@blamejs/core 0.7.107 → 0.8.4

package/lib/compliance-ai-act-logging.js

@@ -0,0 +1,190 @@
+"use strict";
+/**
+ * EU AI Act Article 12 — automatic logging requirements for high-risk
+ * AI systems.
+ *
+ * Per Regulation (EU) 2024/1689 Art. 12, providers of high-risk AI
+ * systems MUST design the system to automatically record events
+ * ("logs") over its lifetime, sufficient to:
+ *
+ *   (a) identify situations that may result in the AI system
+ *       presenting a risk under Art. 79(1) (post-market monitoring);
+ *   (b) facilitate post-market monitoring per Art. 72;
+ *   (c) monitor the operation of the high-risk AI systems referred
+ *       to in Art. 26(5) (deployer obligations).
+ *
+ * For Annex III §1(a) (remote biometric identification systems), the
+ * minimum required logged fields are explicitly enumerated in
+ * Art. 12(3):
+ *
+ *   - period of each use (start time, end time)
+ *   - reference database against which input data was checked
+ *   - input data for which the search led to a match
+ *   - identification of natural persons involved in result verification
+ *
+ * The framework provides a typed event-builder that produces records
+ * conforming to these requirements, plus a serialiser that funnels the
+ * records into the framework's audit-chain (b.audit) so they ride the
+ * tamper-evident PQC-signed chain.
+ *
+ * Logs are operator-retained per Art. 19 (provider must keep them at
+ * least 6 months unless local law requires longer; for high-risk
+ * systems used in financial services + employment + law enforcement
+ * the retention floor is 1 year). The retention floor cross-walks
+ * into b.retention.complianceFloor.
+ */
+
+var validateOpts        = require("./validate-opts");
+var lazyRequire         = require("./lazy-require");
+var C                   = require("./constants");
+var { ComplianceError }  = require("./framework-error");
+
+var audit               = lazyRequire(function () { return require("./audit"); });
+
+// Retention floors per Art. 19. Operator's b.retention.complianceFloor
+// applies the more-stringent of: AI Act floor, sectoral law, internal
+// retention policy.
+var RETENTION_FLOORS = Object.freeze({
+  default:                    C.TIME.days(180),
+  "high-risk-financial":      C.TIME.days(365),
+  "high-risk-employment":     C.TIME.days(365),
+  "high-risk-law-enforcement": C.TIME.days(365),
+});
+
+var MIN_BIOMETRIC_FIELDS = Object.freeze([
+  "periodStart", "periodEnd", "referenceDatabase",
+  "matchedInputRef", "verifiers",
+]);
+
+function buildEvent(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "systemId", "kind", "actor", "timestamp",
+    "periodStart", "periodEnd", "referenceDatabase",
+    "matchedInputRef", "verifiers",
+    "outcome", "metadata", "annexIII",
+  ], "compliance.aiAct.logging.buildEvent");
+
+  validateOpts.requireNonEmptyString(opts.systemId,
+    "buildEvent: systemId", ComplianceError, "compliance-ai-act/bad-event");
+  validateOpts.requireNonEmptyString(opts.kind,
+    "buildEvent: kind", ComplianceError, "compliance-ai-act/bad-event");
+
+  var nowMs = (typeof opts.timestamp === "number" && isFinite(opts.timestamp))
+    ? opts.timestamp : Date.now();
+
+  var record = {
+    aiActArticle:    "Art. 12",
+    systemId:        opts.systemId,
+    kind:            opts.kind,
+    timestamp:       new Date(nowMs).toISOString(),
+    actor:           opts.actor || null,
+    annexIII:        opts.annexIII || null,
+    outcome:         opts.outcome || "ok",
+  };
+
+  // Annex III §1(a) biometric-id systems require specific fields.
