diff --git a/.idea/workspace.xml b/.idea/workspace.xml index c3adfa6..a026023 100644 --- a/.idea/workspace.xml +++ b/.idea/workspace.xml @@ -4,16 +4,7 @@ - - - - - - - - - - + @@ -48,17 +39,6 @@ } } - - - - - - - - - - - @@ -121,6 +101,7 @@ 1732645292337 + diff --git a/.oscal/attachments/diagrams/authorization-boundary.mermaid b/.oscal/attachments/diagrams/authorization-boundary.mermaid new file mode 100644 index 0000000..5a36f0a --- /dev/null +++ b/.oscal/attachments/diagrams/authorization-boundary.mermaid 
@@ -0,0 +1,61 @@ +flowchart TD + subgraph External["External Boundary"] + Client[Web Client] + end + + subgraph AuthBoundary["Authorization Boundary"] + direction TB + + subgraph ServerControls["Server Security Controls"] + LocalHost["Localhost Only\nPort 8888"] + Router["Router/API Gateway\nInput Validation"] + end + + subgraph FileSystemControls["Filesystem Security Controls"] + DirVal["Directory Validation"] + PathCheck["Path Traversal Check"] + UrlProcess["URL Processing\nHTTPS/File Only"] + PermCheck["Permission Checks"] + end + + subgraph TrustedZone["Trusted Zone"] + OscalDir["~/.oscal Directory\nOwner RWX Only"] + AllowedDirs["Allowed Directories\nvia OSCAL_SERVER_PATH"] + TempFiles["Temporary Files\nRestricted Access"] + end + + subgraph Validation["Security Validation"] + ValidateDir["validateDirectory()"] + RestrictPerms["restrictDirectoryPermissions()"] + SymlinkCheck["Symlink Validation"] + end + end + + Client -->|HTTP Requests| LocalHost + LocalHost -->|Validated Requests| Router + + Router -->|File Operations| FileSystemControls + + FileSystemControls -->|Access Check| DirVal + FileSystemControls -->|Traversal Prevention| PathCheck + FileSystemControls -->|URL Validation| UrlProcess + FileSystemControls -->|Permission Validation| PermCheck + + DirVal -->|Validated Access| TrustedZone + PathCheck -->|Safe Paths| TrustedZone + UrlProcess -->|Safe URLs| TrustedZone + PermCheck -->|Verified Permissions| TrustedZone + + TrustedZone <-->|Security Checks| Validation + + classDef external fill:#ddd,stroke:#999,stroke-width:1px; + classDef boundary fill:#f9f,stroke:#333,stroke-width:2px; + classDef controls fill:#aef,stroke:#333,stroke-width:1px; + classDef trusted fill:#bfb,stroke:#333,stroke-width:1px; + classDef validation fill:#feb,stroke:#333,stroke-width:1px; + + class External external; + class AuthBoundary boundary; + class ServerControls,FileSystemControls controls; + class TrustedZone trusted; + class Validation validation; \ No newline at end of 
file diff --git a/.oscal/attachments/diagrams/authorization-boundary.svg b/.oscal/attachments/diagrams/authorization-boundary.svg new file mode 100644 index 0000000..79db1b2 --- /dev/null +++ b/.oscal/attachments/diagrams/authorization-boundary.svg @@ -0,0 +1 @@ +Authorization BoundaryExternal BoundaryFilesystem Security ControlsServer Security ControlsHTTP RequestsValidated RequestsFile OperationsAccess CheckTraversal PreventionURL ValidationPermission ValidationValidated AccessSafe PathsSafe URLsVerified PermissionsSecurity ChecksSecurity ValidationvalidateDirectory()restrictDirectoryPermissions()Symlink ValidationTrusted Zone~/.oscal Directory\nOwner RWX OnlyAllowed Directories\nvia OSCAL_SERVER_PATHTemporary Files\nRestricted AccessWeb ClientLocalhost Only\nPort 8888Router/API Gateway\nInput ValidationDirectory ValidationPath Traversal CheckURL Processing\nHTTPS/File OnlyPermission Checks \ No newline at end of file diff --git a/.oscal/attachments/diagrams/network-diagram.mermaid b/.oscal/attachments/diagrams/network-diagram.mermaid new file mode 100644 index 0000000..e0851d6 --- /dev/null +++ b/.oscal/attachments/diagrams/network-diagram.mermaid 
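Review bot: The `UrlProcess -->|Safe URLs| TrustedZone` edge and the `URL Processing\nHTTPS/File Only` node in authorization-boundary.mermaid present URL validation as a control that is already in place, but the POA&M added in this same commit lists RISK-4 as open and states that `processUrl()` accepts any HTTPS URL without validation. A boundary diagram that overstates an unimplemented control can mislead an assessor; until the remediation lands, mark the node as partial, e.g. `UrlProcess["URL Processing\nScheme check only\n(validation planned, RISK-4)"]`. The `Client -->|HTTP Requests| LocalHost` edge also says HTTP while the component definition declares the protocol as `https` on port 8888, so one of the two should be corrected. The diagram shows no authentication or origin check on that edge; if loopback binding is the only control between the web client and the router, the node label should say so explicitly.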
@@ -0,0 +1,40 @@ +graph TD + Client[Web Client] + Router[Router/API Gateway] + VertxServer[Vertx HTTP Server\nPort 8888\nLocalhost Only] + FileSystem[Local File System] + OscalCLI[OSCAL CLI] + HomeDir[User Home Directory] + TempFiles[Temporary Files] + + subgraph "OSCAL Server" + Router --> |Route Requests| Operations + + subgraph "Operations" + Validate[Validate] + Convert[Convert] + Resolve[Resolve Profile] + Query[Query/MetaPath] + Health[Health Check] + end + + subgraph "Storage" + FileSystem --> |Read/Write| HomeDir + HomeDir --> |Contains| OscalDir[~/.oscal Directory] + FileSystem --> |Create/Delete| TempFiles + end + end + + Client -->|HTTP Requests\nGET/POST| VertxServer + VertxServer --> |Forward| Router + + Operations --> |Execute| OscalCLI + OscalCLI --> |Read Input| FileSystem + OscalCLI --> |Write Output| FileSystem + + classDef secure fill:#f9f,stroke:#333,stroke-width:2px; + classDef restricted fill:#ff9,stroke:#333,stroke-width:2px; + + class VertxServer restricted; + class OscalDir secure; + class TempFiles restricted; \ No newline at end of file diff --git a/.oscal/attachments/diagrams/network-diagram.svg b/.oscal/attachments/diagrams/network-diagram.svg new file mode 100644 index 0000000..47c0e13 --- /dev/null +++ b/.oscal/attachments/diagrams/network-diagram.svg @@ -0,0 +1 @@ +OSCAL ServerStorageRead/WriteContainsCreate/DeleteHTTP Requests\nGET/POSTForwardRead InputWrite OutputRoute RequestsExecuteOperationsValidateConvertResolve ProfileQuery/MetaPathHealth CheckWeb ClientRouter/API GatewayVertx HTTP Server\nPort 8888\nLocalhost OnlyLocal File SystemOSCAL CLIUser Home DirectoryTemporary Files~/.oscal Directory \ No newline at end of file diff --git a/component.oscal.yml b/.oscal/component.oscal.yaml similarity index 73% rename from component.oscal.yml rename to .oscal/component.oscal.yaml index 95ee370..5cb66f9 100644 --- a/component.oscal.yml +++ b/.oscal/component.oscal.yaml 
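Review bot: In network-diagram.mermaid, `VertxServer` and `OscalCLI` appear only in top-level declarations and in edges written after the `subgraph "OSCAL Server"` body closes, so they will most likely render outside the "OSCAL Server" box although they are the listener and the execution engine of that system. Moving `VertxServer --> |Forward| Router` and `Operations --> |Execute| OscalCLI` inside the subgraph would keep the system boundary consistent with authorization-boundary.mermaid. The Storage subgraph shows `FileSystem --> |Read/Write| HomeDir` with no mention of the `OSCAL_SERVER_PATH` allow-list that the POA&M records as the completed control for RISK-3; an edge label such as `|Read/Write within OSCAL_SERVER_PATH|` would document it.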
@@ -1,24 +1,23 @@ component-definition: - uuid: 12345678-1234-1234-1234-123456789abc + uuid: 2862dbd1-1d58-4caf-8b57-cb29d150d236 metadata: title: OSCAL Server Component Definition last-modified: "2024-10-17T12:00:00Z" version: "1.0" - oscal-version: "1.0.0" + oscal-version: "1.1.3" components: - - uuid: 98765432-9876-9876-9876-987654321def + - uuid: 2862dbd1-1d58-4caf-8b57-cb29d150d234 type: service title: OSCAL Server description: > A service that runs through local loopback on port 8888 - props: - - name: port - value: "8888" protocols: - name: https - port-ranges: + uuid: 2862dbd1-1d58-4caf-8b57-cb29d150d234 + port-ranges: - start: 8888 end: 8888 + transport: TCP remarks: > This component definition describes the OSCAL Server, which provides file conversion, validation and profile resolution diff --git a/.oscal/poam.oscal.yaml b/.oscal/poam.oscal.yaml new file mode 100644 index 0000000..9457bb7 --- /dev/null +++ b/.oscal/poam.oscal.yaml 
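Review bot: The new protocol entry carries `uuid: 2862dbd1-1d58-4caf-8b57-cb29d150d234`, the same value as the enclosing component's `uuid`, so two distinct objects share one identifier. OSCAL UUIDs are meant to identify a single object, and tools that resolve references by UUID may conflate the two; give the protocol its own value, e.g. `uuid: <new-uuid-v4>`. The protocol is named `https`, while both diagrams added in this commit label the client traffic as HTTP requests, so the name should match what the listener on 8888 actually serves. `last-modified` is still "2024-10-17T12:00:00Z" although the content changed.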
@@ -0,0 +1,307 @@ +plan-of-action-and-milestones: + uuid: 8c1ee2a6-bd14-4f77-b2f7-3d2bc0aaa55e + metadata: + title: "Oscal Server Software Development System POA&M" + last-modified: "2024-10-24T13:57:28.355446-04:00" + version: "1.0" + oscal-version: 1.1.3 + import-ssp: + href: ssp.oscal.yaml + system-id: + identifier-type: http://ietf.org/rfc/rfc4122 + id: 8c1ee2a6-bd14-4f77-b2f7-3d2bc0aaa55e + observations: + - uuid: 77777777-0000-4000-9000-100000000012 + title: "Source Control System Security Requirements Assessment" + description: "Examine implementation of security requirements documentation and maintenance" + methods: + - EXAMINE + types: + - finding + subjects: + - subject-uuid: 55555555-0000-4000-9000-100000000005 + type: component + collected: "2024-10-24T12:00:00-04:00" + remarks: "Security requirements documentation is not currently maintained in a centralized repository. Quarterly reviews are not being conducted systematically." + + - uuid: 77777777-0000-4000-9000-100000000013 + title: "Development Team Role Management Assessment" + description: "Examine implementation of role management and security training program" + methods: + - EXAMINE + types: + - finding + subjects: + - subject-uuid: 55555555-0000-4000-9000-100000000005 + type: component + collected: "2024-10-24T12:00:00-04:00" + remarks: "RACI matrix is incomplete and security training program is not fully implemented in the learning management system." + + - uuid: 77777777-0000-4000-9000-100000000022 + title: "Unrestricted File System Access Assessment" + description: "Examine server file system access controls and potential security vulnerabilities" + methods: + - EXAMINE + - TEST + types: + - finding + subjects: + - subject-uuid: 66666666-0000-4000-9000-100000000006 + type: component + collected: "2024-10-24T12:00:00-04:00" + remarks: "Server has unrestricted access to entire file system. No environment variable constraints are in place to limit file access to specific directories." 
+ + - uuid: 77777777-0000-4000-9000-100000000027 + title: "HTTPS URL Validation Assessment" + description: "Examine implementation of URL validation controls for SSRF prevention" + methods: + - EXAMINE + - TEST + types: + - finding + subjects: + - subject-uuid: 66666666-0000-4000-9000-100000000006 + type: component + collected: "2024-10-24T12:00:00-04:00" + remarks: "The processUrl() method accepts any HTTPS URL without validation, potentially enabling Server-Side Request Forgery (SSRF) attacks. No URL validation or domain whitelist mechanisms are currently implemented." + + risks: + - uuid: 77777777-0000-4000-9000-100000000014 + title: "RISK-1: Inadequate Security Requirements Management" + description: "Security requirements are not properly documented and maintained, increasing risk of security gaps" + statement: >- + Lack of centralized security requirements documentation and systematic review + process could lead to inconsistent security implementations and missed + vulnerabilities. This poses significant risk to the development environment + and resulting software products. + props: + - name: label + value: risk-1 + status: open + characterizations: + - origin: + actors: + - type: party + actor-uuid: 11111111-0000-4000-9000-100000000001 + facets: + - name: likelihood + system: https://fedramp.gov + value: moderate + - name: impact + system: https://fedramp.gov + value: moderate + deadline: "2025-03-31T00:00:00-04:00" + remediations: + - uuid: 77777777-0000-4000-9000-100000000015 + lifecycle: planned + title: "Security Requirements Documentation Implementation" + description: >- + Implement centralized security requirements documentation system and + establish quarterly review process. Assign dedicated security team + members for maintenance. 
+ props: + - name: type + value: mitigate + tasks: + - uuid: 77777777-0000-4000-9000-100000000016 + type: milestone + title: "Initial Documentation System Implementation" + description: "Complete setup of centralized documentation system and initial content creation" + timing: + within-date-range: + start: "2024-11-01T00:00:00-04:00" + end: "2024-12-31T00:00:00-04:00" + related-observations: + - observation-uuid: 77777777-0000-4000-9000-100000000012 + + - uuid: 77777777-0000-4000-9000-100000000017 + title: "RISK-2: Incomplete Role Management Implementation" + description: "Role management and security training program not fully implemented" + statement: >- + Incomplete RACI matrix and security training program implementation could + lead to unclear responsibilities and insufficient security awareness among + development team members. + props: + - name: label + value: risk-2 + status: open + characterizations: + - origin: + actors: + - type: party + actor-uuid: 11111111-0000-4000-9000-100000000001 + facets: + - name: likelihood + system: https://fedramp.gov + value: moderate + - name: impact + system: https://fedramp.gov + value: moderate + deadline: "2025-01-31T00:00:00-04:00" + remediations: + - uuid: 77777777-0000-4000-9000-100000000018 + lifecycle: planned + title: "Role Management Program Implementation" + description: >- + Complete RACI matrix implementation and establish comprehensive + security training program in learning management system. 
+ props: + - name: type + value: mitigate + tasks: + - uuid: 77777777-0000-4000-9000-100000000019 + type: milestone + title: "RACI Matrix and Training Program Completion" + description: "Finalize RACI matrix and launch security training program" + timing: + within-date-range: + start: "2024-11-01T00:00:00-04:00" + end: "2025-01-31T00:00:00-04:00" + related-observations: + - observation-uuid: 77777777-0000-4000-9000-100000000013 + + - uuid: 77777777-0000-4000-9000-100000000023 + title: "RISK-3: Unrestricted File System Access" + description: "Server has unrestricted access to entire file system without proper controls" + statement: >- + Unrestricted file system access could allow unauthorized access to sensitive + system files and data outside the intended scope of the application. This + poses a significant security risk through potential data exposure or system + manipulation. + status: closed + characterizations: + - origin: + actors: + - type: party + actor-uuid: 11111111-0000-4000-9000-100000000001 + facets: + - name: likelihood + system: https://fedramp.gov + value: high + - name: impact + system: https://fedramp.gov + value: high + deadline: "2024-12-15T00:00:00-04:00" + remediations: + - uuid: 77777777-0000-4000-9000-100000000024 + lifecycle: completed + title: "Implement File System Access Controls" + description: >- + Implement `OSCAL_SERVER_PATH` environment variable to restrict server access to the filesystem with allow-list to only permit filesystem access to enumerated paths + file system access to specific authorized directories only. + props: + - name: type + value: mitigate + tasks: + - uuid: 77777777-0000-4000-9000-100000000025 + type: milestone + title: "File System Access Control Implementation" + description: >- + Implemented and tested OSCAL_SERVER_PATH environment variable controls. 
+ Added validation of allowed directories, path canonicalization, + protection against directory traversal, proper permission management, + and comprehensive security logging. + timing: + within-date-range: + start: "2024-11-01T00:00:00-04:00" + end: "2024-12-15T00:00:00-04:00" + related-observations: + - observation-uuid: 77777777-0000-4000-9000-100000000022 + - uuid: 77777777-0000-4000-9000-100000000028 + title: "RISK-4: SSRF Vulnerability in URL Processing" + description: "Lack of URL validation controls enables potential SSRF attacks" + statement: >- + The absence of URL validation in the processUrl() method allows requests to + any HTTPS endpoint, which could be exploited for Server-Side Request + Forgery (SSRF) attacks. This could enable attackers to probe internal + networks, access sensitive services, or perform denial of service attacks. + status: open + characterizations: + - origin: + actors: + - type: party + actor-uuid: 11111111-0000-4000-9000-100000000001 + facets: + - name: likelihood + system: https://fedramp.gov + value: high + - name: impact + system: https://fedramp.gov + value: high + deadline: "2025-01-15T00:00:00-04:00" + remediations: + - uuid: 77777777-0000-4000-9000-100000000029 + lifecycle: planned + title: "Implement URL Validation Controls" + description: >- + Implement comprehensive URL validation including domain whitelist, + IP address blocking, and protocol restrictions. Add input validation + and proper error handling for all URL processing. 
+ props: + - name: type + value: mitigate + tasks: + - uuid: 77777777-0000-4000-9000-100000000030 + type: milestone + title: "URL Validation Implementation" + description: "Implement and test URL validation controls including domain whitelist" + timing: + within-date-range: + start: "2024-12-01T00:00:00-04:00" + end: "2025-01-15T00:00:00-04:00" + related-observations: + - observation-uuid: 77777777-0000-4000-9000-100000000027 + + + poam-items: + - uuid: 77777777-0000-4000-9000-100000000020 + title: "Implement Security Requirements Management System" + description: >- + Implementation of centralized security requirements documentation system + and establishment of quarterly review process requires allocation of + security team resources and development of new processes. + related-observations: + - observation-uuid: 77777777-0000-4000-9000-100000000012 + related-risks: + - risk-uuid: 77777777-0000-4000-9000-100000000014 + - uuid: 77777777-0000-4000-9000-100000000021 + title: "Complete Role Management Implementation" + description: >- + Completion of RACI matrix and security training program implementation + requires coordination between development team and security team, as well + as configuration of learning management system. + related-observations: + - observation-uuid: 77777777-0000-4000-9000-100000000013 + related-risks: + - risk-uuid: 77777777-0000-4000-9000-100000000017 + - uuid: 77777777-0000-4000-9000-100000000026 + title: "Implement File System Access Restrictions" + description: >- + Implementation of OSCAL_SERVER_PATH environment variable to restrict + server file system access to authorized directories only. This requires + configuration changes, testing, and validation of access controls. 
+ related-observations: + - observation-uuid: 77777777-0000-4000-9000-100000000022 + related-risks: + - risk-uuid: 77777777-0000-4000-9000-100000000023 + - uuid: 77777777-0000-4000-9000-100000000031 + title: "Implement URL Validation Controls" + description: >- + Implementation of URL validation controls including domain whitelist, + IP address blocking, and comprehensive input validation to prevent + SSRF attacks. + related-observations: + - observation-uuid: 77777777-0000-4000-9000-100000000027 + related-risks: + - risk-uuid: 77777777-0000-4000-9000-100000000028 + back-matter: + resources: + - uuid: 77777777-0000-4000-9900-100000000000 + title: "System POA&M" + description: "Plan of Action and Milestones for the System" + rlinks: + - href: "poam.oscal.yaml" + props: + - name: type + value: plan + class: poam \ No newline at end of file diff --git a/.oscal/profile.oscal.yaml b/.oscal/profile.oscal.yaml new file mode 100644 index 0000000..e7b68b1 --- /dev/null +++ b/.oscal/profile.oscal.yaml @@ -0,0 +1,45 @@ + + +profile: + uuid: 8c1ee2a6-bd14-4f77-b2f7-3d2bc0aaa55e + metadata: + title: "Software Development Security Controls Profile" + last-modified: "2024-10-24T00:00:00Z" + version: "1.0" + oscal-version: "1.1.2" + parties: + - uuid: 11111111-0000-4000-9000-100000000001 + type: organization + name: "Metaschema Framework Organization" + short-name: "MFO" + roles: + - id: profile-author + title: Profile Author + responsible-parties: + - role-id: profile-author + party-uuids: + - 11111111-0000-4000-9000-100000000001 + + imports: + - href: "ssdf.catalog.oscal.yaml" + include-controls: + - with-ids: + - po1 + - po2 + - po3 + - po4 + - po5 + - ps1 + - ps2 + - ps3 + - pw1 + - pw2 + - pw4 + - pw5 + - pw6 + - pw7 + - pw8 + - pw9 + - rv1 + - rv2 + - rv3 \ No newline at end of file diff --git a/.oscal/ssdf.catalog.oscal.yaml b/.oscal/ssdf.catalog.oscal.yaml new file mode 100644 index 0000000..8dfc33d --- /dev/null +++ b/.oscal/ssdf.catalog.oscal.yaml 
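Review bot: In .oscal/poam.oscal.yaml, RISK-3 is set to `status: closed` with `lifecycle: completed`, but its only linked observation (ending in 100000000022) still records that the server has unrestricted file system access and that no environment variable constraints exist, so the document holds no evidence that the fix was verified. Add a follow-up observation using method `TEST` that describes how the `OSCAL_SERVER_PATH` restriction was checked, and reference it from the risk. The RISK-3 remediation description also ends in a leftover fragment ("file system access to specific authorized directories only."); `Implement the OSCAL_SERVER_PATH environment variable as an allow-list that restricts server file system access to enumerated directories.` reads cleanly. RISK-3 and RISK-4 lack the `props` entry with `name: label` that RISK-1 and RISK-2 carry. For RISK-4, the planned remediation text should state that the allow-list and IP blocking apply to the resolved address and to redirects, not only to the hostname in the submitted URL.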
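Review bot: The profile's `uuid: 8c1ee2a6-bd14-4f77-b2f7-3d2bc0aaa55e` in .oscal/profile.oscal.yaml is the same value used for the POA&M document `uuid` and its `system-id` in .oscal/poam.oscal.yaml, so the two documents cannot be told apart by identifier. Give the profile its own value, e.g. `uuid: <new-uuid-v4>`. `oscal-version: "1.1.2"` also differs from the `1.1.3` declared in the POA&M and the component definition in this commit; align them unless the difference is intended.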
@@ -0,0 +1,1058 @@ +catalog: + uuid: 4eb58c88-beca-490e-8870-655ffb5ffad1 + groups: + - id: po + parts: + - name: overview + prose: >- + Organizations should ensure that their people, processes, and + technology are prepared to perform secure software development at + the organization level. Many organizations will find some PO + practices to also be applicable to subsets of their software + development, like individual development groups or projects. + props: + - name: label + value: PO + title: Prepare the Organization + controls: + - id: po1 + parts: + - name: overview + prose: >- + Ensure that security requirements for software development are + known at all times so that they can be taken into account + throughout the SDLC and duplication of effort can be minimized + because the requirements information can be collected once and + shared. This includes requirements from internal sources (e.g., + the organization’s policies, business objectives, and risk + management strategy) and external sources (e.g., applicable + laws and regulations) + - name: statement + props: + - name: label + value: PO.1.1 + prose: >- + Identify and document all security requirements for the + organization’s software development infrastructures and + processes, and maintain the requirements over time. + - name: statement + props: + - name: label + value: PO.1.2 + prose: >- + Identify and document all security requirements for + organization-developed software to meet, and maintain the + requirements over time. + - name: statement + props: + - name: label + value: PO.1.3 + prose: >- + Communicate requirements to all third parties who will provide + commercial software components to the organization for reuse by + the organization’s own software. 
+ props: + - name: label + value: PO.1 + title: Define Security Requirements for Software Development + - id: po2 + parts: + - name: overview + prose: >- + Ensure that everyone inside and outside of the organization + involved in the SDLC is prepared to perform their SDLC-related + roles and responsibilities throughout the SDLC + - name: statement + props: + - name: label + value: PO.2.1 + prose: >- + Create new roles and alter responsibilities for existing roles + as needed to encompass all parts of the SDLC. Periodically + review and maintain the defined roles and responsibilities, + updating them as needed. + - name: statement + props: + - name: label + value: PO.2.2 + prose: >- + Provide role-based training for all personnel with + responsibilities that contribute to secure development. + Periodically review personnel proficiency and role-based + training, and update the training as needed + - name: statement + props: + - name: label + value: PO.2.3 + prose: >- + Obtain upper management or authorizing official commitment to + secure development, and convey that commitment to all with + development- related roles and responsibilities. + props: + - name: label + value: PO.2 + title: Implement Roles and Responsibilities + - id: po3 + parts: + - name: overview + prose: >- + Use automation to reduce human effort and improve the accuracy, + reproducibility, usability, and comprehensiveness of security + practices throughout the SDLC, as well as provide a way to + document and demonstrate the use of these practices. 
Toolchains + and tools may be used at different levels of the organization, + such as organization-wide or project-specific, and may address a + particular part of the SDLC, like a build pipeline + - name: statement + props: + - name: label + value: PO.3.1 + prose: >- + Specify which tools or tool types must or should be included in + each toolchain to mitigate identified risks, as well as how the + toolchain components are to be integrated with each oth + - name: statement + props: + - name: label + value: PO.3.2 + prose: >- + Follow recommended security practices to deploy, operate, and + maintain tools and toolchain + - name: statement + props: + - name: label + value: PO.3.3 + prose: >- + Configure tools to generate artifacts6 of their support of + secure software development practices as defined by the + organization + props: + - name: label + value: PO.3 + title: Implement Supporting Toolchains + - id: po4 + parts: + - name: overview + prose: >- + Help ensure that the software resulting from the SDLC meets the + organization’s expectations by defining and using criteria for + checking the software’s security during development. + - name: statement + props: + - name: label + value: PO.4.1 + prose: >- + Define criteria for software security checks and track + throughout the SDLC. + - name: statement + props: + - name: label + value: PO.4.2 + prose: >- + Implement processes, mechanisms, etc. to gather and safeguard + the necessary information in support of the criteria. + props: + - name: label + value: PO.4 + title: Implement Supporting Toolchains + - id: po5 + parts: + - name: overview + prose: >- + Ensure that all components of the environments for software + development are strongly protected from internal and external + threats to prevent compromises of the environments or the + software being developed or maintained within them. Examples of + environments for software development include development, + build, test, and distribution environments. 
+ - name: statement + props: + - name: label + value: PO.5.1 + prose: >- + Separate and protect each environment involved in software + development + - name: statement + props: + - name: label + value: PO.5.2 + prose: >- + Secure and harden development endpoints (i.e., endpoints for + software designers, developers, testers, builders, etc.) to + perform development-related tasks using a risk-based approach + props: + - name: label + value: PO.5 + title: Implement and Maintain Secure Environments for Software Development + - id: ps + parts: + - name: overview + prose: >- + Organizations should protect all components of their software from + tampering and unauthorized access. + props: + - name: label + value: PS + title: Protect the Software + controls: + - id: ps1 + parts: + - name: overview + prose: >- + Help prevent unauthorized changes to code, both inadvertent and + intentional, which could circumvent or negate the intended + security characteristics of the software. For code that is not + intended to be publicly accessible, this helps prevent theft of + the software and may make it more difficult or time-consuming + for attackers to find vulnerabilities in the software. + - name: statement + props: + - name: label + value: PS.1.1 + prose: >- + Store all forms of code – including source code, executable + code, and configuration-as-code – based on the principle of + least privilege so that only authorized personnel, tools, + services, etc. have access. + props: + - name: label + value: PS.1 + title: Protect All Forms of Code from Unauthorized Access and Tampering + - id: ps2 + parts: + - name: overview + prose: >- + Help software acquirers ensure that the software they acquire is + legitimate and has not been tampered with. + - name: statement + props: + - name: label + value: PS.2.1 + prose: >- + Make software integrity verification information available to + software acquirers. 
+ props: + - name: label + value: PS.2 + title: Provide a Mechanism for Verifying Software Release Integrity + - id: ps3 + parts: + - name: overview + prose: >- + Preserve software releases in order to help identify, analyze, + and eliminate vulnerabilities discovered in the software after + release. + - name: statement + props: + - name: label + value: PS.3.1 + prose: >- + Securely archive the necessary files and supporting data (e.g., + integrity verification information, provenance data) to be + retained for each software release. + - name: statement + props: + - name: label + value: PS.3.2 + prose: >- + Collect, safeguard, maintain, and share provenance data for all + components of each software release (e.g., in a software bill of + materials [SBOM]). + props: + - name: label + value: PS.3 + title: Archive and Protect Each Software Release + - id: pw + parts: + - name: overview + prose: >- + Organizations should produce well-secured software with minimal + security vulnerabilities in its releases. + props: + - name: label + value: PW + title: Produce Well-Secured Software + controls: + - id: pw1 + parts: + - name: overview + prose: >- + Identify and evaluate the security requirements for the + software; determine what security risks the software is likely + to face during operation and how the software’s design and + architecture should mitigate those risks; and justify any cases + where risk-based analysis indicates that security requirements + should be relaxed or waived. Addressing security requirements + and risks during software design (secure by design) is key for + improving software security and also helps improve development + efficiency. + - name: statement + props: + - name: label + value: PW.1.1 + prose: >- + Use forms of risk modeling – such as threat modeling, attack + modeling, or attack surface mapping – to help assess the + security risk for the software. 
+ - name: statement + props: + - name: label + value: PW.1.2 + prose: >- + Track and maintain the software’s security requirements, risks, + and design decisions. + - name: statement + props: + - name: label + value: PW.1.3 + prose: >- + Where appropriate, build in support for using standardized + security features and services (e.g., enabling software to + integrate with existing log management, identity management, + access control, and vulnerability management systems) instead of + creating proprietary implementations of security features and + service. + props: + - name: label + value: PW.1 + title: >- + Design Software to Meet Security Requirements and Mitigate Security + Risks + - id: pw2 + parts: + - name: overview + prose: >- + Help ensure that the software will meet the security + requirements and satisfactorily address the identified risk + information. + - name: statement + props: + - name: label + value: PW.2.1 + prose: >- + Have 1) a qualified person (or people) who were not involved + with the design and/or 2) automated processes instantiated in + the toolchain review the software design to confirm and enforce + that it meets all of the security requirements and + satisfactorily addresses the identified risk information. + props: + - name: label + value: PW.2 + title: >- + Review the Software Design to Verify Compliance with Security + Requirements and Risk Information. 
+ - id: pw3 + links: + - rel: moved-to + href: '#pw4' + parts: + - name: statement + props: + - name: label + value: PW.3.1 + prose: '*Moved to PO.1.3*' + - name: statement + props: + - name: label + value: PW.3.1 + prose: '*Moved to PW.4.4*' + props: + - name: label + value: PW.3 + - name: status + value: withdrawn + title: Verify Third-Party Software Complies with Security Requirements + - id: pw4 + parts: + - name: overview + prose: >- + Lower the costs of software development, expedite software + development, and decrease the likelihood of introducing + additional security vulnerabilities into the software by reusing + software modules and services that have already had their + security posture checked. This is particularly important for + software that implements security functionality, such as + cryptographic modules and protocols. + - name: statement + props: + - name: label + value: PW.4.1 + prose: >- + Acquire and maintain well-secured software components (e.g., + software libraries, modules, middleware, frameworks) from + commercial, open- source, and other third-party developers for + use by the organization’s software + - name: statement + props: + - name: label + value: PW.4.2 + prose: >- + Create and maintain well-secured software components in-house + following SDLC processes to meet common internal software + development needs that cannot be better met by third-party + software components. + - name: statement + props: + - name: label + value: PW.4.3 + - name: marking + value: withdrawn + prose: '*Moved to PW.1.3*' + - name: statement + props: + - name: label + value: PW.4.4 + prose: >- + Verify that acquired commercial, open-source, and all other + third-party software components comply with the requirements, as + defined by the organization, throughout their life cycles. 
+ - name: statement + props: + - name: label + value: PW.4.5 + prose: '*Moved to PW.4.1 and PW.4.4*' + props: + - name: label + value: PW.4 + title: >- + Reuse Existing, Well-Secured Software When Feasible Instead of + Duplicating Functionality + - id: pw5 + parts: + - name: overview + prose: >- + Decrease the number of security vulnerabilities in the software, + and reduce costs by minimizing vulnerabilities introduced during + source code creation that meet or exceed organization-defined + vulnerability severity criteria + - name: statement + props: + - name: label + value: PW.5.1 + prose: >- + Follow all secure coding practices that are appropriate to the + development languages and environment to meet the organization’s + requirements. + - name: statement + props: + - name: label + value: PW.5.2 + prose: '*Moved to PW.5.1 as example*' + props: + - name: label + value: PW.5 + title: Create Source Code by Adhering to Secure Coding Practices + - id: pw6 + parts: + - name: overview + prose: >- + Decrease the number of security vulnerabilities in the software + and reduce costs by eliminating vulnerabilities before testing + occurs. + - name: statement + props: + - name: label + value: PW.6.1 + prose: >- + Use compiler, interpreter, and build tools that offer features + to improve executable security. + - name: statement + props: + - name: label + value: PW.6.2 + prose: >- + Determine which compiler, interpreter, and build tool features + should be used and how each should be configured, then implement + and use the approved configurations. + props: + - name: label + value: PW.6 + title: >- + Configure the Compilation, Interpreter, and Build Processes to + Improve Executable Security + - id: pw7 + parts: + - name: overview + prose: >- + Help identify vulnerabilities so that they can be corrected + before the software is released to prevent exploitation. Using + automated methods lowers the effort and resources needed to + detect vulnerabilities. 
Human-readable code includes source + code, scripts, and any other form of code that an organization + deems human- readable. + - name: statement + props: + - name: label + value: PW.7.1 + prose: >- + Determine whether code *review* (a person looks directly at the + code to find issues) and/or code *analysis* (tools are used to + find issues in code, either in a fully automated way or in + conjunction with a person) should be used, as defined by the + organization + - name: statement + props: + - name: label + value: PW.7.2 + prose: >- + Perform the code review and/or code analysis based on the + organization’s secure coding standards, and record and triage + all discovered issues and recommended remediations in the + development team’s workflow or issue tracking system. + props: + - name: label + value: PW.7 + title: >- + Review and/or Analyze Human-Readable Code to Identify + Vulnerabilities and Verify Compliance with Security Requirements + - id: pw8 + parts: + - name: overview + prose: >- + Help identify vulnerabilities so that they can be corrected + before the software is released in order to prevent + exploitation. Using automated methods lowers the effort and + resources needed to detect vulnerabilities and improves + traceability and repeatability. Executable code includes + binaries, directly executed bytecode and source code, and any + other form of code that an organization deems executable. + - name: statement + props: + - name: label + value: PW.8.1 + prose: >- + Determine whether executable code testing should be performed to + find vulnerabilities not identified by previous reviews, + analysis, or testing and, if so, which types of testing should + be used. 
+ - name: statement + props: + - name: label + value: PW.8.2 + prose: >- + Scope the testing, design the tests, perform the testing, and + document the results, including recording and triaging all + discovered issues and recommended remediations in the + development team’s workflow or issue tracking system. + props: + - name: label + value: PW.8 + title: >- + Test Executable Code to Identify Vulnerabilities and Verify + Compliance with Security Requirements + - id: pw9 + parts: + - name: overview + prose: >- + Help improve the security of the software at the time of + installation to reduce the likelihood of the software being + deployed with weak security settings, putting it at greater risk + of compromise. + - name: statement + props: + - name: label + value: PW.9.1 + prose: >- + Define a secure baseline by determining how to configure each + setting that has an effect on security or a security-related + setting so that the default settings are secure and do not + weaken the security functions provided by the platform, network + infrastructure, or services. + - name: statement + props: + - name: label + value: PW.9.2 + prose: >- + Implement the default settings (or groups of default settings, + if applicable), and document each setting for software + administrators. + props: + - name: label + value: PW.9 + title: Configure Software to Have Secure Settings by Default + - id: rv + parts: + - name: overview + prose: >- + Organizations should identify residual vulnerabilities in their + software releases and respond appropriately to address those + vulnerabilities and prevent similar ones from occurring in the + future + props: + - name: label + value: RV + title: Respond to Vulnerabilities + controls: + - id: rv1 + parts: + - name: overview + prose: >- + Help ensure that vulnerabilities are identified more quickly so + that they can be remediated more quickly in accordance with + risk, reducing the window of opportunity for attackers. 
+ - name: statement + props: + - name: label + value: RV.1.1 + prose: >- + Gather information from software acquirers, users, and public + sources on potential vulnerabilities in the software and + third-party components that the software uses, and investigate + all credible reports. + - name: statement + props: + - name: label + value: RV.1.2 + prose: >- + Review, analyze, and/or test the software’s code to identify or + confirm the presence of previously undetected vulnerabilities. + - name: statement + props: + - name: label + value: RV.1.3 + prose: >- + Have a policy that addresses vulnerability disclosure and + remediation, and implement the roles, responsibilities, and + processes needed to support that policy. + props: + - name: label + value: RV.1 + title: Identify and Confirm Vulnerabilities on an Ongoing Basis + - id: rv2 + parts: + - name: overview + prose: >- + Help ensure that vulnerabilities are remediated in accordance + with risk to reduce the window of opportunity for attackers. + - name: statement + props: + - name: label + value: RV.2.1 + prose: >- + Analyze each vulnerability to gather sufficient information + about risk to plan its remediation or other risk response. + - name: statement + props: + - name: label + value: RV.2.2 + prose: Plan and implement risk responses for vulnerabilities. + props: + - name: label + value: RV.2 + title: Assess, Prioritize, and Remediate Vulnerabilities + - id: rv3 + parts: + - name: overview + prose: Help reduce the frequency of vulnerabilities in the future. + - name: statement + props: + - name: label + value: RV.3.1 + prose: >- + Analyze identified vulnerabilities to determine their root + causes. + - name: statement + props: + - name: label + value: RV.3.2 + prose: >- + Analyze the root causes over time to identify patterns, such as + a particular secure coding practice not being followed + consistently. 
+ - name: statement + props: + - name: label + value: RV.3.3 + prose: >- + Review the software for similar vulnerabilities to eradicate a + class of vulnerabilities, and proactively fix them rather than + waiting for external reports. + - name: statement + props: + - name: label + value: RV.3.4 + prose: >- + Review the SDLC process, and update it if appropriate to prevent + (or reduce the likelihood of) the root cause recurring in + updates to the software or in new software that is created. + props: + - name: label + value: RV.3 + title: Analyze Vulnerabilities to Identify Their Root Causes + metadata: + links: + - rel: canonical + href: >- + https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf + props: + - name: keywords + value: >- + secure software development,Secure Software Development Framework + (SSDF),secure software development practices,software + acquisition,software development,software development life cycle + (SDLC),software security + roles: + - id: creator + title: Creator of the Original Content + - id: prepared-by + title: Author of Content in OSCAL Format + title: >- + Secure Software Development Framework (SSDF) Version 1.1: Recommendations + for Mitigating the Risk of Software Vulnerabilities + parties: + - name: National Institute of Standards and Technology + type: organization + uuid: 9609a569-3a70-43bb-8ff2-9149f1779d70 + addresses: + - city: Gaithersburg + state: MD + addr-lines: + - 100 Bureau Drive + - Mail Stop 2000 + postal-code: 20899-2000 + short-name: NIST + email-addresses: + - dig-comments@nist.gov + - name: Easy Dynamics Corp. + type: organization + uuid: c9dbf135-b1ab-48c1-862c-655054ec669c + addresses: + - city: McLean + state: VA + addr-lines: + - 2000 Corporate Ridge + - Suite 240 + postal-code: '22102' + short-name: EDC + email-addresses: + - oscal@easydynamics.com + remarks: >- + This is a **DRAFT** translation of the Secure Software Development + Framework in OSCAL. 
Refer to the source document for examples and + references. + version: '1.1' + published: '1900-01-01T00:00:00.000Z' + document-ids: + - scheme: http://www.doi.org/ + identifier: https://doi.org/10.6028/NIST.SP.800-218 + last-modified: '2024-08-23T18:31:49.500Z' + oscal-version: 1.0.4 + responsible-parties: + - role-id: creator + party-uuids: + - 9609a569-3a70-43bb-8ff2-9149f1779d70 + - role-id: prepared-by + party-uuids: + - c9dbf135-b1ab-48c1-862c-655054ec669c + back-matter: + resources: + - uuid: 8a086422-3948-46e9-a9da-0648d0e32444 + title: BSAFSS + rlinks: + - href: >- + https://www.bsa.org/files/reports/bsa_framework_secure_software_update_2020.pdf + media-type: application/pdf + citation: + text: >- + BSA (2020) *The BSA Framework for Secure Software: A New Approach to + Securing the Software Lifecycle, Version 1.1*. + - uuid: c3403865-69df-444f-a9aa-cf94d210c261 + title: BSIMM + rlinks: + - href: >- + https://www.bsimm.com/content/dam/bsimm/reports/bsimm12-foundations.pdf + media-type: application/pdf + citation: + text: >- + Migues S, Erlikhman E, Ewers J, Nassery K (2021) *BSIMM12 2021 + Foundations Report*. + - uuid: 808989fe-67a1-4479-86fa-ba1553cc86d6 + title: CNCFSSCP + rlinks: + - href: >- + https://github.com/cncf/tag-security/tree/main/supply-chain-security/supply-chain-security-paper + citation: + text: >- + Cloud Native Computing Foundation (2021) *Software Supply Chain Best + Practices*. + - uuid: c1ec0998-e16e-4eb5-8ca4-c76382994a45 + title: EO14028 + rlinks: + - href: https://www.govinfo.gov/app/details/DCPD-202100401 + citation: + text: >- + Executive Order 14028 (2021) Improving the Nation’s Cybersecurity. 
+ (The White House, Washington, DC), DCPD-202100401, May 12, 2021 + - uuid: efb452e3-f9a1-4a89-b509-8e5d23a1bdd3 + title: ISASOAR + rlinks: + - href: >- + https://www.ida.org/research-and-publications/publications/all/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation-2016 + citation: + text: >- + Hong Fong EK, Wheeler D, Henninger A (2016) State-of-the-Art + Resources (SOAR) for Software Vulnerability Detection, Test, and + Evaluation 2016. (Institute for Defense Analyses [IDA], Alexandria, + VA), IDA Paper P-8005. + - uuid: f9ae6d45-d78e-4e6e-a01b-6260d1ee49f8 + title: IEC62443 + rlinks: + - href: https://webstore.iec.ch/publication/33615 + citation: + text: >- + International Electrotechnical Commission (IEC), Security for + industrial automation and control systems – Part 4-1: Secure product + development lifecycle requirements, IEC 62443-4-1, 2018. + - uuid: bad0edc0-f8b2-481a-96fa-f48e3ac14140 + title: IR7692 + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7864 + media-type: application/pdf + citation: + text: >- + Waltermire DA, Scarfone KA, Casipe M (2011) Specification for the + Open Checklist Interactive Language (OCIL) Version 2.0. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7692. + - uuid: b3e40157-08ec-4171-ab8b-30c3285bd127 + title: IR7864 + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7864 + media-type: application/pdf + citation: + text: >- + LeMay E, Scarfone KA, Mell PM (2012) The Common Misuse Scoring + System (CMSS): Metrics for Software Feature Misuse Vulnerabilities. + (National Institute of Standards and Technology, Gaithersburg, MD), + NIST Interagency or Internal Report (IR) 7864. 
+ - uuid: deda0dda-d2d0-4d57-a8f2-37e91c6affe0 + title: IR8397 + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8397 + media-type: application/pdf + citation: + text: >- + Black P, Guttman B, Okun V (2021) Guidelines on Minimum Standards + for Developer Verification of Software. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Interagency or + Internal Report (IR) 8397. + - uuid: 7061f193-d793-46ae-b0bf-679cfc253297 + title: ISO27034 + rlinks: + - href: https://www.iso.org/standard/44378.html + citation: + text: >- + International Organization for Standardization (ISO)/International + Electrotechnical Commission (IEC), Information technology – Security + techniques – Application security – Part 1: Overview and concepts, + ISO/IEC 27034-1:2011, 2011. + - uuid: ea4e1fe7-dabc-477b-980f-6f0d8e522180 + title: ISO29147 + rlinks: + - href: https://www.iso.org/standard/72311.html + citation: + text: >- + International Organization for Standardization (ISO)/International + Electrotechnical Commission (IEC), Information technology – Security + techniques – Vulnerability disclosure, ISO/IEC 29147:2018, 2018. + - uuid: 1754c2c0-0762-40aa-9cc8-4322f4ed11fa + title: ISO30111 + rlinks: + - href: https://www.iso.org/standard/69725.html + citation: + text: >- + International Organization for Standardization (ISO)/International + Electrotechnical Commission (IEC), Information technology – Security + techniques – Vulnerability handling processes, ISO/IEC 30111:2019, + 2019. + - uuid: 76083d23-8059-4107-b4c8-c4e3fd984b95 + title: MSSDL + rlinks: + - href: https://www.microsoft.com/en-us/securityengineering/sdl/ + media-type: text/html + citation: + text: Microsoft (2021) *Security Development Lifecycle*. 
+ - uuid: cbc61673-68f7-4b68-bdff-f5f2d97a4c5b + title: NISTCSF + rlinks: + - href: https://doi.org/10.6028/NIST.CSWP.04162018 + media-type: application/pdf + citation: + text: >- + National Institute of Standards and Technology (2018) Framework for + Improving Critical Infrastructure Cybersecurity, Version 1.1. + (National Institute of Standards and Technology, Gaithersburg, MD). + - uuid: b508122a-587b-4f23-9681-6dea8ee97058 + title: NISTLABEL + rlinks: + - href: >- + https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity + media-type: text/html + citation: + text: >- + Ogata M, Haney J, Merkel W, Phelps A (2022) Recommended Criteria for + Cybersecurity Labeling of Consumer Software. (National Institute of + Standards and Technology, Gaithersburg, MD). + - uuid: 1373fbd6-a2f4-4e82-a606-a620ca7a6db7 + title: NTIASBOM + rlinks: + - href: >- + https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom + citation: + text: >- + National Telecommunications and Information Administration (NTIA) + (2021) *The Minimum Elements For a Software Bill of Materials + (SBOM)*. + - uuid: 27bfcef8-3857-424c-9d63-4bb259d72a35 + title: OWASPASVS + rlinks: + - href: https://github.com/OWASP/ASVS + citation: + text: >- + Open Web Application Security Project (2021) *OWASP Application + Security Verification Standard 4.0.3*. + - uuid: 6f5613b7-560c-404c-b591-7c0550f5c9a8 + title: OWASPMASVS + rlinks: + - href: https://github.com/OWASP/owasp-masvs/releases + citation: + text: >- + Open Web Application Security Project (2021) *OWASP Mobile + Application Security Verification Standard, Version 1.4.2*. + - uuid: ad2ae407-da60-46fc-b3f8-83430c004997 + title: OWASPSAMM + rlinks: + - href: https://www.owasp.org/index.php/OWASP_SAMM_Project + citation: + text: >- + Open Web Application Security Project (2017) *Software Assurance + Maturity Model Version 1.5*. 
+ - uuid: 09cc20d1-869d-469e-b162-cea7c84c0718 + title: OWASPSCVS + rlinks: + - href: https://github.com/OWASP/Software-Component-Verification-Standard + citation: + text: >- + Open Web Application Security Project (2020) *OWASP Software + Component Verification Standard, Version 1.0*. + - uuid: 2d19aaff-82e6-4b13-bcc3-65c1c02ba83e + title: PCISSLC + rlinks: + - href: >- + https://www.pcisecuritystandards.org/document_library?category=sware_sec#results + citation: + text: >- + Payment Card Industry (PCI) Security Standards Council (2021) + *Secure Software Lifecycle (Secure SLC) Requirements and Assessment + Procedures Version 1.1*. + - uuid: 87cb65be-2dc4-4943-be3e-00c679157778 + title: SCAGILE + rlinks: + - href: >- + http://www.safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf + media-type: application/pdf + citation: + text: >- + Software Assurance Forum for Excellence in Code (2012) *Practical + Security Stories and Security Tasks for Agile Development + Environments*. + - uuid: b07bfd85-a085-445c-939b-e76fe2ac2816 + title: SCFPSSD + rlinks: + - href: >- + https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf + media-type: application/pdf + citation: + text: >- + Software Assurance Forum for Excellence in Code (2018) *Fundamental + Practices for Secure Software Development: Essential Elements of a + Secure Development Lifecycle Program, Third Edition*. + - uuid: 1ff3a4f7-780c-46b6-b26f-2ccaa9491a4d + title: SCSIC + rlinks: + - href: >- + http://www.safecode.org/publication/SAFECode_Software_Integrity_Controls0610.pdf + media-type: application/pdf + citation: + text: >- + Software Assurance Forum for Excellence in Code (2010) *Software + Integrity Controls: An Assurance-Based Approach to Minimizing Risks + in the Software Supply Chain*. 
+ - uuid: 68abc9f7-c45c-4648-a5c2-0526264ec366 + title: SCTPC + rlinks: + - href: >- + https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf + media-type: application/pdf + citation: + text: >- + Software Assurance Forum for Excellence in Code (2017) *Managing + Security Risks Inherent in the Use of Third-Party Components*. + - uuid: c8a8d56e-e2ce-4ee6-bb34-7b4d57fdecef + title: SCTTM + rlinks: + - href: >- + https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf + media-type: application/pdf + citation: + text: >- + Software Assurance Forum for Excellence in Code (2017) *Tactical + Threat Modeling*. + - uuid: 530e65a6-7742-49b6-a7f6-97f48665f46a + title: SP80053 + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53r5 + media-type: application/pdf + citation: + text: >- + Joint Task Force (2020) Security and Privacy Controls for + Information Systems and Organizations. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-53, Rev. 5. Includes updates as of December 10, + 2020. + - uuid: 0e01d884-fb67-45ac-9e06-0c4aa37d9932 + title: SP800160 + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v1 + media-type: application/pdf + citation: + text: >- + Ross R, McEvilley M, Oren J (2016) Systems Security Engineering: + Considerations for a Multidisciplinary Approach in the Engineering + of Trustworthy Secure Systems. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) + 800-160, Volume 1. Includes updates as of March 21, 2018. + - uuid: e1abda75-f19f-4d3b-9676-791e7c37a2b8 + title: SP800161 + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-161r1-draft2 + media-type: application/pdf + citation: + text: >- + Boyens J, Smith A, Bartol N, Winkler K, Holbrook A, Fallon M (2021) + Cybersecurity Supply Chain Risk Management Practices for Systems and + Organizations. 
(National Institute of Standards and Technology, + Gaithersburg, MD), Second Draft NIST Special Publication (SP) + 800-161, Rev. 1. + - uuid: a08f59a9-7c98-497c-b75f-157b699d0b7b + title: SP800181 + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-181 + media-type: application/pdf + citation: + text: >- + Newhouse W, Keith S, Scribner B, Witte G (2017) National Initiative + for Cybersecurity Education (NICE) Cybersecurity Workforce + Framework. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-181. + - uuid: 140fc9d9-97db-4185-9c1c-51a4107f240f + title: SP800216 + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-216-draft + media-type: application/pdf + citation: + text: >- + Schaffer K, Mell P, Trinh H (2021) Recommendations for Federal + Vulnerability Disclosure Guidelines. (National Institute of + Standards and Technology, Gaithersburg, MD), Draft NIST Special + Publication (SP) 800- 216. diff --git a/.oscal/ssp.oscal.yaml b/.oscal/ssp.oscal.yaml new file mode 100644 index 0000000..62e8d80 --- /dev/null +++ b/.oscal/ssp.oscal.yaml 
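Review bot: Control `po4` is titled `Implement Supporting Toolchains`, a copy of `po3`'s title, although its statements are about criteria for software security checks; SP 800-218 names PO.4 "Define and Use Criteria for Software Security Checks", so the line should read `title: Define and Use Criteria for Software Security Checks`. Two similar copy errors sit in the same hunk: the second statement under the withdrawn `pw3` repeats the label `PW.3.1` (presumably `value: PW.3.2`), and back-matter resource `IR7692` links to the IR 7864 DOI (presumably `href: https://doi.org/10.6028/NIST.IR.7692`). Because the profile selects controls from this catalog by id, a wrong title or label is carried into every resolved baseline and report built from it. Some statement prose also looks truncated by extraction (`with each oth`, `artifacts6`) and is worth re-checking against the source document.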
@@ -0,0 +1,312 @@ +system-security-plan: + uuid: 8c1ee2a6-bd14-4f77-b2f7-3d2bc0aaa55e + metadata: + title: "Oscal Server Software Development System Security Plan" + last-modified: "2024-10-24T00:00:00Z" + version: "1.0" + oscal-version: "1.0.4" + published: "2024-10-24T00:00:00Z" + roles: + - id: authorizing-official + title: Authorizing Official + - id: system-owner + title: System Owner + - id: information-security-officer + title: Information System Security Officer + - id: developer + title: Software Developer + - id: security-engineer + title: Security Engineer + - id: prepared-by + title: Document Preparer + - id: prepared-for + title: Document Recipient + + parties: + - uuid: 11111111-0000-4000-9000-100000000001 + type: organization + name: "Metaschema Framework Organization" + short-name: "MFO" + - uuid: 11111111-0000-4000-9000-100000000002 + type: person + name: "David Waltermire" + props: + - name: job-title + value: Software Architect + - uuid: 22222222-0000-4000-9000-100000000002 + type: person + name: "Paul Wand" + props: + - name: job-title + value: Senior Software Architect + - uuid: 88888888-0000-4000-9000-100000000008 + type: person + name: "AJ Stein" + props: + - name: job-title + value: Senior Security Architect + - uuid: 99999999-0000-4000-9000-100000000009 + type: organization + name: "FedRAMP PMO" + links: + - href: https://fedramp.gov + rel: homepage + responsible-parties: + - role-id: system-owner + party-uuids: + - 11111111-0000-4000-9000-100000000002 + - role-id: information-security-officer + party-uuids: + - 22222222-0000-4000-9000-100000000002 + - role-id: prepared-by + party-uuids: + - 88888888-0000-4000-9000-100000000008 + + props: + - name: marking + value: "SENSITIVE BUT UNCLASSIFIED" + + import-profile: + href: "profile.oscal.yaml" + + system-characteristics: + system-ids: + - id: "ESC-DEV-001" + identifier-type: https://fedramp.gov + system-name: "Enterprise Software Development Environment" + system-name-short: "ESDE" + 
description: >- + Primary software development environment for Example Software Company, + including development, testing, and build infrastructure. + security-sensitivity-level: fips-199-moderate + system-information: + information-types: + - title: "Software Development Information" + uuid: 370026f8-582b-4c02-9331-a5c84afdbfd8 + description: "Source code, build configurations, and development artifacts" + categorization: + system: https://doi.org/10.6028/NIST.SP.800-60v2r1 + information-type-id: C.3.5.1 + confidentiality-impact: + base: fips-199-low + selected: fips-199-low + integrity-impact: + base: fips-199-moderate + selected: fips-199-low + adjustment-justification: >- + This library is provided as a public domain application built with free, open-source, and public domain libraries. Vendors using this application must review and confirm the integrity of the codebase and its changes over time and use the Merkle-tree data structure with integrity checking mechanisms as provided by the `git` utility, protocol, and GitHub code sharing service. Integrity checking is free and ubiqutous, and the impact of integrity violation to this code base is low, not moderate. 
+ availability-impact: + base: fips-199-moderate + selected: fips-199-low + security-impact-level: + security-objective-confidentiality: moderate + security-objective-integrity: moderate + security-objective-availability: moderate + + status: + state: operational + + authorization-boundary: + description: "The authorization boundary encompasses all core development systems" + diagrams: + - description: "a simple diagram in mermaid" + links: + - href: "#11111111-2222-3333-4444-555555555555" + + network-architecture: + description: "Network architecture showing system components and connections" + diagrams: + - description: "a simple diagram in mermaid" + links: + - href: "#11111111-3333-3333-4444-555555555555" + + + data-flow: + description: "Data flow between system components" + + system-implementation: + users: + - uuid: 33333333-0000-4000-9000-100000000003 + title: "Development Team" + description: "Software developers and engineers" + role-ids: + - developer + authorized-privileges: + - title: "Code Repository Access" + functions-performed: + - "Read/Write source code" + - "Create pull requests" + props: + - name: type + value: "internal" + + - uuid: 44444444-0000-4000-9000-100000000004 + title: "Security Team" + description: "Security engineers and analysts" + role-ids: + - security-engineer + authorized-privileges: + - title: "Security Scanning" + functions-performed: + - "Run security scans" + - "Review security findings" + props: + - name: type + value: "internal" + + components: + - uuid: 55555555-0000-4000-9000-100000000005 + type: "software" + title: "Source Control System" + description: "Git-based version control system" + status: + state: operational + responsible-roles: + - role-id: information-security-officer + links: + - href: "poam.oscal.yaml" + rel: poam-item + resource-fragment: "77777777-0000-4000-9000-100000000020" + + - uuid: 66666666-0000-4000-9000-100000000006 + type: "software" + title: "CI/CD Pipeline" + description: "Continuous 
Integration and Deployment System" + status: + state: operational + responsible-roles: + - role-id: information-security-officer + links: + - href: "poam.oscal.yaml" + rel: poam-item + resource-fragment: "77777777-0000-4000-9000-100000000026" + control-implementation: + implemented-requirements: + # Respond to Vulnerabilities (RV) Controls + - uuid: 77777777-0000-4000-9000-100000000011 + control-id: rv1 + by-components: + - component-uuid: 66666666-0000-4000-9000-100000000006 + implementation-status: + state: planned + description: >- + Vulnerability scanning is automated in the CI/CD pipeline. + Security findings are tracked and remediated based on severity. + A bug bounty program is maintained for external security researchers. + - uuid: 77777777-0000-4000-9000-100000000001 + control-id: po1 + props: + - ns: "https://fedramp.gov/ns/oscal" + name: "control-origination" + value: "service-provider-system" + - ns: "https://fedramp.gov/ns/oscal" + name: "implementation-status" + value: "implemented" + statements: + - statement-id: "po-1_smt" + uuid: 77777777-0000-4000-9000-200000000001 + by-components: + - component-uuid: 55555555-0000-4000-9000-100000000005 + uuid: 77777777-0000-4000-9000-300000000001 + description: >- + Security requirements for software development are documented and maintained + in the organization's security policy repository. 
Requirements are: + - Reviewed quarterly by the security team + - Updated based on emerging threats and compliance needs + - Stored in a version-controlled repository + - Accessible to all development teams + implementation-status: + state: implemented + + - uuid: 77777777-0000-4000-9000-100000000002 + control-id: po2 + props: + - ns: "https://fedramp.gov/ns/oscal" + name: "control-origination" + value: "service-provider-system" + - ns: "https://fedramp.gov/ns/oscal" + name: "implementation-status" + value: "implemented" + statements: + - statement-id: "po-2_smt.a" + uuid: 77777777-0000-4000-9000-200000000002 + by-components: + - component-uuid: 55555555-0000-4000-9000-100000000005 + uuid: 77777777-0000-4000-9000-300000000002 + description: >- + Development team roles and responsibilities are clearly defined through: + - Comprehensive RACI matrix covering all SDLC phases + - Quarterly security training with role-specific modules + - Tracked training completion in the learning management system + implementation-status: + state: implemented + + - statement-id: "po-2_smt.b" + uuid: 77777777-0000-4000-9000-200000000003 + by-components: + - component-uuid: 55555555-0000-4000-9000-100000000005 + uuid: 77777777-0000-4000-9000-300000000003 + description: >- + Role-based security training is provided through: + - Initial onboarding training + - Quarterly refresher courses + - Role-specific security modules + implementation-status: + state: implemented + + - uuid: 77777777-0000-4000-9000-100000000003 + control-id: po3 + props: + - ns: "https://fedramp.gov/ns/oscal" + name: "control-origination" + value: "service-provider-system" + - ns: "https://fedramp.gov/ns/oscal" + name: "implementation-status" + value: "implemented" + statements: + - statement-id: "po-3_smt" + uuid: 77777777-0000-4000-9000-200000000004 + by-components: + - component-uuid: 66666666-0000-4000-9000-100000000006 + uuid: 77777777-0000-4000-9000-300000000004 + description: >- + CI/CD pipeline integrates 
multiple security tools including: + - Static Application Security Testing (SAST) + - Software Composition Analysis (SCA) + - Dynamic Application Security Testing (DAST) + - Container security scanning + All tools are configured to fail builds on critical findings. + implementation-status: + state: implemented + back-matter: + resources: + - uuid: 11111111-2222-3333-4444-555555555555 + title: Boundary Diagram + description: The primary authorization boundary diagram. + props: + - name: type + value: image + class: authorization-boundary + rlinks: + - href: ./attachments/diagrams/authorization-boundary.png + - href: ./attachments/diagrams/authorization-boundary.mermaid + - uuid: 11111111-3333-3333-4444-555555555555 + title: Network Diagram + description: The primary network boundary diagram. + props: + - name: type + value: image + class: network-diagram + rlinks: + - href: ./attachments/diagrams/network-diagram.svg + - href: ./attachments/diagrams/network-diagram.mermaid + - uuid: 66666666-0000-4000-8000-100000000006 + title: "System POA&M" + description: "Plan of Action and Milestones for the System" + rlinks: + - href: "poam.oscal.yaml" + props: + - name: type + ns: "https://fedramp.gov/ns/oscal" + value: "plan" + class: "poam" \ No newline at end of file diff --git a/src/main/kotlin/gov/nist/secauto/oscal/tools/server/OscalVerticle.kt b/src/main/kotlin/gov/nist/secauto/oscal/tools/server/OscalVerticle.kt index fcee18c..09f01ff 100644 --- a/src/main/kotlin/gov/nist/secauto/oscal/tools/server/OscalVerticle.kt +++ b/src/main/kotlin/gov/nist/secauto/oscal/tools/server/OscalVerticle.kt @@ -4,6 +4,7 @@ */ package gov.nist.secauto.oscal.tools.server +import java.nio.file.attribute.PosixFilePermission import gov.nist.secauto.metaschema.databind.io.IBoundLoader; import gov.nist.secauto.oscal.tools.cli.core.OscalCliVersion; import io.vertx.core.Vertx 
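Review bot: The categorization under `system-characteristics` contradicts itself: the single information type selects `fips-199-low` for confidentiality, integrity and availability, while `security-sensitivity-level` is `fips-199-moderate` and all three `security-objective-*` values are `moderate`. A reader cannot tell which baseline the plan is written against, so the selected impacts and the `security-impact-level` block should be brought into agreement. The availability downgrade from `fips-199-moderate` to `fips-199-low` also has no `adjustment-justification`, unlike the integrity one; add it next to `selected`. Separately, `rv1` is marked `state: planned` while its description is in the present tense ("is automated", "is maintained"); the text should say what is planned rather than what exists.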
@@ -49,23 +50,196 @@ import gov.nist.secauto.oscal.tools.cli.core.CLI; class OscalVerticle : CoroutineVerticle() { private val logger: Logger = LogManager.getLogger(OscalVerticle::class.java) private lateinit var oscalDir: Path + private lateinit var serverDir: Path + private val allowedDirs = mutableListOf() + private val activeWorkers = AtomicInteger(0) + override suspend fun start() { - VertxOptions().setEventLoopPoolSize(8) + try { + VertxOptions().setEventLoopPoolSize(8) + validateAndInitializeDirectories() + serverDir = Paths.get("").toAbsolutePath() + val router = createRouter() + startHttpServer(router) + } catch (e: SecurityException) { + logger.error("Critical security configuration error: ${e.message}") + throw e // Fail fast on security configuration issues + } + } + + private fun validateAndInitializeDirectories() { + // Initialize OSCAL directory with security checks initializeOscalDirectory() - val router = createRouter() - startHttpServer(router) + + // Initialize and validate allowed directories + initializeAllowedDirectories() + + // Verify all directories are accessible and have proper permissions + verifyDirectoryPermissions() } + private fun initializeOscalDirectory() { val homeDir = System.getProperty("user.home") - oscalDir = Paths.get(homeDir, ".oscal") + oscalDir = Paths.get(homeDir, ".oscal").normalize().toAbsolutePath() + if (!Files.exists(oscalDir)) { - Files.createDirectory(oscalDir) + try { + // Create directory with restricted permissions (owner read/write/execute only) + Files.createDirectory(oscalDir) + restrictDirectoryPermissions(oscalDir) + } catch (e: Exception) { + throw SecurityException("Failed to create secure OSCAL directory", e) + } + } + + if (!Files.isDirectory(oscalDir)) { + throw SecurityException("OSCAL path exists but is not a directory: $oscalDir") } + logger.info("OSCAL directory initialized at: $oscalDir") } + private fun initializeAllowedDirectories() { + // Clear existing allowed directories + 
allowedDirs.clear() + + // Always add ~/.oscal as the first allowed directory + allowedDirs.add(oscalDir) + + val envPath = System.getenv("OSCAL_SERVER_PATH") + if (!envPath.isNullOrBlank()) { + val paths = envPath.split(File.pathSeparator) + for (dir in paths) { + try { + val expandedDir = expandHomeDirectory(dir.trim()) + val path = Paths.get(expandedDir).normalize().toAbsolutePath() + + // Validate the directory + validateDirectory(path) + + // Add to allowed directories if validation passes + allowedDirs.add(path) + logger.info("Added allowed directory from OSCAL_SERVER_PATH: $path") + } catch (e: Exception) { + logger.error("Invalid directory in OSCAL_SERVER_PATH: $dir", e) + throw SecurityException("Invalid directory configuration: $dir", e) + } + } + } else { + logger.warn("OSCAL_SERVER_PATH environment variable not set - only ~/.oscal will be accessible") + } + + if (allowedDirs.isEmpty()) { + throw SecurityException("No valid directories configured for access") + } + + logger.info("Initialized allowed directories: ${allowedDirs.joinToString(", ")}") + } + + private fun validateDirectory(path: Path) { + when { + !Files.exists(path) -> + throw SecurityException("Directory does not exist: $path") + !Files.isDirectory(path) -> + throw SecurityException("Path is not a directory: $path") + !Files.isReadable(path) -> + throw SecurityException("Directory is not readable: $path") + path.startsWith(oscalDir) && !path.equals(oscalDir) -> + throw SecurityException("Security violation: Subdirectories of ~/.oscal are not allowed") + } + } + + private fun verifyDirectoryPermissions() { + allowedDirs.forEach { dir -> + try { + // Verify basic access permissions + require(Files.isReadable(dir)) { "Directory not readable: $dir" } + require(Files.isExecutable(dir)) { "Directory not executable: $dir" } + + // Check for suspicious symlinks + if (Files.isSymbolicLink(dir)) { + val target = Files.readSymbolicLink(dir) + val resolvedTarget = dir.resolveSibling(target).normalize() 
+ require(allowedDirs.any { allowed -> resolvedTarget.startsWith(allowed) }) { + "Symbolic link points outside allowed directories: $dir -> $resolvedTarget" + } + } + } catch (e: Exception) { + throw SecurityException("Directory permission verification failed for $dir: ${e.message}") + } + } + } + + private fun restrictDirectoryPermissions(path: Path) { + try { + // Set directory permissions to owner read/write/execute only + val perms = Files.getPosixFilePermissions(path) + perms.removeAll(setOf( + PosixFilePermission.GROUP_READ, + PosixFilePermission.GROUP_WRITE, + PosixFilePermission.GROUP_EXECUTE, + PosixFilePermission.OTHERS_READ, + PosixFilePermission.OTHERS_WRITE, + PosixFilePermission.OTHERS_EXECUTE + )) + Files.setPosixFilePermissions(path, perms) + } catch (e: Exception) { + logger.warn("Failed to restrict directory permissions: ${e.message}") + // Continue execution but log the warning + } + } + + private fun processUrl(url: String): String { + return when { + url.startsWith("https://") -> { + // HTTPS URLs are allowed as-is + url + } + url.startsWith("file://") -> { + processFileUrl(url) + } + else -> { + logger.error("Invalid URL scheme: $url") + throw SecurityException("Only https:// URLs or allowed local files are permitted.") + } + } + } + + private fun processFileUrl(url: String): String { + try { + val decodedPath = URLDecoder.decode(url.substring(7), StandardCharsets.UTF_8.name()) + val normalizedPath = if (System.getProperty("os.name").lowercase().contains("win")) { + // Windows-specific handling + val winPath = if (decodedPath.startsWith("/")) { + decodedPath.substring(1).replace('/', '\\') + } else { + decodedPath.replace('/', '\\') + } + Paths.get(winPath).normalize().toAbsolutePath() + } else { + Paths.get(decodedPath).normalize().toAbsolutePath() + } + + // Check for directory traversal attempts + val canonicalPath = normalizedPath.toFile().canonicalPath + if (canonicalPath != normalizedPath.toString()) { + throw 
SecurityException("Potential directory traversal detected") + } + + // Verify path is under allowed directories + if (!allowedDirs.any { allowedDir -> normalizedPath.startsWith(allowedDir) }) { + throw SecurityException("Access denied: File is not in an allowed directory: $normalizedPath") + } + + return normalizedPath.toString() + } catch (e: Exception) { + logger.error("Error processing file URL: $url", e) + throw SecurityException("Invalid file URL: ${e.message}") + } + } + private suspend fun createRouter(): Router { logger.info("Creating router") val options = OpenAPILoaderOptions() 
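Review bot: `restrictDirectoryPermissions()` fails open: a failed permission change is only logged as a warning, `initializeOscalDirectory()` calls it only after `Files.createDirectory(oscalDir)` has already created the directory with default permissions, and an existing `~/.oscal` is never checked at all. The upload handler later in this file writes request bodies into that directory as temp files, so group/other access matters. Create the directory with its mode atomically, `Files.createDirectory(oscalDir, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")))`, and for an existing directory verify the mode and refuse or tighten it instead of continuing. On file systems without POSIX attributes that call throws `UnsupportedOperationException`, so that case needs an explicit branch rather than the blanket `catch`. In `processFileUrl`, `allowedDirs` hold normalized rather than real paths, so the `canonicalPath != normalizedPath` test will reject every file whenever a configured directory sits behind a symlink; comparing `toRealPath()` on both sides would be more robust.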
@@ -138,88 +312,97 @@ class OscalVerticle : CoroutineVerticle() { } } - - - private fun processUrl(url: String): String { - if (!url.startsWith("file://")) { - return url - } - - try { - // Remove the "file://" prefix and decode the URL - val decodedPath = URLDecoder.decode(url.substring(7), StandardCharsets.UTF_8.name()) - - val result = when { - System.getProperty("os.name").lowercase().contains("win") -> { - // Windows-specific handling - if (decodedPath.startsWith("/")) { - // Absolute path with drive letter - decodedPath.substring(1).replace('/', '\\') - } else { - // UNC path or relative path - decodedPath.replace('/', '\\') - } - } - else -> { - // Unix-like systems - decodedPath - } - } - return result - } catch (e: Exception) { - return url + private fun expandHomeDirectory(path: String): String { + return if (path.startsWith("~")) { + val home = System.getProperty("user.home") + home + path.substring(1) + } else { + path } } + + + private fun unescapeXmlString(xml: String): String { + return xml.replace("\\\"", "\"") // Replace escaped quotes with regular quotes + .replace("\\'", "'") // Replace escaped single quotes + .replace("\\n", "\n") // Replace escaped newlines + .replace("\\r", "\r") // Replace escaped carriage returns + .replace("\\t", "\t") // Replace escaped tabs + } private fun handleValidateFileUpload(ctx: RoutingContext) { logger.info("Handling file upload request!") launch { try { logger.info("Handling file upload request in the background") - val body = ctx.body().asString() + var body = ctx.body().asString() + // Remove surrounding quotes if they exist + if (body.startsWith("\"") && body.endsWith("\"")) { + body = body.substring(1, body.length - 1) + } + if (body.trim().startsWith("<")) { + body = unescapeXmlString(body) + } logger.info("Received body: $body") val flags = ctx.queryParam("flags") val encodedModule = ctx.queryParam("module").firstOrNull() - + + // Get the format parameter if provided + val formatParam = 
ctx.queryParam("format").firstOrNull()?.lowercase() + val fileExtension = when (formatParam) { + "json" -> ".json" + "xml" -> ".xml" + "yaml" -> ".yaml" + else -> ".tmp" + } + if (body.isNotEmpty()) { - // Create a temporary file - val tempFile = Files.createTempFile(oscalDir, "upload", ".tmp") - + // Create a temporary file with the chosen extension + val tempFile = Files.createTempFile(oscalDir, "upload", fileExtension) val tempFilePath = tempFile.toAbsolutePath() logger.info("Created temporary file: $tempFilePath") - val args = mutableListOf("validate"); + + // Prepare CLI arguments + val args = mutableListOf("validate") encodedModule?.let { module -> if (module == "http://csrc.nist.gov/ns/oscal/metaschema/1.0") { - args[0]="metaschema" + args[0] = "metaschema" args.add("validate") - }else{ - args[0]="metaschema" + } else { + args[0] = "metaschema" args.add("validate-content") } } - args.add(tempFilePath.toString()); - args.add("--show-stack-trace"); + args.add(tempFilePath.toString()) + args.add("--show-stack-trace") flags.forEach { flag -> args.add(flagToParam(flag)) - } + } + // Write the body content to the temporary file tempFile.appendText(body) logger.info("Wrote body content to temporary file") - // Use async for parallelism + // Use async for parallel execution val result = async { executeCommand(args) - }.await() // Wait for the result of the async execution - + }.await() + logger.info("Validation result: ${result.second}") - if(result.first.exitCode.toString()==="OK"){ + + if (result.first.exitCode == ExitCode.OK) { sendSuccessResponse(ctx, result.first, result.second) - }else{ + } else { sendErrorResponse(ctx, 400, result.first.exitCode.toString()) } - - // Clean up the temporary file + // Clean up temporary file + try { + Files.deleteIfExists(tempFile) + } catch (e: Exception) { + logger.warn("Failed to delete temporary file: $tempFile", e) + } + // Temporary file may be cleaned up later if desired } else { sendErrorResponse(ctx, 400, "No content in 
request body") } diff --git a/src/main/resources/webroot/openapi.yaml b/src/main/resources/webroot/openapi.yaml index 1940944..1c62cfc 100644 --- a/src/main/resources/webroot/openapi.yaml +++ b/src/main/resources/webroot/openapi.yaml @@ -86,6 +86,14 @@ paths: schema: type: string description: URI or NS of metaschema module + - in: query + name: format + required: false + schema: + type: string + enum: [json, yaml, xml] + description: Specify the format of the response + example: json - in: query name: flags required: false
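Review bot: The new `Files.deleteIfExists(tempFile)` is reached only after a response has been sent, so if `tempFile.appendText(body)` or `executeCommand(args)` throws, the uploaded document stays in `~/.oscal` indefinitely. Wrap the work between `createTempFile` and the response in `try { … } finally { Files.deleteIfExists(tempFile) }` inside the `if (body.isNotEmpty())` branch, and drop the leftover comment `// Temporary file may be cleaned up later if desired`, which now contradicts the code. `handleValidateFileUpload` continues past the end of this hunk, so its outer `catch` is not visible here. In `expandHomeDirectory`, `startsWith("~")` also matches `~name/...` and appends the remainder directly to the current user's home path; limiting expansion to `path == "~" || path.startsWith("~/")` avoids resolving to an unintended directory.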
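Review bot: The description of the new `format` parameter, `Specify the format of the response`, does not match what the handler in `OscalVerticle.kt` does with it: there the value only selects the extension of the temporary upload file (`.json`, `.xml`, `.yaml`, otherwise `.tmp`), which presumably steers how the CLI parses the input. Suggest `description: Format of the uploaded content (json, yaml or xml); selects the temporary file extension`. The parameter list continues outside this hunk, so that this is the upload operation's parameter block is inferred from the neighbouring `module` and `flags` entries.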
Authorization Boundary
External Boundary
Filesystem Security Controls
Server Security Controls
HTTP Requests
Validated Requests
File Operations
Access Check
Traversal Prevention
URL Validation
Permission Validation
Validated Access
Safe Paths
Safe URLs
Verified Permissions
Security Checks
Security Validation
validateDirectory()
restrictDirectoryPermissions()
Symlink Validation
Trusted Zone
~/.oscal Directory\nOwner RWX Only
Allowed Directories\nvia OSCAL_SERVER_PATH
Temporary Files\nRestricted Access
Web Client
Localhost Only\nPort 8888
Router/API Gateway\nInput Validation
Directory Validation
Path Traversal Check
URL Processing\nHTTPS/File Only
Permission Checks
OSCAL Server
Storage
Read/Write
Contains
Create/Delete
HTTP Requests\nGET/POST
Forward
Read Input
Write Output
Route Requests
Execute
Operations
Validate
Convert
Resolve Profile
Query/MetaPath
Health Check
Router/API Gateway
Vertx HTTP Server\nPort 8888\nLocalhost Only
Local File System
OSCAL CLI
User Home Directory
Temporary Files
~/.oscal Directory