npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/http/routes/status.route.ts ADDED Viewed

@@ -0,0 +1,66 @@
+import { Hono } from 'hono';
+import type { StatusService } from '../../services/status-service.js';
+import type { LlmPort } from '../../ports/llm.port.js';
+import { envKeyForTaskType, type TaskType } from '../../llm/routing/model-routing.js';
+export interface StatusRouteDeps {
+  readonly statusService: StatusService;
+  readonly llm?: LlmPort;
+}
+export const createStatusRoute = (deps: StatusRouteDeps) => {
+  const { statusService, llm } = deps;
+  const app = new Hono();
+  app.get('/status', (c) => {
+    return c.json(statusService.getStatus());
+  });
+  app.get('/llm/info', (c) => {
+    if (!llm) {
+      return c.json({ error: 'LLM_NOT_CONFIGURED', message: 'No LLM adapter available' }, 404);
+    }
+    const providers = llm.detectProviders();
+    const available = llm.getAvailableProviders();
+    if (available.length === 0) {
+      return c.json({
+        configured: false,
+        providers: providers.map((p) => ({ name: p.name, available: p.available })),
+      });
+    }
+    const taskTypes: readonly TaskType[] = ['classify', 'document-generation', 'code', 'report', 'chat', 'qa'];
+    const tasks: Record<string, { provider: string; modelId: string; reason: string; source: string; envVar?: string }> = {};
+    for (const task of taskTypes) {
+      try {
+        const selection = llm.routeModel(task);
+        const envKey = envKeyForTaskType(task);
+        const hasEnvOverride = !!process.env[envKey];
+        tasks[task] = {
+          provider: selection.provider,
+          modelId: selection.modelId,
+          reason: selection.reason,
+          source: hasEnvOverride ? 'env' : 'default',
+          ...(hasEnvOverride ? { envVar: envKey } : {}),
+        };
+      } catch {
+        // Skip tasks that fail routing
+      }
+    }
+    const providerSource = process.env['COMPLIOR_LLM_PROVIDER'] ? 'env' : 'auto';
+    return c.json({
+      configured: true,
+      activeProvider: available[0]!.name,
+      providerSource,
+      providers: providers.map((p) => ({ name: p.name, available: p.available })),
+      ...tasks,
+    });
+  });
+  return app;
+};

package/src/http/routes/supply-chain.route.ts ADDED Viewed

@@ -0,0 +1,121 @@
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { Hono } from 'hono';
+import { z } from 'zod';
+import { parsePackageJson, parseRequirementsTxt, parseCargoToml, parseGoMod } from '../../domain/scanner/layers/layer3-parsers.js';
+import type { ParsedDependency } from '../../domain/scanner/layers/layer3-parsers.js';
+import { analyzeSupplyChain } from '../../domain/supply-chain/index.js';
+import { createEvidence } from '../../domain/scanner/evidence.js';
+import { REGISTRY_CARDS, REGISTRY_SLUG_PATTERN, getProviderName } from '../../data/registry-cards.js';
+import type { EvidenceStore } from '../../domain/scanner/evidence-store.js';
+import type { AuditStore } from '../../domain/audit/audit-trail.js';
+import { parseBody, parseQuery } from '../utils/validation.js';
+const SupplyChainRequestSchema = z.object({
+  path: z.string().min(1),
+});
+const ModelsQuerySchema = z.object({
+  provider: z.string().optional(),
+});
+export interface SupplyChainRouteDeps {
+  readonly evidenceStore?: EvidenceStore;
+  readonly auditStore?: AuditStore;
+}
+const DEP_FILES = [
+  { file: 'package.json', parser: parsePackageJson },
+  { file: 'requirements.txt', parser: parseRequirementsTxt },
+  { file: 'Cargo.toml', parser: parseCargoToml },
+  { file: 'go.mod', parser: parseGoMod },
+] as const;
+const CONFIG_FILES = ['package.json', '.env', '.env.local', 'config.json', 'config.ts', 'config.js'] as const;
+const tryReadFile = async (path: string): Promise<string | null> => {
+  try {
+    return await readFile(path, 'utf-8');
+  } catch {
+    return null;
+  }
+};
+const collectDependencies = async (projectPath: string): Promise<ParsedDependency[]> => {
+  const deps: ParsedDependency[] = [];
+  for (const { file, parser } of DEP_FILES) {
+    const content = await tryReadFile(join(projectPath, file));
+    if (content) deps.push(...parser(content));
