monora-ai 2.1.0 → 2.1.4

package/dist/control_backbone.js

@@ -0,0 +1,826 @@
+"use strict";
+/**
+ * Control/evidence workflow backbone for framework coverage reporting.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clearControlRuntime = clearControlRuntime;
+exports.setControlCatalog = setControlCatalog;
+exports.loadControlCatalog = loadControlCatalog;
+exports.getControlCatalog = getControlCatalog;
+exports.loadDefaultIso42001Catalog = loadDefaultIso42001Catalog;
+exports.loadDefaultSoc2Catalog = loadDefaultSoc2Catalog;
+exports.loadDefaultGdprCatalog = loadDefaultGdprCatalog;
+exports.loadDefaultControlCatalog = loadDefaultControlCatalog;
+exports.resolveControlIdsForEvidenceTypes = resolveControlIdsForEvidenceTypes;
+exports.createWorkflowTask = createWorkflowTask;
+exports.getWorkflowTask = getWorkflowTask;
+exports.listWorkflowTasks = listWorkflowTasks;
+exports.transitionWorkflowTask = transitionWorkflowTask;
+exports.submitWorkflowTask = submitWorkflowTask;
+exports.approveControlEvidence = approveControlEvidence;
+exports.expireWorkflowTask = expireWorkflowTask;
+exports.attachControlEvidence = attachControlEvidence;
+exports.importEvidenceManifest = importEvidenceManifest;
+exports.bootstrapWorkflowsFromCatalog = bootstrapWorkflowsFromCatalog;
+exports.prioritizeMissingWorkflowModules = prioritizeMissingWorkflowModules;
+exports.generateControlCoverageReport = generateControlCoverageReport;
+exports.buildWorkflowStatePayload = buildWorkflowStatePayload;
+exports.exportWorkflowState = exportWorkflowState;
+exports.loadWorkflowState = loadWorkflowState;
+const crypto = __importStar(require("crypto"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const evidence_store_1 = require("./evidence_store");
+const WORKFLOW_STATUSES = new Set(['draft', 'in_review', 'approved', 'expired']);
+const STATUS_TRANSITIONS = {
+    draft: ['in_review', 'approved'],
+    in_review: ['draft', 'approved'],
+    approved: ['in_review', 'expired'],
+    expired: ['in_review'],
+};
+const ISO42001_WORKFLOW_MODULES = [
+    {
+        module_id: 'aims_governance',
+        name: 'AIMS Governance',
+        priority: 'P1',
+        impact: 'high',
+        controls: ['A.2.2', 'A.2.3', 'A.2.4', 'A.3.2', 'A.3.3', 'Clause4', 'Clause5', 'Clause7'],
+    },
+    {
+        module_id: 'risk_impact_workflow',
+        name: 'Risk + Impact Workflow',
+        priority: 'P1',
+        impact: 'high',
+        controls: ['A.5.2', 'A.5.3', 'A.5.4', 'A.5.5', 'Clause6'],
+    },
+    {
+        module_id: 'ai_lifecycle_assurance',
+        name: 'AI Lifecycle Assurance',
+        priority: 'P1',
+        impact: 'high',
+        controls: ['A.6.1.2', 'A.6.1.3', 'A.6.2.2', 'A.6.2.4', 'A.6.2.5', 'A.6.2.6', 'A.6.2.7', 'A.6.2.8', 'Clause8'],
+    },
+    {
+        module_id: 'audit_review_capa',
+        name: 'Audit + Management Review + CAPA',
+        priority: 'P2',
+        impact: 'high',
+        controls: ['Clause9', 'Clause10'],
+    },
+    {
+        module_id: 'data_governance_workflow',
+        name: 'Data Governance Workflow',
+        priority: 'P2',
+        impact: 'medium',
+        controls: ['A.7.2', 'A.7.3', 'A.7.4', 'A.7.5', 'A.7.6'],
+    },
+    {
+        module_id: 'transparency_responsible_use',
+        name: 'Transparency + Responsible Use',
+        priority: 'P2',
+        impact: 'medium',
+        controls: ['A.8.2', 'A.8.3', 'A.8.4', 'A.8.5', 'A.9.2', 'A.9.3', 'A.9.4'],
+    },
+    {
+        module_id: 'third_party_customer_governance',
+        name: 'Third-Party + Customer Governance',
+        priority: 'P3',
+        impact: 'medium',
+        controls: ['A.10.1', 'A.10.2', 'A.10.3'],
+    },
+];
+const SOC2_WORKFLOW_MODULES = [
+    {
+        module_id: 'soc2_governance_communication',
+        name: 'Governance + Communication',
+        priority: 'P1',
