refactor: deduplicate data classification and compliance framework enums via shared schemas from security-context.zod.ts

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

packages/spec/src/system/change-management.zod.ts

@@ -1,6 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { z } from 'zod';
+import { DataClassificationSchema } from './security-context.zod';
 
 /**
  * Change Type Enum
@@ -337,9 +338,8 @@ export const ChangeRequestSchema = z.object({
     /**
      * Data classifications affected by this change
      */
-    affectedDataClassifications: z.array(z.enum([
-      'pii', 'phi', 'pci', 'financial', 'confidential', 'internal', 'public',
-    ])).optional().describe('Affected data classifications'),
+    affectedDataClassifications: z.array(DataClassificationSchema)
+      .optional().describe('Affected data classifications'),
 
     /**
      * Whether the change requires security team approval

packages/spec/src/system/compliance.zod.ts

@@ -1,6 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { z } from 'zod';
+import { ComplianceFrameworkSchema } from './security-context.zod';
 
 /**
  * Compliance protocol for GDPR, CCPA, HIPAA, SOX, PCI-DSS
@@ -161,7 +162,7 @@ export const AuditFindingSchema = z.object({
   /**
    * Compliance framework
    */
-  framework: z.enum(['gdpr', 'hipaa', 'sox', 'pci_dss', 'ccpa', 'iso27001']).optional()
+  framework: ComplianceFrameworkSchema.optional()
     .describe('Related compliance framework'),
 
   /**
@@ -240,7 +241,7 @@ export const AuditScheduleSchema = z.object({
   /**
    * Target compliance framework
    */
-  framework: z.enum(['gdpr', 'hipaa', 'sox', 'pci_dss', 'ccpa', 'iso27001'])
+  framework: ComplianceFrameworkSchema
     .describe('Target compliance framework'),
 
   /**

packages/spec/src/system/incident-response.zod.ts

@@ -1,6 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { z } from 'zod';
+import { DataClassificationSchema } from './security-context.zod';
 
 /**
  * Incident Response Protocol — ISO 27001:2022 (A.5.24–A.5.28)
@@ -270,9 +271,8 @@ export const IncidentSchema = z.object({
   /**
    * Data classifications affected (for data breach assessment)
    */
-  affectedDataClassifications: z.array(z.enum([
-    'pii', 'phi', 'pci', 'financial', 'confidential', 'internal', 'public',
-  ])).optional().describe('Affected data classifications'),
+  affectedDataClassifications: z.array(DataClassificationSchema)
+    .optional().describe('Affected data classifications'),
 
   /**
    * Structured response phases tracking

packages/spec/src/system/security-context.zod.ts

@@ -21,12 +21,32 @@ import { z } from 'zod';
  * @category Security
  */
 
+/**
+ * Shared data classification enum used across security subsystems.
+ * Defines the canonical set of data sensitivity labels.
+ */
+export const DataClassificationSchema = z.enum([
+  'pii', 'phi', 'pci', 'financial', 'confidential', 'internal', 'public',
+]).describe('Data classification level');
+
+export type DataClassification = z.infer<typeof DataClassificationSchema>;
+
+/**
+ * Shared compliance framework enum used across compliance and security schemas.
+ * Defines the canonical set of regulatory frameworks.
+ */
+export const ComplianceFrameworkSchema = z.enum([
+  'gdpr', 'hipaa', 'sox', 'pci_dss', 'ccpa', 'iso27001',
+]).describe('Compliance framework identifier');
+
+export type ComplianceFramework = z.infer<typeof ComplianceFrameworkSchema>;
+
 /**
  * Compliance-driven audit requirement.
  * Maps specific compliance frameworks to the audit event types that MUST be captured.
  */
 export const ComplianceAuditRequirementSchema = z.object({
-  framework: z.enum(['gdpr', 'hipaa', 'sox', 'pci_dss', 'ccpa', 'iso27001'])
+  framework: ComplianceFrameworkSchema
     .describe('Compliance framework identifier'),
   requiredEvents: z.array(z.string())
     .describe('Audit event types required by this framework (e.g., "data.delete", "auth.login")'),
@@ -43,11 +63,10 @@ export type ComplianceAuditRequirement = z.infer<typeof ComplianceAuditRequireme
  * Maps compliance frameworks to encryption mandates for specific data classifications.
  */
 export const ComplianceEncryptionRequirementSchema = z.object({
-  framework: z.enum(['gdpr', 'hipaa', 'sox', 'pci_dss', 'ccpa', 'iso27001'])
+  framework: ComplianceFrameworkSchema
     .describe('Compliance framework identifier'),
-  dataClassifications: z.array(z.enum([
-    'pii', 'phi', 'pci', 'financial', 'confidential', 'internal', 'public',
-  ])).describe('Data classifications that must be encrypted under this framework'),
+  dataClassifications: z.array(DataClassificationSchema)
+    .describe('Data classifications that must be encrypted under this framework'),
   minimumAlgorithm: z.enum(['aes-256-gcm', 'aes-256-cbc', 'chacha20-poly1305']).default('aes-256-gcm')
     .describe('Minimum encryption algorithm strength required'),
   keyRotationMaxDays: z.number().min(1).default(90)
@@ -61,9 +80,8 @@ export type ComplianceEncryptionRequirement = z.infer<typeof ComplianceEncryptio
  * Controls which roles can view unmasked data with audit trail enforcement.
  */
 export const MaskingVisibilityRuleSchema = z.object({
-  dataClassification: z.enum([
-    'pii', 'phi', 'pci', 'financial', 'confidential', 'internal', 'public',
-  ]).describe('Data classification this rule applies to'),
+  dataClassification: DataClassificationSchema
+    .describe('Data classification this rule applies to'),
   defaultMasked: z.boolean().default(true)
     .describe('Whether data is masked by default'),
   unmaskRoles: z.array(z.string()).optional()
@@ -102,9 +120,8 @@ export type SecurityEventCorrelation = z.infer<typeof SecurityEventCorrelationSc
  * Assigns classification labels to fields/objects for unified security enforcement.
  */
 export const DataClassificationPolicySchema = z.object({
-  classification: z.enum([
-    'pii', 'phi', 'pci', 'financial', 'confidential', 'internal', 'public',
-  ]).describe('Data classification level'),
+  classification: DataClassificationSchema
+    .describe('Data classification level'),
   requireEncryption: z.boolean().default(false)
     .describe('Encryption required for this classification'),
   requireMasking: z.boolean().default(false)

packages/spec/src/system/supplier-security.zod.ts

@@ -1,6 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { z } from 'zod';
+import { DataClassificationSchema } from './security-context.zod';
 
 /**
  * Supplier Security Protocol — ISO 27001:2022 (A.5.19–A.5.22)
@@ -160,9 +161,8 @@ export const SupplierSecurityAssessmentSchema = z.object({
   /**
    * Data classifications shared with this supplier
    */
-  dataClassificationsShared: z.array(z.enum([
-    'pii', 'phi', 'pci', 'financial', 'confidential', 'internal', 'public',
-  ])).optional().describe('Data classifications shared with supplier'),
+  dataClassificationsShared: z.array(DataClassificationSchema)
+    .optional().describe('Data classifications shared with supplier'),
 
   /**
    * Services provided by the supplier