+  }
+  return deps;
+};
+const detectModels = async (projectPath: string): Promise<string[]> => {
+  const models = new Set<string>();
+  for (const file of CONFIG_FILES) {
+    const content = await tryReadFile(join(projectPath, file));
+    if (content) {
+      for (const match of content.matchAll(REGISTRY_SLUG_PATTERN)) {
+        models.add(match[0]);
+      }
+    }
+  }
+  return [...models];
+};
+export const createSupplyChainRoute = (deps: SupplyChainRouteDeps) => {
+  const app = new Hono();
+  app.post('/supply-chain', async (c) => {
+    const data = await parseBody(c, SupplyChainRequestSchema);
+    const projectPath = data.path;
+    const allDeps = await collectDependencies(projectPath);
+    const detectedModels = await detectModels(projectPath);
+    const report = analyzeSupplyChain(projectPath, allDeps, detectedModels);
+    // Persist report
+    const reportsDir = join(projectPath, '.complior', 'reports');
+    await mkdir(reportsDir, { recursive: true });
+    const ts = new Date().toISOString().replace(/[:.]/g, '-');
+    const reportPath = join(reportsDir, `supply-chain-${ts}.json`);
+    await writeFile(reportPath, JSON.stringify(report, null, 2));
+    // Evidence chain (one entry per risk)
+    if (deps.evidenceStore && report.risks.length > 0) {
+      const evidenceItems = report.risks.map((risk, i) =>
+        createEvidence(`supply-chain-${i}`, 'L3', 'supply-chain', {
+          snippet: risk.description,
+          file: risk.packageName || undefined,
+        }),
+      );
+      await deps.evidenceStore.append(evidenceItems, `supply-chain-${Date.now()}`);
+    }
+    // Audit trail
+    if (deps.auditStore) {
+      await deps.auditStore.append('supply-chain.audited', {
+        projectPath,
+        totalDependencies: report.totalDependencies,
+        riskScore: report.riskScore,
+        risksCount: report.risks.length,
+        reportPath,
+      });
+    }
+    return c.json(report);
+  });
+  app.get('/supply-chain/models', async (c) => {
+    const query = parseQuery(c, ModelsQuerySchema);
+    const { provider } = query;
+    const cards = provider
+      ? REGISTRY_CARDS.filter((card) => getProviderName(card).toLowerCase() === provider.toLowerCase())
+      : REGISTRY_CARDS;
+    return c.json({ models: cards, total: cards.length });
+  });
+  return app;
+};

package/src/http/routes/sync.route.ts ADDED Viewed

@@ -0,0 +1,328 @@
+import { Hono } from 'hono';
+import { readFile, readdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { z } from 'zod';
+import { createSaasClient, type SyncPassportPayload, type SyncDocPayload } from '../../infra/saas-client.js';
+import type { AgentPassport } from '../../types/passport.types.js';
+import type { ScanResult } from '../../types/common.types.js';
+import type { PassportService } from '../../services/passport-service.js';
+import type { AuditFilter, AuditEntry } from '../../domain/audit/audit-trail.js';
+import { mapDomain } from '../../domain/passport/builder/domain-mapper.js';
+import { createLogger } from '../../infra/logger.js';
+import { parseBody } from '../utils/validation.js';
+const log = createLogger('sync');
+const parseManifest = (raw: string): AgentPassport | null => {
+  const parsed: unknown = JSON.parse(raw);
+  if (typeof parsed !== 'object' || parsed === null) return null;
+  if (!('name' in parsed) || typeof parsed.name !== 'string') return null;
+  // Validated: has required `name` field — safe to treat as manifest
+  return parsed as AgentPassport;
+};
+const SyncRequestSchema = z.object({
+  token: z.string().min(1),
+  saasUrl: z.string().url('saasUrl is required — set PROJECT_API_URL or run `complior login`'),
+});
+// Map AgentPassport risk_class to SaaS riskLevel
+const mapRiskLevel = (riskClass?: string): string | undefined => {
+  if (!riskClass) return undefined;
+  const map: Record<string, string> = {
+    L1: 'minimal', L2: 'limited', L3: 'limited', L4: 'high', L5: 'high',
+    minimal: 'minimal', limited: 'limited', high: 'high', prohibited: 'prohibited',
+  };
+  return map[riskClass] ?? undefined;
+};
+// Map manifest to SaaS passport payload
