fathom-cli 0.2.4 → 0.3.1

package/dist/chunk-SEGVTWSK.js

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+export {
+  __require,
+  __commonJS,
+  __export,
+  __toESM
+};
+//# sourceMappingURL=chunk-SEGVTWSK.js.map

package/dist/chunk-SEGVTWSK.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/chunk-TXIC6BY4.js

@@ -0,0 +1,169 @@
+#!/usr/bin/env node
+import {
+  external_exports,
+  jsYaml
+} from "./chunk-MNGU6SI4.js";
+
+// ../intent/dist/index.js
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+import { readFileSync as readFileSync2, readdirSync } from "fs";
+import { resolve } from "path";
+var ValueSchema = external_exports.object({
+  name: external_exports.string(),
+  description: external_exports.string(),
+  priority: external_exports.enum(["critical", "high", "medium", "low"]).default("medium"),
+  details: external_exports.string().optional()
+});
+var BudgetSchema = external_exports.object({
+  monthly_limit: external_exports.number().positive(),
+  alert_threshold: external_exports.number().min(0).max(1).default(0.8),
+  prefer_batch: external_exports.boolean().default(false),
+  currency: external_exports.string().default("USD")
+});
+var GuardrailsSchema = external_exports.object({
+  security: external_exports.object({
+    templates: external_exports.array(external_exports.string()).default([]),
+    custom: external_exports.array(external_exports.string()).default([])
+  }).optional(),
+  quality: external_exports.array(external_exports.string()).default([]),
+  process: external_exports.array(external_exports.string()).default([])
+});
+var TechSchema = external_exports.object({
+  stack: external_exports.array(external_exports.string()).default([]),
+  opinions: external_exports.array(external_exports.string()).default([])
+});
+var ProvidersSchema = external_exports.object({
+  preferred: external_exports.string().optional(),
+  api_key_env: external_exports.string().optional(),
+  fallback: external_exports.string().optional(),
+  local_models: external_exports.array(external_exports.string()).default([])
+});
+var IntentSchema = external_exports.object({
+  project: external_exports.string(),
+  description: external_exports.string(),
+  audience: external_exports.string().optional(),
+  values: external_exports.array(ValueSchema).default([]),
+  budget: BudgetSchema.optional(),
+  guardrails: GuardrailsSchema.optional(),
+  tech: TechSchema.optional(),
+  providers: ProvidersSchema.optional()
+});
+var GuardrailTemplateSchema = external_exports.object({
+  name: external_exports.string(),
+  description: external_exports.string(),
+  category: external_exports.enum(["security", "quality"]),
+  status: external_exports.string().optional(),
+  rules: external_exports.array(external_exports.string())
+});
+var INTENT_DIR = ".fathom";
+var INTENT_FILE = "intent.yaml";
+function intentPath(dir) {
+  return join(dir, INTENT_DIR, INTENT_FILE);
+}
+async function loadIntent(dir) {
+  const filePath = intentPath(dir);
+  if (!existsSync(filePath)) {
+    throw new Error(`Intent file not found: ${filePath}`);
+  }
+  const content = readFileSync(filePath, "utf-8");
+  const raw = jsYaml.load(content);
+  return IntentSchema.parse(raw);
+}
+async function saveIntent(dir, intent) {
+  const validated = IntentSchema.parse(intent);
+  const fathomDir = join(dir, INTENT_DIR);
+  if (!existsSync(fathomDir)) {
+    mkdirSync(fathomDir, { recursive: true });
+  }
+  const content = jsYaml.dump(validated, {
+    lineWidth: 120,
+    noRefs: true,
+    quotingType: '"',
+    forceQuotes: false
+  });
+  writeFileSync(intentPath(dir), content, "utf-8");
+}
+function detectIntent(dir) {
+  return existsSync(intentPath(dir));
+}
+function findDataDir() {
+  const base = import.meta.dirname ?? __dirname;
+  const bundled = resolve(base, "data", "guardrails");
+  try {
+    readdirSync(bundled);
+    return bundled;
+  } catch {
+    return resolve(base, "..", "data", "guardrails");
+  }
+}
+function loadTemplate(name) {
+  const dir = findDataDir();
+  const filePath = resolve(dir, `${name}.yaml`);
+  let content;
+  try {
+    content = readFileSync2(filePath, "utf-8");
+  } catch {
+    throw new Error(
+      `Unknown guardrail template: "${name}". Use listTemplates() to see available templates.`
+    );
+  }
+  const raw = jsYaml.load(content);
+  return GuardrailTemplateSchema.parse(raw);
+}
+function listTemplates() {
+  const dir = findDataDir();
+  const files = readdirSync(dir).filter((f) => f.endsWith(".yaml"));
+  return files.map((file) => {
+    const content = readFileSync2(resolve(dir, file), "utf-8");
+    const raw = jsYaml.load(content);
+    return {
+      name: raw.name,
+      description: raw.description,
+      category: raw.category,
+      status: raw.status
+    };
+  });
+}
+function resolveGuardrails(intent) {
+  const result = {
+    security: [],
+    quality: [],
+    process: []
+  };
+  if (!intent.guardrails) {
+    return result;
+  }
+  const { guardrails } = intent;
+  if (guardrails.security) {
+    for (const templateName of guardrails.security.templates) {
+      const template = loadTemplate(templateName);
+      if (template.category === "security") {
+        result.security.push(...template.rules);
+      } else if (template.category === "quality") {
+        result.quality.push(...template.rules);
+      }
+    }
+    result.security.push(...guardrails.security.custom);
+  }
+  result.quality.push(...guardrails.quality);
+  result.process.push(...guardrails.process);
+  return result;
+}
+
+export {
+  ValueSchema,
+  BudgetSchema,
+  GuardrailsSchema,
+  TechSchema,
+  ProvidersSchema,
+  IntentSchema,
+  GuardrailTemplateSchema,
+  loadIntent,
+  saveIntent,
+  detectIntent,
+  loadTemplate,
+  listTemplates,
+  resolveGuardrails
+};
+//# sourceMappingURL=chunk-TXIC6BY4.js.map