+  if (opts.annexIII === "biometric-id-categorisation") {
+    var missing = [];
+    for (var i = 0; i < MIN_BIOMETRIC_FIELDS.length; i += 1) {
+      var field = MIN_BIOMETRIC_FIELDS[i];
+      if (opts[field] == null) missing.push(field);
+    }
+    if (missing.length > 0) {
+      throw new ComplianceError("compliance-ai-act/missing-biometric-fields",
+        "buildEvent: biometric-id event missing required fields per Art. 12(3): " +
+        missing.join(", "));
+    }
+    record.periodStart       = _toIsoString(opts.periodStart);
+    record.periodEnd         = _toIsoString(opts.periodEnd);
+    record.referenceDatabase = opts.referenceDatabase;
+    record.matchedInputRef   = opts.matchedInputRef;
+    record.verifiers         = Array.isArray(opts.verifiers)
+      ? opts.verifiers.slice() : [opts.verifiers];
+  }
+
+  if (opts.metadata && typeof opts.metadata === "object") {
+    record.metadata = opts.metadata;
+  }
+  return record;
+}
+
+function _toIsoString(value) {
+  if (value == null) return null;
+  if (typeof value === "string") return value;
+  if (typeof value === "number" && isFinite(value)) {
+    return new Date(value).toISOString();
+  }
+  if (value instanceof Date) return value.toISOString();
+  return null;
+}
+
+function emit(event) {
+  if (!event || typeof event !== "object") {
+    throw new ComplianceError("compliance-ai-act/bad-event",
+      "compliance.aiAct.logging.emit: event must be an object");
+  }
+  // Funnel into the framework audit chain so the record rides the
+  // tamper-evident PQC-signed chain. The operator-facing kind vocabulary
+  // (from RFC-style slug identifiers in the AI-Act-Notice header — e.g.
+  // "biometric-id-categorisation") carries hyphens; the audit action
+  // namespace uses underscores, so the kind is rewritten before emit.
+  try {
+    var kindCanonical = String(event.kind || "log").replace(/-/g, "_");
+    audit().safeEmit({
+      action:   "compliance.aiact." + kindCanonical,
+      outcome:  event.outcome || "success",
+      actor:    event.actor || null,
+      metadata: event,
+    });
+  } catch (_e) { /* drop-silent */ }
+  return event;
+}
+
+function logEvent(opts) {
+  var record = buildEvent(opts);
+  return emit(record);
+}
+
+function retentionFloorMs(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["domain"], "compliance.aiAct.logging.retentionFloorMs");
+  var key = opts.domain || "default";
+  if (Object.prototype.hasOwnProperty.call(RETENTION_FLOORS, key)) {
+    return RETENTION_FLOORS[key];
+  }
+  return RETENTION_FLOORS.default;
+}
+
+// Build a request-attached logger pre-bound to a system context. The
+// returned function accepts a partial event and merges it with the
+// preset (systemId, annexIII, deployer).
+function loggerFor(systemContext) {
+  if (!systemContext || typeof systemContext !== "object") {
+    throw new ComplianceError("compliance-ai-act/bad-system-context",
+      "loggerFor: systemContext must be an object");
+  }
+  validateOpts.requireNonEmptyString(systemContext.systemId,
+    "loggerFor: systemContext.systemId", ComplianceError, "compliance-ai-act/bad-system-context");
+  return function (eventPartial) {
+    var merged = Object.assign({}, eventPartial || {});
+    merged.systemId = systemContext.systemId;
+    if (systemContext.annexIII && !merged.annexIII) {
+      merged.annexIII = systemContext.annexIII;
+    }
+    if (systemContext.deployer && !merged.actor) {
+      merged.actor = { deployer: systemContext.deployer };
+    }
+    return logEvent(merged);
+  };
+}
+
+module.exports = {
+  buildEvent:        buildEvent,
+  emit:              emit,
+  logEvent:          logEvent,
+  retentionFloorMs:  retentionFloorMs,
+  loggerFor:         loggerFor,
+  RETENTION_FLOORS:  RETENTION_FLOORS,
+  MIN_BIOMETRIC_FIELDS: MIN_BIOMETRIC_FIELDS,
+};

package/lib/compliance-ai-act-prohibited.js

@@ -0,0 +1,205 @@
+"use strict";
+/**
+ * EU AI Act Article 5 — prohibited AI practices.
