monora-ai 2.1.0 → 2.1.3

package/dist/iso42001_workflows.js

@@ -0,0 +1,781 @@
+"use strict";
+/**
+ * ISO 42001 Annex A workflow architecture for governance artifacts.
+ *
+ * Captures non-runtime governance records and auto-links them to controls
+ * via attachControlEvidence.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clearIso42001WorkflowData = clearIso42001WorkflowData;
+exports.recordPolicyAlignment = recordPolicyAlignment;
+exports.recordResourceInventory = recordResourceInventory;
+exports.recordResourceCompetency = recordResourceCompetency;
+exports.recordImpactAssessment = recordImpactAssessment;
+exports.recordResponsibleDevelopmentObjectives = recordResponsibleDevelopmentObjectives;
+exports.recordResponsibleDevelopmentProcess = recordResponsibleDevelopmentProcess;
+exports.recordRequirementsSpecification = recordRequirementsSpecification;
+exports.recordVerificationValidationPlan = recordVerificationValidationPlan;
+exports.recordDeploymentPlan = recordDeploymentPlan;
+exports.recordOperationsMonitoringPlan = recordOperationsMonitoringPlan;
+exports.recordStakeholderTechnicalDocumentation = recordStakeholderTechnicalDocumentation;
+exports.recordLifecycleEventLoggingPolicy = recordLifecycleEventLoggingPolicy;
+exports.recordDataAcquisition = recordDataAcquisition;
+exports.recordDataQualityCriteria = recordDataQualityCriteria;
+exports.recordDataProvenanceProcess = recordDataProvenanceProcess;
+exports.recordDataPreparationCriteria = recordDataPreparationCriteria;
+exports.recordTransparencyDisclosure = recordTransparencyDisclosure;
+exports.recordAdverseImpactReporting = recordAdverseImpactReporting;
+exports.recordIncidentCommunicationPlan = recordIncidentCommunicationPlan;
+exports.recordReportingObligations = recordReportingObligations;
+exports.recordResponsibleUseProcess = recordResponsibleUseProcess;
+exports.recordResponsibleUseObjectives = recordResponsibleUseObjectives;
+exports.recordIntendedUseStatement = recordIntendedUseStatement;
+exports.recordThirdPartyResponsibilityMatrix = recordThirdPartyResponsibilityMatrix;
+exports.recordSupplierAssurance = recordSupplierAssurance;
+exports.recordCustomerExpectationAlignment = recordCustomerExpectationAlignment;
+exports.recordInternalAuditReport = recordInternalAuditReport;
+exports.recordManagementReviewMinutes = recordManagementReviewMinutes;
+exports.recordCorrectiveActionLog = recordCorrectiveActionLog;
+exports.getIso42001WorkflowRecord = getIso42001WorkflowRecord;
+exports.listIso42001WorkflowRecords = listIso42001WorkflowRecords;
+exports.getIso42001WorkflowSummary = getIso42001WorkflowSummary;
+exports.exportIso42001WorkflowState = exportIso42001WorkflowState;
+exports.loadIso42001WorkflowState = loadIso42001WorkflowState;
+const crypto = __importStar(require("crypto"));
+const fs = __importStar(require("fs"));
+const control_backbone_1 = require("./control_backbone");
+const records = new Map();
+function utcNow() {
+    return new Date().toISOString();
+}
+function clone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+function normalizeList(value) {
+    if (value === null || value === undefined) {
+        return [];
+    }
+    if (Array.isArray(value)) {
+        return value
+            .map((item) => String(item).trim())
+            .filter(Boolean);
+    }
+    return String(value)
+        .replace(/;/g, ',')
+        .split(',')
+        .map((item) => item.trim())
+        .filter(Boolean);
+}
+function buildId(prefix, ...parts) {
+    const seed = `${prefix}:${parts.join(':')}:${utcNow()}`;
+    const digest = crypto.createHash('sha256').update(seed).digest('hex').slice(0, 12);
+    return `${prefix}_${digest}`;
+}
+function primaryEvidenceType(evidenceTypes) {
+    for (const item of evidenceTypes) {
+        if (item !== 'documented_information') {
+            return item;
+        }
+    }
+    return evidenceTypes[0] || 'documented_information';
+}
+function emitIsoEvidence(record) {
+    const evidenceTypes = Array.from(new Set(normalizeList(record.evidence_types).concat(['documented_information']))).sort();
+    const primaryType = primaryEvidenceType(evidenceTypes);
+    const evidence = {
+        evidence_id: buildId('evd', record.workflow_type, record.title),
+        title: record.title,
+        source: 'iso42001_workflows',
+        category: record.workflow_type,
