
Add HIPAA audit control evidence gates#1452

Open
jddark62 wants to merge 2 commits into
UnitOneAI:mainfrom
jddark62:improve/hipaa-audit-control-evidence

Conversation


@jddark62 jddark62 commented Jun 6, 2026

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: hipaa-review
Skill path: skills/compliance/hipaa-review/

Closes #1413.

What Was Wrong

The skill listed 164.312(b) audit controls, but it could still over-credit a generic logging packet as compliant. A reviewer could see one EHR login event, SIEM forwarding, and six-year retention text while missing ePHI view/export/modify/delete events, break-glass access, admin changes, API/service access, log integrity, timestamp reliability, and the required information system activity review linkage under 164.308(a)(1)(ii)(D).

What This PR Fixes

  • Adds 164.312(b) audit-control evidence gates for ePHI system and event coverage.
  • Requires evidence sources for application, database, cloud, API gateway, SIEM, EDR, and Business Associate audit trails.
  • Adds log integrity and time-basis checks for NTP/time source, immutable archive, hash/signature or archive controls, chain of custody, and restore/export testing.
  • Links audit controls to 164.308(a)(1)(ii)(D) activity review through report/query, owner, cadence, exception disposition, and follow-up evidence.
  • Adds downgrade/cap rules so login-only logging, unmapped event families, mutable logs, retention-only evidence, and disconnected activity reviews cannot be marked compliant.
  • Adds Not Evaluable handling for legacy and Business Associate systems where event coverage cannot be proven.
  • Adds a HIPAA audit-control coverage matrix to the report output.
  • Adds edge-case fixtures for login-only logging, retention without integrity/time basis, unknown Business Associate coverage, disconnected activity review, legacy compensating controls, and complete audit-control evidence.

Evidence

Before (skill misses this / false positive on this):

technical_safeguards:
  164_312_b_audit_controls: implemented
logging_enabled: true
siem_connected: true
retention_policy: six_years
sampled_events:
  - user_login
events_not_mapped:
  - ephi_view
  - ephi_export
  - ephi_modify
  - ephi_delete
  - break_glass_access
log_integrity: not_tested
activity_review_linkage: missing

After (now correctly handled):

The review requires a system-by-system audit-control coverage matrix showing ePHI event coverage, log source, integrity/time basis, retention evidence, activity-review linkage, exception owner, and a Compliant / Partial / Non-Compliance / Not Evaluable decision.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/)
  • Added benign test cases (tests/)
  • Existing tests still pass

Added fixture:

  • skills/compliance/hipaa-review/tests/audit-control-edge-cases.md

Validation run locally:

git diff --check
Markdown fence and marker sanity checks
privacy scan for local path/name leaks
Reference URL checks for eCFR 164.308, 164.312, 164.316, and NIST SP 800-66 Rev. 2 returned HTTP 200

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Can provide privately after maintainer acceptance.


/claim #1413
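As an added example (not code from this PR or the hipaa-review skill), the downgrade/cap rules listed under "What This PR Fixes" applied to the "Before" fixture above. Field names follow that fixture; the specific cap level each failed gate imposes, and the `tested` / `linked` marker values, are assumptions.

```python
# Added example, not the hipaa-review skill's own logic: apply the PR's
# described evidence gates to one system's 164.312(b) audit-control packet
# and return a Compliant / Partial / Non-Compliance / Not Evaluable decision.
# Cap levels per gate and the "tested"/"linked" marker values are assumed.
EPHI_EVENTS = {"ephi_view", "ephi_export", "ephi_modify", "ephi_delete", "break_glass_access"}
RANK = {"Non-Compliance": 0, "Partial": 1, "Compliant": 2}

# Constructed packet mirroring the PR's "Before" fixture.
LOGIN_ONLY_PACKET = {
    "logging_enabled": True, "siem_connected": True, "retention_policy": "six_years",
    "sampled_events": ["user_login"],
    "events_not_mapped": sorted(EPHI_EVENTS),
    "log_integrity": "not_tested",          # no immutable archive / hash evidence
    "activity_review_linkage": "missing",   # no 164.308(a)(1)(ii)(D) tie-in
}

# Constructed packet for the "complete audit-control evidence" fixture case.
COMPLETE_PACKET = {
    "retention_policy": "six_years",
    "sampled_events": sorted(EPHI_EVENTS) + ["user_login"],
    "events_not_mapped": [],
    "log_integrity": "tested",
    "activity_review_linkage": "linked",
}

def evaluate_audit_controls(packet, coverage_provable=True):
    """Return (decision, reasons) for one system's audit-control evidence."""
    if not coverage_provable:   # legacy or Business Associate system
        return "Not Evaluable", ["ePHI event coverage cannot be proven"]
    caps = []  # (decision ceiling, reason) for every failed gate
    sampled = set(packet.get("sampled_events", []))
    unmapped = (EPHI_EVENTS - sampled) | set(packet.get("events_not_mapped", []))
    if not sampled & EPHI_EVENTS:
        caps.append(("Non-Compliance", "login-only logging: no ePHI event family sampled"))
    elif unmapped:
        caps.append(("Partial", "unmapped event families: " + ", ".join(sorted(unmapped))))
    if packet.get("log_integrity") != "tested":
        caps.append(("Partial", "log integrity / time basis not evidenced"))
    if packet.get("activity_review_linkage") != "linked":
        caps.append(("Partial", "activity review not linked to audit-control output"))
    if packet.get("retention_policy") and packet.get("log_integrity") != "tested":
        caps.append(("Partial", "retention evidence without integrity/time basis"))
    if not caps:
        return "Compliant", []
    decision = min((ceiling for ceiling, _ in caps), key=RANK.get)
    return decision, [reason for _, reason in caps]
```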

Development

Successfully merging this pull request may close these issues.

[REVIEW] hipaa-review: add audit-control coverage and activity-review evidence gates