Initial commit: Knowledge-as-Code template

Config-driven static site generator for ontology-first knowledge bases.
Edit project.yml to define entities, groups, statuses, and colors.
Add markdown data files, run build.js, get a full HTML site + JSON API.

Includes example data (3 requirements, 2 frameworks, 2 organizations)
that builds into 21 HTML pages out of the box.

Zero dependencies — Node.js built-ins only.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: snapsynapse

.github/workflows/build.yml

@@ -0,0 +1,32 @@
+name: Build
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Validate cross-references
+        run: node scripts/validate.js
+
+      - name: Build site
+        run: node scripts/build.js
+
+      - name: Deploy to GitHub Pages
+        if: github.event_name != 'pull_request'
+        uses: peaceiris/actions-gh-pages@v3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./docs

.gitignore

@@ -0,0 +1,31 @@
+# Dependencies
+node_modules/
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Editor files
+*.swp
+*.swo
+*~
+.idea/
+.vscode/
+*.sublime-*
+.claude/
+
+# Logs
+*.log
+npm-debug.log*
+
+# Generated output (rebuild with: node scripts/build.js)
+# docs/ is generated — track only the static assets
+docs/*
+!docs/assets/
+docs/assets/*
+!docs/assets/styles.css
+!docs/assets/search.js
+
+# Environment
+.env
+.env.local

CLAUDE.md

@@ -0,0 +1,59 @@
+# Knowledge-as-Code Project
+
+A config-driven knowledge base using an ontology-first approach. All domain-specific settings are in `project.yml`.
+
+## Project Structure
+
+```
+project.yml           # Domain configuration (THE key file)
+data/
+  examples/           # Data files (one .md per entity)
+    primary/          # Stable anchor entities
+    container/        # Grouping entities with provisions
+    authority/        # Source entities
+    mapping/          # index.yml connecting containers to primaries
+scripts/
+  build.js            # Config-driven site generator
+  validate.js         # Cross-reference validator
+docs/                 # Generated output (HTML + JSON API)
+  api/v1/             # Static JSON API
+```
+
+## Key Commands
+
+```bash
+node scripts/build.js      # Build site + JSON API
+node scripts/validate.js   # Validate cross-references
+```
+
+## Entity Model
+
+The ontology is defined in `project.yml` under `entities:`. Four roles:
+
+| Role | Config key | Description |
+|------|-----------|-------------|
+| Primary | `entities.primary` | Stable anchors (e.g., requirements) |
+| Container | `entities.container` | Grouping entities (e.g., frameworks) |
+| Authority | `entities.authority` | Source entities (e.g., organizations) |
+| Secondary | `entities.secondary` | Mapping entities connecting containers to primaries |
+
+Relationship: Authority → Container → Secondary → Primary
+
+## Adding Data
+
+1. Create a `.md` file in the appropriate `data/` directory
+2. Add YAML frontmatter with required fields (see existing files for format)
+3. For containers: add timeline table and provision sections separated by `---`
+4. Add mapping entries to `data/examples/mapping/index.yml`
+5. Run `node scripts/validate.js` to check cross-references
+6. Run `node scripts/build.js` to generate the site
+
+## Customization
+
+Edit `project.yml` to change:
+- Entity names and directories
+- Group categories and colors
+- Status types and colors
+- Site name, URL, and navigation
+- Bridge page patterns
+- Theme accent colors

