@blamejs/core 0.7.106 → 0.8.0

package/lib/compliance-ai-act-prohibited.js

@@ -0,0 +1,205 @@
+"use strict";
+/**
+ * EU AI Act Article 5 — prohibited AI practices.
+ *
+ * Per Regulation (EU) 2024/1689 Art. 5, certain AI practices are
+ * unconditionally prohibited in the EU market. The practices fall
+ * into eight categories listed below; each entry carries:
+ *
+ *   - id          — short canonical identifier (used by classify())
+ *   - article     — the sub-article of Art. 5 (a-h)
+ *   - title       — operator-readable title
+ *   - description — paraphrase of the prohibited practice
+ *   - examples    — non-exhaustive list of system shapes that fall in
+ *
+ * The catalog is operator-readable but NOT operator-extensible — Art. 5
+ * is set by EU regulation; operators don't add private "prohibited
+ * practices". For private "we don't allow this" rules see
+ * b.compliance.aiAct.local-policy (separate primitive).
+ *
+ * Effective date: 2026-02-02 per Art. 113(a). Operators with EU users
+ * MUST classify each AI system against this catalog before deployment.
+ */
+
+var PROHIBITED_PRACTICES = Object.freeze([
+  Object.freeze({
+    id:          "subliminal-manipulation",
+    article:     "Art. 5(1)(a)",
+    title:       "Subliminal techniques beyond a person's consciousness",
+    description: "AI systems that deploy subliminal, purposefully manipulative, or deceptive techniques with the objective or effect of materially distorting a person's behaviour by appreciably impairing their ability to make an informed decision, thereby causing or likely to cause significant harm.",
+    examples:    Object.freeze([
+      "Hidden audio cues in marketing audio that bypass conscious perception",
+      "UX patterns engineered with eye-tracking to push specific decisions",
+      "Generative content that subliminally embeds product imagery",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "exploit-vulnerabilities",
+    article:     "Art. 5(1)(b)",
+    title:       "Exploiting vulnerabilities of specific groups",
+    description: "AI systems that exploit vulnerabilities of a specific group of persons (due to age, disability, or specific social or economic situation) with the objective or effect of materially distorting their behaviour, thereby causing or likely to cause significant harm.",
+    examples:    Object.freeze([
+      "Recommender systems targeting children with addictive content patterns",
+      "Predatory lending offers tuned to financial-distress signals",
+      "Manipulative chatbots aimed at elderly users with dementia signals",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "social-scoring",
+    article:     "Art. 5(1)(c)",
+    title:       "Social scoring by public authorities",
+    description: "AI systems for the evaluation or classification of natural persons over a certain period of time based on their social behaviour or known, inferred or predicted personal or personality characteristics, leading to detrimental or unfavourable treatment that is unjustified or disproportionate.",
+    examples:    Object.freeze([
+      "General-purpose social-credit ranking by a state agency",
+      "Cross-context behavior scoring used to deny unrelated services",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "predictive-policing-individual",
+    article:     "Art. 5(1)(d)",
+    title:       "Predictive policing solely on profiling",
+    description: "AI systems for making risk assessments of natural persons in order to assess or predict the risk of a natural person committing a criminal offence, based solely on the profiling of a natural person or on assessing their personality traits and characteristics.",
+    examples:    Object.freeze([
+      "Recidivism scoring using only demographic + arrest-history features",
+      "Heatmap-driven 'pre-crime' targeting of named individuals",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "untargeted-facial-scraping",
+    article:     "Art. 5(1)(e)",
+    title:       "Untargeted scraping for facial-recognition databases",
+    description: "AI systems that create or expand facial-recognition databases through the untargeted scraping of facial images from the internet or CCTV footage.",
+    examples:    Object.freeze([
+      "Bulk-collecting public profile photos to populate a face-search index",
+      "CCTV-derived enrolment of unconsenting bystanders",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "emotion-inference-workplace-edu",
+    article:     "Art. 5(1)(f)",
+    title:       "Emotion inference in workplace and education",
+    description: "AI systems to infer emotions of a natural person in the areas of workplace and education institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons.",
+    examples:    Object.freeze([
+      "Camera-based 'engagement' scoring of students during remote class",
