@ansvar/eu-regulations-mcp 1.0.0 → 1.1.1

package/src/middleware/rate-limit.ts

@@ -1,104 +0,0 @@
-interface RateLimitRecord {
-  count: number;
-  resetAt: number;
-}
-
-export interface RateLimitInfo {
-  allowed: boolean;
-  remaining: number;
-  resetAt: number;
-}
-
-/**
- * Fixed-window rate limiter for IP-based request throttling.
- *
- * Uses fixed time windows that reset at specific intervals. This is simpler
- * than true sliding windows but allows burst traffic at window boundaries
- * (e.g., 100 requests at 09:59:59 + 100 at 10:00:01 = 200 in 2 seconds).
- *
- * Trade-off accepted: Simplicity and performance over burst protection.
- * Suitable for basic rate limiting where occasional bursts are acceptable.
- *
- * @example
- * const limiter = new RateLimiter(100, 3600000); // 100 requests per hour
- * if (limiter.checkLimit(clientIP)) {
- *   // Allow request
- * } else {
- *   // Return 429 Too Many Requests
- * }
- */
-export class RateLimiter {
-  private records = new Map<string, RateLimitRecord>();
-  private readonly maxRequests: number;
-  private readonly windowMs: number;
-
-  constructor(maxRequests: number, windowMs: number) {
-    this.maxRequests = maxRequests;
-    this.windowMs = windowMs;
-  }
-
-  /**
-   * Check if a request from the given IP should be allowed
-   * @param ip Client IP address
-   * @returns true if allowed, false if rate limited
-   */
-  checkLimit(ip: string): boolean {
-    return this.getRateLimitInfo(ip).allowed;
-  }
-
-  /**
-   * Get detailed rate limit information for an IP
-   * @param ip Client IP address
-   * @returns Rate limit status with remaining requests and reset time
-   */
-  getRateLimitInfo(ip: string): RateLimitInfo {
-    const now = Date.now();
-    let record = this.records.get(ip);
-
-    // Clean up if window expired
-    if (record && now > record.resetAt) {
-      this.records.delete(ip);
-      record = undefined;
-    }
-
-    // Initialize new record if needed
-    if (!record) {
-      record = {
-        count: 0,
-        resetAt: now + this.windowMs,
-      };
-      this.records.set(ip, record);
-    }
-
-    // Check if over limit
-    if (record.count >= this.maxRequests) {
-      return {
-        allowed: false,
-        remaining: 0,
-        resetAt: record.resetAt,
-      };
-    }
-
-    // Increment and allow
-    record.count++;
-
-    return {
-      allowed: true,
-      remaining: this.maxRequests - record.count,
-      resetAt: record.resetAt,
-    };
-  }
-
-  /**
-   * Clean up old records to prevent memory leak
-   * Should be called periodically (e.g., every hour)
-   */
-  cleanup(): void {
-    const now = Date.now();
-    for (const [ip, record] of this.records.entries()) {
-      if (now > record.resetAt) {
-        this.records.delete(ip);
-      }
-    }
-  }
-}

