vaspera 2.7.0 → 2.9.0

package/dist/compliance/attestation.js

@@ -0,0 +1,364 @@
+/**
+ * Framework Attestation Content
+ *
+ * Framework-specific attestation text for audit-defensible compliance reports.
+ * Each framework has methodology, scope limitations, and auditor notes.
+ *
+ * @module compliance/attestation
+ */
+/**
+ * Attestation content for each compliance framework
+ */
+export const FRAMEWORK_ATTESTATIONS = {
+    "SOC2": {
+        fullName: "SOC 2 Trust Services Criteria",
+        methodology: [
+            "**Deterministic Scanning:** Pattern-based detection of security vulnerabilities using Semgrep, gitleaks, npm audit, and other static analyzers",
+            "**Control Mapping:** Automated mapping of security findings to SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)",
+            "**Severity Correlation:** Finding severity to control risk impact correlation",
+            "**Tamper-Evident Logging:** Hash-chained audit trail with optional Sigstore signing",
+            "**Evidence Collection:** Cryptographically attested artifacts for audit defensibility",
+        ],
+        scopeLimitations: [
+            "Formal SOC 2 Type I or Type II examination by a licensed CPA firm",
+            "Organizational policies and procedures documentation review",
+            "Management assertion and system description validation",
+            "Physical and environmental security controls assessment",
+            "Personnel security and HR process verification",
+            "Vendor and third-party risk management review",
+        ],
+        auditorNote: "This automated assessment identifies technical gaps in your security posture. A licensed CPA firm must perform the formal SOC 2 examination. This report can serve as evidence of continuous monitoring for your auditor.",
+    },
+    "ISO27001": {
+        fullName: "ISO/IEC 27001:2022 Information Security Management",
+        methodology: [
+            "**Deterministic Scanning:** Pattern-based detection using static analysis tools aligned with ISO 27001 Annex A controls",
+            "**Control Mapping:** Automated mapping of findings to ISO 27001 Annex A control objectives",
+            "**Risk Assessment:** Finding severity to control impact correlation per ISO 27001 risk methodology",
+            "**Tamper-Evident Logging:** Hash-chained audit trail for evidence integrity",
+            "**Evidence Collection:** Cryptographically attested artifacts supporting certification audits",
+        ],
+        scopeLimitations: [
+            "Formal ISO 27001 certification audit by an accredited certification body",
+            "ISMS documentation review (policies, procedures, risk assessment)",
+            "Management review and leadership commitment verification",
+            "Internal audit program evaluation",
+            "Physical security and environmental controls",
+            "Human resource security processes",
+            "Business continuity planning review",
+        ],
+        auditorNote: "This automated assessment supports your ISO 27001 Statement of Applicability evidence. Certification must be performed by an accredited certification body. This report demonstrates continuous technical control monitoring.",
+    },
+    "PCI-DSS": {
+        fullName: "PCI DSS v4.0 Payment Card Industry Data Security Standard",
+        methodology: [
+            "**Deterministic Scanning:** Pattern-based detection for PCI DSS technical requirements (encryption, authentication, logging)",
+            "**Control Mapping:** Automated mapping to PCI DSS v4.0 requirements",
+            "**Cardholder Data Detection:** Scanning for potential PAN, CVV, and sensitive authentication data exposure",
+            "**Tamper-Evident Logging:** Hash-chained audit trail meeting PCI DSS logging requirements",
