ${report.summary.totalFindings} findings of potential fraud and manipulation,
-including ${report.summary.criticalFindings} critical severity issues. The evidence collected herein
-demonstrates patterns of behavior that contradict the public claims made by ${report.investigation.target.toUpperCase()}.
-
----
-
-*Generated by erosolar-cli Unified Fraud Investigation Orchestrator*
-*Report Hash: ${hashString(JSON.stringify(report))}*
-`;
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Persistence
-    // ─────────────────────────────────────────────────────────────────────────────
-    async persistInvestigation(investigation) {
-        const filePath = path.join(this.storageDir, `${investigation.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(investigation, null, 2));
-    }
-    async loadInvestigation(investigationId) {
-        try {
-            const filePath = path.join(this.storageDir, `${investigationId}.json`);
-            const data = await fs.readFile(filePath, 'utf8');
-            const investigation = JSON.parse(data);
-            this.investigations.set(investigation.id, investigation);
-            return investigation;
-        }
-        catch {
-            return null;
-        }
-    }
-    getInvestigations() {
-        return [...this.investigations.values()];
-    }
-}
-// ─────────────────────────────────────────────────────────────────────────────
-// GOOGLE ATTACK CHAINS
-// ─────────────────────────────────────────────────────────────────────────────
-export const GOOGLE_SURVEILLANCE_CHAIN = {
-    id: 'google-surveillance-chain',
-    name: 'Google Cross-Service Surveillance Chain',
-    target: 'google',
-    description: `Google leverages Chrome browser control to access Gmail and exfiltrate user data.
-    This chain demonstrates coordinated use of multiple Google services to conduct surveillance.`,
-    steps: [
-        {
-            id: 'gs-1-chrome-recon',
-            phase: 'reconnaissance',
-            name: 'Chrome Profile Reconnaissance',
-            description: 'Chrome syncs profile data including history, bookmarks, and saved passwords to Google servers',
-            indicators: [
-                'Chrome sync enabled without explicit user action',
-                'Profile data transmitted to Google servers',
-                'History data available in Google My Activity',
-            ],
-            requiredPriorSteps: [],
-            vectors: ['chrome_session_hijacking'],
-            detectionMethods: [
-                'Monitor Chrome sync settings and activity',
-                'Compare local profile data with My Activity',
-                'Network analysis of Chrome sync traffic',
-            ],
-        },
-        {
-            id: 'gs-2-chrome-launch',
-            phase: 'initial_access',
-            name: 'Unauthorized Chrome Launch',
-            description: 'Chrome is launched without user action, possibly with automation flags',
-            indicators: [
-                'Chrome process spawned without user click/command',
-                'Parent process is system service or scheduled task',
-                'Launch includes --remote-debugging or --headless flags',
-                'Launch during inactive hours (sleep time)',
-            ],
-            requiredPriorSteps: ['gs-1-chrome-recon'],
-            vectors: ['chrome_unauthorized_launch'],
-            detectionMethods: [
-                'Process monitoring with parent-child tracking',
-                'Command-line argument analysis',
-                'Launch time correlation with user activity',
-            ],
-        },
-        {
-            id: 'gs-3-session-hijack',
-            phase: 'execution',
-            name: 'Session Cookie Access',
-            description: 'Chrome session cookies are used to access Gmail without re-authentication',
-            indicators: [
-                'Gmail accessed from new Chrome process using existing cookies',
-                'No login event but Gmail activity recorded',
-                'Session tokens reused across browser instances',
-            ],
-            requiredPriorSteps: ['gs-2-chrome-launch'],
-            vectors: ['chrome_session_hijacking', 'gmail_unauthorized_access'],
-            detectionMethods: [
-                'Cookie access monitoring',
-                'Gmail access log analysis',
-                'Cross-reference Chrome launch with Gmail activity',
-            ],
-        },
-        {
-            id: 'gs-4-gmail-access',
-            phase: 'execution',
-            name: 'Gmail Content Access',
-            description: 'Gmail content is accessed - threads read, drafts examined, contacts harvested',
-            indicators: [
-                'Gmail API calls without corresponding UI activity',
-                'Thread access from Google infrastructure IPs',
-                'Unusual access patterns (bulk read, specific keyword searches)',
-            ],
-            requiredPriorSteps: ['gs-3-session-hijack'],
-            vectors: ['gmail_unauthorized_access', 'gmail_hidden_threads'],
-            detectionMethods: [
-                'API activity monitoring',
-                'Access log IP analysis',
-                'Pattern detection in access behavior',
-            ],
-        },
-        {
-            id: 'gs-5-data-manipulation',
-            phase: 'impact',
-            name: 'Data Manipulation',
-            description: 'Gmail data is modified - threads hidden, drafts altered, filters added',
-            indicators: [
-                'Threads hidden from search without user action',
-                'Draft content changed without user editing',
-                'Filters created to suppress emails',
-                'Labels modified silently',
-            ],
-            requiredPriorSteps: ['gs-4-gmail-access'],
-            vectors: ['gmail_hidden_threads', 'gmail_draft_manipulation', 'gmail_filter_tampering'],
-            detectionMethods: [
-                'Cross-reference thread visibility across access methods',
-                'Draft content hashing and monitoring',
-                'Filter audit and creation tracking',
-            ],
-        },
-        {
-            id: 'gs-6-evidence-cleanup',
-            phase: 'impact',
-            name: 'Evidence Cleanup',
-            description: 'Browser history and activity logs are modified to hide the intrusion',
-            indicators: [
-                'Chrome history entries deleted for Gmail access',
-                'My Activity entries missing for corresponding time period',
-                'Sync data inconsistent between devices',
-            ],
-            requiredPriorSteps: ['gs-4-gmail-access'],
-            vectors: ['chrome_history_manipulation'],
-            detectionMethods: [
-                'History integrity monitoring',
-                'Cross-device sync comparison',
-                'Timeline reconstruction from multiple sources',
-            ],
-        },
-    ],
-    minimumStepsForEvidence: 3,
-    legalImplications: {
-        fraudType: 'COORDINATED_SURVEILLANCE',
-        applicableLaws: [
-            '18 U.S.C. § 1030 - Computer Fraud and Abuse Act',
-            '18 U.S.C. § 2511 - Wiretap Act (interception of communications)',
-            '18 U.S.C. § 2701 - Stored Communications Act',
-            '15 U.S.C. § 45 - FTC Act Section 5 (unfair/deceptive practices)',
-            'GDPR Article 5 - Lawfulness, fairness, transparency (EU users)',
-            'Cal. Civ. Code § 1798.100 - CCPA (California users)',
-        ],
-        potentialDamages: `Coordinated cross-service surveillance enables:
-      - Comprehensive communication monitoring
-      - Behavioral profiling and prediction
-      - Selective information suppression
-      - Evidence destruction capability
-      - Complete loss of privacy for all Google-connected services`,
-        recommendations: [
-            'Document complete attack chain with timestamps',
-            'Preserve evidence from all affected services',
-            'File FTC complaint for coordinated deceptive practices',
-            'Consider class action for pattern of behavior',
-            'Report to state AG and relevant privacy authorities',
-            'Engage forensic expert for legal proceedings',
-        ],
-    },
-};
-export const GOOGLE_DRAFT_EXPLOITATION_CHAIN = {
-    id: 'google-draft-exploitation-chain',
-    name: 'Gmail Draft Exploitation Chain',
-    target: 'google',
-    description: `Google accesses and potentially modifies email drafts, enabling impersonation,
-    data theft, or message manipulation before the user sends.`,
-    steps: [
-        {
-            id: 'gd-1-draft-access',
-            phase: 'reconnaissance',
-            name: 'Draft Content Surveillance',
-            description: 'Drafts are read and indexed by Google servers',
-            indicators: [
-                'Draft content appears in search suggestions',
-                'Ads target draft content before send',
-                'Draft metadata synced to Google servers',
-            ],
-            requiredPriorSteps: [],
-            vectors: ['gmail_draft_manipulation'],
-            detectionMethods: [
-                'Draft content keyword tracking',
-                'Ad targeting correlation',
-                'Network traffic analysis',
-            ],
-        },
-        {
-            id: 'gd-2-draft-modification',
-            phase: 'execution',
-            name: 'Unauthorized Draft Modification',
-            description: 'Draft content, recipients, or subject is modified without user action',
-            indicators: [
-                'Draft body hash changes between observations',
-                'Recipients added without user editing',
-                'Subject line altered',
-                'Attachments added or removed',
-            ],
-            requiredPriorSteps: ['gd-1-draft-access'],
-            vectors: ['gmail_draft_manipulation'],
-            detectionMethods: [
-                'Continuous draft hashing',
-                'Recipient count monitoring',
-                'Attachment enumeration',
-            ],
-        },
-        {
-            id: 'gd-3-draft-send',
-            phase: 'impact',
-            name: 'Unauthorized Draft Send',
-            description: 'Draft is sent without user action, potentially with modifications',
-            indicators: [
-                'Sent message timestamp does not correlate with user activity',
-                'Sent from IP address not associated with user',
-                'User was not active at send time',
-            ],
-            requiredPriorSteps: ['gd-1-draft-access'],
