npm - vaspera - Versions diffs - 2.8.0 → 2.9.0 - Mend

vaspera 2.8.0 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (303) hide show

package/CHANGELOG.md +55 -0
package/README.md +111 -7
package/dist/__tests__/agents/adversary/tactics/api.test.d.ts +5 -0
package/dist/__tests__/agents/adversary/tactics/api.test.d.ts.map +1 -0
package/dist/__tests__/agents/adversary/tactics/api.test.js +369 -0
package/dist/__tests__/agents/adversary/tactics/api.test.js.map +1 -0
package/dist/__tests__/agents/adversary/tactics/llm.test.d.ts +5 -0
package/dist/__tests__/agents/adversary/tactics/llm.test.d.ts.map +1 -0
package/dist/__tests__/agents/adversary/tactics/llm.test.js +409 -0
package/dist/__tests__/agents/adversary/tactics/llm.test.js.map +1 -0
package/dist/__tests__/agents/adversary/tactics/registry.test.d.ts +7 -0
package/dist/__tests__/agents/adversary/tactics/registry.test.d.ts.map +1 -0
package/dist/__tests__/agents/adversary/tactics/registry.test.js +74 -0
package/dist/__tests__/agents/adversary/tactics/registry.test.js.map +1 -0
package/dist/__tests__/agents/adversary/tactics/web-app.test.d.ts +7 -0
package/dist/__tests__/agents/adversary/tactics/web-app.test.d.ts.map +1 -0
package/dist/__tests__/agents/adversary/tactics/web-app.test.js +374 -0
package/dist/__tests__/agents/adversary/tactics/web-app.test.js.map +1 -0
package/dist/__tests__/compliance-bundle.test.d.ts +9 -0
package/dist/__tests__/compliance-bundle.test.d.ts.map +1 -0
package/dist/__tests__/compliance-bundle.test.js +344 -0
package/dist/__tests__/compliance-bundle.test.js.map +1 -0
package/dist/__tests__/healthcare-compliance.test.d.ts +9 -0
package/dist/__tests__/healthcare-compliance.test.d.ts.map +1 -0
package/dist/__tests__/healthcare-compliance.test.js +233 -0
package/dist/__tests__/healthcare-compliance.test.js.map +1 -0
package/dist/action/diff-mode.d.ts +124 -8
package/dist/action/diff-mode.d.ts.map +1 -1
package/dist/action/diff-mode.js +384 -65
package/dist/action/diff-mode.js.map +1 -1
package/dist/action/diff-mode.test.js +3 -3
package/dist/action/diff-mode.test.js.map +1 -1
package/dist/action/pr-comment.test.js +1 -0
package/dist/action/pr-comment.test.js.map +1 -1
package/dist/action/sarif-upload.test.js +1 -0
package/dist/action/sarif-upload.test.js.map +1 -1
package/dist/agents/adversary/config.d.ts +25 -4
package/dist/agents/adversary/config.d.ts.map +1 -1
package/dist/agents/adversary/config.js +38 -8
package/dist/agents/adversary/config.js.map +1 -1
package/dist/agents/adversary/index.d.ts +7 -0
package/dist/agents/adversary/index.d.ts.map +1 -1
package/dist/agents/adversary/index.js +83 -1
package/dist/agents/adversary/index.js.map +1 -1
package/dist/agents/adversary/reporting/compliance-mapper.d.ts +108 -0
package/dist/agents/adversary/reporting/compliance-mapper.d.ts.map +1 -0
package/dist/agents/adversary/reporting/compliance-mapper.js +391 -0
package/dist/agents/adversary/reporting/compliance-mapper.js.map +1 -0
package/dist/agents/adversary/reporting/index.d.ts +10 -0
package/dist/agents/adversary/reporting/index.d.ts.map +1 -0
package/dist/agents/adversary/reporting/index.js +10 -0
package/dist/agents/adversary/reporting/index.js.map +1 -0
package/dist/agents/adversary/reporting/poc-generator.d.ts +44 -0
package/dist/agents/adversary/reporting/poc-generator.d.ts.map +1 -0
package/dist/agents/adversary/reporting/poc-generator.js +308 -0
package/dist/agents/adversary/reporting/poc-generator.js.map +1 -0
package/dist/agents/adversary/tactics/api.d.ts +13 -0
package/dist/agents/adversary/tactics/api.d.ts.map +1 -0
package/dist/agents/adversary/tactics/api.js +815 -0
package/dist/agents/adversary/tactics/api.js.map +1 -0
package/dist/agents/adversary/tactics/auth.d.ts +13 -0
package/dist/agents/adversary/tactics/auth.d.ts.map +1 -0
package/dist/agents/adversary/tactics/auth.js +676 -0
package/dist/agents/adversary/tactics/auth.js.map +1 -0
package/dist/agents/adversary/tactics/index.d.ts +129 -0
package/dist/agents/adversary/tactics/index.d.ts.map +1 -0
package/dist/agents/adversary/tactics/index.js +199 -0
package/dist/agents/adversary/tactics/index.js.map +1 -0
package/dist/agents/adversary/tactics/infra.d.ts +13 -0
package/dist/agents/adversary/tactics/infra.d.ts.map +1 -0
package/dist/agents/adversary/tactics/infra.js +827 -0
package/dist/agents/adversary/tactics/infra.js.map +1 -0
package/dist/agents/adversary/tactics/injection.d.ts +12 -0
package/dist/agents/adversary/tactics/injection.d.ts.map +1 -0
package/dist/agents/adversary/tactics/injection.js +549 -0
package/dist/agents/adversary/tactics/injection.js.map +1 -0
package/dist/agents/adversary/tactics/llm.d.ts +13 -0
package/dist/agents/adversary/tactics/llm.d.ts.map +1 -0
package/dist/agents/adversary/tactics/llm.js +767 -0
package/dist/agents/adversary/tactics/llm.js.map +1 -0
package/dist/agents/adversary/tactics/web-app.d.ts +13 -0
package/dist/agents/adversary/tactics/web-app.d.ts.map +1 -0
package/dist/agents/adversary/tactics/web-app.js +717 -0
package/dist/agents/adversary/tactics/web-app.js.map +1 -0
package/dist/agents/adversary/types.d.ts +66 -10
package/dist/agents/adversary/types.d.ts.map +1 -1
package/dist/agents/zero-day-hunter.d.ts +1 -1
package/dist/agents/zero-day-hunter.d.ts.map +1 -1
package/dist/analysis/data-flow.d.ts +154 -0
