@complior/engine 0.9.0

package/src/http/routes/agent.route.ts

@@ -0,0 +1,380 @@
+import { Hono } from 'hono';
+import { z } from 'zod';
+import { ValidationError } from '../../types/errors.js';
+import type { PassportService } from '../../services/passport-service.js';
+import { ALL_DOC_TYPES } from '../../domain/documents/document-generator.js';
+import { parseBody, parseQuery, requireQuery } from '../utils/validation.js';
+
+const AUDIT_EVENT_TYPES = [
+  'passport.created', 'passport.updated', 'passport.exported',
+  'fria.generated', 'scan.completed', 'fix.applied',
+  'evidence.verified', 'worker_notification.generated',
+  'policy.generated',
+  'readiness.computed',
+] as const;
+
+const AuditQuerySchema = z.object({
+  agent: z.string().optional(),
+  since: z.string().optional(),
+  until: z.string().optional(),
+  type: z.enum(AUDIT_EVENT_TYPES).optional(),
+  limit: z.coerce.number().int().positive().optional(),
+});
+
+const InitRequestSchema = z.object({
+  path: z.string().min(1),
+  overrides: z.record(z.unknown()).optional(),
+  force: z.boolean().optional(),
+});
+
+export const createAgentRoute = (passportService: PassportService) => {
+  const app = new Hono();
+
+  app.post('/agent/init', async (c) => {
+    const data = await parseBody(c, InitRequestSchema);
+
+    const result = await passportService.initPassport(
+      data.path,
+      data.overrides,
+      data.force,
+    );
+    return c.json(result);
+  });
+
+  app.get('/agent/list', async (c) => {
+    const path = requireQuery(c, 'path');
+    const manifests = await passportService.listPassports(path);
+    return c.json(manifests);
+  });
+
+  app.get('/agent/show', async (c) => {
+    const path = requireQuery(c, 'path');
+    const name = requireQuery(c, 'name');
+    const manifest = await passportService.showPassport(name, path);
+    if (manifest === null) {
+      throw new ValidationError(`Passport not found: ${name}`);
+    }
+    return c.json(manifest);
+  });
+
+  app.post('/agent/rename', async (c) => {
+    const data = await parseBody(c, z.object({
+      path: z.string().min(1),
+      oldName: z.string().min(1),
+      newName: z.string().min(1),
+    }));
+
+    const result = await passportService.renamePassport(
+      data.oldName,
+      data.newName,
+      data.path,
+    );
+    return c.json(result);
+  });
+
+  // C.S02: Standalone autonomy analysis (per-agent breakdown)
+  app.get('/agent/autonomy', async (c) => {
+    const path = requireQuery(c, 'path');
+
+    // Return per-agent breakdown from existing passports
+    const manifests = await passportService.listPassports(path);
+    if (manifests.length > 0) {
+      const agents = manifests.map(m => ({
+        name: m.name,
+        level: m.autonomy_level,
+        agentType: m.type,
+        evidence: m.autonomy_evidence ?? {
+          human_approval_gates: 0,
+          unsupervised_actions: 0,
+          no_logging_actions: 0,
+          auto_rated: true,
+        },
+      }));
+      // Also include project-level summary
+      const projectAnalysis = await passportService.analyzeProjectAutonomy(path);
+      return c.json({ agents, summary: projectAnalysis });
+    }
+
+    // No passports — return project-level analysis only
+    const result = await passportService.analyzeProjectAutonomy(path);
+    return c.json({ agents: [], summary: result });
+  });
+
+  // C.S07: Passport validation (schema + signature + completeness)
+  app.get('/agent/validate', async (c) => {
+    const path = requireQuery(c, 'path');
+    const name = requireQuery(c, 'name');
+    const result = await passportService.validatePassportByName(name, path);
+    if (result === null) {
+      throw new ValidationError(`Passport not found: ${name}`);
+    }
+    return c.json(result);
+  });
+
+  // C.S09: Passport completeness score
+  app.get('/agent/completeness', async (c) => {
+    const path = requireQuery(c, 'path');
+    const name = requireQuery(c, 'name');
+    const result = await passportService.getPassportCompleteness(name, path);
+    if (result === null) {
+      throw new ValidationError(`Passport not found: ${name}`);
