heron-ai 0.2.2 → 0.4.0

package/dist/src/compliance/control-mappings.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Finding → framework-control mapping table.
+ *
+ * One entry per finding type. Each entry lists the controls that finding
+ * activates across every registered framework.
+ *
+ * Scope (2026-04-24): EU AI Act, GDPR, ISO/IEC 42001, AIUC-1, NIST AI RMF.
+ * EU AI Act controls tagged `annexIII: true` fire only when the system is
+ * classified as high-risk (previously lived in a separate
+ * `eu-ai-act-high-risk` framework entry that has now been merged into
+ * `eu-ai-act`). AIUC-1 controls may additionally carry `gatedBy` for
+ * architecture-specific signal filtering.
+ *
+ * Mappings are INDICATIVE — they surface which framework clauses a finding
+ * typically activates, not a certification that the controls are satisfied.
+ */
+import type { ControlMapping, FindingType, FrameworkControl } from './types.js';
+export declare const CONTROL_MAPPINGS: Record<FindingType, ControlMapping>;
+export declare function getMapping(findingType: FindingType): ControlMapping;
+export declare function controlsFor(findingType: FindingType, frameworkId: FrameworkControl['frameworkId']): FrameworkControl[];
+//# sourceMappingURL=control-mappings.d.ts.map

package/dist/src/compliance/control-mappings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"control-mappings.d.ts","sourceRoot":"","sources":["../../../src/compliance/control-mappings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAahF,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,WAAW,EAAE,cAAc,CAuKhE,CAAC;AAIF,wBAAgB,UAAU,CAAC,WAAW,EAAE,WAAW,GAAG,cAAc,CAEnE;AAED,wBAAgB,WAAW,CACzB,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,gBAAgB,CAAC,aAAa,CAAC,GAC3C,gBAAgB,EAAE,CAIpB"}

