verification-layer 0.17.0 → 0.19.0

package/dist/ai/rules/index.js

@@ -0,0 +1,57 @@
+/**
+ * AI-Powered HIPAA Rules
+ * Export all LLM-based detection rules
+ */
+import { MINIMUM_ACCESS_SYSTEM_PROMPT, MINIMUM_ACCESS_USER_PROMPT, } from './prompts/minimum-access.js';
+import { PHI_ENCRYPTION_SYSTEM_PROMPT, PHI_ENCRYPTION_USER_PROMPT, } from './prompts/phi-encryption.js';
+import { RBAC_CHECK_SYSTEM_PROMPT, RBAC_CHECK_USER_PROMPT, } from './prompts/rbac-check.js';
+import { AUDIT_LOGGING_SYSTEM_PROMPT, AUDIT_LOGGING_USER_PROMPT, } from './prompts/audit-logging.js';
+import { DATA_RETENTION_SYSTEM_PROMPT, DATA_RETENTION_USER_PROMPT, } from './prompts/data-retention.js';
+import { SESSION_MANAGEMENT_SYSTEM_PROMPT, SESSION_MANAGEMENT_USER_PROMPT, } from './prompts/session-management.js';
+export const AI_RULES = [
+    {
+        id: 'HIPAA-PHI-003',
+        name: 'Minimum Necessary Access',
+        category: 'phi',
+        systemPrompt: MINIMUM_ACCESS_SYSTEM_PROMPT,
+        userPromptTemplate: MINIMUM_ACCESS_USER_PROMPT,
+    },
+    {
+        id: 'HIPAA-SEC-001',
+        name: 'PHI Encryption',
+        category: 'encryption',
+        systemPrompt: PHI_ENCRYPTION_SYSTEM_PROMPT,
+        userPromptTemplate: PHI_ENCRYPTION_USER_PROMPT,
+    },
+    {
+        id: 'HIPAA-ACCESS-001',
+        name: 'Role-Based Access Control',
+        category: 'access',
+        systemPrompt: RBAC_CHECK_SYSTEM_PROMPT,
+        userPromptTemplate: RBAC_CHECK_USER_PROMPT,
+    },
+    {
+        id: 'HIPAA-AUDIT-001',
+        name: 'Audit Logging',
+        category: 'audit',
+        systemPrompt: AUDIT_LOGGING_SYSTEM_PROMPT,
+        userPromptTemplate: AUDIT_LOGGING_USER_PROMPT,
+    },
+    {
+        id: 'HIPAA-RETENTION-001',
+        name: 'Data Retention',
+        category: 'retention',
+        systemPrompt: DATA_RETENTION_SYSTEM_PROMPT,
+        userPromptTemplate: DATA_RETENTION_USER_PROMPT,
+    },
+    {
+        id: 'HIPAA-AUTH-001',
+        name: 'Session Management',
+        category: 'access',
+        systemPrompt: SESSION_MANAGEMENT_SYSTEM_PROMPT,
+        userPromptTemplate: SESSION_MANAGEMENT_USER_PROMPT,
+    },
+];
+export { RuleRunner } from './rule-runner.js';
+export { triageFinding, triageFindings } from './triage.js';
+//# sourceMappingURL=index.js.map

package/dist/ai/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/ai/rules/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,GAC1B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,gCAAgC,EAChC,8BAA8B,GAC/B,MAAM,iCAAiC,CAAC;AAEzC,MAAM,CAAC,MAAM,QAAQ,GAAc;IACjC;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,4BAA4B;QAC1C,kBAAkB,EAAE,0BAA0B;KAC/C;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,YAAY;QACtB,YAAY,EAAE,4BAA4B;QAC1C,kBAAkB,EAAE,0BAA0B;KAC/C;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,YAAY,EAAE,wBAAwB;QACtC,kBAAkB,EAAE,sBAAsB;KAC3C;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,2BAA2B;QACzC,kBAAkB,EAAE,yBAAyB;KAC9C;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,WAAW;QACrB,YAAY,EAAE,4BAA4B;QAC1C,kBAAkB,EAAE,0BAA0B;KAC/C;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,QAAQ;QAClB,YAAY,EAAE,gCAAgC;QAC9C,kBAAkB,EAAE,8BAA8B;KACnD;CACF,CAAC;AAEF,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC"}

