iso27001-mcp 0.7.9 → 0.8.0

package/dist/index.js

@@ -24797,7 +24797,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "iso27001-mcp",
-      version: "0.7.9",
+      version: "0.8.0",
       description: "Stateful ISO 27001:2022 ISMS management for Claude \u2014 gap analysis, risk register, policies, audits, and evidence tracking via the Model Context Protocol",
       license: "MIT",
       repository: {
@@ -24837,7 +24837,7 @@ var require_package = __commonJS({
       ],
       scripts: {
         build: "tsup",
-        postbuild: "rm -rf dist/seed && mkdir -p dist/seed && cp -r src/seed/policy-templates dist/seed/policy-templates && cp -r src/seed/procedure-templates dist/seed/procedure-templates",
+        postbuild: "rm -rf dist/seed && mkdir -p dist/seed && cp -r src/seed/policy-templates dist/seed/policy-templates && cp -r src/seed/procedure-templates dist/seed/procedure-templates && cp -r src/seed/evidence-templates dist/seed/evidence-templates && cp -r src/seed/partials dist/seed/partials",
         prepack: "npm run build",
         prepublishOnly: "npm run typecheck && npm test && npm run build",
         postinstall: `node -e "require('better-sqlite3-multiple-ciphers')" 2>/dev/null || echo "\\n\u26A0\uFE0F  iso27001-mcp: Native SQLite module failed to load. You may need build tools installed.\\n   macOS: xcode-select --install\\n   Ubuntu/Debian: sudo apt-get install build-essential python3\\n   Windows: https://visualstudio.microsoft.com/downloads/ \u2192 Build Tools for Visual Studio \u2192 Desktop development with C++\\n   See: https://github.com/Sushegaad/MCP-Server-for-ISO27001#prerequisites\\n"`,
@@ -25660,120 +25660,10 @@ var lib_default = rateLimit;
 // src/transport/sse.ts
 var import_crypto = require("crypto");
 var import_sse = require("@modelcontextprotocol/sdk/server/sse.js");
-var sessions = /* @__PURE__ */ new Map();
-var ttlMs = parseInt(process.env["SESSION_TTL_HOURS"] ?? "4") * 60 * 60 * 1e3;
-setInterval(() => {
-  const now2 = Date.now();
-  for (const [sessionId, entry] of sessions) {
-    if (now2 - entry.lastActivity > ttlMs) {
-      try {
-        entry.transport.res?.end();
-      } catch {
-      }
-      sessions.delete(sessionId);
-      console.error(`[iso27001-mcp] Session ${sessionId} expired and removed.`);
-    }
-  }
-}, 6e4);
-function startSseServer(server) {
-  const isProduction = process.env["NODE_ENV"] === "production";
-  const port = parseInt(process.env["SSE_PORT"] ?? "3000", 10);
-  if (isProduction && process.env["BEHIND_TLS_PROXY"] !== "true") {
-    console.error(
-      "[SECURITY] Running in production without BEHIND_TLS_PROXY=true. Ensure TLS is terminated upstream."
-    );
-  }
-  const app = (0, import_express.default)();
-  app.use((req, res, next) => {
-    const allowedOrigin = isProduction ? "https://claude.ai" : "*";
-    res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
-    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
-    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-    if (req.method === "OPTIONS") {
-      res.sendStatus(204);
-      return;
-    }
-    next();
-  });
-  app.use(import_express.default.json());
-  if (isProduction) {
-    const limiter = lib_default({
-      windowMs: 60 * 1e3,
-      max: 100,
-      standardHeaders: true,
-      legacyHeaders: false
-    });
-    app.use("/messages", limiter);
-  }
-  app.get("/health", (_req, res) => {
-    res.json({ status: "ok", uptime: process.uptime(), mode: "sse" });
-  });
-  app.get("/sse", async (_req, res) => {
-    const sessionId = (0, import_crypto.randomUUID)();
-    const transport = new import_sse.SSEServerTransport("/messages", res);
-    sessions.set(sessionId, {
-      transport,
-      createdAt: Date.now(),
-      lastActivity: Date.now()
-    });
-    res.on("close", () => {
-      sessions.delete(sessionId);
-      console.error(`[iso27001-mcp] SSE connection closed for session ${sessionId}.`);
-    });
-    await server.connect(transport);
-    res.write("data: " + JSON.stringify({ type: "session", sessionId }) + "\n\n");
-  });
-  app.post("/messages", async (req, res) => {
-    const sessionId = req.query["sessionId"];
-    if (!sessionId) {
-      res.status(400).json({ error: "Missing sessionId query parameter." });
-      return;
-    }
-    const entry = sessions.get(sessionId);
-    if (!entry) {
-      res.status(404).json({ error: `Session not found: ${sessionId}` });
-      return;
-    }
-    entry.lastActivity = Date.now();
-    await entry.transport.handlePostMessage(req, res);
-  });
-  app.listen(port, () => {
-    console.error(`[iso27001-mcp] SSE server listening on port ${port}.`);
-  });
-}
-
-// src/security/secrets.ts
-var REQUIRED_VARS = ["DB_ENCRYPTION_KEY", "HMAC_SECRET"];
-function requireEnv(name) {
-  const value = process.env[name];
-  if (!value) {
-    throw new Error(
-      `Missing required environment variable: ${name}. Copy .env.example to .env and set the required variables.`
-    );
-  }
-  return value;
-}
-function getEnv(name, defaultValue) {
-  return process.env[name] ?? defaultValue;
-}
-function loadSecrets() {
-  const missing = [];
-  for (const name of REQUIRED_VARS) {
-    if (!process.env[name]) {
-      missing.push(name);
-    }
-  }
-  if (missing.length > 0) {
-    const list = missing.map((n) => `  \u2022 ${n}`).join("\n");
-    throw new Error(
-      `[secrets] Server cannot start \u2014 missing required environment variables:
-${list}
 
-Copy .env.example to .env and set all required variables.`
-    );
-  }
-  console.error("[secrets] Required environment variables verified.");
-}
+// src/auth/api-key.ts
+var import_node_crypto3 = require("crypto");
+var import_node_crypto4 = require("crypto");
 
 // src/db/connection.ts
 var import_node_crypto2 = require("crypto");
@@ -26219,12 +26109,189 @@ CREATE INDEX IF NOT EXISTS idx_procedures_review
 CREATE INDEX IF NOT EXISTS idx_procedures_type
   ON procedures(procedure_type, status);
 `;
+var MIGRATION_0004 = `-- ============================================================
+-- iso27001-mcp  Migration 0004 \u2014 Management Review & Improvement Plan
+-- Clause 9.3 (Management Review) and Clause 10.1 (Improvement Opportunities)
+-- ============================================================
+
+-- \u2500\u2500 Management Reviews (ISO 27001:2022 Clause 9.3) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+
+CREATE TABLE IF NOT EXISTS management_reviews (
+  id           TEXT PRIMARY KEY NOT NULL,
+  title        TEXT NOT NULL,
+  review_date  TEXT NOT NULL,
+  reviewers    TEXT NOT NULL,
+  scope_notes  TEXT,
+  status       TEXT NOT NULL DEFAULT 'planned' CHECK (status IN ('planned','in_progress','completed')),
+  completed_at TEXT,
+  completed_by TEXT,
+  created_at   TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at   TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+-- \u2500\u2500 Review Inputs (ISO 27001:2022 Clause 9.3.2) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+
+CREATE TABLE IF NOT EXISTS review_inputs (
+  id             TEXT PRIMARY KEY NOT NULL,
+  review_id      TEXT NOT NULL REFERENCES management_reviews(id) ON DELETE CASCADE,
+  input_category TEXT NOT NULL CHECK (input_category IN (
+    'previous_action_status',
+    'external_internal_issues',
+    'interested_party_needs',
+    'isms_performance',
+    'interested_party_feedback',
+    'risk_assessment_results',
+    'improvement_opportunities'
+  )),
+  summary    TEXT NOT NULL,
+  details    TEXT,
+  trend      TEXT CHECK (trend IN ('improving','stable','declining','insufficient_data')),
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at TEXT NOT NULL DEFAULT (datetime('now')),
+  UNIQUE(review_id, input_category)
+);
+
+-- \u2500\u2500 Review Outputs (ISO 27001:2022 Clause 9.3.3) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+
+CREATE TABLE IF NOT EXISTS review_outputs (
+  id          TEXT PRIMARY KEY NOT NULL,
+  review_id   TEXT NOT NULL REFERENCES management_reviews(id) ON DELETE CASCADE,
+  output_type TEXT NOT NULL CHECK (output_type IN (
+    'improvement_decision',
+    'isms_change_decision'
+  )),
+  decision   TEXT NOT NULL,
+  owner      TEXT,
+  due_date   TEXT,
+  created_at TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+-- \u2500\u2500 Improvement Opportunities (ISO 27001:2022 Clause 10.1) \u2500\u2500\u2500
+
+CREATE TABLE IF NOT EXISTS improvement_opportunities (
+  id          TEXT PRIMARY KEY NOT NULL,
+  title       TEXT NOT NULL,
+  description TEXT NOT NULL,
+  source      TEXT NOT NULL CHECK (source IN (
+    'management_review','risk_assessment','audit','monitoring','other'
+  )),
+  priority    TEXT NOT NULL DEFAULT 'medium' CHECK (priority IN ('low','medium','high','critical')),
+  owner       TEXT,
+  target_date TEXT,
+  status      TEXT NOT NULL DEFAULT 'open' CHECK (status IN (
+    'open','in_progress','implemented','closed'
+  )),
+  review_id   TEXT REFERENCES management_reviews(id) ON DELETE SET NULL,
+  created_at  TEXT NOT NULL DEFAULT (datetime('now')),
+  updated_at  TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+-- \u2500\u2500 Performance Indexes \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+
+CREATE INDEX IF NOT EXISTS idx_management_reviews_status
+  ON management_reviews(status, review_date DESC);
+
+CREATE INDEX IF NOT EXISTS idx_review_inputs_review
+  ON review_inputs(review_id, input_category);
+
+CREATE INDEX IF NOT EXISTS idx_review_outputs_review
+  ON review_outputs(review_id, output_type);
+
+CREATE INDEX IF NOT EXISTS idx_improvement_opps_status
+  ON improvement_opportunities(status, priority);
+
+CREATE INDEX IF NOT EXISTS idx_improvement_opps_review
+  ON improvement_opportunities(review_id);
+`;
+var MIGRATION_0005 = `-- ============================================================
+-- iso27001-mcp  Migration 0005 \u2014 Generated Evidence Documents
+-- Supports the generate_evidence_document tool (Group 14).
+-- ============================================================
+
+CREATE TABLE IF NOT EXISTS generated_evidence (
+  id                TEXT PRIMARY KEY NOT NULL,
+  template_type     TEXT NOT NULL CHECK (template_type IN (
+    'access_review_attestation',
+    'training_acknowledgement',
+    'supplier_security_questionnaire',
+    'incident_post_mortem',
+    'bcp_test_report',
+    'risk_treatment_sign_off'
+  )),
+  title             TEXT NOT NULL,
+  content           TEXT NOT NULL,
+  organisation_name TEXT NOT NULL,
+  generated_by      TEXT NOT NULL,
+  clause_mappings   TEXT,
+  control_mappings  TEXT,
+  template_vars     TEXT NOT NULL DEFAULT '{}',
+  evidence_id       TEXT REFERENCES evidence(id) ON DELETE SET NULL,
+  created_at        TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_generated_evidence_type
+  ON generated_evidence(template_type, created_at DESC);
+
+CREATE INDEX IF NOT EXISTS idx_generated_evidence_generated_by
+  ON generated_evidence(generated_by, created_at DESC);
+`;
+var MIGRATION_0006 = `-- ============================================================
+-- iso27001-mcp  Migration 0006 \u2014 Audit Log HMAC Hardening
+-- Adds prev_hash column to audit_log for hash-chain integrity.
+-- After this migration, row_hash is computed as HMAC-SHA256 over
+-- ALL fields (id, timestamp, tool, key_hash, role, params_json,
+-- outcome, error_message, duration_ms, prev_hash), replacing the
+-- former SHA-256 over 4 fields only.
+-- !! Never edit this file after it has been applied !!
+-- ============================================================
+
+-- SQLite does not support ALTER TABLE ADD COLUMN with NOT NULL
+-- without a default; prev_hash is nullable (NULL = first in chain).