+      "Sentiment analysis of employee video calls for performance review",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "biometric-categorisation-sensitive",
+    article:     "Art. 5(1)(g)",
+    title:       "Biometric categorisation by sensitive attributes",
+    description: "AI systems of biometric categorisation that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation.",
+    examples:    Object.freeze([
+      "Face-derived political-opinion or religion classifiers",
+      "Voice-derived sexual-orientation inference",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "real-time-remote-biometric-id",
+    article:     "Art. 5(1)(h)",
+    title:       "Real-time remote biometric identification in public",
+    description: "AI systems for real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes — except for narrowly-defined exceptions (search for missing persons, prevention of imminent threat, suspect of serious crime listed in Annex II).",
+    examples:    Object.freeze([
+      "Mass facial-recognition gates at festivals or stations",
+      "Real-time crowd-scanning ID systems without imminent-threat trigger",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+]);
+
+function listPractices() {
+  return PROHIBITED_PRACTICES.slice();
+}
+
+function getPractice(id) {
+  for (var i = 0; i < PROHIBITED_PRACTICES.length; i += 1) {
+    if (PROHIBITED_PRACTICES[i].id === id) return PROHIBITED_PRACTICES[i];
+  }
+  return null;
+}
+
+function listIds() {
+  return PROHIBITED_PRACTICES.map(function (p) { return p.id; });
+}
+
+// Classify a system description against the catalog. Returns the array
+// of practice IDs it appears to fall under, based on operator-supplied
+// signals. The classifier is intentionally conservative — it errs on
+// the side of flagging a system as potentially-prohibited; legal
+// review is required before deployment regardless of the result.
+
+function classify(systemDescription) {
+  if (!systemDescription || typeof systemDescription !== "object") {
+    return [];
+  }
+  var hits = [];
+  // (a) subliminal manipulation
+  if (systemDescription.usesSubliminalCues === true ||
+      systemDescription.intent === "subliminal-influence") {
+    hits.push("subliminal-manipulation");
+  }
+  // (b) exploit vulnerabilities
+  if (systemDescription.targetsVulnerableGroup === true) {
+    hits.push("exploit-vulnerabilities");
+  }
+  // (c) social scoring
+  if (systemDescription.purpose === "social-scoring" &&
+      systemDescription.deployerType === "public-authority") {
+    hits.push("social-scoring");
+  }
+  // (d) predictive policing on profiling alone
+  if (systemDescription.purpose === "predictive-policing" &&
+      systemDescription.usesProfileOnly === true) {
+    hits.push("predictive-policing-individual");
+  }
+  // (e) untargeted facial-recognition database build
+  if (systemDescription.builds === "facial-recognition-db" &&
+      systemDescription.scrapesUntargeted === true) {
+    hits.push("untargeted-facial-scraping");
+  }
+  // (f) emotion inference in workplace / education
+  if (systemDescription.infersEmotion === true &&
+      (systemDescription.deployContext === "workplace" ||
+       systemDescription.deployContext === "education")) {
+    if (systemDescription.purpose !== "medical" &&
+        systemDescription.purpose !== "safety") {
+      hits.push("emotion-inference-workplace-edu");
+    }
+  }
+  // (g) biometric categorisation of sensitive attributes
+  if (systemDescription.biometricCategorisation === true &&
+      Array.isArray(systemDescription.inferredAttributes)) {
+    var sensitive = ["race", "political-opinion", "trade-union",
+                     "religion", "philosophy", "sex-life", "sexual-orientation"];
+    for (var i = 0; i < systemDescription.inferredAttributes.length; i += 1) {
+      if (sensitive.indexOf(systemDescription.inferredAttributes[i]) !== -1) {
+        hits.push("biometric-categorisation-sensitive");
+        break;
+      }
+    }
+  }
+  // (h) real-time remote biometric ID for law enforcement
+  if (systemDescription.remoteBiometricId === "real-time" &&
+      systemDescription.deployContext === "law-enforcement-public-space" &&
+      systemDescription.exemption !== "missing-person" &&
+      systemDescription.exemption !== "imminent-threat" &&
+      systemDescription.exemption !== "annex-ii-suspect") {
+    hits.push("real-time-remote-biometric-id");
+  }
+  return hits;
+}
+
+module.exports = {
+  PROHIBITED_PRACTICES: PROHIBITED_PRACTICES,
+  listPractices:        listPractices,
+  listIds:              listIds,
+  getPractice:          getPractice,
+  classify:             classify,
+};

package/lib/compliance-ai-act-risk.js

@@ -0,0 +1,189 @@
+"use strict";
+/**
+ * EU AI Act Article 6 + Annex III — high-risk AI system classification.