package/dist/src/compliance/control-mappings.js

@@ -0,0 +1,182 @@
+/**
+ * Finding → framework-control mapping table.
+ *
+ * One entry per finding type. Each entry lists the controls that finding
+ * activates across every registered framework.
+ *
+ * Scope (2026-04-24): EU AI Act, GDPR, ISO/IEC 42001, AIUC-1, NIST AI RMF.
+ * EU AI Act controls tagged `annexIII: true` fire only when the system is
+ * classified as high-risk (previously lived in a separate
+ * `eu-ai-act-high-risk` framework entry that has now been merged into
+ * `eu-ai-act`). AIUC-1 controls may additionally carry `gatedBy` for
+ * architecture-specific signal filtering.
+ *
+ * Mappings are INDICATIVE — they surface which framework clauses a finding
+ * typically activates, not a certification that the controls are satisfied.
+ */
+// ─── Tiny builder to keep the data table readable ──────────────────────────
+const c = (frameworkId, controlId, note, opts) => ({ frameworkId, controlId, note, ...opts });
+// ─── Mappings by finding type ──────────────────────────────────────────────
+export const CONTROL_MAPPINGS = {
+    'excessive-access': {
+        findingType: 'excessive-access',
+        category: 'privacy',
+        summary: 'Agent has been granted scopes or resource access beyond what its stated purpose requires (least-privilege violation).',
+        controls: [
+            c('iso-42001', 'A.6.2.6', 'Access controls for AI system resources.'),
+            c('iso-42001', 'A.6.2.5', 'Restrict AI system resource interactions.'),
+            c('iso-42001', 'A.9.2', 'Internal audit of AI management system.'),
+            c('eu-ai-act', 'Art. 9(2)(a)', 'Risk management — identification and analysis (high-risk baseline reference).'),
+            c('eu-ai-act', 'Art. 15(4-5)', 'Accuracy and robustness — resilience to misuse (baseline reference).'),
+            c('gdpr', 'Art. 25', 'Data protection by design and by default.'),
+            // ── AIUC-1 (Q2-2026) ──
+            c('aiuc-1', 'A003.3', 'Agent has its own non-human identity separate from the invoking user.'),
+            c('aiuc-1', 'A003.4', 'Agent scopes bounded by least-privilege for its stated task.'),
+            c('aiuc-1', 'B007', 'User-level access privileges enforced for every agent action.'),
+            c('aiuc-1', 'B008.2', 'MCP / A2A interfaces require authentication, encrypted transport, and integrity protection.', { gatedBy: ['hasMCPOrA2A'] }),
+            // ── NIST AI RMF (voluntary) ──
+            c('nist-ai-rmf', 'MAP 3.2', 'Map context of use — identify access scope.'),
+            c('nist-ai-rmf', 'GOVERN 6.1', 'Policies for organizational risk governance.'),
+            c('nist-ai-rmf', 'MEASURE 2.7', 'Evaluate AI system trustworthiness metrics.'),
+            c('nist-ai-rmf', 'MANAGE 1.2', 'Treat and respond to identified risks.'),
+        ],
+    },
+    'write-risk': {
+        findingType: 'write-risk',
+        category: 'consumer-protection',
+        summary: 'Agent performs write operations — especially irreversible or unapproved ones — that can affect users or downstream systems.',
+        controls: [
+            c('iso-42001', 'A.6.2.4', 'Controls for AI system operational changes.'),
+            c('iso-42001', 'A.6.2.8', 'Logging and monitoring of AI system actions.'),
+            c('iso-42001', 'A.5.3', 'Roles and responsibilities for AI operations.'),
+            c('eu-ai-act', 'Art. 14(4)(d)', 'Human oversight — override/stop function (baseline).'),
+            c('eu-ai-act', 'Art. 9(6)-(7)', 'Risk management testing before deployment (baseline reference).'),
+            // ── AIUC-1 (Q2-2026) ──
+            c('aiuc-1', 'B006', 'Unauthorized agent actions blocked at the tool/effect boundary.'),
+            c('aiuc-1', 'D003', 'Restrict unsafe tool-calls: allowlist tools, validate arguments, refuse destructive ops without approval.'),
+            c('aiuc-1', 'E015.2', 'Log every sub-agent and tool-call invocation with inputs, outputs, and principal.', { gatedBy: ['hasSubAgents'] }),
+            c('aiuc-1', 'F001', 'Prevent cyber misuse: stop the agent from being used to harvest credentials, exfiltrate data, or launch attacks.'),
+            // ── NIST AI RMF (voluntary) ──
+            c('nist-ai-rmf', 'MAP 3.5', 'Map risks from AI-induced actions and side-effects.'),
+            c('nist-ai-rmf', 'MANAGE 2.4', 'Manage residual risk from AI system operations.'),
+            c('nist-ai-rmf', 'GOVERN 1.7', 'Processes for escalating AI-driven actions.'),
+        ],
+    },
+    'sensitive-data': {
+        findingType: 'sensitive-data',
+        category: 'privacy',
+        summary: 'Agent processes personal, health, financial, or otherwise sensitive data — activates data-protection statutes.',
+        controls: [
+            c('iso-42001', 'A.7.4', 'Data quality and integrity for AI systems.'),
+            c('iso-42001', 'A.7.5', 'Sensitive data handling procedures.'),
+            c('iso-42001', 'A.5.4', 'Privacy impact considerations in AI lifecycle.'),
+            // ── EU AI Act baseline (Art. 50 transparency) ──
+            c('eu-ai-act', 'Art. 50(1)', 'Transparency — inform affected persons.'),
+            // ── EU AI Act Annex III (high-risk data governance) ──
+            c('eu-ai-act', 'Art. 10(1-5)', 'Data governance for high-risk AI systems — training/validation/test sets.', { annexIII: true }),
+            c('eu-ai-act', 'Art. 13', 'Transparency and provision of information (high-risk).', { annexIII: true }),
+            c('eu-ai-act', 'Art. 15', 'Accuracy, robustness, cybersecurity (high-risk).', { annexIII: true }),
+            c('gdpr', 'Art. 6', 'Lawful basis for processing.'),
+            c('gdpr', 'Art. 35', 'DPIA for high-risk processing.'),
+            c('gdpr', 'Art. 33', '72-hour breach notification.'),
+            // ── AIUC-1 (Q2-2026) ──
+            c('aiuc-1', 'A001', 'Input data policy: document lawful basis, sources, and allowed uses.'),
+            c('aiuc-1', 'A002', 'Output data policy: govern retention, downstream sharing, and deletion.'),
+            c('aiuc-1', 'A005', "Cross-customer isolation: one customer's data never leaks into another's session, cache, logs, or fine-tune set.", { gatedBy: ['hasCrossCustomer'] }),
+            c('aiuc-1', 'A006', 'PII leakage prevention: redaction and output filtering for personal data.'),
+            // ── NIST AI RMF (voluntary) ──
+            c('nist-ai-rmf', 'MEASURE 2.10', 'Privacy risk — measure and document impacts.'),