package/src/tools/applicability.ts

@@ -1,167 +0,0 @@
-import type { DatabaseAdapter } from '../database/types.js';
-
-export type Sector =
-  | 'financial'
-  | 'healthcare'
-  | 'energy'
-  | 'transport'
-  | 'digital_infrastructure'
-  | 'public_administration'
-  | 'manufacturing'
-  | 'other';
-
-export interface ApplicabilityInput {
-  sector: Sector;
-  subsector?: string;
-  member_state?: string;
-  size?: 'sme' | 'large';
-  detail_level?: 'summary' | 'requirements' | 'full';
-}
-
-export interface ApplicableRegulation {
-  regulation: string;
-  confidence: 'definite' | 'likely' | 'possible';
-  basis: string | null;
-  notes: string | null;
-}
-
-export interface RegulationSummary {
-  id: string;
-  full_name: string;
-  confidence: 'definite' | 'likely' | 'possible';
-  basis: string | null;
-  notes: string | null;
-  key_requirements?: string[];
-  priority_deadline?: string;
-}
-
-export interface ApplicabilityResult {
-  entity: ApplicabilityInput;
-  applicable_regulations: ApplicableRegulation[];
-  summary?: {
-    total_count: number;
-    by_confidence: {
-      definite: number;
-      likely: number;
-      possible: number;
-    };
-    regulations_summary: RegulationSummary[];
-    next_steps?: string;
-  };
-}
-
-export async function checkApplicability(
-  db: DatabaseAdapter,
-  input: ApplicabilityInput
-): Promise<ApplicabilityResult> {
-  const { sector, subsector, detail_level = 'full' } = input;
-
-  // Query for matching rules - check both sector match and subsector match
-  // Note: We handle deduplication in JavaScript, so no need for DISTINCT ON
-  let sql = `
-    SELECT
-      regulation,
-      confidence,
-      basis_article as basis,
-      notes,
-      CASE confidence
-        WHEN 'definite' THEN 1
-        WHEN 'likely' THEN 2
-        WHEN 'possible' THEN 3
-      END as conf_order
-    FROM applicability_rules
-    WHERE applies = true
-      AND (
-        (sector = $1 AND (subsector IS NULL OR subsector = $2))
-        OR (sector = $3 AND subsector IS NULL)
-      )
-    ORDER BY regulation, conf_order
-  `;
-
-  const result = await db.query(sql, [sector, subsector || '', sector]);
-
-  const rows = result.rows as Array<{
-    regulation: string;
-    confidence: 'definite' | 'likely' | 'possible';
-    basis: string | null;
-    notes: string | null;
-  }>;
-
-  // Deduplicate by regulation, keeping highest confidence
-  const regulationMap = new Map<string, ApplicableRegulation>();
-  for (const row of rows) {
-    if (!regulationMap.has(row.regulation)) {
-      regulationMap.set(row.regulation, {
-        regulation: row.regulation,
-        confidence: row.confidence,
-        basis: row.basis,
-        notes: row.notes,
-      });
-    }
-  }
-
-  const applicable_regulations = Array.from(regulationMap.values());
-
-  // If summary detail level requested, add summary section
-  let summary;
-  if (detail_level === 'summary') {
-    // Get regulation metadata for summary
-    const regIds = applicable_regulations.map(r => r.regulation);
-    const placeholders = regIds.map((_, i) => `$${i + 1}`).join(', ');
-    const regDataResult = await db.query(
-      `SELECT id, full_name, effective_date
-       FROM regulations
-       WHERE id IN (${placeholders})`,
-      regIds
-    );
-
-    const regData = regDataResult.rows as Array<{
-      id: string;
-      full_name: string;
-      effective_date: string | null;
-    }>;
-
-    const regMetadata = new Map(regData.map(r => [r.id, r]));
-
-    // Priority deadlines for key regulations
-    const priorityDeadlines: Record<string, string> = {
-      'DORA': 'Jan 17, 2025 (ACTIVE)',
-      'NIS2': 'Oct 17, 2024 (Swedish implementation)',
-      'AI_ACT': 'Aug 2, 2026 (high-risk systems)',
-      'EIDAS2': 'Late 2027 (wallet acceptance)',
-      'CSRD': 'Phased 2025-2028',
-      'CSDDD': 'Implementation roadmap needed',
-    };
-
-    const regulations_summary: RegulationSummary[] = applicable_regulations.map(reg => {
-      const metadata = regMetadata.get(reg.regulation);
-      return {
-        id: reg.regulation,
-        full_name: metadata?.full_name || reg.regulation,
-        confidence: reg.confidence,
-        basis: reg.basis,
-        notes: reg.notes,
-        priority_deadline: priorityDeadlines[reg.regulation],
-      };
-    });
-
-    const by_confidence = {
-      definite: applicable_regulations.filter(r => r.confidence === 'definite').length,
-      likely: applicable_regulations.filter(r => r.confidence === 'likely').length,
-      possible: applicable_regulations.filter(r => r.confidence === 'possible').length,
-    };
-
-    summary = {
-      total_count: applicable_regulations.length,
-      by_confidence,
-      regulations_summary,
-      next_steps: "For detailed requirements, use detail_level='requirements'. For full article-level detail, use detail_level='full'.",
-    };
-  }
-
-  return {
-    entity: input,
-    applicable_regulations,
-    summary,
-  };
-}