+ *
+ * Per Regulation (EU) 2024/1689 Art. 6, an AI system is "high-risk"
+ * when:
+ *
+ *   (a) it is intended to be used as a safety component of a product
+ *       covered by the Union harmonisation legislation listed in Annex I,
+ *       OR the AI system is itself such a product, AND the product is
+ *       required to undergo third-party conformity assessment; OR
+ *
+ *   (b) it falls into one of the eight Annex III use-case categories.
+ *
+ * The classifier returns the tier and the matched Annex-III row(s) so
+ * operators can produce the Annex IV technical documentation required
+ * by Art. 11 + 18.
+ *
+ * Tiers:
+ *   "prohibited"      → falls under Article 5
+ *   "high-risk"       → falls under Article 6 / Annex III
+ *   "limited-risk"    → falls under Article 50 (transparency obligations only)
+ *   "minimal-risk"    → no specific obligations beyond general principles
+ *   "general-purpose" → general-purpose AI model (GPAI) — Article 53
+ */
+
+var ANNEX_III_USE_CASES = Object.freeze([
+  Object.freeze({
+    id:          "biometric-id-categorisation",
+    annexRow:    "Annex III §1",
+    title:       "Biometric identification and categorisation",
+    description: "Remote biometric identification systems (excluding the prohibited real-time-public ones), biometric categorisation systems, emotion-recognition systems.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "critical-infrastructure",
+    annexRow:    "Annex III §2",
+    title:       "Critical infrastructure",
+    description: "AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "education-vocational",
+    annexRow:    "Annex III §3",
+    title:       "Education and vocational training",
+    description: "AI systems for determining access, admission or assignment to educational and vocational training institutions; for evaluating learning outcomes; for assessing the appropriate level of education; for monitoring and detecting prohibited behaviour during tests.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "employment-workers-mgmt",
+    annexRow:    "Annex III §4",
+    title:       "Employment, workers management, and access to self-employment",
+    description: "AI systems for recruitment / selection, advertising vacancies, screening or filtering applications, evaluating candidates; for promotion / termination decisions, task allocation based on individual behaviour or personal traits, for monitoring and evaluating performance and behaviour.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "essential-services",
+    annexRow:    "Annex III §5",
+    title:       "Access to essential private and public services",
+    description: "AI systems used by public authorities to evaluate eligibility for essential public assistance benefits and services; for credit-worthiness scoring of natural persons; for risk assessment and pricing of life and health insurance; for emergency-response triage.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "law-enforcement",
+    annexRow:    "Annex III §6",
+    title:       "Law enforcement",
+    description: "AI systems used by law enforcement authorities for risk assessment of natural persons (excluding the prohibited profiling-only ones), polygraphs / similar tools, evaluating reliability of evidence, profiling for detection / investigation of criminal offences.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15", "fundamental-rights-impact-assessment-art-27"]),
+  }),
+  Object.freeze({
+    id:          "migration-asylum-border",
+    annexRow:    "Annex III §7",
+    title:       "Migration, asylum and border control management",
+    description: "AI systems used by competent public authorities for assessing risks (security, irregular migration, health) posed by a natural person intending to enter / having entered the EU; for examining applications for asylum / visa / residence permits; for detecting / recognising / identifying natural persons in the context of migration.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15", "fundamental-rights-impact-assessment-art-27"]),
+  }),
+  Object.freeze({
+    id:          "judicial-democratic-process",
+    annexRow:    "Annex III §8",
+    title:       "Administration of justice and democratic processes",
+    description: "AI systems intended to assist judicial authorities in researching / interpreting facts and the law and applying the law; AI systems used to influence the outcome of an election or referendum or voting behaviour.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+]);
+
+function listAnnexIII() {
+  return ANNEX_III_USE_CASES.slice();
+}
+
+function getAnnexIII(id) {
+  for (var i = 0; i < ANNEX_III_USE_CASES.length; i += 1) {
+    if (ANNEX_III_USE_CASES[i].id === id) return ANNEX_III_USE_CASES[i];
+  }
+  return null;
+}
+
+// Operator-side helper to determine the matching Annex III row from a
+// purpose vocabulary the framework recognises.