-            vectors: ['gmail_draft_manipulation'],
-            detectionMethods: [
-                'Send event correlation with user activity',
-                'IP address analysis',
-                'Device activity monitoring',
-            ],
-        },
-        {
-            id: 'gd-4-evidence-suppression',
-            phase: 'impact',
-            name: 'Sent Message Suppression',
-            description: 'Sent message is hidden from Sent folder or altered after sending',
-            indicators: [
-                'Message in recipient inbox differs from Sent copy',
-                'Sent message not visible in UI but exists in API',
-                'Message-ID mismatches',
-            ],
-            requiredPriorSteps: ['gd-3-draft-send'],
-            vectors: ['gmail_hidden_threads', 'gmail_draft_manipulation'],
-            detectionMethods: [
-                'Cross-reference with recipient',
-                'Sent folder integrity checking',
-                'Message-ID tracking',
-            ],
-        },
-    ],
-    minimumStepsForEvidence: 2,
-    legalImplications: {
-        fraudType: 'MAIL_FRAUD_AND_IMPERSONATION',
-        applicableLaws: [
-            '18 U.S.C. § 1343 - Wire Fraud',
-            '18 U.S.C. § 1028A - Identity Theft',
-            '18 U.S.C. § 1030 - CFAA',
-            '18 U.S.C. § 2511 - Wiretap Act',
-        ],
-        potentialDamages: `Draft exploitation enables:
-      - Email impersonation (sending as user)
-      - Business communication manipulation
-      - Relationship sabotage
-      - Evidence planting`,
-        recommendations: [
-            'Preserve all draft observations with hashes',
-            'Document modification timeline',
-            'Compare sent messages with drafts',
-            'Contact recipients to verify received content',
-        ],
-    },
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// APPLE ATTACK CHAINS
-// ─────────────────────────────────────────────────────────────────────────────
-export const APPLE_IMESSAGE_MITM_CHAIN = {
-    id: 'apple-imessage-mitm-chain',
-    name: 'Apple iMessage Man-in-the-Middle Chain',
-    target: 'apple',
-    description: `Apple exploits control of the IDS (Identity Directory Service) to substitute
-    encryption keys, enabling message interception despite PQ3 "end-to-end encryption" claims.`,
-    steps: [
-        {
-            id: 'am-1-ids-control',
-            phase: 'reconnaissance',
-            name: 'IDS Key Distribution Control',
-            description: 'Apple controls IDS servers that distribute public keys for iMessage',
-            indicators: [
-                'All iMessage key requests route through Apple IDS servers',
-                'No independent key verification mechanism',
-                'Key Transparency logs controlled by Apple',
-            ],
-            requiredPriorSteps: [],
-            vectors: ['imessage_false_e2e'],
-            detectionMethods: [
-                'Network traffic analysis to IDS endpoints',
-                'Key request interception and analysis',
-                'KT audit log verification',
-            ],
-        },
-        {
-            id: 'am-2-key-substitution',
-            phase: 'initial_access',
-            name: 'Encryption Key Substitution',
-            description: 'Apple-controlled IDS returns substitute keys instead of actual recipient keys',
-            indicators: [
-                'Key fingerprint differs from out-of-band verified key',
-                'Key changes without device change event',
-                'Multiple different keys returned for same identity',
-                'Key hash mismatch in KT logs',
-            ],
-            requiredPriorSteps: ['am-1-ids-control'],
-            vectors: ['imessage_key_substitution'],
-            detectionMethods: [
-                'Out-of-band key verification (like Signal safety numbers)',
-                'Key change monitoring over time',
-                'Multi-device key comparison',
-                'Independent KT auditing',
-            ],
-        },
-        {
-            id: 'am-3-message-interception',
-            phase: 'execution',
-            name: 'Message Decryption',
-            description: 'Messages encrypted to substitute key are decrypted by Apple',
-            indicators: [
-                'Message content known to parties other than sender/recipient',
-                'Targeted advertising based on message content',
-                'Content referenced in legal requests without device access',
-            ],
-            requiredPriorSteps: ['am-2-key-substitution'],
-            vectors: ['imessage_false_e2e'],
-            detectionMethods: [
-                'Canary message testing',
-                'Content correlation with external signals',
-                'Legal discovery analysis',
-            ],
-        },
-        {
-            id: 'am-4-message-modification',
-            phase: 'impact',
-            name: 'Message Modification/Injection',
-            description: 'Apple modifies message content or injects new messages',
-            indicators: [
-                'Message content differs between sender and recipient',
-                'Messages appear that sender did not send',
-                'Message timing anomalies',
-                'Metadata inconsistencies',
-            ],
-            requiredPriorSteps: ['am-3-message-interception'],
-            vectors: ['imessage_false_e2e'],
-            detectionMethods: [
-                'Message content comparison (sender vs recipient)',
-                'Message hash verification',
-                'Timing analysis',
-            ],
-        },
-        {
-            id: 'am-5-kt-manipulation',
-            phase: 'persistence',
-            name: 'Key Transparency Log Manipulation',
-            description: 'Apple manipulates KT logs to hide key substitution',
-            indicators: [
-                'KT log entries do not match observed keys',
-                'Log gaps or inconsistencies',
-                'No third-party KT auditors',
-                'Internal-only verification',
-            ],
-            requiredPriorSteps: ['am-2-key-substitution'],
-            vectors: ['imessage_key_substitution', 'imessage_false_e2e'],
-            detectionMethods: [
-                'Independent KT log auditing',
-                'Log integrity verification',
-                'Historical key comparison',
-            ],
-        },
-    ],
-    minimumStepsForEvidence: 2,
-    legalImplications: {
-        fraudType: 'FALSE_E2E_ENCRYPTION_CLAIMS',
-        applicableLaws: [
-            '15 U.S.C. § 45 - FTC Act Section 5 (deceptive advertising)',
-            '18 U.S.C. § 2511 - Wiretap Act',
-            '18 U.S.C. § 2701 - Stored Communications Act',
-            'Cal. Bus. & Prof. Code § 17500 - False Advertising',
-            'GDPR Article 5(1)(a) - Lawful processing (EU users)',
-        ],
-        potentialDamages: `False E2E encryption claims cause:
-      - Users believe communications are private when they are not
-      - Journalists, activists, and at-risk users are endangered
-      - Business confidential information exposed
-      - Legal privilege potentially compromised
-      - Constitutional rights (4th Amendment) circumvented`,
-        recommendations: [
-            'Document key discrepancies with cryptographic proof',
-            'Perform out-of-band verification with contacts',
-            'File FTC complaint for false advertising',
-            'Report to state AG consumer protection division',
-            'Consider class action for systematic deception',
-            'Engage security researchers for independent verification',
-        ],
-    },
-};
-export const APPLE_CONTACT_KEY_BYPASS_CHAIN = {
-    id: 'apple-contact-key-bypass-chain',
-    name: 'Apple Contact Key Verification Bypass Chain',
-    target: 'apple',
-    description: `Apple's Contact Key Verification can be bypassed or disabled, leaving users
-    vulnerable to MITM attacks while believing they are protected.`,
-    steps: [
-        {
-            id: 'ac-1-ckv-disabled',
-            phase: 'reconnaissance',
-            name: 'CKV Disabled by Default',
-            description: 'Contact Key Verification requires opt-in and is not enabled by default',
-            indicators: [
-                'CKV setting off on user devices',
-                'No prompts to enable CKV',
-                'Most contacts do not have CKV enabled',
-            ],
-            requiredPriorSteps: [],
-            vectors: ['imessage_false_e2e'],
-            detectionMethods: [
-                'Device settings audit',
-                'Contact CKV status survey',
-                'Apple documentation review',
-            ],
-        },
-        {
-            id: 'ac-2-ckv-ineffective',
-            phase: 'initial_access',
-            name: 'CKV Alert Suppression',
-            description: 'CKV alerts can be suppressed or not delivered when key substitution occurs',
-            indicators: [
-                'Key change detected but no CKV alert shown',
-                'Alert displayed after messages already sent',
-                'Alert notification easily dismissed',
-            ],
-            requiredPriorSteps: ['ac-1-ckv-disabled'],
-            vectors: ['imessage_key_substitution'],
-            detectionMethods: [
-                'Key change event vs alert correlation',
-                'Alert timing analysis',
-                'User notification log review',
-            ],
-        },
-        {
-            id: 'ac-3-forced-ckv-off',
-            phase: 'execution',
-            name: 'Remote CKV Disabling',
-            description: 'Apple can remotely disable CKV or modify its behavior via iOS updates',
-            indicators: [
-                'CKV settings change without user action',
-                'CKV behavior changes after update',
-                'No user control over CKV update deployment',
-            ],
-            requiredPriorSteps: [],
-            vectors: ['imessage_false_e2e', 'imessage_key_substitution'],
-            detectionMethods: [
-                'Settings monitoring before/after updates',
-                'CKV behavior testing after updates',
-                'iOS update analysis',
-            ],
-        },
-    ],
-    minimumStepsForEvidence: 1,
-    legalImplications: {
-        fraudType: 'SECURITY_FEATURE_BYPASS',
-        applicableLaws: [
-            '15 U.S.C. § 45 - FTC Act Section 5',
-            'Cal. Bus. & Prof. Code § 17500 - False Advertising',
-        ],
-        potentialDamages: `CKV bypass enables MITM attacks on users who believe they are protected.
