npm - @complior/engine - Versions diffs - 0.9.0 - Mend

@complior/engine 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (594) hide show

package/.well-known/ai-compliance.json +16 -0
package/COMPLIANCE.md +64 -0
package/data/data-integrity.test.ts +75 -0
package/data/eval/eval-mappings.json +33 -0
package/data/llm/model-pricing.json +15 -0
package/data/llm/model-routing.json +36 -0
package/data/onboarding/risk-profile.json +17 -0
package/data/regulations/eu-ai-act/README.md +245 -0
package/data/regulations/eu-ai-act/applicability-tree.json +160 -0
package/data/regulations/eu-ai-act/cross-mapping.json +175 -0
package/data/regulations/eu-ai-act/localization.json +186 -0
package/data/regulations/eu-ai-act/obligations.json +3981 -0
package/data/regulations/eu-ai-act/regulation-meta.json +482 -0
package/data/regulations/eu-ai-act/scoring.json +342 -0
package/data/regulations/eu-ai-act/technical-requirements.json +2590 -0
package/data/regulations/eu-ai-act/timeline.json +160 -0
package/data/regulations/jurisdictions/at.json +15 -0
package/data/regulations/jurisdictions/be.json +15 -0
package/data/regulations/jurisdictions/bg.json +15 -0
package/data/regulations/jurisdictions/cy.json +15 -0
package/data/regulations/jurisdictions/cz.json +15 -0
package/data/regulations/jurisdictions/de.json +15 -0
package/data/regulations/jurisdictions/dk.json +15 -0
package/data/regulations/jurisdictions/ee.json +15 -0
package/data/regulations/jurisdictions/es.json +15 -0
package/data/regulations/jurisdictions/fi.json +15 -0
package/data/regulations/jurisdictions/fr.json +15 -0
package/data/regulations/jurisdictions/gr.json +15 -0
package/data/regulations/jurisdictions/hr.json +15 -0
package/data/regulations/jurisdictions/hu.json +15 -0
package/data/regulations/jurisdictions/ie.json +15 -0
package/data/regulations/jurisdictions/is.json +15 -0
package/data/regulations/jurisdictions/it.json +15 -0
package/data/regulations/jurisdictions/li.json +15 -0
package/data/regulations/jurisdictions/lt.json +15 -0
package/data/regulations/jurisdictions/lu.json +15 -0
package/data/regulations/jurisdictions/lv.json +15 -0
package/data/regulations/jurisdictions/mt.json +15 -0
package/data/regulations/jurisdictions/nl.json +15 -0
package/data/regulations/jurisdictions/no.json +15 -0
package/data/regulations/jurisdictions/pl.json +15 -0
package/data/regulations/jurisdictions/pt.json +15 -0
package/data/regulations/jurisdictions/ro.json +15 -0
package/data/regulations/jurisdictions/se.json +15 -0
package/data/regulations/jurisdictions/si.json +15 -0
package/data/regulations/jurisdictions/sk.json +15 -0
package/data/scanner/check-id-categories.json +81 -0
package/data/scanner/confidence-params.json +16 -0
package/data/scanner/limits.json +4 -0
package/data/schemas/http-contract-sample.json +79 -0
package/data/schemas/http-contract.json +144 -0
package/data/semgrep-rules/bare-call.yaml +37 -0
package/data/semgrep-rules/injection.yaml +73 -0
package/data/semgrep-rules/missing-error-handling.yaml +58 -0
package/data/semgrep-rules/unsafe-deser.yaml +65 -0
package/data/templates/eu-ai-act/ai-literacy.md +184 -0
package/data/templates/eu-ai-act/art5-screening.md +131 -0
package/data/templates/eu-ai-act/data-governance.md +145 -0
package/data/templates/eu-ai-act/declaration-of-conformity.md +161 -0
package/data/templates/eu-ai-act/fria.md +127 -0
package/data/templates/eu-ai-act/gpai-systemic-risk.md +150 -0
package/data/templates/eu-ai-act/gpai-transparency.md +166 -0
package/data/templates/eu-ai-act/incident-report.md +188 -0
package/data/templates/eu-ai-act/instructions-for-use.md +202 -0
package/data/templates/eu-ai-act/monitoring-policy.md +110 -0
package/data/templates/eu-ai-act/qms.md +180 -0
package/data/templates/eu-ai-act/risk-management-system.md +123 -0
package/data/templates/eu-ai-act/technical-documentation.md +287 -0
package/data/templates/eu-ai-act/worker-notification.md +143 -0
package/data/templates/policies/biometrics-ai-policy.md +214 -0
package/data/templates/policies/critical-infra-ai-policy.md +228 -0
package/data/templates/policies/education-ai-policy.md +184 -0
package/data/templates/policies/finance-ai-policy.md +191 -0
package/data/templates/policies/healthcare-ai-policy.md +197 -0
package/data/templates/policies/hr-ai-policy.md +178 -0
package/data/templates/policies/legal-ai-policy.md +189 -0
package/data/templates/policies/migration-ai-policy.md +239 -0
package/engine.log +7 -0
package/package.json +74 -0
package/src/composition-root.ts +791 -0
package/src/data/eval/conformity-tests.test.ts +122 -0
package/src/data/eval/ct-1-transparency.ts +106 -0
package/src/data/eval/ct-10-gpai.ts +25 -0
package/src/data/eval/ct-11-industry.ts +42 -0
package/src/data/eval/ct-2-oversight.ts +41 -0
package/src/data/eval/ct-3-explanation.ts +14 -0
package/src/data/eval/ct-4-bias.ts +83 -0
package/src/data/eval/ct-5-accuracy.ts +41 -0
package/src/data/eval/ct-6-robustness.ts +81 -0
package/src/data/eval/ct-7-prohibited.ts +52 -0
package/src/data/eval/ct-8-logging.ts +68 -0
package/src/data/eval/ct-9-risk-awareness.ts +33 -0
package/src/data/eval/deterministic-evaluator.ts +120 -0
package/src/data/eval/index.ts +55 -0
package/src/data/eval/judge-prompts.ts +146 -0
package/src/data/eval/llm-judged-tests.ts +279 -0
package/src/data/eval/llm-tests.test.ts +83 -0
package/src/data/eval/remediation/ct-1-transparency.ts +91 -0
package/src/data/eval/remediation/ct-10-gpai.ts +94 -0
package/src/data/eval/remediation/ct-11-industry.ts +94 -0
package/src/data/eval/remediation/ct-2-oversight.ts +71 -0
package/src/data/eval/remediation/ct-3-explanation.ts +70 -0
package/src/data/eval/remediation/ct-4-bias.ts +70 -0
package/src/data/eval/remediation/ct-5-accuracy.ts +70 -0
package/src/data/eval/remediation/ct-6-robustness.ts +70 -0
package/src/data/eval/remediation/ct-7-prohibited.ts +94 -0
package/src/data/eval/remediation/ct-8-logging.ts +94 -0
package/src/data/eval/remediation/ct-9-risk-awareness.ts +94 -0
package/src/data/eval/remediation/index.ts +89 -0
package/src/data/eval/remediation/owasp-art5.ts +15 -0
package/src/data/eval/remediation/owasp-llm01.ts +72 -0
package/src/data/eval/remediation/owasp-llm02.ts +72 -0
package/src/data/eval/remediation/owasp-llm03.ts +15 -0
package/src/data/eval/remediation/owasp-llm04.ts +15 -0
package/src/data/eval/remediation/owasp-llm05.ts +15 -0
package/src/data/eval/remediation/owasp-llm06.ts +15 -0
package/src/data/eval/remediation/owasp-llm07.ts +15 -0
package/src/data/eval/remediation/owasp-llm08.ts +15 -0
package/src/data/eval/remediation/owasp-llm09.ts +15 -0
package/src/data/eval/remediation/owasp-llm10.ts +15 -0
package/src/data/eval/remediation/remediation.test.ts +229 -0
package/src/data/eval/remediation/test-mapping.ts +290 -0
package/src/data/eval/security-rubrics.ts +381 -0
package/src/data/finding-explanations.json +453 -0
package/src/data/industry-patterns.ts +161 -0
package/src/data/registry-cards.ts +368 -0
package/src/data/regulation/index.ts +5 -0
package/src/data/regulation/jurisdiction-data.test.ts +73 -0
package/src/data/regulation/jurisdiction-data.ts +65 -0
package/src/data/regulation/regulation-data.ts +19 -0
package/src/data/regulation/regulation-loader.test.ts +107 -0
package/src/data/regulation/regulation-loader.ts +56 -0
package/src/data/scanner-constants.ts +46 -0
package/src/data/schemas/schemas-core.ts +140 -0
package/src/data/schemas/schemas-supplementary.ts +211 -0
package/src/data/schemas/schemas.ts +28 -0