package/dist/chunk-TXIC6BY4.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../intent/src/schema.ts","../../intent/src/loader.ts","../../intent/src/guardrails.ts"],"sourcesContent":["import { z } from \"zod\";\n\n// ── Value schema ────────────────────────────────────────────\n\nexport const ValueSchema = z.object({\n  name: z.string(),\n  description: z.string(),\n  priority: z.enum([\"critical\", \"high\", \"medium\", \"low\"]).default(\"medium\"),\n  details: z.string().optional(),\n});\n\nexport type Value = z.infer<typeof ValueSchema>;\n\n// ── Budget schema ───────────────────────────────────────────\n\nexport const BudgetSchema = z.object({\n  monthly_limit: z.number().positive(),\n  alert_threshold: z.number().min(0).max(1).default(0.8),\n  prefer_batch: z.boolean().default(false),\n  currency: z.string().default(\"USD\"),\n});\n\nexport type Budget = z.infer<typeof BudgetSchema>;\n\n// ── Guardrails schema ───────────────────────────────────────\n\nexport const GuardrailsSchema = z.object({\n  security: z\n    .object({\n      templates: z.array(z.string()).default([]),\n      custom: z.array(z.string()).default([]),\n    })\n    .optional(),\n  quality: z.array(z.string()).default([]),\n  process: z.array(z.string()).default([]),\n});\n\nexport type Guardrails = z.infer<typeof GuardrailsSchema>;\n\n// ── Tech schema ─────────────────────────────────────────────\n\nexport const TechSchema = z.object({\n  stack: z.array(z.string()).default([]),\n  opinions: z.array(z.string()).default([]),\n});\n\nexport type Tech = z.infer<typeof TechSchema>;\n\n// ── Providers schema ────────────────────────────────────────\n\nexport const ProvidersSchema = z.object({\n  preferred: z.string().optional(),\n  api_key_env: z.string().optional(),\n  fallback: z.string().optional(),\n  local_models: z.array(z.string()).default([]),\n});\n\nexport type Providers = z.infer<typeof ProvidersSchema>;\n\n// ── Intent schema (top-level) ───────────────────────────────\n\nexport const IntentSchema = z.object({\n  project: z.string(),\n  description: z.string(),\n  audience: z.string().optional(),\n  values: z.array(ValueSchema).default([]),\n  budget: BudgetSchema.optional(),\n  guardrails: GuardrailsSchema.optional(),\n  tech: TechSchema.optional(),\n  providers: ProvidersSchema.optional(),\n});\n\nexport type IntentConfig = z.infer<typeof IntentSchema>;\n\n// ── Guardrail template schema ───────────────────────────────\n\nexport const GuardrailTemplateSchema = z.object({\n  name: z.string(),\n  description: z.string(),\n  category: z.enum([\"security\", \"quality\"]),\n  status: z.string().optional(),\n  rules: z.array(z.string()),\n});\n\nexport type GuardrailTemplate = z.infer<typeof GuardrailTemplateSchema>;\n\n// ── Resolved guardrails (flat output) ───────────────────────\n\nexport interface