+            c('nist-ai-rmf', 'GOVERN 1.1', 'Policies for AI risk management established.'),
+            c('nist-ai-rmf', 'MAP 5.1', 'Likelihood and impact of privacy harms mapped.'),
+        ],
+    },
+    'scope-creep': {
+        findingType: 'scope-creep',
+        category: 'consumer-protection',
+        summary: 'Agent\'s requested permissions exceed what is needed for the stated purpose — a precursor to unintended use.',
+        controls: [
+            c('iso-42001', 'A.6.2.6', 'Access controls — restrict scope to purpose.'),
+            c('iso-42001', 'A.5.2', 'AI policy covers purpose limitation.'),
+            c('eu-ai-act', 'Art. 9(1)', 'Risk management system — continuous obligation (baseline).'),
+            c('eu-ai-act', 'Art. 72', 'Post-market monitoring plan (baseline reference).'),
+            c('eu-ai-act', 'Art. 11', 'Technical documentation (baseline reference).'),
+            c('gdpr', 'Art. 5(1)(b)', 'Purpose limitation.'),
+            // ── NIST AI RMF (voluntary) ──
+            c('nist-ai-rmf', 'MEASURE 2.4', 'Measure scientific merit and scope of AI system.'),
+            c('nist-ai-rmf', 'MEASURE 3.1', 'Measure effectiveness of risk response.'),
+            c('nist-ai-rmf', 'MAP 1.6', 'Map intended and potential unintended uses.'),
+        ],
+    },
+    'regulatory-flags': {
+        findingType: 'regulatory-flags',
+        category: 'sector-specific',
+        summary: 'Agent operates in a regulated domain (employment, credit, insurance, health, housing, education, legal) that triggers domain-specific obligations.',
+        controls: [
+            c('iso-42001', 'A.5.2', 'AI policy addresses sector-specific obligations.'),
+            c('iso-42001', 'A.9.3', 'Management review includes regulatory findings.'),
+            // ── EU AI Act baseline ──
+            c('eu-ai-act', 'Art. 12', 'Record-keeping for regulated contexts (baseline).'),
+            // ── EU AI Act Annex III (high-risk regulated domains) ──
+            c('eu-ai-act', 'Art. 6(2) + Annex III', 'High-risk classification — regulated sector reference.', { annexIII: true }),
+            c('eu-ai-act', 'Art. 43', 'Conformity assessment for high-risk systems.', { annexIII: true }),
+            c('eu-ai-act', 'Art. 49', 'EU database registration (high-risk).', { annexIII: true }),
+            c('eu-ai-act', 'Art. 9', 'Risk management system (high-risk).', { annexIII: true }),
+            c('eu-ai-act', 'Art. 11', 'Technical documentation (high-risk).', { annexIII: true }),
+            c('eu-ai-act', 'Art. 12', 'Record-keeping obligations (high-risk).', { annexIII: true }),
+            // ── NIST AI RMF (voluntary) ──
+            c('nist-ai-rmf', 'GOVERN 1.1', 'Policies for AI risk management established.'),
+            c('nist-ai-rmf', 'MAP 4.1', 'Map organizational risk tolerance to AI risks.'),
+            c('nist-ai-rmf', 'GOVERN 3.2', 'Processes for regulatory compliance tracking.'),
+        ],
+    },
+    'risk-score': {
+        findingType: 'risk-score',
+        category: 'consumer-protection',
+        summary: 'Overall composite risk-score methodology — anchors the headline rating to published risk-management frameworks.',
+        controls: [
+            c('iso-42001', 'Clause 6.1', 'Actions to address risks and opportunities.'),
+            c('eu-ai-act', 'Art. 9(2)(b)', 'Risk management — estimation and evaluation (baseline).'),
+            c('eu-ai-act', 'Art. 9(8)', 'Risk management system documented and up-to-date (baseline).'),
+            // ── NIST AI RMF (voluntary) — anchors the composite score methodology ──
+            c('nist-ai-rmf', 'MANAGE 1.2', 'Treat and respond to identified risks.'),
+            c('nist-ai-rmf', 'MEASURE 1.1', 'Identify and document AI risk measurement methods.'),
+        ],
+    },
+    'decisions-about-people': {
+        findingType: 'decisions-about-people',
+        category: 'consumer-protection',
+        summary: 'Agent makes or materially influences automated decisions affecting individuals (employment, credit, access, etc.).',
+        controls: [
+            c('iso-42001', 'A.9.3', 'Management review includes decision-impact findings.'),
+            // ── EU AI Act baseline (transparency + baseline oversight) ──
+            c('eu-ai-act', 'Art. 50(1)', 'Transparency — inform affected persons.'),
+            c('eu-ai-act', 'Art. 14(4)(d)', 'Human oversight — baseline override/stop function.'),
+            // ── EU AI Act Annex III (full high-risk obligations) ──
+            c('eu-ai-act', 'Art. 6(2) + Annex III', 'High-risk classification reference.', { annexIII: true }),
+            c('eu-ai-act', 'Art. 9', 'Risk management system (high-risk).', { annexIII: true }),
+            c('eu-ai-act', 'Art. 10', 'Data governance (high-risk).', { annexIII: true }),
+            c('eu-ai-act', 'Art. 14', 'Human oversight — full high-risk obligations.', { annexIII: true }),
+            c('eu-ai-act', 'Art. 27', 'FRIA — deployers (public bodies).', { annexIII: true }),
+            c('eu-ai-act', 'Art. 43', 'Conformity assessment.', { annexIII: true }),
+            c('eu-ai-act', 'Art. 49', 'EU database registration.', { annexIII: true }),
+            c('eu-ai-act', 'Art. 72', 'Post-market monitoring.', { annexIII: true }),
+            c('gdpr', 'Art. 22', 'Right not to be subject to solely automated decisions.'),
+            // ── AIUC-1 (Q2-2026) ──
+            c('aiuc-1', 'C007', 'Human-in-the-loop review for consequential decisions.'),
+            c('aiuc-1', 'C009', 'Real-time override: operator can halt or reverse agent decisions live.'),
+            c('aiuc-1', 'E004', 'Assigned accountability: a named owner is responsible for agent behaviour.'),
+            c('aiuc-1', 'E016', 'AI disclosure: inform affected persons that an AI agent is involved.'),
+            // ── NIST AI RMF (voluntary) ──
+            c('nist-ai-rmf', 'GOVERN 1.1', 'Policies for AI risk management established.'),
+            c('nist-ai-rmf', 'MAP 4.1', 'Map organizational risk tolerance to AI risks.'),
+        ],
+    },
+};
+// ─── Convenience accessors ──────────────────────────────────────────────────
+export function getMapping(findingType) {
+    return CONTROL_MAPPINGS[findingType];
+}
+export function controlsFor(findingType, frameworkId) {
+    return CONTROL_MAPPINGS[findingType].controls.filter((ctrl) => ctrl.frameworkId === frameworkId);
+}
+//# sourceMappingURL=control-mappings.js.map