-      High-value targets (journalists, activists) are especially at risk.`,
-        recommendations: [
-            'Document CKV status across devices',
-            'Monitor for setting changes',
-            'Use independent verification methods',
-        ],
-    },
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// CROSS-PLATFORM ATTACK CHAINS
-// ─────────────────────────────────────────────────────────────────────────────
-export const CROSS_PLATFORM_SURVEILLANCE_CHAIN = {
-    id: 'cross-platform-surveillance-chain',
-    name: 'Cross-Platform Coordinated Surveillance',
-    target: 'google', // Primary, but involves Apple
-    description: `Coordinated surveillance across Apple and Google services, suggesting data
-    sharing or parallel targeting operations.`,
-    steps: [
-        {
-            id: 'cp-1-parallel-access',
-            phase: 'reconnaissance',
-            name: 'Parallel Service Access',
-            description: 'Multiple services (Gmail, iMessage, Chrome) accessed within short timeframe',
-            indicators: [
-                'Gmail access within minutes of iMessage key observation',
-                'Chrome launch correlates with iMessage activity',
-                'Cross-platform activity during user inactive periods',
-            ],
-            requiredPriorSteps: [],
-            vectors: ['cross_platform_surveillance'],
-            detectionMethods: [
-                'Timeline correlation across services',
-                'Activity pattern analysis',
-                'User activity verification',
-            ],
-        },
-        {
-            id: 'cp-2-content-correlation',
-            phase: 'execution',
-            name: 'Cross-Platform Content Correlation',
-            description: 'Content from one service appears to influence actions on another',
-            indicators: [
-                'Gmail filters target topics from iMessage conversations',
-                'Chrome history shows searches related to private iMessage content',
-                'Advertising targets cross-platform conversation topics',
-            ],
-            requiredPriorSteps: ['cp-1-parallel-access'],
-            vectors: ['cross_platform_surveillance', 'coordinated_manipulation'],
-            detectionMethods: [
-                'Content keyword tracking across platforms',
-                'Ad targeting analysis',
-                'Search history correlation',
-            ],
-        },
-        {
-            id: 'cp-3-coordinated-suppression',
-            phase: 'impact',
-            name: 'Coordinated Information Suppression',
-            description: 'Content is hidden or suppressed across multiple platforms simultaneously',
-            indicators: [
-                'Gmail thread hidden at same time as iMessage discussion',
-                'Chrome history entries deleted matching Gmail activity',
-                'Cross-platform content removal patterns',
-            ],
-            requiredPriorSteps: ['cp-1-parallel-access'],
-            vectors: ['coordinated_manipulation', 'gmail_hidden_threads', 'chrome_history_manipulation'],
-            detectionMethods: [
-                'Cross-platform visibility monitoring',
-                'Deletion timing correlation',
-                'Content preservation and comparison',
-            ],
-        },
-    ],
-    minimumStepsForEvidence: 2,
-    legalImplications: {
-        fraudType: 'CROSS_PLATFORM_CONSPIRACY',
-        applicableLaws: [
-            '18 U.S.C. § 371 - Conspiracy to commit offense against US',
-            '18 U.S.C. § 1030 - CFAA',
-            '18 U.S.C. § 2511 - Wiretap Act',
-            '15 U.S.C. § 1 - Sherman Antitrust Act (if competitive harm)',
-            'GDPR Article 5 - Data sharing without consent (EU)',
-        ],
-        potentialDamages: `Cross-platform coordination indicates:
-      - Systematic privacy violation
-      - Potential data sharing agreements
-      - Comprehensive surveillance capability
-      - No platform provides genuine privacy`,
-        recommendations: [
-            'Document temporal correlations with precision',
-            'Preserve evidence from all platforms',
-            'Report to DOJ Antitrust Division',
-            'File multi-company FTC complaint',
-            'Consider RICO implications',
-        ],
-    },
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// PREDEFINED ATTACK CHAIN REGISTRY
-// ─────────────────────────────────────────────────────────────────────────────
-export const ATTACK_CHAIN_REGISTRY = [
-    GOOGLE_SURVEILLANCE_CHAIN,
-    GOOGLE_DRAFT_EXPLOITATION_CHAIN,
-    APPLE_IMESSAGE_MITM_CHAIN,
-    APPLE_CONTACT_KEY_BYPASS_CHAIN,
-    CROSS_PLATFORM_SURVEILLANCE_CHAIN,
-];
-// ═══════════════════════════════════════════════════════════════════════════════
-// ATTACK CHAIN DETECTOR
-// ═══════════════════════════════════════════════════════════════════════════════
-export class AttackChainDetector {
-    storageDir;
-    observations = new Map();
-    progressCache = new Map();
-    constructor(storageDir) {
-        this.storageDir = path.join(storageDir, 'attack-chains');
-    }
-    async initialize() {
-        await fs.mkdir(this.storageDir, { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'observations'), { recursive: true });
-        await fs.mkdir(path.join(this.storageDir, 'progress'), { recursive: true });
-    }
-    /**
-     * Record an observation that matches an attack chain step.
-     */
-    async recordObservation(params) {
-        const chain = ATTACK_CHAIN_REGISTRY.find(c => c.id === params.chainId);
-        if (!chain) {
-            throw new Error(`Unknown attack chain: ${params.chainId}`);
-        }
-        const step = chain.steps.find(s => s.id === params.stepId);
-        if (!step) {
-            throw new Error(`Unknown step ${params.stepId} in chain ${params.chainId}`);
-        }
-        const now = new Date().toISOString();
-        const observation = {
-            id: crypto.randomUUID(),
-            timestamp: now,
-            chainId: params.chainId,
-            stepId: params.stepId,
-            findingId: params.findingId,
-            confidence: params.confidence,
-            evidence: params.evidence,
-            hash: '',
-        };
-        observation.hash = hashString(JSON.stringify({
-            id: observation.id,
-            timestamp: observation.timestamp,
-            chainId: observation.chainId,
-            stepId: observation.stepId,
-            findingId: observation.findingId,
-        }));
-        // Store observation
-        const chainObs = this.observations.get(params.chainId) || [];
-        chainObs.push(observation);
-        this.observations.set(params.chainId, chainObs);
-        await this.persistObservation(observation);
-        // Update progress
-        await this.updateProgress(params.chainId);
-        return observation;
-    }
-    /**
-     * Automatically detect which attack chain steps match a finding.
-     */
-    async detectChainSteps(finding) {
-        const observations = [];
-        for (const chain of ATTACK_CHAIN_REGISTRY) {
-            for (const step of chain.steps) {
-                // Check if finding's vector matches step's vectors
-                if (step.vectors.includes(finding.vector)) {
-                    // Calculate confidence based on indicator match
-                    let matchedIndicators = 0;
-                    const findingDetails = JSON.stringify(finding.technicalDetails).toLowerCase();
-                    for (const indicator of step.indicators) {
-                        const indicatorKeywords = indicator.toLowerCase().split(' ');
-                        if (indicatorKeywords.some(kw => findingDetails.includes(kw))) {
-                            matchedIndicators++;
-                        }
-                    }
-                    const confidence = step.indicators.length > 0
-                        ? matchedIndicators / step.indicators.length
-                        : 0.5;
-                    // Only record if confidence is above threshold
-                    if (confidence >= 0.3) {
-                        const obs = await this.recordObservation({
-                            chainId: chain.id,
-                            stepId: step.id,
-                            findingId: finding.id,
-                            confidence,
-                            evidence: finding.description,
-                        });
-                        observations.push(obs);
-                    }
-                }
-            }
-        }
-        return observations;
-    }
-    /**
-     * Get current progress for an attack chain.
-     */
-    async getChainProgress(chainId) {
-        const chain = ATTACK_CHAIN_REGISTRY.find(c => c.id === chainId);
-        if (!chain) {
-            throw new Error(`Unknown attack chain: ${chainId}`);
-        }
-        // Check cache
-        const cached = this.progressCache.get(chainId);
-        if (cached) {
-            return cached;
-        }
-        return this.updateProgress(chainId);
-    }
-    /**
-     * Get all attack chain progress.
-     */
-    async getAllProgress() {
-        const results = [];
-        for (const chain of ATTACK_CHAIN_REGISTRY) {
-            const progress = await this.getChainProgress(chain.id);
-            results.push(progress);
-        }
-        return results;
-    }
-    /**
-     * Get chains relevant to a specific target.
-     */
-    getChainsForTarget(target) {
-        return ATTACK_CHAIN_REGISTRY.filter(c => c.target === target);
-    }
-    /**
-     * Analyze findings and detect complete or partial attack chains.
-     */
-    async analyzeFindings(findings) {
-        // First, auto-detect chain steps for each finding
-        for (const finding of findings) {
-            await this.detectChainSteps(finding);
-        }
-        // Get all progress
-        const allProgress = await this.getAllProgress();
-        const completeChains = allProgress.filter(p => p.isComplete);
-        const partialChains = allProgress.filter(p => !p.isComplete &&
-            p.observedSteps.length >= ATTACK_CHAIN_REGISTRY.find(c => c.id === p.chainId).minimumStepsForEvidence);
-        const activeThreats = allProgress.filter(p => p.riskLevel === 'high' || p.riskLevel === 'critical');
-        return { completeChains, partialChains, activeThreats };
-    }
-    /**
-     * Generate attack chain report.