ResolvedGuardrails {\n  security: string[];\n  quality: string[];\n  process: string[];\n}\n\nexport interface TemplateInfo {\n  name: string;\n  description: string;\n  category: string;\n  status?: string;\n}\n","import { readFileSync, writeFileSync, mkdirSync, existsSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport yaml from \"js-yaml\";\nimport { IntentSchema, type IntentConfig } from \"./schema.js\";\n\nconst INTENT_DIR = \".fathom\";\nconst INTENT_FILE = \"intent.yaml\";\n\nfunction intentPath(dir: string): string {\n  return join(dir, INTENT_DIR, INTENT_FILE);\n}\n\n/**\n * Load and validate intent from a project directory.\n * Reads `.fathom/intent.yaml`, parses YAML, validates with Zod.\n */\nexport async function loadIntent(dir: string): Promise<IntentConfig> {\n  const filePath = intentPath(dir);\n\n  if (!existsSync(filePath)) {\n    throw new Error(`Intent file not found: ${filePath}`);\n  }\n\n  const content = readFileSync(filePath, \"utf-8\");\n  const raw = yaml.load(content);\n  return IntentSchema.parse(raw);\n}\n\n/**\n * Validate and save intent to a project directory.\n * Writes validated YAML to `.fathom/intent.yaml`. Creates `.fathom/` if needed.\n */\nexport async function saveIntent(dir: string, intent: IntentConfig): Promise<void> {\n  // Validate before writing\n  const validated = IntentSchema.parse(intent);\n\n  const fathomDir = join(dir, INTENT_DIR);\n  if (!existsSync(fathomDir)) {\n    mkdirSync(fathomDir, { recursive: true });\n  }\n\n  const content = yaml.dump(validated, {\n    lineWidth: 120,\n    noRefs: true,\n    quotingType: '\"',\n    forceQuotes: false,\n  });\n\n  writeFileSync(intentPath(dir), content, \"utf-8\");\n}\n\n/**\n * Synchronously check if `.fathom/intent.yaml` exists in a directory.\n */\nexport function detectIntent(dir: string): boolean {\n  return existsSync(intentPath(dir));\n}\n","import { readFileSync, readdirSync } from \"node:fs\";\nimport { resolve, basename } from \"node:path\";\nimport yaml from \"js-yaml\";\nimport {\n  GuardrailTemplateSchema,\n  type GuardrailTemplate,\n  type IntentConfig,\n  type ResolvedGuardrails,\n  type TemplateInfo,\n} from \"./schema.js\";\n\nfunction findDataDir(): string {\n  const base = import.meta.dirname ?? __dirname;\n  // Try bundled location first (dist/data/ when installed from npm)\n  const bundled = resolve(base, \"data\", \"guardrails\");\n  try {\n    readdirSync(bundled);\n    return bundled;\n  } catch {\n    // Fall back to monorepo location (packages/intent/data/guardrails from dist/)\n    return resolve(base, \"..\", \"data\", \"guardrails\");\n  }\n}\n\n/**\n * Load a guardrail template by name.