package/dist/analysis/data-flow.d.ts.map +1 -0
package/dist/analysis/data-flow.js +393 -0
package/dist/analysis/data-flow.js.map +1 -0
package/dist/analysis/index.d.ts +9 -0
package/dist/analysis/index.d.ts.map +1 -0
package/dist/analysis/index.js +9 -0
package/dist/analysis/index.js.map +1 -0
package/dist/badge-service/index.d.ts +144 -0
package/dist/badge-service/index.d.ts.map +1 -0
package/dist/badge-service/index.js +206 -0
package/dist/badge-service/index.js.map +1 -0
package/dist/certification/types.d.ts +1 -1
package/dist/certification/types.d.ts.map +1 -1
package/dist/certification/types.js.map +1 -1
package/dist/commands/certification/certify.d.ts.map +1 -1
package/dist/commands/certification/certify.js +18 -4
package/dist/commands/certification/certify.js.map +1 -1
package/dist/compliance/attestation.d.ts +39 -0
package/dist/compliance/attestation.d.ts.map +1 -0
package/dist/compliance/attestation.js +364 -0
package/dist/compliance/attestation.js.map +1 -0
package/dist/compliance/cfr42-part2.d.ts +42 -0
package/dist/compliance/cfr42-part2.d.ts.map +1 -0
package/dist/compliance/cfr42-part2.js +408 -0
package/dist/compliance/cfr42-part2.js.map +1 -0
package/dist/compliance/compliance-bundle.d.ts +100 -0
package/dist/compliance/compliance-bundle.d.ts.map +1 -0
package/dist/compliance/compliance-bundle.js +210 -0
package/dist/compliance/compliance-bundle.js.map +1 -0
package/dist/compliance/healthcare-bundle.d.ts +68 -0
package/dist/compliance/healthcare-bundle.d.ts.map +1 -0
package/dist/compliance/healthcare-bundle.js +104 -0
package/dist/compliance/healthcare-bundle.js.map +1 -0
package/dist/compliance/hipaa.d.ts.map +1 -1
package/dist/compliance/hipaa.js +14 -11
package/dist/compliance/hipaa.js.map +1 -1
package/dist/compliance/index.d.ts +10 -2
package/dist/compliance/index.d.ts.map +1 -1
package/dist/compliance/index.js +9 -3
package/dist/compliance/index.js.map +1 -1
package/dist/compliance/mapper.d.ts.map +1 -1
package/dist/compliance/mapper.js +3 -17
package/dist/compliance/mapper.js.map +1 -1
package/dist/compliance/nist-800-53.d.ts +22 -6
package/dist/compliance/nist-800-53.d.ts.map +1 -1
package/dist/compliance/nist-800-53.js +264 -272
package/dist/compliance/nist-800-53.js.map +1 -1
package/dist/compliance/report.d.ts +31 -2
package/dist/compliance/report.d.ts.map +1 -1
package/dist/compliance/report.js +255 -4
package/dist/compliance/report.js.map +1 -1
package/dist/compliance/types.d.ts +1 -1
package/dist/compliance/types.d.ts.map +1 -1
package/dist/config/flags.d.ts +12 -12
package/dist/cost/index.d.ts +1 -1
package/dist/cost/index.d.ts.map +1 -1
package/dist/cost/index.js +1 -1
package/dist/cost/index.js.map +1 -1
package/dist/cost/tracker.d.ts +64 -0
package/dist/cost/tracker.d.ts.map +1 -1
package/dist/cost/tracker.js +165 -0
package/dist/cost/tracker.js.map +1 -1
package/dist/eval/fixtures/healthcare/audit-gaps.d.ts +28 -0
package/dist/eval/fixtures/healthcare/audit-gaps.d.ts.map +1 -0
package/dist/eval/fixtures/healthcare/audit-gaps.js +90 -0
package/dist/eval/fixtures/healthcare/audit-gaps.js.map +1 -0
package/dist/eval/fixtures/healthcare/consent-bypass.d.ts +31 -0
package/dist/eval/fixtures/healthcare/consent-bypass.d.ts.map +1 -0
package/dist/eval/fixtures/healthcare/consent-bypass.js +61 -0
package/dist/eval/fixtures/healthcare/consent-bypass.js.map +1 -0
package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts +24 -0
package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts.map +1 -0
package/dist/eval/fixtures/healthcare/phi-in-logs.js +41 -0
package/dist/eval/fixtures/healthcare/phi-in-logs.js.map +1 -0
package/dist/evidence/collector.d.ts +21 -0
package/dist/evidence/collector.d.ts.map +1 -0
package/dist/evidence/collector.js +340 -0
package/dist/evidence/collector.js.map +1 -0
package/dist/evidence/index.d.ts +11 -0
package/dist/evidence/index.d.ts.map +1 -0
package/dist/evidence/index.js +12 -0
package/dist/evidence/index.js.map +1 -0
package/dist/evidence/store.d.ts +39 -0
package/dist/evidence/store.d.ts.map +1 -0
package/dist/evidence/store.js +173 -0
package/dist/evidence/store.js.map +1 -0
package/dist/evidence/types.d.ts +175 -0
package/dist/evidence/types.d.ts.map +1 -0
package/dist/evidence/types.js +9 -0
package/dist/evidence/types.js.map +1 -0
package/dist/exporters/checkmarx.d.ts +18 -0
package/dist/exporters/checkmarx.d.ts.map +1 -0
package/dist/exporters/checkmarx.js +203 -0
package/dist/exporters/checkmarx.js.map +1 -0
package/dist/exporters/index.d.ts +22 -0
package/dist/exporters/index.d.ts.map +1 -0
package/dist/exporters/index.js +41 -0
package/dist/exporters/index.js.map +1 -0
package/dist/exporters/snyk.d.ts +18 -0
package/dist/exporters/snyk.d.ts.map +1 -0
package/dist/exporters/snyk.js +119 -0
package/dist/exporters/snyk.js.map +1 -0
package/dist/exporters/sonarqube.d.ts +18 -0
package/dist/exporters/sonarqube.d.ts.map +1 -0
package/dist/exporters/sonarqube.js +125 -0
package/dist/exporters/sonarqube.js.map +1 -0
package/dist/exporters/types.d.ts +190 -0
package/dist/exporters/types.d.ts.map +1 -0
package/dist/exporters/types.js +9 -0
package/dist/exporters/types.js.map +1 -0
package/dist/frontier/index.d.ts +12 -0
package/dist/frontier/index.d.ts.map +1 -0
package/dist/frontier/index.js +12 -0