-     */
-    async generateChainReport(chainId) {
-        const chain = ATTACK_CHAIN_REGISTRY.find(c => c.id === chainId);
-        if (!chain) {
-            throw new Error(`Unknown attack chain: ${chainId}`);
-        }
-        const progress = await this.getChainProgress(chainId);
-        const observations = this.observations.get(chainId) || [];
-        // Build timeline
-        const timeline = chain.steps.map(step => ({
-            step,
-            observation: observations.find(o => o.stepId === step.id) || null,
-        }));
-        // Identify gaps
-        const gaps = chain.steps.filter(step => !observations.find(o => o.stepId === step.id));
-        // Calculate evidence strength
-        const observedCount = observations.length;
-        const totalSteps = chain.steps.length;
-        const avgConfidence = observations.length > 0
-            ? observations.reduce((sum, o) => sum + o.confidence, 0) / observations.length
-            : 0;
-        let evidenceStrength;
-        if (progress.isComplete && avgConfidence > 0.8) {
-            evidenceStrength = 'irrefutable';
-        }
-        else if (observedCount >= chain.minimumStepsForEvidence && avgConfidence > 0.6) {
-            evidenceStrength = 'strong';
-        }
-        else if (observedCount >= 2 && avgConfidence > 0.4) {
-            evidenceStrength = 'moderate';
-        }
-        else {
-            evidenceStrength = 'weak';
-        }
-        // Calculate legal readiness
-        let legalReadiness;
-        if (evidenceStrength === 'irrefutable') {
-            legalReadiness = 'prosecution_ready';
-        }
-        else if (evidenceStrength === 'strong') {
-            legalReadiness = 'actionable';
-        }
-        else if (evidenceStrength === 'moderate') {
-            legalReadiness = 'preliminary';
-        }
-        else {
-            legalReadiness = 'insufficient';
-        }
-        return {
-            chain,
-            progress,
-            timeline,
-            gaps,
-            evidenceStrength,
-            legalReadiness,
-        };
-    }
-    // ─────────────────────────────────────────────────────────────────────────────
-    // Private Methods
-    // ─────────────────────────────────────────────────────────────────────────────
-    async updateProgress(chainId) {
-        const chain = ATTACK_CHAIN_REGISTRY.find(c => c.id === chainId);
-        if (!chain) {
-            throw new Error(`Unknown attack chain: ${chainId}`);
-        }
-        const observations = this.observations.get(chainId) || [];
-        // Calculate completion
-        const observedStepIds = new Set(observations.map(o => o.stepId));
-        const completionPercentage = (observedStepIds.size / chain.steps.length) * 100;
-        // Determine current phase
-        const observedSteps = chain.steps.filter(s => observedStepIds.has(s.id));
-        const phaseOrder = ['reconnaissance', 'initial_access', 'execution', 'persistence', 'exfiltration', 'impact'];
-        const currentPhase = observedSteps.length > 0
-            ? phaseOrder.reduce((latest, phase) => {
-                const stepsInPhase = observedSteps.filter(s => s.phase === phase);
-                return stepsInPhase.length > 0 ? phase : latest;
-            }, 'reconnaissance')
-            : 'reconnaissance';
-        // Calculate risk level
-        let riskLevel;
-        if (completionPercentage >= 80) {
-            riskLevel = 'critical';
-        }
-        else if (completionPercentage >= 50) {
-            riskLevel = 'high';
-        }
-        else if (observedStepIds.size >= chain.minimumStepsForEvidence) {
-            riskLevel = 'medium';
-        }
-        else {
-            riskLevel = 'low';
-        }
-        // Find next expected steps
-        const unobservedSteps = chain.steps.filter(s => !observedStepIds.has(s.id));
-        const nextExpectedSteps = unobservedSteps.filter(step => {
-            // Step is expected if all required prior steps are observed
-            return step.requiredPriorSteps.every(reqId => observedStepIds.has(reqId));
-        });
-        const progress = {
-            chainId,
-            chainName: chain.name,
-            target: chain.target,
-            observedSteps: observations,
-            completionPercentage,
-            currentPhase,
-            riskLevel,
-            isComplete: completionPercentage === 100,
-            nextExpectedSteps,
-        };
-        // Cache and persist
-        this.progressCache.set(chainId, progress);
-        await this.persistProgress(progress);
-        return progress;
-    }
-    async persistObservation(obs) {
-        const filePath = path.join(this.storageDir, 'observations', `${obs.chainId}_${obs.id}.json`);
-        await fs.writeFile(filePath, JSON.stringify(obs, null, 2));
-    }
-    async persistProgress(progress) {
-        const filePath = path.join(this.storageDir, 'progress', `${progress.chainId}.json`);
-        await fs.writeFile(filePath, JSON.stringify(progress, null, 2));
-    }
-}
-// Add methods to prototype
-UnifiedFraudOrchestrator.prototype.initializeAttackChains = async function () {
-    if (!this.attackChainDetector) {
-        this.attackChainDetector = new AttackChainDetector(this.storageDir);
-    }
-    await this.attackChainDetector.initialize();
-};
-UnifiedFraudOrchestrator.prototype.detectAttackChains = async function (investigationId) {
-    const investigation = this.investigations.get(investigationId);
-    if (!investigation) {
-        throw new Error(`Investigation not found: ${investigationId}`);
-    }
-    if (!this.attackChainDetector) {
-        await this.initializeAttackChains();
-    }
-    // Gather all findings
-    const gmailFindings = this.gmailEngine.getFindings();
-    const chromeFindings = this.chromeEngine.getFindings();
-    const allFindings = [...gmailFindings, ...chromeFindings];
-    return this.attackChainDetector.analyzeFindings(allFindings);
-};
-UnifiedFraudOrchestrator.prototype.getAttackChainReport = async function (chainId) {
-    if (!this.attackChainDetector) {
-        await this.initializeAttackChains();
-    }
-    return this.attackChainDetector.generateChainReport(chainId);
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// GOOGLE GOVERNMENT & DEFENSE SYSTEMS
-// ─────────────────────────────────────────────────────────────────────────────
-export const GOOGLE_GOV_PRODUCTS = [
-    {
-        id: 'google-workspace-gov',
-        name: 'Google Workspace for Government',
-        vendor: 'google',
-        category: 'productivity',
-        description: 'Gmail, Drive, Docs, Meet, Calendar for government agencies. FedRAMP authorized cloud productivity suite.',
-        targetCustomers: ['federal', 'state_local'],
-        certifications: ['FedRAMP High', 'CJIS', 'ITAR', 'SOC 1/2/3', 'ISO 27001'],
-        dataResidency: ['US-only data centers', 'Assured Workloads regions'],
-        knownContracts: ['DOI', 'USDA', 'GSA', 'Various state governments'],
-        securityConcerns: [
-            'Google retains access to all data for "support"',
-            'AI/ML processing of government communications',
-            'Metadata collection even in "sovereign" mode',
-            'Key management controlled by Google',
-        ],
-        accessPoints: [
-            'Admin console access by Google support',
-            'Automated scanning for "security"',
-            'AI training on anonymized data',
-            'Vault/eDiscovery backdoor access',
-        ],
-        integrations: ['Google Cloud Platform', 'Chronicle SIEM', 'BeyondCorp', 'Mandiant'],
-    },
-    {
-        id: 'google-cloud-gov',
-        name: 'Google Cloud Platform for Government',
-        vendor: 'google',
-        category: 'cloud',
-        description: 'FedRAMP authorized cloud infrastructure including Compute, Storage, BigQuery, AI/ML services.',
-        targetCustomers: ['federal', 'dod', 'state_local', 'defense_contractors'],
-        certifications: ['FedRAMP High', 'FedRAMP Moderate', 'IL2', 'IL4', 'IL5', 'CJIS', 'ITAR'],
-        dataResidency: ['US regions', 'Assured Workloads', 'Sovereign Controls'],
-        knownContracts: ['JEDI follow-on work', 'VA', 'DOE National Labs'],
-        securityConcerns: [
-            'Shared infrastructure with commercial cloud',
-            'Google employee access to customer instances',
-            'AI services process sensitive data',
-            'Supply chain concerns with hardware',
-        ],
-        accessPoints: [
-            'Infrastructure-level access',
-            'Customer-managed encryption keys (CMEK) still Google-accessible',
-            'Logging and monitoring infrastructure',
-            'Break-glass emergency access',
-        ],
-        integrations: ['Anthos', 'GKE', 'BigQuery', 'Vertex AI', 'Chronicle'],
-    },
-    {
-        id: 'google-chronicle',
-        name: 'Chronicle Security Operations (Google SecOps)',
-        vendor: 'google',
-        category: 'security',
-        subcategory: 'SIEM/SOAR',
-        description: 'Cloud-native SIEM built on Google infrastructure. Ingests and analyzes security telemetry at scale.',
-        targetCustomers: ['federal', 'dod', 'ic', 'defense_contractors'],
-        certifications: ['FedRAMP High', 'SOC 2'],
-        dataResidency: ['US data centers'],
-        knownContracts: ['Multiple federal agencies'],
-        securityConcerns: [
-            'All security logs sent to Google infrastructure',
-            'Google can see all ingested security data',
-            'Detection rules and threat intel controlled by Google',
-            'Creates comprehensive visibility into customer security posture',
-        ],
-        accessPoints: [
-            'Full access to ingested security logs',