package/dist/src/compliance/control-mappings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"control-mappings.js","sourceRoot":"","sources":["../../../src/compliance/control-mappings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,8EAA8E;AAE9E,MAAM,CAAC,GAAG,CACR,WAA4C,EAC5C,SAAiB,EACjB,IAAa,EACb,IAAiD,EAC/B,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;AAEnE,8EAA8E;AAE9E,MAAM,CAAC,MAAM,gBAAgB,GAAwC;IACnE,kBAAkB,EAAE;QAClB,WAAW,EAAE,kBAAkB;QAC/B,QAAQ,EAAE,SAAS;QACnB,OAAO,EACL,uHAAuH;QACzH,QAAQ,EAAE;YACR,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,0CAA0C,CAAC;YACrE,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,2CAA2C,CAAC;YACtE,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,yCAAyC,CAAC;YAClE,CAAC,CAAC,WAAW,EAAE,cAAc,EAAE,+EAA+E,CAAC;YAC/G,CAAC,CAAC,WAAW,EAAE,cAAc,EAAE,sEAAsE,CAAC;YACtG,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,2CAA2C,CAAC;YACjE,yBAAyB;YACzB,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,uEAAuE,CAAC;YAC9F,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,8DAA8D,CAAC;YACrF,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,+DAA+D,CAAC;YACpF,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,6FAA6F,EAAE,EAAE,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,CAAC;YAClJ,gCAAgC;YAChC,CAAC,CAAC,aAAa,EAAE,SAAS,EAAE,6CAA6C,CAAC;YAC1E,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,8CAA8C,CAAC;YAC9E,CAAC,CAAC,aAAa,EAAE,aAAa,EAAE,6CAA6C,CAAC;YAC9E,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,wCAAwC,CAAC;SACzE;KACF;IAED,YAAY,EAAE;QACZ,WAAW,EAAE,YAAY;QACzB,QAAQ,EAAE,qBAAqB;QAC/B,OAAO,EACL,6HAA6H;QAC/H,QAAQ,EAAE;YACR,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,6CAA6C,CAAC;YACxE,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,8CAA8C,CAAC;YACzE,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,+CAA+C,CAAC;YACxE,CAAC,CAAC,WAAW,EAAE,eAAe,EAAE,sDAAsD,CAAC;YACvF,CAAC,CAAC,WAAW,EAAE,eAAe,EAAE,iEAAiE,CAAC;YAClG,yBAAyB;YACzB,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,iEAAiE,CAAC;YACtF,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,2GAA2G,CAAC;YAChI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,mFAAmF,EAAE,EAAE,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;YACzI,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,kHAAkH,CAAC;YACvI,gCAAgC;YAChC,CAAC,CAAC,aAAa,EAAE,SAAS,EAAE,qDAAqD,CAAC;YAClF,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,iDAAiD,CAAC;YACjF,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,6CAA6C,CAAC;SAC9E;KACF;IAED,gBAAgB,EAAE;QAChB,WAAW,EAAE,gBAAgB;QAC7B,QAAQ,EAAE,SAAS;QACnB,OAAO,EACL,gHAAgH;QAClH,QAAQ,EAAE;YACR,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,4CAA4C,CAAC;YACrE,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,qCAAqC,CAAC;YAC9D,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,gDAAgD,CAAC;YACzE,kDAAkD;YAClD,CAAC,CAAC,WAAW,EAAE,YAAY,EAAE,yCAAyC,CAAC;YACvE,wDAAwD;YACxD,CAAC,CAAC,WAAW,EAAE,cAAc,EAAE,2EAA2E,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC/H,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,wDAAwD,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACvG,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,kDAAkD,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACjG,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,8BAA8B,CAAC;YACnD,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,gCAAgC,CAAC;YACtD,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,8BAA8B,CAAC;YACpD,yBAAyB;YACzB,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,sEAAsE,CAAC;YAC3F,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,yEAAyE,CAAC;YAC9F,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,kHAAkH,EAAE,EAAE,OAAO,EAAE,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC1K,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,2EAA2E,CAAC;YAChG,gCAAgC;YAChC,CAAC,CAAC,aAAa,EAAE,cAAc,EAAE,8CAA8C,CAAC;YAChF,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,8CAA8C,CAAC;YAC9E,CAAC,CAAC,aAAa,EAAE,SAAS,EAAE,gDAAgD,CAAC;SAC9E;KACF;IAED,aAAa,EAAE;QACb,WAAW,EAAE,aAAa;QAC1B,QAAQ,EAAE,qBAAqB;QAC/B,OAAO,EACL,8GAA8G;QAChH,QAAQ,EAAE;YACR,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,8CAA8C,CAAC;YACzE,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,sCAAsC,CAAC;YAC/D,CAAC,CAAC,WAAW,EAAE,WAAW,EAAE,4DAA4D,CAAC;YACzF,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,mDAAmD,CAAC;YAC9E,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,+CAA+C,CAAC;YAC1E,CAAC,CAAC,MAAM,EAAE,cAAc,EAAE,qBAAqB,CAAC;YAChD,gCAAgC;YAChC,CAAC,CAAC,aAAa,EAAE,aAAa,EAAE,kDAAkD,CAAC;YACnF,CAAC,CAAC,aAAa,EAAE,aAAa,EAAE,yCAAyC,CAAC;YAC1E,CAAC,CAAC,aAAa,EAAE,SAAS,EAAE,6CAA6C,CAAC;SAC3E;KACF;IAED,kBAAkB,EAAE;QAClB,WAAW,EAAE,kBAAkB;QAC/B,QAAQ,EAAE,iBAAiB;QAC3B,OAAO,EACL,oJAAoJ;QACtJ,QAAQ,EAAE;YACR,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,kDAAkD,CAAC;YAC3E,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,iDAAiD,CAAC;YAC1E,2BAA2B;YAC3B,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,mDAAmD,CAAC;YAC9E,0DAA0D;YAC1D,CAAC,CAAC,WAAW,EAAE,uBAAuB,EAAE,wDAAwD,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACrH,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,8CAA8C,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC7F,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,uCAAuC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACtF,CAAC,CAAC,WAAW,EAAE,QAAQ,EAAE,qCAAqC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACnF,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,sCAAsC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACrF,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,yCAAyC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACxF,gCAAgC;YAChC,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,8CAA8C,CAAC;YAC9E,CAAC,CAAC,aAAa,EAAE,SAAS,EAAE,gDAAgD,CAAC;YAC7E,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,+CAA+C,CAAC;SAChF;KACF;IAED,YAAY,EAAE;QACZ,WAAW,EAAE,YAAY;QACzB,QAAQ,EAAE,qBAAqB;QAC/B,OAAO,EACL,iHAAiH;QACnH,QAAQ,EAAE;YACR,CAAC,CAAC,WAAW,EAAE,YAAY,EAAE,6CAA6C,CAAC;YAC3E,CAAC,CAAC,WAAW,EAAE,cAAc,EAAE,yDAAyD,CAAC;YACzF,CAAC,CAAC,WAAW,EAAE,WAAW,EAAE,8DAA8D,CAAC;YAC3F,0EAA0E;YAC1E,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,wCAAwC,CAAC;YACxE,CAAC,CAAC,aAAa,EAAE,aAAa,EAAE,oDAAoD,CAAC;SACtF;KACF;IAED,wBAAwB,EAAE;QACxB,WAAW,EAAE,wBAAwB;QACrC,QAAQ,EAAE,qBAAqB;QAC/B,OAAO,EACL,oHAAoH;QACtH,QAAQ,EAAE;YACR,CAAC,CAAC,WAAW,EAAE,OAAO,EAAE,sDAAsD,CAAC;YAC/E,+DAA+D;YAC/D,CAAC,CAAC,WAAW,EAAE,YAAY,EAAE,yCAAyC,CAAC;YACvE,CAAC,CAAC,WAAW,EAAE,eAAe,EAAE,oDAAoD,CAAC;YACrF,yDAAyD;YACzD,CAAC,CAAC,WAAW,EAAE,uBAAuB,EAAE,qCAAqC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAClG,CAAC,CAAC,WAAW,EAAE,QAAQ,EAAE,qCAAqC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACnF,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,8BAA8B,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC7E,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,+CAA+C,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC9F,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,mCAAmC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAClF,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,wBAAwB,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACvE,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,2BAA2B,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAC1E,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,yBAAyB,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YACxE,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,wDAAwD,CAAC;YAC9E,yBAAyB;YACzB,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,uDAAuD,CAAC;YAC5E,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,wEAAwE,CAAC;YAC7F,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,4EAA4E,CAAC;YACjG,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,sEAAsE,CAAC;YAC3F,gCAAgC;YAChC,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,8CAA8C,CAAC;YAC9E,CAAC,CAAC,aAAa,EAAE,SAAS,EAAE,gDAAgD,CAAC;SAC9E;KACF;CACF,CAAC;AAEF,+EAA+E;AAE/E,MAAM,UAAU,UAAU,CAAC,WAAwB;IACjD,OAAO,gBAAgB,CAAC,WAAW,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,WAAwB,EACxB,WAA4C;IAE5C,OAAO,gBAAgB,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAClD,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,KAAK,WAAW,CAC3C,CAAC;AACJ,CAAC"}