\n */\nexport function loadTemplate(name: string): GuardrailTemplate {\n  const dir = findDataDir();\n  const filePath = resolve(dir, `${name}.yaml`);\n\n  let content: string;\n  try {\n    content = readFileSync(filePath, \"utf-8\");\n  } catch {\n    throw new Error(\n      `Unknown guardrail template: \"${name}\". Use listTemplates() to see available templates.`,\n    );\n  }\n\n  const raw = yaml.load(content);\n  return GuardrailTemplateSchema.parse(raw);\n}\n\n/**\n * List all available guardrail templates.\n */\nexport function listTemplates(): TemplateInfo[] {\n  const dir = findDataDir();\n  const files = readdirSync(dir).filter((f) => f.endsWith(\".yaml\"));\n\n  return files.map((file) => {\n    const content = readFileSync(resolve(dir, file), \"utf-8\");\n    const raw = yaml.load(content) as Record<string, unknown>;\n    return {\n      name: raw.name as string,\n      description: raw.description as string,\n      category: raw.category as string,\n      status: raw.status as string | undefined,\n    };\n  });\n}\n\n/**\n * Resolve all guardrail templates and custom rules from an intent config\n * into a flat categorized object.\n */\nexport function resolveGuardrails(intent: IntentConfig): ResolvedGuardrails {\n  const result: ResolvedGuardrails = {\n    security: [],\n    quality: [],\n    process: [],\n  };\n\n  if (!intent.guardrails) {\n    return result;\n  }\n\n  const { guardrails } = intent;\n\n  // Expand security templates\n  if (guardrails.security) {\n    for (const templateName of guardrails.security.templates) {\n      const template = loadTemplate(templateName);\n      if (template.category === \"security\") {\n        result.security.push(...template.rules);\n      } else if (template.category === \"quality\") {\n        result.quality.push(...template.rules);\n      }\n    }\n\n    // Add custom security rules\n    result.security.push(...guardrails.security.custom);\n  }\n\n  // Add quality rules (these are direct string rules, not template refs)\n  result.quality.push(...guardrails.quality);\n\n  // Add process rules\n  result.process.push(...guardrails.process);\n\n  return result;\n}\n"],"mappings":";;;;;;;ACAA,SAAS,cAAc,eAAe,WAAW,kBAAkB;AACnE,SAAS,YAAY;ACDrB,SAAS,gBAAAA,eAAc,mBAAmB;AAC1C,SAAS,eAAyB;AFG3B,IAAM,cAAc,iBAAE,OAAO;EAClC,MAAM,iBAAE,OAAO;EACf,aAAa,iBAAE,OAAO;EACtB,UAAU,iBAAE,KAAK,CAAC,YAAY,QAAQ,UAAU,KAAK,CAAC,EAAE,QAAQ,QAAQ;EACxE,SAAS,iBAAE,OAAO,EAAE,SAAS;AAC/B,CAAC;AAMM,IAAM,eAAe,iBAAE,OAAO;EACnC,eAAe,iBAAE,OAAO,EAAE,SAAS;EACnC,iBAAiB,iBAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG;EACrD,cAAc,iBAAE,QAAQ,EAAE,QAAQ,KAAK;EACvC,UAAU,iBAAE,OAAO,EAAE,QAAQ,KAAK;AACpC,CAAC;AAMM,IAAM,mBAAmB,iBAAE,OAAO;EACvC,UAAU,iBACP,OAAO;IACN,WAAW,iBAAE,MAAM,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;IACzC,QAAQ,iBAAE,MAAM,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;EACxC,CAAC,EACA,SAAS;EACZ,SAAS,iBAAE,MAAM,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;EACvC,SAAS,iBAAE,MAAM,