feat(migration/modules): port 11 module-config files (megaport STEP 8 — first compilable batch)

migration/modules/CloudGuardModule.affine

@@ -0,0 +1,84 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Copyright (c) 2026 Jonathan D.A. Jewell
+//
+// CloudGuardModule.affine — capability-driven registration for the
+// Cloudflare domain security management panel.
+//
+// Translation of src/modules/CloudGuardModule.res (93 LoC). Same shape
+// as the other module files plus an extra `capabilityDescription`
+// helper (CloudGuard tooltips include longer prose).
+//
+// Refs: standards#279, standards#252.
+
+module CloudGuardModule;
+
+use prelude::{Option, Some, None, contains};
+
+type CloudguardCapability =
+  | DomainInventory
+  | SecurityHardening
+  | DnsManagement
+  | ComplianceAudit
+  | OfflineConfig
+  | BulkOperations
+  | PagesIntegration
+  | DnssecManagement
+
+type CloudguardModuleConfig = {
+  id: String,
+  name: String,
+  version: String,
+  description: String,
+  apiEndpoint: String,
+  capabilities: [CloudguardCapability],
+  icon: Option<String>,
+}
+
+const config: CloudguardModuleConfig = #{
+  id: "cloudguard",
+  name: "CloudGuard",
+  version: "0.1.0",
+  description: "Cloudflare domain security management. Automates SSL/TLS hardening, DNS security records, WAF configuration, DNSSEC, and compliance auditing across all domains.",
+  apiEndpoint: "https://api.cloudflare.com/client/v4",
+  capabilities: [
+    DomainInventory,
+    SecurityHardening,
+    DnsManagement,
+    ComplianceAudit,
+    OfflineConfig,
+    BulkOperations,
+    PagesIntegration,
+    DnssecManagement,
+  ],
+  icon: Some("shield"),
+};
+
+fn hasCapability(cap: CloudguardCapability) -> Bool {
+  contains(config.capabilities, cap)
+}
+
+fn capabilityLabel(cap: CloudguardCapability) -> String {
+  match cap {
+    DomainInventory => "Domain Inventory",
+    SecurityHardening => "Security Hardening",
+    DnsManagement => "DNS Management",
+    ComplianceAudit => "Compliance Audit",
+    OfflineConfig => "Offline Config",
+    BulkOperations => "Bulk Operations",
+    PagesIntegration => "Pages Integration",
+    DnssecManagement => "DNSSEC Management",
+  }
+}
+
+fn capabilityDescription(cap: CloudguardCapability) -> String {
+  match cap {
+    DomainInventory => "List and monitor all Cloudflare zones with plan tier, status, and nameserver info",
+    SecurityHardening => "Apply SSL Full (Strict), HSTS, min TLS 1.2, security headers, and other hardening defaults",
+    DnsManagement => "Create, update, and delete DNS records with templates for SPF, DMARC, DKIM, CAA, and TLSRPT",
+    ComplianceAudit => "Evaluate live Cloudflare settings against Trustfile/Nickel security policy constraints",
+    OfflineConfig => "Download zone configs as JSON, edit offline, upload with three-way diff and dry-run preview",
+    BulkOperations => "Apply hardening settings across all selected domains with real-time progress tracking",
+    PagesIntegration => "Set up Cloudflare Pages projects from GitHub repos with auto-detected SSG framework",
+    DnssecManagement => "Enable DNSSEC, verify DS records at registrar, monitor key rotation status",
+  }
+}

