verification-layer 0.19.0 → 0.21.0

package/dist/scanners/hipaa2026/index.test.js

@@ -0,0 +1,321 @@
+/**
+ * Tests for HIPAA 2026 Security Rule Scanner
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { hipaa2026Scanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('HIPAA 2026 Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'hipaa2026-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('HIPAA-MFA-001: Multi-Factor Authentication', () => {
+        it('should detect PHI access without MFA', async () => {
+            const file = await createTestFile('auth.ts', `
+app.post('/login', async (req, res) => {
+  const user = await authenticateUser(req.body);
+  if (user.role === 'doctor') {
+    accessPatientRecords(user);
+  }
+});
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'HIPAA-MFA-001');
+            expect(mfaFindings.length).toBeGreaterThan(0);
+            expect(mfaFindings[0].severity).toBe('critical');
+            expect(mfaFindings[0].hipaaReference).toContain('164.312(a)(2)(i)');
+        });
+        it('should not flag PHI access with MFA', async () => {
+            const file = await createTestFile('auth-secure.ts', `
+app.post('/login', async (req, res) => {
+  const user = await authenticateUser(req.body);
+  if (!user.mfaVerified) {
+    return res.status(401).json({ error: 'MFA required' });
+  }
+  if (user.role === 'doctor') {
+    accessPatientRecords(user);
+  }
+});
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const mfaFindings = findings.filter((f) => f.id === 'HIPAA-MFA-001');
+            expect(mfaFindings.length).toBe(0);
+        });
+    });
+    describe('HIPAA-ENC-REST-001: Encryption at Rest', () => {
+        it('should detect database without encryption', async () => {
+            const file = await createTestFile('db.ts', `
+import mongoose from 'mongoose';
+
+mongoose.connect('mongodb://localhost:27017/patients', {
+  useNewUrlParser: true,
+});
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const encFindings = findings.filter((f) => f.id === 'HIPAA-ENC-REST-001');
+            expect(encFindings.length).toBeGreaterThan(0);
+            expect(encFindings[0].severity).toBe('critical');
+        });
+        it('should not flag database with encryption', async () => {
+            const file = await createTestFile('db-secure.ts', `
+import mongoose from 'mongoose';
+
+mongoose.connect('mongodb://localhost:27017/patients', {
+  useNewUrlParser: true,
+  ssl: true,
+  encrypt: true,
+});
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const encFindings = findings.filter((f) => f.id === 'HIPAA-ENC-REST-001');
+            expect(encFindings.length).toBe(0);
+        });
+    });
+    describe('HIPAA-SESSION-001: Session Timeout', () => {
+        it('should detect session without timeout', async () => {
+            const file = await createTestFile('session.ts', `
+import session from 'express-session';
+
+app.use(session({
+  secret: 'my-secret',
+  resave: false,
+  saveUninitialized: false,
+}));
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const sessionFindings = findings.filter((f) => f.id === 'HIPAA-SESSION-001');
+            expect(sessionFindings.length).toBeGreaterThan(0);
+            expect(sessionFindings[0].severity).toBe('high');
+        });
+        it('should not flag session with proper timeout', async () => {
+            const file = await createTestFile('session-secure.ts', `
+import session from 'express-session';
+
+app.use(session({
+  secret: 'my-secret',
+  resave: false,
+  saveUninitialized: false,
+  cookie: { maxAge: 900000 } // 15 minutes
+}));
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const sessionFindings = findings.filter((f) => f.id === 'HIPAA-SESSION-001');
+            expect(sessionFindings.length).toBe(0);
+        });
+    });
+    describe('HIPAA-REVOKE-001: Access Revocation', () => {
+        it('should detect user deactivation without token revocation', async () => {
+            const file = await createTestFile('user.ts', `
+async function deactivateUser(userId: string) {
+  await User.update({ id: userId }, { active: false });
+  console.log('User deactivated');
+}
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'HIPAA-REVOKE-001');