package/src/data/security/attack-probes.test.ts +62 -0
package/src/data/security/attack-probes.ts +496 -0
package/src/data/security/eu-ai-act-security.ts +40 -0
package/src/data/security/index.ts +19 -0
package/src/data/security/mitre-atlas.test.ts +43 -0
package/src/data/security/mitre-atlas.ts +93 -0
package/src/data/security/nist-ai-rmf.ts +43 -0
package/src/data/security/owasp-llm-top10.test.ts +60 -0
package/src/data/security/owasp-llm-top10.ts +138 -0
package/src/data/template-registry.ts +53 -0
package/src/data/tool-versions.json +22 -0
package/src/domain/audit/audit-package.test.ts +152 -0
package/src/domain/audit/audit-package.ts +166 -0
package/src/domain/audit/audit-trail.test.ts +121 -0
package/src/domain/audit/audit-trail.ts +174 -0
package/src/domain/audit/index.ts +8 -0
package/src/domain/audit/permissions-matrix.test.ts +136 -0
package/src/domain/audit/permissions-matrix.ts +121 -0
package/src/domain/certification/adversarial/bias-tests.ts +95 -0
package/src/domain/certification/adversarial/evaluators.ts +304 -0
package/src/domain/certification/adversarial/index.ts +11 -0
package/src/domain/certification/adversarial/prompt-injection.ts +103 -0
package/src/domain/certification/adversarial/safety-boundary.ts +132 -0
package/src/domain/certification/aiuc1-readiness.test.ts +236 -0
package/src/domain/certification/aiuc1-readiness.ts +298 -0
package/src/domain/certification/aiuc1-requirements.ts +235 -0
package/src/domain/certification/index.ts +10 -0
package/src/domain/certification/redteam-runner.test.ts +97 -0
package/src/domain/certification/redteam-runner.ts +205 -0
package/src/domain/certification/test-runner.test.ts +232 -0
package/src/domain/certification/test-runner.ts +289 -0
package/src/domain/cost/cost-estimator.test.ts +187 -0
package/src/domain/cost/cost-estimator.ts +133 -0
package/src/domain/disclaimer.test.ts +52 -0
package/src/domain/disclaimer.ts +39 -0
package/src/domain/documents/ai-enricher.test.ts +120 -0
package/src/domain/documents/ai-enricher.ts +159 -0
package/src/domain/documents/document-generator.test.ts +318 -0
package/src/domain/documents/document-generator.ts +239 -0
package/src/domain/documents/index.ts +9 -0
package/src/domain/documents/passport-helpers.ts +25 -0
package/src/domain/documents/policy-generator.test.ts +252 -0
package/src/domain/documents/policy-generator.ts +94 -0
package/src/domain/documents/worker-notification-generator.test.ts +162 -0
package/src/domain/documents/worker-notification-generator.ts +141 -0
package/src/domain/eval/adapters/adapter-port.ts +94 -0
package/src/domain/eval/adapters/adapters.test.ts +303 -0
package/src/domain/eval/adapters/anthropic-adapter.ts +57 -0
package/src/domain/eval/adapters/auto-detect.ts +104 -0
package/src/domain/eval/adapters/create-chat-adapter.ts +106 -0
package/src/domain/eval/adapters/custom-adapter.ts +74 -0
package/src/domain/eval/adapters/http-adapter.ts +66 -0
package/src/domain/eval/adapters/index.ts +7 -0
package/src/domain/eval/adapters/ollama-adapter.ts +48 -0
package/src/domain/eval/adapters/openai-adapter.ts +58 -0
package/src/domain/eval/adapters/with-timeout.ts +25 -0
package/src/domain/eval/conformity-score.test.ts +161 -0
package/src/domain/eval/conformity-score.ts +135 -0
package/src/domain/eval/eval-constants.ts +55 -0
package/src/domain/eval/eval-evidence.test.ts +85 -0
package/src/domain/eval/eval-evidence.ts +103 -0
package/src/domain/eval/eval-fix-generator.test.ts +421 -0
package/src/domain/eval/eval-fix-generator.ts +205 -0
package/src/domain/eval/eval-passport.test.ts +82 -0
package/src/domain/eval/eval-passport.ts +89 -0
package/src/domain/eval/eval-remediation-report.test.ts +682 -0
package/src/domain/eval/eval-remediation-report.ts +170 -0
package/src/domain/eval/eval-report.ts +108 -0
package/src/domain/eval/eval-runner.test.ts +609 -0
package/src/domain/eval/eval-runner.ts +593 -0
package/src/domain/eval/eval-to-findings.test.ts +293 -0
package/src/domain/eval/eval-to-findings.ts +83 -0
package/src/domain/eval/index.ts +31 -0
package/src/domain/eval/llm-judge.test.ts +139 -0
package/src/domain/eval/llm-judge.ts +168 -0
package/src/domain/eval/remediation-types.ts +90 -0
package/src/domain/eval/security-integration.test.ts +196 -0
package/src/domain/eval/security-integration.ts +136 -0
package/src/domain/eval/types.test.ts +173 -0
package/src/domain/eval/types.ts +244 -0
package/src/domain/eval/verdict-utils.ts +45 -0
package/src/domain/fixer/create-fixer.ts +101 -0
package/src/domain/fixer/diff.ts +70 -0
package/src/domain/fixer/fix-history.ts +23 -0
package/src/domain/fixer/fixer.test.ts +306 -0
package/src/domain/fixer/index.ts +9 -0
package/src/domain/fixer/strategies/bandit-fix.ts +61 -0
package/src/domain/fixer/strategies/bias-testing.ts +49 -0
package/src/domain/fixer/strategies/ci-compliance.ts +57 -0
package/src/domain/fixer/strategies/content-marking.ts +45 -0
package/src/domain/fixer/strategies/cve-upgrade.ts +66 -0
package/src/domain/fixer/strategies/data-governance.ts +65 -0
package/src/domain/fixer/strategies/disclosure.ts +69 -0
package/src/domain/fixer/strategies/doc-code-sync.ts +53 -0
package/src/domain/fixer/strategies/documentation.ts +59 -0
package/src/domain/fixer/strategies/error-handler.ts +63 -0
package/src/domain/fixer/strategies/hitl-gate.ts +67 -0
package/src/domain/fixer/strategies/index.ts +61 -0
package/src/domain/fixer/strategies/kill-switch-test.ts +85 -0
package/src/domain/fixer/strategies/kill-switch.ts +53 -0
package/src/domain/fixer/strategies/license-fix.ts +57 -0
package/src/domain/fixer/strategies/log-retention.ts +40 -0
package/src/domain/fixer/strategies/logging.ts +59 -0
package/src/domain/fixer/strategies/metadata.ts +45 -0
package/src/domain/fixer/strategies/permission-guard.ts +84 -0
package/src/domain/fixer/strategies/record-keeping.ts +69 -0
package/src/domain/fixer/strategies/secret-rotation.ts +52 -0
package/src/domain/fixer/strategies.test.ts +341 -0
package/src/domain/fixer/template-engine.test.ts +64 -0
package/src/domain/fixer/template-engine.ts +38 -0
package/src/domain/fixer/types.ts +88 -0
package/src/domain/frameworks/aiuc1-framework.test.ts +159 -0
package/src/domain/frameworks/aiuc1-framework.ts +126 -0
package/src/domain/frameworks/collect-foundation-metrics.test.ts +96 -0
package/src/domain/frameworks/collect-foundation-metrics.ts +34 -0
package/src/domain/frameworks/eu-ai-act-framework.test.ts +117 -0
package/src/domain/frameworks/eu-ai-act-framework.ts +100 -0
package/src/domain/frameworks/framework-registry.test.ts +91 -0
package/src/domain/frameworks/framework-registry.ts +38 -0
package/src/domain/frameworks/index.ts +8 -0
package/src/domain/frameworks/mitre-atlas-framework.test.ts +53 -0
package/src/domain/frameworks/mitre-atlas-framework.ts +53 -0
package/src/domain/frameworks/owasp-llm-framework.test.ts +77 -0
package/src/domain/frameworks/owasp-llm-framework.ts +54 -0
package/src/domain/frameworks/score-plugin-framework.ts +117 -0
package/src/domain/fria/fria-generator.test.ts +273 -0
package/src/domain/fria/fria-generator.ts +366 -0
package/src/domain/import/promptfoo-importer.test.ts +103 -0
package/src/domain/import/promptfoo-importer.ts +151 -0
package/src/domain/onboarding/guided-onboarding.test.ts +144 -0
package/src/domain/onboarding/guided-onboarding.ts +135 -0
package/src/domain/passport/builder/domain-mapper.ts +9 -0
package/src/domain/passport/builder/manifest-builder.test.ts +546 -0
package/src/domain/passport/builder/manifest-builder.ts +535 -0