+ALTER TABLE audit_log ADD COLUMN prev_hash TEXT;
+`;
 var MIGRATIONS = [
   { filename: "0001_initial.sql", sql: MIGRATION_0001 },
   { filename: "0002_fts_index.sql", sql: MIGRATION_0002 },
-  { filename: "0003_org_profile_procedures.sql", sql: MIGRATION_0003 }
+  { filename: "0003_org_profile_procedures.sql", sql: MIGRATION_0003 },
+  { filename: "0004_management_review_improvement.sql", sql: MIGRATION_0004 },
+  { filename: "0005_evidence_documents.sql", sql: MIGRATION_0005 },
+  { filename: "0006_audit_log_hmac.sql", sql: MIGRATION_0006 }
 ];
 
+// src/security/secrets.ts
+var REQUIRED_VARS = ["DB_ENCRYPTION_KEY", "HMAC_SECRET"];
+function requireEnv(name) {
+  const value = process.env[name];
+  if (!value) {
+    throw new Error(
+      `Missing required environment variable: ${name}. Copy .env.example to .env and set the required variables.`
+    );
+  }
+  return value;
+}
+function getEnv(name, defaultValue) {
+  return process.env[name] ?? defaultValue;
+}
+function loadSecrets() {
+  const missing = [];
+  for (const name of REQUIRED_VARS) {
+    if (!process.env[name]) {
+      missing.push(name);
+    }
+  }
+  if (missing.length > 0) {
+    const list = missing.map((n) => `  \u2022 ${n}`).join("\n");
+    throw new Error(
+      `[secrets] Server cannot start \u2014 missing required environment variables:
+${list}
+
+Copy .env.example to .env and set all required variables.`
+    );
+  }
+  console.error("[secrets] Required environment variables verified.");
+}
+
 // src/db/connection.ts
 var Database = require("better-sqlite3-multiple-ciphers");
 var _db = null;
@@ -26292,82 +26359,436 @@ function runMigrations(db) {
 }
 var requireEnv2 = requireEnv;
 
-// src/seed/seeder.ts
-var import_node_crypto3 = require("crypto");
-
-// src/seed/controls-2022.json
-var controls_2022_default = [
-  {
-    control_id: "5.1",
-    version: "2022",
-    name: "Policies for information security",
-    theme: "Organizational",
-    description: "Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals or if significant changes occur.",
-    guidance: "Policies should address business requirements, relevant legislation and regulations, current and anticipated information security threats, and the specific policy areas defined in Annex A. Policies shall be reviewed at planned intervals or if significant changes occur.",
-    control_type: [
-      "Preventive"
-    ],
-    attributes: {
-      information_security_properties: [
-        "Confidentiality",
-        "Integrity",
-        "Availability"
-      ],
-      cybersecurity_concepts: [
-        "Identify",
-        "Protect"
-      ],
-      operational_capabilities: [
-        "Governance"
-      ],
-      security_domains: [
-        "Governance_and_ecosystem"
-      ]
-    },
-    related_controls: [
-      "5.2",
-      "5.4",
-      "5.36",
-      "5.37"
-    ],
-    new_in_2022: false,
-    iso_clause_refs: [
-      "5",
-      "6.2"
-    ]
-  },
-  {
-    control_id: "5.2",
-    version: "2022",
-    name: "Information security roles and responsibilities",
-    theme: "Organizational",
-    description: "Information security roles and responsibilities shall be defined and allocated according to the organisation's needs.",
-    guidance: "Roles and responsibilities should be defined for all personnel involved in information security. Responsibilities for protecting specific assets and carrying out specific information security processes shall be clearly assigned.",
-    control_type: [
-      "Preventive"
-    ],
-    attributes: {
-      information_security_properties: [
-        "Confidentiality",
-        "Integrity",
-        "Availability"
-      ],
-      cybersecurity_concepts: [
-        "Identify",
-        "Protect"
-      ],
-      operational_capabilities: [
-        "Governance"
-      ],
-      security_domains: [
-        "Governance_and_ecosystem"
-      ]
-    },
-    related_controls: [
-      "5.1",
-      "5.3",
-      "5.4",
-      "6.2"
+// src/types/errors.ts
+var HTTP_STATUS = {
+  AUTH_MISSING: 401,
+  AUTH_INVALID: 401,
+  AUTH_EXPIRED: 401,
+  AUTH_REVOKED: 401,
+  RBAC_DENIED: 403,
+  RATE_LIMITED: 429,
+  VALIDATION_ERROR: 400,
+  NOT_FOUND: 404,
+  BUSINESS_RULE: 422,
+  INTERNAL_ERROR: 500,
+  INTEGRATION_ERROR: 502
+};
+var McpError = class extends Error {
+  error_code;
+  http_status;
+  field;
+  hint;
+  docs_ref;
+  constructor(opts) {
+    super(opts.message);
+    this.name = "McpError";
+    this.error_code = opts.error_code;
+    this.http_status = HTTP_STATUS[opts.error_code];
+    this.field = opts.field;
+    this.hint = opts.hint;
+    this.docs_ref = opts.docs_ref;
+  }
+  /**
+   * Serialise to the structured tool result format expected by the MCP SDK.
+   * Returns a single content block with JSON text so Claude can parse it.
+   */
+  toToolResult() {
+    const body = {
+      error_code: this.error_code,
+      http_status: this.http_status,
+      message: this.message
+    };
+    if (this.field) body["field"] = this.field;
+    if (this.hint) body["hint"] = this.hint;
+    if (this.docs_ref) body["docs_ref"] = this.docs_ref;
+    return {
+      content: [{ type: "text", text: JSON.stringify(body, null, 2) }],
+      isError: true
+    };
+  }
+};
+function authMissing() {
+  return new McpError({
+    error_code: "AUTH_MISSING",
+    message: "No API key provided. Pass your key via MCP_API_KEY env var or _meta.apiKey.",
+    hint: "Set MCP_API_KEY env var or include apiKey in _meta"
+  });
+}
+function authInvalid() {
+  return new McpError({
+    error_code: "AUTH_INVALID",
+    message: "HMAC validation failed. The provided API key is not recognised.",
+    hint: "Verify your API key \u2014 run: iso27001-mcp keygen"
+  });
+}
+function authExpired() {
+  return new McpError({
+    error_code: "AUTH_EXPIRED",
+    message: "API key has expired.",
+    hint: "Generate a new key: iso27001-mcp keygen"
+  });
+}
+function authRevoked() {
+  return new McpError({
+    error_code: "AUTH_REVOKED",
+    message: "API key has been revoked.",
+    hint: "Generate a new key: iso27001-mcp keygen --role [role]"
+  });
+}
+function rbacDenied(toolName, requiredRole) {
+  return new McpError({
+    error_code: "RBAC_DENIED",
+    message: `Your role does not have permission to call '${toolName}'. Requires: ${requiredRole}.`,
+    hint: "Your role cannot call this tool \u2014 contact your admin to get a key with a higher role"
+  });
+}
+function rateLimited() {
+  return new McpError({
+    error_code: "RATE_LIMITED",
+    message: "Too many requests. Exceeded RATE_LIMIT_RPM.",
+    hint: "Slow down or raise RATE_LIMIT_RPM in your .env"
+  });
+}
+function notFound(entity, id) {
+  return new McpError({
+    error_code: "NOT_FOUND",
+    message: `${entity} not found: ${id}`
+  });
+}
+function businessRule(message, hint, docsRef) {
+  return new McpError({
+    error_code: "BUSINESS_RULE",
+    message,
+    hint,
+    docs_ref: docsRef
+  });
+}
+function integrationError(service, message, hint) {
+  return new McpError({
+    error_code: "INTEGRATION_ERROR",
+    message: `${service} integration error: ${message}`,
+    hint
+  });
+}
+
+// src/auth/api-key.ts
+function hmacSha256(secret, data) {
+  return (0, import_node_crypto3.createHmac)("sha256", secret).update(data).digest("hex");
+}
+function generateKey(label, role, expiresAt) {
+  const db = getDb();
+  const rawKey = "iso27001_" + (0, import_node_crypto3.randomBytes)(24).toString("base64url");
+  const keyHash = hmacSha256(requireEnv("HMAC_SECRET"), rawKey);
+  db.prepare(`
+    INSERT INTO api_keys (id, key_hash, label, role, expires_at, created_at)
+    VALUES (?, ?, ?, ?, ?, datetime('now'))
+  `).run(
+    (0, import_node_crypto4.randomUUID)(),
+    keyHash,
+    label,
+    role,
+    expiresAt ?? null
+  );
+  console.log("=".repeat(60));
+  console.log("API Key generated (save now \u2014 NOT stored in plaintext):");
+  console.log("");
+  console.log("  " + rawKey);
+  console.log("");
+  console.log(`  Label:   ${label}`);
+  console.log(`  Role:    ${role}`);
+  console.log(`  Expires: ${expiresAt ?? "never"}`);
+  console.log("=".repeat(60));
+  return rawKey;
+}
+function validateKey(rawKey) {
+  if (!rawKey) throw authMissing();
+  const secret = requireEnv("HMAC_SECRET");
+  const keyHash = hmacSha256(secret, rawKey);
+  const db = getDb();
+  const row = db.prepare(
+    "SELECT key_hash FROM api_keys WHERE key_hash = ? LIMIT 1"
+  ).get(keyHash);
+  if (!row) {
+    const dummyA = Buffer.alloc(32, 0);
+    const dummyB = Buffer.alloc(32, 1);
+    (0, import_node_crypto3.timingSafeEqual)(dummyA, dummyB);
+    throw authInvalid();
+  }
+  const storedBuf = Buffer.from(row.key_hash, "hex");
+  const computedBuf = Buffer.from(keyHash, "hex");
+  if (storedBuf.length !== computedBuf.length || !(0, import_node_crypto3.timingSafeEqual)(storedBuf, computedBuf)) {
+    throw authInvalid();
+  }
+  return keyHash;
+}
+function loadRole(keyHash) {
+  const db = getDb();
+  const row = db.prepare(`
+    SELECT id, role, expires_at, revoked_at FROM api_keys WHERE key_hash = ?
+  `).get(keyHash);
+  if (!row) throw authInvalid();
+  if (row.revoked_at) throw authRevoked();
+  if (row.expires_at) {
+    const expiry = new Date(row.expires_at);
+    if (expiry < /* @__PURE__ */ new Date()) throw authExpired();
+  }
+  try {
+    db.prepare("UPDATE api_keys SET last_used_at = datetime('now') WHERE id = ?").run(row.id);
+  } catch {
+  }
+  return row.role;
+}
+function listKeys() {
+  const db = getDb();
+  const rows = db.prepare(`
+    SELECT id, label, role, created_at, expires_at, revoked_at, last_used_at
+    FROM api_keys
+    ORDER BY created_at DESC
+  `).all();
+  const now2 = /* @__PURE__ */ new Date();
+  return rows.map((r) => {
+    let status = "active";
+    if (r.revoked_at) {
+      status = "revoked";
+    } else if (r.expires_at && new Date(r.expires_at) < now2) {
+      status = "expired";
+    }
+    return {
+      id: r.id,
+      label: r.label,
+      role: r.role,
+      created_at: r.created_at,
+      expires_at: r.expires_at,
+      last_used_at: r.last_used_at,
+      status
+    };
+  });
+}
+function revokeKey(label) {
+  const db = getDb();
+  const row = db.prepare("SELECT id FROM api_keys WHERE label = ?").get(label);
+  if (!row) {
+    throw new Error(`API key with label '${label}' not found.`);
+  }
+  db.prepare("UPDATE api_keys SET revoked_at = datetime('now') WHERE id = ?").run(row.id);
+  console.log(`[auth] Key '${label}' revoked.`);
+}
+function warnAdminExpiry() {
+  const db = getDb();
+  const rows = db.prepare(`
+    SELECT label FROM api_keys
+    WHERE role = 'admin' AND expires_at IS NULL AND revoked_at IS NULL
+  `).all();
+  if (rows.length > 0) {
+    const labels = rows.map((r) => r.label).join(", ");
+    console.warn(
+      `[SECURITY] Admin keys without expiry: ${labels}. Consider setting --expires to limit blast radius.`
+    );
+  }
+}
+function parseExpiresFlag(value) {
+  if (/^\d{4}-\d{2}-\d{2}$/.test(value)) return value;
+  const days = /^(\d+)d$/.exec(value);
+  if (days) {
+    const d = /* @__PURE__ */ new Date();
+    d.setDate(d.getDate() + parseInt(days[1], 10));
+    return d.toISOString().split("T")[0];
+  }
+  const years = /^(\d+)y$/.exec(value);
+  if (years) {
+    const d = /* @__PURE__ */ new Date();
+    d.setFullYear(d.getFullYear() + parseInt(years[1], 10));
+    return d.toISOString().split("T")[0];
+  }
+  throw new Error(
+    `Invalid --expires value: '${value}'. Use '90d', '1y', or 'YYYY-MM-DD'.`
+  );
+}
+
+// src/transport/sse.ts
+var sessions = /* @__PURE__ */ new Map();
+var ttlMs = parseInt(process.env["SESSION_TTL_HOURS"] ?? "4") * 60 * 60 * 1e3;
+setInterval(() => {
+  const now2 = Date.now();
+  for (const [sessionId, entry] of sessions) {
+    if (now2 - entry.lastActivity > ttlMs) {
+      try {
+        entry.transport.res?.end();
+      } catch {
+      }
+      sessions.delete(sessionId);
+      console.error(`[iso27001-mcp] Session ${sessionId} expired and removed.`);
+    }
+  }
+}, 6e4);
+function startSseServer(server) {
+  const isProduction = process.env["NODE_ENV"] === "production";
+  const port = parseInt(process.env["SSE_PORT"] ?? "3000", 10);
+  if (isProduction && process.env["BEHIND_TLS_PROXY"] !== "true") {
+    console.error(
+      "[SECURITY] Running in production without BEHIND_TLS_PROXY=true. Ensure TLS is terminated upstream."
+    );
+  }
+  const app = (0, import_express.default)();
+  app.use((req, res, next) => {
+    const allowedOrigin = isProduction ? "https://claude.ai" : "*";
+    res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    if (req.method === "OPTIONS") {
+      res.sendStatus(204);
+      return;
+    }
+    next();
+  });
+  app.use(import_express.default.json());
+  if (isProduction) {
+    const limiter = lib_default({
+      windowMs: 60 * 1e3,
+      max: 100,
+      standardHeaders: true,
+      legacyHeaders: false
+    });
+    app.use("/messages", limiter);
+  }
+  app.get("/health", (_req, res) => {
+    res.json({ status: "ok", uptime: process.uptime(), mode: "sse" });
+  });
+  app.get("/sse", async (req, res) => {
+    const authHeader = req.headers["authorization"];
+    const rawKey = (authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null) ?? process.env["MCP_API_KEY"] ?? "";
+    let keyHash;
+    try {
+      keyHash = validateKey(rawKey);
+      loadRole(keyHash);
+    } catch (err) {
+      const msg = err instanceof McpError ? err.message : "Invalid or missing API key";
+      res.status(401).json({
+        error: "Unauthorized",
+        message: msg,
+        hint: "Pass Authorization: Bearer <iso27001_...> header at connect time."