+            expect(revokeFindings.length).toBeGreaterThan(0);
+            expect(revokeFindings[0].severity).toBe('critical');
+        });
+        it('should not flag deactivation with token revocation', async () => {
+            const file = await createTestFile('user-secure.ts', `
+async function deactivateUser(userId: string) {
+  await User.update({ id: userId }, { active: false });
+  await revokeAllTokens(userId);
+  await invalidateAllSessions(userId);
+  console.log('User deactivated and tokens revoked');
+}
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'HIPAA-REVOKE-001');
+            expect(revokeFindings.length).toBe(0);
+        });
+    });
+    describe('HIPAA-BREACH-001: Breach Notification', () => {
+        it('should detect security errors without breach notification', async () => {
+            const file = await createTestFile('api.ts', `
+try {
+  await processPhiData(data);
+} catch (error) {
+  if (error.message.includes('unauthorized')) {
+    console.error('Security breach detected');
+  }
+}
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const breachFindings = findings.filter((f) => f.id === 'HIPAA-BREACH-001');
+            expect(breachFindings.length).toBeGreaterThan(0);
+            expect(breachFindings[0].severity).toBe('critical');
+        });
+        it('should not flag errors with breach notification', async () => {
+            const file = await createTestFile('api-secure.ts', `
+try {
+  await processPhiData(data);
+} catch (error) {
+  if (error.message.includes('unauthorized')) {
+    console.error('Security breach detected');
+    await notifyBreach(error);
+    await incidentResponse.trigger('security-breach');
+  }
+}
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const breachFindings = findings.filter((f) => f.id === 'HIPAA-BREACH-001');
+            expect(breachFindings.length).toBe(0);
+        });
+    });
+    describe('HIPAA-SEGMENT-001: Network Segmentation', () => {
+        it('should detect CORS wildcard for PHI endpoints', async () => {
+            const file = await createTestFile('cors.ts', `
+import cors from 'cors';
+
+app.use(cors({ origin: '*' }));
+
+app.get('/api/patients', async (req, res) => {
+  const patients = await getPatients();
+  res.json(patients);
+});
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const segmentFindings = findings.filter((f) => f.id === 'HIPAA-SEGMENT-001');
+            expect(segmentFindings.length).toBeGreaterThan(0);
+            expect(segmentFindings[0].severity).toBe('critical');
+        });
+        it('should not flag CORS with origin whitelist', async () => {
+            const file = await createTestFile('cors-secure.ts', `
+import cors from 'cors';
+
+app.use(cors({ origin: ['https://hospital.com', 'https://ehr.hospital.com'] }));
+
+app.get('/api/patients', async (req, res) => {
+  const patients = await getPatients();
+  res.json(patients);
+});
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const segmentFindings = findings.filter((f) => f.id === 'HIPAA-SEGMENT-001');
+            expect(segmentFindings.length).toBe(0);
+        });
+    });
+    describe('HIPAA-ASSET-001: Technology Asset Inventory', () => {
+        it('should generate asset inventory', async () => {
+            await createTestFile('services.ts', `
+import mongoose from 'mongoose';
+import { S3Client } from '@aws-sdk/client-s3';
+import axios from 'axios';
+
+mongoose.connect('mongodb://localhost/patients');
+const s3 = new S3Client({ region: 'us-east-1' });
+axios.get('https://api.external.com/patient-data');
+        `);
+            const findings = await hipaa2026Scanner.scan(testFiles, scanOptions);
+            const assetFindings = findings.filter((f) => f.id === 'HIPAA-ASSET-001');
+            expect(assetFindings.length).toBe(1);
+            expect(assetFindings[0].severity).toBe('high');
+            expect(assetFindings[0].file).toBe('ASSET-INVENTORY');
+            expect(assetFindings[0].recommendation).toContain('DATABASE');
+        });
+    });
+    describe('HIPAA-FLOW-001: PHI Flow Mapping', () => {
+        it('should generate PHI flow map', async () => {
+            await createTestFile('patient-flow.ts', `