+            "**Evidence Collection:** Cryptographically attested artifacts for QSA review",
+        ],
+        scopeLimitations: [
+            "Formal PCI DSS assessment by a Qualified Security Assessor (QSA)",
+            "Network segmentation validation and penetration testing",
+            "Cardholder data environment (CDE) scope determination",
+            "Physical security controls at data center locations",
+            "Personnel background checks and security awareness training",
+            "Vendor and service provider compliance validation",
+            "Incident response testing and tabletop exercises",
+        ],
+        auditorNote: "This automated assessment identifies technical gaps relevant to PCI DSS requirements. A QSA must perform the formal assessment. For SAQ merchants, this report provides evidence of continuous security monitoring.",
+    },
+    "HIPAA": {
+        fullName: "HIPAA Security Rule (45 CFR Part 164)",
+        methodology: [
+            "**Deterministic Scanning:** Pattern-based detection of PHI exposure, access control gaps, and audit trail deficiencies",
+            "**Control Mapping:** Automated mapping to HIPAA Security Rule administrative, physical, and technical safeguards",
+            "**PHI Detection:** Scanning for Protected Health Information in code, logs, and configuration",
+            "**Tamper-Evident Logging:** Hash-chained audit trail meeting HIPAA audit requirements",
+            "**Evidence Collection:** Cryptographically attested artifacts for OCR investigation readiness",
+        ],
+        scopeLimitations: [
+            "Formal HIPAA compliance audit or OCR investigation response",
+            "Administrative safeguards (policies, training, sanctions)",
+            "Physical safeguards (facility access, workstation security)",
+            "Business Associate Agreement (BAA) review and management",
+            "Risk analysis and management program evaluation",
+            "Incident response and breach notification procedures",
+            "Employee training and security awareness programs",
+        ],
+        auditorNote: "This automated assessment identifies technical gaps in HIPAA Security Rule compliance. This does not constitute a formal compliance audit. The report demonstrates reasonable technical safeguards and continuous monitoring.",
+    },
+    "42-CFR-PART-2": {
+        fullName: "42 CFR Part 2 - Confidentiality of Substance Use Disorder Patient Records",
+        methodology: [
+            "**Deterministic Scanning:** Pattern-based detection of SUD record disclosure, consent validation, and audit gaps",
+            "**Control Mapping:** Automated mapping to 42 CFR Part 2 confidentiality requirements",
+            "**SUD-Specific Detection:** Scanning for substance use disorder information disclosure patterns",
+            "**Consent Validation:** Detection of consent bypass and missing authorization checks",
+            "**Tamper-Evident Logging:** Hash-chained audit trail meeting federal audit requirements",
+            "**Evidence Collection:** Cryptographically attested artifacts for SAMHSA compliance review",
+        ],
+        scopeLimitations: [
+            "Formal 42 CFR Part 2 compliance review by qualified counsel or auditor",
+            "Written consent form and process validation",
+            "Qualified Service Organization Agreement (QSOA) review",
+            "Re-disclosure notice and prohibition verification",
+            "Patient rights and complaint procedures",
+            "Program staff training on SUD confidentiality",
+            "Court order and law enforcement request procedures",
+        ],
+        auditorNote: "42 CFR Part 2 provides stricter protections than HIPAA for substance use disorder records. This automated assessment identifies technical gaps. Legal counsel should review consent forms and disclosure procedures.",
