#![allow(dead_code)]
use serde::Serialize;
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize)]
pub enum FrameworkId {
Soc2TypeII,
Iso27001,
Fips140_3,
CcEal4Plus,
}
impl FrameworkId {
pub fn as_str(&self) -> &'static str {
match self {
FrameworkId::Soc2TypeII => "soc2_type_ii",
FrameworkId::Iso27001 => "iso_27001",
FrameworkId::Fips140_3 => "fips_140_3",
FrameworkId::CcEal4Plus => "cc_eal4_plus",
}
}
}
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize)]
pub enum EvidenceKind {
CompileTime,
RuntimeInvariant,
AutomatedArtifact,
TestSuite,
ManualPolicy,
ExternalOperational,
}
impl EvidenceKind {
pub fn as_str(&self) -> &'static str {
match self {
EvidenceKind::CompileTime => "compile_time",
EvidenceKind::RuntimeInvariant => "runtime_invariant",
EvidenceKind::AutomatedArtifact => "automated_artifact",
EvidenceKind::TestSuite => "test_suite",
EvidenceKind::ManualPolicy => "manual_policy",
EvidenceKind::ExternalOperational => "external_operational",
}
}
}
#[derive(Debug, Clone)]
pub struct Control {
pub framework: FrameworkId,
pub control_id: &'static str,
pub title: &'static str,
pub axon_primitive: &'static str,
pub evidence_kind: EvidenceKind,
pub evidence_locator: &'static str,
}
impl Control {
pub fn key(&self) -> String {
format!("{}:{}", self.framework.as_str(), self.control_id)
}
}
macro_rules! ctl {
($fw:ident, $id:expr, $title:expr, $prim:expr, $kind:ident, $loc:expr) => {
Control {
framework: FrameworkId::$fw,
control_id: $id,
title: $title,
axon_primitive: $prim,
evidence_kind: EvidenceKind::$kind,
evidence_locator: $loc,
}
};
}
fn soc2_controls() -> Vec<Control> {
vec![
ctl!(Soc2TypeII, "CC1.1", "Commitment to integrity", "Zero-shortcuts policy + signed commits", ManualPolicy, "CODE_OF_CONDUCT.md (repo-external)"),
ctl!(Soc2TypeII, "CC2.1", "Quality information", "axon check compile-time compliance", CompileTime, "axon.compiler.type_checker._check_regulatory_compliance"),
ctl!(Soc2TypeII, "CC3.1", "Objectives specification", "manifest.compliance declares system's κ", CompileTime, "axon.compiler.ast_nodes.ManifestDefinition"),
ctl!(Soc2TypeII, "CC3.2", "Risk identification", "immune + KL-divergence baseline", RuntimeInvariant, "axon.runtime.immune.AnomalyDetector"),
ctl!(Soc2TypeII, "CC3.3", "Fraud potential", "reflex action quarantine/terminate", RuntimeInvariant, "axon.runtime.immune.ReflexEngine"),
ctl!(Soc2TypeII, "CC4.1", "Control activities", "ESK 6 subsystems", TestSuite, "tests/test_phase6_*.py"),
ctl!(Soc2TypeII, "CC4.2", "Technology controls", "shield + type checker + Phase 4 pass", CompileTime, "axon.compiler.type_checker"),
ctl!(Soc2TypeII, "CC5.1", "Policies deployment", "axonendpoint.shield binding", CompileTime, "axon.compiler.ast_nodes.AxonEndpointDefinition"),
ctl!(Soc2TypeII, "CC6.1", "Logical access controls", "Secret[T] with audit trail", RuntimeInvariant, "axon.runtime.esk.Secret"),
ctl!(Soc2TypeII, "CC6.2", "Credential provisioning", "Handler-level credential + CT-3 classification", RuntimeInvariant, "axon.runtime.handlers.base"),
ctl!(Soc2TypeII, "CC6.3", "Access modification/removal", "lease τ-decay", RuntimeInvariant, "axon.runtime.lease_kernel.LeaseKernel"),
ctl!(Soc2TypeII, "CC6.6", "Boundary access controls", "axonendpoint.shield mandatory", CompileTime, "_check_regulatory_compliance"),
ctl!(Soc2TypeII, "CC6.7", "Information transmission restriction", "Secret[T] no-materialize", RuntimeInvariant, "tests/test_phase6_runtime.py::TestSecret"),