package/dist/frontier/index.js.map +1 -0
package/dist/frontier/orchestrator.d.ts +73 -0
package/dist/frontier/orchestrator.d.ts.map +1 -0
package/dist/frontier/orchestrator.js +312 -0
package/dist/frontier/orchestrator.js.map +1 -0
package/dist/frontier/providers/stub.d.ts +32 -0
package/dist/frontier/providers/stub.d.ts.map +1 -0
package/dist/frontier/providers/stub.js +66 -0
package/dist/frontier/providers/stub.js.map +1 -0
package/dist/frontier/types.d.ts +318 -0
package/dist/frontier/types.d.ts.map +1 -0
package/dist/frontier/types.js +27 -0
package/dist/frontier/types.js.map +1 -0
package/dist/history/index.d.ts +13 -0
package/dist/history/index.d.ts.map +1 -0
package/dist/history/index.js +15 -0
package/dist/history/index.js.map +1 -0
package/dist/history/store.d.ts +74 -0
package/dist/history/store.d.ts.map +1 -0
package/dist/history/store.js +399 -0
package/dist/history/store.js.map +1 -0
package/dist/history/types.d.ts +282 -0
package/dist/history/types.d.ts.map +1 -0
package/dist/history/types.js +41 -0
package/dist/history/types.js.map +1 -0
package/dist/history/verify.d.ts +44 -0
package/dist/history/verify.d.ts.map +1 -0
package/dist/history/verify.js +230 -0
package/dist/history/verify.js.map +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +431 -18
package/dist/index.js.map +1 -1
package/dist/multimodel/index.d.ts +1 -0
package/dist/multimodel/index.d.ts.map +1 -1
package/dist/multimodel/index.js +2 -0
package/dist/multimodel/index.js.map +1 -1
package/dist/multimodel/leaderboard.d.ts +116 -0
package/dist/multimodel/leaderboard.d.ts.map +1 -0
package/dist/multimodel/leaderboard.js +262 -0
package/dist/multimodel/leaderboard.js.map +1 -0
package/dist/observability/otel.d.ts.map +1 -1
package/dist/observability/otel.js +1 -3
package/dist/observability/otel.js.map +1 -1
package/dist/plugins/loader.js +1 -1
package/dist/plugins/loader.js.map +1 -1
package/dist/scanners/agent/agent-chain-analysis.d.ts +152 -0
package/dist/scanners/agent/agent-chain-analysis.d.ts.map +1 -0
package/dist/scanners/agent/agent-chain-analysis.js +438 -0
package/dist/scanners/agent/agent-chain-analysis.js.map +1 -0
package/dist/scanners/agent/payloads/index.d.ts +2 -1
package/dist/scanners/agent/payloads/index.d.ts.map +1 -1
package/dist/scanners/agent/payloads/index.js +25 -6
package/dist/scanners/agent/payloads/index.js.map +1 -1
package/dist/scanners/agent/prompt-injection-fuzzer.d.ts.map +1 -1
package/dist/scanners/agent/prompt-injection-fuzzer.js +14 -0
package/dist/scanners/agent/prompt-injection-fuzzer.js.map +1 -1
package/dist/scanners/agent/types.d.ts +5 -5
package/dist/scanners/agent/types.d.ts.map +1 -1
package/dist/scanners/agent/types.js.map +1 -1
package/dist/scanners/cache.d.ts +156 -0
package/dist/scanners/cache.d.ts.map +1 -0
package/dist/scanners/cache.js +462 -0
package/dist/scanners/cache.js.map +1 -0
package/dist/scanners/dependencies.js +4 -4
package/dist/scanners/dependencies.js.map +1 -1
package/dist/scanners/gosec.d.ts.map +1 -1
package/dist/scanners/gosec.js +47 -9
package/dist/scanners/gosec.js.map +1 -1
package/dist/scanners/healthcare.d.ts +29 -0
package/dist/scanners/healthcare.d.ts.map +1 -0
package/dist/scanners/healthcare.js +526 -0
package/dist/scanners/healthcare.js.map +1 -0
package/dist/scanners/index.d.ts +1 -0
package/dist/scanners/index.d.ts.map +1 -1
package/dist/scanners/index.js +33 -0
package/dist/scanners/index.js.map +1 -1
package/dist/scanners/index.test.js +6 -6
package/dist/scanners/index.test.js.map +1 -1
package/dist/scanners/secrets.js +4 -4
package/dist/scanners/secrets.js.map +1 -1
package/dist/scanners/semgrep.js +5 -5
package/dist/scanners/semgrep.js.map +1 -1
package/dist/scanners/types.d.ts +1 -1
package/dist/scanners/types.d.ts.map +1 -1
package/dist/scanners/types.js +1 -0
package/dist/scanners/types.js.map +1 -1
package/dist/scanners/typescript.test.js +1 -1
package/dist/scanners/typescript.test.js.map +1 -1
package/dist/telemetry/index.d.ts +10 -0
package/dist/telemetry/index.d.ts.map +1 -0
package/dist/telemetry/index.js +10 -0
package/dist/telemetry/index.js.map +1 -0
package/dist/telemetry/registry.d.ts +178 -0
package/dist/telemetry/registry.d.ts.map +1 -0
package/dist/telemetry/registry.js +297 -0
package/dist/telemetry/registry.js.map +1 -0
package/dist/telemetry/usage.d.ts +197 -0
package/dist/telemetry/usage.d.ts.map +1 -0
package/dist/telemetry/usage.js +244 -0
package/dist/telemetry/usage.js.map +1 -0
package/package.json +1 -1

package/dist/compliance/cfr42-part2.js ADDED Viewed

@@ -0,0 +1,408 @@
+/**
+ * 42 CFR Part 2 Compliance Controls
+ *
+ * Confidentiality of Substance Use Disorder Patient Records
+ * (Stricter than HIPAA for SUD treatment records)
+ *
+ * @module compliance/cfr42-part2
+ */
+/**
+ * 42 CFR Part 2 control categories
+ */
+export const CFR42_PART2_CATEGORIES = [
+    "General Provisions",
+    "Disclosures With Consent",
+    "Disclosures Without Consent",
+    "Security Safeguards",
+    "Audit and Accountability",
+    "Re-disclosure Restrictions",
+    "Qualified Service Organizations",
+    "Patient Rights",
+];
+/**
+ * 42 CFR Part 2 controls for SUD confidentiality
+ *
+ * These controls are STRICTER than HIPAA and apply specifically to
+ * substance use disorder (SUD) treatment records.