+    },
+    "CIS": {
+        fullName: "CIS Critical Security Controls v8",
+        methodology: [
+            "**Deterministic Scanning:** Pattern-based detection aligned with CIS Controls implementation groups",
+            "**Control Mapping:** Automated mapping to CIS Controls v8 safeguards",
+            "**Implementation Group Assessment:** Findings categorized by IG1, IG2, IG3 applicability",
+            "**Tamper-Evident Logging:** Hash-chained audit trail for evidence integrity",
+            "**Evidence Collection:** Cryptographically attested artifacts for security assessment",
+        ],
+        scopeLimitations: [
+            "Formal CIS Controls assessment or CIS-CAT Pro benchmark",
+            "Asset inventory and hardware/software management verification",
+            "Network infrastructure and perimeter security assessment",
+            "Vulnerability management program effectiveness review",
+            "Security awareness training program evaluation",
+            "Incident response capability testing",
+            "Data protection and backup verification",
+        ],
+        auditorNote: "This automated assessment maps findings to CIS Controls safeguards. For formal benchmarking, use CIS-CAT Pro or engage a certified assessor. This report demonstrates continuous security control monitoring.",
+    },
+    "GDPR": {
+        fullName: "General Data Protection Regulation (EU) 2016/679",
+        methodology: [
+            "**Deterministic Scanning:** Pattern-based detection of personal data exposure and processing issues",
+            "**Control Mapping:** Automated mapping to GDPR articles and technical requirements",
+            "**Personal Data Detection:** Scanning for PII exposure in code, logs, and configuration",
+            "**Data Protection Impact:** Finding severity correlation to data subject rights impact",
+            "**Tamper-Evident Logging:** Hash-chained audit trail for accountability demonstration",
+            "**Evidence Collection:** Cryptographically attested artifacts for DPA inquiry readiness",
+        ],
+        scopeLimitations: [
+            "Formal Data Protection Impact Assessment (DPIA)",
+            "Records of Processing Activities (RoPA) review",
+            "Data Subject Rights implementation verification",
+            "Lawful basis determination and documentation",
+            "Data Protection Officer (DPO) designation assessment",
+            "Cross-border transfer mechanism validation",
+            "Vendor and processor agreement review",
+            "Privacy notice and consent mechanism audit",
+        ],
+        auditorNote: "This automated assessment identifies technical gaps relevant to GDPR Article 32 security requirements. A Data Protection Officer or qualified privacy professional should conduct comprehensive GDPR compliance review.",
+    },
+    "NIST-800-53": {
+        fullName: "NIST SP 800-53 Rev. 5 Security and Privacy Controls",
+        methodology: [
+            "**Deterministic Scanning:** Pattern-based detection aligned with NIST 800-53 control families",
+            "**Control Mapping:** Automated mapping to NIST 800-53 Rev. 5 controls and control enhancements",
+            "**Baseline Assessment:** Findings mapped to Low, Moderate, and High impact baselines",
+            "**Control Family Coverage:** Assessment across Access Control, Audit, Configuration Management, and other families",
+            "**Tamper-Evident Logging:** Hash-chained audit trail meeting federal logging requirements",
+            "**Evidence Collection:** Cryptographically attested artifacts for FedRAMP/FISMA compliance",
+        ],
+        scopeLimitations: [
+            "Formal NIST 800-53 assessment by accredited assessor (3PAO for FedRAMP)",
+            "System Security Plan (SSP) documentation review",
