monora-ai 2.0.0 → 2.1.3

package/dist/assessment.js

@@ -0,0 +1,1232 @@
+"use strict";
+/**
+ * Compliance assessment and certification support for Monora SDK.
+ *
+ * This module provides tools for running compliance checks and generating
+ * assessment reports for ISO 42001, SOC 2, GDPR, and other frameworks.
+ *
+ * @example
+ * ```typescript
+ * import { runComplianceCheck, reportUsageProfile } from 'monora-ai';
+ *
+ * // Run compliance check before audit
+ * const result = await runComplianceCheck({
+ *   eventsPath: './monora_events.jsonl',
+ *   configPath: './monora.yml',
+ * });
+ *
+ * // Report usage profile
+ * const profile = reportUsageProfile();
+ * ```
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runComplianceCheck = runComplianceCheck;
+exports.reportUsageProfile = reportUsageProfile;
+exports.onComplianceCheck = onComplianceCheck;
+exports.generateRemediationPlan = generateRemediationPlan;
+exports.generateAssessmentReport = generateAssessmentReport;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const attribution_1 = require("./attribution");
+const config_1 = require("./config");
+const verify_1 = require("./verify");
+// Get version
+let SDK_VERSION = '2.1.3';
+try {
+    const pkgPath = path.join(__dirname, '..', 'package.json');
+    if (fs.existsSync(pkgPath)) {
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+        SDK_VERSION = pkg.version || SDK_VERSION;
+    }
+}
+catch {
+    // Use default version
+}
+// Callback registry
+const checkCallbacks = [];
+/**
+ * Run compliance checks for AI safety and governance.
+ *
+ * This function runs a series of checks to assess compliance with
+ * various frameworks like SOC 2, GDPR, ISO 27001, and ISO 42001.
+ *
+ * @param options - Check options.
+ * @returns ComplianceCheckResult with pass/fail status and details.
+ *
+ * @example
+ * ```typescript
+ * const result = await runComplianceCheck({
+ *   eventsPath: './monora_events.jsonl',
+ *   configPath: './monora.yml',
+ *   frameworks: ['SOC2', 'ISO42001'],
+ * });
+ *
+ * if (result.passed) {
+ *   console.log(`Compliance score: ${result.score}`);
+ * }
+ * ```
+ */
+async function runComplianceCheck(options = {}) {
+    const checks = [];
+    const warnings = [];
+    const errors = [];
+    const recommendations = [];
+    // Load config if needed
+    let loadedConfig = options.config || {};
+    if (options.configPath) {
+        try {
+            loadedConfig = (0, config_1.loadConfig)({ configPath: options.configPath });
+        }
+        catch (e) {
+            errors.push(`Failed to load config: ${e}`);
+        }
+    }
+    // Determine frameworks to check
+    const frameworksToCheck = options.frameworks || ['SOC2', 'GDPR', 'ISO27001', 'ISO42001'];
+    const { normalizedFrameworks, unknownFrameworks } = normalizeFrameworks(frameworksToCheck);
+    for (const framework of unknownFrameworks) {
+        warnings.push(`Unknown compliance framework: ${framework}`);
+    }
+    // Run configuration checks
+    const configChecks = checkConfiguration(loadedConfig);
+    checks.push(...configChecks.checks);
+    warnings.push(...configChecks.warnings);
+    recommendations.push(...configChecks.recommendations);
+    let events = null;
+    // Run event log checks if path provided
+    if (options.eventsPath) {
+        const loadResult = loadEvents(options.eventsPath);
+        if (loadResult.errors.length > 0) {
+            errors.push(...loadResult.errors);
+        }
+        else {
+            events = loadResult.events;
+            const eventChecks = await checkEvents(options.eventsPath, events);
+            checks.push(...eventChecks.checks);
+            warnings.push(...eventChecks.warnings);
+            errors.push(...eventChecks.errors);
+            recommendations.push(...eventChecks.recommendations);
+        }
+    }
+    const frameworkChecks = buildFrameworkChecks(loadedConfig, normalizedFrameworks);
+    checks.push(...frameworkChecks.checks);
+    warnings.push(...frameworkChecks.warnings);
+    recommendations.push(...frameworkChecks.recommendations);
+    // Calculate score (framework-weighted)
+    const scoreResult = calculateWeightedScore(checks, normalizedFrameworks);
+    const score = scoreResult.score;
+    // Determine grade
+    let grade;
+    if (score >= 90)
+        grade = 'A';
+    else if (score >= 80)
+        grade = 'B';
+    else if (score >= 70)
+        grade = 'C';
+    else if (score >= 60)
+        grade = 'D';
+    else
+        grade = 'F';
+    // Determine pass/fail
+    const passed = score >= 70 && errors.length === 0;
+    const result = {
+        passed,
+        score,
+        grade,
+        scoreBreakdown: scoreResult.breakdown,
+        checks,
+        warnings,
+        errors,
+        recommendations,
+        frameworksAssessed: frameworksToCheck,
+        assessedAt: new Date().toISOString(),
+        sdkVersion: SDK_VERSION,
+    };
+    // Notify callbacks
+    for (const callback of checkCallbacks) {
+        try {
+            callback(result);
+        }
+        catch {
+            // Ignore callback errors
+        }
+    }
+    return result;
+}
+/**
+ * Check configuration for compliance requirements.