package/src/domain/passport/builder/manifest-diff.test.ts +105 -0
package/src/domain/passport/builder/manifest-diff.ts +89 -0
package/src/domain/passport/builder/manifest-files.ts +17 -0
package/src/domain/passport/crypto-signer.test.ts +93 -0
package/src/domain/passport/crypto-signer.ts +157 -0
package/src/domain/passport/discovery/agent-discovery.test.ts +296 -0
package/src/domain/passport/discovery/agent-discovery.ts +325 -0
package/src/domain/passport/discovery/autonomy-analyzer.test.ts +141 -0
package/src/domain/passport/discovery/autonomy-analyzer.ts +113 -0
package/src/domain/passport/discovery/permission-scanner.test.ts +191 -0
package/src/domain/passport/discovery/permission-scanner.ts +414 -0
package/src/domain/passport/export/a2a-mapper.ts +75 -0
package/src/domain/passport/export/aiuc1-mapper.ts +126 -0
package/src/domain/passport/export/export.test.ts +207 -0
package/src/domain/passport/export/index.ts +41 -0
package/src/domain/passport/export/nist-mapper.ts +227 -0
package/src/domain/passport/import/a2a-importer.test.ts +133 -0
package/src/domain/passport/import/a2a-importer.ts +156 -0
package/src/domain/passport/import/index.ts +2 -0
package/src/domain/passport/index.ts +32 -0
package/src/domain/passport/obligation-field-map.test.ts +113 -0
package/src/domain/passport/obligation-field-map.ts +117 -0
package/src/domain/passport/passport-validator.test.ts +156 -0
package/src/domain/passport/passport-validator.ts +126 -0
package/src/domain/passport/scan-to-compliance.test.ts +336 -0
package/src/domain/passport/scan-to-compliance.ts +166 -0
package/src/domain/passport/test-generator.test.ts +93 -0
package/src/domain/passport/test-generator.ts +136 -0
package/src/domain/proxy/index.ts +11 -0
package/src/domain/proxy/json-rpc.test.ts +72 -0
package/src/domain/proxy/json-rpc.ts +53 -0
package/src/domain/proxy/policy-engine.test.ts +259 -0
package/src/domain/proxy/policy-engine.ts +137 -0
package/src/domain/proxy/proxy-bridge.ts +125 -0
package/src/domain/proxy/proxy-interceptor.test.ts +184 -0
package/src/domain/proxy/proxy-interceptor.ts +120 -0
package/src/domain/proxy/proxy-types.ts +35 -0
package/src/domain/registry/compute-agent-score.test.ts +279 -0
package/src/domain/registry/compute-agent-score.ts +162 -0
package/src/domain/reporter/audit-report.test.ts +87 -0
package/src/domain/reporter/audit-report.ts +116 -0
package/src/domain/reporter/badge-generator.test.ts +54 -0
package/src/domain/reporter/badge-generator.ts +40 -0
package/src/domain/reporter/compliance-md.ts +45 -0
package/src/domain/reporter/index.ts +7 -0
package/src/domain/reporter/pdf-renderer.ts +282 -0
package/src/domain/reporter/share.test.ts +92 -0
package/src/domain/reporter/share.ts +80 -0
package/src/domain/scanner/ast/swc-analyzer.test.ts +49 -0
package/src/domain/scanner/ast/swc-analyzer.ts +124 -0
package/src/domain/scanner/attestations.ts +97 -0
package/src/domain/scanner/checks/ai-disclosure.test.ts +90 -0
package/src/domain/scanner/checks/ai-disclosure.ts +54 -0
package/src/domain/scanner/checks/ai-literacy.ts +163 -0
package/src/domain/scanner/checks/behavioral-constraints.test.ts +167 -0
package/src/domain/scanner/checks/behavioral-constraints.ts +86 -0
package/src/domain/scanner/checks/compliance-metadata.ts +63 -0
package/src/domain/scanner/checks/content-marking.ts +74 -0
package/src/domain/scanner/checks/dep-deep-scan.test.ts +318 -0
package/src/domain/scanner/checks/dep-deep-scan.ts +137 -0
package/src/domain/scanner/checks/documentation.test.ts +88 -0
package/src/domain/scanner/checks/documentation.ts +79 -0
package/src/domain/scanner/checks/git-history.test.ts +120 -0
package/src/domain/scanner/checks/git-history.ts +163 -0
package/src/domain/scanner/checks/gpai-systemic-risk.test.ts +84 -0
package/src/domain/scanner/checks/gpai-systemic-risk.ts +98 -0
package/src/domain/scanner/checks/gpai-transparency.ts +94 -0
package/src/domain/scanner/checks/index.ts +28 -0
package/src/domain/scanner/checks/industry/index.ts +40 -0
package/src/domain/scanner/checks/industry/industry.test.ts +287 -0
package/src/domain/scanner/checks/interaction-logging.test.ts +113 -0
package/src/domain/scanner/checks/interaction-logging.ts +142 -0
package/src/domain/scanner/checks/nhi-scanner.test.ts +158 -0
package/src/domain/scanner/checks/nhi-scanner.ts +78 -0
package/src/domain/scanner/checks/passport-completeness.test.ts +127 -0
package/src/domain/scanner/checks/passport-completeness.ts +82 -0
package/src/domain/scanner/checks/passport-presence.test.ts +56 -0
package/src/domain/scanner/checks/passport-presence.ts +78 -0
package/src/domain/scanner/checks/pattern-check-factory.ts +70 -0
package/src/domain/scanner/checks/permission-scanner.test.ts +279 -0
package/src/domain/scanner/checks/permission-scanner.ts +90 -0
package/src/domain/scanner/checks/presence-check-factory.test.ts +124 -0
package/src/domain/scanner/checks/presence-check-factory.ts +275 -0
package/src/domain/scanner/compliance-diff.test.ts +165 -0
package/src/domain/scanner/compliance-diff.ts +138 -0
package/src/domain/scanner/confidence.test.ts +235 -0
package/src/domain/scanner/confidence.ts +156 -0
package/src/domain/scanner/constants.ts +13 -0
package/src/domain/scanner/create-scanner.ts +573 -0
package/src/domain/scanner/cross-layer.test.ts +372 -0
package/src/domain/scanner/cross-layer.ts +232 -0
package/src/domain/scanner/data/ai-packages.ts +82 -0
package/src/domain/scanner/debt-calculator.test.ts +89 -0
package/src/domain/scanner/debt-calculator.ts +111 -0
package/src/domain/scanner/drift.test.ts +191 -0
package/src/domain/scanner/drift.ts +73 -0
package/src/domain/scanner/evidence-store.test.ts +207 -0
package/src/domain/scanner/evidence-store.ts +195 -0
package/src/domain/scanner/evidence.test.ts +104 -0
package/src/domain/scanner/evidence.ts +71 -0
package/src/domain/scanner/external/bandit-runner.test.ts +45 -0
package/src/domain/scanner/external/bandit-runner.ts +90 -0
package/src/domain/scanner/external/checks.ts +321 -0
package/src/domain/scanner/external/dedup.test.ts +79 -0
package/src/domain/scanner/external/dedup.ts +94 -0
package/src/domain/scanner/external/detect-secrets-runner.test.ts +58 -0
package/src/domain/scanner/external/detect-secrets-runner.ts +81 -0
package/src/domain/scanner/external/external-scanner.test.ts +221 -0
package/src/domain/scanner/external/external-scanner.ts +36 -0
package/src/domain/scanner/external/finding-mapper.test.ts +95 -0
package/src/domain/scanner/external/finding-mapper.ts +138 -0
package/src/domain/scanner/external/index.ts +15 -0
package/src/domain/scanner/external/mappings.ts +93 -0
package/src/domain/scanner/external/modelscan-runner.test.ts +35 -0
package/src/domain/scanner/external/modelscan-runner.ts +101 -0
package/src/domain/scanner/external/path-utils.ts +8 -0
package/src/domain/scanner/external/runner-port.ts +45 -0
package/src/domain/scanner/external/semgrep-runner.test.ts +52 -0
package/src/domain/scanner/external/semgrep-runner.ts +94 -0
package/src/domain/scanner/external/types.ts +32 -0
package/src/domain/scanner/finding-attribution.test.ts +444 -0
package/src/domain/scanner/finding-attribution.ts +195 -0
package/src/domain/scanner/finding-explainer.test.ts +157 -0
package/src/domain/scanner/finding-explainer.ts +73 -0
package/src/domain/scanner/fix-diff-builder.test.ts +272 -0
package/src/domain/scanner/fix-diff-builder.ts +477 -0
package/src/domain/scanner/import-graph.test.ts +162 -0
package/src/domain/scanner/import-graph.ts +198 -0
package/src/domain/scanner/languages/adapter.test.ts +105 -0