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AACzC,CAAC;AAMM,IAAM,aAAa,iBAAE,OAAO;EACjC,OAAO,iBAAE,MAAM,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;EACrC,UAAU,iBAAE,MAAM,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAMM,IAAM,kBAAkB,iBAAE,OAAO;EACtC,WAAW,iBAAE,OAAO,EAAE,SAAS;EAC/B,aAAa,iBAAE,OAAO,EAAE,SAAS;EACjC,UAAU,iBAAE,OAAO,EAAE,SAAS;EAC9B,cAAc,iBAAE,MAAM,iBAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC9C,CAAC;AAMM,IAAM,eAAe,iBAAE,OAAO;EACnC,SAAS,iBAAE,OAAO;EAClB,aAAa,iBAAE,OAAO;EACtB,UAAU,iBAAE,OAAO,EAAE,SAAS;EAC9B,QAAQ,iBAAE,MAAM,WAAW,EAAE,QAAQ,CAAC,CAAC;EACvC,QAAQ,aAAa,SAAS;EAC9B,YAAY,iBAAiB,SAAS;EACtC,MAAM,WAAW,SAAS;EAC1B,WAAW,gBAAgB,SAAS;AACtC,CAAC;AAMM,IAAM,0BAA0B,iBAAE,OAAO;EAC9C,MAAM,iBAAE,OAAO;EACf,aAAa,iBAAE,OAAO;EACtB,UAAU,iBAAE,KAAK,CAAC,YAAY,SAAS,CAAC;EACxC,QAAQ,iBAAE,OAAO,EAAE,SAAS;EAC5B,OAAO,iBAAE,MAAM,iBAAE,OAAO,CAAC;AAC3B,CAAC;AC7ED,IAAM,aAAa;AACnB,IAAM,cAAc;AAEpB,SAAS,WAAW,KAAqB;AACvC,SAAO,KAAK,KAAK,YAAY,WAAW;AAC1C;AAMA,eAAsB,WAAW,KAAoC;AACnE,QAAM,WAAW,WAAW,GAAG;AAE/B,MAAI,CAAC,WAAW,QAAQ,GAAG;AACzB,UAAM,IAAI,MAAM,0BAA0B,QAAQ,EAAE;EACtD;AAEA,QAAM,UAAU,aAAa,UAAU,OAAO;AAC9C,QAAM,MAAM,OAAK,KAAK,OAAO;AAC7B,SAAO,aAAa,MAAM,GAAG;AAC/B;AAMA,eAAsB,WAAW,KAAa,QAAqC;AAEjF,QAAM,YAAY,aAAa,MAAM,MAAM;AAE3C,QAAM,YAAY,KAAK,KAAK,UAAU;AACtC,MAAI,CAAC,WAAW,SAAS,GAAG;AAC1B,cAAU,WAAW,EAAE,WAAW,KAAK,CAAC;EAC1C;AAEA,QAAM,UAAU,OAAK,KAAK,WAAW;IACnC,WAAW;IACX,QAAQ;IACR,aAAa;IACb,aAAa;EACf,CAAC;AAED,gBAAc,WAAW,GAAG,GAAG,SAAS,OAAO;AACjD;AAKO,SAAS,aAAa,KAAsB;AACjD,SAAO,WAAW,WAAW,GAAG,CAAC;AACnC;AC7CA,SAAS,cAAsB;AAC7B,QAAM,OAAO,YAAY,WAAW;AAEpC,QAAM,UAAU,QAAQ,MAAM,QAAQ,YAAY;AAClD,MAAI;AACF,gBAAY,OAAO;AACnB,WAAO;EACT,QAAQ;AAEN,WAAO,QAAQ,MAAM,MAAM,QAAQ,YAAY;EACjD;AACF;AAKO,SAAS,aAAa,MAAiC;AAC5D,QAAM,MAAM,YAAY;AACxB,QAAM,WAAW,QAAQ,KAAK,GAAG,IAAI,OAAO;AAE5C,MAAI;AACJ,MAAI;AACF,cAAUC,cAAa,UAAU,OAAO;EAC1C,QAAQ;AACN,UAAM,IAAI;MACR,gCAAgC,IAAI;IACtC;EACF;AAEA,QAAM,MAAMC,OAAK,KAAK,OAAO;AAC7B,SAAO,wBAAwB,MAAM,GAAG;AAC1C;AAKO,SAAS,gBAAgC;AAC9C,QAAM,MAAM,YAAY;AACxB,QAAM,QAAQ,YAAY,GAAG,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,OAAO,CAAC;AAEhE,SAAO,MAAM,IAAI,CAAC,SAAS;AACzB,UAAM,UAAUD,cAAa,QAAQ,KAAK,IAAI,GAAG,OAAO;AACxD,UAAM,MAAMC,OAAK,KAAK,OAAO;AAC7B,WAAO;MACL,MAAM,IAAI;MACV,aAAa,IAAI;MACjB,UAAU,IAAI;MACd,QAAQ,IAAI;IACd;EACF,CAAC;AACH;AAMO,SAAS,kBAAkB,QAA0C;AAC1E,QAAM,SAA6B;IACjC,UAAU,CAAC;IACX,SAAS,CAAC;IACV,SAAS,CAAC;EACZ;AAEA,MAAI,CAAC,OAAO,YAAY;AACtB,WAAO;EACT;AAEA,QAAM,EAAE,WAAW,IAAI;AAGvB,MAAI,WAAW,UAAU;AACvB,eAAW,gBAAgB,WAAW,SAAS,WAAW;AACxD,YAAM,WAAW,aAAa,YAAY;AAC1C,UAAI,SAAS,aAAa,YAAY;AACpC,eAAO,SAAS,KAAK,GAAG,SAAS,KAAK;MACxC,WAAW,SAAS,aAAa,WAAW;AAC1C,eAAO,QAAQ,KAAK,GAAG,SAAS,KAAK;MACvC;IACF;AAGA,WAAO,SAAS,KAAK,GAAG,WAAW,SAAS,MAAM;EACpD;AAGA,SAAO,QAAQ,KAAK,GAAG,WAAW,OAAO;AAGzC,SAAO,QAAQ,KAAK,GAAG,WAAW,OAAO;AAEzC,SAAO;AACT;","names":["readFileSync","readFileSync","yaml"]}