+ */
+function checkConfiguration(config) {
+    const checks = [];
+    const warnings = [];
+    const recommendations = [];
+    // Check immutability settings
+    const immutability = config.immutability || {};
+    checks.push({
+        name: 'immutability_enabled',
+        description: 'Hash chain immutability is enabled',
+        passed: immutability.enabled ?? false,
+        category: 'integrity',
+    });
+    if (immutability.enabled) {
+        checks.push({
+            name: 'verify_on_emit',
+            description: 'Hash verification on emit is enabled',
+            passed: immutability.verify_on_emit ?? false,
+            category: 'integrity',
+        });
+        if (!immutability.verify_on_emit) {
+            recommendations.push('Enable verify_on_emit for real-time integrity checks');
+        }
+    }
+    // Check policy enforcement
+    const policies = config.policies || {};
+    checks.push({
+        name: 'policies_enforce',
+        description: 'Policy enforcement is enabled',
+        passed: policies.enforce ?? false,
+        category: 'governance',
+    });
+    // Check WAL settings
+    const wal = config.wal || {};
+    checks.push({
+        name: 'wal_enabled',
+        description: 'Write-ahead log is enabled for crash resilience',
+        passed: wal.enabled ?? false,
+        category: 'reliability',
+    });
+    if (!wal.enabled) {
+        recommendations.push('Enable WAL for crash resilience in production');
+    }
+    // Check signing settings
+    const signing = config.signing || {};
+    checks.push({
+        name: 'signing_enabled',
+        description: 'Event signing is enabled for non-repudiation',
+        passed: signing.enabled ?? false,
+        category: 'security',
+    });
+    if (!signing.enabled) {
+        recommendations.push('Consider enabling event signing for enterprise deployments');
+    }
+    // Check data handling
+    const dataHandling = config.data_handling || {};
+    checks.push({
+        name: 'data_handling_enabled',
+        description: 'Data handling/redaction rules are configured',
+        passed: dataHandling.enabled ?? false,
+        category: 'privacy',
+    });
+    // Check reporting
+    const reporting = config.reporting || {};
+    checks.push({
+        name: 'reporting_enabled',
+        description: 'Compliance reporting is enabled',
+        passed: reporting.enabled ?? true,
+        category: 'auditability',
+    });
+    return { checks, warnings, recommendations };
+}
+const KNOWN_FRAMEWORKS = new Set(['SOC2', 'GDPR', 'ISO27001', 'ISO42001']);
+const DEFAULT_CATEGORY_WEIGHT = 1;
+const CATEGORY_WEIGHTS = {
+    DEFAULT: {
+        integrity: 1,
+        governance: 1,
+        reliability: 1,
+        security: 1,
+        privacy: 1,
+        auditability: 1,
+        completeness: 1,
+    },
+    SOC2: {
+        integrity: 2.5,
+        governance: 1.5,
+        reliability: 1.5,
+        security: 2,
+        privacy: 0.75,
+        auditability: 2.5,
+        completeness: 1,
+    },
+    GDPR: {
+        integrity: 1,
+        governance: 1.5,
+        reliability: 1,
+        security: 1,
+        privacy: 3,
+        auditability: 1.5,
+        completeness: 1,
+    },
+    ISO27001: {
+        integrity: 2,
+        governance: 1,
+        reliability: 1.5,
+        security: 2.5,
+        privacy: 1,
+        auditability: 1.5,
+        completeness: 1,
+    },
+    ISO42001: {
+        integrity: 1.5,
+        governance: 2.5,
+        reliability: 1,
+        security: 1,
+        privacy: 1,
+        auditability: 2,
+        completeness: 1,
+    },
+};
+function normalizeFrameworkName(value) {
+    return String(value || '').replace(/[^a-zA-Z0-9]/g, '').toUpperCase();
+}
+function normalizeFrameworks(frameworks) {
+    const normalizedFrameworks = [];
+    const unknownFrameworks = [];
+    for (const framework of frameworks) {
+        const normalized = normalizeFrameworkName(framework);
+        if (!normalized) {
+            continue;
+        }
+        if (KNOWN_FRAMEWORKS.has(normalized)) {
+            if (!normalizedFrameworks.includes(normalized)) {
+                normalizedFrameworks.push(normalized);
+            }
+        }
+        else {
+            unknownFrameworks.push(framework);
+        }
+    }
+    return { normalizedFrameworks, unknownFrameworks };
+}
+function normalizeFrameworkList(values) {
+    if (!Array.isArray(values)) {
+        return [];
+    }
+    const normalized = [];
+    for (const value of values) {
+        const norm = normalizeFrameworkName(value);
+        if (norm) {
+            normalized.push(norm);
+        }
+    }
+    return normalized;
+}
+function combineCategoryWeights(frameworks) {
+    if (frameworks.length === 0) {
+        return { ...CATEGORY_WEIGHTS.DEFAULT };
+    }
+    const profiles = frameworks.map((framework) => CATEGORY_WEIGHTS[framework] || CATEGORY_WEIGHTS.DEFAULT);
+    const categories = Object.keys(CATEGORY_WEIGHTS.DEFAULT);
+    const combined = {};
+    for (const category of categories) {
+        const total = profiles.reduce((sum, profile) => sum + (profile[category] ?? DEFAULT_CATEGORY_WEIGHT), 0);
+        combined[category] = total / profiles.length;
+    }
+    return combined;
+}
+function calculateWeightedScore(checks, frameworks) {
+    const rawPassed = checks.filter((check) => check.passed).length;
+    const rawTotal = checks.length;
+    if (checks.length === 0) {
+        return {
+            score: 0,
+            breakdown: {
+                method: 'weighted_categories',
+                frameworks: frameworks.length > 0 ? frameworks : ['default'],
+                categoryWeights: { ...CATEGORY_WEIGHTS.DEFAULT },
+                categoryTotals: {},
+                categoryPassed: {},
+                weightedPassed: 0,
+                weightedTotal: 0,
+                rawPassed,
+                rawTotal,
+            },
+        };
+    }
+    const weights = combineCategoryWeights(frameworks);
+    const categoryWeights = { ...weights };
+    const categoryTotals = {};
+    const categoryPassed = {};
+    let weightedPassed = 0;
+    let weightedTotal = 0;
+    for (const check of checks) {
+        const category = String(check.category || 'uncategorized');
+        if (!(category in categoryWeights)) {
+            categoryWeights[category] = DEFAULT_CATEGORY_WEIGHT;
+        }
+        const weight = categoryWeights[category];
+        categoryTotals[category] = (categoryTotals[category] || 0) + 1;
+        weightedTotal += weight;
+        if (check.passed) {
+            categoryPassed[category] = (categoryPassed[category] || 0) + 1;
+            weightedPassed += weight;
+        }
+    }
+    const score = weightedTotal > 0 ? Math.round((weightedPassed / weightedTotal) * 100) : 0;
+    return {
+        score,
+        breakdown: {
+            method: 'weighted_categories',
+            frameworks: frameworks.length > 0 ? frameworks : ['default'],
+            categoryWeights,
+            categoryTotals,
+            categoryPassed,
+            weightedPassed: Number(weightedPassed.toFixed(2)),
+            weightedTotal: Number(weightedTotal.toFixed(2)),
+            rawPassed,
+            rawTotal,
+        },
+    };
+}
+function cleanPayload(payload) {
+    const cleaned = {};
+    for (const [key, value] of Object.entries(payload || {})) {
+        if (value === undefined || value === null) {
+            continue;
+        }
+        if (typeof value === 'string' && value.trim() === '') {
+            continue;
+        }
+        if (Array.isArray(value) && value.length === 0) {
+            continue;
+        }
+        if (typeof value === 'object' && !Array.isArray(value) && Object.keys(value).length === 0) {
+            continue;
+        }
+        cleaned[key] = value;
+    }
+    return cleaned;
