npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/domain/supply-chain/supply-chain.test.ts ADDED Viewed

@@ -0,0 +1,211 @@
+import { describe, it, expect } from 'vitest';
+import { REGISTRY_CARDS, findRegistryCard, findRegistryCardsByProvider, REGISTRY_SLUG_PATTERN, isGpaiSystemic, getProviderName } from '../../data/registry-cards.js';
+import { analyzeSupplyChain, SUPPLY_CHAIN_OBLIGATIONS } from './dependency-analyzer.js';
+import type { ParsedDependency } from '../scanner/layers/layer3-parsers.js';
+// --- Registry Cards Tests ---
+describe('RegistryToolCards', () => {
+  it('contains 10 registry cards', () => {
+    expect(REGISTRY_CARDS).toHaveLength(10);
+  });
+  it('all cards have required fields', () => {
+    for (const card of REGISTRY_CARDS) {
+      expect(card.slug).toBeTruthy();
+      expect(card.name).toBeTruthy();
+      expect(card.provider.name).toBeTruthy();
+      expect(card.capabilities!.length).toBeGreaterThan(0);
+      expect(card.assessments?.['eu-ai-act']?.training_cutoff).toBeTruthy();
+      expect(card.assessments?.['eu-ai-act']?.license).toBeTruthy();
+      expect(card.assessments?.['eu-ai-act']?.limitations!.length).toBeGreaterThan(0);
+      expect(card.assessments?.['eu-ai-act']?.known_risks!.length).toBeGreaterThan(0);
+      expect(card.assessments?.['eu-ai-act']?.risk_reasoning).toBeTruthy();
+    }
+  });
+  it('findRegistryCard returns card by slug', () => {
+    const card = findRegistryCard('gpt-4o');
+    expect(card).toBeDefined();
+    expect(card!.name).toBe('GPT-4o');
+    expect(card!.provider.name).toBe('OpenAI');
+  });
+  it('findRegistryCard returns undefined for unknown slug', () => {
+    expect(findRegistryCard('nonexistent-model')).toBeUndefined();
+  });
+  it('findRegistryCardsByProvider filters correctly', () => {
+    const anthropicCards = findRegistryCardsByProvider('Anthropic');
+    expect(anthropicCards).toHaveLength(2);
+    for (const card of anthropicCards) {
+      expect(card.provider.name).toBe('Anthropic');
+    }
+  });
+  it('REGISTRY_SLUG_PATTERN matches known model slugs', () => {
+    const text = 'Using gpt-4o and claude-sonnet-4 models';
+    const matches = [...text.matchAll(new RegExp(REGISTRY_SLUG_PATTERN.source, 'g'))].map((m) => m[0]);
+    expect(matches).toContain('gpt-4o');
+    expect(matches).toContain('claude-sonnet-4');
+  });
+  it('REGISTRY_SLUG_PATTERN does not false-positive on embedded substrings', () => {
+    const text = 'ratio1 protocol1 foo1bar';
+    const matches = [...text.matchAll(new RegExp(REGISTRY_SLUG_PATTERN.source, 'g'))];
+    expect(matches).toHaveLength(0);
+  });
+  it('REGISTRY_SLUG_PATTERN is derived from REGISTRY_CARDS data', () => {
+    for (const card of REGISTRY_CARDS) {
+      const text = `model: ${card.slug}`;
+      const matches = [...text.matchAll(new RegExp(REGISTRY_SLUG_PATTERN.source, 'g'))].map((m) => m[0]);
+      expect(matches).toContain(card.slug);
+    }
+  });
+  it('isGpaiSystemic correctly identifies systemic risk', () => {
+    const gpt4o = findRegistryCard('gpt-4o')!;
+    expect(isGpaiSystemic(gpt4o)).toBe(true);
+    const gpt4oMini = findRegistryCard('gpt-4o-mini')!;
+    expect(isGpaiSystemic(gpt4oMini)).toBe(false);
+  });
+  it('getProviderName extracts provider name', () => {
+    const card = findRegistryCard('gpt-4o')!;
+    expect(getProviderName(card)).toBe('OpenAI');
+    const mistral = findRegistryCard('mistral-large')!;