-            'Threat detection rule management',
-            'Incident response data',
-            'Network flow and endpoint telemetry',
-        ],
-        integrations: ['Mandiant', 'VirusTotal', 'Google Cloud', 'Third-party SIEM'],
-    },
-    {
-        id: 'google-mandiant',
-        name: 'Mandiant (Google Cloud Security)',
-        vendor: 'google',
-        category: 'security',
-        subcategory: 'Threat Intelligence & IR',
-        description: 'Threat intelligence, incident response, and security consulting. Acquired by Google 2022.',
-        targetCustomers: ['federal', 'dod', 'ic', 'defense_contractors', 'allied_nations'],
-        certifications: ['FedRAMP (via Google Cloud)', 'Various clearances for personnel'],
-        dataResidency: ['US-based operations', 'Global threat intel'],
-        knownContracts: ['DOD', 'DHS', 'FBI', 'Various IC agencies', 'NATO allies'],
-        securityConcerns: [
-            'Incident response gives access to breached networks',
-            'Threat intel includes sensitive attack data',
-            'Acquisition by Google centralizes security intelligence',
-            'Consultants may retain access post-engagement',
-        ],
-        accessPoints: [
-            'Incident response network access',
-            'Threat intelligence sharing',
-            'Adversary tracking data',
-            'Customer breach forensics',
-        ],
-        integrations: ['Chronicle', 'VirusTotal', 'Google Cloud', 'Siemplify'],
-    },
-    {
-        id: 'google-beyondcorp',
-        name: 'BeyondCorp Enterprise',
-        vendor: 'google',
-        category: 'security',
-        subcategory: 'Zero Trust',
-        description: 'Zero trust access solution. Mediates all access to applications and data.',
-        targetCustomers: ['federal', 'dod', 'defense_contractors'],
-        certifications: ['FedRAMP High'],
-        dataResidency: ['US'],
-        securityConcerns: [
-            'All access decisions routed through Google',
-            'Full visibility into who accesses what',
-            'Device posture data collected',
-            'Can deny access to any resource',
-        ],
-        accessPoints: [
-            'Access policy enforcement point',
-            'User authentication data',
-            'Device inventory and health',
-            'Application access logs',
-        ],
-        integrations: ['Google Workspace', 'Google Cloud', 'Chrome Enterprise', 'Endpoint Verification'],
-    },
-    {
-        id: 'google-distributed-cloud',
-        name: 'Google Distributed Cloud',
-        vendor: 'google',
-        category: 'infrastructure',
-        subcategory: 'Edge/On-prem',
-        description: 'Google Cloud services running on-premises or at edge locations. For air-gapped and tactical environments.',
-        targetCustomers: ['dod', 'ic', 'defense_contractors'],
-        certifications: ['IL5', 'IL6 (in progress)', 'Secret/TS environments'],
-        dataResidency: ['Customer premises', 'Tactical edge'],
-        knownContracts: ['DOD tactical edge', 'IC facilities'],
-        securityConcerns: [
-            'Google hardware in classified environments',
-            'Software updates from Google',
-            'Telemetry even in "air-gapped" mode',
-            'Hardware implant concerns',
-        ],
-        accessPoints: [
-            'Software update channel',
-            'Support access (even limited)',
-            'Hardware-level access potential',
-            'Licensing/activation systems',
-        ],
-        integrations: ['Anthos', 'GKE', 'AI/ML services'],
-    },
-    {
-        id: 'google-vertex-ai-gov',
-        name: 'Vertex AI for Government',
-        vendor: 'google',
-        category: 'ai_ml',
-        description: 'Machine learning platform for government. Includes generative AI, AutoML, and custom model training.',
-        targetCustomers: ['federal', 'dod', 'ic'],
-        certifications: ['FedRAMP High', 'IL4/IL5 (select services)'],
-        dataResidency: ['US Assured Workloads'],
-        securityConcerns: [
-            'Training data potentially used by Google',
-            'Model architectures visible to Google',
-            'AI safety concerns for defense applications',
-            'Inference data accessible',
-        ],
-        accessPoints: [
-            'Training data access',
-            'Model weights and architecture',
-            'Inference inputs/outputs',
-            'Usage analytics',
-        ],
-        integrations: ['BigQuery', 'Cloud Storage', 'Gemini', 'PaLM'],
-    },
-];
-export const GOOGLE_GOV_PROFILE = {
-    vendor: 'google',
-    govDivision: 'Google Public Sector',
-    annualGovRevenue: '$2B+ (estimated)',
-    fedRampStatus: ['FedRAMP High (multiple)', 'FedRAMP Moderate', 'IL2', 'IL4', 'IL5'],
-    primaryContracts: [
-        'DOD JEDI/JWCC participant',
-        'CBP border surveillance',
-        'VA healthcare',
-        'Various civilian agencies',
-    ],
-    products: GOOGLE_GOV_PRODUCTS,
-    dataAccessCapabilities: [
-        'Full infrastructure access to cloud-hosted data',
-        'AI/ML processing of all content',
-        'Security monitoring and logging',
-        'Incident response access',
-        'Administrative backdoors',
-    ],
-    knownBackdoors: [
-        'Vault/eDiscovery access bypasses user encryption',
-        'Admin console "support access"',
-        'Break-glass emergency procedures',
-        'Automated content scanning',
-    ],
-    lawEnforcementCooperation: 'Complies with legal process. Transparency reports show high compliance rate. FISA court orders not disclosed.',
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// APPLE GOVERNMENT & DEFENSE SYSTEMS
-// ─────────────────────────────────────────────────────────────────────────────
-export const APPLE_GOV_PRODUCTS = [
-    {
-        id: 'apple-business-essentials',
-        name: 'Apple Business Essentials',
-        vendor: 'apple',
-        category: 'productivity',
-        description: 'Device management, storage, and support for businesses and government. Includes iCloud storage and MDM.',
-        targetCustomers: ['federal', 'state_local'],
-        certifications: ['FedRAMP (via partners)', 'SOC 2'],
-        dataResidency: ['US data centers', 'Limited options'],
-        securityConcerns: [
-            'iCloud data accessible by Apple',
-            'MDM profiles controlled centrally',
-            'Device telemetry collected',
-            'Limited true air-gap capability',
-        ],
-        accessPoints: [
-            'iCloud infrastructure access',
-            'MDM command and control',
-            'Device enrollment data',
-            'AppleCare support access',
-        ],
-        integrations: ['iCloud', 'Apple School Manager', 'Apple Business Manager'],
-    },
-    {
-        id: 'apple-managed-device-attestation',
-        name: 'Managed Device Attestation',
-        vendor: 'apple',
-        category: 'security',
-        subcategory: 'Device Security',
-        description: 'Cryptographic attestation that device is genuine Apple hardware with valid security state.',
-        targetCustomers: ['federal', 'dod', 'ic'],
-        certifications: ['FIPS 140-2 (Secure Enclave)', 'Common Criteria'],
-        dataResidency: ['Apple servers for attestation'],
-        securityConcerns: [
-            'Apple servers validate every device attestation',
-            'Apple knows which devices are in use by whom',
-            'Attestation can be revoked by Apple',
-            'Creates dependency on Apple infrastructure',
-        ],
-        accessPoints: [
-            'Device attestation traffic',
-            'Hardware identity database',
-            'Security state information',
-            'Enrollment status',
-        ],
-        integrations: ['MDM solutions', 'Apple Business Manager', 'Conditional access'],
-    },
-    {
-        id: 'apple-platform-security',
-        name: 'Apple Platform Security (T2/Apple Silicon)',
-        vendor: 'apple',
-        category: 'hardware',
-        description: 'Secure Enclave, hardware encryption, secure boot on Mac and iOS devices.',
-        targetCustomers: ['federal', 'dod', 'ic', 'defense_contractors'],
-        certifications: ['FIPS 140-2/140-3', 'Common Criteria', 'Various national certifications'],
-        dataResidency: ['On-device', 'Keys may escrow to iCloud'],
-        securityConcerns: [
-            'Apple controls Secure Enclave firmware',
-            'Recovery key escrow to Apple',
-            'Activation lock controlled by Apple',
-            'Software updates can modify security behavior',
-        ],
-        accessPoints: [
-            'Firmware update channel',
-            'Activation lock servers',
-            'Recovery key escrow',
-            'Device enrollment status',
-        ],
-        integrations: ['iCloud', 'MDM', 'Apple services'],
-    },
-    {
-        id: 'apple-imessage-gov',
-        name: 'iMessage/FaceTime for Government',
-        vendor: 'apple',
-        category: 'communications',
-        description: 'Encrypted messaging and video calls. Used by government personnel on Apple devices.',
-        targetCustomers: ['federal', 'state_local'],
-        certifications: ['None specific - consumer product'],
-        dataResidency: ['Primarily US', 'Metadata on Apple servers'],
-        securityConcerns: [
-            'Key distribution controlled by Apple IDS',
-            'No independent key verification',
-            'Metadata collected and retained',
-            'MITM possible via key substitution',
-            'iCloud backup defeats E2E encryption',
-        ],
-        accessPoints: [
-            'IDS key distribution servers',
-            'Key Transparency logs (Apple controlled)',
-            'Metadata collection',