+}
+function resolveAuditMetadata(config) {
+    const auditFromState = (0, attribution_1.getAuditMetadata)();
+    const statePayload = auditFromState
+        ? {
+            use_case_name: auditFromState.useCaseName,
+            business_owner: auditFromState.businessOwner,
+            data_categories: auditFromState.dataCategories,
+            risk_level: auditFromState.riskLevel,
+            compliance_frameworks: auditFromState.complianceFrameworks,
+            review_date: auditFromState.reviewDate,
+            reviewer: auditFromState.reviewer,
+            notes: auditFromState.notes,
+        }
+        : {};
+    const auditFromConfig = (config.audit || {});
+    return cleanPayload({ ...statePayload, ...auditFromConfig });
+}
+function buildFrameworkChecks(config, frameworks) {
+    const checks = [];
+    const warnings = [];
+    const recommendations = [];
+    if (!frameworks || frameworks.length === 0) {
+        return { checks, warnings, recommendations };
+    }
+    const auditMetadata = resolveAuditMetadata(config);
+    const complianceFrameworks = normalizeFrameworkList(auditMetadata.compliance_frameworks);
+    const useCaseDocumented = Boolean(auditMetadata.use_case_name && auditMetadata.business_owner);
+    const reviewDocumented = Boolean(auditMetadata.review_date || auditMetadata.reviewer);
+    const dataCategoriesDeclared = Boolean(auditMetadata.data_categories);
+    const defaults = config.defaults || {};
+    const immutability = config.immutability || {};
+    const policies = config.policies || {};
+    const wal = config.wal || {};
+    const signing = config.signing || {};
+    const reporting = config.reporting || {};
+    const dataHandling = config.data_handling || {};
+    const alerts = config.alerts || {};
+    const sinks = config.sinks || [];
+    const sinksConfigured = sinks.length > 0;
+    const reportingEnabled = reporting.enabled ?? true;
+    const loggingConfigured = Boolean(reportingEnabled && sinksConfigured);
+    const dataHandlingEnabled = Boolean(dataHandling.enabled);
+    const redactionRulesConfigured = Array.isArray(dataHandling.rules) && dataHandling.rules.length > 0;
+    const dataClassificationSet = Boolean(defaults.data_classification);
+    const addCheck = (name, description, passed, category, recommendation) => {
+        checks.push({ name, description, passed, category });
+        if (recommendation && !passed) {
+            recommendations.push(recommendation);
+        }
+    };
+    if (frameworks.includes('SOC2')) {
+        addCheck('soc2_framework_declared', 'SOC 2: framework declared in audit metadata', complianceFrameworks.includes('SOC2'), 'governance', 'Add SOC2 to audit metadata compliance_frameworks');
+        addCheck('soc2_audit_metadata', 'SOC 2: audit metadata documents use case and owner', useCaseDocumented, 'governance', 'Set audit metadata with use_case_name and business_owner for SOC 2');
+        addCheck('soc2_logging_configured', 'SOC 2: reporting and event sinks are configured', loggingConfigured, 'auditability', 'Enable reporting and configure at least one sink for SOC 2 audit trails');
+        addCheck('soc2_integrity_controls', 'SOC 2: hash chain immutability is enabled', Boolean(immutability.enabled), 'integrity', 'Enable immutability for SOC 2 integrity controls');
+        addCheck('soc2_wal_enabled', 'SOC 2: write-ahead log enabled for resilience', Boolean(wal.enabled), 'reliability', 'Enable WAL to strengthen SOC 2 availability evidence');
+        addCheck('soc2_policy_enforcement', 'SOC 2: policy enforcement is enabled', Boolean(policies.enforce), 'governance', 'Enable policy enforcement for SOC 2 governance controls');
+        addCheck('soc2_incident_alerts', 'SOC 2: violation alert webhook configured', Boolean(alerts.violation_webhook), 'security', 'Configure alerts.violation_webhook for SOC 2 incident response');
+    }
+    if (frameworks.includes('GDPR')) {
+        addCheck('gdpr_framework_declared', 'GDPR: framework declared in audit metadata', complianceFrameworks.includes('GDPR'), 'privacy', 'Add GDPR to audit metadata compliance_frameworks');
+        addCheck('gdpr_data_handling_enabled', 'GDPR: data handling/redaction is enabled', dataHandlingEnabled, 'privacy', 'Enable data_handling to support GDPR data minimization');
+        addCheck('gdpr_redaction_rules_configured', 'GDPR: redaction rules are configured', redactionRulesConfigured, 'privacy', 'Configure data_handling.rules to redact sensitive data for GDPR');
+        addCheck('gdpr_data_categories_declared', 'GDPR: data categories are documented', dataCategoriesDeclared, 'privacy', 'Document data_categories in audit metadata for GDPR');
+        addCheck('gdpr_data_classification_set', 'GDPR: default data classification is set', dataClassificationSet, 'privacy', 'Set defaults.data_classification to document GDPR data handling scope');
+        addCheck('gdpr_review_documented', 'GDPR: compliance review metadata is documented', reviewDocumented, 'privacy', 'Record review_date or reviewer in audit metadata for GDPR');
+    }
+    if (frameworks.includes('ISO27001')) {
+        addCheck('iso27001_framework_declared', 'ISO 27001: framework declared in audit metadata', complianceFrameworks.includes('ISO27001'), 'security', 'Add ISO27001 to audit metadata compliance_frameworks');
+        addCheck('iso27001_signing_enabled', 'ISO 27001: event signing is enabled', Boolean(signing.enabled), 'security', 'Enable signing to strengthen ISO 27001 non-repudiation');
+        addCheck('iso27001_immutability_enabled', 'ISO 27001: hash chain immutability is enabled', Boolean(immutability.enabled), 'integrity', 'Enable immutability for ISO 27001 integrity controls');
+        addCheck('iso27001_wal_enabled', 'ISO 27001: write-ahead log enabled for resilience', Boolean(wal.enabled), 'reliability', 'Enable WAL to strengthen ISO 27001 availability evidence');
+        addCheck('iso27001_logging_configured', 'ISO 27001: reporting and event sinks are configured', loggingConfigured, 'auditability', 'Enable reporting and configure sinks for ISO 27001 audit trails');
+    }
+    if (frameworks.includes('ISO42001')) {
+        addCheck('iso42001_framework_declared', 'ISO 42001: framework declared in audit metadata', complianceFrameworks.includes('ISO42001'), 'governance', 'Add ISO42001 to audit metadata compliance_frameworks');
+        addCheck('iso42001_use_case_documented', 'ISO 42001: use case and owner are documented', useCaseDocumented, 'governance', 'Document use_case_name and business_owner for ISO 42001');
+        addCheck('iso42001_policy_enforcement', 'ISO 42001: policy enforcement is enabled', Boolean(policies.enforce), 'governance', 'Enable policy enforcement for ISO 42001 governance controls');
+        addCheck('iso42001_data_handling_enabled', 'ISO 42001: data handling/redaction is enabled', dataHandlingEnabled, 'privacy', 'Enable data_handling to support ISO 42001 risk controls');
+        addCheck('iso42001_review_documented', 'ISO 42001: compliance review metadata is documented', reviewDocumented, 'governance', 'Record review_date or reviewer in audit metadata for ISO 42001');
+        // A.5.x - Impact Assessment checks
+        const impactConfig = (config.impact_assessment || {});
+        const impactEnabled = Boolean(impactConfig.enabled);
+        addCheck('iso42001_impact_assessment_enabled', 'ISO 42001 A.5: Impact assessment module is enabled', impactEnabled, 'governance', 'Enable impact_assessment in config for ISO 42001 A.5.x compliance');
+        // Check for registered impact assessments
+        let hasImpactAssessments = false;
+        let hasApprovedAssessment = false;
+        try {
+            const { getRegistry: getImpactRegistry } = require('./impact-assessment');
+            const impactRegistry = getImpactRegistry();