+    expect(getProviderName(mistral)).toBe('Mistral AI');
+  });
+});
+// --- Analyzer Tests ---
+describe('analyzeSupplyChain', () => {
+  it('returns zero risk for empty dependencies', () => {
+    const report = analyzeSupplyChain('/test', [], []);
+    expect(report.totalDependencies).toBe(0);
+    expect(report.aiSdkCount).toBe(0);
+    expect(report.bannedCount).toBe(0);
+    expect(report.risks).toHaveLength(0);
+    expect(report.riskScore).toBe(0);
+  });
+  it('detects banned packages as critical risk', () => {
+    const deps: ParsedDependency[] = [
+      { name: 'clearview-ai', version: '1.0.0', ecosystem: 'npm' },
+    ];
+    const report = analyzeSupplyChain('/test', deps, []);
+    expect(report.bannedCount).toBe(1);
+    expect(report.risks.length).toBeGreaterThanOrEqual(1);
+    const bannedRisk = report.risks.find((r) => r.type === 'banned-package');
+    expect(bannedRisk).toBeDefined();
+    expect(bannedRisk!.severity).toBe('critical');
+    expect(bannedRisk!.articleRef).toBe('Art.5');
+  });
+  it('counts AI SDK packages', () => {
+    const deps: ParsedDependency[] = [
+      { name: 'openai', version: '4.0.0', ecosystem: 'npm' },
+      { name: '@anthropic-ai/sdk', version: '1.0.0', ecosystem: 'npm' },
+      { name: 'express', version: '4.18.0', ecosystem: 'npm' },
+    ];
+    const report = analyzeSupplyChain('/test', deps, []);
+    expect(report.aiSdkCount).toBe(2);
+    expect(report.totalDependencies).toBe(3);
+  });
+  it('flags missing bias testing when AI SDKs present', () => {
+    const deps: ParsedDependency[] = [
+      { name: 'openai', version: '4.0.0', ecosystem: 'npm' },
+    ];
+    const report = analyzeSupplyChain('/test', deps, []);
+    const biasRisk = report.risks.find((r) => r.type === 'missing-bias-testing');
+    expect(biasRisk).toBeDefined();
+    expect(biasRisk!.severity).toBe('medium');
+  });
+  it('no bias testing warning when bias package present', () => {
+    const deps: ParsedDependency[] = [
+      { name: 'openai', version: '4.0.0', ecosystem: 'npm' },
+      { name: 'fairlearn', version: '0.9.0', ecosystem: 'pip' },
+    ];
+    const report = analyzeSupplyChain('/test', deps, []);
+    const biasRisk = report.risks.find((r) => r.type === 'missing-bias-testing');
+    expect(biasRisk).toBeUndefined();
+  });
+  it('matches detected models to cards', () => {
+    const report = analyzeSupplyChain('/test', [], ['gpt-4o', 'claude-sonnet-4']);
+    expect(report.registryCards).toHaveLength(2);
+    expect(report.detectedModels).toEqual(['gpt-4o', 'claude-sonnet-4']);
+  });
+  it('flags GPAI systemic models as high risk', () => {
+    const report = analyzeSupplyChain('/test', [], ['gpt-4o']);
+    const systemicRisk = report.risks.find((r) => r.type === 'gpai-systemic');
+    expect(systemicRisk).toBeDefined();
+    expect(systemicRisk!.severity).toBe('high');
+    expect(systemicRisk!.articleRef).toBe('Art.51');
+  });
+  it('computes risk score correctly (capped at 100)', () => {
+    // 5 banned packages = 5 × 25 = 125 → capped at 100
+    const deps: ParsedDependency[] = [
+      { name: 'clearview-ai', version: '1.0', ecosystem: 'npm' },
+      { name: 'social-credit-score', version: '1.0', ecosystem: 'npm' },
+      { name: 'predictive-policing', version: '1.0', ecosystem: 'npm' },
+      { name: 'emotion-recognition', version: '1.0', ecosystem: 'npm' },
+      { name: 'subliminal-ai', version: '1.0', ecosystem: 'npm' },