+        collected_at: utcNow(),
+        collection_method: 'workflow',
+        system: 'iso42001_workflows',
+        system_id: record.record_id,
+        control_ids: record.control_ids,
+        status: record.status === 'approved' ? 'approved' : 'collected',
+        metadata: {
+            record_id: record.record_id,
+            workflow_type: record.workflow_type,
+            owner: record.owner,
+            status: record.status,
+            version: record.version,
+            evidence_type: primaryType,
+            evidence_types: evidenceTypes,
+            metadata: record.metadata,
+        },
+        tags: Array.from(new Set(record.tags.concat(['iso42001', record.workflow_type]))).sort(),
+    };
+    let updated = clone(evidence);
+    for (const controlId of Array.from(new Set(normalizeList(record.control_ids))).sort()) {
+        updated = (0, control_backbone_1.attachControlEvidence)({
+            controlId,
+            evidence: updated,
+            evidenceType: primaryType,
+            note: 'iso42001_workflow_auto_attach',
+        });
+    }
+    return updated;
+}
+function upsertRecord(options) {
+    const rid = options.recordId || buildId(options.workflowType, options.title, options.owner);
+    const existing = records.get(rid);
+    const now = utcNow();
+    const cadence = options.reviewFrequencyDays ? Math.max(1, options.reviewFrequencyDays) : undefined;
+    const nextDue = cadence ? new Date(Date.now() + cadence * 86400 * 1000).toISOString() : undefined;
+    const record = {
+        record_id: rid,
+        workflow_type: options.workflowType,
+        title: options.title,
+        owner: options.owner,
+        status: options.status || 'approved',
+        version: (existing?.version || 0) + 1,
+        control_ids: Array.from(new Set(normalizeList(options.controlIds))).sort(),
+        evidence_types: Array.from(new Set(normalizeList(options.evidenceTypes))).sort(),
+        created_at: existing?.created_at || now,
+        updated_at: now,
+        review_frequency_days: cadence,
+        next_review_due_at: nextDue,
+        metadata: options.metadata ? clone(options.metadata) : {},
+        tags: Array.from(new Set(normalizeList(options.tags))).sort(),
+    };
+    records.set(record.record_id, clone(record));
+    emitIsoEvidence(record);
+    return clone(record);
+}
+function clearIso42001WorkflowData() {
+    records.clear();
+}
+// A.2
+function recordPolicyAlignment(options) {
+    return upsertRecord({
+        workflowType: 'policy_alignment',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.2.3', 'Clause5'],
+        evidenceTypes: ['documented_information', 'policy_document', 'leadership_commitment_records'],
+        metadata: {
+            ...(options.metadata || {}),
+            aligned_policies: Array.from(new Set(normalizeList(options.alignedPolicies))).sort(),
+            rationale: options.rationale,
+        },
+        tags: ['policy', 'alignment'],
+        reviewFrequencyDays: options.reviewFrequencyDays || 365,
+    });
+}
+// A.4
+function recordResourceInventory(options) {
+    return upsertRecord({
+        workflowType: 'resource_inventory',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.4.2', 'A.4.3', 'A.4.4', 'A.4.5'],
+        evidenceTypes: [
+            'documented_information',
+            'resource_inventory',
+            'data_governance_records',
+            'identity_and_mfa_report',
+            'repository_configuration_export',
+            'workflow_configuration_export',
+            'iam_policy_snapshot',
+        ],
+        metadata: {
+            ...(options.metadata || {}),
+            data_resources: Array.from(new Set(normalizeList(options.dataResources))).sort(),
+            tooling_resources: Array.from(new Set(normalizeList(options.toolingResources))).sort(),
+            compute_resources: Array.from(new Set(normalizeList(options.computeResources))).sort(),
+            human_resources: Array.from(new Set(normalizeList(options.humanResources))).sort(),
+        },
+        tags: ['resources', 'inventory'],
+        reviewFrequencyDays: options.reviewFrequencyDays || 90,
+    });
+}
+function recordResourceCompetency(options) {
+    return upsertRecord({
+        workflowType: 'resource_competency',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.4.6', 'Clause7'],