+            const assessments = impactRegistry.listAssessments();
+            hasImpactAssessments = assessments.length > 0;
+            hasApprovedAssessment = assessments.some((a) => a.status === 'approved');
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_impact_assessment_registered', 'ISO 42001 A.5.2: At least one impact assessment is registered', hasImpactAssessments, 'governance', 'Create and register an AI impact assessment using createImpactAssessment()');
+        addCheck('iso42001_impact_assessment_approved', 'ISO 42001 A.5.3: At least one impact assessment is approved', hasApprovedAssessment, 'governance', 'Complete impact assessment approval workflow using finalizeAssessment()');
+        // A.6.x - Lifecycle checks
+        const lifecycleConfig = (config.lifecycle || {});
+        const lifecycleEnabled = Boolean(lifecycleConfig.enabled);
+        addCheck('iso42001_lifecycle_enabled', 'ISO 42001 A.6: Lifecycle management module is enabled', lifecycleEnabled, 'governance', 'Enable lifecycle in config for ISO 42001 A.6.x compliance');
+        // Check for registered system records
+        let hasSystemRecords = false;
+        let hasRequirements = false;
+        let hasVerification = false;
+        try {
+            const { getRegistry: getLifecycleRegistry } = require('./lifecycle');
+            const lifecycleRegistry = getLifecycleRegistry();
+            const systemRecords = lifecycleRegistry.listRecords();
+            hasSystemRecords = systemRecords.length > 0;
+            hasRequirements = systemRecords.some((r) => r.requirements && r.requirements.length > 0);
+            hasVerification = systemRecords.some((r) => r.verificationResults && r.verificationResults.length > 0);
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_system_record_registered', 'ISO 42001 A.6.1: At least one AI system record is registered', hasSystemRecords, 'governance', 'Create AI system record using createSystemRecord()');
+        addCheck('iso42001_requirements_defined', 'ISO 42001 A.6.2.2: System has defined requirements', hasRequirements, 'governance', 'Define system requirements using addRequirement()');
+        addCheck('iso42001_verification_recorded', 'ISO 42001 A.6.2.4: Verification results are recorded', hasVerification, 'governance', 'Record verification results using recordVerification()');
+        // A.7.x - Data Governance checks
+        const dataGovConfig = (config.data_governance || {});
+        const dataGovEnabled = Boolean(dataGovConfig.enabled);
+        addCheck('iso42001_data_governance_enabled', 'ISO 42001 A.7: Data governance module is enabled', dataGovEnabled, 'privacy', 'Enable data_governance in config for ISO 42001 A.7.x compliance');
+        // Check for registered datasets
+        let hasDatasets = false;
+        let hasQualityMetrics = false;
+        let hasBiasAssessment = false;
+        try {
+            const { getRegistry: getDataGovRegistry } = require('./data-governance');
+            const dataRegistry = getDataGovRegistry();
+            const datasets = dataRegistry.listRecords();
+            hasDatasets = datasets.length > 0;
+            hasQualityMetrics = datasets.some((d) => d.qualityMetrics !== undefined);
+            hasBiasAssessment = datasets.some((d) => d.biasAssessments && d.biasAssessments.length > 0);
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_dataset_registered', 'ISO 42001 A.7.2: At least one dataset is registered', hasDatasets, 'privacy', 'Register datasets using createDatasetRecord()');
+        addCheck('iso42001_data_quality_recorded', 'ISO 42001 A.7.4: Data quality metrics are recorded', hasQualityMetrics, 'privacy', 'Record data quality metrics using recordQualityMetrics()');
+        addCheck('iso42001_data_bias_assessed', 'ISO 42001 A.7.6: Dataset bias assessments are recorded', hasBiasAssessment, 'privacy', 'Record bias assessments using recordDatasetBiasAssessment()');
+        // A.8.x/A.10.x - Stakeholder checks
+        const stakeholdersConfig = (config.stakeholders || {});
+        const stakeholdersEnabled = Boolean(stakeholdersConfig.enabled);
+        addCheck('iso42001_stakeholders_enabled', 'ISO 42001 A.8/A.10: Stakeholder management module is enabled', stakeholdersEnabled, 'governance', 'Enable stakeholders in config for ISO 42001 A.8/A.10 compliance');
+        // Check for registered stakeholders/suppliers
+        let hasStakeholders = false;
+        let hasSuppliers = false;
+        let hasApprovedSuppliers = false;
+        try {
+            const { getRegistry: getStakeholderRegistry } = require('./stakeholders');
+            const stakeholderRegistry = getStakeholderRegistry();
+            const stakeholdersList = stakeholderRegistry.listStakeholders();
+            const suppliersList = stakeholderRegistry.listSuppliers();
+            hasStakeholders = stakeholdersList.length > 0;
+            hasSuppliers = suppliersList.length > 0;
+            hasApprovedSuppliers = suppliersList.some((s) => s.status === 'approved');
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_stakeholders_registered', 'ISO 42001 A.8.2: Stakeholders are registered', hasStakeholders, 'governance', 'Register stakeholders using registerStakeholder()');
+        addCheck('iso42001_suppliers_registered', 'ISO 42001 A.10.3: Suppliers are registered', hasSuppliers, 'governance', 'Register suppliers using registerSupplier()');
+        addCheck('iso42001_suppliers_approved', 'ISO 42001 A.10.3: Suppliers are assessed and approved', hasApprovedSuppliers, 'governance', 'Approve suppliers after assessment using updateSupplierStatus()');
+        // A.4.x/A.2.4 - Resource Inventory checks
+        const resourcesConfig = (config.resources || {});
+        const resourcesEnabled = Boolean(resourcesConfig.enabled);
+        addCheck('iso42001_resources_enabled', 'ISO 42001 A.4: Resource inventory module is enabled', resourcesEnabled, 'governance', 'Enable resources in config for ISO 42001 A.4.x compliance');
+        // Check for resource inventories and policy reviews
+        let hasInventories = false;
+        let hasTooling = false;
+        let hasPolicyReviews = false;
+        try {
+            const { getRegistry: getResourceRegistry } = require('./resources');
+            const resourceRegistry = getResourceRegistry();
+            const inventories = resourceRegistry.listInventories();
+            const policyReviews = resourceRegistry.listPolicyReviews();
+            hasInventories = inventories.length > 0;
+            hasTooling = inventories.some((i) => i.toolingResources && i.toolingResources.length > 0);
+            hasPolicyReviews = policyReviews.length > 0;
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_resource_inventory_exists', 'ISO 42001 A.4.2: Resource inventory exists', hasInventories, 'governance', 'Create resource inventory using createResourceInventory()');
+        addCheck('iso42001_tooling_resources_tracked', 'ISO 42001 A.4.4: Tooling resources are tracked', hasTooling, 'governance', 'Track tooling resources using addToolingResource()');
+        addCheck('iso42001_policy_reviews_scheduled', 'ISO 42001 A.2.4: Policy reviews are scheduled', hasPolicyReviews, 'governance', 'Schedule policy reviews using schedulePolicyReview()');
+        // ============================================================
+        // NEW ISO 42001 CHECKS - Phase 2 Gap Closure (39 checks)
+        // ============================================================
+        // Query ISO 42001 workflow records for checks
+        let workflowTypes = new Set();
+        try {
+            const { listWorkflowRecords } = require('./iso42001-workflows');
+            const workflowRecords = listWorkflowRecords();
+            workflowTypes = new Set(workflowRecords.map((r) => r.workflowType));
+        }
+        catch {
+            // Module not available