README.md

@@ -0,0 +1,82 @@
+# Knowledge-as-Code Template
+
+A template for building structured, version-controlled knowledge bases with an ontology-first approach. Edit a config file, add markdown data, get a full HTML site + JSON API.
+
+## Quick Start
+
+1. **Use this template** — click "Use this template" on GitHub, or clone locally
+2. **Edit `project.yml`** — define your domain entities, groups, colors, and site identity
+3. **Add data** — create markdown files in `data/` following the schema in `data/_schema.md`
+4. **Build** — `node scripts/build.js`
+5. **Deploy** — push to GitHub, Pages deploys automatically
+
+## What You Get
+
+- **Static HTML site** — homepage, list pages, detail pages, coverage matrix, timeline, comparison tool
+- **JSON API** — programmatic access at `docs/api/v1/`
+- **Bridge pages** — SEO-targeted pages like "Does X require Y?"
+- **Dark/light theme** — with persistence
+- **Client-side search** — lazy-loaded, keyboard-navigable
+- **Zero dependencies** — Node.js built-ins only
+
+## Project Structure
+
+```
+project.yml          # Domain configuration (edit this first)
+data/
+  examples/          # Example data (replace with your own)
+    primary/         # Stable anchor entities (e.g., requirements, obligations)
+    container/       # Grouping entities (e.g., frameworks, regulations)
+    authority/       # Source entities (e.g., organizations, regulators)
+    mapping/         # index.yml connecting containers to primaries
+scripts/
+  build.js           # Config-driven site generator
+  validate.js        # Cross-reference validator
+docs/                # Generated output (do not edit)
+```
+
+## The Ontology
+
+Every knowledge-as-code project has four entity roles:
+
+```
+Authority → Container → Provision → Primary
+```
+
+| Role | What it is | Example domains |
+|------|-----------|----------------|
+| **Primary** | Stable anchors that don't change when sources change | Requirements, Obligations, Capabilities, Controls |
+| **Container** | Grouping entities that contain provisions | Regulations, Frameworks, Products, Standards |
+| **Authority** | Source entities that produce containers | Regulators, Vendors, Standards bodies |
+| **Secondary** | Mapping entities connecting containers to primaries | Provisions, Implementations, Mappings |
+
+Primaries are stable; containers are unstable. When a framework is amended, its provisions change, but the underlying requirements persist.
+
+## Configuration
+
+All domain-specific settings live in `project.yml`:
+
+- **Entity names** — what to call each entity type (e.g., "Requirement" vs "Obligation")
+- **Groups** — categories for primary entities, with dark/light mode colors
+- **Statuses** — lifecycle states for containers, with colors
+- **Navigation** — site nav items
+- **Bridge pages** — which SEO pages to generate
+- **Theme** — accent colors
+
+## Commands
+
+```bash
+node scripts/build.js      # Build the site
+node scripts/validate.js   # Validate cross-references
+```
+
+## Architecture
+
+- **File-over-App** — data in markdown files, not a database
+- **Zero dependencies** — no npm install, no supply chain risk
+- **Bespoke static generation** — the build script _is_ the specification
+- **GitOps** — Git is the single source of truth
+
+## License
+
+MIT

data/examples/frameworks/iso-27001.md

@@ -0,0 +1,74 @@
+---
+name: ISO 27001
+authority: iso
+jurisdiction: International
+type: standard
+status: active
+enacted: 2022-10-25
+effective: 2022-10-25
+official_url: https://www.iso.org/standard/27001
+last_verified: 2026-03-25
+---
+
+## Timeline
+
+| Milestone | Date | Notes |
+|-----------|------|-------|
+| Published | 2022-10-25 | ISO/IEC 27001:2022 released |
+| Transition deadline | 2025-10-31 | Organizations must transition from 2013 version |
+
+---
+
+## Information Security Controls (Annex A)
+
+| Property | Value |
+|----------|-------|
+| Obligation | access-control |
+| Sections | Annex A.5-A.8 |
+| Status | active |
+| Effective | 2022-10-25 |
+| Verified | 2026-03-25 |
+| Checked | 2026-03-25 |
+
+### Requirements
+
+| Requirement | Details |
+|-------------|---------|
+| Access control policy | Define and enforce access control rules |
+| User access management | Formal registration and de-registration |
+
+### Talking Point
+
+> "ISO 27001:2022 restructured Annex A controls into **4 themes** (organizational, people, physical, technological) with **93 controls** replacing the previous 114."
+
+### Sources
+
+- [ISO 27001:2022](https://www.iso.org/standard/27001)
+
+---
+
+## Data Quality Requirements (Clause 7.5)
+
+| Property | Value |
+|----------|-------|
+| Obligation | data-quality |
+| Sections | Clause 7.5 |
+| Status | active |
+| Effective | 2022-10-25 |
+| Verified | 2026-03-25 |
+| Checked | 2026-03-25 |
+
+### Requirements
+
+| Requirement | Details |
+|-------------|---------|
+| Documented information | Maintain quality and integrity of ISMS documentation |
+| Information classification | Classify information according to sensitivity |
+
+### Talking Point
+
+> "Clause 7.5 requires organizations to ensure documented information is **available, suitable, and adequately protected** throughout its lifecycle."
+
+### Sources
+
+- [ISO 27001:2022](https://www.iso.org/standard/27001)

