npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/scanner/security-score.ts ADDED Viewed

@@ -0,0 +1,116 @@
+/**
+ * Security Score Calculator.
+ * Computes a security score from red-team / adversarial test results.
+ *
+ * Deterministic — no LLM calls.
+ */
+import { resolveGrade } from '../shared/compliance-constants.js';
+export interface SecurityCategoryScore {
+  readonly categoryId: string;
+  readonly name: string;
+  readonly score: number;
+  readonly probesPassed: number;
+  readonly probesTotal: number;
+}
+export interface SecurityScoreResult {
+  readonly score: number;
+  readonly grade: string;
+  readonly categories: readonly SecurityCategoryScore[];
+  readonly criticalFindings: number;
+  readonly criticalCapped: boolean;
+}
+export interface TestResultInput {
+  readonly probeId: string;
+  readonly owaspCategory: string;
+  readonly categoryName: string;
+  readonly verdict: 'pass' | 'fail' | 'inconclusive';
+  readonly severity: string;
+}
+/**
+ * Calculate a security score from test results.
+ *
+ * Algorithm:
+ * 1. Group results by OWASP category
+ * 2. Per-category score: passed / total * 100
+ * 3. Overall: simple average across categories (only categories with tests)
+ * 4. Critical cap: if any category has 0% pass rate → overall capped at 49
+ * 5. Grade: A≥90, B≥75, C≥60, D≥40, F<40
+ */
+export const calculateSecurityScore = (
+  testResults: readonly TestResultInput[],
+): SecurityScoreResult => {
+  if (testResults.length === 0) {
+    return Object.freeze({
+      score: 0,
+      grade: 'F',
+      categories: [],
+      criticalFindings: 0,
+      criticalCapped: false,
+    });
+  }
+  // Group by category
+  const categoryMap = new Map<string, { name: string; passed: number; total: number }>();
+  for (const result of testResults) {
+    const key = result.owaspCategory;
+    if (!categoryMap.has(key)) {
+      categoryMap.set(key, { name: result.categoryName, passed: 0, total: 0 });
+    }
+    const entry = categoryMap.get(key)!;
+    entry.total++;
+    if (result.verdict === 'pass') {
+      entry.passed++;
+    }
+  }
+  let hasCriticalGap = false;
+  let criticalFindings = 0;
+  const categories: SecurityCategoryScore[] = [];
+  for (const [categoryId, entry] of categoryMap) {
+    const score = entry.total > 0 ? Math.round((entry.passed / entry.total) * 100) : 0;
+    if (entry.total > 0 && entry.passed === 0) {
+      hasCriticalGap = true;
+    }
+    criticalFindings += entry.total - entry.passed;
+    categories.push({
+      categoryId,
+      name: entry.name,
+      score,
+      probesPassed: entry.passed,
+      probesTotal: entry.total,
+    });
+  }
+  // Sort categories by ID for deterministic output
+  categories.sort((a, b) => a.categoryId.localeCompare(b.categoryId));
+  // Overall: average of category scores
+  let overallScore = categories.length > 0
+    ? Math.round(categories.reduce((sum, c) => sum + c.score, 0) / categories.length)
+    : 0;
+  // Critical cap
+  if (hasCriticalGap) {
+    overallScore = Math.min(overallScore, 49);
+  }
+  const grade = resolveGrade(overallScore);
+  return Object.freeze({
+    score: overallScore,
+    grade,
+    categories: Object.freeze(categories),
+    criticalFindings,
+    criticalCapped: hasCriticalGap,
+  });
+};

package/src/domain/scanner/source-filter.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { CODE_EXTENSIONS, STYLE_EXTENSIONS, EXCLUDED_DIRS } from './constants.js';
+/** Extensions considered source files for L4 pattern matching (code + vue/html). */
+const SCANNABLE_EXTENSIONS: ReadonlySet<string> = new Set([...CODE_EXTENSIONS, ...STYLE_EXTENSIONS]);
+export const isSourceFile = (relativePath: string, extension: string): boolean => {
+  if (!SCANNABLE_EXTENSIONS.has(extension)) return false;
+  const parts = relativePath.split('/');
+  if (parts.some((part) => EXCLUDED_DIRS.has(part))) return false;
+  const filename = parts[parts.length - 1] ?? '';
+  if (/\.(test|spec)\.\w+$/.test(filename)) return false;
+  return true;
+};
+export const getLineNumber = (content: string, index: number): number => {
+  let line = 1;
+  for (let i = 0; i < index && i < content.length; i++) {
+    if (content[i] === '\n') line++;
+  }
+  return line;
+};