+            "Plan of Action and Milestones (POA&M) validation",
+            "Continuous monitoring program evaluation",
+            "Authorization boundary and system categorization",
+            "Interconnection security agreements",
+            "Contingency planning and testing",
+            "Personnel security and training verification",
+        ],
+        auditorNote: "This automated assessment maps findings to NIST 800-53 controls. For FedRAMP authorization, a 3PAO must conduct the formal assessment. For FISMA, the agency Authorizing Official makes the final determination.",
+    },
+    // AI-Specific Frameworks
+    "OWASP-LLM": {
+        fullName: "OWASP LLM Top 10 for Large Language Model Applications",
+        methodology: [
+            "**LLM-Specific Scanning:** Detection of prompt injection, insecure output handling, and training data poisoning vulnerabilities",
+            "**Control Mapping:** Automated mapping to OWASP LLM Top 10 risk categories",
+            "**Agent Security:** Assessment of tool use boundaries, permission escalation, and data exfiltration paths",
+            "**Trust Boundary Analysis:** Evaluation of LLM input/output trust boundaries and sanitization",
+            "**Tamper-Evident Logging:** Hash-chained audit trail for AI security evidence",
+            "**Evidence Collection:** Cryptographically attested artifacts for security assessment",
+        ],
+        scopeLimitations: [
+            "Formal red-team adversarial testing of LLM systems",
+            "Model training data provenance and bias analysis",
+            "Prompt engineering security review",
+            "Human-in-the-loop procedure verification",
+            "Model supply chain security assessment",
+            "Production deployment architecture review",
+            "Incident response procedures for AI failures",
+        ],
+        auditorNote: "This automated assessment identifies technical vulnerabilities in LLM applications per OWASP guidance. AI security requires ongoing red-team testing and adversarial evaluation beyond static analysis.",
+    },
+    "NIST-AI-RMF": {
+        fullName: "NIST AI Risk Management Framework 1.0",
+        methodology: [
+            "**AI Risk Detection:** Scanning for risks across NIST AI RMF functions (Govern, Map, Measure, Manage)",
+            "**Trustworthy AI Mapping:** Assessment against trustworthy AI characteristics (valid, reliable, safe, secure, accountable, transparent, explainable, fair)",
+            "**Control Mapping:** Automated mapping to NIST AI RMF subcategories",
+            "**Risk Measurement:** Finding severity correlation to AI risk levels",
+            "**Tamper-Evident Logging:** Hash-chained audit trail for AI governance evidence",
+            "**Evidence Collection:** Cryptographically attested artifacts for AI risk assessment",
+        ],
+        scopeLimitations: [
+            "Formal AI risk assessment by qualified AI governance professionals",
+            "AI impact assessment and stakeholder engagement",
+            "Model performance and fairness evaluation",
+            "Organizational AI governance program maturity",
+            "Human oversight and accountability structures",
+            "AI incident management and response procedures",
+            "Third-party AI component risk assessment",
+        ],
+        auditorNote: "This automated assessment maps findings to NIST AI RMF controls. Comprehensive AI risk management requires organizational governance, human oversight, and ongoing monitoring beyond technical controls.",
+    },
+    "MITRE-ATLAS": {
+        fullName: "MITRE ATLAS (Adversarial Threat Landscape for AI Systems)",
+        methodology: [
+            "**Adversarial Technique Detection:** Scanning for vulnerabilities mapped to MITRE ATLAS tactics and techniques",