package/dist/src/compliance/frameworks.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Framework metadata registry.
+ *
+ * Separation of concerns:
+ *   - frameworks.ts       — WHAT each framework is (name, tier, jurisdiction).
+ *   - control-mappings.ts — WHICH controls a given finding activates.
+ *
+ * Scope (2026-04-24): 5 frameworks — 2 mandatory (EU AI Act, GDPR) + 3
+ * voluntary (ISO/IEC 42001, AIUC-1, NIST AI RMF). EU AI Act is a single
+ * entry; high-risk (Annex III) status is a classification stored per-audit
+ * rather than a separate framework.
+ */
+import type { Framework, FrameworkId, Jurisdiction } from './types.js';
+export declare const FRAMEWORKS: Record<FrameworkId, Framework>;
+export declare function getFramework(id: FrameworkId): Framework;
+export declare function listMandatoryFrameworks(): Framework[];
+export declare function listVoluntaryFrameworks(): Framework[];
+/**
+ * Return frameworks that are mandatory in the given jurisdiction. Used by the
+ * jurisdictional appendix renderer to show, e.g., "Frameworks that apply to
+ * EU-domiciled processing".
+ */
+export declare function frameworksFor(jurisdiction: Jurisdiction): Framework[];
+//# sourceMappingURL=frameworks.d.ts.map