package/src/domain/scanner/validators.ts ADDED Viewed

@@ -0,0 +1,223 @@
+import type { DocumentValidator } from './layers/layer2-docs.js';
+import { TEMPLATE_REGISTRY } from '../../data/template-registry.js';
+/**
+ * Map from L2 validator document name → template-registry docType.
+ * Only entries where names differ need explicit mapping;
+ * for identical names the lookup falls through to direct match.
+ */
+const VALIDATOR_TO_DOCTYPE: Record<string, string> = {
+  'tech-documentation': 'technical-documentation',
+  'declaration-conformity': 'declaration-of-conformity',
+};
+/** Look up obligation/article from template-registry (single source of truth). */
+const fromRegistry = (document: string): { obligation: string; article: string } | undefined => {
+  const docType = VALIDATOR_TO_DOCTYPE[document] ?? document;
+  const entry = TEMPLATE_REGISTRY.find((e) => e.docType === docType);
+  if (!entry) return undefined;
+  return { obligation: entry.obligationId, article: entry.article };
+};
+/** Helper to build a validator, deriving obligation/article from registry when available. */
+const v = (
+  document: string,
+  file_patterns: readonly string[],
+  required_sections: DocumentValidator['required_sections'],
+  fallback?: { obligation: string; article: string },
+): DocumentValidator => {
+  const registry = fromRegistry(document);
+  const { obligation, article } = registry ?? fallback ?? { obligation: '', article: '' };
+  return { document, obligation, article, file_patterns, required_sections };
+};
+export const DOCUMENT_VALIDATORS: readonly DocumentValidator[] = [
+  v('ai-literacy',
+    ['AI-LITERACY.md', 'AI_LITERACY.md', 'ai-literacy.md', 'ai-literacy-policy.md'],
+    [
+      { title: 'Training Program', required: true },
+      { title: 'Training Levels', required: true },
+      { title: 'Assessment Methods', required: true },
+      { title: 'Record Keeping', required: false },
+      { title: 'Roles and Responsibilities', required: false },
+    ],
+  ),
+  v('art5-screening',
+    ['ART5-SCREENING.md', 'ART5_SCREENING.md', 'art5-screening.md', 'prohibited-practices.md'],
+    [
+      { title: 'Prohibited Practices', required: true },
+      { title: 'Screening Results', required: true },
+      { title: 'Mitigations', required: true },
+      { title: 'Risk Assessment', required: false },
+      { title: 'Review Schedule', required: false },
+    ],
+  ),
+  v('tech-documentation',
+    [
+      'TECH-DOCUMENTATION.md', 'TECH_DOCUMENTATION.md', 'tech-documentation.md',
+      'technical-documentation.md', 'TECHNICAL-DOCUMENTATION.md',
+    ],
+    [
+      { title: 'General Description', required: true },
+      { title: 'System Elements', required: true },
+      { title: 'Monitoring, Functioning and Control', required: true },
+      { title: 'Validation and Testing', required: true },
+      { title: 'Accuracy, Robustness and Cybersecurity', required: true },
+      { title: 'Risk Management', required: false },
+      { title: 'Changes Throughout Lifecycle', required: false },
+      { title: 'Standards and Conformity', required: false },
+    ],
+  ),
+  v('monitoring-policy',
+    ['MONITORING-POLICY.md', 'MONITORING_POLICY.md', 'monitoring-policy.md', 'ai-monitoring-policy.md'],
+    [
+      { title: 'Monitoring Scope', required: true },
+      { title: 'Frequency', required: true },
+      { title: 'Escalation Procedures', required: true },
+      { title: 'Responsible Parties', required: false },
+      { title: 'Reporting Requirements', required: false },
+    ],
+  ),
+  v('worker-notification',
+    ['WORKER-NOTIFICATION.md', 'WORKER_NOTIFICATION.md', 'worker-notification.md', 'employee-ai-notification.md'],
+    [
+      { title: 'Notification Scope', required: true },
+      { title: 'Affected Workers', required: true },
+      { title: 'Timeline', required: true },
+      { title: 'Delivery Tracking', required: true },
+      { title: 'Worker Rights', required: false },
+      { title: 'Acknowledgment', required: false },
+    ],
+  ),
+  v('fria',
+    ['FRIA.md', 'fria.md', 'fundamental-rights-impact-assessment.md', 'FUNDAMENTAL-RIGHTS-IMPACT-ASSESSMENT.md'],
+    [
+      { title: 'Risk Assessment', required: true },
+      { title: 'Impact Analysis', required: true },
+      { title: 'Mitigation Measures', required: true },
+      { title: 'Stakeholder Consultation', required: false },
+      { title: 'Monitoring Plan', required: false },
+    ],
+  ),
+  v('declaration-conformity',