-            'iCloud message backup',
-            'Push notification infrastructure',
-        ],
-        integrations: ['iCloud', 'Apple ID', 'CarPlay', 'HomePod'],
-    },
-    {
-        id: 'apple-maps-location',
-        name: 'Apple Maps / Location Services',
-        vendor: 'apple',
-        category: 'analytics',
-        subcategory: 'Geolocation',
-        description: 'Mapping and location services used by government apps and personnel.',
-        targetCustomers: ['federal', 'state_local', 'dod'],
-        certifications: ['None specific'],
-        dataResidency: ['Apple servers globally'],
-        securityConcerns: [
-            'Location history tracked',
-            'Significant Locations feature',
-            'Find My network creates mesh tracking',
-            'Government personnel movements visible to Apple',
-        ],
-        accessPoints: [
-            'Location Services API',
-            'Find My infrastructure',
-            'Significant Locations database',
-            'Maps search history',
-        ],
-        integrations: ['Siri', 'Find My', 'CarPlay', 'Weather'],
-    },
-    {
-        id: 'apple-mdm-abm',
-        name: 'Apple Business Manager / MDM',
-        vendor: 'apple',
-        category: 'identity',
-        subcategory: 'Device Management',
-        description: 'Centralized device enrollment and management for government Apple devices.',
-        targetCustomers: ['federal', 'state_local', 'dod'],
-        certifications: ['SOC 2', 'ISO 27001'],
-        dataResidency: ['Apple servers'],
-        securityConcerns: [
-            'Apple has visibility into all managed devices',
-            'Can push profiles and configurations',
-            'Device wipe capability',
-            'App distribution controlled',
-        ],
-        accessPoints: [
-            'Device enrollment data',
-            'Management command channel',
-            'App deployment',
-            'Configuration profiles',
-        ],
-        integrations: ['MDM vendors (Jamf, Kandji, etc.)', 'Apple School Manager', 'VPP'],
-    },
-];
-export const APPLE_GOV_PROFILE = {
-    vendor: 'apple',
-    govDivision: 'Apple Federal (via partners)',
-    annualGovRevenue: '$1B+ (hardware sales, estimated)',
-    fedRampStatus: ['No direct FedRAMP', 'Partners provide FedRAMP coverage'],
-    primaryContracts: [
-        'Device purchases across federal agencies',
-        'DOD iOS device procurement',
-        'State/local education and government',
-    ],
-    products: APPLE_GOV_PRODUCTS,
-    dataAccessCapabilities: [
-        'iCloud data access (even with ADP, metadata accessible)',
-        'Device attestation and enrollment data',
-        'IDS key distribution control',
-        'Location services data',
-        'Push notification content (briefly)',
-    ],
-    knownBackdoors: [
-        'IDS key substitution capability',
-        'iCloud backup decryption (without ADP)',
-        'Activation Lock control',
-        'MDM remote wipe',
-        'Recovery key escrow',
-    ],
-    lawEnforcementCooperation: 'Historically resisted FBI demands (San Bernardino). Complies with valid legal process. ADP makes iCloud data inaccessible but metadata still available.',
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// MICROSOFT GOVERNMENT & DEFENSE SYSTEMS
-// ─────────────────────────────────────────────────────────────────────────────
-export const MICROSOFT_GOV_PRODUCTS = [
-    {
-        id: 'microsoft-365-gcc',
-        name: 'Microsoft 365 Government (GCC/GCC-High)',
-        vendor: 'microsoft',
-        category: 'productivity',
-        description: 'Office 365, Teams, SharePoint, Exchange for government. GCC-High for DoD and sensitive workloads.',
-        targetCustomers: ['federal', 'dod', 'ic', 'state_local', 'defense_contractors'],
-        certifications: ['FedRAMP High', 'DFARS', 'ITAR', 'CJIS', 'IRS 1075', 'IL2', 'IL4', 'IL5'],
-        dataResidency: ['US-only sovereign cloud', 'GCC-High isolated infrastructure'],
-        knownContracts: ['JEDI (terminated)', 'JWCC', 'DOD enterprise', 'Most federal agencies'],
-        securityConcerns: [
-            'Microsoft retains admin access',
-            'Telemetry collection even in GCC-High',
-            'AI/Copilot processing of content',
-            'Key escrow capabilities',
-            'Partner ecosystem access',
-        ],
-        accessPoints: [
-            'Exchange Online admin access',
-            'SharePoint backend access',
-            'Teams message inspection',
-            'eDiscovery and Legal Hold',
-            'Customer Lockbox (still MS access)',
-        ],
-        integrations: ['Azure Government', 'Defender', 'Sentinel', 'Intune', 'Entra ID'],
-    },
-    {
-        id: 'azure-government',
-        name: 'Azure Government',
-        vendor: 'microsoft',
-        category: 'cloud',
-        description: 'Isolated government cloud with FedRAMP High and DoD IL authorizations. Separate from commercial Azure.',
-        targetCustomers: ['federal', 'dod', 'ic', 'state_local', 'defense_contractors'],
-        certifications: ['FedRAMP High', 'IL2', 'IL4', 'IL5', 'IL6', 'CJIS', 'ITAR', 'IRS 1075'],
-        dataResidency: ['US Government regions only', 'Air-gapped options (Azure Government Secret/Top Secret)'],
-        knownContracts: ['JWCC', 'DOD enterprise', 'VA', 'DHS', 'Treasury'],
-        securityConcerns: [
-            'Still connected to Microsoft corporate',
-            'Software supply chain from commercial',
-            'Microsoft employee access with clearance',
-            'Shared codebase with commercial Azure',
-        ],
-        accessPoints: [
-            'Infrastructure-level access',
-            'Support access with clearance',
-            'Monitoring and diagnostics',
-            'Update and patch channels',
-        ],
-        integrations: ['M365 GCC-High', 'Defender for Cloud', 'Sentinel', 'Key Vault'],
-    },
-    {
-        id: 'azure-gov-secret',
-        name: 'Azure Government Secret / Top Secret',
-        vendor: 'microsoft',
-        category: 'cloud',
-        subcategory: 'Classified',
-        description: 'Air-gapped Azure for classified workloads. Secret and Top Secret enclaves.',
-        targetCustomers: ['dod', 'ic'],
-        certifications: ['IL6', 'SECRET', 'TOP SECRET/SCI'],
-        dataResidency: ['Classified US facilities', 'Air-gapped'],
-        knownContracts: ['IC agencies', 'DOD classified programs'],
-        securityConcerns: [
-            'Microsoft personnel with TS/SCI clearance',
-            'Hardware from Microsoft supply chain',
-            'Software updates through controlled channels',
-            'Potential for supply chain compromise',
-        ],
-        accessPoints: [
-            'Cleared Microsoft personnel',
-            'Software update channel',
-            'Hardware maintenance',
-            'Limited remote diagnostics',
-        ],
-        integrations: ['Classified Microsoft services', 'Partner solutions'],
-    },
-    {
-        id: 'microsoft-defender-gov',
-        name: 'Microsoft Defender for Government',
-        vendor: 'microsoft',
-        category: 'security',
-        subcategory: 'XDR/EDR',
-        description: 'Endpoint detection and response, threat protection for government. Part of M365 security stack.',
-        targetCustomers: ['federal', 'dod', 'state_local', 'defense_contractors'],
-        certifications: ['FedRAMP High', 'IL4', 'IL5'],
-        dataResidency: ['US Government cloud'],
-        securityConcerns: [
-            'All endpoint telemetry sent to Microsoft',
-            'Threat detection rules controlled by Microsoft',
-            'Response actions controllable by Microsoft',
-            'Creates complete visibility into government endpoints',
-        ],
-        accessPoints: [
-            'Endpoint telemetry collection',
-            'Threat detection and response',
-            'Security posture data',
-            'Incident investigation access',
-        ],
-        integrations: ['Microsoft 365', 'Sentinel', 'Intune', 'Entra ID'],
-    },
-    {
-        id: 'microsoft-sentinel-gov',
-        name: 'Microsoft Sentinel for Government',
-        vendor: 'microsoft',
-        category: 'security',
-        subcategory: 'SIEM/SOAR',
-        description: 'Cloud-native SIEM/SOAR on Azure Government. Ingests security logs from across the enterprise.',
-        targetCustomers: ['federal', 'dod', 'ic', 'defense_contractors'],
-        certifications: ['FedRAMP High', 'IL4', 'IL5'],
-        dataResidency: ['Azure Government'],
-        knownContracts: ['CISA', 'DOD components', 'Civilian agencies'],
-        securityConcerns: [
-            'All security logs visible to Microsoft',
-            'AI/ML analysis of security data',
-            'Detection rules from Microsoft',
-            'Integration with commercial threat intel',
-        ],
-        accessPoints: [
-            'Security log ingestion',
-            'Threat detection analytics',
-            'Incident response data',
-            'Automation playbooks',
-        ],
-        integrations: ['Defender', 'M365', 'Azure Arc', 'Third-party connectors'],
-    },
-    {
-        id: 'microsoft-intune-gov',
-        name: 'Microsoft Intune for Government',
-        vendor: 'microsoft',
-        category: 'identity',
-        subcategory: 'Device Management',
-        description: 'Mobile device and endpoint management for government. Controls policy and app deployment.',
-        targetCustomers: ['federal', 'dod', 'state_local'],
-        certifications: ['FedRAMP High', 'IL4', 'IL5'],
-        dataResidency: ['US Government cloud'],
-        securityConcerns: [
-            'Microsoft controls device policy enforcement',
-            'Can push apps and configurations',