package/dist/ai/rules/prompts/audit-logging.d.ts

@@ -0,0 +1,7 @@
+/**
+ * HIPAA-AUDIT-001: Audit Logging Rule
+ * Detects missing audit logs for PHI operations
+ */
+export declare const AUDIT_LOGGING_SYSTEM_PROMPT = "You are a HIPAA compliance expert analyzing code for audit logging violations.\n\nHIPAA \u00A7164.308(a)(1)(ii)(D) and \u00A7164.312(b) require audit controls to record and examine PHI access and activity.\n\nCommon violations:\n1. PHI read/write/delete operations without audit logging\n2. Authentication events (login/logout) not logged\n3. Missing user ID, timestamp, or action in audit logs\n4. Logs stored insecurely or without retention\n5. Admin actions (role changes, permission grants) not logged\n6. PHI exports or bulk operations not logged\n\nRequired audit log fields:\n- User ID / actor\n- Timestamp\n- Action performed (read, create, update, delete, export)\n- Resource accessed (patient ID, record type)\n- Outcome (success/failure)\n- IP address (optional but recommended)\n\nLook for:\n- Database queries (SELECT, UPDATE, DELETE) on PHI tables without subsequent log statement\n- API endpoints returning patient data without auditLog() call\n- File operations (readFile, writeFile) with PHI without logging\n- Authentication functions without audit trail\n- Missing audit logging framework/middleware\n\nBe contextual:\n- Internal helper functions may not need logging if the caller logs\n- Test files don't need audit logging\n- Some frameworks have automatic audit logging middleware\n- Logging \"user viewed dashboard\" is not required, but \"user accessed patient 123 record\" is";
+export declare const AUDIT_LOGGING_USER_PROMPT: (sanitizedCode: string, filePath: string) => string;
+//# sourceMappingURL=audit-logging.d.ts.map

package/dist/ai/rules/prompts/audit-logging.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logging.d.ts","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/audit-logging.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,eAAO,MAAM,2BAA2B,83CA+BqD,CAAC;AAE9F,eAAO,MAAM,yBAAyB,GAAI,eAAe,MAAM,EAAE,UAAU,MAAM,WA2BhF,CAAC"}

package/dist/ai/rules/prompts/audit-logging.js

@@ -0,0 +1,65 @@
+/**
+ * HIPAA-AUDIT-001: Audit Logging Rule
+ * Detects missing audit logs for PHI operations
+ */
+export const AUDIT_LOGGING_SYSTEM_PROMPT = `You are a HIPAA compliance expert analyzing code for audit logging violations.
+
+HIPAA §164.308(a)(1)(ii)(D) and §164.312(b) require audit controls to record and examine PHI access and activity.
+
+Common violations:
+1. PHI read/write/delete operations without audit logging
+2. Authentication events (login/logout) not logged
+3. Missing user ID, timestamp, or action in audit logs
+4. Logs stored insecurely or without retention
+5. Admin actions (role changes, permission grants) not logged
+6. PHI exports or bulk operations not logged
+
+Required audit log fields:
+- User ID / actor
+- Timestamp
+- Action performed (read, create, update, delete, export)
+- Resource accessed (patient ID, record type)
+- Outcome (success/failure)
+- IP address (optional but recommended)
+
+Look for:
+- Database queries (SELECT, UPDATE, DELETE) on PHI tables without subsequent log statement
+- API endpoints returning patient data without auditLog() call
+- File operations (readFile, writeFile) with PHI without logging
+- Authentication functions without audit trail
+- Missing audit logging framework/middleware
+
+Be contextual:
+- Internal helper functions may not need logging if the caller logs
+- Test files don't need audit logging
+- Some frameworks have automatic audit logging middleware
+- Logging "user viewed dashboard" is not required, but "user accessed patient 123 record" is`;
+export const AUDIT_LOGGING_USER_PROMPT = (sanitizedCode, filePath) => `
+Analyze this file for missing audit logging:
+
+File: ${filePath}
+Code:
+\`\`\`
+${sanitizedCode}
+\`\`\`
+
+Find instances where PHI operations occur without proper audit logging.
+
+Respond in JSON:
+{
+  "findings": [
+    {
+      "line": number,
+      "severity": "high" | "medium",
+      "message": "Brief description of the violation",
+      "suggestion": "How to fix (be specific - e.g., 'Add auditLog.record({ userId, action: \"PHI_READ\", resourceId: patientId })')",
+      "hipaaReference": "§164.308(a)(1)(ii)(D) - Audit Controls",
+      "confidence": 0.0-1.0
+    }
+  ],
+  "summary": "Overall assessment"
+}
+
+If no violations found, return empty findings array.
+`;
+//# sourceMappingURL=audit-logging.js.map