package/src/tools/article.ts

@@ -1,81 +0,0 @@
-import type { DatabaseAdapter } from '../database/types.js';
-
-export interface GetArticleInput {
-  regulation: string;
-  article: string;
-  include_recitals?: boolean;
-}
-
-export interface Article {
-  regulation: string;
-  article_number: string;
-  title: string | null;
-  text: string;
-  chapter: string | null;
-  recitals: string[] | null;
-  cross_references: string[] | null;
-  truncated?: boolean;
-  original_length?: number;
-  token_estimate?: number;
-}
-
-export async function getArticle(
-  db: DatabaseAdapter,
-  input: GetArticleInput
-): Promise<Article | null> {
-  const { regulation, article } = input;
-
-  const sql = `
-    SELECT
-      regulation,
-      article_number,
-      title,
-      text,
-      chapter,
-      recitals,
-      cross_references
-    FROM articles
-    WHERE regulation = $1 AND article_number = $2
-  `;
-
-  const result = await db.query(sql, [regulation, article]);
-
-  if (result.rows.length === 0) {
-    return null;
-  }
-
-  const row = result.rows[0] as {
-    regulation: string;
-    article_number: string;
-    title: string | null;
-    text: string;
-    chapter: string | null;
-    recitals: string | null;
-    cross_references: string | null;
-  };
-
-  // Token management: Truncate very large articles to prevent context overflow
-  const MAX_CHARS = 50000; // ~12,500 tokens (safe for 200k context window)
-  const originalLength = row.text.length;
-  const tokenEstimate = Math.ceil(originalLength / 4); // ~4 chars per token
-  let text = row.text;
-  let truncated = false;
-
-  if (originalLength > MAX_CHARS) {
-    text = row.text.substring(0, MAX_CHARS) + '\n\n[... Article truncated due to length. Original: ' + originalLength + ' chars (~' + tokenEstimate + ' tokens). Use search_regulations to find specific sections.]';
-    truncated = true;
-  }
-
-  return {
-    regulation: row.regulation,
-    article_number: row.article_number,
-    title: row.title,
-    text,
-    chapter: row.chapter,
-    recitals: row.recitals ? JSON.parse(row.recitals) : null,
-    cross_references: row.cross_references ? JSON.parse(row.cross_references) : null,
-    truncated,
-    original_length: truncated ? originalLength : undefined,
-    token_estimate: truncated ? tokenEstimate : undefined,
-  };
-}