+app.post('/api/patient', async (req, res) => {
+  const patientData = req.body.patient;
+  const validated = validatePatient(patientData);
+  await savePatient(validated);
+  return res.json({ success: true, patient: validated });
+});
+        `);
+            const findings = await hipaa2026Scanner.scan(testFiles, scanOptions);
+            const flowFindings = findings.filter((f) => f.id === 'HIPAA-FLOW-001');
+            expect(flowFindings.length).toBe(1);
+            expect(flowFindings[0].severity).toBe('high');
+            expect(flowFindings[0].file).toBe('PHI-FLOW-MAP');
+            expect(flowFindings[0].recommendation).toContain('INPUT');
+            expect(flowFindings[0].recommendation).toContain('PROCESSING');
+            expect(flowFindings[0].recommendation).toContain('STORAGE');
+        });
+    });
+    describe('HIPAA-PENTEST-001: Vulnerability Scanning', () => {
+        it('should detect missing vulnerability scanning config', async () => {
+            const file = await createTestFile('package.json', JSON.stringify({
+                name: 'test-app',
+                version: '1.0.0',
+                scripts: {
+                    test: 'jest',
+                },
+            }));
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const pentestFindings = findings.filter((f) => f.id === 'HIPAA-PENTEST-001');
+            expect(pentestFindings.length).toBeGreaterThan(0);
+            expect(pentestFindings[0].severity).toBe('high');
+        });
+        it('should not flag when dependabot exists', async () => {
+            const githubDir = path.join(tempDir, '.github');
+            await fs.mkdir(githubDir, { recursive: true });
+            await fs.writeFile(path.join(githubDir, 'dependabot.yml'), 'version: 2\nupdates:\n  - package-ecosystem: npm', 'utf-8');
+            const file = await createTestFile('package.json', JSON.stringify({
+                name: 'test-app',
+                version: '1.0.0',
+            }));
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            const pentestFindings = findings.filter((f) => f.id === 'HIPAA-PENTEST-001');
+            expect(pentestFindings.length).toBe(0);
+        });
+    });
+    describe('General Scanner Behavior', () => {
+        it('should only scan code files', async () => {
+            await createTestFile('README.md', 'patient data here');
+            await createTestFile('data.json', '{"patient": "data"}');
+            await createTestFile('code.ts', 'const patient = req.body;');
+            const findings = await hipaa2026Scanner.scan(testFiles, scanOptions);
+            // Should only find findings in code.ts
+            const uniqueFiles = new Set(findings.map((f) => path.basename(f.file)));
+            expect(uniqueFiles.has('README.md')).toBe(false);
+            expect(uniqueFiles.has('data.json')).toBe(false);
+        });
+        it('should include confidence scores', async () => {
+            const file = await createTestFile('auth.ts', `
+app.post('/login', async (req) => {
+  const user = await authenticateUser(req.body);
+  accessPatientRecords(user);
+});
+        `);
+            const findings = await hipaa2026Scanner.scan([file], scanOptions);
+            for (const finding of findings) {
+                expect(finding.confidence).toBeDefined();
+                expect(['high', 'medium', 'low']).toContain(finding.confidence);
+            }
+        });
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/hipaa2026/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/hipaa2026/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,OAAe;QAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,4CAA4C,EAAE,GAAG,EAAE;QAC1D,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAErE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACjD,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;;;;SAUC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAErE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,wCAAwC,EAAE,GAAG,EAAE;QACtD,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,OAAO,EACP;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YAE1E,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;;;SAQC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