+      });
+      return;
+    }
+    const sessionId = (0, import_crypto.randomUUID)();
+    const transport = new import_sse.SSEServerTransport("/messages", res);
+    sessions.set(sessionId, {
+      transport,
+      createdAt: Date.now(),
+      lastActivity: Date.now(),
+      keyHash,
+      rawKey
+    });
+    res.on("close", () => {
+      sessions.delete(sessionId);
+      console.error(`[iso27001-mcp] SSE connection closed for session ${sessionId}.`);
+    });
+    await server.connect(transport);
+    res.write("data: " + JSON.stringify({ type: "session", sessionId }) + "\n\n");
+  });
+  app.post("/messages", async (req, res) => {
+    const sessionId = req.query["sessionId"];
+    if (!sessionId) {
+      res.status(400).json({ error: "Missing sessionId query parameter." });
+      return;
+    }
+    const entry = sessions.get(sessionId);
+    if (!entry) {
+      res.status(404).json({ error: `Session not found: ${sessionId}` });
+      return;
+    }
+    entry.lastActivity = Date.now();
+    if (entry.rawKey && req.body && typeof req.body === "object") {
+      const body = req.body;
+      if (body.params && typeof body.params === "object") {
+        const meta = body.params["_meta"] ?? {};
+        meta["apiKey"] = entry.rawKey;
+        body.params["_meta"] = meta;
+      }
+    }
+    await entry.transport.handlePostMessage(req, res);
+  });
+  app.listen(port, () => {
+    console.error(`[iso27001-mcp] SSE server listening on port ${port}.`);
+  });
+}
+
+// src/seed/seeder.ts
+var import_node_crypto5 = require("crypto");
+
+// src/seed/controls-2022.json
+var controls_2022_default = [
+  {
+    control_id: "5.1",
+    version: "2022",
+    name: "Policies for information security",
+    theme: "Organizational",
+    description: "Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals or if significant changes occur.",
+    guidance: "Policies should address business requirements, relevant legislation and regulations, current and anticipated information security threats, and the specific policy areas defined in Annex A. Policies shall be reviewed at planned intervals or if significant changes occur.",
+    control_type: [
+      "Preventive"
+    ],
+    attributes: {
+      information_security_properties: [
+        "Confidentiality",
+        "Integrity",
+        "Availability"
+      ],
+      cybersecurity_concepts: [
+        "Identify",
+        "Protect"
+      ],
+      operational_capabilities: [
+        "Governance"
+      ],
+      security_domains: [
+        "Governance_and_ecosystem"
+      ]
+    },
+    related_controls: [
+      "5.2",
+      "5.4",
+      "5.36",
+      "5.37"
+    ],
+    new_in_2022: false,
+    iso_clause_refs: [
+      "5",
+      "6.2"
+    ]
+  },
+  {
+    control_id: "5.2",
+    version: "2022",
+    name: "Information security roles and responsibilities",
+    theme: "Organizational",
+    description: "Information security roles and responsibilities shall be defined and allocated according to the organisation's needs.",
+    guidance: "Roles and responsibilities should be defined for all personnel involved in information security. Responsibilities for protecting specific assets and carrying out specific information security processes shall be clearly assigned.",
+    control_type: [
+      "Preventive"
+    ],
+    attributes: {
+      information_security_properties: [
+        "Confidentiality",
+        "Integrity",
+        "Availability"
+      ],
+      cybersecurity_concepts: [
+        "Identify",
+        "Protect"
+      ],
+      operational_capabilities: [
+        "Governance"
+      ],
+      security_domains: [
+        "Governance_and_ecosystem"
+      ]
+    },
+    related_controls: [
+      "5.1",
+      "5.3",
+      "5.4",
+      "6.2"
     ],
     new_in_2022: false,
     iso_clause_refs: [
@@ -32667,502 +33088,252 @@ var clause_requirements_default = [
       "5.4"
     ]
   },
-  {
-    clause_id: "9.3.2",
-    parent_id: "9.3",
-    title: "Management review inputs",
-    requirement_text: "The management review shall include consideration of: status of actions from previous reviews; changes in external/internal issues; feedback on information security performance; feedback from interested parties; results of risk assessment and risk treatment plan status; opportunities for continual improvement.",
-    implementation_notes: "Prepare management review inputs in advance. Include trend data where available. Present metrics and KPIs. Summarise key risks and treatment status. Include audit findings and corrective action status.",
-    related_controls: [
-      "5.35",
-      "5.36"
-    ]
-  },
-  {
-    clause_id: "9.3.3",
-    parent_id: "9.3",
-    title: "Management review results",
-    requirement_text: "The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the information security management system.",
-    implementation_notes: "Document all decisions with clear action items, owners, and due dates. Communicate decisions to relevant stakeholders. Track action items to completion. Use management review outputs to drive ISMS improvement.",
-    related_controls: [
-      "5.1"
-    ]
-  },
-  {
-    clause_id: "10",
-    parent_id: null,
-    title: "Improvement",
-    requirement_text: "The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.",
-    implementation_notes: "Improvement activities include corrective actions, preventive actions, and continual improvement initiatives. Track and trend nonconformities. Use improvement inputs from audits, incidents, management reviews, and performance metrics.",
-    related_controls: [
-      "5.27",
-      "5.35",
-      "5.36"
-    ]
-  },
-  {
-    clause_id: "10.1",
-    parent_id: "10",
-    title: "Continual improvement",
-    requirement_text: "The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.",
-    implementation_notes: "Establish a formal process for identifying and implementing improvements. Use Lessons Learned from incidents, audit findings, and management reviews as inputs. Track improvement initiatives to completion. Measure the effectiveness of improvements.",
-    related_controls: [
-      "5.27"
-    ]
-  },
-  {
-    clause_id: "10.2",
-    parent_id: "10",
-    title: "Nonconformity and corrective action",
-    requirement_text: "When a nonconformity occurs, the organisation shall: a) react to the nonconformity and, as applicable: 1) take action to control and correct it; 2) deal with the consequences; b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by: 1) reviewing the nonconformity; 2) determining the causes of the nonconformity; 3) determining if similar nonconformities exist, or could potentially occur; c) implement any action needed; d) review the effectiveness of any corrective action taken; e) make changes to the information security management system, if necessary. Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organisation shall retain documented information as evidence of: a) the nature of the nonconformities and any subsequent actions taken; b) the results of any corrective action.",
-    implementation_notes: "Establish a formal nonconformity and corrective action procedure. Use root cause analysis techniques (5 Whys, fishbone diagram). Assign corrective actions to owners with due dates. Verify effectiveness before closing. Retain records of nonconformities and corrective actions.",
-    related_controls: [
-      "5.27",
-      "5.35"
-    ]
-  }
-];
-
-// src/seed/checksums.json
-var checksums_default = {
-  "controls-2022.json": "f6ccfc42c3ebe39695f8d5c75face62077bffceb28a1786207969c75d5b78cba",
-  "controls-2013.json": "653ecfb8e22e134d836d3ee38f48839152dd4a2c382a38e1f2052d9a4dbe8c39",
-  "version-mapping.json": "458e2acf023bcd4636113df5b5fc1252c82db62e382a8887fcdfcb53ed62687a",
-  "clause-requirements.json": "ef72f98436a1faba117fe333c096b365180aa7a7d5eeebb9cd2f70cbd542592c"
-};
-
-// src/seed/seeder.ts
-function sha256(data) {
-  return (0, import_node_crypto3.createHash)("sha256").update(JSON.stringify(data, null, 2)).digest("hex");
-}
-function verifyChecksums() {
-  const checks = [
-    { key: "controls-2022.json", data: controls_2022_default },
-    { key: "controls-2013.json", data: controls_2013_default },
-    { key: "version-mapping.json", data: version_mapping_default },
-    { key: "clause-requirements.json", data: clause_requirements_default }
-  ];
-  for (const { key, data } of checks) {
-    const actual = sha256(data);
-    const expected = checksums_default[key];
-    if (!expected) {
-      throw new Error(
-        `[seeder] No checksum entry found for "${key}". Run "npm run generate-checksums" to regenerate checksums.json.`
-      );
-    }
-    if (actual !== expected) {
-      throw new Error(
-        `[seeder] Checksum mismatch for "${key}".
-  expected: ${expected}
-  actual:   ${actual}
-Seed data may have been modified. Run "npm run generate-checksums" to update checksums.json.`
-      );
-    }
-  }
-  console.error("[seeder] Checksum verification passed.");
-}
-function stableId(key) {
-  const h = (0, import_node_crypto3.createHash)("sha256").update(key).digest("hex");
-  return `${h.slice(0, 8)}-${h.slice(8, 12)}-4${h.slice(13, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;
-}
-function seedAll(db) {
-  verifyChecksums();
-  const existing = db.prepare("SELECT count(*) AS n FROM controls").get();
-  if (existing.n > 0) {
-    console.error(`[seeder] Seed data already present (${existing.n} controls). Skipping.`);
-    return;
-  }
-  console.error("[seeder] Starting seed run\u2026");
-  const t0 = Date.now();
-  const seed = db.transaction(() => {
-    _seedControls2022(db);
-    _seedControls2013(db);
-    _seedVersionMappings(db);
-    _seedClauseRequirements(db);
-    _rebuildFts(db);
-  });
-  seed();
-  const elapsed = Date.now() - t0;
-  const totals = db.prepare(`
-      SELECT
-        (SELECT count(*) FROM controls WHERE version='2022')           AS c2022,
-        (SELECT count(*) FROM controls WHERE version='2013')           AS c2013,
-        (SELECT count(*) FROM controls WHERE new_in_2022=1)            AS new22,
-        (SELECT count(*) FROM control_version_mapping)                 AS mappings,
-        (SELECT count(*) FROM clause_requirements)                     AS clauses
-    `).get();
-  console.error(
-    `[seeder] Done in ${elapsed}ms \u2014 controls-2022: ${totals.c2022}, controls-2013: ${totals.c2013}, new-in-2022: ${totals.new22}, mappings: ${totals.mappings}, clauses: ${totals.clauses}`
-  );
-}
-function _seedControls2022(db) {
-  const stmt = db.prepare(`
-    INSERT OR IGNORE INTO controls
-      (id, control_id, version, name, theme, description, guidance,
-       control_type, attributes, related_controls, new_in_2022, iso_clause_refs)
-    VALUES
-      (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `);
-  for (const row of controls_2022_default) {
-    stmt.run(
-      stableId(`2022:${row.control_id}`),
-      row.control_id,
-      "2022",
-      row.name,
-      row.theme,
-      row.description,
-      row.guidance ?? null,
-      JSON.stringify(row.control_type),
-      row.attributes ? JSON.stringify(row.attributes) : null,
-      JSON.stringify(row.related_controls ?? []),
-      row.new_in_2022 ? 1 : 0,
-      JSON.stringify(row.iso_clause_refs ?? [])
-    );
-  }
-  console.error(`[seeder]   Inserted ${controls_2022_default.length} 2022 controls.`);
-}
-function _seedControls2013(db) {
-  const stmt = db.prepare(`
-    INSERT OR IGNORE INTO controls
-      (id, control_id, version, name, theme, description, guidance,
-       control_type, attributes, related_controls, new_in_2022, iso_clause_refs)
-    VALUES
-      (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `);
-  for (const row of controls_2013_default) {
-    stmt.run(
-      stableId(`2013:${row.control_id}`),
-      row.control_id,
-      "2013",
-      row.name,
-      row.theme,
-      row.description,
-      row.guidance ?? null,
-      JSON.stringify(row.control_type),
-      null,
-      // 2013 controls have no 2022-style attributes
-      JSON.stringify(row.related_controls ?? []),
-      0,
-      // new_in_2022 is always false for 2013 controls
-      JSON.stringify(row.iso_clause_refs ?? [])
-    );
-  }
-  console.error(`[seeder]   Inserted ${controls_2013_default.length} 2013 controls.`);
-}
-function _seedVersionMappings(db) {
-  const stmt = db.prepare(`
-    INSERT OR IGNORE INTO control_version_mapping
-      (id, v2013_id, v2022_id, mapping_type, change_summary, migration_notes)
-    VALUES
-      (?, ?, ?, ?, ?, ?)
-  `);
-  for (const row of version_mapping_default) {
-    const naturalKey = `mapping:${row.v2013_id ?? "null"}:${row.v2022_id ?? "null"}:${row.mapping_type}`;
-    stmt.run(
-      stableId(naturalKey),
-      row.v2013_id ?? null,
-      row.v2022_id ?? null,
-      row.mapping_type,
-      row.change_summary,
-      row.migration_notes ?? null
-    );
-  }
-  console.error(`[seeder]   Inserted ${version_mapping_default.length} version mappings.`);
-}
-function _seedClauseRequirements(db) {
-  const stmt = db.prepare(`
-    INSERT OR IGNORE INTO clause_requirements
-      (id, clause_id, parent_id, title, requirement_text,
-       implementation_notes, related_controls)
-    VALUES
-      (?, ?, ?, ?, ?, ?, ?)
-  `);
-  const clauses = clause_requirements_default;
-  const idMap = /* @__PURE__ */ new Map();
-  for (const row of clauses) {
-    idMap.set(row.clause_id, stableId(`clause:${row.clause_id}`));
-  }
-  const sorted = [...clauses].sort((a, b) => {
-    if (a.parent_id === null && b.parent_id !== null) return -1;
-    if (a.parent_id !== null && b.parent_id === null) return 1;
-    return a.clause_id.localeCompare(b.clause_id);
-  });
-  for (const row of sorted) {
-    const rowId = idMap.get(row.clause_id);
-    const parentDbId = row.parent_id ? idMap.get(row.parent_id) ?? null : null;
-    stmt.run(
-      rowId,
-      row.clause_id,
-      parentDbId,
-      row.title,
-      row.requirement_text,
-      row.implementation_notes ?? null,
-      JSON.stringify(row.related_controls ?? [])
-    );
+  {
+    clause_id: "9.3.2",
+    parent_id: "9.3",
+    title: "Management review inputs",
+    requirement_text: "The management review shall include consideration of: status of actions from previous reviews; changes in external/internal issues; feedback on information security performance; feedback from interested parties; results of risk assessment and risk treatment plan status; opportunities for continual improvement.",
+    implementation_notes: "Prepare management review inputs in advance. Include trend data where available. Present metrics and KPIs. Summarise key risks and treatment status. Include audit findings and corrective action status.",
+    related_controls: [
+      "5.35",
+      "5.36"
+    ]
+  },
+  {
+    clause_id: "9.3.3",
+    parent_id: "9.3",
+    title: "Management review results",
+    requirement_text: "The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the information security management system.",
+    implementation_notes: "Document all decisions with clear action items, owners, and due dates. Communicate decisions to relevant stakeholders. Track action items to completion. Use management review outputs to drive ISMS improvement.",
+    related_controls: [
+      "5.1"
+    ]
+  },
+  {
+    clause_id: "10",
+    parent_id: null,
+    title: "Improvement",
+    requirement_text: "The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.",
+    implementation_notes: "Improvement activities include corrective actions, preventive actions, and continual improvement initiatives. Track and trend nonconformities. Use improvement inputs from audits, incidents, management reviews, and performance metrics.",
+    related_controls: [
+      "5.27",
+      "5.35",
+      "5.36"
+    ]
+  },
+  {
+    clause_id: "10.1",
+    parent_id: "10",
+    title: "Continual improvement",
+    requirement_text: "The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.",
+    implementation_notes: "Establish a formal process for identifying and implementing improvements. Use Lessons Learned from incidents, audit findings, and management reviews as inputs. Track improvement initiatives to completion. Measure the effectiveness of improvements.",
+    related_controls: [
+      "5.27"
+    ]
+  },
+  {
+    clause_id: "10.2",
+    parent_id: "10",
+    title: "Nonconformity and corrective action",
+    requirement_text: "When a nonconformity occurs, the organisation shall: a) react to the nonconformity and, as applicable: 1) take action to control and correct it; 2) deal with the consequences; b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by: 1) reviewing the nonconformity; 2) determining the causes of the nonconformity; 3) determining if similar nonconformities exist, or could potentially occur; c) implement any action needed; d) review the effectiveness of any corrective action taken; e) make changes to the information security management system, if necessary. Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organisation shall retain documented information as evidence of: a) the nature of the nonconformities and any subsequent actions taken; b) the results of any corrective action.",
+    implementation_notes: "Establish a formal nonconformity and corrective action procedure. Use root cause analysis techniques (5 Whys, fishbone diagram). Assign corrective actions to owners with due dates. Verify effectiveness before closing. Retain records of nonconformities and corrective actions.",
+    related_controls: [
+      "5.27",
+      "5.35"
+    ]
   }
-  console.error(`[seeder]   Inserted ${clauses.length} clause requirements.`);
-}
-function _rebuildFts(db) {
-  db.prepare("INSERT INTO controls_fts(controls_fts) VALUES('rebuild')").run();
-  console.error("[seeder]   FTS5 index rebuilt.");
-}
-
-// src/server.ts
-var import_mcp6 = require("@modelcontextprotocol/sdk/server/mcp.js");
-
-// src/tools/index.ts
-var import_zod2 = require("zod");
-
-// src/auth/api-key.ts
-var import_node_crypto4 = require("crypto");
-var import_node_crypto5 = require("crypto");
+];
 
-// src/types/errors.ts
-var HTTP_STATUS = {
-  AUTH_MISSING: 401,
-  AUTH_INVALID: 401,
-  AUTH_EXPIRED: 401,
-  AUTH_REVOKED: 401,
-  RBAC_DENIED: 403,
-  RATE_LIMITED: 429,
-  VALIDATION_ERROR: 400,
-  NOT_FOUND: 404,
-  BUSINESS_RULE: 422,
-  INTERNAL_ERROR: 500,
-  INTEGRATION_ERROR: 502
-};
-var McpError = class extends Error {
-  error_code;
-  http_status;
-  field;
-  hint;
-  docs_ref;
-  constructor(opts) {
-    super(opts.message);
-    this.name = "McpError";
-    this.error_code = opts.error_code;
-    this.http_status = HTTP_STATUS[opts.error_code];
-    this.field = opts.field;
-    this.hint = opts.hint;
-    this.docs_ref = opts.docs_ref;
-  }
-  /**
-   * Serialise to the structured tool result format expected by the MCP SDK.