+        impact: 'high',
+        controls: ['CC1', 'CC2'],
+    },
+    {
+        module_id: 'soc2_risk_monitoring',
+        name: 'Risk + Monitoring',
+        priority: 'P1',
+        impact: 'high',
+        controls: ['CC3', 'CC4', 'CC9'],
+    },
+    {
+        module_id: 'soc2_access_security',
+        name: 'Access + Security',
+        priority: 'P1',
+        impact: 'high',
+        controls: ['CC5', 'CC6'],
+    },
+    {
+        module_id: 'soc2_operations_availability',
+        name: 'Operations + Availability',
+        priority: 'P2',
+        impact: 'medium',
+        controls: ['CC7', 'CC8'],
+    },
+    {
+        module_id: 'soc2_privacy_integrity',
+        name: 'Privacy + Processing Integrity',
+        priority: 'P2',
+        impact: 'medium',
+        controls: ['P_SERIES', 'PI_SERIES'],
+    },
+];
+const GDPR_WORKFLOW_MODULES = [
+    {
+        module_id: 'gdpr_lawful_basis_consent',
+        name: 'Lawful Basis + Consent',
+        priority: 'P1',
+        impact: 'high',
+        controls: ['art5', 'art6', 'art7'],
+    },
+    {
+        module_id: 'gdpr_transparency_rights',
+        name: 'Transparency + Data Subject Rights',
+        priority: 'P1',
+        impact: 'high',
+        controls: ['art12', 'art13', 'art14', 'art15', 'art16', 'art17', 'art18', 'art20', 'art21', 'art22'],
+    },
+    {
+        module_id: 'gdpr_privacy_by_design_records',
+        name: 'Privacy by Design + Records',
+        priority: 'P2',
+        impact: 'medium',
+        controls: ['art25', 'art30'],
+    },
+    {
+        module_id: 'gdpr_security_breach_handling',
+        name: 'Security + Breach Handling',
+        priority: 'P2',
+        impact: 'high',
+        controls: ['art32', 'art33'],
+    },
+    {
+        module_id: 'gdpr_dpia_risk',
+        name: 'DPIA + Risk',
+        priority: 'P2',
+        impact: 'medium',
+        controls: ['art35'],
+    },
+];
+const WORKFLOW_MODULES_BY_STANDARD = {
+    ISO42001: ISO42001_WORKFLOW_MODULES,
+    SOC2: SOC2_WORKFLOW_MODULES,
+    GDPR: GDPR_WORKFLOW_MODULES,
+};
+const PRIORITY_ORDER = { P0: 0, P1: 1, P2: 2, P3: 3, P4: 4 };
+const IMPACT_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };
+let runtimeCatalog = null;
+let runtimeWorkflows = new Map();
+let runtimeEvidence = new Map();
+let defaultIso42001Catalog = null;
+let defaultSoc2Catalog = null;
+let defaultGdprCatalog = null;
+function utcNow() {
+    return new Date().toISOString();
+}
+function clone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+function normalizeList(value) {
+    if (value === null || value === undefined) {
+        return [];
+    }
+    if (Array.isArray(value)) {
+        return value
+            .map((item) => String(item).trim())
+            .filter(Boolean);
+    }
+    return String(value)
+        .replace(/;/g, ',')
+        .split(',')
+        .map((item) => item.trim())
+        .filter(Boolean);
+}
+function buildId(prefix, ...parts) {
+    const seed = `${prefix}:${parts.join(':')}:${utcNow()}`;
+    const digest = crypto.createHash('sha256').update(seed).digest('hex').slice(0, 12);
+    return `${prefix}_${digest}`;
+}
+function normalizeStandard(value) {
+    const normalized = String(value || '').trim().toUpperCase().replace(/[-_]/g, '');
+    if (!normalized)
+        return 'ISO42001';
+    if (normalized === 'ISO42001' || normalized === 'ISOIEC42001')
+        return 'ISO42001';
+    if (normalized === 'SOC2' || normalized === 'SOCII')
+        return 'SOC2';
+    if (normalized === 'GDPR')
+        return 'GDPR';
+    return String(value || '').trim().toUpperCase();
+}
+function loadDefaultCatalogFromFile(filename, label) {
+    const candidatePaths = [
+        path.resolve(__dirname, '..', 'templates', 'controls', filename),
+        path.resolve(process.cwd(), 'monora-node', 'templates', 'controls', filename),