YAE1E,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAClD,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;;;;SAQC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC;YAE7E,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,mBAAmB,EACnB;;;;;;;;;SASC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC;YAE7E,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qCAAqC,EAAE,GAAG,EAAE;QACnD,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YAE3E,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YAE3E,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;QACrD,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;YACzE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,QAAQ,EACR;;;;;;;;SAQC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YAE3E,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;;;;;SAUC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YAE3E,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACvD,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;;;;;SASC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC;YAE7E,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;;;SASC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC;YAE7E,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,6CAA6C,EAAE,GAAG,EAAE;QAC3D,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;YAC/C,MAAM,cAAc,CAClB,aAAa,EACb;;;;;;;;SAQC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC;YAEzE,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACrC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YACtD,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAChD,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,cAAc,CAClB,iBAAiB,EACjB;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,gBAAgB,CAAC,CAAC;YAEvE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACpC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAClD,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC1D,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;YAC/D,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACzD,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACnE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,OAAO;gBAChB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAM;iBACb;aACF,CAAC,CACH,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC;YAE7E,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAChD,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/C,MAAM,EAAE,CAAC,SAAS,CAChB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,EACtC,kDAAkD,EAClD,OAAO,CACR,CAAC;YAEF,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,OAAO;aACjB,CAAC,CACH,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC;YAE7E,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACxC,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,cAAc,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;YACvD,MAAM,cAAc,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;YACzD,MAAM,cAAc,CAAC,SAAS,EAAE,2BAA2B,CAAC,CAAC;YAE7D,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YAErE,uCAAuC;YACvC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACxE,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACjD,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAElE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YAClE,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanners/hipaa2026/patterns.d.ts

@@ -0,0 +1,57 @@
+/**
+ * HIPAA 2026 Security Rule Detection Patterns
+ * Covers 15 technical requirements (all now "required" instead of "addressable")
+ * Expected enforcement: May 2026
+ */
+export interface HIPAA2026Pattern {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'critical' | 'high';
+    hipaaReference: string;
+    patterns: RegExp[];
+    negativePatterns?: RegExp[];
+    autoFix?: string;
+    confidence: 'high' | 'medium' | 'low';
+    category: string;
+}
+/**
+ * HIPAA-MFA-001: Multi-Factor Authentication Enforcement
+ */
+export declare const MFA_PATTERNS: HIPAA2026Pattern;
+/**
+ * HIPAA-ENC-REST-001: Encryption at Rest
+ */
+export declare const ENCRYPTION_AT_REST_PATTERNS: HIPAA2026Pattern;
+/**
+ * HIPAA-SESSION-001: Automatic Session Timeout
+ */
+export declare const SESSION_TIMEOUT_PATTERNS: HIPAA2026Pattern;
+/**