+function classifyAnnexIII(purpose) {
+  if (typeof purpose !== "string") return [];
+  var hits = [];
+  // Per-row heuristics — operators with a private vocabulary use
+  // .isHighRisk and pass annexId directly.
+  if (purpose === "biometric-id" || purpose === "biometric-category" ||
+      purpose === "emotion-recognition") {
+    hits.push("biometric-id-categorisation");
+  }
+  if (purpose === "critical-infrastructure-control" ||
+      purpose === "traffic-control" || purpose === "energy-grid") {
+    hits.push("critical-infrastructure");
+  }
+  if (purpose === "school-admissions" || purpose === "exam-grading" ||
+      purpose === "exam-proctoring") {
+    hits.push("education-vocational");
+  }
+  if (purpose === "candidate-screening" || purpose === "performance-evaluation" ||
+      purpose === "promotion-decision" || purpose === "termination-decision") {
+    hits.push("employment-workers-mgmt");
+  }
+  if (purpose === "credit-scoring" || purpose === "insurance-pricing" ||
+      purpose === "benefits-eligibility" || purpose === "emergency-triage") {
+    hits.push("essential-services");
+  }
+  if (purpose === "evidence-evaluation" || purpose === "law-enforcement-risk-assessment" ||
+      purpose === "polygraph") {
+    hits.push("law-enforcement");
+  }
+  if (purpose === "asylum-application-screening" || purpose === "visa-screening" ||
+      purpose === "border-biometric-id") {
+    hits.push("migration-asylum-border");
+  }
+  if (purpose === "judicial-research-assistant" || purpose === "election-influence") {
+    hits.push("judicial-democratic-process");
+  }
+  return hits;
+}
+
+function isHighRisk(opts) {
+  if (!opts || typeof opts !== "object") return false;
+  if (opts.tier === "high-risk") return true;
+  if (opts.purpose) {
+    var matches = classifyAnnexIII(opts.purpose);
+    if (matches.length > 0) return true;
+  }
+  if (opts.safetyComponentForRegulatedProduct === true &&
+      opts.requiresThirdPartyConformity === true) {
+    return true;
+  }
+  return false;
+}
+
+function obligationsFor(annexId) {
+  var row = getAnnexIII(annexId);
+  if (!row) return [];
+  return row.obligations.slice();
+}
+
+module.exports = {
+  ANNEX_III_USE_CASES: ANNEX_III_USE_CASES,
+  listAnnexIII:        listAnnexIII,
+  getAnnexIII:         getAnnexIII,
+  classifyAnnexIII:    classifyAnnexIII,
+  isHighRisk:          isHighRisk,
+  obligationsFor:      obligationsFor,
+};

package/lib/compliance-ai-act-transparency.js

@@ -0,0 +1,200 @@
+"use strict";
+/**
+ * EU AI Act Article 50 — transparency obligations.
+ *
+ * Per Regulation (EU) 2024/1689 Art. 50, providers / deployers of
+ * certain AI systems must inform end-users that they are interacting
+ * with an AI system, OR that content was AI-generated, OR that AI
+ * detected emotions / biometric attributes. Effective 2026-08-02.
+ *
+ * Four obligations:
+ *
+ *   §1 — AI systems intended to interact directly with natural
+ *        persons MUST disclose to the user that they are interacting
+ *        with AI (unless this is obvious from context).
+ *
+ *   §2 — Providers of GPAI / generative AI systems generating synthetic
+ *        audio / image / video / text MUST mark the output as
+ *        artificially generated or manipulated, in a machine-readable
+ *        format and detectable as such.