+    ];
+    const report = analyzeSupplyChain('/test', deps, []);
+    expect(report.riskScore).toBe(100);
+  });
+  it('flags AI SDKs without registry cards', () => {
+    const deps: ParsedDependency[] = [
+      { name: 'replicate', version: '1.0.0', ecosystem: 'npm' },
+    ];
+    const report = analyzeSupplyChain('/test', deps, []);
+    const noCardRisk = report.risks.find((r) => r.type === 'ai-sdk-no-card');
+    expect(noCardRisk).toBeDefined();
+    expect(noCardRisk!.severity).toBe('low');
+    expect(noCardRisk!.packageName).toBe('replicate');
+  });
+});
+// --- Integration Tests ---
+describe('SupplyChain integration', () => {
+  it('report is frozen', () => {
+    const report = analyzeSupplyChain('/test', [], []);
+    expect(Object.isFrozen(report)).toBe(true);
+  });
+  it('obligation refs include OBL-026', () => {
+    const report = analyzeSupplyChain('/test', [], []);
+    expect(report.obligationRefs).toContain('OBL-026');
+    expect(report.obligationRefs).toContain('OBL-005');
+  });
+  it('report has valid structure', () => {
+    const deps: ParsedDependency[] = [
+      { name: 'openai', version: '4.0.0', ecosystem: 'npm' },
+    ];
+    const report = analyzeSupplyChain('/test', deps, ['gpt-4o']);
+    expect(report.projectPath).toBe('/test');
+    expect(report.timestamp).toBeTruthy();
+    expect(typeof report.duration).toBe('number');
+    expect(report.totalDependencies).toBe(1);
+    expect(report.aiSdkCount).toBe(1);
+    expect(report.registryCards.length).toBeGreaterThan(0);
+    expect(report.riskScore).toBeGreaterThanOrEqual(0);
+    expect(report.riskScore).toBeLessThanOrEqual(100);
+  });
+  it('SUPPLY_CHAIN_OBLIGATIONS is correct', () => {
+    expect(SUPPLY_CHAIN_OBLIGATIONS).toEqual(['OBL-026', 'OBL-005']);
+  });
+});

package/src/domain/supply-chain/types.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import type { RegistryToolCard } from '../../data/registry-cards.js';
+export type SupplyChainRiskType =
+  | 'banned-package'
+  | 'ai-sdk-no-card'
+  | 'missing-bias-testing'
+  | 'gpai-systemic';
+export interface SupplyChainRisk {
+  readonly type: SupplyChainRiskType;
+  readonly severity: 'critical' | 'high' | 'medium' | 'low';
+  readonly packageName: string;
+  readonly packageVersion: string;
+  readonly ecosystem: string;
+  readonly description: string;
+  readonly articleRef: string;
+  readonly obligationId: string;
+}
+export interface SupplyChainReport {
+  readonly projectPath: string;
+  readonly timestamp: string;
+  readonly duration: number;
+  readonly totalDependencies: number;
+  readonly aiSdkCount: number;
+  readonly bannedCount: number;
+  readonly risks: readonly SupplyChainRisk[];
+  readonly riskScore: number;
+  readonly detectedModels: readonly string[];
+  readonly registryCards: readonly RegistryToolCard[];
+  readonly obligationRefs: readonly string[];
+}

package/src/domain/whatif/config-fixer.ts ADDED Viewed

@@ -0,0 +1,187 @@
+import type { OnboardingProfile } from '../../onboarding/profile.js';
+export interface GeneratedConfig {
+  readonly type: 'docker-compose' | 'env' | 'ci-cd';
+  readonly filename: string;
+  readonly content: string;
+  readonly description: string;
+  readonly changes: readonly string[];
+}
+export const generateDockerCompose = (profile: OnboardingProfile): GeneratedConfig => {
+  const services: string[] = [];
+  const changes: string[] = [];
+  services.push(`  app:
+    build: .
