monora-ai 2.0.0 → 2.1.3

package/dist/aims_governance.js

@@ -0,0 +1,922 @@
+"use strict";
+/**
+ * AIMS governance workflows for ISO 42001 policy, roles, and concerns.
+ *
+ * This module focuses on:
+ * - A.2 policy lifecycle (versioning, review cadence, approvals)
+ * - A.3 governance roles (RACI) and concern reporting
+ * - Clause 4/5/7 evidence tracking for context, leadership, and competence
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clearAimsGovernanceData = clearAimsGovernanceData;
+exports.createPolicyDocument = createPolicyDocument;
+exports.addPolicyVersion = addPolicyVersion;
+exports.submitPolicyVersion = submitPolicyVersion;
+exports.approvePolicyVersion = approvePolicyVersion;
+exports.rejectPolicyVersion = rejectPolicyVersion;
+exports.recordPolicyReview = recordPolicyReview;
+exports.setPolicyReviewCadence = setPolicyReviewCadence;
+exports.getPolicyDocument = getPolicyDocument;
+exports.listPolicyDocuments = listPolicyDocuments;
+exports.getDuePolicyReviews = getDuePolicyReviews;
+exports.recordAimsContext = recordAimsContext;
+exports.getAimsContext = getAimsContext;
+exports.registerRaciEntry = registerRaciEntry;
+exports.listRaciEntries = listRaciEntries;
+exports.recordGovernanceTraining = recordGovernanceTraining;
+exports.listGovernanceTrainingRecords = listGovernanceTrainingRecords;
+exports.fileConcernReport = fileConcernReport;
+exports.updateConcernReport = updateConcernReport;
+exports.resolveConcernReport = resolveConcernReport;
+exports.getConcernReport = getConcernReport;
+exports.listConcernReports = listConcernReports;
+exports.getOpenConcerns = getOpenConcerns;
+exports.getAimsGovernanceSummary = getAimsGovernanceSummary;
+exports.buildAimsGovernanceStatePayload = buildAimsGovernanceStatePayload;
+exports.exportAimsGovernanceState = exportAimsGovernanceState;
+exports.loadAimsGovernanceState = loadAimsGovernanceState;
+const crypto = __importStar(require("crypto"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const control_backbone_1 = require("./control_backbone");
+const POLICY_STATUS_SET = new Set(['draft', 'in_review', 'approved', 'superseded', 'rejected']);
+const CONCERN_STATUS_SET = new Set(['open', 'in_review', 'resolved', 'closed', 'rejected']);
+const CONCERN_SEVERITY_SET = new Set(['low', 'medium', 'high', 'critical']);
+const DEFAULT_POLICY_CONTROL_IDS = ['A.2.2', 'A.2.3', 'Clause5'];
+const DEFAULT_CONTEXT_CONTROL_IDS = ['Clause4'];
+const DEFAULT_RACI_CONTROL_IDS = ['A.3.2', 'Clause7'];
+const DEFAULT_CONCERN_CONTROL_IDS = ['A.3.3'];
+const DEFAULT_TRAINING_CONTROL_IDS = ['Clause7', 'A.4.6'];
+const policies = new Map();
+let contextRecord = null;
+const raciEntries = new Map();
+const concernReports = new Map();
+const trainingRecords = new Map();
+function utcNow() {
+    return new Date().toISOString();
+}
+function clone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+function normalizeList(value) {
+    if (value === null || value === undefined) {
+        return [];
+    }
+    if (Array.isArray(value)) {
+        return value
+            .map((item) => String(item).trim())
+            .filter(Boolean);
+    }
+    return String(value)
+        .replace(/;/g, ',')
+        .split(',')
+        .map((item) => item.trim())
+        .filter(Boolean);
+}
+function asPolicyStatus(value, fallback = 'draft') {
+    const text = String(value || '').trim();
+    return POLICY_STATUS_SET.has(text) ? text : fallback;
+}
+function asConcernStatus(value, fallback = 'open') {
+    const text = String(value || '').trim();
+    return CONCERN_STATUS_SET.has(text) ? text : fallback;
+}
+function asConcernSeverity(value, fallback = 'medium') {
+    const text = String(value || '').trim();
+    return CONCERN_SEVERITY_SET.has(text) ? text : fallback;
+}
+function buildId(prefix, ...parts) {
+    const seed = `${prefix}:${parts.join(':')}:${utcNow()}`;
+    const digest = crypto.createHash('sha256').update(seed).digest('hex').slice(0, 12);
+    return `${prefix}_${digest}`;
+}
+function parseIso(value) {
+    if (!value) {
+        return null;
+    }
+    const date = new Date(value);
+    if (Number.isNaN(date.getTime())) {
+        return null;
+    }
+    return date;
+}
+function getPolicy(policyId) {
+    const policy = policies.get(policyId);
+    if (!policy) {
+        throw new Error(`Policy not found: ${policyId}`);
+    }
+    return policy;
+}
+function getPolicyVersion(policy, versionId) {
+    const version = policy.versions.find((item) => item.version_id === versionId);
+    if (!version) {
+        throw new Error(`Policy version not found: ${policy.policy_id}:${versionId}`);
+    }
+    return version;
+}
+function hashPolicyContent(content, artifactPath, fallbackText = '') {
+    if (artifactPath && fs.existsSync(artifactPath)) {