+            "**Attack Surface Analysis:** Identification of ML attack vectors (reconnaissance, resource development, initial access, execution, persistence, evasion, impact)",
+            "**Control Mapping:** Automated mapping to ATLAS mitigations",
+            "**Threat Modeling:** Finding correlation to known adversarial ML attack patterns",
+            "**Tamper-Evident Logging:** Hash-chained audit trail for security evidence",
+            "**Evidence Collection:** Cryptographically attested artifacts for threat assessment",
+        ],
+        scopeLimitations: [
+            "Active adversarial testing and red-team exercises",
+            "Model robustness and adversarial example testing",
+            "Data poisoning and backdoor detection",
+            "Model extraction and inversion attacks assessment",
+            "Supply chain security for ML components",
+            "Incident response for adversarial AI attacks",
+            "Threat intelligence integration for ML systems",
+        ],
+        auditorNote: "This automated assessment identifies vulnerabilities mapped to MITRE ATLAS adversarial techniques. Active red-team testing and adversarial evaluation are essential for comprehensive ML security assessment.",
+    },
+    "EU-AI-ACT": {
+        fullName: "EU AI Act (Regulation 2024/1689)",
+        methodology: [
+            "**Risk Classification:** Assessment against EU AI Act risk categories (unacceptable, high-risk, limited, minimal)",
+            "**High-Risk AI Requirements:** Scanning for technical requirements applicable to high-risk AI systems",
+            "**Control Mapping:** Automated mapping to EU AI Act articles and annexes",
+            "**Transparency Requirements:** Detection of AI system disclosure and documentation gaps",
+            "**Tamper-Evident Logging:** Hash-chained audit trail for regulatory evidence",
+            "**Evidence Collection:** Cryptographically attested artifacts for compliance demonstration",
+        ],
+        scopeLimitations: [
+            "Formal conformity assessment by notified bodies (for high-risk AI)",
+            "AI system registration and documentation review",
+            "Fundamental rights impact assessment",
+            "Quality management system evaluation",
+            "Human oversight implementation verification",
+            "Post-market monitoring procedures",
+            "Incident reporting and recall procedures",
+        ],
+        auditorNote: "This automated assessment identifies technical gaps relevant to EU AI Act requirements. High-risk AI systems require conformity assessment by notified bodies. Legal counsel should advise on risk classification and applicable obligations.",
+    },
+    "ISO-42001": {
+        fullName: "ISO/IEC 42001:2023 AI Management System",
+        methodology: [
+            "**AIMS Control Assessment:** Scanning for alignment with ISO 42001 AI management system controls",
+            "**Control Mapping:** Automated mapping to ISO 42001 Annex A and Annex B controls",
+            "**Risk-Based Assessment:** Finding severity correlation to AI risk management requirements",
+            "**Documentation Detection:** Identification of required AI system documentation gaps",
+            "**Tamper-Evident Logging:** Hash-chained audit trail for certification evidence",
+            "**Evidence Collection:** Cryptographically attested artifacts supporting AIMS certification",
+        ],
+        scopeLimitations: [
+            "Formal ISO 42001 certification audit by accredited certification body",
+            "AI policy and objectives documentation review",
+            "AI system lifecycle management evaluation",
+            "Leadership commitment and AI governance verification",
+            "Competence and awareness program assessment",
+            "Internal audit program for AI management",