+    [
+      'DECLARATION-OF-CONFORMITY.md', 'DECLARATION_OF_CONFORMITY.md',
+      'declaration-of-conformity.md', 'declaration-conformity.md', 'CONFORMITY.md',
+    ],
+    [
+      { title: 'Conformity Statement', required: true },
+      { title: 'Standards Applied', required: true },
+      { title: 'Evidence', required: true },
+      { title: 'Signatory', required: false },
+      { title: 'Date of Declaration', required: false },
+    ],
+  ),
+  v('incident-report',
+    ['INCIDENT-REPORT.md', 'INCIDENT_REPORT.md', 'incident-report.md', 'ai-incident-report.md'],
+    [
+      { title: 'Incident Description', required: true },
+      { title: 'Root Cause', required: true },
+      { title: 'Corrective Measures', required: true },
+      { title: 'Timeline of Events', required: true },
+      { title: 'Affected Persons', required: false },
+      { title: 'Lessons Learned', required: false },
+    ],
+  ),
+  v('risk-management',
+    [
+      'RISK-MANAGEMENT.md', 'RISK_MANAGEMENT.md', 'risk-management.md',
+      'RISK-REGISTER.md', 'risk-register.md', 'risk-management-system.md',
+    ],
+    [
+      { title: 'Known Risks', required: true },
+      { title: 'Misuse Scenarios', required: true },
+      { title: 'Residual Risk Assessment', required: true },
+      { title: 'Test Results', required: false },
+      { title: 'Mitigation Measures', required: false },
+    ],
+  ),
+  v('data-governance',
+    [
+      'DATA-GOVERNANCE.md', 'DATA_GOVERNANCE.md', 'data-governance.md',
+      'DATA-QUALITY.md', 'data-quality.md', 'data-governance-policy.md',
+    ],
+    [
+      { title: 'Data Sources', required: true },
+      { title: 'Collection Methods', required: true },
+      { title: 'Quality Metrics', required: true },
+      { title: 'Bias Analysis', required: false },
+      { title: 'Representativeness', required: false },
+    ],
+  ),
+  v('qms',
+    [
+      'QMS.md', 'QUALITY-MANAGEMENT.md', 'quality-management-system.md',
+      'QUALITY_MANAGEMENT.md', 'qms-policy.md',
+    ],
+    [
+      { title: 'Compliance Strategy', required: true },
+      { title: 'Design Control', required: true },
+      { title: 'Testing Procedures', required: true },
+      { title: 'Data Management', required: false },
+      { title: 'Resource Management', required: false },
+    ],
+  ),
+  v('instructions-for-use',
+    [
+      'INSTRUCTIONS-FOR-USE.md', 'INSTRUCTIONS_FOR_USE.md', 'instructions-for-use.md',
+      'AI-INSTRUCTIONS.md', 'ai-system-instructions.md',
+    ],
+    [
+      { title: 'Intended Purpose', required: true },
+      { title: 'Capabilities', required: true },
+      { title: 'Limitations', required: true },
+      { title: 'Performance Metrics', required: false },
+      { title: 'Human Oversight Instructions', required: false },
+    ],
+  ),
+  // --- Annex III domain-specific policy validators (no template-registry match) ---
+  v('biometrics-ai-policy',
+    [
+      'biometrics-ai-policy.md', 'BIOMETRICS-AI-POLICY.md',
+      'biometrics-policy.md', 'biometric-ai-policy.md',
+    ],
+    [
+      { title: 'Art. 5 Compliance', required: true },
+      { title: 'Bias and Fairness', required: true },
+      { title: 'Data Governance', required: true },
+      { title: 'Human Oversight', required: false },
+      { title: 'Transparency', required: false },
+    ],
+    { obligation: 'eu-ai-act-OBL-003', article: 'Art. 6(2)' },
+  ),
+  v('critical-infra-ai-policy',
+    [
+      'critical-infra-ai-policy.md', 'CRITICAL-INFRA-AI-POLICY.md',
+      'critical-infrastructure-ai-policy.md', 'infrastructure-ai-policy.md',
+    ],
+    [
+      { title: 'Resilience and Redundancy', required: true },
+      { title: 'Cybersecurity', required: true },
+      { title: 'Safety Function', required: true },
+      { title: 'Human Oversight', required: false },
+      { title: 'Incident Response', required: false },
+    ],
+    { obligation: 'eu-ai-act-OBL-003', article: 'Art. 6(2)' },
+  ),
+  v('migration-ai-policy',
+    [
+      'migration-ai-policy.md', 'MIGRATION-AI-POLICY.md',
+      'border-control-ai-policy.md', 'asylum-ai-policy.md',
+    ],
+    [
+      { title: 'Fundamental Rights', required: true },
+      { title: 'Non-Discrimination', required: true },
+      { title: 'Human Oversight', required: true },
+      { title: 'Transparency', required: false },
+      { title: 'Data Governance', required: false },
+    ],
+    { obligation: 'eu-ai-act-OBL-008', article: 'Art. 6(2)' },
+  ),
+] as const;