+        const digest = crypto.createHash('sha256').update(fs.readFileSync(artifactPath)).digest('hex');
+        return `sha256:${digest}`;
+    }
+    const digest = crypto.createHash('sha256').update(content || fallbackText).digest('hex');
+    return `sha256:${digest}`;
+}
+function emitGovernanceEvidence(options) {
+    const normalizedEvidenceTypes = Array.from(new Set(normalizeList(options.evidenceTypes).concat([options.evidenceType, 'documented_information']))).sort();
+    const evidence = {
+        evidence_id: buildId('evd', options.evidenceType, options.title),
+        title: options.title,
+        source: 'aims_governance',
+        category: options.category,
+        collected_at: utcNow(),
+        collection_method: 'workflow',
+        system: 'aims_governance',
+        system_id: options.systemId,
+        control_ids: normalizeList(options.controlIds),
+        status: options.status || 'approved',
+        metadata: {
+            ...options.metadata,
+            evidence_type: options.evidenceType,
+            evidence_types: normalizedEvidenceTypes,
+        },
+        tags: options.tags,
+    };
+    let updated = clone(evidence);
+    const workflowIds = options.workflowIds || {};
+    for (const controlId of normalizeList(options.controlIds)) {
+        updated = (0, control_backbone_1.attachControlEvidence)({
+            controlId,
+            evidence: updated,
+            workflowId: workflowIds[controlId],
+            evidenceType: options.evidenceType,
+            note: 'aims_governance_auto_attach',
+        });
+    }
+    return updated;
+}
+function findExistingWorkflow(controlId, policyId) {
+    const workflows = (0, control_backbone_1.listWorkflowTasks)({ controlId });
+    if (policyId) {
+        const match = workflows.find((workflow) => workflow.metadata?.policy_id === policyId);
+        if (match) {
+            return match.workflow_id;
+        }
+    }
+    return workflows.length > 0 ? workflows[0].workflow_id : null;
+}
+function ensurePolicyWorkflows(policy) {
+    const workflowIds = { ...(policy.workflow_ids || {}) };
+    const controls = Array.from(new Set(normalizeList(policy.control_ids))).sort();
+    for (const controlId of controls) {
+        const existingId = workflowIds[controlId];
+        if (existingId && (0, control_backbone_1.getWorkflowTask)(existingId)) {
+            continue;
+        }
+        const found = findExistingWorkflow(controlId, policy.policy_id);
+        if (found) {
+            workflowIds[controlId] = found;
+            continue;
+        }
+        const dueAt = policy.next_review_due_at
+            || new Date(Date.now() + policy.review_frequency_days * 86400 * 1000).toISOString();
+        const workflow = (0, control_backbone_1.createWorkflowTask)({
+            controlId,
+            title: `${controlId} - ${policy.title}`,
+            owner: policy.owner,
+            dueAt,
+            metadata: { policy_id: policy.policy_id, policy_title: policy.title, workflow_kind: 'policy' },
+        });
+        workflowIds[controlId] = workflow.workflow_id;
+    }
+    policy.workflow_ids = workflowIds;
+    return workflowIds;
+}
+function syncPolicyWorkflowStatus(workflowIds, options) {
+    for (const workflowId of Object.values(workflowIds)) {
+        const workflow = (0, control_backbone_1.getWorkflowTask)(workflowId);
+        if (!workflow) {
+            continue;
+        }
+        const current = workflow.status;
+        if (options.targetStatus === 'in_review') {
+            if (current === 'in_review') {
+                continue;
+            }
+            if (current === 'draft' || current === 'approved' || current === 'expired') {
+                (0, control_backbone_1.submitWorkflowTask)(workflowId, { actor: options.actor, note: options.note });
+            }
+        }
+        else if (options.targetStatus === 'approved') {
+            if (current === 'approved') {
+                continue;
+            }
+            (0, control_backbone_1.approveControlEvidence)(workflowId, { actor: options.actor, note: options.note });
+        }
+        else if (options.targetStatus === 'draft') {
+            if (current !== 'in_review') {
+                continue;
+            }
+            (0, control_backbone_1.transitionWorkflowTask)(workflowId, { toStatus: 'draft', actor: options.actor, note: options.note });
+        }
+    }
+}
+function clearAimsGovernanceData() {
+    policies.clear();
+    raciEntries.clear();
+    concernReports.clear();
+    trainingRecords.clear();
+    contextRecord = null;
+}
+function createPolicyDocument(options) {
+    if (policies.has(options.policyId)) {
+        throw new Error(`Policy already exists: ${options.policyId}`);
+    }
+    const policy = {