+        evidenceTypes: ['documented_information', 'identity_and_mfa_report', 'training_and_competency_records'],
+        metadata: {
+            ...(options.metadata || {}),
+            roles: Array.from(new Set(normalizeList(options.roles))).sort(),
+            required_competencies: Array.from(new Set(normalizeList(options.requiredCompetencies))).sort(),
+            training_plan: Array.from(new Set(normalizeList(options.trainingPlan))).sort(),
+        },
+        tags: ['resources', 'competency'],
+        reviewFrequencyDays: options.reviewFrequencyDays || 180,
+    });
+}
+// A.5
+function recordImpactAssessment(options) {
+    return upsertRecord({
+        workflowType: 'impact_assessment',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.5.2', 'A.5.3', 'A.5.4', 'A.5.5', 'Clause6'],
+        evidenceTypes: ['documented_information', 'impact_assessment_report', 'risk_signal_report'],
+        metadata: {
+            ...(options.metadata || {}),
+            system_id: options.systemId,
+            methodology: options.methodology,
+            individual_impacts: Array.from(new Set(normalizeList(options.individualImpacts))).sort(),
+            societal_impacts: Array.from(new Set(normalizeList(options.societalImpacts))).sort(),
+            mitigations: Array.from(new Set(normalizeList(options.mitigations))).sort(),
+            approved_by: options.approvedBy,
+            assessed_at: utcNow(),
+        },
+        tags: ['impact', 'risk'],
+        reviewFrequencyDays: options.reviewFrequencyDays || 90,
+    });
+}
+// A.6
+function recordResponsibleDevelopmentObjectives(options) {
+    return upsertRecord({
+        workflowType: 'responsible_development_objectives',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.6.1.2'],
+        evidenceTypes: ['documented_information', 'objectives_register'],
+        metadata: {
+            ...(options.metadata || {}),
+            objectives: Array.from(new Set(normalizeList(options.objectives))).sort(),
+            linked_risks: Array.from(new Set(normalizeList(options.linkedRisks))).sort(),
+        },
+        tags: ['lifecycle', 'objectives'],
+    });
+}
+function recordResponsibleDevelopmentProcess(options) {
+    return upsertRecord({
+        workflowType: 'responsible_development_process',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.6.1.3'],
+        evidenceTypes: ['documented_information', 'sdlc_control_evidence'],
+        metadata: {
+            ...(options.metadata || {}),
+            process_steps: Array.from(new Set(normalizeList(options.processSteps))).sort(),
+            gate_criteria: Array.from(new Set(normalizeList(options.gateCriteria))).sort(),
+        },
+        tags: ['lifecycle', 'sdlc'],
+    });
+}
+function recordRequirementsSpecification(options) {
+    return upsertRecord({
+        workflowType: 'requirements_specification',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.6.2.2'],
+        evidenceTypes: ['documented_information', 'requirements_specification', 'stakeholder_documentation'],
+        metadata: {
+            ...(options.metadata || {}),
+            system_id: options.systemId,
+            requirements: Array.from(new Set(normalizeList(options.requirements))).sort(),
+            stakeholder_groups: Array.from(new Set(normalizeList(options.stakeholderGroups))).sort(),
+        },
+        tags: ['lifecycle', 'requirements'],
+    });
+}
+function recordVerificationValidationPlan(options) {
+    return upsertRecord({
+        workflowType: 'verification_validation',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.6.2.4'],
+        evidenceTypes: ['documented_information', 'policy_configuration', 'verification_validation_evidence'],
+        metadata: {
+            ...(options.metadata || {}),
+            criteria: Array.from(new Set(normalizeList(options.criteria))).sort(),
+            test_evidence_refs: Array.from(new Set(normalizeList(options.testEvidenceRefs))).sort(),
+            pass_fail_threshold: options.passFailThreshold,
+        },
+        tags: ['lifecycle', 'verification', 'validation'],
+    });
+}
+function recordDeploymentPlan(options) {
+    return upsertRecord({
+        workflowType: 'deployment_plan',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.6.2.5'],
+        evidenceTypes: ['documented_information', 'deployment_approval_records'],