+ * HIPAA-REVOKE-001: Immediate Access Revocation
+ */
+export declare const ACCESS_REVOCATION_PATTERNS: HIPAA2026Pattern;
+/**
+ * HIPAA-BREACH-001: 24-Hour Breach Notification
+ */
+export declare const BREACH_NOTIFICATION_PATTERNS: HIPAA2026Pattern;
+/**
+ * HIPAA-SEGMENT-001: Network Segmentation
+ */
+export declare const NETWORK_SEGMENTATION_PATTERNS: HIPAA2026Pattern;
+/**
+ * HIPAA-ASSET-001: Technology Asset Inventory
+ * Special pattern - triggers asset inventory generation
+ */
+export declare const ASSET_INVENTORY_PATTERNS: HIPAA2026Pattern;
+/**
+ * HIPAA-FLOW-001: ePHI Flow Mapping
+ * Special pattern - triggers flow map generation
+ */
+export declare const PHI_FLOW_MAPPING_PATTERNS: HIPAA2026Pattern;
+/**
+ * HIPAA-PENTEST-001: Vulnerability Scanning Configuration
+ */
+export declare const VULNERABILITY_SCANNING_PATTERNS: HIPAA2026Pattern;
+export declare const ALL_HIPAA_2026_PATTERNS: HIPAA2026Pattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/hipaa2026/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/hipaa2026/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,gBA2B1B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,EAAE,gBA6BzC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wBAAwB,EAAE,gBA0BtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE,gBAyBxC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B,EAAE,gBAuB1C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,6BAA6B,EAAE,gBAyB3C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,gBAmBtC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,yBAAyB,EAAE,gBAmBvC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,EAAE,gBAoB7C,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,gBAAgB,EAUrD,CAAC"}

package/dist/scanners/hipaa2026/patterns.js

@@ -0,0 +1,268 @@
+/**
+ * HIPAA 2026 Security Rule Detection Patterns
+ * Covers 15 technical requirements (all now "required" instead of "addressable")
+ * Expected enforcement: May 2026
+ */
+/**
+ * HIPAA-MFA-001: Multi-Factor Authentication Enforcement
+ */
+export const MFA_PATTERNS = {
+    id: 'HIPAA-MFA-001',
+    name: 'Missing Multi-Factor Authentication for PHI Access',
+    description: 'Endpoints accessing PHI must enforce MFA. All auth configs must require multi-factor authentication.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(a)(2)(i) - Access Control (Required)',
+    patterns: [
+        // Login/auth without MFA
+        /(?:login|authenticate|signin|auth).*?(?:patient|phi|medical|health)(?!.*?(?:mfa|multi.?factor|2fa|totp|authenticator))/i,
+        // Auth configs without MFA
+        /(?:passport|auth0|okta|cognito)\.(?:use|configure).*?(?!.*?(?:mfa|multiFactor|requireMFA))/i,
+        // Admin endpoints without MFA
+        /\/admin.*?(?:patient|medical|phi)(?!.*?(?:mfa|2fa))/i,
+        // Session creation without MFA
+        /createSession.*?(?:user|admin)(?!.*?mfaVerified)/i,
+        // JWT without MFA claim
+        /jwt\.sign\(.*?(?:patient|phi)(?!.*?mfaVerified)/i,
+    ],
+    negativePatterns: [
+        /requireMFA:\s*true/i,
+        /mfaVerified/i,
+        /authenticator\.verify/i,
+        /totp\.validate/i,
+    ],
+    autoFix: 'Add MFA enforcement: requireMFA: true, verify TOTP/authenticator before granting access',
+    confidence: 'high',
+    category: 'access-control',
+};
+/**
+ * HIPAA-ENC-REST-001: Encryption at Rest
+ */
+export const ENCRYPTION_AT_REST_PATTERNS = {
+    id: 'HIPAA-ENC-REST-001',
+    name: 'ePHI Stored Without Encryption at Rest',
+    description: 'All ePHI must be encrypted at rest using AES-256 or stronger.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(a)(2)(iv) - Encryption (Required)',
+    patterns: [
+        // Database without encryption
+        /(?:mongoose|sequelize|typeorm|prisma)\.(?:connect|createConnection).*?(?!.*?(?:encrypt|ssl|tls))/i,
+        // File storage without encryption
+        /(?:fs\.writeFile|writeFileSync|s3\.putObject).*?(?:patient|phi|medical)(?!.*?(?:encrypt|cipher))/i,
+        // LocalStorage with PHI
+        /localStorage\.setItem.*?(?:patient|ssn|mrn|phi)/i,
+        // Cookie with PHI unencrypted
+        /(?:res\.cookie|setCookie).*?(?:patient|phi|medical)(?!.*?(?:encrypt|secure|httpOnly))/i,
+        // MongoDB without encryption