+        path.resolve(process.cwd(), 'templates', 'controls', filename),
+        path.resolve(process.cwd(), 'docs', filename),
+    ];
+    for (const candidate of candidatePaths) {
+        if (!fs.existsSync(candidate)) {
+            continue;
+        }
+        return JSON.parse(fs.readFileSync(candidate, 'utf-8'));
+    }
+    throw new Error(`Default ${label} control catalog not found`);
+}
+function resolveCatalog(catalog, standard) {
+    if (typeof catalog === 'string') {
+        try {
+            return JSON.parse(fs.readFileSync(catalog, 'utf-8'));
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            console.warn(`Failed to load catalog from ${catalog}: ${message}`);
+            if (runtimeCatalog) {
+                return clone(runtimeCatalog);
+            }
+            return loadDefaultControlCatalog(standard || 'ISO42001');
+        }
+    }
+    if (catalog) {
+        return catalog;
+    }
+    if (runtimeCatalog) {
+        return clone(runtimeCatalog);
+    }
+    return loadDefaultControlCatalog(standard || 'ISO42001');
+}
+function ensureEvidenceRecord(payload, controlId) {
+    const evidence = clone(payload);
+    if (!evidence.evidence_id) {
+        evidence.evidence_id = buildId('evd', controlId);
+    }
+    if (!evidence.title) {
+        evidence.title = `Evidence for ${controlId}`;
+    }
+    if (!evidence.source) {
+        evidence.source = 'manual';
+    }
+    if (!evidence.category) {
+        evidence.category = 'governance';
+    }
+    if (!evidence.collection_method) {
+        evidence.collection_method = 'manual';
+    }
+    if (!evidence.collected_at) {
+        evidence.collected_at = utcNow();
+    }
+    const controlIds = new Set(normalizeList(evidence.control_ids));
+    controlIds.add(controlId);
+    evidence.control_ids = Array.from(controlIds).sort();
+    if (!evidence.metadata || typeof evidence.metadata !== 'object') {
+        evidence.metadata = {};
+    }
+    if (!evidence.status) {
+        evidence.status = 'collected';
+    }
+    return evidence;
+}
+function appendHistory(workflow, event, options) {
+    workflow.history.push({
+        timestamp: utcNow(),
+        event,
+        actor: options?.actor,
+        from_status: options?.fromStatus,
+        to_status: options?.toStatus,
+        note: options?.note,
+        metadata: options?.metadata,
+    });
+    workflow.updated_at = utcNow();
+}
+function findControl(controlId) {
+    const controls = (runtimeCatalog?.controls || []);
+    return controls.find((control) => String(control.control_id) === controlId) || {};
+}
+function clearControlRuntime() {
+    runtimeCatalog = null;
+    runtimeWorkflows = new Map();
+    runtimeEvidence = new Map();
+    (0, evidence_store_1.clearRuntimeEvidenceStore)();
+}
+function setControlCatalog(catalog) {
+    runtimeCatalog = clone(catalog);
+    return clone(runtimeCatalog);
+}
+function loadControlCatalog(filePath) {
+    const payload = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+    return setControlCatalog(payload);
+}
+function getControlCatalog() {
+    return runtimeCatalog ? clone(runtimeCatalog) : null;
+}
+function loadDefaultIso42001Catalog() {
+    if (defaultIso42001Catalog) {
+        return clone(defaultIso42001Catalog);
+    }
+    const payload = loadDefaultCatalogFromFile('iso42001_control_catalog.json', 'ISO 42001');
+    defaultIso42001Catalog = payload;
+    return clone(payload);
+}
+function loadDefaultSoc2Catalog() {
+    if (defaultSoc2Catalog) {
+        return clone(defaultSoc2Catalog);
+    }
+    const payload = loadDefaultCatalogFromFile('soc2_control_catalog.json', 'SOC 2');
+    defaultSoc2Catalog = payload;
+    return clone(payload);
+}
+function loadDefaultGdprCatalog() {
+    if (defaultGdprCatalog) {
