guardrail-compliance 1.0.0

package/dist/container/scanner.js

@@ -0,0 +1,143 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.containerScanner = exports.ContainerScanner = void 0;
+const database_1 = require("@guardrail/database");
+const fs_1 = require("fs");
+const rules_1 = require("./rules");
+class ContainerScanner {
+    /**
+     * Scan Docker image for vulnerabilities
+     * In production, would integrate with Trivy or Grype
+     */
+    async scanImage(imageName, tag, projectId) {
+        // Simulate vulnerability scanning
+        // In production, would execute: trivy image imageName:tag --format json
+        const vulnerabilities = [];
+        // Example vulnerabilities (in production, parsed from Trivy/Grype output)
+        // const exampleVulns: Vulnerability[] = [
+        //   {
+        //     id: 'CVE-2024-1234',
+        //     severity: 'high',
+        //     package: 'openssl',
+        //     installedVersion: '1.1.1k',
+        //     fixedVersion: '1.1.1w',
+        //     description: 'OpenSSL vulnerability'
+        //   }
+        // ];
+        const summary = {
+            critical: vulnerabilities.filter(v => v.severity === 'critical').length,
+            high: vulnerabilities.filter(v => v.severity === 'high').length,
+            medium: vulnerabilities.filter(v => v.severity === 'medium').length,
+            low: vulnerabilities.filter(v => v.severity === 'low').length
+        };
+        // Save to database
+        try {
+            await database_1.prisma.containerScan.create({
+                data: {
+                    projectId
+                }
+            });
+        }
+        catch (error) {
+            // Table may not exist - continue
+        }
+        return {
+            projectId,
+            imageName,
+            imageTag: tag,
+            summary,
+            vulnerabilities
+        };
+    }
+    /**
+     * Scan Dockerfile for security issues
+     */
+    async scanDockerfile(dockerfilePath) {
+        if (!(0, fs_1.existsSync)(dockerfilePath)) {
+            throw new Error(`Dockerfile not found: ${dockerfilePath}`);
+        }
+        const content = (0, fs_1.readFileSync)(dockerfilePath, 'utf-8');
+        const lines = content.split('\n');
+        const findings = [];
+        let hasHealthcheck = false;
+        let hasUser = false;
+        let fromCount = 0;
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i]?.trim();
+            if (!line)
+                continue;
+            // Skip comments and empty lines
+            if (line.startsWith('#')) {
+                continue;
+            }
+            // Parse instruction
+            const parts = line.split(/\s+/);
+            const instruction = parts[0]?.toUpperCase();
+            const value = parts.slice(1).join(' ');
+            // Track special instructions
+            if (instruction === 'HEALTHCHECK')
+                hasHealthcheck = true;
+            if (instruction === 'USER')
+                hasUser = true;
+            if (instruction === 'FROM')
+                fromCount++;
+            // Check against rules
+            for (const rule of rules_1.DOCKERFILE_RULES) {
+                if (rule.check(instruction, value || '')) {
+                    findings.push({
+                        ruleId: rule.id,
+                        title: rule.title,
+                        description: rule.description,
+                        severity: rule.severity,
+                        line: i + 1,
+                        instruction: instruction,
+                        value: value || '',
+                        recommendation: rule.recommendation
+                    });
+                }
+            }
+        }
+        // Check for missing HEALTHCHECK
+        if (!hasHealthcheck) {
+            findings.push({
+                ruleId: 'DOCKER-003',
+                title: 'Missing Health Check',
+                description: 'No HEALTHCHECK instruction defined',
+                severity: 'low',
+                line: 0,
+                instruction: 'HEALTHCHECK',
+                value: '',
+                recommendation: 'Add HEALTHCHECK instruction'
+            });
+        }
+        // Check for missing USER (running as root)
+        if (!hasUser) {
+            findings.push({
+                ruleId: 'DOCKER-001',
+                title: 'Running as Root',
+                description: 'No USER instruction - container runs as root',
+                severity: 'high',
+                line: 0,
+                instruction: 'USER',
+                value: '',
+                recommendation: 'Add USER instruction to run as non-root'
+            });
+        }
+        // Check for multi-stage builds
+        if (fromCount === 1) {
+            findings.push({
+                ruleId: 'DOCKER-006',
+                title: 'Missing Multi-Stage Build',
+                description: 'Single-stage build - consider using multi-stage',
+                severity: 'low',
+                line: 0,
+                instruction: 'FROM',
+                value: '',
+                recommendation: 'Use multi-stage builds to reduce image size'
+            });
+        }
+        return findings;
+    }
+}
+exports.ContainerScanner = ContainerScanner;
+exports.containerScanner = new ContainerScanner();