+ *
+ *   §3 — Deployers of emotion-recognition or biometric categorisation
+ *        systems MUST inform exposed natural persons.
+ *
+ *   §4 — Deployers generating / manipulating image / audio / video
+ *        constituting a deep fake MUST disclose that the content is
+ *        artificially generated. Deployers generating / manipulating
+ *        text published to inform on matters of public interest MUST
+ *        disclose that the text is AI-generated, unless reviewed by a
+ *        human editor with editorial responsibility.
+ *
+ * The framework provides:
+ *
+ *   - banner({ kind })           → builder for the standard disclosure banner
+ *   - watermark({ kind, ... })   → builder for content-marking tags
+ *   - cspMetaTag({ ... })        → meta tag pair for HTML pages
+ *   - jsonLdDisclosure({ ... })  → JSON-LD <script> for structured-data emit
+ *   - C2pa-stub                  → operator-feeds-claims pattern for
+ *                                  C2PA Content Credentials integration
+ */
+
+var validateOpts  = require("./validate-opts");
+var { ComplianceError } = require("./framework-error");
+
+var BANNER_KINDS = Object.freeze([
+  "ai-interaction",          // Art. 50(1)
+  "ai-generated-content",    // Art. 50(2) / 50(4)
+  "emotion-recognition",     // Art. 50(3)
+  "biometric-categorisation", // Art. 50(3)
+  "deep-fake",               // Art. 50(4)
+  "ai-text-public-interest", // Art. 50(4) text variant
+]);
+
+var BANNER_TEXT_EN = Object.freeze({
+  "ai-interaction":            "You are interacting with an AI system.",
+  "ai-generated-content":      "This content was generated or modified by AI.",
+  "emotion-recognition":       "This system uses AI to recognise emotional state.",
+  "biometric-categorisation":  "This system uses AI biometric categorisation.",
+  "deep-fake":                 "This media was generated or modified by AI (deep-fake).",
+  "ai-text-public-interest":   "This text was generated by AI on a matter of public interest.",
+});
+
+function banner(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "kind", "lang", "deployerName", "controllerContact",
+    "linkPolicy", "linkContact",
+  ], "compliance.aiAct.transparency.banner");
+  if (BANNER_KINDS.indexOf(opts.kind) === -1) {
+    throw new ComplianceError("compliance-ai-act/bad-banner-kind",
+      "transparency.banner: kind must be one of " + BANNER_KINDS.join(", ") +
+      " — got " + JSON.stringify(opts.kind));
+  }
+  var lang = (typeof opts.lang === "string" && opts.lang.length > 0) ? opts.lang : "en";
+  var text = BANNER_TEXT_EN[opts.kind];
+  // Operators with a non-en lang supply their own translation via the
+  // returned object — the framework only ships en defaults for now.
+  var out = {
+    kind:    opts.kind,
+    lang:    lang,
+    text:    text,
+    article: _articleFor(opts.kind),
+  };
+  if (typeof opts.deployerName === "string" && opts.deployerName.length > 0) {
+    out.deployerName = opts.deployerName;
+  }
+  if (typeof opts.controllerContact === "string" && opts.controllerContact.length > 0) {
+    out.controllerContact = opts.controllerContact;
+  }
+  if (typeof opts.linkPolicy === "string" && opts.linkPolicy.length > 0) {
+    out.linkPolicy = opts.linkPolicy;
+  }
+  if (typeof opts.linkContact === "string" && opts.linkContact.length > 0) {
+    out.linkContact = opts.linkContact;
+  }
+  return out;
+}
+
+function _articleFor(kind) {
+  switch (kind) {
+    case "ai-interaction":            return "Art. 50(1)";
+    case "ai-generated-content":      return "Art. 50(2)";
+    case "emotion-recognition":       return "Art. 50(3)";
+    case "biometric-categorisation":  return "Art. 50(3)";
+    case "deep-fake":                 return "Art. 50(4)";
+    case "ai-text-public-interest":   return "Art. 50(4)";
+    default:                          return null;
+  }
+}
+
+function htmlBanner(opts) {
+  var b = banner(opts);
+  var attrs =
+    'role="status" data-blamejs-aiAct="' + b.article +
+    '" data-blamejs-kind="' + b.kind +
+    '" lang="' + b.lang + '"';
+  return '<div ' + attrs + '>' + _escapeHtml(b.text) + '</div>';
+}
+
+function _escapeHtml(s) {
+  if (typeof s !== "string") return "";
+  return s.replace(/&/g, "&amp;")
+          .replace(/</g, "&lt;")
+          .replace(/>/g, "&gt;")
+          .replace(/"/g, "&quot;");
+}
+
+// Watermark builder for Art. 50(2). Operators integrate with C2PA /
+// SynthID / SoundID / hidden-watermark schemes; the framework emits a
+// machine-readable manifest fragment that downstream tooling can attach
+// or hash into the asset.
