npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/.well-known/ai-compliance.json ADDED Viewed

@@ -0,0 +1,16 @@
+{
+  "version": "1.0",
+  "scanner": "complior/1.0.0",
+  "scannedAt": "[SCAN_DATE]",
+  "organization": "[TO BE SET]",
+  "ai_systems": [
+    {
+      "name": "[TO BE SET]",
+      "provider": "[TO BE SET]",
+      "risk_level": "[TO BE SET]",
+      "compliance_score": 0
+    }
+  ],
+  "jurisdiction": "EU",
+  "regulation": "EU AI Act (Regulation (EU) 2024/1689)"
+}

package/COMPLIANCE.md ADDED Viewed

@@ -0,0 +1,64 @@
+# Compliance Report
+> Generated by Complior v1.0.0 on 2026-03-15T18:52:53.383Z
+## Score
+| Metric | Value |
+|--------|-------|
+| Total Score | **22.18%** |
+| Zone | red |
+| Checks | 93 total, 56 passed, 36 failed |
+## Findings Summary
+| Check ID | Severity | Message |
+|----------|----------|---------|
+| l3-banned-emotion-recognition | critical | Art. 5 REVIEW: "emotion-recognition" detected — Emotion recognition. Prohibited under Art. 5(1)(f) when: Infers emotions in workplace or educational settings, except for medical or safety purposes. Verify: Is this used to detect emotions of employees or students? (Medical/safety use is exempt) |
+| cross-permission-passport-mismatch | critical | 14 undeclared permission(s) with unwrapped LLM calls — compounding governance failure per Art. 26(4) |
+| undeclared-permission | high | Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'ticket_history' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'ticket_history' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'ticket_history' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'ticket_history' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'ticket_history' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'ticket_history' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| undeclared-permission | high | Tool 'ticket_history' (langchain) used in code but not declared in Agent Passport — Art. 26(4) |
+| art5-screening | high | No art. 5 screening document found (Art. 5) |
+| technical-documentation | high | No technical documentation found (Art. 11) |
+| declaration-of-conformity | high | No declaration of conformity found (Art. 47) |
+| risk-management | high | No risk management documentation found (Art. 9) |
+| ai-literacy | medium | No AI literacy policy or training documentation found (Art. 4) |
+| incident-report | medium | No incident report template found (Art. 73) |
+| monitoring-policy | medium | No monitoring policy found (Art. 26) |
+| data-governance | medium | No data governance documentation found (Art. 10) |
+| qms | medium | No quality management system found (Art. 17) |
+| instructions-for-use | medium | No instructions for use found (Art. 13) |
+| l4-bare-llm | medium | WARNING: Anthropic bare API call in src/chat/anthropic.ts:8 — eu-ai-act-OBL-015 Art. 50(1) |
+| l4-bare-llm | medium | WARNING: OpenAI bare API call in src/chat/handler.ts:11 — eu-ai-act-OBL-015 Art. 50(1) |
+| l4-security-risk | medium | WARNING: Unsafe eval() with user input in src/screening/hr-filter.ts:16 — eu-ai-act-OBL-008 Art. 15(4) |
+| l4-security-risk | medium | WARNING: Unsafe eval() with user input in src/security/unsafe-eval.ts:11 — eu-ai-act-OBL-008 Art. 15(4) |
+| l4-security-risk | medium | WARNING: Unsafe pickle deserialization in src/security/unsafe-pickle.py:14 — eu-ai-act-OBL-008 Art. 15(4) |
+| cross-banned-with-wrapper | medium | Prohibited package detected but compliance controls (disclosure, oversight, kill-switch) are present. Review whether usage falls under an Art. 5 exception. |
+| cross-logging-no-retention | medium | AI logging implemented in code but no log retention configuration found. Art. 12 requires log retention >= 180 days. |
+| l3-missing-bias-testing | low | AI SDKs detected but no bias testing library found. Consider adding fairlearn, aif360, or aequitas. |
+| l3-log-retention | low | docker-compose.yml: Logging configured but no retention policy found. Ensure >= 180 days retention (Art. 12). |
+| cross-kill-switch-no-test | low | AI kill switch pattern found in code but no automated tests detected for it. Safety mechanisms should be tested. |
+## Top Issues
+1. **[CRITICAL]** l3-banned-emotion-recognition: Art. 5 REVIEW: "emotion-recognition" detected — Emotion recognition. Prohibited under Art. 5(1)(f) when: Infers emotions in workplace or educational settings, except for medical or safety purposes. Verify: Is this used to detect emotions of employees or students? (Medical/safety use is exempt)
+2. **[CRITICAL]** cross-permission-passport-mismatch: 14 undeclared permission(s) with unwrapped LLM calls — compounding governance failure per Art. 26(4)
+3. **[HIGH]** undeclared-permission: Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4)
+4. **[HIGH]** undeclared-permission: Tool 'ticket_history' (langchain) used in code but not declared in Agent Passport — Art. 26(4)
+5. **[HIGH]** undeclared-permission: Tool 'kb_search' (langchain) used in code but not declared in Agent Passport — Art. 26(4)
+---
+![Compliance Badge](.complior/badge.svg)