+ *
+ * Per Regulation (EU) 2024/1689 Art. 5, certain AI practices are
+ * unconditionally prohibited in the EU market. The practices fall
+ * into eight categories listed below; each entry carries:
+ *
+ *   - id          — short canonical identifier (used by classify())
+ *   - article     — the sub-article of Art. 5 (a-h)
+ *   - title       — operator-readable title
+ *   - description — paraphrase of the prohibited practice
+ *   - examples    — non-exhaustive list of system shapes that fall in
+ *
+ * The catalog is operator-readable but NOT operator-extensible — Art. 5
+ * is set by EU regulation; operators don't add private "prohibited
+ * practices". For private "we don't allow this" rules see
+ * b.compliance.aiAct.local-policy (separate primitive).
+ *
+ * Effective date: 2026-02-02 per Art. 113(a). Operators with EU users
+ * MUST classify each AI system against this catalog before deployment.
+ */
+
+var PROHIBITED_PRACTICES = Object.freeze([
+  Object.freeze({
+    id:          "subliminal-manipulation",
+    article:     "Art. 5(1)(a)",
+    title:       "Subliminal techniques beyond a person's consciousness",
+    description: "AI systems that deploy subliminal, purposefully manipulative, or deceptive techniques with the objective or effect of materially distorting a person's behaviour by appreciably impairing their ability to make an informed decision, thereby causing or likely to cause significant harm.",
+    examples:    Object.freeze([
+      "Hidden audio cues in marketing audio that bypass conscious perception",
+      "UX patterns engineered with eye-tracking to push specific decisions",
+      "Generative content that subliminally embeds product imagery",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "exploit-vulnerabilities",
+    article:     "Art. 5(1)(b)",
+    title:       "Exploiting vulnerabilities of specific groups",
+    description: "AI systems that exploit vulnerabilities of a specific group of persons (due to age, disability, or specific social or economic situation) with the objective or effect of materially distorting their behaviour, thereby causing or likely to cause significant harm.",
+    examples:    Object.freeze([
+      "Recommender systems targeting children with addictive content patterns",
+      "Predatory lending offers tuned to financial-distress signals",
+      "Manipulative chatbots aimed at elderly users with dementia signals",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "social-scoring",
+    article:     "Art. 5(1)(c)",
+    title:       "Social scoring by public authorities",
+    description: "AI systems for the evaluation or classification of natural persons over a certain period of time based on their social behaviour or known, inferred or predicted personal or personality characteristics, leading to detrimental or unfavourable treatment that is unjustified or disproportionate.",
+    examples:    Object.freeze([
+      "General-purpose social-credit ranking by a state agency",
+      "Cross-context behavior scoring used to deny unrelated services",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "predictive-policing-individual",
+    article:     "Art. 5(1)(d)",
+    title:       "Predictive policing solely on profiling",
+    description: "AI systems for making risk assessments of natural persons in order to assess or predict the risk of a natural person committing a criminal offence, based solely on the profiling of a natural person or on assessing their personality traits and characteristics.",
+    examples:    Object.freeze([
+      "Recidivism scoring using only demographic + arrest-history features",
+      "Heatmap-driven 'pre-crime' targeting of named individuals",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "untargeted-facial-scraping",
+    article:     "Art. 5(1)(e)",
+    title:       "Untargeted scraping for facial-recognition databases",
+    description: "AI systems that create or expand facial-recognition databases through the untargeted scraping of facial images from the internet or CCTV footage.",
+    examples:    Object.freeze([
+      "Bulk-collecting public profile photos to populate a face-search index",
+      "CCTV-derived enrolment of unconsenting bystanders",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "emotion-inference-workplace-edu",
+    article:     "Art. 5(1)(f)",
+    title:       "Emotion inference in workplace and education",
+    description: "AI systems to infer emotions of a natural person in the areas of workplace and education institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons.",
+    examples:    Object.freeze([
+      "Camera-based 'engagement' scoring of students during remote class",