package/dist/ai/rules/prompts/audit-logging.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logging.js","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/audit-logging.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,CAAC,MAAM,2BAA2B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6FA+BkD,CAAC;AAE9F,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,aAAqB,EAAE,QAAgB,EAAE,EAAE,CAAC;;;QAG9E,QAAQ;;;EAGd,aAAa;;;;;;;;;;;;;;;;;;;;;CAqBd,CAAC"}

package/dist/ai/rules/prompts/data-retention.d.ts

@@ -0,0 +1,7 @@
+/**
+ * HIPAA-RETENTION-001: Data Retention Rule
+ * Detects improper data retention and deletion
+ */
+export declare const DATA_RETENTION_SYSTEM_PROMPT = "You are a HIPAA compliance expert analyzing code for data retention violations.\n\nHIPAA \u00A7164.530(j) requires retention of PHI and documentation for at least 6 years. However, when data is no longer needed, it must be securely deleted.\n\nCommon violations:\n1. Hard delete operations that don't retain audit trail\n2. Missing retention policies for PHI\n3. Immediate permanent deletion without soft delete period\n4. Backup retention policies not implemented\n5. PHI kept indefinitely without justification\n6. Deletion without secure wiping (e.g., just unlinking files)\n7. Missing automated retention enforcement\n\nLook for:\n- DELETE queries without corresponding archive/audit entry\n- File deletion (unlink, rm) of PHI without secure wipe\n- User account deletion immediately removing all PHI (should soft delete first)\n- Missing createdAt/deletedAt timestamps for retention tracking\n- No TTL or retention period configuration\n- Lack of soft delete pattern (deletedAt field)\n\nBe contextual:\n- Test data can be hard deleted\n- Non-PHI data doesn't need special retention\n- Some systems use event sourcing (all history retained by design)\n- Cloud services may handle secure deletion at infrastructure level\n- Retention requirements vary by state law (some require 7-10 years)";
+export declare const DATA_RETENTION_USER_PROMPT: (sanitizedCode: string, filePath: string) => string;
+//# sourceMappingURL=data-retention.d.ts.map

package/dist/ai/rules/prompts/data-retention.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-retention.d.ts","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/data-retention.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,eAAO,MAAM,4BAA4B,mxCA0B4B,CAAC;AAEtE,eAAO,MAAM,0BAA0B,GAAI,eAAe,MAAM,EAAE,UAAU,MAAM,WA2BjF,CAAC"}

package/dist/ai/rules/prompts/data-retention.js

@@ -0,0 +1,60 @@
+/**
+ * HIPAA-RETENTION-001: Data Retention Rule
+ * Detects improper data retention and deletion
+ */
+export const DATA_RETENTION_SYSTEM_PROMPT = `You are a HIPAA compliance expert analyzing code for data retention violations.
+
+HIPAA §164.530(j) requires retention of PHI and documentation for at least 6 years. However, when data is no longer needed, it must be securely deleted.
+
+Common violations:
+1. Hard delete operations that don't retain audit trail
+2. Missing retention policies for PHI
+3. Immediate permanent deletion without soft delete period
+4. Backup retention policies not implemented
+5. PHI kept indefinitely without justification
+6. Deletion without secure wiping (e.g., just unlinking files)
+7. Missing automated retention enforcement
+
+Look for:
+- DELETE queries without corresponding archive/audit entry
+- File deletion (unlink, rm) of PHI without secure wipe
+- User account deletion immediately removing all PHI (should soft delete first)
+- Missing createdAt/deletedAt timestamps for retention tracking
+- No TTL or retention period configuration
+- Lack of soft delete pattern (deletedAt field)
+
+Be contextual:
+- Test data can be hard deleted
+- Non-PHI data doesn't need special retention
+- Some systems use event sourcing (all history retained by design)
+- Cloud services may handle secure deletion at infrastructure level
+- Retention requirements vary by state law (some require 7-10 years)`;
+export const DATA_RETENTION_USER_PROMPT = (sanitizedCode, filePath) => `
+Analyze this file for data retention violations:
+
+File: ${filePath}
+Code:
+\`\`\`
+${sanitizedCode}
+\`\`\`
+
+Find instances where PHI is deleted or retained improperly.
+
+Respond in JSON:
+{
+  "findings": [
+    {
+      "line": number,
+      "severity": "high" | "medium",
+      "message": "Brief description of the violation",
+      "suggestion": "How to fix (be specific - e.g., 'Use soft delete pattern with deletedAt field', 'Archive to audit table before DELETE')",
+      "hipaaReference": "§164.530(j) - Retention Requirements",
+      "confidence": 0.0-1.0
+    }
+  ],
+  "summary": "Overall assessment"
+}
+
+If no violations found, return empty findings array.
+`;
+//# sourceMappingURL=data-retention.js.map