+        policy_id: options.policyId,
+        title: options.title,
+        owner: options.owner,
+        review_frequency_days: Math.max(1, options.reviewFrequencyDays ?? 365),
+        control_ids: Array.from(new Set(normalizeList(options.controlIds).concat(DEFAULT_POLICY_CONTROL_IDS))).sort(),
+        created_at: utcNow(),
+        updated_at: utcNow(),
+        versions: [],
+        metadata: options.metadata || {},
+    };
+    ensurePolicyWorkflows(policy);
+    policies.set(policy.policy_id, clone(policy));
+    return clone(policy);
+}
+function addPolicyVersion(options) {
+    const policy = getPolicy(options.policyId);
+    const versionNumber = policy.versions.length + 1;
+    const version = {
+        version_id: `v${versionNumber}`,
+        version_number: versionNumber,
+        change_summary: options.changeSummary,
+        content_hash: hashPolicyContent(options.content, options.artifactPath, `${options.policyId}:${versionNumber}:${options.changeSummary}`),
+        created_by: options.createdBy,
+        created_at: utcNow(),
+        status: 'draft',
+        artifact_path: options.artifactPath,
+        required_reviewers: Array.from(new Set(normalizeList(options.requiredReviewers))).sort(),
+        approvals: [],
+        review_history: [],
+        metadata: options.metadata || {},
+    };
+    policy.versions.push(version);
+    policy.updated_at = utcNow();
+    policies.set(policy.policy_id, clone(policy));
+    return clone(version);
+}
+function submitPolicyVersion(options) {
+    const policy = getPolicy(options.policyId);
+    const version = getPolicyVersion(policy, options.versionId);
+    if (version.status !== 'draft' && version.status !== 'rejected') {
+        throw new Error(`Policy version cannot be submitted from status=${version.status}`);
+    }
+    const reviewers = Array.from(new Set(normalizeList(options.reviewerChain))).sort();
+    if (reviewers.length > 0) {
+        version.required_reviewers = reviewers;
+    }
+    else if (version.required_reviewers.length === 0) {
+        version.required_reviewers = [policy.owner];
+    }
+    version.status = 'in_review';
+    version.submitted_at = utcNow();
+    version.review_history.push({
+        timestamp: utcNow(),
+        actor: options.submittedBy,
+        action: 'submitted_for_review',
+        note: options.note,
+    });
+    policy.updated_at = utcNow();
+    const workflowIds = ensurePolicyWorkflows(policy);
+    syncPolicyWorkflowStatus(workflowIds, {
+        targetStatus: 'in_review',
+        actor: options.submittedBy,
+        note: options.note,
+    });
+    policies.set(policy.policy_id, clone(policy));
+    return clone(version);
+}
+function approvePolicyVersion(options) {
+    const policy = getPolicy(options.policyId);
+    const version = getPolicyVersion(policy, options.versionId);
+    if (version.status !== 'draft' && version.status !== 'in_review') {
+        throw new Error(`Policy version cannot be approved from status=${version.status}`);
+    }
+    if (version.status === 'draft') {
+        version.status = 'in_review';
+        version.submitted_at = utcNow();
+    }
+    if (version.required_reviewers.length > 0 &&
+        !options.force &&
+        !version.required_reviewers.includes(options.approver)) {
+        throw new Error(`Approver '${options.approver}' is not in required_reviewers=${version.required_reviewers.join(', ')}`);
+    }
+    if (!version.approvals.includes(options.approver)) {
+        version.approvals.push(options.approver);
+    }
+    version.review_history.push({
+        timestamp: utcNow(),
+        actor: options.approver,
+        action: 'approved_step',
+        note: options.note,
+    });
+    const required = new Set(version.required_reviewers);
+    const approvals = new Set(version.approvals);
+    const chainComplete = required.size === 0
+        || Array.from(required).every((reviewer) => approvals.has(reviewer))
+        || Boolean(options.force);
+    if (!chainComplete) {
+        policy.updated_at = utcNow();
+        policies.set(policy.policy_id, clone(policy));
+        return clone(version);
+    }
+    const approvedAt = utcNow();
+    version.status = 'approved';
+    version.approved_at = approvedAt;
+    version.approved_by = options.approver;
+    version.effective_at = approvedAt;
+    version.review_history.push({
+        timestamp: approvedAt,
+        actor: options.approver,
+        action: 'approval_chain_complete',
+        note: options.note,
+    });
+    for (const other of policy.versions) {
+        if (other.version_id !== version.version_id && other.status === 'approved') {
+            other.status = 'superseded';
+        }
+    }
+    policy.active_version_id = version.version_id;