package/data/data-integrity.test.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * Smoke tests for extracted JSON data files.
+ * Validates structure and constraints to catch data corruption early.
+ */
+import { describe, it, expect } from 'vitest';
+import limits from './scanner/limits.json' with { type: 'json' };
+import pricing from './llm/model-pricing.json' with { type: 'json' };
+import routing from './llm/model-routing.json' with { type: 'json' };
+import confidence from './scanner/confidence-params.json' with { type: 'json' };
+import checkIds from './scanner/check-id-categories.json' with { type: 'json' };
+import evalMappings from './eval/eval-mappings.json' with { type: 'json' };
+import riskProfile from './onboarding/risk-profile.json' with { type: 'json' };
+const OBL_ID_RE = /^OBL-\d{3}$/;
+describe('data integrity', () => {
+  it('scanner/limits.json has positive limits', () => {
+    expect(limits.max_files).toBeGreaterThan(0);
+    expect(limits.max_file_size_bytes).toBeGreaterThan(0);
+  });
+  it('llm/model-pricing.json has positive input/output for all models', () => {
+    const models = Object.entries(pricing.models);
+    expect(models.length).toBeGreaterThanOrEqual(10);
+    for (const [name, p] of models) {
+      expect(p.input, `${name} input`).toBeGreaterThan(0);
+      expect(p.output, `${name} output`).toBeGreaterThan(0);
+    }
+  });
+  it('llm/model-routing.json covers all task types for every provider', () => {
+    const taskTypes = Object.keys(routing.task_reasons);
+    expect(taskTypes.length).toBeGreaterThanOrEqual(6);
+    for (const [provider, tasks] of Object.entries(routing.model_map)) {
+      for (const tt of taskTypes) {
+        expect((tasks as Record<string, string>)[tt], `${provider}.${tt}`).toBeTruthy();
+      }
+    }
+  });
+  it('scanner/confidence-params.json has all 5 layers and 5 multipliers', () => {
+    expect(Object.keys(confidence.layer_weights)).toEqual(['L1', 'L2', 'L3', 'L4', 'L5']);
+    expect(Object.keys(confidence.score_multipliers)).toEqual([
+      'PASS', 'LIKELY_PASS', 'UNCERTAIN', 'LIKELY_FAIL', 'FAIL',
+    ]);
+  });
+  it('scanner/check-id-categories.json has non-empty mapping', () => {
+    const entries = Object.entries(checkIds.mapping);
+    expect(entries.length).toBeGreaterThanOrEqual(70);
+    for (const [id, cat] of entries) {
+      expect(cat, `category for ${id}`).toBeTruthy();
+    }
+  });
+  it('eval/eval-mappings.json has valid priority/article/fine/timeline entries', () => {
+    expect(Object.keys(evalMappings.priority_order)).toEqual(['critical', 'high', 'medium', 'low']);
+    expect(Object.keys(evalMappings.category_articles).length).toBeGreaterThanOrEqual(10);
+    expect(Object.keys(evalMappings.priority_timeline)).toEqual(['critical', 'high', 'medium', 'low']);
+  });
+  it('onboarding/risk-profile.json has valid OBL-IDs', () => {
+    for (const id of riskProfile.base_obligations) {
+      expect(id, `base ${id}`).toMatch(OBL_ID_RE);
+    }
+    for (const id of riskProfile.high_risk_extra_obligations) {
+      expect(id, `extra ${id}`).toMatch(OBL_ID_RE);
+    }
+    for (const [domain, ids] of Object.entries(riskProfile.domain_obligations)) {
+      for (const id of ids) {
+        expect(id, `${domain} ${id}`).toMatch(OBL_ID_RE);
+      }
+    }
+  });
+});