+      "Sentiment analysis of employee video calls for performance review",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "biometric-categorisation-sensitive",
+    article:     "Art. 5(1)(g)",
+    title:       "Biometric categorisation by sensitive attributes",
+    description: "AI systems of biometric categorisation that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation.",
+    examples:    Object.freeze([
+      "Face-derived political-opinion or religion classifiers",
+      "Voice-derived sexual-orientation inference",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+  Object.freeze({
+    id:          "real-time-remote-biometric-id",
+    article:     "Art. 5(1)(h)",
+    title:       "Real-time remote biometric identification in public",
+    description: "AI systems for real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes — except for narrowly-defined exceptions (search for missing persons, prevention of imminent threat, suspect of serious crime listed in Annex II).",
+    examples:    Object.freeze([
+      "Mass facial-recognition gates at festivals or stations",
+      "Real-time crowd-scanning ID systems without imminent-threat trigger",
+    ]),
+    effectiveDate: "2026-02-02",
+  }),
+]);
+
+function listPractices() {
+  return PROHIBITED_PRACTICES.slice();
+}
+
+function getPractice(id) {
+  for (var i = 0; i < PROHIBITED_PRACTICES.length; i += 1) {
+    if (PROHIBITED_PRACTICES[i].id === id) return PROHIBITED_PRACTICES[i];
+  }
+  return null;
+}
+
+function listIds() {
+  return PROHIBITED_PRACTICES.map(function (p) { return p.id; });
+}
+
+// Classify a system description against the catalog. Returns the array
+// of practice IDs it appears to fall under, based on operator-supplied
+// signals. The classifier is intentionally conservative — it errs on
+// the side of flagging a system as potentially-prohibited; legal
+// review is required before deployment regardless of the result.
+
+function classify(systemDescription) {
+  if (!systemDescription || typeof systemDescription !== "object") {
+    return [];
+  }
+  var hits = [];
+  // (a) subliminal manipulation
+  if (systemDescription.usesSubliminalCues === true ||
+      systemDescription.intent === "subliminal-influence") {
+    hits.push("subliminal-manipulation");
+  }
+  // (b) exploit vulnerabilities
+  if (systemDescription.targetsVulnerableGroup === true) {
+    hits.push("exploit-vulnerabilities");
+  }
+  // (c) social scoring
+  if (systemDescription.purpose === "social-scoring" &&
+      systemDescription.deployerType === "public-authority") {
+    hits.push("social-scoring");
+  }
+  // (d) predictive policing on profiling alone
+  if (systemDescription.purpose === "predictive-policing" &&
+      systemDescription.usesProfileOnly === true) {
+    hits.push("predictive-policing-individual");
+  }
+  // (e) untargeted facial-recognition database build
+  if (systemDescription.builds === "facial-recognition-db" &&
+      systemDescription.scrapesUntargeted === true) {
+    hits.push("untargeted-facial-scraping");
+  }
+  // (f) emotion inference in workplace / education
+  if (systemDescription.infersEmotion === true &&
+      (systemDescription.deployContext === "workplace" ||
+       systemDescription.deployContext === "education")) {
+    if (systemDescription.purpose !== "medical" &&
+        systemDescription.purpose !== "safety") {
+      hits.push("emotion-inference-workplace-edu");
+    }
+  }
+  // (g) biometric categorisation of sensitive attributes
+  if (systemDescription.biometricCategorisation === true &&
+      Array.isArray(systemDescription.inferredAttributes)) {
+    var sensitive = ["race", "political-opinion", "trade-union",
+                     "religion", "philosophy", "sex-life", "sexual-orientation"];
+    for (var i = 0; i < systemDescription.inferredAttributes.length; i += 1) {
+      if (sensitive.indexOf(systemDescription.inferredAttributes[i]) !== -1) {
+        hits.push("biometric-categorisation-sensitive");
+        break;
+      }
+    }
+  }
+  // (h) real-time remote biometric ID for law enforcement
+  if (systemDescription.remoteBiometricId === "real-time" &&
+      systemDescription.deployContext === "law-enforcement-public-space" &&
+      systemDescription.exemption !== "missing-person" &&
+      systemDescription.exemption !== "imminent-threat" &&
+      systemDescription.exemption !== "annex-ii-suspect") {
+    hits.push("real-time-remote-biometric-id");
+  }
+  return hits;
+}
+
+module.exports = {
+  PROHIBITED_PRACTICES: PROHIBITED_PRACTICES,
+  listPractices:        listPractices,
+  listIds:              listIds,
+  getPractice:          getPractice,
+  classify:             classify,
+};

package/lib/compliance-ai-act-risk.js

@@ -0,0 +1,189 @@
+"use strict";
+/**
+ * EU AI Act Article 6 + Annex III — high-risk AI system classification.