package/src/domain/scanner/languages/adapter.ts +239 -0
package/src/domain/scanner/layers/index.ts +24 -0
package/src/domain/scanner/layers/layer1-files.ts +54 -0
package/src/domain/scanner/layers/layer2-docs.test.ts +1207 -0
package/src/domain/scanner/layers/layer2-docs.ts +297 -0
package/src/domain/scanner/layers/layer2-parsing.ts +217 -0
package/src/domain/scanner/layers/layer3-config.test.ts +187 -0
package/src/domain/scanner/layers/layer3-config.ts +279 -0
package/src/domain/scanner/layers/layer3-parsers.ts +73 -0
package/src/domain/scanner/layers/layer4-patterns.test.ts +397 -0
package/src/domain/scanner/layers/layer4-patterns.ts +216 -0
package/src/domain/scanner/layers/layer5-docs.test.ts +99 -0
package/src/domain/scanner/layers/layer5-docs.ts +250 -0
package/src/domain/scanner/layers/layer5-llm.test.ts +146 -0
package/src/domain/scanner/layers/layer5-llm.ts +262 -0
package/src/domain/scanner/layers/layer5-targeted.test.ts +93 -0
package/src/domain/scanner/layers/layer5-targeted.ts +233 -0
package/src/domain/scanner/layers/lockfile-parsers.test.ts +320 -0
package/src/domain/scanner/layers/lockfile-parsers.ts +184 -0
package/src/domain/scanner/regulation-version.test.ts +54 -0
package/src/domain/scanner/regulation-version.ts +23 -0
package/src/domain/scanner/role-filter.test.ts +116 -0
package/src/domain/scanner/role-filter.ts +51 -0
package/src/domain/scanner/rules/banned-packages-data.ts +553 -0
package/src/domain/scanner/rules/banned-packages-sdk.ts +65 -0
package/src/domain/scanner/rules/banned-packages.test.ts +249 -0
package/src/domain/scanner/rules/banned-packages.ts +55 -0
package/src/domain/scanner/rules/comment-filter.test.ts +115 -0
package/src/domain/scanner/rules/comment-filter.ts +297 -0
package/src/domain/scanner/rules/index.ts +9 -0
package/src/domain/scanner/rules/nhi-patterns.test.ts +128 -0
package/src/domain/scanner/rules/nhi-patterns.ts +60 -0
package/src/domain/scanner/rules/pattern-rules.ts +1152 -0
package/src/domain/scanner/sbom.test.ts +136 -0
package/src/domain/scanner/sbom.ts +103 -0
package/src/domain/scanner/scan-cache.test.ts +136 -0
package/src/domain/scanner/scan-cache.ts +115 -0
package/src/domain/scanner/scanner.test.ts +125 -0
package/src/domain/scanner/score-calculator.test.ts +363 -0
package/src/domain/scanner/score-calculator.ts +189 -0
package/src/domain/scanner/security-score.test.ts +107 -0
package/src/domain/scanner/security-score.ts +116 -0
package/src/domain/scanner/source-filter.ts +24 -0
package/src/domain/scanner/validators.ts +223 -0
package/src/domain/shared/compliance-constants.ts +48 -0
package/src/domain/shared/disclosure-patterns.ts +16 -0
package/src/domain/shared/index.ts +6 -0
package/src/domain/shared/parse-dependencies.ts +21 -0
package/src/domain/supply-chain/dependency-analyzer.ts +138 -0
package/src/domain/supply-chain/index.ts +3 -0
package/src/domain/supply-chain/supply-chain.test.ts +211 -0
package/src/domain/supply-chain/types.ts +32 -0
package/src/domain/whatif/config-fixer.ts +187 -0
package/src/domain/whatif/index.ts +6 -0
package/src/domain/whatif/scenario-engine.ts +121 -0
package/src/domain/whatif/simulate-actions.test.ts +161 -0
package/src/domain/whatif/simulate-actions.ts +114 -0
package/src/domain/whatif/whatif.test.ts +135 -0
package/src/e2e/gaps-e2e.test.ts +259 -0
package/src/e2e/smoke.test.ts +101 -0
package/src/hooks/hooks-export.test.ts +81 -0
package/src/hooks/installer.ts +113 -0
package/src/http/cors.test.ts +38 -0
package/src/http/create-router.ts +259 -0
package/src/http/routes/agent.route.ts +380 -0
package/src/http/routes/audit.route.ts +66 -0
package/src/http/routes/badge.route.ts +23 -0
package/src/http/routes/cert.route.ts +66 -0
package/src/http/routes/chat.route.ts +228 -0
package/src/http/routes/cost.route.ts +33 -0
package/src/http/routes/debt.route.ts +29 -0
package/src/http/routes/disclaimer.route.ts +64 -0
package/src/http/routes/eval.route.ts +161 -0
package/src/http/routes/events.route.test.ts +108 -0
package/src/http/routes/events.route.ts +71 -0
package/src/http/routes/external-scan.route.ts +24 -0
package/src/http/routes/file.route.ts +54 -0
package/src/http/routes/fix.route.ts +219 -0
package/src/http/routes/frameworks.route.test.ts +66 -0
package/src/http/routes/frameworks.route.ts +36 -0
package/src/http/routes/git.route.ts +27 -0
package/src/http/routes/guided-onboarding.route.ts +65 -0
package/src/http/routes/import.route.ts +64 -0
package/src/http/routes/jurisdiction.route.ts +22 -0
package/src/http/routes/obligations.route.test.ts +122 -0
package/src/http/routes/obligations.route.ts +110 -0
package/src/http/routes/onboarding.route.ts +53 -0
package/src/http/routes/provider.route.ts +42 -0
package/src/http/routes/proxy.route.ts +40 -0
package/src/http/routes/redteam.route.ts +84 -0
package/src/http/routes/report.route.ts +29 -0
package/src/http/routes/scan.route.ts +104 -0
package/src/http/routes/share.route.ts +44 -0
package/src/http/routes/shell.route.ts +27 -0
package/src/http/routes/status.route.ts +66 -0
package/src/http/routes/supply-chain.route.ts +121 -0
package/src/http/routes/sync.route.ts +328 -0
package/src/http/routes/tools.route.ts +29 -0
package/src/http/routes/whatif.route.ts +96 -0
package/src/http/utils/validation.ts +31 -0
package/src/index.ts +1 -0
package/src/infra/bundle-fetcher.ts +77 -0
package/src/infra/cache-storage.ts +34 -0
package/src/infra/event-bus.ts +31 -0
package/src/infra/file-collector.ts +61 -0
package/src/infra/file-ops-adapter.ts +95 -0
package/src/infra/file-watcher.test.ts +90 -0
package/src/infra/file-watcher.ts +106 -0
package/src/infra/git-adapter.ts +93 -0
package/src/infra/git-history-adapter.ts +41 -0
package/src/infra/headless-browser.ts +178 -0
package/src/infra/llm-adapter.test.ts +83 -0
package/src/infra/llm-adapter.ts +86 -0
package/src/infra/logger.ts +27 -0
package/src/infra/project-config.test.ts +74 -0
package/src/infra/project-config.ts +35 -0
package/src/infra/rate-limiter.test.ts +36 -0
package/src/infra/rate-limiter.ts +34 -0
package/src/infra/retry.ts +46 -0
package/src/infra/saas-client.ts +123 -0
package/src/infra/search-adapter.ts +113 -0
package/src/infra/shell-adapter.ts +68 -0
package/src/infra/tool-manager.test.ts +99 -0
package/src/infra/tool-manager.ts +197 -0
package/src/llm/agents/agent-modes.test.ts +44 -0
package/src/llm/agents/modes.ts +68 -0
package/src/llm/routing/cost-routing.test.ts +37 -0
package/src/llm/routing/cost-tracker.ts +74 -0
package/src/llm/routing/model-routing.test.ts +79 -0
package/src/llm/routing/model-routing.ts +38 -0
package/src/llm/routing/pricing.ts +19 -0
package/src/llm/sse-protocol.ts +77 -0
package/src/llm/tool-definitions.ts +83 -0
package/src/llm/tool-executors.ts +80 -0
package/src/llm/tools/types.ts +13 -0
package/src/mcp/create-mcp-stack.ts +82 -0
package/src/mcp/handlers.ts +245 -0
package/src/mcp/index.ts +28 -0
package/src/mcp/mcp-server.test.ts +80 -0
package/src/mcp/server.ts +79 -0
package/src/mcp/tools.ts +48 -0
package/src/onboarding/auto-detect.ts +164 -0
package/src/onboarding/onboarding.test.ts +89 -0
package/src/onboarding/profile.ts +169 -0
package/src/onboarding/questions.ts +112 -0
package/src/onboarding/wizard.ts +66 -0
package/src/output/github-issue.ts +32 -0
package/src/output/json-output.ts +67 -0
package/src/ports/browser.port.ts +23 -0
package/src/ports/events.port.ts +28 -0
package/src/ports/llm.port.ts +23 -0
package/src/ports/logger.port.ts +6 -0
package/src/ports/process.port.ts +6 -0