package/dist/frameworks/engine.d.ts

@@ -0,0 +1,108 @@
+export interface ComplianceControl {
+    id: string;
+    title: string;
+    description: string;
+    category: string;
+    requirements: string[];
+    automatedChecks?: AutomatedCheck[];
+    manualSteps?: string[];
+}
+export interface AutomatedCheck {
+    id: string;
+    description: string;
+    check: (projectPath: string) => Promise<CheckResult>;
+}
+export interface CheckResult {
+    passed: boolean;
+    details: string;
+    evidence?: any;
+}
+export interface ComplianceFramework {
+    id: string;
+    name: string;
+    version: string;
+    description: string;
+    controls: ComplianceControl[];
+}
+export interface ControlAssessment {
+    controlId: string;
+    title: string;
+    status: 'compliant' | 'partial' | 'non-compliant' | 'not-assessed';
+    score: number;
+    findings: string[];
+    evidence: any[];
+    gaps: string[];
+}
+export interface ComplianceGap {
+    controlId: string;
+    severity: 'high' | 'medium' | 'low';
+    description: string;
+    recommendation: string;
+}
+export interface ComplianceEvidence {
+    controlId: string;
+    type: string;
+    description: string;
+    data: any;
+    timestamp: Date;
+}
+export interface ComplianceAssessmentResult {
+    projectId: string;
+    frameworkId: string;
+    summary: {
+        totalControls: number;
+        compliant: number;
+        partial: number;
+        nonCompliant: number;
+        score: number;
+    };
+    controls: ControlAssessment[];
+    gaps: ComplianceGap[];
+    evidence: ComplianceEvidence[];
+}
+export declare class ComplianceAutomationEngine {
+    private frameworks;
+    constructor();
+    /**
+     * Load all compliance frameworks
+     */
+    private loadFrameworks;
+    /**
+     * Get available frameworks
+     */
+    getFrameworks(): ComplianceFramework[];
+    /**
+     * Get specific framework
+     */
+    getFramework(frameworkId: string): ComplianceFramework | undefined;
+    /**
+     * Run compliance assessment
+     */
+    assess(projectPath: string, frameworkId: string, projectId: string): Promise<ComplianceAssessmentResult>;
+    /**
+     * Assess single control
+     */
+    private assessControl;
+    /**
+     * Run automated check
+     */
+    private runCheck;
+    /**
+     * Generate evidence for control
+     */
+    generateEvidence(projectPath: string, _frameworkId: string, _controlId: string): Promise<ComplianceEvidence[]>;
+    /**
+     * Calculate overall compliance score
+     */
+    private calculateOverallScore;
+    /**
+     * Determine gap severity based on control category
+     */
+    private determineGapSeverity;
+    /**
+     * Get recommendation for gap
+     */
+    private getRecommendation;
+}
+export declare const complianceAutomationEngine: ComplianceAutomationEngine;
+//# sourceMappingURL=engine.d.ts.map

package/dist/frameworks/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/frameworks/engine.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,eAAe,CAAC,EAAE,cAAc,EAAE,CAAC;IACnC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;CACtD;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,GAAG,CAAC;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,iBAAiB,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,WAAW,GAAG,SAAS,GAAG,eAAe,GAAG,cAAc,CAAC;IACnE,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,EAAE,GAAG,EAAE,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,GAAG,CAAC;IACV,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,0BAA0B;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE;QACP,aAAa,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,YAAY,EAAE,MAAM,CAAC;QACrB,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IACF,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,IAAI,EAAE,aAAa,EAAE,CAAC;IACtB,QAAQ,EAAE,kBAAkB,EAAE,CAAC;CAChC;AAED,qBAAa,0BAA0B;IACrC,OAAO,CAAC,UAAU,CAAmC;;IAOrD;;OAEG;IACH,OAAO,CAAC,cAAc;IAOtB;;OAEG;IACH,aAAa,IAAI,mBAAmB,EAAE;IAItC;;OAEG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAIlE;;OAEG;IACG,MAAM,CAAC,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAgE9G;;OAEG;YACW,aAAa;IAuD3B;;OAEG;YACW,QAAQ;IAItB;;OAEG;IACG,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAoBpH;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAO7B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAY5B;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAI1B;AAED,eAAO,MAAM,0BAA0B,4BAAmC,CAAC"}