+ */
+export const CFR42_PART2_CONTROLS = [
+    // General Provisions (Subpart B)
+    {
+        id: "2.12",
+        framework: "42-CFR-PART-2",
+        category: "General Provisions",
+        title: "Prohibition on Disclosure",
+        description: "Records of the identity, diagnosis, prognosis, or treatment of any patient maintained in connection with the performance of any SUD program shall be confidential and disclosed only as permitted.",
+        keywords: [
+            "substance use",
+            "SUD",
+            "confidential",
+            "disclosure",
+            "patient record",
+            "addiction",
+            "treatment",
+        ],
+        findingCategories: [
+            "phi-exposure",
+            "sud-disclosure",
+            "data-exposure",
+            "logging",
+        ],
+        cweIds: ["CWE-200", "CWE-532", "CWE-359"],
+        severityThreshold: "high",
+    },
+    {
+        id: "2.13",
+        framework: "42-CFR-PART-2",
+        category: "General Provisions",
+        title: "Confidentiality Restrictions",
+        description: "Part 2 programs, lawful holders, and other individuals may not disclose patient identifying information or seek, use, or disclose records except as permitted by Part 2.",
+        keywords: [
+            "confidentiality",
+            "restrictions",
+            "patient identifying information",
+            "lawful holder",
+        ],
+        findingCategories: [
+            "phi-exposure",
+            "access-control-gap",
+            "authorization",
+            "broken-access-control",
+        ],
+        cweIds: ["CWE-284", "CWE-862", "CWE-863"],
+        severityThreshold: "high",
+    },
+    {
+        id: "2.14",
+        framework: "42-CFR-PART-2",
+        category: "General Provisions",
+        title: "Minor Patient Consent",
+        description: "When state law requires parental consent for SUD treatment of a minor, consent for disclosure must come from both the minor and parent/guardian.",
+        keywords: [
+            "minor",
+            "parental consent",
+            "guardian",
+            "age verification",
+            "dual consent",
+        ],
+        findingCategories: ["consent-bypass", "consent-missing", "authorization"],
+        cweIds: ["CWE-862"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "2.15",
+        framework: "42-CFR-PART-2",
+        category: "General Provisions",
+        title: "Incompetent Patient Consent",
+        description: "For patients lacking capacity, consent must be obtained from guardian or authorized representative with patient notification.",
+        keywords: [
+            "incompetent",
+            "guardian",
+            "authorized representative",
+            "capacity",
+        ],
+        findingCategories: ["consent-bypass", "consent-missing", "authorization"],
+        cweIds: ["CWE-862"],
+        severityThreshold: "medium",
+    },
+    // Disclosures With Consent (Subpart C)
+    {
+        id: "2.31",
+        framework: "42-CFR-PART-2",
+        category: "Disclosures With Consent",
+        title: "Written Consent Requirements",
+        description: "Consent must be in writing and include: patient name, program name, recipient name, purpose, information to be disclosed, signature, date, expiration, and right to revoke.",
+        keywords: [
+            "written consent",
+            "consent form",
+            "signature",
+            "expiration",
+            "revocation",
+            "purpose limitation",
+        ],
+        findingCategories: [
+            "consent-bypass",
+            "consent-missing",
+            "authorization",
+            "audit-gap",
+        ],
+        cweIds: ["CWE-862", "CWE-778"],
+        severityThreshold: "high",
+    },
+    {
+        id: "2.32",
+        framework: "42-CFR-PART-2",
+        category: "Re-disclosure Restrictions",
+        title: "Re-disclosure Notice Requirement",
+        description: "Each disclosure made with consent must include a written statement prohibiting re-disclosure except as permitted by Part 2.",
+        keywords: [
+            "re-disclosure",
+            "prohibition notice",
+            "downstream disclosure",
+            "notice statement",
+        ],
+        findingCategories: [
+            "redisclosure-violation",
+            "third-party-risk",
+            "data-flow",
+        ],
+        cweIds: ["CWE-200", "CWE-359"],
+        severityThreshold: "high",
+    },
+    {
+        id: "2.33",
+        framework: "42-CFR-PART-2",
+        category: "Qualified Service Organizations",
+        title: "QSOA Requirements",
+        description: "Qualified Service Organization Agreement required before disclosing records to contractors providing services to the program.",
+        keywords: [
+            "QSOA",
+            "qualified service organization",
+            "contractor",
+            "third-party",
+            "business associate",
+            "vendor",
+        ],
+        findingCategories: [
+            "qsoa-violation",
+            "third-party-risk",
+            "vendor",
+            "supply-chain",
+        ],
