-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathcompliance.zod.ts
More file actions
291 lines (252 loc) · 10.4 KB
/
compliance.zod.ts
File metadata and controls
291 lines (252 loc) · 10.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
import { z } from 'zod';
import { ComplianceFrameworkSchema } from './security-context.zod';
/**
* Compliance protocol for GDPR, CCPA, HIPAA, SOX, PCI-DSS
*/
import { lazySchema } from '../shared/lazy-schema';
export const GDPRConfigSchema = lazySchema(() => z.object({
enabled: z.boolean().describe('Enable GDPR compliance controls'),
dataSubjectRights: z.object({
rightToAccess: z.boolean().default(true).describe('Allow data subjects to access their data'),
rightToRectification: z.boolean().default(true).describe('Allow data subjects to correct their data'),
rightToErasure: z.boolean().default(true).describe('Allow data subjects to request deletion'),
rightToRestriction: z.boolean().default(true).describe('Allow data subjects to restrict processing'),
rightToPortability: z.boolean().default(true).describe('Allow data subjects to export their data'),
rightToObjection: z.boolean().default(true).describe('Allow data subjects to object to processing'),
}).describe('Data subject rights configuration per GDPR Articles 15-21'),
legalBasis: z.enum([
'consent',
'contract',
'legal-obligation',
'vital-interests',
'public-task',
'legitimate-interests',
]).describe('Legal basis for data processing under GDPR Article 6'),
consentTracking: z.boolean().default(true).describe('Track and record user consent'),
dataRetentionDays: z.number().optional().describe('Maximum data retention period in days'),
dataProcessingAgreement: z.string().optional().describe('URL or reference to the data processing agreement'),
}).describe('GDPR (General Data Protection Regulation) compliance configuration'));
export type GDPRConfig = z.infer<typeof GDPRConfigSchema>;
export type GDPRConfigInput = z.input<typeof GDPRConfigSchema>;
export const HIPAAConfigSchema = lazySchema(() => z.object({
enabled: z.boolean().describe('Enable HIPAA compliance controls'),
phi: z.object({
encryption: z.boolean().default(true).describe('Encrypt Protected Health Information at rest'),
accessControl: z.boolean().default(true).describe('Enforce role-based access to PHI'),
auditTrail: z.boolean().default(true).describe('Log all PHI access events'),
backupAndRecovery: z.boolean().default(true).describe('Enable PHI backup and disaster recovery'),
}).describe('Protected Health Information safeguards'),
businessAssociateAgreement: z.boolean().default(false).describe('BAA is in place with third-party processors'),
}).describe('HIPAA (Health Insurance Portability and Accountability Act) compliance configuration'));
export type HIPAAConfig = z.infer<typeof HIPAAConfigSchema>;
export type HIPAAConfigInput = z.input<typeof HIPAAConfigSchema>;
export const PCIDSSConfigSchema = lazySchema(() => z.object({
enabled: z.boolean().describe('Enable PCI-DSS compliance controls'),
level: z.enum(['1', '2', '3', '4']).describe('PCI-DSS compliance level (1 = highest)'),
cardDataFields: z.array(z.string()).describe('Field names containing cardholder data'),
tokenization: z.boolean().default(true).describe('Replace card data with secure tokens'),
encryptionInTransit: z.boolean().default(true).describe('Encrypt cardholder data during transmission'),
encryptionAtRest: z.boolean().default(true).describe('Encrypt stored cardholder data'),
}).describe('PCI-DSS (Payment Card Industry Data Security Standard) compliance configuration'));
export type PCIDSSConfig = z.infer<typeof PCIDSSConfigSchema>;
export type PCIDSSConfigInput = z.input<typeof PCIDSSConfigSchema>;
export const AuditLogConfigSchema = lazySchema(() => z.object({
enabled: z.boolean().default(true).describe('Enable audit logging'),
retentionDays: z.number().default(365).describe('Number of days to retain audit logs'),
immutable: z.boolean().default(true).describe('Prevent modification or deletion of audit logs'),
signLogs: z.boolean().default(false).describe('Cryptographically sign log entries for tamper detection'),
events: z.array(z.enum([
'create',
'read',
'update',
'delete',
'export',
'permission-change',
'login',
'logout',
'failed-login',
])).describe('Event types to capture in the audit log'),
}).describe('Audit log configuration for compliance and security monitoring'));
export type AuditLogConfig = z.infer<typeof AuditLogConfigSchema>;
export type AuditLogConfigInput = z.input<typeof AuditLogConfigSchema>;
/**
* Audit Finding Severity Schema
*
* Severity classification for audit findings.
*/
export const AuditFindingSeveritySchema = lazySchema(() => z.enum([
'critical', // Immediate remediation required
'major', // Significant non-conformity
'minor', // Minor non-conformity
'observation', // Improvement opportunity
]));
/**
* Audit Finding Status Schema
*
* Lifecycle status of an audit finding.
*/
export const AuditFindingStatusSchema = lazySchema(() => z.enum([
'open', // Finding identified, not yet addressed
'in_remediation', // Remediation in progress
'remediated', // Remediation completed, pending verification
'verified', // Remediation verified and accepted
'accepted_risk', // Risk accepted by management
'closed', // Finding closed
]));
/**
* Audit Finding Schema (A.5.35)
*
* Individual finding from a compliance or security audit.
