# Compliance Engine (SOC2/ISO27001/PCI-DSS/HIPAA/FedRAMP/GDPR with Framework Mapping and Reporting)

## Module
ReleaseOrchestrator

## Status
IMPLEMENTED

## Description
Multi-framework compliance engine that maps release controls to regulatory requirements across SOC2, ISO 27001, PCI-DSS, HIPAA, FedRAMP, and GDPR. Includes framework mapper for automated control alignment and gap analysis, multi-format report generation with evidence linking, and control implementation status tracking per framework.

## Implementation Details
- **Modules**: `src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Compliance/`
- **Key Classes**:
  - `ComplianceEngine` (`src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Compliance/ComplianceEngine.cs`) - multi-framework compliance evaluation engine
  - `FrameworkMapper` (`src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Compliance/FrameworkMapper.cs`) - maps release controls to regulatory framework requirements
  - `ControlValidator` (`src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Compliance/ControlValidator.cs`) - validates control implementation status
  - `ReportGenerator` (`src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Compliance/ReportGenerator.cs`) - multi-format compliance report generation
  - `ComplianceController` (`src/ReleaseOrchestrator/StellaOps.ReleaseOrchestrator.Api/Controllers/ComplianceController.cs`) - REST API for compliance queries
- **Source**: SPRINT_20260117_039_ReleaseOrchestrator_compliance.md

## E2E Test Plan
- [ ] Run compliance evaluation against SOC2 framework and verify control mapping output
- [ ] Verify gap analysis: identify unimplemented controls via `FrameworkMapper` for PCI-DSS
- [ ] Verify multi-framework: evaluate a release against both ISO 27001 and HIPAA simultaneously
- [ ] Verify report generation: generate a compliance report and verify evidence linking
- [ ] Verify API: call `ComplianceController` endpoint and verify compliance status response