data/examples/frameworks/nist-csf.md

@@ -0,0 +1,74 @@
+---
+name: NIST Cybersecurity Framework
+authority: nist
+jurisdiction: Federal
+type: framework
+status: active
+enacted: 2024-02-26
+effective: 2024-02-26
+official_url: https://www.nist.gov/cyberframework
+last_verified: 2026-03-25
+---
+
+## Timeline
+
+| Milestone | Date | Notes |
+|-----------|------|-------|
+| CSF 2.0 published | 2024-02-26 | Major update adding Govern function |
+| CSF 1.1 published | 2018-04-16 | Original framework |
+
+---
+
+## Incident Response (RS.AN, RS.MI)
+
+| Property | Value |
+|----------|-------|
+| Obligation | incident-response |
+| Sections | RS.AN, RS.MI |
+| Status | active |
+| Effective | 2024-02-26 |
+| Verified | 2026-03-25 |
+| Checked | 2026-03-25 |
+
+### Requirements
+
+| Requirement | Details |
+|-------------|---------|
+| Analysis | Investigate incidents to determine scope and impact |
+| Mitigation | Contain and mitigate effects of detected incidents |
+
+### Talking Point
+
+> "NIST CSF 2.0 restructured response activities into **analysis and mitigation** subcategories, emphasizing that incident response is a continuous improvement process."
+
+### Sources
+
+- [NIST CSF 2.0](https://www.nist.gov/cyberframework)
+
+---
+
+## Access Control (PR.AA)
+
+| Property | Value |
+|----------|-------|
+| Obligation | access-control |
+| Sections | PR.AA |
+| Status | active |
+| Effective | 2024-02-26 |
+| Verified | 2026-03-25 |
+| Checked | 2026-03-25 |
+
+### Requirements
+
+| Requirement | Details |
+|-------------|---------|
+| Identity management | Manage identities and credentials for authorized users |
+| Access enforcement | Enforce access permissions based on policies |
+
+### Talking Point
+
+> "CSF 2.0 consolidated identity and access management into a single **PR.AA** subcategory, clarifying that authentication and authorization are inseparable."
+
+### Sources
+
+- [NIST CSF 2.0](https://www.nist.gov/cyberframework)

data/examples/mapping/index.yml

@@ -0,0 +1,31 @@
+- id: iso-27001-access-control
+  regulation: iso-27001
+  authority: iso
+  source_file: data/examples/container/iso-27001.md
+  source_heading: Information Security Controls (Annex A)
+  obligations:
+    - access-control
+
+- id: iso-27001-data-quality
+  regulation: iso-27001
+  authority: iso
+  source_file: data/examples/container/iso-27001.md
+  source_heading: Data Quality Requirements (Clause 7.5)
+  obligations:
+    - data-quality
+
+- id: nist-csf-incident-response
+  regulation: nist-csf
+  authority: nist
+  source_file: data/examples/container/nist-csf.md
+  source_heading: Incident Response (RS.AN, RS.MI)
+  obligations:
+    - incident-response
+
+- id: nist-csf-access-control
+  regulation: nist-csf
+  authority: nist
+  source_file: data/examples/container/nist-csf.md
+  source_heading: Access Control (PR.AA)
+  obligations:
+    - access-control