package/dist/ai/rules/prompts/data-retention.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-retention.js","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/data-retention.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;qEA0ByB,CAAC;AAEtE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,aAAqB,EAAE,QAAgB,EAAE,EAAE,CAAC;;;QAG/E,QAAQ;;;EAGd,aAAa;;;;;;;;;;;;;;;;;;;;;CAqBd,CAAC"}

package/dist/ai/rules/prompts/minimum-access.d.ts

@@ -0,0 +1,7 @@
+/**
+ * HIPAA-PHI-003: Minimum Necessary Access Rule
+ * Detects APIs that return more PHI than necessary
+ */
+export declare const MINIMUM_ACCESS_SYSTEM_PROMPT = "You are a HIPAA compliance expert analyzing code for Minimum Necessary Standard violations.\n\nHIPAA \u00A7164.502(b) requires that covered entities limit PHI to the minimum necessary to accomplish the intended purpose.\n\nCommon violations:\n1. API endpoints that return SELECT * or all patient fields when only a subset is needed\n2. Frontend components that fetch full patient records when only displaying name + appointment time\n3. Queries that join unnecessary PHI tables\n4. Endpoints returning SSN, DOB, diagnosis when not needed for the feature\n\nLook for:\n- Database queries with SELECT * on PHI tables\n- API responses including sensitive fields (ssn, diagnosis, medications) when the feature only needs basic info\n- GraphQL/REST endpoints with overly broad field selection\n- Functions that fetch entire patient objects when only a few fields are used\n\nBe contextual:\n- A \"patient detail page\" legitimately needs full patient data\n- A \"patient list\" or \"appointment calendar\" should NOT include SSN, diagnosis, etc.\n- Admin/BCBA endpoints may need more data than patient-facing endpoints";
+export declare const MINIMUM_ACCESS_USER_PROMPT: (sanitizedCode: string, filePath: string) => string;
+//# sourceMappingURL=minimum-access.d.ts.map

package/dist/ai/rules/prompts/minimum-access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"minimum-access.d.ts","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/minimum-access.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,eAAO,MAAM,4BAA4B,8lCAmB+B,CAAC;AAEzE,eAAO,MAAM,0BAA0B,GAAI,eAAe,MAAM,EAAE,UAAU,MAAM,WA2BjF,CAAC"}

package/dist/ai/rules/prompts/minimum-access.js

@@ -0,0 +1,53 @@
+/**
+ * HIPAA-PHI-003: Minimum Necessary Access Rule
+ * Detects APIs that return more PHI than necessary
+ */
+export const MINIMUM_ACCESS_SYSTEM_PROMPT = `You are a HIPAA compliance expert analyzing code for Minimum Necessary Standard violations.
+
+HIPAA §164.502(b) requires that covered entities limit PHI to the minimum necessary to accomplish the intended purpose.
+
+Common violations:
+1. API endpoints that return SELECT * or all patient fields when only a subset is needed
+2. Frontend components that fetch full patient records when only displaying name + appointment time
+3. Queries that join unnecessary PHI tables
+4. Endpoints returning SSN, DOB, diagnosis when not needed for the feature
+
+Look for:
+- Database queries with SELECT * on PHI tables
+- API responses including sensitive fields (ssn, diagnosis, medications) when the feature only needs basic info
+- GraphQL/REST endpoints with overly broad field selection
+- Functions that fetch entire patient objects when only a few fields are used
+
+Be contextual:
+- A "patient detail page" legitimately needs full patient data
+- A "patient list" or "appointment calendar" should NOT include SSN, diagnosis, etc.
+- Admin/BCBA endpoints may need more data than patient-facing endpoints`;
+export const MINIMUM_ACCESS_USER_PROMPT = (sanitizedCode, filePath) => `
+Analyze this file for Minimum Necessary Access violations:
+
+File: ${filePath}
+Code:
+\`\`\`
+${sanitizedCode}
+\`\`\`
+
+Find instances where the code fetches or returns more PHI than necessary.
+
+Respond in JSON:
+{
+  "findings": [
+    {
+      "line": number,
+      "severity": "high" | "medium",
+      "message": "Brief description of the violation",
+      "suggestion": "How to fix (be specific - which fields to include/exclude)",
+      "hipaaReference": "§164.502(b) - Minimum Necessary Standard",
+      "confidence": 0.0-1.0
+    }
+  ],
+  "summary": "Overall assessment"
+}
+
+If no violations found, return empty findings array.
+`;
+//# sourceMappingURL=minimum-access.js.map