package/src/tools/compare.ts

@@ -1,217 +0,0 @@
-import type { DatabaseAdapter } from '../database/types.js';
-import { searchRegulations } from './search.js';
-
-export interface CompareInput {
-  topic: string;
-  regulations: string[];
-}
-
-export interface RegulationComparison {
-  regulation: string;
-  requirements: string[];
-  articles: string[];
-  timelines?: string;
-}
-
-export interface CompareResult {
-  topic: string;
-  regulations: RegulationComparison[];
-  key_differences?: string[];
-}
-
-/**
- * Concept synonym families for cross-regulation terminology matching.
- * Each key is a canonical concept; values are alternative terms used across
- * different EU regulations for the same underlying requirement.
- */
-const CONCEPT_SYNONYMS: Record<string, string[]> = {
-  // Incident & breach reporting
-  'incident reporting': ['breach notification', 'incident management', 'incident report', 'significant incident', 'security incident'],
-  'breach notification': ['incident reporting', 'data breach', 'personal data breach', 'incident notification', 'security breach'],
-
-  // Data protection & privacy
-  'data protection': ['privacy', 'personal data', 'data processing', 'data subject rights', 'information protection'],
-  'privacy': ['data protection', 'personal data', 'confidentiality', 'private life', 'ePrivacy'],
-
-  // Access control & authentication
-  'access control': ['authentication', 'identity verification', 'authorisation', 'identity management', 'strong authentication'],
-  'authentication': ['access control', 'identity verification', 'electronic identification', 'multi-factor', 'strong user authentication'],
-
-  // Risk management & assessment
-  'risk management': ['risk assessment', 'risk analysis', 'risk evaluation', 'threat assessment', 'ICT risk'],
-  'risk assessment': ['risk management', 'risk analysis', 'impact assessment', 'threat analysis', 'vulnerability assessment'],
-
-  // Encryption & cryptography
-  'encryption': ['cryptography', 'cryptographic', 'cipher', 'pseudonymisation', 'data at rest'],
-  'cryptography': ['encryption', 'cryptographic controls', 'cipher', 'key management', 'digital signature'],
-
-  // Supply chain & third-party
-  'supply chain': ['third-party', 'third party', 'ICT services', 'outsourcing', 'subcontracting', 'vendor'],
-  'third-party': ['supply chain', 'third party', 'ICT third-party', 'service provider', 'outsourcing', 'subcontractor'],
-
-  // Business continuity & disaster recovery
-  'business continuity': ['disaster recovery', 'continuity plan', 'operational resilience', 'recovery', 'backup'],
-  'disaster recovery': ['business continuity', 'continuity plan', 'restoration', 'backup', 'recovery objective'],
-
-  // Vulnerability management & disclosure
-  'vulnerability management': ['vulnerability disclosure', 'vulnerability handling', 'security flaw', 'patch management', 'security update'],
-  'vulnerability disclosure': ['vulnerability management', 'coordinated disclosure', 'security vulnerability', 'responsible disclosure'],
-
-  // Audit & compliance & certification
-  'audit': ['compliance', 'certification', 'conformity assessment', 'supervisory', 'inspection', 'assurance'],
-  'compliance': ['audit', 'certification', 'regulatory', 'supervisory authority', 'conformity', 'enforcement'],
-  'certification': ['audit', 'compliance', 'conformity assessment', 'accreditation', 'qualified status', 'cybersecurity certification'],
-
-  // Transparency & reporting
-  'transparency': ['reporting', 'disclosure', 'information provision', 'public reporting', 'register'],
-  'reporting': ['transparency', 'disclosure', 'notification', 'documentation', 'reporting obligation'],
-
-  // Governance & accountability
-  'governance': ['accountability', 'management body', 'board responsibility', 'oversight', 'organisational structure'],
-  'accountability': ['governance', 'responsibility', 'management body', 'data controller', 'duty of care'],
-
-  // Penetration testing & security testing
-  'penetration testing': ['security testing', 'TLPT', 'threat-led', 'red team', 'vulnerability testing'],
-  'security testing': ['penetration testing', 'resilience testing', 'TLPT', 'vulnerability assessment', 'operational testing'],
-
-  // Consent & lawful basis
-  'consent': ['lawful basis', 'legal basis', 'legitimate interest', 'data subject consent', 'explicit consent'],