package/data/eval/eval-mappings.json ADDED Viewed

@@ -0,0 +1,33 @@
+{
+  "priority_order": {
+    "critical": 0,
+    "high": 1,
+    "medium": 2,
+    "low": 3
+  },
+  "category_articles": {
+    "transparency": "Art.50",
+    "oversight": "Art.14",
+    "explanation": "Art.13",
+    "bias": "Art.10",
+    "accuracy": "Art.15",
+    "robustness": "Art.15",
+    "prohibited": "Art.5",
+    "logging": "Art.12",
+    "risk-awareness": "Art.9",
+    "gpai": "Art.52",
+    "industry": "Art.6"
+  },
+  "category_fines": {
+    "transparency": "up to 35M EUR",
+    "prohibited": "up to 35M EUR or 7% worldwide turnover",
+    "bias": "up to 35M EUR",
+    "oversight": "up to 15M EUR"
+  },
+  "priority_timeline": {
+    "critical": "this week",
+    "high": "next week",
+    "medium": "this month",
+    "low": "backlog"
+  }
+}

package/data/llm/model-pricing.json ADDED Viewed

@@ -0,0 +1,15 @@
+{
+  "models": {
+    "claude-opus-4": { "input": 15.0, "output": 75.0 },
+    "claude-sonnet-4": { "input": 3.0, "output": 15.0 },
+    "claude-sonnet-4-20250514": { "input": 3.0, "output": 15.0 },
+    "claude-haiku-4": { "input": 0.80, "output": 4.0 },
+    "gpt-4o": { "input": 2.50, "output": 10.0 },
+    "gpt-4o-mini": { "input": 0.15, "output": 0.60 },
+    "o1": { "input": 15.0, "output": 60.0 },
+    "gemini-2.0-flash": { "input": 0.10, "output": 0.40 },
+    "gemini-2.0-pro": { "input": 1.25, "output": 5.0 },
+    "mistral-large": { "input": 2.0, "output": 6.0 },
+    "mistral-small": { "input": 0.20, "output": 0.60 }
+  }
+}

package/data/llm/model-routing.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "model_map": {
+    "openai": {
+      "qa": "gpt-4o-mini",
+      "code": "gpt-4o",
+      "report": "gpt-4o",
+      "classify": "gpt-4o-mini",
+      "chat": "gpt-4o",
+      "document-generation": "gpt-4o"
+    },
+    "anthropic": {
+      "qa": "claude-haiku-4-5-20251001",
+      "code": "claude-sonnet-4-5-20250929",
+      "report": "claude-sonnet-4-5-20250929",
+      "classify": "claude-haiku-4-5-20251001",
+      "chat": "claude-sonnet-4-5-20250929",
+      "document-generation": "claude-sonnet-4-5-20250929"
+    },
+    "openrouter": {
+      "qa": "anthropic/claude-haiku-4.5",
+      "code": "anthropic/claude-sonnet-4.5",
+      "report": "anthropic/claude-sonnet-4.5",
+      "classify": "anthropic/claude-haiku-4.5",
+      "chat": "anthropic/claude-sonnet-4.5",
+      "document-generation": "anthropic/claude-sonnet-4.5"
+    }
+  },
+  "task_reasons": {
+    "qa": "Fast, cheap model for simple Q&A",
+    "code": "Balanced model for code generation",
+    "report": "Powerful model for detailed reports",
+    "classify": "Fast model for classification tasks",
+    "chat": "Balanced model for interactive chat",
+    "document-generation": "Powerful model for detailed document creation"
+  }
+}

package/data/onboarding/risk-profile.json ADDED Viewed

@@ -0,0 +1,17 @@
+{
+  "high_risk_domains": ["healthcare", "finance", "hr", "education", "law_enforcement", "justice"],
+  "domain_obligations": {
+    "healthcare": ["OBL-070", "OBL-071", "OBL-072"],
+    "finance": ["OBL-073", "OBL-074", "OBL-075", "OBL-076"],
+    "hr": ["OBL-064", "OBL-065", "OBL-066"],
+    "education": ["OBL-067", "OBL-068", "OBL-069"],
+    "content": ["OBL-089", "OBL-090"],
+    "customer_service": ["OBL-091"]
+  },
+  "base_obligations": [
+    "OBL-001", "OBL-002", "OBL-003", "OBL-004", "OBL-005",
+    "OBL-006", "OBL-007", "OBL-008", "OBL-009", "OBL-010",
+    "OBL-011", "OBL-012", "OBL-013", "OBL-014", "OBL-015"
+  ],
+  "high_risk_extra_obligations": ["OBL-016", "OBL-017", "OBL-018", "OBL-019", "OBL-020"]
+}