package/dist/ai/rules/prompts/minimum-access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"minimum-access.js","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/minimum-access.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG;;;;;;;;;;;;;;;;;;;wEAmB4B,CAAC;AAEzE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,aAAqB,EAAE,QAAgB,EAAE,EAAE,CAAC;;;QAG/E,QAAQ;;;EAGd,aAAa;;;;;;;;;;;;;;;;;;;;;CAqBd,CAAC"}

package/dist/ai/rules/prompts/phi-encryption.d.ts

@@ -0,0 +1,7 @@
+/**
+ * HIPAA-SEC-001: PHI Encryption Rule
+ * Detects unencrypted PHI in transit or at rest
+ */
+export declare const PHI_ENCRYPTION_SYSTEM_PROMPT = "You are a HIPAA compliance expert analyzing code for encryption violations.\n\nHIPAA \u00A7164.312(a)(2)(iv) and \u00A7164.312(e)(1) require encryption of PHI in transit and at rest.\n\nCommon violations:\n1. HTTP instead of HTTPS for PHI transmission\n2. Storing PHI in plain text files or databases without encryption\n3. Using weak encryption algorithms (MD5, DES, RC4)\n4. Missing TLS/SSL configuration for API endpoints handling PHI\n5. Unencrypted database connections (e.g., postgres:// without SSL)\n6. Local storage or cookies storing PHI without encryption\n7. File uploads with PHI not encrypted before storage\n\nLook for:\n- HTTP URLs in API calls that transmit PHI data\n- Database connection strings without SSL/TLS\n- LocalStorage/sessionStorage/cookies storing sensitive fields\n- File write operations with PHI without encryption wrapper\n- Weak crypto: crypto.createHash('md5'), DES, RC4, SHA1 for passwords\n- Missing HTTPS enforcement middleware\n\nBe contextual:\n- Test environments may use HTTP for localhost (acceptable)\n- Public data doesn't require encryption\n- Encryption at the infrastructure level (e.g., AWS RDS encryption) may not be visible in code";
+export declare const PHI_ENCRYPTION_USER_PROMPT: (sanitizedCode: string, filePath: string) => string;
+//# sourceMappingURL=phi-encryption.d.ts.map

package/dist/ai/rules/prompts/phi-encryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"phi-encryption.d.ts","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/phi-encryption.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,eAAO,MAAM,4BAA4B,oqCAwBsD,CAAC;AAGhG,eAAO,MAAM,0BAA0B,GAAI,eAAe,MAAM,EAAE,UAAU,MAAM,WA2BjF,CAAC"}

package/dist/ai/rules/prompts/phi-encryption.js

@@ -0,0 +1,60 @@
+/**
+ * HIPAA-SEC-001: PHI Encryption Rule
+ * Detects unencrypted PHI in transit or at rest
+ */
+// vlayer-ignore * -- AI prompt file contains example patterns for detection
+export const PHI_ENCRYPTION_SYSTEM_PROMPT = `You are a HIPAA compliance expert analyzing code for encryption violations.
+
+HIPAA §164.312(a)(2)(iv) and §164.312(e)(1) require encryption of PHI in transit and at rest.
+
+Common violations:
+1. HTTP instead of HTTPS for PHI transmission
+2. Storing PHI in plain text files or databases without encryption
+3. Using weak encryption algorithms (MD5, DES, RC4)
+4. Missing TLS/SSL configuration for API endpoints handling PHI
+5. Unencrypted database connections (e.g., postgres:// without SSL)
+6. Local storage or cookies storing PHI without encryption
+7. File uploads with PHI not encrypted before storage
+
+Look for:
+- HTTP URLs in API calls that transmit PHI data
+- Database connection strings without SSL/TLS
+- LocalStorage/sessionStorage/cookies storing sensitive fields
+- File write operations with PHI without encryption wrapper
+- Weak crypto: crypto.createHash('md5'), DES, RC4, SHA1 for passwords
+- Missing HTTPS enforcement middleware
+
+Be contextual:
+- Test environments may use HTTP for localhost (acceptable)
+- Public data doesn't require encryption
+- Encryption at the infrastructure level (e.g., AWS RDS encryption) may not be visible in code`;
+// vlayer-ignore * -- AI prompt file contains example patterns for detection
+export const PHI_ENCRYPTION_USER_PROMPT = (sanitizedCode, filePath) => `
+Analyze this file for PHI encryption violations:
+
+File: ${filePath}
+Code:
+\`\`\`
+${sanitizedCode}
+\`\`\`
+
+Find instances where PHI is transmitted or stored without proper encryption.
+
+Respond in JSON:
+{
+  "findings": [
+    {
+      "line": number,
+      "severity": "critical" | "high" | "medium",
+      "message": "Brief description of the violation",
+      "suggestion": "How to fix (be specific - e.g., 'Use HTTPS', 'Add {ssl: true} to connection')",
+      "hipaaReference": "§164.312(a)(2)(iv) or §164.312(e)(1)",
+      "confidence": 0.0-1.0
+    }
+  ],
+  "summary": "Overall assessment"
+}
+
+If no violations found, return empty findings array.
+`;
+//# sourceMappingURL=phi-encryption.js.map