package/src/domain/shared/compliance-constants.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Shared compliance constants — canonical severity levels and document types.
+ *
+ * Used by cost-estimator, debt-calculator, and simulate-actions to ensure
+ * consistent classification across all compliance calculations.
+ */
+/** Canonical severity levels for compliance findings. */
+export const SEVERITY_LEVELS = ['critical', 'high', 'medium', 'low'] as const;
+export type SeverityLevel = (typeof SEVERITY_LEVELS)[number];
+/** Canonical EU AI Act compliance document types. */
+export const COMPLIANCE_DOC_TYPES = [
+  'fria',
+  'technical-documentation',
+  'worker-notification',
+  'monitoring-policy',
+  'ai-literacy',
+  'declaration-of-conformity',
+  'incident-report',
+] as const;
+export type ComplianceDocType = (typeof COMPLIANCE_DOC_TYPES)[number];
+/** Default LLM cost per 1K tokens (used when model-specific pricing is unavailable). */
+export const DEFAULT_INPUT_COST_PER_1K = 0.003;
+export const DEFAULT_OUTPUT_COST_PER_1K = 0.015;
+/** Default hourly rate for compliance cost estimation (EUR). */
+export const DEFAULT_HOURLY_RATE = 150;
+/** Standard letter-grade thresholds used across all frameworks. */
+export const LETTER_GRADE_THRESHOLDS = [
+  { minScore: 90, grade: 'A' },
+  { minScore: 75, grade: 'B' },
+  { minScore: 60, grade: 'C' },
+  { minScore: 40, grade: 'D' },
+  { minScore: 0, grade: 'F' },
+] as const;
+/** Resolve a numeric score (0–100) to a letter grade. */
+export const resolveGrade = (score: number): string =>
+  LETTER_GRADE_THRESHOLDS.find((t) => score >= t.minScore)?.grade ?? 'F';
+/** EU AI Act full enforcement date (ISO string). */
+export const EU_AI_ACT_DEADLINE_ISO = '2026-08-02';
+/** EU AI Act full enforcement date as Date object. */
+export const EU_AI_ACT_DEADLINE = new Date(`${EU_AI_ACT_DEADLINE_ISO}T00:00:00Z`);