+        return clone(defaultGdprCatalog);
+    }
+    const payload = loadDefaultCatalogFromFile('gdpr_control_catalog.json', 'GDPR');
+    defaultGdprCatalog = payload;
+    return clone(payload);
+}
+function loadDefaultControlCatalog(standard) {
+    const normalized = normalizeStandard(standard);
+    if (normalized === 'SOC2') {
+        return loadDefaultSoc2Catalog();
+    }
+    if (normalized === 'GDPR') {
+        return loadDefaultGdprCatalog();
+    }
+    return loadDefaultIso42001Catalog();
+}
+function resolveControlIdsForEvidenceTypes(evidenceTypes, catalog, standard) {
+    const normalizedTypes = new Set(normalizeList(evidenceTypes));
+    if (normalizedTypes.size === 0) {
+        return [];
+    }
+    let payload = catalog || runtimeCatalog;
+    if (!payload) {
+        try {
+            payload = loadDefaultControlCatalog(standard || 'ISO42001');
+        }
+        catch (_err) {
+            payload = null;
+        }
+    }
+    const controls = (payload?.controls || []);
+    const ids = new Set();
+    for (const control of controls) {
+        const controlId = String(control.control_id || '').trim();
+        if (!controlId) {
+            continue;
+        }
+        const controlTypes = new Set(normalizeList(control.evidence_types));
+        for (const evidenceType of normalizedTypes) {
+            if (controlTypes.has(evidenceType)) {
+                ids.add(controlId);
+            }
+        }
+    }
+    return Array.from(ids).sort();
+}
+function createWorkflowTask(options) {
+    const control = findControl(options.controlId);
+    const controlTitle = String(control.title || options.controlId);
+    const owner = options.owner || (typeof control.owner === 'string' ? control.owner.trim() || undefined : undefined);
+    const workflow = {
+        workflow_id: buildId('wf', options.controlId),
+        control_id: options.controlId,
+        title: options.title || `${options.controlId} - ${controlTitle}`,
+        status: 'draft',
+        owner,
+        created_at: utcNow(),
+        updated_at: utcNow(),
+        created_by: options.createdBy,
+        due_at: options.dueAt,
+        evidence_ids: [],
+        notes: options.notes,
+        metadata: options.metadata || {},
+        history: [],
+    };
+    appendHistory(workflow, 'created', { actor: options.createdBy, note: options.notes });
+    runtimeWorkflows.set(workflow.workflow_id, clone(workflow));
+    return clone(workflow);
+}
+function getWorkflowTask(workflowId) {
+    const workflow = runtimeWorkflows.get(workflowId);
+    return workflow ? clone(workflow) : null;
+}
+function listWorkflowTasks(options) {
+    const values = Array.from(runtimeWorkflows.values());
+    return values
+        .filter((workflow) => !options?.controlId || workflow.control_id === options.controlId)
+        .filter((workflow) => !options?.status || workflow.status === options.status)
+        .map((workflow) => clone(workflow));
+}
+function transitionWorkflowTask(workflowId, options) {
+    const workflow = runtimeWorkflows.get(workflowId);
+    if (!workflow) {
+        throw new Error(`Workflow not found: ${workflowId}`);
+    }
+    const fromStatus = workflow.status;
+    const allowed = STATUS_TRANSITIONS[workflow.status] || [];
+    if (!allowed.includes(options.toStatus)) {
+        throw new Error(`Invalid workflow transition ${workflow.status} -> ${options.toStatus}. Allowed: ${allowed.join(', ')}`);
+    }
+    workflow.status = options.toStatus;
+    if (options.toStatus === 'approved') {
+        if (workflow.evidence_ids.length === 0) {
+            throw new Error('Cannot approve workflow without linked evidence');
+        }
+        workflow.approved_at = utcNow();
+        workflow.approved_by = options.actor;
+    }
+    appendHistory(workflow, 'status_changed', {