+const mapPassport = (manifest: AgentPassport): SyncPassportPayload => ({
+  name: manifest.name,
+  vendorName: manifest.owner?.team ?? '',
+  vendorUrl: manifest.owner?.contact ?? undefined,
+  description: manifest.description,
+  purpose: manifest.disclosure?.disclosure_text ?? '',
+  domain: mapDomain(manifest),
+  riskLevel: mapRiskLevel(manifest.compliance?.eu_ai_act?.risk_class),
+  slug: manifest.agent_id,
+  detectionPatterns: manifest.permissions?.tools ?? [],
+  versions: { cli: manifest.version, manifest: manifest.manifest_version },
+  autonomyLevel: manifest.autonomy_level,
+  framework: manifest.framework,
+  modelProvider: manifest.model?.provider,
+  modelId: manifest.model?.model_id,
+  dataResidency: manifest.model?.data_residency ?? undefined,
+  lifecycleStatus: manifest.lifecycle?.status ?? undefined,
+  compliorScore: manifest.compliance?.complior_score != null ? Math.round(manifest.compliance.complior_score) : undefined,
+  manifestVersion: manifest.manifest_version,
+  signature: manifest.signature,
+  extendedFields: {
+    owner: manifest.owner,
+    constraints: manifest.constraints,
+    permissions: manifest.permissions,
+    logging: manifest.logging,
+    interop: manifest.interop,
+    source: manifest.source,
+    autonomy_evidence: manifest.autonomy_evidence,
+  },
+});
+// Document type mapping: CLI file patterns to SaaS document types
+const DOC_TYPE_MAP: Record<string, string> = {
+  'ai-literacy-policy': 'usage_policy',
+  'art5-screening-report': 'risk_assessment',
+  'technical-documentation': 'qms_template',
+  'monitoring-policy': 'monitoring_plan',
+  'worker-notification': 'employee_notification',
+  'fria': 'fria',
+  'declaration-of-conformity': 'transparency_notice',
+  'incident-report': 'incident_report',
+};
+interface SyncRouteDeps {
+  readonly getProjectPath: () => string;
+  readonly getLastScan: () => ScanResult | null;
+  readonly passportService?: PassportService;
+  readonly getAuditEntries?: (filter: AuditFilter) => Promise<readonly AuditEntry[]>;
+}
+export const createSyncRoute = (deps: SyncRouteDeps) => {
+  const app = new Hono();
+  // POST /sync/passport — push all passports to SaaS
+  app.post('/sync/passport', async (c) => {
+    const { token, saasUrl } = await parseBody(c, SyncRequestSchema);
+    const client = createSaasClient(saasUrl);
+    const projectPath = deps.getProjectPath();
+    const agentsDir = join(projectPath, '.complior', 'agents');
+    let files: string[];
+    try {
+      files = (await readdir(agentsDir)).filter((f) => f.endsWith('-manifest.json'));
+    } catch {
+      return c.json({ synced: 0, created: 0, updated: 0, conflicts: 0, results: [], message: 'No passports found' });
+    }
+    const results: Record<string, unknown>[] = [];
+    let created = 0;
+    let updated = 0;
+    let conflicts = 0;
+    for (const file of files) {
+      try {
+        const content = await readFile(join(agentsDir, file), 'utf-8');
+        const manifest = parseManifest(content);
+        if (!manifest) { results.push({ name: file, action: 'error', error: 'Invalid manifest' }); continue; }
+        const payload = mapPassport(manifest);
+        const result = await client.syncPassport(token, payload);
+        results.push({ name: manifest.name, ...result });
+        if (result.action === 'created') created++;
+        if (result.action === 'updated') updated++;
+        if (Array.isArray(result.conflicts) && result.conflicts.length > 0) conflicts++;
+      } catch (err) {
+        log.error(`Failed to sync passport ${file}:`, err);
+        results.push({ name: file, action: 'error', error: String(err) });
+      }
+    }
+    return c.json({ synced: files.length, created, updated, conflicts, results });
+  });
+  // POST /sync/scan — push last scan results to SaaS
+  app.post('/sync/scan', async (c) => {
+    const { token, saasUrl } = await parseBody(c, SyncRequestSchema);
+    const client = createSaasClient(saasUrl);
+    const lastScan = deps.getLastScan();
+    if (!lastScan) {
+      return c.json({ processed: 0, tools: [], message: 'No scan results. Run a scan first.' });
+    }
+    // Read passports for tool detection