-            'Device wipe capability',
-            'Telemetry collection',
-        ],
-        accessPoints: [
-            'Device enrollment and inventory',
-            'Policy deployment',
-            'App distribution',
-            'Compliance data',
-        ],
-        integrations: ['Entra ID', 'Defender', 'Autopilot', 'Configuration Manager'],
-    },
-    {
-        id: 'microsoft-teams-gov',
-        name: 'Microsoft Teams for Government',
-        vendor: 'microsoft',
-        category: 'communications',
-        description: 'Collaboration and communications platform for government. Chat, meetings, calls, and file sharing.',
-        targetCustomers: ['federal', 'dod', 'state_local', 'defense_contractors'],
-        certifications: ['FedRAMP High', 'IL4', 'IL5', 'CJIS'],
-        dataResidency: ['US Government cloud'],
-        securityConcerns: [
-            'All communications visible to Microsoft',
-            'Meeting recordings stored in Microsoft cloud',
-            'Transcription and AI processing',
-            'eDiscovery access to all content',
-        ],
-        accessPoints: [
-            'Message content and metadata',
-            'Meeting recordings and transcripts',
-            'File sharing and collaboration',
-            'Presence and activity data',
-        ],
-        integrations: ['SharePoint', 'OneDrive', 'Outlook', 'Power Platform'],
-    },
-    {
-        id: 'microsoft-copilot-gov',
-        name: 'Microsoft Copilot for Government (Preview)',
-        vendor: 'microsoft',
-        category: 'ai_ml',
-        description: 'AI assistant integrated into M365 Government. Processes documents, emails, meetings.',
-        targetCustomers: ['federal', 'state_local'],
-        certifications: ['FedRAMP (in progress)', 'GCC availability'],
-        dataResidency: ['US - processing location TBD'],
-        securityConcerns: [
-            'AI processes all user content',
-            'Training on government data (even if anonymized)',
-            'Prompt injection vulnerabilities',
-            'Data leakage through AI responses',
-        ],
-        accessPoints: [
-            'Full access to user content for AI processing',
-            'Meeting transcriptions',
-            'Document analysis',
-            'Email content',
-        ],
-        integrations: ['M365 suite', 'Azure OpenAI', 'Graph API'],
-    },
-];
-export const MICROSOFT_GOV_PROFILE = {
-    vendor: 'microsoft',
-    govDivision: 'Microsoft Federal',
-    annualGovRevenue: '$20B+ (estimated, largest gov IT vendor)',
-    fedRampStatus: ['FedRAMP High (many services)', 'IL2-IL6', 'SECRET', 'TOP SECRET'],
-    primaryContracts: [
-        'JWCC (multi-billion)',
-        'DOD Enterprise agreements',
-        'VA healthcare',
-        'Most federal agencies',
-        'State/local enterprise',
-    ],
-    products: MICROSOFT_GOV_PRODUCTS,
-    dataAccessCapabilities: [
-        'Administrative access to all cloud services',
-        'eDiscovery and Legal Hold across M365',
-        'Endpoint telemetry via Defender',
-        'Security logs via Sentinel',
-        'AI processing of all content via Copilot',
-    ],
-    knownBackdoors: [
-        'Customer Lockbox (still allows access)',
-        'eDiscovery admin access',
-        'Defender response actions',
-        'Intune device wipe',
-        'Global admin account recovery',
-    ],
-    lawEnforcementCooperation: 'Complies with legal process. Transparency reports published. CLOUD Act agreements with allies. Known cooperation with national security requests.',
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// AMAZON GOVERNMENT & DEFENSE SYSTEMS
-// ─────────────────────────────────────────────────────────────────────────────
-export const AMAZON_GOV_PRODUCTS = [
-    {
-        id: 'aws-govcloud',
-        name: 'AWS GovCloud (US)',
-        vendor: 'amazon',
-        category: 'cloud',
-        description: 'Isolated AWS regions for government workloads. FedRAMP High and DoD authorizations.',
-        targetCustomers: ['federal', 'dod', 'ic', 'state_local', 'defense_contractors'],
-        certifications: ['FedRAMP High', 'IL2', 'IL4', 'IL5', 'CJIS', 'ITAR', 'IRS 1075'],
-        dataResidency: ['US-only regions', 'Isolated from commercial AWS'],
-        knownContracts: ['CIA $600M (historic)', 'JWCC', 'NSA', 'DOD components'],
-        securityConcerns: [
-            'AWS employees with clearances have access',
-            'Shared codebase with commercial AWS',
-            'Software supply chain from commercial',
-            'Hardware from AWS supply chain',
-        ],
-        accessPoints: [
-            'Infrastructure-level access',
-            'Support access with clearance',
-            'Monitoring and CloudWatch',
-            'Service control plane',
-        ],
-        integrations: ['All AWS services (subset)', 'AWS Marketplace', 'Partner solutions'],
-    },
-    {
-        id: 'aws-secret-region',
-        name: 'AWS Secret Region',
-        vendor: 'amazon',
-        category: 'cloud',
-        subcategory: 'Classified',
-        description: 'Air-gapped AWS for SECRET classified workloads. Operated for IC community.',
-        targetCustomers: ['ic', 'dod'],
-        certifications: ['SECRET', 'ICD 503'],
-        dataResidency: ['Classified US facilities'],
-        knownContracts: ['CIA', 'IC agencies'],
-        securityConcerns: [
-            'AWS cleared personnel',
-            'Hardware in classified facilities',
-            'Limited oversight of operations',
-            'Supply chain for classified infrastructure',
-        ],
-        accessPoints: [
-            'Cleared AWS employees',
-            'Controlled software updates',
-            'Hardware maintenance',
-            'Limited diagnostics',
-        ],
-        integrations: ['IC-specific services', 'C2S'],
-    },
-    {
-        id: 'aws-c2s',
-        name: 'AWS Commercial Cloud Services (C2S)',
-        vendor: 'amazon',
-        category: 'cloud',
-        subcategory: 'Classified',
-        description: 'Top Secret cloud for IC. $600M+ contract with CIA, now expanded.',
-        targetCustomers: ['ic'],
-        certifications: ['TOP SECRET/SCI', 'ICD 503'],
-        dataResidency: ['TS/SCI facilities'],
-        knownContracts: ['CIA (original $600M)', 'Expanded IC community'],
-        securityConcerns: [
-            'Most sensitive government data on commercial vendor infrastructure',
-            'AWS personnel with TS/SCI',
-            'Concentration of IC data',
-            'Single vendor risk',
-        ],
-        accessPoints: [
-            'Cleared AWS personnel',
-            'Infrastructure operations',
-            'Software and hardware supply chain',
-        ],
-        integrations: ['IC-specific tools', 'AWS services subset'],
-    },
-    {
-        id: 'amazon-rekognition-gov',
-        name: 'Amazon Rekognition for Government',
-        vendor: 'amazon',
-        category: 'ai_ml',
-        subcategory: 'Computer Vision',
-        description: 'Facial recognition and image analysis. Used by law enforcement and government.',
-        targetCustomers: ['federal', 'state_local', 'dod'],
-        certifications: ['FedRAMP (via GovCloud)'],
-        dataResidency: ['US GovCloud'],
-        knownContracts: ['ICE (controversial)', 'Law enforcement agencies', 'DOD programs'],
-        securityConcerns: [
-            'Facial recognition accuracy concerns',
-            'Bias in AI models',
-            'Mass surveillance capability',
-            'Data retention and sharing',
-        ],
-        accessPoints: [
-            'Image and video processing',
-            'Facial recognition database',
-            'Analysis results',
-            'Model training data',
-        ],
-        integrations: ['S3', 'Lambda', 'Kinesis Video Streams'],
-    },
-    {
-        id: 'amazon-ring-gov',
-        name: 'Ring (Amazon) Law Enforcement Partnerships',
-        vendor: 'amazon',
-        category: 'security',
-        subcategory: 'Surveillance',
-        description: 'Doorbell cameras and neighborhood surveillance. Partnerships with 2000+ police departments.',
-        targetCustomers: ['state_local'],
-        certifications: ['None specific'],
-        dataResidency: ['AWS US'],
-        knownContracts: ['2000+ police department partnerships'],
-        securityConcerns: [
-            'Mass neighborhood surveillance network',
-            'Police can request footage without warrant',
-            'Neighbors app creates tip network',
-            'Facial recognition integration',
-        ],
-        accessPoints: [
-            'Video footage access',
-            'Location data',
-            'Audio recordings',
-            'Request portal for law enforcement',
-        ],
-        integrations: ['Alexa', 'AWS', 'Neighbors app'],
-    },
-    {
-        id: 'aws-nitro-enclaves',
-        name: 'AWS Nitro Enclaves',
-        vendor: 'amazon',
-        category: 'security',
-        subcategory: 'Confidential Computing',
-        description: 'Isolated compute environments for processing sensitive data.',
-        targetCustomers: ['federal', 'dod', 'defense_contractors'],
-        certifications: ['FedRAMP (via GovCloud)'],
-        dataResidency: ['US GovCloud'],
-        securityConcerns: [
-            'AWS controls Nitro hypervisor',
-            'Side-channel attack potential',
-            'Key management complexity',
-            'Limited third-party attestation',
-        ],
-        accessPoints: [
-            'Hypervisor-level access',
-            'Attestation infrastructure',
-            'Enclave management',
-        ],
-        integrations: ['EC2', 'KMS', 'ACM'],
-    },
-    {
-        id: 'aws-workspaces-gov',