+        }
+        // ----------------------------------------------------------
+        // A.2 Policy & Governance (4 new checks)
+        // ----------------------------------------------------------
+        addCheck('iso42001_policy_alignment_recorded', 'ISO 42001 A.2.3: Policy alignment workflow is recorded', workflowTypes.has('policy_alignment'), 'governance', 'Record policy alignment using recordPolicyAlignment()');
+        const iso42001Config = (config.iso42001 || {});
+        const aimsContext = iso42001Config.aims_context || '';
+        addCheck('iso42001_aims_context_established', 'ISO 42001 A.2.2: AIMS context is established', Boolean(aimsContext), 'governance', 'Set iso42001.aims_context in config to document AIMS context');
+        const aimsScope = iso42001Config.aims_scope || '';
+        addCheck('iso42001_aims_scope_defined', 'ISO 42001 A.2: AIMS scope is defined', Boolean(aimsScope), 'governance', 'Set iso42001.aims_scope in config to define scope');
+        // Check for interested parties via stakeholders module
+        addCheck('iso42001_interested_parties_identified', 'ISO 42001 A.2: Interested parties are identified', hasStakeholders, 'governance', 'Register stakeholders using registerStakeholder()');
+        // ----------------------------------------------------------
+        // A.4 Resources (4 new checks)
+        // ----------------------------------------------------------
+        let hasHumanResources = false;
+        let hasComputeResources = false;
+        let hasDataResources = false;
+        try {
+            const { getRegistry: getResRegistry } = require('./resources');
+            const resReg = getResRegistry();
+            const allInventories = resReg.listInventories();
+            hasHumanResources = allInventories.some((i) => i.humanResources && i.humanResources.length > 0);
+            hasComputeResources = allInventories.some((i) => i.computeResources && i.computeResources.length > 0);
+            hasDataResources = allInventories.some((i) => i.metadata && i.metadata.data_resources);
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_human_resources_tracked', 'ISO 42001 A.4: Human resources are tracked', hasHumanResources, 'governance', 'Track human resources using addHumanResource()');
+        addCheck('iso42001_compute_resources_tracked', 'ISO 42001 A.4: Compute resources are tracked', hasComputeResources, 'governance', 'Track compute resources using addComputeResource()');
+        addCheck('iso42001_data_resources_tracked', 'ISO 42001 A.4: Data resources are documented', hasDataResources, 'governance', 'Document data resources in resource inventory metadata');
+        const hasCompetencyRecords = workflowTypes.has('resource_competency');
+        addCheck('iso42001_competency_training_documented', 'ISO 42001 A.4: Competency and training is documented', hasCompetencyRecords, 'governance', 'Record competency requirements using recordResourceCompetency()');
+        // ----------------------------------------------------------
+        // A.5 Impact Assessment (5 new checks)
+        // ----------------------------------------------------------
+        let hasCurrentAssessment = false;
+        let hasSocietalImpacts = false;
+        let hasIndividualImpacts = false;
+        let hasMitigations = false;
+        let hasRevalidation = false;
+        try {
+            const { getRegistry: getImpRegistry } = require('./impact-assessment');
+            const impReg = getImpRegistry();
+            const allAssessments = impReg.listAssessments();
+            const now = new Date().toISOString();
+            hasCurrentAssessment = allAssessments.some((a) => !a.validUntil || a.validUntil > now);
+            hasSocietalImpacts = allAssessments.some((a) => a.impacts && a.impacts.some((i) => i.impactType === 'societal'));
+            hasIndividualImpacts = allAssessments.some((a) => a.impacts && a.impacts.some((i) => i.impactType === 'individual'));
+            hasMitigations = allAssessments.some((a) => a.impacts && a.impacts.some((i) => i.mitigations && i.mitigations.length > 0));
+            hasRevalidation = allAssessments.some((a) => a.revalidationFrequency);
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_impact_assessment_current', 'ISO 42001 A.5.2: Impact assessment is current (not expired)', hasCurrentAssessment, 'governance', 'Ensure impact assessment validUntil is in the future');
+        addCheck('iso42001_societal_impacts_assessed', 'ISO 42001 A.5.5: Societal impacts are assessed', hasSocietalImpacts, 'governance', "Add societal impact records using addImpactRecord({impactType: 'societal'})");
+        addCheck('iso42001_individual_impacts_assessed', 'ISO 42001 A.5.4: Individual impacts are assessed', hasIndividualImpacts, 'governance', "Add individual impact records using addImpactRecord({impactType: 'individual'})");
+        addCheck('iso42001_impact_mitigations_documented', 'ISO 42001 A.5: Impact mitigations are documented', hasMitigations, 'governance', 'Document mitigations using addMitigation() on impact records');
+        addCheck('iso42001_impact_revalidation_scheduled', 'ISO 42001 A.5: Impact revalidation frequency is set', hasRevalidation, 'governance', 'Set revalidationFrequency on impact assessments');
+        // ----------------------------------------------------------
+        // A.6 Lifecycle (8 new checks)
+        // ----------------------------------------------------------
+        addCheck('iso42001_development_objectives_defined', 'ISO 42001 A.6.1.2: Development objectives are defined', workflowTypes.has('responsible_development_objectives'), 'governance', 'Record objectives using recordResponsibleDevelopmentObjectives()');
+        addCheck('iso42001_development_process_defined', 'ISO 42001 A.6.1.3: Development process is defined', workflowTypes.has('responsible_development_process'), 'governance', 'Record process using recordResponsibleDevelopmentProcess()');
+        // Check for design documents via lifecycle
+        let hasDesignDocs = false;
+        let hasValidation = false;
+        let hasDeploymentApproval = false;
+        let hasMonitoring = false;
+        try {
+            const { getRegistry: getLcRegistry } = require('./lifecycle');
+            const lcReg = getLcRegistry();
+            const lcRecords = lcReg.listRecords();
+            hasDesignDocs = lcRecords.some((r) => r.metadata && r.metadata.design_documents);
+            hasValidation = lcRecords.some((r) => r.validationResults && r.validationResults.length > 0);
+            hasDeploymentApproval = lcRecords.some((r) => (r.stage === 'staging' || r.stage === 'production') &&
+                r.metadata &&
+                r.metadata.deployment_approved);
+            hasMonitoring = lcRecords.some((r) => r.metadata && r.metadata.monitoring_configured);
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_design_documents_current', 'ISO 42001 A.6.2.1: Design documents are maintained', hasDesignDocs || workflowTypes.has('requirements_specification'), 'governance', 'Record requirements using recordRequirementsSpecification() or add design_documents to lifecycle metadata');
+        addCheck('iso42001_verification_validation_complete', 'ISO 42001 A.6.2.4: Verification and validation is complete', hasValidation || workflowTypes.has('verification_validation'), 'governance', 'Record V&V using recordVerificationValidation() or recordValidation()');
+        addCheck('iso42001_deployment_approval_documented', 'ISO 42001 A.6.2.5: Deployment approval is documented', hasDeploymentApproval || workflowTypes.has('deployment_plan'), 'governance', 'Record deployment approval using recordDeploymentPlan() or set deployment_approved in metadata');