package/dist/data/guardrails/gdpr-basic.yaml

@@ -0,0 +1,19 @@
+name: gdpr-basic
+description: GDPR Basic Compliance Guidelines
+category: security
+rules:
+  - "Collect explicit, informed, and freely given consent before processing personal data — pre-checked boxes are not valid consent"
+  - "Practice data minimization — only collect and retain personal data that is strictly necessary for the stated purpose"
+  - "Implement right to deletion (right to be forgotten) — users must be able to request complete removal of their personal data"
+  - "Implement data portability — provide users a machine-readable export (JSON/CSV) of all their personal data on request"
+  - "Implement right of access — users must be able to view all personal data you hold about them within 30 days of request"
+  - "Apply privacy by design — build data protection into system architecture from the start, not as an afterthought"
+  - "Maintain a Record of Processing Activities (ROPA) documenting what data you collect, why, and how long you keep it"
+  - "Implement breach notification — report personal data breaches to the supervisory authority within 72 hours of discovery"
+  - "Obtain explicit consent before setting non-essential cookies or tracking — implement a compliant cookie consent banner"
+  - "Do not transfer personal data outside the EEA without appropriate safeguards (SCCs, adequacy decisions, or BCRs)"
+  - "Define and enforce data retention periods — automatically delete or anonymize personal data when the retention period expires"
+  - "Implement granular consent management — users must be able to withdraw consent as easily as they gave it"
+  - "Conduct Data Protection Impact Assessments (DPIA) before processing that is likely to result in high risk to individuals"
+  - "Pseudonymize personal data wherever possible — separate identifying information from the data being processed"
+  - "Never use personal data for purposes beyond what was explicitly communicated at the time of collection without new consent"