+        actor: options.actor,
+        fromStatus,
+        toStatus: options.toStatus,
+        note: options.note,
+    });
+    runtimeWorkflows.set(workflowId, clone(workflow));
+    return clone(workflow);
+}
+function submitWorkflowTask(workflowId, options) {
+    return transitionWorkflowTask(workflowId, {
+        toStatus: 'in_review',
+        actor: options?.actor,
+        note: options?.note,
+    });
+}
+function approveControlEvidence(workflowId, options) {
+    return transitionWorkflowTask(workflowId, {
+        toStatus: 'approved',
+        actor: options?.actor,
+        note: options?.note,
+    });
+}
+function expireWorkflowTask(workflowId, options) {
+    return transitionWorkflowTask(workflowId, {
+        toStatus: 'expired',
+        actor: options?.actor,
+        note: options?.note,
+    });
+}
+function attachControlEvidence(options) {
+    const evidence = ensureEvidenceRecord(options.evidence, options.controlId);
+    if (options.evidenceType) {
+        evidence.metadata = evidence.metadata || {};
+        evidence.metadata.evidence_type = options.evidenceType;
+        const evidenceTypes = new Set(normalizeList(evidence.metadata.evidence_types));
+        evidenceTypes.add(options.evidenceType);
+        evidence.metadata.evidence_types = Array.from(evidenceTypes).sort();
+    }
+    if (options.workflowId) {
+        evidence.metadata = evidence.metadata || {};
+        evidence.metadata.workflow_id = options.workflowId;
+    }
+    runtimeEvidence.set(evidence.evidence_id, clone(evidence));
+    (0, evidence_store_1.recordRuntimeEvidence)(evidence);
+    if (options.workflowId) {
+        const workflow = runtimeWorkflows.get(options.workflowId);
+        if (!workflow) {
+            throw new Error(`Workflow not found: ${options.workflowId}`);
+        }
+        if (workflow.control_id !== options.controlId) {
+            throw new Error(`Workflow control mismatch: ${workflow.control_id} != ${options.controlId}`);
+        }
+        if (!workflow.evidence_ids.includes(evidence.evidence_id)) {
+            workflow.evidence_ids.push(evidence.evidence_id);
+        }
+        appendHistory(workflow, 'evidence_attached', {
+            actor: options.actor,
+            note: options.note,
+            metadata: { evidence_id: evidence.evidence_id },
+        });
+        runtimeWorkflows.set(options.workflowId, clone(workflow));
+    }
+    return clone(evidence);
+}
+function importEvidenceManifest(manifest, options) {
+    const evidenceItems = Array.isArray(manifest.evidence_items) ? manifest.evidence_items : [];
+    if (options?.clearExisting) {
+        runtimeEvidence = new Map();
+        (0, evidence_store_1.clearRuntimeEvidenceStore)();
+    }
+    let count = 0;
+    for (const rawItem of evidenceItems) {
+        if (!rawItem || typeof rawItem !== 'object') {
+            continue;
+        }
+        const evidenceId = String(rawItem.evidence_id || '').trim();
+        if (!evidenceId) {
+            continue;
+        }
+        runtimeEvidence.set(evidenceId, clone(rawItem));
+        (0, evidence_store_1.recordRuntimeEvidence)(rawItem);
+        count += 1;
+    }
+    return count;
+}
+function bootstrapWorkflowsFromCatalog(catalog, options) {
+    const payload = catalog || runtimeCatalog || loadDefaultIso42001Catalog();
+    const controls = Array.isArray(payload.controls) ? payload.controls : [];
+    const existingControlIds = new Set(Array.from(runtimeWorkflows.values()).map((w) => w.control_id));
+    const created = [];
+    for (const control of controls) {
+        if (!control || typeof control !== 'object') {
+            continue;
+        }
+        const controlId = String(control.control_id || '').trim();
+        if (!controlId || existingControlIds.has(controlId)) {
+            continue;