+        addCheck('iso42001_operations_monitoring_active', 'ISO 42001 A.6.2.6: Operations monitoring is configured', hasMonitoring || workflowTypes.has('operations_monitoring'), 'governance', 'Record monitoring using recordOperationsMonitoring() or set monitoring_configured in metadata');
+        addCheck('iso42001_stakeholder_docs_communicated', 'ISO 42001 A.6.2.7: Stakeholder documentation is communicated', workflowTypes.has('stakeholder_documentation'), 'governance', 'Record documentation using recordStakeholderDocumentation()');
+        // Check hash chain for event logging integrity
+        const immutabilityConfig = (config.immutability || {});
+        const hashChainEnabled = Boolean(immutabilityConfig.enabled);
+        addCheck('iso42001_event_logging_integrity', 'ISO 42001 A.6.2.8: Event logging integrity controls are enabled', hashChainEnabled || workflowTypes.has('lifecycle_event_logging'), 'integrity', 'Enable immutability.enabled=true or recordLifecycleEventLogging()');
+        // ----------------------------------------------------------
+        // A.7 Data (5 new checks)
+        // ----------------------------------------------------------
+        addCheck('iso42001_data_sources_documented', 'ISO 42001 A.7.2: Data sources are documented', workflowTypes.has('data_acquisition'), 'privacy', 'Record data sources using recordDataAcquisition()');
+        // Check for consent basis in data governance
+        let hasConsentBasis = false;
+        let hasQualityDimensions = false;
+        let hasProvenance = false;
+        let hasPreparation = false;
+        try {
+            const { getRegistry: getDataReg } = require('./data-governance');
+            const dataReg = getDataReg();
+            const allDatasets = dataReg.listRecords();
+            hasConsentBasis = allDatasets.some((d) => d.metadata && (d.metadata.consent_basis || d.metadata.legal_basis));
+            hasQualityDimensions = allDatasets.some((d) => d.qualityMetrics);
+            hasProvenance = allDatasets.some((d) => d.provenance);
+            hasPreparation = allDatasets.some((d) => d.preparationSteps && d.preparationSteps.length > 0);
+        }
+        catch {
+            // Module not available
+        }
+        addCheck('iso42001_data_consent_basis_valid', 'ISO 42001 A.7.3: Data consent/legal basis is documented', hasConsentBasis || workflowTypes.has('data_acquisition'), 'privacy', 'Set consent_basis or legal_basis in dataset metadata');
+        addCheck('iso42001_data_quality_dimensions', 'ISO 42001 A.7.4: Data quality dimensions are defined', hasQualityDimensions || workflowTypes.has('data_quality'), 'privacy', 'Record quality metrics using recordQualityMetrics() or recordDataQuality()');
+        addCheck('iso42001_data_provenance_traceable', 'ISO 42001 A.7.5: Data provenance is traceable', hasProvenance || workflowTypes.has('data_provenance'), 'privacy', 'Record provenance using recordProvenance() or recordDataProvenance()');
+        addCheck('iso42001_data_preparation_documented', 'ISO 42001 A.7.6: Data preparation is documented', hasPreparation || workflowTypes.has('data_preparation'), 'privacy', 'Record preparation using recordPreparationStep() or recordDataPreparation()');
+        // ----------------------------------------------------------
+        // A.8 Transparency (4 new checks)
+        // ----------------------------------------------------------
+        addCheck('iso42001_transparency_channels', 'ISO 42001 A.8.2: Transparency disclosure channels are established', workflowTypes.has('transparency_disclosure'), 'transparency', 'Record transparency using recordTransparencyDisclosure()');
+        addCheck('iso42001_adverse_impact_process', 'ISO 42001 A.8.3: Adverse impact reporting process is defined', workflowTypes.has('adverse_impact_reporting'), 'transparency', 'Record process using recordAdverseImpactReporting()');
+        addCheck('iso42001_incident_escalation_defined', 'ISO 42001 A.8.4: Incident escalation plan is defined', workflowTypes.has('incident_communication'), 'transparency', 'Record plan using recordIncidentCommunication()');
+        addCheck('iso42001_regulatory_reporting_compliant', 'ISO 42001 A.8.5: Regulatory reporting obligations are tracked', workflowTypes.has('reporting_obligations'), 'transparency', 'Record obligations using recordReportingObligations()');
+        // ----------------------------------------------------------
+        // A.9 Responsible Use (3 new checks)
+        // ----------------------------------------------------------
+        addCheck('iso42001_use_process_documented', 'ISO 42001 A.9.2: Responsible use process is documented', workflowTypes.has('responsible_use_process'), 'governance', 'Record process using recordResponsibleUseProcess()');
+        addCheck('iso42001_use_objectives_measurable', 'ISO 42001 A.9.3: Responsible use objectives are measurable', workflowTypes.has('responsible_use_objectives'), 'governance', 'Record objectives using recordResponsibleUseObjectives()');
+        addCheck('iso42001_intended_use_defined', 'ISO 42001 A.9.4: Intended use statement is defined', workflowTypes.has('intended_use_statement'), 'governance', 'Record statement using recordIntendedUseStatement()');
+        // ----------------------------------------------------------
+        // A.10 Third-Party (3 new checks)
+        // ----------------------------------------------------------
+        addCheck('iso42001_responsibility_allocation', 'ISO 42001 A.10.1: Third-party responsibility allocation is clear', workflowTypes.has('third_party_responsibility'), 'governance', 'Record allocation using recordThirdPartyResponsibility()');
+        addCheck('iso42001_supplier_assessment_documented', 'ISO 42001 A.10.2: Supplier assessments are documented', workflowTypes.has('supplier_assurance'), 'governance', 'Record assessments using recordSupplierAssurance()');
+        addCheck('iso42001_customer_requirements_mapped', 'ISO 42001 A.10.3: Customer requirements are mapped', workflowTypes.has('customer_alignment'), 'governance', 'Record requirements using recordCustomerAlignment()');
+        // ----------------------------------------------------------
+        // Clause 9-10 Management (3 new checks)
+        // ----------------------------------------------------------
+        addCheck('iso42001_audit_findings_addressed', 'ISO 42001 Clause 9: Internal audit findings are addressed', workflowTypes.has('internal_audit'), 'governance', 'Record audits using recordInternalAudit()');
+        addCheck('iso42001_management_review_complete', 'ISO 42001 Clause 9: Management review is complete', workflowTypes.has('management_review'), 'governance', 'Record reviews using recordManagementReview()');
+        addCheck('iso42001_capa_effectiveness_verified', 'ISO 42001 Clause 10: Corrective action effectiveness is verified', workflowTypes.has('corrective_action'), 'governance', 'Record CAPA using recordCorrectiveAction()');
+    }
+    return { checks, warnings, recommendations };
+}
+function loadEvents(eventsPath) {
+    const errors = [];
+    if (!fs.existsSync(eventsPath)) {
+        errors.push(`Events file not found: ${eventsPath}`);
+        return { events: [], errors };
+    }
+    try {
+        const content = fs.readFileSync(eventsPath, 'utf8');
+        const events = [];
+        const lines = content.split('\n').filter((line) => line.trim());
+        lines.forEach((line, index) => {
+            try {
+                events.push(JSON.parse(line));
+            }
+            catch (err) {
+                const snippet = line.length > 120 ? `${line.slice(0, 120)}...` : line;
+                errors.push(`Failed to parse events line ${index + 1}: ${err} (${snippet})`);
+            }
+        });
+        return { events, errors };
+    }
+    catch (e) {
+        errors.push(`Failed to parse events file: ${e}`);
+        return { events: [], errors };
+    }
+}
+/**
+ * Check event log for compliance requirements.