+    const projectPath = deps.getProjectPath();
+    const agentsDir2 = join(projectPath, '.complior', 'agents');
+    const toolsDetected: { name: string; version?: string; vendor?: string; category?: string }[] = [];
+    try {
+      const files = (await readdir(agentsDir2)).filter((f) => f.endsWith('-manifest.json'));
+      for (const file of files) {
+        try {
+          const content = await readFile(join(agentsDir2, file), 'utf-8');
+          const manifest = parseManifest(content);
+          if (!manifest) continue;
+          toolsDetected.push({
+            name: manifest.name,
+            version: manifest.version,
+            vendor: manifest.owner?.team,
+            category: manifest.type,
+          });
+        } catch (parseErr) { log.debug(`Skipping invalid passport ${file}:`, parseErr); }
+      }
+    } catch { /* no passports dir — expected when no agents discovered */ }
+    if (toolsDetected.length === 0) {
+      toolsDetected.push({ name: 'unknown-project', category: 'other' });
+    }
+    const payload = {
+      projectPath,
+      score: lastScan.score?.totalScore,
+      findings: lastScan.findings?.map((f) => ({
+        severity: f.severity ?? 'info',
+        message: f.message ?? '',
+        tool: f.checkId,
+      })) ?? [],
+      toolsDetected,
+    };
+    const result = await client.syncScan(token, payload);
+    return c.json(result);
+  });
+  // POST /sync/fria — push structured FRIA assessments to SaaS
+  app.post('/sync/fria', async (c) => {
+    const { token, saasUrl } = await parseBody(c, SyncRequestSchema);
+    const client = createSaasClient(saasUrl);
+    const projectPath = deps.getProjectPath();
+    const reportsDir = join(projectPath, '.complior', 'reports');
+    let friaFiles: string[];
+    try {
+      friaFiles = (await readdir(reportsDir)).filter((f) => f.startsWith('fria-') && f.endsWith('.json'));
+    } catch {
+      return c.json({ synced: 0, created: 0, updated: 0, results: [], message: 'No FRIA reports found' });
+    }
+    const results: Record<string, unknown>[] = [];
+    let created = 0;
+    let updated = 0;
+    for (const file of friaFiles) {
+      try {
+        const content = await readFile(join(reportsDir, file), 'utf-8');
+        const payload: Record<string, unknown> = JSON.parse(content);
+        const result = await client.syncFria(token, payload);
+        const name = (payload['toolSlug'] as string) ?? file;
+        results.push({ name, ...result });
+        if (result.action === 'created') created++;
+        if (result.action === 'updated') updated++;
+      } catch (err) {
+        log.error(`Failed to sync FRIA ${file}:`, err);
+        results.push({ name: file, action: 'error', error: String(err) });
+      }
+    }
+    return c.json({ synced: friaFiles.length, created, updated, results });
+  });
+  // POST /sync/documents — push compliance docs to SaaS
+  app.post('/sync/documents', async (c) => {
+    const { token, saasUrl } = await parseBody(c, SyncRequestSchema);
+    const client = createSaasClient(saasUrl);
+    const projectPath = deps.getProjectPath();
+    const reportsDir = join(projectPath, '.complior', 'reports');
+    let files: string[];
+    try {
+      files = (await readdir(reportsDir)).filter((f) => f.endsWith('.md'));
+    } catch {
+      return c.json({ synced: 0, created: 0, updated: 0, results: [], message: 'No compliance docs found' });
+    }
+    const documents: SyncDocPayload[] = [];
+    for (const file of files) {
+      // Strip fria- prefix and .md extension for type mapping
+      const baseName = file.replace(/^fria-/, '').replace(/-manifest/, '').replace('.md', '');
+      const docType = file.startsWith('fria-') ? 'fria' : DOC_TYPE_MAP[baseName];
+      if (!docType) continue;
+      try {
+        const content = await readFile(join(reportsDir, file), 'utf-8');
+        documents.push({
+          type: docType,
+          title: file.replace('.md', '').replace(/-/g, ' ').replace(/\b\w/g, (ch) => ch.toUpperCase()),
+          content,
+        });
+      } catch {
+        log.warn(`Failed to read doc: ${file}`);
+      }
+    }
+    if (documents.length === 0) {