package/dist/src/compliance/frameworks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"frameworks.d.ts","sourceRoot":"","sources":["../../../src/compliance/frameworks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAyBvE,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,SAAS,CAmCrD,CAAC;AAIF,wBAAgB,YAAY,CAAC,EAAE,EAAE,WAAW,GAAG,SAAS,CAEvD;AAED,wBAAgB,uBAAuB,IAAI,SAAS,EAAE,CAErD;AAED,wBAAgB,uBAAuB,IAAI,SAAS,EAAE,CAErD;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,YAAY,EAAE,YAAY,GAAG,SAAS,EAAE,CAIrE"}

package/dist/src/compliance/frameworks.js

@@ -0,0 +1,55 @@
+/**
+ * Framework metadata registry.
+ *
+ * Separation of concerns:
+ *   - frameworks.ts       — WHAT each framework is (name, tier, jurisdiction).
+ *   - control-mappings.ts — WHICH controls a given finding activates.
+ *
+ * Scope (2026-04-24): 5 frameworks — 2 mandatory (EU AI Act, GDPR) + 3
+ * voluntary (ISO/IEC 42001, AIUC-1, NIST AI RMF). EU AI Act is a single
+ * entry; high-risk (Annex III) status is a classification stored per-audit
+ * rather than a separate framework.
+ */
+// ─── Builder helpers ────────────────────────────────────────────────────────
+function mandatory(id, name, mandatoryIn, extras = { primarySource: '' }) {
+    return { id, name, tier: 'mandatory', mandatoryIn, ...extras };
+}
+function voluntary(id, name, primarySource, summary, scopeNote) {
+    return { id, name, tier: 'voluntary', mandatoryIn: [], primarySource, summary, scopeNote };
+}
+// ─── Registry ───────────────────────────────────────────────────────────────
+export const FRAMEWORKS = {
+    // ── Mandatory, EU-wide ───────────────────────────────────────────────────
+    'eu-ai-act': mandatory('eu-ai-act', 'EU AI Act', ['EU'], {
+        primarySource: 'https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202401689',
+        summary: 'Regulation (EU) 2024/1689. Applies to providers, deployers, importers, distributors, and product manufacturers where the AI system is placed on the EU market or its output is used in the EU. Risk-tiered obligations: prohibited practices (Art. 5), high-risk (Art. 6 + Annex III — Art. 9-15, 27, 43, 49, 72), limited-risk transparency (Art. 50), minimal-risk.',
+        scopeNote: 'Prohibited practices (Art. 5) in force since 2025-02-02. GPAI obligations since 2025-08-02. High-risk Annex III obligations and Art. 50 transparency effective 2026-08-02. Art. 6(3) exemption requires one of 4 enumerated conditions AND no material influence on decision outcomes; profiling of natural persons is ALWAYS high-risk across ALL Annex III categories (Art. 6(3) final paragraph). Classification for a given audit is surfaced as a scope label in the report.',
+    }),
+    gdpr: mandatory('gdpr', 'GDPR', ['EU'], {
+        primarySource: 'https://eur-lex.europa.eu/eli/reg/2016/679/oj',
+        summary: 'Regulation (EU) 2016/679. Lawful basis, DPIA, data-subject rights.',
+    }),
+    // ── Voluntary / best-practice ────────────────────────────────────────────
+    'iso-42001': voluntary('iso-42001', 'ISO/IEC 42001', 'https://www.iso.org/standard/81230.html', 'AI management system standard. Annex A controls (A.5–A.9).'),
+    'aiuc-1': voluntary('aiuc-1', 'AIUC-1', 'https://www.aiuc-1.com/', 'Agent-native compliance standard. Six domains: A Data & Privacy, B Security, C Safety, D Reliability, E Accountability, F Society.', 'Quarterly releases (Jan/Apr/Jul/Oct 15). Pinned to 2026-04-15 (Q2-2026) release.'),
+    'nist-ai-rmf': voluntary('nist-ai-rmf', 'NIST AI RMF', 'https://www.nist.gov/itl/ai-risk-management-framework', 'US-origin voluntary AI risk-management framework. Four functions: GOVERN (org policies + accountability), MAP (context + risk identification), MEASURE (analyze + track risks), MANAGE (prioritize + respond).', 'AI RMF 1.0 (January 2023) + Generative AI Profile NIST-AI-600-1 (July 2024). Widely cited by US federal agencies (OMB M-24-10) and enterprise procurement.'),
+};
+// ─── Convenience accessors ──────────────────────────────────────────────────
+export function getFramework(id) {
+    return FRAMEWORKS[id];
+}
+export function listMandatoryFrameworks() {
+    return Object.values(FRAMEWORKS).filter((f) => f.tier === 'mandatory');
+}
+export function listVoluntaryFrameworks() {
+    return Object.values(FRAMEWORKS).filter((f) => f.tier === 'voluntary');
+}
+/**
+ * Return frameworks that are mandatory in the given jurisdiction. Used by the
+ * jurisdictional appendix renderer to show, e.g., "Frameworks that apply to
+ * EU-domiciled processing".
+ */
+export function frameworksFor(jurisdiction) {
+    return Object.values(FRAMEWORKS).filter((f) => f.mandatoryIn.includes(jurisdiction));
+}
+//# sourceMappingURL=frameworks.js.map

package/dist/src/compliance/frameworks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"frameworks.js","sourceRoot":"","sources":["../../../src/compliance/frameworks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,+EAA+E;AAE/E,SAAS,SAAS,CAChB,EAAe,EACf,IAAY,EACZ,WAA2B,EAC3B,SAA0E,EAAE,aAAa,EAAE,EAAE,EAAE;IAE/F,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,MAAM,EAAE,CAAC;AACjE,CAAC;AAED,SAAS,SAAS,CAChB,EAAe,EACf,IAAY,EACZ,aAAqB,EACrB,OAAgB,EAChB,SAAkB;IAElB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,EAAE,EAAE,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAC7F,CAAC;AAED,+EAA+E;AAE/E,MAAM,CAAC,MAAM,UAAU,GAAmC;IACxD,4EAA4E;IAC5E,WAAW,EAAE,SAAS,CAAC,WAAW,EAAE,WAAW,EAAE,CAAC,IAAI,CAAC,EAAE;QACvD,aAAa,EAAE,oEAAoE;QACnF,OAAO,EACL,uWAAuW;QACzW,SAAS,EACP,mdAAmd;KACtd,CAAC;IACF,IAAI,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE;QACtC,aAAa,EAAE,+CAA+C;QAC9D,OAAO,EAAE,oEAAoE;KAC9E,CAAC;IAEF,4EAA4E;IAC5E,WAAW,EAAE,SAAS,CACpB,WAAW,EACX,eAAe,EACf,yCAAyC,EACzC,4DAA4D,CAC7D;IACD,QAAQ,EAAE,SAAS,CACjB,QAAQ,EACR,QAAQ,EACR,yBAAyB,EACzB,oIAAoI,EACpI,kFAAkF,CACnF;IACD,aAAa,EAAE,SAAS,CACtB,aAAa,EACb,aAAa,EACb,uDAAuD,EACvD,gNAAgN,EAChN,4JAA4J,CAC7J;CACF,CAAC;AAEF,+EAA+E;AAE/E,MAAM,UAAU,YAAY,CAAC,EAAe;IAC1C,OAAO,UAAU,CAAC,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC;AACzE,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC;AACzE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,YAA0B;IACtD,OAAO,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAC5C,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,YAAY,CAAC,CACrC,CAAC;AACJ,CAAC"}

package/dist/src/compliance/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Barrel — re-exports the public surface of the AAP-31 compliance module.
+ */
+export * from './types.js';
+export { FRAMEWORKS, getFramework, listMandatoryFrameworks, listVoluntaryFrameworks, frameworksFor, } from './frameworks.js';
+export { CONTROL_MAPPINGS, getMapping, controlsFor } from './control-mappings.js';
+export { classifyDecisionImpact, detectSignals, mapFindingsToRiskCategories, } from './mapper.js';
+export type { CategorizedBucket, CategorizedCompliance, ComplianceSignals, DecisionImpact, FlagSeverity, MapperInput, TypedRegulatoryFlag, } from './mapper.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/compliance/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/compliance/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC;AAC3B,OAAO,EACL,UAAU,EACV,YAAY,EACZ,uBAAuB,EACvB,uBAAuB,EACvB,aAAa,GACd,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAClF,OAAO,EACL,sBAAsB,EACtB,aAAa,EACb,2BAA2B,GAC5B,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,WAAW,EACX,mBAAmB,GACpB,MAAM,aAAa,CAAC"}