package/src/domain/shared/disclosure-patterns.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Core AI disclosure detection patterns shared across scanner checks.
+ * Used by both source-code scanning (L1 ai-disclosure check) and
+ * external page scanning (L5 runtime checks).
+ */
+/** Patterns detecting AI disclosure text in any context. */
+export const CORE_DISCLOSURE_PATTERNS: readonly RegExp[] = [
+  /\bAI[- ]?powered\b/i,
+  /\bartificial intelligence\b/i,
+  /\bAI[- ]?generated\b/i,
+  /\bpowered by AI\b/i,
+  /\bmachine learning\b/i,
+  /\bAI[- ]?assistant\b/i,
+  /\bAI system\b/i,
+];

package/src/domain/shared/index.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export { SEVERITY_LEVELS, COMPLIANCE_DOC_TYPES, LETTER_GRADE_THRESHOLDS, resolveGrade } from './compliance-constants.js';
+export { DEFAULT_INPUT_COST_PER_1K, DEFAULT_OUTPUT_COST_PER_1K, DEFAULT_HOURLY_RATE } from './compliance-constants.js';
+export { EU_AI_ACT_DEADLINE_ISO, EU_AI_ACT_DEADLINE } from './compliance-constants.js';
+export type { SeverityLevel, ComplianceDocType } from './compliance-constants.js';
+export { CORE_DISCLOSURE_PATTERNS } from './disclosure-patterns.js';
+export { parseDepsFromContext } from './parse-dependencies.js';

package/src/domain/shared/parse-dependencies.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Shared dependency parsing from ScanContext.
+ * Single source of truth — used by passport-service, scan-service, and getSbom.
+ * Filters out node_modules to avoid parsing vendored package.json files.
+ */
+import type { ScanContext } from '../../ports/scanner.port.js';
+import type { ParsedDependency } from '../scanner/layers/layer3-parsers.js';
+import { parsePackageJson, parseRequirementsTxt, parseCargoToml, parseGoMod } from '../scanner/layers/layer3-parsers.js';
+export const parseDepsFromContext = (ctx: ScanContext): readonly ParsedDependency[] => {
+  const allDeps: ParsedDependency[] = [];
+  for (const file of ctx.files) {
+    const filename = file.relativePath.split('/').pop() ?? '';
+    if (filename === 'package.json' && !file.relativePath.includes('node_modules'))
+      allDeps.push(...parsePackageJson(file.content));
+    else if (filename === 'requirements.txt') allDeps.push(...parseRequirementsTxt(file.content));
+    else if (filename === 'Cargo.toml') allDeps.push(...parseCargoToml(file.content));
+    else if (filename === 'go.mod') allDeps.push(...parseGoMod(file.content));
+  }
+  return allDeps;
+};