+    policy.updated_at = utcNow();
+    policy.last_reviewed_at = approvedAt;
+    policy.next_review_due_at = new Date(Date.now() + policy.review_frequency_days * 86400 * 1000).toISOString();
+    const workflowIds = ensurePolicyWorkflows(policy);
+    emitGovernanceEvidence({
+        title: `Policy approved: ${policy.title} (${version.version_id})`,
+        evidenceType: 'policy_document',
+        category: 'policy_document',
+        controlIds: policy.control_ids,
+        systemId: policy.policy_id,
+        workflowIds,
+        metadata: {
+            policy_id: policy.policy_id,
+            title: policy.title,
+            version_id: version.version_id,
+            version_number: version.version_number,
+            approved_by: options.approver,
+            approved_at: approvedAt,
+            required_reviewers: version.required_reviewers,
+            approvals: version.approvals,
+            content_hash: version.content_hash,
+        },
+        tags: ['aims', 'policy', 'approval_chain'],
+    });
+    syncPolicyWorkflowStatus(workflowIds, {
+        targetStatus: 'approved',
+        actor: options.approver,
+        note: options.note,
+    });
+    policies.set(policy.policy_id, clone(policy));
+    return clone(version);
+}
+function rejectPolicyVersion(options) {
+    const policy = getPolicy(options.policyId);
+    const version = getPolicyVersion(policy, options.versionId);
+    if (version.status !== 'draft' && version.status !== 'in_review') {
+        throw new Error(`Policy version cannot be rejected from status=${version.status}`);
+    }
+    version.status = 'rejected';
+    version.review_history.push({
+        timestamp: utcNow(),
+        actor: options.reviewer,
+        action: 'rejected',
+        note: options.note,
+    });
+    policy.updated_at = utcNow();
+    const workflowIds = ensurePolicyWorkflows(policy);
+    syncPolicyWorkflowStatus(workflowIds, {
+        targetStatus: 'draft',
+        actor: options.reviewer,
+        note: options.note,
+    });
+    policies.set(policy.policy_id, clone(policy));
+    return clone(version);
+}
+function recordPolicyReview(options) {
+    const policy = getPolicy(options.policyId);
+    const version = getPolicyVersion(policy, options.versionId);
+    if (version.status !== 'approved' && version.status !== 'in_review') {
+        throw new Error(`Policy review not allowed from status=${version.status}`);
+    }
+    const outcome = options.outcome || 'accepted';
+    version.review_history.push({
+        timestamp: utcNow(),
+        actor: options.reviewer,
+        action: 'periodic_review',
+        note: `${outcome}: ${options.summary}`,
+    });
+    if (outcome === 'changes_required') {
+        version.status = 'in_review';
+    }
+    const reviewedAt = utcNow();
+    policy.last_reviewed_at = reviewedAt;
+    policy.updated_at = reviewedAt;
+    policy.next_review_due_at = new Date(Date.now() + policy.review_frequency_days * 86400 * 1000).toISOString();
+    const reviewControls = ['A.2.4', 'Clause9'];
+    const reviewWorkflows = {};
+    for (const controlId of reviewControls) {
+        const found = findExistingWorkflow(controlId, policy.policy_id);
+        if (found) {
+            reviewWorkflows[controlId] = found;
+            continue;
+        }
+        const workflow = (0, control_backbone_1.createWorkflowTask)({
+            controlId,
+            title: `${controlId} - ${policy.title} review`,
+            owner: policy.owner,
+            dueAt: policy.next_review_due_at,
+            metadata: { policy_id: policy.policy_id, policy_title: policy.title, workflow_kind: 'policy_review' },
+        });
+        reviewWorkflows[controlId] = workflow.workflow_id;
+    }
+    emitGovernanceEvidence({
+        title: `Policy review: ${policy.title} (${version.version_id})`,
+        evidenceType: 'review_minutes',
+        category: 'review_minutes',
+        controlIds: reviewControls,
+        systemId: policy.policy_id,
+        workflowIds: reviewWorkflows,
+        metadata: {
+            policy_id: policy.policy_id,
+            version_id: version.version_id,
+            reviewer: options.reviewer,
+            summary: options.summary,
+            outcome,
+            reviewed_at: reviewedAt,
+        },
+        tags: ['aims', 'policy', 'review_cadence'],
+    });
+    syncPolicyWorkflowStatus(reviewWorkflows, {
+        targetStatus: 'approved',
+        actor: options.reviewer,
+        note: options.summary,
+    });
+    policies.set(policy.policy_id, clone(policy));
+    return clone(version);
+}
+function setPolicyReviewCadence(policyId, reviewFrequencyDays) {
+    const policy = getPolicy(policyId);
+    policy.review_frequency_days = Math.max(1, reviewFrequencyDays);