+    ports:
+      - "3000:3000"
+    environment:
+      - AI_DISCLOSURE_ENABLED=true
+      - AUDIT_LOG_ENABLED=true
+      - COMPLIANCE_MODE=strict
+    depends_on:
+      - audit-db`);
+  changes.push('App service with compliance environment variables');
+  services.push(`  audit-db:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_DB: complior_audit
+      POSTGRES_PASSWORD: \${AUDIT_DB_PASSWORD}
+    volumes:
+      - audit-data:/var/lib/postgresql/data`);
+  changes.push('Audit trail database (PostgreSQL)');
+  if (profile.computed.riskLevel === 'high') {
+    services.push(`  monitoring:
+    image: prom/prometheus:latest
+    ports:
+      - "9090:9090"
+    volumes:
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml`);
+    changes.push('Monitoring service (Prometheus) for high-risk AI');
+  }
+  const content = `# Compliance-enhanced Docker Compose
+# Generated by Complior for ${profile.business.domain} domain (${profile.computed.riskLevel} risk)
+version: "3.9"
+services:
+${services.join('\n\n')}
+volumes:
+  audit-data:
+`;
+  return Object.freeze({
+    type: 'docker-compose',
+    filename: 'docker-compose.compliance.yml',
+    content,
+    description: `Docker Compose with compliance services for ${profile.computed.riskLevel} risk ${profile.business.domain} project`,
+    changes,
+  });
+};
+export const generateEnvExample = (profile: OnboardingProfile): GeneratedConfig => {
+  const lines: string[] = [
+    '# Compliance Environment Variables',
+    `# Generated by Complior for ${profile.business.domain} domain`,
+    '',
+    '# === AI Disclosure (Art. 50) ===',
+    'AI_DISCLOSURE_ENABLED=true',
+    'AI_DISCLOSURE_TEXT="This service uses artificial intelligence"',
+    '',
+    '# === Audit Logging (Art. 12) ===',
+    'AUDIT_LOG_ENABLED=true',
+    'AUDIT_LOG_RETENTION_DAYS=365',
+    'AUDIT_DB_PASSWORD=changeme',
+    '',
+    '# === Human Oversight (Art. 14) ===',
+    'HUMAN_ESCALATION_ENABLED=true',
+    'HUMAN_ESCALATION_THRESHOLD=0.7',
+  ];
+  const changes: string[] = ['AI disclosure toggle', 'Audit logging config', 'Human oversight threshold'];
+  if (profile.computed.riskLevel === 'high') {
+    lines.push(
+      '',
+      '# === High-Risk Monitoring (Art. 9) ===',
+      'MONITORING_ENDPOINT=http://localhost:9090',
+      'BIAS_TESTING_ENABLED=true',
+      'BIAS_TESTING_SCHEDULE=weekly',
+    );
+    changes.push('Monitoring endpoint', 'Bias testing schedule');
+  }
+  if (profile.data.types.includes('personal') || profile.data.types.includes('health')) {
+    lines.push(
+      '',
+      '# === Data Protection ===',
+      'DATA_RETENTION_DAYS=90',
+      'DATA_ENCRYPTION_AT_REST=true',
+      'DATA_ANONYMIZATION_ENABLED=true',
+    );
+    changes.push('Data protection settings');
+  }
+  return Object.freeze({
+    type: 'env',
+    filename: '.env.compliance.example',
+    content: lines.join('\n') + '\n',
+    description: 'Compliance environment variables with defaults',
+    changes,
+  });
+};
+export const generateCIWorkflow = (profile: OnboardingProfile): GeneratedConfig => {
+  const changes: string[] = ['Pre-push compliance scan', 'Weekly audit report'];
+  const content = `# Compliance CI/CD Workflow
+# Generated by Complior
+name: Compliance Check
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 9 * * 1'  # Weekly Monday 9am
+jobs:
+  compliance-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Complior
+        run: npm install -g complior
+      - name: Run Compliance Scan
+        run: complior scan --ci --threshold ${profile.computed.riskLevel === 'high' ? 70 : 50} --sarif results.sarif
+      - name: Upload SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+  weekly-audit:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Complior
+        run: npm install -g complior