package/dist/frameworks/engine.js

@@ -0,0 +1,206 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.complianceAutomationEngine = exports.ComplianceAutomationEngine = void 0;
+const database_1 = require("@guardrail/database");
+const soc2_1 = require("./soc2");
+const gdpr_1 = require("./gdpr");
+const hipaa_1 = require("./hipaa");
+const pci_1 = require("./pci");
+class ComplianceAutomationEngine {
+    frameworks;
+    constructor() {
+        this.frameworks = new Map();
+        this.loadFrameworks();
+    }
+    /**
+     * Load all compliance frameworks
+     */
+    loadFrameworks() {
+        this.frameworks.set('soc2', soc2_1.SOC2_FRAMEWORK);
+        this.frameworks.set('gdpr', gdpr_1.GDPR_FRAMEWORK);
+        this.frameworks.set('hipaa', hipaa_1.HIPAA_FRAMEWORK);
+        this.frameworks.set('pci', pci_1.PCI_FRAMEWORK);
+    }
+    /**
+     * Get available frameworks
+     */
+    getFrameworks() {
+        return Array.from(this.frameworks.values());
+    }
+    /**
+     * Get specific framework
+     */
+    getFramework(frameworkId) {
+        return this.frameworks.get(frameworkId);
+    }
+    /**
+     * Run compliance assessment
+     */
+    async assess(projectPath, frameworkId, projectId) {
+        const framework = this.frameworks.get(frameworkId);
+        if (!framework) {
+            throw new Error(`Framework ${frameworkId} not found`);
+        }
+        const controlAssessments = [];
+        const allGaps = [];
+        const allEvidence = [];
+        // Assess each control
+        for (const control of framework.controls) {
+            const assessment = await this.assessControl(projectPath, control);
+            controlAssessments.push(assessment);
+            // Generate evidence
+            const evidence = await this.generateEvidence(projectPath, frameworkId, control.id);
+            allEvidence.push(...evidence);
+            // Identify gaps
+            if (assessment.status === 'non-compliant' || assessment.status === 'partial') {
+                allGaps.push(...assessment.gaps.map(gap => ({
+                    controlId: control.id,
+                    severity: this.determineGapSeverity(control.category),
+                    description: gap,
+                    recommendation: this.getRecommendation(control.id, gap)
+                })));
+            }
+        }
+        // Calculate summary
+        const summary = {
+            totalControls: controlAssessments.length,
+            compliant: controlAssessments.filter(a => a.status === 'compliant').length,
+            partial: controlAssessments.filter(a => a.status === 'partial').length,
+            nonCompliant: controlAssessments.filter(a => a.status === 'non-compliant').length,
+            score: this.calculateOverallScore(controlAssessments)
+        };
+        const result = {
+            projectId,
+            frameworkId,
+            summary,
+            controls: controlAssessments,
+            gaps: allGaps,
+            evidence: allEvidence
+        };
+        // Save to database
+        await database_1.prisma.complianceAssessment.create({
+            data: {
+                projectId,
+                frameworkId,
+                summary: summary,
+                controls: controlAssessments,
+                gaps: allGaps,
+                evidence: allEvidence
+            }
+        });
+        return result;
+    }
+    /**
+     * Assess single control
+     */
+    async assessControl(projectPath, control) {
+        const findings = [];
+        const evidence = [];
+        const gaps = [];
+        let passedChecks = 0;
+        let totalChecks = control.automatedChecks?.length || 0;
+        // Run automated checks
+        if (control.automatedChecks) {
+            for (const check of control.automatedChecks) {
+                try {
+                    const result = await this.runCheck(projectPath, check);
+                    if (result.passed) {
+                        passedChecks++;
+                        findings.push(`✓ ${check.description}`);
+                    }
+                    else {
+                        findings.push(`✗ ${check.description}: ${result.details}`);
+                        gaps.push(result.details);
+                    }
+                    if (result.evidence) {
+                        evidence.push(result.evidence);
+                    }
+                }
+                catch (error) {
+                    findings.push(`✗ ${check.description}: Error running check`);
+                }
+            }
+        }
+        // Calculate score and status
+        const score = totalChecks > 0 ? (passedChecks / totalChecks) * 100 : 0;
+        let status;
+        if (totalChecks === 0) {
+            status = 'not-assessed';
+        }
+        else if (score === 100) {
+            status = 'compliant';
+        }
+        else if (score >= 50) {
+            status = 'partial';
+        }
+        else {
+            status = 'non-compliant';
+        }
+        return {
+            controlId: control.id,
+            title: control.title,
+            status,
+            score,
+            findings,
+            evidence,
+            gaps
+        };
+    }
+    /**
+     * Run automated check
+     */
+    async runCheck(projectPath, check) {
+        return await check.check(projectPath);
+    }
+    /**
+     * Generate evidence for control
+     */
+    async generateEvidence(projectPath, _frameworkId, _controlId) {
+        const evidence = [];
+        // Generate evidence based on control type
+        // This is a simplified version - in production would collect actual artifacts
+        evidence.push({
+            controlId: _controlId,
+            type: 'automated-scan',
+            description: `Automated compliance scan for ${_controlId}`,
+            data: {
+                timestamp: new Date(),
+                projectPath
+            },
+            timestamp: new Date()
+        });
+        return evidence;
+    }
+    /**
+     * Calculate overall compliance score
+     */
+    calculateOverallScore(assessments) {
+        if (assessments.length === 0)
+            return 0;
+        const totalScore = assessments.reduce((sum, a) => sum + a.score, 0);
+        return Math.round(totalScore / assessments.length);
+    }
+    /**
+     * Determine gap severity based on control category
+     */
+    determineGapSeverity(category) {
+        const highSeverityCategories = ['access-control', 'data-protection', 'security'];
+        const mediumSeverityCategories = ['logging', 'monitoring', 'change-management'];
+        if (highSeverityCategories.includes(category)) {
+            return 'high';
+        }
+        else if (mediumSeverityCategories.includes(category)) {
+            return 'medium';
+        }
+        return 'low';
+    }
+    /**
+     * Get recommendation for gap
+     */
+    getRecommendation(_controlId, gap) {
+        // In production, would have specific recommendations for each control
+        return `Implement controls to address: ${gap}`;
+    }
+}
+exports.ComplianceAutomationEngine = ComplianceAutomationEngine;
+exports.complianceAutomationEngine = new ComplianceAutomationEngine();