+        }
+        const ownerValue = String(control.owner || '').trim();
+        const owner = ownerValue || options?.ownerFallback || 'Unassigned';
+        const workflow = createWorkflowTask({
+            controlId,
+            title: `${controlId} - ${String(control.title || controlId)}`,
+            owner,
+            createdBy: options?.createdBy || 'system',
+            metadata: { bootstrap: true },
+        });
+        created.push(workflow);
+        existingControlIds.add(controlId);
+    }
+    return created;
+}
+function extractEvidenceTypes(item) {
+    const out = new Set();
+    const metadata = item.metadata && typeof item.metadata === 'object' ? item.metadata : {};
+    for (const key of ['evidence_type', 'type']) {
+        normalizeList(metadata[key]).forEach((value) => out.add(value));
+    }
+    normalizeList(metadata.evidence_types).forEach((value) => out.add(value));
+    normalizeList(item.tags).forEach((value) => out.add(value));
+    if (item.category) {
+        out.add(String(item.category));
+    }
+    return out;
+}
+function prioritizeMissingWorkflowModules(uncoveredControls, standard) {
+    const missingSet = new Set(normalizeList(uncoveredControls));
+    const modules = [];
+    const resolvedStandard = normalizeStandard(standard);
+    const moduleSource = WORKFLOW_MODULES_BY_STANDARD[resolvedStandard] || ISO42001_WORKFLOW_MODULES;
+    for (const moduleDef of moduleSource) {
+        const controls = normalizeList(moduleDef.controls);
+        const overlap = controls.filter((controlId) => missingSet.has(controlId)).sort();
+        if (overlap.length === 0) {
+            continue;
+        }
+        modules.push({
+            module_id: moduleDef.module_id,
+            name: moduleDef.name,
+            priority: moduleDef.priority,
+            impact: moduleDef.impact,
+            missing_controls: overlap,
+            missing_count: overlap.length,
+        });
+    }
+    modules.sort((a, b) => {
+        const p = (PRIORITY_ORDER[a.priority] ?? 99) - (PRIORITY_ORDER[b.priority] ?? 99);
+        if (p !== 0) {
+            return p;
+        }
+        const i = (IMPACT_ORDER[a.impact] ?? 99) - (IMPACT_ORDER[b.impact] ?? 99);
+        if (i !== 0) {
+            return i;
+        }
+        return Number(b.missing_count || 0) - Number(a.missing_count || 0);
+    });
+    return modules;
+}
+function generateControlCoverageReport(options) {
+    const catalog = resolveCatalog(options?.catalog || null, options?.standard);
+    const controls = Array.isArray(catalog.controls) ? catalog.controls : [];
+    const evidenceItems = options?.evidenceItems || Array.from(runtimeEvidence.values());
+    const workflows = options?.workflows || Array.from(runtimeWorkflows.values());
+    const targetCoverage = typeof options?.targetCoverage === 'number' ? options.targetCoverage : 0.9;
+    const evidenceById = new Map();
+    const evidenceByControl = new Map();
+    const approvedByControl = new Map();
+    for (const rawItem of evidenceItems) {
+        if (!rawItem || typeof rawItem !== 'object') {
+            continue;
+        }
+        const item = rawItem;
+        const evidenceId = String(item.evidence_id || '').trim();
+        if (!evidenceId) {
+            continue;
+        }
+        evidenceById.set(evidenceId, item);
+        for (const controlId of normalizeList(item.control_ids)) {
+            if (!evidenceByControl.has(controlId)) {
+                evidenceByControl.set(controlId, new Set());
+            }
+            evidenceByControl.get(controlId)?.add(evidenceId);
+            if (String(item.status || '').toLowerCase() === 'approved') {
+                if (!approvedByControl.has(controlId)) {
+                    approvedByControl.set(controlId, new Set());
+                }