package/data/regulations/eu-ai-act/README.md ADDED Viewed

@@ -0,0 +1,245 @@
+# EU AI Act Compliance Framework — README
+> **Version:** 4.0-full-coverage
+> **Дата:** 2026-02-18
+> **Закон:** EU AI Act (Regulation (EU) 2024/1689)
+> **Покрытие:** ~95% actionable obligations
+> **Next review:** 2026-03-01
+---
+## Что это
+11 файлов, 421 KB — полная машиночитаемая база знаний по EU AI Act для платформы Complior.ai.
+Обработаны: 34 статьи закона, 5 Annexes (II, III, IV, XI, XII), Codes of Practice (по декабрь 2025), Commission Guidelines (февраль 2025). Obligations decomposed по 13 industry domains.
+Это **data layer**, не документация. Загружается в engine и используется scanner'ом, fixer'ом, scoring engine, onboarding wizard, SEO generator и knowledge loader.
+---
+## Числа
+| Метрика | Значение |
+|---------|----------|
+| Obligations (обязательств) | **108** |
+| — critical severity | 37 |
+| — high severity | 57 |
+| — medium severity | 12 |
+| — low severity | 2 |
+| — applies to provider | 48 |
+| — applies to deployer | 17 |
+| — applies to both | 43 |
+| — CLI-checkable (scanner может проверить) | 85 (79%) |
+| — SDK feature needed | 33 (31%) |
+| — document template needed | 40 (37%) |
+| — has what_not_to_do (антипаттерны) | **108 (100%)** |
+| Tech specs for scanner | **89** |
+| — CLI coverage | **85/85 (100%)** |
+| Scoring categories (base) | 8 |
+| Scoring categories (domain) | 13 |
+| Risk levels | 5 |
+| Classification questions | 8 |
+| Roles defined | 8 |
+| Key definitions | 20 |
+| Applicability tree questions | 7 |
+| Cross-regulation mappings | 8 |
+| Timeline events (2024–2030) | 18 |
+| Localization terms × 7 languages | 8 × 7 = 56 |
+| Document templates (audit-ready) | 8 |
+| Marketing assets | 7 |
+| Industry domains covered | **13** |
+---
+## Структура файлов
+```
+complior/engine/data/regulations/eu-ai-act/
+│
+├── README.md                        ← этот файл
+│
+│   ── ЯДРО (engine загружает при старте) ──
+├── obligations.json                 ← 108 обязательств (191 KB)
+├── technical-requirements.json       ← 89 tech specs для scanner (111 KB)
+├── scoring.json                     ← алгоритм скоринга (14 KB)
+├── regulation-meta.json             ← метаданные + роли + риски (34 KB)
+│
+│   ── ВСПОМОГАТЕЛЬНЫЕ ──
+├── applicability-tree.json           ← decision tree Quick Check (9 KB)
+├── cross-mapping.json               ← маппинг на другие законы (8 KB)
+├── timeline.json                    ← 18 дедлайнов 2024–2030 (9 KB)
+├── localization.json                ← термины на 7 языках (7 KB)
+│
+│   ── ДОКУМЕНТЫ И КОНТЕНТ ──
+├── templates-part1.md               ← шаблоны 1–2: AI Literacy + Art. 5 Screening (14 KB)
+├── templates-part2.md               ← шаблоны 3–8: FRIA, Worker, TechDoc, Incident, CE, Monitoring (12 KB)
+└── marketing-content.md             ← Quick Check, Penalty Calc, Blog, FAQ, LinkedIn, SEO pages (12 KB)
+```
+При переименовании убрать `-v3-production` суффикс.
+---
+## 13 Industry Domains
+Каждое domain obligation содержит специфику для отрасли: какие запрещённые практики актуальны, какие bias-тесты нужны, какие смежные законы пересекаются.
+| # | Domain | Obl | Annex | Ключевая специфика |
+|---|--------|-----|-------|-------------------|
+| 1 | **HR / Employment** | 3 | III.4 | Recruitment bias, workplace emotion recognition PROHIBITED (Art. 5(1)(f)), works council notification (DE/NL/AT), GDPR employee data |
+| 2 | **Finance / Credit / Insurance** | 4 | III.5 | Credit scoring FRIA mandatory (Art. 27), insurance pricing fairness, proxy discrimination, MiFID II intersection |