+    policy.updated_at = utcNow();
+    policies.set(policy.policy_id, clone(policy));
+    return clone(policy);
+}
+function getPolicyDocument(policyId) {
+    const policy = policies.get(policyId);
+    return policy ? clone(policy) : null;
+}
+function listPolicyDocuments() {
+    return Array.from(policies.values()).map((policy) => clone(policy));
+}
+function getDuePolicyReviews(options) {
+    const now = parseIso(options?.referenceTime) || new Date();
+    const due = [];
+    for (const policy of policies.values()) {
+        const dueAt = parseIso(policy.next_review_due_at);
+        if (!dueAt || dueAt > now) {
+            continue;
+        }
+        const overdueDays = Math.max(0, Math.floor((now.getTime() - dueAt.getTime()) / (86400 * 1000)));
+        due.push({
+            policy_id: policy.policy_id,
+            title: policy.title,
+            owner: policy.owner,
+            active_version_id: policy.active_version_id,
+            next_review_due_at: policy.next_review_due_at || dueAt.toISOString(),
+            overdue_days: overdueDays,
+        });
+    }
+    return due.sort((a, b) => a.next_review_due_at.localeCompare(b.next_review_due_at));
+}
+function recordAimsContext(options) {
+    const version = contextRecord ? contextRecord.version + 1 : 1;
+    const reviewFrequencyDays = Math.max(1, options.reviewFrequencyDays ?? 365);
+    const record = {
+        context_id: 'aims_context',
+        scope: options.scope,
+        approved_by: options.approvedBy,
+        version,
+        interested_parties: normalizeList(options.interestedParties),
+        internal_issues: normalizeList(options.internalIssues),
+        external_issues: normalizeList(options.externalIssues),
+        objectives: normalizeList(options.objectives),
+        reviewed_at: utcNow(),
+        next_review_due_at: new Date(Date.now() + reviewFrequencyDays * 86400 * 1000).toISOString(),
+        review_frequency_days: reviewFrequencyDays,
+        metadata: options.metadata || {},
+    };
+    contextRecord = clone(record);
+    emitGovernanceEvidence({
+        title: 'AIMS context and scope review',
+        evidenceType: 'organizational_context_assessment',
+        category: 'organizational_context_assessment',
+        controlIds: DEFAULT_CONTEXT_CONTROL_IDS,
+        systemId: record.context_id,
+        metadata: record,
+        tags: ['aims', 'context', 'clause4'],
+    });
+    return clone(record);
+}
+function getAimsContext() {
+    return contextRecord ? clone(contextRecord) : null;
+}
+function registerRaciEntry(options) {
+    const entry = {
+        entry_id: options.entryId || buildId('raci', options.functionName),
+        function_name: options.functionName,
+        owner: options.owner,
+        accountable: Array.from(new Set(normalizeList(options.accountable))).sort(),
+        responsible: Array.from(new Set(normalizeList(options.responsible))).sort(),
+        consulted: Array.from(new Set(normalizeList(options.consulted))).sort(),
+        informed: Array.from(new Set(normalizeList(options.informed))).sort(),
+        control_ids: Array.from(new Set(normalizeList(options.controlIds).concat(DEFAULT_RACI_CONTROL_IDS))).sort(),
+        last_updated: utcNow(),
+        notes: options.notes,
+        metadata: options.metadata || {},
+    };
+    raciEntries.set(entry.entry_id, clone(entry));
+    emitGovernanceEvidence({
+        title: `RACI update: ${entry.function_name}`,
+        evidenceType: 'role_responsibility_matrix',
+        category: 'role_responsibility_matrix',
+        controlIds: entry.control_ids,
+        systemId: entry.entry_id,
+        metadata: entry,
+        tags: ['aims', 'raci', 'roles'],
+    });
+    return clone(entry);
+}
+function listRaciEntries() {
+    return Array.from(raciEntries.values()).map((entry) => clone(entry));
+}
+function recordGovernanceTraining(options) {
+    const record = {
+        record_id: buildId('train', options.userId, options.topic),
+        user_id: options.userId,
+        topic: options.topic,
+        completed_at: options.completedAt || utcNow(),
+        recorded_by: options.recordedBy,
+        control_ids: Array.from(new Set(normalizeList(options.controlIds).concat(DEFAULT_TRAINING_CONTROL_IDS))).sort(),
+        notes: options.notes,
+        metadata: options.metadata || {},
+    };
+    trainingRecords.set(record.record_id, clone(record));
+    emitGovernanceEvidence({
+        title: `Governance training completion: ${record.topic}`,
+        evidenceType: 'training_and_competency_records',
+        category: 'training_and_competency_records',
+        controlIds: record.control_ids,
+        systemId: record.record_id,
+        metadata: record,
+        tags: ['aims', 'training', 'competence'],
+    });