package/dist/ai/rules/prompts/phi-encryption.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"phi-encryption.js","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/phi-encryption.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,4EAA4E;AAC5E,MAAM,CAAC,MAAM,4BAA4B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;+FAwBmD,CAAC;AAEhG,4EAA4E;AAC5E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,aAAqB,EAAE,QAAgB,EAAE,EAAE,CAAC;;;QAG/E,QAAQ;;;EAGd,aAAa;;;;;;;;;;;;;;;;;;;;;CAqBd,CAAC"}

package/dist/ai/rules/prompts/rbac-check.d.ts

@@ -0,0 +1,7 @@
+/**
+ * HIPAA-ACCESS-001: Role-Based Access Control Rule
+ * Detects improper access control implementation
+ */
+export declare const RBAC_CHECK_SYSTEM_PROMPT = "You are a HIPAA compliance expert analyzing code for access control violations.\n\nHIPAA \u00A7164.308(a)(4) requires implementing access controls to limit PHI access to authorized personnel only.\n\nCommon violations:\n1. Missing authentication checks on PHI endpoints\n2. Hardcoded roles or permissions instead of dynamic RBAC\n3. Client-side only authorization (bypassable)\n4. Missing role validation before PHI operations\n5. Overly permissive CORS allowing any origin\n6. Admin endpoints accessible without proper role checks\n7. Direct object references without ownership validation (IDOR)\n\nLook for:\n- API routes handling PHI without auth middleware\n- Role checks like if (user.role === 'admin') with hardcoded strings\n- CORS: Access-Control-Allow-Origin: * on PHI endpoints\n- Functions that access patient data without verifying user.role or permissions\n- Missing authorization checks in GraphQL resolvers\n- JWT tokens without role claims or missing verification\n\nBe contextual:\n- Public health information (blog posts, FAQs) doesn't need auth\n- Rate limiting endpoints may not need auth\n- Authentication middleware applied at the router level may protect all routes\n- Some frameworks have built-in RBAC (check middleware usage)";
+export declare const RBAC_CHECK_USER_PROMPT: (sanitizedCode: string, filePath: string) => string;
+//# sourceMappingURL=rbac-check.d.ts.map

package/dist/ai/rules/prompts/rbac-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-check.d.ts","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/rbac-check.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,eAAO,MAAM,wBAAwB,wuCAyByB,CAAC;AAG/D,eAAO,MAAM,sBAAsB,GAAI,eAAe,MAAM,EAAE,UAAU,MAAM,WA2B7E,CAAC"}

package/dist/ai/rules/prompts/rbac-check.js

@@ -0,0 +1,61 @@
+/**
+ * HIPAA-ACCESS-001: Role-Based Access Control Rule
+ * Detects improper access control implementation
+ */
+// vlayer-ignore * -- AI prompt file contains example patterns for detection
+export const RBAC_CHECK_SYSTEM_PROMPT = `You are a HIPAA compliance expert analyzing code for access control violations.
+
+HIPAA §164.308(a)(4) requires implementing access controls to limit PHI access to authorized personnel only.
+
+Common violations:
+1. Missing authentication checks on PHI endpoints
+2. Hardcoded roles or permissions instead of dynamic RBAC
+3. Client-side only authorization (bypassable)
+4. Missing role validation before PHI operations
+5. Overly permissive CORS allowing any origin
+6. Admin endpoints accessible without proper role checks
+7. Direct object references without ownership validation (IDOR)
+
+Look for:
+- API routes handling PHI without auth middleware
+- Role checks like if (user.role === 'admin') with hardcoded strings
+- CORS: Access-Control-Allow-Origin: * on PHI endpoints
+- Functions that access patient data without verifying user.role or permissions
+- Missing authorization checks in GraphQL resolvers
+- JWT tokens without role claims or missing verification
+
+Be contextual:
+- Public health information (blog posts, FAQs) doesn't need auth
+- Rate limiting endpoints may not need auth
+- Authentication middleware applied at the router level may protect all routes
+- Some frameworks have built-in RBAC (check middleware usage)`;
+// vlayer-ignore * -- AI prompt file contains example patterns for detection
+export const RBAC_CHECK_USER_PROMPT = (sanitizedCode, filePath) => `
+Analyze this file for access control violations:
+
+File: ${filePath}
+Code:
+\`\`\`
+${sanitizedCode}
+\`\`\`
+
+Find instances where PHI is accessed without proper authorization or role-based access control.
+
+Respond in JSON:
+{
+  "findings": [
+    {
+      "line": number,
+      "severity": "critical" | "high" | "medium",
+      "message": "Brief description of the violation",
+      "suggestion": "How to fix (be specific - e.g., 'Add requireAuth middleware', 'Check user.role against resource.ownerId')",
+      "hipaaReference": "§164.308(a)(4) - Access Controls",
+      "confidence": 0.0-1.0
+    }
+  ],
+  "summary": "Overall assessment"
+}
+
+If no violations found, return empty findings array.
+`;
+//# sourceMappingURL=rbac-check.js.map