+| 3 | **Healthcare / Medical** | 3 | II+III | Dual AI Act + MDR conformity, clinical validation, health advice disclaimers, GDPR Art. 9, demographic accuracy |
+| 4 | **Education** | 3 | III.3 | Admissions bias, proctoring emotion recognition PROHIBITED, tutoring minors protection |
+| 5 | **Law Enforcement** | 2 | III.6 | Real-time biometric ID PROHIBITED (Art. 5(1)(h)), predictive policing bias, maximum penalties (€35M) |
+| 6 | **Justice / Legal** | 2 | III.8 | Advisory-only judicial AI, highest explainability, legal practice client disclosure |
+| 7 | **Migration / Border** | 2 | III.7 | Refugee Convention intersection, asylum human review, AFSJ extended deadline (2030) |
+| 8 | **Critical Infrastructure** | 1 | III.2 | Failsafe mechanisms, NIS2 intersection, redundancy, public safety at scale |
+| 9 | **Biometric** | 1 | III.1 | 4 Art. 5 prohibitions, double human verification (Art. 14(5)), GDPR Art. 9 special category |
+| 10 | **Content Generation** | 2 | Art.50 | C2PA machine-readable marking, deepfake visible labeling, watermark robustness |
+| 11 | **Customer Service** | 1 | Art.50 | Chatbot AI disclosure, human escalation option |
+| 12 | **Marketing / Advertising** | 1 | Art.5 | AI manipulation = prohibited (max penalty), user opt-out, DSA intersection |
+| 13 | **Transport / Autonomous** | 1 | II+III | Fail-safe behavior, type-approval dual framework, diverse condition testing |
+Plus **82 generic (cross-domain) obligations** applying to all AI systems regardless of industry.
+---
+## Что означает каждый файл
+### 1. obligations.json — ЯДРО (191 KB, 108 obligations)
+Каждое обязательство: 27 полей. Ключевые:
+- `obligation_id` — уникальный ID (`eu-ai-act-OBL-HR-001`)
+- `applies_to_role` — `deployer` / `provider` / `both`
+- `applies_to_risk_level` — фильтр по уровню риска
+- `what_to_do` — конкретные действия (5–8 пунктов)
+- `what_not_to_do` — антипаттерны (3–5 пунктов)
+- `evidence_required` — что показать аудитору
+- `cli_check_possible` — может ли scanner проверить в коде
+- `severity` — critical / high / medium / low
+- `automation_approach` — как scanner автоматизирует (конкретные файлы и паттерны)
+### 2. technical-requirements.json — SCANNER DATA (111 KB, 89 specs)
+100% coverage всех CLI-checkable obligations. Каждый spec:
+- `positive_signals` — паттерны кода = compliance
+- `negative_signals` — паттерны кода = нарушение
+- `warning_message` — сообщение разработчику
+- `fix_suggestion` — как исправить
+- `severity` — error / warning / info
+### 3. scoring.json — COMPLIANCE SCORE (14 KB)
+8 base categories (always applied) + 13 domain categories (applied when company operates in domain). Critical cap: any critical = 0% → total max 40%. Thresholds: Red 0–49%, Yellow 50–79%, Green 80–100%. Certificate: 85% + all criticals 100%.
+### 4. regulation-meta.json — LAW METADATA (34 KB)
+ID, name, jurisdiction, 6 enforcement dates, penalties, 20 definitions, 8 roles, 5 risk levels, 8 classification questions.
+### 5. applicability-tree.json — QUICK CHECK (9 KB)
+7 questions: does EU AI Act apply to this company? Results: applies / does-not-apply / partially-applies.
+### 6. cross-mapping.json — MULTI-JURISDICTION (8 KB)
+8 cross-regulation mappings + strictest_rule_wins_matrix. Framework — fills when new jurisdictions processed.
+### 7. timeline.json — DEADLINES (9 KB)
+18 dates (2024–2030). Amendments. Codes of Practice. 7 monitoring URLs.
+### 8. localization.json — 7 LANGUAGES (7 KB)
+8 terms in DE, FR, ES, IT, NL, PT, PL. Cultural notes per market.