package/src/ports/scanner.port.ts +15 -0
package/src/server.ts +134 -0
package/src/services/badge-service.ts +67 -0
package/src/services/chat-service.test.ts +162 -0
package/src/services/chat-service.ts +152 -0
package/src/services/cost-service.ts +52 -0
package/src/services/debt-service.ts +65 -0
package/src/services/eval-integration.test.ts +132 -0
package/src/services/eval-service.test.ts +373 -0
package/src/services/eval-service.ts +463 -0
package/src/services/external-scan-service.ts +60 -0
package/src/services/file-service.ts +37 -0
package/src/services/fix-service.test.ts +470 -0
package/src/services/fix-service.ts +648 -0
package/src/services/framework-service.test.ts +159 -0
package/src/services/framework-service.ts +67 -0
package/src/services/onboarding-service.ts +165 -0
package/src/services/passport-audit.ts +244 -0
package/src/services/passport-documents.ts +258 -0
package/src/services/passport-service-utils.ts +72 -0
package/src/services/passport-service.test.ts +251 -0
package/src/services/passport-service.ts +339 -0
package/src/services/proxy-service.ts +81 -0
package/src/services/report-service.ts +72 -0
package/src/services/scan-service.test.ts +470 -0
package/src/services/scan-service.ts +335 -0
package/src/services/share-service.ts +108 -0
package/src/services/shared/backup.ts +23 -0
package/src/services/status-service.ts +38 -0
package/src/services/undo-service.test.ts +190 -0
package/src/services/undo-service.ts +144 -0
package/src/test-helpers/factories.ts +116 -0
package/src/types/common.schemas.ts +147 -0
package/src/types/common.types.ts +292 -0
package/src/types/contract.test.ts +217 -0
package/src/types/errors.ts +52 -0
package/src/types/framework.types.ts +87 -0
package/src/types/passport-schemas.ts +241 -0
package/src/types/passport.types.ts +296 -0
package/src/version.ts +1 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +9 -0

package/src/services/fix-service.ts ADDED Viewed

@@ -0,0 +1,648 @@
+import { resolve, dirname } from 'node:path';
+import { randomUUID } from 'node:crypto';
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import { backupFile } from './shared/backup.js';
+import type { Finding, ScanResult } from '../types/common.types.js';
+import type { EventBusPort } from '../ports/events.port.js';
+import type { Fixer } from '../domain/fixer/create-fixer.js';
+import type { FixPlan, FixResult, FixValidation } from '../domain/fixer/types.js';
+import type { ScanService } from './scan-service.js';
+import type { UndoService } from './undo-service.js';
+import type { EvidenceStore } from '../domain/scanner/evidence-store.js';
+import { createEvidence } from '../domain/scanner/evidence.js';
+import type { AgentPassport } from '../types/passport.types.js';
+import { generateDocument, TEMPLATE_FILE_MAP, type DocType, type DocResult } from '../domain/documents/document-generator.js';
+import { enrichDocumentWithAI, detectWeakSections } from '../domain/documents/ai-enricher.js';
+import type { LlmPort } from '../ports/llm.port.js';
+/** Resolve [PASSPORT:field] tokens from agent passport data. */
+function resolvePassportPlaceholders(content: string, passport: AgentPassport): string {
+  const fields: Record<string, string | undefined> = {
+    'display_name': passport.display_name ?? passport.name,
+    'name': passport.name,
+    'description': passport.description,
+    'owner.team': passport.owner?.team,
+    'owner.contact': passport.owner?.contact,
+    'owner.responsible_person': passport.owner?.responsible_person,
+    'model.provider': passport.model?.provider,
+    'model.model_id': passport.model?.model_id,
+    'risk_class': passport.compliance?.eu_ai_act?.risk_class,
+    'autonomy_level': passport.autonomy_level,
+    'disclosure_text': passport.disclosure?.disclosure_text,
+  };
+  return content.replace(/\[PASSPORT:([^\]]+)\]/g, (match, key: string) => {
+    return fields[key] ?? match;
+  });
+}
+export interface FixServiceDeps {
+  readonly fixer: Fixer;
+  readonly scanService: ScanService;
+  readonly events: EventBusPort;
+  readonly getProjectPath: () => string;
+  readonly getLastScanResult: () => ScanResult | null;
+  readonly loadTemplate: (templateFile: string) => Promise<string>;
+  readonly undoService?: UndoService;
+  readonly evidenceStore?: EvidenceStore;
+  readonly passportService?: { listPassports: (path?: string) => Promise<readonly AgentPassport[]> };
+  readonly llm?: LlmPort;
+}
+export const createFixService = (deps: FixServiceDeps) => {
+  const { fixer, scanService, events, getProjectPath: _getProjectPath, getLastScanResult, loadTemplate, undoService } = deps;
+  const getProjectPath = () => _getProjectPath();
+  const createBackup = (filePath: string): Promise<string> =>
+    backupFile(filePath, getProjectPath());
+  const applyAction = async (action: FixPlan['actions'][number], projectPath: string, useAi = false): Promise<readonly string[] | undefined> => {
+    const fullPath = resolve(projectPath, action.path);
+    await mkdir(dirname(fullPath), { recursive: true });
+    if (action.type === 'create') {
+      let content = action.content ?? '';
+      let manualFields: readonly string[] | undefined;
+      // Resolve template placeholder — pre-fill with passport data when available
+      const templateMatch = content.match(/^\[TEMPLATE:(.+)]$/);
+      if (templateMatch) {
+        const templateFile = templateMatch[1]!;
+        const template = await loadTemplate(templateFile);
+        // Reverse-lookup: templateFile → DocType
+        const docTypeEntry = (Object.entries(TEMPLATE_FILE_MAP) as [DocType, string][])
+          .find(([, file]) => file === templateFile);
+        if (docTypeEntry && deps.passportService) {
+          try {
+            const passports = await deps.passportService.listPassports(projectPath);
+            const passport = passports[0];
+            if (passport) {
+              // Check if file already exists on disk — enhance existing instead of overwriting
+              let existingContent: string | undefined;
+              try { existingContent = await readFile(fullPath, 'utf-8'); } catch { /* file doesn't exist */ }
+              if (existingContent && existingContent.trim().length > 0) {
+                if (useAi && deps.llm) {
+                  // Existing doc + --ai: enhance with L2-informed LLM feedback (preserve user edits)
+                  const weakSections = detectWeakSections(existingContent);
+                  const baseResult: DocResult = {
+                    markdown: existingContent,
+                    docType: docTypeEntry[0],
+                    prefilledFields: [],
+                    manualFields: [...weakSections],
+                  };
+                  manualFields = weakSections;
+                  if (weakSections.length > 0) {
+                    try {
+                      const selection = deps.llm.routeModel('document-generation');
+                      const model = await deps.llm.getModel(selection.provider, selection.modelId);
+                      const enriched = await enrichDocumentWithAI({ baseResult, manifest: passport, model });
+                      // Second pass: re-check for remaining weak sections and enrich again
+                      let finalMarkdown = enriched.markdown;
+                      const remainingWeak = detectWeakSections(finalMarkdown);
+                      if (remainingWeak.length > 0) {
+                        try {