package/dist/frameworks/gdpr.d.ts

@@ -0,0 +1,6 @@
+import { ComplianceFramework } from './engine';
+/**
+ * GDPR (General Data Protection Regulation) Compliance Framework
+ */
+export declare const GDPR_FRAMEWORK: ComplianceFramework;
+//# sourceMappingURL=gdpr.d.ts.map

package/dist/frameworks/gdpr.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gdpr.d.ts","sourceRoot":"","sources":["../../src/frameworks/gdpr.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAe,MAAM,UAAU,CAAC;AAI5D;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,mBAoM5B,CAAC"}

package/dist/frameworks/gdpr.js

@@ -0,0 +1,198 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GDPR_FRAMEWORK = void 0;
+const fs_1 = require("fs");
+const path_1 = require("path");
+/**
+ * GDPR (General Data Protection Regulation) Compliance Framework
+ */
+exports.GDPR_FRAMEWORK = {
+    id: 'gdpr',
+    name: 'GDPR',
+    version: '2018',
+    description: 'General Data Protection Regulation',
+    controls: [
+        {
+            id: 'ART5',
+            title: 'Principles of Processing Personal Data',
+            description: 'Personal data shall be processed lawfully, fairly and in a transparent manner',
+            category: 'data-protection',
+            requirements: [
+                'Lawfulness, fairness and transparency',
+                'Purpose limitation',
+                'Data minimisation',
+                'Accuracy',
+                'Storage limitation',
+                'Integrity and confidentiality'
+            ],
+            automatedChecks: [
+                {
+                    id: 'ART5-001',
+                    description: 'Check for PII data collection documentation',
+                    check: async (projectPath) => {
+                        const privacyDocs = [
+                            'PRIVACY.md',
+                            'privacy-policy.md',
+                            'docs/privacy',
+                            'GDPR.md'
+                        ];
+                        for (const doc of privacyDocs) {
+                            if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, doc))) {
+                                return {
+                                    passed: true,
+                                    details: 'Privacy documentation found',
+                                    evidence: { document: doc }
+                                };
+                            }
+                        }
+                        return {
+                            passed: false,
+                            details: 'No privacy policy documentation found'
+                        };
+                    }
+                }
+            ],
+            manualSteps: [
+                'Document legal basis for processing',
+                'Implement data retention policies',
+                'Ensure data accuracy mechanisms'
+            ]
+        },
+        {
+            id: 'ART25',
+            title: 'Data Protection by Design and by Default',
+            description: 'Implement appropriate technical and organisational measures for data protection',
+            category: 'data-protection',
+            requirements: [
+                'Data protection by design',
+                'Data protection by default',
+                'Minimisation of personal data',
+                'Pseudonymisation where possible'
+            ],
+            automatedChecks: [
+                {
+                    id: 'ART25-001',
+                    description: 'Verify data encryption at rest',
+                    check: async (projectPath) => {
+                        // Check for database encryption configuration
+                        const envExample = (0, path_1.join)(projectPath, '.env.example');
+                        if ((0, fs_1.existsSync)(envExample)) {
+                            return {
+                                passed: true,
+                                details: 'Environment configuration suggests encryption practices',
+                                evidence: { file: '.env.example' }
+                            };
+                        }
+                        return {
+                            passed: false,
+                            details: 'No evidence of encryption configuration'
+                        };
+                    }
+                },
+                {
+                    id: 'ART25-002',
+                    description: 'Check for data anonymization/pseudonymization',
+                    check: async (_projectPath) => {
+                        // This would check for anonymization libraries or patterns
+                        return {
+                            passed: false,