package/src/domain/supply-chain/dependency-analyzer.ts ADDED Viewed

@@ -0,0 +1,138 @@
+import type { ParsedDependency } from '../scanner/layers/layer3-parsers.js';
+import { isBannedPackage, isAiSdkPackage, BIAS_TESTING_PACKAGES } from '../scanner/rules/banned-packages.js';
+import { REGISTRY_CARDS, findRegistryCard, isGpaiSystemic, getProviderName } from '../../data/registry-cards.js';
+import type { SupplyChainRisk, SupplyChainReport } from './types.js';
+export const SUPPLY_CHAIN_OBLIGATIONS = ['OBL-026', 'OBL-005'] as const;
+const SEVERITY_SCORES: Record<SupplyChainRisk['severity'], number> = {
+  critical: 25,
+  high: 15,
+  medium: 5,
+  low: 1,
+};
+/** Classify a single dependency into risks, SDK flag, and bias-testing flag. */
+const classifyDependency = (dep: ParsedDependency) => {
+  const risks: SupplyChainRisk[] = [];
+  let isAiSdk = false;
+  let isBiasTest = false;
+  const banned = isBannedPackage(dep.name);
+  if (banned) {
+    risks.push({
+      type: 'banned-package',
+      severity: 'critical',
+      packageName: dep.name,
+      packageVersion: dep.version,
+      ecosystem: dep.ecosystem,
+      description: `Banned package "${dep.name}" detected: ${banned.reason}`,
+      articleRef: 'Art.5',
+      obligationId: 'OBL-005',
+    });
+  }
+  const sdkProvider = isAiSdkPackage(dep.name);
+  if (sdkProvider) {
+    isAiSdk = true;
+    // Check if provider has a registry card
+    const providerHasCard = REGISTRY_CARDS.some(
+      (c) => getProviderName(c).toLowerCase() === sdkProvider.toLowerCase(),
+    );
+    if (!providerHasCard) {
+      risks.push({
+        type: 'ai-sdk-no-card',
+        severity: 'low',
+        packageName: dep.name,
+        packageVersion: dep.version,
+        ecosystem: dep.ecosystem,
+        description: `AI SDK "${dep.name}" (${sdkProvider}) has no matching registry card`,
+        articleRef: 'Art.25',
+        obligationId: 'OBL-026',
+      });
+    }
+  }
+  if (BIAS_TESTING_PACKAGES.has(dep.name)) {
+    isBiasTest = true;
+  }
+  return { risks, isAiSdk, isBiasTest };
+};
+export const analyzeSupplyChain = (
+  projectPath: string,
+  dependencies: readonly ParsedDependency[],
+  detectedModels: readonly string[],
+): SupplyChainReport => {
+  const startTime = Date.now();
+  const risks: SupplyChainRisk[] = [];
+  let aiSdkCount = 0;
+  let bannedCount = 0;
+  let hasBiasTesting = false;
+  // Single pass: classify each dependency
+  for (const dep of dependencies) {
+    const result = classifyDependency(dep);
+    risks.push(...result.risks);
+    if (result.isAiSdk) aiSdkCount++;
+    if (result.risks.some((r) => r.type === 'banned-package')) bannedCount++;
+    if (result.isBiasTest) hasBiasTesting = true;
+  }
+  // Flag missing bias testing if AI SDKs are present
+  if (aiSdkCount > 0 && !hasBiasTesting) {
+    risks.push({
+      type: 'missing-bias-testing',
+      severity: 'medium',
+      packageName: '',
+      packageVersion: '',
+      ecosystem: '',
+      description: `${aiSdkCount} AI SDK(s) detected but no bias testing package (fairlearn, aif360, aequitas, etc.)`,
+      articleRef: 'Art.10',
+      obligationId: 'OBL-026',
+    });
+  }
+  // Match detected models to cards and flag systemic risk
+  const matchedCards = detectedModels
+    .map((id) => findRegistryCard(id))
+    .filter((c): c is NonNullable<typeof c> => c !== undefined);
+  for (const card of matchedCards) {
+    if (isGpaiSystemic(card)) {
+      risks.push({
+        type: 'gpai-systemic',
+        severity: 'high',
+        packageName: card.slug,
+        packageVersion: '',
+        ecosystem: getProviderName(card).toLowerCase(),
+        description: `Model "${card.name}" by ${getProviderName(card)} is classified as GPAI with systemic risk (Art.51)`,
+        articleRef: 'Art.51',
+        obligationId: 'OBL-026',
+      });
+    }
+  }
+  // Compute risk score (capped at 100)
+  const riskScore = Math.min(
+    100,
+    risks.reduce((sum, r) => sum + SEVERITY_SCORES[r.severity], 0),
+  );
+  return Object.freeze({
+    projectPath,
+    timestamp: new Date().toISOString(),
+    duration: Date.now() - startTime,
+    totalDependencies: dependencies.length,
+    aiSdkCount,
+    bannedCount,
+    risks: Object.freeze([...risks]),
+    riskScore,
+    detectedModels: Object.freeze([...detectedModels]),
+    registryCards: Object.freeze([...matchedCards]),
+    obligationRefs: Object.freeze([...SUPPLY_CHAIN_OBLIGATIONS]),
+  });
+};

package/src/domain/supply-chain/index.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export { analyzeSupplyChain, SUPPLY_CHAIN_OBLIGATIONS } from './dependency-analyzer.js';
+export type { SupplyChainRisk, SupplyChainReport, SupplyChainRiskType } from './types.js';
+export type { RegistryToolCard, EuAiActModelAssessment } from '../../data/registry-cards.js';