+      - name: Generate Audit Report
+        run: complior scan --ci --json > audit-report.json
+      - name: Upload Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: compliance-audit-\${{ github.run_number }}
+          path: audit-report.json
+`;
+  return Object.freeze({
+    type: 'ci-cd',
+    filename: '.github/workflows/compliance-check.yml',
+    content,
+    description: 'GitHub Actions workflow for compliance scanning and weekly audits',
+    changes,
+  });
+};
+export const generateAllConfigs = (profile: OnboardingProfile): readonly GeneratedConfig[] => {
+  return [
+    generateDockerCompose(profile),
+    generateEnvExample(profile),
+    generateCIWorkflow(profile),
+  ];
+};

package/src/domain/whatif/index.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export { generateDockerCompose, generateEnvExample, generateCIWorkflow, generateAllConfigs } from './config-fixer.js';
+export type { GeneratedConfig } from './config-fixer.js';
+export { analyzeScenario } from './scenario-engine.js';
+export type { ScenarioType, WhatIfRequest, WhatIfResult } from './scenario-engine.js';
+export { simulateActions } from './simulate-actions.js';
+export type { SimulationAction, SimulationInput, SimulatedActionResult, SimulationResult } from './simulate-actions.js';

package/src/domain/whatif/scenario-engine.ts ADDED Viewed

@@ -0,0 +1,121 @@
+import type { OnboardingProfile } from '../../onboarding/profile.js';
+import type { ScoreBreakdown } from '../../types/common.types.js';
+export type ScenarioType = 'jurisdiction' | 'tool' | 'risk_level';
+export interface WhatIfRequest {
+  readonly type: ScenarioType;
+  readonly params: Record<string, string>;
+  readonly currentProfile: OnboardingProfile;
+  readonly currentScore: ScoreBreakdown;
+}
+export interface WhatIfResult {
+  readonly scenario: string;
+  readonly scoreDelta: number;
+  readonly projectedScore: number;
+  readonly newObligations: readonly string[];
+  readonly removedObligations: readonly string[];
+  readonly effort: {
+    readonly estimatedWeeks: number;
+    readonly keyTasks: readonly string[];
+  };
+  readonly recommendation: string;
+}
+const JURISDICTION_OBLIGATIONS: Record<string, { count: number; names: readonly string[] }> = {
+  UK: { count: 17, names: ['UK AI Safety registration', 'DSIT transparency guidance', 'Post-market monitoring (UK)'] },
+  US: { count: 8, names: ['State-level disclosure', 'FTC AI guidelines', 'Algorithmic accountability'] },
+  'US-CO': { count: 5, names: ['Colorado SB 205 disclosure', 'High-risk AI notice', 'Impact assessment'] },
+  'US-TX': { count: 4, names: ['Texas TRAIGA disclosure', 'AI inventory', 'Consumer notification'] },
+  KR: { count: 6, names: ['Korea AI Basic Act registration', 'Disclosure requirements', 'Risk assessment'] },
+};
+const TOOL_IMPACTS: Record<string, { scoreDelta: number; obligations: readonly string[] }> = {
+  whisper: { scoreDelta: -5, obligations: ['Audio data retention', 'Consent for audio', 'Transcription accuracy'] },
+  'dall-e': { scoreDelta: -8, obligations: ['Art. 50.2 content marking', 'C2PA metadata', 'Deepfake labeling'] },
+  elevenlabs: { scoreDelta: -10, obligations: ['Art. 50.4 deepfake disclosure', 'Voice cloning consent', 'Content marking'] },
+  stable_diffusion: { scoreDelta: -7, obligations: ['Content marking', 'Model card', 'GPAI transparency'] },
+  midjourney: { scoreDelta: -6, obligations: ['Art. 50.2 image marking', 'Watermark', 'Provenance metadata'] },
+};
+const RISK_LEVEL_CHANGES: Record<string, { scoreDelta: number; addedObligations: number; keyChanges: readonly string[] }> = {
+  'limited_to_high': { scoreDelta: -20, addedObligations: 25, keyChanges: ['Conformity assessment required', 'FRIA mandatory', 'Bias testing', 'QMS documentation', 'Post-market monitoring'] },