-   * Returns a single content block with JSON text so Claude can parse it.
-   */
-  toToolResult() {
-    const body = {
-      error_code: this.error_code,
-      http_status: this.http_status,
-      message: this.message
-    };
-    if (this.field) body["field"] = this.field;
-    if (this.hint) body["hint"] = this.hint;
-    if (this.docs_ref) body["docs_ref"] = this.docs_ref;
-    return {
-      content: [{ type: "text", text: JSON.stringify(body, null, 2) }],
-      isError: true
-    };
-  }
+// src/seed/checksums.json
+var checksums_default = {
+  "controls-2022.json": "f6ccfc42c3ebe39695f8d5c75face62077bffceb28a1786207969c75d5b78cba",
+  "controls-2013.json": "653ecfb8e22e134d836d3ee38f48839152dd4a2c382a38e1f2052d9a4dbe8c39",
+  "version-mapping.json": "458e2acf023bcd4636113df5b5fc1252c82db62e382a8887fcdfcb53ed62687a",
+  "clause-requirements.json": "ef72f98436a1faba117fe333c096b365180aa7a7d5eeebb9cd2f70cbd542592c"
 };
-function authMissing() {
-  return new McpError({
-    error_code: "AUTH_MISSING",
-    message: "No API key provided. Pass your key via MCP_API_KEY env var or _meta.apiKey.",
-    hint: "Set MCP_API_KEY env var or include apiKey in _meta"
-  });
-}
-function authInvalid() {
-  return new McpError({
-    error_code: "AUTH_INVALID",
-    message: "HMAC validation failed. The provided API key is not recognised.",
-    hint: "Verify your API key \u2014 run: iso27001-mcp keygen"
-  });
-}
-function authExpired() {
-  return new McpError({
-    error_code: "AUTH_EXPIRED",
-    message: "API key has expired.",
-    hint: "Generate a new key: iso27001-mcp keygen"
-  });
-}
-function authRevoked() {
-  return new McpError({
-    error_code: "AUTH_REVOKED",
-    message: "API key has been revoked.",
-    hint: "Generate a new key: iso27001-mcp keygen --role [role]"
-  });
-}
-function rbacDenied(toolName, requiredRole) {
-  return new McpError({
-    error_code: "RBAC_DENIED",
-    message: `Your role does not have permission to call '${toolName}'. Requires: ${requiredRole}.`,
-    hint: "Your role cannot call this tool \u2014 contact your admin to get a key with a higher role"
-  });
-}
-function rateLimited() {
-  return new McpError({
-    error_code: "RATE_LIMITED",
-    message: "Too many requests. Exceeded RATE_LIMIT_RPM.",
-    hint: "Slow down or raise RATE_LIMIT_RPM in your .env"
-  });
-}
-function notFound(entity, id) {
-  return new McpError({
-    error_code: "NOT_FOUND",
-    message: `${entity} not found: ${id}`
-  });
-}
-function businessRule(message, hint, docsRef) {
-  return new McpError({
-    error_code: "BUSINESS_RULE",
-    message,
-    hint,
-    docs_ref: docsRef
-  });
-}
-function integrationError(service, message, hint) {
-  return new McpError({
-    error_code: "INTEGRATION_ERROR",
-    message: `${service} integration error: ${message}`,
-    hint
-  });
-}
 
-// src/auth/api-key.ts
-function hmacSha256(secret, data) {
-  return (0, import_node_crypto4.createHmac)("sha256", secret).update(data).digest("hex");
-}
-function generateKey(label, role, expiresAt) {
-  const db = getDb();
-  const rawKey = "iso27001_" + (0, import_node_crypto4.randomBytes)(24).toString("base64url");
-  const keyHash = hmacSha256(requireEnv("HMAC_SECRET"), rawKey);
-  db.prepare(`
-    INSERT INTO api_keys (id, key_hash, label, role, expires_at, created_at)
-    VALUES (?, ?, ?, ?, ?, datetime('now'))
-  `).run(
-    (0, import_node_crypto5.randomUUID)(),
-    keyHash,
-    label,
-    role,
-    expiresAt ?? null
-  );
-  console.log("=".repeat(60));
-  console.log("API Key generated (save now \u2014 NOT stored in plaintext):");
-  console.log("");
-  console.log("  " + rawKey);
-  console.log("");
-  console.log(`  Label:   ${label}`);
-  console.log(`  Role:    ${role}`);
-  console.log(`  Expires: ${expiresAt ?? "never"}`);
-  console.log("=".repeat(60));
-  return rawKey;
-}
-function validateKey(rawKey) {
-  if (!rawKey) throw authMissing();
-  const secret = requireEnv("HMAC_SECRET");
-  const keyHash = hmacSha256(secret, rawKey);
-  const db = getDb();
-  const row = db.prepare(
-    "SELECT key_hash FROM api_keys WHERE key_hash = ? LIMIT 1"
-  ).get(keyHash);
-  if (!row) {
-    const dummyA = Buffer.alloc(32, 0);
-    const dummyB = Buffer.alloc(32, 1);
-    (0, import_node_crypto4.timingSafeEqual)(dummyA, dummyB);
-    throw authInvalid();
-  }
-  const storedBuf = Buffer.from(row.key_hash, "hex");
-  const computedBuf = Buffer.from(keyHash, "hex");
-  if (storedBuf.length !== computedBuf.length || !(0, import_node_crypto4.timingSafeEqual)(storedBuf, computedBuf)) {
-    throw authInvalid();
-  }
-  return keyHash;
+// src/seed/seeder.ts
+function sha256(data) {
+  return (0, import_node_crypto5.createHash)("sha256").update(JSON.stringify(data, null, 2)).digest("hex");
 }
-function loadRole(keyHash) {
-  const db = getDb();
-  const row = db.prepare(`
-    SELECT id, role, expires_at, revoked_at FROM api_keys WHERE key_hash = ?
-  `).get(keyHash);
-  if (!row) throw authInvalid();
-  if (row.revoked_at) throw authRevoked();
-  if (row.expires_at) {
-    const expiry = new Date(row.expires_at);
-    if (expiry < /* @__PURE__ */ new Date()) throw authExpired();
-  }
-  try {
-    db.prepare("UPDATE api_keys SET last_used_at = datetime('now') WHERE id = ?").run(row.id);
-  } catch {
+function verifyChecksums() {
+  const checks = [
+    { key: "controls-2022.json", data: controls_2022_default },
+    { key: "controls-2013.json", data: controls_2013_default },
+    { key: "version-mapping.json", data: version_mapping_default },
+    { key: "clause-requirements.json", data: clause_requirements_default }
+  ];
+  for (const { key, data } of checks) {
+    const actual = sha256(data);
+    const expected = checksums_default[key];
+    if (!expected) {
+      throw new Error(
+        `[seeder] No checksum entry found for "${key}". Run "npm run generate-checksums" to regenerate checksums.json.`
+      );
+    }
+    if (actual !== expected) {
+      throw new Error(
+        `[seeder] Checksum mismatch for "${key}".
+  expected: ${expected}
+  actual:   ${actual}
+Seed data may have been modified. Run "npm run generate-checksums" to update checksums.json.`
+      );
+    }
   }
-  return row.role;
+  console.error("[seeder] Checksum verification passed.");
 }
-function listKeys() {
-  const db = getDb();
-  const rows = db.prepare(`
-    SELECT id, label, role, created_at, expires_at, revoked_at, last_used_at
-    FROM api_keys
-    ORDER BY created_at DESC
-  `).all();
-  const now2 = /* @__PURE__ */ new Date();
-  return rows.map((r) => {
-    let status = "active";
-    if (r.revoked_at) {
-      status = "revoked";
-    } else if (r.expires_at && new Date(r.expires_at) < now2) {
-      status = "expired";
-    }
-    return {
-      id: r.id,
-      label: r.label,
-      role: r.role,
-      created_at: r.created_at,
-      expires_at: r.expires_at,
-      last_used_at: r.last_used_at,
-      status
-    };
+function stableId(key) {
+  const h = (0, import_node_crypto5.createHash)("sha256").update(key).digest("hex");
+  return `${h.slice(0, 8)}-${h.slice(8, 12)}-4${h.slice(13, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;
+}
+function seedAll(db) {
+  verifyChecksums();
+  const existing = db.prepare("SELECT count(*) AS n FROM controls").get();
+  if (existing.n > 0) {
+    console.error(`[seeder] Seed data already present (${existing.n} controls). Skipping.`);
+    return;
+  }
+  console.error("[seeder] Starting seed run\u2026");
+  const t0 = Date.now();
+  const seed = db.transaction(() => {
+    _seedControls2022(db);
+    _seedControls2013(db);
+    _seedVersionMappings(db);
+    _seedClauseRequirements(db);
+    _rebuildFts(db);
   });
+  seed();
+  const elapsed = Date.now() - t0;
+  const totals = db.prepare(`
+      SELECT
+        (SELECT count(*) FROM controls WHERE version='2022')           AS c2022,
+        (SELECT count(*) FROM controls WHERE version='2013')           AS c2013,
+        (SELECT count(*) FROM controls WHERE new_in_2022=1)            AS new22,
+        (SELECT count(*) FROM control_version_mapping)                 AS mappings,
+        (SELECT count(*) FROM clause_requirements)                     AS clauses
+    `).get();
+  console.error(
+    `[seeder] Done in ${elapsed}ms \u2014 controls-2022: ${totals.c2022}, controls-2013: ${totals.c2013}, new-in-2022: ${totals.new22}, mappings: ${totals.mappings}, clauses: ${totals.clauses}`
+  );
 }
-function revokeKey(label) {
-  const db = getDb();
-  const row = db.prepare("SELECT id FROM api_keys WHERE label = ?").get(label);
-  if (!row) {
-    throw new Error(`API key with label '${label}' not found.`);
+function _seedControls2022(db) {
+  const stmt = db.prepare(`
+    INSERT OR IGNORE INTO controls
+      (id, control_id, version, name, theme, description, guidance,
+       control_type, attributes, related_controls, new_in_2022, iso_clause_refs)
+    VALUES
+      (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  for (const row of controls_2022_default) {
+    stmt.run(
+      stableId(`2022:${row.control_id}`),
+      row.control_id,
+      "2022",
+      row.name,
+      row.theme,
+      row.description,
+      row.guidance ?? null,
+      JSON.stringify(row.control_type),
+      row.attributes ? JSON.stringify(row.attributes) : null,
+      JSON.stringify(row.related_controls ?? []),
+      row.new_in_2022 ? 1 : 0,
+      JSON.stringify(row.iso_clause_refs ?? [])
+    );
   }
-  db.prepare("UPDATE api_keys SET revoked_at = datetime('now') WHERE id = ?").run(row.id);
-  console.log(`[auth] Key '${label}' revoked.`);
+  console.error(`[seeder]   Inserted ${controls_2022_default.length} 2022 controls.`);
 }
-function warnAdminExpiry() {
-  const db = getDb();
-  const rows = db.prepare(`
-    SELECT label FROM api_keys
-    WHERE role = 'admin' AND expires_at IS NULL AND revoked_at IS NULL
-  `).all();
-  if (rows.length > 0) {
-    const labels = rows.map((r) => r.label).join(", ");
-    console.warn(
-      `[SECURITY] Admin keys without expiry: ${labels}. Consider setting --expires to limit blast radius.`
+function _seedControls2013(db) {
+  const stmt = db.prepare(`
+    INSERT OR IGNORE INTO controls
+      (id, control_id, version, name, theme, description, guidance,
+       control_type, attributes, related_controls, new_in_2022, iso_clause_refs)
+    VALUES
+      (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  for (const row of controls_2013_default) {
+    stmt.run(
+      stableId(`2013:${row.control_id}`),
+      row.control_id,
+      "2013",
+      row.name,
+      row.theme,
+      row.description,
+      row.guidance ?? null,
+      JSON.stringify(row.control_type),
+      null,
+      // 2013 controls have no 2022-style attributes
+      JSON.stringify(row.related_controls ?? []),
+      0,
+      // new_in_2022 is always false for 2013 controls
+      JSON.stringify(row.iso_clause_refs ?? [])
     );
   }
+  console.error(`[seeder]   Inserted ${controls_2013_default.length} 2013 controls.`);
 }
-function parseExpiresFlag(value) {
-  if (/^\d{4}-\d{2}-\d{2}$/.test(value)) return value;
-  const days = /^(\d+)d$/.exec(value);
-  if (days) {
-    const d = /* @__PURE__ */ new Date();
-    d.setDate(d.getDate() + parseInt(days[1], 10));
-    return d.toISOString().split("T")[0];
+function _seedVersionMappings(db) {
+  const stmt = db.prepare(`
+    INSERT OR IGNORE INTO control_version_mapping
+      (id, v2013_id, v2022_id, mapping_type, change_summary, migration_notes)
+    VALUES
+      (?, ?, ?, ?, ?, ?)