package/dist/data/guardrails/hipaa-basic.yaml

@@ -0,0 +1,19 @@
+name: hipaa-basic
+description: HIPAA Basic Compliance Guidelines
+category: security
+rules:
+  - "Encrypt all Protected Health Information (PHI) at rest using AES-256 — this includes databases, backups, and file storage"
+  - "Encrypt all PHI in transit using TLS 1.2+ — never send health data over unencrypted channels"
+  - "Apply the minimum necessary principle — only request, display, and process the specific PHI fields needed for the task"
+  - "Implement role-based access control (RBAC) so users only see PHI relevant to their job function"
+  - "Log all access to PHI with immutable audit trails — record who accessed what, when, and why"
+  - "Retain audit logs for at least six years as required by HIPAA retention rules"
+  - "Never include PHI in URLs, query parameters, client-side storage, or application logs"
+  - "Require unique user IDs and enforce multi-factor authentication for all systems containing PHI"
+  - "Implement automatic session timeout (15 minutes or less of inactivity) for applications accessing PHI"
+  - "Verify that all third-party services handling PHI have signed a Business Associate Agreement (BAA) before integration"
+  - "Implement a breach notification mechanism — HIPAA requires notification within 60 days of discovering a breach"
+  - "Provide a mechanism for patients to request access to, amendment of, and an accounting of disclosures of their PHI"
+  - "Run regular risk assessments on all systems that store, process, or transmit PHI — document findings and remediation"
+  - "Ensure PHI is completely and irreversibly deleted when no longer needed — including backups and replicas"
+  - "De-identify data according to HIPAA Safe Harbor (remove all 18 identifiers) before using it for analytics or testing"

package/dist/data/guardrails/owasp-top-10.yaml

@@ -0,0 +1,16 @@
+name: owasp-top-10
+description: OWASP Top 10 Web Application Security Risks
+category: security
+rules:
+  - "Validate and sanitize all user input server-side — never trust client-side validation alone"
+  - "Use parameterized queries or prepared statements — never concatenate user input into SQL"
+  - "Implement proper authentication with secure password hashing (bcrypt/argon2) and session management"
+  - "Apply principle of least privilege — users and services should only access what they need"
+  - "Never expose sensitive data in error messages, logs, or API responses"
+  - "Use HTTPS everywhere — never transmit sensitive data over unencrypted connections"
+  - "Validate Content-Type headers and reject unexpected content types"
+  - "Implement rate limiting on authentication endpoints and sensitive operations"
+  - "Keep dependencies updated and audit for known vulnerabilities regularly"
+  - "Encode output contextually (HTML, URL, JavaScript) to prevent XSS"
+  - "Use CSRF tokens for state-changing operations"
+  - "Never store secrets, API keys, or credentials in source code or client-side storage"