+    }
+    return c.json(result);
+  });
+
+  // C.D01: Generate FRIA from passport
+  app.post('/agent/fria', async (c) => {
+    const data = await parseBody(c, z.object({
+      path: z.string().min(1),
+      name: z.string().min(1),
+      organization: z.string().optional(),
+      assessor: z.string().optional(),
+      impact: z.string().optional(),
+      mitigation: z.string().optional(),
+      approval: z.string().optional(),
+    }));
+
+    const result = await passportService.generateFriaReport(
+      data.name,
+      data.path,
+      {
+        organization: data.organization,
+        assessor: data.assessor,
+        impact: data.impact,
+        mitigation: data.mitigation,
+        approval: data.approval,
+      },
+    );
+    if (result === null) {
+      throw new ValidationError(`Passport not found: ${data.name}`);
+    }
+    return c.json(result);
+  });
+
+  // C.D02: Generate Worker Notification from passport (Art.26(7))
+  app.post('/agent/notify', async (c) => {
+    const data = await parseBody(c, z.object({
+      path: z.string().min(1),
+      name: z.string().min(1),
+      companyName: z.string().optional(),
+      contactName: z.string().optional(),
+      contactEmail: z.string().optional(),
+      contactPhone: z.string().optional(),
+      deploymentDate: z.string().optional(),
+      affectedRoles: z.string().optional(),
+      impactDescription: z.string().optional(),
+    }));
+
+    const result = await passportService.generateWorkerNotification(
+      data.name,
+      data.path,
+      {
+        companyName: data.companyName,
+        contactName: data.contactName,
+        contactEmail: data.contactEmail,
+        contactPhone: data.contactPhone,
+        deploymentDate: data.deploymentDate,
+        affectedRoles: data.affectedRoles,
+        impactDescription: data.impactDescription,
+      },
+    );
+    if (result === null) {
+      throw new ValidationError(`Passport not found: ${data.name}`);
+    }
+    return c.json(result);
+  });
+
+  // C.S08: Export passport to external format (A2A, AIUC-1, NIST)
+  app.get('/agent/export', async (c) => {
+    const path = requireQuery(c, 'path');
+    const name = requireQuery(c, 'name');
+    const format = c.req.query('format');
+
+    const validFormats = ['a2a', 'aiuc-1', 'nist'] as const;
+    const parsed = validFormats.find(f => f === format);
+    if (!parsed) {
+      throw new ValidationError('Invalid "format" — must be a2a, aiuc-1, or nist');
+    }
+
+    const result = await passportService.exportPassportToFormat(name, parsed, path);
+    if (result === null) throw new ValidationError(`Passport not found: ${name}`);
+    return c.json(result);
+  });
+
+  // C.R20: Evidence chain summary
+  app.get('/agent/evidence', async (c) => {
+    const path = requireQuery(c, 'path');
+    return c.json(await passportService.getEvidenceChainSummary(path));
+  });
+
+  // C.R20: Evidence chain verification
+  app.get('/agent/evidence/verify', async (c) => {
+    const path = requireQuery(c, 'path');
+    return c.json(await passportService.verifyEvidenceChain(path));
+  });
+
+  // US-S05-13: Agent Registry — per-agent compliance dashboard
+  app.get('/agent/registry', async (c) => {
+    const path = requireQuery(c, 'path');
+    return c.json(await passportService.getAgentRegistry(path));
+  });
+
+  // US-S05-14: Permissions matrix
+  app.get('/agent/permissions', async (c) => {
+    const path = requireQuery(c, 'path');
+    return c.json(await passportService.getPermissionsMatrix(path));
+  });
+
+  // US-S05-14: Audit trail query
+  app.get('/agent/audit', async (c) => {
+    const data = parseQuery(c, AuditQuerySchema);
+
+    const entries = await passportService.getAuditTrail({
+      agentName: data.agent,
+      since: data.since,
+      until: data.until,
+      eventType: data.type,
+      limit: data.limit,
+    });
+    return c.json(entries);
+  });
+
+  // US-S05-14: Audit trail summary
+  app.get('/agent/audit/summary', async (c) => {
+    return c.json(await passportService.getAuditSummary());
+  });
+
+  // US-S05-15: Generate industry-specific AI usage policy