+  `);
+  for (const row of version_mapping_default) {
+    const naturalKey = `mapping:${row.v2013_id ?? "null"}:${row.v2022_id ?? "null"}:${row.mapping_type}`;
+    stmt.run(
+      stableId(naturalKey),
+      row.v2013_id ?? null,
+      row.v2022_id ?? null,
+      row.mapping_type,
+      row.change_summary,
+      row.migration_notes ?? null
+    );
   }
-  const years = /^(\d+)y$/.exec(value);
-  if (years) {
-    const d = /* @__PURE__ */ new Date();
-    d.setFullYear(d.getFullYear() + parseInt(years[1], 10));
-    return d.toISOString().split("T")[0];
+  console.error(`[seeder]   Inserted ${version_mapping_default.length} version mappings.`);
+}
+function _seedClauseRequirements(db) {
+  const stmt = db.prepare(`
+    INSERT OR IGNORE INTO clause_requirements
+      (id, clause_id, parent_id, title, requirement_text,
+       implementation_notes, related_controls)
+    VALUES
+      (?, ?, ?, ?, ?, ?, ?)
+  `);
+  const clauses = clause_requirements_default;
+  const idMap = /* @__PURE__ */ new Map();
+  for (const row of clauses) {
+    idMap.set(row.clause_id, stableId(`clause:${row.clause_id}`));
   }
-  throw new Error(
-    `Invalid --expires value: '${value}'. Use '90d', '1y', or 'YYYY-MM-DD'.`
-  );
+  const sorted = [...clauses].sort((a, b) => {
+    if (a.parent_id === null && b.parent_id !== null) return -1;
+    if (a.parent_id !== null && b.parent_id === null) return 1;
+    return a.clause_id.localeCompare(b.clause_id);
+  });
+  for (const row of sorted) {
+    const rowId = idMap.get(row.clause_id);
+    const parentDbId = row.parent_id ? idMap.get(row.parent_id) ?? null : null;
+    stmt.run(
+      rowId,
+      row.clause_id,
+      parentDbId,
+      row.title,
+      row.requirement_text,
+      row.implementation_notes ?? null,
+      JSON.stringify(row.related_controls ?? [])
+    );
+  }
+  console.error(`[seeder]   Inserted ${clauses.length} clause requirements.`);
+}
+function _rebuildFts(db) {
+  db.prepare("INSERT INTO controls_fts(controls_fts) VALUES('rebuild')").run();
+  console.error("[seeder]   FTS5 index rebuilt.");
 }
 
+// src/server.ts
+var import_mcp8 = require("@modelcontextprotocol/sdk/server/mcp.js");
+
+// src/tools/index.ts
+var import_zod2 = require("zod");
+
 // src/auth/rbac.ts
 var ROLE_LEVEL = {
   viewer: 0,
@@ -33237,7 +33408,26 @@ var TOOL_MIN_ROLE = {
   get_procedure: "viewer",
   update_procedure: "admin",
   list_procedures: "viewer",
-  export_procedure: "analyst"
+  export_procedure: "analyst",
+  // ── Group 12: Management Review (Clause 9.3) ─────────────
+  // Schedule/record: admin; read: viewer
+  create_management_review: "admin",
+  record_review_input: "admin",
+  record_review_output: "admin",
+  complete_management_review: "admin",
+  get_management_review: "viewer",
+  list_management_reviews: "viewer",
+  // ── Group 13: Improvement Plan (Clause 10.1) ─────────────
+  // Create/update: analyst; read: viewer
+  create_improvement_opportunity: "analyst",
+  update_improvement_opportunity: "analyst",
+  get_improvement_opportunity: "viewer",
+  list_improvement_opportunities: "viewer",
+  // ── Group 14: Evidence Templates ──────────────────────────
+  // Generate (writes two tables): analyst; read: viewer
+  generate_evidence_document: "analyst",
+  get_evidence_document: "viewer",
+  list_evidence_documents: "viewer"
 };
 function checkPermission(role, toolName) {
   const minRole = TOOL_MIN_ROLE[toolName] ?? "admin";
@@ -33358,12 +33548,29 @@ function writeAuditEvent(event) {
   const db = getDb();
   const id = (0, import_node_crypto6.randomUUID)();
   const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace("T", " ").split(".")[0] + "Z";
-  const row_hash = (0, import_node_crypto6.createHash)("sha256").update(`${timestamp}|${event.tool}|${event.key_hash}|${event.outcome}`).digest("hex");
+  const prevRow = db.prepare(
+    "SELECT row_hash FROM audit_log ORDER BY rowid DESC LIMIT 1"
+  ).get();
+  const prev_hash = prevRow?.row_hash ?? null;
+  const hmacSecret = requireEnv("HMAC_SECRET");
+  const hashInput = [
+    id,
+    timestamp,
+    event.tool,
+    event.key_hash,
+    event.role,
+    event.params_json,
+    event.outcome,
+    event.error_message ?? "",
+    String(event.duration_ms),
+    prev_hash ?? "GENESIS"
+  ].join("|");
+  const row_hash = (0, import_node_crypto6.createHmac)("sha256", hmacSecret).update(hashInput).digest("hex");
   db.prepare(`
     INSERT INTO audit_log
       (id, timestamp, tool, key_hash, role, params_json,
-       outcome, error_message, duration_ms, row_hash)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+       outcome, error_message, duration_ms, prev_hash, row_hash)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   `).run(
     id,
     timestamp,
@@ -33374,9 +33581,10 @@ function writeAuditEvent(event) {
     event.outcome,
     event.error_message,
     event.duration_ms,
+    prev_hash,
     row_hash
   );
-  const full = { id, timestamp, row_hash, ...event };
+  const full = { id, timestamp, prev_hash, row_hash, ...event };
   try {
     const logPath = getEnv("AUDIT_LOG_PATH", "./audit.jsonl");
     (0, import_node_fs.appendFileSync)(logPath, JSON.stringify(full) + "\n", "utf8");
@@ -33834,6 +34042,132 @@ var ExportProcedureSchema = import_zod.z.object({
   procedure_id: uuid,
   format: formatMarkdownJson
 });
+var reviewStatusEnum = import_zod.z.enum(["planned", "in_progress", "completed"]);
+var reviewInputCategoryEnum = import_zod.z.enum([
+  "previous_action_status",
+  "external_internal_issues",
+  "interested_party_needs",
+  "isms_performance",
+  "interested_party_feedback",
+  "risk_assessment_results",
+  "improvement_opportunities"
+]);
+var reviewOutputTypeEnum = import_zod.z.enum([
+  "improvement_decision",
+  "isms_change_decision"
+]);
+var reviewTrendEnum = import_zod.z.enum([
+  "improving",
+  "stable",
+  "declining",
+  "insufficient_data"
+]);
+var CreateManagementReviewSchema = import_zod.z.object({
+  title: shortText(200),
+  review_date: date,
+  reviewers: import_zod.z.array(shortText(200)).min(1, "At least one reviewer required"),
+  scope_notes: freeText(2e3).optional()
+});
+var RecordReviewInputSchema = import_zod.z.object({
+  review_id: uuid,
+  input_category: reviewInputCategoryEnum,
+  summary: freeText(2e3),
+  details: freeText(4e3).optional(),
+  trend: reviewTrendEnum.optional()
+});
+var RecordReviewOutputSchema = import_zod.z.object({
+  review_id: uuid,
+  output_type: reviewOutputTypeEnum,
+  decision: freeText(2e3),
+  owner: shortText(200).optional(),
+  due_date: date.optional()
+});
+var CompleteManagementReviewSchema = import_zod.z.object({
+  review_id: uuid,
+  completed_by: shortText(200)
+});
+var GetManagementReviewSchema = import_zod.z.object({
+  review_id: uuid
+});
+var ListManagementReviewsSchema = import_zod.z.object({
+  status: reviewStatusEnum.optional(),
+  limit: paginationLimit,
+  offset: paginationOffset
+});
+var improvementStatusEnum = import_zod.z.enum([
+  "open",
+  "in_progress",
+  "implemented",
+  "closed"
+]);
+var improvementSourceEnum = import_zod.z.enum([
+  "management_review",
+  "risk_assessment",
+  "audit",
+  "monitoring",
+  "other"
+]);
+var improvementPriorityEnum = import_zod.z.enum([
+  "low",
+  "medium",
+  "high",
+  "critical"
+]);
+var CreateImprovementOpportunitySchema = import_zod.z.object({
+  title: shortText(200),
+  description: freeText(2e3),
+  source: improvementSourceEnum,
+  priority: improvementPriorityEnum.optional().default("medium"),
+  owner: shortText(200).optional(),
+  target_date: date.optional(),
+  review_id: uuid.optional()
+});
+var UpdateImprovementOpportunitySchema = import_zod.z.object({
+  opportunity_id: uuid,
+  status: improvementStatusEnum.optional(),
+  owner: shortText(200).optional(),
+  target_date: date.optional(),
+  priority: improvementPriorityEnum.optional(),
+  description: freeText(2e3).optional()
+});
+var GetImprovementOpportunitySchema = import_zod.z.object({
+  opportunity_id: uuid
+});
+var ListImprovementOpportunitiesSchema = import_zod.z.object({
+  status: improvementStatusEnum.optional(),
+  source: improvementSourceEnum.optional(),
+  priority: improvementPriorityEnum.optional(),
+  review_id: uuid.optional(),
+  limit: paginationLimit,
+  offset: paginationOffset
+});
+var evidenceTemplateTypeEnum = import_zod.z.enum([
+  "access_review_attestation",
+  "training_acknowledgement",
+  "supplier_security_questionnaire",
+  "incident_post_mortem",
+  "bcp_test_report",
+  "risk_treatment_sign_off"
+]);
+var GenerateEvidenceDocumentSchema = import_zod.z.object({
+  template_type: evidenceTemplateTypeEnum,
+  title: shortText(200),
+  generated_by: shortText(200),
+  organisation_name: shortText(200).optional(),
+  // falls back to org profile
+  control_id: import_zod.z.string().min(1).max(20).optional(),
+  vars: import_zod.z.record(import_zod.z.string()).optional().default({})
+});
+var GetEvidenceDocumentSchema = import_zod.z.object({
+  document_id: uuid
+});
+var ListEvidenceDocumentsSchema = import_zod.z.object({
+  template_type: evidenceTemplateTypeEnum.optional(),
+  generated_by: shortText(200).optional(),
+  control_id: import_zod.z.string().min(1).max(20).optional(),
+  limit: paginationLimit,
+  offset: paginationOffset
+});
 var TOOL_SCHEMAS = {
   // Group 1
   get_control: GetControlSchema,
@@ -33895,7 +34229,23 @@ var TOOL_SCHEMAS = {
   get_procedure: GetProcedureSchema,
   update_procedure: UpdateProcedureSchema,
   list_procedures: ListProceduresSchema,
-  export_procedure: ExportProcedureSchema
+  export_procedure: ExportProcedureSchema,
+  // Group 12
+  create_management_review: CreateManagementReviewSchema,
+  record_review_input: RecordReviewInputSchema,
+  record_review_output: RecordReviewOutputSchema,
+  complete_management_review: CompleteManagementReviewSchema,
+  get_management_review: GetManagementReviewSchema,
+  list_management_reviews: ListManagementReviewsSchema,
+  // Group 13
+  create_improvement_opportunity: CreateImprovementOpportunitySchema,
+  update_improvement_opportunity: UpdateImprovementOpportunitySchema,
+  get_improvement_opportunity: GetImprovementOpportunitySchema,
+  list_improvement_opportunities: ListImprovementOpportunitiesSchema,
+  // Group 14
+  generate_evidence_document: GenerateEvidenceDocumentSchema,
+  get_evidence_document: GetEvidenceDocumentSchema,
+  list_evidence_documents: ListEvidenceDocumentsSchema
 };
 
 // src/tools/server-info.ts
@@ -34974,6 +35324,28 @@ function loadTemplate(type, dir) {
     `Template file not found for '${type}' in '${dir}'. Run 'npm run build' to ensure templates are copied into dist/.`
   );
 }
+var PARTIAL_NAMES = ["org_header", "revision_block", "approver_signature"];
+function loadPartials() {
+  const partials = {};
+  for (const name of PARTIAL_NAMES) {
+    const candidates = [
+      (0, import_node_path.join)(__dirname, `../seed/partials`, `${name}.md`),
+      (0, import_node_path.join)(process.cwd(), `src/seed/partials`, `${name}.md`),
+      (0, import_node_path.join)(process.cwd(), `dist/seed/partials`, `${name}.md`)
+    ];
+    for (const candidate of candidates) {
+      try {
+        partials[name] = (0, import_node_fs2.readFileSync)(candidate, "utf8");
+        break;
+      } catch {
+      }
+    }
+    if (!partials[name]) {
+      partials[name] = "";
+    }
+  }
+  return partials;
+}
 function stripFrontmatter(raw) {
   const match = raw.match(/^---\n([\s\S]*?)\n---\n([\s\S]*)$/);
   if (!match) return { template: raw, clauseMappings: [], controlMappings: [] };
@@ -35113,8 +35485,10 @@ function handleCreatePolicy(args2) {
     approver: approver ?? "TBD",
     effective_date,
     next_review_date: next_review,
-    version: "1.0"
-  });
+    version: "1.0",
+    clause_mappings: clauseMappings.join(", "),
+    control_mappings: controlMappings.join(", ")
+  }, loadPartials());
   db.prepare(`
     INSERT INTO policies
       (id, type, organisation_name, scope, owner, approver, status, version,
@@ -35197,8 +35571,10 @@ function handleUpdatePolicy(args2) {
     approver: approver ?? current.approver ?? "TBD",
     effective_date: current.effective_date,
     next_review_date: current.next_review_date,
-    version: `${newVersion}.0`
-  });
+    version: `${newVersion}.0`,
+    clause_mappings: clauseMappings.join(", "),
+    control_mappings: controlMappings.join(", ")
+  }, loadPartials());
   db.prepare(`
     UPDATE policies SET
       scope       = COALESCE(?, scope),
@@ -36036,8 +36412,10 @@ function handleCreateProcedure(args2) {
     effective_date,
     next_review_date: next_review,
     version: "1.0",
-    parent_policy_id: resolvedPolicyId ?? "N/A"
-  });
+    parent_policy_id: resolvedPolicyId ?? "N/A",
+    clause_mappings: clauseMappings.join(", "),
+    control_mappings: controlMappings.join(", ")
+  }, loadPartials());
   db.prepare(`
     INSERT INTO procedures
       (id, procedure_type, policy_id, organisation_name, scope, owner, approver,
@@ -36111,152 +36489,705 @@ function handleListProcedures(args2) {
   } = args2;
   const conditions = [];
   const params = [];
-  if (procedure_type) {
-    conditions.push("procedure_type = ?");
-    params.push(procedure_type);
-  }
+  if (procedure_type) {
+    conditions.push("procedure_type = ?");
+    params.push(procedure_type);
+  }
+  if (status) {
+    conditions.push("status = ?");
+    params.push(status);
+  }
+  if (policy_id) {
+    conditions.push("policy_id = ?");
+    params.push(policy_id);
+  }
+  if (overdue_only) {
+    conditions.push("next_review_date < date('now')");
+    conditions.push("status = 'active'");
+  }
+  const where = conditions.length ? "WHERE " + conditions.join(" AND ") : "";
+  const db = getDb();
+  const total = db.prepare(`SELECT count(*) AS n FROM procedures ${where}`).get(...params).n;
+  params.push(limit, offset);
+  const rows = db.prepare(
+    `SELECT id, procedure_type, policy_id, organisation_name, owner, approver,
+              status, version, effective_date, next_review_date, review_cycle_months,
+              created_at, updated_at
+         FROM procedures ${where}
+         ORDER BY next_review_date ASC, created_at DESC
+         LIMIT ? OFFSET ?`
+  ).all(...params);
+  const today = /* @__PURE__ */ new Date();
+  today.setHours(0, 0, 0, 0);
+  const enriched = rows.map((p) => {
+    const reviewDate = new Date(p.next_review_date);
+    const diffMs = reviewDate.getTime() - today.getTime();
+    const daysUntil = Math.ceil(diffMs / (1e3 * 60 * 60 * 24));
+    return { ...p, days_until_review: daysUntil, overdue: daysUntil < 0 };
+  });
+  return ok9({ total, limit, offset, procedures: enriched });
+}
+function handleUpdateProcedure(args2) {
+  const {
+    procedure_id,
+    scope,
+    owner,
+    approver,
+    related_controls,
+    reviewed_by,
+    change_summary
+  } = args2;
+  const db = getDb();
+  const current = db.prepare("SELECT * FROM procedures WHERE id = ?").get(procedure_id);
+  if (!current) throw notFound("procedure", procedure_id);
+  if (current.status === "archived") {
+    throw businessRule("procedure", "Cannot update an archived procedure.");
+  }
+  const ts = now();
+  const newVersion = current.version + 1;
+  db.prepare(`
+    INSERT INTO procedure_versions
+      (id, procedure_id, version, content, change_summary, reviewed_by, archived_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?)