ctl!(Soc2TypeII, "CC6.8", "Unauthorized change prevention", "ProvenanceChain Merkle", RuntimeInvariant, "axon.runtime.esk.ProvenanceChain"),
ctl!(Soc2TypeII, "CC7.1", "Event detection", "immune + EID", RuntimeInvariant, "axon.runtime.esk.EpistemicIntrusionDetector"),
ctl!(Soc2TypeII, "CC7.2", "Anomaly monitoring", "KL-based AnomalyDetector", RuntimeInvariant, "axon.runtime.immune.AnomalyDetector"),
ctl!(Soc2TypeII, "CC7.3", "Incident evaluation", "EID severity mapping", RuntimeInvariant, "axon.runtime.esk.eid.IntrusionEvent"),
ctl!(Soc2TypeII, "CC7.4", "Incident response", "reflex + heal linear", RuntimeInvariant, "axon.runtime.immune.HealKernel"),
ctl!(Soc2TypeII, "CC7.5", "Recovery", "reconcile Active Inference", RuntimeInvariant, "axon.runtime.reconcile_loop.ReconcileLoop"),
ctl!(Soc2TypeII, "CC8.1", "Change authorization", "SBOM deterministic content_hash", AutomatedArtifact, "axon sbom CLI"),
ctl!(Soc2TypeII, "CC9.1", "Risk mitigation activities", "PrivacyBudget ε-tracker", RuntimeInvariant, "axon.runtime.esk.PrivacyBudget"),
ctl!(Soc2TypeII, "CC9.2", "Vendor risk management", "SBOM dependencies list", AutomatedArtifact, "axon sbom CLI"),
ctl!(Soc2TypeII, "C1.1", "Confidential information identification", "type κ annotation", CompileTime, "TypeDefinition.compliance"),
ctl!(Soc2TypeII, "C1.2", "Confidential information disposal", "lease τ-decay + Secret audit", RuntimeInvariant, "LeaseKernel + Secret.audit_trail"),
ctl!(Soc2TypeII, "PI1.1", "Processing objectives", "axon check passes ⟺ objectives met", CompileTime, "axon check exit 0"),
ctl!(Soc2TypeII, "PI1.4", "Output completeness", "Byzantine ensemble quorum", RuntimeInvariant, "axon.runtime.ensemble_aggregator"),
ctl!(Soc2TypeII, "PI1.5", "Information retention", "ProvenanceChain append-only", RuntimeInvariant, "ProvenanceChain.append"),
ctl!(Soc2TypeII, "P1.1", "Notice to data subjects", "dossier classes_covered", AutomatedArtifact, "axon dossier CLI"),
ctl!(Soc2TypeII, "P4.1", "Collection limitation", "Differential Privacy mechanisms", RuntimeInvariant, "axon.runtime.esk.privacy"),
ctl!(Soc2TypeII, "P5.1", "Data subject access", "Secret audit + ProvenanceChain", RuntimeInvariant, "Secret.audit_trail"),
ctl!(Soc2TypeII, "P6.1", "Disclosure restriction", "shield<GDPR> mandatory gate", CompileTime, "_check_regulatory_compliance"),
]
}
fn iso_27001_controls() -> Vec<Control> {
vec![
ctl!(Iso27001, "A.5.1", "Information security policies", "manifest.compliance declarations", CompileTime, "ManifestDefinition"),
ctl!(Iso27001, "A.5.2", "Security roles", "heal.mode human_in_loop", RuntimeInvariant, "HealDefinition.mode"),
ctl!(Iso27001, "A.5.3", "Segregation of duties", "shield.allow_tools / deny_tools", CompileTime, "ShieldDefinition"),
ctl!(Iso27001, "A.5.7", "Threat intelligence", "immune baseline-learned KL", RuntimeInvariant, "AnomalyDetector"),
ctl!(Iso27001, "A.5.8", "InfoSec in project management", "CI axon check gate", ExternalOperational, ".github/workflows/*.yml"),
ctl!(Iso27001, "A.5.23", "Cloud services InfoSec", "Handler protocol abstraction", RuntimeInvariant, "axon.runtime.handlers"),
ctl!(Iso27001, "A.5.24", "Incident management planning", "immune+reflex+heal+EID", RuntimeInvariant, "axon.runtime.immune + esk.eid"),
ctl!(Iso27001, "A.5.25", "Event assessment", "EID classify_severity", RuntimeInvariant, "EpistemicIntrusionDetector.observe"),
ctl!(Iso27001, "A.5.26", "Incident response", "reflex signed_trace", RuntimeInvariant, "ReflexEngine"),
ctl!(Iso27001, "A.5.27", "Learning from incidents", "ProvenanceChain ledger", AutomatedArtifact, "ProvenanceChain.entries"),