+        metadata: {
+            ...(options.metadata || {}),
+            release_scope: options.releaseScope,
+            rollback_plan: options.rollbackPlan,
+            approvers: Array.from(new Set(normalizeList(options.approvers))).sort(),
+        },
+        tags: ['lifecycle', 'deployment'],
+    });
+}
+function recordOperationsMonitoringPlan(options) {
+    return upsertRecord({
+        workflowType: 'operations_monitoring',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.6.2.6', 'Clause8'],
+        evidenceTypes: [
+            'documented_information',
+            'event_logs',
+            'telemetry_metrics',
+            'operational_runbook',
+            'runtime_observability_report',
+            'standard_operating_procedure',
+        ],
+        metadata: {
+            ...(options.metadata || {}),
+            monitoring_signals: Array.from(new Set(normalizeList(options.monitoringSignals))).sort(),
+            maintenance_tasks: Array.from(new Set(normalizeList(options.maintenanceTasks))).sort(),
+            incident_response_refs: Array.from(new Set(normalizeList(options.incidentResponseRefs))).sort(),
+        },
+        tags: ['lifecycle', 'operations', 'monitoring'],
+        reviewFrequencyDays: options.reviewFrequencyDays || 30,
+    });
+}
+function recordStakeholderTechnicalDocumentation(options) {
+    return upsertRecord({
+        workflowType: 'stakeholder_documentation',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.6.2.7'],
+        evidenceTypes: ['documented_information', 'stakeholder_documentation'],
+        metadata: {
+            ...(options.metadata || {}),
+            audience: Array.from(new Set(normalizeList(options.audience))).sort(),
+            document_refs: Array.from(new Set(normalizeList(options.documentRefs))).sort(),
+        },
+        tags: ['lifecycle', 'documentation'],
+    });
+}
+function recordLifecycleEventLoggingPolicy(options) {
+    return upsertRecord({
+        workflowType: 'lifecycle_event_logging',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.6.2.8', 'Clause8'],
+        evidenceTypes: [
+            'documented_information',
+            'event_logs',
+            'hash_chain_proof',
+            'continuous_evidence',
+            'runtime_observability_report',
+            'operational_runbook',
+            'standard_operating_procedure',
+        ],
+        metadata: {
+            ...(options.metadata || {}),
+            log_scope: Array.from(new Set(normalizeList(options.logScope))).sort(),
+            retention_days: options.retentionDays,
+            integrity_controls: Array.from(new Set(normalizeList(options.integrityControls))).sort(),
+        },
+        tags: ['lifecycle', 'event_logging'],
+    });
+}
+// A.7
+function recordDataAcquisition(options) {
+    return upsertRecord({
+        workflowType: 'data_acquisition',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.7.2', 'A.7.3', 'A.4.2', 'A.4.3'],
+        evidenceTypes: [
+            'documented_information',
+            'data_governance_records',
+            'data_source_and_consent_log',
+            'resource_inventory',
+        ],
+        metadata: {
+            ...(options.metadata || {}),
+            data_sources: Array.from(new Set(normalizeList(options.dataSources))).sort(),
+            consent_basis: Array.from(new Set(normalizeList(options.consentBasis))).sort(),
+            owners: Array.from(new Set(normalizeList(options.owners))).sort(),
+        },
+        tags: ['data', 'acquisition'],
+    });
+}
+function recordDataQualityCriteria(options) {
+    return upsertRecord({
+        workflowType: 'data_quality',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.7.4'],
+        evidenceTypes: ['documented_information', 'data_governance_records', 'data_quality_report'],
+        metadata: {
+            ...(options.metadata || {}),
+            quality_dimensions: Array.from(new Set(normalizeList(options.qualityDimensions))).sort(),
+            thresholds: options.thresholds,
+            validation_schedule: options.validationSchedule,
+        },
+        tags: ['data', 'quality'],
+    });
+}
+function recordDataProvenanceProcess(options) {
+    return upsertRecord({
+        workflowType: 'data_provenance',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.7.5'],