+ *
+ * Per Regulation (EU) 2024/1689 Art. 6, an AI system is "high-risk"
+ * when:
+ *
+ *   (a) it is intended to be used as a safety component of a product
+ *       covered by the Union harmonisation legislation listed in Annex I,
+ *       OR the AI system is itself such a product, AND the product is
+ *       required to undergo third-party conformity assessment; OR
+ *
+ *   (b) it falls into one of the eight Annex III use-case categories.
+ *
+ * The classifier returns the tier and the matched Annex-III row(s) so
+ * operators can produce the Annex IV technical documentation required
+ * by Art. 11 + 18.
+ *
+ * Tiers:
+ *   "prohibited"      → falls under Article 5
+ *   "high-risk"       → falls under Article 6 / Annex III
+ *   "limited-risk"    → falls under Article 50 (transparency obligations only)
+ *   "minimal-risk"    → no specific obligations beyond general principles
+ *   "general-purpose" → general-purpose AI model (GPAI) — Article 53
+ */
+
+var ANNEX_III_USE_CASES = Object.freeze([
+  Object.freeze({
+    id:          "biometric-id-categorisation",
+    annexRow:    "Annex III §1",
+    title:       "Biometric identification and categorisation",
+    description: "Remote biometric identification systems (excluding the prohibited real-time-public ones), biometric categorisation systems, emotion-recognition systems.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "critical-infrastructure",
+    annexRow:    "Annex III §2",
+    title:       "Critical infrastructure",
+    description: "AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "education-vocational",
+    annexRow:    "Annex III §3",
+    title:       "Education and vocational training",
+    description: "AI systems for determining access, admission or assignment to educational and vocational training institutions; for evaluating learning outcomes; for assessing the appropriate level of education; for monitoring and detecting prohibited behaviour during tests.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "employment-workers-mgmt",
+    annexRow:    "Annex III §4",
+    title:       "Employment, workers management, and access to self-employment",
+    description: "AI systems for recruitment / selection, advertising vacancies, screening or filtering applications, evaluating candidates; for promotion / termination decisions, task allocation based on individual behaviour or personal traits, for monitoring and evaluating performance and behaviour.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "essential-services",
+    annexRow:    "Annex III §5",
+    title:       "Access to essential private and public services",
+    description: "AI systems used by public authorities to evaluate eligibility for essential public assistance benefits and services; for credit-worthiness scoring of natural persons; for risk assessment and pricing of life and health insurance; for emergency-response triage.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+  Object.freeze({
+    id:          "law-enforcement",
+    annexRow:    "Annex III §6",
+    title:       "Law enforcement",
+    description: "AI systems used by law enforcement authorities for risk assessment of natural persons (excluding the prohibited profiling-only ones), polygraphs / similar tools, evaluating reliability of evidence, profiling for detection / investigation of criminal offences.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15", "fundamental-rights-impact-assessment-art-27"]),
+  }),
+  Object.freeze({
+    id:          "migration-asylum-border",
+    annexRow:    "Annex III §7",
+    title:       "Migration, asylum and border control management",