+    return clone(record);
+}
+function listGovernanceTrainingRecords() {
+    return Array.from(trainingRecords.values()).map((record) => clone(record));
+}
+function fileConcernReport(options) {
+    const concernId = options.concernId || buildId('concern', options.title);
+    if (concernReports.has(concernId)) {
+        throw new Error(`Concern already exists: ${concernId}`);
+    }
+    const report = {
+        concern_id: concernId,
+        title: options.title,
+        description: options.description,
+        reported_by: options.reportedBy,
+        severity: asConcernSeverity(options.severity, 'medium'),
+        status: 'open',
+        submitted_at: utcNow(),
+        updated_at: utcNow(),
+        assigned_to: options.assignedTo,
+        control_ids: Array.from(new Set(normalizeList(options.controlIds).concat(DEFAULT_CONCERN_CONTROL_IDS))).sort(),
+        tags: Array.from(new Set(normalizeList(options.tags))).sort(),
+        history: [
+            {
+                timestamp: utcNow(),
+                actor: options.reportedBy,
+                status: 'open',
+                note: 'concern_reported',
+            },
+        ],
+        metadata: options.metadata || {},
+    };
+    concernReports.set(concernId, clone(report));
+    emitGovernanceEvidence({
+        title: `Concern reported: ${report.title}`,
+        evidenceType: 'concern_reporting_records',
+        category: 'concern_reporting_records',
+        controlIds: report.control_ids,
+        systemId: report.concern_id,
+        metadata: report,
+        tags: ['aims', 'concern', 'intake'],
+        status: 'collected',
+    });
+    return clone(report);
+}
+function updateConcernReport(options) {
+    const report = concernReports.get(options.concernId);
+    if (!report) {
+        throw new Error(`Concern not found: ${options.concernId}`);
+    }
+    report.status = asConcernStatus(options.status, report.status);
+    if (options.assignedTo !== undefined) {
+        report.assigned_to = options.assignedTo;
+    }
+    report.updated_at = utcNow();
+    if (report.status === 'resolved' || report.status === 'closed') {
+        report.resolved_at = utcNow();
+    }
+    report.history.push({
+        timestamp: utcNow(),
+        actor: options.actor,
+        status: report.status,
+        note: options.note,
+    });
+    concernReports.set(report.concern_id, clone(report));
+    if (report.status === 'resolved' || report.status === 'closed') {
+        emitGovernanceEvidence({
+            title: `Concern resolved: ${report.title}`,
+            evidenceType: 'concern_reporting_records',
+            category: 'concern_reporting_records',
+            controlIds: report.control_ids,
+            systemId: report.concern_id,
+            metadata: report,
+            tags: ['aims', 'concern', 'resolution'],
+        });
+    }
+    return clone(report);
+}
+function resolveConcernReport(options) {
+    return updateConcernReport({
+        concernId: options.concernId,
+        actor: options.resolvedBy,
+        status: options.close === false ? 'resolved' : 'closed',
+        note: options.resolutionSummary,
+    });
+}
+function getConcernReport(concernId) {
+    const report = concernReports.get(concernId);
+    return report ? clone(report) : null;
+}
+function listConcernReports(options) {
+    const items = Array.from(concernReports.values())
+        .filter((item) => !options?.status || item.status === options.status)
+        .map((item) => clone(item));
+    return items;
+}
+function getOpenConcerns() {
+    return listConcernReports({ status: 'open' });
+}
+function getAimsGovernanceSummary() {
+    let policyInReview = 0;
+    let policyApproved = 0;
+    for (const policy of policies.values()) {
+        for (const version of policy.versions) {
+            if (version.status === 'in_review') {
+                policyInReview += 1;
+            }
+            if (version.status === 'approved') {
+                policyApproved += 1;
+            }
+        }
+    }
+    const openConcerns = Array.from(concernReports.values()).filter((item) => item.status === 'open' || item.status === 'in_review').length;
+    const closedConcerns = Array.from(concernReports.values()).filter((item) => item.status === 'resolved' || item.status === 'closed').length;
+    return {
+        policy_documents: policies.size,
+        policy_versions_in_review: policyInReview,
+        policy_versions_approved: policyApproved,
+        due_policy_reviews: getDuePolicyReviews().length,
+        raci_entries: raciEntries.size,
+        concerns_total: concernReports.size,
+        concerns_open_or_in_review: openConcerns,
+        concerns_resolved_or_closed: closedConcerns,
+        aims_context_version: contextRecord ? contextRecord.version : 0,