+ */
+async function checkEvents(eventsPath, events) {
+    const checks = [];
+    const warnings = [];
+    const errors = [];
+    const recommendations = [];
+    if (!events) {
+        const loadResult = loadEvents(eventsPath);
+        events = loadResult.events;
+        errors.push(...loadResult.errors);
+    }
+    if (errors.length > 0) {
+        return { checks, warnings, errors, recommendations };
+    }
+    // Check we have events
+    checks.push({
+        name: 'events_exist',
+        description: 'Event log contains events',
+        passed: events.length > 0,
+        category: 'auditability',
+    });
+    if (events.length > 0) {
+        // Check hash chain integrity
+        const [chainValid] = (0, verify_1.verifyChain)(events);
+        checks.push({
+            name: 'hash_chain_valid',
+            description: 'Hash chain integrity is verified',
+            passed: chainValid,
+            category: 'integrity',
+        });
+        if (!chainValid) {
+            errors.push('Hash chain integrity check failed - possible tampering');
+        }
+        // Check for signatures
+        const signedEvents = events.filter((e) => e.event_signature);
+        checks.push({
+            name: 'events_signed',
+            description: 'Events are signed',
+            passed: signedEvents.length === events.length,
+            category: 'security',
+        });
+        // Check for sequence gaps
+        const gaps = (0, verify_1.detectSequenceGaps)(events);
+        checks.push({
+            name: 'no_sequence_gaps',
+            description: 'No sequence gaps detected',
+            passed: gaps.length === 0,
+            category: 'completeness',
+        });
+        if (gaps.length > 0) {
+            warnings.push(`Detected ${gaps.length} sequence gaps in event log`);
+        }
+        // Check for policy violations
+        const violations = events.filter((e) => e.event_type === 'policy_violation');
+        checks.push({
+            name: 'no_violations',
+            description: 'No unresolved policy violations',
+            passed: violations.length === 0,
+            category: 'governance',
+        });
+        if (violations.length > 0) {
+            warnings.push(`Found ${violations.length} policy violations in event log`);
+        }
+    }
+    return { checks, warnings, errors, recommendations };
+}
+/**
+ * Report current usage profile for certification/assessment.
+ *
+ * This generates a summary of SDK usage that can be used for
+ * certification processes like ISO 42001.
+ *
+ * @param options - Profile options.
+ * @returns UsageProfile object.
+ *
+ * @example
+ * ```typescript
+ * const profile = reportUsageProfile();
+ * console.log(profile.featuresUsed);
+ * ```
+ */
+function reportUsageProfile(options = {}) {
+    const { config, environment } = options;
+    // Get features from config
+    const featuresEnabled = [];
+    const configSummary = {};
+    if (config) {
+        if (config.immutability?.enabled)
+            featuresEnabled.push('immutability');
+        if (config.policies?.enforce)
+            featuresEnabled.push('policy_enforcement');
+        if (config.wal?.enabled)
+            featuresEnabled.push('wal');
+        if (config.signing?.enabled)
+            featuresEnabled.push('signing');
+        if (config.data_handling?.enabled)
+            featuresEnabled.push('data_handling');
+        if (config.reporting?.enabled)
+            featuresEnabled.push('reporting');
+        if (config.telemetry?.enabled)
+            featuresEnabled.push('telemetry');
+        configSummary.environment = config.defaults?.environment ?? 'unknown';
+        configSummary.dataClassification = config.defaults?.data_classification ?? 'unknown';
+        configSummary.sinksCount = config.sinks?.length ?? 0;
+    }
+    // Get audit metadata and registration
+    const auditMeta = (0, attribution_1.getAuditMetadata)();
+    const reg = (0, attribution_1.getRegistration)();
+    return {
+        sdkVersion: SDK_VERSION,
+        featuresEnabled,
+        featuresUsed: (0, attribution_1.getFeaturesUsed)(),
+        configSummary,
+        auditMetadata: auditMeta ?? undefined,
+        registration: reg ?? undefined,
+        environment: environment ?? configSummary.environment ?? 'unknown',
+        generatedAt: new Date().toISOString(),
+    };
+}
+/**
+ * Register a callback for compliance check events.
+ *
+ * @param callback - Function called with check result.
+ * @returns Unsubscribe function.
+ *
+ * @example
+ * ```typescript
+ * const unsubscribe = onComplianceCheck((result) => {
+ *   if (!result.passed) {
+ *     sendAlert('Compliance check failed!');
+ *   }
+ * });
+ * ```
+ */
+function onComplianceCheck(callback) {
+    checkCallbacks.push(callback);
+    return () => {
+        const index = checkCallbacks.indexOf(callback);
+        if (index !== -1) {
+            checkCallbacks.splice(index, 1);
+        }
+    };
+}
+/**
+ * Category priority weights for remediation ordering.
+ */
+const CATEGORY_PRIORITY = {
+    security: 100,
+    integrity: 90,
+    privacy: 85,
+    governance: 70,
+    auditability: 60,
+    reliability: 50,
+    completeness: 40,
+};
+/**
+ * Effort estimates based on check name patterns.
+ */
+const EFFORT_ESTIMATES = {
+    // Configuration changes - minimal effort
+    immutability_enabled: 'minimal',
+    verify_on_emit: 'minimal',
+    policies_enforce: 'minimal',
+    wal_enabled: 'minimal',
+    signing_enabled: 'low',
+    data_handling_enabled: 'minimal',
+    reporting_enabled: 'minimal',
+    // Metadata documentation - low effort
+    framework_declared: 'low',
+    audit_metadata: 'low',
+    use_case_documented: 'low',
+    review_documented: 'low',
+    data_categories_declared: 'low',
+    data_classification_set: 'low',
+    // Infrastructure changes - medium/high effort
+    logging_configured: 'medium',
+    incident_alerts: 'medium',
+    redaction_rules_configured: 'medium',
+};
+/**
+ * Get effort estimate for a check.
+ */
+function getEffortEstimate(checkName) {
+    for (const [pattern, effort] of Object.entries(EFFORT_ESTIMATES)) {
+        if (checkName.includes(pattern)) {
+            return effort;
+        }
+    }
+    return 'medium';
+}
+/**
+ * Determine priority based on category and framework context.
+ */
+function determinePriority(category, frameworks, checkName) {
+    const basePriority = CATEGORY_PRIORITY[category] || 50;
+    // Boost priority for certain patterns
+    let priorityScore = basePriority;
+    // Security and integrity issues are always high priority
+    if (category === 'security' || category === 'integrity') {
+        priorityScore += 20;
+    }
+    // Framework-specific boosts
+    if (frameworks.includes('SOC2') && (category === 'auditability' || category === 'integrity')) {
+        priorityScore += 15;
+    }
+    if (frameworks.includes('GDPR') && category === 'privacy') {
+        priorityScore += 20;
+    }
+    if (frameworks.includes('ISO27001') && category === 'security') {
+        priorityScore += 15;
+    }
+    if (frameworks.includes('ISO42001') && category === 'governance') {
+        priorityScore += 15;
+    }
+    // Chain integrity failures are critical
+    if (checkName.includes('chain') && checkName.includes('valid')) {
+        return 'critical';
+    }
+    // Signing for security frameworks
+    if (checkName.includes('signing') && frameworks.includes('ISO27001')) {
+        priorityScore += 10;
+    }
+    if (priorityScore >= 100)
+        return 'critical';
+    if (priorityScore >= 80)
+        return 'high';
+    if (priorityScore >= 50)
+        return 'medium';
+    return 'low';
+}
+/**
+ * Extract framework prefix from check name.