package/dist/src/compliance/index.js

@@ -0,0 +1,8 @@
+/**
+ * Barrel — re-exports the public surface of the AAP-31 compliance module.
+ */
+export * from './types.js';
+export { FRAMEWORKS, getFramework, listMandatoryFrameworks, listVoluntaryFrameworks, frameworksFor, } from './frameworks.js';
+export { CONTROL_MAPPINGS, getMapping, controlsFor } from './control-mappings.js';
+export { classifyDecisionImpact, detectSignals, mapFindingsToRiskCategories, } from './mapper.js';
+//# sourceMappingURL=index.js.map

package/dist/src/compliance/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/compliance/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC;AAC3B,OAAO,EACL,UAAU,EACV,YAAY,EACZ,uBAAuB,EACvB,uBAAuB,EACvB,aAAa,GACd,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAClF,OAAO,EACL,sBAAsB,EACtB,aAAa,EACb,2BAA2B,GAC5B,MAAM,aAAa,CAAC"}

package/dist/src/compliance/mapper.d.ts

@@ -0,0 +1,126 @@
+/**
+ * Maps raw audit signals (systems, transcript, decision metadata) onto the
+ * framework-control bundles defined in `./control-mappings.ts`.
+ *
+ * Output shape: `CategorizedCompliance`, grouped by mandatoriness
+ * (mandatory vs voluntary) and risk category (privacy / IP /
+ * consumer-protection / sector-specific). The report template renders
+ * this directly.
+ *
+ * Post-AAP-42 scope (2026-04-23):
+ *   - Framework gating is simpler — only 3 frameworks (EU AI Act, GDPR,
+ *     ISO/IEC 42001). All fire whenever the finding fires; no
+ *     jurisdiction-specific statutes to narrow-scope.
+ *   - EU AI Act controls tagged `annexIII: true` are gated per-control by
+ *     the detected Annex III signals (biometrics, education, employment,
+ *     essential services, law enforcement). This replaces the prior
+ *     two-framework split (`eu-ai-act` + `eu-ai-act-high-risk`).
+ *   - The overall EU AI Act classification is computed once per audit and
+ *     attached to the `CategorizedCompliance` output so the report can show
+ *     a single "EU AI Act — High-Risk (Annex III §3 Education)" label
+ *     instead of two separate framework blocks.
+ */
+import type { QAPair, RegulatoryFlag, SystemAssessment } from '../report/types.js';
+import type { EUAIActClassification, FindingType, FrameworkId, FrameworkTier, Jurisdiction, RiskCategory } from './types.js';
+export type DecisionImpact = 'high' | 'medium' | 'unclear' | 'none';
+export declare function classifyDecisionImpact(decidesAboutPeople: boolean, details?: string): DecisionImpact;
+export interface ComplianceSignals {
+    hasSensitivePII: boolean;
+    hasPublicPII: boolean;
+    hasPII: boolean;
+    hasHealth: boolean;
+    hasEmploymentDecisions: boolean;
+    hasWriteOps: boolean;
+    hasIrreversibleWrites: boolean;
+    hasExcessivePerms: boolean;
+    hasScopeCreep: boolean;
+    hasOrgBlast: boolean;
+    hasOrgBlastWithWrites: boolean;
+    decisionImpact: DecisionImpact;
+    businessSystems: SystemAssessment[];
+    hasBiometricSignal: boolean;
+    isEducationAssessmentContext: boolean;
+    isLawEnforcementContext: boolean;
+    hasEssentialServicesSignal: boolean;
+    /** True if automated decisions affect people (regardless of impact tier). */
+    hasDecisionsAboutPeople: boolean;
+    /** Data likely crosses EU borders (transcript mentions transfer/US-based processor). */
+    hasInternationalTransfer: boolean;
+    /** Agent uses third-party SaaS processors (triggers Art. 28 DPA obligation). */
+    hasExternalProcessors: boolean;
+    /** Heuristic: >=3 business systems OR >=1 org-wide blast radius system. */
+    hasLargeScaleProcessing: boolean;
+    hasMCPOrA2A: boolean;
+    hasSubAgents: boolean;
+    hasCrossCustomer: boolean;
+}
+export declare function detectSignals(systems: SystemAssessment[], transcript: QAPair[], decidesAboutPeople: boolean, decisionMakingDetails?: string): ComplianceSignals;
+export interface EUAIActClassificationResult {
+    classification: EUAIActClassification;
+    /** Human-readable category labels that triggered the classification (Annex III §1, §3, etc.). */
+    annexIIICategories: string[];
+}
+/**
+ * Compute the EU AI Act classification for the audit based on detected signals.
+ *
+ * This replaces the prior two-framework-entry model where high-risk was a
+ * separate framework ID. Now it is a scope label on the single `eu-ai-act`
+ * framework entry. Called once per audit and attached to the output.
+ *
+ * Prohibited / minimal tiers are out-of-scope for v1 signal detection; we
+ * surface `high-risk` if any Annex III signal matches, otherwise `limited`
+ * (which maps to Art. 50 transparency obligations only).
+ */
+export declare function classifyEUAIAct(signals: ComplianceSignals): EUAIActClassificationResult;
+export type FlagSeverity = 'info' | 'warning' | 'action-required' | 'clarification-needed';
+export interface TypedRegulatoryFlag extends RegulatoryFlag {
+    frameworkId: FrameworkId;
+    /** All controls from this framework activated by the triggering finding. */
+    controlIds: string[];
+    category: RiskCategory;
+    tier: FrameworkTier;
+    mandatoryIn: Jurisdiction[];
+    scopeNote?: string;
+    triggeredBy: FindingType;
+    /**
+     * EU AI Act only: the classification label relevant to this flag
+     * (e.g. "high-risk" if this flag was activated by Annex III gating).
+     * Undefined for non-EU-AI-Act flags.
+     */
+    euAiActClassification?: EUAIActClassification;
+}
+export interface CategorizedBucket {
+    privacy: TypedRegulatoryFlag[];
+    ip: TypedRegulatoryFlag[];
+    'consumer-protection': TypedRegulatoryFlag[];
+    'sector-specific': TypedRegulatoryFlag[];
+}
+export interface CategorizedCompliance {
+    mappingVersion: string;
+    mandatory: CategorizedBucket;
+    voluntary: CategorizedBucket;
+    /** Frameworks actually activated — drives the jurisdictional appendix. */
+    frameworksActivated: FrameworkId[];
+    /** Flat list for backward-compat consumers. */
+    all: TypedRegulatoryFlag[];
+    /**
+     * EU AI Act classification for this audit, with the Annex III categories
+     * (if any) that triggered the high-risk tier. Always present — drives the
+     * single-entry EU AI Act display (replaces the old two-entry split).
+     */
+    euAiActClassification: EUAIActClassificationResult;
+    /**
+     * AAP-43 P1: detected signals exposed so renderers can gate conditional
+     * content (e.g. GDPR obligations table rows, regulatory overall status).
+     * Read-only snapshot of the signals that produced the flags above.
+     */
+    signals: ComplianceSignals;
+}
+export interface MapperInput {
+    systems: SystemAssessment[];
+    transcript: QAPair[];
+    makesDecisionsAboutPeople?: boolean;
+    decisionMakingDetails?: string;
+}
+export declare function mapFindingsToRiskCategories(input: MapperInput): CategorizedCompliance;
+//# sourceMappingURL=mapper.d.ts.map