+        training_records: trainingRecords.size,
+    };
+}
+function buildAimsGovernanceStatePayload() {
+    return {
+        state_type: 'aims_governance_state',
+        generated_at: utcNow(),
+        policies: Array.from(policies.values()),
+        context_record: contextRecord ? clone(contextRecord) : null,
+        raci_entries: Array.from(raciEntries.values()),
+        concern_reports: Array.from(concernReports.values()),
+        training_records: Array.from(trainingRecords.values()),
+    };
+}
+function exportAimsGovernanceState(outputPath) {
+    const payload = buildAimsGovernanceStatePayload();
+    fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+    fs.writeFileSync(outputPath, JSON.stringify(payload, null, 2), 'utf-8');
+    return clone(payload);
+}
+function loadAimsGovernanceState(inputPath, options) {
+    const payload = JSON.parse(fs.readFileSync(inputPath, 'utf-8'));
+    if (!payload || typeof payload !== 'object') {
+        throw new Error('Invalid AIMS governance state payload');
+    }
+    const replaceRuntime = options?.replaceRuntime !== false;
+    if (!replaceRuntime) {
+        return payload;
+    }
+    clearAimsGovernanceData();
+    for (const rawPolicy of Array.isArray(payload.policies) ? payload.policies : []) {
+        if (!rawPolicy || typeof rawPolicy !== 'object') {
+            continue;
+        }
+        const versions = [];
+        for (const rawVersion of Array.isArray(rawPolicy.versions) ? rawPolicy.versions : []) {
+            if (!rawVersion || typeof rawVersion !== 'object') {
+                continue;
+            }
+            versions.push({
+                version_id: String(rawVersion.version_id || buildId('ver')),
+                version_number: Number(rawVersion.version_number || 1),
+                change_summary: String(rawVersion.change_summary || ''),
+                content_hash: String(rawVersion.content_hash || ''),
+                created_by: String(rawVersion.created_by || 'unknown'),
+                created_at: String(rawVersion.created_at || utcNow()),
+                status: asPolicyStatus(rawVersion.status),
+                artifact_path: rawVersion.artifact_path || undefined,
+                submitted_at: rawVersion.submitted_at || undefined,
+                approved_at: rawVersion.approved_at || undefined,
+                approved_by: rawVersion.approved_by || undefined,
+                effective_at: rawVersion.effective_at || undefined,
+                required_reviewers: normalizeList(rawVersion.required_reviewers),
+                approvals: normalizeList(rawVersion.approvals),
+                review_history: (Array.isArray(rawVersion.review_history) ? rawVersion.review_history : [])
+                    .filter((item) => item && typeof item === 'object')
+                    .map((item) => ({
+                    timestamp: String(item.timestamp || utcNow()),
+                    actor: String(item.actor || 'unknown'),
+                    action: String(item.action || 'event'),
+                    note: item.note || undefined,
+                })),
+                metadata: rawVersion.metadata && typeof rawVersion.metadata === 'object'
+                    ? rawVersion.metadata
+                    : {},
+            });
+        }
+        const policy = {
+            policy_id: String(rawPolicy.policy_id || buildId('policy')),
+            title: String(rawPolicy.title || 'policy'),
+            owner: String(rawPolicy.owner || 'owner'),
+            review_frequency_days: Math.max(1, Number(rawPolicy.review_frequency_days || 365)),
+            control_ids: Array.from(new Set(normalizeList(rawPolicy.control_ids).concat(DEFAULT_POLICY_CONTROL_IDS))).sort(),
+            created_at: String(rawPolicy.created_at || utcNow()),
+            updated_at: String(rawPolicy.updated_at || utcNow()),
+            active_version_id: rawPolicy.active_version_id || undefined,
+            last_reviewed_at: rawPolicy.last_reviewed_at || undefined,
+            next_review_due_at: rawPolicy.next_review_due_at || undefined,
+            workflow_ids: rawPolicy.workflow_ids && typeof rawPolicy.workflow_ids === 'object'
+                ? rawPolicy.workflow_ids
+                : undefined,
+            versions,
+            metadata: rawPolicy.metadata && typeof rawPolicy.metadata === 'object'
+                ? rawPolicy.metadata
+                : {},
+        };
+        policies.set(policy.policy_id, clone(policy));
+    }
+    if (payload.context_record && typeof payload.context_record === 'object') {
+        const rawContext = payload.context_record;
+        contextRecord = {
+            context_id: String(rawContext.context_id || 'aims_context'),