-  'lawful basis': ['consent', 'legal basis', 'legitimate interest', 'contractual necessity', 'legal obligation'],
-
-  // Data portability & interoperability
-  'data portability': ['interoperability', 'data transfer', 'data migration', 'portability right', 'data access'],
-  'interoperability': ['data portability', 'compatibility', 'standardisation', 'cross-border', 'mutual recognition'],
-
-  // Record keeping & documentation
-  'record keeping': ['documentation', 'register', 'records of processing', 'logging', 'traceability'],
-  'documentation': ['record keeping', 'register', 'records', 'evidence', 'logging', 'information register'],
-};
-
-/**
- * Find synonym terms for a given topic query.
- * Returns the original topic plus up to 4 synonym terms.
- */
-function getSynonyms(topic: string): string[] {
-  const lowerTopic = topic.toLowerCase();
-  const synonyms = new Set<string>();
-
-  for (const [concept, terms] of Object.entries(CONCEPT_SYNONYMS)) {
-    // Check if the topic matches or contains a concept key
-    if (lowerTopic.includes(concept) || concept.includes(lowerTopic)) {
-      for (const term of terms) {
-        synonyms.add(term);
-      }
-    }
-    // Check if the topic matches any synonym term
-    for (const term of terms) {
-      if (lowerTopic.includes(term) || term.includes(lowerTopic)) {
-        synonyms.add(concept);
-        for (const t of terms) {
-          synonyms.add(t);
-        }
-      }
-    }
-  }
-
-  // Remove the original topic itself and limit to 4 synonyms
-  synonyms.delete(lowerTopic);
-  return Array.from(synonyms).slice(0, 4);
-}
-
-/**
- * Extract timeline mentions from text (e.g., "24 hours", "72 hours")
- */
-function extractTimelines(text: string): string | undefined {
-  const timelinePatterns = [
-    /(\d+)\s*hours?/gi,
-    /(\d+)\s*days?/gi,
-    /without\s+undue\s+delay/gi,
-    /immediately/gi,
-  ];
-
-  const matches: string[] = [];
-  for (const pattern of timelinePatterns) {
-    const found = text.match(pattern);
-    if (found) {
-      matches.push(...found);
-    }
-  }
-
-  return matches.length > 0 ? matches.join(', ') : undefined;
-}
-
-export async function compareRequirements(
-  db: DatabaseAdapter,
-  input: CompareInput
-): Promise<CompareResult> {
-  const { topic, regulations } = input;
-
-  // Get synonym terms for expanded search
-  const synonyms = getSynonyms(topic);
-  const searchTerms = [topic, ...synonyms];
-
-  const comparisons: RegulationComparison[] = [];
-
-  for (const regulation of regulations) {
-    // Search with original topic + synonym terms, then merge results
-    const allResults: Map<string, { article: string; snippet: string; relevance: number }> = new Map();
-
-    for (const term of searchTerms) {
-      const results = await searchRegulations(db, {
-        query: term,
-        regulations: [regulation],
-        limit: 5,
-      });
-
-      for (const result of results) {
-        const existing = allResults.get(result.article);
-        if (!existing || result.relevance > existing.relevance) {
-          allResults.set(result.article, {
-            article: result.article,
-            snippet: result.snippet,
-            relevance: result.relevance,
-          });
-        }
-      }
-    }
-
-    // Sort by relevance and take top 5
-    const mergedResults = Array.from(allResults.values())
-      .sort((a, b) => b.relevance - a.relevance)
-      .slice(0, 5);
-
-    // Get full article text for timeline extraction
-    const articles: string[] = [];
-    const requirements: string[] = [];
-    let combinedText = '';
-
-    for (const result of mergedResults) {
-      articles.push(result.article);
-      requirements.push(result.snippet.replace(/>>>/g, '').replace(/<<</g, ''));
-
-      // Get full text for timeline extraction
-      const fullArticleResult = await db.query(
-        `SELECT text FROM articles WHERE regulation = $1 AND article_number = $2`,
-        [regulation, result.article]
-      );
-
-      if (fullArticleResult.rows.length > 0) {
-        combinedText += ' ' + (fullArticleResult.rows[0] as { text: string }).text;
-      }
-    }
-
-    const timelines = extractTimelines(combinedText);
-
-    comparisons.push({
-      regulation,
-      requirements,
-      articles,
-      timelines,
-    });
-  }
-
-  return {
-    topic,
-    regulations: comparisons,
-  };
-}