+                approvedByControl.get(controlId)?.add(evidenceId);
+            }
+        }
+    }
+    const workflowsByControl = new Map();
+    for (const rawWorkflow of workflows) {
+        if (!rawWorkflow || typeof rawWorkflow !== 'object') {
+            continue;
+        }
+        const workflow = rawWorkflow;
+        const controlId = String(workflow.control_id || '').trim();
+        const workflowId = String(workflow.workflow_id || '').trim();
+        if (!controlId || !workflowId) {
+            continue;
+        }
+        if (!workflowsByControl.has(controlId)) {
+            workflowsByControl.set(controlId, new Set());
+        }
+        workflowsByControl.get(controlId)?.add(workflowId);
+        if (workflow.status === 'approved') {
+            if (!approvedByControl.has(controlId)) {
+                approvedByControl.set(controlId, new Set());
+            }
+            for (const evidenceId of normalizeList(workflow.evidence_ids)) {
+                if (evidenceById.has(evidenceId)) {
+                    approvedByControl.get(controlId)?.add(evidenceId);
+                }
+            }
+        }
+    }
+    const rows = [];
+    for (const control of controls) {
+        if (!control || typeof control !== 'object') {
+            continue;
+        }
+        const controlId = String(control.control_id || '').trim();
+        if (!controlId) {
+            continue;
+        }
+        const requiredTypes = Array.from(new Set(normalizeList(control.evidence_types))).sort();
+        const linkedEvidenceIds = Array.from(evidenceByControl.get(controlId) || new Set()).sort();
+        const approvedEvidenceIds = Array.from(approvedByControl.get(controlId) || new Set()).sort();
+        const collectedTypes = new Set();
+        for (const evidenceId of linkedEvidenceIds) {
+            const evidence = evidenceById.get(evidenceId);
+            if (!evidence) {
+                continue;
+            }
+            extractEvidenceTypes(evidence).forEach((value) => collectedTypes.add(value));
+        }
+        const collectedTypeList = Array.from(collectedTypes).sort();
+        const missingEvidenceTypes = requiredTypes.filter((item) => !collectedTypes.has(item));
+        const owner = String(control.owner || '').trim() || undefined;
+        const frequency = String(control.frequency || '').trim() || undefined;
+        const hasRequirements = requiredTypes.length > 0;
+        const hasApprovedEvidence = approvedEvidenceIds.length > 0;
+        const reportable = Boolean(owner && frequency && hasRequirements && hasApprovedEvidence && missingEvidenceTypes.length === 0);
+        const gaps = [];
+        if (!owner) {
+            gaps.push('missing_owner');
+        }
+        if (!frequency) {
+            gaps.push('missing_frequency');
+        }
+        if (!hasRequirements) {
+            gaps.push('missing_evidence_type_requirements');
+        }
+        if (linkedEvidenceIds.length === 0) {
+            gaps.push('missing_linked_evidence');
+        }
+        if (!hasApprovedEvidence) {
+            gaps.push('missing_approved_evidence');
+        }
+        if (missingEvidenceTypes.length > 0) {
+            gaps.push('missing_required_evidence_types');
+        }
+        rows.push({
+            control_id: controlId,
+            title: String(control.title || controlId),
+            clause: String(control.clause || '').trim() || undefined,
+            owner,
+            frequency,
+            required_evidence_types: requiredTypes,
+            evidence_types_collected: collectedTypeList,
+            missing_evidence_types: missingEvidenceTypes,
+            linked_evidence_ids: linkedEvidenceIds,
+            approved_evidence_ids: approvedEvidenceIds,
+            workflow_ids: Array.from(workflowsByControl.get(controlId) || new Set()).sort(),