+                          const secondPass = await enrichDocumentWithAI({
+                            baseResult: { markdown: finalMarkdown, docType: docTypeEntry[0], prefilledFields: [], manualFields: [...remainingWeak] },
+                            manifest: passport,
+                            model,
+                          });
+                          finalMarkdown = secondPass.markdown;
+                        } catch {
+                          // Keep first-pass result on second-pass failure
+                        }
+                      }
+                      // Remove scaffold marker after successful LLM enrichment — scanner upgrades to 'draft'
+                      content = finalMarkdown.replace(/^<!-- COMPLIOR:SCAFFOLD -->\n/, '');
+                    } catch (err) {
+                      events.emit('log', { level: 'warn', message: `LLM enrichment failed: ${err instanceof Error ? err.message : err}` });
+                      content = existingContent; // LLM failed — keep existing
+                    }
+                  } else {
+                    content = existingContent; // All sections adequate — no changes needed
+                  }
+                } else {
+                  // Existing doc without --ai: keep existing content, never overwrite with scaffold
+                  content = existingContent;
+                  manualFields = detectWeakSections(existingContent);
+                }
+              } else {
+                // No existing file — generate fresh scaffold
+                const baseResult = generateDocument({ manifest: passport, template, docType: docTypeEntry[0] });
+                manualFields = baseResult.manualFields;
+                // LLM enrichment for fresh scaffold
+                if (useAi && deps.llm && baseResult.manualFields.length > 0) {
+                  try {
+                    const selection = deps.llm.routeModel('document-generation');
+                    const model = await deps.llm.getModel(selection.provider, selection.modelId);
+                    const enriched = await enrichDocumentWithAI({ baseResult, manifest: passport, model });
+                    // Second pass: re-check for remaining weak sections and enrich again
+                    let finalMarkdown = enriched.markdown;
+                    const remainingWeak = detectWeakSections(finalMarkdown);
+                    if (remainingWeak.length > 0) {
+                      try {
+                        const secondPass = await enrichDocumentWithAI({
+                          baseResult: { markdown: finalMarkdown, docType: docTypeEntry[0], prefilledFields: [], manualFields: [...remainingWeak] },
+                          manifest: passport,
+                          model,
+                        });
+                        finalMarkdown = secondPass.markdown;
+                      } catch {
+                        // Keep first-pass result on second-pass failure
+                      }
+                    }
+                    // LLM enriched → no scaffold marker (scanner classifies as 'draft')
+                    content = finalMarkdown;
+                  } catch (err) {
+                    events.emit('log', { level: 'warn', message: `LLM enrichment failed: ${err instanceof Error ? err.message : err}` });
+                    content = `<!-- COMPLIOR:SCAFFOLD -->\n${baseResult.markdown}`;
+                  }
+                } else {
+                  // No LLM → mark as scaffold
+                  content = `<!-- COMPLIOR:SCAFFOLD -->\n${baseResult.markdown}`;
+                }
+              }
+            } else {
+              content = `<!-- COMPLIOR:SCAFFOLD -->\n${template}`;
+            }
+          } catch {
+            content = `<!-- COMPLIOR:SCAFFOLD -->\n${template}`;
+          }
+        } else {
+          content = `<!-- COMPLIOR:SCAFFOLD -->\n${template}`;
+        }
+      }
+      // Resolve [PASSPORT:*] tokens from agent passport (for non-template content)
+      if (content.includes('[PASSPORT:') && deps.passportService) {
+        try {
+          const passports = await deps.passportService.listPassports(projectPath);
+          const passport = passports[0];
+          if (passport) {
+            content = resolvePassportPlaceholders(content, passport);
+          }
+        } catch { /* ignore — keep placeholders */ }
+      }
+      await writeFile(fullPath, content, 'utf-8');
+      events.emit('file.changed', { path: fullPath, action: 'create' });
+      return manualFields;
+    } else if (action.type === 'splice') {
+      const content = await readFile(fullPath, 'utf-8');
+      const lines = content.split('\n');
+      const startIdx = (action.startLine ?? 1) - 1;
+      const beforeLines = action.beforeLines ?? [];
+      const endIdx = startIdx + beforeLines.length;
+      // Stale diff protection — validate before-lines match (trimmed)
+      if (endIdx > lines.length) {
+        throw new Error(`Stale diff: line range exceeds file length — re-scan first`);
+      }
+      for (let i = 0; i < beforeLines.length; i++) {
+        if ((lines[startIdx + i] ?? '').trim() !== (beforeLines[i] ?? '').trim()) {
+          throw new Error(`Stale diff at line ${(action.startLine ?? 1) + i} — re-scan first`);
+        }
+      }
+      // Splice: replace before-lines with after-lines
+      lines.splice(startIdx, beforeLines.length, ...(action.afterLines ?? []));
+      // Import injection — after last existing import, or at top
+      if (action.importLine && !lines.some((l) => l.includes(action.importLine!))) {
+        let insertAt = 0;
+        for (let i = lines.length - 1; i >= 0; i--) {
+          if (lines[i]!.startsWith('import ')) { insertAt = i + 1; break; }
+        }
+        lines.splice(insertAt, 0, action.importLine);
+      }
+      // Write back, preserving trailing newline
+      let output = lines.join('\n');
+      if (content.endsWith('\n') && !output.endsWith('\n')) output += '\n';
+      await writeFile(fullPath, output, 'utf-8');
+      events.emit('file.changed', { path: fullPath, action: 'edit' });
+      return undefined;
+    } else {
+      const current = await readFile(fullPath, 'utf-8');
+      const updated = current.replace(action.oldContent ?? '', action.newContent ?? '');
+      await writeFile(fullPath, updated, 'utf-8');
+      events.emit('file.changed', { path: fullPath, action: 'edit' });
+      return undefined;
+    }
+  };
+  const preview = (finding: Finding): FixPlan | null => {
+    return fixer.previewFix(finding);
+  };
+  const previewAll = (): readonly FixPlan[] => {
+    const lastScan = getLastScanResult();
+    if (!lastScan) return [];
+    return fixer.generateFixes(lastScan.findings);
+  };
+  const applyFix = async (plan: FixPlan, useAi = false): Promise<FixResult> => {
+    const projectPath = getProjectPath();
+    // Normalize: run a basic scan first so scoreBefore matches scoreAfter tier
+    const baselineScan = await scanService.scan(projectPath);
+    const scoreBefore = baselineScan.score.totalScore;
+    const backedUp: string[] = [];
+    try {
+      let manualFields: readonly string[] | undefined;
+      for (const action of plan.actions) {
+        const bk = await createBackup(action.path);
+        backedUp.push(bk);
+        const mf = await applyAction(action, projectPath, useAi);
+        if (mf) manualFields = mf;
+      }
+      const enrichedPlan = manualFields ? { ...plan, manualFields } : plan;