+        cweIds: ["CWE-200"],
+        severityThreshold: "high",
+    },
+    {
+        id: "2.34",
+        framework: "42-CFR-PART-2",
+        category: "Disclosures With Consent",
+        title: "Consent Revocation",
+        description: "Patients may revoke consent at any time. Programs must honor revocation prospectively.",
+        keywords: [
+            "revocation",
+            "revoke consent",
+            "withdraw consent",
+            "prospective",
+        ],
+        findingCategories: ["consent-bypass", "consent-missing", "authorization"],
+        cweIds: ["CWE-862"],
+        severityThreshold: "medium",
+    },
+    // Security Safeguards (Subpart B §2.16)
+    {
+        id: "2.16(a)",
+        framework: "42-CFR-PART-2",
+        category: "Security Safeguards",
+        title: "Safeguards Against Unauthorized Access",
+        description: "Part 2 programs must have formal policies and procedures to protect patient records from unauthorized access.",
+        keywords: [
+            "safeguards",
+            "unauthorized access",
+            "policies",
+            "procedures",
+            "access control",
+        ],
+        findingCategories: [
+            "access-control-gap",
+            "broken-access-control",
+            "authorization",
+            "authentication",
+        ],
+        cweIds: ["CWE-284", "CWE-287", "CWE-862"],
+        severityThreshold: "high",
+    },
+    {
+        id: "2.16(b)",
+        framework: "42-CFR-PART-2",
+        category: "Security Safeguards",
+        title: "Electronic Records Security",
+        description: "Programs maintaining electronic records must implement security measures including access controls, encryption, and audit trails.",
+        keywords: [
+            "electronic records",
+            "encryption",
+            "access control",
+            "audit trail",
+            "security measures",
+        ],
+        findingCategories: [
+            "encryption",
+            "missing-encryption",
+            "access-control-gap",
+            "audit-gap",
+        ],
+        cweIds: ["CWE-311", "CWE-312", "CWE-778"],
+        severityThreshold: "high",
+    },
+    // Audit and Accountability
+    {
+        id: "2.52",
+        framework: "42-CFR-PART-2",
+        category: "Audit and Accountability",
+        title: "Accounting of Disclosures",
+        description: "Programs must maintain records of disclosures made with or without consent, including date, recipient, purpose, and information disclosed.",
+        keywords: [
+            "accounting",
+            "disclosure log",
+            "audit trail",
+            "disclosure record",
+            "recipient tracking",
+        ],
+        findingCategories: ["audit-gap", "logging", "insufficient-logging"],
+        cweIds: ["CWE-778", "CWE-223"],
+        severityThreshold: "high",
+    },
+    {
+        id: "2.53",
+        framework: "42-CFR-PART-2",
+        category: "Audit and Accountability",
+        title: "Breach Notification",
+        description: "Programs must notify patients and HHS of breaches of unsecured SUD records.",
+        keywords: [
+            "breach",
+            "notification",
+            "incident response",
+            "unsecured records",
+        ],
+        findingCategories: [
+            "security-misconfiguration",
+            "logging",
+            "audit-gap",
+        ],
+        cweIds: ["CWE-778"],
+        severityThreshold: "high",
+    },
+    // Disclosures Without Consent (Subpart D)
+    {
+        id: "2.51",
+        framework: "42-CFR-PART-2",
+        category: "Disclosures Without Consent",
+        title: "Medical Emergency Exception",
+        description: "Disclosure without consent permitted only for medical emergencies where delay would increase health risk.",
+        keywords: [
+            "medical emergency",
+            "emergency disclosure",
+            "health risk",
+            "exception",
+        ],
+        findingCategories: ["consent-bypass", "audit-gap", "logging"],
+        cweIds: ["CWE-778"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "2.63",
+        framework: "42-CFR-PART-2",
+        category: "Disclosures Without Consent",
+        title: "Research Exception Requirements",
+        description: "Research disclosures require IRB/Privacy Board approval, data use agreement, and prohibition on re-identification.",
+        keywords: [
+            "research",
+            "IRB",
+            "privacy board",
+            "data use agreement",
+            "de-identification",
+        ],
+        findingCategories: ["consent-bypass", "authorization", "audit-gap"],
+        cweIds: ["CWE-359"],
+        severityThreshold: "medium",
+    },
+    // Patient Rights
+    {
+        id: "2.23",
+        framework: "42-CFR-PART-2",
+        category: "Patient Rights",
+        title: "Patient Access to Records",
+        description: "Patients have the right to inspect and obtain copies of their SUD treatment records upon request.",
+        keywords: ["patient access", "record access", "copy", "inspect", "request"],
+        findingCategories: ["access-control-gap", "authorization"],