+        /MongoClient\.connect.*?(?!.*?(?:ssl|tls|encryption))/i,
+        // PostgreSQL without encryption
+        /(?:pg|postgres)\.(?:connect|Pool).*?(?!.*?ssl)/i,
+    ],
+    negativePatterns: [
+        /encrypt:\s*true/i,
+        /ssl:\s*true/i,
+        /cipher\./i,
+        /aes-256/i,
+    ],
+    autoFix: 'Enable encryption at rest: Set encrypt: true in DB config, use crypto.cipher for file storage',
+    confidence: 'high',
+    category: 'encryption',
+};
+/**
+ * HIPAA-SESSION-001: Automatic Session Timeout
+ */
+export const SESSION_TIMEOUT_PATTERNS = {
+    id: 'HIPAA-SESSION-001',
+    name: 'Missing Automatic Session Timeout',
+    description: 'PHI access sessions must auto-expire within 15 minutes of inactivity.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.312(a)(2)(iii) - Session Control (Required)',
+    patterns: [
+        // Session config without expiration
+        /(?:express-session|session)\.(?:configure|use)(?!.*?(?:maxAge|expires|timeout))/i,
+        // Session with timeout > 15 min (900000 ms)
+        /maxAge:\s*(?:9[0-9]{5}[0-9]+|[1-9][0-9]{6,})/i,
+        // JWT without expiration
+        /jwt\.sign\([^)]*(?!.*?expiresIn)/i,
+        // Cookie session without expiration
+        /cookie-session.*?(?!.*?maxAge)/i,
+        // Missing idle timeout
+        /session.*?(?!.*?(?:idle|inactivity).*?timeout)/i,
+    ],
+    negativePatterns: [
+        /maxAge:\s*[1-8][0-9]{5}/i, // <= 900000 (15 min)
+        /expiresIn:\s*['"](?:1[0-5]m|[1-9]m)['"]/i,
+        /idleTimeout/i,
+    ],
+    autoFix: 'Set session timeout: maxAge: 900000 (15 min), implement idle timeout detector',
+    confidence: 'high',
+    category: 'access-control',
+};
+/**
+ * HIPAA-REVOKE-001: Immediate Access Revocation
+ */
+export const ACCESS_REVOCATION_PATTERNS = {
+    id: 'HIPAA-REVOKE-001',
+    name: 'Missing Immediate Access Revocation',
+    description: 'User deactivation must immediately invalidate all sessions and tokens.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.308(a)(3)(ii)(C) - Termination Procedures (Required)',
+    patterns: [
+        // Deactivate user without token revocation
+        /(?:deactivate|disable|remove)User(?!.*?(?:revoke|invalidate|blacklist).*?(?:token|session))/i,
+        // Delete user without session cleanup
+        /(?:deleteUser|removeUser).*?(?!.*?(?:logout|invalidate|clearSessions))/i,
+        // Missing token blacklist
+        /(?:user|admin).*?(?:deactivat|terminat).*?(?!.*?blacklist)/i,
+        // Role change without re-auth
+        /(?:updateRole|changePermissions)(?!.*?(?:logout|reauth|invalidate))/i,
+    ],
+    negativePatterns: [
+        /revokeAllTokens/i,
+        /invalidateAllSessions/i,
+        /tokenBlacklist\.add/i,
+        /clearUserSessions/i,
+    ],
+    autoFix: 'Add token revocation: Call revokeAllTokens() and invalidateAllSessions() on user deactivation',
+    confidence: 'medium',
+    category: 'access-control',
+};
+/**
+ * HIPAA-BREACH-001: 24-Hour Breach Notification
+ */
+export const BREACH_NOTIFICATION_PATTERNS = {
+    id: 'HIPAA-BREACH-001',
+    name: 'Missing Breach Notification Mechanism',
+    description: 'Must have automated breach detection and notification within 24 hours.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.308(a)(6)(ii) - Security Incident Procedures (Required)',
+    patterns: [
+        // Security errors without breach handler
+        /catch\s*\(.*?error.*?\).*?(?:security|unauthorized|breach)(?!.*?(?:notifyBreach|incidentResponse|alertSecurity))/i,
+        // Failed login attempts without monitoring
+        /(?:failed|invalid).*?(?:login|auth)(?!.*?(?:monitor|alert|notify))/i,
+        // Data access anomaly without alert
+        /(?:unusual|suspicious).*?access(?!.*?(?:alert|notify|incident))/i,
+    ],
+    negativePatterns: [
+        /breachNotification\./i,
+        /incidentResponse\.trigger/i,
+        /securityAlert\.send/i,
+        /notifyBreach/i,
+    ],
+    autoFix: 'Implement breach notification: Create incident response handler, set up 24h alert system',
+    confidence: 'medium',
+    category: 'audit-logging',
+};
+/**
+ * HIPAA-SEGMENT-001: Network Segmentation
+ */
+export const NETWORK_SEGMENTATION_PATTERNS = {