+        evidenceTypes: ['documented_information', 'data_lineage_records'],
+        metadata: {
+            ...(options.metadata || {}),
+            lineage_method: options.lineageMethod,
+            systems: Array.from(new Set(normalizeList(options.systems))).sort(),
+        },
+        tags: ['data', 'provenance', 'lineage'],
+    });
+}
+function recordDataPreparationCriteria(options) {
+    return upsertRecord({
+        workflowType: 'data_preparation',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.7.6'],
+        evidenceTypes: [
+            'documented_information',
+            'operational_runbook',
+            'data_governance_records',
+            'standard_operating_procedure',
+        ],
+        metadata: {
+            ...(options.metadata || {}),
+            preparation_steps: Array.from(new Set(normalizeList(options.preparationSteps))).sort(),
+            acceptance_criteria: Array.from(new Set(normalizeList(options.acceptanceCriteria))).sort(),
+        },
+        tags: ['data', 'preparation'],
+    });
+}
+// A.8
+function recordTransparencyDisclosure(options) {
+    return upsertRecord({
+        workflowType: 'transparency_disclosure',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.8.2'],
+        evidenceTypes: ['documented_information', 'user_disclosure_artifacts'],
+        metadata: {
+            ...(options.metadata || {}),
+            channels: Array.from(new Set(normalizeList(options.channels))).sort(),
+            disclosure_scope: options.disclosureScope,
+        },
+        tags: ['transparency', 'disclosure'],
+    });
+}
+function recordAdverseImpactReporting(options) {
+    return upsertRecord({
+        workflowType: 'adverse_impact_reporting',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.8.3'],
+        evidenceTypes: ['documented_information', 'concern_reporting_records'],
+        metadata: {
+            ...(options.metadata || {}),
+            channels: Array.from(new Set(normalizeList(options.channels))).sort(),
+            triage_sla: options.triageSla,
+        },
+        tags: ['transparency', 'adverse_impact'],
+    });
+}
+function recordIncidentCommunicationPlan(options) {
+    return upsertRecord({
+        workflowType: 'incident_communication',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.8.4'],
+        evidenceTypes: ['documented_information', 'incident_communication_plan'],
+        metadata: {
+            ...(options.metadata || {}),
+            communication_matrix: Array.from(new Set(normalizeList(options.communicationMatrix))).sort(),
+            escalation_contacts: Array.from(new Set(normalizeList(options.escalationContacts))).sort(),
+        },
+        tags: ['transparency', 'incident'],
+    });
+}
+function recordReportingObligations(options) {
+    return upsertRecord({
+        workflowType: 'reporting_obligations',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.8.5'],
+        evidenceTypes: ['documented_information', 'regulatory_reporting_matrix'],
+        metadata: {
+            ...(options.metadata || {}),
+            obligations: Array.from(new Set(normalizeList(options.obligations))).sort(),
+            recipients: Array.from(new Set(normalizeList(options.recipients))).sort(),
+        },
+        tags: ['transparency', 'reporting'],
+    });
+}
+// A.9
+function recordResponsibleUseProcess(options) {
+    return upsertRecord({
+        workflowType: 'responsible_use_process',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.9.2'],
+        evidenceTypes: ['documented_information', 'operational_runbook', 'standard_operating_procedure'],
+        metadata: {
+            ...(options.metadata || {}),
+            process_steps: Array.from(new Set(normalizeList(options.processSteps))).sort(),
+            enforcement_controls: Array.from(new Set(normalizeList(options.enforcementControls))).sort(),
+        },
+        tags: ['responsible_use', 'process'],
+    });
+}
+function recordResponsibleUseObjectives(options) {
+    return upsertRecord({
+        workflowType: 'responsible_use_objectives',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.9.3'],
+        evidenceTypes: ['documented_information', 'objectives_register'],
+        metadata: {
+            ...(options.metadata || {}),
+            objectives: Array.from(new Set(normalizeList(options.objectives))).sort(),