+            "Continual improvement process evaluation",
+        ],
+        auditorNote: "This automated assessment supports ISO 42001 Statement of Applicability evidence. Certification must be performed by an accredited certification body. This report demonstrates continuous AI management system monitoring.",
+    },
+};
+/**
+ * Get attestation content for a framework
+ */
+export function getFrameworkAttestation(framework) {
+    return FRAMEWORK_ATTESTATIONS[framework];
+}
+/**
+ * Format attestation section as markdown
+ */
+export function formatAttestationAsMarkdown(framework) {
+    const attestation = FRAMEWORK_ATTESTATIONS[framework];
+    const lines = [];
+    lines.push("## Attestation");
+    lines.push("");
+    lines.push(`This report was generated through automated security scanning and compliance mapping for **${attestation.fullName}**.`);
+    lines.push("");
+    lines.push("### Assessment Methodology");
+    lines.push("");
+    for (const step of attestation.methodology) {
+        lines.push(`- ${step}`);
+    }
+    lines.push("");
+    lines.push("### Scope Limitations");
+    lines.push("");
+    lines.push("This automated assessment does **NOT** replace:");
+    lines.push("");
+    for (const limitation of attestation.scopeLimitations) {
+        lines.push(`- ${limitation}`);
+    }
+    lines.push("");
+    lines.push("### Auditor Note");
+    lines.push("");
+    lines.push(`> ${attestation.auditorNote}`);
+    lines.push("");
+    return lines.join("\n");
+}
+/**
+ * Format attestation for multi-framework report
+ */
+export function formatMultiFrameworkAttestationAsMarkdown(frameworks) {
+    const lines = [];
+    lines.push("## Attestation");
+    lines.push("");
+    lines.push("This report was generated through automated security scanning and compliance mapping for the following frameworks:");
+    lines.push("");
+    for (const framework of frameworks) {
+        const attestation = FRAMEWORK_ATTESTATIONS[framework];
+        lines.push(`- **${attestation.fullName}**`);
+    }
+    lines.push("");
+    lines.push("### Assessment Methodology");
+    lines.push("");
+    lines.push("The following methodology was applied across all frameworks:");
+    lines.push("");
+    lines.push("1. **Deterministic Scanning:** Pattern-based detection using static analysis tools (Semgrep, gitleaks, npm audit, Bandit, Gosec, etc.)");
+    lines.push("2. **Finding-to-Control Mapping:** Automated mapping of security findings to framework-specific controls");
+    lines.push("3. **Severity Correlation:** Finding severity to control risk impact assessment");
+    lines.push("4. **Tamper-Evident Logging:** Hash-chained audit trail with optional Sigstore signing");
+    lines.push("5. **Evidence Collection:** Cryptographically attested artifacts for audit defensibility");
+    lines.push("");
+    lines.push("### Scope Limitations");
+    lines.push("");
+    lines.push("This automated assessment does **NOT** replace:");
+    lines.push("");
+    lines.push("- Formal compliance audits by accredited assessors or certification bodies");
+    lines.push("- Organizational policies, procedures, and governance documentation");
+    lines.push("- Physical security and environmental controls assessment");
+    lines.push("- Personnel security, training, and awareness programs");
+    lines.push("- Vendor and third-party risk management reviews");
+    lines.push("- Business continuity and incident response testing");
+    lines.push("");
+    lines.push("### Framework-Specific Notes");
+    lines.push("");
+    for (const framework of frameworks) {
+        const attestation = FRAMEWORK_ATTESTATIONS[framework];
+        lines.push(`**${framework}:** ${attestation.auditorNote}`);
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+//# sourceMappingURL=attestation.js.map