+      // Re-scan to get updated score
+      const newResult = await scanService.scan(projectPath);
+      const scoreAfter = newResult.score.totalScore;
+      events.emit('score.updated', { before: scoreBefore, after: scoreAfter });
+      // C.R20: Record fix event in evidence chain
+      if (deps.evidenceStore) {
+        const evidence = createEvidence(
+          plan.checkId,
+          'fix',
+          'fix',
+          { file: plan.actions[0]?.path },
+        );
+        await deps.evidenceStore.append([evidence], randomUUID());
+      }
+      const result: FixResult = {
+        plan: enrichedPlan,
+        applied: true,
+        scoreBefore,
+        scoreAfter,
+        backedUpFiles: backedUp,
+      };
+      if (undoService) {
+        await undoService.recordFix(result, enrichedPlan);
+      }
+      return result;
+    } catch (err) {
+      return {
+        plan,
+        applied: false,
+        scoreBefore,
+        scoreAfter: scoreBefore,
+        backedUpFiles: backedUp,
+        error: err instanceof Error ? err.message : String(err),
+      };
+    }
+  };
+  const applyAndValidate = async (plan: FixPlan, useAi = false): Promise<FixResult & { validation: FixValidation }> => {
+    const lastScan = getLastScanResult();
+    const findingBefore = lastScan?.findings.find(
+      (f) => f.checkId === plan.checkId && (!plan.obligationId || f.obligationId === plan.obligationId),
+    );
+    const beforeType = findingBefore?.type ?? 'fail';
+    const result = await applyFix(plan, useAi);
+    const newScan = getLastScanResult();
+    const findingAfter = newScan?.findings.find(
+      (f) => f.checkId === plan.checkId && (!plan.obligationId || f.obligationId === plan.obligationId),
+    );
+    const afterType = findingAfter?.type ?? (result.applied ? 'pass' : beforeType);
+    const scoreDelta = result.scoreAfter - result.scoreBefore;
+    const validation: FixValidation = {
+      checkId: plan.checkId,
+      obligationId: plan.obligationId,
+      article: plan.article,
+      before: beforeType,
+      after: afterType,
+      scoreDelta,
+      totalScore: result.scoreAfter,
+    };
+    events.emit('fix.validated', {
+      checkId: plan.checkId,
+      passed: afterType === 'pass',
+      scoreDelta,
+    });
+    return { ...result, validation };
+  };
+  const applyAllAndValidate = async (useAi = false): Promise<{
+    results: readonly (FixResult & { validation: FixValidation })[];
+    totalDelta: number;
+  }> => {
+    const plans = previewAll();
+    const results: (FixResult & { validation: FixValidation })[] = [];
+    for (const plan of plans) {
+      const result = await applyAndValidate(plan, useAi);
+      results.push(result);
+    }
+    const totalDelta = results.reduce((sum, r) => sum + r.validation.scoreDelta, 0);
+    return { results, totalDelta };
+  };
+  type FixProgressCallback = (event: {
+    type: 'applying' | 'applied' | 'failed';
+    checkId: string;
+    path: string;
+    action?: string;
+    scoreAfter?: number;
+    error?: string;
+  }) => Promise<void>;
+  const applyAll = async (useAi = false, overridePath?: string, onProgress?: FixProgressCallback): Promise<readonly FixResult[]> => {
+    const plans = fixer.generateFixes(
+      getLastScanResult()?.findings ?? [],
+      useAi ? { useAi: true } : undefined,
+    );
+    if (plans.length === 0) return [];
+    const projectPath = overridePath ?? getProjectPath();
+    // Normalize: ensure scoreBefore reflects basic scan (same tier as scoreAfter)
+    const baselineScan = await scanService.scan(projectPath);
+    const scoreBefore = baselineScan.score.totalScore;
+    const results: FixResult[] = [];
+    const appliedActionKeys = new Set<string>(); // Track path:startLine (splice) or path (create/edit)
+    // Separate splice-only plans (batch per file) from others (apply individually)
+    const splicePlans: FixPlan[] = [];
+    const otherPlans: FixPlan[] = [];
+    for (const plan of plans) {
+      if (plan.actions.length === 1 && plan.actions[0]!.type === 'splice') {
+        splicePlans.push(plan);
+      } else {
+        otherPlans.push(plan);
+      }
+    }
+    // Phase 1a: Apply non-splice plans individually
+    for (const plan of otherPlans) {
+      const backedUp: string[] = [];
+      const actionPath = plan.actions[0]?.path ?? '?';
+      const actionType = plan.actions[0]?.type === 'create' ? 'CREATE' : 'MODIFY';
+      if (onProgress) {
+        await onProgress({ type: 'applying', checkId: plan.checkId, path: actionPath, action: actionType });
+      }
+      try {
+        let manualFields: readonly string[] | undefined;
+        for (const action of plan.actions) {
+          const bk = await createBackup(action.path);
+          backedUp.push(bk);
+          const mf = await applyAction(action, projectPath, useAi);
+          if (mf) manualFields = mf;
+        }
+        const enrichedPlan = manualFields ? { ...plan, manualFields } : plan;
+        for (const action of plan.actions) {
+          appliedActionKeys.add(action.type === 'splice' ? `${action.path}:${action.startLine}` : action.path);
+        }
+        results.push({ plan: enrichedPlan, applied: true, scoreBefore, scoreAfter: 0, backedUpFiles: backedUp });
+        if (onProgress) {
+          await onProgress({ type: 'applied', checkId: plan.checkId, path: actionPath });
+        }
+      } catch (err) {
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        results.push({
+          plan,
+          applied: false,
+          scoreBefore,
+          scoreAfter: scoreBefore,
+          backedUpFiles: backedUp,
+          error: errorMsg,
+        });
+        if (onProgress) {
+          await onProgress({ type: 'failed', checkId: plan.checkId, path: actionPath, error: errorMsg });
+        }
+      }
+    }
+    // Phase 1b: Batch same-file splices — single read-modify-write per file
+    const fileGroups = new Map<string, FixPlan[]>();
+    for (const plan of splicePlans) {
+      const path = plan.actions[0]!.path;
+      if (!fileGroups.has(path)) fileGroups.set(path, []);
+      fileGroups.get(path)!.push(plan);
+    }
+    for (const [filePath, group] of fileGroups) {
+      // Sort bottom-up by startLine so splicing doesn't shift indices for remaining ops
+      group.sort((a, b) => (b.actions[0]!.startLine ?? 0) - (a.actions[0]!.startLine ?? 0));
+      const bk = await createBackup(filePath);
+      const fullPath = resolve(projectPath, filePath);
+      let content: string;
+      try {
+        content = await readFile(fullPath, 'utf-8');
+      } catch {
+        for (const plan of group) {
+          results.push({
+            plan, applied: false, scoreBefore, scoreAfter: scoreBefore,
+            backedUpFiles: [bk], error: `File not found: ${filePath}`,
+          });
+        }
+        continue;
+      }
+      const lines = content.split('\n');
+      const importLines: string[] = [];
+      // Apply each splice to in-memory lines (bottom-up)
+      for (const plan of group) {
+        const action = plan.actions[0]!;
+        const startIdx = (action.startLine ?? 1) - 1;
+        const beforeLines = action.beforeLines ?? [];
+        // Validate before-lines against current in-memory state
+        let valid = true;
+        if (startIdx + beforeLines.length > lines.length) {
+          results.push({
+            plan, applied: false, scoreBefore, scoreAfter: scoreBefore,
+            backedUpFiles: [bk], error: `Stale diff: line range exceeds file length — re-scan first`,