package/dist/src/compliance/mapper.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mapper.d.ts","sourceRoot":"","sources":["../../../src/compliance/mapper.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EACV,MAAM,EACN,cAAc,EACd,gBAAgB,EACjB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,KAAK,EAEV,qBAAqB,EACrB,WAAW,EAGX,WAAW,EACX,aAAa,EACb,YAAY,EACZ,YAAY,EACb,MAAM,YAAY,CAAC;AAMpB,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;AAEpE,wBAAgB,sBAAsB,CACpC,kBAAkB,EAAE,OAAO,EAC3B,OAAO,CAAC,EAAE,MAAM,GACf,cAAc,CAgBhB;AAID,MAAM,WAAW,iBAAiB;IAChC,eAAe,EAAE,OAAO,CAAC;IACzB,YAAY,EAAE,OAAO,CAAC;IACtB,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,sBAAsB,EAAE,OAAO,CAAC;IAChC,WAAW,EAAE,OAAO,CAAC;IACrB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,aAAa,EAAE,OAAO,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,cAAc,EAAE,cAAc,CAAC;IAC/B,eAAe,EAAE,gBAAgB,EAAE,CAAC;IAGpC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,4BAA4B,EAAE,OAAO,CAAC;IACtC,uBAAuB,EAAE,OAAO,CAAC;IACjC,0BAA0B,EAAE,OAAO,CAAC;IAGpC,6EAA6E;IAC7E,uBAAuB,EAAE,OAAO,CAAC;IACjC,wFAAwF;IACxF,wBAAwB,EAAE,OAAO,CAAC;IAClC,gFAAgF;IAChF,qBAAqB,EAAE,OAAO,CAAC;IAC/B,2EAA2E;IAC3E,uBAAuB,EAAE,OAAO,CAAC;IAGjC,WAAW,EAAE,OAAO,CAAC;IACrB,YAAY,EAAE,OAAO,CAAC;IACtB,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAoDD,wBAAgB,aAAa,CAC3B,OAAO,EAAE,gBAAgB,EAAE,EAC3B,UAAU,EAAE,MAAM,EAAE,EACpB,kBAAkB,EAAE,OAAO,EAC3B,qBAAqB,CAAC,EAAE,MAAM,GAC7B,iBAAiB,CAgKnB;AA6DD,MAAM,WAAW,2BAA2B;IAC1C,cAAc,EAAE,qBAAqB,CAAC;IACtC,iGAAiG;IACjG,kBAAkB,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,iBAAiB,GACzB,2BAA2B,CAiB7B;AAID,MAAM,MAAM,YAAY,GACpB,MAAM,GACN,SAAS,GACT,iBAAiB,GACjB,sBAAsB,CAAC;AAE3B,MAAM,WAAW,mBAAoB,SAAQ,cAAc;IACzD,WAAW,EAAE,WAAW,CAAC;IACzB,4EAA4E;IAC5E,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,YAAY,CAAC;IACvB,IAAI,EAAE,aAAa,CAAC;IACpB,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,WAAW,CAAC;IACzB;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC/B,EAAE,EAAE,mBAAmB,EAAE,CAAC;IAC1B,qBAAqB,EAAE,mBAAmB,EAAE,CAAC;IAC7C,iBAAiB,EAAE,mBAAmB,EAAE,CAAC;CAC1C;AAED,MAAM,WAAW,qBAAqB;IACpC,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,0EAA0E;IAC1E,mBAAmB,EAAE,WAAW,EAAE,CAAC;IACnC,+CAA+C;IAC/C,GAAG,EAAE,mBAAmB,EAAE,CAAC;IAC3B;;;;OAIG;IACH,qBAAqB,EAAE,2BAA2B,CAAC;IACnD;;;;OAIG;IACH,OAAO,EAAE,iBAAiB,CAAC;CAC5B;AAqJD,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,WAAW,GACjB,qBAAqB,CAuFvB"}