+            metrics: Array.from(new Set(normalizeList(options.metrics))).sort(),
+        },
+        tags: ['responsible_use', 'objectives'],
+    });
+}
+function recordIntendedUseStatement(options) {
+    return upsertRecord({
+        workflowType: 'intended_use_statement',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.9.4'],
+        evidenceTypes: ['documented_information', 'policy_configuration', 'intended_use_statement'],
+        metadata: {
+            ...(options.metadata || {}),
+            intended_uses: Array.from(new Set(normalizeList(options.intendedUses))).sort(),
+            prohibited_uses: Array.from(new Set(normalizeList(options.prohibitedUses))).sort(),
+            enforcement_hooks: Array.from(new Set(normalizeList(options.enforcementHooks))).sort(),
+        },
+        tags: ['responsible_use', 'intended_use'],
+    });
+}
+// A.10
+function recordThirdPartyResponsibilityMatrix(options) {
+    return upsertRecord({
+        workflowType: 'third_party_responsibility',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.10.1'],
+        evidenceTypes: ['documented_information'],
+        metadata: {
+            ...(options.metadata || {}),
+            responsibility_allocations: Array.from(new Set(normalizeList(options.responsibilityAllocations))).sort(),
+        },
+        tags: ['third_party', 'responsibility'],
+    });
+}
+function recordSupplierAssurance(options) {
+    return upsertRecord({
+        workflowType: 'supplier_assurance',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.10.2'],
+        evidenceTypes: ['documented_information', 'vendor_assessment_records', 'supplier_due_diligence_records'],
+        metadata: {
+            ...(options.metadata || {}),
+            supplier: options.supplier,
+            assurance_checks: Array.from(new Set(normalizeList(options.assuranceChecks))).sort(),
+            review_outcome: options.reviewOutcome,
+        },
+        tags: ['third_party', 'supplier'],
+    });
+}
+function recordCustomerExpectationAlignment(options) {
+    return upsertRecord({
+        workflowType: 'customer_alignment',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['A.10.3'],
+        evidenceTypes: ['documented_information', 'customer_requirement_mapping'],
+        metadata: {
+            ...(options.metadata || {}),
+            customer_segments: Array.from(new Set(normalizeList(options.customerSegments))).sort(),
+            requirement_mappings: Array.from(new Set(normalizeList(options.requirementMappings))).sort(),
+        },
+        tags: ['customer', 'alignment'],
+    });
+}
+// Clause 9 and Clause 10
+function recordInternalAuditReport(options) {
+    return upsertRecord({
+        workflowType: 'internal_audit',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['Clause9'],
+        evidenceTypes: [
+            'documented_information',
+            'internal_audit_report',
+            'review_minutes',
+            'telemetry_metrics',
+        ],
+        metadata: {
+            ...(options.metadata || {}),
+            audit_scope: options.auditScope,
+            findings: Array.from(new Set(normalizeList(options.findings))).sort(),
+            nonconformities: Array.from(new Set(normalizeList(options.nonconformities))).sort(),
+            recommendations: Array.from(new Set(normalizeList(options.recommendations))).sort(),
+        },
+        tags: ['clause9', 'internal_audit'],
+    });
+}
+function recordManagementReviewMinutes(options) {
+    return upsertRecord({
+        workflowType: 'management_review',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['Clause9'],
+        evidenceTypes: [
+            'documented_information',
+            'management_review_minutes',
+            'review_minutes',
+            'telemetry_metrics',
+            'internal_audit_report',
+        ],
+        metadata: {
+            ...(options.metadata || {}),
+            attendees: Array.from(new Set(normalizeList(options.attendees))).sort(),
+            review_topics: Array.from(new Set(normalizeList(options.reviewTopics))).sort(),
+            decisions: Array.from(new Set(normalizeList(options.decisions))).sort(),
+            action_items: Array.from(new Set(normalizeList(options.actionItems))).sort(),
+        },
+        tags: ['clause9', 'management_review'],
+    });