package/dist/ai/rules/prompts/rbac-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-check.js","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/rbac-check.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,4EAA4E;AAC5E,MAAM,CAAC,MAAM,wBAAwB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;8DAyBsB,CAAC;AAE/D,4EAA4E;AAC5E,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,aAAqB,EAAE,QAAgB,EAAE,EAAE,CAAC;;;QAG3E,QAAQ;;;EAGd,aAAa;;;;;;;;;;;;;;;;;;;;;CAqBd,CAAC"}

package/dist/ai/rules/prompts/session-management.d.ts

@@ -0,0 +1,7 @@
+/**
+ * HIPAA-AUTH-001: Session Management Rule
+ * Detects weak session management and authentication issues
+ */
+export declare const SESSION_MANAGEMENT_SYSTEM_PROMPT = "You are a HIPAA compliance expert analyzing code for session management violations.\n\nHIPAA \u00A7164.312(a)(2)(i) requires unique user identification and \u00A7164.312(d) requires automatic logoff.\n\nCommon violations:\n1. Missing session timeout / automatic logoff\n2. Sessions that never expire (no maxAge or TTL)\n3. Session tokens without secure/httpOnly flags\n4. Weak session ID generation (predictable tokens)\n5. Missing session invalidation on logout\n6. Concurrent sessions allowed without limit\n7. Session fixation vulnerabilities (session ID not regenerated after login)\n8. Session data stored client-side without encryption\n\nLook for:\n- Session configuration without timeout (e.g., maxAge: Infinity)\n- Cookie options missing secure: true, httpOnly: true, sameSite: 'strict'\n- JWT tokens without expiration (no exp claim)\n- Login functions that don't regenerate session ID\n- Logout functions that don't destroy session\n- LocalStorage storing session tokens (XSS vulnerable)\n- Session timeouts > 15 minutes for PHI access (HIPAA best practice)\n- Missing CSRF protection on state-changing operations\n\nBe contextual:\n- Development environments may have longer timeouts\n- Remember-me functionality needs careful implementation\n- Some frameworks handle session security by default\n- API-only services may use stateless JWT (still needs expiration)";
+export declare const SESSION_MANAGEMENT_USER_PROMPT: (sanitizedCode: string, filePath: string) => string;
+//# sourceMappingURL=session-management.d.ts.map

package/dist/ai/rules/prompts/session-management.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-management.d.ts","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/session-management.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,eAAO,MAAM,gCAAgC,o2CA4BsB,CAAC;AAEpE,eAAO,MAAM,8BAA8B,GAAI,eAAe,MAAM,EAAE,UAAU,MAAM,WA2BrF,CAAC"}