+### 9–10. templates — 8 AUDIT-READY DOCUMENTS (26 KB)
+Templates 1–2 (AI Literacy + Art. 5 Screening) **already required since Feb 2025**. Templates 3–8 (FRIA, Worker Notification, Tech Documentation, Incident Report, Declaration, Monitoring Policy) due Aug 2026.
+### 11. marketing-content.md — 7 MARKETING ASSETS (12 KB)
+Quick Check tool, Penalty Calculator, Blog outline, Comparison table, FAQ, LinkedIn post, Programmatic SEO template.
+---
+## Как файлы связаны
+```
+regulation-meta.json
+    ├── roles ──────── filter obligations by role
+    ├── risk_levels ── filter by risk level
+    └── questions ──── onboarding quiz
+            │
+            ▼
+obligations.json (108)
+    ├── cli_check=true ──► technical-requirements.json (89) ──► SCANNER
+    ├── sdk_needed=true ──► SDK middleware
+    ├── template_needed=true ──► templates-*.md ──► FIXER
+    ├── severity + category ──► scoring.json ──► SCORE
+    ├── cross_mapping ──► cross-mapping.json ──► STRICTEST RULE WINS
+    ├── deadline ──► timeline.json ──► COUNTDOWN
+    └── what_to_do + what_not_to_do ──► FINDINGS + FIX ACTIONS
+applicability-tree.json ──► Quick Check
+localization.json ──► UI labels (7 languages)
+marketing-content.md ──► Website SEO + blog + tools
+```
+---
+## Использование по компонентам
+| Component | Files used | How |
+|-----------|-----------|-----|
+| **Scanner** | obligations.json + technical-requirements.json | Load CLI-checkable obligations → match positive/negative signals → output findings |
+| **Fixer** | obligations.json + templates-*.md | what_to_do actions → generate documents + code fixes |
+| **Score Calculator** | scoring.json + obligations.json | Map results to categories → weighted score → threshold |
+| **Onboarding** | applicability-tree.json + regulation-meta.json | Quick Check → risk classification → role → personalized obligation list |
+| **SEO Generator** | marketing-content.md + obligations.json | Programmatic pages, per-obligation pages, FAQ, comparisons |
+| **Knowledge Loader** | obligations.json + timeline.json + regulation-meta.json | On-demand context for LLM agents |
+---
+## Добавление новой юрисдикции
+1. Use same 12-stage prompt + text of new law
+2. Receive 11 files → `engine/data/regulations/[jurisdiction-id]/`
+3. Fill `cross_regulation_mapping` per obligation
+4. Strictest-rule-wins engine picks stricter requirement automatically
+| # | Jurisdiction | Status |
+|---|-------------|--------|
+| 1 | EU AI Act | ✅ Done |
+| 2 | Colorado SB 205 | ⏳ Next |
+| 3 | NYC LL 144 | 📋 Planned |
+| 4 | California SB 1001 | 📋 Planned |
+| 5 | WCAG 2.2 AA (EAA) | 📋 Planned |
+| 6 | EU Cyber Resilience Act | 📋 Planned |
+---
+## Что осталось
+| Item | Priority |
+|------|----------|
+| Colorado SB 205 processing | P0 |
+| Templates 9–15 (Inventory, Model Card, Copyright, Data Gov, Corrective, Training Summary, Checklist) | P1 |
+| GPAI Code of Practice decomposition | P1 |
+| Commission guidelines on high-risk classification (expected Feb 2026) | P0 |
+| Content marking Code of Practice update | P1 |
+| National authority directory per Member State | P1 |
+| Harmonised standards (CEN/CENELEC, expected 2027) | P2 |
+---
+## Version history
+| Version | Date | Obligations | Tech specs | Change |
+|---------|------|------------|-----------|--------|
+| 1.0 | 2026-02-17 | 25 | 6 | Initial framework |
+| 2.0 | 2026-02-17 | 64 | 14 | Sub-decomposition |
+| 3.0 | 2026-02-17 | 69 | 53 | Deployer expansion, 100% CLI coverage, what_not_to_do |
+| **4.0** | **2026-02-18** | **108** | **89** | **13 domains, ~95% law coverage, full production** |