feat(bundles): sector-specific framework subset bundles

Summary

  • Adds sector-keyed framework bundles under compliance/sectors/ (dod, health, finance, education) so .reference.yaml selects a regulated-buyer posture in one line via applicable_frameworks: [sector:<slug>].
  • Renames the applicable_standards: field to applicable_frameworks: (old name still accepted as a backward-compat alias with a schema warning), and renames the hipaa SECTOR slug to health to disambiguate from the hipaa framework yaml_key (which stays unchanged). Astro redirect keeps the old URL alive.
  • Promotes SOX from a yaml_keys alias to a full framework with its own /compliance/frameworks/sox/ detail page.
  • Introduces a bash resolver (scripts/lib/resolve-frameworks.sh) + Astro twin (site/src/lib/bundles.ts), and a validate-bundles gate wired into make validate.

What's in scope

  • compliance/sectors/{dod,health,finance,education}.yaml — one bundle per sector, with a rationale: paragraph.
  • compliance/enforcer-to-standard.yaml — catalog-path -> standard slug map the resolver consumes.
  • scripts/lib/resolve-frameworks.sh + scripts/validate-bundles.sh.
  • site/src/lib/bundles.ts (TS twin), site/src/pages/compliance/sectors/[slug].astro (Bundle card + Standards-in-scope card), site/src/pages/compliance/sectors/<slug>/index.md.ts per-sector agent surfaces, site/src/pages/compliance/frameworks/sox.astro.
  • standards/conformance-config/SKILL.md gains an applicable_frameworks (bundles) block with worked examples per sector and the subtraction-precedence rule.
  • standards/conformance-config/templates/.reference.yaml flips the default to applicable_frameworks: all with a commented-out [sector:dod] example.

Test plan

  • make validate -- all five validators green (registry, matrix, bundles, versions, templates).
  • make build -- 57 pages, 0 errors. One info-level WARN about the /compliance/sectors/hipaa/ redirect HTML having no <main> to extract; expected for an Astro redirect.
  • Resolver round-trip per sector (validate-bundles asserts each bundle resolves to >=1 standard).
  • Subtraction tested: [sector:dod, !slsa] drops slsa_v1.
  • Legacy applicable_standards: path tested -- treated as literal standards list, prints schema warning, no bundle expansion.

Notes for reviewer

  • The hipaa -> health sector rename touches 25 rows in compliance/unified.yaml. The framework yaml_key hipaa is untouched.
  • New file compliance/enforcer-to-standard.yaml is the resolver's only piece of state. Adding a new catalog template to unified.yaml means adding a row here too; the validator catches missing rows on the next make validate.

🤖 Generated with Claude Code
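The resolution rules this MR describes (expanding `sector:<slug>` into a bundle, a `!framework` entry winning over any bundle that includes it, and the legacy `applicable_standards:` alias being taken literally with a schema warning and no bundle expansion) as an added worked example. It is not the MR's `resolve-frameworks.sh` or `bundles.ts`: the registry and bundle contents are constructed stand-ins, and `resolveFrameworks`, `validateBundles` and the framework-to-standard mapping are assumptions made for the example.

```typescript
// Added illustration of the applicable_frameworks resolution rules; not the project's code.
// Registry and bundle contents below are constructed for the example.

// Constructed stand-in for the framework registry: framework slug -> standard yaml_key.
// The real mapping lives in compliance/unified.yaml; these values are made up.
const FRAMEWORK_TO_STANDARD: Record<string, string> = {
  slsa: "slsa_v1",
  nist_800_171: "nist_800_171_r2",
  hipaa: "hipaa",
  sox: "sox",
  pci: "pci_dss_v4",
  ferpa: "ferpa",
};

// Constructed stand-in for compliance/sectors/<slug>.yaml: sector -> framework slugs.
const SECTOR_BUNDLES: Record<string, string[]> = {
  dod: ["nist_800_171", "slsa"],
  health: ["hipaa", "slsa"],
  finance: ["sox", "pci"],
  education: ["ferpa"],
};

interface ReferenceConfig {
  applicable_frameworks?: string[] | "all";
  applicable_standards?: string[]; // legacy field name, accepted as an alias
}

interface Resolution {
  standards: string[]; // sorted standard yaml_keys
  warnings: string[];
}

function allStandards(): string[] {
  const seen: Record<string, true> = {};
  Object.keys(FRAMEWORK_TO_STANDARD).forEach(fw => { seen[FRAMEWORK_TO_STANDARD[fw]] = true; });
  return Object.keys(seen).sort();
}

function standardFor(framework: string): string {
  const std = FRAMEWORK_TO_STANDARD[framework];
  if (std === undefined) throw new Error(`unknown framework: ${framework}`);
  return std;
}

function resolveFrameworks(cfg: ReferenceConfig): Resolution {
  const warnings: string[] = [];

  // Legacy alias: a literal list of standard keys, schema warning, no bundle expansion.
  if (cfg.applicable_frameworks === undefined && cfg.applicable_standards !== undefined) {
    warnings.push("schema: applicable_standards is deprecated, rename to applicable_frameworks");
    const known = allStandards();
    const seen: Record<string, true> = {};
    cfg.applicable_standards.forEach(s => {
      if (known.indexOf(s) < 0) throw new Error(`unknown standard: ${s}`);
      seen[s] = true;
    });
    return { standards: Object.keys(seen).sort(), warnings };
  }

  // Assumption for the example: a missing field behaves like the template default, "all".
  const entries = cfg.applicable_frameworks === undefined ? "all" : cfg.applicable_frameworks;
  if (entries === "all") return { standards: allStandards(), warnings };

  const included: Record<string, true> = {};
  const excluded: string[] = [];
  entries.forEach(raw => {
    const entry = raw.trim();
    if (entry.charAt(0) === "!") {
      excluded.push(standardFor(entry.slice(1)));
    } else if (entry.indexOf("sector:") === 0) {
      const slug = entry.slice("sector:".length);
      const bundle = SECTOR_BUNDLES[slug];
      if (bundle === undefined) throw new Error(`unknown sector bundle: ${slug}`);
      bundle.forEach(fw => { included[standardFor(fw)] = true; });
    } else {
      included[standardFor(entry)] = true;
    }
  });
  // Subtraction precedence: a `!framework` entry wins over any bundle or literal
  // that includes it, regardless of where it appears in the list.
  excluded.forEach(std => { delete included[std]; });
  return { standards: Object.keys(included).sort(), warnings };
}

// Mirrors the validate-bundles gate: each bundle must name only known frameworks
// and resolve to at least one standard. Returns a list of error strings (empty = green).
function validateBundles(): string[] {
  const errors: string[] = [];
  Object.keys(SECTOR_BUNDLES).forEach(slug => {
    const frameworks = SECTOR_BUNDLES[slug];
    frameworks.forEach(fw => {
      if (FRAMEWORK_TO_STANDARD[fw] === undefined) errors.push(`${slug}: unknown framework ${fw}`);
    });
    if (frameworks.length === 0) errors.push(`${slug}: bundle resolves to 0 standards`);
  });
  return errors;
}
```

With these constructed tables, `["sector:dod"]` resolves to `nist_800_171_r2` and `slsa_v1`, while `["!slsa", "sector:dod"]` drops `slsa_v1` even though the subtraction precedes the bundle, which is the precedence rule the SKILL.md block documents.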