+}
+function recordCorrectiveActionLog(options) {
+    return upsertRecord({
+        workflowType: 'corrective_action',
+        title: options.title,
+        owner: options.owner,
+        controlIds: ['Clause10'],
+        evidenceTypes: ['documented_information', 'corrective_action_log'],
+        metadata: {
+            ...(options.metadata || {}),
+            issue_reference: options.issueReference,
+            root_cause: options.rootCause,
+            corrective_actions: Array.from(new Set(normalizeList(options.correctiveActions))).sort(),
+            preventive_actions: Array.from(new Set(normalizeList(options.preventiveActions))).sort(),
+            status: options.status || 'open',
+        },
+        tags: ['clause10', 'corrective_action', 'capa'],
+    });
+}
+function getIso42001WorkflowRecord(recordId) {
+    const record = records.get(recordId);
+    return record ? clone(record) : null;
+}
+function listIso42001WorkflowRecords(options) {
+    let rows = Array.from(records.values());
+    if (options?.workflowType) {
+        rows = rows.filter((row) => row.workflow_type === options.workflowType);
+    }
+    rows = rows.slice().sort((a, b) => {
+        if (a.workflow_type !== b.workflow_type) {
+            return a.workflow_type.localeCompare(b.workflow_type);
+        }
+        if (a.title !== b.title) {
+            return a.title.localeCompare(b.title);
+        }
+        return a.record_id.localeCompare(b.record_id);
+    });
+    return rows.map((row) => clone(row));
+}
+function getIso42001WorkflowSummary() {
+    const rows = listIso42001WorkflowRecords();
+    const workflowTypeCounts = {};
+    const controls = new Set();
+    for (const row of rows) {
+        workflowTypeCounts[row.workflow_type] = (workflowTypeCounts[row.workflow_type] || 0) + 1;
+        for (const control of row.control_ids) {
+            controls.add(control);
+        }
+    }
+    return {
+        records_total: rows.length,
+        workflow_type_counts: workflowTypeCounts,
+        controls_tracked: Array.from(controls).sort(),
+    };
+}
+function exportIso42001WorkflowState(path) {
+    const payload = {
+        state_type: 'iso42001_workflow_state',
+        generated_at: utcNow(),
+        records: listIso42001WorkflowRecords(),
+    };
+    fs.writeFileSync(path, JSON.stringify(payload, null, 2), 'utf-8');
+    return payload;
+}
+function loadIso42001WorkflowState(path, options) {
+    const payload = JSON.parse(fs.readFileSync(path, 'utf-8'));
+    const rows = Array.isArray(payload.records) ? payload.records : [];
+    const parsed = new Map();
+    for (const row of rows) {
+        if (!row || typeof row !== 'object') {
+            continue;
+        }
+        const rid = String(row.record_id || '').trim() || buildId('iso', 'record');
+        parsed.set(rid, {
+            record_id: rid,
+            workflow_type: String(row.workflow_type || 'workflow'),
+            title: String(row.title || rid),
+            owner: String(row.owner || 'Unassigned'),
+            status: String(row.status || 'approved'),
+            version: Math.max(1, Number(row.version || 1)),
+            control_ids: Array.from(new Set(normalizeList(row.control_ids))).sort(),
+            evidence_types: Array.from(new Set(normalizeList(row.evidence_types))).sort(),
+            created_at: String(row.created_at || utcNow()),
+            updated_at: String(row.updated_at || utcNow()),
+            review_frequency_days: row.review_frequency_days === null || row.review_frequency_days === undefined
+                ? undefined
+                : Math.max(1, Number(row.review_frequency_days || 1)),
+            next_review_due_at: row.next_review_due_at ? String(row.next_review_due_at) : undefined,
+            metadata: row.metadata && typeof row.metadata === 'object' ? clone(row.metadata) : {},
+            tags: Array.from(new Set(normalizeList(row.tags))).sort(),
+        });
+    }
+    if (options?.replaceRuntime !== false) {
+        records.clear();
+    }
+    for (const [rid, row] of parsed.entries()) {
+        records.set(rid, clone(row));
+    }
+    return {
+        state_type: typeof payload.state_type === 'string' ? payload.state_type : 'iso42001_workflow_state',
+        records_loaded: parsed.size,
+        replace_runtime: options?.replaceRuntime !== false,
+    };
+}