package/dist/data/guardrails/pci-basic.yaml

@@ -0,0 +1,19 @@
+name: pci-basic
+description: PCI DSS Basic Compliance Guidelines
+category: security
+rules:
+  - "Never store full card numbers (PAN) in plaintext — use tokenization or truncation (first 6/last 4 only)"
+  - "Never log, print, or include in error messages: full PAN, CVV/CVC, PIN, or magnetic stripe data"
+  - "Encrypt cardholder data at rest using AES-256 or equivalent — manage keys separately from encrypted data"
+  - "Transmit cardholder data only over TLS 1.2+ — reject connections using older protocols"
+  - "Isolate payment processing systems from the general application network — use dedicated subnets or services"
+  - "Restrict access to cardholder data to only the services and personnel that absolutely need it"
+  - "Use unique credentials for every user and service account that accesses payment systems — no shared accounts"
+  - "Enforce multi-factor authentication for all administrative access to payment processing environments"
+  - "Log all access to cardholder data and payment systems — include who, what, when, and from where"
+  - "Retain audit logs for at least one year, with a minimum of three months immediately available for analysis"
+  - "Run vulnerability scans on all payment-facing systems quarterly and after any significant change"
+  - "Never use vendor-supplied default passwords or settings on any system in the cardholder data environment"
+  - "Mask PAN when displayed — show no more than first 6 and last 4 digits unless there is a legitimate business need"
+  - "Implement a web application firewall (WAF) or rigorous code review for all public-facing payment applications"
+  - "Maintain an inventory of all system components in scope for PCI DSS and review scope annually"

package/dist/data/guardrails/soc2-basic.yaml

@@ -0,0 +1,19 @@
+name: soc2-basic
+description: SOC 2 Basic Compliance Guidelines
+category: security
+rules:
+  - "Enforce multi-factor authentication (MFA) for all user and administrative access to production systems"
+  - "Implement role-based access control (RBAC) with least-privilege — review and recertify access quarterly"
+  - "Log all system access, configuration changes, and data operations to a centralized, tamper-evident logging system"
+  - "Establish a formal change management process — all production changes require review, approval, and rollback plans"
+  - "Conduct regular vulnerability scans and penetration tests — remediate critical findings within defined SLAs"
+  - "Implement automated monitoring and alerting for system availability, performance anomalies, and security events"
+  - "Maintain and test an incident response plan — define roles, escalation paths, communication templates, and post-mortem processes"
+  - "Encrypt sensitive data at rest (AES-256) and in transit (TLS 1.2+) across all system components"
+  - "Perform vendor security assessments before onboarding third-party services that process or store customer data"
+  - "Implement automated backups with defined RPO/RTO targets and test restoration procedures at least annually"
+  - "Enforce separation of duties — no single person should be able to deploy code, approve changes, and access production data"
+  - "Revoke access to all systems within 24 hours of employee termination or role change"
+  - "Maintain a documented and enforced data classification policy — label data as public, internal, confidential, or restricted"
+  - "Implement network segmentation — isolate production, staging, and development environments from each other"
+  - "Require security awareness training for all employees and contractors with access to customer data at least annually"

package/dist/data/guardrails/wcag-aa.yaml

@@ -0,0 +1,16 @@
+name: wcag-aa
+description: WCAG 2.1 Level AA Accessibility Guidelines
+category: quality
+rules:
+  - "All images must have descriptive alt text (or empty alt for decorative images)"
+  - "Ensure color contrast ratio of at least 4.5:1 for normal text, 3:1 for large text"
+  - "All interactive elements must be keyboard accessible with visible focus indicators"
+  - "Form inputs must have associated labels — use htmlFor/id or aria-label"
+  - "Use semantic HTML elements (nav, main, header, footer, article, section) for document structure"
+  - "Provide skip navigation links for keyboard users"
+  - "Ensure all content is readable and functional at 200% zoom"
+  - "Use aria-live regions for dynamic content updates that should be announced to screen readers"
+  - "Never use color alone to convey information — supplement with text, icons, or patterns"
+  - "Provide text alternatives for all non-text content (video captions, audio transcripts)"
+  - "Ensure touch targets are at least 44x44px on mobile"
+  - "Support reduced-motion preferences via prefers-reduced-motion media query"