+  `).run(newId(), procedure_id, current.version, current.content, change_summary, reviewed_by, ts);
+  const raw = loadTemplate(current.procedure_type, "procedure-templates");
+  const { template, clauseMappings, controlMappings } = stripFrontmatter(raw);
+  const newScope = scope ?? current.scope;
+  const newOwner = owner ?? current.owner;
+  const rendered = import_mustache2.default.render(template, {
+    procedure_id,
+    organisation_name: current.organisation_name,
+    scope: newScope,
+    owner: newOwner,
+    approver: approver ?? current.approver ?? "TBD",
+    effective_date: current.effective_date,
+    next_review_date: current.next_review_date,
+    version: `${newVersion}.0`,
+    parent_policy_id: current.policy_id ?? "N/A",
+    clause_mappings: clauseMappings.join(", "),
+    control_mappings: controlMappings.join(", ")
+  }, loadPartials());
+  const newRelatedControls = related_controls ? JSON.stringify(related_controls) : current.related_controls;
+  db.prepare(`
+    UPDATE procedures SET
+      scope            = COALESCE(?, scope),
+      owner            = COALESCE(?, owner),
+      approver         = COALESCE(?, approver),
+      related_controls = COALESCE(?, related_controls),
+      reviewed_by      = ?,
+      version          = ?,
+      content          = ?,
+      clause_mappings  = ?,
+      control_mappings = ?,
+      updated_at       = ?
+    WHERE id = ?
+  `).run(
+    scope ?? null,
+    owner ?? null,
+    approver ?? null,
+    newRelatedControls,
+    reviewed_by,
+    newVersion,
+    rendered,
+    JSON.stringify(clauseMappings),
+    JSON.stringify(controlMappings),
+    ts,
+    procedure_id
+  );
+  return ok9({
+    id: procedure_id,
+    version: newVersion,
+    reviewed_by,
+    change_summary,
+    updated_at: ts
+  });
+}
+function handleExportProcedure(args2) {
+  const { procedure_id, format } = args2;
+  const db = getDb();
+  const row = db.prepare("SELECT * FROM procedures WHERE id = ?").get(procedure_id);
+  if (!row) throw notFound("procedure", procedure_id);
+  if (format === "markdown") {
+    const relatedControls = fromJsonArray(row.related_controls);
+    const controlsSection = relatedControls.length > 0 ? `
+
+---
+
+## Related Controls
+
+${relatedControls.map((c) => `- ${c}`).join("\n")}` : "";
+    return ok9({ format: "markdown", content: row.content + controlsSection });
+  }
+  return ok9({
+    format: "json",
+    procedure: {
+      ...row,
+      clause_mappings: fromJsonArray(row.clause_mappings),
+      control_mappings: fromJsonArray(row.control_mappings),
+      related_controls: fromJsonArray(row.related_controls)
+    }
+  });
+}
+
+// src/tools/management-review.ts
+function ok10(data) {
+  return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }], isError: false };
+}
+var REQUIRED_INPUT_CATEGORIES = [
+  "previous_action_status",
+  "external_internal_issues",
+  "interested_party_needs",
+  "isms_performance",
+  "interested_party_feedback",
+  "risk_assessment_results",
+  "improvement_opportunities"
+];
+function requireReview(id) {
+  const db = getDb();
+  const row = db.prepare("SELECT * FROM management_reviews WHERE id = ?").get(id);
+  if (!row) throw notFound("management_review", id);
+  return row;
+}
+function shapeReview(row, inputs, outputs) {
+  return {
+    ...row,
+    reviewers: fromJsonArray(row.reviewers),
+    inputs,
+    outputs
+  };
+}
+function handleCreateManagementReview(args2) {
+  const { title, review_date, reviewers, scope_notes } = args2;
+  const db = getDb();
+  const id = newId();
+  const ts = now();
+  db.prepare(`
+    INSERT INTO management_reviews (id, title, review_date, reviewers, scope_notes, status, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, 'planned', ?, ?)
+  `).run(id, title, review_date, toJson(reviewers), scope_notes ?? null, ts, ts);
+  return ok10({
+    review_id: id,
+    title,
+    review_date,
+    reviewers,
+    status: "planned",
+    message: `Management review scheduled. Record all 7 required 9.3.2 input categories before completing.`,
+    required_inputs: REQUIRED_INPUT_CATEGORIES,
+    created_at: ts
+  });
+}
+function handleRecordReviewInput(args2) {
+  const { review_id, input_category, summary, details, trend } = args2;
+  const review = requireReview(review_id);
+  if (review.status === "completed") {
+    throw businessRule("review_id", "Cannot add inputs to a completed management review.");
+  }
+  const db = getDb();
+  const existing = db.prepare(
+    "SELECT id FROM review_inputs WHERE review_id = ? AND input_category = ?"
+  ).get(review_id, input_category);
+  const ts = now();
+  if (existing) {
+    db.prepare(`
+      UPDATE review_inputs
+         SET summary = ?, details = ?, trend = ?, updated_at = ?
+       WHERE id = ?
+    `).run(summary, details ?? null, trend ?? null, ts, existing.id);
+  } else {
+    const id = newId();
+    db.prepare(`
+      INSERT INTO review_inputs (id, review_id, input_category, summary, details, trend, created_at, updated_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(id, review_id, input_category, summary, details ?? null, trend ?? null, ts, ts);
+    if (review.status === "planned") {
+      db.prepare("UPDATE management_reviews SET status = 'in_progress', updated_at = ? WHERE id = ?").run(ts, review_id);
+    }
+  }
+  const recorded = db.prepare(
+    "SELECT input_category FROM review_inputs WHERE review_id = ?"
+  ).all(review_id);
+  const recordedCategories = recorded.map((r) => r.input_category);
+  const missing = REQUIRED_INPUT_CATEGORIES.filter((c) => !recordedCategories.includes(c));
+  return ok10({
+    review_id,
+    input_category,
+    recorded_at: ts,
+    progress: {
+      recorded_count: recordedCategories.length,
+      required_count: REQUIRED_INPUT_CATEGORIES.length,
+      remaining: missing,
+      ready_to_complete: missing.length === 0
+    }
+  });
+}
+function handleRecordReviewOutput(args2) {
+  const { review_id, output_type, decision, owner, due_date } = args2;
+  const review = requireReview(review_id);
+  if (review.status === "completed") {
+    throw businessRule("review_id", "Cannot add outputs to a completed management review.");
+  }
+  const db = getDb();
+  const id = newId();
+  const ts = now();
+  db.prepare(`
+    INSERT INTO review_outputs (id, review_id, output_type, decision, owner, due_date, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(id, review_id, output_type, decision, owner ?? null, due_date ?? null, ts, ts);
+  return ok10({ output_id: id, review_id, output_type, recorded_at: ts });
+}
+function handleCompleteManagementReview(args2) {
+  const { review_id, completed_by } = args2;
+  const review = requireReview(review_id);
+  if (review.status === "completed") {
+    throw businessRule("review_id", "Management review is already completed.");
+  }
+  const db = getDb();
+  const recorded = db.prepare(
+    "SELECT input_category FROM review_inputs WHERE review_id = ?"
+  ).all(review_id);
+  const recordedCategories = new Set(recorded.map((r) => r.input_category));
+  const missing = REQUIRED_INPUT_CATEGORIES.filter((c) => !recordedCategories.has(c));
+  if (missing.length > 0) {
+    throw businessRule(
+      "input_category",
+      `ISO 27001:2022 \xA79.3.2 requires all 7 input categories before a review can be completed. Missing: ${missing.join(", ")}`
+    );
+  }
+  const outputCount = db.prepare(
+    "SELECT COUNT(*) AS c FROM review_outputs WHERE review_id = ?"
+  ).get(review_id).c;
+  if (outputCount === 0) {
+    throw businessRule(
+      "output_type",
+      "ISO 27001:2022 \xA79.3.3 requires at least one output (improvement_decision or isms_change_decision) before completing a review."
+    );
+  }
+  const ts = now();
+  db.prepare(`
+    UPDATE management_reviews
+       SET status = 'completed', completed_at = ?, completed_by = ?, updated_at = ?
+     WHERE id = ?
+  `).run(ts, completed_by, ts, review_id);
+  return ok10({
+    review_id,
+    status: "completed",
+    completed_at: ts,
+    completed_by,
+    inputs_count: recorded.length,
+    outputs_count: outputCount
+  });
+}
+function handleGetManagementReview(args2) {
+  const { review_id } = args2;
+  const db = getDb();
+  const review = requireReview(review_id);
+  const inputs = db.prepare(
+    "SELECT * FROM review_inputs WHERE review_id = ? ORDER BY input_category ASC"
+  ).all(review_id);
+  const outputs = db.prepare(
+    "SELECT * FROM review_outputs WHERE review_id = ? ORDER BY created_at ASC"
+  ).all(review_id);
+  const recordedCategories = inputs.map((i) => i.input_category);
+  const missingInputs = REQUIRED_INPUT_CATEGORIES.filter(
+    (c) => !recordedCategories.includes(c)
+  );
+  return ok10({
+    ...shapeReview(review, inputs, outputs),
+    completion_status: {
+      inputs_recorded: recordedCategories.length,
+      inputs_required: REQUIRED_INPUT_CATEGORIES.length,
+      missing_inputs: missingInputs,
+      outputs_recorded: outputs.length,
+      ready_to_complete: missingInputs.length === 0 && outputs.length > 0
+    }
+  });
+}
+function handleListManagementReviews(args2) {
+  const { status, limit = 50, offset = 0 } = args2;
+  const db = getDb();
+  const conditions = [];
+  const params = [];
+  if (status) {
+    conditions.push("status = ?");
+    params.push(status);
+  }
+  const where = conditions.length > 0 ? "WHERE " + conditions.join(" AND ") : "";
+  const sql = `
+    SELECT id, title, review_date, reviewers, status, completed_at, completed_by, created_at
+      FROM management_reviews
+    ${where}
+    ORDER BY review_date DESC
+    LIMIT ? OFFSET ?
+  `;
+  params.push(limit, offset);
+  const rows = db.prepare(sql).all(...params);
+  return ok10({
+    total: rows.length,
+    offset,
+    limit,
+    reviews: rows.map((r) => ({
+      ...r,
+      reviewers: fromJsonArray(r.reviewers)
+    }))
+  });
+}
+
+// src/tools/improvement-plan.ts
+function ok11(data) {
+  return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }], isError: false };
+}
+var STATUS_ORDINAL = {
+  open: 0,
+  in_progress: 1,
+  implemented: 2,
+  closed: 3
+};
+function requireOpportunity(id) {
+  const db = getDb();
+  const row = db.prepare("SELECT * FROM improvement_opportunities WHERE id = ?").get(id);
+  if (!row) throw notFound("improvement_opportunity", id);
+  return row;
+}
+function computeHealthRating(stats) {
+  const active = stats.open + stats.in_progress;
+  if (stats.overdue > 3) return "at_risk";
+  if (active > 10) return "needs_attention";
+  if (active === 0) return "excellent";
+  if (stats.overdue === 0) return "good";
+  return "fair";
+}
+function handleCreateImprovementOpportunity(args2) {
+  const { title, description, source, priority, owner, target_date, review_id } = args2;
+  const db = getDb();
+  const id = newId();
+  const ts = now();
+  db.prepare(`
+    INSERT INTO improvement_opportunities
+      (id, title, description, source, priority, owner, target_date, status, review_id, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, 'open', ?, ?, ?)