package/dist/compliance/attestation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/compliance/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAkBH;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAsD;IACvF,MAAM,EAAE;QACN,QAAQ,EAAE,+BAA+B;QACzC,WAAW,EAAE;YACX,gJAAgJ;YAChJ,uKAAuK;YACvK,+EAA+E;YAC/E,qFAAqF;YACrF,uFAAuF;SACxF;QACD,gBAAgB,EAAE;YAChB,mEAAmE;YACnE,6DAA6D;YAC7D,wDAAwD;YACxD,yDAAyD;YACzD,gDAAgD;YAChD,+CAA+C;SAChD;QACD,WAAW,EAAE,2NAA2N;KACzO;IAED,UAAU,EAAE;QACV,QAAQ,EAAE,oDAAoD;QAC9D,WAAW,EAAE;YACX,yHAAyH;YACzH,4FAA4F;YAC5F,oGAAoG;YACpG,6EAA6E;YAC7E,+FAA+F;SAChG;QACD,gBAAgB,EAAE;YAChB,0EAA0E;YAC1E,mEAAmE;YACnE,0DAA0D;YAC1D,mCAAmC;YACnC,8CAA8C;YAC9C,mCAAmC;YACnC,qCAAqC;SACtC;QACD,WAAW,EAAE,+NAA+N;KAC7O;IAED,SAAS,EAAE;QACT,QAAQ,EAAE,2DAA2D;QACrE,WAAW,EAAE;YACX,8HAA8H;YAC9H,qEAAqE;YACrE,4GAA4G;YAC5G,2FAA2F;YAC3F,8EAA8E;SAC/E;QACD,gBAAgB,EAAE;YAChB,kEAAkE;YAClE,yDAAyD;YACzD,uDAAuD;YACvD,qDAAqD;YACrD,6DAA6D;YAC7D,mDAAmD;YACnD,kDAAkD;SACnD;QACD,WAAW,EAAE,qNAAqN;KACnO;IAED,OAAO,EAAE;QACP,QAAQ,EAAE,uCAAuC;QACjD,WAAW,EAAE;YACX,wHAAwH;YACxH,kHAAkH;YAClH,+FAA+F;YAC/F,uFAAuF;YACvF,+FAA+F;SAChG;QACD,gBAAgB,EAAE;YAChB,6DAA6D;YAC7D,2DAA2D;YAC3D,6DAA6D;YAC7D,0DAA0D;YAC1D,iDAAiD;YACjD,sDAAsD;YACtD,mDAAmD;SACpD;QACD,WAAW,EAAE,+NAA+N;KAC7O;IAED,eAAe,EAAE;QACf,QAAQ,EAAE,2EAA2E;QACrF,WAAW,EAAE;YACX,kHAAkH;YAClH,sFAAsF;YACtF,iGAAiG;YACjG,sFAAsF;YACtF,yFAAyF;YACzF,4FAA4F;SAC7F;QACD,gBAAgB,EAAE;YAChB,wEAAwE;YACxE,6CAA6C;YAC7C,wDAAwD;YACxD,mDAAmD;YACnD,yCAAyC;YACzC,+CAA+C;YAC/C,oDAAoD;SACrD;QACD,WAAW,EAAE,sNAAsN;KACpO;IAED,KAAK,EAAE;QACL,QAAQ,EAAE,mCAAmC;QAC7C,WAAW,EAAE;YACX,qGAAqG;YACrG,sEAAsE;YACtE,0FAA0F;YAC1F,6EAA6E;YAC7E,uFAAuF;SACxF;QACD,gBAAgB,EAAE;YAChB,yDAAyD;YACzD,+DAA+D;YAC/D,0DAA0D;YAC1D,uDAAuD;YACvD,gDAAgD;YAChD,sCAAsC;YACtC,yCAAyC;SAC1C;QACD,WAAW,EAAE,+MAA+M;KAC7N;IAED,MAAM,EAAE;QACN,QAAQ,EAAE,kDAAkD;QAC5D,WAAW,EAAE;YACX,qGAAqG;YACrG,oFAAoF;YACpF,yFAAyF;YACzF,wFAAwF;YACxF,uFAAuF;YACvF,yFAAyF;SAC1F;QACD,gBAAgB,EAAE;YAChB,iDAAiD;YACjD,gDAAgD;YAChD,iDAAiD;YACjD,8CAA8C;YAC9C,sDAAsD;YACtD,4CAA4C;YAC5C,uCAAuC;YACvC,4CAA4C;SAC7C;QACD,WAAW,EAAE,yNAAyN;KACvO;IAED,aAAa,EAAE;QACb,QAAQ,EAAE,qDAAqD;QAC/D,WAAW,EAAE;YACX,+FAA+F;YAC/F,gGAAgG;YAChG,sFAAsF;YACtF,oHAAoH;YACpH,2FAA2F;YAC3F,4FAA4F;SAC7F;QACD,gBAAgB,EAAE;YAChB,yEAAyE;YACzE,iDAAiD;YACjD,kDAAkD;YAClD,0CAA0C;YAC1C,kDAAkD;YAClD,qCAAqC;YACrC,kCAAkC;YAClC,8CAA8C;SAC/C;QACD,WAAW,EAAE,kNAAkN;KAChO;IAED,yBAAyB;IAEzB,WAAW,EAAE;QACX,QAAQ,EAAE,wDAAwD;QAClE,WAAW,EAAE;YACX,iIAAiI;YACjI,4EAA4E;YAC5E,2GAA2G;YAC3G,+FAA+F;YAC/F,+EAA+E;YAC/E,uFAAuF;SACxF;QACD,gBAAgB,EAAE;YAChB,oDAAoD;YACpD,kDAAkD;YAClD,oCAAoC;YACpC,0CAA0C;YAC1C,wCAAwC;YACxC,2CAA2C;YAC3C,8CAA8C;SAC/C;QACD,WAAW,EAAE,yMAAyM;KACvN;IAED,aAAa,EAAE;QACb,QAAQ,EAAE,uCAAuC;QACjD,WAAW,EAAE;YACX,uGAAuG;YACvG,4JAA4J;YAC5J,qEAAqE;YACrE,sEAAsE;YACtE,iFAAiF;YACjF,sFAAsF;SACvF;QACD,gBAAgB,EAAE;YAChB,oEAAoE;YACpE,iDAAiD;YACjD,2CAA2C;YAC3C,+CAA+C;YAC/C,+CAA+C;YAC/C,gDAAgD;YAChD,0CAA0C;SAC3C;QACD,WAAW,EAAE,0MAA0M;KACxN;IAED,aAAa,EAAE;QACb,QAAQ,EAAE,2DAA2D;QACrE,WAAW,EAAE;YACX,gHAAgH;YAChH,kKAAkK;YAClK,6DAA6D;YAC7D,kFAAkF;YAClF,4EAA4E;YAC5E,qFAAqF;SACtF;QACD,gBAAgB,EAAE;YAChB,mDAAmD;YACnD,kDAAkD;YAClD,uCAAuC;YACvC,mDAAmD;YACnD,yCAAyC;YACzC,8CAA8C;YAC9C,gDAAgD;SACjD;QACD,WAAW,EAAE,+MAA+M;KAC7N;IAED,WAAW,EAAE;QACX,QAAQ,EAAE,kCAAkC;QAC5C,WAAW,EAAE;YACX,mHAAmH;YACnH,uGAAuG;YACvG,0EAA0E;YAC1E,yFAAyF;YACzF,8EAA8E;YAC9E,4FAA4F;SAC7F;QACD,gBAAgB,EAAE;YAChB,oEAAoE;YACpE,iDAAiD;YACjD,sCAAsC;YACtC,sCAAsC;YACtC,6CAA6C;YAC7C,mCAAmC;YACnC,0CAA0C;SAC3C;QACD,WAAW,EAAE,+OAA+O;KAC7P;IAED,WAAW,EAAE;QACX,QAAQ,EAAE,yCAAyC;QACnD,WAAW,EAAE;YACX,kGAAkG;YAClG,kFAAkF;YAClF,4FAA4F;YAC5F,sFAAsF;YACtF,iFAAiF;YACjF,6FAA6F;SAC9F;QACD,gBAAgB,EAAE;YAChB,uEAAuE;YACvE,+CAA+C;YAC/C,2CAA2C;YAC3C,sDAAsD;YACtD,6CAA6C;YAC7C,0CAA0C;YAC1C,0CAA0C;SAC3C;QACD,WAAW,EAAE,6NAA6N;KAC3O;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,SAA8B;IACpE,OAAO,sBAAsB,CAAC,SAAS,