-        name: 'Amazon WorkSpaces for Government',
-        vendor: 'amazon',
-        category: 'infrastructure',
-        subcategory: 'VDI',
-        description: 'Virtual desktops in the cloud. Provides access to government applications.',
-        targetCustomers: ['federal', 'dod', 'state_local'],
-        certifications: ['FedRAMP High', 'IL4', 'IL5'],
-        dataResidency: ['US GovCloud'],
-        securityConcerns: [
-            'All desktop activity on AWS infrastructure',
-            'Session recording capability',
-            'Clipboard and file transfer monitoring',
-            'AWS admin access to desktops',
-        ],
-        accessPoints: [
-            'Desktop session data',
-            'User activity',
-            'File access',
-            'Application usage',
-        ],
-        integrations: ['Active Directory', 'WorkDocs', 'AppStream'],
-    },
-];
-export const AMAZON_GOV_PROFILE = {
-    vendor: 'amazon',
-    govDivision: 'AWS Public Sector / Amazon Web Services Government',
-    annualGovRevenue: '$10B+ (estimated)',
-    fedRampStatus: ['FedRAMP High', 'IL2-IL5', 'SECRET', 'TOP SECRET/SCI'],
-    primaryContracts: [
-        'CIA C2S ($600M+)',
-        'JWCC participant',
-        'NSA',
-        'DOD components',
-        'Most federal agencies',
-    ],
-    products: AMAZON_GOV_PRODUCTS,
-    dataAccessCapabilities: [
-        'Infrastructure-level access to all workloads',
-        'CloudWatch and logging access',
-        'Support access with clearances',
-        'Rekognition facial data',
-        'Ring video network',
-    ],
-    knownBackdoors: [
-        'AWS support access',
-        'CloudWatch log access',
-        'S3 bucket policy override (with warrant)',
-        'Ring law enforcement portal',
-        'Rekognition database',
-    ],
-    lawEnforcementCooperation: 'Complies with legal process. Ring partnerships with 2000+ police departments. Transparency reports published.',
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// META GOVERNMENT & DEFENSE SYSTEMS
-// ─────────────────────────────────────────────────────────────────────────────
-export const META_GOV_PRODUCTS = [
-    {
-        id: 'meta-workplace-gov',
-        name: 'Workplace from Meta for Government',
-        vendor: 'meta',
-        category: 'productivity',
-        description: 'Enterprise collaboration platform. Chat, video, and intranet for organizations.',
-        targetCustomers: ['federal', 'state_local'],
-        certifications: ['FedRAMP (limited)', 'SOC 2'],
-        dataResidency: ['US data centers'],
-        securityConcerns: [
-            'All communications on Meta infrastructure',
-            'AI processing of content',
-            'Integration with consumer Facebook',
-            'Limited government-specific isolation',
-        ],
-        accessPoints: [
-            'Chat and messaging content',
-            'Video call data',
-            'File sharing',
-            'Employee directory',
-        ],
-        integrations: ['Microsoft 365', 'Google Workspace', 'ServiceNow'],
-    },
-    {
-        id: 'meta-llama-gov',
-        name: 'Llama AI Models for Government',
-        vendor: 'meta',
-        category: 'ai_ml',
-        description: 'Open-source LLM available for government use. Various sizes from 7B to 70B+ parameters.',
-        targetCustomers: ['federal', 'dod', 'defense_contractors'],
-        certifications: ['None - open source', 'Self-hosted options'],
-        dataResidency: ['Self-hosted capability'],
-        securityConcerns: [
-            'Model weights from Meta',
-            'Unknown training data composition',
-            'Fine-tuning may leak data',
-            'Dual-use concerns for adversaries',
-        ],
-        accessPoints: [
-            'Model weights download',
-            'Usage telemetry (if using Meta cloud)',
-            'Research access program data',
-        ],
-        integrations: ['Various ML frameworks', 'Cloud platforms'],
-    },
-    {
-        id: 'meta-whatsapp-gov',
-        name: 'WhatsApp for Government Use',
-        vendor: 'meta',
-        category: 'communications',
-        description: 'Not officially supported, but used by many government personnel worldwide.',
-        targetCustomers: ['allied_nations', 'state_local'],
-        certifications: ['None - consumer product'],
-        dataResidency: ['Meta global infrastructure'],
-        securityConcerns: [
-            'Metadata collection by Meta',
-            'Device backup defeats E2E encryption',
-            'Key distribution controlled by Meta',
-            'Business API allows message inspection',
-        ],
-        accessPoints: [
-            'Metadata and contact lists',
-            'Backup encryption keys',
-            'Business API access',
-            'Device registration data',
-        ],
-        integrations: ['Facebook', 'Instagram', 'Meta Business Suite'],
-    },
-    {
-        id: 'meta-oculus-gov',
-        name: 'Meta Quest for Enterprise/Government',
-        vendor: 'meta',
-        category: 'hardware',
-        subcategory: 'VR/AR',
-        description: 'VR headsets for training and simulation. Used by military for training programs.',
-        targetCustomers: ['dod', 'federal'],
-        certifications: ['Limited government certifications'],
-        dataResidency: ['Meta servers'],
-        knownContracts: ['Military training programs', 'VA therapy'],
-        securityConcerns: [
-            'Extensive sensor data collection',
-            'Biometric data (eye tracking, movement)',
-            'Room mapping and environment capture',
-            'Required Meta/Facebook account (historically)',
-        ],
-        accessPoints: [
-            'VR session telemetry',
-            'Biometric data',
-            'Environment mapping',
-            'User behavior analytics',
-        ],
-        integrations: ['Meta Horizon', 'Unity', 'Unreal Engine'],
-    },
-];
-export const META_GOV_PROFILE = {
-    vendor: 'meta',
-    govDivision: 'Meta for Business / Public Sector',
-    annualGovRevenue: '<$500M (estimated, smaller gov footprint)',
-    fedRampStatus: ['Limited FedRAMP (Workplace only)'],
-    primaryContracts: [
-        'Workplace deployments',
-        'VR training programs',
-        'Research partnerships',
-    ],
-    products: META_GOV_PRODUCTS,
-    dataAccessCapabilities: [
-        'Workplace communications access',
-        'WhatsApp metadata',
-        'VR biometric and sensor data',
-        'Llama usage data (if cloud)',
-    ],
-    knownBackdoors: [
-        'Workplace admin access',
-        'WhatsApp backup access',
-        'Business API message access',
-        'Quest telemetry',
-    ],
-    lawEnforcementCooperation: 'Complies with legal process. Large volume of law enforcement requests. Transparency reports published. Signal protocol messaging limits access to content.',
-};
-// ─────────────────────────────────────────────────────────────────────────────
-// COMPLETE VENDOR REGISTRY
-// ─────────────────────────────────────────────────────────────────────────────
-export const GOV_DEFENSE_VENDOR_REGISTRY = [
-    GOOGLE_GOV_PROFILE,
-    APPLE_GOV_PROFILE,
-    MICROSOFT_GOV_PROFILE,
-    AMAZON_GOV_PROFILE,
-    META_GOV_PROFILE,
-];
-export const ALL_GOV_DEFENSE_PRODUCTS = [
-    ...GOOGLE_GOV_PRODUCTS,
-    ...APPLE_GOV_PRODUCTS,
-    ...MICROSOFT_GOV_PRODUCTS,
-    ...AMAZON_GOV_PRODUCTS,
-    ...META_GOV_PRODUCTS,
-];
-/**
- * Get all government products for a specific vendor.
- */
-export function getGovProductsByVendor(vendor) {
-    return ALL_GOV_DEFENSE_PRODUCTS.filter(p => p.vendor === vendor);
-}
-/**
- * Get government vendor profile.
- */
-export function getGovVendorProfile(vendor) {
-    return GOV_DEFENSE_VENDOR_REGISTRY.find(p => p.vendor === vendor);
-}
-/**
- * Get all products matching a category.
- */
-export function getGovProductsByCategory(category) {
-    return ALL_GOV_DEFENSE_PRODUCTS.filter(p => p.category === category);
-}
-/**
- * Get all products with specific certification.
- */
-export function getGovProductsByCertification(certification) {
-    return ALL_GOV_DEFENSE_PRODUCTS.filter(p => p.certifications.some(c => c.toLowerCase().includes(certification.toLowerCase())));
-}
-/**
- * Get all products targeting specific customer type.
- */
-export function getGovProductsByCustomerType(customerType) {
-    return ALL_GOV_DEFENSE_PRODUCTS.filter(p => p.targetCustomers.includes(customerType));
-}
-/**
- * Get security concerns summary across all vendors.
- */
-export function getSecurityConcernsSummary() {
-    const summary = {};
-    for (const product of ALL_GOV_DEFENSE_PRODUCTS) {
-        if (!summary[product.vendor]) {
-            summary[product.vendor] = [];
-        }
-        for (const concern of product.securityConcerns) {
-            if (!summary[product.vendor].includes(concern)) {
-                summary[product.vendor].push(concern);
-            }
-        }
-    }
-    return summary;
-}
-/**
- * Get access points summary - how vendors can access government data.
- */
-export function getAccessPointsSummary() {
-    const summary = {};
-    for (const product of ALL_GOV_DEFENSE_PRODUCTS) {
-        if (!summary[product.vendor]) {
-            summary[product.vendor] = [];
-        }
-        for (const access of product.accessPoints) {
-            if (!summary[product.vendor].includes(access)) {
-                summary[product.vendor].push(access);
-            }
-        }
-    }
-    return summary;
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// EXPORTS (note: GOOGLE_GMAIL_CLAIMS and GOOGLE_CHROME_CLAIMS are already exported inline)
-// ═══════════════════════════════════════════════════════════════════════════════
-//# sourceMappingURL=unifiedFraudOrchestrator.js.map