+  `).run(
+    id,
+    title,
+    description,
+    source,
+    priority ?? "medium",
+    owner ?? null,
+    target_date ?? null,
+    review_id ?? null,
+    ts,
+    ts
+  );
+  return ok11({
+    opportunity_id: id,
+    title,
+    source,
+    priority: priority ?? "medium",
+    status: "open",
+    created_at: ts
+  });
+}
+function handleUpdateImprovementOpportunity(args2) {
+  const { opportunity_id, status, owner, target_date, priority, description } = args2;
+  const opp = requireOpportunity(opportunity_id);
+  if (status !== void 0) {
+    const currentOrdinal = STATUS_ORDINAL[opp.status] ?? 0;
+    const newOrdinal = STATUS_ORDINAL[status] ?? 0;
+    if (newOrdinal < currentOrdinal) {
+      throw businessRule(
+        "status",
+        `Status transition '${opp.status}' \u2192 '${status}' is not permitted. Improvement opportunity status can only advance forward: open \u2192 in_progress \u2192 implemented \u2192 closed.`
+      );
+    }
+  }
+  const db = getDb();
+  const ts = now();
+  const updates = ["updated_at = ?"];
+  const params = [ts];
+  if (status !== void 0) {
+    updates.push("status = ?");
+    params.push(status);
+  }
+  if (owner !== void 0) {
+    updates.push("owner = ?");
+    params.push(owner);
+  }
+  if (target_date !== void 0) {
+    updates.push("target_date = ?");
+    params.push(target_date);
+  }
+  if (priority !== void 0) {
+    updates.push("priority = ?");
+    params.push(priority);
+  }
+  if (description !== void 0) {
+    updates.push("description = ?");
+    params.push(description);
+  }
+  params.push(opportunity_id);
+  db.prepare(`UPDATE improvement_opportunities SET ${updates.join(", ")} WHERE id = ?`).run(...params);
+  const updated = db.prepare("SELECT * FROM improvement_opportunities WHERE id = ?").get(opportunity_id);
+  return ok11(updated);
+}
+function handleGetImprovementOpportunity(args2) {
+  const { opportunity_id } = args2;
+  const opp = requireOpportunity(opportunity_id);
+  return ok11(opp);
+}
+function handleListImprovementOpportunities(args2) {
+  const { status, source, priority, review_id, limit = 50, offset = 0 } = args2;
+  const db = getDb();
+  const conditions = [];
+  const params = [];
   if (status) {
     conditions.push("status = ?");
     params.push(status);
   }
-  if (policy_id) {
-    conditions.push("policy_id = ?");
-    params.push(policy_id);
+  if (source) {
+    conditions.push("source = ?");
+    params.push(source);
   }
-  if (overdue_only) {
-    conditions.push("next_review_date < date('now')");
-    conditions.push("status = 'active'");
+  if (priority) {
+    conditions.push("priority = ?");
+    params.push(priority);
   }
-  const where = conditions.length ? "WHERE " + conditions.join(" AND ") : "";
-  const db = getDb();
-  const total = db.prepare(`SELECT count(*) AS n FROM procedures ${where}`).get(...params).n;
-  params.push(limit, offset);
-  const rows = db.prepare(
-    `SELECT id, procedure_type, policy_id, organisation_name, owner, approver,
-              status, version, effective_date, next_review_date, review_cycle_months,
-              created_at, updated_at
-         FROM procedures ${where}
-         ORDER BY next_review_date ASC, created_at DESC
-         LIMIT ? OFFSET ?`
-  ).all(...params);
-  const today = /* @__PURE__ */ new Date();
-  today.setHours(0, 0, 0, 0);
-  const enriched = rows.map((p) => {
-    const reviewDate = new Date(p.next_review_date);
-    const diffMs = reviewDate.getTime() - today.getTime();
-    const daysUntil = Math.ceil(diffMs / (1e3 * 60 * 60 * 24));
-    return { ...p, days_until_review: daysUntil, overdue: daysUntil < 0 };
+  if (review_id) {
+    conditions.push("review_id = ?");
+    params.push(review_id);
+  }
+  const where = conditions.length > 0 ? "WHERE " + conditions.join(" AND ") : "";
+  const rows = db.prepare(`
+    SELECT * FROM improvement_opportunities
+    ${where}
+    ORDER BY
+      CASE priority WHEN 'critical' THEN 0 WHEN 'high' THEN 1 WHEN 'medium' THEN 2 ELSE 3 END ASC,
+      target_date ASC NULLS LAST,
+      created_at DESC
+    LIMIT ? OFFSET ?
+  `).all(...params, limit, offset);
+  const stats = db.prepare(`
+    SELECT
+      SUM(CASE WHEN status = 'open'        THEN 1 ELSE 0 END) AS open,
+      SUM(CASE WHEN status = 'in_progress' THEN 1 ELSE 0 END) AS in_progress,
+      SUM(CASE WHEN status = 'implemented' THEN 1 ELSE 0 END) AS implemented,
+      SUM(CASE WHEN status = 'closed'      THEN 1 ELSE 0 END) AS closed,
+      SUM(
+        CASE WHEN status IN ('open','in_progress')
+              AND target_date IS NOT NULL
+              AND target_date < date('now') THEN 1 ELSE 0 END
+      ) AS overdue
+    FROM improvement_opportunities
+  `).get();
+  return ok11({
+    total: rows.length,
+    offset,
+    limit,
+    opportunities: rows,
+    health: {
+      open: stats.open ?? 0,
+      in_progress: stats.in_progress ?? 0,
+      implemented: stats.implemented ?? 0,
+      closed: stats.closed ?? 0,
+      overdue: stats.overdue ?? 0,
+      rating: computeHealthRating({
+        open: stats.open ?? 0,
+        in_progress: stats.in_progress ?? 0,
+        implemented: stats.implemented ?? 0,
+        closed: stats.closed ?? 0,
+        overdue: stats.overdue ?? 0
+      })
+    }
   });
-  return ok9({ total, limit, offset, procedures: enriched });
 }
-function handleUpdateProcedure(args2) {
+
+// src/tools/evidence-templates.ts
+var import_mustache3 = __toESM(require("mustache"));
+function ok12(data) {
+  return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }], isError: false };
+}
+var EVIDENCE_TYPE_MAP = {
+  access_review_attestation: "audit_report",
+  training_acknowledgement: "training_record",
+  supplier_security_questionnaire: "report",
+  incident_post_mortem: "report",
+  bcp_test_report: "report",
+  risk_treatment_sign_off: "report"
+};
+var ORG_PROFILE_ID2 = "00000000-0000-4000-8000-000000000001";
+function loadOrgRaci(db) {
+  const row = db.prepare("SELECT raci_roles, isms_scope_statement FROM organization_profile WHERE id = ?").get(ORG_PROFILE_ID2);
+  if (!row) {
+    return { ciso: "", dpo: "", data_owner: "", isms_manager: "", internal_auditor: "" };
+  }
+  try {
+    const raci = JSON.parse(row.raci_roles);
+    return {
+      ciso: raci.ciso ?? "",
+      dpo: raci.dpo ?? "",
+      data_owner: raci.data_owner ?? "",
+      isms_manager: raci.isms_manager ?? "",
+      internal_auditor: raci.internal_auditor ?? ""
+    };
+  } catch {
+    return { ciso: "", dpo: "", data_owner: "", isms_manager: "", internal_auditor: "" };
+  }
+}
+function loadIsmsScope(db) {
+  const row = db.prepare("SELECT isms_scope_statement FROM organization_profile WHERE id = ?").get(ORG_PROFILE_ID2);
+  return row?.isms_scope_statement ?? "";
+}
+function handleGenerateEvidenceDocument(args2) {
   const {
-    procedure_id,
-    scope,
-    owner,
-    approver,
-    related_controls,
-    reviewed_by,
-    change_summary
+    template_type,
+    title,
+    generated_by,
+    organisation_name: callerOrgName,
+    control_id,
+    vars = {}
   } = args2;
   const db = getDb();
-  const current = db.prepare("SELECT * FROM procedures WHERE id = ?").get(procedure_id);
-  if (!current) throw notFound("procedure", procedure_id);
-  if (current.status === "archived") {
-    throw businessRule("procedure", "Cannot update an archived procedure.");
-  }
-  const ts = now();
-  const newVersion = current.version + 1;
-  db.prepare(`
-    INSERT INTO procedure_versions
-      (id, procedure_id, version, content, change_summary, reviewed_by, archived_at)
-    VALUES (?, ?, ?, ?, ?, ?, ?)
-  `).run(newId(), procedure_id, current.version, current.content, change_summary, reviewed_by, ts);
-  const raw = loadTemplate(current.procedure_type, "procedure-templates");
+  const orgDefaults = loadOrgProfileDefaults(db);
+  const raci = loadOrgRaci(db);
+  const ismsScope = loadIsmsScope(db);
+  const organisation_name = callerOrgName ?? orgDefaults?.organisation_name ?? "";
+  const raw = loadTemplate(template_type, "evidence-templates");
   const { template, clauseMappings, controlMappings } = stripFrontmatter(raw);
-  const newScope = scope ?? current.scope;
-  const newOwner = owner ?? current.owner;
-  const rendered = import_mustache2.default.render(template, {
-    procedure_id,
-    organisation_name: current.organisation_name,
-    scope: newScope,
-    owner: newOwner,
-    approver: approver ?? current.approver ?? "TBD",
-    effective_date: current.effective_date,
-    next_review_date: current.next_review_date,
-    version: `${newVersion}.0`,
-    parent_policy_id: current.policy_id ?? "N/A"
-  });
-  const newRelatedControls = related_controls ? JSON.stringify(related_controls) : current.related_controls;
+  const today = now().slice(0, 10);
+  const view = {
+    // Org-profile auto-injections
+    organisation_name,
+    isms_scope_statement: ismsScope,
+    ciso: raci.ciso,
+    dpo: raci.dpo,
+    data_owner: raci.data_owner,
+    isms_manager: raci.isms_manager,
+    internal_auditor: raci.internal_auditor,
+    // Document-level fields
+    title,
+    generated_by,
+    generated_date: today,
+    // Caller-supplied template-specific variables (override org defaults if clashing)
+    ...vars
+  };
+  const viewWithMappings = {
+    ...view,
+    clause_mappings: clauseMappings.join(", "),
+    control_mappings: controlMappings.join(", ")
+  };
+  const content = import_mustache3.default.render(template, viewWithMappings, loadPartials());
+  const ts = now();
+  const docId = newId();
+  const evidenceType = EVIDENCE_TYPE_MAP[template_type] ?? "report";
+  const evidenceId = newId();
+  const evidenceControlId = control_id ?? "general";
   db.prepare(`
-    UPDATE procedures SET
-      scope            = COALESCE(?, scope),
-      owner            = COALESCE(?, owner),
-      approver         = COALESCE(?, approver),
-      related_controls = COALESCE(?, related_controls),
-      reviewed_by      = ?,
-      version          = ?,
-      content          = ?,
-      clause_mappings  = ?,
-      control_mappings = ?,
-      updated_at       = ?
-    WHERE id = ?
+    INSERT INTO evidence
+      (id, control_id, type, description, source_url, collected_by, collected_date,
+       expiry_date, jira_key, jira_url, github_issue_url, github_issue_number,
+       created_at, updated_at)
+    VALUES (?, ?, ?, ?, NULL, ?, ?, NULL, NULL, NULL, NULL, NULL, ?, ?)
   `).run(
-    scope ?? null,
-    owner ?? null,
-    approver ?? null,
-    newRelatedControls,
-    reviewed_by,
-    newVersion,
-    rendered,
-    JSON.stringify(clauseMappings),
-    JSON.stringify(controlMappings),
+    evidenceId,
+    evidenceControlId,
+    evidenceType,
+    title,
+    generated_by,
+    today,
     ts,
-    procedure_id
+    ts
   );
-  return ok9({
-    id: procedure_id,
-    version: newVersion,
-    reviewed_by,
-    change_summary,
-    updated_at: ts
+  db.prepare(`
+    INSERT INTO generated_evidence
+      (id, template_type, title, content, organisation_name, generated_by,
+       clause_mappings, control_mappings, template_vars, evidence_id, created_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    docId,
+    template_type,
+    title,
+    content,
+    organisation_name,
+    generated_by,
+    toJson(clauseMappings),
+    toJson(controlMappings),
+    JSON.stringify(vars),
+    evidenceId,
+    ts
+  );
+  return ok12({
+    document_id: docId,
+    evidence_id: evidenceId,
+    template_type,
+    title,
+    organisation_name,
+    clause_mappings: clauseMappings,
+    control_mappings: controlMappings,
+    generated_by,
+    generated_at: ts,
+    content
   });
 }
-function handleExportProcedure(args2) {
-  const { procedure_id, format } = args2;
+function handleGetEvidenceDocument(args2) {
+  const { document_id } = args2;
   const db = getDb();
-  const row = db.prepare("SELECT * FROM procedures WHERE id = ?").get(procedure_id);
-  if (!row) throw notFound("procedure", procedure_id);
-  if (format === "markdown") {
-    const relatedControls = fromJsonArray(row.related_controls);
-    const controlsSection = relatedControls.length > 0 ? `
-
----
-
-## Related Controls
-
-${relatedControls.map((c) => `- ${c}`).join("\n")}` : "";
-    return ok9({ format: "markdown", content: row.content + controlsSection });
+  const row = db.prepare("SELECT * FROM generated_evidence WHERE id = ?").get(document_id);
+  if (!row) throw notFound("evidence_document", document_id);
+  return ok12({
+    ...row,
+    clause_mappings: fromJsonArray(row.clause_mappings),
+    control_mappings: fromJsonArray(row.control_mappings),
+    template_vars: JSON.parse(row.template_vars)
+  });
+}
+function handleListEvidenceDocuments(args2) {
+  const { template_type, generated_by, control_id, limit = 50, offset = 0 } = args2;
+  const db = getDb();
+  const conditions = [];
+  const params = [];
+  if (template_type) {
+    conditions.push("g.template_type = ?");
+    params.push(template_type);
   }
-  return ok9({
-    format: "json",
-    procedure: {
-      ...row,
-      clause_mappings: fromJsonArray(row.clause_mappings),
-      control_mappings: fromJsonArray(row.control_mappings),
-      related_controls: fromJsonArray(row.related_controls)
-    }
+  if (generated_by) {
+    conditions.push("g.generated_by = ?");
+    params.push(generated_by);
+  }
+  if (control_id) {
+    conditions.push("e.control_id = ?");
+    params.push(control_id);
+  }
+  const join2 = control_id ? "LEFT JOIN evidence e ON e.id = g.evidence_id" : "";
+  const where = conditions.length > 0 ? "WHERE " + conditions.join(" AND ") : "";
+  const rows = db.prepare(`
+    SELECT g.id, g.template_type, g.title, g.organisation_name,
+           g.generated_by, g.evidence_id, g.created_at,
+           g.clause_mappings, g.control_mappings
+      FROM generated_evidence g
+      ${join2}
+    ${where}
+    ORDER BY g.created_at DESC
+    LIMIT ? OFFSET ?