ctl!(Iso27001, "A.5.28", "Evidence collection", "Merkle chain + HMAC", AutomatedArtifact, "ProvenanceChain.append"),
ctl!(Iso27001, "A.5.30", "Business continuity ICT", "reconcile self-healing", RuntimeInvariant, "ReconcileLoop"),
ctl!(Iso27001, "A.5.33", "Records protection", "Immutable ProvenanceChain + SBOM", AutomatedArtifact, "axon sbom"),
ctl!(Iso27001, "A.5.34", "Privacy / PII protection", "compliance [GDPR, CCPA] + PrivacyBudget + Secret[T]", CompileTime, "TypeDefinition.compliance + PrivacyBudget"),
ctl!(Iso27001, "A.5.36", "Compliance with policies", "axon check enforces RTT", CompileTime, "_check_regulatory_compliance"),
ctl!(Iso27001, "A.8.1", "User endpoint devices", "axonendpoint.shield gate", CompileTime, "AxonEndpointDefinition"),
ctl!(Iso27001, "A.8.2", "Privileged access rights", "lease τ-decay", RuntimeInvariant, "LeaseKernel"),
ctl!(Iso27001, "A.8.3", "Information access restriction", "shield.allow_tools + Secret[T]", RuntimeInvariant, "ShieldDefinition + Secret"),
ctl!(Iso27001, "A.8.5", "Secure authentication", "Handler credential flow + CT-3", RuntimeInvariant, "axon.runtime.handlers"),
ctl!(Iso27001, "A.8.6", "Capacity management", "resource.capacity + manifest.zones", CompileTime, "ResourceDefinition"),
ctl!(Iso27001, "A.8.7", "Protection against malware", "immune behavioral detection", RuntimeInvariant, "AnomalyDetector + ReflexEngine"),
ctl!(Iso27001, "A.8.8", "Technical vulnerability management", "heal + human_in_loop + signed", RuntimeInvariant, "HealKernel"),
ctl!(Iso27001, "A.8.9", "Configuration management", "deterministic SBOM program_hash", AutomatedArtifact, "axon sbom"),
ctl!(Iso27001, "A.8.10", "Information deletion", "lease on_expire anchor_breach", RuntimeInvariant, "LeaseKernel"),
ctl!(Iso27001, "A.8.12", "Data leakage prevention", "Secret[T] no-materialize", RuntimeInvariant, "tests/test_phase6_runtime.py::TestSecret"),
ctl!(Iso27001, "A.8.13", "Information backup", "resource.lifetime persistent + axonstore", CompileTime, "ResourceDefinition"),
ctl!(Iso27001, "A.8.15", "Logging", "reflex HMAC signed_trace", RuntimeInvariant, "ReflexEngine"),
ctl!(Iso27001, "A.8.16", "Monitoring", "immune continuous sensing", RuntimeInvariant, "AnomalyDetector"),
ctl!(Iso27001, "A.8.17", "Clock synchronization", "ISO-8601 UTC timestamps", RuntimeInvariant, "LambdaEnvelope.tau"),
ctl!(Iso27001, "A.8.20", "Network security", "Handler CT-3 partition classification", RuntimeInvariant, "NetworkPartitionError"),
ctl!(Iso27001, "A.8.23", "Web filtering", "shield.scan threat categories", CompileTime, "ShieldDefinition.scan"),
ctl!(Iso27001, "A.8.24", "Use of cryptography", "HmacSigner + Ed25519Signer + DilithiumSigner", RuntimeInvariant, "axon.runtime.esk.provenance"),
ctl!(Iso27001, "A.8.25", "SDL", "axon check CI gate", ExternalOperational, ".github/workflows"),
ctl!(Iso27001, "A.8.26", "Application security requirements", "compliance declarations", CompileTime, "TypeDefinition + ShieldDefinition"),
ctl!(Iso27001, "A.8.27", "Secure architecture", "π-calculus + Linear + Separation Logic compile-time", CompileTime, "type_checker.*"),
ctl!(Iso27001, "A.8.28", "Secure coding", "Compile-time type errors (Theorem 5.1)", CompileTime, "paper_lambda_lineal_epistemico.md"),
ctl!(Iso27001, "A.8.29", "Security testing", "pytest 3680 tests", TestSuite, "tests/"),
ctl!(Iso27001, "A.8.30", "Outsourced development", "Dual-remote strategy + SBOM", AutomatedArtifact, "DEVELOPMENT.md + axon sbom"),