+      return c.json({ synced: 0, created: 0, updated: 0, results: [], message: 'No mappable docs found' });
+    }
+    const result = await client.syncDocuments(token, documents);
+    return c.json(result);
+  });
+  // POST /sync/audit — push audit trail entries to SaaS
+  app.post('/sync/audit', async (c) => {
+    const { token, saasUrl } = await parseBody(c, SyncRequestSchema);
+    const client = createSaasClient(saasUrl);
+    const entries = deps.getAuditEntries
+      ? await deps.getAuditEntries({})
+      : [];
+    if (entries.length === 0) {
+      return c.json({ synced: 0, message: 'No audit entries to sync' });
+    }
+    const serializable = entries.map(e => ({ ...e }));
+    const result = await client.syncAudit(token, serializable);
+    return c.json(result);
+  });
+  // POST /sync/evidence — push evidence chain summary to SaaS
+  app.post('/sync/evidence', async (c) => {
+    const { token, saasUrl } = await parseBody(c, SyncRequestSchema);
+    const client = createSaasClient(saasUrl);
+    const summary = deps.passportService
+      ? await deps.passportService.getEvidenceChainSummary()
+      : { totalEntries: 0, scanCount: 0, firstEntry: '', lastEntry: '', chainValid: true, uniqueFindings: 0 };
+    const result = await client.syncEvidence(token, { ...summary });
+    return c.json(result);
+  });
+  // POST /sync/registry — push agent registry scores to SaaS
+  app.post('/sync/registry', async (c) => {
+    const { token, saasUrl } = await parseBody(c, SyncRequestSchema);
+    const client = createSaasClient(saasUrl);
+    const entries = deps.passportService
+      ? await deps.passportService.getAgentRegistry()
+      : [];
+    if (entries.length === 0) {
+      return c.json({ synced: 0, message: 'No registry entries to sync' });
+    }
+    const serializable = entries.map(e => ({ ...e }));
+    const result = await client.syncRegistry(token, serializable);
+    return c.json(result);
+  });
+  // GET /sync/status — proxy SaaS sync status
+  app.get('/sync/status', async (c) => {
+    const token = c.req.header('Authorization')?.replace('Bearer ', '') ?? c.req.query('token') ?? '';
+    const saasUrl = c.req.query('saasUrl') ?? '';
+    if (!token || !saasUrl) {
+      return c.json({ authenticated: false, stats: null });
+    }
+    try {
+      const client = createSaasClient(saasUrl);
+      const status = await client.syncStatus(token);
+      return c.json({ authenticated: true, ...status });
+    } catch {
+      return c.json({ authenticated: false, stats: null });
+    }
+  });
+  return app;
+};

package/src/http/routes/tools.route.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { Hono } from 'hono';
+import type { ToolManager } from '../../infra/tool-manager.js';
+export interface ToolsRouteDeps {
+  readonly toolManager: ToolManager;
+}
+export const createToolsRoute = (deps: ToolsRouteDeps) => {
+  const app = new Hono();
+  const { toolManager } = deps;
+  app.get('/tools/status', async (c) => {
+    const uvAvailable = await toolManager.isUvAvailable();
+    const statuses = await toolManager.getToolStatus();
+    return c.json({
+      uvAvailable,
+      tools: statuses,
+    });
+  });
+  app.post('/tools/update', async (c) => {
+    const statuses = await toolManager.updateTools();
+    return c.json({
+      tools: statuses,
+    });
+  });
+  return app;
+};

package/src/http/routes/whatif.route.ts ADDED Viewed

@@ -0,0 +1,96 @@
+import { Hono } from 'hono';
+import { z } from 'zod';
+import { parseBody } from '../utils/validation.js';
+import type { WhatIfRequest, WhatIfResult } from '../../domain/whatif/scenario-engine.js';
+import type { GeneratedConfig } from '../../domain/whatif/config-fixer.js';
+import type { SimulationInput, SimulationResult } from '../../domain/whatif/simulate-actions.js';
+import type { OnboardingProfile } from '../../onboarding/profile.js';
+import type { ScanResult, ScoreBreakdown } from '../../types/common.types.js';
+const WhatIfSchema = z.object({
+  type: z.enum(['jurisdiction', 'tool', 'risk_level']),
+  params: z.record(z.string()),
+});
+const SimulateActionSchema = z.object({