package/src/tools/definitions.ts

@@ -1,49 +0,0 @@
-import type { DatabaseAdapter } from '../database/types.js';
-
-export interface DefinitionsInput {
-  term: string;
-  regulation?: string;
-}
-
-export interface Definition {
-  term: string;
-  regulation: string;
-  article: string;
-  definition: string;
-  related_terms?: string[];
-}
-
-export async function getDefinitions(
-  db: DatabaseAdapter,
-  input: DefinitionsInput
-): Promise<Definition[]> {
-  const { term, regulation } = input;
-
-  let sql = `
-    SELECT
-      term,
-      regulation,
-      article,
-      definition
-    FROM definitions
-    WHERE term ILIKE $1
-  `;
-
-  const params: string[] = [`%${term}%`];
-
-  if (regulation) {
-    sql += ` AND regulation = $2`;
-    params.push(regulation);
-  }
-
-  sql += ` ORDER BY regulation, term`;
-
-  const result = await db.query(sql, params);
-
-  return result.rows.map((row: any) => ({
-    term: row.term,
-    regulation: row.regulation,
-    article: row.article,
-    definition: row.definition,
-  }));
-}

package/src/tools/evidence.ts

@@ -1,84 +0,0 @@
-import type { DatabaseAdapter } from '../database/types.js';
-
-export interface EvidenceInput {
-  regulation?: string;
-  article?: string;
-  evidence_type?: 'document' | 'log' | 'test_result' | 'certification' | 'policy' | 'procedure';
-}
-
-export interface EvidenceRequirement {
-  regulation: string;
-  article: string;
-  requirement_summary: string;
-  evidence_type: string;
-  artifact_name: string;
-  artifact_example: string | null;
-  description: string | null;
-  retention_period: string | null;
-  auditor_questions: string[];
-  maturity_levels: {
-    basic?: string;
-    intermediate?: string;
-    advanced?: string;
-  } | null;
-  cross_references: string[];
-}
-
-export async function getEvidenceRequirements(
-  db: DatabaseAdapter,
-  input: EvidenceInput
-): Promise<EvidenceRequirement[]> {
-  const { regulation, article, evidence_type } = input;
-
-  let sql = `
-    SELECT
-      regulation,
-      article,
-      requirement_summary,
-      evidence_type,
-      artifact_name,
-      artifact_example,
-      description,
-      retention_period,
-      auditor_questions,
-      maturity_levels,
-      cross_references
-    FROM evidence_requirements
-    WHERE 1=1
-  `;
-
-  const params: string[] = [];
-
-  if (regulation) {
-    sql += ` AND regulation = $${params.length + 1}`;
-    params.push(regulation);
-  }
-
-  if (article) {
-    sql += ` AND article = $${params.length + 1}`;
-    params.push(article);
-  }
-
-  if (evidence_type) {
-    sql += ` AND evidence_type = $${params.length + 1}`;
-    params.push(evidence_type);
-  }
-
-  sql += ` ORDER BY regulation, article::INTEGER, evidence_type`;
-
-  const result = await db.query(sql, params);
-
-  return result.rows.map((row: any) => ({
-    regulation: row.regulation,
-    article: row.article,
-    requirement_summary: row.requirement_summary,
-    evidence_type: row.evidence_type,
-    artifact_name: row.artifact_name,
-    artifact_example: row.artifact_example,
-    description: row.description,
-    retention_period: row.retention_period,
-    auditor_questions: row.auditor_questions ? JSON.parse(row.auditor_questions) : [],
-    maturity_levels: row.maturity_levels ? JSON.parse(row.maturity_levels) : null,
-    cross_references: row.cross_references ? JSON.parse(row.cross_references) : [],
-  }));
-}