+function watermark(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "mediaKind", "modelId", "modelVersion", "createdAt", "promptHash",
+    "manipulation", "deployerName", "encoding",
+  ], "compliance.aiAct.transparency.watermark");
+  if (typeof opts.mediaKind !== "string" ||
+      ["image", "audio", "video", "text"].indexOf(opts.mediaKind) === -1) {
+    throw new ComplianceError("compliance-ai-act/bad-watermark",
+      "transparency.watermark: mediaKind must be one of image/audio/video/text — got " +
+      JSON.stringify(opts.mediaKind));
+  }
+  validateOpts.requireNonEmptyString(opts.modelId,
+    "transparency.watermark: modelId", ComplianceError, "compliance-ai-act/bad-watermark");
+  var manifest = {
+    "@context":         "https://blamejs.com/schemas/ai-act-watermark/v1",
+    aiActArticle:       "Art. 50(2)",
+    mediaKind:          opts.mediaKind,
+    modelId:            opts.modelId,
+    modelVersion:       opts.modelVersion || null,
+    createdAt:          opts.createdAt || new Date().toISOString(),
+    promptHash:         opts.promptHash || null,
+    manipulation:       opts.manipulation === true ? true : false,
+    deployerName:       opts.deployerName || null,
+    encoding:           opts.encoding || "json",
+  };
+  return manifest;
+}
+
+function jsonLdDisclosure(opts) {
+  var w = watermark(opts);
+  var script = '<script type="application/ld+json" ' +
+               'data-blamejs-aiAct="Art. 50(2)">' +
+               JSON.stringify(w) + '</script>';
+  return script;
+}
+
+// CSP-meta-tag pair for HTML pages — the disclosure-policy URI plus
+// the AI-Act-Notice header are emitted as <meta> equivalents so static
+// renderers can include them.
+function metaTags(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "kind", "policyUri", "deployerName",
+  ], "compliance.aiAct.transparency.metaTags");
+  if (BANNER_KINDS.indexOf(opts.kind) === -1) {
+    throw new ComplianceError("compliance-ai-act/bad-banner-kind",
+      "transparency.metaTags: kind must be one of " + BANNER_KINDS.join(", "));
+  }
+  var out = [];
+  out.push('<meta name="ai-act-notice" content="' + _escapeHtml(opts.kind) + '">');
+  out.push('<meta name="ai-act-article" content="' + _escapeHtml(_articleFor(opts.kind)) + '">');
+  if (typeof opts.policyUri === "string" && opts.policyUri.length > 0) {
+    out.push('<link rel="ai-act-policy" href="' + _escapeHtml(opts.policyUri) + '">');
+  }
+  if (typeof opts.deployerName === "string" && opts.deployerName.length > 0) {
+    out.push('<meta name="ai-act-deployer" content="' + _escapeHtml(opts.deployerName) + '">');
+  }
+  return out.join("\n");
+}
+
+module.exports = {
+  BANNER_KINDS:      BANNER_KINDS,
+  BANNER_TEXT_EN:    BANNER_TEXT_EN,
+  banner:            banner,
+  htmlBanner:        htmlBanner,
+  watermark:         watermark,
+  jsonLdDisclosure:  jsonLdDisclosure,
+  metaTags:          metaTags,
+};