+    description: "AI systems used by competent public authorities for assessing risks (security, irregular migration, health) posed by a natural person intending to enter / having entered the EU; for examining applications for asylum / visa / residence permits; for detecting / recognising / identifying natural persons in the context of migration.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15", "fundamental-rights-impact-assessment-art-27"]),
+  }),
+  Object.freeze({
+    id:          "judicial-democratic-process",
+    annexRow:    "Annex III §8",
+    title:       "Administration of justice and democratic processes",
+    description: "AI systems intended to assist judicial authorities in researching / interpreting facts and the law and applying the law; AI systems used to influence the outcome of an election or referendum or voting behaviour.",
+    obligations: Object.freeze(["risk-management-art-9", "data-governance-art-10",
+                                "technical-documentation-art-11", "logging-art-12",
+                                "transparency-art-13", "human-oversight-art-14",
+                                "accuracy-robustness-art-15"]),
+  }),
+]);
+
+function listAnnexIII() {
+  return ANNEX_III_USE_CASES.slice();
+}
+
+function getAnnexIII(id) {
+  for (var i = 0; i < ANNEX_III_USE_CASES.length; i += 1) {
+    if (ANNEX_III_USE_CASES[i].id === id) return ANNEX_III_USE_CASES[i];
+  }
+  return null;
+}
+
+// Operator-side helper to determine the matching Annex III row from a
+// purpose vocabulary the framework recognises.
+function classifyAnnexIII(purpose) {
+  if (typeof purpose !== "string") return [];
+  var hits = [];
+  // Per-row heuristics — operators with a private vocabulary use
+  // .isHighRisk and pass annexId directly.
+  if (purpose === "biometric-id" || purpose === "biometric-category" ||
+      purpose === "emotion-recognition") {
+    hits.push("biometric-id-categorisation");
+  }
+  if (purpose === "critical-infrastructure-control" ||
+      purpose === "traffic-control" || purpose === "energy-grid") {
+    hits.push("critical-infrastructure");
+  }
+  if (purpose === "school-admissions" || purpose === "exam-grading" ||
+      purpose === "exam-proctoring") {
+    hits.push("education-vocational");
+  }
+  if (purpose === "candidate-screening" || purpose === "performance-evaluation" ||
+      purpose === "promotion-decision" || purpose === "termination-decision") {
+    hits.push("employment-workers-mgmt");
+  }
+  if (purpose === "credit-scoring" || purpose === "insurance-pricing" ||
+      purpose === "benefits-eligibility" || purpose === "emergency-triage") {
+    hits.push("essential-services");
+  }
+  if (purpose === "evidence-evaluation" || purpose === "law-enforcement-risk-assessment" ||
+      purpose === "polygraph") {
+    hits.push("law-enforcement");
+  }
+  if (purpose === "asylum-application-screening" || purpose === "visa-screening" ||
+      purpose === "border-biometric-id") {
+    hits.push("migration-asylum-border");
+  }
+  if (purpose === "judicial-research-assistant" || purpose === "election-influence") {
+    hits.push("judicial-democratic-process");
+  }
+  return hits;
+}
+
+function isHighRisk(opts) {
+  if (!opts || typeof opts !== "object") return false;
+  if (opts.tier === "high-risk") return true;
+  if (opts.purpose) {
+    var matches = classifyAnnexIII(opts.purpose);
+    if (matches.length > 0) return true;
+  }
+  if (opts.safetyComponentForRegulatedProduct === true &&
+      opts.requiresThirdPartyConformity === true) {
+    return true;
+  }
+  return false;
+}
+
+function obligationsFor(annexId) {
+  var row = getAnnexIII(annexId);
+  if (!row) return [];
+  return row.obligations.slice();
+}
+
+module.exports = {
+  ANNEX_III_USE_CASES: ANNEX_III_USE_CASES,
+  listAnnexIII:        listAnnexIII,
+  getAnnexIII:         getAnnexIII,
+  classifyAnnexIII:    classifyAnnexIII,
+  isHighRisk:          isHighRisk,
+  obligationsFor:      obligationsFor,
+};