+          });
+          valid = false;
+        } else {
+          for (let i = 0; i < beforeLines.length; i++) {
+            if ((lines[startIdx + i] ?? '').trim() !== (beforeLines[i] ?? '').trim()) {
+              results.push({
+                plan, applied: false, scoreBefore, scoreAfter: scoreBefore,
+                backedUpFiles: [bk], error: `Stale diff at line ${(action.startLine ?? 1) + i} — re-scan first`,
+              });
+              valid = false;
+              break;
+            }
+          }
+        }
+        if (!valid) continue;
+        if (onProgress) {
+          await onProgress({ type: 'applying', checkId: plan.checkId, path: action.path, action: 'MODIFY' });
+        }
+        // Splice in-memory
+        lines.splice(startIdx, beforeLines.length, ...(action.afterLines ?? []));
+        if (action.importLine) importLines.push(action.importLine);
+        appliedActionKeys.add(`${action.path}:${action.startLine}`);
+        results.push({ plan, applied: true, scoreBefore, scoreAfter: 0, backedUpFiles: [bk] });
+        if (onProgress) {
+          await onProgress({ type: 'applied', checkId: plan.checkId, path: action.path });
+        }
+      }
+      // Inject unique imports after all splices (after last import/from line)
+      const uniqueImports = [...new Set(importLines)].filter(
+        (imp) => !lines.some((l) => l.includes(imp)),
+      );
+      if (uniqueImports.length > 0) {
+        let insertAt = 0;
+        for (let i = lines.length - 1; i >= 0; i--) {
+          if (lines[i]!.startsWith('import ') || lines[i]!.startsWith('from ')) {
+            insertAt = i + 1;
+            break;
+          }
+        }
+        lines.splice(insertAt, 0, ...uniqueImports);
+      }
+      // Write file once
+      let output = lines.join('\n');
+      if (content.endsWith('\n') && !output.endsWith('\n')) output += '\n';
+      await writeFile(fullPath, output, 'utf-8');
+      events.emit('file.changed', { path: fullPath, action: 'edit' });
+    }
+    // Phase 2: Iterative scan+fix (up to 2 extra passes for cascading findings)
+    // After fixing line N, the scanner may detect line N+2 which was previously shadowed.
+    let scoreAfter = 0;
+    for (let pass = 0; pass < 3; pass++) {
+      const scanResult = await scanService.scan(projectPath);
+      scoreAfter = scanResult.score.totalScore;
+      if (pass >= 2) break; // Last pass is just the final scan
+      // Check for new fixable findings (splice + cascading create/edit)
+      const newPlans = previewAll().filter((p) => {
+        if (p.actions.length === 0) return false;
+        const a = p.actions[0]!;
+        const key = a.type === 'splice' ? `${a.path}:${a.startLine}` : a.path;
+        return !appliedActionKeys.has(key);
+      });
+      if (newPlans.length === 0) break;
+      // Apply new splice fixes using the same batched approach
+      const spliceCascadePlans = newPlans.filter(p => p.actions.length === 1 && p.actions[0]!.type === 'splice');
+      const newFileGroups = new Map<string, FixPlan[]>();
+      for (const plan of spliceCascadePlans) {
+        const path = plan.actions[0]!.path;
+        if (!newFileGroups.has(path)) newFileGroups.set(path, []);
+        newFileGroups.get(path)!.push(plan);
+      }
+      let anyApplied = false;
+      for (const [fp, group] of newFileGroups) {
+        group.sort((a, b) => (b.actions[0]!.startLine ?? 0) - (a.actions[0]!.startLine ?? 0));
+        const bk = await createBackup(fp);
+        const full = resolve(projectPath, fp);
+        let content: string;
+        try { content = await readFile(full, 'utf-8'); } catch { continue; }
+        const lines = content.split('\n');
+        const importLines: string[] = [];
+        for (const plan of group) {
+          const action = plan.actions[0]!;
+          const startIdx = (action.startLine ?? 1) - 1;
+          const beforeLines = action.beforeLines ?? [];
+          let valid = true;
+          if (startIdx + beforeLines.length > lines.length) { valid = false; }
+          else {
+            for (let i = 0; i < beforeLines.length; i++) {
+              if ((lines[startIdx + i] ?? '').trim() !== (beforeLines[i] ?? '').trim()) { valid = false; break; }
+            }
+          }
+          if (!valid) continue;
+          lines.splice(startIdx, beforeLines.length, ...(action.afterLines ?? []));
+          if (action.importLine) importLines.push(action.importLine);
+          appliedActionKeys.add(`${action.path}:${action.startLine}`);
+          results.push({ plan, applied: true, scoreBefore, scoreAfter: 0, backedUpFiles: [bk] });
+          anyApplied = true;
+        }
+        const uniqueImports = [...new Set(importLines)].filter((imp) => !lines.some((l) => l.includes(imp)));
+        if (uniqueImports.length > 0) {
+          let insertAt = 0;
+          for (let i = lines.length - 1; i >= 0; i--) {
+            if (lines[i]!.startsWith('import ') || lines[i]!.startsWith('from ')) { insertAt = i + 1; break; }
+          }
+          lines.splice(insertAt, 0, ...uniqueImports);
+        }
+        let output = lines.join('\n');
+        if (content.endsWith('\n') && !output.endsWith('\n')) output += '\n';
+        await writeFile(full, output, 'utf-8');
+        events.emit('file.changed', { path: full, action: 'edit' });
+      }
+      // Apply non-splice cascading actions (create/edit) using existing applyAction helper
+      const nonSplicePlans = newPlans.filter(p => p.actions.length > 0 && p.actions[0]!.type !== 'splice');
+      for (const plan of nonSplicePlans) {
+        try {
+          const bk = await createBackup(plan.actions[0]!.path);
+          await applyAction(plan.actions[0]!, projectPath);
+          appliedActionKeys.add(plan.actions[0]!.path);
+          results.push({ plan, applied: true, scoreBefore, scoreAfter: 0, backedUpFiles: [bk] });
+          anyApplied = true;
+        } catch { /* skip failed cascading fixes */ }
+      }
+      if (!anyApplied) break;
+    }
+    events.emit('score.updated', { before: scoreBefore, after: scoreAfter });
+    // Phase 3: Record undo history + evidence for applied fixes
+    for (const result of results) {
+      if (!result.applied) continue;
+      // Patch final score into result (reconstruct to preserve readonly contract)
+      Object.assign(result, { scoreAfter });
+      if (undoService) {
+        await undoService.recordFix(result, result.plan);
+      }
+      if (deps.evidenceStore) {
+        const evidence = createEvidence(
+          result.plan.checkId,
+          'fix',
+          'fix',
+          { file: result.plan.actions[0]?.path },
+        );
+        await deps.evidenceStore.append([evidence], randomUUID());
+      }
+    }
+    return results;
+  };
+  const getUnfixedFindings = (): readonly Finding[] => {
+    const lastScan = getLastScanResult();
+    if (!lastScan) return [];
+    const fixableIds = new Set(previewAll().map((p) => p.checkId));
+    return lastScan.findings.filter(
+      (f) => f.type === 'fail' && !fixableIds.has(f.checkId),
+    );
+  };
+  const getCurrentScore = (): number => {
+    const lastScan = getLastScanResult();
+    return lastScan?.score.totalScore ?? 0;
+  };
+  return Object.freeze({ preview, previewAll, applyFix, applyAll, applyAndValidate, applyAllAndValidate, getUnfixedFindings, getCurrentScore });
+};
+export type FixService = ReturnType<typeof createFixService>;