migration/modules/FarmModule.affine

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Copyright (c) 2026 Jonathan D.A. Jewell
+//
+// FarmModule.affine — capability registration for the Git-Private-Farm panel.
+//
+// Translation of src/modules/FarmModule.res (66 LoC). Same capability-
+// declaration shape as the other panll module files: sum-type capability,
+// config record, hasCapability + capabilityLabel helpers. Pure data +
+// pure functions — no FFI / Tea_/ Pixi / Gossamer surface.
+//
+// Refs: standards#279 (megaport step), standards#252 (campaign umbrella).
+
+module FarmModule;
+
+use prelude::{Option, Some, None, contains};
+
+/// Capabilities that the Farm panel exposes.
+type FarmCapability =
+  | RepoInventory
+  | EnrollmentDashboard
+  | HealthDashboard
+  | GroupAnalysis
+  | ForgeCoverage
+
+type FarmModuleConfig = {
+  id: String,
+  name: String,
+  version: String,
+  description: String,
+  manifestPath: String,
+  capabilities: [FarmCapability],
+  icon: Option<String>,
+}
+
+const config: FarmModuleConfig = #{
+  id: "farm",
+  name: "Git-Private-Farm",
+  version: "0.1.0",
+  description: "Repository admin registry and maintenance hub for ~265 repos across 6 forges",
+  manifestPath: "~/.git-private-farm/farm-manifest.json",
+  capabilities: [RepoInventory, EnrollmentDashboard, HealthDashboard, GroupAnalysis, ForgeCoverage],
+  icon: Some("barn"),
+};
+
+fn hasCapability(cap: FarmCapability) -> Bool {
+  contains(config.capabilities, cap)
+}
+
+fn capabilityLabel(cap: FarmCapability) -> String {
+  match cap {
+    RepoInventory => "Repo Inventory",
+    EnrollmentDashboard => "Enrollment Dashboard",
+    HealthDashboard => "Health Dashboard",
+    GroupAnalysis => "Group Analysis",
+    ForgeCoverage => "Forge Coverage",
+  }
+}

migration/modules/LanguageForgeModule.affine

@@ -0,0 +1,51 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Copyright (c) 2026 Jonathan D.A. Jewell
+//
+// LanguageForgeModule.affine — capability registration for the
+// nextgen-languages panel.
+//
+// Translation of src/modules/LanguageForgeModule.res (60 LoC). Same shape
+// as the other module files.
+//
+// Refs: standards#279, standards#252.
+
+module LanguageForgeModule;
+
+use prelude::{Option, Some, None, contains};
+
+type LanguageForgeCapability =
+  | LanguageDashboard
+  | CompilationStatus
+  | MoscowView
+  | WasmTargetTracker
+
+type LanguageForgeModuleConfig = {
+  id: String,
+  name: String,
+  version: String,
+  description: String,
+  capabilities: [LanguageForgeCapability],
+  icon: Option<String>,
+}
+
+const config: LanguageForgeModuleConfig = #{
+  id: "language-forge",
+  name: "Language Forge",
+  version: "0.1.0",
+  description: "Monitor and develop the 14 nextgen-languages portfolio — scores, phases, WASM readiness",
+  capabilities: [LanguageDashboard, CompilationStatus, MoscowView, WasmTargetTracker],
+  icon: Some("hammer"),
+};
+
+fn hasCapability(cap: LanguageForgeCapability) -> Bool {
+  contains(config.capabilities, cap)
+}
+
+fn capabilityLabel(cap: LanguageForgeCapability) -> String {
+  match cap {
+    LanguageDashboard => "Language Dashboard",
+    CompilationStatus => "Compilation Status",
+    MoscowView => "MoSCoW View",
+    WasmTargetTracker => "WASM Target Tracker",
+  }
+}