+            scope: String(rawContext.scope || ''),
+            approved_by: String(rawContext.approved_by || 'unknown'),
+            version: Math.max(1, Number(rawContext.version || 1)),
+            interested_parties: normalizeList(rawContext.interested_parties),
+            internal_issues: normalizeList(rawContext.internal_issues),
+            external_issues: normalizeList(rawContext.external_issues),
+            objectives: normalizeList(rawContext.objectives),
+            reviewed_at: String(rawContext.reviewed_at || utcNow()),
+            next_review_due_at: rawContext.next_review_due_at || undefined,
+            review_frequency_days: Math.max(1, Number(rawContext.review_frequency_days || 365)),
+            metadata: rawContext.metadata && typeof rawContext.metadata === 'object'
+                ? rawContext.metadata
+                : {},
+        };
+    }
+    for (const rawEntry of Array.isArray(payload.raci_entries) ? payload.raci_entries : []) {
+        if (!rawEntry || typeof rawEntry !== 'object') {
+            continue;
+        }
+        const entry = {
+            entry_id: String(rawEntry.entry_id || buildId('raci', 'entry')),
+            function_name: String(rawEntry.function_name || 'function'),
+            owner: String(rawEntry.owner || 'owner'),
+            accountable: normalizeList(rawEntry.accountable),
+            responsible: normalizeList(rawEntry.responsible),
+            consulted: normalizeList(rawEntry.consulted),
+            informed: normalizeList(rawEntry.informed),
+            control_ids: Array.from(new Set(normalizeList(rawEntry.control_ids).concat(DEFAULT_RACI_CONTROL_IDS))).sort(),
+            last_updated: String(rawEntry.last_updated || utcNow()),
+            notes: rawEntry.notes || undefined,
+            metadata: rawEntry.metadata && typeof rawEntry.metadata === 'object'
+                ? rawEntry.metadata
+                : {},
+        };
+        raciEntries.set(entry.entry_id, clone(entry));
+    }
+    for (const rawConcern of Array.isArray(payload.concern_reports) ? payload.concern_reports : []) {
+        if (!rawConcern || typeof rawConcern !== 'object') {
+            continue;
+        }
+        const report = {
+            concern_id: String(rawConcern.concern_id || buildId('concern')),
+            title: String(rawConcern.title || 'concern'),
+            description: String(rawConcern.description || ''),
+            reported_by: String(rawConcern.reported_by || 'unknown'),
+            severity: asConcernSeverity(rawConcern.severity, 'medium'),
+            status: asConcernStatus(rawConcern.status, 'open'),
+            submitted_at: String(rawConcern.submitted_at || utcNow()),
+            updated_at: String(rawConcern.updated_at || utcNow()),
+            assigned_to: rawConcern.assigned_to || undefined,
+            resolved_at: rawConcern.resolved_at || undefined,
+            control_ids: Array.from(new Set(normalizeList(rawConcern.control_ids).concat(DEFAULT_CONCERN_CONTROL_IDS))).sort(),
+            tags: Array.from(new Set(normalizeList(rawConcern.tags))).sort(),
+            history: (Array.isArray(rawConcern.history) ? rawConcern.history : [])
+                .filter((item) => item && typeof item === 'object')
+                .map((item) => ({
+                timestamp: String(item.timestamp || utcNow()),
+                actor: String(item.actor || 'unknown'),
+                status: asConcernStatus(item.status, 'open'),
+                note: item.note || undefined,
+            })),
+            metadata: rawConcern.metadata && typeof rawConcern.metadata === 'object'
+                ? rawConcern.metadata
+                : {},
+        };
+        concernReports.set(report.concern_id, clone(report));
+    }
+    for (const rawTraining of Array.isArray(payload.training_records) ? payload.training_records : []) {
+        if (!rawTraining || typeof rawTraining !== 'object') {
+            continue;
+        }
+        const record = {
+            record_id: String(rawTraining.record_id || buildId('train', 'record')),
+            user_id: String(rawTraining.user_id || 'unknown'),
+            topic: String(rawTraining.topic || 'topic'),
+            completed_at: String(rawTraining.completed_at || utcNow()),
+            recorded_by: String(rawTraining.recorded_by || 'unknown'),
+            control_ids: Array.from(new Set(normalizeList(rawTraining.control_ids).concat(DEFAULT_TRAINING_CONTROL_IDS))).sort(),
+            notes: rawTraining.notes || undefined,
+            metadata: rawTraining.metadata && typeof rawTraining.metadata === 'object'
+                ? rawTraining.metadata
+                : {},
+        };
+        trainingRecords.set(record.record_id, clone(record));
+    }
+    return payload;
+}