+    id: 'HIPAA-SEGMENT-001',
+    name: 'Missing Network Segmentation for PHI',
+    description: 'PHI services must be network-segmented with restricted CORS and firewall rules.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(e)(1) - Transmission Security (Required)',
+    patterns: [
+        // CORS allowing all origins for PHI
+        /cors\(\{?\s*origin:\s*['"]?\*['"]?.*?(?:patient|phi|medical)/i,
+        // PHI API without network restrictions
+        /\/api.*?(?:patient|phi|medical)(?!.*?(?:firewall|vpc|subnet|private))/i,
+        // Internal PHI service publicly accessible
+        /(?:express|fastify|koa)\.listen.*?(?:patient|phi)(?!.*?(?:localhost|127\.0\.0\.1|private))/i,
+        // Missing VPC/subnet config
+        /(?:database|storage).*?(?:patient|phi)(?!.*?(?:vpc|subnet|securityGroup))/i,
+    ],
+    negativePatterns: [
+        /origin:\s*\[.*?\]/i, // Whitelist
+        /private.*?subnet/i,
+        /securityGroup/i,
+        /firewall.*?rules/i,
+    ],
+    autoFix: 'Implement network segmentation: Use VPC/subnet isolation, restrict CORS to whitelisted origins',
+    confidence: 'high',
+    category: 'access-control',
+};
+/**
+ * HIPAA-ASSET-001: Technology Asset Inventory
+ * Special pattern - triggers asset inventory generation
+ */
+export const ASSET_INVENTORY_PATTERNS = {
+    id: 'HIPAA-ASSET-001',
+    name: 'Generate ePHI Technology Asset Inventory',
+    description: 'Automatic inventory of all systems processing, storing, or transmitting ePHI.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.308(a)(1)(ii)(A) - Risk Analysis (Required)',
+    patterns: [
+        // Databases
+        /(?:mongoose|sequelize|prisma|typeorm|knex)\.(?:connect|model)/i,
+        // Storage services
+        /(?:s3|azure\.storage|gcs)\./i,
+        // Third-party integrations
+        /(?:stripe|twilio|sendgrid|mailgun)\.(?:api|client)/i,
+        // APIs
+        /(?:axios|fetch|got|request)\./i,
+    ],
+    autoFix: 'Asset inventory will be generated automatically in scan report',
+    confidence: 'high',
+    category: 'data-retention',
+};
+/**
+ * HIPAA-FLOW-001: ePHI Flow Mapping
+ * Special pattern - triggers flow map generation
+ */
+export const PHI_FLOW_MAPPING_PATTERNS = {
+    id: 'HIPAA-FLOW-001',
+    name: 'Generate ePHI Flow Map',
+    description: 'Automatic mapping of PHI data flow through system (input → processing → storage → output).',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.308(a)(1)(ii)(A) - Risk Analysis (Required)',
+    patterns: [
+        // Input points
+        /(?:req\.body|req\.params|req\.query).*?(?:patient|phi|medical)/i,
+        // Processing
+        /(?:process|transform|validate).*?(?:patient|phi)/i,
+        // Storage
+        /(?:save|insert|update).*?(?:patient|phi)/i,
+        // Output
+        /(?:res\.(?:send|json)|return).*?(?:patient|phi)/i,
+    ],
+    autoFix: 'PHI flow map will be generated automatically in scan report',
+    confidence: 'high',
+    category: 'data-retention',
+};
+/**
+ * HIPAA-PENTEST-001: Vulnerability Scanning Configuration
+ */
+export const VULNERABILITY_SCANNING_PATTERNS = {
+    id: 'HIPAA-PENTEST-001',
+    name: 'Missing Vulnerability Scanning Configuration',
+    description: 'Must have automated vulnerability scanning (Dependabot, Snyk, Trivy) in CI/CD.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.308(a)(8) - Evaluation (Required)',
+    patterns: [
+        // Missing security scanning configs
+        /package\.json(?!.*?(?:snyk|audit|vulnerability))/i,
+    ],
+    negativePatterns: [
+        /dependabot\.yml/i,
+        /snyk\.yml/i,
+        /trivy/i,
+        /npm audit/i,
+        /security.*?scan/i,
+    ],
+    autoFix: 'Add vulnerability scanning: Enable Dependabot, add Snyk/Trivy to CI/CD pipeline',
+    confidence: 'medium',
+    category: 'audit-logging',
+};
+export const ALL_HIPAA_2026_PATTERNS = [
+    MFA_PATTERNS,
+    ENCRYPTION_AT_REST_PATTERNS,
+    SESSION_TIMEOUT_PATTERNS,
+    ACCESS_REVOCATION_PATTERNS,
+    BREACH_NOTIFICATION_PATTERNS,
+    NETWORK_SEGMENTATION_PATTERNS,
+    ASSET_INVENTORY_PATTERNS,
+    PHI_FLOW_MAPPING_PATTERNS,
+    VULNERABILITY_SCANNING_PATTERNS,
+];
+//# sourceMappingURL=patterns.js.map