+ */
+function extractFrameworkFromCheck(checkName) {
+    const frameworks = [];
+    if (checkName.startsWith('soc2_'))
+        frameworks.push('SOC2');
+    if (checkName.startsWith('gdpr_'))
+        frameworks.push('GDPR');
+    if (checkName.startsWith('iso27001_'))
+        frameworks.push('ISO27001');
+    if (checkName.startsWith('iso42001_'))
+        frameworks.push('ISO42001');
+    return frameworks;
+}
+/**
+ * Generate a remediation plan from compliance check results.
+ *
+ * This function analyzes failed compliance checks and generates an
+ * actionable remediation plan with prioritized fixes.
+ *
+ * @param result - Compliance check result from runComplianceCheck().
+ * @returns RemediationPlan with prioritized fixes.
+ *
+ * @example
+ * ```typescript
+ * const checkResult = await runComplianceCheck({
+ *   configPath: './monora.yml',
+ *   frameworks: ['SOC2', 'GDPR'],
+ * });
+ *
+ * const plan = generateRemediationPlan(checkResult);
+ *
+ * console.log(`Total issues: ${plan.summary.totalIssues}`);
+ * console.log(`Critical: ${plan.summary.criticalCount}`);
+ *
+ * for (const issue of plan.orderedFixes) {
+ *   console.log(`[${issue.priority}] ${issue.title}: ${issue.fix}`);
+ * }
+ * ```
+ */
+function generateRemediationPlan(result) {
+    const items = [];
+    const frameworks = result.frameworksAssessed || [];
+    // Process failed checks
+    for (const check of result.checks) {
+        if (check.passed)
+            continue;
+        const checkFrameworks = extractFrameworkFromCheck(check.name);
+        const affectedFrameworks = checkFrameworks.length > 0 ? checkFrameworks : frameworks;
+        // Find matching recommendation
+        const recommendation = result.recommendations.find((rec) => rec.toLowerCase().includes(check.name.replace(/_/g, ' ').toLowerCase()) ||
+            rec.toLowerCase().includes(check.description.toLowerCase().slice(0, 30)));
+        const item = {
+            id: check.name,
+            title: check.description,
+            description: `Compliance check "${check.name}" failed for category: ${check.category}`,
+            category: check.category,
+            priority: determinePriority(check.category, affectedFrameworks, check.name),
+            effort: getEffortEstimate(check.name),
+            fix: recommendation || `Enable or configure ${check.name.replace(/_/g, ' ')} in your monora.yml`,
+            frameworks: affectedFrameworks,
+        };
+        items.push(item);
+    }
+    // Add items from errors (critical issues)
+    for (const error of result.errors) {
+        const item = {
+            id: `error_${items.length}`,
+            title: 'Critical Error',
+            description: error,
+            category: 'integrity',
+            priority: 'critical',
+            effort: 'high',
+            fix: error.includes('chain')
+                ? 'Investigate hash chain integrity. Events may have been tampered with or corrupted.'
+                : 'Address the error before proceeding with compliance certification.',
+            frameworks,
+        };
+        items.push(item);
+    }
+    // Group by priority
+    const issuesByPriority = {
+        critical: items.filter((i) => i.priority === 'critical'),
+        high: items.filter((i) => i.priority === 'high'),
+        medium: items.filter((i) => i.priority === 'medium'),
+        low: items.filter((i) => i.priority === 'low'),
+    };
+    // Group by category
+    const issuesByCategory = {};
+    for (const item of items) {
+        if (!issuesByCategory[item.category]) {
+            issuesByCategory[item.category] = [];
+        }
+        issuesByCategory[item.category].push(item);
+    }
+    // Order fixes: critical first, then by category priority, then by effort (easiest first within priority)
+    const effortOrder = {
+        minimal: 0,
+        low: 1,
+        medium: 2,
+        high: 3,
+    };
+    const orderedFixes = [...items].sort((a, b) => {
+        // First by priority
+        const priorityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+        const priorityDiff = priorityOrder[a.priority] - priorityOrder[b.priority];
+        if (priorityDiff !== 0)
+            return priorityDiff;
+        // Then by category importance
+        const categoryDiff = (CATEGORY_PRIORITY[b.category] || 50) - (CATEGORY_PRIORITY[a.category] || 50);
+        if (categoryDiff !== 0)
+            return categoryDiff;
+        // Finally by effort (easier first)
+        return effortOrder[a.effort] - effortOrder[b.effort];
+    });
+    // Calculate estimated total effort
+    const effortCounts = { minimal: 0, low: 0, medium: 0, high: 0 };
+    for (const item of items) {
+        effortCounts[item.effort]++;
+    }
+    let estimatedEffort = 'None';
+    if (items.length > 0) {
+        if (effortCounts.high > 2 || items.length > 10) {
+            estimatedEffort = 'Significant (multiple sessions)';
+        }
+        else if (effortCounts.high > 0 || effortCounts.medium > 3) {
+            estimatedEffort = 'Moderate (few hours)';
+        }
+        else if (effortCounts.medium > 0 || effortCounts.low > 3) {
+            estimatedEffort = 'Low (under an hour)';
+        }
+        else {
+            estimatedEffort = 'Minimal (quick config changes)';
+        }
+    }
+    return {
+        summary: {
+            totalIssues: items.length,
+            criticalCount: issuesByPriority.critical.length,
+            highCount: issuesByPriority.high.length,
+            mediumCount: issuesByPriority.medium.length,
+            lowCount: issuesByPriority.low.length,
+            estimatedEffort,
+        },
+        issuesByPriority,
+        issuesByCategory,
+        orderedFixes,
+        generatedAt: new Date().toISOString(),
+    };
+}
+async function generateAssessmentReport(options = {}) {
+    // Run compliance check
+    const checkResult = await runComplianceCheck({
+        eventsPath: options.eventsPath,
+        configPath: options.configPath,
+        frameworks: options.frameworks,
+    });
+    // Get usage profile
+    let config;
+    if (options.configPath) {
+        try {
+            config = (0, config_1.loadConfig)({ configPath: options.configPath });
+        }
+        catch {
+            // Ignore config load errors
+        }
+    }
+    const profile = reportUsageProfile({ config });
+    // Build report
+    const report = {
+        reportType: 'monora_assessment',
+        reportVersion: '1.0.0',
+        sdkVersion: SDK_VERSION,
+        generatedAt: new Date().toISOString(),
+        complianceCheck: checkResult,
+        usageProfile: profile,
+        summary: {
+            passed: checkResult.passed,
+            score: checkResult.score,
+            grade: checkResult.grade,
+            frameworksAssessed: checkResult.frameworksAssessed,
+            totalChecks: checkResult.checks.length,
+            passedChecks: checkResult.checks.filter((c) => c.passed).length,
+            warningsCount: checkResult.warnings.length,
+            errorsCount: checkResult.errors.length,
+        },
+    };
+    // Write to file if requested
+    if (options.outputPath) {
+        fs.writeFileSync(options.outputPath, JSON.stringify(report, null, 2));
+    }
+    return report;
+}