* Supports tracking from discovery through remediation and verification.
*
* @example
* ```json
* {
* "id": "FIND-2024-001",
* "title": "Insufficient access logging",
* "description": "PHI access events are not being logged for HIPAA compliance",
* "severity": "major",
* "status": "in_remediation",
* "controlReference": "A.8.15",
* "framework": "iso27001",
* "identifiedAt": 1704067200000,
* "identifiedBy": "external_auditor",
* "remediationPlan": "Implement audit logging for all PHI access events",
* "remediationDeadline": 1706745600000
* }
* ```
*/
export const AuditFindingSchema = lazySchema(() => z.object({
/**
* Unique finding identifier
*/
id: z.string().describe('Unique finding identifier'),
/**
* Short descriptive title
*/
title: z.string().describe('Finding title'),
/**
* Detailed description of the finding
*/
description: z.string().describe('Finding description'),
/**
* Finding severity
*/
severity: AuditFindingSeveritySchema.describe('Finding severity'),
/**
* Current status
*/
status: AuditFindingStatusSchema.describe('Finding status'),
/**
* ISO 27001 control reference (e.g., "A.5.35", "A.8.15")
*/
controlReference: z.string().optional().describe('ISO 27001 control reference'),
/**
* Compliance framework
*/
framework: ComplianceFrameworkSchema.optional()
.describe('Related compliance framework'),
/**
* Timestamp when finding was identified (Unix milliseconds)
*/
identifiedAt: z.number().describe('Identification timestamp'),
/**
* User or entity who identified the finding
*/
identifiedBy: z.string().describe('Identifier (auditor name or system)'),
/**
* Planned remediation actions
*/
remediationPlan: z.string().optional().describe('Remediation plan'),
/**
* Remediation deadline (Unix milliseconds)
*/
remediationDeadline: z.number().optional().describe('Remediation deadline timestamp'),
/**
* Timestamp when remediation was verified (Unix milliseconds)
*/
verifiedAt: z.number().optional().describe('Verification timestamp'),
/**
* Verifier name or role
*/
verifiedBy: z.string().optional().describe('Verifier name or role'),
/**
* Notes or comments
*/
notes: z.string().optional().describe('Additional notes'),
}).describe('Audit finding with remediation tracking per ISO 27001:2022 A.5.35'));
export type AuditFinding = z.infer<typeof AuditFindingSchema>;
/**
* Audit Schedule Schema (A.5.35)
*
* Defines audit scheduling for independent information security reviews.
* Supports recurring audits, scope definition, and assessor assignment.
*
* @example
* ```json
* {
* "id": "AUDIT-2024-Q1",
* "title": "Q1 ISO 27001 Internal Audit",
* "scope": ["access_control", "encryption", "incident_response"],
* "framework": "iso27001",
* "scheduledAt": 1711929600000,
* "assessor": "internal_audit_team",
* "recurrenceMonths": 3
* }
* ```
*/
export const AuditScheduleSchema = lazySchema(() => z.object({
/**
* Unique audit schedule identifier
*/
id: z.string().describe('Unique audit schedule identifier'),
/**
* Audit title or name
*/
title: z.string().describe('Audit title'),
/**
* Scope of areas to audit
*/
scope: z.array(z.string()).describe('Audit scope areas'),
/**
* Target compliance framework
*/
framework: ComplianceFrameworkSchema
.describe('Target compliance framework'),
/**
* Scheduled audit date (Unix milliseconds)
*/
scheduledAt: z.number().describe('Scheduled audit timestamp'),
/**
* Actual completion date (Unix milliseconds)
*/
completedAt: z.number().optional().describe('Completion timestamp'),
/**
* Assessor name, team, or external firm
*/
assessor: z.string().describe('Assessor or audit team'),
/**
* Whether this is an external (independent) audit
*/
isExternal: z.boolean().default(false).describe('Whether this is an external audit'),
/**
* Recurrence interval in months (0 = one-time)
*/
recurrenceMonths: z.number().default(0).describe('Recurrence interval in months (0 = one-time)'),
/**
* Findings from this audit
*/
findings: z.array(AuditFindingSchema).optional().describe('Audit findings'),
}).describe('Audit schedule for independent security reviews per ISO 27001:2022 A.5.35'));
export type AuditSchedule = z.infer<typeof AuditScheduleSchema>;
export const ComplianceConfigSchema = lazySchema(() => z.object({
gdpr: GDPRConfigSchema.optional().describe('GDPR compliance settings'),
hipaa: HIPAAConfigSchema.optional().describe('HIPAA compliance settings'),
pciDss: PCIDSSConfigSchema.optional().describe('PCI-DSS compliance settings'),
auditLog: AuditLogConfigSchema.describe('Audit log configuration'),
auditSchedules: z.array(AuditScheduleSchema).optional()
.describe('Scheduled compliance audits (A.5.35)'),
}).describe('Unified compliance configuration spanning GDPR, HIPAA, PCI-DSS, and audit governance'));
export type ComplianceConfig = z.infer<typeof ComplianceConfigSchema>;
export type ComplianceConfigInput = z.input<typeof ComplianceConfigSchema>;