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,2BAA2B,CAAC,SAA8B;IACxE,MAAM,WAAW,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;IACtD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC7B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,8FAA8F,WAAW,CAAC,QAAQ,KAAK,CAAC,CAAC;IACpI,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,WAAW,EAAE,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;IAC1B,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,UAAU,IAAI,WAAW,CAAC,gBAAgB,EAAE,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC,CAAC;IAChC,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yCAAyC,CAAC,UAAiC;IACzF,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC7B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,oHAAoH,CAAC,CAAC;IACjI,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,OAAO,WAAW,CAAC,QAAQ,IAAI,CAAC,CAAC;IAC9C,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC3E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,wIAAwI,CAAC,CAAC;IACrJ,KAAK,CAAC,IAAI,CAAC,0GAA0G,CAAC,CAAC;IACvH,KAAK,CAAC,IAAI,CAAC,iFAAiF,CAAC,CAAC;IAC9F,KAAK,CAAC,IAAI,CAAC,wFAAwF,CAAC,CAAC;IACrG,KAAK,CAAC,IAAI,CAAC,0FAA0F,CAAC,CAAC;IACvG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;IAClF,KAAK,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;IACxE,KAAK,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;IACrE,KAAK,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,KAAK,SAAS,OAAO,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC;QAC3D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/compliance/cfr42-part2.d.ts

@@ -0,0 +1,42 @@
+/**
+ * 42 CFR Part 2 Compliance Controls
+ *
+ * Confidentiality of Substance Use Disorder Patient Records
+ * (Stricter than HIPAA for SUD treatment records)
+ *
+ * @module compliance/cfr42-part2
+ */
+import type { ComplianceControl } from "./types.js";
+/**
+ * 42 CFR Part 2 control categories
+ */
+export declare const CFR42_PART2_CATEGORIES: readonly ["General Provisions", "Disclosures With Consent", "Disclosures Without Consent", "Security Safeguards", "Audit and Accountability", "Re-disclosure Restrictions", "Qualified Service Organizations", "Patient Rights"];
+/**
+ * 42 CFR Part 2 controls for SUD confidentiality
+ *
+ * These controls are STRICTER than HIPAA and apply specifically to
+ * substance use disorder (SUD) treatment records.
+ */
+export declare const CFR42_PART2_CONTROLS: ComplianceControl[];
+/**
+ * Get all 42 CFR Part 2 controls
+ */
+export declare function getCFR42Part2Controls(): ComplianceControl[];
+/**
+ * Get 42 CFR Part 2 controls by category
+ */
+export declare function getCFR42Part2ControlsByCategory(category: string): ComplianceControl[];
+/**
+ * Get 42 CFR Part 2 control by ID
+ */
+export declare function getCFR42Part2ControlById(id: string): ComplianceControl | undefined;
+/**
+ * Get 42 CFR Part 2 categories
+ */
+export declare function getCFR42Part2Categories(): readonly string[];
+/**
+ * Cross-reference mapping to HIPAA controls
+ * 42 CFR Part 2 often overlaps with but is stricter than HIPAA
+ */
+export declare const CFR42_TO_HIPAA_MAPPING: Record<string, string[]>;
+//# sourceMappingURL=cfr42-part2.d.ts.map

package/dist/compliance/cfr42-part2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cfr42-part2.d.ts","sourceRoot":"","sources":["../../src/compliance/cfr42-part2.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD;;GAEG;AACH,eAAO,MAAM,sBAAsB,kOASzB,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,EAAE,iBAAiB,EA6WnD,CAAC;AAEF;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,iBAAiB,EAAE,CAE3D;AAED;;GAEG;AACH,wBAAgB,+BAA+B,CAC7C,QAAQ,EAAE,MAAM,GACf,iBAAiB,EAAE,CAErB;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,EAAE,EAAE,MAAM,GACT,iBAAiB,GAAG,SAAS,CAE/B;AAED;;GAEG;AACH,wBAAgB,uBAAuB,IAAI,SAAS,MAAM,EAAE,CAE3D;AAED;;;GAGG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAS3D,CAAC"}