+        cweIds: ["CWE-284"],
+        severityThreshold: "low",
+    },
+    {
+        id: "2.24",
+        framework: "42-CFR-PART-2",
+        category: "Patient Rights",
+        title: "Patient Amendment Rights",
+        description: "Patients may request amendment of inaccurate or incomplete records.",
+        keywords: ["amendment", "correction", "inaccurate", "incomplete"],
+        findingCategories: ["data-integrity", "authorization"],
+        severityThreshold: "low",
+    },
+    // Additional Technical Controls
+    {
+        id: "2.16(c)",
+        framework: "42-CFR-PART-2",
+        category: "Security Safeguards",
+        title: "Data Transmission Security",
+        description: "SUD records transmitted electronically must be encrypted and protected against interception.",
+        keywords: [
+            "transmission",
+            "encryption",
+            "TLS",
+            "HTTPS",
+            "interception",
+            "network security",
+        ],
+        findingCategories: [
+            "transport-security",
+            "encryption",
+            "insecure-transmission",
+        ],
+        cweIds: ["CWE-319", "CWE-523"],
+        severityThreshold: "high",
+    },
+    {
+        id: "2.16(d)",
+        framework: "42-CFR-PART-2",
+        category: "Security Safeguards",
+        title: "Data Segmentation",
+        description: "SUD records should be segmented from general health records to prevent inadvertent disclosure under HIPAA.",
+        keywords: [
+            "segmentation",
+            "segregation",
+            "separate storage",
+            "data isolation",
+        ],
+        findingCategories: ["access-control-gap", "data-exposure", "phi-exposure"],
+        cweIds: ["CWE-284", "CWE-668"],
+        severityThreshold: "high",
+    },
+];
+/**
+ * Get all 42 CFR Part 2 controls
+ */
+export function getCFR42Part2Controls() {
+    return CFR42_PART2_CONTROLS;
+}
+/**
+ * Get 42 CFR Part 2 controls by category
+ */
+export function getCFR42Part2ControlsByCategory(category) {
+    return CFR42_PART2_CONTROLS.filter((c) => c.category === category);
+}
+/**
+ * Get 42 CFR Part 2 control by ID
+ */
+export function getCFR42Part2ControlById(id) {
+    return CFR42_PART2_CONTROLS.find((c) => c.id === id);
+}
+/**
+ * Get 42 CFR Part 2 categories
+ */
+export function getCFR42Part2Categories() {
+    return CFR42_PART2_CATEGORIES;
+}
+/**
+ * Cross-reference mapping to HIPAA controls
+ * 42 CFR Part 2 often overlaps with but is stricter than HIPAA
+ */
+export const CFR42_TO_HIPAA_MAPPING = {
+    "2.12": ["164.308(a)(1)", "164.312(a)(1)"],
+    "2.13": ["164.308(a)(4)", "164.312(a)(1)"],
+    "2.16(a)": ["164.312(a)(1)", "164.308(a)(3)"],
+    "2.16(b)": ["164.312(a)(2)(iv)", "164.312(b)"],
+    "2.16(c)": ["164.312(e)(1)", "164.312(e)(2)(ii)"],
+    "2.31": ["164.508"],
+    "2.52": ["164.312(b)", "164.528"],
+    "2.53": ["164.402", "164.404"],
+};
+//# sourceMappingURL=cfr42-part2.js.map

package/dist/compliance/cfr42-part2.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cfr42-part2.js","sourceRoot":"","sources":["../../src/compliance/cfr42-part2.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,oBAAoB;IACpB,0BAA0B;IAC1B,6BAA6B;IAC7B,qBAAqB;IACrB,0BAA0B;IAC1B,4BAA4B;IAC5B,iCAAiC;IACjC,gBAAgB;CACR,CAAC;AAEX;;;;;GAKG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAwB;IACvD,iCAAiC;IACjC;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,oMAAoM;QACtM,QAAQ,EAAE;YACR,eAAe;YACf,KAAK;YACL,cAAc;YACd,YAAY;YACZ,gBAAgB;YAChB,WAAW;YACX,WAAW;SACZ;QACD,iBAAiB,EAAE;YACjB,cAAc;YACd,gBAAgB;YAChB,eAAe;YACf,SAAS;SACV;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;QACzC,iBAAiB,EAAE,MAAM;KAC1B;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,8BAA8B;QACrC,WAAW,EACT,0KAA0K;QAC5K,QAAQ,EAAE;YACR,iBAAiB;YACjB,cAAc;YACd,iCAAiC;YACjC,eAAe;SAChB;QACD,iBAAiB,EAAE;YACjB,cAAc;YACd,oBAAoB;YACpB,eAAe;YACf,uBAAuB;SACxB;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;QACzC,iBAAiB,EAAE,MAAM;KAC1B;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EACT,kJAAkJ;QACpJ,QAAQ,EAAE;YACR,OAAO;YACP,kBAAkB;YAClB,UAAU;YACV,kBAAkB;YAClB,cAAc;SACf;QACD,iBAAiB,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,eAAe,CAAC;QACzE,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,iBAAiB,EAAE,QAAQ;KAC5B;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,+HAA+H;QACjI,QAAQ,EAAE;YACR,aAAa;YACb,UAAU;YACV,2BAA2B;YAC3B,UAAU;SACX;QACD,iBAAiB,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,eAAe,CAAC;QACzE,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,iBAAiB,EAAE,QAAQ;KAC5B;IAED,uCAAuC;IACvC;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,0BAA0B;QACpC,KAAK,EAAE,8BAA8B;QACrC,WAAW,EACT,6KAA6K;QAC/K,QAAQ,EAAE;YACR,iBAAiB;YACjB,cAAc;YACd,WAAW;YACX,YAAY;YACZ,YAAY;YACZ,oBAAoB;SACrB;QACD,iBAAiB,EAAE;YACjB,gBAAgB;YAChB,iBAAiB;YACjB,eAAe;YACf,WAAW;SACZ;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,iBAAiB,EAAE,MAAM;KAC1B;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,4BAA4B;QACtC,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6HAA6H;QAC/H,QAAQ,EAAE;YACR,eAAe;YACf,oBAAoB;YACpB,uBAAuB;YACvB,kBAAkB;SACnB;QACD,iBAAiB,EAAE;YACjB,wBAAwB;YACxB,kBAAkB;YAClB,WAAW;SACZ;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,iBAAiB,EAAE,MAAM;KAC1B;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,iCAAiC;QAC3C,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EACT,+HAA+H;QACjI,QAAQ,EAAE;YACR,MAAM;YACN,gCAAgC;YAChC,YAAY;YACZ,aAAa;YACb,oBAAoB;YACpB,QAAQ;SACT;QACD,iBAAiB,EAAE;YACjB,gBAAgB;YAChB,kBAAkB;YAClB,QAAQ;YACR,cAAc;SACf;QACD,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,iBAAiB,EAAE,MAAM;KAC1B;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,0BAA0B;QACpC,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,wFAAwF;QAC1F,QAAQ,EAAE;YACR,YAAY;YACZ,gBAAgB;YAChB,kBAAkB;YAClB,aAAa;SACd;QACD,iBAAiB,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,eAAe,CAAC;QACzE,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,iBAAiB,EAAE,QAAQ;KAC5B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,SAAS;QACb,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,qBAAqB;QAC/B,KAAK,EAAE,wCAAwC;QAC/C,WAAW,EACT,+GAA+G;QACjH,QAAQ,EAAE;YACR,YAAY;YACZ,qBAAqB;YACrB,UAAU;YACV,YAAY;YACZ,gBAAgB;SACjB;QACD,iBAAiB,EAAE;YACjB,oBAAoB;YACpB,uBAAuB;YACvB,eAAe;YACf,gBAAgB;SACjB;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;QACzC,iBAAiB,EAAE,MAAM;KAC1B;IACD;QACE,EAAE,EAAE,SAAS;QACb,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,qBAAqB;QAC/B,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,mIAAmI;QACrI,QAAQ,EAAE;YACR,oBAAoB;YACpB,YAAY;YACZ,gBAAgB;YAChB,aAAa;YACb,mBAAmB;SACpB;QACD,iBAAiB,EAAE;YACjB,YAAY;YACZ,oBAAoB;YACpB,oBAAoB;YACpB,WAAW;SACZ;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;QACzC,iBAAiB,EAAE,MAAM;KAC1B;IAED,2BAA2B;IAC3B;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,0BAA0B;QACpC,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,4IAA4I;QAC9I,QAAQ,EAAE;YACR,YAAY;YACZ,gBAAgB;YAChB,aAAa;YACb,mBAAmB;YACnB,oBAAoB;SACrB;QACD,iBAAiB,EAAE,CAAC,WAAW,EAAE,SAAS,EAAE,sBAAsB,CAAC;QACnE,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,iBAAiB,EAAE,MAAM;KAC1B;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,0BAA0B;QACpC,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EACT,6EAA6E;QAC/E,QAAQ,EAAE;YACR,QAAQ;YACR,cAAc;YACd,mBAAmB;YACnB,mBAAmB;SACpB;QACD,iBAAiB,EAAE;YACjB,2BAA2B;YAC3B,SAAS;YACT,WAAW;SACZ;QACD,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,iBAAiB,EAAE,MAAM;KAC1B;IAED,0CAA0C;IAC1C;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,6BAA6B;QACvC,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,2GAA2G;QAC7G,QAAQ,EAAE;YACR,mBAAmB;YACnB,sBAAsB;YACtB,aAAa;YACb,WAAW;SACZ;QACD,iBAAiB,EAAE,CAAC,gBAAgB,EAAE,WAAW,EAAE,SAAS,CAAC;QAC7D,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,iBAAiB,EAAE,QAAQ;KAC5B;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,6BAA6B;QACvC,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,oHAAoH;QACtH,QAAQ,EAAE;YACR,UAAU;YACV,KAAK;YACL,eAAe;YACf,oBAAoB;YACpB,mBAAmB;SACpB;QACD,iBAAiB,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,WAAW,CAAC;QACnE,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,iBAAiB,EAAE,QAAQ;KAC5B;IAED,iBAAiB;IACjB;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,mGAAmG;QACrG,QAAQ,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC;QAC3E,iBAAiB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QAC1D,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,iBAAiB,EAAE,KAAK;KACzB;IACD;QACE,EAAE,EAAE,MAAM;QACV,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,qEAAqE;QACvE,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,CAAC;QACjE,iBAAiB,EAAE,CAAC,gBAAgB,EAAE,eAAe,CAAC;QACtD,iBAAiB,EAAE,KAAK;KACzB;IAED,gCAAgC;IAChC;QACE,EAAE,EAAE,SAAS;QACb,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,qBAAqB;QAC/B,KAAK,EAAE,4BAA4B;QACnC,WAAW,EACT,8FAA8F;QAChG,QAAQ,EAAE;YACR,cAAc;YACd,YAAY;YACZ,KAAK;YACL,OAAO;YACP,cAAc;YACd,kBAAkB;SACnB;QACD,iBAAiB,EAAE;YACjB,oBAAoB;YACpB,YAAY;YACZ,uBAAuB;SACxB;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,iBAAiB,EAAE,MAAM;KAC1B;IACD;QACE,EAAE,EAAE,SAAS;QACb,SAAS,EAAE,eAAe;QAC1B,QAAQ,EAAE,qBAAqB;QAC/B,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EACT,4GAA4G;QAC9G,QAAQ,EAAE;YACR,cAAc;YACd,aAAa;YACb,kBAAkB;YAClB,gBAAgB;SACjB;QACD,iBAAiB,EAAE,CAAC,oBAAoB,EAAE,eAAe,EAAE,cAAc,CAAC;QAC1E,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,iBAAiB,EAAE,MAAM;KAC1B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,+BAA+B,CAC7C,QAAgB;IAEhB,OAAO,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CACtC,EAAU;IAEV,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,sBAAsB,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAA6B;IAC9D,MAAM,EAAE,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,MAAM,EAAE,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,SAAS,EAAE,CAAC,eAAe,EAAE,eAAe,CAAC;IAC7C,SAAS,EAAE,CAAC,mBAAmB,EAAE,YAAY,CAAC;IAC9C,SAAS,EAAE,CAAC,eAAe,EAAE,mBAAmB,CAAC;IACjD,MAAM,EAAE,CAAC,SAAS,CAAC;IACnB,MAAM,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC;IACjC,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;CAC/B,CAAC"}

package/dist/compliance/compliance-bundle.d.ts ADDED Viewed

@@ -0,0 +1,100 @@
+/**
+ * Compliance Assessment Bundle
+ *
+ * Orchestrates compliance assessment with evidence collection and audit
+ * trail verification for any combination of frameworks.