+                            details: 'Manual review required for anonymization practices'
+                        };
+                    }
+                }
+            ]
+        },
+        {
+            id: 'ART32',
+            title: 'Security of Processing',
+            description: 'Implement appropriate technical and organisational measures to ensure a level of security',
+            category: 'security',
+            requirements: [
+                'Pseudonymisation and encryption',
+                'Ongoing confidentiality, integrity, availability',
+                'Regular testing and evaluation',
+                'Process for restoring availability'
+            ],
+            automatedChecks: [
+                {
+                    id: 'ART32-001',
+                    description: 'Verify HTTPS enforcement',
+                    check: async (_projectPath) => {
+                        // Check for HTTPS/TLS configuration
+                        // In production would check actual configuration
+                        return {
+                            passed: false,
+                            details: 'Manual verification required for HTTPS enforcement'
+                        };
+                    }
+                },
+                {
+                    id: 'ART32-002',
+                    description: 'Check for security testing',
+                    check: async (projectPath) => {
+                        const securityTestDirs = [
+                            'test/security',
+                            'tests/security',
+                            '__tests__/security'
+                        ];
+                        for (const dir of securityTestDirs) {
+                            if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, dir))) {
+                                return {
+                                    passed: true,
+                                    details: 'Security tests found',
+                                    evidence: { directory: dir }
+                                };
+                            }
+                        }
+                        return {
+                            passed: false,
+                            details: 'No security tests found'
+                        };
+                    }
+                }
+            ]
+        },
+        {
+            id: 'ART33',
+            title: 'Breach Notification',
+            description: 'Notify supervisory authority of a personal data breach within 72 hours',
+            category: 'incident-response',
+            requirements: [
+                'Breach detection capability',
+                'Breach notification procedures',
+                'Documentation of breaches'
+            ],
+            automatedChecks: [
+                {
+                    id: 'ART33-001',
+                    description: 'Check for incident response procedures',
+                    check: async (projectPath) => {
+                        const irDocs = [
+                            'SECURITY.md',
+                            'docs/incident-response',
+                            'docs/security/incident-response.md'
+                        ];
+                        for (const doc of irDocs) {
+                            if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, doc))) {
+                                return {
+                                    passed: true,
+                                    details: 'Incident response documentation found',
+                                    evidence: { document: doc }
+                                };
+                            }
+                        }
+                        return {
+                            passed: false,
+                            details: 'No incident response documentation found'
+                        };
+                    }
+                }
+            ],
+            manualSteps: [
+                'Define breach notification workflow',
+                'Establish contact with supervisory authority',
+                'Create breach documentation templates'
+            ]
+        }
+    ]
+};

package/dist/frameworks/hipaa.d.ts

@@ -0,0 +1,6 @@
+import { ComplianceFramework } from './engine';
+/**
+ * HIPAA (Health Insurance Portability and Accountability Act) Compliance Framework
+ */
+export declare const HIPAA_FRAMEWORK: ComplianceFramework;
+//# sourceMappingURL=hipaa.d.ts.map

package/dist/frameworks/hipaa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hipaa.d.ts","sourceRoot":"","sources":["../../src/frameworks/hipaa.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAe,MAAM,UAAU,CAAC;AAI5D;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,mBAyM7B,CAAC"}