+  'minimal_to_limited': { scoreDelta: -10, addedObligations: 12, keyChanges: ['Art. 50 transparency', 'Disclosure to users', 'Content marking'] },
+  'high_to_limited': { scoreDelta: 15, addedObligations: -20, keyChanges: ['Conformity assessment no longer required', 'Reduced documentation', 'Simplified monitoring'] },
+  'limited_to_minimal': { scoreDelta: 8, addedObligations: -10, keyChanges: ['Minimal obligations only', 'No disclosure required'] },
+};
+export const analyzeScenario = (request: WhatIfRequest): WhatIfResult => {
+  const { type, params, currentProfile, currentScore } = request;
+  const baseScore = currentScore.totalScore;
+  if (type === 'jurisdiction') {
+    const newJurisdiction = params['jurisdiction'] ?? 'UK';
+    const impact = JURISDICTION_OBLIGATIONS[newJurisdiction] ?? { count: 5, names: ['Additional local requirements'] };
+    const scoreDelta = -Math.round(impact.count * 0.8);
+    return {
+      scenario: `Jurisdiction expansion: ${currentProfile.jurisdiction.primary} → ${currentProfile.jurisdiction.primary} + ${newJurisdiction}`,
+      scoreDelta,
+      projectedScore: Math.max(0, baseScore + scoreDelta),
+      newObligations: impact.names,
+      removedObligations: [],
+      effort: {
+        estimatedWeeks: Math.ceil(impact.count / 5),
+        keyTasks: impact.names.slice(0, 3),
+      },
+      recommendation: `Adding ${newJurisdiction} jurisdiction adds ~${impact.count} obligations. Estimated ${Math.ceil(impact.count / 5)} weeks for compliance.`,
+    };
+  }
+  if (type === 'tool') {
+    const toolName = params['tool']?.toLowerCase() ?? '';
+    const impact = TOOL_IMPACTS[toolName] ?? { scoreDelta: -3, obligations: ['Review compliance requirements for new tool'] };
+    return {
+      scenario: `Add AI tool: ${params['tool'] ?? 'unknown'}`,
+      scoreDelta: impact.scoreDelta,
+      projectedScore: Math.max(0, baseScore + impact.scoreDelta),
+      newObligations: impact.obligations,
+      removedObligations: [],
+      effort: {
+        estimatedWeeks: Math.ceil(impact.obligations.length / 2),
+        keyTasks: impact.obligations.slice(0, 3),
+      },
+      recommendation: `Adding ${params['tool'] ?? 'this tool'} requires ${impact.obligations.length} additional compliance measures.`,
+    };
+  }
+  if (type === 'risk_level') {
+    const from = currentProfile.computed.riskLevel;
+    const to = params['level'] ?? 'high';
+    const key = `${from}_to_${to}`;
+    const impact = RISK_LEVEL_CHANGES[key] ?? { scoreDelta: -10, addedObligations: 10, keyChanges: ['Review all obligations for new risk level'] };
+    return {
+      scenario: `Risk level change: ${from} → ${to}`,
+      scoreDelta: impact.scoreDelta,
+      projectedScore: Math.max(0, Math.min(100, baseScore + impact.scoreDelta)),
+      newObligations: impact.keyChanges.filter((_, i) => impact.addedObligations > 0 ? true : i >= Math.abs(impact.addedObligations)),
+      removedObligations: impact.addedObligations < 0 ? impact.keyChanges.slice(0, Math.abs(impact.addedObligations)) : [],
+      effort: {
+        estimatedWeeks: Math.abs(impact.addedObligations) > 15 ? 6 : 3,
+        keyTasks: impact.keyChanges.slice(0, 3),
+      },
+      recommendation: impact.scoreDelta < 0
+        ? `Upgrading to ${to} risk adds ${Math.abs(impact.addedObligations)} obligations. Score impact: ${impact.scoreDelta} points.`
+        : `Downgrading to ${to} risk removes ${Math.abs(impact.addedObligations)} obligations. Score improvement: +${impact.scoreDelta} points.`,
+    };
+  }
+  return {
+    scenario: 'Unknown scenario type',
+    scoreDelta: 0,
+    projectedScore: baseScore,
+    newObligations: [],
+    removedObligations: [],
+    effort: { estimatedWeeks: 0, keyTasks: [] },
+    recommendation: 'Unknown scenario type. Use "jurisdiction", "tool", or "risk_level".',
+  };
+};