+ *
+ * @module compliance/compliance-bundle
+ */
+import type { Finding } from "../certification/types.js";
+import type { ComplianceReport, ComplianceFramework, MultiFrameworkReport } from "./types.js";
+import type { EvidenceBundle } from "../evidence/types.js";
+import type { IntegrityVerificationResult } from "../history/types.js";
+/**
+ * Compliance assessment result for a single framework
+ */
+export interface SingleFrameworkAssessmentResult {
+    /** Compliance report */
+    report: ComplianceReport;
+    /** Formatted markdown report */
+    markdownReport: string;
+    /** Evidence bundle if collected */
+    evidenceBundle?: EvidenceBundle;
+    /** Audit trail verification result */
+    auditVerification?: IntegrityVerificationResult;
+    /** Path where evidence was stored */
+    evidencePath?: string;
+    /** Overall assessment status */
+    status: "compliant" | "at_risk" | "non_compliant";
+}
+/**
+ * Compliance assessment result for multiple frameworks
+ */
+export interface MultiFrameworkAssessmentResult {
+    /** Individual reports per framework */
+    reports: Partial<Record<ComplianceFramework, ComplianceReport>>;
+    /** Multi-framework report */
+    multiFrameworkReport: MultiFrameworkReport;
+    /** Formatted markdown report */
+    markdownReport: string;
+    /** Evidence bundle if collected */
+    evidenceBundle?: EvidenceBundle;
+    /** Audit trail verification result */
+    auditVerification?: IntegrityVerificationResult;
+    /** Path where evidence was stored */
+    evidencePath?: string;
+    /** Overall assessment status */
+    status: "compliant" | "at_risk" | "non_compliant";
+    /** Combined compliance score (average across frameworks) */
+    combinedScore: number;
+}
+/**
+ * Options for running compliance assessment
+ */
+export interface ComplianceAssessmentOptions {
+    /** Project path to assess */
+    projectPath: string;
+    /** Security findings from certification/scanning */
+    findings: Finding[];
+    /** Framework(s) to assess */
+    frameworks: ComplianceFramework[];
+    /** Certification ID to associate with */
+    certificationId?: string;
+    /** Collect evidence bundle for audit defensibility */
+    collectEvidence?: boolean;
+    /** Sign evidence with Sigstore */
+    sign?: boolean;
+    /** Verify audit trail integrity */
+    verifyAuditTrail?: boolean;
+    /** Store evidence bundle to disk */
+    storeEvidence?: boolean;
+    /** Include attestation section in report */
+    includeAttestation?: boolean;
+}
+/**
+ * Run a compliance assessment for a single framework
+ *
+ * This function orchestrates:
+ * 1. Compliance control mapping for the framework
+ * 2. Audit trail integrity verification (optional)
+ * 3. Evidence bundle collection (optional)
+ * 4. Audit-defensible report generation
+ */
+export declare function runSingleFrameworkAssessment(options: Omit<ComplianceAssessmentOptions, "frameworks"> & {
+    framework: ComplianceFramework;
+}): Promise<SingleFrameworkAssessmentResult>;
+/**
+ * Run a compliance assessment for multiple frameworks
+ *
+ * This function orchestrates:
+ * 1. Compliance control mapping for all frameworks
+ * 2. Audit trail integrity verification (optional)
+ * 3. Evidence bundle collection (optional)
+ * 4. Unified audit-defensible report generation
+ */
+export declare function runComplianceAssessment(options: ComplianceAssessmentOptions): Promise<MultiFrameworkAssessmentResult>;
+/**
+ * Generate a quick compliance summary
+ */
+export declare function generateComplianceSummary(result: MultiFrameworkAssessmentResult): string;
+//# sourceMappingURL=compliance-bundle.d.ts.map

package/dist/compliance/compliance-bundle.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"compliance-bundle.d.ts","sourceRoot":"","sources":["../../src/compliance/compliance-bundle.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAUH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,2BAA2B,CAAC;AACzD,OAAO,KAAK,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAC9F,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,+BAA+B;IAC9C,wBAAwB;IACxB,MAAM,EAAE,gBAAgB,CAAC;IAEzB,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IAEvB,mCAAmC;IACnC,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC,sCAAsC;IACtC,iBAAiB,CAAC,EAAE,2BAA2B,CAAC;IAEhD,qCAAqC;IACrC,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,gCAAgC;IAChC,MAAM,EAAE,WAAW,GAAG,SAAS,GAAG,eAAe,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC7C,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,mBAAmB,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAEhE,6BAA6B;IAC7B,oBAAoB,EAAE,oBAAoB,CAAC;IAE3C,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IAEvB,mCAAmC;IACnC,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC,sCAAsC;IACtC,iBAAiB,CAAC,EAAE,2BAA2B,CAAC;IAEhD,qCAAqC;IACrC,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,gCAAgC;IAChC,MAAM,EAAE,WAAW,GAAG,SAAS,GAAG,eAAe,CAAC;IAElD,4DAA4D;IAC5D,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,6BAA6B;IAC7B,WAAW,EAAE,MAAM,CAAC;IAEpB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,EAAE,CAAC;IAEpB,6BAA6B;IAC7B,UAAU,EAAE,mBAAmB,EAAE,CAAC;IAElC,yCAAyC;IACzC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,sDAAsD;IACtD,eAAe,CAAC,EAAE,OAAO,CAAC;IAE1B,kCAAkC;IAClC,IAAI,CAAC,EAAE,OAAO,CAAC;IAEf,mCAAmC;IACnC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B,oCAAoC;IACpC,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB,4CAA4C;IAC5C,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,wBAAsB,4BAA4B,CAChD,OAAO,EAAE,IAAI,CAAC,2BAA2B,EAAE,YAAY,CAAC,GAAG;IAAE,SAAS,EAAE,mBAAmB,CAAA;CAAE,GAC5F,OAAO,CAAC,+BAA+B,CAAC,CA8E1C;AAED;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,2BAA2B,GACnC,OAAO,CAAC,8BAA8B,CAAC,CAmIzC;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,8BAA8B,GACrC,MAAM,CA4BR"}