+  type: z.enum(['fix', 'add-doc', 'complete-passport']),
+  target: z.string(),
+});
+const SimulateSchema = z.object({
+  actions: z.array(SimulateActionSchema).min(1),
+  passportCompleteness: z.number().min(0).max(100).optional(),
+});
+export interface WhatIfRouteDeps {
+  readonly loadProfile: () => Promise<OnboardingProfile | null>;
+  readonly getLastScore: () => ScoreBreakdown | null;
+  readonly getLastScan?: () => ScanResult | null;
+  readonly analyzeScenario: (request: WhatIfRequest) => WhatIfResult;
+  readonly generateAllConfigs: (profile: OnboardingProfile) => readonly GeneratedConfig[];
+  readonly simulateActions: (input: SimulationInput) => SimulationResult;
+}
+export const createWhatIfRoute = (deps: WhatIfRouteDeps) => {
+  const app = new Hono();
+  // POST /whatif — analyze a what-if scenario
+  app.post('/whatif', async (c) => {
+    const data = await parseBody(c, WhatIfSchema);
+    const profile = await deps.loadProfile();
+    if (!profile) {
+      return c.json({ error: 'NO_PROFILE', message: 'Run onboarding first (/onboarding/complete)' }, 400);
+    }
+    const score = deps.getLastScore();
+    if (!score) {
+      return c.json({ error: 'NO_SCAN', message: 'Run a scan first (/scan)' }, 400);
+    }
+    const result = deps.analyzeScenario({
+      type: data.type,
+      params: data.params,
+      currentProfile: profile,
+      currentScore: score,
+    });
+    return c.json(result);
+  });
+  // POST /whatif/config — generate compliance configs from profile
+  app.post('/whatif/config', async (c) => {
+    const profile = await deps.loadProfile();
+    if (!profile) {
+      return c.json({ error: 'NO_PROFILE', message: 'Run onboarding first (/onboarding/complete)' }, 400);
+    }
+    const configs = deps.generateAllConfigs(profile);
+    return c.json({ configs });
+  });
+  // POST /simulate — US-S05-25: batch compliance simulation (what-if for fixes/docs/passport)
+  app.post('/simulate', async (c) => {
+    const data = await parseBody(c, SimulateSchema);
+    const scanResult = deps.getLastScan?.();
+    if (!scanResult) {
+      return c.json({ error: 'NO_SCAN', message: 'No scan results available. Run a scan first.' }, 400);
+    }
+    const result = deps.simulateActions({
+      actions: data.actions,
+      currentScore: scanResult.score.totalScore,
+      findings: scanResult.findings.map((f) => ({
+        checkId: f.checkId,
+        severity: f.severity,
+        status: f.type ?? 'fail',
+      })),
+      passportCompleteness: data.passportCompleteness ?? 50,
+    });
+    return c.json(result);
+  });
+  return app;
+};

package/src/http/utils/validation.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * HTTP request validation helpers.
+ * Replaces repeated json().catch() + safeParse() boilerplate in route files.
+ */
+import type { Context } from 'hono';
+import type { ZodType, z } from 'zod';
+import { ValidationError } from '../../types/errors.js';
+/** Parse and validate JSON body against a Zod schema. Throws ValidationError on failure. */
+export const parseBody = async <S extends ZodType>(c: Context, schema: S): Promise<z.output<S>> => {
+  const body = await c.req.json().catch(() => {
+    throw new ValidationError('Invalid JSON body');
+  });
+  const parsed = schema.safeParse(body);
+  if (!parsed.success) throw new ValidationError(`Invalid request: ${parsed.error.message}`);
+  return parsed.data;
+};
+/** Validate query parameters against a Zod schema. Throws ValidationError on failure. */
+export const parseQuery = <S extends ZodType>(c: Context, schema: S): z.output<S> => {
+  const parsed = schema.safeParse(c.req.query());
+  if (!parsed.success) throw new ValidationError(`Invalid query: ${parsed.error.message}`);
+  return parsed.data;
+};
+/** Extract a required query parameter. Throws ValidationError if missing. */
+export const requireQuery = (c: Context, param: string): string => {
+  const value = c.req.query(param);
+  if (!value) throw new ValidationError(`Missing "${param}" query parameter`);
+  return value;
+};

package/src/index.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export { loadApplication } from './composition-root.js';