+  `).all(...params, limit, offset);
+  return ok12({
+    total: rows.length,
+    offset,
+    limit,
+    documents: rows.map((r) => ({
+      ...r,
+      clause_mappings: fromJsonArray(r.clause_mappings),
+      control_mappings: fromJsonArray(r.control_mappings)
+    }))
   });
 }
 
 // src/tools/index.ts
 function extractShape(schema) {
-  if (schema instanceof import_zod2.z.ZodEffects) {
-    return schema.innerType().shape;
+  let s = schema;
+  while (s instanceof import_zod2.z.ZodEffects) {
+    s = s.innerType();
   }
-  return schema.shape;
+  return s.shape;
 }
-function ok10(data) {
+function ok13(data) {
   return {
     content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
     isError: false
@@ -36323,7 +37254,23 @@ var TOOL_DESCRIPTIONS = {
   get_procedure: "Retrieve a procedure record by ID, optionally including version history.",
   update_procedure: "Archive the current procedure version and re-render with updated fields, incrementing the version number. Requires admin role.",
   list_procedures: "List procedures with optional filters: procedure_type, status, policy_id, overdue_only, and pagination.",
-  export_procedure: "Export a procedure as a markdown document (with related controls appended) or as structured JSON."
+  export_procedure: "Export a procedure as a markdown document (with related controls appended) or as structured JSON.",
+  // Group 12 — Management Review, Clause 9.3 (reads: viewer+, writes: admin)
+  create_management_review: "Schedule a new management review (ISO 27001:2022 Clause 9.3) with title, date, and reviewers list.",
+  record_review_input: "Record one of the 7 mandatory Clause 9.3.2 input categories for a management review. Upserts on re-submission; advances status to in_progress on first input.",
+  record_review_output: "Record a Clause 9.3.3 output decision (improvement_decision or isms_change_decision) for a management review.",
+  complete_management_review: "Mark a management review as completed. Enforces ISO 27001:2022 \xA79.3.2: all 7 input categories must be recorded, and at least one output must be present.",
+  get_management_review: "Retrieve a management review record with all inputs, outputs, and a completion-progress summary.",
+  list_management_reviews: "List management reviews with optional status filter and pagination.",
+  // Group 13 — Improvement Plan, Clause 10.1 (reads: viewer+, writes: analyst+)
+  create_improvement_opportunity: "Register a proactive improvement opportunity (ISO 27001:2022 Clause 10.1) with source, priority, owner, and optional target date. Not linked to a nonconformity.",
+  update_improvement_opportunity: "Advance an improvement opportunity's status (forward-only: open \u2192 in_progress \u2192 implemented \u2192 closed) or update owner, target date, priority, or description.",
+  get_improvement_opportunity: "Retrieve a single improvement opportunity by ID.",
+  list_improvement_opportunities: "List improvement opportunities with optional filters (status, source, priority, review_id) and a backlog health rating (excellent/good/fair/needs_attention/at_risk).",
+  // Group 14 — Evidence Templates (reads: viewer+, generate: analyst+)
+  generate_evidence_document: "Render one of 6 Mustache evidence templates (access_review_attestation, training_acknowledgement, supplier_security_questionnaire, incident_post_mortem, bcp_test_report, risk_treatment_sign_off) with org-profile auto-injection. Returns rendered Markdown and simultaneously registers an evidence record.",
+  get_evidence_document: "Retrieve a previously generated evidence document by ID, including its rendered Markdown content and template variables used.",
+  list_evidence_documents: "List generated evidence documents with optional filters: template_type, generated_by, control_id, and pagination."
 };
 var TOOL_HANDLERS = {
   // ── Group 1: Control Registry ────────────────────────────
@@ -36414,22 +37361,22 @@ var TOOL_HANDLERS = {
       params.push(key_hash);
     }
     const where = conditions.length > 0 ? "WHERE " + conditions.join(" AND ") : "";
-    const sql = `SELECT id, timestamp, tool, role, outcome, error_message, duration_ms, row_hash
+    const sql = `SELECT id, timestamp, tool, role, outcome, error_message, duration_ms, prev_hash, row_hash
                    FROM audit_log ${where}
                    ORDER BY timestamp DESC
                    LIMIT ? OFFSET ?`;
     params.push(limit, offset);
     const rows = db.prepare(sql).all(...params);
-    return ok10({ total: rows.length, offset, limit, entries: rows });
+    return ok13({ total: rows.length, offset, limit, entries: rows });
   },
   list_api_keys: (_args) => {
     const keys = listKeys();
-    return ok10({ count: keys.length, keys });
+    return ok13({ count: keys.length, keys });
   },
   revoke_api_key: (args2) => {
     const { label } = args2;
     revokeKey(label);
-    return ok10({ revoked: true, label });
+    return ok13({ revoked: true, label });
   },
   // ── Group 10: Organization Profile ───────────────────────────
   set_organization_profile: handleSetOrganizationProfile,
@@ -36439,7 +37386,23 @@ var TOOL_HANDLERS = {
   get_procedure: handleGetProcedure,
   update_procedure: handleUpdateProcedure,
   list_procedures: handleListProcedures,
-  export_procedure: handleExportProcedure
+  export_procedure: handleExportProcedure,
+  // ── Group 12: Management Review (Clause 9.3) ─────────────────
+  create_management_review: handleCreateManagementReview,
+  record_review_input: handleRecordReviewInput,
+  record_review_output: handleRecordReviewOutput,
+  complete_management_review: handleCompleteManagementReview,
+  get_management_review: handleGetManagementReview,
+  list_management_reviews: handleListManagementReviews,
+  // ── Group 13: Improvement Plan (Clause 10.1) ──────────────────
+  create_improvement_opportunity: handleCreateImprovementOpportunity,
+  update_improvement_opportunity: handleUpdateImprovementOpportunity,
+  get_improvement_opportunity: handleGetImprovementOpportunity,
+  list_improvement_opportunities: handleListImprovementOpportunities,
+  // ── Group 14: Evidence Templates ──────────────────────────────
+  generate_evidence_document: handleGenerateEvidenceDocument,
+  get_evidence_document: handleGetEvidenceDocument,
+  list_evidence_documents: handleListEvidenceDocuments
 };
 function registerAllTools(server) {
   for (const [toolName, description] of Object.entries(TOOL_DESCRIPTIONS)) {
@@ -37198,6 +38161,188 @@ function registerOrgProfileResource(server) {
   );
 }
 
+// src/resources/management-review.ts
+var import_mcp6 = require("@modelcontextprotocol/sdk/server/mcp.js");
+function registerManagementReviewResources(server) {
+  server.resource(
+    "iso27001-management-review",
+    new import_mcp6.ResourceTemplate("iso27001://management-review/{review_id}", {
+      list: () => {
+        const rows = getDb().prepare(
+          `SELECT id, title, review_date, status, completed_at
+               FROM management_reviews
+              ORDER BY review_date DESC`
+        ).all();
+        return {
+          resources: rows.map((r) => ({
+            uri: `iso27001://management-review/${r.id}`,
+            name: r.title,
+            description: `Management review on ${r.review_date}, status: ${r.status}` + (r.completed_at ? `, completed: ${r.completed_at}` : ""),
+            mimeType: "application/json"
+          }))
+        };
+      }
+    }),
+    {
+      description: "ISO 27001 management review record (Clause 9.3) with all inputs (9.3.2) and output decisions (9.3.3) nested. Fields: id, title, review_date, reviewers, scope_notes, status, completed_at, completed_by, inputs[], outputs[].",
+      mimeType: "application/json"
+    },
+    (uri, variables, extra) => {
+      assertResourceAuth(extra);
+      const { review_id } = variables;
+      const db = getDb();
+      const review = db.prepare("SELECT * FROM management_reviews WHERE id = ?").get(review_id);
+      if (!review) {
+        throw new Error(
+          `Management review not found: '${review_id}'. Use list_management_reviews to find valid IDs.`
+        );
+      }
+      const inputs = db.prepare(
+        "SELECT * FROM review_inputs WHERE review_id = ? ORDER BY input_category ASC"
+      ).all(review_id);
+      const outputs = db.prepare(
+        "SELECT * FROM review_outputs WHERE review_id = ? ORDER BY created_at ASC"
+      ).all(review_id);
+      const payload = {
+        ...review,
+        reviewers: fromJsonArray(review.reviewers),
+        inputs,
+        outputs
+      };
+      return {
+        contents: [{
+          uri: uri.toString(),
+          mimeType: "application/json",
+          text: JSON.stringify(payload, null, 2)
+        }]
+      };
+    }
+  );
+  server.resource(
+    "iso27001-improvement-plan",
+    new import_mcp6.ResourceTemplate("iso27001://improvement-plan", { list: void 0 }),
+    {
+      description: "ISO 27001 improvement opportunity backlog (Clause 10.1). Returns all opportunities sorted by priority and target date, with a health rating (excellent/good/fair/needs_attention/at_risk) and counts by status.",
+      mimeType: "application/json"
+    },
+    (uri, _variables, extra) => {
+      assertResourceAuth(extra);
+      const db = getDb();
+      const opportunities = db.prepare(`
+          SELECT * FROM improvement_opportunities
+          ORDER BY
+            CASE priority WHEN 'critical' THEN 0 WHEN 'high' THEN 1 WHEN 'medium' THEN 2 ELSE 3 END ASC,
+            target_date ASC NULLS LAST,
+            created_at DESC
+        `).all();
+      const stats = db.prepare(`
+        SELECT
+          SUM(CASE WHEN status = 'open'        THEN 1 ELSE 0 END) AS open,
+          SUM(CASE WHEN status = 'in_progress' THEN 1 ELSE 0 END) AS in_progress,
+          SUM(CASE WHEN status = 'implemented' THEN 1 ELSE 0 END) AS implemented,
+          SUM(CASE WHEN status = 'closed'      THEN 1 ELSE 0 END) AS closed,
+          SUM(
+            CASE WHEN status IN ('open','in_progress')
+                  AND target_date IS NOT NULL
+                  AND target_date < date('now') THEN 1 ELSE 0 END
+          ) AS overdue
+        FROM improvement_opportunities
+      `).get();
+      const open = stats.open ?? 0;
+      const in_progress = stats.in_progress ?? 0;
+      const implemented = stats.implemented ?? 0;
+      const closed = stats.closed ?? 0;
+      const overdue = stats.overdue ?? 0;
+      let rating;
+      const active = open + in_progress;
+      if (overdue > 3) rating = "at_risk";
+      else if (active > 10) rating = "needs_attention";
+      else if (active === 0) rating = "excellent";
+      else if (overdue === 0) rating = "good";
+      else rating = "fair";
+      const payload = {
+        total: opportunities.length,
+        health: { open, in_progress, implemented, closed, overdue, rating },
+        opportunities
+      };
+      return {
+        contents: [{
+          uri: uri.toString(),
+          mimeType: "application/json",
+          text: JSON.stringify(payload, null, 2)
+        }]
+      };
+    }
+  );
+}
+
+// src/resources/evidence-templates.ts
+var import_mcp7 = require("@modelcontextprotocol/sdk/server/mcp.js");
+var TEMPLATE_LABELS = {
+  access_review_attestation: "Access Review Attestation",
+  training_acknowledgement: "Training Acknowledgement",
+  supplier_security_questionnaire: "Supplier Security Questionnaire",
+  incident_post_mortem: "Incident Post-Mortem",
+  bcp_test_report: "BCP Test Report",
+  risk_treatment_sign_off: "Risk Treatment Sign-Off"
+};
+function registerEvidenceDocumentResources(server) {
+  server.resource(
+    "iso27001-evidence-document",
+    new import_mcp7.ResourceTemplate("iso27001://evidence-document/{document_id}", {
+      list: () => {
+        const rows = getDb().prepare(
+          `SELECT id, template_type, title, generated_by, evidence_id, created_at
+               FROM generated_evidence
+              ORDER BY created_at DESC`
+        ).all();
+        return {
+          resources: rows.map((r) => ({
+            uri: `iso27001://evidence-document/${r.id}`,
+            name: r.title,
+            description: `${TEMPLATE_LABELS[r.template_type] ?? r.template_type} \u2014 generated by ${r.generated_by} on ${r.created_at.slice(0, 10)}`,
+            mimeType: "application/json"
+          }))
+        };
+      }
+    }),
+    {
+      description: "Generated ISO 27001 evidence document with full rendered Markdown content. Template types: access_review_attestation, training_acknowledgement, supplier_security_questionnaire, incident_post_mortem, bcp_test_report, risk_treatment_sign_off. Fields: id, template_type, title, content (Markdown), organisation_name, generated_by, clause_mappings, control_mappings, template_vars, evidence_id, created_at.",
+      mimeType: "application/json"
+    },
+    (uri, variables, extra) => {
+      assertResourceAuth(extra);
+      const { document_id } = variables;
+      const db = getDb();
+      const row = db.prepare("SELECT * FROM generated_evidence WHERE id = ?").get(document_id);
+      if (!row) {
+        throw new Error(
+          `Evidence document not found: '${document_id}'. Use list_evidence_documents to find valid IDs.`
+        );
+      }
+      const payload = {
+        ...row,
+        clause_mappings: fromJsonArray(row.clause_mappings),
+        control_mappings: fromJsonArray(row.control_mappings),
+        template_vars: (() => {
+          try {
+            return JSON.parse(row.template_vars);
+          } catch {
+            return {};
+          }
+        })()
+      };
+      return {
+        contents: [{
+          uri: uri.toString(),
+          mimeType: "application/json",
+          text: JSON.stringify(payload, null, 2)
+        }]
+      };
+    }
+  );
+}
+
 // src/resources/index.ts
 function registerAllResources(server) {
   registerControlResources(server);
@@ -37206,11 +38351,13 @@ function registerAllResources(server) {
   registerProcedureResources(server);
   registerRiskResources(server);
   registerAssessmentResources(server);
+  registerManagementReviewResources(server);
+  registerEvidenceDocumentResources(server);
 }
 
 // src/server.ts
 function createServer() {
-  const server = new import_mcp6.McpServer({
+  const server = new import_mcp8.McpServer({
     name: "iso27001-mcp",
     version: process.env["npm_package_version"] ?? "2.0.0"
   });