ctl!(Iso27001, "A.8.31", "Dev/test/prod separation", "fabric.ephemeral", CompileTime, "FabricDefinition"),
ctl!(Iso27001, "A.8.32", "Change management", "deterministic SBOM diff", AutomatedArtifact, "axon sbom"),
ctl!(Iso27001, "A.8.33", "Test information", "DP-noise test data", RuntimeInvariant, "laplace_noise / gaussian_noise"),
]
}
fn fips_140_3_controls() -> Vec<Control> {
vec![
ctl!(Fips140_3, "FIPS.ALG_APPROVED", "Only FIPS-approved algorithms used", "HMAC-SHA256 + SHA-256 + Ed25519 + ML-DSA-65", RuntimeInvariant, "axon.runtime.esk.provenance"),
ctl!(Fips140_3, "FIPS.BOUNDARY", "Cryptographic boundary defined", "ESK-CB: provenance.py + secret.py + attestation.py", ManualPolicy, "docs/compliance/fips_140_3_submission_template.md"),
ctl!(Fips140_3, "FIPS.FSM", "Finite State Model", "POWER-OFF → INITIALIZED → OPERATIONAL", ManualPolicy, "docs/compliance/fips_140_3_submission_template.md §6"),
ctl!(Fips140_3, "FIPS.KAT_HMAC", "HMAC-SHA256 Known Answer Test", "Test with fixed key/message → known tag", TestSuite, "tests/test_phase6_runtime.py"),
ctl!(Fips140_3, "FIPS.KAT_SHA", "SHA-256 Known Answer Test", "SHA-256('abc') verification", TestSuite, "tests/test_phase6_runtime.py"),
ctl!(Fips140_3, "FIPS.KAT_ED25519", "Ed25519 KAT (NIST CAVP vectors)", "Pending: Ed25519 KAT test", TestSuite, "PENDING"),
ctl!(Fips140_3, "FIPS.PCT", "Pairwise consistency test Ed25519", "generate → sign → verify", TestSuite, "tests/test_phase6_runtime.py"),
ctl!(Fips140_3, "FIPS.RNG", "Approved RNG source", "Python secrets.token_bytes (OS CSPRNG)", RuntimeInvariant, "HmacSigner.random"),
ctl!(Fips140_3, "FIPS.CT_COMPARE", "Constant-time comparisons", "hmac.compare_digest for MAC verify", RuntimeInvariant, "HmacSigner.verify"),
ctl!(Fips140_3, "FIPS.KEY_LIFECYCLE", "Key zeroization on dispose", "Garbage collection + no plaintext in repr", RuntimeInvariant, "Secret[T] invariant"),
ctl!(Fips140_3, "FIPS.DELIVERY", "Secure delivery procedures", "PyPI package + GitHub release signatures", ExternalOperational, "pyproject.toml + release workflow"),
ctl!(Fips140_3, "FIPS.SELF_TEST", "Pre-operational self-test on load", "Pending: module-load KAT execution", TestSuite, "PENDING"),
ctl!(Fips140_3, "FIPS.LAB_CAVP", "CAVP algorithm testing", "Business: engage NIST-accredited lab", ExternalOperational, "PENDING (external)"),
ctl!(Fips140_3, "FIPS.CMVP", "CMVP module validation", "Business: submission to NIST", ExternalOperational, "PENDING (external)"),
]
}
fn cc_eal4_plus_controls() -> Vec<Control> {
vec![
ctl!(CcEal4Plus, "FAU_GEN.1", "Audit data generation", "ReflexOutcome + ProvenanceChain", RuntimeInvariant, "ProvenanceChain.append"),
ctl!(CcEal4Plus, "FAU_GEN.2", "User identity association", "Secret.audit_trail accessor", RuntimeInvariant, "SecretAccess"),
ctl!(CcEal4Plus, "FAU_SAR.1", "Audit review", "axon dossier / sbom + chain.entries()", AutomatedArtifact, "CLI commands"),
ctl!(CcEal4Plus, "FAU_STG.1", "Protected audit storage", "Merkle append-only chain", RuntimeInvariant, "ProvenanceChain"),
ctl!(CcEal4Plus, "FCO_NRO.1", "Proof of origin", "Ed25519Signer / DilithiumSigner", RuntimeInvariant, "provenance.py"),
ctl!(CcEal4Plus, "FCS_COP.1", "Cryptographic operation", "HMAC-SHA256 + Ed25519 + Dilithium3", RuntimeInvariant, "provenance.py"),
ctl!(CcEal4Plus, "FCS_CKM.1", "Key generation", "HmacSigner.random via secrets.token_bytes", RuntimeInvariant, "HmacSigner"),
ctl!(CcEal4Plus, "FDP_ACC.1", "Access control (coverage rule)", "κ(shield) ⊇ κ(body)∪κ(output)", CompileTime, "_check_regulatory_compliance"),