+  app.post('/agent/policy', async (c) => {
+    const VALID_INDUSTRIES = ['hr', 'finance', 'healthcare', 'education', 'legal'] as const;
+    const data = await parseBody(c, z.object({
+      path: z.string().min(1),
+      name: z.string().min(1),
+      industry: z.enum(VALID_INDUSTRIES),
+      organization: z.string().optional(),
+      approver: z.string().optional(),
+    }));
+
+    const result = await passportService.generatePolicy(
+      data.name,
+      data.industry,
+      data.path,
+      {
+        organization: data.organization,
+        approver: data.approver,
+      },
+    );
+    if (result === null) {
+      throw new ValidationError(`Passport not found: ${data.name}`);
+    }
+    return c.json(result);
+  });
+
+  // US-S05-24: Generate compliance test suite from passport constraints
+  app.post('/agent/test-gen', async (c) => {
+    const data = await parseBody(c, z.object({
+      name: z.string().min(1),
+      path: z.string().optional(),
+    }));
+
+    const result = await passportService.generateTestSuite(data.name, data.path);
+    return c.json(result);
+  });
+
+  // US-S05-19: AIUC-1 Readiness Score
+  app.get('/agent/readiness', async (c) => {
+    const name = requireQuery(c, 'name');
+    const path = c.req.query('path');
+    const result = await passportService.getReadiness(name, path || undefined);
+    if (!result) {
+      throw new ValidationError(`Passport not found: ${name}`);
+    }
+    return c.json(result);
+  });
+
+  // US-S06-11: Import passport from external format (A2A)
+  app.post('/agent/import', async (c) => {
+    const data = await parseBody(c, z.object({
+      format: z.enum(['a2a']),
+      data: z.record(z.unknown()),
+      path: z.string().optional(),
+    }));
+
+    const result = await passportService.importPassport(
+      data.format,
+      data.data,
+      data.path,
+    );
+    return c.json(result);
+  });
+
+  // US-S06-12: Audit package export (tar.gz for auditors)
+  app.get('/agent/audit-package', async (c) => {
+    const path = c.req.query('path');
+    const result = await passportService.generateAuditPackage(path || undefined);
+    return new Response(result.buffer, {
+      headers: {
+        'Content-Type': 'application/gzip',
+        'Content-Disposition': `attachment; filename="complior-audit-${Date.now()}.tar.gz"`,
+      },
+    });
+  });
+
+  // US-S06-12: Audit package metadata (JSON)
+  app.get('/agent/audit-package/meta', async (c) => {
+    const path = c.req.query('path');
+    const result = await passportService.generateAuditPackage(path || undefined);
+    return c.json({
+      manifest: result.manifest,
+      totalFiles: result.totalFiles,
+      sizeBytes: result.buffer.length,
+    });
+  });
+
+  // US-S05-24: Compare passport versions (diff)
+  app.get('/agent/diff', async (c) => {
+    const name = requireQuery(c, 'name');
+    const path = c.req.query('path');
+    const result = await passportService.diffPassport(name, path || undefined);
+    return c.json(result);
+  });
+
+  // US-S06-06: Generate a single compliance document by type
+  app.post('/agent/doc', async (c) => {
+    const data = await parseBody(c, z.object({
+      path: z.string().min(1),
+      name: z.string().min(1),
+      docType: z.enum(ALL_DOC_TYPES),
+      organization: z.string().optional(),
+    }));
+
+    const result = await passportService.generateDocByType(
+      data.name,
+      data.docType,
+      data.path,
+      { organization: data.organization },
+    );
+    if (result === null) {
+      throw new ValidationError(`Passport not found: ${data.name}`);
+    }
+    return c.json(result);
+  });
+
+  // US-S06-06: Generate ALL required compliance documents
+  app.post('/agent/doc/all', async (c) => {
+    const data = await parseBody(c, z.object({
+      path: z.string().min(1),
+      name: z.string().min(1),
+      organization: z.string().optional(),
+    }));
+
+    const result = await passportService.generateAllDocs(
+      data.name,
+      data.path,
+      { organization: data.organization },
+    );
+    return c.json(result);
+  });
+
+  return app;
+};