+            status: reportable ? 'covered' : linkedEvidenceIds.length > 0 || approvedEvidenceIds.length > 0 ? 'partial' : 'gap',
+            reportable,
+            gaps,
+        });
+    }
+    const totalControls = rows.length;
+    const coveredControls = rows.filter((row) => row.reportable).length;
+    const partialControls = rows.filter((row) => row.status === 'partial').length;
+    const gapControls = rows.filter((row) => row.status === 'gap').length;
+    const coverageRatio = totalControls > 0 ? coveredControls / totalControls : 0;
+    const uncovered = rows.filter((row) => !row.reportable).map((row) => row.control_id);
+    const reportStandard = normalizeStandard(String(catalog.standard || options?.standard || 'ISO42001'));
+    return {
+        report_type: 'control_coverage',
+        generated_at: utcNow(),
+        catalog_id: catalog.catalog_id,
+        standard: catalog.standard,
+        version: catalog.version,
+        summary: {
+            total_controls: totalControls,
+            covered_controls: coveredControls,
+            partial_controls: partialControls,
+            gap_controls: gapControls,
+            coverage_ratio: Number(coverageRatio.toFixed(6)),
+            coverage_percent: Number((coverageRatio * 100).toFixed(2)),
+            target_coverage_ratio: Number(targetCoverage.toFixed(6)),
+            target_coverage_percent: Number((targetCoverage * 100).toFixed(2)),
+            target_met: coverageRatio >= targetCoverage,
+        },
+        controls: rows,
+        missing_workflow_modules: prioritizeMissingWorkflowModules(uncovered, reportStandard),
+    };
+}
+function buildWorkflowStatePayload(options) {
+    const catalog = resolveCatalog(options?.catalog || null, options?.standard);
+    const workflows = options?.workflows || Array.from(runtimeWorkflows.values());
+    const evidenceItems = options?.evidenceItems || Array.from(runtimeEvidence.values());
+    return {
+        state_type: 'control_workflow_state',
+        generated_at: utcNow(),
+        catalog_id: catalog.catalog_id,
+        standard: catalog.standard,
+        version: catalog.version,
+        workflows,
+        evidence_items: evidenceItems,
+    };
+}
+function exportWorkflowState(outputPath, options) {
+    const payload = buildWorkflowStatePayload(options);
+    fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+    fs.writeFileSync(outputPath, JSON.stringify(payload, null, 2), 'utf-8');
+    return clone(payload);
+}
+function loadWorkflowState(filePath, options) {
+    const payload = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+    const workflows = Array.isArray(payload.workflows) ? payload.workflows : [];
+    const evidenceItems = Array.isArray(payload.evidence_items) ? payload.evidence_items : [];
+    if (options?.replaceRuntime !== false) {
+        runtimeWorkflows = new Map();
+        runtimeEvidence = new Map();
+        (0, evidence_store_1.clearRuntimeEvidenceStore)();
+        for (const workflow of workflows) {
+            if (!workflow || typeof workflow !== 'object') {
+                continue;
+            }
+            const workflowId = String(workflow.workflow_id || '').trim();
+            if (!workflowId) {
+                continue;
+            }
+            runtimeWorkflows.set(workflowId, clone(workflow));
+        }
+        for (const evidence of evidenceItems) {
+            if (!evidence || typeof evidence !== 'object') {
+                continue;
+            }
+            const evidenceId = String(evidence.evidence_id || '').trim();
+            if (!evidenceId) {
+                continue;
+            }
+            runtimeEvidence.set(evidenceId, clone(evidence));
+            (0, evidence_store_1.recordRuntimeEvidence)(evidence);
+        }
+    }
+    return payload;
+}