migration/modules/MassPanicModule.affine

@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Copyright (c) 2026 Jonathan D.A. Jewell
+//
+// MassPanicModule.affine — capability declarations for the
+// organisation-scale batch scanning panel.
+//
+// Translation of src/modules/MassPanicModule.res (66 LoC). Same shape.
+//
+// Refs: standards#279, standards#252.
+
+module MassPanicModule;
+
+use prelude::{Option, Some, None, contains};
+
+type MassPanicCapability =
+  | AssemblylineScanning
+  | IncrementalBlake3
+  | VerisimDBPersistence
+  | DeltaReporting
+  | NotificationPipeline
+  | RepoDiscovery
+  | CacheManagement
+  | SystemImaging
+  | TemporalNavigation
+
+type MassPanicModuleConfig = {
+  id: String,
+  name: String,
+  version: String,
+  description: String,
+  binaryName: String,
+  capabilities: [MassPanicCapability],
+  icon: Option<String>,
+}
+
+const config: MassPanicModuleConfig = #{
+  id: "mass-panic",
+  name: "Mass Panic",
+  version: "2.1.0",
+  description: "Organisation-scale batch scanning — assemblyline + BLAKE3 + imaging + temporal + verisim",
+  binaryName: "panic-attack",
+  icon: Some("zap-off"),
+  capabilities: [
+    AssemblylineScanning,
+    IncrementalBlake3,
+    VerisimDBPersistence,
+    DeltaReporting,
+    NotificationPipeline,
+    RepoDiscovery,
+    CacheManagement,
+    SystemImaging,
+    TemporalNavigation,
+  ],
+};
+
+fn hasCapability(cap: MassPanicCapability) -> Bool {
+  contains(config.capabilities, cap)
+}
+
+fn capabilityLabel(cap: MassPanicCapability) -> String {
+  match cap {
+    AssemblylineScanning => "Assemblyline Scanning (rayon parallelism)",
+    IncrementalBlake3 => "Incremental BLAKE3 Fingerprinting",
+    VerisimDBPersistence => "VerisimDB Octad Persistence",
+    DeltaReporting => "Delta Reporting (diff between runs)",
+    NotificationPipeline => "Notification Pipeline (markdown + GitHub)",
+    RepoDiscovery => "Repository Discovery (.git detection)",
+    CacheManagement => "Fingerprint Cache Management",
+    SystemImaging => "System Health Imaging (fNIRS-style spatial risk map)",
+    TemporalNavigation => "Temporal Navigation (time-series diff + trend detection)",
+  }
+}

migration/modules/PanicAttackModule.affine

@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Copyright (c) 2026 Jonathan D.A. Jewell
+//
+// PanicAttackModule.affine — capability declarations for the stress
+// testing and weak point analysis panel.
+//
+// Translation of src/modules/PanicAttackModule.res (63 LoC). Same shape.
+//
+// Refs: standards#279, standards#252.
+
+module PanicAttackModule;
+
+use prelude::{Option, Some, None, contains};
+
+type PanicAttackCapability =
+  | StaticAnalysis
+  | StressTesting
+  | BugSignatureDetection
+  | ReportGeneration
+  | ReportComparison
+  | BatchScanning
+  | SarifExport
+  | EventChainExport
+
+type PanicAttackModuleConfig = {
+  id: String,
+  name: String,
+  version: String,
+  description: String,
+  binaryName: String,
+  capabilities: [PanicAttackCapability],
+  icon: Option<String>,
+}
+
+const config: PanicAttackModuleConfig = #{
+  id: "panic-attack",
+  name: "panic-attack",
+  version: "2.0.0",
+  description: "Universal stress testing and logic-based bug signature detection",
+  binaryName: "panic-attack",
+  icon: Some("zap"),
+  capabilities: [
+    StaticAnalysis,
+    StressTesting,
+    BugSignatureDetection,
+    ReportGeneration,
+    ReportComparison,
+    BatchScanning,
+    SarifExport,
+    EventChainExport,
+  ],
+};
+
+fn hasCapability(cap: PanicAttackCapability) -> Bool {
+  contains(config.capabilities, cap)
+}
+
+fn capabilityLabel(cap: PanicAttackCapability) -> String {
+  match cap {
+    StaticAnalysis => "Static Analysis (assail)",
+    StressTesting => "Stress Testing (attack/assault)",
+    BugSignatureDetection => "Bug Signature Detection (kanren)",
+    ReportGeneration => "Report Generation (JSON/YAML/SARIF)",
+    ReportComparison => "Report Comparison (diff)",
+    BatchScanning => "Batch Scanning (assemblyline)",
+    SarifExport => "SARIF Export (GitHub Security)",
+    EventChainExport => "Event Chain Export (PanLL)",
+  }
+}