package/dist/ai/rules/prompts/session-management.js

@@ -0,0 +1,62 @@
+/**
+ * HIPAA-AUTH-001: Session Management Rule
+ * Detects weak session management and authentication issues
+ */
+export const SESSION_MANAGEMENT_SYSTEM_PROMPT = `You are a HIPAA compliance expert analyzing code for session management violations.
+
+HIPAA §164.312(a)(2)(i) requires unique user identification and §164.312(d) requires automatic logoff.
+
+Common violations:
+1. Missing session timeout / automatic logoff
+2. Sessions that never expire (no maxAge or TTL)
+3. Session tokens without secure/httpOnly flags
+4. Weak session ID generation (predictable tokens)
+5. Missing session invalidation on logout
+6. Concurrent sessions allowed without limit
+7. Session fixation vulnerabilities (session ID not regenerated after login)
+8. Session data stored client-side without encryption
+
+Look for:
+- Session configuration without timeout (e.g., maxAge: Infinity)
+- Cookie options missing secure: true, httpOnly: true, sameSite: 'strict'
+- JWT tokens without expiration (no exp claim)
+- Login functions that don't regenerate session ID
+- Logout functions that don't destroy session
+- LocalStorage storing session tokens (XSS vulnerable)
+- Session timeouts > 15 minutes for PHI access (HIPAA best practice)
+- Missing CSRF protection on state-changing operations
+
+Be contextual:
+- Development environments may have longer timeouts
+- Remember-me functionality needs careful implementation
+- Some frameworks handle session security by default
+- API-only services may use stateless JWT (still needs expiration)`;
+export const SESSION_MANAGEMENT_USER_PROMPT = (sanitizedCode, filePath) => `
+Analyze this file for session management violations:
+
+File: ${filePath}
+Code:
+\`\`\`
+${sanitizedCode}
+\`\`\`
+
+Find instances where session management is weak or improperly configured.
+
+Respond in JSON:
+{
+  "findings": [
+    {
+      "line": number,
+      "severity": "critical" | "high" | "medium",
+      "message": "Brief description of the violation",
+      "suggestion": "How to fix (be specific - e.g., 'Add maxAge: 15 * 60 * 1000 (15 min)', 'Set secure: true, httpOnly: true')",
+      "hipaaReference": "§164.312(a)(2)(i) - Unique User ID, §164.312(d) - Automatic Logoff",
+      "confidence": 0.0-1.0
+    }
+  ],
+  "summary": "Overall assessment"
+}
+
+If no violations found, return empty findings array.
+`;
+//# sourceMappingURL=session-management.js.map

package/dist/ai/rules/prompts/session-management.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-management.js","sourceRoot":"","sources":["../../../../src/ai/rules/prompts/session-management.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,CAAC,MAAM,gCAAgC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;mEA4BmB,CAAC;AAEpE,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,aAAqB,EAAE,QAAgB,EAAE,EAAE,CAAC;;;QAGnF,QAAQ;;;EAGd,aAAa;;;;;;;;;;;;;;;;;;;;;CAqBd,CAAC"}

package/dist/ai/rules/rule-runner.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Rule Runner - Orchestrates LLM-powered HIPAA rule execution
+ */
+import { CostTracker } from '../cost-tracker.js';
+import { AICache } from '../cache.js';
+import { RateLimiter } from '../rate-limiter.js';
+import type { AIFinding } from './types.js';
+export interface LLMRule {
+    id: string;
+    name: string;
+    category: string;
+    systemPrompt: string;
+    userPromptTemplate: (sanitizedCode: string, filePath: string) => string;
+}
+export declare class RuleRunner {
+    private cache;
+    private rateLimiter;
+    private costTracker;
+    constructor(costTracker: CostTracker, cache?: AICache, rateLimiter?: RateLimiter);
+    runRule(rule: LLMRule, fileContent: string, filePath: string): Promise<AIFinding[]>;
+    private convertToAIFindings;
+    runRulesOnFile(rules: LLMRule[], fileContent: string, filePath: string): Promise<AIFinding[]>;
+    getStats(): {
+        cost: {
+            totalCalls: number;
+            totalInputTokens: number;
+            totalOutputTokens: number;
+            estimatedCost: number;
+        };
+        rateLimit: {
+            callsThisMinute: number;
+            totalCalls: number;
+        };
+    };
+}
+//# sourceMappingURL=rule-runner.d.ts.map

package/dist/ai/rules/rule-runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-runner.d.ts","sourceRoot":"","sources":["../../../src/ai/rules/rule-runner.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,KAAK,EAAE,SAAS,EAAmB,MAAM,YAAY,CAAC;AAG7D,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC;CACzE;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,KAAK,CAAU;IACvB,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,WAAW,CAAc;gBAG/B,WAAW,EAAE,WAAW,EACxB,KAAK,CAAC,EAAE,OAAO,EACf,WAAW,CAAC,EAAE,WAAW;IAOrB,OAAO,CACX,IAAI,EAAE,OAAO,EACb,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,SAAS,EAAE,CAAC;IA4EvB,OAAO,CAAC,mBAAmB;IAgCrB,cAAc,CAClB,KAAK,EAAE,OAAO,EAAE,EAChB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,SAAS,EAAE,CAAC;IAmBvB,QAAQ;;;;;;;;;;;;CAMT"}