ctl!(CcEal4Plus, "FDP_IFC.1", "Information flow control", "κ propagation through types", CompileTime, "TypeDefinition + type_checker"),
ctl!(CcEal4Plus, "FDP_IFF.1", "Security attributes", "compliance: [HIPAA,...] annotation", CompileTime, "TypeDefinition"),
ctl!(CcEal4Plus, "FDP_ITC.2", "Import with attributes", "manifest.compliance at ingest boundary", CompileTime, "ManifestDefinition"),
ctl!(CcEal4Plus, "FIA_UAU.1", "Authentication timing", "Handler-level credential flow", RuntimeInvariant, "axon.runtime.handlers"),
ctl!(CcEal4Plus, "FMT_MSA.1", "Security attribute management", "Only shield definitions set compliance", CompileTime, "ShieldDefinition.compliance"),
ctl!(CcEal4Plus, "FMT_SMR.1", "Security roles", "Crypto Officer + User + Reviewer (heal.mode)", RuntimeInvariant, "HealDefinition.mode"),
ctl!(CcEal4Plus, "FPR_PSE.1", "Pseudonymity", "DP Laplace mechanism", RuntimeInvariant, "laplace_noise"),
ctl!(CcEal4Plus, "FPR_UNL.1", "Unlinkability", "DP Gaussian with composition", RuntimeInvariant, "gaussian_noise + PrivacyBudget"),
ctl!(CcEal4Plus, "FPT_TST.1", "TSF testing", "pytest 3680 tests", TestSuite, "tests/"),
ctl!(CcEal4Plus, "FPT_ITC.1", "Inter-TSF confidentiality", "Secret[T] no-materialize", RuntimeInvariant, "Secret"),
ctl!(CcEal4Plus, "FRU_RSA.1", "Maximum quotas", "resource.capacity + heal.max_patches", CompileTime, "ResourceDefinition + HealDefinition"),
ctl!(CcEal4Plus, "FTP_ITC.1", "Inter-TSF trusted channel", "Operator's TLS stack (outside TOE)", ExternalOperational, "PENDING (operator-provided)"),
ctl!(CcEal4Plus, "ALC_FLR.2", "Flaw reporting procedures", "GitHub Issues SLA", ExternalOperational, "SECURITY.md (organization-authored)"),
ctl!(CcEal4Plus, "AVA_VAN.5", "Advanced vulnerability analysis", "External pentest (accredited lab)", ExternalOperational, "PENDING (external)"),
]
}
pub fn controls_for(framework: FrameworkId) -> Vec<Control> {
match framework {
FrameworkId::Soc2TypeII => soc2_controls(),
FrameworkId::Iso27001 => iso_27001_controls(),
FrameworkId::Fips140_3 => fips_140_3_controls(),
FrameworkId::CcEal4Plus => cc_eal4_plus_controls(),
}
}
pub fn all_frameworks() -> Vec<FrameworkId> {
vec![
FrameworkId::Soc2TypeII,
FrameworkId::Iso27001,
FrameworkId::Fips140_3,
FrameworkId::CcEal4Plus,
]
}
pub fn control_count(framework: FrameworkId) -> usize {
controls_for(framework).len()
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn control_counts_match_python() {
assert_eq!(control_count(FrameworkId::Soc2TypeII), 31);
assert_eq!(control_count(FrameworkId::Iso27001), 41);
assert_eq!(control_count(FrameworkId::Fips140_3), 14);
assert_eq!(control_count(FrameworkId::CcEal4Plus), 22);
}
#[test]
fn control_ids_unique_within_framework() {
for fw in all_frameworks() {
let ids: Vec<_> = controls_for(fw).iter().map(|c| c.control_id).collect();
let mut sorted = ids.clone();
sorted.sort();
sorted.dedup();
assert_eq!(ids.len(), sorted.len(), "duplicate ids in {:?}", fw);
}
}
#[test]
fn every_control_has_axon_primitive_and_locator() {
for fw in all_frameworks() {
for c in controls_for(fw) {
assert!(!c.axon_primitive.is_empty(), "{:?} {} missing primitive", fw, c.control_id);
assert!(!c.evidence_locator.is_empty(), "{:?} {} missing locator", fw, c.control_id);
}
}
}
#[test]
fn framework_id_as_str_matches_python() {
assert_eq!(FrameworkId::Soc2TypeII.as_str(), "soc2_type_ii");
assert_eq!(FrameworkId::Iso27001.as_str(), "iso_27001");
assert_eq!(FrameworkId::Fips140_3.as_str(), "fips_140_3");
assert_eq!(FrameworkId::CcEal4Plus.as_str(), "cc_eal4_plus");
}
}