package/src/http/routes/audit.route.ts

@@ -0,0 +1,66 @@
+/**
+ * Audit Route — combined scan + eval + security assessment.
+ *
+ * POST /audit/run — Run comprehensive audit (scan + eval combined)
+ */
+
+import { Hono } from 'hono';
+import type { EvalService } from '../../services/eval-service.js';
+import type { ScanService } from '../../services/scan-service.js';
+import { AuditOptionsSchema } from '../../domain/eval/types.js';
+import { parseBody } from '../utils/validation.js';
+
+export interface AuditRouteDeps {
+  readonly evalService: EvalService;
+  readonly scanService: ScanService;
+  readonly getProjectPath: () => string;
+}
+
+export const createAuditRoute = (deps: AuditRouteDeps) => {
+  const app = new Hono();
+
+  // POST /audit/run — combined scan + eval
+  app.post('/audit/run', async (c) => {
+    const parsed = await parseBody(c, AuditOptionsSchema);
+
+    const projectPath = parsed.path ?? deps.getProjectPath();
+
+    // Step 1: Static scan
+    const scanResult = await deps.scanService.scan(projectPath);
+
+    // Step 2: Dynamic eval (full = all tests + security)
+    const evalResult = await deps.evalService.runEval({
+      target: parsed.target,
+      full: true,
+      agent: parsed.agent,
+    });
+
+    // Step 3: Combined result
+    const auditResult = {
+      scan: {
+        score: scanResult.score.totalScore,
+        grade: scanResult.score.grade,
+        findings: scanResult.findings.length,
+      },
+      eval: {
+        score: evalResult.overallScore,
+        grade: evalResult.grade,
+        tests: evalResult.totalTests,
+        passed: evalResult.passed,
+        failed: evalResult.failed,
+        securityScore: evalResult.securityScore,
+        securityGrade: evalResult.securityGrade,
+      },
+      combined: {
+        // Weighted: 40% scan + 60% eval
+        score: Math.round(scanResult.score.totalScore * 0.4 + evalResult.overallScore * 0.6),
+        timestamp: new Date().toISOString(),
+        agent: parsed.agent,
+      },
+    };
+
+    return c.json(auditResult);
+  });
+
+  return app;
+};

package/src/http/routes/badge.route.ts

@@ -0,0 +1,23 @@
+import { Hono } from 'hono';
+import type { BadgeService } from '../../services/badge-service.js';
+
+export const createBadgeRoute = (badgeService: BadgeService) => {
+  const app = new Hono();
+
+  // Get badge SVG
+  app.get('/badge', (c) => {
+    const svg = badgeService.getBadgeSvg();
+    if (!svg) {
+      return c.json({ error: 'NO_BADGE', message: 'No scan result available' }, 404);
+    }
+    return c.body(svg, 200, { 'Content-Type': 'image/svg+xml' });
+  });
+
+  // Generate badge + COMPLIANCE.md
+  app.post('/badge/generate', async (c) => {
+    const result = await badgeService.generateBadge();
+    return c.json(result);
+  });
+
+  return app;
+};

package/src/http/routes/cert.route.ts

@@ -0,0 +1,66 @@
+import { Hono } from 'hono';
+import { z } from 'zod';
+import { ValidationError } from '../../types/errors.js';
+import type { PassportService } from '../../services/passport-service.js';
+import type { EvidenceStore } from '../../domain/scanner/evidence-store.js';
+import type { AuditStore } from '../../domain/audit/audit-trail.js';
+import { parseBody, parseQuery } from '../utils/validation.js';
+
+const ReadinessQuerySchema = z.object({
+  path: z.string().min(1),
+  name: z.string().min(1),
+});
+
+const AdversarialRequestSchema = z.object({
+  agent_name: z.string().min(1),
+  test_categories: z.array(z.enum(['prompt_injection', 'bias_detection', 'safety_boundary'])).optional(),
+});
+
+export interface CertRouteDeps {
+  readonly passportService: PassportService;
+  readonly callLlm?: (prompt: string, systemPrompt?: string) => Promise<string>;
+  readonly evidenceStore?: EvidenceStore;
+  readonly auditStore?: AuditStore;
+  readonly getProjectPath: () => string;
+}
+
+export const createCertRoute = (deps: CertRouteDeps) => {
+  const app = new Hono();
+
+  // US-S05-19: AIUC-1 Readiness Score
+  app.get('/cert/readiness', async (c) => {
+    const query = parseQuery(c, ReadinessQuerySchema);
+
+    const result = await deps.passportService.getReadiness(query.name, query.path);
+    if (result === null) {
+      throw new ValidationError(`Passport not found: ${query.name}`);
+    }
+    return c.json(result);
+  });
+
+  // US-S05-20: Adversarial Test Runner
+  app.post('/cert/test/adversarial', async (c) => {
+    const data = await parseBody(c, AdversarialRequestSchema);
+
+    if (!deps.callLlm) {
+      throw new ValidationError('LLM not configured. Set OPENAI_API_KEY, ANTHROPIC_API_KEY, or GOOGLE_GENERATIVE_AI_API_KEY.');
+    }
+
+    const { createTestRunner } = await import('../../domain/certification/test-runner.js');
+    const runner = createTestRunner({
+      callLlm: deps.callLlm,
+      evidenceStore: deps.evidenceStore,
+      auditStore: deps.auditStore,
+      getProjectPath: deps.getProjectPath,
+    });
+
+    const report = await runner.runAdversarialTests(
+      data.agent_name,
+      data.test_categories,
+    );
+
+    return c.json(report);
+  });
+
+  return app;
+};